Friday, July 8, 2011
IP Spoofing and IPS Protection with a Cisco ASA 5500 Firewall
IP Spoofing Protection:
IP spoofing attacks are those that change the actual source IP address of packets to obscure their true origin. To counter them, packets arriving at a particular interface (e.g. inside) must have a valid source IP address that matches the correct source interface according to the firewall routing table. Normally the firewall only looks at the destination address of a packet in order to forward it accordingly. If you enable the IP spoofing protection mechanism, the firewall also checks the source address of the packets.
If, for example, our inside interface connects to internal network 192.168.1.0/24, packets arriving at the inside firewall interface must have a source address in the range 192.168.1.0/24; otherwise they will be dropped (if IP spoofing protection is configured).
The IP spoofing protection feature uses the Unicast Reverse Path Forwarding (Unicast RPF) mechanism, which dictates that for any traffic that you want to allow through the security appliance, the security appliance routing table must include a route back to the source address.
To enable IP Spoofing protection, enter the following command:
CiscoASA5500(config)# ip verify reverse-path interface "interface_name"
For example, to enable IP spoofing protection on the inside interface, use the following command:
CiscoASA5500(config)# ip verify reverse-path interface inside
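The Unicast RPF decision described above can be modelled as a longest-prefix route lookup on the source address, followed by a comparison with the interface the packet arrived on. The following is an added example, not code from the original article or from Cisco; the routing table, the dmz and outside routes, and the function names are assumptions made for illustration.

```python
import ipaddress

# Constructed routing table for illustration: (prefix, interface).
ROUTES = [
    ("192.168.1.0/24", "inside"),
    ("10.10.0.0/16", "dmz"),
    ("0.0.0.0/0", "outside"),  # default route
]

def build_table(routes):
    """Parse (prefix, interface) strings into (network, interface) pairs."""
    return [(ipaddress.ip_network(p), ifc) for p, ifc in routes]

def reverse_path_interface(table, src):
    """Longest-prefix match for the route back to src; None if no route."""
    addr = ipaddress.ip_address(src)
    matches = [(net, ifc) for net, ifc in table if addr in net]
    if not matches:
        return None
    return max(matches, key=lambda m: m[0].prefixlen)[1]

def urpf_check(table, ingress, src):
    """Return (allowed, reason) for a packet from src arriving on ingress."""
    back = reverse_path_interface(table, src)
    if back is None:
        return False, "no route back to source"
    if back != ingress:
        return False, f"route back to source is via {back}, not {ingress}"
    return True, "route back to source uses the ingress interface"

if __name__ == "__main__":
    table = build_table(ROUTES)
    # Constructed sample packets: (ingress interface, source address).
    for ingress, src in [
        ("inside", "192.168.1.25"),   # legitimate inside host
        ("inside", "172.16.5.9"),     # source not on the inside network
        ("outside", "192.168.1.25"),  # inside address arriving from outside
        ("outside", "203.0.113.9"),   # covered by the default route
    ]:
        allowed, reason = urpf_check(table, ingress, src)
        print(f"{ingress:8} {src:15} {'pass' if allowed else 'DROP'}  {reason}")
```

Note that the default route satisfies the check for unknown sources arriving on the outside interface, so on that interface the check only rejects sources that the routing table places behind a different interface.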
Basic IPS Protection:
Although the ASA Firewall supports full IPS functionality with an extra IPS hardware module (AIP-SSM), it also supports basic IPS protection, which is built in by default and needs no extra hardware module. The built-in IPS feature supports a basic list of signatures, and you can configure the security appliance to perform one or more actions on traffic that matches a signature. The command that implements the basic IPS feature is called "ip audit".
There are two signature groups embedded in the firewall software: "Informational" and "Attack" signatures. You can define an IP audit policy for each signature group as follows:
For informational signatures:
CiscoASA5500(config)# ip audit name "name" info [action [alarm] [drop] [reset]]
For attack signatures:
CiscoASA5500(config)# ip audit name "name" attack [action [alarm] [drop] [reset]]
The keywords [alarm], [drop], [reset] define the actions to perform on a malicious packet that matches one of the signatures. [alarm] generates a system message showing that a packet matched a signature, [drop] drops the packet, and [reset] drops the packet and closes the connection.
After defining an IP audit policy (IPS policy) as shown above, we need to attach the policy to a specific interface:
CiscoASA5500(config)# ip audit interface "interface_name" "policy_name"
Let's see an actual example:
CiscoASA5500(config)# ip audit name dropattacks attack action drop
CiscoASA5500(config)# ip audit interface outside dropattacks
Article Source: http://goarticles.com/article/IP-Spoofing-and-IPS-Protection-with-a-Cisco-ASA-5500-Firewall/1237260/
Wednesday, May 25, 2011
Need For Firewall Support
Windows Firewall is a fully developed firewall application which can start on its own and should be left on if you are not replacing it with any other firewall product. There is no doubt about the efficiency of Windows Firewall.
Windows XP's Internet Connection Firewall is half a firewall. It only checks information coming in to your PC and doesn't check data going out of your computer. Why is it still popular among computer users? If your system accidentally becomes infected with a virus, your personal information is definitely in danger. A virus replicates itself and spreads the infection to other computers connected through a common network, or even allows hackers to access your computer to do whatever they want.
The only quality of a true firewall is that it will prevent infectious matter from getting out of your system and inform you about the existing problem so you can clean it up. This is what makes firewall software the most important thing for your PC security.
A managed firewall ensures the highest level of security for an enterprise network. As signified by its name, 24x7 firewall ensures that your data is secure and protected round the clock.
If you do not have an efficient monitoring and network reporting system in place, then your database might not be running efficiently. You can think about buying support from computer support centers for effective data management and to keep your database up and running on a 24x7 basis. However, be meticulous when choosing your technical support partner. The decision must be based on factors like experience, market reputation and service prices.
Source: http://goo.gl/eGa3h
Wednesday, January 27, 2010
Firewall Configuration

A firewall is a device or a set of devices, which can be implemented in hardware, software or both. All the messages passing through the firewall are verified to meet some level of security criteria.
It acts as a computer security barrier, which analyzes all the incoming and outgoing traffic to and from your computer or network based on the firewall settings. There are some common types of firewalls like: Application level gateway, Packet filtering firewall, Circuit gateways and Hybrid firewall.
Application level gateway firewall works on the application layer of the protocol stack. It works more intelligently than the packet filtering firewall. Packet filtering firewall examines the information contained in the header of the message packets.
There are some factors based on which the filters can be added or removed from the firewall:
1. IP address
2. Ports
3. Protocols
IP address: Every computer connected to the Internet has a unique IP address. The firewall configuration can be customized to block any IP address so that your computer will not allow any kind of communication with it.
Ports: The firewall can be configured to allow or block messages from any port number.
Protocols: There are some commonly used protocols, such as IP, HTTP, TCP, FTP and SMTP, which can be included in the firewall filter.
Some operating systems, such as Microsoft Windows, offer built-in firewalls that are turned on by default to block all the incoming threats from the Internet. There are several other third-party firewalls available. You can choose any one of these firewalls to replace the default firewall in Windows.
Tuesday, November 17, 2009
Windows 7 registry: Understanding the usability of Root Keys

The Registry may be a dangerous tool, but you can mitigate that danger somewhat by becoming familiar with the layout of the Registry and what its various bits and parts are used for. This will help you avoid sensitive areas and stick to those Registry neighborhoods where it's safe to poke around. The next few sections introduce you to the major parts of the Registry.
Getting to Know the Registry's Root Keys
The root keys are your Registry starting points, so you need to become familiar with what kinds of data each key holds. The next few sections summarize the contents of each key.
HKEY_CLASSES_ROOT
HKEY_CLASSES_ROOT—usually abbreviated as HKCR—contains data related to file extensions and their associated programs, the objects that exist in the Windows 7 system, as well as applications and their automation information. There are also keys related to shortcuts and other interface features.
The top part of this key contains subkeys for various file extensions. You see .bmp for bitmap (Paint) files, .txt for text (Notepad) files, and so on. In each of these subkeys, the Default setting tells you the name of the registered file type associated with the extension. (I discussed file types in more detail in Chapter 3, "Customizing the File System.") For example, the .txt extension is associated with the txtfile file type.
These registered file types appear as subkeys later in the HKEY_CLASSES_ROOT branch, and the Registry keeps track of various settings for each registered file type. In particular, the shell subkey tells you the actions associated with this file type. For example, in the shell\open\command subkey, the Default setting shows the path for the executable file that opens. Figure 12.3 shows this subkey for the txtfile file type.
Figure 12.3 The registered file type subkeys specify various settings associated with each file type, including its defined actions.
HKEY_CLASSES_ROOT is actually a copy (or an alias, as these copied keys are called) of the following HKEY_LOCAL_MACHINE key:
HKEY_LOCAL_MACHINE\Software\Classes
The Registry creates an alias for HKEY_CLASSES_ROOT to make these keys easier for applications to access and to enhance compatibility with legacy programs.
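The lookup chain described above (extension subkey, then registered file type, then shell\open\command) is also what you follow when reviewing which executable a file type launches. The following is an added example, not code from the original article: it resolves that chain over a constructed, simplified .reg export, and the sample data and function names are assumptions made for illustration.

```python
import re

# Constructed, simplified .reg export. Real exports may store command
# strings as hex(2) REG_EXPAND_SZ data, which this sketch does not decode.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\.txt]
@="txtfile"

[HKEY_CLASSES_ROOT\txtfile\shell\open\command]
@="%SystemRoot%\\system32\\NOTEPAD.EXE %1"

[HKEY_CLASSES_ROOT\.bmp]
@="Paint.Picture"
'''

def parse_defaults(reg_text):
    """Map each key path (lower-cased) to its Default (@) string value."""
    defaults, key = {}, None
    for line in reg_text.splitlines():
        line = line.strip()
        m = re.fullmatch(r"\[(.+)\]", line)
        if m:
            key = m.group(1).lower()
        elif key and line.startswith('@="') and line.endswith('"'):
            # Undo .reg escaping: \\ is a backslash, \" is a quote.
            defaults[key] = re.sub(r"\\(.)", r"\1", line[3:-1])
    return defaults

def open_command(defaults, ext, root="hkey_classes_root"):
    """Resolve extension -> file type -> shell\\open\\command Default."""
    file_type = defaults.get(f"{root}\\{ext.lower()}")
    if file_type is None:
        return None, None  # extension is not registered
    cmd = defaults.get(f"{root}\\{file_type.lower()}\\shell\\open\\command")
    return file_type, cmd  # cmd is None when no open action is defined

if __name__ == "__main__":
    defaults = parse_defaults(SAMPLE_REG)
    for ext in (".txt", ".bmp", ".xyz"):
        print(ext, open_command(defaults, ext))
```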
HKEY_CURRENT_USER
HKEY_CURRENT_USER—usually abbreviated as HKCU—contains data that applies to the user that's currently logged on. It contains user-specific settings for Control Panel options, network connections, applications, and more. Note that if a user has group policies set on his account, his settings are stored in the HKEY_USERS\sid subkey (where sid is the user's security ID). When that user logs on, these settings are copied to HKEY_CURRENT_USER. For all other users, HKEY_CURRENT_USER is built from the user's profile file, ntuser.dat (located in %UserProfile%).
To find each user's SID, open the following Registry key:
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\
Here you'll find a list of SIDs. The ones that begin S-1-5-21 are the user SIDs. Highlight one of these SIDs and then examine the ProfileImagePath setting, which will be of the form %SystemDrive%\Users\user, where user is the username associated with the SID.
Some of the most significant HKEY_CURRENT_USER subkeys are AppEvents (contains the sound files that play during particular system events, such as when you maximize a window), Control Panel (contains settings related to certain Control Panel icons), Keyboard Layout (contains the keyboard layout as selected via Control Panel's Keyboard icon), Network (contains settings related to mapped network drives) and Software (contains user-specific settings related to applications and Windows).
HKEY_LOCAL_MACHINE
HKEY_LOCAL_MACHINE (HKLM) contains non-user-specific configuration data for your system's hardware and applications. Three subkeys are used most often: Hardware (contains subkeys related to serial ports and modems as well as the floating-point processor), Software (contains computer-specific settings related to installed programs) and System (contains subkeys and settings related to Windows startup).
HKEY_USERS
HKEY_USERS (HKU) contains settings that are similar to those in HKEY_CURRENT_USER. HKEY_USERS is used to store the settings for users with group policies defined, as well as the default settings (in the .DEFAULT subkey) which get mapped to a new user's profile.
HKEY_CURRENT_CONFIG
The settings related to the current hardware profile are stored in HKEY_CURRENT_CONFIG (HKCC). If your system utilizes only one hardware profile, HKEY_CURRENT_CONFIG is an alias for HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001. If your machine uses multiple hardware profiles, HKEY_CURRENT_CONFIG is an alias for HKEY_LOCAL_MACHINE\SYSTEM\ControlSetnnn, where nnn is the numeric identifier of the current hardware profile. This identifier is given by the CurrentConfig setting in the following key: HKLM\SYSTEM\CurrentControlSet\Control\IDConfigDB