evice that uses ACLs can do packet filtering. ACLs are probably the most commonly used objects in Cisco IOS router configuration. Not only are they used for packet-filtering firewalls, but they can also select specified types of traffic to be analyzed, forwarded, or influenced in some way. While packet filtering is effective and transparent to users, there are these disadvantages:

- Packet filtering is susceptible to IP spoofing. Arbitrary packets can be sent that fit ACL criteria and pass through the filter.
- Packet filters do not filter fragmented packets well. Because fragmented IP packets carry the TCP header in the first fragment and packet filters filter on TCP header information, all non-first fragments are passed unconditionally. This process is based on the assumption that the filter of the first fragment is accurately enforcing the policy.
- Complex ACLs are difficult to implement and maintain correctly.
- Some services cannot be filtered. For example, it is difficult to permit dynamically negotiated sessions without opening up access to a whole range of ports, which in itself might be dangerous.

Implementing Secure Converged Wide Area Networks (ISCW)

The PDF files and any printed representation for this material are the property of Cisco Systems, Inc., for the sole use by Cisco employees for personal study. The files or printed representations may not be used in commercial training, and may not be distributed for purposes other than individual self-study.

© 2006 Cisco Systems, Inc.

Cisco IOS Threat Defense Features
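The second disadvantage above is easy to see in a small model. The following Python is an added illustration, not code from the Cisco course: a header-based filter that passes non-initial fragments unconditionally, beside an assumed fail-closed variant in which fragments without a layer-4 header can only match layer-3-only entries; the `Packet` and `Rule` types, the whitelist ACL and the packets are constructed for the example.

```python
# Constructed model (not Cisco code) of the fragment weakness described above.
from dataclasses import dataclass
from typing import List, Optional

@dataclass
class Packet:
    proto: str                   # "tcp" or "udp"
    frag_offset: int             # 0 = unfragmented or first fragment
    dport: Optional[int] = None  # L4 header only travels in the first fragment

@dataclass
class Rule:
    action: str                  # "permit" or "deny"
    proto: str                   # "tcp", "udp" or "ip" (any protocol)
    dport: Optional[int] = None  # None = any port (layer-3-only entry)

def classic_filter(acl: List[Rule], pkt: Packet) -> str:
    """Header-based ACL as the lesson describes it: a non-initial fragment has no
    TCP/UDP header, so it is passed unconditionally (first fragment assumed checked)."""
    if pkt.frag_offset > 0:
        return "permit"
    for rule in acl:
        if rule.proto in ("ip", pkt.proto) and rule.dport in (None, pkt.dport):
            return rule.action
    return "deny"  # implicit deny at the end of every ACL

def fragment_aware_filter(acl: List[Rule], pkt: Packet) -> str:
    """Assumed mitigation: a non-initial fragment may only match layer-3-only entries,
    so a whitelist ACL with a trailing deny fails closed for unclassifiable fragments."""
    for rule in acl:
        if rule.proto not in ("ip", pkt.proto):
            continue
        if pkt.frag_offset > 0:
            if rule.dport is None:
                return rule.action
        elif rule.dport in (None, pkt.dport):
            return rule.action
    return "deny"

# Constructed whitelist: permit web traffic only, explicit deny for everything else.
ACL = [Rule("permit", "tcp", 80), Rule("deny", "ip")]

def demo() -> dict:
    first_frag = Packet("tcp", frag_offset=0, dport=23)  # telnet: policy says deny
    later_frag = Packet("tcp", frag_offset=185)          # same datagram, no L4 header
    return {
        "first_classic": classic_filter(ACL, first_frag),  # deny
        "later_classic": classic_filter(ACL, later_frag),  # permit: the weakness
        "first_aware": fragment_aware_filter(ACL, first_frag),  # deny
        "later_aware": fragment_aware_filter(ACL, later_frag),  # deny
    }
```

The fail-closed variant only helps when the ACL ends in an explicit deny; with a trailing permit-any entry the non-initial fragments would still be passed.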
Firewall Technologies

This topic describes the operational strengths and weaknesses of the three firewall technologies: packet filter, stateful firewall, and application gateway.

Firewalls use three technologies:
- Packet filtering
- Application layer gateway
- Stateful packet filtering

Multiple DMZs

The DMZ is a single network, nested between the inside and outside security zones. The concept of multiple DMZs is an alternative.

Multiple DMZs provide better separation and access control:
- Each service can be hosted in its own DMZ.
- Damage is limited and attackers contained if a service is compromised.

DMZs are buffer networks which are neither inside nor outside.

Lesson 1

Introducing the Cisco IOS Firewall

Overview

This lesson describes the concept of stateful filtering and its implementation on Cisco IOS routers, called Cisco IOS Firewall, formerly known as Context-Based Access Control (CBAC). Cisco IOS Firewall is available on routers running the Cisco IOS Firewall Feature Set (FFS), which includes three main functions: Cisco IOS Firewall, authentication proxy, and the intrusion prevention system (IPS).
Authentication proxy and IPS are mentioned briefly, while the lesson focuses on the details of the Cisco IOS Firewall. It describes the handling of TCP and User Datagram Protocol (UDP) and discusses the inspection of the most common application protocols.

Objectives

Upon completing this lesson, you will be able to explain the Cisco IOS Firewall functionality. This ability includes being able to meet these objectives:
- Explain the basic structure of a layered defense
- Describe the operational strengths and weaknesses of the three firewall technologies
- Explain the basic operation of a stateful firewall
- Describe the features of the Cisco IOS Firewall
- Describe how the Cisco IOS Firewall combines the features of packet inspection and proxy firewalls to provide an optimal security solution
- Explain the Cisco IOS Firewall process

Layered Defense Strategy

This topic describes the basic structure of a layered defense.

DMZ
- A DMZ is established between security zones.

The DMZ is an ideal place to host services—public services, exposed servers that untrusted users connect to, or proxy servers such as ALGs—to enable inside users to connect to the outside perimeter.

Note: Because of its ability to contain an attack and limit damage in the case of a break-in, the DMZ approach is the most popular and commonly used modern architecture.

The multiple layers of security offered by a DMZ are distributed between services and filtering points, as follows:
- T