【正文】 kets based on source and destinationIP addresses, source and destination port numbers, and packet type. These rules can also beused to reject any packet from the outside that claims to e from an address inside thenetwork. Recall that each service relies on specific ports. By restricting certain ports, you canrestrict those services. For example, blocking port 23 for all user workstations prevents theusers from using Telnet, which is an insecure management protocol.Any device that uses ACLs can do packet filtering. ACLs are probably the most monly used objects in Cisco IOS router configuration. Not only are they used for packet filteringfirewalls, but they can also select specified types of traffic to be analyzed, forwarded, orinfluenced in some way. While packet filtering is effective and transparent to users, there are these disadvantages:n Packet filtering is susceptible to IP spoofing. Arbitrary packets can be sent that fit ACLcriteria and pass through the filter.n Packet filters do not filter fragmented packets well. Because fragmented IP packets carry the TCP header in the first fragment and packet filters filter on TCP header information, allnonfirst fragments are passed unconditionally. This process is based on the assumptionthat the filter of the first fragment is accurately enforcing the policy. n Complex ACLs are difficult to implement and maintain correctly.Some services cannot be filtered. For example, it is difficult to permit dynamically negotiatedsessions without opening up access to a whole range of ports, which in itself might bedangerous.610 Implementing Secure Converged Wide Area Networks (ISCW) The PDF files and any printed representation for this material are the property of Cisco Systems, Inc.,for the sole use by Cisco employees for personal study. The files or printed representations may not beused in mercial training, and may not be distributed for purposes other than individual selfstudy.169。 2006 Cisco Systems, Inc.The PDF files and any printed representation for this material are the property of Cisco Systems, Inc.,for the sole use by Cisco employees for personal study. The files or printed representations may not beused in mercial training, and may not be distributed for purposes other than individual selfstudy.Note169。 2006 Cisco Systems, Inc.Cisco IOS Threat Defense Features67The PDF files and any printed representation for this material are the property of Cisco Systems, Inc.,for the sole use by Cisco employees for personal study. The files or printed representations may not beused in mercial training, and may not be distributed for purposes other than individual selfstudy.Firewall TechnologiesThis topic describes the operational strengths and weaknesses of the three firewalltechnologies: packet filter, stateful firewall, and application gateway.Firewall TechnologiesFirewalls use three technologies:? Packet filtering? Application layer gateway? Stateful packet filtering169。 2006 Cisco Systems, Inc.The PDF files and any printed representation for this material are the property of Cisco Systems, Inc.,for the sole use by Cisco employees for personal study. The files or printed representations may not beused in mercial training, and may not be distributed for purposes other than individual selfstudy.Modern DMZ DesignThe figure shows simplified versions of the multiDMZ configuration.Modern DMZ Design? Various systems (stateful packet filter, proxy server) canfilter traffic.? Proper configuration of the filtering device is critical.169。 2006 Cisco Systems, Inc.Cisco IOS Threat Defense Features65The PDF files and any printed representation for this material are the property of Cisco Systems, Inc.,for the sole use by Cisco employees for personal study. The files or printed representations may not beused in mercial training, and may not be distributed for purposes other than individual selfstudy.Multiple DMZsThe DMZ is a single network, nested between the inside and outside security zones. Theconcept of multiple DMZs is an alternative.Multiple DMZsMultiple DMZs provide better separation and access control:? Each service can be hosted in its own DMZ.? Damage is limited and attackers contained if a service is promised.169。 2006 Cisco Systems, Inc.The PDF files and any printed representation for this material are the property of Cisco Systems, Inc.,for the sole use by Cisco employees for personal study. The files or printed representations may not beused in mercial training, and may not be distributed for purposes other than individual selfstudy.Layered Defense FeaturesThis section explains the features of a layered defense approach.Layered Defense Features? Access control is enforced on traffic entering and exiting the buffer network to all security zones by:– Classic routers– Dedicated firewalls? DMZs are used to host services:– Exposed public services are served on dedicated hosts insidethe buffer network.– The DMZ may host an application gateway for outboundconnectivity.? A DMZ contains an attacker in the case of a breakin.? A DMZ is the most useful and mon modern architecture.169。s arebuffer networks which are neither inside nor outside.169。Module 6Cisco IOS Threat DefenseFeaturesOverviewCisco IOS Firewall software offers a full set of security features that you can implement toprovide security for a network. In this mod