© 2002, Cisco Systems, Inc. CSPFA 2.1—3-1 PIX Firewall.
PIX Firewall
What Is a Firewall?
A firewall is a system or group of systems that manages access between two networks.
Firewall Technologies
Firewall operations are based on one of three technologies:
• Packet filtering
• Proxy server
• Stateful packet filtering
Packet Filtering
Limits information into a network based on destination and source address
Proxy Server
Requests connections between a client on the inside of the firewall and the outside
Stateful Packet Filtering
Limits information into a network based not only on destination and source address, but also on packet data content
PIX Firewall—What Is it?
• Stateful firewall with high security and fast performance
• Adaptive security algorithm provides stateful security
• Cut-through proxy eliminates application-layer bottlenecks
• Secure, real-time, embedded operating system
Adaptive Security Algorithm
• Provides “stateful” connection control through the PIX Firewall
• Tracks source and destination ports and addresses, TCP sequences, and additional TCP flags
• TCP sequence numbers are randomized to minimize the risk of attack
• Tracks UDP and TCP session state
• Connections allowed out—allows return session back flow (TCP ACK bit)
ASA Security Level Example
(figure) Three PIX Firewall interfaces, from the Internet inward:
• Outside network: e0, security level 0, interface name = outside
• Perimeter network: e2, security level 50, interface name = pix/intf2
• Inside network: e1, security level 100, interface name = inside
Cut-Through Proxy Operation
• Authenticates once at the application layer (OSI Layer 7) for each supported service
• Connection is passed back to the PIX Firewall high-performance ASA engine, while maintaining session state
(figure) An internal or external user connects through the PIX Firewall to an IS resource, with a CiscoSecure server checking the username and password:
1. The user makes a request to an IS resource.
2. The PIX Firewall intercepts the connection.
3. The PIX Firewall prompts the user for a username and password, authenticates the user, and checks the security policy on a RADIUS or TACACS+ server.
4. The PIX Firewall initiates a connection from the PIX Firewall to the destination IS resource.
5. The PIX Firewall directly connects the internal or external user to the IS resource via ASA.
Stateful Failover
(figure) A primary and a secondary PIX Firewall joined by a failover cable. e0 sits on 192.168.0.0/24 toward the Internet, e1 on 10.0.0.0/24 (inside), e2 on 172.16.0.0/24 (DMZ) and e3 on 172.17.0.0/24; the backbone, web, FTP, and TFTP server is on 172.26.26.0/24. The primary unit uses .2 on e0 and .1 on the other interfaces; the secondary uses .7 on every interface.
Summary
• There are three firewall technologies: packet filtering, proxy server, and stateful packet filtering.
• The PIX Firewall features include: Secure operating system, Adaptive Security Algorithm, cut-through proxy, stateful failover, and stateful packet filtering.
PIX Command Line Interface
Access Modes
The PIX Firewall has four administrative access modes:
• Unprivileged mode
• Privileged mode
• Configuration mode
• Monitor mode
enable Command
pixfirewall> enable
password:
pixfirewall# configure terminal
pixfirewall(config)#
pixfirewall(config)# exit
pixfirewall#
• Enables you to enter different access modes
enable password and passwd Commands
pixfirewall# enable password password
pixfirewall# passwd password
• The enable password command is used to control access to the privileged mode.
• The passwd command is used to set a Telnet password.
hostname and ping Commands
• hostname command
pixfirewall(config)# hostname newname
pixfirewall(config)# hostname proteus
proteus(config)# hostname pixfirewall
• ping command
pixfirewall(config)# ping [if_name] ip_address
pixfirewall(config)# ping 10.0.0.3
10.0.0.3 response received -- 0Ms
10.0.0.3 response received -- 0Ms
10.0.0.3 response received -- 0Ms
write Commands
The following are the write commands:
• write net
• write erase
• write floppy
• write memory
• write standby
• write terminal
show Commands
The following are show commands:
• show history
• show memory
• show version
• show xlate
• show cpu usage
• show interface
• show ip address
PIX Configuration Commands
Six Primary Configuration Commands
• nameif
• interface
• ip address
• nat
• global
• route
nameif command
pixfirewall(config)# nameif hardware_id if_name security_level
• The nameif command assigns a name to each interface on the PIX Firewall and specifies its security level.
pixfirewall(config)# nameif ethernet2 dmz sec50
interface command
pixfirewall(config)# interface hardware_id hardware_speed
• The interface command configures the speed and duplex.
pixfirewall(config)# interface ethernet0 100full
pixfirewall(config)# interface ethernet1 100full
• The outside and inside interfaces are set for 100 Mbps Ethernet full-duplex communication.
ip address command
pixfirewall(config)# ip address if_name ip_address [netmask]
• The ip address command assigns an IP address to each interface.
pixfirewall(config)# ip address dmz 172.16.0.1 255.255.255.0
PIX Firewall Translations
Sessions in an IP World
In an IP world, a network session is a transaction between two end systems. It is carried out over two transport layer protocols:
• TCP (Transmission Control Protocol)
• UDP (User Datagram Protocol)
TCP
• TCP is a connection-oriented, reliable-delivery, robust, and high performance transport layer protocol.
• TCP features
– Sequencing and acknowledgement of data
– A defined state machine (open connection, data flow, retransmit, close connection)
– Congestion management and avoidance mechanisms
TCP Initialization—Inside to Outside
The PIX Firewall checks for a translation slot. If one is not found, it creates one after verifying NAT, global, access control, and authentication or authorization, if any. If OK, a connection is created.
The PIX Firewall follows the Adaptive Security Algorithm:
• (Src IP, Src Port, Dest IP, Dest Port) check
• Sequence number check
• Translation check
If the code bit is not syn-ack, the PIX Firewall drops the packet.
Packet #1 starts the embryonic connection counter; it carries no data.
(figure) Inside host 10.0.0.3 opens a Telnet session to 172.30.0.50 through the PIX Firewall, which translates it to 192.168.0.20 on the public network; IP and TCP header fields of packets #1 to #4:
Packet  Network  Source addr   Dest addr     Src port  Dst port  Initial seq #  Flag     Ack
#1      Private  10.0.0.3      172.30.0.50   1026      23        49091          Syn      -
#2      Public   192.168.0.20  172.30.0.50   1026      23        49769          Syn      -
#3      Public   172.30.0.50   192.168.0.20  23        1026      92513          Syn-Ack  49770
#4      Private  172.30.0.50   10.0.0.3      23        1026      92513          Syn-Ack  49092
TCP Initialization—Inside to Outside (cont.)
The PIX Firewall resets the embryonic counter for this client, then increments the connection counter for this host. It strictly follows the Adaptive Security Algorithm, and data flows.
(figure) Packets #5 and #6 complete the handshake:
Packet  Network  Source addr   Dest addr     Src port  Dst port  Seq #   Flag  Ack
#5      Private  10.0.0.3      172.30.0.50   1026      23        49092   Ack   92514
#6      Public   192.168.0.20  172.30.0.50   1026      23        49770   Ack   92514
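The handshake tracking in the two TCP Initialization slides, as an added Python model that is not Cisco's code: it creates the translation slot, shifts the initial sequence number on the way out, requires the return packet to be a SYN-ACK acknowledging the shifted number, keeps the per-slot embryonic counter and enforces the em_limit that the nat and static commands accept later in the deck. The PixASA and Packet names, the delta of 678 (chosen to reproduce the figure's numbers) and the flood scenario are constructed.

```python
from dataclasses import dataclass
import random

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int
    seq: int
    flags: str            # "SYN", "SYN-ACK" or "ACK"
    ack: int = 0

@dataclass
class Xlate:
    local_ip: str
    global_ip: str
    seq_delta: int        # added to outbound sequence numbers, removed from inbound acks
    embryonic: int = 0    # SYN seen, handshake not yet complete
    connections: int = 0  # established sessions bound to this translation slot

class PixASA:
    def __init__(self, global_pool, em_limit=0, delta_fn=None):
        self.pool = list(global_pool)
        self.em_limit = em_limit                 # 0 = unlimited, the PIX default
        self.delta_fn = delta_fn or (lambda: random.randrange(1, 1 << 16))
        self.xlates = {}                         # local_ip -> Xlate
        self.conns = {}                          # (global_ip, port, foreign_ip, port) -> [state, expected ack]
        self.log = []

    def _xlate(self, local_ip):
        """Translation check: reuse the host's slot or create one from the global pool."""
        if local_ip not in self.xlates:
            if not self.pool:
                raise RuntimeError("global pool exhausted")
            self.xlates[local_ip] = Xlate(local_ip, self.pool.pop(0), self.delta_fn())
        return self.xlates[local_ip]

    def outbound(self, p):
        """Inside -> outside: returns the translated packet, or None if dropped."""
        x = self._xlate(p.src)
        key = (x.global_ip, p.sport, p.dst, p.dport)
        conn = self.conns.get(key)
        if p.flags == "SYN":
            if self.em_limit and x.embryonic >= self.em_limit:
                self.log.append(f"drop SYN {p.src}:{p.sport}: embryonic limit {self.em_limit} reached")
                return None
            x.embryonic += 1                     # start the embryonic connection counter
            # the SYN-ACK must acknowledge the randomized ISN + 1
            self.conns[key] = ["SYN_SENT", p.seq + x.seq_delta + 1]
        elif conn is None:
            self.log.append(f"drop {p.flags} {p.src}:{p.sport}: no connection slot")
            return None
        elif p.flags == "ACK" and conn[0] == "SYN_ACK_SEEN":
            conn[0] = "ESTABLISHED"              # reset embryonic, count the connection
            x.embryonic -= 1
            x.connections += 1
        return Packet(x.global_ip, p.dst, p.sport, p.dport, p.seq + x.seq_delta, p.flags, p.ack)

    def inbound(self, p):
        """Outside -> inside: 4-tuple check, code-bit check, sequence number check."""
        key = (p.dst, p.dport, p.src, p.sport)
        conn = self.conns.get(key)
        if conn is None:
            self.log.append(f"drop {p.flags} from {p.src}:{p.sport}: no connection slot")
            return None
        if conn[0] == "SYN_SENT":
            if p.flags != "SYN-ACK":
                self.log.append("drop: code bit is not syn-ack")
                return None
            if p.ack != conn[1]:
                self.log.append(f"drop SYN-ACK: ack {p.ack} != expected {conn[1]}")
                return None
            conn[0] = "SYN_ACK_SEEN"
        x = next(x for x in self.xlates.values() if x.global_ip == p.dst)
        return Packet(p.src, x.local_ip, p.sport, p.dport, p.seq, p.flags, p.ack - x.seq_delta)

def slide_handshake():
    """Packets #1, #3 and #5 of the figure go in; a delta of 678 reproduces #2, #4 and #6."""
    pix = PixASA(["192.168.0.20"], delta_fn=lambda: 678)
    p2 = pix.outbound(Packet("10.0.0.3", "172.30.0.50", 1026, 23, 49091, "SYN"))
    p4 = pix.inbound(Packet("172.30.0.50", "192.168.0.20", 23, 1026, 92513, "SYN-ACK", 49770))
    p6 = pix.outbound(Packet("10.0.0.3", "172.30.0.50", 1026, 23, 49092, "ACK", 92514))
    return p2, p4, p6, pix.xlates["10.0.0.3"]

def syn_floodguard():
    """Three half-open SYNs from one host with em_limit=2 (constructed): the third is dropped."""
    pix = PixASA(["192.168.0.20"], em_limit=2, delta_fn=lambda: 678)
    sent = [pix.outbound(Packet("10.0.0.3", "172.30.0.50", 2000 + i, 23, 1000, "SYN")) for i in range(3)]
    return sent, pix.log
```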
UDP
• Connectionless protocol
• Efficient protocol for some services
• Resourceful but difficult to secure
UDP (cont.)
The PIX Firewall checks for a translation slot. If one is not found, it creates one after verifying NAT, global, access control, and authentication or authorization, if any. If OK, a connection is created.
The PIX Firewall follows the Adaptive Security Algorithm:
• (Src IP, Src Port, Dest IP, Dest Port) check
• Translation check
(figure) A UDP exchange between inside host 10.0.0.3 and outside host 172.30.0.50 through the PIX Firewall, with 10.0.0.3 translated to 192.168.0.20 on the public network:
Packet  Network  Source addr   Dest addr     Src port  Dst port
#1      Private  10.0.0.3      172.30.0.50   1028      45000
#2      Public   192.168.0.20  172.30.0.50   1028      45000
#3      Public   172.30.0.50   192.168.0.20  45000     1028
#4      Private  172.30.0.50   10.0.0.3      45000     1028
All UDP responses arrive from outside and within the UDP user-configurable timeout (default = 2 minutes).
Static Translations
(figure) A DNS server at 10.0.0.10 on the inside network; the PIX Firewall has inside address 10.0.0.1 and outside address 192.168.0.2, and the perimeter router at 192.168.0.1 leads to the Internet.
pixfirewall(config)# static (inside,outside) 192.168.0.18 10.0.0.10
• Packet from 10.0.0.10 has source address of 192.168.0.18
• Permanently maps a single IP address
• Recommended for internal service hosts like a DNS server
Dynamic Translations
(figure) Inside host 10.0.0.3 behind the PIX Firewall (inside 10.0.0.1, outside 192.168.0.2) and the perimeter router 192.168.0.1; the global pool 192.168.0.20-192.168.0.254 is on the outside.
• Configures dynamic translations
– nat (inside) 1 0.0.0.0 0.0.0.0
– global (outside) 1 192.168.0.20-192.168.0.254 netmask 255.255.255.0
Connections vs. Translations
• Translations—xlate
– IP address to IP address translation
– 65,536 translations supported
• Connections—conns
– TCP or UDP sessions
xlate Command
pixfirewall(config)# clear xlate [global_ip [local_ip]]
• The clear xlate command clears the contents of the translation slots.
Summary
• The PIX Firewall manages the TCP and UDP protocols through the use of a translation table.
• Static translations assign a permanent IP address to an inside host. Mapping between local and global addresses is done dynamically with the nat command.
• Dynamic translations use NAT for local clients and their outbound connections and hide the client address from others on the Internet.
NAT terminology when using the PIX
NAT terminology
– an inside (or local) network is the network from which we translate addresses (local addresses)
– an outside (or global) network is the network to which we translate local addresses, which become global addresses
– a translation is a one-to-one mapped pair of (local, global) IP addresses
– a translation slot (xlate slot) is a software structure inside PIX/OS used to describe active translations
– a connection slot is a software structure inside PIX/OS describing an active connection (many connection slots can be bound to a translation slot)
– the translation table (xlate table) is the software structure inside PIX/OS containing all active translation and connection slot objects
NAT Example
(figure) Inside host 10.0.0.3 sends a Telnet packet to 200.200.200.10 on the Internet; the PIX Firewall rewrites the source address from the global IP pool and records the pair in the translation table.
Inside local IP addresses: 10.0.0.3, 10.0.0.4
Global IP pool: 192.168.0.20, 192.168.0.21
Side     Source addr   Dest addr       Src port  Dst port
Inside   10.0.0.3      200.200.200.10  49090     23
Outside  192.168.0.20  200.200.200.10  49090     23
Translation table: 10.0.0.3 192.168.0.20
nat command
pixfirewall(config)# nat [(if_name)] nat_id local_ip [netmask]
• The nat command defines which addresses can be translated.
pixfirewall(config)# nat (inside) 1 0.0.0.0 0.0.0.0
global command
pixfirewall(config)# global [(if_name)] nat_id {global_ip[-global_ip] [netmask global_mask]} | interface
• Works with the nat command to assign a registered or public IP address to an internal host with the same nat_id.
pixfirewall(config)# nat (inside) 1 0.0.0.0 0.0.0.0
pixfirewall(config)# global (outside) 1 192.168.0.20-192.168.0.254
• When internal hosts access the outside network through the firewall, they are assigned addresses from the 192.168.0.20–192.168.0.254 range.
Two Interfaces with NAT (Multiple Internal Networks)
(figure) The PIX Firewall's e0 outside interface is 192.168.0.2 (security level 0) on 192.168.0.0/24, facing the pod perimeter router at .1 and, beyond it, the Internet and the backbone, web, FTP, and TFTP server at 172.26.26.50; its e1 inside interface is 10.0.0.1 (security level 100) and serves both 10.0.0.0/24 and 10.1.0.0/24.
pixfirewall(config)# nat (inside) 1 10.0.0.0 255.255.255.0
pixfirewall(config)# nat (inside) 2 10.1.0.0 255.255.255.0
pixfirewall(config)# global (outside) 1 192.168.0.1-192.168.0.14 netmask 255.255.255.240
pixfirewall(config)# global (outside) 2 192.168.0.17-192.168.0.30 netmask 255.255.255.240
• Use separate nat_ids to assign different global address pools.
• The mask used in the nat and global commands is not a mask for host ranges but the mask for each address.
Three Interfaces with NAT
(figure) e0 outside 192.168.0.2 (security level 0) on 192.168.0.0/24 toward the pod perimeter router at .1, the Internet and the backbone, web, FTP, and TFTP server at 172.26.26.50; e1 inside 10.0.0.1 (security level 100) on 10.0.0.0/24 with an inside host and web and FTP server at .3; e2 dmz 172.16.0.1 (security level 50) on 172.16.0.0/24 with a bastion host and web and FTP server at .2.
pixfirewall(config)# nat (inside) 1 10.0.0.0 255.255.255.0
pixfirewall(config)# nat (dmz) 1 172.16.0.0 255.255.255.0
pixfirewall(config)# global (outside) 1 192.168.0.20-192.168.0.254 netmask 255.255.255.0
pixfirewall(config)# global (dmz) 1 172.16.0.20-172.16.0.254 netmask 255.255.255.0
• Inside users can start outbound connections to both the DMZ and the Internet.
• DMZ users can start outbound connections to the Internet.
PAT Global
Port Address Translation
(figure) Two inside hosts, 10.0.0.2 and 10.0.0.3, both connect from source port 49090 to 172.30.0.50 port 23; the PIX Firewall translates both to the single global address 192.168.0.15 and keeps them apart by source port:
Side     Source addr   Dest addr    Src port  Dst port
Inside   10.0.0.2      172.30.0.50  49090     23
Inside   10.0.0.3      172.30.0.50  49090     23
Outside  192.168.0.15  172.30.0.50  2000      23
Outside  192.168.0.15  172.30.0.50  2001      23
PAT Example
pixfirewall(config)# ip address inside 10.0.0.1 255.255.255.0
pixfirewall(config)# ip address outside 192.168.0.2 255.255.255.0
pixfirewall(config)# route outside 0.0.0.0 0.0.0.0 192.168.0.1
pixfirewall(config)# nat (inside) 1 10.0.0.0 255.255.255.0
pixfirewall(config)# global (outside) 1 192.168.0.9 netmask 255.255.255.0
• Assign a single IP address (192.168.0.9) as a global pool
• Source addresses of hosts in network 10.0.0.0 are translated to 192.168.0.9 for outgoing access
• Source port changes to a unique number greater than 1024
(figure) Sales (10.0.1.0), Engineering (10.0.2.0) and Information Systems networks behind the PIX Firewall (inside 10.0.0.1, outside 192.168.0.2), a bastion host at 172.16.0.2, and the perimeter router at 192.168.0.1 toward the Internet.
PAT Using Outside Interface Address
pixfirewall(config)# ip address inside 10.0.0.1 255.255.255.0
pixfirewall(config)# ip address outside 192.168.0.2 255.255.255.0
pixfirewall(config)# route outside 0.0.0.0 0.0.0.0 192.168.0.1
pixfirewall(config)# nat (inside) 1 10.0.0.0 255.255.255.0
pixfirewall(config)# global (outside) 1 interface
(figure) Same network as the PAT example: Sales (10.0.1.0), Engineering (10.0.2.0) and Information Systems behind the PIX Firewall, bastion host 172.16.0.2, perimeter router 192.168.0.1.
• Use the interface option to enable use of the outside interface IP address as the PAT address.
• Source addresses of hosts in network 10.0.0.0 are translated to 192.168.0.2 for outgoing access.
• The source port is changed to a unique number greater than 1024.
Augmenting a Global Pool with PAT
pixfirewall(config)# ip address inside 10.0.0.1 255.255.255.0
pixfirewall(config)# ip address outside 192.168.0.2 255.255.255.0
pixfirewall(config)# route outside 0.0.0.0 0.0.0.0 192.168.0.1
pixfirewall(config)# nat (inside) 1 10.0.0.0 255.255.255.0
pixfirewall(config)# global (outside) 1 192.168.0.20-192.168.0.254 netmask 255.255.255.0
pixfirewall(config)# global (outside) 1 192.168.0.19 netmask 255.255.255.0
(figure) Same network as the PAT example, with the 10.0.0.0 network behind the inside interface.
• When hosts on the 10.0.0.0 network access the outside network through the firewall, they are assigned public addresses from the 192.168.0.20-192.168.0.254 range.
• When the addresses from the global pool are exhausted, PAT begins.
• Make sure the PAT address is not part of the global pool.
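The nat/global pairing, pool exhaustion and PAT fallback from the NAT, PAT and global-pool slides, as an added Python model that is not Cisco's code. It parses the nat, global and ip address lines shown on those slides, hands out pool addresses in order, falls back to the single PAT address (or the interface address) with a unique source port above 1024, and rejects a PAT address that overlaps the pool. The PixNat name, the two-address pool and the client hosts are constructed.

```python
import ipaddress
import re

IP_RE = re.compile(r"ip address (\w+) (\S+) (\S+)")
NAT_RE = re.compile(r"nat \((\w+)\) (\d+) (\S+) (\S+)")
GLOBAL_RE = re.compile(r"global \((\w+)\) (\d+) (\S+)(?: netmask (\S+))?")

class PixNat:
    """Dynamic NAT and PAT as described on the nat, global and PAT slides."""

    def __init__(self):
        self.if_addr = {}      # if_name -> interface IP, needed for 'global ... interface'
        self.nat_rules = []    # (if_name, nat_id, local network)
        self.pools = {}        # (if_name, nat_id) -> {"pool": [free global IPs], "pat": IP or None}
        self.xlate = {}        # local IP -> global IP (one-to-one translation slots)
        self.pat_port = {}     # PAT IP -> next free source port

    def config(self, line):
        line = re.sub(r"^(nat|global)\(", r"\1 (", line.strip())   # slides also write 'nat(inside)'
        if m := IP_RE.fullmatch(line):
            self.if_addr[m[1]] = m[2]
        elif m := NAT_RE.fullmatch(line):
            net, mask = ("0.0.0.0" if t == "0" else t for t in (m[3], m[4]))   # 'nat (x) 1 0 0' shorthand
            self.nat_rules.append((m[1], int(m[2]), ipaddress.ip_network(f"{net}/{mask}", strict=False)))
        elif m := GLOBAL_RE.fullmatch(line):
            entry = self.pools.setdefault((m[1], int(m[2])), {"pool": [], "pat": None})
            if "-" in m[3]:
                lo, hi = (int(ipaddress.ip_address(a)) for a in m[3].split("-"))
                entry["pool"].extend(str(ipaddress.ip_address(i)) for i in range(lo, hi + 1))
            else:              # a single address (or 'interface') means PAT
                entry["pat"] = self.if_addr[m[1]] if m[3] == "interface" else m[3]
            if entry["pat"] in entry["pool"]:
                raise ValueError("PAT address must not be part of the global pool")
        else:
            raise ValueError(f"unsupported line: {line}")

    def translate(self, in_if, local_ip, local_port, out_if):
        """Outbound connection from in_if to out_if: returns (global_ip, global_port) or None."""
        src = ipaddress.ip_address(local_ip)
        nat_id = next((nid for ifn, nid, net in self.nat_rules if ifn == in_if and src in net), None)
        if nat_id is None:
            return None                              # no nat statement covers this host
        if nat_id == 0:
            return local_ip, local_port              # nat 0: the address leaves untranslated
        entry = self.pools.get((out_if, nat_id))
        if entry is None:
            return None                              # no global with this nat_id on the exit interface
        if local_ip in self.xlate:                   # reuse the host's existing translation slot
            return self.xlate[local_ip], local_port
        if entry["pool"]:
            self.xlate[local_ip] = entry["pool"].pop(0)
            return self.xlate[local_ip], local_port
        if entry["pat"] is None:
            return None                              # pool exhausted and no PAT address
        port = self.pat_port.get(entry["pat"], 1025) # PAT: one address, unique port above 1024
        self.pat_port[entry["pat"]] = port + 1
        return entry["pat"], port

def augmented_pool_example():
    """The 'Augmenting a Global Pool with PAT' config with the pool shrunk to two
    addresses (constructed) so that exhaustion happens on the third client."""
    pix = PixNat()
    for line in ["nat (inside) 1 10.0.0.0 255.255.255.0",
                 "global (outside) 1 192.168.0.20-192.168.0.21 netmask 255.255.255.0",
                 "global (outside) 1 192.168.0.19 netmask 255.255.255.0"]:
        pix.config(line)
    clients = ["10.0.0.3", "10.0.0.4", "10.0.0.5", "10.0.0.6", "10.1.0.7"]   # last one is not in the nat range
    return [pix.translate("inside", ip, 49090, "outside") for ip in clients]

def interface_pat_example():
    """'global (outside) 1 interface' uses the outside interface address as the PAT address."""
    pix = PixNat()
    for line in ["ip address outside 192.168.0.2 255.255.255.0",
                 "nat (inside) 1 10.0.0.0 255.255.255.0",
                 "global (outside) 1 interface"]:
        pix.config(line)
    return pix.translate("inside", "10.0.0.3", 49090, "outside")
```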
route Command
pixfirewall(config)# route if_name ip_address netmask gateway_ip [metric]
• The route command defines a static or default route for an interface.
pixfirewall(config)# route outside 0.0.0.0 0.0.0.0 192.168.0.1 1
Other Configuration Commands
• static
• conduit
• name
• fixup protocol
Statics and Conduits
(figure) Outside interface, security 0; inside interface, security 100.
• The static and conduit commands allow connections from a lower security interface to a higher security interface.
• The static command is used to create a permanent mapping between an inside IP address and a global IP address.
• The conduit command is an exception in the ASA’s inbound security policy for a given host.
static Command
pixfirewall(config)# static [(internal_if_name, external_if_name)] global_ip local_ip [netmask network_mask] [max_conns [em_limit]] [norandomseq]
• Maps a local IP address to a global IP address
(figure) Inside host 10.0.0.3 behind the PIX Firewall (inside 10.0.0.1, outside 192.168.0.2) and the perimeter router 192.168.0.1.
pixfirewall(config)# static (inside,outside) 192.168.0.10 10.0.0.3 netmask 255.255.255.255 0 1000
• Packet sent from 10.0.0.3 has a source address of 192.168.0.10
• Permanently maps a single IP address (external access)
• Recommended for internal service hosts
conduit Command
pixfirewall(config)# conduit permit|deny protocol global_ip global_mask [operator port[port]] foreign_ip foreign_mask [operator port[port]]
• A conduit maps a specific IP address and TCP/UDP connection from the outside host to the inside host.
(figure) Inside host 10.0.0.3 behind the PIX Firewall (inside 10.0.0.1, outside 192.168.0.2) and the perimeter router 192.168.0.1.
pixfirewall(config)# conduit permit tcp host 192.168.0.10 eq ftp any
• The conduit statement is backwards from an ACL.
Port Redirection
pixfirewall(config)# static [(internal_if_name, external_if_name)] {tcp|udp} {global_ip|interface} global-port local_ip local-port [netmask mask] [max_conns [emb_limit [norandomseq]]]
• Allows outside users to connect to a particular IP address or port and have the PIX redirect traffic to the appropriate inside server.
• The external user directs an HTTP port 8080 request to the PIX Firewall PAT address, 192.168.0.9. The PIX Firewall redirects this request to host 172.16.0.2 port 80.
pixfirewall(config)# static (inside,outside) tcp 192.168.0.9 8080 172.16.0.2 www netmask 255.255.255.255 0 0
(figure) http://192.168.0.9:8080 is redirected to http://172.16.0.2:80 on the 172.16.0.2 web server.
Conduit Example
pixfirewall(config)# nameif ethernet0 outside sec0
pixfirewall(config)# nameif ethernet1 inside sec100
pixfirewall(config)# nameif ethernet2 dmz sec50
pixfirewall(config)# ip address outside 192.168.0.2 255.255.255.0
pixfirewall(config)# ip address inside 10.0.0.1 255.255.255.0
pixfirewall(config)# ip address dmz 172.16.0.1 255.255.255.0
pixfirewall(config)# nat (inside) 1 10.0.0.0 255.255.255.0
pixfirewall(config)# global (outside) 1 192.168.0.20-192.168.0.254 netmask 255.255.255.0
pixfirewall(config)# global (dmz) 1 172.16.0.20-172.16.0.254 netmask 255.255.255.0
pixfirewall(config)# static (dmz,outside) 192.168.0.11 172.16.0.2
pixfirewall(config)# conduit permit tcp host 192.168.0.11 eq http any
(figure) e0 outside .2 on 192.168.0.0/24 toward the Internet, e1 inside .1 on 10.0.0.0/24, e2 dmz .1 on 172.16.0.0/24 with the bastion host at .2.
Another Conduit Example
pixfirewall(config)# nameif ethernet0 outside sec0
pixfirewall(config)# nameif ethernet1 inside sec100
pixfirewall(config)# nameif ethernet2 dmz sec50
pixfirewall(config)# nameif ethernet3 partnernet sec40
pixfirewall(config)# ip address outside 192.168.0.2 255.255.255.0
pixfirewall(config)# ip address inside 10.0.0.1 255.255.255.0
pixfirewall(config)# ip address dmz 172.16.0.1 255.255.255.0
pixfirewall(config)# ip address partnernet 172.18.0.1 255.255.255.0
pixfirewall(config)# nat (inside) 1 10.0.0.0 255.255.255.0
pixfirewall(config)# global (outside) 1 192.168.0.20-192.168.0.254 netmask 255.255.255.0
pixfirewall(config)# global (dmz) 1 172.16.0.20-172.16.0.254 netmask 255.255.255.0
pixfirewall(config)# static (dmz,outside) 192.168.0.11 172.16.0.2
pixfirewall(config)# conduit permit tcp host 192.168.0.11 eq http any
pixfirewall(config)# static (dmz,partnernet) 172.18.0.11 172.16.0.2
pixfirewall(config)# conduit permit tcp host 172.18.0.11 eq http any
(figure) e0 outside .2 on 192.168.0.0/24 toward the Internet, e1 inside .1 on 10.0.0.0/24, e2 dmz .1 on 172.16.0.0/24 with the bastion host at .2, and e3 partnernet .1 on 172.18.0.0/24.
Fixup Protocol Command
PIX has a protocol fixup feature to recognize applications running on non-standard ports
fixup protocol <protocol> <port>[-<port>]
NAT uses the fixup information for badly behaved protocols to handle those connections properly
fixup protocol ftp 2021
fixup protocol sqlnet 1600
Attack Guards
The PIX has special handling for DNS and SMTP using the fixup protocol command.
fixup protocol DNS <port>[-<port>]
fixup protocol SMTP <port>[-<port>]
DNS will only allow one response back to a query.
SMTP will only allow RFC 821 specified commands such as HELO, MAIL, RCPT, DATA, RSET, NOOP, and QUIT.
Defending against denial-of-service attacks
The PIX can defend against inbound SYN-flooding (excess connection requests) attacks with the option for the maximum number of embryonic (SYN only) connections per translation slot.
static (int_if_name, out_if_name) global_ip local_ip [max_conn [max_embr]] [norandomseq]
AAA and SYN Floodguards
AAA Floodguard protects against DoS attacks of authorization requests. It is enabled by default.
floodguard enable | disable
SYN Floodguard protects against DoS half-open connection attacks.
nat (inside) 1 0 0 [max_conns [em_limit]]
static (inside,outside) 200.1.1.1 10.1.1.1 netmask 255.255.255.255 [max_conns [em_limit]]
max_conns is the maximum connections permitted to hosts accessed from local_ip.
em_limit is the maximum embryonic connections permitted to hosts accessed from local_ip.
Summary
• The PIX Firewall has four administrative access modes: unprivileged, privileged, configuration, and monitor.
• Interfaces with a higher security level can access interfaces with a lower security level, while interfaces with a lower security level cannot access interfaces with a higher security level unless given permission.
• The primary commands necessary to configure the PIX Firewall are the following: nameif, interface, ip address, nat, global, static, conduit, and route.
Summary (continued)
• The nat and global commands work together to hide internal IP addresses.
• The nat 0 command allows an address to go out of the PIX untranslated while providing ASA security features for inbound requests.
• The static and conduit commands work together to provide access through the PIX.
• The PIX firewall supports protocol redirection and has advanced protocol handling features.
• The PIX firewall has DoS attack guards and Floodguards.
Configuring Failover
(figure) A primary and a secondary PIX Firewall joined by a failover cable, both connected toward the Internet.
Failover
The primary and secondary units must:
• be the same model number.
• have identical software versions and activation key types.
• have the same amount of Flash memory and RAM.
IP Address for Failover on PIX Firewalls
(figure) Primary PIX Firewall (active/standby) with system IP/failover IP; secondary PIX Firewall (standby/active) with failover IP/system IP. On 192.168.0.0/24 the primary's e0 is .2 and the secondary's e0 is .7, with the router at .1; on 10.0.0.0/24 the primary's e1 is .1 and the secondary's e1 is .7, with an inside host at .3.
Configuration Replication
Configuration replication occurs:
• When the standby firewall completes its initial bootup.
• As commands are entered on the active firewall.
• By entering the write standby command.
Failover and Stateful Failover
• Failover
– Connections are dropped.
– Client applications must reconnect.
– Provides redundancy.
• Stateful failover
– Connections remain active.
– No client applications need to reconnect.
– Provides redundancy and stateful connection.
failover Commands
pixfirewall(config)# failover link [stateful_if_name]
• The failover link command enables stateful failover.
pixfirewall(config)# failover ip address if_name ip_address
• The failover ip address command creates an IP address for the standby PIX Firewall.
pixfirewall# failover ip address inside 10.0.0.4
pixfirewall(config)# failover
• The failover command enables failover between the active and standby PIX Firewalls.
pixfirewall(config)# failover [active]
• The failover active command makes a PIX Firewall the primary firewall.
failover poll Command
pixfirewall(config)# failover poll seconds
• Specifies how long failover waits before sending special failover “hello” packets between the primary and standby units over all network interfaces and the failover cable.
pixfirewall(config)# failover poll 10
• Failover waits ten seconds before sending special failover “hello” packets.
show failover Command
Before failover:
pixfirewall(config)# show failover
Failover On
Cable status: Normal
Reconnect timeout 0:00:00
        This host: Primary - Active
                Active time: 360 (sec)
                Interface dmz (172.16.0.1): Normal
                Interface outside (192.168.0.2): Normal
                Interface inside (10.0.0.1): Normal
        Other host: Secondary - Standby
                Active time: 0 (sec)
                Interface dmz (172.16.0.4): Normal
                Interface outside (192.168.0.4): Normal
                Interface inside (10.0.0.4): Normal
Stateful Failover Logical Update Statistics
        Link : dmz
After failover:
pixfirewall(config)# show failover
Failover On
Cable status: Normal
Reconnect timeout 0:00:00
        This host: Primary - Standby
                Active time: 0 (sec)
                Interface dmz (172.16.0.4): Normal
                Interface outside (192.168.0.4): Normal
                Interface inside (10.0.0.4): Normal
        Other host: Secondary - Active
                Active time: 150 (sec)
                Interface dmz (172.16.0.1): Normal
                Interface outside (192.168.0.2): Normal
                Interface inside (10.0.0.1): Normal
Stateful Failover Logical Update Statistics
        Link : dmz
Summary
• The primary and secondary PIX Firewalls are the two firewalls used for failover. The primary PIX Firewall is usually active, while the secondary PIX Firewall is usually standby, but during failover the primary PIX Firewall goes on standby while the secondary becomes active.
• The configuration of the primary PIX Firewall is replicated to the secondary PIX Firewall during configuration replication.
• During failover, connections are dropped, while during stateful failover, connections remain active.
Access Control Configuration and Content Filtering
Access Control List
• An ACL enables you to determine what traffic will be allowed or denied through the PIX Firewall.
• ACLs are applied per interface (traffic is analyzed inbound relative to an interface).
• The access-list and access-group commands are used to create an ACL.
• The access-list and access-group commands are an alternative for the conduit and outbound commands.
ACL Usage Guidelines
• Higher to lower security level
– Use an ACL to restrict outbound traffic.
– The ACL source address is the actual (un-translated) address of the host or network.
• Lower to higher security level
– Use an ACL to restrict inbound traffic.
– The destination host must have a statically mapped address.
– The ACL destination address is the “global ip” assigned in the static command.
access-list Command
pixfirewall(config)# access-list acl_name [deny | permit] protocol {src_addr | local_addr} {src_mask | local_mask} operator port {destination_addr | remote_addr} {destination_mask | remote_mask} operator port
• Enables you to create an ACL
• ACLs associated with IPSec are known as “crypto” ACLs
• ACL “dmz1” denies access from the 192.168.1.0 network to TCP ports less than 1025 on host 192.168.0.1
pixfirewall(config)# access-list dmz1 deny tcp 192.168.1.0 255.255.255.0 host 192.168.0.1 lt 1025
access-group Command
pixfirewall(config)# access-group acl_name in interface interface_name
• Binds an ACL to an interface
• The ACL is applied to traffic inbound to an interface
• ACL “dmz1” is bound to interface “dmz”
pixfirewall(config)# access-group dmz1 in interface dmz
ACLs Versus Conduits
ACL: An ACL applies to a single interface, affecting all traffic entering that interface regardless of its security level.
Conduit: A conduit creates an exception to the PIX Firewall Adaptive Security Algorithm by permitting connections from one interface to access hosts on another.
It is recommended to use ACLs to maintain future compatibility.
Convert Conduits to ACLs
access-list acl_name [deny | permit] protocol {src_addr | local_addr} {src_mask | local_mask} operator port {destination_addr | remote_addr} {destination_mask | remote_mask} operator port
conduit permit | deny protocol global_ip global_mask [operator port [port]] foreign_ip foreign_mask [operator port [port]]
• global_ip = destination_addr
• foreign_ip = src_addr
pixfirewall(config)# conduit permit tcp host 192.168.0.10 eq www any
pixfirewall(config)# access-list acl_in permit tcp any host 192.168.0.10 eq www
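The conduit-to-ACL mapping above (global_ip becomes the destination, foreign_ip the source) and the ACL semantics of the access-list slides, as an added Python example that is not Cisco's code: a small parser for both statement forms, the conversion, and a first-match evaluator with the PIX's implicit deny at the end of an ACL. The function names, the outside client addresses and the second dmz1 line are constructed; the port-name table covers only the names the slides use.

```python
import ipaddress

# well-known port names the slides use; the PIX accepts names or numbers
PORT_NAMES = {"www": 80, "http": 80, "ftp": 21, "smtp": 25, "telnet": 23, "domain": 53}
PORT_OPS = ("eq", "lt", "gt", "neq", "range")

def _addr(tokens):
    """Consume one address spec: 'any', 'host A.B.C.D', or 'A.B.C.D mask'."""
    t = tokens.pop(0)
    if t == "any":
        return ["any"]
    if t == "host":
        return ["host", tokens.pop(0)]
    return [t, tokens.pop(0)]

def _port(tokens):
    """Consume an optional port operator: 'eq|lt|gt|neq port' or 'range lo hi'."""
    if not tokens or tokens[0] not in PORT_OPS:
        return []
    op = tokens.pop(0)
    return [op, tokens.pop(0), tokens.pop(0)] if op == "range" else [op, tokens.pop(0)]

def conduit_to_acl(conduit, acl_name):
    """conduit <action> <proto> global_ip [port] foreign_ip [port] becomes
    access-list <name> <action> <proto> foreign_ip [port] global_ip [port]:
    the foreign (outside) host is the ACL source, the global (static) address its destination."""
    tokens = conduit.split()
    if tokens[:1] != ["conduit"]:
        raise ValueError("not a conduit statement")
    action, proto, rest = tokens[1], tokens[2], tokens[3:]
    global_addr, global_port = _addr(rest), _port(rest)
    foreign_addr, foreign_port = _addr(rest), _port(rest)
    if rest:
        raise ValueError(f"unexpected trailing tokens: {rest}")
    return " ".join(["access-list", acl_name, action, proto,
                     *foreign_addr, *foreign_port, *global_addr, *global_port])

def parse_acl(line):
    tokens = line.split()
    entry = {"name": tokens[1], "action": tokens[2], "proto": tokens[3]}
    rest = tokens[4:]
    entry["src"], entry["sport"] = _addr(rest), _port(rest)
    entry["dst"], entry["dport"] = _addr(rest), _port(rest)
    return entry

def _addr_matches(spec, ip):
    if spec[0] == "any":
        return True
    if spec[0] == "host":
        return ip == spec[1]
    return ipaddress.ip_address(ip) in ipaddress.ip_network(f"{spec[0]}/{spec[1]}", strict=False)

def _port_matches(spec, port):
    if not spec:
        return True
    nums = [int(PORT_NAMES.get(p, p)) for p in spec[1:]]
    return {"eq": port == nums[0], "lt": port < nums[0], "gt": port > nums[0],
            "neq": port != nums[0], "range": nums[0] <= port <= nums[-1]}[spec[0]]

def acl_decision(acl_lines, proto, src, sport, dst, dport):
    """First matching entry wins; no match is the PIX's implicit deny. Protocol 'ip' matches any protocol."""
    for e in map(parse_acl, acl_lines):
        if (e["proto"] in (proto, "ip") and _addr_matches(e["src"], src) and _port_matches(e["sport"], sport)
                and _addr_matches(e["dst"], dst) and _port_matches(e["dport"], dport)):
            return e["action"]
    return "deny"

def slide_conversion():
    """The slide's conduit, converted, then checked for an outside web client (constructed)."""
    acl = conduit_to_acl("conduit permit tcp host 192.168.0.10 eq www any", "acl_in")
    allowed = acl_decision([acl], "tcp", "172.30.0.50", 40123, "192.168.0.10", 80)
    blocked = acl_decision([acl], "tcp", "172.30.0.50", 40124, "192.168.0.10", 22)   # implicit deny
    return acl, allowed, blocked

def dmz1_example():
    """The dmz1 entry from the access-list slide plus a constructed permit line to show fall-through."""
    lines = ["access-list dmz1 deny tcp 192.168.1.0 255.255.255.0 host 192.168.0.1 lt 1025",
             "access-list dmz1 permit ip any any"]
    return (acl_decision(lines, "tcp", "192.168.1.7", 33000, "192.168.0.1", 23),
            acl_decision(lines, "tcp", "192.168.1.7", 33001, "192.168.0.1", 8080))
```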
ACLs
pixfirewall(config)# nat (dmz) 1 0 0
pixfirewall(config)# global (outside) 1 192.168.0.20-192.168.0.254 netmask 255.255.255.0
pixfirewall(config)# static (inside,dmz) 172.16.0.10 10.0.0.3 netmask 255.255.255.255
pixfirewall(config)# static (inside,dmz) 172.16.0.12 10.0.0.4 netmask 255.255.255.255
pixfirewall(config)# access-list 102 permit tcp 172.16.0.0 255.255.255.0 172.16.0.10 255.255.255.255 eq ftp
pixfirewall(config)# access-list 102 permit tcp 172.16.0.0 255.255.255.0 172.16.0.12 255.255.255.255 eq smtp
pixfirewall(config)# access-list 102 permit tcp 172.16.0.0 255.255.255.0 any eq www
pixfirewall(config)# access-group 102 in interface dmz
• Users on the DMZ are able to access the Internet, the internal FTP server, and the internal mail server.
Deny Web Access to the Internet
nameif ethernet0 outside sec0
nameif ethernet1 inside sec100
access-list acl_out deny tcp any any eq www
access-list acl_out permit ip any any
access-group acl_out in interface inside
nat (inside) 1 10.0.0.0 255.255.255.0
global (outside) 1 192.168.0.20-192.168.0.254 netmask 255.255.255.0
• Denies web traffic on port 80 from the inside network to the Internet
• Permits all other IP traffic from the inside network to the Internet
(figure) www traffic from the inside network is blocked at the PIX Firewall; other IP traffic reaches the Internet.
Permit Web Access to the DMZ
nameif ethernet0 outside sec0
nameif ethernet1 inside sec100
nameif ethernet2 dmz sec50
ip address outside 192.168.0.2 255.255.255.0
ip address inside 10.0.0.1 255.255.255.0
ip address dmz 172.16.0.1 255.255.255.0
static (dmz,outside) 192.168.0.11 172.16.0.2
access-list acl_in_dmz permit tcp any host 192.168.0.11 eq www
access-list acl_in_dmz deny ip any any
access-group acl_in_dmz in interface outside
(figure) e0 .2 on 192.168.0.0/24 toward the Internet, e1 .1 on 10.0.0.0/24, e2 .1 on 172.16.0.0/24 with the web server at .2.
• The ACL acl_in_dmz permits web traffic on port 80 from the Internet to the DMZ web server.
• The ACL acl_in_dmz denies all other IP traffic from the Internet.
icmp Command
pixfirewall(config)# icmp permit | deny [host] src_addr [src_mask] [type] int_name
• Enables or disables pinging to an interface
pixfirewall(config)# icmp deny any echo-reply outside
pixfirewall(config)# icmp permit any unreachable outside
• All ping requests are denied at the outside interface, and all unreachable messages are permitted at the outside interface
Summary
• ACLs enable you to determine which systems can establish connections through your PIX Firewall.
• Cisco recommends migrating from conduits to ACLs.
• Existing conduits can easily be converted to ACLs.
• With ICMP ACLs, you can disable pinging to a PIX Firewall interface so that your PIX Firewall cannot be detected on your network.
• The PIX Firewall can work with URL-filtering software to control and monitor Internet activity.