6/1/2015 PIX in a Day. 6/1/2015 Objective This is a two part course designed for people with good...
04/18/23
PIX in a Day
Objective
This is a two-part course designed for people with a good knowledge of IP and some knowledge.
It is presented in two parts. The first part, this course, shows how to configure a PIX V6 firewall in a number of scenarios. The second covers troubleshooting.
This is not a security course: basic principles are not covered and a good knowledge of networks is assumed. It will not teach anyone to design a firewall (leave that to experts like me), only how to implement one.
Marketing fluff
PIX features according to Cisco
• Embedded system (Cisco PIX firewall OS) is real-time and secure; not subject to operating system vulnerabilities
• Adaptive Security Algorithm (ASA) provides stateful connection control. Packet information is placed in a table; information from the packet must match information in the table
• Cut-through proxy; user-based authentication of inbound and outbound connections. Improved performance over proxy filters: low overhead processing = better performance
• Stateful failover/hot standby: fully redundant topology (failover) can be configured
PIX Firewall ASA
Adaptive Security Algorithm is Cisco's name for the subroutines that perform stateful packet filtering.
A data packet is analysed and its information is placed in a table, the state table or xlate table.
On receipt of return traffic, the incoming packet is checked against the table; for the connection to be established there must be a match between the two. ASA is part of the PIX operating system.
PIX Firewall Cut-Through Proxy
The cut-through proxy provides a method for user-based authentication. Inbound and outbound connections can be authenticated.
It gives better performance than a proxy filter because the processing overhead on the PIX is reduced: sockets are not terminated and re-opened, so the device never becomes an end point.
After authentication by a TACACS+ or RADIUS server, per-user connection state information is maintained by the firewall. For protocols that don't support authentication, a virtual telnet server exists.
PIX: Stateful Filtering
PIX obtains the IP address and port from each layer 4 protocol and logs the connection data in the stateful connection table. A session object is created at this stage of the process.
Inbound and outbound packets are compared to the table. If a connection entry exists, the packets are allowed to pass.
Once the connection is terminated, the connection information, including the session object, is eventually deleted.
For protocols where no state exists, timers are used to "tear down" the connection object.
PIX Firewall features
Failover
PIX supports active-passive failover in stateful and non-stateful modes. The two PIX Firewalls must be identical models which are identically configured. In stateful failover, connections do not have to be restarted.
PIX Firewall commands
These are basically the Version 10 IOS commands
• enable – as IOS
• configure terminal – changes PIX configuration; changes are merged with the running config in RAM and take effect at once
• passwd – sets the password for Telnet access; the encrypted option sets an encrypted password
• show config – displays the startup configuration
• write terminal / show run – shows the running config on the terminal
• write net – sends the config to TFTP
• write standby – writes the config to the standby PIX
• write erase – clears the Flash memory configuration (startup configuration)
PIX Firewall commands
• show xlate – shows translation slots; IP addresses allocated for address translation
• configure net – merges the running configuration with a TFTP server stored file of the same name
• configure memory – merges the running configuration with the startup configuration in Flash
• show interface – shows many parameters of the named interface
• show history – shows recently entered commands
• show ip address – shows all IP addresses
PIX Firewall commands
• clear xlate – clears translation slots; disrupts service
• shun – temporarily blocks an IP address
• reload – restarts
• kill – kills telnet/ssh sessions
The basic configuration
pixfirewall(config)# interface ethernet0 auto
pixfirewall(config)# interface ethernet1 100full
pixfirewall(config)# nameif ethernet0 outside security0
pixfirewall(config)# nameif ethernet1 inside security100
pixfirewall(config)# ip address outside 61.2.93.93 255.255.255.240
pixfirewall(config)# ip address inside 10.0.0.2 255.255.255.0
pixfirewall(config)# route outside 0.0.0.0 0.0.0.0 61.2.93.81 1
First 4 config commands
The ip address command adds an IP address to an interface
pixfirewall(config)# ip address inside 10.0.0.2 255.255.255.0
Usage: [no] ip address <if_name> <ip_address> [<mask>]
Usage: [no] ip address <if_name> dhcp [setroute] [retry <retry_cnt>]
And everyone recognises a static route
Usage: route <if_name> <foreign_ip> <mask> <gateway> [<metric>]
pixfirewall(config)# route inside 0.0.0.0 0.0.0.0 61.2.93.81 1
In the above example, inside is the interface that the packet will leave from
IP address & Route
Interface command
pixfirewall(config)# interface ethernet1 100full
Usage: interface <hardware_id> [<hw_speed> [shutdown]]
The interface command enables properties of an interface. Speed options include:
auto / 10baseT / 10full / 100baseTX / 100full / 1000auto / 1000full / 1000full nonegotiate
For dot1q virtual interfaces:
Usage: interface <hardware_id> <vlan_id> logical
pixfirewall(config)# interface ethernet1 vlan99 logical
PIX ASA Security Levels
Of any two interfaces, one must have the higher security level. Packets can pass from a higher to a lower level interface, but not from a lower to a higher level interface without an access list (except ICMP, see below).
Security levels range from 0 through 100. 100 is the most secure: the default for the inside interface, and it can't be changed. 0 is the least secure: the default for the outside interface, and it can't be changed.
1 through 99 can be assigned to other interfaces such as a DMZ
PIX ASA Security Levels
Inside to outside: data travelling from a more secure to a less secure interface requires an address translation only (see caveat)
Outside to inside: data travelling from a less secure to a more secure interface needs a static translation AND an access list to pass through
No traffic can pass between interfaces with identical security levels. For example, if two DMZs have a security level of 50, they can't talk to each other.
Don't rely on this; it has changed between versions
EXCEPT ICMP
Inside to outside: data travelling from more secure to less secure requires an address translation (only)
Security people DON'T LIKE ICMP
THEREFORE WE MAKE IT DIFFICULT TO USE
TO GET A RETURNED ECHO-REPLY YOU NEED AN ACCESS-LIST
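The rules on these security-level slides (high to low passes with a translation, low to high needs a static and an access-list, equal levels never talk, ICMP replies are not tracked) as a small Python model. This is an added example, not code from the course; it models a two-interface PIX with a state table on constructed packets, ignores the address rewriting itself (return traffic is matched on the untranslated 5-tuple), and the Packet and Pix names are the example's own.

```python
"""Toy model of the PIX ASA rules on the security-level slides.

Added example, not code from the original course. It models interface
security levels, the stateful connection table, the static-plus-ACL
requirement for low-to-high traffic and the ICMP exception, on constructed
packets. Address translation itself is not modelled, so return traffic is
matched on the untranslated 5-tuple. All names are the example's own.
"""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Packet:
    ingress: str   # interface the packet arrives on (nameif label)
    proto: str     # "tcp", "udp" or "icmp"
    src: str
    sport: int
    dst: str
    dport: int


@dataclass
class Pix:
    levels: dict                                 # nameif: label -> security level
    statics: set = field(default_factory=set)    # addresses with a static translation
    acl: set = field(default_factory=set)        # permitted (proto, dst, dport) on the low side
    state: set = field(default_factory=set)      # connection table (5-tuples)

    def egress_for(self, pkt: Packet) -> str:
        # Two-interface toy routing: a packet leaves by the other interface.
        return next(name for name in self.levels if name != pkt.ingress)

    def check(self, pkt: Packet) -> str:
        """Return a 'permit: ...' or 'deny: ...' verdict and update the state table."""
        src_lvl = self.levels[pkt.ingress]
        dst_lvl = self.levels[self.egress_for(pkt)]
        # 1. Return traffic for a connection already in the table passes with no ACL.
        reverse_key = (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)
        if reverse_key in self.state:
            return "permit: return traffic matches connection table"
        # 2. Interfaces at the same level never talk to each other.
        if src_lvl == dst_lvl:
            return "deny: identical security levels"
        # 3. High to low passes (with a translation); ASA records the connection,
        #    except for ICMP, which is not tracked, so the echo-reply needs an ACL.
        if src_lvl > dst_lvl:
            if pkt.proto != "icmp":
                self.state.add((pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport))
            return "permit: high to low, address translation applies"
        # 4. Low to high needs BOTH a static translation and an access-list entry.
        if pkt.dst not in self.statics:
            return "deny: no static translation for destination"
        if (pkt.proto, pkt.dst, pkt.dport) not in self.acl:
            return "deny: implicit ip deny any any"
        return "permit: static translation and access-list"


def demo() -> list:
    """Constructed packets through a two-interface PIX; returns the verdicts in order."""
    pix = Pix(levels={"inside": 100, "outside": 0},
              statics={"61.2.93.82"},
              acl={("tcp", "61.2.93.82", 443)})
    packets = [
        Packet("inside", "tcp", "10.0.0.5", 1500, "196.1.1.1", 80),    # outbound web
        Packet("outside", "tcp", "196.1.1.1", 80, "10.0.0.5", 1500),   # its reply
        Packet("inside", "icmp", "10.0.0.5", 0, "196.1.1.1", 0),       # outbound echo
        Packet("outside", "icmp", "196.1.1.1", 0, "10.0.0.5", 0),      # echo-reply, no state
        Packet("outside", "tcp", "1.2.3.4", 4000, "61.2.93.82", 443),  # inbound https, permitted
        Packet("outside", "tcp", "1.2.3.4", 4001, "61.2.93.82", 22),   # inbound ssh, not in ACL
    ]
    return [pix.check(p) for p in packets]


if __name__ == "__main__":
    for verdict in demo():
        print(verdict)
```

The fourth packet is the point of the ICMP slide: the outbound echo went out without creating state, so the reply is judged as fresh low-to-high traffic and fails.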
PIX ASA Security Levels
[Diagram: interface security levels: inside 100, DMZ 50, outside 0]
nameif command
The nameif command assigns a logical name or label to an interface. It also assigns a security value 0 – 100
Usage: nameif <hardware_id> <label> <security_lvl>
Usage: nameif <vlan_id> <label> <security_lvl>
hardware_id = interface
label = a logical name
security level: 0 is the dirtiest, traditionally outside; 100 is the cleanest, traditionally inside
pixfirewall(config)# nameif ethernet1 inside security100
But your firewall still won’t work
You need GLOBAL and NAT
Global & Nat
PIX relies on address translation to provide security. Under normal circumstances a connection will have its:
• Source address translated on outbound connections
• Destination address translated on inbound connections
For the exam:
• Global address is a valid outside address
• Local is an internal address
• Private is an RFC 1918 address
Global & Nat: Types of address translation
• Static NAT (network address translation) – one-to-one translation based on a STATIC table (explained later)
• Dynamic NAT – dynamically translate a source address to an address selected from a GLOBAL address pool
[Diagram: dynamic NAT through the ASA, global pool 212.23.35.117-118]
inside 10.0.0.1 port 1500 -> 196.1.1.1 port 80 leaves as 212.23.35.117 port 1500 -> 196.1.1.1 port 80
inside 10.0.0.11 port 1800 -> 196.1.1.1 port 80 leaves as 212.23.35.118 port 1800 -> 196.1.1.1 port 80
Global & Nat
• Dynamic PAT – dynamically translate a source address to the address of the outbound interface and change the source port to a free ephemeral port
[Diagram: dynamic PAT through the ASA, single global address 212.23.35.117]
inside 10.0.0.1 port 1500 -> 196.1.1.1 port 80 leaves as 212.23.35.117 port 132,001 -> 196.1.1.1 port 80
inside 10.0.0.11 port 1800 -> 196.1.1.1 port 80 leaves as 212.23.35.117 port 132,002 -> 196.1.1.1 port 80
Global & Nat
The global command defines a global pool of addresses to use for address translation
usage: global (if-label) pool-no ip_address [-to ip_address | mask]
global (outside) 1 212.23.35.117 212.23.35.127
The nat command defines a range of source addresses that may use a particular global pool
usage: nat (if-label) pool-no ip_address subnet-mask
nat (inside) 1 10.0.0.0 255.255.0.0
Global & Nat: Example
[Diagram: dynamic NAT through the ASA, inside on one side and outside on the other, global pool 212.23.35.117-118]
inside 10.0.0.1 port 1500 -> 196.1.1.1 port 80 leaves as 212.23.35.117 port 1500 -> 196.1.1.1 port 80
inside 10.0.0.11 port 1800 -> 196.1.1.1 port 80 leaves as 212.23.35.118 port 1800 -> 196.1.1.1 port 80
global (outside) 1 212.23.35.117 212.23.35.118 : create a translation pool on the outside interface
nat (inside) 1 10.0.0.0 255.255.255.0 : allow any address 10.0.0.* coming in on inside to use it
Global & Nat
Only define 1 address in global for PAT
global (outside) 1 212.23.35.117
or global (outside) 1 interface
To turn off NAT use nat 0
nat (inside) 0 0 0
Nat
Or to be a right smart arse use an access-list
nat (inside) 1 access-list natlist
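The difference between a dynamic NAT pool and PAT, as the global/nat slides describe it, in a Python model of the xlate table. This is an added example and not the course's own code; expand_pool and XlateTable are the example's names, the 10.0.0.x hosts and the 212.23.35.117-118 pool are taken from the slides, and the PAT port numbering starting at 1024 is an assumption for illustration. It also covers the two edge cases the slides imply: a pool that runs out of addresses, and nat 0.

```python
"""Dynamic NAT and PAT translation slots, modelled after the global/nat slides.

Added example, not the course's own code. An XlateTable hands out addresses
from a global pool (dynamic NAT: one global address per local host, source
port unchanged) or, when the pool is a single address, rewrites the source
port too (PAT). Pool exhaustion, hosts outside the nat statement and nat 0
are handled. Names, sample hosts and the PAT start port are constructed.
"""
import ipaddress


def expand_pool(spec: str) -> list:
    """'212.23.35.117-212.23.35.118' -> ['212.23.35.117', '212.23.35.118']."""
    first, _, last = spec.partition("-")
    lo = int(ipaddress.ip_address(first))
    hi = int(ipaddress.ip_address(last or first))
    return [str(ipaddress.ip_address(n)) for n in range(lo, hi + 1)]


class XlateTable:
    def __init__(self, nat_net: str, global_pool: list, nat_id: int = 1):
        # nat (inside) <id> <net> <mask>: which local addresses may use the pool.
        self.nat_net = ipaddress.ip_network(nat_net, strict=False)
        self.nat_id = nat_id                       # 0 means "no translation"
        # global (outside) <id> <first> [<last>]: a single address means PAT.
        self.pool = list(global_pool)
        self.pat_mode = len(self.pool) == 1
        self.free = list(self.pool)                # unused dynamic NAT addresses
        self.next_pat_port = 1024                  # next free PAT source port (assumed start)
        self.xlate = {}                            # (local_ip, port) -> (global_ip, port)

    def translate(self, local_ip: str, local_port: int):
        """Return the (global_ip, global_port) an outbound connection is seen as,
        or None when no nat statement covers the host (the PIX drops it)."""
        key = (local_ip, local_port)
        if key in self.xlate:                      # existing slot is reused
            return self.xlate[key]
        if ipaddress.ip_address(local_ip) not in self.nat_net:
            return None
        if self.nat_id == 0:                       # nat (inside) 0 ...: identity
            return (local_ip, local_port)
        if self.pat_mode:
            mapped = (self.pool[0], self.next_pat_port)
            self.next_pat_port += 1
        else:
            # Dynamic NAT: reuse the global address already given to this host,
            # else take the next free one; the port is left alone.
            existing = {l_ip: g_ip for (l_ip, _), (g_ip, _) in self.xlate.items()}
            if local_ip in existing:
                mapped = (existing[local_ip], local_port)
            elif self.free:
                mapped = (self.free.pop(0), local_port)
            else:
                raise RuntimeError("global pool exhausted; no PAT address configured")
        self.xlate[key] = mapped
        return mapped

    def clear_xlate(self) -> None:
        """clear xlate: drop every slot (and so disrupt every live connection)."""
        self.xlate.clear()
        self.free = list(self.pool)
        self.next_pat_port = 1024


def demo():
    """Constructed flows through a 2-address pool (NAT) and a 1-address pool (PAT)."""
    nat = XlateTable("10.0.0.0/24", expand_pool("212.23.35.117-212.23.35.118"))
    pat = XlateTable("10.0.0.0/24", ["212.23.35.117"])
    flows = [("10.0.0.1", 1500), ("10.0.0.11", 1800), ("10.0.0.1", 1501)]
    return ([nat.translate(ip, port) for ip, port in flows],
            [pat.translate(ip, port) for ip, port in flows])


if __name__ == "__main__":
    nat_result, pat_result = demo()
    print("dynamic NAT:", nat_result)
    print("PAT:        ", pat_result)
```

With two addresses in the pool a third inside host cannot get a slot, which is why a real pool is normally backed by a PAT address; the model raises instead of silently dropping so the failure is visible.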
You now know enough to get a basic firewall working
pixfirewall(config)# interface ethernet0 auto
pixfirewall(config)# interface ethernet1 100full
pixfirewall(config)# nameif ethernet0 outside security0
pixfirewall(config)# nameif ethernet1 inside security100
pixfirewall(config)# ip address outside 61.2.93.93 255.255.255.240
pixfirewall(config)# ip address inside 10.0.0.2 255.255.255.0
pixfirewall(config)# route outside 0.0.0.0 0.0.0.0 61.2.93.81 1
pixfirewall(config)# global (outside) 1 interface
pixfirewall(config)# nat (inside) 1 0.0.0.0 0.0.0.0 0 0
But this configuration only allows information “out”
basic
Lab
• Configure a PIX to have the addresses provided
• So that it can browse the WWW
• PATs all requests to the outside interface
• Allows no traffic in
Time: 45 minutes
Allowing information “IN”
Static
The ASA will only allow traffic to travel from a "low" to a "high" interface if a static address translation is configured.
This is done with the static command
usage: static (if-src, if-dest) ip-dest ip-src netmask netmask
static (inside,outside) 61.2.93.82 10.0.0.2 netmask 255.255.255.255 0 0
You now have an external address, but it has an implied access-list of
ip deny any any
Access-lists
access-list
PIX access-lists are different from IOS access-lists. The key differences are:
• They are stateful, so they allow return traffic
• The mask is a genuine subnet mask
• The identifier (i.e. name) is alphanumeric:
  IOS = access-list 101 permit
  PIX = access-list one0one
• Line numbers can be used to edit access-lists
Example access list:
access-list acl-outside permit tcp any host 217.64.230.186 eq https
access-list acl-outside permit tcp any 217.64.230.0 255.255.255.0 eq https
access-list acl-outside deny ip any any
Applying an access list to an interface:
access-group acl-outside in interface outside
Removing an access list from an interface:
no access-group acl-outside in interface outside
access-list
Object-group
Object-group
With version 5, PIX worked brilliantly in small organisations, but larger organisations always chose Checkpoint Firewall-1.
One reason for that was complexity: when I converted one small bank from FW1 to PIX, one screen of FW1 access-lists turned into 7 pages of PIX access-lists:
• services could not be grouped
• addresses could not be grouped
which resulted in pages of repetition
Imagine
access-list oldlist permit tcp host 10.0.0.1 any eq www
access-list oldlist permit tcp host 10.0.0.1 any eq https
access-list oldlist permit tcp host 10.0.0.2 any eq www
access-list oldlist permit tcp host 10.0.0.2 any eq https
access-list oldlist permit tcp host 10.0.0.3 any eq www
access-list oldlist permit tcp host 10.0.0.3 any eq https
access-list oldlist permit tcp host 10.0.0.9 any eq www
access-list oldlist permit tcp host 10.0.0.9 any eq https
access-list oldlist permit tcp host 10.0.0.22 any eq www
access-list oldlist permit tcp host 10.0.0.22 any eq https
Object-group
object-group network inside10
 description inside 10 class objects
 network-object host 10.0.0.1
 network-object host 10.0.0.2
 network-object host 10.0.0.3
 network-object host 10.0.0.9
 network-object host 10.0.0.22
Object-group
pixfirewall(config)# show object
object-group network inside10
 description: inside 10 class objects
 network-object host 10.0.0.1
 network-object host 10.0.0.2
 network-object host 10.0.0.9
 network-object host 10.0.0.22
object-group service browsing tcp
 description: this is the web tcp ports
 port-object eq www
 port-object eq https
pixfirewall(config)# access-list obj-exmple permit tcp object-group inside10 any object-group browsing
pixfirewall(config)#
Object-group access-list
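A Python evaluator for the PIX access-list and object-group syntax from the slides above, added here as an example (it is not the course's code). It parses a constructed configuration written in the same syntax, expands network and service object-groups into the entries that reference them, applies the genuine subnet mask that distinguishes PIX from IOS, and evaluates packets first-match-first with the implicit deny at the end; the stateful return-traffic behaviour is not modelled here.

```python
"""Evaluating PIX-style access-lists with object-groups.

Added example, not code from the course. It parses the access-list and
object-group syntax shown on the slides (genuine subnet masks rather than
IOS wildcards, 'host', 'any', 'eq <port>', network and service groups)
and evaluates packets against a list: first match wins, and a list with
no match behaves as 'deny ip any any'. Statefulness is not modelled.
The config text and packets are constructed for the example.
"""
import ipaddress

# Service keywords the PIX accepts in place of numbers (subset, constructed).
SERVICE_NAMES = {"www": 80, "http": 80, "https": 443, "ssh": 22, "smtp": 25, "domain": 53}

CONFIG = """\
object-group network inside10
 description inside 10 class objects
 network-object host 10.0.0.1
 network-object host 10.0.0.2
 network-object 10.0.1.0 255.255.255.0
object-group service browsing tcp
 port-object eq www
 port-object eq https
access-list acl-inside permit tcp object-group inside10 any object-group browsing
access-list acl-inside permit udp host 10.0.0.1 host 10.0.0.53 eq domain
access-list acl-inside deny ip any any
"""


def _port(token: str) -> int:
    return int(token) if token.isdigit() else SERVICE_NAMES[token]


def _nets(tokens: list, groups: dict):
    """Parse one address spec; return ([networks], tokens consumed)."""
    if tokens[0] == "any":
        return [ipaddress.ip_network("0.0.0.0/0")], 1
    if tokens[0] == "host":
        return [ipaddress.ip_network(tokens[1] + "/32")], 2
    if tokens[0] == "object-group":
        return list(groups[tokens[1]]["items"]), 2
    # PIX style: address followed by a real subnet mask, e.g. 10.0.1.0 255.255.255.0
    return [ipaddress.ip_network(f"{tokens[0]}/{tokens[1]}", strict=False)], 2


def _ace(tokens: list, groups: dict) -> dict:
    """Parse 'permit|deny proto src dst [eq port | object-group svc]'."""
    action, proto, i = tokens[0], tokens[1], 2
    src, n = _nets(tokens[i:], groups)
    i += n
    dst, n = _nets(tokens[i:], groups)
    i += n
    dports = None                                  # None: any destination port
    if i < len(tokens) and tokens[i] == "eq":
        dports = {_port(tokens[i + 1])}
    elif i < len(tokens) and tokens[i] == "object-group":
        dports = set(groups[tokens[i + 1]]["items"])
    return {"action": action, "proto": proto, "src": src, "dst": dst, "dports": dports}


def parse_config(text: str) -> dict:
    """Return {acl_name: [ace, ...]} with object-groups already expanded."""
    groups, acls, current = {}, {}, None
    for raw in text.splitlines():
        tokens = raw.split()
        if not tokens or tokens[0] == "description":
            continue
        if tokens[0] == "object-group":
            current = groups.setdefault(tokens[2], {"type": tokens[1], "items": []})
        elif tokens[0] == "network-object":
            current["items"].extend(_nets(tokens[1:], groups)[0])
        elif tokens[0] == "port-object":
            current["items"].append(_port(tokens[2]))
        elif tokens[0] == "access-list":
            acls.setdefault(tokens[1], []).append(_ace(tokens[2:], groups))
    return acls


def evaluate(acl: list, proto: str, src: str, dst: str, dport: int) -> str:
    """First matching entry decides; no match behaves like the implicit deny."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for ace in acl:
        if ace["proto"] not in ("ip", proto):
            continue
        if not any(s in net for net in ace["src"]):
            continue
        if not any(d in net for net in ace["dst"]):
            continue
        if ace["dports"] is not None and dport not in ace["dports"]:
            continue
        return ace["action"]
    return "deny"


if __name__ == "__main__":
    acl = parse_config(CONFIG)["acl-inside"]
    print(evaluate(acl, "tcp", "10.0.1.77", "196.1.1.1", 443))   # permit via the group's subnet
    print(evaluate(acl, "tcp", "10.0.0.9", "196.1.1.1", 80))     # deny: 10.0.0.9 is not in inside10
```

Because the group is expanded at parse time, adding a host to inside10 changes every entry that references it, which is the point the slides make about the seven pages of repetition.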
Legacy access-lists
The access-list command was introduced at 5.4 to make the PIX like IOS. At 6.3 these legacy commands were deprecated, and they are not in v7.0 at all.
Example access list:
conduit permit tcp host 212.23.35.119 eq https any
"Old style" access list for an outbound interface:
usage: outbound ID permit | deny ip_address [netmask [port]] [proto]
Pix# outbound 11 deny 161.73.0.0 255.255.0.0 412 tcp
Applying an outbound list to an interface:
usage: apply [(if_name)] ID outgoing_src | outgoing_dest
Pix# apply (inside) 11 outgoing_src
Conduit, outbound + apply
Advanced PIX: Protocol analysis
fixup
Protocols are not designed with security in mind; they often have features that are insecure or difficult to express in an access-list.
Firewalls use packet inspection and protocol analysis to overcome these difficulties.
PIX enables the protocol feature, and assigns the processing to a particular port, with the fixup command.
fixup
fixup protocol ftp [strict] [port]
fixup protocol http [port[-port]]
fixup protocol h323 {h225 | ras} port [-port]
fixup protocol ils [port[-port]]
fixup protocol rsh [514]
fixup protocol rtsp [port]
fixup protocol sip [5060]
fixup protocol skinny [2000]
fixup protocol smtp [port[-port]]
fixup protocol sqlnet [port[-port]]
fixup protocol skinny port [-port]
Added at version 6.3:
fixup protocol icmp errors <- there's always 1 smart arse
fixup protocol ctiqbe 2748
[no] fixup protocol dns [maximum-length length]
fixup protocol esp-ike
fixup protocol snmp [161[-162]]
fixup protocol tftp [port[-port]]
Fixup disappears with version 7
Other protection
MailGuard (enabled by fixup protocol smtp) only allows the SMTP commands mail to, rcpt frm, data, end & quit
DnsGuard (enabled by fixup protocol dns, or on by default pre 6.3) only accepts the first DNS datagram
FloodGuard (floodguard enable) enables flood protection
FragGuard (sysopt security fragguard, replaced by the fragment command)
Advanced PIX: Dealing with attacks
Basic IDS/IPS functions are enabled by
pixfirewall(config)# ip audit info action alarm
pixfirewall(config)# ip audit attack action alarm
ip audit attack action alarm drop
ip audit signature 2000 disable
ip audit signature 2001 disable
ip audit signature 2004 disable
ip audit signature 2005 disable
Syslog
<162>May 29 2005 10:24:15 10.0.0.2 : %PIX-2-106017: Deny IP due to Land Attack from 61.2.93.93 to 61.2.93.93
IDS/IPS
Anti-spoofing is enabled by
pixfirewall(config)# ip verify reverse-path
Syslog
<167>May 29 2005 10:21:21 10.0.0.2 : %PIX-7-710005: UDP request discarded from 61.2.93.87/137 to outside:61.2.93.95/netbios-ns
<161>May 29 2005 10:21:22 10.0.0.2 : %PIX-1-106021: Deny udp reverse path check from 10.0.0.55 to 61.2.93.93 on interface outside
Getting a packet trace in pcap format:
pix# capture snifer access-list sniflist packet-length 74 interface inside
Anti-spoofing & investigations
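The syslog lines on the IDS and anti-spoofing slides parsed for monitoring, plus a model of the reverse-path decision that produces %PIX-1-106021. This is an added example, not from the course; the log lines are constructed after the slides' own format (with one extra tcp line added), the routing table is an assumption, and parse, summarise and reverse_path_ok are the example's names.

```python
"""PIX syslog triage and the reverse-path check.

Added example, not from the course. It parses the %PIX-<severity>-<id>
syslog lines shown on the IDS and anti-spoofing slides, summarises what
the firewall dropped and why (for a monitoring alert), and models the
ip verify reverse-path decision against a toy routing table. The log
lines are constructed after the slides' own format; parse, summarise and
reverse_path_ok are the example's own names.
"""
import ipaddress
import re
from collections import Counter

LOG = """\
<162>May 29 2005 10:24:15 10.0.0.2 : %PIX-2-106017: Deny IP due to Land Attack from 61.2.93.93 to 61.2.93.93
<167>May 29 2005 10:21:21 10.0.0.2 : %PIX-7-710005: UDP request discarded from 61.2.93.87/137 to outside:61.2.93.95/netbios-ns
<161>May 29 2005 10:21:22 10.0.0.2 : %PIX-1-106021: Deny udp reverse path check from 10.0.0.55 to 61.2.93.93 on interface outside
<161>May 29 2005 10:21:23 10.0.0.2 : %PIX-1-106021: Deny tcp reverse path check from 10.0.0.56 to 61.2.93.93 on interface outside
"""

# <PRI>timestamp host : %PIX-sev-msgid: text   (PRI = facility*8 + severity)
LINE = re.compile(r"^<(?P<pri>\d+)>(?P<ts>\w{3} \d+ \d{4} [\d:]+) (?P<host>\S+) : "
                  r"%PIX-(?P<sev>\d)-(?P<msgid>\d+): (?P<text>.*)$")
RPF = re.compile(r"Deny \w+ reverse path check from (?P<src>[\d.]+) to [\d.]+ "
                 r"on interface (?P<ifc>\w+)")


def parse(log: str) -> list:
    """Turn raw lines into dicts; RPF denials also get the spoofed source."""
    events = []
    for line in log.splitlines():
        m = LINE.match(line)
        if not m:
            continue                      # not a PIX message; leave it for another parser
        pri = int(m["pri"])
        ev = {"facility": pri >> 3, "severity": pri & 7, "host": m["host"],
              "timestamp": m["ts"], "msgid": m["msgid"], "text": m["text"]}
        r = RPF.search(m["text"])
        if r:
            ev["spoofed_src"], ev["interface"] = r["src"], r["ifc"]
        events.append(ev)
    return events


def summarise(events: list) -> dict:
    """Counts per message id plus the spoofed sources seen on RPF denials."""
    return {
        "by_id": dict(Counter(e["msgid"] for e in events)),
        "spoofed_sources": sorted({e["spoofed_src"] for e in events if "spoofed_src" in e}),
        "land_attacks": sum(1 for e in events if e["msgid"] == "106017"),
    }


def reverse_path_ok(routes: dict, ingress: str, src: str) -> bool:
    """ip verify reverse-path: the longest-match route for the source address
    must point back out of the interface the packet arrived on."""
    best = None                           # (interface, prefix length)
    addr = ipaddress.ip_address(src)
    for ifc, nets in routes.items():
        for net in map(ipaddress.ip_network, nets):
            if addr in net and (best is None or net.prefixlen > best[1]):
                best = (ifc, net.prefixlen)
    return best is not None and best[0] == ingress


# Assumed routing table: inside network plus the outside subnet and default route.
ROUTES = {"inside": ["10.0.0.0/24"], "outside": ["0.0.0.0/0", "61.2.93.80/28"]}

if __name__ == "__main__":
    print(summarise(parse(LOG)))
    print(reverse_path_ok(ROUTES, "outside", "10.0.0.55"))   # 10.0.0.0/24 lives inside
```

An inside address arriving on the outside interface fails the check, which is exactly what the 106021 line on the slide records; the parser pulls the offending source out so it can feed an alert rather than being read by eye.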
Site 2 site VPN
Imagine 2 separate tunnels used for an IPSEC VPN, constructed in 3 steps covering 2 distinct IPSEC phases
[Diagram: an IKE/ISAKMP tunnel carrying the negotiation, and a second tunnel carrying the encrypted data]
1. Identify need for a VPN
2. Phase 1 - ISAKMP
   - identify/authenticate peers
   - establish IKE SA (security association)
3. Phase 2 - IPSEC
   - negotiate IPSEC SA (security association)
   - encrypt and transmit data
pixfirewall(config)# access-list a1 permit ip any any
pixfirewall(config)# isakmp policy 10 authen pre-share
pixfirewall(config)# isakmp policy 10 encrypt des
pixfirewall(config)# isakmp policy 10 hash md5
pixfirewall(config)# isakmp policy 10 lifetime 3600
pixfirewall(config)# isakmp policy 10 group 2
pixfirewall(config)# isakmp key my-secret address 10.0.0.1
pixfirewall(config)# isakmp enable outside
ISAKMP
pixfirewall(config)# sysopt connection permit-ipsec
pixfirewall(config)# sysopt ipsec pl-compatible
pixfirewall(config)# access-list a1 permit ip any any
pixfirewall(config)# crypto ipsec transform-set mytrans esp-des esp-md5-hmac
pixfirewall(config)# crypto map mymap 10 set transform-set mytrans
pixfirewall(config)# crypto map mymap 10 set peer 10.0.0.10
pixfirewall(config)# crypto map mymap 10 match address a1
pixfirewall(config)# crypto map mymap interface outside
IPSEC
Lab
Using the IPSEC site-2-site template configure your PIX to encrypt all traffic between it and the IOS router
Time: 1 hr 15 minutes
Secure client VPN
Cisco Secure client
1. The Secure Client software on the PC contacts the PIX
2. It authenticates using the info in the vpngroup command
3. It sets up a virtual network interface on the PC with info from the IP LOCAL POOL
4. It sets up an IPSEC tunnel over it to the PIX as normal
[Diagram: vpnpool 10.0.1.1-10.0.1.30; PIX 61.2.93.91; client 212.1.3.88 with virtual address 10.0.1.1; ipsec tunnel mode 212.1.3.88 <> 10.0.1.1]
access-list nonatlist permit ip any 10.0.1.0 255.255.255.0
nat (inside) 0 access-list nonatlist
ip local pool vpnpool 10.0.1.1-10.0.1.30
aaa-server vpnauth protocol radius
aaa-server vpnauth (inside) host 172.31.30.195 MYSECRET timeout 20
crypto dynamic-map vpn 10 set transform-set my-trans
crypto map mynmap 10 ipsec-isakmp dynamic vpn
crypto map mynmap client authentication vpnauth
crypto map mymap interface outside
vpngroup vpn1 address-pool vpnpool
vpngroup vpn1 dns-server x.x.x.x
vpngroup vpn1 wins-server x.x.x.x
vpngroup vpn1 default-domain x.com
vpngroup vpn1 password ********
VPNGroup
Annotations on the slide:
- nat 0 with the access-list turns off NAT for VPN clients
- the vpnauth label links to the RADIUS server
- the vpn label links to the dynamic map
- vpnpool links to the ip local pool
- the group name and password are stored in the VPN clients
access-list nonatlist permit ip 10.0.0.0 255.255.255.0 10.0.1.0 255.255.255.0
nat (inside) 0 access-list nonatlist
ip local pool vpnpool 10.0.1.1-10.0.1.30
aaa-server vpnauth protocol radius
aaa-server vpnauth (inside) host 172.31.30.195 MYSECRET timeout 20
crypto dynamic-map vpn 10 set transform-set my-trans
crypto map mynmap 10 ipsec-isakmp dynamic vpn
crypto map mynmap client authentication vpnauth
crypto map mymap interface outside
vpngroup vpn1 address-pool vpnpool
vpngroup vpn1 dns-server x.x.x.x
vpngroup vpn1 wins-server x.x.x.x
vpngroup vpn1 default-domain x.com
vpngroup vpn1 idle-time 1800
vpngroup vpn1 password ********
VPNGroup
Lab
Using the IPSEC Secure Client template configure your PIX to allow connection from secure client
Time: 1 hr 15 minutes
Additional
snmp-server host inside X.X.X.X
snmp-server host inside X.X.X.X
snmp-server host inside X.X.X.X
snmp-server location Heathrow Data Center - Rack 31
snmp-server contact Network Support
snmp-server community xxxxx
snmp-server enable traps
SNMP
failover
[Diagram: failover pair. Primary unit: outside IP 217.64.224.01 mac 00-0C-F1-37-F5-F7, inside IP 10.0.0.1 mac 00-0C-F1-37-FF-F1. Standby unit: outside IP 217.64.224.47 mac 00-0C-F1-37-F5-F8, inside IP 10.0.0.47 mac 00-0C-F1-37-FF-FA]
failover
failover ip address outside 217.64.224.47
failover ip address inside 10.0.0.47
failover
Before:
pix(config)# show failover
Failover On
Reconnect timeout 0:00:00
Poll frequency 15 seconds
Last Failover at: 18:32:16 UTC Mon Apr 7 2003
This host: Primary – Active
Active time: 510 (sec)
Interface outside (192.168.1.1): Normal
Interface inside (10.1.1.1): Normal
Other host: Secondary – Standby
Active time: 0 (sec)
Interface outside (192.168.1.2): Normal
Interface inside (10.1.1.2): Normal
After:
pix(config)# show failover
Failover On
Reconnect timeout 0:00:00
Poll frequency 15 seconds
Last Failover at:
This host: Primary – Standby
Active time: 510 (sec)
Interface outside (192.168.1.2): Normal
Interface inside (10.1.1.2): Normal
Other host: Secondary – Active
Active time: 0 (sec)
Interface outside (192.168.1.1): Normal
Interface inside (10.1.1.1): Normal
Making a HA cluster
failover
failover timeout 0:00:00
failover poll 15
failover ip address outside 217.64.224.47
failover ip address inside X.X.X.X
failover ip address stateful 192.168.100.102
failover link stateful
failover
Educate your telnet
telnet 10.0.1.2 255.255.255.255 inside
telnet 61.2.93.81 255.255.255.255 inside
telnet 61.2.93.82 255.255.255.255 inside
Educate your ssh
ssh 10.0.1.2 255.255.255.255 inside
ssh 61.2.93.81 255.255.255.255 inside
ssh 61.2.93.82 255.255.255.255 inside
Telnet & ssh
Operating the Pix
pixfirewall# show xlate
2 in use, 79 most used
PAT Global 61.2.93.94(1134) Local 10.0.0.1(1038)
PAT Global 61.2.93.94(1321) Local 10.0.0.1(1219)
pixfirewall# show xlate debug
2 in use, 79 most used
Flags: D - DNS, d - dump, I - identity, i - inside, n - no random, o - outside, r - portmap, s - static
UDP PAT from inside:10.0.0.1/1038 to outside:61.2.93.94/1134 flags ri idle 0:00:08 timeout 0:00:30
TCP PAT from inside:10.0.0.1/1219 to outside:61.2.93.94/1321 flags ri idle 0:00:00 timeout 0:00:30
pixfirewall# show conn
2 in use, 17 most used
UDP out 61.2.93.81:161 in 10.0.0.1:1038 idle 0:00:16 flags -
TCP out 213.19.160.190:80 in 10.0.0.1:1219 idle 0:00:00 Bytes 14137527 flags UIO
• established tcp 9999 0 permitto tcp 1024-65535 permitfrom tcp 0
• established tcp 9998 0 permitto tcp 1024-65535 permitfrom tcp 0
• established tcp 135 0 permitto tcp 1024-65535 permitfrom tcp 0
Alias
alias [<(if_name)>] <dnat_ip> <foreign_ip> [<mask>]
alias (inside) 84.233.190.80 69.57.146.21 255.255.255.255
• If the PIX Firewall gets a packet destined for the dnat_ip address, it sends it to the foreign_ip address.
• When the PIX gets a DNS packet containing the foreign network address, it changes the contents of the DNS packet from the foreign network address to the dnat network address.