Register for Free Membership to [email protected]
Over the last few years, Syngress has published many best-selling and critically acclaimed books, including Tom Shinder’s Configuring ISA Server 2004, Brian Caswell and Jay Beale’s Snort 2.1 Intrusion Detection, and Angela Orebaugh and Gilbert Ramirez’s Ethereal Packet Sniffing. One of the reasons for the success of these books has been our unique [email protected] program. Through this site, we’ve been able to provide readers a real-time extension to the printed book. As a registered owner of this book, you will qualify for free access to our members-only [email protected] program. Once you have registered, you will enjoy several benefits, including:
■ Four downloadable e-booklets on topics related to the book. Each booklet is approximately 20-30 pages in Adobe PDF format. They have been selected by our editors from other best-selling Syngress books as providing topic coverage that is directly related to the coverage in this book.
■ A comprehensive FAQ page that consolidates all of the key points of this book into an easy-to-search Web page, providing you with the concise, easy-to-access data you need to perform your job.
■ A “From the Author” Forum that allows the authors of this book to post timely updates, links to related sites, or additional topic coverage that may have been requested by readers.
Just visit us at www.syngress.com/solutions and follow the simple registration process. You will need to have this book with you when you register. Thank you for giving us the opportunity to serve your needs. And be sure to let us know if there is anything else we can do to make your job easier.
Cisco PIX Firewalls: Configure, Manage, & Troubleshoot
Thorsten Behrens, Brian Browne, Ido Dubrawsky, Daniel Kligerman, Michael Sweeney
Charles Riley, Technical Editor
Umer Khan, Technical Reviewer
Syngress Publishing, Inc., the author(s), and any person or firm involved in the writing, editing, or production (collectively “Makers”) of this book (“the Work”) do not guarantee or warrant the results to be obtained from the Work. There is no guarantee of any kind, expressed or implied, regarding the Work or its contents. The Work is sold AS IS and WITHOUT WARRANTY. You may have other legal rights, which vary from state to state. In no event will Makers be liable to you for damages, including any loss of profits, lost savings, or other incidental or consequential damages arising out of the Work or its contents. Because some states do not allow the exclusion or limitation of liability for consequential or incidental damages, the above limitation may not apply to you. You should always use reasonable care, including backup and other appropriate precautions, when working with computers, networks, data, and files.
Syngress Media®, Syngress®, “Career Advancement Through Skill Enhancement®”, “Ask the Author UPDATE®,” and “Hack Proofing®,” are registered trademarks of Syngress Publishing, Inc. “Syngress: The Definition of a Serious Security Library™,” “Mission Critical™,” and “The Only Way to Stop a Hacker is to Think Like One™” are trademarks of Syngress Publishing, Inc. Brands and product names mentioned in this book are trademarks or service marks of their respective companies.
KEY SERIAL NUMBER: 001 HJIRTCV764 002 PO9873D5FG 003 829KM8NJH2 004 GHFDDD5638 005 CVPLQ6WQ23 006 VBP965T5T5 007 HJJJ863WD3E 008 2987GVTWMK 009 629MP5SDJT 010 IMWQ295T6T
PUBLISHED BY Syngress Publishing, Inc., 800 Hingham Street, Rockland, MA 02370
Cisco PIX Firewalls: Configure, Manage, & Troubleshoot
Publisher: Andrew Williams
Acquisitions Editor: Gary Byrne
Technical Editor: Charles Riley
Cover Designer: Michael Kavish
Page Layout and Art: Patricia Lupien
Copy Editor: Adrienne Rebello and Beth Roberts
Indexer: Julie Kawabata
Distributed by O’Reilly Media, Inc. in the United States and Canada. For information on rights and translations, contact Matt Pedersen, Director of Sales and Rights, at Syngress Publishing; email [email protected] or fax to 781-681-3585.
Acknowledgments
Syngress would like to acknowledge the following people for their kindness and support in making this book possible.
Syngress books are now distributed in the United States and Canada by O’Reilly Media, Inc. The enthusiasm and work ethic at O’Reilly are incredible, and we would like to thank everyone there for their time and efforts to bring Syngress books to market: Tim O’Reilly, Laura Baldwin, Mark Brokering, Mike Leonard, Donna Selenko, Bonnie Sheehan, Cindy Davis, Grant Kikkert, Opol Matsutaro, Steve Hazelwood, Mark Wilson, Rick Brown, Leslie Becker, Jill Lothrop, Tim Hinton, Kyle Hart, Sara Winge, C. J. Rayhill, Peter Pardo, Leslie Crandell, Valerie Dow, Regina Aggio, Pascal Honscher, Preston Paull, Susan Thompson, Bruce Stewart, Laura Schmier, Sue Willing, Mark Jacobsen, Betsy Waliszewski, Dawn Mann, Kathryn Barrett, John Chodacki, Rob Bullington, and Aileen Berg.
The incredibly hardworking team at Elsevier Science, including Jonathan Bunkell, Ian Seager, Duncan Enright, David Burton, Rosanna Ramacciotti, Robert Fairbrother, Miguel Sanchez, Klaus Beran, Emma Wyatt, Chris Hossack, Krista Leppiko, Marcel Koppes, Judy Chappell, Radek Janousek, and Chris Reinders for making certain that our vision remains worldwide in scope.
David Buckland, Marie Chieng, Lucy Chong, Leslie Lim, Audrey Gan, Pang Ai Hua, Joseph Chan, and Siti Zuraidah Ahmad of STP Distributors for the enthusiasm with which they receive our books.
David Scott, Tricia Wilden, Marilla Burgess, Annette Scott, Andrew Swaffer, Stephen O’Donoghue, Bec Lowe, Mark Langley, and Anyo Geddes of Woodslane for distributing our books throughout Australia, New Zealand, Papua New Guinea, Fiji, Tonga, Solomon Islands, and the Cook Islands.
Coauthor Mike Sweeney in his DWC’d-out Test Lab.
We would not have been able to publish this book without the professional, prompt, and friendly service provided by the great people at Duane Whitlow & Co., Inc., which provided the rented Cisco equipment that we used to write this book. As we tested the PIX 7.0 beta, we needed fast delivery of multiple boxes with very specific configurations for use in our test lab. All of the folks at DWC made sure that we had exactly what we needed, when we needed it, and where we needed it. No problems. No hassles. We would like to extend a special thank you to Duane, Conrad, and the rest of the DWC team. —Syngress Publishing
Duane Whitlow & Co., Inc. Since 1977, Duane Whitlow & Co. Inc. has specialized in providing both new and used IBM and plug-compatible computer equipment to computer users worldwide. In these ever-changing times, recent focus has centered on buy, sell, lease, and short-term rental of used Cisco System networking equipment. Meeting specific needs using multiple platforms and systems integration is our specialty. For example: Short-term rentals of Cisco System Products for corporate customers, training companies and students studying for their Cisco Certification are unique programs from DWC that are specifically designed for those special needs.
Duane Whitlow & Co., Inc. www.dwc-computer.com 4950 Keller Springs Rd., Ste 415 Addison, TX 75001 Phone 800/977-7473 or 972/931-3001 Fax 972/931-3340 email: [email protected] or [email protected]
Technical Editor and Foreword Contributor
Charles Riley, along with Methuselah, has spent some time specializing in networking and security. He remembers reverse engineering BASIC code to enlarge the ship in Canyon Cruiser on the Commodore 64, causing its wings to scrape the pixelated walls. Shortly afterward, he was forced to resign from the middle school computer club. Had there been appropriate security in place at the time, life might have taken a different turn.
The career of Charles spans decades, starting as a young cowherd at the tender age of 6. At less than 4 feet tall, and while other children were watching Captain Kangaroo, Charles was herding several tons of walking, unpredictable beef into a large barn. From there, it was a logical transition to herding packets through a network, and sheltering them behind a firewall.
Charles has coauthored and edited several books, including Routing and Configuring Cisco Voice over IP, Second Edition, and The Best Damn Cisco Internetworking Book Period (Syngress Publishing, ISBN: 1-931836-91-4). He has designed and implemented robust networking solutions for large Fortune 500 and privately held companies. Charles started as a U.S. Army telecommunications specialist at Fort Huachuca, Arizona, eventually finishing his Army career as the network manager of the 7th Army Training Command in Grafenwoehr, Germany. Charles graduated from the University of Central Florida in 1989.
He’d like to express his gratitude and love to his beloved wife, Rene’. Her belief and love lifted him to greater heights than he ever thought possible. Rene’ first saw the writer in the cowherd, and then proceeded to make everything wonderful. To his daughter, Tess, who has the potential to soar so high: he is eagerly looking forward to seeing you do so. He wishes to thank you both for the time and support.
Contributing Authors
Michael Sweeney (CCNA, CCDA, CCNP, MCSE, SCP) is the owner of the network security consulting firm Packetattack.com. Packetattack.com specialties are network design and troubleshooting, wireless network design, security, and analysis. The Packetattack team uses such industry standard tools as NAI Sniffer, AiroPeekNX, and Airmagnet. Packetattack.com also provides digital forensic analysis services. Michael has been a contributing author for Syngress for the books Cisco Security Specialist Guide to PIX Firewalls, ISBN: 1-931836-63-9; Cisco Security Specialist Guide to Secure Intrusion Detection Systems, ISBN: 1-932266-69-0; and Building DMZs For Enterprise Networks, ISBN: 1-931836-88-4. Through PacketPress, Michael has also published Securing Your Network Using Linux, ISBN: 1-411621-77-8. Michael graduated from the University of California, Irvine, extension program with a certificate in communications and network engineering. Michael currently resides in Orange, CA, with his wife, Jeanne, and daughters, Amanda and Sara.
Brian Browne (CISSP) is the Principal Consultant with Edoxa, Inc., and provides both strategic and technical information security consulting. He has 14 years of experience in the field of information security and is skilled in all phases, from security management through hands-on implementation. His specific security experience includes Sarbanes-Oxley and HIPAA gap analysis and remediation, vulnerability assessments, network security, firewall architecture, virtual private networks (VPN), UNIX security, Windows Active Directory security, and public key infrastructure (PKI). He also conducts application performance assessments and network capacity planning using Opnet IT Guru. Brian resides in Willow Grove, PA, with his wife, Lisa, and daughter, Marisa.
Daniel Kligerman (B.Sc, CCSE, CCIE #13999) is the Manager of the Data Diagnostic Centre at TELUS National Systems, responsible for the support and management of enterprise customers’ data and VoIP networks. Daniel was the technical editor of Check Point Next Generation with Application Intelligence Security Administration (Syngress, ISBN: 1-932266-89-5) and the contributing author of Building DMZs for Enterprise Networks (Syngress, ISBN: 1-931836-88-4), Check Point NG VPN-1/Firewall-1 Advanced Configuration and Troubleshooting (Syngress, ISBN: 1-931836-97-3), Nokia Network Security Solutions Handbook (Syngress, ISBN: 1-931836-70-1), and Check Point Next Generation Security Administration (Syngress, ISBN: 1-928994-74-1). He resides in Toronto, Canada, with his wife, Merita.
Thorsten Behrens (CCMSE, CCSE+, CCNA, CNE) is a Senior Security Engineer with Integralis’ Managed Security Services Team. Thorsten’s specialties include Check Point FireWall-1, Cisco PIX, and ISS RealSecure. Thorsten is a German national who delights his neighbors in Springfield, MA, with bagpipe practice sessions.
Ido Dubrawsky (CCNA, CCDA, SCSA, CISSP) is a Senior Security Consultant with SBC’s Callisma consulting practice. Previously, Ido was a Network Security Architect working in the SAFE architecture group of Cisco Systems, Inc. His responsibilities included research into network security design and implementation. Before that, Ido was a member of Cisco’s Secure Consulting Services in Austin, TX, where he conducted security posture assessments and penetration tests for clients as well as provided technical consulting for security design reviews. Ido was one of the codevelopers of the Secure Consulting Services wireless network assessment toolset. His strengths include Cisco routers and switches, PIX firewalls, the Cisco Intrusion Detection System, and the Solaris operating system. His specific interests are in vulnerability assessments, penetration testing, freeware detection systems, and network performance monitoring. Ido holds bachelor’s and master’s degrees from the University of Texas at Austin in Aerospace Engineering and is a longtime member of USENIX and SAGE. He has written numerous articles covering Solaris security and network security for Sysadmin as well as the online SecurityFocus. He is a contributor to Hack Proofing Sun Solaris 8 (Syngress Publishing, ISBN: 1-928994-44-X) and Hack Proofing Your Network, Second Edition (Syngress, ISBN: 1-928994-70-9). He currently resides in Silver Spring, MD, with his family.
Technical Reviewer and Contributor
Umer Khan (CCIE #7410, MCSE, SCSA, SCNA, CCA, SCE, CNX) is the Manager of Networking, Telecommunications, and Windows Infrastructure at Broadcom Corporation (www.broadcom.com), where he enjoys the challenging and fast-paced IT environment. Umer’s teams are responsible for the design, implementation, and support of a broad range of Broadcom’s global IT infrastructure, some of which include LAN, MAN, WAN, 802.11 wireless, PBX, VoIP, VPN, firewall, cellular, Windows server, Active Directory, Citrix, Microsoft Exchange, SQL, IIS, Biztalk, VMware, authentication, content load balancing, caching, audio/video conferencing, and audio/video distribution technologies. Umer has contributed toward several publications, including the Sun Certified System Administrator for Solaris 8 Study Guide (ISBN: 007-212369-9) and Sniffer Pro: Network Optimization and Troubleshooting Handbook (Syngress, ISBN: 1-93-183657-4). He was also the technical editor for Cisco Security Specialist’s Guide to PIX Firewalls (Syngress, ISBN: 1-931836-63-9). Umer completed his bachelor’s in computer engineering at Illinois Institute of Technology. His personal Web site is located at www.umer-khan.net.
Foreword
“Always do right. This will gratify some of the people and astonish the rest.”—Mark Twain
“Always firewall. That will inconvenience some of the attackers and impede the rest.”—Charles Riley (apologies to Mr. Twain)
You hold in your hand a book that was given life to aid our fellow security professionals, our brothers and sisters in the trenches of information warfare engaged in protecting the information and networks in their charge. But you are not alone; the tools in the endless war between protectors of the information and the attackers who would own that information have advanced and improved greatly. Witness the overhaul of the PIX operating system in version 7.0, the main subject of this book. Version 7.0 makes many improvements to the code, including adding long-desired features. Version 7.0 also gives the “Old Yeller” treatment to commands that are no longer relevant or can no longer do the job. For example, the conduit command with its awkward syntax is no more. Cisco has made the commands more like its mainstream IOS, although there are a few holdouts that mark version 7.0 as a PIX operating system. These commands are among many detailed in this book.
Each chapter has been carefully organized and developed to provide maximum coverage of version 7.0. In assembling this book, the mission of our team was to provide you, our reader, with a font of information that will allow you to master 7.0 and use it for your own purposes. The result is the 12 chapters that make up this book:
Chapter 1 Introduction to Security and Firewalls
Chapter 2 Introduction to PIX Firewalls
Chapter 3 PIX Firewall Operations
Chapter 4 Adaptive Security Device Manager
Chapter 5 Application Inspection
Chapter 6 Filtering, Intrusion Detection, and Attack Management
Chapter 7 Services
Chapter 8 Configuring Authentication, Authorization, and Accounting
Chapter 9 PIX Firewall Management
Chapter 10 Configuring Virtual Private Networking
Chapter 11 Configuring Failover
Chapter 12 Troubleshooting and Performance Monitoring
Version 7.0 introduces contexts, something that might be new to many readers. PIX firewalls running 7.0 can run either in routed mode (where they are aware of and participate in IP routing) or in transparent mode, where the firewall silently performs its function but is not seen as a hop in the path to a destination. Contexts are just one of the many changes that Cisco made to version 7.0. For more, read on—and thank you for being part of the vanguard of information security. When it comes to protecting your networks and data, Shakespeare put it best in Henry V:
From this day to the ending of the world,
But we in it shall be remember’d;
We few, we happy few, we band of brothers;
For he to-day that sheds his blood with me
Shall be my brother; be he ne’er so vile,
This day shall gentle his condition:
And gentlemen in England now a-bed
Shall think themselves accursed they were not here,
And hold their manhoods cheap whiles any speaks
—Charles Riley HoH Consultants LLC
Chapter 1
Introduction to Security and Firewalls
Solutions in this chapter:
■ The Importance of Security
■ Creating a Security Policy
■ Cisco’s Security Wheel
■ Firewall Concepts
■ Cisco Security Certifications
Summary
Solutions Fast Track
Frequently Asked Questions
Introduction
In an age where our society relies so heavily on electronic communication, the need for information security is continuously increasing. Given the value and confidential nature of the information that exists on today’s networks, CIOs are investing very heavily in security. Without security, a company can suffer from theft or alteration of data, legal ramifications, and other issues that all result in monetary losses. Consequently, corporations are realizing the need to create and enforce an information security policy. Furthermore, companies are now experiencing significant pressure from external regulators and governance rules such as Sarbanes-Oxley.
In this chapter, you will learn why information security is necessary. We also look at how and why security policies are created and how security needs to be handled as a process. We look at firewalls in general, explore the different types of firewalls available in the market, and learn basic concepts about how firewalls work. Finally, we discuss the three relevant security certifications that Cisco offers in the context of PIX firewalls: the Cisco Firewall Specialist, the Cisco Certified Security Professional (CCSP), and the Cisco Certified Internet Expert (CCIE) Security.
The Importance of Security
Over the last couple of decades, many companies began to realize that their most valuable assets were not only their buildings or factories, but also the intellectual property and other information that flowed internally within the company, as well as outwardly to suppliers and customers. Company managers, used to dealing with risk in their business activities, started to think about what might happen if their key business information fell into the wrong hands, perhaps a competitor’s. For a while, this risk was not too large, due to how and where that information was stored. “Closed systems” was the operative phrase. Key business information, for the most part, was stored on servers accessed via dumb terminals or terminal emulators and had few interconnections with other systems. Any interconnections tended to be over private leased lines to a select few locations, either internal to the company or to a trusted business partner.
However, over the last 10 years or so, the Internet has changed how businesses operate, and there has been an amazing acceleration in the interconnectedness of organizations, systems, and networks. Entire corporate networks have access to the Internet, often at multiple points. This proliferation has created risks to sensitive information and business-critical systems where they had never existed before. The importance of information security in the business environment has now been underscored, as has the need for skilled, dedicated practitioners of this specialty.
What Is Information Security?
We have traditionally thought of security as consisting of people, sometimes with guns, watching over and guarding tangible assets such as a stack of money or a research lab. Maybe they sat at a desk and watched via closed-circuit cameras installed around the property. These people usually had minimal training and sometimes did not understand much about what they were guarding or why it was important. However, they did their jobs (and continue to do so) according to established processes, such as walking around the facility on a regular basis and looking for suspicious activity or people who do not appear to belong there.
Information security moves that model into the intangible realm. Fundamentally, the objective of information security is to ensure that only authorized people (and systems) have access to information. Information security professionals sometimes have different views on the role and definition of information security. One definition offered by Simson Garfinkel and Gene Spafford is, “A computer is secure if you can depend on it and its software to behave as you expect.” This definition actually implies a lot. If information stored on your computer system is not there when you go to access it, or if you find that it has been tampered with, you can no longer depend on it as a basis for making business decisions.
What about nonintrusive attacks, though—such as someone eavesdropping on a network segment and stealing information such as passwords? This definition does not cover that scenario, since nothing on the computer in question has changed. It is operating normally, and it functions as its users expect. Sun Microsystems’ mantra of “The Network is the Computer” is true. Computing is no longer just what happens on a mainframe, a minicomputer, or a server; it also includes the networks that interconnect systems.
The three primary areas of concern in information security have traditionally been defined as follows:
■ Confidentiality Ensuring that only authorized parties have access to information. Encryption is a commonly used tool to achieve confidentiality. Authentication and authorization, treated separately in the following discussion, also help with confidentiality.
■ Integrity Ensuring that information is not modified by unauthorized parties (or even improperly modified by authorized ones!) and that it can be relied on. Checksums and hashes are used to validate data integrity, as are transaction-logging systems.
■ Availability Ensuring that information is accessible when it is needed. In addition to simple backups of data, availability includes ensuring that systems remain accessible in the event of a denial of service (DoS) attack. Availability also means that critical data should be protected from erasure—for example, preventing the wipeout of data on your company’s external Web site.
Often referred to simply by the acronym CIA, these three areas serve well as a security foundation. To fully scope the role of information security, however, we also need to add a few more areas of concern to the list. Some security practitioners include the following within the three areas described, but by getting more granular, we can get a better sense of the challenges that must be addressed:
■ Authentication Ensuring that users are, in fact, who they say they are. Static passwords, of course, are the longstanding way to authenticate users, but other methods such as cryptographic tokens and biometrics are also used.
■ Authorization/access control Ensuring that a user, once authenticated, is able to access only information to which he or she has been granted permission by the owner of the information. This can be accomplished at the operating system level using file system access controls or at the network level using access control lists on routers or firewalls.
■ Accounting Ensuring that activity and transactions on a system or network can be monitored and logged in order to maintain system availability and detect unauthorized use. This process can take various forms: logging by the operating system, logging by a network device such as a router or firewall, or logging by an intrusion detection system (IDS) or packet-capture device.
You can say that your information is secure when all six of these areas have been adequately addressed. The definition of adequately varies based on business requirements and the particular situation at hand. Some areas may present greater risk in a particular environment than in others. In the field of information security, risk must always be weighed against the benefits of implementing a tighter security policy.
The Early Days of Information Security
If we set the dial on our “way-back machine” to the 1980s, we would find that the world of information security was vastly different from today. Companies’ “important” computing was performed on large, expensive systems that were tightly controlled and sat in very chilly rooms with limited human access. Users got their work done either via terminals connected to these large computers or large metal IBM PCs on their desks. These terminals pretty much allowed users to do only what the application and systems programmers enabled them to, via menus and perhaps a limited subset of commands to run jobs. Access control was straightforward and involved a small set of applications and their data, and frankly, not many users outside the glass room understood how to navigate around a system from a command prompt. As far as PCs were concerned, management’s view was that nothing important was really happening with users’ Lotus 1-2-3 spreadsheets, so they were not a security concern.
Networking was limited in extent. Corporate local area networks (LANs) were nearly nonexistent. Technologies such as X.25 and expensive leased lines at the then blazing speeds of 56 kbps ruled the day. Wide area network (WAN) links were used to move data from office to office in larger companies, and sometimes to other related entities. Because networks consisted of a series of point-to-point private links, the risk of an intruder gaining access to inner systems was slim.
Insecurity and the Internet
The federation of networks that became the Internet consisted of a relatively small community of users by the 1980s, primarily in the research and academic communities. Because it was rather difficult to get access to these systems and the user communities were rather closely knit, security was not much of a concern in this environment, either. The main objective of connecting these various networks together was to share information, not keep it locked away. Technologies such as the UNIX operating system and the Transmission Control Protocol/Internet Protocol (TCP/IP) networking protocols that were designed for this environment reflected this lack of security concern. Security was simply viewed as unnecessary.
By the early 1990s, however, commercial interest in the Internet grew. These commercial interests had very different perspectives on security, ones often in opposition to those of academia. Commercial information had value, and access to it needed to be limited to specifically authorized people. UNIX, TCP/IP, and connections to the Internet became avenues of attack and did not have much capability to implement and enforce confidentiality, integrity, and availability. As the Internet grew in commercial importance, with numerous companies connecting to it and even building entire business models around it, the need for increased security became quite acute. Connected organizations now faced threats that they had never had to consider before.
The Threats Grow
When the corporate computing environment was a closed and limited-access system, threats mostly came from inside the organizations. These internal threats came from disgruntled employees with privileged access who could cause a lot of damage. Attacks from the outside were not much of an issue since there were typically only a few, if any, private connections to trusted entities. Potential attackers were few in number, since the combination of necessary skills and malicious intent was not at all widespread.
With the growth of the Internet, external threats grew as well. There are now millions of hosts on the Internet as potential attack targets, which entice the now large numbers of attackers. This group has grown in size and skill over the years as its members share information on how to break into systems for both fun and profit. Geography no longer serves as an obstacle, either. You can be attacked from another continent thousands of miles away just as easily as from your own town.
Threats can be classified as structured or unstructured. Unstructured threats come from people with little skill and perseverance. These usually come from people called script kiddies—attackers who have little to no programming skill and very little system knowledge. Script kiddies tend to conduct attacks just for bragging rights among their groups, which are often linked only by an Internet Relay Chat (IRC) channel. They obtain attack tools that have been built by others with more skill and use them, often indiscriminately, to attempt to exploit a vulnerability on their target. If their attack fails, they will likely go elsewhere and keep trying. Additional risk comes from the fact that they often use these tools with little to no knowledge of the target environment, so attacks can wind up causing unintended results.
Unstructured threats can cause significant damage or disruption, despite the attacker’s lack of sophistication. These attacks usually are detectable with current security tools. Structured attacks are more worrisome because they are conducted by hackers with significant skill. If the existing tools do not work for them, they are likely to modify them or write their own. They are able to discover new vulnerabilities in systems by executing complex actions that the system designers did not protect against. Structured attackers often use so-called zero-day exploits, which are exploits that target vulnerabilities that the system vendor has not yet issued a patch for or does not even know about. Structured attacks often have stronger motivations behind them than simple mischief. These motivations or goals can include theft of source code, theft of credit card numbers for resale or fraud, retribution, or destruction or disruption of a competitor. A structured attack might not be blocked by traditional methods such as firewalls or detected by an IDS. It could even use noncomputer methods such as social engineering.
NOTE Social engineering, also known as people hacking, is a means for obtaining security information from people by tricking them. The classic example is calling up a user and pretending to be a system administrator. The hacker asks the user for his or her password to ostensibly perform some important maintenance task. To avoid being hacked via social engineering, educate your user community that they should always confirm the identity of any person calling them and that passwords should never be given to anyone over e-mail, instant messaging, or the phone.
Attacks
With the growth of the Internet, many organizations focused their security efforts on defending against outside attackers (that is, anyone originating from an external network) who are not authorized to access their systems. Firewalls were the primary focus of these efforts. Money was spent on building a strong perimeter defense, resulting in what Bill Cheswick of Bell Labs famously described years ago as “a crunchy shell around a soft, chewy center.” Any attacker who succeeded in getting through (or around) the perimeter defenses would then have a relatively easy time compromising internal systems. This situation is analogous to the enemy parachuting into the castle keep instead of breaking through the walls (the technology is off by a few centuries, but you get the idea!).
Perimeter defense is still vitally important, given the increased threat level from outside the network. However, it is no longer adequate by itself. Various information security studies and surveys have found that the majority of attacks actually come from inside the organization. The internal threat can include authorized users attempting to exceed their permissions or unauthorized users trying to go where they should not be at all. The insider is potentially more dangerous than the outsider because he or she has a level of access that the outsider does not—to both facilities and systems. Many organizations lack the internal preventive controls and other countermeasures to adequately defend against this threat. Networks are wide open, servers could be sitting in unsecured areas, system patches might be out of date, and system administrators might not review security logs.
The greatest threat, however, arises when an insider colludes with a structured outside attacker. The outsider’s skills, combined with the insider’s access, could result in substantial damage or loss to the organization. Attacks can be defined in three main categories:
■ Reconnaissance attacks Hackers attempt to discover systems and gather information. In most cases, these attacks are used to gather information to set up an access or a DoS attack. A typical reconnaissance attack might consist of a hacker pinging IP addresses to discover which hosts are alive on a network. The hacker might then perform a port scan on those systems to see which applications are running, as well as try to determine the operating system and version of a target machine.
■ Access attacks An access attack is one in which an intruder attempts to gain unauthorized access to a system to retrieve information. Sometimes the attacker needs to gain access to a system by cracking passwords or using an exploit. At other times, the attacker already has access to the system but needs to escalate his or her privileges.
■ DoS attacks Hackers use DoS attacks to disable or corrupt access to networks, systems, or services. The intent is to deny authorized or valid users access to these resources. DoS attacks typically involve running a script or a tool, and the attacker does not require access to the target system, only a means to reach it. In a distributed DoS (DDoS) attack, the source consists of many computers that usually are spread across a large geographic area.
In recent years, attacks have become significantly more complex, and these days blended threats have become the norm. A blended threat makes use of multiple attack methods and techniques to spread and cause damage. Examples of these blended threats include Nimda, CodeRed, and Gaobot.
Let’s take a look at the example of Gaobot. The source code for this virus has been posted to numerous Web sites, resulting in about 1,000 variants. Once it infects a system, it overwrites the local HOSTS file to block access to anti-virus update sites. It also attempts to terminate any anti-virus and firewall software, and then connects to an IRC server, where it waits to receive commands from the attacker. The attacker can remotely activate various functionality, including launching a DoS attack, sniffing traffic, shutting down the computer, terminating processes, and so on.
Computer viruses have been around for a long time, but the threats have since multiplied into a wide variety of malware: viruses, worms, trojan horses, backdoors, rootkits, key loggers, spyware, and a lot more. To fully protect a system nowadays, a combination of network firewalls, host firewalls, intrusion detection systems, anti-virus software, anti-spyware software, and a variety of other hardware and software tools is required. Even then, the end user of a system must be careful, since clicking one wrong button in a Web browser or e-mail client can load a variety of software on the device.
Creating a Security Policy
A comprehensive security policy is fundamental to an effective information security program, providing a firm basis for all activities related to the protection of information assets. In creating their policies, organizations take one of two basic approaches: that which is not expressly prohibited is allowed, or that which is not explicitly allowed is prohibited. The chosen approach is usually reflective of the organization’s overall culture.
Designing & Planning… Developing a Comprehensive Security Policy
A good security policy addresses the following areas:
■ Defines roles and responsibilities
■ Defines acceptable use of the organization’s computing resources
■ Serves as a foundation for more specific procedures and standards
■ Defines data sensitivity classifications
■ Helps prevent security incidents by making clear management’s expectations for protecting information
■ Provides guidance in the event of a security incident
■ Specifies results of noncompliance
Figure 1.1 shows a hierarchical security model. Each layer builds on the ones beneath it, with security policies serving as the foundation. An organization that implements security tools without defining good policies and architecture is likely to encounter difficulties.
Creation of the security policy is guided by management’s level of trust in the organization’s people, de facto processes, and technology. Many organizations resist formalizing their policies and enforcing them, since they do not want to risk damaging their familial and trusting culture. When a security incident occurs, however, these organizations discover that they might have little or no guidance on how to handle it or that they do not have a legal foundation to prosecute or even terminate an employee who breaches security. Others follow a command-and-control model and find that defining policies fits right into their culture. These organizations, however, could wind up spending a great deal of money to enforce controls that provide little incremental reduction in risk and create an oppressive atmosphere that is not conducive to productivity. For most organizations, a middle approach is best, following the dictum, “Trust, but verify.”
The policy creation process might not be easy. People have very different ideas about what policies represent and why they are needed. The process should strive to achieve a compromise among the various stakeholders:
■ Executive managers
■ Internal auditors
■ Human resources
■ IT staff
■ Security staff
■ Legal staff
■ Employee groups
As you can see, some level of buy-in from each of these stakeholder groups is necessary to create a successful policy. Particularly important is full support from executive management. Without it, a security policy will become just another manual gathering dust on the shelf. Employees need to see that management is behind the policy, leading by example.
Once a representative policy development team has been put together, its members should begin a risk-assessment process. The result of this effort is a document that defines how the organization approaches risk, how risk is mitigated, and the assets that are to be protected and their worth. The policy should also broadly define the potential threats that the organization faces. This information will be a guideline to the amount of effort and money that will be expended to address the threats and the level of risk that the organization will accept.
The next step is to perform a business needs analysis that defines information flows within the organization as well as information flowing into and out of it. These flows should each have a business need defined; this need is then matched with the level of risk to determine whether it will be allowed, allowed with additional controls, or restricted. A good policy has these characteristics:
■ States its purpose and what or who it covers
■ Is realistic and easy to implement
■ Has a long-term focus—in other words, does not contain specifics that will change often
■ Is clear and concise
■ Is up to date, with provisions for regular review
■ Is communicated effectively to all affected parties, including regular awareness training
■ Is balanced between security of assets and ease of use
Probably the most important component of a security policy is the definition of acceptable use. It covers how systems are to be used, user password practices, what users can and cannot do, user responsibility in maintaining security, and disciplinary action if users engage in improper activity. It is essential that all users sign this policy, acknowledging that they have read and understood it. Ideally, users should review the acceptable use policy on an annual basis.This practice helps reinforce the message that security is important. Finally, an organization’s security policy guides the design, architecture, and implementation of security devices such as firewalls, intrusion detection systems, honeypots, and so on, for both internal and perimeter networks. Firewall policies will be covered in more detail in a later section.
NOTE You can find examples of security policies, including a sample acceptable use policy, on the SANS Security Policy Resource page located at www.sans.org/ resources/policies/.
Cisco’s Security Wheel
Experienced security professionals often say that information security is not a goal or result, it is a process. This truism refers to the fact that you can never secure your network and then be done with it. Information security is a dynamic field that is continually presenting challenges in the form of new technology, new threats, and new business processes. If you were to set a target secure state and then actually achieve it, you would find that the landscape had changed and further effort is required. One example of this sort of change is the ongoing discovery of vulnerabilities in existing software, for which patches must be applied. Although this process might seem daunting and often frustrating, it is what keeps many security practitioners interested in the field and excited about working in a mode of continuous improvement. Cisco has created a model, called the Cisco Security Wheel, that shows this process graphically (see Figure 1.2).
Figure 1.2 The Cisco Security Wheel (Corporate Security Policy at the hub, with Secure, Monitor and Respond, Test, and Manage and Improve around the rim)
The Security Wheel really starts “rolling” when you have created your corporate security policy. The model defines four ongoing steps:
1. Secure the environment.
2. Monitor activity and respond to events and incidents.
3. Test the security of the environment.
4. Improve the security of the environment.
Each of these steps is discussed in detail in the following sections.
Securing the Environment
The task of securing an entire network can be overwhelming if viewed in the whole, especially if it covers multiple locations and thousands of systems. However, you can make the process much more manageable by breaking it down into smaller subtasks. Based on the risk analysis that was performed during the policy development process, you can identify which of the following areas need attention first, second, and so on:
■ Confidentiality For example, does your policy specify that sensitive information being communicated over public networks such as the Internet needs to be encrypted? If so, you might want to begin evaluating deployment of virtual private network (VPN) technology. A VPN creates an encrypted “tunnel” between two sites or between a remote user and the company network. Other efforts may include data classification and user education in the handling of sensitive information.
■ Integrity Does the risk assessment identify particular risks to company information? Does your company maintain a high-traffic Web site? Various tools and processes can be used to enhance the integrity of your information.
■ Availability Various factors that have an impact on the availability of critical networks and systems might have been identified. This area of security, although important, will probably prove less critical than some of the others, unless you have been experiencing frequent system outages or have been the victim of frequent DoS attacks.
■ Authentication Although it is one of the first lines of defense, authentication is a common area of weakness. Many organizations do not have adequate password policies and processes in place. For example, passwords are not changed on a regular basis, are not required to meet a minimum level of complexity, or can be reused.
■ Access control Another common area of weakness: access controls at both the network and system level are often not as strong as they should be. Drives may be shared by all users with read/write access. The typical user has a greater level of access than he or she needs to do a job. Tightening up access controls can result in substantial improvements in a company’s security posture. Some technological solutions include firewalls, router access lists, and policy enforcement tools that validate and perhaps control file system access.
■ Auditing This is a primary activity in the next phase, monitoring.
Another key task in securing your systems is closing vulnerabilities by turning off unneeded services and bringing the remaining ones up to date on patches. Services that have no defined business need present an additional possible avenue of attack and are just another component that needs patch attention. Keeping patches current is actually one of the most important activities you can perform to protect yourself, yet it is one that many organizations neglect. The Code Red and Nimda worms of 2001 were successful primarily because so many systems had not been patched for the vulnerabilities they exploited, including multiple Microsoft Internet Information Server (IIS) and Microsoft Outlook vulnerabilities. Patching, especially when you have hundreds or even thousands of systems, can be a monumental task. However, by defining and documenting processes, using tools to assist in configuration management, subscribing to multiple vulnerability alert mailing lists, and prioritizing patches according to criticality, you can get a better handle on the job. One useful document to assist in this process has been published by the U.S. National Institute of Standards and Technology (NIST) and can be found at http://csrc.nist.gov/publications/nistpubs/800-40/sp800-40.pdf (800-40 is the document number). Patch sources for a few of the key operating systems are located at:
■ Microsoft Windows: http://windowsupdate.microsoft.com
Also important is having a complete understanding of your network topology and some of the key information flows within it as well as in and out of it. This understanding helps you define different zones of trust and highlights where rearchitecting the network in places might improve security—for example, by deploying additional firewalls internally or on your network perimeter.
Monitoring Activity
As you make efforts to secure your environment, you move into the next phase of information security: establishing better mechanisms for monitoring activity on your network and systems. Adequate monitoring is essential so that you can be alerted, for example, when a security breach has occurred, when internal users are trying to exceed their authority, or when hardware or software failures are having an impact on system availability. Effective monitoring has two components: turning on capabilities already present on your systems and implementing tools for additional visibility. The first component includes use of the auditing function built into:
■ Operating systems, such as logging of administrator account access.
■ Network devices, as in login failures and configuration changes.
■ Applications, including auditing capability in the application as created by the vendor (for commercial software), as well as auditing added within a custom-developed application. Monitored events tend to be more transactional in nature, such as users trying to perform functions for which they are not authorized.
Most systems have such auditing turned off by default, however, and require you to specifically enable it. Be careful not to turn on too much, since you will be overwhelmed with data and will wind up ignoring it. This “turn on and tune” methodology flows into the second component, which also includes deployment of tools such as IDS on networks and hosts. In any environment that contains more than a few systems, performing manual reviews of system and audit logs, firewall logs, and IDS logs becomes an impossible and overwhelming task. Various tools (such as Swatch, at http://swatch.sourceforge.net) can perform log reduction and alert only on important events.
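As an added illustration of the “turn on and tune” idea and of what a log-reduction tool such as Swatch does, the following Python script (written for this page; it is not code from the book or from Swatch) runs over a handful of constructed syslog lines. It drops routine noise, raises one alert per burst of failed logins from a single source, and always alerts on the two events the list above singles out: a privileged account login on an operating system and a configuration change on a network device. The hostnames, addresses, the five-failures-in-60-seconds threshold and the year assumed for timestamp parsing are all assumptions made for the example.

```python
"""Log reduction over syslog lines, in the spirit of Swatch.

Added example for this page; not code from the book or from Swatch.  The
sample log, hostnames, addresses and thresholds are constructed.
"""
import re
from collections import defaultdict
from datetime import datetime

YEAR = 2005  # syslog lines carry no year; assumed here for timestamp parsing

# "Mon DD HH:MM:SS host program[pid]: message" (the program field may be a
# bare sequence number, as on a Cisco device)
LINE_RE = re.compile(r"^(\w{3} +\d+ \d\d:\d\d:\d\d) (\S+) (\S+?)(?:\[\d+\])?: (.*)$")
FAILED_RE = re.compile(r"Failed password for (?:invalid user )?(\S+) from (\d+\.\d+\.\d+\.\d+)")
ACCEPTED_RE = re.compile(r"Accepted \S+ for (\S+) from (\d+\.\d+\.\d+\.\d+)")
CONFIG_RE = re.compile(r"Configured from (\S+) by (\S+)")  # IOS %SYS-5-CONFIG_I text
PRIVILEGED = {"root", "admin", "administrator"}  # accounts whose logins always alert

# Constructed sample log: a password-guessing burst, cron noise, an ordinary
# user login, a root login, a router configuration change, and two slow
# failures that should stay below the threshold.
SAMPLE_LOG = """\
May  6 12:40:01 web1 sshd[2201]: Failed password for root from 198.51.100.7 port 51522 ssh2
May  6 12:40:02 web1 sshd[2203]: Failed password for root from 198.51.100.7 port 51523 ssh2
May  6 12:40:03 web1 sshd[2205]: Failed password for invalid user oracle from 198.51.100.7 port 51524 ssh2
May  6 12:40:04 web1 sshd[2207]: Failed password for root from 198.51.100.7 port 51525 ssh2
May  6 12:40:05 web1 cron[2210]: (root) CMD (run-parts /etc/cron.hourly)
May  6 12:40:06 web1 sshd[2212]: Failed password for root from 198.51.100.7 port 51526 ssh2
May  6 12:40:07 web1 sshd[2214]: Failed password for root from 198.51.100.7 port 51527 ssh2
May  6 12:41:10 web1 sshd[2220]: Accepted password for jsmith from 10.0.0.5 port 40000 ssh2
May  6 12:42:30 web1 sshd[2231]: Accepted publickey for root from 10.0.0.9 port 40100 ssh2
May  6 12:45:00 rtr1 12: %SYS-5-CONFIG_I: Configured from console by admin on vty0 (10.0.0.5)
May  6 13:30:00 db1 sshd[3001]: Failed password for root from 203.0.113.10 port 2222 ssh2
May  6 13:31:30 db1 sshd[3002]: Failed password for root from 203.0.113.10 port 2223 ssh2
"""


def parse(line):
    """Split a syslog line into (timestamp, host, program, message), or None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{YEAR} {m.group(1)}", "%Y %b %d %H:%M:%S")
    return ts, m.group(2), m.group(3), m.group(4)


def reduce_log(lines, threshold=5, window_s=60):
    """Return the alerts worth a human's attention, in log order.

    Failed logins are counted per (host, source IP) over a sliding window and
    reported once per burst; privileged logins and device configuration
    changes are reported every time.  Everything else is dropped.
    """
    alerts = []
    failures = defaultdict(list)  # (host, src) -> timestamps inside the window
    reported = set()              # bursts already alerted on
    for line in lines:
        parsed = parse(line)
        if parsed is None:
            continue
        ts, host, _prog, msg = parsed

        m = FAILED_RE.search(msg)
        if m:
            user, src = m.groups()
            key = (host, src)
            recent = [t for t in failures[key] if (ts - t).total_seconds() <= window_s]
            recent.append(ts)
            failures[key] = recent
            if len(recent) >= threshold and key not in reported:
                reported.add(key)
                alerts.append(f"{host}: {len(recent)} failed logins from {src} "
                              f"within {window_s}s (last user '{user}')")
            continue

        m = ACCEPTED_RE.search(msg)
        if m and m.group(1) in PRIVILEGED:
            alerts.append(f"{host}: privileged login as {m.group(1)} from {m.group(2)}")
            continue

        m = CONFIG_RE.search(msg)
        if m:
            alerts.append(f"{host}: configuration changed by {m.group(2)} ({m.group(1)})")
    return alerts


if __name__ == "__main__":
    for alert in reduce_log(SAMPLE_LOG.splitlines()):
        print(alert)
```

Twelve input lines reduce to three alerts: the guessing burst against web1 (reported once, when the fifth failure inside the window arrives), the root login, and the router configuration change. The two slow failures against db1 never reach the threshold and produce nothing, which is the tuning trade-off the text describes: lower the threshold or lengthen the window and you see slow attacks too, at the cost of more noise.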
Testing Security
It is far, far better to test your own security and find holes than for a hacker to find them for you. An effective security program includes regular vulnerability assessments and penetration testing as well as updates to your risk assessment when there are significant changes to the business or the technology. For example, initiating extranet links to business partners or starting to provide remote broadband access to employees should be accompanied by an updated risk profile that identifies the risks of the new activity and the component threats, prioritized by probability and severity. This testing identifies the components that need to be better secured and the level of effort required. A partial list of things that need to be tested or checked includes:
■ Security policy compliance, including things like password strength
■ System patch levels
■ Services running on systems
■ Custom applications, particularly public-facing Web applications
■ New servers added to the network
■ Active modems that accept incoming calls
NOTE Modems that are set up to accept incoming calls on computers can be very dangerous, as they can be used as a bridge from an outside network to a company’s internal networks. The computers they are attached to have fully functional TCP/IP stacks, enabling easy bridging and/or routing between the two networks. For example, a user could dial in to their ISP and configure their PC as a bridge or router between the two networks, creating a back door in the process. The same problem exists nowadays with Wi-Fi networks, which are proliferating very quickly, and it will become even worse as technologies like WiMAX become more common: a user can connect to a WiMAX access point several miles away and open a back door via their PC to your “secure” network.
A multitude of tools, both freeware and commercial off-the-shelf, are available to perform security testing. Some freeware tools include:
■ Nmap (www.insecure.org/nmap/) Nmap is one of the most commonly used network and port scanning tools, used by hackers and security professionals alike. It also has the ability to “fingerprint” the operating system of the target host by analyzing the responses to different types of probes.
■ Nessus (www.nessus.org) Nessus is a powerful, flexible vulnerability-scanning tool that can test different target platforms for known holes. It consists of a server process that is controlled by a separate graphical user interface (GUI). Each vulnerability is coded via a plug-in to the Nessus system, so new vulnerabilities can be added and tested for.
■ whisker (http://sourceforge.net/projects/whisker/) whisker is a collection of Perl scripts used to test Web server CGI scripts for vulnerabilities, a common point of attack in the Web environment.
■ Security Auditor’s Research Assistant (www-arc.com/sara/) SARA is a third-generation UNIX-based security assessment tool based on the original SATAN. SARA interfaces with other tools such as nmap and Samba for enhanced functionality.
■ L0phtCrack (www.atstake.com/products/lc/) L0phtCrack is used to test (crack) Windows and UNIX passwords. It is a great tool for finding weak passwords.
Commercial tools include:
■ ISS Internet Scanner (www.iss.net) Internet Scanner is used to scan networks for vulnerabilities. ISS also makes scanners specifically for databases, host systems, and wireless networks.
■ NetIQ Vulnerability Manager (www.netiq.com) Vulnerability Manager assesses for vulnerabilities across an enterprise with easy-to-use reporting.
In addition to testing security yourself, it is good practice to bring in security experts who are skilled in vulnerability assessments and penetration testing. These experts (sometimes known as ethical hackers) conduct attacks in the same manner as a hacker would, looking for any holes accessible from the outside. They are also able to conduct internal assessments to validate your security posture against industry best practices or standards such as the Common Criteria (http://csrc.nist.gov/cc/) or ISO 17799. Internal assessments include interviews with key staff and management, reviews of documentation, and testing of technical controls. A third-party review potentially provides a much more objective view of the state of your security environment and can even be useful in convincing upper management to increase IT security funding.
Improving Security
The fourth phase in the Security Wheel is that of improving security. In addition to securing your network, setting up monitoring, and performing vulnerability testing, you need to stay abreast, on a weekly or even daily basis, of current security news, primarily consisting of new vulnerability reports. Waiting for a particular vendor to alert you to new vulnerabilities is not enough; you also need to subscribe to third-party mailing lists such as Bugtraq (www.securityfocus.com), CERT (www.cert.org), or Security Wire Digest (www.infosecuritymag.com). Also important is verifying configurations on key security systems on a regular basis to ensure that they continue to represent your current policy. Most important of all, the four steps of the Security Wheel must be repeated continuously.
Firewall Concepts
In this section, we discuss the concept and definition of firewalls and look at the different types of firewalls and some other architectural aspects such as network interfaces, address translation, and VPNs.
What Is a Firewall?
The term firewall comes from the bricks-and-mortar architectural world. In buildings, a firewall is a wall built from heat- or fire-resistant material such as concrete that is intended to slow the spread of fire through a structure. In the same way, on a network a firewall is intended to stop unauthorized traffic from traveling from one network to another. The most common deployment of firewalls occurs between a trusted network and an untrusted one, typically the Internet. Figure 1.3 depicts this configuration and shows the border router that terminates a serial connection from the Internet service provider (ISP). In the past, it was actually rather common for Internet-connected organizations to have no firewalls, instead simply relying on the security of their host systems to protect their data. As networks got larger, it became unwieldy and risky to try to adequately secure each and every host, especially given the ever-increasing hacker threat.
Figure 1.3 Typical Firewall Placement (Internet, border router, firewall, internal LAN, in that order)
More and more sites, however, are also deploying firewalls into their internal networks, to separate zones of criticality. One example is putting a firewall between the payroll department subnet and the rest of the organization’s network. In this case, the company security policy could have specified that the payroll data and systems are sensitive, that few (if any) employees outside the department need to initiate connections into it, and that payroll employees need outbound access to other local network resources as well as the Internet. Deployment of internal firewalls has driven the requirement for faster firewalls that can handle Gigabit and multi-Gigabit speeds.
Configuring & Implementing… Deploying a Firewall
For quite some time, it was common for companies to think that once they deployed a firewall, they were secure. However, firewalls are just one component in an enterprise security strategy. They are generally good at what they do (filtering traffic), but they cannot do everything. The nature of perimeter security has also changed; few companies now have outbound-only traffic. Many enterprises deal with much more complex environments that include business partner connections, VPNs, and complicated e-commerce infrastructures. This complexity has driven huge increases in firewall functionality. Most firewalls now support multiple network interfaces and can control traffic between them, support VPNs, and enable secure use of complicated application protocols such as H.323 for videoconferencing. The risk, however, is that as more and more functionality is added to the firewall, holes might arise in these features, compromising integrity and security. Another risk is that these features will exact a performance penalty, reducing the firewall’s ability to focus on traffic filtering. So the message is this: use the firewall’s extra features to the minimum extent possible so that it can focus on its core function, and manage the security risk of the other functions by shifting them to other systems that can handle the load.
Firewall systems have certainly evolved over the years. Originally, firewalls were hand-built systems with two network interfaces that forwarded traffic between them. However, this was an area for experts only, requiring significant programming skills and system administration talent. Recognizing a need in this area, one of the first commercial-grade firewalls, the Firewall Toolkit (fwtk for short), was written in the early 1990s by Marcus Ranum, who was working for Trusted Information Systems (TIS) at the time. It was an application proxy design (definitions of firewall types are in the following section) that intermediated network connections from users to servers. The goal was to simplify development and deployment of firewalls and minimize the amount of custom firewall building that would otherwise be necessary. The Gauntlet firewall product evolved from the original fwtk, and TIS was acquired by Network Associates, Inc. Other vendors got into the firewall market, including Check Point, Netscreen, Symantec, and of course, Cisco. Research firm Meta Group believes that in the year 2005, the market for firewalls will be approximately US$ 2.5 billion worldwide. Meta Group states that this is due to the increase in firewall usage at companies—more firewalls are being deployed, not only externally, but also internally between business units. Next, let’s look at the types of firewalls and compare their functionalities.
Types of Firewalls
Although the original fwtk used a proxy-type design, other types of firewalls use a much different approach. Before we look at these, recall the Open Systems Interconnection (OSI) model (see Figure 1.4).
Figure 1.4 The OSI Model
■ Application: FTP, Telnet, HTTP, etc.
■ Presentation
■ Session
■ Transport: TCP, UDP, etc.
■ Network: IP, ICMP, etc.
■ Data link: Ethernet, Token Ring, etc.
■ Physical: copper or optical media, or wireless
Using this model as a reference, we can compare how the types of firewalls operate and make informed decisions about which type of firewall is appropriate for a particular need.
Packet Filters
In its most basic form, a packet filter makes decisions about whether to forward a packet based only on information found at the IP or TCP/UDP layers; in effect, a packet filter is a router with some intelligence. However, a packet filter only handles each packet individually; it does not keep track of TCP sessions. Thus, it is poorly equipped to detect spoofed packets that come in through the outside interface, pretending to be part of an existing session by setting the ACK flag in the TCP header. Packet filters are configured to allow or block traffic according to source and destination IP addresses, source and destination ports, and type of protocol (TCP, UDP, ICMP, and so on). Figure 1.5 shows how inspection only goes as far as the transport layer—for example, TCP.
Figure 1.5 Packet Filter Data Flow (of the seven OSI layers, inspection is done at the transport layer and below; the session, presentation, and application layers are not examined)
NOTE The term source address spoofing refers to an attacker deliberately modifying the source IP address of a packet in an effort to trick packet filters or firewalls into thinking that the packet came from a trusted network so that it will pass the packet through. It also serves the obvious benefit of hiding the source of the attack packets. The attacker can also undermine any access controls that are based solely on the source IP address. If the source IP used is that of an existing host, however, the real owner of that address will receive any replies to the attacker’s packets and will reject them with a TCP reset, since they do not match an existing session in its tables. An attacker will typically use spoofing when he or she just wants to initiate some action without needing to see a reply, as in a reflection DoS attack such as smurf, where a ping is sent to a broadcast address using the source IP of the intended DoS target. More complicated attacks using IP spoofing are possible, particularly where the attacker is trying to exploit UNIX trust relationships. This is how Kevin Mitnick attacked Tsutomu Shimomura’s systems on Christmas Day, 1994. Although Mitnick succeeded in his attack while coming over the Internet, this type of spoofing attack works only on an internal network these days (unless the victim has no firewall and is running old software with predictable TCP initial sequence numbers).
So why would you use a packet filter? Historically, the benefit was speed. Since it does not have to do any inspection of application data, a packet filter can operate nearly as fast as a router that is performing only packet routing and forwarding. As we will see, however, the packet filter concept has been improved, and with advances in hardware/software technology, a new type of firewall providing stateful inspection capability has now replaced packet filters, and can provide the same level of performance.
Stateful Inspection Packet Filters

The concept of stateful inspection came about in an effort to improve on the capability and security of regular packet filters while capitalizing on their inherent speed. A packet filter with stateful inspection is able to keep track of network sessions, so when it receives an ACK packet, it can determine its legitimacy by matching the packet to the corresponding entry in the connection table. An entry is created in the connection table when the firewall sees the first SYN packet that begins the TCP session. This entry is then looked up for succeeding packets in the session. Entries are automatically timed out after some configurable timeout period. UDP, which normally has no concept of state, can also be handled in a pseudo-stateful fashion. In this case, the firewall creates an entry in the connection table when the first UDP packet is transmitted. A UDP packet from a less secure network (a response) will be accepted only if a corresponding entry is found in the connection table.

If we move up to the application layer, we can see further use for statefulness for protocols such as FTP. FTP is a bit different in that the server that the user connects to on port 21 will initiate a data connection back on port 20 when a file download is requested. If the firewall has not kept track of the FTP control connection that was initially established, it will not allow the data connection back in. This concept also applies to many of the newer multimedia protocols such as H.323 and SIP. Stateful inspection packet filters remain the speed kings of firewalls and are the most flexible where new protocols are concerned, but they are sometimes less secure than application proxies. Check Point FireWall-1, Juniper/Netscreen, and the Cisco PIX are the leading examples of this type of firewall.
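The difference between the plain packet filter of the previous section and a stateful one is easiest to see by running the same packets through both. The following is an added example, not code from the book or from any of the firewall products it names: a small Python model in which the stateless filter applies the classic "let established (ACK) traffic in" rule, while the stateful filter keeps the connection table the text describes (entry on the first inside SYN, pseudo-state for UDP, idle timeout). The Packet record, the filter class names, the 60-second timeout and the sample packets are all constructed for the illustration.

```python
"""Stateless vs. stateful packet filtering, simulated.

Added example, not from the book: the Packet record, the two filter classes
and the sample packets below are constructed for illustration.
"""
from dataclasses import dataclass

SYN, ACK = "SYN", "ACK"


@dataclass(frozen=True)
class Packet:
    proto: str                        # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int
    flags: frozenset = frozenset()    # TCP flags; empty for UDP
    iface: str = "outside"            # interface the packet arrived on
    time: float = 0.0                 # arrival time in seconds (constructed)


class StatelessFilter:
    """Classic packet filter: one rule lookup per packet, no memory of sessions.

    Rules: anything from the inside may go out; from the outside, only TCP
    packets with ACK set come in (the old 'established' rule). A spoofed
    packet with ACK set therefore passes, exactly the weakness the text notes.
    """

    def permit(self, pkt: Packet) -> bool:
        if pkt.iface == "inside":
            return True
        return pkt.proto == "tcp" and ACK in pkt.flags


class StatefulFilter:
    """Stateful inspection: a connection table keyed by the session 5-tuple.

    An entry is created by the first SYN of an inside-initiated TCP session
    (or the first outbound UDP datagram, the pseudo-state the text describes);
    later packets in either direction must match an entry; entries expire
    after `timeout` seconds of inactivity.
    """

    def __init__(self, timeout: float = 60.0):
        self.timeout = timeout
        self.table: dict[tuple, float] = {}   # session key -> last time seen

    @staticmethod
    def _key(pkt: Packet) -> tuple:
        # Normalise both directions to (proto, inside ip, inside port, outside ip, outside port)
        if pkt.iface == "inside":
            return (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)
        return (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)

    def _expire(self, now: float) -> None:
        for key in [k for k, seen in self.table.items() if now - seen > self.timeout]:
            del self.table[key]

    def permit(self, pkt: Packet) -> bool:
        self._expire(pkt.time)
        key = self._key(pkt)
        if key in self.table:
            self.table[key] = pkt.time        # refresh the entry's timer
            return True
        if pkt.iface != "inside":
            return False                      # unsolicited from outside: drop
        if pkt.proto == "tcp" and pkt.flags != frozenset({SYN}):
            return False                      # only a SYN may start a TCP session
        self.table[key] = pkt.time            # new session from the inside
        return True


def scenario() -> dict[str, tuple[bool, bool]]:
    """Run constructed packets through both filters.

    Returns {label: (stateless decision, stateful decision)}.
    """
    stateless, stateful = StatelessFilter(), StatefulFilter(timeout=60.0)
    inside, web, dns, stranger = "10.18.2.7", "203.0.113.5", "203.0.113.53", "198.51.100.9"
    packets = {
        # inside host opens a web connection; the server's SYN/ACK matches the new entry
        "syn_out": Packet("tcp", inside, 40000, web, 80, frozenset({SYN}), "inside", 0.0),
        "synack_in": Packet("tcp", web, 80, inside, 40000, frozenset({SYN, ACK}), "outside", 0.1),
        # ACK set but no such session: the stateless filter lets it in, the stateful one does not
        "spoofed_ack": Packet("tcp", web, 80, inside, 40001, frozenset({ACK}), "outside", 0.2),
        # DNS query out, reply in: UDP pseudo-state
        "dns_out": Packet("udp", inside, 53001, dns, 53, frozenset(), "inside", 1.0),
        "dns_in": Packet("udp", dns, 53, inside, 53001, frozenset(), "outside", 1.1),
        # unsolicited UDP from outside
        "udp_unsolicited": Packet("udp", stranger, 1234, inside, 161, frozenset(), "outside", 1.2),
        # traffic on the web session after its entry has idled past the timeout
        "late_ack": Packet("tcp", web, 80, inside, 40000, frozenset({ACK}), "outside", 120.0),
    }
    return {label: (stateless.permit(p), stateful.permit(p)) for label, p in packets.items()}
```

Two results are worth noting: the stateless filter cannot tell the spoofed ACK from the real SYN/ACK, and it has no way at all to admit the DNS reply short of opening UDP entirely, while the stateful filter gets both right because the decision is made against the table rather than against the packet alone. The timed-out entry shows the other side of that design: state has to be aged out, or the table fills with dead sessions that an attacker could still match.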
NOTE Modern stateful inspection firewalls often provide deep packet inspection capabilities, allowing the firewall to inspect network traffic as high as the application layer. For example, the latest versions of the PIX firewall are able to allow/deny traffic based on HTTP and FTP commands, which sit at the application layer of the OSI model.
Application Proxies

As their name implies, application proxy firewalls act as intermediaries in network sessions. The user’s connection terminates at the proxy, and a corresponding separate connection is initiated from the proxy to the destination host. Connections are analyzed all the way up to the application layer to determine if they are allowed. It is this characteristic that gives proxies a higher level of security than packet filters, stateful or otherwise. However, as you might imagine, this additional processing exacts a toll on performance. Figure 1.6 shows how packet processing is handled at the application layer before it is passed on or blocked.
Figure 1.6 Application Proxy Data Flow (the figure lists the OSI layers, Application through Physical, and marks the Application layer as the point where inspection is done)
One potentially significant limitation of application proxies is that as new application protocols are implemented, corresponding proxies must be developed to handle them. This means that you could be at the mercy of your vendor if there is a hot new video multicasting technology, for example, but there is no proxy for it.
NOTE Modern proxy-based firewalls often provide the ability to configure generic proxies for IP, TCP, and UDP. Although not as secure as proxies that work at the application layer, these configurable proxies often allow for passing of newer protocols.
One example of a proxy-based firewall is the Symantec Enterprise Firewall ().
Inbound and Outbound

When you go to a Web site or check your mail, the computer you are using opens a connection over the network to another computer. When defining the direction of a connection in terms of network traffic and firewalls, outbound from your computer means that your computer initiated the connection, and includes the data returned to the request. The outbound request and the return data together are considered a session. So, outbound and inbound are terms relative to the system that makes the request and the system that is the target of a request. These terms are also used to discuss connections relative to a protected inside network and the outside network (for example, “outbound to the Internet” and “inbound from the Internet”).

The benefit of using a firewall to control inbound connections to a protected network when connected to the Internet is unquestionable. Restricting inbound traffic can eliminate exposure to worms and other attacks on vulnerable services, and is a requirement to keep computers from infection on the Internet. This also allows a protected network to continue to provide rich services, such as a Windows domain, print services, and access to files on network shares, without exposing those services to the dangers of the Internet. Home gateways and firewalls help protect home networks in a similar manner.

Restricting outbound connections out to the Internet also has become increasingly important. Systems infected with malware often install programs that can hide from detection, collect information, and send it back to their master across the Internet. That information can be files from your hard drive or network shares; another popular source of information for hackers is keystroke recorders. A keystroke recorder will do just that—capture all the information from the keyboard. This recorder can capture the URL for your bank’s Web site, your username and your password, and send them across the Internet to the hacker.
Besides just capturing information, many hacker programs can connect to a master and allow access to microphones, webcams, or even give full remote control of the compromised machine to an attacker somewhere out on the Internet. Allowing freely open connections out through a firewall facilitates these compromises. These kinds of compromises put personal privacy and security, as well as our corporate privacy and security, at risk.

An enterprise can design its firewall architecture so inbound and outbound traffic goes through the same firewall, or the same set of firewalls. However, based on security, performance, and availability requirements, these roles can also be separated. In this case, the firewalls handling outbound traffic are called outbound firewalls, and similarly, the firewalls handling inbound traffic are referred to as inbound firewalls.
Firewall Interfaces: Inside, Outside, and DMZ

In its most basic form, a firewall has just two network interfaces: inside and outside. These labels refer to the level of trust in the attached network, where the outside interface is connected to the untrusted network (often the Internet) and the inside interface is connected to the trusted network. In an internal deployment, the interface referred to as outside may be connected to the company backbone, which is probably not as untrusted as the Internet but just the same is trusted somewhat less than the inside. Recall the previous example of a firewall deployed to protect a payroll department.

As a company’s Internet business needs become more complex, the limitations of having only two interfaces become apparent. For example, where would you put a Web server for your customers? If you place it on the outside of the firewall, as in Figure 1.7, the Web server is fully exposed to attacks, with only a screening router for minimal protection. You must rely on the security of the host system in this instance.
Figure 1.7 A Web Server Located outside the Firewall (Internet, border router, Web server, firewall, internal LAN)
The other possibility in the two-interface firewall scenario is to put the Web server inside the firewall, on an internal segment (see Figure 1.8). The firewall would be configured to allow Web traffic on port 80, and maybe 443 for Secure Sockets Layer (SSL), through to the IP address of the Web server. This prevents any direct probing of your internal network by an attacker, but what if he or she is able to compromise your Web server through port 80 and gain remote superuser access? Then he or she is free to launch attacks from the Web server to anywhere else in your internal network, with no restrictions.
Figure 1.8 A Web Server Located inside the Firewall (Internet, border router, firewall, Web server on the internal LAN)
The answer to these problems is to have support for more than two interfaces on your firewall, as most systems now do. This solution allows for establishment of intermediate zones of trust that are neither inside nor outside. These are referred to as DMZs (for the military term demilitarized zone). A DMZ network is protected by the firewall to the same extent as the internal network but is separated so that access from the DMZ to the internal network is filtered as well. Figure 1.9 shows this layout.
Figure 1.9 A DMZ Network (Internet, border router, firewall with a DMZ segment holding the Web server, internal LAN)
Another design sometimes deployed uses two firewalls: an outer one and an inner one, with the DMZ lying between them (see Figure 1.10). Sometimes firewalls from two different vendors are used in this design, with the belief that a security hole in one would be blocked by the other. However, evidence shows that nearly all firewall breaches come from misconfiguration, not from errors in the firewall code itself. Thus, such a design generally increases expense and management overhead, without providing much additional security, if any.
Figure 1.10 A Two-Firewall Architecture (Internet, border router, outer firewall, DMZ holding the Web server, inner firewall, internal LAN)
Some companies implement multiple DMZs, each with a different business purpose and corresponding level of trust. For example, one DMZ segment could contain only servers for public access, whereas another could host servers just for business partners or customers. This approach enables a more granular level of control and simplifies administration. In a more complex e-commerce environment, the Web server might need to access customer data from a backend database server on the internal LAN. In this case, the firewall would be configured to allow Hypertext Transfer Protocol (HTTP) connections from the outside to the Web server and then specific connections to the appropriate IP addresses and ports as needed from the Web server to the inside database server.
Firewall Policies

As part of your security assessment process, you should have a clear idea of the various business reasons for the different communications allowed through your firewall. Each protocol carries with it certain risks, some far more than others. These risks must be balanced with their business benefits. For example, one person needing X Windows (a notoriously difficult protocol to secure properly) access through the firewall for a university class she is taking is unlikely to satisfy this requirement. On the other hand, a drop-box File Transfer Protocol (FTP) server for sharing of files with customers might satisfy it. It often happens that the firewall rule base grows organically over time and reaches a point where the administrator no longer fully understands the reasons for everything in there. For that reason, it is essential that the firewall policy be well documented, with the business justification for each rule clearly articulated in this documentation. Changes to the firewall policy should be made sparingly and cautiously, only with management approval, and through standard system maintenance and change control processes.
Address Translation

RFC 1918, “Address Allocation for Private Internets,” specifies certain nonregistered IP address ranges that are to be used only on private networks and are not to be routed across the Internet. The RFC uses the term ambiguous to refer to these private addresses, meaning that they are not globally unique. The reserved ranges are:
10.0.0.0 - 10.255.255.255 (10/8 prefix)
172.16.0.0 - 172.31.255.255 (172.16/12 prefix)
192.168.0.0 - 192.168.255.255 (192.168/16 prefix)
The primary motivation for setting aside these private address ranges was the fear in 1996 that the 32-bit address space of IP version 4 was becoming rapidly depleted due to inefficient allocation. Organizations that had at most a few thousand hosts, most of which did not need to be accessible from the Internet, over the years had been allocated huge blocks of IP addresses that had gone mostly unused. By renumbering their private networks with these reserved address ranges, companies could potentially return their allocated public blocks for use elsewhere, thus extending the useful life of IPv4.

The sharp reader, however, will ask: if these addresses are not routable on the Internet, how does a host on a private network access the Web? The source IP of such a connection would be a private address, and the user’s connection attempt would just be dropped before it got very far. This is where Network Address Translation (NAT), defined in RFC 1631, comes into play. Most organizations connected to the Internet use NAT to hide their internal addresses from the global Internet. This serves as a basic security measure that can make it a bit more difficult for an external attacker to map out the internal network. NAT typically is performed on the Internet firewall and takes two forms, static or dynamic. When NAT is performed, the firewall rewrites the source and/or the destination addresses in the IP header, replacing them with translated addresses. This process is configurable.

First, some terms need to be defined. In the context of address translation, inside refers to the internal, private network. Outside is the greater network to which the private network connects (typically the Internet). Local IP addresses are seen on the inside network, and global IP addresses are seen on the outside network.
Within the inside address space, addresses are referred to as inside local (typically RFC 1918 ranges) and are translated to inside global addresses that are visible on the outside. For example, if we have a host on the inside network of 10.0.0.0/8 having a real IP address of 10.18.2.7, this would be considered its inside local address. When communicating with the outside world (for example, the Internet), this private address would get translated to a public, routable IP address, which would be referred to as this device’s inside global address. Similarly, for translations of outside addresses coming to the inside, a distinction is also made between local and global addresses. Outside global addresses are the real addresses assigned to hosts on the outside network. Outside local, as the name might imply, is the reverse of inside global. These are addresses of outside hosts that are translated for access internally. Figure 1.11 provides a visual description of these terms. In the figure, SA stands for Source Address of the packet, and DA stands for the Destination Address.
Figure 1.11 NAT Terminology (inside network on the left, outside network on the right; a packet leaving the inside carries SA = Inside Local, DA = Outside Local and appears on the outside as SA = Inside Global, DA = Outside Global; a reply arriving from the outside carries DA = Inside Global, SA = Outside Global and appears on the inside as DA = Inside Local, SA = Outside Local)
To keep these terms straight, just keep in mind the direction in which the traffic is going—in other words, from where it is initiated. This direction determines which translation will be applied.
Static Translation

In static NAT, a permanent one-to-one mapping is established between inside local and inside global addresses. This method is useful when you have a small number of inside hosts that need access to the Internet and have adequate globally unique addresses to translate to. When a NAT router or firewall receives a packet from an inside host, it looks to see if there is a matching source address entry in its static NAT table. If there is, it replaces the local source address with a global source address and forwards the packet. Replies from the outside destination host simply are translated in reverse and routed onto the inside network. Static translation is also useful for outside communication initiated to an inside host. In this situation, the destination (not the source) address is translated. Figure 1.12 shows an example of static NAT. Each local inside address (192.168.0.10, 192.168.0.11, and 192.168.0.12) has a matching global inside address (10.0.1.10, 10.0.1.11, and 10.0.1.12, respectively).
Dynamic Translation

When dynamic NAT is set up, a pool of inside global addresses is defined for use in outbound translation. When the NAT router or firewall receives a packet from an inside host and dynamic NAT is configured, it selects the next available address from the global address pool that was set up and replaces the source address in the IP header. Dynamic NAT differs from static NAT because address mappings can change for each new conversation that is set up between two given endpoints. Figure 1.13 shows how dynamic translation might work. The global address pool (for example purposes only) is 10.0.1.10 through 10.0.1.12, using a 24-bit subnet mask (255.255.255.0). The local address 192.168.0.10 is mapped directly to the first address in the global pool (10.0.1.10). The next system needing access (local address 192.168.0.12 in this example) is mapped to the next available global address of 10.0.1.11. The local host 192.168.0.11 never initiated a connection to the Internet, and therefore a dynamic translation entry was never created for it.
Figure 1.13 Dynamic Translation (PIX using NAT, global address pool 10.0.1.10-12; local 192.168.0.10 is translated to global 10.0.1.10, local 192.168.0.12 to global 10.0.1.11)
Port Address Translation

What happens when there are more internal hosts initiating sessions than there are global addresses in the pool? This can be handled through a configurable parameter in NAT known as overloading, also referred to as Port Address Translation, or PAT. In this situation, you have the possibility of multiple inside hosts being assigned to the same global source address. The NAT/PAT box needs a way to keep track of which local address to send replies back to. This is done by using unique source port numbers as the tracking mechanism and involves possible rewriting of the source port in the packet header. You should recall that TCP and UDP use 16 bits to encode port numbers, which allows for 65,536 different services or sources to be identified (for each of TCP and UDP). When performing translation, PAT tries to use the original source port number if it is not already used. If it is, the next available port number from the appropriate group is used. Once the available port numbers are exhausted, the process starts again using the next available IP address from the pool.
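The three translation modes just described (static, dynamic and PAT) fit in one small model. The following is an added example, not code from the book or from the PIX itself: a Python class that translates inside-initiated packets and maps the replies back, using the book's sample addresses (local 192.168.0.10 through 192.168.0.12, global pool 10.0.1.10 through 10.0.1.12). The Nat class, its method names and the tiny two-port range used to force PAT onto the next pool address are constructed for the illustration; real PAT draws from the full 16-bit port range. As a simplification, a dynamic mapping here lives per inside host rather than per conversation.

```python
"""Static NAT, dynamic NAT and PAT (overloading), simulated.

Added example, not from the book: the Nat class and its method names are
constructed here; the addresses are the book's sample ranges.
"""
from dataclasses import dataclass, replace
from typing import Optional


@dataclass(frozen=True)
class Packet:
    proto: str      # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int


class Nat:
    """Source translation for inside-initiated sessions, and the reverse for replies.

    static   - permanent inside-local -> inside-global pairs, ports untouched
    dynamic  - a pool address per inside host, first come first served
    overload - PAT: hosts share each pool address, told apart by source port
    (simplification: dynamic mappings live per host, not per conversation)
    """

    def __init__(self, pool, static=None, overload=False, ports=range(1024, 65536)):
        self.pool = list(pool)
        self.static = dict(static or {})
        self.overload = overload
        self.ports = ports
        self.dynamic = {}    # inside local ip -> inside global ip
        self.pat = {}        # (proto, local ip, local port) -> (global ip, global port)
        self.pat_rev = {}    # (proto, global ip, global port) -> (local ip, local port)

    def outbound(self, pkt: Packet) -> Optional[Packet]:
        """Translate an inside -> outside packet; None means it must be dropped."""
        if pkt.src in self.static:
            return replace(pkt, src=self.static[pkt.src])
        if self.overload:
            return self._overload(pkt)
        glob = self.dynamic.get(pkt.src)
        if glob is None:
            free = [g for g in self.pool if g not in self.dynamic.values()]
            if not free:
                return None                    # pool exhausted, no PAT: dropped
            glob = self.dynamic[pkt.src] = free[0]
        return replace(pkt, src=glob)

    def _overload(self, pkt: Packet) -> Optional[Packet]:
        key = (pkt.proto, pkt.src, pkt.sport)
        if key not in self.pat:
            # keep the original source port if free, else the next free one;
            # when an address runs out of ports, move on to the next pool address
            for glob in self.pool:
                for port in (pkt.sport, *self.ports):
                    if (pkt.proto, glob, port) not in self.pat_rev:
                        self.pat[key] = (glob, port)
                        self.pat_rev[(pkt.proto, glob, port)] = (pkt.src, pkt.sport)
                        break
                if key in self.pat:
                    break
            else:
                return None                    # every port on every address in use
        glob, port = self.pat[key]
        return replace(pkt, src=glob, sport=port)

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        """Map a packet from outside back to the inside host; None if no entry."""
        for local, glob in self.static.items():
            if glob == pkt.dst:
                return replace(pkt, dst=local)
        if self.overload:
            hit = self.pat_rev.get((pkt.proto, pkt.dst, pkt.dport))
            return None if hit is None else replace(pkt, dst=hit[0], dport=hit[1])
        for local, glob in self.dynamic.items():
            if glob == pkt.dst:
                return replace(pkt, dst=local)
        return None                            # unsolicited: nothing to map to


def demo() -> dict:
    """The book's Figure 1.13 scenario, then static + PAT with a constructed two-port range."""
    out = {}
    nat = Nat(pool=["10.0.1.10", "10.0.1.11", "10.0.1.12"])
    out["dyn_10"] = nat.outbound(Packet("tcp", "192.168.0.10", 40000, "203.0.113.5", 80)).src
    out["dyn_12"] = nat.outbound(Packet("tcp", "192.168.0.12", 40001, "203.0.113.5", 80)).src
    out["dyn_reply"] = nat.inbound(Packet("tcp", "203.0.113.5", 80, "10.0.1.11", 40001)).dst
    out["dyn_unsolicited"] = nat.inbound(Packet("tcp", "203.0.113.5", 80, "10.0.1.12", 4242))
    pat = Nat(pool=["10.0.1.11", "10.0.1.12"], static={"192.168.0.10": "10.0.1.10"},
              overload=True, ports=range(5000, 5002))
    sent = [pat.outbound(Packet("udp", f"192.168.0.{h}", 5000, "203.0.113.53", 53)) for h in (11, 12, 13)]
    out["pat"] = [(p.src, p.sport) for p in sent]
    r = pat.inbound(Packet("udp", "203.0.113.53", 53, "10.0.1.11", 5001))
    out["pat_reply"] = (r.dst, r.dport)
    out["static"] = pat.outbound(Packet("tcp", "192.168.0.10", 1234, "203.0.113.5", 443)).src
    return out
```

Running demo() reproduces the Figure 1.13 outcome (192.168.0.10 gets 10.0.1.10, 192.168.0.12 gets 10.0.1.11, and a packet to the never-used 10.0.1.12 has no entry to map to), and the PAT half shows the port behaviour the text describes: the first host keeps its original source port 5000, the second host with the same source port is rewritten to 5001, and once 10.0.1.11 has no ports left the third host rolls over to 10.0.1.12. The reverse table is also the security property of NAT in miniature: a packet from outside that matches no entry simply has nowhere to go.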
Virtual Private Networking

The concept of VPN initially was developed as a solution to the high cost of dedicated lines between sites that needed to exchange sensitive information. As the name indicates, it is not quite private networking, but “virtually private.” This privacy of communication over a public network such as the Internet typically is achieved using encryption technology and usually addresses the issues of confidentiality, integrity, and authentication.

In the past, organizations that had to enable data communication between multiple sites used a variety of pricey WAN technologies such as point-to-point leased lines, Frame Relay, X.25, and Integrated Services Digital Network (ISDN). These were especially expensive for companies that had international locations. However, whether circuit-switched or packet-switched, these technologies carried a decent measure of inherent security. A hacker typically would need to get access to the underlying telecom infrastructure to be able to snoop on communications. This was, and still is, a nontrivial task, since carriers typically have done a good job on physical security. Even so, organizations such as banks that had extreme requirements for WAN security would deploy link encryption devices to scramble all data traveling across these connections. Another benefit to having dedicated links has been that you had a solid baseline of bandwidth that you could count on. Applications that had critical network throughput requirements would drive the specification of the size of WAN pipe that was needed to support them.

VPNs experienced slow initial adoption due to the lack of throughput and reliability guarantees on the Internet as well as the complexity of configuration and management. Now that the Internet has proven its reliability for critical tasks and many of the management hurdles have been overcome, VPN adopters are now focusing their attention on issues of interoperability and security. The interoperability question has mostly been answered as VPN vendors are implementing industry-standard protocols such as IPsec for their products. The IPsec standards provide for confidentiality, integrity, and optionally, authentication. Because of these improvements, organizations are now able to deploy VPNs in a rather straightforward manner, enabling secure access to the enterprise network for remote offices and/or telecommuters. Figure 1.14 shows the two main reasons for setting up VPNs. The first is to provide site-to-site connectivity to remote offices. The second is for telecommuters, adding flexibility by enabling enterprise access not only via dial-up to any ISP but also through a broadband connection via a home or hotel, for example.
VPNs are used for many other reasons nowadays, including setting up connectivity to customers, vendors, and partners.
Figure 1.14 VPN Deployment (a satellite office and a telecommuter each reach the PIX through VPN tunnels across the Internet)
SECURITY ALERT Many organizations have gone through the trouble of setting up VPN links for their remote users but have not taken the extra step of validating or improving the security of the computers that these workers are using to access the VPN. The most secure VPN tunnel offers no protection if the user’s PC has been compromised by a Trojan horse program that allows a hacker to ride through the VPN tunnel right alongside legitimate, authorized traffic.
The solution is to deploy cost-effective firewall and intrusion detection software or hardware for each client that will be accessing the VPN, as well as continuous monitoring of the datastream coming out of the tunnel. Combined with real-time antivirus scanning and regular security scans, this solution helps ensure that the VPN does not become an avenue for attack into the enterprise.
Cisco Security Certifications

Cisco offers a variety of certifications for the practitioner to demonstrate competence in Cisco security technologies. For specializing in a particular technology, Cisco offers a variety of Cisco Qualified Specialist certifications. In the area of PIX firewalls, there is a Cisco Firewall Specialist certification. At the professional level, Cisco has the Certified Security Professional (CCSP), and at the expert level, there is the Cisco Certified Internetwork Expert (CCIE) Security. These two certifications show that the holder has significant experience and skills using and integrating a broad range of Cisco security products, including VPN devices, IDS, and, of course, PIX firewalls.
Cisco Firewall Specialist

The Cisco Firewall Specialist is one of many programs offered under the portfolio of Cisco Qualified Specialist certifications. It demonstrates expertise in Cisco PIX firewall and Cisco IOS router security.
Requirements

A valid Cisco Certified Network Associate (CCNA) certification is a prerequisite. Once this requirement is met, the candidate needs to pass two exams to obtain the certification, listed in Table 1.1.
Table 1.1 Cisco Firewall Specialist Certification Exam Requirements

Exam Number   Training Course
642-501       Securing Cisco IOS Networks (SECUR)
642-521       Cisco Secure PIX Firewall (CSPFA)
NOTE Cisco keeps its certifications up to date; therefore, the certifications and their requirements are constantly changing. As of publication of this book, Cisco has not yet released updated exams/certifications for PIX firewall software 7.0. Visit Cisco’s Web site for the latest information on current certification and exams.
A person with the Cisco Firewall Specialist certification needs to recertify every two years by taking a written exam.
Cisco Certified Security Professional

The CCSP certification is a professional level certification program offered by Cisco. A person who has achieved the CCSP certification has proven through examination that he or she possesses a keen understanding of network security processes, technologies, and risks. He or she also understands how to deploy, configure, and manage Cisco security tools to support efforts in perimeter defense, network and host intrusion monitoring, and network-level encryption.
Requirements

Like the Cisco Firewall Specialist, the initial requirement to obtain the CCSP certification is a current CCNA certification. With that, the candidate can choose to get specific training through a Cisco Training Partner or Cisco e-learning to augment and reinforce his or her skills, or simply sit for the necessary written exams. There is no requirement that the candidate go through training in order to take the exams. However, because the exams are quite rigorous, the candidate should ensure that he or she meets all the knowledge objectives as described for each course and corresponding exam. After passing the CCNA, the current five exams that must be passed to obtain CSS-1 certification are shown in Table 1.2.
Table 1.2 CCSP Certification Exam Requirements

Exam Number   Training Course
642-501       Securing Cisco IOS Networks (SECUR)
642-521       Cisco Secure PIX Firewall Advanced (CSPFA)
642-531       Cisco Secure Intrusion Detection Systems (CSIDS)
642-511       Cisco Secure Virtual Private Networks (CSVPN)
642-541       Cisco SAFE Implementation (CSI)
NOTE Cisco keeps its certifications up to date; therefore, the certifications and their requirements are constantly changing. As of publication of this book, Cisco has not yet released updated exams/certifications for PIX firewall software 7.x. Visit Cisco’s Web site for the latest information on current certification and exams.
A person with CCSP certification needs to recertify every three years by taking a written exam.
Cisco Certified Internetwork Expert Security

The CCIE certification demonstrates that the holder belongs to the top tier of internetworking talent. The extremely challenging path to CCIE certification requires passing both a written test and a comprehensive hands-on lab exam. As an adjunct to the CCIE program, Cisco has created a security designation for those who want to demonstrate additional top-level competence in Cisco’s security technologies.
The Qualification (Written) Exam

Cisco’s written exam (350-018) for CCIE Security covers the following areas of knowledge:
■ Security protocols
■ Application protocols
■ General networking
■ Security technologies
■ Cisco security applications
■ General security knowledge
■ General Cisco knowledge
NOTE A detailed blueprint of the CCIE Security written exam is available on Cisco’s Web site at www.cisco.com/go/ccie.
The written exam is a computerized multiple-choice test and contains 100 questions. The candidate is allotted two hours to complete the test to demonstrate comprehensive knowledge in each of these areas in order to pass the written exam and qualify to take the lab exam.
The Lab Exam

Whereas the written exam is of a more theoretical, “book knowledge” nature, the CCIE Security lab exam validates actual hands-on skills in building and troubleshooting an internetwork built with Cisco technologies. The eight-hour lab exam requires a solid understanding of routing and switching, augmented by firewall and VPN knowledge. It should be noted that achieving CCIE certification depends on the candidate’s preparation as a combination of self-study, training, and work experience. It is unlikely that training or self-study alone will be enough to pass the CCIE exam, since in-depth knowledge of Cisco commands and architecture is required. The candidate should be very familiar with the following equipment and services:
■ 2600 series routers
■ 3600 series routers
■ 3700 series routers
■ Catalyst 3550 series switches
■ PIX firewalls
■ Certificate Authority Support
■ Cisco Secure Access Control System
■ Cisco Secure Intrusion Detection System
■ Cisco VPN concentrators
■ Cisco IDS sensors
Cisco’s lab exam covers the following broad areas of technology:
■ Bridging and switching
■ IGP Routing
■ PIX Firewall
■ ISDN
■ BGP
■ IP/IOS features
■ AAA
■ VPN
■ IOS firewall
■ Advanced security
■ Intrusion detection system
NOTE A detailed blueprint of the CCIE Security lab exam is available on Cisco’s Web site at www.cisco.com/go/ccie.
The CSPFA Exam

The Cisco Secure PIX Firewall Advanced exam (642-521) is required for both the Cisco Firewall Specialist and Cisco Certified Security Professional certifications. This computer-based exam is 75 minutes in duration and includes 55 to 65 questions. This book covers all the objectives of the CSPFA exam and in most cases overshoots them. The goal of this book is not only to provide the knowledge needed to pass the CSPFA exam, but also to provide real-world insights that will help you better deploy and manage Cisco PIX firewalls in your environment.
Exam Objectives

The CSPFA (642-521) exam covers the following topic areas:
■ Cisco PIX Firewall Technology and Features
    ■ Firewalls
    ■ PIX Firewall models
■ Cisco PIX Firewall Family
    ■ PIX Firewall models
    ■ PIX services module
    ■ PIX Firewall licensing
■ Getting Started with the Cisco PIX Firewall
    ■ User interface
    ■ Examining the PIX Firewall status
    ■ ASA security levels
    ■ Basic PIX Firewall configuration
    ■ Syslog configuration
    ■ DHCP server configuration
    ■ PPPoE and the PIX Firewall
■ Translations and Connections
    ■ Transport Protocols
    ■ Network Address Translation
    ■ Configuring DNS support
    ■ Port Address Translations
■ Access Control Lists and Content Filtering
    ■ ACLs
    ■ Converting Conduits to ACLs
    ■ Using ACLs
■ Object Grouping
    ■ Overview of object grouping
    ■ Getting started with object groups
    ■ Configuring object groups
    ■ Nested object groups
■ Advanced Protocol Handling
    ■ Advanced protocols
    ■ Multimedia support
■ Attack Guards, Intrusion Detection, and Shunning
    ■ Attack guards
    ■ Intrusion detection
■ Authentication, Authorization, and Accounting
    ■ Introduction
    ■ Installation of CSACS for Windows NT
    ■ Authentication configuration
    ■ Downloadable ACLs
■ Failover
    ■ Understanding failover
    ■ Serial failover configuration
    ■ LAN-based failover configuration
■ Virtual private networks
    ■ PIX Firewall enables a secure VPN
    ■ Prepare to configure VPN support
    ■ Configure IKE parameters
    ■ Configure IPsec parameters
    ■ Test and verify VPN configuration
    ■ Cisco VPN client
    ■ Scale PIX Firewall VPNs
■ System maintenance
    ■ Remote access
    ■ Command authorization
■ Cisco PIX Device Manager
    ■ PDM overview
    ■ Prepare for PDM
    ■ Using PDM to configure the PIX Firewall
    ■ Using PDM to create a site-to-site VPN
    ■ Using PDM to create a remote access VPN
■ Enterprise PIX Firewall Management
    ■ Configuring access and translation rules
    ■ Reporting, tools, and administration
■ Enterprise PIX Firewall Maintenance
    ■ Introduction to the auto update server
    ■ PIX Firewall and AUS communication settings
    ■ Devices, images, and assignments
    ■ Reports and administration
■ Firewall Services Module
    ■ FWSM overview
    ■ Using PDM with the FWSM
Summary
In this chapter, we learned about the importance of security to any organization deploying networks today. Threats can come from both outside and inside. A security strategy must address issues of confidentiality, integrity, availability, authentication, access control, and accounting. Every organization with an IT infrastructure needs an information security policy. The policy development and maintenance process should include multiple stakeholders representing the different areas of the organization, and it must take into account the overall risk picture.

Information security is not a goal or result; it is a process. Cisco’s Security Wheel describes this ongoing process of securing your network, monitoring and responding to incidents, testing for vulnerabilities, and managing and improving security.

Firewalls are devices that regulate and filter traffic between networks. The most common deployment is on an Internet connection, but more and more organizations are using firewalls internally to segment sensitive areas. There are two fundamental approaches to firewall design: packet filtering, which operates at the network layer, and application proxying, which works at the application layer and understands details of particular applications. Packet filters have the advantage of speed, but proxies have the advantage in security. Stateful packet filters, an evolution of basic packet filters, have the intelligence to keep track of connections to make more informed pass/block decisions. Firewall architectures often include one or more DMZ networks, which enable services to be made available to the Internet while keeping them protected by the firewall and segmented from the internal LAN.

Network Address Translation allows an organization to use private, nonunique addresses on its internal networks. These addresses are translated to globally unique addresses for routing on the Internet. NAT also hides internal addressing details from the outside, although this obscurity is a side benefit and not a substitute for filtering.

Virtual private networks are supported by most major firewalls today. They enable remote sites and users to gain authenticated, confidential access to the enterprise from the Internet.

Cisco offers two security-specific certification programs: CCSP and CCIE Security. CCSP requires the CCNA certification and passing of five written tests. CCIE Security is a more advanced certification and requires a rigorous hands-on lab exam in addition to a difficult written exam.
Solutions Fast Track

The Importance of Security
■ Information security is more important than ever due to the interconnectedness of businesses and the increased sophistication of hackers.
■ Fundamental areas of security include confidentiality, integrity, availability, authentication, authorization, and accounting.
■ The Internet and its associated protocols were not initially designed to be secure. This means that extra effort is required to secure information assets using defined and documented processes, additional technologies, and security awareness.
■ The greater threat to an organization comes from employee and contractor misuse on the inside. Perimeter defense is important but should not be the only area of effort.
Creating a Security Policy
■ A good security policy forms the foundation for all other information security activities. It should be general in scope so that changes in people or technology do not require that the policy be changed as well.
■ Participation from key stakeholders in the policy development process is essential to gaining support for the policy.
■ The policy process should include a companywide risk assessment and documentation of the critical information flows.
■ The high-level policies flow down and guide creation of specific standards, processes, and procedures.

Cisco’s Security Wheel
■ The Cisco Security Wheel is a model that graphically represents the ongoing process nature of security.
■ Based on the security policy, the Wheel includes four major functions: secure, monitor and respond, test, and manage and improve.
■ Many tools, both commercial and free, are available to support each function in the Security Wheel.

Firewall Concepts
■ Firewalls are most often placed between an organization’s internal network and the Internet, although they are increasingly used within the internal LAN to separate different zones of trust.
■ There are two fundamental approaches to firewall design: packet filters and application proxies. Many packet filters offer the ability to keep track of active connections (statefulness) and in general offer much faster performance and the most flexibility. Application proxies are considered more secure but require that a proxy agent be available for each application running through the firewall.
■ Firewall policies should be assiduously documented with business justification, with a defined process for making changes.
■ Address translation allows use of private, nonroutable IP addresses on the internal (local) network, which are translated at the firewall into globally unique addresses for routing on the Internet.
■ Most firewalls support virtual private networking (VPN) capability, which allows other sites and remote users to connect to the enterprise network through encrypted tunnels.

Cisco Security Certifications
■ To achieve the Cisco Certified Security Professional (CCSP) certification, you need to demonstrate a solid understanding of Cisco network security, PIX firewalls, VPN solutions, and Cisco Secure IDS by taking five written exams. CCNA certification is a prerequisite.
■ CCIE Security is extremely complex and requires detailed knowledge of networking, PIX firewalls, and VPNs. The CCIE Security process includes both a written exam and an eight-hour hands-on lab exam.
Frequently Asked Questions
The following Frequently Asked Questions, answered by the authors of this book, are designed both to measure your understanding of the concepts presented in this chapter and to assist you with real-life implementation of these concepts. To have your questions about this chapter answered by the author, browse to www.syngress.com/solutions and click on the “Ask the Author” form. You will also gain access to thousands of other FAQs at ITFAQnet.com.
Q: How do I convince my managers of the need for security and get more funding?
A: Unfortunately, managers in many organizations have not expanded their definition of business risk to include risk to information assets. The problem is that generally, most other risks are quantifiable, and it is a straightforward calculation to determine how much money should be spent to mitigate those risks, if any. Information security is a thornier problem in that hard-and-fast numbers are not available to enable an organization to determine how likely it is that they will experience a security incident and how much it will cost. It is becoming easier to calculate these numbers based on various industry surveys and direct loss experiences, but the seemingly random nature of attacks makes such quantification tough. Management often views information security as spending money (often lots of it) to protect against something that might never happen. It frequently takes an actual serious breach or worm infestation to “shake the money tree.” In the (fortunate) absence of that event, you should collect as much data as you can. Participate in trade groups and information security associations so you can talk to others in your industry or field. Document carefully the risks and threats you face, along with descriptions of the business benefits that the spending will result in. The need for security is real, and you must convince your management of that.
Q: How can I get a policy developed when my company takes a very casual and trusting approach to security?
A: Talk to the various stakeholders in your company about what they perceive as the key risks. Every company has risks, and the company culture does not change that. Try to convince the stakeholders of the benefits of protecting information assets—if not from employees, at least from outside attackers. Creating an acceptable use policy is a great start.
Q: I do not have enough staff to adequately manage security. How can I keep on top of everything?
A: You need to prioritize your activities and automate wherever possible. Perform a risk analysis, evaluate where the greatest threats are, and do what is necessary to protect against them. Build a secure baseline configuration for all your OS platforms from which all new systems are built. Develop a good configuration management process to make it easier to stay current on patches. By making a strong initial effort to secure your network, you will experience less tactical firefighting.
Q: I have a new Web application that needs to communicate with a database server on my internal LAN. How do I make this application secure with my firewall?
A: Place your Web server on the DMZ network. Create rules to filter traffic from the outside coming into your Web server. Accessible ports should be only HTTP (TCP 80) and/or HTTPS (TCP 443) and any others necessary for the application to run. Then restrict inbound traffic to come from the Web server IP address only, going only to the database server IP and destination port number(s). Monitor this backend connection continuously, and deploy network-based intrusion detection on the DMZ as well as host-based intrusion detection on the Web and database servers to detect malicious activity.
Chapter 2
Introduction to PIX Firewalls
Solutions in this chapter:
■ Cisco PIX Version 7.0
■ What’s New in PIX 7.0?
■ Some Commands That Have Been Added to PIX 7.0
■ What Commands Have Been Modified?
■ What Commands Do We Bid Farewell To?
■ PIX Firewall Features
■ PIX Hardware
■ PIX Software Licensing and Upgrades
■ Command-Line Interface
■ IP Version 6 (IPv6)
Summary
Solutions Fast Track
Frequently Asked Questions
Chapter 2 • Introduction to PIX Firewalls
Introduction
It is a cliché, but a true one, to say that network security is vital and integral to any organization needing to protect its information. Good security administration can be labor-intensive, and organizations can find it difficult to maintain the security of a large number of internal machines. Most organizations place a layer of security in the form of a firewall between the networks containing their data and the users (trusted and untrusted) of that data. Increasingly, firewalls provide additional security or performance services; they sit at a point in the network that mediates all communication with the end host, so various types of service extensions can naturally be integrated into them.

Even in high-security environments, where the resources to harden and provide ongoing security support for the end application are available, firewalls can play an important role. Firewalls help provide defense in depth: multiple protective technologies support higher levels of trust in case of error or omission at one layer. Having multiple controls also supports the concept of separation of duties: different groups can support application layer and network layer security, ensuring that no single person or group can compromise the entire system.

Cisco PIX firewalls are a line of appliances that offer world-class security and high levels of performance and reliability. They are a mature product, having been a part of enterprise and service provider networks since 1995. Cisco PIX firewalls fit into a wide range of environments, from small office/home office (SOHO) environments to large enterprises and service providers. With support for complex protocols, the latest VPN technologies, and intrusion detection features, PIX firewalls are leaders in the market.

In this chapter, you will learn about some of the main features that Cisco PIX firewalls have to offer. We will look at the different models of PIX and the types of environment in which they fit. We will then perform basic configuration on a PIX firewall through the command-line interface.
Cisco PIX Version 7.0
The Cisco PIX version 7.0 release was highly anticipated in the Cisco community, with rumors of nifty new features and the retirement of some older commands (favored and ill-favored). Version 7.0 incorporates new features and new ways of securing your network, which makes the PIX firewall a very competitive product. Version 7.0 standardizes the PIX firewall along Internetwork Operating System (IOS) lines. Anyone who is familiar with the IOS command structure and the IOS way of configuration will find the changes friendly and welcome. Commands have been deleted, changed, or added, which in many cases provides the long-sought-after structure and consistency that were lacking in previous releases. Longtime PIX administrators and engineers may have a harder time adapting to the changes than PIX newcomers who are starting with version 7.0, since old habits can be hard to break.

Cisco has added many new features to its PIX firewalls with 7.0. In some cases, these features are simply enhanced versions of existing ones; in other cases, they are long overdue overhauls. It is beyond the scope of this book to discuss each individual change. Instead, we will focus on the most typical configuration scenarios and provide the 7.0 way of accomplishing them.
The PIX software design team has eliminated several awkward or superseded commands such as outbound and conduit in favor of the more flexible and consistent access lists. The old fixup command, which always brought to mind uncomfortable dating experiences, has been replaced by inspect commands, which are familiar to anyone who has configured IOS firewall features. The behavior of the old sysopt connection permit-ipsec command is now on by default in 7.0 (and can still be turned off): decrypted IPsec traffic is permitted through the interface without an entry in the interface access list, but it remains subject to the VPN filter access lists used to control what end users may do.

The interface commands have been overhauled so that they are more aligned with the structure of IOS. As with configuring interfaces on any other IOS device, you start with the interface command (for example, interface Ethernet0) and configure its parameters beneath it. The parameters for speed, duplex, and description are now nested together under the interface rather than being separate line items. Certain VPN commands, such as those for IPsec, have also been updated to be more consistent with their IOS counterparts.

The no, show, and clear commands are more like IOS than ever before. Previously, this group of commands was subject to very individualized behaviors, requiring memorization and frequent consultation of the command reference manuals. They now have more predictable results, which should reduce trial-and-error hunts to negate or clear certain parts of a configuration.
Major Changes to Cisco PIX 7.0
Some of the bigger changes to the PIX code include the following:
■ The PIX command line is now much more IOS-like than ever. The structure and syntax follow the Cisco router IOS very closely.
■ The much-maligned PIX PDM is no more, and has been replaced by the Cisco Adaptive Security Device Manager (ASDM). ASDM can be run as a Java applet or as a Windows native application.
■ Exchange users rejoice, as there is now ESMTP inspection available to you.
■ Enhanced inspection engines for H.323, SIP, RTSP, and more.
■ Ethertype ACLs are now available.
■ Virtual firewalls, or what Cisco calls “security contexts.”
■ Enhanced VPN support for items like the ability to block clients based on OS type and VPN version.
■ OSPF routing over a VPN.
■ IPv6 support for inspection, ACLs, and management.
■ The ability to schedule a reload.
■ The ability to have multiple configurations and rollback support.
■ VPN stateful failover.
■ Active/Active failover.
What’s New in PIX 7.0?
There is a slew of new commands to use in the PIX 7.0 code. We will list most of them to give you an idea of what’s in store as you read through the book. Some commands have been dropped completely; others, such as the ca command, have been deprecated. Other commands are completely new in version 7.0. Let’s take a quick look at our brave new world.
Commands New to 7.0
The following commands have been added to PIX 7.0:
■ boot system Specifies which image to load on bootup (its companion, boot config, specifies which configuration file to use).
■ crashinfo A file generated on a system crash is written to flash. You can force a crash test and read the file.
■ copy capture Copies a capture file to a TFTP server.
■ crypto ca The new prefix for several commands such as authenticate, trustpoint, enroll, and more.
■ crypto key Generates RSA key pairs.
■ class-map Classifies traffic for use in a policy-map (the Modular Policy Framework).
■ downgrade Downgrades the PIX from 7.0 to an older version and reformats flash.
■ duplex This was a keyword on the interface command and is now an interface configuration mode command.
■ nat-control Controls whether a translation rule is required. With nat-control disabled (the 7.0 default), inside hosts can communicate with the outside without a NAT rule; enabling it restores the earlier requirement that every connection match a nat or static statement.
■ ospf Now allowed over a VPN.
■ security-level This was a keyword on the nameif command and is now an interface configuration mode command.
■ speed This was a keyword on the interface command and is now an interface configuration mode command.
■ tunnel-group Creates and manages the database of IPsec/L2TP connection records.
Modified Commands
The following commands have been modified in usage or have new parameters to choose from: aaa-server, ca, clear, copy, crypto ipsec, dhcp, established, failover, igmp, interface, ip address, isakmp, mgcp, mroute, nameif, no, pager, show, shutdown, ssh, telnet, tftp-server, and vlan.
What Commands Do We Bid Farewell To?
These commands are either no longer supported at all or will be dropped completely in the next release of 7.x code: access-list compiled, ca save all, conduit, crypto dynamic-map, failover ip, fixup, floodguard, multicast interface, no tftp server, outbound, sysopt, vpdn, and ^Z (Ctrl-Z) as an exit command.

The fixup commands in your configuration will automatically be migrated to the new inspection format when you upgrade from 6.3 to 7.0 code. The one fixup command that will not migrate to the new inspection format is fixup protocol esp-ike. For help in converting your conduit commands to access lists, Cisco offers a tool to registered customers located at http://www.cisco.com/pcgi-bin/tablebuild.pl/pix. Cisco also offers a tool to analyze the complete configuration at https://www.cisco.com/cgibin/Support/OutputInterpreter/home.pl, which also requires you to be registered. In Figure 2.1 we see the screen for the output interpreter tool.
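For readers who want to see what a conduit-to-access-list conversion actually involves, here is a small converter written for this edition in Python. It is an added illustration, not Cisco’s tool. It relies on the fact that a conduit names the global (destination) address and port first and the foreign (source) address and port second, whereas an extended access list names the source first, so the two groups are swapped. The access-list name outside_in, the interface name and the sample conduits are constructed for the example, and the output assumes the conduits were all meant to govern traffic arriving on the outside interface; since a conduit applied to every lower-security interface, review which interface each converted rule really belongs on before applying it.

```python
# Added example (not Cisco's tool): turn PIX 6.x conduit statements into 7.0
# extended access-list statements.  A conduit lists the global (destination)
# address/port first and the foreign (source) address/port second; an access
# list lists source first, so the two groups are swapped on output.

OPERATORS = {"eq": 1, "neq": 1, "lt": 1, "gt": 1, "range": 2}  # operator -> port count


def _take_addr(tokens, i):
    """Consume an address spec at tokens[i]; return (acl_text, next_index)."""
    if tokens[i] == "any":
        return "any", i + 1
    if tokens[i] == "host":
        return f"host {tokens[i + 1]}", i + 2
    addr, mask = tokens[i], tokens[i + 1]
    if mask == "255.255.255.255":            # single host written long-hand
        return f"host {addr}", i + 2
    if addr == "0.0.0.0" and mask == "0.0.0.0":
        return "any", i + 2
    return f"{addr} {mask}", i + 2


def _take_ports(tokens, i):
    """Consume an optional port operator (eq www, range 1024 1100, ...)."""
    if i < len(tokens) and tokens[i] in OPERATORS:
        n = OPERATORS[tokens[i]]
        return " ".join(tokens[i:i + 1 + n]), i + 1 + n
    return "", i


def conduit_to_acl(line, acl_name="outside_in"):
    """Convert one conduit statement to an extended access-list statement."""
    tokens = line.split()
    if len(tokens) < 5 or tokens[0] != "conduit" or tokens[1] not in ("permit", "deny"):
        raise ValueError(f"not a conduit statement: {line!r}")
    action, proto = tokens[1], tokens[2]
    global_addr, i = _take_addr(tokens, 3)       # destination, from the ACL's view
    global_ports, i = _take_ports(tokens, i)
    foreign_addr, i = _take_addr(tokens, i)      # source, from the ACL's view
    foreign_ports, i = _take_ports(tokens, i)
    trailer = " ".join(tokens[i:])               # e.g. an ICMP type such as echo-reply
    parts = ["access-list", acl_name, "extended", action, proto,
             foreign_addr, foreign_ports, global_addr, global_ports, trailer]
    return " ".join(p for p in parts if p)


def convert_config(lines, acl_name="outside_in", interface="outside"):
    """Convert every conduit in a configuration and bind the result to an interface."""
    acl = [conduit_to_acl(l, acl_name) for l in lines if l.strip().startswith("conduit ")]
    if acl:
        acl.append(f"access-group {acl_name} in interface {interface}")
    return acl


# Constructed sample of an old-style configuration fragment (not from a real device).
SAMPLE_CONDUITS = [
    "nameif ethernet0 outside security0",
    "conduit permit tcp host 192.168.1.10 eq www any",
    "conduit permit udp host 192.168.1.20 eq domain 172.16.0.0 255.255.0.0",
    "conduit permit icmp any any echo-reply",
]

if __name__ == "__main__":
    for stmt in convert_config(SAMPLE_CONDUITS):
        print(stmt)
```

The converter only handles the address and port forms shown; it does not try to merge overlapping conduits or decide which interface a rule belongs on, which is exactly the review a human still has to do after running the real tool.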
PIX Firewall Features
The PIX 500 series firewalls are market leaders among security appliances for good reason. They provide robust firewall performance and a highly scalable architecture ranging from plug-and-play SOHO devices to carrier-class firewalls with gigabit connections. They provide the protective services that define what a firewall should do. From stateful packet inspection to content filtering, VPN termination to address translation, and support for PKI applications to securing multimedia applications, the PIX does it all. With such flexibility comes the requirement to configure the devices correctly. Luckily, for those who are already comfortable with an IOS router prompt, the PIX is based on the same familiar command prompt. Of course, the PIX fits into standard Cisco management tools such as CiscoWorks, so it will integrate into your existing network management environment.
Embedded Operating System
Many firewalls are based on general-purpose operating systems (OS). This means that maintenance is required to ensure that the correct configuration is used and that the base OS is patched and secured. This requirement brings both a higher long-term cost and the potential for security weaknesses. An embedded OS is one in which the OS is self-contained in the device and resident in nonvolatile memory. This reduces maintenance costs, and because no customizations or OS configurations are required, a single image is downloaded and stored to flash. It means that there is little that can actually go wrong with the OS itself; you cannot accidentally leave an unnecessary service running, because the firewall has all its services tuned to only those features appropriate for a security device.

Unlike appliances based on a general-purpose kernel such as Linux or Windows CE, the PIX is based on a hardened, specialized OS specific to security services. This OS allows for kernel simplification, which supports explicit certification and validation: the PIX OS has been tested against vendor certification such as ICSA Labs’ firewall product certification criteria and the difficult-to-obtain Common Criteria (ISO/IEC 15408) EAL4 certification. This testing allows for maximum assurance in deployment from Cisco’s positive security engineering based on good commercial development practices. Bear in mind that an EAL rating describes how rigorously a specific evaluated configuration was examined, not that the shipped product is free of vulnerabilities, so patching and hardening guidance still apply. Kernel simplification has advantages in throughput as well; the PIX 535 will support up to 256,000 simultaneous connections, far exceeding the capabilities of a UNIX- or Windows-based OS on equivalent hardware.

One key advantage of the software on a PIX firewall is the similarity of its command-line structure to Cisco IOS. This means that firewall administrators can rapidly master management of the PIX, reducing deployment costs and supporting management by network operations center (NOC) personnel.
The Adaptive Security Algorithm
The heart of the PIX is the Adaptive Security Algorithm, or ASA. The ASA is the mechanism that determines whether packets should be passed through the firewall, consistent with the information flow control policy as implemented in the access control list (ACL) table. The PIX evaluates packet information against a developed state and decides whether to pass the packet. Let’s go through this process.

First, there is the concept of a datastream. Packets flowing across a network have identifying characteristics: IP address of source and destination, sometimes numbers associated with the type of communication (ports) of source and destination, and numbers such as IP identifiers or synchronization and acknowledgment numbers that identify where a packet belongs in a particular connection. When you open a Web page, say www.cisco.com/index.html, you establish a connection between your browser and the Web server. One piece of HTML is transferred; if it has not been cached, this page represents about 90K of text. That text may then open additional connections for all the embedded pictures. The process involves a “dance” between browser and server: a “handshake” to initialize the connection, a “get” to specify the data being requested, a “response” to say whether the data is available, and the actual data itself. Because the file is so large, these steps all occur in multiple packets between browser and Web server, with data flowing down from the server and acknowledgment of receipt of data flowing up from the browser.

In the following list of steps we see how the Cisco PIX uses ASA to check the initialization of a connection and to verify the correct response for the connection.
1. The inside host starts a connection to an outside resource or host.
2. The PIX makes an entry in the state table with the following information:
  ■ The source IP address
  ■ The source port
  ■ The destination IP address
  ■ The destination port
  ■ The TCP sequencing information
  ■ Any additional TCP flags
  ■ The randomly generated TCP sequence number (the PIX rewrites the initial sequence number so that the outside sees an unpredictable value)
3. The connection is compared with the security policies. If the policy disallows the connection, the connection is dropped.
4. If the connection is allowed, the connection request is allowed to continue to the destination.
5. The outside resource or host replies to the initial connection request.
6. The response from the outside resource or host is received by the PIX and compared with the session object. If the response matches the session object, the response is allowed to continue to the inside. If there is no match, the packet is dropped.

The information flow control policy is an expression of the information that is allowed to flow through the network. A sample policy might be, “If the datastream was initiated by someone on the inside, let it pass; if the datastream was initiated by someone from the outside, block it.” An ACL table is a mechanism via which you can try to implement this policy. It compares those distinguishing numbers against a database to see if the packet is consistent with policy. If it is not allowed by the database, the packet is dropped and optionally logged.
The earliest routers used fixed ACLs to determine whether a packet should be routed; they compared fundamental information about the packet, such as the IP address of the source or destination, the type of service requested or, for some services such as TCP, individual flags on the packets. Then, based on fixed rules, they decided to route the traffic or to drop it. For example, the fixed rules might allow any packet that could possibly be a “return” packet (a TCP segment with the ACK bit set, which is what the IOS established keyword matches), because under certain circumstances such a packet would be valid. This isn’t too much of a problem, because a “return” packet that hasn’t been requested by the original host should be dropped by the host. However, that can cause some information to leak out, so it is helpful to get rid of such packets if we can.

The concept of state is the idea that ACLs should change over time. A stateful packet filter allows for dynamic rule bases: for example, if the packet is coming from the outside toward the inside, you should check to see whether this packet was part of a previously opened datastream. Now we allow packets back in only if they were previously authorized; the Cisco Web server can’t decide to send us data unless we previously requested it.

The biggest problem with fixed rules is that to allow certain kinds of traffic, FTP for example, overly permissive ACLs would need to be implemented. In FTP, two TCP flows are developed. One, the command channel, runs from the client to the server, from the inside to the outside. Routers would generally be able to determine the direction of this flow and allow that traffic, as described previously. The second, the data channel, is negotiated over the command channel and, in active mode, is opened by the FTP server from port 20 back to a port the client announced in its PORT command, from the outside to the inside. Moreover, the TCP port used for the data channel varies from transfer to transfer; thus, the ACL would have to allow all inbound traffic in a wide range of TCP ports. This means that a malicious user would have free run of the network in those ranges. Consequently, router ACL-based firewalls are little more than Swiss cheese enforcement points!

The smart approach is to monitor the negotiation between the FTP server and client. That’s part of the concept of state. Armed with that piece of information, the firewall can open only the necessary port for the inbound data flow, and open it only while the transfer is active, dynamically changing the ACLs over time. This allows the firewall to permit authorized traffic and disallow inappropriate traffic with far more sophistication than a static rule.
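To make the six ASA steps and the FTP data-channel problem concrete, here is a toy stateful filter written for this edition in Python. It is an added illustration, not PIX code: the rule that 10.10.10.0/24 is “inside,” the host addresses and the PORT payload are all constructed for the example. A SYN from the inside creates a table entry if policy permits; an inbound packet passes only when it matches an existing entry, or a pinhole that FTP inspection opened after seeing the client’s PORT command; anything else, including a stray “return” packet, is dropped.

```python
# Added illustration (not PIX code) of the state-table logic described above:
# a toy stateful filter with active-mode FTP inspection.  Addresses in
# 10.10.10.0/24 are "inside"; everything else is "outside" (constructed).
import re

INSIDE_PREFIX = "10.10.10."
PORT_CMD = re.compile(r"PORT (\d+),(\d+),(\d+),(\d+),(\d+),(\d+)")


def is_inside(ip):
    return ip.startswith(INSIDE_PREFIX)


def _key(pkt):
    return (pkt["proto"], pkt["src"], pkt["sport"], pkt["dst"], pkt["dport"])


def _reverse(pkt):
    return (pkt["proto"], pkt["dst"], pkt["dport"], pkt["src"], pkt["sport"])


class StatefulFilter:
    def __init__(self):
        self.conns = {}        # 5-tuple of the initiating direction -> session object
        self.pinholes = set()  # 5-tuples that inspection pre-authorised inbound
        self.log = []

    def policy_permits(self, pkt):
        # The information flow control policy quoted in the text: connections
        # started on the inside pass; connections started on the outside do not.
        return is_inside(pkt["src"]) and not is_inside(pkt["dst"])

    def handle(self, pkt):
        """Return "PASS" or "DROP" for one packet and update the state tables."""
        key, rev = _key(pkt), _reverse(pkt)
        if key in self.conns or rev in self.conns:
            # Part of a known datastream (steps 5-6): it matched the session
            # object, so no policy lookup is needed.
            conn = self.conns.get(key) or self.conns[rev]
            conn["bytes"] += pkt.get("len", 0)
            if "F" in pkt.get("flags", ""):
                conn["closing"] = True
            self._inspect(pkt, conn)
            return "PASS"
        if key in self.pinholes:
            # The inbound FTP data connection that inspection authorised; promote
            # it to a real session and close the pinhole so it cannot be reused.
            self.pinholes.discard(key)
            self.conns[key] = {"bytes": pkt.get("len", 0), "closing": False, "inspect": None}
            return "PASS"
        # A new TCP connection must begin with a bare SYN; anything else is the
        # kind of stray "return" packet a fixed ACL might have let through.
        if pkt["proto"] == "tcp" and pkt.get("flags") != "S":
            self.log.append(f"DROP stray {key}")
            return "DROP"
        if not self.policy_permits(pkt):                              # step 3
            self.log.append(f"DENY {key}")
            return "DROP"
        self.conns[key] = {"bytes": pkt.get("len", 0), "closing": False,  # step 2
                           "inspect": "ftp" if pkt["dport"] == 21 else None}
        return "PASS"                                                 # step 4

    def _inspect(self, pkt, conn):
        """FTP inspection: a PORT command announces where the server may connect."""
        if conn["inspect"] != "ftp" or not pkt.get("payload"):
            return
        m = PORT_CMD.match(pkt["payload"])
        if m:
            client_ip = ".".join(m.groups()[:4])
            client_port = int(m.group(5)) * 256 + int(m.group(6))
            # Active mode: the server connects from port 20 to the announced socket.
            self.pinholes.add(("tcp", pkt["dst"], 20, client_ip, client_port))


def demo():
    """Replay a constructed FTP exchange; returns the verdict for each packet."""
    fw = StatefulFilter()
    client, server, intruder = "10.10.10.11", "192.168.50.140", "203.0.113.9"

    def tcp(src, sport, dst, dport, flags, **extra):
        return dict(proto="tcp", src=src, sport=sport, dst=dst, dport=dport,
                    flags=flags, **extra)

    packets = [
        tcp(client, 32775, server, 21, "S"),                 # inside opens control channel
        tcp(server, 21, client, 32775, "SA"),                # reply matches session object
        tcp(intruder, 4444, client, 22, "S"),                # unsolicited inbound SYN
        tcp(client, 32775, server, 21, "PA",
            payload="PORT 10,10,10,11,156,35\r\n"),          # client announces port 39971
        tcp(server, 20, client, 39971, "S"),                 # data channel to that port
        tcp(server, 20, client, 39972, "S"),                 # same server, wrong port
    ]
    return [fw.handle(p) for p in packets]
```

The last two packets are the whole point: the server is allowed in on exactly the socket the client announced and on nothing else, which is the pinhole a static ACL cannot express.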
State
State is a way of saying that the firewall is maintaining a history of the traffic that has passed and will compare new packets against that history to see whether the packet is allowed by policy rules. There is also a performance benefit to maintaining state: if a packet can be determined to be similar to those already passed, a full analysis against the firewall policy rules does not need to be performed; it can be passed based on the existing state. This allows the PIX to perform at line rate where static access lists would be much slower. One key piece of state is the record of active connections. If we can add something to a connection table when a connection first starts and remove it when the connection is (gracefully) closed, we have a leg up on that concept of “similar to those already passed.” This data is stored in the connections table (CONN).
The PIX has the ability to rewrite the characteristic information described previously, such as IP address and port data.Thus, another piece of state is to remember what IP address and port data the PIX has seen lately as well as remembering what it did with them before. It needs to remember how it translated something from a protected net into the outside world.This data is stored in the translations table (XLATE). Here are the XLATE and CONN tables’ output as displayed by the PIX operating system on a quiet firewall: PIX1# show xlate 3 in use, 112 most used PAT Global 192.168.50.230(1225) Local 10.10.10.11(32775) PAT Global 192.168.50.230(22451) Local 10.10.10.11(4025) PAT Global 192.168.50.230(22450) Local 10.10.10.11(32778) PIX1# show conn 1 in use, 26 most used TCP out 192.168.50.140:21 in 10.10.10.11:32775 idle 0:00:10 Bytes 154 flags UIO
This code shows that the user at 10.10.10.11 has connected to 192.168.50.140 on port 21 (FTP).The translation maps between socket 192.168.50.230, 1225 on the outside and socket 10.10.10.11, 32775 on the inside.The flags from the connection table are showing that the connection is up and that there is inbound and outbound data. A little while later: PIX1# show conn 1 in use, 26 most used TCP out 192.168.50.140:21 in 10.10.10.11:32775 idle 0:06:48 Bytes 216 flags UFRIO
Notice that the idle counter is larger (the traffic flow has been idle, and no packets have been received), a few more bytes have passed, and the flags now have F, for outside FIN, and R, for outside acknowledged FIN. This indicates that the firewall has recorded the transfer. In addition to the basic housekeeping of passing traffic appropriately (there is translation going on, so that must be addressed), the PIX is monitoring transported traffic. Port 21 is FTP, so it knows that there might be an inbound connection. It knows from the first output that traffic between those two devices on those socket pairs is expected and should be passed. It knows from the second output that traffic between those two devices should no longer occur because the sides have reset each other. Any stray packets are now either lost retransmissions or unauthorized activity. The firewall has “learned” about the transfer over time and is able to change its rules in response to past traffic.
Security Levels
When firewalls were first implemented, they typically had only two interfaces: the outside, or “black,” network, and the inside, or “red,” network. These interfaces corresponded to degrees of trust: Because the inside was controlled and was “us,” we could allow pretty much anything originating in the red network to travel to the black network. Furthermore, because the outside was “them,” we limited pretty much anything originating in the black network to come inside the firewall. The current approach is to have a DMZ, or multiple service networks. This makes the idea of “us versus them” much more complex. The PIX 535 has a modular chassis with support for up to 10 interfaces! Using the security-level command, you can assign a security level, an integer between 1 and 100. Make sure that each interface has a different value. When you are designing your security zones, order the zones by degrees of trust and then assign integers to the levels, corresponding to how much you trust the network—0 is the default for the outside (untrusted network), 100 is the default for the inside (trusted network), and values between 1 and 99 are for relative trust such as the DMZ, which may be assigned 50.
How ASA Works
Informally, ASA allows traffic to flow from a higher security level to a lower security level, unless modified by access-list commands. More formally, the manual notes:
■ No packets can traverse the PIX firewall without a connection and state.
■ Outbound connections or states are allowed, except those specifically denied by ACLs. An outbound connection is one in which the originator or client is on a higher security interface than the receiver or server.
■ Inbound connections or states, except those specifically allowed, are denied. An inbound connection or state is one in which the originator or client is on a lower security interface or network than the receiver or server. You can apply multiple exceptions to a single xlate (translation). This lets you permit access from an arbitrary machine, network, or any host on the Internet to the host defined by the xlate.
■ All ICMP packets are denied unless specifically permitted.
■ All attempts to circumvent the previous rules are dropped, and a message is generated. It is sent to a management device (local buffer, SNMP trap, syslog, console), depending on the severity of the attempt and local configuration. (Note that normal traffic may also trigger logging, again depending on configuration. At the highest debugging mode, every packet generates an alert!)
Technical Details for ASA
The PIX is an Internet Protocol (IP) firewall. It accepts and passes only IP packets; all others are dropped. It is worth taking a moment to look at the details of the protocols to see what the PIX is looking at and how it uses that information.
Internet Protocol
IP is an unreliable, routable packet delivery protocol. All upper-layer protocols use IP to send and receive packets. IP receives segments from the transport layer, fragments them into packets, and passes them to the network layer. The IP address is a logical address assigned to each node on a TCP/IP network. IP addressing is designed to allow routing of packets across internetworks. Since IP addresses are easy to change or spoof, they should not be relied on to provide identification in untrusted environments. As shown in Figure 2.2, the source and destination addresses are included in the IP header.
Figure 2.2 The IP Header (diagram; fields shown by 32-bit word, bit positions 0, 4, 8, 16, 19, 24 and 31)
    Version | IHL | Type of Service | Total Length
    Identification | Flags | Fragment Offset
    Time to Live | Protocol | Header Checksum
    Source Address
    Destination Address
    Options | Padding
    Data Payload
Let’s review the meaning of key fields in Figure 2.2 to put what the PIX does in context:
■ The protocol parameter indicates the upper-level protocol that is using IP. The decimal value for TCP is 6, and UDP is 17. The list of assigned numbers for this field is available at www.iana.org/assignments/protocol-numbers. Note that this field is important for access-list commands. The command syntax is:
    access-list {deny | permit} <protocol>…
  The protocol number here corresponds to this field. Note that you can specify the keyword tcp for type 6 or udp for type 17.
■ The source address and destination address fields are filled with the IP addresses of the respective devices; note that an IP address is four octets, so this can be viewed as a 32-bit number. You will see these numbers in the XLATE table.
Transmission Control Protocol
Many services, such as HTTP, SMTP, or SSH, are based on TCP. This protocol provides reliable service by being connection oriented and includes error detection and correction. The connection must be established before a data transfer can occur, and transfers are acknowledged throughout the process. Firewalls can identify the connection establishment and often interrupt that establishment as part of the protective mechanism. Acknowledgments assure that data is being received properly. The acknowledgment process provides robustness in the face of network congestion or communication unreliability. The acknowledgment has also been used to penetrate stateless firewalls; the PIX can identify packets that are not part of valid streams and block transmission. TCP also determines when the transfer ends and closes the connection, thus freeing resources on the systems. As noted earlier, the PIX watches for transfer end and acts appropriately. Checksums assure that the data has not been accidentally modified during transit. In Figure 2.3, we see the construction of the TCP header. As the PIX firewall often modifies the TCP header (for implementing random sequence numbers or address translation), it also recalculates and updates the checksum field.
Figure 2.3 The TCP Header (diagram; fields shown by 32-bit word, bit positions 0, 4, 10, 16, 24 and 31)
    Source Port | Destination Port
    Sequence Number
    Acknowledgment Number
    Data Offset | Reserved | URG ACK PSH RST SYN FIN
    Checksum | Urgent Pointer
    Options | Padding
    Data Payload
The PIX inspects TCP packets for several fields, notably source port, destination port, sequence and acknowledgment numbers, and TCP flags. Notice that source and destination ports and information about the flags are listed in the CONN connections table. The concept of port is common to both TCP and UDP (discussed in the following section). The idea is that for these types of protocols, we can identify an ordered pair (IP address and port), called a socket, with each side of the communication flow. Multiple communications from the same host (same IP) can be distinguished by different port numbers—thus different sockets. Sockets on the server generally have a “well-known port” number. The PIX has a mapping between well-known ports and their English equivalents.
We have enough background to see how ASA works for TCP connections. A TCP datastream begins with the “three-way handshake.” The idea is for each side to set up the initial sequence number, a pointer that will describe the position in the datastream for each packet sent. The TCP flag that indicates a request to start that datastream is the SYN flag. The first three packets are an initial SYN request from the client to the server; then back from the server to the client with acknowledgment of the client’s request (by setting the ACK flag) and the server’s need to initialize as well (by setting the SYN flag); and finally the client back to the server, acknowledging the server’s synchronization request. Therefore, from the TCP level, the path is SYN, SYN/ACK, ACK. We see this handshake in Figure 2.4.
Figure 2.4 TCP Three-Way Handshake (diagram): SYN packet from Host A to Host B; ACK and SYN packet from Host B to Host A; ACK packet from Host A to Host B; then data transfer between Host A and Host B.
At the PIX, a little more goes on. Figure 2.5 provides a diagram for how information flows through the PIX. Let’s follow the flow of the first network packets.
Figure 2.5 Basic ASA Operations (diagram: Client, PIX using ASA, and Server, with the Access Control Lists, XLATE/Connections tables, and Inspection Engine inside the PIX; arrows numbered 1 through 7 correspond to the steps that follow)
1. A TCP SYN packet arrives at the PIX Firewall from the client to establish a new connection per the TCP three-way handshake process.
2. The PIX Firewall checks the ACL database to determine if the connection is to be allowed or denied.
3. The PIX Firewall creates a new entry in the connection database (XLATE and CONN tables).
4. The PIX Firewall checks the inspections database to determine if this new connection requires an application-level inspection.
5. After application inspection is complete, the PIX Firewall forwards the packet to the destination system (the server).
6. The destination system sends its response to the initial request.
7. The PIX Firewall receives the reply packet, validates the connection in the connection database, and forwards the packet because it belongs to an established session.
TCP Sequence Number Randomization
All those SYN and SYN/ACK exchanges seek to get both sides to agree on an initial sequence number (ISN) for each side of their communication. This adds a layer of security protection; in theory, you would have to be able to “hear” the TCP SYN request to know what ISN to use. The IP address of the host in the datastream must be able to receive the packet, and therefore, for example, hosts on the Internet can’t masquerade as local hosts. Unfortunately, many servers use an easily guessed ISN generation function. One famous break-in, Kevin Mitnick’s raid on Tsutomu Shimomura’s data, chronicled in the book Takedown, was based on this flaw. The PIX provides protection against this type of attack by using TCP sequence number randomization. As the packets pass through the firewall, they are rewritten so that the ISNs cannot be predicted. Randomization is not foolproof; other methods such as authentication and authorization can help strengthen security. Randomization by itself provides an extra layer of protection that will let your security officers sleep better at night.
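As an added illustration (not code from the book or from Cisco), the following Python models the rewrite just described: a per-connection offset is added to the protected host’s sequence numbers on the way out, subtracted from the server’s acknowledgments on the way back, and the TCP checksum of Figure 2.3 is recomputed after each rewrite. The header builder, parser, and IsnRandomizer class are hypothetical names, and the addresses and ports are constructed sample values taken from the earlier show conn output.

```python
# Added example, not the book's or Cisco's code. Builds and parses the fixed
# 20-byte TCP header of Figure 2.3, computes the RFC 793 checksum over the
# IPv4 pseudo-header, and applies a PIX-style per-connection ISN offset.
import secrets
import struct

TCP_PROTO = 6


def tcp_checksum(src_ip: bytes, dst_ip: bytes, segment: bytes) -> int:
    """One's-complement checksum over pseudo-header + segment.
    Verifying a segment whose checksum field is already filled in returns 0."""
    pseudo = src_ip + dst_ip + struct.pack("!BBH", 0, TCP_PROTO, len(segment))
    data = pseudo + segment
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:                       # fold carries back into 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_tcp(sport, dport, seq, ack, flags, src_ip, dst_ip, payload=b"", window=65535):
    """Pack the Figure 2.3 fields (no options) and fill in the checksum."""
    data_offset = 5                          # header length in 32-bit words
    hdr = struct.pack("!HHIIBBHHH", sport, dport, seq, ack,
                      data_offset << 4, flags, window, 0, 0)
    csum = tcp_checksum(src_ip, dst_ip, hdr + payload)
    return hdr[:16] + struct.pack("!H", csum) + hdr[18:] + payload


def parse_tcp(segment):
    """Unpack the fixed header; the payload starts after Data Offset * 4 bytes."""
    sport, dport, seq, ack, off, flags, window, csum, urg = struct.unpack("!HHIIBBHHH", segment[:20])
    return {"sport": sport, "dport": dport, "seq": seq, "ack": ack, "flags": flags,
            "window": window, "csum": csum, "payload": segment[(off >> 4) * 4:]}


class IsnRandomizer:
    """Hypothetical model of ISN randomization: one random 32-bit offset is
    chosen when a flow's SYN is seen and applied to every later segment, so
    the sequence numbers visible outside are not the protected host's own."""

    def __init__(self, rng=None):
        self.rng = rng or (lambda: secrets.randbits(32))
        self.offsets = {}   # (client_ip, client_port, server_ip, server_port) -> offset

    def outbound(self, segment, src_ip, dst_ip):
        """Client -> server direction: shift SEQ and recompute the checksum."""
        f = parse_tcp(segment)
        key = (src_ip, f["sport"], dst_ip, f["dport"])
        if key not in self.offsets:
            if not f["flags"] & 0x02:        # no state and no SYN bit: nothing to rewrite
                return None
            self.offsets[key] = self.rng()
        seq = (f["seq"] + self.offsets[key]) & 0xFFFFFFFF
        return build_tcp(f["sport"], f["dport"], seq, f["ack"], f["flags"],
                         src_ip, dst_ip, f["payload"], f["window"])

    def inbound(self, segment, src_ip, dst_ip):
        """Server -> client direction: undo the shift on ACK so the client sees its own numbering."""
        f = parse_tcp(segment)
        key = (dst_ip, f["dport"], src_ip, f["sport"])
        off = self.offsets.get(key)
        if off is None:                      # no translation state for this flow
            return None
        ack = (f["ack"] - off) & 0xFFFFFFFF
        return build_tcp(f["sport"], f["dport"], f["seq"], ack, f["flags"],
                         src_ip, dst_ip, f["payload"], f["window"])
```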
User Datagram Protocol
Several Internet applications, notably Domain Name Service (DNS) and many streaming audio and video protocols, use User Datagram Protocol (UDP). UDP is a simple, unreliable transport service. It is connectionless, so delivery is not assured. The simple design of the UDP header in Figure 2.6 illustrates the efficiency of UDP. Since connections are not set up and torn down, there is very little overhead. Lost, damaged, or out-of-order segments will not be retransmitted unless the application layer requests it. UDP is used for fast, simple messages sent from one host to another. Due to its simplicity, UDP packets are more easily spoofed than TCP packets. If reliable or ordered delivery of data is needed, applications should use TCP.
Figure 2.6 The UDP Header (diagram; bit positions 0, 16 and 31)
    Source Port | Destination Port
    Length | Checksum
    Data Payload
There is usually a trade-off between simplicity and security, and this is true with UDP. Because TCP is connection oriented, we can identify the start of the session by unique flags—but as you can see in Figure 2.6, there aren’t any flags here. All you have to work with is the UDP socket pairs. This is where the firewall state comes in. The PIX has the ability to recognize the first UDP packet in a datastream. When the first packet is permitted by the information flow control policy (either because it is coming from a trusted net toward a less trusted one or because of an explicit exception in the ACL), the same sort of process shown in Figure 2.5 occurs. If permitted, an entry is made in the connections table, and further packets with the same socket pairs are associated with that authorized datastream until an idle timeout occurs. (The idle timeout is set with the timeout command and defaults to two minutes.) Note that other protocols besides TCP and UDP are permitted. Most common is the Internet Control Message Protocol (ICMP). ICMP provides diagnostic functions and error reporting for IP. For example, ICMP can provide feedback to a sending host when a destination is unreachable or time is exceeded (TTL=0). A ping is an ICMP echo request message, and the response is an ICMP echo reply.
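To tie together the XLATE and CONN tables, the rules listed under “How ASA Works,” the seven steps of Figure 2.5, and the UDP idle timeout just described, here is an added Python model (not the book’s or Cisco’s code). The interface names, security levels, addresses, and the Packet, Conn, and Pix class names are constructed for the illustration; connection entries are rendered in the style of the show conn output shown earlier in the chapter.

```python
# Added example, not the book's or Cisco's code: a small model of ASA state.
from dataclasses import dataclass, field, replace
import itertools


@dataclass(frozen=True)
class Packet:
    proto: str          # "tcp", "udp" or "icmp"
    src: str
    dst: str
    sport: int = 0
    dport: int = 0
    flags: str = ""     # TCP flags as letters: S (SYN), A (ACK), F (FIN)
    payload: int = 0    # bytes of application data carried


@dataclass
class Conn:
    orig: tuple         # (ip, port) of the side that opened the connection
    resp: tuple
    outbound: bool      # True when the originator sits on the higher-security interface
    last_seen: float
    nbytes: int = 0
    flags: str = "U"    # U up, O/I outbound/inbound data, F outside FIN, R that FIN acknowledged


class Pix:
    UDP_IDLE = 120.0    # default of the "timeout" command: two minutes

    def __init__(self, levels, global_ip):
        self.levels = levels                # constructed, e.g. {"inside": 100, "outside": 0}
        self.global_ip = global_ip          # PAT address used on the outside interface
        self.acl = set()                    # (proto, dst_ip, dst_port) inbound exceptions
        self.icmp_permit = False
        self.xlate, self.rxlate = {}, {}    # (local ip, port) <-> global PAT port
        self.pat_port = itertools.count(1025)
        self.conn = {}                      # (proto, orig, resp) -> Conn
        self.log = []                       # the "message generated" of ASA rule 5

    def _deny(self, pkt, why):
        self.log.append(f"deny {pkt.proto} {pkt.src}:{pkt.sport} -> {pkt.dst}:{pkt.dport} ({why})")
        return "drop"

    def _untranslate(self, pkt):
        # Replies arrive addressed to the global PAT address; map them back to the local host.
        local = self.rxlate.get(pkt.dport) if pkt.dst == self.global_ip else None
        return replace(pkt, dst=local[0], dport=local[1]) if local else pkt

    def _expire(self, now):
        for k, c in list(self.conn.items()):   # UDP has no FIN: only the idle timeout removes it
            if k[0] == "udp" and now - c.last_seen > self.UDP_IDLE:
                del self.conn[k]

    def process(self, pkt, in_if, out_if, now=0.0):
        """Return 'forward' or 'drop' for one packet, updating XLATE and CONN on the way."""
        self._expire(now)
        pkt = self._untranslate(pkt)
        orig, resp = (pkt.src, pkt.sport), (pkt.dst, pkt.dport)
        to_lower = self.levels[in_if] > self.levels[out_if]
        key, rkey = (pkt.proto, orig, resp), (pkt.proto, resp, orig)
        c = self.conn.get(key) or self.conn.get(rkey)
        if c is not None:                                # step 7: known session, passed by state
            self._track(key if key in self.conn else rkey, c, pkt, to_lower, now)
            return "forward"
        if pkt.proto == "icmp" and not self.icmp_permit:
            return self._deny(pkt, "ICMP not permitted")
        if pkt.proto == "tcp" and pkt.flags != "S":      # only a SYN may open a new TCP state
            return self._deny(pkt, "no connection and state")
        if not to_lower and (pkt.proto, pkt.dst, pkt.dport) not in self.acl:
            return self._deny(pkt, "inbound without ACL exception")   # step 2
        if to_lower and orig not in self.xlate:          # step 3: xlate for the protected host
            g = next(self.pat_port)
            self.xlate[orig], self.rxlate[g] = g, orig
        self.conn[key] = Conn(orig, resp, to_lower, now)
        return "forward"

    def _track(self, key, c, pkt, to_lower, now):
        c.last_seen, c.nbytes = now, c.nbytes + pkt.payload
        new = ""
        if pkt.payload:
            new += "O" if to_lower else "I"
        if "F" in pkt.flags:
            new += "f" if to_lower else "F"              # f (inside FIN) is this model's own marker
        elif "F" in c.flags and to_lower and "A" in pkt.flags:
            new += "R"                                   # inside acknowledged the outside FIN
        c.flags += "".join(ch for ch in new if ch not in c.flags)
        if "F" in c.flags and "f" in c.flags and "F" not in pkt.flags:
            del self.conn[key]                           # graceful close: the final ACK clears the entry

    def show_conn(self, now=0.0):
        lines = []
        for (proto, orig, resp), c in self.conn.items():
            outside, inside = (resp, orig) if c.outbound else (orig, resp)
            idle = int(now - c.last_seen)
            lines.append(f"{proto.upper()} out {outside[0]}:{outside[1]} in {inside[0]}:{inside[1]} "
                         f"idle {idle // 3600}:{idle % 3600 // 60:02d}:{idle % 60:02d} "
                         f"Bytes {c.nbytes} flags {c.flags}")
        return lines
```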
Other types of protocols can be filtered by the PIX, although the concept of socket does not apply (and so you cannot specify extra parameters on the access list beyond filtering on the source and destination addresses). The special protocol 0 refers to any IP packet, and you can specify any value between 0 and 255. You can also use literals; you have already seen the literals TCP (which is 6), UDP (which is 17), and ICMP (which is 1). These other protocols are handled similarly to the UDP approach, with idle time-outs removing entries from the connection table when they are no longer valid.
Advanced Protocol Handling
The PIX combines stateful packet filtering with advanced protocol handling with proxies via application inspection (this was called fixup). Application inspection gives us a tighter security model for that given protocol. For example, if we configured an access list for SMTP, we could filter on port, source IP, and destination IP. When we use the SMTP inspection engine in conjunction with an access-list, only the seven basic SMTP commands will be allowed and as restricted by the ACL. The inspection command also allows us to change the port assignment of the protocol. Using our same example of SMTP, we could say along with the default inspect SMTP (port 25) use port 8080 also. In pre-7.0 code, we used the fixup command, but now we need to use two commands. The first command, called class-map, allows us to name the mapping, which in this example is SMTP-INSPECTION-8080. Then we use the match command to specify the protocol and the port number:
    PIX1(config)# class-map SMTP-INSPECTION-8080
    PIX1(config-cmap)# match port tcp eq 8080
    PIX1(config-cmap)# exit
    PIX1(config)#
Our final result in the configuration looks like this:
    !
    class-map SMTP-INSPECTION
     match port tcp eq smtp 8080
    class-map inspection_default
     match default-inspection-traffic
    !
Now along with port 25, the Cisco PIX would listen on port 8080 for SMTP traffic. You can also inspect a range of ports, like this:
    class-map RANGEOPORTS
     match port tcp range 1024 1055
Now the class-map of RANGEOPORTS will match from 1024 to 1055. Providing support for complex protocols is a distinguishing characteristic of the PIX. The default class-map includes FTP, HTTP, H.323, RSH, RTSP, SMTP, ESMTP, SIP, skinny, SNMP, MGCP, ICMP, NetBios, DNS, and SQLNET.
Application support of this type is the real power of the PIX firewall. The PIX is more than just a gatekeeper passing or blocking packets; it understands the underlying protocol and actively rewrites the communications—enforcing RFCs, eliminating dangerous commands, and preventing the leakage of information—to provide the highest level of security available, consistent with application functionality. In the following example, we will use the FTP inspection engine that is enabled by default and tighten things up a bit more by restricting which FTP commands can be used through the PIX. We configure the FTP inspection engine just as we did before, but with a twist.
    PIX1(config)# ftp-map FTP-INSPECTION
    PIX1(config-ftp-map)# request-command deny ?

    ftp-map mode commands/options:
      appe  Append to a file
      cdup  Change to parent of current directory
      dele  Delete a file at server site
      get   FTP client command for the retr command - retrieve a file
      help  Help information from server
      mkd   Create a directory
      put   FTP client command for the stor command - store a file
      rmd   Remove a directory
      rnfr  Rename from
      rnto  Rename to
      site  Specify server specific command
      stou  Store a file with a unique name
    PIX1(config-ftp-map)# request-command deny dele
You can see in this example that we are going to block the delete function of FTP by using the request-command deny dele command. You can also see the range of FTP commands that we are able to block.
VPN Support
An important aspect of network security is confidentiality of information. Packets flowing along a network are much like postcards sent through the mail; if you don’t want the world reading your messages, you have to take additional steps. To achieve the kind of confidentiality offered on a private network, several approaches have been followed. One is to use encryption to conceal (encrypt) the information. An early standard, supported by Microsoft, is the Point-to-Point Tunneling Protocol (PPTP). Much like putting a letter inside a sealed envelope, this standard allows encapsulating (and concealing) network traffic inside a transport header. A similar but more comprehensive approach is to use the Layer 2 Tunneling Protocol (L2TP). This protocol is native to many Microsoft deployments, and so the PIX’s support for PPTP and L2TP is an important element of the feature set.
In the fall of 1998, the Security Architecture for IP (IPsec) was published in RFC2401. Cisco has provided a leadership position in IPsec implementation, having coauthored many of the IPsec RFCs as well as providing solutions for some of the stickier IPsec issues, such as trying to use NAT and L2TP/IPsec together. Trying to use NAT with L2TP/IPsec is one of the bigger issues with VPNs and network security that uses IPsec, since NAT rewrites the IP header, which defeats the entire purpose of L2TP/IPsec, which ensures the authenticity of the IP header. So there is an RFC numbered 3193 that details how NAT Traversal is used to allow the UDP encapsulation of the authenticated IP packet using port 4500. The PIX is an excellent IPsec tunnel termination point. It has a wide range of interoperable standards and is straightforward to configure with preshared keys or with a certificate authority (CA). Many companies are using the PIX as an integrated firewall/VPN terminator, particularly in SOHO environments, as well as a stand-alone VPN terminator in conjunction with another (dedicated) firewall. One of the PIX’s best features is VPN performance. The simplicity of the PIX firewall appliance makes it a sound choice for VPN termination in many enterprise or carrier-class environments.
URL Filtering
A uniform resource locator, or URL, is the way we identify user-friendly addresses for information on the World Wide Web (WWW) instead of using IP addresses, which are not nearly as friendly. The PIX firewall supports URL filtering by intercepting a request and validating its permissibility against a database located on an N2H2 or Websense server. The N2H2 server can be running Linux (see www.n2h2.com/products/bess.php?os=lnx&device=pix) or Microsoft Windows (see www.n2h2.com/products/bess.php?os=win&device=pix); the Websense server can use these platforms or be installed on a Solaris server (www.websense.com/products/integrations/ciscoPIX.cfm). URL filtering provides the means to apply and enforce an acceptable use policy for Internet browsing as well as to capture and analyze how your personnel are using the Internet. The servers themselves provide reporting capabilities so that you can determine how well your policy is being followed.
Address Translation
Network address translation is a key feature of the Cisco PIX. In fact, the PIX originated as an appliance created by a company called Network Translations Inc., and the PIX’s first role simply was to perform address translation. (The name PIX comes from Private Internet Exchange, reflecting its purpose: to exchange traffic between private networks and the Internet.) Refer back to Chapter 1 for more information on address translation.
High Availability
The three fundamental concepts of information security are confidentiality, integrity, and availability. The PIX addresses the availability idea by providing a robust, fault-tolerant environment. Fault-tolerant has a specific meaning where firewalls are concerned: if an error or failure occurs, alerts are triggered and sent, allowing corrective actions to be taken. The term high availability usually refers to hardware fault tolerance. Obviously, a firewall is a critical piece of equipment: to effectively perform its function, it is usually placed in the middle of multiple datastreams. Cisco hardware is of very high quality, and the PIX has no moving parts. Nonetheless, errors or problems will occur, and even the best-made equipment does fail. High availability is a device configuration in which an isolated failure of the hardware will not bring down your network. Achieving high availability requires duplicated hardware. In this case, two PIX firewalls are configured similarly and maintain communications between themselves: loss of these special communications equates to a failure, allowing corrective actions to occur automatically. If one firewall in the pair fails, the other transparently picks up the traffic, and alarm messages are sent to the network management console. High availability can be configured in several ways. Naturally, you need a second PIX that will be configured in a hot standby fashion. The simplest and least expensive way is through a serial cable, provided when you purchase the failover license. Alternately, a LAN interface can be dedicated to the failover process. With the failover cable, hello packets containing the number of bytes seen by the interfaces are transmitted between the two boxes, and if the values differ, failover can occur. With the LAN interface, full state information is transmitted so that in the event of a failover, the TCP sessions can keep running without reinitialization. PIX 7.0 also allows for firewalls to be run in active/active mode, enabling the ability to balance some of the traffic across a pair of firewalls.
PIX Hardware
The PIX has many different configuration models to ensure that the product will be suited to different environments. Obviously, the requirements of a SOHO user will be different from those of a service provider. Cisco has provided various classes with different price points to ensure optimum product placement.
Models
Five models are currently supported: the 501, the 506E, the 515E, the 525, and the 535. However, there are three models that you may see deployed in enterprise environments: the 515, the 525, and the 535. As it turns out, these are the three models that the new 7.0 code will run on. The 7.0 code at the time of this writing does not run on the SOHO models, which are the 501 and 506E. Table 2.1 shows the vital characteristics of each of the models.
Table 2.1 PIX Model Characteristics

Model | Processor Type           | RAM Memory | Maximum Interfaces | Failover Support | Clear-Text Throughput | 3DES Throughput | VAC Available?
------|--------------------------|------------|--------------------|------------------|-----------------------|-----------------|---------------
501   | 133MHz AMD SC520         | 16 MB      | 2                  | No               | 60Mbps                | 3Mbps           | No
506E  | 300MHz Intel Celeron     | 32 MB      | 2                  | No               | 100Mbps               | 16Mbps          | No
515E  | 443MHz Intel Celeron     | 128 MB**   | 6**                | Yes              | 190Mbps               | 135Mbps*        | Yes
525   | 600MHz Intel Pentium III | 512 MB**   | 8                  | Yes              | 330Mbps               | 145Mbps*        | Yes
535   | 1GHz Intel Pentium III   | 1 GB**     | 10                 | Yes              | 1.7Gbps               | 425Mbps*        | Yes
FWSM  | (not listed)             | 1 GB       | (not listed)       | (not listed)     | (not listed)          | 5Gbps           | Yes

* Maximum 3DES throughput is achieved with the VPN+ Accelerator; ** Maximum requires the unrestricted license.
PIX 501
The 501 is the basic entry model for the PIX line, with a fixed hardware configuration. It has a four-port 10/100Mbps switch for inside connectivity and a single 10/100Mbps interface for connecting to the Internet upstream device (such as cable modem or DSL router). It will provide 3Mbps throughput on a 3DES IPsec connection, which should satisfy most SOHO requirements. The base license is a 10-user license with DES IPsec. There is an optional 50-user upgrade and/or 3DES VPN support. There is also an unlimited user count version available. The 501 is based on a 133MHz AMD SC520 processor with 16MB of RAM and 8MB of flash. There is a console port, a full/half duplex RJ45 10BaseT port for the outside, and an integrated, auto-sensing, auto-MDIX four-port RJ45 10/100 switch for the inside.
PIX 506E
The 506E product, an enhanced version of the 506, has replaced it on the product sheets. The chassis are similar, but the 506E has a beefier CPU, a quieter fan, and a new power supply. The CPU is a 300MHz Intel Celeron, and the RAM and flash are of the same capacity as the original 506. Clear-text throughput has been increased to 100Mbps (wire speed), and 3DES throughput increased to 16Mbps. Licensing on the 506E (and 506) is provided in a single, unlimited-user mode. The only extra license you may need is the 3DES license. The 506E has one console port and two RJ45 10BaseT ports, one for the outside and one for the inside.
PIX 515E
The 515E replaced the 515 in May 2002. It has a higher-performing 433MHz Intel Celeron, increasing base firewall performance, and is intended for the enterprise core of small- to medium-sized businesses. The 515E can offload the arithmetic load of DES computation from the OS to a dedicated VPN accelerator card (VAC+), delivering up to 135Mbps 3DES throughput and 2,000 VPN tunnels. Licensing is similar: the restricted license limits you to three interfaces and no failover, whereas the unrestricted license has the memory upgrade, the VAC+, and up to six interfaces.
The chassis is a 1U pizza-box, intended for rack mounting. The most important difference between the 506E and the 515E is that the 515E chassis is hardware configurable. The 515E provides a slot for an additional single-port or four-port Fast Ethernet interface, allowing the inside, outside, and up to four additional service networks. The licensing is flexible, allowing enterprises to purchase only what they need. The restricted license limits the number of interfaces to three and does not support high availability. The unrestricted license allows for an increase in RAM (from 32MB to 128MB) and up to six interfaces, together with failover capability.
PIX 525
The PIX 525 replaced the PIX 520 in June 2001. It is designed for large enterprise or small service provider environments. The diskette drive found on the 520 is gone. The 525 supports single- or four-port 10/100 Fast Ethernet, 4/16 Token Ring, and dual-attached multimode FDDI cards, as well as Gigabit Ethernet. Performance tells the story here: the 525 with its 600MHz Intel Pentium III boasts 330Mbps clear-text throughput and, with the VPN+ accelerator card, 145Mbps of 3DES IPsec tunnel traffic. Licensing is based on interface counts and failover, as with the other models. The restricted license limits the PIX 525 to 128MB of RAM and six interfaces. The unrestricted license bumps RAM to 512MB, allows up to eight interfaces, and supports failover. As before, 3DES licensing is separate, if desired.
PIX 535
The PIX 535 is the top-of-the-line model, suitable for service provider environments. Performance is the key: up to 1.7Gbps clear-text throughput, half a million simultaneous connections, and 7000 connection initialization/teardowns per second. With the VAC+, you can get 425Mbps 3DES throughput, with up to 2000 simultaneous security associations (VPN tunnels). In terms of hardware, the PIX 535 is based on a 1GHz Intel Pentium III, with up to 1GB of RAM. It has a 16MB flash and 256K cache running at 1GHz, as well as a dual 64-bit 66MHz PCI system bus. Cards available are the one- or four-port 10/100 Ethernet NICs or Gigabit Ethernet multimode “stick and click” fiber connectors.
Cisco Firewall Services Module
The Cisco Firewall Services Module (FWSM) is an integrated firewall and switching module based on the Cisco PIX. It is designed and intended for the Catalyst 6500 series switch and the Cisco 7600 series router. It offers 5Gbps of throughput with one million concurrent connections. You can place up to four FWSMs in a single chassis. You can manage the FWSM using PDM version 4 for FWSM (Release 2.3), Monitoring Center for Performance, or Management Center for Firewalls. You can also configure the FWSM to use Telnet or SSHv1 to access the CLI of the module. The FWSM can work with either CatOS or IOS-based code and supports a few different supervisor cards. In Table 2.2, we see the relationship between supervisor cards and the level of code needed to run an FWSM. At the time of this writing, version 7.0 had not been deployed for the FWSM.
Table 2.2 Supervisor Cards Needed to Run an FWSM

             | Sup1 (with MSFC)   | Sup2 (with MSFC)   | Sup720
-------------|--------------------|--------------------|---------------------
Module Code  | Cisco IOS/CatOS    | Cisco IOS/CatOS    | Cisco IOS/CatOS
FWSM Version | 12.1(13)E / 7.5(1) | 12.1(13)E / 7.5(1) | 12.2(14)SX1 / 8.2(1)
Software Licensing and Upgrades
The PIX uses software licensing to enable or disable features within the PIX OS. Although the hardware is common to all platforms (except that certain licenses can ship with additional memory or hardware accelerators) and the software is common, features differ depending on the activation key. The activation key allows you to upgrade features without acquiring new software, although the process is similar. The activation key is computed by Cisco depending on what you have ordered and your serial number; it is different for each piece of PIX hardware. The serial number is based on the flash, so if you replace the flash, you have to replace the activation key.
The activation key enables feature-specific information such as interfaces, high availability, and type of encryption. More specific information is found in the section, “PIX Licensing and Upgrades.” To get information about the activation key, use the show version command. The command provides information about the code version, hardware information, and activation key information. Alternately, the command show activation-key provides this printout:
    PIX1# show activation-key
    Serial Number:
    Licensed features for this platform:
    Maximum Physical Interfaces : 10
    Maximum VLANs               : 100
    Inside Hosts                : Unlimited
    Failover                    : Active/Active
    VPN-DES                     : Enabled
    VPN-3DES-AES                : Enabled
    Cut-through Proxy           : Enabled
    Guards                      : Enabled
    URL Filtering               : Enabled
    Security Contexts           : 2
    GTP/GPRS                    : Disabled
    VPN Peers                   : Unlimited

    This platform has an Unrestricted (UR) license.

    The flash activation key is the SAME as the running key.
    PIX1#
Updating the activation key in version 7.0 of the PIX OS couldn’t be simpler. The command activation-key activation-key-four-or-five-tuple sets the key to the new value. Note that activation tuples are in hexadecimal, are case insensitive, and don’t require you to start the numbers with 0x. Thus, the previously mentioned machine could be set with:

PIX1(config)# activation-key 75fe7c49 c08b4082 08979930 e4b4c4b0 004b4ccd
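As an added example that is not from the book, the following Python script parses a show activation-key listing like the one above into a dictionary and flags license states an administrator should notice, such as strong encryption not being licensed or a flash key that differs from the running key. The sample listing is constructed from the output above; the serial number is the masked one from the show version output later in this chapter, and the wording of the flash-key line is assumed to contain SAME when the keys agree.

```python
"""Parse PIX 'show activation-key' output and audit the licensed features.

Added example, not from the book. SAMPLE_OUTPUT is constructed from the
listing in the text; the serial number is the masked one shown later in
the chapter, and the key is the one set with the activation-key command.
"""
import re

SAMPLE_OUTPUT = """\
PIX1# show activation-key
Serial Number: 80XXXX563
Running Activation Key: 0x75fe7c49 0xc08b4082 0x08979930 0xe4b4c4b0 0x004b4ccd

Licensed features for this platform:
Maximum Physical Interfaces : 10
Maximum VLANs               : 100
Inside Hosts                : Unlimited
Failover                    : Active/Active
VPN-DES                     : Enabled
VPN-3DES-AES                : Enabled
Cut-through Proxy           : Enabled
Guards                      : Enabled
URL Filtering               : Enabled
Security Contexts           : 2
GTP/GPRS                    : Disabled
VPN Peers                   : Unlimited

This platform has an Unrestricted (UR) license.

The flash activation key is the SAME as the running key.
PIX1#
"""

LICENSE_RE = re.compile(r"This (?:platform|machine) has an? (.+?) license\.")


def parse_activation_key(text):
    """Return serial, running key, feature table, license type and flash/running key agreement."""
    result = {"serial": None, "running_key": [], "features": {},
              "license": None, "flash_key_matches_running": None}
    in_features = False
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("Serial Number:"):
            result["serial"] = line.split(":", 1)[1].strip() or None
        elif line.startswith("Running Activation Key:"):
            result["running_key"] = line.split(":", 1)[1].split()
        elif line.startswith("Licensed features for this platform:"):
            in_features = True
        elif in_features:
            if not line:                      # a blank line ends the feature table
                in_features = False
            else:
                name, sep, value = line.partition(":")
                if sep:
                    result["features"][name.strip()] = value.strip()
        else:
            m = LICENSE_RE.match(line)
            if m:
                result["license"] = m.group(1)
            elif line.startswith("The flash activation key is"):
                # Assumed wording: the PIX prints 'SAME' when flash and running keys agree.
                result["flash_key_matches_running"] = "SAME" in line
    return result


def audit(parsed):
    """Return findings an administrator should act on before relying on this unit."""
    f = parsed["features"]
    findings = []
    if f.get("VPN-3DES-AES") != "Enabled":
        findings.append("VPN-3DES-AES not licensed: only single DES is available for VPN")
    if f.get("VPN-DES") != "Enabled" and f.get("VPN-3DES-AES") != "Enabled":
        findings.append("no VPN encryption licensed at all")
    if f.get("Failover", "No support") in ("No support", "Disabled"):
        findings.append("failover not licensed: this unit is a single point of failure")
    if parsed["flash_key_matches_running"] is False:
        findings.append("flash key differs from running key: features change at next reload")
    if not parsed["running_key"]:
        findings.append("no running activation key found in output")
    return findings


if __name__ == "__main__":
    parsed = parse_activation_key(SAMPLE_OUTPUT)
    print(parsed["license"], parsed["features"]["Security Contexts"], "contexts")
    for finding in audit(parsed) or ["no findings"]:
        print("-", finding)
```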
Licensing

Generally, Cisco PIX licensing falls into one of four types: Restricted, Unrestricted, Failover, and Failover Active/Active. The Restricted and Unrestricted licenses apply to all Cisco PIX firewalls except the 501 and 506, but the Failover licenses apply only to the 515, 525, and 535 models. The 501 and 506 do not have the required interfaces for failover. With the release of the PIX 7.0 code, the Failover method has added an Active/Active feature to its Active/Standby model.
NOTE The Cisco FWSM does not require a license of any kind. FWSM does not run 7.0 at the time of this writing.
There are various pieces that make up the licensing or feature set for the Cisco PIX. In Table 2.3 we see several of the key features of each license type and how they differ between the licenses.
Table 2.3 PIX 500 Series Licensing

PIX 515/515E
                          Restricted   UR (unrestricted)    FO (failover)        FO-AA (failover Active/Active)
Security Contexts         No support   2 default, up to 5   2 default, up to 5   2 default, up to 5
Failover                  No support   Active/Standby       Active/Standby       Active/Standby, Active/Active
Max VLANs                 10           25                   25                   25
Concurrent Connections    49 K         130 K                130 K                130 K
Max. Physical Interfaces  3            6                    6                    6
Encryption                None (default), Base DES, or 3DES/AES for every license type
Min RAM                   64 MB        128 MB               128 MB               128 MB

PIX 525
                          Restricted   UR (unrestricted)    FO (failover)        FO-AA (failover Active/Active)
Security Contexts         No support   2 or 5,10,20,50      2 or 5,10,20,50      2 or 5,10,20,50
Failover                  No support   Active/Standby       Active/Standby       Active/Standby, Active/Active
Max VLANs                 25           100                  100                  100
Concurrent Connections    110 K        280 K                280 K                280 K
Max. Physical Interfaces  6            10                   10                   10
Encryption                None, Base DES, or 3DES/AES for every license type
Min RAM                   128 MB       512 MB               512 MB               512 MB

PIX 535
                          Restricted   UR (unrestricted)    FO (failover)        FO-AA (failover Active/Active)
Security Contexts         No support   2,5,10,20,50,100     2,5,10,20,50,100     2,5,10,20,50,100
Failover                  No support   Active/Standby       Active/Standby       Active/Standby, Active/Active
Max VLANs                 50           200                  200                  200
Concurrent Connections    250 K        500 K                500 K                500 K
Max. Physical Interfaces  8            14                   14                   14
Encryption                None, Base DES, or 3DES/AES for every license type
Min RAM                   512 MB       1024 MB              1024 MB              1024 MB
Upgrading Software

The traditional way of managing images is via TFTP, a fast and efficient UDP protocol. Unfortunately, it is not authenticated, so you have to be a bit careful to ensure that your data actually gets saved when you write to a TFTP server and that the data you download doesn’t get corrupted. By default, UNIX and Linux hosts have TFTP software preinstalled. If you have a UNIX laptop, try man tftpd to see how to turn it on. If you have a Windows laptop, the server is not installed (although a client might well be; it is standard on most NT and Win2K environments). Luckily, a TFTP server for a Windows environment is easy to acquire and install. Perhaps one of the best is the SolarWinds TFTP server, which SolarWinds gives away as a freebie in the hope that you will buy the entire suite of tools (which is well worth the money). You can get the TFTP server at www.solarwinds.net/Tools/Free_tools/TFTP_Server/. Figure 2.7 shows a screenshot of the SolarWinds TFTP server running on a Windows XP host.
Figure 2.7 Solarwinds TFTP Server
Another free TFTP server is provided by Cisco via its Web site. It can be downloaded at www.cisco.com/cgi-bin/tablebuild.pl/tftp. Simply provide your Cisco user ID when you download, and launch the installer executable. Running the Cisco TFTP server is straightforward.The server, by default, is not running. (This mode is recommended because there is no authentication; you don’t want anyone uploading or downloading files without your knowledge.) The first time you run it, press O for Options (under the View menu) to set the log file, if desired, and set the TFTP root directory where the images are stored. If you are going to be upgrading the PIX software, FTP the binary image down from the Web into that directory, and you are ready for the transfer.
Preliminary Upgrade to 6.3

Before you can upgrade to 7.0, you must be running version 6.2 or 6.3; if not, you will need to upgrade to one of these versions first. Upgrading to 6.2 or 6.3 resolves configuration issues that may arise from older configurations when you upgrade to 7.0. The following steps take you through the 6.3 upgrade. Once that upgrade is complete, we can move to the 7.0 upgrade, which is very significant because it completely reformats the flash to the IOS style of formatting. There are also new memory requirements. For the PIX 515E, the memory requirements are 64MB of RAM for a Restricted license and 128MB of RAM for Unrestricted or Failover licensing. The Cisco PIX 525 Restricted license requires 128MB of RAM and the Unrestricted license requires 256MB of RAM. The PIX 535 with a Restricted license requires 512MB of RAM, and 1024MB of RAM for an Unrestricted license.
NOTE This 6.3 image for the PIX 515 can access only the first 8 MB of RAM even if 16 MB of RAM is installed. When the 7.0 image tries to load into the memory, there may not be enough room, and an error will result. The solution is to load the 7.0 code from monitor mode.
If you have a very old version of the software (pre-5.1(x)), you must upgrade using monitor mode. You can follow the preceding notes or the following step-by-step procedure:

1. Enter monitor mode. Remember, this requires that you get a console session running, power-cycle the box, and press Escape within 10 seconds of the boot.
2. The PIX is currently unconfigured. Set up your download interface by doing the following:
■ Use interface number to set the TFTP interface. The default is 1, so you don’t have to set it if the TFTP server is on the inside.
■ Use address IP address to set the IP address of the PIX.
■ Hopefully, your server is on the same network as the TFTP interface. If not, you can set a default gateway with gateway IP address.
3. Next, prepare the transfer information:
■ Use server IP address to set the IP address of your TFTP server.
■ Use file filename to set the name of the image to upload.
4. Finally, execute the transfer. Use tftp to start the file transfer.

This process loads a new image in place, and when you reboot, you will come up under the new image. Luckily, this process should not apply unless you accidentally upload the wrong file or your TFTP transfer fails. Monitor mode is used primarily in the event of disaster.

The process of updating your software on a reasonably new version of code is straightforward. You can avoid monitor mode and do everything from the PIX enable command line. Log in to the PIX and get into enable mode. It is a good idea to ping your TFTP server to verify connectivity, for example:

PIX1# ping inside 10.1.1.1
Get the version of the software onto your TFTP server, and copy the file to flash:

pixfirewall# copy tftp flash
Address or name of remote host [127.0.0.1]? 10.1.1.1
Source file name [cdisk]? pix621.bin
copying tftp://10.1.1.1/pix621.bin to flash
[yes|no|again]? yes
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
Received 1640448 bytes.
Erasing current image.
Writing 1640448 bytes of image.
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
Image installed.
On the next reload, the new image is available.
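Because TFTP carries neither authentication nor integrity protection, a transfer can be corrupted or cut short without the protocol noticing. The following Python helper is added here and is not part of the book: it hashes the image you are about to serve against a value obtained out of band (for example the vendor's published checksum) and checks that the byte count the PIX reports in the copy session matches the file actually served. The transcript is constructed from the session above, and the image it checks is a dummy file written for the demonstration.

```python
"""Integrity checks around an unauthenticated TFTP image transfer.

Added example, not from the book. SAMPLE_TRANSCRIPT is constructed from
the 'copy tftp flash' session shown in the text, and the file written by
write_constructed_image() is a dummy standing in for pix621.bin.
"""
import hashlib
import hmac
import os
import re
import tempfile

SAMPLE_TRANSCRIPT = """\
pixfirewall# copy tftp flash
Address or name of remote host [127.0.0.1]? 10.1.1.1
Source file name [cdisk]? pix621.bin
copying tftp://10.1.1.1/pix621.bin to flash
[yes|no|again]? yes
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
Received 1640448 bytes.
Erasing current image.
Writing 1640448 bytes of image.
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
Image installed.
"""

RECEIVED_RE = re.compile(r"Received\s+(\d+)\s+bytes")
WRITTEN_RE = re.compile(r"Writing\s+(\d+)\s+bytes of image")


def file_digest(path, algorithm="sha256"):
    """Hex digest of a file, read in chunks so a large image never sits in memory."""
    h = hashlib.new(algorithm)
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def image_matches_published_hash(path, expected_hex, algorithm="sha256"):
    """True only if the image hashes to the value obtained out of band
    (pass algorithm='md5' when that is what the vendor published)."""
    return hmac.compare_digest(file_digest(path, algorithm), expected_hex.strip().lower())


def parse_copy_session(transcript):
    """Byte counts the PIX prints while copying: (received, written); None if absent."""
    received = RECEIVED_RE.search(transcript)
    written = WRITTEN_RE.search(transcript)
    return (int(received.group(1)) if received else None,
            int(written.group(1)) if written else None)


def transfer_is_complete(path, transcript):
    """The PIX must report receiving exactly as many bytes as the file you served;
    anything else means the UDP transfer was cut short and the image is suspect."""
    received, _ = parse_copy_session(transcript)
    return received is not None and received == os.path.getsize(path)


def write_constructed_image(size):
    """Write a dummy image of `size` bytes for the demonstration; returns its path."""
    fd, path = tempfile.mkstemp(suffix=".bin")
    with os.fdopen(fd, "wb") as fh:
        fh.write(bytes(range(256)) * (size // 256) + bytes(size % 256))
    return path


if __name__ == "__main__":
    image = write_constructed_image(1640448)       # the size the PIX reported above
    published = file_digest(image)                  # stand-in for the vendor's checksum
    print("hash ok          :", image_matches_published_hash(image, published))
    print("received/written :", parse_copy_session(SAMPLE_TRANSCRIPT))
    print("complete transfer:", transfer_is_complete(image, SAMPLE_TRANSCRIPT))
    os.remove(image)
```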
Upgrade from 6.3 to 7.0 Code

Now that we have our PIX running version 6.3, and we have resolved any configuration issues such as still using conduits (which are not supported in 7.0), we can move on to the upgrade. We will use the TFTP server just as we did for the 6.3 upgrade. The format is to use the copy tftp command shown in the following example and tell the PIX to copy the image to flash:

# copy tftp:/// flash:image

The IP address and the filename do not have to be specified on the command line; the PIX will prompt you for the IP address of the server and the filename if you just give the command:

# copy tftp flash:image

pixfirewall(config)# copy tftp flash:image
Address or name of remote host [0.0.0.0]? 192.168.50.14
Source file name [cdisk]? pix-7.0.0.97-.bin
copying tftp://192.168.50.14/pix-7.0.0.97-.bin to flash:image
[yes|no|again]? yes
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
::: Trimmed for clarity :::
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
Received 5105664 bytes
Erasing current image
Writing 5046328 bytes of image
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
Image installed
pixfirewall(config)# reload
Proceed with reload? [confirm]
Version 7.0 does things in new ways that are different from previous versions. There are new messages associated with the booting process. Version 7.0 will reformat the flash and rewrite the directory structure. For the new image to start the installation process, we have to reload the PIX. Once the Cisco PIX reloads, we see the following text:

Rebooting..
CISCO SYSTEMS PIX FIREWALL
Embedded BIOS Version 4.3.207 01/02/02 16:12:22.73
Compiled by morlee
256 MB RAM

Saving the configuration !
Saving a copy of old configuration as downgrade.cfg !
Saved the activation key from the flash image
Saved the default firewall mode (single) to flash
Saving image file as image.bin
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
::: Trimmed for clarity :::
GTP/GPRS        : Not Supported
VPN Peers       : Unlimited

This machine has an Unrestricted (UR) license.

Encryption hardware device : VAC+ (Crypto5823 revision 0x1)
Creating context 'single_vf'... Done. (0)
--------------------------------------------------------------------------
C i s c o  S y s t e m s
Private Internet eXchange
--------------------------------------------------------------------------
Cisco PIX Security Appliance Software Version 7.0(1
This product contains cryptographic features and is subject to United States and local country laws governing import, export, transfer, and use. Delivery of Cisco cryptographic products does not imply third-party authority to import, export, distribute, or use encryption. Importers, exporters, distributors and users are responsible for compliance with U.S. and local country laws. By using this product you agree to comply with applicable laws and regulations. If you are unable to comply with U.S. and local laws, return the enclosed items immediately.

A summary of U.S. laws governing Cisco cryptographic products may be found at:
http://www.cisco.com/wwl/export/crypto/tool/stqrg.html

If you require further assistance please contact us by sending email to export@cisco.com.
******************************* Warning *******************************

Copyright (c) 1996-2004 by Cisco Systems, Inc.

Restricted Rights Legend

Use, duplication, or disclosure by the Government is subject to restrictions as set forth in subparagraph (c) of the Commercial Computer Software - Restricted Rights clause at FAR sec. 52.227-19 and subparagraph (c) (1) (ii) of the Rights in Technical Data and Computer Software clause at DFARS sec. 252.227-7013.

Cisco Systems, Inc.
170 West Tasman Drive
San Jose, California 95134-1706

Cryptochecksum(unchanged): 25d8ff73 485b6e70 c0df6bbb e42f9639
INFO: converting 'fixup protocol dns maximum-length 512' to MPC commands
INFO: converting 'fixup protocol ftp 21' to MPC commands
INFO: converting 'fixup protocol h323_h225 1720' to MPC commands
INFO: converting 'fixup protocol h323_ras 1718-1719' to MPC commands
INFO: converting 'fixup protocol http 80' to MPC commands
INFO: converting 'fixup protocol netbios 137-138' to MPC commands
INFO: converting 'fixup protocol rsh 514' to MPC commands
INFO: converting 'fixup protocol rtsp 554' to MPC commands
INFO: converting 'fixup protocol sip 5060' to MPC commands
INFO: converting 'fixup protocol skinny 2000' to MPC commands
INFO: converting 'fixup protocol smtp 25' to MPC commands
INFO: converting 'fixup protocol sqlet 1521' to MPC commands
INFO: converting 'fixup protocol sunrpc_udp 111' to MPC commands
INFO: converting 'fixup protocol tftp 69' to MPC commands
INFO: converting 'fixup protocol sip udp 5060' to MPC commands
INFO: converting 'fixup protocol xdmcp 177' to MPC commands
Type help or '?' for a list of available commands.
pixfirewall>
Now when we use the show version command, we see that our code is now 7.0:

pixfirewall# show version
Cisco PIX Security Appliance Software Version 7.0(1)
Device Manager Version 5.0(1)

Compiled on Thu 31-Mar-05 14:37 by builders
System image file is "flash:/image2.bin"
Config file at boot was "startup-config"

pixfirewall up 50 secs

Serial Number: 80XXXX563
Running Activation Key: 0xf92xx218 0x4c8xxb1f 0x2xx32cd 0x8cxx666b
Configuration has not been modified since last system restart.
pixfirewall#
Downgrading from 7.0 to 6.3

One feature new in version 7.0 is the ability to downgrade from 7.0 back to 6.3. There are some caveats to remember when attempting to downgrade the PIX. To effect this downgrade of code, we use the downgrade command. Cisco also recommends that the files be stored locally, since the downgrade cannot tolerate any interruption. The downgrade will verify the four-tuple key, which is stored when the PIX is upgraded. If the PIX cannot verify the key, it will have to be reentered. The following example shows the downgrade command parameters that we can choose from:

PIX1# downgrade ?
  /noconfirm  Do not prompt for confirmation
  flash:      URL of the image to reboot with
  ftp:        URL of the image to reboot with
  http:       URL of the image to reboot with
  https:      URL of the image to reboot with
  tftp:       URL of the image to reboot with
PIX1#
When the downgrade is completed, the downgrade command will reboot the PIX to enable the old code. When you use the downgrade command, if you do not specify the configuration file to use, the PIX will use the saved downgrade.cfg by default.
Management Access

Management access is how you will access the Cisco PIX for configuration and management. The Cisco PIX is very flexible about access: you can connect through the console port with a simple eight-wire cable, you can connect by Telnet, you can connect by SSH, or you can connect by HTTPS using a browser. This gives you a lot of options for configuring Cisco PIX management access in a way that is secure for your own situation. In this section we cover the various methods of connecting to your Cisco PIX firewall, how to configure the access, and how to keep the access as secure as possible.
Console Port

The primary mechanism for talking to a PIX is via the console port. Some devices have the old DB9 connectors, nine-pin D-subminiature connectors similar to those found on the back of many PCs. The newer devices use the Cisco standard RJ45 connector (rollover cable), similar to those used with most Cisco routers and switches. In each case, an appropriate cable is provided with your equipment. The communication is via null-modem and uses communications set to 8-N-1. If you are using Windows, a good program to communicate with a PIX is HyperTerminal, which is provided with most Windows-based installations, under Accessories/Communications. When launching HyperTerminal, configure your connection to direct-connect to COM 1, as shown in Figure 2.8.
Figure 2.8 Configuring HyperTerminal
The communications parameters then need to be set, as shown in Figure 2.9.
Figure 2.9 Port Communication Properties for HyperTerminal
At this point, you should be connected. Power on your PIX, and you will see the boot process taking place, as shown in Figure 2.10. Your output will differ slightly.
Figure 2.10 Sample Output from Boot Sequence
If you do not see output or the output is garbled, it usually means your parameters are not set correctly. If you are not using the provided cable, make sure it is null-modem and that your parameters are set to 8 bit, 9600 baud, 1 stop bit, no parity, and no flow control.
USB

Even though the Cisco PIX 515, 525, and 535 have a USB port available, it is not used for any purpose at this time.
Telnet

Telnet is one of the most common ways to access a network device. The Cisco PIX will support Telnet access on the inside interface by default, and on the outside interface only when it is used with encryption such as IPsec. Telnet is strongly discouraged in favor of SSH, which is encrypted. The default port for Telnet is TCP port 23. The default Telnet password for the Cisco PIX is “cisco.”
SSH

Secure Shell (SSH) is the preferred method of connecting over a network to the Cisco PIX firewall. SSH is a suite of encrypted applications that can replace Telnet, remote copy, and FTP with SSH, SCP, and SFTP. SSH uses port 22 and is not enabled by default. For full details on the usage of SSH and enabling SSH on the Cisco PIX firewall, please see Chapter 8.
Web

The Cisco PIX can be managed by a Web interface called the Adaptive Security Device Manager (ASDM), which replaces the PIX Device Manager (PDM). The new ASDM can be accessed by using HTTPS or by using a Windows application installed on the management console. The Web-based interface is Java-based, so it is not a requirement to use Internet Explorer; you can use a recent release of Mozilla or Firefox to manage the PIX. In Figure 2.11 we see the startup screen, which offers the choice of the Windows application or the Java-based front end.
Figure 2.11 Choosing the ASDM Front End
Once you have chosen the front end, the ASDM will start up. In Figure 2.12, we see the final screen of the ASDM when starting using Java and FireFox 1.01.
Figure 2.12 Running ASDM in the FireFox Web Browser
Password Recovery

Cisco makes it easy to recover from a lost or forgotten password on its PIX firewalls with a minimum of downtime. You download a program, depending on your OS version, that will execute on the PIX and reset the password to the default, cisco. You can then get in and use enable mode to set the password to a known value. Earlier you saw that monitor mode was used for emergencies. Forgetting the password is a pretty good emergency. With the emergency defined, use Table 2.4 to find the recovery file you will need to download from Cisco’s Web site.
Table 2.4 PIX Password Recovery Binaries

Version           Filename     URL
4.3 and earlier   nppix.bin    www.cisco.com/warp/public/110/nppix.bin
4.4 release       np44.bin     www.cisco.com/warp/public/110/np44.bin
5.0 release       np50.bin     www.cisco.com/warp/public/110/np50.bin
5.1 release       np51.bin     www.cisco.com/warp/public/110/np51.bin
5.2 release       np52.bin     www.cisco.com/warp/public/110/np52.bin
5.3 release       np53.bin     www.cisco.com/warp/public/110/np53.bin
6.0 release       np60.bin     www.cisco.com/warp/public/110/np60.bin
6.1 release       np61.bin     www.cisco.com/warp/public/110/np61.bin
6.2 release       np62.bin     www.cisco.com/warp/public/110/np62.bin
6.3 release       np63.bin     www.cisco.com/warp/public/110/np63.bin
Follow these steps to effect a Cisco PIX firewall recovery.

1. Pick the correct version of the software from Table 2.4.
2. Place this software on a TFTP server accessible to the PIX.
3. Connect to the PIX on the console port. Verify connectivity. (You should get a password prompt, which you can’t answer.)
4. Reboot the PIX.
5. Within 10 seconds of the reboot, press Esc to enter monitor mode.
6. Use the interface command to set the interface to that of the TFTP server.
7. Use the address command to specify the IP address of that interface.
8. Use the server command to specify the IP address of the TFTP server.
9. Use the gateway command to specify the default route to the TFTP server, if needed. (This is not recommended; if at all possible, try to have the TFTP server on the same network as the PIX interface to minimize the likelihood of file corruption.)
10. Use the file command to specify the filename of the recovery file you chose in Step 1.
11. Use the ping command to verify that you can connect to the TFTP server.
12. Use the tftp command to start the download.
At this point, you should be prompted to erase the passwords, and you will be in. The default password has now been set to cisco, with no enable password. It is possible to turn off password recovery and force the user trying to recover the password to erase the configuration. To disable password recovery, we use this command:

PIX1(config)# no service password-recovery
This command will force the user to erase all flash systems before the password can be reset using the PIX password recovery tool. Use this command with caution! If you do not keep copies of the current configuration and lock yourself out of the PIX with this command, your only recourse to regain control of your firewall is to delete its entire configuration and start over.
Command-Line Interface

“Real administrators use the command line” is a comment heard a lot among network geeks when discussing their favorite network equipment. In the case of the Cisco PIX firewall, the command line is a very flexible way to configure the PIX, and with the new 7.0 code it is a bit easier if you already know the IOS command structure, since many of the old PIX commands were updated to reflect the structure of the IOS command line. In some rare cases, the command line is still the only way to configure certain features that the ASDM does not support just yet. This section will show you just how rich the command line is for those willing to learn and use it, so sit back and get ready to dig into the nuts and bolts of your Cisco PIX firewall.
Administrative Access Modes

An administrative access mode is a state in which the administrator is able to issue commands, potentially to change the configuration of the PIX. Monitor mode, described earlier, is an administrative access mode, but it is contained in ROM rather than in the binary image, and hopefully you will never have to use it. When you first log in, you are in an unprivileged mode. You can identify the mode you are in from the prompt: if the prompt looks like the hostname followed by a right-angle bracket (>), you are in unprivileged mode. Few commands are available:

PIX1> ?
  clear    Reset functions
  enable   Turn on privileged commands
  exit     Exit from the EXEC
  help     Interactive help for commands
  login    Log in as a particular user
  logout   Exit from the EXEC
  ping     Send echo messages
  quit     Exit from the EXEC
  show     Show running system information
PIX1>
This is not a complete list of the available commands. For example, when you are in unprivileged mode:

PIX1> show ?
  checksum        Display configuration information cryptochecksum
  curpriv         Display current privilege level
  flash:          Display information about flash: file system
  history         Display the session command history
  running-config  Show current operating configuration
  version         Display system software version
PIX1>

PIX1# show version
Cisco PIX Security Appliance Software Version 7.0(0)102
Device Manager Version 5.0(0)73

Compiled on Sun 20-Feb-05 00:40 by builders
System image file is "flash:/image2.bin"
Config file at boot was "startup-config"
The most important of these is enable mode, which turns on the privileged commands. At this point, your prompt will change; now it ends in a pound sign. To show your new privileges:

PIX1# ?
  activation-key  Modify activation-key
  asdm            Disconnect a specific ASDM session
  blocks          Set block diagnostic parameters
  capture         Capture inbound and outbound packets on one or more interfaces
  cd              Change current directory
  clear           Reset functions
  client-update   Execute client updates on all or specific tunnel groups
  clock           Manage the system clock
  configure       Configure using various methods
  copy            Copy from one file to another
  crashinfo       Crash information
  debug           Debugging functions (see also 'undebug')
  delete          Delete a file
  dir             List files on a filesystem
  disable         Exit from privileged mode
  downgrade       Downgrade the file system and reboot
  erase           Erase a filesystem
  exit            Exit from the EXEC
  failover        Switch a unit or failover group to active state or force it back to an unfailed state
  format          Format a filesystem
  fsck            Fsck a filesystem
  gdb             Manipulate remote debugger
  help            Interactive help for commands
  kill            Terminate a telnet session
  logging         Configure flash file name to save logging buffer
  logout          Exit from the EXEC
  memory          Memory tools
  mkdir           Create new directory
  more            Display the contents of a file
  no              Negate a command or set its defaults
  perfmon         Change or view performance monitoring options
  ping            Send echo messages
  pwd             Display current working directory
  quit            Exit from the EXEC
  reload          Halt and reload system
  rename          Rename a file
  rmdir           Remove existing directory
  show            Show running system information
  shun            Manages the filtering of packets from undesired hosts
  ssh             Disconnect a specific SSH session
  terminal        Turn on/off syslogging to this terminal
  test            Test subsystems, memory, and interfaces
  undebug         Disable debugging functions (see also 'debug')
  vpn-sessiondb   Configure the VPN Session Manager
  who             Show active administration sessions on the system
  write           Write running configuration to memory, network, or terminal
PIX1#
While you remain in enable mode but have not yet entered configuration mode (which requires enable privileges), you are more or less protected from accidentally harming the system: you can erase the configuration in total, but you cannot make small changes until you enter configuration mode. Use the configure terminal command to get into configuration mode. Again, your prompt will change to show the privilege:

PIX1(config)#
There are approximately 100 lines of commands, so it is not appropriate to show them all here. Unlike a Cisco router, for which there are additional modes, these are all the modes that occur: you have no rights (nonenable), you are somewhat protected (enable mode only), or you are changing the configuration (enable and configuration mode). However, note that if you are in configuration mode, your show commands are still available. The PIX also stores previous commands you’ve executed. Use the show history command to see what you’ve executed. This feature is helpful in two ways. One, if you are unsure what you have executed so far, look at the show history output to see what you’ve done to date:

PIX1# show history
show
en
show version
show history
PIX1#
A more common use is when you have lots of similar commands. You can use the up-arrow key to recall the previous line from your history and then use the basic editing commands (covered in the following section) to edit the line and resubmit it.
NOTE The PIX firewall provides help functionality built into the command-line interface. Use the question mark key (?); it is your friend. At any point, pressing ? will help you complete your commands. In addition, a “man page” or “manual page” functionality is built in. For example, if you want to ping something and forgot the syntax, try ping ?. If you don’t remember what the ping command does, try help ping. This provides usage, description, and syntax information. In the new 7.0 code, online help has been greatly reduced to keep the size of the image small and to lessen the risk of possible exploits taking advantage of the code used to provide the online help.
Basic Commands

The environment at the command prompt is similar to that of a Cisco router and uses emacs-style commands, shown in Table 2.5.
Table 2.5 Basic Keystroke Shortcuts

Command                  Result
Tab                      Command-line completion.
Ctrl + A                 Moves the cursor to the start of a line.
Ctrl + B                 Moves the cursor one character left (nondestructive).
Alt + B                  Moves the cursor one word left.
Ctrl + D                 Deletes the character under the cursor.
Ctrl + E                 Moves the cursor to the end of the line.
Ctrl + F                 Moves the cursor one character right.
Alt + F                  Moves the cursor one word right.
Ctrl + H or Rubout       Erases the previous character.
Ctrl + R                 Reprints a line.
Up Arrow or Ctrl + P     Displays the previous line.
Down Arrow or Ctrl + N   Displays the next line.
Help or ?                Displays help.
To see additional editing commands, try searching the Web for emacs style commands. However, the list shown in Table 2.5 is sufficient for most users. For example, if you are setting up multiple ACL statements, you can save a great deal of effort by changing only a port number, then pressing Ctrl + P to get the previous line, Alt + F to move right a few words, Ctrl + D to delete the old port, and then typing the new port. In addition, you don’t have to type the full command—you have to provide only enough of the command to establish a unique initial segment. For example, the command configure terminal can be abbreviated; the first three letters aren’t enough (both conduit and configure start with con), and only one option from the configure command starts with t. Therefore, to get into configuration mode, just type conf t. Such shortcuts can save a bit of typing, particularly on long commands.
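The unique-initial-segment rule just described can be reproduced in a few lines, and any script that reads saved PIX configurations needs the same logic to expand abbreviated commands before comparing them against a policy. The following Python example is added here and is not from the book; its command list is constructed from the PIX1# ? listing earlier in this section plus conduit, which the text cites as the reason con is ambiguous, and its configure subcommand table is a partial, constructed one.

```python
"""Resolve abbreviated PIX commands by unique initial segment.

Added example, not from the book. COMMANDS is constructed from the
'PIX1# ?' listing earlier in this section plus 'conduit', which the text
cites as the reason 'con' is ambiguous; SUBCOMMANDS is a partial,
constructed table (the real PIX tables are larger).
"""

COMMANDS = [
    "activation-key", "asdm", "blocks", "capture", "cd", "clear", "client-update",
    "clock", "conduit", "configure", "copy", "crashinfo", "debug", "delete", "dir",
    "disable", "downgrade", "erase", "exit", "failover", "format", "fsck", "gdb",
    "help", "kill", "logging", "logout", "memory", "mkdir", "more", "no", "perfmon",
    "ping", "pwd", "quit", "reload", "rename", "rmdir", "show", "shun", "ssh",
    "terminal", "test", "undebug", "vpn-sessiondb", "who", "write",
]

SUBCOMMANDS = {
    "configure": ["memory", "net", "terminal"],   # constructed, partial list
}


class UnknownCommand(ValueError):
    pass


class AmbiguousCommand(ValueError):
    def __init__(self, token, candidates):
        super().__init__(f"'{token}' is ambiguous: {', '.join(candidates)}")
        self.candidates = candidates


def candidates(token, commands):
    """All commands that begin with `token`, in table order."""
    token = token.lower()
    return [c for c in commands if c.startswith(token)]


def resolve(token, commands):
    """Return the single command `token` abbreviates, exactly as the CLI would."""
    token = token.lower()
    if token in commands:                     # an exact name always wins
        return token
    matches = candidates(token, commands)
    if len(matches) == 1:
        return matches[0]
    if not matches:
        raise UnknownCommand(f"'{token}' matches no command")
    raise AmbiguousCommand(token, matches)


def shortest_unique_prefix(command, commands):
    """Shortest abbreviation the CLI accepts for `command`, e.g. 'conf' for configure."""
    for n in range(1, len(command) + 1):
        if candidates(command[:n], commands) == [command]:
            return command[:n]
    return command


def expand_line(line, commands=COMMANDS, subcommands=SUBCOMMANDS):
    """Expand the command word and, where a table is known, its first keyword;
    remaining arguments are passed through unchanged."""
    words = line.split()
    if not words:
        return ""
    cmd = resolve(words[0], commands)
    out = [cmd]
    if len(words) > 1 and cmd in subcommands:
        out.append(resolve(words[1], subcommands[cmd]))
        out.extend(words[2:])
    else:
        out.extend(words[1:])
    return " ".join(out)


if __name__ == "__main__":
    for full in ("configure", "conduit", "copy", "write", "show"):
        print(f"{full:<10} -> {shortest_unique_prefix(full, COMMANDS)}")
    print(expand_line("conf t"))              # configure terminal
    print(candidates("con", COMMANDS))        # ambiguous: conduit, configure
```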
Hostname and Domain Name

Two useful commands are the hostname and domain-name commands. These set the hostname (which appears in the prompt) and the domain name of the PIX. The syntax is hostname followed by the name, and domain-name followed by the domain, for example:

PIX1(config)# hostname PIX1
PIX1(config)# domain-name secret.com
Configuring Interfaces

The most important aspect of a network device is the network interface. In the PIX, configuring the network interface is a fairly straightforward process. You need to specify the security context and a few parameters to put connectivity in context. Once completed, the default information flow policy takes over.
The interface Command
The interface command has changed in the new PIX 7.0 code. It now selects the physical interface you will be working with, just as on a router. From the interface prompt you set the various parameters of the interface with the commands shown here:

PIX1(config-if)# ?
Interface configuration commands:
  default          Set a command to its defaults.
  description      Interface specific description.
  duplex           Configure duplex operation.
  exit             Exit from interface configuration mode.
  help             Interactive help for interface subcommands.
  igmp             IGMP interface commands.
  ip               Configure ip addresses.
  ipv6             IPv6 interface subcommands.
  management-only  Dedicate an interface to management. Block thru traffic.
  nameif           Assign name to interface.
  no               Negate a command or set its defaults.
  ospf             Configure interface specific OSPF parameters.
  pim              PIM interface commands.
  security-level   Specify the security level of this interface after this keyword, e.g. 0, 100 etc. The relative security level between two interfaces determines the way the Adaptive Security Algorithm is applied. A lower security_level interface is outside relative to a higher level interface and equivalent interfaces are outside to each other.
  shutdown         Shutdown the selected interface.
  speed            Configure speed operation.
PIX1(config-if)#
The nameif Command
The nameif command gives an interface a logical name. The name should be memorable, since it is used in every other command that refers to the interface. In 7.0 you must first use the interface command to select the physical interface, much like working on a router, and then issue the new command, whose format is:

nameif <word>

The <word> is the string of characters that make up the name, up to 49 characters long. The command looks like this:

PIX1(config-if)# nameif DMZ
The security-level Command
This is a new command in the 7.0 code. Where we used to set the security level as part of the nameif command, it is now a separate command called security-level. The format is very simple:

security-level <0-100>

We pick our own security levels, with 0 being the least trusted interface (typically the outside interface) and 100 the most trusted (typically the inside interface). By default, connections may be initiated from a MORE trusted level to a LESS trusted one, so hosts on the inside can reach the outside. Connections in the other direction, from LESS trusted to MORE trusted, are denied unless a specific exception (an access list applied to the lower-security interface) is put in place. Two interfaces at the same level cannot talk to each other at all unless same-security-traffic permit inter-interface is configured.
The ip address Command
The ip address command has changed from 6.3 to 7.0. To set the IP address in 7.0 you first use the interface command to select the physical interface, much like working on a router. The format of the command is:

interface <hardware_id>

which looks like this:

PIX1(config)# interface ethernet 0

Once we have selected the physical interface, we set the address using the format ip address <ip_address> <subnet_mask>:

PIX1(config-if)# ip address 192.168.1.1 255.255.255.0
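The four steps above (select the interface, name it, assign a security level, address it) produce the interface blocks that appear in a saved configuration. The Python script below is an added example, not code from the book or from Cisco: it parses a constructed configuration written in that 7.0 syntax and applies the default flow rule described under security-level (higher to lower permitted; lower to higher, and equal to equal, denied; nothing through a shut-down or unnamed interface). The interface names, levels and addresses in SAMPLE_CONFIG are made up for the example, and the same_security_permitted flag stands in for the same-security-traffic permit inter-interface setting.

```python
"""Parse PIX 7.0 interface blocks and apply the default flow policy.

Added example; SAMPLE_CONFIG is constructed for the illustration.
"""
from dataclasses import dataclass
from typing import Dict, Optional

# Constructed configuration in the 7.0 syntax shown above. DMZ and DMZ2 share
# a security level on purpose; Ethernet4 is left in its out-of-the-box state.
SAMPLE_CONFIG = """\
interface Ethernet0
 nameif Outside
 security-level 0
 ip address 192.168.0.254 255.255.255.0
!
interface Ethernet1
 nameif inside
 security-level 100
 ip address 172.16.1.50 255.255.255.0
!
interface Ethernet2
 nameif DMZ
 security-level 50
 ip address 10.0.0.254 255.255.255.0
!
interface Ethernet3
 nameif DMZ2
 security-level 50
 ip address 10.0.1.254 255.255.255.0
!
interface Ethernet4
 shutdown
 no nameif
 no security-level
 no ip address
!
"""


@dataclass
class Interface:
    hardware_id: str
    nameif: Optional[str] = None
    security_level: Optional[int] = None
    ip_address: Optional[str] = None
    netmask: Optional[str] = None
    shutdown: bool = False


def parse_interfaces(config: str) -> Dict[str, Interface]:
    """Return the interface blocks keyed by hardware id ('Ethernet0', ...)."""
    interfaces: Dict[str, Interface] = {}
    current: Optional[Interface] = None
    for line in config.splitlines():
        words = line.split()
        if not words or words[0] == "!":
            continue
        if words[0] == "interface" and len(words) == 2:
            current = Interface(hardware_id=words[1])
            interfaces[current.hardware_id] = current
        elif current is None:
            continue                      # text before the first block
        elif words[0] == "nameif" and len(words) == 2:
            current.nameif = words[1]
        elif words[0] == "security-level" and len(words) == 2:
            current.security_level = int(words[1])
        elif words[:2] == ["ip", "address"] and len(words) == 4:
            current.ip_address, current.netmask = words[2], words[3]
        elif words[0] == "shutdown":
            current.shutdown = True
        # 'no nameif', 'no security-level', 'no ip address' keep the defaults
    return interfaces


def by_name(interfaces: Dict[str, Interface], name: str) -> Interface:
    """Find an interface by its nameif, as every other PIX command does."""
    for itf in interfaces.values():
        if itf.nameif == name:
            return itf
    raise KeyError(f"no interface named {name!r}")


def default_permits(interfaces: Dict[str, Interface], src: str, dst: str,
                    same_security_permitted: bool = False) -> bool:
    """Default policy with no access list applied: a connection may be
    initiated only from a higher security level to a lower one. Equal levels
    need 'same-security-traffic permit inter-interface'; a shut-down or
    unconfigured interface passes nothing."""
    s, d = by_name(interfaces, src), by_name(interfaces, dst)
    if any(i.shutdown or i.security_level is None for i in (s, d)):
        return False
    if s.security_level == d.security_level:
        return same_security_permitted
    return s.security_level > d.security_level


if __name__ == "__main__":
    ifs = parse_interfaces(SAMPLE_CONFIG)
    names = [i.nameif for i in ifs.values() if i.nameif]
    for a in names:
        print(a, "->", {b: default_permits(ifs, a, b) for b in names if b != a})
```

Run as a script, it prints the permit matrix between the named interfaces; the same parser can be pointed at the output of show running-config to audit which interface pairs a unit permits before any access list is considered.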
NOTE The PIX can also obtain an IP address through DHCP client or PPPoE functionality.
Static Routes
Though the PIX is not a router and does not have a wide selection of routing protocols, it does offer static routes, RIP, and a limited, basic version of OSPF. A static route is specified with the following syntax:

route if_name ip_address netmask gateway_ip [metric]

Translated into English, it reads "packets for the network ip_address, bounded by mask netmask, are sent out interface if_name to the next hop at gateway_ip." The optional metric gives an indication of distance (preference) when more than one route matches. A particularly important route is the default route, the "route of last resort" that is used when no other direction is known for the packet. Only one default route is allowed on the PIX. It is written as network 0 with netmask 0; for example:

PIX1(config)# route outside 0 0 192.168.50.140 1
To see our routes, use the show route command, as we see here:

PIX1(config)# show route
S    0.0.0.0 0.0.0.0 [1/0] via 172.16.1.1, inside
C    172.16.1.0 255.255.255.0 is directly connected, inside
C    192.168.0.0 255.255.255.0 is directly connected, Outside
PIX1(config)#
We have one static route and two connected routes showing in our example.

To set up RIP on an interface, use the rip command in this format:

rip <if_name> <default|passive> [version <1|2>]

We can specify whether RIP will advertise a default route out of the interface (default) or only listen for updates (passive), and which version of RIP to use, 1 or 2. In the following example we are advertising from the DMZ interface and using RIP version 2:

PIX1(config)# rip dmz default version 2

Listening for RIP on an interface means trusting whatever routes arrive on it, so anyone who can reach that segment can redirect traffic by injecting updates. RIP version 2 supports authentication of updates; use it wherever the PIX listens, and avoid passive RIP on interfaces that face untrusted networks.
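As an added example (not from the book), the script below parses show route output in the format shown above and performs the lookup the PIX does for each packet: the most specific matching route wins, and the 0.0.0.0 0.0.0.0 entry is chosen only when nothing else matches. The routing table is constructed for the example and adds two static routes to the ones the book shows; the addresses are made up.

```python
"""Longest-prefix lookup over 'show route' output (added example)."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed 'show route' output in the PIX format: code, network, mask,
# [distance/metric] and next hop for static routes, interface name last.
SHOW_ROUTE = """\
S    0.0.0.0 0.0.0.0 [1/0] via 192.168.0.1, Outside
C    172.16.1.0 255.255.255.0 is directly connected, inside
C    192.168.0.0 255.255.255.0 is directly connected, Outside
S    10.0.0.0 255.0.0.0 [1/0] via 172.16.1.1, inside
S    10.0.5.0 255.255.255.0 [1/0] via 172.16.1.2, inside
"""


@dataclass(frozen=True)
class Route:
    code: str                                 # 'S' static, 'C' connected
    network: ipaddress.IPv4Network
    gateway: Optional[ipaddress.IPv4Address]  # None for connected routes
    interface: str
    distance: int                             # first number inside [x/y]


def parse_show_route(text: str) -> List[Route]:
    """Turn each 'show route' line into a Route; blank lines are skipped."""
    routes: List[Route] = []
    for line in text.splitlines():
        words = line.replace(",", " ").split()
        if len(words) < 4:
            continue
        network = ipaddress.IPv4Network((words[1], words[2]), strict=False)
        if "via" in words:
            gateway = ipaddress.IPv4Address(words[words.index("via") + 1])
            distance = int(words[3].strip("[]").split("/")[0])
        else:
            gateway, distance = None, 0       # directly connected
        routes.append(Route(words[0], network, gateway, words[-1], distance))
    return routes


def lookup(routes: List[Route], destination: str) -> Optional[Route]:
    """Most specific prefix wins; among equal prefixes the lowest distance."""
    dst = ipaddress.IPv4Address(destination)
    matches = [r for r in routes if dst in r.network]
    if not matches:
        return None
    return max(matches, key=lambda r: (r.network.prefixlen, -r.distance))


def next_hop(routes: List[Route],
             destination: str) -> Optional[Tuple[Optional[str], str]]:
    """Return (gateway, interface); gateway is None for direct delivery."""
    route = lookup(routes, destination)
    if route is None:
        return None
    return (str(route.gateway) if route.gateway else None, route.interface)


def default_routes(routes: List[Route]) -> List[Route]:
    """The 'route of last resort' entries, i.e. network 0.0.0.0/0."""
    return [r for r in routes if r.network.prefixlen == 0]


if __name__ == "__main__":
    table = parse_show_route(SHOW_ROUTE)
    for dest in ("10.0.5.7", "10.9.9.9", "172.16.1.77", "8.8.8.8"):
        print(dest, "->", next_hop(table, dest))
```

The ordering key in lookup is the point of the example: a /24 static route beats the /8 that also covers the destination, a connected route beats a static route to the same prefix only through its lower distance, and the default route participates in the comparison like any other entry but can never win against a longer prefix.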
To use OSPF we need to go into router configuration mode with the router command from configuration mode. First we type router, then the protocol, in this case ospf, and finally the process ID (a locally significant number that identifies this OSPF process; it is not an area number), as we see here:
PIX1(config)# router ospf 100
PIX1(config-router)# ?
Router configuration commands:
  area                 OSPF area parameters
  compatible           OSPF compatibility list
  default-information  Control distribution of default information
  distance             Define an administrative distance
  exit                 Exit from router configuration mode
  help                 Interactive help for router subcommands
  ignore               Do not complain about specific event
  log-adj-changes      Log changes in adjacency state
  neighbor             Specify a neighbor router
  network              Add/remove interfaces to/from OSPF routing process
  no                   Negate a command
  redistribute         Redistribute information from another routing process
  router-id            router-id for this OSPF process
  summary-address      Configure IP address summaries
  timers               Adjust routing timers
PIX1(config-router)#
Once we are in config-router mode, we can tell OSPF which networks to advertise. In the following example we add network 172.16.2.0 with a mask of /24 and place it in area 100:

PIX1(config-router)# network 172.16.2.0 255.255.255.0 area 100
OSPF also has per-interface parameters to configure if required. First change to the interface and then configure the OSPF parameters as we see here:

PIX1(config)# interface ethernet 1
PIX1(config-if)# ospf ?

interface mode commands/options:
  authentication       Enable authentication
  authentication-key   Authentication password (key)
  cost                 Interface cost
  database-filter      Filter OSPF LSA during synchronization and flooding
  dead-interval        Interval after which a neighbor is declared dead
  hello-interval       Time between HELLO packets
  message-digest-key   Message digest authentication password (key)
  mtu-ignore           Ignores the MTU in DBD packets
  network              Network type
  priority             Router priority
  retransmit-interval  Time between retransmitting lost link state advertisements
  transmit-delay       Link state transmit delay
PIX1(config-if)#
As you can see, Cisco has brought a lot of flexibility to the PIX with 7.0 by including OSPF. Two of the interface options deserve attention from a security standpoint: authentication and message-digest-key let you require MD5-authenticated OSPF packets on an interface, so that a rogue device on that segment cannot form an adjacency and inject routes into the firewall's table.
Password Configuration
Two passwords need to be set: a login password for access to the PIX and an enable password to get into privileged (enable) mode. PIX passwords are limited to 16 bytes and are case sensitive. A basic configuration assigns them like this:

PIX1(config)# passwd cisco
PIX1(config)# enable password cisco

In the configuration, the password is not stored in clear text but as a hash, which the configuration marks with the keyword encrypted:

enable password 2KFQnbNIdI.2KYOU encrypted
passwd 2KFQnbNIdI.2KYOU encrypted

Note that both lines carry the same value: the stored form depends on the password alone, with no per-device salt, and 2KFQnbNIdI.2KYOU is the well-known hash of the password cisco. Anyone who obtains a configuration backup can test candidate passwords against these strings offline, so treat saved configurations as sensitive and choose passwords that are neither dictionary words nor vendor defaults.

When first connecting to the PIX, you will see a password prompt:

Connected to 10.10.10.1.
Escape character is '^]'.

User Access Verification

Password:
Type help or '?' for a list of available commands.
pix1> en
Password: *****

To preserve security, the password is not echoed to the screen. The previous sequence gets you into enable mode.
NOTE The PIX also supports local user accounts with individual passwords. Alternatively, you can use RADIUS or TACACS+ for console authentication.
Basic Security (What Is Configured by Default Out of the Box)
The basic PIX security posture out of the box, with the exception of the 525, 535, and FWSM, is that all traffic from the inside is allowed out through the outside interface to the Internet or external network, and all traffic initiated from the outside is blocked at the outside interface. This posture makes it relatively easy to set up the Cisco PIX and have it online quickly with a minimum of fuss. However, to improve your security posture you must go back and restrict the outbound traffic with access lists and filters: the default lets any internal host reach any external service, which is more than most policies intend to allow.
Managing Configurations
Having a configuration is just the start of the care and feeding of your Cisco PIX firewall. You also need to manage the configuration, which means knowing how to make changes, how to save them, how to back up the configuration and how to restore it. All important stuff to know, and this section shows just how easy it can be.
Configuration Commands
Just as with any network device, the most important task related to your PIX is ongoing management. It is important that you be comfortable not just manipulating the configuration in configuration mode but also pushing configurations out to storage and pulling them in from backup systems. The key commands here are write, which stores the configuration; copy, which manages the underlying PIX software images; and configure, which updates the configuration.
Configure
You can manage configurations via the configure command, the counterpart of the write commands. Just as write terminal dumps the configuration to the terminal, configure terminal lets you change the configuration from the terminal. The configure commands generally merge the configuration from the source medium into the existing configuration, so you will often want to use clear configure first to wipe out the existing configuration and pull in a complete stored one. The choices are:

configure [terminal|floppy|memory]

You have used this one already, in the conf t command. It lets you add commands from the terminal, from a diskette (if the PIX has a diskette drive), or from flash (memory). Analogous to the copy command, the following form merges a configuration stored on a Web server with the running configuration:

configure http[s]://[<user>:<password>@]<location>[:<port>]/<pathname>

The remaining forms load a configuration from a TFTP server and reset the PIX to its factory default, optionally setting the inside address and mask:

configure net [<server_ip>]:[<pathname>]
configure factory-default [<ip_address> [<mask>]]
Write
The write command writes the configuration to various types of media. The allowed variants are write net, write memory, write standby, write terminal, write erase, and write floppy.

write net [[server_ip]:[filename]]

This form writes the configuration to a TFTP server. The IP address of the server can be given on the command line or preset with the tftp-server command, tftp-server [if_name] ip_address path. A value given on the write net line supersedes the tftp-server setting, but if tftp-server is configured you can provide just a colon (or no parameters at all). Bear in mind that TFTP offers neither authentication nor encryption, and the configuration being written contains password hashes and any preshared keys, so the TFTP server should sit on a trusted management network.

The next command stores the configuration to flash. The uncompressed parameter stores it as an uncompressed string and is generally not necessary:

write memory [uncompressed]

If you want to print the configuration to the terminal (screen), use this command:

write terminal

Note that this prints the running configuration. show running-config lists the same output as write terminal, and show startup-config shows the configuration stored in flash. If the pager variable is set, the screen pauses after a fixed number of lines; to capture the configuration as ASCII, set the pager to 0 and then type write terminal. There is one other write command, which must be used with great care: write erase. It clears the configuration stored in flash, so the PIX comes up with defaults on the next reload and can be reconfigured from scratch.
Copy
The copy command is the corresponding way of managing images. The most common use is the copy tftp form, for example:

copy tftp[:[[//location][/tftp_pathname]]] flash[:[image | pdm]]

Most of the copy parameters are self-explanatory: they specify the location and filename on the TFTP server and, as previously mentioned, can be preset with the tftp-server command. The keyword flash indicates that the file is being stored to flash. The file can be a conventional image, in which case it is used on the next reload, or a PDM image, in which case it is available immediately. Images can also be downloaded from a Web server over conventional HTTP or over SSL, with the following command:

copy http[s]://[user:password@]location[:port]/http_pathname flash[:[image | pdm]]
The first part is standard URL notation: http for clear-text Web access or https for SSL. The user:password@location portion encodes the user information; in a Web browser this is where a pop-up dialogue would request a username and password. Because the PIX has no pop-up, you specify them on the command line before the @ sign. If the Web server runs on a nonstandard port, you can also specify that by putting the port after a colon, similar to this:

copy http://fwadmin:[email protected]:99/pix_image flash

This is convenient if you do not have a TFTP server handy and can store the image files on a Web server. Prefer https: over plain http the credentials travel in clear text and the image can be altered in transit, and compare the downloaded image against the checksum Cisco publishes before you reload onto it.
Show
The show command is one of the most used commands, since this is how we see what version of PIX hardware and code we have, how the interfaces are configured, what IP addresses are used, how much CPU is being used, and more. The show command is available in both user mode and enable mode. The following example shows the few show commands available in user mode:

PIX1> show ?
  checksum        Display configuration information cryptochecksum
  curpriv         Display current privilege level
  flash:          Display information about flash: file system
  history         Display the session command history
  running-config  Show current operating configuration
  version         Display system software version
In enable mode many more commands are available. Some of the most common uses of the show command are shown in the following example:

PIX1# show config
: Saved
: Written by enable_15 at 20:07:18.845 PST Sun Mar 20 2005
ip address 172.16.1.50 255.255.255.0
::: truncated for clarity :::

PIX1# show ip
System IP Addresses:
Interface   Name     IP address      Subnet mask      Method
Ethernet0   Outside  192.168.0.254   255.255.255.0    CONFIG
Ethernet1   inside   172.16.1.50     255.255.255.0    CONFIG
Ethernet2   DMZ      10.0.0.254      255.255.255.0    CONFIG
Current IP Addresses:
Interface   Name     IP address      Subnet mask      Method
Ethernet0   Outside  192.168.0.254   255.255.255.0    CONFIG
Ethernet1   inside   172.16.1.50     255.255.255.0    CONFIG
Ethernet2   DMZ      10.0.0.254      255.255.255.0    CONFIG

PIX1# show xlate
0 in use, 0 most used

PIX1# show version
Cisco PIX Security Appliance Software Version 7.0(0)102
Device Manager Version 5.0(0)73

Compiled on Sun 20-Feb-05 00:40 by builders
System image file is "flash:/image2.bin"
Config file at boot was "startup-config"
The various show commands allow us to view certain aspects and operations of the PIX firewall.To see all of the options, just type show ? and then you can page through the options.
The configure Command
The configure command clears configurations, configures from flash, configures from the network, and resets to factory defaults, and clear configure can target the primary or secondary (failover) unit's configuration. The configure terminal form (config t) is the one that puts you in configuration mode; the other configure forms run from privileged mode, while clear configure is itself a configuration-mode command. In the following example we see the options we can use:

configure [terminal|floppy|memory]
configure http[s]://[<user>:<password>@]<location>[:<port>]/<pathname>
configure net [<server_ip>]:[<pathname>]
configure factory-default [<ip_address> [<mask>]]
clear configure [primary|secondary|all]
Initializing Images
There will always be a time when it is just easier to whack the existing configuration and start over. Or you are upgrading and need to remove an existing configuration before the vultures on eBay get their hands on the old PIX firewall. Or you made a change to the configuration, now need to back it out, have lost access to the PIX, and hopefully did not save the configuration to flash just yet. This section addresses the need to either reload or remove an existing configuration.

Powercycle
Generally, after installing a new image, you will want the PIX to reboot and use the new image. Similarly, it is sometimes helpful to restore the configuration to what is stored in flash, for example when you have been exploring commands and have gotten the running configuration into an uncertain state. You can always power-cycle the device: it has no moving parts, the saved configuration and images are in flash, and whatever was in the running configuration but never written to memory is simply discarded. There is a better way, however: the reload command.
Reload
You can restart the PIX gracefully using the reload command. It prompts you to verify that you really want to reboot the PIX firewall. The reload command can be executed only from privileged mode:

pix1# reload
Proceed with reload? [confirm]
At this point, there is a brief pause while the PIX reboots, and then you will be working under the new system. Note: If you want to bypass pressing the second carriage return, you can type reload noconfirm, but when you are executing a potentially dangerous command such as a reboot, it is generally good to have an “Are you really sure you want to do this?” checkpoint.
Factory Default Configurations
The factory default configuration is very pared down compared with that of pre-7.0 releases. The interfaces are shut down, are not named or addressed, and have no security levels assigned. The default password for Telnet and for administrative (enable) mode is blank. Application inspection is enabled for several common protocols, using a combination of class-maps and policy-maps. The following example shows the default configuration on an unconfigured PIX 525:

PIX Version 7.0(1)
names
!
interface Ethernet0
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Ethernet1
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Ethernet2
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Ethernet3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Ethernet4
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Ethernet5
 shutdown
 no nameif
 no security-level
 no ip address
!
class-map inspection_default
 match default-inspection-traffic
!
policy-map global_policy
 class inspection_default
  inspect dns maximum-length 512
  inspect ftp
Cryptochecksum:d41d8cd98f00b204e9800998ecf8427e
: end
To reset the configuration to this default condition on the 515 and 515E, use the configure factory-default command. This command is not supported on the 525 or 535; when we attempt it on our 525, it fails as shown:

PIX1(config)# configure factory-default
'config factory-default' is not supported on PIX-525
NOTE In order to use the new ASDM with the Cisco PIX 515 and 7.0 code, you must have a license for DES or 3DES.
Cisco Catalyst 6500 Series Firewall Services Module
The Cisco FWSM may be based on the Cisco PIX design, but it is a very different breed from the traditional PIX. With the FWSM installed in a Cisco 6500, the switch must be configured before the module can be accessed for configuration. Once the switch is configured, Telnet or SSH to the switch and use the session command to access the FWSM. The default password for the FWSM is cisco, which you should change as soon as possible. Once you have logged into the FWSM, enter administrative mode by typing enable. The initial enable password is blank; pressing the Enter key is sufficient, and it too should be set before the module goes into service. To start configuring the FWSM, use the config t command, which takes you to configuration mode.
IP Version 6 (IPv6)
In version 7.0, Cisco introduces support for IP version 6. This is good news, as the exhaustion of the IP version 4 address space has been predicted and anticipated for many years. Before we delve into configuration of IPv6 on the PIX, we need to review IPv6 addresses. Although 32 bits of address space were originally thought to be "more than enough," time and growth have proved this not to be the case. Additionally, IPv4 suffers from a lack of hierarchical structure: although addresses may be sequentially allocated and summarized, the allocation was not designed around routing aggregation. The designers of IPv6 worked to ensure that the same issues would not recur, by specifically addressing each of them, and the members of the Internet community responsible for developing the protocol carefully scrutinized each new Request for Comments (RFC) penned for IP. In this section we cover IP version 6, which was developed to overcome the exhaustion of IPv4 addresses and to improve on IPv4 in general.
IPv4 vs. IPv6
IPv6 eases the network administrator's burden in that Aggregatable Global Unicast addresses (discussed later) do not require translation when used to access external networks such as the Internet. In IPv4, private address spaces are used when global addresses are unavailable, and these private addresses must be translated to a limited set of global addresses when accessing external networks; IPv4 address translation schemes include Network Address Translation (NAT) and Port Address Translation (PAT). IPv6 virtually eliminates the need for address translation as a means of accessing external networks. Note that this also removes the incidental shielding NAT provided: every IPv6 host has a globally routable address, so its reachability from outside is governed entirely by the firewall's security levels and access lists. Table 2.6 illustrates the reduced address administration burden placed upon IPv6 network administrators.
Header Comparison
Five fields are eliminated, including the variable-length IPv4 options field. Removing the variable-length field and the others lets the IPv6 header be a fixed 40 bytes long. A comparison of the two header types is summarized in Table 2.7.
Table 2.7 Header Comparison

Header                 IPv4          IPv6
Header format          Variable      Fixed
Header fields          13            8
Header length          20-60 bytes   40 bytes
Address length         32 bits       128 bits
Header checksum        Yes           No
Fragmentation fields   Yes           No
Extension headers      No            Yes
To provide for additional options, IPv6 defines the following extension headers, which carry the information needed for particular operations:

■ Hop-by-Hop Options header
■ Destination Options header
■ Routing header
■ Fragment header
■ Authentication header
■ Encapsulating Security Payload header
IPv6 Addresses
IPv6 splits its address space into a set of definite scopes, or boundaries, by which addresses are delegated. The Format Prefix, the leading bits of the address, shows whether an address is an aggregatable global unicast address (also called globally routable unicast, or GRU) or another type of address; for aggregatable global unicast addresses it is always 001. This allows a router to quickly discern what type of IPv6 packet it has received and so send it to its next hop or final destination more efficiently. Two fields, the TLA ID and the NLA ID, are key to understanding IPv6's support for an aggregatable addressing hierarchy. The Top-Level Aggregation Identifier (TLA ID) designates a large block of addresses from which smaller blocks are allocated to downstream networks. This makes address assignment more structured and eases routing burdens. IPv6 global addresses are assigned to service providers or TLA organizations, which in turn allocate addressing space to the Next-Level Aggregation (NLA) organizations. This hierarchical method of allocating address space encourages aggregation, which reduces the size of core routing tables.

The Next-Level Aggregation Identifier (NLA ID) address block is a block of addresses assigned downstream out of a TLA block. These addresses are aggregated as much as possible into the larger TLA blocks when they are exchanged between providers in the Internet core, which stabilizes routing through the network.

The Site-Level Aggregation Identifier (SLA ID) enjoys most of the benefits that an NLA does, except for its size: the SLA is usually a network or network provider that is much smaller. Unlike the TLA ID and the NLA ID, the SLA ID usually is not delegated to a downstream organization with a preassigned value; it lets an organization define its own local subnets and addressing hierarchy, so a smaller delegation of address space is needed. It retains the value of aggregation in that its routing tables are kept small, even when receiving a full Internet routing table from its upstream provider, and it benefits from global route stability because its upstream provider, whether an NLA or a TLA, aggregates according to the IPv6 aggregation model. The 16 bits provided by the SLA ID for subnet identifiers can support 65,536 subnets, enough for all but the largest organizations. To support even larger networks, a downstream organization may request that a lower-order portion of the NLA ID be delegated. RFC 3587 has since replaced the TLA/NLA/SLA field names with a generic 48-bit global routing prefix, a 16-bit subnet ID (the former SLA ID) and a 64-bit interface ID; the aggregation model described here is unchanged, only the names of the fields are.

The IPv6 architecture provides advantages in network performance and scalability. These advantages include:
■ Reduced Address Translation Overhead: Address translation to overcome address space limitations is unnecessary.
■ Reduced Routing Overhead: IPv6 addresses are allocated via service providers to encourage an addressing hierarchy that reduces routing overhead.
■ Increased Route Stability: A single provider can aggregate the routes of many networks and allow route flapping to be isolated to that provider's network. Routing changes need only be advertised between peer routers in a provider's network.
■ Reduced Broadcasts: IPv6 uses Neighbor Discovery, a multicast-based protocol, to resolve link-layer addresses and to perform autoconfiguration, functions that ARP and broadcasts provide in IPv4.
■ Scoped Multicasts: In IPv6, a multicast address contains a scope field that can restrict multicast packets to the node, the link, or the organization.
■ Streamlined Header: The IPv6 header has only eight fixed-length fields. To implement extended functions, extension headers can be used that need not be examined by intermediate routers. This streamlined header architecture lowers network overhead.
■ No Intermediate Node Fragmentation: Only the source node performs packet fragmentation. To assist the source node, IPv6 provides a Path MTU Discovery function to determine the MTU for the path from source to destination.
■ No Header Checksum: IPv6 eliminates the header checksum field. Although this may allow corrupted packets to be forwarded, the reliability of current links reduces that probability, and checksum verification is already performed end to end by upper-layer protocols such as TCP and UDP (the UDP checksum, optional in IPv4, is mandatory in IPv6 for this reason). Checksum processing is thus solely the responsibility of the source and destination, which reduces per-hop work in the network.
■ Mandatory IPsec Support: IPsec was an optional addition to IPv4; in IPv6 every implementation is required to include it. This makes IPsec available everywhere, not automatically in use: traffic is protected only where a security policy is configured. Having it as an integral part of the IP architecture should nonetheless make network security easier to implement overall.
■ Support of IPv4: IPv6 supports tunneling of the older IPv4 protocol over IPv6 links, and IPv6 over IPv4 links, to maintain backward compatibility. This allows legacy networks to attach to and utilize IPv6 as they transition.
■ QoS Support: IPv6 offers support for Quality of Service (QoS) for multimedia and other applications that require it.
IPv6 Address Space
The 128 bits that IPv6 has available for addressing (2^128 addresses) are used differently depending on the address format and type. For example, Globally Routable Unicast (GRU) addresses set the first three bits (the Format Prefix) to 001. This leaves 125 bits (2^125 addresses) before the GRU address space is depleted. The IPv6 Aggregatable Global Unicast address is 128 bits long and is composed of a subnet prefix and an interface identifier. The first 64 bits are used for network numbering and the last 64 bits for host numbering. When the interface identifier is derived from a 48-bit MAC address, the MAC supplies 48 of those 64 bits and the remaining 16 are filled in by the EUI-64 expansion described below. The format is shown in Figure 2.13.
The subnet prefix is the network number assigned to the link. The interface identifier is derived from the node's Media Access Control (MAC) address. IPv6 uses the last 64 bits of the address to distinguish hosts from one another on the same subnet; regardless of the address format, the last 64 bits on a device remain the same. During IPv6 address autoconfiguration, the host node supplies its own interface ID from MAC components such as network cards and learns a subnet prefix from the local router or a DHCPv6 server. Current MAC addresses are only 48 bits long, so each one is expanded to a 64-bit value: the IEEE EUI-64 format inserts the 16-bit pattern FFFE between the upper 24 bits (the vendor part) and the lower 24 bits of the MAC address, and IPv6 then inverts the universal/local bit (bit 7 of the first byte) to form the modified EUI-64 interface identifier. Because that identifier is constant and derived from hardware, it also lets a host be tracked as it moves between networks; privacy extensions that generate random interface identifiers exist for that reason.

IPv6 addresses are classified as unicast, multicast, or anycast addresses. The IPv6 address space utilizes a 128-bit format that consists of an eight-part hex address separated by colons (:). Each part of the IPv6 address represents 16 bits, thus providing a theoretical address space of 340,282,366,920,938,463,463,374,607,431,768,211,456 addresses. Because IPv6 has reserved addresses, the total assignable address space is smaller than this. The size and scope of the IPv6 address space enables allocation of addresses in a more hierarchical fashion than IPv4, which in turn enables independent customers of service providers to obtain and deploy globally routable addresses within their environments. The IPv6 address space provides more than enough room to assign public IPv6 addresses to all entities that require global routing over the Internet.
The Fundamentals of IPv6 Addresses
IPv6 uses hexadecimal notation, a fundamental change from the dotted decimal notation used in IPv4 addressing. Using dotted decimal notation to express an address space the size of IPv6's would be complex and cumbersome: an IPv6 address is four times as long as an IPv4 address, so the familiar four-octet string would have to grow to sixteen octets, and addresses would appear as 15.25.35.45.55.65.75.85.95.105.115.125.135.145.155.165, which would make remembering IP addresses very difficult. Hexadecimal notation expresses each octet in two hex digits and each 16-bit group in four. Conversion from decimal to hexadecimal and vice versa is a necessary evil for anyone considering IPv6, especially if IPv4 addresses are incorporated into the IPv6 address. Table 2.8 depicts decimal to hexadecimal equivalents and is useful when converting smaller numbers.
Table 2.8 Decimal to Hexadecimal Equivalents
Decimal Notation   Hex Notation
0                  0
1                  1
2                  2
3                  3
4                  4
5                  5
6                  6
7                  7
8                  8
9                  9
10                 a
11                 b
12                 c
13                 d
14                 e
15                 f
How are hexadecimal numbers used within the IPv6 addressing architecture? RFC 3513 defines the IPv6 addressing architecture, and Cisco requires that all IPv6 addressing comply with it. Although hexadecimal notation reduces the number of digits needed to express a value, an IPv6 address is much longer than an IPv4 address simply because of the amount of address space. As previously discussed, IPv6 addresses use a 128-bit format consisting of eight hexadecimal fields separated by colons (:). Expressed another way, there are eight 16-bit values separated by colons, shown generically below, where each X is a 16-bit field written as up to four hexadecimal digits:
X:X:X:X:X:X:X:X
Therefore, an IPv6 address is expressed as follows: ADBF:0:FEEA:0:0:00EA:00AC:DEED (or ADBF:0000:FEEA:0000:0000:00EA:00AC:DEED)
IPv6 provides two ways to shorten the written form of an address. The first is omitting the leading zeroes within each field, and the second is replacing one run of consecutive all-zero fields with a double colon (::). Using these, the preceding address can be shortened considerably. Omitting the leading zeroes gives ADBF:0:FEEA:0:0:EA:AC:DEED. Applying the double colon as well gives ADBF:0:FEEA::EA:AC:DEED. The double colon may appear only once in an address, because the reader restores the missing fields by counting the fields that are present; a second :: would make that expansion ambiguous. Besides replacing zero fields in the middle of an address, the double colon can stand for leading or trailing zero fields.
With a few minor differences, configuring IPv6 is the same as configuring IPv4, only with much longer addresses. Version 7.0 supports dual-stack configurations, so the transition to IPv6 is eased: both address versions can run at the same time. The following PIX 7.0 commands display IPv6 information: capture, configure, copy, http, name, object-group, ping, show conn, show local-host, show tcpstat, ssh, telnet, tftp-server, who, and write. These commands were modified to support IPv6: debug, fragment, ip verify, mtu, and icmp. Without inspection engines that understand IPv6, the PIX would be of little use on IPv6 traffic, so Cisco provided IPv6 support in the following inspection engines: FTP, HTTP, ICMP, SMTP, TCP, and UDP.
The easiest way to configure a Cisco PIX firewall interface for IPv6 is like this (ethernet1 is the interface named inside in this configuration):
PIX1(config)# interface ethernet 1
PIX1(config-if)# ipv6 address autoconfig
Note that autoconfig makes the firewall derive its global address from router advertisements it hears on that interface, so any host on the segment that can send a router advertisement can influence the firewall's addressing. On a security boundary, prefer a static address (ipv6 address with an explicit prefix and length on the interface) and use autoconfig only in a lab.
To see our new IPv6 configuration, we use our old friend, the show command, like this:
PIX1(config-if)# show ipv6 interface inside
inside is up, line protocol is up
  IPv6 is enabled, link-local address is fe80::212:7fff:fecb:20b3
  No global unicast address is configured
  Joined group address(es):
    ff02::1
    ff02::2
    ff02::1:ffcb:20b3
  ICMP error messages limited to one every 100 milliseconds
  ICMP redirects are enabled
  ND DAD is enabled, number of DAD attempts: 1
  ND reachable time is 30000 milliseconds
  ND advertised reachable time is 0 milliseconds
  ND advertised retransmit interval is 1000 milliseconds
  ND router advertisements are sent every 200 seconds
  ND router advertisements live for 1800 seconds
  Hosts use stateless autoconfig for addresses.
The output shows that IPv6 is enabled and that the interface already has a link-local address, fe80::212:7fff:fecb:20b3, derived from the interface MAC address by the EUI-64 rule. No global unicast address exists yet because autoconfig waits for a router advertisement. The interface has joined ff02::1 (all nodes), ff02::2 (all routers, because the PIX itself sends router advertisements), and its own solicited-node group ff02::1:ffcb:20b3, which carries the low 24 bits of its address.
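The two compression rules and the EUI-64 derivation described above, as an added Python example that is not code from the book: it expands any legal textual IPv6 address into its eight fields, compresses it back the way the chapter shows, builds the link-local address the PIX displays from an interface MAC, and computes the solicited-node multicast group seen in the show output. The MAC address 0012.7fcb.20b3 is inferred from the link-local address in the show output; the book never prints it.

```python
"""Added example (not from the book): IPv6 text forms and EUI-64 link-local addresses.
The MAC 0012.7fcb.20b3 is inferred from the show output's link-local address."""
import re
from typing import List


def _split_fields(part: str) -> List[str]:
    """Split one side of '::' into fields, rejecting empty fields such as in 'a::b:'."""
    if part == "":
        return []
    fields = part.split(":")
    if "" in fields:
        raise ValueError(f"empty field in {part!r}")
    return fields


def expand_ipv6(text: str) -> List[int]:
    """Return the eight 16-bit fields of an IPv6 address written in any legal form."""
    if text.count("::") > 1:
        raise ValueError("'::' may appear only once")
    if "::" in text:
        head, tail = text.split("::")
        head_f, tail_f = _split_fields(head), _split_fields(tail)
        missing = 8 - len(head_f) - len(tail_f)
        if missing < 1:
            raise ValueError("'::' must stand for at least one zero field")
        fields = head_f + ["0"] * missing + tail_f
    else:
        fields = _split_fields(text)
    if len(fields) != 8:
        raise ValueError(f"expected 8 fields, got {len(fields)}")
    if not all(re.fullmatch(r"[0-9A-Fa-f]{1,4}", f) for f in fields):
        raise ValueError("fields must be 1-4 hex digits")
    return [int(f, 16) for f in fields]


def compress_ipv6(fields: List[int]) -> str:
    """Drop leading zeros in every field and replace the longest run (two or more)
    of all-zero fields with '::', choosing the leftmost run on a tie (RFC 5952 style)."""
    best_start, best_len = -1, 0
    i = 0
    while i < 8:
        if fields[i] != 0:
            i += 1
            continue
        j = i
        while j < 8 and fields[j] == 0:
            j += 1
        if j - i >= 2 and j - i > best_len:
            best_start, best_len = i, j - i
        i = j
    hexs = [format(v, "x") for v in fields]
    if best_len == 0:
        return ":".join(hexs)
    return ":".join(hexs[:best_start]) + "::" + ":".join(hexs[best_start + best_len:])


def mac_to_link_local(mac: str) -> str:
    """EUI-64 link-local address: insert ff:fe in the middle of the 48-bit MAC,
    flip the universal/local bit of the first octet, and prefix with fe80::/64."""
    octets = bytes.fromhex(re.sub(r"[^0-9A-Fa-f]", "", mac))
    if len(octets) != 6:
        raise ValueError("MAC must be 48 bits")
    iid = bytearray(octets[:3] + b"\xff\xfe" + octets[3:])
    iid[0] ^= 0x02
    fields = [0xFE80, 0, 0, 0] + [int.from_bytes(iid[k:k + 2], "big") for k in range(0, 8, 2)]
    return compress_ipv6(fields)


def solicited_node(text: str) -> str:
    """The ff02::1:ffXX:XXXX group an interface joins for each of its addresses:
    the low 24 bits of the address behind the prefix ff02::1:ff00:0/104."""
    f = expand_ipv6(text)
    return compress_ipv6([0xFF02, 0, 0, 0, 0, 1, 0xFF00 | (f[6] & 0xFF), f[7]])


if __name__ == "__main__":
    print(compress_ipv6(expand_ipv6("ADBF:0000:FEEA:0000:0000:00EA:00AC:DEED")))
    ll = mac_to_link_local("0012.7fcb.20b3")
    print(ll, solicited_node(ll))
```

Run as a script it prints the chapter's compressed address and the same link-local and solicited-node addresses the show ipv6 interface output lists. The single-:: rule is enforced in expand_ipv6 because that is what makes the expansion unambiguous.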
Summary
The PIX is a dedicated firewall appliance with a special-purpose, hardened operating system. The simplified kernel and reduced command structure (compared with firewalls based on general-purpose operating systems) mean that, all other things being equal, the PIX will have higher throughput and lower maintenance costs than a general-purpose device. The similarity to IOS gives an edge to security administrators who are familiar with the Cisco environment.
The PIX is a hybrid firewall that performs stateful packet filtering and uses proxies for specific applications. The stateful packet filter is known as the Adaptive Security Algorithm, or ASA. ASA uses two databases, a table of translations and a table of known connections, to maintain the state of traffic transiting the network and to dynamically allow packets through the filter. The ASA inspects packet header information, including source address, destination address, and TCP and UDP socket information, as well as packet contents for certain protocols, to make intelligent decisions about passing packets. ASA has additional features: as part of its inspection engines, it will rewrite packets where necessary for protocols that are well understood. About a dozen inspection engines are associated with the PIX. Some, such as the FTP inspection engine, augment the ASA process by permitting the packets associated with an allowed communication: whereas the command channel follows the normal three-way handshake initiated by the client and directed at a well-known port, the data channel of active-mode FTP has its handshake initiated by the server (in the opposite direction of the usual security policy) and directed at a port negotiated during the transaction. Others, such as the SMTP inspection engine, enforce a limited subset of protocol commands and provide additional protection for potentially buggy applications.
Still others, such as the multimedia inspection engines, provide the intelligence to extract IP addresses from the body of the packets and handle the complex rewriting and authorization for these interrelated protocols. In addition to its native packet-filtering and access control features, the PIX provides additional common firewall services. Again, a key advantage of an appliance is performance, and the PIX makes an excellent VPN terminator, with the ability to pass encrypted traffic at wire speed, when an accelerator card is installed. It can provide content logging and filtering to help control Web surfing and provides address translation to allow for either “sewing together” networks seamlessly at the perimeter or consolidating (and concealing) internal networks to present to the outside world a limited number of addresses. Modern environments depend on firewalls, and so the PIX provides high resiliency through its failover mechanism.This mechanism provides for a hot spare—a second PIX with an equivalent configuration that will automatically press itself into service should the primary device fail.This flexibility can be the traditional failover where one PIX works and the other waits, or you can configure the Active/Active Failover where both PIX firewalls are live and sharing the load while watching for failure. The PIX’s extensive capabilities are matched by hardware flexibility. As of this writing, five different models are shipping, designed to match almost any environment.The PIX 501 is designed for the SOHO user, with a small switch built in for basic use.The PIX 506E,
designed for the small or branch office, supports better performance for connecting back to the corporate hub. The PIX 515E is designed for the enterprise core of small- to medium-sized businesses, with a rack-mount chassis and corresponding enterprise-class performance. The PIX 525 is designed for large enterprise or small service provider environments and has a slot-based configuration to allow for multiple interface configurations. The PIX 535 is the top-of-the-line model, designed for service provider environments, with the best throughput of the PIX appliances. The newest PIX is the FWSM blade, a true enterprise PIX with a 6 Gb Ethernet 802.1q trunk connecting the firewall to the switch or router backplane.
Communicating with an unconfigured PIX is most easily achieved through the console cable, which is provided with each firewall kit. Use a communications program such as HyperTerminal, set your parameters to 9600 baud, 8-N-1, and during the boot sequence you will see characters on your screen.
Licensing for PIX features is set via an activation key. You should have received information about your activation key when you purchased the PIX; additional features can be purchased and new activation keys applied. Activation keys are tied to a (hardware) serial number derived from your flash. You can add new keys through either monitor mode or the activation-key command. Licensing usually falls into three types: unrestricted (all features enabled), restricted (limited features and interfaces), or failover (used for hot standby machines).
Password recovery is achieved by running a special program (different for each version of the operating system) on the PIX itself. The process requires either a dedicated boot diskette or the use of monitor mode and a TFTP download of a temporary image.
The normal configuration of the PIX is achieved through a command-line interface.
This interface uses the emacs editing commands and is very similar to that provided in the Cisco IOS.The command structure is modal, with three major modes: unprivileged, which has very few available commands; privileged, where all commands are available (subject to your privilege level, which can be set in a local database); and configuration mode, by which changes are made to the running configuration. Things that you will want to set up in every configuration include host and domain name, which configures the prompt and controls fields in the digital certificates used in VPN traffic, and the properties of the interfaces.You control a name—an association between a distinctive identifier for the interface and its default security characteristics—physical properties, and IP properties.You will also probably want to set up some basic routing, particularly the default route. Passwords on any security device are very important.There are passwords for access to the device (unprivileged mode) and for escalation to privileged mode.They can be shared passwords, one per box, or passwords on a per-user basis. Cisco recommends the latter method, which requires setting up AAA services, either remote or local. Managing configuration information is also important. Once you have built the perfect configuration, you do not want to have to retype it all in case of an emergency. Configurations can be stored in human-readable format via an ASCII capture (via write terminal) or as a text file on a TFTP server (via write net). Images can also be brought onto the
system with the copy command, either from a TFTP server (copy tftp) or from a Web server URL (copy https://servername/pix_image flash). The system can then be restarted with the reload command and is ready to run under the new image. With 7.0 code you can also keep multiple copies of the configuration in flash, so you can roll back from a faulty configuration.
Solutions Fast Track
PIX Firewall Features
■ The Cisco PIX is a stateful inspection firewall that uses the Adaptive Security Algorithm (ASA).
■ The Cisco PIX uses a custom embedded operating system, which is contained within the system flash memory and has been tested for both ICSA and ISO compliance.
■ By default, traffic can flow from a higher security level to a lower security level. This allows traffic to leave the inside network (level 100) for the outside network (level 0) without restriction, but traffic arriving on the outside interface is blocked.
■ The Cisco PIX firewall offers both Network Address Translation (NAT) and Port Address Translation (PAT).
■ Cisco offers the PIX firewall both with and without a DMZ port. The PIX 515 and higher models support two or more interfaces; enterprise-level models such as the 535 can have up to 10 interfaces.
■ With the 7.0 code, configuring the Cisco PIX is much more like configuring a Cisco router, so skills transfer more easily between the two.
■ The Cisco PIX offers virtual firewalls called security contexts.
■ The Cisco PIX offers IPv6 support.
■ The Cisco PIX offers Active/Active failover, where both PIX firewalls pass traffic while guarding against the failure of the other.
■ The Cisco PIX offers the OSPF routing protocol over VPN connections.
PIX Software Licensing and Upgrades
■ The Cisco PIX uses licensing to make features available on the PIX, such as the user count or 3DES.
■ The Cisco FWSM does not use licensing like the traditional PIX firewall.
■ The traditional method of upgrading the PIX software image is TFTP, but with the 7.0 code base you can also use SCP (Secure Copy) over SSH to transfer configurations and images.
■ Failover, including Active/Active, requires an unrestricted license on the primary unit; the failover license is for the standby unit.
■ The restricted license does not support security contexts.
■ The minimum RAM for a 515E is 64 MB with a restricted license and 128 MB with an unrestricted license.
■ The minimum RAM for a 525 is 128 MB with a restricted license and 512 MB with an unrestricted license.
■ The minimum RAM for a 535 is 512 MB with a restricted license and 1024 MB with an unrestricted license.
Command-Line Interface
■ The command-line interface is the preferred method of configuring the Cisco PIX and is the only way to initially configure the 525 and 535 PIX firewalls in their default state.
■ The Cisco PIX firewall has four administrative access modes on the command line: unprivileged mode, privileged mode, configuration mode, and monitor mode.
■ There are seven basic commands used to configure a Cisco PIX firewall: nameif, interface, ip address, security-level, nat, global, and route.
■ The command-line interface can be used to pull up detailed information on the status of the Cisco PIX: interfaces, translations (xlate), CPU, memory, packets, and more.
■ The command-line interface is one method of managing the Cisco PIX and can accomplish some tasks that the GUI cannot.
Frequently Asked Questions The following Frequently Asked Questions, answered by the authors of this book, are designed to both measure your understanding of the concepts presented in this chapter and to assist you with real-life implementation of these concepts. To have your questions about this chapter answered by the author, browse to www.syngress.com/solutions and click on the “Ask the Author” form. You will also gain access to thousands of other FAQs at ITFAQnet.com.
Q: How do I recover my password from my Cisco PIX firewall? A: The password recovery for the Cisco PIX requires you to download a program from Cisco for the exact PIX firewall you are recovering the password from.This program will be used either from a floppy drive on the older PIX firewalls like the 520 or from a TFTP server on newer PIX firewalls.You will need to press the ESC key within 10 seconds of booting the PIX.You will configure the interface, address, and TFTP server in monitor mode.You will also configure a gateway and the filename of the recovery tool.You will use the tftp command to start downloading the tool and you will be prompted to erase the passwords.
Q: What are the Cisco default passwords?
A: The default Telnet password is cisco and the enable password is blank. Change both during initial setup, before the firewall is reachable from any network; until then, anyone who can reach the console or a Telnet-enabled interface owns the device.
Q: What is the default IP address for my Cisco PIX firewall?
A: For the Cisco PIX 501, 506, 506E, and 515, the default IP address on the inside interface is 192.168.1.1, and the outside interface is configured to obtain its address via DHCP from the ISP.
Q: How do I clear an existing configuration so I can start over?
A: For the PIX 501 and 506, you can use the configure factory-default command, which puts the PIX back to factory specifications, including the IP addresses. You can also clear the running configuration and then issue write memory to blank the startup configuration. A final option is to use the clear all command.
Q: How do I upgrade my old Cisco PIX to 7.0 code? A: For the PIX 501 and 506, the word is sorry, you cannot upgrade to 7.0 yet. For the owners of the 515E, 525 and 535, you have to first upgrade to 6.3 from whatever version you are on and then you can upgrade to 7.0.
Q: Does the 7.0 code on the Cisco PIX support IPv6?
A: Yes. One of the features of the 7.0 code is that you can configure IPv6 either by enabling IPv6 processing or by explicitly assigning an IPv6 address. To enable IPv6 processing on an interface, use the ipv6 enable command. To give an interface an IPv6 address, use the ipv6 address autoconfig command (or ipv6 address with an explicit address and prefix length for a static assignment).
Chapter 3
PIX Firewall Operations
Solutions in this chapter:
■ Security Contexts
■ The Bare Minimum: Outbound Traffic
■ Opening Your Network: Allowing Inbound Traffic
■ Outbound ACLs (New)
■ Time-Based ACLs (New)
■ NAT Control (New)
■ Bypassing NAT
■ Policy NAT
■ Object Grouping
Summary
Solutions Fast Track
Frequently Asked Questions
Introduction
Once the Cisco PIX firewall has been unboxed, plugged in, booted up, and configured with its initial system parameters, the first thing most security professionals want to do is configure it to pass traffic appropriately (i.e., according to the organization's security policy). A firewall would serve no purpose if it indiscriminately blocked all traffic. To properly protect a network environment, network traffic must be filtered in both the outbound and inbound directions. The key to configuring a firewall is to permit only the traffic you want and block the traffic you do not want. This concept is easy to understand, but not always an easy task.
This chapter provides the basics needed to pass traffic through Cisco PIX firewalls. Perhaps the most important fundamental of passing traffic is address translation, of which there are two types: static and dynamic. Once translation has been configured, the PIX automatically allows all connections from a higher security interface to a lower security interface and denies all connections from a lower security interface to a higher security interface. To configure more granular access, you permit or deny specific traffic using access lists. The decisions to permit or deny specific traffic compose the firewall rules, typically in the form of access lists. Whether you are configuring rules for outbound or inbound traffic, the process is generally the same:
1. Configure address translation.
2. Define an access list and apply it to an interface.
You must ensure that users can access the required network services through the firewall. You must also ensure that external services are available to one or more communities of users. While the process for filtering inbound and outbound traffic is the same, the task details differ. The Cisco PIX firewall offers several features that are valuable in managing traffic, including:
■ Object grouping, which simplifies access list configuration and maintenance
■ TurboACLs
■ Time-based ACLs
■ Access list logging
■ Enabling/disabling ACL entries
■ NAT control
■ Policy NAT
Throughout the chapter, we provide examples to describe the various commands. We also include a complex case study to reinforce concepts.
Security Contexts
Have you ever wished you could clone your Cisco PIX firewall? Ever needed two very different security policies in place on your network, say one for the finance folks (very restricted) and one for the IT folks (anything goes)? Well, Cisco has listened, and for version 7.0 implemented something called security contexts. Each security context has its own security policy, interfaces, and supported features. Not all PIX firewall features are supported in security contexts; those not available when you have multiple security contexts include:
■ Dynamic routing protocols
■ VPN
■ Multicast
When you convert a PIX from single context mode to multiple context mode, a new file called admin.cfg is created on the built-in flash. This is the configuration of the default admin security context. You can store the configurations of multiple security contexts on the same flash, or you can have the PIX download them from the network using TFTP, FTP, or HTTP(S).
NOTE When converting from single security context mode to multiple security context mode, the original startup configuration is not saved, so always make a backup when working with security contexts. The running configuration is used to make the two new security context files.
Use the mode command to place the Cisco PIX firewall in multiple security context mode. Our options for the mode command are:
PIX1(config)# mode ?
configure mode commands/options:
  multiple   Multiple mode; mode with security contexts
  noconfirm  Do not prompt for confirmation
  single     Single mode; mode without security contexts
PIX1(config)#
To go from single mode to multiple mode:
PIX1(config)# mode multiple
WARNING: This command will change the behavior of the device
WARNING: This command will initiate a Reboot
Proceed with change mode? [confirm]
Convert the system configuration? [confirm]
!!
The old running configuration file will be written to flash
The admin context configuration will be written to flash
The new running configuration file was written to flash
Security context mode: multiple
***
*** --- SHUTDOWN NOW ---
***
*** Message to all terminals:
***
***   change mode
Rebooting...
When you confirm, the Cisco PIX reboots itself to enable the new mode. We can confirm the mode with the show command:
PIX1# show mode
Security context mode: multiple
PIX1#
To restore the Cisco PIX to single context mode, first copy the original single-mode configuration (the old_running.cfg that the conversion wrote to flash, or your own backup; you did make one, right?) over the startup configuration:
PIX1(config)# copy flash:old_running.cfg startup-config
Then set the mode back to single:
PIX1(config)# mode single
WARNING: This command will change the behavior of the device
WARNING: This command will initiate a Reboot
Proceed with change mode? [confirm]
The Bare Minimum: Outbound Traffic
After completing the initial configuration, a primary task is allowing outbound traffic (such as from inside to outside). Outbound connections are from a higher security interface (e.g., the organization's internal network) to a lower security interface (e.g., an external network such as the Internet). This requires either configuring address translation or explicitly disabling it. Once address translation is configured, by default, if no access lists or apply/outbound statements are applied, all outbound traffic is allowed. This is a primary feature of the Adaptive Security Algorithm (ASA) and is the reason why security levels are so critical. Since the PIX is stateful, when an outbound connection is initiated, return traffic that is part of an established connection is allowed from the lower security interface to the higher security interface. The specific approach for controlling outbound traffic consists of:
■ Configuring dynamic address translation.
■ Defining an access list and applying it to an interface on the PIX (optional).
NOTE With version 7.0, the requirement for address translation policies to be in place before allowing network traffic to flow from an inside host to an outside destination has been eliminated, thanks to the NAT Control feature. For new configurations (i.e., a new installation of a PIX using v7.0), the translation rules are not required, and NAT Control is automatically disabled via the no nat-control command. For upgraded configurations (i.e., existing PIX firewall being upgraded to v7.0), the translation rules are required to preserve the functionality already defined in the configuration, and NAT Control is automatically enabled via the nat-control command. Note that NAT Control is different from identity NAT (nat 0). See the sections titled “NAT Control,” “NAT Control (New),” and “Identity NAT.”
Configuring Dynamic Address Translation Address translation is the first requirement for passing outbound traffic. Address translation (through NAT and/or PAT) maps local IP addresses to global IP addresses. A local IP address is one from a network that is being protected by the PIX (e.g., your internal network), and is frequently a private, nonroutable IP address. A global IP address is one from a network on an outside interface of the PIX, and is frequently a public, routable IP address.The address translation configuration causes the PIX to translate the local IP address to the global IP address by making the appropriate substitution within the packet. Once NAT and/or PAT are configured, the PIX automatically allows traffic to traverse from a higher security interface to a lower security interface on the PIX firewall (also known as outbound connections). The PIX also permits any return traffic related to these outbound connections.
Configuration of NAT/PAT is a two-step process:
1. Use the nat command to identify the local addresses that will be translated.
2. Use the global command to define the global addresses to translate to.
NOTE Address translation records are known as translation slots (or xlates) and are stored in a table known as the translation table. To view the contents of this table, use the show xlate command. The xlate timer monitors the translation table and removes records that have been idle longer than the defined timeout. By default, this timeout is three hours; it is changed with the timeout xlate command and verified with the show running-config timeout xlate command.
The syntax of the nat command is as follows:
nat (real_ifc) nat_id real_ip [mask [dns] [outside] [[tcp] tcp_max_conns [emb_limit] [norandomseq]]] [udp udp_max_conns]
The keywords and parameters for the nat command are as follows.
The real_ifc parameter is the interface that is the source of the traffic to be translated. It must match the name given to the interface with the nameif command. If it is not specified, the inside interface is assumed.
The nat_id parameter is an integer between 0 and 65,535 that ties the local IP addresses (real_ip) identified by the nat command to the global IP addresses specified by a global command with the same id. The id 0 is special: it means the specified local addresses are not translated, so local and global addresses are the same.
The mask parameter is used with real_ip to specify the range of IP addresses to be translated. The optional dns keyword rewrites the addresses inside DNS responses using active entries in the translation table. The optional outside keyword allows addresses arriving on the lower security (outside) interface to be translated.
The optional tcp keyword introduces two TCP-related limits. tcp_max_conns is the maximum number of concurrent TCP connections allowed through this translation, and emb_limit is the maximum number of concurrent half-open (embryonic) TCP connections. The default for both is 0, meaning unlimited. A large number of half-open connections is the signature of a SYN-flood denial-of-service (DoS) attack, so setting emb_limit caps the damage a compromised or misbehaving host behind the firewall can do. By default, the PIX also randomizes the initial sequence numbers of the TCP connections it translates, which protects hosts with predictable sequence number generators. The optional norandomseq keyword disables this randomization, which can be necessary when translation happens twice in the path (for example, two PIX firewalls in series) and double randomization is not desired, or when a protocol such as BGP with TCP MD5 authentication signs the sequence numbers and would break if they were rewritten. The idle timeout of a translation is not a parameter of nat; it is set with the timeout xlate command and defines how long an entry may sit idle in the translation table.
The optional udp keyword configures one UDP-related parameter: udp_max_conns defines how many concurrent active UDP "connections" are allowed.
NOTE Because of its stateless nature, there is no such thing as a UDP “connection.” The PIX firewall is stateful, and can permit return traffic in response to a UDP datagram. The stateless nature of UDP is also the reason why there is not a corresponding emb_limit for the udp keyword as there was with the tcp keyword. There is no such thing as a UDP half-open connection.
Once you have identified the local addresses to be translated using the nat command, you then need to specify the global addresses to which the local addresses should be translated. Use the global command to accomplish this:
global (mapped_ifc) nat_id {mapped_ip [-mapped_ip] [netmask mapped_mask]} | interface
The mapped_ifc parameter defines the egress interface for outbound traffic; the default assumption is the outside interface. The nat_id parameter pairs one or more nat statements to a global statement. The mapped_ip parameter defines the global IP addresses for translation. If a single IP address is specified, port address translation is performed. If a range is specified (via mapped_ip), network address translation is used until no more global addresses are available. Once the global addresses pool is exhausted, port address translation is performed. The netmask keyword is associated with the mapped_ip range to specify the network mask.This determines the range of valid global addresses for the PIX to use, and ensures that the PIX does not use broadcast or network addresses in its translation. If the global IP address to be used is assigned to an interface (e.g., the outside interface of the PIX), the interface keyword can be used instead of the mapped_ip parameter to specify this. The use of the nat and global commands can be illustrated using an example organization.The fictitious Secure Corporation needs to network three locations and provide Internet access to its employees. It does not own any public IP addresses, and must use RFC 1918 private addresses for its internal networks. RFC 1918 addresses are not routable or usable on a public network such as the Internet. Secure Corporation is using private addresses because it does not want to re-address if it switches service providers. By using a private IP address scheme, the company can change public IP addresses whenever circumstances require, and all it will have to do is associate the new IP address range to the private IP addresses. Figure 3.1 shows the network layout. (Note: Even though it is a private address range, the 192.168.0.0/16 network is being used to represent the public IP address space in this chapter. Keep this in mind as you read the rest of the chapter.)
Figure 3.1 Network Address Translation (inside networks 172.16.1.0, 172.16.2.0, and 172.16.3.0 translated to the outside ranges 192.168.1.0, 192.168.2.0, and 192.168.3.0 toward the Internet)
Figure 3.1 shows that each location has been assigned a 24-bit network from a range specified in RFC 1918. These ranges are 172.16.1.0/24, 172.16.2.0/24, and 172.16.3.0/24, respectively. The service provider has allocated a 24-bit subnet (192.168.1.0, 192.168.2.0, and 192.168.3.0) to each location, which needs to be mapped to the corresponding private address range. The following configuration allows each node to have a unique public IP address dynamically mapped from a pool established for each location. Traffic to be translated is identified using the nat command and then mapped to a pool of public IP addresses defined by the global command.
PIX1(config)# nat (inside) 1 172.16.1.0 255.255.255.0
PIX1(config)# global 1 192.168.1.1-192.168.1.254 netmask 255.255.255.0
PIX1(config)# nat (inside) 2 172.16.2.0 255.255.255.0
PIX1(config)# global 2 192.168.2.1-192.168.2.254 netmask 255.255.255.0
PIX1(config)# nat (inside) 3 172.16.3.0 255.255.255.0
PIX1(config)# global 3 192.168.3.1-192.168.3.254 netmask 255.255.255.0
PIX1(config)# exit
PIX1# clear xlate
NOTE The clear xlate command is used to clear contents in the translation table. This command should be executed after any translation configuration changes are made; otherwise, there is a danger of stale entries sticking around in the translation table. However, note that this will also disconnect all current connections that use the translations.
Validate your configuration using the show running-config nat and show running-config global commands:
PIX1# show running-config nat
nat (inside) 1 192.168.1.0 255.255.255.0 0 0
nat (inside) 2 192.168.1.0 255.255.255.0 0 0
nat (inside) 3 192.168.1.0 255.255.255.0 0 0
PIX1# show running-config global
global (outside) 1 10.1.1.1-10.1.1.254 netmask 255.255.255.0
global (outside) 2 10.1.2.1-10.1.2.254 netmask 255.255.255.0
global (outside) 3 10.1.3.1-10.1.3.254 netmask 255.255.255.0
In this simple but unrealistic example, the provider allocated enough public addresses to allow one-to-one mappings between local and global addresses. What would happen if the provider did not allocate enough public addresses? Let’s modify our example so that the provider only gave Secure Corp. a single 24-bit public address range (10.1.1.0/24). Instead of separate global pools for each location, there is one global pool for all to share, meaning that PAT is needed. PAT allows many IP addresses to be translated to a single IP address by incorporating both the IP address and the source port. The configuration would be as follows:
PIX1(config)# nat (inside) 1 192.168.1.0 255.255.255.0
PIX1(config)# nat (inside) 1 192.168.2.0 255.255.255.0
PIX1(config)# nat (inside) 1 192.168.3.0 255.255.255.0
PIX1(config)# global (outside) 1 10.1.1.1-10.1.1.254 netmask 255.255.255.0
PIX1(config)# exit
PIX1# clear xlate
NOTE PAT works with DNS, FTP, HTTP, mail, RPC, RSH, Telnet, URL filtering, and outbound traceroute. PAT does not work with H.323, caching name servers, and PPTP.
To enable NAT on multiple interfaces, separate global commands are needed for each interface. The key is to use the same id on all the global commands; this permits one set of nat commands on the translated interface to map a private IP address to one of many different global address ranges, selected by the interface the packet exits. For example, the following commands configure the PIX to translate the 192.168.1.0/24 network to either a 10.1.1.0/24 address or PAT to the DMZ interface IP address, depending on the interface the packet was going to exit:
PIX1(config)# nat (inside) 1 192.168.1.0 255.255.255.0
PIX1(config)# global (outside) 1 10.1.1.1-10.1.1.254 netmask 255.255.255.0
PIX1(config)# global (dmz) 1 interface
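The nat/global behaviour described above (same id pairing, global chosen by egress interface, one-to-one addresses until the range is exhausted, then PAT on a single address or the interface address) modelled in Python as an added example; this is not the book's or Cisco's code, and the interface addresses, the two-address pool and the flows are constructed for the demo.

```python
"""Model of PIX dynamic nat/global translation (xlate) allocation.

Constructed example. PAT ports are handed out sequentially from 1024,
which is a simplification of the real appliance's port selection.
"""
import ipaddress
from itertools import count


class PixNat:
    def __init__(self, interface_ips):
        # interface name -> address used when a global statement says "interface"
        self.ifc_ip = {k: ipaddress.IPv4Address(v) for k, v in interface_ips.items()}
        self.nats = []        # (real_ifc, nat_id, IPv4Network), in configuration order
        self.globals = {}     # (mapped_ifc, nat_id) -> [address list, ...]
        self.xlates = {}      # (real_ifc, src_ip, mapped_ifc) -> one-to-one mapped address
        self.pat_xlates = {}  # (real_ifc, src_ip, src_port, mapped_ifc) -> (addr, port)
        self.pat_port = count(1024)

    def nat(self, real_ifc, nat_id, network, mask):
        # The mask is a standard netmask, as on the PIX (not an IOS wildcard).
        self.nats.append((real_ifc, nat_id, ipaddress.IPv4Network(f"{network}/{mask}")))

    def global_(self, mapped_ifc, nat_id, spec):
        """spec: 'lo-hi' (one-to-one range), 'a.b.c.d' (PAT address) or 'interface'."""
        if spec == "interface":
            addrs = [self.ifc_ip[mapped_ifc]]
        elif "-" in spec:
            lo, hi = (int(ipaddress.IPv4Address(a)) for a in spec.split("-"))
            addrs = [ipaddress.IPv4Address(i) for i in range(lo, hi + 1)]
        else:
            addrs = [ipaddress.IPv4Address(spec)]
        self.globals.setdefault((mapped_ifc, nat_id), []).append(addrs)

    def translate(self, real_ifc, src_ip, src_port, mapped_ifc):
        """Return (mapped_ip, mapped_port) for a flow leaving via mapped_ifc."""
        src = ipaddress.IPv4Address(src_ip)
        # The first nat statement on the ingress interface that covers the source wins.
        nat_id = next((n for ifc, n, net in self.nats
                       if ifc == real_ifc and src in net), None)
        if nat_id is None:
            raise LookupError(f"no nat statement on {real_ifc} covers {src}")
        # The global with the same id on the egress interface supplies the addresses.
        pools = self.globals.get((mapped_ifc, nat_id), [])
        if not pools:
            raise LookupError(f"no global {nat_id} on {mapped_ifc}")
        key = (real_ifc, src, mapped_ifc)
        if key in self.xlates:                    # existing one-to-one xlate is reused
            return str(self.xlates[key]), src_port
        in_use = set(self.xlates.values())
        # Ranges are consumed before a PAT address, whatever the configuration order.
        for pool in sorted(pools, key=lambda p: len(p) == 1):
            if len(pool) > 1:
                free = next((a for a in pool if a not in in_use), None)
                if free is None:
                    continue                      # range exhausted: fall back to PAT
                self.xlates[key] = free
                return str(free), src_port        # source port is kept for one-to-one NAT
            mapped = (str(pool[0]), next(self.pat_port))
            self.pat_xlates[(real_ifc, src, src_port, mapped_ifc)] = mapped
            return mapped
        raise RuntimeError(f"global {nat_id} on {mapped_ifc} is exhausted and has no PAT address")


def demo():
    """Secure Corp's inside network with a deliberately tiny pool of two global addresses."""
    pix = PixNat({"outside": "192.168.1.254", "dmz": "10.1.1.254"})   # constructed
    pix.nat("inside", 1, "172.16.1.0", "255.255.255.0")
    pix.global_("outside", 1, "192.168.1.1-192.168.1.2")   # constructed 2-address pool
    pix.global_("outside", 1, "192.168.1.3")               # PAT address used on overflow
    pix.global_("dmz", 1, "interface")                     # PAT to the DMZ interface IP
    return {
        "a_out": pix.translate("inside", "172.16.1.10", 40000, "outside"),
        "b_out": pix.translate("inside", "172.16.1.11", 40001, "outside"),
        "c_out": pix.translate("inside", "172.16.1.12", 40002, "outside"),   # pool is full
        "a_out_again": pix.translate("inside", "172.16.1.10", 40003, "outside"),
        "a_dmz": pix.translate("inside", "172.16.1.10", 40004, "dmz"),
    }


if __name__ == "__main__":
    for name, mapping in demo().items():
        print(name, mapping)
```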
As with most commands on the PIX firewall, use the no keyword with the nat and global commands to remove them from the configuration.
Blocking Outbound Traffic (Defining an Access List)
Without any additional configuration, the PIX allows all higher security interfaces to send traffic to lower security interfaces. If you want to block some outbound traffic, it must be explicitly blocked. Controlling the outbound traffic that is allowed to traverse the PIX firewall is always a part of a well-designed security policy. With version 7.0, there is only one way to accomplish this task: using access lists.
NOTE In previous PIX software versions, you could also block outbound traffic using the outbound command. With version 7.0, this command has been completely replaced by the access-list command, and is no longer supported. Cisco has been discouraging the use of the outbound command, so this should not be a surprise. Existing outbound commands are not automatically converted to access-list commands. Refer to the section “Conduit and Outbound” for more information, and for a description of how to convert outbound commands to access-list commands.
Access Lists
Access lists on the PIX firewall are very similar to those used on Cisco routers, and can be used to limit the traffic based on several criteria, including source address, destination address, source TCP/UDP ports, and destination TCP/UDP ports. Access list configuration is a two-step process:
1. Define the access list by creating permit and deny statements using the access-list command.
2. Apply the access list to an interface using the access-group command.
There are three different basic protocol classes for the access-list command: IP, TCP/UDP, and ICMP. Each of these classes has an access-list command syntax that differs slightly from the others, as shown here:
access-list id [line line-number] [extended] {deny | permit} protocol {host sip | sip mask | any} {host dip | dip mask | any}
The parameters and keywords that are common across all three access-list command syntaxes are identified and described in this section. Parameters and keywords that are specific to each of the command syntaxes are identified and described in the following paragraphs. The id parameter identifies the access list and can be either a name or a number. The order of access-list statements is sequential from top to bottom. The first entry that matches is applied, and further processing is halted. The line keyword and line-number parameter allow entries to be inserted at a specific location within the access list. The extended keyword identifies this as an extended access list that can specify source and destination IP addresses and ports. The source IP address is specified using the sip parameter and identifies the origin of the traffic. The destination IP address is specified using the dip parameter and identifies the destination of the traffic. The mask parameter specifies the netmask bits to apply to either sip or dip. The any keyword specifies all networks or hosts, and is the equivalent of a network of 0.0.0.0 and a mask of 0.0.0.0. The host keyword followed by an IP address specifies a single host.
NOTE The syntax for access lists on the PIX firewall is very similar to that of IOS routers. The key difference is that access lists on PIX firewalls use standard wildcard masks, whereas on routers they use inverse wildcard masks. For example, when blocking a 24-bit subnet, you would use a mask of 255.255.255.0 on a PIX firewall and a mask of 0.0.0.255 on a Cisco router.
IP Protocol Access List Parameters and Keywords
In the IP protocol access-list command syntax, the protocol parameter specifies the IP protocol. You can either enter the numerical value or specify a literal name. Table 3.1 lists possible literal names.
Table 3.1 Literal Protocol Names and Values
Literal | Value | Description
ah | 51 | Authentication header for IPv6, RFC 1826
eigrp | 88 | Enhanced Interior Gateway Routing Protocol
esp | 50 | Encapsulated Security Payload for IPv6, RFC 1827
gre | 47 | General Routing Encapsulation
icmp | 1 | Internet Control Message Protocol, RFC 792
igmp | 2 | Internet Group Management Protocol, RFC 1112
igrp | 9 | Interior Gateway Routing Protocol
ip | 0 | Internet Protocol
ipinip | 4 | IP-in-IP encapsulation
nos | 94 | Network Operating System (Novell’s NetWare)
ospf | 89 | Open Shortest Path First routing protocol, RFC 1247
pcp | 108 | Payload Compression Protocol
snp | 109 | Sitara Networks Protocol
tcp | 6 | Transmission Control Protocol, RFC 793
udp | 17 | User Datagram Protocol, RFC 768
TCP/UDP Protocol Access List Parameters and Keywords
In the TCP/UDP protocol access-list command syntax, the parameters and keywords are identified and described in this section. The tcp and udp keywords specify whether this access list entry applies to TCP or UDP traffic. The operator and port identify source and destination ports. To specify all ports, do not specify an operator and port. To specify a single port, use the eq keyword as the operator. To specify all ports less than a specified port, use the lt keyword as the operator. To specify all ports greater than a specified port, use the gt keyword as the operator. To specify all ports except a specific one, use the neq keyword as the operator. To specify a range of ports, use the range keyword as the operator. The port can be specified using either a number or a literal name. A list of literal port names is presented in Table 3.2.
Table 3.2 Literal Port Names and Values
Name | Port | Protocol
bgp | 179 | tcp
biff | 512 | udp
bootpc | 68 | udp
bootps | 67 | udp
chargen | 19 | tcp
citrix-ica | 1494 | tcp
cmd | 514 | tcp
daytime | 13 | tcp
discard | 9 | tcp/udp
dnsix | 195 | udp
domain | 53 | tcp/udp
echo | 7 | tcp/udp
exec | 512 | tcp
finger | 79 | tcp
ftp | 21 | tcp
ftp-data | 20 | tcp
gopher | 70 | tcp
h323 | 1720 | tcp
http | 80 | tcp
hostname | 101 | tcp
ident | 113 | tcp
irc | 194 | tcp
isakmp | 500 | udp
klogin | 543 | tcp
kshell | 544 | tcp
login | 513 | tcp
lpd | 515 | tcp
mobile-ip | 434 | udp
nameserver | 42 | udp
netbios-dgm | 138 | udp
netbios-ns | 137 | udp
nntp | 119 | tcp
ntp | 123 | udp
pim-auto-rp | 496 | tcp/udp
pop2 | 109 | tcp
pop3 | 110 | tcp
radius | 1645, 1646 | udp
rip | 520 | udp
smtp | 25 | tcp
snmp | 161 | udp
snmptrap | 162 | udp
sqlnet | 1521 | tcp
sunrpc | 111 | tcp/udp
syslog | 514 | udp
tacacs | 49 | tcp/udp
talk | 517 | tcp/udp
telnet | 23 | tcp
tftp | 69 | udp
time | 37 | udp
uucp | 540 | tcp
who | 513 | udp
whois | 43 | tcp
www | 80 | tcp
xdmcp | 177 | tcp
Note that the system-defined port mapping of http is the same as www and is silently translated in the configuration.
ICMP Access List Parameters and Keywords
In the ICMP access-list command syntax, the parameters and keywords are identified and described as follows:
■ The icmp keyword applies this access list entry to ICMP traffic.
■ The icmp_type parameter identifies the ICMP message type, and can be specified using either a number or a literal name. A list of ICMP message types and literal names can be found in Table 3.3.
Table 3.3 ICMP Message Types
ICMP Type | Literal
0 | echo-reply
3 | unreachable
4 | source-quench
5 | redirect
6 | alternate-address
8 | echo
9 | router-advertisement
10 | router-solicitation
11 | time-exceeded
12 | parameter-problem
13 | timestamp-reply
14 | timestamp-request
15 | information-request
16 | information-reply
17 | mask-request
18 | mask-reply
31 | conversion-error
32 | mobile-redirect
After configuring an access list, you must apply it to an interface using the following command: access-group access-list {in | out} interface interface_name. The parameters and keywords of the access-group command are identified and described here.
The access-list parameter specifies which access list statements to apply to the interface. This parameter value must correspond to the id (name) specified in previous access-list commands. The in or out keyword is used to specify whether the access list is applied to packets that are inbound to the interface or outbound from the interface. The interface keyword and interface_name parameter specify the interface to which the access-list statements should be applied. Applying an access list to an interface via the access-group command denies or permits traffic as it enters the specified interface.
NOTE In previous versions of the PIX software, access lists on the PIX firewall could only be applied to traffic entering an interface via the in keyword. In version 7.0, the access lists can also be applied to traffic as it exits an interface via the out keyword.
Access lists have an implicit deny all at the end. Unless traffic has been specifically permitted within the access list, it will be denied. You can create very complex access lists simply by following the flow of what should and should not be allowed. Only one access list at a time can be applied to an interface. Let’s now look at an example of Secure Corp., which has just purchased a new PIX firewall for its network in New York, as shown in Figure 3.2. All the servers at the site, as well as all the clients within the network, are located on the inside interface of the PIX. The site uses a single network with the address space of 192.168.0.0/24. The ISP has assigned the 10.1.1.0/24 public network to use. Internal clients should not be permitted to send certain traffic such as that associated with malware infection vectors. This includes Common Internet File System/Server Message Block (CIFS/SMB) traffic, a file sharing protocol. Other prohibited traffic includes Trivial File Transfer Protocol (TFTP), bootp, Simple Network Management Protocol (SNMP), SQL*Net, Kazaa, and P2P Networking traffic. Other than this explicitly prohibited traffic, the clients should have unrestricted access to the Internet. DMZ servers should only have Internet access using protocols that support their core function. For example, the e-mail server should be permitted to send and receive Simple Mail Transfer Protocol (SMTP) traffic, the Web server should be permitted to send and receive only HyperText Transfer Protocol (HTTP) and HTTP over SSL (HTTPS) traffic, and the DNS server should be permitted to send and receive only Domain Name Service (DNS) traffic. Since the DMZ interface is a higher security interface than the outside interface, any traffic initiated from the DMZ servers to the Internet will be implicitly permitted. We want to apply the same restrictions to the DMZ servers that have been applied to internal clients.
Because there should be no Web browsing from the servers, the company has defined a policy to prohibit outbound Web (i.e., HTTP and HTTPS) traffic from the DMZ servers.
Figure 3.2 An Outbound Access List (figure: clients 172.16.2.0/24 behind the inside interface 172.16.1.254, with the NO_INSIDE_OUT access list; e-mail server 10.1.1.1, Web server 10.1.1.2, and DNS server on the DMZ interface 10.1.1.254, with the NO_DMZ_OUT access list; outside interface 192.168.1.254 toward the Internet)
Secure Corporation’s requirements are satisfied by two outbound access lists: one applied to the inside interface and one applied to the DMZ interface. The following commands define and apply the inside outbound access list:
PIX1(config)# access-list NO_INSIDE_OUT deny tcp any any eq 135
PIX1(config)# access-list NO_INSIDE_OUT deny udp any any eq 135
PIX1(config)# access-list NO_INSIDE_OUT deny udp any any eq netbios-ns
PIX1(config)# access-list NO_INSIDE_OUT deny udp any any eq netbios-dgm
PIX1(config)# access-list NO_INSIDE_OUT deny tcp any any eq netbios-ssn
PIX1(config)# access-list NO_INSIDE_OUT deny udp any any eq 139
PIX1(config)# access-list NO_INSIDE_OUT deny tcp any any eq 445
PIX1(config)# access-list NO_INSIDE_OUT deny udp any any eq 445
PIX1(config)# access-list NO_INSIDE_OUT deny udp any any eq tftp
PIX1(config)# access-list NO_INSIDE_OUT deny udp any any eq bootpc
PIX1(config)# access-list NO_INSIDE_OUT deny udp any any eq bootps
PIX1(config)# access-list NO_INSIDE_OUT deny udp any any eq snmp
PIX1(config)# access-list NO_INSIDE_OUT deny udp any any eq snmptrap
PIX1(config)# access-list NO_INSIDE_OUT deny tcp any any eq sqlnet
PIX1(config)# access-list NO_INSIDE_OUT deny tcp any any eq 1214
PIX1(config)# access-list NO_INSIDE_OUT deny tcp any any eq 3408
PIX1(config)# access-list NO_INSIDE_OUT deny tcp any any eq 3531
PIX1(config)# access-list NO_INSIDE_OUT permit ip any any
PIX1(config)# access-group NO_INSIDE_OUT in interface inside
PIX1(config)# exit
The following commands define and apply the DMZ outbound access list, which differs from the inside outbound list primarily in the prohibition of Web traffic (the literal for port 53 is domain, per Table 3.2):
PIX1(config)# access-list NO_DMZ_OUT deny tcp any any eq 135
PIX1(config)# access-list NO_DMZ_OUT deny udp any any eq 135
PIX1(config)# access-list NO_DMZ_OUT deny udp any any eq netbios-ns
PIX1(config)# access-list NO_DMZ_OUT deny udp any any eq netbios-dgm
PIX1(config)# access-list NO_DMZ_OUT deny tcp any any eq netbios-ssn
PIX1(config)# access-list NO_DMZ_OUT deny udp any any eq 139
PIX1(config)# access-list NO_DMZ_OUT deny tcp any any eq 445
PIX1(config)# access-list NO_DMZ_OUT deny udp any any eq 445
PIX1(config)# access-list NO_DMZ_OUT deny udp any any eq tftp
PIX1(config)# access-list NO_DMZ_OUT deny udp any any eq bootpc
PIX1(config)# access-list NO_DMZ_OUT deny udp any any eq bootps
PIX1(config)# access-list NO_DMZ_OUT deny udp any any eq snmp
PIX1(config)# access-list NO_DMZ_OUT deny udp any any eq snmptrap
PIX1(config)# access-list NO_DMZ_OUT deny tcp any any eq sqlnet
PIX1(config)# access-list NO_DMZ_OUT deny tcp any any eq 1214
PIX1(config)# access-list NO_DMZ_OUT deny tcp any any eq 3408
PIX1(config)# access-list NO_DMZ_OUT deny tcp any any eq 3531
PIX1(config)# access-list NO_DMZ_OUT deny tcp any any eq www
PIX1(config)# access-list NO_DMZ_OUT deny tcp any any eq https
PIX1(config)# access-list NO_DMZ_OUT permit tcp host 10.1.1.1 any eq smtp
PIX1(config)# access-list NO_DMZ_OUT permit tcp host 10.1.1.3 any eq domain
PIX1(config)# access-list NO_DMZ_OUT permit udp host 10.1.1.3 any eq domain
PIX1(config)# access-group NO_DMZ_OUT in interface DMZ
PIX1(config)# exit
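An added Python model (not the book's or Cisco's code) of how the PIX walks an access list such as NO_DMZ_OUT: entries are tried top to bottom and the first match wins, masks are standard netmasks rather than the inverse wildcards of IOS routers, unmatched traffic hits the implicit deny, and an entry carrying the version 7.0 inactive keyword is skipped. The abbreviated sample list, the destination 203.0.113.5, and the extra inactive ftp entry are constructed for the demo.

```python
"""Offline evaluator for PIX-style access-list entries (constructed example)."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Literal port names used by the chapter's examples (a subset of Table 3.2;
# `https` is a PIX literal that the table does not list).
PORT_NAMES = {
    "smtp": 25, "www": 80, "http": 80, "https": 443, "domain": 53,
    "tftp": 69, "bootpc": 68, "bootps": 67, "snmp": 161, "snmptrap": 162,
    "sqlnet": 1521, "netbios-ns": 137, "netbios-dgm": 138,
    "netbios-ssn": 139, "telnet": 23, "ftp": 21,
}


@dataclass
class Entry:
    action: str                  # "permit" or "deny"
    proto: str                   # "ip", "tcp", "udp" or "icmp"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dport: Optional[int]         # None means any destination port
    active: bool = True          # False when the entry carries `inactive`


def is_pix_netmask(mask: str) -> bool:
    """True for a standard netmask (255.255.255.0, 0.0.0.0), False for an
    IOS wildcard such as 0.0.0.255, which ipaddress would silently accept."""
    m = int(ipaddress.IPv4Address(mask))
    return m == 0 or bool(m & 0x80000000)


def _network(addr: str, mask: str) -> ipaddress.IPv4Network:
    if not is_pix_netmask(mask):
        raise ValueError(f"{mask} is an IOS wildcard mask; the PIX expects a netmask")
    return ipaddress.IPv4Network(f"{addr}/{mask}", strict=False)


def _parse_addr(tokens: List[str], i: int) -> Tuple[ipaddress.IPv4Network, int]:
    if tokens[i] == "any":
        return ipaddress.IPv4Network("0.0.0.0/0"), i + 1
    if tokens[i] == "host":
        return ipaddress.IPv4Network(tokens[i + 1] + "/32"), i + 2
    return _network(tokens[i], tokens[i + 1]), i + 2


def parse_entry(line: str) -> Entry:
    """Parse one access-list command; a leading `PIX1(config)#` prompt is tolerated."""
    tokens = line.split()
    if tokens[0].endswith("#"):
        tokens = tokens[1:]
    assert tokens[0] == "access-list", line
    i = 2                                    # tokens[1] is the list id
    if tokens[i] == "line":
        i += 2
    if tokens[i] == "extended":
        i += 1
    action, proto = tokens[i], tokens[i + 1]
    src, i = _parse_addr(tokens, i + 2)
    dst, i = _parse_addr(tokens, i)
    dport = None
    if i < len(tokens) and tokens[i] == "eq":
        p = tokens[i + 1]
        dport = int(p) if p.isdigit() else PORT_NAMES[p]
        i += 2
    active = not (i < len(tokens) and tokens[i] == "inactive")
    return Entry(action, proto, src, dst, dport, active)


def evaluate(acl: List[Entry], proto: str, src: str, dst: str, dport: int) -> str:
    """Action for one packet: first matching active entry wins, else implicit deny."""
    s, d = ipaddress.IPv4Address(src), ipaddress.IPv4Address(dst)
    for e in acl:
        if not e.active or e.proto not in ("ip", proto):
            continue
        if s not in e.src or d not in e.dst:
            continue
        if e.dport is not None and e.dport != dport:
            continue
        return e.action
    return "deny"    # the implicit deny all at the end of every list


# Constructed sample: an abbreviated NO_DMZ_OUT in the chapter's style, plus one
# inactive entry to show that a disabled entry does not match.
NO_DMZ_OUT = [parse_entry(l) for l in """
access-list NO_DMZ_OUT deny tcp any any eq netbios-ssn
access-list NO_DMZ_OUT deny udp any any eq snmp
access-list NO_DMZ_OUT deny tcp any any eq www
access-list NO_DMZ_OUT deny tcp any any eq https
access-list NO_DMZ_OUT permit tcp host 10.1.1.1 any eq smtp
access-list NO_DMZ_OUT permit tcp host 10.1.1.3 any eq domain
access-list NO_DMZ_OUT permit udp host 10.1.1.3 any eq domain
access-list NO_DMZ_OUT permit tcp host 10.1.1.2 any eq ftp inactive
""".strip().splitlines()]

if __name__ == "__main__":
    # The Web server trying to browse out is denied explicitly; the same server
    # trying to send mail is denied by the implicit deny.
    print(evaluate(NO_DMZ_OUT, "tcp", "10.1.1.2", "203.0.113.5", 80))
    print(evaluate(NO_DMZ_OUT, "tcp", "10.1.1.2", "203.0.113.5", 25))
```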
It is important to note that we have not yet covered how to configure inbound access. The preceding access lists only allow these servers to initiate contact with other servers—as a client would do. For example, the e-mail server can send mail to another domain, but it cannot receive it. The DNS server can resolve domain information from another domain, but it cannot respond to queries from other domains. In the section titled “Opening Your Network: Allowing Inbound Traffic,” we cover in detail how inbound access is enabled. One useful feature in configuring the PIX is the name command, which maps a name alias to an IP address. When configuring, instead of referencing a host by its IP address, the host can be referenced by a name. This can aid in configuring and troubleshooting complex configurations. It can also ease address changes: the name remains the same but the IP address can be changed without having to modify access lists. The syntax for the command is:
name ip_address name
For example, the following commands map the names emailserver, webserver, and dnsserver to the 172.16.1.1, 172.16.1.2, and 172.16.1.3 IP addresses, respectively:
PIX1(config)# name 10.1.1.1 emailserver
PIX1(config)# name 10.1.1.2 webserver
PIX1(config)# name 10.1.1.3 dnsserver
The names emailserver, webserver, and dnsserver can now be used in access lists instead of IP addresses.
Opening Your Network: Allowing Inbound Traffic
At some point, you will most likely face a requirement to enable untrusted and unknown hosts to initiate sessions with your trusted and protected devices such as servers. For example, users originating on the Internet may need to establish communications with your servers in the DMZ. The PIX would not be useful if it could not allow and control traffic from untrusted sources into networks containing critical systems, such as a corporate Web server. The PIX ASA treats inbound traffic (from a lower security interface to a higher security interface) differently from outbound traffic. Unlike outbound traffic, inbound traffic is denied by default. This ensures that the boundaries defined by the interface security levels are valid and not circumvented. As with outbound traffic, allowing inbound traffic is a two-step process: a static translation must be defined, and an access list must be created to allow the inbound traffic.
NOTE The conduit command has been completely superseded by access lists in 7.0. Cisco has been discouraging the use of the conduit command since 6.x, so this is not a big surprise.
Static Address Translation
When a publicly accessible server (hopefully located in a DMZ) is protected by a PIX firewall, connections initiated on a lower security interface to a higher security interface must explicitly be allowed. Allowing inbound traffic starts with the creation of a static address translation. The static command permanently maps global-to-local IP addresses. The syntax for the command is:
static (real_ifc,mapped_ifc) {mapped_ip | interface} {real_ip [netmask mask]} | {access-list access_list_name} [dns] [norandomseq [nailed]] [[tcp] [max_conns [emb_lim]] [udp udp_max_conns]
The parameters and keywords of the static command are identified and described here. The real_ifc parameter is the interface to which the server being translated is connected. The mapped_ifc parameter is the interface of the mapped global IP address. This is the interface where you are making the device (e.g., server) visible and accessible. The mapped_ip parameter is the global IP address that should be used for translation. The real_ip parameter is the local IP address that should be translated. It is typically the actual, or real, IP address of the device (e.g., server) that you are making visible and accessible. The netmask keyword and mask parameter are used when statically translating more than one IP address at a time. The default value for max_conns, emb_lim, and udp_max_conns is 0 (unlimited). Their meanings are the same as in the nat command. In Figure 3.3, Secure Corp. has three servers connected to the DMZ network. The following static commands establish static address translation for these servers.
PIX1(config)# static (dmz, outside) 192.168.1.1 10.1.1.1 netmask 255.255.255.255 0 0
PIX1(config)# static (dmz, outside) 192.168.1.2 10.1.1.2 netmask 255.255.255.255 0 0
PIX1(config)# static (dmz, outside) 192.168.1.3 10.1.1.3 netmask 255.255.255.255 0 0
These commands provide the necessary translation to make the DMZ servers accessible via the 192.168.1.1, 192.168.1.2, and 192.168.1.3 addresses. With multiple DMZ servers, instead of configuring a separate static entry for each, you could configure a single static command with the appropriate netmask. For example, for 14 DMZ servers with the IP addresses of 10.1.1.1 through 10.1.1.15, you would use the following command:
PIX1(config)# static (dmz, outside) 192.168.1.0 10.1.1.0 netmask 255.255.255.240 0 0
Now consider the fact that the Web server located in the DMZ needs to access a database server located on the inside interface of the PIX, as shown in Figure 3.3. The process is the same: whenever a lower security interface needs to access a higher security interface, a static translation needs to be created. The following configuration translates the real IP address of the internal database server (192.168.1.10) to an address accessible by the DMZ Web server (172.16.1.10):
PIX1(config)# static (inside, dmz) 10.1.1.10 172.16.1.10 netmask 255.255.255.255 0 0
Figure 3.3 Static Address Translation (figure: clients 172.16.2.0/24 and the database server 172.16.1.10 (real) / 10.1.1.10 (NAT-DMZ) on the inside; e-mail server 10.1.1.1 (real) / 192.168.1.1 (NAT-Outside), Web server 10.1.1.2 (real) / 192.168.1.2 (NAT-Outside), and DNS server 10.1.1.3 (real) / 192.168.1.3 (NAT-Outside) on the DMZ; the DMZ_TO_INSIDE and INTERNET_TO_DMZ access lists govern traffic toward the inside and from the Internet)
Static translation alone is not enough to enable lower to higher security communications; an access list must be defined to explicitly allow this traffic. The static command only creates a static address mapping between global and local IP addresses. Since the default action for inbound traffic is to drop it, the next step is to create an access list to allow the traffic to enter the PIX.
Access Lists
Creating an access list to allow inbound access is similar to creating an access list for outbound access. The command syntax is the same, as are all the parameters. The key difference is that static translation must be configured to enable lower to higher security traffic. For the Secure Corporation example in Figure 3.4, define and apply two access lists: one that permits communication from the Internet to the DMZ servers, and one that permits communication from the DMZ Web server to the internal database server. The following commands define and apply the Internet inbound access list to the DMZ network:
PIX1(config)# access-list INTERNET_TO_DMZ permit tcp any host 192.168.1.1 eq smtp
PIX1(config)# access-list INTERNET_TO_DMZ permit tcp any host 192.168.1.2 eq www
PIX1(config)# access-list INTERNET_TO_DMZ permit tcp any host 192.168.1.1 eq https
PIX1(config)# access-list INTERNET_TO_DMZ permit tcp any host 192.168.1.1 eq domain
PIX1(config)# access-list INTERNET_TO_DMZ permit udp any .1.1 eq domain
PIX1(config)# access-group INTERNET_TO_DMZ in interface Outside
PIX1(config)# exit
The following commands define and apply the DMZ inbound access list to the internal network:
PIX1(config)# access-list DMZ_TO_INSIDE permit tcp host 10.1.1.2 host 10.1.1.10 eq sqlnet
PIX1(config)# access-group DMZ_TO_INSIDE in interface DMZ
PIX1(config)# exit
Remember that there is an implicit “deny all” at the end of both access lists. This ensures that traffic not explicitly permitted to flow from a lower to higher security interface is denied. In our example, notice in the DMZ_TO_INSIDE access list that SQLNet traffic is only permitted between the DMZ Web server and the internal database server. Both the source and destination IP addresses are specified in the access-list statement. Only one access list (per direction) can be applied to an interface, and the DMZ_TO_INSIDE access list has to be combined with the NO_DMZ_OUT access list statements from the previous section to achieve the policy desired by Secure Corporation.
ICMP Access Lists
ICMP is a useful diagnostic protocol, perhaps best known and used via two useful utilities: ping and traceroute. Both tools generate ICMP messages, and use the responses to determine reachability and path information. Improperly controlled, ICMP can also be an attacker’s most useful tool to pry open your organization. In addition, certain protocols may need ICMP to make path discoveries, or to determine reachability before session establishment. All of this combines to make troubleshooting a difficult issue. The lack of ICMP responses could indicate a network problem, or the firewall doing what it was created to do—protect your networks. For this reason, the PIX firewall by default blocks ICMP, except as follows. Devices can ping the directly connected interfaces of the firewall appliance. Devices may ping each other, as long as they do not transit the firewall. ICMP traffic from the outside network to any higher security interface is blocked by default. Before you open your firewall to ICMP traffic, determine what traffic and between what networks you need to allow. If it has no value to you, do not allow it. There are two approaches for permitting ICMP traffic to traverse the PIX:
■ Access lists Because ICMP is a connectionless protocol, you need access lists to allow ICMP in both directions (by applying access lists to the source and destination interfaces).
■ ICMP inspection engine You need to enable the ICMP inspection engine, which treats ICMP conversations as stateful connections. The ICMP inspection engine uses the Modular Policy Framework (MPF), a new PIX software v7.0 feature.
In this chapter we will show you how to use access lists to permit ICMP traffic to traverse the PIX. In Figure 3.4, we want the devices on the inside network to be able to ping and traceroute to devices on the DMZ network.
Figure 3.4 ICMP ACL (figure: clients 172.16.2.0/24 on the inside; ICMP Echo-Reply and Time-Exceeded traffic returning from the DMZ)
By default, the ICMP traffic from the inside network to the DMZ network will be permitted; therefore, we do not need to apply an access list to the inside interface. To allow the return traffic from the DMZ, we need to permit the following:
■ For pings from the inside to the DMZ, the ICMP Echo packets from the inside to the outside will be permitted by default; however, we need to allow ICMP Echo Reply packets from the DMZ to the inside.
■ For traceroute from the inside to the DMZ, the packets from the inside to the outside will be permitted by default; however, we need to allow ICMP Time Exceeded packets from the DMZ to the inside.
The following commands will accomplish this (the ICMP syntax takes the icmp_type directly, without an eq operator):
PIX1(config)# access-list DMZ_PING_TRACE permit icmp 10.1.1.0 255.255.255.0 172.16.0.0 255.255.240.0 echo-reply
PIX1(config)# access-list DMZ_PING_TRACE permit icmp 10.1.1.0 255.255.255.0 172.16.0.0 255.255.240.0 time-exceeded
PIX1(config)# access-group DMZ_PING_TRACE in interface DMZ
PIX1(config)# exit
Port Redirection
Port redirection allows one public IP address to serve as the public IP address for more than one server. Port redirection allows you to define a mapping between a port on a public IP address and a port on a private IP address. To enable redirection, an access list still must be created, since the traffic is traversing from a lower security interface to a higher security interface. Because the mapping can be set at the port level, one IP address can serve as the gateway to many servers behind the PIX. For example, Secure Corp. has set up a network at its Toronto site and has been assigned only one public IP address from the ISP. At this site, Secure Corp. has two Web servers, one Telnet server, and one FTP server. How can it make all these services accessible publicly with a single IP address? By using the static command to perform port redirection:
static (real_ifc,mapped_ifc) {tcp | udp} {mapped_ip | interface} mapped_port {real_ip real_port [netmask mask]} | {access-list access_list_name} [dns] [norandomseq [nailed]] [[tcp] [max_conns [emb_lim]] [udp udp_max_conns]
We discussed the static command earlier in the chapter, so we will not go through all the parameters again. However, the preceding syntax introduces some new parameters:
■ The tcp and udp keywords are used to specify TCP or UDP port redirection through static PAT.
■ The mapped_port and real_port parameters specify the mapped port (i.e., the external port accessible outside the PIX) and the real port (i.e., the actual port listening on the server), respectively.
■ Instead of using the mapped_ip parameter, you can use the interface keyword to specify the IP address of the PIX interface specified in the mapped_ifc parameter. This option is important if you do not have any additional usable public IP addresses.
To configure port redirection for the first Web server using the PIX public IP address as the Web server’s public address:
PIX1(config)# static (dmz, outside) tcp interface 80 10.1.1.1 80
If the company also wanted to host Telnet, FTP, and another Web server, three more static commands would have to be added to map the global ports to the correct servers. Since the Web port is already taken, a high port (8080) is chosen for access to the second Web server. This example is shown in Figure 3.5. The additional commands are as follows:
PIX1(config)# static (dmz, outside) tcp interface 23 10.1.1.2 23
PIX1(config)# static (dmz, outside) tcp interface 21 10.1.1.3 21
PIX1(config)# static (dmz, outside) tcp interface 8080 10.1.1.4 80
Figure 3.5 Port Redirection (figure: incoming traffic from the Internet to the outside interface 192.168.1.254 is redirected to servers behind the DMZ interface 10.1.1.254; the numbered flows are (1) the client opens an HTTP session with 192.168.1.254, (2) the client opens a Telnet session with 192.168.1.254, (3) the client opens an FTP session with 192.168.1.254, and (4) the client opens an HTTP session on port 8080 with 192.168.1.254)
Port Redirection Mappings
Original Port | Private IP | Translated Port
TCP 80 | 10.1.1.1 | TCP 80
TCP 23 | 10.1.1.2 | TCP 23
TCP 21 | 10.1.1.3 | TCP 21
TCP 8080 | 10.1.1.4 | TCP 80
Enabling/Disabling of ACL Entries (New)
PIX software version 7.0 has introduced the capability to temporarily disable an access control entry without removing it from the configuration file. This is a powerful troubleshooting tool for testing and fine-tuning access control lists. If you are troubleshooting some communication issues through the PIX firewall and are not sure which access control entry is causing the problem, you can selectively disable an entry by including the inactive keyword in the appropriate access-list statement. Similarly, if you want to temporarily disable an entry that may be re-activated at some point in the future, include the inactive keyword. For example, to disable the access control list entry permitting inbound Web traffic to the DMZ Web server:
PIX1(config)# access-list INTERNET_TO_DMZ permit tcp any host 10.1.1.2 eq www inactive
PIX1(config)# exit
326_PIX_2e_03.qxd
5/9/05
12:07 PM
Page 137
PIX Firewall Operations • Chapter 3
Outbound ACLs (New)
Access lists can be used to filter risky outbound traffic such as CIFS, TFTP, bootp, SNMP, SQL*Net, Kazaa, and P2P Networking traffic. In an earlier example, we created and applied access lists to the internal and DMZ interfaces to block this traffic to the Internet. This leads into our section on a new PIX software version 7.0 feature called "Outbound ACLs." In previous PIX OS versions, access lists could be applied only to packets that were inbound to an interface. With the PIX v7.0 Outbound ACL feature, access lists can be applied either inbound to or outbound from the interface. However, you can apply only one ACL per direction on each interface.
NOTE It is important to differentiate the terms “inbound” and “outbound” within the context of Outbound ACLs from when they are used to describe traffic flow within the context of perimeter network traversal. For Outbound ACLs, “inbound” and “outbound” refer to the application of an access list on an interface, either to traffic entering the security appliance on an interface or traffic exiting the security appliance on an interface. For perimeter network traversal, “inbound” refers to the movement of traffic from a lower security interface to a higher security interface, while “outbound” refers to higher to lower interface traffic.
To implement an Outbound ACL, use the access-group command with the out keyword instead of the in keyword:
access-group access-list out interface interface_name
In the previous Secure Corporation example, we created and applied inbound access lists to the internal and DMZ interfaces to block this high-risk traffic from entering the PIX. Alternatively, we could create a single outbound access list and apply it to the outside interface of the PIX to prevent the high-risk traffic from exiting the PIX. This solution, shown in Figure 3.6, is more scalable because the access list is created and applied once regardless of the number of interfaces. In previous versions, we would have had to include the relevant access list entries in a separate ACL applied to each interface. For Secure Corporation, the Outbound ACL configuration follows:
PIX1(config)# access-list NO_HIGHRISK_OUT deny tcp any any eq 135
PIX1(config)# access-list NO_HIGHRISK_OUT deny udp any any eq 135
PIX1(config)# access-list NO_HIGHRISK_OUT deny udp any any eq netbios-ns
PIX1(config)# access-list NO_HIGHRISK_OUT deny udp any any eq netbios-dgm
PIX1(config)# access-list NO_HIGHRISK_OUT deny tcp any any eq netbios-ssn
PIX1(config)# access-list NO_HIGHRISK_OUT deny udp any any eq 139
PIX1(config)# access-list NO_HIGHRISK_OUT deny tcp any any eq 445
PIX1(config)# access-list NO_HIGHRISK_OUT deny udp any any eq 445
PIX1(config)# access-list NO_HIGHRISK_OUT deny udp any any eq tftp
PIX1(config)# access-list NO_HIGHRISK_OUT deny udp any any eq bootpc
PIX1(config)# access-list NO_HIGHRISK_OUT deny udp any any eq bootps
PIX1(config)# access-list NO_HIGHRISK_OUT deny udp any any eq snmp
PIX1(config)# access-list NO_HIGHRISK_OUT deny udp any any eq snmptrap
PIX1(config)# access-list NO_HIGHRISK_OUT deny tcp any any eq sqlnet
PIX1(config)# access-list NO_HIGHRISK_OUT deny tcp any any eq 1214
PIX1(config)# access-list NO_HIGHRISK_OUT deny tcp any any eq 3408
PIX1(config)# access-list NO_HIGHRISK_OUT deny tcp any any eq 3531
PIX1(config)# access-list NO_HIGHRISK_OUT permit ip any any
PIX1(config)# access-group NO_HIGHRISK_OUT out interface outside
PIX1(config)# exit
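The first-match evaluation that the NO_HIGHRISK_OUT list relies on, together with the inactive keyword from the earlier section, as an added Python model that is not code from the book or from Cisco. The port-name table, the sample flows, and the restriction to "any any" entries are constructed assumptions for this example; the final permit is written with an explicit ip protocol.

```python
"""Added example (not from the book or Cisco): a first-match evaluator for the
subset of PIX-style extended ACL entries used by NO_HIGHRISK_OUT. It models
the implicit deny at the end of every access list and the 'inactive'
keyword. Port-name table and sample flows are constructed for this example."""
from dataclasses import dataclass
from typing import List, Optional, Set

# Literal port names that appear in the book's lists (standard IANA numbers).
PORT_NAMES = {
    "netbios-ns": 137, "netbios-dgm": 138, "netbios-ssn": 139, "tftp": 69,
    "bootpc": 68, "bootps": 67, "snmp": 161, "snmptrap": 162, "sqlnet": 1521,
    "ftp": 21, "ftp-data": 20, "www": 80, "smtp": 25, "domain": 53, "syslog": 514,
}


@dataclass
class Ace:
    action: str               # "permit" or "deny"
    proto: str                # "tcp", "udp" or "ip" (ip matches any protocol)
    dst_port: Optional[int]   # None means any destination port
    inactive: bool = False    # entry kept in the config but skipped


def parse_ace(line: str) -> Ace:
    """Parse 'access-list NAME {permit|deny} PROTO any any [eq PORT] [inactive]'.
    Source and destination are limited to 'any' to keep the model short."""
    tok = line.split()
    if tok[0] != "access-list" or tok[4:6] != ["any", "any"]:
        raise ValueError(f"unsupported entry: {line}")
    rest = tok[6:]
    port = None
    if "eq" in rest:
        name = rest[rest.index("eq") + 1]
        port = PORT_NAMES.get(name) or int(name)
    return Ace(tok[2], tok[3], port, "inactive" in rest)


def build(lines: List[str], disable: Set[str] = frozenset()) -> List[Ace]:
    """Build the ACL; any line containing a fragment in 'disable' gets the
    inactive keyword appended, as an operator would do while troubleshooting."""
    return [parse_ace(l + (" inactive" if any(f in l for f in disable) else ""))
            for l in lines]


def evaluate(acl: List[Ace], proto: str, dst_port: int) -> str:
    """First matching active entry decides; an unmatched packet hits the
    implicit deny that closes every PIX access list."""
    for ace in acl:
        if ace.inactive:
            continue
        if ace.proto not in ("ip", proto):
            continue
        if ace.dst_port is not None and ace.dst_port != dst_port:
            continue
        return ace.action
    return "deny"


# The NO_HIGHRISK_OUT list from the text (final permit given its ip protocol).
NO_HIGHRISK_OUT_LINES = [
    "access-list NO_HIGHRISK_OUT deny tcp any any eq 135",
    "access-list NO_HIGHRISK_OUT deny udp any any eq 135",
    "access-list NO_HIGHRISK_OUT deny udp any any eq netbios-ns",
    "access-list NO_HIGHRISK_OUT deny udp any any eq netbios-dgm",
    "access-list NO_HIGHRISK_OUT deny tcp any any eq netbios-ssn",
    "access-list NO_HIGHRISK_OUT deny udp any any eq 139",
    "access-list NO_HIGHRISK_OUT deny tcp any any eq 445",
    "access-list NO_HIGHRISK_OUT deny udp any any eq 445",
    "access-list NO_HIGHRISK_OUT deny udp any any eq tftp",
    "access-list NO_HIGHRISK_OUT deny udp any any eq bootpc",
    "access-list NO_HIGHRISK_OUT deny udp any any eq bootps",
    "access-list NO_HIGHRISK_OUT deny udp any any eq snmp",
    "access-list NO_HIGHRISK_OUT deny udp any any eq snmptrap",
    "access-list NO_HIGHRISK_OUT deny tcp any any eq sqlnet",
    "access-list NO_HIGHRISK_OUT deny tcp any any eq 1214",
    "access-list NO_HIGHRISK_OUT deny tcp any any eq 3408",
    "access-list NO_HIGHRISK_OUT deny tcp any any eq 3531",
    "access-list NO_HIGHRISK_OUT permit ip any any",
]

if __name__ == "__main__":
    acl = build(NO_HIGHRISK_OUT_LINES)
    for proto, port in (("tcp", 445), ("tcp", 80), ("udp", 161), ("tcp", 1521)):
        print(proto, port, evaluate(acl, proto, port))
    # Disabling the tcp/445 entry lets that flow through without deleting it.
    print("tcp 445 with entry inactive:",
          evaluate(build(NO_HIGHRISK_OUT_LINES, {"tcp any any eq 445"}), "tcp", 445))
```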
Figure 3.6 NO_HIGHRISK_OUT Outbound Access List (access-group NO_HIGHRISK_OUT out interface outside, applied on the Internet-facing interface; the DMZ DNS server shown is 10.1.1.3)
Time-Based ACLs (New)
Version 7.0 introduces support for time-based ACLs, where individual access list entries can be configured to be active and enforced during a specified time period. This new capability has been implemented via a new command (time-range) and the extension of the existing access-list command with a new keyword (time-range). To implement time-based restrictions for an access list entry:
1. Define a time range via the new time-range command.
2. Create or modify an access list entry to use that time range via the time-range keyword in the access-list command.
The format of the time-range command is:
time-range name
The name parameter assigns a name to the time range you are defining. Once you enter this command, you enter time range configuration mode. Within this mode, you use the absolute, periodic, and default commands to define the time range parameters. The absolute command defines an absolute time when a time range is in effect. Its format is:
absolute [end time date] [start time date]
■ The start keyword gives the moment at which the range comes into effect and the end keyword the moment after which it no longer applies; either part may be omitted.
■ The format of the time parameters is HH:MM (e.g., 20:00 for 8 P.M.), and the format of the date parameters is day month year (e.g., 1 January 2006).
The periodic command defines a periodic time when the time range is in effect. Its format is:
periodic days-of-the-week time to [days-of-the-week] time
The parameters and keywords of the periodic command are identified and described here. The first occurrence of the days-of-the-week parameter specifies the starting day or days of the week for the time range. The potential values for days-of-the-week are any single day or combination of days, including Monday, Tuesday, Wednesday, Thursday, Friday, Saturday, and Sunday. In addition, the following values are also valid:
■ Daily
■ Weekends
■ Weekdays
The second occurrence specifies the ending day or days of the week for the time range. The second occurrence is optional and can be omitted if the ending days are the same as the starting days. The first occurrence of the time parameter specifies the starting time, while the second occurrence specifies the ending time, and is not optional. The format of the time parameters is HH:MM (e.g., 20:00 for 8 P.M.). Multiple periodic commands are permitted per time-range command. In addition, if a time-range command has both absolute and periodic values specified, the periodic commands are evaluated only after the absolute start time is reached, and are not further evaluated after the absolute end time is reached. The default command restores the default configuration settings to the time-range command absolute and periodic keywords.
NOTE Obviously, the time range feature relies on the accuracy of the PIX clock. Best practice would include the synchronization of the PIX clock with an NTP server.
Now that a time range has been defined using the time-range command, you must use it to specify an active time period for an access list entry via the access-list command. The general format of this command with respect to time ranges is:
access-list id [line line-number] [extended] {deny | permit} {tcp | udp} {host sip | sip mask | any} [operator port] {host dip | dip mask | any} [operator port] time-range time_range_name
The use of access lists is discussed earlier in this chapter. To make an access-list statement active for a particular time range, simply include the time-range keyword and the time_range_name, which is the name of a time range previously defined using the time-range command. For example, suppose Secure Corporation has a business requirement to exchange data with a partner via FTP. The company has implemented an FTP server in its DMZ to provide a staging point for the exchange of files, as shown in Figure 3.7. The exchange of data via FTP occurs nightly at a specified time. Because Secure Corporation does not want the DMZ FTP server exposed unnecessarily when it is not being used, it has chosen to implement a time-based ACL to allow FTP traffic to/from the server only when necessary. The existing INTERNET_TO_DMZ access list has been extended via the following commands:
PIX1(config)# static (dmz, outside) 192.168.1.4 10.1.1.4 netmask 255.255.255.255 0 0
PIX1(config)# time-range PARTNER_FTP_TIME
PIX1(config-time-range)# periodic weekdays 20:00 to 22:00
PIX1(config-time-range)# exit
PIX1(config)# access-list INTERNET_TO_DMZ permit tcp any host 192.168.1.4 eq ftp time-range PARTNER_FTP_TIME
PIX1(config)# access-list INTERNET_TO_DMZ permit tcp any host 192.168.1.4 eq ftp-data time-range PARTNER_FTP_TIME
PIX1(config)# access-group INTERNET_TO_DMZ in interface outside
PIX1(config)# exit
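The periodic and absolute semantics described above, applied to PARTNER_FTP_TIME, as an added Python model that is not code from the book or from Cisco. Day numbering follows Python's weekday() (Monday is 0), the end time of a periodic entry is treated as exclusive (an assumption), and the timestamps are constructed.

```python
"""Added example (not from the book or Cisco): a model of PIX time-range
evaluation. Periodic entries become minute intervals within the week; absolute
start/end gate the whole range, so periodic entries are evaluated only after
the absolute start and never after the absolute end. End time is exclusive
(assumption). Timestamps used in the demo are constructed."""
from dataclasses import dataclass, field
from datetime import datetime
from typing import List, Optional, Tuple

DAY_NAMES = ["monday", "tuesday", "wednesday", "thursday", "friday",
             "saturday", "sunday"]
DAY_SETS = {"daily": list(range(7)), "weekdays": list(range(5)),
            "weekends": [5, 6], **{n: [i] for i, n in enumerate(DAY_NAMES)}}


def _hhmm(s: str) -> int:
    """'20:00' -> minutes since midnight."""
    h, m = s.split(":")
    return int(h) * 60 + int(m)


@dataclass
class TimeRange:
    name: str
    intervals: List[Tuple[int, int]] = field(default_factory=list)  # minutes into the week
    abs_start: Optional[datetime] = None
    abs_end: Optional[datetime] = None

    def periodic(self, spec: str) -> None:
        """'periodic weekdays 20:00 to 22:00' (one interval per listed day) or
        'periodic friday 18:00 to monday 08:00' (one interval spanning days)."""
        tok = spec.split()
        if tok[0] != "periodic" or tok[3] != "to":
            raise ValueError(spec)
        start_days, start = DAY_SETS[tok[1].lower()], _hhmm(tok[2])
        if len(tok) == 6:                       # ending day given: spanning form
            end_days, end = DAY_SETS[tok[4].lower()], _hhmm(tok[5])
            if len(start_days) != 1 or len(end_days) != 1:
                raise ValueError("spanning form needs single start and end days")
            self.intervals.append((start_days[0] * 1440 + start,
                                   end_days[0] * 1440 + end))
        else:                                   # same-day form
            end = _hhmm(tok[4])
            for d in start_days:
                self.intervals.append((d * 1440 + start, d * 1440 + end))

    def absolute(self, spec: str) -> None:
        """'absolute start 00:00 1 January 2006 end 23:59 31 December 2006';
        either the start or the end part may be omitted."""
        tok = spec.split()
        if tok[0] != "absolute":
            raise ValueError(spec)
        i = 1
        while i < len(tok):
            when = datetime.strptime(" ".join(tok[i + 1:i + 5]), "%H:%M %d %B %Y")
            if tok[i] == "start":
                self.abs_start = when
            elif tok[i] == "end":
                self.abs_end = when
            else:
                raise ValueError(tok[i])
            i += 5

    def in_effect(self, now: datetime) -> bool:
        # Absolute bounds are checked first; outside them nothing is evaluated.
        if self.abs_start is not None and now < self.abs_start:
            return False
        if self.abs_end is not None and now > self.abs_end:
            return False
        if not self.intervals:
            return True                         # absolute-only range
        w = now.weekday() * 1440 + now.hour * 60 + now.minute
        for s, e in self.intervals:
            # An interval with s > e wraps past Sunday night into Monday.
            if (s <= w < e) if s <= e else (w >= s or w < e):
                return True
        return False


def check(tr: TimeRange, iso_time: str) -> bool:
    """Evaluate a range at an ISO 8601 timestamp, e.g. '2006-01-03T21:00'."""
    return tr.in_effect(datetime.fromisoformat(iso_time))


if __name__ == "__main__":
    ftp = TimeRange("PARTNER_FTP_TIME")
    ftp.periodic("periodic weekdays 20:00 to 22:00")
    for ts in ("2006-01-03T21:00", "2006-01-07T21:00", "2006-01-03T22:00"):
        print(ts, check(ftp, ts))               # Tuesday in window, Saturday, end minute
    ftp.absolute("absolute end 23:59 5 January 2006")
    print("after absolute end:", check(ftp, "2006-01-10T21:00"))
```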
Figure 3.7 Time-Based ACL
Clients 192.168.2.0/24 on the Internet side; DMZ servers: Email Server 10.1.1.1 (Real) 192.168.1.1 (NAT-Outside), Web Server 10.1.1.2 (Real) 192.168.1.2 (NAT-Outside), DNS Server 10.1.1.3 (Real) 192.168.1.3 (NAT-Outside), FTP Server 10.1.1.4 (Real) 192.168.1.4 (NAT-Outside). INTERNET_TO_DMZ access list with time-based entry: FTP traffic 8 P.M. to 10 P.M. weekdays.
NAT Control (New)
Version 7.0 simplifies the deployment of the PIX by eliminating the requirement for address translation policies to be in place before allowing network traffic to flow from a host on an inside network to outside networks. This feature is provided via a new command, nat-control. When enabled, nat-control preserves the previous requirement that translation rules be defined before traffic can traverse the PIX from an inside interface to an outside interface. When disabled via the no nat-control command, translation rules are not required for traffic to flow from an inside interface to an outside one. For new configurations, NAT Control is automatically disabled via the no nat-control command. For upgraded configurations, NAT Control is automatically enabled via the nat-control command to preserve the functionality already defined in the configuration. If you have NAT Control enabled, but do not want to translate specific addresses, you can "bypass" NAT through one of several mechanisms described in the next section.
Bypassing NAT
With NAT Control, you can bypass NAT using one of three mechanisms that all achieve compatibility with the inspection engines discussed in Chapter 5:
■ Identity NAT (nat 0 command)
■ NAT exemption (nat 0 access-list command)
■ Static identity NAT (static command)
Each of these mechanisms is described in the following paragraphs.
Identity NAT
Identity NAT is configured with the nat 0 command. Instead of using an associated global command to define the global address, the internal address is mapped to itself when translating. Use the nat command with an id of 0, and do not define an associated global command. An example command to configure the PIX to translate any address in the 10.1.1.0/24 network to itself is:
PIX1(config)# nat (inside) 0 10.1.1.0 255.255.255.0
nat 0 10.1.1.0 will be non-translated
When configured, identity NAT applies to all interfaces. You cannot choose to perform identity NAT when the IP addresses access one interface (e.g., DMZ interface) and perform normal translation when the IP addresses access another interface (e.g., outside interface). Moreover, for identity NAT, connections can only be initiated from the inside to the outside. Connections from the outside cannot be established even if the interface access list allows it.
NAT Exemption
NAT exemption is configured with the nat 0 access-list command, which bypasses NAT altogether. First, you must define an access list that identifies the traffic that should not be translated. Then, use the nat command with an id of 0 and the access list name to bypass the NAT process. Example commands to configure the PIX to bypass NAT for the 10.1.1.0/24, 10.1.2.0/24, and 10.1.3.0/24 networks using an access list would be as follows:
PIX1(config)# access-list inside_public permit ip 10.1.1.0 255.255.255.0 any
PIX1(config)# access-list inside_public permit ip 10.1.2.0 255.255.255.0 any
PIX1(config)# access-list inside_public permit ip 10.1.3.0 255.255.255.0 any
PIX1(config)# nat (inside) 0 access-list inside_public
PIX1(config)# exit
PIX1# clear xlate
Like identity NAT, NAT exemption applies to all interfaces when it is configured. You cannot choose to perform NAT exemption when the IP addresses access one interface (e.g., DMZ interface) and perform normal translation when the IP addresses access another interface (e.g., outside interface). However, NAT exemption allows you to specify both the real and destination addresses (similar to policy NAT), so you have greater control than with identity NAT. Unlike identity NAT, NAT exemption permits connections to be initiated from both the inside and outside interfaces.
Static Identity NAT
Static identity NAT is configured using the static command. Unlike identity NAT and NAT exemption, static identity NAT does not apply to all interfaces when it is configured. You choose the interfaces on which you want the real address to appear. In addition, static identity NAT lets you use policy NAT, which specifies both the real and the destination addresses when determining translation. For example, suppose you have an internal syslog server that you use to collect log information from all of your network perimeter devices, including your Internet router (see Figure 3.8). To allow syslog information from any device connected to a lower security level interface (e.g., Outside, DMZ) to reach the syslog server on the inside interface, you need to perform the steps for allowing inbound access:
1. Configure static address translation.
2. Define an access list permitting inbound syslog traffic from the Internet router to the internal syslog server.
Figure 3.8 Static Identity NAT
Clients 172.16.2.0/24; Syslog Server 172.16.1.20 (Real) 172.16.1.20 (NAT-Outside); Email Server 10.1.1.1
So far, these tasks should be nothing new to you. However, when configuring static address translation for the internal syslog server, you may not want to use one of your public IP addresses. You probably have a limited number of public IP addresses, and you probably want to reserve them for devices that need to be accessible to a broader group of people (e.g., customers, partners). Using static identity NAT, you could simply define the mapped IP address to be the same as the real IP address. The commands to accomplish this are shown in the following example:
PIX1(config)# static (inside, outside) 172.16.1.20 172.16.1.20 netmask 255.255.255.255 0 0
PIX1(config)# access-list OUTSIDE_IN permit udp host 192.168.1.253 host 172.16.1.20 eq syslog
PIX1(config)# access-group OUTSIDE_IN in interface outside
PIX1(config)# exit
NOTE For the preceding example to work, the Internet router needs to have a route to the internal syslog server (172.16.1.20) so that it knows which interface to send the syslog traffic out of. Depending on your configuration, you may need to establish a static route for the syslog server pointing to the outside PIX interface.
Policy NAT
Policy NAT lets you establish translation rules by specifying both the real address and the destination address. This allows you to translate addresses differently based on the destination of the packet. Policy NAT also allows you to translate addresses differently based on the source or destination ports. For example, suppose you have established a DMZ that is used strictly for partner connections. You have several private lines to partners that terminate on different routers within the DMZ, as shown in Figure 3.9. You have client workstations on your internal network that need to use both partner connections; however, your partners have placed requirements on you that dictate what source address you must use when accessing their resources. In other words, the same client workstation may be required to have two different source addresses when it communicates with your two partners. You can accomplish this with policy NAT, which allows you to specify translations based on both source and destination addresses and ports. In the preceding example, you would accomplish this via the following commands:
PIX1(config)# access-list PARTNER1 permit ip 172.16.2.0 255.255.255.0 10.4.1.0 255.255.255.0
PIX1(config)# access-list PARTNER2 permit ip 172.16.2.0 255.255.255.0 10.5.1.0 255.255.255.0
PIX1(config)# nat (inside) 1 access-list PARTNER1
PIX1(config)# global (partner_dmz) 1 10.3.1.100 255.255.255.255
NOTE Except for NAT exemption, all forms of NAT support policy NAT. NAT exemption allows you to specify source and destination addresses, but not source and destination ports.
Object Grouping
Introduced in version 6.2, object grouping makes complex access lists much simpler to configure. Before the object-grouping feature was available, each unique network, node, service, and protocol combination that needed to be defined in an access list had to be configured with a separate access-list statement. However, in most organizational security policies, groups of entries have similar access rights. Object groups allow groups of network addresses, services, protocols, and ICMP types to be defined, thereby reducing the number of access list entries needed. For example, say that an organization wants to deny inside users access to a number of external FTP servers because they contain illegal software and viruses. Without object groups, an access list entry has to be defined for each individual FTP server. However, using object groups, we can define a network object group containing a list of hosts that contains all the IP addresses of the banned FTP servers. IP addresses can easily be added to and removed from this group at will. Now, only one access list entry has to be created denying access to the object group from the inside. The access list does not need to be modified if entries are added to or removed from the object group. As you can see, object groups allow for simplification of access list configuration and maintenance.
Configuring and Using Object Groups
There are four types of object groups: icmp-type, protocol, network, and service. Each object group type corresponds to a field in the access-list or conduit command. Once an object group has been created, a subconfiguration mode is entered so the group can be populated. Each object group type has different subconfiguration options, so we will look at each separately. Once an object group has been configured, it can be used in an access-list or conduit command.
ICMP-Type Object Groups
An ICMP-type object group is a group of ICMP-type numerical or literal values. ICMP-type object groups can be used in place of the icmp-type parameter in an access list or conduit. To create an ICMP-type object group, the syntax is:
object-group icmp-type <grp_id>
Once an object group has been defined, the subconfiguration mode enables the object group to be populated. At this stage, an optional description can be specified using the description subcommand. To populate the ICMP-type object group, the syntax is:
icmp-object <icmp_type>
For example, the following object group defines ICMP-type values that will be used later with an access list or conduit:
PIX1(config)# object-group icmp-type icmp-grp
PIX1(config-icmp-type)# description ICMP Type allowed into the PIX
PIX1(config-icmp-type)# icmp-object echo-reply
PIX1(config-icmp-type)# icmp-object unreachable
PIX1(config-icmp-type)# exit
PIX1(config)# exit
Network Object Groups
A network object group is a group of host IP addresses or networks. Network object groups can be used in place of an src_addr or dst_addr parameter in an access list or conduit statement. To create a network object group, the syntax is as follows:
object-group network <grp_id>
Network object groups have two subcommands for defining the group of hosts and networks. The syntax for defining a host entry in the object group is:
network-object host <host_addr | host_name>
The host_addr parameter is the IP address of the host being added to the object group. Alternatively, the host_name parameter specifies the hostname of a host defined using the name command. The syntax for defining a network entry in the object group is:
network-object <net_addr> <net_mask>
For example, the following object group defines host and network values to be used later with an access list or conduit:
PIX1(config)# object-group network net-grp
PIX1(config-network)# description List of Public HTTP Servers
PIX1(config-network)# network-object host 192.168.1.10
PIX1(config-network)# network-object host 172.16.10.1
PIX1(config-network)# network-object 172.16.2.0 255.255.255.0
PIX1(config-network)# exit
PIX1(config)# exit
Protocol Object Groups
A protocol object group is a group of protocol numbers or literal values. Protocol object groups can be used in place of the protocol parameter in an access list or conduit. To create a protocol object group, the syntax is as follows:
object-group protocol <grp_id>
Once an object group has been defined, the subconfiguration mode enables the object group to be populated. To populate the protocol object group, the syntax is:
protocol-object <protocol>
The protocol parameter is a protocol number or literal value. For example, the following object group defines a group of protocols that will be used later with an access list or conduit to provide VPN access:
PIX1(config)# object-group protocol vpn-grp
PIX1(config-protocol)# description Protocols allowed for VPN Access
PIX1(config-protocol)# protocol-object ah
PIX1(config-protocol)# protocol-object gre
PIX1(config-protocol)# protocol-object esp
Service Object Groups
A service object group is a group of TCP and/or UDP port numbers or port number ranges. Service object groups can be used in place of the port parameter in an access list or a conduit. The syntax to create a service object group is as follows:
object-group service <grp_id> tcp|udp|tcp-udp
Since a service object group is a listing of ports and port ranges, the ports defined need to be configured as TCP, UDP, or both TCP and UDP. The tcp, udp, and tcp-udp keywords define the common IP protocol for all ports listed in the object group. The subconfiguration command syntax to populate the service object group with a single port is:
port-object eq <port>
The subconfiguration command syntax to populate the service object group with a range of ports is:
port-object range <begin-port> <end-port>
For example, the following object group defines a group of ports that all Web servers within an organization need to have opened on the firewall:
PIX1(config)# object-group service websrv-grp tcp
PIX1(config-service)# description Ports needed on public web servers
PIX1(config-service)# port-object eq 80
PIX1(config-service)# port-object eq 8080
PIX1(config-service)# port-object range 9000 9010
To verify that an object group was created and populated with the correct information, we can view the current object group configuration using the show object-group command:
PIX1# show object-group
object-group icmp-type icmp-grp
  description: ICMP Type allowed into the PIX
  icmp-object echo-reply
  icmp-object unreachable
object-group network net-grp
  description: List of Public HTTP Servers
  network-object host 192.168.1.10
  network-object host 172.16.10.1
  network-object 172.16.2.0 255.255.255.0
object-group protocol vpn-grp
  description: Protocols allowed for VPN Access
  protocol-object ah
  protocol-object gre
  protocol-object esp
object-group service websrv-grp tcp
  description: Ports needed on public web servers
  port-object eq www
  port-object eq 8080
  port-object range 9000 9010
If one of the object groups does not look correct or is not needed, it can be removed using the no object-group command. Object groups can be used in place of their respective values in access lists or conduits, but they must be preceded by the object-group keyword. For example, to allow the ICMP type values defined in the icmp-grp object group to enter the PIX's outside interface, the access-list command is:
PIX1(config)# access-list icmp_in permit icmp any any object-group icmp-grp
To allow access to the Web servers defined in net-grp on the ports defined in websrv-grp, the command is:
PIX1(config)# access-list outside_in permit tcp any object-group net-grp object-group websrv-grp
One nice feature of object groups is the ability to nest object groups of the same type together. For example:
PIX1(config)# object-group network all-servers
PIX1(config-network)# group-object net-grp
PIX1(config-network)# network-object 172.16.3.0 255.255.255.
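To make concrete how many separate entries an object-group reference stands for, here is an added Python example (not code from the book or from Cisco) that expands the object-group references in an access-list entry into the flat entries they replace, following nested group-object lines and rejecting a cycle. The groups are the ones defined above; the mask for the truncated all-servers entry is a constructed assumption, and the cyclic groups used in the demo are constructed.

```python
"""Added example (not from the book or Cisco): expand object-group references
in a PIX-style access-list entry into the equivalent flat entries. Groups
are the ones defined in the text; the all-servers mask is an assumption."""
from typing import Dict, FrozenSet, List

# Object groups as (type, members). A 'group-object' member nests another group.
GROUPS: Dict[str, dict] = {
    "net-grp": {"type": "network", "members": [
        "host 192.168.1.10", "host 172.16.10.1", "172.16.2.0 255.255.255.0"]},
    "all-servers": {"type": "network", "members": [
        "group-object net-grp", "172.16.3.0 255.255.255.0"]},   # mask assumed
    "websrv-grp": {"type": "service", "members": [
        "eq 80", "eq 8080", "range 9000 9010"]},
    "icmp-grp": {"type": "icmp-type", "members": ["echo-reply", "unreachable"]},
}


def resolve(name: str, seen: FrozenSet[str] = frozenset()) -> List[str]:
    """Return the leaf members of a group, following nested group-object
    lines. Nested groups must be of the same type; a cycle is an error."""
    if name in seen:
        raise ValueError(f"cyclic group-object reference via {name}")
    group = GROUPS[name]
    leaves: List[str] = []
    for member in group["members"]:
        if member.startswith("group-object "):
            child = member.split()[1]
            if GROUPS[child]["type"] != group["type"]:
                raise ValueError(f"{child} is not a {group['type']} group")
            leaves.extend(resolve(child, seen | {name}))
        else:
            leaves.append(member)
    return leaves


def expand(ace: str) -> List[str]:
    """Replace each 'object-group NAME' in the entry with one entry per leaf
    member, producing the cross product when several groups are referenced."""
    tok = ace.split()
    partial: List[List[str]] = [[]]
    i = 0
    while i < len(tok):
        if tok[i] == "object-group":
            members = [m.split() for m in resolve(tok[i + 1])]
            partial = [p + m for p in partial for m in members]
            i += 2
        else:
            partial = [p + [tok[i]] for p in partial]
            i += 1
    return [" ".join(p) for p in partial]


if __name__ == "__main__":
    ace = "access-list outside_in permit tcp any object-group net-grp object-group websrv-grp"
    for line in expand(ace):
        print(line)
    print(len(expand(ace)), "entries replaced by one object-group entry")
    print("all-servers leaves:", resolve("all-servers"))
```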
TurboACLs
TurboACLs were a new feature in version 6.2 that enabled a long or complex access list to be compiled, or indexed, to enable faster processing of traffic through the access list. This was accomplished via the compiled keyword in the access-list statement, and could be turned on at the global level or for individual access lists. With PIX software version 7.0, there is no longer a need to compile access lists. The software now automatically optimizes access list processing. From an upgrade perspective, any existing access-list statements with a compiled keyword are ignored and no longer accepted. An error message is printed and the statement is not stored in the running configuration, as shown here:
PIX1(config)# access-list 888 compiled
WARNING:% This command has been DEPRECATED. The access-lists are always maintained in optimized form
Conduit and Outbound
PIX version 7.0 does not support the conduit and outbound commands, which have been completely replaced by the access-list command. From an upgrade perspective, you must migrate any conduit and outbound commands in your configuration file to access-list commands prior to upgrading to PIX v7.0. If you do not, the PIX will output errors. You can migrate these commands in a completely manual fashion prior to the upgrade, or you can use the PIX Outbound/Conduit Converter (OCC) tool, which is available to contracted users from the Cisco Web site (www.cisco.com/pcgi-bin/tablebuild.pl/pix). This is for registered customers only. This tool facilitates the conversion of conduit and outbound commands to access control list configurations; however, because of the different nature of these access control methods, there may be some changes to the actual functionality and behavior. This tool must only be considered as an aid and a starting point. You must review and test all configurations converted by the OCC tool prior to deployment.
Case Study
We've covered many important topics in this chapter. The following case study will put the concepts and features we learned into action. Figure 3.10 shows the network layout of a new corporate site for Secure Corporation. The company has just bought the PIX and needs to configure it. It has already defined a security policy and has determined that the perimeter architecture it will implement requires four PIX interfaces. The inside interface is the highest security interface. All corporate users and internal servers will be located behind this interface. Private addressing is used for the nodes located behind this interface. NAT Control will be used, and the PIX will use PAT to translate IP addresses when the nodes send traffic to the Internet. The PIX should not NAT any traffic from the nodes behind this interface when they access any other interface. There should be no direct access from the Internet to any server located behind this interface. The DMZ-DB interface will have the second highest security level, and will be used to host database servers that enable the public Web servers to build dynamic HTML pages. No private or confidential information is stored on these database servers, which will use private addressing and are the only nodes located behind this interface. The database servers do not need access to the Internet, and no direct connections from the Internet should be allowed to the database servers. The database servers are using SQL*Net as the communication protocol with the Web servers; therefore, they need to be accessible from the Web servers in the DMZ. The database servers do not need direct access to any hosts on the inside interface.
Figure 3.10 A Complex Configuration of a Network
Segments shown (the PIX interface on each segment is the .254 address): INSIDE with Clients 172.16.2.0/24 and Syslog Server 172.16.1.20; DB_DMZ with Database Servers 10.10.2.1, 10.10.2.2, 10.10.2.3; DMZ with Email Server 10.1.1.1, Web Servers 10.1.1.2, 10.1.1.3, 10.1.1.4, FTP Server 10.1.1.5, and DNS Server 10.1.1.6; PARTNER_DMZ 10.10.3.0/24 connecting Partner1 (10.4.1.0/24) and Partner2 (10.5.1.0/24); OUTSIDE 192.168.1.0/24 connecting to the Internet.
The DMZ interface will have the third highest security level. Publicly accessible services (Web, e-mail, and DNS) will be located behind this interface. In addition, an FTP server is used to transfer data files with partners. The file transfers occur each weeknight between 8 P.M. and 10 P.M., and the company wants to restrict access to the server to those time windows only. All the servers will use private addressing and require static translations. As these servers may be attacked, access to the Internet should only be allowed from the services that each server provides. Only direct access to the database servers from the Web servers using SQL*Net is permitted. The outside interface will have the lowest security level. The company wants to allow access only to the identified services in the DMZ. The company also wants to make sure that it will not be the victim of a spoofing attack, so it wants to filter out any traffic sourced with a private address. Since the inside network can ping, it is desirable to allow ICMP responses. In addition, the company has identified a list of high-risk traffic that it does not want to traverse from the inside, DMZ-DB, or DMZ networks to the Internet. We will now discuss the commands to apply this security policy using NAT and access lists.
1. Begin by configuring the interfaces by naming them, assigning security levels, setting the speed and duplex, and assigning IP addresses:
PIX1(config)# interface ethernet0
PIX1(config-if)# nameif inside
PIX1(config-if)# security-level 100
PIX1(config-if)# speed 100
PIX1(config-if)# duplex full
PIX1(config-if)# ip address 172.16.1.254 255.255.240.0
PIX1(config-if)# no shutdown
PIX1(config-if)# exit
PIX1(config)# interface ethernet1
PIX1(config-if)# nameif outside
PIX1(config-if)# security-level 0
PIX1(config-if)# speed 100
PIX1(config-if)# duplex full
PIX1(config-if)# ip address 192.168.1.254 255.255.255.0
PIX1(config-if)# no shutdown
PIX1(config-if)# exit
PIX1(config)# interface ethernet2
PIX1(config-if)# nameif DMZ
PIX1(config-if)# security-level 40
PIX1(config-if)# speed 100
PIX1(config-if)# duplex full
PIX1(config-if)# ip address 10.10.1.254 255.255.255.0
PIX1(config-if)# no shutdown
PIX1(config-if)# exit
PIX1(config)# interface ethernet3
PIX1(config-if)# nameif DB_DMZ
PIX1(config-if)# security-level 80
PIX1(config-if)# speed 100
PIX1(config-if)# duplex full
PIX1(config-if)# ip address 10.1.2.254 255.255.255.0
PIX1(config-if)# no shutdown
PIX1(config-if)# exit
PIX1(config)# interface ethernet4
PIX1(config-if)# nameif PARTNER_DMZ
PIX1(config-if)# security-level 60
PIX1(config-if)# speed 100
PIX1(config-if)# duplex full
PIX1(config-if)# ip address 10.1.3.254 255.255.255.0
PIX1(config-if)# no shutdown
PIX1(config-if)# exit
2. Assign a default route to the PIX: PIX1(config)# route outside 0.0.0.0 0.0.0.0 192.168.1.1
3. Create an access list to be used later to bypass NAT: PIX1(config)# access-list nonatinside permit ip 172.16.2.0 255.255.255.0 10.1.1.0 255.255.255.0 PIX1(config)# access-list nonatinside permit ip 172.16.2.0 255.255.255.0 10.1.2.0 255.255.255.0 PIX1(config)# access-list nonatdmzdb permit ip 10.10.2.0 255.255.255.0 10.1.1.0 255.255.255.0
4. Create a global pool using PAT for the inside network:
PIX1(config)# global (outside) 1 192.168.1.254
Configure names for the public addresses of the DMZ servers:
PIX1(config)# name 192.168.1.11 email
PIX1(config)# name 192.168.1.12 web1
PIX1(config)# name 192.168.1.13 web2
PIX1(config)# name 192.168.1.14 web3
PIX1(config)# name 192.168.1.15 ftp
PIX1(config)# name 192.168.1.16 dns
Configure a time range for partner FTP access:
PIX1(config)# time-range PARTNER_FTP_TIME
PIX1(config-time-range)# periodic weekdays 20:00 to 22:00
PIX1(config-time-range)# exit
11. Configure access lists for each interface:
PIX1(config)# access-list dmzdb_in permit icmp 10.10.2.0 255.255.255.0 172.16.0.0 255.255.240.0
PIX1(config)# access-list dmzdb_in deny ip any any
PIX1(config)# access-list dmz_in permit tcp host 10.1.1.1 any eq smtp
PIX1(config)# access-list dmz_in permit tcp host 10.1.1.6 any eq domain
PIX1(config)# access-list dmz_in permit udp host 10.1.1.6 any eq domain
PIX1(config)# access-list dmz_in permit tcp object-group dmzhosts any eq http
PIX1(config)# access-list dmz_in permit tcp object-group webhosts object-group dbhosts eq sqlnet
PIX1(config)# access-list dmz_in permit icmp object-group dmzhosts 172.16.0.0 255.255.240.0
PIX1(config)# access-list outside_in deny ip object-group bogons any
PIX1(config)# access-list outside_in permit tcp any object-group webhosts eq http
PIX1(config)# access-list outside_in permit tcp any host email eq smtp
PIX1(config)# access-list outside_in permit tcp any host dns eq domain
PIX1(config)# access-list outside_in permit udp any host dns eq domain
PIX1(config)# access-list outside_in permit udp host 192.168.1.253 host 172.16.1.20 eq syslog
PIX1(config)# access-list outside_in permit tcp any host ftp eq ftp time-range PARTNER_FTP_TIME
PIX1(config)# access-list outside_in permit tcp any host ftp eq ftp-data time-range PARTNER_FTP_TIME
PIX1(config)# access-list outside_in permit icmp any 192.168.1.0 255.255.255.0 object-group icmp-outside-in
PIX1(config)# access-list outside_in deny icmp any 192.168.1.0 255.255.255.0
PIX1(config)# access-list outside_in deny ip any any
PIX1(config)# access-list outside_out deny tcp any any object-group tcphighrisk
PIX1(config)# access-list outside_out deny udp any any object-group udphighrisk
PIX1(config)# access-list outside_out permit ip any any
12. Apply the access lists to the appropriate interfaces:
PIX1(config)# access-group outside_in in interface outside
PIX1(config)# access-group outside_out out interface outside
PIX1(config)# access-group dmz_in in interface dmz
PIX1(config)# access-group dmzdb_in in interface DB_DMZ
13. Configure Policy NAT for partner DMZ connections:
PIX1(config)# access-list PARTNER1 permit ip 172.16.2.0 255.255.255.0 10.4.1.0 255.255.255.0
PIX1(config)# access-list PARTNER2 permit ip 172.16.2.0 255.255.255.0 10.5.1.0 255.255.255.0
PIX1(config)# nat (inside) 11 access-list PARTNER1
PIX1(config)# global (partner_dmz) 11 10.3.1.100 255.255.255.255
PIX1(config)# nat (inside) 12 access-list PARTNER2
PIX1(config)# global (partner_dmz) 12 10.3.1.200 255.255.255.255
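As an added example (not from the book and not Cisco code), the following Python evaluator shows how an access list such as the outside_in list in step 11 is applied once it is bound to an interface: entries are checked in order, the first match decides, an entry carrying a time-range is skipped outside its window, and a packet that matches no entry is dropped by the implicit deny at the end of every list. The ACL text, the name table and the partner time range are a constructed subset of this chapter's configuration; object-group entries are left out because this toy parser only understands the any, host and network/mask address forms, and port keywords are resolved through a small table of well-known ports.

```python
"""Toy PIX-style ACL evaluator: first match wins, implicit deny at the end,
time-range entries only count inside their window. Written for this page;
not PIX code. Object-group entries from the chapter are omitted."""
import ipaddress
from datetime import datetime

# "name" table taken from the chapter (name <ip> <alias>)
NAMES = {"email": "192.168.1.11", "ftp": "192.168.1.15", "dns": "192.168.1.16"}

# Well-known port keywords used by the chapter's ACLs
PORT_NAMES = {"smtp": 25, "domain": 53, "ftp": 21, "ftp-data": 20,
              "http": 80, "syslog": 514}

# time-range PARTNER_FTP_TIME / periodic weekdays 20:00 to 22:00 (Mon=0 .. Fri=4)
TIME_RANGES = {"PARTNER_FTP_TIME": (range(0, 5), (20, 0), (22, 0))}

# Constructed subset of the chapter's outside_in list (object-group entries left out)
ACL_TEXT = """
access-list outside_in permit tcp any host email eq smtp
access-list outside_in permit tcp any host dns eq domain
access-list outside_in permit udp any host dns eq domain
access-list outside_in permit tcp any host ftp eq ftp time-range PARTNER_FTP_TIME
access-list outside_in permit tcp any host ftp eq ftp-data time-range PARTNER_FTP_TIME
access-list outside_in deny icmp any 192.168.1.0 255.255.255.0
access-list outside_in deny ip any any
"""


def parse_addr(tokens, i):
    """Consume one address spec (any | host X | NET MASK) starting at tokens[i]."""
    if tokens[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tokens[i] == "host":
        ip = NAMES.get(tokens[i + 1], tokens[i + 1])   # resolve "name" aliases
        return ipaddress.ip_network(ip + "/32"), i + 2
    return ipaddress.ip_network(f"{tokens[i]}/{tokens[i + 1]}"), i + 2


def parse_ace(line):
    """access-list NAME permit|deny PROTO SRC DST [eq PORT] [time-range NAME]"""
    t = line.split()
    action, proto = t[2], t[3]
    src, i = parse_addr(t, 4)
    dst, i = parse_addr(t, i)
    dport = time_range = None
    while i < len(t):
        if t[i] == "eq":
            dport = PORT_NAMES.get(t[i + 1]) or int(t[i + 1])
        elif t[i] == "time-range":
            time_range = t[i + 1]
        else:
            raise ValueError(f"unsupported keyword {t[i]} in: {line}")
        i += 2
    return {"action": action, "proto": proto, "src": src, "dst": dst,
            "dport": dport, "time_range": time_range}


def parse_acl(text):
    return [parse_ace(line) for line in text.splitlines()
            if line.startswith("access-list")]


def time_range_active(name, when):
    """True if the entry has no time-range or its periodic window covers `when`."""
    if name is None:
        return True
    days, start, end = TIME_RANGES[name]
    return when.weekday() in days and start <= (when.hour, when.minute) < end


def evaluate(aces, proto, src, dst, dport=None, when=None):
    """Return (action, entry_number); entry_number 0 means the implicit deny fired.
    `when` may be a datetime or an ISO-8601 string; it defaults to now."""
    if when is None:
        when = datetime.now()
    elif isinstance(when, str):
        when = datetime.fromisoformat(when)
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for n, ace in enumerate(aces, 1):
        if ace["proto"] not in ("ip", proto):
            continue
        if s not in ace["src"] or d not in ace["dst"]:
            continue
        if ace["dport"] is not None and ace["dport"] != dport:
            continue
        if not time_range_active(ace["time_range"], when):
            continue
        return ace["action"], n          # first match wins
    return "deny", 0                     # implicit deny


if __name__ == "__main__":
    acl = parse_acl(ACL_TEXT)
    print(evaluate(acl, "tcp", "203.0.113.5", "192.168.1.11", 25))
    print(evaluate(acl, "tcp", "203.0.113.5", "192.168.1.15", 21, "2005-05-11T21:00"))
    print(evaluate(acl, "tcp", "203.0.113.5", "192.168.1.15", 21, "2005-05-14T21:00"))
```

The returned entry number is what you would look for in a hit counter when checking that the partner FTP entry is the one matching during its window and that the same connection falls through to the final deny on a Saturday or after 22:00.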
Summary
Configuring the PIX to pass inbound or outbound traffic requires multiple steps. Basic connectivity allows users on a higher security-level interface of the PIX to transmit traffic to a lower security-level interface using NAT or PAT. This is accomplished using the nat command in conjunction with a global command. Because the PIX allows higher security-level interfaces to transmit traffic to lower security-level interfaces, and because the PIX is stateful, users on the inside of the PIX should be able to run almost any application without extra configuration on the PIX.
Controlling outbound traffic has become a critical part of a comprehensive security policy. With PIX version 7.0, this can be accomplished only using the access-list and access-group commands. The outbound command is no longer supported. In addition, if you want to keep traffic that you consider high risk from leaving your network, including the inside and DMZ interfaces, you can use the Outbound ACL feature. This feature is new in PIX version 7.0 and allows you to apply an access list either inbound or outbound to the interface. To prevent high-risk traffic from leaving your network, you can simply create and apply a single Outbound ACL to the outside interface instead of creating and applying multiple inbound ACLs to each of your internal interfaces.
Once outbound access is secure, moving on to allowing inbound access is relatively easy. By default, all inbound access (connections from a lower security-level interface to a higher security-level interface) is denied. With PIX version 7.0, only access lists can be used to allow inbound traffic. Conduits are no longer supported. The fundamentals of the access-list command are no different between controlling inbound or outbound traffic. For inbound traffic, configuring a static translation (using the static command) is required for each publicly accessible server in addition to access-list or conduit.
With PIX version 7.0, there are several new access list features, including time-based ACLs and the ability to enable/disable individual access control list entries. The time-based ACL feature allows you to specify a time period during which an access control list entry is active. This could be useful for permitting access to DMZ resources to partners for scheduled jobs only during a specified time period. The ability to enable/disable individual access control list entries should ease troubleshooting for complex ACLs.
Version 7.0 also simplifies the deployment of the PIX by eliminating the requirement for address translation policies to be in place before allowing network traffic to flow from a host on an inside network to outside networks. This feature is provided via a new command, nat-control. When enabled, nat-control preserves the previous requirement that translation rules be defined before traffic can traverse the PIX from an inside interface to an outside interface. When disabled via the no nat-control command, the translation rules are not required for the traffic to flow from an inside interface to an outside one. If NAT Control is desired or required by your security policy, you can selectively bypass NAT using one of three mechanisms: identity NAT (nat 0 command), NAT exemption (nat 0 access-list command), and static identity NAT (static command).
Policy NAT lets you establish translation rules by specifying both the real address and the destination address. This allows you to translate addresses differently based on the destination of the packet. Policy NAT also allows you to translate addresses differently based on the source or destination ports.
Object grouping makes complex access lists much simpler to configure. Without object grouping, each unique network, node, service, and protocol combination that needs to be defined in an access list has to be configured with a separate access-list statement. However, in most organizational security policies, groups of entries have similar access rights. Object groups allow groups of network addresses, services, protocols, and ICMP types to be defined, thereby reducing the number of access list entries needed.
Solutions Fast Track
NAT Control
■ Version 7.0 simplifies the deployment of the PIX by eliminating the requirement for address translation policies to be in place before allowing network traffic to flow from a host on an inside network to outside networks. This feature is provided via a new command, nat-control.
■ When enabled, nat-control preserves the previous requirement that translation rules be defined before traffic can traverse the PIX from an inside interface to an outside interface. When disabled via the no nat-control command, the translation rules are not required for the traffic to flow from an inside interface to an outside one.
■ For brand new PIX installations, NAT control is automatically disabled via the no nat-control command. For an upgrade of an existing configuration, NAT control is automatically enabled via the nat-control command to preserve the functionality already defined in the configuration.
■ If NAT Control is desired or required by your security policy, you can selectively bypass NAT using one of three mechanisms: identity NAT (nat 0 command), NAT exemption (nat 0 access-list command), and static identity NAT (static command).
The Bare Minimum: Outbound Traffic
■ By default, if address translation is configured, the PIX firewall allows all connections from a higher security-level interface to a lower security-level interface.
■ A well-defined security policy usually does not allow all outbound traffic. Define and control which applications you allow.
■ With PIX version 7.0, there is only one method for controlling outbound traffic: access lists. The outbound and apply commands are no longer supported.
■ PIX version 7.0 also introduces a feature called Outbound ACLs. In previous PIX OS versions, access lists could be applied only to packets that were inbound to the interface. With the PIX v7.0 Outbound ACL feature, access lists can be applied either inbound to or outbound from the interface. However, you can only apply one ACL per direction on each interface.
■ PIX version 7.0 introduces a new feature called “time-based ACLs,” which allow you to specify a time period during which an access control list entry is active. This could be useful for permitting access to DMZ resources to partners for scheduled jobs only during a specified time period.
■ PIX version 7.0 introduces a new feature that allows you to enable/disable individual access control list entries. The ability to enable/disable individual access control list entries should ease troubleshooting for complex ACLs.
■ With PIX version 7.0, TurboACLs are no longer supported. TurboACL was a new feature in version 6.2 that enabled a long or complex access list to be compiled, or indexed, to enable faster processing of traffic through the access list. There is no longer a need to compile access lists because the software now automatically optimizes access list processing.
Opening Your Network: Allowing Inbound Traffic
■ By default, connections from a lower security-level interface to a higher security-level interface are denied.
■ Port redirection is an excellent option for small businesses that do not have the money to buy a large amount of IP address ranges.
■ The syntax for access lists is the same whether they are applied to inbound or outbound traffic.
Object Grouping
■ Object groups allow simplification of access list configuration and management.
■ There are four types of object groups: ICMP type, network, protocol, and service.
Frequently Asked Questions
Q: Could I use a static command with a netmask option instead of the nat 0 access-list command to configure public IP addresses inside the PIX?
A: Although this configuration will work, it opens the firewall to vulnerabilities if an access list is misconfigured. Use nat 0 access-list if you can.
Q: Why do I have to issue a clear xlate after I make changes?
A: The xlate table is maintained by the NAT process of the PIX, so if you make changes to that process, items can become stuck in the table, or items that should not be in the table might still remain. This can cause unpredictable results, and creates a security risk.
Q: Should I move all my servers into a DMZ?
A: DMZs are very helpful in containing security risks for publicly accessible servers. If a server is not accessible to the outside world, there is probably no good reason to move it into a DMZ. If you do not trust the inside users, that is another story.
Q: Why should I use private IP addresses inside my network if I have enough public address space?
A: Using private address space inside your network can provide many advantages to a corporation. The amount of address space provided allows for increased flexibility in the network design and allows for expansion. However, private addresses are not for everyone, and many universities and other institutions that have large amounts of IP address space use public addressing in their networks.
Chapter 4
Adaptive Security Device Manager
Solutions in this chapter:
■ Features, Limitations, and Requirements
■ Installing, Configuring, and Launching ASDM
■ Configuring the PIX Firewall Using ASDM
■ Configuring VPNs Using ASDM
Summary
Solutions Fast Track
Frequently Asked Questions
Introduction
Until this chapter, our focus has been on the configuration and management of the PIX firewall using the command-line interface, or CLI. The PIX firewall also supports a graphical user interface (GUI), which used to be called the PIX Device Manager (PDM). PDM has been replaced in version 7.0 with the Adaptive Security Device Manager (ASDM), which allows an administrator to use a Web browser to install, configure, and maintain the PIX firewall. ASDM is a Java-based GUI used to manage the Cisco PIX firewall. It consists of a software image that runs from flash memory on the PIX firewall, enabling administrative access via a Secure Sockets Layer (SSL) encrypted HTTPS session. ASDM completely replaces PDM, which was available for versions before 7.0. ASDM allows firewall administrators to work from a variety of authorized workstations configured with a compatible browser and includes nearly all PIX CLI functionality. For example, using ASDM, administrators can add, modify, and delete firewall rule sets, configure network address translation (NAT), or set up a virtual private network (VPN). In addition to altering PIX configurations, ASDM facilitates administrative monitoring of the PIX firewall through powerful graph and table displays for near-real-time insight into PIX performance. This chapter introduces ASDM, and provides detailed information for using it to configure and monitor the PIX firewall.
NOTE ASDM is used for administration of a single firewall. CiscoWorks VPN/Security Management Solution (VMS) is a Cisco product that supports centralized management of multiple Cisco security devices, including firewalls, VPNs, and IDS sensors.
Features, Limitations, and Requirements
ASDM provides nearly all functionality available in the PIX firewall CLI. This includes the ability to modify access, AAA, and filter rules on the firewall, and to implement and control NAT. ASDM also gives firewall administrators granular control of administrative functionality such as logging, IDS configuration, and user account maintenance while providing insight into current performance through the detailed ASDM graphical monitoring functionality. A wealth of performance metrics and real-time statistics can easily be generated and viewed using ASDM. ASDM includes powerful wizards such as the Setup Wizard and the VPN Wizard. Both tools guide firewall administrators through the often-complex configuration of advanced features such as auto-update functionality and DHCP server setup or site-to-site and software client VPN configuration. ASDM also supports object grouping, NAT, LAN failover, several fixup configurations, and command authorization. For information regarding these and many other supported features in the ASDM interface, refer to the ASDM Version 5.0 Release Notes at www.cisco.com/en/US/customer/products/ps6121/prod_release_note_book09186a0080426ad1.html.
Cisco provides ASDM via Java applets embedded in the ASDM image stored on the PIX firewall. These signed applets are downloaded directly from PIX flash memory to facilitate PIX administration free of cumbersome client-side software. Therefore, no special client software other than a compliant Web browser is required for the ASDM client. However, there are several prerequisites for ASDM to run successfully. These hardware, software, and client-side requirements for ASDM are described in the following sections. In addition, Cisco has now made ASDM available as a downloadable application that can run locally.
Supported PIX Firewall Hardware and Software Versions
The ASDM replaces the PIX Device Manager (PDM) with PIX software v7.0. The following paragraphs discuss the hardware and software requirements for ASDM.
PIX Device Requirements
ASDM v5.0 software requires PIX software version 7.0(1), and runs on the following platforms:
■ PIX 515/515E
■ PIX 525
■ PIX 535
ASDM cannot be used with earlier versions of the PIX software (v6.3 and earlier), nor can it be used for PIX 506/506E or PIX 501 platforms because they do not yet support version 7.0. For specific PIX software v7.0 memory requirements and upgrade procedures, refer to the sections entitled “PIX Hardware” and “Software Licensing and Upgrades,” respectively, in Chapter 2.
Additionally, the PIX platform must have a Data Encryption Standard (DES) or 3DES activation key. The DES or 3DES activation key enables SSL-based communication between the remote Java management client and the PIX device. PIX devices shipped with software version 6.0 and higher already include a DES activation key and encryption capabilities. 3DES, which enables stronger encryption capabilities, is available from Cisco as an additional license.
NOTE Check the PIX software version, memory, and DES capabilities using the show version command on the selected PIX firewall.
Host Requirements for Running ASDM
Because Cisco created ASDM using Java technology, there are multiple client workstations capable of running the ASDM client software. Specifically, ASDM can be run from the operating systems shown in Table 9.1.
Table 9.1 ASDM Client OS Requirements
Client Operating System | OS Version | Browser
Solaris | Solaris 8 or 9 running CDE window manager | Mozilla 1.7.3 with Java plug-in 1.4.2 or 1.5.0
Linux | Red Hat Linux 9.0 or Red Hat Linux WS, version 3 running GNOME or KDE | Mozilla 1.7.3 with Java plug-in 1.4.2
Windows | Windows 2000 (SP4), Windows XP | Internet Explorer 6.0 with Java plug-in 1.4.2 or 1.5.0
Adaptive Security Device Manager Limitations You can use ASDM to configure almost every feature of the PIX; however, there are some limitations in terms of unsupported commands, unsupported character sets, and printing when compared with the traditional CLI.
Unsupported Commands
ASDM does not support the complete command set of the CLI. In most cases, ASDM ignores unsupported commands, leaving them intact in the configuration. The following are effects of some of the unsupported commands:
■ If ASDM loads an existing running configuration and finds IPv6-related commands, ASDM displays a dialog box informing you that it does not support IPv6. You cannot configure any IPv6 commands in ASDM, but all other configuration is available.
■ If ASDM loads an existing running configuration and finds other unsupported commands, ASDM operation is unaffected. To view the unsupported commands, see Options | Show Commands Ignored by ASDM on Device.
■ If ASDM loads an existing running configuration and finds the alias command, it enters Monitor-only mode. Monitor-only mode allows access to the following functions: the Monitoring area and the CLI tool (Tools | Command Line Interface), which lets you use the CLI commands. To exit Monitor-only mode, use the CLI tool or access the security appliance console, and remove the alias command. You can use outside NAT instead of the alias command.
NOTE You might also be in Monitor-only mode because your user account privilege level, indicated in the status bar at the bottom of the main ASDM window, was set up as less than or equal to 3 by your system administrator, which allows Monitor-only mode. For more information, see Configuration | Device Administration | User Accounts and Configuration | Device Administration | AAA Access.
Unsupported Characters ASDM does not support any non-English characters or any other special characters. If you enter non-English characters in any text entry field, they become unrecognizable when you submit the entry, and you cannot delete or edit them. If you are using a non-English keyboard or usually type in a language other than English, be careful not to enter non-English characters accidentally.
ASDM CLI Does Not Support Interactive Commands
The ASDM CLI feature does not support interactive user commands. If you enter a CLI command that requires interactive confirmation, ASDM prompts you to enter “[yes/no]” but does not recognize your input. ASDM then times out waiting for your response. For example, on the ASDM Tools menu, click Command Line Interface. Enter the command crypto key generate rsa. ASDM generates the default 1024-bit RSA key. Enter the command again: crypto key generate rsa. Instead of regenerating the RSA keys by overwriting the previous one, ASDM displays the following error:
Do you really want to replace them? [yes/no]:
WARNING: You already have RSA ke0000000000000$A key
Input line must be less than 16 characters in length.
%Please answer 'yes' or 'no'.
Do you really want to replace them [yes/no]:
%ERROR: Timed out waiting for a response.
ERROR: Failed to create new RSA keys names
NOTE You can configure most commands that require user interaction by means of the ASDM panels. In addition, for CLI commands that have a noconfirm option, use it when entering the CLI command. For example: crypto key generate rsa noconfirm
Printing from ASDM
ASDM supports printing for the following features:
■ The Configuration | Features | Interfaces table
■ All Configuration | Features | Security Policy tables
■ All Configuration | NAT tables
■ The Configuration | Features | VPN | IPsec | IPsec Rules table
■ Monitoring | Features | Connection Graphs and its related table
NOTE Printing is only supported for Microsoft Windows 2000 or XP in this release. If you want to print from within ASDM, start ASDM in application mode. Printing is not supported in applet mode in this release.
Installing, Configuring, and Launching ASDM This section of the chapter provides insight into the logical steps and procedures required to install, configure, and launch ASDM.
Preparing for Installation
Before attempting to use ASDM or configure a PIX device using ASDM, verify that the PIX firewall software version of the device is 7.0 or later. If it is not, the software version must be upgraded and DES must be activated before ASDM will function. To verify the PIX firewall version, log in to the CLI and type show version. The first two lines of the response should display the current PIX firewall version and indicate whether ASDM is installed on the device. The following shows a PIX firewall with software version 7.0(1) and ASDM version 5.0(1) installed:
PIX1# show version
Cisco PIX Security Appliance Software Version 7.0(1)
Device Manager Version 5.0(1)
If the PIX firewall version is 7.0 or later and ASDM 5.0 is installed, proceed to the section “Configuring the PIX Firewall Using ASDM.” If these are not installed, refer to the following steps to upgrade the PIX firewall, install the DES activation key, and install/upgrade ASDM.
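When this check has to be repeated across many firewalls, it is worth scripting. The following Python function is an added example, not from the book or from Cisco: it extracts the software and Device Manager versions from the first lines of show version output and reports whether the device is ready for ASDM, needs a software upgrade, or needs ASDM installed. The three sample outputs are constructed for this example (the first follows the listing above; the 6.x-style lines are an assumption about the older format), and the minimum versions are the ones the chapter states, PIX 7.0(1) and ASDM 5.0.

```python
"""Decide from 'show version' output whether a PIX is ready for ASDM.
Added example for this page; not Cisco code."""
import re

# Constructed sample, following the chapter's listing of a ready device
SHOW_VERSION_OK = """\
Cisco PIX Security Appliance Software Version 7.0(1)
Device Manager Version 5.0(1)
"""

# Constructed sample of a pre-7.0 device (assumed 6.x banner format)
SHOW_VERSION_OLD = """\
Cisco PIX Firewall Version 6.3(4)
Cisco PIX Device Manager Version 3.0(1)
"""

# Constructed sample of a 7.0(1) device with no device manager image loaded
SHOW_VERSION_NO_ASDM = """\
Cisco PIX Security Appliance Software Version 7.0(1)
"""

REQUIRED_PIX = (7, 0, 1)     # ASDM 5.0 requires PIX software 7.0(1)
REQUIRED_ASDM = (5, 0, 0)    # ASDM 5.0 or later must be installed

# Matches version strings of the form 7.0(1) as printed by show version
VERSION_RE = re.compile(r"Version (\d+)\.(\d+)\((\d+)\)")


def parse_show_version(text):
    """Return (software_version, device_manager_version) as tuples; None if absent."""
    software = manager = None
    for line in text.splitlines():
        m = VERSION_RE.search(line)
        if not m:
            continue
        version = tuple(int(g) for g in m.groups())
        if "Device Manager" in line:
            manager = version
        elif software is None:
            software = version          # first non-manager version line is the OS
    return software, manager


def asdm_readiness(text):
    """Return 'ready', 'upgrade-pix' or 'install-asdm' for the given output."""
    software, manager = parse_show_version(text)
    if software is None or software < REQUIRED_PIX:
        return "upgrade-pix"
    if manager is None or manager < REQUIRED_ASDM:
        return "install-asdm"
    return "ready"


if __name__ == "__main__":
    for sample in (SHOW_VERSION_OK, SHOW_VERSION_OLD, SHOW_VERSION_NO_ASDM):
        print(parse_show_version(sample), asdm_readiness(sample))
```

Tuple comparison gives the right ordering for release numbers such as 6.3(4) against 7.0(1) without any string tricks, which is the part most ad hoc version checks get wrong.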
Installing or Upgrading ASDM
As with all upgrade and installation procedures, begin by backing up all configuration data on the existing PIX firewall device that you plan to upgrade. If the PIX firewall is a production device, schedule the upgrade procedure during off-hours and notify the users of the potential service disruption. Doing so will help ensure a smooth upgrade process and will prevent complaints from the user community. Verify that the PIX firewall meets all requirements listed previously in this chapter before starting with the upgrade and installation. Read all release notes carefully to determine whether any specific functionality has been removed or changed in the new release. Finally, be sure to have the software image of the PIX firewall version currently running on the PIX device backed up in the event the new version upgrade fails and you must roll back. The installation procedure is generally trouble free, but best practice always dictates preparation for version rollback in the event of a failure.
NOTE Administrators with a valid CCO login can find Cisco PIX firewall software and ASDM images on the Cisco Web site at www.cisco.com/cgi-bin/tablebuild.pl/pix.
To install or upgrade ASDM:
1. Obtain a DES activation key.
2. Configure the PIX firewall for basic network connectivity.
3. Install a TFTP server and make it available to the PIX firewall.
4. Upgrade to the version of PIX firewall software and configure the DES activation key on the PIX device.
5. Install or upgrade ASDM on the PIX device.
Let’s take a closer look at each of these steps.
Obtaining a DES Activation Key
The first step in configuring ASDM on a PIX firewall is obtaining a new activation key to enable DES encryption (if you do not already have one). A DES activation key is free from Cisco and is required for ASDM functionality. Because it could take some time for Cisco to issue the new key, it is best to start the request process before upgrading software on the PIX firewall. Use the show version command to obtain the PIX serial number. This number is required to request a new activation key. From a Web browser, go to www.cisco.com/go/license and fill out either the “DES (56-bit) Encryption License (Free)” or the “PIX Firewall 3DES/AES License Registration” request form. A Cisco representative will e-mail you the appropriate activation key shortly thereafter.
Configuring the PIX Firewall for Network Connectivity
To upgrade a PIX firewall and install ASDM, the PIX firewall must first be capable of basic network connectivity. If the PIX firewall device is already on the network and capable of connecting to other devices, proceed to the next section and install a TFTP server.
1. Establish a connection to the console port of the PIX device and log in to the CLI. Enter Enable mode by typing enable at the console prompt. Type configure terminal to enter Configuration mode on the PIX firewall. Enter the setup dialog box by typing setup after entering Configuration mode. Follow the setup dialog prompts and enter information for the following variables:
■ Enable password
■ Clock variables
■ IP address information
■ Hostname
■ Domain name
2. When prompted, save the information to write the configuration to memory. When you’re finished, physically attach the PIX firewall to the network and test for network connectivity using the ping command on the PIX firewall.
Installing a TFTP Server After the PIX firewall is successfully configured on the network, a TFTP server must be installed to accommodate the new PIX firewall software and ASDM software upload. Follow the instructions provided in Chapter 2 to install a TFTP server. If a TFTP server already exists, proceed to the next section and upgrade the PIX firewall software.
Upgrading the PIX Firewall and Configuring the DES Activation Key
Because ASDM 5.0 only functions on PIX 7.0 and later, PIX devices with versions before 7.0 must be upgraded. Furthermore, the use of ASDM requires the activation of DES or 3DES to facilitate a secure, encrypted management session. To enable DES, the new key requested in previous steps must be activated either during a new PIX image load using the Monitor mode method on the PIX firewall or using the activation-key command. The key on the PIX firewall cannot be changed using the typical copy tftp flash command. To upgrade the PIX firewall software, follow the steps outlined in Chapter 2. If the PIX device is already running software version 7.0 and you simply need to install the new DES or 3DES license key, use the activation-key command from the CLI. Type activation-key in Configuration mode, followed by the appropriate activation key hexadecimal code provided by Cisco. To verify the key, use the show activation-key command.
Installing or Upgrading ASDM on the PIX Device
After the PIX firewall software is successfully upgraded to 7.0 and the DES or 3DES key is installed, ASDM must be loaded into flash. As with the PIX firewall software upgrade, the installation of ASDM is a potentially difficult operation. Always make backups of configuration files and software images before proceeding with the installation. Always verify that the PIX firewall meets the requirements specified for ASDM.
To install or upgrade from PDM to ASDM:
1. Copy the ASDM binary file (asdm-501.bin) to a TFTP or FTP server on your network.
2. Log in to your security appliance using the console (or other appropriate method that you have configured).
3. Ensure that you have connectivity from your security appliance to your TFTP/FTP server. If you have an existing copy of the PIX Device Manager, delete it:
PIX1(config)# delete flash:/pdm
4. Copy the ASDM binary onto your security appliance using the appropriate command:
For TFTP: copy tftp://your-server-IP/pathtofile flash:/asdm-501.bin
For FTP: copy ftp://your-server-IP/pathtofile flash:/asdm-501.bin
5. If you have more than one ASDM image, enter the following command to configure the location of the ASDM image:
PIX1(config)# asdm image flash:/asdm-501.bin
6. Enter the following command to enable the HTTPS server on the device:
PIX1(config)# http server enable
7. Identify the systems or networks that are allowed to access ASDM. This is done by specifying one or more hosts/networks using the following command:
PIX1(config)# http 10.1.1.1 255.255.255.255 inside
8. The IP address 10.1.1.1 is a host that may access ASDM and that is connected via the inside interface.
9. Verify that ASDM is installed correctly by connecting from the client system (10.1.1.1 in the preceding example) to the security appliance, using a supported browser. For example: https://10.1.1.1/admin/
NOTE In early beta releases of ASDM and in previous releases of PDM (versions 4.1 and earlier), the device manager stored its cache in <userdir>\pdmcache; for example, D:\Documents and Settings\jones\pdmcache. Now, the cache directory for ASDM is in <user dir>\.asdm\cache. The File > Clear ASDM Cache option in ASDM clears this new cache directory. It does not clear the old one. To free up space on your system, if you are no longer using your older versions of PDM or ASDM, delete your pdmcache directory manually.
Enabling and Disabling ASDM
To use ASDM, you need to enable the HTTPS server, and allow HTTPS connections to the security appliance. All of these tasks are completed if you use the setup command. This section describes how to manually configure ASDM access. The security appliance allows a maximum of five concurrent ASDM instances per context, if available, with a maximum of 32 ASDM instances between all contexts.
To configure ASDM access:
1. To enable the HTTPS server, enter the following command:
PIX1(config)# http server enable
2. To identify the IP addresses from which the security appliance accepts HTTPS connections, enter the following command for each address or subnet:
PIX1(config)# http source_IP_address mask source_interface
3. For example, to enable the HTTPS server and let a host on the inside interface with an address of 192.168.1.2 access ASDM, enter the following commands:
PIX1(config)# http server enable
PIX1(config)# http 192.168.1.2 255.255.255.255 inside
4. To allow all users on the 192.168.3.0 network to access ASDM on the inside interface, enter the following command:
PIX1(config)# http 192.168.3.0 255.255.255.0 inside
5. To disable ASDM, type no http server enable at the configure prompt. Doing so disables ASDM for all clients. To disable a specific client, issue the no form of the http command given in step 2 for that address:
PIX1(config)# no http source_IP_address mask source_interface
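As an added illustration of how the http entries above gate ASDM access (this is not code from the book or from Cisco), the following Python models the check the appliance makes against each entry's address, mask and interface, and lists entries whose mask admits every host; the configuration excerpt is constructed for the example.

```python
"""Model of the ASDM access check made by the 'http <address> <mask> <interface>'
entries above.  Constructed example, not Cisco code: it parses http lines from a
running configuration, decides whether a client on a given interface may open an
HTTPS/ASDM session, and lists entries whose mask admits every host."""
import ipaddress
import re
from typing import List, NamedTuple, Tuple


class HttpEntry(NamedTuple):
    network: ipaddress.IPv4Network   # address + mask collapsed to a prefix
    interface: str                   # interface the client must arrive on


# "http <address> <mask> <interface>" as written in the running configuration.
HTTP_LINE = re.compile(r"^http\s+(\d+\.\d+\.\d+\.\d+)\s+(\d+\.\d+\.\d+\.\d+)\s+(\S+)$")


def parse_http_config(config: str) -> Tuple[bool, List[HttpEntry]]:
    """Return (http server enabled?, list of permitted client entries)."""
    enabled = False
    entries: List[HttpEntry] = []
    for raw in config.splitlines():
        line = raw.strip()
        if line == "http server enable":
            enabled = True
        elif line == "no http server enable":
            enabled = False
        else:
            m = HTTP_LINE.match(line)
            if m:
                address, mask, interface = m.groups()
                # strict=False tolerates host bits in the address, as the CLI does.
                net = ipaddress.IPv4Network(f"{address}/{mask}", strict=False)
                entries.append(HttpEntry(net, interface))
    return enabled, entries


def asdm_allowed(config: str, client_ip: str, interface: str) -> bool:
    """True if a client at client_ip arriving on interface may reach ASDM."""
    enabled, entries = parse_http_config(config)
    if not enabled:
        return False          # 'no http server enable' disables ASDM for everyone
    client = ipaddress.IPv4Address(client_ip)
    return any(client in e.network and e.interface == interface for e in entries)


def broad_entries(config: str, widest_ok: int = 24) -> List[HttpEntry]:
    """Entries whose mask is wider than /widest_ok (the threshold is a constructed
    policy choice); a 0.0.0.0 mask admits every host on that interface."""
    _, entries = parse_http_config(config)
    return [e for e in entries if e.network.prefixlen < widest_ok]


# Constructed running-configuration excerpt for the example.
SAMPLE_CONFIG = """\
hostname PIX1
http server enable
http 192.168.1.2 255.255.255.255 inside
http 192.168.3.0 255.255.255.0 inside
http 0.0.0.0 0.0.0.0 outside
"""

if __name__ == "__main__":
    for ip, iface in [("192.168.1.2", "inside"), ("192.168.3.77", "inside"),
                      ("192.168.1.2", "dmz"), ("203.0.113.9", "outside")]:
        print(f"{ip:>14} via {iface:<8} -> {asdm_allowed(SAMPLE_CONFIG, ip, iface)}")
    for e in broad_entries(SAMPLE_CONFIG):
        print(f"review: {e.network} on {e.interface} admits every host")
```

Run against the output of show http on a real device, the same parser gives a quick audit of which interfaces and prefixes can reach the management plane.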
Launching ASDM

ASDM management clients are only permitted from authorized IP addresses as specified previously by the http command. Before attempting to connect to the PIX via ASDM, verify that the management workstation meets all functional requirements previously detailed. In addition, verify that the ASDM management client is included in the http configuration statement on the PIX firewall. To verify that the client management station is configured for access to ASDM, use the show http command on the PIX device. Now, complete this series of steps to connect to the PIX firewall with ASDM.

1. Launch a JDK 1.1.4 capable browser on an authorized ASDM management workstation and connect to the internal IP address of the PIX firewall using SSL.
NOTE Be sure to type https://, not http://, in the URL string. ASDM only allows encrypted access and will not function via an unencrypted link.
2. A Security Alert window will appear upon connecting to ASDM the first time, as shown in Figure 4.1.
Figure 4.1 The Security Alert Window
3. When you’re prompted to proceed, choose to accept the SSL security certificate by clicking Yes.

4. After you accept the security certificate, an authentication prompt appears, as shown in Figure 4.2. When prompted for authentication credentials, do not enter a username unless you have already configured individual user accounts via the PIX CLI. Enter the enable password in the password field and click OK.
Figure 4.2 The ASDM Login Window
5. ASDM displays the window shown in Figure 4.3. This window permits you to either (1) download the ASDM Launcher and start ASDM, or (2) run ASDM as a Java Applet. The first option is a new feature of ASDM that allows you to run ASDM as an application from your desktop, while the second option is the traditional way of using the PIX Device Manager (PDM), ASDM’s predecessor. Select the download option.
Figure 4.3 The Cisco ASDM Running Options
6. After you select the download option, the ASDM download process begins and the screen shown in Figure 4.4 appears.
Figure 4.4 The ASDM Launcher
7. If you select the Run ASDM as Java Applet option from Figure 4.3, the Security Warning window will appear, as shown in Figure 4.5. Click Yes.
Figure 4.5 The Security Warning Window
Both options result in the display of the ASDM main screen, as shown in Figure 4.6.

8. From the main ASDM screen, notice that there are pull-down menus, toolbar buttons, and some status panels. Click the pull-down menus and toolbar buttons to become familiar with the interface. The three main toolbar buttons are:

■ Home This screen is used to show a dashboard-style status of the PIX.
■ Configuration This screen is used to configure the various aspects of the PIX.
■ Monitoring This screen is used to monitor the PIX firewall.
Figure 4.6 The ASDM Main Screen
In addition to the main toolbar buttons available in ASDM, there are several useful pull-down menus. Figure 4.7 shows the options available from the File pull-down menu. You can write configuration changes to various locations such as a TFTP server or the PIX firewall, view the running configuration, refresh the ASDM configuration, or reset the PIX to the factory default configuration. Resetting the PIX to the factory default configuration is a convenient way to erase any changes made to the configuration since it was installed and return to an initial state of operation.

Figure 4.8 shows the options available from the Options pull-down menu. ASDM does not support the complete command set of the CLI. In most cases, ASDM ignores unsupported commands, and they can remain in your configuration. Selecting the Show Commands Ignored by ASDM on Device item from the Options menu displays a list of commands that are ignored by ASDM in the current configuration, as shown in Figure 4.9.
Figure 4.7 The File Pull-Down Menu Items
Figure 4.8 The Options Pull-Down Menu Items
Figure 4.9 The Commands Ignored by ASDM Window
Selecting the Preferences menu item from the Options pull-down menu allows you to specify some options regarding your use of ASDM, as shown in Figure 4.10. For users who are unfamiliar with CLI commands, selecting the Preview commands before sending to the device option shows you the CLI commands that are generated when you configure various aspects of the PIX via ASDM. This preference can be used as a type of learning mode for CLI commands. The Confirm before exiting from ASDM option ensures that you don’t accidentally exit ASDM. The Issue ‘clear xlate’ cmd when access-lists are deployed option implements a best practice discussed in Chapter 3, “PIX Firewall Operations,” regarding access-list modifications: clearing the existing translations ensures that there are no stale translations. The Alert about existence of the VPN Wizard when the VPN feature is accessed option notifies you that a VPN Wizard is available to help you configure VPNs on the PIX.
Figure 4.10 The ASDM Preferences Window
Figure 4.11 shows the options available from the Tools pull-down menu.The tools provide graphical windows from which you can configure aspects of the PIX.
Figure 4.11 The Tools Pull-Down Menu
Selecting the Command Line Interface item from the Tools menu displays the window shown in Figure 4.12.This window allows you to enter a CLI command that will be sent to the PIX.The results are displayed in the Response panel within the window.
Figure 4.12 The ASDM Command Line Interface Window
Selecting the Ping item from the Tools menu displays the window shown in Figure 4.13.This tool allows you to test basic network connectivity via the ping command.
Figure 4.13 The ASDM Ping Window
Selecting the Manage Service Groups item from the Tools menu provides the graphical interface to define TCP, UDP, and TCP-UDP services groups, as shown in Figure 4.14.
Figure 4.14 The ASDM Manage Service Groups Window
From the Manage Service Groups window, click Add to create a new service group. The Add Service Group window shown in Figure 4.15 appears. Create a new service group by specifying a name and description, selecting the services or ports to include in the group, and clicking OK.
Figure 4.15 The ASDM Add Service Group Window
Selecting the File Management item from the Tools menu provides a Windows Explorer-like graphical interface to the PIX file system, as shown in Figure 4.16.You can manage the file system just as you would manage your local hard drive.You can create a new directory, and copy, cut, paste, delete, rename, and view files.
Figure 4.16 The ASDM File Management Window
Selecting the Upload Image from Local PC item from the Tools menu provides a graphical interface for specifying a local ASDM or PIX image file to upload to the PIX, as shown in Figure 4.17.
Figure 4.17 The ASDM Upload Image from Local PC Window
Selecting the File Transfer item from the Tools menu provides a graphical interface for specifying a file to transfer to or from the PIX, as shown in Figure 4.18. Within the window, you specify the source file, destination file, and the method of transfer (TFTP, FTP, HTTP, HTTPS).
Figure 4.18 The ASDM File Transfer Window
Selecting the System Reload item from the Tools menu provides a graphical interface for specifying an immediate or scheduled reload, as shown in Figure 4.19.You can also specify that the running configuration should be saved at the time of reload.
Figure 4.19 The ASDM System Reload Window
Figure 4.20 shows the options available from the Wizards pull-down menu.The Startup Wizard and VPN Wizard help you configure the PIX upon initial installation and configure VPN connections, respectively. Using the VPN Wizard is described in the section entitled Configuring VPNs Using ASDM.
Figure 4.20 The Wizards Pull-Down Menu
The final pull-down menu is Help. From Help, you will find links to detailed information regarding ASDM and the PIX firewall. Help features in ASDM are context sensitive.
Configuring the PIX Firewall Using ASDM

After successfully installing ASDM, connect to the PIX firewall via ASDM and begin configuring a specific security policy appropriate for your company. In this section, we discuss all the main toolbar buttons available in ASDM and work through several exercises typical of PIX firewall implementations, such as:

■ Using the Startup Wizard
■ Configuring firewall system properties
■ Implementing NAT
■ Allowing inbound traffic from external sources
■ Configuring VPNs
Using the Startup Wizard

ASDM includes wizards to assist firewall administrators in the initial setup and ongoing maintenance of the PIX firewall. One of these wizards, the Startup Wizard, guides you through typical setup configuration prompts such as interface settings, passwords, auto-update information, and others. The Startup Wizard is an excellent tool to use initially and for regular configuration changes; it extracts the current configuration and presents these PIX attributes to the administrator automatically. Therefore, the Startup Wizard process will not overwrite the current PIX firewall configuration. This section provides a step-by-step exercise through the Startup Wizard prompts.

1. To access the Startup Wizard, select Startup Wizard from the Wizards menu. The Startup Wizard Welcome window appears, as shown in Figure 4.21.

2. To proceed with the wizard, click Next. The Basic Configuration window appears, as shown in Figure 4.22. This window allows you to configure the PIX hostname and domain name, as well as the Enable password.
NOTE At any time during the wizard process, you may exit by clicking Cancel. To exit the Startup Wizard and save your changes at any time, click Finish. ASDM updates the running PIX configuration and you will return to the ASDM main window.
Figure 4.21 The ASDM Startup Wizard Welcome Screen
Figure 4.22 The ASDM Startup Wizard Basic Configuration Screen
3. To change any of the settings, simply type a new hostname or domain name or click the Change Enable Password check box and enter new authentication credentials.To continue with the wizard, click Next.The Outside Interface Configuration window appears (see Figure 4.23).
Figure 4.23 The ASDM Startup Wizard Outside Interface Configuration Screen
4. From the Outside Interface Configuration window, you can select the speed of the outside interface and determine how to address the outside interface. From the wizard, you can choose to automatically configure the interface via PPPoE.You can also select DHCP to automatically determine the address of the outside interface.
NOTE Before using PPPoE or DHCP to configure the outside interface, verify that your ISP is providing these services.
5. To statically configure the outside interface, select Static IP Address and provide the IP address, subnet mask, and default gateway in the fields provided. To proceed with the wizard, click Next to set up auto-update functionality. The Other Interfaces Configuration window appears (see Figure 4.24).

6. From the Other Interfaces Configuration window, you can configure the remaining PIX firewall interfaces. Select an interface from the list in the Other Interfaces Configuration window and click Edit to change interface parameters. Click Next to proceed to the DHCP Server Configuration window, as shown in Figure 4.25.
Figure 4.24 The ASDM Startup Wizard Other Interfaces Configuration Screen
Figure 4.25 The ASDM Startup Wizard DHCP Server Screen
7. The PIX firewall can act as a DHCP server for internal clients, which is quite useful in small office/home office (SOHO) environments. From the DHCP Server Configuration window, you can establish a basic DHCP server configuration. To start DHCP server operations on the firewall, click Enable DHCP server on the inside interface and enter a DHCP address range in the space provided. You can also alter the DHCP lease length from the wizard. When finished, click Next. The Address Translation (NAT/PAT) window is displayed, as shown in Figure 4.26.
Figure 4.26 The ASDM Startup Wizard Address Translation (NAT/PAT) Screen
8. From this window, you can configure the different types of address translation available on the PIX firewall.To configure PAT, click Use Port Address Translation (PAT) and either use the outside interface as the PAT address or enter a specific IP address in the space provided. If you would like to configure NAT, click Use Network Address Translation (NAT) and enter the appropriate global address parameters. Finally, to turn NAT off, click Do not translate any addresses. When you’re finished, click Next.The Administrative Access window appears, as shown in Figure 4.27.
Figure 4.27 The ASDM Startup Wizard Administrative Access Screen
9. From this window, you can configure which addresses are allowed to access the PIX using the various access modes, including ASDM/HTTPS, SSH, or Telnet. This window also provides you the options of enabling the HTTP server for ASDM access and enabling ASDM history metrics. When finished, click Next. A screen appears to signify that the wizard is complete, as shown in Figure 4.28.
Figure 4.28 The ASDM Startup Wizard Administrative Access Screen
10. Click Finish to exit the wizard, save the changes made during the wizard process, and return to the ASDM window.

After you complete the wizard, ASDM sends the updated configuration to the PIX firewall and refreshes the PIX configuration visible via the ASDM interface. After making changes to the PIX firewall, you must click Save to write the updated configuration to the PIX flash memory. If you fail to do so, the new configuration will not be available after a reboot.
Configuring System Properties

Although the Startup Wizard is a convenient and helpful ASDM utility, configuring more granular and specific properties and rules on the PIX firewall requires the use of the toolbar buttons in the main ASDM window.

1. To configure the System Properties, click the Configuration toolbar button. This displays the window shown in Figure 4.29.

2. On the left side of the screen, click Properties. The window shown in Figure 4.30 appears.
Figure 4.29 The ASDM Configuration Window
Figure 4.30 The ASDM Configuration—Properties Window
From this window, you can administer many important PIX system properties, as shown in the explorer panel on the left side of the window.The configurable properties include:
■ AAA Setup
■ Advanced
■ ARP Static Table
■ Auto Update
■ DHCP Services
■ DNS Client
■ Failover
■ History Metrics
■ IP Audit
■ Logging
■ Priority Queue
■ SSL
■ SUNRPC Server
■ URL Filtering
The AAA Menu

The AAA Setup menu item facilitates the configuration of Cisco authentication, authorization, and accounting variables through the AAA Server Groups, AAA Servers, and Auth. Prompt subcategories. Click each of these submenu items to view the options contained therein. The AAA Server Groups Configuration window is shown in Figure 4.31. Three AAA server groups are predefined and visible from the AAA Server Groups subcategory: TACACS+, RADIUS, and LOCAL. These default groups can be used in your configuration, or you can add new groups by clicking Add. New groups can be either RADIUS or TACACS+ based.

Clicking on the AAA Servers submenu item within the explorer pane displays the AAA Servers Configuration window shown in Figure 4.32. This window displays the AAA servers that have been defined on the PIX. To add a new AAA server, click Add, and specify the server group to which it should belong, the PIX interface where it resides, the IP address, the timeout (in seconds), and the appropriate AAA protocol (e.g., TACACS+, RADIUS) parameters.
Figure 4.31 The ASDM AAA Server Groups Configuration Screen
Figure 4.32 The ASDM AAA Servers Configuration Screen
Clicking on the Auth Prompt submenu item within the explorer pane displays the Auth Prompt Configuration window shown in Figure 4.33.This window allows you to specify the messages that should be displayed when the user is prompted for the username and password, when the user authentication succeeds, and when the user authentication fails.
Figure 4.33 The ASDM Auth Prompt Configuration Screen
The Advanced Menu

The Advanced menu provides you with the ability to specify some advanced TCP/IP protocol security countermeasures, including anti-spoofing, fragment parameters, TCP option parameters, and timeout parameters.

Clicking on the Anti-Spoofing submenu item within the explorer pane displays the Anti-Spoofing Configuration window shown in Figure 4.34. This window allows you to enable Unicast Reverse Path Forwarding on the PIX interfaces, which guards against IP spoofing (a packet uses an incorrect source IP address to obscure its true source). The anti-spoofing protection is accomplished by ensuring that all packets have a source IP address that matches the correct source interface according to the PIX routing table. To enable Unicast RPF on an interface, simply highlight the interface and click Enable.

Clicking on the Fragment submenu item within the explorer pane displays the Fragment Configuration window shown in Figure 4.35. This window allows you to configure the IP fragment database on each PIX interface to improve compatibility with NFS. The fragment database consists of the following parameters for each interface:
Figure 4.34 The ASDM Anti-Spoofing Configuration Screen
■ Size The maximum number of fragments that can be awaiting reassembly (default 200).
■ Chain length The maximum number of fragments that a full packet can be fragmented into (default 24).
■ Timeout The maximum number of seconds to wait for an entire fragmented packet to arrive (default 5).
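To show what each of the three settings protects and what the firewall does when one is exceeded, here is an added Python model of one interface's fragment database (this is not PIX code; the packet keys, limits and timestamps are constructed for the example):

```python
"""Model of one interface's IP fragment database with the three limits from the
Fragment screen: Size, Chain length and Timeout (defaults 200, 24 and 5 s).
Constructed example, not PIX code; the packet keys and timestamps are made up."""
from typing import Dict, Tuple

PacketKey = Tuple[str, str, int]   # (source IP, destination IP, IP identification)


class FragmentDB:
    def __init__(self, size: int = 200, chain: int = 24, timeout: float = 5.0):
        self.size = size          # max fragments awaiting reassembly, all packets
        self.chain = chain        # max fragments one packet may be split into
        self.timeout = timeout    # seconds to wait for the rest of a packet
        self._pending: Dict[PacketKey, dict] = {}

    def queued_fragments(self) -> int:
        """Fragments currently held (memory the database is spending)."""
        return sum(len(p["frags"]) for p in self._pending.values())

    def _expire(self, now: float) -> None:
        """Timeout: forget partial packets whose first fragment is too old."""
        stale = [k for k, p in self._pending.items() if now - p["first_seen"] > self.timeout]
        for k in stale:
            del self._pending[k]

    def accept(self, key: PacketKey, index: int, last: bool, now: float) -> str:
        """Offer fragment number `index` (0-based) of packet `key`.
        Returns 'complete', 'queued', 'drop:chain' or 'drop:size'."""
        self._expire(now)
        if index >= self.chain:
            # Chain length: the packet needs more pieces than allowed; discard it.
            self._pending.pop(key, None)
            return "drop:chain"
        entry = self._pending.get(key)
        if entry is None:
            entry = {"frags": set(), "first_seen": now, "total": None}
        if index not in entry["frags"] and self.queued_fragments() >= self.size:
            # Size: the database is full; a new fragment cannot be held.
            return "drop:size"
        entry["frags"].add(index)
        if last:
            entry["total"] = index + 1   # the last fragment says how many to expect
        self._pending[key] = entry
        total = entry["total"]
        if total is not None and entry["frags"] == set(range(total)):
            del self._pending[key]       # all pieces present: hand the packet on
            return "complete"
        return "queued"


if __name__ == "__main__":
    db = FragmentDB(size=4, chain=3, timeout=5.0)
    key = ("198.51.100.7", "10.1.1.20", 0x1234)   # constructed packet
    for index, last, t in [(0, False, 100.0), (1, False, 100.5), (2, True, 101.0)]:
        print(f"fragment {index}: {db.accept(key, index, last, t)}")
```

Lowering Size or Timeout reduces the memory a flood of never-completed fragments can hold on the interface, at the cost of dropping legitimate packets on slow or lossy paths.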
To change any of these settings for an interface, simply highlight the interface and click Edit.

Clicking on the TCP Options submenu item within the explorer pane displays the TCP Options Configuration window shown in Figure 4.36. This window allows you to set options for TCP parameters, including:

■ Force Maximum Segment Size for TCP Proxy Sets the maximum value for the TCP maximum segment size in bytes. If either the client or server attempts to set the maximum segment size to a value greater than this parameter, the PIX overrides it and inserts the value set here. To disable this feature, set the size to 0 bytes.
■ Force Minimum Segment Size for TCP Proxy Sets the minimum value for the TCP maximum segment size in bytes. If either the client or server attempts to set the maximum segment size to a value less than this parameter, the PIX overrides it and inserts the value set here. This feature is disabled by default (i.e., set to 0 bytes).
Figure 4.35 The ASDM Fragment Configuration Screen
■ Force TCP Connection to Linger in TIME_WAIT State for at Least 15 Seconds This feature enables you to configure the PIX to wait for an additional 15 seconds after the final normal TCP connection close. This can be useful for applications that do a quick-release TCP connection close, because the PIX may otherwise release the connection before one of the communicating hosts has a chance to close its side of the connection, which could degrade the performance of that host.
■ Reset Inbound Configures the PIX to send TCP resets for all TCP sessions that are attempting to traverse the security appliance and are denied based on access-lists. When this option is not selected, the PIX silently discards the packets of all such sessions.
■ Reset Outside Configures the PIX to send TCP resets for all TCP sessions that arrive at the least secure interface or terminate at the least secure interface, and are denied based on access-lists. When this option is not selected, the PIX silently discards the packets of all such sessions.
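The Unicast RPF test described under the Anti-Spoofing item earlier in this section, as an added Python model (not Cisco code; the routing table, interface names and packets are constructed for the example): a packet passes only when the longest-prefix route for its source address points back out the interface it arrived on.

```python
"""Unicast Reverse Path Forwarding as the Anti-Spoofing screen enables it per
interface.  Constructed example, not Cisco code: a packet passes when the
longest-prefix route for its *source* address points back out the interface
it arrived on; routes, interface names and packets are made up here."""
import ipaddress
from typing import Iterable, List, Optional, Tuple

Route = Tuple[ipaddress.IPv4Network, str]   # (destination prefix, interface)

# Constructed routing table of a small three-interface PIX.
ROUTES: List[Route] = [
    (ipaddress.IPv4Network("0.0.0.0/0"), "outside"),       # default route
    (ipaddress.IPv4Network("10.1.0.0/16"), "inside"),
    (ipaddress.IPv4Network("10.1.50.0/24"), "dmz"),        # more specific than the /16
    (ipaddress.IPv4Network("192.168.100.0/24"), "inside"),
]


def route_interface(routes: Iterable[Route], address: str) -> Optional[str]:
    """Longest-prefix match: the interface the PIX would use to reach address."""
    addr = ipaddress.IPv4Address(address)
    best: Optional[Route] = None
    for net, iface in routes:
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best[1] if best else None   # None: no route at all


def urpf_permits(routes, enabled_on: Iterable[str], ingress: str, src_ip: str) -> bool:
    """Apply the reverse-path test only on interfaces where it is enabled."""
    if ingress not in set(enabled_on):
        return True
    # A source with no return route, or one routed out another interface, fails.
    return route_interface(routes, src_ip) == ingress


def urpf_report(routes, enabled_on, packets):
    """Tag each constructed (ingress interface, source IP) pair as 'pass' or 'drop'."""
    return [(iface, src, "pass" if urpf_permits(routes, enabled_on, iface, src) else "drop")
            for iface, src in packets]


if __name__ == "__main__":
    PACKETS = [("outside", "203.0.113.5"), ("outside", "10.1.2.3"),
               ("inside", "10.1.2.3"), ("inside", "10.1.50.7"), ("dmz", "10.1.2.3")]
    for row in urpf_report(ROUTES, {"outside", "inside"}, PACKETS):
        print(row)
```

Note the dmz case: with the check disabled on that interface, a packet carrying an inside source address is accepted, which is why the screen lets you enable RPF per interface and why it belongs on every interface whose peers should never originate internal addresses.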
Clicking on the Timeouts submenu item within the explorer pane displays the Timeouts Configuration window shown in Figure 4.37. This window allows you to set the timeout durations for use with the PIX. All durations are displayed in the format hh:mm:ss. You can set the idle time for the connection and translation slots of various protocols. If the slot has not been used for the idle time specified, the resource is returned to the free pool. TCP connection slots are freed approximately 60 seconds after a normal connection close sequence.
Figure 4.36 The ASDM TCP Options Configuration Screen
NOTE It is recommended that you do not change these values unless advised to do so by Customer Support.
Figure 4.37 The ASDM Timeouts Configuration Screen
The ARP Static Table Menu

Clicking on the ARP Static Table menu item within the explorer pane displays the ARP Static Table Configuration window shown in Figure 4.38. This window allows you to add static ARP entries that map a MAC address to an IP address for a given interface.
Figure 4.38 The ASDM ARP Static Table Configuration Screen
The Auto Update Menu

Clicking on the Auto Update submenu item within the explorer pane displays the Auto Update Configuration window shown in Figure 4.39. This window allows you to configure the PIX to be managed remotely from a server that supports Auto Update. This allows you to apply configuration changes to the PIX and receive software updates from a remote location. The automated update capability greatly simplifies firewall administration, especially in large corporate environments with multiple PIX firewalls.

To use the automatic update feature, you must first configure a Web server to store the configuration files and provide update services. To enable automatic updates, click the Enable Auto Update check box. Several attributes must be configured before auto-update will function properly. From the Auto Update URL section of the screen, specify the server address, port, password, and protocol. Additionally, you must specify the path to the configuration file on the server. Other variables such as server timeout and polling parameters can also be configured from this screen.
Figure 4.39 The ASDM Auto Update Configuration Screen
NOTE Cisco Secure Policy Manager (CSPM) can be used as an auto-update server.
The DHCP Services Menu

Clicking on the DHCP Server submenu item within the explorer pane displays the DHCP Server Configuration window shown in Figure 4.40. This window allows you to configure the PIX interfaces as DHCP servers. This is extremely beneficial in small office and home environments where access to additional server equipment could be limited. You can configure only one DHCP server per interface, and you cannot configure a DHCP server on an interface that has DHCP Relay configured on it.

Enable DHCP services on the PIX firewall by highlighting the desired interface and clicking Edit. In the dialog box that appears, click the Enable DHCP server check box, specify the DHCP address pool, and click OK. From the main screen, you can specify Other DHCP Options such as DNS Servers, Domain Name, and WINS Servers. You can also specify the DHCP Lease Length and Ping Timeout values. Clicking Advanced lets you configure DHCP option parameters. You can use these to provide additional information to DHCP clients. For example, DHCP option 150 and DHCP option 66 provide TFTP server information to Cisco IP Phones and Cisco IOS routers.
Figure 4.40 The ASDM DHCP Server Configuration Screen
Clicking on the DHCP Relay submenu item within the explorer pane displays the DHCP Relay Configuration window shown in Figure 4.41.This window allows you to configure DHCP relay services on the PIX.This passes DHCP requests received on one interface to a DHCP server located behind a different interface.To configure DHCP relay, you need to specify at least one DHCP relay server and then enable a DHCP relay agent on the interface receiving DHCP requests.
Figure 4.41 The ASDM DHCP Relay Configuration Screen
To specify a DHCP server, click Add in the DHCP Relay Servers panel. In the dialog box that appears, enter the IP address, specify the interface that should be used to reach the server, and then click OK. To enable DHCP relay on an interface, highlight the desired interface in the DHCP Relay Agent panel, and click Edit. In the dialog box that appears, check the Enable DHCP Relay Agent check box. From this box, you can also configure the PIX to rewrite the default router parameter communicated by the DHCP server so that it is the PIX interface address. Click OK.
NOTE Before configuring DHCP Relay on the PIX, you must ensure that you have implemented a separate DHCP server. This server cannot be another PIX firewall interface configured as a DHCP server.
The DNS Client Menu

Clicking on the DNS Client submenu item within the explorer pane displays the DNS Client Configuration window shown in Figure 4.42. This window allows you to specify DNS servers for the PIX to use to resolve names to IP addresses.
Figure 4.42 The ASDM DNS Client Configuration Screen
The Failover Menu

Clicking on the Failover submenu item within the explorer pane displays the Failover Configuration window shown in Figure 4.43. This window contains the tabs where you can configure Active/Standby failover in single context mode. For detailed information regarding failover, refer to Chapter 11, “Configuring Failover.” You can enable failover for the PIX from the Setup tab within the window, as shown in Figure 4.43. You also specify the failover link, the state link (if using stateful failover), and the LAN failover parameters (if using LAN failover instead of serial cable failover).
Figure 4.43 The ASDM Failover (Setup) Configuration Screen
Clicking on the Interfaces tab brings up the window shown in Figure 4.44. Use this tab to define the standby IP address for each interface on the security appliance and to specify whether the status of the interface should be monitored. Simply highlight the desired interface, click Edit, and provide the standby IP address. Clicking on the Criteria tab brings up the window shown in Figure 4.45. Use this tab to define criteria for failover, such as how many interfaces must fail and how long to wait between polls.
Figure 4.44 The ASDM Failover (Interfaces) Configuration Screen
Figure 4.45 The ASDM Failover (Criteria) Configuration Screen
Clicking on the MAC Addresses tab brings up the window shown in Figure 4.46. Use this tab to configure the virtual MAC addresses for the interfaces in an Active/Standby failover pair.
Figure 4.46 The ASDM Failover (MAC Addresses) Configuration Screen
The History Metrics Category

Clicking on the History Metrics submenu item within the explorer pane displays the History Metrics window shown in Figure 4.47. This window allows you to configure the PIX to keep a history of various statistics that can be displayed by ASDM on any graph or table. If you do not enable history metrics, you can only monitor statistics in real time. Enabling history metrics lets you view statistics graphs from the last 10 minutes, 60 minutes, 12 hours, and 5 days.
The IP Audit Menu

Clicking on the IP Audit Policy submenu item within the explorer pane displays the IP Audit Policy window shown in Figure 4.48. This window allows you to add attack and informational audit policies and assign them to interfaces. The attack policy determines the action to take with packets that match an attack signature, while the informational policy determines the action to take with packets that match an informational signature (e.g., port scan). For detailed information regarding the configuration of Intrusion Detection and Attack Management, refer to Chapter 6, “Filtering, Intrusion Detection, and Attack Management.”
Figure 4.47 The ASDM History Metrics Configuration Screen
Figure 4.48 The ASDM IP Audit Policy Configuration Screen
Clicking on the IP Audit Signatures submenu item within the explorer pane displays the IP Audit Signatures window shown in Figure 4.49. This window allows you to disable audit signatures. You might want to disable a signature if legitimate traffic continually matches a signature, and you are willing to risk disabling the signature to avoid large numbers of alarms. For detailed information regarding the configuration of Intrusion Detection and Attack Management, refer to Chapter 6.
Figure 4.49 The ASDM IP Audit Signatures Configuration Screen
The Logging Menu

Clicking on the Logging Setup submenu item within the explorer pane displays the Logging Setup window shown in Figure 4.50. This window allows you to enable system logging and configure logging parameters. For detailed information regarding the configuration of Logging, refer to Chapter 9.

Clicking on the Event Lists submenu item within the explorer pane displays the Event Lists window shown in Figure 4.51. This window allows you to define a set of syslog messages to filter for transmission to a logging destination. To place each window in context, the previous window (Logging Setup) allows you to enable logging and set up logging parameters. This window (Event Lists) allows you to configure syslog filters that can be sent to a logging destination, and the next window (Logging Filters) allows you to specify a logging destination (e.g., buffer, console, syslog server) for event lists. For detailed information regarding the configuration of Logging, refer to Chapter 9.
Figure 4.50 The ASDM Logging Setup Configuration Screen
Figure 4.51 The ASDM Event Lists Configuration Screen
Clicking on the Logging Filters submenu item within the explorer pane displays the Logging Filters window shown in Figure 4.52. This window allows you to configure a logging destination for event lists (syslog filters) that have been configured using the previous window (Event Lists). The potential destinations include:
■ Internal buffer
■ Console
■ Telnet sessions
■ Syslog servers
■ SNMP trap
■ E-mail
■ ASDM
For detailed information regarding the configuration of Logging, refer to Chapter 9.
Figure 4.52 The ASDM Logging Filters Configuration Screen
Clicking on the Syslog Setup submenu item within the explorer pane displays the Syslog Setup window shown in Figure 4.53. This window allows you to configure syslog parameters, including the facility code to include in syslogs, whether to include timestamps in syslogs, view syslog ID levels, modify syslog ID levels, and suppress syslog messages. For detailed information regarding the configuration of Logging, refer to Chapter 9.
Clicking on the Syslog Servers submenu item within the explorer pane displays the Syslog Servers window shown in Figure 4.54. This window allows you to specify the syslog servers to which the security appliance will send syslog messages. To make use of the syslog server(s) you define, you must enable logging using the Logging Setup window (Figure 4.49) and set up the appropriate filters for destinations using the Logging Filters window (Figure 4.51). For detailed information regarding the configuration of Logging, refer to Chapter 9.
Figure 4.53 The ASDM Syslog Setup Configuration Screen
Figure 4.54 The ASDM Syslog Servers Configuration Screen
Clicking on the E-Mail Setup submenu item within the explorer pane displays the E-Mail Setup window shown in Figure 4.55. This window allows you to set up a source e-mail address and a list of recipients for specified syslogs to be sent as e-mails. For detailed information regarding the configuration of Logging, refer to Chapter 9.
Figure 4.55 The ASDM E-Mail Setup Configuration Screen
The Priority Queue Category
Clicking on the Priority Queue submenu item within the explorer pane displays the Priority Queue window shown in Figure 4.56. This window shows the priority queue parameters on each configured interface. It is disabled by default.
Figure 4.56 The ASDM Priority Queue Configuration Screen
The SSL Category
Clicking on the SSL submenu item within the explorer pane displays the SSL window shown in Figure 4.57. This window allows you to configure SSL client versions, server versions, and encryption algorithms for use with ASDM and WebVPN sessions.
Figure 4.57 The ASDM SSL Configuration Screen
The SunRPC Server Category
Clicking on the SunRPC Server submenu item within the explorer pane displays the SunRPC Server window shown in Figure 4.58. This window shows what SunRPC services are allowed to traverse the security appliance and their specific timeout, on a per-server basis.
The URL Filtering Category
Clicking on the URL Filtering submenu item within the explorer pane displays the URL Filtering window shown in Figure 4.59. This window allows you to apply filtering to connection requests originating from a more secure network to a less secure network. Although you can use ACLs to prevent outbound access to specific content servers, managing usage this way is difficult because of the size and dynamic nature of the Internet. You can simplify configuration and improve security appliance performance by using a separate server running one of the following Internet filtering products:
■ Websense Enterprise for filtering HTTP, HTTPS, and FTP.
■ Sentian (by N2H2) for filtering HTTP only. (Although some versions of Sentian support HTTPS, the security appliance only supports filtering HTTP with Sentian.)
Figure 4.58 The ASDM SunRPC Server Configuration Screen
When filtering is enabled and a request for content is directed through the security appliance, the request is sent to the content server and to the filtering server at the same time. If the filtering server allows the connection, the security appliance forwards the response from the content server to the originating client. If the filtering server denies the connection, the security appliance drops the response and sends a message or return code indicating that the connection was not successful.
NOTE Although security appliance performance is less affected when using an external server, users may notice longer access times to Web sites or FTP servers when the filtering server is remote from the security appliance.
Figure 4.59 The ASDM URL Filtering Configuration Screen
Configuring VPNs Using ASDM
The command-line configuration of VPNs is addressed in detail in Chapter 10. In this chapter, we show you how to configure both Site-to-Site and Remote Access VPNs using the ASDM VPN Wizard.
Configuring a Site-to-Site VPN Using ASDM
1. To launch the VPN Wizard, select the VPN Wizard from the Wizards dropdown menu, as shown in Figure 4.60.
2. This brings up the ASDM VPN Wizard Tunnel Type screen shown in Figure 4.61. This screen prompts you to select the type of VPN that you want to configure:
■ Site-to-Site A VPN tunnel between two devices that is bidirectional.
■ Remote Access A VPN tunnel that is established from remote users such as telecommuters in order to access resources protected by the PIX.
■ VPN Tunnel Interface The interface that establishes a secure tunnel with the remote VPN peer.
3. Select the Site-to-Site tunnel type and the Outside interface. Click Next.
Figure 4.60 Launching the ASDM VPN Wizard
Figure 4.61 ASDM VPN Wizard Tunnel Type Screen
4. The Remote Site Peer screen appears, as shown in Figure 4.62, which prompts you for the following information:
■ Peer IP Address Enter the IP address of the remote VPN peer that terminates the tunnel. The peer could be another PIX, a VPN concentrator, or any other gateway device that supports IPsec.
■ Tunnel Group Name Enter a name to create a group that contains VPN connection policies for this connection. A group that you configure with this VPN wizard specifies an authentication method, and uses the PIX Default Group Policy.
■ Authentication Use this panel to specify how the remote site peer authenticates—with either a pre-shared key or a certificate.
  ■ Pre-shared Key Click this button to use a pre-shared key for authentication between the PIX and the remote peer, and enter the pre-shared key value in the text box. Use a secure method to exchange the pre-shared key with the administrator of the remote site.
  ■ Certificate Click this button to use certificates for authentication between the PIX and the remote peer. To complete this section, you must have previously enrolled with a CA and downloaded one or more certificates to the PIX (refer to Chapter 10). Select the Certificate Signing Algorithm from the drop-down list (either rsa-sig for RSA or dsa-sig for DSA). Additionally, select the Trustpoint Name that identifies the certificate the PIX sends to the remote peer.
5. Enter the Peer IP Address and Tunnel Group Name, and select Pre-shared Key authentication with an appropriate value for the pre-shared key. Click Next.
NOTE The choice between using pre-shared keys or certificates for authentication is a question of ease of deployment versus scalability. Using a pre-shared key is a quick and easy way to set up communication with a limited number of remote peers and a stable network; however, it may cause scalability problems in a large network. Using digital certificates is a more scalable way to perform authentication than pre-shared keys; however, the initial setup is more complex.
6. The IKE Policy screen appears, as shown in Figure 4.63. This screen prompts you for the Encryption algorithm, the Authentication algorithm, and the Diffie-Hellman Group that the two peers should use to negotiate an Internet Key Exchange (IKE) security association. Select the default values of 3DES, SHA, and 2 for the Encryption, Authentication, and DH Group values, respectively. Click Next.
Figure 4.62 ASDM VPN Wizard Remote Site Peer Screen
NOTE The remote peer must have the same exact values selected for Encryption, Authentication, and DH Group, or the two peers will fail to establish a VPN tunnel.
Figure 4.63 ASDM VPN Wizard IKE Policy Screen
7. The IPsec Encryption and Authentication screen appears, as shown in Figure 4.64. This screen prompts you for the Encryption and Authentication algorithms to use for the actual VPN tunnel. Select the default values of 3DES and SHA for Encryption and Authentication, respectively. Click Next.
NOTE The remote peer must have the same exact values selected for Encryption and Authentication, or the two peers will fail to establish a VPN tunnel.
Figure 4.64 ASDM VPN Wizard IPsec Encryption and Authentication Screen
8. The Local Hosts and Networks screen appears, as shown in Figure 4.65. This screen prompts you to identify hosts and networks at the local site that can use this LAN-to-LAN IPsec tunnel to communicate with remote site devices. You can identify hosts and networks by IP address, DNS name, or group policy. Depending on your choice, the remaining fields in this panel change. Make the desired selection(s) and click Add. Once all of the desired hosts and networks are listed in the Selected Hosts/Networks list, click Next.
NOTE For the VPN tunnel to succeed, both peers in the LAN-to-LAN connection must have compatible entries for hosts and networks.
Figure 4.65 ASDM VPN Wizard Local Hosts and Networks Screen
9. The Remote Hosts and Networks screen appears, as shown in Figure 4.66. This screen is similar to the previous one, but it prompts you to identify hosts and networks at the remote site that can use this LAN-to-LAN IPsec tunnel to communicate with local site devices. You can identify hosts and networks by IP address, DNS name, or group policy. Depending on your choice, the remaining fields in this panel change. Make the desired selection(s) and click Add. Once all of the desired hosts and networks are listed in the Selected Hosts/Networks list, click Next.
NOTE For the VPN tunnel to succeed, both peers in the LAN-to-LAN connection must have compatible entries for hosts and networks.
10. The Summary screen appears, as shown in Figure 4.67. This provides a summary of all of the VPN configuration information that you specified throughout the wizard process. Verify that the information is accurate, and click Finish to create the Site-to-Site VPN. If any of the information is inaccurate, use the Back button to go back to the appropriate screen and make changes.
Figure 4.66 ASDM VPN Wizard Remote Hosts and Networks Screen
Figure 4.67 ASDM VPN Wizard Summary Screen
Configuring a Remote Access VPN Using ASDM
1. To launch the VPN Wizard, select the VPN Wizard from the Wizards dropdown menu, as shown in Figure 4.68.
Figure 4.68 Launching the ASDM VPN Wizard
2. This brings up the ASDM VPN Wizard Tunnel Type screen shown in Figure 4.69. This screen prompts you to select the type of VPN that you want to configure:
■ Site-to-Site A VPN tunnel between two devices that is bidirectional.
■ Remote Access A VPN tunnel that is established from remote users such as telecommuters in order to access resources protected by the PIX.
■ VPN Tunnel Interface The interface that establishes a secure tunnel with the remote VPN peer.
3. Select the Remote Access tunnel type and the Outside interface. Click Next.
4. The Remote Access Client screen appears, as shown in Figure 4.70. Click the Cisco VPN Client Release 3.x or higher, or other Easy VPN Remote product button for IPsec connections, and click Next.
5. The VPN Client Tunnel Group Name and Authentication Method screen appears, as shown in Figure 4.71. This screen allows you to group remote access tunnel users based on common connection parameters and client attributes. You can create different remote access tunnel groups that have differing privileges when connecting to the network. It prompts you for the following information:
■ Tunnel Group Name Enter a name to create a group that contains VPN connection policies for this connection.
■ Authentication Use this panel to specify how the remote site peer authenticates—with either a pre-shared key or a certificate.
■ Pre-shared Key Click this button to use a pre-shared key for authentication between the PIX and the remote peer, and enter the pre-shared key value in the text box. Use a secure method to exchange the pre-shared key with the administrator of the remote site.
■ Certificate Click this button to use certificates for authentication between the PIX and the remote peer. To complete this section, you must have previously enrolled with a CA and downloaded one or more certificates to the PIX (refer to Chapter 10). Select the Certificate Signing Algorithm from the drop-down list (either rsa-sig for RSA or dsa-sig for DSA). Additionally, select the Trustpoint Name that identifies the certificate the PIX sends to the remote peer.
6. Enter the Tunnel Group Name, and select Pre-shared Key authentication with an appropriate value for the pre-shared key. Click Next.
NOTE The choice between using pre-shared keys or certificates for authentication is a question of ease of deployment versus scalability. Using a pre-shared key is a quick and easy way to set up communication with a limited number of remote peers and a stable network; however, it may cause scalability problems in a large network. Using digital certificates is a more scalable way to perform authentication than pre-shared keys; however, the initial setup is more complex.
7. The Client Authentication screen appears, as shown in Figure 4.72. This screen allows you to specify the method used to authenticate remote access VPN users. You could authenticate them either using the local user database on the PIX, or using an external AAA server group via the RADIUS or TACACS+ protocols. Refer to Chapter 8 for more detailed information on configuring AAA. Select Authenticate using an AAA server group and select the appropriate group from the AAA Server Group drop-down list. Click Next.
Figure 4.71 ASDM VPN Wizard VPN Client Tunnel Group Name and Authentication Method Screen
NOTE For a large community of Remote Access VPN users, using an external AAA server group is more scalable. If you have already established your users within an internal directory, such as Microsoft Active Directory, you can authenticate your Remote Access VPN users against the directory using RADIUS. Refer to Chapter 8 for more detailed information.
8. The Address Pool screen appears, as shown in Figure 4.73. This screen allows you to configure a pool of IP addresses for the PIX to allocate dynamically to Remote Access VPN users when they establish a connection. Specify the pool either by identifying a starting and ending value or by specifying a starting value and a subnet mask. Click Next.
Figure 4.73 ASDM VPN Wizard Address Pool Screen
9. The Attributes Pushed to Client screen appears, as shown in Figure 4.74. This screen allows you to specify DNS, WINS, and domain name information for the PIX to communicate to Remote Access VPN users when they establish a connection. Enter the primary and secondary DNS and WINS servers and the default domain name. Click Next.
10. The IKE Policy screen appears, as shown in Figure 4.75. This screen prompts you for the Encryption algorithm, the Authentication algorithm, and the Diffie-Hellman Group that the two peers should use to negotiate an Internet Key Exchange (IKE) security association. Select the default values of 3DES, SHA, and 2 for the Encryption, Authentication, and DH Group values, respectively. Click Next.
NOTE The remote peer must have the same exact values selected for Encryption, Authentication, and DH Group, or the two peers will fail to establish a VPN tunnel.
Figure 4.74 ASDM VPN Wizard Attributes Pushed to Client Screen
Figure 4.75 ASDM VPN Wizard IKE Policy Screen
11. The IPsec Encryption and Authentication screen appears, as shown in Figure 4.76. This screen prompts you for the Encryption and Authentication algorithms to use for the actual VPN tunnel. Select the default values of 3DES and SHA for Encryption and Authentication, respectively. Click Next.
NOTE The remote peer must have the same exact values selected for Encryption and Authentication, or the two peers will fail to establish a VPN tunnel.
Figure 4.76 ASDM VPN Wizard IPsec Encryption and Authentication Screen
12. The Address Translation and Split Tunneling screen appears, as shown in Figure 4.77. This screen allows you to identify local hosts/networks that do not require address translation. By default, the PIX hides the real IP addresses of internal hosts and networks from outside hosts by using dynamic or static NAT. If you want all hosts and networks to be exempt from NAT, configure nothing on this panel. Otherwise, specify the hosts and/or networks and click Add.
NOTE If you have even one entry in the Selected Hosts/Networks list, all other hosts and networks are subject to NAT and may not be reachable by Remote Access VPN users.
This screen also allows you to configure split tunneling, which causes traffic for protected networks to be encrypted, while traffic to unprotected networks is unencrypted.
When you enable split tunneling, the PIX pushes a list of IP addresses to the remote VPN client after authentication. The remote VPN client then encrypts traffic to the IP addresses that are behind the PIX, while sending all other traffic unencrypted directly to the Internet without involving the PIX.
NOTE From a security perspective, it is good practice to disable split tunneling. The use of split tunneling essentially causes the Remote Access VPN client to be dual-homed to both your internal network (via VPN) and the Internet. This creates a window of opportunity for your internal network to be compromised via the VPN client.
The Summary screen appears, as shown in Figure 4.78. This provides a summary of all of the VPN configuration information that you specified throughout the wizard process. Verify that the information is accurate, and click Finish to create the Remote Access VPN. If any of the information is inaccurate, use the Back button to go back to the appropriate screen and make changes.
Figure 4.78 ASDM VPN Wizard Summary Screen
Summary
ASDM is a highly capable graphical interface for managing the PIX firewall. In addition to providing nearly all CLI functionality, ASDM includes several features to further simplify the ongoing maintenance and operations firewall administrators and security policymakers perform. Because ASDM is Java based and runs as a signed applet over an SSL-encrypted browser session, administrators can use it securely from any authorized client. This remote management capability can be highly valuable in large, distributed environments.
Of the vast ASDM functionality, perhaps most powerful are the ASDM wizards, which include the Startup Wizard and the VPN Wizard. Using these tools, administrators are guided using interactive prompts through the often-complex process of building PIX configurations and VPN tunnel services.
In addition to the wizard functionality, ASDM facilitates full configuration of PIX firewall access, AAA, filter, NAT rules, logging, user accounts, and IDS configurations. This functionality includes the ability to manage complex, grouped services and network objects.
The ASDM GUI is intuitive and well organized and helps prevent accidental syntax and configuration errors that could cause the firewall to fail. Moreover, ASDM can be used as a CLI learning tool for administrators who are not completely proficient with the PIX firewall command line by previewing all commands sent to the PIX.
Whether you are managing a single PIX firewall, five redundant PIX pairs, or 100 corporate firewalls, ASDM is a handy and powerful tool for firewall administrators.
Solutions Fast Track
Features, Limitations, and Requirements
■ ASDM 5.0 is supported on PIX 515/515E, PIX 525, and PIX 535 platforms running PIX firewall software version 7.0 or later.
■ Some CLI commands reduce ASDM functionality to Monitor-only mode.
■ ASDM is Java based and can be run either as a Java Applet or as a local application. It is available from any compliant and authorized client workstation for firewall management.
Installing, Configuring, and Launching ASDM
■ You must acquire and install a Data Encryption Standard (DES) or 3DES activation key on the PIX before PDM will function.
■ ASDM can be installed on the PIX firewall in a process similar to that of a PIX software image upgrade.
■ You can authorize specific IP addresses or networks for access via ASDM using the http command.
Configuring the PIX Firewall Using ASDM
■ Administrators can use the VPN Wizard to build IPsec, L2TP, and PPTP tunnels.
■ Object groups for services or network entities can be created and managed using PDM on the PIX firewall.
■ Rule sets can easily be rearranged from the Access Rules tab using the cut-and-paste functionality of the PDM Rules drop-down menu, the toolbar buttons, or the right-click mouse menu.
■ To set up a syslog logging host, use the Logging category available from the PDM System Properties tab.
Frequently Asked Questions
The following Frequently Asked Questions, answered by the authors of this book, are designed to both measure your understanding of the concepts presented in this chapter and to assist you with real-life implementation of these concepts. To have your questions about this chapter answered by the author, browse to www.syngress.com/solutions and click on the “Ask the Author” form. You will also gain access to thousands of other FAQs at ITFAQnet.com.
Q: Can I monitor and manage remote PIX firewalls using ASDM from a central facility or other offsite locations?
A: Yes. Using the http command via the CLI or ASDM, you can authorize an IP range or a specific IP address for access to ASDM.The ASDM connection is encrypted for security.
Q: Can I set up AAA for administrative connectivity to the PIX firewall using ASDM?
A: Yes. ASDM includes full AAA configuration functionality. Additionally, you can use ASDM to configure the PIX for AAA services for ASDM itself.
Q: Do I need a special license to enable ASDM on my PIX firewall?
A: Yes. You need a DES or 3DES activation key from Cisco before ASDM will function properly. A 56-bit DES key is available free. The 168-bit 3DES key is available from Cisco at an additional cost.
Q: Does ASDM include VPN maintenance functionality?
A: Yes. VPN maintenance functionality is available in ASDM. Additionally, ASDM includes VPN functionality not present in the CLI, such as the VPN Wizard.
Q: Can I use ASDM to manage multiple PIX firewalls at once?
A: Yes, but a separate instance of ASDM must be launched for each firewall.
326_PIX_2e_05.qxd
5/7/05
11:58 AM
Page 229
Chapter 5
Application Inspection
Solutions in this chapter:
■ New Features in PIX 7.0
■ Supporting and Securing Protocols
■ Application Layer Protocol Inspection
Summary
Solutions Fast Track
Frequently Asked Questions
Introduction
The Cisco PIX firewall has been providing the ability to secure application protocols for many years now, and version 7.0 is no exception. The ability to correct or compensate for native insecurities in an application is a prime requirement for security. This feature is called application inspection in version 7.0. Prior to the release of version 7.0, the PIX firewall handled application inspection through the fixup feature. In version 7.0, this has been replaced by protocol inspection, which is configured and deployed as a subset of modular policy framework (MPF), which allows for flexible and easily reusable modular configuration of inspection features. Similar to the modular quality of service functionality in Cisco IOS software, MPF is configured in three steps—class-maps, policy-maps, and service-policies—which will be discussed in full detail later.
New Features in PIX 7.0
Although it is still possible to configure fixup in version 7.0, any such commands are automatically converted to the new protocol inspection commands. Therefore, it is desirable to use the new command set to avoid confusion between entered and displayed configuration, and to take advantage of the flexibility of the new protocol inspection methodology (see Figure 5.1). Using the MPF-based commands also reduces potential complexity in the way that fixup commands are translated; because of the added granularity and flexibility that MPF provides, conversion of fixup commands may not occur exactly as you might expect. As well, in future PIX releases the fixup commands will no longer be supported, and you will be required to use MPF-based configuration.
Prior to MPF, most of these actions were an all-or-nothing proposition: either all traffic transiting an interface was subject to the same policies or none of the traffic. With MPF, 7.0 provides granularity to allow you to pick subsets of traffic from the whole, and apply policies to it. MPF is new to PIX 7.0; there were no pre-7.0 equivalents. Arguably, you could have some of this functionality in pre-7.0 by cobbling together various parameters, but nothing as granular or flexible as MPF.
An important note: Despite their similar names, the PIX inspect command is not the same as the ip inspect command in Cisco IOS software. Their functionality and configuration syntax should not be confused.
Supporting and Securing Protocols
Controlling access to and from your network may be as simple as implementing access control lists that define what traffic may come and go, based on addresses and port numbers. But there is an additional level of complexity involved with securing your network while allowing certain protocols to function; protocols that open secondary channels on dynamically assigned ports, or those that embed IP addresses within data packets, require application inspection to function securely.
Figure 5.1 MPF Process (flowchart)
START
class-map: identify the traffic to be subject to the policy; this includes IP addresses and transport protocol port numbers.
policy-map: create the policy, which specifies the actions that permit, deny, or otherwise manipulate the traffic and/or its handling.
service-policy: activate the policy by enabling it on an interface.
END
One of the earliest examples is File Transfer Protocol, or FTP (which we discuss in detail in the next section). The general problem these applications pose is that they use more than one connection to operate and only one of these connections occurs on a well-known port; the others use dynamically assigned port numbers, which are negotiated in the process of communication. In this chapter, we will look at the protocols that fall into these categories, to understand their unique characteristics and the security concerns associated with them. We will then go into detail about how to configure the PIX firewall to effectively handle these protocols, so that required access is seamlessly provided, while the firewall handles the application-specific details behind the scenes. Our example network is shown in Figure 5.2.
TCP, UDP, ICMP, and the PIX Firewall
Any firewall that wants to handle TCP, UDP, and ICMP negotiations well needs the ability to monitor them, understand them, and adjust its rules accordingly. This situation becomes even more complicated when NAT or PAT are involved; the firewall might need to change the data portion of a packet that carries embedded address information in order for the packet to be processed correctly by a client or server on the other side of the PIX. There are many implementations of this feature for various firewalls—for example, Stateful Inspection in the Check Point product family. The PIX firewall makes use of the Adaptive Security Algorithm (ASA).
Figure 5.2 Application Inspection (network diagram; only its labels survive extraction)
Outside network 192.168.10.0/24: Web 192.168.10.1, FTP 192.168.10.2, SMTP 192.168.10.3, Outside User 192.168.10.10
DMZ 10.0.0.0/24: Web 10.0.0.1, FTP 10.0.0.2, SMTP 10.0.0.3
Inside 172.16.1.0/24: Inside User 172.16.1.10
PIX: 192.168.0.0/24, connected to “The Internet”
Session flows labelled A, B, C: Outside Sessions and Sessions from Inside to Outside
The ASA uses several sources of information during its operation:
■ Access control lists (ACLs), which allow or deny traffic based on hosts, networks, and the TCP or UDP ports involved.
■ Internal translation (xlate) and connection (conn) tables, which store information about the state of the established connections and are used for fast processing of the traffic that belongs to these connections.
■ Embedded rules for application inspection, which allow automatic processing of most of the complicated cases mentioned. Although some of these rules are configurable, others are fixed.
Here we look at the processing of a TCP packet by ASA, including application-level intelligence (not considering address translation):
1. If the packet is not the first one in a connection (with the SYN bit set), it is checked against internal tables to decide if it is a reply to an established connection. If it is not, the packet is denied.
2. If it is a SYN packet, it is checked against internal tables to decide if it is a part of another established connection. If it is, the packet is permitted and internal tables are adjusted in order to permit return traffic for this connection.
3. If this SYN packet is not a part of any established communication, it is checked against ACLs.
4. If the SYN packet is permitted, the PIX creates a new entry in internal tables (the XLAT and/or CONN table).
5. The firewall checks to see whether the packet needs additional processing by application-level inspection algorithms. During this phase, the firewall can create additional entries in internal tables. For example, it can open a temporary conduit for an incoming FTP connection based on the PORT command that it sees in the packet. “Temporary” means that this conduit will exist only until the FTP session terminates and will be deleted after the session is closed.
6. The inspected packet is forwarded to the destination.
The situation for UDP is similar, although simpler because there are no distinct initial packets in the UDP protocol, so the inspection simply goes through internal tables and ACLs and then through application inspection for each packet received.
The PIX uses source/destination port numbers to decide if application inspection is needed for a particular packet. Some of these ports are configurable and others are not. Table 5.1, courtesy of Cisco (http://www.cisco.com/en/US/partner/products/sw/secursw/ps2120/products_configuration_guide_chapter09186a00804231c0.html, table 21-1), summarizes the application inspection functions provided by 7.0.
Table 5.1 continued Application Inspection Functions

Application       PAT?   NAT (1-1)?   Configure Port?   Default Port         Standards
NetBIOS over IP   No     No           No                —                    —
PPTP              Yes    Yes          Yes               1723                 RFC 2637
RSH               Yes    Yes          Yes               TCP/514              Berkeley UNIX
RTSP              No     No           Yes               TCP/554              RFC 2326, RFC 2327, RFC 1889
SIP               Yes    Yes          Yes               TCP/5060, UDP/5060   RFC 2543
SKINNY (SCCP)     Yes    Yes          Yes               TCP/2000             —
SMTP/ESMTP        Yes    Yes          Yes               TCP/25               RFC 821, 1123
SQL*Net           Yes    Yes          Yes               TCP/1521 (v.1)       —
Sun RPC           No     No           No                UDP/111, TCP/111     —
XDMCP             No     No           No                UDP/177              —
Depending on the protocol it is used with, application inspection provides the following functionality for complex protocols:
■ Securely and dynamically open and close temporary conduits for legitimate traffic
■ Network Address Translation
■ Port Address Translation
■ Inspect traffic for malicious behavior
Application Layer Protocol Inspection
Depending on the protocol, inspection may or may not be enabled by default. All protocol inspection in PIX version 7.0 is configured through the Modular Policy Framework (MPF), which is a versatile and powerful way to apply protocol inspection to your firewall. MPF has four main steps:
■ Defining a traffic class
■ Associating the traffic class with one or more actions
■ Customizing the parameters of the application inspection for the protocol in question
■ Applying the defined inspection to an interface
Defining a Traffic Class
Defining a traffic class is done through the use of the class-map command. The idea behind this command is that you want to identify a certain subset of the total traffic flowing through an interface. There are a number of possible methods of matching traffic, including:
■ Using an access list
■ Matching all traffic
■ Using a list of predefined default IP protocols
■ Matching traffic based on DSCP values
■ Using a flow-based policy
■ Matching specified TCP or UDP ports (without using an access list)
■ Matching traffic based on IP precedence values
■ Matching traffic based on RTP port numbers
■ Matching a specified tunnel group
Prior to configuring any of these match conditions, the first step to configuring a traffic class is to define the traffic class and give it a name. To create a traffic class called “class1”, enter:
PIX1(config)# class-map class1
PIX1(config-cmap)#
You will notice that following this command, your prompt changes to “config-cmap”, indicating that you are now in class-map configuration mode and may enter commands relating to the specific class map (in this case “class1”) that you have defined. At this prompt, you have the option of entering a description for this traffic class:
PIX1(config-cmap)# description sample traffic class
You also have the ability to rename the traffic class without removing and recreating it. In this case, we will rename the traffic class from “class1” to “class2”:
PIX1(config-cmap)# rename class2
The next step is to configure the traffic class to match certain traffic. To see all possible matching options:
PIX1(config-cmap)# match ?
mpf-class-map mode commands/options:
  access-list                 Match an Access List
  any                         Match any packet
  default-inspection-traffic  Match default inspection traffic:
                              ctiqbe----tcp--2748
  dscp                        Match IP DSCP (DiffServ CodePoints)
  flow                        Flow based Policy
  port                        Match TCP/UDP port(s)
  precedence                  Match IP precedence
  rtp                         Match RTP port numbers
  tunnel-group                Match a Tunnel Group
To match traffic by access list, you must configure an access-list prior to configuring the traffic class. For example, to configure an access list called “acl1” that matches all traffic on TCP port 1111 and then apply it to the traffic class “class2”:
PIX1(config)# access-list acl1 permit tcp any any eq 1111
PIX1(config)# class-map class2
PIX1(config-cmap)# match access-list acl1
To match any traffic, simply enter:
PIX1(config-cmap)# match any
The PIX default inspection traffic ports are shown in Table 5.2 (the table is courtesy of Cisco; see http://www.cisco.com/en/US/partner/products/sw/secursw/ps2120/products_configuration_guide_chapter09186a00804231c0.html, Table 21-2).
Table 5.2 PIX Default Inspection Ports

Protocol Name   Protocol   Port
ctiqbe          tcp        2748
dns             udp        53
ftp             tcp        21
gtp             udp        2123,3386
h323 h225       tcp        1720
h323 ras        udp        1718-1719
http            tcp        80
icmp            icmp       N/A
ils             tcp        389
mgcp            udp        2427,2727
netbios         udp        N/A
rpc/sunrpc      udp        111
rsh             tcp        514
rtsp            tcp        554
sip             tcp, udp   5060
skinny          tcp        2000
smtp            tcp        25
sqlnet          tcp        1521
tftp            udp        69
xdmcp           udp        177
To match the PIX default inspection traffic ports, simply enter:
PIX1(config-cmap)# match default-inspection-traffic
To match traffic based on DSCP value, you may enter one or more of the following parameters, separated by a space:
PIX1(config-cmap)# match dscp ?
mpf-class-map mode commands/options:
  <0-63>    Differentiated services codepoint value
  af11      Match packets with AF11 dscp (001010)
  af12      Match packets with AF12 dscp (001100)
  af13      Match packets with AF13 dscp (001110)
  af21      Match packets with AF21 dscp (010010)
  af22      Match packets with AF22 dscp (010100)
  af23      Match packets with AF23 dscp (010110)
  af31      Match packets with AF31 dscp (011010)
  af32      Match packets with AF32 dscp (011100)
  af33      Match packets with AF33 dscp (011110)
  af41      Match packets with AF41 dscp (100010)
  af42      Match packets with AF42 dscp (100100)
  af43      Match packets with AF43 dscp (100110)
  cs1       Match packets with CS1(precedence 1) dscp (001000)
  cs2       Match packets with CS2(precedence 2) dscp (010000)
  cs3       Match packets with CS3(precedence 3) dscp (011000)
  cs4       Match packets with CS4(precedence 4) dscp (100000)
  cs5       Match packets with CS5(precedence 5) dscp (101000)
  cs6       Match packets with CS6(precedence 6) dscp (110000)
  cs7       Match packets with CS7(precedence 7) dscp (111000)
  default   Match packets with default dscp (000000)
  ef        Match packets with EF dscp (101110)
If you wish to match traffic based on a TCP or UDP port without using an access list, you may use the “match port” command. For example, to match the same TCP port 1111 as in the preceding example:
PIX1(config-cmap)# match port tcp eq 1111
Note that the “match port” command allows you to specify ranges of ports. To do so, substitute “eq” with “range”, and then specify a lower and upper limit to the ports to match. For example, to match TCP ports 1111 through 1120:
PIX1(config-cmap)# match port tcp range 1111 1120
To match traffic based on its IP precedence, you may enter precedence values by name or number. For example, to match precedence values 2, 4, and 6:
PIX1(config-cmap)# match precedence 2 4 6
NOTE The PIX supports multiple match commands only for the tunnel-group and default-inspection-traffic types. You may configure one of these commands in conjunction with any other match command. However, the remaining match commands cannot be combined with one another; you must remove one before adding another.
Associating a Traffic Class with an Action
Once you have identified traffic of interest, the next step is to associate that traffic with a particular action, in order to actually perform the protocol inspection. To do so, the first step is to define a policy map. For example, to create a policy map named “pol1”:
PIX1(config)# policy-map pol1
PIX1(config-pmap)#
At this point, you will notice that the prompt has changed to “config-pmap”, indicating that all subsequent commands apply to the policy map. Just as with a class map, you have the option of adding a description to the policy map, or renaming it. The next step is to add one or more traffic classes to the policy map. For example, to specify the traffic class we created earlier (“class2”):
PIX1(config-pmap)# class class2
PIX1(config-pmap-c)#
Notice that now the prompt has changed to “config-pmap-c”, indicating that subsequent commands apply to the class map within the policy map. In order to enable protocol inspection, you may now use the inspect command. The following protocol inspection engines are available:
PIX1(config-pmap-c)# inspect ?
For example, to enable FTP protocol inspection:
PIX1(config-pmap-c)# inspect ftp
Once you have completed the inspect configuration, you may wish to return to the policy map configuration mode in order to define additional traffic classes. To do so:
PIX1(config-pmap-c)# exit
PIX1(config-pmap)#
Notice that the prompt has now returned to “config-pmap”. You may now enter additional configuration, or exit again to return to the main configuration mode.
Customizing Application Inspection Parameters
Although in general protocol inspection will function without modifying the default parameters, there are times when you may wish to tune the various options associated with a protocol inspection engine. To do so, you must use application maps. Application maps are available for a number of protocols, and we will go into detail on how to configure these, when available, in each application-specific section of this chapter. An application map called httpmap1 is applied within the policy map configuration as follows:
PIX1(config-pmap-c)# inspect http httpmap1
Applying Inspection to an Interface
The final step to enabling protocol inspection is to apply the inspection you have configured to one interface, multiple interfaces, or all interfaces. To do so, use the service-policy command. For example, to apply the aforementioned policy map to the outside interface:
PIX1(config)# service-policy pol1 interface outside
Similarly, if you wish to apply this policy to all interfaces:
PIX1(config)# service-policy pol1 global
Domain Name Service
The main task of application inspection for DNS (known as DNS Guard) is to impose specific restrictions on DNS requests over UDP that pass through the firewall (compared with the generic processing of all UDP communications). Roughly speaking, the data part of each DNS request contains a serial number (ID) and the body of the request. For example, requests for A-records (address records) include the DNS name for which an IP address is sought. The reply to this request should contain the same ID and an IP address.
DNS Guard ensures the following:
■ Only replies with the correct ID are accepted.
■ Only one reply is accepted. In the case of multiple replies, all but the first one are ignored.
■ The UDP connection associated with the DNS connection is destroyed as soon as a DNS reply is received, not after the UDP timeout has expired.
■ IP addresses in A-record replies are translated if necessary. This process is controlled by the alias command. It also translates addresses to be consistent with NAT statements, including outside NAT, which was introduced in version 6.2. Generally, the alias command is not needed because of this outside NAT feature.
As an example of the last case, consider the configuration in which a client (192.168.0.1) and a Web server (web.company.com, IP address 192.168.0.5) are located on the inside interface of the PIX and have nonroutable addresses. A DNS server is on the outside. The PIX is configured to translate both the client and the server addresses via PAT to a single IP of 1.2.3.4. This address is recorded on the DNS server as the address for web.company.com. When the client requests an IP address (an A-record) for the server, the PIX forwards the request to the DNS server, translating the source IP. When it receives the DNS server’s reply, it not only translates the packet’s destination IP address (changing 1.2.3.4 to 192.168.0.1), but it also changes the address of the Web server contained in the reply’s data field (that is, 1.2.3.4 contained in the reply is changed to 192.168.0.5). As a result, the internal client uses the internal address 192.168.0.5 of the Web server to connect to it directly. A separate case, not to be confused with DNS Guard, is when the DNS server is on a more secure interface than the Web server and/or client; there, either outside NAT or alias commands are used. Outside NAT is very similar to the previous situation.
NOTE When using alias commands for DNS fixups, you need to turn off proxy ARP on the internal interface, using the sysopt noproxyarp inside_interface command. It is also possible to turn off processing of DNS replies for addresses stated in the alias commands by using the sysopt nodnsalias command.
It is not possible to disable application inspection of DNS or change the DNS port from the default of 53.
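The DNS Guard behaviour described above (ID matching, one reply per query, immediate teardown, and rewriting of the A-record in the reply) as an added Python model; this is not Cisco code, the DNS messages are constructed inline for the 192.168.0.1 / web.company.com scenario, and the 1.2.3.4 to 192.168.0.5 mapping is supplied by the example itself:

```python
import struct

# Constructed traffic for the scenario above: the inside client 192.168.0.1 resolves
# web.company.com and the outside DNS server answers with the PAT address 1.2.3.4.

def encode_name(name):
    """Wire-format name: 'web.company.com' -> 3web 7company 3com 0 (length-prefixed labels)."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(label)]) + label.encode() for label in labels) + b"\x00"


def build_query(qid, name):
    """Standard A query with transaction ID qid (RD flag set, one question)."""
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", 1, 1)


def build_a_reply(qid, name, ip):
    """Reply echoing the question plus one A record (name given as a pointer to offset 12)."""
    header = struct.pack("!HHHHHH", qid, 0x8180, 1, 1, 0, 0)
    question = encode_name(name) + struct.pack("!HH", 1, 1)
    rr = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + bytes(int(x) for x in ip.split("."))
    return header + question + rr


def skip_name(msg, off):
    """Offset just past the name starting at off (labels or a compression pointer)."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:
            return off + 2
        off += 1 + length


def a_record_offsets(msg):
    """Yield the offset of the 4-byte RDATA of every A record in the answer section."""
    _, _, qd, an = struct.unpack_from("!HHHH", msg, 0)
    off = 12
    for _ in range(qd):
        off = skip_name(msg, off) + 4          # skip QTYPE + QCLASS
    for _ in range(an):
        off = skip_name(msg, off)
        rtype, _, _, rdlen = struct.unpack_from("!HHIH", msg, off)
        off += 10
        if rtype == 1 and rdlen == 4:
            yield off
        off += rdlen


def answer_ips(msg):
    """Dotted-quad list of the A records in a reply (used to check the result)."""
    return [".".join(str(b) for b in msg[o:o + 4]) for o in a_record_offsets(msg)]


class DnsGuard:
    """Model of DNS Guard (not Cisco code): one reply per outstanding ID, after which the
    UDP connection is torn down; A-record data is rewritten through the NAT mapping."""

    def __init__(self, outside_to_inside):
        self.map = outside_to_inside   # e.g. {"1.2.3.4": "192.168.0.5"}
        self.pending = set()           # (client, qid) pairs with a reply outstanding

    def outbound_query(self, client, msg):
        """Register a client query; returns False if the message is not a query."""
        qid, flags = struct.unpack_from("!HH", msg, 0)
        if flags & 0x8000:             # QR bit set: this is a reply, not a query
            return False
        self.pending.add((client, qid))
        return True

    def inbound_reply(self, client, msg):
        """Return the reply to deliver to the client, or None when DNS Guard drops it."""
        qid, flags = struct.unpack_from("!HH", msg, 0)
        if not flags & 0x8000 or (client, qid) not in self.pending:
            return None                # wrong ID, unsolicited reply, or a second reply
        self.pending.discard((client, qid))   # connection removed as soon as the reply arrives
        out = bytearray(msg)
        for off in a_record_offsets(msg):
            ip = ".".join(str(b) for b in msg[off:off + 4])
            if ip in self.map:         # embedded 1.2.3.4 becomes 192.168.0.5
                out[off:off + 4] = bytes(int(x) for x in self.map[ip].split("."))
        return bytes(out)
```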
Remote Procedure Call
Remote procedure call (RPC) is a very general mechanism for client-server applications developed by Sun Microsystems. Many applications are built on top of this system, the most important of which are Network File System (NFS) and Network Information System (NIS), which are used in many UNIX networks.
The RPC server is a collection of procedures, each of which can be called by a client sending an RPC request to the server, possibly passing some parameters. The server runs the required procedure and sends the results to the client. This data exchange is platform-independent and is encoded using External Data Representation (XDR) format. Each procedure is identified by an assigned program number, which the client indicates in the request. The default correspondence between program numbers and procedures is stored on UNIX hosts in the /etc/rpc file. To further complicate things, an RPC server can run various versions of each program at the same time. In this case, the version numbers are added to the request. On TCP/IP networks, each version of a program running on the server is assigned a TCP and a UDP port (both ports have the same number). In order for this service to be generic (and because RPC programs do not use reserved port numbers), there is no fixed correspondence between program names (or numbers) and the ports they are running on. The ports are assigned dynamically by a separate daemon called portmapper, which functions as a multiplexing service. Each program has to register with portmapper in order to be available for RPC calls. Portmapper then reserves a TCP and a UDP port for it. When a client wants to make a call to a remote procedure, it first queries the portmapper daemon (which runs on port 111 by default), sending it a program number and receiving the number of the port it runs on. The client then connects to this port and interacts directly with the required program. Here, the problem for a firewall arises when the RPC server is on a more secure interface; it is simple to permit incoming connections to the portmapper port 111, but it is not possible to know beforehand which extra ports need to be opened for incoming RPC requests to specific programs. The PIX does the following:
1. It inspects all outgoing packets that have a source port of 111.
2. When it notices a portmapper reply with some port number, the PIX opens embryonic TCP and UDP connections on this port.
3. The PIX does not inspect RPC packets for anything else. For example, it does not attempt to translate embedded IP addresses.
To enable RPC inspection, first create an access-list that matches RPC traffic:
PIX1(config)# access-list rpc permit udp any any eq 111
Next, create a traffic class that matches this access-list:
PIX1(config)# class-map rpc1
PIX1(config-cmap)# match access-list rpc
Next, create a policy map that specifies the traffic class created in the previous example and defines the inspection to perform:
PIX1(config)# policy-map rpcpol1
PIX1(config-pmap)# class rpc1
PIX1(config-pmap-c)# inspect rpc
Finally, apply this inspection configuration to the desired interface, in this case outside:
PIX1(config)# service-policy rpcpol1 interface outside
SQL*Net
SQL*Net, which is used to query SQL databases, is another firewall-unfriendly protocol. There are three versions of SQL*Net: SQL*Net v1 (an old version used in Oracle 7), SQL*Net v2, and Net8/Net9 (newer versions of Oracle, such as 8i). Versions 1 and 2 are incompatible, whereas Net8/Net9 is just a small improvement on version 2. All these protocols have common behavior: When a client wants to connect to an Oracle server, it first establishes a connection to the dedicated Oracle port (port 1525 by default in SQL*Net version 1, port 1521 in versions 2 and later) and then is redirected by this server to another instance of Oracle running on this machine or even another server. The client now has to establish a connection to the IP address and port it was told. In SQL*Net v2 and later, even after that the client can be redirected again. The only case in which all communications happen on one port without any redirection is when Oracle runs in Dedicated Server mode. This might need some extra configuration to function; refer to Oracle documentation if you are interested in this feature. The problem with firewalls arises when the server is on a more secure interface than the client. Generally, the client will not be able to establish inbound connections to arbitrary ports and IP addresses. In order to process this correctly, the PIX needs to monitor the information exchange between the server and the client to notice which address/port number is negotiated and open a temporary conduit for inbound connections. The default port is 1521. In the case of SQL*Net v1, the PIX scans all messages from the server to the client, checks the address and port negotiation, performs NAT on the embedded address if necessary, and forwards the resulting packets to the client. The inbound connections from the client are also de-NATted correctly and permitted by a temporary conduit.
SQL*Net version 2 communications are much more complicated than version 1, so the inspection process is also more complex. Messages used in this protocol can be of the following types: Data, Redirect, Connect, Accept, Refuse, Resend, and Marker. When the PIX firewall notices a Redirect packet with zero data length, it sets an internal flag for this connection to expect the relevant address/port information. This information should arrive in the next message, which must be of Data or Redirect type only. The relevant part of the message looks like the following:
(ADDRESS=(PROTOCOL=tcp)(DEV=6)(HOST=a.b.c.d)(PORT=p))
The PIX then needs to NAT this a.b.c.d:p pair inside the message and permit inbound connections on the corresponding IP address/port pair. If anything other than a Redirect or Data packet arrives after the initial null Redirect packet, the internal flag is reset. To enable SQL*Net inspection, first create an access-list that matches SQL*Net traffic:
PIX1(config)# access-list sqlnet permit tcp any any eq 1521
Next, create a traffic class that matches this access-list:
PIX1(config)# class-map sqlnet1
PIX1(config-cmap)# match access-list sqlnet
Next, create a policy map that specifies the traffic class created in the previous example and defines the inspection to perform:
PIX1(config)# policy-map sqlnetpol1
PIX1(config-pmap)# class sqlnet1
PIX1(config-pmap-c)# inspect sqlnet
Finally, apply this inspection configuration to the desired interface, in this case outside:
PIX1(config)# service-policy sqlnetpol1 interface outside
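The SQL*Net v2 Redirect tracking described in this section (null Redirect sets a flag, the next Data or Redirect carries the address that is NATted and opened, anything else resets the flag) as an added Python model; this is not Cisco code, message types are passed by name rather than parsed from the TNS wire format, and the 10.0.0.5 to 1.2.3.4 NAT pair and port 1526 are constructed values:

```python
import re

# The HOST/PORT pair inside the ADDRESS block shown in the text.
ADDRESS_RE = re.compile(r"\(HOST=([\d.]+)\)\(PORT=(\d+)\)")


class SqlNetInspector:
    """Model of the PIX SQL*Net v2 Redirect handling for one connection (not Cisco code)."""

    def __init__(self, inside_to_outside):
        self.nat = inside_to_outside   # constructed NAT map, e.g. {"10.0.0.5": "1.2.3.4"}
        self.expect_address = False    # internal flag set by a zero-length Redirect
        self.conduits = set()          # (outside_ip, port) pairs the client may connect to

    def inspect_server_message(self, mtype, payload):
        """Server->client message. Returns the payload to forward (rewritten when needed)."""
        if mtype == "Redirect" and len(payload) == 0:
            self.expect_address = True        # the next Data/Redirect carries the address
            return payload
        if self.expect_address and mtype in ("Data", "Redirect"):
            self.expect_address = False       # consumed: only this one message is rewritten
            return ADDRESS_RE.sub(self._translate, payload)
        self.expect_address = False           # any other type after the null Redirect resets
        return payload

    def _translate(self, match):
        host, port = match.group(1), int(match.group(2))
        outside = self.nat.get(host, host)    # NAT the embedded address if it is translated
        self.conduits.add((outside, port))    # temporary conduit for the client's next connect
        return f"(HOST={outside})(PORT={port})"

    def inbound_allowed(self, dst_ip, dst_port):
        """Would an inbound client connection to dst_ip:dst_port be permitted?"""
        return (dst_ip, dst_port) in self.conduits
```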
Internet Locator Service and Lightweight Directory Access Protocol
Microsoft developed the Internet Locator Service (ILS) protocol for use in products such as NetMeeting, SiteServer, and Active Directory services. It is based on Lightweight Directory Access Protocol (LDAP) version 2. The main purpose of ILS application inspection is to let internal users communicate locally, even while registered to outside LDAP servers. This is done by inspecting LDAP messages traversing the firewall and performing NAT when necessary. There is no PAT support, because only IP addresses are stored on the server. When attempting translation of an IP address, the PIX searches its internal XLATE table first, then the DNAT tables. If neither contains the required address, it is left unchanged. ILS/LDAP communications occur on a client/server model over TCP, so there is no need for any temporary conduits to be opened by the PIX. During client/server communications, the PIX monitors for ADD requests and SEARCH responses, decoding them with BER decode functions; parses the message for IP addresses; translates them as necessary; encodes the message back; and sends the resulting packet to its destination. To enable ILS inspection, first create an access-list that matches ILS traffic:
PIX1(config)# access-list ils permit tcp any any eq 389
Next, create a traffic class that matches this access-list:
PIX1(config)# class-map ils1
PIX1(config-cmap)# match access-list ils
Next, create a policy map that specifies the traffic class created in the previous example and defines the inspection to perform:
PIX1(config)# policy-map ilspol1
PIX1(config-pmap)# class ils1
PIX1(config-pmap-c)# inspect ils
Finally, apply this inspection configuration to the desired interface, in this case outside:
PIX1(config)# service-policy ilspol1 interface outside
HTTP Inspection
HTTP protocol inspection has the ability to check for the following items:
■ Conforms to RFC 2616
■ Message body, header, and URI length are no larger than a set limit
■ Excludes methods on a set list
■ Must include a specific transfer encoding method or application type
■ The content of the body matches the content type specified in the header, and the content in the response matches the accept-type of the request
■ The message includes a MIME type
■ Defined keywords are present or missing from specific parts of the message
To enable HTTP inspection, first create a traffic class that matches port 80:
PIX1(config)# class-map http1
PIX1(config-cmap)# match port tcp eq 80
Next, create an HTTP map to configure the HTTP-specific parameters of the inspection engine. The various options are displayed:
PIX1(config)# http-map httpmap1
PIX1(config-http-map)# ?
Http-map configuration commands:
  content-length             Content length range inspection
  content-type-verification  Content type inspection
  max-header-length          Maximum header size inspection
  max-uri-length             Maximum URI size inspection
  no                         Negate a command or set its defaults
  port-misuse                Application inspection
  request-method             Request method inspection
  strict-http                Strict HTTP inspection
  transfer-encoding          Transfer encoding inspection
Next, create a policy map that specifies the traffic class created in the previous example and defines the inspection to perform, including the HTTP map:
PIX1(config)# policy-map httppol1
PIX1(config-pmap)# class http1
PIX1(config-pmap-c)# inspect http httpmap1
Finally, apply this inspection configuration to the desired interface, in this case outside:
PIX1(config)# service-policy httppol1 interface outside
FTP Inspection
One of the first application-level protocols that posed problems for simple packet-filtering devices was FTP, which is documented in RFC 959. FTP always uses two connections for operation. The control connection is a connection from the client FTP program to the server’s FTP port (TCP port 21 by default). This connection is used for sending commands to the server and receiving informational replies. These commands and replies are a little different from what you enter on the keyboard. For example, when you log into an FTP server and enter your username, your FTP client sends the USER username command to the server and probably receives a reply 331 User name okay, need password. It then asks you for your password, and the login process completes. The second connection is opened for the actual file transfer operation and can behave differently depending on the mode in which the client is operating; it can be initiated either by the client or by the server. The main difference is whether the client tells the server to operate in passive or active mode.
Active versus Passive Mode
The first FTP servers and clients used active mode, where a file transfer happens as described here:
1. When the client (already connected to the server’s FTP control port and logged in) needs to receive a file from the server, it sends a PORT A1,A2,A3,A4,a1,a2 command, where A1, A2, A3, and A4 are the four octets of the client’s IP address and a1 and a2 encode the port number on which it will listen for connections. This port number is an arbitrary value and is calculated as a1*256+a2.
2. After receiving a 200 OK reply from the server, the client sends the RETR command to start the transfer.
3. The server opens a connection to the port that the client specified and pipes the file’s contents into this connection. After the file is transferred, this data connection is closed, while the control connection stays open until the client disconnects from the server. The source port of this connection is “ftp-data,” TCP port 20.
Now, if the client is behind a firewall (or, in PIX terms, is on a higher security-level interface than the server), the connection from the server is likely to be refused unless the firewall permits inbound connections to all high ports on the client side, which, of course, is not good security practice. The PIX firewall can monitor FTP control connections, so when it discovers a PORT command issued by the client, it temporarily permits inbound connections to the port requested by the client in this command. The other issue here is that when NAT or PAT are used, the PIX also translates the address and port number inside the command to the NATted IP and port. For example,
consider a client with IP address 10.0.0.1 that will be translated to 192.168.0.1. In this case, the client will issue the port command PORT 10,0,0,1,4,10, which says that the client is ready to receive connections to 10.0.0.1:1034. During its transit through the PIX it will be translated to PORT 192,168,0,1,8,10, and the server will then open the data connection to 192.168.0.1:2058. This destination will be properly translated by the PIX back to 10.0.0.1:1034.
The second mode of FTP operation is passive mode. In this mode, a file transfer happens as described here:
1. Soon after connecting to the server’s FTP control port and logging in, the client sends the PASV command, requesting the server to enter the passive mode of operation.
2. The server responds with “227 Entering Passive Mode A1,A2,A3,A4,a1,a2.” This response means that the server is now listening for data connections on the IP address and port it has specified in the reply.
3. The client connects to the specified port and sends the RETR command to start the transfer.
4. The server sends the file’s contents over this second (data) connection.
This mode of operation does not cause a problem when the client is on a more secure interface, since by default the client is permitted to initiate any outbound connections. Unfortunately, there is a problem when the server is on a more secure interface than the client; the firewall will generally not allow the client to open an inbound connection on an arbitrary port. To overcome this problem, the PIX firewall monitors PASV commands and “227” replies, temporarily permits an inbound connection to the specified port, and modifies IP addresses and port numbers to correspond with NATted ones. The full functionality of FTP application inspection consists of the following tasks:
1. Tracking of the FTP command and response sequence (PORT and PASV commands and “227” replies).
2. Creating a temporary conduit for the data connections based on the result of this tracking (if necessary).
3. NATting of IP addresses inside the commands and replies.
4. Generating an audit trail. An audit trail is generated in the following cases:
■ An audit record 302002 is generated for each uploaded or downloaded file.
■ Each download (RETR) or upload (STOR) command is logged.
■ File operations are logged together with the FTP username, source and destination IP addresses, and NAT address.
■ An audit record 201005 is generated if the firewall failed to allocate a secondary channel due to memory shortage.
If one of the following problems is encountered, the connection is denied or dropped:
■ Clients are prevented from sending embedded commands. The connection that tries to use these commands is closed. This action is performed by checking how many characters are present in the PORT or PASV command after the IP address and port number. If there are more than eight characters, it is assumed that this is an attempt to add another command at the end of the line, and the connection is dropped.
■ Before a new command is allowed, the server should send a reply to each command received.
■ Only servers can generate “227” messages (protection against reply spoofing) and only clients can generate PASV and PORT commands (protection against command spoofing). The reason here is that without strict inspection, a client can send any garbage to the server, including fake “227” messages (for example, 227 foobar A1, A2, A3, A4, a1, a2), and although the server replies with an error message, the firewall could be fooled into permitting a connection with the parameters specified.
■ Extra checking of “227” replies and PORT commands is performed to ensure that they are really commands/replies, not part of some error message.
■ Truncated commands: PORT and PASV commands are checked for the correct number of commas in them. Each should contain exactly five commas (see the previous examples).
■ Size of RETR and STOR commands: their length (including the filename for download/upload) must not be greater than an embedded constant. This provides protection against possible buffer overflows.
■ Invalid port negotiation: the port number used for the data connection must be a high port (that is, a port with a number greater than 1024).
■ Every FTP command sent by the client must end with carriage-return and line-feed (CRLF) characters, as specified by RFC 959.
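The PORT translation worked through above (10.0.0.1:1034 advertised as 192.168.0.1:2058) together with the checks just listed, as an added Python model of the control-channel inspection; this is not Cisco code, the PAT table is constructed, the 256-byte RETR/STOR limit stands in for the PIX's embedded constant, and the characters counted as "extra" are taken to be everything after the address/port block up to the CRLF:

```python
import re

CRLF = "\r\n"
MAX_TRAILING = 8          # more than 8 chars after the address/port block = embedded command
MAX_RETR_STOR_LEN = 256   # assumed stand-in for the PIX's embedded length constant
HOSTPORT_RE = re.compile(r"\d[\d,]*\d")   # the A1,A2,A3,A4,a1,a2 block; comma count checked below


def decode_hostport(fields):
    """'A1,A2,A3,A4,a1,a2' -> ('A1.A2.A3.A4', a1*256 + a2), as used by PORT and 227."""
    p = [int(x) for x in fields.split(",")]
    return ".".join(map(str, p[:4])), p[4] * 256 + p[5]


def encode_hostport(ip, port):
    """Inverse of decode_hostport: ('192.168.0.1', 2058) -> '192,168,0,1,8,10'."""
    return ",".join(ip.split(".") + [str(port // 256), str(port % 256)])


class FtpInspector:
    """Model of the PIX FTP control-channel inspection described above (not Cisco code)."""

    def __init__(self, pat):
        # pat: constructed PAT table {(inside_ip, inside_port): (outside_ip, outside_port)}
        self.pat = pat
        self.reverse = {v: k for k, v in pat.items()}
        self.conduits = set()   # (ip, port) pairs temporarily open for a data connection

    def _check_hostport(self, kind, body):
        """Checks shared by PORT commands and 227 replies: returns (ip, port) or a drop reason."""
        m = HOSTPORT_RE.search(body)
        if not m:
            return f"drop: {kind} carries no A1,A2,A3,A4,a1,a2 block"
        fields, trailing = m.group(0), body[m.end():]
        if fields.count(",") != 5:
            return f"drop: {kind} must contain exactly five commas"
        if len(trailing) > MAX_TRAILING:
            return f"drop: {kind} has extra data after the port (embedded command?)"
        ip, port = decode_hostport(fields)
        if port <= 1024:
            return f"drop: {kind} negotiated low port {port}"
        return ip, port

    def inspect_client(self, line):
        """Client->server line. Returns ('permit', line_to_forward) or ('drop', reason)."""
        if not line.endswith(CRLF):
            return "drop", "command not terminated by CRLF (RFC 959)"
        text = line[:-2]
        verb, _, arg = text.partition(" ")
        verb = verb.upper()
        if verb == "227":
            return "drop", "227 reply coming from the client (reply spoofing)"
        if verb in ("RETR", "STOR") and len(text) > MAX_RETR_STOR_LEN:
            return "drop", f"{verb} command longer than {MAX_RETR_STOR_LEN} bytes"
        if verb == "PORT":
            res = self._check_hostport("PORT", arg)
            if isinstance(res, str):
                return "drop", res
            xlate = self.pat.get(res)
            if xlate is None:
                return "drop", f"no translation for {res[0]}:{res[1]}"
            # Temporary conduit: the server may now connect to the translated pair,
            # and the command is rewritten to advertise that pair instead of the inside one.
            self.conduits.add(xlate)
            return "permit", f"PORT {encode_hostport(*xlate)}{CRLF}"
        return "permit", line

    def inspect_server(self, line):
        """Server->client line. Returns ('permit', line_to_forward) or ('drop', reason)."""
        if not line.endswith(CRLF):
            return "drop", "reply not terminated by CRLF"
        text = line[:-2]
        if text[:4].upper() in ("PORT", "PASV"):
            return "drop", "PORT/PASV coming from the server (command spoofing)"
        if text.startswith("227"):
            res = self._check_hostport("227", text[3:])
            if isinstance(res, str):
                return "drop", res
            self.conduits.add(res)   # client may now connect inbound to this pair
        return "permit", line

    def data_connection_allowed(self, dst_ip, dst_port):
        """Is an inbound data connection to dst_ip:dst_port covered by a temporary conduit?"""
        return (dst_ip, dst_port) in self.conduits

    def translate_inbound(self, dst_ip, dst_port):
        """Map a data connection arriving at the translated pair back to the inside host."""
        return self.reverse.get((dst_ip, dst_port))
```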
To enable FTP inspection, first create a traffic class that matches port 21:
PIX1(config)# class-map ftp1
PIX1(config-cmap)# match port tcp eq 21
Next, create an FTP map to configure the FTP-specific parameters of the inspection engine:
PIX1(config)# ftp-map ftpmap1
To deny specific FTP commands from being executed, for example, you have the following options with the FTP map configuration:
PIX1(config-ftp-map)# request-command deny ?
  get   FTP client command for the retr command - retrieve a file
  help  Help information from server
  mkd   Create a directory
  put   FTP client command for the stor command - store a file
  rmd   Remove a directory
  rnfr  Rename from
  rnto  Rename to
  site  Specify server specific command
  stou  Store a file with a unique name
Next, create a policy map that specifies the traffic class created in the previous example and defines the inspection to perform, including the FTP map:
PIX1(config)# policy-map ftppol1
PIX1(config-pmap)# class ftp1
PIX1(config-pmap-c)# inspect ftp ftpmap1
Finally, apply this inspection configuration to the desired interface, in this case outside:
PIX1(config)# service-policy ftppol1 interface outside
ESMTP Inspection ESMTP is an enhanced version of SMTP that is very similar to SMTP, but offers features such as delivery status notification messages to improve performance and security. ESMTP inspection works by limiting the commands that can be executed and by monitoring ESMTP connections.The commands that are permitted are AUTH, DATA, EHLO, ETRN, HELO, HELP, MAIL, NOOP, QUIT, RCPT, RSET, SAML, SEND, SOML, and VRFY. All other commands are not permitted, since they are not required for ESMTP operation and therefore could be malicious. To enable ESMTP inspection, first create a traffic class that matches port 25: PIX1(config)# class-map esmtp1 PIX1(config-cmap)# match port tcp eq 25
Next, create a policy map that specifies the traffic class created in the previous example and defines the inspection to perform:

PIX1(config)# policy-map esmtppol1
PIX1(config-pmap)# class esmtp1
PIX1(config-pmap-c)# inspect esmtp
Finally, apply this inspection configuration to the desired interface, in this case outside:

PIX1(config)# service-policy esmtppol1 interface outside
ICMP Inspection

Although ICMP is a useful tool for determining device availability and network latency, it is possible for ICMP to be used maliciously. For example, a malicious user may attempt to flood your network with replies to ICMP requests that you never actually sent. Fortunately, the PIX includes an ICMP inspection engine that instructs the PIX to treat ICMP connections as stateful, matching outgoing queries to incoming responses. To enable ICMP inspection, first create an access-list that matches ICMP traffic:

PIX1(config)# access-list icmp1 permit icmp any any
Next, create a traffic class that matches this access-list:

PIX1(config)# class-map icmp1
PIX1(config-cmap)# match access-list icmp1
Next, create a policy map that specifies the traffic class created in the previous example and defines the inspection to perform:

PIX1(config)# policy-map icmppol1
PIX1(config-pmap)# class icmp1
PIX1(config-pmap-c)# inspect icmp
Finally, apply this inspection configuration to the desired interface, in this case outside:

PIX1(config)# service-policy icmppol1 interface outside
H.323

H.323 is actually a suite of protocols rather than a single protocol. It was designed for establishing multimedia conferences, and is used by such applications as Cisco CallManager. This protocol embeds IP addresses within its packets, making it a challenge to NAT, and also uses dynamically allocated RTP connections to function. The PIX H.323 inspection engine allows H.323 to function securely, despite these factors. To enable H.323 inspection, first create an access-list that matches H.323 traffic:

PIX1(config)# access-list h323 permit udp any any eq 1720
PIX1(config)# access-list h323 permit udp any any eq 1721
Next, create a traffic class that matches this access-list:

PIX1(config)# class-map h323-1
PIX1(config-cmap)# match access-list h323
Next, create a policy map that specifies the traffic class created in the preceding example and defines the inspection to perform:

PIX1(config)# policy-map h323pol1
PIX1(config-pmap)# class h323-1
PIX1(config-pmap-c)# inspect h323 ras
PIX1(config-pmap-c)# inspect h323 h225
Finally, apply this inspection configuration to the desired interface, in this case outside:

PIX1(config)# service-policy h323pol1 interface outside
Simple Network Management Protocol (SNMP)

SNMP is used for managing and monitoring network nodes. Network management and monitoring tools may query devices via SNMP, and the device will return information about its current state. There have been a number of iterations of SNMP, including versions 1, 2, 2c, and 3. Because older versions of SNMP are less secure, it is desirable to enable SNMP inspection and to deny all versions but the most recent, assuming all devices on your network are running that version. To enable SNMP protocol inspection, first create a traffic class that matches this protocol:

PIX1(config)# class-map snmp1
PIX1(config-cmap)# match port tcp range 161-162
If you wish to deny certain versions of SNMP, create an SNMP map. The versions that you may deny are displayed:

PIX1(config)# snmp-map snmpmap1
PIX1(config-snmp-map)# deny version ?

snmp-map mode commands/options:
  1   SNMP version 1
  2   SNMP version 2 (party based)
  2c  SNMP version 2c (community based)
  3   SNMP version 3
Next, create a policy map that specifies the traffic class created in the preceding example and defines the inspection to perform:

PIX1(config)# policy-map snmppol1
PIX1(config-pmap)# class snmp1
PIX1(config-pmap-c)# inspect snmp snmpmap1
Finally, apply this inspection configuration to the desired interface, in this case outside:

PIX1(config)# service-policy snmppol1 interface outside
Voice and Video Protocols

The PIX supports the inspection of a number of voice and video protocols. Because networks are used more and more frequently for voice and video, rather than just data, it is important to be able to apply the same security measures to this traffic to maintain the integrity of your security policy.
SIP

The SIP protocol is used by voice-over-IP gateways to establish calls between parties. The PIX firewall is able to inspect SIP traffic, including the dynamically allocated ports used for streaming the media packets between hosts. Also, the inspection applies network address translation to the IP addresses embedded in the SIP packets. To enable SIP protocol inspection, first create a traffic class that matches this protocol:

PIX1(config)# class-map sip1
PIX1(config-cmap)# match port tcp eq 5060
Next, create a policy map that specifies the traffic class created in the preceding example and defines the inspection to perform:

PIX1(config)# policy-map sippol1
PIX1(config-pmap)# class sip1
PIX1(config-pmap-c)# inspect sip
Finally, apply this inspection configuration to the desired interface, in this case outside:

PIX1(config)# service-policy sippol1 interface outside
CTIQBE

CTIQBE, which stands for Computer Telephony Interface Quick Buffer Encoding, is used to allow Cisco SoftPhones or other similar applications to communicate with a Cisco CallManager. Enabling application inspection of CTIQBE allows the PIX firewall to apply network address translation to the IP addresses embedded in the CTIQBE packets. To enable CTIQBE protocol inspection, first create a traffic class that matches this protocol:

PIX1(config)# class-map ctiqbe1
PIX1(config-cmap)# match port tcp eq 2748
Next, create a policy map that specifies the traffic class created in the preceding example and defines the inspection to perform:

PIX1(config)# policy-map ctiqbepol1
PIX1(config-pmap)# class ctiqbe1
PIX1(config-pmap-c)# inspect ctiqbe
Finally, apply this inspection configuration to the desired interface, in this case outside:

PIX1(config)# service-policy ctiqbepol1 interface outside
NOTE If you have two PIX firewalls in failover mode, and a stateful failover occurs, CTIQBE calls will drop since stateful failover of this protocol is not a supported feature.
SCCP

SCCP, which stands for Skinny Client Control Protocol and runs on TCP port 2000, is an alternative Cisco proprietary protocol used for communication between Cisco IP phones and Cisco CallManagers. The PIX firewall supports all five versions of SCCP (through 3.3.2), and allows for network address translation and port address translation. To enable SCCP protocol inspection, first create a traffic class that matches this protocol:

PIX1(config)# class-map sccp1
PIX1(config-cmap)# match port tcp eq 2000
Next, create a policy map that specifies the traffic class created in the preceding example and defines the inspection to perform:

PIX1(config)# policy-map sccppol1
PIX1(config-pmap)# class sccp1
PIX1(config-pmap-c)# inspect skinny
Finally, apply this inspection configuration to the desired interface, in this case outside:

PIX1(config)# service-policy sccppol1 interface outside
Real-Time Streaming Protocol (RTSP), NetShow, and VDO Live

RTSP is a protocol used by applications such as RealAudio, QuickTime, RealPlayer, and Cisco IP/TV to transmit real-time, streaming media from server to client. The PIX firewalls support inspection of RTSP, although NAT and PAT of RTSP connections are not supported due to the nature of the embedded IP addresses within the RTSP packets. RTSP inspection involves parsing the setup response messages to apply normal stateful inspection, matching queries and responses to eliminate the possibility of malicious behavior. To enable RTSP inspection, first create an access-list that matches RTSP traffic:

PIX1(config)# access-list rtsp permit tcp any any eq 554
PIX1(config)# access-list rtsp permit tcp any any eq 8554
Next, create a traffic class that matches this access-list:

PIX1(config)# class-map rtsp1
PIX1(config-cmap)# match access-list rtsp
Next, create a policy map that specifies the traffic class created in the preceding example and defines the inspection to perform:

PIX1(config)# policy-map rtsppol1
PIX1(config-pmap)# class rtsp1
PIX1(config-pmap-c)# inspect rtsp
Finally, apply this inspection configuration to the desired interface, in this case outside:

PIX1(config)# service-policy rtsppol1 interface outside
Summary

The Cisco PIX firewall is an advanced product and has many different options for supporting various application-layer protocols as well as protecting against network-layer attacks. It also supports content filtering for outbound Web access, intrusion detection, and various routing options such as RIP, OSPF, and multicast routing.

Many protocols embed extra IP address information inside the exchanged packets or negotiate additional connections on nonfixed ports in order to function properly. These functions are handled by the PIX application inspection feature. PIX supports FTP clients and servers in active and passive modes, DNS, RSH, RPC, SQL*Net, and LDAP protocols. It also supports various streaming protocols such as Real-Time Streaming Protocol. Another set of supported protocols includes H.323, SCCP, and SIP, all used in VoIP applications. The PIX monitors passing packets for the embedded information and updates its tables or permits embryonic connections according to this information. It is also able to NAT these embedded addresses in several cases.

The PIX can also participate in RIP and OSPF dynamic routing. Although the PIX does not have all routing features present in a full-fledged router, in some cases its routing functionality will satisfy basic routing requirements. The same goes for multicast routing; although in many cases a true multicast router is required, having basic multicast routing support built into the PIX can allow your multicast network to function without additional devices adding complexity to your network.
Solutions Fast Track

New Features in PIX 7.0

With the release of the PIX 7.0 software, the "fixup" functionality of prior releases has been replaced with Modular Policy Framework (MPF). MPF allows for flexibility and the convenience of reusing different aspects of the inspection configuration. Although "fixup" commands are still permitted, they will automatically be translated into the MPF command set.

Supporting and Securing Protocols

The PIX firewall is able to monitor various aspects of ICMP, TCP, and UDP connections in order to provide high-level security features that go beyond simple access control. Many applications use more than one connection to operate; only one of these connections occurs on a well-known port, whereas others use dynamically assigned port numbers, which are negotiated in the process of communication. This makes firewalling by means of access lists very difficult. The PIX supports application inspection for many such protocols, which allows it to operate correctly with them. The PIX has a number of built-in inspection engines that function on predefined ports that are most commonly used by each protocol.

Application Layer Protocol Inspection

Configuring application inspection, with the release of the PIX 7.0 software, is done via the Modular Policy Framework. This configuration structure allows for flexibility and the convenience of reusing different aspects of the inspection configuration. The three steps required to enable an application layer protocol inspection engine are to identify traffic with a class-map, specify the action to be taken with a policy-map, and apply the policy to an interface with a service-policy. The PIX firewall offers support for various VoIP protocols, such as H.323, SCCP, and SIP.
Frequently Asked Questions

The following Frequently Asked Questions, answered by the authors of this book, are designed to both measure your understanding of the concepts presented in this chapter and to assist you with real-life implementation of these concepts. To have your questions about this chapter answered by the author, browse to www.syngress.com/solutions and click on the "Ask the Author" form. You will also gain access to thousands of other FAQs at ITFAQnet.com.
Q: What happens when FTP protocol inspection is not enabled?

A: There are several cases:
■ Outbound active FTP sessions will not work because the outside servers will not be able to open a data channel to an inside client.
■ Outbound passive FTP sessions will work normally if outbound traffic is not explicitly disabled, because all connections in this case are initiated by an inside client.
■ Inbound active FTP connections will work normally if there is a static NAT entry and an access list allowing outside clients to connect to the inside server.
■ Inbound passive FTP connections will not work because outside clients will not be able to open data connections to the inside server.
Q: I have a PIX and an SMTP server configured on its inside network. Sometimes I get two copies of incoming mail messages. What is wrong with my server?
A: Nothing is wrong; there is a slight misbehavior on the PIX side. You probably have SMTP protocol inspection configured. Some versions of PIX software send an error message to relaying servers when the final dot in the message body and the <CR><LF> that follows it are not in the same IP packet. In this case, your internal server accepts the message for delivery, but the outside relaying server treats this as an error and attempts delivery again. Most of the time, this condition does not happen twice in a row, so the second time delivery goes without error and you receive two copies of the same message. If this really irritates you, you can turn SMTP protocol inspection off.
Q: The old way of configuring application inspection, with the fixup command, seemed more straightforward. Why do I have to enter so many commands now to accomplish the same result?
A: Although it may seem that the MPF is more complex than the old way of configuring application inspection, there are several advantages to it. For example, with MPF you can reuse traffic class definitions or policy maps to actually simplify repetitive application inspection configurations. Also, the MPF used for application inspection is very similar to the MPF used to configure quality of service on IOS-based routers. Therefore, knowledge of one will result in instant familiarity with the other.
Q: Since the PIX firewall supports so much routing functionality, why do I need routers on my network? Can’t I just use the PIX for any routing requirements?
A: Although the PIX does support a number of routing features, there are still others that are not present. For example, auto-RP and BSR for PIM multicast routing are not supported. As well, dynamic routing with RIP and OSPF is not as robust, in that the number of options and subfeatures present in the PIX are less than those in a true router. Finally, many routers participate in routing protocols over non-Ethernet interfaces such as frame-relay or ATM; the PIX firewall does not have these interface options.
Chapter 6
Filtering, Intrusion Detection, and Attack Management

Solutions in this chapter:
■ New Features in PIX 7.0
■ Filtering Web and FTP Traffic
■ TCP Attack Detection and Response
■ Configuring Intrusion Detection
■ Attack Containment and Management

Summary
Solutions Fast Track
Frequently Asked Questions
Introduction

The PIX firewall can filter and block potentially harmful Web traffic, including Java and ActiveX applications. In this chapter, we look at how the PIX firewall can integrate with virus-filtering, spam-blocking, and adware mechanisms. The PIX firewall provides integrated intrusion detection for common information-gathering attacks and network attacks. We also look at how to use IDS signatures in the PIX firewall to detect common network attacks.
Filtering Web and FTP Traffic

Often, more resources are allocated to protecting internal networks from external malicious attempts, yet equal care and attention needs to be devoted to monitoring and filtering outbound connections initiated from internal networks. Such content inspection allows the firewall to enforce security policies such as an Acceptable Use Policy, which might be used to limit browsing to certain sets and types of Web sites. URL filtering is one such mechanism where the firewall is configured to pass each HTTP or HTTPS request to a filter server for a permit or deny decision. The firewall then acts accordingly: if the request is approved, it is forwarded to the outside server and the client receives the asked-for content. If the request is denied, it is silently dropped or the user is informed that the request violates policy.

Another reason for filtering is "active content" such as ActiveX or Java applets, which could be malicious. The PIX can protect your users from malicious sites that embed these executable applets (viruses or Trojan horses) in their pages. Content filtering can scan incoming applets and block or drop them if any harmful applets are found. The PIX firewall cannot provide content filtering by itself, but it can be configured to interoperate with content filtering servers that provide this protection.
Filtering URLs

It is possible to use access lists to filter certain Web sites, but management will become difficult and performance will suffer as the access control list (ACL) grows. Moreover, the use of Dynamic DNS enables attackers to rapidly change IP addresses, yet retain the same name. Access lists are also inflexible in that they cannot filter by specific pages, but must filter by the IP address associated with a Web site. Another limitation of ACLs is that they cannot handle multiple Web sites hosted on a single physical server, all of which have unique names, but use the same IP address. Denying or permitting access to a particular Web site hosted in such a fashion affects all Web sites on that server.
NOTE If user authentication is enabled on the PIX, the PIX also sends the username to the filtering server. The filtering server can use user-specific filtering settings or provide enhanced reporting regarding usage.
Enter dedicated filtering servers! The PIX firewall essentially hands the workload and authority for content filtering to a dedicated URL filtering server, which specializes in the task. This reduces the burden on the PIX firewall, and allows for fine-tuning of Web access controls. The filtering process is:

1. A client establishes a TCP connection to a Web server.
2. The client sends an HTTP request for a page on this server.
3. The PIX intercepts this request and hands it over to the filtering server.
4. The filtering server decides if the client should be allowed access to the requested page.
5. If the decision is positive, the PIX forwards the request to the server and the client receives the requested content.
6. If the decision is negative, the client's request is dropped.

There are several steps for setting up the filtering partnership between the PIX and the filtering server:

1. Identify the filtering server to the PIX.
2. (Optional) Buffer responses from the Web server.
3. (Optional) Cache addresses of Web servers to improve performance.
4. Configure HTTP filtering and the different options available.
5. Configure HTTPS filtering (Websense only).
6. Configure FTP filtering (Websense only).
Websense and Sentian by N2H2

The PIX can interact with two types of filtering servers: Websense (www.websense.com) and Sentian by N2H2 (www.n2h2.com). Websense has been supported since version 5.3, and support has been enhanced for greater speed in version 7.0. Sentian by N2H2 support was added in version 6.2. PIX URL filtering in version 7.0 can also be applied to FTP requests if a Websense server is being used. In PIX 7.0, support for inspecting FTP and HTTPS connections is also available, but only if you are using a Websense server. To configure URL filtering:

1. Specify the server to use for URL processing.
2. Identify the traffic that the firewall is to inspect—ports and IP addresses.
3. (Optional) Configure some server-specific parameters.
4. Configure filtering rules on the filtering server.

To specify a filtering server for Websense:

url-server (if_name) host local_ip [timeout <seconds>] [protocol tcp | udp [version 1|4]]
For example, the following command specifies that the PIX should use a server with IP address 10.0.0.1, located on the interface inside, and connect to it using UDP Websense protocol v4:

PIX1(config)# url-server (inside) host 10.0.0.1 protocol udp version 4
In this syntax, if_name is the interface on which the server is located; the default here is the inside interface. local_ip is the IP address of the filtering server. The PIX uses timeout (default is five seconds) to decide how long it has to wait for a reply from the server until it gives up and switches to the next configured server, or takes a default action if there are no more servers available. Up to four servers may be configured, as long as they are all the same type. It is not possible to mix Websense and Sentian filtering servers in the same configuration. The first server configured is the primary filtering server and is attempted first. The protocol type and version parameters specify the Websense protocol that should be used for communication with the server. It can be either TCP protocol v1 (default) or v4, or UDP protocol v4. The version numbers refer to the version of the Websense communication protocol to be used by the PIX. As you will be deploying Websense 4 or later, v4 is the appropriate choice. UDP protocol v4 is the recommended choice if the Websense server is directly connected to a firewall interface and you want to achieve maximum throughput.

The Sentian by N2H2 server is specified by the command:

url-server (if_name) vendor n2h2 host local_ip [port <port_number>] [timeout <seconds>] [protocol tcp | udp]

The meaning of the parameters is the same. The parameter vendor n2h2 states that the server is a Sentian by N2H2 filtering server. The default is vendor websense. Sentian by N2H2 servers have only one communication protocol version available, so it is not specified. You can change the port used for communicating with the N2H2 server via the port_number parameter.
NOTE If you switch the application type (that is, change from N2H2 server to Websense or vice versa), all filtering configuration is lost and will need to be reentered.
Fine-Tuning and Monitoring the Filtering Process

When a user issues a request, the PIX firewall sends the request to the Web server and to the filtering server at the same time. If the filtering server does not respond before the Web server, the server response is dropped. This delays the response, which can cause the client to retry the request.
By enabling the HTTP response buffer, such replies are buffered and forwarded to the client if the filtering server allows it. This prevents the delay that might otherwise occur. To enable buffering of responses to HTTP or FTP requests while awaiting a decision from the filtering server, enter the following command:

url-block block block-buffer-limit
The block-buffer-limit is the maximum number of 1550-byte blocks that will be buffered, from 0 to 128.
NOTE Buffering URLs longer than 1159 bytes is only supported for the Websense filtering server.
To configure the amount of memory available for buffering pending URLs (for Websense only—this command is not available for Sentian by N2H2 servers), enter the following command:

url-block url-mempool memory-pool-size
where memory-pool-size is a value from 2 to 10240 for a maximum memory allocation of 2 KB to 10 MB. Make sure to use a size that leaves your PIX firewall enough memory for all of its other functions. The url-block command addresses the problem of long URLs, which can result from the practice of storing session and other information in the URL itself. A typical long URL could look like this:

http://www.somebettingcompany.com/?action=GoEv&class_id=1&type_id=2&ev_id=4288&class_name=%7CFootball%7C&type_name=%7CChampions+League%7C+%7CQualifying+Matches%7C&ev_name=%7CGenk%7C+v+%7CSparta+Prague%7C
In v7.0, the maximum URL length for Websense filtering is 4 KB, and 1159 bytes for N2H2. To change the maximum URL length:

url-block url-size long_url_size
where long_url_size is the maximum allowed URL size for Websense filtering in KB—2, 3, or 4 KB. The PIX supports options to the filter url command to adapt for URLs that exceed 1159 bytes when using a Websense server. We will look at the filter url command, which sets up the actual filtering of URLs, in detail in the next section, "Configuring HTTP URL Filtering." The options we're concerned with here are those that pertain to handling long URLs:

filter url {http | <port>[-<port>]} local_ip local_mask foreign_ip foreign_mask [allow] [cgi-truncate] [longurl-truncate | longurl-deny] [proxy-block]
The cgi-truncate and longurl-truncate / longurl-deny parameters help us to deal with the problem of long URLs, which are common nowadays as session and other information is stored in the URL itself. A typical long URL could look like this:

http://www.somebettingcompany.com/?action=GoEv&class_id=1&type_id=2&ev_id=4288&class_name=%7CFootball%7C&type_name=%7CChampions+League%7C+%7CQualifying+Matches%7C&ev_name=%7CGenk%7C+v+%7CSparta+Prague%7C
In v7, the maximum URL length for Websense filtering is 4 KB, and 1159 bytes for N2H2. The longurl-truncate parameter specifies that when the URL length exceeds the maximum, only the IP address or hostname from the request is sent to the filtering server. This truncation is prone to "false negatives" and "false positives" if a Web server hosts a number of sites that belong to different categories. The Web server IP is likely to be in a category that does not accurately reflect the sites hosted on it. The longurl-deny parameter specifies that all URL requests that exceed the buffer size should be dropped. The cgi-truncate parameter specifies that only the CGI script name and its location (the part of the URL before the ? sign) should be passed as the URL to the Websense server. This skips the CGI parameter list, which can be quite long. Without this option enabled, the entire URL, including the parameter list, is passed. For example, to strip CGI parameters from the URL being sent to Websense, we would use:

filter url http 0 0 0 0 cgi-truncate
The url-cache command can improve filtering performance. After a client initiates a request, the PIX can cache the Web server information for a certain amount of time, as long as every site hosted at the address is permitted by the filtering server. When a client accesses the Web site again, the PIX does not need to consult the filtering server again for a decision. The url-cache command looks like this:

url-cache dst | src_dst size
where size is a value for the cache size within the range of 1 to 128 (KB). The dst parameter caches entries based on the URL destination address. Select this mode if all users share the same URL filtering policy on the Websense server. The src_dst keyword caches entries based on both the source address initiating the URL request and the URL destination address. Select this mode if users do not share the same URL filtering policy on the Websense server.
NOTE Requests for cached IP addresses are not passed to the filtering server and are not logged. This activity does not appear in any reports.
You can view statistics of the caching process, including the hit ratio, by executing the show url-cache stat command. For example, the following command enables a cache of 32 KB for all outgoing HTTP requests:

PIX1(config)# url-cache dst size 32
The following are cache statistics:

PIX1# show url-cache stat
URL Filter Cache Stats
----------------------
Size :    32KB
Entries : 360
In Use :  200
Lookups : 2000
Hits :    1000
Usage statistics for the memory pool can be viewed by using the show url-block block stat command. For example:

pix(config)# show url-block block stat
URL Pending Packet Buffer Stats with max block                  128
-----------------------------------------------------
Cumulative number of packets held:                              0
Maximum number of packets held (per URL):                       0
Current number of packets held (global):                        0
Packets dropped due to exceeding url-block buffer limit:        0
Packet drop due to retransmission:                              0
Another command for viewing filtering statistics is show url-server statistics:

PIX1# show url-server stat
URL Server Statistics:
----------------------
Vendor                              websense
URLs total/allowed/denied           0/0/0
HTTPSs total/allowed/denied         0/0/0
FTPs total/allowed/denied           0/0/0

URL Server Status:
------------------
192.168.1.10                        DOWN

URL Packets Sent and Received Stats:
-----------------------------------
Message                 Sent    Received
STATUS_REQUEST          20      0
LOOKUP_REQUEST          0       0
LOG_REQUEST             0       NA
Commands such as show perfmon, show memory, and show chunks will also provide performance information of the URL filtering process.
Configuring HTTP URL Filtering

Now that the filtering servers have been defined, and we've tackled buffering, caching, and the handling of long URLs, the remaining task is to configure the filtering policy itself. It will determine the source and destination hosts and networks that are going to be subject to filtering, and allow us to enter exceptions. The relevant command for HTTP filtering is:

filter url {http | <port>[-<port>]} local_ip local_mask foreign_ip foreign_mask [allow] [cgi-truncate] [longurl-truncate | longurl-deny] [proxy-block]
This command specifies port numbers on which HTTP connections should be inspected. local_ip and local_mask specify which local clients are subject to monitoring (that is, the requests by the machines from this network will be checked with a URL filtering server). The foreign_ip and foreign_mask parameters specify that only requests to a specific set of servers are checked. The allow parameter defines that the PIX should permit traffic through if it is unable to contact the primary URL filtering server. Finally, the proxy-block parameter specifies that all requests from any clients to proxy servers will be denied. We discussed the cgi-truncate and longurl parameters previously. For example, the following command defines that all HTTP requests to port 80 will be inspected:

PIX1(config)# filter url http 0 0 0 0
The following command configures inspection of all HTTP requests to port 8080 from clients on network 10.100.1.0/24 to any server, and allows the request to pass by default should the filtering server become unavailable:

PIX1(config)# filter url 8080 10.100.1.0 255.255.255.0 0 0 allow
Another variant of the filter command can specify that certain traffic be exempt from filtering. filter url except
When entered after the filter command, this command exempts specified traffic from the policy. For example, the following sequence of commands means that all HTTP traffic to port 8080 will be inspected, but not traffic from network 10.100.1.0/24: PIX1(config)# filter url 8080 0 0 0 0 allow PIX1(config)# filter url except 10.100.1.0 255.255.255.0 0 0
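To see how the filter url and filter url except entries interact, the following is an added example written for this section, not code from the book or from Cisco. It parses the two commands shown above and decides, for a given client, server and port, whether a request would be sent to the URL filtering server. The command syntax is the book's; the parser, the data structures, the function names and the assumption that the keyword http means port 80 are this example's own.

```python
"""Added example, not code from the book: evaluate a PIX-style 'filter url' policy
offline. A 'filter url' entry names a port (or range), a local client network and a
foreign server network, with '0 0' meaning any address; 'filter url except' entries
carve exemptions out of that policy and take precedence over it."""
import ipaddress
from dataclasses import dataclass
from typing import List, Tuple

ANY = ipaddress.IPv4Network("0.0.0.0/0")


@dataclass(frozen=True)
class FilterRule:
    ports: Tuple[int, int]            # inclusive TCP port range to inspect
    local: ipaddress.IPv4Network      # clients whose requests are checked
    foreign: ipaddress.IPv4Network    # servers whose URLs are looked up
    allow: bool = False               # pass traffic if the URL server is unreachable
    exempt: bool = False              # True for a 'filter url except' entry


def net(ip: str, mask: str) -> ipaddress.IPv4Network:
    """PIX '0 0' means any address; otherwise build the network from ip and mask."""
    if ip == "0" and mask == "0":
        return ANY
    return ipaddress.IPv4Network(f"{ip}/{mask}", strict=False)


def parse_filter_line(line: str) -> FilterRule:
    """Parse one 'filter url ...' or 'filter url except ...' line. Only the port,
    the addresses and 'allow' are modelled; cgi-truncate, longurl-* and proxy-block
    change how a lookup is done, not who is subject to it."""
    tok = line.split()
    if tok[:2] != ["filter", "url"]:
        raise ValueError("not a filter url line: " + line)
    if tok[2] == "except":
        lip, lmask, fip, fmask = tok[3:7]
        return FilterRule((1, 65535), net(lip, lmask), net(fip, fmask), exempt=True)
    spec = "80" if tok[2] == "http" else tok[2]      # assumption: http means port 80
    lo, _, hi = spec.partition("-")
    lip, lmask, fip, fmask = tok[3:7]
    return FilterRule((int(lo), int(hi or lo)), net(lip, lmask), net(fip, fmask),
                      allow="allow" in tok[7:])


def load_policy(config: str) -> List[FilterRule]:
    """Parse every filter url line of a config excerpt, skipping a 'PIX1(config)#' prompt."""
    rules = []
    for raw in config.splitlines():
        line = raw.split("#", 1)[1].strip() if "#" in raw else raw.strip()
        if line.startswith("filter url"):
            rules.append(parse_filter_line(line))
    return rules


def decision(rules: List[FilterRule], client: str, server: str, port: int):
    """Return ('filter', allow_on_server_down) when the request must be checked
    against the URL server, or ('pass', None) when no lookup is made."""
    c, s = ipaddress.IPv4Address(client), ipaddress.IPv4Address(server)
    # An exemption takes precedence over any matching filter entry.
    for r in rules:
        if r.exempt and c in r.local and s in r.foreign:
            return ("pass", None)
    for r in rules:
        if (not r.exempt and r.ports[0] <= port <= r.ports[1]
                and c in r.local and s in r.foreign):
            return ("filter", r.allow)
    return ("pass", None)


# Constructed sample policy, built from the two commands shown in the text.
SAMPLE_CONFIG = """\
PIX1(config)# filter url 8080 0 0 0 0 allow
PIX1(config)# filter url except 10.100.1.0 255.255.255.0 0 0
"""

if __name__ == "__main__":
    policy = load_policy(SAMPLE_CONFIG)
    for client, port in (("10.100.1.5", 8080), ("10.100.2.5", 8080), ("10.100.2.5", 80)):
        print(client, port, decision(policy, client, "198.51.100.7", port))
```

The evaluator makes the exemption ordering explicit: a client in 10.100.1.0/24 is never looked up, any other client on port 8080 is looked up and passes if the server is down (because of allow), and port 80 traffic is untouched because the policy only names 8080.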
NOTE You would use exemptions to deal with Web pages that will not load if subject to URL filtering. One set of Web pages that is notorious for this issue is WindowsUpdate. Finding all the IP addresses of the servers used for WindowsUpdate can be a challenge—one that can be overcome by using the logging tools of the PIX.
Configuring HTTPS Filtering
Version 7.0 introduces the ability to filter HTTPS traffic, but only with Websense servers. Since HTTPS content is encrypted, the PIX sends the URL lookup without directory and filename information. When the filtering server approves an HTTPS request, the PIX allows the SSL connection negotiation to complete and the reply to reach the client. If the filtering server denies the request, the PIX blocks completion of the SSL connection. The browser displays an error message such as "The Page or the content cannot be displayed." The relevant command for HTTPS filtering is:
filter https https | <port>[-<port>] <local_ip> <local_mask> <foreign_ip> <foreign_mask> [allow]
As with HTTP filtering, allow permits the session if none of the filtering servers is available. There are no options to truncate long URLs: HTTPS URLs are encrypted and cannot be transmitted to the filtering server. The following command defines that all HTTPS requests to port 443 will be inspected:
PIX1(config)# filter https https 0 0 0 0
The filter https except command works the same for HTTPS as it does for the filter url except command for HTTP.
NOTE The PIX does not provide an authentication prompt for HTTPS. If user authentication is used, a user must first authenticate using HTTP or FTP before accessing an HTTPS server.
Setting Up FTP Filtering
Version 7.0 provides the ability to filter FTP traffic, but only via Websense servers. When the filtering server approves an FTP connection request, the PIX allows the successful FTP reply to the client, such as "250: CWD command successful." If the request is denied, the PIX alters the FTP response to show that the connection was denied, such as "550 Requested file is prohibited by URL filtering policy." The relevant command for FTP filtering is:
filter ftp ftp | <port> <local_ip> <local_mask> <foreign_ip> <foreign_mask> [allow] [interact-block]
The interact-block parameter blocks interactive FTP sessions that do not provide the entire directory path. An interactive FTP client allows the user to change directories without typing the entire path; for example, the user might enter cd ./files instead of cd /public/files. The following command defines that all FTP requests to port 21 will be inspected:
PIX1(config)# filter ftp ftp 0 0 0 0
Exceptions can be set up using filter ftp except, with the syntax otherwise identical to the filter url except command.
Active Code Filtering
Active content in Web pages could contain harmful applets. The PIX firewall provides an effective way to prevent this content from reaching clients. In HTML, active content is denoted by two types of tags. The first is the <object> ... </object> pair. These tags are most common for ActiveX content, but can also be used by Java applets; in addition, they are used for multimedia content. The Java-only tags are the <applet> ... </applet> pair.
When configured to look for active content, the PIX simply comments out both of these tag pairs inside a TCP packet, together with the content between them. This commenting out causes the active content to be skipped by the client browser: the embedded code is not run. The PIX cannot perform this cleansing if the opening tag is in one packet and the closing tag is in another; in that case the Web page is passed to the client unmodified. The following example shows the applet inactivation feature in action. The sample HTML code contains an applet reference.
After being transformed by the PIX, it becomes the code in the following output:
After modification, the client browser will ignore everything between the <applet> and </applet> tags.
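The following is an added example, not code from the book or from the PIX itself, that reproduces the behaviour just described on a per-packet basis: a complete object or applet tag pair inside one TCP payload is wrapped in an HTML comment, while an opening tag whose closing tag sits in a later packet is left alone and the payload passes unchanged. The function names and the sample pages are this example's own; the selection of tag kinds models the difference between the Java-only filter and the broader object-tag filter discussed in the next two sections.

```python
"""Added example, not the book's code: emulate the PIX treatment of active-content
tags one TCP payload at a time. Function names and sample data are constructed."""
import re
from typing import Iterable, List, Tuple


def _patterns(kinds: Iterable[str]):
    """Compile case-insensitive matchers for the selected tag names."""
    alt = b"|".join(re.escape(k.lower().encode()) for k in kinds)
    # A complete pair: opening tag, any content (even across lines), matching closing tag.
    pair = re.compile(rb"<(" + alt + rb")\b[^>]*>.*?</\1\s*>", re.IGNORECASE | re.DOTALL)
    opener = re.compile(rb"<(" + alt + rb")\b", re.IGNORECASE)
    return pair, opener


def neutralise_payload(payload: bytes, kinds=("object", "applet")) -> Tuple[bytes, bool]:
    """Return (rewritten payload, handled).

    kinds selects which tags to comment out: ("applet",) models the Java filter,
    ("object", "applet") the broader ActiveX/object filter. handled is False when a
    selected opening tag has no closing tag in this payload; the payload is then
    returned as-is, which is the limitation the text describes."""
    pair, opener = _patterns(kinds)
    spans = [(m.start(), m.end()) for m in pair.finditer(payload)]
    for m in opener.finditer(payload):
        if not any(s <= m.start() < e for s, e in spans):
            return payload, False          # pair is split across packets
    out, pos = [], 0
    for start, end in spans:
        out.append(payload[pos:start])
        out.append(b"<!--" + payload[start:end] + b"-->")   # browser now skips it
        pos = end
    out.append(payload[pos:])
    return b"".join(out), True


def neutralise_stream(packets: Iterable[bytes], kinds=("object", "applet")) -> Tuple[List[bytes], int]:
    """Apply the per-packet rule to a sequence of payloads; the second value counts
    payloads that had to be passed through unmodified."""
    results = [neutralise_payload(p, kinds) for p in packets]
    return [r[0] for r in results], sum(1 for r in results if not r[1])


# Constructed sample page carrying an applet reference.
SAMPLE_PAGE = (b"<html><body><p>Hello</p>"
               b"<applet code=Hello.class width=100 height=50></applet>"
               b"</body></html>")

if __name__ == "__main__":
    print(neutralise_payload(SAMPLE_PAGE)[0].decode())
    # A pair split over two packets survives untouched:
    print(neutralise_stream([b"<html><applet code=Hello.class>", b"</applet></html>"]))
```

Running the stream case shows why the text calls this filtering imperfect: the first payload holds only the opening tag, so it is returned unmodified, and the closing tag arrives in a payload with nothing to comment out.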
Filtering Java Applets
While Java has a more or less robust security model for its active code, "sandboxing" the code so it cannot do harm on the user's machine, it is as prone to security vulnerabilities as any other piece of networking code. You might want to filter Java applets and allow Java only on certain sites that you know are benign. Note also that this filtering is not perfect: it looks for applet HTML tags, which are not the only way to embed Java code into a Web site. To configure filtering of Java applets, use the following command:
filter java <port>[-<port>] <local_ip> <local_mask> <foreign_ip> <foreign_mask>
Here are two examples:
PIX1(config)# filter java 80 0 0 0 0
PIX1(config)# filter java 80 192.168.2.17 255.255.255.255 0 0
The first command configures the PIX to drop all Java applets from incoming Web pages. The second is an alternative that prohibits only one host, 192.168.2.17, from downloading Java applets. You would either use a "catch-all" command or be more specific, never both. The port parameter specifies the TCP port on which to perform the inspection. Like the other filter commands, this command lets you specify exceptions. Use the following command to specify an exception:
filter java except <local_ip> <local_mask> <foreign_ip> <foreign_mask>
For example, the following commands filter all Java applets with the exception of the applet on www.time.gov:
PIX1(config)# filter java 80 0 0 0 0
PIX1(config)# filter java except 0 0 129.6.13.35 255.255.255.255
PIX1(config)# filter java except 0 0 132.163.4.203 255.255.255.255
Filtering ActiveX Objects
By design, ActiveX objects have almost unrestricted access to the client's machine. The concern here is not just about security vulnerabilities, but also the inherent design risk of ActiveX. Keep in mind, however, that ActiveX is widely used, and that restricting your users from legitimate activity will only drive them to find ways around the firewall. Examples of Web applications that use ActiveX extensively are Windows Update and almost all SSL VPN appliances. Furthermore, because of the way ActiveX filtering works (it looks for an object HTML tag), this filter will also catch many Java applets and many forms of embedded multimedia. The command to filter ActiveX code (and all active content embedded in "object" tags) is similar to Java filtering:
filter activex <port>[-<port>] <local_ip> <local_mask> <foreign_ip> <foreign_mask>
PIX1(config)# filter activex 80 0 0 0 0
This command configures the PIX to comment out all pairs of object tags in all incoming Web pages, disabling ActiveX, many embedded multimedia objects, and many Java applets. Exemptions to blocking object tags work just like exemptions to blocking applet tags:
filter activex except <local_ip> <local_mask> <foreign_ip> <foreign_mask>
Virus Filtering; Spam, Adware, Malware, and Other-Ware Filtering
The PIX will not forward traffic transparently to content-inspection servers that scan e-mail, Web, and FTP traffic for viruses and other malware, as it can for URL filtering. However, you can place content-inspection servers in a DMZ and configure clients (e.g., by using Active Directory group policies) to use these servers as proxy servers. An example configuration might look something like Figure 6.1.
Figure 6.1 Content Inspection Server in a DMZ (diagram: Cisco PIX with Outside 192.168.0.0/24 toward the Internet, LAN 172.16.0.0/20 holding the client, and DMZ 10.0.0.0/24 holding the content inspection server)
As with all DMZ servers, you will want to configure the PIX to allow traffic between the internal LAN and the DMZ server without address translation to avoid the overhead of NAT where it is not needed.
TCP Attack Detection and Response
TCP normalization drops packets that do not appear normal; that is, packets that use options or flags not typically seen in everyday traffic. TCP normalization is used with the Modular Policy Framework to create a security policy that is then applied to an interface. Once a policy for TCP has been created using the policy-map command, it is applied to an interface using the service-policy command. For example, we can set a policy for TCP to allow the URG (URGent) pointer for certain applications, such as rsh, rlogin, FTP, and Telnet, but not for other traffic. Modular Policy Framework commands are used to set advanced TCP connection settings as follows:
1. Create a TCP map that allows urgent flag and urgent offset packets.
PIX1(config)# tcp-map tmap
PIX1(config-tmap)# urgent-flag allow
TCP normalization includes the following settings, which are configurable in tcp-map configuration mode.
■ queue-limit Maximum number of out-of-order packets that can be queued for a TCP connection.
■ urgent-flag Allows or clears the URG pointer through the PIX.
■ tcp-options {selective-ack | timestamp | window-scale} Allows or clears the selective-ack, timestamp, or window-scale TCP options.
■ window-variation Drops a connection that has changed its window size unexpectedly.
■ ttl-evasion-protection Enables or disables the TTL evasion protection offered by the PIX.
■ reserved-bits Sets the reserved flags policy in the security appliance.
■ check-retransmission Enables or disables the retransmit data checks.
■ exceed-mss Allows or drops packets that exceed the MSS set by the peer.
■ syn-data Allows or drops SYN packets with data.
■ checksum-verification Enables or disables checksum verification.
NOTE Microsoft Internet Explorer will send data in the SYN packet, and Microsoft IIS is designed to respond to this. Using the TCP normalization feature syn-data clear in a TCP map may slow browsing with Internet Explorer considerably.
2. Identify traffic by creating a class map using the class-map command.
PIX1(config)# class-map urg-class
PIX1(config-cmap)# match port tcp range ftp-data telnet
3. Add a policy map that references the class map and the TCP map.
PIX1(config)# policy-map pmap
PIX1(config-pmap)# class urg-class
PIX1(config-pmap-c)# set connection advanced-options tmap
4. Activate the policy map globally, or apply it to a specific interface. To activate the policy map globally, use this command:
PIX1(config)# service-policy pmap global
To apply the policy map to a specific interface, use this command:
PIX1(config)# service-policy pmap interface <if_name>
Here is an example that applies the policy map to the outside interface:
PIX1(config)# service-policy pmap interface outside
5. To show the TCP map statistics, enter the following command:
PIX1# show service-policy set connection
PIX Intrusion Detection
The PIX firewall offers a basic intrusion detection system (IDS) capability. Cisco has a specialized IDS product called Cisco Secure IDS (formerly the NetRanger appliance), and a limited part of its functionality is implemented in both Cisco IOS and the Cisco PIX. Because the PIX is basically an OSI Layer 3 and 4 filtering device, it supports detection of only the simpler attacks that happen at these layers. It detects attacks by inspecting single packets in the traffic. The IDS signatures (that is, descriptions of attacks) that the PIX supports are a subset of the Cisco Secure IDS signature set and are embedded in the PIX software. To upgrade this set of signatures, you need to upgrade the entire PIX firmware using the general upgrade procedure. These signatures describe very general and simple attacks, which may not occur very often. Intrusion detection can be configured on each interface in the inbound and outbound directions. When the PIX detects a signature, it produces an alert ("information" or "attack") depending on the severity of the attack, and records its occurrence to any configured syslog server.
Supported Signatures
The list of supported signatures has not changed since v6.2. If full intrusion detection and prevention (IDP) is desired, a separate IDP device should be deployed. The PIX will not be able to detect some of the new attacks that have been developed since PIX v6.2 was released. For version 7.0, syslog messages numbered from 400000 to 400050 are reserved for IDS messages. Their format is shown here:
%PIX-4-4000nn: IDS:<sig_num> <sig_msg> from <src_ip> to <dst_ip> on interface <if_name>
This syslog message means that the PIX has detected an attack with number sig_num and name sig_msg. The two IP addresses show the origin and the destination of this attack. The interface on which the attack was detected is listed as well. For example:
%PIX-4-400013 IDS:2003 ICMP redirect from 1.2.3.4 to 10.2.3.1 on interface dmz
Table 6.2 lists all signatures detected by the PIX, with short descriptions.
273
326_PIX_2e_06.qxd
274
5/7/05
12:55 PM
Page 274
Chapter 6 • Filtering, Intrusion Detection, and Attack Management
Table 6.2 PIX IDS Signatures Message Number Signature ID Signature Title
Signature Type
400000
1000
IP options-Bad Option List
Informational
400001
1001
IP options-Record Packet Route
Informational
400002
1002
IP options-Timestamp
Informational
400003
1003
IP options-Security
Informational
400004
1004
IP options-Loose Source Route
Informational
400005
1005
IP options-SATNET ID
Informational
400006
1006
IP options-Strict Source Route
Informational
400007
1100
IP Fragment Attack
Attack
400008
1102
IP Impossible Packet
Attack
400009
1103
IP Fragments Overlap
Attack
400010
2000
ICMP Echo Reply
Informational
400011
2001
ICMP Host Unreachable
Informational
400012
2002
ICMP Source Quench
Informational
400013
2003
ICMP Redirect
Informational
400014
2004
ICMP Echo Request
Informational
400015
2005
ICMP Time Exceeded for a Datagram
Informational
400016
2006
ICMP Parameter Problem on Datagram
Informational
400017
2007
ICMP Timestamp Request
Informational
400018
2008
ICMP Timestamp Reply
Informational
400019
2009
ICMP Information Request
Informational
400020
2010
ICMP Information Reply
Informational
400021
2011
ICMP Address Mask Request
Informational
400022
2012
ICMP Address Mask Reply
Informational
400023
2150
Fragmented ICMP Traffic
Attack
400024
2151
Large ICMP Traffic
Attack
400025
2154
Ping of Death Attack
Attack
400026
3040
TCP NULL flags
Attack
400027
3041
TCP SYN+FIN flags
Attack
400028
3042
TCP FIN only flags
Attack
400029
3153
FTP Improper Address Specified
Informational
400030
3154
FTP Improper Port Specified
Informational Continued
326_PIX_2e_06.qxd
5/7/05
12:55 PM
Page 275
Filtering, Intrusion Detection, and Attack Management • Chapter 6
Table 6.2 continued PIX IDS Signatures Message Number Signature ID Signature Title
Signature Type
400031
4050
UDP Bomb attack
Attack
400032
4051
UDP Snork attack
Attack
400033
4052
UDP Chargen DoS attack
Attack
400034
6050
DNS HINFO Request
Attack
400035
6051
DNS Zone Transfer
Attack
400036
6052
DNS Zone Transfer from High Port Attack
400037
6053
DNS Request for All Records
Attack
400038
6100
RPC Port Registration
Informational
400039
6101
RPC Port Unregistration
Informational
400040
6102
RPC Dump
Informational
400041
6103
Proxied RPC Request
Attack
400042
6150
ypserv (YP server daemon) Portmap Request
Informational
400043
6151
ypbind (YP bind daemon) Portmap Request
Informational
400044
6152
yppasswdd (YP password daemon) Portmap Request
Informational
400045
6153
ypupdated (YP update daemon) Portmap Request
Informational
400046
6154
ypxfrd (YP transfer daemon) Portmap Request
Informational
400047
6155
mountd (mount daemon) Portmap Request
Informational
400048
6175
rexd (remote execution daemon) Portmap Request
Informational
400049
6180
rexd (remote execution daemon) Attempt
Informational
400050
6190
statd Buffer Overflow
Attack
The signature IDs listed in Table 6.2 correspond to signature numbers on the Cisco Secure IDS appliance. See www.cisco.com/univercd/cc/td/doc/product/iaabu/csids/csids1/csidsug/sigs.htm (Cisco Secure Intrusion Detection System Version 2.2.1 User Guide) for a complete reference. All signatures are divided into two classes: informational and attack. The division is rather deliberate and cannot be changed, but it makes sense most of the time. For example, all DoS attacks are listed as attacks, and all information requests only have informational status. While you might feel that obtaining information on RPC services on one of your hosts is an attack, Cisco lists it as informational. Generalizing a little, it is possible to suggest the following reasoning on attack classification (from top to bottom in Table 6.2):
■ Packets with IP options will not do any harm because they are always dropped by the PIX, so if these packets are detected, only an informational message is sent.
■ Fragmented packets can pass through the firewall and are generally difficult to inspect, so they constitute an attack attempt.
■ Legitimate ICMP traffic, although unwanted and maybe revealing some information about your network (e.g., ICMP Information Request), is not classified as an attack.
■ Fragmented ICMP, Ping of Death, and so on are considered attacks.
■ Invalid TCP flag combinations, such as SYN and FIN, or FIN only, are considered attacks because they are sometimes used for stealth scanning of networks.
■ All floods/DoS attempts are classified as attacks.
■ DNS transfers are classified as attacks; they reveal too much about the network.
■ General RPC requests and all information requests for various RPC services are not considered that harmful and are classified as informational.
■ Some specific one-packet attacks on RPC services are recognized separately.
Configuring Intrusion Detection/Auditing
Intrusion detection by the PIX is referred to as "auditing" by Cisco, and is configured via the ip audit command. Auditing can be disabled or enabled, different auditing policies can be created, the policies can be applied to specific interfaces, and specific signatures can be turned on or off. The simplest configuration requires you to assign a name for the auditing policy, specify the actions (one for informational signatures and one for attack signatures) to be taken, and apply the policy to an interface. The actions that can be taken are:
■ Alarm When the PIX detects a signature in the packet, it reports with the message described previously to all configured syslog servers.
■ Drop When this action is configured, the PIX drops the offending packet.
■ Reset This action means that the PIX should drop the packet and close the connection if the packet was part of an open connection.
The default action is alarm. Policy configuration usually takes no more than two commands:
ip audit name <audit_name> info action [drop | alarm | reset]
ip audit name <audit_name> attack action [drop | alarm | reset]
For example, the following commands create a policy with the name myaudit and specify that when an informational signature is matched, the PIX should send an alarm to syslog, and when an attack signature is matched, the PIX should drop the packet:
PIX1(config)# ip audit name myaudit info action alarm
PIX1(config)# ip audit name myaudit attack action drop
It is possible to omit the action in the configuration. In this case, the default action is applied. Default actions are configured via these commands:
ip audit info action [drop | alarm | reset]
ip audit attack action [drop | alarm | reset]
The default action is alarm. Note that if you issue only the following command but not the corresponding attack command, no attack signatures will be matched:
PIX1(config)# ip audit name myaudit info action alarm
However, if you configure the policy in the following manner, omitting the action for informational signatures, both informational and attack signatures will be matched, and the default action (alarm) will be applied when a packet matches an informational signature:
PIX1(config)# ip audit name myaudit info
PIX1(config)# ip audit name myaudit attack action drop
After creating a policy, you need to apply it to an interface to activate IDS on that interface. For example:
PIX1(config)# ip audit interface outside myaudit
This means that all signatures and actions configured should be matched on the outside interface. The general form of this command is:
ip audit interface <if_name> <audit_name>
■ if_name is the name of the interface on which the IDS has to check packets.
■ audit_name is the name of the policy that describes which actions to take.
The following configures an elementary IDS on the outside interface, which will send an alarm when an informational signature is matched and drop the connection when an attack signature is matched:
PIX1(config)# ip audit name myaudit info action alarm
PIX1(config)# ip audit name myaudit attack action drop
PIX1(config)# ip audit interface outside myaudit
Each command has a no equivalent, which removes the command from the configuration. For example:
PIX1(config)# no ip audit interface outside myaudit
PIX1(config)# no ip audit name myaudit info
You can clear the IDS configuration related to an interface, policy, or default action:
clear ip audit [name | signature | interface | audit | info | attack]
The following set of commands displays the corresponding IDS configuration related to an interface, audit, or default action. This output simply shows the commands you entered when configuring these parameters:
show ip audit interface
show ip audit info
show ip audit attack
show ip audit name
Disabling Signatures
Imagine the following situation: You want to be alerted when the informational signature 6102, "RPC Dump," is matched. This means that you have to include all informational signatures in your policy with a command such as:
PIX1(config)# ip audit name myaudit info action alarm
Here comes the problem: Many other signatures are listed as informational, and some of them are very "noisy," generating many alarms; for example, number 2000, "ICMP echo reply," which is simply a response to a ping. Chances are, you will be flooded with alarms on this latter signature and will not notice the former one, which is the one you are actually interested in. You can ignore the noisy signatures with the following command, which disables detection of the signature with number sig_number:
ip audit signature <sig_number> disable
In our case, to disable the "ICMP echo reply" signature, use the following command:
PIX1(config)# ip audit signature 2000 disable
After this command is executed, signature number 2000 ("ICMP echo reply") will not be detected by the PIX. Note that disabling a signature means disabling it globally, not for a specific interface or audit. It is possible to see the list of all disabled signatures with the command:
PIX1(config)# show ip audit signature
You can enable a disabled signature with a no command in Configuration mode:
no ip audit signature <sig_number> disable
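The following added example, not the book's code, ties together the syslog format from the Supported Signatures section and the noise problem described just above: it parses PIX IDS messages, classifies them with a subset of Table 6.2, and applies a set of disabled signature numbers the way ip audit signature <sig_number> disable would, so that the "RPC Dump" event is visible once the echo-reply noise is gone. The message format, signature IDs, titles and types are the book's; the sample log lines are constructed (the first one is the book's own example, the rest use documentation addresses), and the function names and the "Unknown" bucket for IDs outside the subset are this example's own.

```python
"""Added example, not the book's code: triage PIX IDS syslog lines against a subset
of Table 6.2 and suppress disabled signatures. Sample data is constructed."""
import re
from collections import Counter
from typing import Dict, List, Optional, Set, Tuple

# Subset of Table 6.2: signature ID -> (title, type).
SIGNATURES: Dict[int, Tuple[str, str]] = {
    1000: ("IP options-Bad Option List", "Informational"),
    2000: ("ICMP Echo Reply", "Informational"),
    2003: ("ICMP Redirect", "Informational"),
    2154: ("Ping of Death Attack", "Attack"),
    3041: ("TCP SYN+FIN flags", "Attack"),
    6051: ("DNS Zone Transfer", "Attack"),
    6102: ("RPC Dump", "Informational"),
    6190: ("statd Buffer Overflow", "Attack"),
}

# %PIX-4-4000nn[:] IDS:<sig_num> <sig_msg> from <ip> to <ip> on interface <if_name>
LINE_RE = re.compile(
    r"%PIX-4-(?P<msgnum>4000\d\d):?\s+IDS:(?P<sig>\d+)\s+(?P<msg>.+?)"
    r"\s+from\s+(?P<src>\S+)\s+to\s+(?P<dst>\S+)\s+on\s+interface\s+(?P<iface>\S+)"
)


def parse_ids_line(line: str) -> Optional[dict]:
    """Return the fields of one IDS message, or None for any other syslog line."""
    m = LINE_RE.search(line)
    if not m:
        return None
    sig = int(m["sig"])
    title, kind = SIGNATURES.get(sig, (m["msg"], "Unknown"))
    return {"msgnum": int(m["msgnum"]), "sig": sig, "title": title, "type": kind,
            "src": m["src"], "dst": m["dst"], "iface": m["iface"]}


def triage(lines, disabled: Set[int] = frozenset()):
    """Parse lines, drop signatures listed in `disabled` (the effect of
    'ip audit signature <n> disable'), and count the rest by type."""
    events = []
    for line in lines:
        ev = parse_ids_line(line)
        if ev and ev["sig"] not in disabled:
            events.append(ev)
    counts = Counter(ev["type"] for ev in events)
    return events, counts


def top_sources(events, n: int = 3) -> List[Tuple[str, int]]:
    """Sources producing the most events: a first cut when considering a shun."""
    return Counter(ev["src"] for ev in events).most_common(n)


# Constructed sample log. Line 1 is the book's example; the others are made up.
SAMPLE_LOG = """\
%PIX-4-400013 IDS:2003 ICMP redirect from 1.2.3.4 to 10.2.3.1 on interface dmz
%PIX-4-400010 IDS:2000 ICMP echo reply from 198.51.100.9 to 10.2.3.20 on interface outside
%PIX-4-400010 IDS:2000 ICMP echo reply from 198.51.100.9 to 10.2.3.21 on interface outside
%PIX-4-400040 IDS:6102 RPC dump from 198.51.100.77 to 10.2.3.15 on interface outside
%PIX-4-400027 IDS:3041 TCP SYN+FIN flags from 198.51.100.77 to 10.2.3.15 on interface outside
%PIX-4-400050 IDS:6190 statd buffer overflow from 198.51.100.77 to 10.2.3.15 on interface outside
%PIX-6-302013: Built inbound TCP connection (constructed non-IDS line)
"""

if __name__ == "__main__":
    events, counts = triage(SAMPLE_LOG.splitlines(), disabled={2000})
    for ev in events:
        print(f"{ev['type']:<13} {ev['sig']} {ev['title']} {ev['src']} -> {ev['dst']} ({ev['iface']})")
    print(dict(counts), top_sources(events))
```

With signature 2000 suppressed, the four remaining events are two informational (the redirect and the RPC Dump the administrator was waiting for) and two attacks, all but one from the same source.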
Configuring Shunning
Shunning is a term used in the IDS context to describe blocking traffic from an attacking host; it is configured on the PIX using the following command:
shun <src_ip> [<dst_ip> <sport> <dport> [<protocol>]]
This technique temporarily blocks all traffic from the specified source IP address. To block all traffic from the source IP address 10.0.1.1, use the following command:
PIX1(config)# shun 10.0.1.1
You can also deny more specific traffic by specifying a source port, destination IP address, and destination port number. After the shun command is entered, the PIX deletes all matching connections from its internal connection table and drops all further packets that match the command's parameters. The action of this command takes priority over access list entries and even security levels on interfaces; all specified traffic is blocked, whether the offending host is on the inside or the outside of the interface. To remove this blocking action, use the corresponding no command. For example:
PIX1(config)# no shun 10.0.1.1
This command is dynamic and is not displayed or stored in the configuration. If you want to view active shuns, use the show shun command. The clear shun command deletes all shun entries.
Attack Containment and Management
The Cisco PIX firewall has many other security features, some of which can be used to protect the network against various DoS attacks. Some of them are related to the processing of routing information, both unicast and multicast.
Placing Limits on Fragmentation
Fragmented packets are a challenge to firewalls. For example, nothing in the current Internet standards prevents a person from sending IP packets so fragmented that the source and destination IP addresses and the TCP port information are located in different fragments, or even in overlapping fragments. The firewall cannot determine what to do with the packet until it sees the entire TCP/IP header. Some firewalls simply pass the fragments without trying to reassemble the original packets, whereas others try to perform this reassembly. Reassembly can be a dangerous process; for example, it is very easy to send fragments that will cause the reassembled packet to be of illegal size, possibly crashing internal buffers of the IP stack implementation.
NOTE The PIX always performs reassembly of fragmented packets before they are checked against access lists and can impose some restrictions on the fragmented traffic that passes through it. The global FragGuard feature found in v6.3 was too restrictive in practice and has been removed from v7. The "fragment" commands are now used to place limits on fragments passing the firewall. Their syntax is as follows:
fragment size <database-limit> [<interface>]
fragment chain <chain-limit> [<interface>]
fragment timeout <seconds> [<interface>]
clear fragment
The fragment commands allow you to specify an interface by name, such as outside. If the interface parameter is left off a fragment command, it applies globally to all interfaces. The first command sets the maximum number of blocks that can be used for fragment reassembly. If an interface is not specified, the setting is global; otherwise, the setting is for that specific interface. The default number of blocks is 200 and should never be greater than the total number of available blocks of 1550 bytes' size. In general, a bigger database makes the PIX more vulnerable to a DoS attack by flooding it with fragments and exhausting its memory. The second command sets the maximum allowed number of fragments into which one IP packet is split. The default setting is 24 fragments; the maximum is 8200. Further fragments will be discarded and the packet will not be reassembled. The timeout setting specifies the timeframe in which all fragments of one IP packet should be received. The default timeout is 5 seconds and can be up to 30 seconds.
NOTE If you know that your application does not fragment packets and you want to disallow fragments altogether, you can do so with the command fragment chain 1 [<interface>].
The last command, clear fragment, resets all three settings to their default values. The state of the fragments database can be displayed with the show fragment command:
pix(config)# show fragment outside
Interface:outside
  Size:200, Chain:24, Timeout:5
  Queue:150, Assemble:300, Fail:0, Overflow:0
This output shows that the database has default settings: the size of 200 blocks, 24 fragments in a chain, five-second timeout.There are 150 packets waiting to be reassembled, 300 were already successfully reassembled, and there were no failures or database overflows.
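To make the three limits and the four counters concrete, the following is an added example, not the book's code and not a description of the PIX implementation: a small reassembly database that enforces size (blocks available), chain (fragments per packet) and timeout (seconds to collect a packet), and reports counters in the shape of the show fragment fields above. The class, method and status names are this example's own, and treating overlapping fragments as a reassembly failure is this example's policy rather than a documented PIX behaviour.

```python
"""Added example, not the book's code: model of the PIX fragment database limits
(size, chain, timeout) with show-fragment-style counters. Constructed for this
section; names and the overlap policy are the example's own."""
from dataclasses import dataclass
from typing import Dict, List, Tuple

Key = Tuple[str, str, int]   # (src, dst, IP identification) identifies one packet


@dataclass(frozen=True)
class Fragment:
    key: Key
    offset: int     # fragment offset in 8-byte units, as in the IP header
    length: int     # payload bytes carried by this fragment
    more: bool      # MF flag: more fragments follow
    arrival: float  # arrival time in seconds


class FragmentDB:
    def __init__(self, size: int = 200, chain: int = 24, timeout: int = 5):
        self.size, self.chain, self.timeout = size, chain, timeout   # PIX defaults
        self.pending: Dict[Key, List[Fragment]] = {}
        self.assemble = self.fail = self.overflow = 0

    @property
    def queue(self) -> int:
        """Packets still waiting for fragments."""
        return len(self.pending)

    def blocks_in_use(self) -> int:
        """One reassembly block per fragment held."""
        return sum(len(f) for f in self.pending.values())

    def expire(self, now: float) -> int:
        """Drop packets whose first fragment is older than the timeout."""
        stale = [k for k, fr in self.pending.items()
                 if now - min(f.arrival for f in fr) > self.timeout]
        for k in stale:
            del self.pending[k]
        self.fail += len(stale)
        return len(stale)

    def add(self, frag: Fragment) -> str:
        """Offer one fragment; returns queued, assembled, overflow, chain-exceeded or overlap."""
        self.expire(frag.arrival)
        if self.blocks_in_use() >= self.size:      # database full: fragment dropped
            self.overflow += 1
            return "overflow"
        frags = self.pending.setdefault(frag.key, [])
        frags.append(frag)
        if len(frags) > self.chain:                # too many pieces for one packet
            del self.pending[frag.key]
            self.fail += 1
            return "chain-exceeded"
        status = self._status(frags)
        if status == "assembled":
            del self.pending[frag.key]
            self.assemble += 1
        elif status == "overlap":                  # example policy: discard the packet
            del self.pending[frag.key]
            self.fail += 1
        return status

    @staticmethod
    def _status(frags: List[Fragment]) -> str:
        """Contiguous from offset 0 and ending with MF clear means complete."""
        end, last = 0, None
        for f in sorted(frags, key=lambda x: x.offset):
            start = f.offset * 8
            if start < end:
                return "overlap"
            if start > end:
                return "queued"            # a hole still has to be filled
            end, last = start + f.length, f
        return "queued" if last.more else "assembled"

    def show(self, iface: str = "outside") -> str:
        """Counters in the layout of 'show fragment'."""
        return (f"Interface:{iface}\n"
                f"  Size:{self.size}, Chain:{self.chain}, Timeout:{self.timeout}\n"
                f"  Queue:{self.queue}, Assemble:{self.assemble}, "
                f"Fail:{self.fail}, Overflow:{self.overflow}")


if __name__ == "__main__":
    db = FragmentDB()
    k = ("198.51.100.5", "10.0.0.9", 1)           # constructed packet identity
    for off, length, more in ((0, 16, True), (2, 16, True), (4, 8, False)):
        print(db.add(Fragment(k, off, length, more, 0.0)))
    print(db.show())
```

The size limit is what turns a fragment flood into memory exhaustion, which is why the text warns against raising it; the chain limit is what a fragment chain 1 setting reduces to "no fragments at all".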
SYN FloodGuard
Another well-known DoS attack is SYN flooding, a TCP attack in which an attacker sends large numbers of initial SYN packets to the host and neither closes nor confirms these half-open connections. This causes some TCP/IP implementations to consume a great deal of resources while waiting for connection confirmation, preventing them from accepting any new connections until the backlog of half-open connections is cleared. To curtail this attack, control the rate at which new connections are opened or the number of connections that are half-open (other names for this state are SYN Received or embryonic) at any given time. This can be done by specifying a limit on the number of embryonic connections in the static and nat configuration commands. The PIX uses the embryonic limit to trigger TCP Intercept, which protects inside systems from a DoS attack perpetrated by flooding an interface with TCP SYN packets. For example:
PIX1(config)# static (dmz, outside) 123.4.5.6 10.1.1.0 netmask 255.255.255.255 100 50
This creates a static NAT entry for the DMZ server 10.1.1.0 with an external IP address of 123.4.5.6. The number 100 means that only 100 connections to this server from the outside can be in an open state at any given time, and the number 50 is the number of half-open or embryonic connections to this server that can exist at any given time. The nat command is similar: the two numbers at the end specify the number of open and embryonic connections that can exist at any given time to each translated host:
nat (inside) 1 10.0.0.0 255.0.0.0 100 50
When either of these numbers is zero, that kind of connection is not limited. Embryonic connections per host should be set to a small value for slow systems, and a bigger value for faster systems.
NOTE This configuration applies only to hosts or servers that are not on the outside interface. If you set an embryonic limit for a server on the outside, it will be ignored.
The TCP Intercept Feature
Since version 5.3, the PIX has used a feature called TCP Intercept to contain SYN flood attacks. If the embryonic connection limit for a host is reached, each new SYN packet to the affected host is intercepted until the number of embryonic connections falls below the threshold. The PIX itself then replies to the sender with a SYN/ACK instead of the destination server. If the client finally replies with a legitimate ACK, the PIX firewall sends the original SYN to its destination (the server), performs a correct three-way handshake between the PIX and the server, and the connection proceeds between the client and the server.
Preventing IP Spoofing
To prevent IP spoofing, we will enable Unicast Reverse Path Forwarding (RPF) on an interface. Unicast RPF guards against IP spoofing (a packet uses an incorrect source IP address to obscure its true source) by ensuring that all packets have a source IP address that matches the correct source interface according to the routing table. Normally, the PIX only looks at the destination address when determining where to forward the packet. Unicast RPF instructs the PIX to also look at the source address. For any traffic that we want to allow through the PIX, the PIX routing table must include a route back to the source address, which will be the case for all legitimate traffic. See RFC 2267 for more information. For outside traffic, for example, the PIX can use the default route to satisfy the Unicast RPF protection. If traffic enters from an outside interface, and the source address is not known to the routing table, the PIX uses the default route to correctly identify the outside interface as the source interface. If traffic enters the outside interface from an address that is known to the routing table, but is associated with the inside interface, the PIX drops the packet. Similarly, if traffic enters the inside interface from an unknown source address, the PIX drops the packet because the matching route (the default route) indicates the outside interface. Unicast RPF is implemented as follows:
■ ICMP packets have no session, so each packet is checked.
■ UDP and TCP have sessions, although they are “virtual sessions” in the case of UDP, so the initial packet requires a reverse route lookup. Subsequent packets arriving during the session are checked using an existing state maintained as part of the session. Noninitial packets are checked to ensure they arrived on the same interface used by the initial packet.
To enable Unicast RPF, the following command is used:
PIX1(config)# ip verify reverse-path interface interface_name
Typically, we would want to enable Unicast RPF on all interfaces of the PIX. To see statistics on anti-spoofing, this command can be used:
PIX1# show ip verify statistics
interface outside: 0 unicast rpf drops
interface inside: 0 unicast rpf drops
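The reverse-path lookup described above as an added model, not code from the book or from the PIX: a constructed routing table with a default route pointing at outside, a longest-prefix lookup, the RPF verdict, and per-interface drop counts of the kind show ip verify statistics reports. The prefixes, interface names and sample addresses are all constructed for the example.

```python
import ipaddress
from collections import Counter

# Constructed routing table for this model: (prefix, egress interface).
# The 0.0.0.0/0 default route points at "outside", as in the text's example.
ROUTES = [
    ("10.1.0.0/16", "inside"),
    ("192.168.1.0/24", "dmz"),
    ("0.0.0.0/0", "outside"),
]

def route_interface(routes, ip):
    """Longest-prefix match: the interface the PIX would use to reach ip."""
    addr = ipaddress.ip_address(ip)
    best_net, best_iface = None, None
    for prefix, iface in routes:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best_net is None or net.prefixlen > best_net.prefixlen):
            best_net, best_iface = net, iface
    return best_iface

def rpf_allows(routes, src_ip, ingress):
    """Unicast RPF verdict: the route back to the packet's source must leave via
    the interface the packet arrived on. A source with no specific route falls
    to the default route, which only satisfies packets arriving on outside."""
    return route_interface(routes, src_ip) == ingress

def rpf_statistics(routes, packets):
    """Run the check over (src_ip, ingress) pairs and count drops per interface,
    the figures that 'show ip verify statistics' reports."""
    drops = Counter({iface: 0 for _, iface in routes})
    for src_ip, ingress in packets:
        if not rpf_allows(routes, src_ip, ingress):
            drops[ingress] += 1
    return dict(drops)

if __name__ == "__main__":
    # Constructed sample packets covering the cases the text walks through.
    sample = [
        ("203.0.113.7", "outside"),  # unknown source on outside: default route, passes
        ("10.1.2.3", "outside"),     # inside address arriving on outside: dropped
        ("203.0.113.9", "inside"),   # unknown source on inside: route says outside, dropped
        ("10.1.2.3", "inside"),      # legitimate inside host: passes
    ]
    for iface, count in rpf_statistics(ROUTES, sample).items():
        print(f"interface {iface}: {count} unicast rpf drops")
```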
Other Ways the PIX Can Prevent, Contain, or Manage Attacks
In PIX v7, new options have been added to protect inside hosts from attack. Most notable here is the class map feature, which allows you to specify “classes” of traffic and apply restrictions to that traffic. Some of these features overlap with features previously available, such as the SYN FloodGuard feature just discussed.
Configuring Connection Limits and Timeouts
Next, we look at how to set maximum TCP and UDP connections, maximum embryonic connections, connection timeouts, and how to disable TCP sequence randomization. TCP sequence randomization should only be disabled if another in-line firewall is also randomizing sequence numbers and the result is scrambling the data. Each TCP connection has two Initial Sequence Numbers (ISNs): one generated by the client and one generated by the server. The PIX randomizes the ISN that is generated by the host/server. At least one of the ISNs must be randomly generated so attackers cannot predict the next ISN and potentially hijack the session.
NOTE Maximum connections, maximum embryonic connections, and TCP sequence randomization can also be set in the NAT configuration. If these settings are configured for the same traffic using both methods, the security appliance uses the lower limit. For TCP sequence randomization, if it is disabled using either method, the security appliance disables TCP sequence randomization.
To set connection limits:
1. Identify the traffic, and add a class map using the class-map command. We’ll assume the matching criteria for the map is an access list:
PIX1(config)# class-map name
PIX1(config-cmap)# match access-list access_list_name
2. Add or edit a policy map that sets the actions to take with the class map traffic.
PIX1(config)# policy-map name
3. Identify the class map from step 1 to which you want to assign an action.
PIX1(config-pmap)# class class_map_name
4. Set the maximum connections (both TCP and UDP), maximum embryonic connections, or whether to disable TCP sequence randomization.
hostname(config-pmap-c)# set connection {[conn-max number] [embryonic-conn-max number] [random-sequence-number {enable | disable}]}
where number is an integer between 0 and 65535. The default is 0, which means no limit on connections. You can enter this command all on one line (in any order), or you can enter each attribute as a separate command. The command is combined onto one line in the running configuration.
5. Set the timeout for connections, embryonic connections (half-opened), and half-closed connections.
PIX1(config-pmap-c)# set connection timeout {[embryonic hh[:mm[:ss]]] [half-closed hh[:mm[:ss]]] [tcp hh[:mm[:ss]]]}
■ Where embryonic hh[:mm[:ss]] is a time between 0:0:5 and 1192:59:59. The default is 0:0:30. You can also set this value to 0, which means the connection never times out.
■ The half-closed hh[:mm[:ss]] and tcp hh[:mm[:ss]] values are a time between 0:5:0 and 1192:59:59. The default for half-closed is 0:10:0 and the default for tcp is 1:0:0. You can also set these values to 0, which means the connection never times out.
You can enter this command all on one line (in any order), or you can enter each attribute as a separate command. The command is combined onto one line in the running configuration.
6. Activate the policy map on one or more interfaces.
hostname(config)# service-policy policymap_name {global | interface interface_name}
Where global applies the policy map to all interfaces, and interface applies the policy to one interface. Only one global policy is allowed. You can override the global policy on an interface by applying a service policy to that interface. You can only apply one policy map to each interface.
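The value ranges from steps 4 and 5 and the precedence rule from the NOTE above, as an added example that is not the book's or Cisco's code: a parser for the hh[:mm[:ss]] timeout format, range checks for each attribute, and the lower-limit-wins merge between policy-map and NAT settings. Treating 0 (no limit) as not a limit during the merge is this model's assumption, not something the text states.

```python
# Limit and timeout ranges as the text gives them; times are in seconds.
MAX_TIMEOUT = 1192 * 3600 + 59 * 60 + 59            # 1192:59:59
TIMEOUT_RULES = {                                    # attribute: (minimum, default)
    "embryonic": (5, 30),                            # 0:0:5 .. max, default 0:0:30
    "half-closed": (5 * 60, 10 * 60),                # 0:5:0 .. max, default 0:10:0
    "tcp": (5 * 60, 3600),                           # 0:5:0 .. max, default 1:0:0
}

def parse_hms(text):
    """Parse hh[:mm[:ss]] into seconds; a bare '0' means never time out."""
    parts = text.split(":")
    if not 1 <= len(parts) <= 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"malformed time {text!r}")
    h, m, s = (int(p) for p in (parts + ["0", "0"])[:3])
    if m > 59 or s > 59:
        raise ValueError(f"minutes or seconds out of range in {text!r}")
    return h * 3600 + m * 60 + s

def validate_timeout(attr, text=None):
    """Seconds for a 'set connection timeout' attribute; None selects the default."""
    low, default = TIMEOUT_RULES[attr]
    if text is None:
        return default
    secs = parse_hms(text)
    if secs != 0 and not low <= secs <= MAX_TIMEOUT:
        raise ValueError(f"{attr} timeout {text} is outside the allowed range")
    return secs

def validate_conn_limit(number):
    """conn-max / embryonic-conn-max must be 0..65535, 0 meaning no limit."""
    if not 0 <= number <= 65535:
        raise ValueError(f"connection limit {number} is outside 0..65535")
    return number

def effective_limit(policy_limit, nat_limit):
    """When the same limit is set both in a policy map and in the NAT
    configuration, the lower limit wins. Treating 0 (no limit) as not a
    limit here is an assumption of this model, not something the text states."""
    set_values = [x for x in (policy_limit, nat_limit) if x != 0]
    return min(set_values) if set_values else 0

def effective_randomization(policy_enabled, nat_enabled):
    """TCP sequence randomization is disabled if either method disables it."""
    return policy_enabled and nat_enabled
```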
Preventing MAC Address Spoofing
MAC address spoofing, also known as ARP spoofing, is an attack on the Layer-2 Ethernet addressing on the local segment. An attacker could spoof his MAC address and thus facilitate a man-in-the-middle attack, or fool a switch into sending packets to the attacker. For example, a host sends an ARP request to the gateway router; the gateway router responds with the gateway router MAC address. The attacker, however, sends another ARP response to the host with the attacker MAC address instead of the router MAC address. The attacker can now intercept all the host traffic before forwarding it on to the router. ARP inspection prevents malicious users from impersonating other hosts or routers. ARP inspection ensures that an attacker cannot send an ARP response with the attacker MAC address, as long as the correct MAC address and the associated IP address are in the static ARP table.
ARP inspection relies on a static one-to-one relationship between IP address and MAC address. It is most applicable on security-critical and static network segments. A typical LAN interface containing PCs assigned IP addresses from a DHCP server would not be suitable for this configuration. A good match for ARP inspection is a mission-critical DMZ interface with a defined number of servers on static IPs. To enable ARP inspection for transparent firewall mode, use the arp-inspection command in global configuration mode. To disable ARP inspection, use the no form of this command. ARP inspection checks all ARP packets against static ARP entries (see the arp command) and blocks mismatched packets. This feature prevents ARP spoofing.
arp-inspection interface_name enable [flood | no-flood]
no arp-inspection interface_name enable
■ enable Enables ARP inspection.
■ flood (default) Specifies that packets that do not match any element of a static ARP entry are flooded out all interfaces except the originating interface. If there is a mismatch between the MAC address, the IP address, or the interface, the PIX drops the packet.
NOTE The management-specific interface, if present, never floods packets even if this parameter is set to flood.
■ interface_name The interface on which we want to enable ARP inspection.
■ no-flood (optional) Specifies that packets that do not exactly match a static ARP entry are dropped.
By default, ARP inspection is disabled on all interfaces; all ARP packets are allowed through the PIX. When you enable ARP inspection, the default is to flood nonmatching ARP packets. Before enabling ARP inspection, we need to configure static ARP entries using the arp command. When we enable ARP inspection, the security appliance compares the MAC address, IP address, and source interface in all ARP packets to static entries in the ARP table, and takes the following actions:
■ If the IP address, MAC address, and source interface match an ARP entry, the packet is passed through.
■ If there is a mismatch between the MAC address, the IP address, or the interface, the PIX drops the packet.
■ If the ARP packet does not match any entries in the static ARP table, we can set the PIX to either forward the packet out all interfaces (flood) or drop the packet.
The following example enables ARP inspection on the DMZ interface and sets the PIX to drop any ARP packets that do not match the static ARP entry:
PIX1(config)# arp dmz 192.168.1.10 000a.8cdf.3215
PIX1(config)# arp-inspection dmz enable no-flood
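The three inspection outcomes listed above (pass, drop on mismatch, flood or drop on no match) as an added model that is not the book's or Cisco's code, seeded with the static entry from the example. The interface list, the management interface name, the sample packets, and the reading that "matches any element" means the packet's IP or MAC appears in some static entry are assumptions of this model.

```python
# Static ARP table as configured with the 'arp' command: (interface, ip, mac).
# The single entry is the one from the text's example; the interface list and
# the management interface name are constructed for this model.
STATIC_ARP = {("dmz", "192.168.1.10", "000a.8cdf.3215")}
INTERFACES = ["outside", "inside", "dmz", "management"]

def arp_inspect(table, packet, mode="flood", interfaces=INTERFACES, mgmt="management"):
    """Inspect one ARP packet (ingress interface, sender IP, sender MAC).

    Returns ("pass", None), ("drop", None) or ("flood", [egress interfaces]).
    """
    if mode not in ("flood", "no-flood"):
        raise ValueError(f"unknown mode {mode!r}")
    iface, ip, mac = packet
    if packet in table:
        return ("pass", None)              # IP, MAC and interface all match
    if any(ip == e_ip or mac == e_mac for _, e_ip, e_mac in table):
        return ("drop", None)              # known IP or MAC with the wrong pairing or interface
    if mode == "no-flood":
        return ("drop", None)              # unknown to the table and no-flood configured
    # Flood out every interface except the one it arrived on; the management
    # interface never floods (modelled here as never being an egress).
    return ("flood", [i for i in interfaces if i not in (iface, mgmt)])

def inspect_many(table, packets, mode="flood"):
    """Verdicts for a batch of packets, handy for checking a planned table."""
    return [arp_inspect(table, p, mode)[0] for p in packets]

if __name__ == "__main__":
    # Constructed packets: the legitimate server, a host claiming the server's IP
    # with a different MAC, and a host the static table does not know at all.
    samples = [
        ("dmz", "192.168.1.10", "000a.8cdf.3215"),
        ("dmz", "192.168.1.10", "0000.0c12.3456"),
        ("dmz", "192.168.1.50", "0000.0c65.4321"),
    ]
    for pkt, verdict in zip(samples, inspect_many(STATIC_ARP, samples, "no-flood")):
        print(pkt, "->", verdict)
```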
Summary
The Cisco PIX firewall is an advanced product and has many different options for protecting against network layer attacks. It also supports content filtering for outbound Web and FTP access and a limited form of intrusion detection. Content filtering features on the PIX can be used to enforce a company’s acceptable use policy. The PIX can interface with Websense (www.websense.com) or Sentian by N2H2 (www.n2h2.com) servers and deny or allow internal clients to access specific Web sites. The PIX is also able to filter out Java applets and ActiveX code from incoming Web pages to protect clients against malicious code. Finally, the PIX has embedded protection against various DoS attacks, such as SYN floods, excessive fragmentation, and excessive connection establishment. IP address antispoofing is supported by the reverse-path forwarding feature.
Solutions Fast Track
New Features in PIX 7.0
■ TCP attack detection and response through the use of TCP maps is new in PIX v7.0.
■ The performance of the integration of PIX with a Websense filtering server has been improved in PIX v7.0.
■ PIX v7.0 supports HTTPS and FTP filtering in conjunction with a Websense filtering server.
Filtering Web and FTP Traffic
■ Filtering Web and FTP traffic can be useful in two main cases. The first is if you want to use your firewall to enforce security policies such as an acceptable use policy, which may specify that internal users cannot use the company’s Internet connection to browse certain categories of Web or FTP sites. The second is to protect internal users from malicious Web or FTP servers that embed these executable applets in their Web pages, because such executable content can contain viruses or Trojan horses.
■ The PIX supports two types of content filtering servers: Websense and Sentian by N2H2. The main commands for configuring this feature are filter url, filter https, filter ftp, and url-server. The PIX also provides many commands for monitoring and tuning the filtering process. Active code filtering is limited to stripping