PIX in a Day

Objective
This is a two-part course designed for people with a good knowledge of IP and some knowledge. It is presented in two parts. The first part, this course, shows how to configure a PIX V6 firewall in a number of scenarios. The second covers troubleshooting.
This is not a security course: base principles are not covered, and a good knowledge of networks is assumed. It will not teach anyone to design a firewall (leave that to experts like me), only how to implement one.
PIX Features according to Cisco
• Embedded system (Cisco PIX Firewall OS) is real-time and secure; not subject to operating system vulnerabilities
• Adaptive Security Algorithm (ASA) provides stateful connection control. Packet information is placed in a table; information from the returning packet must match the information in the table
• Cut-through proxy: user-based authentication of inbound and outbound connections. Improved performance over proxy filters; low overhead processing = better performance
• Stateful failover/hot standby: a fully redundant topology (failover) can be configured
PIX Firewall ASA
Adaptive Security Algorithm is Cisco's name for the subroutines that perform stateful packet filtering. A data packet is analysed and its information is placed in a table (the state table or xlate table). On receipt of return traffic, the incoming packet is checked against the table. For the connection to be established there must be a match between the two. ASA is part of the PIX operating system.
PIX Firewall Cut-Through Proxy
The cut-through proxy provides a method for user-based authentication. Inbound and outbound connections can be authenticated. It performs better than a proxy filter because the processing overhead on the PIX is reduced: sockets are not terminated and re-opened, so the device never becomes an end point. After authentication by a TACACS+ or RADIUS server, per-user connection state information is maintained by the firewall. For protocols that don't support authentication, a virtual telnet server exists.
PIX: Stateful Filtering
PIX obtains the IP address and port from each layer 4 protocol. PIX logs the connection data in the stateful connection table; a session object is created at this stage of the process. Inbound and outbound packets are compared to the table. If a connection entry exists, the packets are allowed to pass. Once the connection is terminated, the connection information, including the session object, is eventually deleted. For protocols where no state exists, timers are used to "tear down" the connection object.
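The slide describes the behaviour in words; the toy below is an added illustration (not PIX code, and not from the course) of the same connection-table logic: a session object is created by outbound traffic, return traffic passes only if it matches an entry in reverse, a TCP close removes the entry, and an idle timer tears down UDP entries that have no close to observe. The class names, the timer values and the sample packets are all assumptions.

```python
"""Toy model of the PIX stateful connection table described on the
"Stateful Filtering" slide.  Added illustration, not PIX code: the class
names, the fixed idle timers and the sample packets are all assumptions."""
from dataclasses import dataclass

TCP_IDLE_TIMEOUT = 3600   # assumed idle timer (seconds) for TCP session objects
UDP_IDLE_TIMEOUT = 120    # assumed idle timer for protocols with no connection state


@dataclass(frozen=True)
class Packet:
    proto: str             # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int
    flags: str = ""        # TCP flags, e.g. "S", "SA", "FA", "R"
    iface: str = "inside"  # interface the packet arrived on


class ConnTable:
    """Session objects keyed by the 5-tuple of the packet that opened them."""

    def __init__(self):
        self.conns = {}   # (proto, src, sport, dst, dport) -> last-seen time

    @staticmethod
    def _key(pkt):
        return (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)

    @staticmethod
    def _reverse_key(pkt):
        return (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)

    def expire(self, now):
        """Tear down idle session objects: the only way UDP entries ever go."""
        for key, last_seen in list(self.conns.items()):
            limit = TCP_IDLE_TIMEOUT if key[0] == "tcp" else UDP_IDLE_TIMEOUT
            if now - last_seen > limit:
                del self.conns[key]

    def process(self, pkt, now):
        """Return True if the packet may pass.  Packets from the inside open or
        refresh a session object; packets from the outside pass only if they are
        the return half of an existing session."""
        self.expire(now)
        key, rkey = self._key(pkt), self._reverse_key(pkt)
        if pkt.iface == "inside":
            self.conns[key] = now
            allowed = True
        elif rkey in self.conns:
            self.conns[rkey] = now
            allowed = True
        else:
            allowed = False
        # Simplification: a FIN or RST deletes the TCP session object at once
        # (the real PIX waits for the close to complete before freeing it).
        if allowed and pkt.proto == "tcp" and ("F" in pkt.flags or "R" in pkt.flags):
            self.conns.pop(key, None)
            self.conns.pop(rkey, None)
        return allowed


def demo():
    """Constructed traffic run through the table; returns the allow/deny verdicts."""
    table = ConnTable()
    syn = Packet("tcp", "10.0.0.1", 1500, "196.1.1.1", 80, "S")
    syn_ack = Packet("tcp", "196.1.1.1", 80, "10.0.0.1", 1500, "SA", iface="outside")
    stray = Packet("tcp", "196.1.1.1", 80, "10.0.0.1", 1501, "SA", iface="outside")
    fin = Packet("tcp", "10.0.0.1", 1500, "196.1.1.1", 80, "FA")
    dns_q = Packet("udp", "10.0.0.1", 5000, "196.1.1.1", 53)
    dns_r = Packet("udp", "196.1.1.1", 53, "10.0.0.1", 5000, iface="outside")
    verdicts = [
        table.process(syn, 0),        # True: outbound SYN creates the session object
        table.process(syn_ack, 1),    # True: matches the entry in reverse
        table.process(stray, 1),      # False: no session for port 1501
    ]
    table.process(dns_q, 10)          # UDP query creates a timer-based entry
    verdicts.append(table.process(dns_r, 20))    # True: reply within the UDP timer
    table.process(fin, 30)            # FIN tears the TCP session object down
    verdicts.append(table.process(syn_ack, 31))  # False: session gone after teardown
    verdicts.append(table.process(dns_r, 200))   # False: UDP entry expired by timer
    return verdicts
```

The interesting cases are the last three verdicts: an unsolicited packet from the outside is dropped even though the same server has an open session on another port, a closed TCP session no longer admits its reverse traffic, and a UDP "connection" lives only as long as its timer.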
PIX Firewall features: Failover
PIX supports active-passive failover in a stateful and a non-stateful mode. The two PIX Firewalls must be identical models which are identically configured. In stateful failover, connections do not have to be restarted.
PIX Firewall commands
These are basically the Version 10 IOS commands.
• enable – as IOS
• configure terminal – changes the PIX configuration; changes are merged with the running config in RAM and take effect at once
• passwd – sets the password for Telnet access; the encrypted option sets an encrypted password
• show config – displays the startup configuration
• write terminal / show run – shows the running config on the terminal
• write net – sends the config to a TFTP server
• write standby – writes the config to the standby PIX
• write erase – clears the Flash memory (startup) configuration
PIX Firewall commands
• show xlate – shows translation slots: IP addresses allocated for address translation
• configure net – merges the running configuration with a file of the same name stored on a TFTP server
• configure memory – merges the running configuration with the startup configuration in Flash
• show interface – shows many parameters of the named interface
• show history – shows recently entered commands
• show ip address – shows all IP addresses
PIX Firewall commands
• clear xlate – clears translation slots; disrupts service
• shun – temporarily blocks IPs
• reload – restarts
• kill – kills telnet/ssh sessions
First 4 config commands
pixfirewall(config)# interface ethernet0 auto
pixfirewall(config)# interface ethernet1 100full
pixfirewall(config)# nameif ethernet0 outside security0
pixfirewall(config)# nameif ethernet1 inside security100
pixfirewall(config)# ip address outside 61.2.93.93 255.255.255.240
pixfirewall(config)# ip address inside 10.0.0.2 255.255.255.0
pixfirewall(config)# route outside 0.0.0.0 0.0.0.0 61.2.93.81 1
IP address & Route
The ip address command adds an IP address to an interface:
pixfirewall(config)# ip address inside 10.0.0.2 255.255.255.0
Usage: [no] ip address <if_name> <ip_address> [<mask>]
       [no] ip address <if_name> dhcp [setroute] [retry <retry_cnt>]
And everyone recognises a static route:
Usage: route <if_name> <foreign_ip> <mask> <gateway> [<metric>]
pixfirewall(config)# route inside 0.0.0.0 0.0.0.0 61.2.93.81 1
In the above example, inside is the interface that the packet will leave from.
Interface command
pixfirewall(config)# interface ethernet1 100full
Usage: interface <hardware_id> [<hw_speed> [shutdown]]
The interface command enables properties of an interface. Options for <hw_speed> include: auto / 10baseT / 10full / 100baseTX / 100full / 1000auto / 1000full / 1000full nonegotiate
For dot1q virtual interfaces:
Usage: interface <hardware_id> <vlan_id> logical
pixfirewall(config)# interface ethernet1 vlan99 logical
PIX ASA Security Levels
• Of any two interfaces, one must be of a higher level. Packets can pass from lower to higher level interfaces but not from higher to lower level interfaces without an access list (except ICMP).
• Security levels range from 0 through 100.
• 100 is the most secure: the default for the inside interface; can't be changed.
• 0 is the least secure: the default for the outside interface; can't be changed.
• 1 through 99 can be assigned to other interfaces such as a DMZ.
PIX ASA Security Levels
Inside to outside: data travelling from a more secure to a less secure interface requires only an address translation (see the ICMP caveat).
Outside to inside: data travelling from a less secure to a more secure interface needs both of the following to pass through: a static translation AND an access list.
No traffic can pass between interfaces of identical security level. For example, if two DMZs both have a security level of 50, they can't talk to each other. Don't rely on this – it has changed between versions.
EXCEPT ICMP
Inside to outside: data travelling from more secure to less secure requires an address translation (only).
Security people DON'T LIKE ICMP, THEREFORE WE MAKE IT DIFFICULT TO USE: TO GET A RETURNED ECHO-REPLY YOU NEED AN ACCESS-LIST.
PIX ASA Security Levels
Inside   100
DMZ       50
Outside    0
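To make the three rules on the "Inside to outside / Outside to inside" slide concrete, here is an added worked example (not PIX code, and not from the course) that applies them to a flow: equal levels never pass, high-to-low needs only a translation, and low-to-high needs a static AND an access-list permit. The interface levels are the slide's; the toy nat, static and access-list tables, the second DMZ, and the decide() function are assumptions chosen to match the deck's later command examples.

```python
"""Added illustration (not PIX code) of the ASA security-level rules on the
slides above.  The levels are the slide's; the toy nat, static and access-list
tables are assumptions chosen to match the deck's later command examples."""
import ipaddress

# Interface security levels (slide); a second DMZ at 50 is assumed to show the equal-level case.
LEVELS = {"inside": 100, "dmz": 50, "dmz2": 50, "outside": 0}

# nat (inside) 1 10.0.0.0 255.255.255.0 : inside hosts allowed an outbound translation
NAT_RULES = [("inside", "10.0.0.0/24")]

# static (inside,outside) 61.2.93.82 10.0.0.2 : mapped outside address -> real inside address
STATICS = {("inside", "outside"): {"61.2.93.82": "10.0.0.2"}}

# access-list applied inbound on outside: permit tcp any host 61.2.93.82 eq https
ACLS = {"outside": [("tcp", "61.2.93.82", 443)]}


def decide(src_if, dst_if, src_ip, dst_ip, proto, dport):
    """Apply the ASA rules: equal levels never pass; high -> low needs only a
    translation; low -> high needs a static AND an access-list permit."""
    s_lvl, d_lvl = LEVELS[src_if], LEVELS[dst_if]
    if s_lvl == d_lvl:
        return "deny: identical security levels"
    if s_lvl > d_lvl:
        # more secure -> less secure: an address translation is all that is needed
        for if_name, net in NAT_RULES:
            if if_name == src_if and ipaddress.ip_address(src_ip) in ipaddress.ip_network(net):
                return "permit: outbound via nat/global"
        return "deny: no translation covers the source address"
    # less secure -> more secure: a static for the destination AND an access-list permit
    statics = STATICS.get((dst_if, src_if), {})
    real_ip = statics.get(dst_ip)
    if real_ip is None:
        return "deny: no static translation for the destination"
    for acl_proto, acl_host, acl_port in ACLS.get(src_if, []):
        if (acl_proto, acl_host, acl_port) == (proto, dst_ip, dport):
            return f"permit: static to {real_ip} plus access-list"
    return "deny: static exists but implied 'ip deny any any'"
```

The last branch is the one the "Static" slide warns about: a static on its own gives the host an external address, but without an access-list permit the implied deny still drops every inbound packet.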
nameif command
The nameif command assigns a logical name or label to an interface. It also assigns a security value from 0 to 100.
Usage: nameif <hardware_id> <label> <security_lvl>
       nameif <vlan_id> <label> <security_lvl>
hardware_id = the interface; label = a logical name
Security level: 0 is the dirtiest (traditionally outside); 100 is the cleanest (traditionally inside)
pixfirewall(config)# nameif ethernet1 inside security100
Global & NAT
• PIX relies on address translation to provide security. Under normal circumstances a connection will have its:
  • source address translated on outbound connections
  • destination address translated on inbound connections
• For the exam:
  • Global address is a valid outside address
  • Local is an internal address
  • Private is an RFC 1918 address
Global & NAT: Types of address translation
• Static NAT (network address translation) – one-to-one translation based on a STATIC table (explained later)
• Dynamic NAT – dynamically translate a source address to an address selected from a GLOBAL address pool
Dynamic NAT example (global pool 212.23.35.117-118), the same two flows seen on the inside and the outside of the ASA:
  inside: a,b 10.0.0.1 port 1500 to 196.1.1.1 port 80   ->  outside: a,b 212.23.35.117 port 1500 to 196.1.1.1 port 80
  inside: c,b 10.0.0.11 port 1800 to 196.1.1.1 port 80  ->  outside: c,b 212.23.35.118 port 1800 to 196.1.1.1 port 80
Global & NAT
Dynamic PAT – dynamically translate a source address to the address of the outbound interface and change the source port to a free ephemeral port:
  inside: a,b 10.0.0.1 port 1500 to 196.1.1.1 port 80   ->  outside: a,b 212.23.35.117 port 32,001 to 196.1.1.1 port 80
  inside: c,b 10.0.0.11 port 1800 to 196.1.1.1 port 80  ->  outside: c,b 212.23.35.117 port 32,002 to 196.1.1.1 port 80
Global & NAT
The global command defines a global pool of addresses to use for address translation.
Usage: global (if-label) pool-no ip_address[-ip_address] [netmask mask]
global (outside) 1 212.23.35.117-212.23.35.127
The nat command defines a range of source addresses that may use a particular global pool.
Usage: nat (if-label) pool-no ip_address subnet-mask
nat (inside) 1 10.0.0.0 255.255.0.0
Global & NAT example
global (outside) 1 212.23.35.117-212.23.35.118   : create a translation pool on the outside interface
nat (inside) 1 10.0.0.0 255.255.255.0            : allow any address 10.0.0.* arriving on inside to use it
Result: a,b 10.0.0.1 port 1500 becomes 212.23.35.117 port 1500, and c,b 10.0.0.11 port 1800 becomes 212.23.35.118 port 1800 (both to 196.1.1.1 port 80).
Global & NAT
Only define one address in global for PAT:
global (outside) 1 212.23.35.117
or
global (outside) 1 interface
To turn off NAT use nat 0:
nat (inside) 0 0 0
NAT
Or, to be a right smart arse, use an access-list:
nat (inside) 1 access-list natlist
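The dynamic NAT and PAT slides show the result of a translation but not the bookkeeping behind it. The following is an added example (not PIX code, and not from the course) of that bookkeeping: a pool of globals leased one per inside host for dynamic NAT, a single global with fresh source ports for PAT, and the failure mode when the pool runs out. The pool addresses and flows are the deck's; the Translator class and the first ephemeral port (32001, as on the PAT slide) are assumptions.

```python
"""Added illustration (not PIX code) of the dynamic NAT and PAT slides: a tiny
translator that either leases a whole global address per inside host from a pool
(dynamic NAT) or shares one global address by rewriting source ports (PAT).
Pool addresses and flows are the deck's; the class and the first ephemeral
port number are assumptions."""
import ipaddress


class Translator:
    def __init__(self, pool_start, pool_end=None, pat=False):
        first = int(ipaddress.ip_address(pool_start))
        last = int(ipaddress.ip_address(pool_end or pool_start))
        self.free = [str(ipaddress.ip_address(i)) for i in range(first, last + 1)]
        self.pat = pat
        self.next_port = 32001           # assumed first free ephemeral port
        self.host_xlate = {}             # dynamic NAT: local ip -> leased global ip
        self.xlate = {}                  # (local ip, local port) -> (global ip, global port)

    def translate(self, local_ip, local_port):
        """Return the (global ip, global port) the connection is seen with outside."""
        key = (local_ip, local_port)
        if key in self.xlate:            # existing xlate slot: reuse it
            return self.xlate[key]
        if self.pat:
            # PAT: single global address, fresh source port per connection
            entry = (self.free[0], self.next_port)
            self.next_port += 1
        else:
            # dynamic NAT: one pool address per inside host, source port unchanged
            if local_ip not in self.host_xlate:
                if not self.free:
                    # failure mode: pool exhausted, so a new inside host gets no
                    # translation and its connection is dropped
                    raise RuntimeError("global pool exhausted")
                self.host_xlate[local_ip] = self.free.pop(0)
            entry = (self.host_xlate[local_ip], local_port)
        self.xlate[key] = entry
        return entry


def demo_nat():
    """global (outside) 1 212.23.35.117-212.23.35.118 with two inside hosts."""
    nat = Translator("212.23.35.117", "212.23.35.118")
    return [nat.translate("10.0.0.1", 1500), nat.translate("10.0.0.11", 1800)]


def demo_pat():
    """global (outside) 1 212.23.35.117 (a single address, so PAT)."""
    pat = Translator("212.23.35.117", pat=True)
    return [pat.translate("10.0.0.1", 1500), pat.translate("10.0.0.11", 1800)]


def demo_exhausted():
    """A third inside host finds the two-address pool empty."""
    nat = Translator("212.23.35.117", "212.23.35.118")
    nat.translate("10.0.0.1", 1500)
    nat.translate("10.0.0.11", 1800)
    try:
        nat.translate("10.0.0.12", 2000)
    except RuntimeError:
        return True
    return False
```

demo_nat() reproduces the dynamic NAT slide (two hosts, two pool addresses, ports untouched) and demo_pat() the PAT slide (one address, ports 32001 and 32002). demo_exhausted() shows why a two-address pool is a capacity decision, not just a syntax one: the third host is refused.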
Basic configuration
pixfirewall(config)# interface ethernet0 auto
pixfirewall(config)# interface ethernet1 100full
pixfirewall(config)# nameif ethernet0 outside security0
pixfirewall(config)# nameif ethernet1 inside security100
pixfirewall(config)# ip address outside 61.2.93.93 255.255.255.240
pixfirewall(config)# ip address inside 10.0.0.2 255.255.255.0
pixfirewall(config)# route outside 0.0.0.0 0.0.0.0 61.2.93.81 1
pixfirewall(config)# global (outside) 1 interface
pixfirewall(config)# nat (inside) 1 0.0.0.0 0.0.0.0 0 0
But this configuration only allows information "out".
Lab
• Configure a PIX to have the addresses provided
• so that it can browse the WWW
• PATs all requests to the outside interface
• allows no traffic in
Time: 45 minutes
Static
The ASA will only allow traffic to travel from a "low" to a "high" interface if a static address translation is configured. This is done with the static command.
Usage: static (if-src, if-dest) ip-dest ip-src netmask netmask
static (inside,outside) 61.2.93.82 10.0.0.2 netmask 255.255.255.255 0 0
(in this example 61.2.93.82 is the address presented on the outside interface and 10.0.0.2 is the real inside address)
You now have an external address – but it has an implied access-list of ip deny any any.
access-list
• PIX access-lists are different from IOS access-lists. The key differences are:
• They are stateful, so they allow return traffic
• The mask is a genuine subnet mask (not an IOS wildcard mask)
• The identifier (i.e. name) is alphanumeric:
  IOS = access-list 101 permit
  PIX = access-list one0one
• Line numbers can be used to edit access-lists
access-list
Example access list:
access-list acl-outside permit tcp any host 217.64.230.186 eq https
access-list acl-outside permit tcp any 217.64.230.0 255.255.255.0 eq https
access-list acl-outside deny ip any any
Applying an access list to an interface:
access-group acl-outside in interface outside
Removing an access list from an interface:
no access-group acl-outside in interface outside
Object-group
• With version 5, PIX worked brilliantly in small organisations, but larger organisations always chose Checkpoint Firewall-1.
• One reason for that was complexity: when I converted one small bank from FW-1 to PIX, one screen of FW-1 access-lists turned into 7 pages of PIX access-list:
  • services could not be grouped
  • addresses could not be grouped
• which resulted in pages of repetition.
Object-group
Imagine:
access-list oldlist permit tcp host 10.0.0.1 any eq www
access-list oldlist permit tcp host 10.0.0.1 any eq https
access-list oldlist permit tcp host 10.0.0.2 any eq www
access-list oldlist permit tcp host 10.0.0.2 any eq https
access-list oldlist permit tcp host 10.0.0.3 any eq www
access-list oldlist permit tcp host 10.0.0.3 any eq https
access-list oldlist permit tcp host 10.0.0.9 any eq www
access-list oldlist permit tcp host 10.0.0.9 any eq https
access-list oldlist permit tcp host 10.0.0.22 any eq www
access-list oldlist permit tcp host 10.0.0.22 any eq https
Object-group
object-group network inside10
  description inside 10 class objects
  network-object host 10.0.0.1
  network-object host 10.0.0.2
  network-object host 10.0.0.3
  network-object host 10.0.0.9
  network-object host 10.0.0.22
Object-group access-list
pixfirewall(config)# show object
object-group network inside10
  description: inside 10 class objects
  network-object host 10.0.0.1
  network-object host 10.0.0.2
  network-object host 10.0.0.9
  network-object host 10.0.0.22
object-group service browsing tcp
  description: this is the web tcp ports
  port-object eq www
  port-object eq https
pixfirewall(config)# access-list obj-example permit tcp object-group inside10 any object-group browsing
pixfirewall(config)#
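The saving the object-group slides claim (ten "Imagine" lines collapsing into one) can be checked mechanically. Below is an added example (not PIX code, and not from the course) that parses a PIX access-list line of the shape shown above and expands any object-group references back into the flat per-host, per-port lines they replace. The group contents are the deck's (the five-host network group and the two-port service group); the expand() helper and its tokenising rules are assumptions covering only the address and service forms that appear on these slides.

```python
"""Added illustration (not PIX code): expand an access-list line that uses
object-groups into the flat lines it replaces.  Group contents are the deck's;
the parser handles only the address/service forms shown on the slides."""

NETWORK_GROUPS = {
    "inside10": ["host 10.0.0.1", "host 10.0.0.2", "host 10.0.0.3",
                 "host 10.0.0.9", "host 10.0.0.22"],
}
SERVICE_GROUPS = {
    "browsing": ["eq www", "eq https"],
}


def _addr(tokens, i):
    """Consume one address spec at tokens[i]; return (list of flat specs, next index)."""
    t = tokens[i]
    if t == "any":
        return ["any"], i + 1
    if t == "object-group":
        return list(NETWORK_GROUPS[tokens[i + 1]]), i + 2
    return [f"{t} {tokens[i + 1]}"], i + 2      # "host A.B.C.D" or "A.B.C.D MASK"


def _svc(tokens, i):
    """Consume an optional service spec ("eq port" or "object-group name")."""
    if i >= len(tokens):
        return [""], i
    if tokens[i] == "object-group":
        return list(SERVICE_GROUPS[tokens[i + 1]]), i + 2
    return [" ".join(tokens[i:i + 2])], i + 2    # "eq www"


def expand(line):
    """Return the flat access-list lines equivalent to one (possibly grouped) line."""
    tokens = line.split()
    if len(tokens) < 5 or tokens[0] != "access-list":
        raise ValueError(f"not an access-list line: {line!r}")
    name, action, proto = tokens[1], tokens[2], tokens[3]
    srcs, i = _addr(tokens, 4)
    dsts, i = _addr(tokens, i)
    svcs, i = _svc(tokens, i)
    return [
        " ".join(filter(None, ["access-list", name, action, proto, s, d, v]))
        for s in srcs
        for d in dsts
        for v in svcs
    ]


GROUPED = "access-list obj-example permit tcp object-group inside10 any object-group browsing"
```

expand(GROUPED) yields the ten lines of the "Imagine" slide (with oldlist renamed), and a line without groups, such as the acl-outside examples, expands to itself. The product of the three lists is also the reason a grouped line is worth auditing: a group of 50 hosts and 10 ports is 500 permits hidden behind one line.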
Conduit, outbound + apply
The access-list command was introduced at 5.4 to make PIX more like IOS. At 6.3 these legacy commands were deprecated, and they are not even present in v7.0.
Example "old style" access list (conduit):
conduit permit tcp host 212.23.35.119 eq https any
"Old style" access list for an outbound interface:
Usage: outbound ID permit | deny ip_address [netmask [port]] [proto]
pix# outbound 11 deny 161.73.0.0 255.255.0.0 412 tcp
Applying an outbound list to an interface:
Usage: apply [(if_name)] ID outgoing_src | outgoing_dest
pix# apply (inside) 11 outgoing_src
fixup
Protocols are not designed with security in mind; they often have features that are insecure or difficult to embody in an access-list. Firewalls use packet inspection and protocol analysis to overcome these difficulties. PIX enables the protocol feature and assigns the processing to a particular port with the fixup command.
fixup
fixup protocol ftp [strict] [port]
fixup protocol http [port[-port]]
fixup protocol h323 {h225 | ras} port [-port]
fixup protocol ils [port[-port]]
fixup protocol rsh [514]
fixup protocol rtsp [port]
fixup protocol sip [5060]
fixup protocol skinny [2000]
fixup protocol smtp [port[-port]]
fixup protocol sqlnet [port[-port]]
fixup protocol skinny port [-port]
Added at version 6.3:
fixup protocol icmp error    <- there's always one smart arse
fixup protocol ctiqbe 2748
[no] fixup protocol dns [maximum-length length]
fixup protocol esp-ike
fixup protocol snmp [161[-162]]
fixup protocol tftp [port[-port]]
Fixup disappears with version 7.
Other protection
MailGuard (enabled by fixup protocol smtp) only allows the SMTP commands mail to, rcpt from, data, end and quit.
DnsGuard (enabled by fixup protocol dns, or on by default pre-6.3) only accepts the first DNS datagram.
FloodGuard (floodguard enable) enables flood protection.
FragGuard (sysopt security fragguard, replaced by the fragment command).
IDS/IPS
Basic IDS/IPS functions are enabled by:
pixfirewall(config)# ip audit info action alarm
pixfirewall(config)# ip audit attack action alarm
ip audit attack action alarm drop
ip audit signature 2000 disable
ip audit signature 2001 disable
ip audit signature 2004 disable
ip audit signature 2005 disable
Syslog:
<162>May 29 2005 10:24:15 10.0.0.2 : %PIX-2-106017: Deny IP due to Land Attack from 61.2.93.93 to 61.2.93.93
<162>May 29 2005 10:24:15 10.0.0.2 : %PIX-2-106017: Deny IP due to Land Attack from 61.2.93.93 to 61.2.93.93
<162>May 29 2005 10:24:15 10.0.0.2 : %PIX-2-106017: Deny IP due to Land Attack from 61.2.93.93 to 61.2.93.93
Anti-spoofing & investigations
Anti-spoofing is enabled by:
pixfirewall(config)# ip verify reverse-path interface outside
Syslog:
<167>May 29 2005 10:21:21 10.0.0.2 : %PIX-7-710005: UDP request discarded from 61.2.93.87/137 to outside:61.2.93.95/netbios-ns
<161>May 29 2005 10:21:22 10.0.0.2 : %PIX-1-106021: Deny udp reverse path check from 10.0.0.55 to 61.2.93.93 on interface outside
<161>May 29 2005 10:21:22 10.0.0.2 : %PIX-1-106021: Deny udp reverse path check from 10.0.0.55 to 61.2.93.93 on interface outside
Getting a packet trace in pcap format:
pix# capture snifer access-list sniflist packet-length 74 interface inside
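The IDS and anti-spoofing slides end with raw syslog, which is where an investigation normally starts. As an added example (not PIX code, and not from the course), the parser below pulls the PRI, severity, message ID and endpoints out of lines in exactly the format shown above and summarises them, so the land-attack and reverse-path denies can be counted and triaged by severity. SAMPLE_LOG is constructed from the deck's own lines; the regular expressions and the summarise() helper are assumptions.

```python
"""Added illustration (not PIX code): parse the PIX syslog lines shown on the
IDS and anti-spoofing slides and summarise them per message ID and severity.
SAMPLE_LOG is constructed from the slides; the regexes are assumptions that
match only the line shape seen there."""
import re
from collections import Counter

SAMPLE_LOG = """\
<162>May 29 2005 10:24:15 10.0.0.2 : %PIX-2-106017: Deny IP due to Land Attack from 61.2.93.93 to 61.2.93.93
<162>May 29 2005 10:24:15 10.0.0.2 : %PIX-2-106017: Deny IP due to Land Attack from 61.2.93.93 to 61.2.93.93
<167>May 29 2005 10:21:21 10.0.0.2 : %PIX-7-710005: UDP request discarded from 61.2.93.87/137 to outside:61.2.93.95/netbios-ns
<161>May 29 2005 10:21:22 10.0.0.2 : %PIX-1-106021: Deny udp reverse path check from 10.0.0.55 to 61.2.93.93 on interface outside
"""

# <PRI>Mon DD YYYY HH:MM:SS host : %PIX-sev-msgid: text
LINE_RE = re.compile(
    r"^<(?P<pri>\d+)>(?P<ts>\w{3} \d\d \d{4} \d\d:\d\d:\d\d) (?P<host>\S+) : "
    r"%PIX-(?P<sev>\d)-(?P<msgid>\d{6}): (?P<text>.*)$"
)
# "from A.B.C.D[/port] to [ifname:]A.B.C.D[/port]" as it appears in the message text
ENDPOINTS_RE = re.compile(r"from (?P<src>[\d.]+)(?:/\S+)? to (?:\w+:)?(?P<dst>[\d.]+)")


def parse(line):
    """Return a dict of fields for one PIX syslog line, or None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["sev"] = int(rec["sev"])
    # syslog PRI = facility*8 + severity; check it agrees with the %PIX-sev field
    rec["pri_ok"] = int(rec["pri"]) % 8 == rec["sev"]
    e = ENDPOINTS_RE.search(rec["text"])
    rec["src"] = e.group("src") if e else None
    rec["dst"] = e.group("dst") if e else None
    return rec


def summarise(log, max_sev=2):
    """Count events per message ID and list (msgid, src, dst) for events at or
    above the given severity.  PIX severity 1 = alert ... 7 = debug, so a
    lower number is more urgent; the default keeps critical (2) and above."""
    counts = Counter()
    urgent = []
    for line in log.splitlines():
        rec = parse(line)
        if rec is None:
            continue
        counts[rec["msgid"]] += 1
        if rec["sev"] <= max_sev:
            urgent.append((rec["msgid"], rec["src"], rec["dst"]))
    return counts, urgent
```

On the sample, 106017 (land attack: source equals destination) appears twice at severity 2 and is listed as urgent, 106021 (reverse-path deny of an inside address arriving on outside) once at severity 1, and the severity 7 UDP discard is counted but not escalated. Raising max_sev to 1 drops the land-attack lines and keeps only the spoof deny.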