
PIX Firewall


Presentation Transcript


  1. PIX Firewall

  2. Features
     • Stateful Packet Filter
     • Runs on its own Operating System
     • Assigning varying security levels to interfaces (0 – 100)
     • Access Control Lists
     • Extensive Logging Capability
     • Network Address Translation
     • Stateful Failover Recovery
     • Advanced Filtering

  3. Adaptive Security Algorithm (ASA)
     • Foundation of the PIX firewall
     • Keeps track of connections formed from the private network to the public network
     • Allows traffic to go from private to public, and allows the return traffic of those connections from public to private
     • Does not allow the public network to initiate traffic to the private network, unless specified in an ACL
     • Uses the following information to keep track of sessions passing through the PIX:
       • IP packet source and destination
       • TCP sequence number and flags
       • UDP packet flow and timers
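The ASA rules on this slide, as an added example (not the presentation's own material and not PIX code): a toy stateful filter in Python that uses the lab's security levels (inside 100, outside 0) and addresses. The `Packet`, `StatefulPix`, `egress_interface` and `demo` names, the route table, the ACL entry permitting TCP port 80 to 10.0.0.2 and the port numbers are assumptions made for the example.

```python
import ipaddress
from collections import namedtuple
# Interface security levels as on the lab PIX: inside=100, outside=0.
SECURITY = {"inside": 100, "outside": 0}
# Constructed route table from the lab topology: 10.0.0.0/24 inside, 1.1.1.0/24 outside.
ROUTES = {ipaddress.ip_network("10.0.0.0/24"): "inside",
          ipaddress.ip_network("1.1.1.0/24"): "outside"}
# A packet as seen by the firewall; fin marks a TCP FIN used here to end a session.
Packet = namedtuple("Packet", "iface proto src sport dst dport fin", defaults=(False,))
def egress_interface(dst):
    """Pick the outgoing interface for dst from the constructed route table."""
    addr = ipaddress.ip_address(dst)
    return next((i for n, i in ROUTES.items() if addr in n), "outside")

class StatefulPix:
    """Toy model of the ASA rules on the slide (hypothetical, not PIX code)."""
    def __init__(self, acl=()):
        self.acl = set(acl)   # (in_iface, proto, dst, dport) explicitly permitted
        self.conns = set()    # 5-tuples of the sessions being tracked

    def filter(self, p):
        fwd = (p.proto, p.src, p.sport, p.dst, p.dport)
        rev = (p.proto, p.dst, p.dport, p.src, p.sport)
        if fwd in self.conns or rev in self.conns:  # packet of a known session
            if p.proto == "tcp" and p.fin:          # tear the session down on FIN
                self.conns -= {fwd, rev}
            return "permit"
        # New session: higher security level to lower is allowed by default.
        if SECURITY[p.iface] > SECURITY[egress_interface(p.dst)]:
            self.conns.add(fwd)
            return "permit"
        # Lower to higher is allowed only when an ACL entry names it.
        if (p.iface, p.proto, p.dst, p.dport) in self.acl:
            self.conns.add(fwd)
            return "permit"
        return "deny"

def demo():
    """Walk the lab topology: Router 2 (10.0.0.2) inside, Router 1 (1.1.1.2) outside."""
    pix = StatefulPix(acl=[("outside", "tcp", "10.0.0.2", 80)])
    outbound = Packet("inside", "tcp", "10.0.0.2", 40000, "1.1.1.2", 23)
    reply = Packet("outside", "tcp", "1.1.1.2", 23, "10.0.0.2", 40000)
    results = [pix.filter(outbound),  # inside -> outside: permit, session recorded
               pix.filter(reply),     # return traffic of that session: permit
               pix.filter(Packet("outside", "tcp", "1.1.1.2", 50000, "10.0.0.2", 23)),  # unsolicited: deny
               pix.filter(Packet("outside", "tcp", "1.1.1.2", 50001, "10.0.0.2", 80))]  # ACL hit: permit
    pix.filter(outbound._replace(fin=True))  # FIN removes the session state
    results.append(pix.filter(reply))         # same reply is now unsolicited: deny
    return results
```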

  4. TCP Initiation and Transmission

  5. TCP Termination

  6. UDP Transmission

  7. Lab Environment
     • Rented lab at www.gigavelocity.com
     • Lab consists of routers, switches, a PIX firewall, a control console, etc.

  8. Connecting to the Rack
     • Telnet to the main control console
     • From the console, initiate connections to the different devices

  9. Our test bed
     • The whole lab consists of many components
     • Needed to test the PIX firewall only
     • Used the PIX firewall with two routers
     • Set up router addresses
     • Set up PIX firewall interfaces
     • Set up PIX routing
     • Ping from the different components

  10. Showing Router 1's IP Address
     Rack1R1#show ip int brief
     Interface        IP-Address   OK? Method Status                Protocol
     FastEthernet0/0  1.1.1.2      YES manual up                    up
     Serial0/0        unassigned   YES NVRAM  administratively down down
     BRI0/0           unassigned   YES NVRAM  administratively down down
     BRI0/0:1         unassigned   YES unset  administratively down down
     BRI0/0:2         unassigned   YES unset  administratively down down
     FastEthernet0/1  unassigned   YES NVRAM  administratively down down
     Serial0/1        unassigned   YES NVRAM  administratively down down

  11. Showing Router 2's IP Address
     Rack1R2#show ip int brief
     Interface        IP-Address   OK? Method Status                Protocol
     FastEthernet0/0  10.0.0.2     YES manual up                    up
     Serial0/0        unassigned   YES NVRAM  administratively down down
     BRI0/0           unassigned   YES NVRAM  administratively down down
     BRI0/0:1         unassigned   YES unset  administratively down down
     BRI0/0:2         unassigned   YES unset  administratively down down
     FastEthernet0/1  unassigned   YES NVRAM  administratively down down
     Serial0/1        unassigned   YES NVRAM  administratively down down
     Virtual-Access1  unassigned   YES unset  up                    up

  12. Showing the PIX's IP Addresses
     pixfirewall# show config
     : Saved
     : Written by enable_15 at 21:02:07.582 UTC Sat Mar 5 2005
     PIX Version 6.3(3)
     interface ethernet0 auto
     interface ethernet1 auto
     interface ethernet2 auto shutdown
     interface ethernet3 auto shutdown
     ……
     ip address outside 1.1.1.1 255.255.255.0
     ip address inside 10.0.0.1 255.255.255.0

  13. Network Topology
     Router 1 (1.1.1.2) --- (outside 1.1.1.1) PIX (inside 10.0.0.1) --- (10.0.0.2) Router 2

  14. PIX Configuration
     • See the configuration file

  15. Results
     • Pinging from Router 2 to the PIX
     Rack1R2#ping 10.0.0.1
     Type escape sequence to abort.
     Sending 5, 100-byte ICMP Echos to 10.0.0.1, timeout is 2 seconds:
     !!!!!
     Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/4 ms

  16. Results
     • Pinging from the PIX to Router 2
     pixfirewall# ping 10.0.0.2
     10.0.0.2 response received -- 0ms
     10.0.0.2 response received -- 0ms
     10.0.0.2 response received -- 0ms

  17. Results
     • Pinging from Router 2 to Router 1
     Rack1R2#ping 1.1.1.2
     Type escape sequence to abort.
     Sending 5, 100-byte ICMP Echos to 1.1.1.2, timeout is 2 seconds:
     !!!!!
     Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/4 ms

  18. Results
     • Pinging from Router 1 to Router 2
     Rack1R1#ping 1.1.1.1
     Type escape sequence to abort.
     Sending 5, 100-byte ICMP Echos to 1.1.1.1, timeout is 2 seconds:
     !!!!!
     Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/4 ms

  19. Conclusion
     • The PIX firewall is a highly configurable device
     • We used a simplified network model
     • Configured the PIX and two routers
     • Able to pass traffic to, from, and through the PIX firewall
