Internetworking with PIX™

PIX IOS 5.0

mbehring_pix_rev5 © 1999, Cisco Systems, Inc.

Post on 14-Dec-2015

Agenda

• Overview of the PIX

• The “Inside” of the PIX

• Advanced Configurations

• PIX and IPSec

• PIX Management

• Last Words

Overview of the PIX

Hardware, Software and Capabilities

CCIE’99 Vienna © 1999, Cisco Systems, Inc.

The Box Itself

• 515-R (restricted)

Target: Branch office

• 515-UR (unrestricted)

Target: Main office

• 520

Target: Biiig main office

The Platform

• 515-R: Pentium 200 MHz, no PCI, 32 M RAM max

• 515-UR: Pentium 200 MHz, 2 PCI, 64 M RAM max

• 520: Pentium 350 MHz, 4 PCI, 128 M RAM max, 1 ISA

Interfaces

• 515-R: 2 FE, unchangeable

• 515-UR: Standard: 2 FE

Extensible to up to 6 FE

• 520: Standard: 2 FE plus 2 of:

4 FE card, Token Ring card, FDDI card

Private Link Cards

• PL1: ISA based (16 bit, discontinued)

• PL2: PCI based (32 bit)

• PL3: (planned) PCI

• Kodiak: (planned) PCI

• PIX 520 has 1 ISA slot + 4 PCI slots

PIX 515-UR has 2 PCI slots, no ISA

PIX Hardware Overview

                            515-R      515-UR     520
Max. simult. connections    50,000     100,000    250,000
Max. RAM                    32M        64M        128M
Max # i/f                   2          6          6
Flash                       8M         16M        16M
Failover                    no         yes        yes
I/f type                    FE         FE         FE, TR, FDDI
Max. throughput (Mbps)      170        170        170

The PIX Philosophy

[Figure: PIX Firewall with three interfaces: Private Network (inside, security 100), Public Network (outside, security 0) and DMZ (security 50)]

nameif ethernet0 outside security0

nameif ethernet1 inside security100

nameif ethernet2 DMZ security50

The PIX Philosophy

[Figure: Private Network (inside), Public Network (outside) and DMZ, with security levels 100, 0 and 50]

Default Actions:

• Higher to Lower: PERMIT

• Lower to Higher: DENY

• Between Same: DENY

Strength of the PIX

• No common OS

• Small code -> Fewer chances for bugs

• Appliance: No extra software

• Easy configuration

• Performance (170 Mbit/s !!)

PIX Certification

• NSA TTAP Certification

• ICSA Certification

• SRI International testing: “SRI International failed to uncover any security vulnerabilities in the Cisco PIX firewall”

• Turnkey appliance — no software installation risks

Licensing

• 520: Session based (128, 1024, )

(will be feature based in the future)

• 515: Feature based:

Basic license plus:

DES license (free),

3DES license (extra cost)

Around the PIX

WebSense: URL Filtering

Private I: Logging and Alarming

CiscoSecure: Cut-Through-Proxy, AAA

Cisco Security Manager: Management

Verisign, Entrust, …: Certification Authority

PIX Firewall Manager: Management

The “Inside” of the PIX

Configuration Details

NW’99 Vienna © 1999, Cisco Systems, Inc.

Only 4 Ways through the PIX

[Figure: Private Network (inside) and Public Network (outside), with the four paths through the PIX]

1: inside to outside (limit with “outbound” and “apply”)

2: user authentication (AAA)

3: conduit

4*: Access List

* since PIX IOS 5.0

Address Translation in the PIX: NAT / PAT

[Figure: Private Network (inside) and Public Network (outside)]

global (outside) 1 204.31.17.40-204.31.17.50        NAT: outside source address range to use (NAT-ID 1)
global (outside) 1 204.31.17.51                     PAT*: a single outside address (NAT-ID 1)
nat (inside) 1 0.0.0.0 0.0.0.0 0 0                  Translate all inside source addresses (NAT-ID 1)

* For PAT use only 1 outside Address
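The xlate behaviour behind these three lines, as an added example written for this page (it is not PIX code or a Cisco tool): a NAT pool is handed out one address per inside host, and once the pool is empty the single PAT address is shared with a distinct source port per connection. The `nat`/`global` lines are the slide's own; the first PAT port (1024) and the "no nat statement means untranslated" case are assumptions of this model, and the `clear xlate` method mirrors the later slide's advice to clear translations after changes.

```python
import ipaddress

# Constructed from the slide: a NAT pool (address range) and a single PAT address,
# both under NAT-ID 1, and one nat statement putting every inside source address
# into NAT-ID 1. The trailing "0 0" of the nat line (connection limits) is ignored here.
CONFIG = """
global (outside) 1 204.31.17.40-204.31.17.50
global (outside) 1 204.31.17.51
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
"""

PAT_FIRST_PORT = 1024   # assumption of this model, not a documented PIX value


class Translator:
    """Toy xlate table: one entry per inside host, NAT pool first, PAT when the pool is empty."""

    def __init__(self, config):
        self.pools = {}          # nat-id -> free pool addresses (from range globals)
        self.pat = {}            # nat-id -> the single PAT address
        self.nat_rules = []      # (inside interface, nat-id, local network)
        self.xlate = {}          # (interface, local ip) -> (nat-id, kind, global ip)
        self.next_pat_port = {}  # nat-id -> next unused PAT source port
        for line in config.strip().splitlines():
            t = line.split()
            if t[0] == "global":
                nat_id, spec = int(t[2]), t[3]
                if "-" in spec:   # an address range is a NAT pool
                    lo, hi = (int(ipaddress.ip_address(x)) for x in spec.split("-"))
                    self.pools.setdefault(nat_id, []).extend(
                        ipaddress.ip_address(n) for n in range(lo, hi + 1))
                else:             # a single address is used for PAT
                    self.pat[nat_id] = ipaddress.ip_address(spec)
            elif t[0] == "nat":
                net = ipaddress.ip_network(f"{t[3]}/{t[4]}", strict=False)
                self.nat_rules.append((t[1].strip("()"), int(t[2]), net))

    def translate(self, interface, local_ip, local_port):
        """Return (global ip, global port) for an outbound packet, creating an xlate if needed.
        Returns None when no nat statement covers the source (left untranslated in this model)."""
        local = ipaddress.ip_address(local_ip)
        nat_id = next((nid for ifc, nid, net in self.nat_rules
                       if ifc == interface and local in net), None)
        if nat_id is None:
            return None
        key = (interface, local)
        if key not in self.xlate:
            free = self.pools.get(nat_id, [])
            if free:
                self.xlate[key] = (nat_id, "nat", free.pop(0))
            elif nat_id in self.pat:
                self.xlate[key] = (nat_id, "pat", self.pat[nat_id])
            else:
                raise RuntimeError(f"nat-id {nat_id}: no global address left")
        _, kind, global_ip = self.xlate[key]
        if kind == "nat":            # NAT: one-to-one, port unchanged
            return str(global_ip), local_port
        port = self.next_pat_port.get(nat_id, PAT_FIRST_PORT)
        self.next_pat_port[nat_id] = port + 1   # PAT: many-to-one, unique port per connection
        return str(global_ip), port

    def clear_xlate(self):
        """'clear xlate': drop every translation, return pool addresses, report how many were dropped."""
        dropped = len(self.xlate)
        for nat_id, kind, global_ip in self.xlate.values():
            if kind == "nat":
                self.pools[nat_id].append(global_ip)
        self.xlate.clear()
        return dropped


def demo():
    """Thirteen inside hosts against an eleven-address pool: the last two fall back to PAT."""
    pix = Translator(CONFIG)
    return pix, [pix.translate("inside", f"10.0.0.{i}", 40000 + i) for i in range(1, 14)]


if __name__ == "__main__":
    pix, results = demo()
    for (key, entry), result in zip(pix.xlate.items(), results):
        print(f"Local {key[1]} -> Global {entry[2]} ({entry[1]})  first connection {result}")
```

Running the demo shows why the slide pairs a pool with a single PAT address: the pool alone would leave the twelfth host without a translation.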

Destination Address Translation: Alias

• NAT changes Source Address only

• Use alias to change Destination address

• DNS will be changed as well

• Applications: Dual NAT, Re-routing

How “alias” Works

[Figure: Inside User at the Company (whose network also uses 2.2.2.2) reaching www.x.com, whose Internet address is 2.2.2.2; alias: 3.3.3.3 = 2.2.2.2 (inside / outside)]

1. Access www.x.com

2. DNS query www.x.com

3. Reply: 2.2.2.2 (conflict with the inside address)

4. Reply: 3.3.3.3 (as rewritten by the PIX)

5. Destination NAT (3.3.3.3 -> 2.2.2.2)

Address Translation: Alias Configuration

alias (inside) 3.3.3.3 2.2.2.2 255.255.255.255
    Destination NAT: use this destination address on the inside ... for this destination address on the outside

static (inside,outside) 2.2.2.2 3.3.3.3 netmask 255.255.255.255
    Source NAT: map this source on outside ... to this one on inside
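Steps 4 and 5 of the alias walk-through in code, as an added example written for this page (not PIX code or a Cisco tool). It parses the slide's `alias` line, rewrites A records in a DNS reply travelling to the inside so that the conflicting real address becomes the alias address, and translates the destination of inside packets sent to the alias address back to the real one. The DNS message is constructed inline in wire format; the mask handling (host bits kept, network bits swapped) and the treatment of the `static` line as out of scope are assumptions of the model.

```python
import ipaddress
import struct
from collections import namedtuple

# Constructed from the slide: the alias line alone (the static line on the same slide is
# source NAT and is not modelled here).
CONFIG = "alias (inside) 3.3.3.3 2.2.2.2 255.255.255.255"

AliasEntry = namedtuple("AliasEntry", "interface dnat foreign mask")   # addresses as ints


class Alias:
    """Toy model of the two things 'alias' does: rewrite A records in DNS replies going to the
    inside, and translate the destination of inside packets sent to the alias address."""

    def __init__(self, config):
        self.entries = []
        for line in config.strip().splitlines():
            t = line.split()
            if t[0] == "alias":
                dnat, foreign, mask = (int(ipaddress.ip_address(x)) for x in t[2:5])
                self.entries.append(AliasEntry(t[1].strip("()"), dnat, foreign, mask))

    def _map(self, interface, ip, frm, to):
        """Map ip from one side of an alias to the other, keeping the host bits outside the mask."""
        for e in self.entries:
            if e.interface == interface and ip & e.mask == getattr(e, frm) & e.mask:
                return (getattr(e, to) & e.mask) | (ip & ~e.mask & 0xFFFFFFFF)
        return ip

    def dst_nat(self, interface, dst_ip):
        """Step 5: an inside packet to the alias (dnat) address goes to the real (foreign) address."""
        mapped = self._map(interface, int(ipaddress.ip_address(dst_ip)), "dnat", "foreign")
        return str(ipaddress.ip_address(mapped))

    def rewrite_dns(self, interface, reply):
        """Step 4: in a DNS reply heading to the inside, foreign A-record addresses become dnat ones."""
        out = bytearray(reply)
        qdcount, ancount = struct.unpack_from("!HH", out, 4)
        pos = 12
        for _ in range(qdcount):
            pos = skip_name(out, pos) + 4            # QTYPE + QCLASS
        for _ in range(ancount):
            pos = skip_name(out, pos)
            rtype, _rclass, _ttl, rdlen = struct.unpack_from("!HHIH", out, pos)
            pos += 10
            if rtype == 1 and rdlen == 4:            # A record
                ip = struct.unpack_from("!I", out, pos)[0]
                struct.pack_into("!I", out, pos, self._map(interface, ip, "foreign", "dnat"))
            pos += rdlen
        return bytes(out)


def skip_name(buf, pos):
    """Advance past a DNS name: either a 2-byte compression pointer or labels ending in 0."""
    while True:
        length = buf[pos]
        if length & 0xC0 == 0xC0:
            return pos + 2
        pos += 1
        if length == 0:
            return pos
        pos += length


def build_reply(name, ip, qid=0x1234):
    """Constructed DNS response with one question and one A answer (name as pointer to offset 12)."""
    header = struct.pack("!HHHHHH", qid, 0x8180, 1, 1, 0, 0)
    labels = b"".join(bytes([len(l)]) + l.encode() for l in name.split(".")) + b"\x00"
    question = labels + struct.pack("!HH", 1, 1)
    answer = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + ipaddress.ip_address(ip).packed
    return header + question + answer


def answer_ips(reply):
    """Read the A-record addresses back out of a reply (used to check the rewrite)."""
    qdcount, ancount = struct.unpack_from("!HH", reply, 4)
    pos, ips = 12, []
    for _ in range(qdcount):
        pos = skip_name(reply, pos) + 4
    for _ in range(ancount):
        pos = skip_name(reply, pos)
        rtype, _rclass, _ttl, rdlen = struct.unpack_from("!HHIH", reply, pos)
        pos += 10
        if rtype == 1 and rdlen == 4:
            ips.append(str(ipaddress.ip_address(reply[pos:pos + 4])))
        pos += rdlen
    return ips
```

The rewrite only touches A records whose address falls under the alias mask, so replies for unrelated names pass through untouched, and the message length never changes, which is what lets the PIX do this in place.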

Address Translation: Static

[Figure: Private Network (inside) and Public Network (outside)]

static (inside,outside) 208.133.247.111 172.19.10.130 netmask 255.255.255.255 0 0
                        (outside address) (inside address)

For Web or other Servers

Conduits

• To permit traffic from outside

conduit permit tcp host 192.150.50.1 eq ftp any
    to this internal host* ... with FTP ... from any external

conduit permit tcp any eq ftp host 192.150.50.42
    to any internal host ... with FTP ... from this external*

* use global addresses

Outbound Access Lists

• Deny Inside -> Outside connections with Outbound Access Lists

outbound 10 deny 0 0 www tcp                              Deny all outbound www traffic (list# 10)
outbound 10 permit 192.168.1.2 255.255.255.255 www tcp    But permit to proxy server
apply (dmz1) 10 outgoing_src                              Apply to interface dmz1
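The default actions by security level, the conduit slide and this outbound slide describe one policy: higher-to-lower is permitted unless an applied outbound list denies it, lower-to-higher is denied unless a conduit opens the global address, and equal levels are denied. The following Python is an added example written for this page, not PIX code or a Cisco tool; it parses the slides' own `nameif`, `conduit`, `outbound` and `apply` lines and decides a flow. Assumptions: the service-name table is mine; outbound lists are evaluated most-specific-match with deny winning a tie (the slide's deny-all line followed by a host permit only makes sense that way); conduits take the first matching entry; addresses given to `check` are the global ones, as the conduit slide notes.

```python
import ipaddress

# Constructed from the slides: interfaces with security levels, the two conduit lines and
# the outbound list with its apply statement. Interface dmz1 is taken from the apply line.
CONFIG = """
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz1 security50
conduit permit tcp host 192.150.50.1 eq ftp any
conduit permit tcp any eq ftp host 192.150.50.42
outbound 10 deny 0 0 www tcp
outbound 10 permit 192.168.1.2 255.255.255.255 www tcp
apply (dmz1) 10 outgoing_src
"""

# Service names used on the slides plus a few common ones (my table, not PIX's full list).
PORTS = {"ftp": 21, "telnet": 23, "smtp": 25, "www": 80, "http": 80}
ANY = ipaddress.ip_network("0.0.0.0/0")


def port_number(token):
    return int(token) if token.isdigit() else PORTS[token]


def parse_addr(tokens):
    """Consume one address spec: 'any', 'host A', or 'A MASK' ('0 0' is PIX shorthand for any)."""
    if tokens[0] == "any":
        return ANY, tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1] + "/32"), tokens[2:]
    if tokens[0] == "0" and tokens[1] == "0":
        return ANY, tokens[2:]
    return ipaddress.ip_network(f"{tokens[0]}/{tokens[1]}", strict=False), tokens[2:]


def parse_port(tokens):
    """Consume an optional 'eq <service>'; None means any port."""
    if tokens and tokens[0] == "eq":
        return port_number(tokens[1]), tokens[2:]
    return None, tokens


class Pix:
    def __init__(self, config):
        self.level = {}      # interface -> security level
        self.conduits = []   # (action, proto, global net, global port, foreign net)
        self.outbound = {}   # list id -> [(action, net, port, proto)]
        self.applied = {}    # interface -> list id applied with outgoing_src
        for line in config.strip().splitlines():
            t = line.split()
            if t[0] == "nameif":
                self.level[t[2]] = int(t[3][len("security"):])
            elif t[0] == "conduit":
                gnet, rest = parse_addr(t[3:])
                gport, rest = parse_port(rest)
                fnet, _ = parse_addr(rest)
                self.conduits.append((t[1], t[2], gnet, gport, fnet))
            elif t[0] == "outbound":
                net, rest = parse_addr(t[3:])
                port = None if rest[0] == "0" else port_number(rest[0])
                self.outbound.setdefault(int(t[1]), []).append((t[2], net, port, rest[1]))
            elif t[0] == "apply" and t[3] == "outgoing_src":
                self.applied[t[1].strip("()")] = int(t[2])

    def check(self, src_if, dst_if, src_ip, dst_ip, proto, dport):
        """Decide permit/deny for a flow. Addresses are the ones the PIX sees after
        translation, i.e. global addresses, as the conduit slide notes."""
        src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
        src_level, dst_level = self.level[src_if], self.level[dst_if]
        if src_level > dst_level:
            # Higher to lower: PERMIT by default, limited by the outbound list applied here.
            rules = self.outbound.get(self.applied.get(src_if), [])
            hits = [(net.prefixlen, action) for action, net, port, p in rules
                    if p == proto and src in net and port in (None, dport)]
            if not hits:
                return "permit"
            best = max(length for length, _ in hits)          # most specific rule wins ...
            return "deny" if "deny" in [a for l, a in hits if l == best] else "permit"  # ... deny wins a tie
        if src_level < dst_level:
            # Lower to higher: DENY by default unless a conduit opens the global address/port.
            for action, p, gnet, gport, fnet in self.conduits:
                if p == proto and dst in gnet and gport in (None, dport) and src in fnet:
                    return action
            return "deny"
        return "deny"   # same security level: DENY
```

With this model, dmz1 hosts reach web servers only through the proxy at 192.168.1.2, inside hosts (no list applied) are unrestricted, and from the outside only FTP to 192.150.50.1, or FTP from 192.150.50.42 to any global address, gets through.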

Adaptive Security Algorithm™ (ASA)

• Heart of stateful checking in PIX

• Basic Rules:

Allow TCP / UDP from inside

Permit TCP / UDP return packets

Drop and log connections from outside

Drop and log source routed IP packets

Allow some ICMP packets

Silently drop pings to dynamic IP addresses

Answer (PIX) pings to static connections

Drop and log all other packets from outside

How the PIX works

1. Packet Arrives

2. Addressing: NAT / PAT / Alias / Static

3. Permissions: Conduit / ACLs / Outbound

4. -> Xlate Table (addressing info)

5. -> Connections Table (ports + proto)

Xlate: The Translation Table

• PIX creates an xlate entry for every IP pair (host-host)

• This is part of the “State” of the firewall

• clear xlate after changes

timeout xlate hh:mm:ss

timeout conn hh:mm:ss

… and: half-closed, udp, rpc, h323, uauth

Connections Table

• Connection entries contain:

Protocol and port numbers

TCP state and sequence numbers

state of connection (e.g., embryonic)

• Also part of the “State” of the firewall

• clear xlate also clears the conns table

• License check with # of connections!

Xlate and Conns Tables

show xlate

Global 16.130.3.17 Local 16.130.3.17 static nconns 1 econns 0
Global 16.130.3.16 Local 16.130.3.16 static nconns 4 econns 0
                                            ^ # conns  ^ # embryonic

show conn

6 in use, 6 most used          <- Licence check! (PIX 520)
TCP out 192.150.50.41:80 in 10.3.3.4:1404 idle 0:00:00 Bytes 11391
TCP out 192.150.50.41:80 in 10.3.3.4:1405 idle 0:00:00 Bytes 3709
TCP out 192.150.50.41:80 in 10.3.3.4:1406 idle 0:00:01 Bytes 2685
TCP out 192.150.50.41:80 in 10.3.3.4:1407 idle 0:00:01 Bytes 2683
TCP out 192.150.50.41:80 in 10.3.3.4:1403 idle 0:00:00 Bytes 15199
TCP out 192.150.50.41:80 in 10.3.3.4:1408 idle 0:00:00 Bytes 2688
UDP out 192.150.50.70:24 in 10.3.3.4:1402 idle 0:01:30
UDP out 192.150.50.70:23 in 10.3.3.4:1397 idle 0:01:30
UDP out 192.150.50.70:22 in 10.3.3.4:1395 idle 0:01:30
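Because the 520 licence is counted in sessions, these two outputs are what an operator would watch. The following Python is an added example written for this page, not a Cisco tool: it parses the slide's `show xlate` and `show conn` output (reproduced below as the sample), compares the "in use" / "most used" counters against a licence limit, and flags translation slots with many embryonic (half-open) connections. The 128-session limit, the 80 % warning level and the embryonic threshold of 50 are assumptions chosen for the example.

```python
import re

# Sample output in the format shown on the slide (the slide's own lines; note that the header
# counts 6 in use while 6 TCP and 3 UDP entries are listed).
SHOW_XLATE = """\
Global 16.130.3.17 Local 16.130.3.17 static nconns 1 econns 0
Global 16.130.3.16 Local 16.130.3.16 static nconns 4 econns 0
"""
SHOW_CONN = """\
6 in use, 6 most used
TCP out 192.150.50.41:80 in 10.3.3.4:1404 idle 0:00:00 Bytes 11391
TCP out 192.150.50.41:80 in 10.3.3.4:1405 idle 0:00:00 Bytes 3709
TCP out 192.150.50.41:80 in 10.3.3.4:1406 idle 0:00:01 Bytes 2685
TCP out 192.150.50.41:80 in 10.3.3.4:1407 idle 0:00:01 Bytes 2683
TCP out 192.150.50.41:80 in 10.3.3.4:1403 idle 0:00:00 Bytes 15199
TCP out 192.150.50.41:80 in 10.3.3.4:1408 idle 0:00:00 Bytes 2688
UDP out 192.150.50.70:24 in 10.3.3.4:1402 idle 0:01:30
UDP out 192.150.50.70:23 in 10.3.3.4:1397 idle 0:01:30
UDP out 192.150.50.70:22 in 10.3.3.4:1395 idle 0:01:30
"""

XLATE_RE = re.compile(r"Global (\S+) Local (\S+) (\S+) nconns (\d+) econns (\d+)")
CONN_RE = re.compile(r"(TCP|UDP) out (\S+):(\d+) in (\S+):(\d+) idle (\d+):(\d\d):(\d\d)(?: Bytes (\d+))?")
HEADER_RE = re.compile(r"(\d+) in use, (\d+) most used")


def parse_xlate(text):
    """One dict per translation slot: global/local address, type, open and embryonic conns."""
    return [dict(global_ip=g, local_ip=l, kind=k, nconns=int(n), econns=int(e))
            for g, l, k, n, e in XLATE_RE.findall(text)]


def parse_conn(text):
    """Return (in_use, most_used, entries) from 'show conn' output; UDP entries carry no byte count."""
    in_use, most_used = map(int, HEADER_RE.search(text).groups())
    entries = []
    for m in CONN_RE.finditer(text):
        proto, oip, oport, iip, iport, h, mi, s, nbytes = m.groups()
        entries.append(dict(proto=proto, out_ip=oip, out_port=int(oport), in_ip=iip,
                            in_port=int(iport), idle=int(h) * 3600 + int(mi) * 60 + int(s),
                            nbytes=int(nbytes) if nbytes else None))
    return in_use, most_used, entries


def license_check(in_use, most_used, licensed, warn_at=0.8):
    """Compare the connection counters with the session licence (PIX 520 is session based)."""
    status = "ok"
    if in_use >= licensed:
        status = "at limit"
    elif max(in_use, most_used) >= warn_at * licensed:
        status = "warning"   # the peak, not just the current count, says how close the licence is
    return dict(status=status, in_use=in_use, most_used=most_used, licensed=licensed,
                utilisation=round(in_use / licensed, 3))


def embryonic_hosts(xlates, threshold):
    """Slots with many half-open (embryonic) connections: a server that is being flooded."""
    return [x["global_ip"] for x in xlates if x["econns"] >= threshold]


def summarize(conn_text=SHOW_CONN, xlate_text=SHOW_XLATE, licensed=128):
    in_use, most_used, conns = parse_conn(conn_text)
    xlates = parse_xlate(xlate_text)
    by_proto = {}
    for c in conns:
        by_proto[c["proto"]] = by_proto.get(c["proto"], 0) + 1
    return dict(license=license_check(in_use, most_used, licensed),
                listed=len(conns), by_proto=by_proto,
                tcp_bytes=sum(c["nbytes"] for c in conns if c["proto"] == "TCP"),
                xlate_conns=sum(x["nconns"] for x in xlates),
                xlate_embryonic=sum(x["econns"] for x in xlates),
                flooded=embryonic_hosts(xlates, threshold=50))


if __name__ == "__main__":
    for key, value in summarize().items():
        print(f"{key}: {value}")
```

The licence check uses "most used" as well as "in use", since a firewall that briefly hit its session ceiling overnight reads as healthy by the current count alone.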

Advanced Configurations

User Authentication: Cut-Through-Proxy

[Figure: Outside User sends an HTTP request through the PIX to a www server on the Private Network; the PIX consults an AAA server]

1. HTTP request packet intercepted by PIX

2. PIX asks user for credentials, he responds

3. PIX sends credentials to AAA server, AAA server ack’s

4. PIX forwards packets

User Authentication: Cut-Through-Proxy

• Addressing and Conduit must Exist!

• FTP, HTTP, Telnet can be proxied

• Other ports can be authorised after authentication

• Watch Out: Timeout for authorisation! -> Other connections will be cut after primary timed out

User Authentication: Configuration

aaa-server AuthInbound protocol tacacs+                       Define AAA protocol
aaa-server AuthInbound (inside) host 10.1.1.1 TheUauthKey     Define AAA server and key
aaa authentication ftp inbound 0 0 0 0 AuthInbound            Authenticate all inbound FTP traffic
aaa authorization ftp inbound 0 0 0 0 AuthInbound             Install authorization lists from server*

* only with TACACS+, not with RADIUS

PIX Failover

[Figure: Primary and Secondary PIX joined by a Failover Cable and a Failover Link; inside network 10.0.1.x (primary .1, secondary .2), outside network 192.168.236.x (primary .1, secondary .2); inside hosts use default gateway 10.0.1.1]

Failover Configuration

[Figure: Primary (.1) and Secondary (.2) on 10.0.1.x, joined by Failover Cable and Failover Link]

failover [active]                        Enable failover
failover ip address inside 10.0.1.1      Address for standby PIX (configured on primary)
failover link ethernet2                  Enable statefulness (over link eth2)

PIX Failover

[Figure: Primary (.1) and Secondary (.2) on 10.0.1.x, joined by Failover Cable and Failover Link]

• Only primary PIX is configured, wr mem auto-configures standby PIX

• On failover, standby PIX assumes MAC and IP address from primary

• Failover takes 15-45 seconds

URL Filtering

[Figure: Inside User on the Corporate Network -> PIX -> Internet; the PIX asks the WebSense server about the requested URL (example on the slide: www.sexy.girls)]

URL Filtering Configuration

• Outbound HTTP connections can be checked on URL

• Interaction with 3rd Party Product, e.g., WebSense

url-server (inside) host 10.0.1.100 timeout 5          Interface, Server IP
filter url http 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0        Filter any URL

Various...

• Flooding Prevention:

floodguard enable|disable

show floodguard

• Fragmentation Attack Prevention:

sysopt security fragguard

• Mailguard (check SMTP commands):

fixup protocol smtp 25

Example: Redundant PIX Set-Up

[Figure: redundant PIX pair between the Internet and the internal network, with a DMZ, a segment for Partners and Clients, a NetSonar scanner and NetRanger sensors]

PIX and IPSec

PIX and IPSec*

[Figure: IPSec uses with the PIX: Remote User Access, Branch Offices, Intranet, Extranet and Host-to-host Access, all reaching the Main Office over the Internet, with a Certification Authority (CA)]

* since PIX IOS 5.0

IPSec Configuration Steps

1: CA interoperation (opt)

2: IKE

3: IKE Mode (opt)

4: IPSec

IPSec Configuration

access-list 101 permit ip 1.1.1.0 255.255.255.0 2.2.2.0 255.255.255.0    what to encrypt...
crypto ipsec transform-set myset1 esp-des esp-sha-hmac                   …and how.
crypto map mymap 10 ipsec-isakmp
crypto map mymap 10 match address 101                                    For this traffic...
crypto map mymap 10 set peer 2.2.2.2                                     …use this endpoint
crypto map mymap 10 set transform-set myset1
crypto map mymap interface outside                                       apply to interface

Configuring the CA

ca generate rsa key 512                                      generate key-pair
ca identity myca.mycompany.com 205.139.94.230                define CA
ca configure myca.mycompany.com ca 1 20 crloptional          retry parameters
ca authenticate myca.mycompany.com [<fingerprint>]           get CA certificate and check it
ca enroll myca.mycompany.com mypassword1234567               Send PIX’s pub key to CA
ca save all

PIX IPSec: Attention!

• IPSec only on outside interface in 5.0

• No TED in 5.0

• Make sure clock is set correctly!
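A small configuration audit tying the IPSec configuration slide to the two "Attention" points it can check mechanically (no `any` in the crypto ACL; IPSec only on the outside interface in 5.0). This Python is an added example written for this page, not PIX code or a Cisco tool: it parses the slide's `access-list` / `crypto ipsec transform-set` / `crypto map` lines and reports dangling references (an ACL or transform-set that is named but never defined, a map entry with no peer, a map never applied to an interface). The parsing covers only the command forms shown on the slide; the clock check is left out because the page gives no config line for it.

```python
# The slide's own IPSec configuration, used here as the "known good" sample.
SLIDE_CONFIG = """
access-list 101 permit ip 1.1.1.0 255.255.255.0 2.2.2.0 255.255.255.0
crypto ipsec transform-set myset1 esp-des esp-sha-hmac
crypto map mymap 10 ipsec-isakmp
crypto map mymap 10 match address 101
crypto map mymap 10 set peer 2.2.2.2
crypto map mymap 10 set transform-set myset1
crypto map mymap interface outside
"""

# Constructed counter-example exercising every finding the audit can raise.
BAD_CONFIG = """
access-list 102 permit ip any 2.2.2.0 255.255.255.0
crypto ipsec transform-set myset1 esp-des esp-sha-hmac
crypto map badmap 10 ipsec-isakmp
crypto map badmap 10 match address 102
crypto map badmap 10 set transform-set nosuchset
crypto map badmap interface inside
"""


def parse(config):
    """Collect ACLs, transform-set names, crypto map entries and interface bindings."""
    acls, tsets, maps, applied = {}, set(), {}, {}
    for line in config.strip().splitlines():
        t = line.split()
        if t[:1] == ["access-list"]:
            acls.setdefault(t[1], []).append(t[2:])
        elif t[:3] == ["crypto", "ipsec", "transform-set"]:
            tsets.add(t[3])
        elif t[:2] == ["crypto", "map"] and t[3] == "interface":
            applied[t[2]] = t[4]
        elif t[:2] == ["crypto", "map"]:
            entry = maps.setdefault((t[2], int(t[3])), {})
            if t[4:] == ["ipsec-isakmp"]:
                entry["type"] = "ipsec-isakmp"
            elif t[4:6] == ["match", "address"]:
                entry["acl"] = t[6]
            elif t[4:6] == ["set", "peer"]:
                entry["peer"] = t[6]
            elif t[4:6] == ["set", "transform-set"]:
                entry["tset"] = t[6]
    return acls, tsets, maps, applied


def audit(config, version="5.0"):
    """Return a list of findings; an empty list means the crypto configuration is consistent."""
    acls, tsets, maps, applied = parse(config)
    findings = []
    for (name, seq), e in sorted(maps.items()):
        where = f"crypto map {name} {seq}"
        for key, label in (("acl", "match address"), ("peer", "set peer"), ("tset", "set transform-set")):
            if key not in e:
                findings.append(f"{where}: missing '{label}'")
        if "acl" in e and e["acl"] not in acls:
            findings.append(f"{where}: access-list {e['acl']} is not defined")
        if "tset" in e and e["tset"] not in tsets:
            findings.append(f"{where}: transform-set {e['tset']} is not defined")
        if name not in applied:
            findings.append(f"{where}: map {name} is not applied to any interface")
        for ace in acls.get(e.get("acl"), []):
            if "any" in ace:   # slide: avoid the 'any' keyword with IPSec
                findings.append(f"{where}: access-list {e['acl']} uses 'any'")
    for name, ifc in applied.items():
        if not any(n == name for n, _ in maps):
            findings.append(f"crypto map {name} applied to {ifc} but has no entries")
        if version == "5.0" and ifc != "outside":   # slide: IPSec only on outside in 5.0
            findings.append(f"crypto map {name} applied to {ifc}: 5.0 supports IPSec only on outside")
    return findings


if __name__ == "__main__":
    for label, cfg in (("slide", SLIDE_CONFIG), ("constructed bad", BAD_CONFIG)):
        print(label, "->", audit(cfg) or ["no findings"])
```

Run against the slide's configuration the audit is silent; against the constructed counter-example it reports the missing peer, the undefined transform-set, the `any` in the ACL and the map bound to the inside interface.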

IPSec Hardware Accelerators

• Software-only Mode

30-40 Mbps DES (!)

10-20 Mbps 3DES (!)

• PIX Private Link Card (PL2/PL3)

60-80 Mbps DES

(3DES not supported on PL2)

• Kodiak (in development)

100 Mbps 3DES

PIX Management

Cisco Security Manager

• Policy-based, not Device-based

• GUI

• Scalable (<100 PIX)

• Any Topology

• Future: Management of all Security Products

PIX Syslog

• Reliable Logging (TCP):

If Syslog server is full -> PIX will deny all new connections!!

• Unreliable Logging: UDP

• Config:

logging host dmz1 192.168.1.5 tcp      Interface, tcp / udp
logging trap debugging
clock set 14:25:00 apr 1 1999
logging timestamp

PIX SNMP

• Almost like on Router:

snmp-server host outside 10.1.1.2      Interface
snmp-server community secret_xyz
snmp-server syslog disable
snmp-server log_level 5

But: PIX only sends traps, no config through SNMP

Last Words…

The Direction of Security in Cisco

• Integration: Security as an Integral Part in all Products

• CiscoAssure: Combine Security, QoS, Voice in one Concept

• DEN*: The Future is Based on Directories

[Figure: the three items placed along a time axis]

* Directory Enabled Networks

Last Words...

• Security needs more than a Firewall…

• Keep it simple -> More Secure

Simple configurations

Split functionality to different devices

• Keep Up To Date!
