Internetworking With Pix FirewallPresentation Transcript
Firewall Basics & Internetworking with Cisco PIX -Firewall Presented by : Souvik Santra [Manager, 3i Infotech Consultancy Services Ltd]
Introduction to Firewalls
Types of Firewalls
Modes and Deployments
Internetworking with Cisco PIX
What Is a Firewall
A firewall is an access control device that looks at the IP packet, compares with policy rules and decides whether to allow, deny or take some other action on the packet
Outside Network DMZ Network Inside Network Internet
A Simple Analogy The Firewall as the Premise Guard
PIX Firewall topology options :-
Think of your network as an office building with security desks at each entry point. At the desks, security guards check identification and make sure visitors aren’t carrying anything unauthorised in or out of the building. They may also ask you what your purpose is in the building and log the time that you came in or went out. This is exactly what firewalls do at the entry points to your network.
The most common use of a firewall is restricting access to your private network from a public network , such as the Internet. Figure A shows an example of this type of topology.
You may also want to create a DMZ (demilitarised zone) between the Internet and your private network. You'd use this segment as the home for servers (like Web servers or external mail servers) that are accessed over the Internet, but still need some protection. Figure B shows an example of this topology.
A less common—but still very important—use for a firewall is to protect the borders between internal networks. Perhaps you share a network with a business partner, do e-commerce with a vendor through a leased line, or just want to control access between departments (like human resources or accounting and everyone else). A firewall can serve this purpose as well, as illustrated in Figure C.
Introduction to Firewalls
Types of Firewalls
Modes and Deployments
Internetworking with Cisco PIX Firewall
Packet filtering gateways
routers with simple ACLs
Stateful inspection firewalls
Cisco PIX, Cisco routers with firewall feature set, check point
Symantec, Check Point Zone, Sygate….
PIX, ASA, Linksys, Netgear
Packet Filtering Gateways
In packet filtering, only the protocol and the address information of each packet is examined. Its contents and context (its relation to other packets and to the intended application) are ignored . The firewall pays no attention to applications on the host or local network and it "knows" nothing about the sources of incoming data.
Filtering consists of examining incoming or outgoing packets and allowing or disallowing their transmission or acceptance on the basis of a set of configurable rules, called policies .
Packet filtering policies may be based upon any of the following:
Allowing or disallowing packets on the basis of the source IP address
Allowing or disallowing packets on the basis of their destination port
Allowing or disallowing packets according to protocol .
Packet Filtering Gateways (cont.)
Stateless—Two Separate ACLs Are Required
Permit HTTP traffic from 10.0.0.0 to www.yahoo.com
Permit HTTP traffic from www.yahoo.com to 10.0.0.0
Inside Outside 10.0.0.15 www.yahoo.com Get Sports Page (Request) Sports Page (Reply) Internet
Stateful Inspection Firewalls
Also referred to as dynamic packet filtering .
A Stateful firewall may examine not just the header information but also the contents of the packet up through the application layer in order to determine more about the packet than just information about its source and destination. A stateful inspection firewall also monitors the state of the connection and compiles the information in a state table.
With Stateful Packet Inspection (SPI), every time a packet is sent out of the computer, the firewall keeps track of it. When a packet comes back to the firewall, the firewall can tell whether or not the in-bound packet is a reply to the packet that was sent out.
This way, the firewall can handle most network traffic safely without a complex configuration of firewall rules.
As an added security measure against port scanning , stateful inspection firewalls close off ports until connection to the specific port is requested.
Packet filters operate at the network layer (layer-3) and function more efficiently because they only look at the header part of a packet .
Stateful firewalls maintain a state table showing the current connections
Stateful Inspection Firewalls (cont.)
Stateful—Only One ACL Is Required
Permit HTTP traffic from 10.0.0.0 to www.yahoo.com
Inside Outside 10.0.0.15 www.yahoo.com Get Sports Page (Request) Sports Page (Reply) Internet
All requests and replies pass though a proxy server; no direct connection between a client and the server; everything is proxied—thus the name
Inside Network Outside Network Internet Proxy Server
Proxy Firewalls (Cont.)
Two Separate TCP Connections
Client to proxy firewall
Proxy firewall to www.yahoo.com
Inside Network Internet Proxy Server 1 4 3 2 Get Sports Page (Request) Sports Page (Reply) www.yahoo.com
A version of network firewalls for laptops and desktops
NAT Firewalls hide all internal addresses—thus protect small networks from external attacks as internal addresses are not exposed.
Network Address Translation (NAT) is simply that – it takes a network address, and “translates” it to another network address. It is a simple lookup table, where each row is created by a router command with the two addresses. The user address is behind the router on the LAN interface, and the Internet address is sent out across the serial interface.
The NAT table (lookup table) in the router can be configured in two ways.
Static NAT - for security - requires n Internet IP addresses - assign unique, unregistered local IP addresses to all users, and use unique Internet addresses as well. Users can all use the same port !!!
Dynamic NAT (NAT & PAT) - for overloading - requires 1 outside Internet IP address - assign unique, unregistered local IP addresses to all users. Must use unique ports for each user !!!
Dynamic NAT allows overloading - multiple users access the Internet via one IP address. This is used by Microsoft ICS (Internet Connection Sharing) and by DSL routers that have several home user PC’s connected. In fact, every Cable/DSL Broadband Router on the market accomplishes its job with NAT.
PAT is a subset of NAT, and is closely related to the concept of Network Address Translation. PAT is also known as NAT Overload. In PAT there is generally only one publicly exposed IP address and multiple private hosts connecting through the exposed address. Incoming packets from the public network are routed to their destinations on the private network by reference to a table held within the PAT device which keeps track of public and private port pairs.
NAT/PAT Firewalls (Cont.) 10.2.0.0 /24 192.168.0.0 10.0.0.0/24 Global pool 192.168.0.17-30 Global pool 192.168.0.3-14 10.0.0.11 10.0.0.4 10.0.0.11 192.168.0.20 Port 2000 10.0.0.4 192.168.0.20 Port 2001 NAT PAT Internet Internet
Cisco PIX 515E Firewall Overview
Cisco PIX ( Private Internet eXchange ) is a popular IP firewall and network address translation (NAT) appliance
On January 28, 2008, Cisco announced the end-of-sale and end-of-life dates for all Cisco PIX Security Appliances, software, accessories, and licenses. The last day for purchasing Cisco PIX Security Appliance platforms and bundles was July 28, 2008 . The last day to purchase accessories and licenses was January 27, 2009. It is important to note that Cisco will continue to support Cisco PIX Security Appliance customers through July 27, 2013 .
In May 2005, Cisco introduced the Adaptive Security Appliance (ASA) which combines functionality from the PIX, VPN 3000 series and IPS product lines. The ASA series of devices run PIX code 7.0 and later. Through PIX OS release 7.x the PIX and the ASA use the same software images. Beginning with PIX OS version 8.x, the operating system code diverges, with the ASA using a Linux kernel and PIX continuing to use the traditional Finesse/PIX OS combination.
How it connects …
PIX Firewall Comparison Chart
PIX Firewall Licensing Cisco PIX Firewall licenses are available in Unrestricted, Restricted, and Fail-Over configurations. Unrestricted —PIX Firewall platforms in an Unrestricted ( UR ) license mode allow installation and use of the maximum number of interfaces and RAM supported by the platform. The Unrestricted license supports a redundant 'hot standby' system for Fail-over operation to minimize network downtime .
PIX Firewall Licensing (cont..) Restricted — PIX Firewall platforms in a Restricted ( R ) license mode limit the number of interfaces supported and the amount of RAM available within the system. A restricted license provides a cost-optimized firewall solution for simplified network connectivity requirements, or where lower than the maximum number of user connections are acceptable. A Restricted licensed firewall does not support a redundant system for fail-over configurations. Fail-Over — The Fail-Over (FO) software licenses place the Cisco PIX Firewall in a 'hot-standby' mode for use along side another PIX Firewall with an Unrestricted license. Fail-Over software licensing provides stateful fail-over capabilities thus enabling high availability network architectures. The fail-over PIX firewall acts as a fully redundant system maintaining state with all active sessions on the primary PIX Firewall, thereby minimizing connection disruptions due to equipment or network failures.
Multiple Interfaces and Security Levels
All PIX Firewalls provide at least two interfaces assigned a security level of 0 and 100, respectively
Unique feature of a PIX Firewall
Allows user-based authentication of inbound or outbound connections
A PIX Firewall uses cut-through proxy to authenticate a connection and then allow traffic to flow quickly and directly
User Authentication: Cut-Through-Proxy Private Network Public Network AAA out side in side Outside User www HTTP Request PIX Advanced Configuration 1. HTTP request packet intercepted by PIX 1 2. PIX asks user for credentials, he responds 2 3. PIX sends credentials to AAA server, AAA server ack’s 3 4. PIX forwards packets 4
Uses standard and extend ACL’s
Implemented using access-list and access-group commands
Standard IP Access Lists Example :
The standard IP access lists filter the network by using the source IP address in an IP packet. You could create a standard IP access list by using the access list numbers 1-99.
The extended IP access lists allow you to choose your source and destination IP address as well as the protocol and the logical port number, which identify the upper-layer protocol or application. By using extended IP access lists, you can effectively allow access to a physical LAN and stop them from using certain services. You'll use the extended IP access list range from 100 to 199.
Router # configure terminal Router (config) # access-list 110 deny tcp any host 172.16.10.5 eq 21 Router (config) # access-list 110 deny tcp any host 172.16.10.5 eq 23 Router (config) # access-list 110 permit ip any any
Monitoring IP Access Lists :
Show access-list: This command displays all access lists and their parameters configured on the router. This command does not show you that on which interface the list is set.
Show ip access-list: This command shows only the IP access lists configured on the router.
Show ip access-list access list no: This command displays the detail of the specific IP access list configured on the router.
Show ip interface interface no: This command shows that which interfaces have access lists set and in which direction.
Show running-config : This command shows the access lists configuration and the interfaces status
Only 4 Ways through the PIX Private Network Public Network out side in side PIX “Inside” 1: inside to outside; (Limit with ”outbound” and ”apply”) 2: user authentication AAA 3: conduit 4*: Access List * since PIX IOS 5.0
Destination Address Translation: Alias
The PIX's alias feature is used to set up a mechanism whereby the destination IP addresses contained in packets going from one interface to another are NATed (translated).
This is necessary in various situations, especially where an external DNS server is used to resolve the names for servers on the inside or DMZ networks, where an IP address is being illegally used in the private network behind the PIX, or where two enterprise networks are marged to form one network across a PIX firewall.
The alias command not only translate the destination IP address, but can also doctor the DNS responses passing through the PIX to comply with the translation taking place on the destination IP address.
How “alias” Works PIX “Inside” Inside User www 184.108.40.206 Internet Company 220.127.116.11 www.x.com 1. Access www.x.com alias: 18.104.22.168 = 22.214.171.124 inside outside 2. DNS query 3. Reply: 126.96.36.199 4. Reply: 188.8.131.52 Conflict 5. Destination NAT alias: 184.108.40.206 = 220.127.116.11 inside outside
Address Translation: Alias Configuration alias (inside) 18.104.22.168 22.214.171.124 255.255.255.255 static (inside,outside) 126.96.36.199 188.8.131.52 netmask 255.255.255.255 Use this destination address on the inside... … for this destination address on the outside PIX “Inside” Map this source on outside... … to this one on inside Destination NAT Source NAT
When you have private addresses on your LAN and public addresses on the outside of the Pix, you can allow connectivity to the LAN on a port by port basis!
(1)Adding a Static Route
Type "conf t" to enter terminal-configuration mode.
Type " wr mem " to save changes to flash memory (otherwise they will be lost if pix is restarted.
(2)Adding a Conduit:
Type "conf t" to enter terminal-configuration mode.
Type: "conduit permit | deny protocol outside_ip operator port any"
"permit" allows access and "deny" blocks it.
"protocol" is either "tcp", "udp", or "ip".
"operator" is "eq" or "range".
"port" is either a port number, the common name of a service (www, telnet, pop3, etc.), or a range (Port 80 to 90 would be: 80 90).
Type "wr mem" to save changes to flash memory (otherwise they will be lost if pix is restarted.
For example, if we have a web server at 10.1.1.27 internally, and we want it to be available externally at 100.100.100.27 on port 80 only, here are the exact commands: static (inside,outside) 100.100.100.27 10.1.1.27 conduit permit tcp host 100.100.100.27 eq www any That's it!
The failover feature allows us to use a standby PIX Firewall to take over the functionality of a failed PIX Firewall. When the active unit fails, it changes to the standby state, while the standby unit changes to the active state. The unit that becomes active takes over the active unit's IP addresses and MAC addresses, and begins passing traffic. The unit that is now in standby state takes over the standby IP addresses and MAC addresses. Because network devices see no change in the MAC to IP address pairing, no ARP entries change or time out anywhere on the network. (See the "Primary and Secondary Vs. Active and Standby" section for more information about MAC addresses).
The PIX Firewall supports two types of failover:
• Regular Failover—When a failover occurs, all active connections are dropped and clients need to reestablish connections when the new active unit takes over.
• Stateful Failover—During normal operation, the active unit continually passes per-connection stateful information to the standby unit. After a failover occurs, the same connection information is available at the new active unit. Supported end-user applications are not required to reconnect to keep the same communication session.
PIX Failover Primary Secondary .1 10.0.1. x 192.168.236. x .2 .1 .2 Failover Cable PIX Advanced Configuration Failover Link default gateway 10.0.1.1 .1
Failover Configuration Primary Secondary 10.0.1. x .1 .2 Failover Cable PIX Advanced Configuration Failover Link failover [active] failover ip address inside 10.0.1.1 failover link ethernet2 Enable failover Address for Standby PIX (configured on primary) Enable statefulness (over link eth2)
CISCO PIX Configuration Commands
Basic Configuration Commands
Some commands share the same syntax in PIX OS and IOS, but have different functionality. The six primary commands that you need to watch out for are:
nameif —assigns a name and security level to an interface
interface —used to assign hardware parameters (like full or half duplex) and to shutdown interfaces
ip address —assigns an IP address and other IP parameters to an interface
nat —does network address translation between the inside interfaces and outside interfaces
global —does network address translation between the outside and inside interfaces
route —configures an IP route
‘ interface’ Command
The interface command identifies the interface hardware card, sets the speed of the interface, and enables the interface all in one command. All interfaces on a Cisco PIX Firewall are shut down by default and are explicitly enabled by the interface command. The basic syntax of the interface command is as follows:
interface hardware_id hardware_speed [ shutdown ]
Table describes the command parameters for the interface command.
The shutdown parameter administratively shuts down the interface. This parameter performs a very similar function in Cisco IOS Software. However, unlike with IOS, the command no shutdown cannot be used here. To place an interface in an administratively up mode, you reenter the interface command without the shutdown parameter. shutdown Sets the connection speed, depending on which medium is being used. 1000auto sets Ethernet speeds automatically. However, it is recommended that you configure the speed manually. 1000sxfull —Sets full-duplex Gigabit Ethernet. 1000basesx —Sets half-duplex Gigabit Ethernet. 1000auto —Automatically detects and negotiates full-/half-duplex Gigabit Ethernet. 10baset —Sets 10 Mbps half-duplex Ethernet (very rare these days). 10full —Sets 10 Mbps full-duplex Ethernet. 100full —Sets 100 Mbps full-duplex Ethernet. 100basetx —Sets 100 Mbps half-duplex Ethernet. Make sure that the hardware_speed setting matches the port speed on the Catalyst switch the interface is connected to. hardware_speed Indicates the interface's physical location on the Cisco PIX Firewall. hardware_id Description Command Parameter
Here are some examples of the interface command:
interface ethernet0 100full
interface ethernet1 100full
interface ethernet2 100full
‘ nameif’ Command
As the name intuitively indicates, the nameif command is used to name an interface and assign a security value from 1 to 99. The outside and inside interfaces are named by default and have default security values of 0 and 100, respectively. By default, the interfaces have their hardware ID. Ethernet 0 is the outside interface, and Ethernet 1 is the inside interface. The names that are configured by the nameif command are user-friendly and are easier to use for advanced configuration later.
The syntax of the nameif command is,
nameif hardware_id if_name security_level
Table describes the command parameters for the nameif command.
A numerical value from 1 to 99 indicating the security level. security_level The name by which you refer to this interface. The name cannot have any spaces and must not exceed 48 characters. if_name Indicates the interface's physical location on the Cisco PIX Firewall. hardware_id Description Command Parameter
Here are some examples of the nameif command:
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz security20
The security_level value controls how hosts/devices on the different interfaces interact with each other. By default, hosts/devices connected to interfaces with higher security levels can access hosts/devices connected to interfaces with lower-security interfaces. Hosts/devices connected to interfaces with lower-security interfaces cannot access hosts/devices connected to interfaces with higher-security interfaces without the assistance of access lists or conduits.
You can verify your configuration by using the show nameif command.
‘ ip address’ Command
All the interfaces on the Cisco PIX Firewall that will be used must be configured with an IP address. The IP address can be configured manually or through Dynamic Host Configuration Protocol (DHCP). The DHCP feature is usually used on Cisco PIX Firewall small office/home office (SOHO) models. DHCP is discussed later in this chapter.
The ip address command is used to configure IP addresses on the PIX interfaces. The ip address command binds a logical address (IP address) to the hardware ID. Table describes the parameters for the ip address command, the syntax of which is as follows:
ip address if_name ip_address [ netmask ]
Table ip address Command Parameters
Here's an example of the ip address command: ip address inside 10.10.10.14 255.255.255.0 Use the show ip command to view the configured IP address on the PIX interface. ‘ nat’ Command The nat (Network Address Translation) command lets you translate a set of IP addresses to another set of IP addresses. NOTE PIX 6.2 supports bidirectional translation of inside network IP addresses to global IP addresses and translation of outside IP addresses to inside network IP addresses. The nat command is always paired with a global command, with the exception of the nat 0 command. Table describes the command parameters for the nat command, the syntax of which is as follows: nat ( if_name ) nat_id local_ip [ netmask ] The appropriate network mask. If the mask value is not entered, the PIX assigns a classful network mask. netmask The interface's IP address. ip_address The interface name that was configured using the nameif command. if_name Description Command Parameter
Table nat Command Parameters Here are some examples of the nat command: nat (inside) 1 10.10.10.0 255.255.255.0 nat (inside) 1 172.16.1.0 255.255.255.0 ‘ Global’ Command The global command is used to define the address or range of addresses that the addresses defined by the nat command are translated into. It is important that the nat_id be identical to the nat_id used in the nat command. The nat_id pairs the IP address defined by the global and nat commands so that network translation can take place. The syntax of the global command is global ( if_name ) nat_id global_ip | global_ip-global_ip [ netmask ] Network mask for the local IP address. netmask The IP address that is translated. This is usually the inside network IP address. It is possible to assign all the inside network for the local_ip through nat (inside) 1 0 0 . local_ip The ID number to match with the global address pool. nat_id The internal network interface name. (if_name) Description Command Parameter
Table global Command Parameters There should be enough global IP addresses to match the local IP addresses specified by the nat command. If there aren't, you can leverage the shortage of global addresses by PAT entry, which permits up to 64,000 hosts to use a single IP address. PAT divides the available ports per global IP address into three ranges: 0 to 511 512 to 1023 1024 to 65535 PAT assigns a unique source port for each UDP or TCP session. It attempts to assign the same port value of the original request, but if the original source port has already been used, PAT starts scanning from the beginning of the particular port range to find the first available port and assigns it to the conversation. PAT has some restrictions in its use. For example, it cannot support H.323 or caching name server use. The following example shows a configuration using a range of global IP and single IP for PAT: nat (inside) 1 10.0.0.0 255.0.0.0 global (outside) 1 192.168.10.15-192.168.1.62 netmask 255.255.255.0 global (outside) 1 192.168.10.65 netmask 255.255.255.0 When a host or device tries to start a connection, the PIX Firewall checks the translation table if there is an entry for that particular IP. If there is no existing translation, a new translation slot is created. The default time that a translated IP is kept in the translation table is 3 hours. You can change this with the timeout xlate hh:mm:ss command. To view the translated addresses, use the show xlate command. The network mask for the global IP address(es). netmask Defines a range of global IP addresses to be used by the PIX to NAT. global_ip-global_ip A single IP address. When a single IP address is specified, the PIX automatically performs Port Address Translation (PAT). A warning message indicating that the PIX will PAT all addresses is displayed on the console. global_ip Identifies the global address and matches it with the nat command it is pairing with. nat_id The external network where you use these global addresses. (if_name) Description Command Parameter
route Command The route command tells the Cisco PIX Firewall where to send information that is forwarded on a specific interface and that is destined for a particular network address. You add static routes to the PIX using the route command. Table 6-6 describes the route command parameters, the syntax of which is as follows: route if_name ip_address netmask gateway_ip [ metric ] Table : route Command Parameters The following example shows a default route configuration on a Cisco PIX Firewall: route outside 0.0.0.0 0.0.0.0 192.168.1.3 1 The 1 at the end indicates that the gateway router is only one hop away. If a metric is not specified in the route command, the default is 1. You can configure only one default route on the PIX Firewall. It is good practice to use the clear arp command to clear the PIX Firewall's ARP cache before testing your new route configuration. Specifies the number of hops to gateway_ip. metric The IP address of the next-hop address. Usually this is the IP address of the perimeter router. gateway_ip The network mask of the IP address to be routed. netmask The IP address to be routed. ip_address The name of the interface where the data leaves from. if_name Description Command Parameter
Summary Table provides a quick reference to the commands needed to configure the Cisco PIX Firewall, time server and NTP support, and the DNS server. Lets you specify the time, month, day, and year for use with time-stamped syslog messages. clock Synchronizes the PIX Firewall with the network time server that is specified and authenticates according to the authentication options that are set. ntp server Controls the DHCP server feature. dhcpd Enables IP routing table updates from received RIP broadcasts. rip Displays the current configuration on the terminal. write terminal Used to enter a default or static route for an interface. route Defines a pool of global addresses. The global addresses in the pool provide an IP address for each outbound connection and for inbound connections resulting from outbound connections. Ensure that associated nat and global command statements have the same nat_id . global Lets you associate a network with a pool of global IP addresses. nat Identifies addresses for network interfaces and lets you set how many times the PIX Firewall polls for DHCP information. ip address Lets you name interfaces and assign security levels. nameif Identifies the speed and duplex settings of the network interface boards. interface Specifies to activate a process, mode, or privilege level. enable Descriptions Commands