C H A P T E R 13
Overview of AAA and the
Cisco PIX Firewall
This chapter presents authentication, authorization, and accounting, more commonly known as AAA. It discusses how the Cisco PIX Firewall is incorporated with AAA servers and the relationship between the Cisco PIX Firewall and the AAA server(s). This chapter also introduces the Cisco Secure Access Control Server (CSACS), a AAA server product offered by Cisco.
Chapter 6, “Getting Started with the Cisco PIX Firewall,” addresses the commands necessary to configure the Cisco PIX Firewall. You might remember that the importance of remembering the PIX commands was mentioned in the Introduction. In the real world, it is possible to navigate your way around a PIX and figure out a command's correct syntax. This is not possible in the testing environment. You are asked to select a command that performs a certain function from a list of very similar commands. It is very important that you understand the correct syntax for each PIX command.
How to Best Use This Chapter
If you are very familiar with AAA, but you aren't very familiar with the CSACS, you should skim the first half of this chapter to reinforce your knowledge of AAA and focus on the installation of CSACS. The AAA process is relatively simple to understand, although there are quite a few different configuration options. This chapter explains the AAA process, discusses how the Cisco PIX Firewall fits into this process, and covers the installation of CSACS.
“Do I Know This Already?” Quiz
The purpose of this quiz is to help you determine your current understanding of the topics covered in this chapter. Write down your answers and compare them to the answers in Appendix A. If you have to look at any references to correctly answer the questions about PIX functionality, you should read that portion and double-check your thinking by reviewing the Foundation Summary. The concepts in this chapter are the foundation for much of what you need to understand to pass the CSPFA Certification Exam. Unless you
258 Chapter 13: Overview of AAA and the Cisco PIX Firewall
do exceptionally well on the “Do I Know This Already?” pretest and are 100% confident in your knowledge of this area, you should read through the entire chapter.
1What is the relationship between the Cisco PIX Firewall and the AAA server?
2What three methods are used to authenticate to the Cisco PIX Firewall?
3How does the Cisco PIX Firewall process cut-through proxy?
4What are the main differences between RADIUS and TACACS+?
5What patch level must you have Windows 2000 Professional configured to before you install CSACS?
6Why is it important to authenticate a user before completing authorization?
7What are the three layers of authentication?
8What is the purpose of the explain box during the CSACS installation?
9What do you need to verify before installing CSACS?
10Why is it important to have Internet Explorer up to date on your CSACS?
Overview of AAA and the Cisco PIX Firewall 259
Foundation Topics
Overview of AAA and the Cisco PIX Firewall
Authentication, authorization, and accounting (AAA) has become an extremely important component in any network infrastructure. AAA is used in our everyday lives not only for network security, but also for physical security, or any other function that requires access control. This chapter discusses the AAA process, its components, the responsibilities of each component, and how the Cisco PIX Firewall fits into the equation.
Definition of AAA
The best way to understand AAA is to break up the pieces and look at them individually. The three components of AAA are distinctly different, and each has its own responsibility. AAA is now integrated into nearly every situation that requires access control. Access control can be applied to users, hosts on a network (such as servers and workstations), networking components (such as routers, switches, VPN appliances, and firewalls), and other automated devices that require access and that perform a function. This chapter discusses AAA as it pertains to a user, but you will see how the principles can apply to many automated functions. The three components of AAA are as follows:
•Authentication—The process of validating an identity. The identity that is being validated could be a user, a computer, a networking component, and so on. Authentication is by far the most important step. No access is granted until the requestor has been authenticated. There are three layers of user authentication:
—What the user knows—This normally is a user password or passphrase.
—What a user has—This normally is a user token or badge issued to the user by whomever has authority over what the user is attempting to access.
—What a user is—This area includes biometrics—checking the user's fingerprint or retinal scan against a stored image in the database.
Many organizations do not incorporate all three layers of authentication; however, it is very common to use a minimum of two layers at one time.
•Authorization—After the user has been authenticated, he or she is granted access rights to perform specific functions.
•Accounting—After the user is granted access, the accounting function tracks what tasks the user performed and saves that information is a log that can be reviewed later. Accountability of users and their actions is an issue that is becoming increasingly important in the security of enterprise networks.
The three functions of AAA can be performed by a single server or can be divided among several servers. Most large enterprise networks create a hierarchy of AAA servers, with the lower-level servers tending to user functions and the upper-level servers working as a central point for updating and distributing user information.
260 Chapter 13: Overview of AAA and the Cisco PIX Firewall
AAA and the Cisco PIX Firewall
So how does the PIX factor into the AAA equation? Any user requesting access or a service that is configured for authentication and who goes through the PIX is prompted by the firewall for a username and password. If the PIX has a local database configured for user authentication, it matches this user information against that database and permits or denies access. If the PIX is configured to use a separate AAA server, it forwards the user information to that server for authentication and authorization. In this case, the PIX and the AAA server act in a client/server mode, with the PIX being the client. The PIX acts as a Network Access Server (NAS) but operates as a client to the AAA server. It is a common practice to configure redundant AAA servers. It is also possible to configure a local database on the PIX for use when no other AAA servers can be contacted.
NOTE The local user database on a Cisco PIX Firewall can be processor-intensive and should be used only for small organizations with a limited number of users.
Remember that the AAA server not only authenticates the user but also tells the firewall what the user is authorized to do. If a user is authorized to access websites via HTTP and attempts to connect to the same servers over FTP, that connection is dropped at the firewall even though that user has been authenticated. Additionally, the AAA server should log the fact that the user attempted to make a connection that was outside his or her authority.
Cut-Through Proxy
Cut-through proxy is a feature on the Cisco PIX Firewall that allows transparent AAA services and a seamless connection through the firewall to the destination. It provides significantly better performance than application proxy firewalls because it completes user authentication at the application layer, verifies authorization against the security policy, and then opens the connection as authorized by the security policy. In other words, the connection request needs to go up to the application layer only once to be authorized. After that, all authorized traffic is passed at the lower layers, dramatically increasing the rate at which it can pass through the firewall.
There are three ways to connect to the Cisco PIX Firewall and activate the cut-through proxy:
•
•
•
HTTP
FTP
Telnet
The firewall responds to each of these connections with a username and password prompt. Figure 13-1 shows the Telnet user authentication prompt. The user information is either authenticated against a local database on the PIX or forwarded to a AAA server for authen-
Overview of AAA and the Cisco PIX Firewall 261
tication. After the user is authenticated, the firewall completes the connection that is requested (if authorized).
Figure 13-1 Telnet Logon Prompt
Figure 13-2 shows the steps for cut-through proxy on a Cisco PIX Firewall.
Figure 13-2 Cut-Through Proxy Steps
Step 7: Communication is established between source and destination and ASA process begins.
Step 6: Connection completed with Web Server.
Step 1: The user initiates a connection to the Web Server.
Internal
Web Server
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
Step 2: The PIX replies with a user logon prompt. |
|
|
|
|
|
|
|
|
||||
|
|
|
|
|
|
|
|
|
|
User |
|||||||||
|
|
|
|
|
|
|
|
|
|
|
|
|
Workstation |
||||||
|
|
|
|
|
|
|
|
|
|
|
|
Step 3: The user completes the logon. |
|||||||
|
|
|
|
|
|
|
Step 5: Authentication complete. |
|
|
|
|
|
|
|
|
||||
|
|
|
|
|
|
|
Step 4: Account information is sent to AAA server |
|
|
|
|
|
|
|
|
||||
|
|
|
|
|
|
|
|
|
|
|
|||||||||
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|||||
|
|
|
|
|
|
|
|
|
|
|
for authentication and authorization. |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
AAA Server