Chapter 15: Attack Guards and Multimedia Support
The primary function of the Cisco PIX Firewall is to protect internal hosts from malicious attacks originating on the outside network. Some attackers try to gain access to the internal network; others attack network resources simply to disrupt network services. This chapter describes the features of the Cisco PIX Firewall that mitigate known attacks against network resources. It also discusses how the PIX handles multimedia application protocols.
“Do I Know This Already?” Quiz
The purpose of this quiz is to help you determine your current understanding of the topics covered in this chapter. Write down your answers and compare them to the answers in Appendix A. It is strongly recommended that you go through this self-assessment quiz before you read the “Foundation Topics” section. The concepts in this chapter are the foundation of much of what you need to understand to pass the CSPFA Certification Exam. Unless you do exceptionally well on the “Do I Know This Already?” pretest and are 100% confident in your knowledge of this area, you should read through the entire chapter.
1. What PIX feature mitigates a denial of service (DoS) attack using an incomplete IP datagram?
2. What default port does the PIX inspect for H.323 traffic?
3. How do you enable the PIX’s Mail Guard feature?
4. True or false: Floodguard is enabled by default.
5. What is an embryonic connection?
6. Which actions are available in the PIX IDS configuration?
7. How does DNS Guard on the Cisco PIX Firewall prevent DoS attacks that exploit DNS?
8. How does ip verify reverse-path secure the PIX?
9. How does the Mail Guard feature prevent SMTP-related attacks?
10. True or false: The shunning feature on the Cisco PIX Firewall does not require the aid of the Cisco IDS device.
Foundation Topics
Multimedia Support on the Cisco PIX Firewall
Chapter 7, “Configuring Access,” began a discussion of applications that require special handling by the Cisco PIX Firewall. Multimedia applications have behaviors that require special handling by the PIX inspection feature.
In normal operation, multimedia application protocols open more than one communication channel and several data channels. For example, a client might transmit a request on TCP, receive responses on UDP, or use dynamically negotiated ports. The fixup protocol command tells the PIX how to identify such protocols so that it can inspect them.
Here are some of the multimedia applications supported by the PIX Firewall:
• Microsoft Netshow
• Microsoft Netmeeting
• Intel Internet Video Phone
• VDOnet VDOLive
• RealNetworks RealAudio and RealVideo
• VocalTech
• White Pine Meeting Point
• White Pine CuSeeMe
• Xing StreamWorks
• VXtreme WebTheatre
The PIX dynamically opens and closes UDP ports for secure multimedia connections. There is no need to open a static range of ports, which would create a security risk, or to reconfigure any application clients.
The PIX supports multimedia with or without NAT. Many firewalls that cannot support multimedia with NAT limit multimedia usage to registered users only or require exposure of inside IP addresses to the Internet.
Many popular multimedia applications use the Real-Time Streaming Protocol (RTSP) or the H.323 protocol suite.
Real-Time Streaming Protocol (RTSP)
RTSP, described in RFC 2326, controls the delivery of real-time data such as audio and video. It is used for large-scale broadcasts and for audio- or video-on-demand streaming. It supports applications such as Cisco IP/TV, RealNetworks RealAudio G2 Player, and Apple QuickTime 4 software.
RTSP applications use port 554 with TCP (and rarely UDP) as a control channel. The TCP control channel is used to negotiate the two UDP data channels that are used to transmit audio/video traffic. RTSP does not typically deliver continuous data streams over the control channel, usually relying on a UDP-based data transport protocol such as standard Real-Time Transport Protocol (RTP) to open separate channels for data and for RTP Control Protocol (RTCP) messages. RTCP carries status and control information, and RTP carries the actual data.
The fixup protocol command enables inspection of RTSP connections by the Cisco PIX Firewall. The fixup protocol rtsp command lets the PIX dynamically create conduits for the negotiated RTSP UDP channels. For example, inspection on the standard RTSP port 554 is enabled by the following command:
fixup protocol rtsp 554
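To make concrete what the RTSP fixup does on the control channel, here is an added example (not code from the book or from Cisco) that models the inspection step: it reads the Transport header of a SETUP exchange and derives only the negotiated UDP RTP/RTCP port pairs, so no static range has to be opened. The RTSP messages, the inside client address 10.1.1.5, and the outside server address 192.0.2.10 are constructed sample input.

```python
"""Added example, not from the book: a minimal model of RTSP inspection.
The firewall watches the TCP/554 control channel for a SETUP exchange and
opens only the UDP port pairs negotiated there (low port = RTP data,
high port = RTCP control) for the life of the session."""
import re

# Constructed sample SETUP exchange (not captured traffic).
CLIENT_SETUP = (
    "SETUP rtsp://192.0.2.10/movie/audio RTSP/1.0\r\n"
    "CSeq: 3\r\n"
    "Transport: RTP/AVP;unicast;client_port=4588-4589\r\n\r\n"
)
SERVER_REPLY = (
    "RTSP/1.0 200 OK\r\n"
    "CSeq: 3\r\n"
    "Session: 12345678\r\n"
    "Transport: RTP/AVP;unicast;client_port=4588-4589;"
    "server_port=6256-6257\r\n\r\n"
)

_PORT_RE = re.compile(r"(client_port|server_port)=(\d+)(?:-(\d+))?")


def parse_transport(msg: str) -> dict:
    """Return {'client_port': (rtp, rtcp), 'server_port': (rtp, rtcp)} from
    the Transport header; a lone port is treated as the pair (p, p+1)."""
    ports = {}
    for line in msg.split("\r\n"):
        if not line.lower().startswith("transport:"):
            continue
        for name, lo, hi in _PORT_RE.findall(line):
            lo = int(lo)
            ports[name] = (lo, int(hi) if hi else lo + 1)
    return ports


def negotiated_pinholes(client: str, server: str, setup: str, reply: str) -> set:
    """UDP pinholes (src, sport, dst, dport) the inspection engine would
    permit for server -> client RTP and RTCP. The server reply is the
    authoritative negotiation; the SETUP request is only a fallback."""
    p = parse_transport(reply) or parse_transport(setup)
    if "client_port" not in p:
        return set()  # nothing negotiated on the control channel: open nothing
    c_ports = p["client_port"]
    s_ports = p.get("server_port", (0, 0))  # 0 = any source port
    return {(server, s_ports[i], client, c_ports[i]) for i in range(2)}
```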
H.323
The H.323 suite of protocols collectively uses up to two TCP connections and four to six UDP connections. With the exception of one TCP port, the ports are negotiated for each particular session. Figure 15-1 shows the H.323 protocols in relation to the OSI reference model.
Figure 15-1 H.323 Protocols Mapped to the OSI Reference Model
[Figure: the H.323 protocols laid over the OSI layers Application, Presentation, Session, Transport, Network, Data Link, and Physical. Audio Signal: G.711, G.728, G.722, G.729, G.723.1. Video Signal: H.261, H.263. Data: T.127, T.126, T.124, T.125/T.122, X.224.0. Control: H.245, H.225, RAS, H.235. Supplementary Services: H.450.1, H.450.2, H.450.3. Transport: RTP and RTCP over UDP, and TCP.]
As shown in Figure 15-1:
• RAS manages registration, admission, and status
• Q.931 manages call setup and termination
• H.235 provides security and authentication
• H.245 negotiates channel usage
The content of H.323 streams is far more difficult for firewalls to understand than that of most existing protocols because H.323 encodes packets using Abstract Syntax Notation One (ASN.1).
The H.323 control channel handles H.225, H.245, and H.323 RAS. H.323 inspection uses the following ports:
• 1718—Gatekeeper discovery UDP port
• 1719—RAS UDP port
• 1720—TCP control port
NOTE: PAT support for H.323 is available in PIX Firewall software version 6.2.