Опубликованный материал нарушает ваши авторские права? Сообщите нам.
Вуз: Предмет: Файл:
Cisco Secure PIX Firewall Advanced Exam Certification Guide - Cisco press.pdf
15.78 Mб

C H A P T E R 15

Attack Guards and Multimedia


The primary function of the Cisco PIX Firewall is to prevent and protect internal hosts from malicious attacks from the outside network. Some hackers try to gain access to the internal network, but others attack network resources to disrupt network services. This chapter describes some of the features of the Cisco PIX Firewall that are used to mitigate known attacks against network resources. This chapter also discusses how the PIX handles multimedia application protocols.

“Do I Know This Already?” Quiz

The purpose of this quiz is to help you determine your current understanding of the topics covered in this chapter. Write down your answers and compare them to the answers in Appendix A. It is strongly recommended that you go through this self-assessment quiz before you read the ”Foundation Topics” section. The concepts in this chapter are the foundation of much of what you need to understand to pass the CSPFA Certification Exam. Unless you do exceptionally well on the ”Do I Know This Already?” pretest and are 100% confident in your knowledge of this area, you should read through the entire chapter.

1What PIX feature mitigates a denial of service (DoS) attack using an incomplete IP datagram?

2What default port does the PIX inspect for H.323 traffic?

3How do you enable the PIX’s Mail Guard feature?

4True or false: Floodguard is enabled by default.

5What is an embryonic connection?

6Which actions are available in the PIX IDS configuration?

7How does DNS Guard on the Cisco PIX Firewall prevent DoS attacks that exploit DNS?

8How does ip verify reverse-path secure the PIX?

9How does the Mail Guard feature prevent SMTP-related attacks?

10True or false: The shunning feature on the Cisco PIX Firewall does not require the aid of the Cisco IDS device.

314 Chapter 15: Attack Guards and Multimedia Support

Foundation Topics

Multimedia Support on the Cisco PIX Firewall

Chapter 7, ”Configuring Access,” began a discussion of some applications that require special handling by the Cisco PIX Firewall. Multimedia applications have special behaviors that require special handling by the PIX inspection feature.

During normal mode of operation, multimedia application protocols open more than one communication channel and several data channels. For example, a client might transmit a request on TCP, get responses on UDP, or use dynamic ports. The fixup protocol command is used to help the PIX identify such protocols so that it can perform inspections.

Here are some of the multimedia applications supported by the PIX Firewall:

Microsoft Netshow

Microsoft Netmeeting

Intel Internet Video Phone

VDOnet VDOLive

RealNetworks RealAudio and RealVideo


White Pine Meeting Point

White Pine CuSeeMe

Xing StreamWorks

VXtreme WebTheatre

The PIX dynamically opens and closes UDP ports for secure multimedia connections. There is no need to open a range of ports, which creates a security risk, or to reconfigure any application clients.

The PIX supports multimedia with or without NAT. Many firewalls that cannot support multimedia with NAT limit multimedia usage to only registered users or require exposure of inside IP addresses to the Internet.

Many popular multimedia applications use Real-Time Streaming Protocol (RTSP) or the H.323 suite protocol standard.

Multimedia Support on the Cisco PIX Firewall 315

Real-Time Streaming Protocol (RTSP)

RTSP, described in RFC 2326, controls the delivery of real-time data such as audio and video. It is used for large-scale broadcasts and audioor video-on-demand streaming. It supports applications such as Cisco IP/TV, RealNetworks RealAudio G2 Player, and Apple QuickTime 4 software.

RTSP applications use port 554 with TCP (and rarely UDP) as a control channel. The TCP control channel is used to negotiate the two UDP data channels that are used to transmit audio/video traffic. RTSP does not typically deliver continuous data streams over the control channel, usually relying on a UDP-based data transport protocol such as standard Real-Time Transport Protocol (RTP) to open separate channels for data and for RTP Control Protocol (RTCP) messages. RTCP carries status and control information, and RTP carries the actual data.

The fixup protocol command is used for RTSP connections to let the Cisco PIX Firewall do inspection. The fixup protocol rtsp command lets the PIX dynamically create conduits for RTSP UDP channels. For example, the standard RTSP port 554 is enabled by the following command:

fixup protocol rtsp 554


The H.323 collection of protocols collectively uses up to two TCP connections and four to six UDP connections. Most of the ports, with the exception of one TCP port, are negotiated just for that particular session. Figure 15-1 shows the H.323 protocols in relation to the OSI reference model.

316 Chapter 15: Attack Guards and Multimedia Support

Figure 15-1 H.323 Protocols Mapped to the OSI Reference Model







Audio Signal














Video Signal













































Supplementary Services














































Data Link


As shown in Figure 15-1:

RAS manages registration, admission, and status

Q.931 manages call setup and termination

H.235 security and authentication

H.245 negotiates channel usage

The content of the streams in H.323 is far more difficult for firewalls to understand than existing protocols because H.323 encodes packets using Abstract Syntax Notation (ASN.1).

The H.323 control channel handles H.225 and H.245 and H.323 RAS. H.323 inspection uses the following ports:

1718—Gatekeeper discovery UDP port

1719—RAS UDP port

1720—TCP control port

NOTE PAT support for H.323 is available on the PIX version 6.2 software.