Cisco Secure PIX Firewall Advanced Exam Certification Guide - Cisco press.pdf

Attack Guards 317

fixup protocol h323 Command

The Cisco PIX Firewall inspects port 1720 (default) connections for H.323 traffic. If you need to change port 1720 because you have applications using H.323 on other ports, use the fixup command:

fixup protocol h323 7430-7450

Use the no form of this command to disable the inspection of traffic on the indicated port.

An H.323 client might initially establish a TCP connection to an H.323 server using TCP port 1720 to request Q.931 call setup. The H.323 terminal supplies a port number to the client to use for an H.245 TCP connection.

The two major functions of H.323 inspection are as follows:

Performs Network Address Translation (NAT) on the embedded IP addresses in the H.225 and H.245 messages. In other words, it translates the H.323 payload to a NAT address. (PIX Firewall uses an ASN.1 decoder to decode the H.323 messages.)

Dynamically creates conduits for TCP and UDP channels to allocate the negotiated H.245 and RTP/RTCP connections.

Each UDP connection with a packet going through H.323 inspection is marked as an H.323 connection and times out with the H.323 timeout as configured by the administrator using the timeout command. To clear all previous fixup protocol h323 commands and reset port 1720 as the default, use the clear fixup protocol h323 command.

Attack Guards

Hackers use several methods to cause network service disruption. Denial of service (DoS) is a popular way of causing network disruption. The Cisco PIX Firewall has some attack mitigation features to combat some of the following attacks:


Domain Name System (DNS) attacks

SMTP-based attacks

SYN flooding

Authentication and authorization attacks

Fragmentation Guard and Virtual Reassembly

Breaking a single IP datagram into two or more smaller IP datagrams is called IP fragmentation. Fragmentation-based DoS attacks overwhelm the host with fragmented IP datagrams. The sysopt security fragguard command enables the IP fragmentation guard feature on the PIX. This feature cannot be selectively enabled or disabled at the interface.

318 Chapter 15: Attack Guards and Multimedia Support

The sysopt security fragguard command is disabled by default. To enable the IP fragmentation guard on the PIX, enter the following:

sysopt security fragguard

The fragguard feature enforces the checks recommended by RFC 1858, with two additional security checks protecting against many IP fragment-style attacks, such as teardrop:

The checks ensure that each noninitial IP fragment has an associated valid initial IP fragment.

IP fragments of more than 12 elements cannot pass through the PIX. IP fragments are rate-limited to 100 fully fragmented packets per second to each internal host. This means that the PIX can process 1200 packet fragments a second.
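The following is an added example, not code from the book or from Cisco: a small Python model of the fragguard checks just listed (the two RFC 1858 checks, the initial-fragment requirement, the 12-fragment ceiling and the 100-datagrams-per-second per-host rate limit), plus the teardrop-style overlap check that virtual reassembly logs. The Fragment record, the verdict strings and the RFC 1858 minimum first-fragment length TMIN are assumptions of this model; the thresholds 12 and 100 come from the text.

```python
from collections import defaultdict
from dataclasses import dataclass

# Thresholds taken from the text; the surrounding structure is a constructed model.
MAX_FRAGMENTS_PER_DATAGRAM = 12    # "IP fragments of more than 12 elements cannot pass"
MAX_FRAG_DATAGRAMS_PER_SEC = 100   # per internal host
TCP = 6
TMIN = 16   # RFC 1858 minimum transport length of a first TCP fragment (assumed value)


@dataclass
class Fragment:
    src: str
    dst: str      # internal host the fragment is addressed to
    ident: int    # IP identification field shared by all fragments of one datagram
    proto: int
    offset: int   # fragment offset in 8-byte units, as carried in the IP header
    length: int   # payload bytes carried by this fragment
    more: bool    # MF flag
    ts: float     # arrival time in seconds


class FragGuard:
    def __init__(self):
        self.seen = defaultdict(list)   # (src, dst, ident) -> fragments accepted so far
        self.rate = defaultdict(list)   # dst host -> arrival times of completed fragmented datagrams

    def check(self, f: Fragment) -> str:
        if f.offset == 0 and not f.more:
            return "permit"   # not fragmented at all; nothing for fragguard to do
        # RFC 1858 tiny-fragment check: a first TCP fragment must carry the whole TCP header
        if f.offset == 0 and f.proto == TCP and f.length < TMIN:
            return "deny: tiny first fragment (RFC 1858)"
        # RFC 1858 overlap check: offset 1 on TCP lands inside the first fragment's TCP header
        if f.offset == 1 and f.proto == TCP:
            return "deny: fragment offset 1 (RFC 1858 overlap)"
        key = (f.src, f.dst, f.ident)
        frags = self.seen[key]
        # PIX check: every non-initial fragment needs a valid initial fragment already seen
        if f.offset > 0 and not any(p.offset == 0 for p in frags):
            return "deny: non-initial fragment without initial fragment"
        # teardrop-style overlap: the new fragment covers bytes an earlier fragment already covered
        start, end = f.offset * 8, f.offset * 8 + f.length
        for p in frags:
            if start < p.offset * 8 + p.length and p.offset * 8 < end:
                return "deny: overlapping fragment (teardrop)"
        frags.append(f)
        if len(frags) > MAX_FRAGMENTS_PER_DATAGRAM:
            del self.seen[key]
            return "deny: more than 12 fragments in one datagram"
        if not f.more:
            # last fragment: the datagram is complete, so charge it to the host's per-second budget
            del self.seen[key]
            stamps = [t for t in self.rate[f.dst] if f.ts - t < 1.0]
            stamps.append(f.ts)
            self.rate[f.dst] = stamps
            if len(stamps) > MAX_FRAG_DATAGRAMS_PER_SEC:
                return "deny: more than 100 fragmented packets per second to host"
        return "permit"


if __name__ == "__main__":
    # constructed sample: a clean two-fragment datagram, then a teardrop-style overlap
    g = FragGuard()
    print(g.check(Fragment("10.0.0.5", "192.168.1.10", 1, TCP, 0, 32, True, 0.0)))
    print(g.check(Fragment("10.0.0.5", "192.168.1.10", 1, TCP, 4, 20, False, 0.0)))
    print(g.check(Fragment("10.0.0.5", "192.168.1.10", 4, TCP, 0, 36, True, 0.0)))
    print(g.check(Fragment("10.0.0.5", "192.168.1.10", 4, TCP, 3, 20, False, 0.0)))
```

The model requires the initial fragment to arrive first, which is also how the PIX check is described; a real stack tolerates reordering, so a production implementation would buffer instead of denying outright.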

Virtual reassembly is enabled by default. This feature uses syslog to log any fragment overlapping and small fragment offset anomalies. Here is an example of such a message:

%PIX-2-106020: Deny IP teardrop fragment (size=num, offset=num) from IP_addr to


Domain Name System (DNS) Guard

To understand the DNS attack protection provided by the Cisco PIX Firewall, it helps to understand how DNS can be exploited to cause a DoS attack. DNS queries are sent from the attacker to each of the DNS servers. These queries contain the target’s spoofed address. The DNS servers respond to the small query with a large response. These responses are routed to the target, causing link congestion and possible denial of Internet connectivity.

The port assignment for DNS cannot be configured on the Cisco PIX Firewall. DNS requires application inspection so that DNS queries will not be subject to generic UDP handling based on activity timeouts. The PIX allows only a single DNS response for outgoing DNS requests. The UDP connections associated with DNS queries and responses are torn down as soon as a reply to a DNS query is received, dropping all other responses and averting a DoS attack. This functionality is called DNS Guard. DNS Guard is enabled by default.

DNS inspection performs two tasks:

It monitors the message exchange to ensure that the DNS reply’s ID matches the DNS query’s ID.

It translates the DNS A-record on behalf of the alias command.

Only forward lookups are translated via NAT, so pointer (PTR) records are not touched. Alarms can also be set off in the Intrusion Detection System (IDS) module for DNS zone transfers.
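As an added example (not code from the book or from Cisco), the following Python model shows the two DNS Guard behaviours described above: the reply's transaction ID must match the outstanding query's ID, and the UDP connection is torn down after the first valid reply so that any further responses are dropped. The build_dns_message helper only constructs minimal sample messages for the demonstration; keying the connection on client and server address strings, and the verdict strings, are assumptions of this model.

```python
import struct


def build_dns_message(txid: int, name: str, response: bool) -> bytes:
    """Build a minimal DNS message (constructed sample input, not a full encoder)."""
    flags = 0x8180 if response else 0x0100
    header = struct.pack("!HHHHHH", txid, flags, 1, 1 if response else 0, 0, 0)
    qname = b"".join(bytes([len(label)]) + label.encode() for label in name.split(".")) + b"\x00"
    question = qname + struct.pack("!HH", 1, 1)   # type A, class IN
    return header + question


class DnsGuard:
    """Constructed model of DNS Guard: one reply per query, and the reply ID must match the query ID."""

    def __init__(self):
        self.pending = {}   # (client, server) -> transaction ID of the outstanding query

    def outbound_query(self, client: str, server: str, payload: bytes) -> str:
        txid = struct.unpack("!H", payload[:2])[0]   # DNS transaction ID is the first 16 bits
        self.pending[(client, server)] = txid
        return "permit"

    def inbound_reply(self, client: str, server: str, payload: bytes) -> str:
        key = (client, server)
        if key not in self.pending:
            # the UDP connection was torn down after the first reply, so later replies are dropped
            return "drop: no outstanding query for this connection"
        txid = struct.unpack("!H", payload[:2])[0]
        if txid != self.pending[key]:
            return "drop: reply ID does not match query ID"
        del self.pending[key]   # first valid reply: tear the connection down immediately
        return "permit"


if __name__ == "__main__":
    # constructed exchange: one query, a mismatched reply, the real reply, then a duplicate
    guard = DnsGuard()
    client, server = "10.1.1.5:4321", "198.51.100.53:53"
    print(guard.outbound_query(client, server, build_dns_message(0x1234, "www.example.com", False)))
    print(guard.inbound_reply(client, server, build_dns_message(0x9999, "www.example.com", True)))
    print(guard.inbound_reply(client, server, build_dns_message(0x1234, "www.example.com", True)))
    print(guard.inbound_reply(client, server, build_dns_message(0x1234, "www.example.com", True)))
```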


A pointer record is also called a reverse record. A PTR record associates an IP address with a canonical name.




Cisco PIX Firewall version 6.2 introduces full support for NAT and PAT of DNS messages originating from either inside (more-secure) or outside (less-secure) interfaces. This means that if a client on an inside network requests DNS resolution of an inside address from a DNS server on an outside interface, the DNS A-record is translated correctly. This also means that the use of the alias command is now unnecessary.

Mail Guard

An SMTP server responds to client requests with numeric reply codes and optional human-readable strings. SMTP application inspection controls and reduces the commands that the user can use, as well as the messages the server returns. SMTP inspection performs three primary tasks:

SMTP requests are restricted to seven commands—HELO, MAIL, RCPT, DATA, RSET, NOOP, and QUIT.

It monitors the SMTP command-response sequence.

It generates an audit trail—audit record 108002—when an invalid character embedded in the mail address is replaced. For more information, see RFC 821.

By default, the Cisco PIX Firewall inspects port 25 connections for SMTP traffic. SMTP inspection monitors the command-response sequence for the following anomalous signatures:

Truncated commands.

Incorrect command termination (those not terminated with <CR><LF>).

The MAIL and RCPT commands specify the mail’s sender and recipient. Mail addresses are scanned for strange characters. The pipe character (|) is deleted (changed to a blank space), and < and > are allowed only if they are used to define a mail address (> must be preceded by <).

An unexpected transition by the SMTP server.

For unknown commands, the PIX changes all the characters in the packet to X. In this case, the server generates an error code to the client. Because of the change in the packet, the TCP checksum has to be recalculated or adjusted.

The fixup command is used to change the default port assignment for SMTP. The command syntax is as follows:

fixup protocol smtp [port[-port]]

The fixup protocol smtp command enables the Mail Guard feature. This restricts mail servers to receiving only the seven commands defined in RFC 821, section 4.5.1 (HELO, MAIL, RCPT, DATA, RSET, NOOP, and QUIT). All other commands are rejected.

The strict implementation of RFC 821, section 4.5.1 sometimes causes problems for mail servers that do not adhere to the standard. For example, Microsoft Exchange Server does not strictly comply with RFC 821 section 4.5.1, using extended SMTP commands such as EHLO. The Cisco PIX Firewall converts any such commands into NOOP commands, which, as specified by the RFC, forces SMTP servers to fall back to using minimal SMTP commands only. This might cause Microsoft Outlook clients and Exchange servers to function unpredictably when their connection passes through the PIX.

Mail Guard, however, is not the magic bullet for all mail server-related attacks. It protects your mail server only from known attacks.
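The following is an added example, not code from the book or from Cisco. It models the Mail Guard command checks described in this section in Python: only the seven RFC 821 commands pass unchanged, the mail address in MAIL and RCPT is sanitized (the pipe becomes a blank, and a > is kept only when a < precedes it), the EHLO greeting is converted to NOOP, unknown commands are overwritten with X, and badly terminated or truncated commands are denied. Replacing a stray > with a blank and padding NOOP to the original command length are assumptions of this model, chosen so the TCP segment length is unchanged; treating only EHLO as the "extended" command and every other non-RFC-821 verb as unknown is also my reading of the text.

```python
# Constructed model of the Mail Guard checks described in the text; not PIX code.
ALLOWED = {"HELO", "MAIL", "RCPT", "DATA", "RSET", "NOOP", "QUIT"}   # RFC 821 section 4.5.1 minimum set
EXTENDED = {"EHLO"}   # extended greeting the text says is converted to NOOP (assumption: only EHLO)


def sanitize_address(arg: str) -> str:
    """Apply the address rules from the text: '|' becomes a blank, '>' is allowed only after a '<'.
    Replacing instead of deleting keeps the segment length unchanged (assumption of this model)."""
    out = []
    open_bracket = False
    for ch in arg:
        if ch == "|":
            out.append(" ")
        elif ch == "<":
            open_bracket = True
            out.append(ch)
        elif ch == ">":
            if open_bracket:
                open_bracket = False
                out.append(ch)
            else:
                out.append(" ")   # stray '>' not preceded by '<'
        else:
            out.append(ch)
    return "".join(out)


def inspect_line(line: bytes) -> tuple:
    """Return (verdict, line as it would be forwarded to the server)."""
    if not line.endswith(b"\r\n"):
        return ("deny: incorrect command termination", line)
    body = line[:-2].decode("ascii", "replace")
    if len(body) < 4:
        return ("deny: truncated command", line)
    verb, _, arg = body.partition(" ")
    verb_u = verb.upper()
    if verb_u in ALLOWED:
        if verb_u in ("MAIL", "RCPT"):
            clean = sanitize_address(arg)
            if clean != arg:
                return ("rewrite: mail address sanitized", f"{verb} {clean}".encode() + b"\r\n")
        return ("permit", line)
    if verb_u in EXTENDED:
        # converted to NOOP, padded so the TCP segment keeps its length (assumption)
        return ("rewrite: extended command converted to NOOP",
                ("NOOP" + " " * (len(body) - 4)).encode() + b"\r\n")
    # unknown command: every character replaced with X so the server answers with an error code
    return ("rewrite: unknown command replaced with X", b"X" * len(body) + b"\r\n")


if __name__ == "__main__":
    # constructed client commands as they might cross the PIX toward an inside mail server
    for cmd in (b"HELO example.com\r\n", b"MAIL FROM:<alice|cmd@example.com>\r\n",
                b"EHLO mail.example.com\r\n", b"VRFY root\r\n", b"DATA\n", b"HE\r\n"):
        print(inspect_line(cmd))
```

Because the rewrites change packet contents but not length, the only fix-up a real firewall still needs is the TCP checksum recalculation the text mentions.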

Flood Defender

The Flood Defender feature of the PIX protects inside systems from a DoS attack that floods an interface with half-open TCP (embryonic) connections, otherwise known as SYN flooding. Creating a threshold for the number of embryonic connections or limiting the number of connections to the host mitigates such attacks. When the configured embryonic limit is reached, the PIX intercepts the SYN bound for the host and responds with a SYN/ACK on the host’s behalf.

You enable this feature by setting the emb_limit (maximum embryonic connections) option or max_conn (maximum connection) option on the nat and static commands. For example:

static (inside,outside) netmask max_conn 300 emb_limit 500000

This example sets the maximum connection to host to 300 and sets the embryonic connection limit to 500,000.

If you set max_conn too low, you deny legitimate user access, creating a denial of service for yourself. There is no magic number for the max_conn and emb_limit arguments, because every network has a unique environment. The best number is a number that does not negatively affect the network. You can observe the number of connections and embryonic connections to your host, before and after implementing max_conn and emb_limit, using the show local-host host_ip command.

The static command with the maximum connection or embryonic connection mitigates inbound DoS. The nat command with the same arguments can prevent the users in your network from committing TCP SYN attacks on someone else.
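As an added example (not code from the book or from Cisco), the Python model below shows how the emb_limit and max_conn counters described in this section interact for one protected host: SYNs are forwarded until the embryonic limit is reached, after which the firewall answers SYN/ACK itself and only completes the handshake to the host once the client proves it is real by sending the final ACK; max_conn caps the total. Counting max_conn over established plus forwarded half-open connections, the method names and the verdict strings are assumptions of this model, and show_local_host is a stand-in for the counters the show local-host command displays.

```python
from collections import defaultdict


class FloodDefender:
    """Constructed model of the PIX emb_limit / max_conn behaviour for one or more protected hosts."""

    def __init__(self, max_conn: int, emb_limit: int):
        self.max_conn = max_conn
        self.emb_limit = emb_limit
        self.embryonic = defaultdict(set)    # host -> half-open flows forwarded to the host
        self.intercepted = defaultdict(set)  # host -> half-open flows the firewall answered itself
        self.established = defaultdict(set)  # host -> completed connections

    def syn(self, host: str, client: str, sport: int) -> str:
        flow = (client, sport)
        # max_conn counts everything the host currently holds (assumption of this model)
        if len(self.established[host]) + len(self.embryonic[host]) >= self.max_conn:
            return "drop: max_conn reached"
        if len(self.embryonic[host]) >= self.emb_limit:
            # embryonic limit reached: the firewall sends SYN/ACK on the host's behalf,
            # so a spoofed client that never answers costs the host nothing
            self.intercepted[host].add(flow)
            return "intercept: firewall answers SYN/ACK"
        self.embryonic[host].add(flow)
        return "forward"

    def ack(self, host: str, client: str, sport: int) -> str:
        flow = (client, sport)
        if flow in self.embryonic[host]:
            self.embryonic[host].remove(flow)
        elif flow in self.intercepted[host]:
            # the client completed the handshake with the firewall, which now completes it with the host
            self.intercepted[host].remove(flow)
        else:
            return "ignored: no half-open flow"
        self.established[host].add(flow)
        return "established"

    def show_local_host(self, host: str) -> dict:
        """Counters in the spirit of the show local-host output the text refers to."""
        return {"conn": len(self.established[host]),
                "embryonic": len(self.embryonic[host]),
                "intercepted": len(self.intercepted[host])}


if __name__ == "__main__":
    # constructed scenario: small limits so the thresholds are reached quickly
    fd = FloodDefender(max_conn=3, emb_limit=2)
    host = "192.168.1.25"
    for client, port in (("a", 1), ("b", 2), ("c", 3)):
        print(client, fd.syn(host, client, port))
    print("a", fd.ack(host, "a", 1))
    print(fd.show_local_host(host))
```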

AAA Floodguard

The Cisco PIX Firewall has a Floodguard feature that helps it monitor and recover resources tied up in the user authentication (auth) subsystem. As with DNS, the authentication service can be maliciously exploited to create a DoS attack. Authentication attacks are done on the premise that each authentication request has to be processed. Sending an enormous number of authentication requests bogs down the target’s finite resources, forcing a shutdown in the worst case.