PIX Firewall’s Intrusion Detection Feature 321

When the Cisco PIX Firewall is inundated with authentication requests, it displays messages indicating that it is out of resources or out of TCP users. TCP user resources in different states are reclaimed depending on urgency in the following order:

1Timewait

2Finwait

3Embryonic

4Idle

The Floodguard is enabled by default. It can be disabled using the floodguard disable command.

PIX Firewall’s Intrusion Detection Feature

The Cisco PIX Firewall includes an IP-only intrusion detection feature. It provides visibility at network perimeters or for locations where additional security between network segments is required.

The PIX’s IDS identifies 53 common attacks using signatures to detect patterns of misuse in network traffic. Traffic passing through the PIX can be identified to be audited, logged, and/or dropped.

After it’s configured, the IDS feature watches packets and sessions as they flow through the firewall, scanning each for a match with any of the IDS signatures. When suspicious activity is detected, PIX responds immediately and can be configured to

1Send an alarm to a syslog server

2Drop the packet

3Reset the Transmission Control Protocol (TCP) connection

The Cisco PIX Firewall supports both inbound and outbound auditing. Auditing is performed by looking at the IP packets as they arrive at an input interface. If a packet triggers a signature and the configured action does not drop the packet, the same packet can trigger other signatures. The IDS feature allows a signature to be acted upon differently depending on the interface on which it was detected. It also allows signatures to be individually disabled if reoccurring false positives are detected.

322 Chapter 15: Attack Guards and Multimedia Support

Intrusion Detection Configuration

An audit policy (audit rule) defines the attributes of all signatures that can be applied to an interface, along with a set of actions. Using an audit policy can limit the traffic that is audited or specify actions to be taken when the signature matches. Each audit policy is identified by a name and can be defined for informational or attack signatures. Each interface can have two policies—one for informational signatures and one for attack signatures. If a policy is defined without actions, the configured default actions take effect. Each policy requires a different name.

The ip audit command enables the IDS feature on the Cisco PIX Firewall. The ip audit command can be used to create a global audit policy or a per-interface policy.

The global audit policy specifies the default actions to be taken when an attack or informational signature is matched. The global audit policy is enabled by

ip audit attack ip audit info

In all the ip audit commands, the action can be any combination of alarm, drop, and reset. If nothing is configured, the default action is alarm. The alarm option indicates that when a signature match is detected in a packet, the PIX reports the event to all configured syslog servers. The drop option drops the offending packet. The reset option drops the offending packet and closes the connection if it is part of an active connection.

The syntax of the ip audit attack command is

ip audit attack [[action [alarm] [drop] [reset]]

The syntax of the ip audit info command is

ip audit info [[action [alarm] [drop] [reset]]

Table 15-1 describes the complete command parameters for the ip audit command.

Table 15-1 ip audit Command Parameters

PIX Firewall’s Intrusion Detection Feature 323

Table 15-1 ip audit Command Parameters (Continued)

The following example shows the creation and application of policy1 and policy2 on the outside and inside interface:

ip audit name policy1_pol info

ip audit name attack_policy2 attack action alarm drop reset ip audit interface outside policy1_pol

ip audit interface inside policy2_pol

Table 15-2 describes the show commands used to verify the IP audit configuration.

Table 15-2 show Commands to Verify IP Audit Configuration

show ip audit name [name [info All audit policies or specific policies referenced by name

The Cisco PIX Firewall IDS feature does not cover the entire intrusion detection signature that is available to a Cisco IDS unit.

Dynamic Shunning

The dynamic shunning feature allows a Cisco PIX Firewall, when combined with a Cisco IDS 3.0 sensor that is configured appropriately, to dynamically respond to an attacking host by preventing new connections and disallowing packets from any existing connection. Just like a router, the IDS unit tells the PIX to stop any new connections and to time out existing connections with the sources of traffic that are determined to be malicious. The shun command applies a blocking function to the interface receiving the attack for a user-defined period of time. Packets containing the IP source address of the attacking host are dropped and are logged until the blocking function is removed by the Cisco Secure IDS master unit.

324 Chapter 15: Attack Guards and Multimedia Support

In the following example, the offending host (10.10.10.14) makes a connection with the victim (10.25.25.32) with TCP. The connection in the PIX connection table reads

10.10.10.14, 555-> 10.25.25.32, 666 PROT TCP

Applying the following shun command:

shun 10.1.1.27 10.2.2.89 555 666 tcp

deletes the connection from the PIX Firewall connection table and also prevents packets from 10.1.1.27 from going through the PIX. The offending host can be inside or outside the PIX.

The application of the blocking function of the shun command does not require the specified host to be in active connection. Because the shun command is used to block attacks dynamically, it is not displayed in your PIX configuration. Shun statistics are available via show commands, syslog messages, and PIX Device Manager (PDM) monitoring.

Although the idea of dynamic shunning seems be an innovative way of dealing with offending hosts, it sometimes produces false positives that might cause a denial of service to legitimate users. This feature is available only on PIX Firewall version 6.0(2) and later.

ip verify reverse-path Command

The ip verify reverse-path command is a security feature that does a route lookup based on the source address. Usually, the route lookup is based on the destination address. This is why it is called reverse path forwarding. With this command enabled, packets are dropped if no route is found for the packet or the route found does not match the interface on which the packet arrived. This command is disabled by default and provides Unicast Reverse Path Forwarding (Unicast RPF) functionality for the PIX.

The ip verify reverse-path command provides both ingress and egress filtering. Ingress filtering checks inbound packets for IP source address integrity and is limited to addresses for networks in the enforcing entity’s local routing table. If the incoming packet does not have a source address represented by a route, it is impossible to know whether the packet has arrived on the best possible path back to its origin. This is often the case when routing entities cannot maintain routes for every network.

Egress filtering verifies that packets destined for hosts outside the managed domain have IP source addresses that can be verified by routes in the enforcing entity’s local routing table. If an exiting packet does not arrive on the best return path back to the originator, the packet is dropped, and the activity is logged. Egress filtering prevents internal users from launching attacks using IP source addresses outside the local domain, because most attacks use IP spoofing to hide the identity of the attacking host. Egress filtering makes the task of tracing an attack’s origin much easier. When employed, egress filtering enforces what IP source addresses are obtained from a valid pool of network addresses. Addresses are kept local to the enforcing entity and therefore are easily traceable.

ip verify reverse-path Command 325

Unicast RPF is implemented as follows:

•ICMP packets have no session, so each packet is checked.

•UDP and TCP have sessions, so the initial packet requires a reverse route lookup. Subsequent packets arriving during the session are checked using an existing state maintained as part of the session. Noninitial packets are checked to ensure that they arrived on the same interface used by the initial packet.

NOTE Before using this command, add static route command statements for every network that can be accessed on the interfaces you want to protect. Enable this command only if routing is fully specified. Otherwise, the Cisco PIX Firewall stops traffic on the interface you specify if routing is not in place.

The following example protects traffic between the inside and outside interfaces and provides route command statements for two networks, 10.1.2.0 and 10.1.3.0, that connect to the inside interface via a hub:

ip address inside 10.1.1.1 255.255.0.0 route inside 10.1.2.0 255.255.0.0 10.1.1.1 1 route inside 10.1.3.0 255.255.0.0 10.1.1.1 1 ip verify reverse-path interface outside

ip verify reverse-path interface inside

The ip verify reverse-path interface outside command protects the outside interface from network ingress attacks from the Internet, whereas the ip verify reverse-path interface inside command protects the inside interface from network egress attacks from users on the internal network.

The clear ip verify command removes ip verify commands from the configuration. Unicast RPF is a unidirectional input function that screens inbound packets arriving on an interface. Outbound packets are not screened.

Because of the danger of IP spoofing in the IP protocol, measures need to be taken to reduce this risk when possible. Unicast RPF, or reverse route lookup, prevents such manipulation under certain circumstances.