328Chapter 7: Security Technologies
•Overloading—A form of dynamic NAT that maps multiple, unregistered IP addresses to a single registered IP address by using different ports.
•Overlapping—When the IP addresses used on your internal network are registered IP addresses in use on another network, the router must maintain a lookup table of these addresses so that it can intercept them and replace them with registered unique IP addresses.
For more quality examples on NAT, visit the following URL:
•www.cisco.com/warp/customer/556/index.shtml
•www.cisco.com/warp/customer/707/overload_private.shtml demonstrates when you can NAT over an IPSec tunnel. The following URLs give examples of when you can use NAT over an IPSec tunnel:
www.cisco.com/warp/public/556/index.shtml www.cisco.com/warp/public/707/overload_private.shtml
NOTE |
TCP load distribution is typically used in large IP networks that have server farms. You might |
|
want to distribute the network load across many servers but advise users to use only one IP |
|
address to target. TCP load distribution ensures that all servers are equally loaded. |
|
|
Cisco Private Internet Exchange (PIX)
Cisco Private Internet Exchange (PIX) and Cisco IOS feature sets are designed to further enhance a network’s security. The Private Internet Exchange (PIX) Firewall prevents unauthorized connections between two or more networks. The latest versions of Cisco code for the PIX Firewall also perform many advanced security features, such as AAA services, access lists, VPN Configuration (IPSec), FTP logging, and Cisco IOS-like interface commands. In addition, the PIX Firewall can support multiple outside or perimeter networks in the DMZs.
NOTE When reading Cisco documentation about PIX Firewalls, realize that inside networks and outside networks both refer to networks to which the PIX is connected.
For example, inside networks are protected by the PIX, but outside networks are considered the “bad guys.” Consider them as trusted and untrusted, respectively.
A PIX Firewall permits a connection-based security policy. For example, you might allow Telnet sessions from inside your network to be initiated from within your network but not allow them to be initiated into your network from outside your network.
Cisco Private Internet Exchange (PIX) 329
The PIX Firewall’s popularity stems from the fact that it is solely dedicated to security. A router is still required to connect to WANs, such as the Internet. Some companies use PIX Firewalls for internal use only where they might have sensitive networks, such as a payroll or human resources department.
Figure 7-3 shows a typical network scenario where a PIX Firewall is implemented between an inside network and an outside network.
Figure 7-3 PIX Location
Cisco IOS Feature
Set Enabled Router
|
|
|
Internet |
Outbound |
|
No Direct |
|
Connections |
PIX |
Inbound |
|
OK |
Connections |
|
|
Firewall |
|
||
Router |
|
Internet Attached |
|
|
|
||
|
|
|
Router |
Inside |
|
Outside |
|
|
Perimeter |
|
|
Protected Servers |
|
|
|
Server 1 |
|
|
|
Protected Clients |
|
|
Internet Accessible |
|
|
Server 2 |
Server |
BASTION Hosts
Although optional, it is recommended that you install the Cisco IOS Firewall software on the router directly connected to the Internet. The Cisco IOS Firewall feature is discussed later in this chapter.
Each connection through a PIX Firewall requires memory. You can support up to 32,768 connections with 16 MB of RAM installed on a PIX; 32 MB of memory can support up to 65,536 connections and support up to 260,000 connections with 128 MB.
330 Chapter 7: Security Technologies
NOTE Demilitarized zones (DMZs) usually exist as part of a network that the Internet community or general public can access, such as a Web, FTP, or SMTP servers. For example, FTP servers allow external users access to public files, such as Cisco IOS Software, which are available online at ftp.cisco.com. Your remaining servers are protected by the firewall.
The PIX Firewall logic is engineered around the Adaptive Security Algorithm (ASA). Every inbound packet is checked against the ASA and against connection state information in memory. This stateful approach to security is regarded in the industry as being far more secure than a stateless packet-screening approach.
Examples of the stateful approach to security include the following:
•No packets can traverse the PIX Firewall without a connection and state.
•Outbound connections or states are allowed, except those specifically denied by access control lists. An outbound connection is one where the originator, or client, is on a higher security interface than the receiver, or server. The highest security interface is always the inside interface (value 100), and the lowest is the outside interface (value 0). Any perimeter interfaces can have security levels between the inside and outside values (for example, 50).
•Inbound connections or states are denied, except those specifically allowed. An inbound connection or state is one where the originator, or client, is on a lower security interface/ network than the receiver, or server. You can apply multiple exceptions to a single xlate (translation). This lets you permit access from an arbitrary machine, network, or any host on the Internet to the host defined by the xlate.
•All Internet Control Message Protocol (ICMP) packets are denied unless specifically permitted.
•All attempts to circumvent the previous rules are dropped and a message is sent to syslog.
When an outbound packet arrives at a PIX Firewall higher-security-level interface (security levels can be viewed with the show nameif command; by default, the outside interface has a security level set to 100, or untrusted, and the inside interface is set to 0, or trusted), the PIX Firewall checks to see if the packet is valid based on the ASA, and whether or not previous packets have come from that host. If not, the packet is for a new connection, and the PIX Firewall creates a translation slot in its state table for the connection. The information that the PIX Firewall stores in the translation slot includes the inside IP address and a globally unique IP address assigned by NAT, PAT, or Identity (which uses the inside address as the outside address). The PIX Firewall then changes the packet’s source IP address to the globally unique address, modifies the checksum and other fields as required, and forwards the packet to the lower-security- level interface.
When an inbound packet arrives at an external interface such as the outside interface, it must first pass the PIX Firewall Adaptive Security criteria. If the packet passes the security tests, the PIX Firewall removes the destination IP address, and the internal IP address is inserted in its place. The packet is forwarded to the protected interface.
Cisco Private Internet Exchange (PIX) 331
NOTE |
The PIX Firewall supports NAT, which provides a globally unique address for each inside host, |
|
|
and PAT, which shares a single globally unique address for up to 64 K, simultaneously |
|
|
accessing inside hosts. The following is a list of current models that Cisco supports: |
|
|
• |
PIX 501 |
|
• |
PIX 506/506E |
|
• |
PIX 515/515E |
|
• |
PIX 520 |
|
• |
PIX 525 |
|
• |
PIX 535 |
For a full feature list of the PIX, visit the following:
www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_v51/config/intro.htm#xtocid0
Figure 7-4 displays the PIX 520, which is used in the current CCIE Security lab exam. PIX Firewall devices are based on the Intel Pentium process, which is basically a PC with Ciscoinstalled PIX software.
Figure 7-4 Cisco PIX 520
Rear View
Power
Switch
Standard 1.44 MB
Floppy Drive
Front View
Interfaces are located here. Examples: Inside/outside perimeter/DMZ
332 Chapter 7: Security Technologies
Configuring a PIX
Take a look at configuring the PIX software and the six basic commands used to configure a PIX Firewall.
Figure 7-5 Typical PIX Logical Setup
Internet
|
|
Perimeter |
|||||
|
|
Router |
|||||
|
|
|
|
|
|
E0 |
|
131.108.1.2/24 |
|
|
|
|
|
|
DMZ |
|
|
|
|
|
|
||
|
|
|
|
|
|
||
|
|
|
|
|
|
|
|
PIX Interfaces E0 |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
Outside (Security Level 0) |
E0 |
|
PIX Firewall |
||||
|
|||||||
131.108.1.1/24 |
|
|
|
|
|
|
|
E1 
PIX Interfaces E1 Inside (Security Level 100)
201.201.201.1 255.255.255.0
Figure 7-5 displays a typical DMZ and perimeter network between the inside (protected) and outside (public) networks.
PIX Firewall Configuration Task List
The following steps show you how the PIX software is configured for the scenario in Figure 7-5:
Step 1 Name the inside and outside interfaces.
Step 2 Name interfaces and assign the security levels. (Configuration mode):
nameif hardware_id if_name security_level
The nameif command lets you assign a name to an interface.You can use this command to assign interface names if you have more than two network interface circuit boards in your PIX Firewall. The first two interfaces have the default names inside and outside. The inside interface has default security level 100, and the outside interface has default security level 0.
|
|
Cisco Private Internet Exchange (PIX) 333 |
|
|
|
|
Table 7-3 describes the PIX command nameif as documented on the Cisco |
|
|
documentation CD. |
|
Table 7-3 |
nameif Command and Required Fields |
|
|
|
|
|
Syntax |
Description |
|
|
|
|
hardware_id |
The hardware name for the network interface that specifies the interface’s slot |
|
|
location on the PIX Firewall motherboard. Interface boards are numbered from the |
|
|
leftmost slot nearest the power supply as slot 0. The internal network interface |
|
|
must be in slot 1. The lowest security_level external interface board is in slot 0, |
|
|
and the next lowest security_level external interface board is in slot 2. |
|
|
Possible choices are Ethernet for Ethernet or Token-ring for Token Ring. |
|
|
The internal interface is ethernet1. These names can be abbreviated with any |
|
|
leading characters in the name; for example, ether1, e2, token0, or t0. |
|
|
|
|
if_name |
A name for the internal or external network interface of up to 48 characters in |
|
|
length. This name can be uppercase or lowercase. By default, the PIX Firewall |
|
|
names the inside interface inside, the outside interface outside, and any perimeter |
|
|
interface intfn, where n is 2 through 5. |
|
|
|
|
security_level |
Either 0 for the outside network or 100 for the inside network. Perimeter interfaces |
|
|
can use any number between 1 and 99. By default, the PIX Firewall sets the |
|
|
security level for the inside interface to security100, and the outside interface to |
|
|
security0. The first perimeter interface is initially set to security10, the second |
|
|
to security15, the third to security20, and the fourth perimeter interface to |
|
|
security25 (a total of 6 interfaces are permitted, with a total of 4 perimeter |
|
|
interfaces permitted). |
|
|
|
Step 3 Identify the hardware interfaces, speed, and duplex type installed with the following interface command:
interface hardware_id [hardware_speed] [shutdown]
In Figure 7-5, the following commands are configured:
interface ethernet0 10full interface ethernet1 10full
Table 7-4 defines and describes the options for the interface command, as documented on the Cisco documentation CD.
336 Chapter 7: Security Technologies
Table 7-6 |
nat Command Options (Continued) |
|
|
|
|
|
Option |
Description |
|
|
|
|
max_conns |
The maximum TCP connections permitted from the interface you specify. |
|
|
|
|
em_limit |
The embryonic connection limit. The default is 0, which means unlimited |
|
|
connections. Set it lower for slower systems and higher for faster systems. |
|
|
|
|
Norandomseq |
Do not randomize the TCP packet’s sequence number. Only use this option if |
|
|
another inline firewall is also randomizing sequence numbers and the result is |
|
|
scrambling the data. Use of this option opens a security hole in the PIX Firewall. |
|
|
|
Step 6 Define the global pool.
The global command defines a pool of global addresses. The global addresses in the pool provide an IP address for each outbound connection, and for those inbound connections resulting from outbound connections.
If the nat command is used, you must also use the global command. Basically, when an outbound IP packet is sent from the inside network, the PIX will extract the source address and compare that address to the list of current NAT translations. If there is no entry, a new entry is created. If a NAT translation entry already exists, the packet is forwarded.
The PIX syntax for the global command is defined as follows:
global [if_name] nat_id global_ip [-global_ip] [netmask global_mask]
In Figure 7-5, the pool of address is defined as follows:
global (outside) 1 192.192.1.2-192.192.1.30 netmask 255.255.255.224
The pool of addresses is typically assigned to you by the InterNIC or your ISP.
Table 7-7 defines the options of the global command, as documented on the
Cisco documentation CD.
Table 7-7 global Command Options
Option |
Description |
|
|
if_name |
The external network where you use these global addresses. |
|
|
nat_id |
A positive number shared with the nat command that groups the nat and global |
|
command statements together. The valid ID numbers can be any positive number |
|
up to 2,147,483,647. |
|
|
global_ip |
One or more global IP addresses that the PIX Firewall shares among its |
|
connections. |
|
If the external network is connected to the Internet, each global IP address must be |
|
registered with the Network Information Center (NIC). You can specify a range of |
|
IP addresses by separating the addresses with a dash (-). |
|
|
338 Chapter 7: Security Technologies
Ethernet switch, is that you can view the full working and default configuration, unlike Cisco IOS routers where the default configuration is not displayed.
Example 7-4 PIX Full Working Configuration
pix# write terminal
nameif ethernet0 outside security0 nameif ethernet1 inside security100
hostname pixfirewall fixup protocol ftp 21 fixup protocol http 80 fixup protocol smtp 25 fixup protocol h323 1720 fixup protocol rsh 514
fixup protocol sqlnet 1521 names
name 1.1.1.1 abcd
name 1.1.1.2 a123456789
name 1.1.1.3 a123456789123456 pager lines 24
logging timestamp no logging standby
logging console debugging no logging monitor logging buffered debugging no logging trap
logging facility 20 logging queue 512 interface ethernet0 10full interface ethernet1 10full mtu outside 1500
mtu inside 1500
ip address inside 201.201.201.1 255.255.255.0 ip address outside 131.108.1.1 255.255.255.0
no failover
failover timeout 0:00:00
failover ip address outside 0.0.0.0 failover ip address inside 0.0.0.0 arp timeout 14400
global (outside) 1 192.192.1.2-192.192.1.30 netmask 255.255.255.0 nat (inside) 1 0.0.0.0 0.0.0.0
no rip outside passive no rip outside default no rip inside passive no rip inside default
route outside 0.0.0.0 0.0.0.0 131.108.1.2 1
timeout xlate 3:00:00 conn 1:00:00 half-closed 0:10:00 udp 0:02:00 timeout rpc 0:10:00 h323 0:05:00
timeout uauth 0:00:00 absolute no snmp-server location
340 Chapter 7: Security Technologies
Table 7-9 route Command Options (Continued)
Option |
Description |
|
|
max_conns |
The maximum number of connections permitted through the static connection at |
|
the same time. |
|
|
em_limit |
The embryonic connection limit. An embryonic connection is one that has started |
|
but not yet completed. Set this limit to prevent attack by a flood of embryonic |
|
connections. The default is 0, which means unlimited connections. |
|
|
norandomseq |
Do not randomize the TCP/IP packet’s sequence number. Use only this option if |
|
another inline firewall is also randomizing sequence numbers and the result is |
|
scrambling the data. Use of this option opens a security hole in the PIX Firewall. |
|
|
An example of the command is as follows:
static (inside,outside) 192.192.1.33 201.201.201.10
The static command should be used in conjunction with either conduit or access-list.
A conduit command statement creates an exception to the PIX Firewall Adaptive Security mechanism by permitting connections from one firewall network interface to access hosts on another.
The clear conduit command removes all conduit command statements from your configuration.
The command syntax is defined as follows:
conduit {permit | deny} protocol global_ip global_mask [operator port [port]] foreign_ip foreign_mask [operator port [port]]
Table 7-10 displays the options and command syntax for the conduit command, as documented on the Cisco documentation CD.
Table 7-10 conduit Command Options
Option |
Description |
|
|
permit |
Permits access if the conditions are matched. |
|
|
deny |
Denies access if the conditions are matched. |
|
|
protocol |
Specifies the transport protocol for the connection. Possible literal values are |
|
icmp, tcp, udp, or an integer in the range 0 through 255, representing an IP |
|
protocol number. Use ip to specify all transport protocols. |
|
|
global_ip |
A global IP address previously defined by a global or static command. You can use |
|
any if the global_ip and global_mask are 0.0.0.0 0.0.0.0. The any option applies |
|
the permit or deny parameters to the global addresses. |
|
|
|
|
Cisco Private Internet Exchange (PIX) 341 |
|
|
|
Table 7-10 conduit Command Options (Continued) |
||
|
|
|
|
Option |
Description |
|
|
|
|
global_mask |
Network mask of global_ip. The global_mask is a 32-bit, four-part dotted decimal, |
|
|
such as 255.255.255.255. Use 0s in a part to indicate bit positions to be ignored. |
|
|
Use subnetting, if required. If you use 0 for global_ip, use 0 for the global_mask; |
|
|
otherwise, enter the global_mask appropriate to global_ip. |
|
|
|
|
foreign_ip |
An external IP address (host or network) that can access the global_ip. You can |
|
|
specify 0.0.0.0 or 0 for any host. If both the foreign_ip and foreign_mask are |
|
|
0.0.0.0 0.0.0.0, you can use the shorthand any option. |
|
|
|
|
foreign_mask |
Network mask of foreign_ip. The foreign_mask is a 32-bit, four-part dotted |
|
|
decimal, such as 255.255.255.255. Use 0s in a part to indicate bit positions to be |
|
|
ignored. Use subnetting, if required. |
|
|
|
|
operator |
A comparison operand that lets you specify a port or a port range. Use without an |
|
|
operator and port to indicate all ports. For example, conduit permit tcp any any. |
|
|
By default, all ports are denied until explicitly permitted. |
|
|
|
|
port |
Service(s) you permit to be used while accessing global_ip or foreign_ip. Specify |
|
|
services by the port that handles them, such as smtp for port 25, www for port 80, |
|
|
and so on. You can specify ports by either a literal name or a number in the range |
|
|
of 0 to 65535. You can specify all ports by not specifying a port value (for |
|
|
example: conduit deny tcp any any). |
|
|
|
|
icmp_type |
The type of ICMP message. |
|
|
|
The alias command translates one address into another. The alias command is used when nonregistered addresses have been used in a private network and access is required to the registered address space in the Internet. Consider the following example: the inside network contains the IP subnet address 64.236.16.0/24. Assume this belongs to the website on www.cnn.com.
When inside clients try to access www.cnn.com, the packets do not go to the firewall because the client thinks 64.236.16.0/24 is on the local inside network. To correct this, a net alias is created as follows with the alias command:
alias (inside) 64.236.16.0 131.108.2.0 255.255.255.0
When the inside network client 64.236.16.0 connects to www.cnn.com, the DNS response from an external DNS server to the internal client’s query would be altered by the PIX Firewall to be 131.108.1.1-254/24.
342 Chapter 7: Security Technologies
Advanced Cisco PIX Commands
Table 7-11 summarizes some of the other useful features on a Cisco PIX Firewall, as documented on the Cisco Documentation CD.
Table 7-11 PIX Firewall Advanced Features
Command |
Description |
|
|
ca |
Configure the PIX Firewall to interoperate with a |
|
Certification Authority (CA). |
|
|
clear xlate |
Clears the contents of the translation slots. |
|
|
show xlate |
Displays NAT translations. The show xlate command |
|
displays the contents of only the translation slots. |
|
|
crypto dynamic-map |
Create, view, or delete a dynamic crypto map entry. |
|
|
failover [active] |
Use the failover command without an argument after you |
|
connect the optional failover cable between your primary |
|
firewall and a secondary firewall. |
|
|
fixup protocol |
The fixup protocol commands let you view, change, enable, |
|
or disable the use of a service or protocol through the PIX |
|
Firewall. |
|
|
kill |
Terminate a Telnet session. Telnet sessions to the PIX must |
|
be enabled. |
|
|
telnet ip_address [netmask] [if_name] |
Specify the internal host for PIX Firewall console access |
|
via Telnet from inside hosts only. |
|
|
Cisco PIX Firewall Software Features
A list of the current features of the Cisco PIX Firewall product follows:
•State-of-the-art Adaptive Security Algorithm (ASA) and stateful inspection firewalling.
•Cut-through proxy authenticates and authorizes connections, while enhancing performance.
•Easy-to-use web-based interface for managing PIX Firewalls remotely; the web-based interface is not a suggested practice by Cisco for medium to large networks.
•Support for up to 10 Ethernet interfaces ranging from 10-BaseT, 10/100 Fast Ethernet to Gigabit Ethernet.
•Stateful firewall failover capability with synchronized connection information and product configurations.
•True Network Address Translation (NAT), as specified in RFC 1631.
