- Using Your Sybex Electronic Book
- Acknowledgments
- Introduction
- Assessment Test
- Answers to Assessment Test
- Types of Network Security Threats
- Types of Security Weaknesses
- Technology Weaknesses
- Configuration Weaknesses
- Policy Weaknesses
- Types of Network Attacks
- Eavesdropping
- Denial-of-Service Attacks
- Unauthorized Access
- WareZ
- Masquerade Attack (IP Spoofing)
- Session Hijacking or Replaying
- Rerouting
- Repudiation
- Smurfing
- Password Attacks
- Man-in-the-Middle Attacks
- Application-Layer Attacks
- Trojan Horse Programs, Viruses, and Worms
- HTML Attacks
- The Corporate Security Policy
- Summary
- Exam Essentials
- Key Terms
- Written Lab
- Review Questions
- Answers to Written Lab
- Answers to Review Questions
- Authentication Methods
- Windows Authentication
- Security Server Authentication
- PAP and CHAP Authentication
- PPP Callback
- Configuring the NAS for AAA
- Securing Access to the Exec Mode
- Enable AAA Locally on the NAS
- Authentication Configuration on the NAS
- Authorization Configuration on the NAS
- Accounting Configuration on the NAS
- Verifying the NAS Configuration
- Troubleshooting AAA on the Cisco NAS
- Summary
- Exam Essentials
- Key Terms
- Commands Used in This Chapter
- Written Lab
- Review Questions
- Hands-On Labs
- Lab 2.1: Setting the Line Passwords
- Lab 2.2: Setting the Enable Passwords
- Lab 2.3: Encrypting your Passwords
- Lab 2.4: Creating Usernames and Logging In
- Lab 2.5: Configuring AAA Authentication on the NAS
- Answers to Written Lab
- Answers to Review Questions
- Introduction to the CiscoSecure ACS
- Using User Databases for Authentication
- Populating the User Database Population
- New ACS Features
- Installing CiscoSecure ACS 3.0
- Administering CiscoSecure ACS
- TACACS+ Overview
- Configuring TACACS+
- Using RADIUS
- CiscoSecure User Database NAS Configuration for RADIUS
- Verifying TACACS+
- Summary
- Exam Essentials
- Key Terms
- Commands Used in This Chapter
- Written Lab
- Review Questions
- Answers to Written Lab
- Answers to Review Questions
- Solving Eavesdropping and Session Replay Problems
- Fighting Rerouting Attacks
- Fighting Denial-of-Service Attacks
- Turning Off and Configuring Network Services
- Blocking SNMP Packets
- Disabling Echo
- Turning Off BOOTP and Auto-Config
- Disabling the HTTP Interface
- Disabling IP Source Routing
- Disabling Proxy ARP
- Disabling Redirect Messages
- Disabling the Generation of ICMP Unreachable Messages
- Disabling Multicast Route Caching
- Disabling the Maintenance Operation Protocol (MOP)
- Turning Off the X.25 PAD Service
- Enabling the Nagle TCP Congestion Algorithm
- Logging Every Event
- Disabling Cisco Discovery Protocol
- Disabling the Default Forwarded UDP Protocols
- Summary
- Exam Essentials
- Key Terms
- Commands Used in This Chapter
- Written Lab
- Review Questions
- Hands-On Lab
- Lab 4.1: Controlling TCP/IP Services
- Answers to Written Lab
- Answers to Review Questions
- Understanding the Cisco IOS Firewall
- Authentication Proxy and IDS
- Context-Based Access Control
- CBAC Compared to ACLs
- CBAC-Supported Protocols
- Introduction to CBAC Configuration
- Using Audit Trails and Alerts
- Configuring Global Timeouts and Thresholds
- Configuring PAM
- Defining Inspection Rules
- Applying Inspection Rules and ACLs to Router Interfaces
- Configuring IP ACLs at the Interface
- Testing and Verifying CBAC
- Summary
- Exam Essentials
- Key Terms
- Commands Used in This Chapter
- Written Lab
- Review Questions
- Hands-On Labs
- Lab 5.1: Configure Logging and Audit Trails
- Lab 5.2: Define and Apply Inspection Rules and ACLs
- Lab 5.3: Test and Verify CBAC
- Answers to Written Lab
- Answers to Review Questions
- Introduction to the Cisco IOS Firewall Authentication Proxy
- Configuring the AAA Server
- Configuring AAA
- Configuring the Authentication Proxy
- Testing and Verifying Your Configuration
- show Commands
- Clearing the Cache
- Introduction to the Cisco IOS Firewall IDS
- Initializing Cisco IOS Firewall IDS
- Configuring, Disabling, and Excluding Signatures
- Creating and Applying Audit Rules
- Setting Default Actions
- Creating an Audit Rule
- Applying the Audit Rule
- Verifying the Configuration
- Stopping the IOS Firewall IDS
- Summary
- Exam Essentials
- Key Terms
- Commands Used in This Chapter
- Written Lab
- Review Questions
- Hands-On Labs
- Lab 6.1: Enabling the IOS Firewall Authentication Proxy
- Lab 6.2: Enabling the IOS Firewall IDS
- Answers to Written Lab
- Answers to Review Questions
- What is a Virtual Private Network?
- Introduction to Cisco IOS IPSec
- IPSec Transforms
- IPSec Operation
- The Components of IPSec
- IPSec Encapsulation
- Internet Key Exchange (IKE)
- Summary
- Exam Essentials
- Key Terms
- Written Lab
- Review Questions
- Answers to Written Lab
- Answers to Review Questions
- Configuring Cisco IOS IPSec for Pre-Shared Keys Site-to-Site
- Preparing for IKE and IPSec
- Configuring IKE
- Configuring IPSec
- Testing and Verifying IPSec
- Configuring IPSec Manually
- Configuring IPSec for RSA-Encrypted Nonces
- Configuring Cisco IOS IPSec Certificate Authority Support Site-to-Site
- Configuring CA Support Tasks
- Preparing for IKE and IPSec
- Configuring CA Support
- Configuring IKE Using CA
- Configuring IPSec for CA
- Testing and Verifying IPSec for CA
- Summary
- Exam Essentials
- Key Terms
- Commands Used in This Chapter
- Written Lab
- Review Questions
- Hands-On Labs
- Lab 8.1: Configure IKE on Lab_A and Lab_B
- Lab 8.2: Configure IPSec on Lab_A and Lab_B
- Answers to Written Lab
- Answers to Review Questions
- Answers to Hands-On Labs
- Answer to Lab 8.1
- Answer to Lab 8.2
- Introduction to Cisco Easy VPN
- The Easy VPN Server
- Introduction to the Cisco VPN 3.5 Client
- Easy VPN Server Configuration Tasks
- Pre-Configuring the Cisco VPN 3.5 Client
- Summary
- Exam Essentials
- Key Terms
- Written Lab
- Review Questions
- Hands-On Lab
- Lab 9.1: Installing the Cisco VPN 3.5 Client Software on Windows
- Answers to Written Lab
- Answers to Review Questions
- Network Separation
- Three Ways through a PIX Firewall
- PIX Firewall Configuration Basics
- Configuring Interfaces
- Saving Your Configuration
- Configuring Access through the PIX Firewall
- Configuring Outbound Access
- Configuring Inbound Access
- Configuring Multiple Interfaces and AAA on the PIX Firewall
- Configuring Multiple Interfaces
- Implementing AAA on the PIX Firewall
- Configuring Advanced PIX Firewall Features
- Failover
- Outbound Access Control
- Logging
- SNMP Support
- Java Applet Blocking
- URL Filtering
- Password Recovery
- Glossary
Adaptive Security Algorithm
The Adaptive Security Algorithm (ASA) uses a “stateful” approach to connection security. ASA checks each inbound packet against connection state information stored in memory.
The ASA follows a set of rules:
- No packet can cross the firewall without a connection and state, and that connection and state must be recorded in the ASA table.
- Outbound connections (connections from a higher-security to a lower-security interface) are allowed, except those specifically denied using outbound lists.
- Inbound connections (connections from a lower-security to a higher-security interface) are denied, except those specifically allowed using conduits.
- Any packet attempting to bypass the previous rules is dropped and logged to Syslog.
- All ICMP packets are denied unless specifically permitted using the conduit permit icmp command.
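To make the ordering of these rules concrete, the following is an added example (written for this edit, not Cisco code) that models the ASA decision as a small stateful policy engine: a connection table, an outbound deny list, a conduit list, and a drop log standing in for Syslog. The interface names, security levels, addresses and packets are all constructed for illustration; the connection key is deliberately simplified to the two endpoints plus the service port so that a reply packet matches the entry created by the original request.

```python
"""Model of the PIX Adaptive Security Algorithm (ASA) rules listed above.
Constructed example, not Cisco code: interface names, security levels and
the sample packets are assumptions chosen for illustration."""
from dataclasses import dataclass, field

# Security levels as they would be assigned with nameif (assumed values).
SECURITY_LEVELS = {"inside": 100, "dmz": 50, "outside": 0}


@dataclass(frozen=True)
class Packet:
    proto: str      # "tcp", "udp" or "icmp"
    src: str
    dst: str
    in_if: str      # interface the packet arrived on
    out_if: str     # interface it would leave on
    dport: int = 0  # service port (0 for ICMP)


@dataclass
class AsaTable:
    """Connection/state table plus the configured exceptions."""
    connections: set = field(default_factory=set)
    outbound_deny: set = field(default_factory=set)  # (dst, dport) denied by outbound lists
    conduits: set = field(default_factory=set)       # (proto, dst, dport) allowed inbound
    log: list = field(default_factory=list)          # stands in for Syslog

    @staticmethod
    def key(p: Packet):
        # Direction-independent key: the reply to a recorded request matches
        # the same entry. Real ASA tracks full 5-tuples; this is a simplification.
        a, b = sorted((p.src, p.dst))
        return (p.proto, a, b, p.dport)

    def decide(self, p: Packet) -> str:
        """Return 'permit' or 'deny', applying the ASA rules in order."""
        # Rule 1: traffic belonging to a recorded connection passes.
        if self.key(p) in self.connections:
            return "permit"
        # Rule 5: ICMP is denied unless a conduit explicitly permits it.
        if p.proto == "icmp":
            if ("icmp", p.dst, 0) in self.conduits:
                self._record(p)
                return "permit"
            return self._drop(p, "icmp without conduit")
        src_lvl, dst_lvl = SECURITY_LEVELS[p.in_if], SECURITY_LEVELS[p.out_if]
        if src_lvl > dst_lvl:
            # Rule 2: outbound (higher -> lower) allowed unless an outbound list denies it.
            if (p.dst, p.dport) in self.outbound_deny:
                return self._drop(p, "denied by outbound list")
            self._record(p)
            return "permit"
        # Rule 3: inbound (lower -> higher, or same level) denied unless a conduit allows it.
        if (p.proto, p.dst, p.dport) in self.conduits:
            self._record(p)
            return "permit"
        return self._drop(p, "inbound without conduit")

    def _record(self, p: Packet) -> None:
        self.connections.add(self.key(p))

    def _drop(self, p: Packet, reason: str) -> str:
        # Rule 4: anything not permitted above is dropped and logged.
        self.log.append(f"drop {p.proto} {p.src}->{p.dst}:{p.dport} ({reason})")
        return "deny"


def demo():
    """Run a constructed packet sequence through the model; returns (decisions, log)."""
    asa = AsaTable(conduits={("tcp", "192.168.30.1", 80)},      # assumed conduit
                   outbound_deny={("203.0.113.9", 23)})         # assumed outbound list
    packets = [
        Packet("tcp", "172.16.10.45", "198.51.100.7", "inside", "outside", 443),  # outbound request
        Packet("tcp", "198.51.100.7", "172.16.10.45", "outside", "inside", 443),  # its reply
        Packet("tcp", "198.51.100.7", "172.16.10.45", "outside", "inside", 22),   # unsolicited inbound
        Packet("icmp", "198.51.100.7", "172.16.10.45", "outside", "inside"),      # inbound ICMP
        Packet("tcp", "172.16.10.45", "203.0.113.9", "inside", "outside", 23),    # outbound, denied by list
        Packet("tcp", "198.51.100.7", "192.168.30.1", "outside", "inside", 80),   # inbound via conduit
    ]
    return [asa.decide(p) for p in packets], asa.log


if __name__ == "__main__":
    decisions, log = demo()
    print(decisions)
    print("\n".join(log))
```

The reply packet in the sequence is the point worth noticing: it arrives on the lower-security interface and would be refused by rule 3, but it is accepted by rule 1 because the outbound request created the table entry first. That is what "stateful" buys you compared with a plain ACL.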
PIX Firewall Configuration Basics
Anyone familiar with configuring Cisco routers using Cisco’s IOS will be at home when configuring a PIX Firewall. The command-line interface (CLI) is similar for the two products, but as mentioned earlier, it is not exactly the same. There are a number of differences, such as the ability to enter any command while in configuration mode on the PIX Firewall. Here, you’ll start your configuration by first changing from user to enable mode, then to configuration mode:
toddfw>enable
toddfw#config t
toddfw(config)#^Z
toddfw#disable
toddfw>
First, you enter privileged mode using the enable command, and then you enter configuration mode using the config t command. Notice how the prompt changes, just as during router configuration. Then you enter ^Z (Ctrl-Z) to go back to privileged mode, after which you enter the disable command to go back to user mode (called unprivileged mode). Now, you need to set an enable password:
toddfw>enable
toddfw#config t
toddfw(config)#enable password todd
toddfw(config)#^Z
toddfw#show password
Notice that you set the password from privileged mode. Also, when you enter the show passwd command, the password is shown encrypted.
Copyright ©2003 SYBEX Inc., 1151 Marina Village Parkway, Alameda, CA 94501. |
www.sybex.com |
Appendix A Introduction to the PIX Firewall
Configuring Interfaces
Now, let’s configure some interfaces! You need to assign duplex settings, interface names, and IP addresses. Take a look at a simple firewall:
Figure: a PIX Firewall with two interfaces, Inside (172.16.10.1) and Outside (192.168.30.1).
This PIX Firewall has two interfaces: one internal and one external. The internal interface is meant to have IP address 172.16.10.1, and the external interface is to have the IP address 192.168.30.1. Here is how you configure these interfaces:
toddfw#config t
toddfw(config)#nameif ethernet0 inside sec100
toddfw(config)#nameif ethernet1 outside sec0
toddfw(config)#interface ethernet0 auto
toddfw(config)#interface ethernet1 auto
toddfw(config)#ip address inside 172.16.10.1 255.255.255.0
toddfw(config)#ip address outside 192.168.30.1 255.255.255.0
toddfw(config)#^Z
toddfw#
In this example, you use three commands to configure these interfaces: the nameif command, the interface command, and the ip address command. Let’s take a closer look at the arguments for each of these commands and how these arguments are used.
The nameif Command
The nameif command is used to give the interface a name and specify its security level. It has the following syntax:
nameif hardware_id if_name security_level
The interface name is then used throughout the configuration whenever referencing that interface.
The security_level parameter specifies the security level of the interface on a scale of 0 to 100. You use 0 for the outside network and 100 for the inside network. DMZ or perimeter networks have some number between 1 and 99. You’ll learn more about security levels in the “Configuring Access through the PIX Firewall” section later in this appendix.
The interface Command
The interface command is used to specify the speed on the interface and can be used to enable or disable the interface. It has the following syntax:
interface hardware_id hardware_speed
In the previous example, you set each Ethernet interface to auto. You can set the interface to 10-megabit half duplex using the following command:
toddfw(config)#interface ethernet0 10baset
Or you can set the interface to 100-megabit full duplex using this command:
toddfw(config)#interface ethernet0 100full
The ip address Command
The ip address command, as you might expect, is used to assign an IP address to the interface. Here is its syntax:
ip address if_name ip_address [netmask]
Unlike on a router, where you enter interface-configuration mode to set the IP address on an interface, on the PIX Firewall you specify the name you gave that interface with the nameif command. Apart from this difference, the command is similar to the router command and is straightforward.
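The three commands above are easy to get subtly wrong when an interface is added later (a nameif with no matching ip address, a security level outside the documented range, a typo in the interface name). As an added example, not Cisco code and not from this appendix, the following Python parses nameif, interface and ip address lines using the syntaxes given above and reports the inconsistencies a reviewer would look for. The sample configuration is constructed: the inside/outside lines mirror the appendix, while the dmz and partner lines are made up to exercise the checks, and the set of speed keywords is limited to the three the appendix shows.

```python
"""Parse and sanity-check PIX interface commands (nameif / interface / ip address).
Constructed example, not Cisco code; the configuration below is made up."""
import ipaddress
import itertools
import re
from dataclasses import dataclass

# Constructed sample: inside/outside follow the appendix; dmz and partner are
# added to trigger findings (dmz has no address, partner has a bad level and no speed).
SAMPLE_CONFIG = """\
nameif ethernet0 inside sec100
nameif ethernet1 outside sec0
nameif ethernet2 dmz sec50
nameif ethernet3 partner sec150
interface ethernet0 auto
interface ethernet1 100full
interface ethernet2 10baset
ip address inside 172.16.10.1 255.255.255.0
ip address outside 192.168.30.1 255.255.255.0
ip address partner 10.9.9.1 255.255.255.0
"""

# Speed/duplex keywords the appendix shows for the interface command.
KNOWN_SPEEDS = {"auto", "10baset", "100full"}


@dataclass
class Iface:
    hw: str                              # hardware_id, e.g. ethernet0
    name: str                            # if_name from nameif
    level: int                           # security_level from nameif
    speed: str = None                    # hardware_speed from interface
    addr: ipaddress.IPv4Interface = None # from ip address
    mask_given: bool = True


def parse(text):
    """Build {if_name: Iface} from the three commands; return (ifaces, parse_errors)."""
    by_hw, by_name, errors = {}, {}, []
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        if m := re.fullmatch(r"nameif (\S+) (\S+) sec(\d+)", line):
            i = Iface(m[1], m[2], int(m[3]))
            by_hw[i.hw], by_name[i.name] = i, i
        elif m := re.fullmatch(r"interface (\S+) (\S+)", line):
            if m[1] in by_hw:
                by_hw[m[1]].speed = m[2]
            else:
                errors.append(f"line {n}: interface {m[1]} has no nameif")
        elif m := re.fullmatch(r"ip address (\S+) (\S+)(?: (\S+))?", line):
            if m[1] not in by_name:
                errors.append(f"line {n}: ip address refers to unknown interface {m[1]}")
                continue
            try:
                # ipaddress accepts a dotted netmask after the slash.
                by_name[m[1]].addr = ipaddress.IPv4Interface(f"{m[2]}/{m[3] or '255.255.255.255'}")
                by_name[m[1]].mask_given = m[3] is not None
            except ValueError:
                errors.append(f"line {n}: bad address or netmask")
        else:
            errors.append(f"line {n}: unrecognised command")
    return by_name, errors


def check(ifaces):
    """Return a list of findings about the parsed interfaces (empty means clean)."""
    findings = []
    for i in ifaces.values():
        if not 0 <= i.level <= 100:
            findings.append(f"{i.name}: security level {i.level} outside 0-100")
        elif i.name == "outside" and i.level != 0:
            findings.append(f"{i.name}: outside network is expected at sec0")
        elif i.name == "inside" and i.level != 100:
            findings.append(f"{i.name}: inside network is expected at sec100")
        if i.speed is None:
            findings.append(f"{i.name}: no interface command, speed/duplex not set")
        elif i.speed not in KNOWN_SPEEDS:
            findings.append(f"{i.name}: unknown speed keyword {i.speed}")
        if i.addr is None:
            findings.append(f"{i.name}: no ip address")
        elif not i.mask_given:
            findings.append(f"{i.name}: netmask omitted, spell it out")
    # Two interfaces on overlapping subnets make routing decisions ambiguous.
    addressed = [i for i in ifaces.values() if i.addr is not None]
    for a, b in itertools.combinations(addressed, 2):
        if a.addr.network.overlaps(b.addr.network):
            findings.append(f"{a.name}/{b.name}: subnets overlap")
    return findings


if __name__ == "__main__":
    ifaces, errors = parse(SAMPLE_CONFIG)
    for msg in errors + check(ifaces):
        print(msg)
```

Running it against the sample reports the dmz interface without an address and the partner interface with an out-of-range level and no speed setting; the inside and outside interfaces from the appendix come back clean.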
Default Gateway Assignment
One last thing you need to do is to assign a default gateway using the route command (mentioned in the “Static Route” section earlier in this appendix). Here is how you set the default gateway:
toddfw(config)#route outside 0.0.0.0 0.0.0.0 192.168.30.2
toddfw(config)#^Z
toddfw#
Testing the Configuration with Ping and ARP
Now that you have the IP addresses configured, you can do a bit of testing. Let’s start with a ping:
toddfw#ping inside 172.16.10.45
172.16.10.45 response received -- 0ms
172.16.10.45 response received -- 0ms
172.16.10.45 response received -- 0ms
toddfw#
Note that you specify the name of the interface closest to the ping target. The ping command makes three attempts to reach the specified IP address.
If you want to ping through a PIX Firewall, you must create an ICMP conduit, covered in the “Configuring Inbound Access” section later in this appendix.