330 Appendix A Introduction to the PIX Firewall
Finally, let’s check the contents of the ARP cache to make sure that the MAC address for the host you pinged in the preceding example is present:
toddfw#show arp
inside 172.16.10.45 00d0.b78f.3553
toddfw#
Saving Your Configuration
Those of you who remember the old router commands for saving and displaying the configuration files will find this refreshing. To save the current firewall configuration to flash memory, do the following:
toddfw#write memory
Building configuration…
[OK]
toddfw#
You can also save the configuration to a floppy disk or to a TFTP (Trivial File Transfer Protocol) server on the network.
To erase the configuration stored in flash memory, you can use this command:
toddfw#write erase
Erase PIX configuration in Flash Memory? [confirm] y
toddfw#
And finally, to show the current running configuration, use this command:
toddfw#write terminal
Building configuration…
…
If you remember these commands from the old IOS days, great! You are so old that you probably drive 10 miles per hour under the speed limit in the left lane, with your turn signal on! If you know the new router commands such as show running-config and copy running-config startup-config, well, once upon a time, this is how we used to do it.
Configuring Access through the PIX Firewall
Now that you’ve mastered the basics of firewall configuration, named and addressed the interfaces, and saved your configuration, the next task at hand is to configure access through the PIX Firewall. As mentioned earlier, when interfaces are defined, they are given a security level number between 0 and 100: 0 is used for the outside interface, and 100 is used for the inside interface. Perimeter or DMZ interfaces are assigned numbers between 1 and 99.
Copyright ©2003 SYBEX Inc., 1151 Marina Village Parkway, Alameda, CA 94501. www.sybex.com
As traffic goes between interfaces, it is placed into one of two categories: outbound or inbound. Which category it falls into depends on the security levels of the interfaces it is traversing:
Outbound connections are for higher security to lower security interfaces.
Inbound connections are for lower security to higher security interfaces.
The PIX Firewall uses different methods for passing traffic in each of these categories. Let’s look at each category and talk about how to allow traffic in that direction.
Configuring Outbound Access
You may recall from the introduction of the ASA earlier in this appendix that outbound connections are allowed unless specifically prohibited. However, you need to do a bit of configuration to start traffic flowing in outbound situations. In most instances, you use the nat and global commands to accomplish this.
The PIX Firewall anticipates that you are using Network Address Translation (NAT). Although it is possible to run the firewall without using NAT, Cisco strongly recommends against it. Use NAT on the firewall if at all possible.
To configure outbound access using the nat and global commands, you must first start with a diagram of your PIX Firewall, showing all interfaces and their associated names and security levels. Consider the diagram shown here:
[Diagram: a PIX Firewall with three interfaces: Inside (security level 100, 172.16.10.1), Outside (security level 0, 192.168.30.1), and Perimeter (security level 50, 192.168.40.1)]
Here is a summary of the configuration of this PIX Firewall:
Interface    Security Level    IP Address
Inside       100               172.16.10.1
Outside      0                 192.168.30.1
Perimeter    50                192.168.40.1
Now you must decide where you will have outbound access. Remember that outbound access is where traffic originates on an interface with a higher security level destined for an interface with a lower security level. With these three interfaces, this occurs in only the following situations:
Inside to outside
Inside to perimeter
Perimeter to outside
There will never be outbound traffic originating on the outside interface because its security level is 0: traffic from the outside interface can never go to another interface with a lower security level!
The nat Command
You use the nat command to specify each higher security level interface you want to be able to access lower security level interfaces. Here is your configuration:
toddfw#config t
toddfw(config)#nat (inside) 1 0 0
toddfw(config)#nat (perimeter) 1 0 0
toddfw(config)#^Z
toddfw#
Notice that, once again, you did not specify the outside interface, because outbound connections cannot originate there. Each nat command allows users of the specified interface (in parentheses) to access lower security interfaces. So, in this example, the first nat command allows users on the inside interface to access both the perimeter and outside interfaces. The second nat command allows users on the perimeter interface to access the outside interface (the only other interface with a lower security level).
The global Command
Now you need to configure the lower-level interfaces with the global command to finalize the outbound traffic configuration. Here is the configuration:
toddfw#config t
toddfw(config)#global (outside) 1 192.168.30.2 netmask 255.255.255.0
toddfw(config)#global (perimeter) 1 192.168.40.10-192.168.40.100 netmask 255.255.255.0
toddfw(config)#^Z
toddfw#
In this configuration, you’ve done two different things. First, you’re assuming that the outside interface IP address is a registered Internet address and that you do not have an unlimited number of registered Internet addresses to use for NAT. Therefore, in the preceding configuration of the outside interface, you’re using Port Address Translation (PAT): the global command names a single address rather than a range. With PAT, each outbound client connection uses a separate source port on the single translated address, allowing you to service up to roughly 64,000 concurrent connections from a single IP address!
On the perimeter interface (where you’re translating and have essentially unlimited address space), you have specified a range of addresses to be used in translation when this interface is accessed from other interfaces (in this outbound case, from the inside interface). The “Outbound Access Control” section later in this appendix discusses limiting outbound user access using access control lists (ACLs).
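The following is an added example, not a configuration from the book, that pulls the interface, nat, and global pieces of this section into one complete PIX 6.x configuration for the three-interface firewall in the table. The physical interface names (ethernet0 through ethernet2), the 255.255.255.0 masks, and the upstream gateway 192.168.30.254 are assumptions; the interface names, addresses, and security levels are the ones from the table.

```cisco
! Interface names and security levels (hardware names are assumed)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 perimeter security50
! PIX interfaces stay shut down until a speed/duplex setting is applied
interface ethernet0 auto
interface ethernet1 auto
interface ethernet2 auto
ip address outside 192.168.30.1 255.255.255.0
ip address inside 172.16.10.1 255.255.255.0
ip address perimeter 192.168.40.1 255.255.255.0
! Default route toward the upstream router (assumed address)
route outside 0.0.0.0 0.0.0.0 192.168.30.254 1
! NAT ID 1 ties each higher-security source interface to the global
! entries with the same ID on every lower-security interface. There is
! no nat line for outside: at security level 0 it can never originate
! an outbound connection.
nat (inside) 1 0.0.0.0 0.0.0.0
nat (perimeter) 1 0.0.0.0 0.0.0.0
! Outside: a single registered address, so this is PAT. All inside and
! perimeter clients share 192.168.30.2 and are told apart by source port.
global (outside) 1 192.168.30.2 netmask 255.255.255.0
! Perimeter: plenty of private space, so a dynamic one-to-one pool that
! inside hosts are translated into when they reach the DMZ.
global (perimeter) 1 192.168.40.10-192.168.40.100 netmask 255.255.255.0
! Verify with: show nat, show global, and show xlate (after some traffic)
```

Two practical notes. If you do not have a spare registered address, `global (outside) 1 interface` performs PAT on the outside interface's own address instead. And a one-to-one pool such as the perimeter one is finite: once all 91 addresses are in use, new inside-to-perimeter connections fail unless you add a second global line with the same ID and a single PAT address, which the PIX falls back to when the pool is exhausted.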
Configuring Inbound Access
Great! With the outbound connections configured, you’re halfway done. Recall that inbound connections are denied unless specifically allowed. This is the opposite of outbound behavior. You need to do a bit of configuration to allow any inbound connections. You use the static and conduit commands to accomplish this.
As with outbound access, let’s begin with a diagram. Consider the network shown here:
[Diagram: the same PIX Firewall with Inside (security level 100, 172.16.10.1), Outside (security level 0, 192.168.30.1), and Perimeter (security level 50, 192.168.40.1) interfaces, plus a web server on the perimeter network]
With many configuration tasks, using a network diagram can help prevent configuration errors. It’s always easier to start with a diagram of the PIX Firewall showing all the interfaces, their names, and their security levels. Put this information in a table and then decide where inbound and outbound access must be configured.
This example uses the same configuration as the diagram for outbound access, with the addition of a web server in the DMZ (the perimeter interface) at IP address 192.168.40.2. You want to allow external users to reach this server through the outside interface. Here is the configuration you must add:
toddfw#config t
toddfw(config)#static (perimeter, outside) 192.168.30.5 192.168.40.2 netmask 255.255.255.255
toddfw(config)#conduit permit tcp host 192.168.30.5 eq www any
toddfw(config)#^Z
toddfw#
You may need to do a clear xlate before configuring inbound access—to ensure that the translation entry isn’t already taken dynamically—so that you can do the static translation.
Let’s take a closer look at the static and conduit commands, as well as another command you can add for protocol control: fixup protocol.
The static Command
In the preceding example, the static command statically translates the outside address 192.168.30.5 to the perimeter address 192.168.40.2. You then register 192.168.30.5 in your external DNS server as the IP address of your web server as seen from the Internet (not the actual server address, 192.168.40.2).
The static command specifies the involved interfaces and addresses using the following formula:
static (inside, outside) outside_addr inside_addr
Remember this formula! Everyone all together: inside, outside, outside, inside. Inside, outside, outside, inside. Again? Inside, outside, outside, inside. Good! If you follow this formula, you can’t go wrong with the static commands on the exam. (But be aware that this static functionality changes with NAT disabled!)
The conduit Command
The conduit command in the preceding example looks similar to the access-list syntax from the IOS; however, the two are not interchangeable. Note the order of the arguments: the protocol comes first, then the translated (global) address and its port, then the foreign source. This conduit command permits any host to reach the static address 192.168.30.5 on the www port (TCP 80). The static command alone only creates the translation; without a matching conduit, inbound traffic to 192.168.30.5 is still denied.
The conduit commands can become more complex as you add interfaces. Additionally, some services require multiple conduit statements, including the following services:
discard
dns
echo
ident
pptp
rpc
syslog
tacacs-ds
talk
time
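Pulling the inbound pieces together, here is an added example, not the book's own configuration, that publishes the DMZ web server at 192.168.40.2 and, going one step beyond the text, a DMZ mail server at 192.168.40.6 with the SMTP fixup (Mail Guard) that the next section introduces. The outside address 192.168.30.6 for the mail server and the access-list name outside_in are assumptions; the web server addresses are the ones from this section.

```cisco
! static (higher_if, lower_if) lower_addr higher_addr
! The formula from the text: inside, outside, outside, inside
static (perimeter,outside) 192.168.30.5 192.168.40.2 netmask 255.255.255.255
static (perimeter,outside) 192.168.30.6 192.168.40.6 netmask 255.255.255.255
! A static only creates the translation. Inbound traffic is still denied
! until a conduit (or access list) permits it. The protocol keyword is
! required, and the global address comes before the foreign address.
conduit permit tcp host 192.168.30.5 eq www any
conduit permit tcp host 192.168.30.6 eq smtp any
! Equivalent in the access-list form preferred on PIX 6.3 (conduit was
! removed in PIX 7.0). Use one mechanism or the other, not both:
! access-list outside_in permit tcp any host 192.168.30.5 eq www
! access-list outside_in permit tcp any host 192.168.30.6 eq smtp
! access-group outside_in in interface outside
! Mail Guard: the SMTP fixup lets only the minimum RFC 821 commands
! (HELO, MAIL, RCPT, DATA, RSET, NOOP, QUIT) reach the mail server;
! anything else is rejected with an error instead of being forwarded.
fixup protocol smtp 25
! If a dynamic translation already holds 192.168.30.5 or .6, clear it
! so the static can take effect:  clear xlate
! Verify with: show static, show conduit, show xlate
```

Note that the conduit permits the translated outside address, never the real DMZ address: from the outside interface's point of view 192.168.40.2 does not exist. If you later change the static, run clear xlate again, because existing translation entries are not rewritten in place.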
The fixup protocol Command
Do you know every potential security hole on every service you must allow through the firewall? I certainly don’t! The PIX Firewall allows you to use the fixup protocol command to further control Application-layer protocols.
For example, suppose that you want to add a mail server to your network diagram at 192.168.40.6, but you also want to use the PIX Mail Guard feature with this server. The Mail Guard feature allows only certain SMTP commands to be sent to the mail server. Here is the configuration:
toddfw#config t