- •Using Your Sybex Electronic Book
- •Acknowledgments
- •Introduction
- •Assessment Test
- •Answers to Assessment Test
- •Types of Network Security Threats
- •Types of Security Weaknesses
- •Technology Weaknesses
- •Configuration Weaknesses
- •Policy Weaknesses
- •Types of Network Attacks
- •Eavesdropping
- •Denial-of-Service Attacks
- •Unauthorized Access
- •WareZ
- •Masquerade Attack (IP Spoofing)
- •Session Hijacking or Replaying
- •Rerouting
- •Repudiation
- •Smurfing
- •Password Attacks
- •Man-in-the-Middle Attacks
- •Application-Layer Attacks
- •Trojan Horse Programs, Viruses, and Worms
- •HTML Attacks
- •The Corporate Security Policy
- •Summary
- •Exam Essentials
- •Key Terms
- •Written Lab
- •Review Questions
- •Answers to Written Lab
- •Answers to Review Questions
- •Authentication Methods
- •Windows Authentication
- •Security Server Authentication
- •PAP and CHAP Authentication
- •PPP Callback
- •Configuring the NAS for AAA
- •Securing Access to the Exec Mode
- •Enable AAA Locally on the NAS
- •Authentication Configuration on the NAS
- •Authorization Configuration on the NAS
- •Accounting Configuration on the NAS
- •Verifying the NAS Configuration
- •Troubleshooting AAA on the Cisco NAS
- •Summary
- •Exam Essentials
- •Key Terms
- •Commands Used in This Chapter
- •Written Lab
- •Review Questions
- •Hands-On Labs
- •Lab 2.1: Setting the Line Passwords
- •Lab 2.2: Setting the Enable Passwords
- •Lab 2.3: Encrypting your Passwords
- •Lab 2.4: Creating Usernames and Logging In
- •Lab 2.5: Configuring AAA Authentication on the NAS
- •Answers to Written Lab
- •Answers to Review Questions
- •Introduction to the CiscoSecure ACS
- •Using User Databases for Authentication
- •Populating the User Database Population
- •New ACS Features
- •Installing CiscoSecure ACS 3.0
- •Administering CiscoSecure ACS
- •TACACS+ Overview
- •Configuring TACACS+
- •Using RADIUS
- •CiscoSecure User Database NAS Configuration for RADIUS
- •Verifying TACACS+
- •Summary
- •Exam Essentials
- •Key Terms
- •Commands Used in This Chapter
- •Written Lab
- •Review Questions
- •Answers to Written Lab
- •Answers to Review Questions
- •Solving Eavesdropping and Session Replay Problems
- •Fighting Rerouting Attacks
- •Fighting Denial-of-Service Attacks
- •Turning Off and Configuring Network Services
- •Blocking SNMP Packets
- •Disabling Echo
- •Turning Off BOOTP and Auto-Config
- •Disabling the HTTP Interface
- •Disabling IP Source Routing
- •Disabling Proxy ARP
- •Disabling Redirect Messages
- •Disabling the Generation of ICMP Unreachable Messages
- •Disabling Multicast Route Caching
- •Disabling the Maintenance Operation Protocol (MOP)
- •Turning Off the X.25 PAD Service
- •Enabling the Nagle TCP Congestion Algorithm
- •Logging Every Event
- •Disabling Cisco Discovery Protocol
- •Disabling the Default Forwarded UDP Protocols
- •Summary
- •Exam Essentials
- •Key Terms
- •Commands Used in This Chapter
- •Written Lab
- •Review Questions
- •Hands-On Lab
- •Lab 4.1: Controlling TCP/IP Services
- •Answers to Written Lab
- •Answers to Review Questions
- •Understanding the Cisco IOS Firewall
- •Authentication Proxy and IDS
- •Context-Based Access Control
- •CBAC Compared to ACLs
- •CBAC-Supported Protocols
- •Introduction to CBAC Configuration
- •Using Audit Trails and Alerts
- •Configuring Global Timeouts and Thresholds
- •Configuring PAM
- •Defining Inspection Rules
- •Applying Inspection Rules and ACLs to Router Interfaces
- •Configuring IP ACLs at the Interface
- •Testing and Verifying CBAC
- •Summary
- •Exam Essentials
- •Key Terms
- •Commands Used in This Chapter
- •Written Lab
- •Review Questions
- •Hands-On Labs
- •Lab 5.1: Configure Logging and Audit Trails
- •Lab 5.2: Define and Apply Inspection Rules and ACLs
- •Lab 5.3: Test and Verify CBAC
- •Answers to Written Lab
- •Answers to Review Questions
- •Introduction to the Cisco IOS Firewall Authentication Proxy
- •Configuring the AAA Server
- •Configuring AAA
- •Configuring the Authentication Proxy
- •Testing and Verifying Your Configuration
- •show Commands
- •Clearing the Cache
- •Introduction to the Cisco IOS Firewall IDS
- •Initializing Cisco IOS Firewall IDS
- •Configuring, Disabling, and Excluding Signatures
- •Creating and Applying Audit Rules
- •Setting Default Actions
- •Creating an Audit Rule
- •Applying the Audit Rule
- •Verifying the Configuration
- •Stopping the IOS Firewall IDS
- •Summary
- •Exam Essentials
- •Key Terms
- •Commands Used in This Chapter
- •Written Lab
- •Review Questions
- •Hands-On Labs
- •Lab 6.1: Enabling the IOS Firewall Authentication Proxy
- •Lab 6.2: Enabling the IOS Firewall IDS
- •Answers to Written Lab
- •Answers to Review Questions
- •What is a Virtual Private Network?
- •Introduction to Cisco IOS IPSec
- •IPSec Transforms
- •IPSec Operation
- •The Components of IPSec
- •IPSec Encapsulation
- •Internet Key Exchange (IKE)
- •Summary
- •Exam Essentials
- •Key Terms
- •Written Lab
- •Review Questions
- •Answers to Written Lab
- •Answers to Review Questions
- •Configuring Cisco IOS IPSec for Pre-Shared Keys Site-to-Site
- •Preparing for IKE and IPSec
- •Configuring IKE
- •Configuring IPSec
- •Testing and Verifying IPSec
- •Configuring IPSec Manually
- •Configuring IPSec for RSA-Encrypted Nonces
- •Configuring Cisco IOS IPSec Certificate Authority Support Site-to-Site
- •Configuring CA Support Tasks
- •Preparing for IKE and IPSec
- •Configuring CA Support
- •Configuring IKE Using CA
- •Configuring IPSec for CA
- •Testing and Verifying IPSec for CA
- •Summary
- •Exam Essentials
- •Key Terms
- •Commands Used in This Chapter
- •Written Lab
- •Review Questions
- •Hands-On Labs
- •Lab 8.1: Configure IKE on Lab_A and Lab_B
- •Lab 8.2: Configure IPSec on Lab_A and Lab_B
- •Answers to Written Lab
- •Answers to Review Questions
- •Answers to Hands-On Labs
- •Answer to Lab 8.1
- •Answer to Lab 8.2
- •Introduction to Cisco Easy VPN
- •The Easy VPN Server
- •Introduction to the Cisco VPN 3.5 Client
- •Easy VPN Server Configuration Tasks
- •Pre-Configuring the Cisco VPN 3.5 Client
- •Summary
- •Exam Essentials
- •Key Terms
- •Written Lab
- •Review Questions
- •Hands-On Lab
- •Lab 9.1: Installing the Cisco VPN 3.5 Client Software on Windows
- •Answers to Written Lab
- •Answers to Review Questions
- •Network Separation
- •Three Ways through a PIX Firewall
- •PIX Firewall Configuration Basics
- •Configuring Interfaces
- •Saving Your Configuration
- •Configuring Access through the PIX Firewall
- •Configuring Outbound Access
- •Configuring Inbound Access
- •Configuring Multiple Interfaces and AAA on the PIX Firewall
- •Configuring Multiple Interfaces
- •Implementing AAA on the PIX Firewall
- •Configuring Advanced PIX Firewall Features
- •Failover
- •Outbound Access Control
- •Logging
- •SNMP Support
- •Java Applet Blocking
- •URL Filtering
- •Password Recovery
- •Glossary
Configuring Advanced PIX Firewall Features |
339 |
The PIX Firewall now sends attribute-value pairs to the security server on all inbound traffic. This information can then be used as an audit trail for billing information, security information, or network management information.
Configuring Advanced PIX Firewall
Features
There are many additional features included in the PIX Firewall, and new ones are being added all the time. This section looks at some of the possibilities and presents a quick look at the configuration for a few of them.
The PIX Firewall is obviously intended to be a central component in your network topology. Any such device deserves a bit of additional attention with respect to fault tolerance and manageability. Fortunately, the PIX Firewall supports both of these needs with its failover, or hot standby, capability and the Cisco Security Manager utility. Other features covered in this section include outbound access, logging, SNMP support, Java applet blocking, URL filtering, and password recovery.
Failover
You can provide fault tolerance to your system by adding a standby PIX Firewall. Consider this network (it’s the same one used as an example earlier in the appendix):
DNS server
DMZ |
E-mail server |
PIX Firewall
External router
Internal LAN
In this situation, should the PIX Firewall fail, all access between the internal network and the DMZ (and the outside world, for that matter) would fail. Such an outage would certainly not be desirable and may provide you with extensive blocks of free time (in other words, unemployment).
Copyright ©2003 SYBEX Inc., 1151 Marina Village Parkway, Alameda, CA 94501. |
www.sybex.com |
340 Appendix A Introduction to the PIX Firewall
Now, consider the network diagram shown here:
PIX Firewall
DMZ
|
cable |
|
|
Failover |
|
Internal LAN |
||
|
||
|
|
PIX Firewall
External router
In this network, there are two PIX Firewalls, connected by a failover cable. This cable must be present for this configuration to work! When running properly, the configurations between the two firewalls are synchronized, and the second, or standby, PIX Firewall will not take over until the first one has failed.
When you use the PIX Firewall’s failover feature, the active (primary) firewall must have an Unrestricted license. The backup (secondary) firewall can have a Failover license.
Cisco Security Manager
The Cisco Security Manager (CSM) utility allows for the centralized management of up to 100 PIX Firewalls. A Windows application, CSM requires Microsoft Windows NT Server 4.0 to run.
CSM provides the following:
Real-time event notification using e-mail, paging gateways, or scripts
Filtered event notifications
Policy-consistency checking
Backup
Distribution
Web-based reporting
Copyright ©2003 SYBEX Inc., 1151 Marina Village Parkway, Alameda, CA 94501. |
www.sybex.com |
Configuring Advanced PIX Firewall Features |
341 |
Outbound Access Control
Outbound access is the equivalent of an ACL. However, the syntax for ACLs here is different from the router syntax with which you may already be familiar. PIX Firewall uses two commands— outbound and apply—to enforce ACLs. Let’s jump back to a sample network used earlier in this appendix, which looks like this:
|
PIX Firewall |
Inside |
Outside |
172.16.10.1 |
192.168.30.1 |
Now, suppose that you want to deny your inside users access to the external web pages. Here is how you could implement this policy:
toddfw#config t
toddfw(config)#outbound 12 deny 172.16.10.1 255.255.255.0 80 tcp
toddfw(config)#apply (inside) 12 outgoing_src
toddfw(config)#^Z
toddfw#
The outbound command has a number of parameters. The 12 specifies a list ID, same as with an ACL. The deny keyword—well, denies the specified traffic. The IP addresses are not source or destination addresses yet; that is determined by the apply command. Finally, TCP port 80 is specified.
The apply command must first specify which interface the policy will be applied to. In the preceding example, you used the outgoing_src parameter to indicate that addresses in the outbound command are source addresses. Had you used the outgoing_dest parameter instead, the IP addresses specified in the outbound command would have been interpreted as destination addresses. Using these commands, you can limit many types of outbound traffic, much as you would control access by using ACLs on a router.
Logging
PIX Firewalls support a number of logging options. From the previous example, here is a sample configuration of how to add logging to the PIX Firewall:
toddfw#config t
toddfw(config)#logging on
toddfw(config)#logging facility 20
toddfw(config)#logging host 172.16.10.50
toddfw(config)#^Z
toddfw#
Copyright ©2003 SYBEX Inc., 1151 Marina Village Parkway, Alameda, CA 94501. |
www.sybex.com |
342 Appendix A Introduction to the PIX Firewall
Using these commands, you have enabled logging, specified the logging facility on the Syslog server, and specified the IP address of the security server where Syslog messages are to be sent.
SNMP Support
The PIX Firewall can be configured to support SNMP messages, as in the following example:
toddfw#config t
toddfw(config)#snmp-server community todd1
toddfw(config)#snmp-server contact Todd Lammle
toddfw(config)#snmp-server enable traps
toddfw(config)#^Z
toddfw#
In this example, you have entered the community string, specified a contact for problems, and told the PIX Firewall to enable the sending of traps (traps are sent via Syslog).
Java Applet Blocking
Java may present a problem to your network security. When you allow your internal users to download port 80 (HTTP) objects, these objects might contain hidden Java code that could be harmful to your internal data. The PIX Firewall allows you to block these hidden Java programs. This is achieved using the outbound and apply commands. Here is the configuration:
toddfw#config t
toddfw(config)#outbound 13 deny 172.16.10.1 255.255.255.0 java
toddfw(config)#apply (inside) 13 outgoing_src
toddfw(config)#^Z
toddfw#
As you can see, this is simply an ACL in the format introduced in the “Outbound Access” section earlier in this appendix, but in this example, the type of access is specified as java.
URL Filtering
URL filtering is a new command in the PIX Firewall release 4.2. It gives you the ability to use a third-party URL filter list (from WebSENSE) to control the content your users may be accessing. Here is the configuration:
toddfw#config t
toddfw(config)#url-server (inside) 172.16.10.55
toddfw(config)#filter url http 0 0 0 0
toddfw(config)#^Z
toddfw#
Copyright ©2003 SYBEX Inc., 1151 Marina Village Parkway, Alameda, CA 94501. |
www.sybex.com |