mbehring_pix_rev5 © 1999, Cisco Systems, Inc.
Internetworking with PIX™
PIX IOS 5.0
Internetworking with PIX
Agenda
• Overview of the PIX
• The “Inside” of the PIX
• Advanced Configurations
• PIX and IPSec
• PIX Management
• Last Words
Overview of the PIX
Hardware, Software and Capabilities
CCIE’99 Vienna © 1999, Cisco Systems, Inc.
The Box Itself
• 515-R (restricted)
Target: Branch office
• 515-UR (unrestricted)
Target: Main office
• 520
Target: Biiig main office
PIX Overview
The Platform
• 515-R: Pentium 200 MHz, no PCI, 32 M RAM max
• 515-UR: Pentium 200 MHz, 2 PCI, 64 M RAM max
• 520: Pentium 350 MHz, 4 PCI, 128 M RAM max, 1 ISA
PIX Overview
Interfaces
• 515-R: 2 FE, not expandable
• 515-UR: Standard: 2 FE, expandable to up to 6 FE
• 520: Standard: 2 FE plus 2 of: 4-port FE card, Token Ring card, FDDI card
PIX Overview
Private Link Cards
• PL1: ISA based (16 bit, discontinued)
• PL2: PCI based (32 bit)
• PL3: (planned) PCI
• Kodiak: (planned) PCI
• PIX 520 has 1 ISA slot + 4 PCI slots
• PIX 515-UR has 2 PCI slots, no ISA
PIX Overview
PIX Hardware Overview
                          515-R      515-UR     520
Max. simult. connections  50,000     100,000    250,000
Max. RAM                  32M        64M        128M
Max # interfaces          2          6          6
Flash                     8M         16M        16M
Failover                  no         yes        yes
Interface types           FE         FE         FE, TR, FDDI
Max. throughput (Mbps)    170        170        170
PIX Overview
The PIX Philosophy
(Diagram: PIX Firewall with three interfaces: Private Network = inside, Public Network = outside, DMZ)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 DMZ security50
PIX Overview
The PIX Philosophy
Default Actions (decided by the security levels of the two interfaces):
• Higher to Lower: PERMIT
• Lower to Higher: DENY
• Between Same: DENY
PIX Overview
Strength of the PIX
• No general-purpose OS underneath
• Small code base -> fewer chances for bugs
• Appliance: no extra software
• Easy configuration
• Performance (170 Mbit/s !!)
PIX Overview
PIX Certification
• NSA TTAP Certification
• ICSA Certification
• SRI International testing: “SRI International failed to uncover any security vulnerabilities in the Cisco PIX firewall”
• Turnkey appliance — no software installation risks
PIX Overview
Licensing
• 520: Session based (128, 1024, ...)
(will be feature based in the future)
• 515: Feature based:
Basic license plus:
DES license (free),
3DES license (extra cost)
PIX Overview
Around the PIX
PIX Overview
• WebSense: URL Filtering
• Private I: Logging and Alarming
• CiscoSecure: Cut-Through-Proxy, AAA
• Cisco Security Manager: Management
• Verisign, Entrust, …: Certification Authority
• PIX Firewall Manager: Management
The “Inside” of the PIX
Configuration Details
NW’99 Vienna © 1999, Cisco Systems, Inc.
Only 4 Ways through the PIX
(Diagram: Private Network — PIX — Public Network)
1: inside to outside (higher to lower security; limit with “outbound” and “apply”)
2: user authentication (AAA, cut-through proxy)
3: conduit (outside to inside)
4*: access list
PIX “Inside”
* since PIX IOS 5.0
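The two slides above (default actions by security level, and the exceptions that open a path: outbound lists, conduits on top of a static) describe a decision procedure. The following Python model is an added example and not code from the Cisco deck; it reuses the deck's own commands (nameif security levels, the FTP conduit to 192.150.50.1, the outbound list 10 applied to dmz1) and adds one assumed second DMZ interface at the same level. The class and method names are assumptions for this illustration, as is the rule that in an outbound list the most specific (longest mask) entry wins, which is how the deny-all/permit-proxy pair on the deck is intended to work.

```python
"""Toy model of the PIX default policy and the ways through it (added example)."""
from dataclasses import dataclass, field
from ipaddress import IPv4Address, IPv4Network


@dataclass(frozen=True)
class Flow:
    src_if: str
    dst_if: str
    src: str
    dst: str        # address as seen on the destination side (the global address for inbound)
    proto: str      # "tcp" or "udp"
    dport: int


@dataclass
class PixPolicy:
    levels: dict = field(default_factory=dict)    # nameif <hw> <name> security<level>
    conduits: list = field(default_factory=list)  # conduit permit <proto> host <global> eq <port> <foreign>
    statics: set = field(default_factory=set)     # global addresses that have a static translation
    outbound: dict = field(default_factory=dict)  # list# -> [(action, network, port, proto)]
    applied: dict = field(default_factory=dict)   # apply (<if>) <list#> outgoing_src

    def nameif(self, if_name, level):
        self.levels[if_name] = level

    def conduit(self, proto, global_host, port, foreign):
        self.conduits.append((proto, IPv4Address(global_host), port, IPv4Network(foreign)))

    def static(self, global_ip):
        self.statics.add(IPv4Address(global_ip))

    def outbound_rule(self, list_no, action, ip, mask, port, proto):
        net = IPv4Network(f"{ip}/{mask}", strict=False)   # "0 0" becomes 0.0.0.0/0
        self.outbound.setdefault(list_no, []).append((action, net, port, proto))

    def apply(self, if_name, list_no):
        self.applied[if_name] = list_no

    def _outbound_verdict(self, flow):
        """Higher -> lower: permitted unless an applied outbound list says otherwise.
        Assumption: the most specific matching entry (longest mask) wins."""
        list_no = self.applied.get(flow.src_if)
        if list_no is None:
            return "permit"
        best = None
        for action, net, port, proto in self.outbound.get(list_no, []):
            if proto == flow.proto and port == flow.dport and IPv4Address(flow.src) in net:
                if best is None or net.prefixlen > best[1].prefixlen:
                    best = (action, net)
        return best[0] if best else "permit"

    def _conduit_verdict(self, flow):
        """Lower -> higher: denied unless a conduit opens the port, and then only
        when addressing (a static for that global address) exists as well."""
        for proto, ghost, port, foreign in self.conduits:
            if (proto == flow.proto and ghost == IPv4Address(flow.dst)
                    and port == flow.dport and IPv4Address(flow.src) in foreign):
                return "permit" if ghost in self.statics else "deny: no static for conduit host"
        return "deny"

    def evaluate(self, flow):
        s, d = self.levels[flow.src_if], self.levels[flow.dst_if]
        if s > d:
            return self._outbound_verdict(flow)
        if s < d:
            return self._conduit_verdict(flow)
        return "deny"   # between interfaces of the same level: deny


def build_example_policy():
    """The commands shown on the deck, plus an assumed second DMZ (dmz2) at level 50."""
    pix = PixPolicy()
    pix.nameif("outside", 0)
    pix.nameif("inside", 100)
    pix.nameif("dmz1", 50)
    pix.nameif("dmz2", 50)                                  # assumption, not on the deck
    pix.static("192.150.50.1")                              # static (inside,outside) 192.150.50.1 ...
    pix.conduit("tcp", "192.150.50.1", 21, "0.0.0.0/0")    # conduit permit tcp host 192.150.50.1 eq ftp any
    pix.outbound_rule(10, "deny", "0.0.0.0", "0.0.0.0", 80, "tcp")
    pix.outbound_rule(10, "permit", "192.168.1.2", "255.255.255.255", 80, "tcp")
    pix.apply("dmz1", 10)                                   # apply (dmz1) 10 outgoing_src
    return pix


if __name__ == "__main__":
    pix = build_example_policy()
    for f in (Flow("dmz1", "outside", "192.168.1.7", "1.2.3.4", "tcp", 80),
              Flow("dmz1", "outside", "192.168.1.2", "1.2.3.4", "tcp", 80),
              Flow("outside", "inside", "1.2.3.4", "192.150.50.1", "tcp", 21),
              Flow("dmz1", "dmz2", "192.168.1.2", "10.9.9.9", "tcp", 80)):
        print(f.src_if, "->", f.dst_if, f.dst, f.dport, "=>", pix.evaluate(f))
```

Note the last case in the model: a conduit alone never admits a packet from a lower-security interface; the translation (static) for the global address must exist too, which is the same point the deck makes later for the cut-through proxy ("Addressing and Conduit must exist").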
Address Translation in the PIX: NAT / PAT
(Diagram: Private Network — inside — PIX — outside — Public Network)
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
global (outside) 1 204.31.17.40-204.31.17.50
global (outside) 1 204.31.17.51
• nat: translate all inside source addresses (NAT-ID 1; the trailing 0 0 = no connection / embryonic limits)
• global with an address range: outside source addresses to use (NAT)
• global with a single address: PAT*
* For PAT use only 1 outside address
PIX “Inside”
Destination Address Translation: Alias
• NAT changes the source address only
• Use alias to change the destination address
• DNS replies will be changed as well
• Applications: Dual NAT, Re-routing
PIX “Inside”
How “alias” Works
PIX “Inside”
(Scenario: an inside user accesses www.x.com, which the Internet DNS resolves to 2.2.2.2; the company already uses 2.2.2.2 inside, so the address conflicts)
alias: 3.3.3.3 = 2.2.2.2 (inside / outside)
1. Inside user accesses www.x.com
2. DNS query for www.x.com goes out through the PIX
3. Outside DNS reply: 2.2.2.2 (conflict with the inside address)
4. PIX rewrites the reply seen by the inside user: 3.3.3.3
5. Destination NAT: inside traffic to 3.3.3.3 is sent to 2.2.2.2 on the outside
Address Translation: Alias Configuration
alias (inside) 3.3.3.3 2.2.2.2 255.255.255.255
• Destination NAT: use this destination address on the inside (3.3.3.3) ... for this destination address on the outside (2.2.2.2)
static (inside,outside) 2.2.2.2 3.3.3.3 netmask 255.255.255.255
• Source NAT: map this source on the outside (2.2.2.2) ... to this one on the inside (3.3.3.3)
PIX “Inside”
Address Translation: Static
(Diagram: Private Network — inside — PIX — outside — Public Network)
static (inside,outside) 208.133.247.111 172.19.10.130 netmask 255.255.255.255 0 0
• Outside address (global): 208.133.247.111
• Inside address (local): 172.19.10.130
• For Web or other servers that must be reachable at a fixed address (traffic from outside still needs a conduit)
PIX “Inside”
Conduits
• To permit traffic from outside
PIX “Inside”
conduit permit tcp host 192.150.50.1 eq ftp any
… to this internal host* ... with FTP ... from any external host
conduit permit tcp any eq ftp host 192.150.50.42
… to any internal host ... with FTP ... from this external host*
* use global (translated) addresses
Outbound Access Lists
• Deny Inside -> Outside connections with Outbound Access Lists
outbound 10 deny 0 0 www tcp
outbound 10 permit 192.168.1.2 255.255.255.255 www tcp
apply (dmz1) 10 outgoing_src
• List #10: deny all outbound www traffic ... but permit it to the proxy server 192.168.1.2
• Apply the list to interface dmz1 (matched on the source address)
PIX “Inside”
Adaptive Security Algorithm™ (ASA)
• Heart of stateful checking in PIX
• Basic Rules:
  • Allow TCP / UDP from inside
  • Permit TCP / UDP return packets
  • Drop and log connections from outside
  • Drop and log source routed IP packets
  • Allow some ICMP packets
  • Silently drop pings to dynamic IP addresses
  • Answer (PIX) pings to static connections
  • Drop and log all other packets from outside
PIX “Inside”
How the PIX works
1. Packet arrives
2. Addressing: NAT / PAT / Alias / Static
3. Permissions: Conduit / ACLs / Outbound
4. -> Xlate table (addressing info)
5. -> Connections table (ports + protocol)
PIX “Inside”
Xlate: The Translation Table
• PIX creates an xlate entry for every IP pair (host-host)
• This is part of the “State” of the firewall
• clear xlate after changes
timeout xlate hh:mm:ss
timeout conn hh:mm:ss
… and: half-closed, udp, rpc, h323, uauth
PIX “Inside”
Connections Table
• Connection entries contain:
Protocol and port numbers
TCP state and sequence numbers
state of connection (eg, embryonic)
• Also part of the “State” of the firewall
• clear xlate also clears the conns table
• License check with # of connections!
PIX “Inside”
Xlate and Conns Tables
show xlate
Global 16.130.3.17 Local 16.130.3.17 static nconns 1 econns 0
Global 16.130.3.16 Local 16.130.3.16 static nconns 4 econns 0
(nconns = # connections, econns = # embryonic connections)

show conn
6 in use, 6 most used
TCP out 192.150.50.41:80 in 10.3.3.4:1404 idle 0:00:00 Bytes 11391
TCP out 192.150.50.41:80 in 10.3.3.4:1405 idle 0:00:00 Bytes 3709
TCP out 192.150.50.41:80 in 10.3.3.4:1406 idle 0:00:01 Bytes 2685
TCP out 192.150.50.41:80 in 10.3.3.4:1407 idle 0:00:01 Bytes 2683
TCP out 192.150.50.41:80 in 10.3.3.4:1403 idle 0:00:00 Bytes 15199
TCP out 192.150.50.41:80 in 10.3.3.4:1408 idle 0:00:00 Bytes 2688
UDP out 192.150.50.70:24 in 10.3.3.4:1402 idle 0:01:30
UDP out 192.150.50.70:23 in 10.3.3.4:1397 idle 0:01:30
UDP out 192.150.50.70:22 in 10.3.3.4:1395 idle 0:01:30
(“in use / most used”: licence check against the session limit, e.g. on the PIX 520)
PIX “Inside”
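Because the connection counters are what the session-based licence is checked against, and because the embryonic count is the first sign of a half-open-connection flood, the two outputs above are worth parsing rather than eyeballing. The script below is an added example and not part of the deck: the `show xlate` and `show conn` text is copied from the slide, while the licence limit, the warning threshold and the function names are constructed for this illustration.

```python
"""Parse PIX `show xlate` / `show conn` output and check it against a licence limit."""
import re
from collections import Counter

# Command output as printed on the slide (embedded here so the example runs offline).
SHOW_XLATE = """\
Global 16.130.3.17 Local 16.130.3.17 static nconns 1 econns 0
Global 16.130.3.16 Local 16.130.3.16 static nconns 4 econns 0
"""

SHOW_CONN = """\
6 in use, 6 most used
TCP out 192.150.50.41:80 in 10.3.3.4:1404 idle 0:00:00 Bytes 11391
TCP out 192.150.50.41:80 in 10.3.3.4:1405 idle 0:00:00 Bytes 3709
TCP out 192.150.50.41:80 in 10.3.3.4:1406 idle 0:00:01 Bytes 2685
TCP out 192.150.50.41:80 in 10.3.3.4:1407 idle 0:00:01 Bytes 2683
TCP out 192.150.50.41:80 in 10.3.3.4:1403 idle 0:00:00 Bytes 15199
TCP out 192.150.50.41:80 in 10.3.3.4:1408 idle 0:00:00 Bytes 2688
UDP out 192.150.50.70:24 in 10.3.3.4:1402 idle 0:01:30
UDP out 192.150.50.70:23 in 10.3.3.4:1397 idle 0:01:30
UDP out 192.150.50.70:22 in 10.3.3.4:1395 idle 0:01:30
"""

XLATE_RE = re.compile(r"Global (\S+) Local (\S+)(?: (\w+))? nconns (\d+) econns (\d+)")
HEADER_RE = re.compile(r"(\d+) in use, (\d+) most used")
CONN_RE = re.compile(
    r"(TCP|UDP) out (\S+):(\d+) in (\S+):(\d+) idle (\d+):(\d{2}):(\d{2})(?: Bytes (\d+))?")


def parse_xlate(text):
    """One dict per translation: global/local address, kind, nconns, econns."""
    return [{"global": g, "local": l, "kind": k or "", "nconns": int(n), "econns": int(e)}
            for g, l, k, n, e in XLATE_RE.findall(text)]


def parse_conn(text):
    """Header counters plus one dict per connection (idle time in seconds)."""
    hdr = HEADER_RE.search(text)
    conns = []
    for m in CONN_RE.finditer(text):
        proto, oip, oport, iip, iport, h, mi, s, nbytes = m.groups()
        conns.append({
            "proto": proto,
            "out": (oip, int(oport)),
            "in": (iip, int(iport)),
            "idle_s": int(h) * 3600 + int(mi) * 60 + int(s),
            "bytes": int(nbytes) if nbytes is not None else None,   # UDP lines carry no byte count
        })
    return {
        "in_use": int(hdr.group(1)) if hdr else len(conns),
        "most_used": int(hdr.group(2)) if hdr else len(conns),
        "conns": conns,
    }


def license_check(report, limit, warn_at=0.8):
    """'at limit' if the high-water mark reached the licensed session count,
    'warning' if current use is above warn_at of it, otherwise 'ok'."""
    if report["most_used"] >= limit:
        return "at limit"
    if report["in_use"] / limit >= warn_at:
        return "warning"
    return "ok"


def embryonic_summary(xlates):
    """(total connections, total embryonic connections) across all translations."""
    return (sum(x["nconns"] for x in xlates), sum(x["econns"] for x in xlates))


def top_inside_hosts(report, n=3):
    """Inside hosts holding the most connections, most first."""
    return Counter(c["in"][0] for c in report["conns"]).most_common(n)


if __name__ == "__main__":
    report = parse_conn(SHOW_CONN)
    print("licence (128 sessions):", license_check(report, 128))   # constructed limit
    print("connections / embryonic:", embryonic_summary(parse_xlate(SHOW_XLATE)))
    print("busiest inside hosts:", top_inside_hosts(report))
```

The header says 6 connections in use while nine lines are listed, exactly as on the slide; the parser keeps both numbers so that discrepancy is visible rather than hidden.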
Advanced Configurations
User Authentication: Cut-Through-Proxy
(Diagram: outside user sends an HTTP request to a www server on the inside; the PIX consults an AAA server)
1. HTTP request packet intercepted by PIX
2. PIX asks the user for credentials, the user responds
3. PIX sends the credentials to the AAA server, AAA server acks
4. PIX forwards the packets
PIX Advanced Configuration
User Authentication: Cut-Through-Proxy
• Addressing and conduit must exist!
• FTP, HTTP, Telnet can be proxied
• Other ports can be authorised after authentication
• Watch out: timeout for authorisation! -> the other connections will be cut once the primary one has timed out
PIX Advanced Configuration
User Authentication: Configuration
aaa-server AuthInbound protocol tacacs+
aaa-server AuthInbound (inside) host 10.1.1.1 TheUauthKey
aaa authentication ftp inbound 0 0 0 0 AuthInbound
aaa authorization ftp inbound 0 0 0 0 AuthInbound
• Define the AAA protocol (server group AuthInbound)
• Define the AAA server, its interface and the shared key
• Authenticate all inbound FTP traffic
• Install authorization lists from the server*
* only with TACACS+, not with RADIUS
PIX Advanced Configuration
PIX Failover
(Diagram: Primary and Secondary PIX joined by the Failover Cable and a Failover Link; inside network 10.0.1.x with primary .1 and secondary .2, outside network 192.168.236.x with primary .1 and secondary .2; inside hosts use default gateway 10.0.1.1)
PIX Advanced Configuration
Failover Configuration
(Diagram: Primary .1 and Secondary .2 on 10.0.1.x, Failover Cable, Failover Link)
failover [active]
failover ip address inside 10.0.1.2
failover link ethernet2
• Enable failover
• Address of the standby PIX on the inside interface (configured on the primary; the primary keeps 10.0.1.1 as on the diagram)
• Enable stateful failover (over link ethernet2)
PIX Advanced Configuration
PIX Failover
PIX Advanced Configuration
• Only the primary PIX is configured; write memory on the primary copies the configuration to the standby PIX
• On failover, the standby PIX assumes the MAC and IP addresses of the primary
• Failover takes 15-45 seconds
URL Filtering
PIX Advanced Configuration
(Diagram: inside user — PIX — Internet; the PIX checks the requested URL with a WebSense server on the corporate network)
URL Filtering Configuration
• Outbound HTTP connections can be checked on URL
• Interaction with a 3rd party product, e.g., WebSense
url-server (inside) host 10.0.1.100 timeout 5
filter url http 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0
• url-server: interface and server IP (5 second timeout)
• filter url: filter any URL (any source, any destination)
PIX Advanced Configuration
Various...
• Flooding prevention (reclaims resources from the user authentication subsystem when it is flooded):
floodguard enable|disable
show floodguard
• Fragmentation attack prevention (non-initial fragments are only accepted for an initial fragment already seen):
sysopt security fragguard
• Mailguard (restricts the SMTP commands allowed through to the minimal set):
fixup protocol smtp 25
PIX Advanced Configuration
Example: Redundant PIX Set-Up
(Diagram: redundant PIX pair between the Internet and the corporate network, with a DMZ and a Partners and Clients segment; NetRanger intrusion detection sensors on the segments and NetSonar for vulnerability scanning)
PIX Advanced Configuration
PIX and IPSec
PIX and IPSec*
(Diagram: Main Office PIX terminating IPSec over the Internet for Remote User Access, Branch Offices, Intranet, Extranet and Host-to-host Access, with a Certification Authority (CA))
PIX and IPSec
* since PIX IOS 5.0
IPSec Configuration Steps
1: CA interoperation (opt)
2: IKE
3: IKE Mode (opt)
4: IPSec
PIX and IPSec
IPSec Configuration
PIX and IPSec
access-list 101 permit ip 1.1.1.0 255.255.255.0 2.2.2.0 255.255.255.0
crypto ipsec transform-set myset1 esp-des esp-sha-hmac
crypto map mymap 10 ipsec-isakmp
crypto map mymap 10 match address 101
crypto map mymap 10 set peer 2.2.2.2
crypto map mymap 10 set transform-set myset1
crypto map mymap interface outside
• access-list: what to encrypt...
• transform-set: …and how
• crypto map entry: for this traffic (match address) … use this endpoint (set peer) … with this transform-set
• crypto map … interface: apply to interface
Configuring the CA
ca generate rsa key 512
  generate key-pair (512 bits as on the slide; far too short by today’s standards, use the largest size the platform allows)
ca identity myca.mycompany.com 205.139.94.230
  define CA (nickname and address)
ca configure myca.mycompany.com ca 1 20 crloptional
  retry parameters (retry period 1 minute, 20 retries; CRL check optional)
ca authenticate myca.mycompany.com [<fingerprint>]
  get the CA certificate and check it (against the CA’s fingerprint)
ca enroll myca.mycompany.com mypassword1234567
  send the PIX’s public key to the CA (certificate request with challenge password)
ca save all
  save keys and certificates
PIX and IPSec
!PIX IPSec: Attention!
• Avoid the use of the “any” keyword in crypto access-lists
• IPSec only on the outside interface in 5.0
• No TED (Tunnel Endpoint Discovery) in 5.0
• Make sure the clock is set correctly (certificate validity is checked against it)!
PIX and IPSec
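The configuration slide and the attention list above together give a small set of rules a crypto configuration should satisfy before it goes live. The linter below is an added example, not Cisco code: it parses config lines in the form the deck shows and reports an access-list referenced by a crypto map that uses “any” (or a 0.0.0.0 mask) on either side, a crypto map applied to an interface other than outside, and a map entry missing its match address, peer or transform-set. The function name and the second, deliberately bad config are assumptions for the illustration, and the single-DES finding is an added practitioner caveat rather than a point the deck makes.

```python
"""Lint PIX 5.0 IPSec crypto configuration against the caveats on the slide."""


def _addr(tokens, i):
    """Consume one address spec: 'any', 'host A.B.C.D' or 'A.B.C.D MASK'.
    Returns ((address, mask), index of the next token)."""
    if tokens[i] == "any":
        return ("0.0.0.0", "0.0.0.0"), i + 1
    if tokens[i] == "host":
        return (tokens[i + 1], "255.255.255.255"), i + 2
    return (tokens[i], tokens[i + 1]), i + 2


def lint_crypto_config(text):
    """Return a list of human-readable findings (empty list = nothing to report)."""
    acls, tsets, maps, applied = {}, {}, {}, []
    for raw in text.splitlines():
        t = raw.split()
        if not t or t[0] == "!":
            continue
        if t[0] == "access-list" and len(t) > 4 and t[2] == "permit":
            src, i = _addr(t, 4)
            dst, _ = _addr(t, i)
            acls.setdefault(t[1], []).append((src, dst))
        elif t[:3] == ["crypto", "ipsec", "transform-set"]:
            tsets[t[3]] = t[4:]                       # name -> list of transforms
        elif t[:2] == ["crypto", "map"] and len(t) > 4 and t[3] == "interface":
            applied.append((t[2], t[4]))              # crypto map <name> interface <if>
        elif t[:2] == ["crypto", "map"] and len(t) > 4:
            entry = maps.setdefault((t[2], t[3]), {})  # (name, seq) -> settings
            if t[4] in ("ipsec-isakmp", "ipsec-manual"):
                entry["type"] = t[4]
            elif t[4:6] == ["match", "address"]:
                entry["acl"] = t[6]
            elif t[4:6] == ["set", "peer"]:
                entry["peer"] = t[6]
            elif t[4:6] == ["set", "transform-set"]:
                entry["tset"] = t[6]

    findings = []
    for (name, seq), e in sorted(maps.items()):
        tag = f"crypto map {name} {seq}"
        for key, what in (("acl", "match address"), ("peer", "set peer"), ("tset", "set transform-set")):
            if key not in e:
                findings.append(f"{tag}: missing '{what}'")
        acl = e.get("acl")
        if acl is not None and acl not in acls:
            findings.append(f"{tag}: access-list {acl} is not defined")
        for src, dst in acls.get(acl, []):
            if src[1] == "0.0.0.0" or dst[1] == "0.0.0.0":   # a 0.0.0.0 mask is 'any'
                findings.append(f"{tag}: access-list {acl} uses 'any' "
                                f"({src[0]} {src[1]} -> {dst[0]} {dst[1]}); avoid 'any' in crypto access-lists")
        tset = e.get("tset")
        if tset is not None and tset not in tsets:
            findings.append(f"{tag}: transform-set {tset} is not defined")
        elif tset is not None and "esp-des" in tsets[tset]:
            findings.append(f"{tag}: transform-set {tset} uses single DES (esp-des); "
                            f"prefer esp-3des where licensed (added caveat)")
    for name, ifc in applied:
        if ifc != "outside":
            findings.append(f"crypto map {name} applied to '{ifc}': "
                            f"PIX 5.0 supports IPSec only on the outside interface")
        if not any(n == name for n, _ in maps):
            findings.append(f"crypto map {name} applied to '{ifc}' but has no entries")
    return findings


# The configuration exactly as shown on the deck's IPSec slide.
DECK_CONFIG = """\
access-list 101 permit ip 1.1.1.0 255.255.255.0 2.2.2.0 255.255.255.0
crypto ipsec transform-set myset1 esp-des esp-sha-hmac
crypto map mymap 10 ipsec-isakmp
crypto map mymap 10 match address 101
crypto map mymap 10 set peer 2.2.2.2
crypto map mymap 10 set transform-set myset1
crypto map mymap interface outside
"""

# A constructed configuration that breaks the rules on the attention slide.
BAD_CONFIG = """\
access-list 102 permit ip any any
crypto ipsec transform-set strong esp-3des esp-sha-hmac
crypto map badmap 10 ipsec-isakmp
crypto map badmap 10 match address 102
crypto map badmap 10 set transform-set strong
crypto map badmap interface inside
"""

if __name__ == "__main__":
    for label, cfg in (("deck", DECK_CONFIG), ("bad", BAD_CONFIG)):
        print(label, "->", lint_crypto_config(cfg) or ["clean"])
```

Run against the deck's own configuration the only finding is the single-DES caveat; the constructed bad configuration trips the “any” rule, the missing peer, and the interface restriction.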
IPSec Hardware Accelerators
PIX and IPSec
• Software-only mode: 30-40 Mbps DES (!), 10-20 Mbps 3DES (!)
• PIX Private Link Card (PL2/PL3): 60-80 Mbps DES (3DES not supported on PL2)
• Kodiak (in development): 100 Mbps 3DES
PIX Management
Cisco Security Manager
PIX Management
• Policy-based, not Device-based
• GUI
• Scalable (<100 PIX)
• Any Topology
• Future: Management of all Security Products
PIX Syslog
• Reliable logging (TCP): if the syslog server cannot accept messages (e.g. it is full), the PIX denies all new connections (fails closed)!!
• Unreliable logging: UDP
• Config:
logging host dmz1 192.168.1.5 tcp
logging trap debugging
clock set 14:25:00 apr 1 1999
logging timestamp
• logging host: interface, server IP, tcp / udp
PIX Management
PIX SNMP
• Almost like on a router:
snmp-server host outside 10.1.1.2
snmp-server community secret_xyz
snmp-server syslog disable
snmp-server log_level 5
• snmp-server host: interface and management station
PIX Management
But: PIX only sends traps, no configuration through SNMP
Last Words…
The Direction of Security in Cisco
• Integration: security as an integral part of all products
• CiscoAssure: combine Security, QoS, Voice in one concept
• DEN*: the future is based on directories
* Directory Enabled Networks
Last Words...
• Security needs more than a Firewall…
• Keep it simple -> More Secure
Simple configurations
Split functionality to different devices
• Keep Up To Date!