Upload
souvik-santra
View
2.012
Download
4
Embed Size (px)
Citation preview
Firewall Basics & Internetworking with Cisco PIX -Firewall
Presented by : Souvik Santra[Manager, 3i Infotech Consultancy Services Ltd]
Agenda
Introduction to FirewallsTypes of FirewallsModes and DeploymentsInternetworking with Cisco PIX
What Is a Firewall
A firewall is an access control device that looks at the IP packet, compares with policy rules and decides whether to allow, deny or take some other action on the packet
Outside Network
DMZ Network
Inside Network
Internet
A Simple Analogy The Firewall as the Premise Guard
444
PIX Firewall topology options :-Scenario-1,
Think of your network as an office building with security desks at each entry point. At the desks, security guards check identification and make sure visitors aren’t carrying anything unauthorised in or out of the building. They may also ask you what your purpose is in the building and log the time that you came in or went out. This is exactly what firewalls do at the entry points to your network.The most common use of a firewall is restricting access to your private network from a public network, such as the Internet. Figure A shows an example of this type of topology.
Figure A
Scenario-2,You may also want to create a DMZ (demilitarised zone) between the Internet and your private network. You'd use this segment as the home for servers (like Web servers or external mail servers) that are accessed over the Internet, but still need some protection. Figure B shows an example of this topology.
Scenario-3,A less common—but still very important—use for a firewall is to protect the borders between internal networks. Perhaps you share a network with a business partner, do e-commerce with a vendor through a leased line, or just want to control access between departments (like human resources or accounting and everyone else). A firewall can serve this purpose as well, as illustrated in Figure C.
Agenda
Introduction to FirewallsTypes of FirewallsModes and DeploymentsInternetworking with Cisco PIX Firewall
Firewall Technologies
Packet filtering gateways routers with simple ACLs
Stateful inspection firewalls Cisco PIX, Cisco routers with firewall feature set,
check point Proxy firewalls
Gauntlet, Sidewinder Personal firewalls
Symantec, Check Point Zone, Sygate…. NAT firewalls
PIX, ASA, Linksys, Netgear
Packet Filtering Gateways
In packet filtering, only the protocol and the address information of each packet is examined. Its contents and context (its relation to other packets and to the intended application) are ignored. The firewall pays no attention to applications on the host or local network and it "knows" nothing about the sources of incoming data.
Filtering consists of examining incoming or outgoing packets and allowing or disallowing their transmission or acceptance on the basis of a set of configurable rules, called policies.Packet filtering policies may be based upon any of the following:
Allowing or disallowing packets on the basis of the source IP address Allowing or disallowing packets on the basis of their destination port Allowing or disallowing packets according to protocol.
Packet Filtering Gateways (cont.)
Stateless—Two Separate ACLs Are Required1. Permit HTTP traffic from 10.0.0.0 to www.yahoo.com2. Permit HTTP traffic from www.yahoo.com to 10.0.0.0
InsideOutside
10.0.0.15
www.yahoo.comGet Sports Page (Request)
Sports Page (Reply)
Internet
Stateful Inspection Firewalls Also referred to as dynamic packet filtering.
A Stateful firewall may examine not just the header information but also the contents of the packet up through the application layer in order to determine more about the packet than just information about its source and destination. A stateful inspection firewall also monitors the state of the connection and compiles the information in a state table.
With Stateful Packet Inspection (SPI), every time a packet is sent out of the computer, the firewall keeps track of it. When a packet comes back to the firewall, the firewall can tell whether or not the in-bound packet is a reply to the packet that was sent out.This way, the firewall can handle most network traffic safely without a complex configuration of firewall rules.
As an added security measure against port scanning, stateful inspection firewalls close off ports until connection to the specific port is requested.
Packet filters operate at the network layer (layer-3) and function more efficiently because they only look at the header part of a packet.
State TableState Table
Stateful firewalls maintain aStateful firewalls maintain a state table state table showing the showing the current connectionscurrent connections
Stateful Inspection Firewalls (cont.)
Stateful—Only One ACL Is Required1. Permit HTTP traffic from 10.0.0.0 to www.yahoo.com
InsideOutside
10.0.0.15
www.yahoo.comGet Sports Page (Request)
Sports Page (Reply)
Internet
InsideNetwork
OutsideNetwork
Internet
Proxy Firewalls
All requests and replies pass though a proxy server; no direct connection between a client and the server; everything is proxied—thus the name
Proxy Server
Proxy Firewalls (Cont.)
Two Separate TCP Connections Client to proxy firewall Proxy firewall to www.yahoo.com
InsideNetwork
Internet
Proxy Server
11
4433
22 Get Sports Page (Request)
Sports Page (Reply)www.yahoo.com
Personal Firewalls
A version of network firewalls for laptops and desktops
Disallow inbound connections unless explicitly allowed Watches inbound/outbound traffic Protect laptops and desktops from attacks. Example : Trend Micro, Symantec, AVG, McAfee…
NAT Firewalls NAT Firewalls hide all internal addresses—thus protect small networks from
external attacks as internal addresses are not exposed. Network Address Translation (NAT) is simply that – it takes a network address, and
“translates” it to another network address. It is a simple lookup table, where each row is created by a router command with the two addresses. The user address is behind the router on the LAN interface, and the Internet address is sent out across the serial interface.The NAT table (lookup table) in the router can be configured in two ways.
Static NAT - for security - requires n Internet IP addresses - assign unique, unregistered local IP addresses to all users, and use unique Internet addresses as well. Users can all use the same port !!!
Dynamic NAT (NAT & PAT) - for overloading - requires 1 outside Internet IP address - assign unique, unregistered local IP addresses to all users. Must use unique ports for each user !!!Dynamic NAT allows overloading - multiple users access the Internet via one IP address. This is used by Microsoft ICS (Internet Connection Sharing) and by DSL routers that have several home user PC’s connected. In fact, every Cable/DSL Broadband Router on the market accomplishes its job with NAT.
PAT is a subset of NAT, and is closely related to the concept of Network Address Translation. PAT is also known as NAT Overload. In PAT there is generally only one publicly exposed IP address and multiple private hosts connecting through the exposed address. Incoming packets from the public network are routed to their destinations on the private network by reference to a table held within the PAT device which keeps track of public and private port pairs.
NAT/PAT Firewalls (Cont.)
10.2.0.0 /24
192.168.0.0
10.0.0.0/24
Global pool192.168.0.17-30
Global pool192.168.0.3-14
10.0.0.11
10.0.0.4
10.0.0.11192.168.0.20
Port 2000
10.0.0.4192.168.0.20
Port 2001
NAT
PAT
Internet
Internet
Cisco PIX 515E Firewall Overview
Cisco PIX (Private Internet eXchange) is a popular IP
firewall and network address translation (NAT) appliance On January 28, 2008, Cisco announced the end-of-sale and end-of-life
dates for all Cisco PIX Security Appliances, software, accessories, and licenses. The last day for purchasing Cisco PIX Security Appliance platforms and bundles was July 28, 2008. The last day to purchase accessories and licenses was January 27, 2009. It is important to note that Cisco will continue to support Cisco PIX Security Appliance customers through July 27, 2013.
In May 2005, Cisco introduced the Adaptive Security Appliance (ASA) which combines functionality from the PIX, VPN 3000 series and IPS product lines. The ASA series of devices run PIX code 7.0 and later. Through PIX OS release 7.x the PIX and the ASA use the same software images. Beginning with PIX OS version 8.x, the operating system code diverges, with the ASA using a Linux kernel and PIX continuing to use the traditional Finesse/PIX OS combination.
Packet contains…
How it connects …
PIX Firewall Comparison Chart
PIX Firewall Licensing
Cisco PIX Firewall licenses are available in Unrestricted, Restricted, and Fail-Over configurations.
Unrestricted—PIX Firewall platforms in an Unrestricted (UR) license mode allow installation and use of the maximum number of interfaces and RAM supported by the platform.
The Unrestricted license supports a redundant 'hot standby' system for Fail-over operation to minimize network downtime.
PIX Firewall Licensing (cont..)
Restricted— PIX Firewall platforms in a Restricted (R) license mode limit the number of interfaces supported and the amount of RAM available within the system. A restricted license provides a cost-optimized firewall solution for simplified network connectivity requirements, or where lower than the maximum number of user connections are acceptable. A Restricted licensed firewall does not support a redundant system for fail-over configurations.
Fail-Over— The Fail-Over (FO) software licenses place the Cisco PIX Firewall in a 'hot-standby' mode for use along side another PIX Firewall with an Unrestricted license. Fail-Over software licensing provides stateful fail-over capabilities thus enabling high availability network architectures. The fail-over PIX firewall acts as a fully redundant system maintaining state with all active sessions on the primary PIX Firewall, thereby minimizing connection disruptions due to equipment or network failures.
Multiple Interfaces and Security Levels
All PIX Firewalls provide at least two interfaces assigned a security level of 0 and 100, respectively
Cut-Through Proxy
Unique feature of a PIX Firewall Allows user-based authentication of inbound or
outbound connections A PIX Firewall uses cut-through proxy to
authenticate a connection and then allow traffic to flow quickly and directly
User Authentication:Cut-Through-Proxy
Private Network
Public Network
AAAout side
in side
Outside User
www
HTTPRequest
1. HTTP request packet intercepted by PIX
12. PIX asks user for credentials, he responds2
3. PIX sends credentials to AAA server, AAA server ack’s
3
4. PIX forwards packets
4
PIX AdvancedConfiguration
Access Lists
Uses standard and extend ACL’sImplemented using access-list and
access-group commands
Standard IP Access Lists Example : The standard IP access lists filter the network by using the source IP address in an IP packet.
You could create a standard IP access list by using the access list numbers 1-99. Router # configure terminal
Router (config) # access-list 10 deny 172.16.40.0 0.0.0.255Router (config) # access-list 10 permit anyRouter (config) # interface e0Router (config-if) # ip access-group 10 out
Extended IP Access Lists Example : The extended IP access lists allow you to choose your source and destination IP address as
well as the protocol and the logical port number, which identify the upper-layer protocol or application. By using extended IP access lists, you can effectively allow access to a physical LAN and stop them from using certain services. You'll use the extended IP access list range from 100 to 199.
Router # configure terminalRouter (config) # access-list 110 deny tcp any host 172.16.10.5 eq 21Router (config) # access-list 110 deny tcp any host 172.16.10.5 eq 23Router (config) # access-list 110 permit ip any any
Monitoring IP Access Lists :
Show access-list: This command displays all access lists and their parameters configured on the router. This command does not show you that on which interface the list is set.
Show ip access-list: This command shows only the IP access lists configured on the router. Show ip access-list access list no: This command displays the detail of the specific IP
access list configured on the router. Show ip interface interface no: This command shows that which interfaces have access lists
set and in which direction. Show running-config : This command shows the access lists configuration and the interfaces
status
Only 4 Ways through the PIX
Private Network
Public Network
1:
inside to outside;
(Limit with ”outbound” and”apply”)
2:user authentication
AAA
3:conduit
out side
in side
PIX “Inside”
4*:Access List
* since PIX IOS 5.0
Destination Address Translation: Alias The PIX's alias feature is used to set up a mechanism
whereby the destination IP addresses contained in packets going from one interface to another are NATed (translated).
This is necessary in various situations, especially where an external DNS server is used to resolve the names for servers on the inside or DMZ networks, where an IP address is being illegally used in the private network behind the PIX, or where two enterprise networks are marged to form one network across a PIX firewall.
The alias command not only translate the destination IP address, but can also doctor the DNS responses passing through the PIX to comply with the translation taking place on the destination IP address.
PIX “Inside”
How “alias” WorksPIX “Inside”
Inside User
www
2.2.2.2Internet
Company
2.2.2.2
alias:3.3.3.3 = 2.2.2.2 inside outside
www.x.com1. Access
www.x.com
2. DNS query
3. Reply: 2.2.2.2
4. Reply: 3.3.3.3
Conflict
5. DestinationNAT
alias:3.3.3.3 = 2.2.2.2 inside outside
Address Translation:Alias Configuration
alias (inside) 3.3.3.3 2.2.2.2 255.255.255.255
static (inside,outside) 2.2.2.2 3.3.3.3 netmask 255.255.255.255
Use this destinationaddress on the inside...
…for this destinationaddress on the outside
PIX “Inside”
Map this source on outside...
…to this one on inside
DestinationNAT
Source NAT
Conduits When you have private addresses on your LAN and public
addresses on the outside of the Pix, you can allow connectivity to the LAN on a port by port basis!
(1)Adding a Static Route Type "conf t" to enter terminal-configuration mode.
Type "static (high-security_if_name,low-security_if_name) outside_ip inside_ip"
Examples: static (inside,outside) 100.100.100.130 10.1.1.130
Type "wr mem" to save changes to flash memory (otherwise they will be lost if pix is restarted.
PIX “Inside”
Conduits (Cont.) (2)Adding a Conduit:
Type "conf t" to enter terminal-configuration mode.
Type: "conduit permit|deny protocol outside_ip operator port any" "permit" allows access and "deny" blocks it. "protocol" is either "tcp", "udp", or "ip". "operator" is "eq" or "range". "port" is either a port number, the common name of a service (www, telnet, pop3, etc.),
or a range (Port 80 to 90 would be: 80 90).
Type "wr mem" to save changes to flash memory (otherwise they will be lost if pix is restarted.
For example, if we have a web server at 10.1.1.27 internally, and we want it to be available externally at 100.100.100.27 on port 80 only, here are the exact commands:
static (inside,outside) 100.100.100.27 10.1.1.27
conduit permit tcp host 100.100.100.27 eq www any
That's it!
Fail-over The failover feature allows us to use a standby PIX Firewall to take over the
functionality of a failed PIX Firewall. When the active unit fails, it changes to the standby state, while the standby unit changes to the active state. The unit that becomes active takes over the active unit's IP addresses and MAC addresses, and begins passing traffic. The unit that is now in standby state takes over the standby IP addresses and MAC addresses. Because network devices see no change in the MAC to IP address pairing, no ARP entries change or time out anywhere on the network. (See the "Primary and Secondary Vs. Active and Standby" section for more information about MAC addresses).
The PIX Firewall supports two types of failover:
• Regular Failover—When a failover occurs, all active connections are dropped and clients need to reestablish connections when the new active unit takes over.
• Stateful Failover—During normal operation, the active unit continually passes per-connection stateful information to the standby unit. After a failover occurs, the same connection information is available at the new active unit. Supported end-user applications are not required to reconnect to keep the same communication session.
PIX Failover
Primary Secondary
.1
10.0.1.x
192.168.236.x.2
.1 .2
Failover Cable
PIX AdvancedConfiguration
Failover Link
default gateway10.0.1.1
.1
Failover Configuration
Primary Secondary
10.0.1.x
.1 .2
Failover Cable
PIX AdvancedConfiguration
Failover Link
failover [active]failover ip address inside 10.0.1.1failover link ethernet2
Enable failover Address for Standby PIX(configured on primary)
Enable statefulness(over link eth2)
CISCO PIX Configuration Commands
Basic Configuration Commands
Some commands share the same syntax in PIX OS and IOS, but have different functionality. The six primary commands that you need to watch out for are:
nameif —assigns a name and security level to an interface
interface —used to assign hardware parameters (like full or half duplex) and to shutdown interfaces
ip address —assigns an IP address and other IP parameters to an interface
nat —does network address translation between the inside interfaces and outside interfaces
global —does network address translation between the outside and inside interfaces
route —configures an IP route
‘interface’ CommandThe interface command identifies the interface hardware card, sets the speed of the interface, and enables the interface all in one command. All interfaces on a Cisco PIX Firewall are shut down by default and are explicitly enabled by the interface command. The basic syntax of the interface command is as follows:interface hardware_id hardware_speed [shutdown] Table describes the command parameters for the interface command.
Command Parameter Description
hardware_id Indicates the interface's physical location on the Cisco PIX Firewall.
hardware_speed Sets the connection speed, depending on which medium is being used. 1000auto sets Ethernet speeds automatically. However, it is recommended that you configure the speed manually.1000sxfull—Sets full-duplex Gigabit Ethernet.1000basesx—Sets half-duplex Gigabit Ethernet.1000auto—Automatically detects and negotiates full-/half-duplex Gigabit Ethernet.10baset—Sets 10 Mbps half-duplex Ethernet (very rare these days).10full—Sets 10 Mbps full-duplex Ethernet.100full—Sets 100 Mbps full-duplex Ethernet.100basetx—Sets 100 Mbps half-duplex Ethernet.Make sure that the hardware_speed setting matches the port speed on the Catalyst switch the interface is connected to.
shutdown The shutdown parameter administratively shuts down the interface. This parameter performs a very similar function in Cisco IOS Software. However, unlike with IOS, the command no shutdown cannot be used here. To place an interface in an administratively up mode, you reenter the interface command without the shutdown parameter.
Here are some examples of the interface command:
interface ethernet0 100fullinterface ethernet1 100fullinterface ethernet2 100full
‘nameif’ CommandAs the name intuitively indicates, the nameif command is used to name an interface and assign a security value from 1 to 99. The outside and inside interfaces are named by default and have default security values of 0 and 100, respectively. By default, the interfaces have their hardware ID. Ethernet 0 is the outside interface, and Ethernet 1 is the inside interface. The names that are configured by the nameif command are user-friendly and are easier to use for advanced configuration later.The syntax of the nameif command is,
nameif hardware_id if_name security_level
Table describes the command parameters for the nameif command.
CommandParameter
Description
hardware_id
Indicates the interface's physical location on the Cisco PIX Firewall.
if_name The name by which you refer to this interface. The name cannot have any spaces and must not exceed 48 characters.
security_level
A numerical value from 1 to 99 indicating the security level.
Here are some examples of the nameif command:nameif ethernet0 outside security0nameif ethernet1 inside security100nameif ethernet2 dmz security20
The security_level value controls how hosts/devices on the different interfaces interact with each other. By default, hosts/devices connected to interfaces with higher security levels can access hosts/devices connected to interfaces with lower-security interfaces. Hosts/devices connected to interfaces with lower-security interfaces cannot access hosts/devices connected to interfaces with higher-security interfaces without the assistance of access lists or conduits.You can verify your configuration by using the show nameif command.
‘ip address’ Command
All the interfaces on the Cisco PIX Firewall that will be used must be configured with an IP address. The IP address can be configured manually or through Dynamic Host Configuration Protocol (DHCP). The DHCP feature is usually used on Cisco PIX Firewall small office/home office (SOHO) models. DHCP is discussed later in this chapter.The ip address command is used to configure IP addresses on the PIX interfaces. The ip address command binds a logical address (IP address) to the hardware ID. Table describes the parameters for the ip address command, the syntax of which is as follows:
ip address if_name ip_address [netmask]
Table ip address Command Parameters
Command Parameter
Description
if_name The interface name that was configured using the nameif command.
ip_address The interface's IP address.
netmask The appropriate network mask. If the mask value is not entered, the PIX assigns a classful network mask.
Here's an example of the ip address command: ip address inside 10.10.10.14 255.255.255.0
Use the show ip command to view the configured IP address on the PIX interface.
‘nat’ Command
The nat (Network Address Translation) command lets you translate a set of IP addresses to another set of IP addresses.NOTEPIX 6.2 supports bidirectional translation of inside network IP addresses to global IP addresses and translation of outside IP addresses to inside network IP addresses.The nat command is always paired with a global command, with the exception of the nat 0 command. Table describes the command parameters for the nat command, the syntax of which is as follows:
nat (if_name) nat_id local_ip [netmask]
Table nat Command Parameters
Command Parameter Description(if_name) The internal network interface name.nat_id The ID number to match with the global address pool.local_ip The IP address that is translated. This is usually the inside network IP address.
It is possible to assign all the inside network for the local_ip through nat (inside) 1 0 0.
netmask Network mask for the local IP address.
Here are some examples of the nat command:
nat (inside) 1 10.10.10.0 255.255.255.0 nat (inside) 1 172.16.1.0 255.255.255.0
‘Global’ Command
The global command is used to define the address or range of addresses that the addresses defined by the nat command are translated into. It is important that the nat_id be identical to the nat_id used in the nat command. The nat_id pairs the IP address defined by the global and nat commands so that network translation can take place. The syntax of the global command is
global (if_name) nat_id global_ip | global_ip-global_ip [netmask]
Table global Command ParametersCommand Parameter Description(if_name) The external network where you use these global addresses.nat_id Identifies the global address and matches it with the nat command it is pairing with.global_ip A single IP address. When a single IP address is specified, the PIX automatically
performs Port Address Translation (PAT). A warning message indicating that the PIX will PAT all addresses is displayed on the console.
global_ip-global_ip Defines a range of global IP addresses to be used by the PIX to NAT.netmask The network mask for the global IP address(es).
There should be enough global IP addresses to match the local IP addresses specified by the nat command. If there aren't, you can leverage the shortage of global addresses by PAT entry, which permits up to 64,000 hosts to use a single IP address. PAT divides the available ports per global IP address into three ranges:0 to 511512 to 10231024 to 65535PAT assigns a unique source port for each UDP or TCP session. It attempts to assign the same port value of the original request, but if the original source port has already been used, PAT starts scanning from the beginning of the particular port range to find the first available port and assigns it to the conversation. PAT has some restrictions in its use. For example, it cannot support H.323 or caching name server use. The following example shows a configuration using a range of global IP and single IP for PAT:
nat (inside) 1 10.0.0.0 255.0.0.0global (outside) 1 192.168.10.15-192.168.1.62 netmask 255.255.255.0global (outside) 1 192.168.10.65 netmask 255.255.255.0
When a host or device tries to start a connection, the PIX Firewall checks the translation table if there is an entry for that particular IP. If there is no existing translation, a new translation slot is created. The default time that a translated IP is kept in the translation table is 3 hours. You can change this with the timeout xlate hh:mm:ss command. To view the translated addresses, use the show xlate command.
route CommandThe route command tells the Cisco PIX Firewall where to send information that is forwarded on a specific interface and that is destined for a particular network address. You add static routes to the PIX using the route command.Table 6-6 describes the route command parameters, the syntax of which is as follows:
route if_name ip_address netmask gateway_ip [metric]
Table : route Command ParametersCommand Parameter Description
if_name The name of the interface where the data leaves from.
ip_address The IP address to be routed.
netmask The network mask of the IP address to be routed.
gateway_ip The IP address of the next-hop address. Usually this is the IP address of the perimeter router.
metric Specifies the number of hops to gateway_ip.
The following example shows a default route configuration on a Cisco PIX Firewall:route outside 0.0.0.0 0.0.0.0 192.168.1.3 1
The 1 at the end indicates that the gateway router is only one hop away. If a metric is not specified in the route command, the default is 1. You can configure only one default route on the PIX Firewall. It is good practice to use the clear arp command to clear the PIX Firewall's ARP cache before testing your new route configuration.
Commands Descriptions
enable Specifies to activate a process, mode, or privilege level.
interface Identifies the speed and duplex settings of the network interface boards.
nameif Lets you name interfaces and assign security levels.
ip address Identifies addresses for network interfaces and lets you set how many times the PIX Firewall polls for DHCP information.
nat Lets you associate a network with a pool of global IP addresses.
global Defines a pool of global addresses. The global addresses in the pool provide an IP address for each outbound connection and for inbound connections resulting from outbound connections. Ensure that associated nat and global command statements have the same nat_id.
route Used to enter a default or static route for an interface.
write terminal
Displays the current configuration on the terminal.
rip Enables IP routing table updates from received RIP broadcasts.
dhcpd Controls the DHCP server feature.
ntp server Synchronizes the PIX Firewall with the network time server that is specified and authenticates according to the authentication options that are set.
clock Lets you specify the time, month, day, and year for use with time-stamped syslog messages.
SummaryTable provides a quick reference to the commands needed to configure the Cisco PIX Firewall, time server and NTP support, and the DNS server.
THANK YOU