8/2/2019 L2 - PIX-Firewall - 2(1) http://slidepdf.com/reader/full/l2-pix-firewall-21

L2 - PIX-Firewall - 2(1)

FIREWALL


PIX Firewall

1. NAT/PAT
2. Security Levels to Interfaces
3. Basic rules of Firewall
4. PIX NAT/PAT
5. Access Control List (ACL)
6. Authentication Cut-through
7. Basic Configuration
8. Attacks and Preventions
9. Alias
10. Application Inspection (FIXUP)
11. PIX Proxy ARP


8. Attacks and Preventions

SYN attack
Disable the victim by generating a large number of half-open (embryonic) TCP connections: the attacker sends SYNs, usually from spoofed sources, and never completes the handshake, so the victim's connection table fills up with half-open entries.

PIX keeps track of the half-open connections to each protected host. Once the embryonic-connection limit (configured on the static or nat command) is reached, or a connection has stayed half-open for too long, PIX starts closing those connections.

PIX proxy TCP
PIX performs the TCP three-way handshake on behalf of the end station. Only when the handshake with the client has completed does PIX open the connection through to the end station behind it, so spoofed SYNs that are never acknowledged never reach the server.
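The two behaviours above, as an added example that is not part of the slides and not Cisco's implementation: a toy firewall that forwards SYNs to the inside server while the count of half-open connections is below an assumed embryonic limit, and once the limit is reached answers new SYNs itself with its own random ISN, forwarding a connection inside only after the client has acknowledged that ISN. The addresses, the `em_limit` value and the packet fields are constructed for the simulation; ports and the sequence-number translation a real proxy needs on the second leg are left out.

```python
from __future__ import annotations

import random
from dataclasses import dataclass


@dataclass
class Packet:
    src: str      # source IP (ports left out to keep the model small)
    dst: str      # destination IP
    flags: str    # "SYN", "SYN-ACK" or "ACK"
    seq: int = 0
    ack: int = 0


class SynGuard:
    """Toy firewall between outside clients and one inside server.

    half_open: SYNs already forwarded to the server whose handshake has not
               completed (a SYN flood piles these up on the victim).
    proxied:   SYNs the firewall answered itself once half_open reached
               em_limit; the server never sees them unless the client proves
               it is real by acknowledging the firewall's own ISN.
    """

    def __init__(self, em_limit: int, seed: int | None = None):
        self.em_limit = em_limit
        self.rng = random.Random(seed)
        self.half_open: dict[tuple[str, str], int] = {}
        self.proxied: dict[tuple[str, str], int] = {}
        self.established: set[tuple[str, str]] = set()
        self.to_server: list[Packet] = []   # what the inside host actually receives
        self.to_client: list[Packet] = []   # what the firewall sends outward itself

    def intercepting(self) -> bool:
        """Embryonic limit reached: new SYNs are proxied instead of forwarded."""
        return len(self.half_open) >= self.em_limit

    def from_outside(self, pkt: Packet) -> str:
        key = (pkt.src, pkt.dst)
        if pkt.flags == "SYN":
            if key in self.half_open or key in self.proxied or key in self.established:
                return "duplicate"           # retransmit: adds no state
            if not self.intercepting():
                self.half_open[key] = pkt.seq
                self.to_server.append(pkt)
                return "forwarded"
            isn = self.rng.getrandbits(32)   # firewall's own ISN for this client
            self.proxied[key] = isn
            self.to_client.append(Packet(pkt.dst, pkt.src, "SYN-ACK", seq=isn,
                                         ack=(pkt.seq + 1) & 0xFFFFFFFF))
            return "intercepted"
        if pkt.flags == "ACK":
            if key in self.half_open:
                del self.half_open[key]
                self.established.add(key)
                self.to_server.append(pkt)
                return "established"
            if key in self.proxied:
                if (pkt.ack - self.proxied[key]) & 0xFFFFFFFF != 1:
                    return "bad-ack"         # a spoofed source never learns our ISN
                del self.proxied[key]
                self.established.add(key)
                # The client is real: now run the handshake with the server on its
                # behalf (sequence-number translation between the two legs omitted).
                self.to_server.append(Packet(pkt.src, pkt.dst, "SYN",
                                             seq=(pkt.seq - 1) & 0xFFFFFFFF))
                return "established-proxied"
        return "dropped"

    def from_inside(self, pkt: Packet) -> str:
        """Server replies pass only for connections the firewall forwarded."""
        key = (pkt.dst, pkt.src)
        if pkt.flags == "SYN-ACK" and key in self.half_open:
            self.to_client.append(pkt)
            return "forwarded"
        return "dropped"


def run_demo(em_limit: int = 2) -> SynGuard:
    """Constructed scenario: a spoofed-source flood, then a real client."""
    fw = SynGuard(em_limit, seed=7)
    server = "192.168.1.10"
    for i, src in enumerate(["203.0.113.1", "203.0.113.2", "203.0.113.3"]):
        fw.from_outside(Packet(src, server, "SYN", seq=1000 + i))  # never ACKed
    client = "198.51.100.25"
    fw.from_outside(Packet(client, server, "SYN", seq=5000))        # intercepted
    synack = fw.to_client[-1]                                       # firewall's SYN-ACK
    fw.from_outside(Packet(client, server, "ACK", seq=5001, ack=synack.seq + 1))
    return fw


if __name__ == "__main__":
    fw = run_demo()
    print("SYNs that reached the server:", [p.src for p in fw.to_server if p.flags == "SYN"])
    print("still half-open on the server:", len(fw.half_open))
```

In the demo only the first two flood SYNs reach the server; the third and the real client's SYN are answered by the firewall, and only the real client, which can echo the firewall's ISN, is then connected through. A real implementation also ages out the proxied entries, otherwise the firewall becomes the host that is flooded.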

SYN Attacks (figure)


8. Attacks and Preventions

Hijacking attack
The initial sequence number (ISN) of TCP is not random on many older stacks.
An attacker who knows how the victim generates its ISN can establish a TCP session with the victim while spoofing the address of a trusted host, because the attacker can supply the correct ACK number without ever seeing the victim's SYN-ACK.

PIX proxies the sequence number in outgoing packets:
Create a new, more random sequence number.
Use the new number as the sequence number in the outgoing packet and remember the difference between the original and the new number.
When return traffic for that connection is received, PIX restores the sequence number (using the stored difference) and forwards the packet to the destination on the inside network.


8. Attacks and Preventions

Hijacking attack (figure; only the message labels survive):
SYN attack (DoS) to disable the trusted host (or server) first
SYN, Seq=12345
SYN-ACK, seq=24680
rlogin: SYN, seq=12345 / SYN-ACK, seq=24680
ACK, Ack #=24681 (the attacker supplies ISN + 1 without having seen the SYN-ACK)
Result: "reduce the security level"


8. Attacks and Preventions

PIX proxy TCP and initial sequence number (figure)
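The hijacking attack and the ISN proxying described above, as an added example that is not from the slides and not Cisco's code: an inside server with a predictable ISN generator (a constant step per connection), an attacker who samples two ISNs from its own address and then spoofs a trusted host, and a firewall that rewrites the ISN of every outgoing SYN-ACK with a random value, remembers the offset, and takes it back out of the ACK numbers on the return path. The addresses, the step size of 64000, the rlogin port 513 and the single-connection handshake are constructed for the simulation.

```python
from __future__ import annotations

import random
from dataclasses import dataclass

MASK = 0xFFFFFFFF


@dataclass
class Segment:
    src: str
    dst: str
    sport: int
    dport: int
    seq: int
    ack: int
    flags: str


class Server:
    """Inside host with a predictable ISN generator: every new connection gets the
    previous ISN plus a fixed step (old BSD behaviour, the slide's "not random")."""

    def __init__(self, ip: str, start: int = 100_000, step: int = 64_000):
        self.ip, self.next_isn, self.step = ip, start, step
        self.pending: dict[tuple[str, int], int] = {}   # (peer ip, peer port) -> our ISN

    def syn(self, seg: Segment) -> Segment:
        isn, self.next_isn = self.next_isn, (self.next_isn + self.step) & MASK
        self.pending[(seg.src, seg.sport)] = isn
        return Segment(self.ip, seg.src, seg.dport, seg.sport, isn, (seg.seq + 1) & MASK, "SYN-ACK")

    def ack(self, seg: Segment) -> bool:
        """Third step of the handshake: accepted only if the peer echoes our ISN + 1."""
        isn = self.pending.get((seg.src, seg.sport))
        return isn is not None and seg.ack == (isn + 1) & MASK


class IsnRandomizer:
    """Firewall in front of the server (toy version of the PIX behaviour on the slide):
    each SYN-ACK leaving the inside gets a fresh random ISN, the offset from the real
    ISN is remembered per connection, and that offset is removed from the ACK numbers
    of the return traffic before it is forwarded inside."""

    def __init__(self, seed: int | None = None, enabled: bool = True):
        self.rng = random.Random(seed)
        self.enabled = enabled
        self.delta: dict[tuple[str, int], int] = {}   # (outside ip, outside port) -> offset

    def outbound(self, seg: Segment) -> Segment:
        key = (seg.dst, seg.dport)
        if self.enabled and seg.flags == "SYN-ACK":
            self.delta[key] = (self.rng.getrandbits(32) - seg.seq) & MASK
        d = self.delta.get(key, 0)
        return Segment(seg.src, seg.dst, seg.sport, seg.dport, (seg.seq + d) & MASK, seg.ack, seg.flags)

    def inbound(self, seg: Segment) -> Segment:
        d = self.delta.get((seg.src, seg.sport), 0)
        return Segment(seg.src, seg.dst, seg.sport, seg.dport, seg.seq, (seg.ack - d) & MASK, seg.flags)


def predict_isn(observed: list[int]) -> int:
    """Attacker's model: ISNs grow by a constant step, so the next is last + step."""
    a, b = observed[-2], observed[-1]
    return (b + (b - a)) & MASK


def hijack_attempt(randomize: bool) -> bool:
    """Constructed scenario: the attacker (203.0.113.7) samples two ISNs from its own
    address, then spoofs the trusted host (10.0.0.9) on the rlogin port and guesses the
    ISN of a SYN-ACK it never sees. Returns True if the server accepts the spoofed handshake."""
    server = Server("192.168.1.10")
    fw = IsnRandomizer(seed=11, enabled=randomize)
    attacker, trusted, rlogin = "203.0.113.7", "10.0.0.9", 513

    observed = []
    for sport in (40000, 40001):
        probe = Segment(attacker, server.ip, sport, rlogin, 777, 0, "SYN")
        observed.append(fw.outbound(server.syn(fw.inbound(probe))).seq)

    # Spoofed SYN "from" the trusted host. The SYN-ACK goes to the trusted host, which
    # the attacker has silenced with a SYN flood beforehand, so its ISN is never seen.
    spoofed_syn = Segment(trusted, server.ip, 1023, rlogin, 4242, 0, "SYN")
    fw.outbound(server.syn(fw.inbound(spoofed_syn)))

    guess = predict_isn(observed)
    spoofed_ack = Segment(trusted, server.ip, 1023, rlogin, 4243, (guess + 1) & MASK, "ACK")
    return server.ack(fw.inbound(spoofed_ack))


if __name__ == "__main__":
    print("predictable ISN, no firewall help:", hijack_attempt(randomize=False))
    print("PIX-style ISN randomization:      ", hijack_attempt(randomize=True))
```

Without the randomizer the two sampled ISNs (100000 and 164000) give away the step, the guess 228000 is exactly the server's next ISN and the spoofed ACK is accepted. With it the attacker sees only random values, and even a correct guess of the server's real ISN would fail, because the firewall subtracts a per-connection offset the attacker does not know before the ACK reaches the server.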



8. Attacks and Preventions

UDP
UDP has no connection state to monitor (no handshake and no teardown).
PIX creates a connection entry for the first packet of a UDP flow so that the return traffic can be matched, and uses an idle timer to expire the entry once the flow goes quiet, so an entry cannot be kept open indefinitely.


8. Attacks and Preventions

Tiny fragment attack: the first fragment is made so small that the TCP header (and the flags and ports an ACL would check) is pushed into the second fragment, which a filter that inspects only the first fragment never sees.
Overlapping fragment attack: a later fragment overlaps the first one and overwrites TCP header fields (for example the destination port) after the filter has already passed the first fragment.

Old version of protection against these two attacks:
FO = 1 and PROTOCOL = TCP: discard the packet (a TCP fragment with offset 1 starts inside the TCP header, which a legitimate second fragment never does; this is the rule from RFC 1858).


8. Attacks and Preventions

New version of protection in PIX/ASA: the FragGuard virtual reassembly feature, since version 5.1:
Full reassembly of all ICMP error messages.
Virtual reassembly of the remaining IP fragments that are routed through the PIX Firewall: the fragments of a datagram are held and checked as a whole (no overlaps, no gaps, complete headers) before any of them is forwarded; they are still forwarded as fragments, not re-sent as one packet.
The previous restriction of the FragGuard feature that the initial fragment must arrive first has been relieved.
Virtual reassembly is enabled by default and no mechanism is provided to disable it.
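The old FO = 1 rule and the virtual-reassembly checks from the two slides above, as an added example that is not from the slides and not Cisco's code. Fragments are modelled by their IP identification, protocol, offset (in 8-byte units, like the FO field), MF flag and payload length; `fraggard_legacy` is the single-fragment rule, `VirtualReassembler` buffers a datagram's fragments in any order and drops the set on overlap or on a first TCP fragment shorter than an assumed 20-byte minimum. The datagrams in the demo are constructed.

```python
from __future__ import annotations

from dataclasses import dataclass

TCP = 6
MIN_TCP_HEADER = 20   # bytes the first TCP fragment must carry (assumed policy value)


@dataclass(frozen=True)
class Fragment:
    ident: int      # IP identification: groups the fragments of one datagram
    proto: int      # IP protocol number
    offset: int     # fragment offset field (FO), in 8-byte units
    more: bool      # MF flag
    length: int     # payload bytes carried by this fragment

    @property
    def start(self) -> int:
        return self.offset * 8

    @property
    def end(self) -> int:
        return self.start + self.length


def fraggard_legacy(f: Fragment) -> bool:
    """The older rule from the slide: a TCP fragment with FO == 1 would start inside
    the TCP header, which no legitimate second fragment does, so it is discarded.
    Returns True if the fragment is accepted."""
    return not (f.proto == TCP and f.offset == 1)


class VirtualReassembler:
    """Holds the fragments of each datagram (any arrival order) and judges the whole
    set: no overlaps, no gaps, and a first fragment that contains the transport header.
    Nothing is released until the verdict is "pass" (forwarding itself is not modelled)."""

    def __init__(self) -> None:
        self.buffers: dict[int, list[Fragment]] = {}

    def add(self, f: Fragment) -> str:
        frags = self.buffers.setdefault(f.ident, [])
        frags.append(f)
        verdict = self._verdict(frags)
        if verdict != "pending":
            del self.buffers[f.ident]       # drop the set, or release it for forwarding
        return verdict

    @staticmethod
    def _verdict(frags: list[Fragment]) -> str:
        frags.sort(key=lambda x: x.start)
        for a, b in zip(frags, frags[1:]):
            if b.start < a.end:             # any overlap, whichever fragment came first
                return "drop: overlapping fragments"
        first = frags[0]
        if first.start != 0:
            return "pending"                # initial fragment not here yet (no longer fatal)
        if first.proto == TCP and first.more and first.length < MIN_TCP_HEADER:
            return "drop: tiny first fragment"
        expected = 0
        for f in frags:
            if f.start != expected:
                return "pending"            # gap: a fragment is still in flight
            expected = f.end
        return "pending" if frags[-1].more else "pass"


def classify(frags: list[Fragment]) -> str:
    """Feed fragments in the given order and return the first non-pending verdict."""
    r = VirtualReassembler()
    verdict = "pending"
    for f in frags:
        verdict = r.add(f)
        if verdict != "pending":
            break
    return verdict


if __name__ == "__main__":
    # Constructed datagrams (ident 1-3); lengths are in bytes, offsets in 8-byte units.
    normal = [Fragment(1, TCP, 0, True, 24), Fragment(1, TCP, 3, False, 100)]
    tiny = [Fragment(2, TCP, 0, True, 8), Fragment(2, TCP, 1, False, 32)]
    overlap = [Fragment(3, TCP, 0, True, 24), Fragment(3, TCP, 2, False, 40)]
    for name, frags in (("normal", normal), ("tiny", tiny), ("overlap", overlap)):
        print(name, "legacy:", [fraggard_legacy(f) for f in frags], "virtual:", classify(frags))
```

The overlap case is the one the old rule misses: the second fragment has offset 2, so FO = 1 never triggers, yet it rewrites bytes 16 to 23 of the first fragment. The virtual reassembler also accepts the normal datagram when its last fragment arrives before the first, which is the relieved restriction mentioned on the slide.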

8. Attacks and Preventions

For Router: ACL rule flowchart (figure)


9. Alias

Two ways of using alias:

Destination IP addresses (dNAT)
Changes the destination IP address of a packet to another address.
Use the ‘alias’ command. Alternative: the ‘static’ command.

DNS Doctoring
Performs DNS re-writes: the A-record in a DNS reply is translated so that the client receives the address that is reachable from its own side of the firewall.
Use the ‘alias’ command. Alternative: the ‘static ... dns’ command with DNS inspection enabled.


9. Alias

alias (interface) dnat_ip dforeign_ip

Destination IP addresses (dNAT):
dnat_ip is the destination IP address of the packet as sent by the client;
dforeign_ip is the translated destination IP address of the packet.

DNS Doctoring:
dnat_ip is the DNS response IP address if the reply comes from the high-security zone; otherwise it is the translated DNS response IP address.
dforeign_ip is the DNS response IP address if the reply comes from the low-security zone; otherwise it is the translated DNS response IP address.
If the DNS server sits in the lower security zone, its A-record holds the public address of the server;
if the DNS server sits in the higher security zone, its A-record holds the private address of the server.


10. Application Inspection (Fixup)

With FTP inspection (fixup protocol ftp), PIX examines the FTP control channel and opens a hole for the data channel dynamically, so no permanent ACL entry for the data connection is needed.

FTP standard (active) mode (figure): over the control connection the client announces its data port (18000 in the figure) with the PORT command; PIX reads it and opens a hole for the server's SYN with source port 20 and destination port 18000 on the client.
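The dynamic hole from the figure, as an added example that is not from the slides and not Cisco's fixup code: a tracker for one control connection that decodes the PORT command (18000 is carried as 70,80 since 70 * 256 + 80 = 18000), opens a one-shot pinhole for the server's connection from port 20, and then decides whether a given SYN matches a pinhole. It goes beyond the slide by also handling the passive-mode reply (227) from the server, and it adds one check the slide does not mention, marked as an assumption: the address announced in PORT must be the client's own, otherwise the command could be used to bounce a connection to a third host. Addresses and the control-channel lines are constructed.

```python
from __future__ import annotations

import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


# "PORT h1,h2,h3,h4,p1,p2" from the client (active mode) and
# "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)" from the server (passive mode).
_PORT_RE = re.compile(rb"^PORT (\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\r?\n$")
_PASV_RE = re.compile(rb"^227 .*\((\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\)")


def decode_hostport(groups) -> tuple[str, int] | None:
    """h1.h2.h3.h4 and p1*256+p2, or None if any byte is out of range."""
    h1, h2, h3, h4, p1, p2 = (int(g) for g in groups)
    if max(h1, h2, h3, h4, p1, p2) > 255:
        return None
    return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2


class FtpFixup:
    """Tracks one control connection and opens a pinhole per announced data connection."""

    def __init__(self, client_ip: str, server_ip: str) -> None:
        self.client_ip, self.server_ip = client_ip, server_ip
        self.pinholes: set[Flow] = set()

    def client_to_server(self, line: bytes) -> Flow | None:
        """Inspect a command on the control channel (client -> server)."""
        m = _PORT_RE.match(line)
        hp = decode_hostport(m.groups()) if m else None
        if hp is None:
            return None
        addr, port = hp
        # Assumption beyond the slide: the announced address must be the client's own,
        # otherwise PORT could bounce the server's data connection to a third host.
        if addr != self.client_ip:
            return None
        hole = Flow(self.server_ip, 20, self.client_ip, port)   # server connects from port 20
        self.pinholes.add(hole)
        return hole

    def server_to_client(self, line: bytes) -> Flow | None:
        """Inspect a reply on the control channel (server -> client); passive mode."""
        m = _PASV_RE.match(line)
        hp = decode_hostport(m.groups()) if m else None
        if hp is None:
            return None
        addr, port = hp
        if addr != self.server_ip:
            return None
        hole = Flow(self.client_ip, 0, self.server_ip, port)     # client source port unknown yet
        self.pinholes.add(hole)
        return hole

    def open_data_connection(self, syn: Flow) -> bool:
        """Called for a SYN; consumes the matching pinhole so it cannot be reused."""
        for hole in self.pinholes:
            if (hole.src_ip, hole.dst_ip, hole.dst_port) == (syn.src_ip, syn.dst_ip, syn.dst_port) \
                    and hole.src_port in (0, syn.src_port):
                self.pinholes.discard(hole)
                return True
        return False


if __name__ == "__main__":
    fx = FtpFixup("10.1.1.5", "192.0.2.21")
    print("hole:", fx.client_to_server(b"PORT 10,1,1,5,70,80\r\n"))
    print("server SYN 20 -> 18000:", fx.open_data_connection(Flow("192.0.2.21", 20, "10.1.1.5", 18000)))
    print("same SYN again:", fx.open_data_connection(Flow("192.0.2.21", 20, "10.1.1.5", 18000)))
```

A SYN from another source address, to another port, or arriving a second time for the same hole is refused; in the real device the hole is also subject to a timeout, which is not modelled here.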


10. Application Inspection (Fixup)

DNS inspection

It performs:
Translates the DNS A-record in the DNS reply (DNS doctoring)
Enforces the maximum DNS message length (512 bytes by default)
Enforces a domain-name length of 255 bytes and a label length of 63 bytes
Verifies the integrity of the domain-name
Checks for a compression-pointer loop

As long as DNS inspection remains enabled in PIX/ASA (it is enabled by default), you can configure DNS doctoring using the alias, static, or nat commands.
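The DNS doctoring rule from the alias slides (section 9) and the inspection checks listed above, together in one added example that is not from the slides and not Cisco's inspection code: a minimal parser for a DNS reply that enforces the 512-byte message size, the 63-byte label and 255-byte name limits and refuses compression-pointer loops, and rewrites each A record through an alias table in the direction the reply travels (dnat_ip to dforeign_ip for a reply from the high zone, dforeign_ip to dnat_ip for a reply from the low zone). `build_response` constructs the test replies, including one whose owner name points at itself; the alias addresses are taken from the usual 192.168.201.1 / 209.165.201.1 style of example and are constructed.

```python
from __future__ import annotations

import struct
from dataclasses import dataclass

MAX_MESSAGE = 512        # assumed default maximum DNS message length
MAX_LABEL, MAX_NAME = 63, 255


class DnsError(Exception):
    """Raised for anything the inspection would drop."""


def read_name(msg: bytes, off: int) -> tuple[str, int]:
    """Decode a possibly compressed name; return (name, offset just after it).
    Enforces the label and name length limits and refuses pointer loops."""
    labels, total, end, seen = [], 0, None, set()
    while True:
        if off >= len(msg):
            raise DnsError("name runs past message")
        n = msg[off]
        if n & 0xC0 == 0xC0:                       # compression pointer
            if off in seen:
                raise DnsError("compression pointer loop")
            seen.add(off)
            if off + 1 >= len(msg):
                raise DnsError("name runs past message")
            if end is None:
                end = off + 2                      # the name ends after the first pointer
            off = struct.unpack_from("!H", msg, off)[0] & 0x3FFF
            continue
        if n > MAX_LABEL:
            raise DnsError("label longer than 63 bytes")
        if n == 0:
            return ".".join(labels), (off + 1 if end is None else end)
        total += n + 1
        if total > MAX_NAME:
            raise DnsError("name longer than 255 bytes")
        if off + 1 + n > len(msg):
            raise DnsError("name runs past message")
        labels.append(msg[off + 1:off + 1 + n].decode("ascii", "replace"))
        off += 1 + n


def a_records(msg: bytes) -> list[tuple[int, str]]:
    """Walk header, questions and answers; return (rdata offset, IPv4) of each A record."""
    if len(msg) > MAX_MESSAGE:
        raise DnsError("message longer than 512 bytes")
    if len(msg) < 12:
        raise DnsError("truncated header")
    qd, an = struct.unpack_from("!HH", msg, 4)
    off, found = 12, []
    for _ in range(qd):
        off = read_name(msg, off)[1] + 4           # skip QTYPE and QCLASS
    for _ in range(an):
        off = read_name(msg, off)[1]
        if off + 10 > len(msg):
            raise DnsError("truncated resource record")
        rtype, rclass, _ttl, rdlen = struct.unpack_from("!HHIH", msg, off)
        off += 10
        if off + rdlen > len(msg):
            raise DnsError("truncated rdata")
        if (rtype, rclass, rdlen) == (1, 1, 4):
            found.append((off, ".".join(str(b) for b in msg[off:off + 4])))
        off += rdlen
    return found


@dataclass(frozen=True)
class Alias:
    dnat_ip: str        # address valid on the higher-security side (private)
    dforeign_ip: str    # address valid on the lower-security side (public)


def make_translator(aliases: list[Alias], reply_from_higher: bool):
    """Rule from the alias slide: a reply from the high zone carries dnat_ip and gets
    dforeign_ip; a reply from the low zone carries dforeign_ip and gets dnat_ip."""
    if reply_from_higher:
        return {a.dnat_ip: a.dforeign_ip for a in aliases}.get
    return {a.dforeign_ip: a.dnat_ip for a in aliases}.get


def inspect(msg: bytes, translate) -> tuple[str, bytes]:
    """Run the checks and doctor A records: ('pass', new message) or ('drop: why', msg)."""
    try:
        out = bytearray(msg)
        for off, ip in a_records(msg):
            new = translate(ip)
            if new:
                out[off:off + 4] = bytes(int(x) for x in new.split("."))
        return "pass", bytes(out)
    except DnsError as e:
        return f"drop: {e}", msg


def build_response(qname: str, ip: str, self_pointer: bool = False) -> bytes:
    """Constructed test reply: one question, one A answer (owner name compressed).
    self_pointer=True makes the owner name point at itself, a compression loop."""
    name = b"".join(bytes([len(l)]) + l.encode() for l in qname.split(".")) + b"\x00"
    header = struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, 0, 0)
    question = name + struct.pack("!HH", 1, 1)
    owner_off = len(header) + len(question)
    owner = struct.pack("!H", 0xC000 | (owner_off if self_pointer else 12))
    return header + question + owner + struct.pack("!HHIH", 1, 1, 60, 4) + bytes(int(x) for x in ip.split("."))
```

A reply from the outside DNS server that carries the public address 209.165.201.1 is handed to the inside client with 192.168.201.1, and the same alias entry works in the other direction for a reply leaving the inside; addresses not in the table pass untouched. The loop check keys on pointer offsets already visited, so a pointer chain that cycles through several offsets is caught as well, and the name-length counter stops a chain that grows without repeating.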


11. PIX Proxy ARP

By default the PIX Firewall answers ARP requests for the addresses it translates for, so that neighboring hosts and routers can reach translated addresses through the firewall.
With the sysopt noproxyarp if_name command, the PIX Firewall no longer responds to ARP requests for the addresses in the static, global, and nat 0 commands on that interface, but it still responds to ARP requests for its own interface IP address.

To disable proxy ARP on the inside interface:
sysopt noproxyarp inside

To enable proxy ARP on the inside interface (the default setup):
no sysopt noproxyarp inside