8/2/2019 L2 - PIX-Firewall - 2(1)
http://slidepdf.com/reader/full/l2-pix-firewall-21 1/21
FIREWALL
PIX Firewall
1. NAT/PAT
2. Security Levels to Interfaces
3. Basic rules of Firewall
4. PIX NAT/PAT
5. Access Control List (ACL)
6. Authentication Cut-through
7. Basic Configuration
8. Attacks and Preventions
9. Alias
10. Application Inspection (FIXUP)
11. PIX Proxy ARP
8. Attacks and Preventions
SYN Attacks
Disable the victim by generating a large number of half-open TCP connections.
PIX prevents the attack by keeping track of half-open connections and acting once the limit on embryonic connections is reached.
If the number of half-open connections reaches the threshold, or a connection stays half-open for too long, PIX starts closing those connections.
PIX Proxy TCP
Performs TCP connections on behalf of the end-stations.
Only when the 3-way handshake is complete does the PIX allow the connection through to the end-stations behind it.
[Figure: SYN Attacks]
8. Attacks and Preventions
Hijacking Attack
The initial sequence number (ISN) of TCP is not random.
An attacker can establish a TCP session with the victim as long as the attacker knows how the victim generates the ISN.
PIX proxies the sequence number in an outgoing packet:
Creates a new and more random sequence number.
Uses the new number as the sequence number in the outgoing packet, and calculates the difference between the original and the new number.
When return traffic for that packet is received, PIX restores the sequence number (using the difference) and forwards the packet to the destination on the inside network.
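The three steps above can be modelled in a few lines. The following is an added illustration written for this page, not PIX code: packets are plain dicts, the flow key is assumed to be the 4-tuple, and the "random" ISN is injectable so the arithmetic is visible. On return traffic it is the acknowledgement number that carries the substituted value, so that is the field the proxy restores; the outside peer's own sequence numbers are passed through untouched.

```python
import secrets

SEQ_MOD = 1 << 32   # TCP sequence numbers wrap at 2^32


class SeqProxy:
    """Model of the PIX sequence-number proxy described on the slide.

    On an outbound SYN the firewall picks a fresh random ISN and stores
    delta = new - original.  Every later outbound packet of the flow is sent
    with seq + delta; every inbound packet is forwarded with ack - delta, so
    the inside host only ever sees its own (possibly predictable) numbers
    while the outside world only sees the random ones.
    """

    def __init__(self, rng=secrets.randbelow):
        self._delta = {}      # (src, sport, dst, dport) -> delta
        self._rng = rng       # injectable so tests are deterministic

    def outbound(self, pkt):
        key = (pkt["src"], pkt["sport"], pkt["dst"], pkt["dport"])
        if pkt.get("syn") and not pkt.get("ack"):
            # Step 1: create a new, more random ISN; step 2: remember the difference
            new_isn = self._rng(SEQ_MOD)
            self._delta[key] = (new_isn - pkt["seq"]) % SEQ_MOD
        delta = self._delta.get(key, 0)
        out = dict(pkt)
        out["seq"] = (pkt["seq"] + delta) % SEQ_MOD
        return out

    def inbound(self, pkt):
        # Step 3: return traffic is matched on the reverse 4-tuple and the
        # acknowledgement number is shifted back before forwarding inside.
        key = (pkt["dst"], pkt["dport"], pkt["src"], pkt["sport"])
        delta = self._delta.get(key, 0)
        out = dict(pkt)
        if pkt.get("ack"):
            out["ack_num"] = (pkt["ack_num"] - delta) % SEQ_MOD
        return out

    def close(self, pkt):
        """Forget a flow once it is torn down (FIN/RST tracking is assumed)."""
        self._delta.pop((pkt["src"], pkt["sport"], pkt["dst"], pkt["dport"]), None)


def demo():
    """Walk one handshake through the proxy with a fixed 'random' ISN of
    1000000 (constructed sample, addresses from the documentation ranges).
    Returns (seq seen on the outside, ack restored for the inside host)."""
    proxy = SeqProxy(rng=lambda n: 1_000_000)
    syn = {"src": "10.1.1.5", "sport": 40000, "dst": "192.0.2.10", "dport": 513,
           "syn": True, "ack": False, "seq": 12345}
    outside_syn = proxy.outbound(syn)            # 12345 -> 1000000 on the wire
    synack = {"src": "192.0.2.10", "sport": 513, "dst": "10.1.1.5", "dport": 40000,
              "syn": True, "ack": True, "seq": 24680,
              "ack_num": outside_syn["seq"] + 1}
    inside_synack = proxy.inbound(synack)        # ack 1000001 -> 12346 for the host
    return outside_syn["seq"], inside_synack["ack_num"]
```

Because the delta is a constant per flow, no per-packet state beyond the one number is needed; a fuller implementation would also shift sequence numbers inside TCP options such as SACK blocks, which this model leaves out.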
8. Attacks and Preventions
Hijacking Attacks
[Diagram: hijacking attack message sequence]
SYN attack (DoS) disables the trusted host (or server)
SYN, Seq=12345
SYN-ACK, seq=24680
rlogin, SYN, seq=12345
SYN-ACK, seq=24680
ACK, Ack #=24681
Reduce the security level
8. Attacks and Preventions
[Figure: PIX proxy TCP and initial sequence number]
8. Attacks and Preventions
UDP
No connection state to monitor.
Use an idle timer to expire idle connections.
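The two kinds of connection tracking on these slides, the embryonic-connection limit and timeout for TCP and the idle timer for UDP, fit in one small connection table. The class below is an added illustration for this page, not PIX code: the limit, timeout and idle values are constructed defaults, and "closing" a half-open connection simply drops it from the table (a real firewall would also reset the peer).

```python
class ConnTable:
    """Toy connection table in the spirit of the PIX behaviour described
    on the SYN-attack and UDP slides (added illustration, not PIX code).

    TCP: half-open (embryonic) connections are counted per server.  When a
    new SYN arrives and the server is already at the limit, the oldest
    half-open connection to that server is closed to make room; half-open
    connections older than embryonic_timeout are closed on every check.
    UDP: there is no handshake to watch, so each flow only carries an idle
    timer and is expired once it has been silent for udp_idle seconds.
    Times are plain floats (seconds) supplied by the caller.
    """

    def __init__(self, embryonic_limit=100, embryonic_timeout=30.0, udp_idle=120.0):
        self.embryonic_limit = embryonic_limit
        self.embryonic_timeout = embryonic_timeout
        self.udp_idle = udp_idle
        self.half_open = {}      # (client, server) -> time the SYN was seen
        self.established = set()
        self.udp = {}            # (client, server) -> time of last packet
        self.closed = []         # ((client, server), reason) audit log

    # --- TCP ---------------------------------------------------------------
    def tcp_syn(self, client, server, now):
        self._expire_embryonic(now)
        to_server = [k for k in self.half_open if k[1] == server]
        if len(to_server) >= self.embryonic_limit:
            oldest = min(to_server, key=self.half_open.get)
            self._close(oldest, "embryonic limit")
        self.half_open[(client, server)] = now

    def tcp_established(self, client, server, now):
        """Third handshake packet seen: promote the flow, returns False if
        no matching half-open connection exists."""
        key = (client, server)
        if key not in self.half_open:
            return False
        del self.half_open[key]
        self.established.add(key)
        return True

    def count_half_open(self, server):
        return sum(1 for k in self.half_open if k[1] == server)

    def _expire_embryonic(self, now):
        for key, t0 in list(self.half_open.items()):
            if now - t0 > self.embryonic_timeout:
                self._close(key, "embryonic timeout")

    def _close(self, key, reason):
        self.half_open.pop(key, None)
        self.closed.append((key, reason))

    # --- UDP ---------------------------------------------------------------
    def udp_packet(self, client, server, now):
        self.expire_udp(now)
        self.udp[(client, server)] = now      # (re)arm the idle timer

    def expire_udp(self, now):
        for key, last in list(self.udp.items()):
            if now - last > self.udp_idle:
                del self.udp[key]
                self.closed.append((key, "udp idle"))
```

Evicting the oldest half-open entry is one reasonable reading of "starts closing those connections"; the slide does not say which ones PIX picks, so treat that choice as an assumption of the model.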
8. Attacks and Preventions
Tiny fragment attack
Overlapping fragment attack
Old version of protection against these two attacks:
FO=1 & PROTOCOL=TCP: discard the packet
8. Attacks and Preventions
New version of protection in PIX/ASA:
Virtual re-assembly features since version 5.1:
Full reassembly of all ICMP error messages.
Virtual reassembly of the remaining IP fragments that are routed through the PIX Firewall.
The previous restriction of the FragGuard feature, that the initial fragment must arrive first, has been removed.
Virtual reassembly is currently enabled by default and no mechanism is provided to disable it.
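Both generations of protection can be shown side by side: the old rule discards any TCP fragment whose offset field is 1 (the only reason for such a fragment is to split the TCP header), while virtual reassembly keeps the fragments of a datagram in a table, rejects any fragment whose byte range overlaps one already seen, and accepts the datagram once the ranges are contiguous from offset 0 to a fragment with MF=0, in whatever order the fragments arrived. The code is an added illustration for this page, not PIX code; fragment fields are passed as dicts with the offset in 8-byte units as in the IP header, and the verdict strings are constructed.

```python
class FragmentGuard:
    """Added model of the two fragment checks described on these slides.

    Fragment dict fields: src, dst, id, proto, offset (8-byte units, as in
    the IP header), mf (more-fragments flag), length (payload bytes).
    check() returns one of:
      'discard: tiny-fragment rule (FO=1, TCP)'  (old rule, if enabled)
      'discard: overlapping fragment'
      'hold'      fragment stored, datagram not yet complete
      'complete'  datagram contiguous from 0 to the MF=0 fragment
    """
    TCP = 6

    def __init__(self, legacy_rule=False):
        self.legacy_rule = legacy_rule
        self.chains = {}   # (src, dst, id, proto) -> list of (start, end, mf)

    def check(self, frag):
        # Old protection: a TCP fragment at offset 1 can only exist to push the
        # TCP header's ports/flags into a second packet, so discard it outright.
        if self.legacy_rule and frag["proto"] == self.TCP and frag["offset"] == 1:
            return "discard: tiny-fragment rule (FO=1, TCP)"
        key = (frag["src"], frag["dst"], frag["id"], frag["proto"])
        start = frag["offset"] * 8
        end = start + frag["length"]
        chain = self.chains.setdefault(key, [])
        # Virtual reassembly: any byte range that collides with a stored
        # fragment is an overlap attack; drop the whole datagram.
        for s, e, _ in chain:
            if start < e and s < end:
                del self.chains[key]
                return "discard: overlapping fragment"
        chain.append((start, end, frag["mf"]))
        if self._complete(chain):
            del self.chains[key]
            return "complete"
        return "hold"

    @staticmethod
    def _complete(chain):
        """True when the stored ranges run gap-free from 0 to a last fragment.
        Order of arrival does not matter, matching the lifted FragGuard
        restriction that the initial fragment had to come first."""
        chain.sort()
        if chain[0][0] != 0 or chain[-1][2]:
            return False
        pos = 0
        for s, e, _ in chain:
            if s != pos:
                return False
            pos = e
        return True
```

A production implementation would also bound the number of fragments held per datagram and age them out, so that the reassembly table itself cannot be filled by an attacker; that housekeeping is left out here to keep the two checks visible.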
8. Attacks and Preventions
For Router
[Flowchart: ACL rule processing]
9. Alias
Two ways of using Alias
Destination IP addresses (dNAT)
Changes the destination IP address to another address.
Use the ‘alias’ command. Alternative: the ‘static’ command.
DNS Doctoring
Performs DNS re-writes.
Use the ‘alias’ command. Alternative: the ‘static…..dns’ command with DNS inspection enabled.
9. Alias
alias (interface) dnat_ip dforeign_ip
Destination IP addresses (dNAT):
dnat_ip is the destination IP address of the packet;
dforeign_ip is the translated destination IP address of the packet.
DNS Doctoring:
dnat_ip is the DNS response IP address if the response starts from the high-security zone; otherwise it is the translated DNS response IP address.
dforeign_ip is the DNS response IP address if the response starts from the low-security zone; otherwise it is the translated DNS response IP address.
If the DNS server sits in the lower-security zone, its A-record is the public address of the server;
if the DNS server sits in the higher-security zone, its A-record is the private address of the server.
10. Application Inspection (Fixup)
This feature handles issues with non-standard connections, as well as embedded addresses and port numbers.
If needed, it just opens a tiny hole in the PIX to allow only the connection itself between the user and the resource on the service.
10. Application Inspection (Fixup)
The inspection feature is used to deal with special behaviors exhibited by certain application-layer protocols.
Without FTP inspection
[Diagram: FTP standard mode. Control channel: port=18000. Data channel: SYN s. port=20, d. port=18000]
10. Application Inspection (Fixup)
With FTP inspection
PIX examines the FTP control packets and dynamically creates a security hole for the data channel:
fixup protocol ftp
[Diagram: FTP standard mode. Control channel: port=18000. Data channel: SYN s. port=20, d. port=18000. PIX opens a hole for port=18000]
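What "examines the FTP control packets" amounts to is parsing the two lines that carry an embedded address: the client's PORT command in standard (active) mode, and the server's 227 reply in passive mode, each encoded as h1,h2,h3,h4,p1,p2 with the port equal to p1*256+p2. The function below is an added illustration written for this page, not PIX code: it returns the data-channel pinhole the firewall would open, and it additionally refuses an advertised address that differs from the control-channel peer, which is a defensive check assumed here and not stated on the slide. The addresses and the port 18000 (70*256+80) in the usage are constructed to match the diagram.

```python
import re
import ipaddress

# PORT h1,h2,h3,h4,p1,p2  (client -> server, active mode)
PORT_RE = re.compile(r"^PORT\s+(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\s*$", re.I)
# 227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)  (server -> client, passive mode)
PASV_RE = re.compile(r"^227\b.*?\((\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\)")


def decode_hostport(groups):
    """h1,h2,h3,h4,p1,p2 -> ('h1.h2.h3.h4', p1*256 + p2); ValueError on bad input."""
    ip = str(ipaddress.IPv4Address(".".join(groups[:4])))   # rejects octets > 255
    port = int(groups[4]) * 256 + int(groups[5])
    if not 0 < port < 65536:
        raise ValueError("port out of range")
    return ip, port


def inspect_ftp(line, client_ip, server_ip, from_client):
    """Inspect one control-channel line.

    Returns None when the line carries no embedded address, otherwise a dict
    with action 'open' and the data-channel 5-tuple to permit, or action
    'reject' with a reason.  from_client says which side sent the line.
    """
    line = line.rstrip("\r\n")
    m = PORT_RE.match(line) if from_client else PASV_RE.match(line)
    if not m:
        return None
    try:
        ip, port = decode_hostport(m.groups())
    except ValueError as exc:
        return {"action": "reject", "reason": "malformed address: %s" % exc}
    # Assumed defensive check: the advertised address must be the peer that
    # sent it, so the control channel cannot steer a data connection elsewhere.
    expected = client_ip if from_client else server_ip
    if ip != expected:
        return {"action": "reject",
                "reason": "advertised %s is not the control peer %s" % (ip, expected)}
    if from_client:
        # Active mode: the server connects from port 20 to the client's port.
        return {"action": "open", "proto": "tcp", "src": server_ip, "sport": 20,
                "dst": client_ip, "dport": port}
    # Passive mode: the client connects from any port to the server's port.
    return {"action": "open", "proto": "tcp", "src": client_ip, "sport": "any",
            "dst": server_ip, "dport": port}


if __name__ == "__main__":
    # Constructed sample matching the diagram: client port 70*256+80 = 18000.
    print(inspect_ftp("PORT 10,1,1,5,70,80\r\n", "10.1.1.5", "203.0.113.10", True))
    print(inspect_ftp("227 Entering Passive Mode (203,0,113,10,195,80)",
                      "10.1.1.5", "203.0.113.10", False))
```

The pinhole is what "opens a hole for port=18000" in the diagram stands for; a firewall would install it with a short lifetime and remove it when the data connection closes, which is the part of the behaviour this snippet does not model.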
10. Application Inspection (Fixup)
DNS inspection
It performs:
Translates the DNS A-record in the DNS reply
Enforces the maximum DNS message length
Enforces a domain-name length of 255 bytes and a label length of 63 bytes
Verifies the integrity of the domain-name
Checks for compression pointer loops
As long as DNS inspection remains enabled in PIX/ASA, you can configure DNS doctoring using the alias, static, or nat commands.
11. PIX Proxy ARP
Use the sysopt noproxyarp if_name command:
the PIX Firewall will no longer respond to ARP requests for the addresses in the static, global, and nat 0 commands for that interface, but does respond to ARP requests for its interface IP addresses.
To disable Proxy ARP on the inside interface:
sysopt noproxyarp inside
To enable Proxy ARP on the inside interface (the default setup):
no sysopt noproxyarp inside