Internetworking with PIX™: PIX IOS 5.0
mbehring_pix_rev5 © 1999, Cisco Systems, Inc.

Agenda
- Overview of the PIX
- The "Inside" of the PIX
- Advanced Configurations
- PIX and IPSec
- PIX Management
- Last Words

Overview of the PIX: Hardware, Software and Capabilities (CCIE'99 Vienna)

The Box Itself
- 515-R (restricted): target is the branch office
- 515-UR (unrestricted): target is the main office
- 520: target is the biiig main office

The Platform
- 515-R: Pentium 200 MHz, no PCI slots, 32 MB RAM max
- 515-UR: Pentium 200 MHz, 2 PCI slots, 64 MB RAM max
- 520: Pentium 350 MHz, 4 PCI slots, 1 ISA slot, 128 MB RAM max

Interfaces
- 515-R: 2 FE, not changeable
- 515-UR: standard 2 FE, extensible to up to 6 FE
- 520: standard 2 FE plus 2 of: 4-port FE card, Token Ring card, FDDI card

Private Link Cards
- PL1: ISA based (16 bit, discontinued)
- PL2: PCI based (32 bit)
- PL3: PCI (planned)
- Kodiak: PCI (planned)
- PIX 520 has 1 ISA slot + 4 PCI slots; PIX 515-UR has 2 PCI slots, no ISA

PIX Hardware Overview (columns: 515-R / 515-UR / 520)
- Max. simultaneous connections: 50, , ,000
- Max. RAM: 32 MB / 64 MB / 128 MB
- Max. number of interfaces: 2 / 6
- Flash: 8 MB / 16 MB
- Failover: no / yes
- Interface types: FE / TR / FDDI
- Max. throughput: 170 Mbps

The PIX Philosophy
Every interface is named and given a security level with nameif (private network, public network and DMZ in the diagram):
  nameif ethernet0 outside security0
  nameif ethernet1 inside security100
  nameif ethernet2 DMZ security
Default actions between interfaces:
- Higher security to lower security: PERMIT
- Lower to higher: DENY
- Between the same level: DENY

Strength of the PIX
- No common OS
- Small code -> fewer chances for bugs
- Appliance: no extra software
- Easy configuration
- Performance (170 Mbit/s!)

PIX Certification
- NSA TTAP certification
- ICSA certification
- SRI International testing: "SRI International failed to uncover any security vulnerabilities in the Cisco PIX firewall"
- Turnkey appliance: no software installation risks

Licensing
- 520: session based (128, 1024, ); will be feature based in the future
- 515: feature based: basic license plus DES license (free) and 3DES license (extra cost)

Around the PIX
- WebSense: URL filtering
- Private I: logging and alarming
- CiscoSecure: cut-through proxy, AAA
- Cisco Security Manager: management
- PIX Firewall Manager: management
- Verisign, Entrust, …: certification authority
The "Inside" of the PIX: Configuration Details (NW'99 Vienna)

Only 4 Ways through the PIX (private network to public network and back)
1: inside to outside (limit with "outbound" and "apply")
2: user authentication (AAA)
3: conduit
4: access list (since PIX IOS 5.0)

Address Translation in the PIX: NAT / PAT
  nat (inside) <NAT-ID> <inside addresses>        translate all inside source addresses
  global (outside) <NAT-ID> <outside addresses>   outside source address range to use
The NAT-ID ties the nat statement to its global statement. For PAT, the global statement uses only 1 outside address.

Destination Address Translation: Alias
- NAT changes the source address only
- Use alias to change the destination address
- DNS replies will be changed as well
- Applications: dual NAT, re-routing

How "alias" Works (diagram: inside user, PIX, Internet, the company's www server; alias maps an inside address to an outside address)
1. The inside user accesses www
2. DNS query
3. Reply: conflict, the DNS reply carries the outside address, which the PIX rewrites using the alias mapping (inside = outside)
5. Destination NAT

Address Translation: Alias Configuration
  alias (inside) <destination address to use on the inside> <destination address seen on the outside>    destination NAT
  static (inside,outside) <source address on the outside> <source address on the inside> netmask <mask>   source NAT

Address Translation: Static
  static (inside,outside) <outside address> <inside address> netmask <mask>
For web or other servers: a fixed outside address for one inside host.

Conduits: to permit traffic from the outside
  conduit permit tcp host <internal host> eq ftp any     FTP from any external host to this internal host
  conduit permit tcp any eq ftp host <external host>     FTP from this external host to any internal host
Use global addresses in conduits.

Outbound Access Lists: deny inside -> outside connections
  outbound 10 deny 0 0 www tcp                   deny all outbound www traffic
  outbound 10 permit <proxy server> www tcp      but permit it to the proxy server
  apply (dmz1) 10 outgoing_src                   apply list 10 to interface dmz1

Adaptive Security Algorithm™ (ASA): the heart of stateful checking in the PIX
Basic rules:
- Allow TCP / UDP from the inside
- Permit TCP / UDP return packets
- Drop and log connections from the outside
- Drop and log source-routed IP packets
- Allow some ICMP packets
- Silently drop pings to dynamic IP addresses
- Answer (from the PIX) pings to static connections
- Drop and log all other packets from the outside

How the PIX Works
1. Packet arrives
2. Addressing: NAT / PAT / alias / static
3. Permissions: conduit / ACLs / outbound
4. -> Xlate table (addressing info)
5. -> Connections table (ports + protocol)
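As an added example that is not part of the deck, a toy Python model of the decision the slides above describe: default action by security level, outbound lists limiting the higher-to-lower direction, static plus conduit opening the lower-to-higher direction, and an xlate entry recorded on permit. Interface names, levels and addresses are constructed sample values, and the nat/global pool is abstracted to a single "pool" label.

```python
from dataclasses import dataclass, field

@dataclass
class Packet:
    in_if: str    # interface the packet arrived on
    out_if: str   # interface the route points at
    proto: str    # "tcp" or "udp"
    src: str
    dst: str
    dport: int

@dataclass
class Pix:
    security: dict                                # nameif: interface -> security level
    statics: dict = field(default_factory=dict)   # static: global (outside) address -> inside address
    conduits: list = field(default_factory=list)  # conduit: (proto, global address or "any", port)
    outbound: dict = field(default_factory=dict)  # apply: interface -> [(action, dst or "0", port, proto)]
    xlate: dict = field(default_factory=dict)     # xlate table: (local, global) -> nconns

    def check(self, p):
        """Default action by security level, then the exceptions (outbound list, conduit)."""
        src_lvl, dst_lvl = self.security[p.in_if], self.security[p.out_if]
        if src_lvl == dst_lvl:                    # between same levels: DENY
            return "deny"
        if src_lvl > dst_lvl:                     # higher -> lower: PERMIT, limited by outbound/apply
            verdict, best = "permit", -1
            for action, dst, port, proto in self.outbound.get(p.in_if, []):
                if proto == p.proto and port == p.dport and dst in ("0", p.dst):
                    rank = 1 if dst == p.dst else 0   # host entry beats the "0 0" wildcard
                    if rank > best:
                        verdict, best = action, rank
            if verdict == "permit":               # nat/global pool address abstracted as "pool"
                self.xlate[(p.src, "pool")] = self.xlate.get((p.src, "pool"), 0) + 1
            return verdict
        local = self.statics.get(p.dst)           # lower -> higher: DENY unless static + conduit
        for proto, gaddr, port in self.conduits:
            if local and proto == p.proto and port == p.dport and gaddr in ("any", p.dst):
                self.xlate[(local, p.dst)] = self.xlate.get((local, p.dst), 0) + 1
                return "permit"
        return "deny"

def build_demo():
    # Constructed sample configuration mirroring the deck's static, conduit and outbound slides.
    pix = Pix(security={"outside": 0, "dmz1": 50, "dmz2": 50, "inside": 100})
    pix.statics["192.0.2.10"] = "10.1.1.10"              # static (inside,outside) 192.0.2.10 10.1.1.10
    pix.conduits.append(("tcp", "192.0.2.10", 21))       # conduit permit tcp host 192.0.2.10 eq ftp any
    pix.outbound["dmz1"] = [("deny", "0", 80, "tcp"),    # outbound 10 deny 0 0 www tcp
                            ("permit", "203.0.113.9", 80, "tcp")]  # outbound 10 permit <proxy> www tcp
    return pix                                           # apply (dmz1) 10 outgoing_src
```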
Xlate: The Translation Table
- The PIX creates an xlate entry for every IP pair (host-host)
- This is part of the "state" of the firewall
- clear xlate after changes
- timeout xlate hh:mm:ss
- timeout conn hh:mm:ss … and: half-closed, udp, rpc, h323, uauth

Connections Table
Connection entries contain:
- Protocol and port numbers
- TCP state and sequence numbers
- State of the connection (e.g., embryonic)
Also part of the "state" of the firewall. clear xlate also clears the conns table. The license is checked against the number of connections!

Xlate and Conns Tables (sample output, addresses not shown)
show xlate
  Global Local static nconns 1 econns 0
  Global Local static nconns 4 econns 0
show conn
  6 in use, 6 most used
  TCP out :80 in :1404 idle 0:00:00 Bytes
  TCP out :80 in :1405 idle 0:00:00 Bytes 3709
  TCP out :80 in :1406 idle 0:00:01 Bytes 2685
  TCP out :80 in :1407 idle 0:00:01 Bytes 2683
  TCP out :80 in :1403 idle 0:00:00 Bytes
  TCP out :80 in :1408 idle 0:00:00 Bytes 2688
  UDP out :24 in :1402 idle 0:01:30
  UDP out :23 in :1397 idle 0:01:30
  UDP out :22 in :1395 idle 0:01:30
License check (PIX 520): the "in use" count is what the session license counts. In the xlate output, nconns is the number of connections and econns the number of embryonic connections.
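As an added example (not from the deck), a small parser for the show xlate / show conn layout reproduced above, turning it into the license and embryonic-connection check the slide calls for. The sample output is constructed with made-up addresses, and the flag columns of later PIX releases are not modelled.

```python
import re
from collections import Counter

# Constructed sample output in the layout the deck shows (addresses made up).
SHOW_XLATE = """\
Global 192.0.2.10 Local 10.1.1.10 static nconns 1 econns 0
Global 192.0.2.20 Local 10.1.1.20 nconns 4 econns 2
"""
SHOW_CONN = """\
5 in use, 6 most used
TCP out 203.0.113.7:80 in 10.1.1.20:1404 idle 0:00:00 Bytes 3709
TCP out 203.0.113.7:80 in 10.1.1.20:1405 idle 0:00:01 Bytes 2685
TCP out 203.0.113.7:80 in 10.1.1.20:1406 idle 0:00:01 Bytes 0
TCP out 198.51.100.5:21 in 10.1.1.10:1020 idle 0:02:10 Bytes 1500
UDP out 203.0.113.53:53 in 10.1.1.20:1402 idle 0:01:30
"""

XLATE_RE = re.compile(r"Global (\S+) Local (\S+)( static)? nconns (\d+) econns (\d+)")
CONN_RE = re.compile(r"^(TCP|UDP) out (\S+):(\d+) in (\S+):(\d+) idle (\d+):(\d+):(\d+)"
                     r"(?: Bytes (\d+))?", re.M)

def parse_xlate(text):
    """One dict per xlate entry: global/local pair, static flag, nconns, econns (embryonic)."""
    return [{"global": g, "local": loc, "static": bool(s), "nconns": int(n), "econns": int(e)}
            for g, loc, s, n, e in XLATE_RE.findall(text)]

def parse_conn(text):
    """One dict per connection line; UDP lines carry no byte count in this layout."""
    conns = []
    for proto, gip, gport, lip, lport, h, m, s, nbytes in CONN_RE.findall(text):
        conns.append({"proto": proto, "global": gip, "gport": int(gport), "local": lip,
                      "lport": int(lport), "idle": int(h) * 3600 + int(m) * 60 + int(s),
                      "bytes": int(nbytes) if nbytes else None})
    return conns

def summarize(xlate_text, conn_text, license_limit, idle_limit=60):
    """License headroom, embryonic count and idle entries from the two show outputs."""
    hdr = re.search(r"(\d+) in use, (\d+) most used", conn_text)
    in_use, most_used = int(hdr.group(1)), int(hdr.group(2))
    conns, xlate = parse_conn(conn_text), parse_xlate(xlate_text)
    return {
        "in_use": in_use,
        "most_used": most_used,
        "headroom": license_limit - in_use,            # negative means over the session license
        "by_proto": dict(Counter(c["proto"] for c in conns)),
        "embryonic": sum(x["econns"] for x in xlate),  # half-open TCP, the floodguard concern
        "idle": [(c["local"], c["lport"]) for c in conns if c["idle"] > idle_limit],
        "statics": [x["global"] for x in xlate if x["static"]],
    }
```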
Advanced Configurations

User Authentication: Cut-Through-Proxy
An outside user sends an HTTP request through the PIX; the AAA server sits on the inside:
1. HTTP request packet intercepted by the PIX
2. PIX asks the user for credentials, the user responds
3. PIX sends the credentials to the AAA server, the AAA server acknowledges
4. PIX forwards the packets

User Authentication: Cut-Through-Proxy, notes
- Addressing and conduit must exist!
- FTP, HTTP, Telnet can be proxied
- Other ports can be authorised after authentication
- Watch out: timeout for authorisation! Other connections will be cut after the primary one has timed out

User Authentication: Configuration (authenticate all inbound FTP traffic)
  aaa-server AuthInbound protocol tacacs+                         define AAA protocol
  aaa-server AuthInbound (inside) host <AAA server> TheUauthKey   define AAA server and key
  aaa authentication ftp inbound AuthInbound
  aaa authorization ftp inbound AuthInbound                       install authorization lists from the server*
* only with TACACS+, not with RADIUS

PIX Failover
Primary and secondary PIX, connected by the failover cable and a failover link, in front of the same default gateway (diagram).

Failover Configuration
  failover [active]                               enable failover
  failover ip address inside <standby address>    address for the standby PIX (configured on the primary)
  failover link ethernet2                         enable statefulness (over link eth2)

PIX Failover
- Only the primary PIX is configured; wr mem auto-configures the standby PIX
- On failover, the standby PIX assumes the MAC and IP address from the primary
- Failover takes seconds

URL Filtering (diagram: corporate network, inside user, PIX, Internet, WebSense server)

URL Filtering Configuration
Outbound HTTP connections can be checked on URL; interaction with a 3rd party product, e.g., WebSense
  url-server (inside) host <server IP> timeout 5   interface and server IP
  filter url http                                  filter any URL

Various...
- Flooding prevention: floodguard enable|disable; show floodguard
- Fragmentation attack prevention: sysopt security fragguard
- Mailguard (check SMTP commands): fixup protocol smtp 25

DMZ Example: Redundant PIX Set-Up (diagram: Internet, redundant PIX pair, partners and clients, NetSonar, NetRanger)
PIX and IPSec

PIX and IPSec (since PIX IOS 5.0)
Applications: remote user access, branch offices, intranet, extranet, host-to-host access; the main office sits behind the PIX, reached over the Internet, with a certification authority (CA).

IPSec Configuration Steps
1: CA interoperation (optional)
2: IKE
3: IKE mode (optional)
4: IPSec

IPSec Configuration
  access-list 101 permit ip <source> <destination>           for this traffic...
  crypto ipsec transform-set myset1 esp-des esp-sha-hmac     ...and how (to encrypt)
  crypto map mymap 10 ipsec-isakmp
  crypto map mymap 10 match address 101                      what to encrypt
  crypto map mymap 10 set peer <endpoint>                    use this endpoint
  crypto map mymap 10 set transform-set myset1
  crypto map mymap interface outside                         apply to interface

Configuring the CA
  ca generate rsa key 512                               generate key pair
  ca identity myca.mycompany.com                        define CA
  ca configure myca.mycompany.com ca 1 20 crloptional   retry parameters
  ca authenticate myca.mycompany.com [ ]                get CA certificate and check it
  ca enroll myca.mycompany.com mypassword               send the PIX's public key to the CA
  ca save all

PIX IPSec: Attention!
- Avoid the use of the "any" keyword
- IPSec only on the outside interface in 5.0
- No TED (Tunnel Endpoint Discovery) in 5.0
- Make sure the clock is set correctly!

IPSec Hardware Accelerators
- Software-only mode: Mbps DES (!), Mbps 3DES (!)
- PIX Private Link card (PL2/PL3): Mbps DES (3DES not supported on PL2)
- Kodiak (in development): 100 Mbps 3DES
PIX Management

Cisco Security Manager
- Policy-based, not device-based
- GUI
- Scalable (<100 PIX)
- Any topology
- Future: management of all security products

PIX Syslog
- Reliable logging (TCP): if the syslog server is full, the PIX will deny all new connections!!
- Unreliable logging: UDP
Config:
  logging host dmz <syslog server> tcp    interface, server, tcp / udp
  logging trap debugging
  clock set 14:25:00 apr
  logging timestamp

PIX SNMP
Almost like on a router:
  snmp-server host outside <management station>
  snmp-server community secret_xyz
  snmp-server syslog disable
  snmp-server log_level 5
But: the PIX only sends traps; no configuration through SNMP.

Last Words…

The Direction of Security in Cisco
- Integration: security as an integral part of all products
- CiscoAssure: combine security, QoS, voice in one concept
- DEN*: the future is based on directories
* Directory Enabled Networks

Last Words...
- Security needs more than a firewall…
- Keep it simple -> more secure: simple configurations; split functionality across different devices
- Keep up to date!