© 2004, Cisco Systems, Inc. All rights reserved. CSPFA 3.2—10-1 Lesson 10 Attack Guards, Intrusion Detection, and Shunning.


Objectives

Upon completion of this lesson, you will be able to perform the following tasks:
– Name, describe, and configure the attack guards in the PIX Firewall.
– Define intrusion detection.
– Describe signatures.
– Name and identify the signature classes supported by the PIX Firewall.
– Configure the PIX Firewall to use IDS signatures.
– Configure the PIX Firewall to shun.

Attack Guards

Mail Guard

    fixup protocol smtp port [-port]

Defines the ports on which to activate Mail Guard (default = 25). Example:

    pixfirewall(config)# fixup protocol smtp 2525

Mail Guard allows only the seven minimum SMTP commands through: HELO, MAIL, RCPT, DATA, RSET, NOOP, and QUIT (RFC 821). If Mail Guard is disabled, all SMTP commands are allowed through the firewall, and potential mail server vulnerabilities are exposed.

Diagram: Internet, PIX Firewall (SMTP RFC 821 commands only), inside mail gateway.
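As an added illustration (not Cisco's code), a Python model of the Mail Guard verb filter described above: only the seven RFC 821 commands are forwarded, and the message body after DATA is passed untouched until the lone "." terminator. How the real PIX answers a rejected verb is not stated on this page, so the 500 reply below is an assumption.

```python
# Constructed model of the Mail Guard command filter described on the slide.
# Assumption: a rejected command is answered with a 500 reply instead of being
# forwarded; the real PIX behaviour for rejected verbs is not described here.
ALLOWED = {"HELO", "MAIL", "RCPT", "DATA", "RSET", "NOOP", "QUIT"}

def mail_guard(client_lines):
    """Split a client-side SMTP stream into lines forwarded to the mail
    gateway and replies the guard sends back to the client.

    After an accepted DATA command the message body is not command text,
    so it is forwarded unchanged until the lone '.' terminator.
    """
    forwarded, replies = [], []
    in_data = False
    for line in client_lines:
        if in_data:
            forwarded.append(line)
            if line == ".":
                in_data = False
            continue
        verb = line.split(" ", 1)[0].upper()
        if verb in ALLOWED:
            forwarded.append(line)
            if verb == "DATA":
                in_data = True
        else:
            replies.append(f"500 {verb}: command not allowed by Mail Guard")
    return forwarded, replies

# Constructed client session: VRFY and EXPN are legal SMTP but outside the
# seven-command minimum, so the guard stops them; "RCPT" inside the body is data.
SAMPLE_SESSION = [
    "HELO client.example",
    "VRFY postmaster",
    "MAIL FROM:<a@example>",
    "RCPT TO:<b@example>",
    "DATA",
    "Subject: hi",
    "RCPT TO:<c@example>",
    ".",
    "EXPN staff",
    "QUIT",
]
```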

DNS Guard

DNS Guard is always on. After the client sends a DNS request, a dynamic pinhole allows UDP packets to return from the DNS server; by default the UDP timer for that pinhole expires in two minutes. The PIX Firewall recognizes the DNS server's response and closes the dynamic UDP pinhole immediately, rather than waiting for the UDP timer to expire.

Diagram: client and server connection entries keyed by Src IP, Dst IP, Src Pt, and Dst Pt.

FragGuard and Virtual Reassembly

The FragGuard and Virtual Reassembly feature has the following characteristics:
– Is on by default.
– Verifies each fragment set for integrity and completeness.
– Tags each fragment in a fragment set with the transport header.
– Performs full reassembly of all ICMP error messages and virtual reassembly of the remaining IP fragments that are routed through the PIX Firewall.
– Uses Syslog to log fragment overlapping and small fragment offset anomalies.

fragment Command

    fragment size database-limit [interface]

Sets the maximum number of packets in the fragment database.

    fragment chain chain-limit [interface]

Specifies the maximum number of packets into which a full IP packet can be fragmented.

    fragment timeout seconds [interface]

Specifies the maximum number of seconds that the PIX Firewall waits before discarding a packet that is waiting to be reassembled.

Example:

    pixfirewall(config)# fragment size 1
    pixfirewall(config)# fragment chain 1

With a chain limit of 1, a packet may consist of only one fragment, so fragmented packets are not accepted at all.
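To make the FragGuard checks and the three fragment limits concrete, here is an added Python model (not PIX code) that enforces a database limit, a per-packet chain limit and a reassembly timeout, and logs overlapping and small-offset fragments the way the slides say FragGuard does. The limit names follow the fragment size/chain/timeout commands; the detection rules themselves (set-based overlap test, offset below 20 bytes treated as small) are assumptions.

```python
from dataclasses import dataclass, field
# Constructed model of the FragGuard checks listed on the slides: per-packet
# chain limit, database limit, reassembly timeout, and logging of overlapping
# and small-offset fragments. The limits take their names from the fragment
# size/chain/timeout commands; the detection rules are assumptions, not PIX code.

@dataclass
class Fragment:
    pkt_id: int     # IP identification shared by all fragments of one packet
    offset: int     # byte offset of this fragment (IP offset field * 8)
    length: int     # payload bytes carried by this fragment
    more: bool      # more-fragments flag
    arrival: float  # arrival time in seconds

@dataclass
class FragmentDB:
    size: int = 200   # fragment size: packets the database may hold
    chain: int = 24   # fragment chain: fragments allowed per packet
    timeout: int = 5  # fragment timeout: seconds to wait for reassembly
    sets: dict = field(default_factory=dict)
    log: list = field(default_factory=list)

    def add(self, f):
        """Return 'accept', 'drop' or 'complete'; anomalies are appended to self.log."""
        for pid in [p for p, s in self.sets.items() if f.arrival - s["first"] > self.timeout]:
            self.log.append(f"timeout id={pid}")  # waited longer than the timeout
            del self.sets[pid]
        s = self.sets.get(f.pkt_id)
        if s is None:
            if len(self.sets) >= self.size:
                self.log.append(f"database full id={f.pkt_id}")
                return "drop"
            s = self.sets[f.pkt_id] = {"first": f.arrival, "count": 0, "got": set(), "end": None}
        if s["count"] >= self.chain:
            self.log.append(f"chain limit id={f.pkt_id}")
            return "drop"
        span = set(range(f.offset, f.offset + f.length))
        if span & s["got"]:  # bytes already seen: overlapping fragment
            self.log.append(f"overlap id={f.pkt_id} offset={f.offset}")
            return "drop"
        if 0 < f.offset < 20:  # assumption: offset lands inside a 20-byte TCP header
            self.log.append(f"small offset id={f.pkt_id} offset={f.offset}")
            return "drop"
        s["count"] += 1
        s["got"] |= span
        if not f.more:
            s["end"] = f.offset + f.length
        if s["end"] is not None and len(s["got"]) == s["end"]:
            del self.sets[f.pkt_id]  # every byte from 0 to end seen exactly once
            return "complete"
        return "accept"
```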

AAA Flood Guard

    floodguard {enable | disable}

Reclaims attacked or overused AAA resources to help prevent DoS attacks on AAA services (default = enabled). Example:

    pixfirewall(config)# floodguard enable

DoS Protection

The PIX Firewall can mitigate TCP SYN flooding attacks:
– Release 5.2 introduced TCP Intercept: proxying of TCP sessions by the PIX Firewall.
– Release 6.2 introduced TCP SYN cookies, which are more CPU friendly.

TCP Three-Way Handshake

Diagram: a normal handshake (SYN, SYN/ACK, ACK between a host on the Internet and the target) beside a DoS attack in which SYNs carry a spoofed source address, so the target's SYN/ACK goes to the spoofed host, the ACK never arrives, and each attack SYN leaves an embryonic connection on the target.

TCP Intercept

Diagram: with an embryonic connection count of 3, the PIX Firewall completes the SYN, SYN/ACK, ACK handshake with the client itself before opening the connection to the server; a normal client's session is proxied through, while attack SYNs that are never acknowledged do not reach the target.

SYN Cookies

Diagram: a normal exchange of SYN, SYN/ACK (cookie), ACK (cookie) beside the TCP Intercept exchange of SYN, SYN/ACK, ACK.

The PIX Firewall responds to the SYN itself and includes a cookie in the TCP header of the SYN/ACK. The PIX Firewall keeps no state information: the cookie is a hash of parts of the TCP header and a secret key. A legitimate client completes the handshake by sending the ACK back with the cookie. If the cookie is authentic, the PIX Firewall proxies the TCP session.
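The stateless check the slide describes, as an added Python illustration rather than Cisco's implementation: the SYN/ACK sequence number is a keyed hash of TCP header fields and a secret, and the returning ACK is validated by recomputing that hash, so nothing is stored for SYNs that are never acknowledged. The chosen header fields, the 64-second clock bucket and the 8+24-bit cookie layout are assumptions, not the PIX cookie format.

```python
import hashlib
import hmac

# Constructed illustration of the stateless SYN-cookie check the slide describes:
# the SYN/ACK sequence number is a keyed hash of TCP header fields and a secret,
# so no state is kept until a valid ACK returns. The field choice, the 64-second
# time bucket and the 8+24-bit cookie layout are assumptions, not the PIX format.

SECRET = b"constructed-firewall-secret"  # assumption: a per-firewall secret key

def _bucket(now):
    return int(now) // 64  # coarse clock so that stale cookies stop validating

def _hash24(src_ip, src_port, dst_ip, dst_port, client_isn, bucket):
    msg = f"{src_ip}:{src_port}>{dst_ip}:{dst_port}|{client_isn}|{bucket}".encode()
    return int.from_bytes(hmac.new(SECRET, msg, hashlib.sha256).digest()[:3], "big")

def make_cookie(src_ip, src_port, dst_ip, dst_port, client_isn, now):
    """Sequence number to place in the SYN/ACK: 8 bits of clock, 24 bits of hash."""
    b = _bucket(now)
    return ((b & 0xFF) << 24) | _hash24(src_ip, src_port, dst_ip, dst_port, client_isn, b)

def check_ack(src_ip, src_port, dst_ip, dst_port, ack_seq, ack_num, now, max_age=1):
    """Validate the final ACK without stored state.

    The ACK carries seq = client_isn + 1 and ack = cookie + 1, so both inputs of
    the original hash can be recovered from the segment itself. A cookie is
    accepted only if it was minted in the current or one of the last max_age buckets.
    """
    cookie = (ack_num - 1) & 0xFFFFFFFF
    client_isn = (ack_seq - 1) & 0xFFFFFFFF
    for age in range(max_age + 1):
        b = _bucket(now) - age
        if (b & 0xFF) != cookie >> 24:
            continue
        expect = _hash24(src_ip, src_port, dst_ip, dst_port, client_isn, b)
        if hmac.compare_digest(expect.to_bytes(3, "big"), (cookie & 0xFFFFFF).to_bytes(3, "big")):
            return True  # authentic: only now does the firewall proxy the session
    return False  # forged or stale cookie: nothing was allocated, nothing to free
```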

Embryonic Connection Limit

Setting the embryonic connection (em) limit enables TCP proxying using either TCP Intercept or SYN cookies.
– A value of 0 disables protection (default).
– When the embryonic connection limit is exceeded, all connections are proxied.

    nat (if_name) id address [max_conns] [em_limit]
    static [(internal_if_name, external_if_name)] {global_ip | interface} local_ip [dns] [max_conns [emb_limit]]

Examples:

    pixfirewall(config)# nat (inside)
    pixfirewall(config)# static (inside,outside)

Intrusion Detection

Intrusion detection is the ability to detect attacks against networks. There are three types of network attacks:
– Reconnaissance
– Access
– Denial of service

Signatures

A signature is a set of rules pertaining to typical intrusion activity that, when matched, generates a unique response. The PIX Firewall supports the following signature classes:
– Informational: triggers on normal network activity that in itself is not considered malicious, but that can be used to determine the validity of an attack or for forensic purposes.
– Attack: triggers on an activity known to be, or that could lead to, unauthorized data retrieval, system access, or privilege escalation.

Intrusion Detection in the PIX Firewall

Diagram: (1) an intruder on the Internet runs nslookup against the DNS server (server1) on the DMZ and attempts a zone transfer of domain.com; (2) the PIX Firewall detects the attack, drops the connection, and logs an IDS message to the Syslog server.

    C:\>nslookup
    Default server: server1.domain.com
    Address:
    ls -d domain.com

Configure IDS

    ip audit name audit_name info [action [alarm] [drop] [reset]]

Creates a policy for informational signatures.

    ip audit name audit_name attack [action [alarm] [drop] [reset]]

Creates a policy for attack signatures.

    ip audit interface if_name audit_name

Applies a policy to an interface. Example:

    pixfirewall(config)# ip audit name ATTACKPOLICY attack action alarm reset
    pixfirewall(config)# ip audit interface outside ATTACKPOLICY

With this configuration, when the PIX Firewall detects an attack signature on its outside interface, it reports an event to all configured Syslog servers, drops the offending packet, and closes the connection if it is part of an active connection.

Specify Default Actions for Signatures

    ip audit attack [action [alarm] [drop] [reset]]

Specifies the default actions for attack signatures.

    ip audit info [action [alarm] [drop] [reset]]

Specifies the default actions for informational signatures. Example:

    pixfirewall(config)# ip audit info action alarm drop

With this setting, when the PIX Firewall detects an informational signature, it reports an event to all configured Syslog servers and drops the offending packet.

Disable Intrusion Detection Signatures

    ip audit signature signature_number disable

Excludes a signature from auditing. Example:

    pixfirewall(config)# ip audit signature 6102 disable

Disables signature 6102.

Shunning

shun Command

    shun src_ip [dst_ip sport dport [protocol]]

Applies a blocking function to an interface under attack. Example:

    pixfirewall(config)# shun

No further traffic from the shunned source address is allowed.

Shunning an Attacker

    pixfirewall(config)# shun

Diagram: the attacker on the Internet sends traffic from source port 4000 to port 53 on the target; once the attacker's source address is shunned, the PIX Firewall blocks that traffic.

Summary

– The PIX Firewall has the following attack guards to help protect systems from malicious attacks: Mail Guard, DNS Guard, FragGuard and Virtual Reassembly, AAA Flood Guard, and SYN Flood Guard.
– Cisco PIX Firewall Software Version 5.2 and higher support intrusion detection.
– Intrusion detection is the ability to detect attacks against a network, including reconnaissance, access, and DoS attacks.
– The PIX Firewall supports signature-based intrusion detection.
– Each signature can generate a unique alarm and response.
– Informational signatures collect information to help determine the validity of an attack, or for forensics.
– Attack signatures trigger on an activity known to be, or that could lead to, unauthorized data retrieval, system access, or privilege escalation.
– The PIX Firewall can be configured to shun the source address of attacking hosts.

Lab Exercise

Lab Visual Objective (diagram): for Pods 1–5 (10.0.P.0 network) and Pods 6– (10.0.Q.0 network), each pod has a student PC with a Syslog server (local address 10.0.P.11), a PIX Firewall, RTS (.100) and RBB (.2) routers, and a bastion host running Web and FTP services.