1mbehring_pix_rev5 © 1999, Cisco Systems, Inc. Internetworking with PIX™ PIX IOS 5.0.


1 Internetworking with PIX™ PIX IOS 5.0

2 Internetworking with PIX: Agenda
- Overview of the PIX
- The “Inside” of the PIX
- Advanced Configurations
- PIX and IPSec
- PIX Management
- Last Words

3 Overview of the PIX: Hardware, Software and Capabilities (CCIE’99 Vienna)

4 The Box Itself
- 515-R (restricted): target: branch office
- 515-UR (unrestricted): target: main office
- 520: target: biiig main office

5 The Platform
- 515-R: Pentium 200 MHz, no PCI, 32 M RAM max
- 515-UR: Pentium 200 MHz, 2 PCI, 64 M RAM max
- 520: Pentium 350 MHz, 4 PCI, 128 M RAM max, 1 ISA

6 Interfaces
- 515-R: 2 FE, unchangeable
- 515-UR: standard 2 FE, extensible to up to 6 FE
- 520: standard 2 FE plus 2 of: 4 FE card, Token Ring card, FDDI card

7 Private Link Cards
- PL1: ISA based (16 bit, discontinued)
- PL2: PCI based (32 bit)
- PL3: (planned) PCI
- Kodiak: (planned) PCI
- PIX 520 has 1 ISA slot + 4 PCI slots
- PIX 515-UR has 2 PCI slots, no ISA

8 PIX Hardware Overview (columns: 515-R / 515-UR / 520)
- Max. simult. connect: 50,000 / 100,000 / 250,000
- Max. RAM: 32M / 64M / 128M
- Max # i/f: 2 / 6
- Flash: 8M / 16M
- Failover: no / yes
- I/f type: FE / TR, FDDI
- Max. throughput: 170 Mbps

9 The PIX Philosophy
Three interfaces with security levels: Public Network = outside (0), DMZ (50), Private Network = inside (100)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 DMZ security50

10 The PIX Philosophy: Default Actions
- Higher to lower security level: PERMIT
- Lower to higher: DENY
- Between same levels: DENY

11 Strength of the PIX
- No common OS
- Small code -> less chance for bugs
- Appliance: no extra software
- Easy configuration
- Performance (170 Mbit/s !!)

12 PIX Certification
- NSA TTAP certification
- ICSA certification
- SRI International testing: “SRI International failed to uncover any security vulnerabilities in the Cisco PIX firewall”
- Turnkey appliance: no software installation risks

13 Licensing
- 520: session based (128, 1024, ...); will be feature based in the future
- 515: feature based: basic license plus DES license (free), 3DES license (extra cost)

14 Around the PIX
- WebSense: URL filtering
- Private I: logging and alarming
- CiscoSecure: Cut-Through-Proxy, AAA
- Cisco Security Manager: management
- Verisign, Entrust, …: Certification Authority
- PIX Firewall Manager: management

15 The “Inside” of the PIX: Configuration Details (NW’99 Vienna)

16 Only 4 Ways through the PIX
1: inside to outside (limit with “outbound” and “apply”)
2: user authentication (AAA)
3: conduit (outside to inside)
4*: access list (* since PIX IOS 5.0)

17 Address Translation in the PIX: NAT / PAT
global (outside) 1 204.31.17.40-204.31.17.50    <- NAT: outside source address range to use (NAT-ID 1)
global (outside) 1 204.31.17.51                 <- PAT*: use only one outside address
nat (inside) 1 0.0.0.0 0.0.0.0 0 0              <- translate all inside source addresses (NAT-ID 1)
* For PAT use only 1 outside address

18 Destination Address Translation: Alias
- NAT changes the source address only
- Use alias to change the destination address
- DNS will be changed as well
- Applications: dual NAT, re-routing

19 How “alias” Works
The company uses 2.2.2.2 internally; www.x.com on the Internet is also 2.2.2.2.
alias: 3.3.3.3 = 2.2.2.2 (configured on the inside, translated on the outside)
1. Inside user accesses www.x.com
2. DNS query goes out
3. Reply: 2.2.2.2 (conflict with the internal 2.2.2.2)
4. PIX rewrites the reply: 3.3.3.3
5. Destination NAT: packets to 3.3.3.3 leave the outside interface for 2.2.2.2

20 Address Translation: Alias Configuration
alias (inside) 3.3.3.3 2.2.2.2 255.255.255.255
  Destination NAT: use this destination address (3.3.3.3) on the inside... …for this destination address (2.2.2.2) on the outside
static (inside,outside) 2.2.2.2 3.3.3.3 netmask 255.255.255.255
  Source NAT: map this source (2.2.2.2) on the outside... …to this one (3.3.3.3) on the inside
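The DNS rewrite (step 4) and the destination NAT (step 5) of slides 19 and 20, as an added Python model that is not part of the presentation. It parses an alias line in the slide's form and generalizes to subnet-wide aliases (netmask shorter than /32), which the single-host slide does not show; the inside-network list used by `conflicts()` is an assumption.

```python
import ipaddress

# Constructed alias line in the form the slide shows (assumption: a single host alias).
ALIAS_CONFIG = ["alias (inside) 3.3.3.3 2.2.2.2 255.255.255.255"]

def parse_alias(line):
    """alias (if) dnat_ip foreign_ip netmask -> (if, dnat_net, foreign_net)."""
    t = line.split()
    iface = t[1].strip("()")
    dnat = ipaddress.ip_network(f"{t[2]}/{t[4]}", strict=False)
    foreign = ipaddress.ip_network(f"{t[3]}/{t[4]}", strict=False)
    return iface, dnat, foreign

def _remap(ip, src_net, dst_net):
    """Move an address to the same offset inside the other network (works for /32 too)."""
    offset = int(ip) - int(src_net.network_address)
    return str(ipaddress.ip_address(int(dst_net.network_address) + offset))

def rewrite_dns_answer(aliases, answer_ip):
    """Step 4: an A-record answer inside foreign_net is rewritten to the dnat
    address before the reply reaches the inside host."""
    ip = ipaddress.ip_address(answer_ip)
    for _, dnat, foreign in aliases:
        if ip in foreign:
            return _remap(ip, foreign, dnat)
    return answer_ip  # no alias matches: reply passes untouched

def translate_destination(aliases, dst_ip):
    """Step 5: an inside packet addressed to the dnat address is destination-NATed
    back to the real foreign address as it leaves on the outside."""
    ip = ipaddress.ip_address(dst_ip)
    for _, dnat, foreign in aliases:
        if ip in dnat:
            return _remap(ip, dnat, foreign)
    return dst_ip

def conflicts(inside_nets, answer_ip):
    """True when a raw DNS answer collides with an inside network, which is the
    situation slide 19 labels 'Conflict' and the reason an alias is needed."""
    ip = ipaddress.ip_address(answer_ip)
    return any(ip in ipaddress.ip_network(n) for n in inside_nets)
```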

21 Address Translation: Static (for web or other servers)
static (inside,outside) 208.133.247.111 172.19.10.130 netmask 255.255.255.255 0 0
  Outside address: 208.133.247.111; inside address: 172.19.10.130

22 Conduits: to permit traffic from outside
conduit permit tcp host 192.150.50.1 eq ftp any
  ... with FTP, to this internal host* (192.150.50.1), from any external host
conduit permit tcp any eq ftp host 192.150.50.42
  ... with FTP, to any internal host, from this external host (192.150.50.42)
* use global addresses
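The security-level default of slide 10 and the conduit exception of slides 16 and 22, as one added Python model that is not part of the presentation. It parses the slides' own nameif and conduit lines; the service-name table and the first-match conduit evaluation are assumptions of this example.

```python
import ipaddress
import re
# Constructed sample config, copied from the slides' nameif and conduit examples.
NAMEIF = ["nameif ethernet0 outside security0", "nameif ethernet1 inside security100",
          "nameif ethernet2 DMZ security50"]
CONDUITS = ["conduit permit tcp host 192.150.50.1 eq ftp any",
            "conduit permit tcp any eq ftp host 192.150.50.42"]
PORTS = {"ftp": 21, "www": 80, "telnet": 23, "smtp": 25}  # assumed service-name table

def parse_nameif(lines):
    """Interface name -> security level from 'nameif <hw> <name> security<N>'."""
    levels = {}
    for m in (re.match(r"nameif\s+\S+\s+(\S+)\s+security(\d+)", l) for l in lines):
        if m:
            levels[m.group(1).lower()] = int(m.group(2))
    return levels

def default_action(levels, src_if, dst_if):
    """Slide 10: higher -> lower PERMIT; lower -> higher, or same level, DENY."""
    return "PERMIT" if levels[src_if.lower()] > levels[dst_if.lower()] else "DENY"

def _addr(t, i):  # consume 'any', 'host A' or 'A MASK' at t[i]; return (network, next)
    if t[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if t[i] == "host":
        return ipaddress.ip_network(t[i + 1] + "/32"), i + 2
    return ipaddress.ip_network(f"{t[i]}/{t[i + 1]}", strict=False), i + 2

def _port(t, i):  # consume an optional 'eq <port>' at t[i]
    if i < len(t) and t[i] == "eq":
        return PORTS.get(t[i + 1]) or int(t[i + 1]), i + 2
    return None, i

def parse_conduit(line):
    """conduit permit|deny <proto> <global addr> [eq p] <foreign addr> [eq p]."""
    t = line.split()
    gnet, i = _addr(t, 3)
    gport, i = _port(t, i)
    fnet, i = _addr(t, i)
    return {"action": t[1], "proto": t[2], "gnet": gnet, "gport": gport, "fnet": fnet}

def inbound_allowed(conduits, proto, foreign_ip, global_ip, global_port):
    """Way 3 of slide 16: outside -> inside is DENY unless a permit conduit matches."""
    f, g = ipaddress.ip_address(foreign_ip), ipaddress.ip_address(global_ip)
    for c in conduits:
        if c["proto"] not in (proto, "ip") or f not in c["fnet"] or g not in c["gnet"]:
            continue
        if c["gport"] is not None and c["gport"] != global_port:
            continue
        return c["action"] == "permit"
    return False
```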

23 Outbound Access Lists: deny inside -> outside connections with outbound access lists
outbound 10 deny 0 0 www tcp                              <- deny all outbound www traffic
outbound 10 permit 192.168.1.2 255.255.255.255 www tcp    <- but permit it to the proxy server
apply (dmz1) 10 outgoing_src                              <- apply list #10 to interface dmz1

24 Adaptive Security Algorithm™ (ASA): the heart of stateful checking in the PIX
Basic rules:
- Allow TCP / UDP from inside
- Permit TCP / UDP return packets
- Drop and log connections from outside
- Drop and log source-routed IP packets
- Allow some ICMP packets
- Silently drop pings to dynamic IP addresses
- Answer (PIX) pings to static connections
- Drop and log all other packets from outside

25 How the PIX Works
1. Packet arrives
2. Addressing: NAT / PAT / Alias / Static
3. Permissions: Conduit / ACLs / Outbound
4. -> Xlate table (addressing info)
5. -> Connections table (ports + protocol)

26 Xlate: The Translation Table
- PIX creates an xlate entry for every IP pair (host-host)
- This is part of the “state” of the firewall
- clear xlate after changes
- timeout xlate hh:mm:ss
- timeout conn hh:mm:ss … and: half-closed, udp, rpc, h323, uauth

27 Connections Table
Connection entries contain:
- Protocol and port numbers
- TCP state and sequence numbers
- State of connection (e.g., embryonic)
Also part of the “state” of the firewall:
- clear xlate also clears the conns table
- License check with # of connections!

28 Xlate and Conns Tables
show xlate
Global 16.130.3.17 Local 16.130.3.17 static nconns 1 econns 0
Global 16.130.3.16 Local 16.130.3.16 static nconns 4 econns 0
  (nconns = # conns, econns = # embryonic)
show conn
6 in use, 6 most used        <- licence check! (PIX 520)
TCP out 192.150.50.41:80 in 10.3.3.4:1404 idle 0:00:00 Bytes 11391
TCP out 192.150.50.41:80 in 10.3.3.4:1405 idle 0:00:00 Bytes 3709
TCP out 192.150.50.41:80 in 10.3.3.4:1406 idle 0:00:01 Bytes 2685
TCP out 192.150.50.41:80 in 10.3.3.4:1407 idle 0:00:01 Bytes 2683
TCP out 192.150.50.41:80 in 10.3.3.4:1403 idle 0:00:00 Bytes 15199
TCP out 192.150.50.41:80 in 10.3.3.4:1408 idle 0:00:00 Bytes 2688
UDP out 192.150.50.70:24 in 10.3.3.4:1402 idle 0:01:30
UDP out 192.150.50.70:23 in 10.3.3.4:1397 idle 0:01:30
UDP out 192.150.50.70:22 in 10.3.3.4:1395 idle 0:01:30
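The license check of slide 27 and the embryonic counters of slide 28, as an added Python parser for the show xlate / show conn output shown above; this is example code, not a Cisco tool. The platform limits come from the hardware overview slide; the embryonic threshold is an assumed operator setting.

```python
import re
# Constructed sample output, copied from the slide (a subset of the lines shown).
SHOW_XLATE = """\
Global 16.130.3.17 Local 16.130.3.17 static nconns 1 econns 0
Global 16.130.3.16 Local 16.130.3.16 static nconns 4 econns 0
"""
SHOW_CONN = """\
6 in use, 6 most used
TCP out 192.150.50.41:80 in 10.3.3.4:1404 idle 0:00:00 Bytes 11391
TCP out 192.150.50.41:80 in 10.3.3.4:1405 idle 0:00:00 Bytes 3709
TCP out 192.150.50.41:80 in 10.3.3.4:1406 idle 0:00:01 Bytes 2685
UDP out 192.150.50.70:24 in 10.3.3.4:1402 idle 0:01:30
UDP out 192.150.50.70:23 in 10.3.3.4:1397 idle 0:01:30
"""
# Max. simultaneous connections per platform, from the hardware overview slide.
LICENSE_LIMIT = {"515-R": 50_000, "515-UR": 100_000, "520": 250_000}
XLATE_RE = re.compile(r"Global (\S+) Local (\S+) (\S+) nconns (\d+) econns (\d+)")
CONN_RE = re.compile(r"(TCP|UDP) out (\S+):(\d+) in (\S+):(\d+) idle (\d+):(\d\d):(\d\d)"
                     r"(?: Bytes (\d+))?")

def parse_show_xlate(text):
    """One dict per translation slot; econns counts embryonic (half-open) TCP conns."""
    return [{"global": m[1], "local": m[2], "kind": m[3], "nconns": int(m[4]),
             "econns": int(m[5])} for m in XLATE_RE.finditer(text)]

def parse_show_conn(text):
    """Return (in_use, most_used, connections) from show conn output."""
    head = re.match(r"(\d+) in use, (\d+) most used", text)
    conns = [{"proto": m[1], "out": (m[2], int(m[3])), "in": (m[4], int(m[5])),
              "idle_s": int(m[6]) * 3600 + int(m[7]) * 60 + int(m[8]),
              "bytes": int(m[9]) if m[9] else None} for m in CONN_RE.finditer(text)]
    return int(head[1]), int(head[2]), conns

def license_usage(platform, in_use, most_used):
    """Percent of the platform's connection license used now and at peak."""
    limit = LICENSE_LIMIT[platform]
    return {"limit": limit, "now_pct": 100 * in_use / limit,
            "peak_pct": 100 * most_used / limit}

def embryonic_hotspots(xlates, threshold):
    """Global addresses whose embryonic count reaches the (assumed) threshold;
    a SYN flood against a static shows up in econns before anywhere else."""
    return [x["global"] for x in xlates if x["econns"] >= threshold]

def per_inside_host(conns):
    """Connections per inside host, to spot one host filling the conns table."""
    counts = {}
    for c in conns:
        counts[c["in"][0]] = counts.get(c["in"][0], 0) + 1
    return counts
```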

29 Advanced Configurations

30 User Authentication: Cut-Through-Proxy
An outside user sends an HTTP request through the PIX, which checks with the AAA server:
1. HTTP request packet intercepted by PIX
2. PIX asks the user for credentials, he responds
3. PIX sends credentials to AAA server, AAA server ack’s
4. PIX forwards packets

31 User Authentication: Cut-Through-Proxy
- Addressing and conduit must exist!
- FTP, HTTP, Telnet can be proxied
- Other ports can be authorised after authentication
- Watch out: timeout for authorisation! -> Other connections will be cut after the primary one timed out

32 User Authentication: Configuration (authenticate all inbound FTP traffic)
aaa-server AuthInbound protocol tacacs+                      <- define AAA protocol
aaa-server AuthInbound (inside) host 10.1.1.1 TheUauthKey    <- define AAA server and key
aaa authentication ftp inbound 0 0 0 0 AuthInbound
aaa authorization ftp inbound 0 0 0 0 AuthInbound            <- install authorization lists from server*
* only with TACACS+, not with RADIUS

33 PIX Failover
Primary (.1) and secondary (.2) PIX, joined by the failover cable and a failover link; inside network 10.0.1.x, outside network 192.168.236.x, default gateway 10.0.1.1

34 Failover Configuration (primary .1, secondary .2 on 10.0.1.x, failover cable plus failover link)
failover [active]                       <- enable failover
failover ip address inside 10.0.1.1     <- address for the standby PIX (configured on the primary)
failover link ethernet2                 <- enable statefulness (over link eth2)

35 PIX Failover
- Only the primary PIX is configured; wr mem auto-configures the standby PIX
- On failover, the standby PIX assumes the MAC and IP address from the primary
- Failover takes 15-45 seconds

36 URL Filtering
Inside user on the corporate network -> PIX -> Internet; the PIX checks the requested URL (e.g. www.sexy.girls) with WebSense

37 URL Filtering Configuration
- Outbound HTTP connections can be checked on URL
- Interaction with a 3rd-party product, e.g., WebSense
url-server (inside) host 10.0.1.100 timeout 5       <- interface, server IP
filter url http 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0     <- filter any URL

38 Various...
- Flooding prevention: floodguard enable|disable; show floodguard
- Fragmentation attack prevention: sysopt security fragguard
- Mailguard (check SMTP commands): fixup protocol smtp 25

39 DMZ Example: Redundant PIX Set-Up
Diagram: Internet and partners/clients reach the DMZ through a redundant pair of PIXes, monitored with NetSonar and NetRanger

40 PIX and IPSec

41 PIX and IPSec*
Uses: remote user access, branch offices, intranet, extranet, host-to-host access; the main office is reached over the Internet, with a Certification Authority (CA)
* since PIX IOS 5.0

42 IPSec Configuration Steps
1: CA interoperation (optional)
2: IKE
3: IKE mode (optional)
4: IPSec

43 IPSec Configuration
access-list 101 permit ip 1.1.1.0 255.255.255.0 2.2.2.0 255.255.255.0    <- what to encrypt...
crypto ipsec transform-set myset1 esp-des esp-sha-hmac                  <- …and how
crypto map mymap 10 ipsec-isakmp
crypto map mymap 10 match address 101                                   <- for this traffic...
crypto map mymap 10 set peer 2.2.2.2                                    <- …use this endpoint
crypto map mymap 10 set transform-set myset1
crypto map mymap interface outside                                      <- apply to interface

44 Configuring the CA
ca generate rsa key 512                                 <- generate key pair
ca identity myca.mycompany.com 205.139.94.230           <- define CA
ca configure myca.mycompany.com ca 1 20 crloptional     <- retry parameters
ca authenticate myca.mycompany.com [ ]                  <- get CA certificate and check it
ca enroll myca.mycompany.com mypassword1234567          <- send PIX’s public key to CA
ca save all

45 ! PIX IPSec: Attention!!
- Avoid the use of the “any” keyword
- IPSec only on the outside interface in 5.0
- No TED in 5.0
- Make sure the clock is set correctly!

46 IPSec Hardware Accelerators
- Software-only mode: 30-40 Mbps DES (!), 10-20 Mbps 3DES (!)
- PIX Private Link card (PL2/PL3): 60-80 Mbps DES (3DES not supported on PL2)
- Kodiak (in development): 100 Mbps 3DES

47 PIX Management

48 PIX Management: Cisco Security Manager
- Policy-based, not device-based
- GUI
- Scalable (<100 PIX)
- Any topology
- Future: management of all security products

49 PIX Syslog
- Reliable logging (TCP): if the syslog server is full -> the PIX will deny all new connections!!
- Unreliable logging: UDP
Config:
logging host dmz1 192.168.1.5 tcp    <- interface; tcp / udp
logging trap debugging
clock set 14:25:00 apr 1 1999
logging timestamp

50 PIX SNMP: almost like on a router
snmp-server host outside 10.1.1.2    <- interface
snmp-server community secret_xyz
snmp-server syslog disable
snmp-server log_level 5
But: the PIX only sends traps, no config through SNMP

51 Last Words…

52 The Direction of Security in Cisco
- Integration: security as an integral part of all products
- CiscoAssure: combine security, QoS, voice in one concept
- DEN*: the future is based on directories
* Directory Enabled Networks

53 Last Words...
- Security needs more than a firewall…
- Keep it simple -> more secure: simple configurations, split functionality across different devices
- Keep up to date!


