
1 © 2002, Cisco Systems, Inc. CSPFA 2.1—3-1 PIX Firewall

2 What Is a Firewall?
A firewall is a system or group of systems that manages access between two networks.

3 Firewall Technologies
Firewall operations are based on one of three technologies:
– Packet filtering
– Proxy server
– Stateful packet filtering

4 ACL Packet Filtering
Limits information into a network based on destination and source address.

5 Proxy Server
Requests connections between a client on the inside of the firewall and the outside.

6 Stateful Packet Filtering
Limits information into a network based not only on destination and source address, but also on packet data content.

7 PIX Firewall—What Is It?
– Stateful firewall with high security and fast performance
– Adaptive security algorithm provides stateful security
– Cut-through proxy eliminates application-layer bottlenecks
– Secure, real-time, embedded operating system

8 Adaptive Security Algorithm
– Provides “stateful” connection control through the PIX Firewall
– Tracks source and destination ports and addresses, TCP sequences, and additional TCP flags
– TCP sequence numbers are randomized to minimize the risk of attack
– Tracks UDP and TCP session state
– Connections allowed out—allows return session back flow (TCP ACK bit)

9 ASA Security Level Example
– Outside network (toward the Internet): interface e0, security level 0, interface name = outside
– Perimeter network: interface e2, security level 50, interface name = pix/intf2
– Inside network: interface e1, security level 100, interface name = inside

10 Cut-Through Proxy Operation
– Authenticates once at the application layer (OSI Layer 7) for each supported service
– Connection is passed back to the PIX Firewall high-performance ASA engine, while maintaining session state
1. The internal or external user makes a request to an IS resource.
2. The PIX Firewall intercepts the connection.
3. The PIX Firewall prompts the user for a username and password, authenticates the user, and checks the security policy on a RADIUS or TACACS+ server.
4. The PIX Firewall initiates a connection from the PIX Firewall to the destination IS resource.
5. The PIX Firewall directly connects the internal or external user to the IS resource via ASA.

11 Stateful Failover
(Diagram: a primary and a secondary PIX Firewall joined by a failover cable, each attached to the inside network 10.0.0.0/24, the outside network 192.168.0.0/24 toward the Internet, the DMZ 172.16.0.0/24 and a fourth network 172.17.0.0/24, with a backbone web, FTP, and TFTP server on 172.26.26.0/24.)

12 Summary
There are three firewall technologies: packet filtering, proxy server, and stateful packet filtering.
The PIX Firewall features include a secure operating system, the Adaptive Security Algorithm, cut-through proxy, stateful failover, and stateful packet filtering.

13 PIX Command Line Interface

14 Access Modes
The PIX Firewall has four administrative access modes:
– Unprivileged mode
– Privileged mode
– Configuration mode
– Monitor mode

15 enable Command
Enables you to enter different access modes.
pixfirewall> enable
password:
pixfirewall# configure terminal
pixfirewall(config)#
pixfirewall(config)# exit
pixfirewall# enable
pixfirewall>

16 enable password and passwd Commands
pixfirewall# enable password password
pixfirewall# passwd password
The enable password command is used to control access to the privileged mode. The passwd command is used to set a Telnet password.

17 hostname and ping Commands
hostname command:
pixfirewall(config)# hostname newname
pixfirewall(config)# hostname proteus
proteus(config)# hostname pixfirewall
pixfirewall(config)#
ping command:
pixfirewall(config)# ping [if_name] ip_address
pixfirewall(config)# ping 10.0.0.3
10.0.0.3 response received -- 0Ms

18 write Commands
The following are the write commands:
– write net
– write erase
– write floppy
– write memory
– write standby
– write terminal

19 show Commands
The following are show commands:
– show ?
– show history
– show memory
– show version
– show xlate
– show cpu usage
– show interface
– show ip address

20 PIX Configuration Commands

21 Six Primary Configuration Commands
– nameif
– interface
– ip address
– nat
– global
– route

22 nameif Command
pixfirewall(config)# nameif hardware_id if_name security_level
The nameif command assigns a name to each interface on the PIX Firewall and specifies its security level.
pixfirewall(config)# nameif ethernet2 dmz sec50

23 interface Command
pixfirewall(config)# interface hardware_id hardware_speed
The interface command configures the speed and duplex.
pixfirewall(config)# interface ethernet0 100full
pixfirewall(config)# interface ethernet1 100full
The outside and inside interfaces are set for 100 Mbps Ethernet full-duplex communication.

24 ip address Command
pixfirewall(config)# ip address if_name ip_address [netmask]
The ip address command assigns an IP address to each interface.
pixfirewall(config)# ip address dmz 172.16.0.1 255.255.255.0

25 PIX Firewall Translations

26 Sessions in an IP World
In an IP world, a network session is a transaction between two end systems. It is carried out over one of two transport layer protocols:
– TCP (Transmission Control Protocol)
– UDP (User Datagram Protocol)

27 TCP
TCP is a connection-oriented, reliable-delivery, robust, and high-performance transport layer protocol.
TCP features:
– Sequencing and acknowledgement of data
– A defined state machine (open connection, data flow, retransmit, close connection)
– Congestion management and avoidance mechanisms

28 TCP Initialization—Inside to Outside
The PIX Firewall checks for a translation slot. If one is not found, it creates one after verifying NAT, global, access control, and authentication or authorization, if any. If OK, a connection is created and the embryonic connection counter is started. No data flows yet.
The PIX Firewall follows the Adaptive Security Algorithm:
– (Src IP, Src Port, Dest IP, Dest Port) check
– Sequence number check
– Translation check
If the code bit is not syn-ack, PIX drops the packet.

Private network (inside host 10.0.0.3), IP and TCP headers:
#  Source addr   Destination addr  Source port  Destination port  Initial sequence #  Flag     Ack
1  10.0.0.3      172.30.0.50       1026         23                49091               Syn
4  172.30.0.50   10.0.0.3          23           1026              92513               Syn-Ack  49092

Public network (10.0.0.3 translated to 192.168.0.20, sequence number randomized):
#  Source addr   Destination addr  Source port  Destination port  Initial sequence #  Flag     Ack
2  192.168.0.20  172.30.0.50       1026         23                49769               Syn
3  172.30.0.50   192.168.0.20      23           1026              92513               Syn-Ack  49770

29 TCP Initialization—Inside to Outside (cont.)
The PIX Firewall strictly follows the Adaptive Security Algorithm. On the final ACK it resets the embryonic counter for this client and then increments the connection counter for this host. Data flows.

Private network, IP and TCP headers:
#  Source addr   Destination addr  Source port  Destination port  Initial sequence #  Flag  Ack
5  10.0.0.3      172.30.0.50       1026         23                49092               Ack   92514

Public network:
#  Source addr   Destination addr  Source port  Destination port  Initial sequence #  Flag  Ack
6  192.168.0.20  172.30.0.50       1026         23                49770               Ack   92514
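As an added example (not part of the course material), a small Python model of the ASA steps on slides 28 and 29: translation slot creation from the global pool, sequence number randomization (the offset 49769 - 49091 is fixed here so the run reproduces the slide), the SYN-ACK code-bit and sequence checks, and the embryonic and connection counters. The names ToyPix, Packet, ConnSlot and handshake_demo are invented for the example; the addresses, ports and sequence numbers are the slides' own.

```python
from dataclasses import dataclass, replace

# Added example, not from the Cisco course: a toy model of the ASA checks the
# slides describe for an inside-to-outside TCP handshake. The sequence check is
# a strict equality on the expected acknowledgement number (a simplification of
# the real window-based check), and the ISN offset is fixed, not random.

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int
    flags: str        # "SYN", "SYN-ACK" or "ACK"
    seq: int
    ack: int = 0

@dataclass
class ConnSlot:
    local_ip: str
    global_ip: str
    seq_delta: int    # global ISN minus local ISN (the randomised offset)
    expect_ack: int   # acknowledgement number the outside host must send next
    embryonic: bool = True

class ToyPix:
    def __init__(self, global_pool, isn_shift):
        self.pool = list(global_pool)   # addresses from the global command
        self.xlate = {}                  # translation slots: local ip -> global ip
        self.conns = {}                  # connection slots keyed by (src, sport, dst, dport)
        self.embryonic = 0               # half-open (SYN only) connections
        self.connections = 0             # completed connections
        self.isn_shift = isn_shift       # stands in for the random ISN offset

    def _translation_slot(self, local_ip):
        """Translation check: reuse the slot or create one from the pool."""
        if local_ip not in self.xlate:
            if not self.pool:
                return None              # pool exhausted: no slot, packet dropped
            self.xlate[local_ip] = self.pool.pop(0)
        return self.xlate[local_ip]

    def outbound(self, p):
        """Packet arriving on the inside (higher security) interface."""
        global_ip = self._translation_slot(p.src)
        if global_ip is None:
            return None
        key = (p.src, p.sport, p.dst, p.dport)
        c = self.conns.get(key)
        if c is None:
            if p.flags != "SYN":
                return None              # no connection slot and not a new connection
            c = self.conns[key] = ConnSlot(p.src, global_ip, self.isn_shift, 0)
            self.embryonic += 1          # start the embryonic connection counter
        elif c.embryonic and p.flags == "ACK":
            c.embryonic = False          # handshake complete: reset embryonic, count it
            self.embryonic -= 1
            self.connections += 1
        c.expect_ack = p.seq + c.seq_delta + (1 if p.flags == "SYN" else 0)
        return replace(p, src=global_ip, seq=p.seq + c.seq_delta)

    def inbound(self, p):
        """Packet arriving on the outside (lower security) interface."""
        local_ip = next((l for l, g in self.xlate.items() if g == p.dst), None)
        if local_ip is None:
            return None                  # translation check fails
        c = self.conns.get((local_ip, p.dport, p.src, p.sport))
        if c is None:
            return None                  # (Src IP, Src Port, Dest IP, Dest Port) check fails
        if c.embryonic and p.flags != "SYN-ACK":
            return None                  # code bit must be SYN-ACK while embryonic
        if p.ack != c.expect_ack:
            return None                  # sequence number check fails
        return replace(p, dst=local_ip, ack=p.ack - c.seq_delta)

def handshake_demo():
    """Replay the slides' six packets plus two that the ASA must drop."""
    pix = ToyPix(["192.168.0.20", "192.168.0.21"], isn_shift=49769 - 49091)
    t = {}
    # 1 -> 2: inside host 10.0.0.3 opens Telnet to 172.30.0.50 with ISN 49091
    t[2] = pix.outbound(Packet("10.0.0.3", "172.30.0.50", 1026, 23, "SYN", 49091))
    # 3 -> 4: the server's SYN-ACK acknowledges the randomised ISN (49769 + 1)
    t[4] = pix.inbound(Packet("172.30.0.50", "192.168.0.20", 23, 1026, "SYN-ACK", 92513, 49770))
    # a SYN-ACK with the wrong acknowledgement number fails the sequence check
    t["bad_ack"] = pix.inbound(Packet("172.30.0.50", "192.168.0.20", 23, 1026, "SYN-ACK", 92513, 49771))
    # 5 -> 6: the inside host completes the handshake; data may now flow
    t[6] = pix.outbound(Packet("10.0.0.3", "172.30.0.50", 1026, 23, "ACK", 49092, 92514))
    # an unsolicited inbound SYN to the global address matches no connection slot
    t["unsolicited"] = pix.inbound(Packet("172.30.0.50", "192.168.0.20", 4444, 80, "SYN", 1))
    t["embryonic"], t["connections"], t["xlate"] = pix.embryonic, pix.connections, dict(pix.xlate)
    return t
```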

30 UDP
– Connectionless protocol
– Efficient protocol for some services
– Resourceful but difficult to secure

31 UDP (cont.)
The PIX Firewall checks for a translation slot. If one is not found, it creates one after verifying NAT, global, access control, and authentication or authorization, if any. If OK, a connection is created.
The PIX Firewall follows the Adaptive Security Algorithm:
– (Src IP, Src Port, Dest IP, Dest Port) check
– Translation check
All UDP responses must arrive from the outside within the user-configurable UDP timeout (default = 2 minutes).

Private network (inside host 10.0.0.3), IP and UDP headers:
#  Source addr   Destination addr  Source port  Destination port
1  10.0.0.3      172.30.0.50       1028         45000
4  172.30.0.50   10.0.0.3          45000        1028

Public network (10.0.0.3 translated to 192.168.0.20):
#  Source addr   Destination addr  Source port  Destination port
2  192.168.0.20  172.30.0.50       1028         45000
3  172.30.0.50   192.168.0.20      45000        1028

32 Static Translations
pixfirewall(config)# static (inside, outside) 192.168.0.18 10.0.0.10
A packet from 10.0.0.10 (the DNS server) has a source address of 192.168.0.18.
– Permanently maps a single IP address
– Recommended for internal service hosts like a DNS server
(Diagram: DNS server 10.0.0.10 on the inside network, PIX Firewall with inside address 10.0.0.1 and outside address 192.168.0.2, perimeter router 192.168.0.1, Internet.)

33 Dynamic Translations
Configures dynamic translations:
– nat (inside) 1 0.0.0.0 0.0.0.0
– global (outside) 1 192.168.0.20-192.168.0.254 netmask 255.255.255.0
(Diagram: inside host 10.0.0.3 behind the PIX Firewall (inside 10.0.0.1, outside 192.168.0.2), perimeter router 192.168.0.1, global pool 192.168.0.20-192.168.0.254, Internet.)

34 Connections vs. Translations
Translations—xlate
– IP address to IP address translation
– 65,536 translations supported
Connections—conns
– TCP or UDP sessions

35 xlate Command
pixfirewall(config)# clear xlate [global_ip [local_ip]]
The clear xlate command clears the contents of the translation slots.

36 Summary
The PIX Firewall manages the TCP and UDP protocols through the use of a translation table.
Static translations assign a permanent IP address to an inside host.
Mapping between local and global addresses is done dynamically with the nat command.
Dynamic translations use NAT for local clients and their outbound connections and hide the client address from others on the Internet.

37 NAT Terminology When Using the PIX
– An inside (or local) network is the network from which we translate addresses (local addresses).
– An outside (or global) network is the network to which we translate local addresses, which become global addresses.
– A translation is a one-to-one mapped pair of (local, global) IP addresses.

38 NAT Terminology When Using the PIX (cont.)
– A translation slot (xlate slot) is a software structure inside PIX/OS used to describe active translations.
– A connection slot is a software structure inside PIX/OS describing an active connection (many connection slots can be bound to a translation slot).
– The translation table (xlate table) is the software structure inside PIX/OS containing all active translation and connection slot objects.

39 NAT Example
Inside local IP addresses 10.0.0.3 and 10.0.0.4; global IP pool 192.168.0.20 and 192.168.0.21.
Inside:
Source addr  Destination addr  Source port  Destination port
10.0.0.3     200.200.200.10    49090        23
Outside (toward the Internet):
Source addr   Destination addr  Source port  Destination port
192.168.0.20  200.200.200.10    49090        23
Translation table: 10.0.0.3 ↔ 192.168.0.20

40 nat Command
pixfirewall(config)# nat [(if_name)] nat_id local_ip [netmask]
The nat command defines which addresses can be translated.
pixfirewall(config)# nat (inside) 1 0.0.0.0 0.0.0.0

41 global Command
pixfirewall(config)# global [(if_name)] nat_id {global_ip[-global_ip] [netmask global_mask]} | interface
Works with the nat command to assign a registered or public IP address to an internal host with the same nat_id.
pixfirewall(config)# nat (inside) 1 0.0.0.0 0.0.0.0
pixfirewall(config)# global (outside) 1 192.168.0.20-192.168.0.254
When internal hosts access the outside network through the firewall, they are assigned addresses from the 192.168.0.20–192.168.0.254 range.

42 Two Interfaces with NAT (Multiple Internal Networks)
pixfirewall(config)# nat (inside) 1 10.0.0.0 255.255.255.0
pixfirewall(config)# nat (inside) 2 10.1.0.0 255.255.255.0
pixfirewall(config)# global (outside) 1 192.168.0.1-192.168.0.14 netmask 255.255.255.240
pixfirewall(config)# global (outside) 2 192.168.0.17-192.168.0.30 netmask 255.255.255.240
Use separate nat_ids to assign different global address pools. The mask used in the nat and global commands is not a mask for host ranges but the mask for each address.
(Diagram: internal networks 10.0.0.0/24 and 10.1.0.0/24 behind e1 inside (.1, security level 100); e0 outside (.2, security level 0) on 192.168.0.0/24 with the pod perimeter router at .1; backbone web, FTP, and TFTP server 172.26.26.50; Internet.)

43 Three Interfaces with NAT
pixfirewall(config)# nat (inside) 1 10.0.0.0 255.255.255.0
pixfirewall(config)# nat (dmz) 1 172.16.0.0 255.255.255.0
pixfirewall(config)# global (outside) 1 192.168.0.20-192.168.0.254 netmask 255.255.255.0
pixfirewall(config)# global (dmz) 1 172.16.0.20-172.16.0.254 netmask 255.255.255.0
Inside users can start outbound connections to both the DMZ and the Internet. DMZ users can start outbound connections to the Internet.
(Diagram: e1 inside .1, security level 100, on 10.0.0.0/24 with an inside host and web and FTP server at .3; e2 dmz .1, security level 50, on 172.16.0.0/24 with a bastion host and web and FTP server at .2; e0 outside .2, security level 0, on 192.168.0.0/24 with the pod perimeter router at .1; backbone web, FTP, and TFTP server 172.26.26.50; Internet.)

44 Port Address Translation
Two inside hosts using the same source port are translated to the single PAT global address 192.168.0.15 with different source ports.
Inside:
Source addr  Destination addr  Source port  Destination port
10.0.0.3     172.30.0.50       49090        23
10.0.0.2     172.30.0.50       49090        23
Outside (toward the Internet, after PAT):
Source addr   Destination addr  Source port  Destination port
192.168.0.15  172.30.0.50       2000         23
192.168.0.15  172.30.0.50       2001         23

45 PAT Example
pixfirewall(config)# ip address inside 10.0.0.1 255.255.255.0
pixfirewall(config)# ip address outside 192.168.0.2 255.255.255.0
pixfirewall(config)# route outside 0.0.0.0 0.0.0.0 192.168.0.1
pixfirewall(config)# nat (inside) 1 10.0.0.0 255.255.255.0
pixfirewall(config)# global (outside) 1 192.168.0.9 netmask 255.255.255.0
– Assign a single IP address (192.168.0.9) as a global pool
– Source addresses of hosts in network 10.0.0.0 are translated to 192.168.0.9 for outgoing access
– Source port changes to a unique number greater than 1024
(Diagram: Sales 10.0.1.0, Engineering 10.0.2.0, and Information Systems networks behind the PIX Firewall (inside 10.0.0.1, outside 192.168.0.2), perimeter router 192.168.0.1, bastion host 172.16.0.2.)

46 PAT Using Outside Interface Address
pixfirewall(config)# ip address inside 10.0.0.1 255.255.255.0
pixfirewall(config)# ip address outside 192.168.0.2 255.255.255.0
pixfirewall(config)# route outside 0.0.0.0 0.0.0.0 192.168.0.1
pixfirewall(config)# nat (inside) 1 10.0.0.0 255.255.255.0
pixfirewall(config)# global (outside) 1 interface
Use the interface option to enable use of the outside interface IP address as the PAT address. Source addresses of hosts in network 10.0.0.0 are translated to 192.168.0.2 for outgoing access. The source port is changed to a unique number greater than 1024.
(Diagram: Sales 10.0.1.0, Engineering 10.0.2.0, and Information Systems networks behind the PIX Firewall (inside 10.0.0.1, outside 192.168.0.2), perimeter router 192.168.0.1, bastion host 172.16.0.2.)

47 Augmenting a Global Pool with PAT
pixfirewall(config)# ip address inside 10.0.0.1 255.255.255.0
pixfirewall(config)# ip address outside 192.168.0.2 255.255.255.0
pixfirewall(config)# route outside 0.0.0.0 0.0.0.0 192.168.0.1
pixfirewall(config)# nat (inside) 1 10.0.0.0 255.255.255.0
pixfirewall(config)# global (outside) 1 192.168.0.20-192.168.0.254 netmask 255.255.255.0
pixfirewall(config)# global (outside) 1 192.168.0.19 netmask 255.255.255.0
When hosts on the 10.0.0.0 network access the outside network through the firewall, they are assigned public addresses from the 192.168.0.20-192.168.0.254 range. When the addresses from the global pool are exhausted, PAT begins. Make sure the PAT address is not part of the global pool.
(Diagram: Sales 10.0.1.0, Engineering 10.0.2.0, and Information Systems networks behind the PIX Firewall (inside 10.0.0.1, outside 192.168.0.2), perimeter router 192.168.0.1, bastion host 172.16.0.2.)
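Added example (not Cisco's code): a Python model of how the nat and global statements on slides 42 to 47 hand out addresses for one nat_id: one-to-one from the pool range first, then PAT on the single address (or the outside interface address) with source ports above 1024 once the pool is exhausted, and rejecting a PAT address that lies inside the pool. ToyNat, demo and overlap_rejected are invented names; the configuration lines are the slides' own, and the second nat_id using the interface address combines slides 42 and 46.

```python
# Added example, not Cisco code: a toy model of nat/global address allocation
# with a shared nat_id, first one-to-one from the pool and then, once the pool is
# exhausted, by PAT on a single address with source ports above 1024.
import ipaddress
import re

class ToyNat:
    def __init__(self):
        self.if_addr = {}          # if_name -> its own IP (for "global ... interface")
        self.nat_rules = []        # (if_name, nat_id, network) in configuration order
        self.pools = {}            # (if_name, nat_id) -> free global addresses
        self.pat_addr = {}         # (if_name, nat_id) -> PAT address
        self.xlate = {}            # local ip -> global ip (one-to-one translation slots)
        self.pat_xlate = {}        # (local ip, local port) -> (global ip, global port)
        self.next_port = {}        # PAT address -> next free source port (> 1024)

    def configure(self, line):
        m = re.match(r"ip address (\w+) (\S+) \S+$", line)
        if m:
            self.if_addr[m[1]] = ipaddress.ip_address(m[2])
            return
        m = re.match(r"nat ?\((\w+)\) (\d+) (\S+) (\S+)$", line)
        if m:
            net = ipaddress.ip_network(f"{m[3]}/{m[4]}", strict=False)
            self.nat_rules.append((m[1], int(m[2]), net))
            return
        m = re.match(r"global ?\((\w+)\) (\d+) (\S+)(?: netmask \S+)?$", line)
        if not m:
            raise ValueError(f"unsupported command: {line}")
        key, spec = (m[1], int(m[2])), m[3]
        if "-" in spec:                         # address range: one-to-one dynamic NAT pool
            lo, hi = (int(ipaddress.ip_address(a)) for a in spec.split("-"))
            rng = [ipaddress.ip_address(i) for i in range(lo, hi + 1)]
            if self.pat_addr.get(key) in rng:
                raise ValueError("PAT address must not be part of the global pool")
            self.pools.setdefault(key, []).extend(rng)
        else:                                   # single address or "interface": PAT
            pat = self.if_addr[m[1]] if spec == "interface" else ipaddress.ip_address(spec)
            if pat in self.pools.get(key, []):
                raise ValueError("PAT address must not be part of the global pool")
            self.pat_addr[key] = pat

    def translate(self, local_ip, local_port, out_if="outside"):
        """Return the (global ip, global port) a connection leaves with, or None if dropped."""
        ip = ipaddress.ip_address(local_ip)
        nat_id = next((nid for _ifn, nid, net in self.nat_rules if ip in net), None)
        if nat_id is None:
            return None                         # no nat statement covers this host
        if ip in self.xlate:
            return str(self.xlate[ip]), local_port   # existing translation slot
        pool = self.pools.get((out_if, nat_id), [])
        if pool:
            self.xlate[ip] = pool.pop(0)        # one-to-one NAT, source port unchanged
            return str(self.xlate[ip]), local_port
        pat = self.pat_addr.get((out_if, nat_id))
        if pat is None:
            return None                         # pool exhausted and no PAT address: dropped
        k = (ip, local_port)
        if k not in self.pat_xlate:
            port = self.next_port.get(pat, 1025)     # unique source port greater than 1024
            self.pat_xlate[k] = (str(pat), port)
            self.next_port[pat] = port + 1
        return self.pat_xlate[k]

def demo():
    """Slide 47's configuration plus a second nat_id that uses the outside interface address."""
    pix = ToyNat()
    for line in (
        "ip address outside 192.168.0.2 255.255.255.0",
        "nat (inside) 1 10.0.0.0 255.255.255.0",
        "nat (inside) 2 10.1.0.0 255.255.255.0",
        "global (outside) 1 192.168.0.20-192.168.0.254 netmask 255.255.255.0",
        "global (outside) 1 192.168.0.19 netmask 255.255.255.0",
        "global (outside) 2 interface",
    ):
        pix.configure(line)
    r = {"first": pix.translate("10.0.0.3", 49090)}     # ("192.168.0.20", 49090)
    for host in range(4, 238):                            # 234 more hosts drain the 235-address pool
        pix.translate(f"10.0.0.{host}", 1026)
    r["pat_a"] = pix.translate("10.0.0.238", 49090)       # ("192.168.0.19", 1025): PAT begins
    r["pat_b"] = pix.translate("10.0.0.239", 49090)       # same source port, next PAT port 1026
    r["nat_id_2"] = pix.translate("10.1.0.7", 2000)       # ("192.168.0.2", 1025): interface PAT
    r["no_nat"] = pix.translate("172.16.0.2", 80)         # no nat statement: None
    r["pool_left"] = len(pix.pools[("outside", 1)])       # 0
    return r

def overlap_rejected():
    """The slide's warning: a PAT address inside the pool is a configuration error."""
    pix = ToyNat()
    pix.configure("global (outside) 1 192.168.0.20-192.168.0.254 netmask 255.255.255.0")
    try:
        pix.configure("global (outside) 1 192.168.0.30 netmask 255.255.255.0")
    except ValueError:
        return True
    return False
```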

48 route Command
pixfirewall(config)# route if_name ip_address netmask gateway_ip [metric]
The route command defines a static or default route for an interface.
pixfirewall(config)# route outside 0.0.0.0 0.0.0.0 192.168.0.1 1

49 Other Configuration Commands
– static
– conduit
– name
– fixup protocol

50 Statics and Conduits
The static and conduit commands allow connections from a lower security interface (outside, security level 0) to a higher security interface (inside, security level 100). The static command is used to create a permanent mapping between an inside IP address and a global IP address. The conduit command is an exception in the ASA’s inbound security policy for a given host.

51 static Command
pixfirewall(config)# static [(internal_if_name, external_if_name)] global_ip local_ip [netmask network_mask] [max_conns [em_limit]] [norandomseq]
Maps a local IP address to a global IP address.
pixfirewall(config)# static (inside,outside) 192.168.0.10 10.0.0.3 netmask 255.255.255.255 0 1000
– A packet sent from 10.0.0.3 has a source address of 192.168.0.10
– Permanently maps a single IP address (external access)
– Recommended for internal service hosts
(Diagram: inside host 10.0.0.3, PIX Firewall with inside address 10.0.0.1 and outside address 192.168.0.2, perimeter router 192.168.0.1.)

52 conduit Command
pixfirewall(config)# conduit permit|deny protocol global_ip global_mask [operator port[port]] foreign_ip foreign_mask [operator port[port]]
A conduit maps a specific IP address and TCP/UDP connection from the outside host to the inside host.
pixfirewall(config)# conduit permit tcp host 192.168.0.10 eq ftp any
The conduit statement is backwards from an ACL.
(Diagram: inside host 10.0.0.3, PIX Firewall with inside address 10.0.0.1 and outside address 192.168.0.2, perimeter router 192.168.0.1.)

53 Port Redirection
pixfirewall(config)# static [(internal_if_name, external_if_name)] {tcp|udp} {global_ip|interface} global_port local_ip local_port [netmask mask] [max_conns [emb_limit [norandomseq]]]
Allows outside users to connect to a particular IP address or port and have the PIX redirect traffic to the appropriate inside server.
pixfirewall(config)# static (inside,outside) tcp 192.168.0.9 8080 172.16.0.2 www netmask 255.255.255.255 0 0
The external user directs an HTTP port 8080 request to the PIX Firewall PAT address, 192.168.0.9 (http://192.168.0.9:8080). The PIX Firewall redirects this request to the web server 172.16.0.2 on port 80 (http://172.16.0.2:80).

54 Conduit Example
pixfirewall(config)# nameif ethernet0 outside sec0
pixfirewall(config)# nameif ethernet1 inside sec100
pixfirewall(config)# nameif ethernet2 dmz sec50
pixfirewall(config)# ip address outside 192.168.0.2 255.255.255.0
pixfirewall(config)# ip address inside 10.0.0.1 255.255.255.0
pixfirewall(config)# ip address dmz 172.16.0.1 255.255.255.0
pixfirewall(config)# nat (inside) 1 10.0.0.0 255.255.255.0
pixfirewall(config)# global (outside) 1 192.168.0.20-192.168.0.254 netmask 255.255.255.0
pixfirewall(config)# global (dmz) 1 172.16.0.20-172.16.0.254 netmask 255.255.255.0
pixfirewall(config)# static (dmz,outside) 192.168.0.11 172.16.0.2
pixfirewall(config)# conduit permit tcp host 192.168.0.11 eq http any
(Diagram: e0 outside .2 on 192.168.0.0/24 toward the Internet, e1 inside .1 on 10.0.0.0/24, e2 dmz .1 on 172.16.0.0/24 with the bastion host at .2.)

55 Another Conduit Example
pixfirewall(config)# nameif ethernet0 outside sec0
pixfirewall(config)# nameif ethernet1 inside sec100
pixfirewall(config)# nameif ethernet2 dmz sec50
pixfirewall(config)# nameif ethernet3 partnernet sec40
pixfirewall(config)# ip address outside 192.168.0.2 255.255.255.0
pixfirewall(config)# ip address inside 10.0.0.1 255.255.255.0
pixfirewall(config)# ip address dmz 172.16.0.1 255.255.255.0
pixfirewall(config)# ip address partnernet 172.18.0.1 255.255.255.0
pixfirewall(config)# nat (inside) 1 10.0.0.0 255.255.255.0
pixfirewall(config)# global (outside) 1 192.168.0.20-192.168.0.254 netmask 255.255.255.0
pixfirewall(config)# global (dmz) 1 172.16.0.20-172.16.0.254 netmask 255.255.255.0
pixfirewall(config)# static (dmz,outside) 192.168.0.11 172.16.0.2
pixfirewall(config)# conduit permit tcp host 192.168.0.11 eq http any
pixfirewall(config)# static (dmz,partnernet) 172.18.0.11 172.16.0.2
pixfirewall(config)# conduit permit tcp host 172.18.0.11 eq http any
(Diagram: e0 outside .2 on 192.168.0.0/24 toward the Internet, e1 inside .1 on 10.0.0.0/24, e2 dmz .1 on 172.16.0.0/24 with the bastion host at .2, e3 partnernet .1 on 172.18.0.0/24.)

56 Fixup Protocol Command
PIX has a protocol fixup feature to recognize applications running on non-standard ports:
fixup protocol [- ]
NAT uses the fixup information for badly behaved protocols to handle those connections properly.
fixup protocol ftp 2021
fixup protocol sqlnet 1600

57 Attack Guards
The PIX has special handling for DNS and SMTP using the fixup protocol command.
fixup protocol DNS [- ]
fixup protocol SMTP [- ]
DNS will only allow one response back to a query. SMTP will only allow RFC 821 specified commands such as HELO, MAIL, RCPT, DATA, RSET, NOOP, and QUIT.

58 Defending Against Denial-of-Service Attacks
The PIX can defend against inbound SYN-flooding (excess connection requests) attacks with the option for a maximum number of embryonic (SYN only) connections per translation slot:
static (int_if_name, out_if_name) global_ip local_ip [max_conn [max_embr]] [norandomseq]

59 AAA and SYN Floodguards
AAA Floodguard protects against DoS attacks of authorization requests. It is enabled by default.
floodguard enable | disable
SYN Floodguard protects against DoS half-open connection attacks.
nat (inside) 1 0 0 [max_conns [em_limit]]
static (inside,outside) 200.1.1.1 10.1.1.1 netmask 255.255.255.255 [max_conns [em_limit]]
max_conns is the maximum connections permitted to hosts accessed from local_ip. em_limit is the maximum embryonic connections permitted to hosts accessed from local_ip.

60 Summary
The PIX Firewall has four administrative access modes: unprivileged, privileged, configuration, and monitor.
Interfaces with a higher security level can access interfaces with a lower security level, while interfaces with a lower security level cannot access interfaces with a higher security level unless given permission.
The primary commands necessary to configure the PIX Firewall are the following: nameif, interface, ip address, nat, global, static, conduit, and route.

61 Summary (continued)
The nat and global commands work together to hide internal IP addresses.
The nat 0 command allows an address to go out of the PIX untranslated while providing ASA security features for inbound requests.
The static and conduit commands work together to provide access through the PIX.
The PIX Firewall supports port redirection and has advanced protocol handling features.
The PIX Firewall has DoS attack guards and Floodguards.

62 Configuring Failover

63 Failover
The primary and secondary units (connected by a failover cable) must:
– be the same model number.
– have identical software versions and activation key types.
– have the same amount of Flash memory and RAM.

64 IP Address for Failover on PIX Firewalls
(Diagram: the primary PIX Firewall (active/standby) holds the system IP and the secondary PIX Firewall (standby/active) holds the failover IP. On 192.168.0.0/24 toward the Internet: router .1, primary e0 .2, secondary e0 .7. On 10.0.0.0/24: primary e1 .1, secondary e1 .7, inside host .3.)

65 Configuration Replication
Configuration replication occurs:
– When the standby firewall completes its initial bootup.
– As commands are entered on the active firewall.
– By entering the write standby command.

66 Failover and Stateful Failover
Failover
– Connections are dropped.
– Client applications must reconnect.
– Provides redundancy.
Stateful failover
– Connections remain active.
– No client applications need to reconnect.
– Provides redundancy and stateful connection.

67 failover Commands
pixfirewall(config)# failover
The failover command enables failover between the active and standby PIX Firewalls.
pixfirewall(config)# failover [active]
The failover active command makes a PIX Firewall the primary firewall.
pixfirewall(config)# failover ip address if_name ip_address
The failover ip address command creates an IP address for the standby PIX Firewall.
pixfirewall# failover ip address inside 10.0.0.4
pixfirewall(config)# failover link [stateful_if_name]
The failover link command enables stateful failover.

68 failover poll Command
pixfirewall(config)# failover poll seconds
Specifies how long failover waits before sending special failover “hello” packets between the primary and standby units over all network interfaces and the failover cable.
pixfirewall(config)# failover poll 10
Failover waits ten seconds before sending special failover “hello” packets.

69 show failover Command
Before failover:
pixfirewall(config)# show failover
Failover On
Cable status: Normal
Reconnect timeout 0:00:00
This host: Primary - Active
  Active time: 360 (sec)
  Interface dmz (172.16.0.1): Normal
  Interface outside (192.168.0.2): Normal
  Interface inside (10.0.0.1): Normal
Other host: Secondary - Standby
  Active time: 0 (sec)
  Interface dmz (172.16.0.4): Normal
  Interface outside (192.168.0.4): Normal
  Interface inside (10.0.0.4): Normal
Stateful Failover Logical Update Statistics
  Link : dmz

After failover:
pixfirewall(config)# show failover
Failover On
Cable status: Normal
Reconnect timeout 0:00:00
This host: Primary - Standby
  Active time: 0 (sec)
  Interface dmz (172.16.0.4): Normal
  Interface outside (192.168.0.4): Normal
  Interface inside (10.0.0.4): Normal
Other host: Secondary - Active
  Active time: 150 (sec)
  Interface dmz (172.16.0.1): Normal
  Interface outside (192.168.0.2): Normal
  Interface inside (10.0.0.1): Normal
Stateful Failover Logical Update Statistics
  Link : dmz

70 Summary
The primary and secondary PIX Firewalls are the two firewalls used for failover.
The primary PIX Firewall is usually active, while the secondary PIX Firewall is usually standby, but during failover the primary PIX Firewall goes on standby while the secondary becomes active.
The configuration of the primary PIX Firewall is replicated to the secondary PIX Firewall during configuration replication.
During failover, connections are dropped, while during stateful failover, connections remain active.

71 Access Control Configuration and Content Filtering

72 Access Control List
An ACL enables you to determine what traffic will be allowed or denied through the PIX Firewall.
ACLs are applied per interface (traffic is analyzed inbound relative to an interface).
The access-list and access-group commands are used to create an ACL.
The access-list and access-group commands are an alternative for the conduit and outbound commands.

73 ACL Usage Guidelines
Higher to lower security level
– Use an ACL to restrict outbound traffic.
– The ACL source address is the actual (untranslated) address of the host or network.
Lower to higher security level
– Use an ACL to restrict inbound traffic.
– The destination host must have a statically mapped address.
– The ACL destination address is the “global ip” assigned in the static command.

74 access-list Command
pixfirewall(config)# access-list acl_name [deny | permit] protocol {src_addr | local_addr} {src_mask | local_mask} operator port {destination_addr | remote_addr} {destination_mask | remote_mask} operator port
– Enables you to create an ACL
– ACLs associated with IPSec are known as “crypto” ACLs
ACL “dmz1” denies access from the 192.168.1.0 network to TCP ports less than 1025 on host 192.168.0.1:
pixfirewall(config)# access-list dmz1 deny tcp 192.168.1.0 255.255.255.0 host 192.168.0.1 lt 1025

75 access-group Command
pixfirewall(config)# access-group acl_name in interface interface_name
– Binds an ACL to an interface
– The ACL is applied to traffic inbound to an interface
ACL “dmz1” is bound to interface “dmz”:
pixfirewall(config)# access-group dmz1 in interface dmz

76 ACLs Versus Conduits
ACL: An ACL applies to a single interface, affecting all traffic entering that interface regardless of its security level.
Conduit: A conduit creates an exception to the PIX Firewall Adaptive Security Algorithm by permitting connections from one interface to access hosts on another.
It is recommended to use ACLs to maintain future compatibility.

77 Convert Conduits to ACLs
conduit permit | deny protocol global_ip global_mask [operator port [port]] foreign_ip foreign_mask [operator port [port]]
access-list acl_name [deny | permit] protocol {src_addr | local_addr} {src_mask | local_mask} operator port {destination_addr | remote_addr} {destination_mask | remote_mask} operator port
global_ip = destination_addr
foreign_ip = src_addr
pixfirewall(config)# conduit permit tcp host 192.168.0.10 eq www any
pixfirewall(config)# access-list acl_in permit tcp any host 192.168.0.10 eq www
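Added example (not Cisco's code): a Python converter that applies the mapping above (global_ip becomes the ACL destination, foreign_ip the source, each keeping the port qualifier that follows it) so an existing conduit configuration can be rewritten and checked line by line. conduit_to_acl and convert_config are invented names, and binding the resulting ACL inbound on the outside interface is an assumption taken from the slides' examples.

```python
# Added example, not Cisco code: rewrite conduit statements into equivalent
# access-list lines using the slide's mapping (global_ip -> destination,
# foreign_ip -> source). Address specs are "any", "host A.B.C.D" or "A.B.C.D mask".
_PORT_OPS = {"eq", "lt", "gt", "neq"}

def _take_addr(tokens, i):
    """Consume one address specification starting at tokens[i]."""
    if tokens[i] == "any":
        return tokens[i:i + 1], i + 1
    return tokens[i:i + 2], i + 2          # "host addr" or "addr mask": two tokens either way

def _take_port(tokens, i):
    """Consume an optional port qualifier: 'eq www', 'lt 1025', 'range 20 21', ..."""
    if i < len(tokens) and tokens[i] in _PORT_OPS:
        return tokens[i:i + 2], i + 2
    if i < len(tokens) and tokens[i] == "range":
        return tokens[i:i + 3], i + 3
    return [], i

def conduit_to_acl(conduit, acl_name):
    """conduit permit tcp host G eq www any -> access-list NAME permit tcp any host G eq www"""
    t = conduit.split()
    if len(t) < 5 or t[0] != "conduit" or t[1] not in ("permit", "deny"):
        raise ValueError(f"not a conduit statement: {conduit}")
    action, proto = t[1], t[2]
    global_spec, i = _take_addr(t, 3)      # the statically mapped (global) address
    global_port, i = _take_port(t, i)      # its port: stays with the ACL destination
    foreign_spec, i = _take_addr(t, i)     # the outside (foreign) host or network
    foreign_port, i = _take_port(t, i)     # its port: stays with the ACL source
    if i != len(t):
        raise ValueError(f"unparsed tokens in: {conduit}")
    return " ".join(["access-list", acl_name, action, proto,
                     *foreign_spec, *foreign_port, *global_spec, *global_port])

def convert_config(lines, acl_name, interface="outside"):
    """Replace each conduit in a configuration with an ACL line; bind the ACL inbound on interface."""
    out, converted = [], 0
    for line in lines:
        if line.startswith("conduit "):
            out.append(conduit_to_acl(line, acl_name))
            converted += 1
        else:
            out.append(line)                # static, nat, global and other lines are kept as-is
    if converted:
        out.append(f"access-group {acl_name} in interface {interface}")
    return out
```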

78 ACLs
pixfirewall(config)# nat (dmz) 1 0 0
pixfirewall(config)# global (outside) 1 192.168.0.20-192.168.0.254 netmask 255.255.255.0
pixfirewall(config)# static (inside,dmz) 172.16.0.10 10.0.0.3 netmask 255.255.255.255
pixfirewall(config)# static (inside,dmz) 172.16.0.12 10.0.0.4 netmask 255.255.255.255
pixfirewall(config)# access-list 102 permit tcp 172.16.0.0 255.255.255.0 172.16.0.10 255.255.255.255 eq ftp
pixfirewall(config)# access-list 102 permit tcp 172.16.0.0 255.255.255.0 172.16.0.12 255.255.255.255 eq smtp
pixfirewall(config)# access-list 102 permit tcp 172.16.0.0 255.255.255.0 any eq www
pixfirewall(config)# access-group 102 in interface dmz
Users on the DMZ are able to access the Internet, the internal FTP server, and the internal mail server.

79 Deny Web Access to the Internet
nameif ethernet0 outside sec0
nameif ethernet1 inside sec100
access-list acl_out deny tcp any any eq www
access-list acl_out permit ip any any
access-group acl_out in interface inside
nat (inside) 1 10.0.0.0 255.255.255.0
global (outside) 1 192.168.0.20-192.168.0.254 netmask 255.255.255.0
– Denies web traffic on port 80 from the inside network to the Internet
– Permits all other IP traffic from the inside network to the Internet

80 Permit Web Access to the DMZ
nameif ethernet0 outside sec0
nameif ethernet1 inside sec100
nameif ethernet2 dmz sec50
ip address outside 192.168.0.2 255.255.255.0
ip address inside 10.0.0.1 255.255.255.0
ip address dmz 172.16.0.1 255.255.255.0
static (dmz,outside) 192.168.0.11 172.16.0.2
access-list acl_in_dmz permit tcp any host 192.168.0.11 eq www
access-list acl_in_dmz deny ip any any
access-group acl_in_dmz in interface outside
The ACL acl_in_dmz permits web traffic on port 80 from the Internet to the DMZ web server. The ACL acl_in_dmz denies all other IP traffic from the Internet.
(Diagram: outside .2 on 192.168.0.0/24 toward the Internet, inside .1 on 10.0.0.0/24, dmz .1 on 172.16.0.0/24 with the web server at .2.)

81 icmp Command
pixfirewall(config)# icmp permit | deny [host] src_addr [src_mask] [type] int_name
Enables or disables pinging to an interface.
pixfirewall(config)# icmp deny any echo-reply outside
pixfirewall(config)# icmp permit any unreachable outside
All ping requests are denied at the outside interface, and all unreachable messages are permitted at the outside interface.

82 Summary
ACLs enable you to determine which systems can establish connections through your PIX Firewall.
Cisco recommends migrating from conduits to ACLs. Existing conduits can easily be converted to ACLs.
With ICMP ACLs, you can disable pinging to a PIX Firewall interface so that your PIX Firewall cannot be detected on your network.
The PIX Firewall can work with URL-filtering software to control and monitor Internet activity.

