Internetworking with PIX™, PIX IOS 5.0 (mbehring_pix_rev5, © 1999, Cisco Systems, Inc.)


Page 1: Internetworking with PIX™, PIX IOS 5.0

Page 2: Agenda

• Overview of the PIX

• The “Inside” of the PIX

• Advanced Configurations

• PIX and IPSec

• PIX Management

• Last Words

Page 3: Overview of the PIX: Hardware, Software and Capabilities

CCIE’99 Vienna

Page 4: The Box Itself

• 515-R (restricted). Target: Branch office

• 515-UR (unrestricted). Target: Main office

• 520. Target: Biiig main office

PIX Overview

Page 5: The Platform

• 515-R: Pentium 200 MHz, no PCI, 32 M RAM max

• 515-UR: Pentium 200 MHz, 2 PCI, 64 M RAM max

• 520: Pentium 350 MHz, 4 PCI, 128 M RAM max, 1 ISA

Page 6: Interfaces

• 515-R: 2 FE, unchangeable

• 515-UR: standard 2 FE, extensible to up to 6 FE

• 520: standard 2 FE plus 2 of: 4 FE card, Token Ring card, FDDI card

Page 7: Private Link Cards

• PL1: ISA based (16 bit, discontinued)

• PL2: PCI based (32 bit)

• PL3: (planned) PCI

• Kodiak: (planned) PCI

• PIX 520 has 1 ISA slot + 4 PCI slots; PIX 515-UR has 2 PCI slots, no ISA

Page 8: PIX Hardware Overview

                          515-R     515-UR    520
Max. simult. connections  50,000    100,000   250,000
Max. RAM                  32M       64M       128M
Max # i/f                 2         6         6
Flash                     8M        16M       16M
Failover                  no        yes       yes
I/f type                  FE        FE        FE, TR, FDDI
Max. throughput (Mbps)    170       170       170

Page 9: The PIX Philosophy

Figure: PIX Firewall between the Private Network (inside, security 100), the DMZ (security 50) and the Public Network (outside, security 0).

nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 DMZ security50

Page 10: The PIX Philosophy (continued)

Figure: Private Network (security 100), DMZ (security 50), Public Network (security 0).

Default Actions:

• Higher to Lower: PERMIT

• Lower to Higher: DENY

• Between Same: DENY

Page 11: Strength of the PIX

• No common OS

• Small code -> Less chances for bugs

• Appliance: No extra software

• Easy configuration

• Performance (170 Mbit/s !!)

Page 12: PIX Certification

• NSA TTAP Certification

• ICSA Certification

• SRI International testing: “SRI International failed to uncover any security vulnerabilities in the Cisco PIX firewall”

• Turnkey appliance — no software installation risks

Page 13: Licensing

• 520: Session based (128, 1024, …); will be feature based in the future

• 515: Feature based: basic license plus DES license (free), 3DES license (extra cost)

Page 14: Around the PIX

WebSense: URL Filtering

Private I: Logging and Alarming

CiscoSecure: Cut-Through-Proxy, AAA

Cisco Security Manager: Management

Verisign, Entrust, …: Certification Authority

PIX Firewall Manager: Management

Page 15: The “Inside” of the PIX: Configuration Details

NW’99 Vienna

Page 16: Only 4 Ways through the PIX

Figure: Private Network (inside) and Public Network (outside) on either side of the PIX.

1: inside to outside (limit with “outbound” and “apply”)

2: user authentication (AAA)

3: conduit

4*: Access List

* since PIX IOS 5.0

PIX “Inside”

Page 17: Address Translation in the PIX: NAT / PAT

global (outside) 1 204.31.17.40-204.31.17.50

NAT: outside source address range to use; 1 is the NAT-ID.

global (outside) 1 204.31.17.51

PAT*: a single outside address.

nat (inside) 1 0.0.0.0 0.0.0.0 0 0

Translate all inside source addresses.

* For PAT use only 1 outside address

Page 18: Destination Address Translation: Alias

• NAT changes Source Address only

• Use alias to change Destination address

• DNS will be changed as well

• Applications: Dual NAT, Re-routing

Page 19: How “alias” Works

Figure: an Inside User reaches www.x.com (2.2.2.2) on the Internet, while a Company host also uses 2.2.2.2, so the address conflicts on the inside.

1. Access www.x.com

2. DNS query

3. Reply: 2.2.2.2 (conflict)

4. Reply: 3.3.3.3 (rewritten by the alias)

5. Destination NAT

alias: 3.3.3.3 = 2.2.2.2 (inside / outside)

Page 20: Address Translation: Alias Configuration

alias (inside) 3.3.3.3 2.2.2.2 255.255.255.255

Destination NAT: use this destination address (3.3.3.3) on the inside... for this destination address (2.2.2.2) on the outside.

static (inside,outside) 2.2.2.2 3.3.3.3 netmask 255.255.255.255

Source NAT: map this source (2.2.2.2) on the outside... to this one (3.3.3.3) on the inside.

Page 21: Address Translation: Static

static (inside,outside) 208.133.247.111 172.19.10.130 netmask 255.255.255.255 0 0

Outside address 208.133.247.111, inside address 172.19.10.130. For Web or other servers.
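As an added illustration (not part of the original deck), the following Python model builds an xlate table from the global / nat / static lines shown on the NAT/PAT and static slides: a host matched by the nat statement takes an address from the global pool, falls back to PAT on the single global address once the pool is exhausted, and a static entry maps one fixed pair. The class, its attribute names and the PAT port-allocation rule (ports handed out from 1024 upwards) are assumptions of this model, not PIX internals.

```python
import ipaddress

# Constructed config, copied from the NAT/PAT and static slides above.
PIX_CONFIG = """
global (outside) 1 204.31.17.40-204.31.17.50
global (outside) 1 204.31.17.51
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) 208.133.247.111 172.19.10.130 netmask 255.255.255.255 0 0
"""

PAT_FIRST_PORT = 1024   # assumption of this model, not a PIX constant


class PixXlate:
    """Simplified xlate table built from global / nat / static lines (a model, not PIX code)."""

    def __init__(self, config):
        self.nat_rules = []     # (nat id, local network covered by the nat statement)
        self.nat_pools = {}     # nat id -> free global addresses from a range
        self.pat_addr = {}      # nat id -> the single global address used for PAT
        self.pat_port = {}      # nat id -> next port to hand out for PAT
        self.host_xlate = {}    # local ip -> (global ip, kind): one static or NAT entry per host
        self.pat_xlate = {}     # (local ip, local port) -> (global ip, global port)
        for line in config.strip().splitlines():
            self._parse(line.split())

    def _parse(self, tok):
        if tok[0] == "global":                       # global (if) id addr | lo-hi
            nat_id = int(tok[2])
            if "-" in tok[3]:                        # a range: NAT pool
                lo, hi = (int(ipaddress.ip_address(a)) for a in tok[3].split("-"))
                pool = self.nat_pools.setdefault(nat_id, [])
                pool.extend(str(ipaddress.ip_address(i)) for i in range(lo, hi + 1))
            else:                                    # one address: PAT
                self.pat_addr[nat_id] = tok[3]
                self.pat_port[nat_id] = PAT_FIRST_PORT
        elif tok[0] == "nat":                        # nat (if) id net mask ...
            net = ipaddress.ip_network(f"{tok[3]}/{tok[4]}", strict=False)
            self.nat_rules.append((int(tok[2]), net))
        elif tok[0] == "static":                     # static (in,out) GLOBAL LOCAL ...: fixed pair
            self.host_xlate[tok[3]] = (tok[2], "static")

    def translate(self, local_ip, local_port):
        """Return (global ip, global port, kind) for an inside source, or None if untranslatable."""
        if local_ip in self.host_xlate:              # existing host entry: static or NAT
            gip, kind = self.host_xlate[local_ip]
            return gip, local_port, kind
        addr = ipaddress.ip_address(local_ip)
        nat_id = next((n for n, net in self.nat_rules if addr in net), None)
        if nat_id is None:                           # no nat statement covers it: dropped
            return None
        pool = self.nat_pools.get(nat_id, [])
        if pool:                                     # NAT: one global address per inside host
            gip = pool.pop(0)
            self.host_xlate[local_ip] = (gip, "nat")
            return gip, local_port, "nat"
        if nat_id in self.pat_addr:                  # pool exhausted: fall back to PAT
            key = (local_ip, local_port)
            if key not in self.pat_xlate:            # new port-level entry
                port = self.pat_port[nat_id]
                self.pat_port[nat_id] = port + 1
                self.pat_xlate[key] = (self.pat_addr[nat_id], port)
            gip, gport = self.pat_xlate[key]
            return gip, gport, "pat"
        return None
```

With the eleven-address pool on the slide, the twelfth inside host is the first to be translated by PAT, which is the behaviour the footnote on Page 17 alludes to.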

Page 22: Conduits

• To permit traffic from outside

conduit permit tcp host 192.150.50.1 eq ftp any

To this internal host*... with FTP... from any external host.

conduit permit tcp any eq ftp host 192.150.50.42

To any internal host... with FTP... from this external host.

* use global addresses

Page 23: Outbound Access Lists

• Deny Inside -> Outside connections with Outbound Access Lists

outbound 10 deny 0 0 www tcp

Deny all outbound www traffic (10 is the list #).

outbound 10 permit 192.168.1.2 255.255.255.255 www tcp

But permit to the proxy server.

apply (dmz1) 10 outgoing_src

Apply to interface dmz1.
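To tie the default actions of Page 10 to the conduit and outbound slides above, here is an added Python model (not code from the deck) that parses nameif, conduit, outbound and apply lines and decides a new connection: higher-to-lower is permitted unless the outbound list applied to the source interface denies it, lower-to-higher is denied unless a conduit permits it, and equal levels are denied. The best-match (longest mask) rule for outbound entries, the interface name dmz1 at security 50, and the PORT_NAMES table are assumptions of the model.

```python
import ipaddress

# Constructed config: levels from Page 9, conduits and outbound list from the slides above.
PIX_CONFIG = """
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz1 security50
conduit permit tcp host 192.150.50.1 eq ftp any
conduit permit tcp any eq ftp host 192.150.50.42
outbound 10 deny 0 0 www tcp
outbound 10 permit 192.168.1.2 255.255.255.255 www tcp
apply (dmz1) 10 outgoing_src
"""
PORT_NAMES = {"ftp": 21, "www": 80, "telnet": 23}   # assumed service-name table


def _port(tok):
    return PORT_NAMES[tok] if tok in PORT_NAMES else int(tok)

def _net(ip, mask):
    # "0 0" on the outbound slide means any address; ipaddress needs full dotted quads
    ip, mask = ("0.0.0.0" if ip == "0" else ip), ("0.0.0.0" if mask == "0" else mask)
    return ipaddress.ip_network(f"{ip}/{mask}", strict=False)

def _addr(tok, i):
    # conduit address spec at tok[i]: any | host A | A MASK; returns (network, next index)
    if tok[i] == "any":
        return _net("0", "0"), i + 1
    if tok[i] == "host":
        return _net(tok[i + 1], "255.255.255.255"), i + 2
    return _net(tok[i], tok[i + 1]), i + 2


class PixPolicy:
    """Model of the default actions plus conduits and outbound lists (not PIX code)."""
    def __init__(self, config):
        self.level, self.conduits, self.outbound, self.applied = {}, [], {}, {}
        for line in config.strip().splitlines():
            t = line.split()
            if t[0] == "nameif":                            # nameif hw name securityN
                self.level[t[2]] = int(t[3][len("security"):])
            elif t[0] == "conduit" and t[1] == "permit":    # global addr [eq p] foreign addr
                gnet, i = _addr(t, 3)
                gport, i = (_port(t[i + 1]), i + 2) if i < len(t) and t[i] == "eq" else (None, i)
                fnet, i = _addr(t, i)
                self.conduits.append((t[2], gnet, gport, fnet))
            elif t[0] == "outbound":                        # outbound id action ip mask port proto
                rule = (t[2], _net(t[3], t[4]), _port(t[5]), t[6])
                self.outbound.setdefault(int(t[1]), []).append(rule)
            elif t[0] == "apply":                           # apply (if) id outgoing_src
                self.applied[t[1].strip("()")] = int(t[2])

    def check(self, src_if, dst_if, src_ip, dst_ip, dst_port, proto="tcp"):
        """Decide a new connection; dst_ip is the global address, since conduits use globals."""
        src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
        s_lvl, d_lvl = self.level[src_if], self.level[dst_if]
        if s_lvl > d_lvl:            # higher -> lower: permit unless the outbound list denies
            best = None              # assumption: the most specific (longest mask) entry wins
            for action, net, port, p in self.outbound.get(self.applied.get(src_if), []):
                if p == proto and port == dst_port and src in net:
                    if best is None or net.prefixlen > best[1].prefixlen:
                        best = (action, net)
            if best and best[0] == "deny":
                return "deny", f"outbound list {self.applied[src_if]}"
            return "permit", "higher to lower security level"
        if s_lvl < d_lvl:            # lower -> higher: deny unless a conduit permits
            for p, gnet, gport, fnet in self.conduits:
                if p == proto and dst in gnet and src in fnet and gport in (None, dst_port):
                    return "permit", "conduit"
            return "deny", "lower to higher security level"
        return "deny", "same security level"
```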

Page 24: Adaptive Security Algorithm™ (ASA)

• Heart of stateful checking in PIX

• Basic Rules:

• Allow TCP / UDP from inside

• Permit TCP / UDP return packets

• Drop and log connections from outside

• Drop and log source routed IP packets

• Allow some ICMP packets

• Silently drop pings to dynamic IP addresses

• Answer (PIX) pings to static connections

• Drop and log all other packets from outside

Page 25: How the PIX works

1. Packet arrives

2. Addressing: NAT / PAT / Alias / Static

3. Permissions: Conduit / ACLs / Outbound

4. -> Xlate Table (addressing info)

5. -> Connections Table (ports + proto)

Page 26: Xlate: The Translation Table

• PIX creates an xlate entry for every IP pair (host-host)

• This is part of the “State” of the firewall

• clear xlate after changes

timeout xlate hh:mm:ss

timeout conn hh:mm:ss

… and: half-closed, udp, rpc, h323, uauth

Page 27: Connections Table

• Connection entries contain: protocol and port numbers; TCP state and sequence numbers; state of connection (e.g., embryonic)

• Also part of the “State” of the firewall

• clear xlate also clears the conns table

• License check with # of connections!

Page 28: Xlate and Conns Tables

show xlate
Global 16.130.3.17 Local 16.130.3.17 static nconns 1 econns 0
Global 16.130.3.16 Local 16.130.3.16 static nconns 4 econns 0

nconns = # conns, econns = # embryonic

show conn
6 in use, 6 most used
TCP out 192.150.50.41:80 in 10.3.3.4:1404 idle 0:00:00 Bytes 11391
TCP out 192.150.50.41:80 in 10.3.3.4:1405 idle 0:00:00 Bytes 3709
TCP out 192.150.50.41:80 in 10.3.3.4:1406 idle 0:00:01 Bytes 2685
TCP out 192.150.50.41:80 in 10.3.3.4:1407 idle 0:00:01 Bytes 2683
TCP out 192.150.50.41:80 in 10.3.3.4:1403 idle 0:00:00 Bytes 15199
TCP out 192.150.50.41:80 in 10.3.3.4:1408 idle 0:00:00 Bytes 2688
UDP out 192.150.50.70:24 in 10.3.3.4:1402 idle 0:01:30
UDP out 192.150.50.70:23 in 10.3.3.4:1397 idle 0:01:30
UDP out 192.150.50.70:22 in 10.3.3.4:1395 idle 0:01:30

Licence check! (PIX 520): the “in use” / “most used” line shows the connection count that the session licence limits.

Page 29: Advanced Configurations

Page 30: User Authentication: Cut-Through-Proxy

Figure: an Outside User on the Public Network sends an HTTP request through the PIX to a www server on the Private Network; the PIX consults an AAA server.

1. HTTP request packet intercepted by PIX

2. PIX asks user for credentials, he responds

3. PIX sends credentials to AAA server, AAA server ack’s

4. PIX forwards packets

PIX Advanced Configuration

Page 31: User Authentication: Cut-Through-Proxy (continued)

• Addressing and Conduit must exist!

• FTP, HTTP, Telnet can be proxied

• Other ports can be authorised after authentication

• Watch out: timeout for authorisation! -> Other connections will be cut after the primary one timed out

Page 32: User Authentication: Configuration

aaa-server AuthInbound protocol tacacs+

Define AAA protocol.

aaa-server AuthInbound (inside) host 10.1.1.1 TheUauthKey

Define AAA server and key.

aaa authentication ftp inbound 0 0 0 0 AuthInbound

Authenticate all inbound FTP traffic.

aaa authorization ftp inbound 0 0 0 0 AuthInbound

Install authorization lists from server*.

* only with TACACS+, not with RADIUS

Page 33: PIX Failover

Figure: Primary and Secondary PIX side by side; inside network 10.0.1.x (primary .1, secondary .2, default gateway 10.0.1.1), outside network 192.168.236.x (primary .1, secondary .2); the two units are joined by the Failover Cable and a Failover Link.

Page 34: Failover Configuration

failover [active]

Enable failover.

failover ip address inside 10.0.1.1

Address for standby PIX (configured on primary).

failover link ethernet2

Enable statefulness (over link eth2).

Page 35: PIX Failover (continued)

• Only primary PIX is configured, wr mem auto-configures standby PIX

• On failover, standby PIX assumes MAC and IP address from primary

• Failover takes 15-45 seconds

Page 36: URL Filtering

Figure: Corporate Network with an Inside User, the PIX, the Internet and a WebSense server; the example request is for www.sexy.girls.

Page 37: URL Filtering Configuration

• Outbound HTTP connections can be checked on URL

• Interaction with 3rd party product, e.g., WebSense

url-server (inside) host 10.0.1.100 timeout 5

Interface and server IP.

filter url http 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0

Filter any URL.

Page 38: Various...

• Flooding prevention:

floodguard enable|disable

show floodguard

• Fragmentation attack prevention:

sysopt security fragguard

• Mailguard (check SMTP commands):

fixup protocol smtp 25

Page 39: Example: Redundant PIX Set-Up

Figure: a redundant PIX pair between the Internet and the internal network, with a DMZ, a segment for Partners and Clients, NetSonar and four NetRanger sensors.

Page 40: PIX and IPSec

Page 41: PIX and IPSec*

Figure: the Main Office PIX terminates IPSec across the Internet for Remote User Access, Branch Offices, Intranet, Extranet and Host-to-host Access, with a Certification Authority (CA).

* since PIX IOS 5.0

PIX and IPSec

Page 42: IPSec Configuration Steps

1: CA interoperation (opt)

2: IKE

3: IKE Mode (opt)

4: IPSec

Page 43: IPSec Configuration

access-list 101 permit ip 1.1.1.0 255.255.255.0 2.2.2.0 255.255.255.0

For this traffic...

crypto ipsec transform-set myset1 esp-des esp-sha-hmac

…and how.

crypto map mymap 10 ipsec-isakmp

crypto map mymap 10 match address 101

What to encrypt...

crypto map mymap 10 set peer 2.2.2.2

…use this endpoint.

crypto map mymap 10 set transform-set myset1

…and how.

crypto map mymap interface outside

Apply to interface.

Page 44: Configuring the CA

ca generate rsa key 512

Generate key pair.

ca identity myca.mycompany.com 205.139.94.230

Define CA.

ca configure myca.mycompany.com ca 1 20 crloptional

Retry parameters.

ca authenticate myca.mycompany.com [<fingerprint>]

Get CA certificate and check it.

ca enroll myca.mycompany.com mypassword1234567

Send PIX’s public key to CA.

ca save all

Page 45: PIX IPSec: Attention!

• Avoid the use of the “any” keyword

• IPSec only on outside interface in 5.0

• No TED in 5.0

• Make sure clock is set correctly!

Page 46: IPSec Hardware Accelerators

• Software-only mode: 30-40 Mbps DES (!), 10-20 Mbps 3DES (!)

• PIX Private Link Card (PL2/PL3): 60-80 Mbps DES (3DES not supported on PL2)

• Kodiak (in development): 100 Mbps 3DES

Page 47: PIX Management

Page 48: Cisco Security Manager

• Policy-based, not Device-based

• GUI

• Scalable (<100 PIX)

• Any Topology

• Future: Management of all Security Products

PIX Management

Page 49: PIX Syslog

• Reliable logging (TCP): if the syslog server is full -> PIX will deny all new connections!!

• Unreliable logging: UDP

• Config:

logging host dmz1 192.168.1.5 tcp

Interface dmz1; transport tcp / udp.

logging trap debugging

clock set 14:25:00 apr 1 1999

logging timestamp

Page 50: PIX SNMP

• Almost like on a router:

snmp-server host outside 10.1.1.2

(outside = interface)

snmp-server community secret_xyz

snmp-server syslog disable

snmp-server log_level 5

But: PIX only sends traps, no config through SNMP

Page 51: Last Words…

Page 52: The Direction of Security in Cisco

• Integration: Security as an Integral Part in all Products

• CiscoAssure: Combine Security, QoS, Voice in one Concept

• DEN*: The Future is Based on Directories

* Directory Enabled Networks

Page 53: Last Words...

• Security needs more than a Firewall…

• Keep it simple -> More Secure: simple configurations; split functionality to different devices

• Keep Up To Date!

Page 54: © 1999, Cisco Systems, Inc.