Configuring the PIX Firewall Presented by Drew Spesard

Post on 29-Jan-2016


Page 1

Configuring the PIX Firewall

Presented by Drew Spesard

Page 2

Page 3

Firewall Design Criteria

• Hosts offering public services/access are insecure

• Internal network hosts should not offer public services/access

• Private networks and hosts should not be visible

• Stateful connection awareness

Page 4

Firewall Design - PIX with 2 Interfaces

(Diagram: Demilitarized Zone (DMZ))

Page 5

Firewall Design - PIX with 3 Interfaces

Page 6

Network Address Translation (NAT)

• Translates IP addresses within private "internal" networks to "legal" IP addresses for transport over public "external" networks (such as the Internet).

• Multiple translation schemes are available:

– “Many-to-One” or Port Address Translation (PAT)

– “Many-to-Many” with pools of public IP addresses

– Combination of PAT and pools

Page 7

Port Address Translation (PAT)

Many “internal” IP addresses can be translated into a shared, single “external” IP address.

The PIX maintains “stateful” information about every IP session and creates a table that maintains source and destination TCP/UDP ports for each outbound IP session. This way, multiple IP sessions can share a single “external” IP address.

Page 8

Port Address Translation

Assume the following connections are made from the internal network to the Internet:

Source IP: 10.1.1.19:4003, Dest IP: 209.30.130.12:23

Source IP: 10.1.1.42:2014, Dest IP: 199.1.1.30:80

Source IP: 10.1.2.34:3356, Dest IP: 200.1.2.3:110

(Diagram: the PIX outside address is 200.200.200.1. Each outbound packet is shown with the reply packet that comes back to it.)

SRC: 10.1.1.19:4003 DST: 209.30.130.12:23 — reply SRC: 209.30.130.12:23 DST: 200.200.200.1:23004

SRC: 10.1.1.42:2014 DST: 199.1.1.30:80 — reply SRC: 199.1.1.30:80 DST: 200.200.200.1:21234

SRC: 10.1.1.34:3356 DST: 200.1.2.3:110 — reply SRC: 200.1.2.3:110 DST: 200.200.200.1:20008

As a packet returns from the external host with destination IP address = 200.200.200.1, the PIX will find the destination port in its connection table and forward the packet to the correct inside host.

PIX Translation Table:

10.1.1.34:3356 - 200.200.200.1:23708
10.1.1.42:2014 - 200.200.200.1:23834
10.1.1.19:4003 - 200.200.200.1:23804

Page 9

Configuring NAT

First, we create ‘nat’ statements that define the IP addresses of hosts on the “inside” that are allowed to translate to “outside” addresses:

nat (inside) 1 192.168.0.0 255.255.0.0 0 0
nat (inside) 1 10.1.0.0 255.0.0.0 0 0
nat (dmz) 1 10.1.0.0 255.0.0.0

Now, we create “external/public” address ranges/pools to which inside addresses will be translated. The “statement id” (1 in these examples) links the ‘global’ statement with a ‘nat’ statement:

global (outside) 1 34.1.1.99-34.1.1.99 netmask 255.255.255.255
global (outside) 1 34.1.1.20-34.1.1.98 netmask 255.255.255.0

Because the ‘global’ PAT statement (the single address 34.1.1.99) has a higher IP address than the pool, it will only be used when the pool is exhausted.

NOTE: Global ranges cannot include the PIX interface addresses. Unlike Cisco IOS NAT, you cannot overload on the outside interface of the PIX.
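The pool-then-PAT behaviour described on this slide, and the per-session port table from the PAT example on page 8, as an added Python simulation. This is not PIX code and not part of the presentation: the pool and PAT addresses are the slide's, but the sequential port allocator, the tiny two-address pool in slide_scenario() and the drop of unsolicited return traffic are constructions of this example, not a description of PIX internals.

```python
import ipaddress
from itertools import count


class PixXlate:
    """Translation table simulation (constructed example, not PIX code).

    Inside hosts first receive one address each from the 'global' pool
    (34.1.1.20-34.1.1.98 on the slide); once the pool is empty, sessions
    share the single PAT address (34.1.1.99) and are told apart by the
    global port. Return traffic is only forwarded when an outbound
    session created the translation (stateful connection awareness).
    """

    def __init__(self, pool_first, pool_last, pat_addr, pat_port_start=23700):
        first = int(ipaddress.IPv4Address(pool_first))
        last = int(ipaddress.IPv4Address(pool_last))
        self.free_pool = [str(ipaddress.IPv4Address(i)) for i in range(first, last + 1)]
        self.pat_addr = pat_addr
        self.pat_ports = count(pat_port_start)   # assumed allocator; the real port choice differs
        self.pool_xlate = {}     # local ip -> global ip ("Global ... Local ..." entries)
        self.pool_reverse = {}   # global ip -> local ip
        self.pat_xlate = {}      # (local ip, local port) -> global port ("PAT Global ...")
        self.pat_reverse = {}    # global port -> (local ip, local port)
        self.conns = set()       # (global ip, global port, remote ip, remote port)

    def _translate(self, src_ip, src_port):
        if src_ip in self.pool_xlate:
            return self.pool_xlate[src_ip], src_port
        if self.free_pool:                       # pool entry: one global address per host
            g = self.free_pool.pop(0)
            self.pool_xlate[src_ip] = g
            self.pool_reverse[g] = src_ip
            return g, src_port
        key = (src_ip, src_port)                 # pool exhausted: fall back to PAT
        if key not in self.pat_xlate:
            gport = next(self.pat_ports)
            self.pat_xlate[key] = gport
            self.pat_reverse[gport] = key
        return self.pat_addr, self.pat_xlate[key]

    def outbound(self, src_ip, src_port, dst_ip, dst_port):
        """Translate an inside->outside packet; returns the (global ip, global port) it leaves with."""
        g_ip, g_port = self._translate(src_ip, src_port)
        self.conns.add((g_ip, g_port, dst_ip, dst_port))
        return g_ip, g_port

    def inbound(self, src_ip, src_port, dst_ip, dst_port):
        """Map a reply packet to (inside ip, inside port), or None when it must be dropped."""
        if (dst_ip, dst_port, src_ip, src_port) not in self.conns:
            return None                          # no matching outbound session: stateful deny
        if dst_ip == self.pat_addr:
            return self.pat_reverse[dst_port]
        return self.pool_reverse[dst_ip], dst_port

    def show_xlate(self):
        """Lines in the style of the PIX 'show xlate' output."""
        lines = [f"PAT Global {self.pat_addr}({gp}) Local {lip} flags r"
                 for (lip, _lp), gp in self.pat_xlate.items()]
        lines += [f"Global {g} Local {lip} nconns 0 econns 0 flags -"
                  for lip, g in self.pool_xlate.items()]
        return lines


def slide_scenario():
    """Replays page 8's three sessions against a deliberately tiny pool
    (two addresses, constructed) so the third session has to fall back to PAT."""
    pix = PixXlate("34.1.1.20", "34.1.1.21", "34.1.1.99")
    pix.outbound("10.1.1.19", 4003, "209.30.130.12", 23)
    pix.outbound("10.1.1.42", 2014, "199.1.1.30", 80)
    pix.outbound("10.1.2.34", 3356, "200.1.2.3", 110)
    return pix


if __name__ == "__main__":
    pix = slide_scenario()
    print("\n".join(pix.show_xlate()))
    print(pix.inbound("200.1.2.3", 110, "34.1.1.99", 23700))   # reply reaches 10.1.2.34:3356
    print(pix.inbound("200.1.2.3", 110, "34.1.1.99", 23701))   # no session: None (dropped)
```

The point to take from the drop case: a PAT address is shared, so the global port alone decides which inside host a reply reaches, and a packet whose port has no live session gets nothing.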

Page 10

Configuring NAT

By default, the PIX Firewall prevents all outside connections from accessing inside hosts or servers. To allow inbound connections to specific IP addresses, use the ‘static’ and ‘conduit’ statements:

The ‘static’ command defines which outside addresses are statically translated to specific inside hosts.

static (inside,outside) 34.1.1.201 10.1.1.201 netmask 255.255.255.255
static (dmz,outside) 34.1.1.15 10.1.2.15 netmask 255.255.255.255

The ‘conduit’ statement defines the services that are allowed for the ‘static’ translation:

conduit permit ip host 34.1.1.201 any
conduit permit tcp host 34.1.1.15 eq smtp any
conduit permit tcp host 34.1.1.15 eq pop3 any
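The inbound decision these two statements make together, as an added Python check (not PIX code and not part of the presentation). It parses the slide's static and conduit lines and answers whether a connection from outside is forwarded; the service-name table and the outside source address 198.51.100.7 are constructed for the example.

```python
import ipaddress

# Service names used by the slide's conduit lines (constructed lookup for this example).
SERVICE_PORTS = {"smtp": 25, "pop3": 110, "www": 80, "ftp": 21, "telnet": 23}


def parse_static(line):
    """'static (inside,outside) 34.1.1.201 10.1.1.201 netmask ...' -> (global, local)."""
    parts = line.split()
    return parts[2], parts[3]


def parse_conduit(line):
    """Parse 'conduit permit <proto> {host A | any} [eq <service>] {host B | any | B MASK}'."""
    parts = line.split()
    assert parts[0] == "conduit" and parts[1] == "permit", line
    proto, i = parts[2], 3
    if parts[i] == "host":
        dest, i = parts[i + 1], i + 2
    else:
        dest, i = None, i + 1                         # 'any' global address
    port = None
    if i < len(parts) and parts[i] == "eq":
        svc = parts[i + 1]
        port = int(svc) if svc.isdigit() else SERVICE_PORTS[svc]
        i += 2
    if parts[i] == "any":
        source = None
    elif parts[i] == "host":
        source = ipaddress.ip_network(parts[i + 1] + "/32")
    else:
        source = ipaddress.ip_network(f"{parts[i]}/{parts[i + 1]}", strict=False)
    return {"proto": proto, "dest": dest, "port": port, "source": source}


def inbound_allowed(statics, conduits, proto, src_ip, dst_global, dst_port=None):
    """Return the inside address the connection is forwarded to, or None (denied).

    Both conditions must hold: a static maps the global address, and some
    conduit permits this protocol/port from this source. A conduit that
    names an address without a static never admits anything, and inside
    addresses are never reachable directly from outside.
    """
    if dst_global not in statics:
        return None
    addr = ipaddress.ip_address(src_ip)
    for c in conduits:
        if c["proto"] not in ("ip", proto):
            continue
        if c["dest"] not in (None, dst_global):
            continue
        if c["port"] not in (None, dst_port):
            continue
        if c["source"] is not None and addr not in c["source"]:
            continue
        return statics[dst_global]
    return None


# Rule set from the slide
STATICS = dict(parse_static(l) for l in [
    "static (inside,outside) 34.1.1.201 10.1.1.201 netmask 255.255.255.255",
    "static (dmz,outside) 34.1.1.15 10.1.2.15 netmask 255.255.255.255",
])
CONDUITS = [parse_conduit(l) for l in [
    "conduit permit ip host 34.1.1.201 any",
    "conduit permit tcp host 34.1.1.15 eq smtp any",
    "conduit permit tcp host 34.1.1.15 eq pop3 any",
]]

if __name__ == "__main__":
    for proto, port, dst in [("tcp", 25, "34.1.1.15"), ("tcp", 22, "34.1.1.15"),
                             ("udp", 53, "34.1.1.201"), ("tcp", 25, "34.1.1.50")]:
        print(proto, dst, port, "->", inbound_allowed(STATICS, CONDUITS, proto, "198.51.100.7", dst, port))
```

Note the width of ‘conduit permit ip host 34.1.1.201 any’: every protocol and port from any source reaches 10.1.1.201, whereas the mail host 34.1.1.15 exposes only SMTP and POP3.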

Page 11

Configuring NAT

The ‘show xlate’ command shows active translations and helps identify that NAT is working properly:

pix-fw# sh xlate
PAT Global 34.1.1.99(23792) Local 10.1.14.137 flags r
PAT Global 34.1.1.99(23776) Local 10.1.252.143 flags r
PAT Global 34.1.1.99(23856) Local 10.1.252.105 flags r
PAT Global 34.1.1.99(23840) Local 10.1.250.128 flags r
PAT Global 34.1.1.99(23824) Local 10.1.251.100 flags r
PAT Global 34.1.1.99(23808) Local 10.1.114.109 flags r
Global 34.1.1.23 Local 192.168.88.69 nconns 0 econns 0 flags -
Global 34.1.1.24 Local 10.1.251.131 nconns 0 econns 0 flags -
Global 34.1.1.25 Local 10.1.14.101 nconns 0 econns 0 flags -
Global 34.1.1.26 Local 10.1.28.101 nconns 0 econns 0 flags -
Global 34.1.1.27 Local 10.1.250.102 nconns 0 econns 0 flags -

Page 12

PIX Firewall Authentication/Proxy

• The PIX Firewall uses ‘cut-through’ proxy. Users authenticate once, and then they are allowed through the firewall until timeouts are reached.

• No proxy server information is configured on client host (via browser or other means).

• The proxy service only uses an external authentication host (RADIUS or TACACS). There is no capability for ‘local’ users (like Cisco IOS).

• Outbound or Inbound connections (including DMZ) can be authenticated.

Page 13

User Authentication/Proxy: How It Works

1. User launches Web browser, Telnet, or FTP to make a connection to the outside network.

2. If the PIX is configured to authenticate certain IP addresses, it will intercept the Web, Telnet, or FTP session and prompt the user for authentication. Then it authenticates users via a RADIUS or TACACS server.

(Diagram: RADIUS or TACACS Server)

4. If authentication is successful, then the user can potentially communicate through the PIX Firewall without any limitations (assuming no other ACL prevents communications).

Page 14

User Authentication/Proxy: How It Works

In order to authenticate, users must first attempt to make a connection through the PIX via Telnet, FTP, or Web. The PIX intercepts the connection and displays the authentication prompt:

>telnet 209.30.130.140
Trying 209.30.130.140 ... Open

PIX Firewall
Username: dspesard
Password:

ftp> open www.cisco.com
Connected to cio-sys.cisco.com.
220-PIX Firewall
220
User (cio-sys.cisco.com:(none)): dspesard
331-Password:
331
Password:

Page 15

Configuring Authentication/Proxy

First, define the RADIUS or TACACS server that will provide user authentication information:

radius-server (inside) host 10.1.1.201 test1234 timeout 5

Define the specific source and/or destination IP address ranges for which authentication is to occur:

aaa authentication any outbound 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 radius

Define specific IP addresses that do not require authentication (for instance, outbound mail and DNS servers):

aaa authentication except outbound 10.1.1.32 255.255.255.255 0.0.0.0 0.0.0.0 radius

Define timeout values. After the absolute or inactivity timer expires, users must re-authenticate:

timeout uauth 3:00:00 absolute uauth 0:15:00 inactivity
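The cut-through proxy cache that the ‘aaa authentication’ and ‘timeout uauth’ commands control, as an added Python model (not PIX code and not part of the presentation). The timer values, the exempt host 10.1.1.32 and the user names come from the slides; the class, its three-way result and the times in the demo are constructions of this example.

```python
import ipaddress


def parse_timeout(text):
    """PIX 'h:mm:ss' timer syntax -> seconds (e.g. '0:15:00' -> 900)."""
    h, m, s = (int(x) for x in text.split(":"))
    return h * 3600 + m * 60 + s


class UauthCache:
    """Per-source-address authentication cache (constructed model of 'uauth').

    check() is what the firewall consults when a new Telnet/FTP/Web
    connection arrives from ip at time now (seconds):
      'exempt'       - address matched an 'aaa authentication except' entry
      'authenticate' - no valid entry: intercept and prompt for credentials
      'pass'         - valid entry: let the connection through (cut-through proxy)
    """

    def __init__(self, absolute, inactivity, exempt=()):
        self.absolute = parse_timeout(absolute)
        self.inactivity = parse_timeout(inactivity)
        self.exempt = [ipaddress.ip_network(n, strict=False) for n in exempt]
        self.entries = {}   # ip -> [user, time authenticated, time last seen]

    def login(self, ip, user, now):
        """Called once the RADIUS/TACACS server has accepted the credentials."""
        self.entries[ip] = [user, now, now]

    def check(self, ip, now):
        addr = ipaddress.ip_address(ip)
        if any(addr in net for net in self.exempt):
            return "exempt"
        entry = self.entries.get(ip)
        if entry is None:
            return "authenticate"
        _user, t_auth, t_last = entry
        if now - t_auth >= self.absolute or now - t_last >= self.inactivity:
            del self.entries[ip]          # a timer expired: the user must re-authenticate
            return "authenticate"
        entry[2] = now                    # activity resets only the inactivity timer
        return "pass"

    def show_uauth(self):
        """Lines in the style of the user entries printed by 'show uauth'."""
        return [f"user '{u}' at {ip}, authenticated" for ip, (u, _, _) in self.entries.items()]


def demo():
    """Constructed timeline: authenticate, stay active, idle past 15 minutes."""
    cache = UauthCache("3:00:00", "0:15:00", exempt=["10.1.1.32/255.255.255.255"])
    events = [("10.1.1.32", 0), ("192.168.1.138", 0)]
    results = [cache.check(ip, t) for ip, t in events]
    cache.login("192.168.1.138", "dspesard", 0)
    results.append(cache.check("192.168.1.138", 600))    # 10 min later: pass
    results.append(cache.check("192.168.1.138", 1500))   # 15 min idle: re-authenticate
    return results


if __name__ == "__main__":
    print(demo())   # ['exempt', 'authenticate', 'pass', 'authenticate']
```

The cache is keyed by source address, which is why the slides stress that authentication binds an IP address rather than a session: anything from that address passes until a timer fires, and the absolute timer caps how long that holds even for a continuously active host.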

Page 16

Viewing Authentication/Proxy Information

To see current users that have authenticated, use the ‘show uauth’ command.

pix-fw# sh uauth
                        CURRENT  MAX  TOTAL
uxlate_cnt                    1    9   4000
uauth_cnt                    14  106
user 'dspesard' at 192.168.1.138, authenticated
user 'jsmith' at 10.1.1.45, authenticated

Page 17

PIX Firewall Redundancy / Failover

The PIX Firewall can be configured for failover, but not for load-balancing. That is, if one PIX fails, another PIX can assume the responsibility of forwarding packets.

One of the firewalls is set up as the ‘Primary’ and the other is set up as the ‘Secondary’. This is accomplished via a hardware serial cable that connects the two units. One end of the cable is labeled ‘Primary’ and the other end is labeled as ‘Secondary’.

ALL changes to the Firewall configuration(s) should be performed on the Primary, because the configuration is replicated to the Secondary.

When (2) PIX Firewalls are configured for ‘failover’, one unit is ‘Active’ and the other unit is in ‘Standby’ mode (and does not forward packets).

Page 18

PIX Firewall Failover

If (2) Firewalls share the exact same configuration, how does IP addressing work for the interfaces? Within the configuration, a regular interface address is assigned AND a standby IP address is configured. The ‘Active’ unit uses the regularly assigned IP address, and the ‘Standby’ unit uses the IP address defined by the ‘standby’ command.

When the ‘Active’ unit fails, the ‘Standby’ unit assumes the ‘normal’ IP address (and ‘Active’ status); when the failed unit becomes available again, it assumes ‘Standby’ status and the standby IP addresses.

The units monitor each other via the ‘failover’ cable and via the LAN ports on the units. If any failure is detected on the ‘Active’ unit (power supply, NIC card, etc.), then the standby unit will become ‘Active’. A PIX Firewall is deemed to be failed in the event that (3) keepalives are not received.
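The role and address swap described on this slide, as an added Python state machine (not PIX code and not part of the presentation). The interface addresses are those the deck configures on pages 21 and 25; the three-missed-keepalives threshold is from this slide; the polling model, the ‘healthy’ flag and the keepalive interval are assumptions of the example.

```python
from dataclasses import dataclass, field

KEEPALIVES_TO_FAIL = 3   # slide: a unit is deemed failed when (3) keepalives are not received

# Interface addresses from the deck: the Active unit always holds the 'normal'
# addresses, the Standby unit the ones given by 'failover ip address'.
NORMAL = {"outside": "34.1.1.1", "inside": "10.1.1.1", "DMZ": "10.1.2.1"}
STANDBY = {"outside": "34.1.1.2", "inside": "10.1.1.2", "DMZ": "10.1.2.2"}


@dataclass
class Unit:
    name: str             # 'Primary' or 'Secondary' (the cable end it is plugged into)
    state: str            # 'Active' or 'Standby'
    healthy: bool = True  # False models a power-supply or NIC failure (constructed)
    active_time: int = 0

    def addresses(self):
        return NORMAL if self.state == "Active" else STANDBY


@dataclass
class FailoverPair:
    primary: Unit = field(default_factory=lambda: Unit("Primary", "Active"))
    secondary: Unit = field(default_factory=lambda: Unit("Secondary", "Standby"))
    missed: int = 0

    def active(self):
        return self.primary if self.primary.state == "Active" else self.secondary

    def standby(self):
        return self.secondary if self.primary.state == "Active" else self.primary

    def poll(self, interval=15):
        """One keepalive interval (length assumed). Returns True when a takeover happened."""
        act, sby = self.active(), self.standby()
        if act.healthy:
            act.active_time += interval
            self.missed = 0
            return False
        self.missed += 1
        if self.missed < KEEPALIVES_TO_FAIL:
            return False
        # Takeover: roles swap, and with them the addresses. The failed unit
        # comes back as Standby, so it never reclaims the 'normal' addresses.
        act.state, sby.state = "Standby", "Active"
        self.missed = 0
        return True

    def show_fail(self):
        """Lines in the style of 'show fail', as seen from the active unit."""
        lines = ["Failover On", "Cable status: Normal"]
        for label, u in (("This host", self.active()), ("Other host", self.standby())):
            lines.append(f"{label}: {u.name} - {u.state}")
            lines.append(f"    Active time: {u.active_time} (sec)")
            for ifname, ip in u.addresses().items():
                lines.append(f"    Interface {ifname} ({ip}): Normal")
        return lines


if __name__ == "__main__":
    pair = FailoverPair()
    pair.poll()
    pair.primary.healthy = False              # constructed failure of the Active unit
    print([pair.poll() for _ in range(3)])    # [False, False, True]
    print("\n".join(pair.show_fail()))
```

Two missed keepalives change nothing; the third moves the ‘normal’ addresses to the Secondary, and the recovered Primary stays on the standby addresses, which is exactly what the page-23 ‘show fail’ output shows.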

Page 19

PIX Firewall Failover Design

Normal Scenario: Both PIX Firewalls UP

Traffic flows through the Active unit.

The Standby unit monitors the Active unit, but doesn’t forward packets.

Page 20

PIX Firewall Failover Design

Failed Scenario: ‘Active’ Unit Failed

The ‘Standby’ unit becomes ‘Active’ and traffic begins to flow through it.

Page 21

Configuring Failover

Enable failover capability by issuing the following command:

failover

Establish the amount of time after a failure during which the newly ‘active’ unit will allow all traffic to pass in order to build a translation table:

failover timeout 0:00:00

Configure failover IP addresses for each interface:

failover ip address outside 34.1.1.2
failover ip address inside 10.1.1.2
failover ip address DMZ 10.1.2.2

Page 22

Viewing Failover Information

Use the ‘show fail’ command to view failover information. Note that the Primary is active in the following example:

pix-fw# show fail
Failover On
Cable status: Normal
Reconnect timeout 0:00:00
        This host: Primary - Active
                Active time: 248355 (sec)
                Interface DMZ (10.1.2.1): Normal
                Interface outside (34.1.1.1): Normal
                Interface inside (10.1.1.1): Normal
        Other host: Secondary - Standby
                Active time: 0 (sec)
                Interface DMZ (10.1.2.2): Normal
                Interface outside (34.1.1.2): Normal
                Interface inside (10.1.1.2): Normal

Page 23

Viewing Failover Information

Use the ‘show fail’ command to view failover information. The Secondary has become active in the following example. Note that the ‘Active’ unit always has the same IP addresses:

pix-fw# show fail
Failover On
Cable status: Normal
Reconnect timeout 0:00:00
        This host: Secondary - Active
                Active time: 248355 (sec)
                Interface DMZ (10.1.2.1): Normal
                Interface outside (34.1.1.1): Normal
                Interface inside (10.1.1.1): Normal
        Other host: Primary - Standby
                Active time: 0 (sec)
                Interface DMZ (10.1.2.2): Normal
                Interface outside (34.1.1.2): Normal
                Interface inside (10.1.1.2): Normal

Page 24

Outbound/Inbound Access Lists

Inbound and Outbound access lists can be used to allow certain hosts to have access through the firewall for specific services. In addition to NAT and CONDUIT statements, access lists offer flexibility to configure the firewall to match the desired security policy.

outbound 1 deny 0.0.0.0 0.0.0.0 0 tcp
outbound 1 deny 0.0.0.0 0.0.0.0 0 udp
outbound 1 permit 10.1.8.2 255.255.255.255 0 tcp
outbound 1 deny 0.0.0.0 0.0.0.0 0 esp
outbound 1 permit 10.0.0.0 255.0.0.0 110 tcp
outbound 1 permit 10.0.0.0 255.0.0.0 25 tcp
apply (inside) 1 outgoing_src
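A parser and evaluator for the outbound list on this slide, as an added Python example (not PIX code and not part of the presentation). The rule lines are the slide's; the evaluation order is an assumption of this example: the most specific matching rule wins (longer mask, then an explicit port) and a deny beats a permit of equal specificity. That reading is what gives the list its evident intent, since a first-match reading would never get past the two blanket denies to the permits beneath them. The sample source addresses in the demo are constructed.

```python
import ipaddress

# The list from the slide. 'apply (inside) 1 outgoing_src' binds list 1 to
# connections arriving on inside, matching each rule's address against the SOURCE.
OUTBOUND_LIST = """\
outbound 1 deny 0.0.0.0 0.0.0.0 0 tcp
outbound 1 deny 0.0.0.0 0.0.0.0 0 udp
outbound 1 permit 10.1.8.2 255.255.255.255 0 tcp
outbound 1 deny 0.0.0.0 0.0.0.0 0 esp
outbound 1 permit 10.0.0.0 255.0.0.0 110 tcp
outbound 1 permit 10.0.0.0 255.0.0.0 25 tcp
apply (inside) 1 outgoing_src
"""


def parse_outbound(text):
    """Return (rules, applies): rules carry their list id, applies are (interface, id, mode)."""
    rules, applies = [], []
    for line in text.splitlines():
        parts = line.split()
        if not parts:
            continue
        if parts[0] == "outbound":
            _, list_id, action, ip, mask, port, proto = parts
            rules.append({
                "id": int(list_id),
                "action": action,
                "net": ipaddress.ip_network(f"{ip}/{mask}", strict=False),
                "port": int(port),          # 0 means every port
                "proto": proto,
            })
        elif parts[0] == "apply":
            applies.append((parts[1].strip("()"), int(parts[2]), parts[3]))
    return rules, applies


def evaluate(rules, list_id, src_ip, dst_port, proto):
    """Decide 'permit' or 'deny' for an outbound connection.

    Assumed semantics (see the lead-in): most specific match wins, deny beats
    permit on a tie, and with no matching rule the connection is permitted,
    because outbound lists only restrict traffic that NAT already lets out.
    """
    addr = ipaddress.ip_address(src_ip)
    best = None
    for r in rules:
        if r["id"] != list_id or r["proto"] != proto or addr not in r["net"]:
            continue
        if r["port"] not in (0, dst_port):
            continue
        rank = (r["net"].prefixlen, r["port"] != 0, r["action"] == "deny")
        if best is None or rank > best[0]:
            best = (rank, r["action"])
    return best[1] if best else "permit"


RULES, APPLIES = parse_outbound(OUTBOUND_LIST)

if __name__ == "__main__":
    # Constructed sample connections from inside hosts
    for src, port, proto in [("10.1.8.2", 443, "tcp"), ("10.1.9.5", 110, "tcp"),
                             ("10.1.9.5", 80, "tcp"), ("10.1.9.5", 53, "udp"),
                             ("192.168.5.5", 25, "tcp")]:
        print(src, proto, port, "->", evaluate(RULES, 1, src, port, proto))
```

Read this way the list says: everything TCP and UDP from inside is denied, except that 10.1.8.2 may open any TCP connection and any 10.0.0.0/8 host may reach POP3 and SMTP; note that the 192.168.0.0/16 hosts the page-9 ‘nat’ statement admits get nothing from the permits, because none of them covers that range.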

Page 25

Example Configuration

PIX Version 4.2(2)201 Beta
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 DMZ security50
enable password Bpbmt9ggUUsdgS3m encrypted
passwd jNIlGQCinDgAduNQ encrypted
hostname pix-fw
fixup protocol ftp 21
fixup protocol http 80
fixup protocol smtp 25
fixup protocol h323 1720
fixup protocol rsh 514
fixup protocol sqlnet 1521
failover
failover timeout 0:00:00
failover ip address outside 34.1.1.2
failover ip address inside 10.1.1.2
failover ip address DMZ 10.1.2.2
interface ethernet0 auto
interface ethernet1 auto
interface ethernet2 auto
ip address outside 34.1.1.1 255.255.255.0
ip address inside 10.1.1.1 255.255.255.0
ip address DMZ 10.1.2.1 255.255.255.0
arp timeout 14400
global (outside) 1 34.1.1.20-34.1.1.98 netmask 255.255.255.0
global (outside) 1 34.1.1.99-34.1.1.99 netmask 255.255.255.255
nat (inside) 1 192.168.0.0 255.255.0.0 0 0
nat (inside) 1 10.1.0.0 255.255.0.0 0 0

…continued

Page 26

Example Configuration (continued)

static (inside,outside) 34.1.1.202 10.1.1.202 netmask 255.255.255.255 0 0
static (dmz,outside) 34.1.1.200 10.1.2.200 netmask 255.255.255.255 0 0
conduit permit tcp host 34.1.1.202 eq smtp any
conduit permit tcp host 34.1.1.202 eq pop3 any
conduit permit icmp any any
conduit permit tcp host 34.1.2.200 eq www any
no rip outside passive
no rip outside default
no rip inside passive
no rip inside default
no rip DMZ passive
no rip DMZ default
route outside 0.0.0.0 0.0.0.0 34.1.1.5 1
timeout xlate 3:00:00 conn 1:00:00 udp 0:02:00
timeout rpc 0:10:00 h323 0:05:00
timeout uauth 3:00:00 absolute uauth 0:15:00 inactivity
radius-server (inside) host 10.1.1.205 test1234 timeout 5
aaa authentication except outbound 10.1.1.0 255.255.255.0 0.0.0.0 0.0.0.0 radius
aaa authentication any outbound 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 radius
telnet 10.0.0.0 255.0.0.0
telnet timeout 5
mtu outside 1500
mtu inside 1500
mtu DMZ 1500
floodguard 3
fragguard
no tcpchecksum
auth-prompt PIX Firewall
Cryptochecksum:72641c500bbb1cd6b804758765c27614
: end