Internetworking with PIX
Internetworking with PIX™
mbehring_pix_rev5
© 1999, Cisco Systems, Inc.
Internetworking with PIX
Agenda
• Overview of the PIX
• The “Inside” of the PIX
• Advanced Configurations
• PIX and IPSec
• PIX Management
• Last Words
www.cisco.com
Overview of the PIX
Hardware, Software and Capabilities
CCIE’99 Vienna
PIX Overview
The Box Itself
• 515-R (restricted)
  Target: Branch office
• 515-UR (unrestricted)
  Target: Main office
• 520
  Target: Biiig main office
PIX Overview
The Platform
• 515-R: Pentium 200 MHz, no PCI, 32 M RAM max
• 515-UR: Pentium 200 MHz, 2 PCI, 64 M RAM max
• 520: Pentium 350 MHz, 4 PCI, 128 M RAM max, 1 ISA
PIX Overview
Interfaces
• 515-R: 2 FE, unchangeable
• 515-UR: Standard: 2 FE, extensible to up to 6 FE
• 520: Standard: 2 FE plus 2 of: 4 FE card, Token Ring card, FDDI card
PIX Overview
Private Link Cards
• PL1: ISA based (16 bit, discontinued)
• PL2: PCI based (32 bit)
• PL3: (planned) PCI
• Kodiak: (planned) PCI
• PIX 520 has 1 ISA slot + 4 PCI slots
• PIX 515-UR has 2 PCI slots, no ISA
PIX Overview
PIX Hardware Overview

Model    Max. simult. connect   Max. RAM   Max. throughput (Mbps)   Flash   Max # i/f   I/f Type       Failover
515-R    50,000                 32M        170                      8M      2           FE             no
515-UR   100,000                64M        170                      16M     6           FE             yes
520      250,000                128M       170                      16M     6           FE, TR, FDDI   yes
PIX Overview
The PIX Philosophy
Diagram: the PIX Firewall sits between the Public Network (outside, security level 0), the DMZ (security level 50) and the Private Network (inside, security level 100).
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 DMZ security50
PIX Overview
The PIX Philosophy
Diagram: Public Network (security level 0), DMZ (security level 50), Private Network (security level 100).
Default Actions:
• Higher to Lower: PERMIT
• Lower to Higher: DENY
• Between Same: DENY
PIX Overview
Strength of the PIX
• No common OS
• Small code -> Less chances for bugs
• Appliance: No extra software
• Easy configuration
• Performance (170 Mbit/s !!)
PIX Overview
PIX Certification
• NSA TTAP Certification
• ICSA Certification
• SRI International testing
  “SRI International failed to uncover any security vulnerabilities in the Cisco PIX firewall”
• Turnkey appliance — no software installation risks
PIX Overview
Licensing
• 520: Session based (128, 1024, …)
  (will be feature based in the future)
• 515: Feature based:
  Basic license plus:
  DES license (free),
  3DES license (extra cost)
PIX Overview
Around the PIX
• PIX Firewall Manager: Management
• Cisco Security Manager: Management
• WebSense: URL Filtering
• Private I: Logging and Alarming
• Verisign, Entrust, …: Certification Authority
• CiscoSecure: Cut-Through-Proxy, AAA
The “Inside” of the PIX
Configuration Details
NW’99 Vienna
PIX “Inside”
Only 4 Ways through the PIX
1: inside to outside (limit with ”outbound” and ”apply”)
2: conduit
3: user authentication (AAA)
4*: Access List
* since PIX IOS 5.0
PIX “Inside”
Address Translation in the PIX: NAT / PAT
global (outside) 1 204.31.17.40-204.31.17.50
  NAT: outside source address range to use
global (outside) 1 204.31.17.51
  PAT*
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
  Translate all inside source addresses; the “1” is the NAT-ID that links the nat statement to its global pool
* For PAT use only 1 outside Address
PIX “Inside”
Destination Address Translation: Alias
• NAT changes Source Address only
• Use alias to change Destination address
• DNS will be changed as well
• Applications:
  Dual NAT
  Re-routing
PIX “Inside”
How “alias” Works
Diagram: the company’s inside network already uses 2.2.2.2, which conflicts with www.x.com (2.2.2.2) on the Internet; the PIX is configured with alias: 3.3.3.3 = 2.2.2.2.
1. Inside user accesses www.x.com
2. DNS query goes out through the PIX
3. Reply from the Internet: 2.2.2.2
4. Reply as rewritten by the PIX for the inside user: 3.3.3.3
5. Destination NAT: traffic to 3.3.3.3 is translated to 2.2.2.2 on the way out
PIX “Inside”
Address Translation: Alias Configuration
Destination NAT:
  alias (inside) 3.3.3.3 2.2.2.2 255.255.255.255
  Use this destination address on the inside (3.3.3.3) for this destination address on the outside (2.2.2.2)
Source NAT:
  static (inside,outside) 2.2.2.2 3.3.3.3 netmask 255.255.255.255
  Map this source on outside (2.2.2.2) to this one on inside (3.3.3.3)
PIX “Inside”
Address Translation: Static
For Web or other Servers (diagram: Public Network, outside interface, PIX, inside interface, Private Network)
static (inside,outside) 208.133.247.111 172.19.10.130 netmask 255.255.255.255 0 0
  208.133.247.111 is the outside address, 172.19.10.130 the inside address
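The three translation slides above (global/nat pool with PAT fallback, static, and alias with DNS rewriting) can be tried out with the following model of the xlate table. This is an added example, not Cisco code; the addresses are the ones on the slides, while the class and method names, the PAT port range and the "static beats pool" ordering are assumptions made for the model.

```python
# Added example (not Cisco code): a small model of how the PIX builds its
# translation (xlate) table from the global/nat, static and alias commands
# shown on the slides. Addresses are the ones from the slides; the class,
# method names and the PAT port range are assumptions made for this model.
import ipaddress


def pool_from_range(first, last):
    """Expand 'global (outside) 1 204.31.17.40-204.31.17.50' into a list."""
    lo = int(ipaddress.IPv4Address(first))
    hi = int(ipaddress.IPv4Address(last))
    return [str(ipaddress.IPv4Address(i)) for i in range(lo, hi + 1)]


class Translator:
    def __init__(self, nat_pool, pat_address, statics, aliases):
        self.free = list(nat_pool)        # unused addresses of the NAT pool
        self.pat_address = pat_address    # the single address used for PAT
        self.next_pat_port = 1024         # assumption: PAT ports handed out from 1024
        self.statics = dict(statics)      # inside address -> outside (global) address
        self.aliases = dict(aliases)      # alias (inside) <inside view> <real outside address>
        self.xlate = {}                   # inside address -> (global address, PAT port or None)

    def translate_source(self, inside_addr):
        """Source translation for a packet from inside going out."""
        if inside_addr in self.xlate:          # reuse the existing xlate entry
            return self.xlate[inside_addr]
        if inside_addr in self.statics:        # static wins over the dynamic pool
            entry = (self.statics[inside_addr], None)
        elif self.free:                        # dynamic NAT from the pool
            entry = (self.free.pop(0), None)
        else:                                  # pool exhausted: fall back to PAT
            entry = (self.pat_address, self.next_pat_port)
            self.next_pat_port += 1
        self.xlate[inside_addr] = entry
        return entry

    def rewrite_dns_reply(self, answer):
        """Alias: a DNS answer carrying the real outside address is rewritten
        to the inside view (2.2.2.2 becomes 3.3.3.3 on the slide)."""
        for inside_view, real in self.aliases.items():
            if real == answer:
                return inside_view
        return answer

    def translate_destination(self, inside_dst):
        """Alias: packets sent to the inside view go to the real address."""
        return self.aliases.get(inside_dst, inside_dst)

    def clear_xlate(self):
        """'clear xlate after changes': drop the table and give the pool back."""
        for addr, (glob, port) in self.xlate.items():
            if port is None and addr not in self.statics:
                self.free.append(glob)
        self.xlate.clear()
        self.free.sort(key=lambda a: int(ipaddress.IPv4Address(a)))


def demo_translator():
    """Build the translator from the commands on the slides."""
    return Translator(
        nat_pool=pool_from_range("204.31.17.40", "204.31.17.50"),
        pat_address="204.31.17.51",
        statics={"172.19.10.130": "208.133.247.111"},
        aliases={"3.3.3.3": "2.2.2.2"},
    )


if __name__ == "__main__":
    t = demo_translator()
    print(t.translate_source("172.19.10.130"))   # static entry
    print(t.translate_source("10.3.3.4"))        # first address of the pool
    print(t.rewrite_dns_reply("2.2.2.2"), t.translate_destination("3.3.3.3"))
```

The pool on the slide holds eleven addresses, so the twelfth dynamic inside host is the first one that ends up behind the PAT address with a port; `clear_xlate` shows why the slide says to clear the table after configuration changes, since entries otherwise keep the addresses they were given.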
PIX “Inside”
Conduits
• To permit traffic from outside to this internal host* with FTP from any external host:
  conduit permit tcp host 192.150.50.1 eq ftp any
• To permit FTP from this external host to any internal host:
  conduit permit tcp any eq ftp host 192.150.50.42
* use global addresses
PIX “Inside”
Outbound Access Lists
• Deny Inside -> Outside connections with Outbound Access Lists
outbound 10 deny 0 0 www tcp
  list# 10: deny all outbound www traffic
outbound 10 permit 192.168.1.2 255.255.255.255 www tcp
  But permit to proxy server
apply (dmz1) 10 outgoing_src
  Apply to interface dmz1
PIX “Inside”
Adaptive Security Algorithm™ (ASA)
• Heart of stateful checking in PIX
• Basic Rules:
  • Allow TCP / UDP from inside
  • Permit TCP / UDP return packets
  • Drop and log connections from outside
  • Drop and log source routed IP packets
  • Allow some ICMP packets
  • Silently drop pings to dynamic IP addresses
  • Answer (PIX) pings to static connections
  • Drop and log all other packets from outside
PIX “Inside”
How the PIX works
1. Packet Arrives
2. Addressing: NAT / PAT / Alias / Static
3. Permissions: Conduit / ACLs / Outbound
4. -> Xlate Table (addressing info)
5. -> Connections Table (ports + proto)
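The default actions, conduits, outbound lists and ASA rules from the preceding slides combine into one decision per packet, which the following model walks through for constructed packets. This is an added example, not Cisco code: the interface names and levels, the two conduits and the outbound list are taken from the slides (the list is applied to the DMZ interface here), while the class layout, the verdict strings and the reading that the most specific outbound entry wins are assumptions.

```python
# Added example (not Cisco code): a packet-path model that applies the
# security-level default actions, conduits, outbound lists and the ASA
# rules from the slides to constructed packets. Interface names/levels,
# conduit and outbound entries come from the slides; the class layout and
# the reading that the most specific outbound entry wins are assumptions.
from dataclasses import dataclass

SECURITY = {"outside": 0, "DMZ": 50, "inside": 100}   # nameif ... securityN
WWW, FTP = 80, 21


@dataclass(frozen=True)
class Packet:
    in_if: str
    out_if: str
    proto: str            # "tcp", "udp" or "icmp" (use port 0 for icmp)
    src: str
    sport: int
    dst: str              # global address, since conduits use global addresses
    dport: int
    source_routed: bool = False


@dataclass(frozen=True)
class Conduit:            # conduit permit <proto> host <dst> eq <port> <src>
    proto: str
    dst: str              # global address or "any"
    dport: int
    src: str              # external address or "any"


@dataclass(frozen=True)
class OutboundEntry:      # outbound <list> permit|deny <ip> <mask> <port> <proto>
    action: str
    ip: str
    mask: str
    dport: int
    proto: str


def ip2int(addr):
    a, b, c, d = (int(x) for x in addr.split("."))
    return (a << 24) | (b << 16) | (c << 8) | d


class Pix:
    def __init__(self, conduits, outbound, statics):
        self.conduits = list(conduits)
        self.outbound = dict(outbound)    # interface -> entries (apply (if) <list> outgoing_src)
        self.statics = set(statics)       # global addresses that have a static
        self.conns = set()                # connections table

    def default_action(self, in_if, out_if):
        # The PIX philosophy: higher to lower PERMIT, everything else DENY
        return "permit" if SECURITY[in_if] > SECURITY[out_if] else "deny"

    def outbound_action(self, pkt):
        # outgoing_src: entries match the packet's source address; the most
        # specific mask wins, so 'deny 0 0 www' plus 'permit <proxy> www'
        # reads as deny all www except from the proxy.
        best = None
        for e in self.outbound.get(pkt.in_if, []):
            mask = ip2int(e.mask)
            if (e.proto == pkt.proto and e.dport == pkt.dport
                    and ip2int(pkt.src) & mask == ip2int(e.ip) & mask
                    and (best is None or mask > ip2int(best.mask))):
                best = e
        return best.action if best else "permit"

    def conduit_permits(self, pkt):
        return any(c.proto == pkt.proto and c.dport == pkt.dport
                   and c.dst in ("any", pkt.dst) and c.src in ("any", pkt.src)
                   for c in self.conduits)

    def check(self, pkt):
        """Return (verdict, reason) and record permitted flows in the conns table."""
        if pkt.source_routed:
            return "drop+log", "source routed IP packet"
        flow = (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)
        if (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport) in self.conns:
            return "permit", "return packet of an existing connection"
        if self.default_action(pkt.in_if, pkt.out_if) == "permit":
            if pkt.proto != "icmp" and self.outbound_action(pkt) == "deny":
                return "deny", "outbound list"
            self.conns.add(flow)
            return "permit", "higher to lower security level"
        if pkt.proto == "icmp":           # pings arriving from a lower level
            if pkt.dst in self.statics:
                return "answer", "ping to a static address"
            return "drop", "ping to a dynamic address, silently"
        if self.conduit_permits(pkt):
            self.conns.add(flow)
            return "permit", "conduit"
        return "drop+log", "connection from a lower security level"


def demo_pix():
    """The conduits and outbound list from the slides (list 10 on the DMZ)."""
    return Pix(
        conduits=[Conduit("tcp", "192.150.50.1", FTP, "any"),
                  Conduit("tcp", "any", FTP, "192.150.50.42")],
        outbound={"DMZ": [OutboundEntry("deny", "0.0.0.0", "0.0.0.0", WWW, "tcp"),
                          OutboundEntry("permit", "192.168.1.2", "255.255.255.255", WWW, "tcp")]},
        statics={"192.150.50.1"},
    )
```

Note how the return-packet check runs before the security-level comparison: that is what makes step 5 on the slide (the connections table) the thing that lets replies from outside back in, while a fresh connection from outside still needs a conduit.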
PIX “Inside”
Xlate: The Translation Table
• PIX creates an xlate entry for every IP pair (host-host)
• This is part of the “State” of the firewall
• clear xlate after changes
  timeout xlate hh:mm:ss
  timeout conn hh:mm:ss
  … and: half-closed, udp, rpc, h323, uauth
PIX “Inside”
Connections Table
• Connection entries contain:
  Protocol and port numbers
  TCP state and sequence numbers
  state of connection (eg, embryonic)
• Also part of the “State” of the firewall
• clear xlate also clears the conns table
• License check with # of connections!
PIX “Inside”
Xlate and Conns Tables
show xlate (nconns = # conns, econns = # embryonic)
Global 16.130.3.17 Local 16.130.3.17 static nconns 1 econns 0
Global 16.130.3.16 Local 16.130.3.16 static nconns 4 econns 0
show conn (the “in use” line is the licence check on the PIX 520)
6 in use, 6 most used
TCP out 192.150.50.41:80 in 10.3.3.4:1404 idle 0:00:00 Bytes 11391
TCP out 192.150.50.41:80 in 10.3.3.4:1405 idle 0:00:00 Bytes 3709
TCP out 192.150.50.41:80 in 10.3.3.4:1406 idle 0:00:01 Bytes 2685
TCP out 192.150.50.41:80 in 10.3.3.4:1407 idle 0:00:01 Bytes 2683
TCP out 192.150.50.41:80 in 10.3.3.4:1403 idle 0:00:00 Bytes 15199
TCP out 192.150.50.41:80 in 10.3.3.4:1408 idle 0:00:00 Bytes 2688
UDP out 192.150.50.70:24 in 10.3.3.4:1402 idle 0:01:30
UDP out 192.150.50.70:23 in 10.3.3.4:1397 idle 0:01:30
UDP out 192.150.50.70:22 in 10.3.3.4:1395 idle 0:01:30
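The `show xlate` and `show conn` output above is what an operator reads to watch the two state tables and the licence limit; the following parser turns exactly those lines into records and derives the figures worth watching. This is an added example, not Cisco code: the sample output is copied from the slide, the 128-session limit is one of the values from the Licensing slide, and the function names and record layout are assumptions.

```python
# Added example (not Cisco code): parse the 'show xlate' and 'show conn'
# output reproduced on the slide into records and derive the figures an
# operator looks at: connections per inside host, embryonic counts per
# xlate, and how close the box is to its session licence. The sample
# output is copied from the slide; the licence limit of 128 sessions is
# one of the values on the Licensing slide; function names are assumptions.
import re
from collections import Counter

SHOW_XLATE = """\
Global 16.130.3.17 Local 16.130.3.17 static nconns 1 econns 0
Global 16.130.3.16 Local 16.130.3.16 static nconns 4 econns 0
"""

SHOW_CONN = """\
6 in use, 6 most used
TCP out 192.150.50.41:80 in 10.3.3.4:1404 idle 0:00:00 Bytes 11391
TCP out 192.150.50.41:80 in 10.3.3.4:1405 idle 0:00:00 Bytes 3709
TCP out 192.150.50.41:80 in 10.3.3.4:1406 idle 0:00:01 Bytes 2685
TCP out 192.150.50.41:80 in 10.3.3.4:1407 idle 0:00:01 Bytes 2683
TCP out 192.150.50.41:80 in 10.3.3.4:1403 idle 0:00:00 Bytes 15199
TCP out 192.150.50.41:80 in 10.3.3.4:1408 idle 0:00:00 Bytes 2688
UDP out 192.150.50.70:24 in 10.3.3.4:1402 idle 0:01:30
UDP out 192.150.50.70:23 in 10.3.3.4:1397 idle 0:01:30
UDP out 192.150.50.70:22 in 10.3.3.4:1395 idle 0:01:30
"""

XLATE_RE = re.compile(r"Global (\S+) Local (\S+) (\S+) nconns (\d+) econns (\d+)")
USAGE_RE = re.compile(r"(\d+) in use, (\d+) most used")
CONN_RE = re.compile(
    r"(TCP|UDP) out (\S+):(\d+) in (\S+):(\d+) idle (\d+):(\d\d):(\d\d)(?: Bytes (\d+))?")


def parse_show_xlate(text):
    rows = []
    for line in text.splitlines():
        m = XLATE_RE.match(line)
        if m:
            rows.append({"global": m.group(1), "local": m.group(2), "type": m.group(3),
                         "nconns": int(m.group(4)), "econns": int(m.group(5))})
    return rows


def parse_show_conn(text):
    result = {"in_use": None, "most_used": None, "conns": []}
    for line in text.splitlines():
        m = USAGE_RE.match(line)
        if m:
            result["in_use"], result["most_used"] = int(m.group(1)), int(m.group(2))
            continue
        m = CONN_RE.match(line)
        if m:
            h, mi, s = int(m.group(6)), int(m.group(7)), int(m.group(8))
            result["conns"].append({
                "proto": m.group(1), "out": m.group(2), "out_port": int(m.group(3)),
                "in": m.group(4), "in_port": int(m.group(5)),
                "idle_seconds": h * 3600 + mi * 60 + s,
                "bytes": int(m.group(9)) if m.group(9) else None,   # UDP lines carry no byte count
            })
    return result


def conns_per_inside_host(parsed):
    """How many entries each inside address holds (a sudden jump is worth a look)."""
    return Counter(c["in"] for c in parsed["conns"])


def embryonic_xlates(rows, threshold=1):
    """xlate entries whose half-open (econns) count reaches the threshold."""
    return [r["global"] for r in rows if r["econns"] >= threshold]


def licence_headroom(parsed, licensed_sessions):
    """Sessions left before the licence limit, judged on the 'in use' figure."""
    return licensed_sessions - parsed["in_use"]
```

Running the parser over the slide's output gives one inside host with all nine entries, no embryonic connections on either xlate, and 122 sessions of headroom against a 128-session licence.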
Advanced Configurations
PIX Advanced Configuration
User Authentication: Cut-Through-Proxy
Diagram: an Outside User on the Public Network sends an HTTP request through the PIX (outside to inside) towards the www server on the Private Network; the PIX talks to the AAA server.
1. HTTP request packet intercepted by PIX
2. PIX asks user for credentials, he responds
3. PIX sends credentials to AAA server, AAA server ack’s
4. PIX forwards packets
PIX Advanced Configuration
User Authentication: Cut-Through-Proxy
• Addressing and Conduit must Exist!
• FTP, HTTP, Telnet can be proxied
• Other ports can be authorised after authentication
• Watch Out: Timeout for authorisation! -> Other connections will be cut after primary timed out
PIX Advanced Configuration
User Authentication: Configuration
aaa-server AuthInbound protocol tacacs+
  Define AAA protocol
aaa-server AuthInbound (inside) host 10.1.1.1 TheUauthKey
  Define AAA server and key
aaa authentication ftp inbound 0 0 0 0 AuthInbound
  Authenticate all inbound FTP traffic
aaa authorization ftp inbound 0 0 0 0 AuthInbound
  Install authorization lists from server*
* only with TACACS+, not with RADIUS
PIX Advanced Configuration
PIX Failover
Diagram: Primary (.1) and Secondary (.2) PIX connected by the Failover Cable and a Failover Link, attached to the networks 192.168.236.x and 10.0.1.x; default gateway 10.0.1.1.
PIX Advanced Configuration
Failover Configuration
Diagram: Primary (.1) and Secondary (.2) on 10.0.1.x, connected by the Failover Cable and the Failover Link.
failover [active]
  Enable failover
failover ip address inside 10.0.1.1
  Address for Standby PIX (configured on primary)
failover link ethernet2
  Enable statefulness (over link eth2)
PIX Advanced Configuration
PIX Failover
Diagram: Primary (.1) and Secondary (.2) on 10.0.1.x, connected by the Failover Cable and the Failover Link.
• Only primary PIX is configured, wr mem auto-configures standby PIX
• On failover, standby PIX assumes MAC and IP address from primary
• Failover takes 15-45 seconds
PIX Advanced Configuration
URL Filtering
Diagram: an Inside User on the Corporate Network requests www.sexy.girls through the PIX towards the Internet; the PIX checks the URL with the WebSense server.
PIX Advanced Configuration
URL Filtering Configuration
• Outbound HTTP connections can be checked on URL
• Interaction with 3rd Party Product, e.g., WebSense
url-server (inside) host 10.0.1.100 timeout 5
  Interface, then server IP
filter url http 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0
  Filter any URL
PIX Advanced Configuration
Various...
• Flooding Prevention:
  floodguard enable|disable
  show floodguard
• Fragmentation Attack Prevention:
  sysopt security fragguard
• Mailguard (check SMTP commands):
  fixup protocol smtp 25
PIX Advanced Configuration
Example: Redundant PIX Set-Up
Diagram: Internet and Partners and Clients, a DMZ, four NetRanger sensors and a NetSonar scanner.
PIX and IPSec
PIX and IPSec
PIX and IPSec*
Diagram: the Main Office PIX connected over the Internet to Branch Offices, Remote User Access, Intranet, Extranet and Host-to-host Access, with a Certification Authority (CA).
* since PIX IOS 5.0
PIX and IPSec
IPSec Configuration Steps
1: CA interoperation (opt)
2: IKE
3: IKE Mode (opt)
4: IPSec
PIX and IPSec
IPSec Configuration
access-list 101 permit ip 1.1.1.0 255.255.255.0 2.2.2.0 255.255.255.0
  what to encrypt...
crypto ipsec transform-set myset1 esp-des esp-sha-hmac
  …and how.
crypto map mymap 10 ipsec-isakmp
crypto map mymap 10 match address 101
  For this traffic...
crypto map mymap 10 set peer 2.2.2.2
  …use this endpoint
crypto map mymap 10 set transform-set myset1
crypto map mymap interface outside
  apply to interface
PIX and IPSec
Configuring the CA
ca generate rsa key 512
  generate key-pair
ca identity myca.mycompany.com 205.139.94.230
  define CA
ca configure myca.mycompany.com ca 1 20 crloptional
  retry parameters
ca authenticate myca.mycompany.com [<fingerprint>]
  get CA certificate and check it
ca enroll myca.mycompany.com mypassword1234567
  Send PIX’s pub key to CA
ca save all
PIX and IPSec
PIX IPSec: Attention!!
• Avoid the use of “any” keyword
• IPSec only on outside interface in 5.0
• No TED in 5.0
• Make sure clock is set correctly!
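Two of the points on the "Attention" slide (no "any" in the crypto access-list, IPSec on the outside interface only in 5.0) can be checked statically against a saved configuration; the lint below does that for the IPSec Configuration slide's commands and additionally flags crypto map entries that lack a peer, transform-set or match address or reference something undefined. This is an added example, not Cisco code: the sample configuration is the one from the slides, and the function names and wording of the findings are assumptions (the clock check cannot be done from the configuration text, so it is not attempted).

```python
# Added example (not Cisco code): a small lint pass over a PIX 5.0 IPSec
# configuration that checks the points from the "Attention" slide that can
# be checked statically: crypto access-lists that use "any", and crypto maps
# applied to an interface other than outside. It also flags crypto map
# entries that are missing a peer, transform-set or match address, or that
# reference an undefined access-list or transform-set. The sample config is
# the one from the slides; the function names and the form of the findings
# are assumptions.
SLIDE_CONFIG = """\
access-list 101 permit ip 1.1.1.0 255.255.255.0 2.2.2.0 255.255.255.0
crypto ipsec transform-set myset1 esp-des esp-sha-hmac
crypto map mymap 10 ipsec-isakmp
crypto map mymap 10 match address 101
crypto map mymap 10 set peer 2.2.2.2
crypto map mymap 10 set transform-set myset1
crypto map mymap interface outside
"""


def parse_ipsec_config(text):
    """Collect access-lists, transform-sets, crypto map entries and interface bindings."""
    acls, transform_sets, entries, applied = {}, set(), {}, []
    for raw in text.splitlines():
        w = raw.split()
        if not w:
            continue
        if w[0] == "access-list":
            acls.setdefault(w[1], []).append(w[2:])
        elif w[:3] == ["crypto", "ipsec", "transform-set"]:
            transform_sets.add(w[3])
        elif w[:2] == ["crypto", "map"] and w[3] == "interface":
            applied.append((w[2], w[4]))
        elif w[:2] == ["crypto", "map"]:
            entry = entries.setdefault((w[2], int(w[3])), {})
            rest = w[4:]
            if rest[:2] == ["match", "address"]:
                entry["acl"] = rest[2]
            elif rest[:2] == ["set", "peer"]:
                entry["peer"] = rest[2]
            elif rest[:2] == ["set", "transform-set"]:
                entry["transform_set"] = rest[2]
    return acls, transform_sets, entries, applied


def acl_uses_any(ace):
    """True if an access-list entry matches everything on either side."""
    if "any" in ace:
        return True
    for i in range(len(ace) - 1):           # 0.0.0.0 0.0.0.0 is 'any' spelled out
        if ace[i] == "0.0.0.0" and ace[i + 1] == "0.0.0.0":
            return True
    return False


def lint_ipsec_config(text):
    acls, transform_sets, entries, applied = parse_ipsec_config(text)
    findings = []
    for (name, seq), e in sorted(entries.items()):
        label = f"crypto map {name} {seq}"
        for key in ("acl", "peer", "transform_set"):
            if key not in e:
                findings.append(f"{label}: missing {key.replace('_', '-')}")
        if "acl" in e and e["acl"] not in acls:
            findings.append(f"{label}: access-list {e['acl']} is not defined")
        elif "acl" in e and any(acl_uses_any(ace) for ace in acls[e["acl"]]):
            findings.append(f"{label}: access-list {e['acl']} uses 'any'; avoid it for crypto")
        if "transform_set" in e and e["transform_set"] not in transform_sets:
            findings.append(f"{label}: transform-set {e['transform_set']} is not defined")
    for name, iface in applied:
        if iface != "outside":
            findings.append(f"crypto map {name} applied to {iface}: 5.0 supports IPSec on outside only")
    return findings
```

The slide's configuration produces no findings; swapping the access-list for `permit ip any any` or binding the map to `inside` produces one finding each, and a map entry that only has a `match address` line is reported for every missing piece.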
PIX and IPSec
IPSec Hardware Accelerators
• Software-only Mode
  • 30-40 Mbps DES (!)
  • 10-20 Mbps 3DES (!)
• PIX Private Link Card (PL2/PL3)
  • 60-80 Mbps DES
  • (3DES not supported on PL2)
• Kodiak (in development)
  • 100 Mbps 3DES
PIX Management
PIX Management
Cisco Security Manager
• Policy-based, not Device-based
• GUI
• Scalable (<100 PIX)
• Any Topology
• Future: Management of all Security Products
PIX Management
PIX Syslog
• Reliable Logging (TCP): If Syslog server is full -> PIX will deny all new connections!!
• Unreliable Logging: UDP
• Config:
  logging host dmz1 192.168.1.5 tcp
    Interface, then server address; tcp / udp
  logging trap debugging
  clock set 14:25:00 apr 1 1999
  logging timestamp
PIX Management
PIX SNMP
• Almost like on Router:
  snmp-server host outside 10.1.1.2
    Interface, then host
  snmp-server community secret_xyz
  snmp-server syslog disable
  snmp-server log_level 5
• But: PIX only sends traps, no config through SNMP
Last Words…
The Direction of Security in Cisco
• Integration: Security as an Integral Part in all Products
• CiscoAssure: Combine Security, QoS, Voice in one Concept
• DEN*: The Future is Based on Directories
* Directory Enabled Networks
Last Words...
• Security needs more than a Firewall…
• Keep it simple -> More Secure
  Simple configurations
  Split functionality to different devices
• Keep Up To Date!