Slide 1: Internetworking with PIX
mbehring_pix_rev5 © 1999, Cisco Systems, Inc.

Slide 2: Internetworking with PIX: Agenda
• Overview of the PIX
• The “Inside” of the PIX
• Advanced Configurations
• PIX and IPSec
• PIX Management
• Last Words

Slide 3: Overview of the PIX: Hardware, Software and Capabilities
CCIE’99 Vienna

Slide 4: PIX Overview: The Box Itself
• 515-R (restricted): Target: Branch office
• 515-UR (unrestricted): Target: Main office
• 520: Target: Biiig main office

Slide 5: PIX Overview: The Platform
• 515-R: Pentium 200 MHz, no PCI, 32 M RAM max
• 515-UR: Pentium 200 MHz, 2 PCI, 64 M RAM max
• 520: Pentium 350 MHz, 4 PCI, 128 M RAM max, 1 ISA

Slide 6: PIX Overview: Interfaces
• 515-R: 2 FE, unchangeable
• 515-UR: Standard: 2 FE; extensible to up to 6 FE
• 520: Standard: 2 FE plus 2 of: 4 FE card, Token Ring card, FDDI card

Slide 7: PIX Overview: Private Link Cards
• PL1: ISA based (16 bit, discontinued)
• PL2: PCI based (32 bit)
• PL3: (planned) PCI
• Kodiak: (planned) PCI
• PIX 520 has 1 ISA slot + 4 PCI slots; PIX 515-UR has 2 PCI slots, no ISA

Slide 8: PIX Overview: PIX Hardware Overview
Model    Max. simult. connections   Max. RAM   Max. throughput (Mbps)   Flash   Max # i/f   I/f type       Failover
515-R    50,000                     32M        170                      8M      2           FE             no
515-UR   100,000                    64M        170                      16M     6           FE             yes
520      250,000                    128M       170                      16M     6           FE, TR, FDDI   yes

Slide 9: PIX Overview: The PIX Philosophy
Every interface gets a name and a security level with nameif; on the slide the Public Network is at security 0, the DMZ at 50 and the Private Network at 100:
  nameif ethernet0 outside security0
  nameif ethernet1 inside security100
  nameif ethernet2 DMZ security50
Slide 10: PIX Overview: The PIX Philosophy
Default actions between interfaces (Public Network 0, DMZ 50, Private Network 100):
• Higher to Lower: PERMIT
• Lower to Higher: DENY
• Between Same: DENY

Slide 11: PIX Overview: Strength of the PIX
• No common OS
• Small code -> Less chances for bugs
• Appliance: No extra software
• Easy configuration
• Performance (170 Mbit/s !!)

Slide 12: PIX Overview: PIX Certification
• NSA TTAP Certification
• ICSA Certification
• SRI International testing: “SRI International failed to uncover any security vulnerabilities in the Cisco PIX firewall”
• Turnkey appliance: no software installation risks

Slide 13: PIX Overview: Licensing
• 520: Session based (128, 1024, …) (will be feature based in the future)
• 515: Feature based: Basic license plus: DES license (free), 3DES license (extra cost)

Slide 14: PIX Overview: Around the PIX
• PIX Firewall Manager: Management
• Cisco Security Manager: Management
• WebSense: URL Filtering
• Private I: Logging and Alarming
• Verisign, Entrust, …: Certification Authority
• CiscoSecure: Cut-Through-Proxy, AAA

Slide 15: The “Inside” of the PIX: Configuration Details
NW’99 Vienna

Slide 16: PIX “Inside”: Only 4 Ways through the PIX
1: inside to outside (limit with “outbound” and “apply”)
2: conduit
3: user authentication (AAA)
4*: Access List
* since PIX IOS 5.0

Slide 17: PIX “Inside”: Address Translation in the PIX: NAT / PAT
Outside source address range to use (NAT pool) and a single PAT address*, both tied to NAT-ID 1:
  global (outside) 1 204.31.17.40-204.31.17.50
  global (outside) 1 204.31.17.51
Translate all inside source addresses:
  nat (inside) 1 0.0.0.0 0.0.0.0 0 0
* For PAT use only 1 outside address

Slide 18: PIX “Inside”: Destination Address Translation: Alias
• NAT changes Source Address only
• Use alias to change Destination address
• DNS will be changed as well
• Applications: Dual NAT, Re-routing

Slide 19: PIX “Inside”: How “alias” Works
Company alias: 3.3.3.3 = 2.2.2.2 (the web server www.x.com on the Internet has 2.2.2.2, which conflicts with an address on the inside)
1. Inside user accesses www.x.com
2. DNS query goes out through the PIX
3. Reply from the Internet: 2.2.2.2
4. Reply forwarded to the inside user: 3.3.3.3
5. Destination NAT: packets to 3.3.3.3 are sent to 2.2.2.2 on the outside

Slide 20: PIX “Inside”: Address Translation: Alias Configuration
Destination NAT: use this destination address on the inside (3.3.3.3) for this destination address on the outside (2.2.2.2):
  alias (inside) 3.3.3.3 2.2.2.2 255.255.255.255
Source NAT: map this source on the outside (2.2.2.2) to this one on the inside (3.3.3.3):
  static (inside,outside) 2.2.2.2 3.3.3.3 netmask 255.255.255.255

Slide 21: PIX “Inside”: Address Translation: Static
For Web or other servers: outside address 208.133.247.111, inside address 172.19.10.130:
  static (inside,outside) 208.133.247.111 172.19.10.130 netmask 255.255.255.255 0 0

Slide 22: PIX “Inside”: Conduits
• To permit traffic from any external host with FTP to this internal host* (192.150.50.1):
  conduit permit tcp host 192.150.50.1 eq ftp any
• To permit FTP to any internal host from this external host (192.150.50.42):
  conduit permit tcp any eq ftp host 192.150.50.42
* use global addresses
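Slides 17 to 21 (nat/global with PAT fallback, static, alias with DNS rewrite) as a small Python model; this is an added illustration, not Cisco code. The two-address pool and the 10.x inside hosts are constructed so that the PAT fallback is exercised, and PAT port numbering is an assumption.

```python
from ipaddress import IPv4Address, IPv4Network
from itertools import count

class PixTranslator:
    """Toy model of PIX source NAT/PAT, static and alias behaviour (added illustration, not Cisco code)."""

    def __init__(self, nat_net, pool, pat_addr, statics, aliases):
        self.nat_net = IPv4Network(nat_net)              # nat (inside) 1 <net> <mask>
        self.pool = [IPv4Address(a) for a in pool]       # global (outside) 1 <first>-<last>
        self.pat_addr = IPv4Address(pat_addr)            # global (outside) 1 <single address> (PAT)
        self.statics = {IPv4Address(i): IPv4Address(g) for i, g in statics.items()}  # inside -> global
        self.aliases = {IPv4Address(a): IPv4Address(r) for a, r in aliases.items()}  # alias (inside) a r
        self.xlate = {}                                  # inside host -> (global addr, PAT port or None)
        self._pat_port = count(1024)                     # assumed PAT port allocator

    def outbound(self, src, dst):
        """Translate an inside->outside first packet: returns (global_src, pat_port, real_dst)."""
        src, dst = IPv4Address(src), IPv4Address(dst)
        real_dst = self.aliases.get(dst, dst)            # alias: destination NAT on the way out
        if src in self.statics:                          # static: fixed one-to-one mapping
            return str(self.statics[src]), None, str(real_dst)
        if src not in self.nat_net:
            raise ValueError(f"no nat statement covers {src}")
        if src not in self.xlate:                        # xlate entry is created on the first packet
            in_use = {g for g, _ in self.xlate.values()}
            free = [g for g in self.pool if g not in in_use]
            self.xlate[src] = ((free[0], None) if free                       # NAT: one global per host
                               else (self.pat_addr, next(self._pat_port)))  # pool exhausted: PAT
        g, p = self.xlate[src]
        return str(g), p, str(real_dst)

    def inbound_static(self, global_dst):
        """Map a packet arriving for a static global address back to the inside host."""
        for inside, glob in self.statics.items():
            if glob == IPv4Address(global_dst):
                return str(inside)
        return None                                      # no static, no xlate: the ASA drops and logs it

    def dns_reply(self, answer):
        """Rewrite a DNS answer the way 'alias' does: real outside address -> inside alias address."""
        for alias_addr, real in self.aliases.items():
            if real == IPv4Address(answer):
                return str(alias_addr)
        return answer

# The slide's configuration; the pool is cut to two addresses (constructed) so the PAT fallback shows
SLIDE_PIX = PixTranslator("0.0.0.0/0", ["204.31.17.40", "204.31.17.41"], "204.31.17.51",
                          {"172.19.10.130": "208.133.247.111"}, {"3.3.3.3": "2.2.2.2"})
```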
Slide 23: PIX “Inside”: Outbound Access Lists
• Deny Inside -> Outside connections with Outbound Access Lists (list# 10):
  outbound 10 deny 0 0 www tcp                              (deny all outbound www traffic)
  outbound 10 permit 192.168.1.2 255.255.255.255 www tcp    (but permit to proxy server)
  apply (dmz1) 10 outgoing_src                              (apply to interface dmz1)

Slide 24: PIX “Inside”: Adaptive Security Algorithm™ (ASA)
• Heart of stateful checking in PIX
• Basic Rules:
  • Allow TCP / UDP from inside
  • Permit TCP / UDP return packets
  • Drop and log connections from outside
  • Drop and log source routed IP packets
  • Allow some ICMP packets
  • Silently drop pings to dynamic IP addresses
  • Answer (PIX) pings to static connections
  • Drop and log all other packets from outside

Slide 25: PIX “Inside”: How the PIX works
1. Packet arrives
2. Addressing: NAT / PAT / Alias / Static
3. Permissions: Conduit / ACLs / Outbound
4. -> Xlate Table (addressing info)
5. -> Connections Table (ports + proto)

Slide 26: PIX “Inside”: Xlate: The Translation Table
• PIX creates an xlate entry for every IP pair (host-host)
• This is part of the “State” of the firewall
• clear xlate after changes
  timeout xlate hh:mm:ss
  timeout conn hh:mm:ss … and: half-closed, udp, rpc, h323, uauth

Slide 27: PIX “Inside”: Connections Table
• Connection entries contain: protocol and port numbers; TCP state and sequence numbers; state of connection (e.g., embryonic)
• Also part of the “State” of the firewall
• clear xlate also clears the conns table
• License check with # of connections!

Slide 28: PIX “Inside”: Xlate and Conns Tables
show xlate (nconns = # conns, econns = # embryonic):
  Global 16.130.3.17 Local 16.130.3.17 static nconns 1 econns 0
  Global 16.130.3.16 Local 16.130.3.16 static nconns 4 econns 0
show conn (licence check: connections in use on a PIX 520):
  6 in use, 6 most used
  TCP out 192.150.50.41:80 in 10.3.3.4:1404 idle 0:00:00 Bytes 11391
  TCP out 192.150.50.41:80 in 10.3.3.4:1405 idle 0:00:00 Bytes 3709
  TCP out 192.150.50.41:80 in 10.3.3.4:1406 idle 0:00:01 Bytes 2685
  TCP out 192.150.50.41:80 in 10.3.3.4:1407 idle 0:00:01 Bytes 2683
  TCP out 192.150.50.41:80 in 10.3.3.4:1403 idle 0:00:00 Bytes 15199
  TCP out 192.150.50.41:80 in 10.3.3.4:1408 idle 0:00:00 Bytes 2688
  UDP out 192.150.50.70:24 in 10.3.3.4:1402 idle 0:01:30
  UDP out 192.150.50.70:23 in 10.3.3.4:1397 idle 0:01:30
  UDP out 192.150.50.70:22 in 10.3.3.4:1395 idle 0:01:30

Slide 29: Advanced Configurations

Slide 30: PIX Advanced Configuration: User Authentication: Cut-Through-Proxy
Outside user on the Public Network -> PIX -> AAA server on the inside -> www server on the Private Network:
1. HTTP request packet intercepted by PIX
2. PIX asks user for credentials, he responds
3. PIX sends credentials to AAA server, AAA server ack’s
4. PIX forwards packets

Slide 31: PIX Advanced Configuration: User Authentication: Cut-Through-Proxy
• Addressing and Conduit must exist!
• FTP, HTTP, Telnet can be proxied
• Other ports can be authorised after authentication
• Watch out: timeout for authorisation! -> Other connections will be cut after primary timed out

Slide 32: PIX Advanced Configuration: User Authentication: Configuration
Define AAA protocol, then AAA server and key:
  aaa-server AuthInbound protocol tacacs+
  aaa-server AuthInbound (inside) host 10.1.1.1 TheUauthKey
Authenticate all inbound FTP traffic:
  aaa authentication ftp inbound 0 0 0 0 AuthInbound
Install authorization lists from server*:
  aaa authorization ftp inbound 0 0 0 0 AuthInbound
* only with TACACS+, not with RADIUS
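A parser for the show xlate / show conn output of slide 28 that reports the two things slides 27 and 28 point at, licence headroom against the slide 8 limits and hosts with many embryonic connections; this is an added illustration, not Cisco code. The sample output is constructed in the slide's format (one host is given econns 3 on purpose), and the embryonic threshold is an assumption.

```python
import re

# Constructed sample output in the format of slide 28 (values are illustrative, not from a live box)
SHOW_XLATE = """\
Global 16.130.3.17 Local 16.130.3.17 static nconns 1 econns 0
Global 16.130.3.16 Local 16.130.3.16 static nconns 4 econns 3
"""
SHOW_CONN = """\
3 in use, 6 most used
TCP out 192.150.50.41:80 in 10.3.3.4:1404 idle 0:00:00 Bytes 11391
TCP out 192.150.50.41:80 in 10.3.3.4:1405 idle 0:00:00 Bytes 3709
UDP out 192.150.50.70:24 in 10.3.3.4:1402 idle 0:01:30
"""
# Maximum simultaneous connections per model, from slide 8
LICENSE_MAX = {"515-R": 50_000, "515-UR": 100_000, "520": 250_000}

XLATE_RE = re.compile(r"Global (\S+) Local (\S+) (\w+) nconns (\d+) econns (\d+)")
USAGE_RE = re.compile(r"(\d+) in use, (\d+) most used")
CONN_RE = re.compile(r"(TCP|UDP) out (\S+):(\d+) in (\S+):(\d+) idle (\d+):(\d+):(\d+)(?: Bytes (\d+))?")

def parse_xlate(text):
    """One dict per xlate entry: global/local address, entry type, conns and embryonic conns."""
    return [dict(global_ip=g, local_ip=loc, kind=k, nconns=int(n), econns=int(e))
            for g, loc, k, n, e in XLATE_RE.findall(text)]

def parse_conn(text):
    """Return (in_use, most_used, [conn dicts]); idle h:mm:ss is converted to seconds."""
    m = USAGE_RE.search(text)
    in_use, most_used = (int(m.group(1)), int(m.group(2))) if m else (0, 0)
    conns = [dict(proto=p, out_ip=oi, out_port=int(op), in_ip=ii, in_port=int(ip),
                  idle=int(h) * 3600 + int(mi) * 60 + int(s), bytes=int(b) if b else None)
             for p, oi, op, ii, ip, h, mi, s, b in CONN_RE.findall(text)]
    return in_use, most_used, conns

def check_tables(model, xlate_text, conn_text, econn_limit=2):
    """Licence headroom (peak vs. the model's limit) and embryonic-connection warnings."""
    in_use, most_used, conns = parse_conn(conn_text)
    return {
        "in_use": in_use,
        "most_used": most_used,
        "licence_pct": round(100.0 * most_used / LICENSE_MAX[model], 4),
        "tcp": sum(c["proto"] == "TCP" for c in conns),
        "udp": sum(c["proto"] == "UDP" for c in conns),
        # many half-open (embryonic) connections on one global address is what floodguard guards against
        "embryonic_warnings": [x["global_ip"] for x in parse_xlate(xlate_text)
                               if x["econns"] >= econn_limit],
    }

if __name__ == "__main__":
    print(check_tables("520", SHOW_XLATE, SHOW_CONN))
```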
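The default security-level actions of slide 10, the conduit of slide 22 and the outbound/apply list of slide 23, combined into one decision function for a first packet; this is an added illustration, not Cisco code. It assumes outbound entries are resolved most-specific-match first (the only reading under which the slide's deny-all plus permit-proxy pair lets the proxy through), uses the interface names and levels from slides 9 and 23, and leaves AAA cut-through proxy and access lists out.

```python
from ipaddress import IPv4Address, IPv4Network

# nameif security levels from slide 9; "dmz1" is the DMZ interface name used on slide 23
SECURITY = {"outside": 0, "dmz1": 50, "inside": 100}

class PixPolicy:
    """Toy model of how the PIX decides to pass a first packet (added illustration, not Cisco code)."""

    def __init__(self):
        self.conduits = []     # conduit permit <proto> <global net> eq <port> <foreign net>
        self.outbound = {}     # list# -> [(src net, port, proto, action)]
        self.applied = {}      # interface -> list#  (apply (<ifc>) <list#> outgoing_src)

    def conduit(self, proto, global_net, port, foreign_net):
        self.conduits.append((proto, IPv4Network(global_net), port, IPv4Network(foreign_net)))

    def outbound_rule(self, num, action, src_net, port, proto):
        self.outbound.setdefault(num, []).append((IPv4Network(src_net), port, proto, action))

    def apply(self, ifc, num):
        self.applied[ifc] = num

    def decide(self, in_ifc, out_ifc, proto, src, dst, dport):
        src, dst = IPv4Address(src), IPv4Address(dst)
        s, d = SECURITY[in_ifc], SECURITY[out_ifc]
        if s == d:                      # between same: DENY
            return "deny"
        if s > d:                       # higher to lower: PERMIT, then filter with the outbound list
            rules = self.outbound.get(self.applied.get(in_ifc), [])
            hits = [(net.prefixlen, action) for net, port, pr, action in rules
                    if src in net and port == dport and pr == proto]
            return max(hits)[1] if hits else "permit"   # most specific entry wins (assumed)
        for pr, gnet, gport, fnet in self.conduits:     # lower to higher: DENY unless a conduit opens it
            if pr == proto and dst in gnet and gport == dport and src in fnet:
                return "permit"
        return "deny"

def slide_policy():
    """The conduit of slide 22 and the outbound list of slide 23, entered into the model."""
    p = PixPolicy()
    p.conduit("tcp", "192.150.50.1/32", 21, "0.0.0.0/0")       # conduit permit tcp host 192.150.50.1 eq ftp any
    p.outbound_rule(10, "deny", "0.0.0.0/0", 80, "tcp")         # outbound 10 deny 0 0 www tcp
    p.outbound_rule(10, "permit", "192.168.1.2/32", 80, "tcp")  # outbound 10 permit 192.168.1.2 255.255.255.255 www tcp
    p.apply("dmz1", 10)                                         # apply (dmz1) 10 outgoing_src
    return p
```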
Slide 33: PIX Advanced Configuration: PIX Failover
Primary (.1) and Secondary (.2) PIX are joined by the Failover Cable and by a Failover Link on 192.168.236.x; both sit on 10.0.1.x, where hosts use default gateway 10.0.1.1.

Slide 34: PIX Advanced Configuration: Failover Configuration
Enable failover:
  failover [active]
Address for standby PIX (configured on primary):
  failover ip address inside 10.0.1.1
Enable statefulness (over link eth2):
  failover link ethernet2

Slide 35: PIX Advanced Configuration: PIX Failover
• Only primary PIX is configured, wr mem auto-configures standby PIX
• On failover, standby PIX assumes MAC and IP address from primary
• Failover takes 15-45 seconds

Slide 36: PIX Advanced Configuration: URL Filtering
Inside user in the Corporate Network -> PIX -> Internet; the PIX checks the requested URL (www.sexy.girls on the slide) with the WebSense server before letting it through.

Slide 37: PIX Advanced Configuration: URL Filtering Configuration
• Outbound HTTP connections can be checked on URL
• Interaction with 3rd party product, e.g., WebSense
Interface and server IP:
  url-server (inside) host 10.0.1.100 timeout 5
Filter any URL:
  filter url http 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0

Slide 38: PIX Advanced Configuration: Various...
• Flooding prevention:
  floodguard enable|disable
  show floodguard
• Fragmentation attack prevention:
  sysopt security fragguard
• Mailguard (check SMTP commands):
  fixup protocol smtp 25

Slide 39: PIX Advanced Configuration: Example: Redundant PIX Set-Up
Diagram only: Partners and Clients reach the redundant PIX set-up over the Internet, with a DMZ; four NetRanger sensors and a NetSonar scanner are placed around it.

Slide 40: PIX and IPSec
Slide 41: PIX and IPSec: PIX and IPSec*
Main Office, with its Certification Authority (CA), connected over the Internet to Branch Offices (Intranet), Remote User Access, and Extranet / Host-to-host Access.
* since PIX IOS 5.0

Slide 42: PIX and IPSec: IPSec Configuration Steps
1: CA interoperation (opt)
2: IKE
3: IKE Mode (opt)
4: IPSec

Slide 43: PIX and IPSec: IPSec Configuration
What to encrypt...
  access-list 101 permit ip 1.1.1.0 255.255.255.0 2.2.2.0 255.255.255.0
…and how:
  crypto ipsec transform-set myset1 esp-des esp-sha-hmac
For this traffic, use this endpoint and transform set:
  crypto map mymap 10 ipsec-isakmp
  crypto map mymap 10 match address 101
  crypto map mymap 10 set peer 2.2.2.2
  crypto map mymap 10 set transform-set myset1
Apply to interface:
  crypto map mymap interface outside

Slide 44: PIX and IPSec: Configuring the CA
Generate key-pair:
  ca generate rsa key 512
Define CA:
  ca identity myca.mycompany.com 205.139.94.230
Retry parameters:
  ca configure myca.mycompany.com ca 1 20 crloptional
Get CA certificate and check it:
  ca authenticate myca.mycompany.com [<fingerprint>]
Send PIX’s public key to CA:
  ca enroll myca.mycompany.com mypassword1234567
  ca save all

Slide 45: PIX and IPSec: PIX IPSec: Attention!!
• Avoid the use of “any” keyword
• IPSec only on outside interface in 5.0
• No TED in 5.0
• Make sure clock is set correctly!

Slide 46: PIX and IPSec: IPSec Hardware Accelerators
• Software-only mode: 30-40 Mbps DES (!), 10-20 Mbps 3DES (!)
• PIX Private Link Card (PL2/PL3): 60-80 Mbps DES (3DES not supported on PL2)
• Kodiak (in development): 100 Mbps 3DES

Slide 47: PIX Management
Slide 48: PIX Management: Cisco Security Manager
• Policy-based, not device-based
• GUI
• Scalable (<100 PIX)
• Any topology
• Future: management of all security products

Slide 49: PIX Management: PIX Syslog
• Reliable logging (TCP): if Syslog server is full -> PIX will deny all new connections!!
• Unreliable logging: UDP
• Config (interface, host, tcp / udp):
  logging host dmz1 192.168.1.5 tcp
  logging trap debugging
  clock set 14:25:00 apr 1 1999
  logging timestamp

Slide 50: PIX Management: PIX SNMP
• Almost like on Router (interface, host):
  snmp-server host outside 10.1.1.2
  snmp-server community secret_xyz
  snmp-server syslog disable
  snmp-server log_level 5
• But: PIX only sends traps, no config through SNMP

Slide 51: Last Words…

Slide 52: The Direction of Security in Cisco
• Integration: Security as an integral part in all products
• CiscoAssure: Combine Security, QoS, Voice in one concept
• DEN*: The future is based on directories
* Directory Enabled Networks

Slide 53: Last Words...
• Security needs more than a Firewall…
• Keep it simple -> More secure: simple configurations, split functionality to different devices
• Keep up to date!