A firewall is a system or group of systems that manages access between two networks.
Firewall Technologies
Firewall operations are based on one of three technologies:
• Packet filtering
• Proxy server
• Stateful packet filtering
Packet Filtering
• Filters packets according to an ACL (access control list).
Proxy Server
• Requests connections between a client on the inside of the firewall and the outside.
Stateful Packet Filtering
• Limits information into a network based not only on destination and source address, but also on packet data content.
PIX Firewall—What Is It?
(Figure: a PIX Firewall with three interfaces.)
• e0, outside network (Internet): security level 0, interface name = outside
• e1, inside network: security level 100, interface name = inside
• e2, perimeter network: security level 50, interface name = pix/intf2
Cut-Through Proxy Operation
1. The user makes a request to an IS resource.
2. The PIX Firewall intercepts the connection.
3. The PIX Firewall prompts the user for a username and password, authenticates the user, and checks the security policy on a RADIUS or TACACS+ server.
4. The PIX Firewall initiates a connection from the PIX Firewall to the destination IS resource.
(Figure: an internal/external user, the PIX Firewall, the IS resource and a Cisco Secure server; the user's browser shows a "Username and Password Required" dialog reading "Enter username for CCO at www.com", with User Name student and Password 123@456 and OK/Cancel buttons.)
(Figure: failover topology. A primary and a secondary PIX Firewall are joined by a failover cable; e0 is on 192.168.0.0/24 toward the Internet, e1 on 10.0.0.0/24 (inside, host at .3), e2 on 172.16.0.0/24 (DMZ) and e3 on 172.17.0.0/24. The primary unit uses .1 on each interface and the secondary uses .7. An upstream network 172.26.26.0/24 holds a backbone, web, FTP and TFTP server at .50.)
enable Command
pixfirewall> enable
• Enables you to enter different access modes.
pixfirewall> enable
password:
pixfirewall# configure terminal
pixfirewall(config)#
pixfirewall(config)# exit
pixfirewall#
enable password and passwd Commands
pixfirewall# enable password password
• The enable password command is used to control access to the privileged mode.
pixfirewall# passwd password
• The passwd command is used to set a Telnet password.
hostname and ping Commands
pixfirewall(config)# hostname newname
• The hostname command changes the host name shown in the command prompt.
pixfirewall(config)# ping [if_name] ip_address
• The ping command sends ICMP echo requests to an address to test reachability, optionally out of the named interface.
• nameif
• interface
• ip address
• nat
• global
• route
nameif command
pixfirewall(config)# nameif hardware_id if_name security_level
ip address command
pixfirewall(config)# ip address if_name ip_address [netmask]
• The ip address command assigns an IP address to each interface.
TCP
• TCP is a connection-oriented, reliable-delivery, robust, and high performance transport layer protocol.
• TCP features
– Sequencing and acknowledgement of data
– A defined state machine (open connection, data flow, retransmit, close connection)
– Congestion management and avoidance mechanisms
TCP Initialization—Inside to Outside
(Figure: the inside host 10.0.0.3 on the private network opens a Telnet session to 172.30.0.50 on the public network through the PIX Firewall, which presents it as 192.168.0.20.)
Packet #1 (flag Syn, no data) arrives from the private network: source addr 10.0.0.3, destination addr 172.30.0.50, source port 1026, destination port 23, initial sequence # 49091.
• The PIX Firewall checks for a translation slot. If one is not found, it creates one after verifying NAT, global, access control, and authentication or authorization, if any. If OK, a connection is created.
• The PIX starts the embryonic connection counter.
• On the public network the packet carries source addr 192.168.0.20, destination addr 172.30.0.50, source port 1026, destination port 23, and a rewritten initial sequence # of 49769.
Packet #2 (Syn-Ack) returns from 172.30.0.50 port 23 to 192.168.0.20 port 1026, with IP header value 92513 and TCP acknowledgement 49770.
• The PIX Firewall follows the Adaptive Security Algorithm:
– (Src IP, Src Port, Dest IP, Dest Port) check
– Sequence number check
– Translation check
• If the code bit is not syn-ack, the PIX drops the packet.
• The packet is delivered to 10.0.0.3 port 1026 with the acknowledgement restored to 49092.
TCP Initialization—Inside to Outside (cont.)
• The PIX resets the embryonic counter for this client. It then increments the connection counter for this host.
UDP
• Connectionless protocol
• Efficient protocol for some services
• Resourceful but difficult to secure
UDP (cont.)
(Figure: inside host 10.0.0.3 port 1028 sends a datagram (#1) to 172.30.0.50 port 45000 through the PIX Firewall; on the outside it appears to come from 192.168.0.20 port 1028, and the reply (#2) is translated back to 10.0.0.3.)
• All UDP responses must arrive from the outside within the user-configurable UDP timeout (default = 2 minutes).
• The PIX Firewall follows the Adaptive Security Algorithm:
– (Src IP, Src Port, Dest IP, Dest Port) check
– Translation check
Static Translations
(Figure: inside host 10.0.0.3 behind the PIX Firewall (inside 10.0.0.1, outside 192.168.0.2), with the perimeter router 192.168.0.1 toward the Internet.)
Global Pool
(Figure: the same topology, with hosts such as 10.0.0.3 drawing addresses from the global pool 192.168.0.20-192.168.0.254.)
Connections vs. Translations
• Translations—xlate
– IP address to IP address translation
– 65,536 translations supported
• Connections—conns
– TCP or UDP sessions
xlate Command
pixfirewall(config)#
(Figure: the inside host 10.0.0.3 is seen on the outside, toward the Internet, with source addr 192.168.0.20.)
nat Command
pixfirewall(config)# nat [(if_name)] nat_id local_ip [netmask]
• The nat command defines which addresses can be translated.
PAT Global
(Figure: an inside host 10.0.0.3 in Information Systems reaches 172.30.0.50 on the Internet through the PIX Firewall; on the outside its source addr becomes the PAT global 192.168.0.15 while the destination addr 172.30.0.50 is unchanged.)
PAT Using Outside Interface Address
pixfirewall(config)# ip address inside 10.0.0.1 255.255.255.0
pixfirewall(config)# ip address outside 192.168.0.2 255.255.255.0
pixfirewall(config)# route outside 0.0.0.0 0.0.0.0 192.168.0.1
pixfirewall(config)# nat (inside) 1 10.0.0.0 255.255.255.0
pixfirewall(config)# global (outside) 1 interface
• Use the interface option to enable use of the outside interface IP address as the PAT address.
• Source addresses of hosts in network 10.0.0.0 are translated to 192.168.0.2 for outgoing access.
• The source port is changed to a unique number greater than 1024.
(Figure: perimeter router 192.168.0.1; PIX Firewall with outside 192.168.0.2 and inside 10.0.0.1; bastion host 172.16.0.2; inside networks Engineering 10.0.1.0, Sales 10.0.2.0 and Information Systems 10.0.0.0.)
Augmenting a Global Pool with PAT
pixfirewall(config)# ip address inside 10.0.0.1 255.255.255.0
pixfirewall(config)# ip address outside 192.168.0.2 255.255.255.0
pixfirewall(config)# route outside 0.0.0.0 0.0.0.0 192.168.0.1
pixfirewall(config)# nat (inside) 1 10.0.0.0 255.255.255.0
pixfirewall(config)# global (outside) 1 192.168.0.20-192.168.0.254 netmask 255.255.255.0
pixfirewall(config)# global (outside) 1 192.168.0.19 netmask 255.255.255.0
• When hosts on the 10.0.0.0 network access the outside network through the firewall, they are assigned public addresses from the 192.168.0.20-192.168.0.254 range.
• When the addresses from the global pool are exhausted, PAT begins.
• Make sure the PAT address is not part of the global pool.
(Figure: perimeter router 192.168.0.1; PIX Firewall with outside 192.168.0.2 and inside 10.0.0.1; bastion host 172.16.0.2; inside networks Engineering 10.0.1.0, Sales 10.0.2.0 and Information Systems 10.0.0.0.)
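A small checker for the rule above that the PAT address must not be part of the global pool, added here as an example and not Cisco code or material from the slides: it parses nat and global lines in the deck's syntax, flags a single-address (PAT) global that falls inside a pool with the same interface and nat_id, and also flags a nat_id that no global command serves. The sample configuration is constructed from the slide's lines plus one deliberately wrong PAT entry (192.168.0.30) and one unmatched nat.

```python
import ipaddress
import re

# Constructed sample: the "Augmenting a Global Pool with PAT" lines from the slides, plus one
# deliberately wrong PAT entry (192.168.0.30, inside the pool) and one nat with no global.
SAMPLE_CONFIG = """
nat (inside) 1 10.0.0.0 255.255.255.0
nat (dmz) 2 172.16.0.0 255.255.255.0
global (outside) 1 192.168.0.20-192.168.0.254 netmask 255.255.255.0
global (outside) 1 192.168.0.19 netmask 255.255.255.0
global (outside) 1 192.168.0.30 netmask 255.255.255.0
global (dmz) 1 172.16.0.20-172.16.0.254 netmask 255.255.255.0
""".strip().splitlines()

GLOBAL_RE = re.compile(r"^global \((\w+)\) (\d+) (\S+)")
NAT_RE = re.compile(r"^nat \((\w+)\) (\d+) ")

def parse_global(line):
    """Return (if_name, nat_id, first, last) for a global line, or None; first == last is PAT."""
    m = GLOBAL_RE.match(line)
    if not m:
        return None
    first, _, last = m.group(3).partition("-")
    lo = ipaddress.ip_address(first)
    return m.group(1), int(m.group(2)), lo, (ipaddress.ip_address(last) if last else lo)

def lint_globals(config_lines):
    """Report PAT addresses that fall inside a pool with the same interface and nat_id
    (the slide's 'make sure PAT address is not part of global pool' rule) and nat ids
    that no global command serves."""
    entries = [e for e in map(parse_global, config_lines) if e]
    pools = [e for e in entries if e[2] != e[3]]
    problems = []
    for if_name, nat_id, pat, last in entries:
        if pat != last:
            continue                                  # a range, not a PAT address
        for p_if, p_id, lo, hi in pools:
            if (p_if, p_id) == (if_name, nat_id) and lo <= pat <= hi:
                problems.append(f"PAT address {pat} lies inside pool {lo}-{hi} on {if_name}")
    served = {e[1] for e in entries}
    for line in config_lines:
        m = NAT_RE.match(line)
        if m and int(m.group(2)) not in served:
            problems.append(f"nat id {m.group(2)} on {m.group(1)} has no matching global")
    return problems

if __name__ == "__main__":
    for problem in lint_globals(SAMPLE_CONFIG):
        print("WARNING:", problem)
```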
route
pixfirewall(config)# route if_name ip_address netmask gateway_ip [metric]
• The route command defines a static or default route for an interface.
• static
• conduit
• name
• fixup protocol
Statics and Conduits
pixfirewall(config)# static (inside,outside) 192.168.0.10 10.0.0.3 netmask 255.255.255.255 0 1000
• A packet sent from 10.0.0.3 has a source address of 192.168.0.10.
• Permanently maps a single IP address (external access).
• Recommended for internal service hosts.
(Figure: perimeter router 192.168.0.1; PIX Firewall with outside 192.168.0.2 and inside 10.0.0.1; inside host 10.0.0.3.)
conduit Command
pixfirewall(config)#
Port Redirection
pixfirewall(config)# static [(internal_if_name, external_if_name)] {tcp|udp} {global_ip|interface} global-port local_ip local-port [netmask mask] [max_conns [emb_limit [norandomseq]]]
• Allows outside users to connect to a particular IP address or port and have the PIX redirect traffic to the appropriate inside server.
pixfirewall(config)# static (inside,outside) tcp 192.168.0.9 8080 172.16.0.2 www netmask 255.255.255.255 0 0
• The external user directs an HTTP port 8080 request to the PIX Firewall PAT address, 192.168.0.9. The PIX Firewall redirects this request to host 172.16.0.2 port 80.
(Figure: a request to http://192.168.0.9:8080 is delivered to the web server as http://172.16.0.2:80.)
Conduit Example
(Figure: PIX Firewall with e0 .2 on 192.168.0.0/24 toward the Internet, e1 .1 on 10.0.0.0/24, and e2 .1 on the 172.16.0.0/24 DMZ where the bastion host is .2.)
pixfirewall(config)# nameif ethernet0 outside sec0
pixfirewall(config)# nameif ethernet1 inside sec100
pixfirewall(config)# nameif ethernet2 dmz sec50
pixfirewall(config)# ip address outside 192.168.0.2 255.255.255.0
pixfirewall(config)# ip address inside 10.0.0.1 255.255.255.0
pixfirewall(config)# ip address dmz 172.16.0.1 255.255.255.0
pixfirewall(config)# nat (inside) 1 10.0.0.0 255.255.255.0
pixfirewall(config)# global (outside) 1 192.168.0.20-192.168.0.254 netmask 255.255.255.0
pixfirewall(config)# global (dmz) 1 172.16.0.20-172.16.0.254 netmask 255.255.255.0
pixfirewall(config)# static (dmz,outside) 192.168.0.11 172.16.0.2
pixfirewall(config)# conduit permit tcp host 192.168.0.11 eq http any
Another Conduit Example
(Figure: as in the previous example, with a fourth interface e3 .1 on the 172.18.0.0/24 partnernet.)
pixfirewall(config)# nameif ethernet0 outside sec0
pixfirewall(config)# nameif ethernet1 inside sec100
pixfirewall(config)# nameif ethernet2 dmz sec50
pixfirewall(config)# nameif ethernet3 partnernet sec40
pixfirewall(config)# ip address outside 192.168.0.2 255.255.255.0
pixfirewall(config)# ip address inside 10.0.0.1 255.255.255.0
pixfirewall(config)# ip address dmz 172.16.0.1 255.255.255.0
pixfirewall(config)# ip address partnernet 172.18.0.1 255.255.255.0
pixfirewall(config)# nat (inside) 1 10.0.0.0 255.255.255.0
pixfirewall(config)# global (outside) 1 192.168.0.20-192.168.0.254 netmask 255.255.255.0
pixfirewall(config)# global (dmz) 1 172.16.0.20-172.16.0.254 netmask 255.255.255.0
pixfirewall(config)# static (dmz,outside) 192.168.0.11 172.16.0.2
pixfirewall(config)# conduit permit tcp host 192.168.0.11 eq http any
pixfirewall(config)# static (dmz,partnernet) 172.18.0.11 172.16.0.2
pixfirewall(config)# conduit permit tcp host 172.18.0.11 eq http any
Fixup Protocol Command
The PIX has a protocol fixup feature to recognize applications running on non-standard ports.
fixup protocol <protocol> <port>[-<port>]
NAT uses the fixup information for badly behaved protocols to handle those connections properly.
fixup protocol ftp 2021
fixup protocol sqlnet 1600
Attack Guards
The PIX has special handling for DNS and SMTP using the fixup protocol command.
fixup protocol DNS <port>[-<port>]
fixup protocol SMTP <port>[-<port>]
DNS will only allow one response back to a query.
SMTP will only allow RFC 821 specified commands such as HELO, MAIL, RCPT, DATA, RSET, NOOP, and QUIT.
Defending against denial-of-service attacks
The PIX can defend against inbound SYN-flooding (excess connection requests) attacks with the option for a maximum number of embryonic (SYN-only) connections per translation slot (the emb_limit argument of the static command).
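The TCP open sequence described earlier under "TCP Initialization—Inside to Outside" and the embryonic-connection limit described here, modelled together as an added Python example that is not Cisco code or part of the slides. The global_pool and emb_limit parameters are assumptions, and the sequence-number check is modelled as requiring the SYN-ACK to acknowledge the shifted initial sequence number plus one (the slide's 49769 then 49770 and 49092 values).

```python
import random

class PixTcpInspector:
    """Toy model of the PIX Adaptive Security Algorithm for an inside-to-outside TCP open:
    translation-slot lookup, sequence-number shifting, SYN-ACK validation and the
    per-translation embryonic (SYN-only) limit used against SYN flooding."""

    def __init__(self, global_pool, emb_limit=0):
        self.pool = list(global_pool)  # addresses a global command would hand out (assumed)
        self.emb_limit = emb_limit     # 0 = unlimited, as in the static/nat syntax
        self.xlate = {}                # local_ip -> global_ip (translation slot)
        self.embryonic = {}            # global_ip -> half-open connections on that slot
        self.conns = {}                # (global_ip, sport, dst, dport) -> connection record
        self.conn_count = {}           # local_ip -> completed connections

    def outbound_syn(self, src, sport, dst, dport, seq):
        """Packet #1: find or create the xlate, start the embryonic counter, shift the ISN."""
        if src not in self.xlate:
            if not self.pool:
                return None            # global pool exhausted: no translation slot, drop
            self.xlate[src] = self.pool.pop(0)
        gip = self.xlate[src]
        if self.emb_limit and self.embryonic.get(gip, 0) >= self.emb_limit:
            return None                # SYN-flood guard: embryonic limit reached, drop
        self.embryonic[gip] = self.embryonic.get(gip, 0) + 1
        delta = random.randrange(1, 2**31)
        self.conns[(gip, sport, dst, dport)] = {
            "local": src, "delta": delta, "expect": (seq + delta + 1) % 2**32, "open": False}
        return (gip, sport, dst, dport, (seq + delta) % 2**32)   # packet as sent outside

    def inbound_reply(self, src, sport, dst, dport, flags, ack):
        """Packet #2: 4-tuple check, code-bit check, sequence check, translation check."""
        conn = self.conns.get((dst, dport, src, sport))
        if conn is None or conn["open"]:
            return None                # no embryonic connection for this 4-tuple: drop
        if flags != "SYN-ACK":
            return None                # code bit is not syn-ack: PIX drops the packet
        if ack != conn["expect"]:
            return None                # sequence number check failed: drop
        if self.xlate.get(conn["local"]) != dst:
            return None                # translation check failed: drop
        conn["open"] = True            # handshake accepted: reset embryonic, count connection
        self.embryonic[dst] -= 1
        self.conn_count[conn["local"]] = self.conn_count.get(conn["local"], 0) + 1
        return (src, sport, conn["local"], dport, (ack - conn["delta"]) % 2**32)
```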
(Figure: a primary and a secondary PIX Firewall, both connected to the Internet and joined by a failover cable.)
The primary and secondary units must:
• be the same model number.
• have identical software versions and activation key types.
• have the same amount of Flash memory and RAM.
IP Address for Failover on PIX Firewalls
(Figure: the standby unit uses the .7 address on e0 and on e1.)
• Failover
– Connections are dropped.
– Client applications must reconnect.
– Provides redundancy.
• Stateful failover
– Connections remain active.
– No client applications need to reconnect.
– Provides redundancy and stateful connection.
failover Commands
pixfirewall(config)# failover
• The failover command enables failover between the active and standby PIX Firewalls.
pixfirewall(config)# failover ip address if_name ip_address
• The failover ip address command creates an IP address for the standby PIX Firewall.
pixfirewall(config)# failover ip address inside 10.0.0.4
pixfirewall(config)# failover link [stateful_if_name]
• The failover link command enables stateful failover.
pixfirewall(config)# failover [active]
• The failover active command makes a PIX Firewall the primary firewall.
failover poll Command
pixfirewall(config)# failover poll seconds
• Specifies how long failover waits before sending special failover "hello" packets between the primary and standby units over all network interfaces and the failover cable.
Stateful Failover Logical Update Statistics
Link : dmz
access-group Command
pixfirewall(config)# access-group dmz1 in interface dmz
• ACL "dmz1" is bound to interface "dmz".
ACLs Versus Conduits
• ACL: An ACL applies to a single interface, affecting all traffic entering that interface regardless of its security level.
• Conduit: A conduit creates an exception to the PIX Firewall Adaptive Security Algorithm by permitting connections from one interface to access hosts on another.
access-list Command
pixfirewall(config)# access-list acl_name [deny | permit] protocol {src_addr | local_addr} {src_mask | local_mask} operator port {destination_addr | remote_addr} {destination_mask | remote_mask} operator port
• global_ip = destination_addr
• foreign_ip = src_addr
(Figure: an access list applied to traffic from the inside network toward the Internet; www is blocked, other IP traffic passes.)
• Denies web traffic on port 80 from the inside network to the Internet
• Permits all other IP traffic from the inside network to the Internet
Permit Web Access to the DMZ
(Figure: outside interface .2 on 192.168.0.0/24 toward the Internet, inside .1 on 10.0.0.0/24, DMZ .1 on 172.16.0.0/24 with the web server at .2.)
nameif ethernet0 outside sec0
nameif ethernet1 inside sec100
nameif ethernet2 dmz sec50
ip address outside 192.168.0.2 255.255.255.0
ip address inside 10.0.0.1 255.255.255.0
ip address dmz 172.16.0.1 255.255.255.0
static (dmz,outside) 192.168.0.11 172.16.0.2
access-list acl_in_dmz permit tcp any host 192.168.0.11 eq www
access-list acl_in_dmz deny ip any any
access-group acl_in_dmz in interface outside
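An evaluator for access-list entries in the syntax shown above, added here as an example rather than code from the slides. It applies first-match semantics with the implicit deny at the end of every ACL and checks the acl_in_dmz policy above (matched on the global address 192.168.0.11, since the ACL is bound to the outside interface) together with an assumed spelling, named acl_in, of the "deny web on port 80 from the inside network, permit all other IP" policy described with the access-list syntax; the sample packets are constructed.

```python
import ipaddress

# Constructed sample ACLs: the page's acl_in_dmz entries and an assumed acl_in spelling.
ACL_IN_DMZ = [
    "access-list acl_in_dmz permit tcp any host 192.168.0.11 eq www",
    "access-list acl_in_dmz deny ip any any",
]
ACL_IN = [
    "access-list acl_in deny tcp 10.0.0.0 255.255.255.0 any eq www",
    "access-list acl_in permit ip 10.0.0.0 255.255.255.0 any",
]
PORT_NAMES = {"www": 80, "http": 80, "telnet": 23, "ftp": 21, "smtp": 25}

def _addr(t, i):
    """Parse one address spec (any | host A | A MASK) at t[i]; return (network, next index)."""
    if t[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if t[i] == "host":
        return ipaddress.ip_network(t[i + 1] + "/32"), i + 2
    return ipaddress.ip_network(f"{t[i]}/{t[i + 1]}"), i + 2   # dotted netmask form

def _port(t, i):
    """Parse an optional 'eq PORT' (name or number); None means any port."""
    if i < len(t) and t[i] == "eq":
        p = t[i + 1]
        return (int(p) if p.isdigit() else PORT_NAMES[p]), i + 2
    return None, i

def parse_ace(line):
    """Split one access-list line into its match fields."""
    t = line.split()
    src, i = _addr(t, 4)
    sport, i = _port(t, i)
    dst, i = _addr(t, i)
    dport, _ = _port(t, i)
    return {"permit": t[2] == "permit", "proto": t[3],
            "src": src, "sport": sport, "dst": dst, "dport": dport}

def evaluate(acl_lines, proto, src, sport, dst, dport):
    """First matching entry decides; no match falls to the implicit deny at the end."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for ace in map(parse_ace, acl_lines):
        if ace["proto"] not in ("ip", proto) or s not in ace["src"] or d not in ace["dst"]:
            continue
        if ace["sport"] not in (None, sport) or ace["dport"] not in (None, dport):
            continue
        return ace["permit"]
    return False
```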
icmp Command
pixfirewall(config)# icmp permit | deny [host] src_addr [src_mask] [type] int_name
• Enables or disables pinging to an interface.