CCSP Cisco Secure PIX Firewall Advanced Exam Certification Guide, Second Edition [Electronic resources] نسخه متنی

اینجــــا یک کتابخانه دیجیتالی است

با بیش از 100000 منبع الکترونیکی رایگان به زبان فارسی ، عربی و انگلیسی

جستجو بر اساس ... همه عنوان پدیدآور موضوع یادداشت تمام متن
اصطلاحنامه مجموعه ها مرورالفبایی لغت نامه دهخدا
جستجو در لغت نامه
بیشتر
کتابخانه شخصی پرسش از کتابدار ارسال منبع

CCSP Cisco Secure PIX Firewall Advanced Exam Certification Guide, Second Edition [Electronic resources] - نسخه متنی

Greg Bastien; Earl Carter; Christian Degu

| نمايش فراداده ، افزودن یک نقد و بررسی
افزودن به کتابخانه شخصی
میخواهم بخوانم
درحال خواندن
خوانده شده
ارسال به دوستان

آدرس پست الکترونیک گیرنده :

آدرس پست الکترونیک فرستنده :

نام و نام خانوارگی فرستنده :

پیغام برای گیرنده ( حداکثر 250 حرف ) :

کد امنیتی را وارد نمایید

ارسال
جستجو در متن کتاب
بیشتر
تنظیمات قلم

فونت

اندازه قلم

+ - پیش فرض

حالت نمایش

روز نیمروز شب
جستجو در لغت نامه
بیشتر
لیست موضوعات

Copyright

About the Authors

About the Technical Reviewers

Acknowledgments

Icons Used in This Book

Command Syntax Conventions

Introduction

Why the "Second Edition"?

Who Should Read This Book?

How to Use This Book

Certification Exam and This Preparation Guide

Overview of the Cisco Certification Process

Cisco Security Specialist in the Real World

PIX AND Cisco IOS Commands

Rules of the Road

Chapter 1. Network Security

How to Best Use This Chapter

"Do I Know This Already?" Quiz

Foundation and Supplemental Topics

Foundation Summary

Q&A

Chapter 2. Firewall Technologies and the Cisco PIX Firewall

How to Best Use This Chapter

"Do I Know This Already?" Quiz

Foundation Topics

Foundation Summary

Q&A

Chapter 3. Cisco PIX Firewall

How to Best Use This Chapter

"Do I Know This Already?" Quiz

Foundation Topics

Foundation Summary

Q&A

Chapter 4. System Management/Maintenance

How to Best Use This Chapter

"Do I Know This Already?" Quiz

Foundation Topics

Foundation Summary

Q&A

Chapter 5. Understanding Cisco PIX Firewall Translation and Connection

How to Best Use This Chapter

"Do I Know This Already?" Quiz

Foundation Topics

Foundation Summary

Q&A

Chapter 6. Getting Started with the Cisco PIX Firewall

How to Best Use This Chapter

"Do I Know This Already?" Quiz

Foundation Topics

Foundation Summary

Q&A

Chapter 7. Configuring Access

How Best to Use This Chapter

"Do I Know This Already?" Quiz

Foundation Topics

Foundation Summary

Q&A

Chapter 8. Syslog and the PIX

How to Best Use This Chapter

"Do I Know This Already?" Quiz

Foundation Topics

Foundation Summary

Q&A

Chapter 9. Routing and the PIX Firewall

How to Best Use This Chapter

"Do I Know This Already?" Quiz

Foundation and Supplemental Topics

Foundation Summary

Q&A

Chapter 10. Cisco PIX Firewall Failover

How to Best Use This Chapter

"Do I Know This Already?" Quiz

Foundation Topics

Foundation Summary

Q&A

Chapter 11. Virtual Private Networks

How to Best Use This Chapter

"Do I Know This Already?" Quiz

Foundation Topics

Foundation Summary

Q&A

Scenario

Chapter 12. Configuring Access VPNs

How to Best Use This Chapter

"Do I Know This Already?" Quiz

Foundation and Supplemental Topics

Foundation Summary

Q&A

Chapter 13. PIX Device Manager

How to Best Use This Chapter

"Do I Know This Already?" Quiz

Foundation Topics

Foundation Summary

Q&A

Chapter 14. CiscoWorks Management Center for Firewalls (PIX MC)

How to Best Use This Chapter

"Do I Know This Already?" Quiz

Foundation and Supplemental Topics

Foundation Summary

Q&A

Chapter 15. Content Filtering on the PIX

How to Best Use This Chapter

"Do I Know This Already?" Quiz

Foundation Topics

Foundation Summary

Q&A

Chapter 16. Overview of AAA and the PIX

How to Best Use This Chapter

"Do I Know This Already?" Quiz

Foundation Topics

Foundation Summary

Q&A

Chapter 17. Configuration of AAA on the PIX

How to Best Use This Chapter

"Do I Know This Already?" Quiz

Foundation Topics

Foundation Summary

Q&A

Chapter 18. Attack Guards and Advanced Protocol Handling

How To Best Use This Chapter

"Do I Know This Already?" Quiz

Foundation Topics

Foundation Summary

Q&A

Chapter 19. Firewall Services Module

How to Best Use This Chapter

"Do I Know This Already?" Quiz

Foundation and Supplemental Topics

Foundation Summary

Q&A

Chapter 20. Case Study and Sample Configuration

Remote Offices

Firewall

Growth Expectation

Task 1: Basic Configuration for the Cisco PIX Firewall

Task 2: Configuring Access Rules on HQ

Task 3: Configuring Authentication

Task 4: Configuring Logging

Task 5: Configuring a VPN Between HQ and Remote Sites

Task 6: Configuring a Remote Access VPN to HQ

Task 7: Configuring Failover

What Is Wrong with This Picture?

Appendix A. Answers to the "Do I Know This Already?" Quizzes and Q&A Sections

Chapter 1

Chapter 2

Chapter 3

Chapter 4

Chapter 5

Chapter 6

Chapter 7

Chapter 8

Chapter 9

Chapter 10

Chapter 11

Chapter 12

Chapter 13

Chapter 14

Chapter 15

Chapter 16

Chapter 17

Chapter 18

Chapter 19

Chapter 20

Index
توضیحات
افزودن یادداشت جدید












  • Foundation Topics



    Multimedia Support on the Cisco PIX Firewall


    Chapter 7, "Configuring Access," begins a discussion of some applications that require special handling by the Cisco PIX Firewall. Multimedia applications have special behaviors that require special handling by the PIX inspection feature.

    During normal mode of operation, multimedia application protocols open more than one communication channel and several data channels. For example, a client might transmit a request on Transmission Control Protocol (TCP), get responses on User Datagram Protocol (UDP), or use dynamic ports. The fixup protocol command is used to help the PIX Firewall identify such protocols so that it can perform inspections.

    Here are the multimedia applications supported by the PIX Firewall:

    • Microsoft Netshow

    • Microsoft NetMeeting

    • Intel Internet Video Phone

    • VDOnet VDOLive

    • RealNetworks RealAudio and RealVideo

    • VocalTech

    • White Pine Meeting Point

    • White Pine CuSeeMe

    • Xing StreamWorks

    • VXtreme WebTheatre


    The PIX Firewall dynamically opens and closes UDP ports for secure multimedia connections. There is no need to open a range of ports, which creates a security risk, or to reconfigure any application clients.

    The PIX Firewall supports multimedia with or without Network Address Translation (NAT). Many firewalls that cannot support multimedia with NAT limit multimedia usage to only registered users or require exposure of inside Internet Protocol (IP) addresses to the Internet.

    Many popular multimedia applications use Real-Time Streaming Protocol (RTSP) or the H.323 suite protocol standard.

    Real-Time Streaming Protocol


    RTSP, described in RFC 2326, controls the delivery of real-time data, such as audio and video. It is used for large-scale broadcasts and audio- or video-on-demand streaming. It supports applications such as Cisco IP/TV, RealNetworks RealAudio G2 Player, and Apple QuickTime 4 software.

    RTSP applications use port 554 with TCP (and rarely UDP) as a control channel. The TCP control channel is used to negotiate the two UDP data channels that are used to transmit audio/video traffic. RTSP does not typically deliver continuous data streams over the control channel, usually relying on a UDP-based data transport protocol such as standard Real-Time Transport Protocol (RTP) to open separate channels for data and for RTP Control Protocol (RTCP) messages. RTCP carries status and control information, and RTP carries the actual data.

    The fixup protocol command is used for RTSP connections to let the Cisco PIX Firewall do inspection. The fixup protocol rtsp command lets the PIX dynamically create conduits for RTSP UDP channels. For example, the standard RTSP port 554 is enabled by the following command:


     fixup protocol rtsp 554


    Application Inspection Support for Voice over IP


    The steady growth of Voice over IP (VoIP) technology has also seen the development of new standards. IP phones and devices, unlike their regular phone counterparts, are not fixed to a specific switch device, so they must contain processors that enable them to function and be intelligent on their own, independent from a central switching location. Regular phones are relatively inexpensive because they do not need to be complex; they are fixed to a specific switch at a central switching location. Why is this important to you? Well, you might be running a network that supports VoIP and would want a firewall that supports the different protocols that are involved with it. PIX Firewall Version 6.3 and later support application inspection of the major protocols and applications that provide VoIP services including the following, each of which is discussed in the following sections.

    • Computer Telephony Interface Quick Buffer Encoding (CTIQBE)

    • H.323

    • Media Gateway Control Protocol (MGCP)

    • Skinny Client Control Protocol (SCCP)

    • Session Initiation Protocol (SIP)


    Computer Telephony Interface Quick Buffer Encoding


    The Telephony Application Programming Interface (TAPI) and Java Telephony Application Programming Interface (JTAPI) are used by many Cisco VoIP applications. Cisco TAPI Service Provider (TSP) uses CTIQBE to communicate with Cisco CallManager. CTIQBE protocol is disabled by default. The fixup protocol ctiqbe 2748 command enables CTIQBE protocol inspection that supports NAT, Port Address Translation (PAT), and bidirectional NAT. This enables Cisco IP SoftPhone and other Cisco TAPI/JTAPI applications to work successfully with Cisco CallManager for call setup across the firewall.

    There are, however, instances when CTIQBE application inspection has limits or does not support some configuration types. CTIQBE application inspection does not support the following:

    • Stateful failover of CTIQBE calls

    • CTIQBE messages fragmented in multiple TCP packets

    • Configurations that use the alias command


    The following summarizes special considerations when using CTIQBE application inspection in specific scenarios:

    • If two Cisco IP SoftPhones are registered with different Cisco CallManagers, which are connected to different interfaces of a PIX Firewall, calls between these two phones will fail.

    • When Cisco CallManager is located on the higher-security interface compared to Cisco IP SoftPhones, if NAT or outside NAT is required for the Cisco CallManager IP address, the mapping must be static because Cisco IP SoftPhone requires the Cisco CallManager IP address to be specified explicitly in its Cisco TSP configuration on the PC.

    • When using PAT or outside PAT, if the Cisco CallManager IP address is to be translated, its TCP port 2748 must be statically mapped to the same port of the PAT (interface) address for Cisco IP SoftPhone registrations to succeed. The CTIQBE listening port (TCP 2748) is fixed and is not user-configurable on Cisco CallManager, Cisco IP SoftPhone, or Cisco TSP.


    H.323


    The H.323 collection of protocols collectively uses up to two TCP connections and four to six UDP connections. Most of the ports, with the exception of one TCP port, are negotiated just for that particular session. Figure 18-1 shows the H.323 protocols in relation to the Open System Interconnection (OSI) reference model.


    Figure 18-1. H.323 Protocols Mapped to the OSI Reference Model

    As shown in Figure 18-1:

    • H.225 Registration, Admission, and Status (RAS) messages define communications between endpoints and gatekeepers.

    • H.225 administers security and authentication.

    • H.245 negotiates channel usage.


    The content of the streams in H.323 is far more difficult for firewalls to understand than existing protocols because H.323 encodes packets using Abstract Syntax Notation (ASN.1).

    The H.323 control channel handles H.225 and H.245, and H.323 RAS. H.323 inspection uses the following ports:

    • 1718 Gatekeeper discovery UDP port

    • 1719 RAS UDP port

    • 1720 TCP control port


    Note

    PAT support for H.323 is available in PIX Firewall Version 6.2 software.

    fixup protocol h323 Command


    The Cisco PIX Firewall inspects port 1720 (default) connections for H.323 traffic. If you need to change port 1720 because you have applications using H.323 on other ports, use the fixup command:


     fixup protocol h323 h225 7430-7450

    Use the no form of this command to disable the inspection of traffic on the indicated port.

    An H.323 client might initially establish a TCP connection to an H.323 server using TCP port 1720 to request Q.931 call setup. The H.323 terminal supplies a port number to the client to use for an H.245 TCP connection.

    The two major functions of H.323 inspection are as follows:

    • Performs NAT on the embedded IP addresses in the H.225 and H.245 messages. In other words, it translates the H.323 payload to a NAT address. (PIX Firewall uses an ASN.1 decoder to decode the H.323 messages.)

    • Dynamically creates conduits for TCP and UDP channels to allocate the negotiated H.245 and RTP/RTCP connections.


    Each UDP connection with a packet going through H.323 inspection is marked as an H.323 connection and times out with the H.323 timeout as configured by the administrator using the timeout command. To clear all previous fixup protocol h323 commands and reset port 1720 as the default, use the clear fixup protocol h323 command.

    Media Gateway Control Protocol


    MGCP is a voice protocol that runs in conjunction with Signaling System 7 (SS7), an interoffice signaling protocol for circuit-switched services, and an IP protocol such as H.323 or SIP to bridge circuit-switched and packet networks. MGCP separates the signaling and call control from the media gateway. A media gateway is typically a network element that provides conversion between the audio signals carried on telephone circuits and the data packets carried over the Internet or over other packet networks, such as trunking gateways, residential gateways, and business gateways.

    Application inspection for MGCP is disabled by default. To use MGCP, you typically need to configure at least two ports: one on which the gateway receives commands and one for the port on which the call agent receives commands. Normally, a call agent will send commands to port 2427, whereas a gateway will send commands to port 2727.

    To enable MGCP application inspection for call agents and gateways using the default ports, enter the following commands:


     fixup protocol mgcp 2427 
     fixup protocol mgcp 2727

    MGCP messages are transmitted over UDP. A response is sent back to the source address (IP address and UDP port number) of the command, but the response may not be sent from the same address to which the command was sent. Multiple MGCP call agents can be supported by the PIX Firewall.


     mgcp call-agent   ip-address group-id 
     mgcp command-queue   limit 
     mgcp gateway   ip-address group-id

    The mgcp call-agent command specifies a group of call agents that can manage one or more gateways. The mgcp command-queue command specifies the maximum number of MGCP commands that will be queued waiting for a response. The range of allowed values for the limit option is 1 to 4,294,967,295. The default is 200. The mgcp gateway command is used to specify which group of call agents are managing a particular gateway.

    Example 18-1 limits the MGCP command queue to 320 commands, allows call agents 10.1.1.30 and 10.1.1.35 to control gateway 10.1.2.20, and allows call agents 10.1.1.12 and 10.1.1.14 to control gateway 10.1.2.21.

    Example 18-1. Sample MGCP Configuration



     mgcp call-agent  10.1.1.30 101
     mgcp call-agent  10.1.1.35 101
     mgcp call-agent  10.1.1.12 102
     mgcp call-agent  10.1.1.14 102
     mgcp command-queue  320
     mgcp gateway  10.1.2.20 101
     mgcp gateway  10.1.2.21 102

    Skinny Client Control Protocol


    Cisco IP Phones using SCCP can coexist in an H.323 environment. When used with Cisco CallManager, the SCCP client can interoperate with H.323-compliant terminals. Application layer functions in the PIX Firewall recognize SCCP Version 3.3. The functionality of the application layer software ensures that all SCCP signaling and media packets can traverse the firewall by providing NAT of the SCCP signaling packets.

    Application inspection for SCCP is enabled by default. You can use the fixup command to change the default port assignment for SCCP. The command syntax is as follows:


     fixup protocol   skinny [port[-port]]

    To change the default port assignments from 2000, use the port option. Use the - port option to apply SCCP application inspection to a range of port numbers.

    Although the PIX Firewall does support PAT and NAT for SCCP, it does have limitations, including the following:

    • PAT will not work with configurations using the alias command.

    • Stateful failover of SCCP calls is not supported.

    • Using the debug skinny command may delay sending messages, which can have a performance impact in a real-time environment.

    • No support for fragmented SCCP messages is provided.

    • Outside NAT or PAT is not supported.


    PIX Firewall does not support NAT or PAT of the file content transferred using Trivial File Transfer Protocol (TFTP), if the address of a Cisco CallManager server is configured for NAT or PAT to a different address or port and outside phones register to it using TFTP. Even though PIX Firewall does support NAT of TFTP messages and opens holes for the TFTP file to pass through the firewall, PIX Firewall cannot translate the Cisco CallManager IP address and port embedded in the Cisco IP Phone's configuration files that are transferred using TFTP during phone registration.

    Note

    Cisco IP Phones need to reregister with the Cisco CallManager to establish calls through the PIX Firewall if the clear xlate command is entered. This is because the xlates for the Cisco CallManager are permanently deleted.

    Session Initiation Protocol


    SIP, RFC 2543, is a signaling protocol for Internet conferencing, telephony, presence, events notification, and instant messaging. SIP was developed in the mid-1990s by the Internet Engineering Task Force (IETF) as a real-time communication protocol for IP voice, and it has expanded into video and instant-messaging applications. SIP works with Session Description Protocol (SDP), RFC 2327, for call signaling. SDP specifies the ports for the media stream. Using SIP, the PIX Firewall can support any SIP VoIP gateways and VoIP proxy servers.

    To support SIP calls through the PIX Firewall, signaling messages for the media connection addresses, media ports, and embryonic connections for the media must be inspected, because although the signaling is sent over a well-known destination port (UDP/TCP 5060), the media streams are dynamically allocated. Also, SIP embeds IP addresses in the user data portion of the IP packet. SIP inspection applies NAT for these embedded IP addresses.

    Application inspection for SIP is enabled by default. You can use the fixup command to change the default TCP port assignment for SIP. The command syntax is as follows:


     fixup protocol sip <udp>  [ port [ -port ]]


    Attack Guards


    Hackers use several methods to cause network service disruption. Denial of service (DoS) is a popular way of causing network disruption. Cisco PIX Firewall has some attack mitigation features to combat against some of the following attacks:

    • Fragmentation

    • Domain Name System (DNS) attacks

    • Simple Mail Transfer Protocol (SMTP)based attacks

    • SYN flooding

    • Authentication and authorization attacks


    Fragmentation Guard and Virtual Reassembly


    Breaking a single IP datagram into two or more smaller IP datagrams is called IP fragmentation . DoS attacks overwhelm the host with fragmented IP datagrams. By using the fragment command on the PIX Firewall, you can prevent fragmented packets from traversing it. The IP Fragguard feature is enabled by default. To specify the maximum number of packets into which a full IP packet can be fragmented, use the following syntax:


     fragment chain   chain-limit  [ interface ]

    Setting the chain limit to 1 means that all packets must be whole; that is, unfragmented. The default is 24. The following example shows a configuration that prevents fragmented packets from entering on the outside interface:


     pixfirewall (config)#  fragment chain 1 outside

    The Fragguard feature enforces the checks recommended by RFC 1858, with two additional security checks protecting against many IP fragment-style attacks such as teardrop:

    • The checks ensure that each noninitial IP fragment has an associated valid initial IP fragment.

    • In Version 6.2, by default IP fragments of more than 24 elements cannot pass through the PIX; however, this is configurable. The fragment database can process 200 fragmented packets at a time. This value is also configurable but should be set less than the total number of blocks in the 1550 or 16384 pools.


    Virtual reassembly is enabled by default. This feature uses syslog to log any fragment overlapping and small fragment offset anomalies. Here is an example of such a message:


    % PIX-2-106020: Deny IP teardrop fragment
     (size =num,  offset =num )   from   IP-addr   to   IP-addr

    Domain Name System Guard


    To understand the DNS attack protection provided by Cisco PIX Firewall, it helps to understand how DNS can be exploited to cause a DoS attack. DNS queries are sent from the attacker to each of the DNS servers. These queries contain the target's spoofed address. The DNS servers respond to the small query with a large response. These responses are routed to the target, causing link congestion and possible denial of Internet connectivity.

    The port assignment for DNS cannot be configured on the Cisco PIX Firewall. DNS requires application inspection so that DNS queries will not be subject to generic UDP handling based on activity timeouts. The PIX allows only a single DNS response for outgoing DNS requests. The UDP connections associated with DNS queries and responses are torn down as soon as a reply to a DNS query is received, dropping all other responses and averting a DoS attack. This functionality is called DNS Guard . DNS Guard is enabled by default.

    DNS inspection performs two tasks:

    • It monitors the message exchange to ensure that the ID of the DNS reply matches the ID of the DNS query.

    • It translates the DNS A record on behalf of the alias command.


    Only forward lookups are translated using NAT, so pointer (PTR) records are not touched. DNS zone transfers can also trigger built-in intrusion detection signatures on the PIX Firewall.

    Note

    A pointer record is also called a reverse record. A PTR record associates an IP address with a canonical name.

    Cisco PIX Firewall Version 6.2 introduces full support for NAT and PAT of DNS messages originating from either inside (more-secure) or outside (less-secure) interfaces. This means that if a client on an inside network requests DNS resolution of an inside address from a DNS server on an outside interface, the DNS A record is translated correctly. This also means that the use of the alias command is now unnecessary.

    Mail Guard


    An SMTP server responds to client requests with numeric reply codes and optional human-readable strings. SMTP application inspection controls and reduces the commands that the user can use, as well as the messages the server returns. SMTP inspection performs three primary tasks:

    • It restricts SMTP requests to seven commands: HELO, MAIL, RCPT, DATA, RSET, NOOP , and QUIT.

    • It monitors the SMTP command-response sequence.

    • It generates an audit trailaudit record 108002 when an invalid character embedded in the mail address is replaced. For more information, see RFC 821.


    By default, the Cisco PIX Firewall inspects port 25 connections for SMTP traffic. SMTP inspection monitors the command-response sequence for the following anomalous signatures:

    • Truncated commands.

    • Incorrect command termination (those not terminated with <CR><LF>).

    • Unallowed characters. The MAIL and RCPT commands specify the sender and recipient of the mail. Mail addresses are scanned for strange characters. The pipe character (|) is deleted (changed to a blank space), and < and > are allowed only if they are used to define a mail address (> must be preceded by <).

    • An unexpected transition by the SMTP server.

    • Unknown commands, for which the PIX Firewall changes all the characters in the packet to X. In this case, the server generates an error code to the client. Because of the change in the packet, the TCP checksum has to be recalculated or adjusted.


    The fixup command is used to change the default port assignment for SMTP. The command syntax is as follows:


     fixup protocol smtp  [ port [ -port ]]

    The fixup protocol smtp command enables the Mail Guard feature. This restricts mail servers to receiving only the seven commands defined in RFC 821 section 4.5.1 ( HELO, MAIL, RCPT, DATA, RSET, NOOP , and QUIT ). All other commands are rejected.

    The strict implementation of RFC 821 section 4.5.1 sometimes causes problems for mail servers that do not adhere to the standard. For example, Microsoft Exchange Server does not strictly comply with RFC 821 section 4.5.1 and uses extended SMTP commands such as EHLO . The Cisco PIX Firewall converts any such commands into NOOP commands, which, as specified by the RFC, forces SMTP servers to fall back to using minimal SMTP commands only. This might cause Microsoft Outlook clients and Exchange servers to function unpredictably when their connection passes through the PIX Firewall.

    Mail Guard, however, is not the magic bullet for all mail serverrelated attacks. It protects your mail server only from known attacks.

    Flood Defender


    The Flood Defender feature of PIX Firewall protects inside systems from a DoS attack that floods an interface with half-open TCP (embryonic) connections, otherwise known as SYN flooding . Creating a threshold for the number of embryonic connections or limiting the number of connections to the host mitigates such attacks. When the configured embryonic limit is reached, the PIX Firewall intercepts the SYN bound for the host and responds with a SYN/ACK on the host's behalf.

    You enable this feature by setting the emb-limit (maximum embryonic connections) option or max-conn (maximum connection) option on the nat and static commands. For example:


     static (inside,outside) 192.168.10.10 10.10.10.10 netmask 255.255.255.255 
     300 500000

    This example sets the maximum connection to host 10.10.10.10 to 300 and sets the embryonic connection limit to 500,000.

    If you set max-conn too low, you deny legitimate user access, creating a denial of service for yourself. There is no magic number for the max-conn and emb-limit arguments because every network has a unique environment. The best number is one that does not negatively affect the network. You can observe the number of connections and embryonic connections to your host, before and after max-conn and emb-limit implementation, using the show local-host host-ip command.

    The static command with the maximum connection or embryonic connection arguments set mitigates inbound DoS. The nat command with the same arguments can prevent the users in your network from committing TCP SYN attacks on someone else.

    AAA Floodguard


    Cisco PIX Firewall has a Floodguard feature that helps it monitor and recover resources tied up in the user authentication (auth) subsystem. As with DNS, the service of authentication is maliciously exploited to create a DoS attack. Authentication attacks are done on the premise that each authentication request has to be processed. Sending an enormous number of authentication requests bogs down the target's finite resources, forcing a shutdown in the worst case.

    When the Cisco PIX Firewall is inundated with authentication requests, it displays messages indicating that it is out of resources or out of TCP users. TCP user resources in different states are reclaimed in the following order depending on urgency:

    1. Timewait

    2. LastAck

    3. Finwait

    4. Embryonic

    5. Idle

    The Floodguard is enabled by default. It can be disabled using the floodguard disable command.


    PIX Firewall Intrusion Detection Feature


    Cisco PIX Firewall includes an IP-only intrusion detection feature. It provides visibility at network perimeters or for locations where additional security between network segments is required.

    The PIX IDS identifies more than 53 common attacks using signatures to detect patterns of misuse in network traffic. Traffic passing through the PIX Firewall can be identified to be audited, logged, and/or dropped.

    After it is configured, the IDS feature watches packets and sessions as they flow through the firewall, scanning each for a match with any of the IDS signatures. When suspicious activity is detected, the PIX Firewall responds immediately and can be configured to do the following:

    1. Send an alarm to a syslog server.

    2. Drop the packet.

    3. Reset the TCP connection.

    Cisco PIX Firewall supports both inbound and outbound auditing. Auditing is performed by examining the IP packets as they arrive at an input interface. If a packet triggers a signature and the configured action does not drop the packet, the same packet can trigger other signatures. The IDS feature allows a signature to be acted upon differently depending on the interface on which it was detected. It also allows signatures to be individually disabled if reoccurring false positives are detected.

    Tip

    You can find an excellent explanation of the IDS messages that are generated from IDS events in the section "Messages 400000 to 407002" of the document "System Log Messages" at http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix-sw/v-63/63syslog/pixemsgs#1138590

    Intrusion Detection Configuration


    An audit policy (audit rule) defines the attributes of all signatures that can be applied to an interface, along with a set of actions. Using an audit policy can limit the traffic that is audited or specify actions to be taken when the signature matches. Each audit policy is identified by a name and can be defined for informational or attack signatures. Each interface can have two policiesone for informational signatures and one for attack signatures. If a policy is defined without actions, the configured default actions take effect. Each policy requires a different name.

    The ip audit command enables the IDS feature on the Cisco PIX Firewall. The ip audit command can be used to create a global audit policy or a per-interface policy.

    The global audit policy specifies the default actions to be taken when an attack or informational signature is matched.

    In all the ip audit commands, the action can be any combination of alarm, drop , and reset . If nothing is configured, the default action is alarm . The alarm option indicates that when a signature match is detected in a packet, the PIX Firewall reports the event to all configured syslog servers. The drop option drops the offending packet. The reset option drops the offending packet and closes the connection if it is part of an active connection.

    The syntax of the ip audit attack command is as follows:


     ip audit attack  [ action  [ alarm ] [ drop ] [ reset ]]

    The syntax of the ip audit info command is as follows:


     ip audit info  [[ action  [ alarm ] [ drop ] [ reset ]]

    Table 18-2 describes the complete command parameters for the ip audit command.

    Table 18-2. ip audit Command Parameters

    Command Parameter

    Description

    attack

    Specifies the default actions to be taken for attack signatures

    action actions

    alarm, drop, reset

    info

    Specifies the default actions to be taken for informational signatures

    interface

    Applies an audit specification or policy (using the ip audit name command) to an interface

    audit name

    Specifies informational signatures, except those disabled or excluded by the ip audit signature command, as part of the policy

    audit signature

    Specifies which messages to display, attaches a global policy to a signature, and disables or excludes a signature from auditing

    name audit-name

    The name assigned by the PIX Firewall admin for the audit policy

    clear

    Resets name, signature, interface, and attack information to default values

    signature-number

    IDS signature number

    The following example shows the creation and application of policy1 and policy2 on the outside and inside interface:


    ip audit name policy1 info action alarm
    ip audit name policy1 attack action alarm drop reset
    ip audit name policy2 attack action alarm drop
    ip audit interface outside policy1
    ip audit interface inside policy2

    Table 18-3 describes the show commands used to verify the IP audit configuration.

    Table 18-3. show Commands to Verify IP Audit Configuration

    Command

    What the Output Displays

    show ip audit attack

    The default attack actions

    show ip audit info

    The default informational actions

    show ip audit interface

    The interface configuration

    show ip audit audit-name [ name [ info | attack ]]

    All audit policies or specific policies referenced by name and possibly type

    show ip audit signature [ signature-number ]

    Disabled signatures

    The Cisco PIX Firewall IDS feature does not cover the entire set of intrusion detection signatures that is available to a Cisco IDS unit.

    Dynamic Shunning


    The dynamic shunning functionality allows a Cisco PIX Firewall, when combined with a Cisco IDS 3.0 or later sensor that is configured appropriately, to respond dynamically to an attacking host by preventing new connections and disallowing packets from any existing connection. Just like a router, the IDS unit tells the PIX Firewall to stop any new connections and to time out existing connections with the sources of traffic that are determined to be malicious. The shun command applies a blocking function to the interface receiving the attack. Packets containing the IP source address of the attacking host are dropped and are logged until the blocking function is removed manually or by the Cisco Secure IDS master unit. The shun feature is disabled by the no shun command. The syntax for the shun command is as follows:


     shun   src-ip [dst-ip sport dport [protocol]]

    Note

    The protocol parameter is optional and is either UDP or TCP when used.

    In the following example, the offending host (10.10.10.14) makes a connection with the victim (10.25.25.32) using TCP. The connection in the PIX Firewall connection table contains a line similar to the following:


    TCP out 10.10.10.14:555 in 10.25.25.32:666 idle 0:00:01 bytes 3905

    Applying the following shun command:


     shun 10.10.10.14 10.25.25.32 555 666 tcp

    deletes the connection from the PIX Firewall connection table and also prevents packets from 10.10.10.14 from going through the PIX Firewall. The offending host can be inside or outside the PIX Firewall.

    The application of the blocking function of the shun command does not require the specified host to be in active connection. Because the shun command is used to block attacks dynamically, it is not displayed in your PIX configuration. Shun statistics are available by using show commands, syslog messages, and PIX Device Manager (PDM) monitoring. The following is a sample output of the show shun command applied to the outside interface:


    Outside=ON, cnt=2, time=(20:14:02)

    Although the idea of dynamic shunning seems be an innovative way of dealing with offending hosts, it sometimes produces false positives that might cause a denial of service to legitimate users. This feature is available only on PIX Firewall Version 6.0(2) and later.


    ip verify reverse-path Command


    The ip verify reverse-path command is a security feature that does a route lookup based on the source address. Usually, the route lookup is based on the destination address. This is why it is called reverse path forwarding . With this command enabled, packets are dropped if no route is found for the packet or the route found does not match the interface on which the packet arrived. This command is disabled by default and provides Unicast Reverse Path Forwarding (Unicast RPF) functionality for the PIX Firewall.

    The ip verify reverse-path command provides both ingress and egress filtering. Ingress filtering checks inbound packets for IP source address integrity and is limited to addresses for networks in the enforcing entity's local routing table. If the incoming packet does not have a source address represented by a route, it is impossible to know whether the packet has arrived on the best possible path back to its origin. This is often the case when routing entities cannot maintain routes for every network.

    Egress filtering verifies that packets destined for hosts outside the managed domain have IP source addresses that can be verified by routes in the enforcing entity's local routing table. If an exiting packet does not arrive on the best return path back to the originator, the packet is dropped, and the activity is logged. Egress filtering prevents internal users from launching attacks using IP source addresses outside the local domain, because most attacks use IP spoofing to hide the identity of the attacking host. Egress filtering makes the task of tracing an attack's origin much easier. When employed, egress filtering enforces which IP source addresses are obtained from a valid pool of network addresses. Addresses are kept local to the enforcing entity and therefore are easily traceable.

    Unicast RPF is implemented as follows:

    • Internet Control Message Protocol (ICMP) packets have no session, so each packet is checked.

    • UDP and TCP have sessions, so the initial packet requires a reverse route lookup. Subsequent packets arriving during the session are checked using an existing state maintained as part of the session. Noninitial packets are checked to ensure that they arrived on the same interface used by the initial packet.


    Note

    Before using this command, add static route command statements for every network that can be accessed on the interfaces you want to protect. Enable this command only if routing is fully specified. Otherwise, the Cisco PIX Firewall stops traffic on the interface you specify if routing is not in place.

    The following example protects traffic between the inside and outside interfaces and provides route command statements for two networks, 10.1.2.0 and 10.1.3.0, that connect to the inside interface by a hub:


     ip address inside 10.1.1.1 255.255.255.0 
     route inside 10.1.2.0 255.255.255.0 10.1.1.1 1 
     route inside 10.1.3.0 255.255.255.0 10.1.1.1 1 
     ip verify reverse-path interface outside 
     ip verify reverse-path interface inside

    The ip verify reverse-path interface outside command protects the outside interface from network ingress attacks from the Internet, whereas the ip verify reverse-path interface inside command protects the inside interface from network egress attacks from users on the internal network.

    The clear ip verify command removes ip verify commands from the configuration. Unicast RPF is a unidirectional input function that screens inbound packets arriving on an interface. Outbound packets are not screened.

    Because of the danger of IP spoofing in the IP protocol, measures need to be taken to reduce this risk when possible. Unicast RPF, or reverse route lookup, prevents such manipulation under certain circumstances.


      • / 191