CCSP Cisco Secure PIX Firewall Advanced Exam Certification Guide, Second Edition [Electronic resources] نسخه متنی

Foundation Topics

Configuring Inbound Access Through the PIX Firewall

A two-step approach lets connections initiated from lower-security interfaces access higher-security interfaces:

Static Network Address Translation

Static Network Address Translation (NAT) creates a permanent, one-to-one mapping between an address on an internal network (a higher-security-level interface) and an external network (a lower-security-level interface) in all PIX versions. For an external host to initiate traffic to an inside host, a static translation rule needs to exist for the inside host. Without the persistent translation rule, the translation cannot occur.

Note

Access from a lower security level to a higher security level can also be configured using a nat 0 access-list address rule.

Note

Unlike NAT and Port Address Translation (PAT), static NAT requires a dedicated address on the outside network for each host, so it does not save registered Internet Protocol (IP) addresses.

The syntax for the static command is as follows:

 static   [(prenat-interface  ,   postnat-interface)]  { mapped-address  |  interface }
 real-address  [ dns ] [ netmask   mask] [max-conns [emb-limit]]  [ norandomseq ]

Table 7-2 describes the static command parameters.

The following example maps a server with an internal Internet Protocol (IP) address of 10.1.100.10 to the IP address 192.168.100.10:

PIXFIREWALL(conf)# static (inside, outside) 192.168.100.10 10.1.100.10 netmask 
 255.255.255.255 

The static command can also be used to translate an IP subnet:

PIXFIREWALL(conf)# static (inside, outside) 192.168.100.0 10.1.100.0 netmask 
 255.255.255.0 

The following syntax shows a server with an internal IP address of 10.1.100.10 translated to IP address 192.168.100.10.

PIXFIREWALL(conf)# static (inside, outside) 192.168.100.10 10.1.100.10 255.255.255.255 

Static Port Address Translation

In PIX Version 6.0, the port redirection feature was added to allow outside users to connect to a particular IP address/port and have the PIX Firewall redirect the traffic to the appropriate inside server; the static command was modified. The shared address can be a unique address or a shared outbound PAT address, or it can be shared with the external interface. For example, static PAT lets you redirect inbound Transmission Control Protocol (TCP) and User Datagram Protocol (UDP) services. Using the interface option of the static command, you can use static PAT to permit external hosts to access TCP or UDP services residing on an internal host. (As always, though, an access list should also be in place to control access to the internal host.) The command to configure static PAT is as follows:

 static   [(internal-if-name, external-if-name)]  { tcp  |  udp }{ global-ip  |  interface }
 global-port local-ip local-port  [ netmask   mask][max-conns [emb-limit 
[ norandomseq ]]]

Static PAT supports all applications that are supported by (regular) PAT, including the same application constraints. Like PAT, static PAT does not support H.323 or multimedia application traffic. The following example enables static port address translation (static PAT) for File Transfer Protocol (FTP) traffic:

 static (inside, outside) tcp 192.168.1.14 ftp 10.1.2.8 ftp 

The next example shows the following:

• The PIX redirects external users'' Telnet requests to 192.168.1.24 to IP address 10.1.2.19.

• The PIX redirects external users'' Hypertext Transfer Protocol (HTTP) port 8080 requests to 192.168.1.24 to PAT address 10.1.2.20 port 80.

  
   static (inside,outside) tcp 192.168.1.24 telnet 10.1.2.19 telnet netmask 
   255.255.255.255 
   static (inside,outside) tcp 192.168.1.24 8080 10.1.2.20 www netmask 
   255.255.255.255 
   access-list 101 permit tcp any host 192.168.1.24 eq 8080 
   access-list 101 permit tcp any host 192.168.1.24 eq telnet 
  

Notice that the outside IP address 192.168.1.24 is the same for both mappings, but the internal IP address is different. Also notice that external users directed to 192.168.1.24:8080 are sent as HTTP requests to 10.1.2.20, which is listening on port 80.

Transmission Control Protocol Intercept Feature

Before Version 5.3, the Cisco PIX Firewall offered no mechanism to protect systems that could be reached using a static and TCP conduit from TCP SYN attacks. When the embryonic connection limit was configured in a static command statement, the earlier PIX versions simply dropped new connection attempts as soon as the embryonic threshold was reached. A mild TCP SYN attack could potentially create service disruption to the server in question. For static command statements without an embryonic connection limit, PIX Firewall passes all traffic. If the affected system does not have TCP SYN attack protection (most operating systems do not offer sufficient protection), the affected system''s embryonic connection table overloads, and all traffic stops.

With the TCP intercept feature, as soon as the optional embryonic connection limit is reached, and until the embryonic connection count falls below this threshold, every SYN bound for the affected server is intercepted. For each SYN, the PIX Firewall responds on behalf of the server with an empty SYN/ACK segment. The PIX Firewall retains pertinent state information, drops the packet, and waits for the client''s acknowledgment. If the ACK is received, a copy of the client''s SYN segment is sent to the server, and a TCP three-way handshake is performed between the PIX Firewall and the server. If this three-way handshake completes, the connection resumes as normal. If the client does not respond during any part of the connection phase, PIX Firewall retransmits the necessary segment.

This feature requires no change to the Cisco PIX Firewall command set but demonstrates that the embryonic connection limit on the static command now has a new behavior.

nat 0 Command

As mentioned earlier in the text, one can configure access to higher-security subnets by using the nat 0 command. For instance, if you have a host with a public address on the inside network and the outside network needs access to this host, you can use nat 0 , which disables address translation so that inside IP addresses are visible to the outside. The following short example demonstrates the use of the nat 0 command:

 nat (inside) 0 192.168.1.10 255.255.255.255 

This can also be configured as follows:

 access-list 121 permit 192.168.1.10 255.255.255.255 any 
 nat (inside) 0 access-list 121 

Policy Network Address Translation

Policy NAT provides additional capabilities in configuring address translation. The Policy NAT feature lets you identify local traffic for address translation by specifying the source and destination addresses (or ports), whereas regular NAT uses only ports/source addresses. In other words, the same local traffic for address translation can have multiple "global" translations depending on the destination IP address or port. This is aptly demonstrated in Figure 7-1.

The translation configuration for Figure 7-1 is as follows:

pixfw(config)# access-list 120 permit ip 10.10.100.0 
 255.255.255.0 172.16.1.10 255.255.255.255 
pixfw(config)# access-list 130 permit ip 10.10.100.0 
 255.255.255.0 172.16.22.67 255.255.255.255 
pixfw(config)# nat (inside) 1 access-list 120 
pixfw(config)# global (outside) 1 192.168.100.62 255.255.255.255 
pixfw(config)# nat (inside) 2 access-list 130 
pixfw(config)# global (outside) 2 192.168.100.25 255.255.255.255 

There are constraints of which you have to be aware when configuring Policy NAT:

• A global address cannot be used concurrently for NAT and PAT.

• Access lists for policy NAT cannot contain deny statements. Access lists must contain only permit statements.

• Use an access list between the nat and static commands.

• static commands are matched and executed before nat commands.

Note

Policy NAT does not support SQL*Net, which is supported by regular NAT.

Access Lists

An access list typically consists of multiple access control entries (ACEs) organized internally by PIX Firewall as a linked list. When a packet is subjected to access list control, the Cisco PIX Firewall searches this linked list linearly to find a matching element. The matching element is then examined to determine if the packet is to be transmitted or dropped. By default, all access-list commands have an implicit deny unless you explicitly specify permit. In other words, by default, all access in an access list is denied unless you explicitly grant access using a permit statement.

The general syntax of the access-list command is as follows:

 access-list   id  [ line   line-num]   deny|permit  { protocol  |
 object-group   prot-obj-grp-id } { source-addr source-mask }  | 
 object-group   netw-grp-grp-id  [ operator   port  [port]  |   interface   if-name 
|  object-group   service-obj-grp-id  ]
{ destination-addr destination-mask }  |   object-group   new-obj-grp-id  |
[ operator   port  [ port ] |  object-group   service-obj-grp-id ]}
[ log [disable | default]  | [ level ]]

Table 7-3 describes the parameters for the access-list command.

The access-list command creates the rule you want. The created rule is applied by using the access-group command to the desired PIX interface. It is also important to note that unlike Cisco IOS software access lists, which use wildcards (that is, 0.0.0.255 for a Class C address) to identify their network masks, PIX software uses a regular subnet mask (that is, 255.255.255.0 for a Class C address) when defining the network mask.

Note

Specify only one access-group command for each interface. PIX Firewall allows you to configure only one access group per interface.

The syntax for the access-group command is as follows:

 access-group   id   in interface   interface-name 

The id is the same identifier that was specified in the access-list command. The interface-name parameter is the name of the interface.

Example 7-1 illustrates the use of the static and access-list commands to permit connections from lower-security interfaces to higher-security interfaces on the PIX Firewall.

Example 7-1. Permitting Connections from Lower-Security Interfaces to Higher-Security Interfaces on the PIX Firewall

pixfirewall(config)#  static (inside, outside) 192.168.1.10 10.1.100.10 
 netmask 255.255.255.255 
pixfirewall(config)#  access-list acl-out permit tcp any host 192.168.1.10 eq www 
pixfirewall(config)#  access-group acl-out in interface outside 

The static command statically translates 10.1.100.10 to 192.168.1.10. The access-list command permits HTTP access only to host 10.1.100.10 (translated into 192.168.1.10). The access-group command applies the access list acl-out to the outside interface.

To view the created access list, use the show access-list id command, where id is the access list name or number.

Access lists also can be used to control outbound access on the PIX Firewall. An outbound access list restricts users from starting connections from a trusted network to a less trusted network; for example, users from an inside interface accessing hosts or networks on the outside interface. By default, outbound access is permitted, so you use the deny action to restrict access when using an outbound access list.

For example, if you want to restrict users on the inside interface from accessing a website at address 172.16.68.20 on the outside interface, you would use the commands shown in Example 7-2.

Example 7-2. Restricting Inside Users'' Access to an External Web Server on Port 80

pixfirewall(config)#  access-list acl-in deny tcp any host 172.16.68.20 eq www 
pixfirewall(config)#  access-list acl-in permit ip any any 
pixfirewall(config)#  access-group acl-in in interface inside 

This access list configuration lets any user start World Wide Web (WWW) connections to any destination, with the exception of 172.16.68.20.

Note

Access lists are implemented by using the access-list and access-group commands. These commands are used instead of the conduit and outbound commands, which were used in earlier versions of PIX Firewall software. Pix Firewall software Version 6.3 does support the conduit and outbound commands. To convert PIX the configuration file that contains conduit and outbound commands to a supported configuration file that contains the equivalent access-list commands, Cisco Systems has created a tool. This tool can be found at http://www.cisco.com/cgi-bin/tablebuild.pl/pix (the link requires a cisco.com account).

Organizing and Managing Access Control Entries

It is quite common to have several access lists with several access-list elements in them on a PIX Firewall. To deal with this sometimes becomes arduous, especially in the following situations:

• When attempting to identify the reason for each ACE in the access list because no descriptions or comments are included for software releases earlier than Version 6.3

• When removing a single ACE from an access list at the command line on software earlier than Version 6.3, which becomes a several-step process

Configuring a remark or comment allows you and other administrators to understand and identify access-list entries. PIX Firewall Version 6.3 and later lets you include comments about entries in any access control list (ACL). A remark can be up to 100 characters and can precede or follow an access-list command. The following is the syntax for configuring an access-list remark:

 access-list   acl-id   remark   text 

The ACL remark can be placed before or after an access-list command statement, but it should be placed in a consistent position so that it is clear which remark describes which access-list command. For example, it would be confusing to have some remarks before the associated access-list commands and some remarks after the associated access-list commands. Example 7-3 shows a sample configuration on how to create comments for ACEs.

Example 7-3. Configuring Comments for ACEs

Pixfw(config)# access-list 115 remark Allow network engineering group to telnet 
PixfW(config)# access-list 115 permit tcp 192.168.1.0 255.255.255.224 host 
 10.10.100.20 telnet 
PixfW(config)# access-list 115 remark Allowsales group to login 
PixfW(config)# access-list 115 permit tcp 192.168.3.0 255.255.255.224 host 
 10.10.100.12 

In addition to adding remarks to access lists, Version 6.3 and later add numbering to access-list elements. Each ACE and remark has an associated line number. Line numbers can then be used to insert or delete elements at any position in an access list. These numbers are maintained internally in increasing order starting from 1. The line numbers are always maintained in increasing order, with an individual line number for each ACE.

Note

All ACEs resulting from a single object group access-list command statement have a single line number. Consequently, you cannot insert an ACE in the middle of object-group ACEs.

The show access-list command displays the line numbers. The line numbers, however, are not shown in the configuration. Example 7-4 shows a sample output from a show access-list command.

Example 7-4. Sample Output from the show access-list Command

pixfw(config)# show access-list 115 
access-list 115 ; 4 elements
access-list 115 line 1 remark-Allow network engineering group
to telnet (hitcnt=0)
access-list 115 line 2 permit tcp 192.168.1.0 255.255.255.224 host 10.10.100.20
telnet (hitcnt=0)
access-list 115 line 3 remark-Allow sales group to login (hitcnt=0)
access-list 115 line 4 permit tcp 192.168.3.0 255.255.255.224 host
10.10.100.12 (hitcnt=0)

To remove remarks from an access list, simply use the following command:

 no access-list   id   line   line-num   remark   text 

or

 no access-list   id   line   line-num 

Both remove the remark at the specified line number.

TurboACL

TurboACL is a feature introduced with Cisco PIX Firewall Version 6.2 that improves the average search time for ACLs containing a large number of entries. The search time for long ACLs is improved because this feature causes the PIX Firewall to compile tables for ACLs.

The TurboACL feature can be enabled globally on the entire PIX Firewall and then disabled for specific ACLs. It also can be enabled only for specific ACLs. Search performance improvement is realized in ACLs that have more than 19 ACEs. For ACLs that contain few ACEs, TurboACL does not improve performance. The TurboACL feature is applied only to ACLs with 19 or more entries. The implementation of TurboACL in PIX Firewall Version 6.2 supports access lists with up to 16,000 ACEs.

The minimum memory required for TurboACL is 2.1 megabytes (MB). Approximately 1 MB of memory is required for every 2000 ACE elements. High-end PIX Firewall models, such as the PIX 525 and PIX 535, are the most appropriate for memory-demanding TurboACL.

Note

Because some models of Cisco PIX Firewall, such as the PIX 501, have limited memory, implementing the TurboACL feature might cause problems, such as not being able to load Cisco PIX Device Manager (PDM).

Configuring Individual TurboACL

The individual TurboACL command can be used to enable Turbo configuration for individual ACLs when TurboACL is not globally enabled. The syntax of this command is as follows:

[ no ]  access-list   acl-name   compiled 

This command is used to enable or disable TurboACL on a specific ACL individually. The acl-name parameter in the command must specify an existing ACL. This command causes the TurboACL process to mark the ACL specified by acl-name as Turbo-configured and Turbo-compiles the ACL if the ACL has 19 or more ACEs and has not yet been Turbo-compiled.

If you enter the no form of this command, the TurboACL process deletes the TurboACL structures associated with the ACL and marks the ACL as non-Turbo.

Globally Configuring TurboACL

The syntax for enabling TurboACL for the entire PIX Firewall is as follows:

[  no ]  access-list compiled 

This configures TurboACL on all ACLs having 19 or more entries. This command causes the TurboACL process to scan all existing ACLs. During the scan, TurboACL marks and Turbo-compiles any ACL that has 19 or more ACEs and that has not yet been Turbo-compiled.

The command no access-list compiled , which is the default, causes the TurboACL process to scan all compiled ACLs and mark every one as non-Turbo. It also deletes all existing TurboACL structures.

Object Grouping

Another feature that is incorporated into the PIX Firewall Version 6.2 software is object grouping, which allows you to group objects such as hosts (servers and clients), services, and networks and apply security policies and rules to the group. Object grouping lets you apply access rules to logical groups of objects. When you apply an access list to an object group, the command affects all objects defined in the group. Object grouping provides a way to reduce the number of access rules required to describe complex security policies. This in turn reduces the time spent configuring and troubleshooting access rules in large or complex networks.

The syntax for creating object groups is as follows:

[ no ]  object-group   object-type grp-id 

Use the first parameter, object-type , to identify the type of object group you want to configure. There are four options:

• network

• protocol

• service

• icmp-type

Replace grp-id with a descriptive name for the group.

network Object Type

The network object type is used to group hosts and subnets. Server and client hosts can be grouped by functions. For example, mail servers, web servers, or a group of client hosts that have special privileges on the network can be grouped accordingly.

Example 7-5 shows a web servers object group.

Example 7-5. Configuring an Object Group

pixfirewall(config)# object-group network web-servers 
pixfirewall(config-network)# description Public web servers 
pixfirewall(config-network)# network-object host 192.168.1.12 
pixfirewall(config-network)# network-object host 192.168.1.14 
pixfirewall(config-network)#  exit 
pixfirewall(config)# access-list 102 permit tcp any object-group web-servers eq www 
pixfirewall(config)# access-group 102 in interface outside 

Notice that when you enter the object-group command, the system enters the appropriate subcommand mode for the type of object you are configuring. In this case, you see the config-network subcommand prompt. The network-object host subcommand adds the host to the network object group. The description is optional, but it is helpful to include it.

Note

It is also possible to use a name instead of an IP address when defining the network host. For example:

pixfw(config)#  object-group network mis-ftp-servers 
pixfw(config-network)# network-object host 10.10.100.154 
pixfw(config-network)# network-object host 10.10.100.155 
pixfw(config-network)# network-object host 10.10.100.156 
pixfw(config-network)# exit 

To display the configured object group, use the show object-group command, as shown in Example 7-6.

Example 7-6. Displaying Configured Object Groups

pix(config)#  show object-group 
object-group network web-servers
description: Public web servers
network-object host 192.168.1.12
network-object host 192.168.1.14

protocol Object Type

The protocol object type identifies a group of IP protocols using keywords such as icmp, tcp, udp , or an integer in the range of 1 to 254 representing an IP protocol number. The syntax for the command is object-group protocol grp-id . To add a single protocol to the current protocol object group, use the protocol-object protocol command. Example 7-7 shows how to use object-group protocol subcommand mode to create a new protocol object group.

Example 7-7. Creating a New Protocol Object Group

pixfw(config)# object-group protocol grp-citrix 
pixfw(config-protocol)# protocol-object tcp 
pixfw(config-protocol)# protocol-object 1494 
pixfw(config-protocol)# exit 

service Object Type

The service object type identifies port numbers that can be grouped. This is particularly useful when you are managing an application. The syntax for service object-type is

[ no ]  object-group   service obj-grp-id   tcp  |  udp  |  tcp-udp 

As soon as you are in the service subcommand, the command port-object eq service adds a single TCP or UDP port number to the service object group. The port-object range begin-service end-service command adds a range of TCP or UDP port numbers to the service object group. Example 7-8 shows how to use object-group service subcommand mode to create a new port (service) object group.

Example 7-8. Creating a New Port (Service) Object Group

pixfw(config)# object-group service mis-service tcp 
pixfw(config-service)# port-object eq ftp 
pixfw(config-service)# port-object range 5200 6000 
pixfw(config-service)# exit 

icmp-type Object Type

Internet Control Message Protocol (ICMP) object groups can be created to group certain types of ICMP messages. For example, ICMP messages of ECHO-REQUEST, ECHO-REPLY, and DESTINATION-UNREACHABLE with numerical type values of 8, 0, and 3, respectively, can be grouped as shown in Example 7-9.

Example 7-9. Grouping ICMP Messages

pix(config)#  object-group icmp-type icmp-test 
pix(config-icmp-type)#  icmp-object 0 
pix(config-icmp-type)#  icmp-object 3 
pix(config-icmp-type)#  icmp-object 8 

Nesting Object Groups

You can add an object group within an object group. The object-group command allows logical grouping of the same type of objects and construction of hierarchical object groups for structured configuration. To nest an object group within another object group, use the group-object command. Example 7-10 illustrates the use of nested object groups.

Example 7-10. Configuring Nested Object Groups

pixfirewall(config)#  object-group network web-servers 
pixfirewall(config-network)#  description web servers 
pixfirewall(config-network)#  network-object host 192.168.1.12 
pixfirewall(config-network)#  network-object host 192.168.1.14 
pixfirewall(config-network)#  exit 
pixfirewall(config)#  object-group network Public-servers 
pixfirewall(config-network)#  description Public servers 
pixfirewall(config-network)#  network-object host 192.168.1.18 
pixfirewall(config-network)#  group-object web-servers 
pixfirewall(config-network)#  exit 

Access Control List Logging

The ACL logging feature is part of PIX Firewall Version 6.3 that lets you log the number of permits or denies of a flow during a specific period of time. A flow is defined by protocol, source IP address, source port, destination IP address, and destination port. When a flow is permitted or denied, the system checks to see if the flow already exists in the system. If not, an initial syslog message with a hit count of 1 for the flow is generated. The flow entry is then created and the hit count for the flow is incremented every time the flow is permitted or denied. The command syntax to enable logging of the number of permits or denies of a flow by an ACL entry is as follows:

 access-list   acl-id  [ log [disable | default]  | [ level]  [ interval   seconds ]]

For an existing flow, a syslog message is generated at the end of each configurable interval to report the nonzero hit count for the flow in the current interval. After the syslog message is generated, the hit count for the flow is reset to 0 for the next interval. If there is no hit recorded during the interval, the flow is deleted and no syslog message is generated. Large numbers of flows may concurrently exist at any point in time. To prevent unlimited consumption of memory and central processing unit (CPU) resources, a limit is placed on the number of concurrent deny flows. When the limit is reached, no new deny flow will be created until the existing deny flows expire. To specify the maximum number of concurrent deny flows that can be created, enter the following command:

 access-list deny-flow-max   num-of-flows 

The deny-flow-max keyword specifies the maximum number of concurrent deny flows that can be created. New values for this option go into effect immediately. The default is set for the maximum number of flows allowed, which depends on the amount of memory available on the PIX Firewall, as follows:

64 MB or greater Maximum value/default value is 4096.

16 MB or greater Maximum value/default value is 1024.

Less than 16 MB Maximum value/default value is 256.

When the maximum number of flows has been reached, a syslog message (106101) is generated. By default, this message is repeated once every 300 seconds.

The syslog message generated for the ACL entry has the following format:

106101:  access-list  < acl-id >  <  grant  >   <  prot  >   <  intf  /  src-ip ( src-port )> ->
< intf/dst-ip(dest-port)> hit-cnt <nnn>  ( first hit|n-second interval )

Using the fixup Command

The ports that are specified by the fixup command are the services that the PIX Firewall listens for. The fixup command can be used to change the default port assignments or to enable or disable application inspection for the following protocols and applications:

• FTP

• H.323

• HTTP

• Internet Locator Service (ILS)

• Remote Shell (RSH)

• Real-Time Streaming Protocol (RTSP)

• Session Initiation Protocol (SIP)

• Skinny (or Simple) Client Control Protocol (SCCP)

• Simple Mail Transfer Protocol (SMTP)

• SQL*Net

• Domain Name System (DNS)

• Trivial File Transfer Protocol (TFTP)

• Computer Telephony Integration Quick Buffer Encoding (CTIQBE)

The basic syntax for the fixup command is as follows:

[ no ]  fixup protocol   [protocol] [port] 

To change the default port assignment, identify the protocol and the new port number to assign. Use the no fixup protocol command to reset the application inspection entries to the default configuration. The clear fixup command removes fixup commands from the configuration you added. However, it does not remove the default fixup protocol commands.

The following example shows how to define multiple ports for HTTP by entering separate commands:

 fixup protocol http 8080 
 fixup protocol http 8888 

These commands do not change the standard HTTP port assignment (80). After you enter these commands, the PIX Firewall listens for HTTP traffic on ports 80, 8080, and 8888. You can view the explicit (configurable) fixup protocol settings by using the show fixup command, as shown in Example 7-11.

Example 7-11. Displaying Configurable fixup protocol Settings

Pixfirewall#  show fixup 
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521

Advanced Protocol Handling

Some applications require special handling by the Cisco PIX Firewall application inspection function. These types of applications typically embed IP addressing information in the user data packet or open secondary channels on dynamically assigned ports. The application inspection function works with NAT to help identify the location of embedded addressing information.

In addition to identifying embedded addressing information, the application inspection function monitors sessions to determine the port numbers for secondary channels. Many protocols open secondary TCP or UDP ports to improve performance. The initial session on a well-known port is used to negotiate dynamically assigned port numbers. The application inspection function monitors these sessions, identifies the dynamic port assignments, and permits data exchange on these ports for the duration of the specific session. Multimedia applications and FTP applications exhibit this kind of behavior.

File Transfer Protocol

The FTP application inspection inspects FTP sessions and performs four tasks:

• Prepares a dynamic secondary data connection

• Tracks the ftp command-response sequence

• Generates an audit trail

• Translates the embedded IP address using NAT

FTP application inspection prepares secondary channels for FTP data transfer. The channels are allocated in response to a file upload, a file download, or a directory listing event, and they must be prenegotiated. The port is negotiated through the PORT or PASV (227) commands.

You can use the fixup command to change the default port assignment for FTP. The command syntax is as follows:

 [no] fixup protocol ftp [strict] [port] 

The port option lets you configure the port at which the PIX Firewall listens for FTP traffic.

The strict option prevents web browsers from sending embedded commands in FTP requests. Each ftp command must be acknowledged before a new command is allowed. Connections sending embedded commands are dropped. The strict option lets only the server generate the PASV reply command (227) and lets only the client generate the PORT command. The PASV reply and PORT commands are checked to ensure that they do not appear in an error string.

If you disable FTP fixups with the no fixup protocol ftp command, outbound users can start connections only in passive mode, and all inbound FTP is disabled.

Domain Name System

DNS uses a UDP connection. This makes DNS queries subject to generic UDP handling based on activity timeouts. DNS, therefore, requires application inspection. As soon as the first response is received for a DNS query, the UDP connection is terminated. This is known as DNS guard and is discussed further in Chapter 18, "Attack Guards and Advanced Protocol Handling." The DNS inspection task includes the following:

• Compares the ID of the DNS reply to the ID of the DNS query.

• Translates the DNS A record.

• Confirms the length of the DNS packet is less than the maximum length specified by the user. Otherwise, the packet is dropped.

Simple Mail Transfer Protocol

SMTP packets are closely monitored. An SMTP server responds to client requests with numeric reply codes and optional human-readable strings. SMTP application inspection controls and restricts the commands that the user can use as well as the messages that the server returns. SMTP inspection performs three primary tasks:

• Monitors the SMTP command-response sequence.

• Permits only 7 of the 14 SMTP commands (HELO, MAIL, RCPT, DATA, RSET, NOOP, and QUIT).

• Generates an audit trail. Audit record 108002 is generated when an invalid character embedded in the mail address is replaced.

Multimedia Support

PIX Firewall supports several popular multimedia applications. Its application inspection function dynamically opens and closes UDP ports for secure multimedia connections. Supported multimedia applications include the following:

• Microsoft Netshow

• Microsoft Netmeeting

• Intel Internet Video Phone

• VDOnet VDOLive

• RealNetworks RealAudio and RealVideo

• VocalTech

• White Pine Meeting Point

• White Pine CuSeeMe

• Xing StreamWorks

• VXtreme WebTheatre