Foundation Topics
How Syslog Works

The syslog message facility in the Cisco PIX Firewall is a useful means to view troubleshooting messages and to watch for network events such as attacks and denials of service. The Cisco PIX Firewall reports on events and activities using syslog messages, which report on the following:

- System status: When the Cisco PIX Firewall reboots or a connection by Telnet or the console is made or disconnected
- Accounting: The number of bytes transferred per connection
- Security: Dropped User Datagram Protocol (UDP) packets and denied Transmission Control Protocol (TCP) connections
- Resources: Notification of connection and translation slot depletion
It is important to become familiar with the logging process and logging command parameters on the PIX before you dive in and start configuring the PIX for logging. Syslog messages can be sent to several different output destinations on or off the PIX unit:

- PDM logging: Logging messages can be sent to the PIX Device Manager (PDM).
- Console: Syslog messages can be configured to be sent to the console interface, where the PIX administrator (you) can view the messages in real time as they happen when you are connected to the console interface.
- Internal memory buffer: Syslog messages can be sent to the buffer.
- Telnet console: Syslog messages also can be configured to be sent to Telnet sessions. This configuration helps you remotely administer and troubleshoot PIX units without being physically present at the location of the firewall.
- Syslog servers: This type of configuration is particularly useful for storing syslog messages for analysis on performance, trends, and packet activities on the PIX unit. Syslog messages are sent to UNIX servers/workstations running a syslog daemon or to Windows servers running PIX Firewall Syslog Server (PFSS).
- SNMP management station: Syslog traps can be configured to be sent to an SNMP management station.
After you decide where to send the syslog messages, you have to decide what type of messages you want to see at the output destination. All syslog messages have a severity level; however, not all syslog messages are required to have a facility.

Logging Facilities

When syslog messages are sent to a server, it is important to indicate through which pipe the PIX will send the messages. The single syslog service, syslogd, can be thought of as having multiple pipes. It uses the pipes to decide where to send incoming information based on the pipe through which the information arrives. Syslogd is a daemon/service that runs on UNIX machines. In this analogy, the logging facilities are the pipes by which syslogd decides where to send the information it receives, that is, to which file to write. Eight logging facilities (16 through 23) are commonly used for syslog on the PIX. On the syslog server, the facility numbers have a corresponding identification, local0 to local7. The following are the facility numbers and their corresponding syslog identification:

- local0 (16)
- local1 (17)
- local2 (18)
- local3 (19)
- local4 (20)
- local5 (21)
- local6 (22)
- local7 (23)
The default facility is local4 (20). To change the default logging facility on the PIX, you use the logging facility facility command. The following command shows the logging facility changed to 21:

Pix(config)# logging facility 21
Logging Levels

Different severity levels are attached to incoming messages. You can think of these levels as indicating the type of message. The PIX can be configured to send messages at different levels. Table 8-2 lists these levels from highest to lowest importance.

Table 8-2. Logging Severity Levels

Level/Keyword | Numeric Code | System Condition
---|---|---
Emergency | 0 | System unusable message
Alert | 1 | Take immediate action
Critical | 2 | Critical condition
Error | 3 | Error message
Warning | 4 | Warning message
Notification | 5 | Normal but significant condition
Informational | 6 | Information message
Debug | 7 | Debug message, log FTP commands, and WWW URLs

Many of the logging commands require that you specify a severity level threshold to indicate which syslog messages can be sent to the output locations. The lower the level number, the more severe the syslog message. The default severity level is 3 (error). During configuration, you can specify the severity level as either a number or a keyword, as described in Table 8-2. The level you specify causes the Cisco PIX Firewall to send the messages of that level and below to the output location. For example, if you specify severity level 3 (error), the PIX sends severity level 0 (emergency), 1 (alert), 2 (critical), and 3 (error) messages to the output location.

Changing Syslog Message Levels

PIX Firewall Version 6.3 gives you the option to modify the level at which a specific syslog message is issued and to disable specific syslog messages. Previous versions of PIX Firewall let you specify only the message level or disable all messages to a specific syslog server. This new feature provides you with more flexibility because you can specify which message you are logging and at what level. To change the logging level for all syslog servers, enter the following command syntax:

logging message syslog_id [level levelid]
To change the level of a specific syslog message, enter the following command syntax:

logging message syslog_id level levelid
The variables syslog_id and levelid represent the numeric identifier and severity level assigned to the syslog message, respectively, as shown in Table 8-2. Example 8-1 shows how you can view the level of a syslog message and display its current and default levels:

Example 8-1. Changing the Level of a Syslog Message

pixfirewall(config)#show logging message 403503
syslog 403503: default-level errors (enabled)
pixfirewall(config)#logging message 403503 level 6
pixfirewall(config)#show logging message 403503
syslog 403503: default-level errors, current-level informational (enabled)

To disable a particular syslog message, enter the following command:

no logging message messageid
How Log Messages Are Organized

Syslog messages are listed numerically by message code. Each message is followed by a brief explanation and a recommended action. If several messages share the same explanation and recommended action, the messages are presented together, followed by the common explanation and recommended action. The explanation of each message indicates what kind of event generated the message. Possible events include the following:

- Authentication, authorization, and accounting (AAA) events
- Connection events (for example, connections denied by the PIX configuration or address translation errors)
- Failover events reported by one or both units of a failover pair
- File Transfer Protocol (FTP)/Uniform Resource Locator (URL) events (for example, successful file transfers or blocked Java applets)
- Mail Guard/SNMP events
- PIX management events (for example, configuration events or Telnet connections to the PIX console port)
- Routing errors
How to Read System Log Messages

System log messages received at a syslog server begin with a percent sign (%) and are structured as follows:

%PIX-level-message-number: message-text

- PIX identifies the message facility code for messages generated by the PIX Firewall.
- level reflects the severity of the condition described by the message. The lower the number, the more serious the condition.
- message-number is the numeric code that uniquely identifies the message.
- message-text is a text string describing the condition. This portion of the message sometimes includes IP addresses, port numbers, or usernames.
You can find more information on syslog messages at http://www.cisco.com/en/US/products/sw/secursw/ps2120/products_system_message_guide_book09186a00801582a9l
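As an added example (not part of the chapter or of any Cisco tool), the following Python parser applies the %PIX-level-message-number: message-text format above to constructed sample lines and implements the "that level and below" threshold rule from the Logging Levels section. The optional <PRI> header and the timestamp/device-ID prefix in front of %PIX are assumptions about what a syslog server sees on the wire; message number 403503 comes from Example 8-1, 999999 is a placeholder, and all message text is made up.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Union

# Severity keywords from Table 8-2; 0 is the most severe.
SEVERITY = {0: "emergency", 1: "alert", 2: "critical", 3: "error",
            4: "warning", 5: "notification", 6: "informational", 7: "debug"}
KEYWORD_TO_LEVEL = {name: num for num, name in SEVERITY.items()}

# Assumed wire layout: optional "<PRI>" (PRI = facility * 8 + severity), an
# optional timestamp/device-ID prefix, then "%PIX-level-message-number: text".
PIX_RE = re.compile(
    r"^(?:<(?P<pri>\d{1,3})>)?(?P<prefix>.*?)"
    r"%PIX-(?P<level>[0-7])-(?P<msgid>\d+):\s*(?P<text>.*)$")


@dataclass
class PixMessage:
    level: int                # numeric severity from the %PIX-level field
    keyword: str              # its Table 8-2 keyword
    msgid: int                # message-number
    text: str                 # message-text
    facility: Optional[int]   # decoded from <PRI>; None when no header present
    prefix: str               # timestamp / device ID text before %PIX, if any


def parse_pix(line: str) -> Optional[PixMessage]:
    """Parse one syslog line; returns None for lines that are not PIX messages."""
    m = PIX_RE.match(line.strip())
    if m is None:
        return None
    level = int(m.group("level"))
    facility = int(m.group("pri")) // 8 if m.group("pri") is not None else None
    return PixMessage(level, SEVERITY[level], int(m.group("msgid")),
                      m.group("text"), facility, m.group("prefix").strip(" :"))


def level_threshold(value: Union[int, str]) -> int:
    """Accept a threshold as a number (3) or a keyword ('error'), as logging trap does."""
    return value if isinstance(value, int) else KEYWORD_TO_LEVEL[value.lower()]


def filter_messages(lines: List[str], threshold: Union[int, str]) -> List[PixMessage]:
    """Keep messages at the threshold level and below (numerically <=), like the PIX."""
    limit = level_threshold(threshold)
    parsed = (parse_pix(line) for line in lines)
    return [msg for msg in parsed if msg is not None and msg.level <= limit]


# Constructed sample lines (403503 is from Example 8-1; 999999 is a placeholder).
SAMPLE_LINES = [
    "<166>%PIX-6-403503: constructed informational text",
    "<163>Jan 02 2004 10:00:01 pixfw : %PIX-3-403503: constructed error text",
    "<160>%PIX-0-999999: constructed emergency text",
    "%PIX-7-999999: constructed debug text without a PRI header",
    "garbage line that is not a PIX message",
]

if __name__ == "__main__":
    for msg in filter_messages(SAMPLE_LINES, "error"):   # same filter as logging trap 3
        print(msg.keyword, msg.msgid, msg.facility, msg.text)
```

With the threshold set to "error", only the level 3 and level 0 samples are kept, and the PRI values decode to facility 20, the local4 default from the Logging Facilities section.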
Configuring Syslog on the Cisco PIX Firewall

The logging command is used to configure logging on the PIX Firewall. Logging is disabled by default. Table 8-3 describes the parameters of the logging command.

Table 8-3. logging Command Parameters

Command | Description
---|---
logging on | Enables the transmission of syslog messages to all output locations. You can disable sending syslog messages with the no logging on command.
no logging message n | Allows you to disable specific syslog messages. Use the logging message message_number command to resume logging of specific disabled messages.
logging buffered n | Stores syslog messages in the PIX Firewall so that you can view them with the show logging command. Cisco Systems recommends that you use this command to view syslog messages when the PIX Firewall is in use on a network.
clear logging | Clears the message buffer created with the logging buffered command.
clear logging message | Reenables all disabled syslog messages.
logging console n | Displays syslog messages on the PIX Firewall console as they occur. Use this command when you are debugging problems or when there is minimal load on the network. Do not use this command when the network is busy because it can reduce the PIX Firewall performance.
logging monitor n | Displays syslog messages when you access the PIX Firewall console with Telnet.
logging host [interface] ip_address [protocol/port] | Specifies the host that receives the syslog messages. The PIX Firewall can send messages across UDP or TCP (which you specify by setting the protocol variable). The default UDP port is 514. The default TCP port is 1470.
logging history severity_level | Sets the logging level for SNMP traps.
logging queue msg_count | Specifies how many syslog messages can appear in the message queue while waiting for processing. The default is 512 messages. Use the show logging queue command to view queue statistics.
logging timestamp | Specifies that each message sent to the syslog server should include a timestamp to indicate when the event occurred.
logging trap n | Sets the logging level for syslog messages.
show logging disabled | Displays a complete list of disabled syslog messages.
show logging | Lists the current syslog messages and which logging command options are enabled.
logging standby | Lets the failover standby unit send syslog messages.
Configuring the PIX Device Manager to View Logging

The PDM Log panel, shown in Figure 8-1, allows you to view syslog messages that are captured in the PDM Log buffer in the PIX Firewall memory. You may select the level of syslog messages you want to view. When you view the PDM Log, all the buffered syslog messages at and below the logging level you choose are displayed.
Figure 8-1. PDM Log Viewer Screen
The PDM logging panel has the following fields:

- Logging Level: Enables you to choose the level of syslog messages to view.

To view the logs using the PDM interface, click the View button shown in Figure 8-1. Figure 8-2 shows a sample output of logs viewed from the PDM logging panel.
Figure 8-2. Sample PDM Logging Output
Chapter 13, "PIX Device Manager."
Configuring Syslog Messages at the Console

Configuring logging on the console interface is useful when you are troubleshooting or observing traffic patterns directly from the PIX Firewall. This gives you real-time information about what is happening on the PIX Firewall. To configure logging at the PIX console interface, use the logging console command as follows. After logging into configuration mode, enter the following:

Pixfw(config)# logging on
Pixfw(config)# logging console 5
The 5 indicates the logging level. In this case, it is logging notification. From the console you can see the logs in real time.

Sending Syslog Messages to a Telnet Session

Remotely troubleshooting or viewing real-time PIX traffic patterns can be done by configuring the PIX to send logging information to a Telnet session. The logging monitor command configures the PIX to send syslog messages to Telnet sessions. For example, after logging into configuration mode, enter the following:

Pixfirewall(config)# logging monitor 6
Pixfirewall(config)# terminal monitor
In this example, syslog messages 0 to 6, or emergency to informational, are sent to a Telnet session. To disable logging to Telnet, you use the no logging monitor command. The terminal monitor command displays messages directly to the Telnet session. You can disable the direct display of messages by entering the terminal no monitor command. A Telnet session sometimes is lost in busy networks when the logging monitor command is used.

Configuring the Cisco PIX Firewall to Send Syslog Messages to a Log Server

Configuring the PIX to send logging information to a server helps you collect and maintain data that can later be used for forensic and data traffic analysis. PIX syslog messages are usually sent to a syslog server or servers. PIX uses UDP port 514 by default to send syslog messages to a syslog server. The syntax for configuring the PIX Firewall to send syslog messages to a syslog server is as follows:

Pixfirewall(config)# logging host [interface] ip_address [tcp[/port] | udp[/port]] [format emblem]
The variables [interface] and ip_address are replaced with the name of the interface on which the syslog server resides and the Internet Protocol (IP) address of the syslog server, respectively. PIX Firewall Version 6.3 introduces support for EMBLEM format. EMBLEM syslog format is designed to be consistent with the Cisco IOS® Software format and is more compatible with CiscoWorks management applications such as the Resource Manager Essentials (RME) syslog analyzer. Use the format emblem option to send messages to the specified server in EMBLEM format.

Note: This option is available only for UDP syslog messages, used by the RME syslog analyzer.

The following steps show you how to configure the PIX to send syslog messages:
Step 1. Designate a host to receive the messages with the logging host command:

Pixfirewall(config)# logging host inside 10.1.1.10

You can specify additional servers so that if one goes offline, another is available to receive messages.

Step 2. Set the logging level with the logging trap command:

Pixfirewall(config)# logging trap informational

If needed, set the logging facility command to a value other than its default of 20. Most UNIX systems expect the messages to arrive at facility 20.

Note: In the event that all syslog servers are offline, the Cisco PIX Firewall stores up to 100 messages in its memory. Subsequent messages that arrive overwrite the buffer starting from the first line. PIX buffer logging is enabled by the command logging buffered level.

Step 3. Start sending messages with the logging on command. To disable sending messages, use the no logging command.

Step 4. To view your logging setting, enter show logging.
Centrally managing several PIX Firewalls can be challenging if you cannot identify the origin of a particular message that is sent to the central log server. PIX Firewall Version 6.2(3) and later support defining a unique device ID for log messages sent to a syslog server. If several PIX Firewalls are configured to send their syslog messages to a single syslog server, a unique identification can be configured so the message source can be identified. To enable this option, use the following command:

logging device-id {hostname | ipaddress if_name | string text}
Table 8-4 gives a description of the parameters of the logging device-id command.

Table 8-4. logging device-id Command Parameters

Parameter | Description
---|---
hostname | The name of the PIX Firewall
ipaddress | Specifies to use the IP address of the specified PIX Firewall interface to uniquely identify the syslog messages from the PIX Firewall
if_name | The name of the interface with the IP address that is used to uniquely identify the syslog messages from the PIX Firewall
string text | Specifies the text string to uniquely identify the syslog messages from the PIX Firewall

When this feature is enabled, the PIX Firewall includes the specified device ID in messages sent to a syslog server: either the hostname, the IP address of the specified interface (even if the message comes from another interface), or a string. The PIX Firewall will insert the specified device ID into all non-EMBLEM-format syslog messages.

Note: The device ID does not appear in EMBLEM-formatted messages, Simple Network Management Protocol (SNMP) traps, or on the firewall console, management session, or buffer. This command does not affect the syslog message text in EMBLEM format or its display on the PIX Firewall console or in the log file.

To disable this feature, use the following command:

no logging device-id
Configuring SNMP Traps and SNMP Requests

SNMP requests can be used to query the PIX on its system status information. If you want to send only the cold start, link up, and link down generic traps, no further configuration is required. SNMP traps send information about a particular event only when the configured threshold is reached. To configure the PIX to receive SNMP requests from a management station, you must do the following:

- Configure the IP address of the SNMP management station with the snmp-server host command.
- Set the snmp-server options for location, contact, and the community password as required.

To configure SNMP traps on the PIX, you must do the following:

- Configure the IP address of the SNMP management station with the snmp-server host command.
- Set the snmp-server options for location, contact, and the community password as required.
- Set the trap with the snmp-server enable traps command.
- Set the logging level with the logging history command.
Configuring a Syslogd Server

Because syslogd was originally a UNIX concept, the features available in the syslogd products on non-UNIX systems depend on the vendor implementation. Features might include dividing incoming messages by facility or debug level or both, resolving the names of the sending devices, and reporting facilities. For information on configuring the non-UNIX syslog server, refer to the vendor's documentation.

Note: Configuring the syslog server is not covered on the PIX CSPFA 642-521 exam.

To configure syslog on UNIX, follow these steps:

Step 1. On SunOS, AIX, HPUX, or Solaris, as root, make a backup of the /etc/syslog.conf file before modifying it.

Step 2. Modify /etc/syslog.conf to tell the UNIX system how to sort out the syslog messages coming in from the sending devices, that is, which logging-facility.level goes in which file. Make sure there is a tab between the logging-facility.level and file-name.

Step 3. Make sure the destination file exists and is writable.

Step 4. The #Comment section at the beginning of syslog.conf usually explains the syntax for the UNIX system.

Step 5. Do not put file information in the ifdef section.

Step 6. As root, restart syslogd to pick up changes.
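The following Python routine, added here as an example and not part of the chapter or of any syslogd, models how syslogd applies the facility.level selectors from Step 2 (such as local7.warn and *.debug) to an incoming message's facility and severity, using the local0 to local7 numbering and the level ordering from Table 8-2. The /etc/syslog.conf fragment is constructed, only the single-selector line form is handled, and the alias table that maps the PIX keywords onto syslog.conf spellings is an assumption made for this example.

```python
from typing import List, Optional, Tuple

# Facility numbers the PIX uses and their syslog identification (local0 = 16 ... local7 = 23).
FACILITIES = {f"local{i}": 16 + i for i in range(8)}
# Level names as written in /etc/syslog.conf, in the same numeric order as Table 8-2.
LEVELS = {"emerg": 0, "alert": 1, "crit": 2, "err": 3,
          "warning": 4, "notice": 5, "info": 6, "debug": 7}
# Assumed alias table: other syslog.conf spellings plus the PIX keywords of Table 8-2.
ALIASES = {"panic": "emerg", "error": "err", "warn": "warning",
           "emergency": "emerg", "critical": "crit",
           "notification": "notice", "informational": "info"}

Rule = Tuple[Optional[int], int, str]   # (facility, or None for '*'; level; destination file)


def parse_rule(line: str) -> Optional[Rule]:
    """Parse one 'facility.level<TAB>file' line; comments and blank lines give None.

    Only the single-selector form the chapter shows is handled; multi-selector
    lines (a;b) and the 'none' level are out of scope for this example.
    """
    line = line.split("#", 1)[0].rstrip()
    if not line.strip():
        return None
    selector, dest = line.split(None, 1)   # syslog.conf wants a tab; any whitespace accepted here
    fac, lvl = selector.split(".", 1)
    lvl = ALIASES.get(lvl, lvl)
    facility = None if fac == "*" else FACILITIES[fac]
    return facility, LEVELS[lvl], dest.strip()


def parse_conf(text: str) -> List[Rule]:
    return [r for r in (parse_rule(line) for line in text.splitlines()) if r is not None]


def pri(facility: int, severity: int) -> int:
    """The <PRI> value on the wire that syslogd decodes back into (facility, severity)."""
    return facility * 8 + severity


def route(rules: List[Rule], pri_value: int) -> List[str]:
    """Destination files, in conf order, for a message arriving with this PRI.

    A selector matches when its facility is '*' or equals the message facility,
    and the message severity is at the selector's level or more severe (<=).
    """
    facility, severity = divmod(pri_value, 8)
    return [dest for fac, lvl, dest in rules
            if (fac is None or fac == facility) and severity <= lvl]


# Constructed /etc/syslog.conf fragment built from the chapter's two selectors.
SAMPLE_CONF = """\
# local7 warnings and worse to their own file; everything else to all.debug
local7.warn\t/var/log/local7.warn
*.debug\t/var/log/all.debug
"""

if __name__ == "__main__":
    rules = parse_conf(SAMPLE_CONF)
    for fac_name, lvl_name in [("local7", "warning"), ("local7", "notice"), ("local4", "err")]:
        print(fac_name, lvl_name, route(rules, pri(FACILITIES[fac_name], LEVELS[lvl_name])))
```

A local7 warning lands in both files, a local7 notice only in all.debug, and a local4 error (facility 20, the PIX default) only in all.debug, matching the behaviour the chapter describes.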
For example, if /etc/syslog.conf is set for

local7.warn	/var/log/local7.warn

warning, error, critical, alert, and emergency messages coming in on the local7 logging facility are logged in the local7.warn file. Notification, informational, and debug messages coming in on the local7 facility are not logged anywhere. If /etc/syslog.conf is set for

*.debug	/var/log/all.debug

all message levels from all logging facilities go to this file.

PIX Firewall Syslog Server

PFSS lets you view PIX Firewall event information from a Windows NT system. It includes special features not found on other syslog servers:

- The ability to receive syslog messages by TCP or UDP
- Full reliability, because messages can be sent using TCP