Foundation Topics
PDM Overview

PDM is a browser-based configuration tool that is designed to help you set up, configure, and monitor your Cisco PIX Firewall graphically. It is installed as a separate software image on the PIX Firewall and resides in the Flash memory of all PIX units running PIX Firewall Version 6.0 and higher. PDM uses tables, drop-down menus, and task-oriented selection menus to assist you in administering your PIX Firewall. Additionally, PDM maintains compatibility with the PIX Firewall CLI and includes a tool for using the standard CLI commands within the PDM application. PDM also lets you print or export graphs of traffic through the PIX Firewall and system activity.

Note: PDM is a signed Java applet that downloads from the PIX Firewall to your web browser.

Figure 13-1 shows the PDM GUI with the three main buttons: Home, Configuration, and Monitoring.
Figure 13-1. PIX Device Manager GUI
If your Cisco PIX Firewall unit is new and came with PIX Firewall Version 6.3, the software is already loaded in Flash memory. If you are upgrading from a previous version of Cisco PIX Firewall, you need to use Trivial File Transfer Protocol (TFTP) from the PIX Firewall unit's inside interface to copy the PDM image to your PIX Firewall. PDM works with PIX Firewall Version 6.0 and later, and it can operate on the PIX 501, 506E, 515E, 520, 525, and 535 units as soon as they are upgraded to Version 6.0 or later.

PDM is designed to assist you in managing your network security by
- Letting you visually monitor your Cisco PIX Firewall system, connections, IDS, and traffic on the interfaces.
- Creating new PIX Firewall configurations or modifying existing configurations that were originally implemented using the PIX Firewall CLI or Cisco Secure Policy Manager.
- Using visual tools such as task-oriented selections and drop-down menus to configure your Cisco PIX Firewall.
- Using Secure Sockets Layer (SSL) to secure communication between PDM and the PIX Firewall.
- Monitoring and configuring PIX Firewall units individually.
Multiple Cisco PIX Firewalls can be monitored and configured from a single workstation via the web browser. It is also possible to have up to five administrators accessing a given PIX Firewall via PDM at the same time.

Three versions of PDM are available:
- PDM Version 1.1: Requires PIX Firewall software Version 6.0 or later
- PDM Version 2.1: Requires PIX Firewall software Version 6.2 or later
- PDM Version 3.0: Requires PIX Firewall software Version 6.3
For the CSPFA exam, this chapter focuses on PDM Version 3.0 running on PIX Firewall Version 6.3.
PIX Firewall Requirements to Run PDM

Like all software, PDM 3.0 has minimum hardware and software requirements for it to work. PDM 3.0 is available on all PIX 501, PIX 506/506E, PIX 515/515E, PIX 520, PIX 525, and PIX 535 platforms running PIX Firewall Version 6.3. Depending on the model PDM will be running on, it must have at least 16 MB of RAM and the Flash memory sizes listed in Table 13-2.

Table 13-2. Flash Memory Requirements for Each PIX Model to Support PDM 3.0

PIX Firewall Model | Flash Memory Required
---|---
PIX 501 | 8 MB
PIX 506/506E | 8 MB
PIX 515/515E | 16 MB
PIX 520 | 16 MB
PIX 525 | 16 MB
PIX 535 | 16 MB

To use PDM Version 3.0 to manage your PIX Firewall, you must meet the following minimum requirements:
- You must have an activation (license) key that enables Data Encryption Standard (DES) or the more secure 3DES, which PDM requires for support of the SSL protocol.
- PIX Firewall software Version 6.0 or higher.
- Minimum of 8 MB of Flash memory on the PIX unit.
The optimal configuration file size to use with PDM is less than 100 KB (which is approximately 1500 lines). Cisco PIX Firewall configuration files larger than 100 KB might interfere with PDM's performance on your workstation. You can determine the size of your configuration file by entering the command show flashfs at a PIX CLI prompt. Then, look for a line in the output that begins with file 1. The length number on the same line is the configuration file size in bytes. Example 13-1 provides sample output from show flashfs.

Example 13-1. show flashfs Command Output
pix# show flashfs
flash file system: version:2 magic:0x12345679
file 0: origin: 0 length:1540152
file 1: origin: 1572864 length:6458
file 2: origin: 0 length:0
file 3: origin: 2752512 length:4539600
file 4: origin:16646144 length:280
pix#
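As an added illustration (not code from the book or from Cisco), the following Python parser reads show flashfs output in the shape of Example 13-1, pulls the length field of the file 1 line, and compares it with the chapter's 100 KB recommendation. The sample output is constructed from the example above, and the 100 KB limit is assumed to mean 100 × 1024 bytes.

```python
import re

# Constructed sample in the shape of Example 13-1 (the book's own file 1 length).
SAMPLE_SHOW_FLASHFS = """\
pix# show flashfs
flash file system: version:2 magic:0x12345679
  file 0: origin:        0 length:1540152
  file 1: origin:  1572864 length:6458
  file 2: origin:        0 length:0
  file 3: origin:  2752512 length:4539600
  file 4: origin: 16646144 length:280
pix#
"""

# The chapter's ceiling for a PDM-friendly configuration is "less than 100 KB";
# this example assumes 100 KB means 100 * 1024 bytes.
PDM_CONFIG_LIMIT_BYTES = 100 * 1024

# One "file N: origin: X length:Y" line of the flash file system listing.
FILE_LINE = re.compile(r"^\s*file\s+(\d+):\s*origin:\s*(\d+)\s+length:\s*(\d+)\s*$")


def parse_flashfs(output):
    """Map each file slot index to its (origin, length) pair."""
    files = {}
    for line in output.splitlines():
        match = FILE_LINE.match(line)
        if match:
            index, origin, length = (int(g) for g in match.groups())
            files[index] = (origin, length)
    return files


def config_size_bytes(output):
    """Size of the stored configuration: the length field on the 'file 1' line."""
    files = parse_flashfs(output)
    if 1 not in files:
        raise ValueError("no 'file 1' entry in show flashfs output")
    return files[1][1]


def pdm_config_check(output):
    """Return (size_in_bytes, within_pdm_limit) for a show flashfs capture."""
    size = config_size_bytes(output)
    return size, size < PDM_CONFIG_LIMIT_BYTES


if __name__ == "__main__":
    size, ok = pdm_config_check(SAMPLE_SHOW_FLASHFS)
    verdict = "within" if ok else "over"
    print(f"configuration is {size} bytes, {verdict} the PDM 100 KB recommendation")
```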
PDM Workstation Requirements

PDM, as mentioned earlier, is accessed via a browser interface. The following sections provide an overview of PDM requirements for:
- Browser
- Windows-based workstation
- Sun Solaris-based workstation
- Linux-based workstation

PDM 3.0 does not support Windows 3.1 or Windows 95 operating systems.

Browser Requirements

The following are the requirements to access PDM from a browser:
- JavaScript and Java must be enabled. If you are using Microsoft Internet Explorer, your JDK version should be 1.1.4 or higher. To check which version you have, launch PDM. When the PDM information window comes up, the field JDK Version indicates your JDK version. If you have an older JDK version, you can get the latest JVM from Microsoft by downloading the product called Virtual Machine.
- Browser support for SSL must be enabled. The supported versions of Internet Explorer and Netscape Navigator support SSL without requiring additional configuration.
Windows Requirements

The following are required to access PDM from a Windows NT/2000 operating system:
- Windows 2000 (Service Pack 3), Windows NT 4.0 (Service Pack 4 and higher), Windows 98, Windows ME, or Windows XP.
- Supported browsers: Internet Explorer 5.0 (Service Pack 1) or higher (5.5 recommended), Netscape Communicator 4.51 or higher (4.76 recommended). Internet Explorer is recommended because of its faster load times.
- Any Pentium III or equivalent processor running at 450 MHz or higher.
- At least 256 MB of RAM.
- A 1024x768-pixel display and at least 256 colors are recommended.
Sun Solaris Requirements

The following requirements apply to the use of PDM with Sun SPARC:
- Sun Solaris 2.8 or later running CDE or OpenWindows window manager.
- SPARC microprocessor.
- Supported browser: Netscape 4.78.
- At least 128 MB of RAM.
- A 1024x768-pixel display and 256 colors are recommended.
Note: PDM does not support Solaris on IBM PCs.

Linux Requirements

The following requirements apply to the use of PDM with Linux:
- Pentium III or equivalent running at 450 MHz or higher.
- Red Hat Linux 7.0 running the GNOME or KDE 2.0 desktop environment.
- Supported browser: Netscape Communicator 4.7x on Red Hat 7.x and Mozilla 1.0.1 on Red Hat 8.x.
- At least 128 MB of RAM.
- A 1024x768-pixel display and 256 colors.
PDM Installation

Before installing PDM, follow these steps:
Step 1. Save or print your PIX Firewall configuration and write down your activation key.
Step 2. If you are upgrading from a previous version of PIX Firewall software, you need to obtain the PDM software from Cisco in the same way you download the PIX Firewall software. Then, use TFTP to download the image to your PIX unit.
Step 3. If you upgrade your Cisco PIX Firewall software to Version 6.3 and you plan to use PDM, both the PIX image and the PDM image must be installed on your failover units.
The install procedure is very similar to that of the Cisco PIX Firewall image upgrade. Example 13-2 shows the procedure for installing PDM.

Example 13-2. PDM Installation Procedures
PIXFIREWALL(config)# copy tftp flash:pdm
Address or name of remote host [127.0.0.1] 192.168.1.2
Source file name [cdisk] pdm-301.bin
copying tftp://192.168.1.2/pdm-301.bin to flash:pdm
[yes | no | again] y
After you successfully install your PDM, you are ready to access it using your web browser. On a browser running on a workstation that has a network connection to the PIX unit, enter the following:
https://PIX_Inside_Interface_IP_Address
This launches the PDM applet, as shown in Figure 13-2. Use your enable password and leave the username blank to access the PDM interface when prompted to provide a username and password.
Figure 13-2. Launching the PDM Applet
Note: When you access PDM, the PIX Firewall prompts you for login credentials. You can restrict access via the enable password, which is encrypted and stored locally on the PIX Firewall. You can also use an external authentication server to store username and password information, which PDM will ask you to provide when you request access.

Note: Remember that you have to use HTTPS, not HTTP, when accessing PDM. Otherwise, the browser cannot connect.

Using PDM to Configure the Cisco PIX Firewall

The Cisco PIX Firewall Device Manager Startup Wizard, shown in Figure 13-3, walks you through the initial configuration of your Cisco PIX Firewall. You are prompted to enter information about your PIX Firewall. The Startup Wizard applies these settings, so you should be able to start using your PIX Firewall right away.
Figure 13-3. Cisco PIX Firewall Device Manager Startup Wizard
The Startup Wizard configures the following attributes on your Cisco PIX Firewall:
- A host name for your PIX Firewall.
- A domain name for your PIX Firewall.
- A default gateway for your PIX Firewall.
- An enable password that is required to access PDM or the PIX Firewall's CLI.
- The speed and IP address information of the outside interface on the PIX Firewall.
- Your PIX Firewall's other interfaces, such as the inside or DMZ interfaces, can be configured from the Startup Wizard.
- Network Address Translation (NAT) or Port Address Translation (PAT) rules for your PIX.
- Dynamic Host Configuration Protocol (DHCP) settings for the inside interface, as a DHCP server.
- If you are using a PIX 501 or 506E, the Startup Wizard lets you configure Cisco Easy VPN Remote device settings, which let the PIX Firewall act as a VPN client and establish a VPN tunnel to the VPN server.
The Startup Wizard helps you set up a shell configuration (a basic configuration) for your Cisco PIX Firewall, as the initial setup program does for the CLI. To customize and modify your PIX Firewall configuration, PDM provides the Configuration button. After you click the Configuration button on PDM, you see five main tabs for configuring and modifying the PIX Firewall configuration:
- System Properties
- Hosts/Networks
- Translation Rules
- Access Rules
- VPN
The sections that follow examine in more detail the System Properties, Hosts/Networks, Translation Rules, and Access Rules tabs. The section "Using PDM to Create a Site-to-Site VPN," later in the chapter, describes all actions associated with the VPN tab.

System Properties

The System Properties tab, shown in Figure 13-4, lets you view and configure all the parameters that can be configured using the Startup Wizard. Basic configurations such as interface definition, password, clock, and Telnet configuration are all done on this tab. In addition to the basic configuration, the System Properties tab lets you perform advanced configuration that is typically done at the CLI. You can configure logging; authentication, authorization, and accounting (AAA); DHCP services; routing; failover; multicast; intrusion detection; and more through the user-friendly interface of the System Properties tab.
Figure 13-4. System Properties Tab on PDM
Complicated configurations such as AAA have been made significantly more intuitive and easier to perform through the AAA settings under System Properties. The AAA Server Groups pane, shown in Figure 13-5, allows you to specify up to 14 AAA server groups for your network.
Figure 13-5. AAA Server Groups Pane Under the System Properties Tab
Each AAA server group directs different types of traffic to the authentication servers in its group. If the first authentication server listed in the group fails, the PIX Firewall seeks authentication from the next server in the group. You can have up to 14 groups, and each group can have up to 14 AAA servers, for a total of up to 196 AAA servers.

The Authentication Prompt pane lets you change the AAA challenge text for HTTP, FTP, and Telnet access. Figure 13-6 shows prompt messages that can be configured when users authenticate by an AAA server.
Figure 13-6. Configurable Prompt Messages
Chapter 15, "Content Filtering on the PIX Firewall."

Hosts/Networks

The Hosts/Networks tab, shown in Figure 13-7, lets you view, edit, add to, and delete from the list of hosts and networks defined for the selected interface (defined previously on the System Properties tab).
Figure 13-7. Hosts/Networks Tab on PDM
PDM requires that you define any host or network that you intend to use in access rules and translations. These hosts or networks are organized below the interface from which they can be reached.

Access rules reference these hosts or networks in a rule's source and destination conditions, whereas translation rules reference them in a rule's original address condition. When defining either type of rule, you can reference a host or a network by clicking Browse in the appropriate Add or Edit Rule dialog box. Additionally, you can reference the host or network by name if a name is defined for it.

In addition to defining the basic information for these hosts or networks, you can define route settings and NAT rules for any host or network. You also can configure route settings on the System Properties tab and configure translation rules on the Translation Rules tab. These different configuration options accomplish the same results. The Hosts/Networks tab provides another way to modify these settings on a per-host or per-network basis.

Translation Rules

The Translation Rules tab, shown in Figure 13-8, lets you view all the address translation rules or NAT exemption rules applied to your network.
Figure 13-8. Translation Rules Tab on PDM
The Cisco PIX Firewall supports both NAT, which provides a globally unique address for each outbound host session, and PAT, which provides a single, unique global address for more than 64,000 simultaneous outbound or inbound host sessions. The global addresses used for NAT come from a pool of addresses to be used specifically for address translation. The unique global address that is used for PAT can be either one global address or the IP address of a given interface.

From the Translation Rules tab, you also can create a translation exemption rule, which lets you specify traffic that is exempt from being translated. The exemption rules are grouped by interface in the table, and then by direction. If you have a group of IP addresses that will be translated, you can exempt certain addresses from being translated by using the exemption rules. If you have a previously configured access list, you can use that to define your exemption rule. PDM writes a nat 0 command to the CLI. You can re-sort the exemption view by clicking a column heading.

It is important to note that the order in which you apply translation rules can affect how the rules operate. PDM lists the static translations first and then the dynamic translations. When processing NAT, the Cisco PIX Firewall first translates the static translations in the order they are configured. You can select Rules > Insert Before or Rules > Insert After to determine the order in which static translations are processed. Because dynamically translated rules are processed on a best-match basis, the option to insert a rule before or after a dynamic translation is disabled.

Access Rules

The Access Rules tab, shown in Figure 13-9, shows your entire network security policy expressed in rules. This tab combines the concepts of access lists, outbound lists, and conduits to describe how a specific host or network interacts with another host or network to permit or deny a specific service and/or protocol. This tab also lets you define AAA rules and filter rules for ActiveX and Java.
Figure 13-9. Access Rules Tab on PDM
Note: PDM does not support conduits and ACLs simultaneously on the same configuration.

Keep in mind the following points when creating access rules with PDM:
- You cannot define any access rules until static or dynamic NAT has been configured for the hosts or networks on which you want to permit or deny traffic.
- You cannot use unavailable commands until your rule meets certain conditions, such as defining hosts or networks. Unavailable commands appear dimmed on the Rules menu. For example, Insert Before and Insert After are available only after a rule is highlighted. Paste is available only when a rule has been copied or cut.
- Access rules are listed in sequential order and are applied in the order in which they appear on the Access Rules tab. This is the order in which the PIX Firewall evaluates them. An implicit, unwritten rule denies all traffic that is not permitted. If traffic is not explicitly permitted by an access rule, it is denied.
Null Rules

A null rule indicates that an access rule was configured for a host that is not visible on another interface. This rule is null because no traffic can flow between these two hosts even though the access rule would permit it. Table 13-3 shows an example of how a null rule is displayed on the Access Rules tab.

Table 13-3. Null Rule Example

# | Action | Source Host/Network | Destination Host/Network | Interface | Service | Description
---|---|---|---|---|---|---
1 | | (null rule) | (null rule) | [inbound] | tcp | 

A rule can become null when PDM reads in an existing configuration where any of the following exists:
- Rules for inbound traffic without a static translation
- Rules for outbound traffic that is not NATed
- Rules for which no hosts or networks are defined for either source or destination
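The access-rule points above (sequential first-match evaluation with an implicit deny, and rules that depend on NAT being in place) and the three null-rule cases can be modelled together. The following Python is an added example, not PDM's or Cisco's code; the host names, addresses, translation entries and rules are constructed, the rule format is a simplification of the Access Rules tab columns, and inbound rules are matched on the real (inside) address the way the Hosts/Networks tab presents it.

```python
import ipaddress

# Constructed sample. Hosts/networks are listed under the interface from which
# they are reached, as on the Hosts/Networks tab.
HOSTS = {
    "inside_net":  {"interface": "inside",  "network": "10.1.1.0/24"},
    "web_server":  {"interface": "inside",  "network": "10.1.1.10/32"},
    "any_outside": {"interface": "outside", "network": "0.0.0.0/0"},
}

# Constructed translation rules: statics first, then dynamic NAT/PAT, the order
# in which the Translation Rules tab lists them.
TRANSLATIONS = [
    {"type": "static",  "host": "web_server", "global": "192.0.2.10"},
    {"type": "dynamic", "host": "inside_net", "global": "192.0.2.1"},
]

# Constructed access rules in Access Rules tab order (evaluated top to bottom).
ACCESS_RULES = [
    {"action": "permit", "source": "any_outside", "destination": "web_server",
     "direction": "inbound",  "service": "tcp/80"},
    {"action": "permit", "source": "any_outside", "destination": "inside_net",
     "direction": "inbound",  "service": "tcp/22"},   # null: no static for inside_net
    {"action": "deny",   "source": "inside_net",  "destination": "any_outside",
     "direction": "outbound", "service": "tcp/23"},
    {"action": "permit", "source": "inside_net",  "destination": "any_outside",
     "direction": "outbound", "service": "any"},
    {"action": "permit", "source": "dmz_net",     "destination": "any_outside",
     "direction": "outbound", "service": "any"},      # null: dmz_net is undefined
]


def has_translation(name, types=("static", "dynamic")):
    """True if a translation of one of the given types covers this host/network."""
    return any(t["host"] == name and t["type"] in types for t in TRANSLATIONS)


def null_reason(rule):
    """Return why a rule is null (the chapter's three cases), or None if it is live."""
    for end in ("source", "destination"):
        if rule[end] not in HOSTS:
            return f"{end} '{rule[end]}' is not a defined host or network"
    if rule["direction"] == "inbound" and not has_translation(rule["destination"], ("static",)):
        return f"inbound rule, but '{rule['destination']}' has no static translation"
    if rule["direction"] == "outbound" and not has_translation(rule["source"]):
        return f"outbound rule, but '{rule['source']}' is not NATed"
    return None


def null_rules():
    """Rule numbers (1-based, as the Access Rules tab numbers them) that are null."""
    return [i for i, r in enumerate(ACCESS_RULES, start=1) if null_reason(r)]


def in_network(name, ip):
    return ipaddress.ip_address(ip) in ipaddress.ip_network(HOSTS[name]["network"])


def evaluate(src_ip, dst_ip, service, direction):
    """First match wins, in tab order. Null rules pass no traffic, so they are
    skipped; anything not explicitly permitted hits the implicit deny."""
    for number, rule in enumerate(ACCESS_RULES, start=1):
        if rule["direction"] != direction or null_reason(rule):
            continue
        if (in_network(rule["source"], src_ip)
                and in_network(rule["destination"], dst_ip)
                and rule["service"] in ("any", service)):
            return rule["action"], number
    return "deny", None   # the implicit, unwritten deny-all


if __name__ == "__main__":
    for n in null_rules():
        print(f"rule {n} is null: {null_reason(ACCESS_RULES[n - 1])}")
    print(evaluate("198.51.100.9", "10.1.1.10", "tcp/80", "inbound"))   # ('permit', 1)
    print(evaluate("198.51.100.9", "10.1.1.20", "tcp/22", "inbound"))   # ('deny', None)
    print(evaluate("10.1.1.5", "203.0.113.7", "tcp/23", "outbound"))    # ('deny', 3)
```

The second inbound lookup shows the practical effect of a null rule: the permit exists in the configuration, but because no static translation makes inside_net reachable from outside, the traffic falls through to the implicit deny.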
Monitoring

The Monitoring button, shown in Figure 13-10, is one of the most useful tools to help you make sense of the different statistics that the Cisco PIX Firewall can generate. The different panes on the Monitoring tab help you to analyze your PIX Firewall's performance using colorful graphs.
Figure 13-10. Monitoring Button on the PDM Menu Bar
The Monitoring tab enables you to examine the operation of the PIX Firewall. When monitoring the operation of the PIX Firewall, you can directly view the settings or statistics for many features and parameters. For other features, you have the option of displaying a graph that represents the feature's usage over time. The left-hand column in Figure 13-10 shows the different categories of information that you can monitor on your PIX Firewall.
Note: After specifying the information to be graphed, the graphical information is displayed in a separate window (New Graph window) when you click the Graph It! button (see Figure 13-10). The graphical information displayed in the New Graph window can be printed or bookmarked in your browser for later recall. The data may also be exported for use by other applications.

Selecting any of the following options in the Categories list (left column in Figure 13-10) provides a corresponding pane of monitoring statistics for the Cisco PIX Firewall:
- PDM Log: Displays the syslog messages currently in the PDM Log buffer on the PIX Firewall. A snapshot of the PDM Log buffer contents on the PIX Firewall can be displayed.
- PDM/HTTPS: Enables you to monitor connections made to the PIX Firewall using PDM. A snapshot of the current PDM user sessions to the PIX Firewall is displayed.
- Telnet Sessions: Enables you to monitor connections made to the PIX Firewall using Telnet. A snapshot of current Telnet sessions to the PIX Firewall is displayed.
- Secure Shell Sessions: Enables you to monitor connections made to the PIX Firewall using Secure Shell (SSH). When the Secure Shell pane is displayed, a snapshot of the current SSH sessions to the PIX Firewall is available.
- User Licenses: Displays the number of current users, which is subtracted from the maximum number of users for your PIX Firewall licensing agreement.
- DHCP Client: Displays DHCP-assigned interface parameters when DHCP addressing is configured on the outside interface of the PIX Firewall. A snapshot of the current DHCP lease information is displayed.
- PPPoE Client: Enables you to configure the PIX Firewall to automatically connect users on the inside interface to ISPs via the outside interface. The PPPoE Client pane displays information about current PPPoE client connections.
- VPN Statistics: Lets you graphically monitor the following functions:
  - Number of active IPSec tunnels
  - Layer 2 Tunneling Protocol (L2TP) active tunnels
  - L2TP active sessions
  - Point-to-Point Tunneling Protocol (PPTP) active tunnels
  - PPTP active sessions
  - Detailed IPSec information (similar to the CLI command show ipsec sa detail)
- System Graphs: Enables you to build the New Graph window, which monitors the PIX Firewall's system resources, including block utilization, CPU utilization, failover statistics, and memory utilization.
- Connection Graphs: Enables you to monitor a wide variety of performance statistics for PIX Firewall features, including statistics for xlates, connections, AAA, fixups, URL filtering, and TCP intercept.
- IDS (located under Miscellaneous Graphs): Enables you to monitor intrusion detection statistics, including packet counts for each Intrusion Detection System (IDS) signature supported by the PIX Firewall.
- Interface Graphs: Enables you to monitor per-interface statistics, such as packet counts and bit rates, for each enabled interface on the PIX Firewall.
Note: If an interface is not enabled using the System Properties tab, no graphs are available for that interface.
Using PDM for VPN Configuration

Chapter 11, "Virtual Private Networks," explained how to configure VPN on the Cisco PIX Firewall via the CLI. VPNs are one of the more difficult areas of configuration and troubleshooting. Quite often, typos occur when you create a VPN configuration via the CLI. For novice administrators of the Cisco PIX Firewall, remembering the commands and their sequence can sometimes be difficult. PDM presents a user-friendly VPN Wizard that creates both site-to-site and remote-access VPNs for the Cisco PIX Firewall (accessible via the Wizards menu on PDM). Administrators are prompted for unique parameters such as IP addresses, and they use drop-down menus to configure their VPN. The following sections discuss the steps involved in creating a site-to-site VPN and a remote-access VPN using the VPN Wizard on PDM.

Using PDM to Create a Site-to-Site VPN

The following steps and corresponding figures show a sample site-to-site VPN configuration using the VPN Wizard on PDM:
Step 1. Select the Site to Site VPN radio button, as shown in Figure 13-11, to create a site-to-site VPN configuration. This configuration is used between two IPSec security gateways, which can include Cisco PIX Firewalls, VPN concentrators, or other devices that support site-to-site IPSec connectivity. Use this window to also select the type of VPN tunnel you are defining and to identify the interface on which the tunnel will be enabled. In Figure 13-11, the outside interface is selected as the VPN termination point.
Figure 13-11. VPN Wizard with Site to Site VPN Selected
Step 2. In the Remote Site Peer window, shown in Figure 13-12, you specify the IP address of the remote IPSec peer that will terminate the VPN tunnel you are configuring. Also, you use this window to identify which of the following methods of authentication you want to use:
- Preshared keys
- Certificates
Figure 13-12. Remote Site Peer Window
Figure 13-12 shows the Remote Site Peer window configured with the remote IPSec peer and the preshared authentication keys.
Step 3. Configure the encryption and authentication algorithms for IKE Phase I in the IKE Policy window, as shown in Figure 13-13.
Figure 13-13. IKE Policy Window
Step 4. Configure the transform set to specify the encryption and authentication algorithms used by IPSec, as shown in Figure 13-14. IPSec provides secure communication over an insecure network, such as the public Internet, by encrypting traffic between two IPSec peers, such as your local PIX and a remote PIX or VPN concentrator.
Figure 13-14. Transform Set Window
Step 5. Identify the traffic you want to protect using the current IPSec tunnel, as shown in Figure 13-15. The current IPSec tunnel protects packets that are sent to or received from the hosts or networks you select in this window. Use this window to identify the hosts and networks protected by your local Cisco PIX Firewall. In Figure 13-15, packets that are sent to and received from the 192.168.1.0/16 network are protected.
Figure 13-15. IPSec Traffic Selector Window: On Local Site
Step 6. Identify the hosts and networks protected by the remote IPSec peer, as shown in Figure 13-16.
Figure 13-16. IPSec Traffic Selector Window: On Remote Site
Step 7. At this point, the site-to-site VPN configuration has been completed.
Using PDM to Create a Remote-Access VPN

With a remote-access VPN, your local Cisco PIX Firewall provides secure connectivity between individual remote users and the LAN resources protected by your local PIX Firewall. To start the VPN Wizard, go to the Wizards menu on PDM and select the VPN Wizard option.
Step 1. From the opening window of the PDM VPN Wizard, shown in Figure 13-17, select the Remote Access VPN radio button to create a remote-access VPN configuration. This configuration enables secure remote access for VPN clients, such as mobile users. A remote-access VPN allows remote users to securely access centralized network resources. When you select this option, the system displays a series of panels that let you enter the configuration required for this type of VPN. In Figure 13-17, the outside interface is selected as the interface on which the current VPN tunnel will be enabled.
Figure 13-17. VPN Wizard with Remote Access VPN Selected
Step 2. In the Remote Access Client window, shown in Figure 13-18, identify the type of remote-access client that will use the current VPN tunnel to connect to your local Cisco PIX Firewall. The options are as follows:
- Cisco VPN Client: Select to support remote-access clients using Cisco VPN Client v3.x or higher (Cisco Unified VPN Client Framework)
- Cisco VPN 3000 Client: Select to support remote-access clients using Cisco VPN 3000 Client, Release 2.5/2.6
- Microsoft Windows client using PPTP: Select to support remote-access clients using the Microsoft Windows client with PPTP
- Microsoft Windows client using L2TP: Select to support remote-access clients using the Microsoft Windows client with L2TP
Figure 13-18. Remote Access Client Window
Step 3. Create a VPN client group to group remote-access users who are using the Cisco VPN client. The attributes associated with a group are applied and downloaded to the clients that are part of a given group. The Group Password is a preshared key to be used for IKE authentication. Figure 13-19 shows the VPN Client Group window with Sales as a group name and the Pre-shared Key radio button selected for IKE authentication.
Figure 13-19. VPN Client Group Window
A preshared key is a quick and easy way to set up communications with a limited number of remote peers. To use this method of authentication, exchange the preshared key with the remote-access user through a secure and convenient method, such as an encrypted e-mail message.

Note: Preshared keys must be exchanged between each pair of IPSec peers that needs to establish secure tunnels. This authentication method is appropriate for a stable network with a limited number of IPSec peers. It might cause scalability problems in a network with a large or increasing number of IPSec peers.
Step 4. Use the Extended Client Authentication window, shown in Figure 13-20, to require VPN client users to authenticate from a AAA server for access to the private network on your PIX Firewall. Extended client authentication is optional and is not required for VPN client access to the private network.
Figure 13-20. Extended Client Authentication Window
Extended Authentication (XAuth) is a feature within the IKE protocol. XAuth lets you deploy IPSec VPNs using TACACS+ or RADIUS as your user authentication method. This feature, which is designed for VPN clients, provides user authentication by prompting the user for a username and password and verifies them with the information stored in your TACACS+ or RADIUS database. XAuth is negotiated between IKE Phase 1 (the IKE device authentication phase) and IKE Phase 2 (the IPSec SA negotiation phase). If XAuth fails, the IPSec security association is not established, and the IKE security association is deleted.

The AAA server must be defined before XAuth will work on the Cisco PIX Firewall. You can define the AAA server using the New button. This opens the AAA Server Group pane, where you can define the location of the AAA server, the group name, and the protocol used for AAA.
Step 5. Define the location of the AAA server, the group name, and the protocol used for AAA, as shown in Figure 13-21.
Figure 13-21. AAA Server Group Window
Step 6. Create a pool of local addresses that can be used to assign dynamic addresses to remote-access VPN clients. Enter a descriptive identifier for the address pool. Figure 13-22 shows a sample configuration for the remote sales group in the Address Pool window.
Figure 13-22. Address Pool Window
Step 7. (Optional) Configure the DNS and WINS addresses that can be pushed down to the remote client, as shown in Figure 13-23.
Figure 13-23. Attributes Pushed to Client Window
Step 8. Specify the encryption and authentication algorithms used by IKE (Phase 1), as shown in Figure 13-24.
Figure 13-24. IKE Policy Window
Step 9. Specify the encryption and authentication algorithms used by the IPSec VPN tunnel, as shown in Figure 13-25.
Figure 13-25. Transform Set Window
Step 10. (Optional) The Address Translation Exemption window, shown in Figure 13-26, identifies local hosts/networks that are to be exempted from address translation. By default, the PIX Firewall hides the real IP address of internal networks from outside hosts through dynamic or static NAT. The security provided by NAT is essential to minimize the risk of being attacked by untrusted outside hosts, but it might be inappropriate for those who have been authenticated and protected by VPN.
Figure 13-26. Address Translation Exemption Window
As shown at the bottom of Figure 13-26, a check box option is available to enable split tunneling. A split tunnel allows the VPN client to access the networks protected by the VPN headend via the VPN tunnel and the Internet in clear data (outside the VPN tunnel) simultaneously.

Note: Split tunneling is scalable and reduces the drain on institutional computing and network resources. A potential drawback is that this VPN client could be a relay agent if someone on the clear-data side compromised the client's workstation and used that workstation to get information from the VPN-protected networks.
Step 11. At this point, the remote-access VPN configuration is complete.