Case Study: Placing Filtering Routers and Firewalls
The Internet has allowed the whole world, including unauthorized individuals, to connect from any device with an IP address. Crackers and intruders have access to any network in the world using the IP protocol. CNN and Yahoo regularly publicize websites defaced by clever IP experts. To bring the concepts of this chapter into the current world of crackers and intruders, this section presents as a case study a typical complex network, shown in Figure 9-12. Figure 9-12 shows a PIX Firewall and a Cisco router that have been placed as the first line of defense at the entry point of the network to the outside world. This defense ensures that the network is protected from crackers and from individuals wanting to cause private companies network outages. A LAN connects to the PIX and the Cisco intrusion detection system (IDS) sensor.

Figure 9-12. Placing Routers and Firewalls
The campus network in Figure 9-12 houses a number of remote sites, including the Class A network address 10.0.0.0/8, or the range from 10.0.0.0 to 10.255.255.255. Remember that the /8 notation only identifies the number of bits (from 1 to 32) of the subnet mask that are set to a binary value of 1.

To connect this private, nonroutable network to the Internet, the network architects must ensure the following:

- The network is secure. They can ensure security by using a PIX or Cisco IOS firewall. In this scenario, a Cisco PIX Firewall is placed as the second line of defense behind a Cisco IOS firewall-enabled router.
- The network allows users with nonregistered IP address spaces to access the Internet by configuring NAT on the PIX Firewall.
Typically, the Internet service provider (ISP) supplies some form of WAN service to your network. Therefore, for this case study, a router is required to connect to the ISP. The LAN segment between the router and the PIX also houses Internet services, such as an HTTP server and an IDS sensor, to monitor and block traffic from outside. Configuration and placement of the IDSs in the network are discussed in Chapter 10.

Remember that a PIX Firewall permits a connection-based security policy. For instance, you might allow Telnet sessions to be initiated from within your network but not allow them to be initiated into your network from outside. This would stop an unauthorized individual from ever initiating a Telnet session: incoming TCP packets with the SYN bit set to 1 would be blocked. (The PIX Firewall rejects such sessions.) In other words, firewalls prohibit outsiders from initiating TCP sessions by disallowing incoming packets with the SYN bit on.

NOTE

DMZs usually exist as a part of a network that can be accessed by the Internet community or the general public, such as web, FTP, or SMTP servers. FTP servers, for instance, allow external users access to public files such as Cisco IOS software, which is available online at ftp.cisco.com. Your remaining servers are protected by the firewall. In this scenario, the DMZ zone is collapsed for ease of use and to allow the reader to absorb the typical design in its most simple form.

The steps that follow are required to enable the PIX for NAT and to provide full Internet connectivity for users with private addresses. The steps show you how the PIX Firewall is configured for the scenario in Figure 9-12.
Step 1. Name the inside and outside interfaces.

Name interfaces and assign the security level (configuration mode):

nameif hardware_id if_name security_level

The nameif command lets you assign a name to an interface. You can use this command to assign interface names if you have more than two network interface circuit boards in your PIX Firewall. The first two interfaces have the default names inside and outside. For now, leave the default names and values. The inside interface has default security level 100, and the outside interface has default security level 0.

Table 9-2 describes the PIX command nameif as documented on the Cisco documentation CD, which is delivered with the device. The Cisco documentation CD can also be found at http://www.cisco.com/univercd/home/home.

Table 9-2. nameif Command and Required Fields

Syntax | Description
---|---
hardware_id | The hardware name for the network interface that specifies the interface's slot location on the PIX Firewall motherboard. Interface boards are numbered from the leftmost slot nearest the power supply as slot 0. The internal network interface must be in slot 1. The lowest security_level external interface board is in slot 0, and the next lowest security_level external interface board is in slot 2. Possible choices are Ethernet for Ethernet or Token-ring for Token Ring. The internal interface is ethernet1. These names can be abbreviated with any leading characters in the name, for example, ether1, e2, token0, or t0.
if_name | A name for the internal or external network interface up to 48 characters in length. This name can be uppercase or lowercase. By default, PIX Firewall names the inside interface "inside," the outside interface "outside," and any perimeter interface "intfn" where n is 2 through 5.
security_level | Either 0 for the outside network or 100 for the inside network. Perimeter interfaces can use any number between 1 and 99. By default, PIX Firewall sets the security level for the inside interface to security100 and the outside interface to security0. The first perimeter interface is initially set to security10, the second to security15, the third to security20, and the fourth perimeter interface to security25. (A total of six interfaces are permitted, with a total of four perimeter interfaces permitted.)

In this example, the names are assigned as follows:

nameif ethernet0 outside security0
nameif ethernet1 inside security100
Step 2. Identify the hardware interfaces, speed, and duplex type installed with the interface command.

interface hardware_id [hardware_speed] [shutdown]

Table 9-3 defines and describes the options for the interface command.

Table 9-3. interface Command Options

Options | Description
---|---
hardware_id | Identifies the network interface type. Possible values are ethernet0, ethernet1 to ethernetn, gb-ethernetn, fddi0, or fddi1, depending on how many network interfaces are in the firewall.
hardware_speed | Network interface speed (optional). Do not specify hardware_speed for a Fiber Distributed Data Interface (FDDI) interface. The possible Ethernet and Token Ring values are listed after this table.
shutdown | Disable an interface.

Possible Ethernet values for hardware_speed are as follows:

- 10baset: Set for 10 Mbps Ethernet half duplex communication.
- 10full: Set for 10 Mbps Ethernet full duplex communication.
- 100basetx: Set for 100 Mbps Ethernet half duplex communication.
- 100full: Set for 100 Mbps Ethernet full duplex communication.
- 1000sxfull: Set for 1000 Mbps Gigabit Ethernet full duplex operation.
- 1000basesx: Set for 1000 Mbps Gigabit Ethernet half duplex operation.
- 1000auto: Set for 1000 Mbps Gigabit Ethernet to autonegotiate full or half duplex.
- aui: Set for 10 Mbps Ethernet half duplex communication with an AUI cable interface.
- auto: Set Ethernet speed automatically. The auto keyword can only be used with the Intel 10/100 automatic speed sensing network interface card, which shipped with the PIX Firewall units manufactured after November 1996.
- bnc: Set for 10 Mbps Ethernet half duplex communication with a BNC cable interface.

Possible Token Ring values are as follows:

- 4mbps: 4 Mbps data transfer speed. You can specify this as 4.
- 16mbps (default): 16 Mbps data transfer speed. You can specify this as 16.

For the case study in Figure 9-12, you need to have the following commands configured:

interface ethernet0 10full
interface ethernet1 10full
Step 3. Define the IP addresses.

The next step involves defining the inside and outside IP addresses. The ip address if_name ip_address [netmask] command lets you assign an IP address to each interface. Use the show ip command to view which addresses are assigned to the network interfaces.

The IP address assignment for the devices in Figure 9-12 is defined as follows:

ip address inside 10.0.0.1 255.0.0.0

This assignment assumes that the entire private network is a flat IP network, and for the purposes of this design example, this is adequate.

ip address outside 131.108.1.1 255.255.255.0

Table 9-4 defines the options of the ip address command.

Table 9-4. ip address Command Options

Options | Description
---|---
if_name | The internal or external interface name designated by the nameif command.
ip_address | The PIX Firewall unit's network interface IP address.
netmask | Network mask of ip_address.
Step 4. Define NAT with the nat command.

The nat command lets you enable or disable address translation for one or more internal addresses. With address translation, when a host starts an outbound connection, the IP addresses in the internal network are translated into global addresses. NAT lets your network have any IP addressing scheme, and the firewall protects these addresses from visibility on the external network. The command syntax is as follows:

nat [(if_name)] nat_id local_ip [netmask [max_conns [em_limit]]] [norandomseq]

Table 9-5 defines the options of the nat command as documented on the Cisco documentation CD.

Table 9-5. nat Command Options

Options | Description
---|---
if_name | Any internal network interface name.
nat_id | The nat_id is an arbitrary positive number between 0 and 2 billion. Specify 0 with IP addresses and netmasks to identify internal networks that require only outbound identity address translation. Specify 0 with the access-list option to specify traffic that should be exempted from NAT. The access list should already be defined; otherwise, PIX gives an error message.
access-list | Associate an access-list command statement with the nat 0 command.
local_ip | Internal network IP address to be translated. You can use 0.0.0.0 to allow all hosts to start outbound connections. The 0.0.0.0 local_ip can be abbreviated as 0.
netmask | Network mask for local_ip. You can use 0.0.0.0 to allow all outbound connections to translate using IP addresses from the global pool.
max_conns | The maximum number of TCP connections permitted from the interface you specify.
em_limit | The embryonic connection limit. The default is 0, which means unlimited connections. Set it lower for slower systems, higher for faster systems.
norandomseq | Do not randomize the TCP packet's sequence number. Only use this option if another inline firewall is also randomizing sequence numbers and the result is scrambling the data. Use of this option opens a security hole in the PIX Firewall.

In Figure 9-12, the following nat statement is assigned to the PIX:

nat (inside) 1 0.0.0.0 0.0.0.0

This command enables all inside hosts to have access to the Internet.
Step 5. Define the global pool.

The global command defines a pool of global addresses. The global addresses in the pool provide an IP address for each outbound connection and for those inbound connections resulting from outbound connections. If the nat command is used, you must use the global command as well. Basically, when an outbound IP packet is sent from the inside network, the PIX extracts the source address and compares that address to the list of current NAT translations. If there is no entry, a new entry is created. If a NAT translation entry already exists, the packet is forwarded. (An alternative to the global command is nat 0.) The PIX syntax for the global command is defined as follows:

global [if_name] nat_id global_ip [-global_ip] [netmask global_mask]

In Figure 9-12, the pool of addresses is defined as follows:

global (outside) 1 192.192.1.2-192.192.1.30 netmask 255.255.255.224

The pool of addresses is typically assigned to you by the InterNIC or by your ISP. Table 9-6 defines the options of the global command as documented on the Cisco documentation CD.

Table 9-6. global Command Options

Options | Description
---|---
if_name | The external network where you use these global addresses.
nat_id | A positive number shared with the nat command that groups the nat and global command statements together. The valid ID numbers can be any positive number up to 2,147,483,647.
global_ip | One or more global IP addresses that the PIX Firewall shares among its connections. If the external network is connected to the Internet, each global IP address must be registered with the Network Information Center (NIC). You can specify a range of IP addresses by separating the addresses with a dash (-). You can create a PAT global command statement by specifying a single IP address. You can have one PAT global command statement per interface. A PAT can support up to 65,535 xlate objects.
netmask | Reserved word that prefaces the network global_mask variable.
global_mask | The network mask for global_ip. If subnetting is in effect, use the subnet mask, for example, 255.255.255.128. If you specify an address range that overlaps subnets, global does not use the broadcast or network addresses in the pool of global addresses. For example, if you use 255.255.255.224 and an address range of 209.165.201.1 to 209.165.201.30, the 209.165.201.31 broadcast address and the 209.165.201.0 network address are not included in the pool of global addresses.
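The following Python model is an added illustration, not PIX code and not part of the original text. It ties together the connection-based policy described earlier (outbound sessions create state; inbound SYNs with no matching state are rejected) with the nat/global pair of Steps 4 and 5, including the Table 9-6 rule that the network and broadcast addresses of each global_mask subnet are skipped. The inside network 10.0.0.0/8 and the pool 192.192.1.2-192.192.1.30 with mask 255.255.255.224 are taken from Figure 9-12; the remote hosts 198.51.100.7 and 203.0.113.9 are constructed sample values.

```python
import ipaddress


def usable_pool(first, last, mask):
    """Expand a global_ip range the way Table 9-6 describes: an address that is
    the network or broadcast address of its global_mask subnet is skipped."""
    lo, hi = int(ipaddress.ip_address(first)), int(ipaddress.ip_address(last))
    pool = []
    for n in range(lo, hi + 1):
        addr = ipaddress.ip_address(n)
        subnet = ipaddress.ip_network(f"{addr}/{mask}", strict=False)
        if addr not in (subnet.network_address, subnet.broadcast_address):
            pool.append(str(addr))
    return pool


class PixNatModel:
    """Toy model (not PIX code) of 'nat (inside) 1' plus 'global (outside) 1' and the
    connection-based policy: outbound traffic creates xlate and connection state."""

    def __init__(self, local_net, first, last, mask):
        self.local_net = ipaddress.ip_network(local_net)
        self.free = usable_pool(first, last, mask)   # unallocated global addresses
        self.xlate = {}      # inside address -> global address
        self.conns = set()   # (global addr, port, remote addr, remote port)

    def outbound(self, src, sport, dst, dport):
        """Inside -> outside packet. Returns (verdict, translated source)."""
        if ipaddress.ip_address(src) not in self.local_net:
            return ("deny", None)       # not covered by the nat statement
        if src not in self.xlate:
            if not self.free:
                return ("deny", None)   # global pool exhausted
            self.xlate[src] = self.free.pop(0)
        g = self.xlate[src]
        self.conns.add((g, sport, dst, dport))
        return ("permit", g)

    def inbound(self, src, sport, dst, dport, syn):
        """Outside -> inside packet. Returns (verdict, untranslated destination)."""
        if (dst, dport, src, sport) in self.conns:
            inside = next(i for i, g in self.xlate.items() if g == dst)
            return ("permit", inside)
        # No state created from inside: an inbound SYN is a session-initiation
        # attempt and is rejected; any other stray packet has no translation.
        return ("reject", None) if syn else ("drop", None)


if __name__ == "__main__":
    pix = PixNatModel("10.0.0.0/8", "192.192.1.2", "192.192.1.30", "255.255.255.224")
    print(pix.outbound("10.1.1.5", 40000, "198.51.100.7", 80))   # constructed remote host
```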
Step 6. Finally, you must define how to route IP data with the route command.

Use the route command to enter a default or static route for an interface. The PIX syntax is as follows:

route if_name ip_address netmask gateway_ip [metric]
Now you need to configure static routing on the PIX Firewall. In Figure 9-12, you define all routes via the perimeter router as follows:
route outside 0.0.0.0 0.0.0.0 131.108.1.2
Table 9-7 defines the options of the route command as documented on the Cisco documentation CD.

Table 9-7. route Command Options

Syntax | Description
---|---
if_name | The internal or external network interface name.
ip_address | The internal or external network IP address. Use 0.0.0.0 to specify a default route. The 0.0.0.0 IP address can be abbreviated as 0.
netmask | Specify a network mask to apply to ip_address. Use 0.0.0.0 to specify a default route. The 0.0.0.0 netmask can be abbreviated as 0.
gateway_ip | Specify the IP address of the gateway router (the next hop address for this route).
metric | Specify the number of hops to gateway_ip. In Figure 9-12, this is 1.
The PIX Firewall is now configured for NAT, and only users in the private network are permitted access to the web. At this stage, no access is permitted from the Internet to HTTP hosts, for example. You can allow access for external hosts by configuring the conduit or access-list commands. You can find more details on this advanced feature at http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_sw/index.

Example 9-4 displays the full working configuration of the PIX in Figure 9-12. The highlighted portions of this display are configuration commands that you have entered, and the nonhighlighted portions are default configurations. One of the advantages of the PIX Firewall is that you can view the full working and default configuration. This is unlike Cisco IOS routers, on which the default configuration is not displayed.

Example 9-4. PIX Full Working Configuration
pix# write terminal
nameif ethernet0 outside security0
nameif ethernet1 inside security100
hostname pixfirewall
fixup protocol ftp 21
fixup protocol http 80
fixup protocol smtp 25
fixup protocol h323 1720
fixup protocol rsh 514
fixup protocol sqlnet 1521
names
logging timestamp
no logging standby
logging console debugging
no logging monitor
logging buffered debugging
no logging trap
logging facility 20
logging queue 512
interface ethernet0 10full
interface ethernet1 10full
mtu outside 1500
mtu inside 1500
ip address inside 10.0.0.1 255.0.0.0
ip address outside 131.108.1.1 255.255.255.0
no failover
failover timeout 0:00:00
failover ip address outside 0.0.0.0
failover ip address inside 0.0.0.0
arp timeout 14400
global (outside) 1 192.192.1.2-192.192.1.30 netmask 255.255.255.248
nat (inside) 1 0.0.0.0 0.0.0.0
no rip outside passive
no rip outside default
no rip inside passive
no rip inside default
route outside 0.0.0.0 0.0.0.0 131.108.1.2 1
timeout xlate 3:00:00 conn 1:00:00 half-closed 0:10:00 udp 0:02:00
timeout rpc 0:10:00 h323 0:05:00
timeout uauth 0:00:00 absolute
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
telnet timeout 5
terminal width 80
: end