Network Security Fundamentals [Electronic resources]

Gert De Laet, Gert Schauwers

نسخه متنی -صفحه : 196/ 81
نمايش فراداده

Case Study: Placing Filtering Routers and Firewalls

The Internet has allowed the whole world, including unauthorized individuals, to connect from any device with an IP address. Crackers and intruders have access to any network in the world using the IP protocol. CNN and Yahoo regularly publicize websites defaced by clever IP experts. To bring the concepts of this chapter into the current world of crackers and intruders, this section presents as a case study a typical complex network, shown in Figure 9-12. Figure 9-12 shows a PIX Firewall and a Cisco router that have been placed as the first line of defense at the entry point of the network to the outside world. This defense ensures that the network is protected from crackers and individuals wanting to cause private companies network outages. A LAN connects to the PIX and the Cisco intrusion detection system (IDS) sensor.

Figure 9-12. Placing Routers and Firewalls

[View full size image]

The campus network in Figure 9-12 houses a number of remote sites, including the Class A network address 10.0.0.0/8 or the range from 10.0.0.0 to 10.255.255.255. Remember the /8 notation only identifies the number of bits (from 1 to 32) of the subnet mask that are set to a binary value of 1.

To connect this private, nonroutable network to the Internet, the network architects must ensure the following:

  • The network is secure. They can ensure security by using a PIX or Cisco IOS firewall. In this scenario, a Cisco PIX Firewall is placed as the second line of defense behind a Cisco IOS firewall-enabled router.

  • The network allows users with nonregistered IP address spaces to access the Internet by configuring NAT on the PIX Firewall.

Typically, the Internet service provider (ISP) supplies some form of WAN service to your network. Therefore, for this case study, a router is required to connect to the ISP. The LAN segment between the router and the PIX also houses Internet services, such as an HTTP server and an IDS sensor, to monitor and block traffic from outside. Configuration and placement of the IDSs in the network are discussed in Chapter 10.

Remember that a PIX Firewall permits a connection-based security policy. For instance, you might allow Telnet sessions to be initiated from within your network but not allow them to be initiated into your network from outside. This would stop an unauthorized individual from ever initializing a Telnet session. TCP sessions with a TCP packet with the SYN bit set to 1 would be blocked. (The PIX Firewall rejects such sessions.) In other words, firewalls prohibit outsiders from initiating TCP sessions by disallowing incoming packets with the SYN bit on.

NOTE

DMZs usually exist as a part of a network that can be accessed by the Internet community or the general public, such as web, FTP, or SMTP servers. FTP servers, for instance, allow external users access to public files such as Cisco IOS software, which is available online at ftp.cisco.com. Your remaining servers are protected by the firewall.

In this scenario, the DMZ zone is collapsed for ease of use and to allow the reader to absorb the typical design in its most simple form.

The steps that follow are required to enable the PIX for NAT and to provide full Internet connectivity for users with private addresses. The steps show you how the PIX Firewall is configured for the scenario in Figure 9-12.

Step 1.

Name the inside and outside interfaces.

Name interfaces and assign the security level (configuration mode):

nameif  
hardware_id if_name security_level

The

nameif command lets you assign a name to an interface. You can use this command to assign interface names if you have more than two network interface circuit boards in your PIX Firewall. The first two interfaces have the default names

inside and

outside . For now, leave the default names and values. The

inside interface has default security level 100, and the

outside interface has default security level 0.

Table 9-2 describes the PIX command

nameif as documented on the Cisco documentation CD, which is delivered with the device. The Cisco documentation CD can also be found at http://www.cisco.com/univercd/home/home.

Table 9-2.

nameif Command and Required Fields

Syntax

Description

hardware_id

The hardware name for the network interface that specifies the interface's slot location on the PIX Firewall motherboard. Interface boards are numbered from the leftmost slot nearest the power supply as slot 0. The internal network interface must be in slot 1. The lowest security_level external interface board is in slot 0, and the next lowest security_level external interface board is in slot 2.

Possible choices are

Ethernet for Ethernet or

Token-ring for Token Ring.

The internal interface is

ethernet1 . These names can be abbreviated with any leading characters in the name, for example,

ether1, e2, token0 , or

t0 .

if_name

A name for the internal or external network interface up to 48 characters in length. This name can be uppercase or lowercase. By default, PIX Firewall names the inside interface "inside," the outside interface "outside," and any perimeter interface "intf

n " where

n is 2 through 5.

security_level

Either

0 for the outside network or

100 for the inside network. Perimeter interfaces can use any number between

1 and

99 . By default, PIX Firewall sets the security level for the inside interface to

security100 and the outside interface to

security0 . The first perimeter interface is initially set to

security10 , the second to

security15 , the third to

security20 , and the fourth perimeter interface to

security25 . (A total of six interfaces are permitted, with a total of four perimeter interfaces permitted.)

In this example, the names are assigned as follows:

nameif  ethernet0 outside security0

nameif  ethernet1 inside security100

Step 2.

Identify the hardware interfaces, speed, and duplex type installed with the interface command.

interface  
hardware_id  [
hardware_speed ] [
shutdown ]

Table 9-3 defines and describes the options for the

interface command.

Table 9-3.

interface Command Options

Options

Description

hardware_id

Identifies the network interface type. Possible values are

ethernet0, ethernet1 to

ethernet

n ,

gb-ethernet

n ,

fddi0 , or

fddi1 , depending on how many network interfaces are in the firewall.

hardware_speed

Network interface speed (optional). Do not specify

hardware_speed for a Fiber Distributed Data Interface interface.

Possible Ethernet values are as follows:

10baset Set for 10 Mbps Ethernet half duplex communication.

10full Set for 10 Mbps Ethernet full duplex communication.

100basetx Set for 100 Mbps Ethernet half duplex communication.

100full Set for 100 Mbps Ethernet full duplex communication.

1000sxfull Set for 1000 Mbps Gigabit Ethernet full duplex operation.

1000basesx Set for 1000 Mbps Gigabit Ethernet half duplex operation.

1000auto Set for 1000 Mbps Gigabit Ethernet to autonegotiate full or half duplex.

aui Set for 10 Mbps Ethernet half duplex communication with an AUI cable interface.

auto Set Ethernet speed automatically. The

auto keyword can only be used with the Intel 10/100 automatic speed sensing network interface card, which shipped with the PIX Firewall units manufactured after November 1996.

bnc Set for 10 Mbps Ethernet half duplex communication with a BNC cable interface.

Possible Token Ring values are:

4mbps 4 Mbps data transfer speed. You can specify this as

4 .

16mbps (default) 16 Mbps data transfer speed. You can specify this as

16 .

shutdown

Disable an interface.

For the case study in Figure 9-12, you need to have the following commands configured:

interface  ethernet0 10full

interface  ethernet1 10full

Step 3.

Define the IP addresses.

The next step involves defining the inside and outside IP address. The

ip address

if_name ip_address [

netmask ] command lets you assign an IP address to each interface.

Use the

show ip command to view which addresses are assigned to the network interfaces.

The IP address assignment for the devices in Figure 9-12 is defined as follows:

ip address inside 10.0.0.1 255.0.0.0

This assignment assumes that the entire private network is a flat IP network, and for the purposes of this design example, this is adequate.

ip address outside 131.108.1.1 255.255.255.0

Table 9-4 defines the options and meaning of the

interface command.

Table 9-4. interface Command

Options

Description

if_name

The internal or external interface name designated by the

nameif command.

ip_address

PIX Firewall unit's network interface IP address.

netmask

Network mask of

ip_address .

Step 4.

Define NAT with the

nat command.

The

nat command lets you enable or disable address translation for one or more internal addresses. With address translation, when a host starts an outbound connection, the IP addresses in the internal network are translated into global addresses. NAT lets your network have any IP addressing scheme, and the firewall protects these addresses from visibility on the external network.

The command syntax is as follows:

nat  [(
if_name )] 
nat_id local_ip  [
netmask  [
max_conns  [
em_limit ]]] [
norandomseq ]

Table 9-5 defines the options of the

nat command as documented on Cisco documentation CD.

Table 9-5.

nat Command Options

Options

Description

if_name

Any internal network interface name.

nat_id

The

nat_id is an arbitrary positive number between 0 and 2 billion.

Specify

0 with IP addresses and netmasks to identify internal networks that require only outbound identity address translation. Specify

0 with the

access-list option to specify traffic that should be exempted from NAT. The access list should already be defined; otherwise, PIX gives an error message.

access-list

Associate an

access-list command statement to the

nat 0 command.

local_ip

Internal network IP address to be translated. You can use

0.0.0.0 to allow all hosts to start outbound connections. The

0.0.0.0

local_ip can be abbreviated as

0 .

netmask

Network mask for

local_ip . You can use

0.0.0.0 to allow all outbound connections to translate using IP addresses from the global pool.

max_conns

The maximum TCP connections permitted from the interface you specify.

em_limit

The embryonic connection limit. The default is 0, which means unlimited connections. Set it lower for slower systems, higher for faster systems.

Norandomseq

Do not randomize the TCP packet's sequence number. Only use this option if another inline firewall is also randomizing sequence numbers and the result is scrambling the data. Use of this option opens a security hole in the PIX Firewall.

In Figure 9-12, the following pool is assigned to the PIX:

nat  (inside) 1 0.0.0.0 0.0.0.0

This command enables all inside hosts to have access to the Internet.

Step 5.

Define the global pool.

The

global command defines a pool of global addresses. The global addresses in the pool provide an IP address for each outbound connection and for those inbound connections resulting from outbound connections.

If the

nat command is used, you must use the

global command as well. Basically, when an outbound IP packet is sent from the inside network, the PIX extracts the source address and compares that address to the list of current NAT translations. If there is no entry, a new entry is created. If a NAT translation entry already exists, the packet is forwarded. (An alternative to the

global command is

nat 0 .)

The PIX syntax for the

global command is defined as follows:

global  [
if_name ] 
nat_id global_ip  [
-global_ip ] [
netmask  
global_mask ]

In Figure 9-12, the pool of addresses is defined as follows:

global (outside) 1 192.192.1.2-192.192.1.30 netmask 255.255.255.224

The pool of addresses is typically assigned to you by the InterNIC or by your ISP.

Table 9-6 defines the options of the

global command as documented on the Cisco documentation CD.

Table 9-6.

global Command Options

Options

Description

if_name

The external network where you use these global addresses.

nat_id

A positive number shared with the

nat command that groups the

nat and

global command statements together. The valid ID numbers can be any positive number up to 2,147,483,647.

global_ip

One or more global IP addresses that the PIX Firewall shares among its connections.

If the external network is connected to the Internet, each global IP address must be registered with the Network Information Center (NIC). You can specify a range of IP addresses by separating the addresses with a dash (-).

You can create a PAT

global command statement by specifying a single IP address. You can have one PAT

global command statement per interface. A PAT can support up to 65,535 xlate objects.

netmask

Reserved word that prefaces the network

global_mask variable.

global_mask

The network mask for

global_ip . If subnetting is in effect, use the subnet maskfor example, 255.255.255.128. If you specify an address range that overlaps subnets,

global does not use the broadcast or network addresses in the pool of global addresses. For example, if you use 255.255.255.224 and an address range of 209.165.201.1 to 209.165.201.30, the 209.165.201.31 broadcast address and the 209.165.201.0 network address are included in the pool of global addresses.

Step 6.

Finally, you must define how to route IP data with the

route command.

Use the

route command to enter a default or static route for an interface. The PIX syntax is as follows:

route  
if_name ip_address netmask gateway_ip  [
metric ]

Now you need to configure static routing on a PIX Firewall.

In Figure 9-12, you define all routes via the perimeter router as

route outside 0.0.0.0 0.0.0.0 131.108.1.2

Table 9-7 defines the options of the

route command as documented on the Cisco documentation CD.

Table 9-7.

route Command Options

Syntax

Description

if_name

The internal or external network interface name.

ip_address

The internal or external network IP address. Use

0.0.0.0 to specify a default route. The

0.0.0.0 IP address can be abbreviated as

0 .

netmask

Specify a network mask to apply to

ip_address . Use

0.0.0.0 to specify a default route. The

0.0.0.0 netmask can be abbreviated as

0 .

gateway_ip

Specify the IP address of the gateway router (the next hop address for this route).

metric

Specify the number of hops to

gateway_ip . In Figure 9-12, this is 1.

The PIX Firewall is now configured for NAT, and only users in the private network are permitted access to the web. At this stage, there is no access permitted from the Internet to HTTP hosts, for example. You can allow access for external hosts by configuring the

conduit or

access-list commands. You can find more details on this advanced feature at http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_sw/index.

Example 9-4 displays the full working configuration of the PIX in Figure 9-12. The highlighted portions of this display are configuration commands that you have entered, and the nonhighlighted portions are default configurations. One of the advantages of the PIX Firewall is that you can view the full working and default configuration. This is unlike Cisco IOS routers, on which the default configuration is not displayed.

Example 9-4. PIX Full Working Configuration
pix# 
write terminal 

nameif ethernet0 outside security0 

nameif ethernet1 inside security100 
hostname pixfirewall
fixup protocol ftp 21
fixup protocol http 80
fixup protocol smtp 25
fixup protocol h323 1720
fixup protocol rsh 514
fixup protocol sqlnet 1521
names
logging timestamp
no logging standby
logging console debugging
no logging monitor
logging buffered debugging
no logging trap
logging facility 20
logging queue 512

interface ethernet0 10full 

interface ethernet1 10full 
mtu outside 1500
mtu inside 1500

ip address inside 10.0.0.1 255.0.0.0 

ip address outside 131.108.1.1 255.255.255.0 
no failover
failover timeout 0:00:00
failover ip address outside 0.0.0.0
failover ip address inside 0.0.0.0
arp timeout 14400

global (outside) 1 192.192.1.2-192.192.1.30 netmask 255.255.255.248 

nat  (inside) 1 0.0.0.0 0.0.0.0 
no rip outside passive
no rip outside default
no rip inside passive
no rip inside default

route outside 0.0.0.0 0.0.0.0 131.108.1.2 1 
timeout xlate 3:00:00 conn 1:00:00 half-closed 0:10:00 udp 0:02:00
timeout rpc 0:10:00 h323 0:05:00
timeout uauth 0:00:00 absolute
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
telnet timeout 5
terminal width 80
: end