20. NAT/PAT Firewalls (Cont.) 10.2.0.0 /24 192.168.0.0 10.0.0.0/24 Global pool 192.168.0.17-30 Global pool 192.168.0.3-14 10.0.0.11 10.0.0.4 10.0.0.11 192.168.0.20 Port 2000 10.0.0.4 192.168.0.20 Port 2001 NAT PAT Internet Internet
28. PIX Firewall Licensing Cisco PIX Firewall licenses are available in Unrestricted, Restricted, and Fail-Over configurations. Unrestricted —PIX Firewall platforms in an Unrestricted ( UR ) license mode allow installation and use of the maximum number of interfaces and RAM supported by the platform. The Unrestricted license supports a redundant 'hot standby' system for Fail-over operation to minimize network downtime .
29. PIX Firewall Licensing (cont..) Restricted — PIX Firewall platforms in a Restricted ( R ) license mode limit the number of interfaces supported and the amount of RAM available within the system. A restricted license provides a cost-optimized firewall solution for simplified network connectivity requirements, or where lower than the maximum number of user connections are acceptable. A Restricted licensed firewall does not support a redundant system for fail-over configurations. Fail-Over — The Fail-Over (FO) software licenses place the Cisco PIX Firewall in a 'hot-standby' mode for use along side another PIX Firewall with an Unrestricted license. Fail-Over software licensing provides stateful fail-over capabilities thus enabling high availability network architectures. The fail-over PIX firewall acts as a fully redundant system maintaining state with all active sessions on the primary PIX Firewall, thereby minimizing connection disruptions due to equipment or network failures.
30.
31.
32. User Authentication: Cut-Through-Proxy Private Network Public Network AAA out side in side Outside User www HTTP Request PIX Advanced Configuration 1. HTTP request packet intercepted by PIX 1 2. PIX asks user for credentials, he responds 2 3. PIX sends credentials to AAA server, AAA server ack’s 3 4. PIX forwards packets 4
33.
34.
35. Only 4 Ways through the PIX Private Network Public Network out side in side PIX “Inside” 1: inside to outside; (Limit with ”outbound” and ”apply”) 2: user authentication AAA 3: conduit 4*: Access List * since PIX IOS 5.0
36.
37. How “alias” Works PIX “Inside” Inside User www 2.2.2.2 Internet Company 2.2.2.2 www.x.com 1. Access www.x.com alias: 3.3.3.3 = 2.2.2.2 inside outside 2. DNS query 3. Reply: 2.2.2.2 4. Reply: 3.3.3.3 Conflict 5. Destination NAT alias: 3.3.3.3 = 2.2.2.2 inside outside
38. Address Translation: Alias Configuration alias (inside) 3.3.3.3 2.2.2.2 255.255.255.255 static (inside,outside) 2.2.2.2 3.3.3.3 netmask 255.255.255.255 Use this destination address on the inside... … for this destination address on the outside PIX “Inside” Map this source on outside... … to this one on inside Destination NAT Source NAT
39.
40.
41.
42. PIX Failover Primary Secondary .1 10.0.1. x 192.168.236. x .2 .1 .2 Failover Cable PIX Advanced Configuration Failover Link default gateway 10.0.1.1 .1
43. Failover Configuration Primary Secondary 10.0.1. x .1 .2 Failover Cable PIX Advanced Configuration Failover Link failover [active] failover ip address inside 10.0.1.1 failover link ethernet2 Enable failover Address for Standby PIX (configured on primary) Enable statefulness (over link eth2)
50. Table nat Command Parameters Here are some examples of the nat command: nat (inside) 1 10.10.10.0 255.255.255.0 nat (inside) 1 172.16.1.0 255.255.255.0 ‘ Global’ Command The global command is used to define the address or range of addresses that the addresses defined by the nat command are translated into. It is important that the nat_id be identical to the nat_id used in the nat command. The nat_id pairs the IP address defined by the global and nat commands so that network translation can take place. The syntax of the global command is global ( if_name ) nat_id global_ip | global_ip-global_ip [ netmask ] Network mask for the local IP address. netmask The IP address that is translated. This is usually the inside network IP address. It is possible to assign all the inside network for the local_ip through nat (inside) 1 0 0 . local_ip The ID number to match with the global address pool. nat_id The internal network interface name. (if_name) Description Command Parameter
51. Table global Command Parameters There should be enough global IP addresses to match the local IP addresses specified by the nat command. If there aren't, you can leverage the shortage of global addresses by PAT entry, which permits up to 64,000 hosts to use a single IP address. PAT divides the available ports per global IP address into three ranges: 0 to 511 512 to 1023 1024 to 65535 PAT assigns a unique source port for each UDP or TCP session. It attempts to assign the same port value of the original request, but if the original source port has already been used, PAT starts scanning from the beginning of the particular port range to find the first available port and assigns it to the conversation. PAT has some restrictions in its use. For example, it cannot support H.323 or caching name server use. The following example shows a configuration using a range of global IP and single IP for PAT: nat (inside) 1 10.0.0.0 255.0.0.0 global (outside) 1 192.168.10.15-192.168.1.62 netmask 255.255.255.0 global (outside) 1 192.168.10.65 netmask 255.255.255.0 When a host or device tries to start a connection, the PIX Firewall checks the translation table if there is an entry for that particular IP. If there is no existing translation, a new translation slot is created. The default time that a translated IP is kept in the translation table is 3 hours. You can change this with the timeout xlate hh:mm:ss command. To view the translated addresses, use the show xlate command. The network mask for the global IP address(es). netmask Defines a range of global IP addresses to be used by the PIX to NAT. global_ip-global_ip A single IP address. When a single IP address is specified, the PIX automatically performs Port Address Translation (PAT). A warning message indicating that the PIX will PAT all addresses is displayed on the console. global_ip Identifies the global address and matches it with the nat command it is pairing with. nat_id The external network where you use these global addresses. (if_name) Description Command Parameter
52. route Command The route command tells the Cisco PIX Firewall where to send information that is forwarded on a specific interface and that is destined for a particular network address. You add static routes to the PIX using the route command. Table 6-6 describes the route command parameters, the syntax of which is as follows: route if_name ip_address netmask gateway_ip [ metric ] Table : route Command Parameters The following example shows a default route configuration on a Cisco PIX Firewall: route outside 0.0.0.0 0.0.0.0 192.168.1.3 1 The 1 at the end indicates that the gateway router is only one hop away. If a metric is not specified in the route command, the default is 1. You can configure only one default route on the PIX Firewall. It is good practice to use the clear arp command to clear the PIX Firewall's ARP cache before testing your new route configuration. Specifies the number of hops to gateway_ip. metric The IP address of the next-hop address. Usually this is the IP address of the perimeter router. gateway_ip The network mask of the IP address to be routed. netmask The IP address to be routed. ip_address The name of the interface where the data leaves from. if_name Description Command Parameter
53. Summary Table provides a quick reference to the commands needed to configure the Cisco PIX Firewall, time server and NTP support, and the DNS server. Lets you specify the time, month, day, and year for use with time-stamped syslog messages. clock Synchronizes the PIX Firewall with the network time server that is specified and authenticates according to the authentication options that are set. ntp server Controls the DHCP server feature. dhcpd Enables IP routing table updates from received RIP broadcasts. rip Displays the current configuration on the terminal. write terminal Used to enter a default or static route for an interface. route Defines a pool of global addresses. The global addresses in the pool provide an IP address for each outbound connection and for inbound connections resulting from outbound connections. Ensure that associated nat and global command statements have the same nat_id . global Lets you associate a network with a pool of global IP addresses. nat Identifies addresses for network interfaces and lets you set how many times the PIX Firewall polls for DHCP information. ip address Lets you name interfaces and assign security levels. nameif Identifies the speed and duplex settings of the network interface boards. interface Specifies to activate a process, mode, or privilege level. enable Descriptions Commands
NOTE: it is important to note that Cisco no longer provides a vulnerability scanning product/service (though many have suggested we should re-enter this mkt segment) Make point that all these security aspects relate to networking function. Without the network, most security breaches could not happen. For that reason the network security is clearly a major component of any security system.
nat (inside) 1 0.0.0.0 0.0.0.0 nat (inside) 2 192.168.3.0 255.255.255.0 Permit all inside users to start outbound connections using the translated IP addresses from the global pool. global (outside) 1 209.165.201.6-209.165.201.8 netmask 255.255.255.224 global (outside) 2 209.165.200.225-209.165.200.254 netmask 255.255.255.224 Create pools of global addresses to let the nat command statements use the address pools for translating internal IP addresses to external addresses. Each pool is designated by the number from the nat command statement, in this case, 1 and 2.
The Cut-Through feature of the PIX firewall allows authentication with a AAA server of users that traverse the firewall to access internal servers. This check does not require special software on either client nor server side. The PIX terminates the incoming session, sends an authentication request to the user, and forwards the user’s username and password to the AAA server. This server checks the credentials of the user and tells the PIX whether the user is authorised or not. All subsequent connections from this users can then be let through without further authentication (until a defined timeout). User authentication and authorization starts with your security policy and the respective inside RADIUS or TACACS+ server that you have. Authentication verifies that a user is who they say they are. Authorization determines what services a user can use to access a host. From the configuration on this server you need to determine which users can access the network, which services they can use, and what hosts they can access. Once you have this information, you can configure the PIX Firewall to either enable or disable authentication or authorization. In addition, you can also configure the firewall to permit users access to specific hosts or services. However, if you configure the firewall to this degree, you risk the information being different between the authentication server and the firewall. After you enable authentication and authorization, the PIX Firewall provides credential prompts to inbound or outbound users for FTP, Telnet, or HTTP (Web) access. The actual decision about who can access the system and with what services is handled by the authentication and authorization servers.
As opposed to a router, the PIX does not by default forward packets. In fact there is only a small number of defined ways packets can traverse the PIX. Other ways are by default denied. These ways are: 1. Inside to Outside: If a user from the inside starts a connection to the outside (or to be more precise, to an interface with a lower security level), this connection will by default be permitted, and the return packets of this connection too. This can be limited with the “outbound” and “apply” commands. 2. User Authentication: This is the cut-through proxy feature that will be treated in more detail later in the presentation. Typically used from a lower security level to a higher one. Interaction with a AAA server is used for authentication. 3. Conduit: This is a kind of tunnel to allow outside users to access inside resources without defining the outside. Typical application is giving access to a web server to the Internet. Since version 5.0 there is an additional way through the PIX, namely access lists. The functionality is similar to conduits. The reason that this command has been added is IPSec, it does on this level strictly speaking not add functionality, but only in conjunction with IPSec, where access lists are used to define traffic to be secured by IPSec.
The alias command translates one address into another. Use this command to prevent conflicts when you have IP addresses on a network that are the same as those on the Internet or another intranet. You can also use this command to do address translation on a destination address. For example, if a host sends a packet to 192.150.50.1, you can use alias to redirect traffic to another address, such as, 192.150.50.42. Note: You can use the sysopt nodnsalias command to disable inbound embedded DNS A record fixups according to aliases that apply to the A record address and outbound replies. After changing or removing an alias command statement, use the clear xlate command. There must be an A (address) record in the DNS zone file for the "dnat" address in the alias command. The alias command has two uses which can be summarized in the following ways of reading an alias command statement: If the PIX Firewall gets a packet destined for the dnat_IP_address, send it to the foreign_IP_address. If' the PIX Firewall gets a DNS packet returned to the PIX Firewall destined for foreign_network_address, alter the DNS packet to change the foreign network address to dnat_network_address.
The main use of the alias feature is dual NAT, in situations where for example two offices with overlapping address ranges need to communicate over the Internet. In this case the overlapping address range of the remote office can be mapped to a different, free, address range by the PIX. The content of the DNS queries will be changed as well by the PIX, but not the content of the zone transfers. For this reason DNS queries for this address range must be resolved outside the PIX. This feature can also be used for re-routing. In this case, the internal DNS server must point to an external address, so that traffic will be sent to the PIX instead of the internal network.
To access an alias dnat_ip address with static and conduit command statements, specify the dnat_ip address in the conduit command statement as the address from which traffic is permitted from. The example above illustrates this note: Usage: Administer overlapping addresses with dual NAT. (Configuration mode.) alias [(if_name)] dnat_ip foreign_ip [netmask] no alias [[(if_name)] dnat_ip foreign_ip [netmask]] show alias Syntax Description if_name The internal network interface name in which the foreign_ip overlaps. dnat_ip An IP address on the internal network that provides an alternate IP address for the external address that is the same as an address on the internal network. foreign_ip IP address on the external network that has the same address as a host on the internal network. Netmask Network mask applied to both IP addresses. Use 255.255.255.255 for host masks.
A conduit command statement creates an exception to the PIX Firewall Adaptive Security mechanism by permitting connections from one firewall network interface to access hosts on another. The clear conduit command removes all conduit command statements from your configuration. The conduit command can permit or deny access to either the global or static commands; however, neither is required for the conduit command. You can associate a conduit command statement with a global or static command statement through the global address, either specifically to a single global address, a range of global addresses, or to all global addresses. When used with a static command statement, a conduit command statement permits users on a lower security interface to access a higher security interface. When not used with a static command statement, a conduit command statement permits both inbound and outbound access. If you associate a conduit command statement with a static command statement, only the interfaces specified on the static command statement have access to the conduit command statement. For example, if a static command statement lets users on the dmz interface access a server on the inside interface, only users on the dmz interface can access the server via the static command statement. Users on the outside do not have access. Note: The conduit command statements are processed in the order entered into the configuration. After changing or removing a conduit command statement, use the clear xlate command. You can remove a conduit command statement with the no conduit command. Use the show conduit command to view the conduit command statements in the configuration.
Failover lets you add a secondary PIX Firewall that takes control if the Primary unit fails. With version 5.0, you can choose the Stateful Failover option if you have100 Mbps LAN interfaces so that connection states are automatically relayed between the two units. Both units in a failover pair communicate through the failover cable, which is a modified RS-232 serial link cable that transfers data at 9600 baud. The data provides the unit identification of Primary or Secondary, the power status of the other unit, and serves as a communication link for various failover communications between the two units. The two units send special failover "hello" packets to each other over all network interfaces and the failover cable every 15 seconds. The failover feature in PIXFirewall monitors failover communication, the power status of the other unit, and hello packets received at each interface. If two consecutive hello packets are not received within a time determined by the failover feature, failover starts testing the interfaces to determine which unit has failed, and transfers active control to the Standby unit. When a failover occurs, each unit changes state. The newly Active unit assumes the IP and MAC addresses of the previously Active unit and begins accepting traffic. The new Standby unit assumes the failover IP and MAC addresses of the unit that was previously the Active unit. Because network devices see no change in these addresses, no ARP entries change or timeout anywhere on the network. If you are using Stateful Failover, connection states are relayed from the Primary unit to the Secondary unit. Without Stateful Failover, the Standby unit does not maintain the state information of each connection. This means that all active connections will be dropped when failover occurs and that client systems must reestablish connections.
The unit that has the cable end labeled "primary" becomes the default Primary unit. Configure a failover IP address for each interface on the Active unit using the ip address command. From the Active unit, configure a failover IP address for each interface on the Standby unit using the failover ip address command. Use the failover command without an argument after you connect the optional failover cable between your primary firewall and a secondary firewall. The default is the failover off command. Use the failover link command to enable Stateful Failover. If you are not using the failover feature, enter the no failover command in the configuration file for the PIX Firewall if you will not be using the failover feature. Use the failover timeout command to specify the length of time during which if a failover occurs, the Standby unit lets certain traffic through without requiring a prior xlate to exist. Use the show failover command to verify the status of the connection and to determine which unit is active. PIX Firewall configurations using failover require a separate IP address for each network interface on the Standby unit. The system IP address is the address of the Active unit. When the show ip address command is executed on the Active unit, the current IP address is the same as the system IP address. When the show ip address command is executed on the Standby unit, the system IP address is the failover IP address configured for the Standby unit. Use the write standby command to manually save the configuration of the active failover unit to the standby failover unit from RAM to RAM.You can force an update by using the write standby command on the Active unit. If you make changes to the Standby unit, it displays a warning but does not update the Active unit. To save the configuration of the Active unit to Flash memory (permanent memory) on the Standby unit, use the write memory command on the Active unit. The write memory command results are replicated on the Standby unit.