Presentation is loading. Please wait.

Presentation is loading. Please wait.

© 2004, Cisco Systems, Inc. All rights reserved. CSPFA 3.2—9-1 Lesson 9 Advanced Protocol Handling.

Published byVirgil Horton Modified over 7 years ago

Similar presentations

Presentation on theme: "© 2004, Cisco Systems, Inc. All rights reserved. CSPFA 3.2—9-1 Lesson 9 Advanced Protocol Handling."— Presentation transcript:

1 © 2004, Cisco Systems, Inc. All rights reserved. CSPFA 3.2—9-1 Lesson 9 Advanced Protocol Handling

2 © 2004, Cisco Systems, Inc. All rights reserved. CSPFA 3.2—9-2 Objectives

3 © 2004, Cisco Systems, Inc. All rights reserved. CSPFA 3.2—9-3 Objectives Upon completion of this lesson, you will be able to perform the following tasks: Describe the need for advanced protocol handling. Describe the fixup protocol command. Describe how the PIX Firewall handles FTP, RSH, and SQL*Net traffic. Configure FTP, RSH, and SQL*Net fixup protocols. Describe the issues with multimedia applications. Describe how the PIX Firewall handles RTSP and H.323 multimedia protocols. Configure RTSP and H.323 fixup protocols. Describe how the PIX Firewall supports call handling sessions and VoIP call signaling.

4 © 2004, Cisco Systems, Inc. All rights reserved. CSPFA 3.2—9-4 Advanced Protocols

5 © 2004, Cisco Systems, Inc. All rights reserved. CSPFA 3.2—9-5 Need for Advanced Protocol Handling Some popular protocols or applications behave as follows: –Negotiate connections to dynamically assigned source or destination ports or to IP addresses. –Embed source or destination port or IP address information above the network layer. A good firewall has to inspect packets above the network layer and do the following as required by the protocol or application: –Securely open and close negotiated ports or IP addresses for legitimate client-server connections through the firewall. –Use NAT-relevant instances of IP addresses inside a packet. –Use PAT-relevant instances of ports inside a packet. –Inspect packets for signs of malicious application misuse.

6 © 2004, Cisco Systems, Inc. All rights reserved. CSPFA 3.2—9-6 fixup Command Server Client Control port 2008 Data port 2010 Data port 20 Control port 21 Port 2010 Port 2010 OK Data NO FTP protocol fixup TCP S/21- C/2008 TCP S/20- ???? X Server Client Control port 2008 Data port 2010 Data port 20 Control port 21 Port 2010 Port 2010 OK Data FTP protocol fixup TCP S/21- C/2008 TCP S/20- C/2010 PIX Firewall opens return port for dataNo return port for data

7 © 2004, Cisco Systems, Inc. All rights reserved. CSPFA 3.2—9-7 DNS Fixup DNS server Client 105053 UDP A/1050-> B/53 Monitors all UDP transactions on port 53: Tracks DNS request ID and opens a connection slot Closes connection slot immediately after answer is received Optionally, performs translation of embedded IP addresses - Prior to version 6.2 — alias command - Version 6.2 or later — DNS record translation Request Response

8 © 2004, Cisco Systems, Inc. All rights reserved. CSPFA 3.2—9-8 DNS Doctoring with the alias Command Student PC pix1(config)# nat (inside) 1 10.0.0.0 255.255.255.0 pix1(config)# global (outside) 1 192.168.0.20-192.168.0.254 netmask 255.255.255.0 pix1(config)# static (inside,outside) 192.168.0.17 10.0.0.10 pix1(config)# access-list all permit tcp any host 192.168.0.17 eq www pix1(config)# alias (inside) 10.0.0.10 192.168.0.17 255.255.255.255 192.168.0.20 10.0.0.5 (Host) 192.168.0.17 10.0.0.10 (DNS) Source: 172.26.26.50 Destination: 10.0.0.5 192.168.0.0.2.1 172.26.26.0.50 DNS server 10.0.0.0 Web server www.cisco.com.10 http://www.cisco.com.5 2 1 10.0.0.5 192.168.0.20 Who is www.cisco.com? Source: 192.168.0.20 Destination: 172.26.26.50 cisco.com=192.168.0.17 Source: 172.26.26.50 Destination: 192.168.0.20 3 4

9 © 2004, Cisco Systems, Inc. All rights reserved. CSPFA 3.2—9-9 DNS Record Translation Student PC pix1(config)# nat (inside) 1 10.0.0.0 255.255.255.0 dns pix1(config)# global (outside) 1 192.168.0.20-192.168.0.254 netmask 255.255.255.0 pix1(config)# static (inside,outside) 192.168.0.17 10.0.0.10 dns pix1(config)# access-list all permit tcp any host 192.168.0.17 eq www 192.168.0.0.2.1 Web client.1 172.26.26.0.50 DNS server 10.0.0.0 Web server cisco.com.10 http://cisco.com.5 2 1 10.0.0.5 192.168.0.20 Who is cisco.com? Source: 192.168.0.20 Destination: 172.26.26.50 cisco.com=192.168.0.17 Source: 172.26.26.50 Destination: 192.168.0.20 3 192.168.0.20 10.0.0.5 (host) 192.168.0.17 10.0.0.10 (DNS) Source: 172.26.26.50 Destination: 10.0.0.5 4

10 © 2004, Cisco Systems, Inc. All rights reserved. CSPFA 3.2—9-10 Active Mode FTP Active mode FTP uses two channels: –Client-initiated command connection (TCP) –Server-initiated data connection (TCP) For outbound connections, the PIX Firewall handles active mode FTP by opening a temporary inbound channel for the data. For inbound connections, if an FTP ACL exists, the PIX Firewall handles active mode FTP as follows: –If outbound traffic is allowed, no special handling is required. –If outbound traffic is not allowed, it opens a temporary outbound connection for the data. Server Client Control port 2008 Data port 2010 Data port 20 Control port 21 Data - Port 2010 Port 2010 OK Data Server Client Control port 2008 Data port 2010 Data port 20 Control port 21 Data - Port 2010 Port 2010 OK Data

11 © 2004, Cisco Systems, Inc. All rights reserved. CSPFA 3.2—9-11 Passive Mode FTP PFTP uses two channels: –Client-initiated command connection (TCP) –Client-initiated data connection (TCP) For outbound connections, the PIX Firewall handles PFTP as follows: –If outbound traffic is allowed, no special handling is required. –If outbound traffic is not allowed, it opens an outbound port for the data channel. For inbound connections if an FTP ACL exists, the PIX Firewall opens an inbound port for the data channel. Data port 1490 Passive OK port 1490 Server Client Control port 2008 Data port 2010 Control port 21 Outbound PFTP? Data port 1490 Passive OK port 1490 Server Client Control port 2008 Data port 2010 Control port 21 Inbound PFTP? Data

12 © 2004, Cisco Systems, Inc. All rights reserved. CSPFA 3.2—9-12 FTP Fixup Configuration Use FTP fixup to change port numbers (default = 21). When FTP fixup is disabled: –Outbound active mode FTP will not work. –Inbound active mode FTP will work if ACL exists. –Outbound PFTP will work if not explicitly disallowed. –Inbound PFTP will not work. fixup protocol ftp [strict] port [-port] pixfirewall (config)# pixfirewall(config)# fixup protocol ftp 2021 1490 Passive OK port 1490 Server Client 2008201021 Outbound PFTP? Data Server Client 200820102021 Inbound Active FTP Port 2010 OK Data Active mode FTP PFTP

13 © 2004, Cisco Systems, Inc. All rights reserved. CSPFA 3.2—9-13 Remote Shell RSH uses two channels: –Client-initiated command connection (TCP). –Server-initiated standard error connection (TCP). For outbound connections, the PIX Firewall opens an inbound port for standard error output. For inbound connections if an RSH ACL exists, the PIX Firewall handles RSH as follows: –If outbound traffic is allowed, no special handling is required. –If outbound traffic is not allowed, it opens the outbound port for standard error output. Outbound connection request Port 2010 OK Standard error output 1490 Server Client 20082010514 Inbound connection request Port 2010 OK Standard error output 149020082010514 Server Client

14 © 2004, Cisco Systems, Inc. All rights reserved. CSPFA 3.2—9-14 Outbound connection request Port 2010 OK Standard error output 1490 Server Client 20082010514 Inbound connection request Port 2010 OK Standard error output Server Client 1490 2008 2010514 Defines ports for RSH connections (default = 514)—Dynamically opens a port for RSH standard error connections. If RSH fixup is disabled: –Inbound RSH will work if ACL exists. –Outbound RSH will not work. pixfirewall (config)# fixup protocol rsh port [-port] X pixfirewall(config)# fixup protocol rsh 1540 RSH Fixup Configuration

15 © 2004, Cisco Systems, Inc. All rights reserved. CSPFA 3.2—9-15 SQL*Net Initially the client connects to a well-known port on the server. –Oracle uses port 1521. –IANA-compliant applications use port 66. The server may assign another port or another host to serve the client. For outbound connections, the PIX Firewall handles SQL*Net connections as follows: –If outbound traffic is allowed, no special handling is required. –If outbound traffic is not allowed, it opens an outbound port for a redirected channel. For inbound connections if an ACL exists, the PIX Firewall opens an inbound port for a redirected channel. 200810301521 Outbound TCP: Connection request Redirect port = 1030 TCP: Tear down TCP: Connection request Server Client 200810301521 Inbound TCP: Connection request Redirect port = 1030 TCP: Tear down TCP: Connection request Server Client

16 © 2004, Cisco Systems, Inc. All rights reserved. CSPFA 3.2—9-16 SQL*Net Fixup Configuration Defines ports for SQL*Net connections (default = 1521): –Use the fixup command to change the port number –Oracle uses port 1521—IANA-compliant applications use port 66. If disabled: –Outbound SQL*Net is allowed if not explicitly disallowed. –Inbound SQL*Net is disallowed. fixup protocol sqlnet port [-port] pixfirewall (config)# 200810301521 Outbound TCP: Connection request Redirect port = 1030 TCP: Tear down TCP: Connection request Server Client 200810301521 Inbound TCP: Connection request Redirect port = 1030 TCP: Tear down TCP: Connection request Server Client pixfirewall(config)# fixup protocol sqlnet 66

17 © 2004, Cisco Systems, Inc. All rights reserved. CSPFA 3.2—9-17 Multimedia Support

18 © 2004, Cisco Systems, Inc. All rights reserved. CSPFA 3.2—9-18 Additional UDP or TCP high ports may be opened. TCP or UDP request Why Multimedia Is an Issue Multimedia applications behave in unique ways: –Use dynamic ports –Transmit request using TCP and get responses in UDP or TCP –Use same port for source and destination The PIX Firewall: –Dynamically opens and closes ports for secure multimedia connections –Supports multimedia with or without NAT

19 © 2004, Cisco Systems, Inc. All rights reserved. CSPFA 3.2—9-19 Real-Time Streaming Protocol Real-time audio and video delivery protocol uses one TCP and two UDP channels. Transport options: –RTP –RDT Sync or resend channel: –RTCP –UDP resend RTSP-TCP-only mode does not require special handling by the PIX Firewall. Supported applications: –Cisco IP/TV –Apple QuickTime 4 –RealNetworks: RealAudio RealPlayer RealServer RDT multicast not supported

20 © 2004, Cisco Systems, Inc. All rights reserved. CSPFA 3.2—9-20 Standard RTP Mode In standard RTP mode, RTP uses three channels: –Control connection (TCP) –RTP data (simplex UDP) –RTCP reports (duplex UDP) For outbound connections, the PIX Firewall opens inbound ports for RTP data and RTCP reports. For inbound connections if an ACL exists, the PIX Firewall handles standard RTP mode as follows: –If outbound traffic is allowed, no special handling is required. –If outbound traffic is not allowed, it opens outbound ports for RTP and RTCP. 200830575000554 Outbound TCP: Control Setup transport = rtp/avp/udp 30565001 UDP: RTCP reports UDP: RTP data Server Client 200830575000554 Inbound TCP: Control Setup transport = rtp/avp/udp 30565001 UDP: RTCP reports UDP: RTP data Server Client

21 © 2004, Cisco Systems, Inc. All rights reserved. CSPFA 3.2—9-21 RealNetworks RDT Mode In RealNetworks RDT mode, RTSP uses three channels: –Control connection (TCP) –UDP data (simplex UDP) –UDP resend (simplex UDP) For outbound connections, the PIX Firewall handles RealNetworks RDT mode as follows: –If outbound traffic is allowed, it opens an inbound port for UDP data. –If outbound traffic is not allowed, it opens an inbound port for UDP data and an outbound port for UDP resend. For inbound connections if an ACL exists, the PIX Firewall handles RealNetworks RDT mode as follows: –If outbound traffic is allowed, it opens an inbound port for UDP resend. –If outbound traffic is not allowed, it opens an outbound port for UDP data and an inbound port for UDP resend. 2008554 Outbound TCP: Control UDP: Resend Setup transport= x-real-rdt/udp UDP: Data Server Client 2008554 Inbound TCP: Control UDP: Resend Setup transport= x-real-rdt/udp UDP: Data Server Client

22 © 2004, Cisco Systems, Inc. All rights reserved. CSPFA 3.2—9-22 RTSP Fixup Configuration By default, the PIX Firewall inspects RTSP connections. RTSP dynamically opens UDP connections as required. If disabled: –UDP transport modes are disallowed. –TCP transport modes are allowed (TCP connection rules apply). fixup protocol rtsp port [-port] pixfirewall (config)# pixfirewall(config)# fixup protocol rtsp 554 2008554 Outbound TCP: Control UDP: Resend Setup transport= x-real-rdt/udp UDP: Data Server Client 2008554 Inbound TCP: Control UDP: Resend Setup transport= x-real-rdt/udp UDP: Data Server Client

23 © 2004, Cisco Systems, Inc. All rights reserved. CSPFA 3.2—9-23 H.323 Fixup Configuration Defines ports for H.323 connections (default = 1720) H.323: –Uses signaling channel (H.225/Q.931) –Negotiates endpoint capabilities (H.245) –Opens dynamic media sessions (RTP/RTCP) If disabled, H.323 applications disallowed fixup protocol h323 [h255 | ras] port [-port] pixfirewall (config)# pixfirewall(config)# fixup protocol h323 1720 H.225—Call signal H.245—Capabilities RTCP session Gatekeeper Client 2008 1720 RTP sessions

24 © 2004, Cisco Systems, Inc. All rights reserved. CSPFA 3.2—9-24 SIP Fixup Configuration Enables SIP Default port = 5060 Enables PIX Firewall to support any SIP VoIP gateways and VoIP proxies –Signaling mechanism (SIP) –Multimedia (RTP / RTCP) fixup protocol sip port [-port] pixfirewall (config)# pixfirewall(config)# fixup protocol sip 5060 Outbound SIP RTP RTCP IP Phone 20085060 IP Phone

25 © 2004, Cisco Systems, Inc. All rights reserved. CSPFA 3.2—9-25 SCCP Fixup Configuration Supports SCCP protocol used by Cisco IP Phones Enables SCCP signaling and media packets to traverse the PIX Firewall (default port 2000) Dynamically opens negotiated ports for media sessions Can coexist in an H.323 environment fixup protocol skinny port [-port] pixfirewall (config)# pixfirewall(config)# fixup protocol skinny 2000 Phone to Call Manager Call Manager to phone RTCP Call Manager 20006058 IP Phone PIX Firewall 501 SOHO RTP

26 © 2004, Cisco Systems, Inc. All rights reserved. CSPFA 3.2—9-26 CTIQBE Fixup Configuration Supports CTIQBE protocol used by Cisco IP SoftPhones for desktop or laptop PC applications, such as collaboration Enables signaling and media packets to traverse the PIX Firewall (default port 2748) Dynamically opens negotiated ports for media sessions Support disabled by default fixup protocol ctiqbe 2748 pixfirewall (config)# pixfirewall(config)# fixup protocol ctiqbe 2748 Phone to Call Manager Call Manager to phone RTCP Call Manager 27486058 SoftPhone PIX Firewall 501 SOHO RTP

27 © 2004, Cisco Systems, Inc. All rights reserved. CSPFA 3.2—9-27 MGCP Fixup Configuration Inspect messages passing between Call Agents and media gateways - Port 2427 on which gateway receives commands - Port 2727 on which Call Agent receives commands Dynamically opens negotiated ports for media sessions Disabled by default fixup protocol mgcp port [-port] pixfirewall (config)# pixfirewall(config)# fixup protocol mgcp 2427 pixfirewall(config)# fixup protocol mgcp 2727 Call Agent to gateway Gateway to Call Agent RTCP Media gateway 2427 2727 RTP Call Agent

28 © 2004, Cisco Systems, Inc. All rights reserved. CSPFA 3.2—9-28 Summary

29 © 2004, Cisco Systems, Inc. All rights reserved. CSPFA 3.2—9-29 Summary The fixup command enables you to view, change, enable, or disable the use of a service or protocol. The PIX Firewall uses special handling for some advanced protocols: FTP, RSH, and SQL*Net. The PIX Firewall handles multimedia protocols such as RTSP, RTP, SCCP, SIP, MGCP, H.323, and so on. The PIX Firewall SIP fixup supports call handling sessions. The PIX Firewall SCCP fixup supports VoIP call signaling. You can change the port value for each protocol, including the multimedia protocols; however, you should not change the port values for RSH and SIP.

30 © 2004, Cisco Systems, Inc. All rights reserved. CSPFA 3.2—9-30 Lab Exercise

31 © 2004, Cisco Systems, Inc. All rights reserved. CSPFA 3.2—9-31 192.168.Q.0 192.168.P.0 Lab Visual Objective Student PC.2.1 Student PC PIX Firewall Web/FTP CSACS.1.2.1 PIX Firewall.1 Local: 10.0.P.11 Local: 10.0.Q.11 10.0.P.0 10.0.Q.0 RTS.100 RTS.100 Pods 1–5 Pods 6–10 172.26.26.0.150.50 Web/FTP RBB.2 “bastionhost”: Web/FTP 172.16.P.0172.16.Q.0 “bastionhost”: Web/FTP.1

Download ppt "© 2004, Cisco Systems, Inc. All rights reserved. CSPFA 3.2—9-1 Lesson 9 Advanced Protocol Handling."

Similar presentations

© 2004, Cisco Systems, Inc. All rights reserved.

© 2004, Cisco Systems, Inc. All rights reserved.
©2012 ClearOne Communications. Confidential and proprietary. COLLABORATE ® Video Conferencing Networking Basics.

©2012 ClearOne Communications. Confidential and proprietary. COLLABORATE ® Video Conferencing Networking Basics.
Voice over IP Fundamentals

Voice over IP Fundamentals
Security in VoIP Networks Juan C Pelaez Florida Atlantic University Security in VoIP Networks Juan C Pelaez Florida Atlantic University.

Security in VoIP Networks Juan C Pelaez Florida Atlantic University Security in VoIP Networks Juan C Pelaez Florida Atlantic University.
29.1 Chapter 29 Multimedia Copyright © The McGraw-Hill Companies, Inc. Permission required for reproduction or display.

29.1 Chapter 29 Multimedia Copyright © The McGraw-Hill Companies, Inc. Permission required for reproduction or display.
© 2003, Cisco Systems, Inc. All rights reserved. FNS 1.0—12-1 111 © 2003, Cisco Systems, Inc. All rights reserved.

© 2003, Cisco Systems, Inc. All rights reserved. FNS 1.0— © 2003, Cisco Systems, Inc. All rights reserved.
© 2007 Cisco Systems, Inc. All rights reserved.Cisco Public 1 Version 4.0 Network Services Networking for Home and Small Businesses – Chapter 6.

© 2007 Cisco Systems, Inc. All rights reserved.Cisco Public 1 Version 4.0 Network Services Networking for Home and Small Businesses – Chapter 6.
1 © 2005 Cisco Systems, Inc. All rights reserved. 111 © 2004, Cisco Systems, Inc. All rights reserved.

1 © 2005 Cisco Systems, Inc. All rights reserved. 111 © 2004, Cisco Systems, Inc. All rights reserved.
© 2006 Cisco Systems, Inc. All rights reserved. Implementing Secure Converged Wide Area Networks (ISCW) Module 6: Cisco IOS Threat Defense Features.

© 2006 Cisco Systems, Inc. All rights reserved. Implementing Secure Converged Wide Area Networks (ISCW) Module 6: Cisco IOS Threat Defense Features.
CISCO PIX FIREWALL Configuration for DCSL Tuan Anh Nguyen CSCI 5234 University of Houston Clear Lake Fall Semester, 2005.

CISCO PIX FIREWALL Configuration for DCSL Tuan Anh Nguyen CSCI 5234 University of Houston Clear Lake Fall Semester, 2005.
Chapter 8 PIX Firewall. Adaptive Security Algorithm (ASA)  Used by Cisco PIX Firewall  Keeps track of connections originating from the protected inside.

Chapter 8 PIX Firewall. Adaptive Security Algorithm (ASA)  Used by Cisco PIX Firewall  Keeps track of connections originating from the protected inside.
3. VoIP Concepts.

3. VoIP Concepts.
IP Ports and Protocols used by H.323 Devices Liane Tarouco.

IP Ports and Protocols used by H.323 Devices Liane Tarouco.
Cisco PIX firewall Set up 3 security zones ***CS580*** John Trafecanty Jules R. Nya Baweu August 23, 2005.

Cisco PIX firewall Set up 3 security zones ***CS580*** John Trafecanty Jules R. Nya Baweu August 23, 2005.
Page 1 NAT & VPN Lecture 8 Hassan Shuja 05/02/2006.

Page 1 NAT & VPN Lecture 8 Hassan Shuja 05/02/2006.
1 How Streaming Media Works Bilguun Ginjbaatar IT 665 Nov 14, 2006.

1 How Streaming Media Works Bilguun Ginjbaatar IT 665 Nov 14, 2006.
Multimedia Over IP: RTP, RTCP, RTSP “Computer Science” Department of Informatics Athens University of Economics and Business Λουκάς Ελευθέριος.

Multimedia Over IP: RTP, RTCP, RTSP “Computer Science” Department of Informatics Athens University of Economics and Business Λουκάς Ελευθέριος.
TCP/IP Protocol Suite 1 Chapter 25 Upon completion you will be able to: Multimedia Know the characteristics of the 3 types of services Understand the methods.

TCP/IP Protocol Suite 1 Chapter 25 Upon completion you will be able to: Multimedia Know the characteristics of the 3 types of services Understand the methods.
Crossing firewalls Liane Tarouco Leandro Bertholdo RNP POP/RS.

Crossing firewalls Liane Tarouco Leandro Bertholdo RNP POP/RS.
1 © 2005 Cisco Systems, Inc. All rights reserved. 111 © 2004, Cisco Systems, Inc. All rights reserved.

1 © 2005 Cisco Systems, Inc. All rights reserved. 111 © 2004, Cisco Systems, Inc. All rights reserved.

Similar presentations

Ads by Google