
Slide 1: © 2005 Cisco Systems, Inc. All rights reserved.

Slide 2: Network Security 1 – Module 9: Configure Filtering on a PIX Security Appliance

Slide 3: Learning Objectives
– 9.1 Configure ACLs and Content Filters
– 9.2 Object Grouping
– 9.3 Configure a Security Appliance Modular Policy
– 9.4 Configure Advanced Protocol Inspection

Slide 4: Module 9 – Configure Filtering on a PIX Security Appliance
9.1 Configure ACLs and Content Filters

Slide 5: PIX Security Appliance ACLs

Slide 6: access-list command

Slide 7: access-group command

Slide 8: nat 0 access-list command

Slide 9: ACL Line Numbers

Slide 10: icmp command

Slide 11: NAT 0 ACLs – NAT Zero or No NAT

Slide 12: Turbo ACL – not supported by PIX 7.x OS
pixfirewall(config)# access-list compiled
– Enables the Turbo ACL feature on all ACLs.
pixfirewall(config)# access-list acl_ID compiled
– Enables the Turbo ACL feature for a specific ACL.
Turbo compiles all ACLs with 19 or more entries.

Slide 13: Java Applet Filtering
– Java applet filtering enables an administrator to prevent the downloading of Java applets by an inside system.
– Java programs can provide a vehicle through which an inside system can be invaded.
– Java applets are executable programs that are banned within some security policies.

Slide 14: ActiveX Blocking
– ActiveX controls are applets that can be inserted in web pages or other applications.
– ActiveX controls can provide a way for someone to attack servers.
– The PIX Security Appliance can be used to block ActiveX controls.

Slide 15: filter activex | java Command
pixfirewall(config)# filter activex | java port[-port] local_ip mask foreign_ip mask
– filter activex filters ActiveX usage out of outbound packets.
– filter java filters out Java applets that return to the PIX Security Appliance from an outbound connection.

Slide 16: Designate the URL-Filtering Server
pixfirewall(config)# url-server [(if_name)] [vendor websense] host local_ip [timeout seconds] [protocol TCP | UDP version [1 | 4]]
– Designates a server that runs a Websense URL-filtering application.
pixfirewall(config)# url-server [(if_name)] vendor n2h2 host local_ip [port number] [timeout seconds] [protocol TCP | UDP]
– Designates a server that runs an N2H2 URL-filtering application.
Example:
pixfirewall(config)# url-server (dmz) host protocol TCP version 4
– The URL-filtering host is on the DMZ interface at IP address [not shown]. The PIX Security Appliance performs a username lookup and then the URL-filtering server handles URL filtering and username logging.

Slide 17: Configure the PIX Security Appliance to Work with a URL-Filtering Server
pixfirewall(config)# filter url port[-port] | except local_ip local_mask foreign_ip foreign_mask [allow] [proxy-block] [longurl-truncate | longurl-deny] [cgi-truncate]
– Tells the PIX Security Appliance how to filter requests.
– Prevents outbound users from accessing URLs that are designated with the URL-filtering application.
Example:
pixfirewall(config)# filter url http allow
– Sends outbound HTTP requests to the URL-filtering server for a verdict. Note that the allow keyword makes the filter fail open: if the URL server is unreachable, requests are passed unchecked. Omit it where policy requires fail-closed behaviour.

Slide 18: Module 9 – Configure Filtering on a PIX Security Appliance
9.2 Object Grouping

Slide 19: Grouping Objects of Similar Types
– Services (SMTP, FTP) → object group MYSERVICES
– Protocols (UDP, IPSec) → object group MYPROTOCOLS
– Networks/Hosts (subnet, hosts) → object group MYCLIENTS
– ICMP-type → object group PING

Slide 20: Using Object Groups in ACLs
A single access-list entry that references object groups:
pixfirewall(config)# access-list ACLOUT permit object-group MYPROTOCOLS object-group CLIENTS object-group SERVERS
stands for the twelve individual entries below (addresses are not shown in the transcript):
pixfirewall(config)# access-list ACLOUT permit tcp host
pixfirewall(config)# access-list ACLOUT permit icmp host
pixfirewall(config)# access-list ACLOUT permit tcp host
pixfirewall(config)# access-list ACLOUT permit icmp host
pixfirewall(config)# access-list ACLOUT permit tcp host host
pixfirewall(config)# access-list ACLOUT permit icmp host host
pixfirewall(config)# access-list ACLOUT permit tcp host host
pixfirewall(config)# access-list ACLOUT permit icmp host host
pixfirewall(config)# access-list ACLOUT permit tcp host host
pixfirewall(config)# access-list ACLOUT permit icmp host host
pixfirewall(config)# access-list ACLOUT permit tcp host host
pixfirewall(config)# access-list ACLOUT permit icmp host host

Slide 21: Using Object Groups in ACLs
Pix1(config)# object-group ?
configure mode commands/options:
  icmp-type  Specifies a group of ICMP types, such as echo
  network    Specifies a group of host or subnet IP addresses
  protocol   Specifies a group of protocols, such as TCP, etc
  service    Specifies a group of TCP/UDP ports/services
Pix1(config)# object-group network INSIDE-HOSTS
Pix1(config-network)# network-object
Pix1(config-network)# network-object host insidehost
Pix1(config-network)# show run
!
object-group network INSIDE-HOSTS
 network-object
 network-object
 network-object host insidehost

Slide 22: Using Object Groups in ACLs – Creating Groups of Services
Pix1(config)# object-group service SERV tcp
Pix1(config-service)# port-object eq 80
Pix1(config-service)# port-object eq https
Pix1(config-service)# port-object eq ftp
Pix1(config-service)# sh run
!
object-group service SERV tcp
 port-object eq www
 port-object eq https
 port-object eq ftp
!
Note that port 80, entered numerically, is displayed by its keyword www in the running configuration.

Slide 23: Nested Object Groups
Do not confuse the object-group command with the group-object command. The group-object command adds an existing object group as a member of another object group (nesting).
!
object-group network INSIDE-HOSTS
 network-object
 network-object host insidehost
object-group network DMZ-HOSTS
 network-object
 network-object
object-group network ALL-HOSTS
 group-object INSIDE-HOSTS
 group-object DMZ-HOSTS
!

Slide 24: Configuring and Using Object Groups
Complete the following tasks to create object groups and use them in your configuration:
– Task 1: Use the object-group command to enter the appropriate subcommand mode for the type of group you want to configure.
– Task 2: In subcommand mode, define the members of the object group.
– Task 3: (Optional) Use the description sub-command to describe the object group.
– Task 4: Use the exit or quit command to return to configuration mode.
– Task 5: (Optional) Use the show object-group command to verify that the object group has been configured successfully.
– Task 6: Reference the object group in an access-list command.
– Task 7: (Optional) Use the show access-list command to display the expanded access-list entries.

Slide 25: object-group Command
pixfirewall(config)# object-group network grp_id
– Assigns a name to a Network group and enables the Network subcommand mode.
pixfirewall(config)# object-group service grp_id tcp | udp | tcp-udp
– Assigns a name to a Service group and enables the Service subcommand mode.
pixfirewall(config)# object-group protocol grp_id
– Assigns a name to a Protocol group and enables the Protocol subcommand mode.
pixfirewall(config)# object-group icmp-type grp_id
– Assigns a name to an ICMP-type group and enables the ICMP-type subcommand mode.
Example:
pixfirewall(config)# object-group network CLIENTS
– Assigns the name CLIENTS to a Network group and enables the Network subcommand mode.

Slide 26: Configuring Network Object Groups
pixfirewall(config)# object-group network grp_id
– Assigns a name to the group and enables the Network sub-command mode.
pixfirewall(config-network)# network-object host host_addr | host_name
– Assigns hosts to the Network object group.
pixfirewall(config-network)# network-object net_addr netmask
– Assigns networks to the Network object group.
Example:
pixfirewall(config)# object-group network CLIENTS
pixfirewall(config-network)# network-object host
pixfirewall(config-network)# network-object
– Creates a Network object group named CLIENTS which consists of one host and one network (addresses are not shown in the transcript).

Slide 27: Configuring Service Object Groups
pixfirewall(config)# object-group service grp_id tcp | udp | tcp-udp
– Assigns a name to a Service group and enables the Service sub-command mode.
pixfirewall(config-service)# port-object eq service
– Assigns a single TCP or UDP port number to the Service object group.
pixfirewall(config-service)# port-object range begin_service end_service
– Assigns a range of TCP or UDP port numbers to the Service object group.
Example:
pixfirewall(config)# object-group service MYSERVICES tcp
pixfirewall(config-service)# port-object eq http
pixfirewall(config-service)# port-object eq ftp
– Creates a Service group named MYSERVICES, which contains HTTP and FTP.

Slide 28: Configuring Protocol Object Groups
pixfirewall(config)# object-group protocol grp_id
– Assigns a name to a Protocol group and enables the Protocol sub-command mode.
pixfirewall(config-protocol)# protocol-object protocol
– Assigns a protocol to the Protocol object group.
Example:
pixfirewall(config)# object-group protocol MYPROTOCOLS
pixfirewall(config-protocol)# protocol-object icmp
pixfirewall(config-protocol)# protocol-object tcp
– Creates a Protocol group named MYPROTOCOLS, which contains ICMP and TCP.

Slide 29: Configuring ICMP-Type Object Groups
pixfirewall(config)# object-group icmp-type grp_id
– Assigns a name to an ICMP-Type group and enables the icmp-type sub-command mode.
pixfirewall(config-icmp-type)# icmp-object icmp-type
– Assigns an ICMP message type to the object group.
Example:
pixfirewall(config)# object-group icmp-type PING
pixfirewall(config-icmp-type)# icmp-object echo
pixfirewall(config-icmp-type)# icmp-object echo-reply
– Creates an ICMP-Type group named PING which contains the echo and echo-reply message types.

Slide 30: Configuring Nested Object Groups
Complete the following steps to configure nested object groups:
– Step 1: Assign a group identity to the object group that you want to nest within another object group.
– Step 2: Add the appropriate type of objects to the object group.
– Step 3: Assign a group identity to the object group within which you want to nest another object group.
– Step 4: Add the first object group to the group that will contain it.
– Step 5: Add any other objects that are required to the group.

Slide 31: group-object Command
pixfirewall(config-group-type)# group-object object_group_id
– Nests an object group within another object group. The nested group must be of the same type (network, service, protocol or icmp-type) as the group that contains it.
Example:
pixfirewall(config)# object-group service SERVICESA tcp
pixfirewall(config-service)# port-object eq smtp
pixfirewall(config-service)# port-object eq ftp
pixfirewall(config-service)# exit
pixfirewall(config)# object-group service SERVICES tcp
pixfirewall(config-service)# group-object SERVICESA

Slide 32: access-list Command for Object Grouping
pixfirewall(config)# access-list acl_ID deny | permit object-group protocol_obj_grp_id object-group network_obj_grp_id [object-group service_obj_grp_id] object-group network_obj_grp_id object-group service_obj_grp_id
– Creates an access list entry containing object groups.
Example:
pixfirewall(config)# access-list ACLIN permit tcp object-group REMOTECLIENTS object-group LOCALSERVERS object-group MYSERVICES

Slide 33: Nested Object Group Example
pixfirewall(config)# object-group network HOSTGROUP1
pixfirewall(config-network)# network-object host
pixfirewall(config-network)# network-object host
pixfirewall(config-network)# exit
pixfirewall(config)# object-group network HOSTGROUP2
pixfirewall(config-network)# network-object host
pixfirewall(config-network)# network-object host
pixfirewall(config-network)# exit
pixfirewall(config)# object-group network ALLHOSTS
pixfirewall(config-network)# group-object HOSTGROUP1
pixfirewall(config-network)# group-object HOSTGROUP2
pixfirewall(config-network)# exit
pixfirewall(config)# access-list ALL permit tcp object-group ALLHOSTS any eq ftp
pixfirewall(config)# access-group ALL in interface inside

Slide 34: Multiple Object Groups in ACLs
pixfirewall(config)# show object-group
object-group network REMOTES
 network-object host
 network-object host
object-group network LOCALS1
 network-object host
 network-object host
object-group network LOCALS2
 network-object host
 network-object host
object-group network ALLLOCALS
 group-object LOCALS1
 group-object LOCALS2
object-group service BASIC
 port-object eq ftp
 port-object eq smtp
pixfirewall(config)# access-list INBOUND permit tcp object-group REMOTES object-group ALLLOCALS object-group BASIC
pixfirewall(config)# show static
static (inside,outside) netmask
static (inside,outside) netmask
static (inside,outside) netmask
static (inside,outside) netmask
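The expansions on slides 20 and 34 are worth working through mechanically, because the number of entries one object-grouped line turns into (and therefore what show access-list and the per-entry hit counters report) grows multiplicatively with every group it references. The following Python script is an added example, not Cisco code or course material: it resolves nested groups the way group-object does and expands a single access-list line into its flat entries. The group contents and IP addresses are constructed samples, since the transcript omits the real ones.

```python
"""Expand an object-grouped access-list entry into the flat entries it stands for.

Added example, not part of the Cisco course material: it reproduces what
`show access-list` displays for one access-list line that references object
groups, resolving group-object nesting as it goes. The group contents below
are a constructed sample; the slides themselves omit the real addresses.
"""
from itertools import product

# Constructed sample of the groups named on slides 20 and 34. Members are kept
# exactly as network-object / protocol-object / port-object would print them;
# a nested group (group-object) is recorded as ("group", name).
NETWORK_GROUPS = {
    # slide 20: one subnet and two hosts talking to two servers
    "CLIENTS": ["10.0.0.0 255.255.255.0", "host 10.0.1.11", "host 10.0.1.12"],
    "SERVERS": ["host 192.168.1.10", "host 192.168.1.11"],
    # slide 34: ALLLOCALS nests LOCALS1 and LOCALS2
    "REMOTES": ["host 172.16.1.1", "host 172.16.1.2"],
    "LOCALS1": ["host 192.168.0.11", "host 192.168.0.12"],
    "LOCALS2": ["host 192.168.0.21", "host 192.168.0.22"],
    "ALLLOCALS": [("group", "LOCALS1"), ("group", "LOCALS2")],
}
PROTOCOL_GROUPS = {"MYPROTOCOLS": ["tcp", "icmp"]}
SERVICE_GROUPS = {"BASIC": ["ftp", "smtp"]}


def resolve(name, groups, seen=()):
    """Return the leaf members of object group `name`, following nesting.
    Raises ValueError if the nesting loops back on itself."""
    if name in seen:
        raise ValueError(f"object-group {name} is nested inside itself")
    leaves = []
    for member in groups[name]:
        if isinstance(member, tuple):          # ("group", nested_name)
            leaves.extend(resolve(member[1], groups, seen + (name,)))
        else:
            leaves.append(member)
    return leaves


def nesting_is_valid(name, groups):
    """True if the group resolves completely (no cycle, no unknown group)."""
    try:
        resolve(name, groups)
        return True
    except (ValueError, KeyError):
        return False


def expand_ace(acl_id, action, protocol, source, destination, service=None):
    """Expand one ACE. `protocol`, `source`, `destination` and `service` are
    either literals ("tcp", "any", "host 10.1.1.1") or ("group", name).
    Returns the flat ACE strings with sources outermost and protocols
    innermost, the order visible on slide 20."""
    protos = (resolve(protocol[1], PROTOCOL_GROUPS)
              if isinstance(protocol, tuple) else [protocol])
    srcs = (resolve(source[1], NETWORK_GROUPS)
            if isinstance(source, tuple) else [source])
    dsts = (resolve(destination[1], NETWORK_GROUPS)
            if isinstance(destination, tuple) else [destination])
    ports = resolve(service[1], SERVICE_GROUPS) if service else []
    aces = []
    for src, dst, proto in product(srcs, dsts, protos):
        base = f"access-list {acl_id} {action} {proto} {src} {dst}"
        if ports and proto in ("tcp", "udp"):
            aces.extend(f"{base} eq {port}" for port in ports)
        else:
            # A port group does not apply to ICMP or other non-TCP/UDP
            # protocols drawn from a protocol group (compare slide 20).
            aces.append(base)
    return aces


if __name__ == "__main__":
    # Slide 20: one line replaces twelve (3 clients x 2 servers x 2 protocols).
    for ace in expand_ace("ACLOUT", "permit", ("group", "MYPROTOCOLS"),
                          ("group", "CLIENTS"), ("group", "SERVERS")):
        print(ace)
    print()
    # Slide 34: nesting plus a service group gives 2 x 4 x 2 = 16 entries.
    for ace in expand_ace("INBOUND", "permit", "tcp", ("group", "REMOTES"),
                          ("group", "ALLLOCALS"), ("group", "BASIC")):
        print(ace)
```

Running the script prints the 12 entries behind the slide 20 line and the 16 behind the slide 34 line. The count is what to check before committing a grouped ACL on a PIX 6.x platform: Turbo ACL compilation and per-ACE resources are driven by the expanded size, not by the number of lines typed.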

Slide 35: Removing Configured Object Groups
pixfirewall(config)# no object-group protocol | network | icmp-type grp_id
– Removes a specific protocol, network or icmp-type object group.
pixfirewall(config)# no object-group service grp_id tcp | udp | tcp-udp
– Removes a specific service object group.
Example:
pixfirewall(config)# no object-group network ALLHOSTS
– Removes the network object group ALLHOSTS. An object group that is still referenced by an access-list entry, or nested in another group, cannot be removed or emptied; remove the references first.

Slide 36: Module 9 – Configure Filtering on a PIX Security Appliance
9.3 Configure a Security Appliance Modular Policy

Slide 37: Modular Policy Overview

Slide 38: Modular Policy

Slide 39: Assign a Class Map Name

Slide 40: Class Map – Define a Class of Traffic

Slide 41: Policy Map Overview

Slide 42: Assign a Policy Map Name

Slide 43: Assign a Policy Map Name

Slide 44: Service Policy

Slide 45: Module 9 – Configure Filtering on a PIX Security Appliance
9.4 Configure Advanced Protocol Inspection

Slide 46: Need for Advanced Protocol Handling
Some popular protocols or applications behave as follows:
– Negotiate connections to dynamically assigned source or destination ports or IP addresses.
– Embed source or destination port or IP address information above the network layer.
A good firewall has to inspect packets above the network layer and do the following as required by the protocol or application:
– Securely open and close negotiated ports or IP addresses for legitimate client-server connections through the firewall.
– Use NAT-relevant instances of IP addresses inside a packet.
– Use PAT-relevant instances of ports inside a packet.
– Inspect packets for signs of malicious application misuse.

Slide 47: inspect Command

Slide 48: FTP Inspection
FTP uses two channels:
– Command connection (TCP)
– Data connection (TCP)
FTP inspection:
– Translates the addresses embedded in FTP messages
– Dynamically creates openings for FTP data connections
– Tracks request and response messages statefully
– Optionally, FTP strict prevents web browsers from sending embedded commands in FTP requests.
FTP deep packet inspection:
– Added to the strict inspection functionality
– Command filtering: disallow specific commands.

Slide 49: Active FTP Inspection

Slide 50: Passive FTP Inspection

Slide 51: FTP Deep Packet Inspection – Command Filtering

Slide 52: Adding an ftp-map to a policy-map

Slide 53: HTTP Inspection

Slide 54: Enhanced HTTP Inspection

Slide 55: ICMP Inspection

Slide 56: SNMP Inspection
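The FTP inspection slides (48 to 51) describe behaviour rather than showing it. The following Python model is an added example, not Cisco code or course material: it follows one FTP control connection, derives the data-channel endpoint the firewall must open from an active PORT command or a passive 227 reply, applies the checks that the strict option adds (a negotiated port below 1024, a second command glued after the host-port fields, a command sent before the previous one was acknowledged, a PORT command arriving from the server side) and enforces a command deny list standing in for an ftp-map. The deny list (DELE, RMD, SITE), the eight-byte trailing allowance and the sample dialogue are constructed assumptions, not values read from an appliance.

```python
"""Model of the FTP control-channel inspection a stateful firewall performs.

Added example, not Cisco code: learns the data-channel endpoint from PORT or
the 227 reply, applies the checks the strict option adds, and filters
commands against an ftp-map style deny list. Sample data is constructed.
"""
import re

# RFC 959 host-port form h1,h2,h3,h4,p1,p2, carried by PORT and the 227 reply.
_HOSTPORT = re.compile(r"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})")

# Assumed policy, standing in for "request-command deny dele rmd site".
DENIED_COMMANDS = {"DELE", "RMD", "SITE"}

# Assumed allowance after the host-port fields (")" and CRLF); more means a glued command.
MAX_TRAILING = 8


def parse_hostport(text):
    """Return ((ip, port), trailing_text) for the first h1,h2,h3,h4,p1,p2 in
    text, or (None, None) if it is missing, truncated or out of range."""
    m = _HOSTPORT.search(text)
    if m is None:
        return None, None
    fields = [int(f) for f in m.groups()]
    if max(fields) > 255:
        return None, None
    ip = ".".join(str(f) for f in fields[:4])
    return (ip, fields[4] * 256 + fields[5]), text[m.end():]


class FtpInspector:
    """State for one FTP control connection, seen from the inside client."""

    def __init__(self, strict=True, denied=DENIED_COMMANDS):
        self.strict = strict
        self.denied = set(denied)
        self.pinholes = []           # (ip, port, direction) openings created
        self.awaiting_reply = False  # a client command has not been answered

    def _negotiate(self, text, direction):
        endpoint, trailing = parse_hostport(text)
        if endpoint is None:
            return "drop: truncated or malformed host-port field"
        if self.strict and endpoint[1] < 1024:
            return f"drop: invalid port negotiation ({endpoint[1]} < 1024)"
        if self.strict and len(trailing) > MAX_TRAILING:
            return "drop: command pipelining after host-port field"
        self.pinholes.append((endpoint[0], endpoint[1], direction))
        return "permit"

    def client_command(self, line):
        """Inspect one line from the client; return 'permit' or 'drop: reason'."""
        if self.strict and self.awaiting_reply:
            return "drop: command pipelining (previous command not acknowledged)"
        verb = (line.split() or [""])[0].upper()
        if verb in self.denied:
            return f"drop: command {verb} denied by ftp-map"
        if verb == "PORT":
            # Active mode: the server will connect back to this client endpoint.
            verdict = self._negotiate(line, "inbound")
            if verdict != "permit":
                return verdict
        self.awaiting_reply = True
        return "permit"

    def server_reply(self, line):
        """Inspect one line from the server; return 'permit' or 'drop: reason'."""
        if self.strict and (line.split() or [""])[0].upper() == "PORT":
            return "drop: command spoofing (PORT must come from the client)"
        if line.startswith("227"):
            # Passive mode: the client will connect out to this server endpoint.
            verdict = self._negotiate(line, "outbound")
            if verdict != "permit":
                return verdict
        self.awaiting_reply = False
        return "permit"


def run_sample(strict=True):
    """Replay a constructed dialogue; return (verdicts, pinholes opened)."""
    fw = FtpInspector(strict=strict)
    dialogue = [
        ("client", "USER anonymous\r\n"),
        ("server", "331 Please specify the password.\r\n"),
        ("client", "PORT 10,0,0,5,4,1\r\n"),                   # active: 10.0.0.5:1025
        ("server", "200 PORT command successful.\r\n"),
        ("client", "PASV\r\n"),
        ("server", "227 Entering Passive Mode (192,168,1,10,195,80).\r\n"),  # 192.168.1.10:50000
        ("client", "PORT 10,0,0,5,0,25\r\n"),                  # asks for port 25
        ("client", "PORT 10,0,0,5,4,2 RETR readme.txt\r\n"),   # browser-style glued command
        ("client", "CWD pub\r\n"),
        ("client", "LIST\r\n"),                                # sent before CWD was acknowledged
        ("server", "250 Directory changed.\r\n"),
        ("client", "DELE readme.txt\r\n"),                     # on the deny list
        ("server", "PORT 10,0,0,5,4,3\r\n"),                   # PORT from the wrong side
    ]
    verdicts = [fw.client_command(line) if side == "client" else fw.server_reply(line)
                for side, line in dialogue]
    return verdicts, fw.pinholes


if __name__ == "__main__":
    print(*run_sample(), sep="\n")
```

With strict enabled the replay drops five lines and opens exactly the two pinholes the legitimate PORT and 227 exchanges called for; with strict=False only the ftp-map deny remains and the low-port and glued-command requests open pinholes too. That difference is the reason to enable strict wherever browsers reach FTP servers through the appliance.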

Slide 57: Why Multimedia Is an Issue
– Multimedia applications behave in unique ways:
  Use dynamic ports.
  Transmit a request using TCP and get responses in UDP or TCP.
  Use the same port for source and destination.
– The PIX Security Appliance:
  Dynamically opens and closes conduits for secure multimedia connections.
  Supports multimedia with or without NAT.

Slide 58: Real-Time Streaming Protocol
– Real-time audio and video delivery protocol; uses one TCP and two UDP channels.
– Transport options: Real-Time Transport Protocol (RTP); Real Data Transport Protocol (RDT).
– Sync or resend channel: Real-Time Control Protocol (RTCP); UDP resend.
– RTSP TCP-only mode does not require special handling by the PIX Security Appliance.
– Supported applications: Cisco IP/TV; Apple QuickTime 4; RealNetworks RealAudio, RealPlayer and RealServer.
– RDT multicast is not supported.

Slide 59: Standard RTP Mode
– In standard RTP mode, RTSP uses the following three channels: control connection (TCP); RTP data (simplex UDP); RTCP reports (duplex UDP).
– For outbound connections, the PIX Security Appliance opens inbound ports for RTP data and RTCP reports.
– For inbound connections, the PIX Security Appliance handles standard RTP mode as follows: if outbound traffic is allowed, no special handling is required; if outbound traffic is not allowed, it opens outbound ports for RTP and RTCP.

Slide 60: RealNetworks RDT Mode
– In RealNetworks RDT mode, RTSP uses the following three channels: control connection (TCP); UDP data (simplex UDP); UDP resend (simplex UDP).
– For outbound connections, the PIX Security Appliance handles RealNetworks RDT mode as follows: if outbound traffic is allowed, it opens an inbound port for UDP data; if outbound traffic is not allowed, it opens an inbound port for UDP data and an outbound port for UDP resend.
– For inbound connections, the PIX Security Appliance handles RealNetworks RDT mode as follows: if outbound traffic is allowed, it opens an inbound port for UDP resend; if outbound traffic is not allowed, it opens an outbound port for UDP data and an inbound port for UDP resend.

Slide 61: H.323
– Real-time multimedia communications delivery specification; uses two TCP and several UDP sessions for a single call.
– H.323 protocols and standards: H.225 Registration, Admission, and Status (RAS); H.225 Call Signaling; H.245 Control Signaling; TPKT Header; Q.931 Messages; Abstract Syntax Notation (ASN.1) (PIX Security Appliance 5.2).
– Supported H.323 versions: H.323 v1; H.323 v2 (software versions 5.2 and higher).
– Supported applications: Cisco Multimedia Conference Manager; Microsoft NetMeeting; Intel Video Phone; CUseeMe Networks MeetingPoint and CUseeMe Pro; VocalTec Internet Phone and Gatekeeper.

Slide 62: Cisco IP Phones and the PIX Security Appliance DHCP Server
– Cisco IP phones: download their configurations from a TFTP server; request an IP address and the IP address of a TFTP server from a DHCP server.
– The PIX Security Appliance: supports DHCP option 150 for providing the IP addresses of a list of TFTP servers; supports DHCP option 66 for providing the IP address of a single TFTP server.

Slide 63: DNS Inspection

Slide 64: DNS Record Translation


