We think you have liked this presentation. If you wish to download it, please recommend it to your friends in any social system. Share buttons are a little bit lower. Thank you!
Presentation is loading. Please wait.
Published byLaila Monks
Modified about 1 year ago
1mbehring_pix_rev5 © 1999, Cisco Systems, Inc. Internetworking with PIX™ PIX IOS 5.0
2mbehring_pix_rev5 © 1999, Cisco Systems, Inc. © 1999, Cisco Systems, Inc. 2 Internetworking with PIX Agenda Overview of the PIX The “Inside” of the PIX Advanced Configurations PIX and IPSec PIX Management Last Words
3mbehring_pix_rev5 © 1999, Cisco Systems, Inc. Overview of the PIX Hardware, Software and Capabilities 3 CCIE’99 Vienna © 1999, Cisco Systems, Inc.
4mbehring_pix_rev5 © 1999, Cisco Systems, Inc. © 1999, Cisco Systems, Inc. The Box Itself 515-R (restricted) Target: Branch office 515-UR (unrestricted) Target: Main office 520 Target: Biiig main office PIX Overview
5mbehring_pix_rev5 © 1999, Cisco Systems, Inc. The Platform 515-R: Pentium 200 MHz, no PCI, 32 M RAM max 515-UR: Pentium 200 MHz, 2 PCI, 64 M RAM max 520: Pentium 350 MHz, 4 PCI, 128 M RAM max, 1 ISA PIX Overview
6mbehring_pix_rev5 © 1999, Cisco Systems, Inc. Interfaces 515-R: 2 FE, unchangable 515-UR: Standard: 2 FE Extensible to up to 6 FE 520: Standard: 2 FE plus 2 of: 4 FE card, Token Ring card, FDDI card PIX Overview
7mbehring_pix_rev5 © 1999, Cisco Systems, Inc. Private Link Cards PL1: ISA based (16 bit, discontinued) PL2: PCI based (32 bit) PL3: (planned) PCI Kodiak: (planned) PCI PIX 520 has 1 ISA slot + 4 PCI slots PIX 515-UR has 2 PCI slots, no ISA PIX Overview
8mbehring_pix_rev5 © 1999, Cisco Systems, Inc. PIX Hardware Overview 515-R 515-UR R 515-UR 520 Max. simult. connect 50, , ,000 Max. simult. connect 50, , ,000 Max. RAM 32M 64M 128M Max. RAM 32M 64M 128M Max # i/f 2 6 Max # i/f 2 6 Flash 8M 16M Flash 8M 16M Failover no yes Failover no yes I/f Type FE TR FDDI I/f Type FE TR FDDI Max. through put 170 (Mbps) Max. through put 170 (Mbps) PIX Overview
9mbehring_pix_rev5 © 1999, Cisco Systems, Inc. The PIX Philosophy PIX Firewall Private Network Public Network DMZ nameif ethernet0 outside security0 nameif ethernet1 inside security100 nameif ethernet2 DMZ security PIX Overview
10mbehring_pix_rev5 © 1999, Cisco Systems, Inc. The PIX Philosophy Private Network Public Network DMZ Default Actions: Higher to Lower: PERMIT Lower to Higher: DENY Between Same: DENY PIX Overview
11mbehring_pix_rev5 © 1999, Cisco Systems, Inc. Strength of the PIX No common OS Small code -> Less chances for bugs Appliance: No extra software Easy configuration Performance (170 Mbit/s !!) PIX Overview
12mbehring_pix_rev5 © 1999, Cisco Systems, Inc. PIX Certification NSA TTAP Certification ICSA Certification SRI International testing “SRI International failed to uncover any security vulnerabilities in the Cisco PIX firewall ” Turnkey appliance — no software installation risks PIX Overview
13mbehring_pix_rev5 © 1999, Cisco Systems, Inc. Licensing 520: Session based (128, 1024, ) (will be feature based in the future) 515: Feature based: Basic license plus: DES license (free), 3DES license (extra cost) PIX Overview
14mbehring_pix_rev5 © 1999, Cisco Systems, Inc. Around the PIX PIX Overview WebSense: URL Filtering Private I: Logging and Alarming CiscoSecure: Cut-Through-Proxy, AAA Cisco Security Manager: Management Verisign, Entrust, …: Certification Authority PIX Firewall Manager: Management
15mbehring_pix_rev5 © 1999, Cisco Systems, Inc. The “Inside” of the PIX Configuration Details 15 NW’99 Vienna © 1999, Cisco Systems, Inc.
16mbehring_pix_rev5 © 1999, Cisco Systems, Inc. Only 4 Ways through the PIX Private Network Public Network 1: inside to outside; (Limit with ”outbound” and ”apply”) 2: user authentication AAA 3: conduit out side in side PIX “Inside” 4*: Access List * since PIX IOS 5.0
17mbehring_pix_rev5 © 1999, Cisco Systems, Inc. Address Translation in the PIX: NAT / PAT Private Network Public Network outside inside global (outside) nat (inside) Translate all inside source addresses Outside source address range to use NAT-ID * For PAT use only 1 outside Address PIX “Inside” PAT* NAT
18mbehring_pix_rev5 © 1999, Cisco Systems, Inc. Destination Address Translation: Alias NAT changes Source Address only Use alias to change Destination address DNS will be changed as well Applications: Dual NAT Re-routing PIX “Inside”
19mbehring_pix_rev5 © 1999, Cisco Systems, Inc. How “alias” Works PIX “Inside” Inside User www Internet Company alias: = inside outside 1. Access 2. DNS query 3. Reply: Reply: Conflict 5. Destination NAT alias: = inside outside
20mbehring_pix_rev5 © 1999, Cisco Systems, Inc. Address Translation: Alias Configuration alias (inside) static (inside,outside) netmask Use this destination address on the inside... …for this destination address on the outside PIX “Inside” Map this source on outside... …to this one on inside Destination NAT Source NAT
21mbehring_pix_rev5 © 1999, Cisco Systems, Inc. Inside address Outside address Address Translation: Static Private Network Public Network outside inside static (inside,outside) netmask For Web or other Servers PIX “Inside”
22mbehring_pix_rev5 © 1999, Cisco Systems, Inc. Conduits To permit traffic from outside PIX “Inside” conduit permit tcp host eq ftp any conduit permit tcp any eq ftp host to this internal host*...from any external …. with FTP... to any internal host... from this external * use global addresses
23mbehring_pix_rev5 © 1999, Cisco Systems, Inc. Outbound Access Lists Deny Inside -> Outside connections with Outbound Access Lists outbound 10 deny 0 0 www tcp outbound 10 permit www tcp apply (dmz1) 10 outgoing_src Deny all outbound www traffic But permit to proxy server Apply to interface dmz1 list# PIX “Inside”
24mbehring_pix_rev5 © 1999, Cisco Systems, Inc. Adaptive Security Algorithm™ (ASA) Heart of stateful checking in PIX Basic Rules: PIX “Inside” Allow TCP / UDP from inside Permit TCP / UDP return packets Drop and log connections from outside Drop and log source routed IP packets Allow some ICMP packets Silently drop pings to dynamic IP addresses Answer (PIX) pings to static connections Drop and log all other packets from outside
25mbehring_pix_rev5 © 1999, Cisco Systems, Inc. How the PIX works 1. Packet Arrives 2. Adressing: NAT / PAT / Alias / Static 3. Permissions: Conduit / ACLs / Outbound 4. -> Xlate Table (addressing info) 5. -> Connections Table (ports + proto) PIX “Inside”
26mbehring_pix_rev5 © 1999, Cisco Systems, Inc. Xlate: The Translation Table PIX creates an xlate entry for every IP pair (host-host) This is part of the “State” of the firewall clear xlate after changes timeout xlate hh:mm:ss timeout conn hh:mm:ss … and: half-closed, udp, rpc, h323,uauth PIX “Inside”
27mbehring_pix_rev5 © 1999, Cisco Systems, Inc. Connections Table Connection entries contain: Protocol and port numbers TCP state and sequence numbers state of connection (eg, embryonic) Also part of the “State” of the firewall clear xlate also clears the conns table License check with # of connections! PIX “Inside”
28mbehring_pix_rev5 © 1999, Cisco Systems, Inc. Xlate and Conns Tables show xlate Global Local static nconns 1 econns 0 Global Local static nconns 4 econns 0 show conn 6 in use, 6 most used TCP out :80 in :1404 idle 0:00:00 Bytes TCP out :80 in :1405 idle 0:00:00 Bytes 3709 TCP out :80 in :1406 idle 0:00:01 Bytes 2685 TCP out :80 in :1407 idle 0:00:01 Bytes 2683 TCP out :80 in :1403 idle 0:00:00 Bytes TCP out :80 in :1408 idle 0:00:00 Bytes 2688 UDP out :24 in :1402 idle 0:01:30 UDP out :23 in :1397 idle 0:01:30 UDP out :22 in :1395 idle 0:01:30 PIX “Inside” Licence check! (PIX 520) # conns# ebryonic
29mbehring_pix_rev5 © 1999, Cisco Systems, Inc. Advanced Configurations 29 NW’99 Vienna © 1999, Cisco Systems, Inc.
30mbehring_pix_rev5 © 1999, Cisco Systems, Inc. User Authentication: Cut-Through-Proxy Private Network Public Network AAA out side in side Outside User www HTTP Request 1. HTTP request packet intercepted by PIX 1 2. PIX asks user for credentials, he responds 2 3. PIX sends credentials to AAA server, AAA server ack’s 3 4. PIX forwards packets 4 PIX Advanced Configuration
31mbehring_pix_rev5 © 1999, Cisco Systems, Inc. User Authentication: Cut-Through-Proxy Addressing and Conduit must Exist! FTP, HTTP, Telnet can be proxied Other ports can be authorised after authentication Watch Out: Timeout for authorisation! -> Other connections will be cut after primary timed out PIX Advanced Configuration
32mbehring_pix_rev5 © 1999, Cisco Systems, Inc. Authenticate all inbound FTP traffic User Authentication: Configuration Define AAA protocol Define AAA server and key Install authorization Lists from Server* * only with TACACS+, not with RADIUS PIX Advanced Configuration aaa-server Authinbound protocol tacacs+ aaa-server AuthInbound (inside) host TheUauthKey aaa authentication ftp inbound AuthInbound aaa authorization ftp inbound AuthInbound
33mbehring_pix_rev5 © 1999, Cisco Systems, Inc. PIX Failover PrimarySecondary x x Failover Cable PIX Advanced Configuration Failover Link default gateway
34mbehring_pix_rev5 © 1999, Cisco Systems, Inc. Failover Configuration PrimarySecondary x.1.2 Failover Cable PIX Advanced Configuration Failover Link failover [active] failover ip address inside failover link ethernet2 Enable failover Address for Standby PIX (configured on primary) Enable statefulness (over link eth2)
35mbehring_pix_rev5 © 1999, Cisco Systems, Inc. PIX Failover PIX Advanced Configuration PrimarySecondary x.1.2 Failover Cable Failover Link Only primary PIX is configured, wr mem auto-configures standby PIX On failover, standby PIX assumes MAC and IP address from primary Failover takes seconds
36mbehring_pix_rev5 © 1999, Cisco Systems, Inc. URL Filtering PIX Advanced Configuration Corporate Network Inside User PIX Internet WebSense
37mbehring_pix_rev5 © 1999, Cisco Systems, Inc. URL Filtering Configuration Outbound HTTP connections can be checked on URL Interaction with 3rd Party Product, e.g., WebSense url-server (inside) host timeout 5 filter url http PIX Advanced Configuration InterfaceServer IP Filter any URL
38mbehring_pix_rev5 © 1999, Cisco Systems, Inc. Various... Flooding Prevention: floodguard enable|disable show floodguard Fragmentation Attack Prevention: sysopt security fragguard Mailguard (check SMTP commands) : fixup protocol smtp 25 PIX Advanced Configuration
39mbehring_pix_rev5 © 1999, Cisco Systems, Inc. DMZ Example: Redundant PIX Set-Up Partners and Clients NetSonar NetRanger Internet PIX Advanced Configuration
40mbehring_pix_rev5 © 1999, Cisco Systems, Inc. PIX and IPSec 40 NW’99 Vienna © 1999, Cisco Systems, Inc.
41mbehring_pix_rev5 © 1999, Cisco Systems, Inc. PIX and IPSec* Remote User Access Branch Offices Intranet Extranet Host-to-host Access Main Office Internet PIX and IPSec * since PIX IOS 5.0 Certification Authority CA
42mbehring_pix_rev5 © 1999, Cisco Systems, Inc. IPSec Configuration Steps 1: CA interoperation (opt) 2: IKE 3: IKE Mode (opt) 4: IPSec PIX and IPSec
43mbehring_pix_rev5 © 1999, Cisco Systems, Inc. IPSec Configuration PIX and IPSec what to encrypt... …and how. …use this endpoint For this traffic... apply to interface access-list 101 permit ip crypto ipsec transform-set myset1 esp-des esp-sha-hmac crypto map mymap 10 ipsec-isakmp crypto map mymap 10 match address 101 crypto map mymap 10 set peer crypto map mymap 10 set transform-set myset1 crypto map mymap interface outside access-list 101 permit ip crypto ipsec transform-set myset1 esp-des esp-sha-hmac crypto map mymap 10 ipsec-isakmp crypto map mymap 10 match address 101 crypto map mymap 10 set peer crypto map mymap 10 set transform-set myset1 crypto map mymap interface outside
44mbehring_pix_rev5 © 1999, Cisco Systems, Inc. Configuring the CA ca generate rsa key 512 ca identity myca.mycompany.com ca configure myca.mycompany.com ca 1 20 crloptional ca authenticate myca.mycompany.com [ ] ca enroll myca.mycompany.com mypassword ca save all PIX and IPSec generate key-pair define CA get CA certificate and check it retry parameters Send PIX’s pub key to CA
45mbehring_pix_rev5 © 1999, Cisco Systems, Inc. ! PIX IPSec: Attention!! Avoid the use of “any” keyword IPSec only on outside interface in 5.0 No TED in 5.0 Make sure clock is set correctly! PIX and IPSec
46mbehring_pix_rev5 © 1999, Cisco Systems, Inc. Software-only Mode Mbps DES (!) Mbps 3DES (!) PIX Private Link Card (PL2/PL3) Mbps DES (3DES not supported on PL2) Kodiak (in development) 100 Mbps 3DES IPSec Hardware Accelerators PIX and IPSec
47mbehring_pix_rev5 © 1999, Cisco Systems, Inc. PIX Management 47 NW’99 Vienna © 1999, Cisco Systems, Inc.
48mbehring_pix_rev5 © 1999, Cisco Systems, Inc. PIX Management Cisco Security Manager Policy-based, not Device-based GUI Scalable (<100 PIX) Any Topology Future: Management of all Security Products
49mbehring_pix_rev5 © 1999, Cisco Systems, Inc. PIX Syslog Reliable Logging (TCP): If Syslog server is full -> PIX will deny all new connections!! Unreliable Loging: UDP Config: logging host dmz tcp logging trap debugging clock set 14:25:00 apr logging timestamp PIX Management Interface tcp / udp
50mbehring_pix_rev5 © 1999, Cisco Systems, Inc. PIX SNMP Almost like on Router: snmp-server host outside snmp-server community secret_xyz snmp-server syslog disable snmp-server log_level 5 PIX Management Interface But: PIX only sends traps, no config through SNMP
51mbehring_pix_rev5 © 1999, Cisco Systems, Inc. Last Words… 51 NW’99 Vienna © 1999, Cisco Systems, Inc.
52mbehring_pix_rev5 © 1999, Cisco Systems, Inc. The Direction of Security in Cisco Integration: Security as an Integral Part in all Products CiscoAssure: Combine Security, QoS, Voice in one Concept DEN*: The Future is Based on Directories time * Directory Enabled Networks
53mbehring_pix_rev5 © 1999, Cisco Systems, Inc. Last Words... Security needs more than a Firewall… Keep it simple -> More Secure Simple configurations Split functionality to different devices Keep Up To Date!
54 © 1999, Cisco Systems, Inc.
Firewalls Fred P. Baker CCIE, CCIP(security), CCSA, MCSE+I, MCSE(2000)
CTT Corp. Derechos reservados CHANNEL READINESS PROGRAM FOR CISCO PARTNERS Selling Cisco SMB Solutions Advanced Security Selling SMB Solutions.
1 © 2009 Cisco Learning Institute. CCNA Security Chapter Eight Implementing Virtual Private Networks.
UNIT 2: Firewalls Content : Firewalls in general basic operation and architecture Main border firewalls using stateful inspection Screening firewalls.
1 © 2005 Cisco Systems, Inc. All rights reserved. 111 © 2004, Cisco Systems, Inc. All rights reserved.
1 © 2001, Cisco Systems, Inc. All rights reserved. SEC _05_2001_c1 VoIP over IPSec VPNs.. and some general Security tips Kjetil Berge Systems Engineer.
Networking Fundamentals John Bellavance CCNI. Data Networks Developed because companies wanted to exchange info over long distances. At first they used.
Version 4.1 CCNA Discovery 2– Chapter 7. Contents 7.1: ISP Services : TCP / IP Protocols 7.2: 7.3: DNS 7.3: 7.4: Application Layer Protocols 7.4.
Network Security DMZ (De-Militarized Zone). J. Wang. Computer Network Security Theory and Practice. Springer 2008 General Framework.
DMZ (De-Militarized Zone) Network Security. Privilege levels in Cisco routers Cisco IOS offers 16 privilege levels ◦ User Exec mode: Level 1 ◦ Privilege.
Where firewalls fit in the corporate landscape. Firewall topics Why firewall? What is a firewall? What is the perfect firewall? What types of firewall.
1 IP Based Network Concepts & Overview Faculty of Network Planning ALTTC, Ghaziabad.
Enabling Secure Internet Access with ISA Server. Enabling Secure Access to Internet Resources What Is Secure Access to Internet Resources? –Users can.
Jeremy Rauch Network Infrastructure Insecurity The authentication, management and routing protocols that run your network.
Winter 2001 VoN Developers Conference -- January 24, 2001 SIP Proxies Jonathan Rosenberg Chief Scientist.
© 2007 – 2010, Cisco Systems, Inc. All rights reserved. Cisco Public ROUTE v6 Chapter 7 1 Chapter 7: Implementing Routing Facilities for Branch Offices.
© 2007 – 2010, Cisco Systems, Inc. All rights reserved. Cisco Public ROUTE v6 Chapter 5 1 Chapter 5: Implement Path Control CCNP ROUTE: Implementing IP.
Dave Ahmad Jeremy Rauch Network Infrastructure Insecurity The authentication, management and routing protocols that run your network.
1 A Tutorial on Web Security for E-Commerce. 2 Web Concepts for E-Commerce Client/Server Applications Communication Channels TCP/IP.
1 © 2005 Cisco Systems, Inc. All rights reserved. 111 © 2004, Cisco Systems, Inc. All rights reserved. CNIT 221 Security 1 ver.2 Module 8 City College.
© 2008 Cisco Systems, Inc. All rights reserved.Cisco ConfidentialPresentation_ID 1 Chapter 11: Its a Network Introduction to Networking 11.0.
Internet Protocol Security (IP Sec). Securing Intranets and Extranets at all levels.
© 1999, Cisco Systems, Inc. 1-1 Securing Routers Against Hackers and Denial of Service Attacks Lou Ronnau
Branch Repeater 5.6, 5.7 & VPX Technical Presentation.
VON Developers Conference -- July 2000 SIP Proxies Jonathan Rosenberg Chief Scientist.
Compiled by : S. Agarwal Lecturer & Systems Incharge St. Xaviers Computer Centre St. Xaviers College, Kolkata. INTERNET PROTOCOLS.
© 2016 SlidePlayer.com Inc. All rights reserved.