05/25/22 PIX in a Day

6/1/2015 PIX in a Day. 6/1/2015 Objective This is a two part course designed for people with good knowledge of IP and some knowledge. It is presented.

Dec 18, 2015

Transcript

Page 1: 6/1/2015 PIX in a Day. 6/1/2015 Objective This is a two part course designed for people with good knowledge of IP and some knowledge. It is presented.

04/18/23

PIX in a Day

Page 2

Objective

This is a two part course designed for people with good knowledge of IP and some knowledge.

It is presented in two parts. The first part, this course, shows how to configure a PIX V6 firewall in a number of scenarios. The second covers troubleshooting.

This is not a security course – basic principles are not covered - a good knowledge of networks is assumed. It will not teach anyone to design a firewall (leave that to experts like me), only how to implement one.

Page 3

Marketing fluff

Page 4

PIX Features according to Cisco

• Embedded system (Cisco PIX firewall OS) is real-time and secure; not subject to operating system vulnerabilities

• Adaptive Security Algorithm (ASA) provides stateful connection control. Packet information is placed in a table; information from the packet must match information in the table

• Cut-through proxy; user-based authentication of inbound and outbound connections. Improved performance over proxy filters: low overhead processing = better performance

• Stateful failover/hot standby: a fully redundant topology (failover) can be configured

Page 5

PIX Firewall ASA

Adaptive Security Algorithm is Cisco's name for the subroutines that perform stateful packet filtering.

A data packet is analyzed, and its information is placed in a table – the state table or xlate table.

On receipt of return traffic, the incoming packet is checked against the table. In order for the connection to be established, there must be a match between the two. ASA is part of the PIX operating system.

Page 6

PIX Firewall Cut-Through Proxy

The cut-through proxy provides a method for user-based authentication. Inbound and outbound connections can be authenticated.

Better performance than a proxy filter, because the processing overhead on the PIX is reduced by using the cut-through proxy feature. Sockets are not terminated and re-opened – the device never becomes an end point.

After authentication by a TACACS+ or RADIUS server, per-user connection state information is maintained by the firewall. For protocols that don’t support authentication, a virtual telnet server exists.

Page 7

PIX: Stateful Filtering

PIX obtains the IP address and port from each layer 4 protocol. PIX logs the connection data in the stateful connection table. A session object is created at this stage of the process.

The inbound and outbound packets are compared to the table. If a connection entry exists, the packets are allowed to pass.

Once the connection is terminated, the connection information, including the session object, is eventually deleted.

For protocols where no state exists, timers are used to “tear down” the connection object

Page 8

PIX Firewall features

Failover: PIX supports active-passive in a stateful and a non-stateful mode. The two PIX Firewalls must be identical models which are identically configured. In stateful failover, connections do not have to be restarted.

Page 9

PIX Firewall commands: these are basically the Version 10 IOS commands

• enable – as IOS
• configure terminal - changes the PIX configuration; changes are merged with the running config in RAM and take effect at once
• passwd - sets the password for Telnet access; the option encrypted sets an encrypted password
• show config - displays the startup configuration
• write terminal / show run - shows the running config on the terminal
• write net - sends the config to TFTP
• write standby – writes the config to the standby PIX
• write erase - clears the Flash memory configuration (startup configuration)

Page 10

PIX Firewall commands

• show xlate - shows translation slots; IP addresses allocated for address translation
• configure net - merges the running configuration with the TFTP server stored file of the same name
• configure memory - merges the running configuration with the startup configuration in Flash
• show interface - shows many parameters of the named interface
• show history - shows recently entered commands
• show ip address - shows all IP addresses

Page 11

PIX Firewall commands

• clear xlate - clears translation slots; disrupts service
• shun – temporarily blocks IPs
• reload - restarts
• kill – kills telnet/ssh sessions

Page 12

The basic configuration

Page 13

First 4 config commands

pixfirewall(config)# interface ethernet0 auto
pixfirewall(config)# interface ethernet1 100full
pixfirewall(config)# nameif ethernet0 outside security0
pixfirewall(config)# nameif ethernet1 inside security100
pixfirewall(config)# ip address outside 61.2.93.93 255.255.255.240
pixfirewall(config)# ip address inside 10.0.0.2 255.255.255.0
pixfirewall(config)# route outside 0.0.0.0 0.0.0.0 61.2.93.81 1

Page 14

IP address & Route

The ip address command adds an IP address to an interface

pixfirewall(config)# ip address inside 10.0.0.2 255.255.255.0

Usage: [no] ip address <if_name> <ip_address> [<mask>]
Usage: [no] ip address <if_name> dhcp [setroute] [retry <retry_cnt>]

And everyone recognises a static route

Usage: route <if_name> <foreign_ip> <mask> <gateway> [<metric>]

pixfirewall(config)# route inside 0.0.0.0 0.0.0.0 61.2.93.81 1

In the above example inside is the interface that the packet will leave from

Page 15

Interface command

pixfirewall(config)# interface ethernet1 100full

Usage: interface <hardware_id> [<hw_speed> [shutdown]]

The interface command enables an interface and sets its properties. Speed options include: auto / 10baseT / 10full / 100baseTX / 100full / 1000auto / 1000full / 1000full nonegotiate

For dot1q virtual interfaces:

Usage: interface <hardware_id> <vlan_id> logical

pixfirewall(config)# interface ethernet1 vlan99 logical

Page 16

PIX ASA Security Levels

One of the two interfaces must be of a higher level. Packets can pass from higher to lower level interfaces, but not from lower to higher level interfaces without an access list (except ICMP).

Security levels range from 0 through 100. 100 is the most secure: the default for the inside interface; can't be changed. 0 is the least secure: the default for the outside interface; can't be changed.

1 through 99 can be assigned to other interfaces such as a DMZ

Page 17

PIX ASA Security Levels

Inside to outside: data traveling from a more secure to a less secure interface requires an address translation (only – see caveat)

Outside to inside: data traveling from a less secure to a more secure interface needs both of the following to pass through: a static translation AND an access list

No traffic can pass between interfaces with identical security levels. For example, if two DMZs have a security level of 50, they can't talk to each other.

Don’t rely on this – it has changed between versions

Page 18

EXCEPT ICMP

Inside to outside: data traveling from more secure to less secure requires an address translation (only)

Security people DON’T LIKE ICMP

THEREFORE WE MAKE IT DIFFICULT TO USE

TO GET A RETURNED ECHO-REPLY YOU NEED AN ACCESS-LIST

Page 19

PIX ASA Security Levels

Diagram: Inside (security level 100), DMZ (security level 50), Outside (security level 0)

Page 20

nameif command

The nameif command assigns a logical name or label to an interface. It also assigns a security value 0 – 100

Usage: nameif <hardware_id> <label> <security_lvl>
Usage: nameif <vlan_id> <label> <security_lvl>

hardware_id = interface
label = a logical name
security level: 0 is the dirtiest - traditionally outside; 100 is the cleanest – traditionally inside

pixfirewall(config)# nameif ethernet1 inside security100

Page 21

But your firewall still won’t work

You need GLOBAL and NAT

Page 22

Global & Nat

PIX relies on address translation to provide security. Under normal circumstances a connection will have its:

• Source address translated on outbound connections

• Destination address translated on inbound connections

For the exam – Global address is a valid outside address

- Local is an internal address

- Private is an RFC 1918 address

Page 23

Global & Nat: Types of Address translation

• Static NAT (network address translation) – one-to-one translation based on a STATIC table - explained later

• Dynamic NAT – Dynamically translate a source address to an address selected from a GLOBAL address pool

Diagram (dynamic NAT through the ASA, global pool 212.23.35.117-118):

Inside (before translation):
  a→b: 10.0.0.1 port 1500 to 196.1.1.1 port 80
  c→b: 10.0.0.11 port 1800 to 196.1.1.1 port 80
Outside (after translation):
  a→b: 212.23.35.117 port 1500 to 196.1.1.1 port 80
  c→b: 212.23.35.118 port 1800 to 196.1.1.1 port 80

Dynamic nat

Page 24

Global & Nat

Dynamic PAT – Dynamically translate a source address to the address of the outbound interface and change the source port to a free ephemeral port

Diagram (dynamic PAT through the ASA, single global address 212.23.35.117):

Inside (before translation):
  a→b: 10.0.0.1 port 1500 to 196.1.1.1 port 80
  c→b: 10.0.0.11 port 1800 to 196.1.1.1 port 80
Outside (after translation):
  a→b: 212.23.35.117 port 132,001 to 196.1.1.1 port 80
  c→b: 212.23.35.117 port 132,002 to 196.1.1.1 port 80

Page 25

Global & Nat

The global command defines a global pool of addresses to use for address translation

Usage: global (if-label) pool-no ip_address[-ip_address] [netmask mask]

global (outside) 1 212.23.35.117-212.23.35.127

The nat command defines a range of source addresses that may use a particular global pool

Usage: nat (if-label) pool-no ip_address subnet-mask

nat (inside) 1 10.0.0.0 255.255.0.0

Page 26

Global & Nat: Example

Diagram (dynamic NAT through the ASA, global pool 212.23.35.117-118, inside on the left, outside on the right):

Inside (before translation):
  a→b: 10.0.0.1 port 1500 to 196.1.1.1 port 80
  c→b: 10.0.0.11 port 1800 to 196.1.1.1 port 80
Outside (after translation):
  a→b: 212.23.35.117 port 1500 to 196.1.1.1 port 80
  c→b: 212.23.35.118 port 1800 to 196.1.1.1 port 80

global (outside) 1 212.23.35.117-212.23.35.118 : create a translation pool on the outside interface
nat (inside) 1 10.0.0.0 255.255.255.0 : allow any address 10.0.0.* coming in on inside to use global pool 1

Page 27

Global & Nat

Only define 1 address in global for PAT

global (outside) 1 212.23.35.117
or
global (outside) 1 interface

To turn off NAT use nat 0

nat (inside) 0 0 0
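The translation slides above (dynamic NAT from a global pool, PAT on a single address, and the ASA checking return traffic against its table) modelled as an added Python example; this is not course code or anything the PIX runs. Addresses are the slide values; the PAT port numbering (starting at 1024) and the behaviour when the pool is exhausted are assumptions of the toy.

```python
"""Toy model of the PIX xlate table plus the stateful connection table.

Added example (not from the course). Addresses are the slide values; the
PAT port numbering and the behaviour on pool exhaustion are assumptions.
"""
import ipaddress
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Conn:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int

    def reverse(self) -> "Conn":
        return Conn(self.proto, self.dst, self.dport, self.src, self.sport)


def expand_pool(first: str, last: str) -> list:
    """Expand 'global (outside) 1 first-last' into the individual addresses."""
    lo = int(ipaddress.ip_address(first))
    hi = int(ipaddress.ip_address(last))
    return [str(ipaddress.ip_address(n)) for n in range(lo, hi + 1)]


@dataclass
class Pix:
    pool: list                      # global addresses; a single one means PAT
    pat_base: int = 1024            # constructed: first PAT source port handed out
    xlates: dict = field(default_factory=dict)  # local key -> global value
    conns: set = field(default_factory=set)     # stateful connection table

    def outbound(self, c: Conn):
        """Inside->outside: create xlate + conn entries, return the translated Conn."""
        if len(self.pool) == 1:                           # PAT: address and port
            key = (c.proto, c.src, c.sport)
            if key not in self.xlates:
                self.xlates[key] = (self.pool[0], self.pat_base + len(self.xlates))
            gip, gport = self.xlates[key]
        else:                                             # dynamic NAT: address only
            if c.src not in self.xlates:
                free = [g for g in self.pool if g not in self.xlates.values()]
                if not free:
                    return None                           # pool exhausted: dropped
                self.xlates[c.src] = free[0]
            gip, gport = self.xlates[c.src], c.sport
        out = Conn(c.proto, gip, gport, c.dst, c.dport)
        self.conns.add(out)                               # the "session object"
        return out

    def inbound(self, c: Conn):
        """Outside->inside: only the return half of a known conn gets through.

        Returns the untranslated Conn, or None when the ASA has no matching state.
        """
        if c.reverse() not in self.conns:
            return None
        for key, val in self.xlates.items():
            if len(self.pool) == 1:
                if val == (c.dst, c.dport):
                    return Conn(c.proto, c.src, c.sport, key[1], key[2])
            elif val == c.dst:
                return Conn(c.proto, c.src, c.sport, key, c.dport)
        return None
```

An unsolicited packet to a pooled address never matches a conn entry, which is the page's point that address translation alone keeps inbound traffic out.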

Page 28

Nat

Or to be a right smart arse use an access-list

nat (inside) 1 access-list natlist

Page 29

You now know enough to get a basic firewall working

Page 30

basic

pixfirewall(config)# interface ethernet0 auto
pixfirewall(config)# interface ethernet1 100full
pixfirewall(config)# nameif ethernet0 outside security0
pixfirewall(config)# nameif ethernet1 inside security100
pixfirewall(config)# ip address outside 61.2.93.93 255.255.255.240
pixfirewall(config)# ip address inside 10.0.0.2 255.255.255.0
pixfirewall(config)# route outside 0.0.0.0 0.0.0.0 61.2.93.81 1
pixfirewall(config)# global (outside) 1 interface
pixfirewall(config)# nat (inside) 1 0.0.0.0 0.0.0.0 0 0

But this configuration only allows information “out”

Page 31

Lab

• Configure a PIX to have the addresses provided

• So that it can browse the WWW

• PATs all requests to the outside interface

• Allows no traffic in

Time: 45 minutes

Page 32

Allowing information “IN”

Page 33

Static

The ASA will only allow traffic to travel from a “low” to a “high” interface if a static address translation is configured

This is done with the static command

Usage: static (if-src, if-dest) ip-dest ip-src netmask netmask

static (inside,outside) 61.2.93.82 10.0.0.2 netmask 255.255.255.255 0 0

You now have an external address – but it has an implied access-list of

deny ip any any

Page 34

Access-lists

Page 35

access-list

PIX access-lists are different from IOS access-lists. The key differences are:

• They are stateful – so they allow return traffic

• The mask is a genuine subnet mask

• The identifier (i.e. name) is alphanumeric –

IOS = access-list 101 permit
PIX = access-list one0one

• Line numbers can be used to edit access-lists

Page 36

access-list

Example access list:

access-list acl-outside permit tcp any host 217.64.230.186 eq https
access-list acl-outside permit tcp any 217.64.230.0 255.255.255.0 eq https
access-list acl-outside deny ip any any

Applying an access list to an interface:

access-group acl-outside in interface outside

Removing an access list from an interface:

no access-group acl-outside in interface outside
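The security-level, static and access-list rules from the slides above (pages 16-18, 33, 35 and 36) as one small policy model in Python; this is an added example, not course or PIX code. Interface names, the static for 61.2.93.82 and the subnet-mask semantics come from the slides; the ACL entries for 61.2.93.82 and the second DMZ in the test are constructed to exercise the rules.

```python
"""Toy model of how a PIX v6 decides whether a NEW connection is allowed.

Added example (not from the course). Rules modelled, as the slides state them:
  - high -> low security: needs a translation (nat/global); an ACL is optional
  - low -> high security: needs a static for the destination AND a permitting ACL
  - identical security levels: never
  - ACL masks are real subnet masks; implicit deny ip any any at the end
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass
class Ace:
    action: str                  # "permit" or "deny"
    proto: str                   # "ip", "tcp", "udp" or "icmp"
    src: str                     # "any", "host A.B.C.D" or "A.B.C.D M.M.M.M"
    dst: str
    dport: Optional[int] = None  # "eq <port>"; None matches any destination port


def match_addr(spec: str, ip: str) -> bool:
    """PIX access-list masks are genuine subnet masks, not IOS wildcard masks."""
    if spec == "any":
        return True
    if spec.startswith("host "):
        return ip == spec.split()[1]
    net, mask = spec.split()
    return ipaddress.ip_address(ip) in ipaddress.ip_network(f"{net}/{mask}", strict=False)


def acl_permits(aces, proto, src, dst, dport) -> bool:
    """First matching entry wins; falling off the end is the implicit deny."""
    for a in aces:
        if a.proto in ("ip", proto) and match_addr(a.src, src) \
                and match_addr(a.dst, dst) and a.dport in (None, dport):
            return a.action == "permit"
    return False


class PixPolicy:
    def __init__(self, levels: dict):
        self.levels = levels        # nameif: {"outside": 0, "inside": 100, "dmz": 50}
        self.nat_ifs = set()        # interfaces covered by a nat (if) n ... rule
        self.statics = {}           # static (hi,lo) global local  ->  {global: local}
        self.groups = {}            # access-group <acl> in interface <if>

    def nat(self, ifname: str):
        self.nat_ifs.add(ifname)

    def static(self, global_ip: str, local_ip: str):
        self.statics[global_ip] = local_ip

    def access_group(self, ifname: str, aces: list):
        self.groups[ifname] = aces

    def allows(self, ingress, egress, proto, src, dst, dport=None) -> bool:
        """Is a new connection entering `ingress` and leaving via `egress` accepted?"""
        lin, lout = self.levels[ingress], self.levels[egress]
        acl = self.groups.get(ingress)
        if lin == lout:
            return False                              # identical levels never talk
        if lin > lout:                                # high -> low
            if ingress not in self.nat_ifs:
                return False                          # no translation, no xlate
            return acl is None or acl_permits(acl, proto, src, dst, dport)
        # low -> high: a static for the destination AND an access-list that permits it
        if dst not in self.statics or acl is None:
            return False
        return acl_permits(acl, proto, src, dst, dport)
```

The ICMP case from page 18 falls out of the same rule: an echo-reply coming back in from outside is low-to-high, so without an access-list entry it is dropped.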

Page 37

Object-group

Page 38

Object-group

With version 5, PIX worked brilliantly in small organisations. But larger organisations always chose Checkpoint Firewall-1.

One reason for that was complexity: when I converted one small bank from FW1 to PIX, one screen of FW1 access-lists turned into 7 pages of PIX access-list:-

• services could not be grouped

• addresses could not be grouped

Which resulted in pages of repetition

Page 39

Object-group

Imagine:

access-list oldlist permit tcp host 10.0.0.1 any eq www
access-list oldlist permit tcp host 10.0.0.1 any eq https
access-list oldlist permit tcp host 10.0.0.2 any eq www
access-list oldlist permit tcp host 10.0.0.2 any eq https
access-list oldlist permit tcp host 10.0.0.3 any eq www
access-list oldlist permit tcp host 10.0.0.3 any eq https
access-list oldlist permit tcp host 10.0.0.9 any eq www
access-list oldlist permit tcp host 10.0.0.9 any eq https
access-list oldlist permit tcp host 10.0.0.22 any eq www
access-list oldlist permit tcp host 10.0.0.22 any eq https

Page 40

Object-group

object-group network inside10
  description inside 10 class objects
  network-object host 10.0.0.1
  network-object host 10.0.0.2
  network-object host 10.0.0.3
  network-object host 10.0.0.9
  network-object host 10.0.0.22

Page 41

Object-group access-list

pixfirewall(config)# show object
object-group network inside10
  description: inside 10 class objects
  network-object host 10.0.0.1
  network-object host 10.0.0.2
  network-object host 10.0.0.9
  network-object host 10.0.0.22
object-group service browsing tcp
  description: this is the web tcp ports
  port-object eq www
  port-object eq https
pixfirewall(config)# access-list obj-exmple permit tcp object-group inside10 any object-group browsing
pixfirewall(config)#
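To see what an object-group access-list entry stands for, here is an added Python example (not course or PIX code) that parses the object-group stanzas from the two slides above and expands one access-list line back into the flat per-host form of the "Imagine" slide. SAMPLE_CONFIG is constructed from the slide text; nested group-object lines and range port-objects are handled as an assumed extension.

```python
"""Expand PIX object-group access-list entries into the flat 'oldlist' form.

Added example (not from the course): a small parser for the object-group /
network-object / port-object stanzas shown on the slides and an expander
that reproduces the repetitive per-host lines they replace.
"""

# Constructed from the object-group slides (the 5-host group and the web ports).
SAMPLE_CONFIG = """\
object-group network inside10
  description inside 10 class objects
  network-object host 10.0.0.1
  network-object host 10.0.0.2
  network-object host 10.0.0.3
  network-object host 10.0.0.9
  network-object host 10.0.0.22
object-group service browsing tcp
  description this is the web tcp ports
  port-object eq www
  port-object eq https
"""


def parse_object_groups(config: str) -> dict:
    """Return {group_name: [member, ...]}; members are ready-to-print ACE tokens."""
    groups, current = {}, None
    for line in config.splitlines():
        w = line.split()
        if not w:
            continue
        if w[0] == "object-group":          # "object-group network NAME" / "service NAME tcp"
            current = groups[w[2]] = []
        elif current is None or w[0].startswith("description"):
            continue                        # also skips "description:" from show output
        elif w[0] == "network-object":      # "host A.B.C.D" or "A.B.C.D M.M.M.M"
            current.append(" ".join(w[1:]))
        elif w[0] == "port-object":         # "eq www" or "range 1 10"
            current.append(" ".join(w[1:]))
        elif w[0] == "group-object":        # nested group (assumed): inline its members
            current.extend(groups[w[1]])
    return groups


def _take(tokens: list, groups: dict):
    """Consume one address field, returning ([alternatives], remaining tokens)."""
    if tokens[0] == "object-group":
        return groups[tokens[1]], tokens[2:]
    if tokens[0] == "any":
        return ["any"], tokens[1:]
    if tokens[0] == "host":
        return [f"host {tokens[1]}"], tokens[2:]
    return [f"{tokens[0]} {tokens[1]}"], tokens[2:]      # network + subnet mask


def expand_ace(line: str, groups: dict) -> list:
    """'access-list N permit tcp object-group X any object-group Y' -> flat lines.

    Handles address groups in src/dst and a service group (or eq/range) after dst;
    source-port specifiers between src and dst are not modelled.
    """
    w = line.split()
    if w[0] != "access-list":
        raise ValueError("not an access-list line")
    name, action, proto, rest = w[1], w[2], w[3], w[4:]
    srcs, rest = _take(rest, groups)
    dsts, rest = _take(rest, groups)
    if not rest:
        ports = [""]
    elif rest[0] == "object-group":
        ports = groups[rest[1]]
    else:
        ports = [" ".join(rest)]
    return [f"access-list {name} {action} {proto} {s} {d} {p}".rstrip()
            for s in srcs for d in dsts for p in ports]
```

One 5-host group times one 2-port group gives back exactly the 10 lines of the "Imagine" slide, which is the repetition the object-group syntax removes.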

Page 42

Legacy access-lists

Page 43

Conduit, outbound + apply

The access-list command was introduced at 5.4 to make the PIX more like IOS – at 6.3 these legacy commands were deprecated, and they are not even in v7.0

Example legacy access list:

conduit permit tcp host 212.23.35.119 eq https any

“Old style” access list for an outbound interface:

Usage: outbound ID permit | deny ip_address [netmask [port]] [proto]

Pix# outbound 11 deny 161.73.0.0 255.255.0.0 412 tcp

Applying an outbound list to an interface:

Usage: apply [(if_name)] ID outgoing_src | outgoing_dest

Pix# apply (inside) 11 outgoing_src

Page 44

Advanced PIX: Protocol analysis

Page 45

fixup

Protocols are not designed with security in mind – they often have features that are insecure or difficult to express in an access-list

Firewalls use packet inspection and protocol analysis to overcome these difficulties

PIX enables the protocol feature and assigns the processing to a particular port with the fixup command

Page 46

fixup

fixup protocol ftp [strict] [port]
fixup protocol http [port[-port]]
fixup protocol h323 {h225 | ras} port [-port]
fixup protocol ils [port[-port]]
fixup protocol rsh [514]
fixup protocol rtsp [port]
fixup protocol sip [5060]
fixup protocol skinny [2000]
fixup protocol smtp [port[-port]]
fixup protocol sqlnet [port[-port]]
fixup protocol skinny port [-port]

Added at version 6.3:

fixup protocol icmp error   <- there's always 1 smart arse
fixup protocol ctiqbe 2748
[no] fixup protocol dns [maximum-length length]
fixup protocol esp-ike
fixup protocol snmp [161[-162]]
fixup protocol tftp [port[-port]]

Fixup disappears with version 7

Page 47

Other protection

MailGuard (enabled by fixup protocol smtp) only allows the SMTP commands mail to, rcpt frm, data, end & quit

DnsGuard (enabled by fixup protocol dns, or on by default pre 6.3) only accepts the first DNS datagram

FloodGuard (floodguard enable) enables flood protection

FragGuard (sysopt security fragguard, replaced by the fragment command)

Page 48

Advanced PIX: Dealing with attacks

Page 49

IDS/IPS

Basic IDS/IPS functions are enabled by

pixfirewall(config)# ip audit info action alarm
pixfirewall(config)# ip audit attack action alarm
ip audit attack action alarm drop
ip audit signature 2000 disable
ip audit signature 2001 disable
ip audit signature 2004 disable
ip audit signature 2005 disable

Syslog:

<162>May 29 2005 10:24:15 10.0.0.2 : %PIX-2-106017: Deny IP due to Land Attack from 61.2.93.93 to 61.2.93.93

Page 50

Anti-spoofing & investigations

Anti spoofing is enabled by

pixfirewall(config)# ip verify reverse-path interface outside

Syslog:

<167>May 29 2005 10:21:21 10.0.0.2 : %PIX-7-710005: UDP request discarded from 61.2.93.87/137 to outside:61.2.93.95/netbios-ns
<161>May 29 2005 10:21:22 10.0.0.2 : %PIX-1-106021: Deny udp reverse path check from 10.0.0.55 to 61.2.93.93 on interface outside

Getting a packet trace in pcap format:

pix# capture snifer access-list sniflist packet-length 74 interface inside
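The syslog lines on the IDS and anti-spoofing slides are what an operator actually sees from ip audit and ip verify reverse-path, so here is an added Python example (not course or PIX code) that parses the PIX syslog format and flags the two conditions shown: the land-attack signature (source equals destination) and a reverse-path failure with an RFC 1918 source arriving on the outside interface. SAMPLE_LOG reuses the slide lines as constructed input; the facility/severity split of the <PRI> value follows the syslog convention PRI = facility * 8 + severity.

```python
"""Parse the PIX syslog lines shown on the IDS and anti-spoofing slides and flag
the two conditions they illustrate. Added example (not from the course); the
SAMPLE_LOG lines are copied from the slides and serve as constructed test input.
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import Optional

SAMPLE_LOG = """\
<162>May 29 2005 10:24:15 10.0.0.2 : %PIX-2-106017: Deny IP due to Land Attack from 61.2.93.93 to 61.2.93.93
<167>May 29 2005 10:21:21 10.0.0.2 : %PIX-7-710005: UDP request discarded from 61.2.93.87/137 to outside:61.2.93.95/netbios-ns
<161>May 29 2005 10:21:22 10.0.0.2 : %PIX-1-106021: Deny udp reverse path check from 10.0.0.55 to 61.2.93.93 on interface outside
"""

HEADER = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<ts>\w{3} +\d{1,2} \d{4} \d\d:\d\d:\d\d) (?P<host>\S+) : "
    r"%PIX-(?P<sev>\d)-(?P<msgid>\d{6}): (?P<text>.*)$")
LAND = re.compile(r"Land Attack from (?P<src>\S+) to (?P<dst>\S+)")
RPF = re.compile(r"Deny (?P<proto>\w+) reverse path check from (?P<src>\S+) "
                 r"to (?P<dst>\S+) on interface (?P<iface>\S+)")


@dataclass
class Event:
    facility: int
    severity: int
    host: str
    msgid: str
    text: str


def parse_line(line: str) -> Optional[Event]:
    """Split the <PRI> header and the %PIX-<sev>-<id> tag; None if not a PIX line."""
    m = HEADER.match(line.strip())
    if not m:
        return None
    facility, severity = divmod(int(m["pri"]), 8)   # PRI = facility * 8 + severity
    if severity != int(m["sev"]):
        return None                                  # header and %PIX tag disagree
    return Event(facility, severity, m["host"], m["msgid"], m["text"])


def findings(log: str) -> list:
    """Return (msgid, description) for events a responder would want to look at."""
    out = []
    for line in log.splitlines():
        ev = parse_line(line)
        if ev is None:
            continue
        if ev.msgid == "106017":                     # ip audit: land attack signature
            m = LAND.search(ev.text)
            if m and m["src"] == m["dst"]:
                out.append((ev.msgid, f"land attack: src == dst {m['src']} on {ev.host}"))
        elif ev.msgid == "106021":                   # ip verify reverse-path failure
            m = RPF.search(ev.text)
            if m:
                src = ipaddress.ip_address(m["src"])
                kind = "RFC 1918 source" if src.is_private else "source"
                out.append((ev.msgid,
                            f"spoofed {kind} {src} arrived on {m['iface']} "
                            f"(dst {m['dst']}, {m['proto']})"))
    return out
```

The severity-7 710005 line is parsed but not reported, which is the usual triage split between debug noise and the two deny messages worth an alert.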

Page 51

Page 52

Site 2 site VPN

Page 53

Imagine 2 separate tunnels used for an IPSEC VPN, constructed in 3 steps covering 2 distinct IPSEC phases (diagram: the IKE/ISAKMP tunnel, then the encrypted data tunnel)

1. Identify need for a VPN

2. Phase 1 - ISAKMP

- identify/authenticate peers

- establish IKE SA (security association)

3. Phase 2 - IPSEC

- negotiate IPSEC SA (security association)

- Encrypt and transmit data

Page 54

ISAKMP

pixfirewall(config)# access-list a1 permit ip any any

pixfirewall(config)# isakmp policy 10 authen pre-share
pixfirewall(config)# isakmp policy 10 encrypt des
pixfirewall(config)# isakmp policy 10 hash md5
pixfirewall(config)# isakmp policy 10 lifetime 3600
pixfirewall(config)# isakmp policy 10 group 2
pixfirewall(config)# isakmp key my-secret address 10.0.0.1
pixfirewall(config)# isakmp enable outside

Page 55

IPSEC

pixfirewall(config)# sysopt connection permit-ipsec
pixfirewall(config)# sysopt ipsec pl-compatible
pixfirewall(config)# access-list a1 permit ip any any
pixfirewall(config)# crypto ipsec transform-set mytrans esp-des esp-md5-hmac
pixfirewall(config)# crypto map mymap 10 set transform-set mytrans
pixfirewall(config)# crypto map mymap 10 set peer 10.0.0.10
pixfirewall(config)# crypto map mymap 10 match address a1
pixfirewall(config)# crypto map mymap interface outside

Page 56

Lab

Using the IPSEC site-2-site template, configure your PIX to encrypt all traffic between it and the IOS router

Time: 1 hr 15 minutes

Page 57

Secure client VPN

Page 58

Cisco Secure client

1. The Secure client software on the PC contacts the PIX

2. Authenticates using info in the vpngroup command

3. Sets up a virtual network interface on the PC with info from the IP LOCAL POOL

4. Sets up an IPsec tunnel over it to the PIX as normal

Diagram: the PC's real address is 212.1.3.88 and its virtual interface is given 10.0.1.1 from vpnpool (10.0.1.1-10.0.1.30); the IPsec tunnel (tunnel mode) runs from 212.1.3.88 to the PIX at 61.2.93.91, carrying 10.0.1.1 inside it

Page 59

VPNGroup

access-list nonatlist permit ip any 10.0.1.0 255.255.255.0
nat (inside) 0 access-list nonatlist

ip local pool vpnpool 10.0.1.1-10.0.1.30
aaa-server vpnauth protocol radius
aaa-server vpnauth (inside) host 172.31.30.195 MYSECRET timeout 20

crypto dynamic-map vpn 10 set transform-set my-trans
crypto map mynmap 10 ipsec-isakmp dynamic vpn
crypto map mynmap client authentication vpnauth
crypto map mynmap interface outside

vpngroup vpn1 address-pool vpnpool
vpngroup vpn1 dns-server x.x.x.x
vpngroup vpn1 wins-server x.x.x.x
vpngroup vpn1 default-domain x.com
vpngroup vpn1 password ********

Annotations:
- nonatlist / nat 0: turns off NAT for VPN clients
- vpnauth label: links to RADIUS
- vpn label: links to the dynamic map
- vpnpool: links to the ip local pool
- vpngroup: group name and password stored on the VPN clients

Page 60

VPNGroup

access-list nonatlist permit ip 10.0.0.0 255.255.255.0 10.0.1.0 255.255.255.0
nat (inside) 0 access-list nonatlist
ip local pool vpnpool 10.0.1.1-10.0.1.30
aaa-server vpnauth protocol radius
aaa-server vpnauth (inside) host 172.31.30.195 MYSECRET timeout 20

crypto dynamic-map vpn 10 set transform-set my-trans
crypto map mynmap 10 ipsec-isakmp dynamic vpn
crypto map mynmap client authentication vpnauth
crypto map mynmap interface outside

vpngroup vpn1 address-pool vpnpool
vpngroup vpn1 dns-server x.x.x.x
vpngroup vpn1 wins-server x.x.x.x
vpngroup vpn1 default-domain x.com
vpngroup vpn1 idle-time 1800
vpngroup vpn1 password ********

Page 61

Lab

Using the IPSEC Secure Client template, configure your PIX to allow connections from the secure client

Time: 1 hr 15 minutes

Page 62

Page 63

Additional

Page 64

SNMP

snmp-server host inside X.X.X.X
snmp-server host inside X.X.X.X
snmp-server host inside X.X.X.X
snmp-server location Heathrow Data Center - Rack 31
snmp-server contact Network Support
snmp-server community xxxxx
snmp-server enable traps

Page 65

failover

Diagram: primary PIX with inside 10.0.0.1 (mac 00-0C-F1-37-FF-F1) and outside 217.64.224.01 (mac 00-0C-F1-37-F5-F7); standby PIX with inside 10.0.0.47 (mac 00-0C-F1-37-FF-FA) and outside 217.64.224.47 (mac 00-0C-F1-37-F5-F8)

failover
failover ip address outside 217.64.224.47
failover ip address inside 10.0.0.47

Page 66

failover

Before:

pix(config)# show failover
Failover On
Reconnect timeout 0:00:00
Poll frequency 15 seconds
Last Failover at: 18:32:16 UTC Mon Apr 7 2003
        This host: Primary – Active
                Active time: 510 (sec)
                Interface outside (192.168.1.1): Normal
                Interface inside (10.1.1.1): Normal
        Other host: Secondary – Standby
                Active time: 0 (sec)
                Interface outside (192.168.1.2): Normal
                Interface inside (10.1.1.2): Normal

After:

pix(config)# show failover
Failover On
Reconnect timeout 0:00:00
Poll frequency 15 seconds
Last Failover at:
        This host: Primary – Standby
                Active time: 510 (sec)
                Interface outside (192.168.1.2): Normal
                Interface inside (10.1.1.2): Normal
        Other host: Secondary – Active
                Active time: 0 (sec)
                Interface outside (192.168.1.1): Normal
                Interface inside (10.1.1.1): Normal

Page 67

failover: making a HA cluster

failover
failover timeout 0:00:00
failover poll 15
failover ip address outside 217.64.224.47
failover ip address inside X.X.X.X
failover ip address stateful 192.168.100.102
failover link stateful

Page 68

Telnet & ssh

Educate your telnet

telnet 10.0.1.2 255.255.255.255 inside
telnet 61.2.93.81 255.255.255.255 inside
telnet 61.2.93.82 255.255.255.255 inside

Educate your ssh

ssh 10.0.1.2 255.255.255.255 inside
ssh 61.2.93.81 255.255.255.255 inside
ssh 61.2.93.82 255.255.255.255 inside

Page 69

Operating the Pix

Page 70

pixfirewall# show xlate
2 in use, 79 most used
PAT Global 61.2.93.94(1134) Local 10.0.0.1(1038)
PAT Global 61.2.93.94(1321) Local 10.0.0.1(1219)

pixfirewall# show xlate debug
2 in use, 79 most used
Flags: D - DNS, d - dump, I - identity, i - inside, n - no random, o - outside, r - portmap, s - static
UDP PAT from inside:10.0.0.1/1038 to outside:61.2.93.94/1134 flags ri idle 0:00:08 timeout 0:00:30
TCP PAT from inside:10.0.0.1/1219 to outside:61.2.93.94/1321 flags ri idle 0:00:00 timeout 0:00:30

Page 71

pixfirewall# show conn
2 in use, 17 most used
UDP out 61.2.93.81:161 in 10.0.0.1:1038 idle 0:00:16 flags -
TCP out 213.19.160.190:80 in 10.0.0.1:1219 idle 0:00:00 Bytes 14137527 flags UIO

Page 72

• established tcp 9999 0 permitto tcp 1024-65535 permitfrom tcp 0

• established tcp 9998 0 permitto tcp 1024-65535 permitfrom tcp 0

• established tcp 135 0 permitto tcp 1024-65535 permitfrom tcp 0

Page 73

Alias

alias [<(if_name)>] <dnat_ip> <foreign_ip> [<mask>]

Page 74

Alias

alias [<(if_name)>] <dnat_ip> <foreign_ip> [<mask>]
alias (inside) 84.233.190.80 69.57.146.21 255.255.255.255

• If the PIX Firewall gets a packet destined for the dnat_ip address, it sends it to the foreign_ip address.

• When the PIX gets a DNS packet containing the foreign network address, it will change the contents of the DNS packet from the foreign network address to the dnat network address.