Network Security (Part 2): Professional Certification (NetworkSims)
PIX/ASA Configuration: Interfaces. Fixup. Static Routes. Access-lists. Failover. VPN.
Author: Prof Bill Buchanan
Stateful firewall PIX/ASA
Author: Bill Buchanan
Prof Bill Buchanan, Leader, Centre for Distributed Computing and Security
http://www.dcs.napier.ac.uk/~bill  Room: C.63

Assessment (academic element):
- On-line MCQ test: 40%
- Coursework (Agent-based IDS), Web-CT submission: 40%
- Security specialism on-line tests: .NET Security 20%, Network Security 20%
Schedule (Week, Date, Academic, Assessment, Lab/Tutorial):
- Week 2 (9 Feb): 1: Security Fundamentals. Lab 1: Packet Capture.
- Week 3 (16 Feb): 2: IDS. Lab 2: Packet Capture (Filter); Lab 3: Packet Capture (IDS).
- Weeks 4-8 (23 Feb, 2 Mar, 9 Mar, 16 Mar, 23 Mar) and 10-14 (6 Apr, 27 Apr, 4 May, 11 May, 18 May): 3: Encryption; 4: Authentication (Part 1); MCQ Test (assessment); 5: Software Security; 6: Network Security; then four weeks of Security Specialism and a closing MCQ Test (assessment).
- Labs over the same weeks: Lab 5: IDS Snort 1; Lab 6: IDS Snort 2; Lab 7: Private-key Encryption; Lab 8: Public-key Encryption; Lab 9: Log/Process/Hashing; Lab 10: TCP Forensics; Lab 11: Binary Analysis/Sig Det.
CIA and AAA
[Figure: Bob and Alice communicate across four levels, with Eve able to attack at each: Applications (integrated security), Services (integrated security), Application Communications (TCP, IP, and so on) and Network Infrastructure (firewalls, proxies, and so on). The levels are labelled with CIA and AAA.]
Integration between the levels often causes the most problems.
Example Infrastructure
[Figure 1: Bob on the Internet reaches Alice's site through a firewall, a switch, a router and a second firewall; a web server, email server, FTP server and proxy server sit behind the first firewall, with an Intrusion Detection System on each segment.]
[Figure 2: the same layout named by role: a packet-filter firewall at the Internet edge, a router performing NAT, a stateful firewall in front of the internal network, and the servers in a DMZ between them.]
[Figure 3: the same layout with Cisco products: a Cisco firewall and Cisco switch at the edge, and a Cisco PIX or Cisco ASA 5500 as the stateful firewall.]
[Figure: the DMZ layout annotated with the protocol stack each device sees: Application (FTP, Telnet, etc), L4 Transport (TCP), L3 Internet (IP), L2 Network (Ethernet). The server segments are marked as restricted areas and placed in VLAN 1 and VLAN 2, connected to the router over an 802.1q trunk.]
Physical security requires restricted areas and padlocked equipment.
Different VLANs cannot communicate directly: traffic between them must go through a router (or the firewall), which is where the inter-VLAN access policy is enforced. An 802.1q trunk carries several VLANs over a single link to that router.
Screening firewalls (packet filters) filter on IP and TCP header details, such as addresses and TCP ports, for incoming and outgoing traffic. Each packet is judged on its own; the filter keeps no memory of earlier packets.
Stateful firewalls filter on application, IP and TCP details and remember previous packets: they keep track of connections, so a reply is admitted only if it belongs to a connection that was opened from the more trusted side.
Application gateways (proxies): all application-layer traffic (FTP, Telnet, and so on) goes through the proxy, which terminates the client's connection and opens its own to the server, so it can inspect and enforce the protocol itself.
[Figure: the DMZ layout with the packet-filter firewall, NAT router, stateful firewall, proxy server and IDS placed as above; Alice's hosts sit behind the stateful firewall.]
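The difference between the screening filter and the stateful firewall described above, as an added example (not code from the slides or from Cisco): a small Python model that parses PIX-style access-list lines and applies them with and without a connection table. The interface security levels, the ACL, the addresses (taken from the routing figure later in the deck) and the traffic are all assumptions.

```python
"""Packet filter vs stateful firewall, modelled on PIX interface security levels.
Added illustration (not Cisco code); topology, security levels and ACL are assumed."""
from dataclasses import dataclass
import ipaddress


@dataclass(frozen=True)
class Packet:
    proto: str   # "tcp", "udp" or "icmp"
    src: str
    sport: int
    dst: str
    dport: int


def _take_addr(tok, i):
    """Consume one PIX address spec: 'any' | 'host A.B.C.D' | 'NETWORK MASK'."""
    if tok[i] == "any":
        return ("any",), i + 1
    if tok[i] == "host":
        return ("host", tok[i + 1]), i + 2
    return ("net", ipaddress.ip_network(f"{tok[i]}/{tok[i + 1]}")), i + 2


def _take_port(tok, i):
    """Consume an optional port operator: 'eq N' | 'gt N'."""
    if i < len(tok) and tok[i] in ("eq", "gt"):
        return (tok[i], int(tok[i + 1])), i + 2
    return None, i


def parse_acl(text):
    """Parse 'access-list NAME permit|deny PROTO SRC [op P] DST [op P]' lines."""
    rules = []
    for line in text.strip().splitlines():
        tok = line.split()
        if tok[0] != "access-list":
            raise ValueError("not an access-list line: " + line)
        action, proto = tok[2], tok[3]
        src, i = _take_addr(tok, 4)
        sport, i = _take_port(tok, i)
        dst, i = _take_addr(tok, i)
        dport, _ = _take_port(tok, i)
        rules.append((action, proto, src, sport, dst, dport))
    return rules


def _addr_ok(spec, addr):
    if spec[0] == "any":
        return True
    if spec[0] == "host":
        return spec[1] == addr
    return ipaddress.ip_address(addr) in spec[1]


def _port_ok(spec, port):
    if spec is None:
        return True
    op, n = spec
    return port == n if op == "eq" else port > n


def acl_permits(rules, pkt):
    """First matching entry wins; every PIX ACL ends with an implicit deny."""
    for action, proto, src, sport, dst, dport in rules:
        if proto not in ("ip", pkt.proto):
            continue
        if (_addr_ok(src, pkt.src) and _port_ok(sport, pkt.sport)
                and _addr_ok(dst, pkt.dst) and _port_ok(dport, pkt.dport)):
            return action == "permit"
    return False


class Firewall:
    """Decision for a packet arriving on in_if and leaving on out_if.
    stateful=False turns it into a plain screening filter: ACL only, no memory."""

    def __init__(self, rules, levels, stateful=True):
        self.rules, self.levels, self.stateful = rules, levels, stateful
        self.conns = set()   # connection table: (proto, src, sport, dst, dport)

    def process(self, pkt, in_if, out_if):
        fwd = (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)
        rev = (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)
        if self.stateful and rev in self.conns:
            return "permit: reply on a known connection"
        if self.levels[in_if] > self.levels[out_if]:
            verdict = "permit: higher to lower security level"
        elif acl_permits(self.rules, pkt):
            verdict = "permit: ACL on " + in_if
        else:
            return "deny"
        if self.stateful:
            self.conns.add(fwd)
        return verdict


LEVELS = {"outside": 0, "inf2": 50, "inside": 100}       # assumed security levels
# Assumed ACL bound inbound on outside: only the DMZ web server is reachable.
STATEFUL_ACL = "access-list OUTSIDE_IN permit tcp any host 172.10.10.2 eq 80\n"
# A packet filter has to add a blanket entry so that replies to inside clients get in.
FILTER_ACL = STATEFUL_ACL + "access-list OUTSIDE_IN permit tcp any any gt 1023\n"
# Constructed traffic: an inside client's web request, the server's reply, an
# attacker's packet dressed up to look like a reply, and a request to the DMZ.
TRAFFIC = [
    (Packet("tcp", "192.168.2.3", 40001, "176.10.1.2", 80), "inside", "outside"),
    (Packet("tcp", "176.10.1.2", 80, "192.168.2.3", 40001), "outside", "inside"),
    (Packet("tcp", "176.10.1.1", 80, "192.168.2.5", 40002), "outside", "inside"),
    (Packet("tcp", "176.10.1.1", 51000, "172.10.10.2", 80), "outside", "inf2"),
]


def run(stateful, acl_text):
    """Verdicts ('permit'/'deny') for TRAFFIC under the given firewall model."""
    fw = Firewall(parse_acl(acl_text), LEVELS, stateful)
    return [fw.process(p, i, o).split(":")[0] for p, i, o in TRAFFIC]


if __name__ == "__main__":
    for label, st, acl in (("stateful", True, STATEFUL_ACL),
                           ("packet filter", False, STATEFUL_ACL),
                           ("packet filter + gt 1023", False, FILTER_ACL)):
        print(f"{label:24s}", run(st, acl))
```

Running it gives three verdict lists: the stateful model admits the reply and drops the attacker's packet; the packet filter with the same ACL drops the reply as well; and the packet filter with the blanket gt 1023 entry that packet filters need for return traffic also lets the attacker's spoofed "reply" through to 192.168.2.5, which is exactly the gap the connection table closes.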
Professional Certification
Cisco Certification
- CCIE tracks: Routing & Switching; Design; Net Security; Service Provider; Storage Network; Voice; Wireless.
- Security path: CCNA (or CCNA ENT), CCNA Security, CCSP, CCIE Security.
CCSP core exams:
- 642-504 SNRS: Securing Networks with Cisco Routers and Switches
- 642-524 SNAF: Securing Networks with ASA Foundation
- 642-533 IPS: Implementing Cisco Intrusion Prevention System (IPS)
CCSP option (select one):
- 642-591 CANAC: Implementing Cisco NAC Appliance
- 642-545 MARS: Implementing Cisco Security Monitoring, Analysis and Response System
- 642-515 SNAA: Securing Networks with ASA Advanced
Firewalls
Software firewalls:
- Host-based, e.g. ZoneAlarm.
- CheckPoint firewall (software), running within Windows Server, Linux or VMware.
- Linux iptables.
- Easy to reconfigure, slower, less expensive, and usable on a range of computers and operating systems.
Hardware firewalls:
- Cisco router with firewall features (non-stateful when only access-lists are used).
- Cisco PIX/ASA (stateful).
- CheckPoint firewall on a dedicated (Nokia) appliance.
- Optimised engine and architecture, copes better with heavy traffic conditions, and offers improved failover.
PIX/ASA features:
- Firewall rules. These are held in ACLs (the access-list and access-group commands) and permit or block traffic. Every ACL ends with an implicit deny, so anything not explicitly permitted is dropped. A related feature is URL filtering, which (with an external filtering server) defines which web pages are allowed and which are not.
- Application inspection. The fixup command enables, disables or changes the port of the inspection engine for a network service (FTP, SMTP, HTTP, and so on), so the firewall can follow the protocol and open only the secondary connections it negotiates.
- Cut-through proxy. This defines the users who are allowed services such as HTTP, Telnet and FTP. The user authenticates once (against a AAA server) when the session starts; the session is then switched on the normal fast path, unlike an application proxy, which processes every packet at the application layer.
- Intrusion detection. The ip audit command detects intrusion signatures.
- Shunning. Together with intrusion detection, this allows a defined response to an intrusion, such as blocking the offending source address.
- Encryption. The PIX supports enhanced encryption, including acting as a server for VPN connections, typically with IPSec, and tunnelling techniques such as PPTP.
- Failover. This allows a second device to detect that a PIX has crashed and to take its place.
Hardware examples:
- Enterprise PIX 525: 600 MHz processor, 256 MB RAM, 360 Mbps throughput, up to 280,000 connections, failover support, up to eight network interfaces.
- Enterprise PIX 535: 1 GHz processor, 1 GB RAM, 1 Gbps throughput, up to 500,000 connections, failover support, up to ten network interfaces.
- ASA 5520: Intel Pentium 4 2 GHz, 512 MB RAM, runs PIX 7.x / ASA 8.x software, 8 interfaces, integrated IPSec and SSL VPN; throughput 450 Mbps (225 Mbps with 3DES); max 280,000 connections; 750 VPN peers.

PIX/ASA Configuration
PIX/ASA firewall (ASDM)
[Figure: ASDM (Adaptive Security Device Manager) screenshots of the configuration done through the GUI.]
Configuring the interfaces
[Figure: a PIX with three interfaces, E0 (outside), E1 (inside) and E2 (inf2).]
PIX 6.x (the address is assigned to the interface by its name):
    # config t
    (config)# hostname freds
    (config)# domain-name fred.com
    (config)# interface e0 auto
    (config)# ip address outside 192.168.1.1 255.255.255.0
PIX/ASA 7.x/8.x (the address is set in interface configuration mode, where the interface name and security level are set too):
    # config t
    (config)# hostname freds
    (config)# domain-name fred.com
    (config)# int e0
    (config-if)# nameif outside
    (config-if)# security-level 0
    (config-if)# ip address 192.168.2.1 255.255.255.0
    (config-if)# no shutdown
    (config-if)# exit
Check the result with show interface (6.x) or show interface ip brief (7.x/8.x). The two listings use different outside addresses (192.168.1.1 and 192.168.2.1); they are separate examples, not the same device.

Setting the default route
[Figure: the same three-interface PIX; the route command appeared only in the figure.]
Setting routes
[Figure: topology used for the routing, NAT, PAT, static-mapping and ACL slides. The PIX's E0 (outside) is 10.1.1.1 and its perimeter gateway is 10.1.1.254; the other addresses on the figure are 192.168.2.1 with hosts 192.168.2.3 and 192.168.2.5 on one of the remaining interfaces, 172.10.10.1 with host 172.10.10.2 on the other (E1 and E2), and 176.10.1.1 / 176.10.1.2 beyond the perimeter gateway. The route commands appeared only in the figure.]
Fixup (application inspection)
    (config)# show fixup
    fixup protocol ftp 21
    fixup protocol h323 h225 1720
    fixup protocol h323 ras 1718-1719
    fixup protocol http 80
    fixup protocol ils 389
    fixup protocol rsh 514
    fixup protocol rtsp 554
    fixup protocol sip 5060
    fixup protocol sip udp 5060
    fixup protocol skinny 2000
    fixup protocol smtp 25
    fixup protocol sqlnet 1521
Adding inspection on non-standard ports (each command adds the port to the engine; the defaults above stay in place):
    (config)# fixup protocol http 161
    (config)# fixup protocol ftp 60
    (config)# fixup protocol smtp 84
Why inspection is needed: in active-mode FTP the server opens the data connection back to a port the client announced in its PORT command on the control channel, so the firewall must read that command to know which inbound connection to allow. SQL*Net redirects the client from the listener port to a port negotiated on the connected session, which the firewall likewise has to learn from the payload. Without the fixup these secondary connections could only be admitted by broad ACL entries.
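What the FTP fixup does with the control channel, as an added example (not PIX code and not from the slides): it parses the fixup list above, then watches a constructed FTP session for PORT commands and 227 replies, opens a pinhole only for the address and port they announce, and refuses a PORT that names a host other than the client (the FTP bounce check). The session lines, the client and server addresses, and the extra ftp 60 entry are assumptions.

```python
"""What the FTP fixup (application inspection) does with the control channel.
Added illustration, not PIX code; the fixup list is the slide's plus ftp 60, and
the FTP session lines are constructed."""
import re

_PORT_RE = re.compile(r"^PORT (\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\s*$")
_PASV_RE = re.compile(r"^227 .*?\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")


def parse_show_fixup(text):
    """'fixup protocol NAME [qualifier] PORT|LO-HI' lines -> {NAME: {ports}}."""
    fixups = {}
    for line in text.strip().splitlines():
        tok = line.split()
        if tok[:2] != ["fixup", "protocol"]:
            continue                      # skip the prompt / command echo
        lo, _, hi = tok[-1].partition("-")
        fixups.setdefault(tok[2], set()).update(range(int(lo), int(hi or lo) + 1))
    return fixups


def decode_hostport(groups):
    """h1,h2,h3,h4,p1,p2 from PORT/227 -> ('h1.h2.h3.h4', p1*256+p2)."""
    nums = [int(g) for g in groups]
    if any(n > 255 for n in nums):
        raise ValueError("byte out of range in host-port")
    return ".".join(map(str, nums[:4])), nums[4] * 256 + nums[5]


def data_connection(line, client_ip, server_ip):
    """Return (pinhole, reason) for one control-channel line.
    Active mode (client sends PORT): the server will connect from port 20 back to
    the client; the embedded address must be the client's own, otherwise it is an
    FTP bounce attempt. Passive mode (server answers 227): the client will connect
    to the advertised server port; the embedded address must be the server's."""
    m = _PORT_RE.match(line)
    if m:
        host, port = decode_hostport(m.groups())
        if host != client_ip:
            return None, f"PORT names {host}, not the client {client_ip}: bounce refused"
        if port < 1024:
            return None, f"PORT to privileged port {port} refused"
        return {"from": (server_ip, 20), "to": (host, port)}, "active-mode pinhole"
    m = _PASV_RE.match(line)
    if m:
        host, port = decode_hostport(m.groups())
        if host != server_ip:
            return None, f"227 names {host}, not the server {server_ip}: refused"
        return {"from": (client_ip, "any"), "to": (host, port)}, "passive-mode pinhole"
    return None, "no data-connection command"


def inspect_ftp_session(fixups, control_dport, lines, client_ip, server_ip):
    """Pinholes the fixup would open for a control session to control_dport.
    A session on a port the ftp fixup does not cover is not inspected at all, so
    its data connections would have to be admitted by ordinary ACL entries."""
    if control_dport not in fixups.get("ftp", set()):
        return []
    holes = []
    for line in lines:
        hole, _reason = data_connection(line, client_ip, server_ip)
        if hole:
            holes.append(hole)
    return holes


SHOW_FIXUP = """
(config)# show fixup
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol ftp 60
"""

# Constructed control-channel lines between client 192.168.2.3 and server 176.10.1.2.
SESSION = [
    "USER bob",
    "PORT 192,168,2,3,156,64",                          # data to 192.168.2.3:40000
    "PORT 176,10,1,2,0,80",                             # bounce: server to itself:80
    "PASV",
    "227 Entering Passive Mode (176,10,1,2,195,80).",   # server offers 176.10.1.2:50000
]

if __name__ == "__main__":
    fx = parse_show_fixup(SHOW_FIXUP)
    for port in (21, 60, 2121):
        print(port, inspect_ftp_session(fx, port, SESSION, "192.168.2.3", "176.10.1.2"))
    print(data_connection(SESSION[2], "192.168.2.3", "176.10.1.2")[1])
```

Sessions to port 21 and to the added port 60 get two pinholes each (one active, one passive) and the bounce attempt is refused with a reason; a session to port 2121 gets nothing, because no inspection engine is bound to it.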
NAT, PAT, static mappings and access-lists
[Figures: the same topology (PIX E0 10.1.1.1 behind perimeter gateway 10.1.1.254; the 192.168.2.x, 172.10.10.x and 176.10.1.x networks) annotated in turn for dynamic NAT, PAT, static mappings and an inbound ACL. The PAT slide marks one traffic flow "Do not NAT!", i.e. exempted from translation. The nat/global, static and access-list/access-group commands appeared only in the figures.]
PIX/ASA Failover
Why failover: power-supply failures, a reboot of the primary, interface problems, memory overflow.
[Figure: a 40U rack holding two PIX units (1U each), a 5U server, UPS 1 and UPS 2.]
Failure
[Figure: MAIN and STANDBY units joined by a failover cable, each with E0 (outside), E1 (inside) and E2 (inf2).]
Licensing: either Primary (UR) / Secondary (UR), or Primary (UR) / Secondary (FO). An activation key is required.
UR: unrestricted licence (must be used for the primary). FO: failover licence (for the secondary). R: restricted licence (cannot be used for failover).
Both units must match: same PIX model, same RAM, same flash memory, same type and number of interfaces, same software version, and the same activation keys for DES or 3DES.
Hello messages are sent on ALL interfaces, including the failover connection.
Hello messages are sent every 1-15 seconds on every interface (hello time: PIX default 15 seconds, ASA default 1 second). If no hello is received on an interface within the holdtime (PIX default 45 seconds, i.e. 3 times the hello time; ASA default 15 seconds), the interface tests below decide whether that interface, and so the unit, has failed, and failover happens. If the standby also fails the tests, the primary keeps control and no failover occurs.
Interface tests, run in order and stopped as soon as one passes:
- Test 1: NIC status. The up/down status of the interface.
- Test 2: Network activity. Received traffic is monitored for 5 seconds; any packet passes the test.
- Test 3: ARP test. ARP requests are sent for the 10 most recently learned IP addresses in the ARP table.
- Test 4: Ping test. A broadcast ping to 255.255.255.255; any reply passes the test.
[Figure: primary and standby units linked by the failover cable or by an Ethernet (LAN-based) failover link; interfaces e0 outside, e1 inside, e2 inf2.]
On start-up the configuration is copied automatically from the active unit to the standby, and every new command is replicated as it is entered. The write standby command sends the whole running configuration to the secondary.
Stateful failover replicates the connection state as well as the configuration: the xlate (NAT translation) table, the connection and fixup tables, the ARP table, routing information, IPSec/ISAKMP security associations, MAC addresses and hello state. It requires an additional dedicated Ethernet connection (e3 on the figure) for the state traffic. On failover the secondary inherits the IP and MAC addresses of the primary, and the primary takes those of the secondary, so neighbouring hosts see no address change.
[Figure: the pair with the failover cable plus a separate stateful connection on e3.]
Non-stateful failover replicates only the configuration in RAM and the session set-up; the secondary still inherits the primary's IP and MAC addresses and vice versa, but NAT translations and open connections are lost, so clients must reconnect.
[Figure: the pair with only the failover cable or the LAN-based link.]
[Figure: LAN-based failover with the failover interface (e2) of both units on a dedicated switch or hub.]
Cable-based failover (the addresses given with failover ip address are those the standby unit uses):
    myPIX(config)# failover active
    myPIX(config)# failover ip address outside 157.202.212.2
    myPIX(config)# failover ip address inside 73.105.56.11
    myPIX(config)# failover ip address inf2 166.209.230.11
    myPIX(config)# failover poll 2
    myPIX(config)# show failover
LAN-based failover, primary unit:
    myPIX(config)# ip address outside 157.202.212.1
    myPIX(config)# ip address inside 73.105.56.1
    myPIX(config)# ip address inf2 166.209.230.1
    myPIX(config)# failover active
    myPIX(config)# failover ip address outside 157.202.212.2
    myPIX(config)# failover ip address inside 73.105.56.2
    myPIX(config)# failover ip address inf2 166.209.230.2
    myPIX(config)# failover lan key mypix
    myPIX(config)# failover lan unit primary
    myPIX(config)# failover lan interface inf2
    myPIX(config)# failover lan enable
LAN-based failover, secondary unit (only the failover interface needs an address; the rest is replicated once the link is up):
    myPIX(config)# ip address inf2 166.209.230.2
    myPIX(config)# failover active
    myPIX(config)# failover lan key mypix
    myPIX(config)# failover lan unit secondary
    myPIX(config)# failover lan interface inf2
    myPIX(config)# failover lan enable
[Figure: the pair with the stateful connection and LAN-based failover on e2.]
Caveats: the LAN failover interface must be dedicated to failover (it cannot also carry user traffic, as inf2 does in the cable-based example) and should sit on its own switch or VLAN. The failover lan key value is the shared secret that authenticates and encrypts the failover messages; without it, a host on that segment could inject failover messages and force a failover, so use a strong key. Verify the pair with show failover on both units.
VPN
Issues involved
[Figure: Bob and Alice communicate through two gateways over an untrusted network, with Eve on it.]
Eve could eavesdrop on the public communications. Eve could change the data packets. Eve could set up an alternative gateway and pose as the far end.
What is required is: encryption (for confidentiality); authentication of devices (to overcome spoofing); authentication of packets (for integrity).
Tunnelling methods
- PPTP (Point-to-Point Tunneling Protocol). Created by Microsoft and is routable. It uses MPPE (Microsoft Point-to-Point Encryption) and user authentication.
- L2TP (Layer 2 Tunneling Protocol). Works at Layer 2 to forward IP, IPX and AppleTalk (RFC 2661). Developed by Cisco, Microsoft, Ascend and 3Com. Provides user and machine authentication but no encryption, so it is normally run as L2TP over IPSec.
- IPSec. An open standard that includes both encryption and authentication.
Tunnelling mode or transport mode
Traffic is encrypted over the untrusted network. In tunnel mode (gateway-to-gateway) the whole original packet is encrypted between the two gateways, and traffic is unencrypted on the trusted networks on either side. Transport mode is end-to-end (host-to-host): the hosts themselves encrypt, only the payload is protected, and the original IP header stays in the clear.
[Figure: Bob and Alice with encrypted traffic between the gateways and unencrypted traffic on the inside segments (tunnel mode); below it, encryption running the whole way between the two hosts (transport mode).]
VPN types
- Extranet VPN: Bob Co. to Alice Co.
- Intranet VPN: between sites of Bob Co.
- Remote-access VPN: Bob at home to Bob Co.
[Figure: the example infrastructure with an end-to-end encrypted connection from Bob to Alice passing through the firewalls and IDS.]
Traffic encrypted only over the public channel (gateway-to-gateway) can still be inspected inside each site. Traffic that is encrypted end-to-end cannot be checked by firewalls, IDS, and so on.
Blocking end-to-end encryption
The firewall can block all encrypted content and any negotiation of a tunnel. For IPSec (one of the most popular tunnelling methods) the things to block are: UDP port 500, used for IKE key exchange (if it is blocked there can be no tunnel); IP protocol 50, IPSec ESP (Encapsulating Security Payload); and IP protocol 51, IPSec AH (Authentication Header). ESP and AH are IP protocol numbers, not TCP or UDP ports, so they must be matched with a protocol rule rather than a port rule. Where NAT traversal is in use, IPSec also runs over UDP port 4500, which must be blocked as well.
IPSec
The IPSec protocol has:
ESP (Encapsulating Security Payload). In transport mode ESP takes the original packet and splits off the IP header. The rest of the packet is encrypted and placed between a new ESP header and an ESP trailer, and the original IP header is put back at the start. The IP header is left unencrypted because routers must still read it as the packet crosses the Internet; only the host at the other end of the IPSec connection can decrypt the contents. ESP may also carry an authentication field (ESP Auth.) covering the ESP header and the encrypted payload, but not the IP header. Without that optional authentication ESP gives confidentiality only: an intruder can replay or alter previously sent packets undetected, because the sequence number in the ESP header is only checked when the packet is authenticated.
AH (Authentication Header). AH does not encrypt anything. It adds an AH header carrying a keyed hash (ICV) over the whole packet, the payload and the unchanging fields of the IP header included, so the packet's origin and contents can be verified; its sequence number is always protected, which gives replay detection.
[Figure: ESP transport mode: IP header | ESP header | IP packet contents (encrypted) | ESP trailer | ESP Auth., with the authentication scope covering everything after the IP header. Weakness without authentication: replay attack. AH transport mode: (new) IP header | AH header | IP packet contents, with the authentication scope covering the complete packet.]
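The ESP behaviour described above, as an added example (not PIX code and not an IPSec library): a Python model of ESP transport-mode encapsulation with and without the authentication field, plus the sliding anti-replay window. The cipher is a keystream drawn from HMAC-SHA256 standing in for DES/AES-CBC (assumption), the ICV is HMAC-SHA1-96 as esp-sha-hmac uses, and the keys, SPI and payload are constructed.

```python
"""ESP transport mode with and without authentication, plus the anti-replay window.
Added illustration (not PIX or IPSec library code). The cipher is a keystream drawn
from HMAC-SHA256, standing in for DES/AES-CBC; the ICV is HMAC-SHA1-96, as used by
esp-sha-hmac. Keys and the packet payload are constructed."""
import hashlib
import hmac
import struct

ESP_HDR = struct.Struct("!II")   # SPI, sequence number
ICV_LEN = 12                     # HMAC-SHA1-96 truncation


def _keystream(key, spi, seq, n):
    """Deterministic per-(SPI, seq) keystream; a stand-in cipher, not real IPSec."""
    out, ctr = b"", 0
    while len(out) < n:
        out += hmac.new(key, struct.pack("!IIQ", spi, seq, ctr), hashlib.sha256).digest()
        ctr += 1
    return out[:n]


def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def esp_encapsulate(enc_key, auth_key, spi, seq, payload, next_header=6):
    """Build ESP header | encrypted(payload + trailer) | [ICV].
    The IP header is not part of ESP and stays in the clear for the routers.
    auth_key=None gives ESP with no authentication (encryption only)."""
    pad_len = (-(len(payload) + 2)) % 4          # trailer aligns to 4 bytes
    trailer = bytes(range(1, pad_len + 1)) + bytes([pad_len, next_header])
    plain = payload + trailer
    pkt = ESP_HDR.pack(spi, seq) + _xor(plain, _keystream(enc_key, spi, seq, len(plain)))
    if auth_key is not None:
        pkt += hmac.new(auth_key, pkt, hashlib.sha1).digest()[:ICV_LEN]
    return pkt


class ReplayWindow:
    """RFC 2401 sliding window: accept each sequence number at most once."""

    def __init__(self, size=64):
        self.size, self.top, self.bitmap = size, 0, 0

    def accept(self, seq):
        if seq == 0:
            return False
        if seq > self.top:                       # new high-water mark: slide the window
            shift = seq - self.top
            self.bitmap = (self.bitmap << shift) & ((1 << self.size) - 1) if shift < self.size else 0
            self.bitmap |= 1
            self.top = seq
            return True
        if self.top - seq >= self.size:          # older than the window
            return False
        bit = 1 << (self.top - seq)
        if self.bitmap & bit:                    # already seen: replay
            return False
        self.bitmap |= bit
        return True


class EspReceiver:
    def __init__(self, enc_key, auth_key, spi):
        self.enc_key, self.auth_key, self.spi = enc_key, auth_key, spi
        self.window = ReplayWindow()

    def decapsulate(self, pkt):
        """Return (payload, next_header); raise ValueError for forged or replayed packets.
        The sequence number is only trustworthy when the ICV covers it, so, as in
        RFC 2406, anti-replay is applied only when authentication is enabled."""
        body = pkt
        if self.auth_key is not None:
            body, icv = pkt[:-ICV_LEN], pkt[-ICV_LEN:]
            expect = hmac.new(self.auth_key, body, hashlib.sha1).digest()[:ICV_LEN]
            if not hmac.compare_digest(icv, expect):
                raise ValueError("ICV mismatch: modified or forged packet")
        spi, seq = ESP_HDR.unpack_from(body)
        if spi != self.spi:
            raise ValueError("unknown SPI")
        if self.auth_key is not None and not self.window.accept(seq):
            raise ValueError(f"replayed sequence number {seq}")
        plain = _xor(body[8:], _keystream(self.enc_key, spi, seq, len(body) - 8))
        pad_len, next_header = plain[-2], plain[-1]
        return plain[:len(plain) - 2 - pad_len], next_header


def demo():
    """Exercise both configurations on a constructed payload; returns a result map."""
    enc, auth, spi = b"\x11" * 16, b"\x22" * 20, 0x1000
    msg = b"GET / HTTP/1.0\r\n\r\n"
    out = {}
    rx = EspReceiver(enc, auth, spi)
    pkt = esp_encapsulate(enc, auth, spi, 1, msg)
    out["auth_first"] = rx.decapsulate(pkt)[0] == msg
    tampered = pkt[:12] + bytes([pkt[12] ^ 1]) + pkt[13:]      # flip one ciphertext bit
    for name, p in (("auth_replay", pkt), ("auth_tamper", tampered)):
        try:
            rx.decapsulate(p)
            out[name] = "accepted"
        except ValueError as e:
            out[name] = str(e)
    rx_plain = EspReceiver(enc, None, spi)                     # ESP without authentication
    pkt_plain = esp_encapsulate(enc, None, spi, 1, msg)
    rx_plain.decapsulate(pkt_plain)
    out["noauth_replay"] = rx_plain.decapsulate(pkt_plain)[0] == msg   # replay goes through
    return out


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k:14s} {v}")
```

With authentication the first packet is accepted, the same packet sent again is rejected as a replay, and a packet with one flipped ciphertext bit fails the ICV check; without authentication the replayed packet decrypts and is accepted as if new, which is the weakness the slide points at.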
[Figure: the IP header fields (Version, Header length, Type of service, Total length, Identification, flags 0/D/M, Fragment offset, Time-to-live, Protocol, Header checksum, Source IP address, Destination IP address) carrying TCP and higher-level protocol data; the Protocol field is where ESP and AH are identified.]
IP protocol numbers of interest:
    1    ICMP     Internet Control Message [RFC 792]
    6    TCP      Transmission Control [RFC 793]
    8    EGP      Exterior Gateway Protocol [RFC 888]
    9    IGP      any private interior gateway [IANA]
    47   GRE      Generic Routing Encapsulation (used by PPTP)
    50   ESP      Encapsulating Security Payload [RFC 2406]
    51   AH       Authentication Header [RFC 2402]
    55   MOBILE   IP Mobility
    88   EIGRP    EIGRP [Cisco]
    89   OSPF     OSPFIGP [RFC 1583]
    115  L2TP     Layer Two Tunneling Protocol
[Figure: remote-access VPN, Bob at home to Bob Co.]
Phase 1 (IKE, Internet Key Exchange), over UDP port 500: defines the policies between the peers.
IKE policies: hashing algorithm (SHA/MD5), encryption (DES/3DES), Diffie-Hellman group, authentication (pre-shared key, RSA nonces, RSA signatures), lifetime.
    isakmp enable outside
    isakmp key ABC&FDD address 176.16.0.2 netmask 255.255.255.255
    isakmp identity address
    isakmp policy 5 authentication pre-share
    isakmp policy 5 encryption des
    isakmp policy 5 hash sha
    isakmp policy 5 group 1
    isakmp policy 5 lifetime 86400
    sysopt connection permit-ipsec
Phase 2: defines the transform sets (AH, ESP or both; encryption DES or 3DES; ESP tunnel or transport mode; authentication SHA/MD5), the peer IP addresses or hostnames, the SA lifetimes and the traffic of interest. Crypto maps tie these together and are bound to an interface.
    crypto ipsec transform-set MYIPSECFORMAT esp-des esp-sha-hmac
    access-list 111 permit ip 10.0.0.0 255.255.255.0 176.16.0.0 255.255.255.0
    crypto map MYIPSEC 10 ipsec-isakmp
    crypto map MYIPSEC 10 match address 111
    crypto map MYIPSEC 10 set peer 176.16.0.2
    crypto map MYIPSEC 10 set transform-set MYIPSECFORMAT
    crypto map MYIPSEC interface outside
Notes: sysopt connection permit-ipsec lets decrypted IPSec traffic bypass the interface ACL, so the access-list policy is not applied to VPN traffic unless that line is removed. DES, Diffie-Hellman group 1 and MD5 are shown for illustration only; they are no longer considered secure, and a current deployment would use AES, SHA-2 and DH group 14 or higher.
[Figure: device authentication and key agreement. Each peer holds a key pair (public key Kpb1/Kpb2, private key Kpv1/Kpv2); the public key is used to authenticate the device by checking its answer to a challenge (a hashed value compared with the expected result), and a shared key agreed with Diffie-Hellman is then used to encrypt all the data.]
IPSec (PIX) and IPSec (PIX and Router)
[Figure: lab topology with the addresses 10.0.0.1, 172.16.0.1, 172.16.0.2 and 192.168.0.1, the PIX and a router being the two IPSec peers.]
Captured IKE negotiation (Wireshark):
    No.  Time      Source       Destination    Protocol  Info
    81   5.237402  192.168.0.3  146.176.210.2  ISAKMP    Aggressive
    Frame 81 (918 bytes on wire, 918 bytes captured)
    Ethernet II, Src: IntelCor_34:02:f0 (00:15:20:34:62:f0), Dst: Netgear_b0:d6:8c (00:18:4d:b0:d6:8c)
    Internet Protocol, Src: 192.168.0.3 (192.168.0.3), Dst: 146.176.210.2 (146.176.210.2)
    Internet Security Association and Key Management Protocol
        Initiator cookie: 5ABABE2D49A2D42A
        Responder cookie: 0000000000000000
        Next payload: Security Association (1)
        Version: 1.0
        Exchange type: Aggressive (4)
        Flags: 0x00
        Message ID: 0x00000000
        Length: 860
        Security Association payload
            Next payload: Key Exchange (4)
            Payload length: 556
            Domain of interpretation: IPSEC (1)
            Situation: IDENTITY (1)
            Proposal payload # 1
                Next payload: NONE (0)
                Payload length: 544
                Proposal number: 1
                Protocol ID: ISAKMP (1)
                SPI Size: 0
                Proposal transforms: 14
                Transform payload # 1
                    Next payload: Transform (3)
                    Payload length: 40
                    Transform number: 1
                    Transform ID: KEY_IKE (1)
                    Encryption-Algorithm (1): AES-CBC (7)
                    Hash-Algorithm (2): SHA (2)
                    Group-Description (4): Alternate 1024-bit MODP group (2)
                    Authentication-Method (3): XAUTHInitPreShared (65001)
                    Life-Type (11): Seconds (1)
                    Life-Duration (12): Duration-Value (2147483)
                    Key-Length (14): Key-Length (256)
The responder cookie is all zeros because this is the first message of the exchange. The client proposes 14 transforms; the first is AES-256-CBC with SHA, DH group 2 and XAUTH with a pre-shared group key, in aggressive mode.
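The message above decoded by hand, as an added example (not PIX or Wireshark code): a Python parser for the ISAKMP header and the SA/proposal/transform payloads (RFC 2408 layout), with a short review of what the proposal implies. The sample bytes are constructed to carry the header and first-transform values of the capture, but with a single transform rather than 14, so the length fields are smaller than in the capture.

```python
"""Parse the ISAKMP header and SA proposal of an IKEv1 message (RFC 2408 layout).
Added illustration, not PIX or Wireshark code. The sample bytes are constructed to
carry the header and first-transform values of the capture above, with a single
transform rather than 14, so the length fields differ from the capture."""
import struct

EXCHANGE = {2: "Identity Protection (Main Mode)", 4: "Aggressive", 5: "Informational", 32: "Quick Mode"}
ENC = {1: "DES-CBC", 5: "3DES-CBC", 7: "AES-CBC"}
HASH = {1: "MD5", 2: "SHA"}
AUTH = {1: "pre-shared key", 3: "RSA signatures", 65001: "XAUTHInitPreShared"}
ATTR = {1: "enc", 2: "hash", 3: "auth", 4: "group", 11: "life_type",
        12: "life_duration", 14: "key_length"}
HDR = struct.Struct("!8s8sBBBBII")   # cookies, next payload, version, exchange, flags, msgid, length


def parse_attributes(buf):
    """Data attributes: bit 15 set = TV (2-byte value), clear = TLV (length, value)."""
    attrs, i = {}, 0
    while i < len(buf):
        t, v = struct.unpack_from("!HH", buf, i)
        if t & 0x8000:
            val, i = v, i + 4
        else:
            val, i = int.from_bytes(buf[i + 4:i + 4 + v], "big"), i + 4 + v
        attrs[ATTR.get(t & 0x7FFF, t & 0x7FFF)] = val
    return attrs


def parse_isakmp(data):
    ic, rc, next_pl, ver, xchg, flags, msgid, length = HDR.unpack_from(data, 0)
    if length != len(data):
        raise ValueError(f"length field {length} does not match {len(data)} bytes")
    msg = {"icookie": ic.hex().upper(), "rcookie": rc.hex().upper(),
           "version": f"{ver >> 4}.{ver & 0xF}", "exchange": EXCHANGE.get(xchg, xchg),
           "flags": flags, "message_id": msgid, "transforms": []}
    if next_pl != 1:                              # only an SA payload is decoded here
        return msg
    _, _, _sa_len, doi, situation = struct.unpack_from("!BBHII", data, HDR.size)
    msg["doi"], msg["situation"] = doi, situation
    p = HDR.size + 12
    _, _, _p_len, p_num, proto_id, spi_size, n_trans = struct.unpack_from("!BBHBBBB", data, p)
    msg["proposal"] = {"number": p_num, "protocol_id": proto_id, "transforms": n_trans}
    t = p + 8 + spi_size
    for _ in range(n_trans):
        _, _, t_len, t_num, t_id = struct.unpack_from("!BBHBB", data, t)
        a = parse_attributes(data[t + 8:t + t_len])
        msg["transforms"].append({
            "number": t_num, "id": t_id,
            "enc": ENC.get(a.get("enc")), "hash": HASH.get(a.get("hash")),
            "auth": AUTH.get(a.get("auth")), "group": a.get("group"),
            "key_length": a.get("key_length"),
            "life_seconds": a.get("life_duration") if a.get("life_type") == 1 else None})
        t += t_len
    return msg


def risk_notes(msg):
    """What a reviewer would flag in this proposal."""
    notes = []
    psk = ("pre-shared key", "XAUTHInitPreShared")
    if msg["exchange"] == "Aggressive" and any(t["auth"] in psk for t in msg["transforms"]):
        notes.append("aggressive mode with a pre-shared key: the identity is sent in the "
                     "clear and the PSK-derived hash can be captured and cracked offline")
    for t in msg["transforms"]:
        if t["enc"] == "DES-CBC" or t["hash"] == "MD5" or (t["group"] or 0) < 14:
            notes.append(f"transform {t['number']}: legacy parameters "
                         f"(enc={t['enc']}, hash={t['hash']}, group={t['group']})")
    return notes


def build_sample():
    """Constructed first message of the capture, truncated to one transform."""
    attrs = b"".join([
        struct.pack("!HH", 0x8001, 7),            # Encryption-Algorithm: AES-CBC
        struct.pack("!HH", 0x8002, 2),            # Hash-Algorithm: SHA
        struct.pack("!HH", 0x8004, 2),            # Group-Description: 1024-bit MODP
        struct.pack("!HH", 0x8003, 65001),        # Authentication-Method: XAUTHInitPreShared
        struct.pack("!HH", 0x800B, 1),            # Life-Type: seconds
        struct.pack("!HHI", 0x000C, 4, 2147483),  # Life-Duration (TLV form)
        struct.pack("!HH", 0x800E, 256)])         # Key-Length: 256
    transform = struct.pack("!BBHBBH", 0, 0, 8 + len(attrs), 1, 1, 0) + attrs
    proposal = struct.pack("!BBHBBBB", 0, 0, 8 + len(transform), 1, 1, 0, 1) + transform
    sa = struct.pack("!BBHII", 4, 0, 12 + len(proposal), 1, 1) + proposal
    hdr = HDR.pack(bytes.fromhex("5ABABE2D49A2D42A"), bytes(8), 1, 0x10, 4, 0, 0, HDR.size + len(sa))
    return hdr + sa


if __name__ == "__main__":
    m = parse_isakmp(build_sample())
    print(m["exchange"], m["transforms"][0])
    for n in risk_notes(m):
        print("-", n)
```

The transform payload comes out at 40 bytes, matching the capture, and the review flags two things a pentester would act on: aggressive mode with a group pre-shared key (the responder's hash can be taken from the wire and attacked offline) and the 1024-bit DH group.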
Before connecting to the VPN (Bob at home, remote-access VPN to Bob Co.):
    C:\>route print
    ===========================================================================
    Interface List
     10 ...00 1d 09 3f 49 8d ...... Broadcom NetLink (TM) Fast Ethernet
      7 ...00 1f 3c 4f 30 1d ...... Intel(R) PRO/Wireless 3945ABG Network Connection
      1 ........................... Software Loopback Interface 1
    ===========================================================================
    IPv4 Route Table
    ===========================================================================
    Active Routes:
    Network Destination        Netmask          Gateway       Interface  Metric
              0.0.0.0          0.0.0.0      192.168.0.1      192.168.0.3     25
            127.0.0.0        255.0.0.0         On-link         127.0.0.1    306
            127.0.0.1  255.255.255.255         On-link         127.0.0.1    306
      127.255.255.255  255.255.255.255         On-link         127.0.0.1    306
          192.168.0.0    255.255.255.0         On-link       192.168.0.3    281
          192.168.0.3  255.255.255.255         On-link       192.168.0.3    281
        192.168.0.255  255.255.255.255         On-link       192.168.0.3    281
            224.0.0.0        240.0.0.0         On-link         127.0.0.1    306
            224.0.0.0        240.0.0.0         On-link       192.168.0.3    281
      255.255.255.255  255.255.255.255         On-link         127.0.0.1    306
      255.255.255.255  255.255.255.255         On-link       192.168.0.3    281
    ===========================================================================
    Persistent Routes:
      None
After connecting to the VPN:
    C:\>route print
    ===========================================================================
    Interface List
     21 ...00 05 9a 3c 78 00 ...... Cisco Systems VPN Adapter
     10 ...00 1d 09 3f 49 8d ...... Broadcom NetLink (TM) Fast Ethernet
      7 ...00 1f 3c 4f 30 1d ...... Intel(R) PRO/Wireless 3945ABG Network Connection
      1 ........................... Software Loopback Interface 1
    ===========================================================================
    IPv4 Route Table
    ===========================================================================
    Active Routes:
    Network Destination        Netmask          Gateway       Interface  Metric
              0.0.0.0          0.0.0.0      192.168.0.1      192.168.0.3     25
            127.0.0.0        255.0.0.0         On-link         127.0.0.1    306
            127.0.0.1  255.255.255.255         On-link         127.0.0.1    306
      127.255.255.255  255.255.255.255         On-link         127.0.0.1    306
          146.176.0.0      255.255.0.0         On-link   146.176.212.218    281
          146.176.1.0    255.255.255.0      146.176.0.1   146.176.212.218    100
          146.176.2.0    255.255.255.0      146.176.0.1   146.176.212.218    100
      ...
        146.176.210.2  255.255.255.255      192.168.0.1       192.168.0.3    100
        146.176.211.0    255.255.255.0      146.176.0.1   146.176.212.218    100
      146.176.212.218  255.255.255.255         On-link   146.176.212.218    281
      ...
      255.255.255.255  255.255.255.255         On-link         127.0.0.1    306
      255.255.255.255  255.255.255.255         On-link       192.168.0.3    281
      255.255.255.255  255.255.255.255         On-link   146.176.212.218    281
    ===========================================================================
    Persistent Routes:
What changed: a Cisco Systems VPN Adapter (146.176.212.218) has appeared, the 146.176.x.x networks are routed through it via 146.176.0.1, and a host route to the VPN concentrator 146.176.210.2 is pinned to the physical gateway 192.168.0.1 so that the tunnel's own outer packets are not sent into the tunnel. The default route is unchanged, so this is a split tunnel: Internet traffic still leaves directly via 192.168.0.1 and only the corporate prefixes are encrypted, which means the host is on the home LAN and the corporate network at the same time.
Figure: Bob@home (192.168.0.3, VPN adapter 146.176.212.218) with a VPN connection to Bob Co. (146.176.0.1).

After connecting to the VPN, all other traffic, that is, traffic not destined for the 146.176.0.0 network, goes through the non-VPN connection.
Traceroute for VPN

Before VPN connection:

C:\>tracert www.napier.ac.uk

Tracing route to www.napier.ac.uk [146.176.222.174]
over a maximum of 30 hops:

  1     2 ms     2 ms     6 ms  192.168.0.1
  2    36 ms    38 ms    38 ms  cr0.escra.uk.easynet.net [87.87.249.224]
  3    31 ms    31 ms    30 ms  ip-87-87-146-129.easynet.co.uk [87.87.146.129]
  4    43 ms    43 ms    43 ms  be2.er10.thlon.ov.easynet.net [195.66.224.43]
  5    48 ms    45 ms    45 ms  linx-gw1.ja.net [195.66.224.15]
  6    45 ms    44 ms    45 ms  so-0-1-0.lond-sbr4.ja.net [146.97.35.129]
  7    49 ms    79 ms    49 ms  so-2-1-0.leed-sbr1.ja.net [146.97.33.29]
  8    58 ms    56 ms    56 ms  EastMAN-E1.site.ja.net [146.97.42.46]
  9    59 ms    57 ms    57 ms  vlan16.s-pop2.eastman.net.uk [194.81.56.66]
 10    57 ms    59 ms    58 ms  gi0-1.napier-pop.eastman.net.uk [194.81.56.46]
 11

After VPN connection (VPN adapter 146.176.212.218, tunnel to 146.176.0.1):

C:\>tracert www.napier.ac.uk

Tracing route to www.napier.ac.uk [146.176.222.174]
over a maximum of 30 hops:

  1    57 ms    58 ms    58 ms  146.176.210.2
  2    58 ms    56 ms    59 ms  www.napier.ac.uk [146.176.222.174]
  3    57 ms    57 ms    56 ms  www.napier.ac.uk [146.176.222.174]
Before VPN connection:

C:\>tracert www.intel.com

Tracing route to a961.g.akamai.net [90.223.246.33]
over a maximum of 30 hops:

  1     3 ms     1 ms     1 ms  192.168.0.1
  2    35 ms    43 ms    36 ms  cr0.escra.uk.easynet.net [87.87.249.224]
  3    32 ms    31 ms    32 ms  ip-87-87-146-129.easynet.co.uk [87.87.146.129]
  4    46 ms    45 ms    45 ms  te7-0-0.sr0.enlcs.ov.easynet.net [89.200.132.109]
  5    46 ms    47 ms    47 ms  5adff621.bb.sky.com [90.223.246.33]

After VPN connection:

C:\>tracert www.intel.com

Tracing route to a961.g.akamai.net [90.223.246.33]
over a maximum of 30 hops:

  1     3 ms     1 ms     1 ms  192.168.0.1
  2    35 ms    43 ms    36 ms  cr0.escra.uk.easynet.net [87.87.249.224]
  3    32 ms    31 ms    32 ms  ip-87-87-146-129.easynet.co.uk [87.87.146.129]
  4    46 ms    45 ms    45 ms  te7-0-0.sr0.enlcs.ov.easynet.net [89.200.132.109]
  5    46 ms    47 ms    47 ms  5adff621.bb.sky.com [90.223.246.33]

The path is unchanged: www.intel.com lies outside the 146.176.0.0 network, so its traffic is not sent through the tunnel.
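As an added example (not from the slides), the following Python parses a subset of the route print rows shown above, constructed from the slides, and performs the same longest-prefix lookup Windows does, with the metric breaking ties. It shows why www.napier.ac.uk (146.176.222.174) leaves through the VPN adapter after connecting while the Akamai address for www.intel.com (90.223.246.33) still follows the default route, which is what the two traceroutes confirm; it also shows that the host route for the VPN gateway itself (146.176.210.2) deliberately points at the physical interface, so the encrypted tunnel traffic is not routed back into the tunnel. VPN_ADAPTER, parse_routes, lookup, uses_tunnel and added_routes are this example's own names.

```python
import ipaddress

# "Active Routes" rows constructed from the route print output on the
# slides (a subset; loopback, multicast and broadcast rows are omitted).
# Columns: Network Destination, Netmask, Gateway, Interface, Metric.
BEFORE_VPN = """\
          0.0.0.0          0.0.0.0      192.168.0.1      192.168.0.3     25
        127.0.0.0        255.0.0.0         On-link         127.0.0.1    306
      192.168.0.0    255.255.255.0         On-link       192.168.0.3    281
"""

# Rows the Cisco VPN adapter (146.176.212.218) adds once the tunnel is up.
AFTER_VPN = BEFORE_VPN + """\
      146.176.0.0      255.255.0.0         On-link   146.176.212.218    281
      146.176.1.0    255.255.255.0      146.176.0.1  146.176.212.218    100
    146.176.210.2  255.255.255.255      192.168.0.1      192.168.0.3    100
    146.176.211.0    255.255.255.0      146.176.0.1  146.176.212.218    100
"""

VPN_ADAPTER = "146.176.212.218"   # interface address of the VPN adapter


def parse_routes(text):
    """Turn route print rows into (network, gateway, interface, metric)."""
    routes = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 5:
            continue                     # skip headers and separator lines
        dest, mask, gateway, iface, metric = fields
        network = ipaddress.ip_network(f"{dest}/{mask}", strict=False)
        routes.append((network, gateway, iface, int(metric)))
    return routes


def lookup(routes, destination):
    """Longest-prefix match, lowest metric breaking ties; returns the
    (interface, gateway) pair the packet is forwarded on."""
    addr = ipaddress.ip_address(destination)
    matches = [r for r in routes if addr in r[0]]
    _, gateway, iface, _ = max(matches, key=lambda r: (r[0].prefixlen, -r[3]))
    return iface, gateway


def uses_tunnel(routes, destination):
    """True when the packet leaves via the VPN adapter."""
    return lookup(routes, destination)[0] == VPN_ADAPTER


def added_routes(before, after):
    """Routes present after connecting that were absent before."""
    seen = {(str(n), g, i) for n, g, i, _ in before}
    return [r for r in after if (str(r[0]), r[1], r[2]) not in seen]


if __name__ == "__main__":
    before, after = parse_routes(BEFORE_VPN), parse_routes(AFTER_VPN)
    for name, dest in [("www.napier.ac.uk", "146.176.222.174"),
                       ("www.intel.com (Akamai)", "90.223.246.33"),
                       ("VPN gateway", "146.176.210.2")]:
        print(f"{name:24} before: {lookup(before, dest)}  "
              f"after: {lookup(after, dest)}  tunnel: {uses_tunnel(after, dest)}")
    for n, g, i, m in added_routes(before, after):
        print("added:", n, g, i, m)
```

Comparing added_routes output against the subnets the VPN gateway is expected to push is a quick way to confirm a split-tunnel policy on the client side: anything beyond the expected 146.176.x.x entries, or a changed default route, is worth investigating.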