4  Warnings       Warning message
5  Notifications  Normal but significant condition
6  Informational  Information message
7  Debugging      Debug messages and log FTP commands and WWW URLs
An example of sending warnings to a syslog server is:
pixfirewall>enable
pixfirewall#configure terminal
pixfirewall(config)#logging trap 4
pixfirewall(config)#logging host inside 172.16.0.38 tcp
NOTE
Syslog is not a secure protocol. The syslog server should be secured, and network access to the syslog server should be restricted.
Securing the PIX
Since the PIX is a security device, limiting access to the PIX to only those who need it is extremely important. What would happen if individuals were able to Telnet freely to the PIX from the inside network? Limiting access to the PIX can be achieved by using the telnet command. Telnet is an insecure protocol. Everything that is typed on a Telnet session, including passwords, is sent in clear text. Individuals using a network-monitoring tool can then capture the packets and discover the login password and the enable password, if issued. If remote management of the PIX is necessary, the network communication should be secured.
It is also a good idea to limit the idle time of a Telnet session and log any connections to the PIX through Telnet. When possible, use a RADIUS, Kerberos, or TACACS+ server to authenticate connections on the console or vty (Telnet) ports:
Table 9.2 Continued
■ Ip_address is an IP address of a host or network that can access the PIX Telnet console. If an interface name is not specified, the address is assumed to be on the internal interface. PIX automatically verifies the IP address against the IP addresses specified by the ip address commands to ensure that the address you specify is on an internal interface.
■ Netmask is the bit mask of ip_address. To limit access to a single IP address, use 255.255.255.255 for the subnet mask.
■ Interface_name is the name of the interface on which to apply the security.
■ Timeout is the number of minutes that a Telnet session can be idle before being disconnected by the PIX. The default is 5 minutes.
TIP
When permitting Telnet access to an interface, be as specific as possible. If an administrative terminal uses a static IP address, permit only that IP address for Telnet access.
The following is an example of limiting Telnet access to the PIX to one host on the inside network.
Finally, a security measure that is often forgotten is to keep the PIX in a secure area. By locking it away in a server room or wiring closet, only limited individuals will be able to physically reach the PIX. How would your security policy be enforced if an individual were able to walk up to the PIX and pull out the power cable?
Take the extra time to secure the PIX according to the security policy. The PIX is typically the device that enforces the majority of a company's security policy. If the PIX itself is not secured, and an unauthorized individual gains access to it, the security of the network will be compromised.
Summary
The Cisco PIX Firewall is a very versatile security device. From the PIX 506 SOHO model to the Enterprise class PIX 520 model, the PIX can fulfill the security needs of any size network.
In this chapter we covered numerous topics including the design of a security policy and then implementing that security policy on the PIX. It is extremely important to design a policy thoroughly before implementing it. Identifying the resources to protect, the services you wish to allow (HTTP, FTP etc.), and requiring users to authenticate in order to access a resource ahead of time will permit an organization to implement the security policy in a quick and efficient manner. By creating a security policy on the fly, your resources can be compromised and data can be corrupted. Instead of being reactive to attacks and other security holes, creating a detailed security policy is a proactive measure in protecting your network.
Remember the key security features of the PIX: URL, ActiveX, and Java filtering; access control lists; DMZs; AAA authentication and authorization; DNSGuard, IP FragGuard, MailGuard, Flood Defender, and Flood Guard; IPSec; stateful filtering; securing access to the PIX; and syslog. These features will aid you in creating and implementing your security policy. NAT and NAPT should not be relied on as a security measure. Using a syslog server will allow you to archive all of the traffic that passes through your firewall. By using syslog, you will always have a record of anyone attempting to attack your firewall from the inside or outside.
Q: I am setting up my outbound access control lists to specify which traffic I will permit users to use. How do I know which TCP or UDP port
A: Usually the application vendor will have the TCP or UDP port(s) listed in the documentation, or available on their Web site. For a comprehensive list of Well Known Ports, Registered Ports, and Dynamic/Private ports, visit www.isi.edu/in-notes/iana/assignments/port-numbers.
Q: running due to firewall restrictions. After researching the application, I am unable to figure out which TCP or UDP port the application uses. How can I find this information?
A: syslog on the PIX, you can query the syslog for instances of the IP address being denied. From that output, you should be able to determine the port in question. The following is one line of output from the syslog:
106019: IP packet from 172.16.0.39 to 212.214.136.27, protocol 17 received from interface "inside" deny by access-group "acl_out"
From this output you can clearly see that host 172.16.0.39 is trying to access a foreign IP address on port 17. After checking to which service port 17 corresponds, you find that the user is trying to use an application that gives "Quote of the day" messages.
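As an added example (not from the book), the following Python filter does the syslog query described in the answer above: it pulls 106019 deny records out of an archived syslog file, lists those from one inside host, and (going beyond the single-host question) tallies denied flows by source, destination, protocol and access-group. The sample log is constructed here; the first line is the book's own. One caveat the parser makes explicit: the number after "protocol" in message 106019 is the IP protocol number (17 is UDP), and this message type carries no port, so the port has to be taken from a log message that includes it.

```python
import re
from collections import Counter

# Constructed sample archive. The first line is the book's own example;
# the rest are made up here to give the filter something to aggregate.
SAMPLE_LOG = """\
106019: IP packet from 172.16.0.39 to 212.214.136.27, protocol 17 received from interface "inside" deny by access-group "acl_out"
%PIX-2-106019: IP packet from 172.16.0.39 to 212.214.136.27, protocol 17 received from interface "inside" deny by access-group "acl_out"
%PIX-2-106019: IP packet from 172.16.0.44 to 198.51.100.7, protocol 6 received from interface "inside" deny by access-group "acl_out"
%PIX-2-106019: IP packet from 203.0.113.9 to 207.139.221.40, protocol 1 received from interface "outside" deny by access-group "acl_mailin"
May  3 10:15:01 pixfirewall constructed noise line that is not a 106019 message
"""

# IP protocol numbers as they appear after "protocol" in message 106019.
# This is the IP header protocol field, not a TCP or UDP port number.
PROTO_NAMES = {1: "icmp", 6: "tcp", 17: "udp"}

# Matches the 106019 body with or without the "%PIX-2-" prefix in front of it.
DENY_RE = re.compile(
    r'106019: IP packet from (?P<src>\d{1,3}(?:\.\d{1,3}){3}) '
    r'to (?P<dst>\d{1,3}(?:\.\d{1,3}){3}), protocol (?P<proto>\d+) '
    r'received from interface "(?P<iface>[^"]+)" '
    r'deny by access-group "(?P<acl>[^"]+)"'
)


def parse_deny(line):
    """Return the fields of a 106019 deny record, or None for any other line."""
    m = DENY_RE.search(line)
    if not m:
        return None
    proto = int(m.group("proto"))
    return {
        "src": m.group("src"),
        "dst": m.group("dst"),
        "proto": proto,
        "proto_name": PROTO_NAMES.get(proto, "ip-proto-%d" % proto),
        "iface": m.group("iface"),
        "acl": m.group("acl"),
    }


def denies_for_host(lines, host):
    """All deny records whose source is the inside host being investigated."""
    return [r for r in map(parse_deny, lines) if r and r["src"] == host]


def summarize(lines):
    """Count denied flows by (src, dst, protocol name, access-group)."""
    counts = Counter()
    for r in map(parse_deny, lines):
        if r:
            counts[(r["src"], r["dst"], r["proto_name"], r["acl"])] += 1
    return counts


if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    for r in denies_for_host(lines, "172.16.0.39"):
        print("%(src)s -> %(dst)s %(proto_name)s denied by %(acl)s on %(iface)s" % r)
    for key, n in summarize(lines).most_common():
        print(n, key)
```

To run it against a real archive, replace SAMPLE_LOG.splitlines() with the lines of the syslog file the PIX's logging host wrote.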
Q: would I allow our Exchange server to receive external mail if the server is located on the inside network and a PIX firewall is in place?
A: translation will need to be created to assign the Exchange server a global IP address. Once the translation has been created, use ACLs to limit the type of traffic able to reach the server; that is, SMTP. For example, the Exchange server's internal IP address is 172.16.0.16, and the globally assigned IP address will be 207.139.221.40:
pixfirewall(config)#static (inside,outside) 207.139.221.40 172.16.0.16 netmask 255.255.255.255
pixfirewall(config)#access-list acl_mailin permit tcp any host 207.139.221.40 eq smtp
pixfirewall(config)#access-group acl_mailin in interface outside
Chapter 10
Axent Technologies Raptor Firewall 6.5
Solutions in this chapter:
■ Configuring Axent Raptor Firewall
■ Applying the Firewall to Your Security Model
■ Avoiding Known Security Issues
Axent's Raptor Firewall is a full-featured security package that will allow you to protect your network from outside threats. One of the nicest things about this package is that it is available on many platforms including Windows NT, Sun Solaris, HP-UX, and soon Windows 2000.
The Raptor Firewall package is easy to install and configure. It includes many security measures like content filtering, Out Of Band Authentication (OOBA), Windows NT Domain Authentication, and Axent Defender, which can be used with SecureID or CRYPTOCard.
This chapter will give you an overview of the firewall's capabilities and discuss some common applications used; then it will discuss some of the security issues associated with it and help you diagnose common problems.
Configuring Axent Raptor Firewall 6.5
Before you get into the installation and configuration of Raptor, you need to make sure that you have met the software requirements. The current minimum requirements for Raptor 6.5 to run on Windows NT are listed in Table 10.1.
Table 10.1 Raptor 6.5 Minimum System Requirements for Windows NT
RAM: with a 300MB paging file. If the site will have more than 200 users: 128MB RAM with a 500MB paging file. Note that these are the minimum requirements, and more memory is recommended for more efficient operation.
Hard disk: at least 200MB free for Raptor installation files. If the site will have more than 200 users: 4GB HD.
Installing Raptor Firewall 6.5
To begin the installation process, go to the Axent software directory; we will be concerning ourselves with the International folder for the time being. Go to International | Gateway | NT and you will see a Windows NT Command Script (Setup.cmd). Double-click on the command script to begin the installation process. If you have downloaded the firewall package from Axent's Web site, the executable zip file will extract to the root of your drive. For more information on the discussed paths, please refer to Table 10.2.
Notes on Installation
There are a few important items to note regarding a Raptor 6.5 install.
■ If you are installing Raptor 6.5 on Windows NT4 Server, it must be a Member Server. The current software package does not support an install to a Domain Controller.
■ If you have Service Pack 6a installed on your Windows NT 4 machine, there is a known issue that could curtail functionality. It involves TCP sessions held in an infinite wait state even after a termination has been requested. Microsoft has released a patch to correct this issue, and a work-around is included with the Raptor 6.5 installation kit. You can find more information on this problem at http://support.microsoft.com/support/kb/articles/q254/9/30.asp.
■ Raptor Firewall 6.5 currently does not support software redundant array of disks (RAID) or Disk Mirroring. Installation will have to take place on a system that does not have this implemented.
■ You can install the firewall package with only one NIC, but dual NICs on separate subnets are recommended for installation.
If you find that your current setup does not meet all of these minimum requirements, those issues will need to be corrected before you begin with the software installation.
Table 10.2 Default Directory Structure of the Axent Installation Software
1. After you have launched the Setup.cmd file, you will see a screen similar to the one found in Figure 10.1. Click Next to advance into the software setup.
2. Click Yes for the software license agreement to continue. Read the agreement thoroughly and make sure that you understand what you are agreeing to.
3. The next screen is the setup for the Raptor License Key and Product Serial Number. As stated in Figure 10.2, if you leave this field blank you will have a 30-day evaluation period for the Raptor firewall software.
4. After you have entered your serial number, you are ready to select the package you would like to install. For the purposes of this chapter, we will be concerned with the Raptor Firewall selection as seen in Figure 10.3. Make sure that the management console box
Figure 10.1 Raptor Firewall initial setup screen
5. Once you have selected the software package, you must select the desired installation location, as shown in Figure 10.4.
6. After you have selected your destination directory, the Raptor Firewall 6.5 package will be installed. Once the installation has finished, you will need to select which of your installed NIC(s) should be set up for the external network and which NIC(s) should
Figure 10.2 License Key setup dialog box
Figure 10.3 Product selection dialog box
Figure 10.4 Installation directory dialog box
7. After your NICs have been set up on the network, you will need to configure a local administration password for the Raptor Management Console (RMC), as shown in Figure 10.6.
8. After you have completed this step, the software installation will go through some final stages before you need to restart your computer. Upon restart you will be ready to configure the Raptor Firewall.
9. Once you have restarted your system, you can verify proper installation in two ways. You can double-click on the Raptor Firewall Setup, and verify the proper location for your NICs. Alternatively, you may check your network settings. On the desktop, right-click on Network Neighborhood and then select Properties. Once the Properties screen is opened, go to the Adapters tab (see Figure
Figure 10.5 Network selection for NICs
Figure 10.6 Set the local administration password for the Raptor Firewall
Configuring Raptor Firewall 6.5
Once the Raptor Firewall has been installed, you are ready to configure the rest of the settings to allow you to secure your network. You will access and modify the configuration options from the Raptor Management Console. During the installation, a shortcut was placed on the desktop for the RMC.
1. Locate the RMC shortcut on your desktop, and double-click it to launch the RMC application. When you open your first session, you will not have any connections to Raptor Firewalls configured. Expand AXENT Technologies, and you will find an icon for the Raptor Management Console. Your first screen should look like Figure 10.8.
2. You will need to click on the New Connection button to bring up the connection dialog box for the firewall. Once you have done that, you should see a dialog box like the one in Figure 10.9. If you are managing a local firewall (located on this system), you will need to make sure that you enter localhost in the Name field of the dialog box. You will also be required to provide the password that you used during the setup phase of the firewall.
Figure 10.7 Checking Network Properties for installation verification
3. After you have successfully logged into the Raptor Firewall, your screen should look like Figure 10.10. First of all, notice the "nt4_srv(Connected)" icon to the left side of the screen. This shows you that you have successfully logged into the Raptor Firewall. To the right, you will see several icons for QuickStart and SMTP Wizard, wizards to help you set up some initial configuration parameters. The last icon, Disconnect from nt4_srv, will allow you to close a session while still keeping the RMC open.
QuickStart Configuration Wizard
After you have logged in, it is recommended, but not required, that you go through the wizards to help you set up your firewall. The QuickStart Wizard will help you configure Web and File Transfer Protocol (FTP) access, as well as assist you with setting up e-mail services.
Figure 10.8 Getting connected to the Raptor Firewall for the first time
Figure 10.9 Creating a connection for a local firewall
1. After you click on the QuickStart button, your first screen should look like Figure 10.11. Click Next to continue to the first configuration screen.
2. The next screen (see Figure 10.12) will allow you to select which services you would like to configure. You may or may not need to configure either of these options, depending on your setup.
3. The next screen will ask for the server's Internet Protocol (IP) or Domain Name System (DNS) address for e-mail redirection (see Figure 10.13).
Figure 10.10 The initial configuration wizards available upon login
Figure 10.11 Welcome screen for the QuickStart Configuration Wizard
4. Next, select whether to allow internal users to send e-mail to external locations (see Figure 10.14). As the wizard states, if this is not selected, any rules that allow mail to be sent to all systems will
5. After you have configured these settings, the wizard will configure the proper rules for the firewall, and will restart the affected firewall services (see Figure 10.15). You have now completed this wizard, and you may go on to the next one if desired.
Figure 10.14 Select whether or not internal users will be able to send e-mail outside the internal network
Figure 10.15 The QuickStart Wizard completes the desired settings
3. The next screen will allow you to set up anti-spam features for the firewall; you can add or modify current Realtime Blackhole List (RBL) servers, which allows you to block mail from specific sites that are known to be spam sites. Upon receipt of a message from an included spam site, the message will not be relayed beyond the firewall. See Figure 10.17.
4. The next screen, shown in Figure 10.18, will allow you to set up anti-relay settings for your e-mail rules. This works hand in hand with the anti-spam settings that you just set, but you may also add specific domains at this time if you wish.
Figure 10.16 SMTP Configuration Wizard
5. The next screen allows you to set your system to check a Dial-up User List (DUL). Utilizing a DUL is another way of keeping spam from riddling your network. You may select from one of the included sites or add your own, as shown in Figure 10.19. For more information on spam prevention, RBL, or DUL, check www.mail-abuse.org.
Figure 10.17 Set up RBL servers to be included in your e-mail rules
Figure 10.18 Set up anti-relay settings for e-mail
6. You have now completed the SMTP Configuration Wizard (Figure 10.20). Save and reconfigure now, as some of the settings will not take effect until you do.
Figure 10.19 Set up DUL services with provided servers or add your own
Figure 10.20 Save your changes and reconfigure the Raptor Firewall
DNS Configuration
Raptor Firewall includes the capability to proxy DNS information for your internal network for IP to hostname translation.
1. To verify that you are using DNS Proxy, go to Access Controls and then go to Proxy Services. On the right-hand side of the screen you will see what proxy services are available. To check on the status of the DNS Proxy Daemon (DNSD), right-click on it and select Properties, as shown in Figure 10.21.
False Protection Against Spoofing and SYN Attacks
Note that in the anti-relay screen of the SMTP Configuration Wizard (see Figure 10.18) there is a checkbox for No Source Routed Address allowed. This box will cause the firewall to drop any of these packets that it receives. Source route addressing is where an incoming packet has a source address that is on the local subnet.
Although this is a good security practice to have, it does not protect you from SYN flooding or IP spoofing. To protect yourself from these threats, you should incorporate ingress filters on your routers. Cisco has a considerable amount of information on these topics on their Web site, as do other network solution providers such as 3Com, Sun, and Nortel Networks.
Figure 10.21 Select DNSD and go to properties for current settings
2. The Status tab in the Properties menu will allow you to turn DNSD on or off (see Figure 10.22).
3. The Start of Authority (SOA) tab allows you to set the DNS timers such as refresh, retry, and expiration, as well as the Time-to-Live (TTL).
4. The Miscellaneous tab, shown in Figure 10.23, will allow you to specify a location for a Hosts file of your choice or use the default (which is the Windows NT 4 Host file). This tab will also allow you to log any DNS requests or deny outside RFC1597 addresses. RFC1597 is the allocation of address spaces for internal network use. These ranges include 10.0.0.0–10.255.255.255, 172.16.0.0–172.31.255.255, and 192.168.0.0–192.168.255.255. (Note that RFC 1597 was superseded by RFC 1918 in February of 1996, even though Raptor still shows 1597 in their dialog windows.)
WARNING
Do not configure a DNS server on the same server as the Raptor Firewall if you are using DNSD. This combination is not supported and will cause problems within the Raptor Firewall.
Figure 10.22 Use this screen to select whether or not you will use DNSD
Creating DNS Host Entries
To create DNS entries for servers or other devices, perform the following steps.
1. Go to DNS Records and right-click in the right-hand section of the screen. Select New and then Host, as shown in Figure 10.24.
Figure 10.23 Set the location of the Hosts file
Figure 10.24 Select Host from the New menu to create a new DNS Host entry
2. Next, select what type of entry this is to be. If you select Private, only users on the internal network will have access to this entry and it will be added to the Hosts file. If you select Public, this entry will be added to the Hosts.pub file and it will be accessible to everyone. See Figure 10.25.
Network Interface Configuration
There are several options that you can configure on your installed NICs, including filters, IP addresses, and card names.
1. To access the configuration options, select Network Interfaces under Base Components (Figure 10.26).
2. Right-click on the desired NIC and go to Properties (we are beginning with the internal network NIC). Under Properties, you will see several tabs (Figure 10.27). The first tab is for general information. The NIC was given a name by Raptor, so you may want to change it if it will help you remember it better. You may also enter a Description or change the IP address.
3. Under the Options tab (shown in Figure 10.28), you will be able to select whether this NIC is part of the internal network or external network. You may also allow Multicast Traffic, which is traffic destined to a group of nodes. Two things to be sure you are aware
Figure 10.25 Select the desired options for the new Host entry
Chapter 5 for more information on SYN flooding. Port Scan Detection will allow the firewall to detect if someone is scanning this interface for open ports. Since we are configuring an internal network NIC, we will not enable Port Scan Detection or SYN Flood Protection. This, of course, is up to you and how you will set up your network.
Figure 10.26 Locate the Network Interfaces section of the Raptor configuration
Figure 10.27 General options menu of a selected NIC
4. The Filters tab, shown in Figure 10.29, will allow you to set any filters you have created as input or output filters on this interface. Note that Raptor Firewall ships with a sample Denial of Service (DoS) filter.
Figure 10.28 Select options for your NIC
Figure 10.29 Select any filters that are to be applied to this interface
5. Under the Spoof Protected Networks tab (see Figure 10.30), you select any network entities that should be spoof protected. Universe* is the default network entity and is not protected by default. If you have specific areas that should be protected, you should create a network entity for that area and enable protection here. Network entities will be covered later in this chapter.
6. The In Use By tab lists the services and rules that are utilizing the selected NIC (see Figure 10.31).
External NIC Configuration
In this section, we will be configuring the external NIC that will interface with networks outside of your own.
1. Select your NIC that is being used by the external network. Right-click on it and select Properties. Once you are in the Properties screen, there are several changes you can make that are different from the default setup.
2. Under the Options tab (see Figure 10.32), you could also set up SYN Flood Protection and Port Scan Detection. You should make sure that the This Address Is A Member Of The Internal Network
Figure 10.30 Select any network entities that should be spoof protected
Figure 10.31 This tab details the services and rules that are using this NIC.
Figure 10.32 Interface options for setting up your external network NIC