Page 1: Cisco PIX Firewall
John Joo, APAC Channels Technical Operations
Page 2: PIX Technical Development Program Agenda
• Product Review
• Six Primary Commands
• VLAN Support
• Syslog Configuration
• Access Control Lists
• Java and Active X filtering
• URL Filtering
• Fixup Protocols
Page 3: PIX Technical Development Program Agenda
Page 4: PIX Firewall—Review
Stateful firewall with high security and fast performance
• Secure, real-time, embedded operating system—no UNIX or NT security holes
• Adaptive security algorithm provides stateful
Page 5: PIX Firewall Family Lineup
(Diagram: the product family positioned from SMB to Gigabit Ethernet Enterprise along a functionality axis; only the axis labels survived extraction.)
Page 6: PIX Firewall Product Line Overview
(Table flattened in extraction; the column headings were not recovered. Each row keeps its values in the original column order.)
- (row label not recovered): 1 | 300 | 32 | 2 10BaseT | No | 20 | 16
- SMB: $7,495 | Unlimited | 2,000 | 1 | 433 | 64 | 6 | Yes | 188 | 63
- Enterprise: $13,995 | Unlimited | 2,000 | 2 | 600 | 256 | 8 | Yes | 360 | 70
- Ent.+, SP: $37,995 | Unlimited | 2,000 | 3 | 1 GHz | 1 GB | 10 | Yes | 1.7 Gbps | 95
- SOHO: $595 or $845 | 10, 50 or Unlimited | 10 | < 1 | 133 | 16 | 1 10BT + 4 FE | No | 10 | 3
GigE Enabled
501
Page 7: NEW Multi-Gigabit Firewall Module
Multi-Gigabit Firewall Acceleration Module for Securing Enterprise Campus, Data Center & SP Networks
Applications
• Enterprise Campus/WAN Perimeter Security
• Data Center Security
• Service Provider Edge Security Services
High performance
- 3 Mpps (5 Gbps) packet processing performance
- 100,000 connections per second, 1 million sessions/sec for HTTP & DNS
- VLANs, DMZ, dynamic routing, failover capabilities
- Multiple blades per chassis supported
Page 8: The Six Primary Commands (Review)
Page 9: PIX Firewall Primary Commands
There are six primary configuration commands for the PIX Firewall: nameif, interface, ip address, nat, global and route.
Page 10: Command 1: nameif
pixfirewall(config)# nameif hardware_id if_name security_level
• The nameif command assigns a name to each interface on the PIX Firewall and specifies its security level.
pixfirewall(config)# nameif ethernet2 dmz sec50
Page 11: Command 2: interface
pixfirewall(config)# interface hardware_id hardware_speed
• The interface command configures the type and capability of each perimeter interface.
pixfirewall(config)# interface ethernet0 auto
pixfirewall(config)# interface ethernet1 10
pixfirewall(config)# interface ethernet2 100
Page 13: Command 4: nat
pixfirewall(config)# nat [(if_name)] nat_id local_ip [netmask]
• The nat command shields IP addresses on the inside network from the outside network.
pixfirewall(config)# nat (inside) 1 0.0.0.0 0.0.0.0
Page 14: Command 5: global
pixfirewall(config)# global [(if_name)] nat_id {global_ip[-global_ip] [netmask global_mask]} | interface
• Works with the nat command to assign a registered or public IP address to an internal host when accessing the outside network through the firewall
pixfirewall(config)# nat (inside) 1 0.0.0.0 0.0.0.0
pixfirewall(config)# global (outside) 1 192.168.0.20-192.168.0.254
• When internal hosts access the outside network through the firewall, they are assigned public addresses from the 192.168.0.20–192.168.0.254 range
Page 15: Three Interfaces with NAT
(Diagram labels: Inside host, and web and FTP server; Backbone, web, FTP, and TFTP server; Pod perimeter router; PIX Firewall; 192.168.0.0/24 (.1, .3); 10.0.0.0/24; e0 outside, security level 0; e2 dmz, security level 50; Bastion host, and web and FTP server.)
pixfirewall(config)# global (outside) 1 192.168.0.20-192.168.0.254 netmask 255.255.255.0
pixfirewall(config)# global (dmz) 1 172.16.0.20-172.16.0.254 netmask 255.255.255.0
• Inside users can start outbound connections to both the DMZ and the Internet.
• The nat (dmz) command gives DMZ services access to the Internet.
• The global (dmz) command gives inside users access to the web server on the DMZ.
Page 16: Command 6: route
pixfirewall(config)# route if_name ip_address netmask gateway_ip [metric]
• The route command defines a static or default route for an interface.
pixfirewall(config)# route outside 0.0.0.0 0.0.0.0 192.168.0.1 1
Page 17: New 6.3 feature: VLAN support (802.1Q tagging)
Page 18: PIX VLAN Support
Supports IEEE 802.1Q encapsulation for trunking and tagging.
Supported on all PIX adapters except the Intel 82557 adapter, since it does not understand frame sizes greater than 1500 bytes.
Page 19: Number of VLANs supported (VLAN feature with restricted license)
(Table: Interfaces vs. Maximum Interfaces (physical + logical); the values did not survive extraction.)
Page 20: Number of VLANs supported (VLAN feature with unrestricted license)
(Table: Interfaces vs. Maximum Interfaces (physical + logical); the values did not survive extraction.)
Page 21: Logical interface
Logical interfaces have been added to support the VLAN feature.
Multiple logical IP interfaces per physical interface.
Layer 3 attributes such as IP addressing and security levels can be configured.
Layer 2 attributes such as MTU and failover will be available only on the physical interface.
Page 22: Creating a logical interface
Create a logical interface for a VLAN, or add the VLAN to a physical interface:
interface ethernet0 vlan10 [physical | logical]
physical: permanent interface (physical interface 0). Can send and receive both tagged and untagged VLAN traffic.
logical: associated with interface 0 and assigns VLAN ID 10 to it. Can send and receive only tagged traffic.
An IP address can be assigned to each VLAN interface, and it will have its own security level.
Different security zones can be defined with VLAN interfaces.
Page 23: VLAN Configuration Example
interface ethernet0 vlan100 physical
interface ethernet0 vlan200 logical
interface ethernet1 vlan300 logical
nameif vlan200 dmz2 security20
ip address dmz2 192.168.1.10 255.255.255.0
nameif vlan300 dmz3 security30
ip address dmz3 192.168.2.10 255.255.255.0
Page 24: Syslog Messages
Page 26: Configure Message Output to the PIX Firewall Buffer
• Step 1—Send Syslog messages to an internal buffer.
pixfirewall(config)# logging buffered level
• Step 2—View messages in the internal buffer.
pixfirewall(config)# show logging
• Step 3—Clear the internal buffer.
pixfirewall(config)# clear logging
• Enable or disable specific Syslog message type logging.
pixfirewall(config)# [no] logging message syslog_id
pixfirewall(config)# logging standby
Page 27: Configure Message Output to a Syslog Server
• Step 1—Designate the Syslog host server.
pixfirewall(config)# logging host [in_if_name] ip_address [protocol/port]
• Step 2—Set the logging level.
pixfirewall(config)# logging trap level
• Step 3—Set the facility marked on all messages.
pixfirewall(config)# logging facility facility
• Step 4—Start and stop sending timestamp messages.
pixfirewall(config)# [no] logging timestamp
• Step 5—Start or stop sending messages to the Syslog server.
pixfirewall(config)# [no] logging on
Page 28: Modifiable syslog levels (6.3)
Gives the user the ability to modify the level at which a particular syslog message is issued.
Page 29: Modifiable syslog levels (6.3)
[no] logging message <syslog_id> level <level>
pix(config)# logging message 111008 level emergencies
pix(config)# clear logging level
(Restores all of the currently changed syslogs to their default levels.)
pix# show logging level
Logging message 111008 level emergencies
pix# show logging message 111008
syslog 111008 enabled
syslog 111008 is at level emergencies
Page 30: Syslog by ACL (6.3)
COMMAND
access-list <acl_id> permit|deny <protocol> <src_ip> [<src_port>] <dst_ip> [<dst_port>] [log [disable|default] | [<level>] [interval <secs>]]
access-list outside-acl permit ip host 1.1.1.1 any log 7 interval 600
access-list outside-acl deny ip any any log 2
level: an optional syslog level (0 - 7) may be specified; the default level is 6 (informational).
[interval <secs>]: the time interval in seconds (1 - 600) at which to generate an ACL logging message; the default is 300 seconds.
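The per-entry log level and interval above, together with the logging trap level from page 27, as an added Python model (not Cisco code). The flow-cache behaviour it implements (first hit reported immediately, later hits of the same flow only counted, a summary when the interval expires, a cap on cached deny flows matching the deny-flow-max value shown in show access-list) is an assumption made for this example, and the message text is illustrative rather than the exact PIX 106100 format. The sample packets in the usage are constructed.

```python
"""Added example, not Cisco code: a model of the 6.3 per-ACE 'log [level]
[interval secs]' option from the slide combined with the 'logging trap level'
filter.  The flow-cache behaviour (report the first hit at once, only count
further hits of the same flow, summarise when the interval expires, cap cached
deny flows at deny-flow-max) is an assumption written for this example, and the
message text is illustrative rather than the exact PIX 106100 format."""
from dataclasses import dataclass
from typing import Dict, List, Tuple

# PIX syslog severity names; a lower number is more severe.
SYSLOG_LEVELS = {"emergencies": 0, "alerts": 1, "critical": 2, "errors": 3,
                 "warnings": 4, "notifications": 5, "informational": 6, "debugging": 7}


@dataclass
class LogAce:
    acl: str
    action: str          # permit | deny
    src: str             # "any" or one host address (matching simplified for the example)
    dst: str
    level: int = 6       # default syslog level 6 (informational), as on the slide
    interval: int = 300  # default 300 seconds, as on the slide

    def matches(self, src: str, dst: str) -> bool:
        return self.src in ("any", src) and self.dst in ("any", dst)


@dataclass
class FlowState:
    first_seen: float
    hits: int = 1


class AclLogger:
    def __init__(self, aces: List[LogAce], trap_level: int = 6, deny_flow_max: int = 256):
        self.aces = aces
        self.trap_level = trap_level        # 'logging trap <level>': forward severity <= level
        self.deny_flow_max = deny_flow_max  # cap on cached deny flows ('deny-flow-max 256')
        self.flows: Dict[Tuple[int, str, str], FlowState] = {}  # key: (ace index, src, dst)
        self.sent: List[Tuple[int, str]] = []        # (level, text) reaching the syslog server
        self.suppressed: List[Tuple[int, str]] = []  # generated but above the trap threshold

    def _emit(self, level: int, text: str) -> None:
        (self.sent if level <= self.trap_level else self.suppressed).append((level, text))

    def _cached_deny_flows(self) -> int:
        return sum(1 for idx, _, _ in self.flows if self.aces[idx].action == "deny")

    def packet(self, src: str, dst: str, now: float) -> str:
        """Evaluate one packet against the ACL; returns the action ('deny' if nothing matches)."""
        for idx, ace in enumerate(self.aces):
            if not ace.matches(src, dst):
                continue
            key = (idx, src, dst)
            if key in self.flows:
                self.flows[key].hits += 1  # same flow inside the interval: counted, not logged
            elif ace.action == "deny" and self._cached_deny_flows() >= self.deny_flow_max:
                pass  # cache full: the flow is not tracked (the firewall reports this separately)
            else:
                self.flows[key] = FlowState(now)
                self._emit(ace.level, f"access-list {ace.acl} {ace.action} {src} -> {dst} hit-cnt 1 (first hit)")
            return ace.action
        return "deny"  # implicit deny at the end of the ACL

    def expire(self, now: float) -> None:
        """Close flows whose interval has elapsed, reporting the hits accumulated meanwhile."""
        due = [k for k, s in self.flows.items() if now - s.first_seen >= self.aces[k[0]].interval]
        for idx, src, dst in due:
            state, ace = self.flows.pop((idx, src, dst)), self.aces[idx]
            if state.hits > 1:
                self._emit(ace.level, f"access-list {ace.acl} {ace.action} {src} -> {dst} "
                                      f"hit-cnt {state.hits} ({ace.interval}-second interval)")


def slide_acl() -> AclLogger:
    """The two outside-acl entries from the slide, with 'logging trap informational'."""
    return AclLogger([
        LogAce("outside-acl", "permit", "1.1.1.1", "any", level=7, interval=600),
        LogAce("outside-acl", "deny", "any", "any", level=2),
    ], trap_level=SYSLOG_LEVELS["informational"])


if __name__ == "__main__":
    log = slide_acl()                      # constructed sample traffic follows
    log.packet("1.1.1.1", "10.0.0.1", 0)   # permit at level 7: above trap level, stays local
    for t in (0, 1, 2):
        log.packet("5.5.5.5", "10.0.0.1", t)  # deny at level 2: first hit sent, rest counted
    log.expire(300)                        # interval over: one summary with hit-cnt 3
    print(*log.sent, sep="\n")
```

The point of the model is the interaction between the two settings: the permit entry logs at level 7, so with logging trap set to informational (6) its messages never leave the firewall, while the deny entry at level 2 does, and repeated hits from the same source are rolled into one summary per interval rather than one message per packet.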
Page 31: ... any Syslog server.
Page 32: Access Control Lists
Page 33: Access Control List
• An ACL enables you to determine what traffic will be allowed or denied through the PIX Firewall.
• ACLs are applied per interface (traffic is analyzed inbound relative to an interface).
• The access-list and access-group commands are used to create an ACL.
• The access-list and access-group commands are an alternative to the conduit and outbound commands.
Page 34: ASA Security Level Example
(Diagram labels: Internet; PIX Firewall; Outside network, e0.)
Page 35: ACL Usage Guidelines
• Higher to lower security level
– Use an ACL to restrict outbound traffic.
– The ACL source address is the actual (un-translated) address of the host or network.
• Lower to higher security level
– Use an ACL to allow inbound traffic.
– The destination host must have a statically mapped address.
– The ACL destination address is the “global ip” assigned in the static command.
Page 36: access-list Command
pixfirewall(config)# access-list acl_name [deny | permit] protocol {src_addr | local_addr} {src_mask | local_mask} operator port {destination_addr | remote_addr} {destination_mask | remote_mask} operator port
• Enables you to create an ACL
• ACLs associated with IPSec are known as “crypto” ACLs
• ACL “dmz1” denies access from the 192.168.1.0 network to TCP ports less than 1025 on host 192.168.0.1
pixfirewall(config)# access-list dmz1 deny tcp 192.168.1.0 255.255.255.0 host 192.168.0.1 lt 1025
Page 37: access-group Command
pixfirewall(config)# access-group acl_name in interface interface_name
• Binds an ACL to an interface
• The ACL is applied to traffic inbound to an interface
• ACL “dmz1” is bound to interface “dmz”
pixfirewall(config)# access-group dmz1 in interface dmz
Page 38: Converting Conduits to Access Lists
Page 39: ACLs Versus Conduits
A conduit creates an exception to the PIX Firewall Adaptive Security Algorithm by permitting connections from one interface to access hosts on another.
An ACL applies to a single interface, affecting all traffic entering that interface regardless of its security level.
It is recommended to use ACLs to maintain future compatibility.
Do not mix ACLs and conduits in the same PIX.
Page 40: The Problem: ACLs Collide with Conduits
pixfirewall(config)# access-group 102 in interface dmz
Due to the ACL bound to the DMZ interface,
• Users on the DMZ are unable to access the internal FTP server.
• Users on the DMZ are unable to access the Internet.
• Users on the DMZ are only able to access the internal mail server.
Page 41: The Solution: Convert Conduits to ACLs
pixfirewall(config)# conduit permit | deny protocol global_ip global_mask [operator port [port]] foreign_ip foreign_mask [operator port [port]]
Page 42: Making ACLs Work for You
pixfirewall(config)# access-group 102 in interface dmz
• Users on the DMZ are able to access the Internet, the internal FTP server, and the internal mail server.
Page 43: Configuring Access Control
Page 44: Deny Web Access to the Internet
pixfirewall(config)# write terminal
nameif ethernet0 outside sec0
nameif ethernet1 inside sec100
access-list acl_out deny tcp any any eq www
access-list acl_out permit ip any any
access-group acl_out in interface inside
nat (inside) 1 10.0.0.0 255.255.255.0
global (outside) 1 192.168.0.20-192.168.0.254 netmask 255.255.255.0
• Denies web traffic on port 80 from the inside network to the Internet
• Permits all other IP traffic from the inside network to the Internet
Page 45: Permit Web Access to the DMZ
(Diagram labels: Web server; .1; .2; 172.16.0.0/24; 10.0.0.0/24.)
ip address outside 192.168.0.2 255.255.255.0
ip address inside 10.0.0.1 255.255.255.0
ip address dmz 172.16.0.1 255.255.255.0
static (dmz,outside) 192.168.0.11 172.16.0.2
access-list acl_in_dmz permit tcp any host 192.168.0.11 eq www
access-list acl_in_dmz deny ip any any
access-group acl_in_dmz in interface outside
• The ACL acl_in_dmz permits web traffic on port 80 from the Internet to the DMZ web server.
• The ACL acl_in_dmz denies all other IP traffic from the Internet.
Page 46: Turbo ACL (new in 6.2)
New commands
• access-list compiled
• Global command that turns on the Turbo ACL feature for all access lists and turbo-compiles every ACL with 19 or more entries (compilation is automatic once an ACL has 19 or more entries)
• access-list <acl_name> compiled
• Turns on the Turbo ACL feature for the individual access list
[no] debug access-list all | standard | turbo
• PDM only supports all on or all off
Page 47: Object Grouping: groups may contain other groups (up to 10 levels)
Introduction of sub modes (config-proto), (config-icmp-type), (config-service) and (config-network)
Page 48: Object Grouping
Grouping of network objects and services to simplify access rule configuration and management
Access list TEST configuration:
• access-list TEST permit tcp 12.0.0.0 255.0.0.0 host 11.0.0.1
• access-list TEST permit icmp 12.0.0.0 255.0.0.0 host 11.0.0.1
• access-list TEST permit tcp 12.0.0.0 255.0.0.0 host 11.0.0.2
• access-list TEST permit icmp 12.0.0.0 255.0.0.0 host 11.0.0.2
• access-list TEST permit tcp host 14.0.0.1 host 11.0.0.1
• access-list TEST permit icmp host 14.0.0.1 host 11.0.0.1
• access-list TEST permit tcp host 14.0.0.1 host 11.0.0.2
• access-list TEST permit icmp host 14.0.0.1 host 11.0.0.2
• access-list TEST permit tcp host 14.0.0.2 host 11.0.0.1
• access-list TEST permit icmp host 14.0.0.2 host 11.0.0.1
• access-list TEST permit tcp host 14.0.0.2 host 11.0.0.2
• access-list TEST permit icmp host 14.0.0.2 host 11.0.0.2
Page 49: Object Grouping (continued)
• access-list TEST permit object-group p1 object-group s1 object-group d1
This single statement generates the previous access list entries.
Hierarchical grouping is also supported, i.e. an object group can itself contain groups (up to 10 levels of nesting).
Page 50: icmp Command
pixfirewall(config)# icmp permit | deny [host] src_addr [src_mask]
• Enables or disables pinging to an interface
• All ping requests are denied at the outside interface, and all unreachable messages are permitted at the outside interface
• Allow ICMP unreachables so that ICMP Path MTU Discovery still operates
Page 51: Securing Remote Configuration with SSH
(Diagram labels: SSH client; 10.0.0.0/24; 192.168.0.0/24.)
• Specifies the host or network authorized to initiate an SSH connection to the PIX Firewall.
• An RSA key pair is generated for the PIX Firewall using the default key modulus size of 768.
• Host 172.26.26.50 is authorized to initiate an SSH connection to the PIX Firewall.
Page 52: Comments in ACLs and PIX ACL Line Numbers (6.3)
Page 53: Comments in ACLs
• Remarks can be added to any IP standard or extended ACL
• Each remark line is limited to 100 characters
• The remark can go in any part of the ACL lines
Page 54: Commands for Comments in ACLs
For IP numbered ACLs, use the access-list access-list-number remark remark global configuration command to include a comment about an access list:
access-list 1 remark Permit only Jones workstation through
access-list 1 permit 171.69.2.88
For an entry in a named IP ACL:
access-list named remark Do not allow Jones subnet to telnet out
deny tcp host 171.69.2.88 any eq telnet
Page 55: PIX ACL Line Numbers
Before 6.3: if a user wants to enter an element in the middle of an access list, all the elements after that ACE need to be removed and re-applied.
After 6.3: a line number can be used to insert or delete elements at any position in an access list.
Page 56: PIX ACL Line Numbers
All the access list elements (ACEs) resulting from a single object-group access-list statement have a single line number.
These numbers are maintained internally in increasing order starting from 1 (1, 2, 3, ...).
A user can enter a new entry between two consecutive ACEs by choosing to insert at the line number of the ACE with the higher line number.
Line numbers are not stored in the configuration, and the output of 'write t' is unchanged.
Page 57: PIX ACL Line Numbers
[no] access-list id [line line-num] remark text
show access-list
access-list cached ACL log flows: total 0, denied 0 (deny-flow-max 256)
alert-interval 300
access-list 101; 2 elements
access-list 101 line 1 permit ip any any (hitcnt=0)
access-list 101 line 2 permit icmp any any (hitcnt=0)
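The object-group expansion on page 49 and the line-number rules on pages 55 to 57, together, as an added Python example (not Cisco code): it expands one statement with three object-groups into the twelve ACEs the slide lists, gives every ACE of a statement the same line number, inserts a new entry at a chosen line so the entries from that line onward move down, and renders output in the style of show access-list. The group contents in SLIDE_GROUPS are an assumption reconstructed from the expanded list; the slide does not show the object-group commands themselves, and the hit counters are modelled as 0.

```python
"""Added example, not Cisco code: a model of PIX access-list handling that
shows how one object-group ACE expands into individual access-list elements
(ACEs) and how 6.3 line numbers are kept and used for inserts.  The
object-group contents in SLIDE_GROUPS are an assumption reconstructed from
the twelve expanded entries on the slide; the slide does not show them."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Assumed object-group definitions, in the member syntax PIX uses.
SLIDE_GROUPS: Dict[str, List[str]] = {
    "p1": ["tcp", "icmp"],                                            # protocol group
    "s1": ["12.0.0.0 255.0.0.0", "host 14.0.0.1", "host 14.0.0.2"],  # source networks
    "d1": ["host 11.0.0.1", "host 11.0.0.2"],                         # destination hosts
}


@dataclass
class Ace:
    action: str        # permit | deny
    protocol: str      # ip | tcp | udp | icmp
    src: str           # "any", "host A.B.C.D" or "A.B.C.D M.M.M.M"
    dst: str
    port_op: str = ""  # optional destination port test, e.g. "eq www" or "lt 1025"
    line: int = 0      # line number assigned by the containing AccessList

    def text(self) -> str:
        return " ".join(p for p in (self.action, self.protocol, self.src, self.dst, self.port_op) if p)


def flatten_group(name: str, groups: Dict[str, List[str]], depth: int = 0) -> List[str]:
    """Resolve 'group-object X' members recursively; PIX allows up to 10 levels."""
    if depth > 10:
        raise ValueError("object-group nesting deeper than 10 levels")
    members: List[str] = []
    for m in groups[name]:
        if m.startswith("group-object "):
            members.extend(flatten_group(m.split()[1], groups, depth + 1))
        else:
            members.append(m)
    return members


def _field(t: List[str], i: int, groups: Dict[str, List[str]], is_addr: bool) -> Tuple[List[str], int]:
    """One protocol or address field: a literal, 'host X', 'net mask' or an object-group reference."""
    if t[i] == "object-group":
        return flatten_group(t[i + 1], groups), i + 2
    if not is_addr or t[i] == "any":
        return [t[i]], i + 1
    return [f"{t[i]} {t[i + 1]}"], i + 2  # "host A.B.C.D" or "A.B.C.D M.M.M.M"


def parse_ace(statement: str, groups: Dict[str, List[str]]) -> List[Ace]:
    """Parse 'access-list NAME permit|deny ...' into one or more ACEs; the nesting order
    (source, then destination, protocol innermost) reproduces the slide's expanded list."""
    t = statement.split()
    if len(t) < 6 or t[0] != "access-list":
        raise ValueError(f"not an access-list statement: {statement}")
    action = t[2]
    protos, i = _field(t, 3, groups, is_addr=False)
    srcs, i = _field(t, i, groups, is_addr=True)
    dsts, i = _field(t, i, groups, is_addr=True)
    port_op = f"{t[i]} {t[i + 1]}" if i < len(t) and t[i] in ("eq", "lt", "gt", "neq") else ""
    return [Ace(action, p, s, d, port_op) for s in srcs for d in dsts for p in protos]


class AccessList:
    """An ACL whose entries carry line numbers; all ACEs of one statement share a line number."""

    def __init__(self, name: str, groups: Optional[Dict[str, List[str]]] = None):
        self.name = name
        self.groups = groups or {}
        self._slots: List[List[Ace]] = []  # one slot per statement, i.e. per line number

    def _renumber(self) -> None:
        for n, slot in enumerate(self._slots, start=1):
            for ace in slot:
                ace.line = n

    def add(self, statement: str, line: Optional[int] = None) -> None:
        """Append, or with line=N insert at N so the entries from N onward move down by one."""
        aces = parse_ace(statement, self.groups)
        self._slots.insert(len(self._slots) if line is None else line - 1, aces)
        self._renumber()

    def aces(self) -> List[Ace]:
        return [a for slot in self._slots for a in slot]

    def show(self) -> List[str]:
        """Output in the style of 'show access-list'; hit counters are modelled as 0."""
        head = [f"access-list {self.name}; {len(self.aces())} elements"]
        return head + [f"access-list {self.name} line {a.line} {a.text()} (hitcnt=0)" for a in self.aces()]


def expand_slide_example() -> List[str]:
    """The single object-group statement from the slide, expanded to ACE text."""
    acl = AccessList("TEST", SLIDE_GROUPS)
    acl.add("access-list TEST permit object-group p1 object-group s1 object-group d1")
    return [a.text() for a in acl.aces()]
```

Running expand_slide_example() yields the twelve entries of page 48 in the order the slide lists them, all carrying line number 1; adding a second statement to the same ACL, or inserting one with line=1, renumbers every ACE in one pass, which is the behaviour the page 56 notes describe.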