8/6/2019 PiX Firewalls
1/26
PIX Firewall
- An example of a stateful packet filter.
- Can also operate on higher-layer protocols (FTP, RealAudio, etc.).
- Runs on its own OS.
http://sce.uhcl.edu/yang/teaching/.../piX Firewalls.ppt
Outline
- The Adaptive Security Algorithm (ASA)
- Basic Features of PIX
- Advanced Features
- Case studies
Adaptive Security Algorithm
An algorithm that defines how PIX examines traffic passing through it, and applies various rules to it.
Basic concept:
- Keep track of the connections being formed from the networks behind the PIX to the public network.
- Based on the information about these connections, ASA allows packets to come back into the private network through the firewall.
- All other traffic destined for the private network is blocked by the firewall (unless specifically allowed).
ASA
ASA defines how the state and other information is used to track the sessions passing through the PIX.
ASA keeps track of the following information:
- Source and destination information of IP packets
- TCP sequence numbers and TCP flags
- UDP packet flow and timers
ASA and TCP
TCP is connection-oriented, and provides most of the information the firewall needs.
The firewall keeps track of each session being formed, utilized, and terminated. ASA only allows the packets conforming to the state of a session to go through. All other packets are dropped.
However, TCP has inherent weaknesses, which require ASA to perform additional work managing the sessions: SYN flood, session hijacking.
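The session tracking described on the last three slides, as an added toy model (not code from the slides or from Cisco). The packet layout, the inside network, the UDP idle timeout and the sequence window are this example's own constructed choices. The filter records sessions opened from the inside, checks that the server's SYN+ACK acknowledges the client's ISN, drops packets of an established session whose sequence number is far from the expected one, and expires UDP flows on an idle timer, which is what "only packets conforming to the state of a session go through" means in practice.

```python
"""ASA-style session tracking for TCP and UDP (added toy model, not PIX code)."""
from dataclasses import dataclass, field

UDP_IDLE_TIMEOUT = 120   # seconds; constructed value, not a PIX default
SEQ_WINDOW = 65535       # tolerated sequence drift in bytes; constructed value


@dataclass
class Session:
    proto: str
    state: str                                    # TCP: SYN_SENT / ESTABLISHED; UDP: ACTIVE
    last_seen: float
    next_seq: dict = field(default_factory=dict)  # direction -> next expected sequence number


class StatefulFilter:
    """Admits only packets that conform to the recorded state of a session."""

    def __init__(self):
        self.sessions = {}   # (proto, inside_ip, inside_port, outside_ip, outside_port) -> Session

    @staticmethod
    def _key(p):
        # Both directions of one flow map to the same key.
        if p["dir"] == "out":
            return (p["proto"], p["src"], p["sport"], p["dst"], p["dport"])
        return (p["proto"], p["dst"], p["dport"], p["src"], p["sport"])

    def handle(self, p, now):
        key = self._key(p)
        sess = self.sessions.get(key)
        if p["proto"] == "udp":
            return self._udp(key, sess, p, now)
        return self._tcp(key, sess, p, now)

    def _udp(self, key, sess, p, now):
        if sess and now - sess.last_seen > UDP_IDLE_TIMEOUT:
            del self.sessions[key]              # idle timer expired: forget the flow
            sess = None
        if p["dir"] == "out":
            self.sessions[key] = Session("udp", "ACTIVE", now)
            return "PASS"
        if sess is None:
            return "DROP"                       # unsolicited inbound UDP
        sess.last_seen = now
        return "PASS"

    def _tcp(self, key, sess, p, now):
        flags, seq, ack = p["flags"], p["seq"], p["ack"]
        if p["dir"] == "out" and flags == {"SYN"}:
            # New outbound connection: the next client packet must carry ISN + 1.
            self.sessions[key] = Session("tcp", "SYN_SENT", now, {"out": seq + 1})
            return "PASS"
        if sess is None:
            return "DROP"                       # inbound SYN, stray ACK, ...: no session
        sess.last_seen = now
        if sess.state == "SYN_SENT":
            # Only the server's SYN+ACK acknowledging exactly ISN + 1 is acceptable here.
            if p["dir"] == "in" and flags == {"SYN", "ACK"} and ack == sess.next_seq["out"]:
                sess.state = "ESTABLISHED"
                sess.next_seq["in"] = seq + 1
                return "PASS"
            return "DROP"
        # ESTABLISHED: the sequence number must stay near what this direction last sent.
        if abs(seq - sess.next_seq[p["dir"]]) > SEQ_WINDOW:
            return "DROP"
        sess.next_seq[p["dir"]] = seq + p["len"]
        if flags & {"FIN", "RST"}:
            del self.sessions[key]              # session terminated
        return "PASS"


def pkt(direction, proto, src, sport, dst, dport, flags=(), seq=0, ack=0, length=0):
    return {"dir": direction, "proto": proto, "src": src, "sport": sport, "dst": dst,
            "dport": dport, "flags": set(flags), "seq": seq, "ack": ack, "len": length}


def demo():
    """Constructed trace: one legitimate web session, two non-conforming packets, one UDP flow."""
    fw = StatefulFilter()
    c, s = "10.0.0.5", "203.0.113.10"
    trace = [
        pkt("out", "tcp", c, 40000, s, 80, ["SYN"], seq=1000),
        pkt("in", "tcp", s, 80, c, 40000, ["SYN", "ACK"], seq=5000, ack=1001),
        pkt("out", "tcp", c, 40000, s, 80, ["ACK"], seq=1001, ack=5001),
        pkt("in", "tcp", s, 80, c, 40000, ["ACK"], seq=5001, ack=1001, length=100),
        pkt("in", "tcp", s, 80, c, 40000, ["ACK"], seq=900000, ack=1001),  # far outside the window
        pkt("in", "tcp", s, 80, c, 40001, ["SYN"], seq=1),                 # unsolicited inbound SYN
        pkt("out", "udp", c, 5353, s, 53),
        pkt("in", "udp", s, 53, c, 5353),
    ]
    verdicts = [fw.handle(p, now=i) for i, p in enumerate(trace)]
    # A UDP reply arriving after the idle timeout finds no flow and is dropped.
    late_reply = fw.handle(pkt("in", "udp", s, 53, c, 5353), now=len(trace) + UDP_IDLE_TIMEOUT)
    return verdicts, late_reply
```

The trace shows the two failure modes the slides name: the packet with a wildly wrong sequence number and the inbound SYN that no inside host asked for are both dropped, while the handshake and the solicited UDP reply pass.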
ASA and TCP
SYN flooding
The SYN flood attack sends TCP connection requests faster than a machine can process them.
(Internet Security Systems, http://www.iss.net/security_center/advice/Exploits/TCP/SYN_flood/default.htm)
SYN flood (as defined in Wikipedia, http://en.wikipedia.org/wiki/SYN_flood)
Illustration: next
Syn Flood
A: the initiator; B: the destination
TCP connection is multi-step:
- A: SYN to initiate
- B: SYN+ACK to respond
- C: ACK gets agreement
Sequence numbers are then incremented for future messages:
- Ensures message order
- Retransmit if lost
- Verifies the party really initiated the connection
Syn Flood
Implementation: A, the attacker; B, the victim
B:
- Receives SYN
- Allocates a connection
- Acknowledges
- Waits for a response
See the problem?
- What if there is no response, and many SYNs?
- All space for connections is allocated
- None left for legitimate ones
- Time?
ASA vs Syn Flood
(Beginning in version 5.2 and later) When the number of incomplete connections through the PIX reaches a pre-configured limit (the limit on embryonic connections), ASA turns the PIX into a proxy for connection attempts (SYNs) to servers or other resources sitting behind it.
PIX responds to SYN requests with SYN ACKs and continues proxying the connection until the three-way TCP handshake is complete.
Only when the three-way handshake is complete would the PIX allow the connection through to the server or resource on the private or DMZ network.
Benefit: Limits the exposure of the servers behind the PIX to SYN floods.
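The embryonic-connection limit and SYN proxying described above, as an added toy model (not code from the slides or from Cisco). The single protected server, the per-server limit and the simplified handshake keyed on (client ip, port) are this example's own assumptions. Below the limit, SYNs are forwarded and the server holds the half-open state; at or above it, the firewall answers SYN+ACK itself and only forwards the connection after the client's ACK completes the handshake, so the server's half-open table never grows past the limit however large the flood.

```python
"""Embryonic-connection limit with SYN proxying (added toy model, not PIX code)."""


class SynProxyFirewall:
    def __init__(self, embryonic_limit):
        self.limit = embryonic_limit
        self.server_half_open = set()   # half-open connections the server is holding
        self.proxied = set()            # half-open connections the firewall is holding instead
        self.established = set()

    @property
    def embryonic_count(self):
        return len(self.server_half_open) + len(self.proxied)

    def on_syn(self, client):
        """Return the action taken for an inbound SYN from `client`."""
        if client in self.established:
            return "ignored"
        if self.embryonic_count < self.limit:
            self.server_half_open.add(client)
            return "forwarded-to-server"        # server allocates the half-open state
        self.proxied.add(client)
        return "proxied-synack"                 # firewall replies SYN+ACK; server never sees the SYN

    def on_ack(self, client):
        """Third handshake step from `client`; returns what happened."""
        if client in self.proxied:
            self.proxied.discard(client)
            self.established.add(client)
            return "handshake-completed-with-firewall-then-forwarded"
        if client in self.server_half_open:
            self.server_half_open.discard(client)
            self.established.add(client)
            return "handshake-completed-with-server"
        return "dropped"                        # ACK without a matching half-open state

    def timeout_proxied(self):
        """Expire firewall-held half-open entries; none of these ever cost the server memory."""
        expired = len(self.proxied)
        self.proxied.clear()
        return expired


def demo(limit=3, flood_size=50):
    """Constructed scenario: a flood of unanswered SYNs, then one legitimate client."""
    fw = SynProxyFirewall(limit)
    actions = [fw.on_syn(("198.51.100.7", 40000 + i)) for i in range(flood_size)]
    forwarded = actions.count("forwarded-to-server")
    proxied = actions.count("proxied-synack")
    server_load = len(fw.server_half_open)      # bounded by the limit, whatever the flood size
    legit = ("192.0.2.9", 51000)                # a real client still gets through during the flood
    fw.on_syn(legit)
    legit_result = fw.on_ack(legit)
    fw.timeout_proxied()
    return forwarded, proxied, server_load, legit_result, fw.embryonic_count
```

With the limit at 3 and a flood of 50, only the first three SYNs reach the server; the other 47 are answered by the firewall and discarded on timeout, and the legitimate client completes its handshake through the proxy.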
ASA and TCP
Problem with the ISN: The initial sequence number (ISN) of TCP is not really random!
- Possible TCP session hijacking attack
- Case study: Kevin Mitnick's attack on Tsutomu Shimomura's computers in 1994-1995
Six steps (pp. 421-422):
1. An initial reconnaissance attack: gather information about the victim
2. A SYN flood attack: disable the login server; a DoS attack
3. A reconnaissance attack: determine how one of the x-terms generated its TCP sequence numbers
4. Spoof the server's identity, and establish a session with the x-term (using the sequence number the x-term must have sent); result: a one-way connection to the x-term
5. Modify the x-term's .rhosts file to trust every host
6. Gain root access to the x-term
PIX: Basic Features
- ASA's stateful inspection of traffic
- Assigning varying security levels to interfaces
- ACL
- Extensive logging
- Basic routing capability (including RIP)
- NAT
- Failover and redundancy
- Traffic authentication
PIX: Basic Features - ASA's stateful inspection of traffic
PIX uses a basic set of rules to control traffic flow:
- No packets can traverse the PIX without a translation, connection, and state.
- Outbound connections are allowed, except those specifically denied by the ACLs.
- Inbound connections are denied, except for those specifically allowed.
- All ICMP packets are denied unless specifically permitted.
- All attempts to circumvent the rules are dropped, and a message is sent to syslog.
To tighten or relax some of these default rules: next few slides
PIX: Basic Features - Assigning varying security levels to interfaces
PIX allows varying security levels to be assigned to its various interfaces, creating the so-called security zones.
A PIX may have 2 to 10 interfaces.
Each interface can be assigned a level from 0 (least secure, usually the Internet) to 100 (most secure, usually the internal private network).
Default rules:
- Traffic from a higher security zone can enter a lower security zone. PIX keeps track of the connections for this traffic and allows the return traffic through.
- Traffic from a lower security zone is not allowed to enter a higher security zone, unless explicitly permitted (such as by using ACLs).
PIX: Basic Features - ACL
Mainly used to allow traffic from a less-secure portion of the network to enter a more-secure portion of the network.
Information used in ACLs:
- Source address
- Destination address
- Protocol numbers
- Port numbers
Examples:
- To allow connections to be made to web or mail servers sitting on the DMZ of the PIX from the public network
- To allow a machine on a DMZ network to access the private network behind the DMZ
Use of ACLs must be governed by the network security policy. (Only use them when necessary.)
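The security-level default rules of the previous slide and the ACL override of this one, combined in one added toy model (not code from the slides or from Cisco). The three interface names and levels (outside 0, dmz 50, inside 100), the single inbound ACL bound to `outside`, the address ranges and the 5-tuple connection table are this example's own assumptions. Traffic from a higher-level interface to a lower one is permitted and recorded so its reply can return; traffic from lower to higher is denied unless an ACL entry permits it, with the implicit deny at the end of every ACL.

```python
"""Interface security levels with ACL overrides (added toy model, not PIX code)."""
import ipaddress


class PixPolicy:
    def __init__(self, levels):
        self.levels = levels   # interface name -> security level (0 least secure, 100 most)
        self.acls = {}         # inbound interface -> [(action, proto, src_net, dst_net, dport)]
        self.conns = set()     # tracked connections as (proto, src, sport, dst, dport)

    def add_ace(self, iface, action, proto, src, dst, dport=None):
        """Append one access-control entry to the ACL applied inbound on `iface`."""
        self.acls.setdefault(iface, []).append(
            (action, proto, ipaddress.ip_network(src), ipaddress.ip_network(dst), dport))

    def _acl_permits(self, iface, proto, src, dst, dport):
        for action, p, s_net, d_net, d_port in self.acls.get(iface, []):
            if (p in (proto, "ip") and ipaddress.ip_address(src) in s_net
                    and ipaddress.ip_address(dst) in d_net and d_port in (None, dport)):
                return action == "permit"   # first matching entry decides
        return False                        # implicit deny at the end of every ACL

    def check(self, in_if, out_if, proto, src, sport, dst, dport):
        """Return 'PASS' or 'DROP' for a packet entering in_if and leaving via out_if."""
        fwd = (proto, src, sport, dst, dport)
        rev = (proto, dst, dport, src, sport)
        if rev in self.conns:
            return "PASS"                   # return traffic of a tracked connection
        if self.levels[in_if] > self.levels[out_if]:
            self.conns.add(fwd)             # higher -> lower: allowed and tracked
            return "PASS"
        if self._acl_permits(in_if, proto, src, dst, dport):
            self.conns.add(fwd)             # lower -> higher: only with an explicit permit
            return "PASS"
        return "DROP"


def demo():
    """Constructed traffic against the three-interface layout of the slides' case study."""
    pol = PixPolicy({"outside": 0, "dmz": 50, "inside": 100})
    # The slide's first ACL example: let the public network reach the DMZ web server.
    pol.add_ace("outside", "permit", "tcp", "0.0.0.0/0", "172.16.1.10/32", 80)
    inside_host, dmz_web, internet = "10.0.0.5", "172.16.1.10", "198.51.100.7"
    return [
        pol.check("inside", "outside", "tcp", inside_host, 40000, internet, 443),  # PASS: high -> low
        pol.check("outside", "inside", "tcp", internet, 443, inside_host, 40000),  # PASS: tracked reply
        pol.check("outside", "dmz", "tcp", internet, 50000, dmz_web, 80),          # PASS: ACL permit
        pol.check("outside", "dmz", "tcp", internet, 50001, dmz_web, 22),          # DROP: implicit deny
        pol.check("dmz", "inside", "tcp", dmz_web, 50002, inside_host, 445),       # DROP: low -> high, no ACL
        pol.check("outside", "inside", "tcp", internet, 50003, inside_host, 22),   # DROP
    ]
```

The fourth and fifth checks are the ones worth noting: the web ACL permits only port 80, so SSH to the same DMZ host is dropped, and the DMZ host cannot open connections into the inside network at all until an ACL on `dmz` says otherwise.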
PIX: Basic Features - Extensive logging
System logs are sent to and recorded in a central location (for example, the syslog server).
PIX records the following types of syslog messages: connection events, AAA events, failover events, FTP/URL events, Mail Guard/SNMP events, PIX Firewall management events, routing errors.
8 syslog logging levels: 0 (emergency), 1 (alert), 2 (critical condition), ..., 7 (debug message, log FTP command, etc.)
A subset of the syslog messages may be displayed on the PIX console or a Telnet session screen.
3rd-party software (e.g., Private Eye) may be used to generate extensive reporting from the syslog messages.
Information in the syslog may be used by PIX to help intrusion detection.
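The logging-level filter and the "syslog helps intrusion detection" point above, as an added example (not code from the slides, from Cisco, or from any reporting product). The sample lines are constructed for this example: they follow the `%PIX-<severity>-<message-id>: <text>` layout, but the hosts, ports, ACL name and the particular events are invented. The parser extracts the severity, a level threshold keeps messages at or below the configured level, and a small report counts ACL denies per source and flags sources that were denied on several distinct ports.

```python
"""Parse PIX-style syslog lines, apply a logging level, summarise denies (added example)."""
import re
from collections import Counter

SYSLOG_RE = re.compile(r"^%PIX-(?P<sev>[0-7])-(?P<msgid>\d{6}): (?P<text>.*)$")
DENY_RE = re.compile(r"Deny (?P<proto>\w+) src (?P<src_if>\w+):(?P<src>[\d.]+)/(?P<sport>\d+) "
                     r"dst (?P<dst_if>\w+):(?P<dst>[\d.]+)/(?P<dport>\d+)")

LEVEL_NAMES = ["emergency", "alert", "critical", "error", "warning",
               "notification", "informational", "debugging"]

# Constructed sample log; the hosts, ports and ACL name are invented for this example.
SAMPLE_LOG = """\
%PIX-6-302013: Built outbound TCP connection 1100 for outside:198.51.100.7/443 to inside:10.0.0.5/40000
%PIX-4-106023: Deny tcp src outside:192.0.2.44/51001 dst inside:10.0.0.5/22 by access-group "outside_in"
%PIX-4-106023: Deny tcp src outside:192.0.2.44/51002 dst inside:10.0.0.5/23 by access-group "outside_in"
%PIX-4-106023: Deny tcp src outside:192.0.2.44/51003 dst inside:10.0.0.5/3389 by access-group "outside_in"
%PIX-4-106023: Deny udp src outside:203.0.113.9/5000 dst dmz:172.16.1.10/161 by access-group "outside_in"
%PIX-1-105003: (Primary) Monitoring on interface outside waiting
%PIX-7-710005: UDP request discarded from 10.0.0.99/137 to inside:10.0.0.1/137
this line is not a syslog message
"""


def parse(line):
    """Return a dict for a well-formed PIX syslog line, or None for anything else."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    sev = int(m.group("sev"))
    return {"severity": sev, "level": LEVEL_NAMES[sev],
            "msgid": m.group("msgid"), "text": m.group("text")}


def filter_by_level(lines, logging_level):
    """Keep messages at or below the configured level (0 is the most severe)."""
    parsed = (parse(ln) for ln in lines)
    return [p for p in parsed if p and p["severity"] <= logging_level]


def deny_summary(lines, threshold=3):
    """Count ACL denies per source and flag sources denied on `threshold` or more distinct ports."""
    per_src = Counter()
    ports = {}
    for p in filter_by_level(lines, 7):
        d = DENY_RE.search(p["text"])
        if d:
            per_src[d.group("src")] += 1
            ports.setdefault(d.group("src"), set()).add(int(d.group("dport")))
    flagged = sorted(src for src, n in per_src.items()
                     if n >= threshold and len(ports[src]) >= threshold)
    return dict(per_src), flagged


def demo():
    lines = SAMPLE_LOG.splitlines()
    kept_at_warning = [p["msgid"] for p in filter_by_level(lines, 4)]
    counts, flagged = deny_summary(lines)
    return kept_at_warning, counts, flagged
```

At logging level 4 the informational connection build and the debug-level discard are filtered out while the failover message at level 1 is kept; the deny report singles out the one source that was refused on three different ports, which is the kind of signal the slide has in mind when it says syslog helps intrusion detection.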
PIX: Basic Features - Basic routing capability
PIX supports some basic routing, including:
- the use of default routes,
- static routes, and
- Routing Information Protocol (RIP).
However, routing functionality in PIX is limited.
PIX: Basic Features - NAT
PIX can perform NAT for packets traversing any two of its interfaces.
By default, NAT must be set up for a connection state to be created.
Examples:
- The most common use of NAT is to sit between the private network behind the PIX (using an RFC 1918 address space) and the Internet, translating and keeping track of the addresses.
- NAT may also be used between two interfaces on the PIX, neither of which is on the public network.
Dynamic NAT vs static NAT: next
PIX: Basic Features - NAT
Static NAT: A type of NAT in which a private IP address is mapped to a public IP address, where the public address is always the same IP address (i.e., it has a static address). This allows an internal host, such as a web server, to have an unregistered (private) IP address and still be reachable over the Internet.
Dynamic NAT: A type of NAT in which a private IP address is mapped to a public IP address drawn from a pool of registered (public) IP addresses. Typically, the NAT router in a network will keep a table of registered IP addresses, and when a private IP address requests access to the Internet, the router chooses an IP address from the table that is not at the time being used by another private IP address.
Configuring NAT in PIX: http://www.cisco.com/warp/public/556/9.html
- With dynamic NAT, translations do not exist in the NAT table until the router receives traffic that requires translation. Dynamic translations have a timeout period after which they are purged from the translation table.
- With static NAT, translations exist in the NAT translation table as soon as you configure the static NAT command(s), and they remain in the translation table until you delete the static NAT command(s).
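The static versus dynamic translation behaviour described above, as an added toy model (not code from the slides or from Cisco). It assumes address-only translation (no port translation), a two-address public pool, and a constructed idle timeout of three hours for dynamic entries; none of those values come from the slides. The demo shows the practical difference: the static entry answers inbound lookups before any traffic has been seen and survives the purge, while dynamic entries appear only on outbound traffic, exhaust the pool, and are released back to it on timeout.

```python
"""Static vs dynamic NAT translation tables (added toy model, not PIX code)."""

DYNAMIC_IDLE_TIMEOUT = 3 * 3600   # seconds; constructed value, not a PIX default


class NatTable:
    def __init__(self, pool):
        self.static = {}          # private -> public; present as soon as configured
        self.dynamic = {}         # private -> (public, last_used); created on demand
        self.pool = list(pool)    # public addresses not currently held by a dynamic entry

    def add_static(self, private, public):
        """Like a static NAT command: the mapping exists immediately and permanently."""
        self.static[private] = public

    def remove_static(self, private):
        """Like deleting the static NAT command: only then does the mapping go away."""
        self.static.pop(private, None)

    def translate_outbound(self, private, now):
        """Public address for an outbound packet, creating a dynamic entry if needed."""
        if private in self.static:
            return self.static[private]
        entry = self.dynamic.get(private)
        if entry:
            self.dynamic[private] = (entry[0], now)   # refresh the idle timer
            return entry[0]
        if not self.pool:
            return None            # pool exhausted: no translation, so no connection state
        public = self.pool.pop(0)
        self.dynamic[private] = (public, now)
        return public

    def lookup_inbound(self, public):
        """Private host behind a public destination address, or None if no translation exists."""
        for private, pub in self.static.items():
            if pub == public:
                return private
        for private, (pub, _) in self.dynamic.items():
            if pub == public:
                return private
        return None

    def purge_idle(self, now):
        """Dynamic entries expire after the idle timeout; static ones never do."""
        expired = [p for p, (_, last) in self.dynamic.items() if now - last > DYNAMIC_IDLE_TIMEOUT]
        for private in expired:
            public, _ = self.dynamic.pop(private)
            self.pool.append(public)
        return expired


def demo():
    """Constructed scenario: one static web server, two dynamic clients, a pool of two addresses."""
    nat = NatTable(pool=["203.0.113.20", "203.0.113.21"])
    nat.add_static("10.0.0.80", "203.0.113.10")       # web server: always reachable from outside
    web_in = nat.lookup_inbound("203.0.113.10")        # works before any outbound traffic
    before = nat.lookup_inbound("203.0.113.20")        # no dynamic entry yet
    a = nat.translate_outbound("10.0.0.5", 0)
    b = nat.translate_outbound("10.0.0.6", 0)
    c = nat.translate_outbound("10.0.0.7", 0)          # pool exhausted
    after = nat.lookup_inbound("203.0.113.20")         # dynamic entry now answers inbound
    nat.translate_outbound("10.0.0.6", 2 * 3600)       # .6 stays active, .5 goes idle
    expired = nat.purge_idle(DYNAMIC_IDLE_TIMEOUT + 1)
    c_retry = nat.translate_outbound("10.0.0.7", DYNAMIC_IDLE_TIMEOUT + 2)   # gets the freed address
    return web_in, before, a, b, c, after, expired, c_retry, nat.lookup_inbound("203.0.113.10")
```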
PIX: Basic Features - Failover and redundancy
The failover capability allows a standby PIX to take over the functionality of the primary PIX as soon as it fails.
Stateful failover: The connection information stored on the failing PIX is transferred to the PIX taking over.
The standby PIX assumes the IP and MAC addresses of the failed PIX.
Terminology related to failover:
- Active unit vs Standby unit
- Primary unit vs Secondary unit
  Question: what are the relationships between active/standby and primary/secondary?
- System IP vs Failover IP
  System IP: the address of the primary unit upon bootup
  Failover IP: that of the secondary unit
[Figure: two units, Primary and Secondary, labelled Active and Standby]
PIX: Basic Features - Failover and redundancy
How does failover work?
- A failover cable (RS-232 serial) connects the primary unit and the secondary unit, allowing the secondary unit to detect the primary unit's power status, and carrying the failover communication between them.
- (In the case of stateful failover) The state information is transferred via an Ethernet cable connecting the primary unit and the secondary unit.
- Every 15 seconds, special failover hello packets are sent between the two units for synchronization.
Requirements: The hardware, software, and configurations on the two PIXes must be identical.
PIX: Basic Features - Failover and redundancy
Limitations of Cisco PIX failover?
Some information is not replicated between the two units:
- User authentication table
- ISAKMP and IPsec SA table
- ARP table
- Routing information
The secondary unit must rebuild this information to perform the functions of the failed unit.
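The failover mechanics of the last three slides (hello timing, takeover, and which tables survive), as an added toy model (not code from the slides or from Cisco). The 15-second hello interval is the slide's figure; the rule that the standby declares the active unit failed after three missed hellos is this example's own constructed threshold, as are the unit names, the table contents and the way the system IP is represented. With stateful failover only the connection table is copied; the authentication, IPsec SA, ARP and routing tables are not, so the new active unit starts with them empty, which is exactly the limitation the slide describes.

```python
"""Failover pair: hello timing, takeover, replicated vs rebuilt tables (added toy model)."""

HELLO_INTERVAL = 15          # seconds, from the slide
MISSED_HELLOS_TO_FAIL = 3    # constructed threshold for this example

REPLICATED = {"connections"}                              # copied by stateful failover
NOT_REPLICATED = {"auth_users", "ipsec_sa", "arp", "routes"}   # must be rebuilt after takeover


class PixUnit:
    def __init__(self, name, role, stateful):
        self.name, self.role, self.stateful = name, role, stateful
        self.tables = {t: {} for t in REPLICATED | NOT_REPLICATED}
        self.last_hello = 0

    def sync_from(self, peer):
        """Stateful failover copies only the connection table over the state link."""
        if self.stateful:
            self.tables["connections"] = dict(peer.tables["connections"])


class FailoverPair:
    def __init__(self, stateful=True):
        self.primary = PixUnit("primary", "active", stateful)
        self.secondary = PixUnit("secondary", "standby", stateful)
        self.addresses = {"system_ip": "primary", "failover_ip": "secondary"}

    def active(self):
        return self.primary if self.primary.role == "active" else self.secondary

    def standby(self):
        return self.secondary if self.primary.role == "active" else self.primary

    def tick(self, now, primary_alive=True):
        """One hello period at time `now`; returns the primary's role afterwards."""
        if primary_alive:
            self.primary.last_hello = now
            self.standby().sync_from(self.active())
        missed = (now - self.primary.last_hello) // HELLO_INTERVAL
        if self.primary.role == "active" and missed >= MISSED_HELLOS_TO_FAIL:
            # Takeover: the standby becomes active and assumes the system IP (and MAC).
            self.primary.role, self.secondary.role = "failed", "active"
            self.addresses["system_ip"] = "secondary"
        return self.primary.role


def demo(stateful=True):
    """Constructed run: four healthy hello periods, then the primary goes silent."""
    pair = FailoverPair(stateful)
    pair.primary.tables["connections"] = {("10.0.0.5", 40000, "203.0.113.7", 443): "ESTABLISHED"}
    pair.primary.tables["auth_users"] = {"alice": "authenticated"}
    pair.primary.tables["arp"] = {"203.0.113.1": "00:00:5e:00:53:01"}
    t = 0
    for _ in range(4):
        t += HELLO_INTERVAL
        pair.tick(t, primary_alive=True)
    roles = []
    for _ in range(3):
        t += HELLO_INTERVAL
        roles.append(pair.tick(t, primary_alive=False))
    new_active = pair.active()
    return (roles, new_active.name, pair.addresses["system_ip"],
            len(new_active.tables["connections"]),
            len(new_active.tables["auth_users"]), len(new_active.tables["arp"]))
```

Running `demo()` with stateful failover shows the secondary taking over on the third missed hello with the connection still in its table but no authenticated users and no ARP entries; `demo(stateful=False)` loses the connection as well.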
PIX: Basic Features - Traffic authentication
Traffic authentication on PIX: cut-through proxy authentication
- Only when the authentication occurring during the establishment of a given connection succeeds would PIX allow the data flow to be established through it.
- A successfully authenticated connection is entered into the ASA as a valid state.
- As soon as an authenticated connection is established, PIX lets the rest of the packets belonging to that connection go through without further authentication.
- PIX supports both TACACS+ and RADIUS as the AAA servers.
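The cut-through proxy behaviour above, as an added toy model (not code from the slides or from Cisco). The AAA server is stood in for by a local user table checked with a constant-time comparison, credentials are assumed to arrive with the first packet of a connection, and connections are keyed on their 5-tuple; none of that is PIX's actual TACACS+/RADIUS exchange. The point it demonstrates is the one the slide makes: AAA is consulted once at connection establishment, the connection is then recorded as a valid state, and later packets on it pass without further authentication, while a different connection from the same host is not covered.

```python
"""Cut-through proxy authentication in miniature (added toy model, not PIX code)."""
import hmac

# Stand-in for the TACACS+/RADIUS server: username -> password (constructed sample data).
AAA_USERS = {"alice": "correct horse", "bob": "battery staple"}


def aaa_authenticate(username, password):
    """Simulated AAA check; compare_digest avoids leaking the password length via timing."""
    expected = AAA_USERS.get(username)
    return expected is not None and hmac.compare_digest(expected, password)


class CutThroughProxy:
    def __init__(self):
        self.authenticated = set()   # connections admitted into the state table
        self.aaa_calls = 0           # how often AAA was consulted (to show it is once per connection)

    def handle(self, conn, credentials=None):
        """conn is (proto, src, sport, dst, dport); credentials is (user, password) or None."""
        if conn in self.authenticated:
            return "PASS"            # later packets of an authenticated connection: no re-auth
        if credentials is None:
            return "DROP"            # not yet authenticated and nothing to authenticate with
        self.aaa_calls += 1
        if aaa_authenticate(*credentials):
            self.authenticated.add(conn)   # entered into the state table as valid
            return "PASS"
        return "DROP"


def demo():
    """Constructed sequence: failed and successful logins on one connection, then a second one."""
    fw = CutThroughProxy()
    telnet = ("tcp", "10.0.0.5", 40000, "172.16.1.20", 23)
    http = ("tcp", "10.0.0.5", 40001, "172.16.1.20", 80)
    results = [
        fw.handle(telnet),                              # DROP: no authentication yet
        fw.handle(telnet, ("alice", "wrong")),          # DROP: AAA rejects
        fw.handle(telnet, ("alice", "correct horse")),  # PASS: authenticated, state created
        fw.handle(telnet),                              # PASS: no further authentication
        fw.handle(telnet),                              # PASS
        fw.handle(http),                                # DROP: a different connection is not covered
    ]
    return results, fw.aaa_calls
```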
Advanced Features of PIX
- Aliasing
  - NAT on the destination addresses
  - DNS doctoring (modification) of a DNS server's address
- x Guards
  - flood guard, frag guard, mail guard, & DNS guard
- Advanced filtering
- Multimedia support
- Spoof detection (via URPF)
- Protocol fixup sysopt commands
- Multicast support
- Fragment handling
Case studies
- PIX with 3 interfaces, running a web server on the DMZ
- PIX setup for failover to a secondary device
- PIX setup to use the alias command for a server sitting on the DMZ (a case of NAT on the destination address)
- PIX setup for cut-through proxy authentication and authorization
- Scaling PIX configurations using object groups and turbo ACLs