Saturday, 1 October 2011

PIX Firewall


Firewall
A firewall is a device or set of devices designed to permit or deny network transmissions based upon a set of rules and is frequently used to protect networks from unauthorized access while permitting legitimate communications to pass.
Many personal computer operating systems include software-based firewalls to protect against threats from the public Internet. Many routers that pass data between networks contain firewall components and, conversely, many firewalls can perform basic routing functions.

Packet filtering: it filters each packet based only on information contained in the packet itself (most commonly a combination of the packet's source and destination address, its protocol, and, for TCP and UDP traffic, the port number). Packet filtering firewalls work mainly on the first three layers of the OSI reference model, which means most of the work is done between the network and physical layers, with a little bit of peeking into the transport layer to figure out source and destination port numbers. When a packet originates from the sender and filters through a firewall, the device checks for matches to any of the packet filtering rules that are configured in the firewall and drops or rejects the packet accordingly. When the packet passes through the firewall, it filters the packet on a protocol/port number basis (GSS). For example, if a rule in the firewall exists to block telnet access, then the firewall will block traffic to TCP port 23.
Application Layer: The key benefit of application layer filtering is that it can "understand" certain applications and protocols (such as File Transfer Protocol, DNS, or web browsing). An application firewall is much more secure and reliable compared to a packet filter firewall because it works on all seven layers of the OSI model, from the application layer down to the physical layer. This is similar to a packet filter firewall, but here we can also filter information on the basis of content. Good examples of application firewalls are the MS-ISA (Internet Security and Acceleration) server and McAfee Firewall Enterprise firewalls.
An application firewall can filter higher-layer protocols such as FTP, Telnet, DNS, DHCP, HTTP, TCP, UDP and TFTP (GSS).
Stateful Firewall: Third-generation firewalls, in addition to what first- and second-generation firewalls look for, consider the placement of each individual packet within the packet series. This technology is generally referred to as stateful packet inspection, as it maintains records of all connections passing through the firewall and is able to determine whether a packet is the start of a new connection, part of an existing connection, or an invalid packet. Though there is still a set of static rules in such a firewall, the state of a connection can itself be one of the criteria that trigger specific rules.
In computing, a stateful firewall (any firewall that performs stateful packet inspection (SPI) or stateful inspection) is a firewall that keeps track of the state of network connections (such as TCP streams, UDP communication) travelling across it. The firewall is programmed to distinguish legitimate packets for different types of connections. Only packets matching a known active connection will be allowed by the firewall; others will be rejected.
A drawback of pure packet filters is that they are stateless; they have no memory of previous packets, which makes them vulnerable to spoofing attacks. Such a firewall has no way of knowing if any given packet is part of an existing connection, is trying to establish a new connection, or is just a rogue packet. Modern firewalls are connection-aware (or state-aware), offering network administrators finer-grained control of network traffic.
The classic example of a network operation that may fail with a stateless firewall is the File Transfer Protocol (FTP). By design, such protocols need to be able to open connections to arbitrary high ports to function properly. Since a stateless firewall has no way of knowing that the packet destined to the protected network (to some host's destination port 4970, for example) is part of a legitimate FTP session, it will drop the packet. Stateful firewalls solve this problem by maintaining a table of open connections and intelligently associating new connection requests with existing legitimate connections. The stateful firewall depends on the three-way handshake of the TCP protocol when the protocol being used is TCP; when the protocol is UDP, the stateful firewall does not depend on anything related to TCP. When a client initiates a new connection, it sends a packet with the SYN bit set in the packet header. All packets with the SYN bit set are considered by the firewall as NEW connections. If the service which the client has requested is available on the server, the service will reply to the SYN packet with a packet in which both the SYN and the ACK bit are set. The client will then respond with a packet in which only the ACK bit is set, and the connection will enter the ESTABLISHED state. Such a firewall will pass all outgoing packets through but will only allow incoming packets if they are part of an ESTABLISHED connection, ensuring that hackers cannot start unsolicited connections with the protected machine.
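The connection-tracking behaviour just described, as an added illustration that is not part of the original post and is not PIX code: a tiny model of the state table that follows the SYN, SYN/ACK, ACK sequence for an outbound connection, then shows an unsolicited inbound SYN being dropped because no table entry exists for it. All addresses, ports and flag values are constructed for the example.

```python
SYN, ACK, FIN, RST = 0x02, 0x10, 0x01, 0x04   # TCP flag bits

class StatefulFilter:
    """Added model (not PIX code) of the connection table described above."""
    def __init__(self):
        self.table = {}   # (client ip, client port, server ip, server port) -> state

    @staticmethod
    def _key(pkt, from_inside):
        # Both directions of one flow map to the same table entry.
        if from_inside:
            return (pkt["src"], pkt["sport"], pkt["dst"], pkt["dport"])
        return (pkt["dst"], pkt["dport"], pkt["src"], pkt["sport"])

    def handle(self, pkt, from_inside):
        """Return 'pass' or 'drop' for one packet and update the table."""
        key, flags = self._key(pkt, from_inside), pkt["flags"]
        state = self.table.get(key)
        if from_inside:                        # outbound traffic always passes
            if flags & SYN and not flags & ACK:
                self.table[key] = "NEW"        # client starts a connection
            elif state == "SYN_RECEIVED" and flags & ACK:
                self.table[key] = "ESTABLISHED"
            if flags & (FIN | RST):
                self.table.pop(key, None)      # teardown frees the entry
            return "pass"
        if state is None:                      # inbound with no entry: unsolicited
            return "drop"
        if state == "NEW" and flags & SYN and flags & ACK:
            self.table[key] = "SYN_RECEIVED"   # server's SYN/ACK reply
            return "pass"
        if state == "ESTABLISHED":
            if flags & (FIN | RST):
                self.table.pop(key)
            return "pass"
        return "drop"                          # anything else out of sequence

def demo_handshake():
    """Constructed traffic: the handshake from the text, then an unsolicited inbound SYN."""
    fw = StatefulFilter()
    c = {"src": "10.1.1.13", "sport": 40001, "dst": "198.51.100.5", "dport": 80}
    s = {"src": "198.51.100.5", "sport": 80, "dst": "10.1.1.13", "dport": 40001}
    decisions = [
        fw.handle({**c, "flags": SYN}, True),          # 1. SYN out -> NEW
        fw.handle({**s, "flags": SYN | ACK}, False),   # 2. SYN/ACK in -> SYN_RECEIVED
        fw.handle({**c, "flags": ACK}, True),          # 3. ACK out -> ESTABLISHED
        fw.handle({**s, "flags": ACK}, False),         # server data, known connection
        fw.handle({"src": "203.0.113.9", "sport": 4444, "dst": "10.1.1.13",
                   "dport": 23, "flags": SYN}, False), # no entry: dropped
    ]
    return decisions, fw.table[(c["src"], c["sport"], c["dst"], c["dport"])]
```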

Cisco PIX firewall
Cisco PIX (Private Internet eXchange) is a popular IP firewall and network address translation (NAT) appliance. It was one of the first products in this market segment.
In 2005, Cisco introduced the newer Adaptive Security Appliance (ASA), which inherited many of the PIX's features, and in 2008 announced the PIX end-of-sale.
It is classified as a network layer firewall with stateful inspection, although technically the PIX would more precisely be called a Layer 4, or Transport Layer, firewall, as its access control is not restricted to Network Layer routing but is based on socket connections (a port and an IP address; port communications occur at Layer 4). By default it allows internal connections out (outbound traffic), and only allows inbound traffic that is a response to a valid request or is allowed by an Access Control List (ACL) or a conduit. The PIX can be configured to perform many functions including network address translation (NAT) and port address translation (PAT), as well as being a virtual private network (VPN) endpoint appliance.
The PIX was the first commercially available firewall product to introduce protocol specific filtering with the introduction of the "fixup" command. The PIX "fixup" capability allows the Firewall to apply additional security policies to connections identified as using specific protocols. Two protocols for which specific fixup behaviors were developed are DNS and SMTP. The DNS fixup originally implemented a very simple but effective security policy; it allowed just one DNS response from a DNS server on the Internet (known as the outside interface) for each DNS request from a client on the protected (known as inside) interface. "Fixup" has been superseded by "Inspect" on later versions of PIX OS.
The Cisco PIX was also one of the first commercially available security appliances to incorporate IPsec VPN gateway functionality.
The PIX can be managed by a command line interface (CLI) or a graphical user interface (GUI). The CLI is accessible from the serial console, telnet and SSH. GUI administration was introduced with version 4.1, and it has been through several incarnations: PIX Firewall Manager (PFM) for PIX OS versions 4.x and 5.x, which runs locally on a Windows NT client; PIX Device Manager (PDM) for PIX OS version 6.x, which runs over HTTPS and requires Java; and Adaptive Security Device Manager (ASDM) for PIX OS version 7 and greater, which can run locally on a client or in reduced-functionality mode over HTTPS.
PIX firewalls provide a wide range of security and networking services including:
  • Network Address Translation (NAT) or Port Address Translation (PAT)
  • content filtering (Java/ActiveX)
  • URL filtering
  • IPsec VPN
  • support for leading X.509 PKI solutions
  • DHCP client/server
  • PPPoE support
  • advanced security services for multimedia applications and protocols including Voice over IP (VoIP), H.323, SIP, Skinny and Microsoft NetMeeting
  • AAA (RADIUS/TACACS+) integration
PIX terminology: we generally refer to the user segment as the inside subnet. The interface connected to the Internet router is the outside subnet. As shown, we probably also have a DMZ (De-Militarized Zone) subnet, the subnet where we quarantine all servers that are accessible from the outside. We might also have a separate management subnet and a subnet tying to a redundant PIX for failover (if supported/licensed).
The PIX Command-Line Interface (CLI) is somewhat like the Cisco IOS interface, but different. Use a colon (":") for comments (which, as usual, are not retained). Newer PIX OS uses ACLs, replacing the former conduits.

Commands


enable password myEnableSecret encrypted
Set the enable password. The running configuration displays it in encrypted form, with the keyword "encrypted" at the end. Note that when entering the command you should leave off the "encrypted" keyword, or the PIX will assume that the string you are putting in is already the encrypted form of the actual password.
name 10.3.3.22 FMSWEBSERVER
Map address to name
nameif ethernet0 outside security0
Define the name and security level of ethernet0.
nameif ethernet4 pix_failover security40
We've connected ethernet4 to another failover-capable PIX. The name reflects this.
interface ethernet0 100full
Identify network interface speed and duplex. Activate the interface. 
interface ethernet5 100full shutdown
Note that this interface is shutdown.
ip address outside 1.1.1.1 255.255.255.0
Assign the IP address and subnet mask for the interface.
ip address inside 10.1.1.1 255.255.255.0

After the PIX has been addressed, we need to think about what it is to do with the addresses of other devices. Do we wish to use Network Address Translation (NAT)? NAT lets your network have any IP addressing scheme, and the firewall protects these addresses from visibility on the external network. If we have global Internet addressing and do not wish to re-address our computers, we can assign NAT ID 0 within the PIX to disable NAT. Let's assume for our sample configuration that we do wish to perform NAT. (Looking at the above diagram, we have to do NAT: network 10.0.0.0/8 is a private address range.)
We generally put a global command on each lower security interface we want our internal users to have access to, although statics can be preferable for internal-internal access (see below). The main decision (other than addressing design) is whether to use one or multiple NAT IDs. Using unique NAT IDs limits access to specific interfaces. Using one NAT ID is simpler and assumes the PIX will sort out which nat command (below) pairs up with which global command on which interface.
We put nat commands on the higher security interfaces, allowing users to start connections to lower security level interfaces with global commands on them. The NAT ID ties the inside addresses in the nat command to the pool of addresses in one or more global commands with the same NAT ID.
Port Address Translation is where all inside addresses appear as one outside address, with shifted ports. PAT has some restrictions, for example it cannot support H.323 or caching nameserver use, so you may want to use it to augment a range of global addresses rather than using it as your sole global address.
Let's see what that looks like:

global (outside) 1 1.1.1.51-1.1.1.100 netmask 255.255.255.0
Defines the routable addresses to be used for outbound connections. This pool defines 1.1.1.51 through 1.1.1.100 as being available on a first-come, first-served basis. As connections are torn down, the addresses become available again for use. These addresses are used before the PAT address specified below is used. The number "1" is the NAT ID for this pool.
global (outside) 1 1.1.1.50 netmask 255.255.255.0
Defines the port address translation (PAT) address to be used by outbound connections after all one-to-one translation addresses (defined above) are exhausted. This continues NAT ID (pool) 1.
nat (inside) 0 access-list 101
A "NAT 0" means no NAT is happening. This entry is used for the IPsec connection defined in the configuration. The nat command with an access list lets you exempt traffic that is matched by the access-list command statements from the NAT services. Access list 101 (not shown) specifies IPsec traffic. This row may confuse users, and if we are not going to touch IPsec now, I would leave it out. We'll cover IPsec on the PIX in a future article.
nat (inside) 1 10.1.1.0 255.255.255.0 0 0
This command connects global pool 1 to the networks allowed to tap into that pool. Subnet 10.1.1.0 on the inside interface will be allowed to use global pool 1 for its outbound connections. The nat command lets you enable or disable address translation for one or more internal addresses. The nat command will disable NAT for an inside network if that net is not explicitly defined to use the pool. Address translation means that when a host starts an outbound connection, the IP addresses in the internal network are translated into global addresses.
nat (management) 1 10.2.2.0 255.255.255.0 0 0
Subnet 10.2.2.0 on the management interface will be allowed to use global pool 1 for its outbound connections.
Note that if acl 101 is undefined, no IPsec traffic will match and no traffic will go through the IPsec tunnel. All traffic would then be subjected to NAT.
If you've used NAT before, you'll recognize that servers on the inside that need to be connected to from the outside will need static mappings. The static command creates a permanent mapping (called a static translation slot or "xlate") between a local IP address and a global IP address. Use the static and access-list commands when you are accessing an interface of a higher security level from an interface of a lower security level. When NAT exists between two interfaces the command takes the form of "static (high,low) low high" . Without address translation, the format of the static command becomes different: "static (high,low) high high".

static (dmz,outside) 1.1.1.22 10.3.3.22 netmask 255.255.255.255 0 0
You need to specify the IP address users on the lower security interface's network will use to access the server on the higher security level interface's network. In this case, we make a DMZ web server at 10.3.3.22 accessible as outside address 1.1.1.22. 
static (inside,management) 10.1.1.13 10.1.1.13 netmask 255.255.255.255 0 0
This static command allows traffic from the inside interface (address 10.1.1.13) to the management subnet, or vice versa if an appropriate ACL exists for traffic coming from the lower security interface. There is no NAT change to the address.
We also need some static routing, so the PIX knows which subnets are out which interface. Like Cisco routers, the PIX does know how to route to connected subnets, so you only have to specify subnets or address ranges behind other routers. You can only have one default route for the PIX Firewall.
route outside 0.0.0.0 0.0.0.0 1.1.1.254 1
Specifies a default route out the outside interface to a router at 1.1.1.254 which is 1 hop away.
route management 10.117.220.0 255.255.255.0 10.2.2.254
Specifies a route to the 10.117.220.0 network via the management interface with the next hop address set to 10.2.2.254 (assuming 10.117.220.0 is behind a router on the management subnet). 
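To make the pairing of the global, nat and static commands above concrete, here is an added model (not PIX code, and not part of the original post) that allocates the one-to-one addresses of pool 1 first-come, first-served, falls back to PAT on 1.1.1.50 with shifted ports once the pool is exhausted, refuses a subnet that has no nat statement, returns a released address to the pool, and answers inbound lookups for the DMZ static. The pool, PAT address, subnets and static are the ones in the post; the host addresses and ports are constructed.

```python
import ipaddress
from itertools import count

class PixNat:
    """Added model (not PIX code) of one NAT ID: global pool, PAT fallback, statics."""
    def __init__(self, nat_nets, pool_first, pool_last, pat_addr, statics):
        lo, hi = ipaddress.ip_address(pool_first), ipaddress.ip_address(pool_last)
        self.free = [str(lo + i) for i in range(int(hi) - int(lo) + 1)]
        self.nat_nets = [ipaddress.ip_network(n) for n in nat_nets]
        self.pat_addr, self.pat_ports = pat_addr, count(1024)
        self.statics = dict(statics)   # local ip -> global ip, permanent xlate
        self.nat_xlates = {}           # local ip -> pool address (one-to-one)
        self.pat_xlates = {}           # (local ip, port) -> (pat addr, shifted port)

    def outbound(self, src_ip, src_port):
        """Translate an outbound connection; None means the subnet has no nat entry."""
        if src_ip in self.statics:
            return self.statics[src_ip], src_port
        if src_ip in self.nat_xlates:
            return self.nat_xlates[src_ip], src_port
        if (src_ip, src_port) in self.pat_xlates:
            return self.pat_xlates[(src_ip, src_port)]
        if not any(ipaddress.ip_address(src_ip) in n for n in self.nat_nets):
            return None
        if self.free:                                   # pool first, first come first served
            self.nat_xlates[src_ip] = self.free.pop(0)
            return self.nat_xlates[src_ip], src_port
        slot = (self.pat_addr, next(self.pat_ports))    # pool exhausted: PAT
        self.pat_xlates[(src_ip, src_port)] = slot
        return slot

    def inbound(self, global_ip, global_port):
        """Map return (or static-permitted) traffic back to the local host and port."""
        for local, g in {**self.statics, **self.nat_xlates}.items():
            if g == global_ip:
                return local, global_port
        for key, slot in self.pat_xlates.items():
            if slot == (global_ip, global_port):
                return key
        return None

    def teardown(self, src_ip):
        self.free.append(self.nat_xlates.pop(src_ip))   # address returns to the pool

def demo_nat():
    """Constructed walk-through using the addresses from the post."""
    pix = PixNat(["10.1.1.0/24", "10.2.2.0/24"], "1.1.1.51", "1.1.1.100", "1.1.1.50", {"10.3.3.22": "1.1.1.22"})
    first = pix.outbound("10.1.1.13", 40001)                # takes 1.1.1.51
    for host in range(101, 150):                            # 49 more inside hosts fill the pool
        pix.outbound(f"10.1.1.{host}", 40000)
    pat = pix.outbound("10.2.2.10", 40002)                  # pool exhausted -> PAT
    unmapped = pix.outbound("10.5.5.5", 40003)              # no nat statement -> None
    pix.teardown("10.1.1.13")                               # frees 1.1.1.51 again
    return first, pat, unmapped, pix.inbound("1.1.1.22", 80), pix.inbound(*pat), pix.free[-1]
```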



*In the context of network security, a spoofing attack is a situation in which one person or program successfully masquerades as another by falsifying data and thereby gaining an illegitimate advantage. Another kind of spoofing is "webpage spoofing," also known as phishing. In this attack, a legitimate web page such as a bank's site is reproduced in "look and feel" on another server under control of the attacker. The main intent is to fool the users into thinking that they are connected to a trusted site, for instance to harvest usernames and passwords.
*TCP provides reliable, ordered delivery of a stream of bytes from a program on one computer to another program on another computer. TCP is the protocol that major Internet applications rely on, applications such as the World Wide Web, e-mail, and file transfer. Other applications, which do not require reliable data stream service, may use the User Datagram Protocol (UDP), which provides a datagram service that emphasizes reduced latency over reliability.
*The Internet Protocol (IP) is the principal communications protocol used for relaying datagrams (packets) across an internetwork using the Internet Protocol Suite. Responsible for routing packets across network boundaries, it is the primary protocol that establishes the Internet.