Chapter 5: Configuring PIX Firewall Basics
(MCNS course slides, © 1999, Cisco Systems, Inc.)

Objectives
Upon completion of this chapter, you will be able to perform the following tasks:
- Identify PIX Firewall features and components
- Configure a PIX Firewall to work with a Cisco router
- Configure basic PIX Firewall features to protect Internet access to an enterprise, based on a case study network design
- Test and verify basic PIX Firewall operation

XYZ Company's PIX Implementation Plan (network diagram)
Labels on the diagram: Internet; R1 Perimeter Router; PIX Firewall; Dirty DMZ and Protected DMZ; Bastion Host; Web Server; NetRanger Sensor; Campus Router; R2 NAS with Dialup Client; Remote Branch; Sales; Client/Server; SMTP Server; DNS Server; CA Server; IS (NetRanger Director, NetSonar); NT Server running CiscoSecure, Web, FTP, TFTP and Syslog; Web Surfer.

PIX Firewall Security Features and Operation

PIX Firewall: What Is It?
A stateful firewall with high security and fast performance:
- Secure, real-time, embedded operating system: no UNIX or NT security holes
- Adaptive Security Algorithm (ASA) provides stateful security
- Cut-through proxy eliminates application-layer bottlenecks
- Pentium Pro (PIX 515) or Pentium II (PIX 520) processor-based system

Only Three Ways through the PIX Firewall from the Outside
1. Cut-through proxy user authentication, against a RADIUS or TACACS+ database
2. Static translation: the static command, with a conduit that permits the inbound connection
3. Adaptive Security Algorithm (ASA): return traffic for a valid request made by an inside user
   - Inside hosts are protected by NAT
   - What counts as a valid user request is determined by the PIX Firewall administrator

Cut-Through Proxy User Authentication
- Enables high-performance throughput
- Initially performs authentication and authorization at the application layer
- Authenticates against TACACS+ and RADIUS security servers
- After authentication, cuts through to a transparent, high-performance session
- Authenticates inbound and outbound connections

Cut-Through Proxy Operation
- Authenticates once at the application layer (OSI Layer 7) for each supported service
- The connection is then passed back to the PIX high-performance ASA engine, while session state is maintained
Sequence (internal or external user reaching an IS resource):
1. The user makes a request to an IS resource
2. The PIX intercepts the connection
3. The PIX prompts the user for a username and password, authenticates the user and checks the security policy on the RADIUS or TACACS+ server
4. The PIX initiates a connection from itself to the destination IS resource
5. The PIX directly connects the internal/external user to the IS resource via ASA
(Figure: the browser's "CiscoSecure PIX Firewall: Username and Password Required" prompt, with user name "student")

Static Route Commands
- Used to enter static routes for PIX interfaces
- Specify the destination network IP address and the next-hop IP address
- Syntax: route if_name dest_ip netmask gateway_ip [metric]
- Slide example: one route outside entry and one route inside entry (the address arguments did not survive extraction)
- Diagram: Bastion Host, PIX Firewall, Perimeter Router, Internet
Note that route only installs a forwarding entry; it does not permit traffic through the firewall. Permitting an inbound path is the job of the static and conduit commands.

Adaptive Security Algorithm
- Provides stateful connection security
- Tracks source and destination ports and addresses, TCP sequence numbers, and additional TCP flags
- TCP sequence numbers are randomized: the PIX rewrites the initial sequence number, so an inside host's predictable ISN is never exposed to the outside
- Tracks UDP and TCP session state
- A connection allowed out creates state that allows the return traffic of that session back in (the TCP ACK bit is checked)
- Supports authentication, authorization, and syslog accounting

PIX Firewall Capacities and Capabilities

PIX Firewall Models

PIX 515 (515-R restricted, 515-UR unrestricted licence)
  Processor:    200 MHz Pentium Pro
  Memory:       32 MB (515-R), 64 MB (515-UR)
  Ethernet:     2 (515-R), 6 (515-UR)
  Flash:        8 MB (515-R), 16 MB (515-UR)
  Connections:  50,000 (515-R), 100,000 (515-UR)

PIX 520
  Processor:    350 MHz Pentium II
  Memory:       128 MB SDRAM (standard after 1 June 1999)
  Interfaces:   Ethernet, 6 configurable; Token Ring, 4 configurable; FDDI, 2 configurable; Ethernet/Token Ring, 6 total
  Flash:        2 MB
  Power:        -48 VDC input power optional
  Connections:  256,000+

PIX 515 Firewall Supported Network Interfaces
- 2 Ethernet ports with the basic license
- Up to 6 Ethernet ports with a license upgrade

PIX 520 Firewall Supported Network Interfaces
- Up to 6 Ethernet
- Up to 4 Token Ring
- 2 FDDI
- Up to 4 Ethernet and 2 Token Ring in combination

Essential PIX Configuration

PIX Command-Line Interface
Unprivileged (user) mode:
- View current running settings
- Enter privileged mode
Privileged mode:
- Change current settings
- Write to Flash memory
- Enter any unprivileged command
Configuration mode:
- Change system configuration
- Enter any privileged command
Help:
- Enter ? by itself for a full listing
- Enter ? after a command for its syntax
- Available in any mode

Example session:
    pixfirewall> uptime
    pixfirewall> enable
    pixfirewall# ping
    pixfirewall# config t
    pixfirewall(config)# interface
    pixfirewall(config)# ^z
    pixfirewall# ?
    pixfirewall# ping ?
    pixfirewall# disable
    pixfirewall>

PIX Privileged Mode Password
The enable password command sets the privileged-mode password.
- Unprivileged (user) mode: view current running settings, enter privileged mode
- Privileged mode: change current settings, write to Flash memory, enter any unprivileged command

    pixfirewall> enable
    password:
    pixfirewall# enable password wsDerrTL
    pixfirewall#

A PIX ships with an empty enable password (pressing Enter at the prompt succeeds), so set one before the outside interface is connected.

PIX Telnet Password
The passwd command sets the Telnet and PIX Firewall Manager password. The password is stored and displayed in hashed form (the PIX labels it "encrypted"), so show passwd does not reveal it.

    pixfirewall# passwd watag00s1am
    pixfirewall# show passwd
    passwd jMorNbk0514fadBh encrypted

The factory Telnet password is cisco; change it. Telnet itself sends the password in cleartext, so only permit Telnet from inside management hosts.

nameif, interface, and ip address Commands (configuration mode)
- nameif hardware_id if_name security_level
  Configures the interface name and security level
- interface hardware_id hardware_speed
  Configures the interface type and speed
- ip address if_name ip_address [netmask]
  Configures the IP address of a PIX Firewall interface
(Diagram: outside interface, PIX Firewall, inside interface)

nameif Command and Security Levels
- E0: interface name Outside, security level 0 (Internet)
- E1: interface name Inside, security level 100 (inside network)
- E2: interface name DMZ1, security level 30 (perimeter network)
- E3: interface name DMZ2, security level 40 (perimeter network)
Traffic may originate from a higher-security interface toward a lower one; the reverse direction is permitted only as return traffic for an existing connection, through a static with a conduit, or after cut-through proxy authentication.
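The default policy stated on this slide and on the Adaptive Security Algorithm slide above, written out as an added Python model. This is example code, not course material or PIX firmware: the interface names, security levels, addresses and packets are constructed for the demonstration, the conn table is keyed on the 5-tuple as the initiator sees it, and address translation is deliberately left out so that the state-tracking logic stands on its own.

```python
"""Toy model of the PIX Adaptive Security Algorithm default policy: a new
connection is admitted only from a higher-security interface to a lower one,
every admitted connection goes into a conn table, return packets are admitted
only when they match a recorded connection (and carry ACK for TCP), and the
initiator's TCP sequence numbers are offset by a random per-connection delta.
Constructed example; no NAT is modelled."""
import secrets
from dataclasses import dataclass

MOD32 = 1 << 32


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str = "tcp"
    flags: frozenset = frozenset({"SYN"})  # meaningful for tcp only
    seq: int = 0
    ack: int = 0


@dataclass
class Verdict:
    allowed: bool
    reason: str
    seq: int = 0   # sequence number as forwarded (rewritten in the initiator direction)
    ack: int = 0   # acknowledgement number as forwarded (rewritten in the return direction)


class PixASA:
    def __init__(self, security_levels):
        # if_name -> security level, e.g. {"outside": 0, "dmz1": 30, "inside": 100}
        self.levels = dict(security_levels)
        self.conns = {}  # 5-tuple as seen from the initiator -> ISN delta

    def inspect(self, p, in_if, out_if):
        key = (p.proto, p.src, p.sport, p.dst, p.dport)
        rev = (p.proto, p.dst, p.dport, p.src, p.sport)
        if key in self.conns:          # later packet from the initiator
            return Verdict(True, "established", (p.seq + self.conns[key]) % MOD32, p.ack)
        if rev in self.conns:          # return traffic toward the initiator
            if p.proto == "tcp" and "ACK" not in p.flags:
                return Verdict(False, "return tcp packet without ACK bit")
            return Verdict(True, "return traffic", p.seq, (p.ack - self.conns[rev]) % MOD32)
        # No state yet: only a higher-security interface may open a connection.
        if self.levels[in_if] <= self.levels[out_if]:
            return Verdict(False, f"no conn for {in_if}({self.levels[in_if]}) -> "
                                  f"{out_if}({self.levels[out_if]})")
        if p.proto == "tcp" and p.flags != frozenset({"SYN"}):
            return Verdict(False, "new tcp connection must start with a bare SYN")
        delta = secrets.randbelow(MOD32)   # randomized ISN offset for this conn
        self.conns[key] = delta
        return Verdict(True, "outbound, conn created", (p.seq + delta) % MOD32, p.ack)


def demo():
    """Constructed packets through a two-interface PIX; returns the verdicts."""
    pix = PixASA({"outside": 0, "inside": 100})
    syn = Packet("10.1.1.5", 40000, "198.51.100.7", 80, seq=1000)
    v1 = pix.inspect(syn, "inside", "outside")
    syn_ack = Packet("198.51.100.7", 80, "10.1.1.5", 40000,
                     flags=frozenset({"SYN", "ACK"}), seq=5000, ack=(v1.seq + 1) % MOD32)
    v2 = pix.inspect(syn_ack, "outside", "inside")   # ack is mapped back to 1001
    stray = Packet("203.0.113.9", 1234, "10.1.1.5", 22)   # unsolicited inbound SYN
    v3 = pix.inspect(stray, "outside", "inside")
    dns = Packet("10.1.1.5", 53000, "198.51.100.53", 53, proto="udp", flags=frozenset())
    v4 = pix.inspect(dns, "inside", "outside")
    reply = Packet("198.51.100.53", 53, "10.1.1.5", 53000, proto="udp", flags=frozenset())
    v5 = pix.inspect(reply, "outside", "inside")
    return v1, v2, v3, v4, v5


if __name__ == "__main__":
    for v in demo():
        print(v.allowed, v.reason)
```

The unsolicited SYN from 203.0.113.9 is dropped with no matching conn, while the DNS reply is admitted because the outbound UDP request created state; that is the "only three ways through" rule in miniature.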

global and nat Commands (configuration mode)
- global [(if_name)] nat_id global_ip[-global_ip] [netmask global_mask]
  Defines the IP addresses in the global pool
  Used with NAT and PAT (a single address instead of a range gives PAT)
  Must be NIC-registered addresses for the interface connected to the Internet
- nat [(if_name)] nat_id local_ip [netmask [max_conns [em_limit]]] [norandomseq]
  Associates an internal network with a pool of global IP addresses
  Specifies the inside hosts that may use the PIX for address translation
  The nat_id ties a nat statement to the global pool with the same number
norandomseq turns off the TCP sequence-number randomization described under the Adaptive Security Algorithm for those hosts; leave it off unless an application breaks without it.

global and nat Example
- Creates a global pool of IP addresses for connections to the outside
- All inside addresses are translated to global addresses
- The PIX assigns addresses from the global pool starting at the high end of the range specified in the global command and working down
Slide commands (address arguments did not survive extraction): global (outside) ... netmask ... and nat (inside) ...
(Diagram: Bastion Host, PIX Firewall, Perimeter Router; inside networks Sales, Engineering, Information Systems)
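An added Python model of the xlate (translation) table that a global/nat pair builds, to show the high-to-low allocation the slide describes and what happens when the pool runs out. It is example code, not PIX firmware or course material. It assumes nat_id 1 on both statements, a constructed pool 192.0.2.10-192.0.2.12 plus a single PAT address 192.0.2.13 (a global statement with one address is PAT, which the review questions at the end of the chapter discuss), and 10.0.0.0/8 standing in for the slide's Class A private inside network.

```python
"""Toy xlate table for one global/nat pair (constructed example, not Cisco
code). Pool addresses are handed out from the high end downward, as the slide
states; once the pool is empty the PAT address is used with a unique port per
inside socket. untranslate() shows why an inbound packet needs an existing
xlate before it can reach anything inside."""
import ipaddress


class XlateTable:
    def __init__(self, inside_net, pool_first, pool_last, pat_address=None):
        self.inside_net = ipaddress.ip_network(inside_net, strict=False)
        first = int(ipaddress.ip_address(pool_first))
        last = int(ipaddress.ip_address(pool_last))
        # Highest address first, so pop(0) yields the high end of the range.
        self.free = [str(ipaddress.ip_address(a)) for a in range(last, first - 1, -1)]
        self.pat_address = pat_address      # single global address => PAT
        self.next_pat_port = 1024
        self.nat = {}       # inside_ip -> global_ip (one-to-one, all ports)
        self.nat_rev = {}   # global_ip -> inside_ip
        self.pat = {}       # (inside_ip, inside_port) -> global_port
        self.pat_rev = {}   # global_port -> (inside_ip, inside_port)

    def translate(self, inside_ip, inside_port):
        """Outbound: the (global_ip, global_port) the connection shows on the
        outside, or None if the host is not covered or nothing is left."""
        if ipaddress.ip_address(inside_ip) not in self.inside_net:
            return None                               # not covered by the nat statement
        if inside_ip not in self.nat and self.free:
            g = self.free.pop(0)                      # highest remaining pool address
            self.nat[inside_ip] = g
            self.nat_rev[g] = inside_ip
        if inside_ip in self.nat:
            return (self.nat[inside_ip], inside_port)
        if self.pat_address is None:
            return None                               # pool exhausted, no PAT fallback
        key = (inside_ip, inside_port)
        if key not in self.pat:
            if self.next_pat_port > 65535:
                return None                           # PAT port space exhausted
            self.pat[key] = self.next_pat_port
            self.pat_rev[self.next_pat_port] = key
            self.next_pat_port += 1
        return (self.pat_address, self.pat[key])

    def untranslate(self, global_ip, global_port):
        """Inbound: map a destination back to the inside socket, or None when
        no inside host created an xlate for it."""
        if global_ip in self.nat_rev:
            return (self.nat_rev[global_ip], global_port)
        if global_ip == self.pat_address:
            return self.pat_rev.get(global_port)
        return None


def demo():
    """Constructed walk-through: three-address pool, PAT fallback, and one host
    that the nat statement does not cover."""
    x = XlateTable("10.0.0.0/8", "192.0.2.10", "192.0.2.12", pat_address="192.0.2.13")
    out = [x.translate(ip, port) for ip, port in
           [("10.1.1.1", 3000), ("10.1.1.2", 3000), ("10.1.1.3", 3000),
            ("10.1.1.4", 4000), ("10.1.1.4", 4001), ("10.1.1.5", 4000),
            ("10.1.1.1", 3001), ("172.16.0.5", 3000)]]
    return x, out


if __name__ == "__main__":
    table, results = demo()
    for r in results:
        print(r)
    print(table.untranslate("192.0.2.13", 1025), table.untranslate("192.0.2.13", 9999))
```

The first three hosts take 192.0.2.12, .11 and .10 in that order; the fourth and fifth share the PAT address with distinct ports, and 172.16.0.5 gets nothing because the nat statement does not cover it.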

Basic Configuration Commands (privileged mode)
- write net | floppy | memory
  Saves the configuration to a TFTP server (at the IP address given by the tftp-server command), to a floppy, or to Flash memory
- write terminal
  Displays the current configuration on the console
- write erase
  Clears the configuration stored in Flash memory
Changes made at the CLI live only in memory until write memory is issued; a reload without it returns the PIX to the last saved configuration.

Basic Configuration Example
- The PIX Firewall and the Web server reside inside a DMZ created by the perimeter router
- The company has one subnet of Class B registered addresses
- The company uses Class A private addresses on the inside, corporate network
Commands (the address arguments did not survive extraction; sec100 for the inside interface follows the security-level slide):
    nameif ethernet0 outside sec0
    nameif ethernet1 inside sec100
    interface ethernet0 auto
    interface ethernet1 auto
    ip address inside ...
    ip address outside ...
    global (outside) ... netmask ...
    nat (inside) ...
    route outside ...
    route inside ...
(Diagram: Bastion Host, PIX Firewall, Perimeter Router; inside networks Sales, Engineering, Information Systems)
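An added parser and consistency check for the six basic commands above, written as example code (not Cisco's, and not the slide's configuration: the addresses in SAMPLE_CONFIG are constructed because the slide's did not survive extraction). It accepts both the sec0 abbreviation used on the slide and the full security0 keyword, and checks the mistakes that most often slip in when these commands are typed by hand: a nameif without a matching interface or ip address, duplicate security levels, outside not at 0 or inside not at 100, a global pool whose nat_id has no nat statement or that lies off the outside subnet or overlaps the interface address, and a route whose gateway is not on the named interface's subnet.

```python
"""Added example: parse the six basic PIX commands and check them for
consistency. Not Cisco code; SAMPLE_CONFIG and BROKEN_CONFIG are constructed."""
import ipaddress
import re

SAMPLE_CONFIG = """\
nameif ethernet0 outside sec0
nameif ethernet1 inside security100
interface ethernet0 auto
interface ethernet1 auto
ip address outside 192.0.2.2 255.255.255.0
ip address inside 10.1.1.1 255.255.255.0
global (outside) 1 192.0.2.20-192.0.2.254 netmask 255.255.255.0
nat (inside) 1 10.0.0.0 255.0.0.0
route outside 0.0.0.0 0.0.0.0 192.0.2.1 1
route inside 10.0.0.0 255.0.0.0 10.1.1.2 1
"""

# Constructed variant with two typing mistakes: a nat_id that matches no global
# pool and a default-route gateway that is not on the outside subnet.
BROKEN_CONFIG = (SAMPLE_CONFIG.replace("nat (inside) 1", "nat (inside) 2")
                              .replace("192.0.2.1 1", "198.51.100.1 1"))


def parse(text):
    """Return a dict of the parsed commands; unknown commands raise ValueError."""
    cfg = {"nameif": {}, "interface": set(), "ip": {}, "global": [], "nat": [], "route": []}
    for line in text.splitlines():
        t = line.split()
        if not t or t[0].startswith("!"):
            continue
        if t[0] == "nameif":                       # nameif hw_id if_name securityN
            m = re.fullmatch(r"sec(?:urity)?(\d+)", t[3])
            if not m:
                raise ValueError(f"bad security level: {line}")
            cfg["nameif"][t[2]] = (t[1], int(m.group(1)))
        elif t[0] == "interface":                  # interface hw_id speed
            cfg["interface"].add(t[1])
        elif t[:2] == ["ip", "address"]:           # ip address if_name ip [mask]
            mask = t[4] if len(t) > 4 else "255.255.255.255"
            cfg["ip"][t[2]] = ipaddress.ip_interface(f"{t[3]}/{mask}")
        elif t[0] == "global":                     # global (if) id first[-last] [netmask m]
            first, _, last = t[3].partition("-")
            cfg["global"].append((t[1].strip("()"), int(t[2]),
                                  ipaddress.ip_address(first), ipaddress.ip_address(last or first)))
        elif t[0] == "nat":                        # nat (if) id local_ip [mask ...]
            mask = t[4] if len(t) > 4 else "255.255.255.255"
            cfg["nat"].append((t[1].strip("()"), int(t[2]),
                               ipaddress.ip_network(f"{t[3]}/{mask}", strict=False)))
        elif t[0] == "route":                      # route if dest mask gateway [metric]
            cfg["route"].append((t[1], ipaddress.ip_network(f"{t[2]}/{t[3]}", strict=False),
                                 ipaddress.ip_address(t[4])))
        else:
            raise ValueError(f"unsupported command: {line}")
    return cfg


def check(cfg):
    """Return a list of problems; an empty list means the basics are consistent."""
    problems = []
    seen_levels = {}
    for name, (hw, level) in cfg["nameif"].items():
        if hw not in cfg["interface"]:
            problems.append(f"{name}: no interface command for {hw}")
        if name not in cfg["ip"]:
            problems.append(f"{name}: no ip address command")
        if level in seen_levels:
            problems.append(f"{name}: security level {level} already used by {seen_levels[level]}")
        seen_levels[level] = name
    if cfg["nameif"].get("outside", ("", -1))[1] != 0:
        problems.append("outside interface must be security0")
    if cfg["nameif"].get("inside", ("", -1))[1] != 100:
        problems.append("inside interface must be security100")
    nat_ids = {nat_id for _, nat_id, _ in cfg["nat"]}
    for if_name, nat_id, first, last in cfg["global"]:
        iface = cfg["ip"].get(if_name)
        if nat_id not in nat_ids:
            problems.append(f"global nat_id {nat_id} has no matching nat command")
        if first > last:
            problems.append(f"global range {first}-{last} is reversed")
        elif iface and not (first in iface.network and last in iface.network):
            problems.append(f"global pool {first}-{last} is not on {if_name} subnet {iface.network}")
        elif iface and first <= iface.ip <= last:
            problems.append(f"global pool overlaps the {if_name} interface address {iface.ip}")
    for if_name, dest, gateway in cfg["route"]:
        iface = cfg["ip"].get(if_name)
        if iface is None:
            problems.append(f"route {if_name}: no such interface")
        elif gateway not in iface.network:
            problems.append(f"route {if_name}: gateway {gateway} is not on {iface.network}")
    return problems


if __name__ == "__main__":
    for label, text in (("sample", SAMPLE_CONFIG), ("broken", BROKEN_CONFIG)):
        print(label, check(parse(text)) or "OK")
```

Run it against the output of write terminal before write memory; the two faults in BROKEN_CONFIG (a global pool with no nat behind it, and a default route pointing off the outside subnet) both leave the PIX silently passing no traffic, which is far easier to spot here than from the console.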

Configuring the PIX Firewall: Lab Exercise

Lab Objectives
Upon completion of this lab, you will be able to perform the following tasks:
- Configure basic PIX Firewall features to protect Internet access to an enterprise, based on a case study network
- Test and verify basic PIX Firewall operation

MCNS Lab Environment (diagram; X = pod number)
Labels on the diagram: Frame Relay (Internet) telco simulator; Perimeter X router; PIX X Firewall with Outside, DMZ and Inside interfaces; Protected DMZ and Dirty DMZ; Bastion Host (Web server, FTP server); inside networks 10.X.1.0/24 and 10.X.2.0/24 (10.X.2.2 to 10.X.2.10); NAS X; IS; Windows NT PC NT1; NT server running CiscoSecure NT, IIS FTP and Web server, Cisco Security Manager, syslog server and TFTP server; instructor NT server (FTP, HTTP, CA); Sales dialup. The individual host addresses did not survive extraction.

Summary and Review Questions

Summary
- The PIX provides stateful inspection
- Cut-through proxy eliminates application-layer bottlenecks
- Only three ways through the PIX from the outside:
  - User authentication (RADIUS or TACACS+)
  - Static (with a conduit)
  - Response to a valid internal user request
- PIX 515 supports Ethernet only (6 interfaces maximum)
- PIX 520 supports the following interfaces:
  - Ethernet (6 maximum)
  - Token Ring (4 maximum)
  - FDDI (2 maximum)
  - Combinations of Ethernet and Token Ring

Review Questions
1. Which PIX Firewall features enable the PIX to have high performance?
   A. Stateful operation: the Adaptive Security Algorithm
   B. Cut-through proxy authentication
   C. Secure, real-time embedded system
2. What is the basic PIX Firewall security policy for inbound and outbound connections?
   A. Inbound: all inbound connections are denied unless specifically authenticated, enabled by a static or conduit, or a response to a valid user request
   B. Outbound: all connections are allowed unless specifically denied by access lists

Review Questions (cont.)
3. What are three of the advantages of the PIX Adaptive Security Algorithm?
   A. Stateful connection security
   B. Tracks source and destination ports and addresses, TCP sequences, and additional TCP flags
   C. Random TCP sequence numbers
   D. Tracks TCP and UDP session state
   E. Return-traffic tracking for outbound sessions
   F. Supports authentication, authorization, and syslog accounting

Review Questions (cont.)
4. List the six commands needed to get the PIX running and providing basic network security.
   A. nameif ethernetX
   B. interface ethernetX
   C. ip address
   D. global
   E. nat
   F. route

Review Questions (cont.)
5. Does the PIX 515 support FDDI and Token Ring interfaces?
   No.
6. What command is used to verify interface function and correct cable connection?
   show interface

Review Questions (translations)
1. What function does the nat 0 command serve?
   It disables address translation for the listed inside hosts, so their real addresses are visible to the outside; an inbound connection to them still needs a conduit.
2. Two commands can be used to enable NAT. What are they?
   A. global
   B. static
3. PAT supports more than 64,000 hosts. Approximately what percentage of that number can be connected at the same time?
   25%

Review Questions (cont.)
4. When running multimedia applications through the PIX, does it matter whether PAT is enabled?
   Yes. Some multimedia applications need access to specific ports, which may conflict with the port mappings that PAT assigns.
5. Which command has precedence: static, or nat and global? Why is this important?
   static. It is important because a nat command only grants outbound access to hosts not specified in a static statement.
6. In version 4.4(1) of the PIX software, can the conduit command be used with either the global or the static command? Is either of them required with the conduit command?
   Yes. No.