esiksha.com - Computers - CISCO Certification - Cisco Secure Pix Firewall Fundamentals

Cisco Secure Pix Firewall Fundamentals

PIX Firewall Features

cut-through proxy
1. challenges a user initially at the application layer
2. user is authenticated against an industry-standard database based on the Terminal Access Controller Access Control System (TACACS) or Remote Authentication Dial-In User Service (RADIUS)
3. after authentication and the policy check the PIX Firewall shifts the session flow and all traffic thereafter flows directly and quickly between the two parties while maintaining session state
4. performs dramatically faster than proxy servers
"stateful" information
1. each time a TCP connection is established information about the connection is logged in a stateful session flow table
2. the session flow table contains the source and destination addresses, port numbers, TCP sequencing information, and additional flags for each TCP connection associated with a particular host, and creates a connection object in the PIX Firewall
3. inbound packets are compared against session flows in the connection table and are permitted through the Cisco PIX Firewall only if an appropriate connection exists to validate their passage
IP address depletion
1. mapping between local and global addresses is done dynamically or selectively
2. after a user-configurable timeout period an entry is removed and the global address is freed for use by another inside host
3. dynamic address allocation is port specific

PIX Firewall Installation

you need an ASCII terminal or a computer with serial communications software installed - Windows workstation, Macintosh system, or UNIX system
using a Macintosh requires a special cable that can be obtained from an Apple computer vendor
on the computer or terminal you configure its terminal emulation program and also configure the serial port with these settings: 9600 baud, 8 data bits, no parity, and 1 stop bit
inside network cable must be connected to the interface connector labeled Ethernet1 or Token1, and outside network cable must be connected to Ethernet0 or Token0
You can run the PIX Firewall Setup Wizard on a Windows PC connected to the PIX Firewall console port, the PIX Firewall Manager which is an HTTP-based graphical user interface for administering multiple PIX Firewalls on a Windows NT machine connected to the PIX Firewall's inside network, or access the command line interface from a PC or workstation connected to the PIX Firewall console port using a terminal emulator
At the pixfirewall> prompt, enter the following commands to enter configuration mode:

pixfirewall> enable
Password:
pixfirewall# configure terminal

to view the PIX Firewall help: pixfirewall(config)# ?
if you are installing PIX Firewall version 4.1 or later and have a Windows NT version 4.0 or later server, you can install the PIX Firewall Manager to monitor one or more local and foreign PIX Firewall units from a single management facility
Upgrades for PIX can be downloaded from Cisco Connection Online:
1. pix4nn.bin--- PIX Firewall binary file
2. rawrite.exe--- conversion utility to create diskette that can be read by the PIX Firewall from the binary file
3. readme.txt
4. relnotes---release notes
to install 2 PIX Firewall units in a failover configuration, you must connect the serial cable to the primary unit and not the secondary unit
if your network has a WebSENSE server on any network interface, you can provide URL filtering through the PIX Firewall using the url-sever command
to log FTP commands and WWW URLs when syslog is enabled, use “show fixup” to ensure that the fixup protocol commands for FTP and HTTP are in the configuration
“snmp-server” command causes the PIX Firewall to send SNMP traps, making the firewall remotely manageable.

Failover Configuration

works by passing control to the Standby unit should the Active unit fail
supported only between identical PIX Firewall models running the same software version and having the same config
use the failover command without an argument, after you connect the optional failover cable between your primary firewall and a secondary firewall, to activate the feature
use “no failover” in the configuration file for the PIX Firewall if you will not be using the failover feature
use “show failover” to verify the status of the connection and to determine which unit is active
when a failover occurs, each unit changes state - the newly Active unit assumes the IP and MAC addresses of the previously Active unit and begins accepting traffic. The new Standby unit assumes the failover IP and MAC addresses of the unit that was previously the Active unit. Because network devices see no change in these addresses, no ARP entries change and there are no timeouts anywhere on the network
use “write memory” on the Active unit to save configuration changes to Flash memory on both the Active and Standby units
Configuration changes made on the Standby unit are not replicated on the Active unit
use the “write standby” command to manually save the configuration of the active failover unit to the standby failover unit from RAM to RAM
Standby unit does not maintain the state information of each connection, and all active connections will be dropped when failover occurs, meaning that client systems must reestablish connections
syslog messages are generated when a failover occurs
when a failure is due to a condition other than power loss, failover will begin a series of tests when hello messages are not heard for two consecutive 15-second intervals – tests include Link Up/Down test, Network Activity test, ARP test and Broadcast Ping test

Private Link

works by checking packets that arrive at the PIX Firewall inside interface - “link” command creates an encrypted path between Private Link-equipped PIX Firewall units
you can specify up to seven encryption keys - if you want seven keys, enter the link command in the configuration seven times
key-ID and key values must be the same on each side of the Private Link
after using the link command to add or delete link entries you should use “write memory” to store the configuration and reboot the PIX Firewall

Established Command

allows the PIX Firewall to deliver traffic associated with protocols for which the firewall software does not have specific support
only used in relatively unusual situations
permitto and permitfrom parameters can be used to control which ports on the inside host can be reached from the outside – to be safe, the established command should always be used together with the permitto and/or permitfrom keywords
there is no way to designate specific inside hosts to which the established command should or should not apply
conduits created with the static and conduit commands allow the administrator to permit access from outside the firewall to selected ports on hosts inside the firewall

Other commands

A list of PIX Firewall commands and the level of support within the Cisco Secure Policy Manager

A complete set of command references

Command panel
1. associated with each PIX Firewall node in the Network Topology tree
2. allows you to define device-specific commands that are not supported natively by Cisco Security Manager
3. present status messages about command set downloads, views of the currently published command sets
4. preserve existing command sets that you have defined for active PIX Firewalls
5. to publish a new command set to the PIX Firewall and change the existing password, in the Command panel click “Approve Now”. You must then specify the new enable password in the Enable password box in the Enforcement panel to allow future command sets to be published

Cisco Security Manager

Process overview
1. Define your Network Topology - Use the Topology Wizard to define the PIX Firewall, specify the Internet settings, and create required connecting networks. Also define the Cisco Security Manager server, define special hosts, define address hiding rules, and finally define static mapping rules
2. Define and apply your security policies - Populate the Security Policy Enforcement branch, then define and apply security policies
3. Define your logging and notification settings - specify audit event settings and verify PIX Firewall log settings
4. Generate, verify, and publish device-specific command sets - Perform Save and Update operation and Verify the generated command sets, then approve the command sets and publish them to the PIX Firewall
Cisco Security Manager servers
1. at least one must be defined in the Network Topology tree
2. responsible for generating and distributing network policies
3. also for monitoring network traffic for suspicious activities and reporting
Policy-based management
1. a high-level network policy enforced universally across your network devices without you having to understand all the device-specific rules and settings - you specify what you want to do without having to know the how-to
Policy Database
1. proprietary knowledge-based subsystem
2. persistently stores configuration information as well as information and audit records generated by the Cisco Security Manager system
3. configuration information includes network objects, policies, administrative and user authentication accounts, as well as settings for the various Cisco Security Manager architecture subsystems and components
4. when an agent connects to the Policy Database, the agent and the Policy Database authenticate to each other using a bi-directional authentication method with a public-private key handshake
Policy Enforcement Point PEP
1. identify a network device that accepts a policy from the Policy Distribution Point
2. enforces that policy against the network traffic traversing that network device
Security policy abstract
1. template that identifies the rules about whether or not you want to allow network services across your network
2. abstract in nature as they are not dependent on the enforcement point - it actually represents a collection of condition branches
3. two states: active and inactive
4. active security policy abstract is applied to network objects within the Security Policy Enforcement branch of the Network Policy tree and are enforced by PEPs
5. inactive security policy abstract is defined under the Security Policy Abstracts branch of the Tools and Services tree and is representing a template for a specific implementation
6. bundled network service - collection of two or more network services
Condition branch
1. represents a test that a PEP performs against a session request
2. determines whether to allow a particular session
3. comprises one or more conditions terminated by two terminal nodes
4. request is either accepted, rejected, processed by the next condition branch, or passed up to the next policy for further evaluation
Policy Distribution Point
1. abstract term used to identify an installed subsystem in the Cisco Security Manager architecture
2. accepts intermediate policy descriptions from a Policy Generation Point and translates the policy description into a device-specific command set, then publishes the device-specific command sets to the PEPs
Policy Monitor Point
1. an installed subsystem in the Cisco Security Manager architecture that monitors event streams produced by one or more PEPs
Policy inheritance
1. use hierarchical lists of policies - ability is transferred all the way up to the Policy Enforcement branch if the policies below that branch use the “Use Next Policy action”
2. Dominance - an attribute of the lowest node to which a policy is applied
3. if parameters of a session request match two policies within a direct path, the one applied to the lowest node in that path is applied
Internet node
1. represents the interconnected global network outside the control of the Cisco Security Manager
2. a gateway with a set of access points to the controlled networks where a network packet enters from one access point and leaves out another access point – a cloud
3. cloud network - special type of network that resides inside of a cloud, exists only as part of a cloud but not as a network in the Network Topology tree
4. you must attach at least one network to the Internet, and attach a gateway device to that network as well
Security Policies Evaluation
1. the most specific security policy in relation to the network object is enforced first - the security policy that references the network object most specifically with the implicit “If Source is” statement is the one that regulates it
Address hiding
1. Enhances network security by hiding your network's internal structure from external users
2. Permits almost unlimited number of users for one class D network address
3. No need to register IP address from the Internet Network Information Center
4. to define a hiding rule, you map one or more external IP addresses to an internal network address of any class
5. before hiding a network address the Policy Enforcement Point must have a route defined to access that network
Secure communication
1. supports secure communications between independent web browsers and the reporting agent
2. all communication requests made from a web browser require the user to use a Cisco Security Manager administrative account
3. encryption mechanisms used between Cisco Policy Manager and the reporting agent are different from those used between a web browser and the reporting agent - all Cisco Policy Manager sessions are encrypted using a symmetric algorithm for bulk encryption
4. Cisco Policy Manager uses Microsoft Crypto API to perform encryption
5. session between a web browser and the reporting agent is encrypted using Secure Sockets Layer (SSL) 40-bit
Troubleshooting
1. Cisco Policy Manager can import and export current configuration information into a flat file rather than storing it in the Policy Database. Apart from troubleshooting, this can act as a supplemental backup scheme for some types configuration information
6 key concepts of using Cisco Security Manager:
1. Define network topology from the outside to the inside
2. Keep global view of the network policy rather than a device-specific one
3. Understand the security stance
4. Apply security policies to have them enforced
5. Define logging and notification settings from a global view
6. Define all Cisco Security Manager servers in the network topology

Planning with Cisco Security Manager

use the Topology Wizard to define the initial outside-to-inside structure - you define from the point of the access router belonging to your Internet service provider down into your network
Policy Database is examined to determine whether it contains audit records that are older than the values specified in Event Purging - optimal value dependent on the number of audit records being generated versus the amount of disk space available
address hiding rules map between an external, exposed IP address and an internal network or host address
network Policy is not synchronized with Policy Database contents
to ensure external hosts can reach the internal corporate web server and corporate e-mail server, a static translation rule is needed for each host
static translation rules apply to all forms of IP traffic, and will override address hiding rules for a specific host

Designing Policies

Instead of defining conduits and outbound, you define security policies that describe what traffic you want to allow into and out of your networks
Process:
1. populate your Network Topology tree and add the network objects on which you want to enforce security policies to the Security Policy Enforcement branch of the Network Policy tree
2. construct security policies that permit or deny network services to the network objects on which you plan to enforce those security policies
3. instantiate those security policies by applying them in the Security Policy Enforcement tree
Cisco Security Manager represents security policies, routing information, and other device-specific settings in a way not directly interpretable by a PEP, meaning that a translation process must take place to ensure that the device-specific command sets are generated – use the Save and Update command on the File menu
you can publish the command to the PIX Firewall by approving them manually - the default publishing method
you may configure auto publishing as well

Traffic Flow Rulings

Routes panel
1. identifies the static rules that your Policy Enforcement Points use to route network packets correctly
2. Secure Policy Manager automatically presents all routes marked as "Implicit" on the basis of network interfaces and networks directly connected to a gateway object, and automatically derives all routes marked as "Derived" on the basis of your Network Topology definition
3. derived routing rules are published to the Policy Enforcement Points as part of the generated command sets
4. all static routing rules that have been defined using interfaces other than Cisco Secure Policy Manager are replaced by those routing rules that are defined using Cisco Secure Policy Manager
5. if you define a MANUAL routing rule that overrides a derived routing rule, the derived routing rule will no longer appear in the Routes panel. Also, no command set will be generated to enable that derived route
6. you can delete the MANUAL routing rule to have the derived routing rule generated and distributed as part of the command set
as dynamic routing rules are updated via router-to-router communications, the dynamic routes are vulnerable to attack
if you define a static translation rule for a Policy Distribution Point, you can cause a temporary command set publishing problem - the connection to the Policy Enforcement Point is broken after the new command set is published, as it effectively changes the address of the Cisco Secure Policy Manager host. To solve the problem, you can either define a temporary policy that permits the administrative network service from the old Policy Distribution Point address to the administrative network interface on the Policy Enforcement Points that use that Policy Distribution Point. Or you can use the Prologue option in the Command panel for the affected Policy Enforcement Points to specify that you want to accept administrative connections manually from the old IP address used by the affected Policy Enforcement Points

PIX hardware platform and its adaptive Security feature

contains two Ethernet interfaces, one for inside and one for outside
when packets arrive at the inside Ethernet, PIX checks to see if previous packets have come from the inside host. If not, a dynamic translation slot is created in its state table that includes the inside IP address and the new globally unique IP address drawn from the virtual network of up to 64K host addresses. It then changes the IP address, the checksums, and other aspects of the packet and forwards the packet to the outside interface
when a packet arrives at the outside interface, it must first pass the PIX Firewall Adaptive Security criteria. If passed, PIX removes the destination IP address and the internal IP address is inserted in its place for forwarding to the inside interface
Adaptive Security (AS) = stateful approach of inspection:
1. allows any TCP connections that originate from the inside network
2. ensures that there is already an FTP control connection between that translation slot and the remote host if an FTP data connection is initiated to a translation slot
3. drops and logs attempts to initiate TCP connections to a translation slot from the outside, as well as source routed IP packets sent to any translation slot on the PIX Firewall
4. allows ICMP of types 0, 3, 4, 8, 11, 12, 17 and 18 and ICMP type 5 and others
5. drops ping requests to dynamic translation slots
6. answers ping requests directed to static translation slots
exceptions to the previously described rules can be created with the conduit command, and multiple exceptions are possible

PIX Command Guidelines and Summary

When entering commands, you can:
1. erase characters with the Backspace and Del keys
2. erase a previous word with ^W
3. erase a previous line with ^U
4. redisplay a line with ^R
Commands
1. Apply - apply an access list
2. access_list – create an access list
3. no access_list – delete an access list
4. show access_list – view the access list
5. arp – adjust the arp setting
6. clear arp-cache - flush the arp cache
7. show config – display current configuration
8. ifconfig – configure ethernet interface
9. ifstat - interface statistics
10. clear_config - clear flash memory
11. restore – reload config info from flash
12. save - write configuration to flash
13. kill - terminate a login session
14. who – view IP address origination
15. reboot – reboot PIX
16. route – adjust routing table
17. link / no link – enable or disable private link
18. link_stat – show private link status
19. rip / no rip – enable or disable RIP settings
20. loghost – view or assign syslog
21. telnet / no telnet – enable or disable telnet access
22. mem – show the uptime for PIX

Different Models of PIX

4 models: PIX Firewall 515-R, PIX Firewall 515-UR, PIX Firewall 520, PIX Firewall 520-DC
detailed hardware specs can be found at http://www.cisco.com/warp/public/cc/pd/fw/sqfw500/prodlit/pie_ds.htm

PIX Private Link encryption card

Data Encryption Between Multiple PIX Firewall Systems – for building VPN
uses Data Encryption Standard (DES) plus incorporates the IETF Authentication Header/Encapsulating Security Payload (AH/ESP) protocols
up to seven preshared keys can be changed at preset times
can directly connect up to 256 other sites

PFM PIX Firewall Manager

To install, you should log into the Windows NT machine locally (not the domain) as "administrator"
PFM installation needs to create a local SAM (Security Access Management) database for PFM access, which is usually not possible with default PDC or BDC installations
if after installing the PFM NT keeps on beeping - an application port conflict - a syslog application such as Cisco Works, PIX Firewall Syslog Server [PFSS], or a third-party application may already be listening on UDP 514, or a web server is already occupying the PFM default TCP port 8080. Try to uninstall, find a clean port and reinstall.
you are suggested not to install PFM on a machine running Internet Information Server (IIS) so as to avoid possible server ports conflicts
Firewall Manager requires a static IP Address rather than a DHCP one
the default administrator name is “pixadmin” and the default password is “cisco”, with read/write configuration abilities.
default user username/password is pixuser/cisco, with read only capability
User manager on the server allows you to add, change, or delete users to the pixadmins or pixusers groups
pfm.log is the log file for troubleshooting problems
if you lose your password......... to use the password recovery procedure, you need the PIX Password Lockout Utility - rawrite.exe, plus one of the following files depending on the PIX software version you are running - nppix.bin (4.3 and earlier releases)/np44.bin (4.4 release)/np50.bin (5.0 release)/np51.bin (5.1 release). A registered user can download these files from Cisco. Also, the user can open a case with Technical Assistance Center (TAC) to obtain the files.