Advanced PIX Configuration 5 Points

In any security exam, you can be sure that the PIX will be a core device (only one PIX Firewall in the real CCIE exam), so the next few questions highlight the areas of the PIX you should be proficient with to ensure that you are ready for the many scenarios that you might be asked to configure. The next section concentrates on a sample PIX topology to guide you in areas you should concentrate on in your study preparation.

Configuring SSH on the PIX

Configure the PIX to accept SSH connections. Make sure sessions are killed after 2 hours of inactivity. Limit only VLAN_D hosts to SSH to the PIX. The domain name is cisco.com. Set all passwords to cisco.

Configuring SSH on the PIX Solution

Four steps are required when enabling SSH on a Cisco PIX Firewall:

Step 1 Assign a host name and a domain name. This is required so that an RSA key is generated. The PIX commands are as follows:

hostname PIX1
domain-name cisco.com

Step 2 Generate the RSA key with the following PIX command:

ca generate any-key-name rsa key 2048

Step 3 Define the hosts that are permitted access with the following PIX command:

ssh ip_address [netmask] [interface_name]

Step 4 Set the enable and Telnet password (optional).

Example 8-100 configures the PIX Firewall for SSH connections from VLAN_D or network 144.254.4.0/26. To set a timeout value, use the PIX command ssh timeout seconds, in this case 2 minutes or 120 seconds.

Example 8-100 SSH Configuration on the PIX

Pixfirewall(config)#hostname PIX1
PIX1(config)#domain-name cisco.com
PIX1(config)#ca generate rsa key 2048
PIX1(config)#ssh 144.254.4.0 255.255.255.192 inside
PIX1(config)#ssh timeout 120
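As an added example, not from the book, the following Python audit parses ssh host and timeout lines in the syntax shown above and flags any entry wider than the permitted VLAN_D network; the sample config (including the hypothetical any-host entry) is constructed, and the timeout is compared as a plain number in the command's own unit.

```python
import ipaddress

# Constructed sample (not Example 8-100 verbatim): the task's VLAN_D entry
# plus a hypothetical any-host entry that a config review should flag.
SAMPLE_CONFIG = """\
hostname PIX1
domain-name cisco.com
ssh 144.254.4.0 255.255.255.192 inside
ssh 0.0.0.0 0.0.0.0 outside
ssh timeout 5
"""

def _is_dotted_quad(tok):
    try:
        ipaddress.IPv4Address(tok)
        return True
    except ValueError:
        return False

def parse_ssh_policy(config):
    """Return (allowed, timeout); allowed is a list of (network, interface)."""
    allowed, timeout = [], None
    for line in config.splitlines():
        parts = line.split()
        if len(parts) < 2 or parts[0] != "ssh":
            continue
        if parts[1] == "timeout":
            timeout = int(parts[2])
            continue
        rest = parts[2:]
        # Netmask is optional in the syntax; an omitted mask means a single host.
        mask = rest.pop(0) if rest and _is_dotted_quad(rest[0]) else "255.255.255.255"
        iface = rest[0] if rest else None
        allowed.append((ipaddress.ip_network(f"{parts[1]}/{mask}", strict=False), iface))
    return allowed, timeout

def audit_ssh_policy(config, permitted_net, max_timeout):
    """List findings where the ssh configuration is wider than the stated policy."""
    allowed, timeout = parse_ssh_policy(config)
    want = ipaddress.ip_network(permitted_net)
    findings = [f"ssh permitted from {net} on {iface or 'any'}, outside {want}"
                for net, iface in allowed if not net.subnet_of(want)]
    if timeout is None:
        findings.append("ssh timeout not set; platform default applies")
    elif timeout > max_timeout:
        findings.append(f"ssh timeout {timeout} exceeds {max_timeout}")
    return findings
```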

Configuring the PIX for Intrusion Detection

Configure the PIX according to the following Cisco Secure Intrusion Detection System (IDS) policy:

■ For the outside interface, enable all informational signatures; on a match, drop the packet and send a message to the syslog server. Attack signatures should be enabled on both the outside and inside interfaces. More specifically, for the outside interface, drop the packet, send a syslog message, and generate TCP resets in both directions.

■ For the inside interface, drop the packet and send an alert to the syslog server.

Configuring the PIX for Intrusion Detection Solution

The PIX command syntax to enable IDS is as follows:

ip audit attack [action [alarm] [drop] [reset]]

ip audit interface if_name audit_name

ip audit name audit_name attack [action [alarm] [drop] [reset]]

ip audit name audit_name info [action [alarm] [drop] [reset]]

ip audit signature signature_number disable

Table 8-6 summarizes the command's syntax.

Table 8-6 IP Audit Syntax Description

audit attack: Specify the default actions to be taken for attack signatures.

audit info: Specify the default actions to be taken for informational signatures.

audit interface: Apply an audit specification or policy (using the ip audit name command) to an interface.

audit name: Specify informational signatures, except those disabled or excluded by the ip audit signature command, as part of the policy.

audit signature: Specify which messages to display, attach a global policy to a signature, and disable or exclude a signature from auditing.

action actions: The alarm option indicates that when a signature match is detected in a packet, the PIX Firewall reports the event to all configured syslog servers. The drop option drops the offending packet. The reset option drops the offending packet and closes the connection if it is part of an active connection. The default is alarm.

audit_name: Audit policy name viewed with the show ip audit name command.

signature_number: IDS signature number.

Example 8-101 enables the PIX for IDS configuration matching the conditions outlined in the task.

Example 8-101 IDS Configuration on the PIX Named PIX1

PIX1(config)# ip audit name Attack-outside attack action alarm drop
PIX1(config)# ip audit name Information-inside info action alarm drop
PIX1(config)# ip audit name Attack-inside attack action alarm reset
PIX1(config)# ip audit interface inside Attack-inside
PIX1(config)# ip audit interface inside Information-inside
PIX1(config)# ip audit interface outside Attack-outside
PIX1(config)# ip audit info action alarm
PIX1(config)# ip audit attack action alarm
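As an added example, not from the book, this Python checker parses ip audit name, ip audit interface and the global ip audit attack/info default lines in the syntax given above, computes the effective per-interface actions, and reports any deviation from the task's stated policy; the sample config is constructed, and the rule that a named policy without an explicit action inherits the global default is a modeling assumption.

```python
import re
# Constructed sample (not Example 8-101): one named policy per interface and
# signature class, written to match the task's stated IDS policy.
SAMPLE_CONFIG = """\
ip audit name Attack-outside attack action alarm drop reset
ip audit name Info-outside info action alarm drop
ip audit name Attack-inside attack action alarm drop
ip audit interface outside Attack-outside
ip audit interface outside Info-outside
ip audit interface inside Attack-inside
ip audit info action alarm
ip audit attack action alarm
"""

ACTS = r"((?: (?:alarm|drop|reset))+)"
NAME_RE = re.compile(r"^ip audit name (\S+) (attack|info)(?: action" + ACTS + r")?$")
IFACE_RE = re.compile(r"^ip audit interface (\S+) (\S+)$")
DEFAULT_RE = re.compile(r"^ip audit (attack|info) action" + ACTS + r"$")

def effective_policy(config):
    """Map interface -> {class: actions}. Assumes a named policy written without
    'action' inherits the global 'ip audit <class> action' default (PIX default: alarm)."""
    defaults = {"attack": {"alarm"}, "info": {"alarm"}}
    named, bindings = {}, []
    for line in config.splitlines():
        if m := DEFAULT_RE.match(line):
            defaults[m.group(1)] = set(m.group(2).split())
        elif m := NAME_RE.match(line):
            named[m.group(1)] = (m.group(2), set(m.group(3).split()) if m.group(3) else None)
        elif m := IFACE_RE.match(line):
            bindings.append((m.group(1), m.group(2)))
    policy = {}
    for iface, name in bindings:
        cls, acts = named[name]  # KeyError here means a dangling policy reference
        policy.setdefault(iface, {})[cls] = acts if acts is not None else defaults[cls]
    return policy

def check_policy(config, required):
    findings, eff = [], effective_policy(config)
    for iface, classes in required.items():
        for cls, want in classes.items():
            have = eff.get(iface, {}).get(cls)
            if have is None:
                findings.append(f"{iface}: no {cls} policy applied")
            elif have != want:
                findings.append(f"{iface}: {cls} actions {sorted(have)} != {sorted(want)}")
    return findings

# The task's policy: outside attack alarm+drop+reset, outside info alarm+drop, inside attack alarm+drop.
REQUIRED = {"outside": {"attack": {"alarm", "drop", "reset"}, "info": {"alarm", "drop"}},
            "inside": {"attack": {"alarm", "drop"}}}
```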

Table 8-7 displays the available show commands that monitor IDS on a Cisco PIX Firewall.

Table 8-7 show ip audit Commands and Output

show ip audit attack: Displays the default attack actions:

■ PIX1# show ip audit attack

■ ip audit attack action alarm

show ip audit info: Displays the default informational actions:

■ ip audit info action alarm

show ip audit interface: Displays the interface configuration:

■ PIX1# show ip audit interface

■ ip audit interface outside Attack-inside

■ ip audit interface inside Information-inside

■ ip audit interface inside Attack-outside

show ip audit name [name [info | attack]]: Displays all audit policies or specific policies referenced by name and possibly type:

■ ip audit name Attack-inside attack action alarm reset

■ ip audit name Information-inside info action alarm drop

■ ip audit name Attack-outside attack action alarm drop

NOTE For more details on IDS, go to http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_sw/v_63/cmdref/gl.htm#wp1101884
