Scaling PIX Configurations Using Object Groups and Turbo ACLs

Object groups (introduced in PIX 6.2) are a very useful mechanism for controlling the size of the PIX configurations and avoiding inputting redundant information in the PIX. Object grouping provides a way to reduce the number of access rules required to describe complex security policies. Object groups allow two main things to happen:

• Group several hosts that have similar access requirements such that a single access rule can be applied to all of them, rather than creating a separate rule for each host. This also helps make the configuration more meaningful and easily comparable to the network access policy.

• Group several services or protocols so that they can be applied to a range of hosts at the same time. This again avoids the need to create a separate rule for each host that needs to use these services.

TurboACL is a feature introduced with PIX Firewall version 6.2 that improves the average search time for access control lists containing a large number of entries. The TurboACL feature causes the PIX Firewall to compile tables for ACLs; this improves searching of long ACLs. If an ACL contains more than 19 entries and is set up for turbo access list compilation, PIX compiles the access list for faster processing. This is a useful feature to have in environments that require a large number of access lists to be set up.

Example 8-5 describes how object groups and Turbo ACLs are used. The implementation of LAN failover, meaning stateful failover using LAN instead of the serial cable, is also discussed. This feature allows the distance limitations between the primary and secondary PIX to be overcome among other things.

Figure 8-16 shows the network setup via the configuration.

Figure 8-16 Network Topology for This Case Study


Ethernet 2 L Ethernet 3 Ethernet1

Ethernet 2 L Ethernet 3 Ethernet1

World Wide Web World Wide Web World Wide Web World Wide Web & & & &

FTP Server FTP Server SMTP Server SMTP Server

Example 8-5 How Object Groups and Turbo ACLs Are Used pixfirewall#wr t Building configuration... : Saved

PIX Version 6.2(1) nameif ethernet0 outside security0 nameif ethernet1 inside security100 nameif ethernet2 failstate security20 nameif ethernet3 LANfail security30 enable password <removed> encrypted passwd <removed> encrypted hostname pixfirewall domain-name fixup protocol ftp 21 fixup protocol http 80 fixup protocol h323 h225 1720

Example 8-5 How Object Groups and Turbo ACLs Are Used (Continued)

Example 8-5 How Object Groups and Turbo ACLs Are Used (Continued)

access-list grp_2 permit tcp any object-group host_group_2 eq smtp

!The command below turns on the turbo access list feature for the access list !grp_2.

access-list grp_2 compiled access-list grp_1 permit tcp any object-group host_group_1 eq ftp access-list grp_1 compiled access-list all permit tcp any object-group all_groups eq www access-list all compiled

!The access list below is used to restrict outbound access from internal hosts. !All hosts except the servers are allowed only WWW and SMTP access outbound. The !services object group is used to define the services allowed for these hosts.

access-list access-list access-list access-list access-list

1.10 any any outbound_services_acl permit ip host 10.1 outbound_services_acl permit ip host 10.1 outbound_services_acl permit ip host 10.1 outbound_services_acl permit ip host 10.1 outbound_services_acl permit tcp object-group outbound_services access-list outbound_services_acl compiled pager lines 24 no logging console debugging no logging monitor debugging interface ethernet0 100full interface ethernet1 100full interface ethenret3 100full interface ethernet4 100full ip address outside ip address inside ip address failstate ip address LANfail

!The failover IP address commands below are used to define the IP addresses that !will be used by the primary PIX to talk to the secondary PIX.

failover ip address outside failover ip address inside failover ip address failstate failover ip address LANfail

!The first two failover commands are the same as the ones described in the earlier failover example. However, please note that four new failover lan commands have !been introduced that define the interface that will be used for the LAN failover Communications to occur. Also a key used to authenticate and encrypt messages !between the two PIXes.

failover failover poll 15 failover lan unit primary failover lan interface LANfail failover lan key L6nfa1lk4y

Example 8-5 How Object Groups and Turbo ACLs Are Used (Continued)

failover lan enable pdm history enable arp timeout 14400

static (inside,outside) netmask 0 0 static (inside,outside) netmask 0 0 static (inside,outside) netmask 0 0 static (inside,outside) netmask 0 0 access-group grp_2 in interface outside access-group outbound_services_acl in interface inside route outside 1 timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00

timeout uauth 0:05:00 absolute aaa-server TACACS+ protocol tacacs+

aaa-server RADIUS protocol radius aaa-server LOCAL protocol local aaa-server AuthOutbound protocol radius no snmp-server location no snmp-server contact snmp-server community public no snmp-server enable traps floodguard enable sysopt connection permit-ipsec no sysopt route dnat isakmp identity address telnet inside telnet timeout 5

ssh outside ssh timeout 30 terminal width 80


Although the object groups reduce the complexity of the configuration, the show accesslist command can still be used to view the ACL configuration in its entirety with all the object groups expanded into individual elements.

0 0

Post a comment