
[Screenshot: Cisco Secure ACS Group Setup. Settings for a protocol appear only after that protocol has been selected under Network Configuration (for example, RADIUS settings). Click Submit + Restart when finished.]
Complete the following steps to add authorization rules for services to specific hosts in Cisco Secure ACS:
Step 1 In the navigation bar, click Group Setup. The Group Setup window opens.
Step 2 Scroll down in Group Setup until you find IOS Commands.
Step 4 Under Unmatched Cisco IOS commands,...

AAA Configuration

This section discusses how to configure the Cisco IOS Firewall to work with an AAA server and enable the authentication proxy feature. The aaa new-model global configuration command enables the AAA access control system on the router (disabled by default); use the no form of the command to disable the AAA access control model. Note: after you have enabled AAA, TACACS and extended TACACS commands are no longer available. If you initialize AAA functionality and...

AAA Server Configuration

This section discusses how to configure the AAA server to provide authentication and authorization for the Cisco IOS Firewall authorization proxy. The auth-proxy service is created in Cisco Secure ACS for Windows NT (CSACS-NT).
[Screenshot: Cisco Secure ACS for Windows NT, Interface Configuration, Advanced TACACS+ Features page, showing the Display a Time-of-Day access service option.]

Access Control List

An access control list (ACL) enables you to determine which systems can establish connections through your router or PIX Firewall.
- Create an ACL with the access-list and access-group commands.
- The access-list and access-group commands are an alternative to the conduit and outbound commands.
2000, Cisco Systems, Inc. www.cisco.com CSPFA 1.01 3-4
An ACL is a list kept by routers and the PIX Firewall to control access to and from the router or firewall (for example, to prevent packets with a...

Access Control List Example

pixfirewall(config)# access-list 101 deny tcp any any eq www
pixfirewall(config)# access-group 101 in interface inside
Packet filtering rules (access control lists) restrict outbound access. They filter on source or destination IP address, protocol, and port or application. In the figure above, the PIX Firewall denies HTTP connections from an internal network but lets all other traffic through. Because every access list ends with an implicit deny, the list must also contain a permit entry (for example, permit ip any any) after the deny for the remaining traffic to pass.

access-list Command

access-list acl_name [deny | permit] protocol src_addr src_mask [operator port] dest_addr ...
Allows you to create an access control list. Access control lists associated with IPSec are known as crypto access control lists.
access-group acl_name in interface interface_name
Binds an access control list to an interface.
The access-list command uses the same syntax as the Cisco IOS software access-list command, except that the subnet mask in the PIX Firewall access-list command is reversed from the Cisco IOS...
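The following Python model of the access-list / access-group evaluation described above is an added example written for this page; it is not PIX code. It assumes the PIX syntax quoted here (only the eq port operator and IPv4 are modelled), first-match semantics and the implicit deny at the end of every list, and it includes a converter between IOS wildcard masks and PIX subnet masks so the reversal noted above can be checked. The sample list (deny www, then permit ip any any) is constructed; the permit line is what the slide's example needs for "all other traffic" to pass, and the test below also shows what happens when an IOS wildcard is pasted into a PIX list by mistake.

```python
"""Model of PIX access-list / access-group evaluation.

Added example for this page; it is not Cisco code.  It assumes the PIX
syntax quoted on the slide (access-list NAME permit|deny PROTO SRC DST
[eq PORT]) and models only 'eq' port operators, IPv4 and first-match
semantics.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Tuple

# Port names used on the slides; any other port is given numerically.
PORT_NAMES = {"www": 80, "http": 80, "ftp": 21, "telnet": 23, "smtp": 25, "domain": 53}


@dataclass(frozen=True)
class Packet:
    proto: str          # "tcp", "udp" or "icmp"
    src: str
    dst: str
    sport: int = 0
    dport: int = 0


@dataclass(frozen=True)
class AddrSpec:
    addr: int
    mask: int           # PIX subnet mask: a 1 bit means "this bit must match"

    def matches(self, ip: str) -> bool:
        return (int(ipaddress.IPv4Address(ip)) & self.mask) == (self.addr & self.mask)


@dataclass(frozen=True)
class Ace:
    action: str         # "permit" or "deny"
    proto: str          # "ip" matches every protocol
    src: AddrSpec
    dst: AddrSpec
    sport: int = 0      # 0 means any port
    dport: int = 0


def ios_wildcard_to_pix_mask(wildcard: str) -> str:
    """IOS wildcard 0.0.0.255 and PIX mask 255.255.255.0 are bitwise inverses."""
    inverted = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return str(ipaddress.IPv4Address(inverted))


def _take_addr(tokens: List[str], i: int) -> Tuple[AddrSpec, int]:
    """Read 'any', 'host A.B.C.D' or 'A.B.C.D M.M.M.M' starting at tokens[i]."""
    if tokens[i] == "any":
        return AddrSpec(0, 0), i + 1
    if tokens[i] == "host":
        return AddrSpec(int(ipaddress.IPv4Address(tokens[i + 1])), 0xFFFFFFFF), i + 2
    addr = int(ipaddress.IPv4Address(tokens[i]))
    mask = int(ipaddress.IPv4Address(tokens[i + 1]))
    return AddrSpec(addr, mask), i + 2


def _take_port(tokens: List[str], i: int) -> Tuple[int, int]:
    """Read an optional 'eq PORT' starting at tokens[i]; 0 means no port test."""
    if i < len(tokens) and tokens[i] == "eq":
        name = tokens[i + 1]
        return PORT_NAMES.get(name, None) or int(name), i + 2
    return 0, i


def parse_ace(line: str) -> Tuple[str, Ace]:
    """Parse one PIX access-list line; returns (acl_name, Ace)."""
    t = line.split()
    if len(t) < 6 or t[0] != "access-list" or t[2] not in ("permit", "deny"):
        raise ValueError("not a PIX access-list line: " + line)
    name, action, proto = t[1], t[2], t[3]
    src, i = _take_addr(t, 4)
    sport, i = _take_port(t, i)
    dst, i = _take_addr(t, i)
    dport, i = _take_port(t, i)
    if i != len(t):
        raise ValueError("unsupported trailing tokens: " + line)
    return name, Ace(action, proto, src, dst, sport, dport)


def build_acl(lines: List[str]) -> List[Ace]:
    return [parse_ace(line)[1] for line in lines]


def evaluate(acl: List[Ace], pkt: Packet) -> Tuple[str, int]:
    """First matching entry wins; returns (action, index).  No match is the
    implicit deny at the end of every list, reported as index -1."""
    for index, ace in enumerate(acl):
        if ace.proto != "ip" and ace.proto != pkt.proto:
            continue
        if not (ace.src.matches(pkt.src) and ace.dst.matches(pkt.dst)):
            continue
        if ace.sport and ace.sport != pkt.sport:
            continue
        if ace.dport and ace.dport != pkt.dport:
            continue
        return ace.action, index
    return "deny", -1


# Constructed sample: the slide's outbound HTTP deny, followed by the explicit
# permit that is needed so that the implicit deny does not drop everything else.
OUTBOUND_ACL = [
    "access-list 101 deny tcp any any eq www",
    "access-list 101 permit ip any any",
]
```

A list built from the first line alone denies every packet, which is the usual surprise when a single deny entry is bound with access-group; the wildcard test shows the other classic mistake, an IOS-style 0.0.0.255 mask that on a PIX matches only addresses whose last octet is zero.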

ActiveX Blocking

ActiveX controls are applets that can be inserted in web pages or other applications, and they can provide a way for someone to attack servers. The PIX Firewall can be used to block ActiveX controls. ActiveX controls, formerly known as Object Linking and Embedding (OLE) or OLE controls (OCX), are applets that can be inserted in web pages, often for animations, or in other applications. ActiveX controls create a potential security problem because they can...

Adaptive Security Algorithm (ASA)

- Implements stateful connection control through the PIX Firewall
- Allows one-way (inside to outside) connections without an explicit configuration for each internal system and application
- Monitors return packets to ensure they are valid
- Randomizes the TCP sequence number to minimize the risk of attack
The ASA is a stateful approach to security. Every inbound packet is checked against the ASA and against the connection state information in the PIX Firewall's memory. Knowledge of the ASA is fundamental...

Apply ACL on the inward direction that denies all traffic except traffic such as ICMP not inspected by CBAC

For the Cisco IOS Firewall to be effective, both inspection rules and ACLs must be strategically applied to all the router's interfaces. The following is the general rule of thumb for applying inspection rules and ACLs on the router. On the interface where traffic initiates:
- Apply the ACL on the inward direction that only permits wanted traffic.
- Apply the rule on the inward direction that inspects wanted traffic.
- Apply the ACL on the...

Authentication, Authorization, and Accounting

Authentication, Authorization, and Accounting (AAA) is used to tell the PIX Firewall who the user is, what the user can do, and what the user did. Authentication can exist without authorization; authorization is never valid without authentication. Suppose you have 100 users inside and you want only six of these users to perform FTP, Telnet, or HTTP outside the network. Tell the PIX Firewall to authenticate outbound traffic and give all six users identifications on...

Authentication of Console Access

aaa authentication [serial | enable | telnet] console group_tag
Defines a console access method that requires authentication.
Use the aaa authentication console command to require authentication verification to access the PIX Firewall's serial, enable, or Telnet consoles. The serial console option also logs to a Syslog server any change made to the configuration from the serial console....

Authentication Proxy

Network administrators can create specific security policies for each user with Cisco IOS Firewall LAN-based, dynamic, per-user authentication and authorization. Previously, user identity and related authorized access were determined by a user's fixed IP address, or a single security policy had to be applied to an entire user group or subnet. Now, per-user policy can be downloaded dynamically to the router from a TACACS+ or RADIUS authentication server using Cisco IOS software authentication,...

Authentication Proxy Configuration

- Outbound: add an ACL to block inward traffic from the inside except from the AAA server, and enable the authentication proxy to intercept inward HTTP traffic from the inside.
- Inbound: add an ACL to block inward traffic from the outside, and enable the authentication proxy to intercept inward HTTP traffic from the outside.
Apply the authentication proxy in the inward direction at any interface on the router where you want...

Authorization Rules Allowing Specific Services

[Screenshot: Cisco Secure ACS Group Setup. Unmatched Cisco IOS commands: Permit / Deny. Settings for a protocol appear only after that protocol has been selected under Network Configuration (for example, RADIUS settings). Click Submit + Restart when finished.]
Complete the following steps to add authorization rules for specific services in Cisco Secure ACS:
Step 1 In the...

Available IPSec Transforms

- ah-md5-hmac: AH-HMAC-MD5 transform
- ah-sha-hmac: AH-HMAC-SHA transform
- esp-des: ESP transform using DES cipher (56 bits)
- esp-3des: ESP transform using 3DES cipher (168 bits)
- esp-md5-hmac: ESP transform using HMAC-MD5 auth
- esp-sha-hmac: ESP transform using HMAC-SHA auth
The PIX Firewall supports the transform sets listed in the figure. Choosing IPSec transform combinations can be complex. The following tips may help you select transforms that are appropriate for your situation. (Note that 56-bit DES is no longer considered adequate protection: prefer esp-3des over esp-des, and always pair an ESP encryption transform with an HMAC authentication transform.) If you want to...

Basic Configuration

Step 14 Complete the following information:
- Authenticate Users Using: the type of security protocol to be used. TACACS+ (Cisco) is the default; RADIUS (Cisco) is the other choice.
- Access Server Name: the name of the network access server (NAS) that will be using the Cisco Secure ACS services. Enter the PIX Firewall name.
- Access Server IP Address: the IP address of the NAS that will be using the Cisco Secure ACS services. Enter the PIX Firewall IP address.
- Must be the same in the PIX Firewall...

CBAC Configuration

The following are the tasks used to configure CBAC:
- Set audit trails and alerts.
- Set global timeouts and thresholds.
- Define Port-to-Application Mapping (PAM).
- Apply inspection rules and ACLs to interfaces.

CBAC uses PAM to determine the application configured for a port

Port-to-Application Mapping (PAM) allows you to customize TCP or UDP port numbers for network services or applications. PAM uses this information to support network environments that run services using ports that are different from the registered or well-known ports associated with an application. Using the port information, PAM establishes a table of default port-to-application mapping information at the firewall. The information in the PAM table enables CBAC supported services to run on...

Client

Standard mode FTP uses two channels for communications. When a client first starts an FTP connection, it opens a standard TCP channel from one of its highorder ports to port 21 on the server. This is referred to as the command channel. When the client requests data from the server, it tells the server to send the data to a given high-order port. The server acknowledges the request and initiates a connection from its own port 20 to the high-order port that the client requested. This is referred...

Configuration of Virtual HTTP Authentication

- For inbound clients, this must be an unused global address.
- For outbound clients, this must be an address routed directly to the PIX Firewall.
pixfirewall(config)# virtual http 192.168.0.3
The syntax for the virtual http command is as follows:
virtual http ip_address [warn]
no virtual http ip_address
ip_address is the PIX Firewall's network interface IP address; warn informs virtual http command users that the command was redirected. This...

Configuration of Virtual Telnet Authentication

- For inbound clients, this must be an unused global address.
- For outbound clients, this must be an unused global address routed directly to the PIX Firewall.
pixfirewall(config)# virtual telnet 192.168.0.3
When using virtual Telnet to authenticate inbound clients, the IP address must be an unused global address. When using virtual Telnet to authenticate outbound clients, it must be an unused global address routed directly to the PIX Firewall. The syntax for the virtual telnet command is as...

Configuration Replication

Configuration replication occurs:
- when the standby firewall completes its initial bootup;
- as commands are entered on the active firewall;
- when you enter the write standby command.
Configuration replication is when the configuration of the primary PIX Firewall is replicated to the secondary PIX Firewall. To perform configuration replication, both the primary and secondary PIX Firewalls must be configured exactly the same and running the same software release. Configuration replication occurs over the failover cable from the active...

Configuration Tasks

The following are the tasks to configure the authentication proxy:
Task 1 AAA server configuration
Task 2 AAA configuration on the router
- Enable the router's HTTP server for AAA
Task 3 Authentication proxy configuration on the router
- Create and apply authentication proxy rules
Task 4 Verify the configuration

Configure IKE Parameters

Perform the following steps to configure IKE on your PIX Firewall:
- Ensure IKE is enabled on the outside interface.
- Configure a basic IKE policy using pre-shared keys for authentication.
pixP(config)# isakmp policy 10 authentication pre-share
pixP(config)# isakmp identity address
- Configure the ISAKMP pre-shared key to point to the outside IP address of the peer PIX Firewall.
pixP(config)# isakmp key cisco123 address 192.168.Q.2 netmask 255.255.255.255
(where P = pod number and Q = peer pod number). The key cisco123 is a classroom value; a production pre-shared key should be long, random, and unique to each peer.

Configure PAT

pixfirewall(config)# ip address inside 10.0.0.1 255.255.255.0
pixfirewall(config)# ip address outside 192.168.0.2 255.255.255.0
pixfirewall(config)# route outside 0.0.0.0 0.0.0.0 192.168.0.1
pixfirewall(config)# global (outside) 1 192.168.0.9 netmask 255.255.255.0
pixfirewall(config)# nat (inside) 1 10.0.0.0 255.255.255.0
Assigns a single IP address (192.168.0.9) to global pool 1; a global address used on the Internet must be registered with InterNIC. Source addresses of hosts in network 10.0.0.0 are translated to...

Configure the PIX Firewall to Work with WebSENSE

filter url http local_ip local_mask foreign_ip foreign_mask [allow]
Prevents outbound users from accessing World Wide Web URLs that are designated with the WebSENSE filtering application.
pixfirewall(config)# filter url http 0 0 0 0 allow
Use the filter url command to tell the PIX Firewall how to filter requests. After designating which server uses WebSENSE, use the filter url command to tell the PIX Firewall to send URL requests to WebSENSE for filtering. Note that the allow option makes the firewall fail open: if the WebSENSE server is unavailable, outbound HTTP passes unfiltered. Omit allow if blocking is preferable to unfiltered access. The example command in the figure above...

Context-Based Access Control

The Cisco IOS Firewall Context-Based Access Control (CBAC) engine provides secure, per-application access control across network perimeters. CBAC enhances security for TCP and UDP applications that use well-known ports, such as FTP and e-mail traffic, by scrutinizing source and destination addresses. CBAC allows network administrators to implement firewall intelligence as part of an integrated, single-box solution. For example, sessions with an extranet partner involving Internet applications,...

Course Agenda

Chapter 2 Cisco Secure PIX Firewall Configuration
Chapter 3 Access Control Configuration and Content Filtering
Chapter 4 AAA Configuration on the Cisco Secure PIX Firewall
Chapter 5 Cisco Secure PIX Firewall Advanced Protocol Handling and Attack Guards
Chapter 6 Cisco Secure PIX Firewall Failover
Lunch
Chapter 7 Cisco Internetwork Operating System Firewall Context-Based Access Control Configuration
Chapter 8 Cisco IOS Firewall Authentication Proxy Configuration
Chapter 8 Cisco IOS Firewall...

Course Objectives

Upon completion of this course, you will be able to perform the following tasks:
- Configure the Cisco Secure PIX Firewall.
- Identify and configure AAA on the Cisco Secure PIX Firewall.
- Identify and configure access control and content filtering through the Cisco Secure PIX Firewall.
- Configure the Cisco Secure PIX Firewall for advanced protocol handling and attack guards.

Create User Authorization Profile in CSACS-NT

[Screenshot: Cisco Secure ACS for Windows NT, Group Setup. Enter the ACLs to apply after the user authenticates; enter the privilege level of the user, which must be 15 for all users.]
Step 6 In the navigation bar, click Group Setup. The Group Setup frame opens.
Step 7 Scroll down in the Group Setup frame until you find the newly created auth-proxy service.
Step 8 Select...

Custom URLs

When using the Master Database (the list of URLs that should be blocked, as determined and updated daily by the WebSENSE corporate office), you may need to permit one of the blocked URLs. If you need to permit URLs that are normally blocked by the parameters of the Master Database, you can add the URLs to a special permit list. URLs in this list will never be blocked by WebSENSE. When a URL that has been added to the permit list is accessed, WebSENSE logs the access as normal. To add a URL to the...

Cut-Through Proxy Operation

1. The user makes a request to access the web server.
2. The user is prompted by the PIX Firewall.
3. The PIX Firewall queries CSACS for the remote username and password.
4. If CSACS authenticates the user, the user is cut through the PIX Firewall, and the local username and password are passed to the web server to authenticate.

Debug Commands

To display messages about CBAC events, use the debug ip inspect EXEC command. The no form of this command disables debugging output. The syntax for the debug ip inspect command is as follows:
debug ip inspect {function-trace | object-creation | object-deletion | events | timers | protocol | detailed}
- function-trace: displays messages about software functions called by CBAC.
- object-creation: displays messages about software objects being created by...

debug crypto ipsec and debug crypto isakmp

You can perform the following actions to test and verify that you have correctly configured IPSec:
- Verify the crypto map configuration with the show crypto map command.
- Clear IPSec SAs to test SA establishment with the clear crypto sa command.
- Clear IKE SAs to test IKE SA establishment with the clear isakmp command.
- Debug IKE and IPSec traffic through the PIX Firewall with the debug crypto ipsec and debug crypto isakmp commands.

Define a RADIUS Server and Its Key

Specifies the RADIUS server IP address and the shared key:
Router(config)# radius-server host 10.0.0.3
Router(config)# radius-server key secretkey
To specify the IP address of a RADIUS server, use the radius-server host global configuration command. Use the no form of this command to delete the specified IP address. You can use multiple radius-server host commands to specify additional servers. The Cisco IOS Firewall software searches for servers in the order in which you specify them. The syntax of the...

Define a TACACS+ Server and Its Key

Specifies the TACACS+ server IP address and the shared key:
Router(config)# tacacs-server host 10.0.0.3
Router(config)# tacacs-server key secretkey
To specify the IP address of a TACACS+ server, use the tacacs-server host global configuration command. Use the no form of this command to delete the specified IP address. You can use multiple tacacs-server host commands to specify additional servers. The Cisco IOS Firewall software searches for servers in the order in which you specify them. The syntax of the...

Designate the WebSENSE Server

url-server [(if_name)] host ip_address [timeout seconds]
The url-server command designates a server that runs WebSENSE.
pixfirewall(config)# url-server (inside) host 10.0.0.3 timeout 10
In this example, the WebSENSE host is on the inside interface at IP address 10.0.0.3. A timeout value of 10 seconds is the maximum allowed idle time before the PIX Firewall switches to the next WebSENSE server. Before you can begin URL filtering by configuring WebSENSE or downloading the Master Database for...

Determine IPSec IKE Phase Two Policy

Determining network design details includes defining a more detailed security policy for protecting traffic. You can then use the detailed policy to help select IPSec transform sets and modes of operation. Your security policy should answer the following questions:
- What protections are required or are acceptable for the protected traffic?
- What traffic should or should not be protected?
- Which PIX interfaces are involved in protecting internal nets, external nets, or both?
- What are the peer IPSec...

Display PAM Configuration

Router# show ip port-map
Shows all port mapping information.
Router# show ip port-map appl_name
Shows port mapping information for a given application.
Router# show ip port-map port port_num
Shows port mapping information for a given application on a given port.
Example output:
Default mapping: ftp port 21 system defined
Host specific: ftp port 1000 in list 10 user
To display the PAM information, use the show ip port-map privileged EXEC command. The syntax for the show ip port-map command is as follows:
show ip port-map [appl_name | port port_num]
appl_name specifies the...

DNS Guard

- After the client does a DNS request, a dynamic conduit allows UDP packets to return from the DNS server. The default UDP timer expires in two minutes.
- The DNS server response is recognized by the firewall, which closes the dynamic UDP conduit immediately. The firewall does not wait for the UDP timer to expire.
DNS Guard identifies an outbound DNS query request and only allows a single DNS response back to the sender. A host may query several servers for a response in case the first server is...
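As an added example (not PIX code) that ties together the ASA connection table, the PAT configuration above (inside 10.0.0.0/24 translated to the single global address 192.168.0.9) and DNS Guard, the following Python model keeps a connection table keyed on the translated address: outbound packets create entries without any per-host configuration, inbound packets pass only as valid return traffic for an existing entry, UDP entries expire after the two-minute idle timer, and the entry for a DNS query is closed by its first response so a second or spoofed response is dropped. The sequential PAT port allocator, the sample addresses and the timestamps are constructed; TCP sequence-number randomization is not modelled.

```python
"""Toy model of the PIX stateful connection table (ASA) with PAT and DNS Guard.

Added example for this page, not PIX code.  It assumes the addresses of the
Configure PAT slide (inside 10.0.0.0/24, single global address 192.168.0.9),
the two-minute UDP idle timer from the DNS Guard slide, and a simple
sequential PAT port allocator.  TCP sequence-number randomisation is not modelled.
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

UDP_IDLE_TIMEOUT = 120          # seconds; the "UDP timer expires in two minutes"
DNS_PORT = 53

# Key of a connection as seen from the outside: (proto, global_port, peer_ip, peer_port)
ConnKey = Tuple[str, int, str, int]


@dataclass
class Conn:
    proto: str
    inside: Tuple[str, int]     # real inside address and port
    peer: Tuple[str, int]
    last_seen: int              # time of the last packet in either direction
    dns: bool                   # DNS Guard applies: exactly one response, then close


class StatefulPat:
    def __init__(self, global_ip: str, inside_net: str, dns_guard: bool = True):
        self.global_ip = global_ip
        self.inside_net = ipaddress.ip_network(inside_net)
        self.dns_guard = dns_guard
        self.next_port = 1024                # constructed PAT port allocator
        self.conns: Dict[ConnKey, Conn] = {}

    def outbound(self, proto: str, src: str, sport: int, dst: str, dport: int,
                 now: int) -> Optional[Tuple[str, int]]:
        """Inside -> outside packet.  Permitted with no per-host configuration;
        creates the translation and the connection entry.  Returns the translated
        (global_ip, global_port) source, or None if the packet is not from inside."""
        if ipaddress.ip_address(src) not in self.inside_net:
            return None
        gport, self.next_port = self.next_port, self.next_port + 1
        is_dns = self.dns_guard and proto == "udp" and dport == DNS_PORT
        self.conns[(proto, gport, dst, dport)] = Conn(proto, (src, sport), (dst, dport), now, is_dns)
        return self.global_ip, gport

    def inbound(self, proto: str, src: str, sport: int, dst: str, dport: int,
                now: int) -> Optional[Tuple[str, int]]:
        """Outside -> inside packet.  Accepted only as a valid return packet for
        an existing connection.  Returns the de-translated inside (ip, port), or
        None if the packet is dropped."""
        if dst != self.global_ip:
            return None
        key: ConnKey = (proto, dport, src, sport)
        conn = self.conns.get(key)
        if conn is None:
            return None                       # no connection: the ASA drops it
        if proto == "udp" and now - conn.last_seen > UDP_IDLE_TIMEOUT:
            del self.conns[key]               # idle timer expired before the reply
            return None
        if conn.dns:
            del self.conns[key]               # DNS Guard: the first response closes the entry
        else:
            conn.last_seen = now
        return conn.inside

    def open_connections(self) -> int:
        return len(self.conns)
```

Without DNS Guard the same query leaves a two-minute window during which any packet from the resolver's address and port is delivered to the client, which is the window DNS Guard removes.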

Do not work with applications that negotiate ports dynamically

Before delving into CBAC, some basic ACL concepts need to be covered briefly. An ACL provides packet filtering: it has an implied deny all at the end, and if no ACL is applied to an interface, all connections are permitted. Without CBAC, traffic filtering is limited to access list implementations that examine packets at the network layer or, at most, the transport layer.

Enable Accounting

aaa accounting include | exclude acctg_service inbound | outbound if_name local_ip local_mask foreign_ip foreign_mask group_tag
Defines traffic that requires AAA server accounting. acctg_service is any, ftp, http, or telnet; any means all TCP traffic. The syntax for the aaa accounting command is as follows:
aaa accounting include | exclude acctg_service inbound | outbound if_name local_ip local_mask foreign_ip foreign_mask group_tag
no aaa accounting include | exclude acctg_service inbound | outbound if_name group_tag...

Enable Audit Trail and Alert

Enables the Syslog server and turns on logging:
Router(config)# logging on
Router(config)# logging 10.0.0.3
Router(config)# ip inspect audit-trail
Turn on logging and the audit trail to provide a record of network access through the firewall, including illegitimate access attempts and inbound and outbound services. Use the ip inspect audit-trail command to enable the audit trail. CBAC alerts are on by default; the ip inspect alert-off command disables them, and no ip inspect alert-off re-enables them. The syntax for the ip inspect audit-trail command is as follows: ip inspect...

Enable the Router's HTTP Server for AAA

- Enables the HTTP server on the router
- Sets the HTTP server authentication method to AAA; the proxy uses the HTTP server for communication with a client
Router(config)# ip http server
Router(config)# ip http authentication aaa
To use the authentication proxy, use the ip http server command to enable the HTTP server on the router and the ip http authentication aaa command to make the HTTP server use AAA for authentication. Enabling the HTTP server adds a listening management service on the router, so restrict which hosts can reach it. The syntax of the ip http server command is as follows: The syntax of the ip http authentication aaa command...

Example Configurations

The following tables show an example configuration for PIX1 and PIX2. You may experience differences between the example configuration and your own configuration. The example in the following table is a summary of the configuration for PIX1.
Table 12-1. PIX1 Example Configuration
ip address outside 192.168.1.2 255.255.255.0
ip address inside 10.0.1.1 255.255.255.0
ip address dmz 172.16.1.1 255.255.0.0
Configures the IP addresses for each PIX Firewall...

Example Crypto Access Lists

[Figure: PIX1 with e0 192.168.1.2 in front of inside host 10.0.1.3; PIX2 with e0 192.168.2.2 in front of inside host 10.0.2.3.]
PIX1:
static (inside,outside) 192.168.1.10 10.0.1.3 netmask 255.255.255.255 0 0
access-list 110 permit ip host 192.168.1.10 host 192.168.2.10
PIX2:
static (inside,outside) 192.168.2.10 10.0.2.3 netmask 255.255.255.255 0 0
access-list 101 permit ip host 192.168.2.10 host 192.168.1.10...
The two crypto access lists are mirror images of each other: the source and destination of PIX1's entry are the destination and source of PIX2's entry, and both use the translated (static) global addresses rather than the inside addresses.

Example Crypto Map for PIX1

Crypto Map "peer2" 10 ipsec-isakmp
access-list 101 permit ip host 192.168...
Security association lifetime: 4608000...
Use the show crypto map command to verify the crypto map configuration. Consider the example of a crypto map for PIX1 in the figure.

Example Two Interface Firewall

- Allow all general TCP and UDP traffic
- Allow all ICMP traffic
- Allow ICMP and HTTP traffic only to 10.0.0.3
As an example, configure the router to be a firewall between two networks, inside and outside. The security policy to implement is as follows: allow all general TCP and UDP traffic initiated on the inside (outbound) from network 10.0.0.0 to access the Internet. ICMP traffic will...

Failover

The failover function for the Cisco Secure PIX Firewall provides a safeguard in case a PIX Firewall fails. Specifically, when one PIX Firewall fails, another immediately takes its place. In the failover process, there are two PIX Firewalls the primary PIX Firewall and the secondary PIX Firewall. The primary PIX Firewall functions as the active PIX Firewall, performing normal network functions. The secondary PIX Firewall functions as the standby PIX Firewall, ready to take control should the...

Failover and Stateful Failover

- Failover: client applications must reconnect
- Stateful failover: no client applications need to reconnect; provides redundancy and stateful connection
As stated earlier in the chapter, failover enables the standby PIX Firewall to take over the duties of the active PIX Firewall when the active PIX Firewall fails. There are two types of failover. Failover: when the active PIX Firewall fails and the standby PIX Firewall becomes active, all connections are lost and...

Failover Commands

The failover command enables failover between the active and standby PIX Firewalls.
failover ip address if_name ip_address
The failover ip address command creates an IP address for the standby PIX Firewall.
pixfirewall(config)# failover ip address inside 10.0.P.4
The failover link command enables stateful failover.
Use the failover command to enable failover between two PIX Firewalls. The syntax for the failover command is as follows: Use the failover ip address command to configure the failover IP...

Failover Interface Test

- Link Up/Down test: tests the NIC card itself
- Network Activity test: received network activity test
- ARP test: reads the PIX Firewall's ARP cache for the 10 most recently acquired entries
- Broadcast Ping test: sends out a broadcast ping request
Both the primary and secondary PIX Firewalls send special failover hello packets to each other over all network interfaces and the failover cable every 15 seconds to make sure that everything is working. When a failure occurs in the active PIX Firewall, and...

FTP FixUp Configuration

Default port: 21. With the FTP fixup enabled, the PIX Firewall:
- Performs NAT in the packet payload
- Dynamically creates conduits for FTP-DATA connections
- Logs FTP commands (when syslog is enabled)
With the FTP fixup disabled (no fixup protocol ftp):
- Outbound standard FTP will not work
- Outbound passive FTP will work if not explicitly disallowed
- Inbound standard FTP will work if a conduit exists
- Inbound passive FTP will not work
pixfirewall(config)# fixup protocol ftp 2021
pixfirewall(config)# fixup protocol ftp 2121-2141
pixfirewall(config)# no fixup protocol...

Global Half-Open Connection Limits

ip inspect max-incomplete high number
Defines the number of existing half-open sessions that causes the software to start deleting half-open sessions (aggressive mode).
ip inspect max-incomplete low number
Defines the number of existing half-open sessions that causes the software to stop deleting half-open sessions (normal mode).
An unusually high number of half-open sessions (either absolute or measured as the arrival rate) could indicate that a DoS attack is occurring. For TCP, half-open...

Global Timeouts and Thresholds

This section discusses how to configure the following global timeouts and thresholds:
- TCP SYN and FIN wait times
- TCP, UDP, and Domain Name System (DNS) idle times
ip inspect tcp synwait-time: specifies the time CSIS waits for a TCP session to reach the established state.
ip inspect tcp finwait-time: specifies the time CSIS waits for a FIN exchange to complete before quitting the session.
CBAC uses timeouts and thresholds to determine how long to manage state information for a session, and to determine when...

Half-Open Connection Limits by Host

ip inspect tcp max-incomplete host number block-time minutes
Defines the number of half-open TCP sessions with the same host destination address that can exist at a time before CSIS starts deleting half-open sessions to the host. After the number of half-open connections to a given host is exceeded, the software deletes half-open sessions on that host in the following fashion:
- If block-time is 0, the oldest half-open session is deleted, per new connection request, to let new connections through...
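The following Python model of the global and per-host half-open limits from this section and the preceding one is an added example, not Cisco IOS code. It models the absolute counters only (not the one-minute arrival-rate thresholds), treats "rises above" as strictly greater than the configured number, keeps block-time in minutes as the command does, and uses the IOS defaults (500/400/50) unless overridden; the small limits, addresses and timestamps used in the checks are constructed.

```python
"""Toy model of the CBAC half-open session limits.

Added example for this page, not Cisco IOS code.  It models the absolute
counters only (not the one-minute arrival-rate thresholds), treats a session
as half-open from the first SYN until it is reported established, and
assumes "rises above" means strictly greater than the configured number.
The IOS default values are used for the limits dataclass.
"""
from collections import OrderedDict
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

SessionKey = Tuple[str, int, str, int]     # (src, sport, dst, dport)


@dataclass
class HalfOpenLimits:
    max_incomplete_high: int = 500    # ip inspect max-incomplete high
    max_incomplete_low: int = 400     # ip inspect max-incomplete low
    host_max_incomplete: int = 50     # ip inspect tcp max-incomplete host
    block_time: int = 0               # minutes; 0 = delete oldest per new request


class CbacSynTracker:
    def __init__(self, limits: HalfOpenLimits):
        self.limits = limits
        self.half_open: "OrderedDict[SessionKey, int]" = OrderedDict()   # oldest first
        self.per_host: Dict[str, int] = {}
        self.blocked_until: Dict[str, int] = {}
        self.aggressive = False

    def count(self) -> int:
        return len(self.half_open)

    def _remove(self, key: SessionKey) -> None:
        del self.half_open[key]
        self.per_host[key[2]] -= 1

    def _remove_oldest(self, host: Optional[str] = None) -> Optional[SessionKey]:
        """Delete the oldest half-open session (optionally only those to one host)."""
        victim = next((k for k in self.half_open if host is None or k[2] == host), None)
        if victim is not None:
            self._remove(victim)
        return victim

    def syn(self, src: str, sport: int, dst: str, dport: int, now: int) -> str:
        """A new TCP connection request arrives at time now (seconds)."""
        if self.blocked_until.get(dst, -1) > now:
            return "blocked"                  # host still inside its block-time window
        # Global thresholds: enter aggressive mode above high, leave it below low.
        if self.count() > self.limits.max_incomplete_high:
            self.aggressive = True
        elif self.count() < self.limits.max_incomplete_low:
            self.aggressive = False
        if self.aggressive:
            self._remove_oldest()             # make room for the new request
        # Per-host threshold.
        if self.per_host.get(dst, 0) > self.limits.host_max_incomplete:
            if self.limits.block_time == 0:
                self._remove_oldest(dst)      # the oldest half-open to this host goes
            else:
                for key in [k for k in self.half_open if k[2] == dst]:
                    self._remove(key)         # drop every half-open to the host...
                self.blocked_until[dst] = now + 60 * self.limits.block_time
                return "blocked"              # ...and refuse new requests for block-time
        self.half_open[(src, sport, dst, dport)] = now
        self.per_host[dst] = self.per_host.get(dst,0) + 1
        return "pass"

    def established(self, src: str, sport: int, dst: str, dport: int) -> None:
        """Three-way handshake completed: the session is no longer half-open."""
        key = (src, sport, dst, dport)
        if key in self.half_open:
            self._remove(key)
```

The per-host block-time variant is the one to reach for against a SYN flood aimed at a single server; note that it also refuses legitimate new connections to that host until the window expires, which is the trade-off the page's "Defines the number..." sentence leaves implicit.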

Host or Network Specific Port Mapping

User-defined entries in the mapping table can include host- or network-specific mapping information, which establishes port mapping information for specific hosts or subnets. In some environments, it might be necessary to override the default port mapping information for a specific host or subnet. With host-specific port mapping, you can use the same port number for different services on different hosts. This means that you can map port 8000 with HTTP services for one host, while mapping port...

How CBAC Works

1. Control traffic is inspected by the CBAC rule.
2. CBAC creates a dynamic ACL allowing the return traffic back:
access-list 102 permit tcp host 172.30.1.50 eq 23 host 10.0.0.3 eq 2447
3. CBAC continues to inspect control traffic and dynamically creates and removes ACLs as required by the application. It also monitors and...

How to Add Users to CSACS-NT

To add users to the Cisco Secure ACS, complete the following steps:
Step 1 In the navigation bar, click User Setup. The Select window opens.
Step 2 Enter a name in the User field. Note: the username can contain up to 32 characters. Names cannot contain the following special characters: * > <. Leading and trailing spaces are not allowed.
Step 3 Click Add/Edit. The Edit window opens. The username being added or edited appears at the top of the window. Click the Account Disabled check box to deny...

HTTP Fixup Configuration

Defines the ports for HTTP connections (default 80). With the HTTP fixup enabled, the PIX Firewall:
- Logs all URLs accessed in HTTP traffic (when syslog is enabled)
- Enables URL-based filtering (WebSENSE, Java, ActiveX)
With the HTTP fixup disabled, URL-based filtering is disallowed.
pixfirewall(config)# fixup protocol http 8080
pixfirewall(config)# fixup protocol http 8180-8200
pixfirewall(config)# no fixup protocol http 80
The HTTP fixup protocol is enabled by default. The default port for HTTP connections is port 80. When the HTTP fixup protocol is enabled, it logs all...

IKE Phase One Policy Parameters

An IKE policy defines a combination of security parameters to be used during the IKE negotiation. A group of policies makes up a protection suite of multiple policies that enable IPSec peers to establish IKE sessions and SAs with a minimum of configuration. IKE negotiations must be protected, so each IKE negotiation begins by each peer agreeing on a common (shared) IKE policy. This policy states which security parameters will be used to protect subsequent IKE negotiations. After the two peers...

Inbound Connections

- If a conduit exists allowing inbound connections to an FTP server, and all outbound TCP traffic is implicitly allowed, no special handling is required because the server initiates the data channel from the inside.
- If a conduit exists allowing inbound connections to an FTP server, and all outbound TCP traffic is not implicitly allowed, the PIX Firewall opens a temporary conduit for the data channel from the server. This conduit is torn down after the data is sent.
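To make the four fixup-disabled cases on the FTP fixup slide and the two conduit cases above concrete, here is a Python model of standard (active) and passive FTP through a PIX-style firewall; it is an added example, not PIX code. It assumes inside addresses 10.0.0.0/24, a firewall that permits outbound TCP unless told otherwise and inbound TCP only through a conduit, and a fixup that reads PORT commands and PASV replies on the command channel to open the data channel once. The client and server addresses and the port numbers are constructed; NAT of addresses inside the FTP payload is not modelled.

```python
"""Toy model of standard (active) and passive FTP through a PIX-style firewall.

Added example for this page, not PIX code.  It assumes inside addresses
10.0.0.0/24, a firewall that permits outbound TCP unless told otherwise and
inbound TCP only through a conduit, and an FTP fixup that reads PORT commands
and PASV replies on the command channel to open the data channel on demand.
Address translation inside the FTP payload is not modelled.
"""
from dataclasses import dataclass, field
from typing import List, Set, Tuple

ANY_PORT = 0


@dataclass
class FtpFirewall:
    fixup_ftp: bool = True                      # fixup protocol ftp 21
    outbound_allowed: bool = True               # all outbound TCP implicitly allowed
    conduits: Set[Tuple[str, int]] = field(default_factory=set)     # (inside_ip, port)
    dynamic: Set[Tuple[str, int, str, int]] = field(default_factory=set)
    log: List[str] = field(default_factory=list)

    @staticmethod
    def is_inside(ip: str) -> bool:
        return ip.startswith("10.0.0.")

    def tcp_connect(self, src: str, sport: int, dst: str, dport: int) -> bool:
        """Decide whether a TCP SYN src:sport -> dst:dport may pass."""
        exact, wild = (src, sport, dst, dport), (src, ANY_PORT, dst, dport)
        dyn = exact in self.dynamic or wild in self.dynamic
        self.dynamic.discard(exact)
        self.dynamic.discard(wild)              # dynamic entries are one-shot
        if self.is_inside(src) and not self.is_inside(dst):
            return self.outbound_allowed or dyn
        if not self.is_inside(src) and self.is_inside(dst):
            return (dst, dport) in self.conduits or dyn
        return False

    def inspect_command(self, client: str, server: str, verb: str, port: int) -> None:
        """The fixup watches the command channel and pre-opens the data channel."""
        if not self.fixup_ftp:
            return
        if verb == "PORT":                      # client asks the server to connect from port 20
            self.dynamic.add((server, 20, client, port))
        elif verb == "PASV":                    # server tells the client which port to connect to
            self.dynamic.add((client, ANY_PORT, server, port))
        self.log.append(f"{verb} {port}")       # "Logs FTP commands"


def ftp_session(fw: FtpFirewall, client: str, server: str, passive: bool) -> bool:
    """Run one FTP transfer and report whether the data channel came up."""
    if not fw.tcp_connect(client, 40000, server, 21):      # command channel
        return False
    if passive:
        fw.inspect_command(client, server, "PASV", 50001)  # server reply: use port 50001
        return fw.tcp_connect(client, 40001, server, 50001)
    fw.inspect_command(client, server, "PORT", 40001)      # client: send data to my port 40001
    return fw.tcp_connect(server, 20, client, 40001)
```

With the fixup off, the outcome depends entirely on who opens the data channel and in which direction, which is exactly the pattern of the four bullets on the fixup slide; with the fixup on, every case works, and a server behind a conduit still gets its data channel out even when outbound traffic is otherwise denied, as the second bullet above describes.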

Inbound Traffic

Router(config)# ip inspect name INBOUND tcp
(Configure CBAC to inspect TCP traffic)
Router(config)# access-list 102 permit icmp any host 10.0.0.3
Router(config)# access-list 102 permit tcp any host 10.0.0.3 eq www
Router(config)# access-list 102 deny ip any any
(Permit outside-initiated ICMP and HTTP traffic to host 10.0.0.3)
Router(config)# interface e0 l
Router(config-if)# ip inspect INBOUND in
Router(config-if)# ip access-group 102 in
(Apply an ACL and an inspection rule to the outside interface in the inward...)

Inspect packets for signs of malicious application misuse

Today many corporations use the Internet for business transactions. For the corporations to keep their internal networks secure from potential threats from the Internet, they can implement firewalls on their internal network. Even though these firewalls help protect a corporation's internal networks from external threats, firewalls have caused problems as well. Some of the protocols and applications that the corporations use to communicate are not allowed through the firewalls. Specifically,...

Installation Wizard

Note: Close all Windows programs before you run Setup.
To start installation of Cisco Secure ACS for Windows NT, complete the following steps:
Step 1 Log in as the local system administrator to the machine on which you are installing Cisco Secure ACS.
Step 2 Insert the Cisco Secure ACS CD-ROM into your CD-ROM drive. The Installation window opens.
Step 3 Click Install. The Software License Agreement window opens.
Step 4 Read the Software License Agreement. Click Accept to agree to the licensing...

Intrusion Detection

Intrusion detection systems (IDS) provide a level of protection beyond the firewall by protecting the network from internal and external attacks and threats. Cisco IOS Firewall IDS technology enhances perimeter firewall protection by taking appropriate action on packets and flows that violate the security policy or represent malicious network activity. Cisco IOS Firewall intrusion detection capabilities are ideal for providing additional visibility at intranet, extranet, and branch-office...

IP Address for Failover on PIX Firewalls

(Figure: the active primary uses the system IP addresses and the standby secondary uses the failover IP addresses; on failover the roles and addresses swap.)
When actively functioning, the primary PIX Firewall uses system IP addresses and MAC addresses. The secondary PIX Firewall, when on standby, uses failover IP addresses and MAC addresses. When the primary PIX Firewall fails and the secondary PIX Firewall becomes active, the secondary PIX Firewall assumes the system IP addresses and...

IPSec Enables PIX Firewall VPN Features

- Data confidentiality
- Data integrity
- Data authentication
- Anti-replay
The PIX 5.1 Firewall uses the industry-standard IP Security (IPSec) protocol suite to enable advanced VPN features. The PIX IPSec implementation is based on Cisco IOS IPSec that runs in Cisco routers. IPSec provides a mechanism for secure data transmission over IP networks, ensuring confidentiality, integrity, and authenticity of data communications over unprotected networks such as the Internet. IPSec enables the following PIX...

Java Applet Filtering

Java applet filtering allows an administrator to prevent the downloading of Java applets by an inside system. Java programs can provide a vehicle through which an inside system can be invaded. Java applets are executable programs that are banned within some security policies. The PIX Firewall supports a Java applet filter that can stop potentially dangerous Java applications on a per-client or per-IP address basis. The outbound command with the java keyword is used to enable filtering of Java...

Java Applet Filtering Commands

filter java port[-port] local_ip mask foreign_ip mask
The filter java command filters out Java applets that return to the PIX Firewall from an outbound connection. Some Java applets can contain malicious code that can manipulate data on the internal network. Use the outbound and apply commands to block Java applets. Java filtering lets an administrator prevent Java applets from being downloaded by an inside system. Java applets are...

Lab Configure AAA on the Cisco Secure PIX Firewall Using Cisco Secure ACS for Windows NT

Complete the following lab exercises to practice what you have learned in this chapter. In this lab exercise you will complete the following tasks:
- Install Cisco Secure ACS for Windows NT server.
- Add a user to the Cisco Secure ACS database.
- Identify a AAA server and protocol.
- Configure and test inbound authentication.
- Configure and test outbound authentication.
- Configure and test console access authentication.
- Configure and test Virtual Telnet authentication.
- Change and test authentication...

Lab Configure and Test Advanced Protocol Handling and Attack Guards on the Cisco Secure PIX Firewall

Complete the following lab exercise to practice what you have learned in this chapter. Your task for this lab exercise is to:
- Display the fixup protocol configurations.
- Change the fixup protocol configurations.
- Test the outbound FTP fixup protocol.
- Test the inbound FTP fixup protocol.
Display the Fixup Protocol Configurations
Perform the following step and enter the command as directed to see the current configurations of your PIX Firewall: List the fixup protocols that are running on your PIX...

Lab Exercise Configure the PIX Firewall

Complete the following lab exercise to practice what you learned in this chapter. In this lab exercise you will complete the following tasks:
- Configure PIX Firewall interfaces.
- Configure global addresses.
- Test the inside, outside, and DMZ interface connectivity.
- Test global and NAT configuration.
- Configure a static and conduit from the PIX Firewall outside interface to the Windows NT server inside the network.
- Configure multiple inside interfaces.
- Configure outside access to the DMZ.
The...

Logging

(Figure: WebSENSE Logging tab, with the log display columns Source IP Addr., Protocol, Dest. IP Addr., Category, Dest. Hostname, and Full URL.)

Mail Guard

- Defines ports on which to activate Mail Guard (default 25)
- Only allows the RFC 821, section 4.5.1 commands: HELO, MAIL, RCPT, DATA, RSET, NOOP, and QUIT
- If disabled, all SMTP commands are allowed through the firewall
- Potential mail server vulnerabilities are exposed

pixfirewall(config)# fixup protocol smtp 2525
pixfirewall(config)# fixup protocol smtp 2625-2635
pixfirewall(config)# no fixup protocol smtp 25

Mail Guard provides a safe conduit for Simple Mail Transfer Protocol (SMTP) connections from...

Multiple Interface Configurations

This section discusses the configuration of multiple interfaces on the PIX Firewall. The PIX Firewall supports up to four additional perimeter interfaces for platform extensibility and security policy enforcement on publicly accessible services. The multiple perimeter interfaces enable the PIX Firewall to protect publicly accessible Internet, mail, and Domain Name System (DNS) servers on the DMZ. Web-based and traditional electronic data interchange (EDI) applications that link vendors and...

Network Address Translation and Global

Network Address Translation (NAT) allows an organization with IP addresses that are not globally unique to connect to the Internet by translating those addresses into globally routable IP address space. Global is a select pool of registered or public addresses that are used by the internal host for connectivity to the outside network through the PIX Firewall. NAT works with global to hide the real network identity of internal systems from the outside network. The nat command lets you enable or...

Open inbound port for redirected channel

SQL*Net only uses one channel for communications but it could be redirected to a different port, and even more commonly to a different secondary server altogether. When a client first starts an SQL*Net connection, it opens a standard TCP channel from one of its high-order ports to port 1521 on the server. The server then proceeds to redirect the client to a different port or IP address. The client tears down the initial connection and establishes the second connection. For SQL*Net traffic, the...

PIX Firewall 515 Image Upgrade

Complete the following steps to upgrade the PIX Firewall image:
Step 1 Interrupt the boot process to enter monitor mode by pressing the Escape key or sending a Break character.
Step 2 Specify the PIX Firewall interface to use for TFTP. To do this, you must enter the following command at the monitor prompt:
Step 3 Specify the IP address of the PIX Firewall.
Step 4 Specify the default gateway (if needed).
Step 5 Verify connectivity to the TFTP server.

PIX Firewall 520 Password Recovery

The password recovery for the PIX Firewall 520 requires writing a special image to a floppy diskette. Use this diskette to boot the PIX Firewall 520. Complete the following steps to perform a PIX Firewall 520 password recovery:
Step 1 Download the file for the PIX Firewall software version you are running from CCO (each version requires a different file): ftp://ftp.cisco.com/cisco/internet/pix/special/<your version>. You will need a CCO login to download this data.
Step 2 Download the rawrite.exe file...

PIX Firewall VPN Topologies

(Figure: VPN topologies, PIX Firewall to PIX Firewall VPN gateway, VPN Client to PIX Firewall VPN via dialup, and VPN Client to PIX Firewall VPN via network.)
The PIX Firewall enables VPNs in several topologies, as illustrated in the figure.
PIX to PIX secure VPN gateway: Two or more PIX Firewalls can enable a VPN, which secures traffic from devices behind the PIX Firewalls. The secure VPN gateway...

Port Address Translation

(Figure: PAT translating source address 10.0.0.3 to 172.30.0.50 with source port 49090 for a session to destination port 23.)
Port Address Translation (PAT) is a combination of an IP address and a source port number, which creates a unique session. PAT uses the same IP address for all packets, but a different unique source port greater than 1024. PAT provides the following advantages: PAT and NAT can be used together. The PAT address is...

Preference

(Figure: Preference Set window listing the protocols HTTP, HTTPS, GOPHER, and IRC, and blockable categories such as Hacking, Illegal, Job Search, Lifestyles, Militancy, Personals/Dating, Politics, Racism, Religion, Sex 1, Sex 2, Shopping, Sports, Tasteless, Travel, User-defined, Vehicles, Violence, Weapons, and Web Chat.)
After you choose whether you want to create a new preference set or edit an existing preference set by clicking either New or Edit from the Preference Set frame in the Screening tab, the Preference Set window opens. From this window you...

Provides dynamic per-user authentication and authorization via TACACS and RADIUS protocols

The Cisco IOS Firewall authentication proxy feature allows network administrators to apply specific security policies on a per-user basis. Previously, user identity and related authorized access was associated with a user's IP address, or a single security policy had to be applied to an entire user group or subnet. Now, users can be identified and authorized on the basis of their per-user policy, and access privileges tailored on an individual basis are possible, as opposed to general policy...

Real Time Streaming Protocol

- Real-time audio and video delivery protocol
- Uses one TCP and two UDP channels
  - Real-Time Transport Protocol (RTP)
  - Real Data Transport Protocol (RDT)
  - Real-Time Control Protocol (RTCP)
- RTSP TCP-only mode does not require special handling by the firewall
- RDT multicast is not supported
The Real-Time Streaming Protocol (RTSP) is a real-time audio and video delivery protocol used by many popular multimedia applications. It uses one TCP channel and sometimes two additional UDP channels. RTSP...

Remove CBAC Configuration

- Resets all global timeouts and thresholds to the defaults
- Removes all associated dynamic access lists
Use the no ip inspect command to remove the entire CBAC configuration, reset all global timeouts and thresholds to their defaults, delete all existing sessions, and remove all associated dynamic access lists. This command has no other arguments, keywords, default behavior, or values.

Rsh Fixup Configuration

- Default 514
- Dynamically opens port for rsh standard error connections
- Inbound rsh will work if a conduit exists

pixfirewall(config)# fixup protocol rsh 1540
pixfirewall(config)# fixup protocol rsh 1540-1560
pixfirewall(config)# no fixup protocol rsh

By default, the PIX Firewall inspects port 514 connections for Rsh traffic. If you have Rsh servers using ports other than port 514, you need to use the fixup protocol rsh command to have the PIX Firewall inspect...

Scale PIX Firewall VPNs

The use of pre-shared keys for IKE authentication only works when you have a few IPSec peers. Certificate Authorities enable scaling to a large number of IPSec peers.
(Figure: CA server fulfilling requests from IPSec peers; each IPSec peer individually enrolls with the CA server.)
Using a CA server is the most scalable solution. Other IKE authentication methods require manual intervention to generate and distribute the keys on a per-peer basis. The CA server...

Screening

Use the Screening tab to create preference sets, which give you control over the protocols and categories that WebSENSE blocks and the times when they are blocked. The following are three of the frames found in the Screening tab:
- Preference Set: Controls what protocols and categories are blocked by each preference set.
- Screening Period: Specifies the active periods for the preference sets previously defined.
- Screening Preferences: Lists the screening periods you have established.
Notice the entry...

Setup

Before starting this lab, set up your equipment as follows:
- Ensure your Windows NT server is turned on.
- Access the PIX Firewall console port. You may wish to save the PIX Firewall configuration to a text file for later analysis.
- Make sure the PIX Firewall is turned on.
- Ensure you can ping from your internal Windows NT server to the opposite pod group's Windows NT server.
- Ensure the Web server is running on your own internal Windows NT server.
- Ensure you can establish a Web connection from a Web...

Show Commands

- Displays statistics, configurations, and cache entries of the authentication proxy subsystem
Use the show ip auth-proxy command to display the authentication proxy entries, the running authentication proxy configuration, or the authentication proxy statistics. The syntax of the show ip auth-proxy command is as follows:
show ip auth-proxy {cache | configuration | statistics}
cache: Lists the host IP...

Show Commands

show aaa [authentication | authorization | accounting]

pixfirewall(config)# show aaa-server
aaa-server MYTACACS protocol tacacs+
aaa-server MYTACACS (inside) host 10.0.0.2 secretkey timeout 5

The syntax for the show aaa-server and show aaa commands is as follows:
[no] aaa-server group_tag (if_name) host server_ip key timeout seconds
show aaa [authentication | authorization...

Show Commands (cont.)

show auth-prompt [prompt | accept | reject]

pixfirewall(config)# show auth-prompt
auth-prompt prompt Authenticate to the Firewall
auth-prompt accept You've been Authenticated
auth-prompt reject Authentication Failed

pixfirewall(config)# show timeout uauth
timeout uauth 3:00:00 absolute uauth 0:30:00 inactivity

pixfirewall(config)# show virtual
virtual http 192.168.0.2
virtual telnet 192.168.0.2

The syntax for the show auth-prompt, show timeout uauth, and show virtual commands is as follows...

show crypto ipsec transform-set

You can perform the following actions to test and verify that you have correctly configured IPSec:
- Verify that the access lists select the interesting traffic with the show access-list command.
- Verify correct IKE configuration with the show isakmp and show isakmp policy commands.
- Verify correct IPSec configuration of transform sets with the show crypto ipsec transform-set command.

Static Command

static (internal_if_name, external_if_name) global_ip local_ip
Maps a local IP address to a global IP address, for example:
static (inside,outside) 192.168.1.10 10.0.1.3
A packet sent from 10.0.1.3 has a source address of 192.168.1.10.
- Permanently maps a single IP address
- Recommended for internal service hosts
The static command creates a permanent mapping (called a static translation slot or xlate) between a local IP address and a global IP address. For outbound connections, use static to specify an address in the...

Step 2: Configure an IKE Phase One Policy

pixfirewall(config)# isakmp policy priority encryption des | 3des
pixfirewall(config)# isakmp policy priority hash md5 | sha
pixfirewall(config)# isakmp policy priority authentication pre-share | rsa-sig
pixfirewall(config)# isakmp policy priority group 1 | 2
pixfirewall(config)# isakmp policy priority lifetime seconds
- Creates a policy suite grouped by priority number
- Creates policy suites that match peers
Step 2 Configure an IKE Phase One policy with the isakmp policy command to match expected IPSec peers...

Step 2: Configure an IPSec Transform Set

crypto ipsec transform-set transform-set-name transform1 [transform2 [transform3]]
- Sets are limited to up to one AH and up to two ESP transforms
- Default mode is tunnel
- Configure matching sets between IPSec peers
Step 2 Configure an IPSec transform set:
pixfirewall(config)# crypto ipsec transform-set transform-set-name transform1 [transform2 [transform3]]
transform-set-name: The name of the transform set to create or modify.
transform1 transform2 transform3: Specify up to three transforms. Sets are limited to up to...

Step 3: Configure the Crypto Map

pixfirewall(config)# crypto map map-name seq-num ipsec-isakmp
pixfirewall(config)# crypto map map-name seq-num match address access-list-name
pixfirewall(config)# crypto map map-name seq-num set peer hostname | ip-address
pixfirewall(config)# crypto map map-name seq-num set transform-set transform-set-name1 [transform-set-name2 ... transform-set-name9]
pixfirewall(config)# crypto map map-name seq-num set pfs [group1 | group2]
pixfirewall(config)# crypto map map-name seq-num set security-association lifetime seconds seconds...

Step 3: Configure the IKE Pre-shared Key

isakmp key keystring address peer-address [netmask mask]
- Pre-shared keystring must be identical at both peers
- Use any combination of alphanumeric characters up to 128 bytes for keystring
- Specify peer-address as a host or wildcard address
- Easy to configure, yet not scalable
Step 3 Configure the IKE pre-shared key.
pixfirewall(config)# isakmp key keystring address peer-address [netmask mask]
The keystring is any combination of alphanumeric characters up to 128 bytes. This pre-shared key must be...

Step 4: Verify IKE Phase One Policies

- Displays configured and default IKE protection suites
Step 4 Verify IKE phase one policies. The show isakmp policy command displays configured and default policies, as shown in the figure. The show isakmp command displays configured policies much as they would appear with the write terminal command, as follows:
pix1(config)# show isakmp
isakmp enable outside
isakmp key cisco123 address 192.168.2.2 netmask 255.255.255.255