PIX Firewall - PowerPoint PPT Presentation

Provided by: michae555
Slides: 29

Transcript and Presenter's Notes

1
PIX Firewall
  • Stateful firewall with high security and fast
    performance
  • Secure, real-time, embedded operating system; no
    UNIX or NT security holes
  • Adaptive security algorithm provides stateful
    security
  • Cut-through proxy eliminates application-layer
    bottlenecks
  • Easy management through CLI or PDM GUI

2
PIX Firewall Family Lineup
Chart (labels recovered from the slide): models positioned by price,
from the PIX 501 upward to the Gigabit Ethernet models, across the
SOHO, ROBO, SMB, Enterprise, and SP market segments.
3
PIX Firewall Product Line Overview
Model    Market      MSRP          Licensed Users  Max VPN Peers  Size (RU)  Processor  RAM     Max. Interfaces  Failover  Cleartext  3DES
506E     ROBO        1,695         Unlimited       25             1          300 MHz    32 MB   2 (10BaseT)      No        20 Mbps    16 Mbps
515E-UR  SMB         7,995         Unlimited       2,000          1          433 MHz    64 MB   6                Yes       188 Mbps   63 Mbps
525-UR   Enterprise  18,495        Unlimited       2,000          2          600 MHz    256 MB  8                Yes       360 Mbps   70 Mbps
535-UR   Ent., SP    59,000        Unlimited       2,000          3          1 GHz      1 GB    10               Yes       1.7 Gbps   95 Mbps
501      SOHO        595 or 1,195  10 or 50        5              < 1        133 MHz    16 MB   1 10BT + 4 FE    No        10 Mbps    3 Mbps
4
PIX Firewall Primary Commands
  • There are six primary configuration commands for
    the PIX Firewall
  • nameif
  • interface
  • ip address
  • nat
  • global
  • route

5
Command 1 nameif
pixfirewall(config)# nameif hardware_id if_name security_level
  • The nameif command assigns a name to each
    perimeter interface on the PIX Firewall and
    specifies its security level.

pixfirewall(config)# nameif ethernet2 dmz sec50
6
Command 2 interface
pixfirewall(config)# interface hardware_id hardware_speed
  • The interface command configures the type and
    capability of each perimeter interface.

pixfirewall(config)# interface ethernet0 auto
pixfirewall(config)# interface token-ring0 16mbps
pixfirewall(config)# interface fddi1 auto
7
Command 3 ip address
pixfirewall(config)# ip address if_name ip_address netmask
  • The ip address command assigns an IP address to
    each interface.

pixfirewall(config)# ip address dmz 172.16.0.1 255.255.255.0
8
Command 4 nat
pixfirewall(config)# nat (if_name) nat_id local_ip netmask
  • The nat command shields IP addresses on the
    inside network from the outside network.

pixfirewall(config)# nat (inside) 1 0.0.0.0 0.0.0.0
9
Command 5 global
pixfirewall(config)# global (if_name) nat_id global_ip[-global_ip] [netmask global_mask] | interface
  • Works with the nat command to assign a registered
    or public IP address to an internal host when
    accessing the outside network through the
    firewall

pixfirewall(config)# nat (inside) 1 0.0.0.0 0.0.0.0
pixfirewall(config)# global (outside) 1 192.168.0.20-192.168.0.254
  • When internal hosts access the outside network
    through the firewall, they are assigned public
    addresses from the 192.168.0.20-192.168.0.254
    range. The nat_id (1) is what links a nat
    statement to the global pool used on the egress
    interface.

10
Three Interfaces with NAT
Topology diagram (labels recovered from the slide): Internet; pod
perimeter router (.1 on 192.168.0.0/24); PIX Firewall with e0 outside
(.2, security level 0) on 192.168.0.0/24, e2 dmz (.1, security level
50) on 172.16.0.0/24 and e1 inside (.1, security level 100) on
10.0.0.0/24; bastion host (.2 on the DMZ, web and FTP server); inside
host (.3 on the inside network, web and FTP server); backbone host
172.26.26.50 (web, FTP, and TFTP server).

pixfirewall(config)# nat (inside) 1 10.0.0.0 255.255.255.0
pixfirewall(config)# nat (dmz) 1 172.16.0.0 255.255.255.0
pixfirewall(config)# global (outside) 1 192.168.0.20-192.168.0.254 netmask 255.255.255.0
pixfirewall(config)# global (dmz) 1 172.16.0.20-172.16.0.254 netmask 255.255.255.0
  • Inside users can start outbound connections to
    both the DMZ and the Internet.
  • The nat (dmz) command gives DMZ services access
    to the Internet.
  • The global (dmz) command gives inside users
    access to the web server on the DMZ.
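The three-interface example above pairs nat statements on the higher-security interfaces with global pools on the lower-security ones through a shared nat_id. The following Python model is an added example, not code from the slides or from Cisco; it assumes a simplified dynamic-NAT behaviour (higher-to-lower flows only, first free pool address, existing translations reused) and uses the addresses and security levels shown on the slide. It shows which pool a given flow draws from and why a DMZ-to-inside flow gets no translation at all.

```python
import ipaddress

# Interface security levels from the three-interface slide.
SECURITY_LEVELS = {"outside": 0, "dmz": 50, "inside": 100}

# The slide's nat statements: (if_name, nat_id, local network).
NAT_RULES = [
    ("inside", 1, ipaddress.ip_network("10.0.0.0/24")),
    ("dmz", 1, ipaddress.ip_network("172.16.0.0/24")),
]

# The slide's global statements: (if_name, nat_id) -> address range.
GLOBAL_POOLS = {
    ("outside", 1): ("192.168.0.20", "192.168.0.254"),
    ("dmz", 1): ("172.16.0.20", "172.16.0.254"),
}


def pool_addresses(first, last):
    """Expand a global_ip-global_ip range into a list of address strings."""
    a, b = int(ipaddress.ip_address(first)), int(ipaddress.ip_address(last))
    return [str(ipaddress.ip_address(i)) for i in range(a, b + 1)]


class PixDynamicNat:
    """Simplified (assumed) model of nat/global pairing for outbound flows."""

    def __init__(self, nat_rules, global_pools):
        self.nat_rules = nat_rules
        self.free = {key: pool_addresses(*rng) for key, rng in global_pools.items()}
        self.xlate = {}  # (src_if, src_ip, dst_if) -> global address in use

    def translate(self, src_if, src_ip, dst_if):
        """Return the global address used on dst_if, or None if no nat/global pair applies."""
        # Dynamic translation only applies from a higher to a lower security level;
        # lower-to-higher traffic needs a static mapping plus an ACL instead.
        if SECURITY_LEVELS[src_if] <= SECURITY_LEVELS[dst_if]:
            return None
        ip = ipaddress.ip_address(src_ip)
        nat_id = next((nid for ifn, nid, net in self.nat_rules
                       if ifn == src_if and ip in net), None)
        if nat_id is None:
            return None  # no nat statement covers this source address
        pool = self.free.get((dst_if, nat_id))
        if pool is None:
            return None  # no global pool with the same nat_id on the egress interface
        key = (src_if, src_ip, dst_if)
        if key not in self.xlate:
            if not pool:
                raise RuntimeError(f"global pool on {dst_if} exhausted")
            self.xlate[key] = pool.pop(0)  # an existing translation is reused
        return self.xlate[key]


def demo():
    """Flows from the slide's inside host (10.0.0.3) and bastion host (172.16.0.2)."""
    pix = PixDynamicNat(NAT_RULES, GLOBAL_POOLS)
    return {
        "inside->internet": pix.translate("inside", "10.0.0.3", "outside"),
        "inside->dmz": pix.translate("inside", "10.0.0.3", "dmz"),
        "dmz->internet": pix.translate("dmz", "172.16.0.2", "outside"),
        "dmz->inside": pix.translate("dmz", "172.16.0.2", "inside"),
        "inside->internet again": pix.translate("inside", "10.0.0.3", "outside"),
    }


if __name__ == "__main__":
    for flow, addr in demo().items():
        print(f"{flow:24} {addr}")
```

Because both nat statements use nat_id 1, the inside host and the bastion host share the outside pool: the inside host takes 192.168.0.20 and the bastion host gets 192.168.0.21. The bastion host reaching the inside network returns None, which is the model's way of saying that direction is not served by nat/global.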

11
Command 6 route
pixfirewall(config)# route if_name ip_address netmask gateway_ip metric
  • The route command defines a static or default
    route for an interface.

pixfirewall(config)# route outside 0.0.0.0 0.0.0.0 192.168.0.1 1
12
Syslog Messages
  • The PIX Firewall sends Syslog messages to either
      • An internal buffer
      • A Syslog server
  • Syslog documents the following events
      • Security
      • Resources
      • System
      • Accounting

13
Configure Message Output to the PIX Firewall
Buffer
pixfirewall(config)# logging buffered level
  • Step 1: Send Syslog messages to an internal buffer.

pixfirewall(config)# show logging
  • Step 2: View messages in the internal buffer.

pixfirewall(config)# clear logging
  • Step 3: Clear the internal buffer.

pixfirewall(config)# [no] logging message syslog_id
  • Enable or disable logging of a specific Syslog
    message type.

pixfirewall(config)# logging standby
  • Allow a standby unit to send Syslog messages.

14
Configure Message Output to a Syslog Server
pixfirewall(config)# logging host [in_if_name] ip_address [protocol/port]
  • Step 1: Designate the Syslog host server.

pixfirewall(config)# logging trap level
  • Step 2: Set the logging level.

pixfirewall(config)# logging facility facility
  • Step 3: Set the facility marked on all messages.

pixfirewall(config)# [no] logging timestamp
  • Step 4: Start and stop sending timestamp messages.

pixfirewall(config)# [no] logging on
  • Step 5: Start or stop sending messages to the
    Syslog server.
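The trap level, facility, and timestamp settings above decide what a collector actually receives. The Python below is an added example, not code from the slides; it models the sender side (what a PIX configured with logging trap, logging facility, and logging timestamp would emit) and the collector side (recovering facility and severity from the syslog PRI field). It assumes the numeric facility 20 (local4) as the default and uses constructed placeholder message texts rather than real PIX message formats.

```python
import re

# Syslog severity numbers in the order the `logging trap level` keywords name them.
SEVERITIES = ["emergencies", "alerts", "critical", "errors",
              "warnings", "notifications", "informational", "debugging"]

# Constructed sample of events a firewall wants to log: (severity, text).
# The texts are invented placeholders, not real PIX message formats.
PENDING = [
    (3, "EXAMPLE interface outside link down"),
    (4, "EXAMPLE deny tcp from DMZ host to inside host"),
    (6, "EXAMPLE built outbound connection"),
    (7, "EXAMPLE debug detail"),
]


def pix_emit(messages, trap_level, facility=20, timestamp=None):
    """Sender side: `logging trap` drops anything less urgent (numerically higher)
    than the trap level, `logging facility` sets the facility in the PRI field,
    and `logging timestamp` (modelled as a caller-supplied string) adds a prefix.
    facility=20 (local4) is assumed as the default."""
    level = trap_level if isinstance(trap_level, int) else SEVERITIES.index(trap_level)
    out = []
    for severity, text in messages:
        if severity > level:
            continue
        pri = facility * 8 + severity  # RFC 3164 PRI encoding
        prefix = f"{timestamp}: " if timestamp else ""
        out.append(f"<{pri}>{prefix}{text}")
    return out


PRI_RE = re.compile(r"^<(\d{1,3})>(.*)$", re.S)


def decode(line):
    """Collector side: recover facility and severity from the PRI field."""
    m = PRI_RE.match(line)
    if not m:
        return None
    pri = int(m.group(1))
    return {"facility": pri // 8, "severity": pri % 8,
            "severity_name": SEVERITIES[pri % 8], "text": m.group(2)}


if __name__ == "__main__":
    for line in pix_emit(PENDING, "warnings", timestamp="Jan 01 2004 00:00:00"):
        print(line, decode(line))
```

With `logging trap warnings` only the severity 3 and 4 events leave the firewall; raising the level to debugging (7) sends all four. A collector that filters on facility can tell this device's messages apart from other local4 sources only if `logging facility` was set to a distinct value, which is why the facility is worth choosing deliberately.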

15
Summary
  • The PIX Firewall can generate Syslog messages for
    system events.
  • Syslog messages can be sent to the PIX Firewall
    buffer.
  • The PIX Firewall can forward Syslog messages to
    any Syslog server.

16
Access Control List
  • An ACL enables you to determine what traffic will
    be allowed or denied through the PIX Firewall.
  • ACLs are applied per interface (traffic is
    analyzed inbound relative to an interface).
  • The access-list and access-group commands are
    used to create an ACL.
  • The access-list and access-group commands are an
    alternative for the conduit and outbound commands.

17
ASA Security Level Example
18
ACL Usage Guidelines
  • Higher to lower security level
      • Use an ACL to restrict outbound traffic.
      • The ACL source address is the actual
        (untranslated) address of the host or network.
  • Lower to higher security level
      • Use an ACL to restrict inbound traffic.
      • The destination host must have a statically
        mapped address.
      • The ACL destination address is the global IP
        address assigned in the static command.

19
access-list Command
pixfirewall(config)# access-list acl_name [deny | permit] protocol {src_addr | local_addr} {src_mask | local_mask} [operator port] {destination_addr | remote_addr} {destination_mask | remote_mask} [operator port]
  • Enables you to create an ACL
  • ACLs associated with IPSec are known as crypto
    ACLs

pixfirewall(config)# access-list dmz1 deny tcp 192.168.1.0 255.255.255.0 host 192.168.0.1 lt 1025
  • ACL dmz1 denies access from the 192.168.1.0
    network to TCP ports less than 1025 on host
    192.168.0.1

20
access-group Command
pixfirewall(config)# access-group acl_name in interface interface_name
  • Binds an ACL to an interface
  • The ACL is applied to traffic inbound to an
    interface

pixfirewall(config)# access-group dmz1 in interface dmz
  • ACL dmz1 is bound to interface dmz

21


ACLs Versus Conduits
  • A conduit creates an exception to the PIX
    Firewall Adaptive Security Algorithm by
    permitting connections from one interface to
    access hosts on another.
  • An ACL applies to a single interface, affecting
    all traffic entering that interface regardless of
    its security level.
  • It is recommended to use ACLs to maintain future
    compatibility.
  • Do not mix ACLs and conduits in the same PIX
    Firewall.

22
The Problem: ACLs Collide with Conduits
pixfirewall(config)# nat (dmz) 1 0 0
pixfirewall(config)# global (outside) 1 192.168.0.20-192.168.0.254 netmask 255.255.255.0
pixfirewall(config)# static (inside,dmz) 172.16.0.10 10.0.0.3 netmask 255.255.255.255
pixfirewall(config)# static (inside,dmz) 172.16.0.12 10.0.0.4 netmask 255.255.255.255
pixfirewall(config)# conduit permit tcp host 172.16.0.10 eq ftp any
pixfirewall(config)# access-list 102 permit tcp 172.16.0.0 255.255.255.0 172.16.0.12 255.255.255.255 eq smtp
pixfirewall(config)# access-group 102 in interface dmz
  • Due to the ACL bound to the DMZ interface:
      • Users on the DMZ are unable to access the
        internal FTP server.
      • Users on the DMZ are unable to access the
        Internet.
      • Users on the DMZ are only able to access the
        internal mail server.

23
The Solution: Convert Conduits to ACLs
pixfirewall(config)# conduit {permit | deny} protocol global_ip global_mask [operator port [port]] foreign_ip foreign_mask [operator port [port]]
pixfirewall(config)# access-list acl_name [deny | permit] protocol {src_addr | local_addr} {src_mask | local_mask} [operator port] {destination_addr | remote_addr} {destination_mask | remote_mask} [operator port]
  • global_ip corresponds to destination_addr
  • foreign_ip corresponds to src_addr

pixfirewall(config)# conduit permit tcp host 192.168.0.10 eq www any
pixfirewall(config)# access-list acl_in permit tcp any host 192.168.0.10 eq www
24
Making ACLs Work for You
pixfirewall(config)# nat (dmz) 1 0 0
pixfirewall(config)# global (outside) 1 192.168.0.20-192.168.0.254 netmask 255.255.255.0
pixfirewall(config)# static (inside,dmz) 172.16.0.10 10.0.0.3 netmask 255.255.255.255
pixfirewall(config)# static (inside,dmz) 172.16.0.12 10.0.0.4 netmask 255.255.255.255
pixfirewall(config)# access-list 102 permit tcp 172.16.0.0 255.255.255.0 172.16.0.10 255.255.255.255 eq ftp
pixfirewall(config)# access-list 102 permit tcp 172.16.0.0 255.255.255.0 172.16.0.12 255.255.255.255 eq smtp
pixfirewall(config)# access-list 102 permit tcp 172.16.0.0 255.255.255.0 any eq www
pixfirewall(config)# access-group 102 in interface dmz
  • Users on the DMZ are able to access the Internet,
    the internal FTP server, and the internal mail
    server.

25
Deny Web Access to the Internet
pixfirewall(config)# write terminal
...
nameif ethernet0 outside sec0
nameif ethernet1 inside sec100
access-list acl_out deny tcp any any eq www
access-list acl_out permit ip any any
access-group acl_out in interface inside
nat (inside) 1 10.0.0.0 255.255.255.0
global (outside) 1 192.168.0.20-192.168.0.254 netmask 255.255.255.0
...
  • Denies web traffic on port 80 from the inside
    network to the Internet
  • Permits all other IP traffic from the inside
    network to the Internet

Diagram (labels recovered from the slide): inside network, PIX
Firewall, Internet; the www flow toward the Internet is blocked.
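The three ACL slides above (the colliding ACL 102, its corrected version, and acl_out) all turn on the same two rules: entries are checked in order and the first match wins, and every ACL ends with an implicit deny. The Python below is an added example, not code from the slides or from Cisco; it implements a small evaluator for the subset of access-list syntax the slides use (any, host, address/mask, eq/lt/gt operators, ip or tcp) and replays the slides' own ACL lines against the DMZ flows the text describes. The Internet address 192.0.2.10 is a constructed placeholder. As the usage guidelines note, on the DMZ interface the ACL sees the inside servers at their statically mapped addresses (172.16.0.10 and 172.16.0.12), which is what the entries match on.

```python
import ipaddress

PORT_NAMES = {"ftp": 21, "smtp": 25, "www": 80}

# ACL 102 as bound on the DMZ interface in the "problem" slide.
ACL_PROBLEM = [
    "access-list 102 permit tcp 172.16.0.0 255.255.255.0 172.16.0.12 255.255.255.255 eq smtp",
]
# ACL 102 after the conduit was converted and the missing entries added.
ACL_SOLUTION = [
    "access-list 102 permit tcp 172.16.0.0 255.255.255.0 172.16.0.10 255.255.255.255 eq ftp",
    "access-list 102 permit tcp 172.16.0.0 255.255.255.0 172.16.0.12 255.255.255.255 eq smtp",
    "access-list 102 permit tcp 172.16.0.0 255.255.255.0 any eq www",
]
# acl_out from the "deny web access to the Internet" slide: entry order matters.
ACL_OUT = [
    "access-list acl_out deny tcp any any eq www",
    "access-list acl_out permit ip any any",
]


def parse_addr(tokens):
    """Consume 'any', 'host A' or 'A MASK'; return (network, remaining tokens)."""
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1]), tokens[2:]
    return ipaddress.ip_network(f"{tokens[0]}/{tokens[1]}", strict=False), tokens[2:]


def parse_port(tokens):
    """Consume an optional 'operator port' (eq/lt/gt); return (predicate, remaining)."""
    if tokens and tokens[0] in ("eq", "lt", "gt"):
        port = PORT_NAMES.get(tokens[1]) or int(tokens[1])
        pred = {"eq": lambda p: p == port,
                "lt": lambda p: p < port,
                "gt": lambda p: p > port}[tokens[0]]
        return pred, tokens[2:]
    return (lambda p: True), tokens


def parse_ace(line):
    """Parse one access-list line (the subset of PIX syntax used on the slides)."""
    t = line.split()
    if t[0] != "access-list":
        raise ValueError(f"not an access-list line: {line}")
    src, rest = parse_addr(t[4:])
    sport, rest = parse_port(rest)
    dst, rest = parse_addr(rest)
    dport, rest = parse_port(rest)
    return {"name": t[1], "action": t[2], "proto": t[3],
            "src": src, "sport": sport, "dst": dst, "dport": dport}


def evaluate(acl_lines, proto, src_ip, dst_ip, dport, sport=1025):
    """First matching entry wins; the ACL ends with an implicit deny of everything else."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for ace in (parse_ace(line) for line in acl_lines):
        if ace["proto"] not in ("ip", proto):
            continue
        if s in ace["src"] and d in ace["dst"] and ace["sport"](sport) and ace["dport"](dport):
            return ace["action"]
    return "deny"  # implicit deny at the end of every ACL


def demo():
    """Flows from the bastion host 172.16.0.2 on the DMZ: (problem result, solution result)."""
    flows = {
        "ftp to inside FTP server 172.16.0.10": ("tcp", "172.16.0.2", "172.16.0.10", 21),
        "smtp to inside mail server 172.16.0.12": ("tcp", "172.16.0.2", "172.16.0.12", 25),
        "www to the Internet (192.0.2.10, constructed)": ("tcp", "172.16.0.2", "192.0.2.10", 80),
    }
    return {name: (evaluate(ACL_PROBLEM, *f), evaluate(ACL_SOLUTION, *f))
            for name, f in flows.items()}


if __name__ == "__main__":
    for name, (before, after) in demo().items():
        print(f"{name:48} problem={before:6} solution={after}")
```

The single-entry ACL from the problem slide permits only SMTP and silently denies FTP and web because nothing else matches before the implicit deny; the conduit never gets a say once the access-group is bound. Swapping the two acl_out entries would make the permit ip any any match first and the deny line dead, which is the kind of ordering mistake this evaluator makes visible before a change reaches the firewall.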
26
Permit Web Access to the DMZ
pixfirewall(config)# write terminal
...
nameif ethernet0 outside sec0
nameif ethernet1 inside sec100
nameif ethernet2 dmz sec50
ip address outside 192.168.0.2 255.255.255.0
ip address inside 10.0.0.1 255.255.255.0
ip address dmz 172.16.0.1 255.255.255.0
static (dmz,outside) 192.168.0.11 172.16.0.2
access-list acl_in_dmz permit tcp any host 192.168.0.11 eq www
access-list acl_in_dmz deny ip any any
access-group acl_in_dmz in interface outside
...
Topology diagram (labels recovered from the slide): Internet;
192.168.0.0/24 (outside: router .1, PIX .2); 172.16.0.0/24 (DMZ: PIX
.1, web server .2); 10.0.0.0/24 (inside: PIX .1).
  • The ACL acl_in_dmz permits web traffic on port 80
    from the Internet to the DMZ web server.
  • The ACL acl_in_dmz denies all other IP traffic
    from the Internet.

27
icmp Command
pixfirewall(config)# icmp {permit | deny} [host] src_addr [src_mask] [type] int_name
  • Enables or disables pinging to an interface

pixfirewall(config)# icmp deny any echo-reply outside
pixfirewall(config)# icmp permit any unreachable outside
  • All ping requests are denied at the outside
    interface, and all unreachable messages are
    permitted at the outside interface

28
Securing Remote Configuration with SSH
pixfirewall(config)# ssh ip_address [netmask] [interface_name]
  • Specifies the host or network authorized to
    initiate an SSH connection to the PIX Firewall.

pixfirewall(config)# ca generate rsa key 768
pixfirewall(config)# ssh 172.26.26.50 255.255.255.255 outside
Diagram (labels recovered from the slide): SSH client 172.26.26.50 on
172.26.26.0/24, logging in with username pix and the Telnet password;
PIX outside interface .2 on 192.168.0.0/24; inside network 10.0.0.0/24.
  • An RSA key pair is generated for the PIX Firewall
    using the default key modulus size of 768.
  • Host 172.26.26.50 is authorized to initiate an
    SSH connection to the PIX Firewall.