For review only. Please do not distribute

DRAFT May 2003. All rights reserved.

© 2003, Cisco Systems, Inc. All rights reserved. FNS 1.0—12-1

Module 12

PIX Advanced Protocols and Intrusion Detection

Learning Objectives

Upon completion of this chapter, you will be able to perform the following tasks:

• Describe the fixup protocol command.
• Describe the need for advanced protocol handling.
• Describe how the PIX Firewall handles FTP, rsh, and SQL*Net traffic.
• Configure FTP, rsh, and SQL*Net fixup protocols.
• Describe the issues with multimedia applications.
• Describe how the PIX Firewall handles RTSP and H.323 multimedia protocols.
• Configure RTSP and H.323 fixup protocols.
• Describe how the PIX Firewall supports call handling sessions and VoIP call signaling.


Learning Objectives (cont.)

Upon completion of this chapter, you will be able to perform the following tasks:

• Name, describe, and configure the attack guards in the PIX Firewall.
• Define intrusion detection.
• Describe signatures.
• Name and identify signature classes supported by the PIX Firewall.
• Configure the PIX Firewall to use IDS signatures.
• Configure the PIX Firewall to shun.
• Configure the PIX Firewall to send Syslog messages to a Syslog server.


Overview

This module introduces students to the PIX Firewall advanced protocol recognition and Intrusion Detection System (IDS) capabilities. The module begins with advanced protocol handling and how it may be tuned to fit the PIX Firewall operation via a series of fixup commands. The module moves on to discuss the advanced protocols used for multimedia support, including real-time streaming protocols. Finally, the methods of intrusion detection are discussed: the system of intrusion detection signatures is examined, and the methods of configuration for PIX Firewalls are explained.


Key terms

• SIP
• SQL
• Skinny
• RSH
• H.323
• RTSP
• Standard Mode FTP
• Passive Mode FTP
• DNS Guard
• Mail Guard
• Syslog
• SNMP

Advanced Protocols

Need for Advanced Protocol Handling

• Some popular protocols or applications behave as follows:
– Negotiate connections to dynamically assigned source or destination ports, or IP addresses.
– Embed source or destination port, or IP address information above the network layer.
• A good firewall has to inspect packets above the network layer and do the following as required by the protocol or application:
– Securely open and close negotiated ports or IP addresses for legitimate client-server connections through the firewall.
– Use NAT-relevant instances of IP addresses inside a packet.
– Use PAT-relevant instances of ports inside a packet.
– Inspect packets for signs of malicious application misuse.


fixup Command

pixfirewall (config)#
fixup protocol ils port [-port]

pixfirewall (config)#
fixup protocol skinny port [-port]

pixfirewall (config)#
fixup protocol sip port [-port]

pixfirewall (config)#
fixup protocol rsh port [-port]

pixfirewall (config)#
fixup protocol rtsp port [-port]

pixfirewall (config)#
show fixup [protocol protocol]

pixfirewall (config)#
fixup protocol smtp port [-port]

pixfirewall (config)#
fixup protocol h323 [h225 | ras] port [-port]

pixfirewall (config)#
fixup protocol sqlnet port [-port]

pixfirewall (config)#
fixup protocol http port [-port]

pixfirewall (config)#
fixup protocol ftp [strict] port [-port]

pixfirewall (config)#
no fixup protocol protocol [port[-port]]


Standard Mode FTP
• Standard mode FTP uses two channels:
– Client-initiated command connection (TCP).
– Server-initiated data connection (TCP).
• For outbound connections, the PIX Firewall handles standard mode FTP as follows:
– It opens a temporary inbound conduit for the data channel.
• For inbound connections, the PIX Firewall handles standard mode FTP as follows:
– If outbound traffic is allowed, no special handling is required.
– If outbound traffic is not allowed, it opens a temporary outbound conduit for the data channel.

Passive Mode FTP
• Passive mode FTP uses two channels:
– Client-initiated command connection (TCP).
– Client-initiated data connection (TCP).
• For outbound connections, the PIX Firewall handles passive mode FTP as follows:
– If outbound traffic is allowed, no special handling is required.
– If outbound traffic is not allowed, it opens an outbound port for the data channel.
• For inbound connections, the PIX Firewall opens an inbound port for the data channel.

FTP Fix-Up Configuration

pixfirewall (config)#
fixup protocol ftp [strict] port [-port]

• Defines ports for FTP connections (default = 21).
• Performs NAT in packet payload.
• Dynamically creates conduits for FTP-DATA connections.
• Logs FTP commands (when Syslog is enabled).
• When disabled:
– Outbound standard FTP will not work.
– Outbound passive FTP will work if not explicitly disallowed.
– Inbound standard FTP will work if conduit exists.
– Inbound passive FTP will not work.

pixfirewall(config)# fixup protocol ftp 2021
pixfirewall(config)# no fixup protocol ftp 21
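An added example (not from the course and not Cisco's code) of the two cases on the Standard Mode FTP, Passive Mode FTP and FTP Fix-Up slides that need both payload NAT and a temporary inbound conduit: an inside client's PORT command on an outbound session, and an inside server's 227 reply on an inbound passive session. The NAT table, the addresses and the `enabled` flag (modelling `no fixup protocol ftp`) are constructed for the example.

```python
import re

# Constructed NAT table for this example: inside (private) address -> global address.
NAT_TABLE = {"10.0.0.5": "192.168.0.5", "10.0.0.3": "192.168.0.3"}

# Standard mode: the client sends "PORT h1,h2,h3,h4,p1,p2" and the server connects back.
# Passive mode: the server answers "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)".
# In both, the data port is p1 * 256 + p2 and the address travels in the payload.
PORT_RE = re.compile(r"^PORT (\d{1,3}(?:,\d{1,3}){5})\s*$", re.IGNORECASE)
PASV_RE = re.compile(r"^227 .*?\((\d{1,3}(?:,\d{1,3}){5})\)")


def decode_hostport(field):
    """'10,0,0,5,4,1' -> ('10.0.0.5', 1025)."""
    parts = [int(x) for x in field.split(",")]
    if len(parts) != 6 or any(not 0 <= p <= 255 for p in parts):
        raise ValueError(f"malformed host-port field: {field!r}")
    return ".".join(str(p) for p in parts[:4]), parts[4] * 256 + parts[5]


def encode_hostport(addr, port):
    """('192.168.0.5', 1025) -> '192,168,0,5,4,1'."""
    return addr.replace(".", ",") + f",{port // 256},{port % 256}"


class FtpFixup:
    """Toy model of the FTP fixup on the control channel: payload NAT plus
    temporary inbound conduits for the data channel. Not Cisco's code."""

    def __init__(self, nat_table, enabled=True):
        self.nat = nat_table
        self.enabled = enabled
        self.conduits = set()   # (global_addr, port) pinholes currently open inbound

    def _translate(self, match, line, owner):
        addr, port = decode_hostport(match.group(1))
        if addr != owner:
            # Modelling choice: only honour an address that belongs to the endpoint
            # that announced it; the slide does not describe what 'strict' checks.
            raise ValueError("embedded address does not belong to the endpoint")
        global_addr = self.nat.get(addr, addr)
        self.conduits.add((global_addr, port))
        return line[:match.start(1)] + encode_hostport(global_addr, port) + line[match.end(1):]

    def inspect_client_command(self, inside_client, line):
        """Outbound standard-mode FTP: the inside client announces the port the outside
        server must connect back to. Rewrite the private address and open a conduit."""
        match = PORT_RE.match(line)
        if not self.enabled or match is None:
            return line
        return self._translate(match, line, inside_client)

    def inspect_server_reply(self, inside_server, line):
        """Inbound passive-mode FTP: the inside server tells the outside client which
        port to connect to. Same payload NAT and inbound conduit as above."""
        match = PASV_RE.match(line)
        if not self.enabled or match is None:
            return line
        return self._translate(match, line, inside_server)

    def inbound_allowed(self, global_addr, port):
        """Would an unsolicited inbound TCP connection to this port be admitted?"""
        return (global_addr, port) in self.conduits

    def data_session_closed(self, global_addr, port):
        """The conduit is temporary: remove it once the data connection has finished."""
        self.conduits.discard((global_addr, port))
```

With the fixup disabled the 227 reply leaves the firewall carrying the private address and no conduit exists, which is the "inbound passive FTP will not work" case on the slide.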


Remote Shell

• Remote shell uses two channels:
– Client-initiated command connection (TCP).
– Server-initiated standard error connection (TCP).
• For outbound connections, the PIX Firewall opens an inbound port for standard error output.
• For inbound connections, the PIX Firewall handles remote shell as follows:
– If outbound traffic is allowed, no special handling is required.
– If outbound traffic is not allowed, it opens the outbound port for standard error output.


Rsh Fixup Configuration

pixfirewall (config)#
fixup protocol rsh port [-port]

• Defines ports for rsh connections (default = 514)—Dynamically opens a port for rsh standard error connections.
• If disabled:
– Outbound rsh will not work.
– Inbound rsh will work if conduit exists.

pixfirewall(config)# fixup protocol rsh 1540
pixfirewall(config)# no fixup protocol rsh


SQL*Net

• Initially the client connects to a well-known port on the server.
• The server may assign another port or another host to serve the client.
• For outbound connections, the PIX Firewall handles SQL*Net connections as follows:
– If outbound traffic is allowed, no special handling is required.
– If outbound traffic is not allowed, it opens an outbound port for a redirected channel.
• For inbound connections, the PIX Firewall opens an inbound port for a redirected channel.


SQL*Net Fixup Configuration

pixfirewall (config)#
fixup protocol sqlnet port [-port]

• Defines ports for SQL*Net connections (default = 1521):
– Performs NAT in packet payload.
– Dynamically opens a TCP port for the redirected client connection.
– Port 1521 is the default port used by Oracle—IANA-compliant applications use port 66.
• If disabled:
– Outbound SQL*Net is allowed if not explicitly disallowed.
– Inbound SQL*Net is disallowed.

pixfirewall(config)# fixup protocol sqlnet 66
pixfirewall(config)# fixup protocol sqlnet 6666-6686
pixfirewall(config)# no fixup protocol sqlnet


SIP Fixup Configuration

pixfirewall (config)#
fixup protocol sip port [-port]

• Enables SIP.
• Default port = 5060.
• Enables the PIX Firewall to support any SIP VoIP gateways and VoIP proxies.

pixfirewall(config)# fixup protocol sip 5060

• SIP is enabled on port 5060.


Skinny

• Used by Cisco IP phones for VoIP call signaling.
• Supported in software versions 6.0 and higher.
• Skinny protocol support operates by dynamically opening pinholes for media sessions and performing Network Address Translation (NAT) on the IP addresses embedded in the signaling.
• SCCP supports IP telephony and can coexist in an H.323 environment. An application layer inspection ensures that all SCCP signaling and media packets can traverse the PIX Firewall and interoperate with H.323 terminals.
• An IP phone and a Cisco CallManager can now be placed on separate sides of the PIX Firewall.


Skinny Fixup Configuration

pixfirewall (config)#
fixup protocol skinny port [-port]

• Enables the SCCP (skinny) protocol.
• Dynamically opens pinholes for media sessions and NAT-embedded IP addresses.
• Supports IP telephony.
• Can coexist in an H.323 environment.
• Default port is 2000.

pixfirewall(config)# fixup protocol skinny 2000

• Skinny is enabled on port 2000.


Multimedia Support

Why Multimedia Is an Issue

• Multimedia applications behave in unique ways:
– Use dynamic ports.
– Transmit a request using TCP and get responses in UDP or TCP.
– Use the same port for source and destination.
• The PIX Firewall:
– Dynamically opens and closes conduits for secure multimedia connections.
– Supports multimedia with or without NAT.


Real-Time Streaming Protocol

• Real-time audio and video delivery protocol uses one TCP and two UDP channels.
• Transport options:
– Real-Time Transport Protocol (RTP).
– Real Data Transport Protocol (RDT).
• Sync or resend channel:
– Real-Time Control Protocol (RTCP).
– UDP resend.
• RTSP TCP-only mode does not require special handling by the PIX Firewall.
• Supported applications:
– Cisco IP/TV.
– Apple QuickTime 4.
– RealNetworks:
  • RealAudio.
  • RealPlayer.
  • RealServer.
• RDT Multicast is not supported.


Standard RTP Mode

• In standard RTP mode, RTSP uses the following three channels:
– Control connection (TCP).
– RTP data (simplex UDP).
– RTCP reports (duplex UDP).
• For outbound connections, the PIX Firewall opens inbound ports for RTP data and RTCP reports.
• For inbound connections, the PIX Firewall handles standard RTP mode as follows:
– If outbound traffic is allowed, no special handling is required.
– If outbound traffic is not allowed, it opens outbound ports for RTP and RTCP.


RealNetworks’ RDT Mode

• In RealNetworks’ RDT mode, RTSP uses the following three channels:
– Control connection (TCP).
– UDP data (simplex UDP).
– UDP resend (simplex UDP).
• For outbound connections, the PIX Firewall handles RealNetworks’ RDT mode as follows:
– If outbound traffic is allowed, it opens an inbound port for UDP data.
– If outbound traffic is not allowed, it opens an inbound port for UDP data and an outbound port for UDP resend.
• For inbound connections, the PIX Firewall handles RealNetworks’ RDT mode as follows:
– If outbound traffic is allowed, it opens an inbound port for UDP resend.
– If outbound traffic is not allowed, it opens an outbound port for UDP data and an inbound port for UDP resend.

RTSP Fixup Configuration

pixfirewall (config)#
fixup protocol rtsp port [-port]

• Defines ports for RTSP connections:
– No RTSP fixup is enabled by default (the RFC 2326 port is 554).
– RTSP dynamically opens UDP connections as required by the RTSP transport.
– PAT and dual NAT are not currently supported.
• If disabled:
– UDP transport modes are disallowed.
– TCP transport modes are allowed (TCP connection rules apply).

pixfirewall(config)# fixup protocol rtsp 554
pixfirewall(config)# no fixup protocol rtsp

H.323

• Real-time multimedia communications delivery specification uses two TCP and several UDP sessions for a single “call”.
• H.323 protocols and standards:
– H.225—Registration, Admission, and Status (RAS).
– H.225—Call Signaling.
– H.245—Control Signaling.
– TPKT Header.
– Q.931 Messages.
– Abstract Syntax Notation (ASN.1) (PIX Firewall 5.2).
• Supported H.323 versions:
– H.323 v1.
– H.323 v2 (software versions 5.2 and higher).
• Supported applications:
– Cisco Multimedia Conference Manager.
– Microsoft NetMeeting.
– Intel Video Phone.
– CUseeMe Networks:
  • MeetingPoint.
  • CUseeMe Pro.
– VocalTec:
  • Internet Phone.
  • Gatekeeper.

Configuring H.323 Fixup

pixfirewall (config)#
fixup protocol h323 [h225 | ras] port [-port]

• Defines ports for H.323 connections (default = 1720).
• Performs NAT in H.323 messages as required.
• Dynamically opens TCP and UDP connections as required.
• Supports PAT.
• If disabled, H.323 applications are disallowed.

pixfirewall(config)# fixup protocol h323 1720
pixfirewall(config)# fixup protocol h323 7720-7740
pixfirewall(config)# no fixup protocol h323


Cisco IP Phones and the PIX Firewall’s DHCP Server

• Cisco IP phones:
– Download their configurations from a TFTP server.
– Request an IP address and the IP address of a TFTP server from a DHCP server.
• The PIX Firewall:
– Supports DHCP option 150 for providing the IP addresses of a list of TFTP servers.
– Supports DHCP option 66 for providing the IP address of a single TFTP server.


Attack Guards

Mail Guard
• Provides a safe conduit for Simple Mail Transfer Protocol (SMTP) connections from the outside to an inside e-mail server.
• Enables administrators to deploy a mail server within the internal network, without it being exposed to known security problems that exist within some mail server implementations.
• Only the SMTP commands specified in RFC 821 section 4.5.1 are allowed to a mail server.
• By default, the Cisco Secure PIX Firewall inspects port 25 connections for SMTP traffic.
• SMTP servers using ports other than port 25 must use the fixup protocol smtp command.

The following are the commands allowed for a mail server:
– HELO
– MAIL
– RCPT
– DATA
– RSET
– NOOP
– QUIT


Mail Guard

pixfirewall (config)#
fixup protocol smtp port [-port]

• Defines ports on which to activate Mail Guard (default = 25)—Only allows RFC 821, section 4.5.1 commands: HELO, MAIL, RCPT, DATA, RSET, NOOP, and QUIT.
• If disabled, all SMTP commands are allowed through the firewall—Potential mail server vulnerabilities are exposed.

pixfirewall(config)# fixup protocol smtp 2525
pixfirewall(config)# fixup protocol smtp 2625-2635
pixfirewall(config)# no fixup protocol smtp 25


DNS Guard

• DNS Guard is always on.
• After the client sends a DNS request, a dynamic conduit allows UDP packets to return from the DNS server. The default UDP timer expires in two minutes.
• The DNS server response is recognized by the firewall, which closes the dynamic UDP conduit immediately. The PIX Firewall does not wait for the UDP timer to expire.
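An added example (not from the course and not Cisco's code) of the conduit life cycle the DNS Guard slide describes: a query opens a UDP conduit with the two-minute timer, the first matching response closes it immediately, and anything else, whether a second reply, an unsolicited one or a late one, is dropped. The packets are constructed minimal DNS headers and the clock is passed in as `now` so the timer can be exercised.

```python
import struct

DNS_UDP_TIMEOUT = 120.0   # the default two-minute UDP timer the slide mentions
QR_BIT = 0x8000           # DNS header flag: 0 = query, 1 = response


def parse_dns_header(payload):
    """Return (transaction_id, is_response) from the 12-byte DNS header."""
    if len(payload) < 12:
        raise ValueError("truncated DNS header")
    txid, flags = struct.unpack(">HH", payload[:4])
    return txid, bool(flags & QR_BIT)


def build_dns_header(txid, response):
    """Constructed minimal DNS header (no question section) for the example."""
    flags = (QR_BIT | 0x0100) if response else 0x0100     # RD set in both directions
    return struct.pack(">HHHHHH", txid, flags, 1, 1 if response else 0, 0, 0)


class DnsGuard:
    """Toy model of DNS Guard: each client query opens one dynamic UDP conduit, keyed
    by the UDP endpoints and the DNS transaction ID, and the first matching response
    closes it at once instead of leaving it open until the UDP timer expires."""

    def __init__(self, udp_timeout=DNS_UDP_TIMEOUT):
        self.udp_timeout = udp_timeout
        self.conduits = {}   # (client, client_port, server, txid) -> expiry time

    def _expire(self, now):
        for key in [k for k, expiry in self.conduits.items() if expiry <= now]:
            del self.conduits[key]

    def outbound_query(self, client, client_port, server, payload, now):
        """Client -> server. Returns True if a conduit was opened for the reply."""
        self._expire(now)
        txid, is_response = parse_dns_header(payload)
        if is_response:
            return False        # an outbound 'response' is not a query; nothing to open
        self.conduits[(client, client_port, server, txid)] = now + self.udp_timeout
        return True

    def inbound_reply(self, server, client, client_port, payload, now):
        """Server -> client. Returns True if admitted; the conduit is then closed."""
        self._expire(now)
        txid, is_response = parse_dns_header(payload)
        key = (client, client_port, server, txid)
        if not is_response or key not in self.conduits:
            return False        # unsolicited, mismatched ID, or conduit already closed
        del self.conduits[key]
        return True

    def open_conduits(self):
        return len(self.conduits)
```

Closing on the first reply rather than after two minutes is what limits how long a forged answer to the same client port and transaction ID could be accepted.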


FragGuard and Virtual Re-assembly

The FragGuard and Virtual Re-assembly feature has the following characteristics:

• Is on by default.
• Verifies each fragment set for integrity and completeness.
• Tags each fragment in a fragment set with the transport header.
• Performs full reassembly of all ICMP error messages and virtual reassembly of the remaining IP fragments that are routed through the PIX Firewall.
• Uses Syslog to log fragment overlapping and small fragment offset anomalies.


fragment Command
pixfirewall (config)#
fragment size database-limit [interface]
• Sets the maximum number of packets in the fragment database.

pixfirewall (config)#
fragment chain chain-limit [interface]
• Specifies the maximum number of packets into which a full IP packet can be fragmented.

pixfirewall (config)#
fragment timeout seconds [interface]
• Specifies the maximum number of seconds that the PIX Firewall waits before discarding a packet that is waiting to be reassembled.

pixfirewall(config)# fragment size 1
pixfirewall(config)# fragment chain 1

AAA Flood Guard

pixfirewall (config)#
floodguard enable | disable
• Reclaims attacked or overused AAA resources to help prevent DoS attacks on AAA services (default = enabled).

pixfirewall(config)# floodguard enable


SYN Flood Attack

• The attacker spoofs a nonexistent source IP address and floods the target with SYN packets.
• The target responds to the SYN packets by sending SYN-ACK packets to the spoofed hosts.
• The target overflows its port buffer with embryonic connections and stops responding to legitimate requests.


SYN Flood Guard Configuration
pixfirewall (config)#
static [(prenat_interface, postnat_interface)] mapped_address | interface real_address [dns] [netmask mask] [norandomseq] [connection_limit [em_limit]]
• For inbound connections:
– Use the em_limit to limit the number of embryonic connections.
– Set the limit to a number lower than the server can handle.

pixfirewall (config)#
nat [(if-name)] id address [netmask [outside] [dns] [norandomseq] [timeout hh:mm:ss] [conn_limit [em_limit]]]
• For outbound connections:
– Use the em_limit to limit the number of embryonic connections.
– Set the limit to a number lower than the server can handle.

pixfirewall(config)# nat (inside) 1 0 0 0 10000
pixfirewall(config)# static (inside,outside) 192.168.0.11 172.16.0.2 0 1000

TCP Intercept

pixfirewall(config)# static (inside,outside) 192.168.0.10 10.0.0.11 netmask 255.255.255.255 1000 100
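An added example (not from the course and not Cisco's code) of what the conn_limit and em_limit arguments on the SYN Flood Guard and TCP Intercept slides control: a per-host budget of half-open connections, using the 1000/100 values from the TCP Intercept slide. The model simply stops forwarding SYNs once the budget is spent and does not attempt to reproduce TCP Intercept's handshake handling, which the slide does not describe; the addresses and the zero-means-unlimited convention are assumptions.

```python
class EmbryonicLimiter:
    """Toy model of the conn_limit and em_limit parameters on a static or nat entry.
    An embryonic connection is one whose initial SYN has been forwarded but whose
    three-way handshake has not completed. Not Cisco's code."""

    def __init__(self, conn_limit=0, em_limit=0):
        # Assumption for this model: 0 means 'no limit', as in the slide examples where
        # conn_limit is written as 0 alongside a nonzero em_limit.
        self.conn_limit = conn_limit
        self.em_limit = em_limit
        self.embryonic = set()       # flows (src, sport, dst, dport) awaiting the handshake
        self.established = set()

    def on_syn(self, flow):
        """A SYN towards the protected host. Returns True if it is forwarded."""
        if flow in self.embryonic or flow in self.established:
            return True              # retransmission of a flow we already know
        total = len(self.embryonic) + len(self.established)
        if self.conn_limit and total >= self.conn_limit:
            return False
        if self.em_limit and len(self.embryonic) >= self.em_limit:
            return False             # the host is at its half-open budget; shed this SYN
        self.embryonic.add(flow)
        return True

    def on_handshake_complete(self, flow):
        """The final ACK arrived: the flow stops counting against em_limit."""
        if flow in self.embryonic:
            self.embryonic.remove(flow)
            self.established.add(flow)

    def on_close(self, flow):
        """FIN/RST or idle timeout frees the slot."""
        self.embryonic.discard(flow)
        self.established.discard(flow)


def syn_burst(limiter, count, target=("192.168.0.10", 80), src="198.51.100.1"):
    """Feed `count` SYNs from distinct source ports that never complete the handshake
    (the pattern the SYN Flood Attack slide describes) and return how many were
    forwarded. Addresses are constructed for the example."""
    forwarded = 0
    for i in range(count):
        flow = (src, 10000 + i, target[0], target[1])
        if limiter.on_syn(flow):
            forwarded += 1
    return forwarded
```

The point of "set the limit to a number lower than the server can handle" is visible in the numbers: with em_limit 100 the server never holds more than 100 half-open connections, whatever the burst size.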


Intrusion Detection

Intrusion Detection

• Ability to detect attacks against networks.
• Three types of network attacks:
– Reconnaissance
– Access
– Denial of service


Signatures

A signature is a set of rules pertaining to typical intrusion activity that, when matched, generates a unique response. The following signature classes are supported by the PIX Firewall:
• Informational—Triggers on normal network activity that in itself is not considered to be malicious, but can be used to determine the validity of an attack or for forensic purposes.
• Attack—Triggers on an activity known to be, or that could lead to, unauthorized data retrieval, system access, or privilege escalation.

Intrusion Detection in the PIX Firewall

Configure IDS
pixfirewall(config)#
ip audit name audit_name info [action [alarm] [drop] [reset]]
• Creates a policy for informational signatures.

pixfirewall(config)#
ip audit name audit_name attack [action [alarm] [drop] [reset]]
• Creates a policy for attack signatures.

pixfirewall(config)#
ip audit interface if_name audit_name
• Applies a policy to an interface.

pixfirewall(config)# ip audit name ATTACKPOLICY attack action alarm reset
pixfirewall(config)# ip audit interface outside ATTACKPOLICY
• When the PIX Firewall detects an attack signature on its outside interface, it reports an event to all configured Syslog servers, drops the offending packet, and closes the connection if it is part of an active connection.

Specify Default Actions for Signatures

pixfirewall(config)#
ip audit attack [action [alarm] [drop] [reset]]
• Specifies the default actions for attack signatures.

pixfirewall(config)#
ip audit info [action [alarm] [drop] [reset]]
• Specifies the default actions for informational signatures.

pixfirewall(config)# ip audit info action alarm drop

• When the PIX Firewall detects an info signature, it reports an event to all configured Syslog servers and drops the offending packet.


Disable Intrusion Detection Signatures

pixfirewall(config)#
ip audit signature signature_number disable
• Excludes a signature from auditing.

pixfirewall(config)# ip audit signature 6102 disable
• Disables signature 6102.


Shunning

shun Command

pixfirewall(config)#
shun src_ip [dst_ip sport dport [protocol]]
• Applies a blocking function to an interface under attack.

pixfirewall(config)# shun 172.26.26.45

• No further traffic from 172.26.26.45 is allowed.


Shunning an Attacker

pixfirewall(config)# shun 172.26.26.45 192.168.0.10 4000 53


Syslog Configuration

Configure Syslog Output to a Syslog Server


Syslog Messages

The PIX Firewall sends Syslog messages to document the following events:
• Security
• Resources
• System
• Accounting


Configure Message Output to the PIX Firewall Buffer

pixfirewall(config)#
logging on
• Enables logging.

pixfirewall(config)#
logging buffered level
• Sends Syslog messages to an internal buffer.

pixfirewall(config)#
show logging
• Displays messages from the internal buffer.

pixfirewall(config)#
clear logging
• Clears the internal buffer.

pixfirewall(config)#
logging message syslog_id
• Enables a specific Syslog message.

pixfirewall(config)#
logging standby
• Allows a standby unit to send Syslog messages.


Configure Message Output to a Syslog Server

pixfirewall(config)#
logging on
• Enables logging.

pixfirewall(config)#
logging host [in_if_name] ip_address [protocol/port]
• Designates the Syslog host server.

pixfirewall(config)#
logging trap level
• Sets the logging level.

Configure Message Output to a Syslog Server (cont.)

pixfirewall(config)#
logging facility facility
• Sets the facility marked on all messages.

pixfirewall(config)#
logging timestamp
• Starts and stops sending timestamped messages.


SNMP

SNMP Overview
• SNMP facilitates the exchange of management information between network devices.
• Devices managed by SNMP send information to a management server from which an administrator manages and monitors the device.
• SNMP can be used to monitor system events on the PIX Firewall.
• For security reasons, information on the PIX Firewall cannot be changed with SNMP.
• SNMP can be enabled through the PIX Firewall so that any device can be managed and monitored by a management server on a PIX Firewall interface other than that on which it resides.
• SNMP is a request and response protocol. The following SNMP operations rely on Management Information Bases (MIBs).


MIB Support

The Cisco Firewall MIB, Cisco Memory Pool MIB, and Cisco Process MIB provide the following PIX Firewall information through SNMP:
• Buffer use from the show block command.
• Connection count from the show conn command.
• CPU use through the show cpu usage command.
• Failover status.
• Memory use from the show memory command.


SNMP to the PIX Firewall
pixfirewall(config)#
snmp-server host [if_name] ip_addr [trap | poll]
• Identifies the management station.

pixfirewall(config)#
snmp-server community key
• Configures the SNMP community string, a shared secret among the NMS and the managed devices.

pixfirewall(config)#
snmp-server enable traps
• Enables sending log messages as SNMP trap notifications.

pixfirewall(config)# logging on
pixfirewall(config)# logging history debugging
pixfirewall(config)# snmp-server host inside 10.0.0.11
pixfirewall(config)# snmp-server community OURCOMMUNITY
pixfirewall(config)# snmp-server enable traps

SNMP Through the PIX Firewall

pixfirewall(config)# static (inside,outside) 192.168.0.10 10.0.0.11 netmask 255.255.255.255
pixfirewall(config)# access-list TRAPSIN permit udp host 192.168.0.19 host 192.168.0.10 eq snmptrap
pixfirewall(config)# access-group TRAPSIN in interface outside

pixfirewall(config)# static (inside,outside) 192.168.0.10 10.0.0.11 netmask 255.255.255.255
pixfirewall(config)# access-list POLLIN permit udp host 192.168.0.19 host 192.168.0.10 eq snmp
pixfirewall(config)# access-group POLLIN in interface outside


Summary

Summary

• The fixup command enables you to view, change, enable, or disable the use of a service or protocol.
• The PIX Firewall uses special handling for the following advanced protocols: FTP, rsh, and SQL*Net.
• The PIX Firewall handles the following multimedia protocols: RTSP and H.323.
• The PIX Firewall’s SIP fixup supports call handling sessions.
• The PIX Firewall’s skinny fixup supports VoIP call signaling.
• You can change the port value for each protocol including the multimedia protocols; however, you should not change the port values for rsh and SIP.


Summary (cont.)

• The PIX Firewall has the following attack guards to help protect systems from malicious attacks: Mail Guard, DNS Guard, Fragmentation Guard, AAA Flood Guard, and SYN Flood Defender.
• PIX Firewall software versions 5.2 and higher support intrusion detection.
• Intrusion detection is the ability to detect attacks against a network, including the following: reconnaissance, access, and DoS.
• The PIX Firewall supports signature-based intrusion detection.


Summary (cont.)

• Each signature can generate a unique alarm and response.
• Informational signatures collect information to help determine the validity of an attack, or for forensics.
• Attack signatures trigger on an activity known to be, or that could lead to, unauthorized data retrieval, system access, or privilege escalation.
• The PIX Firewall can be configured to shun the source address of attacking hosts.
• The PIX Firewall can send Syslog messages to a Syslog server.