For review only.

Please do not distribute

DRAFT May 2003. All rights reserved.
© 2003, Cisco Systems, Inc. All rights reserved.

FNS 1.0—12-1

Module 12
PIX Advanced Protocols and Intrusion Detection


Learning Objectives
Upon completion of this chapter, you will be able to perform the following tasks:
• Describe the fixup protocol command.
• Describe the need for advanced protocol handling.
• Describe how the PIX Firewall handles FTP, rsh, and SQL*Net traffic.
• Configure FTP, rsh, and SQL*Net fixup protocols.
• Describe the issues with multimedia applications.
• Describe how the PIX Firewall handles RTSP and H.323 multimedia protocols.
• Configure RTSP and H.323 fixup protocols.
• Describe how the PIX Firewall supports call handling sessions and VoIP call signaling.

Learning Objectives (cont.)
Upon completion of this chapter, you will be able to perform the following tasks:
• Name, describe, and configure the attack guards in the PIX Firewall.
• Define intrusion detection.
• Describe signatures.
• Name and identify signature classes supported by the PIX Firewall.
• Configure the PIX Firewall to use IDS signatures.
• Configure the PIX Firewall to shun.
• Configure the PIX Firewall to send Syslog messages to a Syslog server.

Overview
This module introduces students to the PIX Firewall advanced protocol recognition and Intrusion Detection System (IDS) capabilities. The module begins with advanced protocol handling and how it can be tuned to the PIX Firewall operation through a series of fixup commands. It then discusses the advanced protocols used for multimedia support, including real-time streaming protocols. Finally, the methods of intrusion detection are discussed: the system of intrusion detection signatures is examined, and the methods of configuring it on PIX Firewalls are explained.

Key terms
• SIP
• SQL
• Skinny
• RSH
• H.323
• RTSP
• Standard Mode FTP
• Passive Mode FTP
• DNS Guard
• Mail Guard
• Syslog
• SNMP


Advanced Protocols


Need for Advanced Protocol Handling
• Some popular protocols or applications behave as follows:
  – Negotiate connections to dynamically assigned source or destination ports, or IP addresses.
  – Embed source or destination port, or IP address information above the network layer.
• A good firewall has to inspect packets above the network layer and do the following as required by the protocol or application:
  – Securely open and close negotiated ports or IP addresses for legitimate client-server connections through the firewall.
  – Use NAT-relevant instances of IP addresses inside a packet.
  – Use PAT-relevant instances of ports inside a packet.
  – Inspect packets for signs of malicious application misuse.

fixup Command
pixfirewall(config)# fixup protocol ils port [-port]
pixfirewall(config)# fixup protocol smtp port [-port]
pixfirewall(config)# fixup protocol skinny port [-port]
pixfirewall(config)# fixup protocol h323 [h225 | ras] port [-port]
pixfirewall(config)# fixup protocol sip port [-port]
pixfirewall(config)# fixup protocol sqlnet port [-port]
pixfirewall(config)# fixup protocol rsh port [-port]
pixfirewall(config)# fixup protocol http port [-port]
pixfirewall(config)# fixup protocol rtsp port [-port]
pixfirewall(config)# fixup protocol ftp [strict] port [-port]
pixfirewall(config)# show fixup [protocol protocol]
pixfirewall(config)# no fixup protocol protocol [port[-port]]


Standard Mode FTP
• Standard mode FTP uses two channels:
  – Client-initiated command connection (TCP).
  – Server-initiated data connection (TCP).
• For outbound connections, the PIX Firewall handles standard mode FTP as follows:
  – It opens a temporary inbound conduit for the data channel.
• For inbound connections, the PIX Firewall handles standard mode FTP as follows:
  – If outbound traffic is allowed, no special handling is required.
  – If outbound traffic is not allowed, it opens a temporary outbound conduit for the data channel.

Passive Mode FTP
• Passive mode FTP uses two channels:
  – Client-initiated command connection (TCP).
  – Client-initiated data connection (TCP).
• For outbound connections, the PIX Firewall handles passive mode FTP as follows:
  – If outbound traffic is allowed, no special handling is required.
  – If outbound traffic is not allowed, it opens an outbound port for the data channel.
• For inbound connections, the PIX Firewall opens an inbound port for the data channel.

FTP Fix-Up Configuration
pixfirewall(config)# fixup protocol ftp [strict] port [-port]
• Defines ports for FTP connections (default = 21).
• Performs NAT in packet payload.
• Dynamically creates conduits for FTP-DATA connections.
• Logs FTP commands (when Syslog is enabled).
• When disabled:
  – Outbound standard FTP will not work.
  – Outbound passive FTP will work if not explicitly disallowed.
  – Inbound standard FTP will work if conduit exists.
  – Inbound passive FTP will not work.

pixfirewall(config)# fixup protocol ftp 2021
pixfirewall(config)# no fixup protocol ftp 21
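The payload inspection the FTP fixup performs on an outbound session, covering both the standard mode PORT command and the passive mode 227 reply, modelled in Python as an added example that is not Cisco's code. The addresses, the outbound_allowed flag and the check that a PORT address matches the client that owns the control connection are constructed assumptions of this model.

```python
import re
from dataclasses import dataclass
from typing import Optional, Tuple

# Constructed topology (not from the course): an inside FTP client whose address is
# translated by NAT on the way out, talking to an FTP server on the outside interface.
INSIDE_CLIENT = "10.0.0.5"
MAPPED_CLIENT = "192.168.0.5"
OUTSIDE_SERVER = "172.16.0.20"

# h1,h2,h3,h4,p1,p2 as carried by the PORT command and the "227 Entering Passive Mode" reply.
HOSTPORT = re.compile(r"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})")


@dataclass(frozen=True)
class Conduit:
    """A temporary data-channel opening that the fixup would create."""
    direction: str  # "inbound": server connects to client; "outbound": client connects to server
    src: str
    dst: str
    dport: int


def parse_hostport(text: str) -> Optional[Tuple[str, int]]:
    """Decode the comma-separated address/port form; the port is p1 * 256 + p2."""
    m = HOSTPORT.search(text)
    if not m:
        return None
    host = ".".join(m.group(i) for i in range(1, 5))
    port = int(m.group(5)) * 256 + int(m.group(6))
    return host, port


def encode_hostport(host: str, port: int) -> str:
    """Inverse of parse_hostport, used when the embedded address is rewritten."""
    return ",".join(host.split(".") + [str(port // 256), str(port % 256)])


def inspect_outbound_ftp(line: str, sender: str, outbound_allowed: bool = True):
    """
    Inspect one control-channel line of an outbound (inside -> outside) FTP session.
    Returns (verdict, line_to_forward, conduit); verdict is "forward", "rewrite" or "drop".
    """
    if sender == "client" and line.upper().startswith("PORT "):
        # Standard mode: the server will connect back to the address named in the payload.
        hp = parse_hostport(line)
        if hp is None or hp[0] != INSIDE_CLIENT:
            # Assumed sanity check: never open a conduit toward an address other than
            # the client that owns this control connection.
            return "drop", None, None
        _, port = hp
        # NAT the embedded private address and open a temporary inbound conduit
        # from the server to the mapped address on the negotiated port.
        rewritten = "PORT " + encode_hostport(MAPPED_CLIENT, port) + "\r\n"
        return "rewrite", rewritten, Conduit("inbound", OUTSIDE_SERVER, MAPPED_CLIENT, port)
    if sender == "server" and line.startswith("227 "):
        # Passive mode: the client will connect out to the port the server chose.
        hp = parse_hostport(line)
        if hp is None:
            return "drop", None, None
        host, port = hp
        if outbound_allowed:
            return "forward", line, None  # ordinary outbound TCP; nothing to open
        return "forward", line, Conduit("outbound", INSIDE_CLIENT, host, port)
    return "forward", line, None  # any other command or reply passes untouched
```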

Remote Shell
• Remote shell uses two channels:
  – Client-initiated command connection (TCP).
  – Server-initiated standard error connection (TCP).
• For outbound connections, the PIX Firewall opens an inbound port for standard error output.
• For inbound connections, the PIX Firewall handles remote shell as follows:
  – If outbound traffic is allowed, no special handling is required.
  – If outbound traffic is not allowed, it opens the outbound port for standard error output.

Rsh Fixup Configuration
pixfirewall(config)# fixup protocol rsh port [-port]
• Defines ports for rsh connections (default = 514).
• Dynamically opens a port for rsh standard error connections.
• If disabled:
  – Outbound rsh will not work.
  – Inbound rsh will work if conduit exists.

pixfirewall(config)# fixup protocol rsh 1540
pixfirewall(config)# no fixup protocol rsh


SQL*Net
• Initially the client connects to a well known port on the server.
• The server may assign another port or another host to serve the client.
• For outbound connections, the PIX Firewall handles SQL*Net connections as follows:
  – If outbound traffic is allowed, no special handling is required.
  – If outbound traffic is not allowed, it opens an outbound port for a redirected channel.
• For inbound connections, the PIX Firewall opens an inbound port for a redirected channel.

SQL*Net Fixup Configuration
pixfirewall(config)# fixup protocol sqlnet port [-port]
• Defines ports for SQL*Net connections (default = 1521):
  – Performs NAT in packet payload.
  – Dynamically opens a TCP port for the redirected client connection.
  – Port 1521 is the default port used by Oracle; IANA-compliant applications use port 66.
• If disabled:
  – Outbound SQL*Net is allowed if not explicitly disallowed.
  – Inbound SQL*Net is disallowed.

pixfirewall(config)# fixup protocol sqlnet 66
pixfirewall(config)# fixup protocol sqlnet 6666-6686
pixfirewall(config)# no fixup protocol sqlnet

SIP Fixup Configuration
pixfirewall(config)# fixup protocol sip port [-port]
• Enables SIP.
• Default port = 5060.
• Enables the PIX Firewall to support any SIP VoIP gateways and VoIP proxies.

pixfirewall(config)# fixup protocol sip 5060
• SIP is enabled on port 5060.

Skinny
• Used by Cisco IP phones for VoIP call signaling.
• Supported in software versions 6.0 and higher.
• The Skinny fixup operates by dynamically opening pinholes for media sessions and applying NAT to the IP addresses embedded in the signaling.
• SCCP supports IP telephony and can coexist in an H.323 environment. Application-layer inspection ensures that all SCCP signaling and media packets can traverse the PIX Firewall and interoperate with H.323 terminals.
• An IP phone and a Cisco Call Manager can now be placed on separate sides of the PIX Firewall.

Skinny Fixup Configuration
pixfirewall(config)# fixup protocol skinny port [-port]
• Enables the SCCP (skinny) protocol.
• Dynamically opens pinholes for media sessions and NAT-embedded IP addresses.
• Supports IP telephony.
• Can coexist in an H.323 environment.
• Default port is 2000.

pixfirewall(config)# fixup protocol skinny 2000
• Skinny is enabled on port 2000.

Multimedia Support


Why Multimedia Is an Issue
• Multimedia applications behave in unique ways:
  – Use dynamic ports.
  – Transmit a request using TCP and get responses in UDP or TCP.
  – Use the same port for source and destination.
• The PIX Firewall:
  – Dynamically opens and closes conduits for secure multimedia connections.
  – Supports multimedia with or without NAT.

Real-Time Streaming Protocol
• Real-time audio and video delivery protocol uses one TCP and two UDP channels.
• Transport options:
  – Real-Time Transport Protocol (RTP).
  – Real Data Transport Protocol (RDT).
• Sync or resend channel:
  – Real-Time Control Protocol (RTCP).
  – UDP resend.
• RTSP-TCP-only mode does not require special handling by the PIX Firewall.
• Supported applications:
  – Cisco IP/TV.
  – Apple QuickTime 4.
  – RealNetworks:
    • RealAudio.
    • RealPlayer.
    • RealServer.
• RDT Multicast is not supported.

Standard RTP Mode
• In standard RTP mode, RTSP uses the following three channels:
  – Control connection (TCP).
  – RTP data (simplex UDP).
  – RTCP reports (duplex UDP).
• For outbound connections, the PIX Firewall opens inbound ports for RTP data and RTCP reports.
• For inbound connections, the PIX Firewall handles standard RTP mode as follows:
  – If outbound traffic is allowed, no special handling is required.
  – If outbound traffic is not allowed, it opens outbound ports for RTP and RTCP.

RealNetworks’ RDT Mode
• In RealNetworks’ RDT mode, RTSP uses the following three channels:
  – Control connection (TCP).
  – UDP data (simplex UDP).
  – UDP resend (simplex UDP).
• For outbound connections, the PIX Firewall handles RealNetworks’ RDT mode as follows:
  – If outbound traffic is allowed, it opens an inbound port for UDP data.
  – If outbound traffic is not allowed, it opens an inbound port for UDP data and an outbound port for UDP resend.
• For inbound connections, the PIX Firewall handles RealNetworks’ RDT mode as follows:
  – If outbound traffic is allowed, it opens an inbound port for UDP resend.
  – If outbound traffic is not allowed, it opens an outbound port for UDP data and an inbound port for UDP resend.

RTSP Fixup Configuration
pixfirewall(config)# fixup protocol rtsp port [-port]
• Defines ports for RTSP connections:
  – No RTSP fixup is enabled by default (RFC 2326 port is 554).
  – RTSP dynamically opens UDP connections as required by the RTSP transport.
  – PAT and dual NAT are not currently supported.
• If disabled:
  – UDP transport modes are disallowed.
  – TCP transport modes are allowed (TCP connection rules apply).

pixfirewall(config)# fixup protocol rtsp 554
pixfirewall(config)# no fixup protocol rtsp

H.323
• Real-time multimedia communications delivery specification uses two TCP and several UDP sessions for a single “call”.
• H.323 protocols and standards:
  – H.225—Registration, Admission, and Status (RAS).
  – H.225—Call Signaling.
  – H.245—Control Signaling.
  – TPKT Header.
  – Q.931 Messages.
  – Abstract Syntax Notation (ASN.1) (PIX Firewall 5.2).
• Supported H.323 versions:
  – H.323 v1.
  – H.323 v2 (software versions 5.2 and higher).
• Supported applications:
  – Cisco Multimedia Conference Manager.
  – Microsoft NetMeeting.
  – Intel Video Phone.
  – CUseeMe Networks:
    • MeetingPoint.
    • CUseeMe Pro.
  – VocalTec:
    • Internet Phone.
    • Gatekeeper.

Configuring H.323 Fixup
pixfirewall(config)# fixup protocol h323 [h225 | ras] port [-port]
• Defines ports for H.323 connections (default = 1720).
• Performs NAT in H.323 messages as required.
• Dynamically opens TCP and UDP connections as required.
• Supports PAT.
• If disabled, H.323 applications are disallowed.

pixfirewall(config)# fixup protocol h323 1720
pixfirewall(config)# fixup protocol h323 7720-7740
pixfirewall(config)# no fixup protocol h323

Cisco IP Phones and the PIX Firewall’s DHCP Server
• Cisco IP phones:
  – Download their configurations from a TFTP server.
  – Request an IP address and the IP address of a TFTP server from a DHCP server.
• The PIX Firewall:
  – Supports DHCP option 150 for providing the IP addresses of a list of TFTP servers.
  – Supports DHCP option 66 for providing the IP address of a single TFTP server.

Attack Guards


Mail Guard
• Provides a safe conduit for Simple Mail Transfer Protocol (SMTP) connections from the outside to an inside e-mail server.
• Enables administrators to deploy a mail server within the internal network without exposing it to known security problems that exist within some mail server implementations.
• Only the SMTP commands specified in RFC 821 section 4.5.1 are allowed to a mail server.
• By default, the Cisco Secure PIX Firewall inspects port 25 connections for SMTP traffic.
• SMTP servers using ports other than port 25 must use the fixup protocol smtp command.

The following are the commands allowed for a mail server:
  – HELO
  – MAIL
  – RCPT
  – DATA
  – RSET
  – NOOP
  – QUIT

Mail Guard
pixfirewall(config)# fixup protocol smtp port [-port]
• Defines ports on which to activate Mail Guard (default = 25).
• Only allows RFC 821, section 4.5.1 commands: HELO, MAIL, RCPT, DATA, RSET, NOOP, and QUIT.
• If disabled, all SMTP commands are allowed through the firewall, and potential mail server vulnerabilities are exposed.

pixfirewall(config)# fixup protocol smtp 2525
pixfirewall(config)# fixup protocol smtp 2625-2635
pixfirewall(config)# no fixup protocol smtp 25
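The command filter Mail Guard applies, modelled in Python as an added example that is not Cisco's implementation: only the seven RFC 821 section 4.5.1 commands pass, and lines inside a DATA body are message text rather than commands. The 500 reply text and the DATA-state handling are this model's choices, and the sample session is constructed.

```python
# Minimal SMTP command set from RFC 821 section 4.5.1, the set Mail Guard permits.
ALLOWED_COMMANDS = {"HELO", "MAIL", "RCPT", "DATA", "RSET", "NOOP", "QUIT"}


class MailGuardModel:
    """Tracks one client->server SMTP stream and decides, line by line, what passes."""

    def __init__(self):
        self.in_data = False   # True while the message body that follows DATA is in flight
        self.rejected = []     # verbs that were refused, the equivalent of a Syslog record

    def inspect(self, line: str):
        """Return ("pass", line) to forward the line to the server, or ("reject", reply)
        to answer the client from the firewall and forward nothing."""
        text = line.rstrip("\r\n")
        if self.in_data:
            # Body lines are message content, not commands; a lone "." ends the body.
            if text == ".":
                self.in_data = False
            return "pass", line
        verb = text.split(None, 1)[0].upper() if text.strip() else ""
        if verb in ALLOWED_COMMANDS:
            if verb == "DATA":
                # Assumption of this model: the server accepts DATA (354 reply), so the
                # lines that follow are the body up to the terminating ".".
                self.in_data = True
            return "pass", line
        # Anything else (EHLO, VRFY, EXPN, HELP, TURN, ...) lies outside the allowed set.
        self.rejected.append(verb)
        return "reject", "500 command unrecognized\r\n"   # reply text chosen for this model


def filter_session(lines):
    """Run a whole client->server stream through one MailGuardModel; returns the verdicts."""
    guard = MailGuardModel()
    return [guard.inspect(line)[0] for line in lines]


# Constructed sample session (not captured traffic). EHLO, the ESMTP greeting, is not in
# the RFC 821 minimum set and is refused, as is VRFY outside a DATA body; the same VRFY
# string inside the body is ordinary message text and passes.
SAMPLE_SESSION = [
    "EHLO mta.example.test\r\n",
    "HELO mta.example.test\r\n",
    "MAIL FROM:<alice@example.test>\r\n",
    "RCPT TO:<bob@example.test>\r\n",
    "VRFY bob\r\n",
    "DATA\r\n",
    "Subject: hello\r\n",
    "VRFY bob\r\n",
    ".\r\n",
    "QUIT\r\n",
]

if __name__ == "__main__":
    for line, verdict in zip(SAMPLE_SESSION, filter_session(SAMPLE_SESSION)):
        print(f"{verdict:6} {line.rstrip()}")
```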


DNS Guard
• DNS Guard is always on.
• After the client does a DNS request, a dynamic conduit allows UDP packets to return from the DNS server. The default UDP timer expires in two minutes.
• The DNS server response is recognized by the firewall, which closes the dynamic UDP conduit immediately. The PIX Firewall does not wait for the UDP timer to expire.

FragGuard and Virtual Re-assembly
The FragGuard and Virtual Re-assembly feature has the following characteristics:
• Is on by default.
• Verifies each fragment set for integrity and completeness.
• Tags each fragment in a fragment set with the transport header.
• Performs full reassembly of all ICMP error messages and virtual reassembly of the remaining IP fragments that are routed through the PIX Firewall.
• Uses Syslog to log fragment overlapping and small fragment offset anomalies.

fragment Command
pixfirewall(config)# fragment size database-limit [interface]
• Sets the maximum number of packets in the fragment database.
pixfirewall(config)# fragment chain chain-limit [interface]
• Specifies the maximum number of packets into which a full IP packet can be fragmented.
pixfirewall(config)# fragment timeout seconds [interface]
• Specifies the maximum number of seconds that the PIX Firewall waits before discarding a packet that is waiting to be reassembled.

pixfirewall(config)# fragment size 1
pixfirewall(config)# fragment chain 1
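A model of the virtual reassembly checks and of the fragment chain and size limits, written in Python as an added example that is not Cisco's code: fragments are held per datagram id, overlapping fragments and an undersized first fragment are logged as anomalies, and exceeding the chain or database limit drops the set. Byte offsets, the 8-byte minimum for the first fragment and the log wording are assumptions of the model; the fragment timeout is not modelled.

```python
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class Fragment:
    frag_id: int   # IP identification shared by all pieces of one datagram
    offset: int    # byte offset of this piece's payload within the original datagram
    length: int    # payload bytes carried by this piece
    more: bool     # IP "more fragments" flag; False marks the last piece


class FragGuardModel:
    """Virtual reassembly: hold pieces per frag_id, validate them, release when complete."""

    # Assumed minimum for the first piece so that it carries the transport header
    # (8 bytes covers a UDP header or the TCP port fields); anything smaller is
    # treated as the "small fragment offset" anomaly the slide refers to.
    MIN_FIRST_FRAGMENT = 8

    def __init__(self, chain_limit: int = 24, database_limit: int = 200):
        self.chain_limit = chain_limit          # fragment chain chain-limit
        self.database_limit = database_limit    # fragment size database-limit
        self.sets: Dict[int, List[Fragment]] = {}
        self.log: List[str] = []                # stands in for the Syslog messages

    @staticmethod
    def _overlaps(chain: List[Fragment], frag: Fragment) -> bool:
        end = frag.offset + frag.length
        return any(f.offset < end and frag.offset < f.offset + f.length for f in chain)

    @staticmethod
    def _complete(chain: List[Fragment]) -> bool:
        last = [f for f in chain if not f.more]
        if not last:
            return False
        covered = 0
        for f in sorted(chain, key=lambda f: f.offset):
            if f.offset != covered:   # a gap; overlaps were already rejected on arrival
                return False
            covered += f.length
        return covered == last[0].offset + last[0].length

    def accept(self, frag: Fragment) -> str:
        """Returns "hold" (waiting for more pieces), "complete" (set released) or "drop"."""
        held = sum(len(c) for c in self.sets.values())
        if held >= self.database_limit:
            self.log.append(f"fragment database full, dropping id {frag.frag_id}")
            return "drop"
        chain = self.sets.setdefault(frag.frag_id, [])
        if len(chain) + 1 > self.chain_limit:
            self.log.append(f"chain limit {self.chain_limit} exceeded for id {frag.frag_id}")
            del self.sets[frag.frag_id]
            return "drop"
        if self._overlaps(chain, frag):
            self.log.append(f"overlapping fragment at offset {frag.offset} for id {frag.frag_id}")
            del self.sets[frag.frag_id]
            return "drop"
        if frag.offset == 0 and frag.more and frag.length < self.MIN_FIRST_FRAGMENT:
            self.log.append(f"small first fragment ({frag.length} bytes) for id {frag.frag_id}")
            del self.sets[frag.frag_id]
            return "drop"
        chain.append(frag)
        if self._complete(chain):
            del self.sets[frag.frag_id]   # the whole datagram can now be forwarded
            return "complete"
        return "hold"
```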

AAA Flood Guard
pixfirewall(config)# floodguard enable | disable
• Reclaims attacked or overused AAA resources to help prevent DoS attacks on AAA services (default = enabled).

pixfirewall(config)# floodguard enable


SYN Flood Attack

• The attacker spoofs a nonexistent source IP address and floods the target with SYN packets.
• The target responds to the SYN packets by sending SYN-ACK packets to the spoofed hosts.
• The target overflows its port buffer with embryonic connections and stops responding to legitimate requests.


SYN Flood Guard Configuration
pixfirewall(config)# static [(prenat_interface, postnat_interface)] mapped_address | interface real_address [dns] [netmask mask] [norandomseq] [connection_limit [em_limit]]
• For inbound connections:
  – Use the em_limit to limit the number of embryonic connections.
  – Set the limit to a number lower than the server can handle.
pixfirewall(config)# nat [(if-name)] id address [netmask [outside] [dns] [norandomseq] [timeout hh:mm:ss] [conn_limit [em_limit]]]
• For outbound connections:
  – Use the em_limit to limit the number of embryonic connections.
  – Set the limit to a number lower than the server can handle.

pixfirewall(config)# nat (inside) 1 0 0 0 10000
pixfirewall(config)# static (inside,outside) 192.168.0.11 172.16.0.2 0 1000

TCP Intercept

pixfirewall(config)# static (inside,outside) 192.168.0.10 10.0.0.11 netmask 255.255.255.255 1000 100


Intrusion Detection


Intrusion Detection

• Ability to detect attacks against networks.
• Three types of network attacks:
  – Reconnaissance
  – Access
  – Denial of service


Signatures

A signature is a set of rules pertaining to typical intrusion activity that, when matched, generates a unique response. The following signature classes are supported by the PIX Firewall:
• Informational—Triggers on normal network activity that in itself is not considered to be malicious, but can be used to determine the validity of an attack or for forensic purposes.
• Attack—Triggers on an activity known to be, or that could lead to, unauthorized data retrieval, system access, or privileged escalation.

Intrusion Detection in the PIX Firewall

Configure IDS
pixfirewall(config)# ip audit name audit_name info [action [alarm] [drop] [reset]]
• Creates a policy for informational signatures.
pixfirewall(config)# ip audit name audit_name attack [action [alarm] [drop] [reset]]
• Creates a policy for attack signatures.
pixfirewall(config)# ip audit interface if_name audit_name
• Applies a policy to an interface.

pixfirewall(config)# ip audit name ATTACKPOLICY attack action alarm reset
pixfirewall(config)# ip audit interface outside ATTACKPOLICY
• When the PIX Firewall detects an attack signature on its outside interface, it reports an event to all configured Syslog servers, drops the offending packet, and closes the connection if it is part of an active connection.

Specify Default Actions for Signatures
pixfirewall(config)# ip audit attack [action [alarm] [drop] [reset]]
• Specifies the default actions for attack signatures.

pixfirewall(config)# ip audit info [action [alarm] [drop] [reset]]
• Specifies the default actions for informational signatures.

pixfirewall(config)# ip audit info action alarm drop
• When the PIX Firewall detects an info signature, it reports an event to all configured Syslog servers and drops the offending packet.


Disable Intrusion Detection Signatures
pixfirewall(config)# ip audit signature signature_number disable
• Excludes a signature from auditing.

pixfirewall(config)# ip audit signature 6102 disable
• Disables signature 6102.


Shunning


shun Command
pixfirewall(config)# shun src_ip [dst_ip sport dport [protocol]]
• Applies a blocking function to an interface under attack.

pixfirewall(config)# shun 172.26.26.45
• No further traffic from 172.26.26.45 is allowed.


Shunning an Attacker

pixfirewall(config)# shun 172.26.26.45 192.168.0.10 4000 53

Syslog Configuration


Configure Syslog Output to a Syslog Server

Syslog Messages

The PIX Firewall sends Syslog messages to document the following events:
• Security
• Resources
• System
• Accounting


Configure Message Output to the PIX Firewall Buffer
pixfirewall(config)# logging on
• Enables logging.
pixfirewall(config)# clear logging
• Clears the internal buffer.
pixfirewall(config)# logging buffered level
• Sends Syslog messages to an internal buffer.
pixfirewall(config)# logging message syslog_id
• Enables a specific Syslog message.
pixfirewall(config)# show logging
• Displays messages from the internal buffer.
pixfirewall(config)# logging standby
• Allows a standby unit to send Syslog messages.


Configure Message Output to a Syslog Server
pixfirewall(config)# logging on
• Enables logging.
pixfirewall(config)# logging host [in_if_name] ip_address [protocol/port]
• Designates the Syslog host server.
pixfirewall(config)# logging trap level
• Sets the logging level.

Configure Message Output to a Syslog Server (cont.)
pixfirewall(config)# logging facility facility
• Sets the facility marked on all messages.
pixfirewall(config)# logging timestamp
• Starts and stops sending timestamped messages.


SNMP


SNMP Overview
• SNMP facilitates the exchange of management information between network devices.
• Devices managed by SNMP send information to a management server from which an administrator manages and monitors the device.
• SNMP can be used to monitor system events on the PIX Firewall.
• For security reasons, information on the PIX Firewall cannot be changed with SNMP.
• SNMP can be enabled through the PIX Firewall so that any device can be managed and monitored by a management server on a PIX Firewall interface other than that on which it resides.
• SNMP is a request and response protocol. The following SNMP operations rely on Management Information Bases (MIBs)

MIB Support

The Cisco Firewall MIB, Cisco Memory Pool MIB, and Cisco Process MIB provide the following PIX Firewall information through SNMP:
• Buffer use from the show block command.
• Connection count from the show conn command.
• CPU use through the show cpu usage command.
• Failover status.
• Memory use from the show memory command.


SNMP to the PIX Firewall
pixfirewall(config)# snmp-server host [if_name] ip_addr [trap | poll]
• Identifies the management station.
pixfirewall(config)# snmp-server community key
• Configures the SNMP community string, a shared secret among the NMS and the managed devices.
pixfirewall(config)# snmp-server enable traps
• Enables sending log messages as SNMP trap notifications.

pixfirewall(config)# logging on
pixfirewall(config)# logging history debugging
pixfirewall(config)# snmp-server host inside 10.0.0.11
pixfirewall(config)# snmp-server community OURCOMMUNITY
pixfirewall(config)# snmp-server enable traps

SNMP Through the PIX Firewall

pixfirewall(config)# static (inside,outside) 192.168.0.10 10.0.0.11 netmask 255.255.255.255
pixfirewall(config)# access-list TRAPSIN permit udp host 192.168.0.19 host 192.168.0.10 eq snmptrap
pixfirewall(config)# access-group TRAPSIN in interface outside

pixfirewall(config)# static (inside,outside) 192.168.0.10 10.0.0.11 netmask 255.255.255.255
pixfirewall(config)# access-list POLLIN permit udp host 192.168.0.19 host 192.168.0.10 eq snmp
pixfirewall(config)# access-group POLLIN in interface outside

Summary


Summary

• The fixup command enables you to view, change, enable, or disable the use of a service or protocol.
• The PIX Firewall uses special handling for the following advanced protocols: FTP, rsh, and SQL*Net.
• The PIX Firewall handles the following multimedia protocols: RTSP and H.323.
• The PIX Firewall’s SIP fixup supports call handling sessions.
• The PIX Firewall’s skinny fixup supports VoIP call signaling.
• You can change the port value for each protocol including the multimedia protocols; however, you should not change the port values for rsh and SIP.


Summary (cont.)
• The PIX Firewall has the following attack guards to help protect systems from malicious attacks: Mail Guard, DNS Guard, Fragmentation Guard, AAA Flood Guard, and SYN Flood Defender.
• PIX Firewall software versions 5.2 and higher support intrusion detection.
• Intrusion detection is the ability to detect attacks against a network, including the following: reconnaissance, access, and DoS.
• The PIX Firewall supports signature-based intrusion detection.

Summary (cont.)

• Each signature can generate a unique alarm and response.
• Informational signatures collect information to help determine the validity of an attack, or for forensics.
• Attack signatures trigger on an activity known to be, or that could lead to, unauthorized data retrieval, system access, or privileged escalation.
• The PIX Firewall can be configured to shun the source address of attacking hosts.
• The PIX Firewall can send Syslog messages to a Syslog server.
