Network Security (Part 2) · Router (NAT) Proxy server Email server Web server DMZ FTP server Firewall (Statefull) Bob Alice: n S t a t e f u l f i r e w a l l N e t w o r k S e c

Au

tho

r:

Bill

Buchanan

A

uth

or:

B

ill B

uchanan

Sta

tefu

l fire

wa

llN

etw

ork

Se

cu

rity

Stateful firewall

PIX

/AS

A C

on

fig

Ne

two

rk S

ecu

rity

PIX/ASA

Author: Prof Bill BuchananAuthor: Prof Bill Buchanan

Network Security (Part 2)Professional Certification

NetworkSims

PIX/ASA Configuration· Interfaces.

· Fixup.

· Static Routes.

· Access-lists.

· Failover.

· VPN.

Au

tho

r:

Bill

Buchanan

A

uth

or:

B

ill B

uchanan

Sta

tefu

l fire

wa

llN

etw

ork

Se

cu

rity

Stateful firewall

PIX

/AS

A C

on

fig

Ne

two

rk S

ecu

rity

PIX/ASA

Author: Prof Bill Buchanan

Intr

od

uctio

nN

etw

ork

Se

cu

rity


CIA and AAA

Applications

(Integrated Security)

Application Communications

(TCP, IP, and so on)

Services

(Integrated Security)

Network Infrastructure

(Firewalls, Proxies, and so on)

Integration between the levels

often causes the most problems

Co

nfid

en

tia

lity

Inte

grity

Assu

ran

ce

Au

the

ntic

atio

n

Au

tho

riza

tion

Acco

un

ting

CIA AAA

Eve

Bob Alice

Eve

Au

tho

r:

Bill

Buchanan

A

uth

or:

B

ill B

uchanan

Sta

tefu

l fire

wa

llN

etw

ork

Se

cu

rity

Stateful firewall

PIX

/AS

A C

on

fig

Ne

two

rk S

ecu

rity

PIX/ASA


Intr

od

uctio

nN

etw

ork

Se

cu

rity


Example Infrastructure

Intrusion

Detection

System

Intrusion

Detection

System

Firewall

Firewall

Internet

Switch

Router

Proxy

server

Email

server

Web

server

FTP

server

Switch

Bob Alice

Au

tho

r:

Bill

Buchanan

A

uth

or:

B

ill B

uchanan

Sta

tefu

l fire

wa

llN

etw

ork

Se

cu

rity

Stateful firewall

PIX

/AS

A C

on

fig

Ne

two

rk S

ecu

rity

PIX/ASA


Intr

od

uctio

nN

etw

ork

Se

cu

rity



Intrusion

Detection

System

Intrusion

Detection

System

Firewall (Packet

filter)

Internet

Switch

Router (NAT)

Proxy

server

Email

server

Web

serverDMZ

FTP

server

Firewall

(Statefull)

Bob

Alice

Au

tho

r:

Bill

Buchanan

A

uth

or:

B

ill B

uchanan

Sta

tefu

l fire

wa

llN

etw

ork

Se

cu

rity

Stateful firewall

PIX

/AS

A C

on

fig

Ne

two

rk S

ecu

rity

PIX/ASA


Intr

od

uctio

nN

etw

ork

Se

cu

rity



Intrusion

Detection

System

Intrusion

Detection

System

Cisco

PIX

Cisco

Firewall

Internet

Cisco

Switch

Router

(NAT)

Proxy

server

Email

server

Web

serverDMZ

FTP

server

Cisco

ASA 5500

Alice

Bob

Au

tho

r:

Bill

Buchanan

A

uth

or:

B

ill B

uchanan

Sta

tefu

l fire

wa

llN

etw

ork

Se

cu

rity

Stateful firewall

PIX

/AS

A C

on

fig

Ne

two

rk S

ecu

rity

PIX/ASA


Intr

od

uctio

nN

etw

ork

Se

cu

rity



Application

(FTP, Telnet, etc)

L4. Transport

(TCP)

L3. Internet (IP)

L2. Network

(Ethernet)Intrusion

Detection

System

Firewall

(Packet filter)

Internet

Switch

Router (NAT)

Proxy

server

Email

server

Web

server

DMZ

FTP

server

Firewall

(Stateful)

Physical security requires restricted

areas and padlocked equipment

Bob

VLAN 1 VLAN 2Restricted

areas

Restricted

areas

Au

tho

r:

Bill

Buchanan

A

uth

or:

B

ill B

uchanan

Sta

tefu

l fire

wa

llN

etw

ork

Se

cu

rity

Stateful firewall

PIX

/AS

A C

on

fig

Ne

two

rk S

ecu

rity

PIX/ASA


Intr

od

uctio

nN

etw

ork

Se

cu

rity



Application

(FTP, Telnet, etc)

L4. Transport

(TCP)

L3. Internet (IP)

L2. Network

(Ethernet)Intrusion

Detection

System

Firewall

(Packet filter)

Internet

Switch

Router (NAT)

Proxy

server

Email

server

Web

server

DMZ

FTP

server

Firewall

(Stateful)

Different VLANs cannot communication

directly, and need to go through a router

to communicate

Bob

VLAN 1 VLAN 2

Au

tho

r:

Bill

Buchanan

A

uth

or:

B

ill B

uchanan

Sta

tefu

l fire

wa

llN

etw

ork

Se

cu

rity

Stateful firewall

PIX

/AS

A C

on

fig

Ne

two

rk S

ecu

rity

PIX/ASA


Intr

od

uctio

nN

etw

ork

Se

cu

rity



Intrusion

Detection

System

Firewall

(Packet filter)

Internet

Switch

Router (NAT)

Proxy

server

Email

server

Web

server

DMZ

FTP

server

Firewall

(Stateful)

Different VLANs cannot communication

directly, and need to go through a router

to communicate

Bob

VLAN 1 VLAN 2

VLAN 1

802.1q

Trunk

Au

tho

r:

Bill

Buchanan

A

uth

or:

B

ill B

uchanan

Sta

tefu

l fire

wa

llN

etw

ork

Se

cu

rity

Stateful firewall

PIX

/AS

A C

on

fig

Ne

two

rk S

ecu

rity

PIX/ASA


Intr

od

uctio

nN

etw

ork

Se

cu

rity



Application

(FTP, Telnet, etc)

L4. Transport

(TCP)

L3. Internet (IP)

L2. Network

(Ethernet)Intrusion

Detection

System

Intrusion

Detection

System

Firewall

(Packet filter)

Internet

Switch

Router (NAT)

Proxy

server

Email

server

Web

server

DMZ

FTP

server

Firewall

(Stateful)

Screening Firewalls

filter for IP and TCP packet details, such

as addresses and TCP ports, for

incoming/outgoing traffic

Bob

Alice

Au

tho

r:

Bill

Buchanan

A

uth

or:

B

ill B

uchanan

Sta

tefu

l fire

wa

llN

etw

ork

Se

cu

rity

Stateful firewall

PIX

/AS

A C

on

fig

Ne

two

rk S

ecu

rity

PIX/ASA


Intr

od

uctio

nN

etw

ork

Se

cu

rity



Application

(FTP, Telnet, etc)

L4. Transport

(TCP)

L3. Internet (IP)

L2. Network

(Ethernet)Intrusion

Detection

System

Intrusion

Detection

System

Firewall

(Packet filter)

Internet

Switch

Router (NAT)

Proxy

server

Email

server

Web

server

DMZ

FTP

server

Firewall

(Stateful)

Stateful Firewalls

filter for Application, IP and TCP packet

details. They remember previous data

packets, and keep track of connections

Alice

Bob

Au

tho

r:

Bill

Buchanan

A

uth

or:

B

ill B

uchanan

Sta

tefu

l fire

wa

llN

etw

ork

Se

cu

rity

Stateful firewall

PIX

/AS

A C

on

fig

Ne

two

rk S

ecu

rity

PIX/ASA


Intr

od

uctio

nN

etw

ork

Se

cu

rity



Intrusion

Detection

System

Intrusion

Detection

System

Firewall

(Packet filter)

Internet

Switch

Router (NAT)

Proxy

server

Email

server

Web

server

DMZ

FTP

server

Firewall

(Stateful)

All Application-layer traffic goes

through the Proxy (eg FTP,

Telnet, and so on) – aka

Application Gateways

Application

(FTP, Telnet, etc)

L4. Transport

(TCP)

L3. Internet (IP)

L2. Network

(Ethernet)

Alice

Bob

Au

tho

r:

Bill

Buchanan

A

uth

or:

B

ill B

uchanan

Sta

tefu

l fire

wa

llN

etw

ork

Se

cu

rity

Stateful firewall

PIX

/AS

A C

on

fig

Ne

two

rk S

ecu

rity

PIX/ASA


Intr

od

uctio

nN

etw

ork

Se

cu

rity

Firewalls

Runs within:

Windows Server,

VMWare

LINUX

CheckPoint

firewall

(software)

Host-based:

Zone alarm

CheckPoint firewall

(dedicated)

Nokia

LINUX

iptables

Software firewallHardware firewall

Cisco PIX/ASA

(stateful)

Cisco router

With firewall

(non-stateful)

Software firewall:

· Easy to reconfigure

· Slower

· Less expensive

· Can be used with a range of computers/OSs

Hardware firewall:

· Optimized engine/architecture

· Copes better with large traffic conditions

· Improved failover

Au

tho

r:

Bill

Buchanan

A

uth

or:

B

ill B

uchanan

Sta

tefu

l fire

wa

llN

etw

ork

Se

cu

rity

Stateful firewall

PIX

/AS

A C

on

fig

Ne

two

rk S

ecu

rity

PIX/ASA


Sta

tefu

l fire

wa

llN

etw

ork

Se

cu

rity

Stateful firewall

Firewall rules. These are contained within ACLs

(using the access-list and access-group

commands), and block or permit traffic. A key feature

of this is the usage of URL filtering which defines

the Web pages which are allowed and which are not.

Port blocking. These use the fixup command to

change, enable or disable network services.

Intrusion detection.

These use the ip audit

command to detect

intrusions.

Shunning. This, along

with intrusion detection,

allows a defined

response to an

intrusion.

Encryption. This allows the PIX firewall to

support enhanced encryption, such as

being a server for VPN connections,

typically with IPSec and tunnelling

techniques such as PPTP.

Cut-through proxy. This allows the definition of the

users who are allowed services such as HTTP, Telnet

and FTP. This authentication is a single initial

authentication, which differs from the normal proxy

operation which checks every single packet.Bob

Failover. This allows other

devices to detect that a PIX

device has crashed, and that

another device needs to take its

place.

Au

tho

r:

Bill

Buchanan

A

uth

or:

B

ill B

uchanan

Sta

tefu

l fire

wa

llN

etw

ork

Se

cu

rity

Stateful firewall

PIX

/AS

A C

on

fig

Ne

two

rk S

ecu

rity

PIX/ASA


Sta

tefu

l fire

wa

llN

etw

ork

Se

cu

rity

Stateful firewall

Remote office – PIX 506E. This

has a 300MHz processor with

32MB RAM, and handles a

throughput of 20Mbps for a

maximum of 25,000

connections. It does not

support failover, and has two

connections.

515E – R

515E – U

· Integrated accelerator

· Failover support.

· More LAN.

· VPN acceleration.

Medium-sized office – PIX 515E. This has a

433MHz processor with 32/64MB RAM, and

handles a throughput of 188Mbps for a

maximum of 130,000 connections. It supports

failover, and has the support for up to six

connections.Max throughput: 188Mbps, 3-DES Throughput: 22Mbps

AES Throughput: 63Mbps (100Mbps - accell)

Access: VPN Accellerator (DES/3DES), Failover cable, 4-

port FE (PCI), 1-port GE (PCI).

Small office – PIX 501. This

has a 133MHz processor with



maximum of 7,500 connections.

It does not support failover, and

has one external connection,

and a switch for inside

connections.

Au

tho

r:

Bill

Buchanan

A

uth

or:

B

ill B

uchanan

Sta

tefu

l fire

wa

llN

etw

ork

Se

cu

rity

Stateful firewall

PIX

/AS

A C

on

fig

Ne

two

rk S

ecu

rity

PIX/ASA


Sta

tefu

l fire

wa

llN

etw

ork

Se

cu

rity

Stateful firewall

Enterprise – PIX 525. This has

a 600MHz processor with



maximum of 280,000

connections. It supports

failover, and has the support for

up to eight connections.

ASA 5520

Intel Pentium 4, 2GHz

512MB RAM

PIX 7.x, ASA 8.x IOS

8 interfaces

Integrated VPN

SSL VPN

Throughput: 450Mbps

3DES: 225Mbps

Max conn: 280,000

VPN peers: 750

Enterprise – PIX 535. This has

a 1GHz processor with 1GB

RAM, and handles a throughput

of 1Gbps for a maximum of

500,000 connections. It

supports failover, and has the

support for up to ten network

interfaces.

Au

tho

r:

Bill

Buchanan

A

uth

or:

B

ill B

uchanan

Sta

tefu

l fire

wa

llN

etw

ork

Se

cu

rity

Stateful firewall

PIX

/AS

A C

on

fig

Ne

two

rk S

ecu

rity

PIX/ASA


Ne

two

rk S

ec

uri

ty

PIX/ASA Configuration

Au

tho

r:

Bill

Buchanan

A

uth

or:

B

ill B

uchanan

Sta

tefu

l fire

wa

llN

etw

ork

Se

cu

rity

Stateful firewall

PIX

/AS

A C

on

fig

Ne

two

rk S

ecu

rity

PIX/ASA


Sta

tefu

l fire

wa

llN

etw

ork

Se

cu

rity

Stateful firewall

PIX

/AS

A C

on

fig

Ne

two

rk S

ecu

rity

PIX/ASA firewall

Intrusion

Detection System

Cisco

PIX

Gateway

Proxy

server

Email

server

Web

server

DMZ

FTP

server

E0 –

Name: outside

Security = 0

E1

Name: inside

Security: 100E2 – inf2

Name: inf2

Security: 50

Trusted

Untrusted

Eve

By default:

Traffic on a lower

security level cannot flow

from a lower level to a

higher one

Traffic from Inside to

DMZ: not allowed

Traffic from Inside to

DMZ: allowed

Au

tho

r:

Bill

Buchanan

A

uth

or:

B

ill B

uchanan

Sta

tefu

l fire

wa

llN

etw

ork

Se

cu

rity

Stateful firewall

PIX

/AS

A C

on

fig

Ne

two

rk S

ecu

rity

PIX/ASA


Sta

tefu

l fire

wa

llN

etw

ork

Se

cu

rity

Stateful firewall

PIX

/AS

A C

on

fig

Ne

two

rk S

ecu

rity

PIX/ASA firewall

Intrusion

Detection System

Cisco

PIX

(192.168.0.1/24)

Proxy

server

Email

server

Web

server

DMZ

FTP

server

(10.0.0.1/16)

(172.16.0.1/24)

Trusted

Untrusted

(192.168.0.2/24)

(10.0.0.2/16)

(172.16.0.2/24)

Global pool

192.168.0.20-

192.168.0.254

Hosts in the DMZ are

accessed from addresses

from a global pool.

NAT mapping:

192.168.0.20 -> 172.16.0.2

Au

tho

r:

Bill

Buchanan

A

uth

or:

B

ill B

uchanan

Sta

tefu

l fire

wa

llN

etw

ork

Se

cu

rity

Stateful firewall

PIX

/AS

A C

on

fig

Ne

two

rk S

ecu

rity

PIX/ASA


Sta

tefu

l fire

wa

llN

etw

ork

Se

cu

rity

Stateful firewall

PIX

/AS

A C

on

fig

Ne

two

rk S

ecu

rity

PIX/ASA firewall (ASDM)

Au

tho

r:

Bill

Buchanan

A

uth

or:

B

ill B

uchanan

Sta

tefu

l fire

wa

llN

etw

ork

Se

cu

rity

Stateful firewall

PIX

/AS

A C

on

fig

Ne

two

rk S

ecu

rity

PIX/ASA


Sta

tefu

l fire

wa

llN

etw

ork

Se

cu

rity

Stateful firewall

PIX

/AS

A C

on

fig

Ne

two

rk S

ecu

rity

PIX/ASA firewall (ASDM)

Au

tho

r:

Bill

Buchanan

A

uth

or:

B

ill B

uchanan

Sta

tefu

l fire

wa

llN

etw

ork

Se

cu

rity

Stateful firewall

PIX

/AS

A C

on

fig

Ne

two

rk S

ecu

rity

PIX/ASA


Sta

tefu

l fire

wa

llN

etw

ork

Se

cu

rity

Stateful firewall

PIX

/AS

A C

on

fig

Ne

two

rk S

ecu

rity

PIX/ASA firewall

E0 (outside)

E1 (inside)

E2 (inf2)

# config t (config)# hostname freds(config)# domain-name fred.com(config)# ip address outside 192.168.1.1 255.255.255.0(config)# interface e0 auto

PIX 6.x

(config)# hostname freds(config)# domain-name fred.com(config)# int e0(config-if)# ip address 192.168.2.1 255.255.255.0(config-if)# no shutdown(config-if)# exit

PIX/ASA 7.x/8.x

Au

tho

r:

Bill

Buchanan

A

uth

or:

B

ill B

uchanan

Sta

tefu

l fire

wa

llN

etw

ork

Se

cu

rity

Stateful firewall

PIX

/AS

A C

on

fig

Ne

two

rk S

ecu

rity

PIX/ASA


Sta

tefu

l fire

wa

llN

etw

ork

Se

cu

rity

Stateful firewall

PIX

/AS

A C

on

fig

Ne

two

rk S

ecu

rity

PIX/ASA firewall

E0 (outside)

E1 (inside)

E2 (inf2)

# config t (config)# hostname freds(config)# domain-name fred.com(config)# ip address outside 192.168.1.1 255.255.255.0(config)# interface e0 auto

PIX 6.x

(config)# hostname freds(config)# domain-name fred.com(config)# int e0(config-if)# ip address 192.168.2.1 255.255.255.0(config-if)# no shutdown(config-if)# exit

PIX/ASA 7.x/8.x

Au

tho

r:

Bill

Buchanan

A

uth

or:

B

ill B

uchanan

Sta

tefu

l fire

wa

llN

etw

ork

Se

cu

rity

Stateful firewall

PIX

/AS

A C

on

fig

Ne

two

rk S

ecu

rity

PIX/ASA


Sta

tefu

l fire

wa

llN

etw

ork

Se

cu

rity

Stateful firewall

PIX

/AS

A C

on

fig

Ne

two

rk S

ecu

rity

PIX/ASA firewall

E0 (outside) E1 (inside)

E2 (inf2)

> enable# nameif# config t (config)# nameif e0 mars security0(config)# nameif e1 pluto security100(config)# nameif e2 jupiter security50(config)# username fred password bert(config)# exit

PIX 6.x

(config)# int e0(config-if)# nameif mars(config-if)# security 0(config-if)# no shutdown(config)# int e1(config-if)# nameif inf2(config-if)# security 100(config-if)# no shutdown

PIX/ASA 7.x/8.x

Au

tho

r:

Bill

Buchanan

A

uth

or:

B

ill B

uchanan

Sta

tefu

l fire

wa

llN

etw

ork

Se

cu

rity

Stateful firewall

PIX

/AS

A C

on

fig

Ne

two

rk S

ecu

rity

PIX/ASA


Sta

tefu

l fire

wa

llN

etw

ork

Se

cu

rity

Stateful firewall

PIX

/AS

A C

on

fig

Ne

two

rk S

ecu

rity

Configuring the interfaces


E2 (inf2)

myPIX (config)# nameif e0 gretna security0myPIX (config)# nameif e1 alabama security100myPIX (config)# nameif e2 uranus security50myPIX (config)# show nameifmyPIX (config)# interface e0 auto shutmyPIX (config)# interface e1 auto shutmyPIX (config)# interface e2 auto shutmyPIX (config)# show intmyPIX (config)# show int e0myPIX (config)# show int e1myPIX (config)# show int e2

PIX 6.x

(config)# int e0(config-if)# nameif gretna (config-if)# security 0(config-if)# shutdown(config)# int e1(config-if)# nameif alabama (config-if)# security 100(config-if)# shutdown

PIX/ASA 7.x/8.x

Au

tho

r:

Bill

Buchanan

A

uth

or:

B

ill B

uchanan

Sta

tefu

l fire

wa

llN

etw

ork

Se

cu

rity

Stateful firewall

PIX

/AS

A C

on

fig

Ne

two

rk S

ecu

rity

PIX/ASA


Sta

tefu

l fire

wa

llN

etw

ork

Se

cu

rity

Stateful firewall

PIX

/AS

A C

on

fig

Ne

two

rk S

ecu

rity

PIX/ASA firewall

E0 (outside)

E1 (inside)

E2 (inf2)

Au

tho

r:

Bill

Buchanan

A

uth

or:

B

ill B

uchanan

Sta

tefu

l fire

wa

llN

etw

ork

Se

cu

rity

Stateful firewall

PIX

/AS

A C

on

fig

Ne

two

rk S

ecu

rity

PIX/ASA


Sta

tefu

l fire

wa

llN

etw

ork

Se

cu

rity

Stateful firewall

PIX

/AS

A C

on

fig

Ne

two

rk S

ecu

rity

Setting the default route


E2 (inf2)

myPIX (config)# banner motd admin devicemyPIX (config)# banner login personal devicemyPIX (config)# banner exec main device


Au

tho

r:

Bill

Buchanan

A

uth

or:

B

ill B

uchanan

Sta

tefu

l fire

wa

llN

etw

ork

Se

cu

rity

Stateful firewall

PIX

/AS

A C

on

fig

Ne

two

rk S

ecu

rity

PIX/ASA


Ne

two

rk S

ec

uri

ty

PIX/ASA Routes

Au

tho

r:

Bill

Buchanan

A

uth

or:

B

ill B

uchanan

Sta

tefu

l fire

wa

llN

etw

ork

Se

cu

rity

Stateful firewall

PIX

/AS

A C

on

fig

Ne

two

rk S

ecu

rity

PIX/ASA


Sta

tefu

l fire

wa

llN

etw

ork

Se

cu

rity

Stateful firewall

PIX

/AS

A C

on

fig

Ne

two

rk S

ecu

rity

Setting the default route


E2 (inf2)

myPIX (config)# route outside 10.0.0.0 255.255.0.0 10.1.1.254


Au

tho

r:

Bill

Buchanan

A

uth

or:

B

ill B

uchanan

Sta

tefu

l fire

wa

llN

etw

ork

Se

cu

rity

Stateful firewall

PIX

/AS

A C

on

fig

Ne

two

rk S

ecu

rity

PIX/ASA


Sta

tefu

l fire

wa

llN

etw

ork

Se

cu

rity

Stateful firewall

PIX

/AS

A C

on

fig

Ne

two

rk S

ecu

rity

Setting routes

E0

E1E2

(config)# route outside 10.0.0.0 255.255.0.0 10.1.1.254 1(config)# interface Ethernet0(config-if)# nameif outside(config-if)# security-level 0(config-if)# ip address 10.1.1.1 255.255.255.0(config-if)# interface Ethernet1(config-if)# nameif inside(config-if)# security-level 100(config-if)# ip address 192.168.2.1 255.255.255.0(config-if)# interface Ethernet2(config-if)# nameif dmz(config-if)# security-level 50(config-if)# ip address 172.10.10.1 255.255.255.0# sh routeS 10.0.0.0 255.255.0.0 [1/0] via 10.1.1.254, outsideC 10.1.1.0 255.255.255.0 is directly connected, outsideC 192.168.1.0 255.255.255.0 is directly connected, managementC 172.10.10.0 255.255.255.0 is directly connected, dmzC 192.168.2.0 255.255.255.0 is directly connected, inside

Perimeter

gateway


192.168.2.1

192.168.2.5

192.168.2.3

176.10.1.1

176.10.1.2

10.1.1.1

10.1.1.254

172.10.10.2

172.10.10.1

Au

tho

r:

Bill

Buchanan

A

uth

or:

B

ill B

uchanan

Sta

tefu

l fire

wa

llN

etw

ork

Se

cu

rity

Stateful firewall

PIX

/AS

A C

on

fig

Ne

two

rk S

ecu

rity

PIX/ASA


Sta

tefu

l fire

wa

llN

etw

ork

Se

cu

rity

Stateful firewall

PIX

/AS

A C

on

fig

Ne

two

rk S

ecu

rity

Setting routes

E0

E1E2

(config)# route outside 10.0.0.0 255.255.0.0 10.1.1.254 1(config)# interface Ethernet0(config-if)# nameif outside(config-if)# security-level 0(config-if)# ip address 10.1.1.1 255.255.255.0(config-if)# interface Ethernet1(config-if)# nameif inside(config-if)# security-level 100(config-if)# ip address 192.168.2.1 255.255.255.0(config-if)# interface Ethernet2(config-if)# nameif dmz(config-if)# security-level 50(config-if)# ip address 172.10.10.1 255.255.255.0# sh routeS 10.0.0.0 255.255.0.0 [1/0] via 10.1.1.254, outsideC 10.1.1.0 255.255.255.0 is directly connected, outsideC 192.168.1.0 255.255.255.0 is directly connected, managementC 172.10.10.0 255.255.255.0 is directly connected, dmzC 192.168.2.0 255.255.255.0 is directly connected, inside

Perimeter

gateway


192.168.2.1

192.168.2.5

192.168.2.3

176.10.1.1

176.10.1.2

10.1.1.1

10.1.1.254

172.10.10.2

172.10.10.1

Au

tho

r:

Bill

Buchanan

A

uth

or:

B

ill B

uchanan

Sta

tefu

l fire

wa

llN

etw

ork

Se

cu

rity

Stateful firewall

PIX

/AS

A C

on

fig

Ne

two

rk S

ecu

rity

PIX/ASA


Sta

tefu

l fire

wa

llN

etw

ork

Se

cu

rity

Stateful firewall

PIX

/AS

A C

on

fig

Ne

two

rk S

ecu

rity

Setting routes

(config)# route inside 176.10.1.0 255.255.255.0 192.168.2.3 1# sh route

S 10.0.0.0 255.255.0.0 [1/0] via 10.1.1.254, outsideC 10.1.1.0 255.255.255.0 is directly connected, outsideC 172.10.10.0 255.255.255.0 is directly connected, dmzS 176.10.1.0 255.255.255.0 [1/0] via 192.168.2.3, insideC 192.168.1.0 255.255.255.0 is directly connected, managementC 192.168.2.0 255.255.255.0 is directly connected, inside


E0

E1E2

Perimeter

gateway

192.168.2.1

192.168.2.5

192.168.2.3

176.10.1.1

176.10.1.2

10.1.1.1

10.1.1.254

172.10.10.2

172.10.10.1

Au

tho

r:

Bill

Buchanan

A

uth

or:

B

ill B

uchanan

Sta

tefu

l fire

wa

llN

etw

ork

Se

cu

rity

Stateful firewall

PIX

/AS

A C

on

fig

Ne

two

rk S

ecu

rity

PIX/ASA


Sta

tefu

l fire

wa

llN

etw

ork

Se

cu

rity

Stateful firewall

PIX

/AS

A C

on

fig

Ne

two

rk S

ecu

rity

Setting routes

(config)# route inside 176.10.1.0 255.255.255.0 192.168.2.3 1(config)# show route# sh route



E0

E1E2

Perimeter

gateway

192.168.2.1

192.168.2.5

192.168.2.3

176.10.1.1

176.10.1.2

10.1.1.1

10.1.1.254

172.10.10.2

172.10.10.1

Au

tho

r:

Bill

Buchanan

A

uth

or:

B

ill B

uchanan

Sta

tefu

l fire

wa

llN

etw

ork

Se

cu

rity

Stateful firewall

PIX

/AS

A C

on

fig

Ne

two

rk S

ecu

rity

PIX/ASA


Sta

tefu

l fire

wa

llN

etw

ork

Se

cu

rity

Stateful firewall

PIX

/AS

A C

on

fig

Ne

two

rk S

ecu

rity

Setting routes

(config)# route inside 176.10.1.0 255.255.255.0 192.168.1.3 1(config)# show route# sh route



E0

E1E2

Perimeter

gateway

192.168.2.1

192.168.2.5

192.168.2.3

176.10.1.1

176.10.1.2

10.1.1.1

10.1.1.254

172.10.10.2

172.10.10.1

Au

tho

r:

Bill

Buchanan

A

uth

or:

B

ill B

uchanan

Sta

tefu

l fire

wa

llN

etw

ork

Se

cu

rity

Stateful firewall

PIX

/AS

A C

on

fig

Ne

two

rk S

ecu

rity

PIX/ASA


Sta

tefu

l fire

wa

llN

etw

ork

Se

cu

rity

Stateful firewall

PIX

/AS

A C

on

fig

Ne

two

rk S

ecu

rity

Setting routes

(config)# route outside 0.0.0.0 0.0.0.0 10.1.1.254# sh routeS 0.0.0.0 0.0.0.0 [1/0] via 10.1.1.254, outsideS 10.0.0.0 255.255.0.0 [1/0] via 10.1.1.254, outsideC 10.1.1.0 255.255.255.0 is directly connected, outsideC 172.10.10.0 255.255.255.0 is directly connected, dmzS 176.10.1.0 255.255.255.0 [1/0] via 192.168.1.3, insideC 192.168.1.0 255.255.255.0 is directly connected, managementC 192.168.2.0 255.255.255.0 is directly connected, inside


E0

E1E2

Perimeter

gateway

192.168.2.1

192.168.2.5

192.168.2.3

176.10.1.1

176.10.1.2

10.1.1.1

10.1.1.254

172.10.10.2

172.10.10.1

Au

tho

r:

Bill

Buchanan

A

uth

or:

B

ill B

uchanan

Sta

tefu

l fire

wa

llN

etw

ork

Se

cu

rity

Stateful firewall

PIX

/AS

A C

on

fig

Ne

two

rk S

ecu

rity

PIX/ASA


Ne

two

rk S

ec

uri

ty

PIX/ASA Fixup

Au

tho

r:

Bill

Buchanan

A

uth

or:

B

ill B

uchanan

Sta

tefu

l fire

wa

llN

etw

ork

Se

cu

rity

Stateful firewall

PIX

/AS

A C

on

fig

Ne

two

rk S

ecu

rity

PIX/ASA


Sta

tefu

l fire

wa

llN

etw

ork

Se

cu

rity

Stateful firewall

PIX

/AS

A F

ixu

pN

etw

ork

Se

cu

rity

Fixup

(config)# show fixupfixup protocol ftp 21fixup protocol h323 h225 1720fixup protocol h323 ras 1718-1719fixup protocol http 80fixup protocol ils 389fixup protocol rsh 514fixup protocol rtsp 554fixup protocol sip 5060fixup protocol sip udp 5060fixup protocol skinny 2000fixup protocol smtp 25fixup protocol sqlnet 1521(config)# fixup protocol http 161(config)# fixup protocol ftp 60(config)# fixup protocol smtp 84



E2 (inf2)

FTP requires a

server

port on the

initiator.

SQL*Net requires

a negiotation on

the

connected port.

Au

tho

r:

Bill

Buchanan

A

uth

or:

B

ill B

uchanan

Sta

tefu

l fire

wa

llN

etw

ork

Se

cu

rity

Stateful firewall

PIX

/AS

A C

on

fig

Ne

two

rk S

ecu

rity

PIX/ASA


Ne

two

rk S

ec

uri

ty

PIX/ASA NAT

Au

tho

r:

Bill

Buchanan

A

uth

or:

B

ill B

uchanan

Sta

tefu

l fire

wa

llN

etw

ork

Se

cu

rity

Stateful firewall

PIX

/AS

A C

on

fig

Ne

two

rk S

ecu

rity

PIX/ASA


Sta

tefu

l fire

wa

llN

etw

ork

Se

cu

rity

Stateful firewall

PIX

/AS

A C

on

fig

Ne

two

rk S

ecu

rity

NAT

(config)# nat (inside) 1 192.168.2.0 255.255.255.0(config)# nat (dmz) 2 172.10.10.0 255.255.255.0(config)# global (outside) 1 10.1.1.2-10.1.1.200 netmask

255.255.255.0(config)# global (outside) 2 10.1.1.201-10.1.1.254 netmask 255.255.255.0


E0

E1E2

Perimeter

gateway

192.168.2.1

192.168.2.5

192.168.2.3

176.10.1.1

176.10.1.2

10.1.1.1

10.1.1.254

172.10.10.2

172.10.10.1

Au

tho

r:

Bill

Buchanan

A

uth

or:

B

ill B

uchanan

Sta

tefu

l fire

wa

llN

etw

ork

Se

cu

rity

Stateful firewall

PIX

/AS

A C

on

fig

Ne

two

rk S

ecu

rity

PIX/ASA


Sta

tefu

l fire

wa

llN

etw

ork

Se

cu

rity

Stateful firewall

PIX

/AS

A C

on

fig

Ne

two

rk S

ecu

rity

NAT

(config)# nat (inside) 1 192.168.2.0 255.255.255.0(config)# nat (dmz) 2 172.10.10.0 255.255.255.0(config)# global (outside) 1 10.1.1.2-10.1.1.200 netmask

255.255.255.0(config)# global (outside) 2 10.1.1.201-10.1.1.254 netmask 255.255.255.0


E0

E1E2

Perimeter

gateway

192.168.2.1

192.168.2.5

192.168.2.3

176.10.1.1

176.10.1.2

10.1.1.1

10.1.1.254

172.10.10.2

172.10.10.1

Au

tho

r:

Bill

Buchanan

A

uth

or:

B

ill B

uchanan

Sta

tefu

l fire

wa

llN

etw

ork

Se

cu

rity

Stateful firewall

PIX

/AS

A C

on

fig

Ne

two

rk S

ecu

rity

PIX/ASA


Ne

two

rk S

ec

uri

ty

PIX/ASA PAT

Au

tho

r:

Bill

Buchanan

A

uth

or:

B

ill B

uchanan

Sta

tefu

l fire

wa

llN

etw

ork

Se

cu

rity

Stateful firewall

PIX

/AS

A C

on

fig

Ne

two

rk S

ecu

rity

PIX/ASA


Sta

tefu

l fire

wa

llN

etw

ork

Se

cu

rity

Stateful firewall

PIX

/AS

A C

on

fig

Ne

two

rk S

ecu

rity

PAT

(config)# nat (inside) 1 192.168.2.0 255.255.255.0(config)# nat (dmz) 1 172.10.10.0 255.255.255.0(config)# global (outside) 1 interface


E0

E1E2

Perimeter

gateway

192.168.2.1

192.168.2.5

192.168.2.3

176.10.1.1

176.10.1.2

10.1.1.1

10.1.1.254

172.10.10.2

172.10.10.1

Au

tho

r:

Bill

Buchanan

A

uth

or:

B

ill B

uchanan

Sta

tefu

l fire

wa

llN

etw

ork

Se

cu

rity

Stateful firewall

PIX

/AS

A C

on

fig

Ne

two

rk S

ecu

rity

PIX/ASA


Sta

tefu

l fire

wa

llN

etw

ork

Se

cu

rity

Stateful firewall

PIX

/AS

A C

on

fig

Ne

two

rk S

ecu

rity

PAT



E0

E1E2

Perimeter

gateway

192.168.2.1

192.168.2.5

192.168.2.3

176.10.1.1

176.10.1.2

10.1.1.1

10.1.1.254

172.10.10.2

172.10.10.1

Au

tho

r:

Bill

Buchanan

A

uth

or:

B

ill B

uchanan

Sta

tefu

l fire

wa

llN

etw

ork

Se

cu

rity

Stateful firewall

PIX

/AS

A C

on

fig

Ne

two

rk S

ecu

rity

PIX/ASA


Sta

tefu

l fire

wa

llN

etw

ork

Se

cu

rity

Stateful firewall

PIX

/AS

A C

on

fig

Ne

two

rk S

ecu

rity

PAT



E0

E1E2

Perimeter

gateway

192.168.2.1

192.168.2.5

192.168.2.3

176.10.1.1

176.10.1.2

10.1.1.1

10.1.1.254

172.10.10.2

172.10.10.1

Do not NAT!

Au

tho

r:

Bill

Buchanan

A

uth

or:

B

ill B

uchanan

Sta

tefu

l fire

wa

llN

etw

ork

Se

cu

rity

Stateful firewall

PIX

/AS

A C

on

fig

Ne

two

rk S

ecu

rity

PIX/ASA


Sta

tefu

l fire

wa

llN

etw

ork

Se

cu

rity

Stateful firewall

PIX

/AS

A C

on

fig

Ne

two

rk S

ecu

rity

PAT



E0

E1E2

Perimeter

gateway

192.168.2.1

192.168.2.5

192.168.2.3

176.10.1.1

176.10.1.2

10.1.1.1

10.1.1.254

172.10.10.2

172.10.10.1

Do not NAT!

Au

tho

r:

Bill

Buchanan

A

uth

or:

B

ill B

uchanan

Sta

tefu

l fire

wa

llN

etw

ork

Se

cu

rity

Stateful firewall

PIX

/AS

A C

on

fig

Ne

two

rk S

ecu

rity

PIX/ASA


Ne

two

rk S

ec

uri

ty

PIX/ASA Static Mapping

Au

tho

r:

Bill

Buchanan

A

uth

or:

B

ill B

uchanan

Sta

tefu

l fire

wa

llN

etw

ork

Se

cu

rity

Stateful firewall

PIX

/AS

A C

on

fig

Ne

two

rk S

ecu

rity

PIX/ASA


Sta

tefu

l fire

wa

llN

etw

ork

Se

cu

rity

Stateful firewall

PIX

/AS

A C

on

fig

Ne

two

rk S

ecu

rity

Static mappings

static (dmz,outside) 10.1.1.201 172.10.10.2 netmask 255.255.255.255static (inside,outside) 10.1.1.202 192.168.1.5 netmask 255.255.255.255


E0

E1E2

Perimeter

gateway

192.168.2.1

192.168.2.5

192.168.2.3

176.10.1.1

176.10.1.2

10.1.1.1

10.1.1.254

172.10.10.2

172.10.10.1

Au

tho

r:

Bill

Buchanan

A

uth

or:

B

ill B

uchanan

Sta

tefu

l fire

wa

llN

etw

ork

Se

cu

rity

Stateful firewall

PIX

/AS

A C

on

fig

Ne

two

rk S

ecu

rity

PIX/ASA


Sta

tefu

l fire

wa

llN

etw

ork

Se

cu

rity

Stateful firewall

PIX

/AS

A C

on

fig

Ne

two

rk S

ecu

rity

Static mappings

static (dmz,outside) 10.1.1.201 172.10.10.2 netmask 255.255.255.255static (inside,outside) 10.1.1.202 192.168.1.5 netmask 255.255.255.255


E0

E1E2

Perimeter

gateway

192.168.2.1

192.168.2.5

192.168.2.3

176.10.1.1

176.10.1.2

10.1.1.1

10.1.1.254

172.10.10.2

172.10.10.1

Au

tho

r:

Bill

Buchanan

A

uth

or:

B

ill B

uchanan

Sta

tefu

l fire

wa

llN

etw

ork

Se

cu

rity

Stateful firewall

PIX

/AS

A C

on

fig

Ne

two

rk S

ecu

rity

PIX/ASA


Ne

two

rk S

ec

uri

ty

PIX/ASA ACLs

Au

tho

r:

Bill

Buchanan

A

uth

or:

B

ill B

uchanan

Sta

tefu

l fire

wa

llN

etw

ork

Se

cu

rity

Stateful firewall

PIX

/AS

A C

on

fig

Ne

two

rk S

ecu

rity

PIX/ASA


Sta

tefu

l fire

wa

llN

etw

ork

Se

cu

rity

Stateful firewall

PIX

/AS

A C

on

fig

Ne

two

rk S

ecu

rity

Static mappings

static (dmz,outside) 10.1.1.201 172.10.10.2 netmask 255.255.255.255access-list uranus permit tcp any 10.1.1.201 255.255.255.255 eq telnetaccess-list uranus permit tcp any 10.1.1.201 255.255.255.255 eq wwwaccess-list uranus deny ip any anyaccess-group uranus in interface outside


E0

E1E2

Perimeter

gateway

192.168.2.1

192.168.2.5

192.168.2.3

176.10.1.1

176.10.1.2

10.1.1.1

10.1.1.254

172.10.10.2

172.10.10.1

Au

tho

r:

Bill

Buchanan

A

uth

or:

B

ill B

uchanan

Sta

tefu

l fire

wa

llN

etw

ork

Se

cu

rity

Stateful firewall

PIX

/AS

A C

on

fig

Ne

two

rk S

ecu

rity

PIX/ASA


Sta

tefu

l fire

wa

llN

etw

ork

Se

cu

rity

Stateful firewall

PIX

/AS

A C

on

fig

Ne

two

rk S

ecu

rity

Static mappings

access-list uranus permit tcp any 10.1.1.201 255.255.255.255 eq telnetaccess-list uranus permit tcp any 10.1.1.201 255.255.255.255 eq wwwaccess-list uranus deny ip any anyaccess-group uranus in interface outside


E0

E1E2

Perimeter

gateway

192.168.2.1

192.168.2.5

192.168.2.3

176.10.1.1

176.10.1.2

10.1.1.1

10.1.1.254

172.10.10.2

172.10.10.1

Au

tho

r:

Bill

Buchanan

A

uth

or:

B

ill B

uchanan

Sta

tefu

l fire

wa

llN

etw

ork

Se

cu

rity

Stateful firewall

PIX

/AS

A C

on

fig

Ne

two

rk S

ecu

rity

PIX/ASA


Sta

tefu

l fire

wa

llN

etw

ork

Se

cu

rity

Stateful firewall

PIX

/AS

A C

on

fig

Ne

two

rk S

ecu

rity

Static mappings

access-list uranus permit tcp any 10.1.1.201 255.255.255.255 eq telnetaccess-list uranus permit tcp any 10.1.1.201 255.255.255.255 eq wwwaccess-list uranus deny ip any anyaccess-group uranus in interface outside


E0

E1E2

Perimeter

gateway

192.168.2.1

192.168.2.5

192.168.2.3

176.10.1.1

176.10.1.2

10.1.1.1

10.1.1.254

172.10.10.2

172.10.10.1

Au

tho

r:

Bill

Buchanan

A

uth

or:

B

ill B

uchanan

Sta

tefu

l fire

wa

llN

etw

ork

Se

cu

rity

Stateful firewall

PIX

/AS

A C

on

fig

Ne

two

rk S

ecu

rity

PIX/ASA


Sta

tefu

l fire

wa

llN

etw

ork

Se

cu

rity

Stateful firewall

PIX

/AS

A C

on

fig

Ne

two

rk S

ecu

rity

ACL

static (dmz,outside) 10.1.1.201 172.10.10.2 netmask 255.255.255.255access-list mars permit ip host 10.1.1.200 host 10.1.1.201access-list mars deny ip any anyaccess-group mars in interface outside


E0

E1E2

Perimeter

gateway

192.168.2.1

192.168.2.5

192.168.2.3

176.10.1.1

176.10.1.2

10.1.1.1

10.1.1.254

172.10.10.2

172.10.10.1

Au

tho

r:

Bill

Buchanan

A

uth

or:

B

ill B

uchanan

Sta

tefu

l fire

wa

llN

etw

ork

Se

cu

rity

Stateful firewall

PIX

/AS

A C

on

fig

Ne

two

rk S

ecu

rity

PIX/ASA


Sta

tefu

l fire

wa

llN

etw

ork

Se

cu

rity

Stateful firewall

PIX

/AS

A C

on

fig

Ne

two

rk S

ecu

rity

ACL



E0

E1E2

Perimeter

gateway

192.168.2.1

192.168.2.5

192.168.2.3

176.10.1.1

176.10.1.2

10.1.1.1

10.1.1.254

172.10.10.2

172.10.10.1

Au

tho

r:

Bill

Buchanan

A

uth

or:

B

ill B

uchanan

Sta

tefu

l fire

wa

llN

etw

ork

Se

cu

rity

Stateful firewall

PIX

/AS

A C

on

fig

Ne

two

rk S

ecu

rity

PIX/ASA


Sta

tefu

l fire

wa

llN

etw

ork

Se

cu

rity

Stateful firewall

PIX

/AS

A C

on

fig

Ne

two

rk S

ecu

rity

Static mappings



E0

E1E2

Perimeter

gateway

192.168.2.1

192.168.2.5

192.168.2.3

176.10.1.1

176.10.1.2

10.1.1.1

10.1.1.254

172.10.10.2

172.10.10.1

Au

tho

r:

Bill

Buchanan

A

uth

or:

B

ill B

uchanan

Sta

tefu

l fire

wa

llN

etw

ork

Se

cu

rity

Stateful firewall

PIX

/AS

A C

on

fig

Ne

two

rk S

ecu

rity

PIX/ASA


Ne

two

rk S

ec

uri

ty

PIX/ASA Failover

Au

tho

r:

Bill

Buchanan

A

uth

or:

B

ill B

uchanan

Sta

tefu

l fire

wa

llN

etw

ork

Se

cu

rity

Stateful firewall

PIX

/AS

A C

on

fig

Ne

two

rk S

ecu

rity

PIX/ASA


Sta

tefu

l fire

wa

llN

etw

ork

Se

cu

rity

Stateful firewall

Fa

ilove

rN

etw

ork

Se

cu

rity

Failure


Power supply failures,

Primary reboot.

Interface problems

Memory Overflow.

40 U

1 U

5 U

1 U

UPS 1

UPS 2

Au

tho

r:

Bill

Buchanan

A

uth

or:

B

ill B

uchanan

Sta

tefu

l fire

wa

llN

etw

ork

Se

cu

rity

Stateful firewall

PIX

/AS

A C

on

fig

Ne

two

rk S

ecu

rity

PIX/ASA


Sta

tefu

l fire

wa

llN

etw

ork

Se

cu

rity

Stateful firewall

PIX

/AS

A C

on

fig

Ne

two

rk S

ecu

rity

Failover


Same PIX type

Same RAM

Same Flash memory.

Same type and interfaces.

Same software version.

Same activation keys for DES or

3DES

E0

(outside)

E1

(inside)

E2

(inf2)

Failover

cable

STANDBY

MAIN

· UR – Unrestricted licence

(must be used for primary).

· FO – Failover licence (for

secondary).

· R – Restricted licence

(cannot be used).

Either

Prim (UR)/Sec (UR)

Or:

Prim (UR)/Sec (FO)

Activation key is required!

Au

tho

r:

Bill

Buchanan

A

uth

or:

B

ill B

uchanan

Sta

tefu

l fire

wa

llN

etw

ork

Se

cu

rity

Stateful firewall

PIX

/AS

A C

on

fig

Ne

two

rk S

ecu

rity

PIX/ASA


Sta

tefu

l fire

wa

llN

etw

ork

Se

cu

rity

Stateful firewall

Fa

ilove

rN

etw

ork

Se

cu

rity

Failover


· Hello messages are sent every 1-15 seconds on every interface. Hello time. (PIX default

15 second, ASA default 1 second)

· If messages are not received with the holdtime Holdtime (PIX default: 45 seconds – 3

times hello time, ASA default: 15 seconds), failover happens.

· If secondary doesn’t work, primary assumes control, and no failover.

Sent on ALL interfaces, including failover connection.

E0

(outside)

E1

(inside)

E2

(inf2)

Failover

cable “Hello”“Hello”

Au

tho

r:

Bill

Buchanan

A

uth

or:

B

ill B

uchanan

Sta

tefu

l fire

wa

llN

etw

ork

Se

cu

rity

Stateful firewall

PIX

/AS

A C

on

fig

Ne

two

rk S

ecu

rity

PIX/ASA


e0 e1

e2

outside inside

inf2

Failover cable

Or Ethernet

(LAN-based)

Standby

Tests:

Test 1. NIC status test. Up/down status of interface.

Test 2. Network activity. Monitor for 5 seconds. If detected, cancel tests.

Test 3. ARP test. Requests last 10 IP addresses in the ARP table.

Test 4. Ping test. Broadcast ping of 255.255.255.255. If any replies the test

is quit.

Au

tho

r:

Bill

Buchanan

A

uth

or:

B

ill B

uchanan

Sta

tefu

l fire

wa

llN

etw

ork

Se

cu

rity

Stateful firewall

PIX

/AS

A C

on

fig

Ne

two

rk S

ecu

rity

PIX/ASA


e0 e1

e2

outside inside

inf2

Failover cable

Or Ethernet

(LAN-based)

Standby

On start-up config is automated copied over.

All new commands are replicated.

The write startby command sends the config to the

secondary.

Either

Prim (UR)

Sec (UR)

Or

Prim (UR)

Sec (FO)

Activation key

is required!

Au

tho

r:

Bill

Buchanan

A

uth

or:

B

ill B

uchanan

Sta

tefu

l fire

wa

llN

etw

ork

Se

cu

rity

Stateful firewall

PIX

/AS

A C

on

fig

Ne

two

rk S

ecu

rity

PIX/ASA


Stateful – Restores everything. ARP table, Xlate, Fixup tables,

ARP, routing information, IPSec/ISAKMP tables, MAC addresses,

Hello messages.

Secondary

Inherits: IP addresses and MAC addresses of the primary.

Primary

Inherits: IP addresses and MAC addresses of the secondary.

e0 e1

e2

outside inside

inf2

Stateful

connection Failover

cable

e3

e3

Require an additional Ethernet connection

Au

tho

r:

Bill

Buchanan

A

uth

or:

B

ill B

uchanan

Sta

tefu

l fire

wa

llN

etw

ork

Se

cu

rity

Stateful firewall

PIX

/AS

A C

on

fig

Ne

two

rk S

ecu

rity

PIX/ASA


e0 e1

e2

outside inside

inf2

Failover cable

Or Ethernet

(LAN-based)

Standby

Non-stateful – Only RAM config and session details.

Secondary


Primary


Lost: NAT translations and connections.

Au

tho

r:

Bill

Buchanan

A

uth

or:

B

ill B

uchanan

Sta

tefu

l fire

wa

llN

etw

ork

Se

cu

rity

Stateful firewall

PIX

/AS

A C

on

fig

Ne

two

rk S

ecu

rity

PIX/ASA


Au

tho

r:

Bill

Buchanan

A

uth

or:

B

ill B

uchanan

Sta

tefu

l fire

wa

llN

etw

ork

Se

cu

rity

Stateful firewall

PIX

/AS

A C

on

fig

Ne

two

rk S

ecu

rity

PIX/ASA


e0 e1

e2

outside inside

Standby

.

e2

Dedicated

switch/hub

Au

tho

r:

Bill

Buchanan

A

uth

or:

B

ill B

uchanan

Sta

tefu

l fire

wa

llN

etw

ork

Se

cu

rity

Stateful firewall

PIX

/AS

A C

on

fig

Ne

two

rk S

ecu

rity

PIX/ASA


e0 e1

e2

outside inside

inf2

Failover

cable

e3

e3

Non-stateful – Only RAM config and session details.

Secondary


Primary


Lost: NAT translations and connections.

Au

tho

r:

Bill

Buchanan

A

uth

or:

B

ill B

uchanan

Sta

tefu

l fire

wa

llN

etw

ork

Se

cu

rity

Stateful firewall

PIX

/AS

A C

on

fig

Ne

two

rk S

ecu

rity

PIX/ASA


myPIX (config)# failover active myPIX (config)# failover ip address outside 157.202.212.2 myPIX (config)# failover ip address inside 73.105.56.11 myPIX (config)# failover ip address inf2 166.209.230.11 myPIX (config)# failover poll 2 myPIX (config)# show failover

myPIX (config)# failover active myPIX (config)# failover ip address outside 157.202.212.2 myPIX (config)# failover ip address inside 73.105.56.11 myPIX (config)# failover ip address inf2 166.209.230.11 myPIX (config)# failover poll 2 myPIX (config)# show failover

e0 e1

e2

outside inside

inf2

Stateful

connection Failover

cable

e3

e3

Au

tho

r:

Bill

Buchanan

A

uth

or:

B

ill B

uchanan

Sta

tefu

l fire

wa

llN

etw

ork

Se

cu

rity

Stateful firewall

PIX

/AS

A C

on

fig

Ne

two

rk S

ecu

rity

PIX/ASA


LAN-based Failover myPIX (config)# ip address outside 157.202.212.1 myPIX (config)# ip address inside 73.105.56.1 myPIX (config)# ip address inf2 166.209.230.1 myPIX (config)# failover active myPIX (config)# failover ip address outside 157.202.212.2 myPIX (config)# failover ip address inside 73.105.56.2 myPIX (config)# failover ip address inf2 166.209.230.2 myPIX (config)# failover lan key mypix myPIX (config)# failover lan unit primary myPIX (config)# failover lan interface inf2 myPIX (config)# failover lan enable

myPIX (config)# ip address outside 157.202.212.1 myPIX (config)# ip address inside 73.105.56.1 myPIX (config)# ip address inf2 166.209.230.1 myPIX (config)# failover active myPIX (config)# failover ip address outside 157.202.212.2 myPIX (config)# failover ip address inside 73.105.56.2 myPIX (config)# failover ip address inf2 166.209.230.2 myPIX (config)# failover lan key mypix myPIX (config)# failover lan unit primary myPIX (config)# failover lan interface inf2 myPIX (config)# failover lan enable

e0 e1 outside inside

Stateful

connection

e2

e2

Au

tho

r:

Bill

Buchanan

A

uth

or:

B

ill B

uchanan

Sta

tefu

l fire

wa

llN

etw

ork

Se

cu

rity

Stateful firewall

PIX

/AS

A C

on

fig

Ne

two

rk S

ecu

rity

PIX/ASA


LAN-based Failover myPIX (config)# ip address inf2 166.209.230.2 myPIX (config)# failover active myPIX (config)# failover lan key mypix myPIX (config)# failover lan unit secondary myPIX (config)# failover lan interface inf2 myPIX (config)# failover lan enable

myPIX (config)# ip address inf2 166.209.230.2 myPIX (config)# failover active myPIX (config)# failover lan key mypix myPIX (config)# failover lan unit secondary myPIX (config)# failover lan interface inf2 myPIX (config)# failover lan enable

e0 e1 outside inside

Stateful

connection

e2

e2

Au

tho

r:

Bill

Buchanan

A

uth

or:

B

ill B

uchanan

Sta

tefu

l fire

wa

llN

etw

ork

Se

cu

rity

Stateful firewall

PIX

/AS

A C

on

fig

Ne

two

rk S

ecu

rity

PIX/ASA


Ne

two

rk S

ec

uri

ty

VPN

Au

tho

r:

Bill

Buchanan

A

uth

or:

B

ill B

uchanan

Sta

tefu

l fire

wa

llN

etw

ork

Se

cu

rity

Stateful firewall

PIX

/AS

A C

on

fig

Ne

two

rk S

ecu

rity

PIX/ASA


VP

NN

etw

ork

Se

cu

rity

Issues involved

Bob Alice

Eve could

eavesdrop on the

public

communications

Eve

Gateway Gateway

Eve

Eve could

change the

data packets

What is required is:

· Encryption.

· Authentication of

devices (to

overcome

spoofing)


packets (for

integrity)

Untrusted network

Gateway

Eve

Eve could

setup an

alternative

gateway

Au

tho

r:

Bill

Buchanan

A

uth

or:

B

ill B

uchanan

Sta

tefu

l fire

wa

llN

etw

ork

Se

cu

rity

Stateful firewall

PIX

/AS

A C

on

fig

Ne

two

rk S

ecu

rity

PIX/ASA


VP

NN

etw

ork

Se

cu

rity

Tunnelling methods

Bob Alice

Eve

Gateway Gateway

What is required is:

· Encryption.


devices (to

overcome

spoofing)


packets (for

integrity)

Untrusted network

PPTP (Point-to-point Tunneling Protocol). Created by

Microsoft and is routable. It uses MPPE (Microsoft

Point-to-point Encryption) and user authentication.

L2TP (Layer 2 Tunneling Protocol). Works at Layer 2 to

Forward IP, IPX and AppleTalk (RFC2661). Cisco,

Microsoft, Ascent and 3Com developed it. User and

machine authentication, but no encryption (but can be used

with L2TP over IPSec).

IPSec. An open standard. Includes both encryption and

Authentication.

Au

tho

r:

Bill

Buchanan

A

uth

or:

B

ill B

uchanan

Sta

tefu

l fire

wa

llN

etw

ork

Se

cu

rity

Stateful firewall

PIX

/AS

A C

on

fig

Ne

two

rk S

ecu

rity

PIX/ASA


VP

NN

etw

ork

Se

cu

rity

Tunnelling mode or transport mode

Bob Alice

Tunelling mode (over

untrusted connections)

Traffic is encrypted

over the untrusted

network.

Bob Alice

Transport mode.

End-to-end (host-to-

host) tunnelling

Unencrypted traffic

Encrypted traffic

Unencrypted traffic

Au

tho

r:

Bill

Buchanan

A

uth

or:

B

ill B

uchanan

Sta

tefu

l fire

wa

llN

etw

ork

Se

cu

rity

Stateful firewall

PIX

/AS

A C

on

fig

Ne

two

rk S

ecu

rity

PIX/ASA


VP

NN

etw

ork

Se

cu

rity

VPN types

Bob@

home

VPN

Remote

Access VPN

VPN

Intranet

VPN

VPN

VPN

Extranet

VPN

VPN

Alice Co.

Bob Co.

Bob Co.

Bob Co.

Bob Co.

Au

tho

r:

Bill

Buchanan

A

uth

or:

B

ill B

uchanan

Sta

tefu

l fire

wa

llN

etw

ork

Se

cu

rity

Stateful firewall

PIX

/AS

A C

on

fig

Ne

two

rk S

ecu

rity

PIX/ASA


VP

NN

etw

ork

Se

cu

rity

Tunnelling mode or transport mode

Intrusion

Detection

System

Intrusion

Detection

System

Firewall

Firewall

Internet

Switch

Router

Proxy

server

Email

server

Web

server

FTP

server

Switch

Bob Alice

Traffic

only

encrypted

over the

public

channel

Traffic is encrypted

and cannot be

checked by firewalls,

IDS, and so on

Au

tho

r:

Bill

Buchanan

A

uth

or:

B

ill B

uchanan

Sta

tefu

l fire

wa

llN

etw

ork

Se

cu

rity

Stateful firewall

PIX

/AS

A C

on

fig

Ne

two

rk S

ecu

rity

PIX/ASA


VP

NN

etw

ork

Se

cu

rity

Blocking end-to-end encryption

Intrusion

Detection

System

Intrusion

Detection

System

Firewall

Firewall

Internet

Switch

Router

Proxy

server

Email

server

Web

server

FTP

server

Switch

Bob Alice

Traffic

only

encrypted

over the

public

channel

Firewall blocks all

encrypted content

and any negation of

a tunnel

For IPSec (one of the most popular tunnelling

methods):

· UDP Port 500 is the key exchange port. If it is

blocked there can be no tunnel.

· TCP Port 50 for IPSec ESP (Encapsulated Security

Protocol).

· TCP Port 51 for IPSec AH (Authentication Header)

Au

tho

r:

Bill

Buchanan

A

uth

or:

B

ill B

uchanan

Sta

tefu

l fire

wa

llN

etw

ork

Se

cu

rity

Stateful firewall

PIX

/AS

A C

on

fig

Ne

two

rk S

ecu

rity

PIX/ASA


VP

NN

etw

ork

Se

cu

rity

IPSec

ESP

Auth.

IP packet contents

ESP

trailer

IP packet contents IP header

IP packet

(encrypted)

ESP

headerIP header

ESP transport mode method

(Weakness: Replay attack)

IP packet contents IP header

AH

header

New

IP header

AH transport method

(Provides complete

authentication for the packet)

Authentication scope

Authentication scope

The IPSec protocol has:

· ESP (Encapsulated Security Protocol).

ESP takes the original data packet, and

breaks off the IP header. The rest of the

packet is encrypted, with the original header

added at the start, along with a new ESP

field at the start, and one at the end. It is

important that the IP header is not encrypted

as the data packet must still be read by

routers as it travels over the Internet. Only

the host at the other end of the IPSec tunnel

can decrypt the contents of the IPSec data

packet.

· AH (Authentication Header). This encrypts

the complete contents of the IP data packet,

and adds a new packet header. ESP has the

weakness that an intruder can replay

previously sent data, whereas AH provides a

mechanism of sequence numbers to reduce

this problem.

Au

tho

r:

Bill

Buchanan

A

uth

or:

B

ill B

uchanan

Sta

tefu

l fire

wa

llN

etw

ork

Se

cu

rity

Stateful firewall

PIX

/AS

A C

on

fig

Ne

two

rk S

ecu

rity

PIX/ASA


VP

NN

etw

ork

Se

cu

rity

IPSec

IPIP TCPTCP Higher-level protocol/dataHigher-level protocol/data

VersionVersion Header lengthHeader length Type of serviceType of service

Total lengthTotal length

IdentificationIdentification

00 DD MM Fragment OffsetFragment Offset

Time-to-LiveTime-to-Live ProtocolProtocol

Header ChecksumHeader Checksum

Source IP AddressSource IP Address

Destination IP AddressDestination IP Address

1 ICMP Internet Control Message [RFC792]

6 TCP Transmission Control [RFC793]

8 EGP Exterior Gateway Protocol [RFC888]

9 IGP any private interior gateway [IANA]

47 GRE General Routing Encapsulation

(PPTP)

50 ESP Encap Security Payload [RFC2406]

51 AH Authentication Header [RFC2402]

55 MOBILE IP Mobility

88 EIGRP EIGRP [CISCO]

89 OSPFIGP OSPFIGP [RFC1583]

115 L2TP Layer Two Tunneling Protocol

VP

NN

etw

ork

Se

cu

rity

IPSec

IPIP TCPTCP Higher-level protocol/dataHigher-level protocol/data

VersionVersion Header lengthHeader length Type of serviceType of service

Total lengthTotal length

IdentificationIdentification

00 DD MM Fragment OffsetFragment Offset

Time-to-LiveTime-to-Live ProtocolProtocol

Header ChecksumHeader Checksum

Source IP AddressSource IP Address

Destination IP AddressDestination IP Address

1 ICMP Internet Control Message [RFC792]

6 TCP Transmission Control [RFC793]

8 EGP Exterior Gateway Protocol [RFC888]

9 IGP any private interior gateway [IANA]

47 GRE General Routing Encapsulation

(PPTP)

50 ESP Encap Security Payload [RFC2406]

51 AH Authentication Header [RFC2402]

55 MOBILE IP Mobility

88 EIGRP EIGRP [CISCO]

89 OSPFIGP OSPFIGP [RFC1583]

115 L2TP Layer Two Tunneling Protocol

Au

tho

r:

Bill

Buchanan

A

uth

or:

B

ill B

uchanan

Sta

tefu

l fire

wa

llN

etw

ork

Se

cu

rity

Stateful firewall

PIX

/AS

A C

on

fig

Ne

two

rk S

ecu

rity

PIX/ASA


VP

NN

etw

ork

Se

cu

rity

IPSec

Bob@

home

VPN

Remote

Access VPN

Bob Co.

Phase 1 (IKE – Internet Key Exchange)UDP port 500 is used for IKE

Define the policies between the peers

IKE Policies · Hashing algorithm (SHA/MD5)

· Encryption (DES/3DES)

· Diffie-Hellman agreements

· Authentication (pre-share, RSA nonces, RSA sig).

Phase 2Defines the policies for transform sets, peer IP

addresses/hostnames and lifetime settings.

Crypto maps are exchanged

· AH, ESP (or both)

· Encryption (DES, 3DES)

· ESP (tunnel or transport)

· Authentication (SHA/MD5)

· SA lifetimes defined

· Define the traffic of interest

isakmp enable outsideisakmp key ABC&FDD address 176.16.0.2 netmask 255.255.255.255isakmp identity addressisakmp policy 5 authen pre-shareisakmp policy 5 encrypt desisakmp policy 5 hash shaisakmp policy 5 group 1isakmp policy 5 lifetime 86400sysopt connection permit-ipsec

crypto ipsec transform-set MYIPSECFORMAT esp-des esp-sha-hmaccrypto map MYIPSEC 10 ipsec-isakmpaccess-list 111 permit ip 10.0.0.0 255.255.255.0 176.16.0.0 255.255.255.0 crypto map MYIPSEC 10 match address 111crypto map MYIPSEC 10 set peer 176.16.0.2crypto map MYIPSEC 10 set transform-set MYIPSECFORMATcrypto map MYIPSEC interface outside

Au

tho

r:

Bill

Buchanan

A

uth

or:

B

ill B

uchanan

Sta

tefu

l fire

wa

llN

etw

ork

Se

cu

rity

Stateful firewall

PIX

/AS

A C

on

fig

Ne

two

rk S

ecu

rity

PIX/ASA


VP

NN

etw

ork

Se

cu

rity

Blocking end-to-end encryption

Result

Challenge?

Kpv1

Public

Key (Kpb1) Public

Key (Kpb2)

Hashed

value

Shared key passed (Diffie-

Hellman) – used to encrypt all

the data

Hashed

value

Public key is used

to authenticate the

device

Au

tho

r:

Bill

Buchanan

A

uth

or:

B

ill B

uchanan

Sta

tefu

l fire

wa

llN

etw

ork

Se

cu

rity

Stateful firewall

PIX

/AS

A C

on

fig

Ne

two

rk S

ecu

rity

PIX/ASA


VP

NN

etw

ork

Se

cu

rity

IPSec (PIX)


crypto ipsec transform-set MYIPSECFORMAT esp-des esp-sha-hmacaccess-list 111 permit ip 10.0.0.0 255.255.255.0 192.168.0.0 255.255.255.0 crypto map MYIPSEC 10 ipsec-isakmpcrypto map MYIPSEC 10 match address 111crypto map MYIPSEC 10 set peer 176.16.0.2crypto map MYIPSEC 10 set transform-set MYIPSECFORMATcrypto map MYIPSEC interface outside



10.0.0.1172.16.0.1 172.16.0.2 192.168.0.1

Au

tho

r:

Bill

Buchanan

A

uth

or:

B

ill B

uchanan

Sta

tefu

l fire

wa

llN

etw

ork

Se

cu

rity

Stateful firewall

PIX

/AS

A C

on

fig

Ne

two

rk S

ecu

rity

PIX/ASA


VP

NN

etw

ork

Se

cu

rity

IPSec (PIX and Router)



crypto isakmp policy 1 hash sha authentication pre-share group 1 lifetime 86400 encryption descrypto isakmp key ABC&FDD address 172.16.0.1 crypto ipsec transform-set rtpset esp-des esp-md5-hmac crypto identity address

crypto map mymap 1 ipsec-isakmp set peer 172.16.0.1 set transform-set rtpset match address 115

interface FastEthernet0/0 ip address 172.16.0.2 255.255.255.0 crypto map mymap

access-list 115 permit ip 192.168.0.0 0.0.0.255 10.0.0.0 0.0.0.255

10.0.0.1172.16.0.1 172.16.0.2 192.168.0.1

Au

tho

r:

Bill

Buchanan

A

uth

or:

B

ill B

uchanan

Sta

tefu

l fire

wa

llN

etw

ork

Se

cu

rity

Stateful firewall

PIX

/AS

A C

on

fig

Ne

two

rk S

ecu

rity

PIX/ASA


VP

NN

etw

ork

Se

cu

rity

IPSec (PIX and Router)

10.0.0.1172.16.0.1 172.16.0.2 192.168.0.1

No. Time Source Destination Protocol Info81 5.237402 192.168.0.3 146.176.210.2 ISAKMP Aggressive

Frame 81 (918 bytes on wire, 918 bytes captured)Ethernet II, Src: IntelCor_34:02:f0 (00:15:20:34:62:f0), Dst: Netgear_b0:d6:8c (00:18:4d:b0:d6:8c)Internet Protocol, Src: 192.168.0.3 (192.168.0.3), Dst: 146.176.210.2 (146.176.210.2)User Datagram Protocol, Src Port: isakmp (500), Dst Port: isakmp (500) Source port: isakmp (500) Destination port: isakmp (500) Length: 884 Checksum: 0xd89d [correct]Internet Security Association and Key Management Protocol Initiator cookie: 5ABABE2D49A2D42A Responder cookie: 0000000000000000 Next payload: Security Association (1) Version: 1.0 Exchange type: Aggressive (4) Flags: 0x00 Message ID: 0x00000000 Length: 860 Security Association payload Next payload: Key Exchange (4) Payload length: 556 Domain of interpretation: IPSEC (1) Situation: IDENTITY (1) Proposal payload # 1 Next payload: NONE (0) Payload length: 544 Proposal number: 1 Protocol ID: ISAKMP (1) SPI Size: 0 Proposal transforms: 14 Transform payload # 1 Next payload: Transform (3) Payload length: 40 Transform number: 1 Transform ID: KEY_IKE (1) Encryption-Algorithm (1): AES-CBC (7) Hash-Algorithm (2): SHA (2) Group-Description (4): Alternate 1024-bit MODP group (2) Authentication-Method (3): XAUTHInitPreShared (65001) Life-Type (11): Seconds (1) Life-Duration (12): Duration-Value (2147483) Key-Length (14): Key-Length (256)

Au

tho

r:

Bill

Buchanan

A

uth

or:

B

ill B

uchanan

Sta

tefu

l fire

wa

llN

etw

ork

Se

cu

rity

Stateful firewall

PIX

/AS

A C

on

fig

Ne

two

rk S

ecu

rity

PIX/ASA


VP

NN

etw

ork

Se

cu

rity

Before connecting to the VPN

Bob@

home

VPN

Remote

Access VPN

Bob Co.

C:\>route print===========================================================================Interface List 10 ...00 1d 09 3f 49 8d ...... Broadcom NetLink (TM) Fast Ethernet 7 ...00 1f 3c 4f 30 1d ...... Intel(R) PRO/Wireless 3945ABG Network Connection

1 ........................... Software Loopback Interface 1===========================================================================

IPv4 Route Table===========================================================================Active Routes:Network Destination Netmask Gateway Interface Metric 0.0.0.0 0.0.0.0 192.168.0.1 192.168.0.3 25 127.0.0.0 255.0.0.0 On-link 127.0.0.1 306 127.0.0.1 255.255.255.255 On-link 127.0.0.1 306 127.255.255.255 255.255.255.255 On-link 127.0.0.1 306 192.168.0.0 255.255.255.0 On-link 192.168.0.3 281 192.168.0.3 255.255.255.255 On-link 192.168.0.3 281 192.168.0.255 255.255.255.255 On-link 192.168.0.3 281 224.0.0.0 240.0.0.0 On-link 127.0.0.1 306 224.0.0.0 240.0.0.0 On-link 192.168.0.3 281 255.255.255.255 255.255.255.255 On-link 127.0.0.1 306 255.255.255.255 255.255.255.255 On-link 192.168.0.3 281===========================================================================Persistent Routes: None

Au

tho

r:

Bill

Buchanan

A

uth

or:

B

ill B

uchanan

Sta

tefu

l fire

wa

llN

etw

ork

Se

cu

rity

Stateful firewall

PIX

/AS

A C

on

fig

Ne

two

rk S

ecu

rity

PIX/ASA


VP

NN

etw

ork

Se

cu

rity

After connecting to the VPN

Bob@

home

VPN

Remote

Access VPN

Bob Co.

C:\>route print===========================================================================Interface List 21 ...00 05 9a 3c 78 00 ...... Cisco Systems VPN Adapter 10 ...00 1d 09 3f 49 8d ...... Broadcom NetLink (TM) Fast Ethernet 7 ...00 1f 3c 4f 30 1d ...... Intel(R) PRO/Wireless 3945ABG Network Connectio


IPv4 Route Table===========================================================================Active Routes:Network Destination Netmask Gateway Interface Metric 0.0.0.0 0.0.0.0 192.168.0.1 192.168.0.3 25 127.0.0.0 255.0.0.0 On-link 127.0.0.1 306 127.0.0.1 255.255.255.255 On-link 127.0.0.1 306 127.255.255.255 255.255.255.255 On-link 127.0.0.1 306 146.176.0.0 255.255.0.0 On-link 146.176.212.218 281 146.176.1.0 255.255.255.0 146.176.0.1 146.176.212.218 100 146.176.2.0 255.255.255.0 146.176.0.1 146.176.212.218 100... 146.176.210.2 255.255.255.255 192.168.0.1 192.168.0.3 100 146.176.211.0 255.255.255.0 146.176.0.1 146.176.212.218 100 146.176.212.218 255.255.255.255 On-link 146.176.212.218 281... 255.255.255.255 255.255.255.255 On-link 127.0.0.1 306 255.255.255.255 255.255.255.255 On-link 192.168.0.3 281 255.255.255.255 255.255.255.255 On-link 146.176.212.218 281===========================================================================Persist

Au

tho

r:

Bill

Buchanan

A

uth

or:

B

ill B

uchanan

Sta

tefu

l fire

wa

llN

etw

ork

Se

cu

rity

Stateful firewall

PIX

/AS

A C

on

fig

Ne

two

rk S

ecu

rity

PIX/ASA


VP

NN

etw

ork

Se

cu

rity

After connecting to the VPN

Bob@

home

VPN

Remote

Access VPN

Bob Co.

C:\>route print===========================================================================Interface List 21 ...00 05 9a 3c 78 00 ...... Cisco Systems VPN Adapter 10 ...00 1d 09 3f 49 8d ...... Broadcom NetLink (TM) Fast Ethernet 7 ...00 1f 3c 4f 30 1d ...... Intel(R) PRO/Wireless 3945ABG Network Connectio


IPv4 Route Table===========================================================================Active Routes:Network Destination Netmask Gateway Interface Metric 0.0.0.0 0.0.0.0 192.168.0.1 192.168.0.3 25 127.0.0.0 255.0.0.0 On-link 127.0.0.1 306 127.0.0.1 255.255.255.255 On-link 127.0.0.1 306 127.255.255.255 255.255.255.255 On-link 127.0.0.1 306 146.176.0.0 255.255.0.0 On-link 146.176.212.218 281 146.176.1.0 255.255.255.0 146.176.0.1 146.176.212.218 100 146.176.2.0 255.255.255.0 146.176.0.1 146.176.212.218 100...===========================================================================Persist

146.176.212.218

192.168.0.3

146.176.0.1VPN connection

All other traffic goes

not on 146.176.0.0

network goes through

non-VPN connection

Au

tho

r:

Bill

Buchanan

A

uth

or:

B

ill B

uchanan

Sta

tefu

l fire

wa

llN

etw

ork

Se

cu

rity

Stateful firewall

PIX

/AS

A C

on

fig

Ne

two

rk S

ecu

rity

PIX/ASA


VP

NN

etw

ork

Se

cu

rity

Traceroute for VPN

Bob@

home

VPN

Remote

Access VPN

Bob Co.

C:\>tracert www.napier.ac.uk

Tracing route to www.napier.ac.uk [146.176.222.174]over a maximum of 30 hops:

1 57 ms 58 ms 57 ms 146.176.210.2 2 58 ms 56 ms 57 ms www.napier.ac.uk [146.176.222.174] 3 58 ms 59 ms 56 ms www.napier.ac.uk [146.176.222.174]

146.176.212.218 146.176.0.1VPN connection

C:\>tracert www.napier.ac.uk

Tracing route to www.napier.ac.uk [146.176.222.174]over a maximum of 30 hops:

1 2 ms 2 ms 6 ms 192.168.0.1 2 36 ms 38 ms 38 ms cr0.escra.uk.easynet.net [87.87.249.224] 3 31 ms 31 ms 30 ms ip-87-87-146-129.easynet.co.uk [87.87.146.129] 4 43 ms 43 ms 43 ms be2.er10.thlon.ov.easynet.net [195.66.224.43] 5 48 ms 45 ms 45 ms linx-gw1.ja.net [195.66.224.15] 6 45 ms 44 ms 45 ms so-0-1-0.lond-sbr4.ja.net [146.97.35.129] 7 49 ms 79 ms 49 ms so-2-1-0.leed-sbr1.ja.net [146.97.33.29] 8 58 ms 56 ms 56 ms EastMAN-E1.site.ja.net [146.97.42.46] 9 59 ms 57 ms 57 ms vlan16.s-pop2.eastman.net.uk [194.81.56.66] 10 57 ms 59 ms 58 ms gi0-1.napier-pop.eastman.net.uk [194.81.56.46] 11

Before VPN connection

After VPN connection

Au

tho

r:

Bill

Buchanan

A

uth

or:

B

ill B

uchanan

Sta

tefu

l fire

wa

llN

etw

ork

Se

cu

rity

Stateful firewall

PIX

/AS

A C

on

fig

Ne

two

rk S

ecu

rity

PIX/ASA


VP

NN

etw

ork

Se

cu

rity

Traceroute for VPN

Bob@

home

VPN

Remote

Access VPN

Bob Co.

C:\>tracert www.intel.com

Tracing route to a961.g.akamai.net [90.223.246.33]over a maximum of 30 hops:

1 3 ms 1 ms 1 ms 192.168.0.1 2 35 ms 43 ms 36 ms cr0.escra.uk.easynet.net [87.87.249.224] 3 32 ms 31 ms 32 ms ip-87-87-146-129.easynet.co.uk [87.87.146.129] 4 46 ms 45 ms 45 ms te7-0-0.sr0.enlcs.ov.easynet.net [89.200.132.109] 5 46 ms 47 ms 47 ms 5adff621.bb.sky.com [90.223.246.33]

146.176.212.218 146.176.0.1VPN connection

C:\>tracert www.intel.com

Tracing route to a961.g.akamai.net [90.223.246.33]over a maximum of 30 hops:

1 3 ms 1 ms 1 ms 192.168.0.1 2 35 ms 43 ms 36 ms cr0.escra.uk.easynet.net [87.87.249.224] 3 32 ms 31 ms 32 ms ip-87-87-146-129.easynet.co.uk [87.87.146.129] 4 46 ms 45 ms 45 ms te7-0-0.sr0.enlcs.ov.easynet.net [89.200.132.109] 5 46 ms 47 ms 47 ms 5adff621.bb.sky.com [90.223.246.33]

Before VPN connection

After VPN connection

Au

tho

r:

Bill

Buchanan

A

uth

or:

B

ill B

uchanan

Sta

tefu

l fire

wa

llN

etw

ork

Se

cu

rity

Stateful firewall

PIX

/AS

A C

on

fig

Ne

two

rk S

ecu

rity

PIX/ASA


Network Security (Part 2)Professional Certification

NetworkSims

PIX/ASA Configuration· Interfaces.

· Fixup.

· Static Routes.

· Access-lists.

· Failover.

· VPN.

Prof Bill Buchanan, Leader, Centre for Distributed

Computing and Security

http://www.dcs.napier.ac.uk/~bill

Room: C.63

Au

tho

r:

Bill

Buchanan

A

uth

or:

B

ill B

uchanan

Sta

tefu

l fire

wa

llN

etw

ork

Se

cu

rity

Stateful firewall

PIX

/AS

A C

on

fig

Ne

two

rk S

ecu

rity

PIX/ASA


Au

tho

r:

Bill

Buchanan

A

uth

or:

B

ill B

uchanan

Sta

tefu

l fire

wa

llN

etw

ork

Se

cu

rity

Stateful firewall

PIX

/AS

A C

on

fig

Ne

two

rk S

ecu

rity

PIX/ASA


Academic

Element

On-line test:

40%

.NET Security

On-line test:

20%

Network Security

On-line test:

20%

Coursework: Agent-based IDS

Web-CT submission:

40%

We

ek

1-8

We

ek

8-1

3

MCQ

Test

Web-CT

submission

On-line

test

Documents

Network Security (Part 2) · Router (NAT) Proxy server Email server Web server DMZ FTP server Firewall (Statefull) Bob Alice: n S t a t e f u l f i r e w a l l N e t w o r k S e c