PiX Firewalls


  • 8/6/2019 PiX Firewalls

    1/26

    PIX Firewall

    An example of a stateful packet filter.

    Can also work on higher layers of protocols (FTP, RealAudio, etc.)

    Runs on its own OS


    2/26

    http://sce.uhcl.edu/yang/teaching/.../piX Firewalls.ppt


    Outline

    The Adaptive Security Algorithm (ASA)

    Basic Features of PIX

    Advanced Features

    Case studies

    3/26

    Adaptive Security Algorithm

    An algorithm that defines how PIX examines traffic passing through it, and applies various rules to it.

    Basic concept:

    - Keep track of the connections being formed from the networks behind the PIX to the public network

    - Based on info about these connections, ASA allows packets to come back into the private network through the firewall.

    - All other traffic destined for the private network is blocked by the firewall (unless specifically allowed).

    4/26

    ASA

    ASA defines how the state and other information is used to track the sessions passing through the PIX.

    ASA keeps track of the following information:

    - Source and destination info of IP packets

    - TCP sequence numbers and TCP flags

    - UDP packet flow and timers

    5/26

    ASA and TCP

    TCP is connection-oriented, and provides most of the information the firewall needs.

    The firewall keeps track of each session being formed, utilized, and terminated. ASA only allows the packets conforming to the state of a session to go through. All other packets are dropped.

    However, TCP has inherent weaknesses, which require ASA to perform additional work managing the sessions: SYN flood, session hijacking

    6/26

    ASA and TCP

    SYN flooding

    The SYN flood attack sends TCP connection requests faster than a machine can process them. (Internet Security Systems, http://www.iss.net/security_center/advice/Exploits/TCP/SYN_flood/default.htm)

    SYN flood (as defined in Wikipedia, http://en.wikipedia.org/wiki/SYN_flood)

    Illustration: next

    7/26

    Syn Flood

    A: the initiator; B: the destination

    TCP connection is multi-step:

    - A: SYN to initiate

    - B: SYN+ACK to respond

    - C: ACK gets agreement

    Sequence numbers are then incremented for future messages:

    - Ensures message order

    - Retransmit if lost

    - Verifies party really initiated connection

    8/26

    Syn Flood

    Implementation: A, the attacker; B: the victim

    B:

    - Receives SYN

    - Allocates connection

    - Acknowledges

    - Waits for response

    See the problem?

    What if no response, and many SYNs?

    All space for connections allocated; none left for legitimate ones.

    Time?

    9/26

    ASA vs Syn Flood

    (Beginning in version 5.2 and later) When the number of incomplete connections through the PIX reaches a pre-configured limit (the limit on embryonic connections), ASA turns the PIX into a proxy for connection attempts (SYNs) to servers or other resources sitting behind it.

    PIX responds to SYN requests with SYN ACKs and continues proxying the connection until the three-way TCP handshake is complete.

    Only when the three-way handshake is complete would the PIX allow the connection through to the server or resource on the private or DMZ network.

    Benefit: Limits the exposure of the servers behind the PIX to SYN floods
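    The embryonic-connection limit and SYN proxying described on this slide, as an added Python model (not code from the slides or from Cisco): Server, Pix, the backlog and limit values and the addresses are all constructed, and the handshake is reduced to syn()/ack() calls with no timers.

```python
class Server:
    def __init__(self, backlog):
        self.backlog = backlog
        self.half_open = set()      # clients that sent SYN but no ACK yet (constructed model)

    def syn(self, client):
        if len(self.half_open) >= self.backlog:
            return "dropped"        # slots exhausted: legitimate SYNs are lost
        self.half_open.add(client)
        return "syn-ack"

    def ack(self, client):
        if client not in self.half_open:
            return "ignored"
        self.half_open.remove(client)
        return "established"

class Pix:
    def __init__(self, server, embryonic_limit):
        self.server = server
        self.limit = embryonic_limit
        self.embryonic = {}         # client -> "server" (passed through) or "proxy"

    def syn(self, client):
        if len(self.embryonic) >= self.limit:
            self.embryonic[client] = "proxy"   # PIX answers SYN-ACK; server sees nothing
            return "syn-ack(proxied)"
        self.embryonic[client] = "server"      # below the limit: pass through as usual
        return self.server.syn(client)

    def ack(self, client):
        mode = self.embryonic.pop(client, None)
        if mode == "proxy":                    # handshake completed with the PIX:
            self.server.syn(client)            # only now open the server-side connection
        return self.server.ack(client) if mode else "ignored"

def demo(incomplete_syns=20, backlog=5, embryonic_limit=3):
    """Constructed scenario: many SYNs that never complete, then one real client."""
    flood = [("203.0.113.%d" % i, 1000 + i) for i in range(incomplete_syns)]
    client = ("198.51.100.2", 40000)
    exposed = Server(backlog)                  # no PIX in the path
    for c in flood: exposed.syn(c)
    direct = exposed.syn(client)
    shielded = Server(backlog)
    pix = Pix(shielded, embryonic_limit)
    for c in flood: pix.syn(c)
    pix.syn(client)
    via_pix = pix.ack(client)                  # only a completed handshake reaches the server
    return direct, via_pix, len(shielded.half_open)
```

    The limit only helps when it is below the server's own half-open capacity: demo(embryonic_limit=10) with the default backlog of 5 returns "ignored" for the real client, because the server's slots were already full when the PIX switched to proxying.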

    10/26

    ASA and TCP

    Problem with the ISN: The initial sequence number (ISN) of TCP is not really random!

    Possible TCP session hijacking attack

    Case study: Kevin Mitnick's attack on Tsutomu Shimomura's computers in 1994-1995

    Six steps (pp. 421-422):

    1. An initial reconnaissance attack: gather info about the victim

    2. A SYN flood attack: disable the login server; a DoS attack

    3. A reconnaissance attack: determine how one of the x-terms generated its TCP sequence numbers

    4. Spoof the server's identity, and establish a session with the x-term (using the sequence number the x-term must have sent); result: a one-way connection to the x-term

    5. Modify the x-term's .rhosts file to trust every host

    6. Gain root access to the x-term


    13/26

    PIX: Basic Features

    ASA's stateful inspection of traffic

    Assigning varying security levels to interfaces

    ACL

    Extensive logging

    Basic routing capability (including RIP)

    NAT

    Failover and redundancy

    Traffic authentication

    14/26

    PIX: Basic Features - ASA's stateful inspection of traffic

    PIX uses a basic set of rules to control traffic flow:

    - No packets can traverse the PIX w/o a translation, connection, and state.

    - Outbound connections are allowed, except those specifically denied by the ACLs.

    - Inbound connections are denied, except for those specifically allowed.

    - All ICMP packets are denied unless specifically permitted.

    - All attempts to circumvent the rules are dropped, and a message is sent to syslog.

    To tighten or relax some of these default rules: next few slides

    15/26

    PIX: Basic Features - Assigning varying security levels to interfaces

    PIX allows varying security levels to be assigned to its various interfaces, creating the so-called security zones.

    A PIX may have 2 to 10 interfaces.

    Each i/f can be assigned a level from 0 (least secure, usually the Internet) to 100 (most secure, usually the internal private network).

    Default rules:

    o Traffic from a higher security zone can enter a lower security zone. PIX keeps track of the connections for this traffic and allows the return traffic through.

    o Traffic from a lower security zone is not allowed to enter a higher security zone, unless explicitly permitted (such as using ACLs).
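    The ASA default rules (slide 14) and the security-level rules on this slide, combined in one added Python model that is not code from the slides or from Cisco: Packet, Pix, the interface names, levels and addresses are constructed, routing is assumed by giving each packet its outgoing interface, and ACL entries are plain (interface, protocol, destination, port) tuples rather than PIX access-list syntax.

```python
from dataclasses import dataclass, field

@dataclass(frozen=True)
class Packet:
    in_iface: str    # interface the packet arrives on
    out_iface: str   # interface it would leave by (routing is assumed, not modelled)
    src: str
    sport: int
    dst: str
    dport: int
    proto: str = "tcp"

@dataclass
class Pix:
    levels: dict                               # interface -> security level 0..100
    acl: set = field(default_factory=set)      # permitted (in_iface, proto, dst, dport)
    conns: set = field(default_factory=set)    # tracked flows as 5-tuples
    syslog: list = field(default_factory=list)

    def handle(self, p):
        fwd = (p.proto, p.src, p.sport, p.dst, p.dport)
        rev = (p.proto, p.dst, p.dport, p.src, p.sport)
        if rev in self.conns:
            return "permit"                    # return traffic of a tracked flow
        if (p.in_iface, p.proto, p.dst, p.dport) in self.acl:
            self.conns.add(fwd)                # explicitly permitted by an ACL
            return "permit"
        if p.proto != "icmp" and self.levels[p.in_iface] > self.levels[p.out_iface]:
            self.conns.add(fwd)                # higher -> lower: create connection state
            return "permit"
        self.syslog.append(f"deny {p.proto} {p.src}:{p.sport} -> {p.dst}:{p.dport} in {p.in_iface}")
        return "deny"                          # ICMP, or lower -> higher without an ACL

def demo():
    """Constructed hosts: inside 10.0.0.5, DMZ web server 192.0.2.10, outside 198.51.100.x."""
    pix = Pix(levels={"outside": 0, "dmz": 50, "inside": 100},
              acl={("outside", "tcp", "192.0.2.10", 80)})
    return [
        pix.handle(Packet("inside", "outside", "10.0.0.5", 40000, "198.51.100.7", 443)),
        pix.handle(Packet("outside", "inside", "198.51.100.7", 443, "10.0.0.5", 40000)),
        pix.handle(Packet("outside", "inside", "198.51.100.9", 5555, "10.0.0.5", 22)),
        pix.handle(Packet("outside", "dmz", "198.51.100.9", 5555, "192.0.2.10", 80)),
        pix.handle(Packet("dmz", "inside", "192.0.2.10", 6000, "10.0.0.5", 445)),
        pix.handle(Packet("inside", "outside", "10.0.0.5", 0, "198.51.100.7", 0, "icmp")),
    ], pix.syslog
```

    The six packets are, in order: an outbound web request, its reply, an unsolicited inbound SSH attempt, an inbound request to the DMZ web server permitted by the ACL, a DMZ host reaching into the inside network, and an outbound ping.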

    16/26

    PIX: Basic Features - ACL

    Mainly used to allow traffic from a less-secure portion of the network to enter a more-secure portion of the network.

    Information used in ACLs:

    - Source address

    - Destination address

    - Protocol numbers

    - Port numbers

    Examples:

    - To allow connections to be made to web or mail servers sitting on the DMZ of the PIX from the public network

    - To allow a machine on a DMZ network to access the private network behind the DMZ

    Use of ACLs must be governed by the network security policy. (Only use them when necessary)

    17/26

    PIX: Basic Features - Extensive logging

    System logs are sent and recorded in a central location (for example, the syslog server).

    PIX records the following types of syslog messages: Connection events, AAA events, Failover events, FTP/URL events, Mail Guard/SNMP events, PIX Firewall management events, Routing errors

    8 syslog logging levels: 0 (emergency), 1 (alert), 2 (critical condition), ..., 7 (debug message, log FTP command, etc.)

    A subset of the syslog messages may be displayed on the PIX console or a Telnet session screen.

    3rd party s/w (e.g., Private Eye) may be used to generate extensive reporting from the syslog messages.

    Info in the syslog may be used by PIX to help intrusion detection.

    18/26

    PIX: Basic Features

    Basic routing capability

    PIX supports some basic routing, including the use of default routes, static routes, and Routing Information Protocol (RIP).

    However, routing functionality in PIX is limited.

    19/26

    PIX: Basic Features - NAT

    PIX can perform NAT for packets traversing any two of its interfaces.

    By default, NAT must be set up for a connection state to be created.

    Examples:

    - The most common use of NAT is to sit between the private network behind the PIX (using an RFC 1918 space) and the Internet: translate and keep track of the addresses

    - NAT may also be used between two interfaces on the PIX, neither of which is on the public network.

    dynamic NAT vs static NAT: next

    20/26

    PIX: Basic Features

    static NAT: A type of NAT in which a private IP address is mapped to a public IP address, where the public address is always the same IP address (i.e., it has a static address). This allows an internal host, such as a Web server, to have an unregistered (private) IP address and still be reachable over the Internet.

    dynamic NAT: A type of NAT in which a private IP address is mapped to a public IP address drawing from a pool of registered (public) IP addresses. Typically, the NAT router in a network will keep a table of registered IP addresses, and when a private IP address requests access to the Internet, the router chooses an IP address from the table that is not at the time being used by another private IP address.

    Configuring NAT in PIX: http://www.cisco.com/warp/public/556/9.html

    With dynamic NAT, translations do not exist in the NAT table until the router receives traffic that requires translation. Dynamic translations have a timeout period after which they are purged from the translation table.

    With static NAT, translations exist in the NAT translation table as soon as you configure static NAT command(s), and they remain in the translation table until you delete the static NAT command(s).
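    The static versus dynamic translation-table behaviour described on this slide, as an added Python model that is not code from the slides or from Cisco: NatTable, its pool, the 300-second idle timeout and every address are constructed, and time is passed in explicitly as seconds rather than read from a clock.

```python
class NatTable:
    def __init__(self, pool, timeout):
        self.pool = list(pool)    # free public (registered) addresses, constructed
        self.timeout = timeout    # idle seconds before a dynamic entry is purged
        self.static = {}          # private -> public; exists as soon as configured
        self.dynamic = {}         # private -> (public, last_used)

    def purge(self, now):
        """Drop dynamic entries idle longer than the timeout; free their public addresses."""
        expired = [p for p, (_, last) in self.dynamic.items() if now - last > self.timeout]
        for p in expired:
            self.pool.append(self.dynamic.pop(p)[0])
        return expired

    def outbound(self, private, now):
        """Translate a packet leaving the private network; None when the pool is exhausted."""
        self.purge(now)
        if private in self.static:
            return self.static[private]
        if private in self.dynamic:
            public = self.dynamic[private][0]
        elif self.pool:
            public = self.pool.pop(0)         # entry created only when traffic arrives
        else:
            return None
        self.dynamic[private] = (public, now)  # (re)start the idle timer
        return public

    def inbound(self, public, now):
        """Map a packet arriving for a public address back to the private host, if any."""
        self.purge(now)
        for private, pub in self.static.items():
            if pub == public:
                return private                # static: reachable at any time
        for private, (pub, _) in self.dynamic.items():
            if pub == public:
                return private                # dynamic: only while the entry is live
        return None

def demo():
    nat = NatTable(pool=["203.0.113.10", "203.0.113.11"], timeout=300)
    nat.static["10.0.0.80"] = "203.0.113.80"       # DMZ web server, configured statically
    return (nat.inbound("203.0.113.80", now=0),     # static works before any outbound traffic
            nat.outbound("10.0.0.5", now=10),       # first pool address
            nat.outbound("10.0.0.6", now=20),       # second pool address
            nat.outbound("10.0.0.7", now=30),       # None: pool exhausted
            nat.inbound("203.0.113.10", now=100),   # 10.0.0.5 while the entry is live
            nat.inbound("203.0.113.10", now=400),   # None: purged after 300 s idle
            nat.outbound("10.0.0.7", now=410))      # gets the freed address
```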

    21/26

    PIX: Basic Features - Failover and redundancy

    The failover capability allows a standby PIX to take over the functionality of the primary PIX, as soon as it fails.

    Stateful failover: The connection info stored on the failing PIX is transferred to the PIX taking over.

    The standby PIX assumes the IP and MAC addresses of the failed PIX.

    Terminology related to failover:

    - Active unit vs Standby unit

    - Primary unit vs Secondary unit

    Question: relationships between active/standby and primary/secondary?

    - System IP vs Failover IP

    System IP: the address of the primary unit upon bootup

    Failover IP: that of the secondary unit

    (Diagram: primary and secondary units in the active and standby roles)

    22/26

    PIX: Basic Features - Failover and redundancy

    How does failover work?

    A failover cable (RS-232 serial) connects the primary unit and the secondary unit, allowing the secondary unit to detect the primary unit's power status, and failover communication in between.

    (In the case of stateful failover) The state info is transferred via an Ethernet cable connecting the primary unit and the secondary unit.

    Every 15 seconds, special failover hello packets are sent in between the two units for synchronization.

    Requirements: The h/w, s/w, and configurations on the two PIXes must be identical.

    23/26

    PIX: Basic Features - Failover and redundancy

    Limitations of CISCO PIX failover?

    Some info is not replicated between the two units:

    - User authentication table

    - ISAKMP and IPsec SA table

    - ARP table

    - Routing info

    The secondary unit must rebuild the info to perform the functions of the failed unit.

    24/26

    PIX: Basic Features - Traffic authentication

    Traffic authentication on PIX: Cut-through proxy authentication

    Only when the authentication occurring during the establishment of a given connection succeeds would PIX allow the data flow to be established through it.

    A successfully authenticated connection is entered into the ASA as a valid state.

    As soon as an authenticated connection is established, PIX lets the rest of the packets belonging to that connection go through without further authentication.

    PIX supports both TACACS+ and RADIUS as the AAA servers.

    25/26

    Advanced Features of PIX

    - Aliasing: NAT on the destination addresses; DNS doctoring (modification) of a DNS server's address

    - x Guards: flood guard, frag guard, mail guard, & DNS guard

    - Advanced filtering

    - Multimedia support

    - Spoof detection (via URPF)

    - Protocol fixup sysopt commands

    - Multicast support

    - Fragment handling

    26/26

    Case studies

    - PIX with 3 interfaces, running a web server on the DMZ

    - PIX setup for failover to a secondary device

    - PIX setup to use the alias command for a server sitting on the DMZ (a case of NAT on the destination address)

    - PIX setup for cut-through proxy authentication and authorization

    - Scaling PIX configurations using object groups and turbo ACLs