Title: First Slide in a Presentation


© 2004, 2005 Cisco Systems, Inc. All rights reserved.

Network Security 1
Module 9 – Configure Filtering on a PIX Security Appliance

Learning Objectives
– 9.1 Configure ACLs and Content Filters
– 9.2 Object Grouping
– 9.3 Configure a Security Appliance Modular Policy
– 9.4 Configure Advanced Protocol Inspection

Module 9 – Configure Filtering on a PIX Security Appliance
9.1 Configure ACLs and Content Filters

PIX Security Appliance ACLs

access-list command

access-group command

nat 0 access-list command

ACL Line Numbers

icmp command

NAT 0 ACLs – NAT “Zero” or No NAT

Turbo ACL – Not supported by PIX 7.x OS
pixfirewall(config)# access-list compiled
• Enables the Turbo ACL feature on all ACLs.
• Turbo compiles all ACLs with 19 or more entries.
pixfirewall(config)# access-list acl_ID compiled
• Enables the Turbo ACL feature for a specific ACL.

Java Applet Filtering
– Java applet filtering enables an administrator to prevent the downloading of Java applets by an inside system.
– Java programs can provide a vehicle through which an inside system can be invaded.
– Java applets are executable programs that are banned within some security policies.

ActiveX Blocking
• ActiveX controls are applets that can be inserted in web pages or other applications.
• ActiveX controls can provide a way for someone to attack servers.
• The PIX Security Appliance can be used to block ActiveX controls.

filter activex | java Command
pixfirewall(config)# filter activex | java port[-port] local_ip mask foreign_ip mask
– Filters out ActiveX usage from outbound packets.
– Filters out Java applets that return to the PIX Security Appliance from an outbound connection.

Designate the URL-Filtering Server
pixfirewall(config)# url-server [(if_name)] [vendor websense] host local_ip [timeout seconds] [protocol TCP | UDP version [1 | 4]]
• Designates a server that runs a Websense URL-filtering application.
pixfirewall(config)# url-server [(if_name)] vendor n2h2 host local_ip [port number] [timeout seconds] [protocol TCP | UDP]
• Designates a server that runs an N2H2 URL-filtering application.
pixfirewall(config)# url-server (dmz) host 172.16.0.3 protocol TCP version 4
• The URL-filtering host is on the DMZ interface at IP address 172.16.0.3. The PIX Security Appliance performs a username lookup, and then the URL-filtering server handles URL filtering and username logging.

Configure the PIX Security Appliance to Work with a URL-Filtering Server
pixfirewall(config)# filter url port[-port] | except local_ip local_mask foreign_ip foreign_mask [allow] [proxy-block] [longurl-truncate | longurl-deny] [cgi-truncate]
• Prevents outbound users from accessing URLs that are designated with the URL-filtering application.
pixfirewall(config)# filter url http 0 0 0 0 allow
• Tells the PIX Security Appliance how to filter requests.

Module 9 – Configure Filtering on a PIX Security Appliance
9.2 Object Grouping

Grouping Objects of Similar Types
– Services: MYSERVICES
  • SMTP
  • FTP
– Protocols: MYPROTOCOLS
  • UDP
  • IPSec
– Networks/Hosts: MYCLIENTS
  • Subnet 10.0.0.0/11
  • 10.0.1.11
  • 10.0.2.11
– ICMP-type: PING

Using Object Groups in ACLs
Without object groups (12 entries):
pixfirewall(config)# access-list ACLOUT permit tcp 10.0.0.0 255.255.255.0 host 172.26.26.50
pixfirewall(config)# access-list ACLOUT permit icmp 10.0.0.0 255.255.255.0 host 172.26.26.50
pixfirewall(config)# access-list ACLOUT permit tcp 10.0.0.0 255.255.255.0 host 172.26.26.51
pixfirewall(config)# access-list ACLOUT permit icmp 10.0.0.0 255.255.255.0 host 172.26.26.51
pixfirewall(config)# access-list ACLOUT permit tcp host 10.0.1.11 host 172.26.26.50
pixfirewall(config)# access-list ACLOUT permit icmp host 10.0.1.11 host 172.26.26.50
pixfirewall(config)# access-list ACLOUT permit tcp host 10.0.1.11 host 172.26.26.51
pixfirewall(config)# access-list ACLOUT permit icmp host 10.0.1.11 host 172.26.26.51
pixfirewall(config)# access-list ACLOUT permit tcp host 10.0.2.11 host 172.26.26.50
pixfirewall(config)# access-list ACLOUT permit icmp host 10.0.2.11 host 172.26.26.50
pixfirewall(config)# access-list ACLOUT permit tcp host 10.0.2.11 host 172.26.26.51
pixfirewall(config)# access-list ACLOUT permit icmp host 10.0.2.11 host 172.26.26.51
With object groups (one entry):
pixfirewall(config)# access-list ACLOUT permit object-group MYPROTOCOLS object-group CLIENTS object-group SERVERS

Using Object Groups in ACLs
Pix1(config)# object-group ?
configure mode commands/options:
  icmp-type  Specifies a group of ICMP types, such as echo
  network    Specifies a group of host or subnet IP addresses
  protocol   Specifies a group of protocols, such as TCP, etc
  service    Specifies a group of TCP/UDP ports/services
Pix1(config)# object-group network INSIDE-HOSTS
Pix1(config-network)# network-object 192.168.2.11 255.255.255.255
Pix1(config-network)# network-object host insidehost
Pix1(config-network)# show run
!
object-group network INSIDE-HOSTS
  network-object 192.168.1.0 255.255.255.0
  network-object 192.168.2.11 255.255.255.255
  network-object host insidehost

Using Object Groups in ACLs
• Creating groups of services
Pix1(config)# object-group service SERV tcp
Pix1(config-service)# port-object eq 80
Pix1(config-service)# port-object eq https
Pix1(config-service)# port-object eq ftp
Pix1(config-service)# sh run
!
object-group service SERV tcp
  port-object eq www
  port-object eq https
  port-object eq ftp
!

Nested Object Groups
• Do not confuse the object-group command with the group-object command.
• The group-object command adds existing object groups to an object group.
!
object-group network INSIDE-HOSTS
  network-object 192.168.1.0 255.255.255.0
  network-object host insidehost
object-group network DMZ-HOSTS
  network-object 172.16.5.0 255.255.255.0
  network-object 172.16.6.0 255.255.255.0
object-group network ALL-HOSTS
  group-object INSIDE-HOSTS
  group-object DMZ-HOSTS
!

Configuring and Using Object Groups
• Complete the following tasks to create object groups and use them in your configuration:
– Task 1—Use the object-group command to enter the appropriate subcommand mode for the type of group you want to configure.
– Task 2—In subcommand mode, define the members of the object group.
– Task 3—(Optional.) Use the description sub-command to describe the object group.
– Task 4—Use the exit or quit command to return to configuration mode.
– Task 5—(Optional.) Use the show object-group command to verify that the object group has been configured successfully.
– Task 6—Apply the access-list command to the object group.
– Task 7—(Optional.) Use the show access-list command to display the expanded access-list entries.

object-group Command
pixfirewall(config)# object-group network grp_id
• Assigns a name to a Network group and enables the Network subcommand mode.
pixfirewall(config)# object-group service grp_id tcp | udp | tcp-udp
• Assigns a name to a Service group and enables the Service subcommand mode.
pixfirewall(config)# object-group protocol grp_id
• Assigns a name to a Protocol group and enables the Protocol subcommand mode.
pixfirewall(config)# object-group icmp-type grp_id
• Assigns a name to an ICMP-type group and enables the ICMP-type subcommand mode.
pixfirewall(config)# object-group network CLIENTS
• Assigns the name CLIENTS to a Network group and enables the Network subcommand mode.

Configuring Network Object Groups
pixfirewall(config)# object-group network grp_id
• Assigns a name to the group and enables the Network sub-command mode.
pixfirewall(config-network)# network-object host host_addr | host_name
• Assigns hosts to the Network object group.
pixfirewall(config-network)# network-object net_addr netmask
• Assigns networks to the Network object group.
pixfirewall(config)# object-group network CLIENTS
pixfirewall(config-network)# network-object host 10.0.1.11
pixfirewall(config-network)# network-object 10.0.0.0 255.255.255.0
• Creates a Network object group named CLIENTS, which consists of host 10.0.1.11 and network 10.0.0.0 255.255.255.0.

Configuring Service Object Groups
pixfirewall(config)# object-group service grp_id tcp | udp | tcp-udp
• Assigns a name to a Service group and enables the Service sub-command mode.
pixfirewall(config-service)# port-object eq service
• Assigns a single TCP or UDP port number to the Service object group.
pixfirewall(config-service)# port-object range begin_service end_service
• Assigns a range of TCP or UDP port numbers to the Service object group.
pixfirewall(config)# object-group service MYSERVICES tcp
pixfirewall(config-service)# port-object eq http
pixfirewall(config-service)# port-object eq ftp
• Creates a Service group named MYSERVICES, which contains HTTP and FTP.

Configuring Protocol Object Groups
pixfirewall(config)# object-group protocol grp_id
• Assigns a name to a Protocol group and enables the Protocol sub-command mode.
pixfirewall(config-protocol)# protocol-object protocol
• Assigns a protocol to the Protocol object group.
pixfirewall(config)# object-group protocol MYPROTOCOLS
pixfirewall(config-protocol)# protocol-object icmp
pixfirewall(config-protocol)# protocol-object tcp
• Creates a Protocol group named MYPROTOCOLS, which contains ICMP and TCP.

Configuring ICMP-Type Object Groups
pixfirewall(config)# object-group icmp-type grp_id
• Assigns a name to an ICMP-Type group and enables the icmp-type sub-command mode.
pixfirewall(config-icmp-type)# icmp-object icmp-type
• Assigns an ICMP message type to the object group.
pixfirewall(config)# object-group icmp-type PING
pixfirewall(config-icmp-type)# icmp-object echo
pixfirewall(config-icmp-type)# icmp-object echo-reply
• Creates an ICMP-Type group named PING, which contains the echo and echo-reply message types.

Configuring Nested Object Groups
• Complete the following steps to configure nested object groups:
– Step 1—Assign a group identity to the object group that you want to nest within another object group.
– Step 2—Add the appropriate type of objects to the object group.
– Step 3—Assign a group identity to the object group within which you want to nest another object group.
– Step 4—Add the first object group to the group that will contain it.
– Step 5—Add any other objects that are required to the group.

group-object Command
pixfirewall(config-group-type)# group-object object_group_id
• Nests an object group within another object group.
pixfirewall(config)# object-group service SERVICESA tcp
pixfirewall(config-service)# port-object eq smtp
pixfirewall(config-service)# port-object eq ftp
pixfirewall(config-service)# exit
pixfirewall(config)# object-group service SERVICES tcp
pixfirewall(config-service)# group-object SERVICESA

access-list Command for Object Grouping
pixfirewall(config)# access-list acl_ID deny | permit object-group protocol_obj_grp_id object-group network_obj_grp_id [object-group service_obj_grp_id] object-group network_obj_grp_id object-group service_obj_grp_id
• Creates an access list containing object groups.
pixfirewall(config)# access-list ACLIN permit tcp object-group REMOTECLIENTS object-group LOCALSERVERS object-group MYSERVICES

Nested Object Group Example
pixfirewall(config)# object-group network HOSTGROUP1
pixfirewall(config-network)# network-object host 10.0.0.11
pixfirewall(config-network)# network-object host 10.0.0.12
pixfirewall(config-network)# exit
pixfirewall(config)# object-group network HOSTGROUP2
pixfirewall(config-network)# network-object host 10.0.0.13
pixfirewall(config-network)# network-object host 10.0.0.14
pixfirewall(config-network)# exit
pixfirewall(config)# object-group network ALLHOSTS
pixfirewall(config-network)# group-object HOSTGROUP1
pixfirewall(config-network)# group-object HOSTGROUP2
pixfirewall(config-network)# exit
pixfirewall(config)# access-list ALL permit tcp object-group ALLHOSTS any eq ftp
pixfirewall(config)# access-group ALL in interface inside

Multiple Object Groups in ACLs
pixfirewall(config)# show static
static (inside,outside) 192.168.1.10 10.0.1.11 netmask 255.255.255.255
static (inside,outside) 192.168.1.12 10.0.1.12 netmask 255.255.255.255
static (inside,outside) 192.168.2.10 10.0.2.11 netmask 255.255.255.255
static (inside,outside) 192.168.2.12 10.0.2.12 netmask 255.255.255.255
pixfirewall(config)# show object-group
object-group network REMOTES
  network-object host 172.26.26.50
  network-object host 172.26.26.51
object-group network LOCALS1
  network-object host 192.168.1.10
  network-object host 192.168.1.12
object-group network LOCALS2
  network-object host 192.168.2.10
  network-object host 192.168.2.12
object-group network ALLLOCALS
  group-object LOCALS1
  group-object LOCALS2
object-group service BASIC
  port-object eq ftp
  port-object eq smtp
pixfirewall(config)# access-list INBOUND permit tcp object-group REMOTES object-group ALLLOCALS object-group BASIC

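The twelve-entry ACLOUT list on the earlier "Using Object Groups in ACLs" slide and the single INBOUND entry above illustrate the same idea: one ACE written with object groups stands for the cross product of its groups' members, and the show access-list command of Task 7 displays that expanded form. The Python script below is an added example, not Cisco code, that performs this expansion: it resolves nested group-object references (refusing undefined groups, type mismatches and nesting cycles) and then takes the product of the positional terms. The group definitions are constructed to mirror the slides' show object-group output, and the small ACE grammar it accepts (permit/deny, a protocol or protocol group, host/network-mask/any, eq or range ports) is an assumption that covers only the forms shown in this module.

```python
"""Expand an object-group ACE into the concrete entries it stands for.
Added example; the groups below are constructed from the slides' output."""
from itertools import product

OBJECT_GROUPS = {
    # name: (group type, members in show-run syntax)
    "MYPROTOCOLS": ("protocol", ["tcp", "icmp"]),
    "CLIENTS":     ("network", ["10.0.0.0 255.255.255.0", "host 10.0.1.11",
                                "host 10.0.2.11"]),
    "SERVERS":     ("network", ["host 172.26.26.50", "host 172.26.26.51"]),
    "REMOTES":     ("network", ["host 172.26.26.50", "host 172.26.26.51"]),
    "LOCALS1":     ("network", ["host 192.168.1.10", "host 192.168.1.12"]),
    "LOCALS2":     ("network", ["host 192.168.2.10", "host 192.168.2.12"]),
    "ALLLOCALS":   ("network", ["group-object LOCALS1", "group-object LOCALS2"]),
    "BASIC":       ("service", ["eq ftp", "eq smtp"]),
}


def resolve(group_id, groups, _stack=()):
    """Flatten a group, following group-object nesting of the same type.
    Raises on undefined groups, type mismatches and nesting cycles."""
    if group_id in _stack:
        raise ValueError("nesting cycle: " + " -> ".join(_stack + (group_id,)))
    if group_id not in groups:
        raise KeyError(f"object-group {group_id} is not defined")
    kind, members = groups[group_id]
    flat = []
    for member in members:
        if member.startswith("group-object "):
            nested = member.split()[1]
            flat.extend(resolve(nested, groups, _stack + (group_id,)))
            if groups[nested][0] != kind:
                raise TypeError(f"{nested} is not a {kind} object group")
        else:
            flat.append(member)
    return flat


def _is_ipv4(token):
    parts = token.split(".")
    return len(parts) == 4 and all(p.isdigit() and int(p) <= 255 for p in parts)


def _terms(ace, groups):
    """Split an ACE into positional terms; each term lists its alternatives.
    Grammar is an assumption covering only the forms on these slides."""
    tokens = ace.split()
    action, rest = tokens[0], tokens[1:]
    if action not in ("permit", "deny"):
        raise ValueError(f"ACE must start with permit or deny: {ace}")
    terms = []
    i = 0
    while i < len(rest):
        tok = rest[i]
        if tok == "object-group":
            terms.append(resolve(rest[i + 1], groups))
            i += 2
        elif tok in ("host", "eq"):
            terms.append([f"{tok} {rest[i + 1]}"])
            i += 2
        elif tok == "range":
            terms.append([f"range {rest[i + 1]} {rest[i + 2]}"])
            i += 3
        elif _is_ipv4(tok) and i + 1 < len(rest) and _is_ipv4(rest[i + 1]):
            terms.append([f"{tok} {rest[i + 1]}"])   # network and mask
            i += 2
        else:
            terms.append([tok])                        # protocol name or "any"
            i += 1
    return action, terms


def expand_ace(ace, groups=OBJECT_GROUPS):
    """Return every concrete ACE the object-group ACE stands for."""
    action, terms = _terms(ace, groups)
    return [f"{action} " + " ".join(combo) for combo in product(*terms)]


if __name__ == "__main__":
    for ace in ("permit object-group MYPROTOCOLS object-group CLIENTS object-group SERVERS",
                "permit tcp object-group REMOTES object-group ALLLOCALS object-group BASIC"):
        entries = expand_ace(ace)
        print(f"{ace}\n  expands to {len(entries)} entries, e.g. {entries[0]}")
```

Running the script reproduces the slide's count: the ACLOUT entry expands to 2 protocols x 3 clients x 2 servers = 12 lines, and the INBOUND entry to 2 x 4 x 2 = 16. The cycle check matters because a nested group that eventually references itself would otherwise recurse forever; the appliance rejects such a configuration at entry time, and a reviewer's tool should too.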
Removing Configured Object Groups
pixfirewall(config)# no object-group service grp_id tcp | udp | tcp-udp
• Removes a specific service object group.
pixfirewall(config)# no object-group protocol | network | icmp-type grp_id
• Removes a specific protocol, network or icmp-type object group.
pixfirewall(config)# no object-group network ALLHOSTS
• Removes object group ALLHOSTS and all Protocol object groups.

Module 9 – Configure Filtering on a PIX Security Appliance
9.3 Configure a Security Appliance Modular Policy

Modular Policy Overview

Modular Policy

Assign a Class Map Name

Class Map – Define a Class of Traffic

Policy Map Overview

Assign a Policy Map Name

Service Policy

Module 9 – Configure Filtering on a PIX Security Appliance
9.4 Configure Advanced Protocol Inspection

Need for Advanced Protocol Handling
Some popular protocols or applications behave as follows:
• Negotiate connections to dynamically assigned source or destination ports or IP addresses.
• Embed source or destination port or IP address information above the network layer.
A good firewall has to inspect packets above the network layer and do the following as required by the protocol or application:
• Securely open and close negotiated ports or IP addresses for legitimate client-server connections through the firewall.
• Use NAT-relevant instances of IP addresses inside a packet.
• Use PAT-relevant instances of ports inside a packet.
• Inspect packets for signs of malicious application misuse.

inspect Command

FTP Inspection
FTP uses two channels:
• Command connection (TCP)
• Data connection (TCP)
FTP inspection:
• Address translation in the message
• Dynamically create openings for FTP data connections
• Stateful tracking of request and response messages
• Optionally, FTP strict prevents web browsers from sending embedded commands in FTP requests.
FTP Deep Packet Inspection:
• Added to strict inspection functionality
• Command filtering: disallow specific commands.

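To make the bullets "address translation in the message" and "dynamically create openings for FTP data connections" concrete, here is an added Python example; it is not Cisco's inspection engine. It parses the client's PORT command and the server's 227 passive-mode reply, rewrites the inside address embedded in PORT using a constructed NAT table (the equivalent of the static translations shown earlier), derives the TCP opening the data connection will need, and applies a strict one-command-per-line check plus a constructed deny list in the spirit of the strict and command-filtering bullets. The NAT table, the deny list and the sample lines are all assumptions made for the example.

```python
"""Toy FTP inspection: PORT/PASV parsing, embedded-address NAT rewrite,
data-channel pinhole derivation, strict single-command check, deny list.
Added example, not Cisco code; tables below are constructed."""
import re
import string
from dataclasses import dataclass

# Constructed NAT table: inside address -> global address (like a `static`)
NAT_TABLE = {"10.0.1.11": "192.168.1.10"}
# Constructed deny list standing in for ftp-map command filtering
DENIED_COMMANDS = {"SITE", "DELE"}

_SIX = r"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})"
PORT_RE = re.compile(r"^PORT " + _SIX + r"$")          # client: PORT h1,h2,h3,h4,p1,p2
PASV_RE = re.compile(r"^227 .*\(" + _SIX + r"\)")      # server: 227 ... (h1,...,p2)


@dataclass(frozen=True)
class Pinhole:
    """One dynamically opened data-channel opening (always TCP for FTP)."""
    direction: str   # "inbound" toward the client's global address, or "outbound"
    ip: str
    port: int


def _decode(groups):
    """Turn the six comma-separated bytes into (ip, port); reject bad bytes."""
    nums = [int(g) for g in groups]
    if max(nums) > 255:
        raise ValueError("address byte or port byte out of range")
    h1, h2, h3, h4, p1, p2 = nums
    return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2


def _encode(ip, port):
    return ",".join(ip.split(".") + [str(port // 256), str(port % 256)])


def strict_check(line):
    """FTP strict: one printable command per line, no embedded CR or LF."""
    body = line[:-2] if line.endswith("\r\n") else line
    if any(ch not in string.printable or ch in "\r\n" for ch in body):
        raise ValueError(f"embedded control characters in request: {body!r}")
    return body


def inspect_client_command(line, nat_table=NAT_TABLE, denied=DENIED_COMMANDS):
    """Return (line_to_forward, pinhole_or_None); raise ValueError to drop."""
    body = strict_check(line)
    verb = body.split(" ", 1)[0].upper()
    if verb in denied:
        raise ValueError(f"command {verb} denied by policy")
    m = PORT_RE.match(body)
    if not m:
        return line, None                      # nothing to translate or open
    inside_ip, port = _decode(m.groups())
    global_ip = nat_table.get(inside_ip, inside_ip)
    # Active mode: the server connects back to this address/port, so rewrite
    # the embedded inside address and open an inbound opening to it.
    forwarded = "PORT " + _encode(global_ip, port) + "\r\n"
    return forwarded, Pinhole("inbound", global_ip, port)


def inspect_server_reply(line):
    """227 Entering Passive Mode: the client will connect out to ip:port."""
    m = PASV_RE.match(line.rstrip("\r\n"))
    if not m:
        return None
    ip, port = _decode(m.groups())
    return Pinhole("outbound", ip, port)


if __name__ == "__main__":
    # Constructed sample exchange
    print(inspect_client_command("PORT 10,0,1,11,4,1\r\n"))
    print(inspect_server_reply("227 Entering Passive Mode (172,26,26,50,8,0).\r\n"))
```

The PORT rewrite is why inspection must be on the path whenever NAT is: without it the server would receive the unroutable inside address 10.0.1.11 and the active-mode data connection would never arrive. The strict check rejects a request line that carries a second command behind an embedded line break, which is the pattern the slide's "embedded commands" bullet refers to; the deny list shows where command filtering plugs in.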
Active FTP Inspection

Passive FTP Inspection

FTP Deep Packet Inspection – Command Filtering

Adding an ftp-map to a policy-map

HTTP Inspection

Enhanced HTTP Inspection

ICMP Inspection

SNMP Inspection

Why Multimedia Is an Issue
– Multimedia applications behave in unique ways:
  • Use dynamic ports.
  • Transmit a request using TCP and get responses in UDP or TCP.
  • Use the same port for source and destination.
– The PIX Security Appliance:
  • Dynamically opens and closes conduits for secure multimedia connections.
  • Supports multimedia with or without NAT.

Real-Time Streaming Protocol
– Real-Time audio and video delivery protocol uses one TCP and two UDP channels.
– RTSP-TCP-only mode does not require special handling by the PIX Security Appliance.
– Transport options:
  • Real-Time Transport Protocol (RTP).
  • Real Data Transport Protocol (RDT).
– Sync or resend channel:
  • Real-Time Control Protocol (RTCP).
  • UDP resend.
– Supported applications:
  • Cisco IP/TV.
  • Apple QuickTime 4.
  • RealNetworks:
    – RealAudio.
    – RealPlayer.
    – RealServer.
– RDT Multicast is not supported.

Standard RTP Mode
– In standard RTP mode, RTSP uses the following three channels:
  • Control connection (TCP).
  • RTP data (simplex UDP).
  • RTCP reports (duplex UDP).
– For outbound connections, the PIX Security Appliance opens inbound ports for RTP data and RTCP reports.
– For inbound connections, the PIX Security Appliance handles standard RTP mode as follows:
  • If outbound traffic is allowed, no special handling is required.
  • If outbound traffic is not allowed, it opens outbound ports for RTP and RTCP.

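The UDP port numbers for the RTP and RTCP channels are negotiated on the TCP control connection, in the Transport header of the SETUP request and its reply; that is what the appliance has to read to open the inbound ports the slide describes. The following Python example is added here and is not Cisco code: it takes the SETUP exchange for an outbound session and returns the inbound UDP openings toward the inside client, returning none when the reply selects interleaved (TCP-only) transport, which the earlier slide says needs no special handling. The RTSP messages and the inside client address are constructed; the check that the reply's client_port matches what the client requested is a defensive choice of this example, so that a reply alone cannot open holes toward ports the inside host never asked for.

```python
"""Derive inbound UDP openings for one outbound RTSP session in standard
RTP mode from the SETUP request/reply pair. Added example, not Cisco code;
messages and addresses below are constructed."""
import re
from dataclasses import dataclass

_PAIR = r"(\d+)-(\d+)"
CLIENT_PORT_RE = re.compile(r"client_port=" + _PAIR)
SERVER_PORT_RE = re.compile(r"server_port=" + _PAIR)


@dataclass(frozen=True)
class Pinhole:
    proto: str
    direction: str    # "inbound": server -> inside client
    ip: str
    port: int
    channel: str


def transport_header(message):
    """Return the value of the Transport header of an RTSP message."""
    for line in message.split("\r\n"):
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "transport":
            return value.strip()
    raise ValueError("RTSP message has no Transport header")


def rtp_pinholes(client_ip, setup_request, setup_reply):
    """Openings needed so the server's RTP data and RTCP reports reach the
    inside client. Returns [] for interleaved (TCP-only) transport."""
    requested = transport_header(setup_request)
    granted = transport_header(setup_reply)
    if "interleaved=" in granted:
        return []                  # media rides the existing TCP control connection
    if not granted.startswith("RTP/AVP"):
        raise ValueError(f"unsupported transport: {granted}")
    want = CLIENT_PORT_RE.search(requested)
    got = CLIENT_PORT_RE.search(granted)
    if not want or not got or want.groups() != got.groups():
        # Only the ports the inside client itself asked for may be opened.
        raise ValueError("client_port in reply does not match the request")
    if not SERVER_PORT_RE.search(granted):
        raise ValueError("reply lacks server_port")
    rtp_port, rtcp_port = (int(p) for p in got.groups())
    return [
        Pinhole("udp", "inbound", client_ip, rtp_port, "RTP data (simplex)"),
        Pinhole("udp", "inbound", client_ip, rtcp_port, "RTCP reports (duplex)"),
    ]


# Constructed SETUP exchange; server name, ports and session id are made up
SETUP_REQUEST = (
    "SETUP rtsp://server.example/stream/track1 RTSP/1.0\r\n"
    "CSeq: 2\r\n"
    "Transport: RTP/AVP;unicast;client_port=4588-4589\r\n\r\n"
)
SETUP_REPLY = (
    "RTSP/1.0 200 OK\r\n"
    "CSeq: 2\r\n"
    "Session: 12345678\r\n"
    "Transport: RTP/AVP;unicast;client_port=4588-4589;server_port=6256-6257\r\n\r\n"
)

if __name__ == "__main__":
    for hole in rtp_pinholes("10.0.1.11", SETUP_REQUEST, SETUP_REPLY):
        print(hole)
```

Because RTCP is duplex, the client's own RTCP packets travel outbound over the normal higher-to-lower security path; the opening the firewall must add is the inbound one for the server's reports, which is why both pinholes above point at the client.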
RealNetworks’ RDT Mode
– In RealNetworks’ RDT mode, RTSP uses the following three channels:
  • Control connection (TCP).
  • UDP data (simplex UDP).
  • UDP resend (simplex UDP).
– For outbound connections, the PIX Security Appliance handles RealNetworks’ RDT mode as follows:
  • If outbound traffic is allowed, it opens an inbound port for UDP data.
  • If outbound traffic is not allowed, it opens an inbound port for UDP data and an outbound port for UDP resend.
– For inbound connections, the PIX Security Appliance handles RealNetworks’ RDT mode as follows:
  • If outbound traffic is allowed, it opens an inbound port for UDP resend.
  • If outbound traffic is not allowed, it opens an outbound port for UDP data and an inbound port for UDP resend.

H.323
– Real-time multimedia communications delivery specification uses two TCP and several UDP sessions for a single “call”.
– Supported H.323 versions:
  • H.323 v1.
  • H.323 v2 (software versions 5.2 and higher).
– H.323 protocols and standards:
  • H.225—Registration, Admission, and Status (RAS).
  • H.225—Call Signaling.
  • H.245—Control Signaling.
  • TPKT Header.
  • Q.931 Messages.
  • Abstract Syntax Notation (ASN.1) (PIX Security Appliance 5.2).
  • Gatekeeper.
– Supported applications:
  • Cisco Multimedia Conference Manager.
  • Microsoft NetMeeting.
  • Intel Video Phone.
  • CUseeMe Networks: MeetingPoint, CUseeMe Pro.
  • VocalTec: Internet Phone.

Cisco IP Phones and the PIX Security Appliance’s DHCP Server
– Cisco IP phones:
  • Download their configurations from a TFTP server.
  • Request an IP address and the IP address of a TFTP server from a DHCP server.
– The PIX Security Appliance:
  • Supports DHCP option 150 for providing the IP addresses of a list of TFTP servers.
  • Supports DHCP option 66 for providing the IP address of a single TFTP server.

DNS Inspection

DNS Record Translation