Object groups (introduced in PIX 6.2) are a very useful mechanism for controlling the size of the PIX configurations and avoiding inputting redundant information in the PIX. Object grouping provides a way to reduce the number of access rules required to describe complex security policies. Object groups allow two main things to happen:
• Group several hosts that have similar access requirements so that a single access rule can be applied to all of them, rather than creating a separate rule for each host. This also makes the configuration more meaningful and easier to compare against the network access policy.
• Group several services or protocols so that they can be applied to a range of hosts at the same time. This again avoids the need to create a separate rule for each host that needs to use these services.

TurboACL is a feature introduced with PIX Firewall version 6.2 that improves the average search time for access control lists containing a large number of entries. The TurboACL feature causes the PIX Firewall to compile tables for ACLs; this improves searching of long ACLs. If an ACL contains more than 19 entries and is set up for turbo access list compilation, PIX compiles the access list for faster processing. This is a useful feature to have in environments that require a large number of access lists to be set up.
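As an added example (not code from the book), the following Python script expands the object-group references in access-list lines into the individual entries that, as the chapter notes, show access-list displays; the sample configuration is constructed from the groups in Example 8-5, and the one-space indentation of group member lines is an assumption made for parsing.

```python
import re

# Constructed sample mirroring the groups and two ACLs of Example 8-5 (members indented for readability).
SAMPLE_CONFIG = """\
object-group network host_group_1
 network-object host 100.1.1.10
 network-object host 100.1.1.11
object-group network host_group_2
 network-object host 100.1.1.20
 network-object host 100.1.1.30
object-group network all_groups
 group-object host_group_1
 group-object host_group_2
object-group service outbound_services tcp
 port-object eq www
 port-object eq smtp
access-list all permit tcp any object-group all_groups eq www
access-list outbound_services_acl permit tcp 10.1.1.0 255.255.255.0 any object-group outbound_services
"""

def parse_groups(config):
    """Map each object-group name to its raw member lines (not yet flattened)."""
    groups, current = {}, None
    for line in config.splitlines():
        m = re.match(r"object-group (?:network|service) (\S+)", line)
        if m:
            current, groups[m.group(1)] = m.group(1), []
        elif current and line.startswith(" "):
            groups[current].append(line.strip())
    return groups

def expand_group(name, groups, seen=()):
    """Flatten a group to concrete members; group-object entries recurse, cycles are rejected."""
    if name in seen:
        raise ValueError(f"object-group cycle at {name}")
    return [leaf for member in groups[name]
            for kind, rest in [member.split(" ", 1)]  # e.g. "network-object", "host 100.1.1.10"
            for leaf in (expand_group(rest, groups, seen + (name,)) if kind == "group-object" else [rest])]

def expand_acl(config):
    """One ACE per group member: the expanded form that 'show access-list' displays."""
    groups, aces = parse_groups(config), []
    for line in (l for l in config.splitlines() if l.startswith("access-list")):
        variants = [line]
        while any("object-group" in v for v in variants):  # a line may name several groups
            variants = [f"{pre}{member}{post}" for v in variants
                        for pre, gname, post in [re.split(r"object-group (\S+)", v, maxsplit=1)]
                        for member in expand_group(gname, groups)]
        aces.extend(variants)
    return aces
```

Counting the returned entries per ACL is also a quick way to see which lists exceed the 19-entry threshold at which turbo compilation takes effect.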
aaa authentication match 101 outside AuthInbound
aaa authentication match 101 inside AuthOutbound
aaa authorization match 101 outside AuthInbound
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
no sysopt route dnat
isakmp identity hostname
telnet timeout 5
ssh timeout 5
terminal width 80
: end
Example 8-4 How PIX Is Set up to Do Authorization and Authentication (Continued)
Example 8-5 describes how object groups and Turbo ACLs are used. The implementation of LAN failover, meaning stateful failover over a LAN interface instead of the serial cable, is also discussed. Among other things, this feature allows the distance limitations of the serial failover cable between the primary and secondary PIX to be overcome.
Figure 8-16 shows the network topology that this configuration implements.
Figure 8-16 Network Topology for This Case Study
Example 8-5 How Object Groups and Turbo ACLs Are Used
pixfirewall#wr t
Building configuration...
: Saved :
PIX Version 6.2(1)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 failstate security20
nameif ethernet3 LANfail security30
enable password <removed> encrypted
passwd <removed> encrypted
hostname pixfirewall
domain-name sjpki.com
fixup protocol ftp 21
fixup protocol http 80
fixup protocol h323 h225 1720
[Figure 8-16 residue: the Internet is reached via Ethernet0; Ethernet2 (10.0.1.2) and Ethernet3 (10.0.2.2) carry the failover links; Ethernet1 (10.1.1.1) connects the inside servers 10.1.1.10, 10.1.1.11, 10.1.1.20 and 10.1.1.30 (FTP, SMTP and World Wide Web servers)]
fixup protocol h323 ras 1718-1719
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol sip 5060
fixup protocol skinny 2000
names
!The following command defines an object group called host_group_1. This object
!group groups two hosts' IP addresses, 100.1.1.10 and 100.1.1.11. These are called
!network objects. Both these addresses are the statically translated IP addresses
!of the 10.1.1.10 and 10.1.1.11 hosts, which are two of the servers on the inside
!network. The purpose of grouping these two servers' IP addresses is to apply
!similar access rules to them using access lists.
object-group network host_group_1
network-object host 100.1.1.10
network-object host 100.1.1.11
!Similarly, host_group_2 defines another set of two hosts, 100.1.1.20 and
!100.1.1.30, again two servers.
object-group network host_group_2
network-object host 100.1.1.20
network-object host 100.1.1.30
!all_groups defines a third set of group objects. However, this time, instead of
!having individual hosts as group objects, the entire host_group_1 and host_group_2
!are the two group objects. This group is used where there is a need to apply a
!policy to all four servers rather than just two.
object-group network all_groups
group-object host_group_1
group-object host_group_2
!The outbound_services object defines a different type of object group than the
!ones defined above. Instead of defining host IP addresses, this group defines two
!services, tcp port 80 (www) and smtp (25). These two services are grouped so that
!they can be applied together to hosts on the inside networks wanting to access the
!public network.
object-group service outbound_services tcp
port-object eq www
port-object eq smtp
!The three access lists below use the network object groups defined above to apply
!the rules to the entire object groups in one instance rather than multiple
!instances.
access-list grp_2 permit tcp any object-group host_group_2 eq smtp
!The command below turns on the turbo access list feature for the access list
!grp_2.
access-list grp_2 compiled
access-list grp_1 permit tcp any object-group host_group_1 eq ftp
access-list grp_1 compiled
access-list all permit tcp any object-group all_groups eq www
access-list all compiled
!The access list below is used to restrict outbound access from internal hosts.
!All hosts except the servers are allowed only WWW and SMTP access outbound. The
!services object group is used to define the services allowed for these hosts.
access-list outbound_services_acl permit ip host 10.1.1.10 any
access-list outbound_services_acl permit ip host 10.1.1.11 any
access-list outbound_services_acl permit ip host 10.1.1.20 any
access-list outbound_services_acl permit ip host 10.1.1.30 any
access-list outbound_services_acl permit tcp 10.1.1.0 255.255.255.0 any object-group outbound_services
access-list outbound_services_acl compiled
pager lines 24
no logging console debugging
no logging monitor debugging
interface ethernet0 100full
interface ethernet1 100full
interface ethernet3 100full
interface ethernet4 100full
ip address outside 100.1.1.1 255.0.0.0
ip address inside 10.1.1.1 255.255.255.0
ip address failstate 10.0.1.2 255.255.255.0
ip address LANfail 10.0.2.2 255.255.255.0
!The failover IP address commands below are used to define the IP addresses that
!will be used by the primary PIX to talk to the secondary PIX.
failover ip address outside 100.1.1.100
failover ip address inside 10.1.1.100
failover ip address failstate 10.0.1.100
failover ip address LANfail 10.0.2.100
!The first two failover commands are the same as the ones described in the earlier
!failover example. However, please note that four new failover lan commands have
!been introduced. They define the interface over which the LAN failover
!communications occur and set the key used to authenticate and encrypt the
!messages exchanged between the two PIXes.
failover
failover poll 15
failover lan unit primary
failover lan interface LANfail
failover lan key L6nfa1lk4y
failover lan enable
pdm history enable
arp timeout 14400
static (inside,outside) 100.1.1.10 10.1.1.10 netmask 255.255.255.255 0 0
static (inside,outside) 100.1.1.11 10.1.1.11 netmask 255.255.255.255 0 0
static (inside,outside) 100.1.1.20 10.1.1.20 netmask 255.255.255.255 0 0
static (inside,outside) 100.1.1.30 10.1.1.30 netmask 255.255.255.255 0 0
access-group grp_2 in interface outside
access-group outbound_services_acl in interface inside
route outside 0.0.0.0 0.0.0.0 100.1.1.2 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
aaa-server AuthOutbound protocol radius
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
no sysopt route dnat
isakmp identity address
telnet 10.1.1.0 255.255.255.0 inside
telnet timeout 5
ssh 171.69.89.139 255.255.255.255 outside
ssh timeout 30
terminal width 80
Cryptochecksum:76c0494bcaa4aa2563cd11cb922375a4
: end
[OK]
Although the object groups reduce the complexity of the configuration, the show access-list command can still be used to view the ACL configuration in its entirety, with all the object groups expanded into individual elements.
Summary
PIX Firewall has a comprehensive suite of features that allow it to perform basic firewall functions with speed. It also has an array of advanced features that can be used to take care of specific network situations and various types of attacks. This chapter built on the basic discussion of firewalls from the preceding chapter and constructed the framework under which the PIX Firewall works. It is interesting to note that most of the more complicated implementations of the PIX seen in the field are various permutations of the use of some of the advanced features found in the PIX. Because the PIX Firewall forms the basis of any secure Cisco network security architecture, a thorough understanding of the topics in this chapter is crucial to understanding the various other techniques discussed in the other chapters.