Securing Resources - Managing Cisco Network Security pdf

An example of securing resources would arise if Company XYZ has

numerous consultants that need access to a resource on the internal LAN. Previously the consultants have been using a RAS connection to dial in but have complained several times that the link to their work is too slow. To remedy this, administrators have decided to permit terminal access to the server via the Internet. The internal server is a Windows NT 4.0 Terminal Server and the consultants have been provided with the Terminal Server client. For security reasons, administrators have also requested the IP and subnet from which the consultants are going to be connecting.

This configuration example will explain the commands necessary to protect a server with a private IP address that is translated to a global IP address.

To create a translation for an internal IP address to a public IP address, use the staticcommand:

static (internal_if_name, external_if_name) global_ip local_ip netmask

network_mask max_conns em_limit norandomseq

To further explain:

■ _{Internal_if_name}_{is the internal network interface name (the higher}

security level interface you are accessing).

■ _{External_if_name}_{is the external network interface name (the lower}

security level interface you are accessing).

■ _{Global_ip}_{is a global IP address. This address cannot be a Port}

Address Translation IP address.

■ _{Local_ip}_{is the local IP address from the inside network.} ■ _Netmask _{specifies the network mask.}

■ _{Network_mask} _{pertains to both}_{global_ip} _and_{local_ip}_{. For host}

addresses, always use the 255.255.255.255. For networks, use the appropriate class mask or subnet mask.

■ _{Max_cons}_{is the maximum number of connections permitted}

through the static at the same time.

■ _{Em_limit}_{is the embryonic connection limit. An embryonic connec-}

tion is one that has started but not yet completed. Set this limit to prevent attack by a flood of embryonic connections.

■ _Norandomseq_{specifies not to randomize the TCP/IP packet’s}

sequence number. Use this option only if another inline firewall is also randomizing sequence numbers. Using this feature opens a security hole in the PIX.

Once a translation for an internal IP to an external IP has been made, you must specify the type of traffic that will be permitted to access it. To do this, use the access-list command:

access-list acl_name deny | permit protocol src_addr src_mask operator

port dest_addr dest_mask operator port

To further clarify:

■ _{Acl_name}_{is the name of an access list.}

■ _Deny_{does not allow a packet to traverse the PIX. By default PIX}

denies all inbound packets unless explicitly permitted.

■ _Permit_{allows a packet to traverse the PIX.}

■ _Protocol_{is the name or number of an IP protocol. It can be one of}

the keywords icmp, ip, tcp, or udp.

■ _{Src_addr}_{is the address of the network or host from which the}

packet originated. To specify all networks or hosts, use the keyword any, which is equivalent to a source network and mask of 0.0.0.0 0.0.0.0. Use the host keyword to specify a single host.

■ _{Src_mask}_{are netmask bits to be applied to the}_{src_addr}_{, if the}

source address is for a network mask. Do not apply if the source address is a host.

■ _{Dst_addr}_{is the IP address of the network or host to which the}

packet is being sent. Like the src_addr, the keyword anycan be applied for a destination and netmask of 0.0.0.0 0.0.0.0, as well as the hostabbreviation for a single host.

■ _{Dst_mask}_{are netmask bits to be applied to the dst}_{_addr}_{, if the}

destination address is for a network mask. Do not apply if the destination address is a host.

■ _Operator_{is a comparison that lets you specify a port or port range.}

Use without the operator and port to indicate all ports. Use eqand a port to permit or deny access to just that single port. Use ltto permit or deny access to all ports less that the port specified. Use gtand a port to permit or deny access to all ports greater than the port you specify. Use neq and a port to permit or deny access to every port except the ports you specify. Finally, use range and a port range to permit or deny access to only those ports named in the range.

■ _Port_{is a service or services you permit to be used while accessing} src_addror dest_addr. Specify services by port number or use the literal name.

■ _{Icmp_type}_{permits or denies access to ICMP message types.}

pixfirewall>enable

pixfirewall#configure terminal

pixfirewall(config)#static (inside,outside) 207.139.221.10 172.16.0.32 >netmask 255.255.255.255

pixfirewall(config)#access-list acl_consult permit tcp 198.142.65.0 >255.255.255.0 host 207.139.221.10 eq 3389

pixfirewall(config)#access-list acl_consult permit tcp 64.182.95.0 >255.255.255.0 host 307.139.221.10 eq 3389

pixfirewall(config)#access-group acl_consult in interface outside

TIP

TCP port 3389 is the corresponding port for Microsoft Terminal Server client. For a listing of valid TCP and UDP port numbers, refer to www.isi.edu/in-notes/iana/assignments/port-numbers.

The first staticstatement will provide a translation for the inside server with an IP address of 172.16.0.32 to a global IP address of

207.139.221.10.

The access-list statements specify that ACL acl_consult will permit only Microsoft Terminal Server client traffic originating from 198.142.65.0 and 64.182.95.0.

Finally, the access-group statement will apply the acl_consult access control list to the outside interface.

It is also important to note that implementing a security policy does not revolve around configuration of the PIX. In the previous example, a PIX will not assist as a security measure if the information passed from terminal server to terminal server client is not encrypted. If information is passed as clear text, a network monitoring tool could be used to capture packets, which can then be analyzed by other individuals. Once a consultant has connected to the terminal server, how is the authentication handled? What permissions does that account have? Have various Windows NT security flaws been addressed with the latest service packs?

URL, ActiveX, and Java Filtering

To implement URL, ActiveX, and Java filtering, use the filtercommand: filter activex port local_ip mask foreign_ip mask

In this case:

■ _{Activex blocks outbound ActiveX tags from outbound packets.} ■ _Port_{(filter activex}_{only) is the port at which Web traffic is received}

on the PIX firewall.

■ _{Local_ip}_{is the IP address of the highest security level interface}

from which access is sought. You can set this address to 0 to specify all hosts.

■ _Mask_{is the network mask of}_{local_ip}_{. You can use 0 to specify all}

hosts.

■ _{Foreign_ip}_{is the IP address of the lowest security level interface to}

which access is sought. You can use 0 to specify all hosts.

■ _{Foreign_mask}_{is the network mask of}_{foreign_ip}_{. Always specify a}

mask value. You can use 0 to specify all hosts.

filter java port[-port] local_ip mask foreign_ip mask

To further explain:

■ _Java_{blocks Java applets returning to the PIX firewall as a result}

of an outbound connection.

■ _Port[-port]_{(filter java}_{only) is one or more ports on which Java}

applets may be received.

■ _{Local_ip}_{is the IP address of the highest security level interface}

from which access is sought. You can set this address to 0 to specify all hosts.

■ _Mask_{is the network mask of}_{local_ip}_{. You can use 0 to specify all}

hosts.

■ _{Foreign_ip}_{is the IP address of the lowest security level interface to}

■ _{Foreign_mask}_{is the network mask of}_{foreign_ip}_{. Always specify a}

mask value. You can use 0 to specify all hosts.

filter url http|except local_ip local_mask foreign_ip foreign_mask

[allow]

Here we see:

■ _url_{filters URLs from data moving through the PIX firewall.} ■ _{http (filter url}_{only) filters HTTP URLs.}

■ _{except (filter url}_{only) creates an exception to a previous filter}

condition.

■ _{Local_ip}_{is the IP address of the highest security level interface}

from which access is sought. You can set this address to 0 to specify all hosts.

■ _Mask_{is the network mask of}_{local_ip}_{. You can use 0 to specify all}

hosts.

■ _{Foreign_ip}_{is the IP address of the lowest security level interface to}

which access is sought. You can use 0 to specify all hosts.

■ _{Foreign_mask}_{is the network mask of}_{foreign_ip}_{. Always specify a}

mask value. You can use 0 to specify all hosts.

■ _Allow_{(filter url}_{only) lets outbound connections pass through PIX}

firewall without filtering when the server is unavailable. If you omit this option and if the WebSENSE server goes offline, the PIX firewall stops outbound port 80 traffic until the WebSENSE server is back online.

Once filtering has been enabled on the PIX, to successfully filter URLs, you must designate a WebSENSE server with the url-server command. url-server (if_name) host ip_address timeout seconds

To further explain:

■ _{If_name}_{is the network interface where the authentication server}

resides. Default is inside.

■ _Host_{ip_address} _{is the server that runs the WebSENSE URL fil-}

tering application.

■ _Timeout_seconds _{is the maximum idle time permitted before PIX}

pixfirewall>enable

pixfirewall#configure terminal

pixfirewall(config)#filter url http 0 0 0 0 pixfirewall(config)#filter activex 80 0 0 0 0 pixfirewall(config)#filter java 80 0 0 0 0

pixfirewall(config)#url-server (inside) host 172.16.0.38 timeout 5

The filter urlstatement specifies that all http traffic passing through the PIX will be filtered. In addition, the url-serverstatement will specify which server is running WebSENSE to provide the actual filtering.

The filter activex and filter java statements specify that all http traffic will be filtered for ActiveX controls and Java applets.

In document Managing Cisco Network Security pdf (Page 190-195)