CSPFA
Cisco Secure PIX
Firewall Advanced
Student Guide
Version 2.1
The products and specifications, configurations, and other technical information regarding the products in this manual are subject to change without notice. All statements, technical information, and recommendations in this manual are believed to be accurate but are presented without warranty of any kind, express or implied. You must take full responsibility for your application of any products specified in this manual.
LICENSE
PLEASE READ THESE TERMS AND CONDITIONS CAREFULLY BEFORE USING THE MANUAL, DOCUMENTATION, AND/OR SOFTWARE (“MATERIALS”). BY USING THE MATERIALS YOU AGREE TO BE BOUND BY THE TERMS AND CONDITIONS OF THIS LICENSE. IF YOU DO NOT AGREE WITH THE TERMS OF THIS LICENSE, PROMPTLY RETURN THE UNUSED MATERIALS (WITH PROOF OF PAYMENT) TO THE PLACE OF PURCHASE FOR A FULL REFUND.
Cisco Systems, Inc. (“Cisco”) and its suppliers grant to you (“You”) a nonexclusive and nontransferable license to use the Cisco Materials solely for Your own personal use. If the Materials include Cisco software (“Software”), Cisco grants to You a nonexclusive and nontransferable license to use the Software in object code form solely on a single central processing unit owned or leased by You or otherwise embedded in equipment provided by Cisco. You may make one (1) archival copy of the Software provided You affix to such copy all copyright,
confidentiality, and proprietary notices that appear on the original. EXCEPT AS EXPRESSLY AUTHORIZED ABOVE, YOU SHALL NOT: COPY, IN WHOLE OR IN PART, MATERIALS; MODIFY THE SOFTWARE; REVERSE COMPILE OR REVERSE ASSEMBLE ALL OR ANY PORTION OF THE SOFTWARE; OR RENT, LEASE, DISTRIBUTE, SELL, OR CREATE DERIVATIVE WORKS OF THE MATERIALS. You agree that aspects of the licensed Materials, including the specific design and structure of individual programs, constitute trade secrets and/or copyrighted material of Cisco. You agree not to disclose, provide, or otherwise make available such trade secrets or copyrighted material in any form to any third party without the prior written consent of Cisco. You agree to implement reasonable security measures to protect such trade secrets and copyrighted Material. Title to the Materials shall remain solely with Cisco.
This License is effective until terminated. You may terminate this License at any time by destroying all copies of the Materials. This License will terminate immediately without notice from Cisco if You fail to comply with any provision of this License. Upon termination, You must destroy all copies of the Materials.
Software, including technical data, is subject to U.S. export control laws, including the U.S. Export Administration Act and its associated regulations, and may be subject to export or import regulations in other countries. You agree to comply strictly with all such regulations and acknowledge that You have the responsibility to obtain licenses to export, re-export, or import Software.
This License shall be governed by and construed in accordance with the laws of the State of California, United States of America, as if performed wholly within the state and without giving effect to the principles of conflict of law. If any portion hereof is found to be void or unenforceable, the remaining provisions of this License shall remain in full force and effect. This License constitutes the entire License between the parties with respect to the use of the Materials.
Restricted Rights - Cisco’s software is provided to non-DOD agencies with RESTRICTED RIGHTS and its supporting documentation is provided with LIMITED RIGHTS. Use, duplication, or disclosure by the U.S. Government is subject to the restrictions as set forth in subparagraph “C” of the Commercial Computer Software - Restricted Rights clause at FAR 52.227-19. In the event the sale is to a DOD agency, the U.S. Government’s rights in software, supporting documentation, and technical data are governed by the restrictions in the Technical Data Commercial Items clause at DFARS 252.227-7015 and DFARS 227.7202.
DISCLAIMER OF WARRANTY. ALL MATERIALS ARE PROVIDED “AS IS” WITH ALL FAULTS. CISCO AND ITS SUPPLIERS DISCLAIM ALL WARRANTIES, EXPRESSED OR IMPLIED, INCLUDING, WITHOUT LIMITATION, THOSE OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OR ARISING FROM A COURSE OF DEALING, USAGE, OR TRADE PRACTICE.
IN NO EVENT SHALL CISCO OR ITS SUPPLIERS BE LIABLE FOR ANY INDIRECT, SPECIAL, CONSEQUENTIAL, OR INCIDENTAL DAMAGES, INCLUDING, WITHOUT LIMITATION, LOST PROFITS OR LOSS OR DAMAGE TO DATA ARISING OUT OF THE USE OR INABILITY TO USE THIS MANUAL, EVEN IF CISCO OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. In no event shall Cisco’s or its suppliers’ liability to You, whether in contract, tort (including negligence), or otherwise, exceed the price paid by You. The foregoing limitations shall apply even if the above-stated warranty fails of its essential purpose.
The following information is for FCC compliance of Class A devices: This equipment has been tested and found to comply with the limits for a Class A digital device, pursuant to part 15 of the FCC rules. These limits are designed to provide reasonable protection against harmful interference when the equipment is operated in a commercial environment. This equipment generates, uses, and can radiate radio-frequency energy and, if not installed and used in accordance with the instruction manual, may cause harmful interference to radio communications. Operation of this equipment in a residential area is likely to cause harmful interference, in which case users will be required to correct the interference at their own expense.
instructions, it may cause interference with radio and television reception. This equipment has been tested and found to comply with the limits for a Class B digital device in accordance with the specifications in part 15 of the FCC rules. These specifications are designed to provide reasonable protection against such interference in a residential installation. However, there is no guarantee that interference will not occur in a particular installation. You can determine whether your equipment is causing interference by turning it off. If the interference stops, it was probably caused by the Cisco equipment or one of its peripheral devices. If the equipment causes interference to radio or television reception, try to correct the interference by using one or more of the following measures:
• Turn the television or radio antenna until the interference stops.
• Move the equipment to one side or the other of the television or radio.
• Move the equipment farther away from the television or radio.
• Plug the equipment into an outlet that is on a different circuit from the television or radio. (That is, make certain the equipment and the television or radio are on circuits controlled by different circuit breakers or fuses.)
Modifications to this product not authorized by Cisco Systems, Inc. could void the FCC approval and negate your authority to operate the product.
The following third-party software may be included with your product and will be subject to the software license agreement:
CiscoWorks software and documentation are based in part on HP OpenView under license from the Hewlett-Packard Company. HP OpenView is a trademark of the Hewlett-Packard Company. Copyright © 1992, 1993 Hewlett-Packard Company.
The Cisco implementation of TCP header compression is an adaptation of a program developed by the University of California, Berkeley (UCB) as part of UCB’s public domain version of the UNIX operating system. All rights reserved. Copyright © 1981, Regents of the University of California.
Network Time Protocol (NTP). Copyright © 1992, David L. Mills. The University of Delaware makes no representations about the suitability of this software for any purpose.
Point-to-Point Protocol. Copyright © 1989, Carnegie-Mellon University. All rights reserved. The name of the University may not be used to endorse or promote products derived from this software without specific prior written permission.
The Cisco implementation of TN3270 is an adaptation of the TN3270, curses, and termcap programs developed by the University of California, Berkeley (UCB) as part of UCB’s public domain version of the UNIX operating system. All rights reserved. Copyright © 1981-1988, Regents of the University of California.
Cisco incorporates Fastmac and TrueView software and the RingRunner chip in some Token Ring products. Fastmac software is licensed to Cisco by Madge Networks Limited, and the RingRunner chip is licensed to Cisco by Madge NV. Fastmac, RingRunner, and TrueView are trademarks and in some jurisdictions registered trademarks of Madge Networks Limited. Copyright © 1995, Madge Networks Limited. All rights reserved. XRemote is a trademark of Network Computing Devices, Inc. Copyright © 1989, Network Computing Devices, Inc., Mountain View, California. NCD makes no representations about the suitability of this software for any purpose.
The X Window System is a trademark of the X Consortium, Cambridge, Massachusetts. All rights reserved.
Cisco Systems has more than 200 offices in the following countries and regions. Addresses, phone numbers, and fax numbers are listed on the Cisco Web site at www.cisco.com/go/offices.
Argentina Australia Austria Belgium Brazil Bulgaria Canada Chile China PRC Colombia Costa Rica Croatia Czech Republic Denmark Dubai, UAE Finland France Germany Greece Hong Kong SAR Hungary India Indonesia Ireland Israel Italy Japan Korea Luxembourg Malaysia Mexico The Netherlands New Zealand Norway Peru Philippines Poland Portugal Puerto Rico Romania Russia Saudi Arabia Scotland Singapore Slovakia Slovenia South Africa Spain Sweden Switzerland Taiwan Thailand Turkey Ukraine United Kingdom United States Venezuela Vietnam Zimbabwe
Routing, Registrar, StrataView Plus, Stratm, SwitchProbe, TeleRouter, and VCO are registered trademarks of Cisco Systems, Inc. and/or its affiliates in the U.S. and certain other countries.
All other brands, names, or trademarks mentioned in this document or Web site are the property of their respective owners. The use of the word partner does not imply a partnership relationship between Cisco and any other company. (0104R)
Cisco Secure PIX Firewall Advanced, Revision 2.1: Student Guide
Copyright 2002, Cisco Systems, Inc. All rights reserved. Printed in USA.
Table of Contents
COURSE INTRODUCTION 1-1
Overview 1-1
Course Objectives 1-2
Lab Topology 1-7
NETWORK SECURITY AND THE CISCO PIX FIREWALL 2-1
Overview 2-1
Objectives 2-2
Network Security 2-3
Cisco AVVID and SAFE 2-13
Summary 2-26
CISCO PIX FIREWALL MODELS AND FEATURES 3-1
Overview 3-1
Objectives 3-2
Firewalls 3-3
Overview of the PIX Firewall 3-8
Summary 3-22
IDENTIFY THE CISCO PIX FIREWALL 4-1
Overview 4-1
Objectives 4-2
Identify the PIX Firewall 501 Controls and Connectors 4-3
Identify the PIX Firewall 506 Controls and Connectors 4-5
Identify the PIX Firewall 515 Controls and Connectors 4-7
Identify the PIX Firewall 520 Controls and Connectors 4-11
Identify the PIX Firewall 525 Controls and Connectors 4-14
Identify the PIX Firewall 535 Controls and Connectors 4-17
Lab Exercise—Configure the PIX Firewall and Execute General Maintenance Commands Lab 5-1
CISCO PIX FIREWALL TRANSLATIONS 6-1
Overview 6-1
Objectives 6-2
Transport Protocols 6-3
PIX Firewall Translations 6-9
Access Through the PIX Firewall 6-13
Other Ways Through the PIX Firewall 6-19
Summary 6-29
Lab Exercise—Configuring Access Through the PIX Firewall Lab 6-1
CONFIGURING MULTIPLE INTERFACES 7-1
Overview 7-1
Objectives 7-2
Configuring Additional Interfaces 7-3
Summary 7-8
Lab Exercise—Configure Inside Multiple Interfaces Lab 7-1
DYNAMIC HOST CONFIGURATION PROTOCOL SUPPORT 8-1
Overview 8-1
Objectives 8-2
Dynamic Host Configuration Protocol 8-3
The PIX Firewall as a DHCP Server 8-5
The PIX Firewall as a DHCP Client 8-15
Summary 8-19
Lab Exercise—Configure the PIX Firewall’s DHCP Server and Client Features Lab 8-1
CONFIGURING SYSLOG 9-1
Overview 9-1
Objectives 9-2
Syslog Messages 9-3
Summary 9-10
Lab Exercise—Configure Syslog Output to a Syslog Host or Server from the PIX Firewall Lab 9-1
ACCESS CONTROL CONFIGURATION AND CONTENT FILTERING 10-1
Overview 10-1
Objectives 10-2
Access Control Lists 10-3
Converting Conduits to Access Control Lists 10-9
URL Filtering 10-30
Summary 10-33
Lab Exercise—Configure ACLs in the PIX Firewall Lab 10-1
ADVANCED PROTOCOL HANDLING 11-1
Overview 11-1
Objectives 11-2
Advanced Protocols 11-3
Multimedia Support 11-15
Summary 11-25
Lab Exercise—Configure and Test Advanced Protocol Handling on the Cisco PIX Firewall Lab-1
ATTACK GUARDS AND INTRUSION DETECTION 12-1
Overview 12-1
Objectives 12-2
Attack Guards 12-3
Intrusion Detection 12-13
Summary 12-21
Lab Exercise—Configure the PIX Firewall to Use IDS Signatures Lab 12-1
AUTHENTICATION, AUTHORIZATION, AND ACCOUNTING
CONFIGURATION ON THE CISCO PIX FIREWALL 13-1
Overview 13-1
Objectives 13-2
Introduction 13-3
Installation of CSACS for Windows NT 13-8
Authentication Configuration 13-12
Authorization Configuration 13-30
Accounting Configuration 13-37
Troubleshooting the AAA Configuration 13-44
Summary 13-47
Lab Exercise—Configure AAA on the PIX Firewall Using CSACS for Windows NT Lab 13-1
FAILOVER 14-1
Objectives 15-2
The PIX Firewall Enables a Secure VPN 15-3
IPSec Configuration Tasks 15-10
Task 1—Prepare to Configure VPN Support 15-12
Task 2—Configure IKE Parameters 15-19
Task 3—Configure IPSec Parameters 15-23
Task 4—Test and Verify VPN Configuration 15-33
The Cisco VPN Client 3.1 15-35
Scale PIX Firewall VPNs 15-45
Summary 15-47
Lab Exercise—Configure PIX Firewall VPNs Lab 15-1
SYSTEM MAINTENANCE 16-1
Overview 16-1
Objectives 16-2
Password Recovery 16-3
Image Upgrade 16-7
Summary 16-13
Lab Exercise—Upgrade the PIX Firewall Image Lab 16-1
CISCO PIX DEVICE MANAGER 17-1
Overview 17-1
Objectives 17-2
PDM Overview 17-4
PDM Operating Requirements 17-7
Prepare for PDM 17-11
Using PDM 17-15
Other Tools 17-28
Summary 17-31
Lab Exercise—Configuring the PIX Firewall with PDM Lab 17-1
THE CISCO IOS FIREWALL CONTEXT-BASED ACCESS CONTROL
CONFIGURATION 18-1
Overview 18-1
Objectives 18-2
Introduction to the Cisco IOS Firewall 18-3
Context-Based Access Control 18-8
Global Timeouts and Thresholds 18-16
Port-to-Application Mapping 18-25
Define Inspection Rules 18-30
Inspection Rules and ACLs Applied to Router Interfaces 18-39
Test and Verify 18-48
Summary 18-51
CISCO IOS FIREWALL AUTHENTICATION PROXY CONFIGURATION 19-1
Overview 19-1
Objectives 19-2
Introduction to the Cisco IOS Firewall Authentication Proxy 19-3
AAA Server Configuration 19-9
AAA Configuration 19-12
Authentication Proxy Configuration 19-21
Test and Verify the Configuration 19-24
Summary 19-27
Lab Exercise—Configure Authentication Proxy on a Cisco Router Lab 19-1
1
Course Introduction
Overview
This chapter includes the following topics:
■ Course objectives
■ Course agenda
■ Participant responsibilities
■ General administration
■ Graphic symbols
■ Participant introductions
■ Lab topology
Course Objectives
This section introduces the course and the course objectives.
© 2002, Cisco Systems, Inc. www.cisco.com CSPFA 2.1—1-3
Upon completion of this course, you will be able to perform the following tasks:
• Identify PIX Firewall features, models, components, and benefits.
• Describe PIX Firewall installation procedures.
• Upgrade software images.
• Configure inbound and outbound access through the PIX Firewall.
• Configure multiple interfaces on the PIX Firewall.
• Configure the PIX Firewall as a DHCP server.
• Configure the PIX Firewall as a DHCP client.
• Configure the PIX Firewall to send messages to a Syslog server.
• Perform password recovery.
Course Objectives (cont.)
• Configure special protocol handling on the PIX Firewall.
• Configure attack guards and SSH.
• Configure AAA on the PIX Firewall.
• Configure and test failover using the PIX Firewall.
• Configure the IDS feature set.
• Configure a site-to-site VPN using the PIX Firewall.
• Configure a VPN Client-to-PIX Firewall VPN.
• Test and verify PIX Firewall operations.
• Install the PIX Device Manager and use it to configure the PIX Firewall.
• Configure Cisco IOS Firewall CBAC.
• Configure an authentication proxy with Cisco IOS software.
Course Agenda
• Chapter 1—Course Introduction
• Chapter 2—Network Security and the Cisco PIX Firewall
• Chapter 3—Cisco PIX Firewall Technology
• Chapter 4—Identifying the Cisco PIX Firewall
• Chapter 5—Basic Configuration of the PIX Firewall
• Chapter 6—PIX Firewall Translations
• Chapter 7—Configuring Multiple Interfaces
• Chapter 8—Dynamic Host Configuration Protocol Support
Course Agenda (cont.)
• Chapter 11—Advanced Protocol Handling
• Chapter 12—Attack Guards and Intrusion Detection
• Chapter 13—Authentication, Authorization, and Accounting Configuration on the Cisco Secure PIX Firewall
• Chapter 14—Failover
• Chapter 15—VPN Configuration
• Chapter 16—System Maintenance
• Chapter 17—PIX Device Manager
• Chapter 18—Cisco IOS Firewall Context-Based Access Control Configuration
• Chapter 19—Cisco IOS Firewall Authentication Proxy Configuration
Participant Responsibilities
• Complete prerequisites
• Participate in lab exercises
• Ask questions
• Provide feedback
General Administration
Class-related
• Sign-in sheet
• Length and times
• Break and lunch room locations
• Attire
Facilities-related
• Participant materials
• Site emergency procedures
• Restrooms
• Telephones/faxes
Graphic Symbols
Figure: graphic symbols used in this course (images not reproduced). Symbols shown: Ethernet link; Router; PIX Firewall; Internet; PC, workstation, or server; NT server (web, FTP, TFTP, Syslog server); Cisco IOS Firewall.
Participant Introductions
• Your name
• Your company
• Pre-req skills
• Brief history
• Objective
Lab Topology
This section explains the lab topology that is used in this course.
PIX Lab Visual Objective
Figure: PIX lab topology (diagram not reproduced). Labels recoverable from the diagram: two pods (Pod 1 and Pod 2), each with a PIX Firewall whose e0 Outside interface is .2 on 192.168.P.0/24, e1 Inside interface is .1 on 10.0.P.0/24, and e2 DMZ interface is .1 on 172.16.P.0/24; a perimeter router (R1 for Pod 1, R2 for Pod 2) with interfaces e0/0 and e0/1, a 172.30.P.0/24 network, and the Internet; a web server at 10.0.P.3 on the inside network; an NT server/Websense server at .2 on the DMZ; and an NT server (FTP, web) at 172.26.26.50.
Failover Visual Objective
Figure: failover lab topology (diagram not reproduced). Labels recoverable from the diagram: a Primary PIX Firewall and a Secondary PIX Firewall joined by a failover cable; networks 192.168.P.0/24 (e0, toward the Internet), 10.0.P.0/24 (e1), and 172.16.P.0/24 (e2, DMZ); one PIX Firewall labelled e0 .2, e1 .1, and e2 .1, the other labelled .7 on e0, e1, and e2; and a backbone server (web, FTP, and TFTP server) at 172.30.1.50/24.
Each pair of students will be assigned a pod. The P in a command indicates your pod number. The Q in a command indicates the pod number of your peer.
2
Network Security and the Cisco PIX Firewall
Overview
This chapter includes the following topics:
■ Objectives
■ Network security
■ Cisco AVVID and SAFE
■ Summary
Objectives
This section lists the chapter’s objectives.
Upon completion of this chapter, you will be able to perform the following tasks:
• State the reasons for securing computer networks.
• Define computer hacking and describe the four primary threats associated with that activity.
• Define the four primary types of threats against network security.
• Describe the three primary methods of attack against today’s computer networks.
• Describe the purpose of the Security Wheel.
• Describe the Cisco AVVID architecture.
Network Security
This section explains what network security is and why you need it.
Network Security Is Essential
Network security is essential because the Internet has made networked computers accessible and vulnerable.
Network security is essential because the Internet is a network of interconnected networks without a boundary. Because of this fact, the organizational network becomes accessible and vulnerable from any computer in the world. As companies become Internet businesses, new threats arise from persons who no longer require physical access to a company’s computer assets.
In a recent survey conducted by the Computer Security Institute (CSI), 70 percent of the organizations polled stated that their network security defenses had been breached and that 60 percent of the incidents came from within the organizations themselves.
Network Security Threats
There are four primary threats to network security:
■ Unstructured threats
■ Structured threats
■ External threats
■ Internal threats
Unstructured threats consist of mostly inexperienced individuals using easily available hacking tools from the Internet. Some of the people in this category are motivated by malicious intent, but most are motivated by the intellectual challenge and are commonly known as script kiddies. They are not the most talented or experienced hackers, but they have the motivation, which is all that matters.
Structured threats consist of hackers who are more highly motivated and technically competent. They usually understand network system designs and vulnerabilities, and they can understand as well as create hacking scripts to penetrate those network systems.
External threats are individuals or organizations working outside your company who do not have authorized access to your computer systems or network. They work their way into a network mainly from the Internet or dialup access servers.
Internal threats occur when someone has authorized access to the network with either an account on a server or physical access to the wire. They are typically disgruntled former or current employees or contractors.
Three Primary Network Attacks
There are three types of network attacks:
■ Reconnaissance attacks—An intruder attempts to discover and map systems, services, and vulnerabilities.
■ Access attacks—An intruder attacks networks or systems to retrieve data, gain access, or escalate access privileges.
■ Denial of service (DoS) attacks—An intruder attacks your network in a way that damages or corrupts your computer system, or denies you and others access to your networks, systems, or services.
Reconnaissance Attacks
Reconnaissance is the unauthorized discovery and mapping of systems, services, or vulnerabilities. It is also known as information gathering and, in most cases, precedes an actual access or DoS attack. The malicious intruder typically ping sweeps the target network first to determine what IP addresses are alive. After this is accomplished, the intruder determines what services or ports are active on the live IP addresses. From this information, the intruder queries the ports to determine the application type and version as well as the type and version of the operating system running on the target host.
Access Attacks
Access is an all-encompassing term that refers to unauthorized data manipulation, system access, or privileged escalation. Unauthorized data retrieval is simply reading, writing, copying, or moving files that are not intended to be accessible to the intruder. Sometimes this is as easy as finding share folders in Windows 9x or NT, or NFS exported directories in UNIX systems with read or read and write access to everyone. The intruder will have no problems getting to the files and, more often than not, the easily accessible information is highly confidential and completely unprotected to prying eyes, especially if the attacker is already an internal user.
System access is the ability of an intruder to gain access to a machine to which the intruder is not allowed access (for example, the intruder does not have an account or password). Entering or accessing systems to which one does not have access usually involves running a hack, script, or tool that exploits a known vulnerability of the system or application being attacked.
Another form of access attacks involves privileged escalation. This is done by legitimate users with a lower level of access privileges, or intruders who have gained lower privileged access. The intent is to get information or execute procedures that are not authorized at their current level of access. In many cases this involves gaining root access in a UNIX system to install a sniffer to record network traffic, such as usernames and passwords which can be used to access another target.
In some cases, intruders only want to gain access without wanting to steal information—especially when the motive is intellectual challenge, curiosity, or ignorance.
DoS Attacks
DoS is when an attacker disables or corrupts networks, systems, or services with the intent to deny the service to intended users. It usually involves either crashing the system or slowing it down to the point that it is unusable. But DoS can also be as simple as wiping out or corrupting information necessary for business. In most cases, performing the attack simply involves running a hack, script, or tool. The attacker does not need prior access to the target because all that is usually required is a way to get to it. For these reasons and because of the great damaging potential, DoS attacks are the most feared—especially by e-commerce web site operators.
Network Security as a Continuous Process
Network security is a continuous process built around a security policy:
• Step 1: Secure
• Step 2: Monitor
• Step 3: Test
• Step 4: Improve
Network security should be a continuous process built around a security policy. A continuous security policy is most effective because it promotes retesting and reapplying updated security measures on a continuous basis. This continuous security process is represented by the Security Wheel.
To begin this continuous process known as the Security Wheel, you need to create a security policy that enables the application of security measures. A security policy needs to accomplish the following tasks:
■ Identify the organization’s security objectives.
■ Document the resources to be protected.
■ Identify the network infrastructure with current maps and inventories.
To create or implement an effective security policy, you need to determine what it is you want to protect and in what manner you are going to protect it. You should know and understand your network’s weak points and how they can be exploited. You should also understand how your system normally functions so that you know what to expect and are familiar with how the devices are normally used. Finally, consider the physical security of your network and how to protect it. Physical access to a computer, router, or firewall can give a user total control over that device.
Monitoring the network with a real-time intrusion detection system, such as the Cisco Secure Intrusion Detection System, can ensure that the security devices in Step 1 have been configured properly.
Step 3 Test the effectiveness of the security safeguards in place. Use the Cisco Secure Scanner to identify the security posture of the network with respect to the security procedures that form the hub of the Security Wheel.
Step 4 Improve corporate security. Collect and analyze information from the monitoring and testing phases to make security improvements.
All four steps—secure, monitor, test, and improve—should be repeated on a continuous basis and should be incorporated into updated versions of the corporate security policy.
Secure the Network
Implement security solutions to stop or prevent unauthorized access or activities, and to protect information:
• Authentication
• Encryption
• Firewalls
• Vulnerability patching
Secure the network by applying the security policy and implementing the following security solutions:
■ Authentication—Gives access to authorized users only (for example, using one-time passwords).
■ Encryption—Hides traffic contents to prevent unwanted disclosure to unauthorized or malicious individuals.
■ Firewalls—Filter network traffic to allow only valid traffic and services.
■ Vulnerability patching—Applies fixes or measures to stop the exploitation of known vulnerabilities. This includes turning off services that are not needed on every system; the fewer services that are enabled, the harder it is for hackers to gain access.
Note Also remember to implement physical security solutions to prevent unauthorized
Monitor Security
• Detects violations to the security policy
• Involves system auditing and real-time intrusion detection
• Validates the security implementation in Step 1
Monitor the network for violations and attacks against the corporate security policy. These attacks can occur within the secured perimeter of the network— from a disgruntled employee or contractor—or from a source outside your trusted network. Monitoring the network should be done with a real-time intrusion detection device such as the Cisco Secure Intrusion Detection System (CSIDS). This assists you in discovering unauthorized entries, and also serves as a check-and-balance system for ensuring that devices implemented in Step 1 of the Security Wheel have been configured and are working properly.
Test Security
Validates effectiveness of the security policy through system auditing and vulnerability scanning.
Validation is a must. You can have the most sophisticated network security system, but if it is not working, your network can be compromised. This is why you need to test the devices you implemented in Steps 1 and 2 to make sure they are functioning properly. The Cisco Secure Scanner is designed to validate your network security.
Improve Security
• Use information from the monitor and test phases to make improvements to the security implementation.
• Adjust the security policy as security vulnerabilities and risks are identified.
The improvement phase of the Security Wheel involves analyzing the data collected during the monitoring and testing phases, and developing and implementing improvement mechanisms that feed into your security policy and the securing phase in Step 1. If you want to keep your network as secure as possible, you must keep repeating the cycle of the Security Wheel, because new network vulnerabilities and risks are created every day.
Cisco AVVID and SAFE
This section discusses Cisco Architecture for Voice, Video, and Integrated Data (AVVID) and SAFE.
Cisco AVVID Architecture
Figure: Cisco AVVID architecture (diagram not reproduced). Layers and elements labelled in the diagram: Internet business solutions (E-Learning, Supply Chain, Customer Care, Internet Commerce, Workforce Optimization); Internet Business Integrators; Internet Middleware Layer (Messaging, Contact Center, Voice Call Processing, Collaboration, Video on Demand, Personal Productivity, Policy Management, Content Distribution, Address Management, Security, SLA Management, Multimedia); Intelligent Network Services (Multicast, Load Balancing, Caching, DNS Services, Management, Accounting, Real Time Services, QoS, Security); Intelligent Network Classification; Network Platforms; Clients.
Cisco AVVID can be viewed as a framework to describe a network optimized for the support of Internet business solutions and as a best practice or roadmap for network implementation. This section discusses the various layers of the Cisco AVVID framework. The following are the different parts of the Cisco AVVID architecture:
■ Clients—The wide variety of devices that can be used to access the Internet business solutions through the network. These might include phones, PCs, PDAs, and so on. One key difference from traditional proprietary architectures is that the Cisco AVVID standards-based solution enables a wide variety of devices to be connected, even some not yet in broad use. Unlike traditional telephony and video solutions, proprietary access devices are not necessary. Instead, functionality is added through the intelligent network services provided in the infrastructure.
■ Intelligent Network Services—The intelligent network services, provided through software that operates on network platforms, are a major benefit of an end-to-end architecture for deploying Internet business solutions. From quality of service (QoS) (prioritization) through security, accounting, and management, intelligent network services reflect the enterprise’s business rules and policies in network performance. A consistent set of the services end-to-end through the network is vital if the infrastructure is to be relied upon as a network utility. These consistent services enable new Internet business applications and e-business initiatives to roll out very quickly without a major re-engineering of the network each time. By contrast, networks built on best-of-breed strategies may promise higher performance in a specific device, but cannot be counted on to deliver these sophisticated features end-to-end in a multivendor environment. Cisco AVVID supports standards to provide for migration and the incorporation of Internet business integrators, but the added intelligent network services offered by an end-to-end Cisco AVVID solution go far beyond what can be achieved in a best-of-breed environment.
■ Internet middleware layer—The next section, including service control and communication services, is a key part of any networking architecture, providing the software and tools to break down the barriers of complexity arising from new technology. These combined layers provide the tools for integrators and customers to tailor their network infrastructure and customize intelligent network services to meet application needs. These layers manage access, call setup and teardown, perimeter security, prioritization and bandwidth allocation, and user privileges. Software such as distributed customer contact suites, messaging solutions, and multimedia and collaboration tools provides capabilities and a communication foundation that enable interaction between users and a variety of application platforms. In a best-of-breed strategy, many of these capabilities must be individually configured or managed. In traditional proprietary schemes, vendors dictated these layers, limiting innovation and responsiveness.
Rapid deployment of Internet business solutions depends on consistent service control and communication services capabilities throughout the network. These capabilities are often delivered by Cisco from servers distributed throughout the network. The service control and communication services layers are the glue that joins the Internet technology layers of the Cisco AVVID framework with the Internet business solutions, in effect tuning the network infrastructure and intelligent network services to the needs of the Internet business solutions. In turn, the Internet business solutions are adapted for the best performance and availability on the network infrastructure by exploiting the end-to-end services available through the Cisco AVVID framework.
■ Internet business integrators—As part of the open ecosystem, it is imperative to enable partners with Cisco AVVID. Cisco realizes the crucial requirement to team with integrators, strategic partners, and customers to deliver complete Internet business solutions. Cisco AVVID offers a guide for these interactions by describing a consistent set of services and capabilities that form a basis for many types of partner relationships.
■ Internet business solutions—Enterprise customers are deploying Internet business solutions that are enabled, accelerated, and delivered through Cisco AVVID. The ability for companies to move their traditional business models to Internet business models and to deploy Internet business solutions is key to their survival. Cisco AVVID is the architecture upon which e-businesses build Internet business solutions that can be easily deployed and managed. Ultimately, the more Internet business solutions that are delivered, the more efficiently and effectively companies will increase productivity and added value.
Cisco AVVID Overview
• Cisco AVVID is the one enterprise architecture that provides the intelligent network infrastructure for today’s Internet business solutions.
• As the industry’s only enterprise-wide, standards-based network architecture, Cisco AVVID provides the roadmap for combining Cisco customers’ business and technology strategies into one cohesive model.
The Internet is creating tremendous business opportunities for Cisco and Cisco customers. Internet business solutions such as e-commerce, supply chain management, e-learning, and customer care are dramatically increasing productivity and efficiency.
Cisco AVVID is the one enterprise architecture that provides the intelligent network infrastructure for today’s Internet business solutions. As the industry’s only enterprise-wide, standards-based network architecture, Cisco AVVID provides the roadmap for combining customers’ business and technology strategies into one cohesive model.
Cisco AVVID Benefits
• Integration—By leveraging the Cisco AVVID architecture and applying the network intelligence inherent in IP, companies can develop comprehensive tools to improve productivity.
• Intelligence—Traffic prioritization and intelligent networking services maximize network efficiency for optimized application performance.
• Innovation—Customers have the ability to adapt quickly in a changing business environment.
• Interoperability—Standards-based APIs enable open integration with third-party developers, providing customers with choice and flexibility.
With Cisco AVVID, customers have a comprehensive roadmap for enabling Internet business solutions and creating a competitive advantage. There are four Cisco AVVID benefits:
■ Integration—By leveraging the Cisco AVVID architecture and applying the network intelligence inherent in IP, companies can develop comprehensive tools to improve productivity.
■ Intelligence—Traffic prioritization and intelligent networking services maximize network efficiency for optimized application performance.
■ Innovation—Customers have the ability to adapt quickly in a changing business environment.
■ Interoperability—Standards-based application programming interfaces (APIs) enable open integration with third-party developers, providing customers with choice and flexibility.
Combining the network infrastructure and services with new-world applications, Cisco AVVID accelerates the integration of technology strategy with business vision.
SAFE Blueprint Overview
• Building on Cisco AVVID, the SAFE framework provides a secure migration path for companies to implement converged voice, video, and data networks.
• SAFE is a flexible framework that empowers companies to securely, reliably, and cost-effectively take advantage of the Internet economy.
• SAFE integrates scalable, high-performance security services throughout the e-business infrastructure.
• SAFE is enhanced by a rich ecosystem of products, partners, and services that enable companies to implement secure e-business infrastructures today.
SAFE is a flexible, dynamic security blueprint for networks, which is based on Cisco AVVID. SAFE enables businesses to securely and successfully take advantage of e-business economies and compete in the Internet economy. As the leader in networking for the Internet, Cisco is ideally positioned to help companies secure their networks. The SAFE blueprint, in conjunction with an ecosystem of best-of-breed, complementary products, partners, and services, ensures that businesses can deploy robust, secure networks in the Internet age.
SAFE Benefits
• Provides a proven, detailed blueprint to securely compete in the Internet economy
• Provides the foundation for migrating to secure, cost-effective, converged networks
• Enables organizations to stay within their budgets by deploying a modular, scalable security framework in stages
• Delivers protection at every access point to the network through best-in-class security products and services
There are several major benefits in implementing the SAFE blueprint for secure e-business:
■ Provides the foundation for migrating to secure, affordable, converged networks
■ Enables companies to cost-effectively deploy a modular, scalable security framework in stages
■ Delivers integrated network protection via high-level security products and
SAFE Modular Blueprint
[Figure: SAFE modular blueprint. Enterprise campus: Building, Building distribution, Core, Edge distribution, Management, and Server modules. Enterprise edge: E-commerce, Corporate Internet, VPN and remote access, and WAN modules. Service provider edge: ISP A, ISP B, PSTN, Frame or ATM.]
The SAFE Blueprint provides a robust security blueprint that builds on Cisco AVVID. SAFE layers are incorporated throughout the Cisco AVVID infrastructure:
■ Infrastructure layer—Intelligent, scalable security services in Cisco platforms, such as routers, switches, firewalls, intrusion detection systems, and other devices
■ Appliances layer—Incorporation of key security functionality in mobile hand-held devices and remote PC clients
■ Service control layer—Critical security protocols and APIs that enable security solutions to work together cohesively
■ Applications layer—Host- and application-based security elements that ensure the integrity of critical e-business applications
To facilitate rapidly deployable, consistent security throughout the enterprise, SAFE consists of modules that address the distinct requirements of each network area. By adopting a SAFE blueprint, security managers do not need to redesign the entire security architecture each time a new service is added to the network. With modular templates, it is easier and more cost-effective to secure each new service as it is needed and to integrate it with the overall security architecture. One of the unique characteristics of the SAFE blueprint is that it is the first industry blueprint that recommends exactly which security solutions should be included in which sections of the network, and why they should be deployed. Each module in the SAFE blueprint is designed specifically to provide maximum performance for e-business, while at the same time enabling enterprises to maintain security and integrity.
SAFE Blueprint and Ecosystem
[Figure: SAFE Blueprint and Ecosystem. Solutions: secure e-commerce, secure supply chain management, secure intranet for workforce optimization. Ecosystem: Cisco programs and services, Security Associate solutions, integration partners. Cisco AVVID system architecture layers: Applications, Directory, Operations, Service control, Infrastructure, Appliances or clients.]
Cisco has opened its Cisco AVVID architecture and SAFE blueprint to key third-party vendors to create a security solutions ecosystem to spur development of best-in-class multiservice applications and products. The Cisco AVVID architecture and SAFE blueprint provide interoperability for third-party hardware and software using standards-based media interfaces, APIs, and protocols. This ecosystem is offered through the Security and Virtual Private Network (VPN) Associate Program, an interoperability solutions program that provides Cisco customers with tested and certified, complementary products for securing their businesses. The ecosystem enables businesses to design and roll out secure networks that best fit their business model and enable maximum agility.
Cisco AVVID Partner Program Security and VPN Products
[Figure: Security and VPN product categories. Identity: strong authentication, PKI. Application Security: host and server protection. Security Management and Monitoring: event logging, reporting, and analysis. Secure Connectivity: wired and wireless VPNs. Perimeter Security: content filtering, personal firewall. All categories: interoperability and co-existence with Cisco Security and VPN Products.]
The Security and VPN Solutions Set within the Cisco AVVID Partner Program is an interoperability solutions program developed to deliver comprehensive security and VPN solutions for Cisco networks to Cisco customers.
This program is a key component of the SAFE strategy in that it provides a rich ecosystem of products, partners, and services that empowers companies to securely, reliably, and cost-effectively take advantage of the Internet Economy. The program provides the assurance that security solutions making up Partner products have been tested and verified to be interoperable with Cisco security products, and add distinct value to Cisco networks. The goal is to enable Cisco customers to securely take advantage of the expanding e-business marketplace. The security and VPN solutions created through this interoperability program are focused on critical business applications such as e-commerce, secure remote access, intranets, extranets, and supply-chain integration and management. As a result, the solutions categories currently targeted in the program include those that customers continue to request and deploy in their networks:
■ Identity solutions—Include authentication, authorization, and Public Key Infrastructure (PKI) solutions such as smart cards, hard and soft tokens, authentication servers, and Certificate Authority (CA) servers
■ Application security solutions—Include products such as server and host protection applications
■ Perimeter security solutions—Include products such as URL filtering applications, e-mail, and virus scanning applications
■ Security management and monitoring solutions—Include products that support Syslog reporting, event analysis, reporting, and secure remote administration
Cisco AVVID Partner Program Security and VPN Services
[Figure: Security service categories compatible with Cisco security solutions: Policy and Procedure; Outsource Monitoring and Management; Application and Code Review; Incident Response.]
The security services offered through the AVVID Partner Program are focused on specific areas of security services available in the industry. As a result, the services categories currently targeted include those that customers continue to request and deploy in their organizations:
■ Application and code review—Examines and analyzes security structure and vulnerabilities of hardware and software systems
■ Outsourced monitoring and management—Provides third-party management, monitoring of security infrastructure with incident notification, or both
■ Policy and procedures—Provides assistance with reviewing and building robust and effective security policies and practices
■ Incident response—Responds to and mitigates attacks on systems and
Cisco AVVID Partner Program Security and VPN Services (cont.)
[Figure: Further security service categories compatible with Cisco security solutions: Vulnerability Assessment; Design and Implementation; Competitive Counter-Intelligence; Business Impact and Risk Assessment.]
■ Business impact and risk assessment—Correlates the security state of the network to impact on broad business processes
■ Vulnerability assessment—Provides proactive audit and analysis of the current security state of a system or network
■ Competitive counter-intelligence—Assesses the vulnerability to compromise from knowledge-based attacks
■ Design and implementation—Provides assistance with the architecture,
CCO Links
• www.cisco.com/go/avvid
• www.cisco.com/go/safe
• www.cisco.com/go/avvidpartners
• www.cisco.com/warp/public/779/largeent/partner/esap/secvpn.html
Summary
This section summarizes the information you learned in this chapter.
Summary
• Network security is essential because networked computers are accessible and vulnerable from any computer in the world.
• There are four primary threats to network security: unstructured, structured, external, and internal threats.
• There are three types of network attacks: reconnaissance, access, and denial of service attacks.
• The Security Wheel is the graphical representation of security as a continuous process.
• Cisco AVVID is a standards-based enterprise architecture that accelerates the integration of business and technology strategies.
• Cisco SAFE, which is based on Cisco AVVID, is a flexible, dynamic security blueprint for networks.
3
Cisco PIX Firewall Models and Features
Overview
This chapter includes the following topics:
■ Objectives
■ Firewalls
■ Overview of the PIX Firewall
■ Summary
Objectives
This section lists the chapter’s objectives.
Objectives
Upon completion of this chapter, you will be able to perform the following tasks:
• Describe firewall technologies and define the three types of firewalls used to secure today’s computer networks.
• Describe the PIX Firewall.
• Identify the PIX Firewall models.
Firewalls
This section provides an explanation of a firewall.
What Is a Firewall?
A firewall is a system or group of systems that manages access between two networks.
By conventional definition, a firewall is a partition made of fireproof material designed to prevent the spread of fire from one part of a building to another. It can also be used to isolate one compartment from another.
When applying the term firewall to a computer network, a firewall is a system or group of systems that enforces an access control policy between two or more networks.
Firewall Technologies
Firewall operations are based on one of three technologies:
• Packet filtering
• Proxy server
• Stateful packet filtering
Firewall operations are based on one of three technologies:
■ Packet filtering—Limits information into a network based on static packet header information.
■ Proxy server—Requests connections between a client on the inside of the firewall and the Internet.
■ Stateful packet filtering—Combines the best of packet filtering and proxy
Packet Filtering
Limits information into a network based on destination and source address
A firewall can use packet filtering to limit information entering a network, or information moving from one segment of a network to another. Packet filtering uses access control lists (ACLs), which allow a firewall to accept or deny access based on packet types and other variables.
This method is effective when a protected network receives a packet from an unprotected network. Any packet that is sent to the protected network and does not fit the criteria defined by the ACLs is dropped.
But there are problems with packet filtering:
■ Arbitrary packets can be sent that fit the ACL criteria and, therefore, pass through the filter.
■ Packets can pass through the filter by being fragmented.
■ Complex ACLs are difficult to implement and maintain correctly.
■ Some services cannot be filtered.
Proxy Server
Requests connections between a client on the inside of the firewall and the Internet
A proxy server is a firewall device that examines packets at higher layers of the Open Systems Interconnection (OSI) model. This device hides valuable data by requiring users to communicate with a secure system by means of a proxy. Users gain access to the network by going through a process that establishes session state, user authentication, and authorized policy. This means that users connect to outside services via application programs (proxies) running on the gateway connecting to the outside unprotected zone.
However, there are problems with the proxy server because it:
■ Creates a single point of failure, which means that if the entrance to the network is compromised, then the entire network is compromised.
■ Makes it difficult to add new services to the firewall.
■ Performs slower under stress.
Stateful Packet Filtering
Limits information into a network based not only on destination and source address, but also on packet data content
Stateful packet filtering is the method used by the Cisco PIX Firewall. This technology maintains complete session state. Each time a TCP/UDP connection is established for inbound or outbound connections, the information is logged in a stateful session flow table.
The stateful session flow table contains the source and destination addresses, port numbers, TCP sequencing information, and additional flags for each TCP/UDP connection associated with that particular session. This information creates a connection object and, consequently, all inbound and outbound packets are compared against session flows in the stateful session flow table. Data is permitted through the firewall only if an appropriate connection exists to validate its passage.
This method is effective because:
■ It works on packets and connections.
■ It operates at a higher performance level than packet filtering or using a proxy server.
■ It records data in a table for every connection or connectionless transaction. This table serves as a reference point to determine if packets belong to an existing connection or are from an unauthorized source.
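The following is an added example, not code from the CSPFA guide or from Cisco, that models both the packet-filtering problems listed in the Packet Filtering section and the session flow table described here. It runs the same constructed packets through a stateless ACL filter and through a stateful filter. The ACL model is deliberately simplified (exact-address matches with no wildcard masks, a classic `established` keyword that only checks the ACK flag, and the traditional rule that a non-initial fragment, having no transport header, is judged on the layer-3 part of a rule); the stateful model records a flow only when an inside host opens it and admits replies by looking up the reversed key. All addresses are constructed documentation addresses, and the class and function names are the example's own.

```python
# Added example (not from the CSPFA guide or Cisco): a toy model of the two
# filtering approaches the text contrasts. The same constructed packets are
# run through a stateless ACL filter and through a stateful session-flow table.
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str            # "tcp" or "udp"
    sport: int
    dport: int
    flags: str = ""       # TCP flags as letters, e.g. "S", "SA", "A"
    frag_offset: int = 0  # > 0 means a non-initial fragment (no transport header)

@dataclass(frozen=True)
class AclRule:
    action: str                  # "permit" or "deny"
    src: str                     # "any" or one address (simplified: no wildcard masks)
    dst: str
    proto: str                   # "any", "tcp" or "udp"
    dport: Optional[int] = None  # None matches any destination port
    established: bool = False    # classic "established": match only if ACK is set

def _addr_match(pattern: str, addr: str) -> bool:
    return pattern == "any" or pattern == addr

def acl_rule_matches(rule: AclRule, pkt: Packet) -> bool:
    if not (_addr_match(rule.src, pkt.src) and _addr_match(rule.dst, pkt.dst)):
        return False
    if rule.proto != "any" and rule.proto != pkt.proto:
        return False
    # A non-initial fragment carries no port or flag fields, so a classic
    # stateless filter lets the layer-3 part of the rule decide (the fragment weakness).
    if pkt.frag_offset > 0:
        return True
    if rule.dport is not None and rule.dport != pkt.dport:
        return False
    if rule.established and "A" not in pkt.flags:
        return False
    return True

def acl_permits(rules: List[AclRule], pkt: Packet) -> bool:
    """First matching rule decides; an ACL ends with an implicit deny."""
    for rule in rules:
        if acl_rule_matches(rule, pkt):
            return rule.action == "permit"
    return False

FlowKey = Tuple[str, str, str, int, int]

class StatefulFilter:
    """Session flow table keyed by (proto, src, dst, sport, dport)."""

    def __init__(self, inside_hosts: Set[str]) -> None:
        self.inside = inside_hosts
        self.table: Dict[FlowKey, str] = {}

    @staticmethod
    def _key(p: Packet) -> FlowKey:
        return (p.proto, p.src, p.dst, p.sport, p.dport)

    @staticmethod
    def _reply_key(p: Packet) -> FlowKey:
        return (p.proto, p.dst, p.src, p.dport, p.sport)

    def process(self, pkt: Packet) -> bool:
        if pkt.frag_offset > 0:
            return False  # cannot be tied to a flow without a transport header
        if self._key(pkt) in self.table or self._reply_key(pkt) in self.table:
            return True   # belongs to an existing session, in either direction
        if pkt.src in self.inside:
            if pkt.proto == "tcp" and pkt.flags != "S":
                return False  # only a SYN may open a new TCP flow
            self.table[self._key(pkt)] = "open"  # record the outbound session
            return True
        return False  # inbound packet with no matching session is dropped

def demo() -> Dict[str, bool]:
    """Run constructed packets through both filters and report each verdict."""
    inside_host = "10.1.1.10"  # constructed addresses throughout
    acl = [
        AclRule("permit", "any", inside_host, "tcp", dport=80),
        AclRule("permit", "any", "any", "tcp", established=True),
    ]
    stateful = StatefulFilter({inside_host})
    spoofed_ack = Packet("203.0.113.9", inside_host, "tcp", 4444, 23, flags="A")
    fragment = Packet("203.0.113.9", inside_host, "tcp", 4444, 23, frag_offset=1)
    syn_out = Packet(inside_host, "198.51.100.5", "tcp", 40000, 80, flags="S")
    syn_ack_in = Packet("198.51.100.5", inside_host, "tcp", 80, 40000, flags="SA")
    return {
        "acl_spoofed_ack": acl_permits(acl, spoofed_ack),       # unsolicited ACK fits rule 2
        "acl_fragment": acl_permits(acl, fragment),             # fragment fits rule 1 at layer 3
        "stateful_spoofed_ack": stateful.process(spoofed_ack),  # no session: dropped
        "stateful_fragment": stateful.process(fragment),        # dropped
        "stateful_syn_out": stateful.process(syn_out),          # flow recorded
        "stateful_reply_in": stateful.process(syn_ack_in),      # matches recorded flow
    }
```

Calling `demo()` shows the contrast the text draws: the stateless ACL permits both the unsolicited ACK-flagged packet (it "fits the ACL criteria") and the non-initial fragment, while the stateful filter drops both because no entry in the flow table validates them, yet still admits the server's reply to the connection the inside host opened. A real PIX tracks more per flow (TCP sequence numbers and flags, per the text) and reassembles fragments, which this toy model omits.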
Overview of the PIX Firewall
This section discusses the basic concepts of the PIX Firewall.
PIX Firewall—What Is it?
Stateful firewall with high security and fast performance
• Secure, real-time, embedded operating system—no UNIX or NT security holes
• Adaptive security algorithm provides stateful security
• Cut-through proxy eliminates application-layer bottlenecks
• AMD SC520 (501), Pentium MMX (506), Pentium Pro (515), Pentium II (520), or Pentium III (525 and 535) processor-based system
The Private Internet Exchange (PIX) Firewall is a key element in the overall Cisco end-to-end security solution. The PIX Firewall is a dedicated hardware and software security solution that delivers high-level security without impacting network performance. It is a hybrid system because it uses features from both the packet filtering and proxy server technologies.
Unlike typical CPU-intensive, full-time proxy servers that perform extensive processing on each data packet at the application level, the PIX Firewall uses a proprietary operating system that is a secure, real-time, embedded system. The PIX Firewall provides the following benefits and features:
■ Non-UNIX, secure, real-time, embedded system—Unlike typical CPU-intensive proxy servers that perform extensive processing on each data packet, the PIX Firewall uses a secure, real-time, embedded system, which enhances the security of the network.
■ Adaptive Security Algorithm (ASA)—Implements stateful connection control through the PIX Firewall.
■ Cut-through proxy—A user-based authentication method of both inbound and outbound connections, providing improved performance in comparison to that of a proxy server.
■ Stateful failover—The PIX Firewall enables you to configure two PIX
■ Stateful packet filtering—A secure method of analyzing data packets that places extensive information about a data packet into a table. For a session to be established, information about the connection must match the information in the table.
The PIX Firewall is interoperable and scalable with IPSec, which includes an umbrella of security and authentication protocols such as Internet Key Exchange (IKE) and Public Key Infrastructure (PKI). The PIX Firewall offers an IPSec-based virtual private network (VPN). Remote clients can securely access corporate networks through their ISPs.