Chapter 8: Configuring Advanced PIX Firewall Features (© 1999, Cisco Systems, Inc., page 8-1)
Objectives (MCNS course slides)
Upon completion of this chapter, you will be able to:
- Configure PIX Firewall advanced features to protect Internet access to an enterprise network, based on a case-study network
- Test and verify correct PIX operation

Figure: XYZ Company's plan for advanced PIX features. Network diagram showing the Internet, Perimeter Router R1, the PIX Firewall, a Protected DMZ and a Dirty DMZ with Bastion Hosts, an NT Server (CiscoSecure, Web, FTP, TFTP, Syslog Server), a CA Server, Web Server, SMTP Server and DNS Server, NetRanger Sensor and Director, NetSonar, the Campus Router, NAS R2 with dialup clients, a Remote Branch, Sales, IS, Client/Server hosts and a Web Surfer.

Controlling Outbound Access
- Packet-filtering rules (outbound lists) restrict outbound access
- Filter on source or destination IP address, protocol, and port/application
- Campus example: deny HTTP from the inside network to the Internet
    outbound 12 deny ... tcp
    apply (inside) 12 outgoing_src
The address, mask and port arguments of the outbound line did not survive the transcript; the command form is outbound list_ID permit|deny ip_address netmask port protocol. An outbound list has no effect until an apply command binds it to an interface: outgoing_src matches the list's addresses against the packet source, outgoing_dest against the destination.

Configuring PPTP Support
- A PPTP tunnel from a Windows 95 client PC on the Internet to an NT server on the allowed DMZ passes through the PIX
- The conduits open the inbound path for the tunnel; the static must be entered before the conduit
    static [(internal_if_name, external_if_name)] ...
    conduit permit tcp ... eq ...   (the PPTP control connection, TCP port 1723)
    conduit permit gre ...          (the tunneled data, GRE, IP protocol 47)
The host addresses of the static and conduit lines are missing from the transcript. Both conduits are required: with only the TCP conduit the control channel negotiates but no data flows because GRE is blocked.

Configuring SNMP and Logging

Configuring Logging
Use the logging command to:
- Configure logging host(s)
- Configure logging facility and level
    logging on
    logging facility 20
    logging trap warnings
    logging host ...
Facility 20 is syslog local4 (facilities 16 to 23 are local0 to local7); trap level warnings sends messages of severity 4 and more severe (emergencies through warnings) to the syslog host. The interface and address arguments of logging host are missing from the transcript. Nothing is sent until logging on is entered, and syslog is unauthenticated UDP, so place the collector on a protected interface.

Configuring SNMP
    snmp-server community key
    snmp-server contact text
    snmp-server host if_name ip_address
    snmp-server location text
    snmp-server enable traps
Use the snmp-server command to:
- Configure SNMP community strings
- Configure SNMP hosts and traps
PIX SNMP access is read-only, but the community string is the only credential and travels in cleartext, so replace the defaults (public, private) and point snmp-server host only at management stations on a protected interface.
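The slides for outbound lists, the PPTP static/conduit pair, logging and SNMP each carry a rule that is easy to get wrong (a list without its apply, a TCP conduit without the GRE one, a conduit before its static, a default community string, logging without logging on). The checker below is an added example, not Cisco code or a PIX feature: it reads a PIX-style configuration text and reports those mistakes. The two configurations it checks are constructed for the example and use RFC 5737 documentation addresses rather than the course's lab addresses; the checks know only the command forms shown in this chapter.

```python
"""Static check of a PIX-style configuration for the settings this chapter
covers: outbound/apply lists, the PPTP static and conduit pair, syslog and
SNMP.  Added example, not Cisco code; it knows only the command forms shown
in the chapter.  Both configurations below are constructed for the example
and use RFC 5737 documentation addresses, not the course's lab addresses.
"""
import re
from typing import List

DEFAULT_COMMUNITIES = {"public", "private"}

# Constructed: contains the mistakes the checks below look for.
WEAK_CONFIG = """\
outbound 12 deny 0.0.0.0 0.0.0.0 80 tcp
apply (inside) 12 outgoing_src
outbound 14 deny 0.0.0.0 0.0.0.0 java
outbound 15 permit 0.0.0.0 0.0.0.0 25 tcp
static (inside,outside) 203.0.113.10 10.1.1.10 netmask 255.255.255.255
conduit permit tcp host 203.0.113.10 eq 1723 any
logging on
logging facility 20
logging trap warnings
logging host inside 10.1.1.5
snmp-server community public
snmp-server host inside 10.1.1.5
snmp-server enable traps
"""

# Constructed: the same intent with every finding resolved.
FIXED_CONFIG = """\
outbound 12 deny 0.0.0.0 0.0.0.0 80 tcp
apply (inside) 12 outgoing_src
outbound 14 deny 0.0.0.0 0.0.0.0 java
apply (inside) 14 outgoing_src
static (inside,outside) 203.0.113.10 10.1.1.10 netmask 255.255.255.255
conduit permit tcp host 203.0.113.10 eq 1723 any
conduit permit gre host 203.0.113.10 any
logging on
logging facility 20
logging trap warnings
logging host inside 10.1.1.5
snmp-server community Kq7-ro-mgmt-2041
snmp-server host inside 10.1.1.5
snmp-server enable traps
"""

STATIC_RE = re.compile(r"static\s+\([^)]*\)\s+(\S+)\s+(\S+)")
CONDUIT_RE = re.compile(r"conduit\s+(permit|deny)\s+(\S+)\s+host\s+(\S+)(.*)")
PPTP_PORT_RE = re.compile(r"\beq\s+(1723|pptp)\b")


def audit(config: str) -> List[str]:
    """Return a list of findings (empty when nothing is wrong)."""
    findings: List[str] = []
    outbound_ids, applied_ids = set(), set()
    statics = set()            # global addresses of statics seen so far
    pptp_hosts, gre_hosts = set(), set()
    logging_on, logging_hosts, snmp_hosts = False, 0, 0

    for raw in config.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        words = line.split()
        cmd = words[0]
        if cmd == "outbound" and len(words) > 1:
            outbound_ids.add(words[1])
        elif cmd == "apply" and len(words) > 2:
            applied_ids.add(words[2])            # apply (if) list_id outgoing_src
        elif cmd == "static":
            m = STATIC_RE.match(line)
            if m:
                statics.add(m.group(1))
        elif cmd == "conduit":
            m = CONDUIT_RE.match(line)
            if m:
                _, proto, host, rest = m.groups()
                if host not in statics:          # static must precede the conduit
                    findings.append(f"conduit for {host} has no static defined before it")
                if proto == "gre":
                    gre_hosts.add(host)
                elif proto == "tcp" and PPTP_PORT_RE.search(rest):
                    pptp_hosts.add(host)
        elif cmd == "logging" and len(words) > 1:
            if words[1] == "on":
                logging_on = True
            elif words[1] == "host":
                logging_hosts += 1
        elif cmd == "snmp-server" and len(words) > 2:
            if words[1] == "community" and words[2].lower() in DEFAULT_COMMUNITIES:
                findings.append(f"snmp-server community is the default string '{words[2]}'")
            elif words[1] == "host":
                snmp_hosts += 1

    for list_id in sorted(outbound_ids - applied_ids):
        findings.append(f"outbound list {list_id} is defined but never applied, so it filters nothing")
    for host in sorted(pptp_hosts - gre_hosts):
        findings.append(f"PPTP conduit for {host} opens tcp/1723 but has no GRE conduit; tunnels will not come up")
    if logging_hosts and not logging_on:
        findings.append("logging host is set but 'logging on' is missing; no messages are sent")
    if not logging_hosts:
        findings.append("no logging host; no syslog server receives PIX messages")
    if not snmp_hosts:
        findings.append("no snmp-server host; traps have no destination")
    return findings


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("fixed", FIXED_CONFIG)):
        print(f"{name}: {len(audit(cfg))} finding(s)")
        for f in audit(cfg):
            print("  -", f)
```

Run it against a saved configuration (paste the output of write terminal into a file and pass its text to audit) before a change window; the ordering check for static and conduit matters because a conduit entered first is silently useless for a PPTP server that is then made reachable by a static.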

Configuring PIX Firewall Failover

Failover (Hot Standby)
- Minimizes the single point of failure
- Maximizes reliability of the network
- Transparent to users behind the firewall: no client reconfiguration is needed. Unless stateful failover is available and configured, open connections are dropped on switchover and must be re-established
- Failover units must be the identical PIX model (and run the same software version)
Figure: private LAN, the two PIX units joined by the failover cable, a DMZ with Web Server, DNS Server and Mail Server, and the Internet. Command shown: failover active.

Java Applet Blocking
Problem:
- Java applets may be downloaded when you permit access to port 80 (HTTP)
- Some Java applets contain hidden code that can destroy data on the internal network
Solution: use the outbound command to block all Java applets
    outbound 14 deny ... java
    apply (inside) 14 outgoing_src
The address and mask arguments are missing from the transcript. The filter recognizes an applet by the Java class-file signature in the returned content, not by the file name or Content-Type the server advertises, and it only sees the traffic the list is applied to.
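To show what a content-based applet filter of the kind described on this slide actually decides on, here is an added example (not PIX code): it splits a constructed HTTP response, checks whether the body begins with the Java class-file magic number CA FE BA BE, and exposes two consequences of that approach, one false negative (a class inside a ZIP/JAR archive is not visible to a first-bytes check) and one false positive (a Mach-O universal binary starts with the same four bytes). The sample responses are constructed for the example.

```python
"""Content-based Java applet detection, as an illustration of how an
'outbound ... deny java' style filter can work: a Java class file starts
with the magic bytes CA FE BA BE, so the filter checks the first bytes of
the HTTP response body.  Added example, not PIX code; all responses below
are constructed for the example."""

JAVA_CLASS_MAGIC = b"\xca\xfe\xba\xbe"
ZIP_MAGIC = b"PK\x03\x04"           # ZIP local-file header, also used by .jar


def split_response(raw: bytes):
    """Split a raw HTTP/1.x response into (status line, headers dict, body)."""
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("incomplete HTTP response: no header terminator")
    lines = head.split(b"\r\n")
    status = lines[0].decode("ascii", "replace")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        headers[name.strip().lower().decode()] = value.strip().decode("latin-1")
    return status, headers, body


def classify(raw: bytes) -> str:
    """Filter decision for one HTTP response.

    'block'         body begins with the class-file magic (an applet)
    'pass-archive'  body is a ZIP/JAR: a first-bytes check cannot see the
                    classes packed inside it
    'pass'          anything else
    Content-Type is deliberately ignored: a server, or an attacker, can
    label a class file as anything; only the bytes count.
    """
    _, _headers, body = split_response(raw)
    if body.startswith(JAVA_CLASS_MAGIC):
        return "block"
    if body.startswith(ZIP_MAGIC):
        return "pass-archive"
    return "pass"


def build_response(content_type: str, body: bytes) -> bytes:
    """Constructed HTTP/1.0 response used as sample input."""
    head = (
        "HTTP/1.0 200 OK\r\n"
        f"Content-Type: {content_type}\r\n"
        f"Content-Length: {len(body)}\r\n"
    ).encode("ascii")
    return head + b"\r\n" + body


# Constructed samples.  The applet "class" is the magic plus minor_version 3
# and major_version 45 (Java 1.0); the jar is a ZIP local-file header.
APPLET = build_response("application/octet-stream",
                        JAVA_CLASS_MAGIC + b"\x00\x03\x00\x2d" + b"\x00" * 16)
MISLABELLED_APPLET = build_response("image/gif", JAVA_CLASS_MAGIC + b"\x00\x03\x00\x2d")
JAR = build_response("application/java-archive", ZIP_MAGIC + b"\x14\x00" + b"\x00" * 24)
PAGE = build_response("text/html", b"<html><body>hello</body></html>")
# A Mach-O universal ("fat") binary also begins with CA FE BA BE: false positive.
FAT_BINARY = build_response("application/octet-stream", JAVA_CLASS_MAGIC + b"\x00\x00\x00\x02")

if __name__ == "__main__":
    for name, sample in [("applet", APPLET), ("mislabelled applet", MISLABELLED_APPLET),
                         ("jar", JAR), ("html page", PAGE), ("fat binary", FAT_BINARY)]:
        print(f"{name:20s} -> {classify(sample)}")
```

The decision is made on bytes rather than on the advertised type, which is why the mislabelled applet is still caught; the archive case is the caveat to carry into any deployment of a signature-based applet filter, since it is the same gap an attacker would use.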

Configuring URL Filtering
- Designates a WebSENSE server
- Identifies the traffic to send to the WebSENSE server for filtering
- Filters all outbound HTTP traffic
- Can create an exception to filtering (filter url except)
    url-server (inside) host ...
    filter url http ...
The server address and the local/foreign address and mask arguments are missing from the transcript. Decide the failure mode deliberately: the allow keyword on filter url lets HTTP through unfiltered while the WebSENSE server is unreachable; without it, outbound HTTP is blocked until the server answers again.

Cisco Security Manager

Security Manager v1.0 Overview
- Policy-based management system for network perimeter security
- Manages up to 100 Cisco PIX Firewalls
- Windows-based
- Client/server architecture
- Web-based reports

Figure: Cisco Security Manager architecture. Policy process (define, enforce, audit) backed by a database, policy server(s) and policy manager(s); managed elements grouped into Phases I to III: perimeter security (PIX Firewalls), IPSec VPNs, routers, VPN clients, certificate authority, and IDS and directory services (NetRanger sensors, AAA server, access servers, directory).

Security Manager Network Topology Creation
- First step
- Provides wizards to assist in building PIX-based network topologies (network, interface and service objects)

Security Manager Policy Definition
- Creates policies in terms of business objectives
- Defines end-to-end policies, independent of the number of devices or their location
- Consistency checking

Security Manager Policy Enforcement
- Distributes policies to multiple PIXs simultaneously
- Translates policies into device-specific configurations
- User verification and validation support prior to download
- Policy backup support

Security Manager Policy Auditing (event notification)
- Real-time notification
- Customizable event filtering
- User-defined notification methods (e.g., paging, executing scripts)

Security Manager Policy Audit Reporting
- Provides Web-based reports on policy and device status
- Summary reports
- Detailed reports
- Can integrate with the CiscoWorks2000 RME reporting system

Summary of PIX Advanced Features
- Proprietary real-time OS that is not subject to UNIX-based attacks
- PIX can block potentially harmful Java applets (mobile code)
- Supports FTP and URL logging
- Controls SNMP access
- Failover capability between identical PIX models
- VPN support
- PIX Firewall Manager to manage multiple PIX Firewalls
- Cisco Security Manager manages PIX Firewall policies

Lab Exercise: Configuring Advanced PIX Firewall Features

Lab Objectives
Upon completion of this lab, you will be able to perform the following tasks:
- Configure advanced PIX Firewall features to protect Internet access to an enterprise network, given a case-study network
- Test and verify correct PIX operation

Figure: MCNS lab environment (generic; X = pod number). PIXX Firewall with Outside, Inside, Protected DMZ and Dirty DMZ interfaces; PerimeterX Router toward the Frame Relay (Internet) Telco Simulator; inside network 10.X.2.1/24 on the PIX with Windows NT PCs at 10.X.2.2 to 10.X.2.10/24 and NT1, an NT Server running CiscoSecure NT, IIS FTP and Web Server, Cisco Security Manager, Syslog Server and TFTP Server; 10.X.1.0/24 with NASX and IS; Bastion Host (Web Server, FTP Server) on the DMZ; Instructor NT Server (FTP, HTTP, CA); Sales dialup. The outside and DMZ interface addresses (/24 and /30 networks) did not survive the transcript.

Review Questions
1. List three advanced PIX Firewall features that enhance network security.
   A. Java applet blocking
   B. URL filtering
   C. Control of SNMP access
2. What two things are needed for failover to work?
   A. Two identical PIX Firewalls
   B. A failover cable
3. Which commands are used together to enable a permanent connection through PIX?
   A. link
   B. linkpath

Review Questions (cont.)
4. Two conduits are needed to enable PPTP on a PIX. What are they for?
   A. TCP port 1723 (the PPTP control connection)
   B. The GRE protocol (the tunneled data)
5. Can PIX Firewall Manager and Cisco Security Manager run on the same machine at the same time? No.
6. What advantages does PFM have over the command-line interface for PIX configuration and management?
   A. GUI-based configuration and management enables point-and-click policy settings
   B. Can manage multiple PIX Firewalls from a single point
   C. Provides general reporting capabilities
   D. Provides URL and FTP logging for audits