© 2003, Cisco Systems, Inc. All rights reserved. CSPFA 3.111-1 Chapter 11 Attack Guards, Intrusion Detection, and Shunning.

Transcript:

Chapter 11: Attack Guards, Intrusion Detection, and Shunning

Objectives
Upon completion of this chapter, you will be able to perform the following tasks:
–Name, describe, and configure the attack guards in the PIX Firewall.
–Define intrusion detection.
–Describe signatures.
–Name and identify the signature classes supported by the PIX Firewall.
–Configure the PIX Firewall to use IDS signatures.
–Configure the PIX Firewall to shun.

Attack Guards

Mail Guard
pixfirewall(config)# fixup protocol smtp [port[-port]]
Defines the ports on which to activate Mail Guard (default = 25). Mail Guard only allows the commands of the RFC 821 minimum implementation: HELO, MAIL, RCPT, DATA, RSET, NOOP, and QUIT. If it is disabled, all SMTP commands are allowed through the firewall and potential mail server vulnerabilities are exposed.
Examples:
pixfirewall(config)# fixup protocol smtp 2525
pixfirewall(config)# fixup protocol smtp
pixfirewall(config)# no fixup protocol smtp 25

DNS Guard
(Diagram: a client-to-server DNS request and the returned response, tracked by source IP, destination IP, source port, and destination port.)
DNS Guard is always on. After the client sends a DNS request, a dynamic conduit allows UDP packets to return from the DNS server. The default UDP timer expires in two minutes. The firewall recognizes the DNS server response and closes the dynamic UDP conduit immediately; the PIX Firewall does not wait for the UDP timer to expire.

FragGuard and Virtual Re-assembly
The FragGuard and Virtual Re-assembly feature has the following characteristics:
–Is on by default.
–Verifies each fragment set for integrity and completeness.
–Tags each fragment in a fragment set with the transport header.
–Performs full reassembly of all ICMP error messages and virtual reassembly of the remaining IP fragments that are routed through the PIX Firewall.
–Uses Syslog to log fragment overlapping and small fragment offset anomalies.

fragment Command
pixfirewall(config)# fragment size database-limit [interface]
Sets the maximum number of packets in the fragment database.
pixfirewall(config)# fragment chain chain-limit [interface]
Specifies the maximum number of packets into which a full IP packet can be fragmented.
pixfirewall(config)# fragment timeout seconds [interface]
Specifies the maximum number of seconds that the PIX Firewall waits before discarding a packet that is waiting to be reassembled.
Examples:
pixfirewall(config)# fragment size 1
pixfirewall(config)# fragment chain 1

AAA Flood Guard
pixfirewall(config)# floodguard enable | disable
Reclaims attacked or overused AAA resources to help prevent DoS attacks on AAA services (default = enabled).
Example:
pixfirewall(config)# floodguard enable
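The following configuration is an added example that ties the three guards above together; it is not taken from the CSPFA deck. It assumes a PIX with outside, inside, and dmz interfaces, an SMTP relay that listens on port 2525 as well as 25, and constructed fragment limits; the `show fragment` verification command at the end is not shown on the slides.

```cisco
! Added example (not from the CSPFA deck). Interface names, the port 2525
! relay and all limit values are assumptions.

! Mail Guard: keep the default inspection on port 25 and also inspect the
! relay on 2525, so only HELO, MAIL, RCPT, DATA, RSET, NOOP and QUIT reach
! either mail server. Disabling the fixup would expose every SMTP verb.
fixup protocol smtp 25
fixup protocol smtp 2525

! FragGuard: bound the reassembly state held for the untrusted interface so a
! flood of incomplete fragment sets cannot exhaust memory. A full datagram may
! arrive in at most 24 fragments, the database holds at most 200 packets, and
! an incomplete set is discarded after 5 seconds.
fragment size 200 outside
fragment chain 24 outside
fragment timeout 5 outside

! AAA Flood Guard is enabled by default; stating it explicitly makes the intent
! visible in a configuration review and survives a "no floodguard enable".
floodguard enable

! Verification (command exists on PIX 6.x but is not on the slides):
! show fragment outside
```

Overlapping or undersized fragments are logged through Syslog by FragGuard, so pair the limits above with a reachable Syslog server; otherwise the anomalies the guard detects are dropped silently.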

SYN Flood Attack
(Diagram: attacker on the Internet, target listening on port 80, spoofed host X with source port 2876; SYN packets are sent to the target and SYN-ACK replies go to the spoofed host.)
The attacker spoofs a nonexistent source IP address and floods the target with SYN packets. The target responds to the SYN packets by sending SYN-ACK packets to the spoofed hosts. The target overflows its port buffer with embryonic connections and stops responding to legitimate requests.

SYN Flood Guard Configuration
For inbound connections:
–Use the em_limit to limit the number of embryonic connections.
–Set the limit to a number lower than the server can handle.
For outbound connections:
–Use the em_limit to limit the number of embryonic connections.
–Set the limit to a number lower than the server can handle.
pixfirewall(config)# static [(prenat_interface, postnat_interface)] mapped_address | interface real_address [dns] [netmask mask] [norandomseq] [connection_limit [em_limit]]
pixfirewall(config)# nat [(if-name)] id address [netmask [outside] [dns] [norandomseq] [timeout hh:mm:ss] [conn_limit [em_limit]]]
Examples:
pixfirewall(config)# nat (inside) ...
pixfirewall(config)# static (inside,outside) ...

TCP Intercept
(Diagram: a TCP SYN arrives from the Internet for the protected server; the static translation below applies.)
pixfirewall(config)# static (inside,outside) ... netmask ...
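An added example of the embryonic-connection limits from the two slides above, not from the deck itself: it assumes a DMZ web server 10.0.1.10 published as 192.0.2.10, an inside network 10.0.0.0/24, and constructed connection limits; the `global` command is a dependency of `nat` that the slides do not show.

```cisco
! Added example (not from the CSPFA deck). Addresses and limits are assumptions.

! Inbound: the web server accepts at most 1000 established connections and no
! more than 100 embryonic (half-open) ones. Choose em_limit below what the
! server's own listen queue can hold, so the firewall, not the server, is the
! first to react to a spoofed SYN flood.
static (dmz,outside) 192.0.2.10 10.0.1.10 netmask 255.255.255.255 1000 100

! Outbound: inside hosts translate through NAT ID 1. conn_limit 0 leaves the
! total unlimited, while em_limit 50 caps half-open connections so a
! compromised inside host cannot be used to SYN flood external servers.
nat (inside) 1 10.0.0.0 255.255.255.0 0 50
global (outside) 1 192.0.2.20
```

Once the embryonic limit for a static is reached, the PIX Firewall's TCP Intercept answers further SYNs itself and only forwards a connection to the server after the client completes the handshake, which a spoofed source never does; the limit therefore needs to be low enough that the server's queue is never the first resource exhausted.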

Intrusion Detection

Intrusion Detection
Intrusion detection is the ability to detect attacks against networks. Three types of network attacks:
–Reconnaissance
–Access
–Denial of service

Signatures
A signature is a set of rules pertaining to typical intrusion activity that, when matched, generates a unique response. The following signature classes are supported by the PIX Firewall:
–Informational: Triggers on normal network activity that in itself is not considered malicious, but can be used to determine the validity of an attack or for forensic purposes.
–Attack: Triggers on an activity known to be, or that could lead to, unauthorized data retrieval, system access, or privilege escalation.

Intrusion Detection in the PIX Firewall
(Diagram: intruder on the Internet, PIX Firewall, DNS server "server1" for domain.com on the dmz, and a Syslog server.)
1. The intruder attempts a zone transfer from the DNS server on the dmz:
C:\>nslookup
Default server: server1.domain.com
Address:
ls -d domain.com
2. The PIX Firewall detects an attack, drops the connection, and logs an IDS message to the Syslog server.

Configure IDS
pixfirewall(config)# ip audit name audit_name info [action [alarm] [drop] [reset]]
Creates a policy for informational signatures.
pixfirewall(config)# ip audit name audit_name attack [action [alarm] [drop] [reset]]
Creates a policy for attack signatures.
pixfirewall(config)# ip audit interface if_name audit_name
Applies a policy to an interface.
Example:
pixfirewall(config)# ip audit name ATTACKPOLICY attack action alarm reset
pixfirewall(config)# ip audit interface outside ATTACKPOLICY
When the PIX Firewall detects an attack signature on its outside interface, it reports an event to all configured Syslog servers, drops the offending packet, and closes the connection if it is part of an active connection.

Specify Default Actions for Signatures
pixfirewall(config)# ip audit attack [action [alarm] [drop] [reset]]
Specifies the default actions for attack signatures.
pixfirewall(config)# ip audit info [action [alarm] [drop] [reset]]
Specifies the default actions for informational signatures.
Example:
pixfirewall(config)# ip audit info action alarm drop
When the PIX Firewall detects an info signature, it reports an event to all configured Syslog servers and drops the offending packet.

Disable Intrusion Detection Signatures
pixfirewall(config)# ip audit signature signature_number disable
Excludes a signature from auditing.
Example:
pixfirewall(config)# ip audit signature 6102 disable
Disables signature 6102.
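A complete IDS configuration assembled from the three slides above, added here as an example rather than taken from the deck. It assumes a Syslog server at 10.0.1.50 on the inside interface and the policy names OUT_INFO and OUT_ATTACK; the `logging` commands and `show ip audit count` are standard PIX commands that the slides do not cover, and signature 6102 is disabled only because the deck uses it as its example.

```cisco
! Added example (not from the CSPFA deck). Syslog address, policy names and
! the choice of interfaces are assumptions.

! The "alarm" action only has an effect if a Syslog host is configured; IDS
! events are emitted at severity 4 (warnings), so the trap level must include it.
logging on
logging trap warnings
logging host inside 10.0.1.50

! Default actions, inherited by any policy created without "action".
ip audit info action alarm
ip audit attack action alarm drop reset

! Untrusted interface: record informational hits for forensics, and log, drop
! and reset anything matching an attack signature.
ip audit name OUT_INFO info action alarm
ip audit name OUT_ATTACK attack action alarm drop reset
ip audit interface outside OUT_INFO
ip audit interface outside OUT_ATTACK

! Exclude a signature that is known to fire on expected traffic at this site.
! Disabling is global: it applies to every policy on every interface.
ip audit signature 6102 disable

! Verification (not on the slides): per-signature hit counters show whether the
! policies are seeing traffic and which signatures are the noisiest.
! show ip audit count
```

Keep the informational policy to "alarm" only: the slides define informational signatures as normal activity that helps judge an attack, so dropping on them mainly produces false positives, while the Syslog record is what later forensics needs.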

Shunning

shun Command
pixfirewall(config)# shun src_ip [dst_ip sport dport [protocol]]
Applies a blocking function to an interface under attack.
Example:
pixfirewall(config)# shun ...
No further traffic from the shunned source address is allowed.

Shunning an Attacker
(Diagram: attacker on the Internet sending from port 4000 to the target's port 53; the PIX Firewall blocks the source.)
pixfirewall(config)# shun ...
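An added example of the two forms of the `shun` command shown above, matching the slide's port 4000 to port 53 scenario; it is not from the deck. The source 192.0.2.45 and the DNS server 10.0.1.53 are constructed, and `show shun` and `no shun` are standard PIX commands that the slides omit. The behaviour of the optional 5-tuple (it names the existing connection to tear down, while future packets from the source are blocked either way) is taken from the PIX command reference, not from the slides.

```cisco
! Added example (not from the CSPFA deck). Both addresses are assumptions.

! Full form: tear down the specific active connection seen in the IDS event
! (UDP from 192.0.2.45:4000 to 10.0.1.53:53) and block all further packets
! from the source. Use this when the event gives you the whole flow.
shun 192.0.2.45 10.0.1.53 4000 53 udp

! Source-only form: drop every existing connection from the host and block all
! further packets from it, regardless of destination.
shun 192.0.2.45

! Verify the block is in place, then remove it once the incident is closed;
! shuns are held in memory and are not written to the configuration.
show shun
no shun 192.0.2.45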

Summary

Summary
The PIX Firewall has the following attack guards to help protect systems from malicious attacks: Mail Guard, DNS Guard, Fragmentation Guard, AAA Flood Guard, and SYN Flood Defender. PIX Firewall software versions 5.2 and higher support intrusion detection. Intrusion detection is the ability to detect attacks against a network, including the following: reconnaissance, access, and DoS. The PIX Firewall supports signature-based intrusion detection.

Summary (cont.)
Each signature can generate a unique alarm and response. Informational signatures collect information to help determine the validity of an attack, or for forensics. Attack signatures trigger on an activity known to be, or that could lead to, unauthorized data retrieval, system access, or privilege escalation. The PIX Firewall can be configured to shun the source address of attacking hosts.

Lab Exercise

Lab Visual Objective
(Diagram: per pod, a Student PC and Syslog server on the inside of the PIX Firewall, a bastion host running Web and FTP on the dmz, and RTS/RBB routers with Web and FTP on the backbone. Pod P uses local 10.0.P.11 and remote 10.1.P.11; pod Q uses local 10.0.Q.11 and remote 10.1.Q.11. Pods 1–5 and Pods 6– as shown on the slide.)