© 2003, Cisco Systems, Inc. All rights reserved. CSPFA 3.17-1 Chapter 7 Access Control Lists and Content Filtering.


Objectives

Upon completion of this chapter, you will be able to perform the following tasks:
– Configure and explain the function of ACLs.
– Convert conduits to ACLs.
– Configure and explain the function of Turbo ACLs.
– Configure and explain the function of NAT 0 ACLs.
– Configure active code filtering (ActiveX and Java applets).
– Configure the PIX Firewall for URL filtering.
– Configure the PIX Firewall for long URL filtering.

ACLs

Access Control List (ACL)
An ACL enables you to determine what traffic will be allowed or denied through the PIX Firewall.
– ACLs are applied per interface (traffic is analyzed inbound relative to an interface).
– The access-list and access-group commands are used to create an ACL.
– The access-list and access-group commands are an alternative to the conduit command.

ACL Usage Guidelines
Higher to lower security level:
– Use an ACL to restrict outbound traffic.
– The ACL source address is the actual (untranslated) address of the host or network.
Lower to higher security level:
– Use an ACL to restrict inbound traffic.
– The ACL destination address is the translated global IP address.

access-list Command
pixfirewall(config)# access-list acl_ID deny | permit protocol source_addr source_mask [operator port [port]] destination_addr destination_mask operator port [port]
Enables you to create an ACL.
pixfirewall(config)# access-list DMZ1 deny tcp host lt 1024
Denies access from the network to TCP ports less than 1024 on host

access-group Command
pixfirewall(config)# access-group acl_ID in interface interface_name
Binds an ACL to an interface.
pixfirewall(config)# access-group DMZ1 in interface dmz
Binds ACL DMZ1 to interface dmz.

nat 0 access-list Command
pixfirewall(config)# nat [(if_name)] 0 access-list acl_name [outside]
Enables you to exempt traffic that is matched by an access-list command statement from NAT.
pixfirewall(config)# access-list NONAT permit ip host host
pixfirewall(config)# nat (inside) 0 access-list NONAT

Turbo ACLs
Regular ACL processing:
– ACLs are organized internally as linked lists.
– A linear search finds the matching entry that denies or permits the packet.
– Search time increases when ACL A contains a large number of elements, which leads to performance degradation.
Turbo ACL processing:
– ACLs are compiled into sets of lookup data tables.
– Improved search time for large ACLs.
– Requires a minimum of 2.1 MB of memory.
Figure: ACL A as a linked list (Entry 1, Entry 2, Entry 3 ... Entry N) versus ACL A compiled into a data table indexed by packet header value, with a bit map per ACL entry.

Turbo ACL
pixfirewall(config)# access-list compiled
Enables the Turbo ACL feature on all ACLs. Turbo compiles all ACLs with 19 or more entries.
pixfirewall(config)# access-list acl_ID compiled
Enables the Turbo ACL feature for a specific ACL.

Converting Conduits to ACLs

ACLs Versus Conduits
ACL: An ACL applies to a single interface, affecting all traffic entering that interface regardless of its security level.
Conduit: A conduit creates an exception to the PIX Firewall ASA by permitting connections from one interface to access hosts on another.
It is recommended to use ACLs to maintain future compatibility.

Beware of the Difference in the Behaviors of Conduits and ACLs
The PIX Firewall configuration pertaining to the Partnernet contains:
– A NAT and a global pool for the Partnernet.
– Statics for the FTP server and mail server.
– A conduit permitting access to the FTP server from the Partnernet.
– An ACL on the Partnernet interface permitting access to the mail server.
The action specified for both the conduit and the ACL is permit, but the configuration is not working as planned. Why?
Figure: the Partnernet, the Internet, the internal mail server and the internal FTP server behind the PIX Firewall; the FTP attempt ends in "ftp: connect :Connection refused", the web request ends in "The page cannot be displayed", and mail from the Partnernet arrives.

The Incorrect Configuration
pixfirewall(config)# nat (partnernet)
pixfirewall(config)# global (outside) netmask
pixfirewall(config)# static (inside,partnernet) netmask
pixfirewall(config)# static (inside,partnernet) netmask
pixfirewall(config)# conduit permit tcp host eq ftp any
pixfirewall(config)# access-list 102 permit tcp host eq smtp
pixfirewall(config)# access-group 102 in interface partnernet
Due to the ACL bound to the Partnernet interface:
– Users on the Partnernet are unable to access the internal FTP server.
– Users on the Partnernet are unable to access the Internet.
– Users on the Partnernet are only able to access the internal mail server.

Convert Conduits to ACLs
pixfirewall(config)# conduit permit | deny protocol global_ip global_mask operator port [port] foreign_ip foreign_mask [operator port [port]]
pixfirewall(config)# access-list acl_ID deny | permit protocol source_addr source_mask [operator port [port]] destination_addr destination_mask operator port [port]
global_ip = destination_addr
foreign_ip = src_addr
pixfirewall(config)# conduit permit tcp host eq ftp
pixfirewall(config)# access-list 102 permit tcp host eq ftp

ACLs in Action
Conduits are converted to ACLs. The user is able to access the internal FTP server and the internal mail server. Although she is unable to access hosts on the inside network via HTTP, she is able to access hosts on the Internet via HTTP. All other traffic originating from the Partnernet is denied.
Figure: the Partnernet, the Internet, the internal mail server and the internal FTP server behind the PIX Firewall; the FTP session reports "Connected to" and mail from the Partnernet arrives.

The Correct Configuration
pixfirewall(config)# nat (partnernet)
pixfirewall(config)# global (outside) netmask
pixfirewall(config)# static (inside,partnernet) netmask
pixfirewall(config)# static (inside,partnernet) netmask
pixfirewall(config)# access-list 102 permit tcp host eq ftp
pixfirewall(config)# access-list 102 permit tcp host eq smtp
pixfirewall(config)# access-list 102 deny tcp eq www
pixfirewall(config)# access-list 102 permit tcp any eq www
pixfirewall(config)# access-group 102 in interface partnernet
Users on the Partnernet are able to access the Internet, the internal FTP server, and the internal mail server.
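The conduit-to-ACL rewrite and the Partnernet pitfall from the slides above, as an added Python example that is not Cisco course material: conduit_to_acl moves a conduit's global_ip into the ACL destination and its foreign_ip into the ACL source, and acl_decision evaluates an interface-bound ACL first-match with the implicit deny, which is why the conduit alone could not admit FTP once access-list 102 was bound to partnernet. The helper names and all sample addresses (192.168.1.0/24 for the Partnernet, 10.0.0.3 and 10.0.0.4 for the FTP and mail servers as seen from the Partnernet, 203.0.113.5 for an Internet host) are constructed for illustration.

```python
"""PIX conduit-to-ACL rewrite and first-match ACL evaluation. Added example, not
Cisco course code; helper names and all sample addresses are constructed."""
import ipaddress

PORT_NAMES = {"ftp": 21, "smtp": 25, "www": 80}   # port names used on the slides

def _addr(t, i):
    """Consume one address spec (any | host A | A MASK) starting at token i.
    Returns (spec text, ip_network, index of the next token)."""
    n = 1 if t[i] == "any" else 2
    cidr = "0.0.0.0/0" if n == 1 else (f"{t[i + 1]}/32" if t[i] == "host" else f"{t[i]}/{t[i + 1]}")
    return " ".join(t[i:i + n]), ipaddress.ip_network(cidr, strict=False), i + n

def _port(t, i):
    """Consume an optional 'operator port' pair; returns ((op, port) or None, next index)."""
    if i < len(t) and t[i] in ("eq", "lt", "gt", "neq"):
        return (t[i], t[i + 1]), i + 2
    return None, i

def conduit_to_acl(acl_id, conduit):
    """Rewrite 'conduit permit|deny proto GLOBAL [op port] FOREIGN [op port]' as an
    access-list line: global_ip becomes the ACL destination, foreign_ip the source."""
    t = conduit.split()                          # t[1] = action, t[2] = protocol
    glob, _, i = _addr(t, 3)
    gport, i = _port(t, i)
    foreign, _, i = _addr(t, i)
    fport, _ = _port(t, i)
    return " ".join(["access-list", acl_id, t[1], t[2], foreign, *(fport or ()), glob, *(gport or ())])

def _port_ok(cond, port):
    """None means any port; otherwise apply the eq/lt/gt/neq operator to the port."""
    if cond is None:
        return True
    want = PORT_NAMES.get(cond[1]) or int(cond[1])
    return {"eq": port == want, "neq": port != want, "lt": port < want, "gt": port > want}[cond[0]]

def acl_decision(acl_lines, proto, src, dst, dport):
    """First-match evaluation of the access-list lines bound to one interface. Traffic no
    line matches hits the implicit deny, so a conduit cannot admit it once an ACL is bound."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for line in acl_lines:
        t = line.split()                         # t[2] = action, t[3] = protocol
        _, s, i = _addr(t, 4)
        _, i = _port(t, i)                       # source-port operator: parsed, not evaluated
        _, d, i = _addr(t, i)
        dp, _ = _port(t, i)
        if t[3] in ("ip", proto) and src in s and dst in d and _port_ok(dp, dport):
            return t[2]
    return "deny"
```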

Using ACLs

Deny Web Access to the Internet
pixfirewall(config)# write terminal
...
nameif ethernet0 outside sec0
nameif ethernet1 inside sec100
access-list acl_out deny tcp any any eq www
access-list acl_out permit ip any any
access-group acl_out in interface inside
nat (inside)
global (outside) netmask
Denies web traffic on port 80 from the inside network to the Internet. Permits all other IP traffic from the inside network to the Internet.

Permit Web Access to the DMZ
pixfirewall(config)# write terminal
...
nameif ethernet0 outside sec0
nameif ethernet1 inside sec100
nameif ethernet2 dmz sec50
ip address outside
ip address inside
ip address dmz
static (dmz,outside)
access-list acl_in_dmz permit tcp any host eq www
access-list acl_in_dmz deny ip any any
access-group acl_in_dmz in interface outside
...
The ACL acl_in_dmz permits web traffic on port 80 from the Internet to the DMZ web server. The ACL acl_in_dmz denies all other IP traffic from the Internet.

Partner Web Access to DMZ and DMZ Access to Internal Mail
pixfirewall(config)# write terminal
...
nameif ethernet0 outside sec0
nameif ethernet1 inside sec100
nameif ethernet2 dmz sec50
nameif ethernet3 partnernet sec40
static (dmz,partnernet)
static (inside,dmz)
access-list acl_partner permit tcp host eq www
access-group acl_partner in interface partnernet
access-list acl_dmz_in permit tcp host host eq smtp
access-group acl_dmz_in in interface dmz
...
The ACL acl_partner permits web traffic from the partner subnet /28 to the DMZ intranet web server. The ACL acl_dmz_in permits host mail access to
Figure: the WWW server in the DMZ, the client on the Partnernet, the internal mail server and the Internet behind the PIX Firewall.

VPN Solution: Dual DMZ and VPN Concentrator
pixfirewall(config)# write terminal
...
static (dmz,outside) netmask
static (inside,dmz2) netmask
route dmz
access-list IPSEC permit tcp any host eq 443
access-list IPSEC permit esp any host
access-list IPSEC permit udp any host eq isakmp
access-group IPSEC in interface outside
access-list WEB permit tcp eq www
access-group WEB in interface dmz2
Figure: the inside, outside, dmz and dmz2 interfaces of the PIX Firewall, the VPN Concentrator on the dmz (Priv and Pub sides, address Pool), servers on the inside and dmz2, and a VPN client on the Internet.

icmp Command
pixfirewall(config)# icmp permit | deny src_addr src_mask [icmp-type] if_name
Enables or disables pinging to an interface.
pixfirewall(config)# icmp deny any echo-reply outside
pixfirewall(config)# icmp permit any unreachable outside
All ping requests are denied at the outside interface, and all unreachable messages are permitted at the outside interface.

Malicious Active Code Filtering

Java Applet Filtering
– Java applet filtering enables an administrator to prevent the downloading of Java applets by an inside system.
– Java programs can provide a vehicle through which an inside system can be invaded.
– Java applets are executable programs that are banned within some security policies.

ActiveX Blocking
– ActiveX controls are applets that can be inserted in web pages or other applications.
– ActiveX controls can provide a way for someone to attack servers.
– The PIX Firewall can be used to block ActiveX controls.

filter activex | java Command
pixfirewall(config)# filter activex | java port [-port] local_ip mask foreign_ip mask
– filter activex: filters out ActiveX usage from outbound packets.
– filter java: filters out Java applets that return to the PIX Firewall from an outbound connection.

ActiveX filter Command
pixfirewall(config)# filter activex
Specifies that the ActiveX blocking applies to web traffic on port 80 from any local host and for connections to any foreign host.
Figure: Executive, Engineering and Marketing networks and a DMZ with TACACS+ and RADIUS servers behind the PIX Firewall, with the Internet outside.

URL Filtering

Configure URL Filtering
pixfirewall(config)# url-server (dmz) host timeout 10 protocol TCP version 4
pixfirewall(config)# filter url http allow
Figure: a user wants to go to a prohibited web site on the Internet; the PIX Firewall consults the URL-filtering server, which answers "Deny access".

Designate the URL-Filtering Server
pixfirewall(config)# url-server [(if_name)] [vendor websense] host local_ip [timeout seconds] [protocol TCP | UDP version [1 | 4]]
Designates a server that runs a Websense URL-filtering application.
pixfirewall(config)# url-server [(if_name)] vendor n2h2 host local_ip [port number] [timeout seconds] [protocol TCP | UDP]
Designates a server that runs an N2H2 URL-filtering application.
pixfirewall(config)# url-server (dmz) host protocol TCP version 4
The URL-filtering host is on the DMZ interface at IP address
The PIX Firewall performs a username lookup, and then the URL-filtering server handles URL filtering and username logging.

Configure the PIX Firewall to Work with a URL-Filtering Server
pixfirewall(config)# filter url port[-port] | except local_ip local_mask foreign_ip foreign_mask [allow] [proxy-block] [longurl-truncate | longurl-deny] [cgi-truncate]
Tells the PIX Firewall how to filter requests. Prevents outbound users from accessing URLs that are designated with the URL-filtering application.
pixfirewall(config)# filter url http allow

Long URL Filtering
pixfirewall(config)# url-block url-size long_url_size
Enables you to increase the maximum allowable length of a single URL.
pixfirewall(config)# url-block url-mempool memory_pool_size
Enables you to configure the maximum memory available for buffering long URLs and pending URLs.
pixfirewall(config)# url-server (inside) vendor Websense host timeout 5 protocol TCP version 1
pixfirewall(config)# filter url http longurl-truncate cgi-truncate
pixfirewall(config)# url-block url-mempool 1500
pixfirewall(config)# url-block url-size 4

Summary

– ACLs enable you to determine which systems can establish connections through your PIX Firewall.
– Cisco recommends migrating from conduits to ACLs. Existing conduits can easily be converted to ACLs.
– Turbo ACLs improve search time for large ACLs.
– With ICMP ACLs, you can disable pinging to a PIX Firewall interface so that your PIX Firewall cannot be detected on your network.
– The PIX Firewall can be configured to filter malicious active code.
– The PIX Firewall can work with URL-filtering software to control and monitor Internet activity.

Lab Exercise

Lab Visual Objective
Figure: lab topology for pods P and Q (Pods 1-5), each with a Student PC, a PIX Firewall, a Web/FTP server and CSACS, connected through RTS and RBB to bastion hosts offering Web and FTP; address pairs Remote 10.1.P.11 / Local 10.0.P.11 and Remote 10.1.Q.11 / Local 10.0.Q.