© 2003, Cisco Systems, Inc. All rights reserved. CSPFA 3.110-1 Chapter 10 Advanced Protocol Handling.

Transcript:

Objectives

Upon completion of this chapter, you will be able to perform the following tasks:
–Describe the fixup protocol command.
–Describe the need for advanced protocol handling.
–Describe how the PIX Firewall handles FTP, rsh, and SQL*Net traffic.
–Configure FTP, rsh, and SQL*Net fixup protocols.
–Describe the issues with multimedia applications.
–Describe how the PIX Firewall handles RTSP and H.323 multimedia protocols.
–Configure RTSP and H.323 fixup protocols.
–Describe how the PIX Firewall supports call handling sessions and VoIP call signaling.

Advanced Protocols

Need for Advanced Protocol Handling

Some popular protocols or applications behave as follows:
–Negotiate connections to dynamically assigned source or destination ports, or IP addresses.
–Embed source or destination port, or IP address information above the network layer.

A good firewall has to inspect packets above the network layer and do the following as required by the protocol or application:
–Securely open and close negotiated ports or IP addresses for legitimate client-server connections through the firewall.
–Use NAT-relevant instances of IP addresses inside a packet.
–Use PAT-relevant instances of ports inside a packet.
–Inspect packets for signs of malicious application misuse.

fixup Command

Syntax (entered at the pixfirewall(config)# prompt):
fixup protocol ftp [strict] port [-port]
fixup protocol http port [-port]
fixup protocol h323 [h225 | ras] port [-port]
fixup protocol skinny port [-port]
fixup protocol rsh port [-port]
fixup protocol smtp port [-port]
fixup protocol rtsp port [-port]
fixup protocol sqlnet port [-port]
fixup protocol sip port [-port]
fixup protocol ils port [-port]
no fixup protocol protocol [port[-port]]
show fixup [protocol protocol]

Standard Mode FTP

Standard mode FTP uses two channels:
–Client-initiated command connection (TCP).
–Server-initiated data connection (TCP).

For outbound connections, the PIX Firewall handles standard mode FTP as follows:
–It opens a temporary inbound conduit for the data channel.

For inbound connections, the PIX Firewall handles standard mode FTP as follows:
–If outbound traffic is allowed, no special handling is required.
–If outbound traffic is not allowed, it opens a temporary outbound conduit for the data channel.

Diagram: the command connection runs from client port 2008 to server port 21; the client announces "Port 2010", the server answers "Port 2010 OK", and the server then opens the data connection from its port 20 to client port 2010.

Passive Mode FTP

Passive mode FTP uses two channels:
–Client-initiated command connection (TCP).
–Client-initiated data connection (TCP).

For outbound connections, the PIX Firewall handles passive mode FTP as follows:
–If outbound traffic is allowed, no special handling is required.
–If outbound traffic is not allowed, it opens an outbound port for the data channel.

For inbound connections, the PIX Firewall opens an inbound port for the data channel.

Diagram: the command connection runs from client port 2008 to server port 21; the client asks "Passive?", the server answers "Passive OK port 1490", and the client then opens the data connection from its port 2010 to server port 1490.

FTP Fix-Up Configuration

Defines ports for FTP connections (default = 21).
Performs NAT in packet payload.
Dynamically creates conduits for FTP-DATA connections.
Logs FTP commands (when Syslog is enabled).
When disabled:
–Outbound standard FTP will not work.
–Outbound passive FTP will work if not explicitly disallowed.
–Inbound standard FTP will work if conduit exists.
–Inbound passive FTP will not work.

Syntax:
pixfirewall(config)# fixup protocol ftp [strict] port [-port]

Examples:
pixfirewall(config)# fixup protocol ftp 2021
pixfirewall(config)# no fixup protocol ftp 21
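To make concrete what the FTP fixup's payload inspection has to do on the control channel (parse the embedded endpoint in PORT and 227 responses, rewrite the inside address for NAT, and derive the temporary conduit), here is an added Python illustration; it is not part of the Cisco course material or PIX code, and the NAT table, host addresses and sample lines are constructed for the example.

```python
import re

# Constructed NAT table for the example: inside (private) host -> global address.
NAT_TABLE = {"10.1.1.5": "192.168.1.2"}

# FTP embeds an endpoint as h1,h2,h3,h4,p1,p2 where the port is p1*256 + p2.
HOSTPORT = r"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})"
PORT_RE = re.compile(r"^PORT " + HOSTPORT + r"$", re.IGNORECASE)   # client -> server
PASV_RE = re.compile(r"^227 .*\(" + HOSTPORT + r"\)")               # server -> client

def decode_hostport(fields):
    """Convert the six FTP address fields to (ip, port); reject out-of-range fields."""
    nums = [int(f) for f in fields]
    if any(n > 255 for n in nums):
        raise ValueError(f"FTP address field out of range: {fields}")
    return ".".join(map(str, nums[:4])), nums[4] * 256 + nums[5]

def encode_hostport(ip, port):
    """Inverse of decode_hostport; used to rewrite the payload after NAT."""
    return ",".join(ip.split(".") + [str(port // 256), str(port % 256)])

def inspect_ftp_line(line):
    """Inspect one FTP control-channel line the way the fixup does.

    Returns (rewritten_line, pinhole). pinhole is (mode, ip, port) naming the
    data connection the firewall must temporarily permit, or None when the
    line carries no embedded endpoint.
    """
    text = line.rstrip("\r\n")
    m = PORT_RE.match(text)
    if m:
        # Standard mode: the client names its listening data port and the server
        # connects to it. The embedded inside address is replaced with its
        # NAT-translated address and an inbound pinhole is opened to that endpoint.
        ip, port = decode_hostport(m.groups())
        mapped = NAT_TABLE.get(ip, ip)
        return f"PORT {encode_hostport(mapped, port)}\r\n", ("standard", mapped, port)
    m = PASV_RE.match(text)
    if m:
        # Passive mode: the server names the data port and the client connects to
        # it, so the pinhole points at the server's (possibly translated) endpoint.
        ip, port = decode_hostport(m.groups())
        mapped = NAT_TABLE.get(ip, ip)
        rewritten = re.sub(HOSTPORT, encode_hostport(mapped, port), text, count=1)
        return rewritten + "\r\n", ("passive", mapped, port)
    return line, None
```

The PORT line below announces client data port 7*256+218 = 2010, and the 227 reply announces server port 5*256+210 = 1490, the same values as in the two diagrams above.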

Remote Shell

Remote shell uses two channels:
–Client-initiated command connection (TCP).
–Server-initiated standard error connection (TCP).

For outbound connections, the PIX Firewall opens an inbound port for standard error output.

For inbound connections, the PIX Firewall handles remote shell as follows:
–If outbound traffic is allowed, no special handling is required.
–If outbound traffic is not allowed, it opens the outbound port for standard error output.

Diagram: the client sends a connection request to the server naming port 2010; the server opens a separate connection back to client port 2010 for standard error output.

Rsh Fixup Configuration

Defines ports for rsh connections (default = 514).
Dynamically opens a port for rsh standard error connections.
If disabled:
–Outbound rsh will not work.
–Inbound rsh will work if conduit exists.

Syntax:
pixfirewall(config)# fixup protocol rsh port [-port]

Examples:
pixfirewall(config)# fixup protocol rsh 1540
pixfirewall(config)# no fixup protocol rsh

SQL*Net

Initially the client connects to a well-known port on the server. The server may assign another port or another host to serve the client.

For outbound connections, the PIX Firewall handles SQL*Net connections as follows:
–If outbound traffic is allowed, no special handling is required.
–If outbound traffic is not allowed, it opens an outbound port for a redirected channel.

For inbound connections, the PIX Firewall opens an inbound port for a redirected channel.

Diagram: TCP connection request from client to server; the server answers "Redirect Port = 1030"; the first connection is torn down and the client sends a new TCP connection request to the redirected port.

SQL*Net Fixup Configuration

Defines ports for SQL*Net connections (default = 1521):
–Performs NAT in packet payload.
–Dynamically opens a TCP port for the redirected client connection.
–Port 1521 is the default port used by Oracle; IANA-compliant applications use port 66.
If disabled:
–Outbound SQL*Net is allowed if not explicitly disallowed.
–Inbound SQL*Net is disallowed.

Syntax:
pixfirewall(config)# fixup protocol sqlnet port [-port]

Examples:
pixfirewall(config)# fixup protocol sqlnet 66
pixfirewall(config)# fixup protocol sqlnet
pixfirewall(config)# no fixup protocol sqlnet

SIP Fixup Configuration

Enables SIP.
Default port =
Enables the PIX Firewall to support any SIP VoIP gateways and VoIP proxies.
SIP is enabled on port

Syntax:
pixfirewall(config)# fixup protocol sip port [-port]

Example:
pixfirewall(config)# fixup protocol sip 5060

Skinny Fixup Configuration

Enables the SCCP (skinny) protocol.
Dynamically opens pinholes for media sessions and NAT-embedded IP addresses.
Supports IP telephony.
Can coexist in an H.323 environment.
Default port is
Skinny is enabled on port

Syntax:
pixfirewall(config)# fixup protocol skinny port [-port]

Example:
pixfirewall(config)# fixup protocol skinny 2000

Multimedia Support

Why Multimedia Is an Issue

Multimedia applications behave in unique ways:
–Use dynamic ports.
–Transmit a request using TCP and get responses in UDP or TCP.
–Use the same port for source and destination.

The PIX Firewall:
–Dynamically opens and closes conduits for secure multimedia connections.
–Supports multimedia with or without NAT.

Diagram: a TCP or UDP request goes out; additional UDP or TCP high ports may be opened for the responses.

Real-Time Streaming Protocol

Real-time audio and video delivery protocol; uses one TCP and two UDP channels.
Transport options:
–Real-Time Transport Protocol (RTP).
–Real Data Transport Protocol (RDT).
Sync or resend channel:
–Real-Time Control Protocol (RTCP).
–UDP resend.
RTSP-TCP-only mode does not require special handling by the PIX Firewall.
Supported applications:
–Cisco IP/TV.
–Apple QuickTime 4.
–RealNetworks: RealAudio, RealPlayer, RealServer.
RDT Multicast is not supported.

Standard RTP Mode

In standard RTP mode, RTSP uses the following three channels:
–Control connection (TCP).
–RTP data (simplex UDP).
–RTCP reports (duplex UDP).

For outbound connections, the PIX Firewall opens inbound ports for RTP data and RTCP reports.

For inbound connections, the PIX Firewall handles standard RTP mode as follows:
–If outbound traffic is allowed, no special handling is required.
–If outbound traffic is not allowed, it opens outbound ports for RTP and RTCP.

Diagram (client and server): TCP control connection carrying the SETUP exchange (transport = rtp/avp/udp, client_port = …, server_port = …); UDP RTP data; UDP RTCP reports.

RealNetworks RDT Mode

In RealNetworks RDT mode, RTSP uses the following three channels:
–Control connection (TCP).
–UDP data (simplex UDP).
–UDP resend (simplex UDP).

For outbound connections, the PIX Firewall handles RealNetworks RDT mode as follows:
–If outbound traffic is allowed, it opens an inbound port for UDP data.
–If outbound traffic is not allowed, it opens an inbound port for UDP data and an outbound port for UDP resend.

For inbound connections, the PIX Firewall handles RealNetworks RDT mode as follows:
–If outbound traffic is allowed, it opens an inbound port for UDP resend.
–If outbound traffic is not allowed, it opens an outbound port for UDP data and an inbound port for UDP resend.

Diagram (client and server): TCP control connection carrying the SETUP exchange (transport = x-real-rdt/udp, client_port = 3057, server_port = 5000); UDP data; UDP resend.

RTSP Fixup Configuration

Defines ports for RTSP connections:
–No RTSP fixup is enabled by default (RFC 2326 port is 554).
–RTSP dynamically opens UDP connections as required by the RTSP transport.
–PAT and dual NAT are not currently supported.
If disabled:
–UDP transport modes are disallowed.
–TCP transport modes are allowed (TCP connection rules apply).

Syntax:
pixfirewall(config)# fixup protocol rtsp port [-port]

Examples:
pixfirewall(config)# fixup protocol rtsp 554
pixfirewall(config)# no fixup protocol rtsp
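The RTSP fixup decides which UDP pinholes to open by reading the Transport parameters negotiated in SETUP, as the standard RTP mode and RDT mode slides above describe. The following Python is an added illustration of that decision for an outbound session (client inside, server outside); it is not Cisco course material or PIX code, and the header values are constructed, using the client_port/server_port numbers shown in the RDT diagram.

```python
def parse_transport(header_value):
    """Split an RTSP Transport header value into (profile, parameters).

    'RTP/AVP/UDP;unicast;client_port=3056-3057'
        -> ('rtp/avp/udp', {'unicast': '', 'client_port': '3056-3057'})
    """
    parts = [p.strip() for p in header_value.split(";")]
    params = {}
    for p in parts[1:]:
        key, _, value = p.partition("=")
        params[key.lower()] = value
    return parts[0].lower(), params

def port_range(value):
    """'3056-3057' -> (3056, 3057); a single port '3057' -> (3057, 3057)."""
    lo, _, hi = value.partition("-")
    lo, hi = int(lo), (int(hi) if hi else int(lo))
    if not 0 < lo <= hi <= 65535:
        raise ValueError(f"invalid UDP port range {value!r}")
    return lo, hi

def rtsp_pinholes(client_transport, server_transport, outbound_allowed):
    """UDP pinholes the firewall must open for an outbound RTSP session
    (client inside, server outside), as (channel, direction, port) tuples."""
    profile, cparams = parse_transport(client_transport)
    _, sparams = parse_transport(server_transport)
    holes = []
    if profile == "rtp/avp/udp":
        # Standard RTP mode: inbound ports for RTP data and RTCP reports,
        # taken from the client_port pair the client offered in SETUP.
        rtp, rtcp = port_range(cparams["client_port"])
        holes += [("rtp data", "inbound", rtp), ("rtcp reports", "inbound", rtcp)]
    elif profile == "x-real-rdt/udp":
        # RealNetworks RDT mode: inbound port for UDP data; if outbound traffic is
        # not otherwise allowed, also an outbound port for the UDP resend channel.
        data, _ = port_range(cparams["client_port"])
        holes.append(("udp data", "inbound", data))
        if not outbound_allowed:
            resend, _ = port_range(sparams["server_port"])
            holes.append(("udp resend", "outbound", resend))
    # Any other transport (e.g. RTP/AVP/TCP interleaved) rides on the TCP
    # control connection and needs no pinholes (RTSP-TCP-only mode).
    return holes
```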

H.323

Real-time multimedia communications delivery specification; uses two TCP and several UDP sessions for a single call.
H.323 protocols and standards:
–H.225 Registration, Admission, and Status (RAS).
–H.225 Call Signaling.
–H.245 Control Signaling.
–TPKT Header.
–Q.931 Messages.
–Abstract Syntax Notation (ASN.1) (PIX Firewall 5.2).
Supported H.323 versions:
–H.323 v1.
–H.323 v2 (software versions 5.2 and higher).
Supported applications:
–Cisco Multimedia Conference Manager.
–Microsoft NetMeeting.
–Intel Video Phone.
–CUseeMe Networks: MeetingPoint, CUseeMe Pro.
–VocalTec: Internet Phone, Gatekeeper.

Configuring H.323 Fixup

Defines ports for H.323 connections (default = 1720).
Performs NAT in H.323 messages as required.
Dynamically opens TCP and UDP connections as required.
Supports PAT.
If disabled, H.323 applications are disallowed.

Syntax:
pixfirewall(config)# fixup protocol h323 [h225 | ras] port [-port]

Examples:
pixfirewall(config)# fixup protocol h
pixfirewall(config)# fixup protocol h
pixfirewall(config)# no fixup protocol h323

Cisco IP Phones and the PIX Firewall's DHCP Server

Cisco IP phones:
–Download their configurations from a TFTP server.
–Request an IP address and the IP address of a TFTP server from a DHCP server.

The PIX Firewall:
–Supports DHCP option 150 for providing the IP addresses of a list of TFTP servers.
–Supports DHCP option 66 for providing the IP address of a single TFTP server.

Summary

The fixup command enables you to view, change, enable, or disable the use of a service or protocol.
The PIX Firewall uses special handling for the following advanced protocols: FTP, rsh, and SQL*Net.
The PIX Firewall handles the following multimedia protocols: RTSP and H.323.
The PIX Firewall's SIP fixup supports call handling sessions.
The PIX Firewall's skinny fixup supports VoIP call signaling.
You can change the port value for each protocol, including the multimedia protocols; however, you should not change the port values for rsh and SIP.