© 2000, Cisco Systems, Inc. CSPFF Chapter 10 Cisco Secure PIX Firewall Advanced Features

© 2000, Cisco Systems, Inc. CSPFF Objectives Upon completion of this chapter, you will be able to complete the following task: Explain the DNS Guard. Name the SMTP commands allowed by Mail Guard. Describe the importance of failover.

© 2000, Cisco Systems, Inc. CSPFF Advanced Features

© 2000, Cisco Systems, Inc. CSPFF Private NetworkPublic Network PIX Firewall PIX FW opens dynamic conduit to allow UDP packets to return from port 53 to port UDP timer expires 10:02:00 PIX FW allows return packet to pass. Time: 10:00:30. PIX FW recognizes packet as the response packet for the above outgoing request, thus closes the dynamic conduit even though the timer has not expired. PIX Firewall PIX FW opens dynamic conduit to allow UDP packets to return from port 53 to port UDP timer expires 10:02:00 PIX FW allows return packet to pass. Time: 10:00:30. PIX FW recognizes packet as the response packet for the above outgoing request, thus closes the dynamic conduit even though the timer has not expired. Source Port Destination Addr Source Addr Destination Port DNS Guard 53 DNS Request at 10:00:00 am

© 2000, Cisco Systems, Inc. CSPFF PIX Mail Guard Implementation Cisco PIX Firewall Private clients Private Networks DMZ Public Internet Perimeter router First Tier Second Tier Private servers Internal DNS, Mail gateways, etc. Mail Guard Removes cost of external mail relay host Allows connection to internal mail host via TCP port 25 only

© 2000, Cisco Systems, Inc. CSPFF pixfirewall# outbound 1 deny java pixfirewall# apply (inside) 1 outgoing_src pixfirewall# outbound 1 deny java pixfirewall# apply (inside) 1 outgoing_src Java Applet Filtering Some Java applets can contain malicious code that can manipulate data on the internal network. Use the outbound and apply commands to block Java applets. outbound list_ID permit|deny ip_address [netmask [java|port[-port]]] [protocol] pixfirewall#

© 2000, Cisco Systems, Inc. CSPFF ActiveX Blocking TACACS+ Server RADIUS Server UNIX DB Gateway ExecutiveEngineeringMarketing Internet DMZ pixfirewall(config)# filter activex Specifies that the ActiveX blocking applies to Web traffic on port 80 from any local host and for connections to any foreign host

© 2000, Cisco Systems, Inc. CSPFF TCP syn (D= S= ) Flood Defender static (dmz,outside) TCP syn (D= S= ) TCP syn (D= S= ) TCP syn (D= S= )

© 2000, Cisco Systems, Inc. CSPFF WebSense Server Local WebSense server nightly downloads the latest list Local WebSense server nightly downloads the latest list WebSense OpenServer 3.0 User wants to go to Deny access Internet URL Filtering Prohibited website pixfirewall(config)# url-server (dmz) host timeout 10 pixfirewall(config)# filter url http allow pixfirewall(config)# url-server (dmz) host timeout 10 pixfirewall(config)# filter url http allow

© 2000, Cisco Systems, Inc. CSPFF Internet DMZ Failover Connector Stateful Failover Eliminates single point of failure Maximizes reliability of network Transparent to users behind firewall

© 2000, Cisco Systems, Inc. CSPFF Additional UDP or TCP high ports are open UDP or TCP Request H.323 Support No special port or protocol setup/configuration required on the client No proxy settings are required at the PIX Firewall; no retransmission overhead No limit to data stream port count; highest throughput, no bottleneck at firewall

© 2000, Cisco Systems, Inc. CSPFF Summary

© 2000, Cisco Systems, Inc. CSPFF Summary The following are advanced features of the PIX Firewall: –Mail Guard –DNS Guard –Active X filters –URL filters –Stateful failover

© 2000, Cisco Systems, Inc. CSPFF Review Questions

© 2000, Cisco Systems, Inc. CSPFF Review Questions Q1) Explain the DNS Guard. Q2) What SMTP commands are allowed in by Mail Guard? Q3) Why is failover important? Q4) Why are H.323 and other multimedia applications difficult to secure?