
SCHOOL OF ELECTRICAL & ELECTRONICS ENGINEERING SPECIALIST DIPLOMA IN NETWORK SECURITY

Firewalls & Intrusion Prevention

Configuring & Managing Cisco PIX 515E Firewalls

Submitted by: Thirukkumaran Thiruchelvam (P0871031), Christopher Ravi (P0871015), Carol Sarmiento (P0870928)

2008/2009

Project Supervisor: Mr. Rodney Dorville

Introduction
This assignment covers the configuration, management and troubleshooting of Cisco PIX 515E firewalls running PIX operating system version 7.0. Most of the configuration was done with ASDM (Adaptive Security Device Manager), which exposes nearly all of the functionality available from the PIX CLI (command-line interface). ASDM is a Java-based GUI for managing the PIX. It is a software image stored in the firewall's flash memory and is served to the administrator's browser over an SSL-encrypted HTTPS session.

The PIX command line has four administrative access modes: unprivileged mode, privileged mode, configuration mode and monitor mode. Seven basic commands are used to configure a PIX: nameif, interface, ip address, security-level, nat, global and route. The main features of the Cisco PIX 515E are:

- The PIX is a stateful inspection firewall that uses the Adaptive Security Algorithm (ASA).
- It runs a custom embedded operating system held in the system flash memory, which has been tested for both ICSA and ISO compliance.
- By default traffic may flow from a higher security level to a lower one: traffic leaves the inside network (level 100) for the outside network (level 0) without restriction, while connections initiated on the outside interface (level 0) toward the inside are denied unless an access list, and where NAT is in use a matching static translation, explicitly permit them.
- It offers both Network Address Translation (NAT) and Port Address Translation (PAT).
- Cisco offers PIX models with and without a DMZ port. The PIX 515 and higher models support two or more interfaces; enterprise models such as the 535 support up to 10.
- With the 7.0 code the CLI closely resembles Cisco IOS, so router skills transfer readily.
- It offers virtual firewalls (security contexts) as well as a transparent, Layer 2 firewall mode.
- It offers IPv6 support.
- It offers Active/Active failover, in which both units pass traffic while guarding against the failure of either.
- It supports the OSPF routing protocol over VPN connections.

Methods and Approaches


Password Recovery Procedures
Password recovery was the first step, since we were not given the existing password of the PIX. In summary: port Eth1 of the PIX is connected to the PC's network port with a crossover cable, and a TFTP server running on a Windows 2000 server serves the np70.bin file (Cisco's password lockout utility for PIX 7.0).

The PIX is powered on and Esc is pressed within the first 10 seconds of boot to enter monitor mode. The following commands then erase the existing passwords:

    monitor> interface e1
    monitor> address 10.10.10.4
    monitor> server 10.10.10.2
    monitor> file np70.bin
    monitor> ping 10.10.10.2
    Sending 5, 100byte 0xf8d3 ICMP Echoes to 10.10.10.2, timeout is 4 seconds:
    !!!!!
    Success rate is 100 percent (5/5)
    monitor> tftp
    Do you wish to erase the passwords? [yn] y
    Passwords have been erased.
    Rebooting....

Note that this needs nothing more than console access and a reboot, so the console port of a production firewall must be physically protected. The 7.x software has a service password-recovery command; no service password-recovery disables the procedure, at the cost of having to erase the whole configuration to regain access if the password is lost.

Launching ASDM Window


To use ASDM, the HTTPS server on the security appliance must be enabled and the management host must be listed as permitted. The following commands were entered at the console before launching ASDM (after write erase and a reload the prompt reverts to the default hostname pixfirewall):

    pix11(config)# write erase
    pixfirewall> en
    Password:
    pixfirewall# conf t
    pixfirewall(config)# hostname pix11
    pix11(config)# inte e1
    pix11(config-if)# ip address 10.10.10.1 255.255.255.0
    pix11(config-if)# nameif inside
    INFO: Security level for "inside" set to 100 by default.
    pix11(config-if)# no shut
    pix11(config-if)# exit
    pix11(config)# ping 10.10.10.254
    Type escape sequence to abort.
    Sending 5, 100-byte ICMP Echos to 10.10.10.254, timeout is 2 seconds:
    Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms
    pix11(config)# ping 10.10.10.2
    pix11(config)# ping 10.10.10.253
    pix11(config)# ping 10.10.10.10
    pix11(config)# asdm image asdm-523.bin
    pix11(config)# http server enable
    pix11(config)# http 10.10.10.254 255.255.255.255 inside
    pix11(config)# write mem
    Building configuration...
    Cryptochecksum: aec65b3c cc97c458 70c1612c 9ecaf5b1
    1683 bytes copied in 0.310 secs
    [OK]
    pix11(config)#

The line http 10.10.10.254 255.255.255.255 inside is deliberately narrow: it allows ASDM/HTTPS connections from a single management host (10.10.10.254) and only on the inside interface. Permitting a whole subnet (for example 10.10.10.0 255.255.255.0) would let every inside host attempt the ASDM login, so the host-specific mask is the right shape for a management access list.

Configuring PIX using ASDM Window


Note: the configuration diagrams and the checklist for this setup, which were provided by the lecturer, are reproduced in Appendix I and Appendix II at the end of this report.

The ASDM Startup Wizard outside Interface Configuration Screen

From the Outside Interface Configuration window we select the speed of the outside interface and how it is addressed: a static address, automatic configuration via PPPoE, or DHCP to obtain the outside address automatically.

The ASDM Start-up Wizard Other Interfaces Configuration Screen


Network Address Translation and Port Address Translation (NAT/PAT)

The ASDM Start-up Wizard Address Translation (NAT/PAT) Screen

In static NAT a permanent one-to-one mapping is established between an inside local address and an inside global address. This is useful when a small number of inside hosts need Internet access and enough globally unique addresses are available to translate to. When the NAT router or firewall receives a packet from an inside host, it looks for a matching source address in its static NAT table; if there is one, it replaces the local source address with the global address and forwards the packet. Replies from the outside host are translated in reverse and routed onto the inside network. Static translation is also what makes outside-initiated communication to an inside host possible, because the global address is always bound to the same inside host. The figure below shows an example of static NAT: each local inside address (192.168.0.10, 192.168.0.11 and 192.168.0.12) has a matching global inside address (10.0.1.10, 10.0.1.11 and 10.0.1.12 respectively). For such outside-initiated traffic it is the destination address (not the source) that is translated. On the PIX a static mapping alone does not admit the connection: an access list applied to the outside interface must still permit it.

When dynamic NAT is configured, a pool of inside global addresses is defined for outbound translation. When the NAT router or firewall receives a packet from an inside host, it takes the next available address from that pool and replaces the source address in the IP header. Dynamic NAT differs from static NAT in that the mapping is not fixed: it can change from one conversation to the next between the same two endpoints. The figure below shows how dynamic translation might work. The global address pool is 10.0.1.10 through 10.0.1.12 with a 24-bit subnet mask (255.255.255.0). The local address 192.168.0.10 is mapped to the first address in the pool (10.0.1.10). The next system needing access (local address 192.168.0.12 in this case) is mapped to the next available global address, 10.0.1.11. The local host 192.168.0.11 never initiated a connection to the Internet, so no dynamic translation entry was ever created for it, and consequently nothing from outside can reach it.

When more internal hosts initiate sessions than there are global addresses in the pool, a configurable NAT feature known as overloading, also called Port Address Translation (PAT), handles the overflow. Multiple inside hosts may then share the same global source address, so the NAT/PAT device needs a way to know which local address to send replies back to. It uses unique source port numbers as the tracking mechanism, which may involve rewriting the source port in the packet header. TCP and UDP encode port numbers in 16 bits, which allows 65,536 distinct services or sources to be identified (for each of TCP and UDP). When translating, PAT tries to keep the original source port if it is not already in use on that global address; if it is, the next available port number from the appropriate group is used. Once the available port numbers are exhausted, the process starts again with the next available IP address from the pool. The translation table is therefore also connection state: a reply that matches no (global address, port) entry is dropped. ICMP has no ports and is not tracked this way unless ICMP inspection is enabled, which is why the lecturer's checklist notes that ping fails through PAT until fixup protocol icmp or an access list permitting echo replies is added.
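The three translation behaviours just described, static NAT, dynamic NAT from a pool, and PAT overload with source-port rewriting, written out as a small Python model so the table lookups can be traced. This is an added example and not code from this report or from Cisco: the class PixNat and its method names are made up for illustration, the addresses in demo() are the ones from the figures above, and the PAT port range is deliberately shrunk so that exhaustion and roll-over to the next global address are visible.

```python
"""Toy model of PIX address translation as described above: static NAT, dynamic NAT
from a global pool, and PAT (overload) with source-port rewriting.

Added example, not code from the report or from Cisco.  The class and method
names are made up for illustration; addresses in demo() are the ones used in
the text's figures and the PAT port range is shrunk so exhaustion is visible.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

Endpoint = Tuple[str, int]  # (ip, port)


@dataclass
class PixNat:
    static: Dict[str, str] = field(default_factory=dict)       # local -> global, permanent one-to-one
    pool: List[str] = field(default_factory=list)               # dynamic NAT global pool
    pat_addresses: List[str] = field(default_factory=list)      # PAT (overload) global addresses
    pat_ports: range = range(1024, 65536)                       # one group here; a real PIX keeps 1-511, 512-1023, 1024+ apart
    dynamic: Dict[str, str] = field(default_factory=dict)       # local ip -> pool address (xlate)
    pat_table: Dict[Endpoint, Endpoint] = field(default_factory=dict)  # (local ip, port) -> (global ip, port)
    _ports_in_use: Dict[str, Set[int]] = field(default_factory=dict)

    def translate_outbound(self, local_ip: str, local_port: int) -> Endpoint:
        """Source address (and possibly port) to put on a packet leaving inside -> outside."""
        # 1. Static: permanent one-to-one mapping, port untouched.
        if local_ip in self.static:
            return self.static[local_ip], local_port
        # 2. Dynamic NAT: reuse this host's xlate, otherwise take the next free pool address.
        if local_ip in self.dynamic:
            return self.dynamic[local_ip], local_port
        for g in self.pool:
            if g not in self.dynamic.values():
                self.dynamic[local_ip] = g
                return g, local_port
        # 3. PAT overload: many hosts share one global address, told apart by source port.
        key = (local_ip, local_port)
        if key in self.pat_table:
            return self.pat_table[key]
        for g in self.pat_addresses:
            in_use = self._ports_in_use.setdefault(g, set())
            if local_port in self.pat_ports and local_port not in in_use:
                port: Optional[int] = local_port          # keep the original port when it is free
            else:
                port = next((p for p in self.pat_ports if p not in in_use), None)
            if port is None:
                continue                                  # this address is exhausted, try the next one
            in_use.add(port)
            self.pat_table[key] = (g, port)
            return g, port
        raise RuntimeError("no translation available: pool and PAT ports exhausted")

    def translate_inbound(self, global_ip: str, global_port: int) -> Optional[Endpoint]:
        """Reverse lookup for replies, and for outside-initiated traffic to a static host.
        Returns None when no xlate exists, which is why an unsolicited packet aimed at a
        dynamic or PAT address has nowhere to go."""
        for local, g in self.static.items():
            if g == global_ip:
                return local, global_port
        for local, g in self.dynamic.items():
            if g == global_ip:
                return local, global_port
        for local_ep, global_ep in self.pat_table.items():
            if global_ep == (global_ip, global_port):
                return local_ep
        return None


def demo() -> dict:
    """Replays the text's static, dynamic and PAT scenarios and returns what each produced."""
    static = PixNat(static={"192.168.0.10": "10.0.1.10", "192.168.0.11": "10.0.1.11",
                            "192.168.0.12": "10.0.1.12"})
    dynamic = PixNat(pool=["10.0.1.10", "10.0.1.11", "10.0.1.12"])
    dynamic.translate_outbound("192.168.0.10", 40000)
    dynamic.translate_outbound("192.168.0.12", 40001)   # .11 never talks, so it never gets an xlate
    pat = PixNat(pat_addresses=["10.0.1.20", "10.0.1.21"], pat_ports=range(1024, 1026))
    pat_results = [pat.translate_outbound(h, 1024) for h in ("192.168.0.10", "192.168.0.11", "192.168.0.12")]
    return {
        "static_inbound": static.translate_inbound("10.0.1.11", 80),    # outside-initiated, works
        "dynamic_xlates": dict(dynamic.dynamic),
        "dynamic_unsolicited": dynamic.translate_inbound("10.0.1.12", 80),  # no xlate -> None
        "pat": pat_results,
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```

In the PAT run all three hosts use source port 1024: the first keeps it, the second is rewritten to 1025 because 1024 is taken on 10.0.1.20, and the third rolls over to 10.0.1.21 because the (shrunk) port range on the first address is exhausted, which is exactly the sequence the text describes.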

The ASDM Start-up Wizard Administrative Access Screen

From this window, we can configure which addresses are allowed to access the PIX using the various access modes, including ASDM/HTTPS, SSH, or Telnet. This window also provides the options of enabling the HTTP server for ASDM access and enabling ASDM history metrics.

The ASDM Home Screen

The ASDM Configuration-Interfaces Window

The ASDM Configuration-Security Policy Window

The ASDM Configuration-NAT Window for Static NAT Rule


The ASDM Configuration-NAT Window for Dynamic NAT Rule

The ASDM Configuration-Routing Window of Static Routes


The ASDM Configuration-Properties Window for Syslog Server Setup

The ASDM Configuration-Properties Window for Logging Setup


The ASDM Configuration-Properties Window for Logging Filters Setup

Screen Capture of Syslog Server


Accessing the Cisco PIX from another Server using PuTTY

Accessing Web Server from External Network


Accessing Cisco PIX Firewall using Telnet & SSH

Telnet
The command telnet 192.168.1.0 255.255.255.0 inside permits Telnet connections from the 192.168.1.0/24 network arriving on the inside interface. Telnet is one of the most common ways to reach a network device, and the PIX accepts it on inside (higher-security) interfaces once such a line exists; on the outside interface it is accepted only inside an IPsec tunnel, because the Telnet session itself is unencrypted. Telnet is strongly discouraged in favour of SSH, which is encrypted. The default port for Telnet is TCP 23. The default Telnet password on the PIX is cisco, so it must be changed with the passwd command before the service is enabled.

SSH
The following commands were issued from the CLI to set up SSH with authentication against a RADIUS server (abbreviated commands and ? help requests are shown as they were typed):

    pixfirewall(config)# aaa-server RADIUS pro
    pixfirewall(config)# aaa-server RADIUS protocol radius
    pixfirewall(config-aaa-server-group)# ?
    pixfirewall(config-aaa-server-group)# max-failed-attempts 3
    pixfirewall(config-aaa-server-group)# exit
    pixfirewall(config)# aaa-server RADIUS host 192.168.1.2
    pixfirewall(config-aaa-server-host)# ?
    pixfirewall(config-aaa-server-host)# key WinRadius
    pixfirewall(config-aaa-server-host)# authen
    pixfirewall(config-aaa-server-host)# authentication-port 1812
    pixfirewall(config-aaa-server-host)# acc
    pixfirewall(config-aaa-server-host)# accou
    pixfirewall(config-aaa-server-host)# accounting-port 1813
    pixfirewall(config-aaa-server-host)# exit
    pixfirewall(config)# aaa authentication ssh console ?
    pixfirewall(config)# aaa authentication ssh console RADIUS LOCAL
    pixfirewall(config)# aaa authentication enable console RADIUS LOCAL
    pixfirewall(config)# exit
    pixfirewall# exit

On the Linux machine:

    user@DET-T933-d1a1ee:~$ ssh -c des user1@192.168.1.1

Three points for anyone reproducing this. The transcript does not show two prerequisites for SSH on the PIX: an RSA host key (crypto key generate rsa) and an ssh <address> <mask> <interface> line naming the hosts allowed to connect, the SSH counterpart of the telnet command above. The order RADIUS LOCAL in aaa authentication ssh console RADIUS LOCAL means the local user database is consulted only when the RADIUS server does not respond, not when it rejects the credentials. Finally, -c des forces single DES (56-bit), which is only necessary on a unit without the 3DES/AES activation key; where that key is present, 3des or aes with ssh version 2 should be used, and the shared secret (key WinRadius here) should be a long random string rather than the product name, because anyone who can capture the RADIUS exchange on the inside network and knows the secret can recover the administrator's password.

Secure Shell (SSH) is the preferred method of connecting to the Cisco PIX firewall over a network. SSH is a suite of encrypted applications that replaces Telnet, rcp and FTP with ssh, scp and sftp. SSH uses TCP port 22 and is not enabled on the PIX by default.
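What the shared secret from the aaa-server host configuration above actually does on the wire, as an added example that is not code from this report or from Cisco: the RADIUS Access-Request and Access-Accept exchange of RFC 2865 built and checked in Python. It shows that the secret only XOR-masks the User-Password with MD5 keystream and keys the Response Authenticator, so a guessable secret such as WinRadius lets a sniffer on the inside network recover the SSH password and an attacker forge an Access-Accept. The user name, password, NAS address and fixed authenticator in the demo are constructed test values, and the request is assumed to carry a PAP-style User-Password attribute.

```python
"""RADIUS Access-Request/Access-Accept as exchanged between the PIX and the
server configured above (RFC 2865).  Added example, not code from the report
or from Cisco: it shows what the shared secret (the "key" in the aaa-server
host configuration) actually does on the wire.  The user name, password, NAS
address and fixed authenticator used in the demo are constructed test values,
and the request is assumed to carry a PAP-style User-Password attribute.
"""
import hashlib
import hmac
import os
import struct
from typing import Dict, Optional, Tuple

ACCESS_REQUEST, ACCESS_ACCEPT = 1, 2
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS = 1, 2, 4


def hide_password(secret: bytes, authenticator: bytes, password: bytes) -> bytes:
    """RFC 2865 5.2: pad to 16-byte blocks, XOR each with MD5(secret + previous block),
    the first "previous block" being the Request Authenticator."""
    if not 1 <= len(password) <= 128:
        raise ValueError("User-Password must be 1..128 bytes")
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        mask = hashlib.md5(secret + prev).digest()
        prev = bytes(x ^ y for x, y in zip(padded[i:i + 16], mask))
        out += prev
    return out


def reveal_password(secret: bytes, authenticator: bytes, hidden: bytes) -> bytes:
    """Inverse of hide_password.  Nothing but the secret and the (cleartext)
    authenticator is needed, so a sniffer who knows the secret gets the password."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        mask = hashlib.md5(secret + prev).digest()
        block = hidden[i:i + 16]
        out += bytes(x ^ y for x, y in zip(block, mask))
        prev = block
    return out.rstrip(b"\x00")          # strips padding; passwords ending in NUL are not representable


def attribute(atype: int, value: bytes) -> bytes:
    """Type-Length-Value encoding; Length counts the two header bytes."""
    return struct.pack("!BB", atype, len(value) + 2) + value


def build_access_request(secret: bytes, ident: int, user: str, password: str,
                         nas_ip: str, authenticator: Optional[bytes] = None) -> bytes:
    """The UDP payload the PIX sends to authentication-port 1812."""
    authenticator = authenticator or os.urandom(16)        # Request Authenticator: 16 random bytes
    attrs = (attribute(USER_NAME, user.encode())
             + attribute(USER_PASSWORD, hide_password(secret, authenticator, password.encode()))
             + attribute(NAS_IP_ADDRESS, bytes(int(o) for o in nas_ip.split("."))))
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + authenticator + attrs


def parse_attributes(raw: bytes) -> Dict[int, bytes]:
    attrs, i = {}, 0
    while i < len(raw):
        atype, alen = raw[i], raw[i + 1]
        if alen < 2 or i + alen > len(raw):
            raise ValueError("malformed attribute")
        attrs[atype] = raw[i + 2:i + alen]
        i += alen
    return attrs


def server_credentials(secret: bytes, packet: bytes) -> Tuple[str, str]:
    """What the RADIUS server (or anyone else holding the secret) recovers from a request."""
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if code != ACCESS_REQUEST or length != len(packet):
        raise ValueError("not a well-formed Access-Request")
    attrs = parse_attributes(packet[20:length])
    password = reveal_password(secret, packet[4:20], attrs[USER_PASSWORD])
    return attrs[USER_NAME].decode(), password.decode()


def build_access_accept(secret: bytes, request: bytes) -> bytes:
    """RFC 2865 3: Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    header = struct.pack("!BBH", ACCESS_ACCEPT, request[1], 20)     # no attributes in this reply
    return header + hashlib.md5(header + request[4:20] + secret).digest()


def verify_access_accept(secret: bytes, request: bytes, reply: bytes) -> bool:
    """Client-side check: the reply must carry the request's ID and a Response
    Authenticator computed over *this* request with the shared secret."""
    code, ident, length = struct.unpack("!BBH", reply[:4])
    if ident != request[1] or length != len(reply):
        return False
    expected = hashlib.md5(reply[:4] + request[4:20] + reply[20:length] + secret).digest()
    return hmac.compare_digest(expected, reply[4:20])


if __name__ == "__main__":
    secret = b"WinRadius"                                   # the key from the transcript above
    req = build_access_request(secret, 7, "user1", "s3cret", "192.168.1.1")
    print("server sees:", server_credentials(secret, req))
    rep = build_access_accept(secret, req)
    print("reply verifies with right secret:", verify_access_accept(secret, req, rep))
    print("reply verifies with wrong secret:", verify_access_accept(b"guess", req, rep))
```

Because the authenticator travels in the clear and MD5 is fast, the only thing standing between a captured request and the admin password is the entropy of the secret; a 16-byte Response Authenticator likewise only proves the sender knew that secret. A long random key, and keeping the RADIUS server on a management segment that ordinary inside hosts cannot sniff, are the controls that matter.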


The ASDM AAA Server Groups Configuration Screen

The AAA Setup menu item facilitates the configuration of Cisco authentication, authorization, and accounting variables through the AAA Server Groups, AAA Servers, and Auth. Prompt subcategories. Three AAA server groups are predefined and visible from the AAA Server Groups subcategory: TACACS+, RADIUS, and LOCAL. These default groups can be used, or we can add new groups by clicking Add. New groups can be either RADIUS or TACACS+ based.

The ASDM AAA Servers Configuration Screen


This window lists the AAA servers defined on the PIX. To add one, click Add and specify the server group it belongs to, the PIX interface through which it is reached, its IP address, the timeout (in seconds) and the protocol-specific (TACACS+ or RADIUS) parameters such as the shared key and ports.

The ASDM Auth Prompt Configuration Screen


Conclusion
Despite some difficulties in configuring and troubleshooting the PIX firewall during the lab sessions of this module and this assignment, we were able to overcome them, and all the systems including the PIX firewall were up and running. The following points were learnt during this module and assignment:

- Firewalls are most often placed between an organization's internal network and the Internet, although they are increasingly used within the internal LAN to separate different zones of trust.
- There are two fundamental approaches to firewall design: packet filters and application proxies. Many packet filters keep track of active connections (statefulness) and in general offer much faster performance and the most flexibility. Application proxies are considered more secure but require a proxy agent for each application passing through the firewall.
- The Cisco PIX is a stateful inspection firewall that uses the Adaptive Security Algorithm (ASA). By default traffic may flow from a higher security level to a lower one, so traffic leaves the inside network (level 100) for the outside network (level 0) without restriction, while connections from a lower security-level interface to a higher one are denied unless explicitly permitted.
- The PIX offers both Network Address Translation (NAT) and Port Address Translation (PAT). Cisco offers PIX models with and without a DMZ port.
- Port redirection is a good option for small businesses that cannot afford large IP address ranges.
- The PIX monitors various aspects of ICMP, TCP and UDP connections to provide security features that go beyond simple access control.
- The PIX can act as both a DHCP server and a DHCP client. Its DHCP features are best suited to small networks because of their limitations; for example, a DHCP server can support a maximum of 256 clients.
- AAA is an architectural framework composed of three independent but related functions: authentication, authorization and accounting. Implementing AAA brings scalability, increased flexibility and control, standardized protocols and methods, and redundancy.
- Console authentication authenticates users attempting to access the PIX itself and can use the LOCAL, TACACS+ or RADIUS databases. For local console authentication, users are defined on the PIX with the username command. For TACACS+ or RADIUS console authentication, the PIX must be defined as an AAA client on the server and the user accounts created there.
- Syslog on the PIX sends logging messages to a remote server over either UDP or TCP.
- Telnet is an insecure protocol that sends information across the network in clear text, so SSH is recommended for remote management of the PIX.
- The show interface command provides useful statistics about the network interfaces, which give clues about network malfunctions.




APPENDIX I PIX Configuration Diagram (1 of 4)


PIX Configuration Diagram (2 of 4)


PIX Configuration Diagram (3 of 4)


PIX Configuration Diagram (4 of 4)


APPENDIX II PIX Checklist

1. Physical connection (PIX is DCE, PC is DCE, Switch is DTE), choose the correct cables. E0 = outside, E1 = inside, Console cable
2. Establish console connection to the PIX
   a. ensure empty configuration (write erase)
   b. configure inside interface (nameif, ip address, no shutdown)
   c. point to asdm image (asdm image asdm5-32.bin)
   d. enable http server (http server enable, http <ip-address> <mask> inside)
3. Setup host system IP. Make sure VMs are on the same network. Use browser to connect to PIX (https://<pix-ip>/admin). Bring up ASDM
4. Configure interfaces on the PIX, bring up all interfaces
5. Establish default outside gateway for the PIX, this is the route for all OUTgoing packets. Use PIX to ping default gateways, internal PCs and outside points
6. Setup NAT/PAT for the PIX. This is known as dynamic NAT or PAT. Map all inside addresses to the outside address. Test connectivity (you cannot use PING - why?), what can you use?
7. Allow PINGs to happen, either pix config#> fixup protocol icmp or create security access list to allow incoming ICMP-replies; see Syslog for hints on echo-replies. Test connectivity using inside PCs using PING
8. Setup Syslog server on inside, configure PIX to point to syslog server, log all notifications
9. Setup TFTP server on inside, save your configurations
10. Setup DNS server, you may need to "share" the i386 directory to make it visible to internal VMs; use the forwarder 39.9.33.2 to handle all forwards. Give your zone a name e.g. pbil0N.lab, create A-records and C-names, make sure everyone knows each other by name
11. Setup DHCP server, take control of the range 10-49. Include the gateway, the dns and other information. Test with another PC. For linux, on the command-line type sudo dhclient -1. For windows, on the command-line type ipconfig /release, ipconfig /renew
12. Setup HTTP Server on a VM.
