Publication
Featured research published by Brian Browne.
Cisco PIX Firewalls: Configure, Manage, & Troubleshoot | 2005
Thorsten Behrens; Brian Browne; Ido Dubrawsky; Daniel Kligerman; Michael Sweeney; Charles Riley; Umer Khan
ASDM (Adaptive Security Device Manager) is a highly capable graphical interface for managing the PIX firewall. In addition to providing nearly all CLI functionality, ASDM includes several features that simplify the ongoing maintenance and operations tasks firewall administrators and security policymakers perform. Because ASDM is Java based and runs as a signed applet over an SSL-encrypted browser session, administrators can use it from any client the PIX has been configured to allow; the PIX itself restricts which source addresses may open that HTTPS session. This remote management capability is highly valuable in large, distributed environments. Among ASDM's many functions, perhaps the most powerful are its wizards, including the Startup Wizard and the VPN Wizard, which guide administrators through interactive prompts in the often complex process of building PIX configurations and VPN tunnel services. Beyond the wizards, ASDM supports full configuration of PIX access rules, AAA, filtering, NAT rules, logging, user accounts, and IDS settings, including the management of complex grouped services and network objects. The ASDM GUI is intuitive and well organized and helps prevent accidental syntax and configuration errors that could cause the firewall to fail. Moreover, ASDM can serve as a CLI learning tool for administrators who are not fully proficient with the PIX command line, because it previews every command before sending it to the PIX. ASDM is a handy and powerful tool for firewall administrators.
Cisco PIX Firewalls: Configure, Manage, & Troubleshoot | 2005
Thorsten Behrens; Brian Browne; Ido Dubrawsky; Daniel Kligerman; Michael Sweeney; Charles Riley; Umer Khan
When configuring the PIX for logging, one can choose from a variety of logging destinations: the internal buffer, the console, Telnet/SSH sessions, syslog servers, or SNMP traps. A message severity level can be selected per destination, from level 0 (emergencies) through level 7 (debugging), based on need. Aside from selecting the severity level, one can choose from several syslog facility codes to direct the flow of syslog messages on the receiving server. One can specify that all syslog messages be logged, or filter out individual message IDs so they are not sent. This is very useful when troubleshooting a network issue in debug mode, where the normal message flow would be overwhelming. The Cisco PIX firewall can be managed through its console port, although usually it is managed by remote access. The PIX can act only as a server for SSH and Telnet, not as a client. An important point to remember about the PIX and SSH is to use a client that supports SSHv2, such as PuTTY or SSH Secure Shell. The PIX supports read-only SNMP and can either send traps to a host or be polled for information. The PIX also has a wealth of system time and date functionality, including NTP; synchronized clocks matter because log timestamps are only useful for correlation when every device agrees on the time.
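The management-access and logging choices described in the two summaries above, written out as a PIX 7.0 configuration fragment. This is an added example, not configuration from the book: the hostname, the 10.1.1.0/24 management subnet, the syslog (10.1.1.50), NTP (10.1.1.7) and SNMP (10.1.1.60) hosts, the ASDM image filename, and the angle-bracket placeholders for secrets are all assumptions to be replaced. Lines beginning with "!" are comments.

```cisco
! PIX 7.0 syntax. Example values throughout; substitute your own.
hostname pix-edge
domain-name example.com

! --- Remote management: SSHv2 only, from the management subnet ---
crypto key generate rsa modulus 2048
ssh 10.1.1.0 255.255.255.0 inside
ssh version 2
ssh timeout 10
! No "telnet" statements at all: Telnet stays disabled (clear-text credentials).
enable password <strong-enable-secret>
passwd <strong-login-password>

! --- ASDM over HTTPS, restricted to the same management subnet ---
http server enable
http 10.1.1.0 255.255.255.0 inside
asdm image flash:/asdm-502.bin

! --- Read-only SNMP: one manager may poll, and receives traps ---
snmp-server host inside 10.1.1.60
snmp-server community <read-only-community>
snmp-server enable traps snmp authentication linkup linkdown coldstart

! --- Authenticated NTP so timestamps can be correlated across devices ---
clock timezone UTC 0
ntp authenticate
ntp authentication-key 1 md5 <ntp-key>
ntp trusted-key 1
ntp server 10.1.1.7 key 1 source inside prefer

! --- Logging: a level per destination, one syslog facility, one suppressed ID ---
logging enable
logging timestamp
logging buffer-size 65536
logging buffered warnings
logging console emergencies
logging monitor errors
logging facility 20
logging trap informational
! Reliable (TCP) delivery to the syslog collector
logging host inside 10.1.1.50 tcp/1470
! With TCP syslog, the PIX stops permitting new connections when the
! collector is unreachable; this keeps the firewall forwarding instead.
logging permit-hostdown
! Drop one noisy message (dynamic translation built) instead of lowering
! the trap level for everything.
no logging message 305011
```

Two checks after applying this: open a second SSH session before closing the one you configured from, so a typo in the ssh or passwd lines cannot lock you out, and run show logging to confirm the trap level and host are what you intended. Leave console logging at emergencies; the console is slow and a flood of debug messages to it can stall the firewall.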
Cisco PIX Firewalls: Configure, Manage, & Troubleshoot | 2005
Thorsten Behrens; Brian Browne; Ido Dubrawsky; Daniel Kligerman; Michael Sweeney; Charles Riley; Umer Khan
Virtual private networks (VPNs) are commonly used to connect branch offices, mobile users, and business partners. The two common types are site-to-site and remote access. The PIX firewall supports VPNs using IPsec, the most robust tunneling solution for IP networks. IPsec was developed by the IETF, originally as part of IPv6, and operates at Layer 3 of the OSI model, so it can protect communications from the network layer (IP) upward. The IPsec suite specifies encryption and authentication algorithms, the AH and ESP protocols used for the tunnel itself, and the IKE/ISAKMP key management protocol. IPsec's main goals are data confidentiality, data integrity, data origin authentication, and anti-replay service. When a site-to-site IPsec tunnel is configured on a PIX firewall, one of two main methods of IKE authentication is used: preshared keys or digital certificates. The former is simpler to set up but lacks the scalability of the certificate solution, and a preshared key is only as strong as its length and randomness; it should also be unique per peer, so that compromising one branch does not expose the others. In the second type of VPN, remote clients connect to a gateway. The PIX supports IPsec, which works with Layer 3 tunnels. Cisco's own software VPN client provides full IPsec features when working with the PIX firewall and can perform IKE authentication with both preshared keys and digital certificates. The PIX uses two extensions to IKE to provide VPN clients with an internal IP address (address pool configuration) and to perform extra authentication of clients during IKE negotiation using Extended Authentication (xauth).
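A site-to-site tunnel with preshared-key IKE authentication, as an added PIX 7.0 example that is not taken from the book. The peer address (203.0.113.2), the local (10.1.0.0/16) and remote (10.2.0.0/16) networks, the map and ACL names, and the placeholder key are assumptions; the remote PIX needs the mirror image of the same configuration.

```cisco
! --- Phase 1 (ISAKMP/IKE): who we are and how we prove it ---
isakmp enable outside
isakmp identity address
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption aes-256
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
! Encapsulate ESP in UDP/4500 when a NAT device sits between the peers
isakmp nat-traversal 20

! Peer definition with its own preshared key.
! In 7.0 the old "isakmp key ... address ..." moved into the tunnel-group.
tunnel-group 203.0.113.2 type ipsec-l2l
tunnel-group 203.0.113.2 ipsec-attributes
 pre-shared-key <long-random-key-unique-to-this-peer>

! --- Phase 2 (IPsec): what is protected and with which transforms ---
access-list VPN-BRANCH extended permit ip 10.1.0.0 255.255.0.0 10.2.0.0 255.255.0.0
crypto ipsec transform-set STRONG esp-aes-256 esp-sha-hmac
crypto map OUTSIDE_MAP 10 match address VPN-BRANCH
crypto map OUTSIDE_MAP 10 set peer 203.0.113.2
crypto map OUTSIDE_MAP 10 set transform-set STRONG
crypto map OUTSIDE_MAP 10 set pfs group2
crypto map OUTSIDE_MAP 10 set security-association lifetime seconds 3600
crypto map OUTSIDE_MAP interface outside

! Identity NAT for tunnel traffic. NAT runs before the crypto map, so without
! this the packets are translated and never match the VPN-BRANCH ACL.
access-list NONAT extended permit ip 10.1.0.0 255.255.0.0 10.2.0.0 255.255.0.0
nat (inside) 0 access-list NONAT

! Let decrypted traffic bypass the outside interface ACL. Omit this line and
! write explicit ACL entries instead if per-tunnel filtering is required.
sysopt connection permit-ipsec
```

The point to check after both ends are configured is the order of operations: interesting traffic must survive NAT (the nat 0 line), match the crypto ACL, and only then is IKE triggered. Using AH as well as ESP is possible but rarely needed here, since esp-sha-hmac already authenticates the payload and the ESP header.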
Cisco PIX Firewalls: Configure, Manage, & Troubleshoot | 2005
Thorsten Behrens; Brian Browne; Ido Dubrawsky; Daniel Kligerman; Michael Sweeney; Charles Riley; Umer Khan
This chapter provides an overview of AAA and its benefits for Cisco PIX firewall administrators, with a quick look at the new commands that version 7.0 provides. It explains the RADIUS and TACACS+ security protocols, and that AAA comprises three independent but related functions: authentication, authorization, and accounting. Authentication is the process of identifying and verifying a user before allowing access to network devices and services. Authorization is the process of determining a user's privileges and access rights after authentication. Accounting is the process of recording user activity for accountability, billing, auditing, or reporting purposes. The benefits of implementing AAA include scalability, increased flexibility and control, standardized protocols and methods, and redundancy. Cisco PIX firewalls support the RADIUS and TACACS+ protocols within an AAA mechanism. Each has advantages and disadvantages, and the right one depends on the situation and requirements: TACACS+ encrypts the entire packet body and supports per-command authorization, while RADIUS encrypts only the password attribute and combines authentication and authorization in one exchange. To take advantage of AAA, one must implement and configure an AAA server, or use the local database on the PIX and give up a few features. On the PIX firewall, one can configure authentication and authorization to control both user actions on the firewall and user traffic through the firewall. Authentication of users attempting to access the PIX itself is called console authentication; authorization of user actions on the PIX is called command authorization. For both, one can use the local database, RADIUS, or TACACS+.
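Console authentication, command authorization, accounting, and a cut-through proxy for traffic through the firewall, as an added PIX 7.0 example (not the book's own configuration). The server group names, the TACACS+ (10.1.1.20) and RADIUS (10.1.1.21) hosts, the inside network 10.1.0.0/16, and the placeholder secrets are assumptions.

```cisco
! --- AAA server groups ---
aaa-server TACACS-SRV protocol tacacs+
aaa-server TACACS-SRV (inside) host 10.1.1.20
 key <tacacs-shared-secret>
 timeout 5
aaa-server RADIUS-SRV protocol radius
aaa-server RADIUS-SRV (inside) host 10.1.1.21
 key <radius-shared-secret>

! Local fallback account, consulted only when no TACACS+ server answers.
! Without it, a server outage locks every administrator out.
username admin password <strong-password> privilege 15

! --- Console authentication: who may log in to the firewall itself ---
aaa authentication ssh console TACACS-SRV LOCAL
aaa authentication http console TACACS-SRV LOCAL
aaa authentication serial console TACACS-SRV LOCAL
aaa authentication enable console TACACS-SRV LOCAL

! --- Command authorization and accounting: what each admin may run, and a record ---
aaa authorization command TACACS-SRV LOCAL
aaa accounting command TACACS-SRV

! --- Cut-through proxy: inside users authenticate (RADIUS) before outbound HTTP ---
access-list AUTH-OUTBOUND extended permit tcp 10.1.0.0 255.255.0.0 any eq www
aaa authentication match AUTH-OUTBOUND inside RADIUS-SRV
aaa accounting match AUTH-OUTBOUND inside RADIUS-SRV
```

Enable command authorization from a second session and verify that an ordinary show command and a configuration command are each accepted or refused as the TACACS+ server's command sets dictate before closing the first session. The LOCAL keyword on the authorization line means local user privilege levels are used only when the TACACS+ servers are unreachable, not as a second opinion when they deny a command.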
Cisco PIX Firewalls: Configure, Manage, & Troubleshoot | 2005
Thorsten Behrens; Brian Browne; Ido Dubrawsky; Daniel Kligerman; Michael Sweeney; Charles Riley; Umer Khan
This chapter introduces a troubleshooting methodology based on the OSI model. Knowledge is power: knowing the various PIX firewall models and their capabilities is extremely important for troubleshooting. Although the PIX firewall supports a limited number of network types, familiarity with the cables used to connect to those networks is a useful troubleshooting asset. The PIX firewall uses standard T568A/B wiring for 10/100 Ethernet and SC multimode fiber-optic cables for Gigabit Ethernet. The serial failover cable is a specialized case, made possible by a stringent Cisco-proprietary wiring scheme. The troubleshooting toolbox includes many commands such as show xlate, show nat, and show global, all used to check translation configuration and operation. Other connectivity issues involve ensuring that only the proper access is granted to particular external networks. IPsec is probably one of the most complex features ever configured on the PIX firewall, and troubleshooting it is equally complex; this chapter covers several of the most critical commands for validating IPsec operation. Cisco provides an extremely useful packet capture and analysis tool in the capture command, which enables remote capture and analysis of traffic on the networks connected to the PIX and reduces the need to install a third-party sniffer on the target network. The best troubleshooting practice is proactive monitoring, to detect problems before they become unmanageable.
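A troubleshooting session for the three areas named above (translations, IPsec, and the capture command), as an added PIX 7.0 example rather than commands quoted from the book. The inside host 10.1.2.15, the outside PAT address 203.0.113.1, the remote server 198.51.100.10, the VPN peer 203.0.113.2, the ACL names, and the TFTP server 10.1.1.40 are assumptions.

```cisco
! --- Translations and connections for one inside host ---
show running-config nat
show running-config global
show xlate local 10.1.2.15
show local-host 10.1.2.15
show conn

! --- Access control: hit counts tell you which line is matching ---
show access-list OUTSIDE_IN
clear access-list OUTSIDE_IN counters

! --- IPsec: phase 1 first, then phase 2 ---
! (on 7.2 and later the first command is "show crypto isakmp sa")
show isakmp sa
show crypto ipsec sa peer 203.0.113.2
! Only if the SAs are missing: watch one negotiation, then turn it off.
debug crypto isakmp 7
no debug crypto isakmp

! --- Capture both sides of the firewall for one flow ---
! Inside: the host's real address.
access-list CAP-IN-MATCH extended permit ip host 10.1.2.15 host 198.51.100.10
access-list CAP-IN-MATCH extended permit ip host 198.51.100.10 host 10.1.2.15
! Outside: NAT has already happened, so match the translated (PAT) address,
! not 10.1.2.15. A capture ACL with the inside address never matches here.
access-list CAP-OUT-MATCH extended permit ip host 203.0.113.1 host 198.51.100.10
access-list CAP-OUT-MATCH extended permit ip host 198.51.100.10 host 203.0.113.1
capture CAP-IN interface inside access-list CAP-IN-MATCH buffer 1048576 packet-length 1518
capture CAP-OUT interface outside access-list CAP-OUT-MATCH buffer 1048576 packet-length 1518
! Reproduce the problem, then inspect or export.
show capture CAP-IN
show capture CAP-OUT
copy /pcap capture:CAP-IN tftp://10.1.1.40/cap-in.pcap
copy /pcap capture:CAP-OUT tftp://10.1.1.40/cap-out.pcap
! Captures consume memory and survive until removed, so clean up.
no capture CAP-IN
no capture CAP-OUT
```

Reading the two captures side by side answers the usual question quickly: a packet present on the inside capture and absent from the outside one was dropped by the PIX (check the syslog buffer for the 106xxx deny message), while a packet that leaves on the outside and never gets a reply is an upstream problem. The .pcap files can also be fetched over HTTPS from the ASDM listener, which avoids TFTP entirely.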
Cisco PIX Firewalls: Configure, Manage, & Troubleshoot | 2005
Thorsten Behrens; Brian Browne; Ido Dubrawsky; Daniel Kligerman; Michael Sweeney; Charles Riley; Umer Khan
This chapter explains the importance of security to any organization deploying networks today. Threats can come from both outside and inside. A security strategy must address confidentiality, integrity, availability, authentication, access control, and accounting. Information security is not a goal or a result; it is a process. Cisco's Security Wheel describes this ongoing process of securing a network, monitoring and responding to incidents, testing for vulnerabilities, and managing and improving security. Firewalls are devices that regulate and filter traffic between networks. The most common deployment is on an Internet connection, but more and more organizations are using firewalls internally to segment sensitive areas. There are two fundamental approaches to firewall design: packet filtering, which operates at the network layer, and application proxying, which works at the application layer and understands the details of particular applications. Packet filters have the advantage of speed; proxies have the advantage in security. Stateful packet filters, an evolution of basic packet filters, keep track of connections to make more informed pass/block decisions. Firewall architectures often include one or more DMZ networks, which allow services to be made available to the Internet while keeping them protected by the firewall and segmented from the internal LAN. Network Address Translation allows an organization to use private, non-unique addresses on its internal networks; these addresses are translated to globally unique addresses for routing on the Internet. NAT also hides internal addressing from the outside, which is a modest benefit on top of filtering rather than a substitute for it. Virtual private networks are supported by most major firewalls today.
Cisco PIX Firewalls: Configure, Manage, & Troubleshoot | 2005
Thorsten Behrens; Brian Browne; Ido Dubrawsky; Daniel Kligerman; Michael Sweeney; Charles Riley; Umer Khan
The PIX is a dedicated firewall appliance with a special-purpose, hardened operating system. The simplified kernel and reduced command set (compared with firewalls built on general-purpose operating systems) mean that, all other things being equal, the PIX has higher throughput and lower maintenance costs than a general-purpose device. Its similarity to IOS gives an edge to security administrators already familiar with the Cisco environment. The PIX is a hybrid firewall that performs stateful packet filtering and uses proxies (inspection engines) for specific applications. About a dozen inspection engines are associated with the PIX. Some, such as the FTP inspection engine, augment the ASA (Adaptive Security Algorithm) process by permitting packets that belong to an allowed conversation: the FTP command channel follows the normal three-way handshake initiated by the client toward a well-known port, but in active mode the data channel's handshake is initiated by the server toward a port negotiated during the transaction, and the inspection engine opens that port only for the duration of the transfer. A key advantage of an appliance is performance, and the PIX makes an excellent VPN terminator, able to pass encrypted traffic at wire speed when an accelerator card is installed. Modern environments depend on firewalls, so the PIX provides high resiliency through its failover mechanism. Licensing for PIX features is set via the activation key. Password recovery is achieved by running a special program on the PIX itself, which is one more reason physical and console access to the appliance must be controlled. Passwords on any security device are very important, and so is managing configuration information.
Cisco PIX Firewalls: Configure, Manage, & Troubleshoot | 2005
Thorsten Behrens; Brian Browne; Ido Dubrawsky; Daniel Kligerman; Michael Sweeney
This chapter explains how failover works on the PIX firewall. To support high availability, the PIX can deal with firewall failures through its failover features, which provide redundancy. Failover is supported only on the higher-end PIX models. It can be configured in active/standby or active/active mode. Active/active is available only when using multiple contexts; it does not provide true load balancing, but it does allow contexts to be assigned to one of two failover groups, so load sharing and redundancy can be implemented at the failover-group level. When failover is configured, one firewall is designated primary and the other secondary. During normal operation the primary is active and handles all network traffic, while the secondary remains on standby, ready to take over if the primary fails. When the primary fails, the secondary becomes active and the primary goes into the standby state. To exchange information between the two units, a failover link must be established, either over the special serial failover cable or over a dedicated Ethernet link between the two firewalls. In either case the PIX can operate in regular or stateful failover mode; with stateful failover, connection state is replicated to the standby unit, so clients keep their sessions across a switchover from active to standby.
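LAN-based active/standby failover with a separate stateful link, as an added PIX 7.0 example that is not the book's own configuration. The interface assignments (Ethernet2 for the failover link, Ethernet3 for state), the point-to-point addresses, the outside and inside addresses, and the placeholder key are assumptions. This is the primary unit; the secondary needs only the lines marked as such before it synchronizes the rest from the primary.

```cisco
! --- Primary unit ---
failover lan unit primary
failover lan interface FOLINK Ethernet2
failover interface ip FOLINK 192.168.254.1 255.255.255.252 standby 192.168.254.2
! Dedicated link for state replication (separate from the hello link)
failover link STATELINK Ethernet3
failover interface ip STATELINK 192.168.253.1 255.255.255.252 standby 192.168.253.2
! Authenticate and encrypt failover traffic. Without a key, hellos and the
! replicated connection/translation tables cross the link in the clear.
failover key <failover-shared-key>
! Detect a dead peer within a few seconds
failover polltime unit 1 holdtime 3
failover polltime interface 5
! Selects LAN-based failover over the serial cable on PIX platforms
failover lan enable

! Every monitored data interface needs a standby address; the standby unit
! uses it to exchange hellos with the active unit on that segment.
interface Ethernet0
 nameif outside
 security-level 0
 ip address 203.0.113.1 255.255.255.0 standby 203.0.113.3
interface Ethernet1
 nameif inside
 security-level 100
 ip address 10.1.1.1 255.255.255.0 standby 10.1.1.2

! Replicate HTTP connections too (off by default because of their volume)
failover replication http

! Turn it on last, after the peer is cabled and powered
failover

! --- Secondary unit (minimum before it joins) ---
! failover lan unit secondary
! failover lan interface FOLINK Ethernet2
! failover interface ip FOLINK 192.168.254.1 255.255.255.252 standby 192.168.254.2
! failover key <failover-shared-key>
! failover lan enable
! failover
```

Verify with show failover on both units: the primary should report "Active" and the secondary "Standby Ready", with every monitored interface listed as Normal. Connect the failover and state links through a switch or crossover cable that no other traffic shares; since the state link carries the connection table, it should be treated with the same trust as the inside network.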
Cisco PIX Firewalls: Configure, Manage, & Troubleshoot | 2005
Thorsten Behrens; Brian Browne; Ido Dubrawsky; Daniel Kligerman; Michael Sweeney; Charles Riley; Umer Khan
The PIX supports a number of services designed to add value beyond its core firewall functionality. DHCP allows the PIX to assign IP addresses and related parameters without the need for a separate server. DHCP is a convenient method of providing required configuration parameters to network nodes, such as IP address, default gateway, DNS servers, and WINS servers. Rather than configuring these parameters manually on every client, DHCP allows the configuration details to be set centrally, in this case on the PIX firewall, and then handed to each node as required. The PIX's QoS functionality may be sufficient for traffic-prioritization needs, eliminating the router that would otherwise be required. Furthermore, the routing functionality built into the PIX provides a flexible set of unicast and multicast routing options that allow the PIX to establish full IP connectivity to the rest of the network. Finally, with the PIX's Easy VPN functionality, it can act as an Easy VPN server, configured to push a variety of policy settings to any number of Easy VPN clients.
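The DHCP server described above, together with the remote-access IPsec server that the VPN summary earlier on this page describes (an address pool for clients plus xauth user authentication against RADIUS, which is also how the PIX pushes policy to Easy VPN clients). This is an added PIX 7.0 example, not configuration from the book; the address ranges, DNS/WINS hosts, RADIUS server, names, and placeholder keys are assumptions.

```cisco
! --- DHCP server for the inside segment ---
dhcpd address 10.1.1.100-10.1.1.200 inside
dhcpd dns 10.1.1.10
dhcpd wins 10.1.1.11
dhcpd domain example.com
dhcpd lease 86400
dhcpd enable inside

! --- Remote-access IPsec server (Cisco VPN Client / Easy VPN) ---
isakmp enable outside
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption aes
isakmp policy 20 hash sha
isakmp policy 20 group 2
! Road warriors are almost always behind NAT
isakmp nat-traversal 20
crypto ipsec transform-set RA-SET esp-aes esp-sha-hmac

! Internal addresses handed to clients (the address-pool IKE extension)
ip local pool RA-POOL 10.3.0.1-10.3.0.254 mask 255.255.255.0

! Per-user authentication (xauth) against RADIUS
aaa-server RADIUS-SRV protocol radius
aaa-server RADIUS-SRV (inside) host 10.1.1.21
 key <radius-shared-secret>

! Policy pushed to clients after they authenticate
group-policy RA-POLICY internal
group-policy RA-POLICY attributes
 dns-server value 10.1.1.10
 wins-server value 10.1.1.11
 default-domain value example.com
 split-tunnel-policy tunnelall
 vpn-idle-timeout 30

! The group: its preshared key authenticates the client software to the
! gateway; the user is then authenticated separately through xauth.
tunnel-group RA-EMPLOYEES type ipsec-ra
tunnel-group RA-EMPLOYEES general-attributes
 address-pool RA-POOL
 authentication-server-group RADIUS-SRV
 default-group-policy RA-POLICY
tunnel-group RA-EMPLOYEES ipsec-attributes
 pre-shared-key <group-key>

! Dynamic crypto map: client addresses are not known in advance
crypto dynamic-map RA-DYN 10 set transform-set RA-SET
crypto map OUTSIDE_MAP 65535 ipsec-isakmp dynamic RA-DYN
crypto map OUTSIDE_MAP interface outside

! Identity NAT so replies to pool addresses are not translated
access-list NONAT extended permit ip 10.1.0.0 255.255.0.0 10.3.0.0 255.255.255.0
nat (inside) 0 access-list NONAT
```

The group preshared key is shared by every user of RA-EMPLOYEES, which is why the xauth step is not optional: the group key only gates who may start IKE, and the RADIUS credential is what identifies the person. tunnelall is the conservative choice; a split-tunnel ACL lets a connected client bridge its local network and yours at the same time.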
Cisco PIX Firewalls: Configure, Manage, & Troubleshoot | 2005
Thorsten Behrens; Brian Browne; Ido Dubrawsky; Daniel Kligerman; Michael Sweeney
The Cisco PIX firewall is an advanced product with many options for supporting application-layer protocols and protecting against network-layer attacks. It also supports content filtering for outbound Web access, intrusion detection, and routing options such as RIP, OSPF, and multicast routing. Many protocols embed IP address information inside the packets they exchange, or negotiate additional connections on non-fixed ports, in order to function; these cases are handled by the PIX application inspection feature. The PIX supports FTP clients and servers in active and passive modes, as well as the DNS, RSH, RPC, SQL*Net, and LDAP protocols, streaming protocols such as the Real-Time Streaming Protocol, and the H.323, SCCP, and SIP protocols used in VoIP applications. The PIX inspects passing packets for the embedded information and updates its tables or permits embryonic connections accordingly; in several cases it can also NAT the embedded addresses. The PIX can also participate in RIP and OSPF dynamic routing. Although it does not have all the routing features of a full-fledged router, its routing functionality will satisfy basic requirements in some cases. The same goes for multicast routing, although in many cases a true multicast router is required; having basic multicast routing support built into the PIX can allow a multicast network to function without additional devices adding complexity.
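Application inspection as described above and in the earlier summary of the FTP inspection engine, together with the DMZ placement and NAT the chapter overview describes, as an added PIX 7.0 example that is not configuration from the book. The DMZ addressing (172.16.1.0/24, FTP server 172.16.1.10 published as 203.0.113.10), the inside network 10.1.0.0/16, the non-standard FTP port 2121, the OSPF area, and the placeholder key are assumptions.

```cisco
! --- DMZ segment and a published FTP server ---
interface Ethernet2
 nameif dmz
 security-level 50
 ip address 172.16.1.1 255.255.255.0
static (dmz,outside) 203.0.113.10 172.16.1.10 netmask 255.255.255.255
! Only the control channel (tcp/21) is opened. FTP inspection watches the
! PORT/PASV exchange and opens the negotiated data port for that transfer
! only, so neither tcp/20 nor a range of high ports appears in the ACL.
access-list OUTSIDE_IN extended permit tcp any host 203.0.113.10 eq ftp
access-group OUTSIDE_IN in interface outside

! --- Inside users reach the Internet through PAT on the outside address ---
nat (inside) 1 10.1.0.0 255.255.0.0
global (outside) 1 interface

! --- Modular Policy Framework: inspection engines on their default ports ---
class-map inspection_default
 match default-inspection-traffic
policy-map global_policy
 class inspection_default
  ! strict: reject FTP commands that do not follow the RFC sequence
  inspect ftp strict
  ! also rewrites A records for hosts behind a static (DNS doctoring)
  inspect dns maximum-length 512
  inspect h323 h225
  inspect h323 ras
  inspect sip
  inspect skinny
  inspect sqlnet
  inspect rsh
  inspect sunrpc
  inspect rtsp
  inspect ils
service-policy global_policy global

! An FTP server on a non-standard port gets its own class; inspection is
! keyed on the port, so without this tcp/2121 is just opaque TCP.
class-map FTP-2121
 match port tcp eq 2121
policy-map global_policy
 class FTP-2121
  inspect ftp

! --- OSPF with authenticated neighbors ---
router ospf 1
 network 10.1.1.0 255.255.255.0 area 0
 area 0 authentication message-digest
interface Ethernet1
 ospf message-digest-key 1 md5 <ospf-key>
 ospf authentication message-digest
```

Two checks worth doing: show service-policy reports per-inspection packet counters, which tells you whether the engine is actually seeing the traffic, and a transfer to the DMZ server in active mode from outside should succeed while a direct connection to tcp/20 is denied, proving the pinhole is dynamic. Routing authentication matters on a firewall more than elsewhere; an unauthenticated OSPF neighbor can redirect inside traffic around the policy you just wrote.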