ICMP & the PIX
By default, the PIX will respond to a ping request sent directly to the outside
interface. Best practices recommend turning this off with the command:
icmp deny any outside
Turning off the ICMP response denies a potential hacker this information. However,
any decent hacker will figure out that your network has a firewall; what they will
not know is the location or the IP address of the firewall.
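As an added illustration (not from the book's text), this is how that rule typically sits in a PIX configuration, with the ICMP replies the PIX itself relies on (its own ping, traceroute and path-MTU discovery) permitted ahead of the deny; the interface name outside comes from the text above, the permit lines are an assumed hardening choice:

```cisco
! Added example, not from the original text.
! icmp rules are evaluated top-down, first match wins, and once any
! rule exists the implicit action for unmatched ICMP is deny, so the
! specific permits must come before the catch-all deny.
icmp permit any echo-reply outside
icmp permit any unreachable outside
icmp permit any time-exceeded outside
icmp deny any outside
! Verify that the rules appear in this order:
! show running-config icmp   (PIX 7.0; "show icmp" on 6.x)
```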
Advanced Protocol Handling
The PIX combines stateful packet filtering with advanced protocol handling, which
it performs through application inspection rather than application proxies.
Application inspection provides a tighter security model for a given protocol.
Don't confuse application inspection with an application proxy. Application
inspection doesn't inspect packets for a specific application, but rather for
compliance with the Internet Assigned Numbers Authority (IANA) standards for a
particular protocol.
For example, if we configured an access list for SMTP, we could filter on port,
source IP, and destination IP. When the SMTP inspection engine is used in conjunction
with an access list, only the seven basic SMTP commands are allowed, and the traffic
is further restricted by the ACL. The inspection command also allows you to change
the port assignment of the protocol. Using the above SMTP example, we could inspect
SMTP on port 8080 in addition to the default inspect SMTP port (port 25). In pre-7.0
code, we used the fixup command; however, in 7.0 we need to use two commands.
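As an added example (not the book's own configuration), here is the pre-7.0 fixup form beside the 7.0 form of inspecting SMTP on both port 25 and port 8080; the class-map name smtp-8080 is assumed, and the 7.0 keyword for the SMTP engine is esmtp:

```cisco
! Added example, not from the original text.
! Pre-7.0: one fixup line per port.
fixup protocol smtp 25
fixup protocol smtp 8080

! 7.0: the port is matched in a class-map (command 1) and the engine is
! applied to that class in a policy-map (command 2). The built-in class
! inspection_default already matches the default port, tcp/25.
class-map smtp-8080
 match port tcp eq 8080
!
policy-map global_policy
 class inspection_default
  inspect esmtp
 class smtp-8080
  inspect esmtp
!
service-policy global_policy global
! Verify which connections the engine is handling:
! show service-policy inspect esmtp
```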
VPN Support
An important aspect of network security is the confidentiality of information.
Packets flowing along a network are much like postcards sent through the mail; if
you don't want the world reading your messages, you have to take additional steps.
To achieve the kind of confidentiality offered on a private network, several
approaches can be used. One approach uses encryption to conceal the information.
An early standard, supported by Microsoft, is the Point-to-Point Tunneling Protocol
(PPTP). Much like putting a letter inside a sealed envelope, this standard allows for
encapsulating (and concealing) network traffic inside a transport header. A similar
but more comprehensive approach is to use the Layer 2 Tunneling Protocol (L2TP).
This protocol is native to many Microsoft deployments; therefore, PIX support for
PPTP and L2TP is an important element of the feature set.
In the fall of 1998, the Secure Internet Protocol (IPSec) was published in RFC
2401. Cisco took the lead in IPSec implementation by coauthoring many of the
IPSec RFCs and providing solutions for some of the stickier IPSec issues. Trying to
use NAT with L2TP/IPSec is one of the biggest issues with VPNs. NAT rewrites
the IP header, thereby defeating the purpose of L2TP/IPSec, which ensures the
authenticity of the IP header. RFC 3193 details how NAT Traversal is used to allow
User Datagram Protocol (UDP) encapsulation of the authenticated IP packet using
port 4500.
The PIX is an excellent IPSec tunnel termination point. It supports a wide range of
interoperable standards and can be configured with preshared keys or certificate
authorities (CAs). Many companies use the PIX as an integrated firewall/VPN terminator
(particularly in SOHO environments), and as a stand-alone VPN terminator in
conjunction with another (dedicated) firewall. By using the PIX, remote offices can
connect securely to a central point or to each other. Instead of incurring high costs,
a VPN can be configured between two PIX firewalls with all information traversing
the VPN encrypted and authenticated, making it nearly impossible for someone to
sniff the wire and steal the data.
One of the PIX's best features is VPN performance. The simplicity of the PIX
firewall appliance makes it a sound choice for VPN termination in many enterprise
and carrier-class environments.
URL Filtering
URLs identify user-friendly addresses on the World Wide Web (WWW). The PIX
firewall supports URL filtering by intercepting a request and validating its permissibility
against a database located on an N2H2 or Websense server. The N2H2 server
can run Linux (www.n2h2.com/products/bess.php?os=lnx&device=pix) or Microsoft
Windows (www.n2h2.com/products/bess.php?os=win&device=pix); the Websense server
can use these platforms or be installed on a Solaris server
(www.websense.com/products/integrations/ciscoPIX.cfm).
URL filtering provides the means to apply and enforce an acceptable use policy
for Internet browsing, as well as to capture and analyze how personnel use the
Internet. The servers provide reporting capabilities so that you can determine if the
policy is being followed.
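As an added example (not from the book), the two commands that implement the interception described above, pointing the PIX at a Websense server and sending every outbound HTTP request to it; the server address, interface and timeout are assumed values:

```cisco
! Added example, not from the original text.
! Name the filtering server (vendor n2h2 is the other accepted vendor).
url-server (inside) vendor websense host 10.1.1.5 timeout 10
! Intercept every HTTP request from any local host to any foreign host
! and hold it until the server returns a permit/deny decision.
filter url http 0 0 0 0
! Caveat: without the allow keyword the PIX fails closed, so if the server
! does not answer within the timeout, all HTTP is blocked. To fail open
! (web access continues unfiltered while the server is down) use:
! filter url http 0 0 0 0 allow
! Verify server reachability and lookup counts:
! show url-server
! show url-server stats
```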
NAT
by a company called Network Translations Inc., and its first role was performing
address translation
PIX Version 7 also supports transparent mode, which is a special mode where
the PIX doesn't perform address translation, but still separates the network into
secure and insecure areas. The IP address space is flat and there is no private
network. A single interface can be subdivided into several logical areas known as
security contexts, each with a different security level. This is known as multiple
context mode, and makes it possible to have more security areas than interfaces.
Transparent mode and multiple context mode are generally used together. For a
complete discussion of security contexts and how to configure them, go to
www.cisco.com/en/US/products/ps6120/products-configuration-guide-article09186a0080450b90.html.
High Availability
The three fundamental concepts of information security are confidentiality, integrity,
and availability. The PIX addresses availability by providing a robust, fault-tolerant
environment: if an error or failure occurs, alerts are triggered, thereby allowing
corrective actions to be taken.
The term High Availability (HA) usually refers to hardware fault tolerance.
Obviously, a firewall is a critical piece of equipment: to effectively perform its function,
it is placed in the middle of multiple data streams. Cisco hardware is very high
quality, and the PIX has no moving parts (except the cooling fans). Nonetheless,
problems will occur; even the best-made equipment fails. HA is a device configuration
that is used to ensure that isolated failure of the hardware does not bring down
your network.
Achieving high availability requires redundant hardware. In this case, two identical
PIX firewalls are configured exactly the same and maintain communications
between themselves. Loss of these special communications equates to a failure,
allowing corrective actions to occur automatically. If one firewall in the pair fails, the
other transparently picks up the traffic, and alarm messages are sent to the network
management console.
HA can be configured in several ways. The simplest and least expensive way is
through a serial cable, which is provided with the purchase of a failover license.
Alternatively, a LAN interface can be dedicated to the failover process. With the
failover cable, hello packets containing the number of bytes seen by the interfaces are
transmitted between the two boxes; if the values differ, failover occurs. With the
LAN interface, full state information is transmitted so that in the event of a failover,
the Transmission Control Protocol (TCP) sessions can keep running without reinitialization.
PIX 7.0 also allows firewalls to run in active/active mode, enabling the
ability to balance some of the traffic across a pair of firewalls.
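As an added example (not the book's configuration), the LAN-based, stateful failover setup described above as it would be entered on the primary unit of a PIX 7.0 pair; the interface Ethernet2, the link name folink, the addresses and the key are assumed, and the secondary unit gets the same lines with failover lan unit secondary:

```cisco
! Added example, not from the original text.
failover lan unit primary
! Dedicated LAN interface carrying failover hellos and configuration sync.
failover lan interface folink Ethernet2
failover interface ip folink 192.168.254.1 255.255.255.0 standby 192.168.254.2
! Reuse the same link for state replication so that TCP sessions
! survive a failover without reinitialization.
failover link folink Ethernet2
! Authenticate and encrypt the failover traffic between the two boxes;
! without a key, state and configuration cross the failover LAN in clear.
failover key <shared-secret-placeholder>
failover
! Each data interface also needs a standby address, for example:
! interface Ethernet0
!  ip address 203.0.113.2 255.255.255.0 standby 203.0.113.3
! Verify the pair's state:
! show failover
```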
PIX Hardware
The PIX has many different configuration models to ensure that a product is suitable
to different environments. The requirements of a SOHO user are different from those
of a service provider. Cisco provides various classes with different price points to
ensure optimum product placement.
Five models are currently supported: the 501, the 506E, the 515E, the 525, and
the 535. However, there are three models that you may see deployed in enterprise
environments: the 515, the 525, and the 535. As it turns out, these are the three
models that the new 7.0 code runs on. Table 4.1 shows the vital characteristics of
each model.
NOTE
At the time of this writing, version 7.0 code does not run on the SOHO
models, i.e., the 501 and 506E; nor are there plans to support the version 7.0 OS on
these two models.
- PIX 501 The PIX 501 is the basic entry model for the PIX line, with a
fixed hardware configuration. It has a four-port 10/100Mbps switch for
inside connectivity, and a single 10/100Mbps interface for connecting to
the Internet upstream device (such as a cable modem or Digital Subscriber
Line [DSL] router). It provides 3 megabits per second (Mbps) of throughput
on a Data Encryption Standard (DES) IPSec connection, which satisfies
most SOHO requirements. The base license is a 10-user license with DES
IPSec. There is an optional 50-user upgrade and/or Triple Data Encryption
Standard (3DES) VPN support. There is also an unlimited user count version
available. The 501 is based on a 133 MHz AMD SC520 processor with 16 MB
of RAM and 8 MB of flash. There is a console port, a full-/half-duplex RJ45
10BaseT port for the outside, and an integrated, auto-sensing, auto-MDIX
four-port RJ45 10/100 switch for the inside.
- PIX 506E The 506E product is an enhanced version of the 506. The
chassis are similar, but the 506E has a beefier central processing unit
(CPU), a quieter fan, and a new power supply. The CPU is a 300 MHz
Intel Celeron, and the random-access memory (RAM) and flash are of the
same capacity as the original 506. Clear-text throughput has been increased
to 100Mbps (wire speed), and 3DES throughput has been increased to 16
Mbps. Licensing on the 506E (and 506) is provided in single, unlimited-user
mode. The only extra license you may need is the 3DES license. The
506E has one console port and two RJ45 10BaseT ports, one for the outside
and one for the inside.
- PIX 515E The 515E replaced the 515 in May 2002. It has a higher-performing
433MHz Intel Celeron and increased base firewall performance,
and is intended for the enterprise core of small- to medium-sized
businesses. The 515E can offload the arithmetic load of DES computation
from the OS to a dedicated VPN accelerator card (VAC+), delivering up to
135Mbps 3DES throughput and 2,000 VPN tunnels. The licensing is similar:
a restricted license limits you to three interfaces and no failover,
whereas an unrestricted license has the memory upgrade, the VAC+, and
up to six interfaces.
The chassis is a 1 Unit (1U) pizza-box, which is intended for rack
mounting. The most important difference between the 506E and the 515E
is that the 515E chassis is hardware-configurable. It provides a slot for an
additional single-port or four-port Fast Ethernet (FE) interface, allowing for
an inside port, an outside port, and up to four additional service networks.
The licensing is flexible, allowing enterprises to purchase only what they
need. The restricted license limits the number of interfaces to three and
does not support HA. The unrestricted license allows for an increase in
RAM (from 32MB to 128MB) and up to six interfaces, together with
failover capability.
- PIX 525 The PIX 525 is designed for large-enterprise or small-service-provider
environments. The 525 supports three single- or four-port 10/100
FE cards, or three single-port fiber channel gigabit Ethernet cards.
Performance tells the story: the 525 with its 600MHz Intel Pentium III
boasts 330Mbps clear-text throughput and, with the VPN+ accelerator
card, 145Mbps of 3DES IPSec tunnel traffic.
As with the other models, licensing is based on interface counts and
failover. The restricted license limits the PIX 525 to 128MB of RAM and
six interfaces. The unrestricted license bumps RAM to 512MB, allows up to
eight interfaces, and supports failover. As before, 3DES licensing is separate,
if desired.
- PIX 535 The PIX 535 is the top-of-the-line model, suitable for service
provider environments. Performance is the key: up to 1.7Gbps clear-text
throughput, half a million simultaneous connections, and 7,000 connection
initializations/teardowns per second. With the VAC+, you can get 425Mbps
3DES throughput, with up to 2,000 simultaneous security associations
(VPN tunnels).
In terms of hardware, the PIX 535 is based on a 1GHz Intel Pentium
III, with up to 1GB of RAM. It has a 16MB flash and 256K cache running
at 1GHz, as well as a dual 64-bit 66MHz PCI system bus. In terms of
interfaces, the 535 supports the installation of additional network interfaces
via four 66 MHz/64-bit and five 33 MHz/32-bit Peripheral Component
Interconnect (PCI) expansion slots. The slots support expansion cards
including single-port FE, four-port FE and single-port Gigabit Ethernet
cards. The 535 is also the only model to support redundant power supplies.