An example of a stateful packet filter
Can also work on higher-layer protocols (FTP, RealAudio, etc.)
Runs on its own OS
Outline
The Adaptive Security Algorithm (ASA)
Basic features of PIX
Advanced features
Case studies
ASA
ASA defines how the state and other information is used to track the sessions passing through the PIX. ASA keeps track of the following information:
Source and destination info of IP packets
TCP sequence numbers and TCP flags
UDP packet flow and timers
Syn Flood
A: the initiator; B: the destination
A TCP connection is established in multiple steps:
A: SYN to initiate
B: SYN+ACK to respond
A: ACK completes the agreement
Sequence numbers are then incremented for future messages:
Ensures message order
Retransmit if lost
Verifies that the party really initiated the connection
http://sce.uhcl.edu/yang/teaching/. ../piX Firewalls.ppt 7
Syn Flood
Implementation: A, the attacker; B, the victim
B:
Receives SYN
Allocates a connection
Acknowledges
Waits for a response
See the problem? What if no response ever comes, and many SYNs arrive?
All space for connections is allocated
None is left for legitimate ones
Benefit: Limits the exposure of the servers behind the PIX to SYN floods
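The following is an added illustration, not code from the slides or from the PIX: a toy stateful TCP tracker that keeps the per-session information the ASA description lists (endpoints, sequence numbers, flags) and caps the number of half-open entries it will hold. The embryonic (half-open) limit is an assumption used to model how a stateful filter can shield a server from the exhaustion described above; it is not a reproduction of the PIX's real mechanism. No packets are sent; all input is constructed in-process.

```python
"""Toy stateful TCP connection tracker (constructed example, not PIX code).
Feeds synthetic packet records through a connection table and never touches
the network. The embryonic limit is an assumed modelling parameter."""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    flags: FrozenSet[str]       # e.g. {"SYN"}, {"SYN", "ACK"}, {"ACK"}
    seq: int                    # sequence number carried by this segment
    ack: int = 0                # acknowledgement number (0 if ACK flag absent)


@dataclass
class Conn:
    state: str                  # SYN_SENT -> SYN_RECEIVED -> ESTABLISHED
    initiator_seq: int          # ISN chosen by the initiator (A)
    responder_seq: Optional[int] = None   # ISN chosen by the responder (B)


class StatefulTracker:
    """Tracks each session by (initiator, responder) plus the sequence numbers
    and flags seen, in the spirit of the ASA description."""

    def __init__(self, embryonic_limit: int) -> None:
        self.conns: Dict[Tuple[str, str], Conn] = {}
        self.embryonic_limit = embryonic_limit   # assumed cap on half-open entries
        self.dropped = 0

    def half_open(self) -> int:
        return sum(1 for c in self.conns.values() if c.state != "ESTABLISHED")

    def process(self, pkt: Packet) -> str:
        """Return "ALLOW" or "DROP" for one packet and update the table."""
        fwd = (pkt.src, pkt.dst)          # initiator -> responder direction
        rev = (pkt.dst, pkt.src)          # responder -> initiator direction
        if pkt.flags == {"SYN"}:
            if fwd in self.conns:         # retransmitted SYN of a known session
                return "ALLOW"
            if self.half_open() >= self.embryonic_limit:
                self.dropped += 1         # excess SYNs never reach the server
                return "DROP"
            self.conns[fwd] = Conn("SYN_SENT", pkt.seq)
            return "ALLOW"
        if pkt.flags == {"SYN", "ACK"}:
            c = self.conns.get(rev)
            # Only a reply to a SYN we saw, acknowledging exactly ISN+1, is valid.
            if c is None or c.state != "SYN_SENT" or pkt.ack != c.initiator_seq + 1:
                self.dropped += 1
                return "DROP"
            c.state, c.responder_seq = "SYN_RECEIVED", pkt.seq
            return "ALLOW"
        if pkt.flags == {"ACK"}:
            c = self.conns.get(fwd)
            if (c is not None and c.state == "SYN_RECEIVED"
                    and c.responder_seq is not None and pkt.ack == c.responder_seq + 1):
                c.state = "ESTABLISHED"   # handshake completed
                return "ALLOW"
            c = self.conns.get(fwd) or self.conns.get(rev)
            if c is not None and c.state == "ESTABLISHED":
                return "ALLOW"            # data-phase ACK on a known session
            self.dropped += 1
            return "DROP"                 # ACK with no matching state
        self.dropped += 1
        return "DROP"                     # anything else is out of state


def handshake(tracker: StatefulTracker, client: str, server: str,
              client_isn: int = 1000, server_isn: int = 5000,
              bogus_ack: bool = False) -> List[str]:
    """Run a three-way handshake through the tracker and return the verdicts.
    With bogus_ack=True the SYN+ACK acknowledges the wrong number, as a forged
    reply that never saw the real ISN would."""
    ack1 = 1 if bogus_ack else client_isn + 1
    return [
        tracker.process(Packet(client, server, frozenset({"SYN"}), client_isn)),
        tracker.process(Packet(server, client, frozenset({"SYN", "ACK"}), server_isn, ack1)),
        tracker.process(Packet(client, server, frozenset({"ACK"}), client_isn + 1, server_isn + 1)),
    ]


def incomplete_syns(tracker: StatefulTracker, server: str, count: int) -> int:
    """Feed `count` SYNs from constructed, distinct sources that never complete
    the handshake; return how many the tracker let through to the server."""
    allowed = 0
    for i in range(count):
        src = f"10.0.{i // 256}.{i % 256}"   # constructed source addresses
        allowed += tracker.process(Packet(src, server, frozenset({"SYN"}), i)) == "ALLOW"
    return allowed
```

With a limit of 100, feeding 500 never-completed SYNs leaves the server seeing only 100 half-open connections; the other 400 are dropped at the filter, which is the exposure reduction the slide refers to. The bogus-ACK case shows why tracking sequence numbers matters: a reply that does not acknowledge the observed ISN is rejected as out of state.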
Six steps (pp. 421-422):
1. An initial reconnaissance attack: gather info about the victim
2. A SYN flood attack: disable the login server; a DoS attack
3. A reconnaissance attack: determine how one of the x-terms generated its TCP sequence numbers
4. Spoof the server's identity and establish a session with the x-term (using the sequence number the x-term must have sent); result: a one-way connection to the x-term
5. Modify the x-term's .rhosts file to trust every host
6. Gain root access to the x-term
Examples:
To allow connections to be made from the public network to web or mail servers sitting on the DMZ of the PIX
To allow a machine on a DMZ network to access the private network behind the DMZ
Use of ACLs must be governed by the network security policy. (Only use them when necessary)
A subset of the syslog messages may be displayed on the PIX console or on a Telnet session screen. Third-party software (e.g., Private Eye) may be used to generate extensive reports from the syslog messages. Information in the syslog may be used by the PIX to help with intrusion detection.
static NAT
A type of NAT in which a private IP address is mapped to a public IP address, where the public address is always the same IP address (i.e., it has a static address). This allows an internal host, such as a Web server, to have an unregistered (private) IP address and still be reachable over the Internet.
dynamic NAT
A type of NAT in which a private IP address is mapped to a public IP address drawing from a pool of registered (public) IP addresses. Typically, the NAT router in a network will keep a table of registered IP addresses, and when a private IP address requests access to the Internet, the router chooses an IP address from the table that is not at the time being used by another private IP address.
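The following is an added illustration of the two NAT definitions above, not code from the slides or from the PIX. It models a translation table with a static mapping (always the same public address, so the host is reachable inbound without any prior outbound traffic) and a dynamic pool (a registered address is leased only while a private host is using it and is refused when the pool is exhausted). The addresses are constructed from documentation ranges.

```python
"""Toy NAT table (constructed example, not PIX code) contrasting static and
dynamic NAT as defined in the text."""
from typing import Dict, Iterable, Optional


class NatTable:
    def __init__(self, static: Dict[str, str], pool: Iterable[str]) -> None:
        self.static = dict(static)            # private -> fixed public (static NAT)
        self.pool = list(pool)                # registered addresses for dynamic NAT
        self.dynamic: Dict[str, str] = {}     # private -> public currently leased
        if set(self.static.values()) & set(self.pool):
            raise ValueError("static addresses must not overlap the dynamic pool")

    def outbound(self, private_ip: str) -> Optional[str]:
        """Translate the source of an outbound packet; None if the pool is exhausted."""
        if private_ip in self.static:
            return self.static[private_ip]            # always the same public address
        if private_ip in self.dynamic:
            return self.dynamic[private_ip]           # reuse the current lease
        in_use = set(self.dynamic.values())
        for public_ip in self.pool:
            if public_ip not in in_use:
                self.dynamic[private_ip] = public_ip  # lease a free pool address
                return public_ip
        return None

    def inbound(self, public_ip: str) -> Optional[str]:
        """Find the private host a packet addressed to public_ip is delivered to."""
        for private_ip, mapped in self.static.items():
            if mapped == public_ip:
                return private_ip     # reachable even with no prior outbound traffic
        for private_ip, mapped in self.dynamic.items():
            if mapped == public_ip:
                return private_ip     # only while the dynamic lease exists
        return None

    def release(self, private_ip: str) -> None:
        """Return a dynamically leased address to the pool (e.g. on session timeout)."""
        self.dynamic.pop(private_ip, None)


def demo() -> Dict[str, Optional[str]]:
    """Exercise both NAT kinds on constructed addresses and return the translations."""
    nat = NatTable(static={"10.1.1.10": "203.0.113.10"},        # internal web server
                   pool=["203.0.113.20", "203.0.113.21"])       # two-address dynamic pool
    result: Dict[str, Optional[str]] = {
        "web_server_inbound": nat.inbound("203.0.113.10"),   # static: works immediately
        "client_a": nat.outbound("10.1.1.50"),               # first pool address
        "client_b": nat.outbound("10.1.1.51"),               # second pool address
        "client_c": nat.outbound("10.1.1.52"),               # pool exhausted -> None
        "unmapped_inbound": nat.inbound("203.0.113.99"),     # no translation -> None
    }
    nat.release("10.1.1.50")                                  # client A's session ends
    result["client_c_after_release"] = nat.outbound("10.1.1.52")  # gets the freed address
    result["freed_address_now_reaches"] = nat.inbound("203.0.113.20")
    return result
```

The contrast the definitions draw is visible in the results: the static entry answers an inbound lookup before any traffic has left, whereas a dynamic address reaches whichever private host currently holds the lease and reaches nobody once the pool is empty.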
System IP vs Failover IP
System IP: the address of the primary unit upon bootup
Failover IP: the address of the secondary unit
The secondary unit must rebuild the info to perform the functions of the failed unit.
Guards
flood guard, frag guard, mail guard, and DNS guard
Advanced filtering
Multimedia support
Spoof detection (via uRPF)
Protocol fixup
sysopt commands
Multicast support
Fragment handling
Case studies
PIX with 3 interfaces, running a web server on the DMZ
PIX setup for failover to a secondary device
PIX setup to use the alias command for a server sitting on the DMZ (a case of NAT on the destination address)
PIX setup for cut-through proxy authentication and authorization
Scaling PIX configurations using object groups and turbo ACLs