SECURITY ALERT
It is possible to launch a denial of service (DoS) attack on the PIX firewall by initiating many login attempts against the AAA authentication mechanism without providing any login information. Each login attempt creates a connection that remains open until a PIX timeout expires. By initiating enough attempts, the attacker could exhaust AAA resources so that no further login attempts can be serviced. The PIX firewall has a feature called Floodguard, which protects against this attack by reclaiming resources that are not in an active state. Floodguard is enabled by default. You can find more details on this feature in Chapter 4.
Here is an example of AAA authentication for Telnet services through the firewall:
PIX1(config)# aaa-server AuthOut protocol tacacs+
PIX1(config)# aaa-server AuthOut (inside) host 192.168.1.20 PIX1authkey
PIX1(config)# aaa authentication include telnet outbound 0 0 0 0 AuthOut
In this example, cut-through proxy is enabled for Telnet from any host to any host. After completing the configuration, any outbound Telnet session to a device through the PIX firewall results in an authentication challenge from the PIX firewall, and then the user is connected to the device to which the user initiated the session. For example, Figure 5.31 shows a successful Telnet connection through the PIX firewall to a Cisco router. The user authenticates against the PIX firewall, and then the Telnet session to the router is established.
www.syngress.com
The syntax for setting the uauth timers is:
timeout uauth hh:mm:ss [absolute | inactivity]
If the absolute or inactivity keywords are not used, the absolute timer is adjusted. To view the timeout values, use the following command:
show timeout uauth
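The difference between the absolute and inactivity uauth timers is easier to see in a small model than in the syntax line alone. The following is an added example, not code from the book or from Cisco: it parses the timeout uauth command (defaulting to the absolute timer when no keyword is given, as described above) and models a per-source-IP authentication cache. The cache semantics (a cached entry lets new connections from the same address through without a fresh challenge; an absolute value of 0 disables caching; an inactivity value of 0 disables that timer; the 5 minute absolute default) are assumptions stated in the comments, not taken from this page.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# timeout uauth hh:mm:ss [absolute | inactivity]
UAUTH_CMD = re.compile(
    r"^timeout\s+uauth\s+(\d+):(\d{1,2}):(\d{1,2})(?:\s+(absolute|inactivity))?$"
)


def parse_timeout_uauth(line: str) -> Tuple[int, str]:
    """Return (seconds, timer_kind) for a timeout uauth command line.

    When the keyword is omitted the absolute timer is adjusted, as the
    chapter states.
    """
    m = UAUTH_CMD.match(line.strip())
    if not m:
        raise ValueError(f"not a timeout uauth command: {line!r}")
    hours, minutes, seconds, kind = m.groups()
    total = int(hours) * 3600 + int(minutes) * 60 + int(seconds)
    return total, kind or "absolute"


@dataclass
class UauthCache:
    """Simplified model of the cut-through proxy user authentication cache.

    Assumptions (not from the page): entries are keyed by source IP; the
    default absolute timer is 5 minutes; absolute == 0 disables caching
    (every connection is challenged); inactivity == 0 disables that timer.
    """
    absolute: int = 300
    inactivity: int = 0
    # ip -> [time_authenticated, time_of_last_activity]
    entries: Dict[str, List[int]] = field(default_factory=dict)

    def apply(self, line: str) -> None:
        """Apply a timeout uauth command to this cache's policy."""
        seconds, kind = parse_timeout_uauth(line)
        setattr(self, kind, seconds)

    def record_auth(self, ip: str, now: int) -> None:
        """The user behind ip has just answered the PIX challenge."""
        self.entries[ip] = [now, now]

    def needs_auth(self, ip: str, now: int) -> bool:
        """True if a new connection from ip at time now must be challenged.

        A valid cache hit counts as activity and refreshes the inactivity timer.
        """
        entry = self.entries.get(ip)
        if entry is None:
            return True
        authenticated_at, last_activity = entry
        if self.absolute == 0 or now - authenticated_at >= self.absolute:
            del self.entries[ip]          # absolute lifetime exceeded
            return True
        if self.inactivity and now - last_activity >= self.inactivity:
            del self.entries[ip]          # user went idle too long
            return True
        entry[1] = now
        return False


if __name__ == "__main__":
    cache = UauthCache()
    cache.apply("timeout uauth 0:05:00")             # absolute, keyword omitted
    cache.apply("timeout uauth 0:01:00 inactivity")
    cache.record_auth("10.1.1.5", 0)
    for t in (30, 80, 150):
        print(t, "challenge" if cache.needs_auth("10.1.1.5", t) else "cached")
```

Walking the constructed timeline in the block: the user is challenged at t=0, passes through from cache at t=30 and t=80 (each hit refreshes the inactivity timer), and is challenged again at t=150 because 70 seconds of idle time exceed the 60 second inactivity timer even though the 5 minute absolute timer has not run out.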
264 Chapter 5 • Authentication, Authorization, and Accounting
Here's an example of AAA authentication for FTP services through the firewall:
PIX1(config)# aaa-server AuthOut protocol tacacs+
PIX1(config)# aaa-server AuthOut (inside) host 192.168.1.20 PIX1authkey
PIX1(config)# aaa authentication include ftp outbound 0 0 0 0 AuthOut
In this example, any outbound FTP session to a host through the PIX firewall results first in an authentication challenge from the PIX firewall, then an authentication challenge from the device to which the user is connecting. For example, Figure 5.32 shows the cut-through proxy authentication prompt for an FTP connection request through the PIX firewall.
Figure 5.31 Cut-Through Proxy Telnet Prompt
Figure 5.32 Cut-Through Proxy FTP Prompt
Here is an example of AAA authentication for HTTP services through the firewall:
PIX1(config)# aaa-server AuthOut protocol tacacs+
PIX1(config)# aaa-server AuthOut (inside) host 192.168.1.20 PIX1authkey
PIX1(config)# aaa authentication include http outbound 0 0 0 0 AuthOut
In this example, any outbound HTTP session to a host through the PIX firewall results first in an authentication challenge from the PIX firewall, then a session is established to the device to which the user is connecting. The HTTP host the user is connecting to may reprompt for authentication. For example, Figure 5.33 shows the authentication prompt for an HTTP connection request through the PIX firewall.
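The three cut-through proxy examples above (Telnet, FTP, HTTP) share the same shape: a server group defined with protocol, a host added to that group, and an aaa authentication rule that references the group by tag. A reviewer checking such a configuration wants to know that every referenced group is actually defined and has a server, how broad the 0 0 0 0 scope is, and that Floodguard has not been switched off. The following checker is an added example written for this page, not code from the book or from Cisco. It recognises only the command forms shown in this chapter plus the floodguard disable command; the sample configuration it parses is constructed from the Telnet example above, and the finding texts are this example's own.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample: the chapter's Telnet cut-through proxy example.
SAMPLE_CONFIG = """\
PIX1(config)# aaa-server AuthOut protocol tacacs+
PIX1(config)# aaa-server AuthOut (inside) host 192.168.1.20 PIX1authkey
PIX1(config)# aaa authentication include telnet outbound 0 0 0 0 AuthOut
"""

PROMPT = re.compile(r"^\S+\(config\)#\s*")
# aaa-server <tag> protocol <tacacs+|radius>
SERVER_PROTO = re.compile(r"^aaa-server\s+(\S+)\s+protocol\s+(\S+)$")
# aaa-server <tag> (<interface>) host <ip> <key>
SERVER_HOST = re.compile(r"^aaa-server\s+(\S+)\s+\((\S+)\)\s+host\s+(\S+)\s+(\S+)$")
# aaa authentication include|exclude <service> inbound|outbound
#     <local_ip> <local_mask> <foreign_ip> <foreign_mask> <tag>
AUTH_RULE = re.compile(
    r"^aaa\s+authentication\s+(include|exclude)\s+(\S+)\s+(inbound|outbound)"
    r"\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)$"
)


def strip_prompt(line: str) -> str:
    """Remove a pasted 'PIX1(config)# ' prompt so raw and pasted lines parse alike."""
    return PROMPT.sub("", line.strip())


def check_aaa_config(text: str) -> List[str]:
    """Return findings (ERROR/WARN/INFO strings) for a PIX AAA configuration."""
    protocols: Dict[str, str] = {}
    hosts: Dict[str, List[str]] = {}
    rules: List[Tuple[str, ...]] = []
    floodguard_disabled = False

    for raw in text.splitlines():
        line = strip_prompt(raw)
        if not line:
            continue
        if (m := SERVER_PROTO.match(line)):
            protocols[m.group(1)] = m.group(2)
        elif (m := SERVER_HOST.match(line)):
            hosts.setdefault(m.group(1), []).append(m.group(3))
        elif (m := AUTH_RULE.match(line)):
            rules.append(m.groups())
        elif line == "floodguard disable":
            floodguard_disabled = True

    findings: List[str] = []
    for _action, service, direction, lip, lmask, fip, fmask, tag in rules:
        if tag not in protocols:
            findings.append(
                f"ERROR: rule for {service} {direction} references undefined server group {tag}"
            )
            continue
        if not hosts.get(tag):
            findings.append(
                f"ERROR: server group {tag} ({protocols[tag]}) has no host; "
                f"cut-through proxy for {service} cannot authenticate anyone"
            )
        if (lip, lmask, fip, fmask) == ("0", "0", "0", "0"):
            findings.append(
                f"INFO: {service} {direction} authentication applies to any local host and any foreign host"
            )
    if floodguard_disabled:
        # Floodguard is what reclaims idle, unauthenticated AAA connections
        # (see the Security Alert at the top of this section).
        findings.append(
            "WARN: floodguard is disabled; idle unauthenticated AAA connections are not reclaimed"
        )
    return findings


if __name__ == "__main__":
    for finding in check_aaa_config(SAMPLE_CONFIG):
        print(finding)
```

Run against the chapter's Telnet example, the checker reports only the informational finding about the any-to-any scope; feeding it a configuration whose aaa authentication rule names a group with no host line, or one containing floodguard disable, produces the corresponding ERROR and WARN lines.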
Figure 5.33 Cut-Through Proxy HTTP Prompt