PPPoE

Point-to-Point Protocol over Ethernet (PPPoE), defined in RFC 2516, is an encapsulation of the Point-to-Point Protocol (PPP, RFC 1661) for Ethernet networks (which include DSL modems and cable connections). PPPoE is widely used in SOHO environments because it allows ISPs to reuse their existing remote access infrastructure and, as its most important feature, allows authenticated IP address assignment. PPPoE links are established in two main phases:

• Active discovery stage: During this first phase, a PPPoE client attempts discovery of the PPPoE server, also called the access concentrator (AC). The PPPoE layer is established and a session ID is assigned.

• PPP session stage: A PPP link is established (encapsulated in Ethernet) by the usual means: options and link layer protocols are negotiated, etc. PPP authentication (PAP, CHAP, or MS-CHAP) is performed.

After the session is established, data travels between the endpoints encapsulated in PPPoE headers.

The PIX firewall supports PPPoE since software version 6.2. Most of the PPPoE configuration is performed using the vpdn command. PPPoE configuration starts with configuring the username and password to be used by the PIX in establishing a link to the server.

NOTE

The PIX only supports PPPoE client functionality. PPPoE clients can be enabled only on the outside interface at this time (version 6.2).

First, a VPDN group needs to be created:

vpdn group group_name request dialout pppoe

www.syngress.com

210 Chapter 4 • Advanced PIX Configurations

The group_name parameter can be anything you like. It is used to group all PPPoE settings together. For example:

PIX1(config)# vpdn group my-pppoe-group request dialout pppoe

Then the authentication type needs to be selected (if required by an ISP):

vpdn group group_name ppp authentication pap | chap | mschap

PAP is Password Authentication Protocol, CHAP is Challenge-Handshake Authentication Protocol, and MS-CHAP is Microsoft's version of CHAP. With the same group name, this command selects an authentication protocol for this specific PPPoE group, for example, with CHAP authentication:

PIX1(config)# vpdn group my-pppoe-group ppp authentication chap

Your ISP assigns the username and password to your system, and they are configured on the PIX with the following commands:

vpdn group group_name localname username
vpdn username username password password

The second of these commands associates a username with the password, and the first command assigns the username to be used for a specific group, for example:

PIX1(config)# vpdn group my-pppoe-group localname witt
PIX1(config)# vpdn username witt password cruelmail

These commands assign the username witt and password cruelmail to be used for the PPPoE dialout group my-pppoe-group. After configuring authentication, the next task is to enable the PPPoE client on the PIX. This is done in the configuration of the outside interface:

ip address outside pppoe [setroute]

After this command is entered, the current PPPoE session is terminated and a new one is established. The setroute parameter allows automatically setting the default route for the outside interface. The MTU on the outside interface is automatically set to 1492, which is the correct setting to accommodate PPPoE encapsulation.
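As an added illustration (not code from the book or from Cisco) of the discovery stage described at the start of this section, and of why the outside MTU becomes 1492, here is a Python model of the PADI/PADO/PADR/PADS exchange from RFC 2516 with both the client and the access concentrator simulated in-process; the AC name, service name, cookie handling and session numbering are constructed assumptions.

```python
"""PPPoE Active Discovery stage (RFC 2516) modelled in-process: a client and an
access concentrator (AC) exchange PADI -> PADO -> PADR -> PADS, after which a
non-zero SESSION_ID identifies the PPP session. Constructed example; no network I/O."""
from __future__ import annotations
import os
import struct

ETH_P_PPPOE_DISC, ETH_P_PPPOE_SESS = 0x8863, 0x8864   # EtherTypes: discovery / session stage
PADI, PADO, PADR, PADS, PADT = 0x09, 0x07, 0x19, 0x65, 0xA7   # discovery CODE values
TAG_END_OF_LIST, TAG_SERVICE_NAME, TAG_AC_NAME = 0x0000, 0x0101, 0x0102
TAG_HOST_UNIQ, TAG_AC_COOKIE = 0x0103, 0x0104
VER_TYPE = 0x11          # VER=1 and TYPE=1 packed into one byte


def build_discovery(code: int, session_id: int, tags: list[tuple[int, bytes]]) -> bytes:
    """PPPoE payload: VER/TYPE, CODE, SESSION_ID, LENGTH, then TLV-encoded TAGs."""
    body = b"".join(struct.pack("!HH", tag, len(value)) + value for tag, value in tags)
    return struct.pack("!BBHH", VER_TYPE, code, session_id, len(body)) + body


def parse_discovery(payload: bytes) -> tuple[int, int, dict[int, bytes]]:
    """Validate header fields and return (code, session_id, {tag_type: value})."""
    if len(payload) < 6:
        raise ValueError("truncated PPPoE header")
    ver_type, code, session_id, length = struct.unpack("!BBHH", payload[:6])
    if ver_type != VER_TYPE:
        raise ValueError("unsupported PPPoE VER/TYPE")
    if length != len(payload) - 6:
        raise ValueError("LENGTH does not match payload")
    tags: dict[int, bytes] = {}
    pos = 6
    while pos + 4 <= len(payload):
        tag, tlen = struct.unpack("!HH", payload[pos:pos + 4])
        if tag == TAG_END_OF_LIST:
            break
        if pos + 4 + tlen > len(payload):
            raise ValueError("TAG runs past end of payload")
        tags[tag] = payload[pos + 4:pos + 4 + tlen]
        pos += 4 + tlen
    return code, session_id, tags


class AccessConcentrator:
    """Server side. It answers PADI with PADO plus a cookie, and hands out a
    SESSION_ID only to a PADR that returns that cookie. The name is constructed."""

    def __init__(self, name: bytes = b"example-ac") -> None:
        self.name = name
        self.next_session = 1             # 0x0000 means "no session", 0xFFFF is reserved
        self.outstanding: set[bytes] = set()

    def handle(self, payload: bytes) -> bytes | None:
        code, session_id, tags = parse_discovery(payload)
        if session_id != 0 or TAG_HOST_UNIQ not in tags:
            return None                   # discovery frames carry SESSION_ID 0
        if code == PADI:
            cookie = os.urandom(8)
            self.outstanding.add(cookie)
            return build_discovery(PADO, 0, [
                (TAG_AC_NAME, self.name),
                (TAG_SERVICE_NAME, tags.get(TAG_SERVICE_NAME, b"")),
                (TAG_AC_COOKIE, cookie),
                (TAG_HOST_UNIQ, tags[TAG_HOST_UNIQ]),
            ])
        if code == PADR and tags.get(TAG_AC_COOKIE) in self.outstanding:
            self.outstanding.discard(tags[TAG_AC_COOKIE])
            session_id, self.next_session = self.next_session, self.next_session + 1
            return build_discovery(PADS, session_id, [
                (TAG_SERVICE_NAME, tags.get(TAG_SERVICE_NAME, b"")),
                (TAG_HOST_UNIQ, tags[TAG_HOST_UNIQ]),
            ])
        return None                       # unknown cookie or unexpected code: silently dropped


def client_discovery(ac: AccessConcentrator, service: bytes = b"") -> int:
    """Client side of the exchange; returns the SESSION_ID granted in PADS."""
    host_uniq = os.urandom(4)             # lets the client match replies to its own request
    pado = ac.handle(build_discovery(PADI, 0, [(TAG_SERVICE_NAME, service), (TAG_HOST_UNIQ, host_uniq)]))
    if pado is None:
        raise RuntimeError("no PADO received")
    code, sid, tags = parse_discovery(pado)
    if code != PADO or sid != 0 or tags.get(TAG_HOST_UNIQ) != host_uniq or TAG_AC_COOKIE not in tags:
        raise RuntimeError("unexpected reply to PADI")
    pads = ac.handle(build_discovery(PADR, 0, [
        (TAG_SERVICE_NAME, service), (TAG_HOST_UNIQ, host_uniq), (TAG_AC_COOKIE, tags[TAG_AC_COOKIE])]))
    if pads is None:
        raise RuntimeError("no PADS received")
    code, sid, _ = parse_discovery(pads)
    if code != PADS or sid in (0, 0xFFFF):
        raise RuntimeError("AC did not grant a session")
    return sid


def pppoe_mtu(ethernet_mtu: int = 1500) -> int:
    """Why the PIX sets the outside MTU to 1492: the 6-byte PPPoE header and the
    2-byte PPP protocol field are carved out of the 1500-byte Ethernet payload."""
    return ethernet_mtu - 6 - 2
```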

It is also possible to designate a fixed IP address for the outside interface. The PIX still has to provide the ISP with the correct username and password in order to establish the session:

PIX1(config)# ip address outside 1.2.3.4 255.255.255.0 pppoe

It is possible to use the dhcpd auto_config command if you run the DHCP server on the PIX in order to pick up DNS and WINS settings from your provider via the PPPoE client:

PIX1(config)# dhcpd auto_config outside

To monitor and troubleshoot the PPPoE client, use the following commands:

show ip address outside pppoe
debug pppoe event | error | packet
show vpdn session pppoe [id | packets | state | window]

Examples of output are as follows:

PIX1(config)# show vpdn
Tunnel id 0, 1 active sessions
time since change 10240 secs
Remote Internet Address 10.0.1.1
Local Internet Address 192.168.2.254
1006 packets sent, 1236 received, 98761 bytes sent, 123765 received
Remote Internet Address is 10.0.1.1
Session state is SESSION_UP
Time since event change 10237 secs, interface outside
PPP interface id is 1
1006 packets sent, 1236 received, 98761 bytes sent, 123765 received

PIX1(config)# show vpdn tunnel
PPPoE Tunnel Information (Total tunnels=1 sessions=1)
Tunnel id 0, 1 active sessions
time since change 10240 secs
Remote Internet Address 10.0.1.1
Local Internet Address 192.168.2.254
1006 packets sent, 1236 received, 98761 bytes sent, 123765 received

PIX1(config)# show vpdn session
PPPoE Session Information (Total tunnels=1 sessions=1)
Remote Internet Address is 10.0.1.1
Session state is SESSION_UP
Time since event change 100238 secs, interface outside
PPP interface id is 1
1006 packets sent, 1236 received, 98761 bytes sent, 123765 received

Summary

The Cisco PIX firewall is an advanced product and has many different options for supporting various application-layer protocols as well as protecting against network-layer attacks. It also supports content filtering for outbound Web access, intrusion detection, various routing options such as RIP and stub multicast routing, and DHCP server and client functionality.

Many protocols embed additional IP address information inside the exchanged packets or require additional connections on nonfixed ports in order to function properly. These functions are handled by the PIX application inspection feature (also known as fixup). The PIX supports FTP clients and servers in active and passive modes, DNS, RSH, RPC, SQL*Net, and LDAP protocols. It also supports various streaming protocols such as Real-Time Streaming Protocol, NetShow, and VDO Live. Another set of supported protocols includes H.323, SCCP, and SIP, all used in VoIP applications. The PIX monitors passing packets for the embedded information and updates its tables or permits new connections according to this information. It is also able to NAT these embedded addresses in several cases.

Content filtering features on the PIX can be used to enforce a company's acceptable use policy. The PIX can interface with Websense (www.websense.com) or N2H2 (www.n2h2.com) servers and deny or permit internal clients access to specific Web sites. The PIX is also able to filter out Java applets and ActiveX code from incoming Web pages to protect clients against malicious code.

The PIX firewall supports the same set of atomic intrusion detection signatures as the Cisco IOS firewall. This set is a subset of the signatures supported by the Cisco Secure IDS product. These signatures are divided into two sets: informational and attack. It is possible to configure different response options for each set of signatures. The responses range from simple alerting via syslog to blocking the connection in which a signature was detected.

For SOHO environments, the PIX firewall provides DHCP server and client functionality, although the server capabilities are rather limited. The DHCP server supports a couple of specific options that are used by Cisco IP Phones. Other useful PIX features include support of stub multicast routing and PPP over Ethernet client capabilities. It also supports RIP versions 1 and 2, including authentication and multicast updates for version 2.

Finally, the PIX has embedded protection against various DoS attacks, such as SYN floods, attacks on AAA mechanisms, and excessive fragmentation. Antispoofing is supported by the reverse-path forwarding feature.

Solutions Fast Track

Handling Advanced Protocols

• Many applications use more than one connection to operate; only one of these connections occurs on a well-known port, while the others use dynamically assigned port numbers, which are negotiated in the process of communication. This makes firewalling by means of access lists very difficult. The PIX supports application inspection for many such protocols, which allows it to function correctly with them.

• The main command used to configure application inspection is the fixup command. It can be used for simpler protocols such as FTP, SMTP, or RSH.

• Newer versions of the PIX firewall offer support for various VoIP protocols, such as H.323, SCCP, and SIP.

Filtering Web Traffic

• Filtering Web traffic can be useful in two main cases. The first is if you want to use your firewall to enforce security policies such as an acceptable use policy, which may specify that internal users cannot use the company's Internet connection to browse certain categories of Web sites. The second is to protect internal users from malicious Web servers that embed executable applets in their Web pages, because such executable content can contain viruses or Trojan horses.

• The PIX supports two types of content filtering servers: Websense and N2H2. The main commands for configuring this feature are filter-url and url-server. The PIX also provides many commands for monitoring and tuning the filtering process.

• Active code filtering is limited to stripping the corresponding tags from the source of incoming Web pages. This stripping can only occur when the opening and closing tags are contained in the same IP packet. This filtering is configured with the filter java and filter activex commands.

Configuring Intrusion Detection

• The PIX supports a limited embedded set of (over 55) IDS signatures. These are signatures that can be detected by examining a single packet and do not require any session information. This set can be updated only by upgrading the PIX software.

• The signatures are divided into two sets: informational and attack. It is possible to configure different response options for each set: a syslog alarm, dropping the packet, or dropping the whole connection in which the attack has occurred.

• Any signature can be disabled so that it will no longer be detected. This change has a global effect; the signature will not be detected on any interface by any inspection until it is enabled again.

DHCP Functionality

• The Cisco PIX firewall can act both as a DHCP server and a client. PIX DHCP features are best suited for small networks because they have some limitations; for example, a DHCP server can support a maximum of 256 clients. There is also no BOOTP support and no failover support.

• The DHCP client can be configured only on the outside interface. It is able to obtain an IP address, subnet mask, default route, and DNS and WINS settings from the server. The obtained address can be used for NAT or PAT on the outside interface.

• The DHCP server can be configured only on the inside interface and serves only directly connected clients. The number of active clients depends on the PIX model and software version. It is possible to pass some settings that are obtained by the PIX DHCP client from the outside interface to the DHCP server running on the inside interface.

Other Advanced Features

• The PIX has built-in protection against DoS attacks such as SYN floods and AAA resource exhaustion. It also supports virtual reassembly of IP fragments and can impose some other limitations on fragmented traffic.

• The PIX supports antispoofing protection using reverse-path forwarding (RPF). It also supports advanced routing features such as dynamic routing using RIP versions 1 and 2 and stub multicast routing.

• The PIX firewall can act as a PPPoE client on DSL or cable connections.

Frequently Asked Questions

The following Frequently Asked Questions, answered by the authors of this book, are designed to both measure your understanding of the concepts presented in this chapter and to assist you with real-life implementation of these concepts. To have your questions about this chapter answered by the author, browse to www.syngress.com/solutions and click on the “Ask the Author” form.

Q: What happens when FTP fixup is not enabled?

A: There are several cases:

• Outbound active FTP sessions will not work because the outside servers will not be able to open a data channel to an inside client.

• Outbound passive FTP sessions will work normally if outbound traffic is not completely disabled, because all connections in this case are initiated by an inside client.

• Inbound active FTP connections will work normally if there are a static NAT entry and an access list allowing outside clients to connect to the inside server.

• Inbound passive FTP connections will not work because outside clients will not be able to open data connections to the inside server.

Q: I have a PIX and an SMTP server configured on its inside network. Sometimes I get two copies of incoming mail messages. What is wrong with my server?

A: Nothing is wrong; there is a slight misbehavior on the PIX side. You probably have fixup protocol smtp configured. Some versions of PIX software send an error message to relaying servers when the final dot in the message body and the characters that follow it are not in the same IP packet. In this case, your internal server accepts the message for delivery, but the outside relaying server treats this as an error and attempts delivery again. Most of the time, this situation does not happen twice in a row, so the second time delivery goes without error and you receive two copies of the same message. If this really irritates you, either turn SMTP fixup off or upgrade the PIX software.

Q: Is it possible to filter e-mail content in any way similar to Web content filtering?

A: No, this is not possible. The PIX does not inspect the contents of TCP packets related to e-mail and currently does not support any outside filtering servers.

Q: I have two links to my ISP, and I turned on RPF. Now half my traffic is being denied by the PIX. What should I do?

A: The only solution here is to turn RPF checking off. It simply does not work in a situation with asymmetric routing, where a response to a packet may come on a path other than the packet itself.

Q: I cannot get NFS to work through the PIX, although I configured an access list that permits clients access to the portmapper on the server.

A: You are probably using NFS over TCP. The PIX does not support application inspection for RPC connections over TCP. Reconfigure your server to use UDP only.

Access Control and Other Options

It is possible to restrict access to multicast transmissions using the usual PIX means: access lists. In the previous case with hosts on the inside interface, we could restrict the groups from which the internal hosts can receive transmissions. For example, to allow only multicast transmissions to the group address 224.1.1.1, you should create an access list similar to this:

PIX1(config)# access-list 10 permit igmp any 224.1.1.1 255.255.255.255

Then apply it to the outside interface:

PIX1(config)# multicast interface outside
PIX1(config-multicast)# igmp access-group 10

Now only IGMP reports for group 224.1.1.1 will be able to pass through the PIX, and thus only members of this group will be known to a multicast router. This prevents the router from sending traffic destined for any other group address in this direction.

Other subcommands of the multicast command include:

igmp query-interval

This command sets the interval at which IGMP messages will be sent out this interface. The default interval is 60 seconds. The maximum timeout for a response (for IGMP version 2 only) can be set using:

igmp query-max-response-time

The default setting is 10 seconds.

Configured settings can be cleared using similar clear commands. The following command clears the IGMP group either for a specific group address or the whole group on the specified interface:

clear igmp group [group_address | interface if_name]

The following command clears multicast routes for a specified transmission source, for a group address, or all routes on the interface:

clear mroute [src | group_address | interface if_name]

Another set of commands allows viewing of the multicast configuration for the interface, multicast group, routes, and so on:

show igmp
show multicast [interface if_name]
show igmp group [group_address | interface if_name]
show mroute [src | group_address | interface if_name]

An example output of the show igmp command is:

pix(config)# show igmp
IGMP is enabled on interface inside
Current IGMP version is 2
IGMP query interval is 60 seconds
IGMP querier timeout is 125 seconds
IGMP max query response time is 10 seconds
Last member query response interval is 1 seconds
Inbound IGMP access group is
IGMP activity: 0 joins, 0 leaves
IGMP querying router is 10.0.1.1 (this system)
IGMP Connected Group Membership
Group Address Interface Uptime Expires Last Reported

Two debug commands allow monitoring of multicast-related events. This command monitors all IGMP messages passing through the PIX:

debug igmp

The following command monitors all events related to multicast forwarding:

debug mfwd

SMR Configuration with Clients on a Less Secure Interface

This case is simpler. All you need to do is enable multicast processing on both interfaces and create static multicast routes for passing traffic between the clients and the servers (and routers). Multicast processing is enabled with:

PIX1(config)# multicast interface outside
PIX1(config-multicast)# exit
PIX1(config)# multicast interface inside

Multicast routes are created using the mroute command (which is not a subcommand of the multicast command):

mroute src srcmask in-if-name dst dstmask out-if-name

The src and srcmask parameters are the IP address and subnet mask of a multicast source host/router (just ordinary IP addresses, not multicast addresses). The in-if-name parameter specifies the interface connected to the source. dst and dstmask are the multicast group address and subnet mask to which the server is sending its transmission. Finally, out-if-name is the interface connected to the multicast clients. For example:

PIX1(config)# mroute 192.168.2.25 255.255.255.255 inside 224.0.1.1 255.255.255.255 outside

Here is an example configuration in the case of two servers: 192.168.2.25 on the inside interface multicasting to group 224.1.1.1 and 10.2.3.4 on the dmz interface multicasting to the group 230.1.1.1, and no internal clients:

PIX1(config)# multicast interface outside
PIX1(config-multicast)# exit
PIX1(config)# multicast interface inside
PIX1(config-multicast)# exit
PIX1(config)# multicast interface dmz
PIX1(config-multicast)# exit
PIX1(config)# mroute 192.168.2.25 255.255.255.255 inside 224.1.1.1 255.255.255.255 outside
PIX1(config)# mroute 10.2.3.4 255.255.255.255 dmz 230.1.1.1 255.255.255.255 outside

SMR Configuration with Clients on a More Secure Interface

In this case, a multicast router and a server are on the outside interface of the PIX firewall, and the clients are on the inside. The PIX needs to be able to pass multicast traffic from the server and IGMP requests from the router to the inside hosts. It also needs to pass IGMP messages from the internal hosts to the outside router.

All SMR configurations start with the following configuration mode command:

multicast interface if_name [max-groups number]

This command enables multicast features on the specified interface. The interface is placed into multicast promiscuous mode, and it enters a submode of multicast configuration for a specific interface. (This is a rare case with the PIX because there are very few submodes in configuration mode.) An optional max-groups parameter defines the number of multicast groups that can appear on the interface at any given time. The default setting is 500; the number can be up to 2000. This mode has subcommands like this:

igmp

Figure 4.13 IGMP Used to Report Membership in a Multicast Group

[Figure: a multicast server sends transmissions to group 224.0.1.1. The router periodically asks for group membership reports ("Who is in 224.0.1.1?"). Only Client 3 and Client 4 are in this group, so they are the only hosts that answer the router's request ("I am in 224.0.1.1"). When transmission starts, the router will only forward it to these two hosts.]

NOTE

To set the version of IGMP used, use the igmp version {1 | 2} subcommand under the multicast command.

In our case, the PIX needs at least to be able to receive multicast transmissions on its outside interface, so we need to configure:

PIX(config)# multicast interface outside

Actually, there is not much more to configure on the outside interface. We can optionally configure some counters and protocol options or access control, but this is not specific to a case and is described later. After exiting this multicast configuration mode (but while we're still in configuration mode), we need to configure multicast on the inside interface:

PIX1(config)# multicast interface inside

The inside interface needs some more configuration. After we enter this mode, we need to configure the interface to which the PIX should forward all IGMP messages from clients. This is the less secure interface where the router is located:

PIX1(config-multicast)# igmp forward interface outside

Don't forget that this command is entered while we are in the interface multicast configuration mode. Outside is the name of the interface to forward IGMP messages to from the interface being configured. If you have a multicast router on an interface called dmz1, the command will look like:

PIX1(config-multicast)# igmp forward interface dmz1

If any clients on the inside network are not IGMP-capable, but we still want them to receive multicast traffic from some group, we need to configure the inside interface to join this multicast group statically with the command:

igmp join-group group_address

For example:

PIX1(config-multicast)# igmp join-group 224.1.1.1

With this interface configured, the PIX outside interface acts as a host interested in receiving transmissions for this group, and then the received data will be forwarded to the inside network. Here is an example of the simplest multicast configuration:

PIX1(config)# multicast interface outside
PIX1(config-multicast)# exit
PIX1(config)# multicast interface inside
PIX1(config-multicast)# igmp forward interface outside

Here is a more complicated example with non-IGMP-capable multicast clients who want to receive transmissions for group 224.10.0.9:

PIX1(config)# multicast interface outside
PIX1(config-multicast)# exit
PIX1(config)# multicast interface inside
PIX1(config-multicast)# igmp forward interface outside
PIX1(config-multicast)# igmp join-group 224.10.0.9

Clients on two interfaces, inside and dmz:

PIX1(config)# multicast interface outside
PIX1(config-multicast)# exit
PIX1(config)# multicast interface inside
PIX1(config-multicast)# igmp forward interface outside
PIX1(config-multicast)# exit
PIX1(config)# multicast interface dmz
PIX1(config-multicast)# igmp forward interface outside

Stub Multicast Routing

IP multicasting is becoming more popular, especially in SOHO environments, where hosts are connected via fast links. Multicasting was introduced as a method of packet delivery to multiple hosts. In broadcasting, each host receives all packets sent by a server. In multicasting, a host must join one or more multicast groups, represented by a specific IP address (these addresses are 224.0.0.0-239.255.255.255), and then it will listen only for packets destined for this group. Of course, the nature of broadcasting and multicasting implies that they can be used only for UDP transmission, because TCP always requires two endpoints.

So how exactly does multicasting work? As noted, there is a set of multicast group addresses (Class D IP addresses, 224.0.0.0 through 239.255.255.255). A group of hosts listening to a particular multicast group address is called a host group. A host group is not limited to one network and can include hosts from many networks at the same time. Membership in a group is dynamic; hosts can enter and leave a group at will. The number of hosts in a group is not limited, and a host does not have to be a member of the group to send a message to this group.

When a host sends a message to a specific group address, this address is not subject to the ARP resolution process. It is simply converted into an Ethernet address by special rules, and an Ethernet frame is sent out with the resulting destination MAC address. If all recipients are on the same physical network, everything else is very simple: listening hosts decide if the packet is sent to them by looking at the MAC address and its correspondence with the group addresses they are listening on. But multicast groups are not limited to one network by definition, so there is a need for some means of passing these messages through routers and a means of informing routers if there are any hosts from a specific multicast group on a given physical network. This is done using the Internet Group Management Protocol (IGMP).

IGMP is similar to ICMP in that it is also considered part of the IP layer. It is IP protocol number 2. Its basic functionality is as follows:

• When a host joins a multicast group, it informs the router by sending it an IGMP message.

• When a host leaves the group, it does not send any messages about this event (see the next two points).

• A multicast router regularly sends IGMP requests out each of its interfaces requesting connected hosts to report the multicast groups to which they belong.

• A host responds to the request by sending one IGMP report for each group to which it belongs.

Figure 4.13 illustrates this IGMP exchange.
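An added example (not from the book or from Cisco) that carries out the two mechanisms just described in Python: the ARP-free mapping of a Class D address onto an Ethernet MAC, and the IGMPv2 query/report round of Figure 4.13 using IP protocol 2 messages. The four clients, their memberships and the query timings are constructed to match the figure and the show igmp output elsewhere on this page.

```python
"""Multicast addressing and the IGMP query/report exchange. Constructed example:
hosts and group memberships mirror Figure 4.13; nothing is sent on the wire."""
from __future__ import annotations
import ipaddress
import struct

IGMP_PROTO = 2                              # IP protocol number IGMP is carried under
IGMP_QUERY, IGMP_V1_REPORT, IGMP_V2_REPORT, IGMP_LEAVE = 0x11, 0x12, 0x16, 0x17
ALL_HOSTS = "224.0.0.1"                     # destination of a router's general query
GENERAL_QUERY_GROUP = "0.0.0.0"             # group field of a general query


def is_multicast(addr: str) -> bool:
    """Class D: the top four address bits are 1110, i.e. 224.0.0.0 through 239.255.255.255."""
    return (int(ipaddress.IPv4Address(addr)) >> 28) == 0b1110


def multicast_mac(group: str) -> str:
    """The fixed rule that replaces ARP (RFC 1112): 01:00:5e followed by the low
    23 bits of the group address. Five bits of the group number are dropped, so
    32 distinct groups share one MAC and a host must still check the IP destination."""
    if not is_multicast(group):
        raise ValueError(f"{group} is not a multicast group address")
    low23 = int(ipaddress.IPv4Address(group)) & 0x7FFFFF
    return "01:00:5e:%02x:%02x:%02x" % (low23 >> 16, (low23 >> 8) & 0xFF, low23 & 0xFF)


def inet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum, shared by IP, ICMP and IGMP."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def build_igmp(msg_type: int, group: str, max_resp_tenths: int = 0) -> bytes:
    """IGMPv2 message: type, max response time (tenths of a second, queries only),
    checksum, group address. A 10-second query response time is encoded as 100."""
    raw = struct.pack("!BBH4s", msg_type, max_resp_tenths, 0, ipaddress.IPv4Address(group).packed)
    return raw[:2] + struct.pack("!H", inet_checksum(raw)) + raw[4:]


def parse_igmp(msg: bytes) -> tuple[int, int, str]:
    """Verify the checksum and return (type, max_resp_tenths, group)."""
    if len(msg) < 8 or inet_checksum(msg[:8]) != 0:
        raise ValueError("bad IGMP length or checksum")
    msg_type, mrt, _, group = struct.unpack("!BBH4s", msg[:8])
    return msg_type, mrt, str(ipaddress.IPv4Address(group))


def answer_query(memberships: set[str], query: bytes) -> list[bytes]:
    """A host's reply to a query: one report per group it belongs to. A general
    query (group 0.0.0.0) asks about every group; a group-specific query names one."""
    msg_type, _, group = parse_igmp(query)
    if msg_type != IGMP_QUERY:
        return []
    asked = memberships if group == GENERAL_QUERY_GROUP else memberships & {group}
    return [build_igmp(IGMP_V2_REPORT, g) for g in sorted(asked)]


def groups_to_forward(hosts: dict[str, set[str]], query: bytes) -> dict[str, set[str]]:
    """What the querier learns from one round: group -> hosts that reported it.
    A stub router (or the PIX acting as IGMP proxy) forwards a group's traffic
    onto the segment only while at least one host keeps reporting membership."""
    learned: dict[str, set[str]] = {}
    for host, memberships in hosts.items():
        for report in answer_query(memberships, query):
            _, _, group = parse_igmp(report)
            learned.setdefault(group, set()).add(host)
    return learned
```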

Since version 6.2, the PIX can process multicast and IGMP messages. It does not have the full capabilities of a multicast router, but it can act as a “stub router” or IGMP proxy agent. An IGMP proxy agent is a device that is able to forward IGMP requests and replies between multicast routers and hosts. When the source and destination of multicast transmissions are separated by a PIX firewall, two obvious cases are possible: when the source of a transmission (or a multicast router) is on a lower security-level interface than the destination, and when the source (router) is on a higher security-level interface than the destination. Let's look at these two cases separately.


Routing Information Protocol

Besides static routes, the PIX firewall also supports the Routing Information Protocol (RIP) versions 1 and 2. This protocol is the simplest dynamic routing protocol and is described in RFCs 1058, 1388, and 2082. Roughly speaking, a router broadcasts (or it may use multicast in version 2) its entire routing table to its neighbors, and they update their tables.

Each PIX interface can be configured either to broadcast (multicast) itself as a default route for the network or to passively listen for routing updates from other routers on the LAN. The simple syntax of the RIP configuration command is as follows:

rip if_name [default | passive] version [1 | 2]

The default and passive keywords define the mode RIP runs in on the interface if_name. The default parameter specifies that a default route should be advertised, and passive means listening for updates from other routers. The version parameter specifies the version of RIP to use on the interface. If a version is not specified, version 1 is assumed. The major differences between RIPv1 and RIPv2 are that RIPv2 can use multicast to the address 224.0.0.9 instead of broadcasts and that it can use authentication. RIPv1 uses broadcasts only and no authentication of updates. RIPv2 is also a classless routing protocol, which means that it can exchange routing information for networks such as 172.16.1.0/24, whereas RIPv1 uses only networks of classes A, B, and C, for example, the Class B network 171.16.0.0/16. Generally, it is better to use RIPv2 if there is no need to interact with older RIPv1 devices.

NOTE

Before PIX version 5.3, the PIX firewall was capable of using only broadcasts for RIPv2. Versions 5.3 and later use multicast to the address 224.0.0.9. By default, when you use RIPv2 on the PIX, it sends updates to 224.0.0.9. If passive mode is configured with RIPv2, the PIX accepts multicast updates with the address 224.0.0.9, and this multicast address is registered on the corresponding interface. Only Intel 10/100 and Gigabit interfaces support multicasting. When RIP configuration commands are removed from the configuration, this multicast address is unregistered from the interface.

If you have a router that talks multicast RIPv2 to an older PIX (before version 5.3), the PIX will not receive any updates. It is possible to switch the router into unicast mode using the neighbor command in its RIP configuration section. The PIX is capable of receiving unicast updates in any version that supports RIP.

Here is an example of RIP v1 configuration:

PIX1(config)# show rip
rip outside passive
no rip outside default
rip inside passive
no rip inside default
PIX1(config)# rip inside default
PIX1(config)# show rip
rip outside passive
no rip outside default
rip inside passive
rip inside default

The first show rip command displays the default state of the configuration: all interfaces listen passively. Then the inside interface is configured to advertise itself as a default route. Note that the passive listening mode was not turned off by this command; you would need to disable it separately with no rip inside passive if you wanted to turn it off.

RIP v2 also supports two types of authentication: cleartext passwords and MD5 hashes. This feature of RIPv2 adds one extra field to the transmitted routing update, an authentication field. It can contain either a cleartext password (not recommended) or a keyed MD5 hash of the entire message. Keyed means that there is a shared key that is mixed into the message before the hash value is computed, so that only a party holding the key can produce a valid hash. With text authentication the key itself travels in cleartext inside every update, so anyone who can sniff the segment can read it and then inject routes; md5 keeps the key off the wire, although it still does not encrypt the routes themselves. PIX configuration is very simple in both cases: an extra parameter needs to be added to the basic configuration command:

rip <if_name> [default | passive] version 2 authentication [text | md5] <key> <key_id>

For example, the following command uses a cleartext password of mysecretkey while advertising the default gateway on the inside interface:

rip inside default version 2 authentication text mysecretkey 1

The following command listens only to the messages with a valid MD5 hash keyed by the key anothersecretkey:

rip outside passive version 2 authentication md5 anothersecretkey 2

The key_id parameter (a number at the end of the line) is a key identification value and must be the same on all routers with which the PIX communicates.

RIP authentication on routers is more complicated. You need to set up a key chain with some keys (these keys are numbered, and the number is exactly the key_id you need to specify when configuring the PIX) and switch the authentication on. A sample partial router configuration corresponding to our case of MD5 authentication is:

interface ethernet 0
ip rip authentication key-chain mykeys
ip rip authentication mode md5
!
router rip
network 172.16.0.0
version 2
!
key chain mykeys
key 2
key-string anothersecretkey

NOTE

The PIX firewall is able to support one and only one key ID per interface. Keys have infinite lifetimes, and it is recommended that you change them every two weeks or so. Note also that if you use Telnet to configure these keys, they travel over the network in cleartext and might be exposed.

The clear rip configuration mode command removes all RIP configuration statements from the PIX firewall.
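As an added example that is not part of the original chapter or of any Cisco code, the following Python builds and verifies a RIPv2 response carrying the RFC 2082 keyed-MD5 trailer that the md5 option negotiates. The keychain dictionary (standing in for the router's key chain), the neighbour name used for the replay check and the sample routes are assumptions for illustration; the Cisco implementation is not claimed to be byte-for-byte identical to this one.

```python
"""RFC 2082 keyed-MD5 authentication for RIPv2: build and verify (added example, not PIX code)."""
import hashlib
import hmac
import struct
from ipaddress import IPv4Address

RIP_RESPONSE, RIP_V2 = 2, 2
AFI_AUTH = 0xFFFF      # address family value that marks an authentication entry
AUTH_MD5 = 3           # authentication type in the leading entry
AUTH_TRAILER = 1       # authentication type in the trailing digest entry
DIGEST_LEN = 16


def _pack_key(key: str) -> bytes:
    # RFC 2082: the shared key is padded with zeros (or cut) to 16 bytes
    return key.encode()[:DIGEST_LEN].ljust(DIGEST_LEN, b"\0")


def _rte(prefix: str, mask: str, metric: int) -> bytes:
    # One 20-byte route entry: AFI 2 (IP), route tag 0, prefix, mask, next hop 0.0.0.0 (= sender), metric
    return struct.pack("!HH4s4s4sI", 2, 0, IPv4Address(prefix).packed,
                       IPv4Address(mask).packed, b"\0" * 4, metric)


def build_rip2_md5(routes, key_id: int, key: str, seq: int) -> bytes:
    """RIPv2 response carrying `routes` ([(prefix, mask, metric), ...]) with a keyed-MD5 trailer."""
    header = struct.pack("!BBH", RIP_RESPONSE, RIP_V2, 0)
    body = b"".join(_rte(p, m, met) for p, m, met in routes)
    # RIP packet length as RFC 2082 defines it: header + auth entry + route entries, no trailer
    rip_len = len(header) + 20 + len(body)
    auth_entry = struct.pack("!HHHBBI8s", AFI_AUTH, AUTH_MD5, rip_len,
                             key_id, DIGEST_LEN, seq, b"\0" * 8)
    trailer = struct.pack("!HH", AFI_AUTH, AUTH_TRAILER)
    unsigned = header + auth_entry + body + trailer
    # The digest covers the whole message with the padded key standing where the digest will go
    digest = hashlib.md5(unsigned + _pack_key(key)).digest()
    return unsigned + digest


def verify_rip2_md5(packet: bytes, keychain: dict, last_seq: dict, neighbour: str):
    """Return (accepted, reason, routes). keychain: key_id -> key (like the router's key chain);
    last_seq: neighbour -> highest sequence number accepted so far (replay guard, assumed model)."""
    if len(packet) < 24 + 4 + DIGEST_LEN:
        return False, "truncated", []
    _cmd, ver, _ = struct.unpack("!BBH", packet[:4])
    if ver != RIP_V2:
        return False, "not RIPv2", []
    afi, atype, rip_len, key_id, dlen, seq, _ = struct.unpack("!HHHBBI8s", packet[4:24])
    if afi != AFI_AUTH or atype != AUTH_MD5 or dlen != DIGEST_LEN:
        return False, "no MD5 authentication entry", []
    if rip_len + 4 + DIGEST_LEN != len(packet):
        return False, "length mismatch", []
    if struct.unpack("!HH", packet[rip_len:rip_len + 4]) != (AFI_AUTH, AUTH_TRAILER):
        return False, "bad trailer", []
    if key_id not in keychain:
        # the key_id must match a key on every neighbour; a mismatch means no shared key
        return False, f"unknown key_id {key_id}", []
    expected = hashlib.md5(packet[:rip_len + 4] + _pack_key(keychain[key_id])).digest()
    if not hmac.compare_digest(expected, packet[rip_len + 4:]):
        return False, "digest mismatch", []
    if seq <= last_seq.get(neighbour, -1):
        # replay guard: require the sequence to increase (stricter than RFC 2082, which only
        # requires it not to go backwards and therefore lets a verbatim replay through)
        return False, "replayed sequence number", []
    last_seq[neighbour] = seq
    routes = []
    for off in range(24, rip_len, 20):
        _afi, _tag, ip, mask, _nh, metric = struct.unpack("!HH4s4s4sI", packet[off:off + 20])
        routes.append((str(IPv4Address(ip)), str(IPv4Address(mask)), metric))
    return True, "ok", routes
```

The verifier rejects a packet whose key_id is not in the chain before it even looks at the digest, which is the failure you see when a router's key number and the PIX key_id disagree. Note that the digest is keyed but the route contents are still readable on the wire, and MD5 is used here only because RFC 2082 specifies it.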

Proxy ARP and One-Armed Routing Mode

In case you have not heard the phrase, “one-armed” routing means that the router has only one interface (with more than one IP address on it). All it does is receive a packet from the network and redirect it to another router or host on the same LAN but possibly on another IP network. This is sometimes useful, but the PIX cannot do this, because its Adaptive Security Algorithm does not allow any packet to exit on the same interface on which it arrived.

Combined with the default proxy ARP feature, this restriction can play tricks on your routing. For example, if a router is behind the inside interface and some host sends an ARP request for this router's IP, the PIX will reply instead (or together with the router), and the packet is forwarded to the PIX. Here comes the problem: the packet needs to be forwarded to the real router, but the PIX cannot do this; the packet cannot exit on the same interface.

So, if you prefer to fully control your static routing and you have created all static routes with correct gateways, it is always better to switch off proxy ARP on all interfaces; it has a nasty habit of getting in the way.

Unicast Routing

Configuration of static routing is discussed in Chapter 2. In this section, we describe some more advanced topics related to unicast routing as performed by the PIX firewall.

Static and Connected Routes

You have already learned how to configure static routes on the PIX firewall using the route command:

route <if_name> <ip_address> <netmask> <gateway_ip> [<metric>]

For example:

PIX1(config)# route outside 0.0.0.0 0.0.0.0 1.2.3.4

This command configures a static default route on the outside interface to the gateway 1.2.3.4, a default gateway to be used for network traffic. If you issue a show route command, the output will contain the following line:

route outside 0.0.0.0 0.0.0.0 1.2.3.4 1 OTHER static

The keyword OTHER simply means that this route is a manually entered static route. There is one interesting twist to the route command: it is possible to specify the IP address of the PIX's own interface instead of a gateway address. This might seem strange from the point of view of classical static routing, but it is sometimes very useful, especially in a Cisco infrastructure. The PIX itself automatically creates routes of this type when you enter an IP address for an interface.

So, what happens when a route is set to the PIX interface? The simple answer is that the PIX firewall considers the network directly connected and sends an ARP request for the destination address itself instead of requesting the gateway's address and forwarding the packet to the gateway. The destination host does not really have to be directly connected; if it is connected via a router that has the proxy ARP feature turned on, the router will reply on behalf of the host, the PIX will forward the packet to this router, and the router in turn will forward the packet to the host. Cisco routers and PIX firewalls have proxy ARP turned on by default. For example, if the inside interface has an IP address of 192.168.1.254/24 and two networks, 192.168.2.0/24 and 192.168.3.0/24, are connected to this interface via a router, the following two statements will configure correct routes to these networks (note that the router's IP is not used anywhere; it just has to be in the same network as the inside interface of the PIX):

PIX1(config)# route inside 192.168.2.0 255.255.255.0 192.168.1.254
PIX1(config)# route inside 192.168.3.0 255.255.255.0 192.168.1.254

The show route command displays the corresponding entries in the routing table as:

route inside 192.168.1.0 255.255.255.0 192.168.1.254 1 CONNECT static
route inside 192.168.2.0 255.255.255.0 192.168.1.254 1 OTHER static
route inside 192.168.3.0 255.255.255.0 192.168.1.254 1 OTHER static

The first entry here was created automatically by the PIX firewall when an IP address was configured on the inside interface. The other two are the result of our two static route entries.

What exactly happens when the default route (outside interface) on the PIX is set to itself? The sequence of steps the PIX performs to correctly forward the packet is as follows:

1. The PIX receives a packet on the inside interface destined for the Internet host with IP a.b.c.d.

2. The default route on the outside interface is set to the interface itself. If a separate default gateway had been specified, the PIX would simply ARP for the gateway's address and forward the packet there. If not, the PIX sends an ARP request for IP a.b.c.d.

3. Any router (assuming it has proxy ARP turned on) that has a route to a.b.c.d replies with its own MAC address on behalf of the host a.b.c.d.

4. The PIX forwards the packet to this router, which will handle it from there.

5. The PIX also adds an entry to its ARP table for IP address a.b.c.d with the MAC address of the router.

Two consequences are worth keeping in mind: the ARP table grows by one entry per Internet destination reached this way, and whichever device on the outside segment answers the ARP request first receives the traffic, so this scheme trusts every host on that segment.

The PIX firewall also has the proxy ARP feature turned on by default, so it can act in the same way as the router in the previous example. It is possible to turn the feature off on a specific interface using:

sysopt noproxyarp <if_name>

Reverse-Path Forwarding

The concept of reverse-path forwarding (RPF) is rarely understood well, although it is rather simple. The basic idea is to have an extensive routing table and, for each packet that arrives, check its source address against this table. This is why it is called a “reverse” lookup. When a route to this source is found (that is, when there is a reverse path to the source), it is verified that the packet has arrived on the same interface that is listed in the corresponding route entry (so the packet has arrived on the best path back to its origin). If the interface is correct, the packet has arrived from a real source and is legitimate. If a reverse route is not found or the packet arrived on a wrong interface, it is assumed that the packet is spoofed, and it is discarded.

This feature is used for implementing ingress and egress filtering as specified in RFC 2267 (since superseded by RFC 2827, BCP 38). It is turned off by default and can be enabled on a specific interface using the following configuration command:

ip verify reverse-path interface <if_name>

Ingress filtering is used for checking that outside hosts really have outside addresses, but because the PIX firewall cannot maintain the table of all possible routes on the Internet, most configurations check that packets arriving on the outside interface from the Internet do not have an “inside” source address. Egress filtering does exactly the opposite: it checks that the packets going to the Internet really have internal source addresses. This filtering makes tracing any packet back to its origin much easier and prevents most spoofing attacks. Although all of this can be achieved using access lists, the RPF feature provides a much easier and more elegant solution.

Let's consider the following example:

PIX1(config)# ip address inside 192.168.1.254 255.255.255.0
PIX1(config)# route inside 192.168.2.0 255.255.255.0 192.168.1.254 1
PIX1(config)# route inside 192.168.3.0 255.255.255.0 192.168.1.254 1
PIX1(config)# ip address outside 1.2.3.1 255.255.255.0
PIX1(config)# route outside 0.0.0.0 0.0.0.0 1.2.3.127
PIX1(config)# ip verify reverse-path interface outside
PIX1(config)# ip verify reverse-path interface inside

Here, two networks, 192.168.2.0/24 and 192.168.3.0/24, are connected to the inside interface, and corresponding entries are created in the routing table. The outside interface has a default route to 1.2.3.127. The RPF feature is enabled on both interfaces. Now, when a packet arrives from the network attached to the inside interface, its source address is checked against the routing table. If this address belongs to one of the two networks 192.168.2.0/24 or 192.168.3.0/24 (or to the directly connected 192.168.1.0/24), the route lookup succeeds and the packet is allowed to pass through the firewall. If the address is not from any of these networks, no route will be found, and the packet will be discarded.

If a packet arrives from the Internet on the outside interface, its source is also checked because RPF is active on the outside interface. If this address belongs to one of the networks 192.168.2.0/24 or 192.168.3.0/24, the route lookup succeeds, but it is noted that this packet has not arrived on the best path to its origin (the best path goes through the inside interface). The packet is clearly a spoofed one and it is dropped. In all other cases, the route lookup also succeeds because there is a default route on the outside interface, and the packet is allowed to pass through. Thus ip verify reverse-path interface inside provides egress filtering, whereas ip verify reverse-path interface outside provides ingress filtering.

If in this configuration we omit RPF verification on the outside interface, only egress filtering on the inside interface will be performed, and spoofed packets from the Internet will be allowed to pass through, whereas any spoofing attempts by inside hosts will be stopped. If RPF verification is enabled only on the outside interface and routes to internal networks are provided, only ingress filtering will be performed; outside packets with source IPs belonging to internal networks will be dropped.

NOTE

There are several limitations on using RPF verification. If there is no default route on the outside interface, only the networks mentioned in the routing table are able to send packets to the hosts behind the firewall. Also, do not turn on RPF verification before routing is fully specified, for the same reason. If your network has asymmetric routing, RPF verification will not work correctly.

RPF-related statistics can be viewed with the following command:

pix(config)# show ip verify statistics
interface outside: 5 unicast rpf drops
interface inside: 2 unicast rpf drops

The counters here show the number of packets dropped by unicast RPF. The number of RPF drops can also be seen in the show interface output:

pix(config)# show interface
interface ethernet0 "outside" is up, line protocol is up
Hardware is i82559 ethernet, address is 00aa.0000.003b
IP address 1.2.3.4, subnet mask 255.255.255.224
MTU 1500 bytes, BW 100000 Kbit half duplex
1183242 packets input, 1222000001 bytes, 0 no buffer
Received 210 broadcasts, 23 runts, 0 giants
4 input errors, 0 CRC, 4 frame, 0 overrun, 0 ignored, 0 abort
1311231 packets output, 565432270 bytes, 0 underruns, 0 unicast rpf drops
0 output errors, 12332 collisions, 0 interface resets
0 babbles, 0 late collisions, 12342 deferred
0 lost carrier, 0 no carrier
input queue (curr/max blocks): hardware (128/128) software (0/1)
output queue (curr/max blocks): hardware (0/2) software (0/1)

Line 8 of this output contains the message “0 unicast rpf drops”; this means there were no drops on this interface.

Not all packets are checked with RPF. What exactly happens is:

• ICMP packets are all checked, because there is no session state for this type of communication.

• TCP and UDP communications have session information maintained by the PIX, so only the initial packet is checked against the routing table. All subsequent packets are checked only for the interface they arrived on. This interface should be the interface on which the initial packet arrived.

The following commands delete ip verify commands from the configuration and clear the packet counts, respectively:

clear ip verify reverse-path
clear ip verify statistics
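Here is an added example, not PIX code, that reproduces in Python the route lookup and interface comparison described in this section for the configuration in the example above, including the per-interface drop counters of show ip verify statistics, the "no default route" limitation from the NOTE, and the rule that only the first packet of a TCP or UDP flow gets a route lookup. The RpfPix class, its directional session table and the pix_from_text helper are assumptions for illustration.

```python
"""Unicast RPF check modelled on the text above (added example, not PIX code)."""
from ipaddress import ip_address, ip_network


class RpfPix:
    """Routing table plus per-interface unicast RPF."""

    def __init__(self):
        self.routes = []          # (network, interface), CONNECT and static alike
        self.rpf_ifaces = set()   # interfaces with ip verify reverse-path
        self.sessions = {}        # directional flow key -> interface the flow started on (assumed model)
        self.drops = {}           # interface -> unicast rpf drops, like show ip verify statistics

    def ip_address(self, iface, addr, mask):
        # assigning an interface address creates the CONNECT route seen in show route
        self.routes.append((ip_network(f"{addr}/{mask}", strict=False), iface))

    def route(self, iface, net, mask):
        self.routes.append((ip_network(f"{net}/{mask}"), iface))

    def ip_verify_reverse_path(self, iface):
        self.rpf_ifaces.add(iface)

    def lookup(self, addr):
        """Longest-prefix match; returns the egress interface or None."""
        best = None
        for net, iface in self.routes:
            if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
                best = (net, iface)
        return best[1] if best else None

    def check(self, ingress, src, dst, proto, sport=0, dport=0):
        """Return (accepted, reason) for a packet arriving on `ingress`."""
        if ingress not in self.rpf_ifaces:
            return True, "rpf not enabled on " + ingress
        flow = (src, dst, proto, sport, dport)
        if proto in ("tcp", "udp") and flow in self.sessions:
            # later packets of a known flow: only the arrival interface is compared
            if self.sessions[flow] == ingress:
                return True, "existing session"
            return self._drop(ingress, "flow started on " + self.sessions[flow])
        via = self.lookup(ip_address(src))   # the "reverse" lookup: route back to the source
        if via is None:
            return self._drop(ingress, f"no route back to {src}")
        if via != ingress:
            return self._drop(ingress, f"reverse path to {src} is via {via}, not {ingress}")
        if proto in ("tcp", "udp"):
            self.sessions[flow] = ingress
        return True, "reverse path ok"

    def _drop(self, iface, reason):
        self.drops[iface] = self.drops.get(iface, 0) + 1
        return False, reason


def pix_from_text(with_default_route=True):
    """The configuration from the example above; with_default_route=False reproduces the NOTE's limitation."""
    pix = RpfPix()
    pix.ip_address("inside", "192.168.1.254", "255.255.255.0")
    pix.route("inside", "192.168.2.0", "255.255.255.0")
    pix.route("inside", "192.168.3.0", "255.255.255.0")
    pix.ip_address("outside", "1.2.3.1", "255.255.255.0")
    if with_default_route:
        pix.route("outside", "0.0.0.0", "0.0.0.0")
    pix.ip_verify_reverse_path("outside")
    pix.ip_verify_reverse_path("inside")
    return pix
```

Running the four cases from the text through check() gives: an inside source from 192.168.2.0/24 passes, an inside source with no route is dropped, a 192.168.3.0/24 source arriving on outside is dropped as spoofed, and any other outside source passes thanks to the default route; remove the default route and that last case is dropped as well.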

The TCP Intercept Feature in PIX Version 5.3 and Later

The implementation of SYN Floodguard in versions before 5.3 was not quite good. When the maximum number of embryonic connections for a host was reached, the PIX firewall simply dropped any further SYN packets directed to the affected host. Thus, while protecting the host against overloading, the PIX firewall prevented any new connections from being opened to the host for the duration of a SYN flood. Similarly, when the maximum number of embryonic connections was not specified, the PIX did not limit the number of half-open connections, which could lead to a successful SYN flood attack against the host.

Version 5.3 implements a new feature called TCP Intercept. Since version 5.3, the PIX firewall behaves differently when the number of embryonic connections for a host is reached. If this happens, until the number of embryonic connections falls below the threshold, each new SYN packet to the affected host is intercepted instead of being discarded. The PIX itself then replies to the sender with SYN/ACK instead of the destination server doing so. If the client finally replies with a valid ACK, the PIX firewall sends the original SYN to its destination (the server), performs a correct three-way handshake between the PIX and the server, and the connection is resumed between the client and the server. A spoofed source never sends that final ACK, so it never costs the server a backlog slot.

SYN Floodguard

Another well-known DoS attack is SYN flooding, which occurs when an attacker sends large numbers of initial SYN packets to the host and neither closes nor confirms these half-open connections. This causes some TCP/IP implementations to use a great deal of resources while waiting for connection confirmation, preventing them from accepting any new connections before the backlog of these half-open connections is cleared. The easiest way to prevent this from happening is to control the rate at which new connections are opened or the number of connections that are half-open (other names for this are SYN Received or embryonic) at any given time. The latter can be performed by specifying a limit on the number of embryonic connections in the static and nat configuration commands. For example:

PIX1(config)# static (dmz,outside) 123.4.5.6 10.1.1.0 netmask 255.255.255.255 100 50

This creates a static NAT entry for the DMZ server 10.1.1.0 with an external IP address of 123.4.5.6. The number 100 means that only 100 connections to this server from outside can be in an open state at any given time, and the number 50 is the number of half-open or embryonic connections to this server that can exist at any given time. The nat command is similar: two numbers at the end specify the number of open and embryonic connections that can exist at any given time to each translated host:

nat (inside) 1 10.0.0.0 255.0.0.0 100 50

When either of these numbers is zero, the corresponding number of connections is not limited.

The exact behavior of the PIX when the number of embryonic connections is reached for a host is different in versions 5.3 and later; see the sidebar for details.

Figure 4.12 illustrates how the TCP Intercept feature works.

Figure 4.12 TCP Intercept in PIX Versions 5.3 and Later

[Diagram: an outside client, the PIX, and the inside server. The client's SYN is answered by the PIX with a SYN/ACK; no packets are passed to the inside server until the three-way handshake is complete. After the PIX simulates the handshake with the outside client, it sends its own SYN to the inside server, completes the SYN/ACK and ACK exchange with it, and passes the connection to the inside server.]
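The following added example (not Cisco code) models in Python the embryonic-connection limit set by the last number of a static or nat command and the two behaviours contrasted above when that limit is hit: dropping every further SYN (before 5.3) and TCP Intercept (5.3 and later). The SynGuard class, its SHA-256 based initial sequence number and the addresses used in simulate_flood are constructed for illustration; embryonic-entry timeouts are left out.

```python
"""Embryonic-connection limit with drop (pre-5.3) or TCP Intercept (5.3+) semantics.
Added example, not PIX code."""
import hashlib


class SynGuard:
    """Connection limits for one protected host, as set by `static ... max_conns em_limit`."""

    def __init__(self, max_conns=100, max_embryonic=50, tcp_intercept=True, secret=b"example-secret"):
        self.max_conns, self.max_embryonic, self.tcp_intercept = max_conns, max_embryonic, tcp_intercept
        self.secret = secret
        self.server_halfopen = set()   # SYNs handed to the server and not yet ACKed (its backlog)
        self.established = set()
        self.pending = {}              # intercept mode: client -> ISN of the SYN/ACK the firewall sent
        self.stats = {"forwarded": 0, "dropped": 0, "intercepted": 0, "completed": 0}

    def _isn(self, client):
        # deterministic but unguessable ISN for the firewall's own SYN/ACK (SYN-cookie style, assumed)
        return int.from_bytes(hashlib.sha256(self.secret + client.encode()).digest()[:4], "big")

    def syn(self, client):
        """A client SYN arrives. Returns (verdict, ISN of the firewall's SYN/ACK or None)."""
        if 0 < self.max_conns <= len(self.established):
            self.stats["dropped"] += 1
            return "dropped: connection limit", None
        if self.max_embryonic == 0 or len(self.server_halfopen) < self.max_embryonic:
            self.server_halfopen.add(client)          # 0 means unlimited, as the text says
            self.stats["forwarded"] += 1
            return "forwarded to server", None
        if not self.tcp_intercept:
            self.stats["dropped"] += 1                # pre-5.3: legitimate clients starve too
            return "dropped: embryonic limit", None
        isn = self._isn(client)
        self.pending[client] = isn                     # the firewall answers SYN/ACK itself
        self.stats["intercepted"] += 1
        return "intercepted: SYN/ACK sent by firewall", isn

    def ack(self, client, ack_num):
        """The client's final ACK. Returns the verdict."""
        if client in self.server_halfopen:
            self.server_halfopen.discard(client)
            self.established.add(client)
            return "established"
        if client in self.pending and ack_num == self.pending[client] + 1:
            del self.pending[client]
            # only now does the firewall run a real three-way handshake with the server
            self.established.add(client)
            self.stats["completed"] += 1
            return "established via intercept"
        self.stats["dropped"] += 1
        return "dropped: no matching SYN"


def simulate_flood(tcp_intercept, spoofed=200, limit=50):
    """Spoofed SYNs that never ACK, then one legitimate client.
    Returns (verdict for the legitimate client, peak server backlog)."""
    g = SynGuard(max_embryonic=limit, tcp_intercept=tcp_intercept)
    for i in range(spoofed):
        g.syn(f"203.0.113.{i % 250 + 1}:{40000 + i}")   # constructed attacker addresses
    peak = len(g.server_halfopen)
    legit = "198.51.100.7:51000"                        # constructed legitimate client
    verdict, isn = g.syn(legit)
    if isn is not None:
        verdict = g.ack(legit, isn + 1)
    elif verdict.startswith("forwarded"):
        verdict = g.ack(legit, 0)
    return verdict, peak
```

In both modes the server's backlog never exceeds the embryonic limit; the difference is that with TCP Intercept the legitimate client still gets through during the flood, while an ACK carrying the wrong acknowledgement number is treated as no handshake at all and never reaches the server.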

AAA Floodguard

Another flood-related problem is that somebody can abuse the PIX AAA authentication mechanism simply by making a large number of login attempts without providing any login information, leaving the connections open. The PIX firewall will then wait until a timeout expires. By making enough attempts, it is possible to exhaust AAA resources so that no more login attempts will be answered: a DoS on login resources. In order to prevent this situation, the PIX firewall has an internal mechanism for reclaiming AAA resources. It is called Floodguard and is enabled by default. When enabled, Floodguard causes the PIX firewall to monitor resource usage and send a syslog message when these resources are exhausted. When in need of more resources, the PIX firewall will reclaim the ones that are not in an active state. This is done in the following order (by priority):

1. Resources that are in the Timewait state are reclaimed.

2. Resources in the Finwait state are reclaimed.

3. Embryonic resources are reclaimed.

4. Idle resources are reclaimed.

The commands (configuration mode) related to this feature are quite simple:

floodguard enable
floodguard disable
show floodguard

These commands are self-explanatory.

Fragmentation Guard

Fragmented packets are a challenge to firewalls. For example, nothing in the current Internet standards prevents a person from sending IP packets so fragmented that the source and destination IP addresses and the TCP port information are located in different fragments or even in overlapping fragments. The firewall cannot decide what to do with the packet until it sees the entire TCP/IP header. Some firewalls simply pass the fragments without trying to reassemble the original packets, whereas others try to perform this reassembly. Reassembly can be a dangerous process; for example, it is very easy to send fragments that will cause the reassembled packet to be of illegal size, possibly corrupting internal buffers of the IP stack implementation.

The PIX always performs reassembly of fragmented packets before they are checked against access lists and can impose some restrictions on the fragmented traffic that passes through it. The FragGuard feature, when turned on, ensures that:

• Each noninitial IP fragment is associated with an already seen initial fragment (teardrop attack prevention).

• The rate of IP fragments is limited to 100 fragments per second to each internal host.

This feature probably breaks some rules of processing fragmented packets, but the current state of the Internet is such that heavy fragmentation usually does not occur naturally and almost always is the result of a malicious hacker trying to circumvent firewall rules or flood an Internet host. Therefore, in general, it is much better to have this feature on, unless you are connected via some strange link that does have a lot of fragmentation; but then, in this case there might be something wrong with the link itself.

This feature is disabled by default and can be turned on or off on all interfaces simultaneously only. The command for enabling it is:

sysopt security fragguard

The corresponding no command turns the feature off. The status of various settings, including FragGuard, can be checked with the show sysopt command.

NOTE

The most important side effect of FragGuard is that you could lose communication with hosts running some versions of Linux if they do fragment IP packets. These versions do not always send the initial fragment first, so the PIX firewall will discard the received sequence of fragments. Although this rarely occurs, you should still watch out for it.

FragGuard settings can be too restrictive at times. It is possible to manually tune the process of virtual reassembly with the fragment set of commands. Their syntax is as follows:

fragment size <database-limit> [<interface>]
fragment chain <chain-limit> [<interface>]
fragment timeout <seconds> [<interface>]
clear fragment

The first command sets the maximum number of blocks that can be used for fragment reassembly. If an interface is not specified, the setting is global; otherwise, the setting applies to the specific interface. The default number of blocks is 200 and should never be greater than the total number of available blocks of 1550 bytes' size. In general, a bigger database makes the PIX more vulnerable to a DoS attack that floods it with fragments and exhausts its memory.

The second command sets the maximum allowed number of fragments into which one IP packet is split. The default setting is 24 fragments; the maximum is 8200. Further fragments will be dropped and the packet will not be reassembled.

The timeout setting specifies the time frame in which all fragments of one IP packet should be received. The default timeout is 5 seconds and can be up to 30 seconds.

The last command, clear fragment, resets all three settings to their default values. The state of the fragment database can be displayed with the show fragment command:

pix(config)# show fragment outside
Interface:outside
Size:200, Chain:24, Timeout:5
Queue:150, Assemble:300, Fail:0, Overflow:0

This output shows that the database has default settings: a size of 200 blocks, 24 fragments in a chain, and a 5-second timeout. There are 150 packets waiting to be reassembled, 300 were already successfully reassembled, and there were no failures or database overflows.
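As an added example that is not part of the original text or of PIX code, the following Python applies the fragment size, chain and timeout limits and the FragGuard rules described above to a stream of fragments, keeping the same Queue/Assemble/Fail/Overflow counters that show fragment reports. The block accounting (one database block per queued fragment), the byte offsets, the overlap and maximum-size checks and the injected clock are assumptions for illustration.

```python
"""Virtual reassembly with FragGuard-style limits (added example, not PIX code)."""


class FragmentDB:
    """Offsets and lengths are in bytes; `now` is passed in so the timeout is deterministic."""

    def __init__(self, size=200, chain=24, timeout=5.0, per_host_rate=100):
        self.size, self.chain, self.timeout, self.per_host_rate = size, chain, timeout, per_host_rate
        self.entries = {}   # (src, dst, ip_id, proto) -> {"t0": float, "frags": {offset: (length, more)}}
        self.blocks = 0     # one database block per queued fragment (assumed accounting)
        self.rate = {}      # dst -> (window_start, count) for the 100 fragments/s per host rule
        self.stats = {"Queue": 0, "Assemble": 0, "Fail": 0, "Overflow": 0}

    def _expire(self, now):
        for key in [k for k, e in self.entries.items() if now - e["t0"] > self.timeout]:
            self._fail(key)   # fragment timeout: the datagram is never going to complete

    def _fail(self, key):
        self.blocks -= len(self.entries.pop(key)["frags"])
        self.stats["Fail"] += 1
        self.stats["Queue"] -= 1

    def _over_rate(self, dst, now):
        start, count = self.rate.get(dst, (now, 0))
        if now - start >= 1.0:
            start, count = now, 0
        self.rate[dst] = (start, count + 1)
        return count + 1 > self.per_host_rate

    def add(self, src, dst, ip_id, proto, offset, length, more, now):
        """Feed one fragment; returns 'queued', 'assembled' or 'dropped: <reason>'."""
        self._expire(now)
        if self._over_rate(dst, now):
            return "dropped: per-host fragment rate"
        key = (src, dst, ip_id, proto)
        entry = self.entries.get(key)
        if entry is None:
            if offset != 0:
                # FragGuard rule 1: a non-initial fragment must follow an already seen initial one
                return "dropped: non-initial fragment before initial"
            if self.blocks >= self.size:
                self.stats["Overflow"] += 1
                return "dropped: fragment database full"
            entry = self.entries[key] = {"t0": now, "frags": {}}
            self.stats["Queue"] += 1
        if len(entry["frags"]) >= self.chain:
            self._fail(key)
            return "dropped: chain limit exceeded"
        for off, (ln, _m) in entry["frags"].items():
            if offset < off + ln and off < offset + length:
                self._fail(key)   # overlapping data (teardrop style): discard the whole datagram
                return "dropped: overlapping fragment"
        if offset + length > 65535:
            self._fail(key)       # would reassemble to an illegal IP datagram size
            return "dropped: reassembled size exceeds 65535"
        entry["frags"][offset] = (length, more)
        self.blocks += 1
        if self._complete(entry["frags"]):
            self.blocks -= len(entry["frags"])
            del self.entries[key]
            self.stats["Queue"] -= 1
            self.stats["Assemble"] += 1
            return "assembled"
        return "queued"

    @staticmethod
    def _complete(frags):
        # contiguous coverage from offset 0 up to a fragment with the more-fragments bit clear
        expect, last_more = 0, True
        for off in sorted(frags):
            if off != expect:
                return False
            expect, last_more = off + frags[off][0], frags[off][1]
        return not last_more
```

Feeding an out-of-order datagram (second fragment first) shows the Linux side effect from the NOTE: the non-initial fragment is discarded on arrival, and when the initial fragment does show up, the rest of the datagram is already gone.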

Other Advanced Features

The Cisco PIX firewall has many other security features. Some of these features can be used in order to protect the network against various DoS attacks. Some of them are related to the processing of routing information, both unicast and multicast.

DHCP Servers

The server part of PIX DHCP support is more complicated. Let's look at the server's capabilities and limitations. The most important things are the number of DHCP clients the server can support and the specific configuration options supported. The number of clients supported on the various versions of PIX firewalls is shown in Table 4.3.

Table 4.3 Number of Clients Supported by the PIX DHCP Server

PIX Firewall Version          PIX Firewall Platform           Client Addresses (Active Hosts)
Version 5.2 and before        All platforms                   10
Version 5.3 to version 6.0    PIX 506/506E                    32
                              All other platforms             256
Version 6.1 and later         PIX 501 with 10-user license    32
                              PIX 501 with 50-user license    128
                              All other platforms             256

Note that the numbers quoted in Table 4.3 are for active hosts. A host is “active” if it has passed any traffic through the PIX, established a connection through the firewall, established a NAT or PAT translation entry, or authenticated itself to the firewall during the last 30 seconds.

NOTE

The DHCP server can be configured only on the inside interface of the PIX firewall and supports only clients on a network directly connected to this interface.

A basic configuration of the DHCP server requires only two commands: one for specifying a range of IP addresses that can be provided to clients and another one for actually turning the feature on. For example:

PIX1(config)# dhcpd address 192.168.2.1-192.168.2.127 inside
PIX1(config)# dhcpd enable inside

The only parameter that can be changed here is the address pool. Although currently the interface is always inside, it is possible that future releases of the PIX will have the ability to run a DHCP server on other interfaces. However, at the time of this writing (version 6.2), it does not. It is possible to configure only one pool. Now when a client sends a DHCP request, the PIX provides it with the next IP address available in the pool of 192.168.2.1-192.168.2.127, the same subnet mask that is set for the inside interface of the firewall, and a default route pointing to the PIX itself.

Some other configuration parameters are concerned with so-called “DHCP options”: optional information that can be provided to the client at its request. RFC 2132, “DHCP Options and BOOTP Vendor Extensions,” describes about 100 of these options and provides a mechanism for vendors to specify their own options. Very few of these options are really needed, especially in a SOHO environment, so the PIX supports only a few of them; nevertheless, this does not make it unable to perform as a full-strength server. The options that can be configured are the default domain name, the DNS server, the WINS server, and two TFTP-related options (numbers 66 and 150).

The domain name provided to a client is configured with the following command:

dhcpd domain <domain_name>

For example:

PIX1(config)# dhcpd domain syngress.com

The DNS servers that a client should use are configured with the command:

dhcpd dns <dns_ip1> [<dns_ip2>]

Up to two DNS servers can be configured, using IP addresses:

PIX1(config)# dhcpd dns 1.2.3.4 1.2.4.10

WINS servers are configured using the following command, with the same restrictions as DNS servers: up to two servers, configured using IP addresses:

dhcpd wins <wins_ip1> [<wins_ip2>]

Options 66 and 150 are used mostly by Cisco IP Phones and are considered later in this chapter. Other DHCP-related commands allow specifying some internal parameters for the server. It is possible to change the default lease time (the amount of time for which an IP address is granted to the client):

dhcpd lease <lease_length>

This command specifies the time in seconds. The default value is 3600, and possible values are from 300 seconds to 2,147,483,647 seconds. The following command sets a maximum ping timeout in milliseconds (1/1000th of a second):

dhcpd ping_timeout <timeout>

The PIX uses ping to ensure that another host on the network does not already have the IP address it is about to grant. If no host with this IP replies during this timeout, the IP is considered free. The ping timeout therefore specifies how long the PIX will wait for a ping reply before concluding that no host with the same IP address exists on the network; a host that does not answer ping will not be detected by this check.

Finally, the following command allows the DHCP server to automatically obtain DNS, WINS, and domain parameters from a DHCP client configured on the outside interface:

PIX1(config)# dhcpd auto_config outside

An example of a SOHO configuration follows. It includes a DHCP client on the outside interface and a DHCP server on the inside interface, and it passes parameters from the client to the server:

PIX1(config)# ip address outside dhcp setroute
PIX1(config)# ip address inside 192.168.2.1 255.255.255.0
PIX1(config)# dhcpd address 192.168.2.201-192.168.2.210
PIX1(config)# dhcpd lease 3000
PIX1(config)# dhcpd auto_config outside
PIX1(config)# dhcpd enable
PIX1(config)# nat (inside) 1 0 0
PIX1(config)# global (outside) 1 interface

Without auto configuration, the example may look like this:

PIX1(config)# ip address outside dhcp setroute
PIX1(config)# ip address inside 192.168.2.1 255.255.255.0
PIX1(config)# dhcpd address 192.168.2.201-192.168.2.210
PIX1(config)# dhcpd lease 3000
PIX1(config)# dhcpd dns 1.2.3.4 1.2.3.31
PIX1(config)# dhcpd wins 192.168.2.20
PIX1(config)# dhcpd domain example.com
PIX1(config)# dhcpd enable
PIX1(config)# nat (inside) 1 0 0
PIX1(config)# global (outside) 1 interface

Commands are available for checking the state of the server. For example:

PIX1(config)# show dhcpd
dhcpd address 192.168.2.201-192.168.2.210 inside
dhcpd lease 3000
dhcpd ping_timeout 750
dhcpd dns 1.2.3.4 1.2.3.31
dhcpd enable inside

Other commands show the current state of IP bindings (which client has been assigned which IP address) and current server statistics:

PIX1(config)# show dhcpd binding
IP Address       Hardware Address    Lease Expiration    Type
192.168.2.210    0100.a0c9.777e      84985 seconds       automatic

Here, a client with hardware address 0100.a0c9.777e has obtained IP address 192.168.2.210, and this lease will expire in 84985 seconds:

PIX1(config)# show dhcpd statistics
Address Pools 1
Automatic Bindings 1
Expired Bindings 1
Malformed messages 0
Message Received
BOOTREQUEST 0
DHCPDISCOVER 1
DHCPREQUEST 2
DHCPDECLINE 0
DHCPRELEASE 0
DHCPINFORM 0
Message Sent
BOOTREPLY 0
DHCPOFFER 1
DHCPACK 1
DHCPNAK 1

These statistics show the number of IP address pools configured, the number of active leases (bindings), expired bindings, messages received with errors, and a detailed breakdown by message type of correctly received and sent messages.

Cisco IP Phone-Related Options

As described in the "Skinny Client Control Protocol" section, Cisco IP Phones use a TFTP server for obtaining most of their configuration. This address can be configured statically, but it is also possible to use special DHCP options in order to provide phones with the location of the TFTP server. Clients can send to DHCP servers messages with options of two types: number 66, which causes the server to send the name of one TFTP server, and option 150, which results in a list of IP addresses of one or two TFTP servers. These options are supported starting from version 6.2 of PIX software and are configured with the following commands:

dhcpd option 66 ascii server_name
dhcpd option 150 ip server_ip1 [server_ip2]

For example:

PIX1(config)# dhcpd option 66 ascii tftp.example.com
PIX1(config)# dhcpd option 150 ip 1.2.3.4 2.3.4.5

Because the server runs only on the inside interface, IP Phones should be placed on the network directly connected to this interface.

DHCP Clients

When configured as a DHCP client, the PIX firewall can obtain the configuration of its outside interface from a designated DHCP server (for example, a server located at an ISP). This configuration includes the IP address, the subnet mask, and optionally, the default route.

NOTE

The DHCP client feature can only be configured on the "outside" interface of the PIX firewall.

This address can be used, for example, as a PAT address for all outbound communications. This is configured in the following way (assuming that the DHCP client is already configured):

nat (inside) 1 0 0
global (outside) 1 interface

This configuration will work with any IP address assigned to the outside interface by DHCP.

The configuration of the DHCP client is rather simple, and all you need to use is the following command:

ip address outside dhcp [setroute] [retry retry_cnt]

You do this instead of specifying a fixed IP address for the outside interface. The optional setroute keyword forces the PIX firewall to pick up not only the IP address and the subnet mask but the default route as well. Do not configure a static default route on the firewall if you use the setroute option; whatever gateway the DHCP server offers becomes the firewall's default route. The retry option tells the PIX firewall to try to contact a DHCP server a specified number of times before giving up. If this keyword is not specified, no retries are attempted. If this keyword is specified but no retry count is given, the default number of retries is four. For example, the following command configures a DHCP client on the outside interface to obtain an IP address, subnet mask, and default route from the DHCP server, and only one attempt will be made:

PIX1(config)# ip address outside dhcp setroute

The following command configures the DHCP client to obtain an IP address and subnet mask only and makes up to five retries before giving up if no DHCP server answers:

PIX1(config)# ip address outside dhcp retry 5

There are no special commands for renewing and releasing a DHCP lease; simply issue the same command again and the lease will be renewed. The address obtained can be viewed using:

PIX1# show ip address outside dhcp

This produces output similar to the following:

Temp IP Addr:123.1.2.3 for peer on interface:outside
Temp sub net mask:255.255.255.0
DHCP Lease server:123.1.2.31, state:3 Bound
DHCP Transaction id:0x4567
Lease:259200 secs, Renewal:129600 secs, Rebind:226800 secs
Temp default-gateway addr:123.1.2.1
Next timer fires after:100432 secs
Retry count:0, Client-ID:cisco-0000.0000.0000-outside

This output means that the PIX has obtained an IP address of 123.1.2.3 and a subnet mask of 255.255.255.0 from the DHCP server 123.1.2.31. This DHCP lease is valid for 259200 seconds with a renewal time of 129600 seconds (the renewal and rebind timers are the RFC 2131 defaults of one half and seven eighths of the lease). Time left until the next renewal is 100432 seconds, and there were no retries in contacting the server.
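As an added illustration (not code from the book or from Cisco), the following Python parses the show ip address outside dhcp output above and sanity-checks what the lease tells you. The function names, the regular expressions, and the expected server and gateway values are assumptions fitted to the sample output; the timer relation it verifies is the RFC 2131 default (renewal at one half and rebind at seven eighths of the lease). The gateway check is the one a practitioner wants because, with setroute, the offered gateway becomes the firewall's default route, so a lease from an unexpected server deserves an alert.

```python
import re
from typing import Dict, List, Optional

# Constructed sample: the `show ip address outside dhcp` output quoted in the
# text above, not a live capture.
SAMPLE_STATUS = """\
Temp IP Addr:123.1.2.3 for peer on interface:outside
Temp sub net mask:255.255.255.0
DHCP Lease server:123.1.2.31, state:3 Bound
DHCP Transaction id:0x4567
Lease:259200 secs, Renewal:129600 secs, Rebind:226800 secs
Temp default-gateway addr:123.1.2.1
Next timer fires after:100432 secs
Retry count:0, Client-ID:cisco-0000.0000.0000-outside
"""


def parse_dhcp_client_status(text: str) -> Dict[str, object]:
    """Extract the fields of `show ip address <if> dhcp` output (regexes are
    assumptions fitted to the sample format)."""
    def grab(pattern: str, conv=str):
        m = re.search(pattern, text)
        if m is None:
            raise ValueError("missing field: " + pattern)
        return conv(m.group(1))

    return {
        "ip": grab(r"Temp IP Addr:(\S+) for peer"),
        "interface": grab(r"on interface:(\S+)"),
        "mask": grab(r"Temp sub net mask:(\S+)"),
        "server": grab(r"DHCP Lease server:([^,]+),"),
        "state": grab(r"state:\d+ (\w+)"),
        "xid": grab(r"Transaction id:(0x[0-9a-fA-F]+)"),
        "lease": grab(r"Lease:(\d+) secs", int),
        "renewal": grab(r"Renewal:(\d+) secs", int),
        "rebind": grab(r"Rebind:(\d+) secs", int),
        "gateway": grab(r"default-gateway addr:(\S+)"),
        "next_timer": grab(r"Next timer fires after:(\d+) secs", int),
        "retries": grab(r"Retry count:(\d+)", int),
    }


def check_lease(status: Dict[str, object], expected_server: Optional[str] = None,
                expected_gateway: Optional[str] = None) -> List[str]:
    """Return a list of findings; an empty list means the lease looks as expected."""
    findings: List[str] = []
    lease = int(status["lease"])
    # RFC 2131 defaults: T1 (renewal) = lease / 2, T2 (rebind) = 7/8 of the lease.
    if status["renewal"] != lease // 2:
        findings.append("renewal timer is not half the lease: server sent an explicit T1")
    if status["rebind"] != lease * 7 // 8:
        findings.append("rebind timer is not 7/8 of the lease: server sent an explicit T2")
    if status["next_timer"] > status["renewal"]:
        findings.append("next timer is later than the renewal interval")
    if status["state"] != "Bound":
        findings.append("client is not in Bound state: %s" % status["state"])
    if expected_server and status["server"] != expected_server:
        findings.append("lease came from unexpected server %s" % status["server"])
    if expected_gateway and status["gateway"] != expected_gateway:
        # With setroute this gateway is now the firewall's default route.
        findings.append("offered default gateway %s differs from expected %s"
                        % (status["gateway"], expected_gateway))
    return findings


if __name__ == "__main__":
    parsed = parse_dhcp_client_status(SAMPLE_STATUS)
    for finding in check_lease(parsed, "123.1.2.31", "123.1.2.1") or ["lease OK"]:
        print(finding)
```

Run it against the output of the real command (pasted into SAMPLE_STATUS or read from a file) and feed the ISP's known server and gateway addresses as the expected values; any finding is a reason to look at who answered the DHCPDISCOVER on the outside segment.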

In case there are any issues with the DHCP client, you can troubleshoot using debug commands:

debug dhcpc packet
debug dhcpc detail
debug dhcpc error

These are self-explanatory. debug dhcpc packet displays all DHCP traffic between the PIX client and a remote server, the detail option shows details of the negotiation, and the error option displays all errors in this communication.

DHCP Functionality

As more Cisco devices are used in SOHO environments, it becomes more important that they support features such as Dynamic Host Configuration Protocol (DHCP). Hosts use DHCP to dynamically obtain their Internet configuration instead of being configured with a static IP address and other parameters. The operation is very simple: Upon connection, a client sends a UDP broadcast, and if it receives a specific reply, it configures itself accordingly. Of course, this works only on the directly connected LAN segment or on segments that are connected through bridges or through routers configured to relay DHCP broadcasts. This method can be used, for example, to simplify workstation management; all reconfigurations will be carried out only on the DHCP server itself, which will provide the new configuration to the workstations.

The Cisco PIX firewall can act both as a DHCP server and a client. In the first case, it will probably be a gateway for a small network of workstations and provide them all the information they need in order to connect to the Internet. In its client role, it may be a gateway for a network connected through a dialup line, obtaining its outside interface address from the ISP's DHCP server.

Although DHCP functionality on the PIX firewall is available on all models of hardware, it was specifically designed for the PIX 501, 506, and 506E, which are used primarily in SOHO environments. This is why the DHCP features the PIX firewall offers have some limitations. For example, the DHCP server can only support a maximum of 256 clients (or even fewer, depending on the firewall model, version, and license). There is also no BOOTP support and no failover support; the current state of the DHCP server or client is not replicated over the failover link.

Configuring Shunning

Shunning is a term used in the IDS context to describe blocking traffic from an attacking host; it is configured on the PIX using the following command:

shun src_ip [dst_ip sport dport [protocol]]

This command temporarily blocks all traffic from the specified source IP address. To block all traffic from the source IP address 10.0.1.1, use the following command:

PIX1(config)# shun 10.0.1.1

You can also deny specific traffic from the source IP by specifying a source port, destination IP address, and destination port number. After the shun command is entered, the PIX deletes all matching connections from its internal connection table and drops all further packets that match the command's parameters. The action of this command takes precedence over access list entries and even security levels on interfaces; all specified traffic is blocked, whether the offending host is on the inside or the outside of the interface. In order to remove this blocking action, use the corresponding no command. For example:

PIX1(config)# no shun 10.0.1.1

This command is dynamic and is not displayed or stored in the configuration, so shuns do not survive a reload. If you want to view active shuns, use the show shun command. The clear shun command deletes all shun entries.
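To make the precedence rules concrete, here is an added Python model (not PIX code; the Flow, Shun and PixModel names and the order of the packet path are assumptions consistent with the text) of what a shun does: it tears down matching entries in the connection table, then drops later matching packets before ACLs are consulted, and no shun reinstates normal processing.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Set


@dataclass(frozen=True)
class Flow:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str = "tcp"


@dataclass(frozen=True)
class Shun:
    """shun src_ip [dst_ip sport dport [protocol]]. On the PIX dst_ip, sport and
    dport are given together; the model keeps each optional for simplicity."""
    src_ip: str
    dst_ip: Optional[str] = None
    sport: Optional[int] = None
    dport: Optional[int] = None
    proto: Optional[str] = None

    def matches(self, f: Flow) -> bool:
        return (f.src_ip == self.src_ip
                and self.dst_ip in (None, f.dst_ip)
                and self.sport in (None, f.src_port)
                and self.dport in (None, f.dst_port)
                and self.proto in (None, f.proto))


class PixModel:
    """Toy packet path: shun table, then connection table, then ACL. The order is
    an assumption that reproduces 'shun takes precedence over ACLs and security levels'."""

    def __init__(self, acl_permits: Optional[Callable[[Flow], bool]] = None):
        self.conns: Set[Flow] = set()       # internal connection table
        self.shuns: List[Shun] = []         # dynamic: never written to the configuration
        self.acl_permits = acl_permits or (lambda f: True)

    def shun(self, s: Shun) -> int:
        """Install a shun and tear down matching connections; returns how many."""
        self.shuns.append(s)
        torn_down = {c for c in self.conns if s.matches(c)}
        self.conns -= torn_down
        return len(torn_down)

    def no_shun(self, src_ip: str) -> None:
        self.shuns = [s for s in self.shuns if s.src_ip != src_ip]

    def clear_shun(self) -> None:
        self.shuns.clear()

    def packet(self, f: Flow) -> str:
        if any(s.matches(f) for s in self.shuns):
            return "drop:shun"              # checked before ACLs and security levels
        if f in self.conns:
            return "forward:existing"
        if not self.acl_permits(f):
            return "drop:acl"
        self.conns.add(f)
        return "forward:new"


def demo() -> Dict[str, object]:
    pix = PixModel()
    attacker_web = Flow("10.0.1.1", 40000, "192.168.2.10", 80)
    attacker_ssh = Flow("10.0.1.1", 40001, "192.168.2.10", 22)
    neighbour = Flow("10.0.1.2", 40000, "192.168.2.10", 80)
    for f in (attacker_web, attacker_ssh, neighbour):
        pix.packet(f)                       # three established connections
    # shun 10.0.1.1 192.168.2.10 40000 80 : only the web flow matches
    torn = pix.shun(Shun("10.0.1.1", "192.168.2.10", 40000, 80))
    result: Dict[str, object] = {
        "torn_down": torn,
        "web_after_shun": pix.packet(attacker_web),
        "ssh_after_shun": pix.packet(attacker_ssh),
        "neighbour_after_shun": pix.packet(neighbour),
    }
    pix.shun(Shun("10.0.1.1"))              # shun 10.0.1.1 : everything from the host
    result["ssh_after_host_shun"] = pix.packet(attacker_ssh)
    pix.no_shun("10.0.1.1")                 # no shun 10.0.1.1
    result["web_after_no_shun"] = pix.packet(attacker_web)
    return result


if __name__ == "__main__":
    for k, v in demo().items():
        print(k, v)
```

The point the model makes visible is that a narrow shun leaves the attacker's other connections alive, and that after no shun the torn-down connection is not restored but has to be rebuilt as a new one.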

Disabling Signatures

Imagine the following situation: You are interested in being alerted on the informational signature 6102, "RPC Dump." This means that you have to include all informational signatures in your policy with a command such as:

PIX1(config)# ip audit name myaudit info action alarm

Here comes the problem: Many other signatures are listed as informational, and some of them are very "noisy" (generating lots of alarms), for example, number 2000, "ICMP Echo Reply," which is simply a reply to a ping. Chances are, you will be flooded with alarms on this latter signature and will not notice the former one, which is the one in which you are really interested. One way to get around this issue is to disable the noisy signatures with the following command, which disables the detection of the signature with number sig_number:

ip audit signature sig_number disable

In our case, to disable the "ICMP Echo Reply" signature, use the following command:

PIX1(config)# ip audit signature 2000 disable

After this command is entered, signature number 2000 ("ICMP Echo Reply") will not be detected by the PIX at all. Note that disabling a signature means disabling it globally, not for a specific interface or audit.

It is possible to see the list of all disabled signatures with the command:

PIX1(config)# show ip audit signature

You can enable a disabled signature with a no command in Configuration mode:

no ip audit signature sig_number disable

Configuring Auditing

Auditing is configured using the ip audit command. Auditing can be turned on or off, different auditing policies can be created, the policies can be applied to specific interfaces, and specific signatures can be turned on or off. The easiest configuration requires you to assign a name for the auditing policy, specify the actions (one for informational signatures and one for attack signatures) to be taken, and apply the policy to an interface. The actions that can be taken are:

• Alarm When the PIX detects a signature in the packet, it reports with the message described previously to all configured syslog servers.

• Drop When this action is configured, the PIX drops the offending packet.

• Reset This action means that the PIX should drop the packet and close the connection if this packet was a part of an open connection.

The default action is alarm. Policy configuration usually takes no more than two commands (more than one action can be listed, for example action alarm drop):

ip audit name audit_name info action [drop | alarm | reset]
ip audit name audit_name attack action [drop | alarm | reset]

For example, the following commands create a policy with the name myaudit and specify that when an informational signature is matched, the PIX should send an alarm to syslog, and when an attack signature is matched, the PIX should drop the packet:

PIX1(config)# ip audit name myaudit info action alarm
PIX1(config)# ip audit name myaudit attack action drop

It is possible to omit the action in the configuration. In this case, the default action is applied. Default actions are configured via these commands:

ip audit info action [drop | alarm | reset]
ip audit attack action [drop | alarm | reset]

If not changed, the default action is alarm. Note that if you issue only the following command but not the corresponding attack command, no attack signatures will be matched:

PIX1(config)# ip audit name myaudit info action alarm

On the other hand, if you configure the policy in the following manner, omitting the action for informational signatures, both informational and attack signatures will be matched, and the default action (alarm) will be applied when a packet is matched with an informational signature:

PIX1(config)# ip audit name myaudit info
PIX1(config)# ip audit name myaudit attack action drop

After creating a policy, you need to apply it to an interface in order to activate IDS on the interface. For example:

PIX1(config)# ip audit interface outside myaudit

This means that all signatures and actions configured should be matched on the outside interface. The general form of this command is:

ip audit interface if_name audit_name

• if_name is the name of an interface where the IDS has to check for packets.

• audit_name is the name of the policy that describes which actions to take.

As an example, let's configure a simple IDS on the outside interface, which will send an alarm when an informational signature is matched and drop the connection when an attack is noticed:

PIX1(config)# ip audit name myaudit info action alarm
PIX1(config)# ip audit name myaudit attack action drop
PIX1(config)# ip audit interface outside myaudit

Each command has its no equivalent, which removes the command from the configuration. For example:

PIX1(config)# no ip audit interface outside myaudit
PIX1(config)# no ip audit name myaudit info

Another command allows easy clearing of all IDS configuration related to an interface, policy, or default action:

clear ip audit [name | signature | interface | audit | info | attack]

The following set of commands displays the corresponding configuration of IDS related to the interface, audit, or default action. This output simply shows the commands you entered when configuring these parameters:

show ip audit interface
show ip audit info
show ip audit attack
show ip audit name
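The matching rules just described are easy to get wrong, so here is an added Python model (not PIX code) of the ip audit state: policies per interface, the class of each signature (a subset of Table 4.2 is embedded), global signature disabling, and the default-action fallback. Names such as IpAudit and evaluate are assumptions; the behaviour it encodes is the text's: a class that is never named in the policy is not matched, an omitted action falls back to the default, a disabled signature is never matched, and reset implies drop.

```python
from dataclasses import dataclass, field
from typing import Dict, Optional, Set

# Class of a handful of signatures, taken from Table 4.2 (subset only).
SIG_CLASS: Dict[int, str] = {2000: "info", 2003: "info", 6102: "info",
                             2154: "attack", 3041: "attack"}


@dataclass
class IpAudit:
    """State built up by the ip audit commands (a model, not the PIX internals)."""
    defaults: Dict[str, Set[str]] = field(
        default_factory=lambda: {"info": {"alarm"}, "attack": {"alarm"}})
    # policy name -> {"info"/"attack": actions, or None for 'use the default'}
    policies: Dict[str, Dict[str, Optional[Set[str]]]] = field(default_factory=dict)
    interfaces: Dict[str, str] = field(default_factory=dict)   # if_name -> policy
    disabled: Set[int] = field(default_factory=set)

    def name(self, audit_name: str, cls: str, actions: Optional[Set[str]] = None) -> None:
        """ip audit name <audit_name> {info|attack} [action ...]"""
        if cls not in ("info", "attack"):
            raise ValueError(cls)
        self.policies.setdefault(audit_name, {})[cls] = set(actions) if actions else None

    def default_action(self, cls: str, actions: Set[str]) -> None:
        """ip audit {info|attack} action ..."""
        self.defaults[cls] = set(actions)

    def interface(self, if_name: str, audit_name: str) -> None:
        """ip audit interface <if_name> <audit_name>"""
        if audit_name not in self.policies:
            raise ValueError("unknown audit policy " + audit_name)
        self.interfaces[if_name] = audit_name

    def signature_disable(self, sig: int) -> None:
        """ip audit signature <sig_number> disable (global, not per interface)"""
        self.disabled.add(sig)

    def evaluate(self, if_name: str, sig: int) -> Optional[Set[str]]:
        """Actions taken when signature `sig` fires on `if_name`; None = not matched."""
        if sig in self.disabled:
            return None
        policy = self.policies.get(self.interfaces.get(if_name, ""))
        if policy is None:
            return None                      # no audit applied to this interface
        cls = SIG_CLASS[sig]
        if cls not in policy:
            return None                      # class never named in the policy: not matched
        actions = policy[cls] if policy[cls] is not None else self.defaults[cls]
        if "reset" in actions:
            actions = actions | {"drop"}     # reset drops the packet and closes the connection
        return set(actions)


def demo() -> Dict[str, Optional[Set[str]]]:
    a = IpAudit()
    a.name("myaudit", "info")                    # no action given: default (alarm) applies
    a.name("myaudit", "attack", {"drop"})
    a.interface("outside", "myaudit")
    a.signature_disable(2000)                    # silence ICMP Echo Reply globally

    info_only = IpAudit()
    info_only.name("infoonly", "info", {"alarm"})   # attack line omitted
    info_only.interface("outside", "infoonly")

    strict = IpAudit()
    strict.default_action("attack", {"reset"})   # ip audit attack action reset
    strict.name("strict", "info")
    strict.name("strict", "attack")
    strict.interface("dmz", "strict")

    return {
        "echo_reply_disabled": a.evaluate("outside", 2000),
        "rpc_dump_default_alarm": a.evaluate("outside", 6102),
        "ping_of_death_dropped": a.evaluate("outside", 2154),
        "no_policy_on_dmz": a.evaluate("dmz", 2154),
        "attack_not_matched_when_only_info": info_only.evaluate("outside", 3041),
        "reset_implies_drop": strict.evaluate("dmz", 3041),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(k, v)
```

The info-only case is the trap: a policy that names only the informational class silently ignores every attack signature, which is the opposite of what an operator who wrote only one line usually intends.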

Supported Signatures

Unfortunately, Cisco's own documentation is not entirely clear about the signatures supported in each specific version. The best way to check what your PIX can do in the area of attack detection is to browse the list of syslog messages produced by the specific version (for example, see the Cisco PIX Firewall System Log Messages guide). For version 6.2, syslog messages numbered from 400000 to 400050 are reserved for IDS messages. Their format is shown here:

%PIX-4-4000nn: IDS:sig_num sig_msg from ip_addr to ip_addr on interface if_name

This syslog message means that the PIX has detected an attack with number sig_num and name sig_msg. The two IP addresses show the source and the destination of this attack. Finally, the interface on which the attack was detected is mentioned. For example:

%PIX-4-400013 IDS:2003 ICMP redirect from 1.2.3.4 to 10.2.3.1 on interface dmz

Table 4.2 lists all signatures detected by the PIX, with short descriptions.

Table 4.2 PIX IDS Signatures

Message   Signature   Signature Title                                  Signature Type
Number    ID
400000    1000        IP options-Bad Option List                       Informational
400001    1001        IP options-Record Packet Route                   Informational
400002    1002        IP options-Timestamp                             Informational
400003    1003        IP options-Security                              Informational
400004    1004        IP options-Loose Source Route                    Informational
400005    1005        IP options-SATNET ID                             Informational
400006    1006        IP options-Strict Source Route                   Informational
400007    1100        IP Fragment Attack                               Attack
400008    1102        IP Impossible Packet                             Attack
400009    1103        IP Fragments Overlap                             Attack
400010    2000        ICMP Echo Reply                                  Informational
400011    2001        ICMP Host Unreachable                            Informational
400012    2002        ICMP Source Quench                               Informational
400013    2003        ICMP Redirect                                    Informational
400014    2004        ICMP Echo Request                                Informational
400015    2005        ICMP Time Exceeded for a Datagram                Informational
400016    2006        ICMP Parameter Problem on Datagram               Informational
400017    2007        ICMP Timestamp Request                           Informational
400018    2008        ICMP Timestamp Reply                             Informational
400019    2009        ICMP Information Request                         Informational
400020    2010        ICMP Information Reply                           Informational
400021    2011        ICMP Address Mask Request                        Informational
400022    2012        ICMP Address Mask Reply                          Informational
400023    2150        Fragmented ICMP Traffic                          Attack
400024    2151        Large ICMP Traffic                               Attack
400025    2154        Ping of Death Attack                             Attack
400026    3040        TCP NULL flags                                   Attack
400027    3041        TCP SYN+FIN flags                                Attack
400028    3042        TCP FIN only flags                               Attack
400029    3153        FTP Improper Address Specified                   Informational
400030    3154        FTP Improper Port Specified                      Informational
400031    4050        UDP Bomb attack                                  Attack
400032    4051        UDP Snork attack                                 Attack
400033    4052        UDP Chargen DoS attack                           Attack
400034    6050        DNS HINFO Request                                Attack
400035    6051        DNS Zone Transfer                                Attack
400036    6052        DNS Zone Transfer from High Port                 Attack
400037    6053        DNS Request for All Records                      Attack
400038    6100        RPC Port Registration                            Informational
400039    6101        RPC Port Unregistration                          Informational
400040    6102        RPC Dump                                         Informational
400041    6103        Proxied RPC Request                              Attack
400042    6150        ypserv (YP server daemon) Portmap Request        Informational
400043    6151        ypbind (YP bind daemon) Portmap Request          Informational
400044    6152        yppasswdd (YP password daemon) Portmap Request   Informational
400045    6153        ypupdated (YP update daemon) Portmap Request     Informational
400046    6154        ypxfrd (YP transfer daemon) Portmap Request      Informational
400047    6155        mountd (mount daemon) Portmap Request            Informational
400048    6175        rexd (remote execution daemon) Portmap Request   Informational
400049    6180        rexd (remote execution daemon) Attempt           Informational
400050    6190        statd Buffer Overflow                            Attack

The signature IDs listed in the table correspond to signature numbers on the Cisco Secure IDS appliance. See www.cisco.com/univercd/cc/td/doc/product/iaabu/csids/csids1/csidsug/sigs.htm (Cisco Secure Intrusion Detection System Version 2.2.1 User Guide) for a complete reference. All signatures are divided into two classes: informational and attack. The division is rather arbitrary and cannot be changed, but it makes sense most of the time. For example, all DoS attacks are listed as attacks, and all information requests only have informational status. You might feel that if somebody tries to obtain information on RPC services on one of your hosts, this constitutes an attack, but it is still listed as informational by Cisco. Generalizing a little, it is possible to suggest the following reasoning on attack classification (from top to bottom in the table):

• Packets with IP options will not do any harm because they are always dropped by the PIX, so if these packets are detected, send only an informational message.

• Fragmented packets can pass through the firewall and are generally difficult to inspect, so they constitute an attack attempt.

• Legitimate ICMP traffic, although unwanted and maybe revealing some information about your network (for example, ICMP Information Request), is not classified as an attack.

• Fragmented ICMP, Ping of Death, and so on are considered attacks.

• Impossible TCP flag combinations are considered attacks because they are sometimes used for stealth scanning of networks.

• All floods/DoS attempts (including the UDP Snork attack) are classified as attacks.

• DNS transfers are classified as attacks; they reveal too much about the network.

• General RPC requests and all information requests for various RPC services are not considered that harmful and are classified as informational.

• Some specific one-packet attacks on RPC services are recognized separately.
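As an added example (not from the book), the following Python parses IDS syslog lines in the format shown above and triages them against a subset of Table 4.2. Run over constructed log lines, it shows the "noisy signature" problem from the Disabling Signatures section: counting per signature before and after simulating ip audit signature 2000 disable. The sample lines, the SIGNATURES subset and the function names are constructed for this example.

```python
import re
from collections import Counter
from dataclasses import dataclass
from typing import Dict, Iterable, Optional, Tuple

# Subset of Table 4.2: signature ID -> (title, class). Extend from the table as needed.
SIGNATURES: Dict[int, Tuple[str, str]] = {
    1100: ("IP Fragment Attack", "attack"),
    2000: ("ICMP Echo Reply", "info"),
    2003: ("ICMP Redirect", "info"),
    2154: ("Ping of Death Attack", "attack"),
    3041: ("TCP SYN+FIN flags", "attack"),
    6051: ("DNS Zone Transfer", "attack"),
    6102: ("RPC Dump", "info"),
}

# %PIX-4-4000nn: IDS:sig_num sig_msg from ip_addr to ip_addr on interface if_name
# The colon after the message number is optional: the text shows it both ways.
IDS_RE = re.compile(
    r"%PIX-4-(?P<msgno>4000\d\d):?\s+IDS:(?P<sig>\d+)\s+(?P<msg>.+?)\s+from\s+"
    r"(?P<src>\S+)\s+to\s+(?P<dst>\S+)\s+on\s+interface\s+(?P<ifname>\S+)")


@dataclass(frozen=True)
class IdsEvent:
    msgno: int
    sig: int
    msg: str
    src: str
    dst: str
    ifname: str

    @property
    def sig_class(self) -> str:
        return SIGNATURES.get(self.sig, ("unknown", "unknown"))[1]


def parse_ids_line(line: str) -> Optional[IdsEvent]:
    """Return an IdsEvent for a 4000xx IDS syslog line, None for anything else."""
    m = IDS_RE.search(line)
    if m is None:
        return None
    return IdsEvent(int(m["msgno"]), int(m["sig"]), m["msg"],
                    m["src"], m["dst"], m["ifname"])


def triage(lines: Iterable[str], disabled: Iterable[int] = ()) -> Dict[str, object]:
    """Count events per signature, ignoring signatures that an
    `ip audit signature N disable` would have silenced, and tally the sources
    of attack-class events."""
    skip = set(disabled)
    per_sig: Counter = Counter()
    attack_sources: Counter = Counter()
    for line in lines:
        ev = parse_ids_line(line)
        if ev is None or ev.sig in skip:
            continue
        per_sig[ev.sig] += 1
        if ev.sig_class == "attack":
            attack_sources[ev.src] += 1
    noisiest = per_sig.most_common(1)[0][0] if per_sig else None
    return {"per_sig": dict(per_sig), "attack_sources": dict(attack_sources),
            "noisiest": noisiest}


# Constructed sample lines (not a real capture): echo replies drown out the one
# RPC Dump probe and the one Ping of Death.
SAMPLE_LOG = [
    "%PIX-4-400010: IDS:2000 ICMP echo reply from 10.2.3.1 to 1.2.3.4 on interface outside",
    "%PIX-4-400010: IDS:2000 ICMP echo reply from 10.2.3.2 to 1.2.3.4 on interface outside",
    "%PIX-4-400010: IDS:2000 ICMP echo reply from 10.2.3.3 to 1.2.3.4 on interface outside",
    "%PIX-4-400040: IDS:6102 RPC Dump from 1.2.3.4 to 10.2.3.7 on interface outside",
    "%PIX-4-400010: IDS:2000 ICMP echo reply from 10.2.3.4 to 1.2.3.4 on interface outside",
    "%PIX-4-400025: IDS:2154 Ping of Death attack from 1.2.3.9 to 10.2.3.1 on interface outside",
    "%PIX-4-400013 IDS:2003 ICMP redirect from 1.2.3.4 to 10.2.3.1 on interface dmz",
    "%PIX-6-302013: Built inbound TCP connection 12 for outside:1.2.3.4/1025",
]

if __name__ == "__main__":
    print(triage(SAMPLE_LOG))
    print(triage(SAMPLE_LOG, disabled=[2000]))
```

Pointing the script at a syslog file instead of SAMPLE_LOG gives the per-signature counts that tell you which informational signatures to disable, and the attack_sources tally is the list of candidates for a shun.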

Configuring Attack Detection

One of the important features of the PIX firewall is its attack detection capability. Cisco has a dedicated IDS product called Cisco Secure IDS (formerly the NetRanger appliance), but a limited part of its functionality is implemented in both Cisco IOS and the Cisco PIX. Because the PIX is basically an OSI Layer 3 and 4 filtering device, it supports detection of only the simpler attacks that occur on these layers of network communication and can be detected by examining a single packet in the traffic. The IDS signatures (that is, descriptions of attacks) that the PIX supports are a subset of the Cisco Secure IDS signature set and are embedded in the PIX software. In order to upgrade this set of signatures, you need to upgrade the whole PIX firmware using the standard upgrade procedure. Doing so does not pose a big problem, though, because these signatures describe very common and simple attacks, which are not invented often. Attack detection can be configured on each interface in the inbound and outbound directions. When the PIX detects a signature, the device produces an alert (the alert can be of two types, "information" or "attack," depending on the severity of the attack) and sends it via syslog to the configured destination.

Filtering ActiveX Objects

Java has a more or less robust security model for its active code (there has been only one big security issue with it, and that was due to the poor implementation of this model in some versions of Netscape), but ActiveX objects have almost unrestricted access to the client's machine.

The command to configure filtering of ActiveX code (and all active content that is embedded in "object" tags) is very similar to Java filtering:

filter activex port[-port] local_ip local_mask foreign_ip foreign_mask

Here is an example:

PIX1(config)# filter activex 80 0 0 0 0

This command configures the PIX to comment out all pairs of "object" tags from all incoming Web pages, disabling ActiveX and some Java applets.

Filtering Java Applets

To configure filtering of Java applets, use the following command:

filter java port[-port] local_ip local_mask foreign_ip foreign_mask

Here is an example:

PIX1(config)# filter java 80 0 0 0 0
PIX1(config)# filter java 80 192.168.2.17 255.255.255.255 0 0

The first command configures the PIX to drop all Java applets from incoming Web pages; the second prohibits only one host, 192.168.2.17, from downloading Java applets. The port parameter, as usual, specifies the TCP port on which to perform the inspection.

Active Code Filtering

As mentioned, active content in Web pages could be considered undesirable from a security point of view. Fortunately, there is a rather simple and effective way to prevent this content from reaching clients. In HTML, active content is denoted by two types of tags. The first is:

<object>
</object>

These tags are more common for ActiveX content, but they can also be used by Java applets. There are also Java-only tags:

<applet>
</applet>

When configured to look for active content, the PIX simply comments out both of these tags inside a TCP packet and the content between them, so they are skipped by the client's browser and the embedded code is not run. The only problem with this approach is that when the opening tag is in one packet and the closing tag is in another packet, the PIX cannot perform this operation and the Web page is passed as is. Because a hostile server can arrange for the tags to straddle a packet boundary, this filter is a best-effort control rather than a guarantee. For example, the HTML code inside an incoming packet might be as shown in Figure 4.10.
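To show the filter and its packet-boundary gap concretely, here is an added Python model (not PIX code; FilterRule, comment_out and filter_stream are assumed names, and the address/mask matching follows the 0 0 "any" convention of the commands above). It comments out complete tag pairs within a single segment only, so a pair split across two segments survives, and it shows that the activex filter leaves a bare applet tag alone.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import Dict, Iterable, List, Tuple

TAGS = {"java": ("applet",), "activex": ("object",)}   # tags each filter comments out


def _addr(s: str) -> int:
    """CLI spelling: a bare 0 for address or mask means 'any'."""
    return 0 if s == "0" else int(ipaddress.IPv4Address(s))


@dataclass(frozen=True)
class FilterRule:
    """filter {java|activex} port[-port] local_ip local_mask foreign_ip foreign_mask"""
    kind: str
    port_lo: int
    port_hi: int
    local_ip: str
    local_mask: str
    foreign_ip: str
    foreign_mask: str

    def applies(self, local_ip: str, foreign_ip: str, port: int) -> bool:
        def in_net(ip: str, net: str, mask: str) -> bool:
            return _addr(ip) & _addr(mask) == _addr(net) & _addr(mask)
        return (self.port_lo <= port <= self.port_hi
                and in_net(local_ip, self.local_ip, self.local_mask)
                and in_net(foreign_ip, self.foreign_ip, self.foreign_mask))


def comment_out(segment: bytes, tags: Iterable[str]) -> Tuple[bytes, int]:
    """Comment out every complete <tag ...>...</tag> pair inside ONE TCP segment.
    Returns the rewritten segment and the number of pairs neutralised. A pair whose
    closing tag sits in a later segment is left intact, the gap the text describes."""
    count = 0
    for tag in tags:
        t = re.escape(tag).encode()
        pattern = re.compile(rb"<\s*" + t + rb"(?:\s[^>]*)?>.*?</\s*" + t + rb"\s*>",
                             re.IGNORECASE | re.DOTALL)
        # '--' inside the wrapped text would end the HTML comment early, so defuse it
        segment, n = pattern.subn(
            lambda m: b"<!-- " + m.group(0).replace(b"--", b"- -") + b" -->", segment)
        count += n
    return segment, count


def filter_stream(segments: List[bytes], kind: str) -> Tuple[List[bytes], int]:
    """Apply the filter segment by segment, as the PIX does, without reassembly."""
    out: List[bytes] = []
    total = 0
    for seg in segments:
        seg, n = comment_out(seg, TAGS[kind])
        out.append(seg)
        total += n
    return out, total


def demo() -> Dict[str, object]:
    page = (b'<html><body><object classid="clsid:D27CDB6E"><param name="a" value="b">'
            b'</object><applet code="Evil.class"></applet></body></html>')
    whole, n_activex = filter_stream([page], "activex")
    split_in = [b'<html><applet code="Evil.class">', b'</applet></html>']
    split_out, n_split = filter_stream(list(split_in), "java")
    # filter java 80 192.168.2.17 255.255.255.255 0 0
    rule = FilterRule("java", 80, 80, "192.168.2.17", "255.255.255.255", "0", "0")
    return {
        "activex_pairs_removed": n_activex,
        "object_commented": b"<!-- <object" in whole[0],
        "applet_untouched_by_activex": (b"<applet code" in whole[0]
                                        and b"<!-- <applet" not in whole[0]),
        "split_pairs_removed": n_split,
        "split_page_unchanged": split_out == split_in,
        "rule_hits_host": rule.applies("192.168.2.17", "203.0.113.5", 80),
        "rule_misses_other_host": rule.applies("192.168.2.18", "203.0.113.5", 80),
        "rule_misses_other_port": rule.applies("192.168.2.17", "203.0.113.5", 8080),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(k, v)
```

The split_page_unchanged result is the failure mode the text warns about: the same applet that is neutralised when it arrives in one segment reaches the browser untouched when its opening and closing tags arrive in two.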

Fine-Tuning and Monitoring the Filtering Process

The two commands we just looked at, url-server and filter url, constitute a basic configuration for URL filtering, but some other parameters might need to be configured. One of these is required to deal with the problem of long URLs, which are common nowadays to store session and other information in the URL itself. A typical long URL could look like this:

http://www.somebettingcompany.com/?action=GoEv&class_id=1&type_id=2&ev_id=4288&class_name=%7CFootball%7C&type_name=%7CChampions+League%7C+%7CQualifying+Matches%7C&ev_name=%7CGenk%7C+v+%7CSparta+Prague%7C

Until version 6.2, the PIX's maximum supported URL length was 1159 bytes (for Websense only; N2H2 was not supported at all). In version 6.2, the maximum URL length for Websense filtering is 6KB and 1159 bytes for N2H2. Version 6.2 introduced new options to the filter command to configure the firewall's behavior when the URL exceeds 1159 bytes with a Websense server. The syntax of this command is as follows:

filter url port[-port] local_ip local_mask foreign_ip foreign_mask [longurl-truncate | longurl-deny] [cgi-truncate]

The longurl-truncate parameter specifies that when the URL length exceeds the maximum, only the IP address or hostname from the request, instead of the full URL, is sent to the filtering server. The longurl-deny parameter specifies that all long URL requests should be dropped. The cgi-truncate parameter specifies that only the CGI script name and its location (the part of the URL before the ? sign) should be passed as the URL to the Websense server. This skips the CGI parameter list, which can be quite long. Without this option enabled, the entire URL, including the parameter list, is passed. Note the trade-off: with longurl-truncate or cgi-truncate, the filtering server never sees the part of the URL that was removed, so any policy that keys on a path or on CGI parameters is bypassed for those requests; longurl-deny is the fail-closed choice.

NOTE

Even in PIX 6.2, the default URL size passed to a Websense filtering server for processing is 2KB. In order to increase this size, use the command url-block url-size size_in_kb, where size_in_kb can be from 2 to 6.

There are also commands for fine-tuning performance. The most important is the url-cache command:

url-cache {dst | src_dst} size kbytes

This command is used for tuning the process of caching replies from the filtering servers. By default, the PIX sends requests to the URL filtering server for a decision and to the Web server for content at the same time, and if the Web server replies faster than the filtering server, the Web server's reply is dropped. The Web server is then contacted again if the filtering server permits the connection. In order to avoid these repeated requests, you might want to store the filtering server replies locally instead of contacting the server every time. The url-cache command enables a cache of kbytes kilobytes for replies of filtering servers based either on destination (that is, Web server address) when the dst option is specified or on both source and destination when src_dst is specified. The first option is recommended when all users have the same access privileges (so there is no need to distinguish clients), and the second is recommended when different users have different access privileges: with dst caching, a decision cached for one client is reused for every client, so a user who should be denied a site could inherit a permit obtained by a more privileged user. The statistics of the caching process, including the hit ratio, can be viewed by running the command:

show url-cache stat

For example, the following command enables a cache of 32KB for all outgoing HTTP requests:

PIX1(config)# url-cache dst size 32

The following are cache statistics:

PIX1# show url-cache stat
URL Filter Cache Stats
-----------------------
Size : 32KB
Entries : 360
In Use : 200
Lookups : 2000
Hits : 1000
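As an added example serving both the long-URL options above and the url-cache discussion (not PIX code), the following Python models what reaches the filtering server under longurl-truncate, longurl-deny and cgi-truncate for the N2H2 and Websense limits quoted in the text, and an LRU cache keyed by destination or by source and destination that reports lookups and hits like show url-cache stat. The byte accounting per cache entry, the pass-through behaviour when neither long-URL option is set, and the function names are assumptions.

```python
from collections import OrderedDict
from typing import Dict, Optional, Tuple
from urllib.parse import urlsplit

N2H2_MAX_URL = 1159                      # bytes, from the text
WEBSENSE_DEFAULT_URL_KB = 2              # url-block url-size default, 2..6 KB


def url_for_filter_server(url: str, vendor: str, longurl_truncate: bool = False,
                          longurl_deny: bool = False, cgi_truncate: bool = False,
                          url_size_kb: int = WEBSENSE_DEFAULT_URL_KB) -> Optional[str]:
    """The URL string handed to the filtering server; None means the request is dropped."""
    if vendor == "n2h2":
        limit = N2H2_MAX_URL
    elif vendor == "websense":
        if not 2 <= url_size_kb <= 6:
            raise ValueError("url-block url-size must be 2..6")
        limit = url_size_kb * 1024
    else:
        raise ValueError("unknown vendor " + vendor)
    if cgi_truncate and "?" in url:
        url = url.split("?", 1)[0]           # script name and location only
    if len(url.encode()) <= limit:
        return url
    if longurl_deny:
        return None                          # fail closed
    if longurl_truncate:
        p = urlsplit(url)
        return "%s://%s/" % (p.scheme, p.netloc)   # host only: path policy not consulted
    return url          # assumption: with neither option set the model passes it through


class UrlCache:
    """url-cache {dst | src_dst} size kbytes, as an LRU of filtering decisions.
    The per-entry byte cost is an assumption; the PIX's real accounting is not on the page."""

    def __init__(self, mode: str, size_kb: int):
        if mode not in ("dst", "src_dst"):
            raise ValueError(mode)
        self.mode = mode
        self.capacity = size_kb * 1024
        self.entries: "OrderedDict[Tuple[str, ...], bool]" = OrderedDict()
        self.used = 0
        self.lookups = 0
        self.hits = 0

    def _key(self, src: str, url: str) -> Tuple[str, ...]:
        host = urlsplit(url).netloc
        return (host,) if self.mode == "dst" else (src, host)

    @staticmethod
    def _cost(key: Tuple[str, ...]) -> int:
        return sum(len(part) for part in key) + 1

    def lookup(self, src: str, url: str) -> Optional[bool]:
        """Cached permit/deny decision, or None on a miss (then ask the filtering server)."""
        self.lookups += 1
        key = self._key(src, url)
        if key in self.entries:
            self.hits += 1
            self.entries.move_to_end(key)
            return self.entries[key]
        return None

    def store(self, src: str, url: str, permitted: bool) -> None:
        key = self._key(src, url)
        if key in self.entries:
            self.used -= self._cost(key)
            del self.entries[key]
        while self.entries and self.used + self._cost(key) > self.capacity:
            old, _ = self.entries.popitem(last=False)      # evict least recently used
            self.used -= self._cost(old)
        self.entries[key] = permitted
        self.used += self._cost(key)

    def stats(self) -> Dict[str, int]:
        return {"entries": len(self.entries), "lookups": self.lookups, "hits": self.hits}


def demo() -> Dict[str, object]:
    # Constructed long URL in the style of the betting-site example above (about 3 KB).
    long_url = "http://www.somebettingcompany.com/?action=GoEv&" + "&".join(
        "p%d=%d" % (i, i) for i in range(400))
    out: Dict[str, object] = {
        "n2h2_truncate": url_for_filter_server(long_url, "n2h2", longurl_truncate=True),
        "n2h2_deny": url_for_filter_server(long_url, "n2h2", longurl_deny=True),
        "websense_cgi": url_for_filter_server(long_url, "websense", cgi_truncate=True),
        "websense_6k_fits": url_for_filter_server(long_url, "websense", url_size_kb=6) == long_url,
    }
    # Same site fetched by two clients: dst mode reuses the first decision for the
    # second client, src_dst mode asks the filtering server again.
    for mode in ("dst", "src_dst"):
        cache = UrlCache(mode, 32)
        for client in ("192.168.2.5", "192.168.2.6"):
            if cache.lookup(client, "http://www.example.com/news") is None:
                cache.store(client, "http://www.example.com/news", True)
        out[mode + "_stats"] = cache.stats()
    return out


if __name__ == "__main__":
    for k, v in demo().items():
        print(k, v)
```

The dst_stats and src_dst_stats values show why the text recommends src_dst when users have different privileges: in dst mode the second client gets the first client's cached decision without the filtering server ever seeing the request.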

Another option for overcoming slow filtering server response is to buffer Web server replies in advance and pass these replies to the client after the filtering server permits it. This feature is configured on the PIX using the following command:

url-block block block_buffer_limit

This command configures the size of the reply buffer. The block_buffer_limit parameter can be any number between 1 and 128 and defines how many blocks of memory will be used. Usage statistics for this memory pool can be viewed by using the show url-block block stat command. For example:

pix(config)# show url-block block stat
URL Pending Packet Buffer Stats with max block 1
----------------------------------------------------------
Cumulative number of packets held: 0
Maximum number of packets held (per URL): 0
Current number of packets held (global): 0
Packets dropped due to exceeding url-block buffer limit: 0
Packet drop due to retransmission: 0

The total amount of memory used for storing URLs and pending URLs (the ones for which no reply from the filtering server has yet been received) is configured with the command:

url-block url-mempool memory_pool_size

The size of the allocated memory pool is defined by a number from 2 to 10240, the number in KB.

Other commands for viewing the configuration of URL filtering are:

show filter
show url-server
show url-server stats

Here is some example output from these commands:

PIX1# show url-server
url-server (outside) vendor n2h2 host 192.168.2.17 port 4005 timeout 5 protocol TCP
url-server (outside) vendor n2h2 host 192.168.2.10 port 4005 timeout 5 protocol TCP

PIX1# show filter
filter url http 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0

PIX1# show url-server stats
URL Server Statistics:
----------------------
Vendor n2h2
URLs total/allowed/denied 2556/2000/556

URL Server Status:
------------------
192.168.2.17 UP
192.168.2.10 DOWN

The following commands can also be used for monitoring the performance of the URL filtering process:

show perfmon
show memory
show chunks