Book Excerpt: Cisco Secure Internet Security Solutions, Part 1

By Cisco Press | Sep 12, 2001
http://www.enterprisenetworkingplanet.com/netsecur/article.php/883401/Book-Excerpt-Cisco-Secure-Internet-Security-Solutions-Part-1.htm

Cisco Secure Internet Security Solutions - Chapter 4
by Andrew Mason, Mark Newcomb

Cisco Secure PIX Firewall - Part 1

This chapter focuses on the Cisco Secure Private Internet Exchange (PIX) Firewall. The strength of the security features within the PIX lies in the fact that it was designed solely as a firewall. Although a PIX Firewall will do a limited amount of routing, the real purposes of the PIX are to deny unsolicited outside traffic entry to your LAN and to form secure Virtual Private Networks (VPNs) between remote locations. A router requires a great deal of configuration to act effectively as a firewall. The PIX, however, requires only six commands before it can be placed into service. The PIX is easy to configure and, beyond keeping its software current, generally requires no routine maintenance once configured.

The larger a sphere is, the larger its surface area. If you liken the security exposure of an operating system to a sphere, you soon realize that the larger the operating system, the larger the "surface area" that must be defended. A router, with a much larger operating system, must be carefully configured to stop intruders, prevent denial of service (DoS) attacks, and secure the LAN. The PIX operating system, originally designed for a Network Address Translation (NAT) device, is not a general-purpose operating system; it is a small real-time system, unlike both Windows NT and UNIX. The PIX therefore presents fewer opportunities for a security breach: the smaller the operating system, the less chance that an area has been overlooked in the development process.

The PIX does not share the security holes present within UNIX or Windows NT, because it runs neither. The operating system is proprietary, and its inner workings are not published for use outside of Cisco Systems. The general networking public does not have access to the source code for the PIX, so the opportunities for finding and exploiting a vulnerability are reduced, although not removed; PIX software still has to be kept current with Cisco's security advisories. The inner workings of the PIX Firewall are so closely held that the authors of this book were not able to gain access to them.

There are several advantages to using the PIX over a router or a UNIX, Linux, or Windows NT-based firewall. The benefits of using a PIX include the following:

  • PIX's Adaptive Security Algorithm (ASA), combined with cut-through proxy, allows the PIX to deliver outstanding performance
  • Up to 500,000 connections simultaneously
  • Throughput speeds up to 1000 Mbps
  • Failover capabilities on most models
  • An integrated appliance
  • IPSec VPN support
  • NAT and Port Address Translation (PAT) fully supported
  • Low packet delay
  • Low cost of ownership due to no OS maintenance
  • Integrated Intrusion Detection System (IDS)
  • High reliability, no hard disk, Mean Time Between Failure greater than 60,000 hours
  • Common Criteria EAL2 certification

PIX Models
The PIX Firewall comes in four main models, with an additional model that's being phased out. Ranging in size from models designed for the home or small office through enterprise level firewalls, the PIX models allow for virtually any size of organization to be protected.

The models are as follows:

  • PIX 506
  • PIX 515
  • PIX 520/525
  • PIX 535
The features of each model follow.

PIX 506
The PIX 506 is the smallest of the PIX Firewalls available. Currently list-priced at less than U.S. $2000, the 506 is designed for firewall protection of the home or small business office. The 506 is approximately one-half the width of the rest of the PIX models. The capabilities and hardware features of the 506 are as follows:

  • 10 Mbps throughput
  • 7 Mbps throughput for Triple Data Encryption Standard (3DES) connections
  • Up to ten simultaneous IPSec Security Associations (SAs)
  • 200 MHz Pentium MMX processor
  • 32 MB SDRAM
  • 8 MB Flash memory
  • Two integrated 10/100 ports

PIX 515
The PIX 515 is designed for larger offices than those of the 506. There are three main advantages of the 515 over the 506. The first advantage is the ability to create demilitarized zones (DMZs) through the use of an additional network interface. The second advantage is the throughput speed and number of simultaneous connections supported. The third advantage is the ability to support a failover device that will assume the duties of the primary PIX should there be a failure. The PIX 515 comes in two models, the 515 Restricted (515-r) and the 515 Unrestricted (515-ur). The characteristics of these two models follow.
PIX 515-r:

  • No failover devices supported.
  • A single DMZ can be used.
  • Ethernet must be the LAN protocol.
  • Maximum of three interfaces may be used.
  • 32 MB RAM.
PIX 515-ur:
  • Failover devices are supported.
  • Two DMZs may be implemented.
  • Ethernet must be the LAN protocol.
  • Maximum of six interfaces may be used.
  • 64 MB RAM.
These two models are essentially the same hardware with different memory and software. It is possible to purchase a 515-r and upgrade it to a 515-ur by adding more memory and updating the operating system; the net cost to the user is very close to the purchase price of a 515-ur. The capabilities and hardware features of the 515 follow:

  • Rack mountable
  • Up to 100,000 simultaneous connections
  • Up to 170 Mbps throughput
  • Up to six interfaces (three on the 515-r, as listed above)
  • Up to 64 MB SDRAM
  • 16 MB Flash memory
  • 200 MHz Pentium MMX processor

PIX 520/525
The PIX 520, sometimes called the classic PIX, is in the process of being phased out in favor of the newer design of the model 525. Both of these firewalls have the same underlying hardware.

The PIX 525 is designed for a large organization and has the following capabilities and hardware features:

  • Rack mountable
  • More than 256,000 simultaneous connections
  • Six to eight integrated Ethernet cards
  • Up to four Token Ring cards
  • Up to four FDDI or four Gigabit Ethernet cards
  • More than 240 Mbps throughput
  • Up to 256 MB RAM

PIX 535
The PIX 535 is designed for large enterprise and Internet service provider (ISP) environments where an extreme amount of traffic must be secured. This is presently the largest PIX Firewall available and has the following capabilities and hardware features:

  • Rack mountable
  • More than 500,000 simultaneous connections
  • Six to eight integrated Ethernet cards
  • Up to four Token Ring cards
  • Up to four FDDI or eight Gigabit Ethernet cards
  • More than 1,000 Mbps throughput
  • 512 to 1024 MB RAM

PIX Features
The PIX Firewalls, regardless of model number, all provide the same security features. The PIX is a stateful firewall that protects the corporate network in part by concealing the addressing and layout of the internal network from those outside. The main operating features of the PIX follow:

  • TCP sequence number randomization -- Blind TCP spoofing and session hijacking rely on the ability to guess the initial sequence number (ISN) a host will choose, because the attacker never sees the victim's SYN/ACK. The PIX replaces the ISN of each TCP session it passes with a random value, so even a host with a predictable ISN generator behind the PIX does not expose a guessable sequence.
  • Stateful filtering -- This is the secure method of analyzing packets also known as the Adaptive Security Algorithm (ASA). When a host on a trusted interface opens a connection toward a less trusted interface, the PIX records the connection (addresses, ports, protocol, and TCP state) in its connection table. Every packet arriving from the less trusted side is matched against that table: a packet that belongs to a recorded connection is passed, and a packet that does not is dropped. In particular, an inbound packet with only the SYN bit set is a request for a new connection that no inside host asked for, and it is dropped unless the administrator has explicitly permitted it. This blocks unsolicited inbound connection attempts, including SYN floods aimed at hosts that are not exposed; SYN floods against hosts that are deliberately exposed are handled by the half-open connection limits of the flood defender, described below.
  • Network Address Translation (NAT) -- NAT rewrites the source IP address of every packet a host sends out and the destination IP address of every packet coming back to that host. Hosts outside the LAN therefore never learn the true IP address of a local host. Dynamic NAT, as described here, draws the outside address from a pool of global IP addresses; the address a local host receives changes as addresses are used and returned to the pool.
  • Port Address Translation (PAT) -- PAT is similar to NAT except that all local hosts share the same global IP address. The PIX rewrites both the source address and the source port of each session, assigning a distinct port per session, and keeps the mapping in a translation table so that returning packets can be directed back to the right local host. Both PAT and NAT can be used concurrently on a PIX Firewall.
  • Embedded operating system -- A UNIX, Linux, or Windows NT machine can be used as a proxy server, but its throughput is slower by design than that of the PIX. On a general-purpose host, a proxy receives an Ethernet frame, strips off the header, extracts the IP packet, and passes that packet up through the protocol stack to the application layer (Layer 7), where the proxy software terminates the connection, rewrites the addressing, and builds a new packet that is handed all the way back down the stack to Layer 1 for transmission. This costs a large number of CPU cycles per packet and introduces delay. Because the PIX runs its own embedded operating system rather than a general-purpose protocol stack, it can inspect and forward packets in a single pass at the network and transport layers, which is what makes cut-through proxy possible.
  • Cut-through proxy and ASA -- The combination of cut-through proxy and ASA allows the PIX to process more than 500,000 connections simultaneously with very little packet delay. Cut-through proxy means that the opening of a session is checked at the application layer, as in any proxy server (for example, to authenticate the user once), and all subsequent packets of that session are then passed at the packet level under ASA rather than through an application proxy. This technique allows the PIX to transfer packets extremely efficiently.
  • DNS guard -- By default, all outgoing DNS requests are allowed. The PIX tracks each query and admits only the first matching response into the LAN; it then closes the connection slot immediately rather than waiting for the UDP timeout, so later duplicate or spoofed answers are dropped.
  • Mail guard -- Only the seven minimum SMTP commands of RFC 821 are allowed through to a Simple Mail Transfer Protocol (SMTP) server on an inside interface: HELO, MAIL, RCPT, DATA, RSET, NOOP, and QUIT. The PIX responds with an OK to all other mail commands, without forwarding them, to confuse attackers. This is configured with the fixup protocol smtp command.
  • Flood defender -- This limits the total number of connections and the number of half-open (embryonic) connections. User Datagram Protocol (UDP) response packets that either have not been requested or arrive after a timeout period are also dropped.
  • ICMP deny -- By default, the PIX does not pass Internet Control Message Protocol (ICMP) traffic from a less trusted interface to the inside interface. The administrator must specifically allow any ICMP types that are needed (for example, echo replies for troubleshooting).
  • IP Frag Guard -- This limits IP fragments to 100 full fragmented packets per second per internal host, and it accepts a non-initial fragment only after the initial fragment of the same datagram has been seen. This blocks fragmentation-based DoS attacks such as teardrop. (LAND.c, often listed alongside it, is a different attack, a SYN whose source and destination are identical, which the PIX rejects as a malformed packet rather than as a fragment.)
  • Flood guard -- This feature is designed to prevent DoS attacks that continuously request authentication of a user. The repetitive authentication requests in this type of attack are designed to exhaust memory on a network device. The PIX handles authentication in a subsystem with its own bounded memory; when an excessive number of authentication requests are outstanding, the PIX starts dropping these requests and reclaiming their memory, thus defeating this form of attack.
  • Automatic Telnet denial -- By default, the PIX accepts no Telnet connections; until Telnet is explicitly enabled for specific management hosts, administration is through the console port. Even when enabled, Telnet to the outside interface is not accepted unless the session is protected by IPSec. When enabling Telnet, permit only those hosts that actually need it.
  • Dynamic Host Configuration Protocol (DHCP) client and server support -- The PIX can rely on a DHCP server to gain an IP address for an interface. As a DHCP server, the PIX provides IP addresses for hosts attached to one of the interfaces.
  • Secure Shell (SSH) support -- The PIX supports the remote shell functionality of SSH version 1. SSH is an application protocol that runs over a connection-oriented transport (Layer 4) protocol, TCP, and provides an encrypted and authenticated replacement for Telnet management sessions. SSH version 1 has known protocol weaknesses, so restrict it to trusted management hosts just as you would Telnet. Support for SSH requires third-party client software, which may be obtained at the following sites:
    -- Windows client:
    hp.vector.co.jp/authors/VA002416/teraterm.html
    -- Linux, Solaris, OpenBSD, AIX, IRIX, HP/UX, FreeBSD, and NetBSD client:
    www.openssh.com
    -- Macintosh client:
    www.lyastor.liu.se/~jonasw/freeware/niftyssh
  • Intrusion Detection System (IDS) -- The PIX integrates the same IDS features that are available on routers through the Cisco Secure IOS. The IDS detects 53 specific types of intrusion. See Chapter 6, "Intrusion Detection Systems," for more details on IDS.
  • TCP intercept -- The PIX can act like a TCP intercept device, isolating protected hosts from direct contact through TCP connections. TCP intercept is discussed in Chapter 2, "Basic Cisco Router Security."
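The first feature in the list, sequence number randomization, is easiest to appreciate by watching a blind spoofing attack succeed against a predictable ISN generator and fail against a random one. The following Python model is an added illustration written for this page, not Cisco's code: the fixed step size of the predictable generator is an assumption chosen for the toy, and the OS's cryptographic random source stands in for the PIX's own randomizer.

```python
"""Why the PIX randomizes TCP initial sequence numbers (ISNs).  Added
illustration written for this page, not Cisco code.  A blind spoofing
attacker forges a SYN with a trusted host's source address, never sees the
victim's SYN/ACK, and so must guess the ISN the victim chose in order to
send a valid final ACK.  The step size below is an assumption for the toy;
RandomIsn uses the OS CSPRNG as a stand-in for the PIX's randomizer."""
import secrets

MASK = 0xFFFFFFFF   # ISNs are 32-bit


class PredictableIsn:
    """Classic scheme: a global counter advanced by a fixed step per connection."""

    def __init__(self, step: int = 64) -> None:
        self.counter = secrets.randbits(32)   # an unknown start value does not help
        self.step = step

    def next(self) -> int:
        self.counter = (self.counter + self.step) & MASK
        return self.counter


class RandomIsn:
    """Per-connection ISN drawn from a cryptographic RNG, as the PIX does."""

    def next(self) -> int:
        return secrets.randbits(32)


def blind_spoof_succeeds(gen) -> bool:
    """The attacker opens two real connections to the victim to learn its ISNs
    and derive the step, then forges a SYN from a spoofed address and must
    supply the ISN the victim assigns to that third connection.  True if the
    guess carried in the forged ACK matches the victim's ISN."""
    first, second = gen.next(), gen.next()      # learned from the probe connections
    step = (second - first) & MASK
    guess = (second + step) & MASK              # what the attacker puts in the forged ACK
    victim_isn = gen.next()                     # chosen for the spoofed SYN, never seen
    return guess == victim_isn


def hit_rate(gen_factory, trials: int = 1000) -> float:
    """Fraction of trials in which the forged handshake completes."""
    return sum(blind_spoof_succeeds(gen_factory()) for _ in range(trials)) / trials


if __name__ == "__main__":
    print("predictable ISN :", hit_rate(PredictableIsn))   # 1.0
    print("randomized ISN  :", hit_rate(RandomIsn))        # 0.0
```

Because the PIX rewrites the ISN of every session it passes, an inside host that still runs the predictable scheme looks like RandomIsn to anyone on the outside.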
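The stateful filtering, NAT/PAT, and flood defender items above describe one mechanism from three angles: a connection table keyed on translated addresses and ports, consulted for every packet arriving from the less trusted side. The Python model below is an added illustration written for this page, not Cisco's code. It is deliberately smaller than the real ASA (it tracks the 5-tuple and a half-open flag, not TCP sequence numbers); the addresses are taken from the RFC 5737 documentation ranges, and the PAT port allocation and the half-open limit of two are assumptions chosen for the demo.

```python
"""Toy model, written for this page, of three PIX behaviours: the connection
table the Adaptive Security Algorithm consults, Port Address Translation on
the outside interface, and the flood defender's limit on half-open
(embryonic) connections.  An illustration, not Cisco code: a real PIX also
tracks TCP sequence numbers and flags.  Addresses are from the RFC 5737
documentation ranges; port allocation and limits are assumptions."""
from dataclasses import dataclass, replace
from typing import Dict, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False
    ack: bool = False


# Connection key as seen on the outside: (global_ip, global_port, remote_ip, remote_port)
Key = Tuple[str, int, str, int]


class PixPat:
    def __init__(self, global_ip: str, max_embryonic: int = 2, first_port: int = 1024):
        self.global_ip = global_ip
        self.max_embryonic = max_embryonic              # assumed flood-defender limit
        self.next_port = first_port                     # assumed PAT port allocation
        self.xlate: Dict[Tuple[str, int], int] = {}     # (inside_ip, inside_port) -> global_port
        self.conns: Dict[Key, dict] = {}                # the state table
        self.drops: Dict[str, int] = {}

    def _drop(self, reason: str) -> None:
        self.drops[reason] = self.drops.get(reason, 0) + 1

    def embryonic(self) -> int:
        """Half-open connections: opened by an inside SYN, no SYN/ACK seen yet."""
        return sum(1 for c in self.conns.values() if not c["established"])

    def outbound(self, pkt: Packet) -> Optional[Packet]:
        """Packet from the trusted (inside) interface bound for the outside.
        Returns the translated packet, or None if the PIX drops it."""
        local = (pkt.src, pkt.sport)
        gport = self.xlate.get(local)
        key = None if gport is None else (self.global_ip, gport, pkt.dst, pkt.dport)
        if key is None or key not in self.conns:
            # A new flow: only a SYN may open one, and only under the half-open limit.
            if not pkt.syn:
                return self._drop("outbound non-SYN with no state")
            if self.embryonic() >= self.max_embryonic:
                return self._drop("embryonic limit reached")
            if gport is None:
                # PAT: every inside host shares global_ip; a fresh port keeps flows apart.
                gport = self.next_port
                self.next_port += 1
                self.xlate[local] = gport
            key = (self.global_ip, gport, pkt.dst, pkt.dport)
            self.conns[key] = {"inside": local, "established": False}
        return replace(pkt, src=self.global_ip, sport=gport)

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        """Packet arriving on the untrusted (outside) interface."""
        if pkt.syn and not pkt.ack:
            return self._drop("unsolicited inbound SYN")   # nobody inside asked for this
        key = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
        conn = self.conns.get(key)
        if conn is None:
            return self._drop("no matching connection")    # spoofed, scanned or stale
        if pkt.syn and pkt.ack:
            conn["established"] = True                     # handshake answered
        inside_ip, inside_port = conn["inside"]
        return replace(pkt, dst=inside_ip, dport=inside_port)


def demo() -> dict:
    """Constructed traffic: two inside hosts, an outside web server, an outside scanner."""
    pix = PixPat("203.0.113.5", max_embryonic=2)
    web = "198.51.100.20"
    r = {}
    r["a"] = pix.outbound(Packet("10.0.0.7", 40001, web, 80, syn=True))
    r["b"] = pix.outbound(Packet("10.0.0.8", 40001, web, 80, syn=True))   # same source port, other host
    r["c_first"] = pix.outbound(Packet("10.0.0.9", 40002, "198.51.100.30", 443, syn=True))  # 3rd half-open
    r["reply_a"] = pix.inbound(Packet(web, 80, "203.0.113.5", 1024, syn=True, ack=True))
    r["c_retry"] = pix.outbound(Packet("10.0.0.9", 40002, "198.51.100.30", 443, syn=True))
    r["scan"] = pix.inbound(Packet("198.51.100.99", 5555, "203.0.113.5", 1024, syn=True))
    r["spoof"] = pix.inbound(Packet("198.51.100.21", 80, "203.0.113.5", 1025, ack=True))
    r["pix"] = pix
    return r


if __name__ == "__main__":
    res = demo()
    for name, val in res.items():
        if name != "pix":
            print(f"{name:8s} -> {'DROP' if val is None else val}")
    print("drops:", res["pix"].drops)
```

Running the demo shows the three properties in one pass: the two inside hosts that both chose source port 40001 leave the PIX as distinct global ports, the third connection attempt is refused while two are still half-open and succeeds once the first SYN/ACK has come back, and the outside scanner's SYN and the spoofed reply from the wrong source both die at the connection table.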

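The Mail guard item above is a good example of what an application-layer fixup has to get right: the command filter must not touch lines inside the DATA body (where a line that spells "VRFY" is just message text), and it must enter body mode only when the server actually accepted DATA. The Python model below is an added illustration written for this page, not Cisco's code. It answers blocked commands with an OK, as the text says the PIX does, and never forwards them. ToyInsideServer is a constructed stand-in for the protected mail server, CLIENT is a constructed session, and the reply strings are assumptions for the demo.

```python
"""Toy version, written for this page, of the PIX Mail Guard behaviour:
only the seven minimum RFC 821 commands reach the inside SMTP server; any
other command is answered by the firewall itself with an OK (as the text
describes) and never forwarded.  Not Cisco code.  ToyInsideServer is a
constructed stand-in for the protected mail server, CLIENT is a constructed
session, and the reply texts are assumptions."""
from typing import List, Optional, Tuple

ALLOWED = {"HELO", "MAIL", "RCPT", "DATA", "RSET", "NOOP", "QUIT"}
GUARD_REPLY = "250 OK"   # what the guard says to a blocked command


class ToyInsideServer:
    """Minimal SMTP receiver: just enough state to accept one message."""

    def __init__(self) -> None:
        self.mail_from: Optional[str] = None
        self.rcpts: List[str] = []
        self.body: List[str] = []
        self.in_data = False

    def handle(self, line: str) -> Optional[str]:
        if self.in_data:                       # collecting the message body
            if line == ".":
                self.in_data = False
                return "250 OK: queued"
            self.body.append(line)
            return None
        verb, _, arg = line.partition(" ")
        verb = verb.upper()
        if verb == "HELO":
            return "250 inside.example"
        if verb == "MAIL":
            self.mail_from = arg
            return "250 OK"
        if verb == "RCPT":
            if self.mail_from is None:
                return "503 need MAIL first"
            self.rcpts.append(arg)
            return "250 OK"
        if verb == "DATA":
            if not self.rcpts:
                return "503 need RCPT first"
            self.in_data = True
            return "354 end with ."
        if verb in ("RSET", "NOOP"):
            if verb == "RSET":
                self.mail_from, self.rcpts = None, []
            return "250 OK"
        if verb == "QUIT":
            return "221 bye"
        return "500 command unrecognized"     # unreachable behind the guard


def mail_guard(client_lines: List[str], server: ToyInsideServer) -> List[Tuple[str, str]]:
    """Run the client's lines through the guard.  Transcript entries are
    ('C>', client line), ('S<', reply relayed from the inside server) or
    ('F<', reply the firewall produced itself; the command was not forwarded)."""
    transcript: List[Tuple[str, str]] = []
    in_data = False
    for line in client_lines:
        transcript.append(("C>", line))
        if in_data:
            # Body lines are content, even one that spells an SMTP verb; only '.' ends it.
            reply = server.handle(line)
            if line == ".":
                in_data = False
            if reply is not None:
                transcript.append(("S<", reply))
            continue
        verb = line.split(" ", 1)[0].upper()
        if verb not in ALLOWED:
            transcript.append(("F<", GUARD_REPLY))
            continue
        reply = server.handle(line)
        # Enter body mode only if the server accepted DATA; after a 503 the next line is a command.
        if verb == "DATA" and reply.startswith("354"):
            in_data = True
        transcript.append(("S<", reply))
    return transcript


CLIENT = [                        # constructed session from an outside client
    "EHLO probe.example",         # ESMTP greeting: not one of the seven, blocked
    "HELO probe.example",
    "VRFY root",                  # account enumeration: blocked
    "EXPN staff",                 # list expansion: blocked
    "MAIL FROM:<a@probe.example>",
    "RCPT TO:<bob@inside.example>",
    "DATA",
    "Subject: hi",
    "",
    "VRFY root",                  # looks like a command but is message body: passes
    ".",
    "HELP",                       # blocked
    "QUIT",
]


def demo() -> Tuple[List[Tuple[str, str]], ToyInsideServer]:
    server = ToyInsideServer()
    return mail_guard(CLIENT, server), server
```

In the constructed session the guard answers EHLO, VRFY, EXPN and HELP itself, the inside server never sees them, and the "VRFY root" inside the message body is delivered as ordinary text. The second check in the test below shows the other edge: when DATA is refused with 503, the guard stays in command mode and the line that follows is still filtered.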
Part 2 of this chapter will cover Cisco Secure Private Internet Exchange (PIX) Firewall configuration.