© 2003, Cisco Systems, Inc. All rights reserved. FNS 1.0—12-1 1 © 2003, Cisco Systems, Inc. All rights reserved.



Module 12

PIX Advanced Protocols and Intrusion Detection


Learning Objectives

Upon completion of this chapter, you will be able to perform the following tasks:

• Describe the fixup protocol command.

• Describe the need for advanced protocol handling.

• Describe how the PIX Firewall handles FTP, rsh, and SQL*Net traffic.

• Configure FTP, rsh, and SQL*Net Fixup protocols.

• Describe the issues with multimedia applications.

• Describe how the PIX Firewall handles RTSP and H.323 multimedia protocols.

• Configure RTSP and H.323 fixup protocols.

• Describe how the PIX Firewall supports call handling sessions and VoIP call signaling.


Learning Objectives (cont.)

Upon completion of this chapter, you will be able to perform the following tasks:

• Name, describe, and configure the attack guards in the PIX Firewall.

• Define intrusion detection.

• Describe signatures.

• Name and identify signature classes supported by the PIX Firewall.

• Configure the PIX Firewall to use IDS signatures.

• Configure the PIX Firewall to shun.

• Configure the PIX Firewall to send Syslog messages to a Syslog server.


Overview

This module introduces students to the PIX Firewall advanced protocol recognition and Intrusion Detection System (IDS) capabilities. The module begins with advanced protocol handling and how it can be tuned to the PIX Firewall's operation through a series of fixup commands. It then discusses the advanced protocols used for multimedia support, including real-time streaming protocols. Finally, intrusion detection is covered: the system of intrusion detection signatures is examined, and the methods of configuring it on the PIX Firewall are explained.


Key terms

• SIP

• SQL

• Skinny

• RSH

• H.323

• RTSP

• Standard Mode FTP

• Passive Mode FTP

• DNS Guard

• Mail Guard

• Syslog

• SNMP


Advanced Protocols


Need for Advanced Protocol Handling

• Some popular protocols or applications behave as follows:

– Negotiate connections to dynamically assigned source or destination ports, or IP addresses.

– Embed source or destination port, or IP address information above the network layer.

• A good firewall has to inspect packets above the network layer and do the following as required by the protocol or application:

– Securely open and close negotiated ports or IP addresses for legitimate client-server connections through the firewall.

– Use NAT-relevant instances of IP addresses inside a packet.

– Use PAT-relevant instances of ports inside a packet.

– Inspect packets for signs of malicious application misuse.


fixup Command

pixfirewall(config)# fixup protocol ftp [strict] port [-port]

pixfirewall(config)# fixup protocol http port [-port]

pixfirewall(config)# fixup protocol h323 [h225 | ras] port [-port]

pixfirewall(config)# fixup protocol ils port [-port]

pixfirewall(config)# fixup protocol rsh port [-port]

pixfirewall(config)# fixup protocol rtsp port [-port]

pixfirewall(config)# fixup protocol sip port [-port]

pixfirewall(config)# fixup protocol skinny port [-port]

pixfirewall(config)# fixup protocol smtp port [-port]

pixfirewall(config)# fixup protocol sqlnet port [-port]

pixfirewall(config)# no fixup protocol protocol [port[-port]]

pixfirewall(config)# show fixup [protocol protocol]


Standard Mode FTP

• Standard mode FTP uses two channels:

– Client-initiated command connection (TCP).

– Server-initiated data connection (TCP).

• For outbound connections, the PIX Firewall handles standard mode FTP as follows:

– It opens a temporary inbound conduit for the data channel.

• For inbound connections, the PIX Firewall handles standard mode FTP as follows:

– If outbound traffic is allowed, no special handling is required.

– If outbound traffic is not allowed, it opens a temporary outbound conduit for the data channel.


Passive Mode FTP

• Passive mode FTP uses two channels:

– Client-initiated command connection (TCP).

– Client-initiated data connection (TCP).

• For outbound connections, the PIX Firewall handles passive mode FTP as follows:

– If outbound traffic is allowed, no special handling is required.

– If outbound traffic is not allowed, it opens an outbound port for the data channel.

• For inbound connections, the PIX Firewall opens an inbound port for the data channel.


FTP Fix-Up Configuration

• Defines ports for FTP connections (default = 21).

• Performs NAT in packet payload.

• Dynamically creates conduits for FTP-DATA connections.

• Logs FTP commands (when Syslog is enabled).

• When disabled:

– Outbound standard FTP will not work.

– Outbound passive FTP will work if not explicitly disallowed.

– Inbound standard FTP will work if conduit exists.

– Inbound passive FTP will not work.

pixfirewall(config)# fixup protocol ftp [strict] port [-port]

pixfirewall(config)# fixup protocol ftp 2021
pixfirewall(config)# no fixup protocol ftp 21
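The two FTP slides above describe what the FTP fixup has to do on the control channel: read the address and port the client advertises in a PORT command (standard mode) or the server advertises in a 227 reply (passive mode), rewrite that embedded address for NAT, and open a conduit for the data channel. The following Python model is an added example, not code from the PIX Firewall or from Cisco; the NAT table, the host addresses and the sample lines are constructed, and the pinhole dictionary is simply this model's way of recording what the firewall would open.

```python
import re

# Constructed NAT table for the example: inside (real) address -> global (mapped) address.
# Mirrors the "static (inside,outside) 192.168.0.10 10.0.0.11" form used elsewhere in this module.
NAT_TABLE = {"10.0.0.11": "192.168.0.10"}

# RFC 959 address form h1,h2,h3,h4,p1,p2 in a client PORT command and in a server 227 reply.
PORT_RE = re.compile(r"^PORT (\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\s*$", re.IGNORECASE)
PASV_RE = re.compile(r"^227 .*?\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")


def decode_hostport(fields):
    """Turn the six h1..p2 fields into (ip, port); None if any field is out of range."""
    nums = [int(f) for f in fields]
    if any(n > 255 for n in nums):
        return None
    return ".".join(str(n) for n in nums[:4]), nums[4] * 256 + nums[5]


def encode_hostport(ip, port):
    """Inverse of decode_hostport, used to rewrite the payload after NAT."""
    return ",".join(ip.split(".") + [str(port // 256), str(port % 256)])


def inspect_ftp_line(line, direction, nat=NAT_TABLE):
    """Inspect one line of the FTP control channel.

    direction is "client" (a command) or "server" (a reply).  Returns
    (line_to_forward, pinhole): the line with any embedded inside address
    rewritten to its global address, and a dict describing the TCP data
    channel the firewall must open dynamically (None if the line carries
    no address).  (None, None) means the line is malformed and is dropped.
    """
    if direction == "client":
        m, mode = PORT_RE.match(line), "standard"   # server will connect back to this address
    elif direction == "server":
        m, mode = PASV_RE.match(line), "passive"    # client will connect out to this address
    else:
        raise ValueError("direction must be 'client' or 'server'")
    if not m:
        return line, None                           # e.g. USER, RETR, 220 banner: nothing to do
    hp = decode_hostport(m.groups())
    if hp is None:
        return None, None                           # octet or port byte above 255: drop it
    real_ip, port = hp
    global_ip = nat.get(real_ip, real_ip)           # NAT the address carried in the payload
    pinhole = {"mode": mode, "proto": "tcp", "real": real_ip, "global": global_ip, "port": port}
    rewritten = line.replace(encode_hostport(real_ip, port), encode_hostport(global_ip, port))
    return rewritten, pinhole
```

The same function serves both directions of both modes: for an outbound standard-mode session the PORT command from the inside client is rewritten and an inbound conduit to the client's data port is recorded; for an inbound passive-mode session the 227 reply from the inside server is rewritten the same way. A line whose address fields do not fit in a byte is dropped rather than forwarded, which is the check a payload-rewriting inspector must make before it trusts the values it parsed.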


Remote Shell

• Remote shell uses two channels:

– Client-initiated command connection (TCP).

– Server-initiated standard error connection (TCP).

• For outbound connections, the PIX Firewall opens an inbound port for standard error output.

• For inbound connections, the PIX Firewall handles remote shell as follows:

– If outbound traffic is allowed, no special handling is required.

– If outbound traffic is not allowed, it opens the outbound port for standard error output.


Rsh Fixup Configuration

• Defines ports for rsh connections (default = 514).

• Dynamically opens a port for rsh standard error connections.

• If disabled:

– Outbound rsh will not work.

– Inbound rsh will work if conduit exists.

pixfirewall(config)# fixup protocol rsh port [-port]

pixfirewall(config)# fixup protocol rsh 1540
pixfirewall(config)# no fixup protocol rsh


SQL*Net

• Initially the client connects to a well known port on the server.

• The server may assign another port or another host to serve the client.

• For outbound connections, the PIX Firewall handles SQL*Net connections as follows:

– If outbound traffic is allowed, no special handling is required.

– If outbound traffic is not allowed, it opens an outbound port for a redirected channel.

• For inbound connections, the PIX Firewall opens an inbound port for a redirected channel.


SQL*Net Fixup Configuration

• Defines ports for SQL*Net connections (default = 1521):

– Performs NAT in packet payload.

– Dynamically opens TCP port redirected client connection.

– Port 1521 is the default port used by Oracle—IANA-compliant applications use port 66.

• If disabled:

– Outbound SQL*Net is allowed if not explicitly disallowed.

– Inbound SQL*Net is disallowed.

pixfirewall(config)# fixup protocol sqlnet port [-port]

pixfirewall(config)# fixup protocol sqlnet 66
pixfirewall(config)# fixup protocol sqlnet 6666-6686
pixfirewall(config)# no fixup protocol sqlnet


SIP Fixup Configuration

• Enables SIP.

• Default port = 5060.

• Enables the PIX Firewall to support any SIP VoIP gateways and VoIP proxies.

• SIP is enabled on port 5060.

pixfirewall(config)# fixup protocol sip port [-port]

pixfirewall(config)# fixup protocol sip 5060


Skinny

• Used by Cisco IP phones for VoIP call signaling

• Supported in software versions 6.0 and higher

• The Skinny fixup works by dynamically opening pinholes for media sessions and by performing Network Address Translation (NAT) on the IP addresses embedded in SCCP messages.

• SCCP supports IP telephony and can coexist in an H.323 environment. Application-layer inspection ensures that all SCCP signaling and media packets can traverse the PIX Firewall and interoperate with H.323 terminals.

• An IP phone and a Cisco CallManager can now be placed on separate sides of the PIX Firewall.


Skinny Fixup Configuration

• Enables the SCCP (skinny) protocol.

• Dynamically opens pinholes for media sessions and NAT-embedded IP addresses.

• Supports IP telephony.

• Can coexist in an H.323 environment.

• Default port is 2000.

• Skinny is enabled on port 2000.

pixfirewall(config)# fixup protocol skinny port [-port]

pixfirewall(config)# fixup protocol skinny 2000


Multimedia Support


Why Multimedia Is an Issue

• Multimedia applications behave in unique ways:

– Use dynamic ports.

– Transmit a request using TCP and get responses in UDP or TCP.

– Use the same port for source and destination.

• The PIX Firewall:

– Dynamically opens and closes conduits for secure multimedia connections.

– Supports multimedia with or without NAT.


Real-Time Streaming Protocol

• RTSP, a real-time audio and video delivery protocol, uses one TCP and two UDP channels.

• Transport options:

– Real-Time Transport Protocol (RTP).

– Real Data Transport Protocol (RDT).

• Sync or resend channel:

– Real-Time Control Protocol (RTCP).

– UDP resend.

• RTSP-TCP-only mode does not require special handling by the PIX Firewall.

• Supported applications:

– Cisco IP/TV.

– Apple QuickTime 4.

– RealNetworks:

• RealAudio.

• RealPlayer.

• RealServer.

• RDT Multicast is not supported.


Standard RTP Mode

• In standard RTP mode, RTSP uses the following three channels:

– Control connection (TCP).

– RTP data (simplex UDP).

– RTCP reports (duplex UDP).

• For outbound connections, the PIX Firewall opens inbound ports for RTP data and RTCP reports.

• For inbound connections, the PIX Firewall handles standard RTP mode as follows:

– If outbound traffic is allowed, no special handling is required.

– If outbound traffic is not allowed, it opens outbound ports for RTP and RTCP.


RealNetworks’ RDT Mode

• In RealNetworks’ RDT mode, RTSP uses the following three channels:

– Control connection (TCP).

– UDP data (simplex UDP).

– UDP resend (simplex UDP).

• For outbound connections, the PIX Firewall handles RealNetworks’ RDT mode as follows:

– If outbound traffic is allowed, it opens an inbound port for UDP data.

– If outbound traffic is not allowed, it opens an inbound port for UDP data and an outbound port for UDP resend.

• For inbound connections, the PIX Firewall handles RealNetworks’ RDT mode as follows:

– If outbound traffic is allowed, it opens an inbound port for UDP resend.

– If outbound traffic is not allowed, it opens an outbound port for UDP data and an inbound port for UDP resend.


RTSP Fixup Configuration

• Defines ports for RTSP connections:

– No RTSP fixup is enabled by default (RFC 2326 port is 554).

– RTSP dynamically opens UDP connections as required by the RTSP transport.

– PAT and dual NAT are not currently supported.

• If disabled:

– UDP transport modes are disallowed.

– TCP transport modes are allowed (TCP connection rules apply).

pixfirewall(config)# fixup protocol rtsp port [-port]

pixfirewall(config)# fixup protocol rtsp 554
pixfirewall(config)# no fixup protocol rtsp
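The Standard RTP Mode slide lists the three channels RTSP uses (TCP control, simplex UDP for RTP data, duplex UDP for RTCP reports); the RTSP fixup learns the UDP ports from the Transport header negotiated during SETUP and opens them as required. The following Python model is an added example, not code from the PIX Firewall or from Cisco: it parses the Transport header value of the server's SETUP reply (RFC 2326 syntax) and lists the UDP pinholes for standard RTP mode. RealNetworks' RDT mode uses a different transport string and is not modeled here; the addresses and header values are constructed.

```python
def parse_transport(header):
    """Parse an RTSP Transport header value into {parameter: value}; bare flags map to True."""
    parts = [p.strip() for p in header.split(";")]
    params = {"profile": parts[0]}
    for p in parts[1:]:
        key, _, val = p.partition("=")
        params[key] = val if val else True
    return params


def port_range(spec):
    """'3056-3057' -> (3056, 3057); a single port stands for both RTP and RTCP."""
    lo, _, hi = spec.partition("-")
    return int(lo), (int(hi) if hi else int(lo))


def rtsp_pinholes(server_reply_transport, client_ip, server_ip):
    """UDP pinholes the firewall must open for one SETUP exchange in standard RTP mode.

    Returns a list of (proto, src, sport, dst, dport, direction).  RTP data is
    simplex server->client; RTCP is duplex, so it needs a pinhole in each direction.
    """
    t = parse_transport(server_reply_transport)
    profile = t["profile"].upper()
    if "/TCP" in profile or not profile.startswith("RTP/AVP") or "unicast" not in t:
        return []   # interleaved (TCP-only) or multicast: no UDP pinholes in this model
    if "client_port" not in t or "server_port" not in t:
        return []   # malformed reply: open nothing rather than guess
    c_rtp, c_rtcp = port_range(t["client_port"])
    s_rtp, s_rtcp = port_range(t["server_port"])
    return [
        ("udp", server_ip, s_rtp, client_ip, c_rtp, "server->client"),    # RTP data (simplex)
        ("udp", server_ip, s_rtcp, client_ip, c_rtcp, "server->client"),  # RTCP reports
        ("udp", client_ip, c_rtcp, server_ip, s_rtcp, "client->server"),  # RTCP reports (duplex)
    ]
```

The TCP-only (interleaved) case returns an empty list, matching the slide's statement that RTSP-TCP-only mode needs no special handling; when the fixup is disabled, the UDP modes fail precisely because nobody opens these three pinholes.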


H.323

• H.323, a real-time multimedia communications delivery specification, uses two TCP and several UDP sessions for a single “call”.

• H.323 protocols and standards:

– H.225—Registration, Admission, and Status (RAS).

– H.225—Call Signaling.

– H.245—Control Signaling.

– TPKT Header.

– Q.931 Messages.

– Abstract Syntax Notation (ASN.1) (PIX Firewall 5.2).

• Supported H.323 versions:

– H.323 v1.

– H.323 v2 (software versions 5.2 and higher).

• Supported applications:

– Cisco Multimedia Conference Manager.

– Microsoft NetMeeting.

– Intel Video Phone.

– CUseeMe Networks:

• MeetingPoint.

• CUseeMe Pro.

– VocalTec:

• Internet Phone.

• Gatekeeper.


Configuring H.323 Fixup

• Defines ports for H.323 connections (default = 1720).

• Performs NAT in H.323 messages as required.

• Dynamically opens TCP and UDP connections as required.

• Supports PAT.

• If disabled, H.323 applications are disallowed.

pixfirewall(config)# fixup protocol h323 [h225 | ras] port [-port]

pixfirewall(config)# fixup protocol h323 1720
pixfirewall(config)# fixup protocol h323 7720-7740
pixfirewall(config)# no fixup protocol h323


Cisco IP Phones and the PIX Firewall’s DHCP Server

• Cisco IP phones:

– Download their configurations from a TFTP server.

– Request an IP address and the IP address of a TFTP server from a DHCP server.

• The PIX Firewall:

– Supports DHCP option 150 for providing the IP addresses of a list of TFTP servers.

– Supports DHCP option 66 for providing the IP address of a single TFTP server.


Attack Guards


Mail Guard

• Provides a safe conduit for Simple Mail Transfer Protocol (SMTP) connections from the outside to an inside e-mail server

• Enables administrators to deploy a mail server within the internal network, without it being exposed to known security problems that exist within some mail server implementations

• Only the SMTP commands specified in RFC 821 section 4.5.1 are allowed to a mail server

• By default, the Cisco Secure PIX Firewall inspects port 25 connections for SMTP traffic

• SMTP servers using ports other than port 25 must use the fixup protocol smtp command

• The following are the commands allowed for a mail server:

– HELO

– MAIL

– RCPT

– DATA

– RSET

– NOOP

– QUIT


Mail Guard

pixfirewall(config)# fixup protocol smtp port [-port]

pixfirewall(config)# fixup protocol smtp 2525
pixfirewall(config)# fixup protocol smtp 2625-2635
pixfirewall(config)# no fixup protocol smtp 25

• Defines ports on which to activate Mail Guard (default = 25).

• Only allows RFC 821, section 4.5.1 commands: HELO, MAIL, RCPT, DATA, RSET, NOOP, and QUIT.

• If disabled, all SMTP commands are allowed through the firewall, and potential mail server vulnerabilities are exposed.
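The Mail Guard slides reduce to one rule: on the SMTP port, only the seven RFC 821 section 4.5.1 commands reach the inside mail server. The following Python model is an added example, not the PIX Firewall's implementation: it applies that allow-list to the client side of a session while treating the message body after DATA as payload rather than commands, and it answers a disallowed command with a 500 reply (the reply text is this model's choice). The transcript is constructed.

```python
# The RFC 821 section 4.5.1 minimum command set that Mail Guard lets through.
ALLOWED_SMTP_COMMANDS = {"HELO", "MAIL", "RCPT", "DATA", "RSET", "NOOP", "QUIT"}


class MailGuardModel:
    """Stateful filter over the client side of one SMTP session.

    Lines inside the message body (between DATA and the lone "." terminator) are
    payload, not commands, so they are forwarded unchecked.  Anything else must
    begin with an allowed verb or it is answered with a 500 reply instead of
    reaching the inside mail server.  The 500 reply is this model's choice.
    """

    def __init__(self, allowed=ALLOWED_SMTP_COMMANDS):
        self.allowed = {v.upper() for v in allowed}
        self.in_data = False

    def inspect(self, line):
        """Returns ("forward", line) or ("reject", reply_sent_to_client)."""
        if self.in_data:
            if line.rstrip("\r\n") == ".":
                self.in_data = False            # end of message body: back to command mode
            return "forward", line
        words = line.split()
        verb = words[0].upper() if words else ""
        if verb not in self.allowed:
            return "reject", "500 Command not allowed\r\n"
        if verb == "DATA":
            self.in_data = True
        return "forward", line


def filter_session(client_lines):
    """Run a whole client transcript through the guard; returns the per-line decisions."""
    guard = MailGuardModel()
    return [guard.inspect(line) for line in client_lines]


# Constructed client transcript: a plain SMTP session with an ESMTP greeting and two
# address-probing commands (VRFY, EXPN) mixed in; the EXPN inside the body is data, not a command.
SAMPLE_CLIENT_LINES = [
    "EHLO mx.example.test\r\n",
    "HELO mx.example.test\r\n",
    "VRFY root\r\n",
    "MAIL FROM:<alice@example.test>\r\n",
    "RCPT TO:<bob@example.test>\r\n",
    "DATA\r\n",
    "Subject: hello\r\n",
    "EXPN staff\r\n",
    ".\r\n",
    "QUIT\r\n",
]
```

Because EHLO is not in the RFC 821 set, the model rejects it just as it rejects VRFY and EXPN; a client that wants to talk through such a guard has to fall back to HELO, which is the trade-off the slide's "If disabled" bullet is weighing against exposing the server's full command set.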


DNS Guard

• DNS Guard is always on.

• After the client does a DNS request, a dynamic conduit allows UDP packets to return from the DNS server. The default UDP timer expires in two minutes.

• The DNS server response is recognized by the firewall, which closes the dynamic UDP conduit immediately. The PIX Firewall does not wait for the UDP timer to expire.


FragGuard and Virtual Re-assembly

The FragGuard and Virtual Re-assembly feature has the following characteristics:

• Is on by default.

• Verifies each fragment set for integrity and completeness.

• Tags each fragment in a fragment set with the transport header.

• Performs full reassembly of all ICMP error messages and virtual reassembly of the remaining IP fragments that are routed through the PIX Firewall.

• Uses Syslog to log fragment overlapping and small fragment offset anomalies.


fragment Command

pixfirewall(config)# fragment size database-limit [interface]

• Sets the maximum number of packets in the fragment database.

pixfirewall(config)# fragment chain chain-limit [interface]

• Specifies the maximum number of packets into which a full IP packet can be fragmented.

pixfirewall(config)# fragment timeout seconds [interface]

• Specifies the maximum number of seconds that the PIX Firewall waits before discarding a packet that is waiting to be reassembled.

pixfirewall(config)# fragment size 1
pixfirewall(config)# fragment chain 1
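The FragGuard slide says the feature checks each fragment set for integrity and completeness and logs overlapping fragments and small fragment offsets, and the fragment command slide gives the three knobs (database size, chain length, timeout) that bound the state this costs. The following Python model is an added example, not code from the PIX Firewall or from Cisco: a virtual-reassembly table that applies those three limits and the two anomaly checks to fragments described by their IP identification, byte offset, length and More Fragments flag. The small-offset threshold and all sample fragments are constructed.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Fragment:
    ident: int     # IP identification field shared by all fragments of one datagram
    offset: int    # byte offset of this fragment's payload within the original datagram
    length: int    # payload bytes carried by this fragment
    more: bool     # IP "More Fragments" flag


class FragmentGuardModel:
    # Assumed threshold: a non-first fragment whose offset is below this cannot sit after a
    # complete TCP/UDP header, so it is treated as a small-fragment-offset anomaly.
    MIN_NONFIRST_OFFSET = 16

    def __init__(self, size=200, chain=24, timeout=5):
        self.size, self.chain, self.timeout = size, chain, timeout   # the fragment command's knobs
        self.sets = {}     # ident -> {"frags": [Fragment], "first_seen": seconds}
        self.log = []      # (event, ident) tuples standing in for Syslog messages

    def _stored(self):
        return sum(len(s["frags"]) for s in self.sets.values())

    def _discard(self, ident, event):
        self.sets.pop(ident, None)
        self.log.append((event, ident))

    def expire(self, now):
        """Drop any fragment set that has waited longer than the timeout."""
        for ident in [i for i, s in self.sets.items() if now - s["first_seen"] > self.timeout]:
            self._discard(ident, "timeout")

    @staticmethod
    def _complete(frags):
        """True when the set starts at offset 0, ends with MF=0 and has no gaps."""
        frags = sorted(frags, key=lambda f: f.offset)
        if frags[0].offset != 0 or frags[-1].more:
            return False
        return all(a.offset + a.length == b.offset for a, b in zip(frags, frags[1:]))

    def accept(self, frag, now=0.0):
        """'pass' once a consistent, complete set is seen; 'hold' while waiting; 'drop' on rejection."""
        self.expire(now)
        if 0 < frag.offset < self.MIN_NONFIRST_OFFSET:
            self.log.append(("small-offset", frag.ident))
            return "drop"
        if self._stored() >= self.size:
            self.log.append(("database-full", frag.ident))   # fragment size limit reached
            return "drop"
        entry = self.sets.setdefault(frag.ident, {"frags": [], "first_seen": now})
        for f in entry["frags"]:
            if frag.offset < f.offset + f.length and f.offset < frag.offset + frag.length:
                self._discard(frag.ident, "overlap")        # overlapping fragment: whole set goes
                return "drop"
        if len(entry["frags"]) >= self.chain:
            self._discard(frag.ident, "chain-limit")        # more pieces than fragment chain allows
            return "drop"
        entry["frags"].append(frag)
        if self._complete(entry["frags"]):
            del self.sets[frag.ident]
            return "pass"
        return "hold"
```

A set is only released once it is complete and free of overlaps, so the firewall never forwards pieces whose reassembled form it has not been able to validate; the database and chain limits keep a flood of never-completed sets from exhausting the table, and the timeout reclaims the rest.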


AAA Flood Guard

pixfirewall(config)# floodguard enable | disable

pixfirewall(config)# floodguard enable

• Reclaims attacked or overused AAA resources to help prevent DoS attacks on AAA services (default = enabled).


SYN Flood Attack

• The attacker spoofs a nonexistent source IP address and floods the target with SYN packets.

• The target responds to the SYN packets by sending SYN-ACK packets to the spoofed hosts.

• The target overflows its port buffer with embryonic connections and stops responding to legitimate requests.


SYN Flood Guard Configuration

• For inbound connections:

– Use the em_limit to limit the number of embryonic connections.

– Set the limit to a number lower than the server can handle.

• For outbound connections:

– Use the em_limit to limit the number of embryonic connections.

– Set the limit to a number lower than the server can handle.

pixfirewall(config)# nat [(if-name)] id address [netmask [outside] [dns] [norandomseq] [timeout hh:mm:ss] [conn_limit [em_limit]]]

pixfirewall(config)# static [(prenat_interface, postnat_interface)] mapped_address | interface real_address [dns] [netmask mask] [norandomseq] [connection_limit [em_limit]]

pixfirewall(config)# nat (inside) 1 0 0 0 10000
pixfirewall(config)# static (inside,outside) 192.168.0.11 172.16.0.2 0 1000


TCP Intercept

pixfirewall(config)# static (inside,outside) 192.168.0.10 10.0.0.11 netmask 255.255.255.255 1000 100
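The SYN Flood Attack, SYN Flood Guard Configuration and TCP Intercept slides together describe the mechanism: the em_limit on a nat or static entry caps the number of embryonic (half-open) connections the protected server is asked to hold, and once the cap is reached the PIX Firewall intercepts further SYNs, completing the handshake itself and only opening a connection to the server for clients that actually finish it. The following Python model is an added example, not code from the PIX Firewall or from Cisco; the connection table, the source addresses and the flood scenario are constructed.

```python
class EmbryonicLimitModel:
    """Model of one static/nat translation carrying conn_limit and em_limit (constructed)."""

    def __init__(self, conn_limit=0, em_limit=0):
        self.conn_limit = conn_limit      # 0 means unlimited, as in the nat/static syntax
        self.em_limit = em_limit
        self.embryonic = set()            # SYN forwarded to the server, handshake not finished
        self.intercepted = set()          # SYN answered by the firewall on the server's behalf
        self.established = set()
        self.server_syn_seen = 0          # how many SYNs the protected server actually received

    def _total(self):
        return len(self.embryonic) + len(self.established)

    def syn(self, client):
        """A SYN from `client` arrives for the translated address."""
        if client in self.embryonic or client in self.intercepted or client in self.established:
            return "duplicate"
        if self.conn_limit and self._total() >= self.conn_limit:
            return "drop"                 # hard connection limit reached
        if self.em_limit and len(self.embryonic) >= self.em_limit:
            # Limit reached: the firewall completes the handshake itself (TCP intercept), so a
            # spoofed source that never answers the SYN-ACK costs the server nothing.
            self.intercepted.add(client)
            return "intercept"
        self.embryonic.add(client)
        self.server_syn_seen += 1
        return "forward"

    def ack(self, client):
        """The client's final handshake ACK arrives."""
        if client in self.intercepted:
            self.intercepted.discard(client)
            self.established.add(client)
            self.server_syn_seen += 1     # only now does the firewall open the connection to the server
            return "established-via-intercept"
        if client in self.embryonic:
            self.embryonic.discard(client)
            self.established.add(client)
            return "established"
        return "no-state"

    def expire(self, client):
        """An embryonic or intercepted handshake that never completed times out."""
        self.embryonic.discard(client)
        self.intercepted.discard(client)


def simulate_flood(em_limit, spoofed_sources, legit_client):
    """Constructed scenario: spoofed SYNs that are never acknowledged, then a real client.

    Returns the per-event outcome and how many SYNs reached the server.
    """
    m = EmbryonicLimitModel(conn_limit=1000, em_limit=em_limit)
    results = [m.syn(src) for src in spoofed_sources]
    results.append(m.syn(legit_client))
    results.append(m.ack(legit_client))
    return results, m.server_syn_seen
```

With em_limit set below what the server can absorb, the server sees at most em_limit half-open connections plus one per client that really completes the handshake, which is the point of the slide's advice to set the limit lower than the server can handle; with em_limit left at 0 every spoofed SYN is forwarded and the server's backlog fills.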


Intrusion Detection


Intrusion Detection

• Ability to detect attacks against networks

• Three types of network attacks:

– Reconnaissance

– Access

– Denial of service


Signatures

A signature is a set of rules pertaining to typical intrusion activity that, when matched, generates a unique response. The following signature classes are supported by the PIX Firewall:

• Informational—Triggers on normal network activity that in itself is not considered to be malicious, but can be used to determine the validity of an attack or for forensic purposes.

• Attack—Triggers on an activity known to be, or that could lead to, unauthorized data retrieval, system access, or privilege escalation.


Intrusion Detection in the PIX Firewall


Configure IDS

pixfirewall(config)# ip audit name audit_name info [action [alarm] [drop] [reset]]

• Creates a policy for informational signatures.

pixfirewall(config)# ip audit name audit_name attack [action [alarm] [drop] [reset]]

• Creates a policy for attack signatures.

pixfirewall(config)# ip audit interface if_name audit_name

• Applies a policy to an interface.

pixfirewall(config)# ip audit name ATTACKPOLICY attack action alarm reset
pixfirewall(config)# ip audit interface outside ATTACKPOLICY

• When the PIX Firewall detects an attack signature on its outside interface, it reports an event to all configured Syslog servers, drops the offending packet, and closes the connection if it is part of an active connection.


Specify Default Actions for Signatures

pixfirewall(config)# ip audit attack [action [alarm] [drop] [reset]]

• Specifies the default actions for attack signatures.

pixfirewall(config)# ip audit info [action [alarm] [drop] [reset]]

• Specifies the default actions for informational signatures.

pixfirewall(config)# ip audit info action alarm drop

• When the PIX Firewall detects an info signature, it reports an event to all configured Syslog servers and drops the offending packet.


Disable Intrusion Detection Signatures

pixfirewall(config)# ip audit signature signature_number disable

• Excludes a signature from auditing.

pixfirewall(config)# ip audit signature 6102 disable

• Disables signature 6102.


Shunning


shun Command

• Applies a blocking function to an interface under attack.

pixfirewall(config)# shun src_ip [dst_ip sport dport [protocol]]

pixfirewall(config)# shun 172.26.26.45

• No further traffic from 172.26.26.45 is allowed.


Shunning an Attacker

pixfirewall(config)# shun 172.26.26.45 192.168.0.10 4000 53
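The Configure IDS, Specify Default Actions, Disable Intrusion Detection Signatures and shun slides describe one decision path for a packet: a shunned source is dropped outright; otherwise, if a signature matches and is not disabled, the actions come from the policy applied to the arriving interface for that signature class, or from the class defaults when no policy is applied. The following Python model is an added example, not code from the PIX Firewall or from Cisco, and it reproduces the slides' own configuration (ATTACKPOLICY with alarm and reset on outside, info defaults of alarm and drop, signature 6102 disabled, 172.26.26.45 shunned). The class defaults before any ip audit command, the treatment of shun's optional connection tuple, and every signature number other than 6102 are assumptions or placeholders.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    interface: str   # interface the packet arrives on, e.g. "outside"
    src: str
    dst: str
    sport: int
    dport: int
    proto: str = "tcp"


class PixIdsModel:
    """Constructed model of ip audit policies, signature disabling and shun."""

    def __init__(self):
        # Assumed: with no policy applied, both signature classes only raise an alarm.
        self.defaults = {"info": {"alarm"}, "attack": {"alarm"}}
        self.policies = {}      # audit_name -> (signature class, set of actions)
        self.interfaces = {}    # if_name -> {signature class: audit_name}
        self.disabled = set()   # signature numbers excluded from auditing
        self.shun_table = {}    # src_ip -> optional (dst_ip, sport, dport, protocol)
        self.syslog = []        # messages that would go to the configured Syslog servers

    # --- configuration, one method per command on the slides ---
    def ip_audit_name(self, audit_name, sig_class, actions):
        self.policies[audit_name] = (sig_class, set(actions))

    def ip_audit_default(self, sig_class, actions):
        self.defaults[sig_class] = set(actions)

    def ip_audit_interface(self, if_name, audit_name):
        sig_class, _ = self.policies[audit_name]
        self.interfaces.setdefault(if_name, {})[sig_class] = audit_name

    def ip_audit_signature_disable(self, sig_number):
        self.disabled.add(sig_number)

    def shun(self, src_ip, dst_ip=None, sport=None, dport=None, protocol="tcp"):
        # Assumed: the optional tuple names the existing connection to tear down;
        # the block itself is keyed on the source address alone.
        self.shun_table[src_ip] = (dst_ip, sport, dport, protocol) if dst_ip else None

    # --- packet handling ---
    def _actions_for(self, if_name, sig_class):
        audit_name = self.interfaces.get(if_name, {}).get(sig_class)
        return self.defaults[sig_class] if audit_name is None else self.policies[audit_name][1]

    def handle(self, pkt, sig_number=None, sig_class=None):
        """Returns the actions applied to one packet, in the order alarm, drop, reset."""
        if pkt.src in self.shun_table:
            self.syslog.append(f"shun: dropped {pkt.proto} {pkt.src}:{pkt.sport} -> {pkt.dst}:{pkt.dport}")
            return ["drop"]
        if sig_number is None or sig_number in self.disabled:
            return ["forward"]                         # no signature matched, or it is excluded
        actions = self._actions_for(pkt.interface, sig_class)
        taken = []
        if "alarm" in actions:
            self.syslog.append(f"IDS:{sig_number} {sig_class} signature from {pkt.src} on {pkt.interface}")
            taken.append("alarm")
        if "drop" in actions:
            taken.append("drop")
        if "reset" in actions and pkt.proto == "tcp":  # a reset only makes sense for TCP
            taken.append("reset")
        return taken or ["forward"]


def configured_from_slides():
    """The configuration shown on this module's slides, entered through the model."""
    m = PixIdsModel()
    m.ip_audit_name("ATTACKPOLICY", "attack", ["alarm", "reset"])
    m.ip_audit_interface("outside", "ATTACKPOLICY")
    m.ip_audit_default("info", ["alarm", "drop"])
    m.ip_audit_signature_disable(6102)
    m.shun("172.26.26.45", "192.168.0.10", 4000, 53)
    return m
```

Because the policy is keyed by interface and class, an attack signature seen on the inside interface still falls back to the class default rather than inheriting the outside policy; that is why each interface that should drop or reset needs its own ip audit interface line.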


Syslog Configuration


Configure Syslog Output to a Syslog Server


Syslog Messages

The PIX Firewall sends Syslog messages to document the following events:

• Security

• Resources

• System

• Accounting


Configure Message Output to the PIX Firewall Buffer

pixfirewall(config)# logging on

• Enables logging.

pixfirewall(config)# logging buffered level

• Sends Syslog messages to an internal buffer.

pixfirewall(config)# logging message syslog_id

• Enables a specific Syslog message.

pixfirewall(config)# clear logging

• Clears the internal buffer.

pixfirewall(config)# show logging

• Displays messages from the internal buffer.

pixfirewall(config)# logging standby

• Allows a standby unit to send Syslog messages.


Configure Message Output to a Syslog Server

pixfirewall(config)# logging host [in_if_name] ip_address [protocol/port]

• Designates the Syslog host server.

pixfirewall(config)# logging trap level

• Sets the logging level.

pixfirewall(config)# logging on

• Enables logging.


Configure Message Output to a Syslog Server (cont.)

pixfirewall(config)# logging facility facility

• Sets the facility marked on all messages.

pixfirewall(config)# logging timestamp

• Starts and stops sending timestamped messages.


SNMP


SNMP Overview

• SNMP facilitates the exchange of management information between network devices

• Devices managed by SNMP send information to a management server from which an administrator manages and monitors the device

• SNMP can be used to monitor system events on the PIX Firewall.

• For security reasons, information on the PIX Firewall cannot be changed with SNMP.

• SNMP can be enabled through the PIX Firewall so that any device can be managed and monitored by a management server on a PIX Firewall interface other than the one on which it resides.

• SNMP is a request and response protocol. The following SNMP operations rely on Management Information Bases (MIBs).


MIB Support

The Cisco Firewall MIB, Cisco Memory Pool MIB, and Cisco Process MIB provide the following PIX Firewall information through SNMP:

• Buffer use from the show block command.

• Connection count from the show conn command.

• CPU use through the show cpu usage command.

• Failover status.

• Memory use from the show memory command.

Page 58

SNMP to the PIX Firewall

pixfirewall(config)# snmp-server host [if_name] ip_addr [trap | poll]

• Identifies the management station.

pixfirewall(config)# snmp-server community key

• Configures the SNMP community string, a shared secret among the NMS and the managed devices.

pixfirewall(config)# snmp-server enable traps

• Enables sending log messages as SNMP trap notifications.

pixfirewall(config)# logging on

pixfirewall(config)# logging history debugging

pixfirewall(config)# snmp-server host inside 10.0.0.11

pixfirewall(config)# snmp-server community OURCOMMUNITY

pixfirewall(config)# snmp-server enable traps

Page 59

SNMP Through the PIX Firewall

pixfirewall(config)# static (inside,outside) 192.168.0.10 10.0.0.11 netmask 255.255.255.255

pixfirewall(config)# access-list TRAPSIN permit udp host 192.168.0.19 host 192.168.0.10 eq snmptrap

pixfirewall(config)# access-group TRAPSIN in interface outside

pixfirewall(config)# static (inside,outside) 192.168.0.10 10.0.0.11 netmask 255.255.255.255

pixfirewall(config)# access-list POLLIN permit udp host 192.168.0.19 host 192.168.0.10 eq snmp

pixfirewall(config)# access-group POLLIN in interface outside
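The slide shows the trap and the poll cases as two separate lists, each bound to the outside interface; since a PIX interface takes only one access-group, a list bound later replaces the earlier binding, so in practice both entries belong in one list. The following added example (not Cisco's code) models that behaviour: it parses the slide's access-list entries, applies the static translation of 192.168.0.10 to 10.0.0.11, and shows that a list holding only the trap entry does not admit polls. The evaluation logic is a deliberate simplification of the real ACL engine.

```python
"""Model of the 'SNMP Through the PIX Firewall' slide: static translation
plus inbound access-list decide whether outside host 192.168.0.19 reaches
inside host 10.0.0.11 (published as 192.168.0.10) on the SNMP ports."""
from dataclasses import dataclass

# PIX resolves these service keywords to UDP port numbers.
PORT_NAMES = {"snmp": 161, "snmptrap": 162}

# static (inside,outside) 192.168.0.10 10.0.0.11 : global -> real address.
STATICS = {"192.168.0.10": "10.0.0.11"}

# Access-list lines copied from the slide (constructed input for the model).
ACL_LINES = [
    "access-list TRAPSIN permit udp host 192.168.0.19 host 192.168.0.10 eq snmptrap",
    "access-list POLLIN permit udp host 192.168.0.19 host 192.168.0.10 eq snmp",
]


@dataclass(frozen=True)
class Ace:
    proto: str
    src: str
    dst: str
    port: int


def parse_acls(lines):
    """Group 'access-list NAME permit PROTO host SRC host DST eq PORT' by name."""
    acls = {}
    for line in lines:
        t = line.split()
        shape_ok = (t[:1] == ["access-list"] and t[2] == "permit"
                    and (t[4], t[6], t[8]) == ("host", "host", "eq"))
        if not shape_ok:
            raise ValueError(f"unsupported entry: {line}")
        port = PORT_NAMES.get(t[9]) or int(t[9])
        acls.setdefault(t[1], []).append(Ace(t[3], t[5], t[7], port))
    return acls


def permitted(acl, proto, src, dst, port):
    """First-match lookup with the implicit deny at the end of every PIX list.
    Returns the real inside address the packet is delivered to, or None."""
    for ace in acl:
        if (ace.proto, ace.src, ace.dst, ace.port) == (proto, src, dst, port):
            return STATICS.get(dst)  # None if no static publishes dst
    return None


ACLS = parse_acls(ACL_LINES)
```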

Page 60

Summary

Page 61

Summary

• The fixup command enables you to view, change, enable, or disable the use of a service or protocol.

• The PIX Firewall uses special handling for the following advanced protocols: FTP, rsh, and SQL*Net.

• The PIX Firewall handles the following multimedia protocols: RTSP and H.323.

• The PIX Firewall’s SIP fixup supports call handling sessions.

• The PIX Firewall’s skinny fixup supports VoIP call signaling.

• You can change the port value for each protocol including the multimedia protocols; however, you should not change the port values for rsh and SIP.

Page 62

Summary (cont.)

• The PIX Firewall has the following attack guards to help protect systems from malicious attacks: Mail Guard, DNS Guard, Fragmentation Guard, AAA Flood Guard, and SYN Flood Defender.

• PIX Firewall software versions 5.2 and higher support intrusion detection.

• Intrusion detection is the ability to detect attacks against a network, including the following: reconnaissance, access, and DoS.

• The PIX Firewall supports signature-based intrusion detection.

Page 63

Summary (cont.)

• Each signature can generate a unique alarm and response.

• Informational signatures collect information to help determine the validity of an attack, or for forensics.

• Attack signatures trigger on activity known to be, or that could lead to, unauthorized data retrieval, system access, or privilege escalation.

• The PIX Firewall can be configured to shun the source addresses of attacking hosts.

• The PIX Firewall can send Syslog messages to a Syslog server.
