© 2004, Cisco Systems, Inc. All rights reserved. CSPFA 3.2—10-1 Lesson 10 Attack Guards, Intrusion Detection, and Shunning


Page 1

Lesson 10

Attack Guards, Intrusion Detection, and Shunning

Page 2

Objectives

Page 3

Objectives

Upon completion of this lesson, you will be able to perform the following tasks:

• Name, describe, and configure the attack guards in the PIX Firewall.
• Define intrusion detection.
• Describe signatures.
• Name and identify signature classes supported by the PIX Firewall.
• Configure the PIX Firewall to use IDS signatures.
• Configure the PIX Firewall to shun.

Page 4

Attack Guards

Page 5

Mail Guard

pixfirewall(config)# fixup protocol smtp port[-port]

pixfirewall(config)# fixup protocol smtp 2525

• Allows only the seven minimum commands: HELO, MAIL, RCPT, DATA, RSET, NOOP, and QUIT (RFC 821).
• Defines the ports on which to activate Mail Guard (default = 25).
• If disabled, all SMTP commands are allowed through the firewall, and potential mail server vulnerabilities are exposed.

Figure: SMTP from the Internet to the inside mail gateway; only RFC 821 commands pass the PIX Firewall.

Page 6

DNS Guard

Figure: a DNS query from client 10.0.0.2 to server 172.30.0.100, translated by the PIX Firewall to 192.168.0.10, and the reply that closes the pin hole.

  Packet                  Src IP          Dst IP          Src Pt  Dst Pt
  Query, inside           10.0.0.2        172.30.0.100    2543    53
  Query, outside (NAT)    192.168.0.10    172.30.0.100    2543    53
  Reply, outside          172.30.0.100    192.168.0.10    53      2543
  Reply, inside           172.30.0.100    10.0.0.2        53      2543

• DNS Guard is always on.
• After the client sends a DNS request, a dynamic pin hole allows UDP packets to return from the DNS server. The default UDP timer expires in two minutes.
• The DNS server response is recognized by the firewall, which closes the dynamic UDP pin hole immediately. The PIX Firewall does not wait for the UDP timer to expire.

Page 7

FragGuard and Virtual Reassembly

The FragGuard and Virtual Reassembly feature has the following characteristics:

• Is on by default.
• Verifies each fragment set for integrity and completeness.
• Tags each fragment in a fragment set with the transport header.
• Performs full reassembly of all ICMP error messages and virtual reassembly of the remaining IP fragments that are routed through the PIX Firewall.
• Uses Syslog to log fragment overlapping and small fragment offset anomalies.
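The integrity and completeness checks described above, as an added example that is not part of the Cisco course material: a fragment set is modelled as (offset, length, MF flag) tuples, and the function reports the overlap, gap, small-first-fragment and missing-final-fragment anomalies that a Syslog message would carry. The 16-byte first-fragment threshold and the Fragment type are assumptions of the example.

```python
from dataclasses import dataclass

# Assumed threshold for the example: the first fragment must carry at least this much
# payload so the transport header (ports, and for TCP the sequence number) is not split.
MIN_FIRST_FRAGMENT = 16

@dataclass(frozen=True)
class Fragment:
    offset: int   # byte offset of the payload within the original datagram (IP field * 8)
    length: int   # payload bytes carried by this fragment
    more: bool    # IP "more fragments" (MF) flag

def check_fragment_set(frags):
    """Integrity and completeness checks in the spirit of FragGuard.
    Returns (accept, anomalies); anomalies are the strings a Syslog message would carry."""
    anomalies = []
    frags = sorted(frags, key=lambda f: f.offset)
    if not frags:
        return False, ["empty fragment set"]
    if frags[0].offset != 0:
        anomalies.append("first fragment (offset 0) missing")
    elif frags[0].length < MIN_FIRST_FRAGMENT:
        anomalies.append(f"small first fragment: {frags[0].length} bytes, transport header split")
    end = 0   # first byte not yet covered by the fragments seen so far
    for f in frags:
        if f.more and f.length % 8:
            anomalies.append(f"non-final fragment at offset {f.offset} not a multiple of 8 bytes")
        if f.offset < end:
            anomalies.append(f"overlap: fragment at offset {f.offset} overwrites bytes before {end}")
        elif f.offset > end:
            anomalies.append(f"gap between {end} and {f.offset}: set incomplete")
        end = max(end, f.offset + f.length)
    if frags[-1].more:
        anomalies.append("no final fragment (MF set on highest offset)")
    return not anomalies, anomalies

if __name__ == "__main__":
    # Constructed sets: a clean 3-fragment datagram and one whose second fragment overlaps the first.
    print(check_fragment_set([Fragment(0, 1480, True), Fragment(1480, 1480, True), Fragment(2960, 500, False)]))
    print(check_fragment_set([Fragment(0, 1480, True), Fragment(1472, 1480, False)]))
```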

Page 8

fragment Command

pixfirewall(config)# fragment size database-limit [interface]

• Sets the maximum number of packets in the fragment database.

pixfirewall(config)# fragment chain chain-limit [interface]

• Specifies the maximum number of packets into which a full IP packet can be fragmented.

pixfirewall(config)# fragment timeout seconds [interface]

• Specifies the maximum number of seconds that the PIX Firewall waits before discarding a packet that is waiting to be reassembled.

pixfirewall(config)# fragment size 1
pixfirewall(config)# fragment chain 1

Page 9

AAA Flood Guard

pixfirewall(config)# floodguard {enable | disable}

pixfirewall(config)# floodguard enable

• Reclaims attacked or overused AAA resources to help prevent DoS attacks on AAA services (default = enabled).

Page 10

DoS Protection

The PIX Firewall can mitigate TCP SYN flooding attacks:

• Release 5.2 introduced TCP Intercept: proxying of TCP sessions by the PIX Firewall.
• Release 6.2 introduced TCP SYN cookies: more CPU friendly.

Page 11

TCP Three-Way Handshake

Figure: two connection attempts across the Internet to targets behind the PIX Firewall.

• Normal: host 172.26.26.45 sends SYN (SRC: 172.26.26.45, DST: 10.0.0.2); target 10.0.0.2 answers with SYN/ACK; the host completes the handshake with ACK.
• DoS attack: host 172.26.26.46 sends repeated SYNs with a spoofed source (SRC: 172.16.16.20, DST: 10.0.0.3); target 10.0.0.3 answers each with a SYN/ACK to the spoofed host 172.16.16.20, which never replies, so every attempt remains an embryonic connection.

Page 12

TCP Intercept

Figure: TCP Intercept on the PIX Firewall with an embryonic connection count of 3. The normal client's SYN, SYN/ACK, and ACK are proxied by the PIX Firewall and the handshake is then completed to the server; the DoS attack's repeated SYNs are answered by the PIX Firewall and, with no ACK following, never reach the server.

Page 13

SYN Cookies

Figure: the PIX Firewall answers a normal client's SYN with SYN/ACK (cookie); the client returns ACK (cookie), and only then does the PIX Firewall open the TCP session to the server (SYN, SYN/ACK, ACK).

• The PIX Firewall responds to the SYN itself and includes a cookie in the TCP header of the SYN/ACK. The PIX Firewall keeps no state information.
• The cookie is a hash of parts of the TCP header and a secret key.
• A legitimate client completes the handshake by sending the ACK back with the cookie.
• If the cookie is authentic, the PIX Firewall proxies the TCP session.
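A stateless SYN cookie of the kind described above, as an added example that is not Cisco's implementation: the firewall's ISN in the SYN/ACK is a keyed hash of the addresses, ports and client ISN plus a time slot, and the final ACK is validated from its header alone. The secret key, the 64-second slot size, the one-slot tolerance and the 24-bit/8-bit split are assumptions of the example.

```python
import hmac, hashlib, socket, struct

SECRET = b"constructed-demo-key"   # constructed; a device would use a random key known only to it
SLOT_SECONDS = 64                  # assumed time granularity encoded in the cookie
MAX_SLOT_AGE = 1                   # accept cookies from the current slot and the previous one

def _cookie_hash(src_ip, src_port, dst_ip, dst_port, client_isn, slot, secret):
    """24-bit keyed hash over the header fields the cookie must be bound to."""
    msg = struct.pack("!4s4sHHIB", socket.inet_aton(src_ip), socket.inet_aton(dst_ip),
                      src_port, dst_port, client_isn, slot)
    return int.from_bytes(hmac.new(secret, msg, hashlib.sha256).digest()[:3], "big")

def make_syn_cookie(src_ip, src_port, dst_ip, dst_port, client_isn, now, secret=SECRET):
    """ISN the firewall puts in its SYN/ACK: 24 bits of hash, low 8 bits the time slot.
    Nothing is stored for the half-open connection."""
    slot = int(now // SLOT_SECONDS) & 0xFF
    return (_cookie_hash(src_ip, src_port, dst_ip, dst_port, client_isn, slot, secret) << 8) | slot

def check_syn_cookie(src_ip, src_port, dst_ip, dst_port, seq, ack, now, secret=SECRET):
    """Validate the client's final ACK from its header alone. seq is the client's sequence
    number (its ISN + 1) and ack echoes the firewall's ISN + 1, so the cookie is ack - 1."""
    cookie = (ack - 1) & 0xFFFFFFFF
    client_isn = (seq - 1) & 0xFFFFFFFF
    slot = cookie & 0xFF
    if (int(now // SLOT_SECONDS) - slot) & 0xFF > MAX_SLOT_AGE:
        return False   # expired cookie, or a value that was never issued
    expected = _cookie_hash(src_ip, src_port, dst_ip, dst_port, client_isn, slot, secret)
    return hmac.compare_digest((cookie >> 8).to_bytes(3, "big"), expected.to_bytes(3, "big"))

if __name__ == "__main__":
    # Constructed exchange: the normal client from page 11 connects to 10.0.0.2 port 80.
    c = make_syn_cookie("172.26.26.45", 4000, "10.0.0.2", 80, client_isn=1000, now=1000.0)
    print("client ACK accepted:", check_syn_cookie("172.26.26.45", 4000, "10.0.0.2", 80, 1001, c + 1, now=1030.0))
    print("altered ACK accepted:", check_syn_cookie("172.26.26.45", 4000, "10.0.0.2", 80, 1001, c + 1 + 0x100, now=1030.0))
```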

Page 14

Embryonic Connection Limit

• Setting the embryonic connections (em) limit enables TCP proxying using either TCP Intercept or SYN cookies.
  – A value of 0 disables protection (default).
  – When the embryonic connection limit is exceeded, all connections are proxied.

pixfirewall(config)# nat (if_name) id address [max_conns] [em_limit]

pixfirewall(config)# static [(internal_if_name, external_if_name)] {global_ip | interface} local_ip [dns] [max_conns [emb_limit]]

pixfirewall(config)# nat (inside) 1 0 0 0 100
pixfirewall(config)# static (inside,outside) 192.168.0.11 172.16.0.2 0 100

Page 15

Intrusion Detection

Page 16

Intrusion Detection

• Ability to detect attacks against networks
• Three types of network attacks:
  – Reconnaissance
  – Access
  – Denial of service

Page 17

Signatures

A signature is a set of rules pertaining to typical intrusion activity that, when matched, generates a unique response. The following signature classes are supported by the PIX Firewall:

• Informational: triggers on normal network activity that in itself is not considered malicious, but can be used to determine the validity of an attack or for forensic purposes.
• Attack: triggers on an activity known to be, or that could lead to, unauthorized data retrieval, system access, or privilege escalation.

Page 18

Intrusion Detection in the PIX Firewall

Figure: an intruder on the Internet runs nslookup against DNS server server1 (172.16.0.4) on the dmz, with the Syslog server at 10.0.0.11 on the inside:

C:\>nslookup
Default server: server1.domain.com
Address: 192.168.0.4
ls -d domain.com

1. The intruder attempts a zone transfer from the DNS server on the dmz.
2. The PIX Firewall detects an attack.
3. The PIX Firewall drops the connection and logs an IDS message to 10.0.0.11.

Page 19

Configure IDS

pixfirewall(config)# ip audit name audit_name info [action [alarm] [drop] [reset]]

• Creates a policy for informational signatures.

pixfirewall(config)# ip audit name audit_name attack [action [alarm] [drop] [reset]]

• Creates a policy for attack signatures.

pixfirewall(config)# ip audit interface if_name audit_name

• Applies a policy to an interface.

pixfirewall(config)# ip audit name ATTACKPOLICY attack action alarm reset
pixfirewall(config)# ip audit interface outside ATTACKPOLICY

• When the PIX Firewall detects an attack signature on its outside interface, it reports an event to all configured Syslog servers, drops the offending packet, and closes the connection if it is part of an active connection.

Page 20

Specify Default Actions for Signatures

pixfirewall(config)# ip audit attack [action [alarm] [drop] [reset]]

• Specifies the default actions for attack signatures.

pixfirewall(config)# ip audit info [action [alarm] [drop] [reset]]

• Specifies the default actions for informational signatures.

pixfirewall(config)# ip audit info action alarm drop

• When the PIX Firewall detects an info signature, it reports an event to all configured Syslog servers and drops the offending packet.

Page 21

Disable Intrusion Detection Signatures

pixfirewall(config)# ip audit signature signature_number disable

• Excludes a signature from auditing.

pixfirewall(config)# ip audit signature 6102 disable

• Disables signature 6102.
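How the ip audit commands from pages 19 to 21 combine into the action taken for one detected signature, as an added example that is not part of the course or of PIX software: a small resolver parses the page's command lines (policy, interface binding, default actions, disabled signature) and answers which of alarm, drop and reset apply. Two behaviours are assumptions of the example, not statements from the page: a policy or default with no explicit action means alarm only, and a signature class with no policy applied on the interface is not audited there.

```python
class AuditConfig:
    """Resolves the IDS actions (alarm, drop, reset) for a signature on an interface from
    'ip audit' commands. Assumed for the example: no explicit 'action' means alarm only,
    and a class with no policy applied on the interface is not audited there."""

    def __init__(self):
        self.defaults = {"info": {"alarm"}, "attack": {"alarm"}}
        self.policies = {}     # audit_name -> (signature class, explicit action set or None)
        self.interfaces = {}   # if_name -> list of audit_names applied to it
        self.disabled = set()  # signature numbers excluded from auditing

    def load(self, cmd):
        """Accept one command line, with or without the 'pixfirewall(config)#' prompt."""
        parts = cmd.replace("pixfirewall(config)#", "").split()
        if parts[:2] != ["ip", "audit"]:
            raise ValueError(f"not an ip audit command: {cmd!r}")
        sub = parts[2]
        if sub == "name":                    # ip audit name <audit_name> {info|attack} [action ...]
            explicit = set(parts[6:]) if parts[5:6] == ["action"] else None
            self.policies[parts[3]] = (parts[4], explicit)
        elif sub == "interface":             # ip audit interface <if_name> <audit_name>
            self.interfaces.setdefault(parts[3], []).append(parts[4])
        elif sub == "signature":             # ip audit signature <number> disable
            if parts[4:5] == ["disable"]:
                self.disabled.add(int(parts[3]))
        elif sub in ("info", "attack"):      # ip audit {info|attack} [action ...]
            self.defaults[sub] = set(parts[4:]) if parts[3:4] == ["action"] else {"alarm"}
        else:
            raise ValueError(f"unsupported ip audit form: {cmd!r}")

    def actions_for(self, if_name, sig_class, sig_number):
        """Actions for one detected signature; an empty set means it is ignored."""
        if sig_number in self.disabled:
            return set()
        for name in self.interfaces.get(if_name, []):
            cls, explicit = self.policies.get(name, (None, None))
            if cls == sig_class:
                return set(explicit) if explicit is not None else set(self.defaults[sig_class])
        return set()

PAGE_COMMANDS = [   # the configuration lines shown on pages 19 to 21
    "pixfirewall(config)# ip audit name ATTACKPOLICY attack action alarm reset",
    "pixfirewall(config)# ip audit interface outside ATTACKPOLICY",
    "pixfirewall(config)# ip audit info action alarm drop",
    "pixfirewall(config)# ip audit signature 6102 disable",
]

if __name__ == "__main__":
    cfg = AuditConfig()
    for line in PAGE_COMMANDS:
        cfg.load(line)
    # 4001 is a constructed signature number for the demonstration
    print(cfg.actions_for("outside", "attack", 4001), cfg.actions_for("outside", "attack", 6102))
```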

Page 22

Shunning

Page 23

shun Command

pixfirewall(config)# shun src_ip [dst_ip sport dport [protocol]]

• Applies a blocking function to an interface under attack.

pixfirewall(config)# shun 172.26.26.45

• No further traffic from 172.26.26.45 is allowed.

Page 24

Shunning an Attacker

pixfirewall(config)# shun 172.26.26.45 192.168.0.10 4000 53

Figure: traffic from attacker 172.26.26.45 port 4000 across the Internet to the target 192.168.0.10 port 53 (SRC: 172.26.26.45:4000, DST: 192.168.0.10:53) is blocked at the PIX Firewall.

Page 25

Summary

Page 26

Summary

• The PIX Firewall has the following attack guards to help protect systems from malicious attacks: Mail Guard, DNS Guard, FragGuard and Virtual Reassembly, AAA Flood Guard, and SYN Flood Guard.
• Cisco PIX Firewall Software Version 5.2 and higher support intrusion detection.
• Intrusion detection is the ability to detect attacks against a network, including reconnaissance, access, and DoS attacks.
• The PIX Firewall supports signature-based intrusion detection.

Page 27

Summary (Cont.)

• Each signature can generate a unique alarm and response.
• Informational signatures collect information to help determine the validity of an attack, or for forensics.
• Attack signatures trigger on an activity known to be, or that could lead to, unauthorized data retrieval, system access, or privilege escalation.
• The PIX Firewall can be configured to shun the source address of attacking hosts.

Page 28

Lab Exercise

Page 29

Lab Visual Objective

Figure: the lab topology. Pods 1–5 use P and pods 6–10 use Q in the addresses below.

• Inside: 10.0.P.0 (10.0.Q.0), with the Student PC and Syslog server at Local: 10.0.P.11 (10.0.Q.11) and the PIX Firewall inside interface at .1.
• DMZ: 172.16.P.0 (172.16.Q.0), with the Bastion host (Web, FTP) at .2 and the PIX Firewall at .1.
• Outside: 192.168.P.0 (192.168.Q.0), connecting the PIX Firewall to the RTS (.100).
• Backbone: 172.26.26.0, shared by both pod groups, with RBB (.150) and a Web/FTP server (.50).