Upload
cleopatra-simmons
View
217
Download
3
Embed Size (px)
DESCRIPTION
© 2004, Cisco Systems, Inc. All rights reserved. CSPFA 3.2—10-3 Objectives Upon completion of this lesson, you will be able to perform the following tasks: Name, describe, and configure the attack guards in the PIX Firewall. Define intrusion detection. Describe signatures. Name and identify signature classes supported by the PIX Firewall. Configure the PIX Firewall to use IDS signatures. Configure the PIX Firewall to shun.
Citation preview
© 2004, Cisco Systems, Inc. All rights reserved. CSPFA 3.2—10-1
Lesson 10
Attack Guards, Intrusion Detection, and Shunning
© 2004, Cisco Systems, Inc. All rights reserved. CSPFA 3.2—10-2
Objectives
© 2004, Cisco Systems, Inc. All rights reserved. CSPFA 3.2—10-3
Objectives
Upon completion of this lesson, you will be able to perform the following tasks:• Name, describe, and configure the attack guards in
the PIX Firewall.• Define intrusion detection.• Describe signatures.• Name and identify signature classes supported by
the PIX Firewall.• Configure the PIX Firewall to use IDS signatures.• Configure the PIX Firewall to shun.
© 2004, Cisco Systems, Inc. All rights reserved. CSPFA 3.2—10-4
Attack Guards
© 2004, Cisco Systems, Inc. All rights reserved. CSPFA 3.2—10-5
Mail Guard
fixup protocol smtp port [-port]pixfirewall (config)#
pixfirewall(config)# fixup protocol smtp 2525
• Allows only seven minimum commands: HELO, MAIL, RCPT, DATA, RSET, NOOP, and QUIT (RFC 821).
• Defines ports on which to activate Mail Guard (default = 25)• If disabled, all SMTP commands are allowed through the firewall—
potential mail server vulnerabilities are exposed.
Internet Inside
SMTP
RFC 821 commands only
Mailgateway
© 2004, Cisco Systems, Inc. All rights reserved. CSPFA 3.2—10-6
Client10.0.0.2
Server172.30.0.100
10.0.0.2 192.168.0.10172.30.0.100 172.30.0.100
2543 254353 53
172.30.0.100 172.30.0.10010.0.0.2 192.168.0.10
53 532543 2543
Src IP
Dst IPSrc Pt
Dst Pt
Src IPDst IP
Src PtDst Pt
DNS Guard
• DNS Guard is always on.• After the client does a
DNS request, a dynamic pin hole allows UDP packets to return from the DNS server. The default UDP timer expires in two minutes.
• The DNS server response is recognized by the firewall, which closes the dynamic UDP pin hole immediately. The PIX Firewall does not wait for the UDP timer to expire.
© 2004, Cisco Systems, Inc. All rights reserved. CSPFA 3.2—10-7
FragGuard and Virtual Reassembly
The FragGuard and Virtual Reassembly feature has the following characteristics:• Is on by default.• Verifies each fragment set for integrity and
completeness.• Tags each fragment in a fragment set with the
transport header.• Performs full reassembly of all ICMP error messages
and virtual reassembly of the remaining IP fragments that are routed through the PIX Firewall. • Uses Syslog to log fragment overlapping and small
fragment offset anomalies.
© 2004, Cisco Systems, Inc. All rights reserved. CSPFA 3.2—10-8
fragment Command
• Sets the maximum number of packets in the fragment database.fragment size database-limit [interface] pixfirewall (config)#
pixfirewall(config)# fragment size 1pixfirewall(config)# fragment chain 1
fragment chain chain-limit [interface]
fragment timeout seconds [interface]
pixfirewall (config)#
pixfirewall (config)#
• Specifies the maximum number of packets into which a full IP packet can be fragmented.
• Specifies the maximum number of seconds that the PIX Firewall waits before discarding a packet that is waiting to be reassembled.
© 2004, Cisco Systems, Inc. All rights reserved. CSPFA 3.2—10-9
AAA Flood Guard
floodguard {enable | disable}pixfirewall (config)#
pixfirewall(config)# floodguard enable
• Reclaims attacked or overused AAA resources to help prevent DoS attacks on AAA services (default = enabled).
© 2004, Cisco Systems, Inc. All rights reserved. CSPFA 3.2—10-10
DoS Protection
PIX Firewall can mitigate TCP SYN flooding attacks:• Release 5.2 introduced TCP Intercept: proxying
of TCP sessions by the PIX Firewall• Release 6.2 introduced TCP SYN cookies:
more CPU friendly
© 2004, Cisco Systems, Inc. All rights reserved. CSPFA 3.2—10-11
TCP Three-Way Handshake
172.26.26.45
Target10.0.0.2
Spoofed host172.16.16.20
172.26.26.46
SYN, SRC: 172.26.26.45, DST: 10.0.0.2SYN/ACK
ACK
SYN, SRC: 172.16.16.20, DST: 10.0.0.3Target
10.0.0.3
DoSattack
SYN, SRC: 172.16.16.20, DST: 10.0.0.3
SYN, SRC: 172.16.16.20, DST: 10.0.0.3
Normal
EmbryonicConnection
?
Internet
SYN/ACK
SYN/ACK
SYN/ACK
??
© 2004, Cisco Systems, Inc. All rights reserved. CSPFA 3.2—10-12
TCP Intercept
Internet
Embryonicconnection count = 3
SYNSYN/ACK
ACK
SYNDoS
AttackSYNSYN
Normal
TCPIntercept
SYNSYN/ACK
ACK
© 2004, Cisco Systems, Inc. All rights reserved. CSPFA 3.2—10-13
SYN Cookies
Internet
SYNSYN/ACK (cookie)
ACK (cookie)
Normal
TCPIntercept
SYNSYN/ACK
ACK
PIX Firewall responds to the SYN itself, which includes a cookie in the TCP header of the SYN/ACK. The PIX Firewall keeps no state information.• The cookie is a hash of parts of the TCP header and a secret key.• A legitimate client completes the handshake by sending the ACK
back with the cookie.• If the cookie is authentic, the PIX Firewall proxies the TCP session.
© 2004, Cisco Systems, Inc. All rights reserved. CSPFA 3.2—10-14
Embryonic Connection Limit
• Setting the embryonic connections (em) limit enables TCP proxying using either TCP Intercept or SYN cookies.– A value of 0 disables protection (default). – When embryonic connection limit is exceeded, all connections are
proxied.
pixfirewall(config)# nat (inside) 1 0 0 0 100pixfirewall(config)# static (inside,outside) 192.168.0.11172.16.0.2 0 100
static [(internal_if_name, external_if_name)] {global_ip | interface} local_ip [dns][max_conns] [emb_limit]]
pixfirewall (config)#
nat (if-name) id address [max_conns] [em_limit]
pixfirewall (config)#
© 2004, Cisco Systems, Inc. All rights reserved. CSPFA 3.2—10-15
Intrusion Detection
© 2004, Cisco Systems, Inc. All rights reserved. CSPFA 3.2—10-16
Intrusion Detection
• Ability to detect attacks against networks
• Three types of network attacks:– Reconnaissance– Access– Denial of service
© 2004, Cisco Systems, Inc. All rights reserved. CSPFA 3.2—10-17
Signatures
A signature is a set of rules pertaining to typical intrusion activity that, when matched, generates a unique response. The following signature classes are supported by the PIX Firewall:• Informational—Triggers on normal network activity that in
itself is not considered to be malicious, but can be used to determine the validity of an attack or for forensic purposes.
• Attack—Triggers on an activity known to be, or that could lead to, unauthorized data retrieval, system access, or privilege escalation.
© 2004, Cisco Systems, Inc. All rights reserved. CSPFA 3.2—10-18
Intrusion Detection in the PIX Firewall
10.0.0.11C:\>nslookupDefault server: server1.domain.comAddress: 192.168.0.4ls -d domain.com
DNS server(server1)
172.16.0.4
Syslog server
The intruder attempts a zone transfer from the DNS server on dmz.
The PIX Firewall detects an attack.
domain.com
The PIX Firewall drops the connection and logs an IDS message to 10.0.0.11.
3
Internet
2
1
© 2004, Cisco Systems, Inc. All rights reserved. CSPFA 3.2—10-19
Configure IDS
pixfirewall(config)# ip audit name ATTACKPOLICY attack action alarm reset
pixfirewall(config)# ip audit interface outside ATTACKPOLICY
pixfirewall(config)#
ip audit name audit_name info [action [alarm] [drop] [reset]]• Creates a policy for informational signatures.
pixfirewall(config)#
ip audit name audit_name attack [action [alarm] [drop] [reset]]• Creates a policy for attack signatures.
ip audit interface if_name audit_namepixfirewall(config)#
• Applies a policy to an interface.
• When the PIX Firewall detects an attack signature on its outside interface, it reports an event to all configured Syslog servers, drops the offending packet, and closes the connection if it is part of an active connection.
© 2004, Cisco Systems, Inc. All rights reserved. CSPFA 3.2—10-20
Specify Default Actions for Signatures
pixfirewall(config)#
pixfirewall(config)#
ip audit attack [action [alarm] [drop] [reset]]
ip audit info [action [alarm] [drop] [reset]]
• Specifies the default actions for attack signatures.
• Specifies the default actions for informational signatures.
pixfirewall(config)# ip audit info action alarm drop
• When the PIX Firewall detects an info signature, it reports an event to all configured Syslog servers and drops the offending packet.
© 2004, Cisco Systems, Inc. All rights reserved. CSPFA 3.2—10-21
pixfirewall(config)#ip audit signature signature_number disable
pixfirewall(config)# ip audit signature 6102 disable
Disable Intrusion Detection Signatures
• Excludes a signature from auditing.
• Disables signature 6102.
© 2004, Cisco Systems, Inc. All rights reserved. CSPFA 3.2—10-22
Shunning
© 2004, Cisco Systems, Inc. All rights reserved. CSPFA 3.2—10-23
shun Command
• Applies a blocking function to an interface under attack.
pixfirewall(config)#
shun src_ip [dst_ip sport dport [protocol]]
pixfirewall(config)# shun 172.26.26.45• No further traffic from 172.26.26.45 is allowed.
© 2004, Cisco Systems, Inc. All rights reserved. CSPFA 3.2—10-24
Shunning an Attacker
pixfirewall(config)# shun 172.26.26.45 192.168.0.10 4000 53
Attacker172.26.26.45
Target
XSRC: 172.26.26.45:4000, DST: 192.168.0.10:53
SRC: 172.26.26.45:4000, DST: 192.168.0.10:53
Port4000
Port53
Internet
© 2004, Cisco Systems, Inc. All rights reserved. CSPFA 3.2—10-25
Summary
© 2004, Cisco Systems, Inc. All rights reserved. CSPFA 3.2—10-26
Summary
• The PIX Firewall has the following attack guards to help protect systems from malicious attacks: Mail Guard, DNS Guard, FragGuard and Virtual Reassembly, AAA Flood Guard, and SYN Flood Guard.• Cisco PIX Firewall Software Version 5.2 and
higher support intrusion detection.• Intrusion detection is the ability to detect
attacks against a network, including reconnaissance, access, and DoS attacks.• The PIX Firewall supports signature-based
intrusion detection.
© 2004, Cisco Systems, Inc. All rights reserved. CSPFA 3.2—10-27
Summary (Cont.)
• Each signature can generate a unique alarm and response.• Informational signatures collect information to
help determine the validity of an attack, or for forensics.• Attack signatures trigger on an activity known
to be, or that could lead to, unauthorized data retrieval, system access, or privileged escalation.• The PIX Firewall can be configured to shun
source address of attacking hosts.
© 2004, Cisco Systems, Inc. All rights reserved. CSPFA 3.2—10-28
Lab Exercise
© 2004, Cisco Systems, Inc. All rights reserved. CSPFA 3.2—10-29
192.168.Q.0192.168.P.0
Lab Visual Objective
.2.1
.1
Student PCSyslog server
PIXFirewall
.1
.2
.1
PIXFirewall
.1
Local: 10.0.P.11 Local: 10.0.Q.11
10.0.P.0 10.0.Q.0
RTS.100
RTS.100
Pods 1–5 Pods 6–10172.26.26.0
.150
.50
WebFTP
RBB
.2.2 Bastion host:Web FTP172.16.P.0 172.16.Q.0
Bastion host:WebFTP
.1
Student PCSyslog server