Introduction

Table Of Contents

Introduction

PIX Firewall Features

PIX Firewall Adaptive Security

Cut-Through Proxies

How the Firewall Works

Creating a Security Policy

Know Your Enemy

Count the Cost

Identify Your Assumptions

Control Your Secrets

Remember Human Factors

Know Your Weaknesses

Limit the Scope of Access

Understand Your Environment

Limit Your Trust

Remember Physical Security

Make Security Pervasive

Connection Licenses


Introduction


The PIX Firewall, when properly configured, helps prevent unauthorized connections from one network to another. The network that PIX Firewall protects is referred to as the internal, or inside, network, and the network from which connections are controlled is the external, or outside, network.

Typically, the inside network is an organization's own internal network, or intranet, and the outside network is the Internet, but the PIX Firewall can also be used within an intranet to isolate or protect one group of internal computing systems and users from another.

To effectively use a firewall in your organization, you need a security policy to protect your data resources from intrusion. You must decide who can access network resources, which services you can effectively support, and who can access the internal network from the external network.

The PIX forms the boundary between the inside network and a perimeter network, also known as the "demilitarized zone" (DMZ). All traffic flow between the inside and outside network passes through the firewall. The DMZ is typically accessible to the outside network and contains systems that host services to the outside network. Such services might include a Web server, FTP server, or SMTP (electronic mail) server. Connections to these application servers can be controlled using access-lists in the Internet-attached router. The PIX Firewall lets you implement your security policies for connections to and from the inside network.

For more information on firewalls refer to Firewalls & Internet Security by William Cheswick and Steven Bellovin, Addison-Wesley. Information about this book is available at:

http://www.aw.com/cp/Ches.html

PIX Firewall Features

PIX (Private Internet Exchange) Firewall provides full firewall protection that completely conceals the architecture of an internal network from the outside world. PIX Firewall allows secure access to the Internet from within existing private networks and the ability to expand and reconfigure TCP/IP networks without being concerned about a shortage of IP addresses.

PIX Firewall has the following features:

Adaptive Security that keeps intruders out of your internal network while permitting regulated conduit access through the firewall for services such as electronic mail, Telnet, FTP, SNMP, and HTTP (World Wide Web) use. (Refer to the next section for more details.)

Network translation services that let a site share one or more NIC-registered IP addresses among many users. With PIX Firewall, users can take advantage of larger address classes than they may have been assigned by the Internet's Network Information Center (NIC). PIX Firewall provides this access through its Network Address Translation (NAT) facility as described by RFC 1631.

NCSA and SRI certify that the PIX Firewall secures your network from outside intrusion.

An Identity feature that lets NIC-registered IP addresses pass through the firewall without address translation, while still retaining Adaptive Security. This feature is handled with the nat 0 command.

Cut-Through proxies (refer to section that follows for details).

The PAT (Port Address Translation) feature expands a company's pool of IP addresses by allowing a single IP address to support over 64000 hosts (the number of simultaneous active hosts depends on the connection license). This feature is handled with the global command.

The Mail Guard feature removes the need for an external mail relay workstation (called a bastion host) in the outside network, and provides Adaptive Security en route for SMTP commands. This feature is handled by the mailhost command. Mail Guard permits only the minimal RFC 821 commands to reach the SMTP server.

Ability to filter out unwanted Java applets. This feature is handled by a new option to the outbound deny command. According to the May 1997 issue of Byte magazine in an article entitled "Avoiding Hostile Applets" by Gary McGraw and Edward Felten, Java applets can instigate attacks such as invasion of privacy, denial of service, and antagonism. The PIX Firewall lets you prevent any Java applets from being used in your network.

The Flood Defender feature eliminates the SYN flood attacks and limits the number of connections a host can use. This feature is handled by a new option to the static command.

NetBIOS over IP is supported.

A Cisco IOS-like command set for simplified configuration and administration.

Support for SNMP MIB-II gets and traps with the snmp-server command.

Simplified configuration and system management with an HTML interface.

Multimedia support for RealAudio, Streamworks, CuSeeMe, Internet Phone (H.323), and VDO Live. PIX Firewall provides the established debugging command for handling applications such as WEB Theatre VXtreme and Microsoft NetShow.

Third-party certification by NCSA (National Computer Security Association) and auditing by SRI International.

Support for Telnet, FTP, and HTTP access using RADIUS (Remote Authentication Dial-In User Service) and TACACS+ security systems. PIX Firewall authenticates users in conjunction with the security systems that Cisco routers support. The security clients run on Cisco routers and send authentication requests to a central security server, which contains all user authentication and network service access information. This feature is handled by the aaa, radius-server host, and tacacs-server host commands.

For domestic sites, the Private Link encryption option that permits up to 256 PIX Firewall units to interact together across a WAN with completely secure data transfer. From the internal networks, the other networks connected through Private Link appear as one contiguous network. Private Link supports IETF IPSEC AH/ESP with DES (56). This feature is handled by the link and linkpath commands.

Failover capability that permits a secondary PIX Firewall unit to take over firewall communications if the primary unit fails. This feature is handled by the failover command.

Support for 10BaseT and 100BaseTX networking with the interface command.

Support for Token Ring network cards, which can be operated singly (so that the firewall joins an Ethernet network to a Token Ring network) or in pairs for a standard Token Ring network.


Note   You can view information on the PIX Firewall and additional documentation over the World Wide Web at this URL:  http://www.cisco.com/pix


PIX Firewall Adaptive Security

The Adaptive Security feature applies to the dynamic translation slots and can be applied to static translation slots via the static and mailhost commands. The Adaptive Security algorithm is a very stateful approach to security. Every inbound packet is checked exhaustively against the Adaptive Security algorithm and against connection state information in memory. This stateful approach to security is regarded in the industry as being far more secure than a stateless packet screening approach.

Adaptive Security follows these rules:

Allow any TCP connections that originate from the inside network.

Ensure that if an FTP data connection is initiated to a translation slot, there is already an FTP control connection between that translation slot and the remote host. If not, drop and log the attempt to initiate an FTP data connection. For valid connections, the firewall handles passive and normal FTP transparently without the need to configure your network differently.

Drop and log attempts to initiate TCP connections to a translation slot from the outside.

Drop and log source routed IP packets sent to any translation slot on the PIX Firewall.

Allow ICMP of types 0, 3, 4, 8, 11, 12, 17 and 18. By implication, deny ICMP redirects (type 5).

Silently drop ping requests to dynamic translation slots.

Answer (by the PIX Firewall) ping requests directed to static translation slots.

You can protect static translation slots with Adaptive Security, and you can have exceptions (called conduits) to the previously described rules, which you create with the conduit command. Multiple exceptions may be applied to a single static translation slot (via multiple conduit commands). This lets you permit access from an arbitrary machine, network, or any host on the Internet to the inside host defined by the static translation slot.

PIX Firewall handles UDP data transfers in a manner similar to TCP. Special handling allows DNS service, archie, and RealAudio to work securely. PIX Firewall creates UDP connection state information when a UDP packet is sent from the inside network. Response packets resulting from this traffic are accepted if they match the connection state information. The connection state information is deleted after a short period of inactivity.

Cut-Through Proxies

The PIX Firewall offers performance dramatically better than competing firewalls. It gains speed through a patent-pending process called Cut-Through proxies, which is the fastest way for a firewall to authenticate a user.

Unlike a proxy server that must analyze every packet at layer seven of the OSI model, a time- and processing-intensive function, the PIX Firewall first queries a TACACS+ or RADIUS server for authentication. Once approved, the PIX Firewall then establishes a data flow and all traffic thereafter flows directly and quickly between the two parties.

Cut-Through proxies let the PIX Firewall perform dramatically faster than proxy-based servers while maintaining session state. Cut-Through proxy also lowers the cost of ownership by reusing the existing authentication database.

How the Firewall Works

The PIX Firewall contains two Ethernet or Token-Ring interfaces, one for the inside, secure network and the other for the outside, unprotected network. Both the inside and outside interfaces can listen to RIP routing updates, and the inside interface can broadcast a RIP default route.

When packets arrive at the inside interface, the PIX Firewall checks to see if previous packets have come from the inside host. If not, the PIX Firewall creates a dynamic translation slot in its state table. The dynamic translation slot includes the inside IP address and the new globally unique IP address, which is drawn from the virtual network of up to 64K host addresses. PIX Firewall then changes the IP address, the checksums, and other aspects of the packet so they agree, and forwards the packet to the outside interface on its way to the Internet.

When a packet arrives at the outside interface, it must first pass the PIX Firewall Adaptive Security criteria. If the packet passes the security tests, PIX Firewall replaces the destination IP address (the global address of the translation slot) with the internal IP address and forwards the packet to the inside interface.

Dynamic translation slots are useful for desktop machines that do not need constant addresses on the Internet. Inside network hosts with IP addresses not registered with the NIC (Network Information Center) can directly access the Internet with standard TCP/IP software on the desktop. No special client software is needed.

Another class of address translation on the PIX Firewall is static translation. Static translation effectively moves an internal, unregistered host into the virtual network in the PIX Firewall. This is useful for internal machines that need to be addressed from the outside Internet gateways; for example, an SMTP server.
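The translation-slot and Adaptive Security behaviour described in this section and in the rule list under "PIX Firewall Adaptive Security" can be modelled in a few dozen lines. The following is an added example, not Cisco code: the Packet and PixModel structures, the global address pool and the port numbers are assumptions, and the model omits details such as the UDP inactivity timeout.

```python
from dataclasses import dataclass

# ICMP types the rule list allows; type 5 (redirect) is absent and so denied
ALLOWED_ICMP = {0, 3, 4, 8, 11, 12, 17, 18}

@dataclass
class Packet:
    src: str
    dst: str
    proto: str              # "tcp", "udp" or "icmp"
    sport: int = 0
    dport: int = 0
    icmp_type: int = -1
    source_routed: bool = False

class PixModel:
    """Simplified model (assumption: not Cisco's code) of the state table and rules."""

    def __init__(self, global_pool, statics=None):
        self.pool = list(global_pool)        # free global addresses for dynamic slots
        self.dynamic = {}                    # inside addr -> global addr (dynamic slots)
        self.static = dict(statics or {})    # global addr -> inside addr (static slots)
        self.conduits = set()                # (global addr, proto, port) exceptions
        self.conns = set()                   # (global, gport, remote, rport, proto)
        self.log = []                        # dropped-and-logged attempts

    def conduit(self, global_addr, proto, port):
        self.conduits.add((global_addr, proto, port))

    def _drop(self, reason, pkt, silent=False):
        if not silent:
            self.log.append(f"{reason}: {pkt.src} -> {pkt.dst}")
        return None

    def outbound(self, pkt):
        """Inside interface: allocate a dynamic slot on first sight, record the connection."""
        by_inside = {v: k for k, v in self.static.items()}
        g = by_inside.get(pkt.src) or self.dynamic.get(pkt.src)
        if g is None:
            g = self.pool.pop(0)             # IndexError models an exhausted pool
            self.dynamic[pkt.src] = g
        self.conns.add((g, pkt.sport, pkt.dst, pkt.dport, pkt.proto))
        return Packet(g, pkt.dst, pkt.proto, pkt.sport, pkt.dport, pkt.icmp_type)

    def inbound(self, pkt):
        """Outside interface: translated Packet, 'answer' (PIX replies itself) or None (dropped)."""
        if pkt.source_routed:
            return self._drop("source routed packet", pkt)
        inside = self.static.get(pkt.dst) or next(
            (i for i, g in self.dynamic.items() if g == pkt.dst), None)
        if inside is None:
            return self._drop("no translation slot", pkt)
        if pkt.proto == "icmp":
            if pkt.icmp_type not in ALLOWED_ICMP:
                return self._drop(f"icmp type {pkt.icmp_type}", pkt)
            if pkt.icmp_type == 8:           # ping: answered for static slots, silent drop for dynamic
                return "answer" if pkt.dst in self.static else self._drop("ping", pkt, silent=True)
        elif (pkt.dst, pkt.dport, pkt.src, pkt.sport, pkt.proto) not in self.conns:
            if pkt.proto == "tcp" and pkt.sport == 20:   # active-mode FTP data connection
                if not any((c[0], c[2], c[3], c[4]) == (pkt.dst, pkt.src, 21, "tcp") for c in self.conns):
                    return self._drop("ftp data without control connection", pkt)
            elif not (pkt.dst in self.static and (pkt.dst, pkt.proto, pkt.dport) in self.conduits):
                return self._drop(f"unsolicited {pkt.proto} to translation slot", pkt)
        return Packet(pkt.src, inside, pkt.proto, pkt.sport, pkt.dport, pkt.icmp_type)
```

Feeding the model an outbound HTTP request, its reply, an unsolicited Telnet attempt, an SMTP connection through a conduit, pings to static and dynamic slots, and an FTP data connection with and without its control connection exercises each rule in the list.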

Creating a Security Policy

To effectively use a firewall in your organization, you need a security policy to protect your data resources from intrusion. By creating or improving a security policy, you can protect against malicious attack by outsiders and control the effects of errors and equipment failures.

Your security policy needs to ensure that users can only perform tasks they are authorized to do, only obtain information they are authorized to have, and not cause damage to the data, applications, or operating environment of a system.


Note   When properly configured, the PIX Firewall can secure your network from outside threats. PIX Firewall is not a turn-key system. You have to program it to identify which hosts can access your inside network and which cannot. It is your responsibility to protect your network. The PIX Firewall will not prevent all forms of security threats, but its features give you an arsenal of resources to repel network attacks.


Security measures keep people honest in the same way that locks do. The following guidelines provide specific actions you can take to improve the security of your network:

Know your enemy

Count the cost

Identify your assumptions

Control your secrets

Remember human factors

Know your weaknesses

Limit the scope of access

Understand your environment

Limit your trust

Remember physical security

Make security pervasive

Know Your Enemy

Consider who might want to circumvent your security measures and identify their motivations. Determine what they might want to do and the damage that they could cause to your network.

Security measures can never make it impossible for a user to perform unauthorized tasks with a computer system. They can only make it harder.

The goal is to make sure the network security controls are beyond the attacker's ability or motivation.

Count the Cost

Security measures almost always reduce convenience, especially for sophisticated users. Security can delay work and create expensive administrative and educational overhead. It can use significant computing resources and require dedicated hardware.

When you design your security measures, understand their costs and weigh those costs against the potential benefits. To do that, you must understand the costs of the measures themselves and the costs and likelihoods of security breaches. If you incur security costs out of proportion to the actual dangers, you have done yourself a disservice.

Identify Your Assumptions

Every security system has underlying assumptions. For example, you might assume that your network is not tapped, or that attackers know less than you do, that they are using standard software, or that a locked room is safe. Be sure to examine and justify your assumptions. Any hidden assumption is a potential security hole.

Control Your Secrets

Most security is based on secrets. Passwords and encryption keys, for example, are secrets. Too often, though, the secrets are not really all that secret. The most important part of keeping secrets is knowing the areas you need to protect. What knowledge would enable someone to circumvent your system? You should jealously guard that knowledge and assume that everything else is known to your adversaries. The more secrets you have, the harder it will be to keep all of them. Security systems should be designed so that only a limited number of secrets need to be kept.

Remember Human Factors

Many security procedures fail because their designers do not consider how users will react to them. For example, because they can be difficult to remember, automatically generated nonsense passwords are often found written on the undersides of keyboards. For convenience, a secure door that leads to the system's only tape drive is sometimes propped open. For expediency, unauthorized modems are often connected to a network to avoid onerous dial-in security measures.

If your security measures interfere with essential use of the system, those measures will be resisted and perhaps circumvented. To get compliance, you must make sure that users can get their work done, and you must sell your security measures to users. Users must understand and accept the need for security.

Any user can compromise system security, at least to some degree. Passwords, for instance, can often be found simply by calling legitimate users on the telephone, claiming to be a system administrator, and asking for them. If your users understand security issues, and if they understand the reasons for your security measures, they are far less likely to make an intruder's life easier.

At a minimum, users should be taught never to release passwords or other secrets over unsecured telephone lines (especially cellular telephones) or electronic mail (e-mail). Users should be wary of questions asked by people who call them on the telephone. Some companies have implemented formalized network security training for their employees; that is, employees are not allowed access to the Internet until they have completed a formal training program.

Know Your Weaknesses

Every security system has vulnerabilities. You should understand your system's weak points and know how they could be exploited. You should also know the areas that present the largest danger and prevent access to them immediately. Understanding the weak points is the first step toward turning them into secure areas.

Limit the Scope of Access

You should create appropriate barriers inside your system so that if intruders access one part of the system, they do not automatically have access to the rest of the system. The security of a system is only as good as the weakest security level of any single host in the system.

Understand Your Environment

Understanding how your system normally functions, knowing what is expected and what is unexpected, and being familiar with how devices are usually used, will help you to detect security problems. Noticing unusual events can help you to catch intruders before they can damage the system.

Auditing tools can help you to detect those unusual events.

Limit Your Trust

You should know exactly which software you rely on, and your security system should not have to rely upon the assumption that all software is bug-free or that your firewall can prevent all attacks.

Remember Physical Security

Physical access to a computer, router, or your firewall usually gives a sufficiently sophisticated user total control over that device. Physical access to a network link usually allows a person to tap that link, jam it, or inject traffic into it. It makes no sense to install complicated software security measures when access to the hardware is not controlled.

Make Security Pervasive

Almost any change you make in your system may have security effects. This is especially true when new services are created. Administrators, programmers, and users should consider the security implications of every change they make. Understanding the security implications of a change is something that takes practice. It requires lateral thinking and a willingness to explore every way in which a service could potentially be manipulated.

Connection Licenses

PIX Firewall provides options you can purchase from Cisco Sales that let you increase the number of simultaneous TCP connections (also known as sessions) the firewall can handle. The options are sold for 64, 256, and 16,384 connections. Previous versions of PIX Firewall with 32 connection licenses are automatically upgraded to 64 connections when version 4 is installed.


Note   To update the number of connections, obtain a new activation key from Cisco Sales. After you receive the activation key, reboot the PIX Firewall with the original floppy disk and during the boot sequence, when prompted, enter your new key.


Each outbound TCP/IP connection counts as a simultaneous connection. UDP connections are not counted in the license value. The use of Telnet or HTTP to access the PIX Firewall console does not count in the number of TCP connections. You can see how many TCP connections are in use on the firewall with the show conn command, and you can view the total number of connections in your license with the show actkey command.

For example, if a user is running FTP, Telnet, and Netscape Navigator, the user can be using from three to seven simultaneous TCP connections depending on whether Netscape Navigator is loading a page or is done. Telnet takes a single connection, FTP takes two connections, and Netscape Navigator can open up to four connections by default while loading information. (Netscape Navigator can be set to a maximum of 8 connections.)

One application to be aware of is Microsoft's Internet Explorer for Windows 95 and Windows NT, which can use up to 20 TCP connections. One site reported running out of connections on a PIX Firewall 64-connection license with only four users using Internet Explorer. The number of connections that Internet Explorer uses is not user-configurable in the Windows version, but is in the Macintosh version, which defaults to 4 connections but can be set to a maximum of 8 connections. You can view the number of connections a Windows 95 or Windows NT system is using by entering the netstat -a command at the MS-DOS prompt.


Note   To avoid letting applications overwhelm your maximum number of connections, it is very important to always use the connection limit and embryonic limit options with the mailhost, nat, and static commands.


PIX Firewall connection options are generally sold by the type of line speed a site uses, as shown in Table 1-1, although you should also consider the number of TCP connections per application to determine how many users or hosts can access the firewall simultaneously.

Table 1-1   Connection Licenses by Line Speed

Line Speed                              Number of Connections   Number of Inside Hosts
56K frame relay or 56K leased line      64                      70 or fewer
ISDN with two B-channels, 128K to T1    256                     70 to 500
T1 line                                 16,384                  500 and higher


Selecting Connection Licenses

After you purchase new connection licenses, you are given an activation key that you enter during bootup by rebooting the firewall from floppy disk.

If you are configuring a second firewall for use with failover, ensure both units have the same number of connection licenses.