Wednesday, February 09, 2005

PIX Firewall-ing (Part 1)

Cisco PIX Firewall is one of the best commercial firewalls in the world. Pay attention to the word 'commercial'. I'm not comparing this expensive appliance with my beloved PF or even IP Tables; those two are free and powerful too! But like it or not, in a world where companies trust branded products and vendors, Cisco PIX really kicks in the firewall market.

Being an appliance means PIX has its own underlying operating system, and this is one of its advantages. Closed source is evil, but for PIX it means no services running by default. And since fewer people know about the PIX underlying OS, script kiddies armed with exploits for general-purpose operating systems need to work hard to find an exploit specific to PIX.
It doesn't mean PIX doesn't have any vulnerabilities. In November 2002, for example, Cisco announced vulnerabilities in ISAKMP and HTTP authentication. Not running services by default doesn't mean you won't want to enable them for your own requirements, right?

Anyway, I'm not here to curse PIX. I'm a CCIE, remember? And I make money by selling Cisco products.
Today I'm going to explain how to get a PIX firewall up and running in a few minutes. But before we start, there are some concepts that need to be noted:

PIX firewall is a stateful firewall, which means PIX tracks TCP and UDP conversations. Unlike PF, where we have to add the 'keep state' keyword, PIX does this automatically without additional configuration.

PIX distinguishes its interfaces by assigning each one a parameter called the security level.
For example, a PIX 506E with two interfaces already has, by default, the alias names 'outside' and 'inside' assigned to those interfaces. As their names suggest, the outside interface should be used to connect to whatever is outside the internal network (for example the Internet), and the inside interface should be connected to the internal network we want to protect.

Interface outside has security level 0 (least trusted) and interface inside has security level 100 (most trusted).
Traffic coming from the network connected to an interface with a higher security level can flow without any restrictions to the network connected to an interface with a lower security level. Conversely, traffic coming from the network connected to an interface with a lower security level can't flow to the network connected to an interface with a higher security level, unless we permit it explicitly using an Access Control List.

With the default configuration, the internal network should be able to reach the outside network or Internet, and traffic from the outside network or Internet should not be able to get into the internal network unless we explicitly add an access control list.
If a PIX has more than 2 interfaces, the other interfaces can have security levels between 0 and 100, and the same rule applies.
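To make the two rules above concrete (security levels decide the default direction, ACLs punch explicit holes, and the stateful tracking mentioned earlier lets replies back in), here is a toy model of that forwarding decision. It is an added example, not Cisco code or anything from the PIX OS; the interface names, levels, addresses and ACL entries are constructed sample values, and treating equal security levels like lower-to-higher (deny unless permitted) is my assumption, since the post only covers strictly higher and lower levels.

```python
"""Toy model of the PIX forwarding decision: security levels, stateful return
traffic and explicit ACL permits.  Added example, not Cisco code."""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Flow:
    src_if: str   # interface the packet arrives on
    dst_if: str   # interface it would leave on
    proto: str    # "tcp" or "udp" (the conversations PIX tracks)
    src: str      # "host:port", constructed sample values below
    dst: str      # "host:port"


@dataclass
class Pix:
    levels: dict                              # interface name -> security level 0..100
    acl: set = field(default_factory=set)     # (in_if, proto, dst) explicitly permitted
    state: set = field(default_factory=set)   # conversations already permitted

    def decide(self, f: Flow) -> str:
        """Return 'permit' or 'deny'; permitted new connections are remembered."""
        # Stateful part: the reply of a tracked conversation is always allowed,
        # no ACL needed, even though it flows lower -> higher.
        reverse = Flow(f.dst_if, f.src_if, f.proto, f.dst, f.src)
        if reverse in self.state:
            return "permit"
        higher_to_lower = self.levels[f.src_if] > self.levels[f.dst_if]
        # Assumption: equal levels are handled like lower -> higher.
        if higher_to_lower or (f.src_if, f.proto, f.dst) in self.acl:
            self.state.add(f)   # remember it so the reply can come back
            return "permit"
        return "deny"


if __name__ == "__main__":
    # Constructed sample: the default 506E layout plus a third "dmz" interface.
    pix = Pix(levels={"outside": 0, "dmz": 50, "inside": 100})
    web = Flow("inside", "outside", "tcp", "10.0.0.5:40000", "203.0.113.10:80")
    print("inside->outside:", pix.decide(web))                      # permit
    reply = Flow("outside", "inside", "tcp", "203.0.113.10:80", "10.0.0.5:40000")
    print("reply outside->inside:", pix.decide(reply))              # permit (state)
    probe = Flow("outside", "inside", "tcp", "198.51.100.7:5555", "10.0.0.5:22")
    print("unsolicited outside->inside:", pix.decide(probe))        # deny
    pix.acl.add(("outside", "tcp", "192.0.2.8:80"))                 # explicit hole
    srv = Flow("outside", "dmz", "tcp", "198.51.100.7:5555", "192.0.2.8:80")
    print("ACL-permitted outside->dmz:", pix.decide(srv))           # permit
```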

Enough talking, let's configure one Cisco PIX 506E. This is one of the cheapest Cisco PIX firewalls available and can have only 2 interfaces maximum. You need to get a Cisco PIX for sure. I'm not interested in hearing where you got it; just take it out of the box and switch it on.

After we boot our brand new PIX, we'll end up at the “(firewall_name)>” prompt. This is what Cisco calls the user mode prompt. The commands we can execute here are limited; just type “?” to see the available commands.

(By the way, I assume you guys are a bit familiar with basic Cisco commands and the OS. To connect to a brand new Cisco device without configuration, you must use a Cisco console cable: a roll-over cable with a serial port on one end and a normal RJ45 ethernet plug on the other end. So connect the serial port to your PC COM port, and the RJ45 plug to the 'console' port on the Cisco. Then use a serial console terminal such as HyperTerminal in Window$, or minicom, tip, zmodem etc. in *nix. Just remember to set the speed to 9600.)

The first thing we need to do is check the hardware capabilities using the “show version” command:
pixfirewall>show version

From the show version output, we can get the following information:
- PIX OS version number
- PIX Device Manager (web based administration tool) version number
- System uptime
- Hardware information such as CPU and flash drive size... see, the PIX 506 is only a crap Pentium II 300 MHz with 32 MB RAM. So much for a thousand bucks, huh?
- Number of interfaces and interface names
- Licensed features such as failover, encryption for VPN (DES/3DES), and the maximum number of interfaces we can have in total
- Serial number, needed to generate the activation key
- Running activation key
- Last configuration modification, when and by whom

Remember, PIX is a commercial product that works on licenses, so if you don't see a feature you need (such as 3DES or failover), then you need to buy an upgrade license and generate a new activation key using the serial number of the firewall.

(To be continued in part 2)
