CISCO PIX Firewall and network Security Configuration Guide

Source: Internet
Author: User

With the growth of the Internet, many enterprises have built their own intranets and connected them to the Internet over a leased line. To keep the intranet secure, a dedicated firewall machine is needed to block unauthorized access. A router used as a firewall can only filter packets; it cannot hide the structure of the internal network from an intruder. As long as a computer on the external network is allowed to reach computers on the internal network directly, there is a risk that an attacker compromises one machine on the internal LAN and attacks the other computers from there.

Most dedicated firewall machines that provide proxy services are built on UNIX, and those operating systems have security flaws of their own. Cisco's PIX (Private Internet Exchange) firewall runs its own purpose-built operating system, which has proven effective at stopping attacks. The PIX needs a router to connect it to the external network, as shown in the attached diagram. It has two Ethernet interfaces: one connects to the internal LAN, the other to the external router. The outside interface owns a set of external addresses that are used for communication with the external network, while the inside network keeps addresses that fit the internal numbering scheme. The main job of the PIX is to map internal addresses to external ones whenever an internal computer needs to talk to the external network.

Once the PIX is configured, internal computers appear to the outside world to be attached directly to the PIX's outside interface. Because that interface is Ethernet, a MAC address is needed to deliver frames to each host. To make an internal host look as if it sits on the outside interface at both the data link layer and the network layer, the PIX runs proxy ARP: it answers ARP requests for the external IP addresses with its own MAC address, so at the data link layer the internal computers seem to live on the outside segment. In most cases communication with the external network is initiated from the inside. Because the PIX operates on packets rather than at the application level (which is what a proxy server does), it can track UDP sessions as well as TCP connections. When an internal computer wants to reach an external computer, the PIX records the internal source address, allocates an address from the external address pool and records the translation. This is what is usually called stateful NAT: the PIX remembers who is talking to whom and which computer initiated the conversation, and only packets from the external network that belong to a session it has already recorded are allowed into the internal network.

Sometimes, however, external computers must be allowed to initiate communication with a specific internal computer. Typical services are e-mail, WWW and FTP. For these the PIX binds an external address to an internal address with a static translation that does not expire, and the inbound traffic is then filtered in the normal way on destination address and port number. Unless the PIX itself is compromised, external users still cannot learn the internal network structure, and without that knowledge a malicious user cannot pivot from one internal host to attack the rest of the internal network.
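The stateful behaviour described in the two paragraphs above (dynamic translation from the global pool, return traffic admitted only for a recorded session, static translations that never expire, and a conduit that opens one port on a static address) can be made concrete with a small model. The code below is an added example written for this page; it is not PIX software and does not reproduce the PIX's real tables. It assumes that a static or mailhost address is never handed out from the dynamic pool, and it models mailhost as a static translation plus an SMTP conduit open to any source. The addresses are the ones from the configuration in this article; 198.51.100.0/24 and 203.0.113.0/24 stand in for Internet hosts.

```python
import ipaddress


def pool_range(first, last):
    """Expand 'first-last' into the list of global addresses, like the PIX global command."""
    a, b = int(ipaddress.IPv4Address(first)), int(ipaddress.IPv4Address(last))
    return [str(ipaddress.IPv4Address(i)) for i in range(a, b + 1)]


class PixModel:
    """Toy model of PIX stateful NAT: outbound sessions create translations,
    inbound packets need a recorded session or a conduit."""

    def __init__(self, pool, statics, conduits):
        self.statics = dict(statics)                                 # global -> local, never expires
        # Assumption of the model: addresses used by statics are not allocated dynamically.
        self.pool = [g for g in pool if g not in self.statics]
        self.conduits = conduits                                     # (global, proto, port, allowed source net)
        self.xlate = {}                                              # local -> global, dynamic
        self.conns = set()                                           # (proto, local, lport, remote, rport)

    def outbound(self, proto, src, sport, dst, dport):
        """Inside host starts a session: record it and rewrite the source address."""
        glob = next((g for g, l in self.statics.items() if l == src), None) or self.xlate.get(src)
        if glob is None:
            if not self.pool:
                raise RuntimeError("global pool exhausted")
            glob = self.pool.pop(0)
            self.xlate[src] = glob
        self.conns.add((proto, src, sport, dst, dport))
        return (proto, glob, sport, dst, dport)

    def inbound(self, proto, src, sport, dst, dport):
        """Packet arriving from the outside: returns (delivered packet or None, reason)."""
        local = self.statics.get(dst)
        if local is None:
            local = next((l for l, g in self.xlate.items() if g == dst), None)
        if local is None:
            return None, "no translation for " + dst
        if (proto, local, dport, src, sport) in self.conns:
            return (proto, src, sport, local, dport), "return traffic"
        for c_glob, c_proto, c_port, c_net in self.conduits:
            if (c_glob, c_proto, c_port) == (dst, proto, dport) and \
                    ipaddress.IPv4Address(src) in ipaddress.IPv4Network(c_net):
                return (proto, src, sport, local, dport), "conduit"
        return None, "dropped: no session and no conduit"


def build_pix():
    """The article's PIX configuration expressed in the model."""
    return PixModel(
        pool=pool_range("131.1.23.10", "131.1.23.254"),
        statics={"131.1.23.11": "10.14.8.50",     # static: management workstation
                 "131.1.23.10": "10.10.254.3"},   # mailhost, modelled as static + SMTP conduit
        conduits=[("131.1.23.11", "udp", 514, "131.1.23.1/32"),   # syslog from Rtra only
                  ("131.1.23.10", "tcp", 25, "0.0.0.0/0")],       # mail from anywhere
    )


if __name__ == "__main__":
    pix = build_pix()
    print(pix.outbound("tcp", "10.20.1.5", 40000, "198.51.100.7", 80))
    print(pix.inbound("tcp", "198.51.100.7", 80, "131.1.23.12", 40000))   # reply: accepted
    print(pix.inbound("tcp", "198.51.100.7", 4444, "131.1.23.12", 22))    # unsolicited: dropped
    print(pix.inbound("udp", "131.1.23.1", 514, "131.1.23.11", 514))      # Rtra syslog: conduit
    print(pix.inbound("udp", "203.0.113.9", 514, "131.1.23.11", 514))     # other source: dropped
```

The point of the model is the asymmetry: an outside host can only reach an inside address that was either claimed by an inside-initiated session or explicitly published with a static translation and a conduit, and even then only on the port and from the source the conduit names.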

Another key security feature of the PIX is the randomization of TCP sequence numbers. Since IP address spoofing techniques have been published, an intruder can hijack an existing TCP connection and inject his own data into computers on the internal LAN. To do that the intruder must guess the correct sequence number. With early TCP/IP stacks this was easy: the initial sequence number was taken from a simple counter that advanced by a fixed amount, so after observing one connection an attacker could predict the number the next one would use. The PIX applies a mathematical algorithm that randomizes the sequence numbers, which in practice makes it infeasible for an attacker to guess the sequence number used by a connection.
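The following is an added example (not from the article and not the PIX's algorithm, which the article does not describe) showing why a fixed-increment initial sequence number is exploitable and what randomization buys. It samples ISNs from two constructed generators, fits the "constant step" model an attacker would use against an old stack, and reports the prediction together with the spread of the observed increments: a spread near zero means the next ISN can be guessed outright, a spread on the order of 2^32 means the attacker has nothing to work with. The 64000 step, the guessing window and the seeded random generator are all assumptions made for the example.

```python
import random
import statistics

MOD = 2 ** 32


def legacy_isn_stream(start, step, n):
    """Constructed sample: the ISN advances by a fixed step per connection, as early stacks did."""
    return [(start + i * step) % MOD for i in range(n)]


def randomized_isn_stream(n, seed=7):
    """Constructed sample standing in for a randomizing firewall (seeded so the run is repeatable)."""
    rng = random.Random(seed)
    return [rng.getrandbits(32) for _ in range(n)]


def predict_next_isn(samples):
    """Attacker's model: assume a constant increment and extrapolate.
    Returns (predicted next ISN, standard deviation of the observed increments)."""
    diffs = [(b - a) % MOD for a, b in zip(samples, samples[1:])]
    step = int(statistics.median(diffs))
    spread = statistics.pstdev(diffs)
    return (samples[-1] + step) % MOD, spread


def within_window(prediction, actual, window=8192):
    """True if a blind injection aimed at 'prediction' lands inside the receiver's window (assumed size)."""
    d = (actual - prediction) % MOD
    return min(d, MOD - d) <= window


def run_demo():
    """Compare the two generators; returns (legacy_hit, legacy_spread, random_spread)."""
    legacy = legacy_isn_stream(0x12345678, 64000, 21)
    pred, legacy_spread = predict_next_isn(legacy[:20])
    legacy_hit = within_window(pred, legacy[20])
    _, random_spread = predict_next_isn(randomized_isn_stream(100))
    return legacy_hit, legacy_spread, random_spread


if __name__ == "__main__":
    print(run_demo())
```

On the legacy stream the extrapolated value is exactly the next ISN, so a spoofed segment carrying it is accepted; on the randomized stream the increments vary by roughly a billion, and the extrapolation is no better than a random guess out of 2^32.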

Configuring the PIX firewall is a fairly straightforward task: for the same level of security, a PIX configuration is much simpler than setting up a proxy server. In principle all you need to specify is the IP address and address pool for the outside, the IP address and network mask for the inside, RIP, timeouts and a few other security-related settings. A real PIX configuration is given below for reference. Because the router configuration complements the PIX in terms of security, the configurations of the two routers are listed as well. The command syntax shown (conduit, mailhost, syslog) is that of the early PIX software releases; later releases replaced conduit with access-list.

One. PIX Firewall settings

ip address outside 131.1.23.2
// outside interface address of the PIX
ip address inside 10.10.254.1
// inside interface address of the PIX
global 1 131.1.23.10-131.1.23.254
// the global address pool: outside addresses handed out for translations
nat 1 10.0.0.0
// hosts on the 10.0.0.0 network are translated to pool 1 addresses when they talk to the Internet
static 131.1.23.11 10.14.8.50
// the network management workstation always uses the fixed outside address 131.1.23.11
conduit 131.1.23.11 514 udp 131.1.23.1 255.255.255.255
// allow syslog packets (UDP 514) from router Rtra (131.1.23.1), and only from it, through the PIX to the management workstation
mailhost 131.1.23.10 10.10.254.3
// allow mail connections from the outside to the mail server via 131.1.23.10
telnet 10.14.8.50
// allow the network administrator to log in to the PIX remotely for management; telnet is cleartext, so it is limited to this one inside workstation
syslog facility 20.7
syslog host 10.14.8.50
// log every event (facility 20, level 7) to the syslog server on the network administrator's workstation

Two. Router Rtra settings

Rtra is the outer protection router. It must shield the PIX firewall from direct attack, protect the FTP/HTTP server, and act as an alarm system: if someone breaks into the router, management is notified at once.

no service tcp-small-servers
// disable the small TCP servers (echo, chargen, discard, daytime), which have been used to attack routers
logging trap debugging
// send every event on this router to the syslog server, including packets rejected by the access list and configuration changes;
// this gives the administrator early warning that someone is probing the router, or has broken into it and is attacking the firewall
logging 131.1.23.11
// the outside address of the network management workstation; the router logs all events to this host
enable secret xxxxxxxxxxx
interface ethernet 0
ip address 131.1.23.1 255.255.255.0
interface serial 0
ip unnumbered ethernet 0
ip access-group <list> in
// protects the PIX and the FTP/HTTP server and defends against spoofing (see the access list);
// <list> stands for the list number, which is missing from the listing and must match the entries below
access-list <list> deny ip 131.1.23.0 0.0.0.255 any log
// drop, and log, any packet arriving from the Internet that claims a source address belonging to Rtra, the PIX or the servers; this defeats address spoofing
access-list <list> deny ip any host 131.1.23.2 log
// block direct attacks on the outside interface of the PIX and log every attempt to reach it
access-list <list> permit tcp any 131.1.23.0 0.0.0.255 established
// allow packets belonging to TCP sessions already established from the inside;
// note that established only checks for the ACK or RST flag and keeps no state, so a forged packet with ACK set also matches
access-list <list> permit tcp any host 131.1.23.3 eq ftp
// allow FTP control connections to the FTP/HTTP server
access-list <list> permit tcp any host 131.1.23.3 eq ftp-data
// allow FTP data connections to the FTP/HTTP server
access-list <list> permit tcp any host 131.1.23.3 eq www
// allow HTTP connections to the FTP/HTTP server
access-list <list> deny ip any host 131.1.23.3 log
// refuse every other connection to the FTP/HTTP server and log the attempt
access-list <list> permit ip any 131.1.23.0 0.0.0.255
// allow the remaining traffic to the network between the PIX and Rtra (this is how the mailhost and static addresses are reached)
line vty 0 4
login
password xxxxxxxxxx
access-class <vty-list> in
// restrict the IP addresses that may log in to this router
access-list <vty-list> permit 131.1.23.11
// only the network management workstation may telnet to the router; change this list if the router is to be managed from the Internet

Three. Router RTRB settings

RTRB is the inner protection router: the last line of defence of the firewall and the gateway into the intranet.

logging trap debugging
logging 10.14.8.50
// log every event on this router, including configuration changes, to the syslog server on the network management workstation
interface ethernet 0
ip address 10.10.254.2 255.255.255.0
no ip proxy-arp
// do not answer ARP on behalf of other hosts; address mapping is the PIX's job
ip access-group <list> in
// <list> stands for the list number, which is missing from the listing and must match the entries below
access-list <list> permit udp 10.10.254.0 0.0.0.255 host 10.14.8.50 eq syslog
// allow syslog from the firewall segment to the network management workstation;
// syslog from Rtra arrives here with its original source 131.1.23.1 (the PIX rewrites only the destination), so that source needs its own entry if it is to reach the workstation
access-list <list> deny ip any host 10.10.254.2 log
// drop and log every other packet addressed to this router's interface from the PIX side
access-list <list> permit tcp host 10.10.254.3 10.0.0.0 0.255.255.255 eq smtp
// allow SMTP connections from the mail host to the internal mail servers
access-list <list> deny ip host 10.10.254.3 10.0.0.0 0.255.255.255
// and nothing else from the mail host
access-list <list> deny ip any 10.10.254.0 0.0.0.255
// refuse anything else addressed to the firewall segment itself; together with the next entry this stops spoofing of trusted internal addresses
access-list <list> permit ip 10.10.254.0 0.0.0.255 10.0.0.0 0.255.255.255
// allow all other traffic from the PIX firewall segment into the intranet; anything with a source outside 10.10.254.0/24 falls to the implicit deny
line vty 0 4
login
password xxxxxxxxxx
access-class <vty-list> in
// restrict the IP addresses that may log in to this router
access-list <vty-list> permit 10.14.8.50
// only the network management workstation may log in to this router remotely; change this list if the router is to be managed from the Internet
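To check what the two router lists above actually let through, here is an added example (written for this page, not Cisco code) that models IOS access-list evaluation: wildcard masks, first match wins, the implicit deny at the end, and established treated as "ACK or RST flag set", which is all the keyword checks. Both Rtra's inbound list and RTRB's inbound list are encoded as the article gives them (list numbers are not in the article and are not needed by the model), and the test packets are constructed, with 203.0.113.0/24 standing in for Internet hosts and 10.5.5.5 for an internal mail server.

```python
import ipaddress


def wildcard_match(addr, base, wildcard):
    """IOS wildcard masks: a 1 bit means 'ignore this bit', a 0 bit means 'must match'."""
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    return (a | w) == (b | w)


def addr_spec(spec):
    """'any', 'host A' or 'A W', as written in an access-list entry."""
    if spec == "any":
        return ("0.0.0.0", "255.255.255.255")
    parts = spec.split()
    return (parts[1], "0.0.0.0") if parts[0] == "host" else (parts[0], parts[1])


PORTS = {"ftp": 21, "ftp-data": 20, "www": 80, "smtp": 25, "syslog": 514}


def ace(action, proto, src, dst, port=None, established=False, log=False):
    """One access-list entry in the order IOS prints it."""
    return {"action": action, "proto": proto, "src": addr_spec(src), "dst": addr_spec(dst),
            "port": PORTS.get(port, port), "established": established, "log": log}


def evaluate(acl, pkt):
    """First matching entry wins; a packet matching nothing hits the implicit deny.
    Returns (action, index of the matching entry or None, whether it is logged)."""
    for i, e in enumerate(acl):
        if e["proto"] != "ip" and e["proto"] != pkt["proto"]:
            continue
        if not (wildcard_match(pkt["src"], *e["src"]) and wildcard_match(pkt["dst"], *e["dst"])):
            continue
        if e["port"] is not None and pkt.get("dport") != e["port"]:
            continue
        # 'established' only looks at the flags; the router keeps no connection state
        if e["established"] and not (pkt.get("flags", set()) & {"ACK", "RST"}):
            continue
        return e["action"], i, e["log"]
    return "deny", None, False


# Rtra: applied inbound on serial 0 (traffic from the Internet)
RTRA_IN = [
    ace("deny", "ip", "131.1.23.0 0.0.0.255", "any", log=True),         # anti-spoofing
    ace("deny", "ip", "any", "host 131.1.23.2", log=True),              # nothing to the PIX itself
    ace("permit", "tcp", "any", "131.1.23.0 0.0.0.255", established=True),
    ace("permit", "tcp", "any", "host 131.1.23.3", "ftp"),
    ace("permit", "tcp", "any", "host 131.1.23.3", "ftp-data"),
    ace("permit", "tcp", "any", "host 131.1.23.3", "www"),
    ace("deny", "ip", "any", "host 131.1.23.3", log=True),
    ace("permit", "ip", "any", "131.1.23.0 0.0.0.255"),
]

# RTRB: applied inbound on ethernet 0 (traffic from the firewall segment)
RTRB_IN = [
    ace("permit", "udp", "10.10.254.0 0.0.0.255", "host 10.14.8.50", "syslog"),
    ace("deny", "ip", "any", "host 10.10.254.2", log=True),
    ace("permit", "tcp", "host 10.10.254.3", "10.0.0.0 0.255.255.255", "smtp"),
    ace("deny", "ip", "host 10.10.254.3", "10.0.0.0 0.255.255.255"),
    ace("deny", "ip", "any", "10.10.254.0 0.0.0.255"),
    ace("permit", "ip", "10.10.254.0 0.0.0.255", "10.0.0.0 0.255.255.255"),
]


def pkt(proto, src, dst, dport=None, flags=()):
    """Constructed test packet."""
    return {"proto": proto, "src": src, "dst": dst, "dport": dport, "flags": set(flags)}


if __name__ == "__main__":
    print(evaluate(RTRA_IN, pkt("tcp", "131.1.23.50", "203.0.113.9", 80, ["SYN"])))   # spoofed source
    print(evaluate(RTRA_IN, pkt("tcp", "203.0.113.9", "131.1.23.3", 80, ["SYN"])))    # web: permitted
    print(evaluate(RTRA_IN, pkt("tcp", "203.0.113.9", "131.1.23.3", 23, ["ACK"])))    # forged ACK slips by
    print(evaluate(RTRB_IN, pkt("udp", "131.1.23.1", "10.14.8.50", 514)))             # Rtra syslog at RTRB
```

Two results are worth noticing: a packet to the FTP/HTTP server on port 23 is denied and logged when it carries SYN but is permitted by the established entry when it carries only ACK, so that entry is not a substitute for the stateful tracking the PIX does; and at RTRB a syslog datagram from Rtra (source 131.1.23.1) matches no entry and is dropped by the implicit deny, which is why the first RTRB entry has to cover that source.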

With the PIX firewall and the two routers configured as above, an attacker outside the PIX cannot find an open port on the outside connection to attach to, apart from the services deliberately exposed (FTP and HTTP on the server, mail on the mailhost address and syslog from Rtra to the fixed management address), and cannot determine the IP address of any internal host; even if he is told an internal host's address, he cannot ping it or connect to it directly.

In this way the whole intranet is effectively protected against attacks from outside.
