Offering Services to the Internet Through Conduits and the static Command

The static command merely assigns a fixed address so that the mail server won't continually get a NAT-assigned address from the pool. It is difficult to send mail to a machine whose address is always changing. The mailhost command is a variant of the conduit command that allows incoming port 25 traffic to the static translation slot assigned to the mail server at 192.168.2.3. It differs from conduit in that it actually inspects the SMTP command and arguments being passed to the mail server and allows only the most basic of them (HELO, MAIL, RCPT, DATA, RSET, NOOP, or QUIT), thereby reducing the threat of an outsider sending unwanted commands in an attempt to compromise the machine.

Now let's assume that we have a web server that we want to assign a fixed address to and create a conduit for, much like the mail host in the previous example. We would perform essentially the same tasks to allow only port 80 traffic to the unit:

    static 2.241.11.257 192.168.2.99
    conduit inside, outside 2.241.11.257 80 tcp 0 0

The 0 0 at the end is PIX shorthand for network 0.0.0.0 with mask 0.0.0.0, that is, the default network matching every source. Hence, this pair of commands allows any host anywhere on the outside interface to come in through the PIX using only TCP port 80, and only to the address 2.241.11.257, which is statically linked to the internal host 192.168.2.99.
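The following is an added example, not PIX code and not from the book: a small Python model of what the static/conduit pair above does to a packet arriving on the outside interface (the global address is matched against a static slot, then a conduit must match the protocol, port and source network, with "0 0" expanded to 0.0.0.0/0.0.0.0), plus the verb filter that the mailhost variant applies to SMTP commands, using the verb list given in the text. The configuration text, the global addresses (documentation-range placeholders, since the book's 2.241.11.257 is not a valid IPv4 address) and the packets are constructed.

```python
"""Model of PIX 'static' + 'conduit' admission and the 'mailhost' SMTP verb filter.
Added example; not Cisco code. Configuration and addresses are constructed."""
from dataclasses import dataclass
from ipaddress import ip_address


@dataclass(frozen=True)
class Static:
    global_addr: str   # address presented on the outside interface
    local_addr: str    # inside host the global address is fixed to


@dataclass(frozen=True)
class Conduit:
    global_addr: str
    port: int
    proto: str
    src_net: str
    src_mask: str


def _ip(addr: str) -> int:
    return int(ip_address(addr))


def pix_net(net: str, mask: str):
    """Expand the PIX shorthand '0 0' into 0.0.0.0 / 0.0.0.0 (match every source)."""
    return ("0.0.0.0" if net == "0" else net, "0.0.0.0" if mask == "0" else mask)


def in_net(addr: str, net: str, mask: str) -> bool:
    """Classic masked comparison: (addr & mask) == (net & mask)."""
    return _ip(addr) & _ip(mask) == _ip(net) & _ip(mask)


def parse_config(text: str):
    """Parse 'static <global> <local>' and
    'conduit <in>, <out> <global> <port> <proto> <net> <mask>' lines."""
    statics, conduits = [], []
    for line in text.strip().splitlines():
        words = line.replace(",", " ").split()
        if words[0] == "static":
            statics.append(Static(words[1], words[2]))
        elif words[0] == "conduit":
            # words[1], words[2] are the interface pair (inside, outside)
            conduits.append(Conduit(words[3], int(words[4]), words[5],
                                    *pix_net(words[6], words[7])))
    return statics, conduits


def evaluate_inbound(src, dst, proto, dport, statics, conduits):
    """Decide what the PIX does with a packet arriving on the outside interface.
    Returns ('allow', inside_host) or ('deny', reason)."""
    static = next((s for s in statics if s.global_addr == dst), None)
    if static is None:
        return ("deny", "no static translation for %s" % dst)
    for c in conduits:
        if (c.global_addr == dst and c.proto == proto and c.port == dport
                and in_net(src, c.src_net, c.src_mask)):
            return ("allow", static.local_addr)
    return ("deny", "no conduit permits %s/%d to %s" % (proto, dport, dst))


# The mailhost variant additionally inspects the SMTP verb (list from the text).
MAILHOST_VERBS = {"HELO", "MAIL", "RCPT", "DATA", "RSET", "NOOP", "QUIT"}


def mailhost_permits(smtp_line: str) -> bool:
    """True if the SMTP command line would be passed through to the mail server."""
    verb = smtp_line.strip().split(" ", 1)[0].upper()
    return verb in MAILHOST_VERBS


# Constructed configuration; 203.0.113.0/24 is a documentation range.
CONFIG = """
static 203.0.113.99 192.168.2.99
conduit inside, outside 203.0.113.99 80 tcp 0 0
"""

if __name__ == "__main__":
    statics, conduits = parse_config(CONFIG)
    print(evaluate_inbound("198.51.100.7", "203.0.113.99", "tcp", 80, statics, conduits))
    print(evaluate_inbound("198.51.100.7", "203.0.113.99", "tcp", 22, statics, conduits))
    print(mailhost_permits("HELO mail.example.org"), mailhost_permits("HELP"))
```

One caveat the model makes visible: with the verb list exactly as the text gives it, EHLO (the ESMTP greeting) is not among the permitted commands, so a filter built strictly from that list would reject it.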

9.4.2 Tunneling with the link Directive

The most stellar application of the PIX firewall is to create a ready-made tunnel. To create a virtual private network per the guidelines detailed in this book, a private encrypted tunnel needs to be created between two separate sites. The PIX firewall, in addition to its deployment as a packet restriction firewall and a dynamic translation mechanism, can also be used in this capacity through the link command. Of course, at least two PIX units are required to create the link. The link command establishes an encrypted link between two PIX units, thus letting the two sites carry on secure communications over their outside networks. Currently, you can link together up to 64 different PIX firewall sites in this fashion. Cisco calls this security mechanism the private link feature; it requires the installation of a separate encryption card in the PIX unit, along with the appropriate PIX software. All PIX firewalls that you intend to use for tunnels must be installed with both of these components.

The private link operates by scanning packets that arrive at its inside interface. Packets that match the PIX's list of link path configurations are encrypted and encapsulated in a UDP frame, then sent off across the outside interface. The PIX uses UDP port 1123 to exchange its private link information. When the encrypted bundle arrives at the destination unit, the packet is unwrapped, decrypted, and forwarded on to the inside interface.

As an example using our networks, let's assume that we added another PIX firewall to our San Francisco office. The networks the service provider allocated were 5.182.95.248/29 for the outside interface and 6.242.188.0/24 for the global pool. Our administrator in San Francisco decided to assign the address 5.182.95.250 to the PIX's outside interface. The configuration of the rest of the machine is similar to the first site we discussed.

In the configuration example below, we link together the two PIX units using their outside Ethernet interfaces with a special secret key shared by both systems. Here are the commands we would enter on the PIX that we originally set up:

    link 5.182.95.250 1 A6B5C02
    link path 6.242.188.0 255.255.255.0 5.182.95.250

Here are the commands for the new San Francisco PIX:

    link 1.251.174.156 1 A6B5C02
    link path 192.168.2.0 255.255.255.0 1.251.174.156

The link command itself is used to associate one PIX unit with another, and also serves to set the key that the two units will use to encrypt and decrypt packets. The link path command explicitly tells the PIX that packets destined for an internal network behind a friendly PIX should not be forwarded or translated as other packets are, but instead encrypted and tunneled. As you can see, setting up multiple PIX units in a large array is very simple. By duplicating the pair of commands above for every private link communication channel the PIX has, an administrator can simply and easily add, change, or remove whole tunneled sites. The PIX's encryption, which uses a separate piece of hardware, is currently restricted to a key size of 56 bits. Although no official announcement has been made, it is our guess that Cisco will provide a beefier version of its encryption card for those most paranoid about security, and for those with ultra-sensitive data to share and protect.
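As an added example, not Cisco's implementation and not from the book, the Python model below shows the decision the private link makes on a packet leaving the inside interface: if the destination falls inside a configured link path, the packet is wrapped in a UDP frame to port 1123 addressed to the peer PIX and tagged with that link's key id; otherwise it goes through the normal translation path. The link and link path lines are the ones given above for the original PIX (outside address 1.251.174.156); the packet contents are constructed, and the "encryption" step is an XOR stand-in labelled as such, standing where the hardware card's 56-bit cipher would be.

```python
"""Model of the PIX private-link routing decision (link / link path).
Added example; not Cisco code. The scramble step is a placeholder, not a cipher."""
from dataclasses import dataclass
from ipaddress import ip_address

PRIVATE_LINK_PORT = 1123   # UDP port the PIX uses for private-link traffic (from the text)


@dataclass(frozen=True)
class Link:
    peer: str      # outside address of the friendly PIX
    key_id: int
    key: str       # shared secret configured on both units


@dataclass(frozen=True)
class LinkPath:
    net: str       # network reachable only through the tunnel
    mask: str
    peer: str


def _ip(addr: str) -> int:
    return int(ip_address(addr))


def in_net(addr: str, net: str, mask: str) -> bool:
    return _ip(addr) & _ip(mask) == _ip(net) & _ip(mask)


def parse_links(text: str):
    """Parse 'link <peer> <key-id> <key>' and 'link path <net> <mask> <peer>' lines."""
    links, paths = {}, []
    for line in text.strip().splitlines():
        w = line.split()
        if w[:2] == ["link", "path"]:
            paths.append(LinkPath(w[2], w[3], w[4]))
        elif w[0] == "link":
            links[w[1]] = Link(w[1], int(w[2]), w[3])
    return links, paths


def placeholder_scramble(payload: bytes, key: str) -> bytes:
    """Stand-in for the encryption card: XOR with the key bytes. NOT real cryptography;
    it only lets the round trip be checked. Applying it twice restores the input."""
    k = key.encode()
    return bytes(b ^ k[i % len(k)] for i, b in enumerate(payload))


def route_outbound(src, dst, payload: bytes, links, paths, my_outside):
    """Return ('tunnel', udp_frame) when a link path covers dst, else ('translate', None).
    The frame is the encapsulation the text describes: UDP to port 1123 on the peer."""
    for p in paths:
        if in_net(dst, p.net, p.mask):
            link = links[p.peer]
            inner = f"{src}>{dst}:".encode() + payload   # original packet, carried inside
            frame = {
                "src": my_outside,
                "dst": p.peer,
                "proto": "udp",
                "dport": PRIVATE_LINK_PORT,
                "key_id": link.key_id,
                "payload": placeholder_scramble(inner, link.key),
            }
            return ("tunnel", frame)
    return ("translate", None)


def unwrap(frame, links) -> bytes:
    """What the receiving PIX does: look up the key for the sending peer and unwrap."""
    link = links[frame["src"]]
    return placeholder_scramble(frame["payload"], link.key)


# Configuration of the original PIX, as given in the text.
ORIGINAL_PIX = """
link 5.182.95.250 1 A6B5C02
link path 6.242.188.0 255.255.255.0 5.182.95.250
"""
MY_OUTSIDE = "1.251.174.156"

if __name__ == "__main__":
    links, paths = parse_links(ORIGINAL_PIX)
    print(route_outbound("192.168.2.3", "6.242.188.10", b"hello", links, paths, MY_OUTSIDE))
    print(route_outbound("192.168.2.3", "198.51.100.5", b"hello", links, paths, MY_OUTSIDE))
```

The unwrap side is shown against the same key table only for symmetry; on the real San Francisco unit the peer entry would be the `link 1.251.174.156 1 A6B5C02` line from its own configuration.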