Maintenance Limitations of the PIX Firewall
9.3 Configuring the PIX as a Gateway
The PIX firewall comes standard with two switchable 10100 Megabit Ethernet cards, a serial console port, a failover control card, some required cabling and mounting parts, and possibly a secure encryption card, depending on the bundle purchased. In this section we will set up a PIX unit right out of the box, configure it for basic operation, and set up an average firewall. Beyond that, we will illustrate the setup of multiple PIX units so that they may link to one another across the Internet, thus creating a VPN. In this section, we show you how to connect to the PIX so you can configure it, how to set up your firewall on the PIX, and how to do some initial testing. Configuration of the PIX doesnt affect configuration of any other hosts on the inner or outer networks, which you can still set up using traditional rules. The configuration examples in this chapter were set up using the 4.1.6 version of the PIX operating software.9.3.1 Connecting to the PIX
Example 9-1 shows the PIX boot screen, which is sent to the console port when the unit powers on. A serial console cable, supplied with the unit, must be attached to a personal computer, and the terminal software must be configured as follows before any commands may be input into the system: • 9600 baud • 8 bits, no parity, 1 stop bit To confirm that the connections are made properly and that the terminal software is set up right, simply booting the PIX firewall should produce the output seen in Example 9-1 . Example 9-1. PIX Console Startup Screen Copyright c 1996-1998 by Cisco Systems, Inc. Restricted Rights Legend Use, duplication, or disclosure by the Government is subject to restrictions as set forth in subparagraph c of the Commercial Computer Software - Restricted Rights clause at FAR sec. 52.227-19 and subparagraph c 1 ii of the Rights in Technical Data and Computer Software clause at DFARS sec. 252.227-7013. Cisco Systems, Inc. 170 West Tasman Drive San Jose, California 95134-1706 Type ? for help armadillo 09.3.2 A Sample Configuration
The configuration of the firewall is pretty straightforward. Given our test scenario featured in Figure 9-2 , we have developed a configuration that meets those requirements. Here are the configuration parameters we entered into our PIX: 151 nameif ethernet0 outside security0 nameif ethernet1 inside security100 enable password testing password testing hostname lab-test-1 no failover names pager lines 24 syslog output 20.3 no syslog console syslog host 192.168.2.2 interface ethernet0 auto interface ethernet1 auto ip address outside 1.251.174.156 255.255.255.248 ip address inside 192.168.2.1 25.255.255.0 arp timeout 14400 global outside 1 2.241.11.249-2.241.11.251 global outside 2 2.241.11.252-2.241.11.254 nat inside 2 192.168.2.128 255.255.255.128 age 10 route outside 0.0.0.0 0.0.0.0 1.251.174.154 1 no rip outside passive no rip outside default no rip inside passive no rip inside default timeout xlate 24:00:00 conn 12:00:00 udp 00:02:00 timeout rpc 00:10:00 h323 00:05:00 uauth 00:05:00 no snmp-server location no snmp-server contact snmp-server community public telnet 192.168.2.2 255.255.255.255 mtu outside 1500 mtu insde 1500 The two nameif commands assign short names to the two interfaces: outside and inside . Then, the two interface commands define the speed at which the interfaces operate. We used the auto keyword to have the hardware automatically sync to the Ethernet it is attached to. The ip address commands use the assigned names to establish the network configuration for the internal and external networks. The internal network we chose was part of the unroutable RFC 1918 network 192.168.0.0, which is traditionally used for hosts requiring Network Address Translation NAT on an interior network protected by a firewall such as the PIX. As Figure 9-1 depicts, we dont have an internal router. The network that we used for testing was very small and an internal router was not necessary. You can see this in the configuration by studying the route command entry, which points the default route 0.0.0.0 to the gateway to which the PIX would send external traffic 1.251.174.154. Logically enough, you are always required to specify an outside router. The rip command sets whether the PIX should or should not broadcast default routing information using the RIP protocol to either the inside or outside interface. Our sample configuration disables all RIP route propagation since we had such a small example. Should you have an internal router that extends the network to other locations, you would need to set the default internal route mentioned above to the router responsible for accessing the rest ofParts
» Virtual Private Networks 2nd 1999
» How VPNs relate to Intranets
» What Are We Protecting with Our VPN?
» Firewalls How VPNs Solve Internet Security Issues
» Authentication How VPNs Solve Internet Security Issues
» Encryption How VPNs Solve Internet Security Issues
» Tunneling How VPNs Solve Internet Security Issues
» A Note on IP Address and Domain Name Conventions Used in This Book
» Packet restriction or packet filtering routers
» Bastion host What Types of Firewalls Are There?
» DMZ or perimeter zone network
» Proxy servers What Types of Firewalls Are There?
» A Brief History of Cryptography
» Cryptography: How to Keep a Secret
» Cryptography in Network Communications
» Hash algorithms Cryptographic Algorithms
» Secret key systems Cryptographic Algorithms
» Public key cryptosystems Cryptographic Algorithms
» Use of Cryptosystems and Authentication in a VPN
» ESP Encapsulating Security Payload
» AH Authentication Header VPN Protocols
» Internet Key Exchange, ISAMKPOakley
» ISO X.509 v.3 Digital Certificates
» LDAP Lightweight Directory Access Protocol Radius
» PPTP Point-to-Point Tunneling Protocol
» Basic Firewalling Methodologies for Compromising VPNs
» Ciphertext-only attack Cryptographic Assaults
» Known plaintext attack Cryptographic Assaults
» Chosen plaintext attack Cryptographic Assaults
» Chosen ciphertext attack Cryptographic Assaults
» Brute force attacks Cryptographic Assaults
» Password guessers and dictionary attacks
» Social engineering Cryptographic Assaults
» Address spoofing Network Compromises and Attacks
» Session hijacking Network Compromises and Attacks
» Man-in-the-middle attack Network Compromises and Attacks
» Replay attack Network Compromises and Attacks
» Detection and cleanup Network Compromises and Attacks
» Patents and Legal Ramifications
» General WAN, RAS, and VPN Concepts
» Telco Small to Medium Solutions
» Security, scalability, and stability
» Hardwaresoftware Small to Medium Solutions
» Administration Small to Medium Solutions
» Hardwaresoftware Administration Security, scalability, and stability
» Differences Between PPTP, L2F, and L2TP
» Dialing into an ISP That Supports PPTP
» Dialing into an ISP That Doesnt Support PPTP
» Where PPTP Fits into Our Scenario
» The encapsulation process Dissecting a PPTP Packet
» Accept encrypted authentication RAS authentication methods
» Accept Microsoft encrypted authentication
» Accept any authentication, including clear text
» Data encryption PPTP Security
» Availability Features of PPTP
» Easy Implementation Features of PPTP
» Multiprotocol Tunneling Features of PPTP
» Ability to Use Corporate and UnregisteredIP Addresses
» Choosing the protocols to tunnel
» Choosing your authentication method
» IP address negotiation using DHCP
» Outbound authentication using PPTP filtering
» Filtering caveats PPTP Filtering
» Installing PPTP Filtering by IP Address
» Configuring Users for Dial-up Access
» Configuring PPTP for Dial-up Networking on a Windows NT Client
» Configuring PPTP for Dial-up Networking on a Windows 95 or 98 Client
» Setting up global PPTP parameters Setting up a port for PPTP
» Configuring PPTP on an Ascend MAX 4004
» Making the Calls Configuring and Testing Layer 2 Connections
» The Event Viewer Login problems
» The Dial-Up Networking Monitor
» ping and traceroute Connectivity Testing
» Fixed IP addresses How to Allow PPTP Through Firewalls
» How PPTP Can Bypass a Proxy Server
» Three-part encryption technique Security
» Support for an emerging security standard
» Support for Security Dynamics SecureID
» Accessibility Flexibility Advantages of the AltaVista Tunnel System
» Platform Limitations AltaVista Tunnel Limitations
» Extranet server System Considerations
» Telecommuter client System Considerations
» Planning How the AltaVista Tunnel Works
» AltaVista Tunnel Extranet server
» Security procedures The Guts
» AltaVista Tunnel Telecommuter Client
» Sample configuration Implementing a LAN-to-LAN Tunnel
» Tunnel server configuration Implementing a LAN-to-LAN Tunnel
» Firewall configuration Host configuration
» Sample configuration Implementing Single Connections-to-LAN Tunnels
» Tunnel server configuration Implementing Single Connections-to-LAN Tunnels
» Firewall configuration Implementing Single Connections-to-LAN Tunnels
» Local host configuration Implementing Single Connections-to-LAN Tunnels
» Remote PC configuration Implementing Single Connections-to-LAN Tunnels
» Sample configuration Implementing PC-to-WAN Tunnels
» Tunnel server configuration Implementing PC-to-WAN Tunnels
» Tracing the packets Implementing PC-to-WAN Tunnels
» Preparing to Install Installing the AltaVista Tunnel
» Windows NT 4.0 Installing the AltaVista Tunnel Extranet Serverfor Windows NT
» Installing the AltaVista Tunnel Telecommuter Client for Windows
» Installing the AltaVista Tunnel Telecommuter Client for MacOS
» Initial configuration Adding Routes and Dynamic Addresses
» Managing routes and dynamic IPs
» Group configuration Adding Tunnel Groups
» Tunnel client information Adding Tunnel Groups
» Tools for Tunnel Management Changing Port Settings
» Rekey Interval and Minimum Encryption Settings
» Configuring Unix-to-Windows NT Tunnel Connections
» Getting Busy Configuring the AltaVista Telecommuter Client
» Tunnel Server and Client Configuration Checks
» Local Network and Internet Gateway Configuration Checks
» Encryption Capabilities The SSH Software
» Useful sshd parameters for our purposes
» Understanding SSH authentication ssh
» Useful ssh parameters for our purposes
» The VPN Components Creating a VPN with PPP and SSH
» Setting up the master and slave Linux systems
» Creating a user account on the slave
» Setting up SSH authentication
» Configuring sudo on the slave
» Putting pty-redir on the master
» Setting up the slaves scripts
» Testing the Connection Creating a VPN with PPP and SSH
» A Performance Evaluation Creating a VPN with the Unix Secure Shell
» ISP Assigned Addresses Global Pool
» Hardware solution Advantages of the PIX Firewall
» Superior to Unix and other router firewalls
» Single point of controlfailure
» Dynamic address translation Advantages of the PIX Firewall
» PIX acts like a proxy server
» Ease of configuration and maintenance
» High-speed access Advantages of the PIX Firewall
» Links Advantages of the PIX Firewall
» Hardware solution Limitations of the PIX Firewall
» Dynamic address use Limitations of the PIX Firewall
» Budgetary considerations Limitations of the PIX Firewall
» Maintenance Limitations of the PIX Firewall
» A Sample Configuration Configuring the PIX as a Gateway
» Firewall Configuration on the PIX
» debug xlate Testing, Tracing, and Debugging
» arp Testing, Tracing, and Debugging
» show interface Testing, Tracing, and Debugging
» Offering Services to the Internet Through Conduits and the static Command
» Tunneling with the link Directive
» Choosing an ISP Managing and Maintaining Your VPN
» Connectivity Problems Solving VPN Problems
» Authentication Errors Solving VPN Problems
» Routing Problems Dealing with an ISP
» Compatibility with Other Products
» Delivering Quality of Service
» Restrict What VPN Users Can Get To
» Avoid Public DNS Information for VPN Servers and Routers
» Keeping Yourself Up-to-Date Managing and Maintaining Your VPN
» Network Connections Hardware and Operating System VPN Package
» Connection Hardware and Operating System VPN Package
» Connection Hardware and Operating System
» VPN Package Remote Access Users
Show more