A Performance Evaluation Creating a VPN with the Unix Secure Shell

In our test, we transferred a 7 MB compressed binary file using the FTP protocol. We first did it ten times with just straight FTP to get a baseline. Next, we set up the VPN and did it with no encryption for ten trials. Finally, we performed ten trials each on three different ciphers: IDEA, Blowfish, and 3DES. The highest and lowest numbers were thrown out for each type of transfer, and an average was taken. We didn't test DES or arcfour, since they're disabled by default and aren't recommended by SSH's authors. Table 8-1 shows the results of the test in the average amount of kilobytes per second transferred and the average percent efficiency versus plain FTP. The fourth column is the percent efficiency versus a VPN with no encryption. The term VPN just describes the PPP connection through SSH, with the type of encryption used in parentheses.

Table 8-1. VPN Performance Showing Average Kbytes/Second Transferred and Percent Efficiency

Connection Type (encryption type)   Kilobytes/second   Efficiency vs. Plain FTP (%)   Efficiency vs. VPN with no Encryption (%)
Plain FTP (none)                    480                —                              233
VPN (none)                          206                43                             —
VPN (Blowfish)                      174                36                             85
VPN (IDEA)                          124                26                             60
VPN (3DES)                          96                 20                             47

As you can see, the VPN connection of just PPP through SSH causes a considerable amount of performance degradation. This performance degradation is due to just the PPP and SSH protocols' overhead. It's interesting to note that, overall, adding encryption to the connection doesn't cause that much of an additional bottleneck. Obviously, though, some ciphers are more efficient than others, with Blowfish edging out over IDEA, and leaving 3DES in the dust. [1]

[1] Note that the percentage efficiencies versus no encryption that we calculated in our test are roughly equal to the percentages given by the SSH authors in the README.CIPHERS file that comes with the SSH distribution.
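
The measurement procedure above (ten trials per connection type, discard the highest and lowest, average the rest, then express each average as a percentage of plain FTP and of the unencrypted VPN) is easy to get subtly wrong when done by hand, especially the rounding. The following script is an added example, not code from the book; the per-trial KB/s samples in `TRIALS` are constructed values, not the authors' raw measurements, chosen so that the trimmed averages reproduce the figures in Table 8-1. The function names (`trimmed_mean`, `efficiency_table`, `throughput_kbps`) are this example's own.

```python
"""Trimmed-mean throughput and efficiency table for VPN cipher benchmarks."""
from statistics import mean

# Size of the benchmark's test file: 7 MB, expressed in kilobytes.
FILE_SIZE_KB = 7 * 1024

# Constructed per-trial throughput samples (KB/s), ten trials per connection
# type. These are NOT the book's raw measurements; the values were chosen so
# that, after discarding the high and low trial, the averages match Table 8-1.
TRIALS = {
    "Plain FTP (none)": [455, 470, 475, 478, 480, 480, 482, 484, 491, 510],
    "VPN (none)":       [190, 200, 203, 204, 206, 206, 208, 209, 210, 230],
    "VPN (Blowfish)":   [160, 170, 172, 173, 174, 174, 175, 176, 178, 195],
    "VPN (IDEA)":       [110, 120, 122, 123, 124, 124, 125, 126, 128, 140],
    "VPN (3DES)":       [85, 92, 94, 95, 96, 96, 97, 98, 100, 110],
}


def throughput_kbps(file_size_kb, elapsed_seconds):
    """Convert per-trial elapsed transfer times (seconds) into KB/s samples."""
    return [file_size_kb / t for t in elapsed_seconds]


def trimmed_mean(samples):
    """Discard the single highest and lowest sample, then average the rest."""
    if len(samples) < 3:
        raise ValueError("need at least 3 samples to discard high and low")
    ordered = sorted(samples)
    return mean(ordered[1:-1])


def efficiency_table(results, baseline="Plain FTP (none)", reference="VPN (none)"):
    """Map each connection label to (avg KB/s, % of baseline, % of reference).

    The baseline row has no baseline percentage and the reference row has no
    reference percentage (both None), matching the dashes in Table 8-1.
    Percentages are computed from the unrounded averages, then rounded,
    which is why 174/206 reports as 85 rather than 84.
    """
    averages = {label: trimmed_mean(samples) for label, samples in results.items()}
    base = averages[baseline]
    ref = averages[reference]
    table = {}
    for label, avg in averages.items():
        vs_base = None if label == baseline else round(100 * avg / base)
        vs_ref = None if label == reference else round(100 * avg / ref)
        table[label] = (round(avg), vs_base, vs_ref)
    return table


def format_table(table):
    """Render the efficiency table as aligned text, with '-' for blank cells."""
    def cell(value):
        return "-" if value is None else str(value)

    lines = [f"{'Connection':<20}{'KB/s':>8}{'vs FTP %':>10}{'vs VPN %':>10}"]
    for label, (avg, vs_base, vs_ref) in table.items():
        lines.append(f"{label:<20}{avg:>8}{cell(vs_base):>10}{cell(vs_ref):>10}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(format_table(efficiency_table(TRIALS)))
```

To use it with your own measurements, time each transfer and feed the elapsed seconds through `throughput_kbps`; the trimming step matters because a single stalled trial (a TCP retransmit burst, a disk cache miss) would otherwise drag a ten-sample average down by several percent and make a cipher look slower than it is.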

Chapter 9. The Cisco PIX Firewall

One of the most efficient and convenient options when creating a VPN is to install a network security device on your perimeter network to provide LAN-to-LAN tunneling, roaming, and authentication. Already, the major routing and network vendors have their own offerings in the field. In this chapter we will delve into the configuration of the Cisco PIX firewall product to give you an idea of how these devices are used and what benefits you can expect to gain from using them. We chose the Cisco PIX product because it was one of the first entrants into the market, it was backed by one of the largest and most trusted vendors, Cisco Systems, and we started work on this book at a time when integrated VPN products were few and far between and IPSec was not even fully formed by the IETF (the Internet Engineering Task Force).

9.1 The Cisco PIX Firewall

The PIX provides three basic VPN requirements: it separates the packet filtering functions from the main gateway router, it dynamically shares a pool of Internet addresses among many internal users, and several PIX units can be combined to create a VPN tunnel session between sites. In this chapter we will explore how the PIX firewall can be used in your network, and we will cover some basic installation and configuration techniques. The PIX has two Ethernet ports: one for the internal or private network and one for the external or public network, which is normally the Internet. The PIX uses two Intel 10/100 Ethernet cards to handle high-capacity sites. It is essentially like other Cisco router products, although it does not run Cisco's popular IOS operating system. The PIX can also be deployed redundantly to create a fail-safe router, so that a failure in one PIX automatically causes a transfer of traffic to the other. The PIX provides firewall protection by completely isolating the private or internal network from an outside one. The internal network uses private addresses, such as those in the 192.168.n.n range defined by RFC 1918, and the PIX translates them dynamically to a range of external addresses used on the Internet using NAT (Network Address Translation). More current information about the Cisco PIX firewall can be reviewed at http://www.cisco.com/warp/public/751/pix .

9.2 The PIX in Action

Figure 9-1 is a diagram of where to install the PIX firewall on a standard network topological map.

Figure 9-1. A typical PIX firewall setup

Functionally, the PIX firewall is set up much like a packet filtration router. The two Ethernet interfaces are labeled outside and inside for the two networks that you will need to connect it to. In Figure 9-1, the PIX firewall is situated on the perimeter network between the internal router and the external router. You will notice that the only machine connecting both networks is the PIX firewall. By funneling traffic through the PIX, you can construct an effective security gateway. For the purpose of illustrating some of the sample configurations in this chapter, we will assume that the topology of our network looks like the one depicted in Figure 9-2.