Cisco PIX. Upgrade-Workshop PixOS 7. Dipl.-Ing. Karsten Iwen CCIE #14602 (Seccurity)

Transcription

1 Cisco PIX Upgrade-Workshop PixOS March, 2007

2 Agenda Basics Access-Control Inspections Transparent Firewalls Virtual Firewalls Failover VPNs

3 Sec. 6-5 P. 343 Modular Policy Framework MPF enhanced Application Inspections HTTP-Inspection FTP-Inspection ICMP-Inspection (E)SMTP-Inspection default-inspections

4 PixOS 6 fixups control the application-inspection fixup protocol ftp [strict] [port] fixup protocol http [port[-port]] fixup protocol smtp [port[-port]]

5 PixOS 7 - MPF Application-inspections are controlled with the MPF (Modular Policy Framework) which is similar to the MQC (Modular QoS CLI) in IOS. 1. Define a class of traffic which should be inspected 2. Define a policy with actions for the trafficclass 3. Apply the policy to an interface

6 1. Define a traffic-class; the class-map class-map class-map-name match port {tcp udp} {eq port range start end} match access-list acl-name match precedence value1 [value2 [value3 [vlaue4]]] match dscp value1 [value2... [value8]] match rtp starting-port range match tunnel-group name match any

7 2. Define a policy for the traffic-class(es), the policy-map In the policy it is possible to apply application inspection engines set connection limits adjust TCP-parameters limit the bandwidth used provide priority handling

8 define an application-inspection policy-map policy-map-name class class-map-name inspect ftp inspect http class class-map-name inspect sip inspect skinny...

9 set connection limits policy-map policy-map-name class class-map-name set connection timeout embryonic hh:mm:ss half-closed hh:mm:ss tcp hh:mm:ss set connection conn-max max embryonic-conn-max max random-sequence-number {enable disable}

10 adjust TCP-parameters first define a tcp-map with various TCP-parameters (selection): tcp-map tcp-map-name exceed-mss {allow drop} syn-data {allow drop} urgent-flag {allow clear} then attach the tcp-map to the policy-map: policy-map policy-map-name class class-map-name set connection advanced-options tcp-map-name

11 limit the bandwidth used policy-map policy-map-name class class-map-name police conform-rate [burst-bytes] conform-action {drop transmit} exceed-action {drop transmit}

12 provide priority handling (QoS, LLQ) policy-map policy-map-name class class-map-name priority by default, only a BEQ is enabled, for LLQ to work, the priority-queue has to be enabled: priority-queue interface-name

13 3. apply the policy-map to an interface service-policy policy-map {global interface ifname}

14 PixOS enhanced Inspections an enhanced inspection (aka deep inspection) can be configured for some protocols (http, ftp, snmp, mgcp, gtp) 1. Configure an inspection-map with parameters to check 2. add the inspection-map to the applicationinspection in the policy-map

15 PixOS 7 enhanced http-inspection 1. define the http-map and add checks: check the message content length http-map http-map-name content-length {[min minimum] [max maximum]} action {allow drop reset} [log] verify the message content type: http-map http-map-name content-type-verification [match-req-rsp] action {allow drop reset} [log]

16 check the header length http-map http-map-name max-header-length {[request length] [response length]}action {allow drop reset} [log] check URI-length: http-map http-map-name max-uri-length length action {allow drop reset} [log]

17 check for HTTP port cloaking http-map http-map-name port-misuse {default im p2p tunneling} action {allow drop reset} [log] PixOS 7 can detect the following misuses: im - Yahoo Messenger p2p - Kazaa, Gnutella tunneling - HTTPort/HTTHost, GNU Httptunnel, GotoMyPC, Firethru Fire Extinguisher, Http-tunnel.com Client

18 check the HTTP request method: http-map http-map-name request-method {rfc ext} {method default} action {allow drop reset} [log] Example: Allow RFC, but deny connect http-map BlockConnect request-method rfc connect action reset log request-method ext default action reset

19 check for RFC 2616 compliance http-map http-map-name strict-http action {allow drop reset} [log] check the transfer encoding type: http-map http-map-name transfer-encoding type {type default} action {allow drop reset} [log]

20 2. attach the inspection-map to a policy: http-map http-map-name... policy-map policy-map-name class class-map-name inspect http http-map-name

21 PixOS 7 enhanced ftp-inspection 1. define the ftp-map and add checks: deny specific FTP commands ftp-map ftp-map-name deny-request-cmd request-list Example: A client is not allowed to delete files or directories on the server ftp-map blockdelete deny-request-cmd dele rmd

22 mask the syst-command ftp-map ftp-map-name mask-syst-reply

23 2. attach the inspection-map to a policy: ftp-map ftp-map-name... policy-map policy-map-name class class-map-name inspect ftp strict ftp-map-name

24 PixOS 7 enhanced icmp-inspection in PixOS 6 ICMP was not inspected statefully PixOS 7 has an inspection-engine for ICMP policy-map policy-map-name class class-map-name inspect icmp the payload of icmp error-messages can also be translated: policy-map policy-map-name class class-map-name inspect icmp error

25 PixOS 7 enhanced smtp-inspection PixOS 6 only has an inspection-engine for SMTP. The allowed commands are HELO, MAIL, RCPT, DATA, RSET, NOOP, and QUIT. PixOS 7 has an inspection-engine for (E)SMTP. This engine adds support for the commands AUTH, DATA, EHLO, ETRN, SAML, SEND, SOML and VRFY. policy-map policy-map-name class class-map-name inspect esmtp

26 PixOS 7 default-inspection Some traffic is inspected on their defaultports: class-map inspection_default match default-inspection-traffic

27 with a default-policy policy-map global_policy class inspection_default inspect dns maximum-length 512 inspect ftp inspect h323 h225 inspect h323 ras inspect http inspect netbios inspect rsh inspect rtsp inspect skinny inspect esmtp inspect sqlnet inspect sunrpc inspect tftp inspect sip inspect xdmcp

28 the default-policy is attached to all interfaces: service-policy global_policy global

29 The Application-Layer-Inspections were changed with 7.2: no ftp-map, no http-map any more now class-map type inspect traffic-matching with regular expressions policy-map type inspect

30 Example 7.2 FTP-Inspection: policy-map type inspect ftp mymap parameters mask-banner! class-map match-all ftp-traffic match port tcp eq ftp! policy-map ftp-policy class ftp-traffic inspect ftp strict mymap! service-policy ftp-policy interface inside

31 PIX 7.2 HTTP-Inspection, Example 1: policy-map type inspect http mymap parameters spoof-server my very secure server! policy-map global_policy class inspection_default inspect http mymap! service-policy global_policy global

32 PIX 7.2 HTTP-Inspection, Example 2: policy-map type inspect http mymap parameters class _default_gator drop-connection log class _default_yahoo-messenger drop-connection log! policy-map global_policy class inspection_default inspect http mymap! service-policy global_policy global

33 PIX 7.2 HTTP-Inspection, Example 3: class-map type regex match-any url_to_log match regex "www\.xyz.com/.*\.asp" match regex "www\.xyz[0-9][0-9]\.com"! class-map type regex match-any methods_to_log match regex "GET" match regex "PUT"! class-map type http http_url_policy match request url regex class url_to_log match request method regex class methods_to_log! policy-map type http http_policy class http_url_policy log

34 PIX 7.2 ESMTP-Inspection, Example 1: policy-map type inspect esmtp mymap match cmd verb etrn rate-limit 10! policy-map global_policy class inspection_default inspect esmtp mymap! service-policy global_policy global

35 PIX 7.2 IPSec-Pass-Through-Inspection, Example 1: access-list test-udp-acl extended permit udp any any eq 500! class-map test-udp-class match access-list test-udp-acl! policy-map type inspect IPSec-pass-thru IPsec-map parameters esp per-client-max 32 timeout 00:06:00! policy-map test-udp-policy class test-udp-class inspect IPSec-pass-thru IPSec-map