The Best Damn Firewall Book Period, part 4


Advanced PIX Configurations • Chapter 10

Summary

The Cisco PIX firewall is an advanced product and has many different options for supporting various application-layer protocols as well as protecting against network-layer attacks. It also supports content filtering for outbound Web access, intrusion detection, various routing options such as RIP and stub multicast routing, and DHCP server and client functionality.

Many protocols embed extra IP address information inside the exchanged packets or negotiate additional connections on nonfixed ports in order to function properly. These functions are handled by the PIX application inspection feature (also known as fixup). PIX supports FTP clients and servers in active and passive modes, DNS, RSH, RPC, SQL*Net, and LDAP protocols. It also supports various streaming protocols such as Real-Time Streaming Protocol, NetShow, and VDO Live. Another set of supported protocols includes all H.323, SCCP, and SIP, all used in VoIP applications. The PIX monitors passing packets for the embedded information and updates its tables or permits embryonic connections according to this information. It is also able to NAT these embedded addresses in several cases.

Content filtering features on the PIX can be used to enforce a company's acceptable use policy. The PIX can interface with Websense (www.websense.com) or N2H2 (www.n2h2.com) servers and deny or allow internal clients to access specific Web sites. The PIX is also able to filter out Java applets and ActiveX code from incoming Web pages to protect clients against malicious code.

For SOHO environments, the PIX firewall provides DHCP server and client functionality, although server capabilities are rather limited. The DHCP server supports a couple of specific options that are used by Cisco IP Phones. Other useful PIX features include support of stub multicast routing and PPP over Ethernet client capabilities. It also supports RIPv1 and v2, including authentication and multicast updates for v2. Finally, the PIX has embedded protection against various DoS attacks, such as SYN floods, attacks on AAA mechanisms, and excessive fragmentation. Antispoofing is supported by the reverse-path forwarding feature.

www.syngress.com 252_BDFW_ch10.qxd 9/18/03 4:55 PM Page 365

Part III • PIX Firewalls

Chapter 11: Troubleshooting and Performance Monitoring

Best Damn Topics in This Chapter:
■ Troubleshooting Hardware and Cabling
■ Troubleshooting Connectivity
■ Troubleshooting IPsec
■ Capturing Traffic
■ Monitoring and Troubleshooting Performance

Introduction

This chapter focuses on troubleshooting PIX firewalls. Once you have mastered its command syntax and basic firewall operations, the PIX is a relatively simple device to configure. Its library of commands is small compared to that of Cisco routers and switches. In previous chapters, we covered the PIX firewall in detail, from the various models in the product line to simple and advanced configurations. This book contains information on how to integrate the PIX firewall into your existing network. As good as your PIX configuration is, problems will still crop up, and you need to know how to resolve them. The purpose of this chapter is to present a methodology that you can use to attack these problems and avoid missing critical troubleshooting steps.

Hardware and cabling problems can be a bane to an otherwise well-functioning network. A hardware problem becomes apparent if you know which indicators to monitor. The limited number of cable types that the PIX supports eases our cable troubleshooting considerably. This chapter provides technical information about these cables so you can validate them.

The PIX firewall is an IP device. Granted, it is a highly specialized device that performs vital security functions, but it is still an IP device. As such, it needs to know where to send traffic. We highlight some common connectivity problems and how you can address them. A valuable function of the PIX firewall is its ability to conserve IP address space and hide network details via Network Address Translation (NAT). If you have problems with NAT, you must be able to isolate and eliminate them.

The PIX firewall provides several access control mechanisms, from simple access lists to complex conduit statements. These access mechanisms have simultaneous loose/tight properties in that certain traffic is allowed while other traffic is denied. Your troubleshooting will not only seek to resolve access problems, but also find the right balance between permitting and denying traffic.

Entire books have been written on IPsec, and for good reason. IPsec can protect your traffic from end to end without having to be implemented at every hop along the way. IPsec configuration can be complex. You must be intimately familiar with IPsec operations in order to support and troubleshoot it. This chapter covers several key aspects of IKE and IPsec to aid your monitoring and support.

Capturing network packets on the PIX firewall can enable you to troubleshoot more effectively. The PIX firewall offers several features that you can use to capture traffic for analysis and problem isolation. Available tools include native PIX commands as well as third-party tools for network capture and packet decode.

How do you know if your PIX firewall is performing as well as it should? How would you know if it was overloaded? You need to monitor firewall performance and health proactively. The goal of monitoring is to prevent minor glitches from turning into major problems. The output of your monitoring efforts can be quite dense and arcane, so you need to know how to interpret what you are monitoring.
Troubleshooting Hardware and Cabling

The most important thing to remember in troubleshooting is to tackle your problems logically so you don't miss any important components or steps. You must confirm the health of all the components that make up the firewall. When addressing PIX firewall problems, you would be best served using the OSI model to guide your efforts. This model was created to guide development efforts in networking by dividing functions and services into individual layers. Per the OSI model, peer layers communicate with each other. For example, the network layer at one host communicates with the network layer at another host.

The approach advocated in this chapter is based on the OSI model shown in Figure 11.1. Problems are tackled starting at the lowest layer, such as validating hardware and cabling at the physical layer. Only when the components at the lower layer have been validated do you turn your attention to components at a higher layer.

This chapter organizes troubleshooting efforts by the OSI model. Initial troubleshooting starts at Layer 1, the physical layer. Once all physical components have been validated, the troubleshooting focus is shifted to the data link layer components, and so on, up the OSI stack. This controlled approach ensures that we do not miss any facet of our security configuration where the problem could be.

Our first steps in troubleshooting start with physical layer issues. In the context of the PIX firewall, physical components include the firewall hardware and cabling. We start our discussion with a quick overview of the PIX firewall hardware architecture and cabling.

Figure 11.1 The OSI Model
7 Application: Provides the user/application an interface into the network.
6 Presentation: Converts and restores data in a format that can be transported between network devices. Example protocols include ASCII or EBCDIC.
5 Session: Manages and synchronizes the sessions between devices.
4 Transport: Segments and reassembles data for the Session and Network layers. Establishes connections and provides flow control.
3 Network: Addresses and routes data on a network. IP and IPX are examples of network protocols. OSPF, EIGRP, and other routing protocols operate at this layer.
2 Data Link: Assembles raw data into acceptable formats for the Physical and the Network layers. 802.3 and HDLC are example protocols.
1 Physical: Addresses details of connecting to physical media such as 10BaseT cable.
PIX components shown beside the layers, from top to bottom: Access List, Conduit, NAT/PAT/Static, Global, IPsec/VPN, Routing, Hardware, Cabling.

Troubleshooting PIX Hardware

Knowing the details of each PIX firewall model can be helpful in validating your configuration and troubleshooting. Such knowledge can quicken your problem-solving process from the onset by enabling you to determine how to interpret the symptoms you are witnessing. If you use the wrong firewall model for the wrong function, no amount of troubleshooting is going to make it work. It can be said that your troubleshooting actually starts with your network design and security planning. There are several models of the PIX firewall, each capable of supporting certain numbers and types of network interfaces. Each model has its own upper limit on the number of maximum simultaneous connections, as shown in Figure 11.1. Therefore in Table 11.1 we provide only a snapshot of each model.

Table 11.1 PIX Firewall Model Features and Capabilities

Model   Interface Types Supported                   Maximum Number of Interfaces                                            Failover Support
501     Ethernet, Fast Ethernet                     Four-port 10/100 switch; fixed 10BaseT                                  No
506E    Ethernet, Fast Ethernet                     Two fixed 10/100 Ethernet                                               No
515E    Ethernet, Fast Ethernet                     Two fixed 10/100 Ethernet; two expansion slots; maximum: six ports      Yes
525     Ethernet, Fast Ethernet, Gigabit Ethernet   Two fixed 10/100 Ethernet; four interface slots; maximum: eight ports   Yes
535     Ethernet, Fast Ethernet, Gigabit Ethernet   Nine interface slots; maximum: 10 ports                                 Yes

The Firewall Services Module (FWSM) 1.1 for the Catalyst 6500 series switches provides no physical interfaces. Instead, it provides support for up to 100 VLAN interfaces. For failover support, the FWSM has a dedicated logical interface.

It is important to know whether the PIX firewall you are using is adequate for the demands planned for it. For example, if you have a network on which 100,000 simultaneous connections will be requested through the firewall and you are using a PIX 501, the firewall will immediately become congested and be virtually unusable. In this scenario, no amount of troubleshooting and configuration will enable the PIX 501 to support the load. The capacity of each firewall model is important because it determines the load that can be placed on that firewall. Overloading your firewall is an invitation to crashes or congestion. Underloading a PIX firewall, although great for performance, can be wasteful in terms of unused capacity and monetary return on investment. For example, if you have a network on which there will never be more than 200 simultaneous connections, installing a PIX 535 means that you will not recoup your hardware or software investment, although performance will be fantastic.

The different models support different types of interfaces and in specific quantities, as shown in Table 11.1. Not shown in the table is the fact that Token Ring and FDDI are also supported by several of the models. Cisco ceased PIX firewall support for Token Ring and FDDI networks, starting with PIX software v5.3. As a rule of thumb, do not mix and match interfaces: Configure the PIX firewall as all Token Ring, all Ethernet, or all FDDI. Maintaining such network purity reduces the burden on the PIX firewall since it will not have to translate between the different LAN formats. Only models 515 and up support interfaces other than Ethernet.

The PIX firewall has a system for identifying its network interfaces, which you need to understand in order to troubleshoot the right piece of hardware. Not knowing how interfaces are enumerated and identified can consume valuable time that could otherwise be used for troubleshooting. Figure 11.2 shows how to "read" the network interface identification scheme. Interface card numbering starts with 0 at the right, with card slot numbers increasing as you go left. The slot in which the card is installed determines the number that is given to that card. Ports are numbered top to bottom, starting with 0 for the port at the top of the card. For example, the topmost port on an Ethernet interface card installed in Slot 3 would be identified as Ethernet 3/0. Fixed interfaces are first numerically starting on the right at 0, then the next fixed interface to the left is 1. The first installed network interface card would be 2 (as in Slot 2) and its topmost interface is 0. It is important that you learn this scheme not only to identify the specific cards but to also ensure that your configuration and troubleshooting efforts focus on the correct interface.

Figure 11.2 PIX Firewall Interface Numbering
PIX Models 515 and above: Slot determines the number, with lowest port number at left and increasing to the right. Ports are numbered from top, left to right, starting lowest at the topmost left. Fixed interfaces are numbered first.
PIX Models 506 and below: Fixed port configuration only! Ports are numbered low to high, right to left.

The memory architecture of the PIX firewall is somewhat similar to that of Cisco routers with the exception that there is no NVRAM memory. The PIX uses flash memory to store the firewall operating system (image) as well as the configuration file. Main memory is used to handle data being processed. As a rule of thumb, the flash memory should be big enough to hold the software image and the configuration. Of all the memory types, main memory can potentially have the most significant impact on performance since it is the working space of the firewall. Main memory is used to store data that is waiting to be processed or forwarded. You can never have too much, and you will definitely notice when you have too little, because packet loss will increase or IPsec traffic will become lossy or laggardly.

Each firewall has visual indicators of operation in the form of light-emitting diodes (LEDs). These LEDs vary by model, but some are common to all. Figure 11.3 shows several PIX firewall LEDs and their meanings. Nurturing your knowledge of these LEDs will enable you to start your Layer 1 troubleshooting from the outside. Study the information in Figure 11.3. The LEDs can be lit, unlit, or flashing, all of which indicate specific conditions. The ACT LED, since it can appear on both the front and rear of the PIX, deserves special attention. On certain models, such as the PIX 506 and 506E, the front LED flashes to indicate that the PIX software image has been loaded. When you're troubleshooting, this indicator would be sufficient to tell you if your software image has been loaded correctly or not at all. On higher-end models such as the 515 and up, the same LED indicates which PIX firewall is active and which is standby in a failover pair. This information can be very useful in determining if your failover configuration is cabled correctly.

Figure 11.3 PIX Firewall LED Indicators
100Mbps: Lit: 100Mbps. Unlit: 10Mbps.
FDX: Lit: full duplex. Unlit: half-duplex.
LINK: Lit: network is passing data. Unlit: no network traffic.
ACT (Rear): Lit: interface is passing traffic. Unlit: interface is not passing traffic.
POWER: Lit: Unit has power. Unlit: Unit has no power.
NETWORK: Flashing: > 1 interface is passing traffic. Unlit: No interfaces are passing traffic.
ACT (Front): PIX model determines meaning. Flashing: Image is loaded. Lit: Active unit in failover pair. Unlit: Standby unit in failover pair.

During the PIX boot sequence, the power-on self-test (POST) can provide a wealth of information to help determine from the onset whether the PIX firewall is healthy or ill. We use an example boot sequence (which can be seen in the following output) to guide our discussion.

    CISCO SYSTEMS PIX-501
    Embedded BIOS Version 4.3.200 07/31/01 15:58:22.08
    Compiled by morlee
    16 MB RAM
    PCI Device Table.
    Bus Dev Func VendID DevID Class Irq
    00  00  00   1022   3000  Host Bridge
    00  11  00   8086   1209  Ethernet    9
    00  12  00   8086   1209  Ethernet    10
    Cisco Secure PIX Firewall BIOS (4.2) #6: Mon Aug 27 15:09:54 PDT 2001
    Platform PIX-501
    Flash=E28F640J3 @ 0x3000000
    Use BREAK or ESC to interrupt flash boot.
    Use SPACE to begin flash boot immediately.
    Reading 1536512 bytes of image from flash.
    #########################################################################
    16MB RAM
    Flash=E28F640J3 @ 0x3000000
    BIOS Flash=E28F640J3 @ 0xD8000
    mcwa i82559 Ethernet at irq 9  MAC: 0008.e317.ba6b
    mcwa i82559 Ethernet at irq 10  MAC: 0008.e317.ba6c
                  ||        ||
                  ||        ||
                 ||||      ||||
             ..:||||||:..:||||||:..
            c i s c o S y s t e m s
           Private Internet eXchange
    Cisco PIX Firewall
    Cisco PIX Firewall Version 6.2(2)
    Licensed Features:
    Failover:           Disabled
    VPN-DES:            Enabled
    VPN-3DES:           Disabled
    Maximum Interfaces: 2
    Cut-through Proxy:  Enabled
    Guards:             Enabled
    URL-filtering:      Enabled
    Inside Hosts:       10
    Throughput:         Limited
    IKE peers:          5
    ****************************** Warning *******************************
    Compliance with U.S. Export Laws and Regulations - Encryption.
    << output omitted >>
    ******************************* Warning *******************************
    Copyright (c) 1996-2002 by Cisco Systems, Inc.
    Restricted Rights Legend
    << output omitted >>
    Cryptochecksum(unchanged): 38a9d953 0ee64510 cb324148 b87bdd42
    Warning: Start and End addresses overlap with broadcast address.
    outside interface address added to PAT pool
    Address range subnet is not the same as inside interface

The boot sequence identifies the version of the PIX operating system loaded on firmware used to initially boot. In this example, it is 4.3.200. This is important to know because this is the OS that will be used if there is no software image in flash memory. Notice that the first line identifies the model of firewall, information that can be useful if you are checking the firewall remotely. After the POST is complete, the software image installed in flash is loaded and takes over from that point, as indicated by the "Reading 1536512 bytes of image from flash" line. The PIX firewall runs its checksum calculations on the image to validate it. The OS in the firmware is also validated. This is a layer of protection against running a corrupted operating system.
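The boot transcript can be checked mechanically instead of read by eye each time a unit is rebooted or inspected remotely. The following Python script is an added example, not code from the book or from Cisco. It parses the PIX-501 boot output shown above (embedded as a string, with the PCI table and legal banners shortened, so it runs offline), extracts the model, BIOS and image versions, memory, interface MAC addresses and licensed features, and then reports the conditions this section tells you to look for: whether an image was actually read from flash (otherwise the unit is running the firmware OS, 4.3.200 here), whether the Cryptochecksum came back "unchanged", whether the loaded image is the one you expect, whether the license matches the deployment (in this transcript VPN-3DES is disabled, so only single DES is available for IPsec), whether more interfaces were detected than the license allows, and any "Warning:" lines. The line patterns are taken from this transcript only; other PIX releases may word them differently, and the checks in check_boot are the example's own choices, not a Cisco-defined list.

```python
import re

# PIX-501 boot transcript as printed in the chapter (PCI table and legal
# banners shortened), embedded so the example runs without a console.
SAMPLE_BOOT = """\
CISCO SYSTEMS PIX-501
Embedded BIOS Version 4.3.200 07/31/01 15:58:22.08
16 MB RAM
Cisco Secure PIX Firewall BIOS (4.2) #6: Mon Aug 27 15:09:54 PDT 2001
Platform PIX-501
Flash=E28F640J3 @ 0x3000000
Reading 1536512 bytes of image from flash.
16MB RAM
mcwa i82559 Ethernet at irq 9 MAC: 0008.e317.ba6b
mcwa i82559 Ethernet at irq 10 MAC: 0008.e317.ba6c
Cisco PIX Firewall Version 6.2(2)
Licensed Features:
Failover: Disabled
VPN-DES: Enabled
VPN-3DES: Disabled
Maximum Interfaces: 2
Cut-through Proxy: Enabled
Guards: Enabled
URL-filtering: Enabled
Inside Hosts: 10
Throughput: Limited
IKE peers: 5
****************************** Warning *******************************
<< output omitted >>
Cryptochecksum(unchanged): 38a9d953 0ee64510 cb324148 b87bdd42
Warning: Start and End addresses overlap with broadcast address.
outside interface address added to PAT pool
Address range subnet is not the same as inside interface
"""

FEATURE_RE = re.compile(r"^([A-Za-z][\w -]*?): (.+)$")


def parse_boot(text):
    """Extract the facts the chapter reads off the POST/boot transcript."""
    info = {"model": None, "bios_version": None, "image_version": None,
            "ram_mb": None, "image_loaded": False, "macs": [],
            "features": {}, "checksum_status": None, "warnings": []}
    in_features = False
    for line in text.splitlines():
        line = line.strip()
        if in_features:
            m = FEATURE_RE.match(line)
            if m:
                info["features"][m.group(1)] = m.group(2)
                continue
            in_features = False  # first line that is not "Key: Value" ends the list
        if line == "Licensed Features:":
            in_features = True
        elif (m := re.match(r"^CISCO SYSTEMS (\S+)", line)):
            info["model"] = m.group(1)
        elif (m := re.match(r"^Embedded BIOS Version (\S+)", line)):
            info["bios_version"] = m.group(1)
        elif (m := re.match(r"^Cisco PIX Firewall Version (\S+)", line)):
            info["image_version"] = m.group(1)
        elif (m := re.match(r"^(\d+)\s*MB RAM", line)) and info["ram_mb"] is None:
            info["ram_mb"] = int(m.group(1))  # RAM is printed twice; keep the first
        elif re.match(r"^Reading \d+ bytes of image from flash", line):
            info["image_loaded"] = True
        elif (m := re.search(r"MAC: ([0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})", line)):
            info["macs"].append(m.group(1))
        elif (m := re.match(r"^Cryptochecksum\((\w+)\):", line)):
            info["checksum_status"] = m.group(1)
        elif (m := re.match(r"^Warning: (.+)$", line)):
            info["warnings"].append(m.group(1))
    return info


def check_boot(info, expected_image=None):
    """Return findings a troubleshooter should act on; an empty list means clean."""
    findings = []
    if not info["image_loaded"]:
        findings.append("no image read from flash; unit is running the firmware OS %s"
                        % info["bios_version"])
    if info["checksum_status"] != "unchanged":
        findings.append("Cryptochecksum reported %r, not 'unchanged'" % info["checksum_status"])
    if expected_image and info["image_version"] != expected_image:
        findings.append("image %s loaded, expected %s" % (info["image_version"], expected_image))
    if info["features"].get("VPN-3DES") == "Disabled":
        findings.append("VPN-3DES disabled: only single DES is licensed for IPsec")
    max_if = info["features"].get("Maximum Interfaces")
    if max_if and len(info["macs"]) > int(max_if):
        findings.append("%d interfaces detected but license allows %s" % (len(info["macs"]), max_if))
    findings.extend("boot warning: " + w for w in info["warnings"])
    return findings


if __name__ == "__main__":
    parsed = parse_boot(SAMPLE_BOOT)
    print(parsed["model"], parsed["bios_version"], parsed["image_version"], parsed["macs"])
    for finding in check_boot(parsed, expected_image="6.2(2)"):
        print("-", finding)
```

Feed it a transcript captured from the console port (or from a terminal server log) and it yields two findings for the sample: the single-DES license and the PAT pool warning. Removing the "Reading ... bytes of image from flash" line from the input makes the first finding the firmware-fallback case, which is the condition the paragraph above says matters most.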
In our example, the image loaded from flash memory recognizes two Ethernet interfaces present on this unit and displays the MAC addresses associated with them.

[...]

... to the operating system. Once the firewall has determined the output interface, the packet is placed in the appropriate output hardware queue. If the hardware queue is full, the packet is placed in the output software queue. In either the input or output software queue, if the maximum blocks are large, the interface is being overrun. If you notice this situation, the only way to resolve it is to reduce the ...

[...]

... configured incorrectly. When troubleshooting outbound, ensure that you check the apply configuration as well. When multiple rules match the same packet, the rule with the best match is used. The best-match rule is based on the netmask and port range. The stricter the IP address and the smaller the port range, the better a match it is. If there is a tie, a permit option takes precedence over a deny option. Here ...

[...]

... working at all. Therefore, you will find that the bulk of your labors will be focused on setting IPsec correctly in the first place.

Figure 11.14 IPsec Configuration (PIX1, RTR1 and PIX2; PIX1 and PIX2 each with an inside E1 and an outside E0 interface; addresses shown: 192.168.1.1/24, 192.168.2.1/24, 192.168.2.2/24, 192.168.3.1/24, 192.168.3.2/24, 192.168.4.1/24; outside networks 192.168.2.0/24 and 192.168.3.0/24; IPsec tunnel between IPsec peers 192.168.1.1 and 192.168.4.1)

Here ...

[...]

... and that they are wired correctly. Figure 11.4 shows the pinouts that you should be using for Ethernet and Fast Ethernet cables. Two wiring schemes for the RJ45 standard are used for 10/100 Ethernet: TA568A and TA568B, shown in Figure 11.4. It is important that your cable adhere to one of these standards to prevent interference (crosstalk). If you were to dismantle a RJ45 cable, you would see that there are ...

[...]

... receive and the other for transmit, as shown in Figure 11.5. It is important that you cable the wire with the correct cable to the correct connector. Fortunately, the SC connector Cisco uses prevents us from inserting the cable incorrectly. The connector on the cable is notched to fit the slotted jack on the interface card. You need to understand a little about fiber optic cables to effectively use them with ...

[...]

... password is the same on both sides, the encryption technique is different. The result is that RIP routing will not work between them, as disagreement on the password encryption technique will prevent the peers from authenticating to each other, which will prevent the exchange and acceptance of routing updates. Another potential showstopper that you need to be alert for is conflicting versions of RIP. The most ...

[...]

... currently queued at the time the command is issued. The queues will be depleted if the firewall receives more traffic than it can handle. When a packet is first received at an interface, it is placed in the input hardware queue. If the hardware queue is full, the packet is placed in the input software queue. The packet is then placed into a 1550-byte block (a 16384-byte block on 66MHz Gigabit Ethernet interfaces) ...

[...]

... available on each model: The lower-end models would be overwhelmed by the addition of even a single Gigabit Ethernet interface. As of this writing, the PIX 535 provides 9Gbps of clear-text throughput, the 525 provides 360Mbps, the 515 provides 188Mbps, the 506 provides 20Mbps, and the 501 provides 10Mbps. At the physical layer, the primary issue you will face is to ensure that the correct Ethernet cables are ...

[...]

... indicate a problem, since they are a fact of Ethernet life.
■ underrun  Indicates that the PIX was too overwhelmed to get data fast enough to the network interface.
■ babbles  This is an unused counter. Babbles indicate that the transmitter has been on the interface longer than the time taken to transmit the largest frame.
■ late collisions  Collisions that occurred after the first 64 bytes of transmission. Unlike ...

[...]

... time debating the merits of RIP as a routing protocol. Suffice to say, the default keyword means that the PIX firewall advertises a default route out that interface. The passive keyword configures RIP to listen on, but not advertise out, a particular interface. The version keyword is used to set the version of RIP that the PIX firewall will use. RIP peers can authenticate each other to ensure that they send and ...

Posted: 13/08/2014, 15:21
