The PIX Firewall

Originally posted HERE this is part one in a multi-part series of papers regarding the PIX, how it works and how to configure it.

The Cisco PIX firewall is one of the most popular brands of firewalls available today. Whilst they can be a very useful piece of equipment, it is not always straight forward to configure them.
Due to the nature of a Firewall and what it is used for it is essential to deploy and configure it correctly to prevent you inadvertently leaving your network wide open to attack when you thought it was secure.

The PIX comes in several form factors:


501 – This the cheapest and smallest firewall in the PIX range and is aimed almost exclusively at Small Office – Home Office (SOHO) setups. It can support up to 7500 concurrent connections and has 60 Mbps throughput.
Interface wise it has a 10/100BASE-T Ethernet interface for the outside connection (100BASE-T is only in version 6.3) and a four-port 10/100 switch for the inside interfaces. It can also support up to 10 simultaneous VPN connections. It does not support any failover at all.

As you can no doubt see it is only useful for the very small SOHO setup.

506E – Although more useful for the SOHO setup than the 501, the 506E is more geared up towards the ROBO setup (Remote Office – Branch Office) and is an ideal choice for a small – medium sized business if you don’t need any failover capabilities, a lot of VLAN’s or a very fast throughput of data.
It can provide 25,000 concurrent connections and 100 Mbps clear text throughput.
It has only two 10/100BASE-T interfaces and support for up to Two VLAN’s and can support up to 25 simultaneous VPN connections. It does not support version 7 of the PIX operating system or the ADSM utility, instead it has a less useful PDM for remote configuration.

515E – Is designed for small to medium sized businesses and enterprise networks. It can handle up to 130,000 concurrent connections and provides 190 Mbps of clear text throughput. It can have up to 6 10/100 Fast Ethernet interfaces, 25 VLAN’s and up to five contexts (contexts will be explained later).
It is the first PIX in the range that supports failover and version 7 of the PIX operating system. It can have up to 2,000 VPN tunnels and supports site to site and remote access VPN’s

525 – The 525 is probably the most common security appliance in the PIX range that you may come across due to its affodability Vs funcionality. It can support up to 280,000 concurrent connections, has 330 Mbps of clear text throughput, up to 10 10/100 Fast Ethernet interfaces, up to 100 VLAN’s and 50 contexts.
It supports failover and version 7 of the PIX operating System and up to 2,000 VPN tunnels.

535 -The Cisco PIX 535 is a high-performance, purpose-built security appliance designed for very large enterprise and service provider networks.

It supports up to ten 10/100 Fast Ethernet interfaces or nine Gigabit Ethernet interfaces and redundant power supplies, can handle up to 1.7 Gbps of firewall throughput with the capacity to handle more than 500,000 simultaneous sessions.

Certain PIX 535 models include an integrated hardware VPN acceleration card that delivers up to 440 Mbps of Triple Data Encryption Standard (3DES) VPN throughput and 440 Mbps of Advanced Encryption Standard-256 (AES) VPN throughput.


The PIX firewall range has a wide variety of add on cards and can work hand in hand with the Adaptive Security Appliance (ASA). There are too many add on cards and different ASA configurations to go in to here but the Cisco web site has all the information if you need to research it further.

Getting Started:

There are three ways to connect to the PIX:

1) Via the console cable
2) Via the PDM or for the 515 and later the ADSM
3) Via Telnet /SSH (needs to be configured first)

If you are comfortable with the Command Line Interface (CLI) on the PIX then the best way to connect is via the console port. To do this, simply attach the supplied console cable and open hyper terminal (or a terminal emulation program of your choice) set the baud rate to 9600 and press enter.

If you are not comfortable using the CLI then Cisco have provided a GUI for you to use. On the 501 and the 506E this is known as the PDM and on the 515 and above it is known as the ADSM.

Connect to the INSDIE interface of the PIX (Eth1) using a normal Cat5 Ethernet cable, open your web browser and type 192.168.1.1.If you get stuck trying to connect to the PIX to use the PDM/ADSM refer to the user manual and it will tell you the IP address range the DHCP server uses. This is usually 192.168.1.1/24 so either set your PC to receive an IP via DHCP or configure it in the correct subnet 192.168.1.2 is usually good with a 255.255.255.0 mask.

There is a known problem when using the PDM with Sun’s latest versions of Java. You need to have version 4 installed, which you can get from the archive pages on the Sun web site. If you can not connect you may need to remove the latest Java update from the Add/ Remove programs window in the control panel.( 5.0 update 5 and 5.0 update 6)

For now we will use the CLI.

Once connected there are four administrative modes you can be in:

1) Unprivileged
2) Privileged
3) Configuration
4) Monitor

When you first connect via the CLI you will be in unprivileged mode, which uses the > prompt:

Code:
Firewall>
Just like a router you would now type ‘enable’ or en for short

Code:
Firewall>en
If there is a password set you will now be prompted for a password, the PIX usually ships with the default password of either pix or cisco.

If you enter the password successfully you will now land in privileged mode, which uses the # symbol:

Code:
Firewall#
From the privileged mode you can issue most commands that will show you details about the configuration but will not allow you to alter the configuration except for setting passwords, writing configuration to memory and a few others:

Code:
Firewall#show running-config (or sh run for short)
The above command would show you the entire running configuration of the PIX.
To make and changes to the actual configuration of the PIX we need to be in configuration mode. We get this by using the command Configure Terminal (or conf t for short)

Code:
Firewall#conf t
The prompt will now change to:

Code:
Firewall<config>#
This shows us we are in configuration mode. From here we can now change the configuration of the firewall.

Monitor mode is a special mode that enables us to update the OS image over a network to perform password recovery. Whilst in Monitor mode we can enter commands to specify the location of a TFTP server, the location of the updates software or a password recovery file to download.

As mentioned with most Cisco equipment that uses a CLI commands can be abbreviated to the fewest unique characters for that command.
So sh run is short for Show Running-Configuration, en is short for Enable, copy run start is short for copy running-configuration > startup-configuration.

The first thing we can do is set a password for the PIX to stop unauthorised access. It is easy to get so engrossed in the configuration of the PIX to forget to set a user password once finished, so I make it a habit to set the password on any device first.

There are 15 different access levels we can grant a user when he logs on to the PIX, with 15 being the highest. Depending on what password is used will depend on what access level the user is dropped in to.

To set the password we need to be in the privileged mode (the # prompt).

So

Code:
Firewall>en
Password:
Firewall#
We now issue the command enable password <password>

Code:
Firewall#enable password tazzone123 15
Enable = we want to set the enable password (the password that is presented when the enable command is issued)
Password = we are setting the password and not giving the enable command.
Tazzone123 = the password we want to set
15 = the privilege level that anyone using that password will be granted. In this case the user will have total control of the PIX.


Before we go in to the configuration commands there are a few commands we need to know to save the configuration to memory and to erase it in case we mess it up!

Like a router the PIX has two different configurations; running configuration and start-up configuration.

The running configuration is what we are making all the changes to. If after making the changes we do not save it to the start-up configuration and the PIX was to be unplugged, suffer a power cut etc it would start up with the configuration that is in the start-up configuration and all our changes would be lost.

There is a twofold advantage to this – we can make changes ‘on the fly’ and if the firewall was to stop working as it should, we can just reload it and it will have its old configuration, the other benefit of it is if we are unsure of any changes that have been made we can use the sh start and the sh run commands to view both configuration’s and compare then to each other.

After we have made a change to the running configuration and are sure we want to keep it, the command ‘write memory’ is used to save the running configuration to the start-up configuration.

Code:
Firewall#write memory  (or wr mem for short)
If we have made a complete hash of the running configuration and want to start over again but still retain the start-up configuration we can use the command ‘clear configure all’.

Code:
Firewall#clear configure all  (or clear con all for short)
Finally if we want to clear everything and start from afresh we can use the command ‘write erase’

Code:
Firewall#write erase  (or wr er for short)
You will be prompted to confirm that you do want to erase the start-up configuration, hitting Enter or typing Yes will clear the configuration.

We will still be active in the running configuration however so we need to either reload the PIX or copy the running configuration to the start-up configuration.

To reboot the PIX we use the command ‘reload’

Code:
Firewall#reload
We will be prompted to confirm we want to reload the device.

Or we can use the copy run start command to copy the running configuration to the start-up configuration:

Code:
Firewall#copy run start
If you are writing a script to send or paste straight in to the PIX we can issue the ‘reload noconfirm’ command – which will just reload the device without asking for confirmation.

*Before making any changes to the PIX once you have an up and running configuration you can copy the results of the ‘show run’ command in to a text editor such as notepad. Then if you ever need to revert back to the configuration you can just copy and paste it straight back in to the firewall.*

Security Levels

The whole concept of the PIX security appliance revolves around security levels. The more trusted the network the higher the security level.

Obviously the most un-trusted network is going to always be the internet – and the interface that is going to be attached to the internet is the OUTSIDE interface (Eth0) which has by default the security level of 0.

The most trusted network attached to the PIX is going to be your internal network, which funnily enough is attached to the INSIDE (Eth1) interface and has a security level of 100 by default.

*You can remember which interface is which by the Ethernet numbers, Eth0 = Outside interface, Eth1 = Inside network…. 0-Out 1-In)*

The interfaces came with the INSIDE and OUTSIDE names pre-complied and can not be changed, likewise the security levels can not be changed either.

Code:
Outside level 0 -<--<---<--|PIX|--<---<---<-Inside level 100
An interface that has a higher security level can by default send traffic to an interface with a lower security level – hence internal hosts attached to the inside network with a security level of 100 can by default pass traffic through the outside interface as it only has a security level of 0. Traffic can flow downhill but not uphill.

This allows for one way (outbound) connections with a minimum number of configuration changes. The PIX will monitor the outgoing packets and when the return packet comes in, it is checked to ensure it is a valid packet and if so, is sent on its way.


The outside interface as it has a 0 security level can not send traffic to the inside interface with out a preconfigured permission to do so in the form of an Access Control List (ACL)

If you were to add a third interface for a DMZ and give it a security level of 50, the INSDIE interface would be able to pass traffic to it by default, but with out an ACL the DMZ would not be able to initiate a connection to send data to the INSIDE interface and obviously the least trusted interface (OUTSIDE) would not be able to initiate any connection to any interface with out an ACL being in place.

It is possible to enable same security level traffic flow, so two interfaces with the same security level can pas traffic unhindered should you wish..


The PIX Adaptive Security Algorithm
is a stateful approach to security, in so much as every inbound packet (the packet originating from a host on a less secure network destined for a host on a more secure network, i.e. DMZ (50) ->->-> INSIDE (100) ) is checked against a database called the State Table which is stored in the PIX’s memory which keeps the state of every connection that has passed through the PIX. This will tell the PIX if the packet is a return packet from a connection initiated from the INSIDE network, or if it has arrived out of the blue.

This table keeps a record of the original packets:-

1) Source IP Address
2) Source Port
3) Destination IP Address
4) Destination Port
5) Additional TCP / UDP Flags / Protocol etc
6) Original TCP Sequence number
7) Replacement TCP Sequence number
(The PIX randomizes the first TCP sequence number to reduce the risk of TCP Hijacking and does this by default.)

If a returning packet does not match ALL of the above criteria it is dropped there and then. Each of these entries is called a 'Session Object' and will stay in memory until the connection is terminated in the normal way or the session has timed out.

So in a nutshell if a packet arrives on the OUTSIDE interface, the PIX will check that either a Static NAT/PAT Translation exists for it and if so will then check if it is permitted by an ACL, if there is an ACL the PIX will act in accordance with it.
If no static translation exists the PIX will check the state table to see if it is a return packet from a connection that has been initiated by an inside and therefore trusted host - if it meets all the requirements in the state table the packet is allowed to continue its journey. If not the packet is dropped straight away.

The stateful design to the PIX maintains the secure perimeters of the different networks by creating session flows based upon the destination and source address and also the destination and source port numbers of the packets. Fundamentally, this is how the whole PIX is designed to work and will be discussed in more detail in further papers.

*Inbound and outbound traffic is not necessarily traffic coming from the internet to the inside network and vice versa. Traffic is considered to be inbound if it is coming from an interface with a lower security level and is considered to be outbound if it is coming from a higher security level. The most interfaces the PIX can support is 14 depending on Model and License*


Next 'Chapter' is Basic PIX configuration.