CISCO PIX: INTRODUCTION, HOW IT OPERATES AND THE CLI CONT...

Security Levels

The whole concept of the PIX security appliance revolves around security levels. The more trusted the network the higher the security level.

The least trusted network is always going to be the internet, and the interface attached to the internet is the OUTSIDE interface (Eth0), which has a security level of 0 by default.

The most trusted network attached to the PIX is your internal network, which, funnily enough, is attached to the INSIDE (Eth1) interface and has a security level of 100 by default.

*You can remember which interface is which by the Ethernet numbers: Eth0 = Outside interface, Eth1 = Inside network (0-Out, 1-In).*

The interfaces come with the INSIDE and OUTSIDE names pre-assigned and these cannot be changed; likewise their security levels cannot be changed either.

Code:
Outside level 0 -<--<---<--|PIX|--<---<---<-Inside level 100


An interface with a higher security level can, by default, send traffic to an interface with a lower security level. Hence internal hosts on the inside network (security level 100) can by default pass traffic out through the outside interface, which only has a security level of 0. Traffic can flow downhill but not uphill.

This allows one-way (outbound) connections with a minimum of configuration changes. The PIX monitors the outgoing packets, and when the return packet comes in it is checked to ensure it is a valid reply; if so, it is sent on its way.


The outside interface, with its security level of 0, cannot send traffic to the inside interface without a pre-configured permission to do so in the form of an Access Control List (ACL).

If you were to add a third interface for a DMZ and give it a security level of 50, the INSIDE interface would be able to pass traffic to it by default, but without an ACL the DMZ would not be able to initiate a connection to the INSIDE interface, and the least trusted interface (OUTSIDE) would not be able to initiate a connection to any interface without an ACL being in place.

It is also possible to enable same-security-level traffic flow, so that two interfaces with the same security level can pass traffic unhindered should you wish.


The PIX Adaptive Security Algorithm is a stateful approach to security: every inbound packet (a packet originating from a host on a less secure network and destined for a host on a more secure network, e.g. DMZ (50) -> INSIDE (100)) is checked against a database called the State Table. The State Table is held in the PIX's memory and records the state of every connection that has passed through the PIX. It tells the PIX whether the packet is a return packet for a connection initiated from the INSIDE network, or whether it has arrived out of the blue.

This table keeps a record of the original packet's:

1) Source IP Address
2) Source Port
3) Destination IP Address
4) Destination Port
5) Additional TCP / UDP Flags / Protocol etc
6) Original TCP Sequence number
7) Replacement TCP Sequence number
(The PIX randomizes the first TCP sequence number to reduce the risk of TCP Hijacking and does this by default.)

If a returning packet does not match ALL of the above criteria it is dropped there and then. Each of these entries is called a 'Session Object' and stays in memory until the connection is terminated in the normal way or the session times out.

So, in a nutshell: if a packet arrives on the OUTSIDE interface, the PIX first checks whether a static NAT/PAT translation exists for it; if so, it then checks whether the packet is permitted by an ACL, and if there is an ACL the PIX acts in accordance with it.
If no static translation exists, the PIX checks the state table to see whether it is a return packet for a connection initiated by an inside (and therefore trusted) host. If it meets all the requirements in the state table the packet is allowed to continue its journey; if not, it is dropped straight away.

The stateful design of the PIX maintains the secure perimeters of the different networks by creating session flows based on the source and destination addresses and the source and destination port numbers of the packets. Fundamentally, this is how the whole PIX is designed to work, and it will be discussed in more detail in further papers.
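The decision order just described (security-level direction, then static translation plus ACL, then the State Table lookup including the randomised replacement sequence number) is easier to follow as a small model. This is an added example written for this tutorial, not Cisco's code; interface names and levels are the defaults above plus the DMZ (50) example, and the packet fields and addresses are constructed.

```python
import random
from typing import Dict, Optional, Set, Tuple

# Constructed model of the PIX decision logic described above; not Cisco's code.
# Interface levels are the tutorial's defaults plus the DMZ (50) example.
LEVELS = {"outside": 0, "dmz": 50, "inside": 100}

# proto, src ip, src port, dst ip, dst port
Key = Tuple[str, str, int, str, int]


class Pix:
    def __init__(self, same_security: bool = False, seed: Optional[int] = None):
        self.sessions: Dict[Key, dict] = {}          # session objects (state table)
        self.statics: Set[Tuple[str, int]] = set()   # (ip, port) with a static NAT/PAT
        self.acl: Set[Tuple[str, int]] = set()       # (ip, port) permitted by inbound ACL
        self.same_security = same_security
        self.rng = random.Random(seed)

    def forward(self, pkt: dict) -> str:
        """Return 'permit' or 'drop' for one packet (a dict of header fields)."""
        src_lvl, dst_lvl = LEVELS[pkt["in_if"]], LEVELS[pkt["out_if"]]
        key: Key = (pkt["proto"], pkt["src"], pkt["sport"], pkt["dst"], pkt["dport"])
        if src_lvl > dst_lvl:
            # Outbound (higher -> lower) is allowed by default. Record a session
            # object, including the randomised replacement TCP sequence number.
            new_seq = self.rng.randrange(1 << 32) if pkt["proto"] == "tcp" else None
            self.sessions[key] = {"orig_seq": pkt.get("seq"), "new_seq": new_seq}
            return "permit"
        if src_lvl == dst_lvl:
            return "permit" if self.same_security else "drop"
        # Inbound (lower -> higher): a static translation is checked first and,
        # if one exists, the ACL decides.
        target = (pkt["dst"], pkt["dport"])
        if target in self.statics:
            return "permit" if target in self.acl else "drop"
        # Otherwise it must be the return half of a session the PIX already knows.
        reverse: Key = (pkt["proto"], pkt["dst"], pkt["dport"], pkt["src"], pkt["sport"])
        sess = self.sessions.get(reverse)
        if sess is None:
            return "drop"   # arrived "out of the blue"
        expected_ack = (sess["new_seq"] + 1) & 0xFFFFFFFF if sess["new_seq"] is not None else None
        if pkt["proto"] == "tcp" and pkt.get("ack") != expected_ack:
            return "drop"   # reply does not acknowledge the rewritten ISN
        return "permit"
```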

*Inbound and outbound traffic does not necessarily mean traffic from the internet to the inside network and vice versa. Traffic is considered inbound if it comes from an interface with a lower security level, and outbound if it comes from an interface with a higher security level. The most interfaces the PIX can support is 14, depending on model and licence.*


Next 'Chapter' is Basic PIX configuration.




Original Tutorial by nokia for TheTAZZone-TAZForum

Originally posted on September 10th, 2006 here

Do not use, republish, in whole or in part, without the consent of the Author. TheTAZZone policy is that Authors retain the rights to the work they submit and/or post...we do not sell, publish, transmit, or have the right to give permission for such...TheTAZZone merely retains the right to use, retain, and publish submitted work within its Network.