The following examples will illustrate how a PIX firewall can be used in various real world scenarios, as well as the configuration needed on the PIX.

Protecting a Private Network

For security reasons, Company XYZ management has decided to restrict access to the Finance servers and has assigned the task of securing the Finance network from unauthorized access. Only hosts on the Finance department's network will have access to Finance resources; any traffic originating from the Finance LAN will be permitted to any destination; and no other department will be permitted to reach the Finance LAN. Figure 4.6 illustrates how the LAN will be set up.

To begin, execute the following (write terminal shows the resulting configuration, which the remaining lines reproduce):

pixfirewall(config)#write terminal
nameif ethernet0 public security0
nameif ethernet1 finance security100

This assigns a name and a security level to each interface: public (the Company LAN side) gets the lowest level, 0, and finance gets the highest, 100. By default the PIX permits connections from a higher-security interface to a lower one and blocks the reverse unless a static together with an access-list (or conduit) allows it, so these levels already express most of the policy; the access-list below states the Finance-bound restriction explicitly.

interface ethernet0 auto
interface ethernet1 auto

This sets each Ethernet interface to 10/100 auto-negotiation. The interface command takes only the hardware ID and the speed; the names public and finance come from the nameif commands above.

ip address public 172.16.2.1 255.255.255.0
ip address finance 172.16.1.1 255.255.255.0

This assigns an RFC 1918 address to each interface: 172.16.2.1 on public (Company LAN) and 172.16.1.1 on finance (Finance LAN).

access-list acl_out deny tcp any 172.16.1.0 255.255.255.0
access-list acl_out deny udp any 172.16.1.0 255.255.255.0

This denies all TCP and UDP traffic whose destination is the 172.16.1.0/24 (Finance) subnet. Note the direction: the entries match on the destination address and the list is bound inbound on the public interface, so it is traffic from the Company LAN toward Finance that is dropped, not traffic originating from Finance. Every access-list ends with an implicit deny, and this one contains no permit entries, so anything else arriving on public is dropped as well; traffic entering on the finance interface is unaffected because no access-group is bound there. One requirement is not shown in the listing: the PIX will not pass traffic between interfaces without a translation slot, so an identity translation (nat 0) for 172.16.1.0/24 on the finance interface is needed before Finance hosts can actually reach the Company LAN.

access-group acl_out in interface public

This applies access-list acl_out to traffic arriving on the public interface.

telnet 172.16.1.0 255.255.255.0 finance
telnet 172.16.2.0 255.255.255.0 public

This restricts Telnet management of the PIX to clients in 172.16.1.0/24 arriving on the finance interface and clients in 172.16.2.0/24 arriving on the public interface. The last argument names the interface the client connects through, so each subnet is paired with the interface it sits behind. Note that the PIX refuses Telnet on its lowest-security interface unless the session is protected by IPsec, so in practice management access should be limited to the finance side.

Figure 4.6 Secure department to department.

[Diagram: Company XYZ. The Company LAN (172.16.2.0/24) attaches to PIX interface E0 and the Finance LAN (172.16.1.0/24) to interface E1. IP packets from source 172.16.2.0/24 destined for 172.16.1.0/24 are denied on interface E0.]

NOTE

A configuration where two departments are separated for security reasons can easily be achieved with a router and access control lists. The PIX is a very versatile device and, as this example shows, can also be used to protect internal networks, with the added benefit that its stateful inspection tracks connections rather than filtering packets one at a time.

Protecting a Network Connected to the Internet

Company XYZ management has decided that in order to keep up with the rapidly evolving world of technology, Internet access is a necessity.

Managers and administrators have decided that a T1 leased line will be sufficient for their users to access the Internet, and an ISP has already been chosen. Since the LAN uses the private 172.16.0.0 address space, Network Address Translation (NAT) or Network Address Port Translation (NAPT) will be needed to translate internal IP addresses to global (public) addresses. The ISP has also provided the company with eight public addresses, 207.139.221.1 through 207.139.221.8. A Cisco Secure PIX 515 Firewall has been chosen to provide security for Company XYZ.

Management and administrators have established a security policy in which users will be permitted to access only HTTP, FTP, Telnet, e-mail, DNS, and News. Web site filtering will be performed by a third-party application, WebSENSE web filtering software (www.websense.com). ActiveX controls will also be filtered because of the security problems associated with them. The ability to Telnet to the inside interface will be restricted to the administrator's workstation. Figure 4.7 shows how the network will be set up.

To begin, execute the following:

pixfirewall(config)#write terminal
interface ethernet0 auto
interface ethernet1 auto

This sets each Ethernet interface to 10/100 auto-negotiation. This listing relies on the PIX defaults for interface names and security levels: ethernet0 is outside (security 0) and ethernet1 is inside (security 100).

ip address inside 172.16.0.1 255.255.0.0

This assigns the inside interface its address, 172.16.0.1/16. The outside interface also needs an address from the ISP-assigned range; that line is not shown in this listing.

route outside 0.0.0.0 0.0.0.0 207.139.221.1

This adds a default route out the outside interface, with the ISP router at 207.139.221.1 as the next hop.

nat (inside) 1 0.0.0.0 0.0.0.0

This places every inside address (0.0.0.0 0.0.0.0 matches all) in NAT group 1, making it eligible for translation.

global (outside) 1 207.139.221.3

This defines the global pool for group 1 on the outside interface, the interface the translated traffic leaves through. The pool is a single address, 207.139.221.3, so the PIX performs port address translation (NAPT), mapping every inside host onto that one address with distinct source ports. The nat and global commands are paired by the shared group id, 1.

filter url http 0 0 0 0

This sends every HTTP (port 80) URL request, from any inside address (0 0) to any destination (0 0), to the URL server for filtering.

Figure 4.7 Securing a Network from the Internet.

[Diagram: the Company XYZ LAN segment (172.16.0.0/16) attaches to the PIX inside interface; the PIX outside interface connects to a router whose serial interface (S0) carries the T1 to the ISP. Inside IP addresses are translated to global IP addresses (NAT/PAT); HTTP traffic is URL-filtered by WebSENSE.]

filter activex 80 0 0 0 0

This strips ActiveX controls from HTML pages fetched over HTTP (port 80) by any inside host from any destination; the PIX does this by commenting out the <object> tags that load them. Content on other ports or inside encrypted sessions is not inspected.

url-server (inside) host 172.16.0.10 timeout 5

This names the inside host running WebSENSE, 172.16.0.10, as the URL server and waits up to 5 seconds for its verdict on each request. Without the allow keyword on the filter url command, requests are dropped when the server does not answer in time, so filtering fails closed.

access-list acl_out permit tcp any any eq http
access-list acl_out permit tcp any any eq ftp
access-list acl_out permit tcp any any eq ftp-data
access-list acl_out permit tcp any any eq smtp
access-list acl_out permit tcp any any eq telnet
access-list acl_out permit tcp any any eq nntp
access-list acl_out permit tcp any any eq domain
access-list acl_out permit udp any any eq domain
access-list acl_out deny tcp any any
access-list acl_out deny udp any any

This is the outbound policy: the listed services (HTTP, FTP control and data, SMTP, Telnet, NNTP, and DNS over TCP and UDP) are permitted from any inside host to any destination, and the closing entries deny all other TCP and UDP. An access-list already ends in an implicit deny, so the explicit entries serve to document the policy in the configuration. Note what the policy omits: HTTPS (port 443) and mail retrieval protocols such as POP3 are not permitted, and the ftp-data entry is unnecessary when the default fixup protocol ftp is enabled, because the PIX opens the data channel itself from inspecting the control session.

access-group acl_out in interface inside

This applies access-list acl_out to traffic arriving on the inside interface, that is, to connections the LAN initiates toward the Internet. No access-list is bound to the outside interface; connections initiated from the Internet are blocked by the default security levels, since no static or conduit exposes an inside host.
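Both access-lists on this page behave the same way: the entries are evaluated top-down on the interface the access-group names, the first match decides, and a packet that matches nothing hits the implicit deny. The following Python model, added here and not code from the page or from Cisco, replays the Finance list from the first scenario and this outbound Internet list against constructed packets; the hosts, ports and the 198.51.100.0/24 destinations are constructed for the example.

```python
"""PIX-style access-list evaluation over constructed packets (added example,
not code from the page or from Cisco). Models a list bound inbound with
`access-group NAME in interface IF`: top-down, first match wins, implicit deny."""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network
from typing import Optional

# Service names used in the page's lists; PIX accepts them in place of ports.
SERVICES = {"http": 80, "ftp": 21, "ftp-data": 20, "smtp": 25,
            "telnet": 23, "nntp": 119, "domain": 53}

@dataclass(frozen=True)
class Ace:
    action: str                 # "permit" or "deny"
    proto: str                  # "tcp" or "udp"
    src: IPv4Network
    dst: IPv4Network
    dport: Optional[int] = None # None: any destination port

def parse_ace(line: str) -> tuple:
    """Parse 'access-list NAME permit|deny PROTO SRC DST [eq PORT]'; SRC and
    DST are 'any' or 'ADDR MASK' with a dotted mask, as PIX writes them."""
    tok = line.split()
    name, action, proto, i, nets = tok[1], tok[2], tok[3], 4, []
    for _ in range(2):
        if tok[i] == "any":
            nets.append(IPv4Network("0.0.0.0/0")); i += 1
        else:
            nets.append(IPv4Network(f"{tok[i]}/{tok[i + 1]}", strict=False)); i += 2
    dport = None
    if i < len(tok) and tok[i] == "eq":
        dport = SERVICES[tok[i + 1]] if tok[i + 1] in SERVICES else int(tok[i + 1])
    return name, Ace(action, proto, nets[0], nets[1], dport)

class Pix:
    """Minimal model of PIX access-list / access-group processing."""
    def __init__(self) -> None:
        self.acls: dict = {}
        self.inbound: dict = {}   # interface name -> ACL name

    def configure(self, config: str) -> None:
        for raw in config.strip().splitlines():
            tok = raw.split()
            if tok[0] == "access-list":
                name, ace = parse_ace(raw)
                self.acls.setdefault(name, []).append(ace)
            elif tok[0] == "access-group":  # access-group NAME in interface IF
                self.inbound[tok[4]] = tok[1]

    def evaluate(self, proto: str, src: str, dst: str, dport: int, ingress: str) -> str:
        """'permit'/'deny', or 'no-acl' if nothing is bound on the ingress interface."""
        name = self.inbound.get(ingress)
        if name is None:
            return "no-acl"            # security levels alone decide this case
        s, d = IPv4Address(src), IPv4Address(dst)
        for ace in self.acls.get(name, []):
            if (ace.proto == proto and s in ace.src and d in ace.dst
                    and ace.dport in (None, dport)):
                return ace.action      # first matching entry wins
        return "deny"                  # implicit deny ending every list

# Scenario 1: Finance list, bound inbound on the public (Company LAN) side.
FINANCE_CONFIG = """
access-list acl_out deny tcp any 172.16.1.0 255.255.255.0
access-list acl_out deny udp any 172.16.1.0 255.255.255.0
access-group acl_out in interface public
"""

# Scenario 2: the outbound Internet policy, bound inbound on inside.
INTERNET_CONFIG = """
access-list acl_out permit tcp any any eq http
access-list acl_out permit tcp any any eq ftp
access-list acl_out permit tcp any any eq ftp-data
access-list acl_out permit tcp any any eq smtp
access-list acl_out permit tcp any any eq telnet
access-list acl_out permit tcp any any eq nntp
access-list acl_out permit tcp any any eq domain
access-list acl_out permit udp any any eq domain
access-list acl_out deny tcp any any
access-list acl_out deny udp any any
access-group acl_out in interface inside
"""

def finance_decisions() -> dict:
    pix = Pix(); pix.configure(FINANCE_CONFIG)
    return {
        # Company LAN host to a Finance server: explicit deny on destination.
        "company_to_finance": pix.evaluate("tcp", "172.16.2.20", "172.16.1.10", 445, "public"),
        # Finance host to the Company LAN: nothing bound on finance, so the
        # higher-to-lower security default (permit) applies.
        "finance_to_company": pix.evaluate("tcp", "172.16.1.10", "172.16.2.20", 80, "finance"),
        # A deny-only list permits nothing: other traffic on public is dropped too.
        "company_elsewhere": pix.evaluate("tcp", "172.16.2.20", "10.9.9.9", 80, "public"),
    }

def internet_decisions() -> dict:
    pix = Pix(); pix.configure(INTERNET_CONFIG)
    src = "172.16.5.77"   # constructed inside host
    return {
        "http": pix.evaluate("tcp", src, "198.51.100.10", 80, "inside"),
        "dns_udp": pix.evaluate("udp", src, "198.51.100.53", 53, "inside"),
        # HTTPS is not in the policy; 'deny tcp any any' catches it.
        "https": pix.evaluate("tcp", src, "198.51.100.10", 443, "inside"),
        # Neither TCP nor UDP: no entry matches, so the implicit deny applies.
        "icmp": pix.evaluate("icmp", src, "198.51.100.10", 0, "inside"),
    }
```

Two results are worth noticing. With the Finance list, a host on the finance interface gets no-acl because nothing is bound there, so it is the default higher-to-lower security behaviour, not the access-list, that lets Finance reach the rest of the company. With the Internet list, HTTPS on port 443 is denied because the policy names only http, a gap the administrators would have to close deliberately if encrypted web access is wanted.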

telnet 172.16.0.50 255.255.255.255 inside

This permits only the administrator's workstation, 172.16.0.50 (a host mask of 255.255.255.255), to open Telnet sessions to the PIX on the inside interface.
