Activity Objective
- Display the inspection protocol configurations
- Change the inspection protocol configurations
- Test the outbound FTP inspection protocol
- Perform FTP deep packet inspection
Task 1: Display the Inspection Protocol Configurations
------ NOTE: in this lab, I use Cisco PIX Security Appliance Software Version 8.0(2) ----
You need to configure class-map and policy-map (default is not enable) before make this lab, as following:
mpf-class-map mode commands/options:
access-list Match an Access List
any Match any packet
default-inspection-traffic Match default inspection traffic:
ctiqbe----tcp--2748
dns-------udp--53
ftp-------tcp--21
gtp-------udp--2123,3386
h323-h225-tcp--1720 h323-ras--udp--1718-1719
http------tcp--80 icmp------icmp ils-------tcp--389
mgcp------udp--2427,2727
netbios---udp--137-138
radius-acct---udp--1646
rpc-------udp--111
rsh-------tcp--514
rtsp------tcp--554
sip-------tcp--5060
sip-------udp--5060
skinny----tcp--2000
smtp------tcp--25
sqlnet----tcp--1521
tftp------udp--69
xdmcp-----udp--177
dscp Match IP DSCP (DiffServ CodePoints)
flow Flow based Policy
port Match TCP/UDP port(s)
precedence Match IP precedence
rtp Match RTP port numbers
tunnel-group Match a Tunnel Group
pixfirewall(config)# class-map inspection_default
pixfirewall(config-cmap)# match default-inspection-traffic
pixfirewall(config)# policy-map global_policy
pixfirewall(config-pmap)# class inspection_default
pixfirewall(config-pmap-c)#
inspect ftp
inspect h323 h225
inspect h323 ras
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
pixfirewall(config)# service-policy global_policy global
-----------------------------------------the end -------------------------------------------------------
Show the default modular policy class map running on your security appliance.
pixfirewall(config)# show run class-map
!
class-map isnpection_default
match default-inspection-traffic
Show the default modular policy map running on your security appliance.
pixfirewall(config)# show run policy-map
!
policy-map global_policy
class isnpection_default
inspect ftp
inspect h323 h225
inspect h323 ras
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
!
List the default modular policy service policy running on your PIX security appliance.
pixfirewall# show run service-policy
service-policy global_policy global
Task 2: Change the Inspection Protocol Configurations
Complete the following steps to delete some of the default protocol inspections on your security appliance.
Disable the following inspection protocols in the default policy map:
pixP# config t
pixP(config)# policy-map global_policy
pixP(config-pmap)# class inspection_default
pixP(config-pmap-c)# no inspect h323 ras
pixP(config-pmap-c)# no inspect sqlnet
pixP(config-pmap-c)# exit
pixP(config-pmap)# exit
pixP(config)#
Show the changes to the default modular policy map running on your PIX security appliance.
pixP# show run policy-map
Task 3: Test the Outbound FTP Inspection Protocol
Run 3CDaemon to test this task:
(image)
Initiate an FTP session to the backbone server from your inside host using the Windows FTP client.
C:\> ftp 172.26.26.50
User (172.26.26.50:(none)): ftpuser
Password: 123456
(image)
Turn off the FTP inspection protocol on your PIX security appliance.
pixP(config)# policy-map global_policy
pixP(config-pmap)# class inspection_default
pixP(config-pmap-c)# no inspect ftp
pixP(config-pmap-c)# exit
pixP(config-pmap)# exit
pixP(config)#
pixfirewall(config)# show run policy-map
!
policy-map global_policy
class isnpection_default
inspect h323 h225
inspect h323 ras
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
!
Again, initiate an FTP session to the backbone server from your bastionhost using the Windows FTP client.
C:\> ftp 172.26.26.50
User (172.26.26.50:(none)): ftpuser
Password: 123456
(image)
Do a directory listing at the FTP prompt.
ftp> dir
200 port command successful
226 Closing data connection
You able to connected to FTP server, but you not able to see a file listing.
Task 4: Perform FTP Deep Packet Inspection
Set all inspection protocols to the factory defaults (disregard any error messages).
pixP(config)# clear configure fixup
Define an FTP map to disallow FTP get requests.
pixP(config)# ftp-map no_get
pixP(config-ftp-map)# request-cmd deny get
pixP(config-ftp-map)# exit
pixP(config)#
//deny the get command on FTP service.
Apply the FTP map restriction to the default policy map.
pixP(config)# policy-map global_policy
pixP(config-pmap)# class inspection_default
pixP(config-pmap-c)# inspect ftp strict no_get
pixP(config-pmap-c)# exit
pixP(config-pmap)# exit
pixP(config)#
Initiate an FTP session to the backbone server from your bastionhost:
C:\> ftp 172.26.26.50
User (172.26.26.50:(none)): ftpuser
Password: 123456
Do a directory listing at the FTP prompt.
ftp> get pix721.bin
200 port command successful
226 Closing data connection
You able to connected to FTP server, and you able to see a file listing, but you should to be unable to open or retrieve a file.
Verify the change to the default policy map settings.
pixP(config)# show run policy-map
policy-map global_policy
class inspection_default
inspect dns
inspect netbios
inspect rtsp
inspect tftp
inspect xdmcp
inspect sunrpc
inspect ftp strict no_get
inspect h323 h225
inspect h323 ras
inspect rsh
inspect sqlnet
inspect sip
inspect skinny
View the service policy statistics. Examine the inspect ftp packet, drop, and resetdrop counts.
pix1(config)# show service-policy
Global policy:
Service-policy: global_policy
Class-map: inspection_default
Inspect: dns, packet 0, drop 0, reset-drop 0
Inspect: netbios, packet 0, drop 0, reset-drop 0
Inspect: rtsp, packet 0, drop 0, reset-drop 0
Inspect: tftp, packet 0, drop 0, reset-drop 0
Inspect: xdmcp, packet 0, drop 0, reset-drop 0
Inspect: ftp strict no_get, packet 236, drop 0, reset-drop 8
Inspect: h323 ras, packet 0, drop 0, reset-drop 0
Inspect: rsh, packet 0, drop 0, reset-drop 0
Inspect: esmtp, packet 0, drop 0, reset-drop 0
Inspect: sqlnet, packet 0, drop 0, reset-drop 0
Inspect: sip, packet 0, drop 0, reset-drop 0
Inspect: skinny, packet 0, drop 0, reset-drop 0
Inspect: sunrpc, packet 0, drop 0, reset-drop 0
Set all inspection protocols to the factory defaults.
pixP(config)# clear configure fixup
Summary:
A good security appliance has to inspect packets above the network layer and do the following
as required by the protocol or application:
- Securely open and close negotiated ports and IP addresses for legitimate client-server connections through the security appliance.
- Use Network Address Translation (NAT)-relevant instances of IP addresses inside a packet.
- Use port address translation (PAT)-relevant instances of ports inside a packet.
- Inspect packets for signs of malicious application misuse.
1. Why protocol handling:
+ Many popular protocols ans apps will assign ports or addresses dynamically.
+ For instance: multimedia, P2P file-sharing, http, ftp, SQL*net.
+ Some apps embed ports or address data info upper layers.
+ Some firewalls lack advanced protocol handling mechanisms.
2. Active Mode FTP in Action:
+ 2 channels: Client-initiated command connection and Server-initiated data connection.
+ Outbound: PIX opens temporary inbound data channel.
+ Inbound: If FTP ACL is assigned - no special handling if outbound traffic is allowed; if outbound is not allowed, PIX opens temporary outbound data channel.
3. Multimedia and the PIX firewall
0 comments
Post a Comment