UHCL CSCI 5931 - PIX Firewalls

This preview shows page 1-2-23-24 out of 24 pages.
PIX Firewall
An example of a stateful packet filter.
Can also work on higher layers of protocols (FTP, RealAudio, etc.)
Runs on its own OS
http://sce.uhcl.edu/yang/teaching/.../piX Firewalls.ppt

Outline
• The Adaptive Security Algorithm (ASA)
• Basic Features of PIX
• Advanced Features
• Case studies

Adaptive Security Algorithm
• An algorithm that defines how PIX examines traffic passing through it, and applies various rules to it.
• Basic concept:
  – Keep track of the connections being formed from the networks behind the PIX to the public network
  – Based on info about these connections, ASA allows packets to come back into the private network through the firewall.
  – All other traffic destined for the private network is blocked by the firewall (unless specifically allowed).

ASA
• ASA defines how the state and other information is used to track the sessions passing through the PIX.
• ASA keeps track of the following information:
  – Source and destination info of IP packets
  – TCP sequence numbers and TCP flags
  – UDP packet flow and timers

ASA and TCP
• TCP is connection-oriented, and provides most of the information the firewall needs.
• The firewall keeps track of each session being formed, utilized, and terminated.
• ASA only allows packets conforming to the state of a session to go through. All other packets are dropped.
• However, TCP has inherent weaknesses, which require ASA to perform additional work managing the sessions → SYN flood, session hijacking

ASA and TCP
• SYN flooding
  – "The SYN flood attack sends TCP connection requests faster than a machine can process them." (Internet Security Systems, http://www.iss.net/security_center/advice/Exploits/TCP/SYN_flood/default.htm)
  – SYN flood (as defined in Wikipedia, http://en.wikipedia.org/wiki/SYN_flood)
  – Illustration: next

DOS via SYN Flood
• A: the initiator
• B: the destination
• The three-way TCP handshake:
  – A: SYN to initiate
  – B: SYN+ACK to respond
  – A: ACK gets agreement

ASA vs SYN Flood
• (Beginning in version 5.2 and later)
  – When the number of incomplete connections through the PIX reaches a pre-configured limit (the limit on embryonic connections), ASA turns the PIX into a proxy for connection attempts (SYNs) to servers or other resources sitting behind it.
• PIX responds to SYN requests with SYN-ACKs and continues proxying the connection until the three-way TCP handshake is complete.
• Only when the three-way handshake is complete would the PIX allow the connection through to the server or resource on the private or DMZ network.
  – Benefit: limits the exposure of the servers behind the PIX to SYN floods

ASA and TCP
• Problem with the ISN: the initial sequence number (ISN) of TCP is not really random! → possible TCP session hijacking attack
• Case study: Kevin Mitnick's attack on Tsutomu Shimomura's computers in 1994-1995. Six steps (pp. 421-422):
  1. An initial reconnaissance attack: gather info about the victim
  2. A SYN flood attack: disable the login server; a DOS attack
  3. A reconnaissance attack: determine how one of the x-terms generated its TCP sequence numbers
  4. Spoof the server's identity, and establish a session with the x-term (using the sequence number the x-term must have sent) → result: a one-way connection to the x-term
  5. Modify the x-term's .rhosts file to trust every host
  6. Gain root access to the x-term

ASA and TCP
• TCP session hijacking attack (cont.)
• ASA's solution → "proxy" the sequence number in an outgoing packet:
  a. Create a new, more random sequence number;
  b. Use the new number as the sequence number in the outgoing packet, and store the difference between the new and the original number;
  c. When return traffic for that packet is received, ASA restores the sequence number before forwarding the packet to the destination on the inside network.
• Illustration: Figures 8-1 (initialization) and 8-2 (termination)

PIX: Basic Features
• ASA's stateful inspection of traffic
• Assigning varying security levels to interfaces
• ACL
• Extensive logging
• Basic routing capability (including RIP)
• NAT
• Failover and redundancy
• Traffic authentication

PIX: Basic Features - ASA's stateful inspection of traffic
• PIX uses a basic set of rules to control traffic flow:
  – No packets can traverse the PIX w/o a translation, connection, and state.
  – Outbound connections are allowed, except those specifically denied by the ACLs.
  – Inbound connections are denied, except for those specifically allowed.
  – All ICMP packets are denied unless specifically permitted.
  – All attempts to circumvent the rules are dropped, and a message is sent to syslog.
• To tighten or relax some of these default rules: next few slides

PIX: Basic Features
• Assigning varying security levels to interfaces
  – PIX allows varying security levels to be assigned to its various interfaces, creating the so-called security zones.
  – A PIX may have 2 to 10 interfaces.
  – Each i/f can be assigned a level from 0 (least secure, usually the Internet) to 100 (most secure, usually the internal private network).
  – Default rules:
    o Traffic from a higher security zone can enter a lower security zone. PIX keeps track of the connections for this traffic and allows the return traffic through.
    o Traffic from a lower security zone is not allowed to enter a higher security zone, unless explicitly permitted (such as using ACLs).

PIX: Basic Features
• ACL
  – Mainly used to allow traffic from a less-secure portion of the network to enter a more-secure
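The embryonic-connection limit and SYN proxying described on the "ASA vs SYN Flood" slide, as an added simulation (not code from the slides or from Cisco). The `SynProxy` class, its bookkeeping, and the constructed spoofed and legitimate clients are this example's own assumptions.

```python
import secrets

MOD = 1 << 32  # 32-bit TCP sequence space

class SynProxy:
    def __init__(self, embryonic_limit, isn_source=None):
        self.limit = embryonic_limit
        self.passed = set()    # half-open attempts the server is currently holding
        self.proxied = {}      # client -> ISN the firewall answered with itself
        self.server_log = []   # what the protected server actually receives
        self.isn_source = isn_source or (lambda: secrets.randbelow(MOD))

    def on_syn(self, client):
        """Below the limit the SYN goes to the server; at the limit the PIX
        answers SYN-ACK itself, so the server holds no state for it."""
        if len(self.passed) < self.limit:
            self.passed.add(client)
            self.server_log.append(("SYN", client))
            return "forwarded"
        self.proxied[client] = self.isn_source()
        return "proxied"

    def on_ack(self, client, ack):
        """Third step of the handshake, as seen from the client side."""
        if client in self.passed:
            self.passed.discard(client)      # completed, no longer embryonic
            self.server_log.append(("ACK", client))
            return "established"
        isn = self.proxied.pop(client, None)
        if isn is None or ack != (isn + 1) % MOD:
            return "dropped"                 # no matching proxied SYN-ACK
        # Client proved it is reachable; only now is the server-side handshake done.
        self.server_log.append(("SYN", client))
        self.server_log.append(("ACK", client))
        return "established-via-proxy"


def flood_then_real_client(limit, spoofed_syns):
    """Constructed scenario: spoofed SYNs that never ACK, then one real client.
    Returns (SYN verdict, ACK verdict, half-open entries at server, SYNs server saw)."""
    fw = SynProxy(limit)
    for i in range(spoofed_syns):               # constructed never-responding sources
        fw.on_syn(("198.51.100.%d" % (i % 254 + 1), 1024 + i))
    real = ("192.0.2.7", 50000)                 # constructed legitimate client
    verdict = fw.on_syn(real)
    isn = fw.proxied.get(real)                  # real client replies to what it was sent
    result = fw.on_ack(real, (isn + 1) % MOD if isn is not None else 0)
    server_syns = sum(1 for kind, _ in fw.server_log if kind == "SYN")
    return verdict, result, len(fw.passed), server_syns
```

With a limit of 10 and 1000 spoofed SYNs the server holds only 10 half-open entries, and the legitimate client still connects because the firewall completes the handshake on its behalf.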
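The sequence-number proxying in steps a, b and c of the session-hijacking slide, written out as a small simulation. This is an added example, not code from the slides or from Cisco; the flow-key layout, the packet dictionaries and the injectable ISN source are assumptions of this example.

```python
import secrets

MOD = 1 << 32  # TCP sequence numbers wrap in a 32-bit space

class SeqRandomizer:
    def __init__(self, isn_source=None):
        # Flow key (inside_ip, inside_port, outside_ip, outside_port) -> delta.
        self.deltas = {}
        # Injectable for tests; default draws a fresh 32-bit ISN from a CSPRNG.
        self.isn_source = isn_source or (lambda: secrets.randbelow(MOD))

    @staticmethod
    def _key(pkt, outbound):
        if outbound:
            return (pkt["src"], pkt["sport"], pkt["dst"], pkt["dport"])
        return (pkt["dst"], pkt["dport"], pkt["src"], pkt["sport"])

    def outbound(self, pkt):
        """Inside -> outside: shift SEQ by a per-flow delta fixed when the SYN leaves."""
        key = self._key(pkt, outbound=True)
        if "SYN" in pkt["flags"] and key not in self.deltas:
            new_isn = self.isn_source()                       # step (a)
            self.deltas[key] = (new_isn - pkt["seq"]) % MOD    # step (b): remember the difference
        out = dict(pkt)
        out["seq"] = (pkt["seq"] + self.deltas.get(key, 0)) % MOD
        return out

    def inbound(self, pkt):
        """Outside -> inside: the peer acknowledges the shifted SEQ, so the same
        delta comes off ACK before the inside host sees it (step c)."""
        delta = self.deltas.get(self._key(pkt, outbound=False), 0)
        out = dict(pkt)
        if "ACK" in pkt["flags"]:
            out["ack"] = (pkt["ack"] - delta) % MOD
        return out


def handshake_trace(inside_isn, forced_isn):
    """Run SYN / SYN-ACK / ACK for one constructed flow with a forced firewall ISN.
    Returns (SEQ the outside peer saw, ACK the inside host saw, next outside SEQ)."""
    fw = SeqRandomizer(isn_source=lambda: forced_isn)
    inside = dict(src="10.0.0.5", sport=40000, dst="203.0.113.9", dport=80)    # constructed
    outside = dict(src="203.0.113.9", sport=80, dst="10.0.0.5", dport=40000)
    syn = fw.outbound({**inside, "flags": "SYN", "seq": inside_isn})
    # The server acknowledges what it actually received: the rewritten SEQ + 1.
    synack = fw.inbound({**outside, "flags": "SYN-ACK", "seq": 5000,
                         "ack": (syn["seq"] + 1) % MOD})
    ack = fw.outbound({**inside, "flags": "ACK", "seq": inside_isn + 1, "ack": 5001})
    return syn["seq"], synack["ack"], ack["seq"]
```

Only the SEQ and ACK fields are rewritten here; any other field that carries sequence numbers (SACK options, for instance) is outside the scope of this simulation.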