Building a Firewall System Based on the Cisco PIX Firewall
Abstract: This paper introduces the features and functions of the Cisco PIX Firewall and shows how it can be used to build a more secure firewall system quickly and easily.
1. Introduction
As the Internet has grown into a universal, rapidly developing network, intrusions against hosts have increased, and applying firewall technology has become imperative. However, the many firewall products on the market differ widely in their functions, which makes implementing and maintaining a firewall system difficult. How to build a firewall system that is secure, practical and easy to implement is therefore worth studying. In general, a complete firewall system must not only prevent intrusion from outside but also prevent unauthorized access by internal staff. The Cisco PIX Firewall is a firewall product with which, through dynamic and static address mapping and conduit technology, a fairly comprehensive firewall system can be achieved more easily.
2. About Cisco PIX Firewall features
In general, a firewall system is a collection of access control methods implemented between two networks. There are usually two types of firewall: packet-filtering firewalls operating at the network layer, and application-layer proxy servers that isolate the two networks. The former works at the network layer, deciding whether to forward or discard each IP packet according to its source and destination addresses and source and destination ports; the latter works at the application layer, providing a proxy for each service. Since each technology has its own strengths and drawbacks, building a firewall with good performance depends on choosing a reasonable topology and firewall technology and configuring it properly.
The Cisco PIX Firewall is a firewall that combines the two technologies. It applies the Adaptive Security Algorithm, mapping internal host addresses to external addresses and rejecting packets for which no entry allows them, thereby realizing dynamic and static address mapping and effectively hiding the internal network topology. Through conduits and outbound access lists, access from inside and outside to the various resources can be effectively controlled.
A PIX Firewall can connect up to four different networks, and a security level can be defined for each; a network with a lower level is always regarded as external relative to one with a higher level, and the lowest-level network must use globally unique IP addresses. In what follows, we introduce only the example of a Cisco PIX Firewall system between two networks.
3. Cisco PIX Firewall configuration process
Before configuring, plan the network topology carefully and develop a detailed security policy. Take the network topology in the figure as an example: its IP address range is 204.31.17.128-204.31.17.191, it has E-mail, WWW, FTP and other servers, and the internal virtual IP address range of the PIX Firewall is 192.168.3.1-192.168.3.255. The following policy can be defined.
3.1 shielding the internal network topology
To prevent hacker intrusion, the internal network should be isolated using dynamic address mapping, hiding the internal network topology. We make the following configuration on the PIX Firewall:
nat 1 0 0
global (outside) 1 204.31.17.131-204.31.17.165
global (outside) 1 204.31.17.130
With this configuration, all connections initiated from the outside are blocked.
3.2 Access control for host resources
The E-mail, FTP, WWW and other servers are important resources. We must use conduits to make them accessible from outside, but restrict that access to the required services only: for maximum security, all services other than E-mail, WWW and FTP are prohibited. Configure as follows:
static (inside, outside) 204.31.17.129 192.168.3.1
conduit permit tcp host 204.31.17.129 eq www any
static (inside, outside) 204.31.17.128 192.168.3.2
conduit permit tcp host 204.31.17.128 eq smtp any
static (inside, outside) 204.31.17.166 192.168.3.3
conduit permit tcp host 204.31.17.166 eq ftp any
3.3 Controlling access to sensitive Internet resources and internal hosts
For sensitive resources on the Internet, such as certain objectionable sites, we can find the site's IP address (with nslookup on its domain name) and apply outbound access control. The configuration on the PIX Firewall is as follows:
outbound 10 deny 204.31.17.11 255.255.255.255 www tcp
apply (inside) 10 outgoing_dest
For internal hosts, we can control which services they may use. For example, for the host 192.168.3.4 in the figure, we can prohibit it from using the WWW service to access the external network. The configuration is as follows:
outbound 20 deny 192.168.3.4 255.255.255.255 www tcp
apply (inside) 20 outgoing_src
In this way, access from internal hosts to the outside can be controlled completely.
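As an added example (not part of the original article), the following Python model evaluates the static/conduit rules of section 3.2 and the outbound/apply rules of section 3.3 to check which connections the policy admits. The PIX command lines it parses are a constructed copy of those in the two sections, with the FTP conduit aimed at the FTP server's own global address 204.31.17.166; the service-to-port table and the parser cover only the command forms that appear on this page.

```python
import ipaddress

# Constructed copy of the PIX commands from sections 3.2 and 3.3, with the FTP
# conduit pointing at the FTP server's own global address 204.31.17.166.
PIX_CONFIG = """
static (inside, outside) 204.31.17.129 192.168.3.1
conduit permit tcp host 204.31.17.129 eq www any
static (inside, outside) 204.31.17.128 192.168.3.2
conduit permit tcp host 204.31.17.128 eq smtp any
static (inside, outside) 204.31.17.166 192.168.3.3
conduit permit tcp host 204.31.17.166 eq ftp any
outbound 10 deny 204.31.17.11 255.255.255.255 www tcp
apply (inside) 10 outgoing_dest
outbound 20 deny 192.168.3.4 255.255.255.255 www tcp
apply (inside) 20 outgoing_src
"""

PORTS = {"www": 80, "smtp": 25, "ftp": 21}   # service names used on the page

def parse(config):
    """Return (statics, conduits, applied) from the command subset above."""
    statics, conduits, lists, applied = {}, set(), {}, []
    for line in config.strip().splitlines():
        t = line.split()
        if t[0] == "static":        # static (inside, outside) GLOBAL LOCAL
            statics[t[3]] = t[4]
        elif t[0] == "conduit":     # conduit permit tcp host GLOBAL eq SVC any
            conduits.add((t[4], PORTS[t[6]]))
        elif t[0] == "outbound":    # outbound ID deny|permit IP MASK SVC PROTO
            net = ipaddress.ip_network(f"{t[3]}/{t[4]}")
            lists.setdefault(t[1], []).append((t[2], net, PORTS[t[5]]))
        elif t[0] == "apply":       # apply (inside) ID outgoing_src|outgoing_dest
            applied.append((lists[t[2]], t[3]))
    return statics, conduits, applied

def inbound_allowed(cfg, global_ip, dport):
    """Outside -> inside TCP connection: needs a static AND a matching conduit."""
    statics, conduits, _ = cfg
    return global_ip in statics and (global_ip, dport) in conduits

def outbound_allowed(cfg, src, dst, dport):
    """Inside -> outside: permitted unless an applied outbound entry matches."""
    _, _, applied = cfg
    for entries, mode in applied:
        checked = ipaddress.ip_address(src if mode == "outgoing_src" else dst)
        for action, net, port in entries:
            if checked in net and port == dport:
                return action == "permit"
    return True
```

Addresses that are only in the dynamic NAT pool have no static entry, so inbound_allowed returns False for them regardless of port, which is the behaviour section 3.1 relies on.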
4. Preventing illegal IP and MAC addresses on the internal network
Because IP addresses can be changed freely, illegal users often tamper with them, taking someone else's IP address and MAC address in order to hide themselves and gain unauthorized access. We can use the PIX Firewall's arp command to bind the IP and MAC addresses of internal hosts, which effectively prevents IP address theft and tampering. For example, to bind the host with IP address 192.168.3.4 to its MAC address 00e0.1e40.2a7c, configure as follows:
arp inside 192.168.3.4 00e0.1e40.2a7c alias
wr m
Combining these four configurations, the Cisco PIX Firewall achieves IP packet filtering, hides the internal network, controls access to network resources, and effectively prevents IP address theft and tampering, which together give a more complete firewall system. Building a firewall system with the PIX Firewall is thus extremely convenient.