mitigating attacks on pix

rpalacio
Level 1

I just have a few questions regarding securing the PIX.

1. It is a default of the PIX that inbound traffic on the outside interface is totally blocked. Say there is no access-list at all on this interface; do I need to add the deny statements for RFC 1918 to mitigate IP spoofing? What is the difference between using an access-list to mitigate IP spoofing rather than using the ip verify reverse-path (unicast reverse-path) command?

2. How do we implement the following on the PIX, as implemented on the IOS Firewall:

a. tcp intercept

b. ip finger

c. small servers

d. smtp spam

3. I am using the static command with its max conn/embryonic conn option to mitigate DoS attacks. What is the PIX doing to mitigate the same for hosts not stated in the static commands, or for internal servers intended for internal users?

3 Replies

Patrick Iseli
Level 7

To point 2:

a.) Does not exist in the same way on the PIX. The PIX is also stateful but does not have application layer support like the IOS Firewall. There are some filtering and communication mechanisms used with the "fixup protocol" command and other commands to define timeouts for protocols.

b.) There is no finger service on a PIX.

c.) The TCP and UDP small services do not exist on a PIX.

d.) SMTP spam does not exist.

Point 1:

ip verify reverse-path overview:

See: http://www.cisco.com/en/US/products/sw/secursw/ps2120/products_command_reference_chapter09186a008010578b.html#wp1053009

Implements Unicast RPF IP spoofing protection. (Configuration mode.)

The ip verify reverse-path command lets you specify which interfaces to protect from an IP spoofing attack using network ingress and egress filtering, which is described in RFC 2267. This command is disabled by default and provides Unicast Reverse Path Forwarding (Unicast RPF) functionality for the PIX Firewall.

The ip verify reverse-path command provides both ingress and egress filtering. Ingress filtering checks inbound packets for IP source address integrity, and is limited to addresses for networks in the enforcing entity's local routing table. If the incoming packet does not have a source address represented by a route, then it is impossible to know whether the packet has arrived on the best possible path back to its origin. This is often the case when routing entities cannot maintain routes for every network.

Egress filtering verifies that packets destined for hosts outside the managed domain have IP source addresses verifiable by routes in the enforcing entity's local routing table. If an exiting packet does not arrive on the best return path back to the originator, then the packet is dropped and the activity is logged. Egress filtering prevents internal users from launching attacks using IP source addresses outside of the local domain because most attacks use IP spoofing to hide the identity of the attacking host. Egress filtering makes the task of tracing the origin of an attack much easier. When employed, egress filtering enforces what IP source addresses are obtained from a valid pool of network addresses. Addresses are kept local to the enforcing entity and are therefore easily traceable.

Unicast RPF is implemented as follows:

• ICMP packets have no session, so each packet is checked.

• UDP and TCP have sessions, so the initial packet requires a reverse route lookup. Subsequent packets arriving during the session are checked using an existing state maintained as part of the session. Non-initial packets are checked to ensure they arrived on the same interface used by the initial packet.

Note: Before using this command, add static route command statements for every network that can be accessed on the interfaces you wish to protect. Only enable this command if routing is fully specified. Otherwise, PIX Firewall will stop traffic on the interface you specify if routing is not in place.

Sincerely,

Patrick
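As an added example (not part of Patrick's reply or of the Cisco documentation he quotes), the PIX 6.x configuration fragment below ties points 1 and 3 together: an explicit RFC 1918 deny list, Unicast RPF with the static routes it depends on, and the max_conns/em_limit values on both static and nat. All interface names, addresses and limits are constructed placeholders; the nat limits are a fact about the nat command that the thread itself does not mention.

```cisco
! Point 1, option A: explicit anti-spoofing ACL on the outside interface.
! This only catches the source ranges you enumerate; PIX ACLs use subnet masks, not wildcards.
access-list outside_in deny ip 10.0.0.0 255.0.0.0 any
access-list outside_in deny ip 172.16.0.0 255.240.0.0 any
access-list outside_in deny ip 192.168.0.0 255.255.0.0 any
access-list outside_in deny ip 127.0.0.0 255.0.0.0 any
access-list outside_in permit tcp any host 203.0.113.10 eq smtp
access-group outside_in in interface outside
!
! Point 1, option B: Unicast RPF. It checks every source against the routing table, so
! a route for each inside network MUST exist first, or the PIX drops that traffic
! once the check is enabled (see the note in the documentation above).
route outside 0.0.0.0 0.0.0.0 203.0.113.1 1
route inside 10.1.0.0 255.255.0.0 10.1.1.2 1
ip verify reverse-path interface outside
! Enabling it on inside gives the egress filtering described above: an inside host
! sending packets with an outside source address is dropped and logged.
ip verify reverse-path interface inside
!
! Point 3: per-translation limits. The two trailing numbers are max_conns and em_limit
! (embryonic, i.e. half-open, connections); 0 means unlimited.
static (inside,outside) 203.0.113.10 10.1.1.10 netmask 255.255.255.255 1000 100
! Hosts that have no static: the nat command takes the same two trailing limits,
! so outbound translations can be capped as well.
nat (inside) 1 10.1.0.0 255.255.0.0 2000 200
global (outside) 1 203.0.113.20
!
! Detection: send syslog off-box so reverse-path drops (message 106021) and
! access-group denies (message 106023) are visible to the operations team.
logging on
logging trap informational
logging host inside 10.1.1.20
```

Traffic between two inside hosts that never crosses the PIX is not subject to any of these limits; that part of question 3 has to be handled on the internal servers or their local network.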

So how do we stop attacks like SMTP spam on the PIX?

Third-party products such as Esafe:

http://www.esafe.com/esafe/default.asp
