Tuesday, 28 April 2009

CISCO PIX Terminology and Background Information

PIX terminology: we generally refer to the user segment as the Inside subnet. The interface connected to the Internet router is the outside subnet. As shown, we probably have a DMZ (De-Militarized Zone) subnet, the subnet where we quarantine all servers that are accessible from the outside. We might also have a separate management subnet and a subnet connecting to a redundant PIX for failover (if supported/licensed).
The PIX Command-Line Interface (CLI) is somewhat like the Cisco IOS interface, but different. Use a colon (":") for comments (which, as usual, are not retained). Newer PIX OS uses ACLs, replacing the former conduits (which were arguably more confusing to experienced Cisco router administrators).
PIX interfaces are normally shut down until the administrator activates them.
PIX interfaces have an associated security level. Two interfaces at the same level can't send packets to each other. We'll shortly see that you set levels with the nameif command. Connections and traffic are normally permitted from higher to lower security level interfaces, although you do have to put in some basic configuration to allow traffic to flow. Connections the other way (from low to high security) are disallowed unless the configuration explicitly permits them.
You actually do not have to put any ACL on traffic going from a higher security level to a lower one; everything will be allowed. Best practice is to put an ACL on all interfaces even if the ACL permits everything to flow using "permit ip any any". An ACL applied inbound (the PIX only does inbound ACLs) on the inside interface can control traffic going outbound. If an admin wants to allow only www and DNS traffic outbound, he would permit only TCP port 80 and UDP port 53; everything else, like RealAudio, would then be denied on the way out.
To let traffic flow from a high security level to a lower level, use the nat and global commands. For the opposite direction, from lower to higher, use the static and access-list commands. We suggest using nat and global when going from any non-outside interface to the outside interface (usually the Internet, unless the PIX is used as a border between business units), which is a little different from the first sentence above. We also suggest using statics from any non-outside interface to any other non-outside interface (like inside to management, or ethernet3 to ethernet4, below).
The PIX normally uses stateful NAT connections and stateful security, referred to as the Adaptive Security Algorithm (ASA). The PIX does not pass multicast traffic. (Can you say "DVMRP tunnel"?)
Cisco and we both recommend that you do not run dynamic routing to or through the PIX. The PIX does support RIP, but the authors both loathe RIP. Static routing is also more secure, since it cannot be as easily fooled.
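As an added illustration (not part of the original post), the following Python script parses a constructed PIX 6.x-style configuration and audits it against the rules described above: interfaces sharing a security level, interfaces with no inbound access-group, and statics whose lower-security side carries no ACL (so low-to-high connections would still be blocked). The interface names, ACL names and addresses are invented.

```python
import re

# Constructed PIX 6.x-style config for illustration only (not from a real device).
SAMPLE_CONFIG = """\
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz security50
nameif ethernet3 mgmt security50
access-list acl_out permit tcp any host 203.0.113.10 eq www
access-group acl_out in interface outside
access-list acl_in permit tcp any any eq www
access-list acl_in permit udp any any eq domain
access-group acl_in in interface inside
static (dmz,outside) 203.0.113.10 10.1.2.10 netmask 255.255.255.255
"""

NAMEIF = re.compile(r"^nameif\s+\S+\s+(\S+)\s+security(\d+)$")
ACCESS_GROUP = re.compile(r"^access-group\s+(\S+)\s+in\s+interface\s+(\S+)$")
STATIC = re.compile(r"^static\s+\((\S+),(\S+)\)")

def parse_config(text):
    # levels: interface name -> security level; acl_on: interface -> inbound ACL
    levels, acl_on, statics = {}, {}, []
    for line in text.splitlines():
        line = line.strip()
        if m := NAMEIF.match(line):
            levels[m.group(1)] = int(m.group(2))
        elif m := ACCESS_GROUP.match(line):
            acl_on[m.group(2)] = m.group(1)
        elif m := STATIC.match(line):
            statics.append((m.group(1), m.group(2)))  # (real_ifc, mapped_ifc)
    return levels, acl_on, statics

def audit(text):
    levels, acl_on, statics = parse_config(text)
    findings, names = [], sorted(levels)
    # Rule: two interfaces at the same security level cannot pass traffic to each other.
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            if levels[a] == levels[b]:
                findings.append(("same-level", f"{a},{b}"))
    # Best practice: every interface carries an inbound ACL, even a permit-all one.
    findings += [("no-inbound-acl", n) for n in names if n not in acl_on]
    # A static alone does not open low->high traffic; the lower interface needs an ACL.
    for real, mapped in statics:
        if mapped not in acl_on:
            findings.append(("static-without-acl", f"{real},{mapped}"))
    return findings
```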



No comments: