Latest News

You can have PIX Firewall system messages sent to the defined SNMP management unit instead of, or in addition to, a Syslog server. Use the configuration mode logging history command to set the message level. This command is the SNMP ... [full story]

Use the show snmp-server command to display the current SNMP configuration:Pix(config)# show snmp-server snmp-server host inside 192.168.1.3 snmp-server host dmz 192.168.2.3 snmp-server location Building 19-67B snmp-server contact Network Security snmp-server community MySNMP snmp-server enable traps Pix(config)# The clear snmp-server command ... [full story]

Use the configuration mode snmp-server enable traps command to enable or disable sending log messages as SNMP trap notifications. Use the no form of the command to turn off the feature. The syntax is Pix(config)# snmp-server enable traps Pix(config)# no snmp-server ... [full story]

The SNMP community string is a shared “secret” among the SNMP management station and the SNMP network agents being managed. This is called a community key because it can be used to define a data-exchanging group of agent and management ... [full story]

Use the configuration mode snmp-server host command to define the interface and the IP address of the SNMP management station(s) to which traps will be sent and/or from which the SNMP polls (requests) will be accepted. By default, both the ... [full story]

You can use the configuration mode snmp-server {contact | location} command to identify the PIX Firewall system administrator and the unit location. Each item can be up to 127 characters and is case sensitive. Spaces are allowed, but multiple spaces ... [full story]

The PIX Firewall, like its router and switch cousins, is considered an SNMP agent or SNMP server that collects data in MIB form. The management station is often a UNIX or Windows network host running the SNMP program that receives ... [full story]

Simple Network Management Protocol (SNMP) is an Internet standard application-layer protocol developed to exchange management data between network devices. SNMP-compliant devices, called agents, collect data about themselves and store that data in Management Information Bases (MIBs). These MIBs are sent ... [full story]

The shun command enables a dynamic response to an attacking host by dropping any defined connections and preventing new connections. An administrator or a Cisco Secure IDS device can instruct the PIX Firewall to shun the source of traffic when ... [full story]

Intrusion Detection The Cisco Secure PIX Firewall, like the Cisco Secure IOS Firewall covered in Chapter 7, added intrusion-detection technology to extend the Cisco Secure IDS technology. IDS sensor incorporation into the firewall is ideal for locations requiring additional security between ... [full story]

Attack Guards The PIX Firewall offers a family of features to defend the device and protected networks from attack. The PIX application-inspection capabilities and IDS features work together to provide services similar to those covered in Chapters 6 (IDS) and 7 ... [full story]

This section looks at PIX Firewall support for secure use of the following additional important protocols and applications. Configurable Proxy Ping (ICMP) The configurable proxy pinging feature, covered in Chapter 18, allows controlling ICMP access to the PIX Firewall interfaces. While ICMP ... [full story]

The next three topics—FTP, SMTP, and VoIP—are included as examples of the application-inspection features and fixup commands. The Cisco site has more details and examples for any of the other supported protocols or applications. FTP The default application inspection for FTP sessions ... [full story]

Some fixup protocols support multiple applications, while other applications benefit from application inspection without having a fixup protocol for Configuration options. Features provided often include extending NAT capabilities to IP addresses embedded within the data payload, including adjusting related checksum ... [full story]

Application inspection is frequently referred to as fixup because the fixup protocol command can be used to configure the application inspection for many of the supported protocols. Note, other protocols are supported that don’t support configuration. The show fixup command ... [full story]

The PIX Firewall ASA performs stateful application inspection to provide secure use of external applications and services. In some cases, this involves monitoring for and defending against threatening traffic patterns or activity. In other cases, application inspection is used to ... [full story]

The PIX Firewall offers a number of advanced features to support the many protocols available on the Internet, while maintaining a safe internal environment. Some of these features are configurable using skills already covered or by using the fixup protocol ... [full story]

Firewall Privilege Levels Use the configuration mode privilege command to set user-defined privilege levels for specified PIX Firewall commands. This command is modeled after the Cisco IOS privilege command feature. The structure of this command makes it easy to set different ... [full story]

Beginning with PIX Firewall software v6.2, the PIX Firewall devices support command-level authorization. This is user-defined command privilege levels (0 to 15) for PIX Firewall CLI commands, similar to the privilege levels supported on Cisco routers (Chapter 2) and switches. ... [full story]

After designating at least one authentication server with the aaa-server command, it’s time to define the AAA services to be used by the PIX Firewall. The help aaa command displays the syntax and use for the aaa authentication, aaa authorization, ... [full story]

PIX Firewall software v6.2 introduced the concept of the local user authentication database, common in router configurations to the PIX Firewall family. Like its router relatives, the local PIX Firewall user authentication database consists of the users entered with the ... [full story]

Use the configuration mode aaa-server commands to specify AAA server groups. AAA server groups are defined by a tag name. If the first authentication server defined in the group fails, AAA fails over to the next server in the tag ... [full story]

The PIX Firewall serial console port allows a single administrator to configure the unit, but it requires close proximity to the device. This close proximity requirement, or limiting access to a single administrator, can severely limit the flexibility on an ... [full story]

Chapter 20: Advanced PIX Firewall Features Overview In this chapter, you will learn how to: Work with remote access using Telnet, HTTP, and SSH features Use authentication, authorization, and accounting Apply advanced protocol handling Understand attack guards Recognize Intrusion detection Use shunning Manage SNMP services Many of the advanced ... [full story]

Chapter Review Questions 1.  Return traffic from an internal user going out on the Internet requires which of the following? Static address translation Enabling access control entry Authenticated access None of the above 2.  In assigning a security level to a DMZ interface, which would be the ... [full story]

This chapter looked at some of those features and commands required to allow data to pass efficiently through the firewall. The Adaptive Security Algorithm (ASA) was addressed to understand better how the PIX Firewall determines which traffic patterns to allow ... [full story]

Routing represents a multifaceted problem for the PIX Firewall. First, the PIX Firewall is an inline security filter, not a router, and therefore uses static routes to direct traffic out of the interfaces. This nonrouter strategy is reinforced because the ... [full story]

Conduit Statements The conduit command can be used to create an exception to the PIX Firewall ASA that prevents traffic originating on a lower-level security traffic interface from passing to higher- level areas. The most obvious example would be allowing outside ... [full story]

Object Grouping The concept of grouping or forming groups isn’t new to network or even human interaction. Groups can be given special privileges or restrictions, and those privileges or restrictions then apply to all members of the group. In the networking ... [full story]

Content Filtering Content filtering features allow administrators to block certain types of web related features or content that may be deemed a threat to the network or inappropriate to the workplace. For example, ActiveX objects and Java applets can represent security ... [full story]