This chapter looked at some of the more advanced features of
the PIX Firewall.
You saw the alternatives to establishing a console cable session
with the router, including Telnet, HTTP, and SSH. The configuration, including case
sensitivity, is more involved than on routers.
Configuring AAA on the PIX Firewall is similar to working with AAA
on the routers. First, the AAA server must be specified and the host key
configured. This key must match the one configured on the AAA server; it is what
makes the AAA server accept AAA requests from the PIX device. The
next step is configuring the authentication, authorization, and accounting
commands, so that the target users and resources are identified.
AAA support for all the console session methods and the enable command adds a higher level of secure authentication to this
activity. With PIX v6.2, AAA now supports command authorization, as well as the
Local User Database for authentication and command authorization.
Advanced protocol handling involves application-layer inspection
to maintain stateful table entries to allow return traffic from those
applications and protocols that either embed IP addresses in the data payload or
make dynamic port requests after the initial session setup. The fixup protocol commands are the portion of advanced protocol
handling that lets the PIX administrator view, change, enable, or disable
inspection for a variety of common applications and protocols passing through the PIX
Firewall. The specified ports define the ones the PIX Firewall will listen on
for each respective service.
Attack guards are another form of application-layer
inspection, implemented to monitor for common network threats or undesirable
traffic and to block them. Features like DNS Control, Flood Defender, TCP
Intercept, FragGuard, and Reverse Path Forwarding are examples of efforts to
block common attack strategies. Three filter commands can be
used to block potentially destructive or unpleasant web resources from the
network: the filter activex command blocks ActiveX objects
from web pages, the filter java command does the same thing to
Java applets, and the filter url command works with either an
N2H2 or a Websense server to filter content based on an extensive database. URL
filtering also offers web tracking and custom blocking features.
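The following PIX v6.2 configuration fragment is added here as a worked example and is not taken from the chapter; it pulls together the AAA, fixup, and filter commands summarized above. The server tag, interface names, addresses, and the key and password values are assumed placeholders, and the shared key must match the one configured on the AAA server.

```cisco
: AAA server group (tag AUTHSRV and host 10.1.1.10 are assumed values).
: The key must match the AAA server's copy or the PIX's requests are rejected.
aaa-server AUTHSRV protocol tacacs+
aaa-server AUTHSRV (inside) host 10.1.1.10 SHAREDKEY-PLACEHOLDER timeout 10
: Restrict which inside hosts may open Telnet, SSH, or HTTP (PDM) sessions.
telnet 10.1.1.0 255.255.255.0 inside
ssh 10.1.1.0 255.255.255.0 inside
http server enable
http 10.1.1.0 255.255.255.0 inside
: Authenticate every console access method and the enable command via AAA.
aaa authentication serial console AUTHSRV
aaa authentication telnet console AUTHSRV
aaa authentication ssh console AUTHSRV
aaa authentication http console AUTHSRV
aaa authentication enable console AUTHSRV
: v6.2 command authorization, decided per command by the AAA server.
aaa authorization command AUTHSRV
: Local User Database alternative: a local account that could replace
: AUTHSRV above with the LOCAL tag (aaa authentication ssh console LOCAL,
: aaa authorization command LOCAL) when no external server is reachable.
username admin password LOCALPASS-PLACEHOLDER privilege 15
: Identify target users (inside 10.1.1.0/24, assumed) and resources (any
: destination) for authentication, authorization, and accounting of traffic.
aaa authentication include any inside 10.1.1.0 255.255.255.0 0 0 AUTHSRV
aaa authorization include any inside 10.1.1.0 255.255.255.0 0 0 AUTHSRV
aaa accounting include any inside 10.1.1.0 255.255.255.0 0 0 AUTHSRV
: Advanced protocol handling: the port names the one the PIX listens on.
: Add a non-standard HTTP port and disable SMTP inspection.
fixup protocol ftp 21
fixup protocol http 80
fixup protocol http 8080
no fixup protocol smtp 25
: Content filters: strip ActiveX and Java from HTTP for all hosts, and hand
: URL requests to a Websense server (10.1.1.20 assumed) for lookup. The
: allow keyword lets HTTP through if the URL server becomes unreachable.
filter activex 80 0 0 0 0
filter java 80 0 0 0 0
url-server (inside) vendor websense host 10.1.1.20 timeout 5 protocol TCP version 1
filter url http 0 0 0 0 allow
```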
New IDS sensor capabilities extend the Cisco Secure IDS strategy
to include the PIX Firewall, adding visibility to the Internet, intranet, and
extranet. Shunning allows the PIX Firewall to receive dynamic
commands from an IDS unit to block traffic that’s determined as a threat.
The SNMP server commands allow the PIX Firewall administrator to
configure SNMP to be more secure, while still providing an easy-to-implement
method of remote administration and monitoring for a wide variety of network