Other Supported Protocols and Applications


This section looks at PIX Firewall support for secure use of the following additional important protocols and applications.

Configurable Proxy Ping (ICMP)

The configurable proxy pinging feature, covered in Chapter 18, controls ICMP access to the PIX Firewall's own interfaces. The Adaptive Security Algorithm (ASA) already denies ICMP that would pass through the firewall from a lower-security to a higher-security interface unless an access list or conduit permits it, but ICMP that terminates on an interface is accepted by default. The icmp {permit | deny} command (full syntax: icmp {permit | deny} {any | ip_address net_mask} [icmp_type] if_name) restricts that access per interface and per message type. Statements are evaluated in configuration order, the first match wins, and once any statement exists for an interface, unmatched ICMP addressed to that interface is implicitly denied. Used this way, the feature shields the PIX Firewall interfaces from discovery by hosts on the external network.

It is tempting to deny all ICMP to the firewall interfaces, but Destination Unreachable (type 3) messages, in particular code 4 (fragmentation needed and DF set), should still be permitted: they carry ICMP Path MTU discovery, which IPSec and PPTP tunnels terminating on the firewall depend on. Blocking them hides the interface from ping at the cost of silently black-holing large packets in those tunnels.
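The first-match and implicit-deny behaviour of the ICMP control list, and the Path MTU caveat above, as an added example (not code from the page or from Cisco): a small Python model of how the PIX evaluates icmp statements for ICMP terminating on an interface, run over two constructed configurations, a weak one that denies everything on outside and a hardened one that keeps type 3 reachable. The ICMP type keywords and the evaluation rules follow the PIX icmp command reference; treating an interface with no statements as "accept all", the probe source addresses, and the configurations themselves are assumptions made for the example.

```python
"""Model of the PIX Firewall ICMP control list (icmp permit | deny).

Added example, not code from the page or from Cisco. It reproduces the
documented evaluation rules for ICMP that terminates on a PIX interface:
statements are checked in configuration order, the first match decides,
and once any statement exists for an interface, unmatched ICMP to that
interface is implicitly denied. (Treating an interface with no statements
as "accept all" is an assumption of this model.)
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional

# ICMP type keywords accepted by the PIX icmp command and their type numbers.
ICMP_TYPES = {
    "echo-reply": 0, "unreachable": 3, "source-quench": 4, "redirect": 5,
    "alternate-address": 6, "echo": 8, "router-advertisement": 9,
    "router-solicitation": 10, "time-exceeded": 11, "parameter-problem": 12,
    "timestamp-request": 13, "timestamp-reply": 14, "information-request": 15,
    "information-reply": 16, "mask-request": 17, "mask-reply": 18,
    "conversion-error": 31, "mobile-redirect": 32,
}


@dataclass
class IcmpRule:
    action: str                      # "permit" or "deny"
    network: ipaddress.IPv4Network   # source addresses the statement covers
    icmp_type: Optional[int]         # None matches every ICMP type
    interface: str                   # interface the ICMP is addressed to


def parse_icmp_rules(config: str) -> List[IcmpRule]:
    """Parse 'icmp {permit|deny} {any | addr mask} [type] if_name' lines."""
    rules = []
    for raw in config.splitlines():
        tokens = raw.split("!")[0].split()       # '!' starts a comment
        if len(tokens) < 4 or tokens[0] != "icmp":
            continue                             # not an icmp statement
        action = tokens[1]
        if action not in ("permit", "deny"):
            raise ValueError(f"bad action in: {raw!r}")
        if tokens[2] == "any":
            net, rest = ipaddress.IPv4Network("0.0.0.0/0"), tokens[3:]
        else:
            net, rest = ipaddress.IPv4Network(f"{tokens[2]}/{tokens[3]}"), tokens[4:]
        if len(rest) == 2:                       # explicit type keyword or number
            type_token, interface = rest
            icmp_type = int(type_token) if type_token.isdigit() else ICMP_TYPES[type_token]
        elif len(rest) == 1:                     # no type given: all ICMP
            icmp_type, interface = None, rest[0]
        else:
            raise ValueError(f"cannot parse: {raw!r}")
        rules.append(IcmpRule(action, net, icmp_type, interface))
    return rules


def icmp_to_interface_allowed(rules: List[IcmpRule], interface: str,
                              src_ip: str, icmp_type: int) -> bool:
    """Decide whether ICMP from src_ip addressed to `interface` is accepted."""
    applicable = [r for r in rules if r.interface == interface]
    if not applicable:
        return True                              # no control list: accept all
    src = ipaddress.IPv4Address(src_ip)
    for rule in applicable:                      # configuration order
        if src in rule.network and rule.icmp_type in (None, icmp_type):
            return rule.action == "permit"       # first match wins
    return False                                 # implicit deny


def probe_interface(rules: List[IcmpRule], interface: str = "outside",
                    src_ip: str = "203.0.113.10") -> Dict[str, bool]:
    """Report which probe types reach the interface and whether PMTUD survives.

    Path MTU discovery needs Destination Unreachable (type 3, code 4) to reach
    the firewall's own IPSec/PPTP endpoint, so a list that drops type 3 on the
    outside interface breaks it even though it hides the interface from ping.
    """
    result = {name: icmp_to_interface_allowed(rules, interface, src_ip, code)
              for name, code in (("echo", 8), ("unreachable", 3), ("time-exceeded", 11))}
    result["pmtud_ok"] = result["unreachable"]
    return result


# Constructed configurations for the example (not from the page).
# Weak: hides the outside interface, but also drops the unreachables PMTUD relies on.
WEAK_CONFIG = """
icmp deny any outside
"""

# Hardened: type 3 is matched first, so it survives the catch-all deny that follows.
HARDENED_CONFIG = """
icmp permit any unreachable outside
icmp permit 10.0.0.0 255.0.0.0 echo inside
icmp deny any outside
"""

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, probe_interface(parse_icmp_rules(cfg)))
```

Note the ordering in HARDENED_CONFIG: with the two outside statements swapped, the catch-all deny would match first and type 3 would never be permitted, which is exactly the mistake the caveat above warns about.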

Internet Group Management Protocol (IGMP)

Internet Group Management Protocol (IGMP) is the protocol hosts use to tell a multicast-enabled router which multicast groups they want to receive. Multicast delivers one transmission to many receivers across an internetwork without the congestion of broadcasts or of repeated unicasts. IGMP dynamically registers specific LAN hosts in a multicast group with the router; the multicast-enabled routers, together with LAN switches that support Cisco Group Management Protocol (CGMP), then deliver the transmission only to the registered hosts.

PIX Firewall version 6.2 introduced Stub Multicast Routing (SMR), which lets the firewall act as a stub router, that is, an IGMP proxy agent. Like any stub router, the firewall is not a full multicast router and runs no multicast routing protocol; it simply forwards IGMP messages between the hosts on one interface and the multicast router on another.

NetBIOS over IP

NetBIOS over IP support allows NetBIOS connections from the internal network to the external network. This matters to Microsoft clients on the internal network that need to reach external servers running older versions of Windows, such as Windows NT. The organization's security policy can then cover Microsoft servers across the Internet as well as inside an intranet, while the access controls native to the Microsoft environment still apply.

RIP Version 2

As covered in Chapter 19, the PIX Firewall is not a router and, as such, will not propagate routing information from one interface to another. It only “listens” to RIP in Passive mode, and can additionally be configured to advertise itself as the default route on an interface.

The PIX Firewall follows Cisco IOS software standards here, including RIP v2 with optional MD5 authentication of routing updates (the shared key authenticates updates; it does not encrypt them). The RIP v2 support allows one key and one key ID per interface. The key has an infinite lifetime on the PIX, so best practice is to rotate it at intervals consistent with the security policy. Don't forget that using Telnet to change the configuration sends the key and key ID across the network in cleartext, where anyone sniffing the management path can capture them; use SSH or the console for that change instead.
