
Cisco PIX 500 Series Security Appliances

Installation and Configuration for the Cisco PIX Firewall - EAL4 Certification, Version 5.2(3)



Certified Installation and Configuration for the Cisco Secure PIX Firewall Version 5.2(3)


January 2001

Contents

This document describes how to install and configure a PIX 515, PIX 520, or PIX 525 for use with Cisco Secure PIX Firewall software version 5.2(3) as certified by Common Criteria Evaluation Assurance Level 4 (EAL4).


Note Any changes to the information provided in this document will invalidate the certified Cisco Secure PIX Firewall and may make it insecure.


This document includes the following sections:

Introduction

Audience

Security Information

Auditing Component Requirements

Determining the Software Version

Installation Notes

Configuration Notes

System Logs

Release Notes Caveats

Obtaining Documentation

Obtaining Technical Assistance

Obtaining Additional Publications and Information

Introduction

This document is an addendum to the Cisco Secure PIX Firewall Version 5.2 documentation set, which should be read prior to use of the Cisco Secure PIX Firewall. This document provides references to the following Cisco Secure PIX Firewall documentation:

Installation Guide for Cisco Secure PIX Firewall Version 5.2

Cisco PIX Firewall Configuration Guide, Version 5.2

Cisco PIX Firewall Regulatory Compliance and Safety Information Version 5.2

Cisco PIX Firewall System Log Messages Version 5.2

Cisco PIX Firewall Release Notes, Version 5.2(1)

Cisco PIX Firewall Release Notes Version 5.2(2)

Cisco PIX Firewall Release Notes, Version 5.2(3)

This document provides information on the installation and configuration of the Common Criteria Certified Cisco Secure PIX Firewall.


Note The Cisco PIX Firewall IPSec User Guide Version 5.2 is not referenced in this document because the information in that document does not form part of the Common Criteria Certified Cisco Secure PIX Firewall Version 5.2(3).


PIX Firewall documentation is available online at the following site:

http://www.cisco.com/en/US/products/sw/secursw/ps2120/prod_technical_documentation.html

Audience

This document is written for administrators configuring a Common Criteria Certified Cisco Secure PIX Firewall version 5.2(3) using a PIX 515, PIX 520, or PIX 525. This document assumes you are familiar with networks and network terminology, that you are a trusted individual, and that you have been trained for use with the Internet and its associated terms and applications.

Security Information

In addition to the Cisco PIX Firewall Regulatory Compliance and Safety Information Version 5.2, the sections that follow provide additional security information for use with a Common Criteria Certified Cisco Secure PIX Firewall.

Security Policy

Ensure that your PIX Firewall is delivered, installed, managed, and operated in a manner that maintains a security policy. The Cisco PIX Firewall Configuration Guide Version 5.2 provides guidance on how to define a security policy.

Security Implementation Considerations

The sections that follow provide implementation considerations that need to be addressed to administer the PIX Firewall in a secure manner.

Certified Configuration

Only version 5.2(3) can be used to ensure a secure configuration. Changing the PIX Firewall software to a different version invalidates the secure configuration. The PIX Firewall must also be configured as the only network connection between the networks connected to the firewall's interfaces.

The following hardware and software features are outside the scope of the defined Target of Evaluation (TOE) Security Functions. These have not been evaluated and do not form part of the certified product configuration. The certified Cisco Secure PIX Firewall version 5.2(3) does not include the use of the following:

Cut-Through Proxies

Failover

Network Address Translation (NAT)

Routing Information Protocol (RIP)

Remote Management

Simple Network Management Protocol (SNMP)

Dynamic Host Configuration Protocol (DHCP) Server

Virtual Private Networks (VPNs)

Authentication, authorization, and accounting (AAA) server to provide identification and authentication

Accepting updates for internal data structures (for example, routing tables) from an authorized host

The configuration of the PIX Firewall should be reviewed on a regular basis to ensure that the configuration continues to meet the organization's security objectives (as defined in the security policy) in the face of the following:

Changes in the Cisco Secure PIX Firewall configuration

Changes in the security objectives

Changes in the threats presented by the external network

Changes in the internal hosts and services available to the external network by the internal network

Physical Security

The PIX Firewall must only be administered at the PIX Firewall console from a locked room to which only the administrator has access.

Access Control

You must set the enable mode password using the enable password command. A good password combines alphabetic, numeric, and punctuation characters and is at least eight characters long. We recommend that you tell the password to someone who is in a position of trust. If you lose the password, you must contact customer support to gain access to your unit.

Servers and Proxies

To ensure complete security when the PIX Firewall is shipped, inbound access to all proxies and servers is initially disabled. After the installation, you must explicitly permit each service and enable the ones necessary for your security policy. Refer to the Cisco PIX Firewall Configuration Guide Version 5.2 and this document for information on how to configure the PIX Firewall. Certification requires a completely controlled environment in which specified services are allowed and all others denied.

Log Files and Messages

Log files are kept for all connection requests and server activity. Monitoring activity in the log files is an important aspect of your network security and should be conducted regularly. Monitoring the log files lets you take appropriate and timely action when you detect breaches of security or events that are likely to lead to a security breach in the future. Use the logging command to view log files messages. Refer to the Cisco PIX Firewall Configuration Guide Version 5.2 and this document for information on logging, messaging, and archiving.

Trusted and Untrusted Networks

The PIX Firewall can be used to isolate your network from the Internet or from another network. Trusted networks are usually your internal network and untrusted networks may be the Internet or any other network. Therefore, the PIX Firewall must be configured so that it acts as the only network connection between your internal network and any external networks. The PIX Firewall will deny any information flows for which no rule is defined.

Your security implementation is based on the control of traffic from one network to the other, and should support your security policy.

Access Lists

The access-list command operates on a first-match basis: rules are checked in the order they were added, so the last rule added to the access list is the last rule checked. The administrator should make a note of the last rule during initial configuration, because its position affects how the remaining rules are evaluated.

Public Access Servers

If you are planning to host public access servers, you must decide where they will be located in relation to the PIX Firewall. Placing servers on the network outside the PIX Firewall leaves them open to attack. Placing servers on the internal network means you must allow access through the PIX Firewall to the servers.

Using FTP

File Transfer Protocol (FTP) is used to retrieve or deposit files on a remote system. Allowing users to access internal FTP servers directly leaves many opportunities for abuse. This service should be of concern when designing your security policy. The functionality provided by the TFTP configuration server is outside the scope of the certified Target of Evaluation (TOE).

Monitoring and Maintenance

The PIX Firewall provides several ways to monitor the firewall, from logs to messages.

Ensure you know how you will monitor the PIX Firewall, both for performance and for possible security issues.

Plan your backups. If there should be a hardware or software problem, you may need to restore the PIX Firewall configuration.

The configuration of the PIX Firewall should be reviewed on a regular basis to ensure that the configuration meets the organization's security objectives in the face of the following:

Changes in the PIX Firewall configuration

Changes in the security objectives

Changes in the threats presented by the external network

Changes in the internal hosts and services available to the external network by the internal network

Auditing Component Requirements

The PIX Firewall interacts with a Windows NT system for the purpose of storing the audit data. The auditing machine requirements are a Pentium II or later PC running Windows NT 4.0 with Service Pack 4 and Y2K patches.


Note We recommend that you use a certified version of the Windows NT Server for the machine holding the audit records.


The auditing machine will provide suitable audit records to the administrator, protect the stored audit records from unauthorized deletion, and detect modifications to the audit records. It is the responsibility of the administrator to regularly review the audit records provided by the PIX Firewall and take any relevant action as necessary to ensure the security of the PIX Firewall.

The location of the auditing machine and records should only be accessible to the administrator.

Determining the Software Version

Use the show version command to verify the software version of your PIX Firewall unit.

Installation Notes

The following sections in the Installation Guide for Cisco Secure PIX Firewall Version 5.2 are supported on a certified PIX Firewall and should be followed when installing the certified PIX Firewall:

Introduction, including safety recommendations, maintaining safety with electricity, and general site requirements in Chapter 1, "Introduction"

Installation Overview and Installing a PIX 515, PIX 520, and PIX 525 models and Hardware and Software requirements for version 5.2 in Chapter 2, "Installing a PIX Firewall"

Installing the PIX Firewall Syslog Server (PFSS) in Chapter 4, "Installing the PIX Firewall Syslog Server (PFSS)"

Opening a PIX Firewall Chassis for PIX 515, PIX 520, and PIX 525 models in Chapter 5, "Opening a PIX Firewall Chassis"

Installing a Memory Upgrade for PIX 515, PIX 520, and PIX 525 models in Chapter 6, "Installing a Memory Upgrade"

Installing a Circuit Board for PIX 515, PIX 520, and PIX 525 models in Chapter 7, "Installing a Circuit Board"

Installing a DC Voltage PIX 515 and PIX 520 in Chapter 8, "Installing a DC Voltage PIX 515 or PIX 520"

The following sections in the Installation Guide for Cisco Secure PIX Firewall Version 5.2 are not supported on the certified configuration of the PIX Firewall. The features covered by these sections are outside the scope of the evaluated PIX Firewall and should not be installed:

Installing Failover in Chapter 3, "Installing Failover"

Installing a Private Link VPN board in Chapter 7, "Installing a Circuit Board"

Installing the PIX Firewall Setup Wizard in Chapter 9, "Installing the PIX Firewall Setup Wizard"

Verification of Image

To verify that the PIX Firewall has not been tampered with during delivery, execute the following procedures:

Once the PIX Firewall has been unpacked, you must obtain an activation (license) key that enables Data Encryption Standard (DES) or the more secure 3DES.

To obtain a DES (56-bit) license key for the PIX Firewall, use the IPSec 56-bit Customer Registration form. Accessing this form requires prior registration on Cisco.com at http://tools.cisco.com/RPF/register/register.do. However, access to this form does not require a purchase or service contract. You can register as a guest and then proceed to fill out the form. The form is available at the following website:

http://www.cisco.com/pcgi-bin/Software/FormManager/formgenerator.pl?pid=221&fid=324

You must purchase a 3DES (168-bit) license key, or have a service contract, to obtain a 3DES license key. If you have already purchased a 3DES upgrade, and you have your Cisco PIX Firewall 3DES upgrade document with the entitlement number printed on it, you can register your license key for use on your PIX Firewall with the License Registration form. Accessing this form also requires prior registration on Cisco.com at http://www.cisco.com/register. The License Registration form is available at the following website:

http://www.cisco.com/pcgi-bin/Software/FormManager/formgenerator.pl?pid=221&fid=301

You must also purchase or have a service contract to download PIX Firewall software.

You may need the following information to complete these forms:

Serial number

Your e-mail address

Export acknowledgement

Once the form is submitted, the activation key will be sent by e-mail directly to your e-mail address.

Once the activation key has been received, the PIX Firewall should be started up in accordance with the Installation Guide for the Cisco Secure PIX Firewall Version 5.2, Chapter 2.

At the prompt, type the show version command.

The activation key is displayed in four parts. Verify the displayed activation key against the activation key you received.

Additional Notes

1. Do not attempt to load version 5.2(3) on a PIX Firewall unit containing less than 32 MB of memory. While the PIX Firewall may appear to permit this configuration, upon reboot, the PIX Firewall unit will continuously fail. You can stop the failure loop by immediately inserting a previous version diskette into the PIX Firewall unit and then pressing the reboot switch. This note only applies to PIX Firewall units with a diskette drive, not to the PIX 515 or PIX 525.

2. After installing additional memory in a PIX 520, do not remove the memory strips after you install them and have powered on the unit, or the PIX Firewall unit will become inoperable.

3. A PIX Firewall unit containing a 16-MB Flash memory card cannot be downgraded to version 4.4(1), 4.4(2), 5.0(1), or 5.0(2).

4. Version 5.1 on a PIX 515 cannot be downgraded to previous version 4.4(1) images.

Configuration Notes

The following features of the PIX 515, PIX 520, and PIX 525 version 5.2(3) as stated in the Cisco PIX Firewall Configuration Guide Version 5.2 are included in the certified configuration of the PIX Firewall:

Everything as stated in Chapter 1, "Introduction," except those features listed in this document that are not supported. Read this document carefully and consider the Security Policy section of this document.

PIX 515 configuration with the exceptions noted.

Everything else except for what is stated as not supported in this document.

The following features of the PIX 515, PIX 520, and PIX 525 version 5.2(3) as stated in the Cisco PIX Firewall Configuration Guide Version 5.2 are not supported in the certified configuration of the PIX Firewall:

Chapter 1, "Introduction," PIX Firewall features including:

AAA Service Selection

AAA Server Groups

Boothelper Installation

Cut-Through Proxies

Failover

FTP and URL logging

PIX Firewall Manager

IPSec

Java Filtering

Mail Guard

PPTP

Setup Wizard

Telnet Interface

TFTP Configuration Server

FTP Image Downloading

URL Filtering

VPN

The following Chapter 2, "Configuring the PIX Firewall," sections are not supported in a certified PIX Firewall:

Upgrading from a Previous Version, Steps 1 and 2

Step 2—Get the Most Current Software section on downloading the image using TFTP

Step 3—Configure Network Routing sections on Setting a Windows 95 and Windows 98 Default Route or a MacOS Default Route

Step 12—Add Telnet Console Access

Step 16—Viewing Messages from a Telnet Console Session

Step 17—Add AAA User Authentication

Chapter 3, "Advanced Configurations"

Chapter 4, "Configuration Examples"

Chapter 5, "Command Reference," features listed in the "Certified Configuration" section of this document

Disabling NAT

NAT must not be included in the configured certified PIX Firewall. By default, the PIX Firewall assumes NAT is configured.

NAT must be disabled. To disable NAT, the following steps are required:

1. Configure an access-list command statement that matches any IP traffic.

2. Associate the NAT access list to all interfaces to enable the certified environment to bypass the NAT processing.

Disabling Example

The following example lists the command statements for a certified PIX Firewall with the three interfaces inside, outside, and intf2:

access-list no-nat-list permit ip any any
nat (inside) 0 access-list no-nat-list
nat (outside) 0 access-list no-nat-list
nat (intf2) 0 access-list no-nat-list

Disabling NAT Warning

The commands that disable NAT also let users on a higher security interface reach a lower security interface. At this stage, therefore, all traffic from the internal network is allowed out until a single rule (irrespective of its content) has been bound to the higher security interface; binding that rule invokes the default deny-all rule at the end of the access list bound to the interface.

Using the clear nat command does not return the NAT settings to the defaults that apply when the product has just been loaded. Instead, the product is left permitting connections from a higher security interface to the lower security interface, which affects security. It is therefore recommended that the clear nat command not be used to remove the nat 0 setting that disables Network Address Translation.


Note Using the clear access-list command to delete the set of rules (access-list command statements) will also remove the access-list command statement used by NAT, so that any subsequent rules bound to an interface will not be processed until NAT has been reconfigured.
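The following Python model is an added example, not part of this document or of the PIX software; it illustrates the access-list behaviour described in the "Access Lists" and "Disabling NAT Warning" sections: rules are checked in the order added and the first match wins, a bound list ends in an implicit deny, and with no list bound only traffic toward a lower security interface passes. The security levels, addresses, and configuration text are constructed, and the access-list address syntax is assumed PIX 5.2 form.

```python
import ipaddress

# Interface security levels (constructed; PIX defaults are inside 100, outside 0).
SECURITY_LEVELS = {"inside": 100, "intf2": 10, "outside": 0}


def _parse_addr(tokens, i):
    """Parse one address spec: 'any', 'host A.B.C.D' or 'A.B.C.D MASK'."""
    if tokens[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tokens[i] == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    return ipaddress.ip_network(f"{tokens[i]}/{tokens[i + 1]}", strict=False), i + 2


def parse_config(text):
    """Return (acls, bindings): ACL name -> rules in the order added, interface -> ACL."""
    acls, bindings = {}, {}
    for raw in text.splitlines():
        t = raw.split()
        if len(t) > 3 and t[0] == "access-list" and t[2] in ("permit", "deny"):
            src, i = _parse_addr(t, 4)
            dst, i = _parse_addr(t, i)
            port = int(t[i + 1]) if i < len(t) and t[i] == "eq" else None
            acls.setdefault(t[1], []).append((t[2], t[3], src, dst, port))
        elif t and t[0] == "access-group":  # access-group <acl> in interface <ifname>
            bindings[t[4]] = t[1]
    return acls, bindings


def permits(acls, bindings, in_if, out_if, proto, src, dst, dport=None):
    """Decide a flow entering in_if and leaving out_if: first matching rule wins,
    a bound list ends in an implicit deny, and with no list bound to in_if only
    traffic toward a lower security interface is allowed."""
    acl_name = bindings.get(in_if)
    if acl_name is None:
        return SECURITY_LEVELS[in_if] > SECURITY_LEVELS[out_if]
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for action, rproto, rsrc, rdst, rport in acls.get(acl_name, []):
        if rproto not in ("ip", proto) or s not in rsrc or d not in rdst:
            continue
        if rport is not None and rport != dport:
            continue
        return action == "permit"  # first matching rule decides
    return False  # implicit deny at the end of the bound list


# Constructed configuration: NAT bypassed as in the document's example, plus two
# lists. In acl_out the deny rule was added first, so it is checked first.
CONFIG = """\
access-list no-nat-list permit ip any any
nat (inside) 0 access-list no-nat-list
nat (outside) 0 access-list no-nat-list
access-list acl_in permit tcp any any eq 25
access-list acl_out deny tcp host 203.0.113.5 any eq 80
access-list acl_out permit tcp any host 10.1.1.10 eq 80
access-group acl_in in interface inside
access-group acl_out in interface outside
"""


def walkthrough():
    """Evaluate representative flows; returns a dict of case name -> permitted."""
    acls, bindings = parse_config(CONFIG)
    only_outside = {"outside": bindings["outside"]}  # nothing bound to inside
    ext, srv, client = "198.51.100.1", "10.1.1.10", "10.1.1.20"
    return {
        "in_to_out_unbound": permits(acls, only_outside, "inside", "outside", "tcp", client, ext, 80),
        "out_to_in_unbound": permits(acls, {}, "outside", "inside", "tcp", ext, srv, 80),
        "in_to_out_smtp_bound": permits(acls, bindings, "inside", "outside", "tcp", client, ext, 25),
        "in_to_out_http_bound": permits(acls, bindings, "inside", "outside", "tcp", client, ext, 80),
        "out_to_in_denied_host": permits(acls, bindings, "outside", "inside", "tcp", "203.0.113.5", srv, 80),
        "out_to_in_other_host": permits(acls, bindings, "outside", "inside", "tcp", "203.0.113.6", srv, 80),
    }


if __name__ == "__main__":
    for name, allowed in walkthrough().items():
        print(f"{'PERMIT' if allowed else 'DENY  '}  {name}")
```

Swapping the two acl_out lines in CONFIG makes the denied host match the permit rule first, which is the ordering effect the "Access Lists" section warns about.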


static Function

The static command must not be included in the certified PIX Firewall. The static command enables particular instances of NAT.

Saving Configuration

The write memory command should be used frequently when making changes to the configuration of the PIX Firewall. If the PIX Firewall reboots and resumes operation when uncommitted changes have been made, these changes will be lost and the PIX Firewall will revert to the last committed configuration.

Enabling Time-Stamp

By default, audit records are not stamped with the time and date, which are taken from the system clock when an event occurs.

The certified PIX Firewall requires the Time-Stamp feature to be enabled. To enable the timestamp of audit events, use the logging timestamp command.

To ensure that the timestamp option remains the default, use the write memory command to save the option into the startup configuration.

Enabling Reliable Logging

By default, auditing events are transported to a remote syslog server over UDP. The certified PIX Firewall requires auditing events to be transported over TCP.

The TCP option is configured using the logging host ip_address tcp/port_number command.

With TCP logging configured, new sessions through the certified PIX Firewall will be disallowed if log messages cannot be forwarded to the remote host.
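As an added example that is neither part of this document nor Cisco's own tooling, the following Python script checks a PIX 5.2 configuration text against the requirements in the "Disabling NAT", "static Function", "Enabling Time-Stamp" and "Enabling Reliable Logging" sections, and flags commands that configure features the "Certified Configuration" section excludes. The nameif format and the feature keyword patterns are assumed PIX 5.2 syntax, and both sample configurations are constructed.

```python
import re

# Commands that configure features excluded from the certified configuration
# (Telnet console, SNMP, failover, RIP, DHCP server, VPN, AAA). Keyword
# spellings are assumed PIX 5.2 syntax, not taken from the document.
EXCLUDED_PATTERNS = {
    "Telnet console access": r"^telnet \d",
    "SNMP": r"^snmp-server (community|host) ",
    "failover": r"^failover$",
    "RIP": r"^rip ",
    "DHCP server": r"^dhcpd (address|enable)",
    "VPN (IPSec/PPTP)": r"^(crypto map|isakmp enable|vpdn enable)",
    "AAA server": r"^aaa-server \S+ \(\S+\) host ",
    "AAA authentication (cut-through proxy)": r"^aaa (authentication|authorization|accounting) ",
}


def audit_config(text):
    """Check a configuration against the certified-configuration rules and
    return a list of findings; an empty list means every check passed."""
    lines = [s for s in (ln.strip() for ln in text.splitlines())
             if s and not s.startswith("!")]
    findings = []
    # Interfaces come from 'nameif <hw> <name> security<N>' lines (assumed 5.2 form).
    interfaces = [m.group(1) for ln in lines
                  if (m := re.match(r"nameif \S+ (\S+) security\d+", ln))]
    if not interfaces:
        findings.append("no nameif lines found; cannot verify NAT bypass per interface")
    # Step 1 of 'Disabling NAT': an access list that matches any IP traffic.
    any_any = {m.group(1) for ln in lines
               if (m := re.match(r"access-list (\S+) permit ip any any$", ln))}
    # Step 2: that list must be bound with 'nat (<if>) 0' on every interface.
    for ifname in interfaces:
        bound = [m.group(1) for ln in lines
                 if (m := re.match(rf"nat \({ifname}\) 0 access-list (\S+)$", ln))]
        if not bound:
            findings.append(f"NAT not disabled on interface {ifname}")
        elif bound[0] not in any_any:
            findings.append(f"nat 0 list '{bound[0]}' on {ifname} is not 'permit ip any any'")
    if any(ln.startswith("static ") for ln in lines):
        findings.append("static command present (enables NAT)")
    if not any(ln.startswith("enable password ") for ln in lines):
        findings.append("enable password not set")
    if "logging timestamp" not in lines:
        findings.append("logging timestamp not enabled")
    hosts = [ln for ln in lines if ln.startswith("logging host ")]
    if not hosts:
        findings.append("no logging host configured")
    for ln in hosts:  # reliable logging requires tcp/<port> on each syslog host
        if not re.search(r"\btcp/\d+$", ln):
            findings.append(f"syslog host not using TCP: '{ln}'")
    for ln in lines:
        for feature, pattern in EXCLUDED_PATTERNS.items():
            if re.match(pattern, ln):
                findings.append(f"{feature} configured: '{ln}'")
    return findings


# Constructed configuration that follows the document's requirements.
CERTIFIED_CONFIG = """\
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 intf2 security10
enable password PLACEHOLDER-HASH encrypted
access-list no-nat-list permit ip any any
nat (inside) 0 access-list no-nat-list
nat (outside) 0 access-list no-nat-list
nat (intf2) 0 access-list no-nat-list
no failover
logging on
logging timestamp
logging host inside 192.0.2.10 tcp/1470
"""

# Constructed configuration that has drifted: NAT left enabled on outside, a
# static translation, Telnet access, UDP syslog and no timestamps.
DRIFTED_CONFIG = """\
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password PLACEHOLDER-HASH encrypted
access-list no-nat-list permit ip any any
nat (inside) 0 access-list no-nat-list
static (inside,outside) 203.0.113.10 10.1.1.10 netmask 255.255.255.255
telnet 10.1.1.0 255.255.255.0 inside
logging host inside 192.0.2.10 udp/514
"""

if __name__ == "__main__":
    for name, cfg in (("certified", CERTIFIED_CONFIG), ("drifted", DRIFTED_CONFIG)):
        print(name, audit_config(cfg) or "OK")
```

Run it against the output of a write terminal taken at the console; a non-empty findings list is the signal to review the configuration before relying on it as the certified one.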

System Logs

Cisco PIX Firewall System Log Messages Version 5.2 provides details on the PIX Firewall system logs.

The following sections are not supported on a certified PIX Firewall:

Viewing Syslog Messages in a Telnet Console Session

Receiving SNMP Requests

Sending SNMP Traps

Other Remote Management and Monitoring Tools

Release Notes Caveats

The following sections in the Release Notes for the Cisco Secure PIX Firewall Version 5.2(1) are not supported on a certified PIX Firewall:

Cisco IOS Software Interoperability

Cisco Secure VPN Client Interoperability

Cisco VPN 3000 Concentrator and Client Interoperability

PIX Firewall Manager Interoperability

Failover Serial Connection

AAA access-list Support

Cisco VPN 3000 Client (Formerly the Altiga VPN Client)

Failover Polling Time

Important Notes:

AAA

Cisco Secure VPN Client

Cisco VPN 3000 Client and Concentrator

Failover

Obtaining Documentation

Cisco provides several ways to obtain documentation, technical assistance, and other technical resources. These sections explain how to obtain technical information from Cisco Systems.

Cisco.com

You can access the most current Cisco documentation on the World Wide Web at this URL:

http://www.cisco.com/univercd/home/home.htm

You can access the Cisco website at this URL:

http://www.cisco.com

International Cisco websites can be accessed from this URL:

http://www.cisco.com/public/countries_languages.shtml

Documentation CD-ROM

Cisco documentation and additional literature are available in a Cisco Documentation CD-ROM package, which may have shipped with your product. The Documentation CD-ROM is updated regularly and may be more current than printed documentation. The CD-ROM package is available as a single unit or through an annual or quarterly subscription.

Registered Cisco.com users can order a single Documentation CD-ROM (product number DOC-CONDOCCD=) through the Cisco Ordering tool:

http://www.cisco.com/en/US/partner/ordering/ordering_place_order_ordering_tool_launch.html

All users can order annual or quarterly subscriptions through the online Subscription Store:

http://www.cisco.com/go/subscription

Ordering Documentation

You can find instructions for ordering documentation at this URL:

http://www.cisco.com/univercd/cc/td/doc/es_inpck/pdi.htm

You can order Cisco documentation in these ways:

Registered Cisco.com users (Cisco direct customers) can order Cisco product documentation from the Networking Products MarketPlace:

http://www.cisco.com/en/US/partner/ordering/index.shtml

Nonregistered Cisco.com users can order documentation through a local account representative by calling Cisco Systems Corporate Headquarters (California, USA) at 408 526-7208 or, elsewhere in North America, by calling 800 553-NETS (6387).

Documentation Feedback

You can submit comments electronically on Cisco.com. On the Cisco Documentation home page, click Feedback at the top of the page.

You can send your comments in e-mail to bug-doc@cisco.com.

You can submit comments by using the response card (if present) behind the front cover of your document or by writing to the following address:

Cisco Systems
Attn: Customer Document Ordering
170 West Tasman Drive
San Jose, CA 95134-9883

We appreciate your comments.

Obtaining Technical Assistance

For all customers, partners, resellers, and distributors who hold valid Cisco service contracts, the Cisco Technical Assistance Center (TAC) provides 24-hour, award-winning technical support services, online and over the phone. Cisco.com features the Cisco TAC website as an online starting point for technical assistance.

Cisco TAC Website

The Cisco TAC website (http://www.cisco.com/tac) provides online documents and tools for troubleshooting and resolving technical issues with Cisco products and technologies. The Cisco TAC website is available 24 hours a day, 365 days a year.

Accessing all the tools on the Cisco TAC website requires a Cisco.com user ID and password. If you have a valid service contract but do not have a login ID or password, register at this URL:

http://tools.cisco.com/RPF/register/register.do

Opening a TAC Case

The online TAC Case Open Tool (http://www.cisco.com/tac/caseopen) is the fastest way to open P3 and P4 cases. (Your network is minimally impaired or you require product information). After you describe your situation, the TAC Case Open Tool automatically recommends resources for an immediate solution. If your issue is not resolved using these recommendations, your case will be assigned to a Cisco TAC engineer.

For P1 or P2 cases (your production network is down or severely degraded) or if you do not have Internet access, contact Cisco TAC by telephone. Cisco TAC engineers are assigned immediately to P1 and P2 cases to help keep your business operations running smoothly.

To open a case by telephone, use one of the following numbers:

Asia-Pacific: +61 2 8446 7411 (Australia: 1 800 805 227)
EMEA: +32 2 704 55 55
USA: 1 800 553-2447

For a complete listing of Cisco TAC contacts, go to this URL:

http://www.cisco.com/warp/public/687/Directory/DirTAC.shtml

TAC Case Priority Definitions

To ensure that all cases are reported in a standard format, Cisco has established case priority definitions.

Priority 1 (P1)—Your network is "down" or there is a critical impact to your business operations. You and Cisco will commit all necessary resources around the clock to resolve the situation.

Priority 2 (P2)—Operation of an existing network is severely degraded, or significant aspects of your business operation are negatively affected by inadequate performance of Cisco products. You and Cisco will commit full-time resources during normal business hours to resolve the situation.

Priority 3 (P3)—Operational performance of your network is impaired, but most business operations remain functional. You and Cisco will commit resources during normal business hours to restore service to satisfactory levels.

Priority 4 (P4)—You require information or assistance with Cisco product capabilities, installation, or configuration. There is little or no effect on your business operations.

Obtaining Additional Publications and Information

Information about Cisco products, technologies, and network solutions is available from various online and printed sources.

The Cisco Product Catalog describes the networking products offered by Cisco Systems, as well as ordering and customer support services. Access the Cisco Product Catalog at this URL:

http://www.cisco.com/en/US/products/products_catalog_links_launch.html

Cisco Press publishes a wide range of networking publications. Cisco suggests these titles for new and experienced users: Internetworking Terms and Acronyms Dictionary, Internetworking Technology Handbook, Internetworking Troubleshooting Guide, and the Internetworking Design Guide. For current Cisco Press titles and other information, go to Cisco Press online at this URL:

http://www.ciscopress.com

Packet magazine is the Cisco quarterly publication that provides the latest networking trends, technology breakthroughs, and Cisco products and solutions to help industry professionals get the most from their networking investment. Included are networking deployment and troubleshooting tips, configuration examples, customer case studies, tutorials and training, certification information, and links to numerous in-depth online resources. You can access Packet magazine at this URL:

http://www.cisco.com/go/packet

iQ Magazine is the Cisco bimonthly publication that delivers the latest information about Internet business strategies for executives. You can access iQ Magazine at this URL:

http://www.cisco.com/go/iqmagazine

Internet Protocol Journal is a quarterly journal published by Cisco Systems for engineering professionals involved in designing, developing, and operating public and private internets and intranets. You can access the Internet Protocol Journal at this URL:

http://www.cisco.com/en/US/about/ac123/ac147/about_cisco_the_internet_protocol_journal.html

Training—Cisco offers world-class networking training. Current offerings in network training are listed at this URL:

http://www.cisco.com/en/US/learning/index.html