Monday, March 27, 2006

Guide to Installing a Cisco PIX 501 Firewall

Setup, configuration, and additional resources for securing your PC

A firewall acts as a security guard, standing watch over data as it travels in and out of your network. Yet unlike a security guard, it doesn't rely on magic passwords or secret keystrokes to determine whether to accept or deny data. Instead, it refers to a set of rules in order to determine what is allowed to pass. While a properly configured firewall can keep unauthorized users out, an improperly configured one can halt both incoming and outgoing network traffic.

Both hardware and software firewalls are effective ways to safeguard your network, but we will focus here on setting up the Cisco PIX 501 firewall, available from TechSoup Stock.

This guide will explain what makes a PIX 501 firewall different, and describe its basic configuration. It also includes helpful Cisco links, a glossary, and resources for networking with other TechSoup users and consultants.

First Things First: What the Heck Is a Firewall?

A firewall is hardware or software that blocks communications forbidden by security policy in a networked environment. A firewall's packet filtering rules permit or deny certain users from sending or receiving certain types of information. Packet filters have no idea what kind of traffic is actually running over a connection; they see only the ports and IP addresses that the traffic is going to or coming from.

A special breed, the PIX firewall is more intelligent than your average packet filter. Its stateful inspection tracks the state of TCP connections and allows return traffic back in when the connection originated inside the network. Cisco's PIX also offers additional protocol options to make sure that incoming and outgoing protocols are legitimate.

Basic Configuration

Before setting up your firewall, check to make sure that it came with the following:
  • A beige PC terminal adapter
  • A blue console cable
  • A yellow straight-through cable
  • An orange crossover cable
  • A power supply
  • A power cable
  • Documentation
  • Installation software
  • Your PIX firewall

First, connect the power cable and turn on your PIX. Once you see the LEDs light up, it's time to move onto configuration. While the PIX is similar in function to a home firewall, its configuration is a bit more involved. You can’t just unwrap it, plug it in, and expect it to work.

Setup isn't very intuitive, so check your configuration with this Cisco documentation (PDF). (Go to Section 3, "Connect the Cables.")

Graphical Setup

There are two options for setup: console and graphical. If you want to go with a graphical setup, you'll find the PIX Device Manager -- an HTML configuration application -- bundled with PIX.

To get started with the graphical setup, point any Java-enabled browser at your internal IP address, better known as https://172.16.0.1. (Be sure to use "https" instead of "http" or the connection will fail.)

After you've entered your IP, the browser window will open, and you'll see a gray box, which is the PDM start screen. Go to the System Properties tab, expand Logging in the tree view, and select Logging Setup. Check the Enable Logging box and select Syslog in the tree view. If you've just installed PIX, then you won't see a configured server in the list by default.

To add a server, hit the Add button and start entering data into the dialog that appears. Because your syslog server is typically located on your network, select Inside from the Interface dropdown list.

Move onto the Protocol section, where you'll find two radio buttons. Select UDP as the protocol. The next field is the port value: enter "514", which is both the default and the standard syslog port.

Once you've configured PIX's syslog settings, click OK to get back to the main screen. At this point, your configuration hasn't been applied. To apply it, hit Apply to PIX and wait. This may take a while, depending on your configuration.

You'll also need to write those settings to the firewall's flash memory by hitting the Save to Flash Needed button at the top of the screen. If you skip this step, PIX may not forward syslog messages, or may stop forwarding them after a reboot. Once everything has been saved, a dialog box reading "Configuration saved to flash memory" will appear.

You should now be receiving syslog messages on your configured syslog server. At this point, close PDM. (You can always return to it later if you need to make adjustments.)
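To confirm that messages are actually arriving, here is a small added example (not code from the article or from Cisco) that parses PIX-style syslog datagrams and can listen on UDP 514, the port chosen in PDM above. It assumes the standard "<PRI>%PIX-severity-msgid: text" message shape with the PIX default facility local4 (20); the sample lines and addresses are constructed for illustration.

```python
import re
import socket

# Message shape: "<PRI>%PIX-<severity>-<msgid>: <text>", where PRI = facility * 8 + severity.
# The PIX default facility is local4 (20), so an informational (6) message carries PRI 166.
SYSLOG_RE = re.compile(r"^<(?P<pri>\d+)>%PIX-(?P<sev>\d)-(?P<msgid>\d{6}): (?P<text>.*)$")
SEVERITY_NAMES = {0: "emergency", 1: "alert", 2: "critical", 3: "error",
                  4: "warning", 5: "notification", 6: "informational", 7: "debugging"}

def parse_pix_syslog(line):
    """Parse one PIX syslog datagram into a dict; None if it is not a PIX message or its header is inconsistent."""
    m = SYSLOG_RE.match(line.strip())
    if not m:
        return None
    facility, sev_from_pri = divmod(int(m.group("pri")), 8)
    sev = int(m.group("sev"))
    if sev != sev_from_pri:  # severity in the PRI header must agree with the %PIX-n- tag
        return None
    return {"facility": facility, "severity": sev, "msgid": m.group("msgid"), "text": m.group("text")}

def count_by_severity(lines):
    """Tally parsed events by severity name; lines that do not parse are skipped."""
    counts = {}
    for ev in filter(None, map(parse_pix_syslog, lines)):
        name = SEVERITY_NAMES[ev["severity"]]
        counts[name] = counts.get(name, 0) + 1
    return counts

def listen(host="0.0.0.0", port=514):
    """Receive datagrams on UDP 514 (the port chosen in PDM) and print each parsed event.
    Binding a port below 1024 requires root/administrator privileges."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind((host, port))
    while True:
        data, (src, _) = sock.recvfrom(2048)
        ev = parse_pix_syslog(data.decode("ascii", errors="replace"))
        if ev:
            print(src, SEVERITY_NAMES[ev["severity"]], ev["msgid"], ev["text"])

# Constructed sample messages using documentation IP ranges, not captured from a real device.
SAMPLE_LINES = [
    "<166>%PIX-6-302013: Built outbound TCP connection 101 for outside:198.51.100.10/80 (198.51.100.10/80) to inside:192.168.1.20/3345 (203.0.113.5/1025)",
    '<164>%PIX-4-106023: Deny tcp src outside:198.51.100.77/4433 dst inside:203.0.113.5/23 by access-group "outside_in"',
    "<165>%PIX-5-111008: User 'enable_15' executed the 'logging on' command.",
    "not a pix message",
]
```

Run `count_by_severity(SAMPLE_LINES)` offline to see the tally, or `listen()` on the syslog host to watch live messages from the PIX.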

Before changing or modifying anything, make sure you know what you're doing, as inputting the wrong data or port can disrupt your network's traffic. Full documentation on configuring your PIX with the graphical installer can be found on MonitorWare.

Console Setup

Those who are more comfortable using the terminal can set up PIX using a terminal emulation program to talk to the PIX on a console port. (For instructions, check out TechSoup's article A Guide to Installing a Cisco PIX 501 Firewall: Advanced Setup.)

I Need Help!

Cisco provides excellent technical documentation, so if you’re not quite sure where to start, visit one of these links for help:

Defining Network Terms

Sometimes computer terms can sound a bit like gibberish. Read our glossary of important terms you may come across as you configure your firewall.

Static NAT: Also known as "one-to-one" NAT. For every public IP, there is one private IP statically mapped to it. An organization that has exactly one public IP address for every computer could use this sort of scheme. By statically NAT-ting computers on a firewall, a network administrator could filter out certain types of inbound traffic.

Dynamic NAT: Also known as "many-to-many" NAT. Statically NAT-ting all of the IPs in your organization is not practical, as public IPs are not always very easy to get. A range of IP addresses is shared between lots of private IP addresses. If someone is surfing the Web only, there's absolutely no need for them to have their own dedicated IP address.

Overloading: Also known as Port Address Translation (PAT), "NAT overloading," or "many-to-one" NAT. Overloading describes what we did in our basic configuration example. It is used when there is only one IP address to share with many people. The unique source port determines which internal (private) IP address gets the return traffic.

Overlapping: Used when your public IP addresses "overlap" with the public IP addresses of another network. The router translates the address in order to avoid a potential conflict with this other network.
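The Overloading entry above and the earlier description of stateful inspection describe the same mechanism from two sides. As an added illustration (not code from the article or from Cisco), this toy model of a PAT table assigns each inside socket a unique public source port and lets an inbound packet through only if it matches a translation that an inside host created; all addresses and ports are constructed.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int

class PatFirewall:
    """Toy model of PIX overloading (PAT) with stateful checks on return traffic."""

    def __init__(self, public_ip, first_port=1024):
        self.public_ip = public_ip
        self.next_port = first_port          # next unused public source port to hand out
        self.outbound = {}                   # (private_ip, private_port) -> public_port
        self.inbound = {}                    # (public_port, remote_ip, remote_port) -> (private_ip, private_port)

    def send_out(self, pkt):
        """Translate an outbound packet: many private sockets share one public IP,
        distinguished only by the public source port allocated here."""
        key = (pkt.src_ip, pkt.src_port)
        if key not in self.outbound:
            self.outbound[key] = self.next_port
            self.next_port += 1
        pub_port = self.outbound[key]
        # Remember the full connection so only the matching reply is allowed back in.
        self.inbound[(pub_port, pkt.dst_ip, pkt.dst_port)] = key
        return Packet(self.public_ip, pub_port, pkt.dst_ip, pkt.dst_port)

    def receive_in(self, pkt):
        """Untranslate an inbound packet if it is a reply to a connection opened from inside;
        return None (dropped) for anything unsolicited."""
        if pkt.dst_ip != self.public_ip:
            return None
        key = (pkt.dst_port, pkt.src_ip, pkt.src_port)
        if key not in self.inbound:
            return None                      # no inside host opened this connection
        priv_ip, priv_port = self.inbound[key]
        return Packet(pkt.src_ip, pkt.src_port, priv_ip, priv_port)
```

Two inside hosts may even use the same private source port; the unique public port is what routes each reply to the right machine.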

Help from TechSoup's Forums

Don't forget to tap your TechSoup community as a resource to help you set up your firewall. If you run into problems or want to help others, drop by TechSoup's Networks or Virus Vaccination and Computer Security forums and let us know what did and didn’t work for you.

Before you post, please make sure that you strip out any important identifying information (such as your public IP address). Post your configuration and a general description of your network layout and what you’re trying to accomplish and one of our moderators or forum members will do their best to point you in the right direction.

Finally, remember: While installing a hardware firewall is one of the best things you can do to secure your network from the outside, security should by no means end there. Firewalls alone cannot fully protect you from Internet threats, vengeful employees, a lack of password protection, spyware, or even viruses. Be sure to take precautions to safeguard your network from these threats, too.
