Policy compiler for Cisco PIX

Firewall Builder for PIX: Overview

Key features:

  • designed for complex firewall configurations
  • can control multiple firewalls from the central management station
  • utilizes an object-oriented approach to firewall policy design
  • simplifies policy design
  • can install policy updates without disrupting sessions opened through the firewall

Cisco PIX is widely respected for its high performance and variety of features; however, it is also well known to be rather difficult to configure and manage. Firewall Builder for PIX solves this problem. It hides the complexity of the PIX command line interface and automatically configures options and parameters that make manual configuration a real chore. To name just a few examples, Firewall Builder for PIX completely automates management of the global address pools, watches for conflicts between global pools and static commands, properly chooses “nat” or “static” commands for a given address translation rule, and does many other things for you.

Existing solutions, such as PDM, work fine for small installations but their limitations quickly become evident as firewall policy grows and becomes complex. PDM does not help with assigning rules to interfaces, it works on the same low level of “nat”, “global” and “static” commands for NAT, it does not allow for nesting of object groups and has other limitations. Firewall Builder and Firewall Builder for PIX have been designed for management of the complex firewall policies in environments with many firewalls.

Firewall Builder for PIX is a component that works as part of the Firewall Builder suite of programs. This means you can easily control and configure several different firewalls from the same management workstation. Firewall Builder provides a unified view and a standardized interface for management of all supported firewalls regardless of the platform, which opens a unique opportunity to minimize cost in large firewall deployments by choosing firewall platforms from the wide variety of available solutions.

Firewall Builder for PIX provides unprecedented flexibility: you can use a mix of cheap but powerful Open Source firewalls and proven rock solid Cisco PIX devices in the network and control all of them from the same central management station.

Firewall Builder works on all major Linux distributions, FreeBSD, Windows 2000 and XP, as well as Mac OS X.


As of Firewall Builder v2.1.18, Firewall Builder for Cisco IOS ACL has been released under GPL and included in the main package together with other policy compilers and the GUI.

Requirements

Firewall Builder for PIX requires Firewall Builder API and GUI v2.1 or later.

Summary of Features

Policy Compiler for Cisco PIX

Technical Summary

Generating firewall policy:

Policy rules are represented in terms of “Source”, “Destination”, and “Service” rule elements. Correct PIX commands are chosen and used for each combination of objects in these rule elements. In particular, the compiler can do the following:

  • Can generate PIX Access Lists (ACLs) and automatically uses “object-group” commands where appropriate to reduce the size of generated configuration;
  • Can emulate outbound ACLs;
  • Can automatically assign firewall policy rules to interfaces of the firewall so that administrator does not have to do it manually. At the same time, GUI and policy compiler support manual assignment of rules to interfaces if it is so desired;
  • Can automatically generate “icmp” command when appropriate;
  • Can distinguish between rules that control telnet and ssh access to the firewall and rules that control access on the same protocols to hosts behind the firewall; it generates “telnet” and “ssh” commands for the former and adds lines to the “access-list” for the latter. The administrator can freely mix and match objects in the rules in the GUI because the compiler automatically determines which objects control access to the firewall and generates the correct commands;

Advanced features for policy generation:

  • Firewall Builder for PIX provides a GUI control “assume firewall is part of any”. This option affects the way the compiler generates code for “icmp” and “ssh/telnet” commands, which works as follows:
    • if this option is off, then “icmp” and “ssh/telnet” commands are generated only for rules where the firewall object is in Destination. All other rules, including those with Destination “Any”, generate access lists;
    • if this option is on, the compiler treats “Any” as if it included the firewall as well, so rules where Destination is “Any” generate both access-list and “ssh/telnet” commands.
  • Firewall Builder for PIX also has a GUI control “replace natted objects with their translations”. If this option is ON, the compiler automatically finds policy rules that control access to objects that have “static” translations and generates additional access lists for the translated addresses. This feature allows the user to build policy rules as if PIX could apply access lists after translation, which makes the policy a lot simpler and easier to understand.
  • If the option “replace natted objects with their translations” is ON, the policy compiler can distinguish between rules controlling SSH or telnet access to the firewall itself and rules controlling such access to internal hosts through a “static” translation that uses the interface address.
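The following is an added example, not Firewall Builder code, that models the two decisions described above for a single policy rule: whether ssh/telnet access to the PIX itself is expressed with dedicated “ssh”/“telnet” commands or with access-list entries (honouring “assume firewall is part of any”), and when an “object-group” is worth defining to collapse a many-to-many rule into one access-list line. The Rule shape, the FIREWALL/ANY markers, the helper names and the sample addresses are this example's own assumptions; only the generated command syntax follows PIX.

```python
# Added example (not Firewall Builder code): a toy model of how a PIX policy
# compiler picks commands for one rule. Rule shape and helper names are
# assumptions made for this example.
from dataclasses import dataclass

FIREWALL = "firewall"   # marker for "the PIX itself" used as a rule object
ANY = "any"             # marker for the "Any" object
ADMIN_PORTS = {22: "ssh", 23: "telnet"}   # services with dedicated PIX commands


def host(addr):
    """Constructed address object: a single host (mask 255.255.255.255)."""
    return {"addr": addr, "mask": "255.255.255.255"}


def network(addr, mask):
    """Constructed address object: a subnet."""
    return {"addr": addr, "mask": mask}


@dataclass
class Rule:
    acl_name: str
    sources: list          # address objects, or ANY
    destinations: list     # address objects, ANY, or FIREWALL
    tcp_ports: list        # destination TCP ports (the "Service" element)
    interface: str = "outside"   # interface the rule is assigned to


def acl_operand(objs, group_name, out):
    """Render one ACL operand; define an object-group when there is more than one object."""
    if ANY in objs:
        return "any"
    if len(objs) == 1:
        o = objs[0]
        return f"host {o['addr']}" if o["mask"] == "255.255.255.255" else f"{o['addr']} {o['mask']}"
    out.append(f"object-group network {group_name}")
    for o in objs:
        if o["mask"] == "255.255.255.255":
            out.append(f" network-object host {o['addr']}")
        else:
            out.append(f" network-object {o['addr']} {o['mask']}")
    return f"object-group {group_name}"


def compile_rule(rule, assume_fw_in_any=False):
    """Return (admin_cmds, acl_cmds) for one rule.

    admin_cmds: "ssh"/"telnet" commands for access to the PIX itself.
    acl_cmds:   object-group definitions followed by access-list entries.
    Non-admin traffic addressed to the PIX itself is outside this toy model.
    """
    admin, acl = [], []
    fw_is_target = FIREWALL in rule.destinations or (assume_fw_in_any and ANY in rule.destinations)
    # 1. ssh/telnet access to the firewall itself uses dedicated commands
    if fw_is_target:
        for port, cmd in ADMIN_PORTS.items():
            if port not in rule.tcp_ports:
                continue
            for s in rule.sources:
                addr, mask = ("0.0.0.0", "0.0.0.0") if s == ANY else (s["addr"], s["mask"])
                admin.append(f"{cmd} {addr} {mask} {rule.interface}")
    # 2. traffic to hosts behind the firewall (and to "Any") becomes access-list entries
    net_dsts = [d for d in rule.destinations if d != FIREWALL]
    if net_dsts:
        src = acl_operand(rule.sources, f"{rule.acl_name}_src", acl)
        dst = acl_operand(net_dsts, f"{rule.acl_name}_dst", acl)
        for port in rule.tcp_ports:
            acl.append(f"access-list {rule.acl_name} permit tcp {src} {dst} eq {port}")
    return admin, acl


def ace_count_without_groups(rule):
    """Number of access-list lines the same rule would need without object-groups."""
    n_dst = len([d for d in rule.destinations if d != FIREWALL])
    return len(rule.sources) * n_dst * len(rule.tcp_ports)


if __name__ == "__main__":
    # constructed sample: two admin hosts may reach two servers on 80/443
    r = Rule("outside_in", [host("203.0.113.10"), host("203.0.113.11")],
             [host("10.1.1.5"), host("10.1.1.6")], [80, 443])
    admin_cmds, acl_cmds = compile_rule(r)
    print("\n".join(acl_cmds))
    print(f"# {len([l for l in acl_cmds if l.startswith('access-list')])} ACEs with groups,"
          f" {ace_count_without_groups(r)} without")
```

With the management rule (destination = the firewall, service = ssh) the function emits only an “ssh” line and no access-list entry; with destination “Any” it emits only the access-list entry unless assume_fw_in_any is set, in which case both appear, which is exactly the behaviour the option description above spells out.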

Generating NAT rules:

NAT rules are represented in terms of “Original Source”, “Original Destination”, “Original Service”, “Translated Source”, “Translated Destination”, and “Translated Service” rule elements. Correct PIX commands are chosen and used for each combination of objects in these rule elements. In particular, the compiler can do the following:

  • Can generate “nat” commands with appropriate global pools of addresses for translations going “inside-out”, can reuse global pools where appropriate;
  • Can generate “static” commands for translations going from outside to inside;
  • Can use “interface” versions of global pools and static translations;
  • Can generate “nat 0” and “static (interface1,interface2) addr addr” commands for “no translation” cases;
  • Can verify rules for typical problems, such as overlapping global pools, overlapping global pools and static translations and so on;
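The overlap check in the last bullet is the kind of verification a practitioner wants to run over a PIX configuration before activating it, because two global pools (or a pool and a “static”) that share addresses silently break translations. The following is an added example, not Firewall Builder's own checker, that parses “global” and “static” lines and reports overlapping address ranges; the sample configuration is constructed for the example, and “interface” pools and statics are skipped because they carry no fixed range to compare.

```python
# Added example (not Firewall Builder code): find overlapping global pools and
# static translations in PIX NAT configuration lines. Sample config below is
# constructed for this example.
import ipaddress
import re

# global (if_name) nat_id {global_ip[-global_ip] [netmask mask] | interface}
GLOBAL_RE = re.compile(r"^global \((\S+)\) (\d+) (\S+)(?: netmask (\S+))?")
# static (real_if,mapped_if) {mapped_ip | interface} real_ip [netmask mask]
STATIC_RE = re.compile(r"^static \((\S+),(\S+)\) (\S+) (\S+)(?: netmask (\S+))?")


def parse_nat(lines):
    """Return (pools, statics); each entry is (label, first_addr_int, last_addr_int)."""
    pools, statics = [], []
    for raw in lines:
        line = raw.strip()
        m = GLOBAL_RE.match(line)
        if m:
            iface, pool_id, spec, _mask = m.groups()
            if spec == "interface":      # interface PAT: no fixed range to compare
                continue
            lo, hi = spec.split("-") if "-" in spec else (spec, spec)
            pools.append((f"global ({iface}) {pool_id} {spec}",
                          int(ipaddress.IPv4Address(lo)), int(ipaddress.IPv4Address(hi))))
            continue
        m = STATIC_RE.match(line)
        if m:
            in_if, out_if, mapped, _real, mask = m.groups()
            if mapped == "interface":    # static to the interface address: skipped here
                continue
            # a net-static with a netmask covers a whole block of mapped addresses
            net = ipaddress.IPv4Network(f"{mapped}/{mask or '255.255.255.255'}", strict=False)
            statics.append((f"static ({in_if},{out_if}) {mapped}", int(net[0]), int(net[-1])))
    return pools, statics


def overlaps(a, b):
    """True when the two (label, first, last) ranges share at least one address."""
    return a[1] <= b[2] and b[1] <= a[2]


def find_conflicts(lines):
    """Report every pool/pool and pool/static overlap as a human-readable line."""
    pools, statics = parse_nat(lines)
    problems = []
    for i, p in enumerate(pools):
        for q in pools[i + 1:]:
            if overlaps(p, q):
                problems.append(f"global pools overlap: {p[0]} and {q[0]}")
        for s in statics:
            if overlaps(p, s):
                problems.append(f"global pool overlaps static: {p[0]} and {s[0]}")
    return problems


# Constructed sample: pool 2 collides with both pool 1 entries, and the first
# static maps into the middle of pool 1.
SAMPLE_CONFIG = """
nat (inside) 1 10.1.0.0 255.255.0.0
global (outside) 1 192.0.2.10-192.0.2.20 netmask 255.255.255.0
global (outside) 1 192.0.2.21 netmask 255.255.255.0
global (outside) 2 192.0.2.18-192.0.2.25 netmask 255.255.255.0
static (inside,outside) 192.0.2.15 10.1.1.5 netmask 255.255.255.255 0 0
static (inside,outside) 192.0.2.40 10.1.1.6 netmask 255.255.255.255 0 0
global (outside) 3 interface
""".strip().splitlines()

if __name__ == "__main__":
    for problem in find_conflicts(SAMPLE_CONFIG):
        print(problem)
```

Ranges are compared as integer intervals, so a single PAT address, a pool range and a net-static block are all handled by the same test; extending the check to “nat 0” or policy NAT would only mean adding parsers that produce the same (label, first, last) tuples.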

General PIX setup:

  • Can generate “fixup” commands;
  • Can generate “timeout” commands;
  • Can generate proper snmp, logging, ntp configuration commands;
  • Can generate subset of “sysopt” commands;

Support for PIX v6.3

Firewall Builder for PIX supports the following features that appeared in PIX v6.3:
  • New fixup commands: “ctiqbe”, “dns”, “icmp error”, “mgcp”, “pptp”, “sip udp”, “tftp”
  • New logging features: syslog level and logging interval can be set for an individual ACL rule. Corresponding GUI controls have been added in fwbuilder, and changes have been made to the rule options column and pop-up dialog for permit rules, as well as to the logging icon.
  • support for “logging device-id” command
  • support for logging in EMBLEM format
  • support for marking ACL commands with original rule numbers using ACL remarks.
  • Commands “sysopt route dnat” and “sysopt security fragguard” are deprecated in v6.3. The compiler is aware of this.
  • v6.3 permits using an interface name in an ACL. The compiler generates the appropriate ACL using the “interface nnnn” option if the PIX OS version is 6.3 or later; compilation is aborted with an error if the version is lower than 6.3.
  • support for policy NAT in both “nat” and “static” commands
  • support for “max_conns” and “emb_limit” options in “nat” and “static” commands

Support for PIX v7.x

Firewall Builder for PIX v2.1.7 adds support for PIX v7.x; this includes outbound ACLs and “inspect” commands. Firewall Builder GUI 2.1 can dynamically show the “inspect” commands that will be generated for a given combination of protocols and parameters defined in the GUI. The different syntax of the command used to configure IP addresses on interfaces is also supported.

Policy Installation

Firewall Builder 2.x comes with a built-in policy installer that uses an external ssh client program to communicate with the firewall. The installer can be used with all supported firewall types: iptables, ipfilter, pf and PIX. On Linux, FreeBSD and Mac OS X the installer uses the standard OpenSSH client that comes with the system. On Windows it uses PuTTY or SecureCRT, which should be downloaded and installed separately.

Firewall configuration can be generated and installed in one of the following three ways (controlled by a setting in the firewall object):

  • The compiler generates “clear access-list” commands to clear all access lists and then creates them anew. This method is the simplest one but carries the risk of blocking access between the management computer and the firewall in the middle of the policy activation.
  • The compiler does not generate “clear access-list” commands at all. This method is intended to be used with external policy activation scripts.
  • “Safety net” install. In this case the compiler creates a small access list that only permits ssh access from the management computer to the firewall. During policy activation this list is installed on the interface marked in the Firewall Builder GUI as the “management interface”, then the main access lists are cleared and recreated. Finally, the temporary access list is swapped for the real one.

Copyright © 2000-2008 NetCitadel, LLC. All rights reserved.