The Function of Fixups


The PIX firewall implements fixup protocol features to help overcome the difficulties with advanced protocols. The fixup protocols perform what is known as application inspection on a limited number of advanced protocols. The inspection monitors the traffic across the PIX and dynamically opens and closes connection slots between the inside and outside interfaces. Fixups try to make the connections as secure as possible by dynamically opening only the necessary ports.

If fixup protocols did not exist, you would have to open large numbers of ports with ACLs or the established command to allow this traffic to pass, effectively compromising the granularity and overall value of your security solution. Table 8.1 displays some of the available fixup protocols with their respective default ports and functions.

Table 8.1. Available Fixup Protocols

Protocol     Default Port    Function
FTP          21              Helps correct standard and passive FTP problems.
H323 h225    1720            Monitors and helps correct multimedia applications that use H323 through the PIX firewall.
H323 RAS     1718 and 1719   Works with the H323 protocol suite.
HTTP         80              Helps monitor HTTP and is required for WebSense or N2H2 URL filtering services.
ILS          389             Helps correct LDAP transactions across the PIX firewall.
RSH          514             Remote Shell.
RTSP         554             Real-Time Streaming Protocol.
SMTP         25              Simple Mail Transport Protocol.
SQL*Net      1521            Oracle communications.
SIP          5060            Session Initiation Protocol.
SCCP         2000            Skinny Client Control Protocol.

The show fixup Command

You can use the show fixup command to display the active fixup protocols on the PIX firewall. Listing 8.1 displays the output of the show fixup command.

Listing 8.1 show fixup Command Example
 pixfirewall(config)# show fixup
 fixup protocol ftp 21
 fixup protocol http 80
 fixup protocol h323 h225 1720
 fixup protocol h323 ras 1718-1719
 fixup protocol ils 389
 fixup protocol rsh 514
 fixup protocol rtsp 554
 fixup protocol smtp 25
 fixup protocol sqlnet 1521
 fixup protocol sip 5060
 fixup protocol skinny 2000
 pixfirewall(config)#

The fixup protocol Command

The standard fixup command is similar for all the protocols listed in Table 8.1. Most protocols can have additional ports assigned to them that will enable application inspection monitoring of nonstandard ports for that protocol. This is the standard fixup protocol command's syntax:

 pixfirewall(config)# [no] fixup protocol <prot> [<option>] <port>[-<port>] 

Table 8.2 displays the fixup protocol options.

Table 8.2. fixup protocol Command Options

Option       Function
prot         Protocol setting, such as HTTP, SIP, RTSP, and so on.
port-port    A single port or a range of ports on which application inspection is enabled for the protocol given in the prot option.

The following example adds a single port and a range of nonstandard ports for RTSP:

 pixfirewall(config)# fixup protocol rtsp 1501
 pixfirewall(config)# fixup protocol rtsp 1700-1710
 pixfirewall(config)# show fixup protocol rtsp
 fixup protocol rtsp 554
 fixup protocol rtsp 1501
 fixup protocol rtsp 1700-1710
 pixfirewall(config)#
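Because every extra port added with fixup protocol widens what the PIX inspects and dynamically opens, and every fixup removed with the no form turns that inspection off, it is worth auditing the show fixup output against the Table 8.1 defaults. The following Python script is an added example (not from the book or from Cisco): it parses show fixup lines and reports fixups that are missing and nonstandard ports that were added. The sample output is constructed from Listing 8.1 with the RTSP ports above added and the SMTP fixup removed.

```python
import re

# Default fixup protocols and ports as listed in Table 8.1.
DEFAULT_FIXUPS = {
    "ftp": {21}, "http": {80}, "h323 h225": {1720}, "h323 ras": {1718, 1719},
    "ils": {389}, "rsh": {514}, "rtsp": {554}, "smtp": {25},
    "sqlnet": {1521}, "sip": {5060}, "skinny": {2000},
}

# Matches "fixup protocol <prot> <port>[-<port>]"; h323 carries a second word (h225/ras).
FIXUP_RE = re.compile(r"^\s*fixup protocol (\S+(?: (?:h225|ras))?) (\d+)(?:-(\d+))?\s*$")

# Constructed sample: Listing 8.1 output with RTSP 1501 and 1700-1710 added and SMTP removed.
SAMPLE_SHOW_FIXUP = """\
pixfirewall(config)# show fixup
fixup protocol ftp 21
fixup protocol http 80
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol rtsp 1501
fixup protocol rtsp 1700-1710
fixup protocol sqlnet 1521
fixup protocol sip 5060
fixup protocol skinny 2000
pixfirewall(config)#
"""

def parse_show_fixup(output):
    """Return {protocol: set_of_ports} from show fixup output; prompt lines are skipped."""
    active = {}
    for line in output.splitlines():
        m = FIXUP_RE.match(line)
        if not m:
            continue
        proto, lo, hi = m.group(1), int(m.group(2)), m.group(3)
        hi = int(hi) if hi else lo  # single port or inclusive range
        active.setdefault(proto, set()).update(range(lo, hi + 1))
    return active

def audit_fixups(output):
    """Return (fixups missing vs. defaults, {protocol: extra nonstandard ports})."""
    active = parse_show_fixup(output)
    missing = sorted(p for p in DEFAULT_FIXUPS if p not in active)
    extra = {p: sorted(ports - DEFAULT_FIXUPS.get(p, set())) for p, ports in active.items()}
    return missing, {p: ports for p, ports in extra.items() if ports}

if __name__ == "__main__":
    print(audit_fixups(SAMPLE_SHOW_FIXUP))
```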

The clear fixup Command

The clear fixup command resets the fixup protocol to the default values, like so:

 pixfirewall(config)# clear fixup 


CSPFA Exam Cram 2 (Exam 642-521)
CCSP CSPFA Exam Cram 2 (Exam Cram 642-521)
ISBN: 0789730235
Year: 2003
Pages: 218
