This topic discusses the configuration and handling of application inspection for the remote shell (RSH), SQL*Net, ESMTP, ICMP, and SNMP protocols.
Remote Shell
Remote shell (RSH) uses two channels for communication. When a client first starts an RSH connection, it opens a TCP channel from one of its high-order ports to port 514 on the server. The server then opens a second channel back to the client, on a port the client announced in the initial request, and uses it for standard error output. Because that second connection is initiated by the server, a firewall has to inspect the first channel to know when to permit it.
For RSH traffic, the PIX Security Appliance behaves in the manner shown in the figure.
By default, the security appliance inspects port 514 connections for RSH traffic. If RSH servers are using ports other than port 514, the class-map command can be used to identify these other traffic flows by their RSH TCP port numbers. To enable RSH application inspection, use the inspect rsh command in policy map class configuration mode. To remove RSH inspection, use the no form of this command. If the inspect rsh command is not enabled, then:
- Outbound RSH will not work properly for that traffic, because the standard error channel that the outside server opens back to the inside client arrives as an unsolicited inbound connection and is dropped.
- Inbound RSH will work properly on that port if an ACL permitting port 514 to the inside server exists, because the standard error channel is then opened from the inside server outward and is allowed like any other outbound connection.
SQL*Net
SQL*Net only uses one channel for communication, but it can be redirected to a different port and, even more commonly, to a different secondary server altogether. When a client starts an SQL*Net connection, it opens a standard TCP channel from one of its high-order ports to port 1521 on the server. The server then redirects the client to a different port or IP address. The client tears down the initial connection and establishes the second connection.
For SQL*Net traffic, the PIX Security Appliance behaves in the manner shown in the figure.
By default, the PIX Security Appliance inspects port 1521 connections for SQL*Net traffic. If SQL*Net servers are using ports other than port 1521, the class-map command can be used to identify these other traffic flows by their SQL*Net port numbers. To enable SQL*Net application inspection, use the inspect sqlnet command in policy map class configuration mode. To remove SQL*Net inspection, use the no form of this command. If the inspect sqlnet command is not enabled, then:
- Outbound SQL*Net will work properly on that port as long as outbound traffic is not explicitly disallowed, because the redirected second connection is also initiated from the inside.
- Inbound SQL*Net will not work properly on that port, because the client's second connection goes to a port or address that an ACL permitting only port 1521 does not cover; with inspection enabled, the appliance reads the redirect and permits that second connection.
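The following configuration is an added example for the RSH and SQL*Net sections above; it is not text from the original page and not Cisco's own documentation. It shows the PIX 7.x Modular Policy Framework commands that enable both inspection engines on their default ports and on non-default ports identified with class-map. The class-map and access-list names and the alternate ports 2514, 3514 and 1526 are assumptions chosen for illustration.

```text
! Added example, not from the original page. Class-map and access-list names
! and the alternate ports (2514, 3514, 1526) are assumptions for illustration.

! Standard ports. The built-in class inspection_default matches the default
! port of every inspection engine (TCP 514 for RSH, TCP 1521 for SQL*Net),
! so the engines only need to be enabled under it.
!
! Non-standard ports. Flows to other ports never hit the default class and
! must be identified by their own class-map. A Layer 3/4 class-map accepts a
! single match line, so an access-list (or "match port tcp range") is used
! when more than one port has to be matched.
access-list RSH_ALT_PORTS extended permit tcp any any eq 2514
access-list RSH_ALT_PORTS extended permit tcp any any eq 3514
class-map rsh-alt-ports
 match access-list RSH_ALT_PORTS
class-map sqlnet-alt-ports
 match port tcp eq 1526

policy-map global_policy
 class inspection_default
  inspect rsh
  inspect sqlnet
 class rsh-alt-ports
  inspect rsh
 class sqlnet-alt-ports
  inspect sqlnet

! Apply the policy on every interface.
service-policy global_policy global

! Verify that the engines are active, then watch the secondary channels
! (the server-initiated RSH stderr connection, the redirected SQL*Net
! connection) appear as permitted connections once inspection is on.
show service-policy inspect rsh
show service-policy inspect sqlnet
show conn
```

The "no inspect rsh" or "no inspect sqlnet" form under the same class removes an engine again; after removing it, outbound RSH and inbound SQL*Net on that class will fail in exactly the way the bullets above describe, which is a quick way to confirm the engine was doing the work.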
ESMTP
Extended SMTP (ESMTP) is an enhancement to the SMTP protocol and is similar in most respects to SMTP. ESMTP application inspection provides improved protection against SMTP-based attacks by restricting the types of SMTP commands that can pass through the PIX Security Appliance. ESMTP application inspection supports the commands shown in the figure. To enable ESMTP inspection, use the inspect esmtp command.
ICMP
Without ICMP stateful inspection, ICMP can be used to attack the network, because replies are not tied to the requests that caused them. ICMP inspection enables the PIX Security Appliance to track ICMP traffic so it can be inspected like TCP and UDP traffic, on the principle that a single request should produce a single reply. When ICMP inspection is enabled, the ICMP payload is scanned to retrieve the pertinent session information from the original packet: source IP address, destination IP address, protocol, identification number, and sequence number. The PIX matches this session information for each ICMP request and response pair and allows a reply only when its session information matches an outstanding request, so that there is exactly one response for each request. An example of ICMP inspection is shown in the figure. To configure the ICMP inspection engine, use the inspect icmp command in policy map class configuration mode.
SNMP
By default, the PIX Security Appliance performs no inspection of SNMP. The snmp-map and inspect snmp commands can be used to filter SNMP traffic based on the SNMP protocol version field in the packets. To configure SNMP version blocking, first define an SNMP map and then apply the SNMP map in an SNMP inspection policy.
Use the snmp-map command to identify the SNMP protocol version or versions to deny. When the administrator enters this command, the PIX Security Appliance enters SNMP map configuration mode. From SNMP map configuration mode, the administrator uses the deny version command to name which SNMP protocol version to deny: 1, 2, 2c, or 3. Versions 1 and 2c authenticate only with a clear-text community string, so denying them restricts management traffic to SNMPv3, which supports message authentication and encryption. After defining the SNMP map, the administrator applies it with the inspect snmp map_name command, and the PIX inspects SNMP traffic according to the contents of the SNMP map.
To identify a specific map for defining the parameters for SNMP inspection, use the snmp-map map_name command. To remove the map, use the no form of this command. To enable SNMP inspection, use the inspect snmp map_name command in a policy map. To remove the configuration, use the no form of this command.
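The following configuration is an added example for the ESMTP, ICMP and SNMP sections above; it is not text from the original page and not Cisco's own documentation. It shows an snmp-map that denies the SNMP versions without message authentication, applied with inspect snmp under the same default class that enables the ESMTP and ICMP engines. The map name DENY_SNMP_V1_V2 is an assumption.

```text
! Added example, not from the original page. The map name DENY_SNMP_V1_V2
! is an assumption for illustration.

! 1. Define the SNMP map. Each "deny version" line names one version to
!    drop. Denying 1, 2 and 2c leaves only SNMPv3, the version that supports
!    message authentication and privacy.
snmp-map DENY_SNMP_V1_V2
 deny version 1
 deny version 2
 deny version 2c

! 2. Apply the map with "inspect snmp" under the class that already matches
!    the default ports of each engine (UDP 161/162 for SNMP, TCP 25 for
!    ESMTP, and ICMP for ICMP), alongside the other two engines.
policy-map global_policy
 class inspection_default
  inspect esmtp
  inspect icmp
  inspect snmp DENY_SNMP_V1_V2
service-policy global_policy global

! 3. Verify. The first command shows the map as configured; the others show
!    that the engines are attached to the policy and count inspected packets.
show running-config snmp-map
show service-policy inspect snmp
show service-policy inspect icmp
show service-policy inspect esmtp
```

To block a single version instead, keep only that version's deny line; "no inspect snmp DENY_SNMP_V1_V2" under the class detaches the map without deleting it, and "no snmp-map DENY_SNMP_V1_V2" removes the map itself.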