In this article, I'd like to share one of Cisco's solutions to the ever-vexing issue of secure remote management of the PIX Firewall. There will always be a need for administrators and managed service providers to access remote PIX Firewalls for monitoring, configuration, and troubleshooting. But because Telnet sends data in plain text, the designers of the PIX coded the PIX OS to disallow even the possibility of configuring telnet access to the outside (Public) interface. So, with Telnet unavailable, what can you do?
Cisco provides two mechanisms to securely access your PIX Firewall over an insecure medium, such as the Internet. The first is secure shell or SSH. The second is IPSec. If your only need for encryption is to secure access to the PIX CLI (command line interface), SSH is much more straightforward to configure and manage. This article discusses how to configure SSH on the PIX Firewall and how to obtain a SSH client.
SSH (Secure Shell) is a program to log into another computer over a network, to execute commands in a remote machine, and to move files from one machine to another. It provides strong authentication and secure communications over insecure networks. From the SSH Internet Draft at http://www.free.lp.se/fish/rfc.txt
The use of SSH provides a more secure alternative to telnet, which sends all data in plain text. In a SSH session, all data, including the initial sign-on and password submission, is encrypted using DES or 3DES symmetric block cipher. Both the client and server have generated RSA Public/Private Key pairs. Before the username/password is sent to the PIX, the client and the server exchange Public Keys. The PIX Firewall (acting as the SSH server) generates a session key and encrypts it with the client's RSA public key. Then, the client and server encrypt both the login authentication and all subsequent packets using the session key.
Note
The Cisco Secure PIX Firewall implements SSH v1. Although there have been many articles and papers written about vulnerabilities in SSH v1, the PIX Firewall is not vulnerable to either Traffic Analysis or Key Recovery exploits. There was a CRC-32 vulnerability, but it was patched in versions 5.2(6) and 5.3(2). All future releases of the PIX OS contain the CRC-32 fix. Another enhancement Cisco provides is the ability to add AAA authentication of the SSH session using TACACS+ or RADIUS.
Configuring the PIX for SSH Access
There are two sets of tasks you need to complete to use SSH to access your PIX:
- Configure the PIX to accept SSH connections
- Configure your SSH Client to connect to the PIX
Each will be discussed in the sections that follow.