
I have a PIX 515e running PIX OS 6.3 w/ 64MB RAM, 3 ethernet interfaces, only 2 in use. I am using it as an internet gateway for ~100 devices, daily peak of about 6 Mbps (megabits per second) inbound, about 10%-20% of that value outbound. It works great for this, no problems. We do not use any VPN features. Although the PIX does not know/care about this, most clients are wireless.

We are having compliance/policy problems so we want to force users to authenticate before using the internet and supplement with detailed logs. I recommended replacing the PIX with another product; my suggestion (windows + unnamed portal software) has failed miserably so we are back to using the PIX which has always worked perfectly. So I've burned up some of my budget on this but I need to come up with a solution, ideally using what I have.

My understanding is that the PIX can in fact authenticate users and audit access. I really don't need detailed URL logs; really what I need is accurate date+time, username, MAC address, local IP address, local port (translated + untranslated), remote IP, remote port, and octet count.

I believe I have a handle on the logging, so my questions are:

1) can this PIX require authentication before allowing internet access? I mean ALL internet access (games, telnet, ...), not just HTTP. Any guidance on making this work? Note: I do not have control over my users devices, I can deny them access (with cause), but I cannot install software on their computers.

2) Right now any internet enabled device (PC, Mac, iphone, android) can access the internet. I want to make sure that they continue to work, so are the changes generic enough to work with these existing devices?

3) will this pix be overburdened (CPU/memory) if I proceed? I have seen 800+ packets per second at peak times.

4) if this is a bad idea, please offer suggestions

Note I don't really want to discuss the policy. If the users want to go outside the policy they agreed to, I really don't care, but they need to use/buy their own 3G service for such activity and stay off the (W)LAN.

user32996

2 Answers


The only authentication that I'm aware of in PIX OS relates to authenticating users for VPN or administrative sessions.

That aside, the only way to do the things you describe in item 1 ("I mean ALL internet access (games, telnet, ...), not just HTTP.") is going to involve a shim in the TCP/IP stack on all the client devices (much like the "Firewall Client" that Microsoft ISA Server uses), since per-user authentication information isn't carried around in IP datagrams, TCP segments, etc. Getting that to work with your embedded clients ("iphone, android") is going to be pretty tough. If you want per-user authentication of all protocol usage, though, that's really the only route.

You can use hacks that products like Websense or the Barracuda filtering appliances use to monitor Windows domain controllers and keep an internal "state table" of user sessions associated with client device IP addresses. Terminal Server computers will play hell with this, though. Any devices that don't perform Windows domain authentication will be "invisible" (in terms of the user associated with the client device's IP address) to such hackery, too.

The PIX can generate per-NAT-translation statistics similar to what you're looking for via SYSLOG, but there won't be any per-user authentication. You'll also have to code something to parse the log data or purchase a third-party parsing product.

Evan Anderson

First, I would recommend upgrading your RAM and updating the device to PIX OS v8. This will be the most recent software available for your device, and will enable a lot of extra features that you may find useful, but more importantly will address a lot of security holes that have been patched over the years. The good thing with this upgrade is that the 515e is, really, just a PC board with desktop-class SDRAM. It maxes out at 128MB (2x64MB) and takes short sticks. Depending on your support contract, pretty much any PC133 RAM will work.

What you're looking for is called 'Cut-Through Proxy', which is supported in PIX OS v6.3 and later. When configured, the PIX prompts for username/password whenever a connection is established. See here for more details. However, only the following services are supported:

  • telnet
  • ftp
  • http
  • https

If you go this route, I would not expect your device to be overburdened. Even in the current configuration, you are operating well under spec.

Scott Pack
  • thank you, I needed that terminology, I've been searching for all of the wrong terms. Here's something I found on that page which looks helpful: "Although you can configure network access authentication for any protocol or service (see the aaa authentication match or aaa authentication include command), you can authenticate directly with HTTP, Telnet, or FTP only. A user must first authenticate with one of these services before other traffic that requires authentication is allowed through." – user32996 Jan 27 '10 at 14:27
  • Make sure to test this first. I suspect it will likely be flow based, so any peer-to-peer system (like some network gaming) might be awfully auth heavy. – Scott Pack Jan 27 '10 at 14:58
  • for future reference these commands seem to approach what I wanted to do (have not actually tested whether UDP is being limited yet): "aaa authentication include tcp/0 inside 0 0 0 0 LOCAL" and "aaa authentication include udp/0 inside 0 0 0 0 LOCAL" – user32996 Jan 27 '10 at 15:23
  • STEP 1: try to remote desktop to outside server, fails as desired. STEP 2: open web browser, forced to HTTP authenticate. STEP 3: retry remote desktop, voila, starts working. – user32996 Jan 27 '10 at 15:24
  • also, verified UDP is blocked because DNS resolution stops working as well. That actually makes it difficult to trigger HTTP authentication by first browsing to a website – user32996 Jan 27 '10 at 15:30
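Evan's answer notes that the PIX will emit per-connection syslog messages but that you will have to write something to parse them, and the comment thread shows that once cut-through proxy is in place the authenticated username gets attached to those connections. The following is an added example (not code from the thread or from Cisco) that turns those messages into the records the question asks for: timestamp, user, inside IP and port, translated IP and port, remote IP and port, and byte count. It assumes the message formats Cisco documents for %PIX-6-109005 (authentication succeeded), %PIX-6-302013 (Built TCP connection, with the user in a trailing parenthesis when known) and %PIX-6-302014 (Teardown TCP connection), a "Mon DD YYYY HH:MM:SS host" prefix as written by a syslog server with `logging timestamp` enabled, and that the protected network sits on the interface named `inside`. The log lines in the block are constructed to that format, not real captures. Note that a MAC address is not present in any of these messages, so that field would have to come from the wireless controller or DHCP logs instead.

```python
"""Parse PIX 6.3 'Built'/'Teardown' TCP connection syslog messages into
per-connection records with the user tagged by cut-through proxy.

Added example, not from the original thread. Assumes Cisco's documented
formats for %PIX-6-109005, %PIX-6-302013 and %PIX-6-302014 and a
'Mon DD YYYY HH:MM:SS host' syslog prefix; the inside interface is 'inside'.
"""
import re

# Constructed sample lines (not real captures), following the documented
# message syntax. 41235 has no "(user)" tag on the Built line, so its user
# must be recovered from the earlier 109005 message for the same inside IP.
SAMPLE_LOG = """\
Jan 27 2010 14:20:01 pix-gw %PIX-6-109005: Authentication succeeded for user 'bob' from 10.1.1.50/0 to 203.0.113.10/80 on interface inside
Jan 27 2010 14:20:02 pix-gw %PIX-6-302013: Built outbound TCP connection 41234 for outside:203.0.113.10/80 (203.0.113.10/80) to inside:10.1.1.50/1100 (198.51.100.2/4321) (bob)
Jan 27 2010 14:20:09 pix-gw %PIX-6-302014: Teardown TCP connection 41234 for outside:203.0.113.10/80 to inside:10.1.1.50/1100 duration 0:00:07 bytes 5120 TCP FINs (bob)
Jan 27 2010 14:21:00 pix-gw %PIX-6-302013: Built outbound TCP connection 41235 for outside:192.0.2.7/3389 (192.0.2.7/3389) to inside:10.1.1.50/1101 (198.51.100.2/4322)
Jan 27 2010 14:25:30 pix-gw %PIX-6-302013: Built outbound TCP connection 41236 for outside:192.0.2.9/443 (192.0.2.9/443) to inside:10.1.1.77/2000 (198.51.100.2/4323)
Jan 27 2010 14:25:40 pix-gw %PIX-6-302014: Teardown TCP connection 41236 for outside:192.0.2.9/443 to inside:10.1.1.77/2000 duration 0:00:10 bytes 900 TCP Reset-O
"""

TS = r'(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{4} \d\d:\d\d:\d\d)'
END = r'(?P<{p}_if>\w+):(?P<{p}_ip>[\d.]+)/(?P<{p}_port>\d+)'  # iface:ip/port

BUILT_RE = re.compile(
    TS + r' \S+ %PIX-6-302013: Built (?:inbound|outbound) TCP connection (?P<id>\d+)'
    r' for ' + END.format(p='a') + r' \((?P<a_xip>[\d.]+)/(?P<a_xport>\d+)\)'
    r' to ' + END.format(p='b') + r' \((?P<b_xip>[\d.]+)/(?P<b_xport>\d+)\)'
    r'(?: \((?P<user>[^()]+)\))?\s*$')

TEARDOWN_RE = re.compile(
    TS + r' \S+ %PIX-6-302014: Teardown TCP connection (?P<id>\d+)'
    r' for ' + END.format(p='a') + r' to ' + END.format(p='b') +
    r' duration (?P<dur>\d+:\d\d:\d\d) bytes (?P<bytes>\d+)(?P<tail>.*)$')

AUTH_RE = re.compile(
    TS + r" \S+ %PIX-6-109005: Authentication succeeded for user '(?P<user>[^']+)'"
    r' from (?P<ip>[\d.]+)/\d+ ')


def _endpoint(m, p, with_xlate):
    """Pull one 'iface:ip/port [(mapped_ip/mapped_port)]' endpoint from a match."""
    ep = {'if': m[p + '_if'], 'ip': m[p + '_ip'], 'port': int(m[p + '_port'])}
    if with_xlate:
        ep['xip'], ep['xport'] = m[p + '_xip'], int(m[p + '_xport'])
    return ep


def _local_remote(m, with_xlate, inside):
    """Order the two endpoints as (local, remote) by interface name, not by
    position, since inbound and outbound messages list them differently."""
    a, b = _endpoint(m, 'a', with_xlate), _endpoint(m, 'b', with_xlate)
    return (a, b) if a['if'] == inside else (b, a)


def parse_pix_log(text, inside='inside'):
    """Return one record per TCP connection seen, in Built-message order."""
    auth_by_ip = {}  # inside IP -> last user who authenticated from it
    conns = {}       # connection id -> record
    for line in text.splitlines():
        m = AUTH_RE.match(line)
        if m:
            auth_by_ip[m['ip']] = m['user']
            continue
        m = BUILT_RE.match(line)
        if m:
            loc, rem = _local_remote(m, True, inside)
            # Prefer the user the PIX tagged on the connection itself; fall
            # back to the most recent authentication from that inside address.
            conns[m['id']] = {
                'conn_id': int(m['id']), 'start': m['ts'], 'end': None,
                'user': m['user'] or auth_by_ip.get(loc['ip']),
                'local_ip': loc['ip'], 'local_port': loc['port'],
                'xlate_ip': loc['xip'], 'xlate_port': loc['xport'],
                'remote_ip': rem['ip'], 'remote_port': rem['port'],
                'bytes': None, 'duration': None,
            }
            continue
        m = TEARDOWN_RE.match(line)
        if m:
            rec = conns.get(m['id'])
            if rec is None:
                continue  # built before the log window started; nothing to join
            rec['end'], rec['bytes'], rec['duration'] = m['ts'], int(m['bytes']), m['dur']
            tag = re.search(r'\(([^()]+)\)\s*$', m['tail'])  # trailing "(user)"
            if tag and rec['user'] is None:
                rec['user'] = tag.group(1)
    return list(conns.values())


def bytes_by_user(records):
    """Total octets per user; connections still open count as 0 so far."""
    totals = {}
    for r in records:
        key = r['user'] or '(unauthenticated)'
        totals[key] = totals.get(key, 0) + (r['bytes'] or 0)
    return totals


if __name__ == '__main__':
    records = parse_pix_log(SAMPLE_LOG)
    for r in records:
        print(r)
    print(bytes_by_user(records))
```

Connections that are still open when the log ends come back with `bytes` and `end` set to `None`, which is the right signal for a report: the octet count only exists once the PIX emits the Teardown message. The `(unauthenticated)` bucket is what to watch after enabling `aaa authentication include`; in this sample it is connection 41236 from 10.1.1.77, for which the PIX logged neither an authentication nor a user tag.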