Software Licensing and Upgrades


In order to have a flexible product, the PIX uses software licensing to enable or disable features within the PIX OS. Although the hardware is common to all platforms (except that certain licenses can ship with additional memory or hardware accelerators) and the software is common, features differ depending on the activation key.

The activation key allows you to upgrade features without acquiring new software, although the process is similar. The activation key is computed by Cisco depending on what you have ordered and your serial number, so it's different for each piece of PIX hardware you own. The serial number is based on the flash, so if you replace the flash, you have to replace the activation key.

The activation key enables feature-specific information such as interfaces, high availability, and type of encryption. More specific information is found in the section "PIX Licensing and Upgrades."

To get information about the activation key, use the show version command. The command provides information about the code version, hardware information, and activation key information. Alternatively, the command show activation-key provides something like this:

Serial Number: 480090153 (0x1c9d9829)
Running Activation Key: 0x75fe7c49 0xc08b4082 0x08979930 0xe4b4c4b0
Licensed Features:
Failover:           Enabled
VPN-DES:            Enabled
VPN-3DES:           Disabled
Maximum Interfaces: 6
Cut-through Proxy:  Enabled
Guards:             Enabled
URL-filtering:      Enabled
Inside Hosts:       Unlimited
Throughput:         Unlimited
IKE peers:          Unlimited

The flash activation key is the same as the running key.

This machine is a PIX 515 and has an unrestricted license, with the maximum number of interfaces permitted, including failover.

Updating the activation key in version 6.2 of the PIX OS couldn't be simpler. The command activation-key <activation-key-four-tuple> sets the key to the new value. Note that activation four-tuples are in hexadecimal, are case insensitive, and don't require you to start the numbers with 0x. Thus the previously mentioned machine could be set with:

PIX1(config)# activation-key 75fe7c49 c08b4082 08979930 e4b4c4b0 
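As an added example (not from the book), here is a short Python parser for the show activation-key output shown above, plus a helper that accepts a four-tuple the way the activation-key command does (hex, case-insensitive, optional 0x) and checks it against the running key. The sample output is embedded as a constant so it runs offline; the function names are my own.

```python
"""Parse 'show activation-key' output and normalise an activation-key
four-tuple. Added example; the sample output is the one shown in the text."""
import re

SAMPLE_SHOW_ACTIVATION_KEY = """\
Serial Number: 480090153 (0x1c9d9829)
Running Activation Key: 0x75fe7c49 0xc08b4082 0x08979930 0xe4b4c4b0
Licensed Features:
Failover:           Enabled
VPN-DES:            Enabled
VPN-3DES:           Disabled
Maximum Interfaces: 6
Cut-through Proxy:  Enabled
Guards:             Enabled
URL-filtering:      Enabled
Inside Hosts:       Unlimited
Throughput:         Unlimited
IKE peers:          Unlimited
"""

# One word of the key: up to eight hex digits, optional 0x prefix, any case.
_KEY_WORD = re.compile(r"^(?:0x)?([0-9a-f]{1,8})$", re.IGNORECASE)


def normalise_key(words):
    """Turn the four words as typed into a tuple of four ints, or raise."""
    if len(words) != 4:
        raise ValueError("activation key must be exactly four hex words")
    values = []
    for w in words:
        m = _KEY_WORD.match(w)
        if not m:
            raise ValueError(f"not a hex word: {w!r}")
        values.append(int(m.group(1), 16))
    return tuple(values)


def parse_activation_key_output(text):
    """Return serial number, running key and the licensed-feature table."""
    info = {"serial": None, "running_key": None, "features": {}}
    in_features = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("Serial Number:"):
            info["serial"] = int(line.split(":", 1)[1].split()[0])
        elif line.startswith("Running Activation Key:"):
            info["running_key"] = normalise_key(line.split(":", 1)[1].split())
        elif line.startswith("Licensed Features:"):
            in_features = True
        elif in_features and ":" in line:
            name, value = (s.strip() for s in line.split(":", 1))
            if value.isdigit():
                value = int(value)          # e.g. Maximum Interfaces
            elif value in ("Enabled", "Disabled"):
                value = value == "Enabled"  # feature flags become booleans
            info["features"][name] = value  # "Unlimited" stays a string
    return info


def activation_key_command(words):
    """Render the config line exactly as shown in the text (lowercase, no 0x)."""
    return "activation-key " + " ".join(f"{v:08x}" for v in normalise_key(words))


def key_matches_running(info, words):
    """True when the key you are about to enter equals the running key."""
    return normalise_key(words) == info["running_key"]


if __name__ == "__main__":
    info = parse_activation_key_output(SAMPLE_SHOW_ACTIVATION_KEY)
    print(info["features"])
    print(activation_key_command(["75FE7C49", "C08B4082", "08979930", "E4B4C4B0"]))
```

Running it against the sample prints the feature table and the same activation-key line the book shows; feeding a key with a typo in it raises a ValueError before you ever type it at the console.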

Updating the activation keys in prior versions is not much more complicated. Power-cycle the PIX, and send an Esc or Break to enter monitor mode. This will present you with a prompt:

monitor>

Type a ? to see the options. Sample output is listed here:

Use ? for help.
monitor> ?
?                    this help message
address    [addr]    set IP address
file       [name]    set boot file name
gateway    [addr]    set IP gateway
help                 this help message
interface  [num]     select TFTP interface
ping       <addr>    send ICMP echo
reload               halt and reload system
server     [addr]    set server IP address
tftp                 TFTP download
timeout              TFTP timeout
trace                toggle packet tracing

It would be a good idea to upgrade your software at this time, but in any event, the PIX will ask you if you want to update your activation key at the end of the TFTP process.

Licensing

Generally, the licensing falls into one of three types, plus an additional factor for crypto constraints. The three main categories are unrestricted, restricted, and failover. If you have a single PIX, you'll want unrestricted or restricted licensing, depending on the number of interfaces you want to support. If you have two PIX appliances and want high availability, you'll want one machine with an unrestricted license and another machine with a failover license.

Upgrading Software

The traditional way of managing images is via TFTP. This is a UDP-based transport protocol—fast and efficient. Unfortunately, it is not authenticated, so you have to be a bit careful to ensure that your data gets saved when you write to a TFTP server and that the data downloaded doesn't get corrupted.

By tradition, UNIX hosts have TFTP software preinstalled. If you do have a UNIX laptop, try man tftpd to see how to turn it on. If you have a Windows laptop, the server is not installed (although a client might well be—it's standard on most NT and Win2K environments).

Luckily, a TFTP server for a Windows environment is easy to acquire and install. Perhaps one of the best is the Solar Winds server, part of the Solar Winds suite. The full tool set is an invaluable aid to security professionals, and some pieces of it, like the TFTP server, are free. Installation is via the WISE installation wizard.

Another excellent TFTP server is the one Cisco provides. It is available at www.cisco.com/cgi-bin/tablebuild.pl/tftp and is also free. Simply provide your Cisco user ID when you download, and launch the installer executable.

Running the Cisco TFTP server is straightforward. The server, by default, is not running. (This mode is recommended, since there is no authentication; you don't want anyone uploading or downloading files without your knowledge.) The first time you run it, you will want to press O for Options (under the View menu) to set the log file, if desired, and set the TFTP root directory. This is where you want to store the images. If you are going to be upgrading the PIX software, FTP the binary image down from the Web into that directory, and you are ready for the transfer.

If you have a very old version of the software (pre-5.1(x)), you must upgrade using monitor mode. You can follow the preceding notes or the following step-by-step procedure:

  1. Enter monitor mode. Remember, this requires that you get a console session running, power-cycle the box, and press Escape within 10 seconds of the boot.

  2. The PIX is currently unconfigured. Set up your download interface by doing the following:

    • Use interface <number> to set the TFTP interface. The default is 1, so you don't have to set it if the TFTP server is on the inside.

    • Use address <IP address> to set the IP address of the PIX.

    • Hopefully, your server is on the same network as the TFTP interface. If not, you can set a default gateway with gateway <IP address>.

  3. Next prepare the transfer information:

    • Use server <IP address> to set the IP address of your TFTP server.

    • Use file <filename> to set the name of the image to upload.

  4. Finally, execute the transfer. Use tftp to start the file.

This process loads a new image in place, and when you reboot, you will come up under the new image.

Luckily, this process should not apply—unless you accidentally upload the wrong file or your TFTP transfer fails. Monitor mode is primarily used in the event of disaster.

The process of updating your software on a reasonably new version of code is straightforward. You can avoid monitor mode and do everything from the PIX enable command line. Log in to the PIX and get into enable mode. It is a good idea to ping your TFTP server to verify connectivity—for example:

PIX1# ping inside 10.1.1.1 

Get the version of the software onto your TFTP server, and copy the file to flash:

pixfirewall# copy tftp flash
Address or name of remote host [127.0.0.1]? 10.1.1.1
Source file name [cdisk]? pix621.bin
copying tftp://10.1.1.1/pix621.bin to flash [yes|no|again]? yes
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
Received 1640448 bytes.
Erasing current image.
Writing 1640448 bytes of image.
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
Image installed.

On the next reload, the new image is available.
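Because TFTP is unauthenticated and offers no integrity protection beyond the UDP checksum, it is worth cross-checking what the PIX reports against the file you actually served. The following Python script is an added example, not from the book: it parses a copy tftp flash transcript (constructed from the one shown above), compares the "Received" and "Writing" byte counts with the size of the image in the TFTP root, and compares the image's SHA-256 with a reference hash you recorded when you first downloaded it from Cisco. The function names and the reference hash are my own; the demo builds a stand-in image in a temporary directory.

```python
"""Cross-check a 'copy tftp flash' transcript against the image file in the
TFTP root. Added example, not from the book: the transcript is constructed
from the one shown in the text, and the reference hash is whatever you
recorded when the image was first downloaded (a constructed value here)."""
import hashlib
import os
import re
import tempfile

SAMPLE_COPY_TRANSCRIPT = """\
pixfirewall# copy tftp flash
Address or name of remote host [127.0.0.1]? 10.1.1.1
Source file name [cdisk]? pix621.bin
copying tftp://10.1.1.1/pix621.bin to flash [yes|no|again]? yes
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
Received 1640448 bytes.
Erasing current image.
Writing 1640448 bytes of image.
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
Image installed.
"""

_SOURCE = re.compile(r"^Source file name \[[^\]]*\]\? (\S+)$")
_RECEIVED = re.compile(r"^Received (\d+) bytes\.$")
_WRITTEN = re.compile(r"^Writing (\d+) bytes of image\.$")


def parse_copy_transcript(text):
    """Extract the file name and the byte counts the PIX reported."""
    info = {"file": None, "received": None, "written": None, "installed": False}
    for raw in text.splitlines():
        line = raw.strip()
        m = _SOURCE.match(line)
        if m:
            info["file"] = m.group(1)
            continue
        m = _RECEIVED.match(line)
        if m:
            info["received"] = int(m.group(1))
            continue
        m = _WRITTEN.match(line)
        if m:
            info["written"] = int(m.group(1))
            continue
        if line == "Image installed.":
            info["installed"] = True
    return info


def sha256_of(path):
    """Hash the file in chunks so a large image need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def check_transfer(transcript, tftp_root, reference_sha256):
    """Return a list of problems; an empty list means the transfer looks sound."""
    t = parse_copy_transcript(transcript)
    problems = []
    if not t["installed"]:
        problems.append("PIX did not report 'Image installed.'")
    if t["file"] is None:
        problems.append("could not find the source file name in the transcript")
        return problems
    path = os.path.join(tftp_root, t["file"])
    if not os.path.isfile(path):
        problems.append(f"{t['file']} is not present in the TFTP root")
        return problems
    size = os.path.getsize(path)
    if t["received"] != size:
        problems.append(f"PIX received {t['received']} bytes but the file is {size} bytes")
    if t["written"] != t["received"]:
        problems.append("bytes written to flash differ from bytes received")
    if sha256_of(path) != reference_sha256:
        problems.append("image hash differs from the reference recorded at download time")
    return problems


def demo():
    """Build a constructed TFTP root holding a stand-in image of the size the
    transcript reports, check it intact, then check it after it was altered."""
    with tempfile.TemporaryDirectory() as root:
        path = os.path.join(root, "pix621.bin")
        with open(path, "wb") as f:
            f.write(b"\xa5" * 1640448)  # constructed stand-in, not a real image
        reference = sha256_of(path)     # in practice: the hash you recorded earlier
        intact = check_transfer(SAMPLE_COPY_TRANSCRIPT, root, reference)
        with open(path, "ab") as f:
            f.write(b"\x00")            # simulate a corrupted or swapped image
        altered = check_transfer(SAMPLE_COPY_TRANSCRIPT, root, reference)
    return intact, altered


if __name__ == "__main__":
    intact, altered = demo()
    print("intact image:", intact or "no problems")
    print("altered image:", altered)
```

Run it and the intact image reports no problems, while the altered copy is flagged twice, once for the size mismatch against what the PIX received and once for the hash. Pasting the real console transcript and pointing the script at your real TFTP root is all that changes in production use.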

Password Recovery

Passwords are stored on the PIX using an MD5 hash. This is good; you are probably aware that Cisco type 7 passwords can be instantly decrypted using a simple personal digital assistant (PDA). An MD5 hash is harder: a hacker essentially has to try out all the combinations. Unfortunately, the MD5 hash used on the PIX is significantly weaker than the Cisco type 5 hash used on Cisco routers. Programs such as Cain & Abel (www.oxid.it) can, with time, discover a password. This weakness has been assigned CVE vulnerability CAN-2002-0954. So, if all you have is a printout, you can recover your password. This can be helpful for machines that are in production environments. (However, the caveat is that others can do the same. Be careful about leaving configuration files on TFTP servers or printouts where others can get to them.)
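Since a saved configuration hands the password hashes to anyone who can read the file, an audit of the TFTP root is a cheap control. The following Python script is an added example, not from the book: it walks a directory, finds files containing PIX passwd or enable password lines, flags those readable by group or others, and flags hashes that match a set of known defaults (for instance, the hash your own lab PIX shows for the recovery default, cisco). Every configuration and hash value in it is a constructed placeholder, and the function names are my own.

```python
"""Audit a directory such as a TFTP root for stored PIX configurations that
expose password hashes. Added example, not from the book. The configuration
text and every hash in it are constructed placeholders; fill
KNOWN_DEFAULT_HASHES with the hash your own lab PIX shows for the recovery
default password before relying on that check."""
import os
import re
import stat
import tempfile

# Configuration lines that carry a password hash on a PIX.
_HASH_LINE = re.compile(r"^(enable password|passwd) (\S+) encrypted\s*$", re.MULTILINE)

# Placeholder set of hashes you consider weak, e.g. the one your lab box
# prints for 'cisco' after password recovery. Constructed value, not a real hash.
KNOWN_DEFAULT_HASHES = {"PLACEHOLDER_HASH_OF_cisco"}

CONSTRUCTED_CONFIG_A = """\
: Saved
PIX Version 6.2(1)
hostname pix1
enable password PLACEHOLDER_HASH_A1 encrypted
passwd PLACEHOLDER_HASH_A2 encrypted
"""

CONSTRUCTED_CONFIG_B = """\
: Saved
PIX Version 6.2(1)
hostname pix2
enable password PLACEHOLDER_HASH_B1 encrypted
passwd PLACEHOLDER_HASH_OF_cisco encrypted
"""


def password_hashes(text):
    """Return [(keyword, hash), ...] for every password line in a config."""
    return [(m.group(1), m.group(2)) for m in _HASH_LINE.finditer(text)]


def audit_file(path):
    """Return findings for one file as (path, message) tuples."""
    findings = []
    try:
        with open(path, "r", errors="replace") as f:
            text = f.read()
    except OSError:
        return findings
    hashes = password_hashes(text)
    if not hashes:
        return findings  # not a PIX config (or at least no hashes in it)
    kinds = ", ".join(k for k, _ in hashes)
    findings.append((path, f"PIX config with password hash(es): {kinds}"))
    mode = os.stat(path).st_mode
    if mode & (stat.S_IRGRP | stat.S_IROTH):
        findings.append((path, "readable by group or others; restrict to the owner"))
    for keyword, value in hashes:
        if value in KNOWN_DEFAULT_HASHES:
            findings.append((path, f"{keyword} still set to a known default; change it"))
    return findings


def audit_directory(root):
    """Audit every regular file directly under root."""
    findings = []
    for name in sorted(os.listdir(root)):
        path = os.path.join(root, name)
        if os.path.isfile(path):
            findings.extend(audit_file(path))
    return findings


def demo():
    """Constructed TFTP root: one owner-only config, one world-readable config
    that still carries the default hash, and one unrelated file."""
    with tempfile.TemporaryDirectory() as root:
        a = os.path.join(root, "pix1.cfg")
        b = os.path.join(root, "pix2.cfg")
        other = os.path.join(root, "readme.txt")
        for p, text in ((a, CONSTRUCTED_CONFIG_A), (b, CONSTRUCTED_CONFIG_B),
                        (other, "nothing here\n")):
            with open(p, "w") as f:
                f.write(text)
        os.chmod(a, 0o600)  # owner-only: acceptable
        os.chmod(b, 0o644)  # world-readable: flagged
        return [msg for _, msg in audit_directory(root)]


if __name__ == "__main__":
    for msg in demo():
        print(msg)
```

In the demo the owner-only config produces just the inventory line, while the world-readable one is also flagged for its permissions and for its default-password hash; point audit_directory at your real TFTP root or config archive to get the same report for it.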

If your environment can tolerate a little downtime, you can reset your PIX password. You download a program, depending on your OS version, that will execute on the PIX and reset the password to the default, cisco. You can then get in and use enable mode to set the password to a known value.

Earlier you saw that monitor mode was used for emergencies. Forgetting the password is a pretty good emergency. Here is what you do:

  1. Pick the correct version of the software from Table 8.2.

    Table 8.2: PIX Password Recovery Binaries

    Version                    Filename    URL
    4.3 and earlier releases   nppix.bin   www.cisco.com/warp/public/110/nppix.bin
    4.4 release                np44.bin    www.cisco.com/warp/public/110/np44.bin
    5.0 release                np50.bin    www.cisco.com/warp/public/110/np50.bin
    5.1 release                np51.bin    www.cisco.com/warp/public/110/np51.bin
    5.2 release                np52.bin    www.cisco.com/warp/public/110/np52.bin
    5.3 release                np53.bin    www.cisco.com/warp/public/110/np53.bin
    6.0 release                np60.bin    www.cisco.com/warp/public/110/np60.bin
    6.1 release                np61.bin    www.cisco.com/warp/public/110/np61.bin
    6.2 release                np62.bin    www.cisco.com/warp/public/110/np62.bin

  2. Place this software on a TFTP server accessible to the PIX.

  3. Connect to the PIX on the console port. Verify connectivity. (You should get a password prompt, which you can't answer.)

  4. Reboot the PIX.

  5. Within 10 seconds of the reboot, press Esc to enter monitor mode.

  6. Use the interface command to set the interface to that of the TFTP server.

  7. Use the address command to specify the IP address of that interface.

  8. Use the server command to specify the IP address of the TFTP server.

  9. Use the gateway command to specify the default route to the TFTP server, if needed. (This is not recommended; if at all possible, try to have the TFTP server on the same network as the PIX interface to minimize the likelihood of file corruption.)

  10. Use the file command to specify the filename of the recovery file you chose in Step 1.

  11. Use the ping command to verify that you can connect to the TFTP server.

  12. Use the tftp command to start the download.

At this point, you should be prompted to erase the passwords, and you will be in. The default password has now been set to cisco, with no enable password.




The Best Damn Firewall Book Period
ISBN: 1931836906
Year: 2003
Pages: 240
