© 2009 Cisco Systems Inc. All rights reserved. This publication is protected by copyright. Please see page 161 for more details.

CHAPTER 1
Understanding Traffic Classification
Throughout this Quick Reference, I rapidly take you through some of the more advanced forms of traffic filtering. We begin this journey with the familiar access control list (ACL), and progress into deep packet inspection with regular expressions and parameter-specific conditional statements. I think that many people would flip to the center of this Quick Reference and feel intimidated by some of the content, but if we step through the technologies one by one and remember that our entire configuration is based on a simple "if-then" logic, everything will make sense. My goal, at least, is that when we have finished you will become much more effective as a firewall administrator.
I assume that you know the fundamentals based on the SNAF material that precedes this. However, I will quickly redefine some things just to make sure that you truly understand what is happening "beneath the hood," rather than just knowing the definition of a term.
Just remember, almost everything we cover in the first half of this Quick Reference follows the same simple logic: If you see a packet that looks like this, forward it to this interface; if it looks like this, then drop, NAT, encrypt, and so on. We will just add classifications and additional actions beyond what you may be used to using, but the core logic always remains the same. This logic is true of anything computer related: if and then. Remember this when troubleshooting, or when studying for the exam. If things seem to get complicated or you feel lost at any point in this Quick Reference, remember that it all boils down to this simple logic.
If you intend to create traffic policies on a Cisco firewall, it is imperative that you solidly understand ACLs. One of the first questions that I ask during my classes is this: What are ACLs used for? The most common answer that I receive is "to block traffic," but this answer is only partially correct. An access list can certainly be used to block traffic, but it is more appropriate to think of an ACL as a way to define interesting traffic, and once you define that interesting traffic you can manipulate it in some way. As we continue through this Quick Reference, remember that an ACL by itself doesn't have any effect. We must associate that traffic classification with a function. From this day forward, think of an ACL as an incomplete sentence that requires a verb or action. The function associated with this ACL would be synonymous to a verb within a sentence.
When you create an ACL, it is similar to telling the device "Hey ASA, when you see traffic sourced from network A destined for host B," and that is where you've left it. No action is associated with it yet; all you have done is define a traffic flow. That alone will not do anything. After this ACL has been associated with some action, then it will become useful to you. For example, when you place the ACL on an interface, it will permit or deny the traffic flow that you specified. When you associate an ACL with a nat statement, you will control address translation based on the address pairs that you specified: permit means translate the source IP address, and deny means route without address translation occurring. When you reference an ACL within a crypto map, this tells the security appliance to encrypt the traffic that matches permit statements; deny statements tell the ASA to forward the traffic without encryption. We can associate even more actions with traffic flows, but the point being made here is that a permit statement says to perform the action, whereas a deny statement says do not perform this action.

Types of Access Control Lists (type of access list: criteria to match upon)

Standard: Source IP address.
Extended: Source IP address, destination IP address, Layer 4 protocol (TCP, UDP, EIGRP, ESP, GRE, and so on), source port number, destination port number.
Webtype: Destination TCP port, or Uniform Resource Locator (URL), which can include the asterisk as a wildcard, the question mark as a single-character wildcard, and square brackets to define a range.
Ethertype: Ethertype, bridge protocol data unit (BPDU), and Layer 3 information (IPX can be permitted or denied). Ethertype ACLs are available only when operating in transparent mode.
Time based (subcategory of extended): Associates a specific month, day, or hour range with an access list, enabling you to permit or deny traffic based on these parameters.
Remember that a single ACL can have many access control entries (ACEs) and that each line in the access list (ACE) will contain a permit or deny action. As you should recall, these entries are processed in a top-down order.
Is this a good thing or a bad thing? Generally we don't like to be denied entry, denied a hotel room, denied a loan, denied by anyone for anything. But wait, this is different. Being denied could actually be a good thing; it depends on where that ACL is being applied. Remember, this is a security appliance, and we are applying different types of filtering and restrictions to users. If we were referring to the IP address of your workstation, we would not want this ACL to be applied inbound on the firewall interface that connects to your subnet because it would prevent you from getting to other networks. However, if rate limiting were being placed upon all users in the enterprise, and this statement were placed at the top of the ACL used for rate limiting, our traffic would proceed without any rate limit, so it would be preferable. If you were to implement Cut-through Proxy on the inside interface of the firewall, forcing all users to authenticate before browsing the web, again this deny statement would exclude you from Cut-through Proxy. Your traffic would flow through uninterrupted while everyone else must first authenticate to go out. Similar logic applies to other functions, such as authentication, policy NAT, URL filtering, and so forth.
Logging
As mentioned previously, ACLs have many purposes. One that is commonly overlooked is intrusion detection. This might sound surprising, but it makes sense when you think about it. Intrusion detection does not have to be accomplished by using network sensors or modules within other network equipment. You can use ACLs for troubleshooting and detection. For instance, I sometimes use a very specific permit statement and apply it at the top of an ACL to make sure traffic is reaching a device and being processed appropriately. It is less disruptive than a debug, but it can also prove that "the network is not the problem." The catch is that I have to watch and refresh and look at hit counts. Is there an easier way?
Most ACLs consist of a collection of permit statements followed by that implicit deny. I was once in a training class and the instructor recommended manually adding deny ip any any log at the end of the ACL so that we could see all packets that are denied. This was not the right idea in my mind, but it was a good start. Logging all denied packets will generate too much information, and chances are slim that the administrator will take these notifications seriously because he'll see a great deal of useless information. Things such as routing updates, broadcasts, and multicasts are going to hit that ACL and be denied, which will generate entries that you have to scroll past, or will generate hit counts that are too high to do us any good. For the past several years, what I have been doing is building a list of specific protocols that I want to deny demilitarized zone (DMZ) servers from accessing (TFTP, SSH, IRC, and even HTTP at certain hours, and so on), and placing the log statement at the end of each line. This way, when a server is compromised using some new exploit that is not detected by the intrusion prevention system (IPS), and the attacker attempts to fetch his rootkit from a remote server using TFTP/FTP/HTTP or log in to a botnet on IRC, not only will the connection be denied, but it will also generate a notification. When logged in at the server's desktop, it may look okay. If you inspect the event log, it might be normal, but the syslog notification is proof that something is not right. Why was your server attempting to connect to a TFTP server in Malaysia at 2:45 a.m.? I have been compromised more than once, but I've also been fortunate enough to detect the compromise within a few hours. Quite often, this is not the case, and a machine might go undetected for months, or even years.

You can configure ACLs to send information to a syslog server using the command-line interface (CLI). At the end of an access list entry, use the log parameter.
For instance, suppose that we want to prevent a SQL server on the inside network whose IP is 192.168.50.7 from accessing any IRC network, and should this ever occur we want to be notified via syslog. We could use the following statement to make this happen:
Router(config)# access-list 101 deny tcp host 192.168.50.7 any eq 6667 log
Note
Logging of access list matches requires the prior configuration of syslog. It is also possible to set different logging
CCSP SNAA Quick Reference by Ryan Lindfield
You can also configure this through the graphical user interface (GUI), as shown in Figure 1-1.
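The per-line logging approach described above, as an added example that is not from the book: a DMZ egress list that denies the specific services with log on each line, denies HTTP only during an after-hours time range, and is preceded by the syslog configuration the Note says must come first. The DMZ subnet, syslog server, interface name and ACL name are assumed.

```cisco
! Constructed example (not from the book). Syslog must be configured
! before the "log" keyword on an ACE produces anything you can act on.
logging enable
logging timestamp
logging trap informational
logging host inside 192.168.10.5

! Hours during which DMZ servers have no business fetching anything over
! HTTP; the ACE that references this range is active only inside it.
time-range AFTER_HOURS
 periodic daily 00:00 to 06:00

! Each deny carries its own "log", so one hit emits a %ASA-6-106100
! message naming source, destination and port (informational level by
! default, which the "logging trap informational" line above forwards).
access-list DMZ_OUT extended deny udp 172.16.1.0 255.255.255.0 any eq tftp log
access-list DMZ_OUT extended deny tcp 172.16.1.0 255.255.255.0 any eq ftp log
access-list DMZ_OUT extended deny tcp 172.16.1.0 255.255.255.0 any eq ssh log
access-list DMZ_OUT extended deny tcp 172.16.1.0 255.255.255.0 any eq 6667 log
access-list DMZ_OUT extended deny tcp 172.16.1.0 255.255.255.0 any eq www log time-range AFTER_HOURS

! What the servers legitimately need (DNS, NTP, daytime HTTP) is permitted;
! anything else falls to the implicit deny at the end, unlogged.
access-list DMZ_OUT extended permit udp 172.16.1.0 255.255.255.0 host 192.168.10.53 eq domain
access-list DMZ_OUT extended permit udp 172.16.1.0 255.255.255.0 host 192.168.10.123 eq ntp
access-list DMZ_OUT extended permit tcp 172.16.1.0 255.255.255.0 any eq www

! The ACL is still just a classification until it is bound to an action,
! here filtering inbound on the dmz interface.
access-group DMZ_OUT in interface dmz

! Hit counts per ACE, for the "watch and refresh" check the text mentions:
! show access-list DMZ_OUT
```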
NAT
Based on your previous studies, you should already know how to perform basic NAT operations, so let's begin looking at how not to NAT.
Identity NAT, or using NAT with the ID of zero, has the highest priority of all NAT operations. Identity NAT overrules a similar static or dynamic NAT rule. So, when would you want to use identity NAT? The most common example is traffic flows between two protected networks. Examine the diagram shown in Figure 1-2.
As you can see, traffic flowing from the 192.168.1.0/24 network destined for the 10.1.1.0/24 network does not require NAT operations. These networks are trusted, and there is no overlap in IP addresses. Therefore, to disable the requirement to NAT, use the following commands:
access-list 101 permit ip 192.168.1.0 255.255.255.0 10.1.1.0 255.255.255.0
nat (inside) 0 access-list 101
You can also configure this from the Cisco Adaptive Security Device Manager (ASDM). Just select Configuration, the Firewall pane on the left, and then NAT Rules. Within the NAT Rules configuration, select Add, and then Add NAT Exempt Rule.
Figure 1-4 shows the configuration for our NAT policy. We will select an interface, the source IP address, and then the destination IP address.
First we will select the source IP address range. In this case, 192.168.1.0 is our inside network.
I like to define object groups and then reference the object groups within an ACL, which can also be done here. While in the same Edit NAT Exempt Rule window as earlier, I selected Destination, and then in the Browse Destination window, I selected the Add drop-down, then Network Object. Here I define the name and address range for the remote office.
At this point, the new network object called Remote-Office can be seen in the Browse Destination window. I select that as the Destination and click OK.
Now that we have selected both source and destination for our NAT exempt rule, we are almost done.
After you have accepted this change, you can see the new rule at the top of your Access Rules.
We are issuing this statement with the assumption that it is required, but this is not always the case. Before version 7.0 of the firewall OS, all packets that traverse a PIX firewall had to be translated. When the Adaptive Security Appliances (ASAs) were introduced along with 7.0, this was not the case, and by default packets did not have to be NAT'd. To enable this requirement, you can use the command nat-control. After you issue this command, all packet flows require nat and global statements for the packet to pass through the firewall, similar to behavior before 7.0. You can then use the nat 0 command to break this requirement and allow packets to pass without source address translation.
Dynamic NAT
Within these high-level categories, a statement that references an ACL takes precedence over another rule that is more general. Just think of this concept as "the most specific match rules."
Example
ASA5505(config)# nat (inside) 1 192.168.1.0 255.255.255.0
ASA5505(config)# access-list 102 permit tcp host 192.168.1.10 any eq www
ASA5505(config)# nat (inside) 2 access-list 102
In this example, a packet from 192.168.1.10 destined for www.google.com on port 80 matches both statements, nat 1 and nat 2. However, because nat 2 is more specific, it takes precedence over nat 1.
When configuring an ASA 5505 for NAT, you will notice that the terms inside and outside refer to VLAN interfaces, as opposed to physical interfaces. The physical interfaces are switch ports and must be associated with a VLAN to pass traffic.
The concept of nat 0 is fairly simple, but it serves as an excellent example of the logic we will be embracing. Instead of using an ACL to permit traffic through an interface, in this example we are using an ACL to define what should not be translated. So notice how, in this scenario, a permit within the ACL means not doing something, and the something in this case is address translation.
If the ACL referenced by the nat 0 statement has a deny statement within it, what will happen to the source IP address? Perhaps you said to yourself "nothing at all"; it's easy to get confused with multiple operations. Remember that nat 0 is a command that says "do not translate." Therefore, the deny would be a double negative, effectively telling the security appliance "don't not translate" (or in other words, this packet should be translated).
If you have followed the examples so far, you are in good shape and we can delve further into the logic of the security appliance. Remember, everything we do in IT follows an "if-then" logic. If this condition occurs, then perform this action.
We can now expand our knowledge of NAT operations with Policy NAT. The first time I heard the term Policy NAT I was on a bridge call with several engineers. At the time, it sounded pretty fancy, and even intimidating. My strategy then was just to keep my mouth shut and not ask any dumb questions. Just what is this policy thing? For instance, what is policy-based routing (PBR) (another term that can sound intimidating at first)? Policy NAT and policy-based routing are just making forwarding operations based on criteria within the packet outside of the usual things that we look at.

You might still be wondering what that means. To help you understand, let's look at routing. A router makes forwarding decisions based on the destination IP address in the IP header (Layer 3), and that is all. "That's it?" you ask. Essentially, yes. Simply put, PBR is making a forwarding decision based on other information. You can specify lots of different criteria, but imagine routing traffic from your call center to the Internet over a 5-Mb/s cable modem, and traffic sourced from your executives to the same destination out of a different, faster link, such as a 50-Mb/s FiOS link. Now we are making a forwarding decision based on both the source and destination IP address. You can also specify other criteria, such as Layer 3 and Layer 4 information like type of service (ToS), time of day, protocol, and service (HTTP, SMTP, POP3, and so forth). So, to clarify, you can perform NAT and routing operations based on criteria that you can specify within an ACL.
If you are with me so far, we are making great progress. Things will continue to build in a similar logical manner. For more than a decade, we have been making forwarding decisions based on some, but not all, of the information contained within Layers 2, 3, and 4 of the OSI model. Primarily, we have looked at source and destination MAC addresses, IP addresses, and port numbers. What about the payload, what about other fields within the IP header and TCP header? In the latest versions of FOS and IOS software, you will find a growing number of parameters that you can specify to match upon the contents of the payload. Dozens of combinations of conditions are available that we can define to control the flow of packets through the security appliance.
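The NAT precedence rules from the Dynamic NAT section (nat 0 first, then a nat that references an ACL, then the general nat) and the call-center versus executives policy idea above, worked as one added example that is not from the book, in the pre-8.3 nat/global syntax the chapter uses. Addresses, ACL names and global pools are assumed.

```cisco
! Constructed example (not from the book). TEST-NET addresses stand in
! for public IPs; ACL and pool names are assumed.
nat-control

! 1. Identity NAT (nat 0 with an ACL) outranks every rule below it.
!    Traffic to the trusted 10.1.1.0/24 office is never translated;
!    "permit" here means "do not translate".
access-list NO_NAT extended permit ip 192.168.1.0 255.255.255.0 10.1.1.0 255.255.255.0
nat (inside) 0 access-list NO_NAT

! 2. Policy NAT: a nat statement that references an ACL beats a more
!    general one. The call center (lower half of the /24) leaves with
!    one public address, the executives (upper half) with another.
access-list CALLCENTER_INET extended permit ip 192.168.1.0 255.255.255.128 any
nat (inside) 2 access-list CALLCENTER_INET
global (outside) 2 203.0.113.10

access-list EXECS_INET extended permit ip 192.168.1.128 255.255.255.128 any
nat (inside) 3 access-list EXECS_INET
global (outside) 3 203.0.113.20

! 3. The general rule that catches whatever the ACL-based rules did not.
nat (inside) 1 192.168.1.0 255.255.255.0
global (outside) 1 203.0.113.30

! How a packet is handled, most specific rule first:
!  192.168.1.10 -> 10.1.1.5      matches NO_NAT, passes untranslated even
!                                though CALLCENTER_INET's "any" also fits
!  192.168.1.10 -> 198.51.100.7  matches CALLCENTER_INET, leaves as 203.0.113.10
!  192.168.1.200 -> 198.51.100.7 matches EXECS_INET, leaves as 203.0.113.20
! Confirm the translation actually built:  show xlate
```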
We will now move beyond the familiar Layer 3 and Layer 4 conditions and into specifying criteria within the payload. Each protocol will have specific parameters that we can match upon. For instance, think about FTP. When you connect to a remote FTP server, you first log in with a username and password, and then transfer files. All the file operations have specific commands. You can find these commands within an RFC. In other words, standards define how a client and server communicate. Every protocol has these standards defined, whether it is HTTP, FTP, SMTP, or so forth. When a client connects to a server, certain commands are available. Each protocol is almost a language in itself. Think of the client and server as two peers having a conversation while the firewall is eavesdropping on them. If the firewall has the capability to inspect a conversation, we can create conditions upon commands or actions of this conversation.

In terms of configuration, think of the entire process of "advanced protocol inspection" as a simple conversation between the administrator and the firewall. Essentially, you are saying, "Hey firewall, if you see a packet coming from the outside world, destined for our FTP server, and someone tries to create a new directory." Notice there is no action. Once again, it's an "if-then" logic that we are dealing with here; the action is defined in a separate step. From a bird's-eye view, you're saying, "Hey firewall, if you see a packet that looks like this, then do this action." The action may be drop the packet, reset the connection, implement rate limiting, generate a syslog notification, or so on. A number of actions can be taken upon a traffic flow. This "advanced protocol handling" is implemented through the Modular Policy Framework (MPF). The MPF, although seemingly complex, gives administrators a powerful means of implementing strict control over traffic flows.
Note MPF replaces the fixup commands that were used in earlier versions of the OS.
Every protocol should be thought of as a separate language, and the firewall must have an understanding of the language before you can match upon protocol-specific parameters (such as deleting a file or making a new directory in FTP).
As we go forward and explore these protocols, you will gain a better understanding of what is possible with the ASA and PIX perimeter security appliances.
Modular Policy Framework is the term Cisco gives to the use of class maps and policy maps to control the flow of traffic through your device. This is sometimes referred to as Modular Quality of Service Command Line Interface, or Modular QoS CLI, when dealing with routers. The MPF uses class maps to identify a flow of traffic and a policy map to implement some action on that traffic flow. Based on earlier explanations, think of the class map as the "if" condition and the policy map as the "then" condition.
(Figure: network diagram with the labels Public, Remote Users, and Branch Office)
First let's tackle class maps. A class map is used to define a traffic flow. A class map will have a name (for instance, DMZ_Services). Within the class map named DMZ_Services, we will define some criteria to match upon.
(Figure: class map match criteria, of which Type of service, Tunnel group, and Flow are legible)
We can place access list 101 into the class map called DMZ-Services by using the following CLI command:
ASA(config)# class-map DMZ_Services
ASA(config-cmap)# match access-list 101
At this point, we have taken several ttaffic flows and associated them with a single name: DMZ_Services. However, we have not done anything to these packets. Previously we have discussed things such as dropping packets, routing, and
In the preceding example, we identified traffic destined for the services on our DMZ. After identifying the traffic flows using an ACL, we referenced this ACL within a class map. Finally, the class map was placed within a policy map, and an action was associated with that traffic flow. In this case, any traffic destined for our DMZ servers will be passed to an IPS module within the ASA.
Let's examine different actions we can take on a traffic flow using the MPF:
- Permit
- Expedite this traffic with priority queuing
- Tune connection parameters
- Police (rate limit)
- Traffic shaping

Let's review what we have covered so far: An ACL can be used to define a flow of traffic; that ACL can then be referenced within a class map, and the class map is then placed within a policy map to take some action on the flow of traffic previously described in the ACL. The final step is to apply the policy map to an interface. You can do this by using the service-policy command.
ASA(config)# service-policy Outside-Policy interface outside
In this example, we applied the previously generated policy Outside-Policy to our outside interface.
Do you have to use an ACL within a class map? No, this is not a requirement. ACLs are one of several options available to you for specifying packet criteria. You can find the complete list earlier in the chapter.
Configuration is a bit different when performed from ASDM; you actually start at the interface, and work your way backward. First, select Configuration, then Firewall, followed by Service Policy Rules.
Click the Add button, and then Add Service Policy Rule from the drop-down window.
Because only one policy can be applied to an interface, you must modify the existing policy if one has already been configured. By default, there is a policy called global_policy that is applied globally, and the interfaces do not have any configuration. Assuming that we are working with a fresh configuration, we will continue by selecting the Interface radio button and selecting the Outside interface. Similar to the previous example, I will use the policy name Outside-Policy, add a description, and then click Next.
As previously mentioned, we have several methods available for classifying traffic. Because the most familiar is using an ACL, I will select Source and Destination IP Address from the Traffic Match Criteria selection. As you can see, other methods are also available.
It is extremely easy to configure ACLs from the GUI, as you can see here. Just select a source, destination, and service. The button on the right will present a list of preconfigured network objects that you can select, or you can type the network addresses by hand. The last requirement is to specify the service. A preconfigured list is available, or you can manually enter the protocol and port.
The following window is used to configure protocol inspection, connection settings, QoS, and other rules. This is the actual action covered in the next section of this Quick Reference.
So far we know that we want to allow traffic from the outside interface (the public Internet) into our web server, but we also want to protect this server from malicious attacks that it is sure to receive. We know not all port 80 traffic is going to be friendly, so we will filter out HTTP requests that use the POST method. Let's start where we previously left off when configuring service policy rules on the ASA. The screen was asking for rule actions (allows for QoS, connection settings, IPS, application inspection, and more). We will select the Protocol Inspection tab. Make sure HTTP inspection is enabled, and then select Configure.
Now we will create an inspect map for HTTP. Select the radio button that reads Select an HTTP Inspect Map for Fine Control over Inspection, then click the Add button.
Name this HTTP inspection map, and then provide a description. Then, select Details.
The final step is to set the actual parameter that we are trying to block. From the Method drop-down box, select Post, and then ensure that the action is set to Drop Connection and that Log is set to Enabled.
In the future if you want to modify inspection maps, you can find them by following this path: Configuration > Firewall > Objects > Inspect Maps.
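The CLI equivalent of the ASDM procedure above (class map from an ACL, HTTP inspect map that drops and logs POST, policy map, service-policy on the outside interface), added here as an example that is not from the book. The web server address, ACL number and map names are assumed.

```cisco
! Constructed example (not from the book). 172.16.1.10 is an assumed
! DMZ web server; ACL 101 and the map names are assumed too.

! 1. The "if": Internet traffic bound for the web server's port 80
access-list 101 extended permit tcp any host 172.16.1.10 eq www
class-map DMZ_Services
 match access-list 101

! 2. The protocol-specific condition: an HTTP inspect map that drops the
!    connection and logs when the request method is POST. Requests using
!    other methods are untouched by this map.
policy-map type inspect http Block_Post
 match request method post
  drop-connection log

! 3. The "then": bind the inspect map to that class in an interface policy
policy-map Outside-Policy
 class DMZ_Services
  inspect http Block_Post

! 4. Attach it. One policy per interface, so this replaces whatever was
!    bound to outside before; global_policy still applies to the rest.
service-policy Outside-Policy interface outside

! Per-class packet counts and the inspect action, to confirm hits:
! show service-policy interface outside
```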
To properly protect this server, we need to make a few more tweaks to minimize our exposure. Let's take a look at a few more ways to do this.
Regular Expressions
Some of you may be familiar with regular expressions (regex) from prior programming or scripting experience. If you have not had experience with this type of classification before, you will probably be a bit intimidated at first, but with a bit of practice it all makes sense.
For instance, if I want to configure the firewall to notify me if the word Hacked passes through the firewall on port 80, I could define the word as it is styled right here (with only the H capitalized). But, what if I want to match on all cases (for instance, Hacked or hacked)? What if I also want to match upon alphabet characters that have been swapped with numbers (such as h4ck3d) or a mixture of upper- and lowercase (such as hAcKeD)? You can use a regular expression to match a string of characters and combinations of those characters, including ranges and the position of the pattern within other text. For example, if I want to match all the previously mentioned variations of hacked, I could use the following regular expression:
[Hh][Aa4@][Cc][Kk][Ee3][Dd]
If the payload of a packet contains six characters in order that match any single character within each of these six sets of brackets, we will consider this a match. Creating regular expressions can be tricky at first, but you have a tool built in to the ASA to test your regular expression to ensure that it is matching the way you planned, as follows:
ASA5505# test regex H4ck3d [Hh][Aa4@][Cc][Kk][Ee3][Dd]
INFO: Regular expression match succeeded.
ASA5505# test regex H4ck3r [Hh][Aa4@][Cc][Kk][Ee3][Dd]
INFO: Regular expression match failed.
You can also wildcard a single character by using the period (.), as follows:
ASA5505# test regex H4ck3d [Hh][Aa4@][Cc][Kk][Ee3].
INFO: Regular expression match succeeded.
ASA5505# test regex H4ck3r [Hh][Aa4@][Cc][Kk][Ee3].
INFO: Regular expression match succeeded.
ASA5505# test regex 4ck3r [Hh][Aa4@][Cc][Kk][Ee3].
INFO: Regular expression match failed.
Beware of special characters, however. If you want to match on a file, such as nc.exe, the period will be used as a wildcard. But, suppose you want to match literally on the period itself:
ASA5505# test regex nc.exe nc.exe
INFO: Regular expression match succeeded.
ASA5505# test regex nclexe nc.exe
INFO: Regular expression match succeeded.
To correct this issue, just place the backslash (\) before a character to match on it, as follows:
ASA5505# test regex nc.exe nc\.exe
INFO: Regular expression match succeeded.
ASA5505# test regex nclexe nc\.exe
INFO: Regular expression match failed.
You can configure regular expressions from ASDM. Just navigate to the following location: Configuration > Firewall > Objects > Regular Expressions.
For example, if I want to block anything that contains myspace.com, myspace.co.uk, or some other variation, I could try this.
A tool is built in to assist you in constructing regular expressions. Click the Build button to use the tool. I have typed Myspace.com into the character string, but I want to match on both uppercase and lowercase, so I have selected the Ignore Case option.
It's always good to test things out first, so click the Append Snippet button to copy the regular expression code into the dialog box.
You can now tweak the code that was generated, or test it by clicking the Test button.
You can create multiple regular expressions that are used for a similar purpose and group them within a regular expression class. That class can then be referenced in other parts of the configuration. For instance, if you were to create a regex class called SocialNetworking, you could then include the individual regular expressions for Myspace, Facebook, LinkedIn, and so on.
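A regex class as just described, wired into an HTTP inspect map on the inside interface, as an added example that is not from the book. The regex, class, map, ACL and interface names are assumed; the literal periods are escaped the way the nc.exe example showed.

```cisco
! Constructed example (not from the book). Names are assumed. Backslashes
! keep each "." literal so it is not treated as a single-character wildcard.
regex MySpace  "myspace\.co(m|\.uk)"
regex Facebook "facebook\.com"
regex LinkedIn "linkedin\.com"

! match-any: a request matches the class if any one regex matches
class-map type regex match-any SocialNetworking
 match regex MySpace
 match regex Facebook
 match regex LinkedIn

! Inspect the Host header of each request; reset and log on a match
policy-map type inspect http Block_Social
 match request header host regex class SocialNetworking
  reset log

! The "if": web traffic leaving the inside network
access-list WEB_OUT extended permit tcp 192.168.1.0 255.255.255.0 any eq www
class-map Inside_Web
 match access-list WEB_OUT

! The "then": apply the inspect map to that class on the inside interface
policy-map Inside-Policy
 class Inside_Web
  inspect http Block_Social
service-policy Inside-Policy interface inside

! Test a pattern before trusting it (input text first, then the regex):
! test regex www.myspace.co.uk myspace\.co(m|\.uk)   -> match succeeded
! test regex www.myspaceXcom   myspace\.co(m|\.uk)   -> match failed
```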
Protocol-Specific Parameters
Our goal is to look deep within the flow of packets and identify certain circumstances that require special handling by the security appliance. So far, you have read about ACLs, class maps, and regular expressions. I now want to provide more detail about packet inspection.
I like the term deep packet inspection (it works for me), but many other terms also describe this process: advanced protocol handling, advanced protocol inspection, inspection class maps, or modular QoS CLI (when dealing with routers).
Before we get too caught up in terminology, let's step back to the 32,000-foot view. I say 32,000 feet because I am currently on an airplane, at 32,000 feet, while writing this.
A good way to think of protocols is that each one is like a different language. And, think of our inspection of the traffic flow as eavesdropping on a phone call between two other parties. The Marriot Park Hotel in Rome has a gated facility, and a guard is posted at this gate. Imagine that you are the guard working there. Many different people (guests and otherwise), from many different places, are coming and going. It is your duty to make sure that only guests with reservations are allowed through the front gate. To stretch this a bit further, imagine that you have the capability to monitor all inbound phone calls and eavesdrop on the ensuing conversations. If a guest (think client) is talking to your guest services desk (think internal server) in German, and you understand German, you can understand what is being said. Although most of the information being passed is not of interest to you (type of room, cost, discount rates), you are waiting for keywords such as arrival, departure, a.m., p.m., days of week, specific dates, number of adults, number of children, and so on. After you have obtained this information from the inbound phone call, you can then make note of it in your log.

Well, firewalls maintain a similar log, called a state table. You should know this already from the SNAF course. So, here is a quick recap of what has happened: We have an inbound phone call, we inspect it, listen for the guest name and the arrival date, and make a note of it in the log. Your firewall does the exact same thing on a day-to-day basis. Therefore, if you understand German, French, Dutch, Italian, English, and Spanish, these customers will be passed through the gate without any additional checks. You will be expecting their arrival, and when they arrive at the gate, they will be passed through.
© 2009 Cisco Systems Inc. All rights reserved. This publication is protected by copyright. Please see page 161 for more details.
But what happens when someone calls the hotel and makes a reservation speaking Luxembourgish? Did you know that there is a language called Luxembourgish? Obviously, this phone call will not be able to be inspected. Therefore, we have no idea when the guest from Luxembourg will arrive, and when he does arrive he will be denied access.

So what does this mean in the technology world? Your security appliance lacks the capability to inspect every protocol. Therefore, when well-known protocols are used, we can automatically alter the security policy to accommodate the traffic flow. When an unknown protocol is used, it will fail. This is generally where you, as administrator, come into the picture. A user tells you that the firewall is blocking his application, for example. The first question to ask yourself is what protocol the application is using to communicate through the firewall. Then, you ask whether that protocol is supported, and finally, whether inspection is enabled for that protocol. Protocol inspection can be enabled or disabled within the policy map configuration. The following output shows the protocols for which inspection can be enabled on a traffic flow:
ASA5585(config-pmap-c)# inspect ?

MPF Policy Map and Class Map Mode Inspection Protocols
  ctiqbe
  dcerpc
  esmtp
  h323
  icmp
  im
  ipsec-pass-thru
  netbios
  rsh
  rtsp
  sip
  sqlnet
  waas
  xdmcp
CCSP SNAA Quick Reference by Ryan Lindfield
Beyond just inspecting these protocols for parameters that are negotiated, we can also filter upon protocol-specific conditions. I covered HTTP briefly earlier in the chapter, and these protocols are handled the same way. Inspection maps are created with protocol-specific conditions and then applied using MPF. Although configuration is possible from the CLI, ASDM is much more intuitive when performing granular filtering with MPF. To configure protocol inspection from ASDM, navigate to the following location, where you will find a list of protocols that support inspection maps: Configuration > Firewall > Objects > Inspect Maps.
As an administrator, you have the ability to create inspection maps to match specific criteria for each of these protocols. I have given you only the tip of the iceberg here. The im you see listed in the table is for the instant messaging class. You can permit or deny certain functions within instant messenger, such as whiteboard, file transfer, chat, games, and more. Each protocol has specific parameters that you can tune to enhance the security of your network.
Banner Masking
One of the first steps of a network attack is reconnaissance; attackers will map out your network resources before launching an attack. By default, when users connect to certain services, they are greeted by a banner, which the service uses to announce the type of software in use and the version number, as follows:
mac-pro:~ sin$ telnet www.ciscopress.com 80
Trying 209.202.161.68...
Connected to ciscopress.com.
Escape character is '^]'.
HEAD / HTTP/1.1

HTTP/1.1 302 Found
Connection: close
Date: Sun, 21 Dec 2008 23:22:57 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Location: https://memberservices.informit
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 221

Connection closed by foreign host.
mac-pro:~ sin$
When configuring HTTP, FTP, and SMTP inspection, you can mask or even spoof the server reply. However, configuration of these features is beyond the scope of this Quick Reference.
DNS Inspection
DNS inspection is used to alter DNS replies (DNS doctoring) for internal hosts and to filter DNS traffic based on specific criteria. Altering DNS replies is necessary if you have internal users who are using external DNS servers to discover internal resources.
The external DNS server replies to the client using the real-world IP address, but the internal host should be using the internal IP address to contact the server. DNS doctoring is the process of rewriting the DNS reply, changing the public IP address to the translated private IP address. For instance, consider the following static statement:
ASA(config)# static (dmz,outside) 192.168.50.50 10.10.10.50 dns
From this statement, we can tell that the outside IP address is 192.168.50.50 and the internal IP address is 10.10.10.50. If we do a DNS lookup to the external DNS server, the reply will read 192.168.50.50. When the ASA receives this DNS reply, it will be inspected, and the 192.168.50.50 address will be overwritten with 10.10.10.50 and then forwarded to the client.

Another DNS feature provided by the ASA is stateful inspection of DNS. When a host sends a DNS request through the firewall, a slot is created in the translation table. As soon as one reply is received, that reply is forwarded, and the slot is then cleared. Should any additional replies arrive, they will be discarded.
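As an added example that is not part of the book or of Cisco's code, the following Python models the two DNS behaviors just described: rewriting the public A-record address to the translated private address from the static statement, and the one-reply-per-query slot that discards any additional replies. The packet builders, the transaction IDs, and the client address are constructed for the demonstration.

```python
import socket
import struct

# Constructed illustration of the ASA's DNS doctoring and stateful DNS inspection
# described above; this is not ASA code. The NAT mapping mirrors the page's
# "static (dmz,outside) 192.168.50.50 10.10.10.50 dns" statement.
NAT_DNS_MAP = {"192.168.50.50": "10.10.10.50"}   # public -> private
TYPE_A = 1


def _skip_name(pkt: bytes, off: int) -> int:
    """Return the offset just past the DNS name at off (labels or a compression pointer)."""
    while True:
        if off >= len(pkt):
            raise ValueError("truncated DNS name")
        length = pkt[off]
        if length & 0xC0 == 0xC0:      # 2-byte compression pointer ends the name
            return off + 2
        if length == 0:                # root label ends the name
            return off + 1
        off += 1 + length


def _answer_records(pkt: bytes):
    """Yield (rdata_offset, rtype, rdlen) for every RR in the answer section."""
    if len(pkt) < 12:
        raise ValueError("short DNS packet")
    _txid, _flags, qdcount, ancount, _ns, _ar = struct.unpack("!HHHHHH", pkt[:12])
    off = 12
    for _ in range(qdcount):
        off = _skip_name(pkt, off) + 4         # QTYPE + QCLASS
    for _ in range(ancount):
        off = _skip_name(pkt, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", pkt[off:off + 10])
        off += 10
        yield off, rtype, rdlen
        off += rdlen


def answer_ips(pkt: bytes) -> list:
    """A-record addresses in the answer section, in order."""
    return [socket.inet_ntoa(pkt[o:o + 4])
            for o, rtype, rdlen in _answer_records(pkt) if rtype == TYPE_A and rdlen == 4]


def doctor_dns_reply(pkt: bytes, nat_map: dict) -> bytes:
    """Rewrite public A-record addresses to their translated private addresses."""
    if not struct.unpack("!H", pkt[2:4])[0] & 0x8000:
        return pkt                                # a query, not a response: leave it alone
    out = bytearray(pkt)
    for off, rtype, rdlen in _answer_records(pkt):
        if rtype == TYPE_A and rdlen == 4:
            public_ip = socket.inet_ntoa(pkt[off:off + 4])
            if public_ip in nat_map:
                out[off:off + 4] = socket.inet_aton(nat_map[public_ip])
    return bytes(out)


class DnsGuard:
    """One reply per query: a slot opens on the query and closes on the first reply."""

    def __init__(self, nat_map: dict):
        self.nat_map = nat_map
        self._slots = set()                       # (client address, transaction id)

    def on_query(self, client: str, pkt: bytes) -> None:
        self._slots.add((client, struct.unpack("!H", pkt[:2])[0]))

    def on_reply(self, client: str, pkt: bytes):
        """Return the (doctored) reply to forward, or None when it must be discarded."""
        key = (client, struct.unpack("!H", pkt[:2])[0])
        if key not in self._slots:                # no open slot: late, duplicate or unsolicited
            return None
        self._slots.discard(key)                  # the first reply closes the slot
        return doctor_dns_reply(pkt, self.nat_map)


# Helpers that build constructed sample packets for the demonstration.
def _encode_name(name: str) -> bytes:
    return b"".join(bytes([len(label)]) + label.encode() for label in name.split(".")) + b"\x00"


def build_query(txid: int, name: str) -> bytes:
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + _encode_name(name) + struct.pack("!HH", TYPE_A, 1)


def build_response(txid: int, name: str, ip: str) -> bytes:
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)
    question = _encode_name(name) + struct.pack("!HH", TYPE_A, 1)
    # 0xC00C points back at the question name; TTL 300, RDLENGTH 4
    answer = b"\xC0\x0C" + struct.pack("!HHIH", TYPE_A, 1, 300, 4) + socket.inet_aton(ip)
    return header + question + answer


if __name__ == "__main__":
    guard = DnsGuard(NAT_DNS_MAP)
    guard.on_query("10.10.20.7", build_query(0x1234, "www.example.com"))
    reply = build_response(0x1234, "www.example.com", "192.168.50.50")
    print(answer_ips(guard.on_reply("10.10.20.7", reply)))   # ['10.10.10.50']
    print(guard.on_reply("10.10.20.7", reply))               # None: slot already cleared
```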
DNS ID randomization
Mask DNS flags
Block DNS types
You can configure all these features by using a DNS inspection class map.
In summary, many different methods are available to identify a traffic flow and then alter the traffic flow in some way. Historically, we have done most of our filtering based on parameters at Layer 3 or 4 of the OSI model. Presently, we are diving into the payload of the packet and making our filtering decisions there. The security appliances add a great number of improvements over the PIX firewalls, not only in terms of performance but also in functionality. We can now perform rate limiting, intrusion prevention, malware analysis, and priority queuing.
Chapter 2
VLANs
Beginning in Version 6.2 of the PIX firewall, there is support for subinterfaces, trunk links, and VLANs. The PIX and ASA can support 802.1Q encapsulation and a number of logical interfaces depending on the platform. This enables you to scale your perimeter security solution without the cost of additional hardware. For instance, I have had many clients in the past with a three-interface firewall configuration (inside, outside, DMZ).
[Figure: three-interface firewall; labels shown: Outside, DMZ, VLAN 50]
The problem that lies here is that all the web services are hosted on the same subnet, and while filtering is being performed between the outside and the DMZ, there is no filtering within the DMZ. Suppose a security breach occurs on your web server through a web application vulnerability. After the web server has been compromised, it has unrestricted access to the other hosts on the DMZ. The mail server can now be compromised using an exploit against ports that would have been off limits, such as 135, 139, and 445. In addition, servers and network devices that were previously inaccessible from the Internet can now be attacked from the compromised host. Through the use of subinterfaces and VLANs, we can now segregate our DMZ servers and apply different security policies to each server or each group depending on your configuration. We can take control over what traffic, if any, will pass between these servers.
[Figure: segmented DMZ; labels shown: DMZ VLAN 25, VLAN 50, Inside]
To configure a subinterface from the command line, simply enter the interface command followed by the interface, including a fractional decimal value:
ASA5510(config)# interface ethernet 0/0.1
Within the interface configuration mode, assign additional parameters, such as logical name, IP address, security level, and VLAN:
ASA5510# config t
ASA5510(config)# int e0/2.1
ASA5510(config-subif)# vlan 25
ASA5510(config-subif)# security-level 25
ASA5510(config-subif)# nameif web
ASA5510(config-subif)# ip address 121.77.61.1 255.255.255.248
ASA5510(config)# int e0/2.2
ASA5510(config-subif)# vlan 50
ASA5510(config-subif)# security-level 50
ASA5510(config-subif)# nameif mail
ASA5510(config-subif)# ip address 121.77.61.10 255.255.255.248
ASA5510(config)# int e0/2.3
ASA5510(config-subif)# vlan 75
ASA5510(config-subif)# security-level 75
ASA5510(config-subif)# nameif DNS
ASA5510(config-subif)# ip address 121.77.61.17 255.255.255.248
After configuring the interface, you configure NAT rules and access control lists (ACLs) and apply these the same way that you do when using physical interfaces.
As you should know, one of RIP v2's improvements over v1 is the support for authentication. Although authentication of routing protocols is a best practice that makes lots of sense to me, I have found that it is not used the majority of the time in production networks. If this is something that is under your control, invest the small amount of time required to secure your routing tables. You can configure authentication on a per-interface basis. To enable authentication of RIP, navigate to Configuration > Device Setup > Routing > RIP > Interface. On this screen, select an interface, and then click Edit.
Notice that you can control the version and authentication on a per-interface basis. You can also choose between MD5 and clear text authentication. Although many devices default to clear text, MD5 should be implemented when possible.
If there are routes being advertised to you that you want to ignore, or networks that you do not want advertised to other devices, you can control this using RIP filter rules. From the command line, or when using a router, this is referred to as a distribute list. Select the Filter Rules tab and then click the Add button.
Click the Add button again to add the network that you want to filter.
Finally, define the interface and direction to which this filter should be applied. In this example, I want to prevent the 192.168.1.0 network from being advertised through the outside interface.
Redistribution is used to pass information from one routing protocol, such as Open Shortest Path First (OSPF), into another routing protocol, such as RIP. The ASA can perform redistribution of routes between routing processes. This is not generally something that you want to do, but something that you might be required to implement because of a merger or to support legacy hardware. Redistribution can be configured from the Redistribution tab beneath the routing process. Just click the Add button, and then specify the criteria for the process that you want to redistribute into RIP. Notice that Static, Connected, EIGRP, and OSPF are supported.
The ability to act as a designated router (DR), Area Border Router (ABR), and even an Autonomous System Boundary Router (ASBR)
Support for two separate OSPF processes
Support for both clear text and MD5 authentication
Filtering of Type 3 link-state advertisements (LSAs)
Support for OSPF virtual links
OSPF can be enabled from the command line with the router ospf process-id command. You can enable OSPF from ASDM via Configuration > Routing > OSPF > Setup. The first step is to enable OSPF and assign a process ID. Notice there are two processes available. You can configure separate routing processes for two different groups of interfaces, ensuring there is no leak of information from the topology tables of mission-critical networks to less-trusted networks.
Routers running an OSPF routing process perform summarization on ABRs. When administering the ASA, you can manipulate summarization manually by adding statements to the OSPF process. You can do this via the command-line interface (CLI) or ASDM. To configure using ASDM, navigate to Configuration > Device Setup > Routing > OSPF > Summary Address.
MD5 and clear text authentication are supported by OSPF, similar to what we saw in RIP. Authentication requires some configuration within the routing process and within the interface. Overall, it is easy to configure and will protect your network from possible man-in-the-middle attacks or denial-of-service (DoS) via route poisoning. To configure authentication, navigate to Configuration > Device Setup > Routing > OSPF > Interface. Under the Authentication tab, select the interface that you want to modify authentication properties for, and then click the Edit button.
If you are performing authentication of routing updates, I recommend using MD5 authentication. To enable this, first select the MD5 Authentication radio button. Under the MD5 IDs and Keys section, specify a key identifier and key, and then click Add.
Type 3 LSAs (summary LSAs sent to ABRs) exchanged between OSPF neighbors can be limited through the use of filtering. If you configure filtering from the CLI, you use a prefix list rather than a distribute list. ASDM simplifies configuration by simply calling it filtering, and you can configure it via Configuration > Device Setup > Routing >
One of the principal characteristics of OSPF is the hierarchy that is enforced regarding area 0, and that all inter-area traffic must pass through area 0. As you might recall, if you want to get from area 1 to area 2, it must pass from area 1 to 0 to 2, and then back from 2 to 0 to 1. Each area within an OSPF topology must be directly connected to area 0.
As there is an exception to every rule, virtual links enable us to connect to area 0 without a direct physical connection. We can build a logical link through another area into the backbone area. This is never something you would do from a design perspective, but something you could do in a pinch to make things work.
The ASA supports virtual links, and you can configure them from the CLI or GUI. CLI configuration is similar to that of a router. ASDM configuration is simpler and can be accomplished via Configuration > Device Setup > Routing > OSPF > Virtual Link.
Hello intervals, hold times, split horizon, and authentication can be configured on a per-interface basis. Keep in mind that adjacent EIGRP neighbors need to agree on these parameters,
Redistribution can also be configured by selecting the Redistribution link under the EIGRP process. Notice that static routes, directly connected routes, RIP, and OSPF can be redistributed into EIGRP.
You can verify the routes within the routing table from the CLI by using the show route command. Routes can be verified using ASDM by selecting the Monitoring tab, the Routing panel, and then clicking the Routes link.
Redistribution
If multiple routing protocols are being used within a single environment, redistribution of reachability from one routing protocol to another might be required. This is not something that you would usually build in to your network on purpose, but is often the result of mergers and acquisitions. Redistribution is possible between all protocols, but the thing to remember is that the metrics do not match. Suppose, for instance, that you want to pass routing information from RIP to OSPF. Well, OSPF does not use hop count. Therefore, you must manually set a metric for what the cost of these routes should be. The same is true if you were to pass OSPF routes into RIP. RIP does not have a cost, so you must manually define the hop count for these external routes.
There is another operating mode called network RRI. This is used with network extension mode of EasyVPN. When a remote network connects to the central network, the ASA can inject a network route (a /24 perhaps) for the remote office. This update notifies internal devices as to whether the remote network is reachable and instructs them that to get there they must send traffic to this ASA.
Multicast
The ASA and Firewall Services Module (FWSM) are making their way further into our networks. Companies have begun moving firewalls from the perimeter of the network toward the center of the network. Instead of relying on Layer 3 switches and ACLs, we can now perform stateful packet inspection and application layer inspection of inter-VLAN traffic. Although this drastically enhances security, it also introduces new challenges. One of these challenges is forwarding multicast traffic. As you know, multicast is used by videoconferencing, telepresence, software distribution services, stock quotes, routing protocols, video games, and many other technologies. Beginning in software Version 6.2, the PIX firewalls could support multicast applications with Stub Multicast Routing (SMR). Currently, the ASA supports SMR, Internet Group Management Protocol (IGMP), and Protocol Independent Multicast (PIM).

Although IGMP and PIM both handle the delivery of multicast traffic to recipients, they are slightly different. Routers use IGMP to discover hosts that want to subscribe to a multicast transmission by sending IGMP queries. A host may respond to an IGMP query by sending an IGMP report upstream. IGMP is traditionally used within the network, whereas PIM is a multicast routing protocol that provides reverse path forwarding information independent of the interior routing protocol. It is used mostly in the LAN, but can also provide multicast feeds to remote WAN sites. PIM uses unicast and multicast forwarding tables to pass multicast traffic from one network to another. IGMP is used within a network for clients and routers to communicate. PIM also uses a concept called a rendezvous point (RP), which almost acts as a central meeting place for multicast sources and multicast clients. If a server is to offer a multicast resource, it will register with an RP. Clients interested in multicast resources can also register with the RP to discover servers. The ASA can be configured to act as an RP.
Chapter 3
IPsec VPNs
Essential Terminology
Simply put, IPsec is a framework for providing reliable and secure communication between hosts. This additional protection is provided at the IP layer of the OSI model. IPsec is based on Internet Key Exchange (IKE), Authentication Header (AH), and Encapsulating Security Payload (ESP). These protocols work together to provide secure tunnels between a pair of hosts that are IPsec capable. The list of potential hosts includes but is not limited to firewalls, VPN concentrators, routers, cellular phones, PDAs, workstations, laptops, and servers. Let's examine each of these protocols individually.
Phase 2 is responsible for negotiating an IPsec (data) SA. Main mode or aggressive mode can be used during IKE phase 1.
Main mode consists of six messages between the IPsec peers.
Aggressive mode uses only three messages. Quick mode is used during IKE phase 2.
Note
AH is not supported on Cisco security appliances beginning with software Version 7.0. AH was previously supported on the PIX platform in software Versions 6.3 and earlier.
Previously, we used the terms confidentiality, integrity, and authentication; each of these can be achieved through the use of appropriate protocols.
Confidentiality: Ensure that data is secure from eavesdropping. Symmetric encryption is used to secure the data.
Commonly implemented through the use of Advanced Encryption Standard (AES), Triple Data Encryption Standard (3DES), and Data Encryption Standard (DES).
Integrity: Ensure that data has not been altered during transmission. Achieved through the use of a keyed hash algorithm. Commonly used algorithms include Message Digest 5 (MD5-HMAC) and Secure Hash Algorithm 1 (SHA-1-HMAC).
Authentication: Guarantee that the remote peer is authentic. Methods of authentication include digital certificates and pre-shared keys.
Encryption and hash algorithms vary in strength. Here is a refresher of these values:
AES: Symmetric encryption algorithm that has a key length that can vary between 128, 192, and 256 bits
3DES: Symmetric encryption algorithm that was supposed to have an effective key strength of 168 bits (3 x 56), but many cryptanalysts argue that the strength is effectively 112. The factors that determine the types of attacks used against 3DES are beyond the scope of this book.
DES: Another symmetric encryption algorithm, which became a standard in July 1977. DES has a 56-bit key and is no longer considered cryptographically adequate protection for production data.
RSA: Asymmetric encryption algorithm whose length of key varies, but often 512 to 2048 bits
ance, besides the fact that it is referenced by a transform set, which is applied to a crypto map, which goes on an interface.
2. When interesting traffic is detected, the two peers negotiate a management session through the successful negotiation of an ISAKMP SA. This is achieved through successful negotiation of policy sets during IKE phase 1.
3. After an ISAKMP SA has been successfully negotiated, the two peers begin IKE phase 2. IKE phase 2 uses the transform set to determine how end-user data should be protected. Upon successful negotiation of transform sets, the two peers will establish two IPsec SAs (one for transmit, one for receive). Each SA is independently keyed. IKE phase 2 defines how the payload should be protected.
Symmetric Encryption
Symmetric encryption refers to encrypting and decrypting data using the same key by both peers. This type of encryption has been used for thousands of years, and continues to be used today. Whenever you construct an IPsec or Secure Sockets Layer (SSL) virtual private network (VPN), you are using symmetric encryption to protect data as it crosses the network. Whenever you use SSH to administer a remote device, or HTTPS to read email or purchase items online, you are using symmetric encryption. Although symmetric encryption is very fast by comparison to asymmetric encryption, there is a catch: key distribution. How do you get the secret key that will be used to decrypt data to the other side?
Symmetric key comparison
Advantage: Very fast
Disadvantage: Key distribution (How do we transmit the secret key to the other side?)
Asymmetric Encryption
Unlike symmetric encryption algorithms, asymmetric encryption algorithms use a different key for encryption than for decryption. In other words, a user knowing the encryption key of an asymmetric algorithm can encrypt messages, but cannot decrypt the message because he does not possess the decryption key. The encrypted message can be decrypted only by the other party. Each host that is communicating using asymmetric encryption needs to generate a key pair. One of these keys is referred to as a private key and the other as a public key. As you can tell from the names of these keys, one is meant for distribution, the other is to be kept secret. If Alice encrypts a message using her private key, the message can be decrypted by anyone who has a copy of Alice's public key. The encryption of the hash of a message using the private key is the basis of digital signatures and digital certificates.
If Alice wants to encrypt a message to her associate Bob, they will first exchange public keys. Alice will encrypt the message using Bob's public key. Bob will decrypt the message using his private key, known only to him. Because of the large key sizes and the algorithm used, asymmetric encryption is very slow and rarely used for bulk data encryption. Asymmetric encryption is mainly used for peer authentication and message integrity.
Diffie-Hellman
The Diffie-Hellman algorithm is used between IPsec devices during IKE phase 1 to build a secret key. After this secret key has been calculated, it is used to protect end user data and management traffic between the IPsec peers. Now that you have that basic understanding, let's review the things you should know already about IPsec.
IPsec Components
IKE policy set: Used for negotiation of an ISAKMP SA. Includes encryption algorithm, Diffie-Hellman group, hashing algorithm, SA lifetime, and authentication method.
Transform set: Used for negotiation of an IPsec SA. A transform set includes parameters such as cipher, integrity algorithm, lifetime, and mode.
Security association: The negotiated algorithms and parameters used to protect traffic are referred to as security associations.
Crypto access control list: An extended ACL identifies the traffic we want to encrypt, or not encrypt.
Crypto map: Ties together other portions of our configuration (transform set and ACL) and maps this information to a remote peer.
So if we look over the preceding list, everyone should agree that during IKE phase 1 two IPsec-capable devices would negotiate an ISAKMP SA. Within this SA, you will see a symmetric encryption algorithm, such as AES, 3DES, or DES. As you should know, symmetric encryption algorithms use the same key on each side to encrypt and decrypt data. So my question to you is this: How did it get there?
If ASA1 is encrypting data, using AES-128 for instance, we know that ASA2 must decrypt these messages using the same key. If we look over the configuration, do we see a key?
ASA5510# show run
...omitted...
tunnel-group 192.168.2.2 type ipsec-l2l
tunnel-group 192.168.2.2 ipsec-attributes
 pre-shared-key omitted
...
Above is the only key that we see for our peer ASA2, and some people would think that this must be the key used for AES encryption, but it is not. The key shown here is used for authentication during IKE phase 1. In the policy set, you define an authentication method, pre-shared keys, or digital certificates. If a pre-shared key is used, this is set up on each ASA before the first tunnel can be established.
We now have two questions to answer. What is Diffie-Hellman used for, and how do we get a key on ASA1 and ASA2 so that AES can be used to carry end-user data from site 1 to site 2? Some of you may have just figured it out.
Simply put, Diffie-Hellman is an asymmetric means to symmetric encryption. ASA1 and ASA2 want to pass encrypted data between one another, and because asymmetric encryption requires excessive overhead they will need to use a symmetric encryption algorithm to perform payload protection. Diffie-Hellman makes this possible by calculating a "shared key" across a nonsecure medium such as the Internet.
IKE Phase 1
Each ASA will generate two values, a public value and a private value. Each peer transmits the public value it calculated to its peer. Each ASA will run its private value and the peer's public value through an algorithm, which results in a shared secret on each side of the connection. The shared secret is then used to generate several encryption keys, one of which is used to protect the phase 1 SA. The use of the other keys is beyond the scope of this book. IKE phase 1 and phase 2 each have a lifetime. The phase 1 lifetime is configured in the ISAKMP policy, and the phase 2 lifetime is configured in the transform set. If Perfect Forward Secrecy (PFS) is configured in the crypto map, Diffie-Hellman is run at the end of the phase 2 lifetime. PFS ensures the new keys are not derived from the old keys.
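As an added example (not from the book and not Cisco's implementation), the following Python models the phase 1 exchange described above and the point made earlier in the chapter: each peer keeps its private value, only the public values cross the wire, both sides arrive at the same shared secret and derive the same AES key from it, and the pre-shared key serves only to authenticate the peer. The peer names, the pre-shared keys and the simplified HMAC-SHA1 key derivation are assumptions for the demonstration; the modulus is the 1024-bit MODP group from RFC 2409 (IKE DH group 2).

```python
import hashlib
import hmac
import secrets

# Constructed illustration of the IKE phase 1 Diffie-Hellman exchange; not ASA code.
# Modulus: the 1024-bit MODP group from RFC 2409 (IKE DH group 2), generator 2.
DH_GROUP2_P = int("".join("""
FFFFFFFF FFFFFFFF C90FDAA2 2168C234 C4C6628B 80DC1CD1 29024E08 8A67CC74
020BBEA6 3B139B22 514A0879 8E3404DD EF9519B3 CD3A431B 302B0A6D F25F1437
4FE1356D 6D51C245 E485B576 625E7EC6 F44C42E9 A637ED6B 0BFF5CB6 F406B7ED
EE386BFB 5A899FA5 AE9F2411 7C4B1FE6 49286651 ECE65381 FFFFFFFF FFFFFFFF
""".split()), 16)
DH_GROUP2_G = 2
P_BYTES = (DH_GROUP2_P.bit_length() + 7) // 8


def valid_public_value(value: int) -> bool:
    """Reject 0, 1 and p-1, which would force a degenerate shared secret."""
    return 2 <= value <= DH_GROUP2_P - 2


class IkePeer:
    """One IPsec peer's view of phase 1 (names and pre-shared keys are constructed)."""

    def __init__(self, name: str, pre_shared_key: bytes):
        self.name = name
        self.pre_shared_key = pre_shared_key   # authenticates the peer; never the AES key
        self._private = None                   # the private DH value never leaves this peer
        self.shared_secret = None

    def generate_public_value(self) -> int:
        """Pick a fresh private value x and return g^x mod p, the value sent on the wire."""
        self._private = secrets.randbelow(DH_GROUP2_P - 3) + 2
        return pow(DH_GROUP2_G, self._private, DH_GROUP2_P)

    def compute_shared_secret(self, peer_public: int) -> int:
        """Combine our private value with the peer's public value."""
        if self._private is None:
            raise ValueError("generate_public_value() must run first")
        if not valid_public_value(peer_public):
            raise ValueError("rejected peer public value")
        self.shared_secret = pow(peer_public, self._private, DH_GROUP2_P)
        return self.shared_secret

    def derive_key(self, label: bytes, length: int = 16) -> bytes:
        """Derive one of several keys from the shared secret.
        Simplified HMAC-SHA1 keying (an assumption); IKE's SKEYID derivation differs in detail."""
        secret = self.shared_secret.to_bytes(P_BYTES, "big")
        return hmac.new(secret, label, hashlib.sha1).digest()[:length]

    def auth_tag(self, nonce: bytes) -> bytes:
        """Phase 1 authentication proof: binds the pre-shared key to this exchange."""
        return hmac.new(self.pre_shared_key, nonce + self.derive_key(b"auth"), hashlib.sha1).digest()


def phase1_exchange(a: IkePeer, b: IkePeer) -> bool:
    """Run the exchange; True when both sides derive the same AES-128 key."""
    public_a = a.generate_public_value()
    public_b = b.generate_public_value()
    a.compute_shared_secret(public_b)
    b.compute_shared_secret(public_a)
    return a.derive_key(b"aes-128") == b.derive_key(b"aes-128")


def pfs_rekey(a: IkePeer, b: IkePeer) -> bool:
    """PFS: a fresh exchange yields keys unrelated to the old ones; True when the key changed."""
    old_key = a.derive_key(b"aes-128")
    return phase1_exchange(a, b) and a.derive_key(b"aes-128") != old_key


def peers_authenticate(a: IkePeer, b: IkePeer, nonce: bytes) -> bool:
    """Authentication succeeds only when both peers hold the same pre-shared key."""
    return hmac.compare_digest(a.auth_tag(nonce), b.auth_tag(nonce))


if __name__ == "__main__":
    asa1 = IkePeer("ASA1", b"constructed-psk")
    asa2 = IkePeer("ASA2", b"constructed-psk")
    print(phase1_exchange(asa1, asa2))                      # True
    print(peers_authenticate(asa1, asa2, b"\x01" * 16))     # True
    print(pfs_rekey(asa1, asa2))                            # True
```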
Security Associations
A security association (SA) is a collection of parameters that specify how data is to be protected when communicating with a peer. An ISAKMP SA defines how to protect the IPsec policy negotiation from one ASA to another ASA. An IPsec SA defines how user traffic from one host to another host should be protected. ISAKMP SAs are bidirectional, whereas IPsec SAs are unidirectional. Therefore, each site-to-site connection will have one ISAKMP SA and two IPsec data SAs, one for inbound traffic, and another for outbound traffic.
Note
Although it is not technically correct, Cisco documentation consistently uses ISAKMP and IKE phase 1 to mean the same thing. Likewise, IPsec is used interchangeably with IKE phase 2.
Security Parameter Index (SPI): A unique 32-bit number that is used to associate an SA with an encrypted packet. Within the ESP header, there is a field for the SPI that is used to map that encrypted data with an SA. The parameters found in the SADB are used to select the key to encrypt or decrypt the payload of the packet.
Encryption algorithm: Defines how the data is protected: AES, 3DES, DES.
Authentication algorithm: A keyed hash, or HMAC (Hashed Message Authentication Code): MD5-HMAC, SHA1-HMAC.
Mode: The mode IPsec is working as: tunnel or transport.
Lifetime: The number of seconds or kilobytes that a key should be used; when this lifetime is exceeded, a new key is created.
Note
You can view the SA after an IPsec tunnel has been established by using the show crypto ipsec sa command. You will notice the SPI values. If you inspect the traffic flow and analyze the ESP header, you will notice the same SPI values from the SAs, but this time they are found in the ESP header.
Digital Certificates
When choosing a method of authentication, your options are pre-shared keys and digital certificates. A pre-shared key is simply a password or key that matches on both sides of the tunnel. If the foreign IP knows the password, it is safe to assume that we are communicating with a legitimate host. Although pre-shared keys are commonly implemented, they are not the most secure method of authentication available. The most secure method of authentication is RSA signatures, also known as digital certificates. Not only are digital certificates more secure, but they are also much more scalable than pre-shared keys. If you were to configure a network that allowed office-to-office communication and there were currently 12 offices, you would need a pre-shared key for each connection. Based on the well-known formula to calculate the number of peers in a full mesh, n(n-1)/2, you would need 66 pre-shared keys. Each time you add an office, this number grows exponentially. With 12 sites, you need to configure 66 pre-shared key entries on each peer SA. If you add 8 more sites, the number of entries jumps to 190 on each peer. Clearly, this is not a workable solution for large meshes. Many companies solve this full-mesh issue by using the same key for all sites (a wildcard pre-shared key), but this is a security risk. If the pre-shared key is compromised on one peer, it is compromised for all peers.
If you use digital certificates in place of pre-shared keys, each device must enroll with the CA server. After a device has
been added to your domain, it can then authenticate to other devices, and now your network has become much more easily scalable.
IPsec VPNs
So what exactly is a digital certificate? Earlier we learned the difference between public keys and private keys, and we know that a private key is kept secret whereas a public key can be distributed. The question is this: How exactly do we distribute the public key? If you look at a public key, it is not very pretty:

ASA# show crypto key mypubkey rsa
% Key pair was generated at: 20:21:23
Key name: TP-self-signed-312742119
 Usage: General Purpose Key
 Key is not exportable.
 Key Data:
  30819F30 0D06092A 864886F7 0D010101 05000381 8D003081 C4B06988 40A7CF42
  46C031C9 1D95A77C 58695E4E B59CC533 F0B2B814 8A51ECC4 822EC72A 4EEC78C9
  E07ACB50 FFE1E307 85D6874B DBE10BAD EA4971C3 2301CA93 W6BEBB BBA1CB82
  E9340B3F 1E295953 C3A26ECD BBFA6171 F3489BD4 97FBD9EE
% Key pair was generated at: 02:58:38 UTC Dec 1 2008
Key name: TP-self-signed-312742119.server
 Usage: Encryption Key
 Key is not exportable.
 Key Data:
  307C300D 06092A86 4886F70D 01010105 00036B00 30680261 B5D54D82 BA36237B
  85822929 59BF33E3 44A4FDAE C956028E 4592CC36 50D020CA B40839C6 6FB0093C
  2DBF8888 7BBAFC59 0BC30EBE 93A892EB 6C5A9601 37382997 89986Bm 7C2C8B23
As you can see here, an RSA public key looks like a large block of hexadecimal characters, which leaves us with many questions: How is this key to be distributed? How will someone know that this strange block of hex belongs to me? How can someone else tell whether my private key has been compromised? The answer to all these questions lies in the X.509v3 standard. X.509v3 defines standard formats for digital certificates and for many other components of the Public Key Infrastructure (PKI). Although a public key on its own is not very impressive to look at, after it has been formatted according to the X.509v3 specification as a digital certificate, everything seems much more logical. This formatting enables us to define the following parameters and associate them with our key pair:

- Version
- Serial number
- Signature algorithm
- Issuer
- Validity (not before, not after)
- Subject
- Subject public key info (public key algorithm and subject public key)
- Issuer unique identifier (optional)
- Subject unique identifier (optional)
- Extensions (optional)
- Certificate signature algorithm
- Certificate signature

To obtain a digital certificate, one must be requested from a certificate authority (CA). This is referred to as certificate enrollment. You log in to a device and generate an RSA key pair. The public key is then bundled into a certificate signing request (CSR) along with the information that you want to associate with the key (as discussed earlier). The protocol used by Cisco security appliances for the enrollment of a digital certificate is the Simple Certificate Enrollment Protocol (SCEP).
After the enrollment request has been sent to the CA server, the administrator verifies the information and, if it is accurate, approves the creation of a digital certificate. The final product includes the public key generated by your device, the information you entered during enrollment (FQDN, O, OU, and so on), and the signature of the CA. This signature is similar to the holographic seal on your driver's license: it guarantees the authenticity of the digital certificate. After digital certificates have been installed on network devices within your organization, they can be used as a means of authenticating one device to another. This authentication type is referred to as rsa-sig within the configuration of the ASA. Note that the CA's signature only proves that the certificate was issued; whether a private key has since been compromised is answered by revocation checking (a CRL or OCSP, either of which the ASA trustpoint can be configured to consult), so enable it rather than relying on the validity dates alone.
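To make the "strange block of hex" concrete, here is an added Python example (not code from the Quick Reference or from Cisco) that builds and decodes the DER SubjectPublicKeyInfo structure that the Key Data dump above is printed in, using only the standard library. The 1024-bit modulus is a made-up number of the right size, not a real key. The leading groups it prints (30819F30 0D06092A 864886F7 0D010101 05000381 8D00...) are the same ones at the head of an ASA key dump, because that is the ASN.1 header for an rsaEncryption key; the SHA-1 fingerprint is what a CA or peer can compare out of band.

```python
import hashlib

RSA_ENCRYPTION_OID = "1.2.840.113549.1.1.1"   # appears as 2A864886F70D010101 in the dump


def _der_length(n):
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _tlv(tag, content):
    return bytes([tag]) + _der_length(len(content)) + content


def _der_integer(value):
    body = value.to_bytes(max(1, (value.bit_length() + 7) // 8), "big")
    if body[0] & 0x80:              # a leading zero keeps the INTEGER positive
        body = b"\x00" + body
    return _tlv(0x02, body)


def _der_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = bytearray([arc & 0x7F])
        arc >>= 7
        while arc:                  # base-128, high bit set on all but the last byte
            chunk.insert(0, 0x80 | (arc & 0x7F))
            arc >>= 7
        out += chunk
    return _tlv(0x06, bytes(out))


def encode_rsa_spki(modulus, exponent):
    """SubjectPublicKeyInfo ::= SEQUENCE { AlgorithmIdentifier, BIT STRING { RSAPublicKey } }"""
    rsa_public_key = _tlv(0x30, _der_integer(modulus) + _der_integer(exponent))
    algorithm = _tlv(0x30, _der_oid(RSA_ENCRYPTION_OID) + b"\x05\x00")   # rsaEncryption, NULL
    return _tlv(0x30, algorithm + _tlv(0x03, b"\x00" + rsa_public_key))  # 0 unused bits


def _read_tlv(buf, pos):
    """Return (tag, content, position after the element)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def _decode_oid(content):
    arcs, value = [content[0] // 40, content[0] % 40], 0
    for b in content[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(str(a) for a in arcs)


def parse_rsa_spki(der):
    """Pull the algorithm, modulus and exponent back out of the hex blob."""
    tag, spki, _ = _read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("SubjectPublicKeyInfo must be a SEQUENCE")
    _, algorithm_id, pos = _read_tlv(spki, 0)
    _, oid, _ = _read_tlv(algorithm_id, 0)
    algorithm = _decode_oid(oid)
    if algorithm != RSA_ENCRYPTION_OID:
        raise ValueError("not an rsaEncryption key: " + algorithm)
    tag, bit_string, _ = _read_tlv(spki, pos)
    if tag != 0x03 or bit_string[0] != 0:
        raise ValueError("malformed subjectPublicKey BIT STRING")
    _, rsa_public_key, _ = _read_tlv(bit_string[1:], 0)
    _, n_bytes, pos = _read_tlv(rsa_public_key, 0)
    _, e_bytes, _ = _read_tlv(rsa_public_key, pos)
    modulus = int.from_bytes(n_bytes, "big")
    return {"algorithm": algorithm, "modulus": modulus, "bits": modulus.bit_length(),
            "exponent": int.from_bytes(e_bytes, "big"),
            "sha1_fingerprint": hashlib.sha1(der).hexdigest()}


def cisco_key_data(der):
    """Render DER the way 'show crypto key mypubkey rsa' prints Key Data: 8 hex digits per group."""
    h = der.hex().upper()
    return " ".join(h[i:i + 8] for i in range(0, len(h), 8))


if __name__ == "__main__":
    # Toy 1024-bit modulus: NOT a real RSA key, just a number of the right size.
    n = (1 << 1023) + 12345
    der = encode_rsa_spki(n, 65537)
    print(cisco_key_data(der))
    print(parse_rsa_spki(der))
```

What the certificate adds on top of this structure is everything in the list above, signed by the CA; the public key itself is carried unchanged inside the certificate's subjectPublicKeyInfo field.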
The first step of an IPsec tunnel is that a packet matches the crypto ACL. Therefore, this is a good place to begin troubleshooting IPsec. Make sure that this ACL has matches by using the show access-list command to inspect the hit count.
IKE Phase 1
When the security appliance detects interesting traffic, it begins negotiation with the remote peer using UDP port 500 for ISAKMP phase 1 (when NAT traversal is detected, the exchange moves to UDP port 4500, so both ports must be permitted on any firewall in the path). These negotiations determine which policies or methods will be used to protect the management traffic between the two IPsec VPN peers. The collection of policies used to secure the ISAKMP SA is called a policy set. A policy set includes the following parameters:
- Encryption (DES, 3DES, AES)
- Hash algorithm (MD5, SHA-1)
- Authentication (pre-shared, RSA-sig)
- Diffie-Hellman group (for example, group 2 or 5)
- Lifetime (seconds)
Although it is possible to have many policy sets, only one is required to construct an ISAKMP SA. If there are multiple sites with different security requirements, you must create different policy sets. Each policy set has a sequence number, and the lower sequence number has the higher priority. Therefore, it is essential that your most secure policies have the lowest sequence numbers. For example:
ASA5505# show run crypto isakmp
crypto isakmp enable outside
crypto isakmp policy 5
 authentication pre-share
 encryption aes-256
 hash sha
 group 5
 lifetime 86400
crypto isakmp policy 10
 authentication pre-share
 encryption aes
 hash sha
 group 5
 lifetime 86400
crypto isakmp policy 20
 authentication pre-share
 encryption 3des
 hash md5
 group 2
 lifetime 86400
Based on the policy sets listed here, if this device were to initiate an IPsec tunnel with another device, it would offer its policies in order of sequence number: policy 5 first, and if the remote side has a matching policy, management traffic is protected with AES-256. If policy 5 is not matched by the remote peer, policy 10 is considered, and then policy 20, until there is a match or the negotiation fails. There are two modes of negotiation for IKE phase 1: main mode and aggressive mode. Main mode (six messages) is used for site-to-site tunnels and whenever digital certificates are used for authentication. Aggressive mode (three messages) is what remote-access clients using pre-shared keys negotiate, because the client must send its group identity before the appliance can select the right key. Aggressive mode sends the identity and the authentication hash before the channel is encrypted, so a captured exchange can be used to attack a weak pre-shared key offline; prefer main mode with certificates, or long random keys, wherever you have the choice. The type of authentication to be used is defined in the policy set, as shown previously.
In summary, IKE phase 1 is the process of negotiating policy, key exchange, and peer authentication. This negotiation results in the formation of an ISAKMP security association (ISAKMP SA).
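Added example, not from the Quick Reference: Python that parses the show run crypto isakmp output above into policy sets and simulates phase 1 proposal selection. The peer configuration is assumed for the example. The matching rule follows the behavior Cisco documents: the initiator sends all of its policies in one proposal, and the responder walks its own policies in priority order until one matches a proposal on authentication, encryption, hash and DH group; lifetimes do not have to match and the shorter one is used. The example shows why sequence numbers matter on both ends: a peer that lists its 3DES/MD5 policy first pulls the tunnel down to 3DES/MD5 even though our appliance prefers AES-256.

```python
import re

# The 'show run crypto isakmp' output from the text, reproduced as a string for parsing.
LOCAL_ISAKMP_CONFIG = """\
crypto isakmp enable outside
crypto isakmp policy 5
 authentication pre-share
 encryption aes-256
 hash sha
 group 5
 lifetime 86400
crypto isakmp policy 10
 authentication pre-share
 encryption aes
 hash sha
 group 5
 lifetime 86400
crypto isakmp policy 20
 authentication pre-share
 encryption 3des
 hash md5
 group 2
 lifetime 86400
"""

# Constructed peer configuration (an assumption for the example): the weaker policy has
# the lower sequence number, i.e. the higher priority, on the peer.
PEER_ISAKMP_CONFIG = """\
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash md5
 group 2
 lifetime 3600
crypto isakmp policy 30
 authentication pre-share
 encryption aes
 hash sha
 group 5
 lifetime 3600
"""

MATCHED = ("authentication", "encryption", "hash", "group")   # lifetime is negotiated, not matched


def parse_isakmp_policies(config_text):
    """Return the policies as dicts, ordered by sequence number (lowest = highest priority)."""
    policies, current = {}, None
    for line in config_text.splitlines():
        m = re.match(r"crypto isakmp policy (\d+)", line)
        if m:
            seq = int(m.group(1))
            current = policies.setdefault(seq, {"seq": seq})
            continue
        m = re.match(r"\s*(authentication|encryption|hash|group|lifetime)\s+(\S+)", line)
        if m and current is not None:
            key, value = m.groups()
            current[key] = int(value) if key in ("group", "lifetime") else value
    return [policies[seq] for seq in sorted(policies)]


def negotiate_phase1(initiator_policies, responder_policies):
    """Select the phase 1 proposal. The responder walks its own policies in priority order
    and takes the first one that matches any received proposal on authentication,
    encryption, hash and DH group. Returns (initiator_seq, responder_seq, agreed_policy),
    or None when nothing matches."""
    for policy in responder_policies:
        for offer in initiator_policies:
            if all(offer.get(a) == policy.get(a) for a in MATCHED):
                agreed = {a: offer[a] for a in MATCHED}
                agreed["lifetime"] = min(offer["lifetime"], policy["lifetime"])
                return offer["seq"], policy["seq"], agreed
    return None


if __name__ == "__main__":
    local = parse_isakmp_policies(LOCAL_ISAKMP_CONFIG)
    peer = parse_isakmp_policies(PEER_ISAKMP_CONFIG)
    print("we initiate:  ", negotiate_phase1(local, peer))
    print("peer initiates:", negotiate_phase1(peer, local))
```

Run it both ways, as the main block does: when we initiate, the peer's policy 10 wins and the ISAKMP SA is 3DES/MD5; when the peer initiates, our policy 10 is reached first and the result is AES/SHA. The practical rule is that every peer should give its weakest acceptable policy the highest sequence number, or better, not configure it at all.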
IKE Phase 2
Upon completion of IKE phase 1, the security appliance commences IKE phase 2 (called quick mode), which secures the end-user data as it passes through a nonsecure network such as the Internet. In this step, a transform set defines the parameters used to form an IPsec SA. On the ASA, the protocol used to protect the end-user data is always ESP (the appliance does not support AH).
Transform Set
Use the following command to view the values of the transform set named ESP-AES-256-MD5 and the phase 2 SA lifetime:

ASA5505# show running-config crypto ipsec
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec security-association lifetime seconds 28800
After IPsec SAs have been created based on matching phase 2 policies, tunnels are established and end-user data can pass. An IPsec SA contains the following:
- Protocol (ESP)
- Mode (tunnel or transport)
- Lifetime (seconds or kilobytes)
- SPI (one per direction)
After IKE phase 2 negotiations have completed successfully, the end users can transmit data across the tunnel. The tunnel remains active as long as interesting traffic is passing through it. If the idle timeout expires with no interesting traffic detected, the SAs are removed and the tunnel is torn down.
Select the type of tunnel that you want to create: Site-to-Site or Remote Access.
After launching the wizard, specify the IP address of the IPsec peer and the authentication credentials.
Define the parameters for your IKE policy set. Remember, these are the parameters that will be used during IKE phase 1 to negotiate an ISAKMP SA: the algorithms used to protect the management traffic (our ASA communicating with the remote-side ASA about the IPsec tunnel).
Next we define the parameters for the transform set; here it is called IPsec Rule. These are the parameters that define how end-user data will be protected as it crosses the Internet, or any unprotected network.
Next we define the traffic that is to be protected. If this step were being configured from the CLI, we would write an extended ACL to define the traffic to be protected. In this case, we just define the local network and the remote private network (that is, the address space behind the public IP address defined earlier). You will notice at the bottom there is also an option to make this traffic flow exempt from Network Address Translation (NAT) rules.
Finally, we are done. You see a list of the attributes that you have defined in the preceding steps. If all the information is correct, accept these changes by clicking the Finish button.
Load Balancing
It is possible to pair two or more Cisco security appliances into a single logical unit for the purpose of load distribution. This logical grouping is referred to as a cluster. Although it is recommended to build this cluster from similar devices (ASAs, for instance), it is possible to mix ASAs, VPN concentrators, and PIX firewalls. Remember, however, that the PIX firewall does not support WebVPN.
When you create the cluster, a single IP address is assigned to the group as a whole. This IP address should be a globally routable IP address from the same subnet as the security appliances that are participating in the group.
Figure: a load-balancing cluster of four ASAs (ASA1 through ASA4) sharing the virtual IP address 5.5.5.5.
As you can see from the diagram, we have four ASAs that are part of the cluster. When a connection is made to the cluster IP address (5.5.5.5), that request is handled by the master of the cluster (in this case, ASA1). You can control which of the ASAs becomes the master by manipulating the priority. The priority is a numeric value between 1 and 10. Similar to routing protocol elections, the higher number means greater preference. Therefore, setting the priority to 10 on ASA1 establishes that it should be the master. When clients connect from the outside, their VPN client is configured to connect to the virtual IP address (5.5.5.5). However, when a client initiates a connection to this address, a redirect occurs, passing the client to the security appliance with the lightest load.
Load is calculated as a weighted ratio of the number of active connections on a device to the total number of active connections across the cluster. This information is sent from each secondary appliance, or slave, to the master. These load messages can be encrypted and are sent using UDP port 9023. When remote users or offices establish IPsec connections to the virtual IP, they are redirected to the concentrator with the lightest load. All current IPsec and AnyConnect clients support this redirect. IPsec site-to-site tunnels should be built to the physical interface IP addresses of the concentrators; their connections still count toward the load and play a factor in load balancing. The difference is that site-to-site tunnels do not experience the redirect at the beginning of the session.
Note
Configuration of load balancing can be performed using the ASDM GUI.
CHAPTER 4
Chapter 4
WebVPN and Endpoint Security
Serving as an alternative to traditional IPsec VPN clients, Cisco now offers WebVPN (also known as SSL VPN) solutions. A WebVPN can make use of the client's web browser alone, or download the AnyConnect client (which replaces the SSL VPN client) to build a secure connection to company resources. One of the biggest advantages of WebVPN is that the user does not require a preinstalled software client to build the secure connection. The user can connect using a web browser, and then after successful authentication gain access to certain corporate resources, or possibly download the AnyConnect client, which allows a greater level of access than the browser alone.
WebVPN functionality is provided by the ASA 5500 security appliances. WebVPN is not supported by the PIX 500 series firewalls because they lack a Secure Sockets Layer (SSL) crypto processor.
Similar to the function of an IPsec virtual private network (VPN) gateway, an SSL VPN gateway terminates the encrypted session and forwards data into the network in its standard format. For instance, if a user were to initiate a Telnet session through an SSL tunnel, the Telnet traffic would be encrypted between the user and the ASA, and then sent "in the clear" to the corporate LAN. If security within the corporate network is a concern, secure protocols such as Secure Copy (SCP), Secure Shell (SSH), and HTTPS should be used for remote administration. WebVPN can be implemented with three different client configurations: clientless, thin client, and the AnyConnect VPN client.
The intended applications for clientless or thin client SSL VPN are as follows:
- Corporate user at a public kiosk (such as a business center in a hotel)
- Residential workstation
- Partner
- Corporate desktop, if applications are limited
- Users for whom a simplified portal is preferred to full access
- Users who require remote connectivity occasionally

The intended applications for the full-tunnel AnyConnect client are as follows:
- VoIP users
- Company-managed workstations and laptops
- Users with diverse application requirements
- Users who frequently require secure remote access to the corporate LAN
SSL provides a secure means of communication between client and server. A digital certificate is used to authenticate the server, and optionally the client. The exchange of the session key is protected by the RSA key pair behind the server's certificate. The session key is then used with a symmetric cipher such as DES, RC4, 3DES, or AES.
Clientless
This is a nice simple solution for certain roles within your organization, such as sales and marketing personnel who require access to only a particular file share or internal website.
Clientless SSL is supported on the following:
Browsers
- Firefox
- Internet Explorer
- Netscape
- Safari
Operating systems
- Apple OS X
- Microsoft Windows
Thin Client
The thin client remote-access method refers to the use of a tiny applet (typically less than 100 KB) that is pushed to the client after authentication. This applet is ActiveX or Java based and requires permission to run within the browser. Once launched successfully, the thin client allows port forwarding of applications through the SSL connection. This allows access to internal devices using Telnet and SSH, access to mail servers using IMAP, POP3, and SMTP, and access to other nonweb applications.
When configuring the thin client, the firewall administrator must define the port that will be used on the client side (TCP port 2323, for example) and the internal resource that it will be forwarded to. When the client establishes an SSL VPN connection, the user can then connect to that local port to reach the corporate resource. This is referred to as port forwarding. Example: telnet 127.0.0.1 2323. This Telnet connection is forwarded through SSL to the ASA, where the SSL encapsulation is removed and the unencrypted Telnet traffic is forwarded to the server that was mapped by the firewall administrator.
One restriction of the thin client is that it requires administrative privileges to install the client.
Smart Tunnels
Smart tunnels can be thought of as the evolution of the thin client, because they allow similar access without the need for a local listening port on the client's machine, thus removing the requirement for administrative access. This feature was introduced in Version 8.0(2) of the ASA operating system. The only operating systems that currently support it are Windows 2000, XP, and Vista. Similar to the thin client, smart tunnel connections also require access to Java or ActiveX.
AnyConnect
The AnyConnect client was introduced in the 8.0 version of the ASA operating system to replace the SSL VPN client (SVC). AnyConnect provides transparent network access, similar to what is provided by the Cisco IPsec VPN client.
Installation of the AnyConnect client requires administrative privileges on the local machine.
AnyConnect (ASA version 8.x)
- Supports Windows, OS X, and Linux
- Supports DTLS for latency-sensitive applications
- Support for 64-bit operating systems
- 2.3 MB download

SSL VPN Client (ASA version 7.x)
- Supports Windows 2000 and XP
- Standalone installation
Upon successful connection of a traditional WebVPN session, the user may be presented with a link within the portal to download and install the AnyConnect client.
If you click the hyperlink, the Cisco AnyConnect SSL VPN client is installed on the user's workstation.
Once installed, the Cisco AnyConnect VPN client can be launched from the Start menu.
Launching the Cisco AnyConnect VPN client brings you to the interface shown here. Just enter the IP address or hostname of the ASA and then click Select.
Basic information about the connection can be verified. Notice the IP address that has been assigned, bytes sent, bytes received, and time connected.
If you select Details, you can view additional information, including protocol, cipher, compression, and more.
One neat detail, similar to the Cisco IPsec VPN client, is the additional virtual adapter that is installed. When an IP address is assigned from the server side, you can see that this IP is associated with the virtual interface by using ipconfig from the command prompt.
Cisco Secure Desktop (CSD) checks performed on the endpoint:
- Check OS.
- Check antivirus.
- Check firewall.
- Check antispyware.
- Scan for filenames.
- Scan for processes.
Note
The use of CSD is an excellent precautionary measure if you are considering allowing users to connect from workstations that are not owned and controlled by your organization. When a user establishes a clientless SSL or AnyConnect VPN connection, CSD can be pushed down. Before the connection is finalized and the user is allowed into the network, CSD scans the host to make sure that it is free of malware and checks various parameters of the operating system. The results of this scan are then compared against a profile stored on the ASA, and access is granted based on these results. The process of comparing client-generated results to a server-side (ASA) policy is referred to as a dynamic access policy (DAP). Dynamic access policies are selected based on a combination of endpoint attribute values such as operating system, prelogin policies, basic host scan results, and more. Whenever a user connects, a level of access is granted based on these parameters, and should something change that qualifies a host for a greater level of access, it is possible to alter the access policy while the user is connected. Keep in mind that the scan runs on the endpoint, so a deliberately hostile host can misreport its results; treat CSD as a hygiene check on cooperative machines rather than as a security boundary.
CSD features by client operating system:
- Windows: keylogger detection, pre-login assessment, host scan, cache cleaner
- Macintosh: host scan, cache cleaner
- Linux: host scan, cache cleaner

Host scan is an additional module pushed down to the client after authentication. Based on the preceding table, you see that Windows, Mac, and Linux support host scan. A host scan checks for a specific registry value or installed application on the Windows client; the attribute you are checking for is referred to as a watermark, and watermarks can even include hashes to validate that the file you are checking for is the one you expect.
A basic host scan identifies the remote operating system down to the service pack, and performs checks against the Registry and memory for watermarks. The basic host scan can be used to determine a great deal of information about the remote host, and this information is then used to apply a DAP to the user. Endpoint assessment goes a step beyond the basic host scan by checking the remote host for antivirus and antispyware applications and their versions. Endpoint assessment can also check for the presence of a software firewall. You can use the results returned by endpoint assessment to further refine DAP. Advanced endpoint assessment goes a step further than the previously mentioned techniques by pushing updates to the client based on the results of the other scans.
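Added example (not from the Quick Reference, and not Cisco's implementation): a Python model of DAP selection over host scan results, covering the aggregation described in the note above and the endpoint assessment attributes described here. Record names, attribute names and the grant names are assumptions for the example, and the host scan results are constructed. Every matching record contributes, a terminate action wins over any grant, and when nothing matches the default record applies on its own.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class DapRecord:
    name: str
    priority: int              # higher priority records are applied first when several match
    criteria: dict             # endpoint attribute -> required value, or a predicate(value) -> bool
    action: str = "continue"   # "continue" or "terminate"
    grants: tuple = ()         # resources (network ACL or bookmark list names) the record grants


def record_matches(record, endpoint):
    """Every criterion must hold (logical AND); an attribute the scan did not report never matches."""
    for attr, required in record.criteria.items():
        if attr not in endpoint:
            return False
        value = endpoint[attr]
        if callable(required):
            if not required(value):
                return False
        elif value != required:
            return False
    return True


def select_dap(records, endpoint, default_record):
    """Aggregate the matching records the way DAP selection does:
    - no record matches: the default record applies on its own
    - any matching record set to terminate: the session is refused
    - otherwise the grants of all matching records are combined, highest priority first"""
    matched = sorted((r for r in records if record_matches(r, endpoint)),
                     key=lambda r: r.priority, reverse=True)
    if not matched:
        matched = [default_record]
    names = [r.name for r in matched]
    if any(r.action == "terminate" for r in matched):
        return {"action": "terminate", "records": names, "grants": ()}
    grants = []
    for record in matched:
        for resource in record.grants:
            if resource not in grants:
                grants.append(resource)
    return {"action": "continue", "records": names, "grants": tuple(grants)}


# Constructed policy: record names, attribute names and grant names are assumptions for the example.
DEFAULT = DapRecord("DfltAccessPolicy", 0, {}, grants=("portal-only",))
RECORDS = [
    DapRecord("managed-windows-full", 20,
              {"os": lambda v: v.startswith("Windows"), "av.installed": True,
               "fw.enabled": True, "prelogin": "corporate"},
              grants=("acl-full-access",)),
    DapRecord("no-antivirus", 30, {"av.installed": False}, action="terminate"),
    DapRecord("kiosk-portal", 10, {"prelogin": "kiosk"}, grants=("bookmarks-intranet",)),
]

# Constructed host scan results, as the endpoint would report them.
MANAGED_LAPTOP = {"os": "Windows XP SP3", "av.installed": True, "fw.enabled": True, "prelogin": "corporate"}
UNPROTECTED_HOME_PC = {"os": "Windows Vista", "av.installed": False, "fw.enabled": True, "prelogin": "corporate"}
HOTEL_KIOSK = {"os": "Mac OS X", "av.installed": True, "prelogin": "kiosk"}
UNKNOWN_LINUX = {"os": "Linux", "av.installed": True}

if __name__ == "__main__":
    for label, host in [("laptop", MANAGED_LAPTOP), ("home pc", UNPROTECTED_HOME_PC),
                        ("kiosk", HOTEL_KIOSK), ("linux", UNKNOWN_LINUX)]:
        print(label, select_dap(RECORDS, host, DEFAULT))
```

The Linux host illustrates the failure mode to watch for: it reports no firewall attribute at all, so it matches nothing and silently receives the default policy. Make the default record the most restrictive one, not a convenience fallback.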
Secure Session
The data accessed by users during their WebVPN sessions can be encrypted within a secure partition if Windows 2000 or XP is in use. This process is referred to as Secure Session, Secure Desktop, or Vault. That is three names for a single technology; furthermore, it makes Secure Desktop a feature of Cisco Secure Desktop, two different things with very similar names. The technology itself is easy to understand, but the wording may confuse you in the future, so be aware. In a nutshell, the data is stored in a safe place during the session, and then wiped using a Department of Defense (DoD) sanitization algorithm.
Cache Cleaner
Although Secure Session is an extremely powerful feature, it is not supported on all operating systems. As a matter of fact, it works only on certain versions of Windows. If you are supporting Windows Vista, OS X, and Linux clients, you can still perform post-session cleanup with the cache cleaner. The cache cleaner erases all the data that was downloaded from the corporate network and any data that was input by the user.
When a user connects to the ASA WebVPN and enters a username, the user is then prompted for a password. At that point, the on-screen keyboard (OSK) launches, and the user uses the mouse to select the appropriate characters.
Clientless SSL VPN Configuration
3. Select a name for this connection, and the interface upon which SSL VPN will run. From this screen, we can also select the digital certificate that will be used by the ASA to authenticate itself to clients. By default, this is a self-signed certificate. However, you can also use your own certificate authority (CA) or a purchased certificate from a well-known CA such as VeriSign or Thawte. A self-signed certificate trains users to click through browser warnings, which defeats the one check that protects them from a spoofed portal, so use a certificate the clients already trust.
in earlier versions of code. The URL used to access SSL VPN is https://hostname.
5. Select the group policy. You can use an existing group policy or create a new group policy. Policies can be defined at the group level or the user level. If a profile is configured specifically for a user, it overrides the policy defined at the group level.
6. Configure a Bookmark list. The Bookmark list is a collection of URLs that a user is presented with in the SSL VPN portal. You can choose an existing URL list, or create a new list during the setup. Bookmarks can be created for
7. The final task is to verify the attributes that you have defined before finishing the wizard. When you click Finish, commands are pushed to the ASA. You can view all the commands that are pushed down; just select the option (under Preferences) within ASDM to preview commands before sending them to the device.
When the user clicks this link, however, he actually connects to the ASA, which launches an applet that manipulates the packets in such a way that you can use the application without opening ports on the local machine and proxying through them.
Smart Tunnels
Smart tunnels are a feature introduced in the 8.0(2) version of the ASA operating system. Smart tunnels replace the port forwarding technique used in 7.x code, which required a user to connect to a local port that would proxy the connection over SSL. One of the disadvantages of the earlier technique is that it required administrative access on the client machine. Smart tunnels circumvent the requirement for administrative rights while allowing the use of applications such as Outlook, Outlook Express, and Lotus Sametime through the SSL VPN.
When configuring smart tunnel access, you can define specific paths to executables that can be used to access internal applications. Beyond specifying a path, you can also perform an integrity check by comparing the hash of the executable with a known-good hash. You can use a utility such as fciv.exe to generate a SHA-1 hash of a file, import this value into the ASA, and have the ASA compare it against the same-name executable on the client's machine. Remember to regenerate and re-import the hash after every patch of the application, or the tunnel stops matching.
The difference between keepalives and DPD is that DPD waits until a worry timer expires before sending an "R-U-There" message. When configured for keepalives, the client sends a "Hello" message at a fixed interval regardless of the amount of traffic on the link.
Split Tunneling
When users build a connection to the ASA using IPsec or WebVPN, by default all traffic is routed through the tunnel.
The logic behind this configuration is that if the user is blocked from communicating with any host outside of the corporate network, the user's machine cannot easily be compromised from the Internet and then serve as a proxy for an attacker to gain access into the network. There are many browser vulnerabilities, and there have been exploits against browsers that would allow an attacker to relay an attack into the corporate network through the user's browser if the user were to visit the attacker's site while connected to the corporate network through the VPN. Although forcing all traffic through the VPN tunnel is a good security measure, it is not efficient and can be frustrating for users. Split tunneling allows traffic destined for the corporate network to pass through the VPN, while all other traffic is routed normally. The end result is that a user can log in to the corporate network using IPsec or WebVPN and still browse the Internet and have access to local resources such as file shares or printers on his personal network. Additional configuration is required if you instead want all traffic to pass through the tunnel and then back out to the Internet through the ASA. First, traffic must be allowed to enter and then leave your outside interface. This is enabled with the same-security-traffic permit intra-interface command, which is also required if the ASA is configured as a hub between two remote offices. You also need a nat statement for the outside interface, paired with a global statement that is also on your outside interface, allowing users to come through the tunnel to the ASA and then back out to the Internet.
CA server by creating user accounts, and then setting a one-time password (OTP) for the user to obtain the certificate. There is a link within ASDM to email the OTP to the user. When the user collects this key, he can then connect to WebVPN and download his digital certificate. Once installed locally, this certificate can be used for authentication alone or together with a username and password. Before a user or device installs a digital certificate, it must trust the CA server and install the CA's certificate, also known as the root certificate.
When you introduce time as a factor of authentication, you are likely to encounter users who receive an "Invalid Certificate" error because of a time mismatch. The configuration error could be as simple as the wrong time zone, or a date that is off by a few days to a few years. Whenever troubleshooting certificate issues, always be sure that the time and date are correct on both the ASA and the client; synchronizing the ASA to NTP removes the most common cause.
Note
The ASA can act as a CA server only when operating as a single context in routed mode. Transparent mode and multiple contexts are not supported.
CHAPTER 5
Chapter 5
Security Services Modules
One of the primary benefits of an ASA over the PIX is the ability to support security services modules (SSMs). There are two modules that exist for security purposes and one that is for interface expansion. The Content Security and Control (CSC-SSM) and the Advanced Inspection and Prevention (AIP-SSM) modules provide security services, while the 4GE-SSM offers additional Gigabit Ethernet interfaces. There are different hardware platforms for the security services modules, the SSM-10 and the SSM-20, plus the 4GE-SSM (yes, you guessed it, four Gigabit Ethernet interfaces). The AIP-SSM and CSC-SSM host a single 10/100/1000 Ethernet interface that can be used for in-band or out-of-band management and for software recovery. The software recovery procedure is covered at the end of this chapter. These modules can be managed from the command-line interface (CLI), the Adaptive Security Device Manager (ASDM), or Cisco Security Manager. Security modules can be monitored via the CLI, ASDM, or the Cisco Security Monitoring, Analysis, and Response System (MARS). The hardware specifications of each module are listed here:
SSM-10
2.0 GHz CPU
1.0 GB RAM
Flash-based file storage
150 Mbps throughput with ASA 5510
225 Mbps throughput with ASA 5520
10/100/1000 interface for management
Two logical interfaces: data channel and control channel
SSM-20
Flash-based file storage
375 Mbps throughput with ASA 5520
450 Mbps throughput with ASA 5540
4GE-SSM
Does not provide intelligent processing services, just additional ports.
Supports four UTP or four fiber interfaces.
Only four interfaces of the eight can be used to pass traffic.
Note
Cisco released the SSM-40 after the SNAA course was released. It supports up to 650 Mbps of throughput when installed in an ASA 5540.
Cisco CSC-SSM
The Cisco CSC-SSM has the ability to block or clean malicious traffic within the following protocols: SMTP, FTP, HTTP, and POP3. The application layer intelligence is provided by Trend Micro. While inspecting the aforementioned protocols, the CSC-SSM can monitor for signs of known spyware and viruses, known phishing sites, URLs that host prohibited content, and can even perform content-type validation.
Content-type validation is a new feature also supported on Integrated Services Routers (ISRs). The way that it works is by examining the header of a file and comparing it to the file type (.mp3, .doc, .exe, and so on). Every file type has what is sometimes called a magic number. A magic number is a unique string of characters that can be seen when the file is opened with a hex editor. For instance, if you open three different Microsoft Word .doc files in a hex editor, you will notice that they all have the same string of characters at the head of the file and at the tail of the file. The CSC module can make comparisons to known file types. Therefore, when a user renames an executable file (.exe) to .doc and tries to pass it through the firewall in an email, the CSC-SSM will identify the mismatch and take the appropriate action. The antispam engine within the CSC-SSM is equally impressive. Not only does it perform your standard filtering based on the content of the email, but it also does a reverse lookup, or repudiation check, to make sure that the email was not spoofed and did come from the correct source. Furthermore, the antispam engine uses blacklists similar to other filtering software on the market. These features are limited based on software license, but with the features enabled from the Plus License, Cisco claims to be able to catch 99 percent of spam before it reaches your mail server. As mentioned previously, the CSC-SSM is available on both the SSM-10 and SSM-20 platforms. Beyond having an option of which platform you select, there are also licensing options to choose.
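The magic-number comparison described above, written out as an added example (not Cisco or Trend Micro code): the declared extension of an attachment is checked against the signature bytes at the head of the file, and the renamed .exe case is the one that gets blocked. The signature table and the attachment bytes are constructed for illustration.

```python
"""Content-type validation by magic number, modelled on the CSC-SSM check
described above: the file's declared extension is compared with the signature
bytes at the head of the file. Added example, not Cisco or Trend Micro code;
the attachment bytes are constructed."""

from typing import List, Optional, Set, Tuple

# Leading-byte signatures for a few common types, each mapped to the
# extensions that legitimately carry it (an OLE2 header is shared by
# .doc, .xls and .ppt, so a genuine .xls must not be flagged).
SIGNATURES: List[Tuple[bytes, Set[str]]] = [
    (b"MZ", {".exe", ".dll"}),                                        # DOS/PE executable
    (b"\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1", {".doc", ".xls", ".ppt"}),  # OLE2 compound file
    (b"%PDF-", {".pdf"}),
    (b"PK\x03\x04", {".zip", ".docx", ".xlsx"}),                      # ZIP container
    (b"ID3", {".mp3"}),
]


def declared_extension(filename: str) -> str:
    """Lower-cased extension from the file name, or '' if there is none."""
    return "." + filename.rsplit(".", 1)[1].lower() if "." in filename else ""


def signature_extensions(data: bytes) -> Optional[Set[str]]:
    """Extensions consistent with the magic number at the head of data, or None."""
    for magic, exts in SIGNATURES:
        if data.startswith(magic):
            return exts
    return None


def validate_attachment(filename: str, data: bytes) -> Tuple[str, str]:
    """Return (verdict, detail); verdict is 'allow', 'block' or 'unknown'.

    'block' is the case the text describes: an .exe renamed to .doc still
    starts with MZ, so the header and the name disagree.
    """
    declared = declared_extension(filename)
    allowed = signature_extensions(data)
    if allowed is None:
        return "unknown", f"{filename}: no known magic number in header"
    if declared not in allowed:
        return "block", (f"{filename}: header matches {sorted(allowed)} "
                         f"but name claims {declared or '(none)'}")
    return "allow", f"{filename}: header consistent with {declared}"


if __name__ == "__main__":
    # Constructed samples: a PE stub renamed to .doc, then a real OLE2 header.
    for name, blob in [("invoice.doc", b"MZ\x90\x00" + b"\x00" * 28),
                       ("invoice.doc", b"\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1" + b"\x00" * 24)]:
        print(validate_attachment(name, blob))
```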
CSC SSM-20, Base License: 500 users; antivirus, antispyware, file-blocking services
CCSP SNAA Quick Reference by Ryan Lindfield
A few different terms are used to describe the accuracy of an alert generated by an IPS. First, positive, which means an alert was generated, followed by negative, which refers to any condition in which an alert was not generated. This brings us to the following terms:
True positive: An attack was passing through the network and was successfully identified.
False positive: An alarm was generated, but the traffic that was passing through the network was legitimate traffic and was not harmful.
True negative: An alarm was not generated, and legitimate traffic is passing. This is a normal state.
False negative: An alarm was not generated, but an attack has passed by undetected.
Signatures are not the only way to identify that an attack is taking place on your network. Cisco IPS products also perform analysis of your standard network traffic and maintain somewhat of a baseline called a histogram. This histogram is a ratio of hosts to half-open connections. This table is maintained by the sensor and is updated on a regular basis (every 24 hours by default). While network traffic may rise over time, if the number of half-open connections increases by more than 20 percent, the sensor will become aware of this and notify the administrator that an attack such as a worm outbreak or port scanning may be taking place. The aforementioned method of detecting attacks is referred to as statistical anomaly detection. This term makes sense because we are building a profile of what is normal and then making comparisons to it. Another type of anomaly detection is nonstatistical, in which case the sensor compares the behavior of protocols on your network to the behavior expected based on how the white papers or RFCs say a protocol should behave.
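The histogram idea above, reduced to working code as an added example (not Cisco IPS code): a baseline ratio of half-open connections to active hosts is kept, the current interval is compared against it, and a rise of more than 20 percent raises an alert, with a per-host view that separates a single scanning host from a network-wide rise. The connection records are constructed.

```python
"""Statistical anomaly detection on half-open connections, modelled on the
histogram the text describes. Added example, not Cisco IPS code; the
connection records are constructed."""

from collections import Counter
from typing import List, NamedTuple, Tuple

# (src_ip, dst_ip, dst_port, state); SYN_SENT means the handshake never completed.
Record = Tuple[str, str, int, str]

RISE_THRESHOLD = 0.20  # the 20 percent figure from the text


class Histogram(NamedTuple):
    ratio: float       # half-open connections per active host
    per_host: Counter  # half-open count keyed by source host


def half_open_per_host(records: List[Record]) -> Counter:
    """Number of half-open connections originated by each host."""
    return Counter(src for src, _dst, _port, state in records if state == "SYN_SENT")


def build_histogram(records: List[Record]) -> Histogram:
    """Baseline for one interval: half-open-to-host ratio plus the per-host counts."""
    per_host = half_open_per_host(records)
    hosts = {src for src, *_ in records}
    ratio = sum(per_host.values()) / len(hosts) if hosts else 0.0
    return Histogram(ratio, per_host)


def detect_anomaly(baseline: Histogram, records: List[Record],
                   threshold: float = RISE_THRESHOLD) -> List[str]:
    """Compare the current interval against the baseline; return alert strings."""
    current = build_histogram(records)
    alerts: List[str] = []
    if current.ratio > baseline.ratio * (1 + threshold):
        # Network-wide rise: many hosts opening connections that never
        # complete is what a worm outbreak looks like.
        alerts.append(f"half-open ratio {current.ratio:.2f} exceeds baseline "
                      f"{baseline.ratio:.2f} by more than {threshold:.0%}")
    for host, count in current.per_host.items():
        base = baseline.per_host.get(host, 0)
        if count > max(base, 1) * (1 + threshold):
            # One host doing it alone looks like a port scan.
            alerts.append(f"{host}: {count} half-open connections (baseline {base})")
    return alerts


# Constructed traffic: a quiet baseline, then one host probing a server.
BASELINE_RECORDS: List[Record] = [
    ("10.1.1.10", "10.2.2.5", 80, "ESTABLISHED"), ("10.1.1.10", "10.2.2.5", 443, "SYN_SENT"),
    ("10.1.1.11", "10.2.2.5", 80, "ESTABLISHED"), ("10.1.1.11", "10.2.2.6", 25, "SYN_SENT"),
    ("10.1.1.12", "10.2.2.5", 80, "ESTABLISHED"), ("10.1.1.12", "10.2.2.7", 22, "SYN_SENT"),
    ("10.1.1.13", "10.2.2.5", 80, "ESTABLISHED"), ("10.1.1.13", "10.2.2.5", 8080, "SYN_SENT"),
]
CURRENT_RECORDS: List[Record] = BASELINE_RECORDS[:6] + [
    ("10.1.1.13", "10.2.2.5", port, "SYN_SENT") for port in (21, 22, 23, 25, 80, 110)
]

if __name__ == "__main__":
    for alert in detect_anomaly(build_histogram(BASELINE_RECORDS), CURRENT_RECORDS):
        print(alert)
```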
An IDS works in what is referred to as promiscuous mode. The sensor receives a copy of each packet. If you were to look at the network topology, the sensor is not directly in the path of the packet, but off to the side. With a standalone sensor (for instance, a 4200 series product), a switch is generally configured with a Switched Port Analyzer (SPAN) port that will mirror traffic from one port on the switch to another. In other words, duplicate packets are forwarded to a second port, strictly for analysis. If an IDS identifies a packet that is malicious, it performs a few different actions, but it cannot drop the packet. By the time the IDS receives a copy of a packet, the target host also receives a copy of the malicious packet at the same time. In real-world terms, it is like a parking lot security guard watching from the roof. The security guard watches a girl pull up in a car, throw a brick through your car window, and then drive away. He can tell you all about the incident, but your window is still broken.
Let's now look at how an IPS differs from an IDS. You see, an IPS works inline. Yes, inline is the keyword here. The IPS sensor is in the forwarding path between the source and destination. Therefore, if the sensor identifies traffic that is deemed malicious, it has the capability to drop the packet, and that packet will never reach the intended destination. In other words, if the parking lot security guard is in the parking lot, where he belongs, and he sees a crazed woman drive into the parking lot, he can stop her before she reaches your car with the brick.
Dropping packets is most effective when implemented with atomic signatures. It is possible that if an elaborate exploit is detected using a TCP stream signature, the damage may be already done.
[Figure: Promiscuous Mode / IPS]
Now let's look at this realistically. How does an IDS or IPS identify an attack? Most of the time (in fact, 99 percent of the time), it is based on a signature. Well, where do these signatures come from?
1. Vulnerability is announced publicly (1 day).
2. An exploit is written for this vulnerability (0 to 24 hours).
3. A patch is written for your operating system by a third party or the open source community (2 to 5 days).
5. A signature update from your IDS/IPS vendor is released that identifies the attack (generally released within 14 to 30 days, if ever).
Based on this timeline, does an IPS stop the attack inline? Chances are, probably not. Your new shiny IPS will watch this new cutting-edge attack go by just like the IDS will. The timeline in the preceding list is not the protocol or standard, but it is an estimate based on what I have seen in the security world over the past several years. Exceptions apply, however. Sometimes the vendors are quick. Sometimes custom signatures can be created and deployed before the operating system patch is released. However, consider an attacker who is using attacks that have not been publicly disclosed. In such a scenario, the chance of detection is minimal. Although network IDS/IPS solutions are good, try to remain realistic about their capabilities and remember that they work best when paired with a host-based IPS solution such as Cisco Security Agent.
One thing to consider when deploying an IDS/IPS solution is the amount of traffic that the sensor can analyze. It is possible to overwhelm the sensor with too much information. A good rule of thumb when deploying an IPS is to analyze the parts of the network where attacks are most likely to exist, such as the outside interface and the demilitarized zone (DMZ) interface. The majority of the traffic that the ASA handles may be coming from the inside interface, which is the least likely to contain malicious content.
Software Bypass
The software bypass feature refers to the condition in which inspection is not possible because of hardware or software failure. There are two different configurations to consider: fail open and fail closed. In the event of failure of an IPS or CSC module, what should the ASA do with the traffic that is to be inspected? If the sensor is configured to "fail open," the traffic should be forwarded through the security appliance without IPS or CSC inspection. This is less secure but provides for a more resilient network. Keep in mind that all the other protections of the security appliance are still in effect. If the security appliance is configured to "fail closed," in the event of hardware or software failure of the IPS/CSC module, any traffic analyzed by those modules will cease to pass. This is a more secure mode of operation but will obviously affect network connectivity in an adverse way. Fail open and fail closed are applicable only when the module is configured for inline operation. This setting is not used for promiscuous operation.
Sensor Initialization
You can begin configuring the sensor by first verifying that it is operating properly. You can do so from the CLI by using the show module 1 details command:
hostname# show module 1 details
Getting details from the Service Module, please wait...
ASA 5500 Series Security Services Module-10
Model:              ASA-SSM-10
Hardware version:   1.0
Serial Number:      JAF10000009
Firmware version:   1.0(11)2
Software version:   6.1(1)E1
MAC Address Range:  0018.b9b1.56c8 to 0018.b9b1.56c8
App. name:          IPS
App. Status:        Up
App. Status Desc:
App. version:       6.1(1)E1
Data plane Status:  Up
Status:             Up
Mgmt IP addr:       10.10.1.66
Mgmt web ports:     443
Mgmt TLS enabled:   true
...
In the preceding output, notice that the model of hardware is an ASA-SSM-10. You can also see a firmware version and software version. To access the sensor, you need to take note of the management IP address and port number. Also notice that TLS is enabled, which is required for secure management access to the sensor's command and control interface.
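As an added example (not Cisco code), the following parses the show module 1 details output into fields and applies the checks this section calls out: the management address, port and TLS flag needed to reach the sensor, the Up status fields, and a blank Software version, which the text below says indicates a corrupt or missing operating system. The sample output is constructed to mirror the fields shown above.

```python
"""Parser and sanity checks for `show module 1 details` output, as an
added example (not Cisco code). SAMPLE_OK is constructed to mirror the
fields in the chapter's output."""

import re
from typing import Dict, List

# "Field name: value" lines; the value may be empty (App. Status Desc: is blank).
FIELD_RE = re.compile(r"^([A-Za-z][A-Za-z. ]*?):\s*(.*)$")


def parse_show_module(output: str) -> Dict[str, str]:
    """Map each 'Field: value' line to a dict; lines without a field are skipped."""
    fields: Dict[str, str] = {}
    for line in output.splitlines():
        match = FIELD_RE.match(line.strip())
        if match:
            fields[match.group(1).strip()] = match.group(2).strip()
    return fields


def management_url(fields: Dict[str, str]) -> str:
    """URL of the sensor's command and control interface from the parsed fields."""
    scheme = "https" if fields.get("Mgmt TLS enabled", "").lower() == "true" else "http"
    return f"{scheme}://{fields.get('Mgmt IP addr', '')}:{fields.get('Mgmt web ports', '')}"


def check_module(fields: Dict[str, str]) -> List[str]:
    """Findings an administrator would act on before configuring the sensor."""
    findings: List[str] = []
    if not fields.get("Software version"):
        findings.append("Software version is blank: OS corrupt or missing, recover the image")
    for key in ("Status", "App. Status", "Data plane Status"):
        if fields.get(key, "").lower() != "up":
            findings.append(f"{key} is '{fields.get(key, '')}', expected Up")
    if fields.get("Mgmt TLS enabled", "").lower() != "true":
        findings.append("Mgmt TLS enabled is not true: management access would be unencrypted")
    if not fields.get("Mgmt IP addr"):
        findings.append("No management IP address: manage the sensor via session or ASDM")
    return findings


SAMPLE_OK = """\
hostname# show module 1 details
Getting details from the Service Module, please wait...
ASA 5500 Series Security Services Module-10
Model:              ASA-SSM-10
Hardware version:   1.0
Serial Number:      JAF10000009
Firmware version:   1.0(11)2
Software version:   6.1(1)E1
App. name:          IPS
App. Status:        Up
App. Status Desc:
App. version:       6.1(1)E1
Data plane Status:  Up
Status:             Up
Mgmt IP addr:       10.10.1.66
Mgmt web ports:     443
Mgmt TLS enabled:   true
"""
# Same module with the software image missing: the version field comes back empty.
SAMPLE_CORRUPT = SAMPLE_OK.replace("Software version:   6.1(1)E1", "Software version:")

if __name__ == "__main__":
    for sample in (SAMPLE_OK, SAMPLE_CORRUPT):
        parsed = parse_show_module(sample)
        print(management_url(parsed), check_module(parsed) or "no findings")
```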
In the event that you have a corrupt or missing operating system, the output would differ and the Software Version field will be blank. To recover the operating system, you must follow these steps:
1. In the event that there is not an IP address assigned to the SSM, you will not be able to manage it remotely, and must access it from the CLI or from the appropriate tab within ASDM.
2. When initializing the sensor, you will also want to verify the time and date of the sensor, because having accurate time stamps on event notifications is critical for correlation and analysis. You can synchronize using the time from the ASA itself or an NTP server.
3. The final step of configuration is to add your license codes. The AIP module requires a license to perform signature updates, whereas the CSC module requires a Base License or Plus License to implement the corresponding features.
In the event of corrupt software, you will need to recover the software image from a remote server, as follows:
1. Configure a TFTP server with the AIP/CSC image.
2. On the ASA, configure the location of the TFTP server using the following command:
hw-module module slot recover configure
3. The previous command will bring you to a configuration dialog where you will define the following parameters:
Note
Use the debug module command to watch the details of the recovery process.
Sensor Configuration
After the sensor software has been restored (if necessary), you can begin configuration of the sensor. This can be done from the CLI or using ASDM. To connect to the sensor through the ASA console (or vty), use the session 1 command. Doing so moves your shell environment from the ASA configuration to SSM configuration. This is sometimes referred to as a reverse Telnet:
ASA5510# session 1
Opening command session with slot 1.
Connected to slot 1. Escape character sequence is 'CTRL-^X'.
login: cisco
Password: ********
This product contains cryptographic features and is subject to United States and local country laws governing import, export, transfer and use. Delivery of Cisco cryptographic products does not imply third-party authority to import, export, distribute or use encryption. Importers, exporters, distributors and users are responsible for compliance with U.S. and local country laws. By using this product you agree to comply with applicable laws and regulations. If you
http://www.cisco.com/wwl/export/crypto/tool/stqrg.html
If you require further assistance please contact us by sending email to export@cisco.com.
***LICENSE NOTICE***
There is no license key installed on the SSM-IPS10. The system will continue to operate with the currently installed signature set. A valid license must be obtained in order to apply signature updates. Please go to http://www.cisco.com/go/license to obtain a new license or install a license.
sensor#
The first thing that you will encounter in the SSM environment is a login prompt. The default username is cisco, with a password of cisco. When you log in, you are asked to change your password. From this point, you can perform most of the administration tasks. However, the GUI interface provides a much more effective environment for management. Generally, when you first access any IDS sensor, whether it is the AIP-SSM, 4200 series sensor, or IDSM-2, you will run the setup script from the CLI. The setup script walks you through the basic configuration of the sensor. As of IPS Version 5.0, the sensor has switched from TCP Wrappers and a default access list of permit 10.0.0.0/8 to IP Tables and a default of deny all for remote access:
--- Basic Setup ---
--- System Configuration Dialog ---
'?' for help.
User ctrl-c to abort configuration dialog at any prompt.
Default settings are in square brackets '[]'.
Enter host name[sensor]:
Enter IP interface[10.2.2.33/24,10.2.2.1]:
Modify current access list?[no]:
Modify system clock settings?[no]:
The following configuration was entered.
service host
network-settings
host-ip 10.2.2.33/24,10.2.2.1
host-name sensor
telnet-option disabled
access-list 10.2.2.0/24
ftp-timeout 300
no login-banner-text
[1] Return to setup without saving this config.
[2] Save this configuration and exit setup.
[3] Continue to Advanced setup.
After an IP address has been defined, and you have added the administrator's workstation to the access list, you are ready to log in to the AIP-SSM with the GUI.
First log in to the ASDM GUI, and then select Configuration > IPS. When you click this hyperlink, ASDM will open a new window. A notification from ASDM will tell you about the new connection. Click Continue to move forward.
When you click Continue, ASDM will load data from the IPS sensor.
After data has finished loading, you will see a picture of a security appliance and security services module. In this diagram, the management ports have been highlighted. Notice there is an ASA management port and an SSM management port. In my experience, I have needed separate IP addresses to perform both functions (ASDM / AIP-SSM). Notice that there is a wizard here that we can launch to begin passing traffic to the SSM.
When you click the Launch Startup Wizard button, the wizard brings you to a sensor setup page. This page can be used to define the hostname, IP address, subnet mask, and default gateway. You can also manage access lists from this screen. Remember, when configuring IDS products the term access list refers to administrative access, or access to the device, as opposed to traffic through the device. You can also set the time, date, time zone, daylight savings time, and an NTP server.
After you have configured, or verified, the basic configuration information of the SSM, you can define the traffic flows.
By clicking the Add button on the right side, you can define the traffic flow for analysis. First, specify the interface, source IP address, destination IP address, destination port number (service), and then possibly a description. These parameters are then followed by how analysis should be performed (inline or promiscuous) and what should happen to this traffic if the sensing process should fail (fail open or fail closed).
After rules have been added, the window will be populated, and you can see an animation displaying the path of the packet. If everything looks appropriate, click Finish.
Further configuration of the modules is beyond the scope of this Quick Reference.
Feedback Information
At Cisco Press, our goal is to create in-depth technical books of the highest quality and value. Each book is crafted with care and precision, undergoing rigorous development that involves the unique expertise of members of the professional technical community. Reader feedback is a natural continuation of this process. If you have any comments on how we could improve the quality of this digital Short Cut, or otherwise alter it to better suit your needs, you can contact us through e-mail at feedback@ciscopress.com. Please be sure to include the digital Short Cut title and ISBN in your message.
All rights reserved. No part of this digital Short Cut may be reproduced or transmitted in any form or by any means, electronic or mechanical, including photocopying, recording, or by any information storage and retrieval system, without written permission from the publisher, except for the inclusion of brief quotations in a review.
First Digital Edition February 2009 ISBN-10: 1-58705-877-4 ISBN-13: 978-1-58705-877-6
The information is provided on an "as is" basis. The author, Cisco Press, and Cisco Systems, Inc. shall have neither liability nor responsibility to any person or entity with respect to any loss or damages arising from the information contained in this digital Short Cut. The opinions expressed in this digital Short Cut belong to the authors and are not necessarily those of Cisco Systems, Inc.
Trademark Acknowledgments
All terms mentioned in this digital Short Cut that are known to be trademarks or service marks have been appropriately capitalized. Cisco Press or Cisco Systems, Inc. cannot attest to the accuracy of this information. Use of a term in this digital Short Cut should not be regarded as affecting the validity of any trademark or service mark.