Mettre en oeuvre la sécurité

avec les FIREWALLS Cisco

ASA – Fonctionnalités de base
Douala, 7-11 Octobre 2019

Joël NGUINA
Executive MBA Management Stratégique
CCNP, CEH, LPIC2, PMP & MTCNA Certified

© 2010 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 1
 Les bases du Cisco ASA Firewall

Fonctionnalités réseau

Configuration des règles de filtrage

Les VPN

Haute disponibilité et virtualisation

© 2011 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 2
• Adaptive Security Appliance - Développé par Cisco en 2005 est
une solution firewall dédiée (All-in-One solution)
 Firewall
 VPN concentrator
 IPS

• Fonctionnalités avancées
 Virtual Firewalling
 Transparent/Routed mode
 High Availability
 Advanced Threat Control (AIP-SSM, AIP-SSC modules)
 Identity Firewall

© 2011 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 3
© 2011 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 4
 • Entre 2 réseaux
Joue le rôle de la police des frontières, se place avant l’IPS

• Filtre le trafic.

© 2011 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 5
 • surveille l’état des connexions
Initiation, transfert des données, fin de communication

• Détecte un comportement anormal qui indique une attaque ou un

exploit.

© 2011 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 6
 “DMZ “
Security Level 50

“outside” “inside”
Security Level 0 Security Level 100
E0/2
E0/1
Internet
E0/3

• Certaines connexions seulement sont inspectées

• L’administrateur configure le niveau de sécurité de chaque interface

© 2011 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 7

- Le paquet est reçu sur l’interface
inside
- L’ACL entrant est appliqué et si le
NAT est configuré, l’opération inside
NAT est effectuée
- The packet comes back on the outside
interface
- inbound ACLs are applied
* if the packet is permitted by the ACL,
the state table isn’t checked and the
below next step is
- the state table is checked for a state
object that matches the information
contained in the returning packet; if the
match is not done, the packet is
dropped 3 5
© 2011 Cisco and/or its affiliates. All rights reserved.
- ASA randomisez the initial sequence
number of the connection
- the ASA creates a state object in memory
retaining layer 3 and layer 4 information
from the packet
1 - The connection is marked as embryonic
2
- the ASA checks the ACK nr in the
packet relative to the SN that is
overwritten in the second step
- if the packet is legitimate, the ASA
sets the ACK to ISN+1 to match the
TCP information on the host
4
- the hosts responds with an ACK
- the ACK number is not randomized
- the connection is changed to active-
established and the embryonic counter
is reset for that state object
Cisco Confidential 8
• Routed-mode
• ASA est un équipement de niveau 3
• Toutes les fonctionnalités et capacités de ASA sont activées

• Transparent-mode
• ASA est un équipement de couche 2 (on a des vlans plutôt que des sous-
réseaux)
• possède une adresse ip de management pour les connexions distantes
• est invisible par tout attaquant à partir de internet
• certaines fonctionnalités sont désactivées : le routage, les VPN, QoS, DHCP
Relay.

© 2011 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 9
• Plusieurs LEDs
 Speed and link activity LEDs
 Power LED
 Status LED
 Active LED
 VPN LED
 Security Services Card (SSC) LED

© 2011 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 10
• 8-port switch 10/100 Fast Ethernet.

• Trois ports USB.

• Un slot Security Service Card (SSC) pour une éventuelle extension. On peut y
mettre carte Cisco Advanced Inspection and Prevention Security Services Card
(AIP-SSC).

© 2011 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 11
© 2011 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 12
 • Structure modulaire identique à ios
mode non privilégié
Droit limité
mode privilégié
Pour les commandes show principalement
configuration global
Pour les config générales (e.g mot de passe, routage… etc)
Configuration specifique
Pour les configurations avancées (firewall, VPN, routage etc)

• Aide est la même

ciscoasa > ?

enable Turn on privileged commands

© 2011 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 13
 ciscoasa>enable 15
Password:
ciscoasa#configure terminal
ciscoasa(config)#interface fa0/1
ciscoasa(config-if)#exit
ciscoasa(config)#exit
ciscoasa#exit
ciscoasa>

© 2011 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 14
 ciscoasa > ?

enable Turn on privileged commands

exit Exit the current command mode

login Log in as a particular user

logout Exit from current user profile to unprivileged mode

perfmon Change or view performance monitoring options

ping Test connectivity from specified interface to an IP

address

quit Exit the current command mode

ciscoasa > help enable

USAGE:

enable [<priv_level>]

DESCRIPTION:

enable Turn on privileged commands

© 2011 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 15
 • Effacer la config existante…
startup-config running- config

Flash RAM

Deleting configurations

ciscoasa# clear configure all

ciscoasa# write erase

© 2011 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 16
 • Les sauvegardes!
startup-config running- config
ciscoasa# show running
ciscoasa# show startup Flash RAM

Salvarea configurației

ciscoasa# copy running startup

ciscoasa# write mem
ciscoasa# wr

© 2011 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 17
 • Elle n’existe pas sur IOS( routeurs et switchs)
• Permet de supprimer une config specifiques de la RAM

ciscoasa(config)# show running-config | include isakmp

isakmp enable outside
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400

ciscoasa(config)# clear configure isakmp

ciscoasa(config)# show running-config | include isakmp

© 2011 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 18
 • Configurer le hostname

ciscoasa(config)# hostname ipd

ipd(config)#

• Configurer le mot de passe telnet

ipd(config)# passwd cisco

• Configurer le mdp du mode privilégié.

ipd(config)# enable password cisco

ipd# sh run | i pass
enable password 2KFQnbNIdI.2KYOU encrypted
passwd 2KFQnbNIdI.2KYOU encrypted

© 2011 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 19
 • La définition de niveau de sécurité sur des
interfaces est un préalable aux échanges.

• Les Packets sont inspectés quand ils partent d’une interface à niveau de
sécurité élevé vers une interface moins élévée
• Les paquets qui partent d’une interface à niveau de sécurité bas vers une
interface élevée sont supprimés à moins qu’une exception formelle les y
autorise.
• Chaque interface a également besoin d’être nommée,

© 2011 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 20
 “DMZ “
Security Level 50

“outside” “inside”
Security Level 0 Security Level 100
E0/2
E0/1
Internet
E0/3

• Se configure en mode interface (config-if)#

© 2011 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 21
 • Une interface ASA sans nom et sans niveau de sécurité n'a pas
de connectivité de couche 3
“DMZ “
Security Level 50

“outside” “inside”
Security Level 0 Security Level 100
E0/2
E0/1
Internet
E0/3

ciscoasa(config)# interface e0/1

ciscoasa(config-if)# nameif inside
INFO: Security level for "inside" set to 100 by default.
ciscoasa(config-if)# ip address 192.168.1.1 255.255.255.0

© 2011 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 22
 • La commande security-level
“DMZ “
Security Level 50

“outside” “inside”
Security Level 0 Security Level 100
E0/2
E0/1
Internet
E0/3

ciscoasa(config)#interface e0/1
ciscoasa(config-if)#nameif DMZ
INFO: Security level for "DMZ" set to 0 by default.
ciscoasa(config-if)#security-level 50
ciscoasa(config-if)#ip address 192.168.2.1 255.255.255.0
ciscoasa(config-if)#no shutdown

© 2011 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 23
 • doit être formellement autorisé

ciscoasa(config)# telnet 10.10.0.0 255.255.255.0 inside

ciscoasa(config)# telnet timeout 10
ciscoasa(config)# passwd cisco123

• Le mdp par defaut est “cisco”

• L'accès telnet par l'interface outside (security-level 0) n'est pas permis sauf
s'il provient d'un tunnel IPSEC
• Surveillance des connexions

ciscoasa# who
0: 10.10.0.132
ciscoasa# kill 0
ciscoasa# who

© 2011 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 24
 • Permis sur tous les interfaces
• étape 1: génération des clés
ciscoasa(config)# crypto key generate rsa modulus 1024
WARNING: You have a RSA keypair already defined named
<Default-RSA-Key>.
Do you really want to replace them? [yes/no]: yes
Keypair generation process begin. Please wait...

• étape 2: activer SSH

ciscoasa(config)# ssh 141.85.37.0 255.255.255.0 outside
ciscoasa(config)# ssh version 2
ciscoasa(config)# ssh timeout 10

• Par defaut, le user est “pix” le mdp est configuré avec la

commande passwd

© 2011 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 25
 • Configuring a specific interface
asa1# show run interface E0/3
interface Ethernet0/3
speed 10
duplex full
nameif outside
security-level 0
ip address 192.168.3.1 255.255.255.0

• interface et security levels

asa1# show nameif

Interface Name Security
GigabitEthernet0/0 outside 0
GigabitEthernet0/1 inside 100
GigabitEthernet0/2 dmz 50

© 2011 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 26
 • Paramètres d'interface
asa1# show interface
Interface GigabitEthernet0/0 "outside", is up, line protocol is up
Hardware is i82546GB rev03, BW 1000 Mbps
Full-Duplex(Full-duplex), 100 Mbps(100 Mbps)
MAC address 0013.c482.2e4c, MTU 1500
IP address 192.168.1.2, subnet mask 255.255.255.0
8 packets input, 1078 bytes, 0 no buffer
Received 8 broadcasts, 0 runts, 0 giants
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
0 L2 decode drops
0 packets output, 0 bytes, 0 underruns
0 output errors, 0 collisions
0 late collisions, 0 deferred
input queue (curr/max blocks): hardware (8/0) software (0/0)
output queue (curr/max blocks): hardware (0/0) software (0/0)
Traffic Statistics for "outside":
8 packets input, 934 bytes
0 packets output, 0 bytes
8 packets dropped
1 minute input rate 0 pkts/sec, 0 bytes/sec
1 minute output rate 0 pkts/sec, 0 bytes/sec
1 minute drop rate, 0 pkts/sec

© 2011 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 27
 • Avec IOS on utilise
show ip interface brief

Pour avoir les infos brèves de L2 et L3 d'une interface

• Avec ASA, on a
show interface ip brief

ciscoasa(config)# sh int ip br
Interface IP-Address OK? Method Status Protocol
Ethernet0/0 192.168.1.1 YES manual up up
Ethernet0/1 10.10.1.1 YES manual up up

 28
© 2011 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 28
 • Avec l'IOS on utilisait "do" pour passer une commande show
en mode specifique
R1(config)#do show clock
*15:08:07.867 UTC Thu Feb 17 2011

• “do” n'existe pas chez ASA OS

ciscoasa(config-if)# sh clock
15:54:01.139 UTC Thu Feb 17 2011

• On utilise“|” pour filtrer and the arguments:“i”, “b”, “grep”

© 2011 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 29
 ASA
R1 e0/0 e0/0
R2
G0 G1

outside
inside

© 2010 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 30
Thank you.