
Implementing security

with Cisco FIREWALLS


ASA – Basic features
Douala, 7-11 October 2019

Joël NGUINA
Executive MBA in Strategic Management
CCNP, CEH, LPIC2, PMP & MTCNA Certified

© 2010 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 1
Cisco ASA Firewall basics

Network features

Configuring filtering rules

VPNs

High availability and virtualization

• Adaptive Security Appliance - Developed by Cisco in 2005, it is a dedicated firewall solution (all-in-one solution)
 Firewall
 VPN concentrator
 IPS

• Advanced features
 Virtual Firewalling
 Transparent/Routed mode
 High Availability
 Advanced Threat Control (AIP-SSM, AIP-SSC modules)
 Identity Firewall

• Between 2 networks
Plays the role of border police; sits in front of the IPS

• Filters traffic.

• monitors the state of connections
Initiation, data transfer, end of communication

• Detects abnormal behaviour that indicates an attack or an exploit.

[Figure: ASA with three interfaces (E0/1, E0/2, E0/3): "outside" towards the Internet with security level 0, "inside" with security level 100, "DMZ" with security level 50]

• Only certain connections are inspected

• The administrator configures the security level of each interface

• A TCP connection through the ASA, step by step (originally a numbered diagram):

1 - The packet is received on the inside interface; the inbound ACL is applied and, if NAT is configured, the NAT operation is performed.
2 - The ASA randomises the initial sequence number of the connection, creates a state object in memory retaining the layer 3 and layer 4 information from the packet, and marks the connection as embryonic.
3 - The packet comes back on the outside interface and the inbound ACLs are applied. If the packet is permitted by the ACL, the state table isn't checked and the next step follows; otherwise the state table is checked for a state object that matches the information contained in the returning packet, and if no match is found the packet is dropped.
4 - The ASA checks the ACK number in the packet relative to the sequence number that was overwritten in step 2; if the packet is legitimate, the ASA sets the ACK to ISN+1 to match the TCP information on the host.
5 - The host responds with an ACK; the ACK number is not randomised. The connection is changed to active/established and the embryonic counter is reset for that state object.
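The five steps above, played out on a toy model of the ASA's state table. This is an added illustration, not Cisco code: the Packet and StateObject classes, the ToyASA class, the fixed random seed and the sample addresses are constructed here, and the ACL check of step 3 is left out so that only the state tracking and the sequence-number handling are shown.

```python
"""Toy model of how the ASA tracks a TCP three-way handshake (added illustration,
not Cisco code). It follows the steps on the slide: a state object is created for
the first packet, the initial sequence number (ISN) is randomised, the connection
is marked embryonic, returning packets must match a state object and acknowledge
the randomised ISN, and the host's final ACK makes the connection established.
Packet/StateObject/ToyASA and the sample addresses are constructed here; the
ACL step of the slide is left out so that only the state tracking is shown."""
import random
from dataclasses import dataclass

MOD = 2 ** 32  # TCP sequence numbers wrap at 32 bits


@dataclass
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    seq: int
    ack: int
    flags: str    # "SYN", "SYN-ACK" or "ACK" (enough for the handshake)
    ingress: str  # interface the packet arrives on: "inside" or "outside"


@dataclass
class StateObject:
    key: tuple     # (src, sport, dst, dport) of the initiating host: the L3/L4 info kept
    host_isn: int  # ISN chosen by the inside host
    asa_isn: int   # randomised ISN that the outside peer sees instead
    state: str = "embryonic"

    @property
    def delta(self):
        return (self.asa_isn - self.host_isn) % MOD


class ToyASA:
    def __init__(self, seed=None):
        self.rng = random.Random(seed)
        self.table = {}           # state table, keyed by the initiator's 4-tuple
        self.embryonic_count = 0  # half-open connections currently tracked

    def process(self, pkt):
        """Return the packet as it is forwarded (rewritten if needed), or None if dropped."""
        if pkt.ingress == "inside":
            return self._from_inside(pkt)
        return self._from_outside(pkt)

    def _from_inside(self, pkt):
        key = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        if pkt.flags == "SYN" and key not in self.table:
            # steps 1-2: new connection -> state object, random ISN, embryonic
            self.table[key] = StateObject(key, pkt.seq, self.rng.randrange(MOD))
            self.embryonic_count += 1
        so = self.table.get(key)
        if so is None:
            return None  # no state object: dropped (no ACL shortcut in this model)
        # the host's own sequence numbers are shifted; its ACK number is not randomised
        fwd = Packet(pkt.src, pkt.sport, pkt.dst, pkt.dport,
                     (pkt.seq + so.delta) % MOD, pkt.ack, pkt.flags, pkt.ingress)
        if pkt.flags == "ACK" and so.state == "embryonic":
            # step 5: handshake complete -> established, embryonic counter reset
            so.state = "established"
            self.embryonic_count -= 1
        return fwd

    def _from_outside(self, pkt):
        # step 3: a returning packet must match an existing state object
        key = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
        so = self.table.get(key)
        if so is None:
            return None
        # step 4: the SYN-ACK must acknowledge the randomised ISN (ISN+1)
        if pkt.flags == "SYN-ACK" and pkt.ack != (so.asa_isn + 1) % MOD:
            return None
        # undo the randomisation so the ACK matches what the host actually sent
        return Packet(pkt.src, pkt.sport, pkt.dst, pkt.dport,
                      pkt.seq, (pkt.ack - so.delta) % MOD, pkt.flags, pkt.ingress)


def run_handshake(seed=7):
    """Drive one handshake through the toy ASA.
    Returns (connection state, ACK number delivered to the host, embryonic count)."""
    asa = ToyASA(seed)
    h, s = "192.168.1.10", "203.0.113.5"  # constructed inside host / outside server
    syn = asa.process(Packet(h, 40000, s, 80, 1000, 0, "SYN", "inside"))
    synack = asa.process(Packet(s, 80, h, 40000, 5000, (syn.seq + 1) % MOD, "SYN-ACK", "outside"))
    asa.process(Packet(h, 40000, s, 80, 1001, 5001, "ACK", "inside"))
    so = asa.table[(h, 40000, s, 80)]
    return so.state, synack.ack, asa.embryonic_count


if __name__ == "__main__":
    print(run_handshake())  # ('established', 1001, 0)
```

The point to take from the model is the pair of rewrites: the host's sequence numbers are shifted by a per-connection random offset on the way out, and acknowledgements are shifted back on the way in, so the inside host never notices the randomisation while an outside peer that guesses the host's real ISN cannot produce an acceptable SYN-ACK.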

• Routed mode
• The ASA is a layer 3 device
• All ASA features and capabilities are enabled

• Transparent mode
• The ASA is a layer 2 device (VLANs rather than subnets)
• has a management IP address for remote connections
• is invisible to any attacker from the Internet
• some features are disabled: routing, VPNs, QoS, DHCP Relay.

• Several LEDs
 Speed and link activity LEDs
 Power LED
 Status LED
 Active LED
 VPN LED
 Security Services Card (SSC) LED

• 8-port 10/100 Fast Ethernet switch.

• Three USB ports.

• One Security Service Card (SSC) slot for optional expansion. It can take a Cisco Advanced Inspection and Prevention Security Services Card (AIP-SSC).

• Modular structure identical to IOS
unprivileged mode: limited rights
privileged mode: mainly for show commands
global configuration: for general settings (e.g. password, routing, etc.)
specific configuration: for advanced settings (firewall, VPN, routing, etc.)

• Help is the same


ciscoasa > ?

enable Turn on privileged commands

ciscoasa>enable 15
Password:
ciscoasa#configure terminal
ciscoasa(config)#interface fa0/1
ciscoasa(config-if)#exit
ciscoasa(config)#exit
ciscoasa#exit
ciscoasa>

ciscoasa > ?

enable Turn on privileged commands

exit Exit the current command mode

login Log in as a particular user

logout Exit from current user profile to unprivileged mode

perfmon Change or view performance monitoring options

ping Test connectivity from specified interface to an IP address

quit Exit the current command mode

ciscoasa > help enable

USAGE:

enable [<priv_level>]

DESCRIPTION:

enable Turn on privileged commands

• Erasing the existing configuration…
(startup-config is stored in Flash, running-config in RAM)

Deleting configurations

ciscoasa# clear configure all

ciscoasa# write erase

• Backups!
(startup-config is stored in Flash, running-config in RAM)
ciscoasa# show running
ciscoasa# show startup

Saving the configuration

ciscoasa# copy running startup


ciscoasa# write mem
ciscoasa# wr

• It does not exist on IOS (routers and switches)
• Lets you remove a specific part of the configuration from RAM

ciscoasa(config)# show running-config | include isakmp


isakmp enable outside
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400

ciscoasa(config)# clear configure isakmp


ciscoasa(config)# show running-config | include isakmp

• Configure the hostname

ciscoasa(config)# hostname ipd


ipd(config)#

• Configure the telnet password


ipd(config)# passwd cisco

• Configure the privileged-mode password.

ipd(config)# enable password cisco


ipd# sh run | i pass
enable password 2KFQnbNIdI.2KYOU encrypted
passwd 2KFQnbNIdI.2KYOU encrypted

• Defining a security level on the interfaces is a prerequisite for any exchange.

• Packets are inspected when they go from an interface with a high security level to an interface with a lower one
• Packets going from an interface with a low security level to an interface with a higher one are dropped unless an explicit exception authorises them.
• Each interface also needs to be named.


• Configured in interface mode (config-if)#

• An ASA interface without a name and without a security level has no layer 3 connectivity

ciscoasa(config)# interface e0/1


ciscoasa(config-if)# nameif inside
INFO: Security level for "inside" set to 100 by default.
ciscoasa(config-if)# ip address 192.168.1.1 255.255.255.0

• The security-level command

ciscoasa(config)#interface e0/1
ciscoasa(config-if)#nameif DMZ
INFO: Security level for "DMZ" set to 0 by default.
ciscoasa(config-if)#security-level 50
ciscoasa(config-if)#ip address 192.168.2.1 255.255.255.0
ciscoasa(config-if)#no shutdown

• must be explicitly authorised

ciscoasa(config)# telnet 10.10.0.0 255.255.255.0 inside


ciscoasa(config)# telnet timeout 10
ciscoasa(config)# passwd cisco123

• The default password is “cisco”

• Telnet access through the outside interface (security-level 0) is not permitted unless it comes from an IPsec tunnel
• Monitoring connections

ciscoasa# who
0: 10.10.0.132
ciscoasa# kill 0
ciscoasa# who

• Allowed on all interfaces
• step 1: key generation
ciscoasa(config)# crypto key generate rsa modulus 1024
WARNING: You have a RSA keypair already defined named
<Default-RSA-Key>.
Do you really want to replace them? [yes/no]: yes
Keypair generation process begin. Please wait...

• step 2: enable SSH


ciscoasa(config)# ssh 141.85.37.0 255.255.255.0 outside
ciscoasa(config)# ssh version 2
ciscoasa(config)# ssh timeout 10

• By default, the user is “pix”; the password is configured with the passwd command
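A small audit of the remote-access settings covered on the telnet and SSH slides, as an added example (not Cisco code): it reads a configuration fragment written the way the commands are typed above and reports cleartext telnet access, SSH allowed on the outside interface, a missing `ssh version 2`, and use of the default password “cisco”. The configuration text, the weak-password list and the finding codes are constructed for the example; `outside` is taken to be the Internet-facing interface as in the deck's diagrams.

```python
"""Management-plane audit of an ASA configuration fragment (added example, not
Cisco code). The config text, the weak-password list and the finding codes are
constructed; the checks follow the telnet/SSH slides of this deck."""
import re

# constructed config fragment, written as the commands are typed on the slides
SAMPLE_CONFIG = """\
hostname ipd
passwd cisco
enable password cisco123
telnet 10.10.0.0 255.255.255.0 inside
telnet timeout 10
ssh 141.85.37.0 255.255.255.0 outside
ssh timeout 10
"""

# constructed list; "cisco" is the default password named in the deck
WEAK_PASSWORDS = {"cisco", "cisco123"}
ACCESS_RE = re.compile(r"^(telnet|ssh)\s+(\S+)\s+(\S+)\s+(\S+)$")
PASSWORD_RE = re.compile(r"^(enable password|passwd)\s+(\S+)$")


def audit_management_access(config_text):
    """Return a list of (severity, code, detail) findings for the fragment."""
    findings = []
    ssh_enabled = False
    ssh_v2 = False
    for raw in config_text.splitlines():
        line = raw.strip()
        m = ACCESS_RE.match(line)
        if m:
            proto, net, mask, ifname = m.groups()
            if proto == "telnet":
                # telnet carries the password in clear text; the deck notes the
                # ASA refuses it on the outside interface anyway
                sev = "high" if ifname == "outside" else "medium"
                findings.append((sev, "TELNET_ENABLED", f"telnet from {net}/{mask} on {ifname}"))
            else:
                ssh_enabled = True
                if ifname == "outside":
                    findings.append(("medium", "SSH_ON_OUTSIDE", f"ssh from {net}/{mask} on {ifname}"))
                if net == "0.0.0.0" and mask == "0.0.0.0":
                    findings.append(("high", "SSH_FROM_ANY", f"ssh from any host on {ifname}"))
            continue
        if line == "ssh version 2":
            ssh_v2 = True
            continue
        pw = PASSWORD_RE.match(line)
        if pw and pw.group(2) in WEAK_PASSWORDS:
            findings.append(("high", "WEAK_PASSWORD", f"'{pw.group(1)}' uses a weak or default password"))
    if ssh_enabled and not ssh_v2:
        # the deck pins the version explicitly; flag when that line is absent
        findings.append(("high", "SSH_VERSION_NOT_SET", "'ssh version 2' is not set"))
    return findings


def finding_codes(config_text):
    """Sorted finding codes only, convenient for a quick pass/fail."""
    return sorted(code for _sev, code, _detail in audit_management_access(config_text))


if __name__ == "__main__":
    for finding in audit_management_access(SAMPLE_CONFIG):
        print(finding)
```

The fragment on the slides produces four kinds of findings (telnet enabled, SSH reachable on outside, version not pinned, weak passwords); a fragment that only allows SSH from the inside network and sets `ssh version 2` comes back clean. The script matches the commands as typed, so a `show running-config` export, where passwords appear as `... encrypted`, would need the password check adapted.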

• Configuring a specific interface
asa1# show run interface E0/3
interface Ethernet0/3
speed 10
duplex full
nameif outside
security-level 0
ip address 192.168.3.1 255.255.255.0

• interfaces and security levels

asa1# show nameif


Interface Name Security
GigabitEthernet0/0 outside 0
GigabitEthernet0/1 inside 100
GigabitEthernet0/2 dmz 50
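The security-level rule stated earlier in the deck (higher to lower passes and is inspected, lower to higher is dropped unless an explicit exception permits it), applied to the `show nameif` output above. This is an added example, not Cisco code: the parser reads the slide's output, the ACL format (a list of source network, destination network, destination port or None) is this example's own simplification, and the IP addresses are constructed.

```python
"""Default traffic policy derived from interface security levels (added example,
not Cisco code). SAMPLE_NAMEIF is the `show nameif` output from the slide; the
ACL representation and the addresses are constructed."""
import ipaddress

SAMPLE_NAMEIF = """\
Interface Name Security
GigabitEthernet0/0 outside 0
GigabitEthernet0/1 inside 100
GigabitEthernet0/2 dmz 50
"""


def parse_nameif(text):
    """Map interface name -> security level from `show nameif` output."""
    levels = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 3 and parts[2].isdigit():  # skips the header row
            levels[parts[1]] = int(parts[2])
    return levels


def acl_permits(acl, src_ip, dst_ip, dst_port):
    """First matching (src_net, dst_net, port) entry, or None."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for src_net, dst_net, port in acl:
        if (src in ipaddress.ip_network(src_net)
                and dst in ipaddress.ip_network(dst_net)
                and (port is None or port == dst_port)):
            return (src_net, dst_net, port)
    return None


def decide(levels, src_if, dst_if, src_ip, dst_ip, dst_port, acl=()):
    """Return ("permit" | "deny", reason) for a flow entering on src_if and leaving on dst_if."""
    src_lvl, dst_lvl = levels[src_if], levels[dst_if]
    if src_lvl > dst_lvl:
        return "permit", f"{src_if}({src_lvl}) -> {dst_if}({dst_lvl}): higher to lower, allowed and inspected by default"
    hit = acl_permits(acl, src_ip, dst_ip, dst_port)
    if hit is not None:
        return "permit", f"explicit exception {hit}"
    # lower to higher (and, in this model, equal levels) with no exception
    return "deny", f"{src_if}({src_lvl}) -> {dst_if}({dst_lvl}): no explicit exception"


def audit_flows(levels, flows, acl=()):
    """Verdicts for a list of (src_if, dst_if, src_ip, dst_ip, dst_port) tuples."""
    return [decide(levels, *flow, acl=acl)[0] for flow in flows]


if __name__ == "__main__":
    lv = parse_nameif(SAMPLE_NAMEIF)
    web = [("0.0.0.0/0", "192.168.2.10/32", 80)]  # constructed exception: public web server in the DMZ
    print(decide(lv, "inside", "outside", "192.168.1.10", "203.0.113.5", 443))
    print(decide(lv, "outside", "dmz", "203.0.113.5", "192.168.2.10", 80, web))
    print(decide(lv, "outside", "dmz", "203.0.113.5", "192.168.2.10", 22, web))
```

Traffic between two interfaces with the same security level is denied in this model; the real appliance has a separate setting for that case (`same-security-traffic permit inter-interface`), which the deck does not cover.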

• Interface parameters
asa1# show interface
Interface GigabitEthernet0/0 "outside", is up, line protocol is up
Hardware is i82546GB rev03, BW 1000 Mbps
Full-Duplex(Full-duplex), 100 Mbps(100 Mbps)
MAC address 0013.c482.2e4c, MTU 1500
IP address 192.168.1.2, subnet mask 255.255.255.0
8 packets input, 1078 bytes, 0 no buffer
Received 8 broadcasts, 0 runts, 0 giants
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
0 L2 decode drops
0 packets output, 0 bytes, 0 underruns
0 output errors, 0 collisions
0 late collisions, 0 deferred
input queue (curr/max blocks): hardware (8/0) software (0/0)
output queue (curr/max blocks): hardware (0/0) software (0/0)
Traffic Statistics for "outside":
8 packets input, 934 bytes
0 packets output, 0 bytes
8 packets dropped
1 minute input rate 0 pkts/sec, 0 bytes/sec
1 minute output rate 0 pkts/sec, 0 bytes/sec
1 minute drop rate, 0 pkts/sec

• With IOS you use
show ip interface brief

to get brief L2 and L3 information for an interface


• With ASA, you have
show interface ip brief

ciscoasa(config)# sh int ip br
Interface IP-Address OK? Method Status Protocol
Ethernet0/0 192.168.1.1 YES manual up up
Ethernet0/1 10.10.1.1 YES manual up up
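A parser for the `show interface ip brief` table above, as an added example (not Cisco code). The first two rows are the ones on the slide; the third row is constructed to show the one awkward case in this table, a two-word Status (“administratively down”), which is why the columns are read from the right rather than split by position. The flagging rules (no address, or line/protocol not up) are this example's own.

```python
"""Parser for `show interface ip brief` (added example, not Cisco code). Rows 1-2
are from the slide; row 3 is constructed to show a multi-word Status column."""

SAMPLE_IP_BRIEF = """\
Interface IP-Address OK? Method Status Protocol
Ethernet0/0 192.168.1.1 YES manual up up
Ethernet0/1 10.10.1.1 YES manual up up
Ethernet0/2 unassigned YES unset administratively down down
"""


def parse_ip_brief(text):
    """Return a list of dicts, one per interface row."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 6 or parts[0] == "Interface":
            continue  # blank line or header row
        name, addr, ok, method = parts[:4]
        protocol = parts[-1]
        status = " ".join(parts[4:-1])  # Status may span several words
        rows.append({"interface": name, "ip": addr, "ok": ok == "YES",
                     "method": method, "status": status, "protocol": protocol})
    return rows


def find_problems(rows):
    """Interfaces that cannot carry traffic: no address, or line/protocol not up."""
    problems = []
    for r in rows:
        if r["ip"] == "unassigned":
            problems.append((r["interface"], "no IP address"))
        elif r["status"] != "up" or r["protocol"] != "up":
            problems.append((r["interface"], f"{r['status']}/{r['protocol']}"))
    return problems


if __name__ == "__main__":
    for problem in find_problems(parse_ip_brief(SAMPLE_IP_BRIEF)):
        print(problem)
```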

 28
© 2011 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 28
• With IOS, "do" was used to run a show command from a specific configuration mode
R1(config)#do show clock
*15:08:07.867 UTC Thu Feb 17 2011

• “do” does not exist in the ASA OS

ciscoasa(config-if)# sh clock
15:54:01.139 UTC Thu Feb 17 2011

• “|” is used to filter, with the arguments “i”, “b”, “grep”

[Figure: lab topology: R1 e0/0 and R2 e0/0 connected through the ASA, whose interfaces are G0 (outside) and G1 (inside)]

Thank you.