CCSP SNAA Quick Reference
Ryan Lindfield
Your Short Cut to Knowledge

Contents
Chapter 1 Understanding Traffic Classification ............ 3
Chapter 2 VLANs ........................................... 52
Chapter 3 IPsec VPNs ...................................... 78
Chapter 4 WebVPN and Endpoint Security .................... 104
Chapter 5 Security Services Modules ....................... 141
About the Author: Ryan Lindfield is an instructor and network administrator with Boson. He has more than 10 years of network administration experience. He has taught many courses designed for CCNA, CCIW, and CCSP preparation, among others. He has written many practice exams and study guides for various networking technologies. He also works as a consultant, where among his tasks are installing and configuring Cisco routers, switches, VPNs, IDSs, and firewalls.
About the Technical Editor: David W. Chapman, CISSP-ISSAP, CCSI, CCSP is a 22-year veteran of the IT industry. He is an internationally recognized information security practitioner, instructor, and author. David has been a certified Cisco instructor since 2000. He was the first instructor in North America to teach the Cisco Secure PIX Firewall course (now SNPA). In the last seven years, David has delivered over 200 Cisco Security courses, including many custom on-site engagements to US military and commercial accounts. He has taught for Cisco's internal Associate Systems Engineer (ASE) training program in the United States and Europe. In 2001, he co-edited the first Cisco Press title on the PIX Firewall, Cisco Secure PIX Firewalls. The book was very popular and eventually translated into seven languages. In 2003, the IEEE awarded him Senior Member status for significant career achievement. David divides his time between his consulting practice and teaching Cisco security courses for Fast Lane, Consulting and Education Services, Inc.
© 2009 Cisco Systems Inc. All rights reserved. This publication is protected by copyright. Please see page 181 for more details.
CHAPTER 1
Understanding Traffic Classification
Throughout this Quick Reference, I rapidly take you through some of the more advanced forms of traffic filtering. We begin this journey with the familiar access control list (ACL), and progress into deep packet inspection with regular expressions and parameter-specific conditional statements. I think that many people would flip to the center of this Quick Reference and feel intimidated by some of the content, but if we step through the technologies one by one and remember that our entire configuration is based on a simple "if-then" logic, everything will make sense. My goal, at least, is that when we have finished you will have become much more effective as a firewall administrator.
I assume that you know the fundamentals based on the SNAF material that precedes this. However, I will quickly redefine some things just to make sure that you truly understand what is happening "beneath the hood," rather than just knowing the definition of a term. Just remember, almost everything we cover in the first half of this Quick Reference follows the same simple logic: If you see a packet that looks like this, forward it to this interface; if it looks like this, then drop, NAT, encrypt, and so on. We will just add classifications and additional actions beyond what you may be used to using, but the core logic always remains the same. This logic is true of anything computer related: if and then. Remember this when troubleshooting, or when studying for the exam. If things seem to get complicated or you feel lost at any point in this Quick Reference, remember that it all boils down to this simple logic.
If you intend to create traffic policies on a Cisco firewall, it is imperative that you solidly understand ACLs. One of the first questions that I ask during my classes is this: What are ACLs used for? The most common answer that I receive is "to block traffic," but this answer is only partially correct. An access list can certainly be used to block traffic, but it is more appropriate to think of an ACL as a way to define interesting traffic, and once you define that interesting traffic you can manipulate it in some way. As we continue through this Quick Reference, remember that an ACL by itself doesn't have any effect. We must associate that traffic classification with a function. From this day forward, think of an ACL as an incomplete sentence that requires a verb or action. The function associated with this ACL would be synonymous with a verb within a sentence.
When you create an ACL, it is similar to telling the device "Hey ASA, when you see traffic sourced from network A destined for host B," and that is where you've left it. No action is associated with it yet; all you have done is define a traffic flow. That alone will not do anything. After this ACL has been associated with some action, then it will become useful to you. For example, when you place the ACL on an interface, it will permit or deny the traffic flow that you specified. When you associate an ACL with a nat statement, you will control address translation based on the address pairs that you specified: permit means translate the source IP address, and deny means route without address translation occurring. When you reference an ACL within a crypto map, this tells the security appliance to encrypt the traffic that matches permit statements; deny statements tell the ASA to forward the traffic without encryption. We can associate even more actions with traffic flows, but the point being made here is that a permit statement says to perform the action, whereas a deny statement says do not perform this action.

Types of Access Control Lists (type of access list: criteria to match upon)

Standard: Source IP address.
Extended: Source IP address, destination IP address, Layer 4 protocol (TCP, UDP, EIGRP, ESP, GRE, and so on), source port number, destination port number.
Webtype: Destination TCP port, or Uniform Resource Locator (URL), which can include the asterisk as a wildcard, the question mark as a single-character wildcard, and square brackets to define a range.
Ethertype: Ethertype, bridge protocol data unit (BPDU), and Layer 3 information (IPX can be permitted or denied). Ethertype ACLs are available only when operating in transparent mode.
Time based (subcategory of extended): Associates a specific month, day, or hour range with an access list, enabling you to permit or deny traffic based on these parameters.
Remember that a single ACL can have many access control entries (ACEs) and that each line in the access list (ACE) will contain a permit or deny action. As you should recall, these entries are processed in a top-down order.
When creating an ACL, don't always think of this in terms of "forward the packet, drop the packet." Think "permit or deny ______." You fill in that blank with the action that you hope to associate; it could simply mean to encrypt or not to encrypt, NAT, inspect, rate limit, and so forth. For instance, suppose that we have an ACL that references traffic from your workstation destined anywhere, and we are using the deny action:

access-list 101 extended deny ip host 192.168.1.180 any

Is this a good thing or a bad thing? Generally we don't like to be denied entry, denied a hotel room, denied a loan, denied by anyone for anything. But wait, this is different. Being denied could actually be a good thing; it depends on where that ACL is being applied. Remember, this is a security appliance, and we are applying different types of filtering and restrictions to users. If we were referring to the IP address of your workstation, we would not want this ACL to be applied inbound on the firewall interface that connects to your subnet because it would prevent you from getting to other networks. However, if rate limiting were being placed upon all users in the enterprise, and this statement were placed at the top of the ACL used for rate limiting, our traffic would proceed without any rate limit, so it would be preferable. If you were to implement Cut-through Proxy on the inside interface of the firewall, forcing all users to authenticate before browsing the web, again this deny statement would exclude you from Cut-through Proxy. Your traffic would flow through uninterrupted while everyone else must first authenticate to go out. Similar logic applies to other functions, such as authentication, policy NAT, URL filtering, and so forth.

Logging

As mentioned previously, ACLs have many purposes. One that is commonly overlooked is intrusion detection. This might sound surprising, but it makes sense when you think about it. Intrusion detection does not have to be accomplished by using network sensors or modules within other network equipment. You can use ACLs for troubleshooting and detection. For instance, I sometimes use a very specific permit statement and apply it at the top of an ACL to make sure traffic is reaching a device and being processed appropriately. It is less disruptive than a debug, but it can also prove that "the network is not the problem." The catch is that I have to watch and refresh and look at hit counts. Is there an easier way?
Most ACLs consist of a collection of permit statements followed by that implicit deny. I was once in a training class and the instructor recommended manually adding deny ip any any log at the end of the ACL so that we could see all packets that are denied. This was not the right idea in my mind, but it was a good start. Logging all denied packets will generate too much information, and chances are slim that the administrator will take these notifications seriously because he'll see a great deal of useless information. Things such as routing updates, broadcasts, and multicasts are going to hit that ACL and be denied, which will generate entries that you have to scroll past, or will generate hit counts that are too high to do us any good. For the past several years, what I have been doing is building a list of specific protocols that I want to deny demilitarized zone (DMZ) servers from accessing (FTP, SSH, IRC, and even HTTP at certain hours, and so on), and placing the log statement at the end of each line. This way, when a server is compromised using some new exploit that is not detected by the intrusion prevention system (IPS), and the attacker attempts to fetch his rootkit from a remote server using TFTP/FTP/HTTP or log in to a botnet on IRC, not only will the connection be denied, but it will also generate a notification. When logged in at the server's desktop, it may look okay. If you inspect the event log, it might be normal, but the syslog notification is proof that something is not right. Why was your server attempting to connect to a TFTP server in Malaysia at 2:45 a.m.? I have been compromised more than once, but I've also been fortunate enough to detect the compromise within a few hours. Quite often, this is not the case, and a machine might go undetected for months, or even years. You can configure ACLs to send information to a syslog server using the command-line interface (CLI). At the end of an access list entry, use the log parameter.
For instance, suppose that we want to prevent a SQL server on the inside network whose IP is 192.168.50.7 from accessing any IRC network, and should this ever occur we want to be notified via syslog. We could use the following statement to make this happen:

Router(config)# access-list 101 deny tcp host 192.168.50.7 any eq 6667 log

Note
Logging of access list matches requires the prior configuration of syslog. It is also possible to set different logging levels for different access list entries.
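As an added example that is not from the book or from Cisco, here is a small Python model of the ACL behaviour this section describes: it parses access control entries in the syntax shown above, evaluates them top-down with the implicit deny at the end, keeps a hit count per entry, and emits a notification for an entry carrying the log keyword. The VERBS table at the end makes the chapter's point that the same permit or deny answer means something different depending on the function the ACL is bound to. The notification format, the port-name table, and the sample ACL 101 are constructed for the example and are not ASA output.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed example (not Cisco's code): an evaluator for the ASA-style
# access control entries used in this chapter. It models top-down matching,
# the implicit deny at the end of every ACL, per-entry hit counts, and the
# "log" keyword that turns a matched entry into a notification.

PORT_NAMES = {"www": 80, "ftp": 21, "ssh": 22, "smtp": 25, "domain": 53}  # assumed subset


@dataclass
class ACE:
    action: str                     # "permit" or "deny"
    proto: str                      # "ip", "tcp", "udp" or "icmp"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dport: Optional[int]            # destination port from "eq <port>", if any
    log: bool                       # trailing "log" keyword present
    hits: int = 0


def _parse_addr(tokens, i):
    """Read 'any', 'host A.B.C.D' or 'A.B.C.D MASK' starting at tokens[i]."""
    if tokens[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tokens[i] == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    # ipaddress accepts a dotted netmask after the slash
    return ipaddress.ip_network(f"{tokens[i]}/{tokens[i + 1]}"), i + 2


def parse_ace(line):
    """Parse 'access-list NAME [extended] ACTION PROTO SRC DST [eq PORT] [log]'.
    Only a destination port is supported (no source 'eq'), which covers the
    chapter's examples. Returns (acl_name, ACE)."""
    tokens = line.split()
    if tokens[0] != "access-list":
        raise ValueError(f"not an ACE: {line}")
    name, i = tokens[1], 2
    if tokens[i] == "extended":
        i += 1
    action, proto, i = tokens[i], tokens[i + 1], i + 2
    src, i = _parse_addr(tokens, i)
    dst, i = _parse_addr(tokens, i)
    dport, log = None, False
    while i < len(tokens):
        if tokens[i] == "eq":
            dport = PORT_NAMES.get(tokens[i + 1]) or int(tokens[i + 1])
            i += 2
        elif tokens[i] == "log":
            log, i = True, i + 1
        else:
            raise ValueError(f"unsupported keyword {tokens[i]!r} in: {line}")
    return name, ACE(action, proto, src, dst, dport, log)


class ACL:
    def __init__(self, lines):
        self.name = None
        self.aces = []
        self.syslog = []            # constructed notifications, one per logged hit
        for line in lines:
            name, ace = parse_ace(line)
            self.name = self.name or name
            self.aces.append(ace)

    def evaluate(self, proto, src, dst, dport=None):
        """Return (action, ace_index); ace_index is None for the implicit deny."""
        src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        for idx, ace in enumerate(self.aces):
            if ace.proto != "ip" and ace.proto != proto:
                continue
            if src not in ace.src or dst not in ace.dst:
                continue
            if ace.dport is not None and ace.dport != dport:
                continue
            ace.hits += 1
            if ace.log:
                # Simplified, constructed message; the real ASA syslog text differs.
                word = {"permit": "permitted", "deny": "denied"}[ace.action]
                self.syslog.append(
                    f"access-list {self.name} {word} {proto} {src}->{dst}({dport}) hit-cnt {ace.hits}")
            return ace.action, idx
        return "deny", None         # implicit deny: no entry, no hit counter, no log


# The same classification answers a different question depending on the
# function (the chapter's "verb") that the ACL is bound to.
VERBS = {
    "interface":  {"permit": "forward", "deny": "drop"},
    "nat 0":      {"permit": "do not translate", "deny": "translate"},
    "crypto map": {"permit": "encrypt", "deny": "forward in the clear"},
}


def bind(verb, action):
    return VERBS[verb][action]


if __name__ == "__main__":
    # Constructed ACL from the chapter: keep the SQL server off IRC and get told about it.
    acl = ACL(["access-list 101 deny tcp host 192.168.50.7 any eq 6667 log",
               "access-list 101 permit ip 192.168.50.0 255.255.255.0 any"])
    print(acl.evaluate("tcp", "192.168.50.7", "203.0.113.9", 6667))   # ('deny', 0)
    print(acl.evaluate("tcp", "192.168.50.7", "203.0.113.9", 443))    # ('permit', 1)
    print(acl.evaluate("udp", "10.0.0.5", "203.0.113.9", 53))         # ('deny', None)
    print(acl.syslog, bind("nat 0", "permit"))
```

The implicit deny produces no notification, which is the point the author makes about deny ip any any log: to be told about a specific event you write a specific deny with log, not a catch-all.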
You can also configure this through the graphical user interface (GUI), as shown in Figure 1-1.
NAT Based on your previous studies, you should already know how to perform basic NAT operations, so let's begin looking at how not to NAT.
Identity NAT, or using NAT with the ID of zero, has the highest priority of all NAT operations. Identity NAT overrules a similar static or dynamic NAT rule. So, when would you want to use identity NAT? The most common example is traffic flows between two protected networks. Examine the diagram shown in Figure 1-2.
As you can see, traffic flowing from the 192.168.1.0/24 network destined for the 10.1.1.0/24 network does not require NAT operations. These networks are trusted, and there is no overlap in IP addresses. Therefore, to disable the requirement to NAT, use the following commands:

access-list 101 permit ip 192.168.1.0 255.255.255.0 10.1.1.0 255.255.255.0
nat (inside) 0 access-list 101

You can also configure this from the Cisco Adaptive Security Device Manager (ASDM). Just select Configuration, the Firewall pane on the left, and then NAT Rules. Within the NAT Rules configuration, select Add, and then Add NAT Exempt Rule.
Figure 1-4 shows the configuration for our NAT policy. We will select an interface, the source IP address, and then the destination IP address.
First we will select the source IP address range. In this case, 192.168.1.0 is our inside network.
I like to define object groups and then reference the object groups within an ACL, which can also be done here. While in the same Edit NAT Exempt Rule window as earlier, I selected Destination, and then in the Browse Destination window, I selected the Add drop-down, then Network Object. Here I define the name and address range for the remote office.
At this point, the new network object called Remote-Office can be seen in the Browse Destination window. I select that as the Destination and click OK.
Now that we have selected both source and destination for our NAT exempt rule, we are almost done.
After you have accepted this change, you can see the new rule at the top of your Access Rules.
We are issuing this statement with the assumption that it is required, but this is not always the case. Before version 7.0 of the firewall OS, all packets that traversed a PIX firewall had to be translated. When the Adaptive Security Appliances (ASAs) were introduced along with 7.0, this was no longer the case, and by default packets did not have to be NAT'd. To enable this requirement, you can use the command nat-control. After you issue this command, all packet flows require nat and global statements for the packet to pass through the firewall, similar to the behavior before 7.0. You can then use the nat 0 command to break this requirement and allow packets to pass without source address translation.
The order of NAT processing is as follows:
1. Identity NAT
2. Static NAT
3. Dynamic NAT
Within these high-level categories, a statement that references an ACL takes precedence over another rule that is more general. Just think of this concept as "the most specific match rules."
Example
ASA5505(config)# nat (inside) 1 192.168.1.0 255.255.255.0
ASA5505(config)# access-list 102 permit tcp host 192.168.1.10 any eq www
ASA5505(config)# nat (inside) 2 access-list 102

In this example, a packet from 192.168.1.10 destined for www.google.com on port 80 matches both statements, nat 1 and nat 2. However, because nat 2 is more specific, it takes precedence over nat 1.
When configuring an ASA 5505 for NAT, you will notice that the terms inside and outside refer to VLAN interfaces, as opposed to physical interfaces. The physical interfaces are switch ports and must be associated with a VLAN to pass traffic.
The concept of nat 0 is fairly simple, but it serves as an excellent example of the logic we will be embracing. Instead of using an ACL to permit traffic through an interface, in this example we are using an ACL to define what should not be translated. So notice how, in this scenario, a permit within the ACL tells the appliance not to do something, and that something is address translation. If the ACL referenced by the nat 0 statement has a deny statement within it, what will happen to the source IP address? Perhaps you said to yourself "nothing at all"; it's easy to get confused with multiple operations. Remember that nat 0 is a command that says "do not translate." Therefore, the deny would be a double negative, effectively telling the security appliance "don't not translate" (or in other words, this packet should be translated).
If you have followed the examples so far, you are in good shape and we can delve further into the logic of the security appliance. Remember, everything we do in IT follows an "if-then" logic. If this condition occurs, then perform this action.
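An added example, not from the book or from Cisco, of the precedence just described as a Python model. The rules are the chapter's nat 1, nat 2 and nat 0 statements with their ACLs reduced to predicates (a predicate returns "permit", "deny" or None for the implicit deny). Identity NAT wins over static, static over dynamic, and inside a tier an ACL-based rule beats a general one; a deny in the nat 0 ACL simply fails to claim the flow, which is the "don't not translate" outcome. The pool names, the drop-versus-forward behaviour when no rule matches (nat-control), and the longest-prefix tie-breaker among general rules are assumptions of the model, not statements from the book.

```python
import ipaddress
from dataclasses import dataclass
from typing import Callable, Optional

# Constructed example (not Cisco's code): NAT rule selection in the order the
# chapter describes. Identity NAT (nat 0) > static > dynamic; within a tier a
# rule that references an ACL (policy NAT) beats a general rule.

TIER = {"identity": 0, "static": 1, "dynamic": 2}


@dataclass
class NatRule:
    kind: str                                        # "identity" (nat 0), "static" or "dynamic"
    nat_id: int                                      # the number after "nat (inside)"
    real_net: Optional[ipaddress.IPv4Network] = None  # general rule: real (source) network
    acl: Optional[Callable[[tuple], Optional[str]]] = None  # policy rule: ACL predicate
    mapped: str = ""                                 # placeholder for the mapped address/pool


def select_rule(rules, flow, nat_control=False):
    """Return (rule, outcome) for the rule that claims the flow, or (None, outcome)
    when nothing matches. flow = (proto, src, dst, dport)."""
    src_ip = ipaddress.ip_address(flow[1])

    def precedence(rule):
        # tier first; inside a tier, ACL-based rules before general ones; among
        # general rules the longest prefix first (assumed tie-breaker, not from the book)
        prefix = rule.real_net.prefixlen if rule.real_net else 0
        return (TIER[rule.kind], 0 if rule.acl else 1, -prefix)

    for rule in sorted(rules, key=precedence):
        if rule.acl is not None:
            # A deny (or no match) means this rule does not claim the flow. For
            # nat 0 that is the chapter's double negative: "don't not translate",
            # so the flow falls through to the remaining rules.
            if rule.acl(flow) != "permit":
                continue
        elif rule.real_net is None or src_ip not in rule.real_net:
            continue
        if rule.kind == "identity":
            return rule, "exempt (source address unchanged)"
        return rule, f"translate source to {rule.mapped}"
    # No rule matched: with nat-control the appliance requires a translation;
    # without it (the 7.0+ default) the packet is forwarded untranslated.
    return None, ("dropped, nat-control requires a translation" if nat_control
                  else "forwarded untranslated")


# --- the chapter's rules, as constructed predicates -------------------------

def acl_102(flow):
    # access-list 102 permit tcp host 192.168.1.10 any eq www
    proto, src, _dst, dport = flow
    if proto == "tcp" and src == "192.168.1.10" and dport == 80:
        return "permit"
    return None                                      # implicit deny


def acl_101(flow):
    # access-list 101 permit ip 192.168.1.0 255.255.255.0 10.1.1.0 255.255.255.0
    _proto, src, dst, _dport = flow
    inside = ipaddress.ip_address(src) in ipaddress.ip_network("192.168.1.0/24")
    branch = ipaddress.ip_address(dst) in ipaddress.ip_network("10.1.1.0/24")
    return "permit" if inside and branch else None


RULES = [
    NatRule("dynamic", 1, real_net=ipaddress.ip_network("192.168.1.0/24"), mapped="global pool 1"),
    NatRule("dynamic", 2, acl=acl_102, mapped="global pool 2"),   # policy NAT: more specific
    NatRule("identity", 0, acl=acl_101),                          # nat (inside) 0 access-list 101
]

if __name__ == "__main__":
    for flow in [("tcp", "192.168.1.10", "203.0.113.80", 80),   # web from the workstation
                 ("tcp", "192.168.1.20", "203.0.113.80", 80),   # web from any other inside host
                 ("tcp", "192.168.1.10", "10.1.1.5", 80),       # web traffic to the remote office
                 ("udp", "10.9.9.9", "203.0.113.53", 53)]:      # source covered by no rule
        rule, outcome = select_rule(RULES, flow)
        print(flow, "->", f"nat {rule.nat_id}" if rule else "no rule", outcome)
```

The third flow is the instructive one: it matches ACL 102 (any destination, port 80) and ACL 101, and nat 0 wins because identity NAT sits in the highest tier, not because of the order the rules were entered.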
We can now expand our knowledge of NAT operations with Policy NAT. The first time I heard the term Policy NAT I was on a bridge call with several engineers. At the time, it sounded pretty fancy, and even intimidating. My strategy then was just to keep my mouth shut and not ask any dumb questions. Just what is this policy thing? For instance, what is policy-based routing (PBR) (another term that can sound intimidating at first)? Policy NAT and policy-based routing are just making forwarding operations based on criteria within the packet outside of the usual things that we look at. You might still be wondering what that means. To help you understand, let's look at routing. A router makes forwarding decisions based on the destination IP address in the IP header (Layer 3), and that is all. "That's it?" you ask. Essentially, yes. Simply put, PBR is making a forwarding decision based on other information. You can specify lots of different criteria, but imagine routing traffic from your call center to the Internet over a 5-Mb/s cable modem, and traffic sourced from your executives to the same destination out of a different, faster link, such as a 50-Mb/s FiOS link. Now we are making a forwarding decision based on both the source and destination IP address. You can also specify other criteria, such as Layer 3 and Layer 4 information like type of service (ToS), time of day, protocol, and service (HTTP, SMTP, POP3, and so forth). So, to clarify, you can perform NAT and routing operations based on criteria that you can specify within an ACL. If you are with me so far, we are making great progress. Things will continue to build in a similar logical manner. For more than a decade, we have been making forwarding decisions based on some, but not all, of the information contained within Layers 2, 3, and 4 of the OSI model. Primarily, we have looked at source and destination MAC addresses, IP addresses, and port numbers.
What about the payload, and what about other fields within the IP header and TCP header? In the latest versions of FOS and IOS software, you will find a growing number of parameters that you can specify to match upon the contents of the payload. Dozens of combinations of conditions are available that we can define to control the flow of packets through the security appliance.
We will now move beyond the familiar Layer 3 and Layer 4 conditions and into specifying criteria within the payload. Each protocol will have specific parameters that we can match upon. For instance, think about FTP. When you connect to a remote FTP server, you first log in with a username and password, and then transfer files. All the file operations have specific commands. You can find these commands within an RFC. In other words, standards define how a client and server communicate. Every protocol has these standards defined, whether it is HTTP, FTP, SMTP, or so forth. When a client connects to a server, certain commands are available. Each protocol is almost a language in itself. Think of the client and server as two peers having a conversation while the firewall is eavesdropping on them. If the firewall has the capability to inspect a conversation, we can create conditions upon commands or actions/conditions of this conversation. In terms of configuration, think of the entire process of "advanced protocol inspection" as a simple conversation between the administrator and the firewall. Essentially, you are saying, "Hey firewall, if you see a packet coming from the outside world, destined for our FTP server, and someone tries to create a new directory." Notice there is no action. Once again, it's an "if-then" logic that we are dealing with here; the action is defined in a separate step. From a bird's-eye view, you're saying, "Hey firewall, if you see a packet that looks like this, then do this action." The action may be drop the packet, reset the connection, implement rate limiting, generate a syslog notification, or so on. A number of actions can be taken upon a traffic flow. This "advanced protocol handling" is implemented through the Modular Policy Framework (MPF). The MPF, although seemingly complex, gives administrators a powerful means of implementing strict control over traffic flows.

Note
MPF replaces the fixup commands that were used in earlier versions of the OS.

Every protocol should be thought of as a separate language, and the firewall must have an understanding of the language before you can match upon protocol-specific parameters (such as deleting a file or making a new directory in FTP). As we go forward and explore these protocols, you will gain a better understanding of what is possible with the ASA and PIX perimeter security appliances.
Modular Policy Framework is the term Cisco gives to the use of class maps and policy maps to control the flow of traffic through your device. This is sometimes referred to as Modular Quality of Service Command Line Interface, or Modular QoS CLI, when dealing with routers. The MPF uses class maps to identify a flow of traffic and a policy map to implement some action on that traffic flow. Based on earlier explanations, think of the class map as the "if" condition and the policy map as the "then" condition.

Figure: the three MPF components, Class Map (define traffic flow) -> Policy Map (associate action) -> Service Policy (apply policy here), with three example rows: Public -> IPS -> Outside; Remote Users -> Police -> Outside; Branch Office -> Priority -> Outside.

First let's tackle class maps. A class map is used to define a traffic flow. A class map will have a name (for instance, DMZ-Services). Within the class map named DMZ-Services, we will define some criteria to match upon.
Class map criteria include the following:
- Access control lists
- Type of service
- Tunnel group
- Differentiated services code points
- Destination IP address
- TCP or UDP port number
- Real-time Transport Protocol (RTP) port numbers
- Default inspection traffic
- Any packet
- Flow
Therefore, suppose that we use the topology shown in the figure, and that we write the following access list:

ASA(config)# access-list 101 permit tcp any host 10.10.10.100 eq 80
ASA(config)# access-list 101 permit tcp any host 10.10.10.101 eq 25
ASA(config)# access-list 101 permit tcp any host 10.10.10.100 eq 443
ASA(config)# access-list 101 permit tcp any host 10.10.10.101 eq 110
ASA(config)# access-list 101 permit udp any host 10.10.10.102 eq 53

We can place access list 101 into the class map called DMZ-Services by using the following CLI commands:

ASA(config)# class-map DMZ-Services
ASA(config-cmap)# match access-list 101
At this point, we have taken several traffic flows and associated them with a single name: DMZ-Services. However, we have not done anything to these packets. Previously we have discussed things such as dropping packets, routing, and NAT'ing. In this example, we will take this traffic flow that applies to users from the Internet destined for our DMZ services and pass that traffic to an IPS module for inspection. We can do this by using a policy map, and we can use the following configuration to forward this traffic flow to the AIP-SSM:

1. Create a policy map called Outside-Policy:
ASA(config)# policy-map Outside-Policy
2. Reference our previously defined traffic flow called DMZ-Services:
ASA(config-pmap)# class DMZ-Services
3. Pass this traffic flow to the IPS module for inspection. If the IPS module is unable to process the traffic, ignore this failure and forward it without inspection:
ASA(config-pmap-c)# ips inline fail-open
In the preceding example, we identified traffic destined for the services on our DMZ. After identifying the traffic flows using an ACL, we referenced this ACL within a class map. Finally, the class map was placed within a policy map, and an action was associated with that traffic flow. In this case, any traffic destined for our DMZ servers will be passed to an IPS module within the ASA. Let's examine the different actions we can take on a traffic flow using the MPF:
- Permit
- Deny
- Application inspection
- Send to IPS module
- Send to CSC module
- Expedite this traffic with priority queuing
- Tune connection parameters
- Police (rate limit)
- Traffic shaping

Let's review what we have covered so far: An ACL can be used to define a flow of traffic; that ACL can then be referenced within a class map, and the class map is then placed within a policy map to take some action on the flow of traffic previously described in the ACL. The final step is to apply the policy map to an interface. You can do this by using the service-policy command:

ASA(config)# service-policy Outside-Policy interface outside
In this example, we applied the previously generated policy Outside-Policy to our outside interface. Do you have to use an ACL within a class map? No, this is not a requirement. ACLs are one of several options available to you for specifying packet criteria. You can find the complete list earlier in the chapter.
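As an added example that is not from the book or from Cisco, the if/then shape of the MPF in Python: a class map holds one match criterion (the "if"), a policy map lists class maps with their actions (the "then"), and a service policy binds one policy map to an interface. The objects rebuild the chapter's configuration, with "match access-list 101" reduced to a predicate over the five DMZ services, and the ips action is modeled with both fail-open and an assumed fail-close so the difference is visible when the module is down. The simplification that the first matching class map is the only one applied, and the catch-all class name, are assumptions of the model.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple

# Constructed example (not Cisco's code): the if/then structure of the Modular
# Policy Framework. Only the actions the chapter shows (ips, inspect, priority)
# are modeled, and the first class map that matches a packet is the one applied.

Packet = dict                  # keys: iface, proto, src, dst, dport
Action = Tuple[str, ...]       # e.g. ("ips", "inline", "fail-open"), ("inspect", "http")


@dataclass
class ClassMap:
    name: str
    match: Callable[[Packet], bool]          # one "match ..." criterion


@dataclass
class PolicyMap:
    name: str
    classes: List[Tuple[ClassMap, List[Action]]]   # configuration order matters


class Appliance:
    def __init__(self):
        self.policies: Dict[str, PolicyMap] = {}     # interface -> policy map
        self.ips_online = True                       # state of the IPS module

    def service_policy(self, pmap: PolicyMap, interface: str):
        # only one policy map per interface; a second call replaces the first
        self.policies[interface] = pmap

    def process(self, pkt: Packet) -> str:
        pmap = self.policies.get(pkt["iface"])
        if pmap is None:
            return "forward (no service policy on interface)"
        for cmap, actions in pmap.classes:
            if not cmap.match(pkt):
                continue                              # the "if" did not hold
            applied = []
            for action in actions:                    # the "then" part
                if action[0] == "ips":
                    if self.ips_online:
                        applied.append("sent to IPS module")
                    elif action[2] == "fail-open":
                        applied.append("IPS down, forwarded uninspected")
                    else:
                        return f"drop ({cmap.name}: IPS down, fail-close)"
                elif action[0] == "inspect":
                    applied.append(f"{action[1]} inspection")
                elif action[0] == "priority":
                    applied.append("priority queue")
            return f"forward ({cmap.name}: {', '.join(applied) or 'no action'})"
        return "forward (no class matched)"


# --- the chapter's configuration, as constructed objects --------------------

# stands in for "match access-list 101": the five DMZ services from the chapter
DMZ_SERVICES_ACL = {("tcp", "10.10.10.100", 80), ("tcp", "10.10.10.101", 25),
                    ("tcp", "10.10.10.100", 443), ("tcp", "10.10.10.101", 110),
                    ("udp", "10.10.10.102", 53)}

DMZ_SERVICES = ClassMap("DMZ-Services",
                        lambda p: (p["proto"], p["dst"], p["dport"]) in DMZ_SERVICES_ACL)
CATCH_ALL = ClassMap("catch-all", lambda p: True)     # "match any" (assumed name)


def build_asa(ips_fail_mode="fail-open"):
    """Appliance with Outside-Policy applied to the outside interface."""
    asa = Appliance()
    pmap = PolicyMap("Outside-Policy", [
        (DMZ_SERVICES, [("ips", "inline", ips_fail_mode)]),
        (CATCH_ALL, []),
    ])
    asa.service_policy(pmap, "outside")
    return asa


if __name__ == "__main__":
    web = {"iface": "outside", "proto": "tcp", "src": "198.51.100.7",
           "dst": "10.10.10.100", "dport": 80}                # constructed packet
    asa = build_asa()
    print(asa.process(web))            # forward (DMZ-Services: sent to IPS module)
    asa.ips_online = False
    print(asa.process(web))            # forward (DMZ-Services: IPS down, forwarded uninspected)
    strict = build_asa("fail-close")
    strict.ips_online = False
    print(strict.process(web))         # drop (DMZ-Services: IPS down, fail-close)
```

The fail-open choice in the chapter trades inspection for availability when the module is unavailable; the model makes that trade explicit so the reader can see which packets would go uninspected.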
Configuration is a bit different when performed from ASDM; you actually start at the interface, and work your way backward. First, select Configuration, then Firewall, followed by Service Policy Rules.
Click the Add button, and then Add Service Policy Rule from the drop-down window.
Because only one policy can be applied to an interface, you must modify the existing policy if one has already been configured. By default, there is a policy called global_policy that is applied globally, and the interfaces do not have any configuration. Assuming that we are working with a fresh configuration, we will continue by selecting the Interface radio button and selecting the Outside interface. Similar to the previous example, I will use the policy name Outside-Policy, add a description, and then click Next.
As previously mentioned, we have several methods available for classifying traffic. Because the most familiar is using an ACL, I will select Source and Destination IP Address from the Traffic Match Criteria selection. As you can see, other methods are also available.
It is extremely easy to configure ACLs from the GUI, as you can see here. Just select a source, destination, and service. The button on the right will present a list of preconfigured network objects that you can select, or you can type the network addresses by hand. The last requirement is to specify the service. A preconfigured list is available, or you can manually enter the protocol and port.
The following window is used to configure protocol inspection, connection settings, QoS, and other rules. This is the actual action covered in the next section of this Quick Reference.
Application Inspection (Deep Packet Inspection)

At this point, we know that it is possible to create criteria that match parameters that exist in the payload (Layer 5 to 7) of a packet. For instance, if a packet is sent from a remote user's browser to our web server, we can permit or deny the packet based on HTTP parameters within the payload. HTTP uses a different set of commands between the client and server than other protocols (such as FTP, SMTP, and so on). Although many protocols are in use today, and there are multiple versions of the clients and servers for each of these protocols, the commands are still based on standards defined in a protocol-specific RFC or group of RFCs. This is why any web browser (Firefox, Internet Explorer, Safari, Netscape) can communicate with any web server (Apache, IIS, Tomcat, and so on). A sequence of events always occurs, and specific commands are passed back and forth between client and server for any protocol (HTTPS, HTTP, FTP, SMTP, POP3, IMAP, RTSP, and so on). If the security appliance understands the language that is being spoken (HTTP in this case), then as a firewall administrator we have the ability to match criteria within HTTP communications and associate a security policy with that traffic flow. Suppose that we have a web server within our DMZ that is running a single web application that is under our company's control. The web developers have informed us that this specific application supports the GET request, but not a POST request. Using the ASA, we have the ability to inspect within the payload of the packet and interpret the HTTP commands that are being passed from a client to a server. If we see a client sending a packet toward our web application that contains a POST command in the payload, we know that this is malicious activity (because our web application does not support POST). After identifying this activity, we can react accordingly.
For instance, someone may be running a web application vulnerability scanner against our application, or sending custom messages created by hand with a utility such as Burp. By similar logic, if we inspect a packet sent from an unknown client to our server and it contains a GET request, we know this packet is not malicious, correct? Nope, not really. An attacker can still perform web application attacks using the GET command, but by blocking the POST command we have eliminated our exposure to some of the attacks that exist.
So far we know that we want to allow traffic from the outside interface (the public Internet) into our web server, but we also want to protect this server from the malicious attacks that it is sure to receive. We know not all port 80 traffic is going to be friendly, so we will filter out HTTP requests that use the POST method. Let's start where we previously left off when configuring service policy rules on the ASA. The screen was asking for rule actions (allowing for QoS, connection settings, IPS, application inspection, and more). We will select the Protocol Inspection tab. Make sure HTTP inspection is enabled, and then select Configure.
© 2009 Cisco Systems Inc. All rights reserved. This publication is protected by copyright. Please see page 161 for more details.
Now we will create an inspect map for HTTP. Select the radio button that reads Select an HTTP Inspect Map for Fine Control over Inspection, and then click the Add button.
Name this HTTP inspection map, and then provide a description. Then, select Details.
Under the Inspections tab, click Add.
The final step is to set the actual parameter that we are trying to block. From the Method dropdown box, select Post, and then ensure that the action is set to Drop Connection and that Log is set to Enabled.
In the future, if you want to modify inspection maps, you can find them by following this path: Configuration > Firewall > Objects > Inspect Maps.
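What the inspection map built above actually does to a request, modelled as an added Python example (illustrative code, not the ASA's implementation): the request line is parsed, the Method is compared against the map, and a matching row yields the configured action and a log entry. The names INSPECT_MAP, inspect_http and the "protocol-violation" result for an unparseable request are assumptions of this example.

```python
import re

# Added example: a model of the HTTP inspection map configured in ASDM above.
# One entry per row on the Inspections tab: the Method to match, the action,
# and whether to log. Here: Method POST -> Drop Connection, Log enabled.
INSPECT_MAP = [
    {"method": "POST", "action": "drop-connection", "log": True},
]

# Request line per RFC 2616: METHOD SP Request-URI SP HTTP/major.minor CRLF.
# HTTP methods are case-sensitive, so only upper-case tokens are accepted.
REQUEST_LINE = re.compile(rb"^([A-Z]+) (\S+) HTTP/(\d)\.(\d)\r?\n")


def parse_request_line(payload: bytes):
    """Return (method, uri, version) for a well-formed request line, else None."""
    m = REQUEST_LINE.match(payload)
    if m is None:
        return None
    method, uri, major, minor = (g.decode("ascii") for g in m.groups())
    return method, uri, f"{major}.{minor}"


def inspect_http(payload: bytes, inspect_map=INSPECT_MAP, log=None):
    """Apply the inspection map to one client-to-server request payload.

    Returns "permit" when no row matches, otherwise the matching row's action.
    A payload that is not a valid HTTP request line is returned as
    "protocol-violation" (name assumed by this example) so the caller can decide.
    """
    parsed = parse_request_line(payload)
    if parsed is None:
        return "protocol-violation"
    method, uri, version = parsed
    for row in inspect_map:
        if row["method"] == method:
            if row["log"] and log is not None:
                log.append(f"http inspect: {method} {uri} HTTP/{version} -> {row['action']}")
            return row["action"]
    return "permit"


# Constructed sample requests (not captured traffic).
SAMPLE_GET = b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n\r\n"
SAMPLE_POST = b"POST /upload HTTP/1.1\r\nHost: www.example.com\r\nContent-Length: 0\r\n\r\n"
```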
To properly protect this server, we need to make a few more tweaks to minimize our exposure. Let's take a look at a few more ways to do this.
Regular Expressions
Some of you may be familiar with regular expressions (regex) from prior programming or scripting experience. If you have not had experience with this type of classification before, you will probably be a bit intimidated at first, but with a bit of practice it all makes sense.
For instance, if I want to configure the firewall to notify me if the word Hacked passes through the firewall on port 80, I could define the word as it is styled right here (with only the H capitalized). But what if I want to match on all cases (for instance, Hacked or hacked)? What if I also want to match alphabet characters that have been swapped with numbers (such as h4ck3d) or a mixture of upper- and lowercase (such as hAcKeD)? You can use a regular expression to match a string of characters and combinations of those characters, including ranges and the position of the pattern within other text. For example, if I want to match all the previously mentioned variations of hacked, I could use the following regular expression:
[Hh][Aa4@][Cc][Kk][Ee3][Dd]
If the payload of a packet contains six characters in order, each matching any single character within the corresponding set of brackets, we will consider this a match. Creating regular expressions can be tricky at first, but the ASA has a built-in tool to test your regular expression and ensure that it is matching the way you planned, as follows:
ASA5585# test regex H4ck3d [Hh][Aa4@][Cc][Kk][Ee3][Dd]
INFO: Regular expression match succeeded.
ASA5585# test regex H4ck3r [Hh][Aa4@][Cc][Kk][Ee3][Dd]
INFO: Regular expression match failed.
You can also wildcard a single character by using the period (.), as follows:
ASA5585# test regex H4ck3d [Hh][Aa4@][Cc][Kk][Ee3].
INFO: Regular expression match succeeded.
ASA5585# test regex H4ck3r [Hh][Aa4@][Cc][Kk][Ee3].
INFO: Regular expression match succeeded.
ASA5585# test regex 4ck3r [Hh][Aa4@][Cc][Kk][Ee3].
INFO: Regular expression match failed.
ASA5585# test regex H4ck3rr8128Z18312 [Hh][Aa4@][Cc][Kk][Ee3].
INFO: Regular expression match succeeded.
Beware of special characters, however. If you want to match on a file, such as nc.exe, the period will be used as a wildcard. But suppose you want to match literally on the period itself:
ASA5585# test regex nc.exe nc.exe
INFO: Regular expression match succeeded.
ASA5585# test regex nclexe nc.exe
INFO: Regular expression match succeeded.
To correct this issue, just place the backslash (\) before a character to match on it literally, as follows:
ASA5585# test regex nc.exe nc\.exe
INFO: Regular expression match succeeded.
ASA5585# test regex nclexe nc\.exe
INFO: Regular expression match failed.
Remember to use the \ character when matching against a domain:
ASA5585(config)# test regex myspace.com myspace\.com
INFO: Regular expression match succeeded.
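The same checks reproduced as an added Python example (not from the book): Python's re module treats bracketed sets, the period wildcard and the backslash escape the same way as the test regex command above, so the block builds the six-set pattern programmatically, tests the same inputs, escapes the period in nc.exe and myspace.com, and groups several domain patterns into a class the way a regex class such as SocialNetworking does. Function names and the sample strings are this example's own.

```python
import re

# Constructed inputs (not the page's CLI session).
HACKED_VARIANTS = ["Hacked", "hacked", "h4ck3d", "hAcKeD", "H@ck3d"]


def asa_test_regex(text: str, pattern: str, ignore_case: bool = False) -> bool:
    """Succeed if the pattern matches anywhere in the input, as 'test regex'
    does (the ASA searches the payload; it does not anchor to the start).
    ignore_case mirrors the ASDM regex builder's Ignore Case option."""
    flags = re.IGNORECASE if ignore_case else 0
    return re.search(pattern, text, flags) is not None


def build_class_pattern(word: str, substitutions: dict) -> str:
    """Build one bracketed set per letter: both cases plus any accepted
    number/symbol substitutes, e.g. 'hacked' -> [Hh][Aa4@][Cc][Kk][Ee3][Dd]."""
    parts = []
    for ch in word:
        alts = ch.upper() + ch.lower() + substitutions.get(ch.lower(), "")
        parts.append("[" + re.escape(alts) + "]")  # escapes ']' '\' '-' if present
    return "".join(parts)


LEET = {"a": "4@", "e": "3"}
HACKED = build_class_pattern("hacked", LEET)        # six sets, one per character
HACKED_WILD = HACKED[: -len("[Dd]")] + "."         # last set replaced by the wildcard


def literal_pattern(s: str) -> str:
    """Escape metacharacters so the period in nc.exe or myspace.com is matched
    literally instead of acting as a one-character wildcard."""
    return re.escape(s)


def match_regex_class(text: str, patterns: list) -> bool:
    """A regex class (for example SocialNetworking): the traffic matches if any
    member pattern matches."""
    return any(asa_test_regex(text, p) for p in patterns)


# Constructed class of literal domain patterns.
SOCIAL_NETWORKING = [literal_pattern("myspace.com"),
                     literal_pattern("myspace.co.uk"),
                     literal_pattern("facebook.com")]
```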
You can configure regular expressions from ASDM. Just navigate to the following location: Configuration > Firewall > Objects > Regular Expressions.
For example, if I want to block anything that contains myspace.com, myspace.co.uk, or some other variation, I could try this.
A tool is built in to assist you in constructing regular expressions. Click the Build button to use the tool. I have typed Myspace.com into the character string, but I want to match on both uppercase and lowercase, so I have selected the Ignore Case option.
It's always good to test things out first, so click the Append Snippet button to copy the regular expression code into the dialog box.
You can now tweak the code that was generated, or test it by clicking the Test button.
You can create multiple regular expressions that are used for a similar purpose and group them within a regular expression class. That class can then be referenced in other parts of the configuration. For instance, if you were to create a regex class called SocialNetworking, you could then include the individual regular expressions for Myspace, Facebook, LinkedIn, and so on.
Protocol-Specific Parameters
Our goal is to look deep within the flow of packets and identify certain circumstances that require special handling by the security appliance. So far, you have read about ACLs, class maps, and regular expressions. I now want to provide more detail about packet inspection.
I like the term deep packet inspection (it works for me), but many other terms also describe this process: advanced protocol handling, advanced protocol inspection, inspection class maps, or modular QoS CLI (when dealing with routers).
Before we get too caught up in terminology, let's step back to the 32,000-foot view. I say 32,000 feet because I'm currently on an airplane, at 32,000 feet, while writing this. A good way to think of protocols is that each one is like a different language. And, think of our inspection of the traffic flow as eavesdropping on a phone call between two other parties. The Marriot Park Hotel in Rome has a gated facility, and a guard is posted at this gate. Imagine that you are the guard working there. Many different people (guests and otherwise), from many different places, are coming and going. It is your duty to make sure that only guests with reservations are allowed through the front gate. To stretch this a bit further, imagine that you have the capability to monitor all inbound phone calls and eavesdrop on the ensuing conversations. If a guest (think client) is talking to your guest services desk (think internal server) in German, and you understand German, you can understand what is being said. Although most of the information being passed is not of interest to you (type of room, cost, discount rates), you are waiting for keywords such as arrival, departure, a.m., p.m., days of week, specific dates, number of adults, number of children, and so on. After you have obtained this information from the inbound phone call, you can then make note of it in your log. Well, firewalls maintain a similar log, called a state table. You should know this already from the SNAF course. So, here is a quick recap of what has happened: We have an inbound phone call, we inspect it, listen for the guest name and the arrival date, and make a note of it in the log. Your firewall does the exact same thing on a day-to-day basis. Therefore, if you understand German, French, Dutch, Italian, English, and Spanish, these customers will be passed through the gate without any additional checks. You will be expecting their arrival, and when they arrive at the gate, they will be passed through.
But what happens when someone calls the hotel and makes a reservation speaking Luxembourgish? Did you know that there is a language called Luxembourgish? Obviously, this phone call cannot be inspected. Therefore, we have no idea when the guest from Luxembourg will arrive, and when he does arrive he will be denied access. So what does this mean in the technology world? Your security appliance lacks the capability to inspect every protocol. Therefore, when well-known protocols are used, we can automatically alter the security policy to accommodate the traffic flow. When an unknown protocol is used, it will fail. This is generally where you, as administrator, come into the picture. A user tells you that the firewall is blocking his application, for example. The first question to ask yourself is what protocol the application is using to communicate through the firewall. Then, you ask whether that protocol is supported, and finally, whether inspection is enabled for that protocol. Protocol inspection can be enabled or disabled within the policy map configuration. The following output shows the protocols for which inspection can be enabled for a traffic flow:
ASA5585(config-pmap-c)# inspect ?
MPF Policy Map and Class Map Mode Inspection Protocols
ctiqbe
im
sip
dcerpc
ipsec-pass-thru
*Y
esmtp
-P
sqlnet
netbios
http
rsh
waas
icmp
rtsp
xdmcp
Beyond just inspecting these protocols for parameters that are negotiated, we can also filter upon protocol-specific conditions. I covered HTTP briefly earlier in the chapter, and these protocols are handled the same way. Inspection maps are created with protocol-specific conditions and then applied using MPF. Although configuration is possible from the CLI, ASDM is much more intuitive when performing granular filtering with MPF. To configure protocol inspection from ASDM, navigate to the following location, where you will find a list of protocols that support inspection maps: Configuration > Firewall > Objects > Inspect Maps.
As an administrator, you have the ability to create inspection maps to match specific criteria for each of these protocols. I have given you only the tip of the iceberg here. The im you see listed in the table is for the instant messaging class. You can permit or deny certain functions within instant messenger, such as whiteboard, file transfer, chat, games, and more. Each protocol has specific parameters that you can tune to enhance the security of your network.
Banner Masking
One of the first steps of a network attack is reconnaissance; attackers will map out your network resources before launching an attack. By default, when users connect to certain services, they are greeted by a banner, which the service uses to announce the type of software in use and the version number, as follows:
mac-pro:~ sin$ telnet www.ciscopress.com 80
Trying 209.2fB2.161.68...
Connected to ciscopress.com.
Escape character is '^]'.
HEAD / HTTP/1.1

HTTP/1.1 302 Found
Connection: close
Date: Sun, 21 Dec 2008 23:22:57 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Location: https://memberservices.informit
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 221

Connection closed by foreign host.
mac-pro:~ sin$
When configuring HTTP, FTP, and SMTP inspection, you can mask or even spoof the server reply. However, configuration of these features is beyond the scope of this Quick Reference.
DNS Inspection
DNS inspection is used to alter DNS replies (DNS doctoring) for internal hosts and to filter DNS traffic based on specific criteria. Altering DNS replies is necessary if you have internal users who are using external DNS servers to discover internal resources.
The external DNS server replies to the client using the real-world IP, but the internal host should be using the internal IP address to contact the server. DNS doctoring is the process of rewriting the DNS reply, changing the public IP address to the translated private IP address. For instance, consider the following static statement:
ASA(config)# static (dmz,outside) 192.168.50.50 10.10.10.50 dns
From this statement, we can tell that the outside IP address is 192.168.50.50 and the internal IP address is 10.10.10.50. If we do a DNS lookup to the external DNS server, the reply will read 192.168.50.50. When the ASA receives this DNS reply, it will be inspected, and the 192.168.50.50 address will be overwritten with 10.10.10.50 and then forwarded to the client. Another DNS feature provided by the ASA is stateful inspection of DNS. When a host sends a DNS request through the firewall, a slot is created in the translation table. As soon as one reply is received, that reply is forwarded, and the slot is then cleared. Should any additional replies arrive, they will be discarded.
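The two behaviours just described, DNS doctoring for the static above and the one-reply-per-slot check, as an added Python example (not the book's or Cisco's code) run over a DNS response constructed in the block. The parser handles name compression pointers and only touches IN A answers; the slot table is keyed on the transaction ID alone, which is a simplification of what a firewall tracks, and all names in the block are this example's own.

```python
import socket
import struct

# Learned from: static (dmz,outside) 192.168.50.50 10.10.10.50 dns
# mapped (public) address -> real (inside) address
NAT_DNS_MAP = {"192.168.50.50": "10.10.10.50"}


def _skip_name(msg: bytes, off: int) -> int:
    """Offset just past the domain name at off; handles compression pointers."""
    while True:
        length = msg[off]
        if length == 0:                 # root label ends an uncompressed name
            return off + 1
        if length & 0xC0 == 0xC0:       # 2-byte pointer ends the name
            return off + 2
        off += 1 + length


def doctor_dns_reply(msg: bytes, nat_map=NAT_DNS_MAP):
    """Rewrite A-record answers whose address is a mapped (public) address.

    Returns (message, list of (public, inside) rewrites). Queries and replies
    with no matching A records come back unchanged with an empty list.
    """
    if len(msg) < 12:
        raise ValueError("truncated DNS header")
    flags, qdcount, ancount = struct.unpack("!HHH", msg[2:8])
    if not flags & 0x8000:              # QR bit clear: this is a query
        return msg, []
    out = bytearray(msg)
    off = 12
    for _ in range(qdcount):            # skip the question section
        off = _skip_name(msg, off) + 4  # QTYPE + QCLASS
    rewrites = []
    for _ in range(ancount):
        off = _skip_name(msg, off)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == 1 and rclass == 1 and rdlen == 4:       # IN A record
            public = socket.inet_ntoa(msg[off:off + 4])
            inside = nat_map.get(public)
            if inside is not None:
                out[off:off + 4] = socket.inet_aton(inside)  # rewrite in place
                rewrites.append((public, inside))
        off += rdlen
    return bytes(out), rewrites


class DnsSlotTable:
    """Stateful check from the text: a query opens a slot, the first reply for
    it is forwarded and closes the slot, later replies are discarded.
    Keyed on transaction ID only (simplification of this example)."""

    def __init__(self):
        self.slots = set()

    def on_query(self, msg: bytes) -> None:
        self.slots.add(msg[:2])

    def on_reply(self, msg: bytes) -> bool:
        """True if the reply is forwarded, False if dropped."""
        txid = msg[:2]
        if txid in self.slots:
            self.slots.discard(txid)
            return True
        return False


def _encode_name(name: str) -> bytes:
    return b"".join(bytes([len(l)]) + l.encode() for l in name.split(".")) + b"\x00"


def build_a_response(txid: int, name: str, addr: str, ttl: int = 300) -> bytes:
    """Constructed standard response with one IN A answer (test data only)."""
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)
    question = _encode_name(name) + struct.pack("!HH", 1, 1)
    answer = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, ttl, 4) + socket.inet_aton(addr)
    return header + question + answer


# Constructed query/reply pair for www.example.com resolving to the mapped address.
SAMPLE_QUERY = (struct.pack("!HHHHHH", 0x1234, 0x0100, 1, 0, 0, 0)
                + _encode_name("www.example.com") + struct.pack("!HH", 1, 1))
SAMPLE_REPLY = build_a_response(0x1234, "www.example.com", "192.168.50.50")
```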
Advanced DNS Inspection
The ASA firewalls provide advanced DNS inspection features that protect your network from DNS spoofing and cache-poisoning attacks. In spring of 2008, Dan Kaminsky discovered one of the greatest vulnerabilities in the history of the Internet, and it had to do with poisoning major DNS servers. Although the details of the attack are fascinating, they are beyond the scope of this Quick Reference. Refer to www.doxpara.com for more information. The ASA provides the following advanced DNS inspection features to combat DNS attacks:
- Require transaction signatures (TSIG)
- Notification for excessive mismatched DNS responses
- DNS ID randomization
- Mask DNS flags
- Block DNS types
- Limiting of domains that can be queried
- Mask the recursion desired (RD) bit
- Set maximum message length
You can configure all these features by using a DNS inspection class map. In summary, many different methods are available to identify a traffic flow and then alter the traffic flow in some way. Historically, we have done most of our filtering based on parameters at Layer 3 or 4 of the OSI model. Presently, we are diving into the payload of the packet and making our filtering decisions there. The security appliances add a great number of improvements over the PIX firewalls, not only in terms of performance but also in functionality. We can now perform rate limiting, intrusion prevention, malware analysis, and priority queuing.
Chapter 2 VLANs
Beginning in Version 6.2 of the PIX firewall, there is support for subinterfaces, trunk links, and VLANs. The PIX and ASA can support 802.1Q encapsulation and a number of logical interfaces, depending on the platform. This enables you to scale your perimeter security solution without the cost of additional hardware. For instance, I have had many clients in the past with a three-interface firewall configuration (inside, outside, DMZ).
[Figure: three-interface firewall; labels DMZ VLAN 50, Outside]
The problem that lies here is that all the web services are hosted on the same subnet, and while filtering is being performed between the outside and the DMZ, there is no filtering within the DMZ. Suppose a security breach occurs on your web server through a web application vulnerability. After the web server has been compromised, it has unrestricted access to the other hosts on the DMZ. The mail server can now be compromised using an exploit against ports that would have been off limits, such as 135, 139, and 445. In addition, servers and network devices that were previously inaccessible from the Internet can now be attacked from the compromised host. Through the use of subinterfaces and VLANs, we can now segregate our DMZ servers and apply different security policies to each server or each group, depending on your configuration. We can take control over what traffic, if any, will pass between these servers.
[Figure: segmented DMZ; labels DMZ, VLAN 50, VLAN 25, Inside]
To configure a subinterface from the command line, simply enter the interface command followed by the interface, including a fractional decimal value:
ASA5510(config)# interface ethernet 0/0.1
Within the interface configuration mode, assign additional parameters, such as logical name, IP address, security level, and VLAN:
ASA5510# config t
ASA5510(config)# int ethernet 0/2.1
ASA5510(config-subif)# vlan 25
ASA5510(config-subif)# security-level 25
ASA5510(config-subif)# nameif web
ASA5510(config-subif)# ip address 172.16.17.1 255.255.255.248
ASA5510(config)# int ethernet 0/2.2
ASA5510(config-subif)# vlan 50
ASA5510(config-subif)# security-level 50
ASA5510(config-subif)# nameif mail
ASA5510(config-subif)# ip address 172.16.17.9 255.255.255.248
ASA5510(config)# int ethernet 0/2.3
ASA5510(config-subif)# vlan 75
ASA5510(config-subif)# security-level 75
ASA5510(config-subif)# nameif DNS
ASA5510(config-subif)# ip address 172.16.17.17 255.255.255.248
After configuring the interface, you configure NAT rules and access control lists (ACLs) and apply these the same way that you do when using physical interfaces.
Routing Information Protocol
The security appliances have support for dynamic routing protocols. As you may know, Routing Information Protocol (RIP) is a distance-vector routing protocol that is supported by the majority of network devices. The ASA can support RIP Version 1 and Version 2. You can run RIP v1, v2, or both v1 and v2 on the same interface or on different interfaces at the same time. You can enable RIP from the command line with the router rip command. RIP can also be enabled from the Cisco Adaptive Security Device Manager (ASDM) from the following location: Configuration > Routing > RIP > Setup. From this screen, RIP can be enabled, interfaces can be set to passive if necessary, and network statements can be added. In this case, I have configured the outside interface.
As you should know, one of RIP v2's improvements over v1 is the support for authentication. Although authentication of routing protocols is a best practice that makes lots of sense to me, I have found that it is not used the majority of the time in production networks. If this is something that is under your control, invest the small amount of time required to secure your routing tables. You can configure authentication on a per-interface basis. To enable authentication of RIP, navigate to Configuration > Device Setup > Routing > RIP > Interface. On this screen, select an interface, and then click Edit.
Notice that you can control the version and authentication on a per-interface basis. You can also choose between MD5 and clear text authentication. Although many devices default to clear text, MD5 should be implemented when possible.
If there are routes being advertised to you that you want to ignore, or networks that you do not want advertised to other devices, you can control this using RIP filter rules. From the command line, or when using a router, this is referred to as a distribute list. Select the Filter Rules tab and then click the Add button.
Click the Add button again to add the network that you want to filter.
Finally, define the interface and direction to which this filter should be applied. In this example, I want to prevent the 192.168.1.0 network from being advertised through the outside interface.
Redistribution is used to pass information from one routing protocol, such as Open Shortest Path First (OSPF), into another routing protocol, such as RIP. The ASA can perform redistribution of routes between routing processes. This is not generally something that you want to do, but something that you might be required to implement because of a merger or to support legacy hardware. Redistribution can be configured from the Redistribution tab beneath the routing process. Just click the Add button, and then specify the criteria for the process that you want to redistribute into RIP. Notice that Static, Connected, EIGRP, and OSPF are supported.
Open Shortest Path First Protocol
OSPF, a link-state protocol, has been supported by the PIX since 6.3, and the ASA since Version 7. OSPF is an open standard, and therefore supported by many vendors. Although OSPF adapts to network changes more quickly than RIP, it also requires more resources.
OSPF highlights include the following:
- The ability to act as a designated router (DR), Area Border Router (ABR), and even an Autonomous System Boundary Router (ASBR)
- Support for two separate OSPF processes
- Support for both clear text and MD5 authentication
- Filtering of Type 3 link-state advertisements (LSAs)
- Support for OSPF virtual links
OSPF can be enabled from the command line with the router ospf process-id command. You can enable OSPF from ASDM via Configuration > Routing > OSPF > Setup. The first step is to enable OSPF and assign a process ID. Notice there are two processes available. You can configure separate routing processes for two different groups of interfaces, ensuring there is no leak of information from the topology tables of mission-critical networks to less-trusted networks.
Routers running an OSPF routing process perform summarization on ABRs. When administering the ASA, you can manipulate summarization manually by adding statements to the OSPF process. You can do this via the command-line interface (CLI) or ASDM. To configure using ASDM, navigate to Configuration > Device Setup > Routing > OSPF > Summary Address.
MD5 and clear text authentication are supported by OSPF, similar to what we saw in RIP. Authentication requires some configuration within the routing process and within the interface. Overall, it is easy to configure and will protect your network from possible man-in-the-middle attacks or denial-of-service (DoS) via route poisoning. To configure authentication, navigate to Configuration > Device Setup > Routing > OSPF > Interface. Under the Authentication tab, select the interface that you want to modify authentication properties for, and then click the Edit button.
If you are performing authentication of routing updates, I recommend using MD5 authentication. To enable this, first select the MD5 Authentication radio button. Under the MD5 IDs and Keys section, specify a key identifier and key, and then click Add.
Type 3 LSAs (summary LSAs sent by ABRs) exchanged between OSPF neighbors can be limited through the use of filtering. If you configure filtering from the CLI, you use a prefix list rather than a distribute list. ASDM simplifies configuration by simply calling it filtering, and you can configure it via Configuration > Device Setup > Routing > OSPF > Filtering.
One of the principal characteristics of OSPF is the hierarchy that is enforced regarding area 0, and that all inter-area traffic must pass through area 0. As you might recall, if you want to get from area 1 to area 2, traffic must pass from area 1 to 0 to 2, and then back from 2 to 0 to 1. Each area within an OSPF topology must be directly connected to area 0.
As there is an exception to every rule, virtual links enable us to connect to area 0 without a physical direct connection. We can build a logical link through another area into the backbone area. This is never something you would do from a design perspective, but something you could do in a pinch to make things work.
The ASA supports virtual links, and you can configure them from the CLI or GUI. CLI configuration is similar to that of a router. ASDM configuration is simpler and can be accomplished via Configuration > Device Setup > Routing > OSPF > Virtual Link.
Enhanced Interior Gateway Routing Protocol
Support for Enhanced Interior Gateway Routing Protocol (EIGRP) was added in Version 8.0 of the security appliance code; over the past several years, only RIP and OSPF were supported. Devices running EIGRP must be associated with an autonomous system. Other routers that you hope to form a neighborship with must be in the same autonomous system if you want to exchange routes. To configure EIGRP, you must define an autonomous system and the interfaces that will participate in the routing process. Configuration of EIGRP from the command line of the ASA is almost identical to that of a router. You can also configure EIGRP by using ASDM via Configuration > Device Setup > Routing > EIGRP > Setup. Under the Process Instances tab, check the box to enable EIGRP, followed by the autonomous system number for EIGRP. The EIGRP autonomous system actually goes in the Process field; this could be confusing.
Similar to RIP and OSPF, route filtering is supported.
Hello intervals, hold times, split horizon, and authentication can be configured on a per-interface basis. Keep in mind that adjacent EIGRP neighbors need to agree on these parameters.
Redistribution can also be configured by selecting the Redistribution link under the EIGRP process. Notice that static routes, directly connected routes, RIP, and OSPF can be redistributed into EIGRP.
You can verify the routes within the routing table from the CLI by using the show route command. Routes can be verified using ASDM by selecting the Monitoring tab, then the Routing panel, and then clicking the Routes link.
Redistribution
If multiple routing protocols are being used within a single environment, redistribution of reachability from one routing protocol to another might be required. This is not something that you would usually build in to your network on purpose, but is often the result of mergers and acquisitions. Redistribution is possible between all protocols, but the thing to remember is that the metrics do not match. Suppose, for instance, that you want to pass routing information from RIP to OSPF. Well, OSPF does not use hop count. Therefore, you must manually set a metric for what the cost of these routes should be. The same is true if you were to pass OSPF routes into RIP. RIP does not have a cost, so you must manually define the hop count for these external routes.
Reverse Route Injection
Reverse route injection (RRI) is used to advertise remote-access virtual private network (VPN) clients to devices on the internal network; this is usually not required unless you have multiple VPN gateways. Imagine a scenario in which you have several ASAs configured in a VPN cluster. This cluster is a grouping of ASAs that are working as a team to handle incoming remote VPN client connections. When you are using this load-balancing technique, incoming VPN connections are distributed to the security appliance with the lowest load, so different users are connecting to different gateways dynamically. If a user is disconnected and then reconnects, he is likely to be assigned to a different gateway. So in a nutshell, RRI is used to advertise remote users to internal network devices, and to notify the internal devices that this particular ASA is used to reach the client. After an IP address has been pushed to the client, that address is injected into the routing table of the ASA as a static route. The static route basically says, "If you want to get to the assigned address, go to this public address." These static routes are then advertised to internal hosts on the corporate LAN using EIGRP, RIP, or OSPF. RRI sends a host route (/32) update to the internal network, notifying internal devices that if they need to reach that particular remote host, this ASA is the next hop to get to it.
There is another operating mode called network RRI. This is used with the network extension mode of Easy VPN. When a remote network connects to the central network, the ASA can inject a network route (a /24, perhaps) for the remote office. This update notifies internal devices that the remote network is reachable and instructs them that to get there they must send traffic to this ASA.
Multicast

The ASA and Firewall Services Module (FWSM) are making their way further into our networks. Companies have begun moving firewalls from the perimeter of the network toward the center of the network. Instead of relying on Layer 3 switches and ACLs, we can now perform stateful packet inspection and application layer inspection of inter-VLAN traffic. Although this drastically enhances security, it also introduces new challenges. One of these challenges is forwarding multicast traffic. As you know, multicast is used by videoconferencing, telepresence, software distribution services, stock quotes, routing protocols, video games, and many other technologies. Beginning in software Version 6.2, the PIX firewalls could support multicast applications with Stub Multicast Routing (SMR). Currently, the ASA supports SMR, Internet Group Management Protocol (IGMP), and Protocol Independent Multicast (PIM). Although IGMP and PIM both handle the delivery of multicast traffic to recipients, they are slightly different. Routers use IGMP to discover hosts that want to subscribe to a multicast transmission by sending IGMP queries. A host may respond to an IGMP query by sending an IGMP report upstream. IGMP is traditionally used within the network, whereas PIM is a multicast routing protocol that provides reverse path forwarding information independent of the interior routing protocol. It is used mostly in the LAN, but can also provide multicast feeds to remote WAN sites. PIM uses unicast and multicast forwarding tables to pass multicast traffic from one network to another. IGMP is used within a network for clients and routers to communicate. PIM also uses a concept called a rendezvous point (RP), which acts as a central meeting place for multicast sources and multicast clients. If a server is to offer a multicast resource, it will register with an RP. Clients interested in multicast resources can also register with the RP to discover servers. The ASA can be configured to act as an RP.
Note: Configuration and troubleshooting of multicast is beyond the scope of this book.
Chapter 3 IPsec VPNs
Essential Terminology

Simply put, IPsec is a framework for providing reliable and secure communication between hosts. This additional protection is provided at the IP layer of the OSI model. IPsec is based on Internet Key Exchange (IKE), Authentication Header (AH), and Encapsulating Security Payload (ESP). These protocols work together to provide secure tunnels between a pair of hosts that are IPsec capable. The list of potential hosts includes but is not limited to firewalls, VPN concentrators, routers, cellular phones, PDAs, workstations, laptops, and servers. Let's examine each of these protocols individually.
Internet Key Exchange (IKE): Handles the negotiation of security associations (SAs). Communications occur using UDP port 500. Phase 1 is responsible for negotiating an ISAKMP (management) SA. Phase 2 is responsible for negotiating an IPsec (data) SA. Main mode or aggressive mode can be used during IKE phase 1. Main mode consists of six messages between the IPsec peers; aggressive mode uses only three messages. Quick mode is used during IKE phase 2.
Encapsulating Security Payload (ESP): ESP handles the encapsulation of confidential data at the network layer of the OSI model. ESP is IP protocol number 50 and should be allowed through perimeter security devices if site-to-site tunnels are to be used. ESP:
- Provides confidentiality.
- Provides integrity.
- Provides origin authentication.
- Provides antireplay.
Authentication Header (AH): Authentication Header also encapsulates at the network layer of the OSI model, but it does not provide confidentiality (encryption). AH can work alone or in conjunction with ESP. AH:
- Provides an integrity check of the packet that includes the immutable fields of the IP header (those that do not change in transit).
- Provides origin authentication.
- Provides antireplay.
Note: AH is not supported on Cisco security appliances beginning with software Version 7.0. AH was previously supported on the PIX platform in software Versions 6.3 and earlier.
Previously, we used the terms confidentiality, integrity, and authentication; each of these can be achieved through the use of appropriate protocols.

Confidentiality: Ensure that data is secure from eavesdropping. Symmetric encryption is used to secure the data. Commonly implemented through the use of Advanced Encryption Standard (AES), Triple Data Encryption Standard (3DES), and Data Encryption Standard (DES).

Integrity: Ensure that data has not been altered during transmission. Achieved through the use of a keyed hash algorithm. Commonly used algorithms include Message Digest 5 (MD5-HMAC) and Secure Hash Algorithm 1 (SHA-1-HMAC).

Authentication: Guarantee that the remote peer is authentic. Methods of authentication include digital certificates and pre-shared keys.

Encryption and hash algorithms vary in strength. Here is a refresher of these values:

- AES: Symmetric encryption algorithm with a key length of 128, 192, or 256 bits.
- 3DES: Symmetric encryption algorithm that was supposed to have an effective key strength of 168 bits (3 x 56), but many cryptanalysts argue that the strength is effectively 112 bits. The factors that determine the types of attacks used against 3DES are beyond the scope of this book.
- DES: Another symmetric encryption algorithm, which became a standard in July 1977. DES has a 56-bit key and is no longer considered cryptographically adequate protection for production data.
- RSA: Asymmetric encryption algorithm whose key length varies, but is often 512 to 2048 bits.
- MD5: 128-bit hash algorithm.
- SHA-1: 160-bit hash algorithm.
- Diffie-Hellman: Unauthenticated key exchange algorithm used to securely establish symmetric encryption keys over a nonsecure medium (such as the Internet).
The Life Cycle of a VPN Tunnel

The tunnels that are constructed between IPsec peers are not permanent. These tunnels are constructed dynamically between peers when deemed necessary. Let's examine the five stages of an IPsec tunnel:

1. Interesting traffic must be detected. Remember, we define interesting traffic in an ACL. In this case, the ACL is referred to as a crypto ACL. In reality, this ACL is no different from any other extended ACL on the security appliance, besides the fact that it is referenced (together with a transform set) by a crypto map, which goes on an interface.
2. When interesting traffic is detected, the two peers negotiate a management session through the successful negotiation of an ISAKMP SA. This is achieved through successful negotiation of policy sets during IKE phase 1.
3. After an ISAKMP SA has been successfully negotiated, the two peers begin IKE phase 2. IKE phase 2 uses the transform set to determine how end-user data should be protected. Upon successful negotiation of transform sets, the two peers establish two IPsec SAs (one for transmit, one for receive). Each SA is independently keyed. IKE phase 2 defines how the payload should be protected.
4. Data can now be transferred between the two peers.
5. Tunnel termination occurs if an idle timer is reached or one side disconnects from the other.
Symmetric Encryption

Symmetric encryption refers to encrypting and decrypting data using the same key on both peers. This type of encryption has been used for thousands of years and continues to be used today. Whenever you construct an IPsec or Secure Sockets Layer (SSL) virtual private network (VPN), you are using symmetric encryption to protect data as it crosses the network. Whenever you use SSH to administer a remote device, or HTTPS to read email or purchase items online, you are using symmetric encryption. Although symmetric encryption is very fast by comparison to asymmetric encryption, there is a catch: key distribution. How do you get the secret key that will be used to decrypt data to the other side?
Symmetric key comparison
Advantage: Very fast
Disadvantage: Key distribution (How do we transmit the secret key to the other side?)
Asymmetric Encryption Unlike symmetric encryption algorithms, asymmetric encryption algorithms use a different key for encryption than for decryption. In other words, a user knowing the encryption key of an asymmetric algorithm can encrypt messages, but cannot decrypt the message because he does not possess the decryption key. The encrypted message can be decrypted only by the other party. Each host that is communicating using asymmetric encryption needs to generate a key pair. One of these keys is referred to as a private key and the other as a public key. As you can tell from the names of these keys, one is meant for distribution, the other is to be kept secret. If Alice encrypts a message using her private key, the message can be decrypted by anyone who has a copy of Alice's public key. The encryption of the hash of a message using the private key is the basis of digital signatures and digital certificates. If Alice wants to encrypt a message to her associate Bob, they will first exchange public keys. Alice will encrypt the message using Bob's public key. Bob will decrypt the message using his private key, known only to him. Because of the large key sizes and the algorithm used, asymmetric encryption is very slow and rarely used for bulk data encryption. Asymmetric encryption is mainly used for peer authentication and message integrity.
Asymmetric key comparison
Advantage: Key distribution
Disadvantage: Very slow (estimated 1500 times more CPU intensive)
Diffie-Hellman

The Diffie-Hellman algorithm is used between IPsec devices during IKE phase 1 to build a secret key. After this secret key has been calculated, it is used to protect end-user data and management traffic between the IPsec peers. Now that you have that basic understanding, let's review the things you should know already about IPsec.
IPsec Components
- IKE policy set: Used for negotiation of an ISAKMP SA. Includes encryption algorithm, Diffie-Hellman group, hashing algorithm, SA lifetime, and authentication method.
- Transform set: Used for negotiation of an IPsec SA. A transform set includes parameters such as cipher, integrity algorithm, lifetime, and mode.
- Security association: The negotiated algorithms and parameters used to protect traffic are referred to as security associations.
- Crypto access control list: An extended ACL that identifies the traffic we want to encrypt, or not encrypt.
- Crypto map: Ties together other portions of our configuration (transform set and ACL) and maps this information to a remote peer.

So if we look over the preceding list, everyone should agree that during IKE phase 1 two IPsec-capable devices negotiate an ISAKMP SA. Within this SA, you will see a symmetric encryption algorithm, such as AES, 3DES, or DES. As you should know, symmetric encryption algorithms use the same key on each side to encrypt and decrypt data. So my question to you is this: How did it get there?
If ASA1 is encrypting data, using AES-128 for instance, we know that ASA2 must decrypt these messages using the same key. If we look over the configuration, do we see a key?

ASA1# show run
...omitted
tunnel-group 192.168.2.2 type ipsec-l2l
tunnel-group 192.168.2.2 ipsec-attributes
 pre-shared-key omitted
...

Above is the only key that we see for our peer ASA2, and some people would think that this must be the key used for AES encryption, but it is not. The key shown here is used for authentication during IKE phase 1. In the policy set, you define an authentication method: pre-shared keys or digital certificates. If a pre-shared key is used, it is set up on each ASA before the first tunnel can be established. We now have two questions to answer. What is Diffie-Hellman used for, and how do we get a key on ASA1 and ASA2 so that AES can be used to carry end-user data from site 1 to site 2? Some of you may have just figured it out. Simply put, Diffie-Hellman is an asymmetric means to symmetric encryption. ASA1 and ASA2 want to pass encrypted data between one another, and because asymmetric encryption requires excessive overhead they need to use a symmetric encryption algorithm to perform payload protection. Diffie-Hellman makes this possible by calculating a "shared key" across a nonsecure medium such as the Internet.
IKE Phase 1
Each ASA generates two values, a public value and a private value, and transmits the public value it calculated to its peer. Each ASA then runs its own private value and the peer's public value through the algorithm, which results in the same shared secret on each side of the connection. The shared secret is then used to generate several encryption keys, one of which is used to protect the phase 1 SA. The use of the other keys is beyond the scope of this book. IKE phase 1 and phase 2 each have a lifetime. The phase 1 lifetime is configured in the ISAKMP policy, and the phase 2 lifetime is configured in the transform set. If Perfect Forward Secrecy (PFS) is configured in the crypto map, Diffie-Hellman is run again at the end of the phase 2 lifetime. PFS ensures that the new keys are not derived from the old keys.
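The exchange just described, carried one step further, as an added example that is not from the book: two peers run Diffie-Hellman over the real 1024-bit IKE group 2 of RFC 2409 and then derive SKEYID, SKEYID_d, SKEYID_a and SKEYID_e exactly as RFC 2409 section 5 specifies for pre-shared-key authentication. The peer names, nonces, ISAKMP cookies and the pre-shared key are constructed values; the derivation shows that the pre-shared key is only an authentication input and never becomes the key that protects the data.

```python
# Added example (not from the book): IKE phase 1 Diffie-Hellman between two
# peers over the real 1024-bit MODP group 2 of RFC 2409, followed by the
# RFC 2409 section 5 key derivation for pre-shared-key authentication.
# Peer names, nonces, cookies and the PSK are constructed values.
import hashlib
import hmac
import secrets

# RFC 2409 section 6.2, "Second Oakley Group" (IKE group 2), generator 2.
GROUP2_PRIME = int(
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD1"
    "29024E088A67CC74020BBEA63B139B22514A08798E3404DD"
    "EF9519B3CD3A431B302B0A6DF25F14374FE1356D6D51C245"
    "E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
    "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE65381"
    "FFFFFFFFFFFFFFFF", 16)
GROUP2_GENERATOR = 2


def is_probable_prime(n: int, rounds: int = 8) -> bool:
    """Miller-Rabin test, used here to sanity-check the group constant."""
    if n < 4:
        return n in (2, 3)
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        a = secrets.randbelow(n - 3) + 2
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


class DhPeer:
    """One IPsec peer's half of the exchange: a private value x and public g^x."""

    def __init__(self, p: int = GROUP2_PRIME, g: int = GROUP2_GENERATOR):
        self.p, self.g = p, g
        self.private = secrets.randbelow(p - 2) + 1   # never leaves the device
        self.public = pow(g, self.private, p)         # sent to the peer in the KE payload

    def shared_secret(self, peer_public: int) -> bytes:
        """g^xy: the peer's public value raised to our own private value."""
        if not 1 < peer_public < self.p - 1:
            raise ValueError("peer public value out of range")  # reject degenerate values
        secret = pow(peer_public, self.private, self.p)
        return secret.to_bytes((self.p.bit_length() + 7) // 8, "big")


def prf(key: bytes, data: bytes) -> bytes:
    """IKE's prf is HMAC with the negotiated hash; SHA-1 matches 'hash sha'."""
    return hmac.new(key, data, hashlib.sha1).digest()


def derive_phase1_keys(psk, ni, nr, g_xy, cky_i, cky_r):
    """RFC 2409 section 5: SKEYID for pre-shared keys, then SKEYID_d/_a/_e.

    SKEYID_e and SKEYID_a protect the phase 1 SA itself; SKEYID_d seeds the
    phase 2 IPsec SA keys. The PSK enters only through SKEYID: it is an
    authentication input, not the symmetric key that protects user data.
    """
    skeyid = prf(psk, ni + nr)
    skeyid_d = prf(skeyid, g_xy + cky_i + cky_r + b"\x00")
    skeyid_a = prf(skeyid, skeyid_d + g_xy + cky_i + cky_r + b"\x01")
    skeyid_e = prf(skeyid, skeyid_a + g_xy + cky_i + cky_r + b"\x02")
    return {"SKEYID": skeyid, "SKEYID_d": skeyid_d,
            "SKEYID_a": skeyid_a, "SKEYID_e": skeyid_e}


def run_exchange(psk: bytes):
    """Both sides of the exchange; returns each peer's derived key set."""
    asa1, asa2 = DhPeer(), DhPeer()
    # Constructed nonces and ISAKMP cookies (random per SA in a real exchange).
    ni, nr = secrets.token_bytes(16), secrets.token_bytes(16)
    cky_i, cky_r = secrets.token_bytes(8), secrets.token_bytes(8)
    # Each side computes g^xy from its own private value and the peer's public one.
    keys1 = derive_phase1_keys(psk, ni, nr, asa1.shared_secret(asa2.public), cky_i, cky_r)
    keys2 = derive_phase1_keys(psk, ni, nr, asa2.shared_secret(asa1.public), cky_i, cky_r)
    return keys1, keys2


if __name__ == "__main__":
    k1, k2 = run_exchange(b"omitted")
    print("SKEYID_e identical on both peers:", k1["SKEYID_e"] == k2["SKEYID_e"])
```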
Security Associations

A security association (SA) is a collection of parameters that specify how data is to be protected when communicating with a peer. An ISAKMP SA defines how to protect the IPsec policy negotiation from one ASA to another ASA. An IPsec SA defines how user traffic from one host to another host should be protected. ISAKMP SAs are bidirectional, whereas IPsec SAs are unidirectional. Therefore, each site-to-site connection will have one ISAKMP SA and two IPsec data SAs, one for inbound traffic and another for outbound traffic.
Note: Although it is not technically correct, Cisco documentation consistently uses ISAKMP and IKE phase 1 to mean the same thing. Likewise, IPsec is used interchangeably with IKE phase 2.
Security Association Components
- Destination IP address: Your IPsec peer.
- Security Parameter Index (SPI): A unique 32-bit number that is used to associate an SA with an encrypted packet. Within the ESP header, there is a field for the SPI that is used to map that encrypted data to an SA. The parameters found in the SADB are used to select the key to encrypt or decrypt the payload of the packet.
- Protocol: ESP or AH. AH is no longer supported on Cisco security appliances as of OS 7.0.
- Encryption algorithm: Defines how the data is protected: AES, 3DES, DES.
- Authentication algorithm: A keyed hash, or HMAC (Hashed Message Authentication Code): MD5-HMAC, SHA1-HMAC.
- Mode: The mode IPsec is working in: tunnel or transport.
- Lifetime: The number of seconds or kilobytes that a key should be used; when this lifetime is exceeded, a new key is created.
Note: You can view the SA after an IPsec tunnel has been established by using the show crypto ipsec sa command. You will notice the SPI values. If you inspect the traffic flow and analyze the ESP header, you will notice the same SPI values from the SAs, but this time they are found in the ESP header.
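The SPI-to-SA mapping the note describes, together with the antireplay service ESP provides, as an added example that is not from the book: the code reads the SPI and sequence number from the ESP header of constructed inbound packets, looks the SPI up in a small SADB of inbound SAs, and applies the RFC 4303 sliding anti-replay window. The SPI values, the peer address and the transform string are constructed sample values, not captured ones.

```python
# Added example (not from the book): parsing the ESP header of an inbound
# packet, mapping its SPI to an inbound IPsec SA (as 'show crypto ipsec sa'
# would list it) and applying the RFC 4303 anti-replay sliding window.
# Packets, SPI values and the SA entry below are constructed, not captured.
import struct
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple

ESP_PROTOCOL = 50      # IP protocol number carried in the outer IP header
WINDOW_SIZE = 64       # RFC 4303 minimum window; appliances may use larger ones


@dataclass
class InboundSa:
    spi: int
    peer: str
    transform: str
    highest_seq: int = 0                            # right edge of the window
    seen: Set[int] = field(default_factory=set)     # sequence numbers inside the window

    def check_replay(self, seq: int) -> bool:
        """Accept seq if it is new and inside the window; slide the window forward."""
        if seq == 0:
            return False                            # sequence number 0 is never valid
        if seq > self.highest_seq:                  # new high-water mark: advance the window
            self.highest_seq = seq
            self.seen.add(seq)
            self.seen = {s for s in self.seen if s > seq - WINDOW_SIZE}
            return True
        if seq <= self.highest_seq - WINDOW_SIZE or seq in self.seen:
            return False                            # too old, or already received (replay)
        self.seen.add(seq)
        return True


def parse_esp_header(payload: bytes) -> Tuple[int, int]:
    """ESP begins with a 32-bit SPI and a 32-bit sequence number (RFC 4303 s.2)."""
    if len(payload) < 8:
        raise ValueError("truncated ESP header")
    return struct.unpack("!II", payload[:8])


def process_inbound(sadb: Dict[int, InboundSa], payload: bytes) -> str:
    """Classify one inbound ESP payload against the SADB."""
    spi, seq = parse_esp_header(payload)
    sa = sadb.get(spi)
    if sa is None:
        return "drop: no SA for SPI 0x%08x" % spi
    if not sa.check_replay(seq):
        return "drop: replay or stale seq %d on SPI 0x%08x" % (seq, spi)
    return "accept: seq %d decrypted with %s (peer %s)" % (seq, sa.transform, sa.peer)


def build_esp(spi: int, seq: int, body: bytes = b"\x00" * 16) -> bytes:
    """Constructed ESP payload: header plus an opaque stand-in for the encrypted body."""
    return struct.pack("!II", spi, seq) + body


def demo_results() -> List[str]:
    # Constructed inbound SA, as it would appear under 'show crypto ipsec sa'.
    sadb = {0x2B4E1A77: InboundSa(0x2B4E1A77, "192.168.2.2", "esp-aes-256 esp-md5-hmac")}
    packets = [
        build_esp(0x2B4E1A77, 1),
        build_esp(0x2B4E1A77, 2),
        build_esp(0x2B4E1A77, 2),        # replayed copy of seq 2
        build_esp(0x2B4E1A77, 70),       # jump forward: window now covers 7..70
        build_esp(0x2B4E1A77, 3),        # fell outside the window
        build_esp(0xDEADBEEF, 1),        # SPI that matches no SA
    ]
    return [process_inbound(sadb, p) for p in packets]


if __name__ == "__main__":
    for line in demo_results():
        print(line)
```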
Digital Certificates

When choosing a method of authentication, your options are pre-shared keys and digital certificates. A pre-shared key is simply a password or key that matches on both sides of the tunnel. If the foreign IP knows the password, it is safe to assume that we are communicating with a legitimate host. Although pre-shared keys are commonly implemented, they are not the most secure method of authentication available. The most secure method of authentication is RSA signatures, also known as digital certificates. Not only are digital certificates more secure, but they are also much more scalable than pre-shared keys. If you were to configure a network that allowed office-to-office communication and there were currently 12 offices, you would need a pre-shared key for each connection. Based on the well-known formula to calculate the number of connections in a full mesh, n(n-1)/2, you would need 66 pre-shared keys. Each time you add an office, this number grows exponentially. With 12 sites, you need to configure 66 pre-shared key entries on each peer SA. If you add 8 more sites, the number of entries jumps to 190 on each peer. Clearly, this is not a workable solution for large meshes. Many companies solve this full-mesh issue by using the same key for all sites (a wildcard pre-shared key), but this is a security risk. If the pre-shared key is compromised on one peer, it is compromised for all peers. If you use digital certificates in place of pre-shared keys, each device must enroll with the CA server. After a device has been added to your domain, it can then authenticate to other devices, and now your network has become much more easily scalable.
So what exactly is a digital certificate? Earlier we learned the differences between public keys and private keys, and we know that a private key is kept secret whereas a public key can be distributed. The question is this: How exactly do we distribute the public key? If you look at a public key, it is not very pretty:

show crypto key mypubkey rsa
% Key pair was generated at: 20:21:23 UTC Sep 7 2008
Key name: TP-self-signed-312742119
Usage: General Purpose Key
Key is not exportable.
Key Data:
  [several lines of hexadecimal key data]
% Key pair was generated at: 02:58:38 UTC Dec 1 2008
Key name: TP-self-signed-312742119.server
Usage: Encryption Key
Key is not exportable.
Key Data:
  [several lines of hexadecimal key data]
As you can see here, an RSA public key looks to be a large block of hexadecimal characters, which leaves us with many questions: How is this key to be distributed? How will someone know that this strange block of hex belongs to me? How can someone else tell whether my private key has been compromised? The answer to all these questions lies in the X.509v3 standard. X.509v3 defines standard formats for digital certificates and for many other components of the Public Key Infrastructure (PKI). Although a public key on its own is not very impressive to look at, after it has been formatted according to the X.509v3 specification as a digital certificate everything seems much more logical. This formatting enables us to define the following parameters and associate them with our key pair.
Digital Certificate Parameters
- Version
- Serial number
- Algorithm ID
- Issuer
- Validity
  - Not before
  - Not after
- Subject
- Subject public key info
  - Public key algorithm
  - Subject public key
- Issuer unique identifier (optional)
- Subject unique identifier (optional)
- Extensions (optional)
- Certificate signature algorithm
- Certificate signature

To obtain a digital certificate, one must be requested from a certificate authority (CA). This is referred to as certificate enrollment. You log in to a device and generate an RSA key pair. The public key is then bundled into a certificate signing request (CSR) along with the information that you want to associate with the key (as discussed earlier). The protocol used by Cisco security appliances for the enrollment of a digital certificate is called Simple Certificate Enrollment Protocol (SCEP). After the enrollment request has been sent to the CA server, the administrator verifies the information and, if accurate, approves the creation of a digital certificate. This final product includes the public key generated by your device, the information you entered during enrollment (FQDN, OU, O, and so on), and the signature of the CA. This signature is similar to the holographic seal on your driver's license, which guarantees the authenticity of the digital certificate. After digital certificates have been installed on network devices within your organization, they can then be used as a means of authentication of one device to another. This authentication type is referred to as rsa-sig within the configuration of the ASA.
IPsec Step by Step

Interesting Traffic

The first step of IPsec is interesting traffic; that is, some traffic must enter the security appliance that requires encryption. This traffic is identified with an extended access control list (ACL); this is sometimes referred to as a crypto ACL. The local network would be the source in this ACL, and the remote address space would be the destination. This ACL will later be applied to a crypto map, and that crypto map will be applied to an interface, generally the outside interface.
The first step of an IPsec tunnel is that a packet matches the crypto ACL. Therefore, this is a good place to begin troubleshooting IPsec. Make sure that this ACL has matches by using the show access-list command to inspect the hit count.
IKE Phase 1

When the security appliance detects interesting traffic, it begins negotiation with the remote peer using UDP port 500 for ISAKMP phase 1 negotiations. These negotiations determine which policies or methods will be used to protect management traffic between the two IPsec VPN peers. The collection of policies used to secure the ISAKMP SA is called a policy set. A policy set includes the following parameters:
- Encryption (DES, 3DES, AES)
- Hash algorithm (MD5, SHA-1)
- Diffie-Hellman group (1, 2, 5, 7)
- Authentication (pre-shared, RSA-sig)
- Lifetime (seconds)

Although it is possible to have many policy sets, only one is required to construct an ISAKMP SA. If there are multiple sites with different security requirements, you must then create different policy sets. Each policy set has a sequence number, and the lower sequence number has the higher priority. Therefore, it is essential that your most secure policies have the lowest sequence numbers. For example:

ASA5505# show run crypto isakmp
crypto isakmp enable outside
crypto isakmp policy 5
 authentication pre-share
 encryption aes-256
 hash sha
 group 5
 lifetime 86400
crypto isakmp policy 10
 authentication pre-share
 encryption aes
 hash sha
 group 5
 lifetime 86400
crypto isakmp policy 20
 authentication pre-share
 encryption 3des
 hash md5
 group 2
 lifetime 86400
Based on the policy sets listed here, if this device were to initiate an IPsec tunnel with another device it would first offer policy 5 to the remote side, and if there is a match encrypt data using AES-256. If policy 5 is rejected by the remote peer, this device will then attempt to connect with policy 10, and then policy 20, until there is a match. There are two modes of negotiation for IKE phase 1: aggressive mode and main mode. Aggressive mode is used when pre-shared keys are used as a form of authentication, and main mode is used for negotiation if digital certificates are being used for authentication. The type of authentication to be used is defined in the policy set, as shown previously.
In summary, IKE phase 1 is the process of negotiating policy, key exchange, and peer authentication. This negotiation results in the formation of an ISAKMP security association (ISAKMP SA).
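The priority rule and the negotiation it drives, as an added example that is not from the book: the code parses show run crypto isakmp output like the listing above into policy sets and lets the responding peer pick the first of its own policies (lowest sequence number first) that matches any proposal the initiator offered, using the shorter of the two lifetimes where they differ. The remote peer's configuration is constructed, and the matching rule follows Cisco's documented behaviour that the responder's ordering decides which policy wins, which is why the most secure policy needs the lowest number on both peers.

```python
# Added example (not from the book): parse 'show run crypto isakmp' output
# into policy sets and simulate IKE phase 1 policy selection. The responder
# walks its own policies from the lowest sequence number (highest priority)
# and compares each against every proposal the initiator offered.
# Both configurations below are constructed samples.
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Attributes that must match exactly; lifetime is reconciled separately
# (simplified here to the shorter of the two values).
MATCH_ATTRS = ("authentication", "encryption", "hash", "group")


@dataclass(order=True)
class IsakmpPolicy:
    priority: int                                    # the sequence number: lower wins
    attrs: Dict[str, str] = field(default_factory=dict, compare=False)

    def lifetime(self) -> int:
        return int(self.attrs.get("lifetime", "86400"))   # ASA default when not set


def parse_isakmp_policies(config: str) -> List[IsakmpPolicy]:
    """Turn 'crypto isakmp policy N' stanzas into a priority-ordered list."""
    policies: List[IsakmpPolicy] = []
    current: Optional[IsakmpPolicy] = None
    for raw in config.splitlines():
        line = raw.strip()
        m = re.match(r"crypto isakmp policy (\d+)$", line)
        if m:
            current = IsakmpPolicy(int(m.group(1)))
            policies.append(current)
            continue
        if current is None or not line or line.startswith("crypto isakmp"):
            continue                                  # skip global lines such as 'enable outside'
        key, _, value = line.partition(" ")
        current.attrs[key] = value.strip()
    return sorted(policies)


def negotiate(initiator: List[IsakmpPolicy],
              responder: List[IsakmpPolicy]) -> Optional[Tuple[int, Dict[str, str]]]:
    """Return (responder policy number, agreed attributes), or None if phase 1 fails."""
    for local in sorted(responder):                  # responder's priority order decides
        for offered in initiator:                    # initiator sends all its policies
            if all(local.attrs.get(a) == offered.attrs.get(a) for a in MATCH_ATTRS):
                agreed = dict(local.attrs)
                agreed["lifetime"] = str(min(local.lifetime(), offered.lifetime()))
                return local.priority, agreed
    return None


# Constructed sample: the three policies shown for ASA5505 above ...
ASA5505_CONFIG = """
crypto isakmp enable outside
crypto isakmp policy 5
 authentication pre-share
 encryption aes-256
 hash sha
 group 5
 lifetime 86400
crypto isakmp policy 10
 authentication pre-share
 encryption aes
 hash sha
 group 5
 lifetime 86400
crypto isakmp policy 20
 authentication pre-share
 encryption 3des
 hash md5
 group 2
 lifetime 86400
"""
# ... and a hypothetical remote peer that lists 3DES before AES.
REMOTE_CONFIG = """
crypto isakmp policy 1
 authentication pre-share
 encryption 3des
 hash md5
 group 2
 lifetime 28800
crypto isakmp policy 2
 authentication pre-share
 encryption aes
 hash sha
 group 5
 lifetime 28800
"""


def demo():
    """ASA5505 initiates: the remote peer's ordering picks 3DES, even though
    the initiator ranked AES-128 (policy 10) above 3DES (policy 20)."""
    local = parse_isakmp_policies(ASA5505_CONFIG)
    remote = parse_isakmp_policies(REMOTE_CONFIG)
    return negotiate(local, remote)


if __name__ == "__main__":
    print(demo())
```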
IKE Phase 2

Upon completion of IKE phase 1, the security appliance commences IKE phase 2 (called quick mode), which secures the end-user data as it passes through a nonsecure network such as the Internet. In this step, a transform set defines the parameters used to form an IPsec SA. The protocol used to protect the end-user data will always be ESP.
Transform Set

Use the following command to view the values of the transform set named ESP-AES-256-MD5 and the phase 2 SA lifetime:

ASA5505# show running-config crypto ipsec
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec security-association lifetime seconds 28800
After IPsec SAs have been created based on matching phase 2 policies, tunnels are established and end-user data can pass. An IPsec SA contains the following:
- Destination IP address (remote peer)
- Security Parameter Index (random value used to identify relevant packets)
- Protocol (ESP)
- Encryption algorithm (DES, 3DES, AES)
- Mode (tunnel or transport)
- Key lifetime (how often keys should be changed)
After IKE phase 2 negotiations have completed successfully, the end users can transmit data across the tunnel. The tunnel remains active as long as interesting traffic is passing through it. If a specific period of time has passed and no interesting traffic has been detected, the SAs are removed and the tunnel is torn down.
Configuring an IPsec Tunnel Using ASDM

IPsec site-to-site configuration has been simplified within Cisco Adaptive Security Device Manager (ASDM) with the IPsec VPN Wizard. Although configuration is possible from the command line, the graphical user interface (GUI) offers an extremely fast, effortless wizard that reduces misconfigurations by streamlining most of the configuration parameters. To use the IPsec VPN Wizard, just select the appropriate option from the Wizard toolbar within ASDM.

Select the type of tunnel that you want to create: Site-to-Site or Remote Access.

[Figure: IPsec VPN Wizard, VPN tunnel type page. Callouts: "Remote Access must be used if the ..." and "This is appropriate for small offices".]
After launching the wizard, specify the IP address of the IPsec peer and the authentication credentials.

Define parameters for your IKE policy set. Remember, these are the parameters that will be used during IKE phase 1 to negotiate an ISAKMP SA. These are the algorithms used to encrypt the management traffic (our ASA communicating with the remote-side ASA about the IPsec tunnel).
Next we define parameters for the transform set; here it is called IPsec Rule. These are the parameters that define how end-user data will be protected as it crosses the Internet, or unprotected network. Next we define the traffic that is to be protected. If this step were being configured from the CLI, we would write an extended ACL to define the traffic to be protected. In this case, we just define the local network and the remote private network (that is, the network address space behind the public IP address defined earlier). You will notice at the bottom there is also an option to make this traffic flow exempt from Network Address Translation (NAT) rules.
Finally, we are done. You see a list of the attributes that you have defined in the preceding steps. If all the information is correct, accept these changes by clicking the Finish button.
Load Balancing

It is possible to pair two or more Cisco security appliances into a single logical unit for the purpose of load distribution. This logical grouping is referred to as a cluster. Although it is recommended to build this cluster from similar devices (ASAs, for instance), it is possible to mix ASAs, VPN concentrators, and PIX firewalls. Remember, however, that the PIX firewall does not support WebVPN.
When you create the cluster, a single IP address is assigned to the group as a whole. This IP address should be a globally routable IP address from the same subnet as the security appliances that are participating in the group.

[Figure: a VPN cluster of four ASAs behind the virtual IP address 5.5.5.5.]

As you can see from the diagram, we have four ASAs that are part of the cluster. When a connection is made to the cluster IP address (5.5.5.5), that request is handled by the master of the cluster (in this case, ASA1). You can control which of the ASAs becomes the master by manipulating the priority. The priority is a numeric value between 1 and 10. Similar to routing protocol elections, the higher number means greater preference. Therefore, setting the priority to 10 on ASA1 establishes that this should be the master. When clients connect from the outside, their VPN client will be configured to connect to the virtual IP address (5.5.5.5). However, when a client initiates a connection to this address, a redirect occurs, passing the client to the security appliance with the lightest load.
Load is calculated by a weighted ratio of the number of active connections on an appliance to the total number of active connections in the cluster. This information is then sent from the secondary appliance, or slave, to the master. These load messages can be encrypted and are sent using UDP 9023. When remote users or offices establish IPsec connections to the virtual IP, they are then redirected to the concentrator with the lightest load. All current IPsec and AnyConnect clients support this redirect. IPsec site-to-site tunnels should be built using the physical interface IP addresses of the concentrators; their connections still count toward the load and play a factor in load balancing. The difference is that site-to-site tunnels will not experience the redirect at the beginning of the session.
Note: Configuration of load balancing can be performed using the CLI or GUI. GUI configuration supports a wizard called the High Availability and Scalability Wizard.
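The election and redirect just described, modeled as a short Python script. This is an added example, not code from this book or from Cisco; the appliance names, addresses, and session counts are constructed, and the tie-break between equal priorities or equal loads is an assumption of the model, not documented cluster behaviour.

```python
"""Model of a Cisco VPN load-balancing cluster: master election by priority,
load ratios reported to the master, and redirection of remote-access clients
to the least-loaded member. Added example with constructed values; it is not
Cisco's implementation."""
from dataclasses import dataclass

CLUSTER_VIP = "5.5.5.5"   # virtual cluster address used in the text


@dataclass
class Appliance:
    name: str
    physical_ip: str          # constructed; assumed to be on the same subnet as the VIP
    priority: int             # 1-10, higher is preferred in the master election
    remote_access: int = 0    # active IPsec / AnyConnect remote-access sessions
    site_to_site: int = 0     # active site-to-site tunnels

    @property
    def connections(self) -> int:
        return self.remote_access + self.site_to_site


def elect_master(members):
    """Highest priority wins. Breaking ties on the member name is an assumption
    of this model, not documented cluster behaviour."""
    return min(members, key=lambda m: (-m.priority, m.name))


def load_share(member, members) -> float:
    """The load ratio a member reports to the master (over UDP 9023): its active
    connections divided by the cluster-wide total. Site-to-site tunnels count."""
    total = sum(m.connections for m in members)
    return member.connections / total if total else 0.0


def connect_remote_access(members, destination_ip):
    """A remote-access client configured with the VIP reaches the master, which
    redirects it to the member with the lightest load."""
    if destination_ip != CLUSTER_VIP:
        raise ValueError("remote-access clients must be configured with the cluster VIP")
    master = elect_master(members)
    target = min(members, key=lambda m: (load_share(m, members), m.name))
    target.remote_access += 1
    return {"master": master.name, "member": target.name, "redirected": True}


def build_site_to_site(members, peer_ip):
    """Site-to-site tunnels terminate on a physical interface address: there is
    no redirect, but the tunnel still counts toward that appliance's load."""
    for m in members:
        if m.physical_ip == peer_ip:
            m.site_to_site += 1
            return {"member": m.name, "redirected": False}
    raise ValueError(f"no cluster member owns {peer_ip}")


def sample_cluster():
    """Constructed four-member cluster resembling the diagram in the text."""
    return [
        Appliance("ASA1", "5.5.5.1", priority=10, remote_access=40),
        Appliance("ASA2", "5.5.5.2", priority=5, remote_access=10),
        Appliance("ASA3", "5.5.5.3", priority=5, remote_access=25),
        Appliance("ASA4", "5.5.5.4", priority=5, remote_access=10),
    ]


if __name__ == "__main__":
    cluster = sample_cluster()
    print("master:", elect_master(cluster).name)
    for _ in range(3):
        print("client ->", connect_remote_access(cluster, CLUSTER_VIP))
    print("site-to-site ->", build_site_to_site(cluster, "5.5.5.3"))
    for m in cluster:
        print(f"{m.name}: {m.connections} connections, load {load_share(m, cluster):.2f}")
```

Running the script shows the master (ASA1, priority 10) handing the first client to ASA2 and the second to ASA4, while the site-to-site tunnel built to ASA3's physical address is counted in ASA3's load without any redirect.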
CHAPTER 4
WebVPN and Endpoint Security

Serving as an alternative to traditional IPsec VPN clients, Cisco now offers WebVPN (also known as SSL VPN) solutions to customers. A WebVPN can make use of the client's web browser alone, or download the AnyConnect client (replacing the SSL VPN client) to build a secure connection to company resources. One of the biggest advantages of WebVPN is that the user does not require a software client to build the secure connection. The user can connect using a web browser, and then after successful authentication gain access to certain corporate resources, or possibly download the AnyConnect WebVPN client, which will allow a greater level of access than the browser alone.
WebVPN functionality is provided by the ASA 5500 security appliances. WebVPN is not supported by the PIX 500 series firewalls because of the lack of a Secure Sockets Layer (SSL) crypto processor.
Similar to the function of an IPsec virtual private network (VPN) gateway, an SSL VPN gateway terminates the encrypted session and forwards data into the network in its standard format. For instance, if a user were to initiate a Telnet session through an SSL tunnel, the Telnet traffic would be encrypted between the user and the ASA, and then sent "in the clear" to the corporate LAN. If security within the corporate network is a concern, secure protocols such as Secure Copy (SCP), Secure Shell (SSH), and HTTPS should be used for remote administration. WebVPN can be implemented with three different client configurations: clientless, thin client, and the AnyConnect VPN client.
The intended application for clientless or thin client SSL VPN is as follows:
- Corporate user at a public kiosk (such as a business center in a hotel)
- Residential workstation
- Partner
- Corporate desktop, if applications are limited
- Appropriate for users when a simplified portal is preferred to full access
- Users who require remote connectivity occasionally
The intended application for AnyConnect SSL VPN is as follows:
- Network engineers
- Mobile employees who require LAN-like access
- VoIP users
- Company-managed workstations and laptops
- Users with diverse application requirements
- Users who frequently require secure remote access to the corporate LAN
SSL provides a secure means for communication between client and server. A digital certificate is used for server and client authentication. The exchange of the session key is protected by RSA keys. The session key is based on a symmetric cipher such as DES, RC4, 3DES, or AES.
Clientless SSL VPN
The simplest implementation of WebVPN is clientless SSL VPN. In this scenario, a remote user connects to the ASA using only a web browser, and upon successful authentication, is granted access to a web portal. This portal can be configured on a per-group or per-user basis, to include hyperlinks to internal resources using the Common Internet File System (CIFS) or HTTP. Users can also be granted access to a URL Entry field, allowing users to define their own URLs for internal resources.
This is a nice simple solution for certain roles within your organization, such as sales and marketing personnel who require access to only a particular file share or internal website. Clientless SSL is supported on the following:
Browsers: Firefox, Internet Explorer, Netscape, Safari
Operating systems: Apple OS X, Microsoft Windows
Thin Client
The thin client remote-access method refers to the use of a tiny applet (typically less than 100 KB) being pushed to the client after authentication. This applet will be ActiveX or Java based and will require permission to run within the browser. Once launched successfully, the thin client allows for port forwarding of applications through the SSL connection. This allows access to internal devices using Telnet and SSH; access to mail servers using IMAP, POP3, and SMTP; and other nonweb applications.
When configuring the thin client, the firewall administrator must define the port that will be used on the client side (TCP port 2323, for example) and the internal resource that this will be forwarded to. When the client establishes an SSL VPN connection, he can then connect to that port to access corporate resources. This is referred to as port forwarding.
Example: telnet 127.0.0.1 2323
This Telnet connection will then be forwarded through SSL to the ASA, where the SSL encapsulation is removed and the unencrypted Telnet traffic is forwarded to the server that was mapped by the firewall administrator.
One restriction of using the thin client is that it requires administrative privileges to install the client.
Smart Tunnels
Smart tunnels can be thought of as the evolution of the thin client, because they allow similar access without the need for a local port on the client's machine, thus removing the requirement for administrative access. This feature was introduced in Version 8.0(2) of the ASA operating system. The only operating systems that currently support this are Windows 2000, XP, and Vista. Similar to the thin client, smart tunnel connections also require access to Java or ActiveX.
AnyConnect
The AnyConnect client was introduced in the 8.0 version of the ASA operating system to replace the SSL VPN client (SVC). AnyConnect provides transparent network access, similar to what is provided by the Cisco IPsec VPN client.
Unlike the IPsec client, however, it can be installed dynamically after a user establishes an SSL VPN connection to the ASA.
Note: Installation of the AnyConnect client requires administrative privileges on the local machine.
SSL VPN Client                        AnyConnect
Version 7.x                           Version 8.x
Supports Windows 2000 and XP          Supports Windows, OS X, and Linux
Lacks DTLS support                    Supports DTLS for latency-sensitive applications
400 KB download                       2.3 MB download
                                      Support for 64-bit operating systems
                                      IPv6 access over IPv4 networks
                                      Standalone installation
Upon successful connection of a traditional WebVPN connection, the user may be presented with a link within the portal to download and install the AnyConnect client.
If you click the hyperlink, the Cisco AnyConnect SSL VPN client will be installed on the user's workstation.
Once installed, the Cisco AnyConnect VPN client can be launched from the Start menu.
Launching the Cisco AnyConnect VPN client brings you to the interface found here. Just insert the IP address or hostname of the ASA and then click Select.
Finally, add your username and password and click Connect.
Once connected, the user receives a welcome banner.
Basic information about the connection can be verified. Notice the IP address that has been assigned, bytes sent, bytes received, and time connected.
If you select Details, you can view additional information, including protocol, cipher, compression, and more.
One neat detail that you can find that is similar to the Cisco IPsec VPN client is the additional virtual adapter that is installed. When an IP address is assigned from the server side, you can see that this IP is associated with the virtual interface by using ipconfig from the command prompt.
Cisco Secure Desktop
Cisco Secure Desktop (CSD) enables you to secure an endpoint before allowing it to join your network, protect data that is in use during the session, and then clean up after the session is complete. These actions are actually classified as three unique stages:
Prelogin assessment: Check OS. Check antivirus. Check firewall. Check antispyware. Scan for filenames. Scan for processes. Scan for registry entries.
Secure session: A sandbox is used to protect the session from malware infection.
Post-session cleanup: Removal of cookies and downloaded files. A Department of Defense sanitation algorithm is used to wipe any files left by the session (1 to 27 passes).
Note: Installation of the CSD client requires administrative privileges on the local machine.
The use of CSD is an excellent precautionary measure if you are considering allowing users to connect from workstations that are not owned and controlled by your organization. When a user establishes a clientless SSL or AnyConnect VPN connection, the CSD can be pushed down. Before the connection is finalized and the user is allowed into the network, CSD scans the host to make sure that it is free of malware, and checks various parameters of the operating system. The results of this scan can then be compared against a profile stored on the ASA, and then access can be granted based on these results. The process of comparing client-generated results to a server-side (ASA) policy is referred to as dynamic access policy (DAP). Dynamic access policies can be pushed down to the client based on a combination of endpoint attribute values such as operating system, prelogin policies, basic host scan results, and more. Whenever a user connects, a level of access is granted based on these parameters, and should something change qualifying a host for a greater level of access, it is possible to alter the access policy while the user is connected.

CSD features by client operating system:
Windows: Pre-login assessment, Host scan, Cache cleaner, Keylogger detection
Macintosh: Host scan, Cache cleaner
Linux: Host scan, Cache cleaner
Based on the preceding table, you will see that Windows, Mac, and Linux all support a host scan, which checks for a specific Windows Registry value or an application installed on the client's machine. The attribute that you are checking for is a watermark, and it can even include a hash to validate the file that you are checking for. The host scan is an additional module pushed down to the client after authentication. It was initially available only for Windows, but Mac and Linux were added in Version 3.2.1. The host scan comes in three forms: the basic host scan, endpoint assessment, and advanced endpoint assessment.
A basic host scan identifies the remote operating system down to the service pack, and performs checks against the Registry and memory for watermarks. The basic host scan can be used to determine a great deal of information about the remote host, and this information is then used to apply a DAP to this user. Endpoint assessment goes a step beyond the basic host scan, by checking the remote host for antivirus and antispyware applications and their versions. Endpoint assessment can also check for the presence of a software firewall. You can use the results returned by endpoint assessment to further enhance DAP. Advanced endpoint assessment goes a step further than the previously mentioned techniques, by pushing updates to the client based on the results of the other scans.
Note: The advanced endpoint assessment feature requires the Security Plus license.
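How host-scan results turn into an access decision, modeled in Python. This is an added example, not the ASA's DAP engine or any code from this book: the DAP records, the scan results for the three endpoints, the deny-by-default fallback, and the rule that a terminate action in any matching record wins are all constructed for illustration.

```python
"""Dynamic access policy (DAP) selection modeled in Python. The client-side
host scan produces endpoint attributes; they are matched against DAP records
stored on the ASA and the matching records decide the access granted. Added
example with constructed records and scan results; it is not the ASA's DAP
engine, and the default-deny and terminate-wins rules are this model's choices."""
from dataclasses import dataclass


@dataclass
class DapRecord:
    name: str
    priority: int       # higher-priority matching record supplies the access level
    conditions: dict    # endpoint attribute -> required value, or a predicate
    access: str         # "terminate" ends the session; anything else is a level


def condition_holds(required, actual):
    """Predicates allow range/version checks; plain values must match exactly.
    A missing attribute (None) never satisfies a plain-value condition."""
    if callable(required):
        return required(actual)
    return actual is not None and actual == required


def matching_records(endpoint, records):
    return [r for r in records
            if all(condition_holds(v, endpoint.get(k)) for k, v in r.conditions.items())]


def select_access(endpoint, records, default_access="terminate"):
    """Any matching record with a terminate action wins; otherwise the
    highest-priority matching record decides; no match falls back to the default."""
    hits = matching_records(endpoint, records)
    if not hits:
        return default_access
    if any(r.access == "terminate" for r in hits):
        return "terminate"
    return max(hits, key=lambda r: r.priority).access


def sample_records():
    """Constructed policy set: corporate-managed hosts (watermark present) get
    full AnyConnect access, other hosts with antivirus get the clientless portal,
    and hosts without antivirus or on an old service pack are terminated."""
    return [
        DapRecord("corp-managed", 20,
                  {"watermark": True, "antivirus": "present", "firewall": "enabled"},
                  "anyconnect-full"),
        DapRecord("unmanaged-with-av", 10, {"antivirus": "present"}, "clientless-portal"),
        DapRecord("no-antivirus", 30, {"antivirus": "absent"}, "terminate"),
        DapRecord("old-service-pack", 25,
                  {"os": lambda v: isinstance(v, str) and v.startswith("Windows"),
                   "service_pack": lambda sp: isinstance(sp, int) and sp < 3},
                  "terminate"),
    ]


# Constructed host-scan results for three endpoints
CORPORATE_LAPTOP = {"os": "Windows XP", "service_pack": 3, "antivirus": "present",
                    "firewall": "enabled", "watermark": True}
HOTEL_KIOSK = {"os": "Windows XP", "service_pack": 2, "antivirus": "absent",
               "firewall": "disabled", "watermark": False}
HOME_MAC = {"os": "Mac OS X", "antivirus": "present", "firewall": "enabled"}

if __name__ == "__main__":
    for label, ep in [("corporate laptop", CORPORATE_LAPTOP),
                      ("hotel kiosk", HOTEL_KIOSK), ("home Mac", HOME_MAC)]:
        print(f"{label}: {select_access(ep, sample_records())}")
```

Note that an endpoint reporting no attributes at all does not match the "antivirus absent" record, because a missing value is treated as unknown rather than as absent; it falls through to the default, which this model sets to terminate so that an incomplete scan never widens access.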
Secure Session
The data accessed by users during their WebVPN sessions can be encrypted upon a secure partition if Windows 2000 or XP is in use. This process is referred to as Secure Session, Secure Desktop, or Vault. That's three names to define a single technology; furthermore, it would make Secure Desktop a feature of Cisco Secure Desktop, two different things with a very similar name. The technology itself is easy to understand, but the wording may confuse you in the future, so be aware. In a nutshell, the data is stored in a safe place during the session, and then wiped using a Department of Defense (DoD) sanitation algorithm.
Cache Cleaner
Although Secure Session is an extremely powerful feature, it is not supported on all operating systems. As a matter of fact, it works only on certain versions of Windows. If you are supporting Windows Vista-, OS X- and Linux-based clients, you can still perform post-session cleanup with the cache cleaner. The cache cleaner is used to erase all the data that was downloaded from the corporate network, and any data that was input by the user.
Cisco Secure Desktop Onscreen Keyboard
The Cisco Secure Desktop Onscreen Keyboard (OSK) is a great utility that presents an onscreen keyboard when users attempt to type in their password for authentication of a WebVPN session. This feature mitigates the effects of both hardware- and software-based keyloggers. Whereas many software-based keyloggers can be detected by CSD, newer releases of this malware may go undetected, and hardware-based keyloggers can be very difficult to detect. Therefore, the OSK is an excellent mitigation technique.
When a user connects to the ASA WebVPN and enters a username, the user is then prompted for a password. At that point, the OSK launches, and the user will use the mouse to select the appropriate characters.
Clientless SSL Configuration
The simplest method of configuring clientless SSL VPN access is the wizard in ASDM. As always, it is possible to perform the configuration from the CLI, but we focus on ASDM here.
3. Select a name for this connection, and the interface upon which SSL VPN will run. From this screen, we can also select a digital certificate that will be used by the ASA to authenticate itself to clients. By default, this is a self-signed certificate. However, you can also use your own certificate authority (CA) or a purchased certificate from a well-known CA such as Verisign or Thawte.
Note: ASDM and SSL VPN can in fact be used on the same interface, on the same port. This was not possible in earlier versions of code. The URL used to access SSL VPN is https://hostname. The URL used to access ASDM is https://hostname/admin.
4. Configure user authentication. When end users connect to the ASA, they will authenticate, and the ASA must check the local user database or an external AAA server. The wizard enables us to populate the local user database during this step.
5. Select the group policy. You can use an existing group policy or create a new group policy. Policies can be defined at the group level or the user level. If a profile is configured specifically for a user, it overrides the policy defined at the group level.
6. Configure a Bookmark list. The Bookmark list is a collection of URLs that a user is presented with in the SSL VPN portal. You can choose an existing URL list, or create a new list during the setup. Bookmarks can be created for
7. The final task is to verify the attributes that you have defined before finishing the wizard. When you click Finish, commands are pushed to the ASA. You can view all the commands that are pushed down; just select the option (under Preferences) within ASDM to preview commands before sending them to the device.
Additional Features of Clientless SSL VPN
Client/Server Plug-Ins
The ASA supports third-party applications through the WebVPN portal. As an administrator, you can download Java applications from Cisco and put them in flash on your ASA. Once installed, these applications can then be linked to the portals of end users, so when they connect they will have access to client applications that are written in Java. The list of applications currently includes VNC, Telnet, Citrix, and Windows Terminal Services. Users can use the plug-in by selecting predefined URLs. Notice that the URL will begin with the acronym for the application being used. For instance, if you want to create a bookmark for an end user that allows the user to access an internal Linux server using VNC, the URL may look like this:
When the user clicks this link, however, he will actually connect to the ASA, which launches an applet that manipulates the packets in such a way that you can use the application without opening ports on the local machine and proxying through them.
User Interface Configuration
The web portal provided by the ASA for clientless WebVPN is greatly improved over the look and feel of the 7.0 implementation. The new version not only looks better, it offers better controls for the administrator. Previously, you could name categories and hyperlinks, and replace the Cisco logo with your company's logo. Now you can create custom XML and push it to the ASA; generate custom panes; and add Really Simple Syndication (RSS) feeds, Cascading Style Sheets (CSS), and more. This flexibility enables you to create completely customized web portals to cater to your company's needs. To simplify the creation of the custom portal, there is an SSL VPN Customization Editor.
Caching and Content Rewriting
The ASA can perform caching, or storing frequently reused objects, to enhance the performance and efficiency of WebVPN sessions. Caching is disabled by default but can be enabled from the CLI or GUI, and then configured to store files up to a maximum size of 10 MB. Another useful feature called content rewriting can be enabled on the ASA. This feature allows users to browse to public websites while a WebVPN tunnel is established. This changes the default behavior, which relays all web browsing through the ASA. Content rewriting functionality is similar to split tunneling in the IPsec VPN configuration. This feature is disabled by default, but can be enabled from the CLI or GUI.
Smart Tunnels
Smart tunnels are a new feature that was introduced in the 8.0.2 version of the ASA operating system. Smart tunnels replace the port forwarding techniques that were used in 7.x code, which required a user to connect to a local port, which would proxy the connection over SSL. One of the disadvantages of the earlier technique is that it required administrative access on the client machine. Smart tunnels circumvent the requirement for administrative rights, while allowing use of applications such as Outlook, Outlook Express, and Lotus Sametime through the SSL VPN.
When configuring smart tunnel access, you can define specific paths to executables that can be used to access internal applications. Beyond specifying a path, you can also perform an integrity check by comparing the hash of the executable with a known-good hash. You can use a utility (fciv.exe) to generate a SHA-1 hash of a file. You generate the hash, and then import this value into the ASA and make a comparison against the same-name executable file on the client's machine.
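The same comparison, written out in Python so the decision logic is visible. This is an added example, not the ASA's or fciv.exe's code: hashlib stands in for fciv.exe, the sample "executables" are small constructed files written to a temporary directory, and the known-good value is the published SHA-1 test vector for the bytes "abc" rather than the hash of any real binary.

```python
"""Smart-tunnel integrity check modeled with hashlib: the SHA-1 of the
executable found on the client is compared against the known-good hash the
administrator generated (the text uses fciv.exe) and imported into the ASA.
Added example with constructed sample files; it is not the ASA's or fciv's code."""
import hashlib
import hmac
import os
import tempfile


def sha1_of_file(path, chunk_size=64 * 1024):
    """Stream the file so large executables are hashed without loading them whole."""
    digest = hashlib.sha1()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def smart_tunnel_allowed(path, known_good):
    """Allow the application only when its file name is in the list and the
    hash matches. Unknown names are refused rather than allowed on name alone,
    and the comparison is constant-time."""
    expected = known_good.get(os.path.basename(path).lower())
    if expected is None:
        return False
    return hmac.compare_digest(sha1_of_file(path), expected.lower())


# Constructed known-good list: the SHA-1 of the bytes b"abc" stands in for a
# real outlook.exe hash. It is a well-known test vector, not a real binary's hash.
KNOWN_GOOD = {"outlook.exe": "a9993e364706816aba3e25717850c26c9cd0d89d"}


def demo():
    """Write a 'genuine' and a 'tampered' outlook.exe into separate temp
    directories and return the decisions for both plus one for an unlisted name."""
    with tempfile.TemporaryDirectory() as root:
        genuine = os.path.join(root, "genuine", "outlook.exe")
        tampered = os.path.join(root, "tampered", "outlook.exe")
        unlisted = os.path.join(root, "genuine", "notepad.exe")
        for p, data in [(genuine, b"abc"), (tampered, b"abd"), (unlisted, b"abc")]:
            os.makedirs(os.path.dirname(p), exist_ok=True)
            with open(p, "wb") as fh:
                fh.write(data)
        return (smart_tunnel_allowed(genuine, KNOWN_GOOD),
                smart_tunnel_allowed(tampered, KNOWN_GOOD),
                smart_tunnel_allowed(unlisted, KNOWN_GOOD))


if __name__ == "__main__":
    print(demo())   # (True, False, False)
```

Two points worth carrying over to a real deployment: the check is only as good as the hash list, so every patched version of the executable needs a new known-good value; and SHA-1 is what fciv.exe and the ASA of this era understood, while collision attacks against SHA-1 have since been demonstrated, so a file-integrity list built today would use SHA-256.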
Advanced Features of SSL VPN
AnyConnect SSL VPN Client Installer
After a user successfully establishes an SSL VPN session to an ASA, they may have the ability to install the AnyConnect client. Installation of the AnyConnect client requires additional administrative overhead, because the administrator must configure additional software and parameters to allow this download to take place. The AnyConnect VPN client package must be downloaded from http://www.cisco.com, and then must be uploaded to the ASA and configured within the CLI or GUI for download. As an administrator, you can control the end users' experience, and you have a few options as to how the AnyConnect client can be used. First, you can make it accessible to the user for use, and then beyond that you can allow a user to install the client persistently, meaning that the AnyConnect client will remain installed after tunnel termination, or you can disallow this and the client must download the AnyConnect installer each time it connects.
Dead Peer Detection and Keepalives
Dead Peer Detection (DPD) is a mechanism used between client and headend to detect link failure. The way that DPD works is that if the session goes idle and no traffic passes for a configurable amount of time (defined as a worry timer), an "R-U-There" message is sent across the connection. If the other side receives this message, an acknowledgment (ACK) is sent back to the client. Besides DPD, you can also configure keepalives to assist in maintaining a session. Occasionally, you will find clients that are behind Network Address Translation (NAT) devices, or firewalls with very strict rules, including exceptionally short idle timers. A simple unidirectional message that passes from the client to the security appliance is enough to keep a session from being terminated by intermediate filtering devices. This keepalive is encapsulated in SSL and appears as part of the user communication to any other devices in the path of transit.
The difference between keepalives and DPD is that DPD waits until a worry timer expires before sending an "R-U-There" message. When configured for keepalives, the client sends a "Hello" message regardless of the amount of traffic on the link.
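The two behaviours side by side, as a second-by-second simulation in Python. This is an added example, not Cisco client code or anything from this book: the timelines of user traffic are constructed, and the number of unanswered probes tolerated and the spacing between repeated probes are assumptions of the model rather than Cisco defaults.

```python
"""Dead Peer Detection versus keepalives, simulated second by second. DPD
probes (R-U-There) go out only after the worry timer expires with no traffic,
and the peer is declared dead after repeated unanswered probes; keepalives
send Hello on a fixed interval regardless of traffic. Added example with
constructed timelines; the retry count and probe spacing are assumptions,
not Cisco defaults."""
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class DeadPeerDetection:
    worry_timer: int                  # seconds of idle time before the first R-U-There
    retries: int = 3                  # unanswered probes tolerated (assumed)
    last_traffic: int = 0
    last_probe: Optional[int] = None
    outstanding: int = 0
    alive: bool = True
    sent: list = field(default_factory=list)

    def on_traffic(self, now):
        """Any traffic from the peer, including an ACK, proves it is alive."""
        self.last_traffic = now
        self.outstanding = 0

    def tick(self, now):
        if not self.alive or now - self.last_traffic < self.worry_timer:
            return
        # Repeated probes are spaced one worry timer apart (assumption of this model)
        if self.last_probe is not None and now - self.last_probe < self.worry_timer:
            return
        if self.outstanding >= self.retries:
            self.alive = False
            self.sent.append((now, "PEER-DEAD"))
            return
        self.sent.append((now, "R-U-There"))
        self.outstanding += 1
        self.last_probe = now


@dataclass
class Keepalive:
    interval: int
    sent: list = field(default_factory=list)

    def tick(self, now):
        if now > 0 and now % self.interval == 0:
            self.sent.append((now, "Hello"))   # sent whether or not user traffic flowed


def run(traffic_seconds, duration, worry_timer=30, keepalive_interval=20, peer_responsive=True):
    """Drive both mechanisms over a constructed timeline of user traffic."""
    dpd = DeadPeerDetection(worry_timer)
    ka = Keepalive(keepalive_interval)
    ack_due = None
    for now in range(duration + 1):
        if ack_due == now:
            dpd.on_traffic(now)            # ACK to the previous R-U-There arrives
        if now in traffic_seconds:
            dpd.on_traffic(now)
        dpd.tick(now)
        ka.tick(now)
        if peer_responsive and dpd.sent and dpd.sent[-1] == (now, "R-U-There"):
            ack_due = now + 1              # a live peer answers within a second
    return {"dpd": dpd.sent, "keepalives": ka.sent, "alive": dpd.alive}


if __name__ == "__main__":
    print("busy link:      ", run({0, 10, 20, 30, 40, 50}, 60))
    print("idle, peer up:  ", run({0}, 60))
    print("idle, peer gone:", run({0}, 120, peer_responsive=False))
```

With traffic every 10 seconds DPD never sends a probe while the keepalive still emits a Hello every 20 seconds, which is exactly what keeps a NAT or firewall idle timer from expiring. With the link idle, DPD probes at the worry timer and falls silent again as soon as the ACK arrives; only when the peer never answers does it escalate to declaring the peer dead.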
Dynamic Transport Layer Security
When using Transport Layer Security (TLS) to encapsulate user data, additional overhead is generated that we would like to avoid. If you look at the application that is being used across the SSL VPN, such as Remote Desktop, you will see that TCP is usually the transport protocol. The TCP header provides for synchronization of both parties, and retransmission of lost packets, for reliable delivery. When you are using TLS for tunneling, TCP is used once again for the transfer of encapsulated packets, thus resulting in two TCP connections per flow. There is an encrypted TCP header within the SSL payload, and an unencrypted TCP header, which is used by TLS between the client and the ASA, resulting in unnecessary overhead. Dynamic Transport Layer Security (DTLS) provides a more efficient means of communication and a more efficient way to implement an SSL VPN solution. DTLS establishes two separate TLS tunnels: a standard TLS tunnel, which handles session information (control messages and key exchange); and a DTLS tunnel, which is used for the transport of end user data. The DTLS session actually uses UDP port 443. The advantage with DTLS/UDP is that a smaller header is used during the encapsulation phase (UDP as opposed to TCP), and retransmissions only occur once, and that is done by the client application. When you are using WebVPN without DTLS, if a packet is lost in transit, retransmission occurs twice, once by the client application and once again by the SSL VPN client.
Split Tunneling
When users build a connection to the ASA using IPsec or WebVPN, by default all traffic is routed through the tunnel. The logic behind this configuration is that if the user is blocked from communicating with any host outside of the corporate network, there is no way that the user's machine can be compromised and then serve as a proxy for an attacker to gain access into the network. Currently, there are many browser vulnerabilities, and there have been exploits against browsers that would allow an attacker to relay an attack into the corporate network through the user's browser if the user were to visit the attacker's site while connected to the corporate network through VPN. While forcing all traffic through the VPN tunnel is a good security measure, it is not efficient, and can be frustrating for users. Split tunneling allows traffic destined to the corporate network to pass through the VPN, and all other traffic is routed normally. The end result is that a user can log in to the corporate network using IPs or WebVPN and still browse the Internet and have access to local resources such as file shares or printers on his personal network. Additional configuration is required for traffic to pass through the tunnel and then back out to the Internet. First, traffic must be allowed to enter and then leave your outside interface. This is enabled with the same-security-traffic permit intra-interface command, which is also required if the ASA is configured as a hub between two remote offices. You will also need a nat statement for the outside interface, grouping it with a global statement that is also on your outside interface, allowing users to come through the tunnel to the ASA and then out to the Internet.
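The routing decision the client makes under each policy, modeled in Python with the three policy names the ASA's split-tunnel-policy command uses (tunnelall, tunnelspecified, excludespecified). This is an added example, not Cisco client code or anything from this book; the corporate prefixes and sample destinations are constructed, and the hairpin path back out of the ASA described above is not modeled.

```python
"""Split-tunnel routing decision on a VPN client, modeled in Python with the
three policy names the ASA uses (tunnelall, tunnelspecified, excludespecified).
Added example with constructed prefixes; it is not Cisco client code."""
import ipaddress


class SplitTunnelPolicy:
    POLICIES = ("tunnelall", "tunnelspecified", "excludespecified")

    def __init__(self, policy="tunnelall", network_list=()):
        if policy not in self.POLICIES:
            raise ValueError(f"unknown split-tunnel policy {policy!r}")
        self.policy = policy
        # the network list plays the role of the ACL named by split-tunnel-network-list
        self.networks = [ipaddress.ip_network(n) for n in network_list]

    def _listed(self, destination):
        addr = ipaddress.ip_address(destination)
        return any(addr in net for net in self.networks)

    def route(self, destination):
        """Return 'tunnel' (via the ASA) or 'local' (directly out the local interface)."""
        if self.policy == "tunnelall":
            return "tunnel"
        if self.policy == "tunnelspecified":
            return "tunnel" if self._listed(destination) else "local"
        return "local" if self._listed(destination) else "tunnel"   # excludespecified

    def local_exposure(self, destinations):
        """Destinations the client would reach outside the tunnel while the VPN
        is up: the paths a compromised browser could use, which tunnel-all closes."""
        return [d for d in destinations if self.route(d) == "local"]


CORPORATE = ["10.0.0.0/8", "192.168.100.0/24"]      # constructed corporate prefixes
# constructed destinations: two corporate hosts, a home printer, a public web server
SAMPLE_DESTINATIONS = ["10.1.2.3", "192.168.100.7", "192.168.1.10", "203.0.113.10"]

if __name__ == "__main__":
    for policy, acl in [("tunnelall", []), ("tunnelspecified", CORPORATE),
                        ("excludespecified", ["192.168.1.0/24"])]:
        p = SplitTunnelPolicy(policy, acl)
        print(policy, {d: p.route(d) for d in SAMPLE_DESTINATIONS})
        print("  reachable outside the tunnel:", p.local_exposure(SAMPLE_DESTINATIONS))
```

The excludespecified form is the narrowest relaxation of tunnel-all: only the home LAN prefix is routed locally (printers and file shares keep working) while Internet browsing still goes through the ASA, where it can be inspected and logged.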
Certificate-Based Authentication
Authentication of remote-access VPNs can be performed using a traditional username and password, a digital certificate, or both methods. When I say both methods, that means you will use both a digital certificate and a username/password combination to authenticate. To perform certificate-based authentication, both the ASA and the remote users must obtain a certificate. After a certificate has been generated for the ASA, you then associate this digital certificate with the interface that is terminating the incoming VPN connections. To perform certificate-based authentication, the clients must obtain a digital certificate. The ASA can be used for this process, believe it or not, as of the 8.0 operating system. The ASA can serve as a CA, issuing and managing certificates. The CA service is disabled by default, but it can be enabled easily. After the CA has been configured, it can generate certificates for users. These certificates are valid for 365 days by default. You can manage the user database for the local CA server by creating user accounts, and then setting a one-time password (OTP) for the user to obtain the certificate. There is a link within ASDM to email the OTP to the user. When the user collects this key, he can then connect to WebVPN and download his digital certificate. Once installed locally, this certificate can be used for authentication alone or with a username and password. Before a user or device installs a digital certificate, it must trust the CA server and install the CA's certificate, also known as the root certificate.
When you introduce time as a factor of authentication, you are likely to experience users who receive an "Invalid Certificate" error because of a time mismatch. The configuration error could be as simple as the wrong time zone, or a date that is off by a few days to a few years. Whenever troubleshooting certificate issues, always be sure that the time and date are correct.
Note: The ASA can act as a CA server only when operating as a single context in routed mode. Transparent mode and multiple contexts are not supported.
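The enrollment flow and the time-mismatch check described above, modeled in Python. This is an added example, not the ASA's CA implementation or anything from this book: no real key pair or signature is produced (the "certificate" is a plain record with subject, issuer, serial, and validity window), the issuer name and user names are constructed, and the 72-hour OTP lifetime is an assumption of the model rather than a documented ASA default. The 365-day certificate lifetime is the default stated in the text.

```python
"""Enrollment against a local CA server modeled in Python: the administrator
creates a user with a one-time password, the user redeems it exactly once to
obtain a certificate valid for 365 days, and the certificate's validity window
is checked against the client's clock so a time mismatch surfaces as the
"Invalid Certificate" error. Added example: no real cryptography is performed,
the OTP lifetime is assumed, and nothing here is the ASA's code."""
import hashlib
import hmac
import secrets
from datetime import datetime, timedelta, timezone

CERT_LIFETIME = timedelta(days=365)     # default from the text
ROOT_NAME = "ASA-LOCAL-CA"              # constructed issuer name


def _hash_otp(otp):
    return hashlib.sha256(otp.encode()).hexdigest()


class LocalCaServer:
    def __init__(self, otp_lifetime=timedelta(hours=72)):   # lifetime is an assumption
        self.otp_lifetime = otp_lifetime
        self.users = {}      # username -> OTP record (hash only, never the OTP itself)
        self.issued = {}     # serial -> certificate record

    def add_user(self, username, now):
        """Create the account and return the OTP to send out of band (ASDM emails it)."""
        otp = secrets.token_urlsafe(12)
        self.users[username] = {"otp_hash": _hash_otp(otp),
                                "expires": now + self.otp_lifetime, "used": False}
        return otp

    def enroll(self, username, otp, now):
        """Redeem the OTP exactly once, within its lifetime; returns the certificate or None."""
        rec = self.users.get(username)
        if rec is None or rec["used"] or now > rec["expires"]:
            return None
        if not hmac.compare_digest(rec["otp_hash"], _hash_otp(otp)):
            return None
        rec["used"] = True
        cert = {"subject": username, "issuer": ROOT_NAME, "serial": secrets.token_hex(8),
                "not_before": now, "not_after": now + CERT_LIFETIME}
        self.issued[cert["serial"]] = cert
        return cert


def validate(cert, client_now, trusted_roots):
    """Checks a client performs before relying on a certificate; 'ok' or the reason."""
    if cert["issuer"] not in trusted_roots:
        return "untrusted issuer: install the CA root certificate first"
    if client_now < cert["not_before"]:
        return "Invalid Certificate: not yet valid (client clock behind?)"
    if client_now > cert["not_after"]:
        return "Invalid Certificate: expired (client clock ahead, or renew)"
    return "ok"


def demo():
    """Walk one user through enrollment and the failure modes from the text."""
    t0 = datetime(2009, 6, 1, 9, 0, tzinfo=timezone.utc)   # constructed clock
    ca = LocalCaServer()
    otp = ca.add_user("rsmith", t0)
    wrong = ca.enroll("rsmith", "not-the-otp", t0)
    cert = ca.enroll("rsmith", otp, t0 + timedelta(hours=2))
    replay = ca.enroll("rsmith", otp, t0 + timedelta(hours=3))
    late_otp = ca.add_user("jdoe", t0)
    expired_otp = ca.enroll("jdoe", late_otp, t0 + timedelta(days=4))
    return {
        "wrong_otp": wrong, "issued": cert is not None, "replay": replay,
        "expired_otp": expired_otp,
        "valid": validate(cert, t0 + timedelta(days=30), {ROOT_NAME}),
        "clock_behind": validate(cert, t0 - timedelta(days=400), {ROOT_NAME}),
        "clock_ahead": validate(cert, t0 + timedelta(days=400), {ROOT_NAME}),
        "no_root": validate(cert, t0 + timedelta(days=30), set()),
        "lifetime_days": (cert["not_after"] - cert["not_before"]).days,
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The two "Invalid Certificate" outcomes come from the same 365-day window seen through a wrong client clock, which is why the text's advice to check time and date first is sound; the untrusted-issuer outcome is the separate failure of a client that never installed the root certificate.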
Chapter 5 Security Services Modules
One of the primary benefits of an ASA over the PIX is the ability to support security service modules (SSMs). There are two modules that exist for security purposes and one that is for interface expansion. The Content Security and Control (CSC-SSM) and the Advanced Inspection and Prevention (AIP-SSM) provide security services, while the 4GE-SSM offers additional gigabit interfaces. There are different hardware platforms for each of the security services modules: the SSM-10, SSM-20, and a third option called the 4GE-SSM. Yes, you guessed it, 4-Gb interfaces. The AIP-SSM and CSC-SSM host a single 10/100/1000 Ethernet interface that can be used for in-band or out-of-band management, and software recovery. The software recovery procedure is covered at the end of this chapter. These modules can be managed from the command-line interface (CLI), Advanced Security Device Manager (ASDM), or Cisco Security Manager. Security modules can be monitored via the CLI, ASDM, or Cisco Secure Monitoring, Analysis, and Response System (MARS). The hardware specifications of each module are listed here:
SSM-10
2.0 GHz CPU
1.0 GB RAM
Flash-based file storage
150 Mbps throughput with ASA 5510
225 Mbps throughput with ASA 5520
10/100/1000 interface for management
Two logical interfaces: data channel and control channel
SSM-20
2.4 GHz CPU
2.0 GB RAM
Flash-based file storage
375 Mbps throughput with ASA 5520
450 Mbps throughput with ASA 5540
10/100/1000 interface for management
Two logical interfaces: data channel and control channel
4GE-SSM
Does not provide intelligent processing services, just additional ports.
Supports four UTP or four fiber interfaces. Only four interfaces of the eight can be used to pass traffic.
Note
Cisco released the SSM-40 after the SNAA course was released. It supports up to 650 Mbps of throughput when installed in an ASA 5540.
Cisco CSC-SSM
The Cisco CSC-SSM has the ability to block or clean malicious traffic within the following protocols: SMTP, FTP, HTTP, and POP3. The application layer intelligence is provided by Trend Micro. While inspecting the aforementioned protocols, the CSC-SSM can monitor for signs of known spyware and viruses, known phishing sites, URLs that host prohibited content, and can even perform content-type validation.
Content-type validation is a new feature also supported on Integrated Services Routers (ISRs). The way that it works is by examining the header of a file and comparing it to the file type (.mp3, .doc, .exe, and so on). Every file type has what is sometimes called a magic number. A magic number is a unique string of characters that can be seen when the file is opened with a hex editor. For instance, if you open three different Microsoft Word .doc files in a hex editor, you will notice that they all have the same string of characters at the head of the file and at the tail of the file. The CSC module can make comparisons to known file types. Therefore, when a user renames an executable file (.exe) to .doc and tries to pass it through the firewall in an email, the CSC-SSM will identify the mismatch and take the appropriate action. The antispam engine within the CSC-SSM is equally impressive. Not only does it perform your standard filtering based on the content of the email, but it also does a reverse lookup, or repudiation check, to make sure that the email was not spoofed and did come from the correct source. Furthermore, the antispam engine uses blacklists similar to other filtering software on the market. These features are limited based on software license, but with the features enabled from the Plus License, Cisco claims to be able to catch 99 percent of spam before it reaches your mail server. As mentioned previously, the CSC-SSM is available on both the SSM-10 and SSM-20 platforms. Beyond having an option of which platform you select, there are also licensing options to choose.
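The magic-number comparison described above, as an added example (not code from the Quick Reference or from Cisco): a Python check that compares the extension an attachment claims with the signature found in its leading bytes and flags the renamed-executable case. The signature table, the blocking policy, and the attachment heads are constructed for the example; a production engine such as the CSC-SSM checks far more types and, as the text notes, trailing bytes as well.

```python
import os

# Well-known file signatures ("magic numbers") at the head of a file. The table is
# constructed for this example and covers only a few types.
MAGIC = {
    ".exe": [b"MZ"],                                   # DOS/Windows executable
    ".doc": [b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"],       # OLE2 compound file (legacy Word)
    ".pdf": [b"%PDF-"],
    ".zip": [b"PK\x03\x04", b"PK\x05\x06"],
    ".gif": [b"GIF87a", b"GIF89a"],
    ".png": [b"\x89PNG\r\n\x1a\n"],
    ".jpg": [b"\xff\xd8\xff"],
    ".mp3": [b"ID3", b"\xff\xfb", b"\xff\xf3", b"\xff\xf2"],
}


def detect_types(head):
    """Extensions whose magic number matches the leading bytes of the file."""
    return [ext for ext, sigs in MAGIC.items() if any(head.startswith(s) for s in sigs)]


def content_type_verdict(filename, head):
    """Compare the extension a file claims with what its bytes say.

    Returns (verdict, detected) where verdict is one of:
      match                 the bytes agree with the extension
      mismatch              the bytes identify a different known type (a renamed file)
      unrecognized-content  the extension is known but the bytes match nothing in the table
      unknown-extension     the extension is not one the table can check
    """
    claimed = os.path.splitext(filename.lower())[1]
    detected = detect_types(head)
    if claimed not in MAGIC:
        return "unknown-extension", detected
    if claimed in detected:
        return "match", detected
    if not detected:
        return "unrecognized-content", detected
    return "mismatch", detected


# Constructed policy: executables may not enter by email, whatever they are called.
BLOCKED_TYPES = {".exe"}


def should_block(filename, head):
    """Block on a type mismatch, or when either the name or the bytes are a blocked type."""
    verdict, detected = content_type_verdict(filename, head)
    if verdict == "mismatch":
        return True
    claimed = os.path.splitext(filename.lower())[1]
    return claimed in BLOCKED_TYPES or any(ext in BLOCKED_TYPES for ext in detected)


# Constructed attachment heads (leading bytes only), not real files.
WORD_DOC_HEAD = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + b"\x00" * 24
RENAMED_EXE_HEAD = b"MZ\x90\x00\x03\x00\x00\x00\x04\x00\x00\x00\xff\xff\x00\x00"

if __name__ == "__main__":
    for name, head in (("budget.doc", WORD_DOC_HEAD), ("budget.doc", RENAMED_EXE_HEAD),
                       ("setup.exe", RENAMED_EXE_HEAD), ("readme.txt", b"plain text")):
        print(name, content_type_verdict(name, head), "block" if should_block(name, head) else "allow")
```

The second "budget.doc" is the case from the text: the name says Word document, the bytes say executable, so the verdict is a mismatch and the attachment is blocked regardless of what the extension-based policy would have allowed.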
Security Services Licensing Models
CSC-SSM-10
Base License: 50 users
Antivirus, antispyware, and file-blocking services
Additional licensing: 100, 250, or 500 users
Antispam, antiphishing, and URL filtering
CSC-SSM-20
Base License: 500 users
Antivirus, antispyware, and file-blocking services
Additional licensing: 750 or 1000 users
Antispam, antiphishing, and URL filtering
Cisco AIP-SSM
The Cisco Advanced Inspection and Prevention Security Services Module (AIP-SSM) provides IPS services at your network perimeter, similar to that of a Cisco 4200 series Intrusion Prevention Sensor (IPS). The AIP-SSM uses the same software (currently 6.x) as the 4200 series sensors, which makes migration and administration easy, especially if you have prior experience with the 4200 series sensors. As traffic passes through the ASA, it can be redirected to pass through the AIP-SSM, where it will be analyzed for signs of malicious intent. As mentioned previously, the AIP-SSM runs the same software as the standalone sensor, which means they carry the same signatures, currently more than 1500. What is a signature, you ask? Well, in its most basic sense, it is a set of parameters that match a traffic condition or a value found in a particular field of a particular protocol. Remember, everything in IT is a collection of if's and then's. Therefore, the signature is our if condition. A signature is used as a matching condition before an action is put into place. Simply put, the IPS module has a database of known attacks, and it compares data that is passing through your network to this database. The only catch is that the IPS is not always accurate.
A few different terms are used to describe the accuracy of an alert generated by an IPS. First, positive, which means an alert was generated, followed by negative, which refers to any condition in which an alert was not generated. This brings us to the following terms:
True positive: An attack was passing through the network and was successfully identified.
False positive: An alarm was generated, but the traffic that was passing through the network was legitimate traffic and was not harmful.
True negative: An alarm was not generated, and legitimate traffic is passing. This is a normal state.
False negative: An alarm was not generated, but an attack has passed by undetected.
Signatures are not the only way to identify that an attack is taking place on your network. Cisco IPS products also perform analysis of your standard network traffic and maintain somewhat of a baseline called a histogram. This histogram is a ratio of hosts to half-open connections. This table is maintained by the sensor and is updated on a regular basis (every 24 hours by default). While network traffic may rise over time, if the number of half-open connections increases by more than 20 percent, the sensor will become aware of this and notify the administrator that an attack such as a worm outbreak or port scanning may be taking place. The aforementioned method of detecting attacks is referred to as statistical anomaly detection. This term makes sense because we are building a profile of what is normal and then making comparisons to it. Another type of anomaly detection is nonstatistical, in which case the sensor compares the behavior of protocols on your network to the behavior expected based on how the white papers or RFCs say a protocol should behave.
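The four outcome terms and the half-open-connection baseline with its 20 percent threshold, as an added example (not code from the Quick Reference and not how the Cisco sensor is implemented): a simplified Python model that learns a per-host half-open ratio as the baseline, alerts when a new window exceeds it by more than 20 percent, and then scores each window against ground truth so that all four terms appear in one run. The connection records, the hosts, and the attack labels are constructed; the real sensor's histogram is more detailed than a single ratio.

```python
from collections import Counter, namedtuple

# Constructed connection-table records, not sensor output. state is "half_open"
# (SYN seen, handshake never completed) or "established".
Conn = namedtuple("Conn", "src state")


def half_open_ratio(conns):
    """Half-open connections per active host: the ratio the text's histogram tracks."""
    hosts = {c.src for c in conns}
    half_open = sum(1 for c in conns if c.state == "half_open")
    return half_open / len(hosts) if hosts else 0.0


def anomaly_alert(baseline_ratio, current_ratio, threshold=0.20):
    """Alert when the ratio rises more than threshold (20% by default) above the baseline."""
    if baseline_ratio == 0:
        return current_ratio > 0
    return (current_ratio - baseline_ratio) / baseline_ratio > threshold


def classify(alerted, attack_present):
    """Map an alert decision and the ground truth onto the four outcome terms."""
    if alerted and attack_present:
        return "true_positive"
    if alerted and not attack_present:
        return "false_positive"
    if not alerted and attack_present:
        return "false_negative"
    return "true_negative"


def evaluate(baseline_ratio, windows, threshold=0.20):
    """windows: iterable of (conns, attack_present). Returns a Counter of outcomes."""
    outcomes = Counter()
    for conns, attack_present in windows:
        alerted = anomaly_alert(baseline_ratio, half_open_ratio(conns), threshold)
        outcomes[classify(alerted, attack_present)] += 1
    return outcomes


def make_window(hosts, half_open_each, established_each):
    """Constructed sample: every host has the given number of connections in each state."""
    conns = []
    for h in range(hosts):
        src = f"10.1.0.{h + 1}"
        conns += [Conn(src, "half_open")] * half_open_each
        conns += [Conn(src, "established")] * established_each
    return conns


# Baseline learned over the previous day: 20 hosts, one half-open connection each.
BASELINE_RATIO = half_open_ratio(make_window(20, 1, 10))

# Constructed observation windows paired with ground truth for scoring.
SAMPLE_WINDOWS = [
    (make_window(20, 1, 10), False),                                         # quiet day
    (make_window(35, 1, 10), False),                                         # more hosts, same behaviour
    (make_window(20, 1, 10) + [Conn("10.1.0.99", "half_open")] * 40, True),  # port scan from one host
    (make_window(20, 2, 10), False),                                         # flaky server, everyone retries
    (make_window(20, 1, 10) + [Conn("10.1.0.99", "half_open")] * 3, True),   # slow scan under threshold
]

if __name__ == "__main__":
    print(evaluate(BASELINE_RATIO, SAMPLE_WINDOWS))
```

The second window shows why the sensor tracks a ratio rather than a raw count: traffic grew with more hosts, but the behaviour per host did not change, so no alert fires. The fourth and fifth windows are the false positive and false negative the text warns about: a broken server that makes every client retry looks like a scan, and a scanner that stays under the 20 percent rise goes unnoticed.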
IDS Versus IPS
So, your sales rep has just called and is trying to sell you on the idea that you need an intrusion prevention system (IPS) to replace your intrusion detection system (IDS). The IPS actually stops the attack inline, whereas your IDS only tells you about it. Is there any truth to this? Let's look at how each of these solutions works.
An IDS works in what is referred to as promiscuous mode. The sensor receives a copy of each packet. If you were to look at the network topology, the sensor is not directly in the path of the packet, but off to the side. With a standalone sensor (for instance, a 4200 series product), a switch is generally configured with a Switched Port Analyzer (SPAN) port that will mirror traffic from one port on the switch to another. In other words, duplicate packets are forwarded to a second port, strictly for analysis. If an IDS identifies a packet that is malicious, it performs a few different actions, but it cannot drop the packet. By the time the IDS receives a copy of a packet, the target host also receives a copy of the malicious packet at the same time. In real-world terms, it is like a parking lot security guard watching from the roof. The security guard watches a girl pull up in a car, throw a brick through your car window, and then drive away. He can tell you all about the incident, but your window is still broken. Let's now look at how an IPS differs from an IDS. You see, an IPS works inline. Yes, inline is the keyword here. The IPS sensor is in the forwarding path between the source and destination. Therefore, if the sensor identifies traffic that is deemed malicious, it has the capability to drop the packet, and that packet will never reach the intended destination. In other words, if the parking lot security guard is in the parking lot, where he belongs, and he sees a crazed woman drive into the parking lot, he can stop her before she reaches your car with the brick.
Dropping packets is most effective when implemented with atomic signatures. It is possible that if an elaborate exploit is detected using a TCP stream signature, the damage may already be done.
[Figure: Promiscuous Mode / IPS]
Now let's look at this realistically. How does an IDS or IPS identify an attack? Most of the time (in fact, 99 percent of the time), it is based on a signature. Well, where do these signatures come from?
1. Vulnerability is announced publicly (1 day).
2. An exploit is written for this vulnerability (0 to 24 hours).
3. A patch is written for your operating system by a third party or the open source community (2 to 5 days).
4. An official patch is released from the vendor (7 to 14, sometimes even 30 days).
5. A signature update from your IDS/IPS vendor is released that identifies the attack (generally released within 14 to 30 days, if ever).
Based on this timeline, does an IPS stop the attack inline? Chances are, probably not. Your new shiny IPS will watch this new cutting-edge attack go by just like the IDS will. The timeline in the preceding list is not the protocol or standard, but it is an estimate based on what I have seen in the security world over the past several years. Exceptions apply, however. Sometimes the vendors are quick. Sometimes custom signatures can be created and deployed before the operating system patch is released. However, consider an attacker who is using attacks that have not been publicly disclosed. In such a scenario, the chance of detection is minimal. Although network IDS/IPS solutions are good, try to remain realistic about their capabilities and remember that they work best when paired with a host-based IPS solution such as Cisco Security Agent. One thing to consider when deploying an IDS/IPS solution is the amount of traffic that the sensor can analyze. It is possible to overwhelm the sensor with too much information. A good rule of thumb when deploying an IPS is to analyze the parts of the network where attacks are most likely to exist, such as the outside interface and the demilitarized zone (DMZ) interface. The majority of the traffic that the ASA handles may be coming from the inside interface, which is the least likely to contain malicious content.
Software Bypass
The software bypass feature refers to the condition in which inspection is not possible because of hardware or software failure. There are two different configurations to consider: fail open and fail closed. In the event of failure of an IPS or CSC module, what should the ASA do with the traffic that is to be inspected? If the sensor is configured to "fail open," the traffic should be forwarded through the security appliance without IPS or CSC inspection. This is less secure but provides for a more resilient network. Keep in mind that all the other protections of the security appliance are still in effect. If the security appliance is configured to "fail closed," in the event of hardware or software failure of the IPS/CSC module, any traffic analyzed by those modules will cease to pass. This is a more secure mode of operation but will obviously affect network connectivity in an adverse way. Fail open and fail closed are applicable only when the module is configured for inline operation. This setting is not used for promiscuous operation.
Sensor Initialization
You can begin configuring the sensor by first verifying that it is operating properly. You can do so from the CLI by using the show module 1 details command:
hostname# show module 1 details
Getting details from the Service Module, please wait...
ASA 5500 Series Security Services Module-10
Model:              ASA-SSM-10
Hardware version:   1.0
Serial Number:      JAF10000009
Firmware version:   1.0(11)2
Software version:   6.1(1)E1
MAC Address Range:  0018.b91b.56c8 to 0018.b91b.58c8
App. name:          IPS
App. Status:        Up
App. Status Desc:
App. version:       6.1(1)E1
Data plane Status:  Up
Status:             Up
Mgmt IP addr:       18.10.1.66
Mgmt web ports:     443
Mgmt TLS enabled:   true
...
In the preceding output, notice that the model of hardware is an ASA-SSM-10. You can also see a firmware version and software version. To access the sensor, you need to take note of the management IP address and port number. Also notice that TLS is enabled, which is required for secure management access to the sensor's command and control interface.
In the event that you have a corrupt or missing operating system, the output would differ and the Software Version field will be blank. To recover the operating system, you must follow these steps:
1. In the event that there is not an IP address assigned to the SSM, you will not be able to manage it remotely, and must access it from the CLI or from the appropriate tab within ASDM.
2. When initializing the sensor, you will also want to verify the time and date of the sensor, because having accurate time stamps on event notifications is critical for correlation and analysis. You can synchronize using the time from the ASA itself or an NTP server.
3. The final step of configuration is to add your license codes. The AIP module requires a license to perform signature updates, whereas the CSC module requires a Base License or Plus License to implement the corresponding features.
In the event of corrupt software, you will need to recover the software image from a remote server, as follows:
1. Configure a TFTP server with the AIP/CSC image.
2. On the ASA, configure the location of the TFTP server using the following command:
hw-module module slot recover configure
3. The previous command will bring you to a configuration dialog where you will define the following parameters:
Image URL (tftp://192.168.1.7/csc6.2.16U5.bin)
IP address of the Ethernet interface of the SSM (192.168.1.15)
VLAN ID if required
Gateway IP address if required
4. Begin recovery using the hw-module module slot recover boot command.
Note
Use the debug module-boot command to watch the details of the recovery process.
Sensor Configuration
After the sensor software has been restored (if necessary), you can begin configuration of the sensor. This can be done from the CLI or using ASDM. To connect to the sensor through the ASA console (or vty), use the session 1 command. Doing so moves your shell environment from the ASA configuration to SSM configuration. This is sometimes referred to as a reverse Telnet:
hostname# session 1
Opening command session with slot 1.
Connected to slot 1. Escape character sequence is 'CTRL-^X'.
sensor login: cisco
Password: ********
This product contains cryptographic features and is subject to United States and local country laws governing import, export, transfer and use. Delivery of Cisco cryptographic products does not imply third-party authority to import, export, distribute or use encryption. Importers, exporters, distributors and users are responsible for compliance with U.S. and local country laws. By using this product you agree to comply with applicable laws and regulations. If you are unable to comply with U.S. and local laws, return this product immediately.
A summary of U.S. laws governing Cisco cryptographic products may be found at:
http://www.cisco.com/wwl/export/crypto/tool/stqrg.html
If you require further assistance please contact us by sending email to [email protected].
***LICENSE NOTICE***
There is no license key installed on the SSM-IPS10.
The system will continue to operate with the currently installed signature set. A valid license must be obtained in order to apply signature updates. Please go to http://www.cisco.com/go/license to obtain a new license or install a license.
sensor#
The first thing that you will encounter in the SSM environment is a login prompt. The default username is cisco, with a password of cisco. When you log in, you are asked to change your password. From this point, you can perform most of the administration tasks. However, the GUI interface provides a much more effective environment for management. Generally, when you first access any IDS sensor, whether it is the AIP-SSM, 4200 series sensor, or IDSM2, you will run the setup script from the CLI. The setup script walks you through the basic configuration of the sensor. As of IPS Version 5.0, the sensor has switched from TCP Wrappers and a default access list of permit 10.0.0.0/8 to IP Tables and a default of deny all for remote access:
--- Basic Setup ---
--- System Configuration Dialog ---
At any point you may enter a question mark '?' for help.
User ctrl-c to abort configuration dialog at any prompt.
Default settings are in square brackets '[]'.
Current time: Mon Dec 15 14:01:44 2008
Setup Configuration last modified: Mon Dec 01 07:42:10 2008
Enter host name[sensor]:
Enter IP interface[10.2.2.33/24,10.2.2.1]:
Modify current access list?[no]:
Modify system clock settings?[no]:
The following configuration was entered.
service host
network-settings
host-ip 10.2.2.33/24,10.2.2.1
host-name sensor
telnet-option disabled
access-list 10.2.2.0/24
ftp-timeout 300
no login-banner-text
exit
time-zone-settings
offset 0
standard-time-zone-name UTC
exit
summertime-option disabled
ntp-option disabled
exit
[0] Go to the command prompt without saving this config.
[1] Return to setup without saving this config.
[2] Save this configuration and exit setup.
[3] Continue to Advanced setup.
Enter your selection[3]:
After an IP address has been defined, and you have added the administrator's workstation to the access list, you are ready to log in to the AIP-SSM with the GUI.
First log in to the ASDM GUI, and then select Configuration > IPS. When you click this hyperlink, ASDM will open a new window. A notification from ASDM will tell you about the new connection. Click Continue to move forward.
When you click Continue, ASDM will load data from the IPS sensor.
After data has finished loading, you will see a picture of a security appliance and security services module. In this diagram, the management ports have been highlighted. Notice there is an ASA management port and an SSM management port. In my experience, I have needed separate IP addresses to perform both functions (ASDM / AIP-SSM). Notice that there is a wizard here that we can launch to begin passing traffic to the SSM.
When you click the Launch Startup Wizard button, the wizard brings you to a sensor setup page. This page can be used to define the hostname, IP address, subnet mask, and default gateway. You can also manage access lists from this screen. Remember, when configuring IDS products the term access list refers to administrative access, or access to the device, as opposed to traffic through the device. You can also set the time, date, time zone, daylight savings time, and an NTP server.
After you have configured, or verified, the basic configuration information of the SSM, you can define the traffic flows that should be passed to this module for analysis.
By clicking the Add button on the right side, you can define the traffic flow for analysis. First, specify the interface, source IP address, destination IP address, destination port number (service), and then possibly a description. These parameters are then followed by how analysis should be performed (inline or promiscuous) and what should happen to this traffic if the sensing process should fail (fail open or fail closed).
After rules have been added, the window will be populated, and you can see an animation displaying the path of the packet. If everything looks appropriate, click Finish.
Further configuration of the modules is beyond the scope of this Quick Reference.
Feedback Information
CCSP SNAA Quick Reference
At Cisco Press, our goal is to create in-depth technical books of the highest quality and value. Each book is crafted with care and precision, undergoing rigorous development that involves the unique expertise of members of the professional technical community. Reader feedback is a natural continuation of this process. If you have any comments on how we could improve the quality of this digital Short Cut, or otherwise alter it to better suit your needs, you can contact us via e-mail at [email protected]. Please be sure to include the digital Short Cut title and ISBN in your message.
Ryan Lindfield
Copyright © 2009 Cisco Systems, Inc.
Published by: Cisco Press, 800 East 96th Street, Indianapolis, Indiana 46240 USA
All rights reserved. No part of this digital Short Cut may be reproduced or transmitted in any form or by any means, electronic or mechanical, including photocopying, recording, or by any information storage and retrieval system, without written permission from the publisher, except for the inclusion of brief quotations in a review.
Corporate and Government Sales
The publisher offers excellent discounts on this digital Short Cut when ordered in quantity for bulk purchases or special sales, which may include electronic versions and/or custom covers and content particular to your business, training goals, marketing focus, and branding interests. For more information, please contact: U.S. Corporate and Government Sales 1-800-382-3419 [email protected]
First Digital Edition February 2009
ISBN-10: 1-58705-877-4
ISBN-13: 978-1-58705-877-6
For sales outside the United States please contact: International Sales [email protected]
Warning and Disclaimer
This digital Short Cut is designed to provide information about networking. Every effort has been made to make this digital Short Cut as complete and accurate as possible, but no warranty or fitness is implied.
The information is provided on an "as is" basis. The author, Cisco Press, and Cisco Systems, Inc. shall have neither liability nor responsibility to any person or entity with respect to any loss or damages arising from the information contained in this digital Short Cut. The opinions expressed in this digital Short Cut belong to the authors and are not necessarily those of Cisco Systems, Inc.
Trademark Acknowledgments
All terms mentioned in this digital Short Cut that are known to be trademarks or service marks have been appropriately capitalized. Cisco Press or Cisco Systems, Inc. cannot attest to the accuracy of this information. Use of a term in this digital Short Cut should not be regarded as affecting the validity of any trademark or service mark.