ASA - Copy


  • 7/30/2019 ASA - Copy


    Introduction to Network Security

    First we have to understand the concept of security in general.

    Security may be defined as the safeguarding of our assets or important goods.

    The degree of security provided to an asset depends on its importance and on our need for it.


    SECURITY

    - Family Security
    - Social Security
    - Home/Internal Security
    - National Security
    - International Security
    - IT/Networking Security


    IT/Network Security

    The Computer Security Institute (CSI) has produced many reports on security.

    IT security deals with every area of information technology, including network security. Network security deals only with the components used in networking (Internet/intranet), including how the Internet protocols are handled.

    Which of the Internet protocols (TCP/UDP/ICMP/IGMP) may pass, and under what conditions, is configured by the network administrator as per the security policies of the company.


    NETWORKING SECURITY

    Network security involves securing the network from internal and external threats.

    It also involves finding the balance between an open, evolving network and protecting the company's private data.

    In brief, network security is a process to counter any unauthorized access or illegal intrusion into the network.


    TO PROVIDE EFFECTIVE SECURITY, A COMPANY MUST DEAL WITH THREE THINGS

    Adversaries: an adversary is a person (or organization) interested in attacking your network. Some common adversaries:

    - Disgruntled employees
    - Skilled or unskilled hackers
    - Criminals or terrorists
    - Other countries
    - Competing companies

    Motivation: the range of adversaries' motivations includes:

    - Gathering or stealing information (competing companies and criminals)
    - Denial of service (terrorists, other countries and criminals)
    - The challenge (hackers)

    Class of attacks: adversaries can employ five types of attack:

    - Passive
    - Active
    - Distributed
    - Insider
    - Close-in


    Class of Attacks

    Passive:

    In a passive attack the attacker gains access to information or data without the knowledge of the users, by

    - capturing and monitoring unencrypted or unprotected communication;
    - looking for clear-text passwords.

    Nothing is modified, so the victim usually has no indication that the data was observed; encrypting traffic in transit is the primary countermeasure.


    A FIREWALL IS A SYSTEM OF HARDWARE OR SOFTWARE THAT CONTROLS ACCESS BETWEEN TWO OR MORE NETWORKS.

    The firewall's role is similar to that of a physical firewall, which helps to keep a fire from spreading.

    For ease of understanding we can say that:

    FIRE means illegal intrusion or unauthorized access to a system or network,

    AND

    WALL means the protection or policies that counter unauthorized access.


    FUNCTION OF FIREWALL

    The firewall has only two major functions:
    a. To permit traffic
    b. To deny traffic

    All firewalls perform these functions by examining the network traffic and directing that traffic based on the rule set (which may be predefined in the system or defined by the administrator as per the company's network policies).


    METHODS OR TYPES OF FIREWALL

    There are three methods of traffic control in a network, and a firewall uses one (or more) of them:

    a. Packet Filtering
    b. Proxy Service
    c. Stateful Inspection

    1. Packet Filtering: the oldest and most commonly used firewall technology.

    - Inspects only the L3 and L4 headers of each packet.
    - Analyzes IP packets and compares them to a set of established rules called an ACL (access control list); the first matching rule decides, and traffic that matches no rule is dropped (implicit deny).
    - The following elements are inspected by this method:
      a. Source and destination IP address
      b. Source and destination port
      c. Protocol (by name or number)
    - Because each packet is judged on its own, a packet filter cannot tell whether a packet belongs to a connection an inside host actually started. Return traffic must be permitted by its own rule, and any outside sender can satisfy that rule by choosing the right ports.
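    The packet-filter method above, worked as an added example (this is illustrative code, not from the original slides or from any firewall product): an ACL evaluator that sees only the L3/L4 fields listed, applies first-match semantics with an implicit deny, and shows why the "return traffic" rule a stateless filter needs also admits packets nobody on the inside asked for. Addresses reuse the deck's later topology (inside 10.1.1.0/24, DMZ web server 30.1.1.6, outside host 20.1.1.5); the ACL and every packet are constructed test data.

```python
"""Stateless packet filter (ACL) evaluator.

Added example, not code from the original slides. Addresses reuse the
deck's topology (inside 10.1.1.0/24, DMZ web server 30.1.1.6, outside
host 20.1.1.5); every packet below is constructed test data.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str      # "tcp", "udp" or "icmp"
    sport: int = 0  # 0 = not applicable (e.g. icmp)
    dport: int = 0


@dataclass(frozen=True)
class Rule:
    action: str                    # "permit" or "deny"
    proto: str                     # "ip" matches any protocol
    src: str                       # CIDR, or "any"
    dst: str
    sport: Optional[range] = None  # None = any port
    dport: Optional[range] = None


def _net(spec: str):
    return ip_network("0.0.0.0/0" if spec == "any" else spec, strict=False)


def rule_matches(rule: Rule, pkt: Packet) -> bool:
    """Compare only the L3/L4 header fields a packet filter can see."""
    if rule.proto != "ip" and rule.proto != pkt.proto:
        return False
    if ip_address(pkt.src) not in _net(rule.src):
        return False
    if ip_address(pkt.dst) not in _net(rule.dst):
        return False
    if rule.sport is not None and pkt.sport not in rule.sport:
        return False
    if rule.dport is not None and pkt.dport not in rule.dport:
        return False
    return True


def evaluate(acl: List[Rule], pkt: Packet) -> Tuple[str, Optional[int]]:
    """First matching rule wins; no match means the implicit deny (index None)."""
    for index, rule in enumerate(acl):
        if rule_matches(rule, pkt):
            return rule.action, index
    return "deny", None


# Constructed ACL applied inbound on the outside interface.
OUTSIDE_IN: List[Rule] = [
    # 1. the public web server in the DMZ
    Rule("permit", "tcp", "any", "30.1.1.6/32", dport=range(80, 81)),
    # 2. replies to inside web clients: the only way a stateless filter
    #    can express "return traffic" is "from port 80 to an ephemeral port"
    Rule("permit", "tcp", "any", "10.1.1.0/24",
         sport=range(80, 81), dport=range(1024, 65536)),
    # 3. explicit catch-all, equivalent to the implicit deny
    Rule("deny", "ip", "any", "any"),
]

if __name__ == "__main__":
    samples = {
        "client -> DMZ web": Packet("20.1.1.5", "30.1.1.6", "tcp", 40000, 80),
        "client -> DMZ ssh": Packet("20.1.1.5", "30.1.1.6", "tcp", 40001, 22),
        "genuine reply":     Packet("20.1.1.5", "10.1.1.4", "tcp", 80, 11500),
        # Nobody on the inside asked for this, but the filter cannot know that:
        "spoofed 'reply'":   Packet("20.1.1.5", "10.1.1.4", "tcp", 80, 3389),
    }
    for label, pkt in samples.items():
        print(f"{label:18s} {evaluate(OUTSIDE_IN, pkt)}")
```

    The last sample is the point: a segment from source port 80 to 10.1.1.4:3389 matches rule 2 exactly like a real HTTP reply does, so a stateless filter lets an outside host probe any high port on the inside. Only a device that remembers which connections the inside started (the stateful inspection described later in the deck) can reject it.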


    2. Proxy Service:

    Information from the Internet is retrieved by the firewall and then sent to the host that requested it. The proxy works on behalf of the host on the protected network segment.

    The protected host never actually makes a connection to the outside world: the proxy terminates the client's connection and opens its own connection to the server.


    [Figure: proxy server placed between the inside (protected) network and the Internet]


    3. Stateful Inspection:

    In this method, certain parts of the packet are compared to a database of trusted information, the state table.

    The firewall maintains a state table entry for each connection passing through it from the inside network and allows the response traffic for connections that were generated from inside. This behaviour is built into the firewall's algorithm.


    Stateful packet filtering

    Stateful filters are more intelligent than simple packet filters in that they can block all unsolicited incoming traffic and still allow the return traffic for connections generated by the machines sitting behind them.

    They keep track of a variety of information regarding the packets that traverse them, including the following:

    1. Source and destination TCP and UDP port numbers
    2. TCP sequence numbers
    3. TCP flags
    4. UDP traffic, tracked with timers (UDP has no connection setup or teardown, so an entry is kept until it has been idle for the timeout period)


    TYPES OF FIREWALL

    a. Packet Filtering
       - Static filtering
       - Dynamic filtering
       - Stateful inspection
    b. Circuit Gateway
    c. Application Proxy
    d. Hybrid

    By deployment: PC firewall, SOHO firewall, firewall application, large enterprise firewall.


    COMPONENTS OF A FIREWALL

    Console: provides constant updates of network traffic and contains the status of the security level and applications.

    Logs: the firewall maintains three types of logs.

    a) Security logs: record potentially threatening activities such as port scanning, DoS etc. Each logged event consists of the date and time of the event, number of attacks, severity and direction (inbound/outbound).

    b) System logs: record operational changes such as software execution errors, software modification, starting/stopping of services etc. System logs are useful for troubleshooting because they carry information about errors and warnings.

    c) Traffic and packet logs: allow capturing and recording all the data that enters or leaves the computer or network. They give information about traffic passing through the firewall, traffic blocked at the firewall, time/date, type of traffic, number of events during a certain period, IP addresses of attempted attacks, the name of the host computer and the IP address of the user.

    Application list: the list of running applications and services. The user is able to change the list by restricting access for some applications and giving permission to others.

    Configuration options: allow the user to set up the configuration; they cover log files, network browsing rights, password protection and notification of attacks.

    Advanced rules: these rules apply to all applications. The administrator sets them as per the network policies.


    Positioning of Firewall

    Some of the basic guidelines for positioning a firewall are as follows:

    1. Topological location of the firewall: it is often a good idea to place a firewall on the periphery of a private network, as close as possible to the final exit point and the initial entry point of the network.

    In most cases firewalls should not be placed in parallel with other network devices such as routers, because a parallel path allows the firewall to be bypassed.


    Positioning of Firewall

    2. Accessibility and Security Zones: if there are servers that need to be accessed from the public network, such as web servers, it is often a good idea to put them in a demilitarized zone (DMZ).

    A DMZ allows publicly accessible servers to be placed in an area that is separate from the private network, forcing attackers who have somehow gained control over these servers to go through the firewall again to gain access to the private network.


    Positioning of Firewall

    3. Layering Firewalls: in networks where a high degree of security is desired, two or more firewalls can be deployed in series. If the first firewall is bypassed or compromised, the second one continues to enforce policy.

    This technique is often used as a safeguard against network attacks that exploit bugs in a firewall's software: if one firewall's software is vulnerable to an attack, hopefully the software of the second firewall sitting behind it will not be.

    Firewalls from different vendors are often used in these setups, so that a single vendor's bug does not affect both layers.


    Adaptive Security Algorithm


    Flavors of ASA and Introduction to Security Appliances

    PIX (Private Internet Exchange): runs the Finesse operating system.

    ASA (Adaptive Security Appliance): Cisco proprietary appliance that enforces the security policy using the Adaptive Security Algorithm.

    Product line by market segment:

              SOHO      ROBO       SMB        ENTERPRISE   SP
        PIX   PIX501    PIX506E    PIX515E    PIX525       PIX535
        ASA   5505      5510       5520       5540         5580-20 / 5580-40

    SOHO: Small Office / Home Office
    ROBO: Remote Office / Branch Office
    SMB: Small/Medium-size Business
    SP: Service Provider


    Adaptive Security Algorithm

    ASA is the foundation on which the firewall is built. It defines how the firewall examines traffic passing through it and applies the various rules. The basic concept behind ASA is to keep track of the connections being formed from the networks behind the firewall to the public network.

    ASA also defines the information the firewall saves for any given connection made through it (this is called state information where TCP is used).

    The ASA algorithm also defines how the state and the other information is used to track the sessions passing through the firewall. To achieve this behaviour, the firewall keeps track of the following information:

    1. IP packet source and destination information
    2. TCP sequence numbers and additional TCP flags
    3. UDP packet flow and timers


    ASA FIREWALL

    The Cisco Adaptive Security Appliances are purpose-built solutions that combine security and VPN services with the Cisco Adaptive Identification and Mitigation (AIM) architecture.

    Additionally, the adaptive security appliance software supports the Cisco Adaptive Security Device Manager (ASDM). ASDM delivers security management and monitoring through an intuitive, web-based management interface. Bundled with the adaptive security appliance, ASDM accelerates deployment with wizards, administration tools and monitoring services that complement the integrated security and networking features of the adaptive security appliance.


    Basic Features of the ASA Firewall

    This section discusses some of the basic features of the ASA; these features are the fundamental building blocks of the firewall.

    1. Secure and proprietary operating system
    2. Stateful inspection of traffic
    3. Sequence Number Randomization (SNR) to secure TCP connections
    4. Cut-through proxy for authenticating Telnet, HTTP and FTP
    5. Default security policy to ensure maximum protection, as well as the ability to customize these policies and build your own
    6. VPN capabilities: IPsec, SSL and L2TP
    7. NAT and ACLs
    8. Multiple contexts / virtualization of policies using contexts
    9. Failover and redundancy
    10. IDS and IPS


    SECURITY POLICY OVERVIEW

    The security policy determines which traffic is allowed to pass through the ASA to access another network.

    By default:
    (a) Traffic from a higher security level to a lower security level is allowed.
    (b) Only TCP and UDP connections are tracked statefully; other traffic (including ICMP replies) is denied unless explicitly permitted or inspected.

    The default policy can be customized by:

    - ACLs, to permit or deny traffic.
    - Applying NAT.
    - Applying HTTP, HTTPS or FTP filtering (in conjunction with a separate server running one of the following Internet filtering products: i. Websense Enterprise, ii. Secure Computing SmartFilter).
    - Applying application inspection.
    - Diverting traffic to the AIP-SSM (Advanced Inspection and Prevention Security Services Module) and CSC-SSM (Content Security and Control Security Services Module) modules.
    - Applying QoS policies (for voice and video streaming traffic).
    - Applying connection limits, to protect against DoS attacks, and TCP normalization (advanced connection settings to drop abnormal packets).
    - Enabling threat detection.


    Assigning Varying Security Levels to Interfaces

    The ASA allows varying security levels to be assigned to its interfaces. The resulting segments are called security zones.

    Each interface can be assigned a level from 0 to 100.

    The interface connected to the public network is assigned level 0, i.e. the outside interface.

    The interface sitting on the private network has a security level of 100, i.e. the inside interface (most secure).

    DMZ interfaces have security levels between 0 and 100.

    NOTE: by default, traffic can flow freely from a high security level interface to a low security level interface. For traffic to flow from a low security level to a high security level, rules need to be explicitly defined.


    Stateful Inspection of Traffic:

    1. Outbound connections are allowed, unless specifically denied by an ACL.

    2. Inbound connections or states are denied, except those specifically allowed.

    3. All ICMP packets are denied unless they are specifically permitted; this includes echo replies to pings originated from the inside network (unless ICMP inspection is enabled, which makes ICMP stateful as well).


    STATEFUL FIREWALL, STATEFUL INSPECTION (figure: PC-A 192.168.1.1 on the internal network, stateful firewall, Internet, web server 201.201.201.1; steps 1, 2, 3)

    CONNECTION TABLE

        Inside IP Addr   IP Protocol   Inside Port   Outside IP Addr   Outside Port
        192.168.1.1      TCP           11500         201.201.201.1     80

    1. User PC-A, located in the inside network, performs an HTTP request to a web server outside your network.

    2. As the request reaches the stateful firewall, the firewall stores the connection information (source and destination address, protocol and port information) in its state or connection table.

    3. The firewall forwards the user's HTTP request to the destination web server.


    STATEFUL FIREWALL, STATEFUL INSPECTION (continued; same figure, return direction; steps 1, 2, 2A, 2B)

    CONNECTION TABLE

        Inside IP Addr   IP Protocol   Inside Port   Outside IP Addr   Outside Port
        192.168.1.1      TCP           11500         201.201.201.1     80

    1. The HTTP request is received by the destination web server, which sends the corresponding web page back to PC-A.

    2. The firewall intercepts the response and compares it with the entries in its state table.
       A. If a match is found in the connection table, the returning packets are permitted.
       B. If no match is found in the connection table, the returning packets are dropped.


    A stateful firewall maintains this connection table. If it sees a connection teardown (a FIN/ACK exchange or an RST) between the source and destination, the stateful firewall removes the corresponding entry.

    If a connection entry is idle for a period, the entry times out and the stateful firewall removes it from the connection table.


    STATEFUL INSPECTION: packet flow through the ASA (reconstructed from the flow chart)

    If the connection is new, the packet takes the Session Management Path:
    1. Perform ACL check
    2. Route lookup
    3. Allocate NAT (xlate table)
    If every check passes (YES), the session is established in the Fast Path and the connection is established; if any check fails (NO), the connection is dropped.

    If the connection is already established, the packet takes the Fast Path:
    1. IP checksum verification
    2. Session lookup
    3. TCP sequence number check
    4. NAT based on the existing session
    5. L3/L4 header adjustment
    A packet that matches no session, or whose sequence number falls outside the expected window, is dropped.

    Some packets that require L7 inspection pass through the Control Plane Path. L7 inspection is required for protocols that use two or more channels:
    - a control channel on a well-known port, and
    - a data channel on a port negotiated dynamically inside the control channel (FTP is the classic case: the inspection engine reads the port from the control channel and opens a pinhole for the data connection).


    Sequence Number Randomization

    The security appliance includes a security feature called SNR, which is implemented by the security algorithm. SNR protects against reconnaissance and TCP hijacking by an attacker.

    Most TCP/IP stacks use a fairly predictable method for choosing initial sequence numbers, and each TCP segment's sequence number indicates how many bytes have been sent. An attacker who can predict the next sequence number can forge segments that the receiver will accept, and so inject data into or hijack the session without seeing the traffic.

    The security appliance's SNR feature addresses this problem by randomizing the TCP sequence numbers of the hosts behind it.


    STATEFUL FIREWALL: SNR (figure: PC-A 192.168.1.1 on the internal network, ASA, Internet, web server 201.201.201.1; sequence numbers 600/601 on the inside, 910/911 on the outside)

    CONNECTION TABLE

        Inside TCP Sequence Number   SNR Sequence Number
        600                          910

    A TCP segment with sequence number 600 passes through the ASA. The SNR feature in the ASA changes this sequence number to a random number, 910, records the mapping in the state table and forwards the TCP segment to the destination.

    The destination is not aware of this change and acknowledges receipt of the segment to the source using ack number 911.

    The ASA receives the reply, compares it with the state table and undoes the SNR process by changing 911 to 601, so that the source device is not confused.
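    The translation on the previous slide, written out as an added example (illustrative code, not Cisco's implementation; the ASA's actual algorithm is not published, so this models only the observable behaviour: a per-connection random offset added to the inside host's sequence numbers and subtracted again from the acknowledgements coming back). The connection key and the fixed offset of 310 used in the demo are constructed so that the numbers match the slide's 600 -> 910 and 911 -> 601; the wrap-around case is the extra point the slide does not show.

```python
"""TCP Sequence Number Randomization (SNR) as the slide describes it.

Added example, not Cisco's code. Models a per-connection random offset:
outbound SEQ += offset, inbound ACK -= offset, both modulo 2**32.
"""
import secrets
from typing import Dict, Optional, Tuple

MOD = 1 << 32  # TCP sequence numbers are 32-bit and wrap around

# (inside ip, inside port, outside ip, outside port): the connection-table key
ConnKey = Tuple[str, int, str, int]


class SequenceRandomizer:
    def __init__(self) -> None:
        self.offsets: Dict[ConnKey, int] = {}

    def new_connection(self, key: ConnKey, offset: Optional[int] = None) -> int:
        """Choose the offset when the inside host's SYN is seen.

        A fixed offset may be passed to reproduce the slide; a real
        implementation must draw it from a CSPRNG, which is the whole point."""
        if offset is None:
            offset = secrets.randbelow(MOD)
        self.offsets[key] = offset
        return offset

    def close_connection(self, key: ConnKey) -> None:
        """Connection teardown: the state (and the offset) goes away."""
        self.offsets.pop(key, None)

    def rewrite(self, key: ConnKey, direction: str, seq: int, ack: int) -> Tuple[int, int]:
        """Translate one segment's (SEQ, ACK).

        "out": inside -> outside. The inside host's SEQ is shifted; its ACK
               refers to the outside host's numbering and is left alone.
        "in":  outside -> inside. The outside host's ACK refers to the shifted
               numbering, so shift it back; its SEQ is left alone.
        (SACK blocks, which the ASA must also adjust, are omitted here.)
        """
        offset = self.offsets[key]
        if direction == "out":
            return (seq + offset) % MOD, ack
        if direction == "in":
            return seq, (ack - offset) % MOD
        raise ValueError("direction must be 'in' or 'out'")


if __name__ == "__main__":
    snr = SequenceRandomizer()
    key: ConnKey = ("192.168.1.1", 11500, "201.201.201.1", 80)
    snr.new_connection(key, offset=310)           # fixed so the demo matches the slide
    print(snr.rewrite(key, "out", 600, 0))        # (910, 0): SEQ 600 leaves as 910
    print(snr.rewrite(key, "in", 5000, 911))      # (5000, 601): ACK 911 comes back as 601
    print(snr.rewrite(key, "out", 0xFFFFFFF0, 0)) # wraps correctly past 2**32
    snr.close_connection(key)
```

    One practical caveat: anything that signs or hashes the TCP header including the sequence number, such as the TCP MD5 option used to protect BGP sessions, breaks when the ASA rewrites it. The ASA therefore lets you turn randomization off per traffic class (set connection random-sequence-number disable under a policy-map class) for exactly those flows.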


    CUT-THROUGH PROXY

    The cut-through proxy (CTP) feature of the ASA enhances security.

    CTP allows the appliance to intercept incoming/outgoing connections and authenticate the user before they are permitted.

    CTP is used where the end servers the user is connecting to cannot perform authentication themselves.

    The user connections are typically not authenticated by the ASA itself but by an external security server, such as the Cisco Secure Access Control Server (CSACS). Cisco supports both the TACACS+ and RADIUS protocols for authentication.

    The CTP feature on an ASA can authenticate the following connection types:
    a. FTP
    b. HTTP and HTTPS
    c. Telnet

    Once a user has been authenticated, that user's subsequent connections are handled by the stateful inspection engine rather than being proxied at the application layer; this is the sense in which the proxy "cuts through".


    CUT-THROUGH PROXY (figure: User A and User B on the internal network, ASA, Cisco ACS server, Internet, HTTP server 100.100.100.1 and FTP server 100.100.100.2; steps 1, 2, 3, 4, 4A, 4B)

    Authentication table on the security server:

        Allowed User   Allowed Application
        A              HTTP to 100.100.100.1
        B              FTP to 100.100.100.2

    1. User A initiates an FTP request to 100.100.100.2.

    2. The ASA intercepts the connection and looks for an entry in its connection table. If an entry exists, the ASA permits the connection (4A); in this case the user was previously authenticated.

    3. If the ASA does not find an entry in the connection table, it prompts User A for a username and password and forwards the information to the security server for authentication.

    4. The security server examines its internal authentication table for the username and password and for which services this user is allowed to access, then sends an allow or deny message to the ASA.
       - If the security server sends an allow message after checking the user's credentials, the ASA adds the user's connection information to the connection table and permits the connection (4A).
       - If the ASA receives a deny message, it drops the user's connection (4B), or possibly re-prompts the user for another username/password combination.

    With the table above, User A's FTP request ends in 4B (A is authorized for HTTP only), whereas the same request from User B would be permitted.
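    The four steps above as an added simulation (illustrative code, not the ASA's or Cisco Secure ACS's implementation): the cache of authenticated sources is consulted first, an unknown source is prompted, credentials go to a stand-in AAA server, and authorization is checked per service even for cached users. The AAA database is constructed from the slide's authentication table; the passwords, client addresses and the PBKDF2 password storage are assumptions of this example, not anything the slide specifies.

```python
"""Cut-through proxy flow from the slides, as a simulation.

Added example, not Cisco code. Steps: (2) look the source IP up in the
authentication cache, (3) prompt for credentials if absent, (4) ask the
AAA server, then permit (4A) or deny (4B). AAA entries mirror the slide's
table; passwords and client addresses are made up.
"""
import hashlib
import hmac
import secrets
from typing import Dict, Optional, Set, Tuple

Service = Tuple[str, str]  # (protocol, destination ip), e.g. ("http", "100.100.100.1")


class AAAServer:
    """Stand-in for the external security server (TACACS+/RADIUS) in the slide."""

    def __init__(self) -> None:
        self._users: Dict[str, Tuple[bytes, bytes, Set[Service]]] = {}

    def add_user(self, name: str, password: str, allowed: Set[Service]) -> None:
        salt = secrets.token_bytes(16)
        digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
        self._users[name] = (salt, digest, allowed)

    def authenticate(self, name: str, password: str) -> bool:
        if name not in self._users:
            return False
        salt, digest, _ = self._users[name]
        candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
        return hmac.compare_digest(candidate, digest)

    def authorize(self, name: str, service: Service) -> bool:
        return service in self._users[name][2]


class CutThroughProxy:
    UAUTH_TIMEOUT = 300.0  # seconds; the ASA's default 'timeout uauth' is 0:05:00 absolute

    def __init__(self, aaa: AAAServer) -> None:
        self.aaa = aaa
        # Authentication cache keyed by client IP, as the ASA's uauth table is.
        self.uauth: Dict[str, Tuple[str, float]] = {}

    def connect(self, src_ip: str, service: Service, now: float,
                credentials: Optional[Tuple[str, str]] = None) -> str:
        """Return "permit" (4A), "deny" (4B) or "prompt" (step 3)."""
        cached = self.uauth.get(src_ip)
        if cached is not None and now - cached[1] < self.UAUTH_TIMEOUT:
            user = cached[0]                       # step 2: previously authenticated
        else:
            self.uauth.pop(src_ip, None)           # absent or expired
            if credentials is None:
                return "prompt"                    # step 3: ask for username/password
            user, password = credentials
            if not self.aaa.authenticate(user, password):
                return "deny"                      # 4B: bad credentials, nothing cached
            self.uauth[src_ip] = (user, now)       # cache for later connections
        # step 4: the server's authorization table decides per service
        return "permit" if self.aaa.authorize(user, service) else "deny"


if __name__ == "__main__":
    aaa = AAAServer()
    aaa.add_user("A", "a-secret", {("http", "100.100.100.1")})
    aaa.add_user("B", "b-secret", {("ftp", "100.100.100.2")})
    ctp = CutThroughProxy(aaa)
    ftp, http = ("ftp", "100.100.100.2"), ("http", "100.100.100.1")
    print(ctp.connect("192.168.1.10", ftp, now=0))                                  # prompt
    print(ctp.connect("192.168.1.10", ftp, now=1, credentials=("A", "a-secret")))   # deny: A is HTTP-only
    print(ctp.connect("192.168.1.10", http, now=2))                                 # permit, from the cache
    print(ctp.connect("192.168.1.11", ftp, now=3, credentials=("B", "b-secret")))   # permit
    # Caveat: the cache is per source IP. Anyone else sending from 192.168.1.10
    # (a NAT'd segment, a shared jump host) rides on A's authentication.
    print(ctp.connect("192.168.1.10", http, now=4))                                 # permit, nobody asked who
    print(ctp.connect("192.168.1.10", http, now=400))                               # prompt again: cache expired
```

    The last two calls are the operational caveat: because the cache is keyed by source address, cut-through proxy identifies hosts, not people, so it should not be relied on where several users share an address, and the uauth timeout should be kept short.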


    Security or Multiple Contexts (figure: one ASA with interface G0/0 and sub-interfaces G0/1.10 (shared interface in VLAN 10), G0/1.20 (VLAN 20) and G0/1.30 (VLAN 30), partitioned into an Admin context, an Internal context and a CTX-1 context)

    With this feature of the ASA, a device can be partitioned into multiple virtual devices known as security contexts.

    Each context is an independent device with its own security policies, interfaces and administrator.


    How to access the ASA?

    Cisco offers three main methods for configuring your security appliance (ASA):

    1. Command Line Interface (CLI). To gain access to the CLI you can use one of the following access methods:
       a. Console port: a Cisco rollover (flat ribbon) serial cable is used; on the PC, HyperTerminal, PuTTY or Tera Term may be used.
       b. Auxiliary port (on certain ASA models).
       c. Telnet and SSH: Telnet carries the credentials and the whole session in clear text, so Cisco does not recommend it for remote access (the ASA refuses Telnet on its lowest-security interface altogether); SSH is the recommended remote CLI method.

    2. Adaptive Security Device Manager (ASDM): GUI-based interface.

    3. Cisco Security Manager (CSM): GUI-based interface with more management tools.


    BOOT SEQUENCE OF ASA

    1. The ASA first loads its BIOS
    2. Performs diagnostic checks on its hardware components
    3. Loads the operating system

    LEVELS OF ACCESS TO THE ASA

        Level of Access          Prompt              Capabilities
        User EXEC mode           ciscoasa>           Only limited basic management and troubleshooting commands
        Privileged EXEC mode     ciscoasa#           One step above User EXEC mode; gives complete access to the ASA
        Configuration mode       ciscoasa(config)#   For implementing and changing the configuration
        Monitor or ROMMON mode   rommon>             Password recovery, low-level troubleshooting and recovery from a lost or corrupt operating system

    ROMMON is reached from the console during boot, so whoever has physical access to the appliance can reset its passwords; physical security of the device is part of its security.


    ASA FIREWALL MODES

    The ASA functions in one of two modes:

    a. Routed mode: the ASA is considered to be a next hop in the network.
    b. Transparent mode: the ASA is not a next hop; it acts as a stealth firewall or "bump in the wire".

    ____________________________________________________________

    To create virtual devices (security contexts), the ASA has two modes:

    a. Single mode: acts as a single device.
    b. Multiple mode: acts as multiple devices (the number depends on the license).


    BASIC ASA INITIALIZATION (figure: ASA with three interfaces; e1 = Inside, security level 100, 10.1.1.0/24, host 10.1.1.4; e0 = Outside, security level 0, 20.1.1.0/24, host 20.1.1.5; e2 = DMZ, security level 50, 30.1.1.0/24, host 30.1.1.6)

    ASA interfaces are identified by two names:

    1. Physical name: used when configuring the physical properties of an interface. They begin with the name ethernet: ethernet 0 on the PIX, and ethernet 0/number (e0/0, e0/1) on the ASA.

    2. Logical name (nameif): the two common names are inside (connected to the internal network) and outside (connected to the external or public network).

    Security levels: ranging from 0 to 100, 0 being least secure and 100 most secure. The security algorithm uses the security level to enforce its security policy. The rules it applies are as follows:

    - Traffic from a higher to a lower security level is permitted by default unless restricted with an ACL. This is called an outbound connection.
    - Traffic from a lower to a higher security level is denied by default unless explicitly permitted by an ACL. This is called an inbound connection.
    - Traffic between interfaces at the same security level is denied by default (unless same-security-traffic permit inter-interface is configured).
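    The security-level rules just listed and the stateful inspection described on the earlier connection-table, teardown and fast-path slides, combined into one added example (illustrative code, not Cisco's implementation). It models a connection table keyed by the initiating flow, the session-management path (policy check, route lookup) for new connections and the fast path (session lookup) for established ones, the high-to-low default, an interface ACL that replaces that default, the same-security switch, teardown and idle timeout. The interfaces, levels and hosts are the deck's; the routing table, the ACL, the packets and the 1-hour idle timeout (the ASA's default for TCP) are assumptions of this example. NAT and the L7 control-plane path are left out.

```python
"""Stateful inspection with ASA-style security levels.

Added example, not Cisco code. Topology, addresses and levels are taken
from the slides (inside 100 / dmz 50 / outside 0; hosts 10.1.1.4, 30.1.1.6,
20.1.1.5); the routes, the ACL and all packets are constructed.
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

SECURITY_LEVEL = {"inside": 100, "dmz": 50, "outside": 0}

# Constructed routing table: (prefix, egress interface); longest prefix wins.
ROUTES = [("10.1.1.0/24", "inside"), ("30.1.1.0/24", "dmz"), ("0.0.0.0/0", "outside")]

AclEntry = Tuple[str, str, Optional[int]]  # (proto, destination CIDR, dport or None = any)


@dataclass(frozen=True)
class Flow:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str = "tcp"

    def reverse(self) -> "Flow":
        return Flow(self.dst, self.dport, self.src, self.sport, self.proto)


def route_lookup(ip: str) -> str:
    addr = ipaddress.ip_address(ip)
    best_len, best_if = -1, ""
    for prefix, iface in ROUTES:
        net = ipaddress.ip_network(prefix)
        if addr in net and net.prefixlen > best_len:
            best_len, best_if = net.prefixlen, iface
    return best_if


class StatefulFirewall:
    TCP_IDLE_TIMEOUT = 3600.0  # assumption: the ASA's default 'timeout conn' of 1:00:00

    def __init__(self, acls: Optional[Dict[str, List[AclEntry]]] = None,
                 same_security_inter: bool = False) -> None:
        self.acls = acls or {}                   # ingress interface -> permit entries
        self.same_security_inter = same_security_inter
        self.conn_table: Dict[Flow, float] = {}  # initiator's flow -> last seen

    def _session(self, flow: Flow) -> Optional[Flow]:
        """Session lookup: a packet belongs to a connection in either direction."""
        for candidate in (flow, flow.reverse()):
            if candidate in self.conn_table:
                return candidate
        return None

    def _acl_permits(self, in_if: str, flow: Flow) -> bool:
        dst = ipaddress.ip_address(flow.dst)
        for proto, cidr, dport in self.acls[in_if]:
            if proto == flow.proto and dst in ipaddress.ip_network(cidr) \
                    and dport in (None, flow.dport):
                return True
        return False  # implicit deny at the end of every ACL

    def _level_policy(self, in_if: str, out_if: str) -> bool:
        src_level, dst_level = SECURITY_LEVEL[in_if], SECURITY_LEVEL[out_if]
        if src_level == dst_level:
            return self.same_security_inter  # 'same-security-traffic permit inter-interface'
        return src_level > dst_level         # outbound permitted, inbound denied

    def process(self, in_if: str, flow: Flow, now: float) -> Tuple[str, str]:
        """Return (verdict, path) for one packet arriving on interface in_if."""
        key = self._session(flow)
        if key is not None:                  # fast path: existing session
            self.conn_table[key] = now
            return "permit", "fast-path"
        # session management path
        if in_if in self.acls:               # 1. ACL check: an applied ACL replaces the level default
            allowed = self._acl_permits(in_if, flow)
        else:                                # 2. route lookup, then the security-level default
            allowed = self._level_policy(in_if, route_lookup(flow.dst))
        if not allowed:
            return "drop", "session-mgmt-path"
        self.conn_table[flow] = now          # establish the session in the fast path
        return "permit", "session-mgmt-path"

    def teardown(self, flow: Flow) -> None:
        """FIN/RST seen: remove the entry; later packets count as unsolicited again."""
        key = self._session(flow)
        if key is not None:
            del self.conn_table[key]

    def expire(self, now: float) -> int:
        """Idle timeout sweep; returns the number of entries removed."""
        stale = [f for f, seen in self.conn_table.items() if now - seen > self.TCP_IDLE_TIMEOUT]
        for f in stale:
            del self.conn_table[f]
        return len(stale)


if __name__ == "__main__":
    fw = StatefulFirewall(acls={"outside": [("tcp", "30.1.1.6/32", 80)]})
    web = Flow("10.1.1.4", 11500, "20.1.1.5", 80)
    print(fw.process("inside", web, 0))                                       # permit, session-mgmt-path
    print(fw.process("outside", web.reverse(), 1))                            # permit, fast-path
    print(fw.process("outside", Flow("20.1.1.5", 80, "10.1.1.4", 3389), 2))   # drop: no session, ACL says no
    print(fw.process("outside", Flow("20.1.1.5", 50000, "30.1.1.6", 80), 3))  # permit via the ACL
    print(fw.process("dmz", Flow("30.1.1.6", 40000, "10.1.1.4", 22), 4))      # drop: level 50 -> 100
    fw.teardown(web)
    print(fw.process("outside", web.reverse(), 5))                            # drop: entry is gone
```

    Compare the third packet with the stateless ACL example earlier in the deck: the same "reply" from port 80 that a packet filter had to permit is dropped here, because there is no matching connection-table entry. Note also that applying an ACL to an interface removes the security-level default for that interface entirely; an ACL on the outside interface with no permit for the DMZ web server would block that traffic even though it was reachable before.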


    BASIC ASA INITIALIZATION (continued; same topology figure as the previous slide)

    ciscoasa(config)# interface e0                                   - select the physical interface
    ciscoasa(config-if)# nameif <name>                               - assign the logical name to the interface
    ciscoasa(config-if)# ip address <ip-address> <subnet-mask>       - assign the IP address
    ciscoasa(config-if)# security-level <0-100>                      - assign the security level as required
    ciscoasa(config-if)# speed <auto|10|100|1000>                    - set the speed
    ciscoasa(config-if)# duplex <auto|full|half>                     - set the duplex type
    ciscoasa(config-if)# no shutdown                                 - enable the interface
    ciscoasa# show interface ip brief                                - see the configuration of the interfaces
    ciscoasa(config)# same-security-traffic permit inter-interface   - allow traffic between interfaces with the same security level

    Note that nameif inside sets the security level to 100 automatically, while any other name defaults to 0; set security-level explicitly on DMZ interfaces, otherwise the DMZ is treated as no more trusted than the outside.

    Methods of assigning an IP address to the ASA:

    i. Manually
    ii. By DHCP
    iii. PPP over Ethernet (PPPoE)


    Routing Protocols Supported by the ASA:

    a. Static routes
    b. Dynamic routing with RIP
    c. EIGRP
    d. OSPF
