7/30/2019 ASA - Copy
1/44
Introduction to Network Security
First we have to understand the concept of SECURITY in general.
SECURITY may be defined as the safeguarding of our assets or important goods.
The degree of security provided to our assets depends on the nature of their importance and our need for them.
SECURITY
- Family Security
- Social Security
- Home/Internal Security
- National Security
- International Security
- IT/Networking Security
IT/Network Security
The Computer Security Institute (CSI) has produced many reports on security.
IT Security deals with every term used in Information Technology, including N/W Security. Network Security deals only with the components utilized in networking (Internet/Intranet), including the manipulation of Internet Protocols.
Internet protocols (TCP/UDP/ICMP/IGMP) are customized by the network administrator as per the security policies of the company.
NETWORKING SECURITY
N/W Security involves securing the network from internal or external threats.
It also involves finding the balance between an open and evolving network and protecting the company's private data.
In brief, we can say that networking security is a process to counter any unauthorized access or illegal intrusion into the network.
TO PROVIDE AN EFFECTIVE SECURITY, A COMPANY MUST DEAL WITH THREE THINGS
Adversaries : An adversary is a person interested in attacking your network. Some common adversaries :-
- Disgruntled employees
- Skilled or unskilled hackers
- Criminals or terrorists
- Other countries
- Competing companies
Motivation : The range of an adversary's motivations is :-
- To gather or steal information (competing companies and criminals)
- To deny service (terrorists, other countries and criminals)
- To take up a challenge (hackers)
Class of Attacks : Adversaries can employ five types of attacks :-
- Passive
- Active
- Distributed
- Insider
- Close-in
Class of Attacks
Passive:
In this attack the attacker gains access to information or data without the knowledge of the users, for example by:
- Capturing and monitoring unencrypted/unprotected communication
- Looking for clear-text passwords
A FIREWALL IS A SYSTEM OF HARDWARE OR SOFTWARE THAT CONTROLS ACCESS BETWEEN TWO OR MORE NETWORKS.
THE FUNCTION OF THE FIREWALL IS SIMILAR TO THAT OF A PHYSICAL WALL THAT HELPS TO KEEP FIRE FROM SPREADING.
HERE WE CAN SAY, FOR EASE OF UNDERSTANDING, THAT :
FIRE MEANS
Illegal intrusion or unauthorized access to a system or network
AND
WALL MEANS
Protection or policies to counter unauthorized access
FUNCTION OF FIREWALL
The firewall has only two major functions :
a. To permit the traffic
b. To deny the traffic
All firewalls perform the above functions by examining the network traffic and directing that traffic based on the rule set (which may be predefined in the system or may be defined by the administrator as per the company's network policies).
METHODS OR TYPES OF FIREWALL
There are three methods of traffic control in the network, and a firewall uses one of these methods :
a. Packet Filtering
b. Proxy Service
c. Stateful Inspection
1. Packet Filtering :- The oldest and most commonly used firewall technology.
- Inspects only the traffic that occurs at the L3 and L4 layers.
- Analyzes IP packets and compares them to a set of established rules called an ACL.
- The following elements are inspected by this method :
a. Source & destination IP address
b. Source & destination port
c. Protocol (used by name or number)
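A stateless L3/L4 packet filter of the kind this slide describes, added here as an example (it is not the page's or Cisco's code): each ACL entry matches on source/destination address, protocol and destination port, the first match wins, and an unmatched packet falls to an implicit deny. The ACL entries, packet fields and addresses are constructed for illustration.

```python
# Added example: a stateless L3/L4 packet filter of the kind described on
# the Packet Filtering slide. The ACL entries, packet fields and addresses
# below are constructed for illustration; this is not Cisco's implementation.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional


@dataclass(frozen=True)
class Packet:
    src_ip: str
    dst_ip: str
    proto: str                      # "tcp", "udp" or "icmp"
    src_port: Optional[int] = None  # None for protocols without ports
    dst_port: Optional[int] = None


@dataclass(frozen=True)
class AclEntry:
    action: str                     # "permit" or "deny"
    proto: str                      # protocol name, or "ip" for any protocol
    src: str                        # CIDR prefix, or "any"
    dst: str                        # CIDR prefix, or "any"
    dst_port: Optional[int] = None  # None matches any destination port

    def matches(self, pkt: Packet) -> bool:
        # Only the L3/L4 header fields named on the slide are examined:
        # addresses, ports and protocol. Nothing about earlier packets is kept.
        if self.proto != "ip" and self.proto != pkt.proto:
            return False
        if self.src != "any" and ip_address(pkt.src_ip) not in ip_network(self.src):
            return False
        if self.dst != "any" and ip_address(pkt.dst_ip) not in ip_network(self.dst):
            return False
        if self.dst_port is not None and self.dst_port != pkt.dst_port:
            return False
        return True


def filter_packet(acl: List[AclEntry], pkt: Packet) -> str:
    """Evaluate the ACL top-down: the first matching entry decides.

    An ACL that matches nothing ends in an implicit deny, so any traffic the
    administrator forgot to permit is dropped rather than let through.
    """
    for entry in acl:
        if entry.matches(pkt):
            return entry.action
    return "deny"


# Constructed rule set using the address plan from the initialization slides:
# block ICMP, allow inside hosts to reach the DMZ web server on port 80 only,
# and block all other inside-to-DMZ traffic.
ACL = [
    AclEntry("deny", "icmp", "any", "any"),
    AclEntry("permit", "tcp", "10.1.1.0/24", "30.1.1.6/32", dst_port=80),
    AclEntry("deny", "ip", "10.1.1.0/24", "30.1.1.0/24"),
]
```

Such a filter has no memory of earlier packets, so return traffic would have to be opened explicitly; the stateful inspection method on the later slides removes that limitation.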
2. Proxy Service:
Information from the Internet is retrieved by the firewall and then sent to the host that had requested it. The proxy works on behalf of the host on the protected network segment.
The protected host never actually makes any connection with the outside world.
[Diagram: Proxy Server placed between the Internet and the Inside or Protected Network]
3. Stateful Inspection:
In this method, certain parts of the packet are compared to a database of trusted information.
The firewall maintains a state table for each traffic flow passing through it from the inside network and allows the response for traffic that was generated from inside. This arrangement is built into the firewall algorithm.
Stateful packet filtering
Stateful filters are more intelligent than simple packet filters in that they can block all incoming traffic and still allow the return traffic generated by the machines sitting behind them.
They can keep track of a variety of information regarding the packets that are traversing them, including the following:
1. Source & destination TCP & UDP port nos.
2. TCP sequence numbering
3. TCP flags
4. UDP traffic tracking based on timers
TYPES OF FIREWALL
a. Packet Filtering
- Static Filtering
- Dynamic Filtering
- Stateful Inspection
b. Circuit Gateway
c. Application Proxy
d. Hybrid
PC Firewall, SOHO Firewall, F/W Application, Large Enterprise Firewall
COMPONENTS OF FIREWALL
Console : Provides constant updates of network traffic
- contains the status of security level & applications
Logs : A firewall maintains three types of logs
a) Security Logs : Record potentially threatening activities such as port scanning, DoS etc. The logged event consists of the date & time of the event, no. of attacks, severity and direction (inbound/outbound).
b) System Logs : Record operational changes such as S/W execution errors, S/W modification, starting/ending services etc. System logs are useful for troubleshooting because they carry information about errors & warnings.
c) Traffic & Packet Logs : Allow capturing & recording all the data that enters or leaves the computer or network. They give information about traffic passing through the firewall, traffic blocked at the F/W, time/date, type of traffic, no. of events occurring during a certain period, IP addresses of attempted attacks, name of the host computer and IP address of the user.
Application List : The list of running applications; it displays all applications and services. The user is able to make changes to the list by restricting access to some applications and giving permission to others.
Configuration Option : Allows the user to set up the configuration; it contains log files, network browsing rights, password protection and notification of attacks.
Advanced Rules : These rules apply to all applications. The administrator sets these rules as per the network's policies.
Positioning of Firewall
Some of the basic guidelines for positioning a firewall are as follows:-
1. Topological location of the firewall:
It is often a good idea to place a firewall on the periphery of a private network, as close as possible to the final exit and the initial entry point into the network.
In most cases firewalls shouldn't be placed in parallel to other network devices such as routers. This can cause the firewall to be bypassed.
Positioning of Firewall
2. Accessibility & Security Zones:
If there are servers that need to be accessed from the public network, such as web servers, it is often a good idea to put them in a demilitarized zone (DMZ).
A DMZ allows publicly accessible servers to be placed in an area that is physically separate from the private network, forcing attackers who have somehow gained control over these servers to go through the firewall again to gain access to the private network.
Positioning of Firewall
3. Layering Firewalls:
In networks where a high degree of security is desired, two or more firewalls can be deployed in series. If the first firewall fails, the second one can continue to function.
This technique is often used as a safeguard against network attacks that exploit bugs in a firewall's software: if one firewall's software is vulnerable to an attack, hopefully the software of the second firewall sitting behind it will not be.
Firewalls from different vendors are often used in these setups.
Adaptive Security Algorithm
Flavors of ASA & Introduction to Security Appliances
PIX (Packet Internet Exchange) - uses the Finesse Operating System
ASA (Adaptive Security Appliance) - Cisco proprietary, used with a Security Policy

Segment   SOHO     ROBO      SMB    ENTERPRISE   SP
PIX       PIX501   PIX506E   515E   PIX525       PIX535
ASA       5505     5510      5520   5540         5580-20, 5580-40

SOHO - Small Office Home Office
ROBO - Remote Office Branch Office
SMB - Small/Medium Size Business
SP - Service Provider
Adaptive Security Algorithm
ASA is the foundation on which the firewall is built. It defines how the firewall examines traffic passing through it and applies various rules.
The basic concept behind ASA is to keep track of the various connections being formed from the networks behind the firewall to the public network.
ASA also defines the information the firewall saves for any given connection made through it (this is called state information where TCP is used).
The ASA algorithm also defines how the state and the other information are used to track the session passing through the firewall. To achieve this behavior, the firewall keeps track of the following information:
1. IP packet source and destination information.
2. TCP sequence nos. & additional TCP flags.
3. UDP packet flow & timers.
ASA FIREWALL
The Cisco Adaptive Security Appliances are purpose-built solutions that combine the most effective security and VPN services with the innovative Cisco Adaptive Identification and Mitigation (AIM) architecture.
Additionally, the adaptive security appliance software supports Cisco Adaptive Security Device Manager (ASDM). ASDM delivers world-class security management and monitoring through an intuitive, easy-to-use web-based management interface. Bundled with the adaptive security appliance, ASDM accelerates adaptive security appliance deployment with intelligent wizards, robust administration tools, and versatile monitoring services that complement the advanced integrated security and networking features offered by the market-leading suite of the adaptive security appliance.
Basic Features of ASA Firewall
This section discusses some of the basic features of ASA; these features are the fundamental building blocks of the firewall.
1. Secure and proprietary Operating System
2. Stateful Inspection of Traffic
3. Sequence Number Randomization (SNR) to secure TCP connections
4. Cut-through Proxy for authenticating Telnet, HTTP and FTP
5. Default Security Policy to ensure maximum protection, as well as the ability to customize these policies and build your own policies
6. VPN abilities : IPsec, SSL and L2TP
7. NAT and ACL
8. Multiple contexts / Virtualization of Policies using contexts
9. Failover and redundancy
10. IDS and IPS
SECURITY POLICY OVERVIEW
The security policy determines which traffic is allowed to pass through the ASA to access another network.
By default:
(a) Traffic from a higher security level to a lower security level is allowed.
(b) Only TCP and UDP traffic is inspected; the rest of the traffic is denied.
ACLs can be used to customize the default policies for permitting or denying the traffic. The security policy may also involve:
- Applying NAT
- Applying HTTP, HTTPS or FTP filtering (in conjunction with a separate server running one of the following internet filtering products: i. Websense Enterprise ii. Secure Computing SmartFilter)
- Applying Application Inspection
- Securing traffic to the AIP-SSM (Advanced Inspection & Prevention Security Service Module) & CSC-SSM (Content Security & Control Security Service Module) modules
- Applying QoS policies (for voice and video streaming traffic)
- Applying connection limits to prevent DoS attacks, and TCP Normalization (advanced connection settings to drop abnormal packets)
- Enabling threat detection
Assigning Varying Security Levels to Interfaces
ASA allows varying security levels to be assigned to its various interfaces. These segments are called Security Zones.
Each interface can be assigned a level from 0 to 100.
The interface connected to the public network has level 0 assigned to it, i.e., the Outside interface.
The interface sitting on the private network has a security level of 100, i.e., the Inside interface (most secure).
DMZ interfaces have security levels between 0 and 100.
NOTE:- By default, traffic can flow freely from a high security level interface to a low security level interface. For traffic to flow from a low security level to a high security level, rules need to be explicitly defined.
Stateful Inspection of Traffic:
1. Outbound connections are allowed, except those specifically denied by an ACL.
2. Inbound connections or states are denied, except those specifically allowed.
3. All ICMP packets are denied unless they are specifically permitted; this includes echo replies to pings originated from the inside network.
STATEFUL INSPECTION - STATEFUL FIREWALL
[Diagram: PC-A (192.168.1.1) on the Internal Network, the stateful firewall, and a Web Server (201.201.201.1) on the Internet; steps 1, 2 and 3 below are marked on the diagram]
CONNECTION TABLE
Inside IP Add   IP Protocol   Inside IP Port   Outside IP Add   Outside Port
192.168.1.1     TCP           11500            201.201.201.1    80
1. A user PC-A located in the Inside Network performs an HTML request to a Web Server outside your network.
2. As the request reaches the stateful firewall, the firewall stores the user information (Src & Dst Address, Protocol and Port information) in the State or Connection Table.
3. The firewall forwards the user's HTTP request to the destination Web Server.
STATEFUL FIREWALL (continued)
[Diagram: same topology as above; steps 1, 2, 2A and 2B below are marked on the diagram]
CONNECTION TABLE
Inside IP Add   IP Protocol   Inside IP Port   Outside IP Add   Outside Port
192.168.1.1     TCP           11500            201.201.201.1    80
1. The HTTP request is received by the destination Web Server and it sends the corresponding web page to the user PC-A.
2. The firewall intercepts the connection response and compares it with the entries in its state table.
A. If a match is found in the Connection Table, the returning packets are permitted.
B. If a match is not found in the Connection Table, the returning packets are dropped.
A stateful firewall maintains this Connection Table. If it sees a connection teardown request between the source and destination, the stateful firewall removes the corresponding entry.
If a connection entry is idle for a period, the entry will time out and the stateful firewall will remove the entry from the connection table.
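The connection-table behaviour of the last few slides (outbound opens an entry, return traffic is matched against it, teardown and idle timeout remove it), combined with the interface security-level rules from the "Assigning Varying Security Levels" slide, as an added example that is not the ASA's own code. Interface names, levels, the idle timeout and the packet model are constructed; ICMP handling and ACLs are left out.

```python
# Added example: a simplified stateful connection table combined with the
# interface security-level rules from the "Assigning Varying Security Levels"
# slide. Interface names, levels, timeouts and the packet model are constructed
# for illustration; this is not the ASA's own code and ICMP is not modelled.
from dataclasses import dataclass
from typing import Dict, Tuple

# Connection table key: (inside IP, protocol, inside port, outside IP, outside port),
# the same columns as the slide's CONNECTION TABLE.
Conn = Tuple[str, str, int, str, int]


@dataclass(frozen=True)
class Packet:
    in_if: str      # interface the packet arrives on
    out_if: str     # interface it would leave on (after the route lookup)
    src_ip: str
    dst_ip: str
    proto: str
    src_port: int
    dst_port: int
    teardown: bool = False   # e.g. TCP FIN/RST: the connection is being closed


class StatefulFirewall:
    def __init__(self, levels: Dict[str, int], idle_timeout: int,
                 same_security_permitted: bool = False) -> None:
        self.levels = levels                    # interface name -> security level 0..100
        self.idle_timeout = idle_timeout        # seconds of inactivity before an entry expires
        self.same_security_permitted = same_security_permitted  # "same-security-traffic permit"
        self.table: Dict[Conn, int] = {}        # connection -> time last seen

    def _expire(self, now: int) -> None:
        # Idle entries time out and are removed from the connection table.
        for conn in [c for c, seen in self.table.items() if now - seen > self.idle_timeout]:
            del self.table[conn]

    def _update(self, key: Conn, teardown: bool, now: int) -> str:
        if teardown:
            self.table.pop(key, None)           # a teardown request removes the entry
        else:
            self.table[key] = now               # refresh the idle timer
        return "permit"

    def process(self, pkt: Packet, now: int) -> str:
        self._expire(now)
        forward = (pkt.src_ip, pkt.proto, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        reverse = (pkt.dst_ip, pkt.proto, pkt.dst_port, pkt.src_ip, pkt.src_port)
        # Return traffic of a recorded connection is permitted whatever the direction.
        if reverse in self.table:
            return self._update(reverse, pkt.teardown, now)
        src_lvl, dst_lvl = self.levels[pkt.in_if], self.levels[pkt.out_if]
        # Higher -> lower (outbound) may open a new connection by default;
        # equal levels only when same-security traffic has been permitted.
        if src_lvl > dst_lvl or (src_lvl == dst_lvl and self.same_security_permitted):
            return self._update(forward, pkt.teardown, now)
        # Lower -> higher (inbound) with no matching state: denied unless an ACL
        # explicitly allows it (ACLs are outside this example).
        return "deny"
```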
STATEFUL INSPECTION - PACKET FLOW
[Flowchart, reconstructed as text]
If the connection is new -> Session Management Path:
1. Perform ACL check
2. Route lookup
3. Allocate NAT (Xlate Table)
Then establish the session in the Fast Path.
If the connection is already established -> Fast Path:
1. IP checksum verification
2. Session lookup
3. TCP sequence no. check
4. NAT based on the existing session
5. L3/L4 header adjustment
Each path ends in either "Connection Established" (YES) or "Connection Dropped" (NO).
Some packets that require L7 inspection pass through the Control Plane Path. L7 inspection is required for protocols that have two or more channels:
- Data channel - known ports
- Control channels - unknown ports
Sequence Number Randomization
The Security Appliance includes a security feature called SNR, which is implemented by the Security Algorithm. SNR is used to protect you from reconnaissance and TCP hijacking by hackers.
Most TCP/IP stacks use a fairly predictable method when choosing sequence numbers, and the TCP segment indicates the number of bytes sent. In this case, a hacker can use this information to make predictions concerning the next set of data to be sent, and can use this information to hijack the session.
The Security Appliance's SNR feature addresses this problem by randomizing the TCP sequence number.
STATEFUL FIREWALL - SNR
[Diagram: PC-A (192.168.1.1) on the Internal Network, the ASA, and the Web Server (201.201.201.1) on the Internet; sequence numbers 600/601 on the inside and 910/911 on the outside are marked on the diagram]
CONNECTION TABLE
Inside TCP Sequence Number   SNR Sequence Number
600                          910
A TCP segment passes through the ASA with sequence number 600 in the segment. The SNR feature in the ASA changes this sequence number to a random number, 910, places it in the state table and forwards the TCP segment to the destination.
The destination is not aware of this change and acknowledges to the source the receipt of the segment using ack number 911.
The ASA receives the reply, compares it with the state table, and undoes the SNR process by changing the 911 to 601, so that the source device is not confused.
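The translation walked through on this slide (600 becomes 910 towards the server, and the ACK 911 is turned back into 601 towards PC-A) as an added example that is not the ASA's implementation: one random offset per connection is kept in the state table, added on the way out and subtracted from the ACK on the way back, with 32-bit wraparound. The connection key, the Segment model and the fixed offset used for demonstration are constructed.

```python
# Added example: the sequence number translation shown on the SNR slide
# (600 -> 910 towards the server, ACK 911 -> 601 back towards PC-A). The
# per-connection offset, its key and the Segment model are constructed; this
# is not the ASA's implementation.
import secrets
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

MOD = 1 << 32          # TCP sequence numbers are 32-bit and wrap around
ConnKey = Tuple[str, int, str, int]   # (inside IP, inside port, outside IP, outside port)


@dataclass(frozen=True)
class Segment:
    seq: int
    ack: int = 0
    ack_flag: bool = False    # True when the ACK number is meaningful


class SeqRandomizer:
    """Keeps one random offset per connection in the state table."""

    def __init__(self) -> None:
        self.offsets: Dict[ConnKey, int] = {}

    def new_connection(self, key: ConnKey, offset: Optional[int] = None) -> int:
        # The offset is chosen at random so the outside peer never sees the
        # inside host's predictable sequence numbers; a fixed offset is
        # accepted only for demonstration.
        self.offsets[key] = secrets.randbelow(MOD) if offset is None else offset % MOD
        return self.offsets[key]

    def outbound(self, key: ConnKey, seg: Segment) -> Segment:
        """Inside -> outside: shift the sequence number the peer will see."""
        off = self.offsets[key]
        return Segment(seq=(seg.seq + off) % MOD, ack=seg.ack, ack_flag=seg.ack_flag)

    def inbound(self, key: ConnKey, seg: Segment) -> Segment:
        """Outside -> inside: undo the shift on the ACK so the inside host is not confused."""
        off = self.offsets[key]
        ack = (seg.ack - off) % MOD if seg.ack_flag else seg.ack
        return Segment(seq=seg.seq, ack=ack, ack_flag=seg.ack_flag)
```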
CUT-THROUGH PROXY
The CTP feature of ASA is used to enhance security.
CTP allows the appliance to intercept incoming/outgoing connections and authenticate them before they are permitted.
CTP is used where the end servers the user is connecting to cannot perform authentication themselves.
The user connections are not typically authenticated by the ASA itself, but by an external security server, such as the Cisco Secure Access Control Server (CSACS). Cisco supports both the TACACS+ and RADIUS protocols for authentication.
The CTP feature on an ASA can authenticate the following connection types :
a. FTP
b. HTTP and HTTPS
c. Telnet
CUT-THROUGH PROXY
[Diagram: User A and User B on the Internal Network, the ASA, a Cisco ACS Server, and on the Internet an HTTP Server (100.100.100.1) and an FTP Server (100.100.100.2); steps 1, 2, 3, 4, 4A and 4B below are marked on the diagram]
Authentication Table
Allowed User   Allowed Application
A              HTTP to 100.100.100.1
B              FTP to 100.100.100.2
1. User A initiates an FTP request to 100.100.100.2.
2. The ASA intercepts the connection and looks for an entry in its connection table. If an entry exists, the ASA permits the connection (4A). In this case, the user was previously authenticated.
3. If the ASA does not find an entry in the Connection Table, it prompts User A for a username and password and forwards the information to the Security Server for authentication.
4. The Security Server examines its internal authentication table for the username and password and for which service this user is allowed to access, and then sends an allow or deny message to the ASA.
- If the Security Server sends an allow message after checking the user's credentials, the ASA adds the user's connection information to the connection table and permits the connection.
- If the ASA receives a deny message, it drops the user's connection (4B), or possibly re-prompts the user for another username/password combination.
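The decision flow of steps 2 to 4 above, using this slide's authentication table, as an added example that is not the ASA's or Cisco ACS's code: an already-authenticated connection is permitted without a prompt (4A), otherwise the user is prompted and the external server's allow/deny answer decides (4B). The AuthServer class is a constructed stand-in for a TACACS+/RADIUS server such as CSACS, and the passwords and client addresses are constructed.

```python
# Added example: the cut-through proxy decision flow from this slide, using
# the slide's authentication table (A may use HTTP to 100.100.100.1, B may use
# FTP to 100.100.100.2). The AuthServer class is a constructed stand-in for a
# TACACS+/RADIUS server such as CSACS, and the passwords are constructed; this
# is not the ASA's or Cisco ACS's code.
from typing import Callable, Dict, Set, Tuple

Rule = Tuple[str, str]           # (application, server IP) a user may reach
Conn = Tuple[str, str, str]      # (client IP, application, server IP)
Prompt = Callable[[], Tuple[str, str]]   # asks the user for (username, password)


class AuthServer:
    """Stand-in for the external security server (e.g. CSACS)."""

    def __init__(self, creds: Dict[str, str], allowed: Dict[str, Set[Rule]]) -> None:
        self.creds = creds        # username -> password (constructed)
        self.allowed = allowed    # username -> services the user may access

    def authorize(self, user: str, password: str, app: str, server: str) -> str:
        # Step 4: check the credentials and the allowed-application table,
        # then answer the ASA with "allow" or "deny".
        if self.creds.get(user) != password:
            return "deny"
        return "allow" if (app, server) in self.allowed.get(user, set()) else "deny"


class CutThroughProxy:
    def __init__(self, auth: AuthServer) -> None:
        self.auth = auth
        self.connections: Set[Conn] = set()   # connections already authenticated

    def connect(self, client_ip: str, app: str, server: str, prompt: Prompt) -> str:
        conn = (client_ip, app, server)
        if conn in self.connections:
            return "permit"                    # 4A: entry exists, user already authenticated
        user, password = prompt()              # step 3: prompt for username/password
        if self.auth.authorize(user, password, app, server) == "allow":
            self.connections.add(conn)         # remember it so later packets are not re-prompted
            return "permit"
        return "deny"                          # 4B: drop (a real ASA may re-prompt instead)
```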
Security or Multiple Context
[Diagram: one physical ASA partitioned into an Admin Context, an Internal Context and a CTX-1 Context; G 0/0 and the sub-interfaces G 0/1.10 (VLAN 10, shared interface), G 0/1.20 (VLAN 20) and G 0/1.30 (VLAN 30) are assigned to the contexts]
With this feature of ASA, a device can be partitioned into multiple virtual devices known as Security Contexts.
Each context is an independent device with its own security policies, interfaces & administrator.
How to access the ASA ?
Cisco offers three main methods for configuring your Security Appliance (ASA):
1. Command Line Interface (CLI) - To gain access to the CLI, you can use one of the following access methods :
a. Console Port - A Cisco ribbon serial cable is used. On the PC, HyperTerminal, PuTTY or Tera Term S/W may be used.
b. Auxiliary Port (on certain ASA models)
c. Telnet and SSH : For security reasons Cisco does not recommend these types of remote access.
2. Adaptive Security Device Manager (ASDM) : GUI-based interface
3. Cisco Security Manager (CSM) : GUI-based interface with more management tools
BOOT SEQUENCE OF ASA
1. The ASA first loads its BIOS
2. Performs diagnostic checks on its hardware components
3. Loads the Operating System
LEVEL OF ACCESS TO THE ASA
Level of Access          User Prompt          Capabilities
User EXEC Mode           ciscoasa>            Allows only limited basic management & troubleshooting commands
Privileged EXEC Mode     ciscoasa#            One step above User EXEC Mode; gives complete access to the ASA
Configuration Mode       ciscoasa(config)#    For configuration implementation and changes
Monitor or ROMMON Mode   rommon>              Used for password recovery, low-level troubleshooting and to recover from a lost or corrupt Operating System
ASA FIREWALL MODE
ASA functions in two different modes:
a. Routed Mode : The ASA is considered to be the next hop in the network.
b. Transparent Mode : The ASA is not considered a next hop. It acts as a stealth firewall or "bump in the wire".
____________________________________________________________
To create virtual devices (Security Contexts), ASA has two modes:
a. Single Mode - Acts as a single device
b. Multiple Mode - Acts as multiple devices (based on the license)
BASIC ASA INITIALIZATION
[Diagram: ASA with three interfaces, e0, e1 and e2. Inside: Security Level 100, 10.1.1.0/24, address 10.1.1.4. Outside: Security Level 0, 20.1.1.0/24, address 20.1.1.5. DMZ: Security Level 50, 30.1.1.0/24, address 30.1.1.6. A router interface f0/0 is shown on each segment.]
ASA interfaces are classified by two names to distinguish them :
1. Physical Name : Used when we configure the physical properties of an interface. They begin with the name ethernet: ethernet 0 in PIX and ethernet 0/number (e0/0, e0/1) in ASA.
2. Logical Name : The two common names used are Inside (connected to the internal N/W) & Outside (connected to the external or public N/W).
Security Levels : Ranging from 0 to 100. 0 is least secure and 100 is most secure. The Security Algorithm uses the security level to enforce its security policy. The rules that the SA uses are as under :
- Traffic from a higher to a lower security level is permitted by default unless restricted with an ACL. This is called an outbound connection.
- Traffic from a lower to a higher security level is denied by default unless explicitly permitted by an ACL. This is called an inbound connection.
- Traffic between interfaces with the same security level is denied by default.
BASIC ASA INITIALIZATION (continued)
[Diagram: same topology as on the previous slide]
ciscoasa(config)# interface e0 - select the physical interface
ciscoasa(config-if)# nameif <name> - to assign a logical name to the interface
ciscoasa(config-if)# ip address <ip address> <subnet mask> - to assign the IP address
ciscoasa(config-if)# security-level <0-100> - to assign the security level as required
ciscoasa(config-if)# speed <speed> - to set the speed
ciscoasa(config-if)# duplex <type> - to set the duplex type
ciscoasa(config-if)# no shutdown - to enable the interface
ciscoasa# show interface ip brief - to see the configuration of the interfaces
ciscoasa(config)# same-security-traffic permit inter-interface - to allow traffic between interfaces with the same security level
Methods of assigning an IP address to the ASA
i. Manually
ii. By DHCP
iii. PPP over Ethernet (PPPoE)
Routing Protocols Supported by ASA :
a. Static & Dynamic
b. RIP
c. EIGRP
d. OSPF