CISCO ASA Firewall Training

March 29, 2018 | Author: hassoun01 | Category: Firewall (Computing), Proxy Server, Ip Address, Computer Network, Network Layer Protocols



REPORT OF SUMMER TRAINING
CCNP SECURITY - ASA FIREWALL

Prepared by: Hussein El-Hajj
Presented for: Dr. Jamal Haydar
Islamic University of Lebanon, Faculty of Engineering - CCE, Fourth Year
October 9, 2013

Report of summer training CCNP SECURITY-ASA Firewall

ACKNOWLEDGMENTS

I would like to thank my university and especially our supervisor, Dr. Jamal Haydar, for giving me the opportunity to work in such a great company. I would like to thank the staff of TerraNet for helping me improve my skills in networking. I would like to offer my special thanks to Mr. Hussein Majed (Cisco ASA Specialist) for helping me and giving me the information needed in this field.

Table of contents:

I. Introduction
II. Firewall
  II.1. Definition
  II.2. Firewall techniques
  II.3. Firewall features
III. ASA Firewall
  III.1. ASA features
  III.2. ASA models
IV. Virtual work environment and default inspection
  IV.1. Virtual work environment
    IV.1.1. GNS3
    IV.1.2. VirtualBox
  IV.2. Default inspection
    IV.2.1. Scenario 1
V. Access rules and NAT rules
  V.1. Access rules
    V.1.1. Scenario 2
  V.2. Network Address Translation (NAT)
    V.2.1. Difference between NAT and PAT
    V.2.2. Scenario 3
VI. Conclusion
VII. References

I. Introduction

Founded in 1999, TerraNet launched a comprehensive range of leading Internet connectivity services and Web solutions. TerraNet designs, develops, and customizes a complete line of industry-leading, high-performance Internet services and solutions. TerraNet offers hosting and Web development services, customized Web solutions, wireless data, and other Internet technologies and applications that are redefining the country's communications around the power and potential of the Internet.

My training was based on the CCNP Security course: we worked on the ASA firewall and learned its configuration and some of its features. Chapter II defines the firewall, its functions and its features. Chapter III presents the features and the models of the ASA firewall. Chapter IV prepares the virtual environment (GNS3 and Oracle VirtualBox) used to test the ASA and configures the default inspection on the firewall's interfaces. Chapter V defines and configures access lists and NAT and PAT rules on the interfaces.

II. Firewall

II.1. Definition

A firewall is a software- or hardware-based network security system that controls incoming and outgoing network traffic by analyzing the data packets and determining whether they should be allowed through, based on a rule set. A firewall establishes a barrier between a trusted, secure internal network and another network (e.g., the Internet) that is not assumed to be secure and trusted. Basically, a firewall, working closely with a router program, examines each network packet to determine whether to forward it toward its destination. A firewall also includes or works with a proxy server that makes network requests on behalf of workstation users.

A firewall is often installed on a specially designated computer separate from the rest of the network, so that no incoming request can get directly at private network resources. There are a number of firewall screening methods. A simple one is to screen requests to make sure they come from acceptable (previously identified) domain names and Internet Protocol addresses. For mobile users, firewalls allow remote access into the private network by the use of secure logon procedures and authentication certificates.

As a simple example, a small company decides to protect itself from the public Internet. The security domain forms where the company's network meets the Internet, and everything inside the company network resides within a secure boundary.

Figure 1: A simple security domain

The most common and effective way to implement a security domain is to place a firewall at the boundary between the trusted and untrusted parts of a network. By definition, a firewall is a device that enforces an access control policy between two or more security domains. Firewalls have interfaces that connect into the network. In order for a firewall to do its job, all traffic that crosses a security domain boundary must pass through the firewall. In effect, the firewall becomes the only pathway, or "chokepoint", in or out of the security domain.

For the simple network shown in Figure 1, a firewall would sit on the trust boundary and become the only path between Company A's internal trusted network and the untrusted public Internet. The firewall must be the only path into and out of the secured network: no other paths around the firewall, and no "backdoors" into the network behind it, can exist, because the firewall can enforce security policies only on the traffic that passes through it, not around or behind it. The firewall itself must be hardened, that is, made resistant to attack or compromise; otherwise, malicious users on the untrusted side might take control of the firewall and alter its security policies.

Now consider a different scenario. Company A is surrounded by a security domain at the Internet boundary. It wants to allow its internal, trusted users to connect to resources out on the public Internet through the Internet firewall. Company A also has some web servers that it wants to face the public, so that untrusted Internet users can interact with the business. If the web servers are located somewhere inside the security domain, then untrusted users would be granted access into the trusted environment. That isn't necessarily bad, except that malicious users might be able to attack or compromise one of the web servers. Because the web server is already a trusted resource, the malicious users might then use that server to attack other trusted resources. A better solution is to put the web servers into a security domain of their own, somewhere between the trusted internal network and the untrusted Internet. This is commonly called a demilitarized zone (DMZ).

Figure 2: Using a single firewall to form multiple security domains

II.2. Firewall techniques

A firewall can take one of the following approaches to its access control:

- Permissive access control: all traffic is allowed to pass through unless it is explicitly blocked.
- Restrictive access control: no traffic is allowed to pass through unless it is explicitly allowed.

II.3. Firewall features

A firewall can use its access control approach to evaluate and filter traffic based on the following methods and techniques:

- Stateless packet filtering: some firewalls examine traffic based solely on values found in a packet's header at the network or transport layer. Decisions to forward or block a packet are made on each packet independently. Therefore the firewall has no concept of a connection state; it knows only whether each packet conforms to the security policies.

- Stateful packet filtering: stateful packet filtering (SPF) requires that a firewall keep track of individual connections or sessions as packets are encountered. The firewall must maintain a state table entry for each active connection that is permitted, to verify that the pair of hosts is following the expected behavior as they communicate.

- Stateful packet filtering with application inspection and control: to move beyond stateful packet filtering, firewalls must add analysis at the application layer. Inspection engines in the firewall reassemble UDP and TCP sessions and look inside the application layer protocols that are passing through. Application inspection and control (AIC) filtering, also known as deep packet inspection (DPI), can be performed based on the application protocol header and its contents, allowing greater visibility into a user's activity.

- Network intrusion prevention system: a network intrusion prevention system (NIPS) examines and analyzes network traffic and compares it to a database of known malicious activity. The database contains a large number of signatures or patterns that describe specific known attacks or exploits; as new attacks are discovered, new signatures are added. In some cases NIPS devices can detect malicious activity from single packets (atomic attacks); in other cases, groups or streams of packets must be collected, reassembled, and examined. A NIPS can also detect malicious activity based on packet and session rates that differ significantly from normal activity on the network, such as a denial-of-service TCP SYN flood.

- Network behavior analysis: network behavior analysis (NBA) systems examine network traffic over time to build statistical models of normal, baseline activity. This isn't a simple bandwidth or utilization average; rather, the models consider things like traffic volume, traffic rates, connection rates, and the types of application protocols that are normally used. An NBA system continually examines traffic and refines its models automatically, although human intervention is needed to tune the results.

- Application layer gateway (proxy): an application layer gateway (ALG) or proxy is a device that acts as a gateway or intermediary between clients and servers. A client must send its application layer requests to the proxy in place of any destination server. The proxy masquerades as the client and relays the client's requests on to the actual servers. Once the servers answer, the proxy evaluates the content and decides what to do with it. Because a proxy operates on application requests, it can filter traffic based on the IP addresses involved, the type of application request, and the content of any data returned from the server.

III. ASA Firewall

III.1. ASA features

The ASA has many features that go beyond the basic firewall techniques, giving it great versatility. A summary of the main ones follows.

- Stateful packet filtering engine: the SPF engine tracks connections and their states, performing TCP normalization and conformity checks, as well as dynamic session negotiation.

- Application inspection and control: the AIC function analyzes application layer protocols to track their state and to make sure they conform to protocol standards.

- User-based access control: the ASA can perform inline user authentication followed by Cut-through Proxy, which controls the access that specific users are allowed to have. Once a user is authenticated, Cut-through Proxy also accelerates inspection of that user's traffic flows.

- Cryptographic Unified Communications (UC) proxy: when Cisco Unified Communications traffic must pass through an ASA, the ASA can be configured as an authorized UC proxy. The ASA can then terminate and relay cryptographically protected UC sessions between clients and servers.

- Denial-of-service prevention: an ASA can leverage traffic-control features like protocol normalization, traffic policing, and connection rate controls to minimize the effects of denial-of-service (DoS) attacks.

- Site-to-site VPNs: an ASA can support IPsec VPN connections between sites or enterprises. Site-to-site or LAN-to-LAN VPN connections are usually built between firewalls or routers at each location.

- Powerful Network Address Translation (NAT): as an ASA inspects and forwards packets, it can apply a rich set of NAT functions to alter source and destination addresses.

And many other features.

III.2. ASA models

At the time of this report the Cisco ASA family consisted of seven models:

- ASA 5505: the smallest model in the ASA lineup, in both physical size and performance. It is designed for small offices and home offices (SOHO). For a larger enterprise, the ASA 5505 is frequently used to support teleworkers in remote locations.

Figure 3: ASA 5505

- ASA 5510, 5520 and 5540: these three models all use a common chassis and have identical front panel indicators and hardware connections.

Figure 4: ASA 5520

- ASA 5550: designed to support large enterprises and service provider networks.

Figure 5: ASA 5550

- ASA 5580: a high-performance model designed for large enterprises, data centers, and large service providers.

Figure 6: ASA 5580

- ASA 5585-X: the highest-performing model in the family, designed for large enterprises and mission-critical data centers.

Figure 7: ASA 5585-X

IV. Virtual work environment and default inspection

IV.1. Virtual work environment

Since a physical ASA firewall was not available (because of its price, and because access to one requires privileges we did not have), we used a virtual environment. It needs two programs: GNS3 and VirtualBox.

IV.1.1. GNS3

GNS3 is a professional network emulator capable of booting images of various Cisco equipment (routers, switches, firewalls, etc.).

Figure 8: GNS3 interface

To use a device we must first point GNS3 at the appropriate Cisco image for it.

Figure 9: Choosing the Cisco image

In the figure above we used the ASA 8.4 image, which lets us run the ASA firewall device in GNS3.

IV.1.2. VirtualBox

We need three separate zones (inside, outside and DMZ), so we used three Windows XP instances in VirtualBox, one per zone, acting as the real networks of our simulation. VirtualBox can run these instances simultaneously.

Figure 10: Three instances in VirtualBox

In this figure we created three XP instances with predefined configurations that depend on the physical capabilities of the host machine.

Figure 11: Use of three different instances

After starting an instance we must install ASDM, the Cisco application that organizes and simplifies the configuration of the ASA firewall from a GUI. To install it, an ASDM image must first be placed on the ASA firewall; this file can be copied to the ASA from a TFTP server.

We used SuperPuTTY as the console connection to configure the ASA: assign an IP address and subnet mask to the interfaces and start the HTTP server that lets the authorized hosts download the ASDM application through a web browser.

Figure 12: Downloading ASDM using the web browser

After downloading the application we can access the ASA firewall easily.

Figure 13: Access to the ASA firewall

Figure 14: Configuration interface

We now have a simple interface for all the necessary configurations.

IV.2. Default inspection

Every ASA interface carries a security level between 0 (least trusted) and 100 (most trusted). By default the ASA forwards traffic that arrives on a higher-security interface and leaves through a lower-security one, and it blocks traffic that arrives on a lower-security interface bound for a higher-security one unless an access rule permits it. The return traffic of a permitted connection is allowed back because the ASA recorded the connection in its state table. ICMP is connectionless, so echo replies are tracked (and therefore let back in) only when ICMP inspection is enabled; this is why the pings in the scenario below succeed only once the inspection policy is configured. The administrator chooses which protocols are inspected and can add or remove specific protocols.

The inspection configuration (the Modular Policy Framework, MPF) is organized in three levels:

- Service policy: an entire set of policies that is applied to one or all ASA interfaces, configured with the service-policy command.
- Policy map: where an action is taken on matched traffic, configured with the policy-map command.
- Class map: where specific traffic flows are identified or classified, configured with the class-map command.

A service policy can contain one or more policy maps, which can in turn contain one or more class maps. Any class map you define can be referenced in multiple policy maps and service policies.

Figure 15: MPF organisation and structure

IV.2.1. Scenario 1

In this scenario we divided the network into three parts: the inside network with the highest security level (100), the demilitarized zone (DMZ) with a medium security level (50), and the outside network with the lowest security level (0). Once the inspection policy is configured we therefore expect the inside network to reach both the DMZ and the outside (it has the highest level), the DMZ to reach only the outside, and the outside to be unable to initiate traffic to either. The figure below shows the network built in GNS3 with the necessary IP addresses.

Figure 16: Network division

The figure below shows the commands required to configure the IP addresses of the interfaces:

Figure 17: Configuration of the interfaces

The configuration of the inside network is:

Figure 18: Configuration of the inside network

The inside host has two LAN adapters; only the second one is used, so the first one is disabled.

Figure 19: Two different LAN networks

The configuration of the DMZ network is:

Figure 20: Configuration of the DMZ network

And the configuration of the outside network is:

Figure 21: Configuration of the outside network

With only this configuration in place the three networks cannot ping each other, because the ASA does not yet track ICMP statefully, so we configure the inspection and choose the desired protocols. First we open ASDM from the host on the inside network:

Figure 22: Access from the inside network

In the firewall configuration we add a new global service policy (global means that it is applied on all of the firewall's interfaces).

Figure 23: Adding a new service policy

Then we create a class map and select the default inspection traffic.

Figure 24: Creation of a new class map

Then we choose the protocols that will be inspected on the interfaces:

Figure 25: Adding protocols to the default inspection

Figure 26: Choosing the protocols

After the configuration, access rules are applied on each interface:

Figure 27: Default access rules

With these steps the configuration is finished, and we test the communication between the networks:

Ping from the inside to the two other networks: SUCCEEDED

Figure 28: Ping from the inside to the other networks

Ping from the DMZ to the inside network: FAILED

Figure 29: Ping from the DMZ to the inside network

Ping from the DMZ to the outside network: SUCCEEDED

Figure 30: Ping from the DMZ to the outside

Ping from the outside to the other networks: FAILED

Figure 31: Ping from the outside to the other networks

V. Access rules and NAT rules

V.1. Access rules

The Cisco ASA is, at its foundation, a stateful packet filtering device that is application aware and is capable of verifying the legitimacy and correctness of packets arriving at its interfaces by using various state tables combined with configured access policies. When a packet arrives at an ASA interface, it must either match the expected traffic of an existing session or be compared against the security policy applied inbound on that interface. To decide which, the ASA must be able to determine whether arriving packets match expected traffic from an existing connection; it does this by maintaining state tables, which act as the device's short-term memory of active connections.

Figure 32: Output of the command show run

V.1.1. Scenario 2

To understand access lists we took the previous scenario, made the DMZ host a TFTP server, and had to allow access to it from the outside network:

Figure 33: Division of the network

The base configuration is the one from the previous part (default inspection). To allow connections from the outside network to the TFTP server we must create an access list. The rule should allow the 10.10.10.0/24 network to use only the TFTP protocol toward the 172.16.0.0/24 network. TFTP carries the data on a second UDP flow whose server-side port is chosen dynamically; the TFTP inspection engine, part of the default inspection traffic configured in Scenario 1, opens that flow, so the access rule itself only needs to permit TFTP (UDP port 69).

On the outside interface we add the new access rule:

Figure 34: Adding the access rule

Figure 35: Configuration of the access rule

In the service field we replace "ip" with the TFTP protocol:

Figure 36: Choosing the TFTP protocol

Figure 37: Configured access rule

We now have the new access rule, and we can see its access-list command with show run:

Figure 38: Output of the command show run

Now we save the configuration with the command copy running-config startup-config:

Figure 39: Saving the configuration

Then we test the communication. On the DMZ host we created a text file (test.txt) on the Desktop, to be downloaded from the outside host. Then we started the TFTP server on the DMZ host with the Desktop as its directory:

Figure 40: TFTP server

If we try to ping the DMZ from the outside it fails, because we did not permit ICMP: an access list applied to an interface ends with an implicit deny, so only the traffic it names gets through.

Figure 41: Ping from the outside to the DMZ

Now we download the file from the outside host with this command:

Figure 42: Output of the command GET

It succeeds. Access lists are the tool for managing access through the firewall's interfaces, especially when packets must be permitted from a lower to a higher security level.

V.2. Network Address Translation (NAT)

The ASA firewall is often deployed on the border between a network using a private IP addressing scheme and the Internet. To solve the problems of interconnecting these networks, the Cisco ASA supports Network Address Translation (NAT) and Port Address Translation (PAT).

There simply were not enough addresses available in the originally designed IP addressing scheme to accommodate universal connectivity, especially given the manner in which addresses were originally assigned. Therefore a system of "private" IP addresses was developed, first in RFC 1597, which was then superseded by the better-known RFC 1918. It allows multiple networks around the world to deploy the exact same IP addresses for hosts that require only local uniqueness, which eliminates the need to maintain globally unique addresses for every connected host worldwide. Because private IP addresses are intended for local use only and are considered "nonroutable" on the public Internet, NAT is required to translate these private (local) IP addresses to public (global), routable addresses when hosts on a private network need to communicate with hosts outside of that private network. Additionally, because many organizations can deploy the same private IP addresses, NAT is also required when hosts on networks with overlapping addresses need to communicate with each other.

Figure 43: Basic address translation example

V.2.1. Difference between NAT and PAT

When you use inside NAT, only the source IP address of the internal host is translated, and a one-to-one mapping is made between the original (local) IP address and the translated (global) address assigned to the host. The global address can be assigned either statically (fixed and permanent) or dynamically (from a pool, and temporary). If there are not enough global IP addresses to support all internal hosts, some hosts will not be able to communicate through the ASA.

The figure below illustrates dynamic inside NAT. Recall that inside NAT means that the traffic of the host subject to translation ingresses the ASA on a more secure interface than the one it egresses. In the figure, two hosts connected to the inside interface of the ASA both need to communicate with destinations on the Internet.

Figure 44: Dynamic inside NAT scenario

In this figure, hosts on the internal 10.0.0.0/24 network share a pool of global addresses, 209.165.200.235-254, from which addresses are dynamically allocated to hosts as they make connections and to which they are returned after an idle period. The earlier example (Figure 43) used static NAT instead: a fixed, permanent one-to-one mapping between one local and one global address. Translating many local addresses to a single shared global address is not NAT in this one-to-one sense but PAT, described next.
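The two translation styles compared in this section, written out in ASA 8.3+ object NAT syntax. This is an added example, not configuration from the original report: the object names (INSIDE-NET, GLOBAL-POOL) and the interface names inside/outside are assumed, while the addresses are those of the dynamic inside NAT figure above (10.0.0.0/24 translated to the pool 209.165.200.235-254). The PAT variant is the many-to-one translation that the next paragraph describes.

```cisco
! --- Variant 1: dynamic inside NAT (one-to-one, from a pool, temporary) ---
! Mapped pool of 20 global addresses, as in Figure 44. Object names are assumed.
object network GLOBAL-POOL
 range 209.165.200.235 209.165.200.254

object network INSIDE-NET
 subnet 10.0.0.0 255.255.255.0
 ! Each inside host that opens a connection takes one free pool address and
 ! keeps it until its translation idles out. The 21st simultaneous host finds
 ! the pool empty and its connection fails, which is the limitation the text
 ! above warns about.
 nat (inside,outside) dynamic GLOBAL-POOL

! Usual mitigation: same rule, but fall back to PAT on the outside interface
! address once the pool is exhausted (the trailing "interface" keyword).
! nat (inside,outside) dynamic GLOBAL-POOL interface

! --- Variant 2: dynamic inside PAT (many-to-one, port-multiplexed) ---
! Replace the nat line of INSIDE-NET with this one (a network object carries a
! single object NAT rule). All inside hosts share the outside interface
! address; the ASA rewrites each TCP/UDP source port to keep the flows apart.
! nat (inside,outside) dynamic interface

! Verification: Variant 1 shows one xlate per active host, Variant 2 one per
! connection, each with its own translated port.
! show xlate
! show nat detail
```

The PAT caveat from the text ("not compatible with all applications") shows up with protocols that carry addresses or ports inside their payload, such as active-mode FTP: they only survive PAT when the matching inspection engine (here inspect ftp in the global policy) rewrites the embedded values as well.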
With PAT, however, both the source IP address and the source port (for TCP and UDP packets) are translated, which creates a many-to-one mapping: multiple internal hosts share a single global IP address, and each of their TCP or UDP connections is assigned a unique port number, tracked by the ASA for the duration of the connection. This allows maximum efficiency in conserving global IP addresses, but is not compatible with all applications.

The figure below illustrates dynamic inside PAT:

Figure 45: Dynamic inside PAT scenario

V.2.2. Scenario 3

To understand NAT we used a scenario with three security zones: inside, outside and DMZ. In this scenario we have to publish the HTTP server in the DMZ to the outside through a NAT rule, and we should permit the DMZ to use the FTP server of the inside network.

Figure 46: Network division

To configure a NAT rule we open ASDM on the inside host, select NAT Rules and then Add:

Figure 47: NAT rule configuration

The rule is filled in as follows:

- Source interface: outside; destination interface: DMZ.
- Source address: any, because any external host that wants to reach the HTTP server must pass through this NAT rule.
- Destination address: 10.10.10.80, a "fake" address taken from the outside network; the rule translates it to the real address of the server (172.16.0.2).
- Service: any.
- Type of NAT: static.
- Translated destination address: 172.16.0.2, the address of the web server.

Figure 48: Configuration of the interfaces

Figure 49: NAT rule

Any host on the outside network that tries to reach the DMZ through the fake IP is directed to the web server. But first we must add an access rule to allow access from the lower security level (outside) to the higher security level (DMZ).

Figure 50: Configuration of the access rule needed for the NAT rule

Source is any and destination is the web server, because the two networks have different security levels. Note that the rule names the server's real address (172.16.0.2) rather than the translated one: since ASA 8.3 the firewall undoes the destination translation before it evaluates the access rule.

Now we test the connection: on the outside host we open the web browser and use the fake IP 10.10.10.80:

Figure 51: Loading the web page

The web page loads successfully. We can confirm it with the command netstat -n on the outside host:

Figure 52: Output of the command netstat -n

This is the sample page that IIS serves by default; IIS is the web server running on the DMZ host.

Now we should permit access from the DMZ host to the FTP server on the inside host.

Figure 53: Configuring the access rule

Then we test the FTP connection with this command:

Figure 54: FTP connection

The result of this command is the same as for the connection to the TFTP server.

VI. Conclusion

I learned during the training the importance and the necessity of the hardware-based firewall in the security domain: controlling access through multi-option access rules, masking private IPs by applying simple or sophisticated NAT rules, protecting critical data, filtering and detecting malicious activities, intrusion prevention and detection, and many other features. I also learned how to create multiple instances of virtual machines to operate and simulate real-case networks. Finally, I learned that security is a very important parameter in implementing networks, due to the escalating threats, excessive attacks, spreading viruses and hacking techniques all over the cyber world.

VII. References

- CCNP Security FIREWALL 642-618 Official Cert Guide
- www.wikipedia.com
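Appendix: CLI equivalent of the lab configuration

Every step of Scenarios 1 to 3 was performed through ASDM screens that survive above only as figure captions. What follows is the command-line equivalent on ASA 8.4, added here as an example; it is not taken from the original report. Assumptions are marked in the comments: the interface numbering (GigabitEthernet0/1/2), the inside subnet 192.168.1.0/24 with the FTP server at 192.168.1.10, and the firewall's own addresses (10.10.10.1, 172.16.0.1) are not stated in the report; the outside network 10.10.10.0/24, the DMZ 172.16.0.0/24, the DMZ host 172.16.0.2 (TFTP server in Scenario 2, IIS web server in Scenario 3) and its public address 10.10.10.80 are. Two points the ASDM screenshots do not show are spelled out: ICMP must be inspected for ping replies to return, and binding an access list to an interface replaces that interface's implicit higher-to-lower permit.

```cisco
! ===== Scenario 1: three zones and the inspection policy =====
! Interface names/numbers and the firewall's own addresses are assumed;
! the security levels (100 / 50 / 0) are the report's.
interface GigabitEthernet0
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
interface GigabitEthernet1
 nameif dmz
 security-level 50
 ip address 172.16.0.1 255.255.255.0
interface GigabitEthernet2
 nameif outside
 security-level 0
 ip address 10.10.10.1 255.255.255.0

! Modular Policy Framework: class-map -> policy-map -> service-policy.
! inspect tftp / inspect ftp open the dynamically negotiated data channels
! that the Scenario 2 and 3 tests rely on. inspect icmp is not in the factory
! default and is what lets echo replies come back from a lower-security
! interface, so without it the pings in Figures 28 and 30 fail.
class-map inspection_default
 match default-inspection-traffic
policy-map global_policy
 class inspection_default
  inspect ftp
  inspect tftp
  inspect icmp
service-policy global_policy global

! ===== Scenario 2: TFTP from the outside (0) into the DMZ (50) =====
! Lower-to-higher traffic needs an explicit permit. Everything the list does
! not name is dropped by its implicit deny, which is why the outside->DMZ ping
! of Figure 41 fails once the list is bound to the interface below.
access-list OUTSIDE_IN extended permit udp 10.10.10.0 255.255.255.0 172.16.0.0 255.255.255.0 eq tftp

! ===== Scenario 3a: publish the DMZ web server with static NAT =====
! Outside clients connect to 10.10.10.80; the ASA rewrites the destination to
! 172.16.0.2 before the access list is evaluated, so (since 8.3) the access
! rule names the real address, as Figure 50 does. Restricting the service to
! TCP/80 rather than "any" is this example's choice, not the report's.
object network WEB-SERVER
 host 172.16.0.2
 nat (dmz,outside) static 10.10.10.80
access-list OUTSIDE_IN extended permit tcp any host 172.16.0.2 eq www
access-group OUTSIDE_IN in interface outside

! ===== Scenario 3b: FTP from the DMZ host to the inside FTP server =====
! Binding a list to the dmz interface removes its implicit permission to reach
! the lower-security outside, so that is re-granted explicitly while all other
! traffic toward the inside stays blocked. Inside addresses are assumed.
access-list DMZ_IN extended permit tcp host 172.16.0.2 host 192.168.1.10 eq ftp
access-list DMZ_IN extended deny ip any 192.168.1.0 255.255.255.0
access-list DMZ_IN extended permit ip 172.16.0.0 255.255.255.0 any
access-group DMZ_IN in interface dmz

! Save (the report's copy running-config startup-config) and verify.
write memory
! show access-list OUTSIDE_IN   -> hit counts per rule after each test
! show xlate                    -> the static 10.10.10.80 <-> 172.16.0.2 entry
! show conn                     -> live connections with their state flags
```

To reproduce the report's results, run the three test series in order after each block: the Scenario 1 pings, the TFTP GET from the outside host, then the browser and FTP connections. The hit counters in show access-list identify which rule admitted (or which implicit deny dropped) a given test.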