Pages

Thursday, December 31, 2015

Security Interview Questions

Interview questions on Firewall
1. Which feature on a firewall can be used for mitigating IP spoofing attacks
Access control list can be used for the purpose.

2. What type of firewall can be used to block a web security threat
A web application firewall or a layer 7 firewall can be used for the purpose.

3. Which fields in a packet does a network layer firewall look into for making decisions?
IP and transport layer headers for information related to source and destination IP addresses, port numbers etc.

4. Which feature on a Cisco firewall can be used for protection against TCP Syn flood attacks
TCP intercept feature.

5. Which feature on a firewall can be used to block a specific URL or a website.
URL Filtering.

6. Which is the main field in an IP header, which is modified by a NAT firewall.
The source IP address in the IP header.

7. What type of firewall can be configured for providing user-based authentication to users on the LAN network.
Proxy firewall.

Network Security Interview questions
1. How can a brute force attack on a router be prevented
A limit for the maximum number of login attempts can be setup on the router. On exceeding the limit, the account can be locked. Logs can be setup on the router to observe the IP address from which the login attempts is generated and an access list set up to block the IP.

2. Name two radius servers which are used in network environment
IAS Server and FreeRadius.

3. A switch is configured to authenticate users with a radius server. Which port on the server would be used for radius authentication
UDP port 1812 would be used for the same.

4. A user needs to access a Windows PC, which is behind a NAT router in office. What method can be used to access the desktop of the PC from home
To access the desktop of a remote PC, windows remote desktop protocol can be used.Since the PC is behind a NAT router, port forwarding can be setup on the router to forward packets to the internal PC. The user at home would initiate remote desktop connection to the internet IP address of the NAT router, which would forward
the request to the internal PC.

5. A VPN server is to be deployed in an organization. The VPN server would be used by remote users for gaining access to the organization network. The organization has a NAT router, which is used by users inside the organization for internet sharing and has one public IP address. Can the VPN server use the same IP address, which can then be used by remote users?
The VPN server can be setup behind the NAT router and port forwarding configured to allow incoming traffic to the VPN server. The remote users would connect to the public IP address of the NAT router, which would then forward the request to the VPN server.

6. Which feature on a wireless access point can be used for blocking unauthorized access based on the mac-address
Mac-filtering feature on an access point can be used. The list of allowed mac-addresses can be configured using the feature.

7. Which field in a STP packet is manipulated in a STP BPDU attack?
The priority value in the STP header is crafted lower than the actual root bridge value, which would make the STP topology change, as lower priority value packet would be elected as the root bridge.

8. Which is a common feature used by stateless firewalls
Access control lists

9. What is TKIP and why is it used.
TKIP stands for temporal key integrity protocol. It is used by WPA, wifi protected access to provide encryption services on a wireless network.

IPSEC Interview questions
1. In which IPSEC Phase is the keys used for data encryption derived.


The keys are derived in IPSEC phase 2. The derived keys are used by IPSEC
 protocol ESP for encrypting the data.

2. How the IPSEC do protocols, ESP and AH provide replay protection.
ESP and AH include the sequence number fields in the respective headers. The
 values are used by the IPSEC peers to track duplicate packets. If a packet with an
 already received sequence number arrives, it would be rejected, thus providing 
replay protection.

3. In IPSEC, If ESP provides both encryption and authentication, why is AH 
required.
ESP does not provide authentication to the outer IP header, which AH does.

4. Explain two methods by which two IPSEC routers can authenticate with each other.
IPSEC routers can be authenticated using pre-shared keys or using digital 
certificates.

5. Which UDP ports should be open on a firewall to allow traffic from a L2TP/IPSEC based VPN clients to a PPTP VPN server on the inside
UDP port 500 for IKE traffic, UDP port 1701 for L2TP communication between client and server and UDP port 4500 for NAT-T communication.



6. Which IP protocol does AH and ESP headers use in IPSEC.
ESP and AH use IP protocol 50 and 51 respectively.

6. Which type of VPN would you use if data has to be encrypted at the network 
layer
IPSEC VPN encrypts data at the network layer whereas SSL encrypts data at the 
application layer.

Interview questions on network address translation
1. Name one instance where static NAT is used in a real-world deployment
It is used for mapping a public IP address for a Server with a private IP address.

2. Why does Active FTP not work with NAT in an Internet environment?
In Active FTP, the data connection is established to a port on the FTP client by the FTP server. The port number along with the IP address to which the server needs to initiate the connection is provided by the FTP client after the control connection is successful. When the client is behind the NAT router, the FTP server cannot initiate the connection to the provided IP address, as typically it would be a private IP address not routable on the internet.

3. How does NAT work in situations where transport layer protocols are not used. For ex: Ping
Ping does not use transport layer protocols. It uses ICMP at the network layer. NAT uses the sequence number field in the ICMP header to identify packets on which NAT is applied.

4. Two computers are behind a NAT router. The computers use the routers public IP address for sharing internet connection.If a user on the internet pings the public IP address of the router, which device would respond
The router would respond as it is configured for the public ip address.

5. How many times can NAT be applied to a packet before it reaches the destination
Any number of times.

6. Give a good reason as to why a NAT router is preferred over a Proxy for sharing internet connection
NAT works at the network layer. This means that irrespective of the application, all packets can be sent out on the internet. Proxy is application specific. So if a HTTP proxy is deployed, it can send out only HTTP based traffic on to the internet. Other traffic like ping, FTP etc would be blocked.

7. Does TCP checksum change after NAT is applied
TCP checksums are calculated based on a pseudo header which also includes source IP address of the IP header. Since the source IP header address is modified when NAT is applied, the checksum would be affected.

Security Testing Interview Questions and Answers
What is Security Testing?
Security testing is a process intended to reveal flaws in the security mechanisms of an information system that protect data and maintain functionality as intended.
Security testing is the most important type of testing for any application. In this type of testing, tester plays an important role of an attacker and play around the system to find security-related bugs.

Q#1. What is Security Testing?

Ans. Security testing can be considered most important in all type of software testing. Its main objective is to find vulnerabilities in any software (web or networking) based application and protect their data from possible attacks or intruders.
As many applications contain confidential data and needs to be protected being leaked. Software testing needs to be done periodically on such applications to identify threats and to take immediate action on them.

Q#2. What is “Vulnerability”?

Ans. The Vulnerability can be defined as a weakness of any system through which intruders or bugs can attack on the system.
If security testing has not been performed rigorously on the system then chances of vulnerabilities get an increase. Time to time patches or fixes requires preventing a system from the vulnerabilities.

Q#3. What is the Intrusion Detection?

Ans. Intrusion detection is a system which helps in determining possible attacks and deal with it. Intrusion detection includes collecting information from many systems and sources, analysis of the information and find out the possible ways of attack on the system.
Intrusion detection check following:
    1.    Possible attacks
    2.    Any abnormal activity
    3.    Auditing the system data
    4.    Analysis of different collected data etc.

Q#4. What is “SQL injection”?

Ans. SQL Injection is one of the common attacking techniques used by hackers to get the critical data.
Hackers check for any loophole in the system through which they can pass SQL queries which bypassed the security checks and return back the critical data. This is known as SQL injection. It can allow hackers to steal the critical data or even crash a system.
SQL injections are very critical and need to be avoided. Periodic security testing can prevent these kinds of attacks. SQL database security needs to be defined correctly and input boxes and special characters should be handled properly.

Q#5. List the attributes of Security Testing? 

Ans. There are following seven attributes of Security Testing:
    1.    Authentication
    2.    Authorization
    3.    Confidentiality
    4.    Availability
    5.    Integrity
    6.    Non-repudiation
    7.    Resilience

Q#6. What is XSS or Cross Site Scripting?

Ans. XSS or cross-site scripting is a type of vulnerability that hackers used to attack web applications.
It allows hackers to inject HTML or JAVASCRIPT code into a web page which can steal the confidential information from the cookies and returns to the hackers. It is one of the most critical and common techniques which needs to be prevented.

Q#7. What is SSL connection and an SSL session?

Ans. SSL or secured socket layer connection is a transient peer-to-peer communications link where each connection is associated with one SSL Session.
SSL session can be defined as an association between client and server generally created by handshake protocol. There are set of parameters are defined and it may be shared by multiple SSL connections.

Q#8. What is “Penetration Testing”?

Ans. Penetration testing is on the security testing which helps in identifying vulnerabilities in a system. A penetration test is an attempt to evaluate the security of a system by manual or automated techniques and if any vulnerability found testers use that vulnerability to get deeper access to the system and found more vulnerabilities. The main purpose of this testing to prevent a system from any possible attacks.
Penetration testing can be done in two ways –White Box testing and Black box testing.
In white box testing, all the information is available with the testers whereas in black box testing testers don’t have any information and they test the system in real-world scenario to find out the vulnerabilities.

Q#9. Why “Penetration Testing” is important?

Ans. Penetration testing is important because-
    1.    Security breaches and loopholes in the systems can be very costly as threat of attack is always possible and hackers can steal the important data or even crash the system.
    2.    It is impossible
    3.    Penetration testing identifies and protects a system by above mentioned attacks and helps organizations to keep their data safe.
Q#10.  Name the two common techniques used to protect a password file?
Ans. Two common techniques to protect a password file are- hashed passwords and a salt value or password file access control.

Q#11. List the full names of abbreviations related to Software security?

Ans. Abbreviations related to software security are:
    1.    IPsec – Internet Protocol Security is a suite of protocols for securing Internet
    2.    OSI – Open Systems Interconnection
    3.    ISDN Integrated Services Digital Network
    4.    GOSIP- Government Open Systems Interconnection Profile
    5.    FTP – File Transfer Protocol
    6.    DBA – Dynamic Bandwidth Allocation
    7.    DDS – Digital Data System
    8.    DES – Data -Encryption Standard
    9.    CHAP – Challenge Handshake Authentication Protocol
    10.    BONDING – Bandwidth On Demand Interoperability Group
    11.    SSH – The Secure Shell
    12.    COPS Common Open Policy Service
    13.    ISAKMP – Internet Security Association and Key Management Protocol
    14.    USM – User-based Security Model
    15.    TLS – The Transport Layer Security

Q#12. What is ISO 17799?

Ans. ISO/IEC 17799 is originally published in UK and defines best practices for Information Security Management. It has guidelines for all organizations small or big for Information security.

Q#13. List down some factors that can cause vulnerabilities?

Ans. Factors causing vulnerabilities are:
    1.    Design flaws – If there are loopholes in the system that can allow hackers to attack the system easily.
    2.    Passwords – If passwords are known to hackers they can get the information very easily. Password policy should be followed rigorously to minimize the risk of password steal.
    3.    Complexity – Complex software can open the doors on vulnerabilities.
    4.    Human Error – Human error is a significant source of security vulnerabilities.
    5.    Management – Poor management of the data can lead to the vulnerabilities in the system.

Q#14. List the various methodologies in Security testing?

Ans. Methodologies in Security testing are:
    1.    White Box- All the information are provided to the testers.
    2.    Black Box- No information is provided to the testers and they can test the system in real-world scenario.
    3.    Grey Box- Partial information is with the testers and rest they have to test on their own.

Q#15. List down the seven main types of security testing as per Open Source Security Testing methodology manual?

Ans. The seven main types of security testing as per Open Source Security Testing methodology manual are:
    1.    Vulnerability Scanning: Automated software scans a system against known vulnerabilities.
    2.    Security Scanning :Manual or automated technique to identify network and system weaknesses.
    3.    Penetration testing: Penetration testing is on the security testing which helps in identifying vulnerabilities in a system.
    4.    Risk Assessment: It involves analysis of possible risk in the system. Risks are classified as Low, Medium and High.
    5.    Security Auditing :Complete inspection of systems and applications to detect vulnerabilities.
    6.    Ethical hacking :Hacking done on a system to detect flaws in it rather than personal benefits.
    7.    Posture Assessment :This combines Security scanning, Ethical Hacking and Risk Assessments to show an overall security posture of an organization.

Q#16. What is SOAP and WSDL?
Ans. SOAP or Simple Object Access Protocol  is a XML-based protocol through which applications exchange information over HTTP. XML requests are send by web services in SOAP format then a SOAP client sends a SOAP message to the server. The server responds back again with a SOAP message along with the requested service.

Q#17. List the parameters that define an SSL session connection?

Ans. The parameters that define an SSL session connection are:
    1.    Server and client random
    2.    Server write MACsecret
    3.    Client write MACsecret
    4.    Server write key
    5.    Client write key
    6.    Initialization vectors
    7.    Sequence numbers

Q#18. What is file enumeration?

Ans. This kind of attack uses the forceful browsing with the URL manipulation attack. Hackers can manipulate the parameters in URL string and can get the critical data which generally not open for public such as achieved data, old version or data which in under development.

Q#19. List the benefits that can be provided by an intrusion detection system?

Ans. There are three benefits of an intrusion detection system.
    1.    NIDS or Network Intrusion Detection
    2.    NNIDS or Network Node Intrusion detection system
    3.    HIDS or Host Intrusion Detection System

Q#20. What is HIDS?

Ans. HIDS or Host Intrusion Detection system is a system in which snapshot of the existing system is taken and compares with the previous snap shot. It checks if critical files were modified or deleted then a alert is generated and send to the administrator.

Q#21. List down the principal categories of SET participants?

Ans. Following are the participants:
    1.    Cardholder
    2.    Merchant
    3.    Issuer
    4.    Acquirer
    5.    Payment gateway
    6.    Certification authority

Q#22. Explain “URL manipulation”?

Ans. URL manipulation is a type of attack in which hackers manipulate the website URL to get the critical information. The information is passed in the parameters in the query string via HTTP GET method between client and server. Hackers can alter the information between these parameters and get the authentication on the servers and steal the critical data.
In order to avoid this kind of attacks security testing of URL manipulation should be done. Testers themselves can try to manipulate the URL and check for possible attacks and if found they can prevent these kinds of attacks.

Q#23. What are the three classes of intruders?

Ans. Following are the three classes of intruders:
    1.    Masquerader: It can be defined as an individual who is not authorized on the computer but hack the system’s access control and get the access of authenticated user’s account.
    2.    Misfeasor: In this case user is authenticated to use the system resources but he miss uses his access on the system.
    3.    Clandestine user It can be defined as an individual who hacks the control system of the system and bypasses the system security system.

Q#24. List the component used in SSL?

Ans. Secure Sockets Layer protocol or SSL is used to make secure connection between client and computers. Below are the component used in SSL:
    1.    SSL Recorded protocol
    2.    Handshake protocol
    3.    Change Cipher Spec
    4.    Encryption algorithms

Q#25. What is port scanning?

Ans. Ports are the point from where information goes in and out of any system. Scanning of the ports to find out any loop holes in the system are known as Port Scanning. There can be some weak points in the system to which hackers can attack and get the critical information. These points should be identified and prevented from any misuse.
Following are the types of port scans:
    1.    Strobe: Scanning of known services.
    2.    UDP: Scanning of open UDP ports
    3.    Vanilla: In this scanning the scanner attempts to connect to all 65,535 ports.
    4.    Sweep: The scanner connects to the same port on more than one machine.
    5.    Fragmented packets: The scanner sends packet fragments that get through simple packet filters in a firewall
    6.    Stealth scan: The scanner blocks the scanned computer from recording the port scan activities.
    7.    FTP bounce: The scanner goes through an FTP server in order to disguise the source of the scan.

Q#26. What is a Cookie?

Ans. Cookie is a piece of information received from web server and stored in a web browser which can be read anytime later. Cookie can contain password information, some auto-fill information and if any hackers get these details it can be dangerous. Learn here how to test website cookies.

Q#27. What are the types of Cookies?

Ans. Types of Cookies are:
    •    Session Cookies – These cookies are temporary and last in that session only.
    •    Persistent cookies – These cookies stored on the hard disk drive and last till its expiry or manually removal of it.

Q#28. What is a honeypot?

Ans. Honeypot is fake computer system which behaves like a real system and attracts hackers to attack on it. Honeypot is used to find out loop holes in the system and to provide solution for these kinds of attacks.

Q#29. List the parameters that define an SSL session state?

Ans. The parameters that define an SSL session state are:
    1.    Session identifier
    2.    Peer certificate
    3.    Compression method
    4.    Cipher spec
    5.    Master secret
    6.    Is resumable

Q#30. Describe Network Intrusion Detection system?

Ans. Network Intrusion Detection system generally known as NIDS. It is used for analysis of the passing traffic on the entire sub-net and to match with the known attacks. If any loop hole identified then administrator receives an alert.








Tuesday, December 22, 2015

Trunking troubleshooting commands

conf t

default int range fa 0/1-5
int range fa 0/1-5
shutdown
exit

! SW1-auto, SW2-auto
int fa 0/2
switchport trunk encap dot1q
switchport mode dynamic auto
no shutdown

do show int trunk

do show int fa 0/2 switchport | ex private|Unknown

shutdown
exit

! SW1-desirable, SW2-auto
int fa 0/2
switchport trunk encap dot1q
switchport mode dynamic desirable
no shutdown

do show int trunk

! Ping SW2 over VLAN 10
do ping 192.168.1.2

! Ping SW2 over VLAN 20
do ping 192.168.2.2

do show int fa 0/2 switchport | ex private|Unknown

shutdown
exit

! SW1-auto, SW2-ON
int fa0/4
switchport trunk encap dot1q
switchport mode dynamic auto
no shutdown

do show int trunk

! Ping SW2 over VLAN 10
do ping 192.168.1.2

! Ping SW2 over VLAN 20
do ping 192.168.2.2

do show int fa 0/4 switchport | ex private|Unknown

! Chaning native VLAN on 1 side:
switchport trunk native vlan 20

do show int trunk

! Ping SW2 over VLAN 10
do ping 192.168.1.2

! Ping SW2 over VLAN 20
do ping 192.168.2.2 repeat 2

shutdown
exit
default int fa 0/4

! SW1 On/Nonegotiate, SW2-On
int fa 0/4
switchport trun encap dot1q
switchport mode trunk
switchport nonegotiate
no shutdown

do show int trunk

do show int fa 0/4 switchport | ex private|Unknown

! Ping SW2 over VLAN 10
do ping 192.168.1.2

! Ping SW2 over VLAN 20
do ping 192.168.2.2

shutdown
exit

! SW1-On/Nonegotiate, SW2-dynamic desirable
int fa 0/3
switchport trun encap dot1q
switchport mode trunk
switchport nonegotiate
no shut

do show int trunk

do show int fa 0/3 switchport | ex private|Unknown

shutdown
exit

! Flipside:

! SW1-dynamic des, SW2-On/Nonegotiate
int fa 0/5
switchport trun encap dot1q
switchport mode dynamic desirable
no shutdown

do show int trunk

do show int fa 0/5 switchport | ex private|Unknown

shutdown
exit

! SW1-On/Nonegotiate, SW2-On/Nonegotiate
int fa 0/5
switchport trun encap dot1q
switchport mode trunk
switchport nonegotiate
no shut

do show int trunk

do show int fa 0/5 switchport | ex private|Unknown

! Ping SW2 over VLAN 10
do ping 192.168.1.2

! Ping SW2 over VLAN 20
do ping 192.168.2.2

shutdown
exit






























IPv6 Security


Difference in Ipv4 and Ipv6 ACL
In IPv4 for access-list, we have implicit deny at the end

In Ipv6 ACL, there is implicit permit for 2 messages
Neighbor solicitation
Neighbor Advertisement
After that, we have implied deny for everything

To explicitly allow NS and NA in case if any router doesn’t support implicit permit
ipv6 access-list FILTERv6
permit icmp any any nd-na
permit icmp any any nd-ns
ipv6 deny any any

Monday, December 21, 2015

CPP commands IOS

configure terminal
access-list 100 permit icmp any any

! Create class map which calls
! on the ACL
class-map ICMP
match access-group 100
exit

! Create policy map which calls
! on the class map
policy-map ICMP-POLICY
class ICMP

! Tell the policy map that if
! ICMP traffic is seen, that this
! traffic should be rate limited
! down to 8Kbps, and anything over
! that should be dropped
police 8000 conform-action transmit exceed-action drop
exit
exit

! Apply the policy with to the
! logical "control-plane" with
! a service-policy command
! We need to go into control-plane
! configuration:

control-plane

! Apply the service policy, so that
! when any ICMP traffic is being
! sent TO the router (regardless
! of physical interface) it will
! be policed (rate limited).
service-policy input ICMP-POLICY
end

! To verify it is in place:
show policy-map control-plane

IOS Zone Based Firewall



So far we have two different methods to do firewall
ACL and Proxy

The third option is stateful filtering, also called as remembering. Remember session ie source ip dest ip, source port, dest port, tcp flag. All these are stored on tcp session table.  If returned traffic matches the session table then traffic is dynamically allowed.

Earlier we had :

1. Reflexive ACLs
config t

! Create an ACL that we will apply
! outbound on Fa 4/0.
! The "reflect REMEMBER" will create
! a reflexive ACL entry called "REMEMBER"
! that we can apply on a second ACL inbound.

ip access-list extended GOING-OUT
permit tcp any any reflect REMEMBER
permit udp any any reflect REMEMBER
permit icmp any any reflect REMEMBER
deny ip any any log
exit

interface fa 4/0
ip access-group GOING-OUT out

do show access-list

ip access-list extended COMING-IN
evaluate REMEMBER
deny ip any any log
exit

int fa 4/0
ip access-group COMING-IN in
exit

do show access-list

2. Context-Based Access Control
Deny everything coming in and inspect traffic when it goes out. inspect traffic out so that returned traffic is dynamically allowed. 

conf t

! Deny any initial inbound traffic

ip access-list extended DENY
deny ip any any log

int fa 4/0
ip access-group DENY in
exit

! Create a Context-Based Access Control
! (CBAC) inspection rule to remember
! TCP, UDP and ICMP
ip inspect name REMEMBER TCP
ip inspect name REMEMBER UDP
ip inspect name REMEMBER ICMP

! Apply the inspection rule outbound
! on Fa 4/0

int fa 4/0
ip inspect REMEMBER out
exit

do show ip inspect interfaces

show ip inspect sessions

3. ZBF
Identify zones (add interfaces)
Identify traffic (class maps) ie traffic on particular subnet
Identify the action (policy maps) ie inspect, allow/pass, drop
Identify the zones involved (zone pair) ie IN-TO-OUT
Specify the policy to use on the zone pair(service-policy); policy-map match to a zone pair.
































IPv6 and Security

R1#
! Prep work:
conf t
default int fa 1/0
default int fa 1/1
int fa 1/0
 mac-address cc1e.6783.1111
 no ip address
 duplex auto
 speed auto
 no keepalive
int fa 1/1
 mac-address cc1e.6783.1111
 no ip address
 duplex auto
 speed auto
 no keepalive
exit
no ipv6 router ospf 1
end
-----------------------------------------
configure terminal

! Enable IPv6 routing.  It is off by default
ipv6 unicast-routing
do show ipv6 int brief

!  Configure an IPv6 address on the interface
interface FastEthernet1/0
 ipv6 address 2001:0DB8:0000:000B:0000:0000:0000:0001/64
exit
do show ipv6 int brief

!  Configure the other interface on R1
interface FastEthernet1/1
ipv6 address 2001:DB8:0:A::1/64

!  Configure a routing protocol on R1
!  Note: no more "network" statements.

!  OSPFv3 requires a 32-bit router-id 
! If we have any IPv4 addresses, it will use that
! If no IPv4 addresses, we must set the router-id

ipv6 router ospf 1
router-id 1.1.1.1
exit

! To enable OSPFv3 on the interfaces, we need to
! go to each interface to tell them to participate in
! OSPFv3, in the correct process #
interface FastEthernet1/0
ipv6 ospf 1 area 0
exit

interface FastEthernet1/1
ipv6 ospf 1 area 0
exit

configure terminal
ipv6 access-list NO_TELNET
deny tcp 2001:db8:0:a::/64 any eq 23
permit any any

! Apply the ACL to the interface, inbound
int fa 1/1
ipv6 traffic-filter NO_TELNET in

! Verify the ACL
do show access-lists

Additional tools and commands on IOS

enable

configure terminal
enable secret cisco
aaa new-model
exit
disable

! Enter the "Root" parser View
! Use the enable secret to enter
enable view
cisco

! Verify that we are in the root view
show parser view

! From the root view, enter configuration mode
configure terminal

! Create a new View, named "help-desk"
parser view help-desk

! Set the secret for this view"
secret cisco-hd

! Lock down what can be done while
! in this help-desk view
commands exec include all show ip
commands exec include show version
commands exec include show
commands exec include logout

! Optionally, create a user, and lock him
! into this new help-desk view.  
! Even though he has privilege level 15
! the user will only be able to perform! tasks allowed by the view
username bob view help-desk privilege 15 secret cisco-bob

! Train the router to use the local database 
! (the running-config) for authentication and
! authorization on the VTY lines by creating 2 custom
! method lists, and applying those methods to the VTY lines
aaa authentication login VTY-Authen local
aaa authorization exec VTY-Author local

! Applying the custom method lists to the
! VTy lines
line vty 0 4
login authentication VTY-Authen
authorization exec VTY-Author
end

Control plane host with ssh
conf t

! Domain name required for RSA key creation
ip domain-name CBTNuggets.com

! Create the keys for SSH (Use minimum of 1024)
crypto key generate rsa modulus 1024

! One way of kicking out TELNET
line vty 0 4
transport input ssh
exit

! Another way of locking down
! management specific management
! protocols to specific ports
! Best to use Out of Band (OOB) management
! when possible
! Enter the logical control-plane interface
control-plane host

! Tell the router to only allow specific
! protocols on specific ports
management-interface fa2/0 allow ssh http https
end

Prep for CCP
configure terminal
ip http server
ip http secure-server
ip http authentication local
username admin privilege 15 secret cisco
end

config terminal
secure boot-image

secure boot-config

do show secure bootset


Data Plane Security

configure terminal
ip dhcp snooping vlan 3
ip dhcp snooping

! Trust the port where the DHCP
! server lives
int g 0/24
ip dhcp snooping trust
exit
do show ip dhcp snooping binding

conf t
int g 0/7
switchport mode access

! Up to 5 MAC addresses at same time
switchport port-security maximum 5

! Shutdown the port if over limit
! of source MAC addresses (this is the default)
switchport port-security violation shutdown

! Turn on the feature (forgotten by many)
switchport port-security

! Verify settings
do show port-security

! Save the admins time, by having
! the port automatically return from
! "err-diable" state
errdisable recovery cause psecure-violation

! How long before port is restored
errdisable recovery interval 60

configure terminal
interface g0/5
switchport mode access
switchport access vlan 3
switchport nonegotiate

conf t
spanning-tree portfast default
spanning-tree portfast bpduguard default

int g0/5
spanning-tree portfast
spanning-tree bpduguard enable

errdisable recovery cause bpduguard

do show spanning-tree summary











































AAA Config

Terms:
Remote Authentication Dial In User Service
Terminal Access Controller Access Control System

Commands:
enable

Configure terminal

! Create a local admin for safety
! Note: for all production passwords! follow best practices for length
! and complexity
username admin privilege 15 secret cisco
username bob privilege 1 secret cisco

! Configure the privilege 15 secret
enable secret cisco

! Enable AAA
aaa new-model

! Specify where the AAA server is,
! and which protocol to use (TACACS+ in this case)
tacacs-server host 192.168.1.252

! Specify the Key to use for encryption
! between the client (this router) and the AAA
! TACACS+ server
tacacs-server key cisco123

! Create a default method list and specify that
! we want to try one of the AAA servers as our
! first method in the list, and then if that times
! out, we want to use the local database, and if the
! user isn't in the local database, require the
! enable secret for access
aaa authentication login default group tacacs+ local

! Create a custom method list, that if used,
! will have no authentication required at all
! (Just in the lab)
aaa authentication login FREE-BIRD none

! Lets apply the FREE-BIRD method list to the
! Console (to make it easy on me ;)
line console 0
login authentication FREE-BIRD

! (This method list applies only
! to the console 0).  The default will apply
! to the other Lines, such as VTY and AUX.
! Lets set up a couple authorization method lists
! We will use custom lists (not a default one)
! because we don't want this to apply everywhere
! (just on our VTY lines for this demo)
exit

aaa authorization commands 1 TAC1 group tacacs+ local
aaa authorization commands 15 TAC15 group tacacs+ local

! This next command is required for the IOS
! to check for authorization for commands
! issued within configuration mode
aaa authorization config-commands

! Lets create some accounting method lists as well
aaa accounting commands 1 TAC-act1 start-stop group tacacs+
aaa accounting commands 15 TAC-act15 start-stop group tacacs+

! Lets apply the authorization and accounting custom
! method lists just to the VTY lines
! Note: default login authentication method list
! already applies to these VTY lines
line vty 0 4
authorization commands 1 TAC1
authorization commands 15 TAC15
accounting commands 1 TAC-act1
accounting commands 15 TAC-act15

Simple test:

enable

conf t
enable secret cisco
aaa new-model
aaa authentication login default enable
do debug aaa authentication
do telnet 10.1.0.1


ASA CLI L3-4



enable
conf t

show run int m0/0

## Configure interfaces
int m 0/0
no shutdown
nameif management
security-level 100
ip address 192.168.1.100 255.255.255.0
exit

int Gig 0/0
no shutdown
nameif outside
security-level 0
ip address 10.123.0.100 255.255.255.0
exit

int Gig 0/1
no shutdown
nameif inside
security-level 100
ip address 10.1.0.100 255.255.255.0
exit

int Gig 0/2
no shutdown
nameif dmz
security-level 50
ip address 172.16.5.100 255.255.255.0
exit

## To manage ASA from GUI
http server enable
http 192.168.1.0 255.255.255.0 management

## verify the config
show int ip brief

##create a default route pointing to R2
route outside 0.0.0.0 0.0.0.0 10.123.0.1 1 : 1 is AD here. Lower AD is preferred.

##Configure SNMP v3
snmp-server location CBT Nuggets Lab
snmp-server contact Keith Barker
snmp-server group G1 v3 priv
snmp-server user U1 G1 v3 auth sha a-pass priv aes 128 e-pass
snmp-server host management 192.168.1.23 version 3 U1 # who are going to send snmp message to .23
snmp cpu threshold rising 80 1  ## generate traps if CPU rising above 80 %
snmp-server enable traps cpu threshold rising

## Verify
show snmp user
show snmp group

##By default logging is disabled on ASA.

show logging
logging enable
logging host management 192.168.1.23 ## send syslog messages to .23
logging trap 5
logging console 4
logging buffered 6
clear logging buffer
exit
conf t
show log

## to remove particular log message
no logging message 111005

## to change syslog messsage
logging message 111007 level Informational: Informational is level 6
exit
conf t

## Verify
show logging | include 111007

## to clear buffer
clear logging buffer

exit
conf t

### To send some particular syslog messages to email
logging list Our-Event-List message 101001-101003
logging list Our-Event-List level Informational ## send only those messages are Informational or below

smtp-server 192.168.1.23
logging from-address [email protected]
logging recipient-address [email protected] level Informational ## send messages to this email address
logging mail Our-Event-List ## only syslog messages for this list should be sent

##Set up a time Zone
clock timezone PST -8 0
clock summer-time PDT recurring 2 Sun Mar 2:00 1 Sun Nov 2:00 60

## Ping NTP server
ping 66.187.233.4

## setup ntp
ntp server 66.187.233.4 source outside

##verify
show ntp associations
show ntp status

## set up net flow
flow-export destination management 192.168.1.23 9996 ## send netwflow record out mgmt interface to .23 on port 9996

##configure MPF
class-map global-class
match any ## match on any traffic
exit

policy-map global_policy
class global-class
flow-export event-type all destination 192.168.1.23  ### any traffic that matches the global class, export the flow to .23 which is running NetFlow collector
exit
exit

## Configure NAT for DMZ server
object network Srv-1
host 172.16.5.5
nat static 10.123.0.5 net-to-net

## if we want to configure multiple hosts, we can create object-groups
object network Srv-2
host 172.16.5.6
object network Srv-3
host 172.16.5.7
object-group network DMZ-Servers
network-object object Srv-1
network-object object Srv-2
network-object object Srv-3

## To create service object group
object-group service WEB-Services
service-object tcp destination eq http
service-object tcp destination eq https
exit

## if traffic is destined to HTTP and https ports that are running on DMZ-servers permit
access-list outside_access_in permit object-group WEB-Services any object-group DMZ-Servers
access-group outside_access_in in interface outside


Sunday, December 20, 2015

ASA and ASDM Essentials



Basic Checks:
Versions and image, certificates like self-signed which is temporary, Access allowed like SSH, user auth etc.

Certificates Options:
Temporary Self-signed
Permanent Self-signed
Permanent from CA

Configuring :
Security Levels and Other Interfaces
NAT and DHCP Services

Verification
To check Licensing on ASDM
Config -> Device Management -> Licensing -> Activation Key

To check boot image :
Config -> Device Management -> System Image -> Boot Image

To check management access :
Config -> Device Management -> Management Access -> ASDM/https/telnet/ssh

To allow http and ssh on inside interface
http 10.0.0.0 255.255.255.0 inside
ssh 10.0.0.0 255.255.255.0 inside

Lets create some users under LOCAL on ASA
Config -> device mgmt -> Users/AAA -> user accounts

CLI :
username admin password XXXXXXX encrypted privilege 15

Now for http and ssh access use LOCAL database
aaa authentication http console LOCAL
aaa authentication ssh console LOCAL
aaa authentication serial console LOCAL

Certificate Options:
Config -> device mgmt -> certificate mgmt -> Identity cert

We can have inside host as dhcp server so that it can assign ip address to outside clients.
We can also configure NAT. Anybody coming from 10.0.0.0 network and going to internet from outside interface translates the source ip address

The router is doing some basic NAT as well for the 192.168.1.0/24 address space.

To verify routing :
Monitoring -> Routing -> Routes

To configure NAT:
Config -> Firewall -> NAT

nat (inside, outside) 1 source dynamic any interface
#nat from inside to outside coming from any ip, pat on outside interface.

Configure DHCP server:
config -> device mgmt -> dhcp-> dhcpserver

dhcpd address 10.0.0.51-10.0.0.60 inside
dhcpd enable inside
dhcpd dns 8.8.8.8 interface inside















MPF

Modular Policy Framework

CPS:
Class-map: Identify traffic
Policy-map: Specify Action for that traffic
Service Policy: Where on ASA you want to apply it. Also, we have option for Global-policy

CLI for implementing Application Inspection L3/L4 :

Example :
Let's allow host to dynamically connect to ftp server and inspect ftp

#create access-list
access-list dmz_mpc permit tcp any any eq ftp

#Identity the traffic
class-map FTP-Class-MAp
    match access-list dmz_mpc

#Take action on that traffic
policy-map FTP-Policy-MAP
    class FTP-Class-MAP
    inspect ftp
This will inspect the control channel between host and ftp server

#where to apply
service-policy FTP-Policy-MAP interface dmz

To verify lets transfer some files using ftp
On ASA
show conn

To check MPF config on ASDM:

Config -> Firewall -> service policy rules

show run class-map
by default, there will be default-inspection-traffic

default-inspection-traffic is a pre-defined list of ports, services, and application that Cisco is looking for by default.

show run policy-map
display default policies

we can delete default policy

show run service-policy
we can also apply service-policy globally

CLI for implementing QOS :

priority-queue inside

class-map VOIP
    match dscp 46 : dscp bits 46 is EF

class-map TELNET
    match port tcp eq telnet

policy-map inside-policy
    CLASS VOIP
       priority
    Class TELNET
        police output 8000 1500 confirm-action transmit exceed-action drop

service-policy inside-policy interface inside

Note: prioritize of traffic is always outbound. Policing can be inbound or outbound.

CLI for implementing for connection settings
class-map TCP-sessions
    match port tcp range 1 65000

policy-map Conn-Limits
    class TCP-sessions
        set connection conn-max 500 embryonic-conn-max 50
        set connection timeout embryonic 0:05:00 half-closed 0:10:00

service-policy Conn-Limits interface outside

Note: Unlike CLI, on ASDM first we configure service rule then class and finally policy map

Config -> Firewall -> service policy rules -> Add

Note: inspection can be inbound or outbound, QOS, prioritize always outbound and policing can be inbound or outbound

TCP and UDP are by default therein Inspection list but icmp is not.






NAT on ASA


In 8.2 and older, if we forgot to configure NAT, ASA will send traffic if there is no nat-control configured. Without NAT if we are trying to connect to internet from private address the ISP will kill the packet. The second reason to use NAT is we utilize the existing ipv4 address efficiently.
So to use NAT we have to use command nat-control along with NAT rule.

In version 8.2 and older, the NAT used to work like if-then statement

Dynamic NAT :
nat(inside) 1 10.0.0.0 0 255.255.255.0
#If traffic coming on inside interface and if it is sourced from network 10.0.0.0 then it is part of NAT 1.
global (outside) 1 192.168.1.51-192.168.1.100 : what the address should be translated into
global (outside) 1 192.168.1.101 : global PAT
global (dmz) 1 interface

NAT 0:
In case If we don’t want to use NAT then we should use NAT 0 command
access-list NONAT permit ip (source net to dest net)
nat (inside) 0 access-list NONAT

NAT 0 means do not translate


Static NAT :
static (dmz,outside) 192.168.1.175 172.16.0.5
static (dmz,inside) 172.16.0.5 172.16.0.5 : Identity NAT where it maps its ip address to own ip address. It’s one to one translation

In version 8.3 and above :
Newer NAT is called object NAT or Auto NAT


Network “objects” are like an alias. When we refer to the object, the ASA knows what we are referring to.

No stoppage of traffic if there is no rule but to function, we need NAT rule. Traffic initiated from private network to internet without NAT rule will be dropped.

ASDM :
Config -> firewall -> NAT Rules -> Add

Manual NAT :

object network inside_10
      subnet 10.0.0.0 255.255.255.0
object network outside-pool
      subnet 192.168.1.51 192.168.1.100
 object network inside_10
      nat dynamic outside-pool

For object network inside_10, i want to do dynamic nat to translate address to outside pool address

This nat rule holds good if we want to go from inside to outside and dmz network. we can also create Auto NAT tied to the interface if we want to go either from inside to outside or from inside to dmz.

show nat
show xlate

The three sections of NAT
1. Manual NAT (very granular)
2. Auto NAT/object NAT
3. Manual NAT (again, after “auto NAT”)

Check for Manual NAT if not there in config check for auto if not there check for 3rd rule and if no rule is configured no NAT is applied.

Auto NAT: more specific to the interface, here we specify the interface and whether we want NAT from inside to outside or from inside to dmz.
we can configure multiple Auto NAT in section 2

object network inside_10
  nat (inside, any) dynamic outside-pool
In manual NAT we didn’t have (any or inside) interface configured which means any any.

show xlate

We can remove the xlate
clear xlate

Manual NAT after Auto:To configure any NAT we need.
Say we want to create a rule when same PC is going to network host 192.168.1.253 (R2) , let's do NAT to .101 . In previous case, we were using pool from .51-100. To do this we will create a manual rule and we want to hit it before object rule.

show nat
currently (section 2) is auto NAT portion

object network Raj-global-101_address
    host 192.168.1.101
object network R2_real_addres
        host 192.168.1.253
object network Raj_local_ip
         host 10.0.0.51
nat (inside, outside) 1 source static Raj_local_ip Raj-global-101_address destination static R2_real_adress R2_real_adress

show nat
Now in above config Manual NAT policies is part of (section 1)
and auto NAT policies (section 2)

telnet 192.168.1.253
R2#who

translated ip is shown: 192.169.1.101

We can also put Manual NAT after auto NAT

no nat 1
nat (inside, outside) after-auto 1 source static Raj_local_ip Raj-global-101_address destination static R2_real_adress R2_real_adress

show nat
Now we have section 2 and 3 since we purposefully placed Manual NAT after auto NAT
auto NAT policies (section 2)
Manual NAT Policies (section 3)

Now Auto NAT policy should be hit first.

clear xlate

telnet 192.168.1.253
R2#who
ip address shown is 192.168.1.80 : auto NAt is used

show xlate
10.0.0.51 is mapped to 192.168.1.80

To remove Manaul rule after auto NAt
no nat after-auto 1

So we can mix and match as we want it.

Case Study:
what happens when two company merge together. Say our existing client belongs to company A and new company B has internal network 10.0.0.0/24 too. Both companies have 10 networks. What to do with over-lapping ip address?

Solution: Bi-directional NAT/ Twice NAT. This is basically Manual NAT
we need to lie on both sides. Company A thinks B is in 10.2 and Company B thinks A is in 10.1
To achieve this we use source NAT and destination NAT

Example :
object-network bogus
    host 192.168.1.205
object network Raj-new-global
    host 192.168.1.102
nat (inside, outside) 2 source static Raj_local_ip Raj-new-global destination static bogus R2_real_address

If i go to that bogus address, it should translate me to new global address

show nat
section 1 Manual
section 2 Auto

A packet from 10.0.0.51 going to 192.168.1.205 should result in :

source nat changing source address to 192.168.1.102
destination nat changing destination address in the packets to 192.168.1.253

telnet 192.168.1.205
R2# show users
ip address seen 192.168.1.102

Final piece :
Let's do nat for dmz server
object network dmz-server-real
    host 172.16.0.5
object network dmz_global
    host 192.168.1.176
object network dmz-server-real
   nate(dmz, any) static dmz_global

Open browser to 192.168.1.176
http://192.168.1.176

show xlate
show nat









































Saturday, December 19, 2015

ACL on ASA



ACL (Access Control List)

Note: Traffic between two interfaces, that have same security level is NOT allowed by default.

ACLs can be placed inbound on an interface to allow initial traffic through the ASA(from lower security level to higher security level)

We can have inbound ACL’s on any interfaces. This will over-write the default initial traffic flow that goes through ASA.

There is implicit deny at the end as we used to have on the router.

Types of ACLs

1. Standard
filter based on source ip address. Not much used.

2. Extended
This can match anything in L3 and L4. Basically source and destination ip address. Always applied to inbound on the interface.

3. Global ACL: present on 8.3 and above

Any traffic going out of our network is outbound and any traffic coming to our network in inbound.

Inbound: lower to higher security level
Outbound: higher to lower security level

ACL can be applied to the inbound or outbound interface of ASA but we rarely apply it to outbound.

ASDM :

Config -> Firewall -> Access Rules -> Add

Let's create ACL to permit http traffic from any user on internet to dmz server
Access-list inbound on outside interface
access-list ACL1 permit tcp any object object dmx-server-real-ip eq http
access-group ACL1 in interface outside

Here if we don’t mention keyword extended it will by default assume extended. we can also mention time-range so that ACL will be effective during that period.

time-range During-the-week
 period weekdays 08:00 to 16:50
access-list outside_access_in line 1 extended permit tcp any object dmz-server-real-ip eq http time-range During-the-week
access-group outside_access_in in interface outside

Here line 1 is just the sequence no means this is first entry in ACL . We need not to mention this if we have a single entry.

CLI :
show time-range
show clock

Case : Say we have 3 servers on inside network and for all servers we want to allow TCP 80, 443, 25 . To accomplish this we need to have 9 entries/ lines on ACL. This is pain.

Solution :
Use object groups . One line of access-list will replace 9 lines this way.

We can identify all these servers on network object groups.

 object-group network 3-musketeers
     network-object object server2-on-dmz
     network-object object server3-on-dmz
     network-object object dmz-server-real-ip

object-group service 3-services tcp
    port-object eq http
    port-object eq https
    port-object eq smtp

access-list outside-access_in line 1 extended permit tcp any object-group 3-musketeers object-group 3-services

show access-list
show run | in access

Let’s create NAT rule for two other servers.

object network outside-server2
    host 192.168.1.177
object network server2-on-dmz
    nat static outside-server2

Try to connect to 192.168.1.177 through browser

show conn
show conn detail

Public server: Creates NAT and access-list for a device.

we can do access-list and NAT translation with one option called public server

ASDM :Config -> Firewall -> Public Servers - > Add

object network dmz-server-real-ip
    nat(dmz,outside) static dmz-server-mapped-ip
access-list outside_access line 1 extended permit tcp any object dmz-server-real-ip eq http
access-group outside-access in interface outside.

In ASA we use a normal mask instead of wildcard mask while configuring ACL.

Global ACL :It is an ACL that can hover over entire ASA. Can be applied logically inbound on all the interfaces.

By default, if there are no match on ACL list, there is implicit deny which will deny everything. If we configure global ACL the implicit deny does not have an effect.

So here is rule
1. Interface ACL
2. If no match go to global ACL
3. If no match then implicit Deny

If global ACL is not configured, it is just like normal ACL.

Global ACL is for simplicity purpose.

access-list global_access line 1 extended permit tcp any object dmz-server-real-ip eq http
access-group global_access global

implict deny at the end of ACL is no longer valid.

Packet Tracer :
To identify the initial flow of traffic. Verification of initial flow of packet.

ASDM :
Tools-> Packet Tracer
show animation

CLI :
packet-tracer input inside tcp 10.0.0.51 1065 192.168.1.176 80






























Friday, December 18, 2015

Routing Options on ASA


Giving the ASA the information it needs to take a decision on incoming packets. Train ASA how to reach L3 network.

To check routes on ASA
show route
On IOS router this command is show ip route

On ASDM :
Config -> Device Setup -> Routing -> Add

CLI :
static route
route outside 0.0.0.0 0.0.0.0 192.168.1.1 3
3 is “Distance metric” here

Static route for inside interface to reach 10.0.1.0 network
route inside 10.0.1.0 255.255.255.0 10.0.0.11 2

show route

ping 10.0.0.1

If we have 100’s of a network, we don’t want to add them manually. In that case, we will be using dynamic routing protocols.

Supported Routing Protocols
RIP v1 v2
OSPF
EIGRP

Let's configure ospf
    router ospf 1
    area 1
    network 172.16.0.0 255.255.255.0 area 1
    network 192.168.1.0 255.255.255.0 area 1
    network 10.0.0.0 255.255.255.0 area 1

show ospf neighbour
show route

to remove ospf :
no router ospf 1

RIP Config:
router rip
   no auto-summary
   version 2
   network 10.0.0.0
   network 172.16.0.0
   network 192.168.1.0

show route

To remove RIP
no router rip

EIGRP Config:
router eigrp 1
   network 172.16.0.0 255.255.255.0
   network 192.168.1.0 255.255.255.0
   network 10.0.0.0 255.255.255.0

Note : network 0.0.0.0 0.0.0.0  : This means everything in eigrp

show route

Multicast :
CLI to enable multicast routing capabilities

multicast-routing

Now we can use protocol PIM (protocol independent multicast).
It supports
1. STUB multicast routing also is known as SMR. This is used on edge of multicast network.
2. PIM SPARSE mode: it will not forward traffic until it has good reason to do so. Only forward traffic to multicast group or client whoever request that.

It also supports PIM on bidirectional functionality

ASA doesn’t support Dense mode.







ASA VLAN, Port Channel and Redundant Interfaces

VLAN Port channel and redundant interfaces

Interfaces Options
VLAN Int
EtherChannel
Redundant

How to create multiple interfaces on ASA?
create logical layer 3 interfaces. Switch port connected to ASA should be configured as a trunk port and ASA port need to support 802.1q tag and create multiple sub-interfaces on ASA. This is exactly same like a router on the stick config.

Let's configure ASA1 with three logical subinterfaces.

Config -> Device setup -> interfaces -> Add -> Interface
Once we create sub-interfaces ASA automatically knows that we are going to use 802.1q mechanism.

CLI :

interface g1.10
vlan 10
no shut
nameif inside_10
security-level 100
ip address 10.0.10.1 255.255.255.0

Similarly, we can create sub-interfaces for vlan 20 and 30.

Note: The 5505 uses “interface vlan x” commands to create new logical interfaces. All the rest of 5500 family uses sub-interfaces, as shown above.

To enable traffic between same security-level interfaces
same-security-traffic permit inter-interface

EtherChannel :
To increase throughput. Implement between the switches. To configure etherchannel we can either use PagP cisco propriety or standard LACP as communicating protocol between switches.

Link Aggregation Control protocol (LACP) uses 3 options for negotiating the etherchannel :
Active
Passive
ON (static)


Besides these protocols, we have two types of EtherChannel
L2 and L3

Let's create new logical L3 Etherchannel.

We can configure etherchannel between ASA and switch. Upto 8 active ASA interfaces can participate in etherchannel.

ASDM :
Config -> Device setup -> interfaces -> Add -> EtherChannel
No config should present on interfaces which are going to participate on etherchannel

CLI :
interface g2
    channel-group 1 mode Active
interface g3
    channel-group 1 mode Active
interface port-channel1
    port-channel load-balance src-port
    port-channel min-bundle 1
        lacp max-bundle 8
        no shut
    speed auto
    duplex auto
    nameif dmz
    security-level 50
    ip address 172.16.0.1 255.255.255.0

Redundant :
Let's create a new L3 redundant interface. This will not do load-balancing instead two interfaces active and backup will participate as a pair. At a given time active interface only forward traffic. If an active physical interface fails, standby will take up as active and it will use active interface mac address.

ASDM :

Config -> Device setup -> interfaces -> Add -> redundant interface
No config should present on interfaces which are going to participate in redundant.

CLI :

interface redundant1
    member-interface g4
    member-interface g5
    no shut
    nameif outside
    security-level 0
    ip address 192.168.1.171 255.255.255.0

Note: the interface which is configured first will be active on. in our case it is g4

Verify through CLI

show interface port-channel 1
show port-channel 1

show int redundant 1

We can make g5 as active interface
redundant-interface redundant 1 active-member g5

Now g5 will become active member












Thursday, December 17, 2015

VPN CLustering


VPN Clustering also known as Load balancing enables multiple ASAs to shared their load for remote VPN sessions. Load balancing tracks session to the least loaded ASA thus distributing the load. This not only makes efficient use of the system resources but also provides HA. This also helps to deploy remote access VPN cost effectively.  Different ASA flavors and VPN 3060 Concentrator can co-exist in a single cluster.

VPN Clustering can only be used for remote access VPN. This cannot be used for site to site VPNs.

Remote connection to the VPN Cluster can only be established from remote Cisco VPN s/w or hardware VPN client or SSL VPN .
For the cluster to work all ASA’s must be configured with same services.

Implementing VPN Clustering requires a virtual cluster by logically grouping two or more ASA’s or VPN concentrators on the same subnet. To outside client, virtual cluster looks like a single device accessible by a single virtual ip address. A VPN client attempting a VPN session connects first to this virtual address but it quickly and transparently redirects it to the least loaded device on the cluster.

At a given time one device on the cluster holds the role of the virtual Master cluster and therefore owns the virtual ip address. The virtual cluster master role is not tied to the particular device. It can shift among devices. Say if virtual master cluster fails then one of the backup devices on the cluster will take up as the master role and becomes Master Virtual cluster. The new failover cluster master is not stateful hence all the existing vpn session will drop. A new vpn session needs to be re-established. The virtual master cluster monitors all devices on the cluster, keep tracks of how busy each is and distribute the session load accordingly. Once the client connects to virtual master ip address it will reply with global ip address of the least busy device on the cluster. In the second transaction which is transparent to the device the client directly connect to that device. In this virtual master, cluster divides traffic evenly and efficiently across the devices.

If any device in the cluster fails, The terminated session can immediately re-connect to the virtual cluster ip address. The virtual cluster master then re-connect this session to the active device in the cluster. Even if several devices in the cluster fails, a user can continue to connect to the cluster as long one device in the cluster is available.

Before configuring make sure all ASA’s are configured with public and private ip addresses and all ASA must share same virtual cluster ip address.

ASDM :

Config -> Features -> VPN -> Load Balancing ->
Enable check box for Load balancing
Enter ip address of cluster this should be public
Enable ipsec encryption for encrypting the data
The devices in the cluster communicate via lan to lan tunnel by using ipsec.
Specify the key for encrypt
Select private and public interfaces
priority range is from 1-10
If this ASA is behind the firewall use NAT. This is ip address configured on router for performing the translation and statically assigned to the public interface of the ASA.

Note : 
Clustering supports Single and Multiple contexts, as well as routed and transparent mode. A single configuration is maintained across all units in the cluster using automatic configuration sync.







Wednesday, December 16, 2015

Botnet Filtering on ASA


Botnet Filtering on ASA: Reputation based filtering

Cisco has Security Intelligence Operations known as SIO
Inform, protect and respond
Early-warning intelligence, threat, and vulnerability analysis, and proven Cisco mitigation solutions to help protect networks.
They collect information about malicious traffic patterns all over the world and try to identify the people who are responsible for it.

We need to train ASA to identify malicious ip address and stop any traffic going from pc to that device.

To implement this on ASA, we need to have SIO based infrastructure and need to buy time-based license.

Basic requirements:
ASA should have reachability to cisco server to download dynamic database.

How it works?
DNS on the ASA: to resolve the name of cisco server
Turn on “DNS Snooping” : ASA will look out for each DNS request that customers are making out to the internet
Enable Client and use dynamic database
Optionally create static lists
Specify action in regard to interface

ASDM :
1. Config -> Device Management -> DNS -> DNS Client -> Add info
Primary DNS server : 8.8.8.8
Enable on outside interface

2. Config -> Firewall -> Botnet Traffic Filter -> DNS Snooping  : for botnet option we need license

3. Config -> Firewall -> Botnet Traffic filter -> Botnet Database

4. Config -> Firewall -> Botnet Traffic filter -> Black and White Lists

5.  Config -> Firewall -> Botnet Traffic filter -> Traffic Settings: to specify interface on which traffic to be blocked


Transparent Firewall



Routed vs Transparent : routed is default
Default Flows : higher to lower is allowed
Configuration Steps
Optional L2 Inspection : for spanning-tree and bpdu’s


Routed is default firewall mode.

Transparent mode operates like a L2 switch and do forwarding decision based on the mac addresses. Still it has ability to analyse application layer inspection. It can do NAT as well. ARP is allowed on both sides.

Instead of ip address here we configure Bridge group.
Traffic flows and Inspection rules work same like a routed firewall.

Few things ASA can’t do in transparent mode:
It can’t terminate VPN sessions.
If we want fw as VPN gateway, don’t configure it as transparent.

BVI: Bridge Virtual Interface

We can configure ip address on the transparent firewall to manage it.

#Static routes are required if we are placing NAT for nonlocal network devices. Static or default static route is needed to reach non-local management devices.

Note: Existing configs will be removed when changing from routed to transparent.

Configuration on 5520 :
clear config all
show firewall
firewall transparent
show firewall
hostname ASA1

## Create the logical BVI
this will be used primarily to manage this ASA over the network

interface BVI 1
ip address 192.168.1.150 255.255.255.0: this ip address is just for management purpose.

##Add interfaces to this bridge group. Name and security level commands go on the interface, but no IP address on the interfaces.

int g1
security-level 100
name inside

bridge-group 1
no shut

int g0
security-level 0
name outside

bridge-group 1
no shut

We can have more two interfaces as part of bridge group 1

Now we should be able to ping ip address on the outside

ping 192.168.1.1

#Lets enable http
http sevrer enable
http 0 0 inside

Now we should be able to connect to ASDM

https://192.168.1.150

#ICMP is not inspected by default hence pc is not able to ping to router .1 address. Let inspect imp through ASDM

On ASDM :
Config -> Firewall -> Service Policy -> Edit service policy rule -> enable ICMP

Note: IP ACLs can be used in addition to the special “Ethertype” ACLs on the interfaces.

By default, ASA will not allow  bpdu so to allow bpdu between two switches we can configure Ethertype ACL on ASA.

If we want multicast and broadcast to work we need to include those in the ACL on the interfaces.
By default, ASA doesn’t allow multicast and broadcast traffic.

In this case, router is acting as dhcpserver as well. DHcp discover and offer will use broadcast which is by default not allowed by ASA. Hence let's configure ACL’s to allow broadcast traffic.


for inside to out traffic we have configured ip any any
for out to in
object network broadcast
    host 255.255.255.255
object network dhcp-server
    host 192.168.1.1
access-list outside_access_in line 1 extended permit udp object dhcp-server object broadcast eq biotic
access-group outside_access_in interface outside
Now change the dhcp settings on PC to obtain ip address automatically .

ipconfig /all

ip address is assigned to pc by dhcp server

Note: in transparent mode, ASA will not have any ip addresses so no routing protocols can be configured. no RIP, no EIGRP, no OSPF.

Same Config on 5505:

clear config all
firewall transparent
show firewall
hostname ASA-5505

interface bvi 1
ip add 192.168.1.155 255.255.255.0

int e0/0
no shut
switch-port access vlan 10
exit

int e0/1
no shut
switch-port access vlan 20
exit

Logical interfaces :
int vlan 10
security-level 0
nameif outside
bridge-group 1
no shut

int vlan 20
security-level 100
nameif outside
bridge-group 1
no shut

ping should work

http server enable
http 0 0 inside
http 0 0 outside

http://192.168.1.155

Configure access-list

object network dhcp-server
  host 192.168.1.1
access-list inside_access_in line 1 extended permit ip any any
access-list outside-access_in line 1 extended permit udp object dhcp-server any eq bootpc
access-group inside-access_in interface inside
access-group outside-access_in interface outside

ifconfig
ip address assigned is .26

Allow icmp inspect for ping to work.

Config Steps :
firewall transparent
interface BVI x
Assign IP
Add int’s to group

Another feature: ARP Inspection

Say router mac address is AA  and XP PC send gratuitous arp mentioning router’s ip and mac as BB. If the arp cache is poison ppl will try to forward packet to BB instead of default gateway ie AA. ie man in middle attack
This is called as ARP Spoofing: the XP box is advertising the Router’s IP address, with the XP’s MAC address.


How to avoid this man in the middle attack?
using  ARP Inspection
Create a manual for ARP on the ASA, then tell the ASA to do ARP inspection
If anybody send gratuitous ARP, ASA will block that going through it.

We build the mapped table of ip to mac and turn on the arp inspection feature. Anything that doesn’t match with table will get dropped.

What will happen if some unknown frame come to ASA?
Based on best guessing it can forward or drop the packet
ie flood and no flood.

Config :
Config -> Device Management -> Advanced -> ARP -> ARP Static table -> Add
inside , 001b.7765.4321

This is best in the case where we know exact mapping of ip to mac ie static mapping

Under monitoring, we can check our static ARP table

Now go to ARP Inspection and enable it. Enable it per-interface basis.

When do we need a static route on ASA?
- If we are going to manage ASA from some network other than (192.168.1.0)
- if we are doing NAT














Monday, December 14, 2015

Active/Active Failover


If we have two physical firewalls they both can do active forwarding of traffic. Active/Active which require multiple mode on ASA in which some of the contexts are actively forwarded by physical firewall 1 and rest of the contexts are actively forwarded by another physical firewall 2.

Multiple mode HA, with load sharing

Failover groups (1 and 2)
Assigning a context to a group
Standard failover config

Hierarchy of virtual firewall
System Config
    - Ctx-1
    -Ctx-2 and so on ..

For Active/Active failover we need to create some groups.
For failover, we will create two failover groups. Failover group 1 and failover group 2
We have two ASA’s on failover setup. ASA1 as primary and ASA2 as secondary
We will configure ASA1 to be active ASA for failover group 1 and ASA2 to be active ASA for failover group 2
By default ctx-1 and ctx-2 are part of failover group 1. so we will ask ctx-1 to be part of failover group1 and ctx-2 to be part of failover group 2.
This means ASA1 is active for ctx-1 and ASA2 is active for ctx-2. This is the concept of load-sharing. traffic from user1 will be forwarded by ctx-1 and traffic from user2 will be forwarded by ctx-2. Make sure that each context is sharing 50% or less load out of total.

At this point of time we have ctx-1 and ctx-2 configured on ASA1. Also ASA1 and ASA2 are cabled but ASA2 config is empty.

Rem: when both devices boots up at the same time if they are configured correctly, the primary device will be active for ctx-1 and secondary device will be active for ctx-2. When a secondary device fails, the primary device will be active for both contexts. When the secondary device comes up, its see other device as active as assign itself as standby. By default, there is no pre-emption. We can configure pre-empt on secondary device so that when it comes up, it assign its right role of active for ctx-2. Same is true for primary device. when it goes down, secondary device will become active for both contexts and when it comes up it will be in standby state if we don't configure pre-empt. If we configure pre-empt on the primary device, after it comes up it will take the rightful role as configured before it went down.


Active/Active Failover Pre-requisites:
Verify both appliances have the same hardware
Verify that both appliances are properly Licensed.
Verify the appliances have identical s/w config.
Connect the devices together and to their networks in their failover LAN cable config and verify connectivity.
Configure the secondary appliance for https ip connectivity.

On ASA1 execute:
show context
changeto context ctx-1
show xlate
show conn

It will display the details since we are already connected from PC to browser.

Note: where to implement the failover config :
ASA1/ctx-1(config)# changeto system
ASA1(config)#

##Starting on the unit that will be PRIMARY, and with multiple mode and context already in place
## Create the first of the two failover groups
 failover group 1

## Tell the failover system that the PRIMARY unit should be active in any contexts in this “failover group #1”
primary

# Optionally, tell the system to take over the active role 2 minutes after the reboot by the primary unit of this group
preempt 120
exit

## Do the same for failover group 2
failover group 2

## Tell the failover system that the SECONDARY unit should be active in any contexts in this “failover group #2”
secondary

## Request a preempt 2 minutes after reboot  by the secondary unit for this group
preempt 120
exit

## Now tell the system that each of the contexts is assigned to 1 of the 2 failover groups
## execute this in system context
context Ctx-1
join-failover-group 1
exit

context Ctx-2
join-failover-group 2
exit

## Now we need to tell ASA what the failover links are :
# Prepare the failover interfaces (the LAN failover and stateful link )
int g4
no shut

int g5
no shut

## Tell physical box ASA1 its priority or title (Primary or secondary) . This priority (name) never changes for this physical unit.
Execute in system context
failover lan unit primary

## Configure the names and IP address for the 2 failover connections
ASA1(config)# failover lan interface fail-config g4
failover link fail-state g5
failover interface ip fail-config 1.1.1.1 255.255.255.252 standby 1.1.1.2
failover interface ip fail-state 2.2.2.1 255.255.255.252 standby 2.2.2.2

Rem: link is for stateful link

### Set the prompt to include which context if any we are working in. Currently, we are in the system (top level) configuration area.
ASA1(config)#prompt hostname context

## Change from the system execution space to the context of ctx-1 in order to add the standby address
changeto context Ctx-1
interface g1
ip address 10.0.0.1 255.255.255.0 standby 10.0.0.2
exit

Lets optionally add MAC address on the shared interfaces for this context. Since both interfaces on the same broadcast domain.
mac-address cc1e.6783.1111 standby cc1e.6783.2222

##Now the IP for outside interface on Ctx-1
ip address 192.168.1.171 255.255.255.0 standby 192.168.1.181

## Move to Ctx-2 and standby address for the virtual fw
ASA1/Ctx-1(config-if)#changeto context Ctx-2

conf t
interface ctx2_inside
ip address 10.2.2.1 255.255.255.0 standby 10.2.2.2
exit

interface ctx2_outside
mac-address cc1e.6783.3333 standby cc1e.6783.4444
ip address 192.168.1.172 255.255.255.0 standby 192.168.1.182

## Move back to the system execution space
changeto system

## Turn on failover
failover

## save the system config, and all the contexts individual configs at the same time.
write mem all

## ASA1 is seeing if there is an active failover device for the 2 groups and when it see’s that there isn’t one it will active for both groups

Execute
show failover state
We can see ASA1 is active for both groups 1 and 2
Other host is not detected since it is not yet configured .

# Move over to ASA2. Verify that it is in multiple modes which is required to be used for active/active AND this ASA2 has to match the same mode as ASA1

show mode
it should be multiple

delete any .cfg files if already present
dir *.cfg
del *.cfg

##Now we want to replicate the configuration along with .cfg files from ASA1 to ASA2

## tell ASA2 that it will be secondary unit the failover group
failover lan unit secondary

## Make sure failover interfaces are up
int g4
no shut

## Define failover interfaces names and IP's
ciscoasa #failover lan interface fail-config g4
failover interface ip fail-config 1.1.1.1 255.255.255.252 standby 1.1.1.2
failover interface ip fail-state 2.2.2.1 255.255.255.252 standby 2.2.2.2

Note: lan interfaces don’t swap ip address.

## Turn on the feature
failover

# Now config replication will happen. Now the prompt got changed from ciscoasa to ASA1
ASA1(config)#

Execute show context. this will have both Ctx-1 and Ctx-2

show failover state

Initial output :
This host - secondary
group 1 standby ready
group 2 standby ready

other host - primary
group 1 Active
group 2 Active

 Since already primary is active for both contexts, secondary becomes standby for both contexts.
 We have configure pre-empt of 120 sec. Wait for 120 sec and execute show failover state
 Final output: now right roles are assigned.
This host - secondary
group 1 standby ready
group 2 Active

other host - primary
group 1 Active
group 2  standby ready

Lets change the actual prompt . Go to primary

## By default the ASA who is active for group1 is also active in the system configuration
ASA1(config) # prompt hostname priority context state

Let's verify primary traffic is still flowing through
ASA1/pri/Ctx-1/act # show conn
show xlate
show conn

Final result :
ASA1 primary is active for failover grp1 which is assigned ctx-1
ASA2 secondary is active for failover grp2 which is assigned ctx-2
This is also called load sharing.

On ASDM :

Device List -> System -> Config -> Device Mgmt -> HA

Say if we want primary host to be active for both groups 1 and 2

ASA1/pri/Ctx-1/act # failover active group 2
#show failover state
a primary is active for both groups