Transcript of Cisco Firewall Basics (BRKSEC-1020)

Source: d2zmdbbm9feqrf.cloudfront.net/2014/usa/pdf/BRKSEC-1020.pdf

Cisco Firewall Basics

BRKSEC – 1020

Michael Overstreet

Security Consulting Systems Engineer

[email protected]


Introduction


© 2014 Cisco and/or its affiliates. All rights reserved. BRKSEC-1020 Cisco Public

Michael Overstreet

• Security Consulting Systems Engineer for Federal

• 16 years Cisco Security

– SPAs, ASA courseware development, Security & Wireless Certification Testing

• 20 years in Security

• Pursuing my CCIE Security (0 for 2 with the v4 Lab)

• South Carolinian residing in Texas

• Passionate about brewing and drinking beer

– Scotches and Bourbons fall under the drinking passion, too


Session Information

• This is an introductory session

– It is not meant for professionals with deep knowledge of firewalls and the Cisco ASA

• If you want

– Deep knowledge of the ASA and details about advanced configuration examples

– This session is not for you

• Note: Session will NOT cover IPv6, IPS, VPN, FWSM or Pricing

• Basic FW Understanding with Simplistic ASA Configuration


Agenda

• Introduction

• Firewalls in General

• ASA Product Family

• CLINet Overview

• ASA Firewall Basics

• Other Cisco Firewalls

• Q&A


Firewalls in General


Securing/Hardening for What Purpose or Need?

• Subversion – Bots, Viruses, and Worms; Spyware and Adware

• Disruption – Denial of service attacks; Advanced Persistent Threats (APTs); Penetration Attempt; Zero-day Attacks; Hacker Attacks

• Data Loss – Data theft and/or interception; Identity theft


Next Generation Security

Attack Continuum – Visibility and Context

• BEFORE – Control, Enforce, Harden

• DURING – Detect, Block, Defend

• AFTER – Scope, Contain, Remediate

Technologies across the continuum: Firewall, NGFW, NAC + Identity Services, VPN, UTM, NGIPS, Web Security, Email Security, Advanced Malware Protection, Network Behavior Analysis


Network Security Components

• Multiple network components are needed by security administrators to combat these threats in an effort to secure the network

– Firewalls with stateful packet inspection and micro application filtering (NGFW)

– Virtual Private Networks (VPNs) for secure communication over an untrusted network

– Intrusion prevention systems (NGIPS) to identify threats and attacks

– Anti-virus and anti-spyware to combat viruses, worms, and other malware

• Firewalls are the core component for defense from the threats to network security

• The firewall is often the conduit through which other defense components combat the threats that face the network


Firewalls – What are they?

• Stateful packet and application inspection and filtering appliances that work at both the network and application layers

• Provide a platform for the features/functionality needed for network security

– VPNs (remote-access and site to site)

– Anti-malware

– IPS

• Next-generation security should not abandon proven stateful inspection capabilities in favor of application and user ID awareness by itself

• A comprehensive network security solution includes firewalls, next-generation firewalls (application inspection and filtering), and next generation intrusion prevention systems (context aware)


Firewall Features – Common Features

• Filtering – Security policy enforcement for network connections inbound and outbound

• Stateful Inspection – Tracking allowed outbound or inbound network connections

• Network Address Translation – Translation of IPs from one network to another

• Application visibility and control – Ability to determine which application a packet belongs to

• Features and Services Flexibility – Adding functionality to meet security needs

[Figure: ISP – firewall – Internal, with packet streams passing through the firewall]


Filtering

• The genesis of firewalls was initially a means to filter traffic based on the five tuple

– Source IP address – the IP address of the initiator of the IP packet

– Destination IP Address – the IP address of the destination of the IP packet

– Source Port – UDP or TCP port used by the initiator to establish communications with the destination

– Destination Port – UDP or TCP port on the destination that the initiator communicates with

– IP Protocol – the specific IP protocol used in the communication

• UDP/53 – Domain Name Service (DNS)

• TCP/25 – Simple Mail Transfer Protocol (SMTP)

• TCP/21 – File Transfer Protocol (FTP)

[Figure: ISP – firewall – Internal and DMZ Network (Public Web/DB); packets with Src IP 5.5.5.5 arriving from the ISP side]


Stateful inspection of traffic – More than just a filter

• Most routers and switches can filter based on the five tuple…why a firewall then?

• Stateful firewalls track L3/L4 traffic as it leaves and returns to the network

– Connections are maintained in the connection table, tracking the five tuple and additional information such as TCP sequence numbers

[Figure: ISP – ASA – Internal. Outbound packet: Src IP 1.1.1.1, Dest IP 2.2.2.2, Src Port TCP/35478, Dest Port TCP/80. Return packet: Src IP 2.2.2.2, Dest IP 1.1.1.1, Src Port TCP/80, Dest Port TCP/35478]

Connection Table

TCP outside:2.2.2.2/80 (2.2.2.2/80) inside:1.1.1.1/35478 (1.1.1.1/35478), flags UfIOB, idle 4m39s, uptime 6m16s, timeout 1h0m, bytes 3002
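As an added example (not code from the deck), the following Python models the connection table shown on the slide: an outbound packet from the inside creates an entry keyed on its five tuple, return traffic is matched against the reversed tuple, and unsolicited packets from the outside are dropped. It assumes only two interfaces (inside and outside), no NAT, no ACL permitting inbound traffic, a caller-supplied clock and the 1h0m idle timeout; the flags field is not modeled.

```python
from dataclasses import dataclass

IDLE_TIMEOUT = 3600   # default TCP idle timeout, shown on the slide as "timeout 1h0m"


@dataclass(frozen=True)
class FiveTuple:
    proto: str
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int

    def reversed(self) -> "FiveTuple":
        """The tuple carried by the return packets of this flow."""
        return FiveTuple(self.proto, self.dst_ip, self.dst_port, self.src_ip, self.src_port)


@dataclass
class Conn:
    key: FiveTuple        # always stored as seen from the inside initiator
    created: int          # seconds on a caller-supplied clock (assumption: no real time)
    last_seen: int
    bytes: int = 0


class ConnTable:
    """Toy connection table keyed on the five tuple of the initiating packet."""

    def __init__(self):
        self.conns: dict[FiveTuple, Conn] = {}

    def process(self, pkt: FiveTuple, in_if: str, length: int, now: int) -> str:
        """Return 'existing', 'new' or 'drop' for one packet arriving on in_if."""
        self.expire(now)
        # Packets from inside carry the initiator tuple; packets from outside carry its reverse
        key = pkt if in_if == "inside" else pkt.reversed()
        conn = self.conns.get(key)
        if conn is not None:
            conn.last_seen = now
            conn.bytes += length
            return "existing"
        # No state yet. Only the inside (security level 100) may open a connection
        # here, because the outside interface has no ACL permitting anything inbound.
        if in_if != "inside":
            return "drop"
        self.conns[pkt] = Conn(pkt, now, now, length)
        return "new"

    def expire(self, now: int) -> None:
        """Remove entries idle longer than the timeout, as the ASA does."""
        for key in [k for k, c in self.conns.items() if now - c.last_seen > IDLE_TIMEOUT]:
            del self.conns[key]

    def show_conn(self, now: int) -> list[str]:
        return [render(c, now) for c in self.conns.values()]


def fmt_duration(seconds: int) -> str:
    """Render like the slide: 4m39s below an hour, 1h0m at an hour or above."""
    h, rem = divmod(seconds, 3600)
    m, s = divmod(rem, 60)
    return f"{h}h{m}m" if h else f"{m}m{s}s"


def render(conn: Conn, now: int) -> str:
    k = conn.key
    outside = f"{k.dst_ip}/{k.dst_port}"
    inside = f"{k.src_ip}/{k.src_port}"
    # The address in parentheses is the translated one; with no NAT it repeats the real one
    return (f"{k.proto} outside:{outside} ({outside}) inside:{inside} ({inside}), "
            f"idle {fmt_duration(now - conn.last_seen)}, uptime {fmt_duration(now - conn.created)}, "
            f"timeout {fmt_duration(IDLE_TIMEOUT)}, bytes {conn.bytes}")


if __name__ == "__main__":
    table = ConnTable()
    out = FiveTuple("TCP", "1.1.1.1", 35478, "2.2.2.2", 80)
    print(table.process(out, "inside", 502, 0))                 # new
    print(table.process(out.reversed(), "outside", 2500, 97))   # existing
    print(table.process(FiveTuple("TCP", "3.3.3.3", 4444, "1.1.1.1", 22), "outside", 60, 120))  # drop
    print(*table.show_conn(376), sep="\n")
```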


Network Address Translation

• Network address translation (NAT) is the mapping of IP addresses from a private network to a public network

• NAT gives network administrators and security administrators:

– Access to non-publicly routable IPv4 space

– Cost savings because addresses are not cheap

– Allows for masquerading of internal network addresses

– IPv4 Address space is exhausted

[Figure: ISP – ASA – Internal. Internal side: Src IP 1.1.1.1, Dest IP 2.2.2.2, Src Port TCP/35478, Dest Port TCP/80. ISP side after translation: Src IP 10.10.10.10, Dest IP 2.2.2.2, Src Port TCP/35478, Dest Port TCP/80]


Next Generation Security

• The ability to secure the network has grown beyond stateful packet inspection and filtering based on the five tuple

• Next generation security is a paradigm shift focusing on network security holistically

• Application visibility and control, along with context information from network traffic, allows security administrators to apply granular controls to traffic flows on the network

• The firewall is the platform to apply next generation security to the network


Feature and Service Flexibility

• Threats and our counter-measures to these threats are changing quickly

• The firewall must have the feature richness and service flexibility to allow security administrators to evolve network defenses against the polymorphic threats faced today

• Stateful firewall inspection coupled with next-generation features and services increases the security administrator's arsenal to defend against today’s and tomorrow’s threats

• Today…Tomorrow…Next Month…Next Year…


The ASA Product Family


Cisco ASA is Available on a Broad Range of Platforms to Meet Different Needs

• SOHO and Branch – ASA 5505, ASA 5512-X, ASA 5515-X

• Edge and Campus – ASA 5525-X, ASA 5545-X, ASA 5555-X

• Data Center and Virtual – ASA 5585-X SSP 10 / 20 / 40 / 60, ASASM, ASAv*

*Shipping in Q2 CY2014


Key Attributes: SOHO and Branch

Metric               | 5505                   | 5512-X                                                | 5515-X
Max. FW throughput   | 150 Mbps               | 1 Gbps                                                | 1.2 Gbps
Max. IPS throughput  | 75 Mbps                | 250 Mbps                                              | 400 Mbps
Max. NGFW throughput | NA                     | 200 Mbps                                              | 350 Mbps
Max. VPN throughput  | 100 Mbps               | 200 Mbps                                              | 250 Mbps
Max. VPN Peers       | 25*                    | 250*                                                  | 250*
I/O                  | 8 Fast Ethernet Switch | Integrated: 6 GE Copper; Extended: 8 GE Copper or SFP | Integrated: 6 GE Copper; Extended: 8 GE Copper or SFP
Clustering           | Not Supported          | Yes. Requires Security Plus License                   | Yes

*Site-to-Site VPN is Free. AnyConnect VPN is a Licensed Feature


Key Attributes: Edge and Campus

Metric               | 5525-X   | 5545-X   | 5555-X
Max. FW throughput   | 2 Gbps   | 3 Gbps   | 4 Gbps
Max. IPS throughput  | 600 Mbps | 900 Mbps | 1.3 Gbps
Max. NGFW throughput | 650 Mbps | 1 Gbps   | 1.4 Gbps
Max. VPN throughput  | 300 Mbps | 400 Mbps | 700 Mbps
Max. VPN Peers       | 750*     | 2500*    | 5000*
Power Supply         | Single   | Dual     | Dual
I/O                  | Integrated: 8 GE Copper / Extended: 6 GE Copper or SFP (all three models)
Clustering           | Enabled by default in the base license (all three models)

*Site-to-Site VPN is Free. AnyConnect VPN is a Licensed Feature


Key Attributes: Data Center (5585-X and ASASM)

Metric               | SSP 10  | SSP 20  | SSP 30  | SSP 40  | ASASM
Max. FW throughput   | 4 Gbps  | 10 Gbps | 20 Gbps | 40 Gbps | 20 Gbps
Max. IPS throughput  | 2 Gbps  | 3 Gbps  | 5 Gbps  | 10 Gbps | NA
Max. NGFW throughput | 2 Gbps  | 5 Gbps  | 9 Gbps  | 13 Gbps | NA
Max. VPN throughput  | 1 Gbps  | 2 Gbps  | 3 Gbps  | 5 Gbps  | 2 Gbps
Integrated I/O       | SSP 10 / SSP 20: 8-port 10/100/1000 and 2-port 10 GE (SFP+); SSP 30 / SSP 40: 6-port 10/100/1000 and 4-port 10 GE (SFP+) | NA
Extended I/O         | 4-port or 8-port 10 GE (SFP/SFP+) or 20-port 1 GE (12-port 1 GE SFP and 8-port 10/100/1000) (all SSPs) | NA
Clustering           | Enabled by default in the base license (all SSPs) | NA


Cisco ASA Allows You to Pay-As-You-Grow with ASA Clustering

• 2 unit clustering available on all 5500-X platforms

• Up to 16* units in 5585-X cluster

• Max. firewall throughput: 640Gbps

• Max. IPS inspection capacity: 160Gbps

• Average IPS inspection capacity: 80Gbps

* Q2 CY2014


ASAv

Key Attributes: Virtual

Metric                   | ASAv10           | ASAv30
Max. FW throughput       | 1 Gbps           | 2 Gbps
IPS                      | Stateful FW Only | Stateful FW Only
NGFW                     | Stateful FW Only | Stateful FW Only
Max. VPN Peers           | 250              | 750
VLANs                    | 50               | 250
Max. Concurrent Sessions | 100k             | 500k

Note:

• Performance numbers are indicative and not final until the product is generally available

• Clustering and multi-context are NOT supported in ASAv


Case Study Network – CLINet.com


CLINet.com – Cisco LIVE Information Networking Company

• CLINet is a fictional company created for these use cases in ASA Firewall deployment

– CLINet has embarked on a network/security deployment project entitled “The Security 10/20 Project” which you will now be a part of

• Company requirements and configuration examples are based upon real-life customer conversations and deployments

– Only designs we have fully certified

– Cisco Validated Design (CVD) approved configuration(s)

• i.e. VMDC (Data Center CVD) www.cisco.com/go/vmdc


CLINet Security Priorities for SEC-1020 Project

The CLINet network & security team has five requirements for the initial deployment:

1. Initial Deployment

2. Configure Interfaces for inside, outside and DMZ networks

3. NAT DMZ host to external address

4. Apply the initial ACL to the outside interface

5. Monitor connection table


CLINet Network Diagram – Deploy Redundant ASA(s) in Routed Mode for Edge/DMZ

Note: DC security architecture not depicted in this layout, nor will it be discussed

[Diagram: ISP-A and ISP-B – Edge – Aggregation (Edge Agg VDC) – DMZ Network (Public Web/DB) – Internal Network]


ASA Firewall Initial Setup


ASA Management – On the Box

• The ASA has a command line interface (CLI) with syntax and other conventions similar to the Cisco IOS CLI, but the adaptive security appliance operating system is not a version of Cisco IOS software

• Do not assume that a Cisco IOS CLI command works with or has the same function on the adaptive security appliance

• The Adaptive Security Device Manager (ASDM) is a Java based web user interface that can be used to configure the ASA

• Because ASDM is Java based, any operating system that supports Java can be used to configure the ASA


ASA CLI

CLINet-ASA(config)# show interface ip brief
Interface              IP-Address      OK? Method Status                Protocol
GigabitEthernet0/0     10.10.11.2      YES CONFIG up                    up
GigabitEthernet0/1     172.16.60.1     YES CONFIG up                    up
GigabitEthernet0/2     unassigned      YES unset  administratively down down
GigabitEthernet0/3     unassigned      YES unset  administratively down down
GigabitEthernet0/4     unassigned      YES unset  administratively down down
GigabitEthernet0/5     unassigned      YES unset  administratively down down
Internal-Control0/0    127.0.1.1       YES unset  up                    up
Internal-Data0/0       unassigned      YES unset  up                    up
Internal-Data0/1       unassigned      YES unset  up                    up
Internal-Data0/2       unassigned      YES unset  up                    up
Management0/0          192.168.20.236  YES CONFIG up                    up
CLINet-ASA(config)#


ASDM


CLINet-ASA

– Initial Deployment – CLI view; ASDM

– Basic Interface Setup – Two legged firewall; Three legged firewall

– NAT – Simple NAT for DMZ host

– Filtering via ACLs – Interface ACLs

– Stateful Connection – State Table via CLI; ASDM Connection Table

[Diagram: CLINet ASA at the edge – ISP-A and ISP-B – Edge – Aggregation – DMZ Network (Public Web/DB) – Internal Network]


Initial ASA Setup – Valid for Appliance or Module

• ASA Bootstrapping – 2 options

– Option 1: (If new) May connect directly to Management interface using a PC (DHCP) and execute: https://192.168.1.1/admin

• No username / password needed

• ASDM GUI will be used to run Startup Wizard

• Once complete, the ASA configuration guide can be used for further configuration: http://www.cisco.com/en/US/products/ps6120/products_installation_and_configuration_guides_list.html

– Load desired version of ASA 9x code – may be done via USB (64-bit appliances)

– To use GUI – Make the latest ASDM image available in flash (disk0:/disk1:/,etc)


Initial FW Setup

• ASA Bootstrapping – 2 options

– Option 2: Connect PC to the management interface on ASA, then connect with console cable and execute in terminal

– From a PC configured on the 192.168.1.0/24 subnet, you can launch ASDM and run startup wizard

• Valid for Appliance or Module

ciscoasa# config t
(config)#hostname EDGE-FW
EDGE-FW(config)# int m0/0
(config-if)#nameif management
(config-if)#sec 100
(config-if)#ip address 192.168.1.1 255.255.255.0
(config-if)#no shut
(config-if)#http server enable
(config)#http 0 0 management
(config)#domain-name CLINet.com
(config)#asdm image disk0:/nameofASDMimage.bin
(config)#username admin password cisco priv 15
(config)#crypto key gen rsa gen mod 1024 (use if SSL shows certificate error)


Interface Security Levels

• A security level is a number between 0 and 100 that determines how firewall rules are processed for the data plane

• Security levels are tied to an interface: the inside or private side interface is always 100 (most trusted) and the outside or public interface is always 0 (least trusted)

• All conversations are based only on two interfaces at a time – one will be considered inside, one outside, based on Sec-level that is set

• Traffic on the ASA is allowed by default from a higher security level interface to a lower security level interface

• An ACL must explicitly permit traffic from a lower security level interface to a higher (e.g. outside to inside)

The foundation for passing traffic through an ASA

[Figure: Inside Network on G0/1 (security level 100), DMZ Network on G0/2 (security level 50), Outside Network on G0/0 (security level 0); higher to lower: No ACL Req.; lower to higher: ACL Req.]


Interface Configuration via CLI – Simple Interface Setup

interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 10.10.11.2 255.255.255.0
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 172.16.60.1 255.255.255.0
interface GigabitEthernet0/2
 nameif DMZ
 security-level 50
 ip address 1.1.1.254 255.255.255.0
interface Management0/0
 management-only
 nameif management
 security-level 100
 ip address 192.168.1.1 255.255.255.0

[Figure: ISP – ASA – Internal. g0/0: name outside, IP 10.10.11.2/24, security-level 0. g0/1: name inside, IP 172.16.60.1/24, security-level 100. g0/2: name DMZ, IP 1.1.1.254/24, security-level 50]


Interface Configuration via ASDM – Configuration > Device Setup > Interfaces > Add > Interface…


NAT Implementation

• The ASA supports four NAT methods:

– Static NAT – A consistent mapping between a real and a mapped IP address. Allows bidirectional traffic initiation

– Dynamic NAT – A group of real IP addresses are mapped to a (usually smaller) group of mapped IP addresses, on a first come, first served basis. Only the real host can initiate traffic. The mapped group could be a single IP address or port address translation (PAT)

– Dynamic Port Address Translation (PAT) – A group of real IP addresses are mapped to a single IP address using a unique source port of that IP address.

– Identity NAT – A real address is statically translated to itself, essentially bypassing NAT. You might want to configure identity NAT to exempt a subset of addresses when translating a large group of addresses

[Figure: ISP – ASA – Internal. Internal side: Src IP 1.1.1.1, Dest IP 2.2.2.2, Src Port TCP/35478, Dest Port TCP/80. ISP side after translation: Src IP 10.10.10.10, Dest IP 2.2.2.2, Src Port TCP/35478, Dest Port TCP/80]


NAT on the ASA

• The ASA uses a single translation table

• Access Lists reference the internal (real) IP address and not the global (mapped) address

• Automatic NAT (Auto NAT or Object-based)

– Single rule per object

– Useful for less complex scenarios

[Figure: ISP – ASA – DMZ. DMZ side: Src IP 1.1.1.1, Dest IP 2.2.2.2, Src Port TCP/35478, Dest Port TCP/80. ISP side after translation: Src IP 10.10.10.10, Dest IP 2.2.2.2, Src Port TCP/35478, Dest Port TCP/80]


NAT Configuration via CLI – CLINet Object Based NAT

[Figure: ISP – ASA – DMZ. DMZ side: Src IP 1.1.1.1, Dest IP 2.2.2.2, Src Port TCP/35478, Dest Port TCP/80. ISP side after translation: Src IP 10.10.10.10, Dest IP 2.2.2.2, Src Port TCP/35478, Dest Port TCP/80]

CLINet-ASA(config)# object network CLINet-Web-Server
CLINet-ASA(config-network-object)# host 1.1.1.1
CLINet-ASA(config-network-object)# nat (inside,outside) static 10.10.10.10
CLINet-ASA(config-network-object)# exit
CLINet-ASA(config)# sh xlate
1 in use, 1 most used
Flags: D - DNS, e - extended, I - identity, i - dynamic, r - portmap,
       s - static, T - twice, N - net-to-net
NAT from inside:1.1.1.1 to outside:10.10.10.10
    flags s idle 0:01:03 timeout 0:00:00
CLINet-ASA(config)#


NAT Configuration via ASDM

Configuration > Firewall > NAT Rules > Add “Network Object” NAT Rule

[Figure: ISP – ASA – Internal. Internal side: Src IP 1.1.1.1, Dest IP 2.2.2.2, Src Port TCP/35478, Dest Port TCP/80. ISP side after translation: Src IP 10.10.10.10, Dest IP 2.2.2.2, Src Port TCP/35478, Dest Port TCP/80]


Filtering Configuration – Access Control Lists (ACL)

• The ASA provides basic traffic filtering capabilities with access control lists to control access in the network by preventing certain traffic from entering or exiting.

• ACLs are made up of one or more access control entries (ACEs)

– An ACE is a single entry in an ACL that specifies a permit or deny rule (to forward or drop the packet) and is applied to a specific five tuple

• ACLs are used by a variety of features and support options such as names or numbers, objects, logging, and activation

[Figure: ISP – ASA – Internal and DMZ Network (Public Web/DB); packets with Src IP 5.5.5.5 arriving from the ISP side]


Supported ACLs – The ASA supports four different types of ACLs

• Standard ACLs – Identify the destination IP addresses of traffic

– Standard ACLs cannot be applied to interfaces to control traffic

• Extended ACLs – Use one or more access control entries (ACE) in which you can specify the line number to insert the ACE, the source and destination addresses, and, depending upon the ACE type, the protocol, the ports (for TCP or UDP), or the ICMP type (for ICMP)

• EtherType ACLs – Used to filter traffic at Layer 2 when the ASA is in transparent firewall mode

• Webtype ACLs – Used in a configuration that supports filtering for clientless SSL VPN connections


ACL Configuration via CLI – CLINet ACL

CLINet-ASA(config)# access-list OUTSIDE->DMZ extended deny tcp host 5.5.5.5 host 1.1.1.1 eq www
CLINet-ASA(config)# access-list OUTSIDE->DMZ extended deny tcp host 5.5.5.5 host 1.1.1.1 eq https
CLINet-ASA(config)# access-list OUTSIDE->DMZ extended permit tcp any host 1.1.1.1 eq www
CLINet-ASA(config)# access-list OUTSIDE->DMZ extended permit tcp any host 1.1.1.1 eq https
CLINet-ASA(config)#
CLINet-ASA(config)# access-group OUTSIDE->DMZ in interface outside
CLINet-ASA(config)#

[Figure: ISP – ASA – Internal and DMZ Network (Public Web/DB); packets with Src IP 5.5.5.5 arriving from the ISP side]
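As an added example (not code from the deck), the Python below models how the CLINet ASA decides whether to build a new connection, combining the security levels from the interface configuration, the static NAT object for the web server and the OUTSIDE->DMZ ACL above. Assumptions: ACEs are matched first-match with an implicit deny at the end, an inbound ACL is evaluated against the real (untranslated) destination, an interface with an ACL bound inbound no longer gets the security-level default, and only TCP/UDP are modeled.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

# Interface name -> security level, from the CLINet interface configuration
SECURITY_LEVEL = {"outside": 0, "DMZ": 50, "inside": 100}

# Static NAT from "object network CLINet-Web-Server": real 1.1.1.1 <-> mapped 10.10.10.10
MAPPED_TO_REAL = {"10.10.10.10": "1.1.1.1"}
REAL_TO_MAPPED = {real: mapped for mapped, real in MAPPED_TO_REAL.items()}


@dataclass(frozen=True)
class Ace:
    """One access control entry: action, protocol, source, destination, destination port."""
    action: str              # "permit" or "deny"
    proto: str               # "tcp", "udp" or "ip" ("ip" matches any protocol)
    src: str                 # CIDR; "0.0.0.0/0" stands for "any"
    dst: str
    dport: Optional[int]     # None matches any destination port

    def matches(self, proto: str, src: str, dst: str, dport: int) -> bool:
        return (self.proto in ("ip", proto)
                and ip_address(src) in ip_network(self.src)
                and ip_address(dst) in ip_network(self.dst)
                and (self.dport is None or self.dport == dport))


# The slide's OUTSIDE->DMZ ACL, with www = 80 and https = 443,
# bound by "access-group OUTSIDE->DMZ in interface outside".
ACL_OUTSIDE = [
    Ace("deny",   "tcp", "5.5.5.5/32", "1.1.1.1/32", 80),
    Ace("deny",   "tcp", "5.5.5.5/32", "1.1.1.1/32", 443),
    Ace("permit", "tcp", "0.0.0.0/0",  "1.1.1.1/32", 80),
    Ace("permit", "tcp", "0.0.0.0/0",  "1.1.1.1/32", 443),
]
ACCESS_GROUP = {"outside": ACL_OUTSIDE}     # interface -> ACL applied inbound


def untranslate_destination(dst: str) -> str:
    """A packet from the ISP side carries the mapped address; static NAT yields
    the real address, which is what the ACL is written against."""
    return MAPPED_TO_REAL.get(dst, dst)


def translate_source(src: str) -> str:
    """Outbound direction of the same static NAT: real source -> mapped source.
    Static NAT is bidirectional, so both directions share the one mapping."""
    return REAL_TO_MAPPED.get(src, src)


def evaluate_acl(acl, proto, src, dst, dport):
    """First matching ACE decides (returned with its index); no match is the implicit deny."""
    for index, ace in enumerate(acl):
        if ace.matches(proto, src, dst, dport):
            return ace.action, index
    return "deny", None


def allow_new_connection(in_if, out_if, proto, src, dst, dport) -> bool:
    """Decide whether the ASA would build a connection for a packet that has
    no entry in the connection table yet."""
    real_dst = untranslate_destination(dst)
    acl = ACCESS_GROUP.get(in_if)
    if acl is not None:
        # Assumption stated in the lead-in: an inbound ACL replaces the
        # security-level default for everything entering that interface.
        action, _ = evaluate_acl(acl, proto, src, real_dst, dport)
        return action == "permit"
    # No ACL: higher -> lower security level passes by default, lower -> higher does not
    return SECURITY_LEVEL[in_if] > SECURITY_LEVEL[out_if]


if __name__ == "__main__":
    cases = [
        ("outside", "DMZ",     "tcp", "5.5.5.5",      "10.10.10.10",  80),   # explicit deny
        ("outside", "DMZ",     "tcp", "6.6.6.6",      "10.10.10.10",  443),  # permit any -> web
        ("outside", "DMZ",     "tcp", "6.6.6.6",      "10.10.10.10",  22),   # implicit deny
        ("outside", "inside",  "tcp", "6.6.6.6",      "172.16.60.10", 80),   # implicit deny
        ("inside",  "outside", "tcp", "172.16.60.10", "2.2.2.2",      80),   # 100 -> 0, no ACL
        ("DMZ",     "inside",  "tcp", "1.1.1.1",      "172.16.60.10", 445),  # 50 -> 100, no ACL
    ]
    for case in cases:
        print(case, "->", "permit" if allow_new_connection(*case) else "deny")
```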


ACL Configuration via ASDM Configuration > Firewall > Access Rules > Add Access Rule…

47


Connection Table via CLI

• The show conn command displays the number of, and information about, active TCP connections that are flowing through the ASA

• There are numerous flags and options for the show conn command which allow security administrators to view specific outgoing or incoming TCP traffic

• For more on the various options refer to this URL:

– http://www.cisco.com/c/en/us/td/docs/security/asa/asa-command-reference/S/cmdref3/s4.html#pgfId-1437635

What is flowing through the ASA

CLINet-ASA(config)# show conn all

flags UfIOB TCP outside:10.10.10.10/1965 (10.10.10.10/1965) inside:192.168.55.172/4567 (10.10.10.111/4567), flags UfIOB, idle 52m38s, uptime 54m21s, timeout 1h0m, bytes 3063

flags UfIOB TCP outside:10.10.10.201/1485 (10.10.10.201/1485) inside:192.168.55.172/4567 (10.10.10.111/4567), flags UfIOB, idle 41m38s, uptime 43m12s, timeout 1h0m, bytes 3063

flags UB TCP outside:192.168.22.195/16208 (192.168.22.195/16208) inside:192.168.55.172/4567 (10.10.10.111/4567), flags UB, idle 45m6s, uptime 48m17s, timeout 1h0m, bytes 0

flags UB TCP outside:172.16.45.22/24654 (172.16.45.22/24654) inside:192.168.55.172/4567 (10.10.10.111/4567), flags UB, idle 45m54s, uptime 49m4s, timeout 1h0m, bytes 0

CLINet-ASA(config)#
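The connection table is the firewall's own record of what it has let through, so it is worth parsing rather than only eyeballing. The Python below is an added example (not from the session or from Cisco) that parses the show conn lines in the format printed on the slide, converts the idle/uptime/timeout values to seconds, and then applies two simple triage views: connections per inside server, and established connections that have sat idle with zero bytes transferred. The sample output is the slide's four lines, embedded inline; the flag meanings in the comments (U up, B initial SYN from outside, f inside FIN, I inbound data, O outbound data) follow the ASA show conn flag table and should be checked against the command reference for your release.

```python
import re
from collections import Counter
from dataclasses import dataclass
from typing import List

# One connection line in the layout shown on the slide (NAT'ed address/port in parentheses)
CONN_RE = re.compile(
    r"(?P<proto>TCP|UDP)\s+"
    r"(?P<out_if>\w+):(?P<out_ip>[\d.]+)/(?P<out_port>\d+)\s+\([\d.]+/\d+\)\s+"
    r"(?P<in_if>\w+):(?P<in_ip>[\d.]+)/(?P<in_port>\d+)\s+\((?P<in_nat_ip>[\d.]+)/\d+\),\s+"
    r"flags\s+(?P<flags>[A-Za-z]*),\s+idle\s+(?P<idle>[\dhms]+),\s+uptime\s+(?P<uptime>[\dhms]+),\s+"
    r"timeout\s+(?P<timeout>[\dhms]+),\s+bytes\s+(?P<bytes>\d+)"
)
DURATION_RE = re.compile(r"(?:(\d+)h)?(?:(\d+)m)?(?:(\d+)s)?")


@dataclass
class Conn:
    proto: str
    out_ip: str
    out_port: int
    in_ip: str        # real (inside) address of the server
    in_port: int
    in_nat_ip: str    # address the server is seen as from the outside
    flags: str        # U = up, B = initial SYN from outside, f = inside FIN,
                      # I = inbound data, O = outbound data
    idle: int         # seconds
    uptime: int       # seconds
    timeout: int      # seconds
    bytes: int


def duration_seconds(text: str) -> int:
    """Convert an ASA duration such as 52m38s or 1h0m to seconds."""
    m = DURATION_RE.fullmatch(text)
    if m is None or not any(m.groups()):
        raise ValueError(f"bad duration: {text!r}")
    h, mi, s = (int(g) if g else 0 for g in m.groups())
    return h * 3600 + mi * 60 + s


def parse_show_conn(output: str) -> List[Conn]:
    """Parse show conn output; prompts, headings and slide callouts are skipped."""
    conns = []
    for line in output.splitlines():
        m = CONN_RE.search(line)
        if m is None:
            continue
        g = m.groupdict()
        conns.append(Conn(
            proto=g["proto"], out_ip=g["out_ip"], out_port=int(g["out_port"]),
            in_ip=g["in_ip"], in_port=int(g["in_port"]), in_nat_ip=g["in_nat_ip"],
            flags=g["flags"], idle=duration_seconds(g["idle"]),
            uptime=duration_seconds(g["uptime"]), timeout=duration_seconds(g["timeout"]),
            bytes=int(g["bytes"]),
        ))
    return conns


def idle_no_data(conns: List[Conn], min_idle: int = 900) -> List[Conn]:
    """Established ('U') connections that never moved data and have been idle >= min_idle seconds."""
    return [c for c in conns if "U" in c.flags and c.bytes == 0 and c.idle >= min_idle]


def initiated_from_outside(conns: List[Conn]) -> List[Conn]:
    """Connections whose first SYN arrived on the outside interface ('B')."""
    return [c for c in conns if "B" in c.flags]


def count_by_inside_server(conns: List[Conn]) -> Counter:
    return Counter((c.in_ip, c.in_port) for c in conns)


# Sample input: the show conn output from the slide, without the callout labels
SLIDE_OUTPUT = """\
CLINet-ASA(config)# show conn all
TCP outside:10.10.10.10/1965 (10.10.10.10/1965) inside:192.168.55.172/4567 (10.10.10.111/4567), flags UfIOB, idle 52m38s, uptime 54m21s, timeout 1h0m, bytes 3063
TCP outside:10.10.10.201/1485 (10.10.10.201/1485) inside:192.168.55.172/4567 (10.10.10.111/4567), flags UfIOB, idle 41m38s, uptime 43m12s, timeout 1h0m, bytes 3063
TCP outside:192.168.22.195/16208 (192.168.22.195/16208) inside:192.168.55.172/4567 (10.10.10.111/4567), flags UB, idle 45m6s, uptime 48m17s, timeout 1h0m, bytes 0
TCP outside:172.16.45.22/24654 (172.16.45.22/24654) inside:192.168.55.172/4567 (10.10.10.111/4567), flags UB, idle 45m54s, uptime 49m4s, timeout 1h0m, bytes 0
CLINet-ASA(config)#
"""

if __name__ == "__main__":
    conns = parse_show_conn(SLIDE_OUTPUT)
    print(count_by_inside_server(conns))
    for c in idle_no_data(conns):
        print(f"idle with no data: {c.out_ip}:{c.out_port} -> {c.in_ip}:{c.in_port} flags {c.flags}")
```

On the slide's data all four connections target the same inside server and were opened from the outside, and the two with flags UB have completed the handshake but carried no bytes in 45 minutes; those are the rows an operator would look at first, and the idle threshold is a tunable for the environment rather than a fixed rule.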

48


Connection Table via ASDM Monitoring > Properties > Connections

49


Other Cisco Firewalls


IOS Zone Based FW

• IOS Zone Based FW offers intuitive policies for multiple-interface routers, increased granularity of firewall policy application, and a default deny-all policy

• Traffic between firewall security zones is prohibited until an explicit policy is applied to allow desirable traffic

• Interfaces are assigned to zones, and inspection policy is applied to traffic moving between the zones

• Inter-zone policies offer considerable flexibility and granularity, so different inspection policies can be applied to multiple host groups connected to the same router interface.

The Other Firewall (IOS)

51


Meraki MX

• The Meraki MX cloud-managed security appliance automatically pulls policies and configuration from the cloud

– enabling branch deployments without on-site IT

• The Meraki cloud delivers seamless firmware and security signature updates, automatically establishes site-to-site VPN tunnels, and provides automatic network monitoring and alerts.

• Since the MX is managed entirely through the Cisco Meraki web-based dashboard, configuration and diagnostics can be performed remotely just as easily as they can be performed on-site, eliminating costly field visits.

– Even firmware updates are performed seamlessly, over the web.

Cisco Cloud Managed Security Appliance

52


Conclusion


Firewalls

• Firewalls are the core component of the defense against threats to network security

• The firewall is often the conduit through which other defense components combat the threats that face the network

• Next-Generation Security such as NGFW and NGIPS requires a rock-solid stateful inspection firewall at its foundation

54


Follow on Sessions

• BRKSEC-2020

– Firewall Deployment – Mike Storm

• BRKSEC-2023

– Firewall Architectures – Mason Harris

• BRKSEC-2024

– Deploying Next-Generation Firewall Services on the ASA - Kureli Sankar

• BRKSEC-3020

– Troubleshooting Firewalls – Jay Johnston

• BRKSEC-3021

– Maximizing Firewall Performance – Andrew Ossipov

55


Participate in the “My Favorite Speaker” Contest

• Promote your favorite speaker through Twitter and you could win $200 of Cisco Press products (@CiscoPress)

• Send a tweet and include

– Your favorite speaker’s Twitter handle @StreetCCIESec

– Two hashtags: #CLUS #MyFavoriteSpeaker

• You can submit an entry for more than one of your “favorite” speakers

• Don’t forget to follow @CiscoLive and @CiscoPress

• View the official rules at http://bit.ly/CLUSwin

Promote Your Favorite Speaker and You Could be a Winner

56


Complete Your Online Session Evaluation

• Give us your feedback and you could win fabulous prizes. Winners announced daily.

• Complete your session evaluation through the Cisco Live mobile app or visit one of the interactive kiosks located throughout the convention center.

Don’t forget: Cisco Live sessions will be available for viewing on-demand after the event at CiscoLive.com/Online

57


Continue Your Education

• Demos in the Cisco Campus

• Walk-in Self-Paced Labs

• Table Topics

• Meet the Engineer 1:1 meetings

58
