Practical Firewall Security

Author: Herbert Haas
Address:
herbert AT perihel DOT at
http://www.perihel.at/sec/
Revision: 0.1
Date: 2007-08-20
Copyright: Copyright (c) 2007 Herbert Haas.

Abstract

This document summarizes important facts about modern firewall features with a strong focus on the Cisco Adaptive Security Appliance (ASA). This is not a tutorial. The reader should already be familiar with security fundamentals. Besides theory, practical issues are exemplified on the basis of Cisco firewall products. If you find any mistakes please send me an E-Mail, thanks!

Contents

1   Basic Configuration Issues

clear local-host
clears xlate and conn table

1.1   aaa

aaa-server host
  • Max 15 server groups in single mode
  • Or 4 server groups per context in multiple mode
  • Each group can have up to 16 servers in single mode
  • or 4 servers in multiple mode.

When a user logs in, the servers are accessed one at a time starting with the first server you specify in the configuration, until a server responds.

authentication serial|enable|... console
A system administrator with a privilege level of 15 cannot be locked out.
authentication match ACL interface AAA-Group

This is the Cut-through Proxy configuration. Note that RADIUS automatically returns an ACL in the access-accept message. Only when you configure a TACACS+ group must you also use the aaa authorization match command to identify the traffic to be authorized.

Note that when the user session arrives at a lower security level interface, there MUST already be an interface ACL configured, and this ACL must permit the traffic used for authentication (HTTP, HTTPS, Telnet, FTP). Remember that the user starts by sending e.g. an HTTP request to a server behind the ASA. If this initial request were denied, the ASA could not send an HTTP redirect to the user.

When using TACACS+ for authorization the traffic MUST be authenticated first, otherwise it is denied.

It is recommended to configure aaa authentication secure-http-client whenever HTTP authentication is planned, so that HTTPS-based authentication is enforced.

It is also possible to directly access the authentication pages on the ASA without being redirected, using the following URLs:

http://interface_ip:1080/netaccess/connstatus.html
https://interface_ip:1443/netaccess/connstatus.html

Use the per-user-override keyword in an access-group command to override the interface ACL with the downloadable ACL:

  • Without per-user-override both ACLs must permit the traffic of a user session.
  • With per-user-override only the downloaded ACL is used by the ASA.
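The two behaviours of the access-group command with and without per-user-override, modelled as an added example (not from the page or from Cisco): a small first-match ACL evaluator in Python with constructed interface and downloaded ACLs. It shows the security-relevant consequence: with per-user-override a wide ACL returned by RADIUS silently replaces a tight interface ACL for that user's session.

```python
import ipaddress

# Constructed ACLs for illustration (not from the page). Each entry is
# (action, protocol, source network, destination network, destination port or None).
# The interface ACL only allows web access to one server ...
INTERFACE_ACL = [
    ("permit", "tcp", "10.1.0.0/16", "192.168.1.10/32", 80),
    ("permit", "tcp", "10.1.0.0/16", "192.168.1.10/32", 443),
]
# ... while the ACL downloaded from RADIUS for this user is much wider.
DOWNLOADED_ACL = [
    ("permit", "tcp", "10.1.0.0/16", "192.168.1.0/24", None),
]


def acl_permits(acl, proto, src, dst, dport):
    """First-match evaluation with the implicit deny at the end, like an ASA ACL."""
    src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for action, p, s, d, port in acl:
        if p != "ip" and p != proto:
            continue
        if src_ip not in ipaddress.ip_network(s) or dst_ip not in ipaddress.ip_network(d):
            continue
        if port is not None and port != dport:
            continue
        return action == "permit"
    return False  # implicit deny


def session_allowed(iface_acl, user_acl, per_user_override, proto, src, dst, dport):
    """Model the two access-group behaviours: with per-user-override only the
    downloaded ACL is consulted, without it both ACLs must permit the session."""
    if per_user_override:
        return acl_permits(user_acl, proto, src, dst, dport)
    return (acl_permits(iface_acl, proto, src, dst, dport)
            and acl_permits(user_acl, proto, src, dst, dport))


if __name__ == "__main__":
    for override in (False, True):
        ok = session_allowed(INTERFACE_ACL, DOWNLOADED_ACL, override,
                             "tcp", "10.1.5.5", "192.168.1.10", 22)
        print(f"per-user-override={override}: SSH to 192.168.1.10 allowed={ok}")
```

Running it shows SSH being denied by the interface ACL in the default mode and permitted once per-user-override is set, which is why downloadable ACLs should be reviewed as carefully as the interface ACL itself.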

1.2   access-list

...log [level] [interval ival]
issues syslog message 106100 at the specified level (default: 6) and interval (default: 300 seconds).
...deny-flow-max number
Specifies the maximum number of concurrent deny flows that can be created. Default: 4096. Return to the default with the no form. Syslog message 106101 if the maximum number is reached.
...alert-interval secs
When to send the deny-flow-max syslog message 106101. Default: 300 seconds.
object-group
Cannot be removed (with no form) when currently in use in an ACL!
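Because the log keyword produces syslog 106100 (one line per flow with a hit count per interval) and 106101 when deny-flow-max is reached, a syslog receiver can aggregate denied flows per source and raise an alert when the deny-flow cache fills up. The following Python parser is an added example, not code from the page; the log lines are constructed to approximate the two message formats and the `<PRI>` prefix a syslog server receives (facility = PRI // 8, severity = PRI % 8).

```python
import re
from collections import Counter

# Constructed sample lines approximating the ASA 106100 / 106101 formats (not captured logs).
# PRI 166 = facility 20 (LOCAL4) * 8 + severity 6; PRI 161 = 20 * 8 + severity 1.
SAMPLE_LOGS = [
    "<166>%ASA-6-106100: access-list outside_in denied tcp outside/203.0.113.7(44123) -> inside/10.1.1.5(22) hit-cnt 1 first hit [0x12345678, 0x0]",
    "<166>%ASA-6-106100: access-list outside_in denied tcp outside/203.0.113.7(44124) -> inside/10.1.1.5(23) hit-cnt 35 300-second interval [0x12345679, 0x0]",
    "<166>%ASA-6-106100: access-list outside_in permitted tcp outside/198.51.100.2(51000) -> inside/10.1.1.80(443) hit-cnt 1 first hit [0x1234567a, 0x0]",
    "<161>%ASA-1-106101: The number of ACL log deny-flows has reached limit (4096).",
]

PRI_RE = re.compile(r"^<(?P<pri>\d+)>%ASA-(?P<sev>\d)-(?P<msgid>\d{6}): (?P<body>.*)$")
ACL_RE = re.compile(
    r"access-list (?P<acl>\S+) (?P<action>permitted|denied|est-allowed) (?P<proto>\S+) "
    r"(?P<sif>[^/]+)/(?P<src>[^(]+)\((?P<sport>\d+)\) -> "
    r"(?P<dif>[^/]+)/(?P<dst>[^(]+)\((?P<dport>\d+)\) hit-cnt (?P<hits>\d+) "
)


def parse_asa_syslog(line):
    """Decode the PRI, the message id and, for 106100, the ACL fields. None if not an ASA line."""
    m = PRI_RE.match(line)
    if not m:
        return None
    pri = int(m.group("pri"))
    facility, severity = pri // 8, pri % 8
    rec = {
        "facility": facility,
        # LOCAL0..LOCAL7 are facilities 16..23; anything else is not a local facility
        "facility_name": f"LOCAL{facility - 16}" if 16 <= facility <= 23 else str(facility),
        "severity": severity,
        "msgid": m.group("msgid"),
        "body": m.group("body"),
    }
    if rec["msgid"] == "106100":
        a = ACL_RE.match(rec["body"])
        if a:
            rec.update(a.groupdict())
            for k in ("sport", "dport", "hits"):
                rec[k] = int(rec[k])
    return rec


def summarize_denies(lines):
    """Return (denied hit count per source IP, list of 106101 deny-flow limit alerts)."""
    per_src = Counter()
    alerts = []
    for line in lines:
        rec = parse_asa_syslog(line)
        if rec is None:
            continue
        if rec["msgid"] == "106101":
            alerts.append(rec["body"])
        elif rec["msgid"] == "106100" and rec.get("action") == "denied":
            per_src[rec["src"]] += rec["hits"]
    return per_src, alerts


if __name__ == "__main__":
    per_src, alerts = summarize_denies(SAMPLE_LOGS)
    print("denied hits per source:", dict(per_src))
    print("deny-flow limit alerts:", alerts)
```

Note that the hit-cnt in an interval message is a count over the whole interval, so summing it across lines gives the total number of denied packets rather than the number of log lines.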

1.3   icmp

  • By default (if there is no ICMP control list) all ICMP traffic destined for any ASA interface is allowed!
  • Applies only to ICMP traffic that terminates at the ASA itself (not to through traffic).
  • Ends with implicit deny.
  • Recommended to permit ICMP unreachable which is needed for ICMP Path MTU discovery when the ASA tries to establish IPsec tunnels.

1.4   nat

nat (inside) 0 access-list 101
Does NOT require the connection to be initiated from the higher security interface (inside) before the host on the lower security interface (outside) can create a connection to the host on the higher security level interface. This is rather strange.
nat (inside) 0 0.0.0.0 0.0.0.0
Does require the host on the higher security interface (inside) to initiate the connection. This is what you assume.

1.5   route

...track

The track feature uses a monitoring process to check whether a static route is still working. The monitoring process periodically sends ICMP echo requests to the target. If an echo reply is not received within a specified time period, the object is considered down and the associated route is removed from the routing table. A previously configured backup route is used in place of the removed route. Check whether the monitoring target can respond to ICMP echo requests.

The configuration is this:

(config)# route outside 20.5.0.0 255.255.0.0 10.1.1.1 track 999
(config)# sla monitor 7
(config-sla-monitor)# type echo protocol ipIcmpEcho 10.1.1.1 interface outside
(config)# sla monitor schedule 7 life forever start-time now
(config)# track 999 rtr 7 reachability
show run all
Shows you also the hidden commands. For example the built-in regex lists.

2   Modular Policy Framework

police output|input ...

Allows for the following parameters:

  • <conform-rate> is a rate limit - only applied when <burst-size> is reached
  • <burst-size> can be optionally specified - specifies how many instantaneous bytes may be received without applying any rate limitations.

Since 7.2 the input option is available. LLQ traffic is not rate limited. Police and priority cannot be configured together.
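To make the relationship between conform-rate and burst-size concrete, here is an added token-bucket model in Python (not code from the page or from Cisco; the ASA's internal policer implementation is not described here). It assumes the usual units, rate in bits per second and burst in bytes, and runs a constructed packet trace through the policer to show which packets conform and which exceed.

```python
# Constructed packet trace (not from the page): (arrival time in seconds, size in bytes).
SAMPLE_TRACE = [
    (0.0, 1000),   # fits in the initial burst allowance
    (0.0, 1000),   # burst exhausted: exceeds
    (1.0, 1000),   # one second of credit has accrued
    (1.2, 600),
    (1.2, 200),
]


def police(packets, conform_rate_bps, burst_bytes):
    """Token-bucket model of `police ... <conform-rate> <burst-size>`.

    The bucket starts full with burst_bytes tokens and refills at conform_rate_bps
    (converted to bytes per second). A packet conforms when enough tokens are
    available and consumes them; otherwise it exceeds. Returns one verdict per packet.
    """
    rate_bytes_per_s = conform_rate_bps / 8.0
    tokens = float(burst_bytes)
    last_t = packets[0][0] if packets else 0.0
    verdicts = []
    for t, size in packets:
        # accrue credit for the elapsed time, capped at the burst size
        tokens = min(float(burst_bytes), tokens + (t - last_t) * rate_bytes_per_s)
        last_t = t
        if size <= tokens:
            tokens -= size
            verdicts.append("conform")
        else:
            verdicts.append("exceed")
    return verdicts


def exceed_count(packets, conform_rate_bps, burst_bytes):
    """Number of packets the policer would act on (drop or re-mark) for this trace."""
    return police(packets, conform_rate_bps, burst_bytes).count("exceed")


if __name__ == "__main__":
    for pkt, verdict in zip(SAMPLE_TRACE, police(SAMPLE_TRACE, 8000, 1500)):
        print(pkt, verdict)
```

With 8000 bit/s (1000 byte/s) and a 1500-byte burst, the second back-to-back packet at t=0 exceeds although the long-term rate is well under the limit; enlarging burst-size is what admits such bursts, not raising conform-rate.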

priority

Requires that a priority-queue has been configured on particular outbound interfaces first! Optionally some additional parameters can be configured:

(config)# priority-queue outside
(config-priority-queue)# queue-limit 2048
(config-priority-queue)# tx-ring-limit 256
TCP normalization: tcp-map
  • check-retransmissions !!! prevents inconsistent retransmissions
  • checksum-verification
  • exceed-mss allow|drop
  • queue-limit <pkt-num> !!! max nr of out-of-order packets
  • reserved-bits allow|clear|drop
  • syn-data allow|drop !!! allow SYN packets with data?
  • tcp-options selective-ack|timestamp|window-scale allow|clear !!! allow these?
  • ttl-evasion-protection !!! DISABLES evasion protection (=> DO NOT USE THIS COMMAND!)
  • urgent-flag allow|clear
  • window-variation allow|drop !!! when window size changed unexpectedly

Apply the tcp-map:

tcp-map MyTCPMap
 checksum-verification
policy-map XYZ
  class ABC
  set connection advanced-options MyTCPMap
audit commands
Usable for ASAs without external AIP-SSM.
match flow ip destination-address
Can only be used together with match tunnel-group and enforces that any configured policy should be applied on each single flow, not on the entire class of traffic (flows are identified by their destination address).
inspect ftp strict

The strict option checks:

  • whether the number of commas in the PORT and PASV reply commands is exactly five - otherwise the command is truncated and the connection will be closed.
  • whether each command ends with <CR><LF> characters as required by the RFC.
  • the size of the RETR and STOR commands
  • whether command spoofing is performed such as sending the PORT command from the server.
  • whether reply spoofing is performed such as sending the PASV reply command (227) from the client.
  • whether negotiated ports are within the reserved and forbidden well-known range (1-1023)
  • whether command pipelining is performed such as placing commands after the port numbers in the PORT and PASV reply commands.
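The checks listed above are simple enough to implement and test against sample control-channel lines. The following Python checker is an added example (not the ASA's inspection code and not from the page): it decodes the h1,h2,h3,h4,p1,p2 host-port specification, verifies the comma count, the CRLF terminator, the 1-1023 port range, the direction of PORT and 227, and pipelined data after the port specification. The maximum RETR/STOR command length is an assumed constant, since the page does not state the ASA's bound.

```python
import re

WELL_KNOWN_MAX = 1023   # the page's reserved and forbidden range is 1-1023
MAX_CMD_LEN = 256       # assumed limit for RETR/STOR; the real ASA bound is not given on the page

# PORT from the client: "PORT h1,h2,h3,h4,p1,p2"; 227 reply from the server:
# "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)." DOTALL lets `rest` see pipelined lines.
PORT_RE = re.compile(r"^PORT (?P<spec>[\d,]+)(?P<rest>.*)$", re.DOTALL)
PASV_RE = re.compile(r"^227 [^(]*\((?P<spec>[\d,]+)\)\.?(?P<rest>.*)$", re.DOTALL)


def decode_hostport(spec):
    """Decode h1,h2,h3,h4,p1,p2 into (ip, port); ValueError when malformed."""
    parts = spec.split(",")
    if len(parts) != 6:  # exactly five commas
        raise ValueError("expected exactly five commas in host-port spec")
    nums = [int(p) for p in parts]
    if any(n > 255 for n in nums):
        raise ValueError("octet out of range")
    return ".".join(str(n) for n in nums[:4]), nums[4] * 256 + nums[5]


def strict_check(line, direction):
    """Apply the strict checks to one control-channel line.

    direction is 'client' for commands or 'server' for replies.
    Returns the list of violations; an empty list means the line passes.
    """
    violations = []
    if not line.endswith("\r\n"):
        violations.append("missing CRLF terminator")
    text = line.rstrip("\r\n")

    if text.upper().startswith(("RETR ", "STOR ")) and len(text) > MAX_CMD_LEN:
        violations.append(f"RETR/STOR command longer than {MAX_CMD_LEN} bytes")

    m_port, m_pasv = PORT_RE.match(text), PASV_RE.match(text)
    if m_port and direction == "server":
        violations.append("command spoofing: PORT sent by the server")
    if m_pasv and direction == "client":
        violations.append("reply spoofing: 227 sent by the client")

    m = m_port or m_pasv
    if m:
        try:
            _ip, port = decode_hostport(m.group("spec"))
        except ValueError as exc:
            violations.append(f"malformed host-port: {exc}")
        else:
            if 1 <= port <= WELL_KNOWN_MAX:
                violations.append(f"negotiated port {port} in reserved range 1-{WELL_KNOWN_MAX}")
        if m.group("rest").strip():
            violations.append("command pipelining: data after the host-port spec")
    return violations


if __name__ == "__main__":
    # constructed lines, not a captured session
    for line, who in [("PORT 10,1,1,5,4,1\r\n", "client"),
                      ("PORT 10,1,1,5,0,80\r\n", "client"),
                      ("227 Entering Passive Mode (10,1,1,2,4,1).\r\n", "client"),
                      ("PORT 10,1,1,5,4,1\r\nQUIT\r\n", "client")]:
        print(repr(line), who, "->", strict_check(line, who) or "ok")
```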
inspect dns
Besides various protocol checks it can translate A records when the dns keyword is used with static or nat commands (before 6.3 the alias command was used).
match-all
This is an optional keyword for the class-map type inspect and it is a default. Alternatively you can specify match-any so that it is sufficient that at least a single match command matches.

2.1   Policy processing order

  1. Connection limits, timeouts, TCP randomization
  2. CSC
  3. Application Inspection
  4. IPS
  5. QoS input policing
  6. QoS output policing
  7. QoS priority queuing

3   VPN

The ASA supports the following VPN protocols:

There is no GRE support.

3.1   Other important things

sysopt connection permit-vpn
Lets VPN traffic bypass ACLs (also IKE). This is enabled by default. (Before version 7.1 the syntax was permit-ipsec)
group-lock
Restrict remote users to use the tunnel for access only. That is, remote users cannot access the central site via connections outside the tunnel.
mutual group authentication
This feature is supported by the Cisco VPN client and uses a central-site certificate (the client must have the root certificate installed) for authentication. Group pre-shared secrets are not used (and are generally vulnerable to MITM attacks).

3.2   WebVPN

Now called SSL-VPN.

3.2.1   Disadvantages

  • Cannot prevent split tunneling - client can always access anything
  • Browser caches credentials (Cookies are used to remember an authenticated user!)
  • Only supports RA-VPN
  • TCP-based attacks such as sequence number desynchronization (DoS)
  • Routers: CPU-based encryption only (on-board VPN acceleration on ISRs only support IPsec)

3.2.2   Proxy servers

Locally terminated by the ASA, then decrypted and forwarded to a configured server.

  • Imap4s accepts incoming IMAP4 over SSL (Port 993)
  • Pop3s accepts incoming POP3 over SSL (Port 995)
  • Smtps accepts incoming SMTP over SSL (Port 988)

Abbreviations:

MAPI
Messaging Application Interface, developed by MS to allow programs to utilize E-Mail functions
CIFS
Common Internet File System, developed by MS

NOTE: The SSL VPN Client (SVC) can also be used with the ASA!

3.2.3   Configuration

Here is a configuration example with the most important commands:

http server enable
webvpn
 enable outside ! on every interface where webvpn users come in

 title Smoerebroed WebSeite
 title-color ...

access-list acl_company webtype deny url http://*.company.com

url-list MYURLS "CentralServer" http://10.1.1.2
url-list MYURLS "CIFS Share" cifs://10.1.1.3/shared

port-forward MYAPPLICATIONS 2023 10.1.1.4 23 ! Telnet to 127.0.0.1:2023
port-forward MYAPPLICATIONS 3023 Termserv 23 ! Telnet to 'Termserv'

pop3s
 server 10.1.1.30
 authentication-server-group (inside) MYRADIUS
 authentication piggyback ! requires established WebVPN HTTPS session (alternatives: aaa|certificate)

group-policy MyWEBVPN attributes
 vpn-tunnel-protocol webvpn
 webvpn
   functions url-entry file-access file-entry file-browsing port-forward mapi
   url-list value MYURLS
   port-forward value MYAPPLICATIONS
   filter value MyWebVPNACL

tunnel-group MyWebVPN type webvpn
  nbns-server 10.1.1.100  ! NetBIOS Server if name resolution for CIFS shares required

tunnel-group MyWebVPN general-attributes
  authentication-server-group (inside) MyRADIUS

3.2.4   WebVPN on Routers

Three modes:

  1. Clientless mode: HTTP, CIFS, Outlook Web Access (OWA)
  2. Thin-client mode
  • Java applet with port forwarding
  • Only selected applications such as Telnet, e-mail, SSH, ...
  3. Tunnel mode
  • Tunnel client "SSL VPN Client (SVC)" loaded through Java or ActiveX
  • Less than 250 kByte
  • Supports all IP based applications !!!

Config steps

  1. virtual gateway: IP and port for WebVPN, also trustpoint (default: SSLVPN)
  2. virtual context: define features (e.g. URL list) and connect with virtual gateway - multiple contexts possible
  3. policy group: within virtual context, used to apply objects such as URL lists, CIFS shares, port fwd definitions

3.3   AnyConnect Client

  • The firewall decides whether to download/upgrade/remove the client software from the remote PC

  • Client can also be installed manually in advance

  • Besides TLS also DTLS (Datagram Transport Layer Security) is supported (for realtime traffic)

  • DTLS is automatically supported but can be disabled:

    webvpn
      enable outside tls-only  !!! normally you would omit the latter parameter !!!
    
  • You can install multiple clients on the ASA (simply copy into flash) but you must tell the ASA which binary to use:

    !!! the latter number is the order for download - place the most needed first !!!
    # svc image anyconnect-a.bin 1  !!! this could be the windows client (most often used)
    # svc image anyconnect-b.bin 2  !!! this could be the linux client
    
    !!! check:
    # show webvpn svc
    
  • Always enable Dead Peer Detection (DPD) when enabling DTLS because the remote firewalls may use an inactivity timeout for UDP traffic.

4   Transparent Firewall

4.1   General rules

  • Whole ASA (with all contexts) is either in Transparent or Routed mode
  • Only two active interfaces plus (required!) management interface
  • Each context has two physical interfaces (no overlap possible) plus a management interface (mandatory!)
  • If centrally deployed (i. e. attached to a single backbone switch) then each interface must be in a different VLAN but in the same subnet. (Different VLANs necessary otherwise the switch would make an internal shortcut)
  • Security levels supported (Default policy as usual!)
  • By default ARPs may pass through even from lower to higher security level interfaces
  • Other traffic MUST be permitted via (Layer-2) ACL

Basically the transparent FW uses the same learning principle as a bridge. But there is no flooding if the destination is not found; instead:

  1. The packet is dropped
  2. If destination is local then an ARP is sent to learn the associated port
  3. If destination is not local then a PING is sent to learn the associated port

4.2   Not supported

  • NAT
  • Routing protocols
  • IPv6
  • DHCP Relay
  • QoS
  • Multicast
  • VPN termination for through traffic

4.3   Configuration

Simply switch to transparent mode via:

[no] firewall transparent
show firewall

Configure management IP address in global config mode:

ip address 10.0.1.1 255.255.255.0

Observe bridging table:

show mac-address-table

4.3.1   ARP Inspection

Optionally mitigate MITM via ARP inspection:

arp outside 5.4.3.2 000c.abcd.9876
arp inspection outside enable [flood | no-flood]
  • Every ARP packet is checked against static table
  • Malicious ARP-response is dropped - Prevents ARP spoofing!
  • flood: if the IP is not known then the ARP request is flooded through all interfaces
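The inspection logic described above, written out as an added Python example (not from the page or from Cisco): every ARP packet is checked against the static table of its interface, a known IP with a different MAC is dropped as a spoofing attempt, and an unknown IP is flooded or dropped depending on the configured mode. The static entry for 5.4.3.2 is the one from the page; the second entry and the sample packets are constructed.

```python
# Static ARP entries per interface. The first outside entry is the one configured on
# the page (arp outside 5.4.3.2 000c.abcd.9876); the second is constructed.
STATIC_ARP = {
    "outside": {
        "5.4.3.2": "000c.abcd.9876",
        "5.4.3.3": "000c.abcd.1111",
    },
}


def inspect_arp(iface, sender_ip, sender_mac, mode):
    """Verdict for one ARP packet arriving on iface with arp inspection enabled.

    mode is 'flood' or 'no-flood', as in `arp inspection <if> enable [flood | no-flood]`.
    Returns 'forward', 'drop' or 'flood'.
    """
    table = STATIC_ARP.get(iface, {})
    if sender_ip in table:
        # IP is known: the MAC must match the static entry, otherwise the packet is spoofed
        return "forward" if table[sender_ip].lower() == sender_mac.lower() else "drop"
    # IP not in the static table: behaviour depends on the configured mode
    return "flood" if mode == "flood" else "drop"


# Constructed ARP packets (interface, sender IP, sender MAC), not captured traffic
SAMPLE_ARPS = [
    ("outside", "5.4.3.2", "000c.abcd.9876"),  # legitimate host
    ("outside", "5.4.3.2", "00de.ad00.beef"),  # claims 5.4.3.2 with a different MAC
    ("outside", "5.4.3.9", "000c.abcd.0009"),  # IP not in the static table
]


def run_inspection(packets, mode):
    """Return the verdict per packet and the spoofing attempts worth alerting on.

    A drop is only counted as spoofing when the IP is known; unknown IPs dropped in
    no-flood mode are a policy effect, not an attack indicator.
    """
    verdicts, spoofed = [], []
    for iface, ip, mac in packets:
        verdict = inspect_arp(iface, ip, mac, mode)
        verdicts.append(verdict)
        if verdict == "drop" and ip in STATIC_ARP.get(iface, {}):
            spoofed.append((iface, ip, mac))
    return verdicts, spoofed


if __name__ == "__main__":
    for mode in ("no-flood", "flood"):
        print(mode, run_inspection(SAMPLE_ARPS, mode))
```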

4.3.2   Recommendations:

  1. Add static entries:

    mac-address-table static inside 000c.affe.affe
    
  2. Disable learning e. g. on outside interface:

    mac-learn outside disable
    

4.3.3   ACLs

  1. Extended (normal)
  2. Ethertype - only Type field and BPDU-frames

4.3.4   Note

If you have two parallel and independent (no FO configuration) firewalls then configure the firewalls to permit BPDU traffic so that the spanning tree can avoid loops. (In active/standby or active/active configurations there is always one active path.)

5   Failover

write standby
  • Synchronizes the running config in case the ASAs got out of sync
  • Must be issued on the active Fw
  • Normally every command entered on the active FW will be immediately replicated on the standby
  • But FWs can get out of sync if commands are entered on the standby only. Then write standby will enforce re-sync.

If a FW thinks that it is in a failed state but this is not true (any longer) then reset the state machine via failover reset.

Failure detection

(config)# failover polltime ?

configure mode commands/options:
  <1-15>     Poll interval in seconds, default is 1 second
  interface  Configure failover poll interval for the failover interface
  msec       msec keyword, specify milliseconds interval after msec keyword
  unit       Configure failover poll interval for the unit

6   Product Comparison

See Cisco's ASA Model Comparison for a detailed comparison.

See Cisco's ASA Software Version 7.0 for a feature listing.

All ASAs support:
  • Layer 2 transparent FW feature.
  • IPsec and WebVPN

6.1   Models

Here only some important facts are listed:

ASA 5505
  • 3/20 VLANs (trunking disabled/enabled)
  • No SSM expansion slot (only SSC)
  • No security contexts
ASA 5510
  • 50/100 VLANs
  • Max 5 Security contexts
ASA 5520
  • 150 VLANs
  • Max 20 Security contexts
  • Supports VPN clustering and load balancing
ASA 5540
  • 200 VLANs
  • Max 50 Security contexts
  • Supports VPN clustering and load balancing
ASA 5550
  • 250 VLANs
  • Max 50 Security contexts
  • Supports VPN clustering and load balancing

6.2   LEDs

  • Power
  • Status - POST passed (green) or failed (amber)
  • Active - Active FO (green) or standby FO (amber)
  • VPN - tunnel established
  • Flash - CompactFlash being accessed

6.3   Service Modules

AIP-SSM
The Advanced Inspection and Prevention Security Services Module (AIP-SSM) provides IDS or IPS.
CSC-SSM
The Content Security and Control Security Services Module (CSC-SSM) provides:
  • comprehensive antivirus and anti-spyware protection using Trend Micro's technologies
  • file blocking
  • anti-spam
  • anti-phishing
  • URL blocking and filtering
  • content filtering

7   ASA IP services

7.1   DHCP

ASA does not support DHCP requests from a DHCP relay agent.

8   Interesting Commands

8.1   Avoid Identity NAT

Also known as NAT zero or NAT exemption.

If combined with an ACL (as usual) such as:

nat (inside) 0 access-list 101

then any host on a lower security level interface can establish a connection to an inside host matched by this ACL. There is no need for a preceding outbound connection!

Note that when using nat (inside) 0  0.0.0.0  0.0.0.0 an outside host can only reach an inside host when an outbound connection exists.

8.2   Track your ISP next hops

Especially when you have redundant ISP connections use the track option with the route command to enable periodic reachability tests via ICMP echo requests. If there is no echo response that route will be removed from the routing table. You can also ping something behind the next hop of course, such as a server.

Here is the general configuration:

(config)# sla monitor 7  !!! any tracking ID will do
(config-sla-monitor)# type echo protocol ipIcmpEcho 91.23.45.19 interface outside  !!! This is the Next Hop IP
(config)# sla monitor schedule 7 life forever start-time now   !!! lots of alternative options possible
(config)# track 42 rtr 7 reachability  !!! associates a tracked static route with the SLA monitoring process
(config)# route outside 0.0.0.0 0.0.0.0 91.23.45.19 1 track 42

Also a DHCP learned route can be tracked:

(config-if)# ip address dhcp setroute    !!! setroute allows the ASA to learn default gateway via DHCP
(config-if)# dhcp client route track 42

8.3   Specify a default tunnel route

It is possible to define an additional default route which is only used for traffic from a tunnel terminating on the ASA:

route dmz 0 0 172.17.9.9 tunneled

Note: Does not work with RPF on that egress interface (here: dmz), TCP intercept, and VoIP inspection.

8.4   Use OSPF authentication

Enable OSPF:

hostname(config)# router ospf 2
hostname(config-router)# network 2.0.0.0 255.0.0.0 area 0

Optionally, set some interface parameters:

hostname(config-router)# interface inside
hostname(config-interface)# ospf cost 20
hostname(config-interface)# ospf retransmit-interval 15
hostname(config-interface)# ospf transmit-delay 10
hostname(config-interface)# ospf priority 20
hostname(config-interface)# ospf hello-interval 10
hostname(config-interface)# ospf dead-interval 40

Also on the interface, enable message authentication:

hostname(config-interface)# ospf authentication-key cisco       !!! Which password used for RX
hostname(config-interface)# ospf message-digest-key 1 md5 cisco !!! Which password used for TX
hostname(config-interface)# ospf authentication message-digest  !!! Yes, use message authentication

The ASA also supports route-maps and distribute-lists.

8.5   Use Logging options

Syslog: the default facility number is 20 (LOCAL4). It can be changed using the logging facility command. Syslog servers file messages based on the facility number in the messages. Eight possible numbers: 16 (LOCAL0) through 23 (LOCAL7).

logging mail critical
logging from-address asa11@neimou.com
logging recipient-address admin@dahoam.com
smtp-server 10.0.0.1 172.16.0.1               ! primary and secondary server

8.6   Context Mode

  • Use mac-address auto if you have shared interfaces (much better than relying on different global IP addresses). By default all subinterfaces use the same mac address as the physical interface.
  • write memory all can be used by the system administrator to save all running configs in all contexts (into their specified config-url).
  • Normal UR-license allows 1 Admin CTX plus 2 other CTXs (=3 CTXs).

8.7   Failover Scenarios

  • write standby only synchronizes the running-config. Enter copy run start (or write mem) to additionally save it to the NVRAM.

  • Configure stateful failover using the failover link <if-name> command.

  • Specify number of defect interfaces before failover condition:

    (config)# failover interface-policy <1-250>
    
  • Disable health monitoring on certain uncritical interfaces:

    (config)# no monitor-interface ethernet4
    

8.8   Redundant interfaces

Pairs an active and standby physical interface. When the active interface fails, the standby interface becomes active and starts passing traffic. You can assign only two member interfaces to a redundant interface and the interfaces must not have a name assigned.

(config)# interface redundant 1
(config-if)# member-interface gigabitethernet 0/0  !!! the order is important: first one will be active !!!
(config-if)# member-interface gigabitethernet 0/1
(config)# interface redundant 2
(config-if)# member-interface gigabitethernet 0/2
(config-if)# member-interface gigabitethernet 0/3

The redundant interface uses the MAC address of the first physical interface that you add. If you change the order of the member interfaces in the configuration, then the MAC address changes to match the MAC address of the interface that is now listed first.

Optionally set the active interface:

(config-if)# redundant-interface redundant1 active-member gigabitethernet0/1

Available since 8.0(2), supports routed, transparent, single and system-context mode.

8.9   Multicast

Two options:

  • Stub Multicast Routing (SMR) which simply proxies all IGMP messages between inside and outside interface
  • PIM-SM (also PIM-BIDIR supported) with static RP configuration (Auto-RP or PIM BSR not supported!)

You cannot configure both.

9   ASA password recovery

  1. Reboot
  2. Press Escape to enter ROMMON
  3. confreg 0x41 and reload (will use default config with default passwords)
  4. copy start run
  5. edit passwords
  6. (config)# config-register 0x1

Optionally enter: no service password-recovery (user can only enter ROMMON when the flash is erased)

Another possibility with interactive dialogue:

  1. Press ESC during boot to get into the ROMMON

  2. Enter confreg

  3. Write down the actual register values

  4. Enter 'Y' to the question "Do you wish to change this configuration? y/n [n]:"

  5. During the interactive dialog leave all default values except for "Disable system configuration?" answer 'Y'

  6. Back at the rommon prompt enter 'boot'

  7. When the ASA has reloaded press return at the password prompt

  8. clear the configuration (write erase)

  9. reset the configuration register:

    #conf t
    (config)# config-register 0x00000001  (or whatever you had - this is the default value (short: 0x1))