
CCSP SNAA Quick Reference
Ryan Lindfield
Your Short Cut to Knowledge

Contents
Chapter 1 Understanding Traffic Classification .............. 3
Chapter 2 VLANs .............. 52
Chapter 3 IPsec VPNs .............. 78
Chapter 4 WebVPN and Endpoint Security .............. 104
Chapter 5 Security Services Modules .............. 141


CHAPTER 1 CCSP SNAA Quick Reference by Ryan Lindfield
Understanding Traffic Classification

About the Author

Ryan Lindfield is an instructor and network administrator with Boson. He has more than 10 years of network administration experience. He has taught many courses designed for CCNA, CCIW, and CCSP preparation, among others. He has written many practice exams and study guides for various networking technologies. He also works as a consultant, where among his tasks are installing and configuring Cisco routers, switches, VPNs, IDSs, and firewalls.

About the Technical Editor

David W. Chapman, CISSP-ISSAP, CCSI, CCSP, is a 22-year veteran of the IT industry. He is an internationally recognized information security practitioner, instructor, and author. David has been a certified Cisco instructor since 2000. He was the first instructor in North America to teach the Cisco Secure PIX Firewall course (now SNPA). In the last seven years, David has delivered over 200 Cisco Security courses, including many custom on-site engagements to US military and commercial accounts. He has taught for Cisco's internal Associate Systems Engineer (ASE) training program in the United States and Europe. In 2001, he co-edited the first Cisco Press title on the PIX Firewall, Cisco Secure PIX Firewalls. The book was very popular and eventually translated into seven languages. In 2003, the IEEE awarded him Senior Member status for significant career achievement. David divides his time between his consulting practice and teaching Cisco security courses for Fast Lane, Consulting and Education Services, Inc.

© 2009 Cisco Systems Inc. All rights reserved. This publication is protected by copyright. Please see page 161 for more details.

Chapter 1
Understanding Traffic Classification
Throughout this Quick Reference, I rapidly take you through some of the more advanced forms of traffic filtering. We begin this journey with the familiar access control list (ACL), and progress into deep packet inspection with regular expressions and parameter-specific conditional statements. I think that many people would flip to the center of this Quick Reference and feel intimidated by some of the content, but if we step through the technologies one by one and remember that our entire configuration is based on a simple "if-then" logic, everything will make sense. My goal, at least, is that when we have finished you will be much more effective as a firewall administrator.

I assume that you know the fundamentals based on the SNAF material that precedes this. However, I will quickly redefine some things just to make sure that you truly understand what is happening "beneath the hood," rather than just knowing the definition of a term.

Just remember, almost everything we cover in the first half of this Quick Reference follows the same simple logic: If you see a packet that looks like this, forward it to this interface; if it looks like this, then drop, NAT, encrypt, and so on. We will just add classifications and additional actions beyond what you may be used to using, but the core logic always remains the same. This logic is true of anything computer related: if and then. Remember this when troubleshooting, or when studying for the exam. If things seem to get complicated or you feel lost at any point in this Quick Reference, remember that it all boils down to this simple logic.

If you intend to create traffic policies on a Cisco firewall, it is imperative that you solidly understand ACLs. One of the first questions that I ask during my classes is this: What are ACLs used for? The most common answer that I receive is "to block traffic," but this answer is only partially correct. An access list can certainly be used to block traffic, but it is more appropriate to think of an ACL as a way to define interesting traffic, and once you define that interesting traffic you can manipulate it in some way. As we continue through this Quick Reference, remember that an ACL by itself doesn't have any effect. We must associate that traffic classification with a function. From this day forward, think of an ACL as an incomplete sentence that requires a verb or action. The function associated with this ACL is synonymous with a verb within a sentence.
When you create an ACL, it is similar to telling the device "Hey ASA, when you see traffic sourced from network A destined for host B," and that is where you've left it. No action is associated with it yet; all you have done is define a traffic flow. That alone will not do anything. After this ACL has been associated with some action, then it will become useful to you.

For example, when you place the ACL on an interface, it will permit or deny the traffic flow that you specified. When you associate an ACL with a nat statement, you will control address translation based on the address pairs that you specified: permit means translate the source IP address, and deny means route without address translation occurring. When you reference an ACL within a crypto map, this tells the security appliance to encrypt the traffic that matches permit statements; deny statements tell the ASA to forward the traffic without encryption. We can associate even more actions with traffic flows, but the point being made here is that a permit statement says to perform the action, whereas a deny statement says do not perform this action.

Types of Access Control Lists

Type of Access List                    Criteria to Match Upon
Standard                               Source IP address.
Extended                               Source IP, destination IP address, Layer 4 protocol (TCP, UDP, EIGRP, ESP, GRE, and so on), source port number, destination port number.
Webtype                                Destination TCP port, or Uniform Resource Locator (URL), which can include the asterisk as a wildcard, the question mark as a single-character wildcard, and square brackets to define a range.
EtherType                              EtherType, bridge protocol data unit (BPDU), and Layer 3 information (IPX can be permitted or denied). EtherType ACLs are available only when operating in transparent mode.
Time based (subcategory of extended)   Associates a specific month, day, or hour range with an access list, enabling you to permit or deny traffic based on these parameters.

Remember that a single ACL can have many access control entries (ACEs) and that each line in the access list (ACE) will contain a permit or deny action. As you should recall, these entries are processed in a top-down order.

When creating an ACL, don't always think of this in terms of "forward the packet, drop the packet." Permit or deny simply means "to ____" or "not to ____." You fill in these blanks with the action that you hope to associate; it could be encrypt, NAT, inspect, rate limit, and so forth. For instance, suppose that we have an ACL that references traffic from your workstation destined anywhere, and we are using the deny action:
access-list 191 extended deny ip host 192.168.1.180 any

Is this a good thing or a bad thing? Generally we don't like to be denied entry, denied a hotel room, denied a loan, denied by anyone for anything. But wait, this is different. Being denied could actually be a good thing; it depends on where that ACL is being applied. Remember, this is a security appliance, and we are applying different types of filtering and restrictions to users.

If we were referring to the IP address of your workstation, we would not want this ACL to be applied inbound on the firewall interface that connects to your subnet because it would prevent you from getting to other networks. However, if rate limiting were being placed upon all users in the enterprise, and this statement were placed at the top of the ACL used for rate limiting, our traffic would proceed without any rate limit, so it would be preferable. If you were to implement Cut-through Proxy on the inside interface of the firewall, forcing all users to authenticate before browsing the web, again this deny statement would exclude you from Cut-through Proxy. Your traffic would flow through uninterrupted while everyone else must first authenticate to go out. Similar logic applies to other functions, such as authentication, policy NAT, URL filtering, and so forth.

Logging
As mentioned previously, ACLs have many purposes. One that is commonly overlooked is intrusion detection. This might sound surprising, but it makes sense when you think about it. Intrusion detection does not have to be accomplished by using network sensors or modules within other network equipment. You can use ACLs for troubleshooting and detection. For instance, I sometimes use a very specific permit statement and apply it at the top of an ACL to make sure traffic is reaching a device and being processed appropriately. It is less disruptive than a debug, but it can also prove that "the network is not the problem." The catch is that I have to watch and refresh and look at hit counts. Is there an easier way?

Most ACLs consist of a collection of permit statements followed by the implicit deny. I was once in a training class and the instructor recommended manually adding deny ip any any log at the end of the ACL so that we could see all packets that are denied. This was not the right idea in my mind, but it was a good start. Logging all denied packets will generate too much information, and chances are slim that the administrator will take these notifications seriously because he'll see a great deal of useless information. Things such as routing updates, broadcasts, and multicasts are going to hit that ACL and be denied, which will generate entries that you have to scroll past, or will generate hit counts that are too high to do us any good.

For the past several years, what I have been doing is building a list of specific protocols that I want to deny demilitarized zone (DMZ) servers from accessing (TFTP, FTP, SSH, IRC, and even HTTP at certain hours, and so on), and placing the log statement at the end of each line. This way, when a server is compromised using some new exploit that is not detected by the intrusion prevention system (IPS), and the attacker attempts to fetch his rootkit from a remote server using TFTP/FTP/HTTP or log in to a botnet on IRC, not only will the connection be denied, but it will also generate a notification. When logged in at the server's desktop, it may look okay. If you inspect the event log, it might be normal, but the syslog notification is proof that something is not right. Why was your server attempting to connect to a TFTP server in Malaysia at 2:45 a.m.? I have been compromised more than once, but I've also been fortunate enough to detect the compromise within a few hours. Quite often, this is not the case, and a machine might go undetected for months, or even years.

You can configure ACLs to send information to a syslog server using the command-line interface (CLI). At the end of an access list entry, use the log parameter. For instance, suppose that we want to prevent a SQL server on the inside network whose IP is 192.168.50.7 from accessing any IRC network, and should this ever occur we want to be notified via syslog. We could use the following statement to make this happen:
Router(config)# access-list 101 deny tcp host 192.168.50.7 any eq 6667 log

Note
Logging of access list matches requires the prior configuration of syslog. It is also possible to set different logging
levels for different access list entries.
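The top-down evaluation, hit counts, and log keyword discussed in this section, as an added Python model that is not part of the Quick Reference (the ACE syntax subset, the sample traffic, and the two comparison ACLs are constructed):

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

# Added model, not ASA code: a subset of the page's ACE syntax is parsed and
# evaluated top-down with an implicit deny, so the effect of the log keyword
# can be seen on constructed traffic. Syntax handled:
#   access-list <id> [extended] permit|deny <proto> <src> [eq <port>] <dst> [eq <port>] [log]
#   <src>/<dst> = any | host A.B.C.D | A.B.C.D MASK

@dataclass
class Packet:
    proto: str                  # "tcp", "udp", "ospf", ...
    src: str
    dst: str
    dport: Optional[int] = None
    sport: Optional[int] = None

@dataclass
class ACE:
    action: str                 # "permit" or "deny"
    proto: str                  # "ip" matches every IP protocol
    src: ipaddress.IPv4Network
    sport: Optional[int]
    dst: ipaddress.IPv4Network
    dport: Optional[int]
    log: bool
    hits: int = 0               # the hit count you would otherwise watch by hand

def _parse_addr(t: List[str], i: int):
    if t[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if t[i] == "host":
        return ipaddress.ip_network(t[i + 1] + "/32"), i + 2
    return ipaddress.ip_network(f"{t[i]}/{t[i + 1]}", strict=False), i + 2

def _parse_port(t: List[str], i: int):
    if i < len(t) and t[i] == "eq":
        return int(t[i + 1]), i + 2
    return None, i

def parse_ace(line: str) -> ACE:
    t = line.split()
    if t[0] != "access-list":
        raise ValueError(f"not an ACE: {line!r}")
    i = 3 if t[2] == "extended" else 2
    action, proto = t[i], t[i + 1]
    src, i = _parse_addr(t, i + 2)
    sport, i = _parse_port(t, i)
    dst, i = _parse_addr(t, i)
    dport, i = _parse_port(t, i)
    return ACE(action, proto, src, sport, dst, dport, log=(i < len(t) and t[i] == "log"))

def matches(ace: ACE, pkt: Packet) -> bool:
    return (ace.proto in ("ip", pkt.proto)
            and ipaddress.ip_address(pkt.src) in ace.src
            and ipaddress.ip_address(pkt.dst) in ace.dst
            and ace.sport in (None, pkt.sport)
            and ace.dport in (None, pkt.dport))

class AccessList:
    """Entries are processed top-down; the first match wins; anything left over
    hits the implicit deny, which neither counts hits nor logs."""
    def __init__(self, lines: List[str]):
        self.aces = [parse_ace(line) for line in lines]
        self.syslog: List[str] = []         # what a syslog server would receive

    def evaluate(self, pkt: Packet) -> str:
        for n, ace in enumerate(self.aces, start=1):
            if matches(ace, pkt):
                ace.hits += 1
                if ace.log:
                    self.syslog.append(f"ACE {n} {ace.action} {pkt.proto} "
                                       f"{pkt.src} -> {pkt.dst}:{pkt.dport}")
                return ace.action
        return "deny"

# Constructed sample traffic: a normal web request from the subnet, the background
# chatter the text warns about (routing update, broadcast), and the SQL server
# 192.168.50.7 trying to reach an IRC port.
TRAFFIC = [
    Packet("tcp",  "192.168.50.20", "203.0.113.10", dport=80),
    Packet("ospf", "192.168.50.1",  "224.0.0.5"),
    Packet("udp",  "192.168.50.99", "255.255.255.255", dport=137),
    Packet("tcp",  "192.168.50.7",  "198.51.100.5", dport=6667),
]

# Targeted logging, as the text recommends: log only the specific deny entries.
TARGETED = [
    "access-list 101 deny tcp host 192.168.50.7 any eq 6667 log",
    "access-list 101 permit tcp 192.168.50.0 255.255.255.0 any eq 80",
]
# The "deny ip any any log" approach: every leftover packet becomes a message.
BLANKET = [
    "access-list 102 permit tcp 192.168.50.0 255.255.255.0 any eq 80",
    "access-list 102 deny ip any any log",
]

def run(lines: List[str]):
    """Evaluate the sample traffic; return (verdicts, syslog messages, per-ACE hit counts)."""
    acl = AccessList(lines)
    verdicts = [acl.evaluate(p) for p in TRAFFIC]
    return verdicts, acl.syslog, [ace.hits for ace in acl.aces]
```

Both lists produce the same verdicts, but the targeted list raises one message for the IRC attempt while the blanket list buries it among the routing and broadcast noise.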

You can also configure this through the graphical user interface (GUI), as shown in Figure 1-1.

NAT
Based on your previous studies, you should already know how to perform basic NAT operations, so let's begin by looking at how not to NAT.
Identity NAT, or using NAT with the ID of zero, has the highest priority of all NAT operations. Identity NAT overrules a similar static or dynamic NAT rule. So, when would you want to use identity NAT? The most common example is traffic flows between two protected networks. Examine the diagram shown in Figure 1-2.
As you can see, traffic flowing from the 192.168.1.0/24 network destined for 10.1.1.0/24 does not require NAT operations. These networks are trusted, and there is no overlap in IP addresses. Therefore, to disable the requirement to NAT, use the following commands:
access-list 191 deny ip 192.168.1.0 255.255.255.0 10.1.1.0 255.255.255.0
nat 0 access-list 191

You can also configure this from the Cisco Adaptive Security Device Manager (ASDM). Just select Configuration, the Firewall pane on the left, and then NAT Rules. Within the NAT Rules configuration, select Add, and then Add NAT Exempt Rule.

Figure 1-4 shows the configuration for our NAT policy. We will select an interface, the source IP address, and then the destination IP address.

First we will select the source IP address range. In this case, 192.168.1.0 is our inside network.

I like to define object groups and then reference the object groups within an ACL, which can also be done here. While in the same Edit NAT Exempt Rule window as earlier, I selected Destination, and then in the Browse Destination window I selected the Add drop-down, then Network Object. Here I define the name and address range for the remote office.
At this point, the new network object called Remote-Office can be seen in the Browse Destination window. I select that as the Destination and click OK.
Now that we have selected both source and destination for our NAT exempt rule, we are almost done.
After you have accepted this change, you can see the new rule at the top of your Access Rules.
We are issuing this statement with the assumption that it is required, but this is not always the case. Before version 7.0 of the firewall OS, all packets that traversed a PIX firewall had to be translated. When the Adaptive Security Appliances (ASAs) were introduced along with 7.0, this was no longer the case, and by default packets did not have to be NAT'd. To enable this requirement, you can use the command nat-control. After you issue this command, all packet flows require nat and global statements for the packet to pass through the firewall, similar to the behavior before 7.0. You can then use the nat 0 command to break this requirement and allow packets to pass without source address translation.
The order of NAT processing is as follows:


Identity NAT
Static NAT
Dynamic NAT

Within these high-level categories, a statement that references an ACL takes precedence over another rule that is more
general. Just think of this concept as "the most specific match rules."

Example

ASA5505(config)# nat (inside) 1 192.168.1.0 255.255.255.0
ASA5505(config)# access-list 102 permit tcp host 192.168.1.10 any eq 80
ASA5505(config)# nat (inside) 2 access-list 102

In this example, a packet from 192.168.1.10 destined for www.google.com on port 80 matches both statements, nat 1 and nat 2. However, because nat 2 is more specific, it takes precedence over nat 1.

When configuring an ASA 5505 for NAT, you will notice that the terms inside and outside refer to VLAN inter-
faces, as opposed to physical interfaces. The physical interfaces are switch ports and must be associated with a
VLAN to pass traffic.

The concept of nat 0 is fairly simple, but it serves as an excellent example of the logic we will be embracing. Instead of using an ACL to permit traffic through an interface, in this example we are using an ACL to define what should not be translated. So notice how, in this scenario, a permit within the ACL is used to not do something, and that something is address translation.
If the ACL referenced by the nat 0 statement has a deny statement within it, what will happen to the source IP address? Perhaps you said to yourself "nothing at all"; it's easy to get confused with multiple operations. Remember that nat 0 is a command that says "do not translate." Therefore, the deny would be a double negative, effectively telling the security appliance "don't not translate" (or in other words, this packet should be translated).
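The precedence order and the nat 0 double negative described above, as an added Python model rather than anything from the Quick Reference; the rule set, the addresses, and the simplified ACL representation are assumptions:

```python
import ipaddress
from typing import List, Optional, Tuple

# Added model of the NAT ordering this section describes (pre-8.3 nat/static/global
# syntax); it is not ASA code, and the rule set and addresses are constructed.
# Identity NAT (nat 0) beats static, static beats dynamic, and within a category a
# rule that references an ACL beats a general rule. In a nat 0 ACL, a deny entry is
# the double negative: "do not exempt", so another rule translates the packet.

Ace = Tuple[str, str, str, Optional[int]]     # (action, src_cidr, dst_cidr, dport)

def _in(ip: str, cidr: str) -> bool:
    return ipaddress.ip_address(ip) in ipaddress.ip_network(cidr)

def acl_selects(acl: List[Ace], src: str, dst: str, dport: Optional[int]) -> bool:
    """Top-down: permit selects the flow, deny explicitly excludes it, no hit excludes it."""
    for action, s, d, p in acl:
        if _in(src, s) and _in(dst, d) and p in (None, dport):
            return action == "permit"
    return False

class NatRule:
    ORDER = {"identity": 0, "static": 1, "dynamic": 2}

    def __init__(self, kind: str, nat_id, src_cidr: str = "0.0.0.0/0",
                 acl: Optional[List[Ace]] = None, mapped: Optional[str] = None):
        self.kind, self.nat_id = kind, nat_id
        self.src_cidr, self.acl = src_cidr, acl
        self.mapped = mapped        # static: mapped address; dynamic: the global pool address

    def applies(self, src: str, dst: str, dport: Optional[int]) -> bool:
        if self.acl is not None:    # policy NAT or "nat 0 access-list": the ACL decides
            return acl_selects(self.acl, src, dst, dport)
        return _in(src, self.src_cidr)

    def precedence(self):
        # sort key: category first, then ACL-referencing ("most specific") before general
        return (self.ORDER[self.kind], 0 if self.acl is not None else 1)

def translate_source(rules: List[NatRule], src: str, dst: str, dport: Optional[int] = None):
    """Return (nat id, source address as seen on the far side) under the page's precedence."""
    for rule in sorted(rules, key=NatRule.precedence):   # stable: config order breaks ties
        if rule.applies(src, dst, dport):
            return rule.nat_id, (src if rule.kind == "identity" else rule.mapped)
    return None, src    # no rule; with nat-control enabled this flow would be dropped

REMOTE_OFFICE = "10.1.1.0/24"
EXEMPT_ACL: List[Ace] = [                                  # nat 0 access-list 101
    ("deny",   "192.168.1.50/32", REMOTE_OFFICE, None),    # the double negative
    ("permit", "192.168.1.0/24",  REMOTE_OFFICE, None),
]
WEB_ACL: List[Ace] = [("permit", "192.168.1.10/32", "0.0.0.0/0", 80)]   # access-list 102

RULES = [    # listed out of order on purpose; precedence, not position, decides
    NatRule("dynamic", 1, src_cidr="192.168.1.0/24", mapped="203.0.113.1"),    # nat (inside) 1
    NatRule("dynamic", 2, acl=WEB_ACL, mapped="203.0.113.2"),                   # nat (inside) 2 access-list 102
    NatRule("static", "static", src_cidr="192.168.1.50/32", mapped="203.0.113.100"),
    NatRule("identity", 0, acl=EXEMPT_ACL),                                     # nat (inside) 0 access-list 101
]
```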
If you have followed the examples so far, you are in good shape and we can delve further into the logic of the security appliance. Remember, everything we do in IT follows an "if-then" logic. If this condition occurs, then perform this action.
We can now expand our knowledge of NAT operations with Policy NAT. The first time I heard the term Policy NAT I was on a bridge call with several engineers. At the time, it sounded pretty fancy, and even intimidating. My strategy then was just to keep my mouth shut and not ask any dumb questions.

Just what is this policy thing? For instance, what is policy-based routing (PBR), another term that can sound intimidating at first? Policy NAT and policy-based routing are just making forwarding operations based on criteria within the packet outside of the usual things that we look at.

You might still be wondering what that means. To help you understand, let's look at routing. A router makes forwarding decisions based on the destination IP address in the IP header (Layer 3), and that is all. "That's it?" you ask. Essentially, yes.

Simply put, PBR is making a forwarding decision based on other information. You can specify lots of different criteria, but imagine routing traffic from your call center to the Internet over a 5-Mb/s cable modem, and traffic sourced from your executives to the same destination out of a different, faster link, such as a 50-Mb/s FiOS link. Now we are making a forwarding decision based on both the source and destination IP address. You can also specify other criteria, such as Layer 3 and Layer 4 information like type of service (ToS), time of day, protocol, and service (HTTP, SMTP, POP3, and so forth).

So, to clarify, you can perform NAT and routing operations based on criteria that you can specify within an ACL.

If you are with me so far, we are making great progress. Things will continue to build in a similar logical manner. For more than a decade, we have been making forwarding decisions based on some, but not all, of the information contained within Layers 2, 3, and 4 of the OSI model. Primarily, we have looked at source and destination MAC addresses, IP addresses, and port numbers. What about the payload, what about other fields within the IP header and TCP header? In the latest versions of FOS and IOS software, you will find a growing number of parameters that you can specify to match upon the contents of the payload. Dozens of combinations of conditions are available that we can define to control the flow of packets through the security appliance.

We will now move beyond the familiar Layer 3 and Layer 4 conditions and into specifying criteria within the payload. Each protocol will have specific parameters that we can match upon. For instance, think about FTP. When you connect to a remote FTP server, you first log in with a username and password, and then transfer files. All the file operations have specific commands. You can find these commands within an RFC. In other words, standards define how a client and server communicate. Every protocol has these standards defined, whether it is HTTP, FTP, SMTP, or so forth. When a client connects to a server, certain commands are available. Each protocol is almost a language in itself. Think of the client and server as two peers having a conversation while the firewall is eavesdropping on them. If the firewall has the capability to inspect a conversation, we can create conditions upon the commands or actions of this conversation.

In terms of configuration, think of the entire process of "advanced protocol inspection" as a simple conversation between the administrator and the firewall. Essentially, you are saying, "Hey firewall, if you see a packet coming from the outside world, destined for our FTP server, and someone tries to create a new directory." Notice there is no action. Once again, it's an "if-then" logic that we are dealing with here; the action is defined in a separate step.

From a bird's-eye view, you're saying, "Hey firewall, if you see a packet that looks like this, then do this action." The action may be drop the packet, reset the connection, implement rate limiting, generate a syslog notification, or so on. A number of actions can be taken upon a traffic flow. This "advanced protocol handling" is implemented through the Modular Policy Framework (MPF). The MPF, although seemingly complex, gives administrators a powerful means of implementing strict control over traffic flows.

Note
MPF replaces the fixup commands that were used in earlier versions of the OS.

Every protocol should be thought of as a separate language, and the firewall must have an understanding of the language before you can match upon protocol-specific parameters (such as deleting a file or making a new directory in FTP). As we go forward and explore these protocols, you will gain a better understanding of what is possible with the ASA and PIX perimeter security appliances.

Modular Policy Framework is the term Cisco gives to the use of class maps and policy maps to control the flow of traffic through your device. This is sometimes referred to as Modular Quality of Service Command Line Interface, or Modular QoS CLI, when dealing with routers. The MPF uses class maps to identify a flow of traffic and a policy map to implement some action on that traffic flow. Based on earlier explanations, think of the class map as the "if" condition and the policy map as the "then" condition.

Figure: the three building blocks of the MPF
  Class Map (define traffic flow) -> Policy Map (associate action) -> Service Policy (apply policy here)
  Examples: Public -> IPS -> Outside; Remote Users -> Police -> Outside; Branch Office -> Priority -> Outside

First let's tackle class maps. A class map is used to define a traffic flow. A class map will have a name (for instance, DMZ-Services). Within the class map named DMZ-Services, we will define some criteria to match upon.

Class map criteria include the following:

Access control lists
Type of service
Tunnel group
Differentiated services code points
Destination IP address
TCP or UDP port number
Real-time Transport Protocol (RTP) port numbers
Default inspection traffic
Any packet
Flow

Therefore, suppose we use the following topology, and we write the following access list:

ASA(config)# access-list 101 permit tcp any host 10.10.10.100 eq 80
ASA(config)# access-list 101 permit tcp any host 10.10.10.101 eq 25
ASA(config)# access-list 101 permit tcp any host 10.10.10.100 eq 443
ASA(config)# access-list 101 permit tcp any host 10.10.10.101 eq 110
ASA(config)# access-list 101 permit udp any host 10.10.10.102 eq 53

We can place access list 101 into the class map called DMZ-Services by using the following CLI commands:
ASA(config)# class-map DMZ-Services
ASA(config-cmap)# match access-list 101

At this point, we have taken several traffic flows and associated them with a single name: DMZ-Services. However, we have not done anything to these packets. Previously we have discussed things such as dropping packets, routing, and NAT'ing. In this example, we will take this traffic flow that applies to users from the Internet destined for our DMZ services and pass that traffic to an IPS module for inspection. We can do this by using a policy map, and we can use the following configuration to forward this traffic flow to the AIP-SSM:
1. Create a policy map called Outside-Policy:
ASA(config)# policy-map Outside-Policy

2. Reference our previously defined traffic flow called DMZ-Services:
ASA(config-pmap)# class DMZ-Services

3. Pass this traffic flow to the IPS module for inspection. If the IPS module is unable to process the traffic, ignore this failure and forward it without inspection:
ASA(config-pmap-c)# ips inline fail-open

In the preceding example, we identified traffic destined for the services on our DMZ. After identifying the traffic flows
using an ACL, we referenced this ACL within a class map. Finally, the class map was placed within a policy map, and an
action was associated with that traffic flow. In this case, any traffic destined for our DMZ servers will be passed to an IPS
module within the ASA.
Let's examine different actions we can take on a traffic flow using the MPF:
Permit
Deny
Application inspection
Send to IPS module
Send to CSC module
Expedite this traffic with priority queuing
Tune connection parameters
Police (rate limit)
Traffic shaping

Let's review what we have covered so far: An ACL can be used to define a flow of traffic; that ACL can then be referenced within a class map, and the class map is then placed within a policy map to take some action on the flow of traffic previously described in the ACL.
The final step is to apply the policy map to an interface. You can do this by using the service-policy command.
ASA(config)# service-policy Outside-Policy interface outside

In this example, we applied the previously generated policy Outside-Policy to our outside interface.
Do you have to use an ACL within a class map? No, this is not a requirement. ACLs are one of several options available to you for specifying packet criteria. You can find the complete list earlier in the chapter.
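The class-map, policy-map and service-policy chain from this section, as an added Python model that is not ASA code; the contents of the default global_policy, the IPS module state, and the packets are assumptions:

```python
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Tuple

# Added model of the MPF chain this section walks through; it is not ASA code.
# Class maps are the "if", policy maps the "then", and service-policy binds a
# policy map to an interface (or globally). The DMZ service list comes from
# access-list 101 above; global_policy's contents and the IPS state are assumptions.

@dataclass
class Packet:
    ingress: str                # interface the packet arrived on
    proto: str
    src: str
    dst: str
    dport: Optional[int] = None

@dataclass
class ClassMap:
    name: str
    match: Callable[[Packet], bool]

@dataclass
class PolicyMap:
    name: str
    classes: List[Tuple[ClassMap, Dict[str, str]]] = field(default_factory=list)

    def actions_for(self, pkt: Packet) -> Dict[str, str]:
        """Walk the classes top-down; the first class to match supplies each feature's action."""
        chosen: Dict[str, str] = {}
        for cmap, actions in self.classes:
            if cmap.match(pkt):
                for feature, action in actions.items():
                    chosen.setdefault(feature, action)
        return chosen

class Appliance:
    def __init__(self):
        self.policies: Dict[str, PolicyMap] = {}
        self.service_policy: Dict[str, str] = {}    # "outside" or "global" -> policy-map name
        self.ips_online = True                      # constructed state of the AIP-SSM

    def apply(self, policy_name: str, interface: str = "global"):
        self.service_policy[interface] = policy_name  # one policy per interface, one global

    def forward(self, pkt: Packet) -> str:
        actions: Dict[str, str] = {}
        # interface policy wins per feature; global_policy fills in features it did not set
        for key in (pkt.ingress, "global"):
            if key in self.service_policy:
                for feature, action in self.policies[self.service_policy[key]].actions_for(pkt).items():
                    actions.setdefault(feature, action)
        if "ips" in actions:
            mode, on_failure = actions["ips"].split()          # e.g. "inline fail-open"
            if not self.ips_online:
                return "forwarded without inspection" if on_failure == "fail-open" else "dropped"
            return f"sent to IPS module ({mode})"
        if "inspect" in actions:
            return f"application inspection ({actions['inspect']})"
        return "forwarded"

# (proto, host, port) tuples from access-list 101
DMZ_SERVICES = {("tcp", "10.10.10.100", 80), ("tcp", "10.10.10.101", 25),
                ("tcp", "10.10.10.100", 443), ("tcp", "10.10.10.101", 110),
                ("udp", "10.10.10.102", 53)}

def build_appliance() -> Appliance:
    asa = Appliance()
    dmz = ClassMap("DMZ-Services", lambda p: (p.proto, p.dst, p.dport) in DMZ_SERVICES)
    outside = PolicyMap("Outside-Policy", [(dmz, {"ips": "inline fail-open"})])
    # constructed stand-in for the default global policy: inspect DNS on every interface
    default_inspection = ClassMap("inspection_default", lambda p: p.proto == "udp" and p.dport == 53)
    global_policy = PolicyMap("global_policy", [(default_inspection, {"inspect": "dns"})])
    asa.policies = {pm.name: pm for pm in (outside, global_policy)}
    asa.apply("global_policy")                      # service-policy global_policy global
    asa.apply("Outside-Policy", "outside")          # service-policy Outside-Policy interface outside
    return asa
```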
Configuration is a bit different when performed from ASDM; you actually start at the interface, and work your way backward. First, select Configuration, then Firewall, followed by Service Policy Rules.

Click the Add button, and then Add Service Policy Rule from the drop-down window.
Because only one policy can be applied to an interface, you must modify the existing policy if one has already been configured. By default, there is a policy called global_policy that is applied globally, and the interfaces do not have any configuration. Assuming that we are working with a fresh configuration, we will continue by selecting the Interface radio button and selecting the Outside interface. Similar to the previous example, I will use the policy name Outside-Policy, add a description, and then click Next.
As previously mentioned, we have several methods available for classifying traffic. Because the most familiar is using an ACL, I will select Source and Destination IP Address from the Traffic Match Criteria selection. As you can see, other methods are also available.
It is extremely easy to configure ACLs from the GUI, as you can see here. Just select a source, destination, and service.
The button on the right will present a list of preconfigured network objects that you can select, or you can type the
network addresses by hand. The last requirement is to specify the service. A preconfigured list is available, or you can
manually enter the protocol and port.

The following window is used to configure protocol inspection, connection settings, QoS, and other rules. This is the
actual action covered in the next section of this Quick Reference.

Application Inspection (Deep Packet Inspection)


At this point, we know that it is possible to create criteria that match parameters that exist in the payload (Layers 5 to 7) of a packet. For instance, if a packet is sent from a remote user's browser to our web server, we can permit or deny the packet based on HTTP parameters within the payload. HTTP uses a different set of commands between the client and server than other protocols (such as FTP, SMTP, and so on). Although many protocols are in use today, and there are multiple versions of the clients and servers for each of these protocols, the commands are still based on standards defined in a protocol-specific RFC or group of RFCs. This is why any web browser (Firefox, Internet Explorer, Safari, Netscape) can communicate with any web server (Apache, IIS, Tomcat, and so on). A sequence of events always occurs, and specific commands are passed back and forth between client and server for any protocol (HTTPS, HTTP, FTP, SMTP, POP3, IMAP, RTSP, and so on). If the security appliance understands the language that is being spoken (HTTP in this case), then as a firewall administrator we have the ability to match criteria within HTTP communications and associate a security policy with that traffic flow.

Suppose that we have a web server within our DMZ that is running a single web application that is under our company's control. The web developers have informed us that this specific application supports the GET request, but not a POST request. Using the ASA, we have the ability to inspect within the payload of the packet and interpret the HTTP commands that are being passed from a client to a server. If we see a client sending a packet toward our web application that contains a POST command in the payload, we know that this is malicious activity (because our web application does not support POST). After identifying this activity, we can react accordingly. For instance, someone may be running a web application vulnerability scanner against our application, or sending custom messages created by hand with a utility such as Burp.

By similar logic, if we inspect a packet sent from an unknown client to our server and it contains a GET request, we know this packet is not malicious, correct? Nope, not really. An attacker can still perform web application attacks using the GET command, but by blocking the POST command we have eliminated our exposure to some of the attacks that exist.

So far we know that we want to allow traffic from the outside interface (the public Internet) into our web server, but we
also want to protect this server from malicious attacks that it is sure to receive. We know not all port 80 traffic is going to
be friendly, so we have filtered out HTTP requests that use the POST request method.
Let's start where we previously left off when configuring service policy rules on the ASA. The screen was asking for rule
actions (allows for QoS, connection settings, IPS, application inspection, and more). We will select the Protocol
Inspection tab. Make sure HTTP inspection is enabled, and then select Configure.


Now we will create an inspect map for HTTP. Select the radio button that reads Select a HTTP Inspect Map for Fine
Control over Inspection, then click the Add button.


Name this HTTP inspection map, and then provide a description. Then, select Details.


Under the Inspections tab, click Add.


The final step is to set the actual parameter that we are trying to block. From the Method dropdown box, select Post, and
then ensure that the action is set to Drop Connection, and that Log is set to Enabled.

In the future, if you want to modify inspection maps, you can find them by following this path: Configuration > Firewall
> Objects > Inspect Maps.
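The steps above build an HTTP inspect map with a single method rule. The following is an added example, not the ASA's own code, that models that rule in Python over constructed request samples: the request line is parsed, the method is compared against the rule, and a matching request yields a drop-connection verdict with a log message, the way the inspect map action and Log setting would. The names MethodRule, Verdict and inspect_request, the client addresses, and the decision to treat a malformed request line as a drop (on the appliance the protocol-violation action is a separate setting) are assumptions made for this example.

```python
from dataclasses import dataclass
from typing import FrozenSet, List, Optional, Tuple


@dataclass(frozen=True)
class MethodRule:
    """One Inspections entry of an HTTP inspect map: match on the request
    method, then take an action and optionally log (names assumed here)."""
    methods: FrozenSet[str]
    action: str = "drop-connection"   # the map offers drop-connection, reset, or log
    log: bool = True
    negate: bool = False              # True models 'match not' (everything except these methods)


@dataclass(frozen=True)
class Verdict:
    action: str                  # "allow" or the rule's action
    log_message: Optional[str]   # what a syslog line would carry, if logging is on


def parse_request_line(raw: bytes) -> Tuple[str, str, str]:
    """Return (method, target, version) from the first line of an HTTP request.

    Raises ValueError for anything that is not a well-formed request line;
    that is how non-HTTP traffic arriving on port 80 is told apart from HTTP
    (UnicodeDecodeError is a ValueError, so non-ASCII bytes land here too)."""
    first, _, _ = raw.partition(b"\r\n")
    parts = first.split(b" ")
    if len(parts) != 3 or not parts[2].startswith(b"HTTP/"):
        raise ValueError("malformed request line")
    method, target, version = (p.decode("ascii") for p in parts)
    return method, target, version


def inspect_request(raw: bytes, rule: MethodRule, client: str) -> Verdict:
    """Apply the method rule to one request as the inspect map would."""
    try:
        method, target, _version = parse_request_line(raw)
    except ValueError:
        # Assumption for this example: a protocol violation is dropped.
        return Verdict("drop-connection", f"{client}: HTTP protocol violation")
    matched = (method in rule.methods) != rule.negate
    if matched:
        msg = f"{client}: {method} {target} matched method rule" if rule.log else None
        return Verdict(rule.action, msg)
    return Verdict("allow", None)


# Constructed sample traffic (not captured from a real network).
SAMPLES: List[Tuple[str, bytes]] = [
    ("203.0.113.10", b"GET /index.html HTTP/1.1\r\nHost: www.example.test\r\n\r\n"),
    ("203.0.113.10", b"POST /login HTTP/1.1\r\nHost: www.example.test\r\nContent-Length: 3\r\n\r\nq=1"),
    ("203.0.113.11", b"HEAD / HTTP/1.0\r\n\r\n"),
    ("203.0.113.12", b"\x16\x03\x01\x00\xa5\x01\x00\x00\xa1"),   # TLS record bytes, not HTTP
    ("203.0.113.13", b"OPTIONS * HTTP/1.1\r\nHost: www.example.test\r\n\r\n"),
]

# The rule from the text: drop and log any POST.
BLOCK_POST = MethodRule(methods=frozenset({"POST"}))

# The stricter alternative: allow only the methods the application supports.
ALLOW_GET_HEAD = MethodRule(methods=frozenset({"GET", "HEAD"}), negate=True)


def run_samples(rule: MethodRule = BLOCK_POST) -> List[str]:
    """Return the action taken for each sample, in order."""
    return [inspect_request(raw, rule, client).action for client, raw in SAMPLES]


if __name__ == "__main__":
    for (client, raw), verdict in zip(SAMPLES, (inspect_request(r, BLOCK_POST, c) for c, r in SAMPLES)):
        print(f"{client:14} {raw[:12]!r:18} -> {verdict.action:16} {verdict.log_message or ''}")
```

Compare run_samples(BLOCK_POST) with run_samples(ALLOW_GET_HEAD): the deny rule lets OPTIONS through, the allow-list version does not, which is the difference the text hints at when it notes that blocking POST removes only some of the exposure.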

To properly protect this server, we need to make a few more tweaks to minimize our exposure. Let's take a look at a few
more ways to do this.

Regular Expressions
Some of you may be familiar with regular expressions (regex) from prior programming or scripting experience. If you
have not had experience with this type of classification before, you will probably be a bit intimidated at first, but with a
bit of practice it all makes sense.


For instance, if I want to configure the firewall to notify me if the word Hacked passes through the firewall on port 80, I
could define the word as it is styled right here (with only the H capitalized). But what if I want to match on all cases (for
instance, Hacked or hacked)? What if I also want to match upon alphabet characters that have been swapped with
numbers (such as h4ck3d) or a mixture of upper- and lowercase (such as hAcKeD)?
You can use a regular expression to match a string of characters and combinations of those characters, including ranges
and the position of the pattern within other text. For example, if I want to match all the previously mentioned variations
of hacked, I could use the following regular expression:
[Hh][Aa4@][Cc][Kk][Ee3][Dd]

If the payload of a packet contains six characters in order that each match any single character within the corresponding set of brackets,
we will consider this a match. Creating regular expressions can be tricky at first, but you have a tool built in to the ASA
to test your regular expression to ensure that it is matching the way you planned, as follows:
ASA5585# test regex H4ck3d [Hh][Aa4@][Cc][Kk][Ee3][Dd]
INFO: Regular expression match succeeded.
ASA5585# test regex H4ck3r [Hh][Aa4@][Cc][Kk][Ee3][Dd]
INFO: Regular expression match failed.

You can also wildcard a single character by using the period (.), as follows:
ASA5585# test regex H4ck3d [Hh][Aa4@][Cc][Kk][Ee3].
INFO: Regular expression match succeeded.
ASA5585# test regex H4ck3r [Hh][Aa4@][Cc][Kk][Ee3].
INFO: Regular expression match succeeded.
ASA5585# test regex 4ck3r [Hh][Aa4@][Cc][Kk][Ee3].
INFO: Regular expression match failed.
ASA5585# test regex H4ck3rr8128Z18312 [Hh][Aa4@][Cc][Kk][Ee3].
INFO: Regular expression match succeeded.


Beware of special characters, however. If you want to match on a file, such as nc.exe, the period will be used as a wild-
card. But suppose you want to match literally on the period itself:
ASA5585# test regex nc.exe nc.exe
INFO: Regular expression match succeeded.
ASA5585# test regex nclexe nc.exe
INFO: Regular expression match succeeded.
The second test succeeds even though nclexe contains no period, because the unescaped period in the pattern matches any single character.

To correct this issue, just place the backslash (\) before a character to match on it literally, as follows:
ASA5585# test regex nc.exe nc\.exe
INFO: Regular expression match succeeded.
ASA5585# test regex nclexe nc\.exe
INFO: Regular expression match failed.

Remember to use the \ character when matching against a domain:
ASA5585(config)# test regex myspace.com myspace\.com
INFO: Regular expression match succeeded.

You can configure regular expressions from ASDM. Just navigate to the following location: Configuration > Firewall >
Objects > Regular Expressions.

For example, if I want to block anything that contains myspace.com, myspace.co.uk, or some other variation, I could try
this.


A tool is built in to assist you in constructing regular expressions. Click the Build button to use the tool. I have typed
Myspace.com into the character string, but I want to match on both uppercase and lowercase, so I have selected the
Ignore Case option.

It's always good to test things out first, so click the Append Snippet button to copy the regular expression code into the
dialog box.


You can now tweak the code that was generated, or test it by clicking the Test button.

You can create multiple regular expressions that are used for a similar purpose and group them within a regular
expression class. That class can then be referenced in other parts of the configurations. For instance, if you were to
create a regex class called SocialNetworking, you could then include the individual regular expressions for
Myspace, Facebook, LinkedIn, and so on.


Protocol-Specific Parameters
Our goal is to look deep within the flow of packets and identify certain circumstances that require special handling by the
security appliance. So far, you have read about ACLs, class maps, and regular expressions. I now want to provide more
detail about packet inspection.
I like the term deep packet inspection (it works for me), but many other terms also describe this process: advanced proto-
col handling, advanced protocol inspection, inspection class maps, or modular QoS CLI (when dealing with routers).
Before we get too caught up in terminology, let's step back to the 32,000-foot view. I say 32,000 feet because I'm
currently on an airplane, at 32,000 feet, while writing this.
A good way to think of protocols is that each one is like a different language. And, think of our inspection of the traffic
flow as eavesdropping on a phone call between two other parties.
The Marriott Park Hotel in Rome has a gated facility, and a guard is posted at this gate. Imagine that you are the guard
working there. Many different people (guests and otherwise), from many different places, are coming and going. It is
your duty to make sure that only guests with reservations are allowed through the front gate.
To stretch this a bit further, imagine that you have the capability to monitor all inbound phone calls and eavesdrop on the
ensuing conversations. If a guest (think client) is talking to your guest services desk (think internal server) in German,
and you understand German, you can understand what is being said. Although most of the information being passed is
not of interest to you (type of room, cost, discount rates), you are waiting for keywords such as arrival, departure, a.m.,
p.m., days of week, specific dates, number of adults, number of children, and so on. After you have obtained this infor-
mation from the inbound phone call, you can then make note of it in your log. Well, firewalls maintain a similar log,
called a state table. You should know this already from the SNAF course. So, here is a quick recap of what has happened:
We have an inbound phone call, we inspect it, listen for the guest name and the arrival date, and make a note of it in the
log. Your firewall does the exact same thing on a day-to-day basis.
Therefore, if you understand German, French, Dutch, Italian, English, and Spanish, these customers will be passed
through the gate without any additional checks. You will be expecting their arrival, and when they arrive at the gate, they
will be passed through.

But what happens when someone calls the hotel and makes a reservation speaking Luxembourgish? Did you know that
there is a language called Luxembourgish? Obviously, this phone call will not be able to be inspected. Therefore, we have
no idea when the guest from Luxembourg will arrive, and when he does arrive he will be denied access.
So what does this mean in the technology world? Your security appliance lacks the capability to inspect every protocol.
Therefore, when well-known protocols are used, we can automatically alter the security policy to accommodate the traffic
flow. When an unknown protocol is used, it will fail. This is generally where you, as administrator, come into the picture.
A user tells you that the firewall is blocking his application, for example. The first question to ask yourself is what protocol the appli-
cation is using to communicate through the firewall. Then, you ask whether that protocol is supported, and finally,
whether inspection is enabled for that protocol.
Protocol inspection can be enabled or disabled within the policy map configuration. The following table shows the avail-
able protocols that can be enabled for a traffic flow, as follows:
ASA5585(config-pmap-c)# inspect ?

MPF Policy Map and Class Map Mode Inspection Protocols

ctiqbe      ils               skinny
dcerpc      im                snmp
dns         ipsec-pass-thru   sqlnet
esmtp       mgcp              sunrpc
ftp         netbios           tftp
gtp         pptp              waas
h323        rsh               xdmcp
http        rtsp
icmp        sip


Beyond just inspecting these protocols for parameters that are negotiated, we can also filter upon protocol-specific condi-
tions. I covered HTTP briefly earlier in the chapter, and these protocols are handled the same way. Inspection maps are
created with protocol-specific conditions and then applied using MPF. Although configuration is possible from the CLI,
ASDM is much more intuitive when performing granular filtering with MPF.
To configure protocol inspection from ASDM, navigate to the following location, where you will find a list of protocols
that support inspection maps: Configuration > Firewall > Objects > Inspect Maps.


As an administrator, you have the ability to create inspection maps to match specific criteria for each of these protocols. I
have given you only the tip of the iceberg here. The im you see listed in the table is for the instant messaging class. You
can permit or deny certain functions within instant messenger, such as whiteboard, file transfer, chat, games, and more.
Each protocol has specific parameters that you can tune to enhance the security of your network.

Banner Masking
One of the first steps of a network attack is reconnaissance; attackers will map out your network resources before launch-
ing an attack. By default, when users connect to certain services, they are greeted by a banner, which the service uses to
announce the type of software in use and the version number, as follows:
mac-pro:~ sin$ telnet www.ciscopress.com 80
Trying 209.202.161.68...
Connected to ciscopress.com.
Escape character is '^]'.
HEAD / HTTP/1.1

HTTP/1.1 302 Found
Connection: close
Date: Sun, 21 Dec 2008 23:22:57 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Location: https://memberservices.informit
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 221

Connection closed by foreign host.
mac-pro:~ sin$


When configuring HTTP, FTP, and SMTP inspection, you can mask or even spoof the server reply. However, configura-
tion of these features is beyond the scope of this Quick Reference.
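The response captured above shows three headers that announce the server software and version. As an added example, not Cisco code and not the ASA's masking feature, the following Python takes the header block from that capture (reproduced here as a constructed string) and does two things a defender wants: it reports which banner headers leak, and it produces the masked response an inspection engine would forward instead, with the Server value replaced and the version-only headers removed. The header names treated as banners and the replacement value are assumptions for this example.

```python
from typing import Dict, List, Tuple

# Header block from the capture in the text, rebuilt as a constructed sample.
SAMPLE_RESPONSE = (
    "HTTP/1.1 302 Found\r\n"
    "Connection: close\r\n"
    "Date: Sun, 21 Dec 2008 23:22:57 GMT\r\n"
    "Server: Microsoft-IIS/6.0\r\n"
    "X-Powered-By: ASP.NET\r\n"
    "X-AspNet-Version: 2.0.50727\r\n"
    "Location: https://memberservices.informit\r\n"
    "Cache-Control: private\r\n"
    "Content-Type: text/html; charset=utf-8\r\n"
    "Content-Length: 221\r\n"
    "\r\n"
)

# Headers that reveal software or version (assumed set for this example).
BANNER_HEADERS = ("server", "x-powered-by", "x-aspnet-version")


def parse_response(raw: str) -> Tuple[str, List[Tuple[str, str]], str]:
    """Split a response into (status line, [(name, value)], body).
    Header values are split at the first colon only, so times survive intact."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    headers = []
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.append((name.strip(), value.strip()))
    return lines[0], headers, body


def leaked_banners(raw: str) -> Dict[str, str]:
    """Return the banner headers present, with their values, for reporting."""
    _, headers, _ = parse_response(raw)
    return {name: value for name, value in headers if name.lower() in BANNER_HEADERS}


def mask_banners(raw: str, server_value: str = "WebServer") -> str:
    """Rebuild the response with Server masked and version-only headers dropped.
    Everything else, including the status line and body, is forwarded unchanged."""
    status, headers, body = parse_response(raw)
    kept = []
    for name, value in headers:
        lname = name.lower()
        if lname == "server":
            kept.append((name, server_value))   # keep the header, hide the product
        elif lname in BANNER_HEADERS:
            continue                             # nothing to keep once the version is gone
        else:
            kept.append((name, value))
    head = "\r\n".join([status] + [f"{n}: {v}" for n, v in kept])
    return head + "\r\n\r\n" + body


if __name__ == "__main__":
    print("leaked:", leaked_banners(SAMPLE_RESPONSE))
    print(mask_banners(SAMPLE_RESPONSE))
```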

DNS Inspection
DNS inspection is used to alter DNS replies (DNS doctoring) for internal hosts and to filter DNS traffic based on specific
criteria. Altering DNS replies is necessary if you have internal users who are using external DNS servers to discover
internal resources.

The external DNS server replies to the client using the real-world IP, but the internal host should be using the internal IP
address to contact the server. DNS doctoring is the process of rewriting the DNS reply, changing the public IP address to
the translated private IP address.
For instance, consider the following static statement:
ASA(config)# static (dmz,outside) 192.168.50.50 10.10.10.50 dns

From this statement, we can tell that the outside IP address is 192.168.50.50 and the internal IP address is 10.10.10.50. If
we do a DNS lookup to the external DNS server, the reply will read 192.168.50.50. When the ASA receives this DNS
reply, it will be inspected, and the 192.168.50.50 address will be overwritten with 10.10.10.50 and then forwarded to the
client.
Another DNS feature provided by the ASA is stateful inspection of DNS. When a host sends a DNS request through the
firewall, a slot is created in the translation table. As soon as one reply is received, that reply is forwarded, and the slot is
then cleared. Should any additional replies arrive, they will be discarded.
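The two behaviours just described, rewriting the A record in a reply according to the static mapping and forwarding only the first reply for each outstanding query, can be shown end to end on a constructed packet. The following is an added example, not the ASA's implementation: it builds a minimal DNS response for the 192.168.50.50 to 10.10.10.50 mapping from the static statement above, doctors it, and runs replies through a one-slot-per-query table. The packet builder, the domain name, the client address, the transaction IDs and all function names are assumptions made for this example.

```python
import struct
from typing import Dict, Iterator, List, Set, Tuple

# From the static statement in the text: public address the external DNS
# server hands out, and the private address internal hosts must use.
STATIC_DNS_MAP: Dict[str, str] = {"192.168.50.50": "10.10.10.50"}


def _encode_name(name: str) -> bytes:
    """Wire-format a dotted name as length-prefixed labels ending in a zero byte."""
    return b"".join(bytes([len(label)]) + label.encode("ascii") for label in name.split(".")) + b"\x00"


def _skip_name(buf: bytes, pos: int) -> int:
    """Advance past a domain name, handling a compression pointer (0xC0xx)."""
    while True:
        length = buf[pos]
        if length & 0xC0 == 0xC0:   # pointer: two bytes and the name is finished
            return pos + 2
        if length == 0:
            return pos + 1
        pos += 1 + length


def build_a_response(txid: int, name: str, ip: str, ttl: int = 300) -> bytes:
    """Construct a minimal DNS response with one question and one A record."""
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)   # QR, RD, RA set
    question = _encode_name(name) + struct.pack("!HH", 1, 1)    # QTYPE A, QCLASS IN
    rdata = bytes(int(octet) for octet in ip.split("."))
    answer = b"\xC0\x0C" + struct.pack("!HHIH", 1, 1, ttl, 4) + rdata   # name points at offset 12
    return header + question + answer


def _answer_records(packet: bytes) -> Iterator[Tuple[int, int, int, int]]:
    """Yield (rdata offset, type, class, rdlength) for each answer record."""
    _txid, _flags, qdcount, ancount, _ns, _ar = struct.unpack_from("!HHHHHH", packet, 0)
    pos = 12
    for _ in range(qdcount):
        pos = _skip_name(packet, pos) + 4          # QTYPE + QCLASS
    for _ in range(ancount):
        pos = _skip_name(packet, pos)
        rtype, rclass, _ttl, rdlen = struct.unpack_from("!HHIH", packet, pos)
        pos += 10
        yield pos, rtype, rclass, rdlen
        pos += rdlen


def answer_ips(packet: bytes) -> List[str]:
    """List the IPv4 addresses carried in the answer section."""
    return [".".join(str(b) for b in packet[off:off + 4])
            for off, rtype, rclass, rdlen in _answer_records(packet)
            if rtype == 1 and rclass == 1 and rdlen == 4]


def doctor_reply(packet: bytes, static_map: Dict[str, str]) -> bytes:
    """DNS doctoring: rewrite A-record rdata that matches a static mapping."""
    out = bytearray(packet)
    for off, rtype, rclass, rdlen in _answer_records(packet):
        if rtype == 1 and rclass == 1 and rdlen == 4:
            public = ".".join(str(b) for b in packet[off:off + 4])
            if public in static_map:
                out[off:off + 4] = bytes(int(o) for o in static_map[public].split("."))
    return bytes(out)


class DnsSlotTable:
    """Stateful DNS: one slot per (client, transaction ID); the first reply
    closes the slot and any later reply for it is discarded."""
    def __init__(self) -> None:
        self._open: Set[Tuple[str, int]] = set()

    def request(self, client: str, txid: int) -> None:
        self._open.add((client, txid))

    def reply(self, client: str, txid: int) -> bool:
        """True if the reply should be forwarded, False if it must be dropped."""
        key = (client, txid)
        if key in self._open:
            self._open.discard(key)
            return True
        return False


def demo() -> Tuple[List[str], List[str], List[bool]]:
    """Doctor one constructed reply and exercise the slot table."""
    raw = build_a_response(0x1234, "www.example.test", "192.168.50.50")
    fixed = doctor_reply(raw, STATIC_DNS_MAP)
    table = DnsSlotTable()
    table.request("10.10.20.5", 0x1234)
    verdicts = [table.reply("10.10.20.5", 0x1234),   # first reply: forwarded
                table.reply("10.10.20.5", 0x1234),   # second reply for same slot: dropped
                table.reply("10.10.20.5", 0x4321)]   # reply with no outstanding query: dropped
    return answer_ips(raw), answer_ips(fixed), verdicts


if __name__ == "__main__":
    print(demo())
```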

Advanced DNS Inspection


The ASA firewalls provide advanced DNS inspection features that protect your network from DNS spoofing and cache-
poisoning attacks. In spring of 2008, Dan Kaminsky discovered one of the greatest vulnerabilities in the history of the
Internet, and it had to do with poisoning major DNS servers. Although the details of the attack are fascinating, they are
beyond the scope of this Quick Reference. Refer to www.doxpara.com for more information. The ASA provides the
following advanced DNS inspection features to combat DNS attacks:
- Require transaction signatures (TSIG)
- Notification for excessive mismatched DNS responses
- DNS ID randomization
- Mask DNS flags
- Block DNS types
- Limiting of domains that can be queried
- Mask the recursion desired (RD) bit
- Set maximum message length

You can configure all these features by using a DNS inspection class map.
In summary, many different methods are available to identify a traffic flow and then alter the traffic flow in some way.
Historically, we have done most of our filtering based on parameters at Layer 3 or 4 of the OSI model. Presently, we are
diving into the payload of the packet and making our filtering decisions there. The security appliances add a great number
of improvements over the PIX firewalls, not only in terms of performance but also in functionality. We can now perform
rate limiting, intrusion prevention, malware analysis, and priority queuing.


Chapter 2
VLANs
Beginning in Version 6.2 of the PIX firewall, there is support for subinterfaces, trunk links, and VLANs. The PIX and
ASA can support 802.1q encapsulation and a number of logical interfaces depending on the platform. This enables you to
scale your perimeter security solution without the cost of additional hardware. For instance, I have had many clients in
the past with a three-interface firewall configuration (inside, outside, DMZ).
[Figure: three-interface firewall; labels shown: DMZ, VLAN 50, Outside]


The problem that lies here is that all the web services are hosted on the same subnet, and while filtering is being
performed between the outside and the DMZ, there is no filtering within the DMZ.
Suppose a security breach occurs on your web server through a web application vulnerability. After the web server has
been compromised, it has unrestricted access to the other hosts on the DMZ. The mail server can now be compromised
using an exploit against ports that would have been off limits, such as 135, 139, and 445. In addition, servers and network
devices that were previously inaccessible from the Internet can now be attacked from the compromised host.
Through the use of subinterfaces and VLANs, we can now segregate our DMZ servers and apply different security poli-
cies to each server or each group, depending on your configuration. We can take control over what traffic, if any, will pass
between these servers.
[Figure: segmented DMZ; labels shown: DMZ, VLAN 25, VLAN 50, Inside]


To configure a subinterface from the command line, simply enter the interface command followed by the interface,
including a fractional decimal value:
ASA5510(config)# interface ethernet 0/0.1

Within the interface configuration mode, assign additional parameters, such as logical name, IP address, security level,
and VLAN:
ASA5510# config t
ASA5510(config)# int e0/2.1
ASA5510(config-subif)# vlan 25
ASA5510(config-subif)# security-level 25
ASA5510(config-subif)# nameif web
ASA5510(config-subif)# ip address 172.16.17.1 255.255.255.248
ASA5510(config)# int e0/2.2
ASA5510(config-subif)# vlan 50
ASA5510(config-subif)# security-level 50
ASA5510(config-subif)# nameif mail
ASA5510(config-subif)# ip address 172.16.17.9 255.255.255.248
ASA5510(config)# int e0/2.3
ASA5510(config-subif)# vlan 75
ASA5510(config-subif)# security-level 75
ASA5510(config-subif)# nameif DNS
ASA5510(config-subif)# ip address 172.16.17.17 255.255.255.248

After configuring the interface, you configure NAT rules and access control lists (ACLs) and apply these the same way
that you do when using physical interfaces.


Routing Information Protocol


The security appliances have support for dynamic routing protocols. As you may know, Routing Information Protocol
(RIP) is a distance-vector routing protocol that is supported by the majority of network devices. The ASA can support
RIP Version 1 and Version 2. You can run RIP v1, v2, or both v1 and v2 on the same interface or different interfaces at the
same time.
You can enable RIP from the command line with the router rip command. RIP can also be enabled from the Cisco
Adaptive Security Device Manager (ASDM) from the following location: Configuration > Routing > RIP > Setup.
From this screen, RIP can be enabled, interfaces can be set to passive if necessary, and network statements can be added.
In this case, I have configured the outside interface.

As you should know, one of RIP v2's improvements over v1 is the support for authentication. Although authentication of
routing protocols is a best practice that makes lots of sense to me, I have found that it is not used the majority of the time
in production networks. If this is something that is under your control, invest the small amount of time required to secure
your routing tables.
You can configure authentication on a per-interface basis. To enable authentication of RIP, navigate to Configuration >
Device Setup > Routing > RIP > Interface. On this screen, select an interface, and then click Edit.


Notice that you can control the version and authentication on a per-interface basis. You can also choose between MD5
and clear text authentication. Although many devices default to clear text, MD5 should be implemented when possible.

If there are routes being advertised to you that you want to ignore, or networks that you do not want advertised to other
devices, you can control this using RIP filter rules. From the command line, or when using a router, this is referred to as a
distribute list. Select the Filter Rules tab and then click the Add button.

Click the Add button again to add the network that you want to filter.


Finally, define the interface and direction to which this filter should be applied. In this example, I want to prevent the
192.168.1.0 network from being advertised through the outside interface.


Redistribution is used to pass information from one routing protocol, such as Open Shortest Path First (OSPF), into
another routing protocol, such as RIP. The ASA can perform redistribution of routes between routing processes. This is
not generally something that you want to do, but something that you might be required to implement because of a merger
or to support legacy hardware. Redistribution can be configured from the Redistribution tab beneath the routing process.
Just click the Add button, and then specify the criteria for the process that you want to redistribute into RIP. Notice that
Static, Connected, EIGRP, and OSPF are supported.


Open Shortest Path First Protocol


OSPF, a link-state protocol, has been supported by the PIX since 6.3, and the ASA since Version 7. OSPF is an open stan-
dard, and therefore supported by many vendors. Although OSPF adapts to network changes more quickly than RIP, it also
requires more resources.

OSPF highlights include the following:
- The ability to act as a designated router (DR), Area Border Router (ABR), and even an Autonomous System Boundary
  Router (ASBR)
- Support for two separate OSPF processes
- Support for both clear text and MD5 authentication
- Filtering of Type 3 link-state advertisements (LSAs)
- Support for OSPF virtual links

OSPF can be enabled from the command line with the router ospf process-id command. You can enable OSPF from
ASDM via Configuration > Routing > OSPF > Setup.
The first step is to enable OSPF and assign a process ID. Notice there are two processes available. You can configure
separate routing processes for two different groups of interfaces, ensuring there is no leak of information from the topol-
ogy tables of mission-critical networks to less-trusted networks.


Routers running an OSPF routing process perform summarization on ABRs. When administering the ASA, you can
manipulate summarization manually by adding statements to the OSPF process. You can do this via the command-line
interface (CLI) or ASDM. To configure using ASDM, navigate to Configuration > Device Setup > Routing > OSPF >
Summary Address.

MD5 and clear text authentication are supported by OSPF, similar to what we saw in RIP. Authentication requires some
configuration within the routing process and within the interface. Overall, it is easy to configure and will protect your
network from possible man-in-the-middle attacks or denial-of-service (DoS) via route poisoning.
To configure authentication, navigate to Configuration > Device Setup > Routing > OSPF > Interface.
Under the Authentication tab, select the interface that you want to modify authentication properties for, and then click the
Edit button.

If you are performing authentication of routing updates, I recommend using MD5 authentication. To enable this, first
select the MD5 Authentication radio button. Under the MD5 IDs and Keys section, specify a key identifier and key, and
then click Add.

Type 3 LSAs (summary LSAs sent to ABRs) exchanged between OSPF neighbors can be limited through the use of
filtering. If you configure filtering from the CLI, you use a prefix list rather than a distribute list. ASDM simplifies
configuration by simply calling it filtering, and you can configure it via Configuration > Device Setup > Routing >
OSPF > Filtering.

One of the principal characteristics of OSPF is the hierarchy that is enforced regarding area 0, and that all interarea traffic
must pass through area 0. As you might recall, if you want to get from area 1 to area 2, it must pass from area 1 to 0 to 2,
and then back from 2 to 0 to 1. Each area within an OSPF topology must be directly connected to area 0.
As there is an exception to every rule, virtual links enable us to connect to area 0 without a physical direct connection.
We can build a logical link through another area, into the backbone area. This is never something you would do from a
design perspective, but something you could do in a pinch to make things work.

The ASA supports virtual links, and you can configure them from the CLI or GUI. CLI configuration is similar to that of
a router. ASDM configuration is simpler and can be accomplished via Configuration > Device Setup > Routing > OSPF
> Virtual Link.

Enhanced Interior Gateway Routing Protocol


The support of Enhanced Interior Gateway Routing Protocol (EIGRP) was added in Version 8.0 of the security appliance
code; over the past several years, only RIP and OSPF were supported.
Devices running EIGRP must be associated with an autonomous system. Other routers that you hope to form neighbor-
ships with must be in the same autonomous system if you want to exchange routes. To configure EIGRP, you must define
an autonomous system and the interfaces that will participate in the routing process. Configuration of EIGRP from the
command line on the ASA is almost identical to that of a router. You can also configure EIGRP by using ASDM via
Configuration > Device Setup > Routing > EIGRP > Setup.
Under the Process Instances tab, check the box to enable EIGRP, followed by the autonomous system number for EIGRP.
The EIGRP autonomous system actually goes in the Process field; this could be confusing.


Similar to RIP and OSPF, route filtering is supported.


Hello intervals, hold times, split horizon, and authentication can be configured on a per-interface basis. Keep in mind that
adjacent EIGRP neighbors need to agree on these parameters.


Redistribution can also be configured by selecting the redistribution link under the EIGRP process. Notice that static
routes, directly connected routes, RIP, and OSPF can be redistributed into EIGRP.


You can verify the routes within the routing table from the CLI by using the show route command. Routes can be
verified using ASDM by selecting the Monitoring tab, the Routing panel, and then clicking the Routes link.


Redistribution
If multiple routing protocols are being used within a single environment, redistribution of reachability from one routing
protocol to another might be required. This is not something that you would usually build into your network on purpose,
but is often the result of mergers and acquisitions.
Redistribution is possible between all protocols, but the thing to remember is that the metrics do not match. Suppose, for
instance, that you want to pass routing information from RIP to OSPF. Well, OSPF does not use hop count. Therefore,
you must manually set a metric for what the cost of these routes should be. The same is true if you were to pass OSPF
routes into RIP. RIP does not have a cost, so you must manually define the hop count for these external routes.

Reverse Route Injection


Reverse route injection (RRI) is used to advertise remote-access virtual private network (VPN) clients to devices on the
internal network; this is usually not required unless you have multiple VPN gateways. Imagine a scenario in which you
have several ASAs configured in a VPN cluster. This cluster is a grouping of ASAs that are working as a team to handle
incoming remote VPN client connections. When you are using this load-balancing technique, incoming VPN connections
are distributed to the security appliance with the lowest load, so different users are connecting to different gateways
dynamically. If a user is disconnected and then reconnects, he is likely to be assigned to a different gateway. So in a
nutshell, RRI is used to advertise remote users to internal network devices, and to notify the internal devices that this
particular ASA is used to reach the client.
After an IP address has been pushed to the client, that address is injected into the routing table of the ASA as a static route.
The static route basically says, "If you want to get to the assigned address, go to this public address." These static
routes are then advertised to internal hosts on the corporate LAN using EIGRP, RIP, or OSPF.
RRI sends a host route or /32 route update to the internal network, notifying internal devices that if they need to reach
that particular remote host, this is the next hop to get to that host.


There is another operating mode called network RRI. This is used with network extension mode of EasyVPN. When a
remote network connects to the central network, the ASA can inject a network route (/24 perhaps) for the remote office.
This update notifies internal devices that the remote network is reachable and instructs them that to get there
they must send traffic to this ASA.

Multicast
The ASA and Firewall Services Module (FWSM) are making their way further into our networks. Companies have begun
moving firewalls from the perimeter of the network toward the center of the network. Instead of relying on Layer 3 switches
and ACLs, we can now perform stateful packet inspection and application layer inspection of inter-VLAN traffic. Although
this drastically enhances security, it also introduces new challenges. One of these challenges is forwarding multicast traffic.
As you know, multicast is used by videoconferencing, telepresence, software distribution services, stock quotes, routing
protocols, video games, and many other technologies. Beginning in software Version 6.2, the PIX firewalls could support
multicast applications with Stub Multicast Routing (SMR). Currently, the ASA supports SMR, Internet Group
Management Protocol (IGMP), and Protocol Independent Multicast (PIM).
Although IGMP and PIM both handle the delivery of multicast traffic to recipients, they are slightly different. Routers use
IGMP to discover hosts that want to subscribe to a multicast transmission by sending IGMP queries. A host may respond
to an IGMP query by sending an IGMP report upstream. IGMP is traditionally used within the network, whereas PIM is a
multicast routing protocol that provides reverse path forwarding information independent of the interior routing protocol.
It is used mostly in the LAN, but can also provide multicast feeds to remote WAN sites. PIM uses unicast and multicast
forwarding tables to pass multicast traffic from one network to another. IGMP is used within a network for clients and
routers to communicate.
PIM also uses a concept called a rendezvous point (RP), which almost acts as a central meeting place for multicast
sources and multicast clients. If a server is to offer a multicast resource, it will register with an RP. Clients interested in
multicast resources can also register with the RP to discover servers. The ASA can be configured to act as an RP.

Note
Configuration and troubleshooting of multicast is beyond the scope of this book.

CHAPTER 3 CCSP SNAA Quick Reference by Ryan Lindfield

Chapter 3
IPsec VPNs

Essential Terminology
Simply put, IPsec is a framework for providing reliable and secure communication between hosts. This additional protection
is provided at the IP layer of the OSI model. IPsec is based on Internet Key Exchange (IKE), Authentication Header
(AH), and Encapsulating Security Payload (ESP). These protocols work together to provide secure tunnels between a pair
of hosts that are IPsec capable. The list of potential hosts includes but is not limited to firewalls, VPN concentrators,
routers, cellular phones, PDAs, workstations, laptops, and servers. Let's examine each of these protocols individually.
Internet Key Exchange (IKE)
Handles the negotiation of security associations (SAs).
Communications occur using UDP port 500.
Phase 1 is responsible for negotiating an ISAKMP (management) SA.
Phase 2 is responsible for negotiating an IPsec (data) SA.
Main mode or aggressive mode can be used during IKE phase 1.
Main mode consists of six messages between the IPsec peers.
Aggressive mode uses only three messages.
Quick mode is used during IKE phase 2.


Encapsulating Security Payload (ESP)


ESP handles the encapsulation of confidential data at the network layer of the OSI model. ESP is IP protocol
number 50 and should be allowed through perimeter security devices if site-to-site tunnels are to be used.
Provides confidentiality.
Provides integrity.
Provides origin authentication.
Provides antireplay.
Authentication Header (AH)
Authentication Header also encapsulates at the network layer of the OSI model, but it does not provide confidentiality
(encryption). AH can work alone or in conjunction with ESP.
Provides an integrity check of the packet that includes the nontransitive fields of the IP header.
Provides origin authentication.
Provides antireplay.

Note
AH is not supported on Cisco security appliances beginning with software Version 7.0. AH was previously supported
on the PIX platform in software Versions 6.3 and earlier.

Previously, we used the terms confidentiality, integrity, and authentication; each of these can be achieved through the
use of appropriate protocols.
Confidentiality
Ensure that data is secure from eavesdropping.
Symmetric encryption is used to secure the data.
Commonly implemented through the use of Advanced Encryption Standard (AES), Triple Data Encryption Standard
(3DES), and Data Encryption Standard (DES).
Integrity
Ensure that data has not been altered during transmission.
Achieved through the use of a keyed hash algorithm.
Commonly used algorithms include Message Digest 5 (MD5-HMAC) and Secure Hash Algorithm 1 (SHA-1-HMAC).
Authentication
Guarantee that the remote peer is authentic.
Methods of authentication include digital certificates and pre-shared keys.

Encryption and hash algorithms vary in strength. Here is a refresher of these values:
AES: Symmetric encryption algorithm with a key length of 128, 192, or 256 bits.
3DES: Symmetric encryption algorithm that was supposed to have an effective key strength of 168 bits (3 x 56),
but many cryptanalysts argue that the strength is effectively 112 bits. The factors that determine the types of attacks used
against 3DES are beyond the scope of this book.
DES: Another symmetric encryption algorithm, which became a standard in July 1977. DES has a 56-bit key and is
no longer considered cryptographically adequate protection for production data.
RSA: Asymmetric encryption algorithm whose key length varies, but is often 512 to 2048 bits.
MD5: 128-bit hash algorithm.
SHA-1: 160-bit hash algorithm.
Diffie-Hellman: Unauthenticated key exchange algorithm used to securely establish symmetric encryption keys over
a nonsecure medium (such as the Internet).


The Life Cycle of a VPN Tunnel


The tunnels that are constructed between IPsec peers are not permanent. These tunnels are constructed dynamically
between peers when deemed necessary. Let's examine the five stages of an IPsec tunnel:
1. Interesting traffic must be detected. Remember, we define interesting traffic in an ACL. In this case, the ACL is
referred to as a crypto ACL. In reality, this ACL is no different from any other extended ACL on the security appliance,
besides the fact that it is referenced by a transform set, which is applied to a crypto map, which goes on an
interface.
2. When interesting traffic is detected, the two peers negotiate a management session through the successful negotiation
of an ISAKMP SA. This is achieved through successful negotiation of policy sets during IKE phase 1.
3. After an ISAKMP SA has been successfully negotiated, the two peers begin IKE phase 2. IKE phase 2 uses the
transform set to determine how end-user data should be protected. Upon successful negotiation of transform sets, the
two peers will establish two IPsec SAs (one for transmit, one for receive). Each SA is independently keyed. IKE
phase 2 defines how the payload should be protected.
4. Data can now be transferred between the two peers.
5. Tunnel termination occurs if an idle timer is reached or one side disconnects from the other.

Symmetric Encryption
Symmetric encryption refers to encrypting and decrypting data using the same key on both peers. This type of encryption
has been used for thousands of years, and continues to be used today. Whenever you construct an IPsec or Secure Sockets
Layer (SSL) virtual private network (VPN), you are using symmetric encryption to protect data as it crosses the network.
Whenever you use SSH to administer a remote device, or HTTPS to read email or purchase items online, you are using
symmetric encryption. Although symmetric encryption is very fast by comparison to asymmetric encryption, there is a
catch: key distribution. How do you get that secret key that will be used to decrypt data to the other side?

Symmetric key comparison


Advantage: Very fast
Disadvantage: Key distribution (How do we transmit the secret key to the other side?)

Asymmetric Encryption
Unlike symmetric encryption algorithms, asymmetric encryption algorithms use a different key for encryption than for
decryption. In other words, a user knowing the encryption key of an asymmetric algorithm can encrypt messages, but
cannot decrypt the message because he does not possess the decryption key. The encrypted message can be decrypted
only by the other party.
Each host that is communicating using asymmetric encryption needs to generate a key pair. One of these keys is referred
to as a private key and the other as a public key. As you can tell from the names of these keys, one is meant for distribu-
tion, the other is to be kept secret. If Alice encrypts a message using her private key, the message can be decrypted by
anyone who has a copy of Alice's public key. The encryption of the hash of a message using the private key is the basis of
digital signatures and digital certificates.
If Alice wants to encrypt a message to her associate Bob, they will first exchange public keys. Alice will encrypt the
message using Bob's public key. Bob will decrypt the message using his private key, known only to him. Because of the
large key sizes and the algorithm used, asymmetric encryption is very slow and rarely used for bulk data encryption.
Asymmetric encryption is mainly used for peer authentication and message integrity.
Asymmetric key comparison
Advantage: Key distribution
Disadvantage: Very slow (estimated 1500 times more CPU intensive)


Diffie-Hellman
The Diffie-Hellman algorithm is used between IPsec devices during IKE phase 1 to build a secret key. After this secret
key has been calculated, it is used to protect end user data and management traffic between the IPsec peers. Now that you
have that basic understanding, let's review the things you should know already about IPsec.

IPsec Components
IKE policy set: Used for negotiation of an ISAKMP SA. Includes encryption algorithm, Diffie-Hellman group,
hashing algorithm, SA lifetime, and authentication method.
IPsec transform set: Used for negotiation of an IPsec SA. A transform set includes parameters such as cipher,
integrity algorithm, lifetime, and mode.
Security association: The negotiated algorithms and parameters used to protect traffic are referred to as security
associations.
Crypto access control list: An extended ACL identifies the traffic we want to encrypt, or not encrypt.
Crypto map: Ties together other portions of our configuration (transform set and ACL) and maps this information to
a remote peer.

So if we look over the preceding list, everyone should agree that during IKE phase 1 two IPsec-capable devices would
negotiate an ISAKMP SA. Within this SA, you will see a symmetric encryption algorithm, such as AES, 3DES, or DES.
As you should know, symmetric encryption algorithms use the same key on each side to encrypt and decrypt data.
So my question to you is this: How did it get there?


If ASA1 is encrypting data, using AES-128 for instance, we know that ASA2 must decrypt these messages using the same
key. If we look over the configuration, do we see a key?
ASA5510# show run
...omitted
tunnel-group 192.168.2.2 type ipsec-l2l
tunnel-group 192.168.2.2 ipsec-attributes
pre-shared-key
...omitted

Above is the only key that we see for our peer ASA2, and some people would think that this must be the key used for
AES encryption, but it is not. The key shown here is used for authentication during IKE phase 1. In the policy set, you
define an authentication method, pre-shared keys or digital certificates. If a pre-shared key is used, this is set up on each
ASA before the first tunnel can be established.
We now have two questions to answer. What is Diffie-Hellman used for, and how do we get a key on ASA1 and ASA2 so
that AES can be used to carry end-user data from site 1 to site 2? Some of you may have just figured it out.
Simply put, Diffie-Hellman is an asymmetric means to symmetric encryption. ASA1 and ASA2 want to pass encrypted
data between one another, and because asymmetric encryption requires excessive overhead they will need to use a
symmetric encryption algorithm to perform payload protection. Diffie-Hellman makes this possible by calculating a
"shared key" across a nonsecure medium such as the Internet.


IKE Phase 1

Each ASA will generate two values, a public value and a private value.
Each peer transmits the public value it calculated to its peer.
Each ASA will run its private value and the peer's public value through an algorithm, which results in a shared secret on
each side of the connection. The shared secret is then used to generate several encryption keys, one of which is used to
protect the phase 1 SA. The use of the other keys is beyond the scope of this book.
IKE phase 1 and phase 2 each have a lifetime. The phase 1 lifetime is configured in the ISAKMP policy, and the phase 2
lifetime is configured in the transform set. If Perfect Forward Secrecy (PFS) is configured in the crypto map, Diffie-
Hellman is run at the end of the phase 2 lifetime. PFS ensures the new keys are not derived from the old keys.
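The exchange just described, carried through in code as an added example (this is not the book's or Cisco's code). It uses the textbook toy group p = 23, g = 5 with fixed private values so the result is reproducible; real IKE uses the large MODP groups from RFC 2409 and RFC 3526. The key-derivation step follows the pre-shared-key form of SKEYID from RFC 2409 section 5, which also answers the question raised about the tunnel-group configuration above: the pre-shared key seeds SKEYID, but the encryption key SKEYID_e exists only after the Diffie-Hellman result is mixed in. The function names, the constructed PSK, and the nonce and cookie values are assumptions of this example.

```python
import hashlib
import hmac
import secrets

# Constructed toy group for illustration only: p = 23, g = 5 (the textbook example).
# Real IKE uses the MODP groups from RFC 2409 / RFC 3526 (DH group 2, 5, 14, ...).
TOY_P = 23
TOY_G = 5


def random_private(p):
    """Private value x in [1, p-2]; it never leaves the device."""
    return 1 + secrets.randbelow(p - 2)


def dh_public(p, g, private):
    """Public value g^x mod p, the only thing a peer sends across the Internet."""
    return pow(g, private, p)


def dh_shared(p, peer_public, private):
    """Shared secret g^xy mod p from the peer's public value and our private value."""
    return pow(peer_public, private, p)


def skeyid_psk(psk, nonce_i, nonce_r, shared, cookie_i, cookie_r, prf=hashlib.sha1):
    """SKEYID derivation for pre-shared-key authentication (RFC 2409 section 5).
    The PSK only seeds SKEYID; SKEYID_d/_a/_e also mix in the Diffie-Hellman
    result g^xy, so the PSK alone never yields the phase 1 encryption key."""
    gxy = shared.to_bytes((shared.bit_length() + 7) // 8 or 1, "big")
    skeyid = hmac.new(psk, nonce_i + nonce_r, prf).digest()
    skeyid_d = hmac.new(skeyid, gxy + cookie_i + cookie_r + b"\x00", prf).digest()
    skeyid_a = hmac.new(skeyid, skeyid_d + gxy + cookie_i + cookie_r + b"\x01", prf).digest()
    skeyid_e = hmac.new(skeyid, skeyid_a + gxy + cookie_i + cookie_r + b"\x02", prf).digest()
    return {"SKEYID": skeyid, "SKEYID_d": skeyid_d, "SKEYID_a": skeyid_a, "SKEYID_e": skeyid_e}


def phase1_exchange(p, g, priv_i, priv_r, psk, nonce_i, nonce_r, cookie_i, cookie_r):
    """Run the exchange from both sides; returns (shared_i, shared_r, keys_i, keys_r).
    Only pub_i, pub_r, the nonces and the cookies would be visible on the wire."""
    pub_i = dh_public(p, g, priv_i)         # initiator -> responder
    pub_r = dh_public(p, g, priv_r)         # responder -> initiator
    shared_i = dh_shared(p, pub_r, priv_i)  # initiator's computation
    shared_r = dh_shared(p, pub_i, priv_r)  # responder's computation
    keys_i = skeyid_psk(psk, nonce_i, nonce_r, shared_i, cookie_i, cookie_r)
    keys_r = skeyid_psk(psk, nonce_i, nonce_r, shared_r, cookie_i, cookie_r)
    return shared_i, shared_r, keys_i, keys_r


def demo(priv_i=6, priv_r=15):
    """Constructed, reproducible inputs: fixed private values, a constructed PSK and
    fixed nonces/cookies. Real peers pick priv_i/priv_r with random_private()."""
    psk = b"constructed-psk"
    nonce_i, nonce_r = b"\x11" * 8, b"\x22" * 8
    cookie_i, cookie_r = b"\x01" * 8, b"\x02" * 8
    return phase1_exchange(TOY_P, TOY_G, priv_i, priv_r, psk, nonce_i, nonce_r, cookie_i, cookie_r)


if __name__ == "__main__":
    s_i, s_r, k_i, k_r = demo()
    print("shared secret on each side:", s_i, s_r)
    print("SKEYID_e identical on both sides:", k_i["SKEYID_e"] == k_r["SKEYID_e"])
    print("SKEYID_e:", k_i["SKEYID_e"].hex())
```

Running demo() with a different initiator private value but the same PSK leaves SKEYID unchanged while SKEYID_e changes, which is exactly why the pre-shared key in the tunnel-group is an authentication credential and not the AES key.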

Security Associations
A security association (SA) is a collection of parameters that specify how data is to be protected when communicating
with a peer. An ISAKMP SA defines how to protect the IPsec policy negotiation from one ASA to another ASA. An IPsec
SA defines how user traffic from one host to another host should be protected. ISAKMP SAs are bidirectional, whereas
IPsec SAs are unidirectional. Therefore, each site-to-site connection will have one ISAKMP SA and two IPsec data SAs,
one for inbound traffic and another for outbound traffic.

Note
Although it is not technically correct, Cisco documentation consistently uses ISAKMP and IKE phase 1 to mean the
same thing. Likewise, IPsec is used interchangeably with IKE phase 2.

Security Association Components


Destination IP address: Your IPsec peer.
Security Parameter Index (SPI): A unique 32-bit number that is used to associate an SA with an encrypted packet.
Within the ESP header, there is a field for the SPI that is used to map that encrypted data with an SA. The parameters
found in the SADB are used to select the key to encrypt or decrypt the payload of the packet.
Protocol: ESP or AH. AH is no longer supported on Cisco security appliances as of OS 7.0.
Encryption algorithm: Defines how the data is protected: AES, 3DES, DES.
Authentication algorithm: A keyed hash, or HMAC (Hashed Message Authentication Code): MD5-HMAC, SHA1-HMAC.
Mode: The mode IPsec is working in: tunnel or transport.
Lifetime: The number of seconds or kilobytes that a key should be used; when this lifetime is exceeded, a new key
is created.

Note
You can view the SA after an IPsec tunnel has been established by using the show crypto ipsec sa command. You
will notice the SPI values. If you inspect the traffic flow and analyze the ESP header, you will notice the same SPI
values from the SAs, but this time they are found in the ESP header.
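To illustrate the SPI lookup and the antireplay service from the SA component list, here is an added example in Python (not the book's or Cisco's code). It parses the fixed 8-byte ESP header (SPI, sequence number) of a constructed packet, selects the inbound SA by destination address, SPI and protocol, and runs a simplified RFC 4303 sliding-window replay check. The SADB contents, the address and the SPI value are constructed for the demo.

```python
import struct
from dataclasses import dataclass, field


@dataclass
class IPsecSA:
    """One unidirectional IPsec SA carrying the SADB fields listed above."""
    dst: str
    spi: int
    protocol: str               # "ESP"; AH is not supported on the ASA as of 7.0
    cipher: str
    auth: str
    mode: str
    lifetime_seconds: int
    replay_window: int = 64     # RFC 4303 default window size
    highest_seq: int = 0
    seen: set = field(default_factory=set)

    def check_replay(self, seq):
        """Sliding-window antireplay check (simplified RFC 4303 section 3.4.3).
        True when the sequence number is new; False when replayed or left of the window."""
        if seq == 0:
            return False                         # sequence number 0 is never valid
        if seq > self.highest_seq:
            self.highest_seq = seq               # slide the window to the right
            self.seen = {s for s in self.seen if s > seq - self.replay_window}
            self.seen.add(seq)
            return True
        if seq <= self.highest_seq - self.replay_window or seq in self.seen:
            return False                         # too old, or already accepted
        self.seen.add(seq)
        return True


def parse_esp_header(packet):
    """ESP (RFC 4303) starts with a 32-bit SPI and a 32-bit sequence number; the rest is
    ciphertext plus trailer and is opaque until the SA's key has been selected."""
    if len(packet) < 8:
        raise ValueError("ESP packet too short")
    spi, seq = struct.unpack("!II", packet[:8])
    return spi, seq, packet[8:]


def lookup_sa(sadb, dst, spi, protocol="ESP"):
    """Destination address + SPI + protocol is the SADB lookup key for inbound packets."""
    return sadb.get((dst, spi, protocol))


def process_inbound(sadb, dst, packet):
    """Return ('ok', sa, seq), ('no-sa', None, seq) or ('replay', sa, seq)."""
    spi, seq, _ = parse_esp_header(packet)
    sa = lookup_sa(sadb, dst, spi)
    if sa is None:
        return "no-sa", None, seq
    if not sa.check_replay(seq):
        return "replay", sa, seq
    return "ok", sa, seq


def build_sadb():
    """Constructed sample SADB: one inbound SA on outside address 203.0.113.1 (documentation range)."""
    sa = IPsecSA(dst="203.0.113.1", spi=0x5A3F1C2B, protocol="ESP", cipher="aes-256",
                 auth="md5-hmac", mode="tunnel", lifetime_seconds=28800)
    return {(sa.dst, sa.spi, sa.protocol): sa}


def make_esp(spi, seq, body=b"\x00" * 16):
    """Constructed ESP packet bytes; body stands in for the encrypted payload and trailer."""
    return struct.pack("!II", spi, seq) + body


if __name__ == "__main__":
    sadb = build_sadb()
    for seq in (1, 1, 2, 200, 100):
        print(seq, process_inbound(sadb, "203.0.113.1", make_esp(0x5A3F1C2B, seq))[0])
```

A packet whose SPI has no SA (for example after the peer rekeyed and the old SA was removed) is the "no-sa" case; on a real appliance that shows up as dropped ESP packets with an unknown SPI, a common symptom when the two sides disagree about lifetimes.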

Digital Certificates
When choosing a method of authentication, your options are pre-shared keys and digital certificates. A pre-shared key is
simply a password or key that matches on both sides of the tunnel. If the foreign IP knows the password, it is safe to
assume that we are communicating with a legitimate host. Although pre-shared keys are commonly implemented, they are
not the most secure method of authentication available. The most secure method of authentication is RSA signatures, also
known as digital certificates.
Not only are digital certificates more secure, but they are also much more scalable than pre-shared keys. If you were to
configure a network that allowed office-to-office communication and there were currently 12 offices, you would need a
pre-shared key for each connection. Based on the well-known formula to calculate the number of peers in a full mesh,
n(n-1)/2, you would need 66 pre-shared keys. Each time you add an office, this number grows exponentially. With 12
sites, you need to configure 66 pre-shared key entries on each peer SA. If you add 8 more sites, the number of entries
jumps to 190 on each peer. Clearly, this is not a workable solution for large meshes. Many companies solve this full-mesh
issue by using the same key for all sites (a wildcard pre-shared key), but this is a security risk. If the pre-shared key is
compromised on one peer, it is compromised for all peers.
If you use digital certificates in place of pre-shared keys, each device must enroll with the CA server. After a device has
been added to your domain, it can then authenticate to other devices, and now your network has become much more
easily scalable.


So what exactly is a digital certificate? Earlier we learned the differences between public keys and private keys, and we
know that a private key is kept secret whereas a public key can be distributed. The question is this: How exactly do we
distribute the public key?
If you look at a public key, it is not very pretty:
R1# show crypto key mypubkey rsa
% Key pair was generated at: 20:21:23 UTC Sep 7 2008
Key name: TP-self-signed-3127421195
Usage: General Purpose Key
Key is not exportable.
Key Data:
30819F30 0D06092A 864886F7 0D010101 05000381 8D003081 89028181 008ECF48
C4B06988 40A7CF42 46C031C9 1D95A77C 58695E4E B59CC533 F7E3D5B1 DFD2FC85
F0B2B814 8A51ECC4 822EC72A 4EEC78C9 E07ACB50 FFE1E307 1DE64E11 A3423ADA
85D6874B DBE1QBAD EA4971C3 2301CA93 W6BEBB BBA1CB82 D3C8442C FB8C0158
E9340B3F 1E295953 C3A26ECD BBFA6171 F3489BD4 97FBD9EE B1462E5E 83020301 0001
% Key pair was generated at: 02:58:38 UTC Dec 1 2008
Key name: TP-self-signed-3127421195.server
Usage: Encryption Key
Key is not exportable.
Key Data:
307C300D 06092A86 4886F70D 01010105 00036B00 30680261 00BF8BE7 D925725E
B5D54D82 BA36237B 85822929 59BF33E3 44A4FDAE C956028E F439C7AB F70DDB1D
4592CC36 50D020CA B40839C6 6FB0093C 2DBF8888 7BBAFC59 DCB8D89E 6FD46374
0BC30EBE 93A892EB 6C5A9601 37382997 89986Bm 7C2C8B23 C5020301 0001


As you can see here, an RSA public key looks to be a large block of hexadecimal characters, which leaves us with many
questions:
How is this key to be distributed?
How will someone know that this strange block of hex belongs to me?
How can someone else tell whether my private key has been compromised?
The answer to all these questions lies in the X.509v3 standard. X.509v3 defines standard formats for digital certificates
and for many other components of the Public Key Infrastructure (PKI). Although a public key on its own is not very
impressive to look at, after it has been formatted with the X.509v3 specification as a digital certificate everything seems
much more logical. This formatting enables us to define the following parameters and associate them with our key pair.
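The hex blocks in the router output above are DER-encoded SubjectPublicKeyInfo structures (RFC 5280): a SEQUENCE holding the rsaEncryption algorithm identifier and a BIT STRING that wraps the RSA modulus and exponent. The following added example (mine, not the book's or Cisco's code, and using a constructed 1024-bit modulus rather than the key printed above) encodes such a structure and decodes it back, showing where the OID bytes 2A864886F70D010101, the 028181 00 modulus prefix and the trailing 0203010001 exponent in the output come from. The function names are my own.

```python
# Minimal DER encoder/decoder for SubjectPublicKeyInfo:
#   SEQUENCE { SEQUENCE { OID rsaEncryption, NULL }, BIT STRING { SEQUENCE { INTEGER n, INTEGER e } } }
OID_RSA_ENCRYPTION = "1.2.840.113549.1.1.1"


def _der_len(n):
    """DER length: one byte below 0x80, otherwise 0x80|count followed by big-endian bytes."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def der(tag, body):
    return bytes([tag]) + _der_len(len(body)) + body


def der_int(value):
    """INTEGER; a leading 0x00 keeps values with the top bit set positive (hence '028181 00')."""
    body = value.to_bytes((value.bit_length() + 7) // 8 or 1, "big")
    if body[0] & 0x80:
        body = b"\x00" + body
    return der(0x02, body)


def der_oid(dotted):
    """OBJECT IDENTIFIER: first two arcs packed as 40*a+b, remaining arcs base-128 big-endian."""
    parts = [int(x) for x in dotted.split(".")]
    out = bytearray([40 * parts[0] + parts[1]])
    for arc in parts[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(reversed(chunk))
    return der(0x06, bytes(out))


def encode_spki(n, e):
    alg = der(0x30, der_oid(OID_RSA_ENCRYPTION) + der(0x05, b""))   # AlgorithmIdentifier
    rsa_pub = der(0x30, der_int(n) + der_int(e))                     # RSAPublicKey
    return der(0x30, alg + der(0x03, b"\x00" + rsa_pub))             # 0x00 = no unused bits


def _read_tlv(buf, pos):
    """Return (tag, body, position after the element)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        nbytes = length & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, buf[pos:pos + length], pos + length


def decode_oid(body):
    arcs = [body[0] // 40, body[0] % 40]
    value = 0
    for b in body[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))


def decode_spki(buf):
    """Return (algorithm OID, modulus bit length, public exponent) from DER SubjectPublicKeyInfo."""
    tag, spki, _ = _read_tlv(buf, 0)
    if tag != 0x30:
        raise ValueError("expected SEQUENCE")
    _, alg, pos = _read_tlv(spki, 0)              # AlgorithmIdentifier
    _, oid, _ = _read_tlv(alg, 0)                 # its OBJECT IDENTIFIER
    tag, bitstr, _ = _read_tlv(spki, pos)         # BIT STRING with the RSAPublicKey
    if tag != 0x03 or bitstr[0] != 0:
        raise ValueError("expected BIT STRING with no unused bits")
    _, rsa_pub, _ = _read_tlv(bitstr, 1)
    _, n_body, pos = _read_tlv(rsa_pub, 0)
    _, e_body, _ = _read_tlv(rsa_pub, pos)
    n, e = int.from_bytes(n_body, "big"), int.from_bytes(e_body, "big")
    return decode_oid(oid), n.bit_length(), e


if __name__ == "__main__":
    blob = encode_spki((1 << 1023) | 0x1234567, 65537)   # constructed modulus, not a real key
    print(blob.hex()[:56])
    print(decode_spki(blob))
```

For a 1024-bit modulus the encoder produces the same leading bytes as the first key above (30819F30 0D06092A 864886F7 0D010101 05000381 8D003081 89028181 00), so the "strange block of hex" is simply this structure with the modulus filled in.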

Digital Certificate Parameters


Version
Serial number
Algorithm ID
Issuer
Validity
Not before
Not after
Subject


Subject public key info


Public key algorithm
Subject public key
Issuer unique identifier (optional)
Subject unique identifier (optional)
Extensions (optional)
Certificate signature algorithm
Certificate signature

To obtain a digital certificate, one must be requested from a certificate authority (CA). This is referred to as certificate
enrollment. You log in to a device and generate an RSA key pair. The public key is then bundled into a certificate signing
request (CSR) along with information that you want to associate with the key (as discussed earlier). The protocol used by
Cisco security appliances for the enrollment of a digital certificate is called Simple Certificate Enrollment Protocol
(SCEP).
After the enrollment request has been sent to the CA server, the administrator verifies the information and, if accurate,
approves the creation of a digital certificate. This final product includes the public key generated by your device, the
information you entered during enrollment (FQDN, OU, O, and so on), and the signature of the CA. This signature is
similar to the holographic seal on your driver's license, which guarantees the authenticity of the digital certificate. After
digital certificates have been installed on network devices within your organization, they can then be used as a means of
authentication of one device to another. This authentication type is referred to as RSA-sig within the configuration of the
ASA.


IPsec Step by Step


Interesting Traffic
The first step of IPsec is interesting traffic; that is, some traffic must enter the security appliance that requires encryption.
This traffic is identified with an extended access control list (ACL); this is sometimes referred to as a crypto ACL.
The local network would be the source in this ACL, and the remote address space would be the destination. This ACL
will later be applied to a crypto map, and that crypto map will be applied to an interface, generally the outside interface.

The first step of an IPsec tunnel is that a packet matches the crypto ACL. Therefore, this is a good place to begin
troubleshooting IPsec. Make sure that this ACL has matches by using the show access-list command to inspect the
hit count.
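As an added example (not the book's or Cisco's code), the following Python class evaluates crypto ACL lines written in the ASA extended-ACL syntax the text refers to, in the network/mask form only, and keeps per-entry hit counts comparable to what show access-list reports. The ACL name and the networks are constructed; a deny entry ahead of the permit shows how a subnet is excluded from encryption, the "or not encrypt" case from the component list earlier.

```python
import ipaddress


class CryptoAcl:
    """Evaluate ASA-style extended ACL lines of the form
    'access-list NAME extended {permit|deny} ip SRC SRC_MASK DST DST_MASK'
    (network/mask form only; 'any' and 'host' keywords are not handled) and keep hit counts."""

    def __init__(self, name):
        self.name = name
        self.entries = []          # [action, src_network, dst_network, hitcnt]

    def add(self, line):
        parts = line.split()
        if (len(parts) != 9 or parts[:2] != ["access-list", self.name]
                or parts[2] != "extended" or parts[3] not in ("permit", "deny") or parts[4] != "ip"):
            raise ValueError("unsupported ACL line: " + line)
        src = ipaddress.ip_network(f"{parts[5]}/{parts[6]}", strict=False)
        dst = ipaddress.ip_network(f"{parts[7]}/{parts[8]}", strict=False)
        self.entries.append([parts[3], src, dst, 0])

    def classify(self, src_ip, dst_ip):
        """First matching entry decides: permit means the flow is interesting traffic and is
        encrypted; deny, or no match at all, means it is not sent through the tunnel."""
        s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
        for entry in self.entries:
            if s in entry[1] and d in entry[2]:
                entry[3] += 1
                return "encrypt" if entry[0] == "permit" else "clear"
        return "clear"

    def show(self):
        """Lines in the spirit of 'show access-list', including the hit counters."""
        return [
            f"access-list {self.name} line {i + 1} extended {a} ip "
            f"{s.network_address} {s.netmask} {d.network_address} {d.netmask} (hitcnt={h})"
            for i, (a, s, d, h) in enumerate(self.entries)
        ]


def demo_acl():
    """Constructed crypto ACL: 10.1.1.0/24 to 10.2.2.0/24 is protected, except 10.2.2.128/25."""
    acl = CryptoAcl("OUTSIDE_CRYPTOMAP")
    acl.add("access-list OUTSIDE_CRYPTOMAP extended deny ip 10.1.1.0 255.255.255.0 10.2.2.128 255.255.255.128")
    acl.add("access-list OUTSIDE_CRYPTOMAP extended permit ip 10.1.1.0 255.255.255.0 10.2.2.0 255.255.255.0")
    return acl


if __name__ == "__main__":
    acl = demo_acl()
    for src, dst in (("10.1.1.5", "10.2.2.9"), ("10.1.1.5", "10.2.2.200"), ("10.1.1.5", "198.51.100.7")):
        print(src, "->", dst, acl.classify(src, dst))
    print("\n".join(acl.show()))
```

When troubleshooting, a permit entry whose hit count stays at zero while users report the tunnel "does not come up" usually means the traffic never matched the crypto ACL (wrong source or destination network, or NAT rewriting the address before the crypto map is evaluated), so there was nothing to trigger IKE phase 1.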

IKE Phase 1
When the security appliance detects interesting traffic, it begins negotiation with the remote peer using UDP port 500
for ISAKMP phase 1 negotiations. These negotiations determine which policies or methods will be used to protect
management traffic between the two IPsec VPN peers. The collection of policies used to secure the ISAKMP SA is called
a policy set.
A policy set includes the following parameters:
Encryption (DES, 3DES, AES)
Hash algorithm (MD5, SHA-1)


Diffie-Hellman group (1, 2, 5, 7)
Authentication (pre-shared, RSA-sig)
Lifetime (seconds)

Although it is possible to have many policy sets, only one is required to construct an ISAKMP SA. If there are multiple
sites with different security requirements, you must then create different policy sets. Each policy set will have a sequence
number, and the lower sequence number has a higher priority. Therefore, it is essential that your most secure policies have
the lowest priority number. For example:
ASA5505# show run crypto isakmp
crypto isakmp enable outside
crypto isakmp policy 5
 authentication pre-share
 encryption aes-256
 hash sha
 group 5
 lifetime 86400
crypto isakmp policy 10
 authentication pre-share
 encryption aes
 hash sha
 group 5
 lifetime 86400
crypto isakmp policy 20
 authentication pre-share
 encryption 3des
 hash md5
 group 2
 lifetime 86400


Based on the policy sets listed here, if this device were to initiate an IPsec tunnel with another device it would first offer
policy 5 to the remote side, and if there is a match encrypt data using AES-256. If policy 5 is rejected by the remote peer,
this device will then attempt to connect with policy 10, and then policy 20, until there is a match.
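To make the priority ordering concrete, here is an added example (not the book's or Cisco's code) that parses the show run crypto isakmp output above into policy objects and walks them in sequence-number order, offering each to a peer's policy list until one matches, in the order the text describes. The three peer configurations are constructed. In this example a match requires identical authentication, encryption, hash and Diffie-Hellman group, and the shorter of the two lifetimes is adopted, so lifetime alone does not cause a mismatch.

```python
from dataclasses import dataclass

# 'show run crypto isakmp' output from the text above (ASA 8.x syntax).
LOCAL_CONFIG = """\
crypto isakmp enable outside
crypto isakmp policy 5
 authentication pre-share
 encryption aes-256
 hash sha
 group 5
 lifetime 86400
crypto isakmp policy 10
 authentication pre-share
 encryption aes
 hash sha
 group 5
 lifetime 86400
crypto isakmp policy 20
 authentication pre-share
 encryption 3des
 hash md5
 group 2
 lifetime 86400
"""

# Constructed peer configurations for the demo.
REMOTE_3DES_ONLY = """\
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash md5
 group 2
 lifetime 86400
"""

REMOTE_STRONG = """\
crypto isakmp policy 30
 authentication pre-share
 encryption aes-256
 hash sha
 group 5
 lifetime 3600
"""

REMOTE_RSA_ONLY = """\
crypto isakmp policy 10
 authentication rsa-sig
 encryption aes
 hash sha
 group 5
 lifetime 86400
"""

ATTRS = ("authentication", "encryption", "hash", "group", "lifetime")


@dataclass(frozen=True)
class IsakmpPolicy:
    priority: int          # sequence number; lower is offered first
    authentication: str    # pre-share or rsa-sig
    encryption: str        # des, 3des, aes, aes-192, aes-256
    hash: str              # md5 or sha
    group: int             # Diffie-Hellman group
    lifetime: int          # seconds


def parse_isakmp_policies(text):
    """Turn 'crypto isakmp policy N' blocks into IsakmpPolicy objects sorted by priority."""
    policies, current = [], None
    for line in text.splitlines():
        parts = line.split()
        if parts[:3] == ["crypto", "isakmp", "policy"]:
            if current:
                policies.append(IsakmpPolicy(**current))
            current = {"priority": int(parts[3])}
        elif current is not None and parts and parts[0] in ATTRS:
            value = parts[1]
            current[parts[0]] = int(value) if parts[0] in ("group", "lifetime") else value
    if current:
        policies.append(IsakmpPolicy(**current))
    return sorted(policies, key=lambda p: p.priority)


def attributes_match(offer, candidate):
    """Everything except lifetime must be identical for two policy sets to match."""
    return all(getattr(offer, a) == getattr(candidate, a) for a in ATTRS if a != "lifetime")


def negotiate(local_policies, remote_policies):
    """Offer local policies lowest sequence number first; return (offer, peer_policy, lifetime)
    for the first one the peer also has, or None when no policy set matches."""
    for offer in sorted(local_policies, key=lambda p: p.priority):
        for candidate in sorted(remote_policies, key=lambda p: p.priority):
            if attributes_match(offer, candidate):
                return offer, candidate, min(offer.lifetime, candidate.lifetime)
    return None


if __name__ == "__main__":
    local = parse_isakmp_policies(LOCAL_CONFIG)
    for name, remote in (("3des-only", REMOTE_3DES_ONLY), ("strong", REMOTE_STRONG), ("rsa-only", REMOTE_RSA_ONLY)):
        print(name, negotiate(local, parse_isakmp_policies(remote)))
```

The rsa-only peer produces no match even though its cipher, hash and group line up with policy 10, which is the practical lesson: a mismatched authentication method fails phase 1 just as surely as a mismatched cipher, and the weaker 3DES/MD5 policy at sequence 20 is what a peer that only supports it will end up with.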
There are two modes of negotiation for IKE phase 1: aggressive mode and main mode. Aggressive mode is used when
pre-shared keys are used as a form of authentication, and main mode is used for negotiation if digital certificates are
being used for authentication. The type of authentication to be used is defined in the policy set, as shown previously.
In summary, IKE phase 1 is the process of negotiating policy, key exchange, and peer authentication. This negotiation
results in the formation of an ISAKMP security association (ISAKMP SA).

IKE Phase 2
Upon completion of IKE phase 1, the security appliance will commence IKE phase 2 (called quick mode), which secures
the end-user data as it passes through a nonsecure network such as the Internet. In this step, a transform set defines the
parameters used to form an IPsec SA. The protocol used to protect the end user data will always be ESP.


Transform Set

Use the following command to view the values of the transform set named ESP-AES-256-MD5
and the phase 2 SA lifetime:
ASA5505# show running-config crypto ipsec
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec security-association lifetime seconds 28800
After IPsec SAs have been created based on matching phase 2 policies, tunnels are established and end-user data can
pass.
An IPsec SA contains the following:
Destination IP address (remote peer)
Security Parameter Index (random value used to identify relevant packets)
Protocol (ESP)
Encryption algorithm (DES, 3DES, AES)
Mode (tunnel or transport)
Key lifetime (how often keys should be changed)


After IKE Phase 2 negotiations have completed successfully, the end users can transmit data across the tunnel. The tunnel
will remain active as long as interesting traffic is passing through the tunnel. If a specific period of time has passed and
no interesting traffic has been detected, the SAs will be removed and the tunnel torn down.

Configuring an IPsec Tunnel Using ASDM

IPsec site-to-site configuration has been simplified within Cisco Adaptive Security Device Manager (ASDM) with the
IPsec VPN Wizard. Although configuration is possible from the command line, the graphical user interface (GUI) offers
an extremely fast, effortless wizard that reduces misconfigurations by streamlining most of the configuration parameters.
To use the IPsec VPN Wizard, just select the appropriate option from the Wizards toolbar within ASDM.


Select the type of tunnel that you want to create: Site-to-Site or Remote Access. Remote Access must be used if the
This is appropriate for small offices

After launching the wizard, specify the IP address of the IPsec peer and the authentication credentials.

CCSP SMAA Quick Reference by Ryan Lindfield

Define the parameters for your IKE policy. Remember, these are the parameters used during IKE phase 1 to
negotiate the ISAKMP SA: the algorithms that protect the management traffic (our ASA communicating
with the remote-side ASA about the IPsec tunnel), not the end-user data.

Next we define the parameters for the transform set; in the wizard this is called the IPsec Rule. These are the parameters that define how
end-user data will be protected as it crosses the Internet, or any other unprotected network.
Next we define the traffic that is to be protected. If this step were being configured from the CLI, we would write an
extended ACL to define the traffic to be protected. In this case, we just define the local network and the remote private
network (that is, the network address space behind the public IP address defined earlier). You will notice at the bottom
there is also an option to exempt this traffic flow from Network Address Translation (NAT) rules; without the exemption, the
local addresses would be translated before the crypto map sees them and would no longer match the protected-traffic definition.

Finally, we are done. You see a list of the attributes that you have defined in the preceding steps. If all the information is
correct, accept these changes by clicking the Finish button.

Load Balancing
It is possible to pair two or more Cisco security appliances into a single logical unit for the purpose of load distribution.
This logical grouping is referred to as a cluster. Although it is recommended to build this cluster from similar devices
(ASAs, for instance), it is possible to mix ASAs, VPN concentrators, and PIX firewalls. Remember, however, that the PIX
firewall does not support WebVPN.

When you create the cluster, a single IP address is assigned to the group as a whole. This IP address should be a globally
routable IP address from the same subnet as the security appliances that are participating in the group.
[Figure: four ASAs forming a load-balancing cluster that shares the virtual address 5.5.5.5]

As you can see from the diagram, we have four ASAs that are part of the cluster. When a connection is made to the
cluster IP address (5.5.5.5), that request is handled by the master of the cluster (in this case, ASA1). You can control
which of the ASAs becomes the master by manipulating the priority. The priority is a numeric value between 1 and 10.
Similar to routing protocol elections, the higher number means greater preference. Therefore, setting the priority to 10 on
ASA1 establishes that it should be the master.
When clients connect from the outside, their VPN client is configured to connect to the virtual IP address (5.5.5.5).
However, when a client initiates a connection to this address, a redirect occurs, passing the client to the security appliance
with the lightest load.
Load is calculated as a weighted ratio of the number of active connections to the total number of active connections. This
information is sent from each secondary appliance (slave) to the master. These load messages can be encrypted and
are sent using UDP port 9023. When remote users or offices establish IPsec connections to the virtual IP, they are then redirected
to the concentrator with the lightest load. All current IPsec and AnyConnect clients support this redirect. IPsec site-to-site
tunnels should be built using the physical interface IP addresses of the concentrators; their connections still count
toward the load and play a factor in load balancing. The difference is that site-to-site tunnels will not experience the redirect
at the beginning of the session.
Note
Configuration of load balancing can be performed using the ASDM GUI, which supports a wizard called
the High Availability and Scalability Wizard.


Chapter 4
WebVPN and Endpoint Security
Serving as an alternative to traditional IPsec VPN clients, Cisco now offers WebVPN (also known as SSL VPN) solutions
to customers. A WebVPN can make use of the client's web browser alone, or download the AnyConnect client (which replaces
the earlier SSL VPN Client) to build a secure connection to company resources. One of the biggest advantages of WebVPN is that
the user does not require a preinstalled software client to build the secure connection. The user can connect using a web browser, and
then after successful authentication gain access to certain corporate resources, or possibly download the AnyConnect
client, which allows a greater level of access than the browser alone.

WebVPN functionality is provided by the ASA 5500 security appliances. WebVPN is not supported by the PIX 500
series firewalls because they lack a Secure Sockets Layer (SSL) crypto processor.

Similar to the function of an IPsec virtual private network (VPN) gateway, an SSL VPN gateway terminates the encrypted
session and forwards the data into the network in its native format. For instance, if a user were to initiate a Telnet session
through an SSL tunnel, the Telnet traffic would be encrypted between the user and the ASA, and then sent "in the clear"
to the corporate LAN. The VPN protects only the leg between the client and the ASA. If security within the corporate network
is a concern, secure protocols such as Secure Copy (SCP), Secure Shell (SSH), and HTTPS should be used for remote
administration instead of Telnet, FTP, and HTTP.
WebVPN can be implemented with three different client configurations: clientless, thin client, and the AnyConnect VPN
client.

The intended application for clientless or thin client SSL VPN is as follows:
Corporate user at a public kiosk (such as a business center in a hotel)
Residential workstation
Partner
Corporate desktop, if applications are limited
Users for whom a simplified portal is preferable to full network access
Users who require remote connectivity occasionally

The intended application for AnyConnect SSL VPN is as follows:
Network engineers
Mobile employees who require LAN-like access
VoIP users
Company-managed workstations and laptops
Users with diverse application requirements
Users who frequently require secure remote access to the corporate LAN

SSL provides a secure means of communication between client and server. A digital certificate is used for server authentication,
and optionally for client authentication. The exchange of the session key is protected by the server's RSA key pair. The session
key is then used with a symmetric cipher such as DES, RC4, 3DES, or AES.

[Figure: SSL handshake between client and server, showing the server Certificate and Server Done messages]

Clientless SSL VPN


The simplest implementation of WebVPN is clientless SSL VPN. In this scenario, a remote user connects to the ASA
using only a web browser, and upon successful authentication, is granted access to a web portal. This portal can be
configured on a per-group or per-user basis, to include hyperlinks to internal resources using the Common Internet File
System (CIFS) or HTTP. Users can also be granted access to a URL Entry field, allowing them to type their own URLs
for internal resources.
This is a nice simple solution for certain roles within your organization, such as sales and marketing personnel who
require access to only a particular file share or internal website.
Clientless SSL is supported on the following:
Browsers
  Firefox
  Internet Explorer
  Netscape
  Safari
Operating systems
  Apple OS X
  Microsoft Windows


Thin Client
The thin client remote-access method refers to a tiny applet (typically less than 100 KB) being pushed to the
client after authentication. This applet is ActiveX or Java based and requires permission to run within the
browser. Once launched successfully, the thin client forwards TCP ports through the SSL connection.
This allows access to internal devices using Telnet and SSH, access to mail servers using IMAP, POP3, and SMTP, and
other non-web TCP applications that use fixed ports.


When configuring the thin client, the firewall administrator must define the port that will be used on the client side (TCP
port 2323, for example) and the internal resource and port that it will be forwarded to. When the client establishes an SSL VPN
connection, the user can then connect to that local port to access the corporate resource. This is referred to as port forwarding.
Example:
telnet 127.0.0.1 2323

This Telnet connection is forwarded through SSL to the ASA, where the SSL encapsulation is removed and the
unencrypted Telnet traffic is forwarded to the server that was mapped by the firewall administrator.

One restriction of using the thin client is that it requires administrative privileges on the client machine (on Windows, the applet
edits the hosts file so that the internal hostnames resolve to the local loopback address).
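The port-forwarding mechanism just described, as an added example that is not code from the quick reference or from Cisco: a small Python relay plays the applet's role (listen on a local port, copy bytes in both directions to the mapped host) and a local echo server stands in for the internal Telnet host. Ports, the payload and the echo server are constructed for the demonstration, and the model leaves out the SSL hop to the ASA; what it shows is that everything beyond the relay is the application's own plaintext, exactly as it is on the corporate LAN behind the ASA.

```python
"""Minimal model of WebVPN thin-client port forwarding (added example, not Cisco code).

    application --> local forwarder (127.0.0.1:<local_port>) --> "internal" server

The real thin client carries the first hop inside the SSL session to the ASA; the
second hop (ASA to server) is in the clear. This model keeps the same roles on
localhost so the mechanics can be exercised offline.
"""
import socket
import threading


def _pipe(src, dst):
    """Copy bytes from src to dst until src closes, then half-close dst."""
    try:
        while True:
            data = src.recv(4096)
            if not data:
                break
            dst.sendall(data)
    except OSError:
        pass
    finally:
        try:
            dst.shutdown(socket.SHUT_WR)
        except OSError:
            pass


class PortForwarder:
    """Listens on 127.0.0.1:local_port and relays each connection to target (host, port)."""

    def __init__(self, local_port, target):
        self.target = target
        self.listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        self.listener.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        self.listener.bind(("127.0.0.1", local_port))  # loopback only, like the applet
        self.listener.listen(5)
        self.port = self.listener.getsockname()[1]      # actual port if local_port was 0
        threading.Thread(target=self._accept_loop, daemon=True).start()

    def _accept_loop(self):
        while True:
            try:
                client, _ = self.listener.accept()
            except OSError:
                return                                   # listener closed
            upstream = socket.create_connection(self.target)
            threading.Thread(target=_pipe, args=(client, upstream), daemon=True).start()
            threading.Thread(target=_pipe, args=(upstream, client), daemon=True).start()

    def close(self):
        self.listener.close()


def start_echo_server():
    """Stand-in for the internal host the administrator mapped (constructed for the demo)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)

    def serve():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:
                return
            threading.Thread(target=_pipe, args=(conn, conn), daemon=True).start()

    threading.Thread(target=serve, daemon=True).start()
    return srv


def demo(payload=b"hello through the forwarder\r\n"):
    """Send payload to the local forwarded port and return what the 'internal' host echoed."""
    srv = start_echo_server()
    fwd = PortForwarder(0, srv.getsockname())          # port 0: pick any free local port
    try:
        with socket.create_connection(("127.0.0.1", fwd.port)) as app:
            app.sendall(payload)
            app.shutdown(socket.SHUT_WR)               # like closing the Telnet session
            received = b""
            while True:
                chunk = app.recv(4096)
                if not chunk:
                    break
                received += chunk
        return received
    finally:
        fwd.close()
        srv.close()
```

Note that the relay binds only to loopback; a forwarder that listened on all interfaces would turn the user's workstation into an open relay into the corporate network for anyone on the same LAN, which is the thin-client equivalent of the split-tunneling risk discussed later in this chapter.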

Smart Tunnels
Smart tunnels can be thought of as the evolution of the thin client, because they allow similar access without the need
for a local listening port on the client's machine, thus removing the requirement for administrative access. This feature was
introduced in Version 8.0(2) of the ASA operating system. The only operating systems that currently support it are Windows
2000, XP, and Vista. Similar to the thin client, smart tunnel connections also require Java or ActiveX in the browser.

AnyConnect
The AnyConnect client was introduced in the 8.0 version of the ASA operating system to replace the SSL VPN Client
(SVC). AnyConnect provides transparent network access, similar to what is provided by the Cisco IPsec VPN client.
Unlike the IPsec client, however, it can be installed dynamically after a user establishes an SSL VPN connection to the
ASA.

Note
Installation of the AnyConnect client requires administrative privileges on the local machine.

AnyConnect SSL VPN Client

Version 8.x (AnyConnect)                         Version 7.x (SVC)
Supports Windows, OS X, and Linux                Supports Windows 2000 and XP
Supports DTLS for latency-sensitive applications Lacks DTLS support
Support for 64-bit operating systems             400 KB download
2.3 MB download
IPv6 access over IPv4 networks
Standalone installation
After a traditional (clientless) WebVPN session is established, the user may be presented with a link within the portal
to download and install the AnyConnect client.


If you click the hyperlink, the Cisco AnyConnect SSL VPN client is installed on the user's workstation.


Once installed, the Cisco AnyConnect VPN client can be launched from the Start menu.


Launching the Cisco AnyConnect VPN client brings you to the interface shown here. Just insert the IP address or hostname
of the ASA and then click Select.


Finally, add your username and password and click Connect.


Once connected, the user receives a welcome banner.


Basic information about the connection can be verified. Notice the IP address that has been assigned, bytes sent, bytes
received, and time connected.

If you select Details, you can view additional information, including protocol, cipher, compression, and more.

One neat detail that you can find, similar to the Cisco IPsec VPN client, is the additional virtual adapter that is
installed. When an IP address is assigned from the server side, you can see that this IP is associated with the virtual
interface by running ipconfig from the command prompt.

Cisco Secure Desktop


Cisco Secure Desktop (CSD) enables you to assess an endpoint before allowing it to join your network, protect data that
is in use during the session, and then clean up after the session is complete. These actions are classified as three
distinct stages:

Preconnect assessment
  Check OS.
  Check antivirus.
  Check firewall.
  Check antispyware.
  Scan for filenames.
  Scan for processes.
  Scan for registry entries.
Session protection
  A sandbox is used to protect the session.
  Malware detection.
Post-session cleanup
  A Department of Defense sanitation algorithm is used to wipe any files left by the session (1 to 27 passes).
  Removal of cookies, history, and downloaded files.

Note
Installation of the CSD client requires administrative privileges on the local machine.

The use of CSD is an excellent precautionary measure if you are considering allowing users to connect from workstations
that are not owned and controlled by your organization. When a user establishes a clientless SSL or AnyConnect VPN
connection, CSD can be pushed down. Before the connection is finalized and the user is allowed into the network,
CSD scans the host to make sure that it is free of malware, and checks various parameters of the operating system. The
results of this scan are then compared against a policy stored on the ASA, and access is granted based on
these results. The process of matching client-generated results to a server-side (ASA) policy is referred to as dynamic
access policy (DAP).
Dynamic access policies are selected based on a combination of endpoint attribute values such as
operating system, prelogin policy, basic host scan results, and more, together with AAA attributes. Whenever a user connects, a level of access is
granted based on these parameters, and should something change that qualifies a host for a different level of access, it is
possible to alter the access policy while the user is connected.

Feature               Windows   Macintosh   Linux
Keylogger detection   Yes       No          No
Pre-login assessment  Yes       No          No
Host scan             Yes       Yes         Yes
Cache cleaner         Yes       Yes         Yes

Based on the preceding table, you see that Windows, Mac, and Linux all support a host scan, which is basically running a
check for a specific Windows registry value or an application installed on the client's machine. The attribute that you
are checking for is referred to as a watermark, and this watermark can even include a hash to validate the file that
you are checking for. Host scan is an additional module pushed down to the client after authentication. It was
originally built for Windows, but Mac and Linux were added in version 3.2.1. The host scan has three levels: basic
host scan, endpoint assessment, and advanced endpoint assessment.


A basic host scan identifies the remote operating system down to the service pack, and performs checks against the
Registry and memory for watermarks. The basic host scan can be used to determine a great deal of information about
the remote host, and this information is then used to apply a DAP to this user.
Endpoint assessment goes a step beyond the basic host scan, by checking the remote host for antivirus and antispyware
applications and their versions. Endpoint assessment can also check for the presence of a software firewall. You can use
the results returned by endpoint assessment to further refine the DAP.
Advanced endpoint assessment goes a step further than the previously mentioned techniques, by pushing updates to the
client (for example, enabling the firewall or forcing an antivirus signature update) based on the results of the other scans.

Note: The advanced endpoint assessment feature requires the Security Plus license.

Secure Session
The data accessed by users during their WebVPN sessions can be written to an encrypted partition if Windows 2000 or
XP is in use. This feature is referred to as Secure Session, Secure Desktop, or Vault. That's three names for a
single technology; furthermore, it makes Secure Desktop a feature of Cisco Secure Desktop, two different things
with very similar names. The technology itself is easy to understand, but the naming may confuse you later, so
be aware. In a nutshell, the data is stored in an encrypted location during the session, and then wiped using a Department of
Defense (DoD) sanitation algorithm when the session ends.


Cache Cleaner
Although Secure Session is an extremely powerful feature, it is not supported on all operating systems. As a matter of
fact, it works only on certain versions of Windows. If you are supporting Windows Vista-, OS X- and Linux-based clients,
you can still perform post-session cleanup with the cache cleaner. The cache cleaner is used to erase all the data that was
downloaded from the corporate network, and any data that was input by the user.


Cisco Secure Desktop Onscreen Keyboard


The Cisco Secure Desktop Onscreen Keyboard (OSK) presents an onscreen keyboard when users
type their password for authentication of a WebVPN session. This feature mitigates both hardware-
and software-based keyloggers. Whereas many software-based keyloggers can be detected by CSD, newer releases
of this malware may go undetected, and hardware-based keyloggers can be very difficult to detect. Therefore, the OSK is
a useful mitigation, although it does not defeat screen-capture malware that records what the user clicks.

[Figure: Cisco Secure Desktop onscreen keyboard]

When a user connects to the ASA WebVPN and enters a username, the user is then prompted for a password. At that
point, the OSK launches, and the user will use the mouse to select the appropriate characters.
Clientless SSL VPN Configuration
The simplest method of configuring clientless SSL VPN access is the step-by-step wizard in Cisco Adaptive Security
Device Manager (ASDM). As always, it is possible to build the configuration from the CLI, but we focus on the wizard here.
3. Select a name for this connection, and the interface upon which SSL VPN will run. From this screen, we can also
select a digital certificate that will be used by the ASA to authenticate itself to clients. By default, this is a self-
signed certificate. However, you can also use your own certificate authority (CA) or a purchased certificate from a
well-known CA such as Verisign or Thawte.

Note
ASDM and SSL VPN can in fact be used on the same interface, on the same port. This was not possible
in earlier versions of code.
The URL used to access SSL VPN is https://hostname.
The URL used to access ASDM is https://hostname/admin.


4. Configure user authentication. When end users connect to the ASA, they will authenticate, and the ASA must check
the local user database or an external AAA server. The wizard enables us to populate the local user database during
this step.
5. Select the group policy. You can use an existing group policy or create a new group policy. Policies can be defined at
the group level or the user level. If a profile is configured specifically for a user, it overrides the policy defined at the
group level.

6. Configure a Bookmark list. The Bookmark list is the collection of URLs that a user is presented with in the SSL VPN
portal. You can choose an existing URL list, or create a new list during the setup. Bookmarks can be created for
7. The final task is to verify the attributes that you have defined before finishing the wizard. When you click Finish,
commands are pushed to the ASA. You can view all the commands that are pushed down; just select the option
(under Preferences) within ASDM to preview commands before sending them to the device.
Additional Features of Clientless SSL VPN


Client/Server Plug-Ins
The ASA supports third-party client applications through the WebVPN portal by means of plug-ins. As an administrator, you can download
Java applications from Cisco and put them in flash on your ASA. Once installed, these applications can then be linked from the
portals of end users, so when they connect they have access to client applications that are written in Java. The list of
applications currently includes VNC, Telnet, Citrix, and Windows Terminal Services (RDP).
Users use a plug-in by selecting predefined URLs. Notice that the URL begins with the scheme for the application
being used. For instance, if you want to create a bookmark for an end user that allows the user to access an internal
Linux server using VNC, the URL may look like this:

When the user clicks this link, the browser actually connects to the ASA, which launches an applet that carries the
application's traffic inside the SSL session, so the application can be used without opening ports on the local machine and
proxying through them.

User Interface Configuration


The web portal provided by the ASA for clientless WebVPN is greatly improved over the look and feel of the 7.0 imple-
mentation. The new version not only looks better, it offers better controls for the administrator. Previously, you could
name categories, hyperlinks, and replace the Cisco logo with your company's logo. Now you can create custom XML and
push it to the ASA; generate custom panes; and add Really Simple Syndication (RSS) feeds, Cascading Style Sheets
(CSS), and more. This flexibility enables you to create completely customized web portals to cater to your company's
needs. To simplify the creation of the custom portal, there is an SSL VPN Customization Editor.

Caching and Content Rewriting


The ASA can perform caching, or storing frequently reused objects, to enhance the performance and efficiency of
WebVPN sessions. Caching is disabled by default but can be enabled from the CLI or GUI, and then configured to store
objects up to a maximum size of 10 MB.
Another useful feature is content rewriting. By default the ASA rewrites the URLs in every page it relays so that all
subsequent requests come back through the ASA; this is what lets a browser with no client reach internal sites. Adding
rewrite rules that disable rewriting for selected public websites lets users reach those sites directly while a WebVPN
session is established, which is similar in effect to split tunneling in the IPsec VPN configuration. These bypass rules do not
exist by default and are configured from the CLI or GUI.

Smart Tunnels
Smart tunnels are a feature introduced in the 8.0(2) version of the ASA operating system. Smart tunnels
replace the port forwarding technique used in 7.x code, which required a user to connect to a local port that
proxied the connection over SSL. One of the disadvantages of the earlier technique is that it required administrative
access on the client machine. Smart tunnels remove the requirement for administrative rights, while allowing use
of applications such as Outlook, Outlook Express, and Lotus Sametime through the SSL VPN.
When configuring smart tunnel access, you define specific paths to the executables that may be used to access internal
applications. Beyond specifying a path, you can also perform an integrity check by comparing the hash of the executable
with a known-good hash. You can use the Microsoft fciv.exe utility to generate a SHA-1 hash of a file, import this value
into the ASA, and have it compared against the same-name executable file on the client's
machine.
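The path-plus-hash check described above, as an added example that is not code from the quick reference or from the ASA: an allow list keyed by the configured executable path with an optional expected SHA-1, and the decision logic run against an intact, a tampered, a path-only and an unlisted binary. All file names, contents and hashes are constructed for the demonstration (the "outlook.exe" here is a few bytes in a temporary directory, not the real program).

```python
"""Smart-tunnel executable check: configured path plus optional SHA-1 (added example, not Cisco code)."""
import hashlib
import os
import tempfile


def sha1_of_file(path, chunk_size=64 * 1024):
    """Hex SHA-1 of a file, streamed so a large executable need not fit in memory."""
    digest = hashlib.sha1()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


class SmartTunnelList:
    """Models one smart-tunnel list: normalised executable path -> expected SHA-1.

    An entry whose expected hash is None is a path-only entry, which is what the
    administrator gets when no hash is supplied.
    """

    def __init__(self):
        self.entries = {}

    @staticmethod
    def _key(path):
        # Compare on the normalised absolute path; on Windows normcase also folds case.
        return os.path.normcase(os.path.abspath(path))

    def add(self, path, sha1_hex=None):
        self.entries[self._key(path)] = sha1_hex.lower() if sha1_hex else None

    def check(self, path):
        """Return (allowed, reason) for the executable at `path`."""
        key = self._key(path)
        if key not in self.entries:
            return False, "path is not in the smart-tunnel list"
        if not os.path.isfile(path):
            return False, "file does not exist on the client"
        expected = self.entries[key]
        if expected is None:
            return True, "path match; no hash configured for this entry"
        actual = sha1_of_file(path)
        if actual != expected:
            return False, "hash mismatch: expected %s, got %s" % (expected, actual)
        return True, "path and hash match"


def demo():
    """Run the check over an intact, a tampered, a path-only and an unlisted binary."""
    with tempfile.TemporaryDirectory() as workdir:
        outlook = os.path.join(workdir, "outlook.exe")
        notes = os.path.join(workdir, "notes.exe")
        putty = os.path.join(workdir, "putty.exe")
        for stand_in in (outlook, notes, putty):       # constructed stand-in files
            with open(stand_in, "wb") as handle:
                handle.write(b"MZ constructed stand-in for " + os.path.basename(stand_in).encode())

        allow = SmartTunnelList()
        allow.add(outlook, sha1_of_file(outlook))      # the value an admin would take from fciv.exe
        allow.add(notes)                               # path-only entry, no hash

        results = {"intact": allow.check(outlook)[0]}
        with open(outlook, "ab") as handle:            # simulate a patched or replaced binary
            handle.write(b"\x90")
        results["tampered"] = allow.check(outlook)[0]
        results["path_only"] = allow.check(notes)[0]
        results["unlisted"] = allow.check(putty)[0]
        return results
```

A matching SHA-1 only tells the ASA that the bytes on disk equal what the administrator hashed at configuration time; on a machine the user administers, the file can be swapped after the check, and SHA-1 itself is no longer collision resistant. Treat the hash as hygiene that catches version drift and accidental substitution, and rely on the DAP and host-scan results for the actual trust decision.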
Advanced Features of SSL VPN


AnyConnect SSL VPN Client Installer
After a user successfully establishes an SSL VPN session to an ASA, they may have the ability to install the AnyConnect
client. Installation of AnyConnect requires additional administrative overhead, because the administrator must configure
additional software and parameters to allow this download to take place. The AnyConnect VPN client package must
be downloaded from http://www.cisco.com, and then uploaded to the ASA and configured within the CLI or GUI
for download. As an administrator, you control the end users' experience, and you have a few options as to how the
AnyConnect client can be used. First, you can make it available to the user, and beyond that you can allow
a user to install the client persistently, meaning that the AnyConnect client remains installed after tunnel termination,
or you can disallow this so that the client must download the AnyConnect installer each time it connects.

Dead Peer Detection and Keepalives


Dead Peer Detection (DPD) is a mechanism used between client and headend to detect link failure. The way that DPD
works is that if the session goes idle and no traffic passes for a configurable amount of time (the worry timer), an
"R-U-There" message is sent across the connection. If the other side receives this message, an acknowledgment (R-U-There-ACK) is
sent back; if no acknowledgment arrives after the configured retries, the peer is considered dead and the session is torn down.
Besides DPD, you can also configure keepalives to assist in maintaining a session. Occasionally, you will find clients that
are behind Network Address Translation (NAT) devices, or firewalls with very strict rules, including exceptionally short
idle timers. A simple unidirectional message that passes from the client to the security appliance is enough to keep a
session from being terminated by intermediate filtering devices. This keepalive is encapsulated in SSL and appears as part
of the user communication to any other devices in the path of transit.


The difference between keepalives and DPD is that DPD waits until a worry timer expires before sending an "R-U-
There" message. When configured for keepalives, the client sends a "Hello" message at a fixed interval regardless of the amount
of traffic on the link.
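The two behaviours contrasted above, as an added example that is not code from the quick reference or from AnyConnect: a small simulation runs both mechanisms over the same constructed traffic timeline and reports when each would send a message, and when DPD would declare the peer dead. The retry count and retry interval applied to an unanswered R-U-There are assumptions of this model, not values taken from the product.

```python
"""DPD (worry timer) versus periodic keepalives on one idle-heavy timeline (added example, not Cisco code)."""


def simulate_dpd(traffic_times, worry_timer, duration,
                 peer_dead_after=None, retries=3, retry_interval=5):
    """Return (probe_times, dead_declared_at) for a DPD-enabled client.

    traffic_times   : seconds at which peer traffic was seen (each resets the worry timer)
    worry_timer     : idle seconds before the first R-U-There is sent
    peer_dead_after : if set, probes sent at or after this time get no R-U-There-ACK
    retries/retry_interval : assumed retry policy for an unanswered probe (model values)
    """
    traffic = set(traffic_times)
    probes = []
    last_activity = 0          # the session starts with the key exchange at t = 0
    unanswered = 0
    for t in range(1, duration + 1):
        if t in traffic:
            last_activity, unanswered = t, 0
            continue
        if unanswered == 0:
            due = t - last_activity >= worry_timer           # idle long enough: probe
        else:
            due = t - probes[-1] >= retry_interval           # waiting on an unanswered probe
        if not due:
            continue
        probes.append(t)
        if peer_dead_after is None or t < peer_dead_after:
            last_activity, unanswered = t, 0                 # ACK received: counts as activity
        else:
            unanswered += 1
            if unanswered >= retries:
                return probes, t + retry_interval            # last retry timed out: peer dead
    return probes, None


def keepalive_times(interval, duration):
    """Keepalives ignore traffic entirely: one Hello every `interval` seconds."""
    return list(range(interval, duration + 1, interval))


def compare(traffic_times=(3, 5, 40, 42), worry_timer=20, interval=20,
            duration=120, peer_dead_after=90):
    """Summarise what each mechanism sends on the same constructed timeline."""
    probes, dead_at = simulate_dpd(traffic_times, worry_timer, duration, peer_dead_after)
    hellos = keepalive_times(interval, duration)
    alive = [h for h in hellos if peer_dead_after is None or h < peer_dead_after]
    return {
        "dpd_probes": probes,
        "dpd_declares_dead_at": dead_at,
        "keepalive_hellos": hellos,
        "hellos_sent_while_peer_alive": len(alive),
    }
```

On the default timeline the keepalive fires at t=40 even though user traffic crossed the link at t=40, while DPD stays silent until the link has been idle for the full worry timer; the flip side is that a keepalive alone never tells the headend the peer is gone, so the two features address different problems (NAT and firewall idle timers versus stale sessions) and are normally configured together.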

Datagram Transport Layer Security


When using Transport Layer Security (TLS) to encapsulate user data, additional overhead is generated that we would like
to avoid. If you look at the application that is being used across the SSL VPN, such as Remote Desktop, you will see that
TCP is usually the transport protocol. The TCP header provides for synchronization of both parties, and retransmission of
lost packets, for reliable delivery. When you are using TLS for tunneling, TCP is used once again for the transfer of
encapsulated packets, thus resulting in two TCP connections per flow: an encrypted TCP header within the SSL
payload, and an unencrypted TCP header used by TLS between the client and the ASA. The two reliability layers interact
badly, because a loss on the outer TCP connection stalls every inner flow until the outer retransmission succeeds.
Datagram Transport Layer Security (DTLS) provides a more efficient means of communication.
With DTLS, AnyConnect establishes two separate tunnels: a standard TLS tunnel over TCP, which handles session information
(control messages and key exchange); and a DTLS tunnel over UDP, which is used for the transport of end-user data. The DTLS
session uses UDP port 443 by default. The advantage of DTLS/UDP is that a smaller header is used during encapsulation (UDP as
opposed to TCP), and retransmissions occur only once, done by the client application. When you are using WebVPN without DTLS,
if a packet is lost in transit, retransmission occurs twice, once by the client application and once again by the TLS transport.
If the UDP path is blocked, AnyConnect falls back to carrying data over the TLS tunnel.

Split Tunneling
When users build a connection to the ASA using IPsec or WebVPN, by default all traffic is routed through the tunnel.
This logic behind this configuration is that if the user is blocked from communicating with any host outside of the corpo-
rate network, there is no way that the user's machine can be compromised and then serve as a proxy for an attacker to

Q 2OOQ C b Inc. Al rl-a nswvd. This is p m by Ple86e see page 181 for mom details
11391

CHAPTER 4 CCSP SMAA Quick Reference by Ryan Lindfield

I WebVPN and Endpoint Security

gain access into the network. Currently, there are many browser vulnerabilities, and there have been exploits against
browsers that would allow an attacker to relay an attack into the corporate network through the user's browser if the user
were to visit the attacker's site while comected to the corporate network through VPN.
While forcing all traffic through the VPN tunnel is a good security measure, it is not efficient, and can be frustrating for
users. Split tunneling allows traffic destined to the corporate network to pass through the VPN, and all other traffic is
routed normally. The end result is that a user can log in to the corporate network using IPsec or WebVPN and still browse
the Internet and have access to local resources such as file shares or printers on his personal network.
Additional configuration is required for traffic to pass through the tunnel and then back out to the Internet. First, traffic
must be allowed to enter and then leave your outside interface. This is enabled with the same-security-traffic permit
intra-interface command, which is also required if the ASA is configured as a hub between two remote offices. You will
also need a nat statement for the outside interface, grouping it with a global statement that is also on your outside inter-
face, allowing users to come through the tunnel to the ASA and then out to the Internet.

Certificate-Based Authentication

Authentication of remote-access VPNs can be performed using a traditional username and password, a digital certificate,
or both methods. When I say both methods, that means you will use both a digital certificate and a username/password
combination to authenticate. To perform certificate-based authentication, both the ASA and the remote users must obtain
a certificate. After a certificate has been generated for the ASA, you then associate this digital certificate with the
interface that is terminating the incoming VPN connections.
To perform certificate-based authentication, the clients must obtain a digital certificate. The ASA can be used for this
process, believe it or not, as of the 8.0 operating system. The ASA can serve as a CA, issuing and managing certificates.
The CA service is disabled by default, but it can be enabled easily. After the CA has been configured, it can generate
certificates for users. These certificates are valid for 365 days by default. You can manage the user database for the local
CA server by creating user accounts, and then setting a one-time password (OTP) for the user to obtain the certificate.
There is a link within ASDM to email the OTP to the user. When the user collects this key, he can then connect to
WebVPN and download his digital certificate. Once installed locally, this certificate can be used for authentication alone
or with a username and password.
Before a user or device installs a digital certificate, it must trust the CA server and install the CA's certificate, also known
as the root certificate.
When you introduce time as a factor of authentication, you are likely to experience users who receive an "Invalid
Certificate" error because of a time mismatch. The configuration error could be as simple as the wrong time zone, or a
date that is off by a few days to a few years. Whenever troubleshooting certificate issues, always be sure that the time and
date are correct.

Note
The ASA can act as a CA server only when operating as a single context in routed mode. Transparent mode and
multiple contexts are not supported.


CHAPTER 5 Security Services Modules
CCSP SNAA Quick Reference by Ryan Lindfield

Chapter 5
Security Services Modules
One of the primary benefits of an ASA over the PIX is the ability to support security services modules (SSMs). There are
two modules that exist for security purposes and one that is for interface expansion. The Content Security and Control
(CSC-SSM) and the Advanced Inspection and Prevention (AIP-SSM) provide security services, while the 4GE-SSM
offers additional gigabit interfaces. There are different hardware platforms for each of the security services modules: the
SSM-10, SSM-20, and a third option called the 4GE-SSM. Yes, you guessed it, four Gigabit Ethernet interfaces. The
AIP-SSM and CSC-SSM host a single 10/100/1000 Ethernet interface that can be used for in-band or out-of-band
management, and software recovery. The software recovery procedure is covered at the end of this chapter. These modules
can be managed from the command-line interface (CLI), Adaptive Security Device Manager (ASDM), or Cisco Security
Manager. Security modules can be monitored via the CLI, ASDM, or Cisco Security Monitoring, Analysis, and Response
System (MARS).
The hardware specifications of each module are listed here:

SSM-10
2.0GHz CPU
1.0GB RAM
Flash-based file storage
150Mbps throughput with ASA 5510
225Mbps throughput with ASA 5520
10/100/1000 interface for management
Two logical interfaces: data channel and control channel

SSM-20
2.4GHz CPU
2.0GB RAM
Flash-based file storage
375Mbps throughput with ASA 5520
450Mbps throughput with ASA 5540
10/100/1000 interface for management
Two logical interfaces: data channel and control channel

4GE-SSM
Does not provide intelligent processing services, just additional ports.
Supports four UTP or four fiber interfaces.
Only four interfaces of the eight can be used to pass traffic.

Note
Cisco released the SSM-40 after the SNAA course was released. It supports up to 650 Mbps of throughput when
installed in an ASA 5540.

Cisco CSC-SSM
The Cisco CSC-SSM has the ability to block or clean malicious traffic within the following protocols: SMTP, FTP, HTTP,
and POP3. The application layer intelligence is provided by Trend Micro. While inspecting the aforementioned protocols,
the CSC-SSM can monitor for signs of known spyware and viruses, known phishing sites, URLs that host prohibited
content, and can even perform content-type validation.


Content-type validation is a new feature also supported on Integrated Services Routers (ISRs). The way that it works is by
examining the header of a file and comparing it to the file type (.mp3, .doc, .exe, and so on). Every file type has what is
sometimes called a magic number. A magic number is a unique string of characters that can be seen when the file is opened
with a hex editor. For instance, if you open three different Microsoft Word .doc files in a hex editor, you will notice that they
all have the same string of characters at the head of the file and at the tail of the file. The CSC module can make compar-
isons to known file types. Therefore, when a user renames an executable file (.exe) to .doc and tries to pass it through the
firewall in an email, the CSC-SSM will identify the mismatch and take the appropriate action.
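The magic-number comparison described above, as an added example in Python (this is not CSC-SSM or Trend Micro code): a small table of well-known file signatures and a check that flags an attachment whose extension disagrees with its header. The signature table and the sample attachments are constructed for illustration; a real engine carries a far larger table and also checks the tail of the file, which this example does not.

```python
# Added example (not Cisco/Trend Micro code): content-type validation by
# "magic number", the check the CSC-SSM applies to files in mail and web traffic.
import os

# Well-known file signatures (first bytes of the file) mapped to the type name
# and the extensions that legitimately carry them. OLE2 covers legacy .doc/.xls/.ppt.
# Constructed, abbreviated table for illustration only.
MAGIC_NUMBERS = [
    (b"MZ",                               "PE executable",  {".exe", ".dll", ".scr"}),
    (b"\x7fELF",                          "ELF executable", {"", ".so", ".elf"}),
    (b"%PDF-",                            "PDF",            {".pdf"}),
    (b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1", "OLE2 document",  {".doc", ".xls", ".ppt"}),
    (b"PK\x03\x04",                       "ZIP container",  {".zip", ".docx", ".xlsx", ".pptx", ".jar"}),
    (b"\x89PNG\r\n\x1a\n",                "PNG image",      {".png"}),
    (b"GIF87a",                           "GIF image",      {".gif"}),
    (b"GIF89a",                           "GIF image",      {".gif"}),
    (b"\xff\xd8\xff",                     "JPEG image",     {".jpg", ".jpeg"}),
    (b"ID3",                              "MP3 audio",      {".mp3"}),
]

def identify(data):
    """Return the type name whose magic number matches the start of data, else None."""
    for magic, name, _ in MAGIC_NUMBERS:
        if data.startswith(magic):
            return name
    return None

def extension_mismatch(filename, data):
    """
    Compare the claimed extension with the type the header reveals.
    Returns (mismatch, detail). An unrecognized header is reported but not
    flagged: the comparison is only against *known* file types.
    """
    ext = os.path.splitext(filename)[1].lower()
    for magic, name, allowed in MAGIC_NUMBERS:
        if data.startswith(magic):
            if ext in allowed:
                return False, f"{filename}: {name}, extension consistent"
            return True, f"{filename}: header says {name}, extension {ext or '(none)'} does not match"
    return False, f"{filename}: unknown header, no known type to compare against"

# Constructed sample "attachments"; only the leading bytes matter for the check.
SAMPLES = {
    "quarterly.doc":         b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + b"\x00" * 16,
    "quarterly_renamed.doc": b"MZ\x90\x00\x03\x00" + b"\x00" * 16,   # a PE file renamed to .doc
    "photo.jpg":             b"\xff\xd8\xff\xe0\x00\x10JFIF",
    "notes.txt":             b"plain text has no magic number\n",
}

def scan(samples):
    """Return {filename: True if the extension is spoofed}, printing a verdict per file."""
    results = {}
    for name, data in samples.items():
        mismatch, detail = extension_mismatch(name, data)
        results[name] = mismatch
        print(("BLOCK  " if mismatch else "allow  ") + detail)
    return results

if __name__ == "__main__":
    scan(SAMPLES)
```

Running the block blocks only `quarterly_renamed.doc`: its header begins with `MZ`, so it is a PE executable whatever the name claims. The plain-text file matches no signature and is allowed, which is the same conservative behaviour the text describes: the module acts on a mismatch against a known type, not on everything it cannot identify.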
The antispam engine within the CSC-SSM is equally impressive. Not only does it perform your standard filtering based
on the content of the email, but it also does a reverse lookup, or reputation check, to make sure that the email was not
spoofed and did come from the correct source. Furthermore, the antispam engine uses blacklists similar to other filtering
software on the market. These features are limited based on software license, but with the features enabled from the Plus
License, Cisco claims to be able to catch 99 percent of spam before it reaches your mail server.
As mentioned previously, the CSC-SSM is available on both the SSM-10 and SSM-20 platforms. Beyond having an
option of which platform you select, there are also licensing options to choose from.

Security Services Licensing Models

CSC-SSM 10
Base License
50 users
Antivirus, antispyware, and file-blocking services

Additional licensing includes
100, 250, or 500 users
Antispam, antiphishing, and URL filtering

CSC-SSM 20
Base License
500 users
Antivirus, antispyware, and file-blocking services

Additional licensing includes
750 or 1000 users
Antispam, antiphishing, and URL filtering

Cisco AIP-SSM
The Cisco Advanced Inspection and Prevention Security Services Module (AIP-SSM) provides IPS services at your
network perimeter, similar to that of a Cisco 4200 series Intrusion Prevention Sensor (IPS). The AIP-SSM uses the same
software (currently 6.x) as the 4200 series sensors, which makes migration and administration easy, especially if you have
prior experience with the 4200 series sensors. As traffic passes through the ASA, it can be redirected to pass through the
AIP-SSM, where it will be analyzed for signs of malicious intent.
As mentioned previously, the AIP-SSM runs the same software as the standalone sensor, which means they carry the
same signatures, currently more than 1500. What is a signature, you ask? Well, in its most basic sense, it is a set of
parameters that match a traffic condition or value found in a particular field of a particular protocol. Remember, everything
in IT is a collection of ifs and thens. Therefore, the signature is our if condition. A signature is used as a matching
condition before an action is put into place. Simply put, the IPS module has a database of known attacks, and it compares
data that is passing through your network to this database. The only catch is that the IPS is not always accurate.

A few different terms are used to describe the accuracy of an alert generated by an IPS. First, positive, which means an
alert was generated, followed by negative, which refers to any condition in which an alert was not generated. This brings
us to the following terms:
True positive: An attack was passing through the network and was successfully identified.
False positive: An alarm was generated, but the traffic that was passing through the network was legitimate traffic
and was not harmful.
True negative: An alarm was not generated, and legitimate traffic is passing. This is a normal state.
False negative: An alarm was not generated, but an attack has passed by undetected.

Signatures are not the only way to identify that an attack is taking place on your network. Cisco IPS products also
perform analysis of your standard network traffic and maintain somewhat of a baseline called a histogram. This histogram
is a ratio of hosts to half-open connections. This table is maintained by the sensor and is updated on a regular basis (every
24 hours by default). While network traffic may rise over time, if the number of half-open connections increases by more
than 20 percent, the sensor will become aware of this and notify the administrator that an attack such as a worm outbreak
or port scanning may be taking place.
The aforementioned method of detecting attacks is referred to as statistical anomaly detection. This term makes sense
because we are building a profile of what is normal and then making comparisons to it. Another type of anomaly detec-
tion is nonstatistical, in which case the sensor compares the behavior of protocols on your network to the behavior
expected based on how the white papers or RFCs say a protocol should behave.
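To make the statistical anomaly idea concrete, here is an added Python example (not Cisco IPS code) that models the histogram as a ratio of half-open connections to active hosts, compares a current snapshot against a stored baseline, and flags a rise of more than 20 percent. The connection tables are constructed; the real sensor's histogram format, 24-hour update cycle and alert delivery are not reproduced, and the half-open state names are the ones a `netstat`-style listing would show.

```python
# Added example (not Cisco IPS code): a toy version of the sensor's histogram
# of hosts to half-open connections and the "more than 20 percent" check.
from collections import Counter

# A constructed connection table, one tuple per TCP connection the sensor
# has seen: (source host, destination host, destination port, TCP state).
BASELINE_TABLE = [
    ("10.1.1.10", "10.2.2.5",  80, "ESTABLISHED"),
    ("10.1.1.11", "10.2.2.5",  80, "ESTABLISHED"),
    ("10.1.1.12", "10.2.2.5",  80, "SYN_RECV"),
    ("10.1.1.13", "10.2.2.9", 443, "ESTABLISHED"),
    ("10.1.1.14", "10.2.2.9", 443, "SYN_RECV"),
]

# The same network a little busier: more hosts, about the same share half-open.
BUSY_TABLE = BASELINE_TABLE + [
    ("10.1.1.20", "10.2.2.5",  80, "ESTABLISHED"),
    ("10.1.1.21", "10.2.2.5",  80, "ESTABLISHED"),
    ("10.1.1.22", "10.2.2.9", 443, "SYN_RECV"),
]

# One new host leaving half-open connections on many ports: a port scan.
SCAN_TABLE = [
    ("10.1.1.10", "10.2.2.5",  80, "ESTABLISHED"),
    ("10.1.1.11", "10.2.2.5",  80, "ESTABLISHED"),
    ("10.1.1.13", "10.2.2.9", 443, "ESTABLISHED"),
    ("10.1.1.50", "10.2.2.5",  21, "SYN_RECV"),
    ("10.1.1.50", "10.2.2.5",  22, "SYN_RECV"),
    ("10.1.1.50", "10.2.2.5",  23, "SYN_RECV"),
    ("10.1.1.50", "10.2.2.5",  25, "SYN_RECV"),
    ("10.1.1.50", "10.2.2.9",  22, "SYN_RECV"),
    ("10.1.1.50", "10.2.2.9", 110, "SYN_RECV"),
]

HALF_OPEN_STATES = {"SYN_RECV", "SYN_SENT"}   # handshake started, never completed

def half_open_ratio(table):
    """Half-open connections per active host: the histogram value the text describes."""
    hosts = {src for src, _, _, _ in table} | {dst for _, dst, _, _ in table}
    half_open = sum(1 for _, _, _, state in table if state in HALF_OPEN_STATES)
    return half_open / len(hosts) if hosts else 0.0

def exceeds_threshold(baseline_ratio, current_ratio, threshold=0.20):
    """True when the ratio rose by more than `threshold` (20 percent by default)
    relative to the baseline; with a zero baseline any half-open connection counts."""
    if baseline_ratio == 0.0:
        return current_ratio > 0.0
    return (current_ratio - baseline_ratio) / baseline_ratio > threshold

def top_offender(table):
    """(source host, half-open count) for the host holding the most half-open connections."""
    counts = Counter(src for src, _, _, state in table if state in HALF_OPEN_STATES)
    return counts.most_common(1)[0] if counts else None

def evaluate(baseline, current):
    """Return (anomalous, baseline_ratio, current_ratio, top_offender) for one comparison."""
    b, c = half_open_ratio(baseline), half_open_ratio(current)
    return exceeds_threshold(b, c), b, c, top_offender(current)

if __name__ == "__main__":
    for name, table in (("busy", BUSY_TABLE), ("scan", SCAN_TABLE)):
        flagged, b, c, who = evaluate(BASELINE_TABLE, table)
        verdict = f"ALERT, top source {who}" if flagged else "within normal variation"
        print(f"{name}: baseline {b:.2f} -> current {c:.2f}; {verdict}")
```

The busy snapshot has more hosts and more connections than the baseline, but its half-open ratio moves from about 0.29 to 0.30, well under the 20 percent rise, so it is treated as normal growth. The scan snapshot drives the ratio to 1.0 and the alert names 10.1.1.50 as the source, which is the kind of notification the text says the sensor sends to the administrator.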


IDS Versus IPS

So, your sales rep has just called and is trying to sell you on the idea that you need an intrusion prevention system (IPS)
to replace your intrusion detection system (IDS). The IPS actually stops the attack inline, whereas your IDS only tells you
about it. Is there any truth to this? Let's look at how each of these solutions works.
An IDS works in what is referred to as promiscuous mode. The sensor receives a copy of each packet. If you were to look
at the network topology, the sensor is not directly in the path of the packet, but off to the side. With a standalone sensor
(for instance, a 4200 series product), a switch is generally configured with a Switched Port Analyzer (SPAN) port that
will mirror traffic from one port on the switch to another. In other words, duplicate packets are forwarded to a second
port, strictly for analysis. If an IDS identifies a packet that is malicious, it can perform a few different actions, but it cannot
drop the packet. By the time the IDS receives a copy of a packet, the target host has already received its own copy of the
malicious packet. In real-world terms, it is like a parking lot security guard watching from the roof. The security
guard watches a girl pull up in a car, throw a brick through your car window, and then drive away. He can tell you all
about the incident, but your window is still broken.
Let's now look at how an IPS differs from an IDS. You see, an IPS works inline. Yes, inline is the keyword here. The IPS
sensor is in the forwarding path between the source and destination. Therefore, if the sensor identifies traffic that is
deemed malicious, it has the capability to drop the packet, and that packet will never reach the intended destination. In
other words, if the parking lot security guard is in the parking lot, where he belongs, and he sees a crazed woman drive
into the parking lot, he can stop her before she reaches your car with the brick.

Note
Dropping packets is most effective when implemented with atomic signatures. It is possible that if an elaborate
exploit is detected using a TCP stream signature, the damage may already be done.

[Figure: sensor placement, Promiscuous Mode (IDS, off the forwarding path) versus IPS (inline)]

Now let's look at this realistically. How does an IDS or IPS identify an attack? Most of the time (in fact, 99 percent of the
time), it is based on a signature. Well, where do these signatures come from?
1. Vulnerability is announced publicly (1 day).
2. An exploit is written for this vulnerability (0 to 24 hours).
3. A patch is written for your operating system by a third party or the open source community (2 to 5 days).
4. An official patch is released from the vendor (7 to 14, sometimes even 30 days).
5. A signature update from your IDS/IPS vendor is released that identifies the attack (generally released within 14 to
30 days, if ever).


Based on this timeline, does an IPS stop the attack inline? Chances are, probably not. Your shiny new IPS will watch this
new cutting-edge attack go by just like the IDS will. The timeline in the preceding list is not a protocol or standard, but
it is an estimate based on what I have seen in the security world over the past several years. Exceptions apply, however.
Sometimes the vendors are quick. Sometimes custom signatures can be created and deployed before the operating system
patch is released. However, consider an attacker who is using attacks that have not been publicly disclosed. In such a
scenario, the chance of detection is minimal. Although network IDS/IPS solutions are good, try to remain realistic about
their capabilities and remember that they work best when paired with a host-based IPS solution such as Cisco Security
Agent.
One thing to consider when deploying an IDS/IPS solution is the amount of traffic that the sensor can analyze. It is possi-
ble to overwhelm the sensor with too much information. A good rule of thumb when deploying an IPS is to analyze the
parts of the network where attacks are most likely to exist, such as the outside interface and the demilitarized zone
(DMZ) interface. The majority of the traffic that the ASA handles may be coming from the inside interface, which is the
least likely to contain malicious content.

Software Bypass
The software bypass feature refers to the condition in which inspection is not possible because of hardware or software
failure. There are two different configurations to consider: fail open and fail closed. In the event of failure of an IPS or
CSC module, what should the ASA do with the traffic that is to be inspected? If the sensor is configured to "fail open,"
the traffic should be forwarded through the security appliance without IPS or CSC inspection. This is less secure but
provides for a more resilient network. Keep in mind that all the other protections of the security appliance are still in
effect. If the security appliance is configured to "fail closed," in the event of hardware or software failure of the IPS/CSC
module, any traffic analyzed by those modules will cease to pass. This is a more secure mode of operation but will obvi-
ously affect network connectivity in an adverse way. Fail open and fail closed are applicable only when the module is
configured for inline operation. This setting is not used for promiscuous operation.


Sensor Initialization
You can begin configuring the sensor by first verifying that it is operating properly. You can do so from the CLI by using
the show module 1 details command:
hostname# show module 1 details
Getting details from the Service Module, please wait...
ASA 5500 Series Security Services Module-10
Model:              ASA-SSM-10
Hardware version:   1.0
Serial Number:      JAF10000009
Firmware version:   1.0(11)2
Software version:   6.1(1)E1
MAC Address Range:  0018.b91b.56c8 to 0018.b91b.58c8
App. name:          IPS
App. Status:        Up
App. Status Desc:
App. version:       6.1(1)E1
Data plane Status:  Up
Status:             Up
Mgmt IP addr:       10.10.1.66
Mgmt web ports:     443
Mgmt TLS enabled:   true

In the preceding output, notice that the model of hardware is an ASA-SSM-10. You can also see a firmware version and
a software version. To access the sensor, you need to take note of the management IP address and port number. Also notice
that TLS is enabled, which is required for secure management access to the sensor's command and control interface.


In the event that you have a corrupt or missing operating system, the output will differ and the Software version field
will be blank. To recover the operating system, you must follow these steps:
1. In the event that there is not an IP address assigned to the SSM, you will not be able to manage it remotely, and
must access it from the CLI or from the appropriate tab within ASDM.
2. When initializing the sensor, you will also want to verify the time and date of the sensor, because having accurate
time stamps on event notifications is critical for correlation and analysis. You can synchronize using the time from
the ASA itself or an NTP server.
3. The final step of configuration is to add your license codes. The AIP module requires a license to perform signature
updates, whereas the CSC module requires a Base License or Plus License to implement the corresponding features.

In the event of corrupt software, you will need to recover the software image from a remote server, as follows:
1. Configure a TFTP server with the AIP/CSC image.
2. On the ASA, configure the location of the TFTP server using the following command:
hw module slot recover configure

3. The previous command will bring you to a configuration dialog where you will define the following parameters:
Image URL (tftp://192.168.1.7/csc6.2.16U5.bin)
IP address of the Ethernet interface of the SSM (192.168.1.15)
VLAN ID if required
Gateway IP address if required

4. Begin recovery using the hw module slot recover boot command.

Note
Use the debug module command to watch the details of the recovery process.

Sensor Configuration
After the sensor software has been restored (if necessary), you can begin configuration of the sensor. This can be done
from the CLI or using ASDM. To connect to the sensor through the ASA console (or vty), use the session 1 command.
Doing so moves your shell environment from the ASA configuration to SSM configuration. This is sometimes referred to
as a reverse Telnet:
ASA5510# session 1
Opening command session with slot 1.
Connected to slot 1. Escape character sequence is 'CTRL-^X'.

login: cisco
Password:
***NOTICE***
This product contains cryptographic features and is subject to United States
and local country laws governing import, export, transfer and use. Delivery
of Cisco cryptographic products does not imply third-party authority to import,
export, distribute or use encryption. Importers, exporters, distributors and
users are responsible for compliance with U.S. and local country laws. By using
this product you agree to comply with applicable laws and regulations. If you
are unable to comply with U.S. and local laws, return this product immediately.

A summary of U.S. laws governing Cisco cryptographic products may be found at:
http://www.cisco.com/wwl/export/crypto/tool/stqrg.html

If you require further assistance please contact us by sending email to
export@cisco.com.

***LICENSE NOTICE***
There is no license key installed on the SSM-IPS10.
The system will continue to operate with the currently installed
signature set. A valid license must be obtained in order to apply
signature updates. Please go to http://www.cisco.com/go/license
to obtain a new license or install a license.
sensor#

The first thing that you will encounter in the SSM environment is a login prompt. The default username is cisco, with a
password of cisco. When you log in, you are asked to change your password. From this point, you can perform most of
the administration tasks. However, the GUI interface provides a much more effective environment for management.
Generally, when you first access any IDS sensor, whether it is the AIP-SSM, 4200 series sensor, or IDSM-2, you will run
the setup script from the CLI. The setup script walks you through the basic configuration of the sensor. As of IPS Version
5.0, the sensor has switched from TCP Wrappers and a default access list of permit 10.0.0.0/8 to iptables and a default
of deny all for remote access:

--- Basic Setup ---

--- System Configuration Dialog ---

At any point you may enter a question mark '?' for help.
User ctrl-c to abort configuration dialog at any prompt.
Default settings are in square brackets '[]'.

Current time: Mon Dec 15 14:01:44 2008

Setup Configuration last modified: Mon Dec 01 07:42:10 2008

Enter host name[sensor]:
Enter IP interface[10.2.2.33/24,10.2.2.1]:
Modify current access list?[no]:
Modify system clock settings?[no]:

The following configuration was entered.

service host
network-settings
host-ip 10.2.2.33/24,10.2.2.1
host-name sensor
telnet-option disabled
access-list 10.2.2.0/24
ftp-timeout 300
no login-banner-text
exit
time-zone-settings
offset 0
standard-time-zone-name UTC
exit
summertime-option disabled
ntp-option disabled
exit

[0] Go to the command prompt without saving this config.
[1] Return to setup without saving this config.
[2] Save this configuration and exit setup.
[3] Continue to Advanced setup.

Enter your selection[3]:

After an IP address has been defined, and you have added the administrator's workstation to the access list, you are ready
to log in to the AIP-SSM with the GUI.
First log in to the ASDM GUI, and then select Configuration > IPS. When you click this hyperlink, ASDM will open a
new window. A notification from ASDM will tell you about the new connection. Click Continue to move forward.

When you click Continue, ASDM will load data from the IPS sensor.


After data has finished loading, you will see a picture of a security appliance and security services module. In this
diagram, the management ports have been highlighted. Notice there is an ASA management port and an SSM management
port. In my experience, I have needed separate IP addresses to perform both functions (ASDM / AIP-SSM).
Notice that there is a wizard here that we can launch to begin passing traffic to the SSM.

When you click the Launch Startup Wizard button, the wizard brings you to a sensor setup page. This page can be used
to define the hostname, IP address, subnet mask, and default gateway. You can also manage access lists from this screen.
Remember, when configuring IDS products the term access list refers to administrative access, or access to the device, as
opposed to traffic through the device. You can also set the time, date, time zone, daylight savings time, and an NTP
server.


After you have configured, or verified, the basic configuration information of the SSM, you can define the traffic flows
that should be passed to this module for analysis.

By clicking the Add button on the right side, you can define the traffic flow for analysis. First, specify the interface,
source IP address, destination IP address, destination port number (service), and then possibly a description. These
parameters are then followed by how analysis should be performed (inline or promiscuous) and what should happen to
this traffic if the sensing process should fail (fail open or fail closed).


After rules have been added, the window will be populated, and you can see an animation displaying the path of the
packet. If everything looks appropriate, click Finish.
Further configuration of the modules is beyond the scope of this Quick Reference.
CCSP SNAA Quick Reference
Ryan Lindfield
Copyright © 2009 Cisco Systems, Inc.
Published by:
Cisco Press
800 East 96th Street
Indianapolis, Indiana 46240 USA
All rights reserved. No part of this digital Short Cut may be reproduced or transmitted in any form or by any means,
electronic or mechanical, including photocopying, recording, or by any information storage and retrieval system, without
written permission from the publisher, except for the inclusion of brief quotations in a review.
First Digital Edition February 2009
ISBN-10: 1-58705-877-4
ISBN-13: 978-1-58705-877-6

Feedback Information
At Cisco Press, our goal is to create in-depth technical books of the highest quality and value. Each book is crafted with
care and precision, undergoing rigorous development that involves the unique expertise of members of the professional
technical community.
Reader feedback is a natural continuation of this process. If you have any comments on how we could improve the
quality of this digital Short Cut, or otherwise alter it to better suit your needs, you can contact us via e-mail at
feedback@ciscopress.com. Please be sure to include the digital Short Cut title and ISBN in your message.

Corporate and Government Sales
The publisher offers excellent discounts on this digital Short Cut when ordered in quantity for bulk purchases or
special sales, which may include electronic versions and/or custom covers and content particular to your business,
training goals, marketing focus, and branding interests. For more information, please contact: U.S. Corporate and
Government Sales 1-800-382-3419 corpsales@pearsontechgroup.com
For sales outside the United States please contact: International Sales international@pearsoned.com

Warning and Disclaimer
This digital Short Cut is designed to provide information about networking. Every effort has been made to make this
digital Short Cut as complete and accurate as possible, but no warranty or fitness is implied.
The information is provided on an "as is" basis. The author, Cisco Press, and Cisco Systems, Inc. shall have neither
liability nor responsibility to any person or entity with respect to any loss or damages arising from the information
contained in this digital Short Cut.
The opinions expressed in this digital Short Cut belong to the authors and are not necessarily those of Cisco Systems, Inc.

Trademark Acknowledgments
All terms mentioned in this digital Short Cut that are known to be trademarks or service marks have been appropriately
capitalized. Cisco Press or Cisco Systems, Inc. cannot attest to the accuracy of this information. Use of a term in this
digital Short Cut should not be regarded as affecting the validity of any trademark or service mark.

© 2009 Cisco Systems Inc. All rights reserved. This publication is protected by copyright. Please see this page for more details.