Tuesday, October 19, 2010

After reading this article, I admit I underestimated MPF.

It is much more sophisticated than what I was thinking.

Thanks to Petr for the great article.

http://blog.ine.com/2009/04/19/understanding-modular-policy-framework/

Actions are applied in the following fixed sequence within MPF:

  1. QoS input policing. Applies to traffic entering the firewall and enforces a traffic rate. Configured with the police input command under the policy-map.
  2. TCP normalization. TCP and UDP connection limits and timeouts, TCP initial sequence number randomization, and TCP connection modification and monitoring to enforce security settings. Configured with the set connection command and a pre-configured tcp-map holding the advanced TCP parameters.
  3. CSC (if installed). Content security.
  4. Application inspection (multiple types). The core of the stateful firewall. Parses traffic streams, detects application protocols and their commands, and allows per-application security policies to be enforced. The command to apply inspection is inspect {protocol-name}; it can be fine-tuned with inspection policy-maps.
  5. IPS (if installed). Intrusion prevention: lets the firewall act as an inline IPS.
  6. QoS output policing. Applies to traffic leaving the firewall and enforces the specified rate. The command is police output.
  7. QoS interface priority queue. Services traffic using the interface-level low-latency queue. Configured with the priority command. Cannot be applied together with policing.
  8. QoS traffic shaping, hierarchical priority queue. Mutually exclusive with any other interface-level QoS feature. Traffic shaping can only be applied under class-default.
Direction in which each feature is applied, and whether it tracks the stateful flow:

Feature                                                   Interface-level policy   Global policy   Flow-aware
QoS input policing                                        Ingress                  Ingress         -
TCP normalization, connection limits, ISN randomization   Bidirectional            Ingress         Yes
CSC                                                       Bidirectional            Ingress         Yes
Application inspection                                    Bidirectional            Ingress         Yes
IPS                                                       Bidirectional            Ingress         Yes
QoS output policing                                       Egress                   Egress          -
QoS interface-level PQ                                    Egress                   Egress          -
QoS shaping, hierarchical PQ                              Egress                   N/A             -

Feature Incompatibilities

As you remember, you can apply multiple actions under the same class. Some actions just can't go together. Here is the list of limitations:

1) You can't combine policing and interface-level priority queuing for the same class.
2) You can't configure shaping in the global policy map.
3) You can only shape ALL traffic leaving an interface, i.e. you can only shape under class-default.
4) You cannot configure two inspect actions under the same class, except for the default-inspection-traffic class.

Application inspection order (when several inspections apply to the same flow, they run in this fixed order):

  1. CTIQBE
  2. DNS
  3. FTP
  4. GTP
  5. H323
  6. HTTP
  7. ICMP
  8. ICMP error
  9. ILS
  10. MGCP
  11. NetBIOS
  12. PPTP
  13. Sun RPC
  14. RSH
  15. RTSP
  16. SIP
  17. Skinny
  18. SMTP
  19. SNMP
  20. SQL*Net
  21. TFTP
  22. XDMCP
  23. DCERPC
  24. Instant Messaging

Here is the list of basic points about MPF:

1) Service policies can be applied globally or per interface.

2) A packet flow can match multiple classes.

2.1) If two or more classes specify the same feature, the firewall applies a deterministic procedure to resolve the conflict.

2.2) If the classes specify different features, they are combined, provided the features can be used together.

3) Many firewall features are aware of stateful traffic flows.

4) The order in which the features are applied is fixed and does not depend on the order of classes in the policy-maps.
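A worked configuration, added here as an example and not taken from Petr's article or this page, that puts several of the actions above on one class so the fixed order, the global/interface interaction and the incompatibilities are visible. The interface name (outside), the address 192.0.2.10 and the WEB_TRAFFIC, WEB_SERVERS, TCP_HARDEN and OUTSIDE_POLICY names are assumptions.

```cisco
! Added example, not from Petr's article or this page. The interface name
! (outside), the address 192.0.2.10 and the WEB_TRAFFIC / WEB_SERVERS /
! TCP_HARDEN / OUTSIDE_POLICY names are assumptions.
!
! Global policy: inspection only. Applied on every interface (ingress).
class-map inspection_default
 match default-inspection-traffic
!
policy-map global_policy
 class inspection_default
  inspect dns
  inspect ftp
  inspect http
service-policy global_policy global
!
! Interface policy: several actions stacked on one class. Whatever order they
! are typed in, the ASA runs them in the fixed order from the list above:
! police input -> set connection / tcp-map -> inspect -> police output.
access-list WEB_TRAFFIC extended permit tcp any host 192.0.2.10 eq www
class-map WEB_SERVERS
 match access-list WEB_TRAFFIC
!
! Advanced TCP normalization parameters, referenced by set connection below.
tcp-map TCP_HARDEN
 reserved-bits clear
 urgent-flag clear
 checksum-verification
 exceed-mss drop
!
policy-map OUTSIDE_POLICY
 class WEB_SERVERS
  police input 1000000 150000
  police output 1000000 150000
  set connection conn-max 2000 embryonic-conn-max 300 random-sequence-number enable
  set connection timeout embryonic 0:00:30 half-closed 0:05:00
  set connection advanced-options TCP_HARDEN
  inspect http
  ! "priority" is not accepted in this class: it cannot share a class with
  ! police. "shape average" would have to go under class-default of this
  ! interface policy, and is never accepted in global_policy.
service-policy OUTSIDE_POLICY interface outside
!
! Flows to 192.0.2.10:80 match both policies. For the one feature both
! specify (inspect http) the interface policy's instance is the one applied;
! the global policy still supplies inspect dns and inspect ftp.
! Check what each class actually carries, and the hit counters per action:
show service-policy interface outside
show service-policy global
```

The two show commands are the quickest way to confirm that a stacked class really carries every action you typed: an action that was silently rejected because of an incompatibility will be missing from the output rather than listed with zero hits.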

Wednesday, October 6, 2010

ASA – Command Authorization

There are three ways to do this:

  • using the enable command
  • using a locally defined username and password
  • using a username and password defined on an AAA server

Using the enable command for authorization

Create a different enable password for each desired privilege level.

ASA-Roy(config)# enable password level9 level 9
ASA-Roy(config)# enable password level11 level 11

Adjust the commands' privilege levels.
In this example, level 9 can show access-lists and level 11 can configure them.

ASA-Roy(config)# privilege show level 9 mode exec command access-list
ASA-Roy(config)# privilege configure level 11 command access-list

Be careful that the 'parent' command's level is adjusted accordingly as well, otherwise you will not be able to use the command even if it is configured correctly.
For example, you need to allow 'configure terminal' at privilege 11, otherwise you cannot enter global configuration mode to issue the 'access-list' command.

Enable command authorization and make sure you do NOT enable "enable authentication" through AAA or LOCAL:

ASA-Roy(config)# aaa authorization command LOCAL
ASA-Roy(config)# no aaa authentication enable console LOCAL
or
ASA-Roy(config)# no aaa authentication enable console AAA_Method

If you do, you will get the following error message when you try to issue ‘enable privilege_level’ command.

ASA-Roy> sh curpriv
Username : admin_asa
Current privilege level : 1
Current Mode/s : P_UNPR
ASA-Roy> enable 9
Enabling to privilege levels is not allowed when configured for
AAA authentication. Use 'enable' only.

Using a local user for command authorization

ASA-Roy(config)# aaa authentication enable console LOCAL
ASA-Roy(config)# username level9 password level9 privilege 9
ASA-Roy(config)# username level11 password level11 privilege 11

User Access Verification

Password:
Type help or '?' for a list of available commands.
ASA-Roy> enable
Username: level11
Password: *******
ASA-Roy# sh curpriv
Username : level11
Current privilege level : 11
Current Mode/s : P_PRIV

Using an external AAA server for command authorization

aaa authorization command AAA_GROUP LOCAL
ASA-Roy# sh run aaa-
aaa-server AAA_GROUP protocol tacacs+
aaa-server AAA_GROUP (inside) host 1.1.1.1
key *****


ACS screenshots (three images, not reproduced here).

Friday, October 1, 2010

ASA – CTP (Cut-Through Proxy) with AAA

In some circumstances, using an ACL to control access is still not enough:

For example, you have two user groups, Finance and HR, and two server groups, Finance and HR. You want the Finance group to access the Finance servers but not the HR servers, and vice versa: HR users can access only the HR servers, not the Finance servers. If the users get their addresses from DHCP, how can you enforce the restriction with source-address ACLs?

The solution is CTP with AAA. It is like adding an extra lock to the servers, with the username/password as the key: after the traffic passes the interface ACL, the ASA prompts the user to authenticate if CTP is enabled.

CTP - Authentication

  • CTP supports the FTP, Telnet, HTTP and HTTPS protocols.
  • CTP supports multiple proxy connections; the number can be limited with the 'aaa proxy-limit' command.
  • The authentication prompt can be customized with the 'auth-prompt {accept | reject | prompt} prompt_string' command.
  • Authentication timeouts are controlled with the 'timeout uauth hh:mm:ss [absolute | inactivity]' command.
  • CTP authentication for the HTTP protocol
    1. Basic Auth (HTTP/HTTPS): ideal if the destination web server also requests Basic Auth and the credentials are identical, since you only need to enter them once.
    2. Internal Web (HTTP/HTTPS):
  • Two ways to configure CTP authentication
    1. aaa authentication {include | exclude}
    2. aaa authentication match (preferred method)
  • To control access for unsupported applications
    1. virtual telnet
    2. virtual http

CTP – Authorization

There are two main problems with CTP authentication:

  • Users need to access multiple internal devices, but with CTP authentication the user would have to authenticate to each individual device.
  • CTP authentication is global: once a user authenticates, he can access all the requested services; in other words, you can't control who accesses what service.

CTP authorization options

  • Classic method
    • Only supports TACACS+ with ACS.
    • Disadvantage: each connection the authenticated user opens incurs an initial delay while the policy lookup occurs.
    • Advantage: a policy change on the AAA server takes effect immediately.
  • Downloadable ACLs (newer and preferred)
    • AAA authenticates the user; if authentication succeeds, ACS sends the name of the ACL to the appliance.
    • The appliance checks whether that ACL was already downloaded and either uses the cached copy or downloads it from ACS.
    • That ACL determines what the user can access; the interface ACL is ignored for the user's traffic.
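A configuration, added here as an example (not from the page or the referenced book), that turns the authentication and authorization bullets above into one working setup: the interface ACL that still gates the traffic first, the preferred aaa authentication match form, classic TACACS+ per-connection authorization, prompt and uauth tuning, and a virtual telnet address for applications that cannot carry the prompt. The interface names, addresses, the INSIDE_IN and CTP_AUTH ACLs and the CTP_AAA server group are assumptions.

```cisco
! Added example, not from the page or the referenced book. Interface names,
! addresses, the INSIDE_IN / CTP_AUTH ACLs and the CTP_AAA group are assumed.
!
! AAA server that answers the cut-through proxy prompts. TACACS+ is used
! because the classic authorization method below requires it.
aaa-server CTP_AAA protocol tacacs+
aaa-server CTP_AAA (inside) host 10.0.0.5
 key S3cr3tKey
!
! 1. The interface ACL is evaluated first. At the network level both user
!    ranges may reach both server ranges; the per-user decision comes later.
access-list INSIDE_IN extended permit tcp 10.10.0.0 255.255.0.0 10.20.0.0 255.255.0.0 eq www
access-list INSIDE_IN extended permit tcp 10.10.0.0 255.255.0.0 10.20.0.0 255.255.0.0 eq telnet
access-group INSIDE_IN in interface inside
!
! 2. Traffic that must trigger the authentication prompt (match form).
!    Only Telnet, FTP, HTTP and HTTPS flows can carry the prompt itself.
access-list CTP_AUTH extended permit tcp 10.10.0.0 255.255.0.0 10.20.0.0 255.255.0.0 eq www
access-list CTP_AUTH extended permit tcp 10.10.0.0 255.255.0.0 10.20.0.0 255.255.0.0 eq telnet
aaa authentication match CTP_AUTH inside CTP_AAA
!
! 3. Classic authorization: every new connection from an authenticated user
!    is checked against that user's TACACS+ policy, so a change on the server
!    applies at once, at the cost of a lookup delay per connection.
!    With downloadable ACLs from ACS, drop this line: the ACL returned at
!    login is applied to the user's traffic instead of the interface ACL.
aaa authorization match CTP_AUTH inside CTP_AAA
!
! Prompt text, proxy connection limit and how long an authentication lives.
auth-prompt prompt Enter your Finance or HR credentials
auth-prompt accept Access granted
auth-prompt reject Access denied
aaa proxy-limit 16
timeout uauth 0:30:00 inactivity
!
! Applications that cannot show the prompt (database clients, for instance):
! the user first telnets to this unused address routed to the ASA, and the
! resulting uauth entry then covers the other protocols for that source IP.
virtual telnet 10.0.0.99
!
! Who is currently authenticated, from which address, and remaining time:
show uauth
```

Because the uauth entry is keyed on the client's source IP address, a DHCP-assigned address inherits nothing from its previous owner: the new user has to authenticate again before the per-user policy applies, which is exactly the property the ACL-only design lacks.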

 

Reference:

Richard Deal, Cisco ASA Configuration (Networking Professional's Library), McGraw-Hill, 2009.
http://www.amazon.com/Cisco-Configuration-Networking-Professionals-Library/dp/0071622691/ref=sr_1_2?ie=UTF8&s=books&qid=1285924140&sr=8-2-spell