Tuesday, October 19, 2010

After reading this article, I admit I had underestimated MPF.

 

It is much more sophisticated than what I was thinking.

Thanks for the great article from Petr.

http://blog.ine.com/2009/04/19/understanding-modular-policy-framework/

 

Actions are applied in the following sequence within MPF.

  1. QoS input policing. Applies to traffic entering the firewall and enforces a traffic rate. Configured using the command police input under the policy-map.
  2. TCP normalization. TCP and UDP connection limits and timeouts, and TCP sequence number randomization. Performs TCP connection modification and monitoring to enforce security settings. Configured using the command set connection and a pre-configured tcp-map with the advanced TCP parameters.
  3. CSC (if installed). Content security.
  4. Application inspection (multiple types). The core of the stateful firewall. Parses traffic streams and detects application protocols and their commands. Allows enforcing per-application security policies. The command to apply inspection is inspect {protocol-name}. Can be fine-tuned using inspection policy-maps.
  5. IPS (if installed). Intrusion prevention; allows the firewall to work as an inline IPS.
  6. QoS output policing. Applies to traffic leaving the firewall and enforces the specified rate. The command is police output.
  7. QoS interface priority queue. Services traffic using the interface-level low-latency queue. Configured using the command priority. Cannot be applied along with the policing feature.
  8. QoS traffic shaping, hierarchical priority queue. Mutually exclusive with any other interface-level QoS feature. Traffic shaping can only be applied under class-default.
Feature                                                 | Interface-Level Direction | Global Policy Direction | Flow-aware feature
QoS Input Policing                                      | Ingress                   | Ingress                 |
TCP Normalization, Connection Limits, ISN randomization | Bidirectional             | Ingress                 | Yes
CSC                                                     | Bidirectional             | Ingress                 | Yes
Application Inspection                                  | Bidirectional             | Ingress                 | Yes
IPS                                                     | Bidirectional             | Ingress                 | Yes
QoS Output Policing                                     | Egress                    | Egress                  |
QoS Interface-Level PQ                                  | Egress                    | Egress                  |
QoS Shaping, Hierarchical PQ                            | Egress                    | N/A                     |

Feature Incompatibilities

As you remember, you can apply multiple actions under the same class. Some actions just can't go together. Here is the list of limitations:

1) You can’t combine policing and interface-level priority queuing for the same class.
2) You can’t configure shaping in global policy map.
3) You can only shape ALL traffic leaving the interface, i.e. you can only shape under class-default.
4) You cannot configure two inspect actions under the same class, except for the default-inspection-traffic class.

 

Application priorities:

  1. CTIQBE
  2. DNS
  3. FTP
  4. GTP
  5. H323
  6. HTTP
  7. ICMP
  8. ICMP error
  9. ILS
  10. MGCP
  11. NetBIOS
  12. PPTP
  13. Sun RPC
  14. RSH
  15. RTSP
  16. SIP
  17. Skinny
  18. SMTP
  19. SNMP
  20. SQL*Net
  21. TFTP
  22. XDMCP
  23. DCERPC
  24. Instant Messaging

Here is the list of basic points about MPF:

1) Service policies could be applied globally or per-interface.

2) A packet flow can match multiple classes.

2.1) If two or more classes specify the same feature, the firewall applies a deterministic procedure to resolve the conflict.

2.2) If the classes specify different features, they are combined, provided that the features can be used together.

3) Many firewall features are aware of stateful traffic flows.

4) The order in which the features are applied is fixed and does not depend on the order of classes in the policy-maps.
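To make the fixed action order and the incompatibility list concrete, here is a small validator. It is an added example, not code from this post, from the INE article it links to, or from Cisco. It sorts the actions configured under a class into the MPF application order and rejects the combinations listed above; the policy representation (a list of (class_name, match, [actions]) tuples) and the action keywords are assumptions for the model, not ASA syntax.

```python
"""Toy validator for the MPF rules summarized above.

Added example, not code from the blog post, from the INE article it cites, or
from Cisco.  The policy representation, a list of (class_name, match, [actions])
tuples, and the action keywords are assumptions for the model, not ASA syntax.
"""

# Fixed order in which the ASA applies features (from the post); the order of
# classes inside the policy-map does not change it.
MPF_ORDER = [
    "police input",    # 1. QoS input policing
    "set connection",  # 2. TCP normalization, connection limits, ISN randomization
    "csc",             # 3. content security (if installed)
    "inspect",         # 4. application inspection
    "ips",             # 5. IPS (if installed)
    "police output",   # 6. QoS output policing
    "priority",        # 7. interface-level priority queue
    "shape",           # 8. traffic shaping / hierarchical priority queue
]

INTERFACE_QOS = {"police input", "police output", "priority"}


def feature_of(action):
    """Map a configured action string (e.g. 'inspect http') to its MPF feature."""
    for feature in MPF_ORDER:
        if action == feature or action.startswith(feature + " "):
            return feature
    raise ValueError(f"unknown MPF action: {action!r}")


def apply_order(actions):
    """Return the class's actions in the order the ASA will apply them."""
    return sorted(actions, key=lambda a: MPF_ORDER.index(feature_of(a)))


def validate_class(class_name, match, actions, is_global):
    """Check one class against the incompatibility rules from the post."""
    features = [feature_of(a) for a in actions]
    problems = []
    has_police = "police input" in features or "police output" in features
    if "priority" in features and has_police:                         # rule 1
        problems.append(f"{class_name}: policing and priority queuing cannot share a class")
    if "shape" in features:
        if is_global:                                                 # rule 2
            problems.append(f"{class_name}: shaping is not allowed in the global policy-map")
        if class_name != "class-default":                             # rule 3
            problems.append(f"{class_name}: shaping is only allowed under class-default")
        if INTERFACE_QOS & set(features):                             # item 8 above
            problems.append(f"{class_name}: shaping excludes other interface-level QoS features")
    if features.count("inspect") > 1 and match != "default-inspection-traffic":   # rule 4
        problems.append(f"{class_name}: only one inspect per class (except default-inspection-traffic)")
    return problems


def validate_policy(policy_map, is_global):
    """Run validate_class over every class and collect the violations."""
    problems = []
    for class_name, match, actions in policy_map:
        problems.extend(validate_class(class_name, match, actions, is_global))
    return problems


# Constructed sample global policy: the shaping line under class-default is the
# only thing wrong with it (rule 2); everything else is allowed.
SAMPLE_GLOBAL_POLICY = [
    ("inspection_default", "default-inspection-traffic",
     ["inspect dns", "inspect ftp", "inspect http"]),
    ("tcp_limits", "access-list TCP_LIMITS",
     ["inspect http", "set connection conn-max 1000"]),
    ("class-default", "any", ["shape average 8000000"]),
]

if __name__ == "__main__":
    for class_name, _, actions in SAMPLE_GLOBAL_POLICY:
        print(class_name, "->", apply_order(actions))
    print(validate_policy(SAMPLE_GLOBAL_POLICY, is_global=True))
```

Run with the sample policy as a global policy, the validator reports only the shaping violation; the same policy applied per-interface passes, which is exactly the distinction rule 2 draws.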

Wednesday, October 6, 2010

ASA – Command Authorization

 

There are three ways to do this:

  • using the enable command
  • using a locally defined username and password
  • using a username and password defined on an AAA server

 

Using the enable command for authorization

Create a different enable password for each desired privilege level.

ASA-Roy(config)# enable password level9 level 9
ASA-Roy(config)# enable password level11 level 11

Adjust the commands' privilege levels.
In this example, level 9 can show access-lists and level 11 can configure access-lists.

ASA-Roy(config)# privilege show level 9 mode exec command access-list
ASA-Roy(config)# privilege configure level 11 command access-list

It is important to be careful that the 'parent' command's privilege level is adjusted accordingly as well; otherwise you will not be able to use the command even if it is configured correctly.
For example, you need to enable 'configure terminal' for privilege 11; otherwise you will not be able to enter global configuration mode to issue the 'access-list' command.

Enable command authorization and make sure you do NOT enable "enable authentication" through AAA or LOCAL.

ASA-Roy(config)# aaa authorization command LOCAL
ASA-Roy(config)# no aaa authentication enable console LOCAL
or
ASA-Roy(config)# no aaa authentication enable console AAA_Method

If you do, you will get the following error message when you try to issue the 'enable privilege_level' command.

ASA-Roy> sh curpriv
Username : admin_asa
Current privilege level : 1
Current Mode/s : P_UNPR
ASA-Roy> enable 9
Enabling to privilege levels is not allowed when configured for
AAA authentication. Use 'enable' only.
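The 'parent command' pitfall above is easy to reproduce in a small model. This is an added example, not code from this post or from Cisco: a toy privilege table in which a command is runnable only if it and every mode-entering command above it are at or below the user's level. The mode hierarchy, the assumed default level of 15, and the two mirror methods (privilege / privilege_show) are constructs for the model; only the privilege commands they mimic come from the post.

```python
"""Toy model of ASA command authorization by privilege level.

Added example, not code from the blog post or from Cisco.  The command table,
the mode hierarchy and the default level of 15 are assumptions for the model.
"""

# Mode hierarchy: each non-exec mode is entered from a parent mode by a command.
# Constructed for the example; only the modes the post uses are modelled.
MODE_PARENT = {
    "configure": ("exec", "configure terminal"),
}


class PrivilegeTable:
    def __init__(self, default_level=15):
        self.default_level = default_level   # assumed: unlisted commands need level 15
        self.levels = {}                     # (mode, command) -> level

    def privilege(self, mode, command, level):
        """Mirror of 'privilege <mode> level <level> command <command>'."""
        self.levels[(mode, command)] = level

    def privilege_show(self, mode, command, level):
        """Mirror of 'privilege show level <level> mode <mode> command <command>'."""
        self.levels[(mode, "show " + command)] = level

    def level_of(self, mode, command):
        return self.levels.get((mode, command), self.default_level)

    def can_run(self, user_level, mode, command):
        """True only if every mode-entering parent command AND the command
        itself are at or below the user's privilege level."""
        m = mode
        while m in MODE_PARENT:
            parent_mode, parent_cmd = MODE_PARENT[m]
            if self.level_of(parent_mode, parent_cmd) > user_level:
                return False          # cannot even enter the mode
            m = parent_mode
        return self.level_of(mode, command) <= user_level


def build_post_config(lower_parent):
    """Apply the two privilege commands from the post; with lower_parent=True
    also lower 'configure terminal' so that level 11 can reach config mode."""
    table = PrivilegeTable()
    table.privilege_show("exec", "access-list", 9)    # privilege show level 9 mode exec command access-list
    table.privilege("configure", "access-list", 11)   # privilege configure level 11 command access-list
    if lower_parent:
        table.privilege("exec", "configure terminal", 11)
    return table


if __name__ == "__main__":
    for lower in (False, True):
        t = build_post_config(lower)
        print("configure terminal lowered:", lower,
              "| level 11 can configure access-list:",
              t.can_run(11, "configure", "access-list"))
```

With only the two privilege commands applied, a level 11 user is still blocked from 'access-list' in configure mode because 'configure terminal' remains at level 15; lowering the parent command to 11 is what makes the rule take effect.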

 

Using local user for command authorization

ASA-Roy(config)# aaa authentication enable console LOCAL
ASA-Roy(config)# username level9 password level9 privilege 9
ASA-Roy(config)# username level11 password level11 privilege 11

User Access Verification

Password:
Type help or '?' for a list of available commands.
ASA-Roy> enable
Username: level11
Password: *******
ASA-Roy# sh curpriv
Username : level11
Current privilege level : 11
Current Mode/s : P_PRIV

 

Using external AAA server for command authorization

aaa authorization command AAA_GROUP LOCAL
ASA-Roy# sh run aaa-
aaa-server AAA_GROUP protocol tacacs+
aaa-server AAA_GROUP (inside) host 1.1.1.1
key *****


ACS Screenshot (three screenshots, not reproduced here)

Friday, October 1, 2010

ASA – CTP(Cut-Through Proxy) with AAA

 

In some circumstances, using an ACL to control access is still not enough:

For example, you have two user groups, Finance and HR. You also have two server groups, Finance and HR. You want the Finance group to have access to the Finance servers but not the HR servers. Vice versa, HR users can access only the HR servers but not the Finance servers. And if they are in a DHCP environment, how can you enforce the restriction?

The solution is CTP with AAA. It is like adding an extra lock on the servers, and the key is a username/password. After a connection passes the interface ACL, the ASA will prompt the user to authenticate if CTP is enabled.

CTP - Authentication

  • CTP supports the FTP, Telnet and HTTP/HTTPS protocols.
  • CTP supports multiple proxy connections, and their number can be limited with the 'aaa proxy-limit' command.
  • The authentication prompt can be customized with the 'auth-prompt {accept | reject | prompt} prompt_string' command.
  • Authentication timeouts can be controlled with the 'timeout uauth hh:mm:ss [absolute | inactivity]' command.
  • CTP auth in the HTTP protocol
    1. Basic Auth (HTTP/HTTPS): Ideal if the destination web server also requests Basic Auth and the id/pw are identical. You only need to enter the id/pw once.
    2. Internal Web (HTTP/HTTPS):
  • Two ways to configure CTP authentication
    1. aaa authentication {include | exclude}
    2. aaa authentication match (preferred method)
  • To control access for non-supported applications
    1. virtual telnet
    2. virtual http

 

CTP – Authorization

There are two main problems with CTP authentication:

  • Users need to access multiple internal devices, but with CTP authentication the user would have to authenticate to each individual device.
  • CTP authentication is global: once a user authenticates, he can access all the requested services; in other words, you can't control who accesses which service.

 

CTP authorization options

  • Classic method
    • Only supports TACACS+ with ACS.
    • Disadvantage: each connection the authenticated user opens incurs an initial delay while the policy lookup occurs.
    • Advantage: a policy change on the AAA server takes effect immediately.
  • Downloadable ACLs (newer & preferred)
    • AAA authenticates the user; if authenticated, ACS sends the name of the ACL to the appliance.
    • The appliance checks whether the ACL was already downloaded and either uses it or downloads it from ACS.
    • The ACL is used to determine what the user can access; the interface ACL is ignored.

 

Reference:

http://www.amazon.com/Cisco-Configuration-Networking-Professionals-Library/dp/0071622691/ref=sr_1_2?ie=UTF8&s=books&qid=1285924140&sr=8-2-spell

Monday, September 27, 2010

ASA – Network Attack Prevention

 

Threat Detection

  • Basic threat detection (performance impact low)
    Monitors dropped packet rates and security events. If it sees a threat, the appliance generates a log message with the log identifier number 730100. The kinds of security events or dropped packet rates that the appliance monitors include:
    • Matches on deny statements in ACLs.
    • Malformed packets (for example, invalid IP header values or an incorrect header length).
    • Packets that fail application layer inspection policies defined by the Modular Policy Framework (MPF) or that fail checks built into the application inspection process itself. (For example, if a specified URL in a policy was seen, causing an HTTP connection to be reset, or if a wiz command was executed on an SMTP/ESMTP connection, respectively.)
    • Defined connection limits that have been exceeded, which includes global system values as well as limits you've defined with MPF or the static/nat commands.
    • Seeing unusual ICMP packets or connections.
    • Examining the combined rate of all security-related packet drops in this bulleted list.
    • An interface became overloaded, causing packet drops.
    • A scanning attack was detected. (For example, the TCP three-way handshake failed, or the first packet in a TCP connection was not a SYN—this is discussed in the “Scanning Threat Detection” section later in the chapter.)
    • An incomplete connection was detected. (For example, the TCP three-way handshake failed, or UDP traffic is only seen in one direction of a connection.)
  • Scanning threat detection (performance impact high)
    • Disabled by default.
    • Detects scan attacks and optionally shuns the attacker.
    • Shunning can also be done manually and unconditionally, which takes precedence over any policy control (ACL, inspection, even conn table checking).
  • Threat detection statistics (performance impact high)
    • Disabled by default.
    • Monitors the appliance's threat statistics.

IP Audit

  • Software-based IPS.
  • Signatures are classed as Information or Attack.
  • 50+ signatures to detect attacks.

TCP Normalization

  • Prevents abnormal or unusual TCP packets.
  • Extension of MPF.
  • Create a TCP map to define the abnormal criteria.

RPF - Reverse Path Forwarding

  • RFC 2267
  • Prevents IP spoofing attacks.
  • Compares the source address in the packet with the routing table to verify where it is coming from.
  • Drops the packet if it comes from a network that is not associated with the source interface.

Fragmentation Limits

  • Use the fragment command to control how many fragments may make up a packet.

http://www.amazon.com/Cisco-Configuration-Networking-Professionals-Library/dp/0071622691/ref=sr_1_2?ie=UTF8&s=books&qid=1285924140&sr=8-2-spell

ASA – Failover

 

Types

  • Active/Standby
  • Active/Active (need multiple context)

HW, SW and configuration requirements

  • Hardware Requirements
    • The two units in a failover configuration must be the same model, have the same number and types of interfaces, and the same SSMs installed (if any).
    • If you are using units with different Flash memory sizes in your failover configuration, make sure the unit with the smaller Flash memory has enough space to accommodate the software image files and the configuration files. If it does not, configuration synchronization from the unit with the larger Flash memory to the unit with the smaller Flash memory will fail.
    • Although it is not required, it is recommended that both units have the same amount of RAM installed.
  • Software Requirements
    • The two units in a failover configuration must be in the same operating modes (routed or transparent, single or multiple context). They must have the same major (first number) and minor (second number) software version. However, you can use different versions of the software during an upgrade process; for example, you can upgrade one unit from Version 7.0(1) to Version 7.0(2) and have failover remain active. We recommend upgrading both units to the same version to ensure long-term compatibility.

License requirements (PIX)

  • 3 license versions for PIX: UR (Unrestricted), R (Restricted) & FO (Failover)
  • Valid combinations
    • UR+UR, R+R, UR+FO, R+FO
  • UR+UR supports A/A and A/S
  • UR+FO supports only A/S

Chassis vs. Stateful failover

  • With unit failover, the secondary unit syncs its config with the primary and takes over when the primary fails. All xlates, conns, VPN sessions, etc. are dropped when the primary fails.
  • With stateful failover, an extra stateful link is used to replicate session data from the primary to the secondary unit, so sessions are kept even if the primary unit fails.

Failover Link Serial vs. LAN-based failover (LBF)

  • Serial: dedicated to PIX, a Cisco proprietary RS-232 cable clocked at 115 Kbps with DB-15 connectors. The cable defines the primary and secondary ends.
  • LBF: introduced in v6.2, uses an Ethernet interface instead of a serial cable. ASA uses LBF as the failover link. Can be combined with the stateful link.

Failover communications

  • The state of the appliances: active or standby
  • Power status, if PIX with a serial failover link
  • Failover hello messages
  • Network link status of the appliance interfaces
  • Exchange of MAC addresses used on the appliance interfaces
  • Configuration of the active unit synchronized with the standby unit
  • With stateful failover, the following are synced:
    • xlate table
    • conn table
    • VPN sessions (only in A/S mode)
    • MAC address table (only in transparent mode)
    • SIP signaling information
    • Current date and time.

Failover link monitoring

  • Both the failover and the data interfaces are monitored by the failover pair.
  • Failover hellos are sent on the failover link every 15 seconds by default (minimum 200 ms).
  • Hold time is 45 s (3 hello intervals).
  • Interface tests are run to determine whether the active unit has failed.
  • If the active unit or its interfaces fail, the standby unit promotes itself to the active state.

Interface Monitoring

If a hello message from the mate is not seen on a monitored interface for one-half of the hold-down period, the appliance runs interface tests on the suspect interface to determine what the problem is.
The 4 tests are:

  • Link up/down test
  • network activity test
  • ARP test
  • Broadcast ping test.

Saturday, September 25, 2010

ASA – multiple context mode

 

Licensing

PIX 515 and higher and ASA 5510 and higher support contexts.

Context Uses

  • Active/active failover
  • ISPs and co-location/hosting companies that host services requiring firewall functions
  • Needing more than one firewall in the same physical location

Context Restriction

  • Dynamic routing protocols (unicast & multicast) are unsupported; only static routes are available.
  • No VPN support, whether IPSec, L2TP or WebVPN.
  • Threat detection is unsupported.

System Area

  • Holds the system-wide configuration.
  • Creates/deletes contexts.
  • Doesn't count as a context itself.
  • Accessed through the admin context.
  • Uses the admin context to communicate with external devices/services.

Context

  • Has a name, interfaces allocated to it, and a configuration file that stores the security policies and configuration of the context itself.
  • By default, the 'admin' context is the administrative context used to access the system area.
  • Any context can be the admin context, but only one at a time. (admin-context context_name)

Context chaining

  • Contexts can be chained by sharing a common physical/VLAN interface.
  • Only the MAC address and the translation rules are used to match a packet to a context when interfaces are shared.
  • It is recommended to assign a unique MAC address to each context's interface. (mac-address auto)

Managing Resources

The following resources can be defined (limited) for a context.

  • Management connections: ASDM, telnet & ssh.
  • Hosts.
  • MAC addresses.
  • Xlates in the translation table.
  • Connections in the state table.
  • Syslog messages/second.
  • Application inspections/second.

Thursday, September 23, 2010

Is hard-coding speed & duplex always the right thing to do? Not necessarily!!

 

To avoid speed/duplex mismatch problems, many configuration guides recommend fixing the speed/duplex on both the switch side and the end node side so that no duplex mismatch can arise. I have followed this rule for a long time without running into any problems, until that day.....

It all started with a branch office that needed to deploy video conferencing equipment. Because the bandwidth of the MPLS WAN is limited, the video conferencing currently runs over the Internet, so a firewall, a router and a 10M Internet circuit were purchased.

FW (e0/0-outside) <-------> (f0/1-LAN ) Router (f0/0-WAN) <----------> ISP BB

Following the rule of thumb mentioned above, I naturally set the speed/duplex of both the FW and the router interfaces to 100/full. After some simple testing, the video conference calls all set up successfully, so the case was closed quickly.

But once the system went live, some VIP-level users complained that the quality was poor, so troubleshooting began. Through the video conference device's management interface I found a packet loss problem, so I started checking from the Internet side. First I confirmed whether there was an asymmetric routing issue (since the two sites are in different countries), and also asked the ISP to re-route to see whether that would fix it, but none of it helped; the packet loss issue remained.

Because the packet loss was only one-way, I started to suspect that packets were being dropped by the ISP (CIR 10M). So I reconfigured QoS on the video conference device and the router, but the result was the same.

While puzzling over this, I suddenly noticed that e0/0 (outside) on the FW (ASA OS 8.0.4) was at 100/half. Apparently I'm getting old and had forgotten to set 100/full on the FW side, so I changed it right away.

Yeah~ fixed, right!?.....................NO, not at all! The link between the router and the FW outside interface went down!!

I double-checked the interface settings on the FW and the router; the settings were all correct. It felt like I was seeing a ghost.

ASA(config-if)# sh run int e0/0
!
interface Ethernet0/0
speed 100
duplex full
nameif outside
security-level 0

Router#sh run int f0/1
interface FastEthernet0/1
description To_Customer_LAN
load-interval 30
duplex full
speed 100

The FW interface was down/down, while the router's was up/down. Was I dreaming?

ASA(config-if)# sh int e0/0
Interface Ethernet0/0 "outside", is down, line protocol is down
  Hardware is i82546GB rev03, BW 1000 Mbps, DLY 10 usec
        Auto-Duplex(Half-duplex), Auto-Speed(100 Mbps)
        MAC address c84c.7552.15b8, MTU 1500
        IP address 203.117.9.146, subnet mask 255.255.255.240
        42260544 packets input, 32562517068 bytes, 0 no buffer
        Received 103466 broadcasts, 0 runts, 0 giants
        0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
        0 L2 decode drops
        34853064 packets output, 10635547375 bytes, 0 underruns
        0 output errors, 71776 collisions, 2 interface resets
        0 babbles, 86297 late collisions, 437184 deferred
        0 lost carrier, 0 no carrier
        input queue (curr/max packets): hardware (0/17) software (0/0)
        output queue (curr/max packets): hardware (0/0) software (0/0)

SGSIN-B01F09C01-RTI01#sh int f0/1
FastEthernet0/1 is up, line protocol is down
  Hardware is MV96340 Ethernet, address is fcfb.fba0.6541 (bia fcfb.fba0.6541)
  Description: To_Customer_LAN
  Internet address is 203.117.9.145/28
  MTU 1500 bytes, BW 100000 Kbit/sec, DLY 100 usec,
     reliability 255/255, txload 1/255, rxload 1/255
  Encapsulation ARPA, loopback not set
  Keepalive set (10 sec)
  Full-duplex, 100Mb/s, 100BaseTX/FX
  ARP type: ARPA, ARP Timeout 04:00:00
  Last input 03:19:21, output 00:00:09, output hang never
  Last clearing of "show interface" counters never
  Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0
  Queueing strategy: fifo
  Output queue: 0/40 (size/max)
  30 second input rate 0 bits/sec, 0 packets/sec
  30 second output rate 0 bits/sec, 0 packets/sec
     34853769 packets input, 1906329303 bytes
     Received 1 broadcasts, 80319 runts, 0 giants, 0 throttles
     163190 input errors, 82871 CRC, 0 frame, 0 overrun, 0 ignored
     0 watchdog
     0 input packets with dribble condition detected
     42656842 packets output, 2314899508 bytes, 0 underruns
     0 output errors, 0 collisions, 2 interface resets
     0 unknown protocol drops
     0 babbles, 0 late collision, 0 deferred
     0 lost carrier, 0 no carrier
     0 output buffer failures, 0 output buffers swapped out

I bounced the interface a few times with no luck; in the end I simply changed both sides to auto/auto, and to my surprise the link came up. Not believing it, I changed back to 100/full, and it went down again.

I think this is probably a bug, but it once again proves that although troubleshooting has rules of thumb, in practice you still have to stay flexible and not assume that any setting is necessarily correct; otherwise you may waste a lot of time.
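The two 'show interface' outputs above carry the classic duplex-mismatch fingerprint: the side that ran half-duplex (the ASA, with 86297 late collisions and 437184 deferred) against a full-duplex peer (the router, with 80319 runts and 82871 CRC errors and zero collisions), plus the ASA still reporting Auto-Duplex(Half-duplex) while its configuration says duplex full. The following parser is an added example, not code from this post or from Cisco: it extracts link state, negotiated duplex/speed and error counters from the two output formats and flags these symptoms. The abbreviated output strings are copied from the post (only the lines the parser uses are kept); the symptom heuristic and the "A"/"B" labels are assumptions of the example.

```python
"""Parse ASA and IOS 'show interface' output and flag duplex-mismatch symptoms.

Added example, not code from the blog post or from Cisco.  The heuristic
(late collisions/deferred = half-duplex side, runts/CRC with no collisions =
full-duplex side) is an assumption of the example, and the two regex formats
cover only the ASA 8.0 and IOS output shapes shown in the post.
"""
import re

# Abbreviated copies of the two outputs shown in the post (unused lines dropped).
ASA_SHOW_INT = """\
Interface Ethernet0/0 "outside", is down, line protocol is down
  Hardware is i82546GB rev03, BW 1000 Mbps, DLY 10 usec
        Auto-Duplex(Half-duplex), Auto-Speed(100 Mbps)
        42260544 packets input, 32562517068 bytes, 0 no buffer
        Received 103466 broadcasts, 0 runts, 0 giants
        0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
        34853064 packets output, 10635547375 bytes, 0 underruns
        0 output errors, 71776 collisions, 2 interface resets
        0 babbles, 86297 late collisions, 437184 deferred
"""

IOS_SHOW_INT = """\
FastEthernet0/1 is up, line protocol is down
  Hardware is MV96340 Ethernet, address is fcfb.fba0.6541 (bia fcfb.fba0.6541)
  Full-duplex, 100Mb/s, 100BaseTX/FX
     34853769 packets input, 1906329303 bytes
     Received 1 broadcasts, 80319 runts, 0 giants, 0 throttles
     163190 input errors, 82871 CRC, 0 frame, 0 overrun, 0 ignored
     42656842 packets output, 2314899508 bytes, 0 underruns
     0 output errors, 0 collisions, 2 interface resets
     0 babbles, 0 late collision, 0 deferred
"""

COUNTERS = {
    "runts": r"(\d+) runts",
    "crc": r"(\d+) CRC",
    "input_errors": r"(\d+) input errors",
    "collisions": r"(\d+) collisions",          # does not match "N late collisions"
    "late_collisions": r"(\d+) late collisions?",
    "deferred": r"(\d+) deferred",
}


def parse_show_interface(text):
    """Extract link state, negotiated duplex/speed and the error counters above."""
    info = {}
    m = re.search(r"is (up|down|administratively down), line protocol is (up|down)", text)
    info["admin"], info["protocol"] = (m.group(1), m.group(2)) if m else (None, None)
    m = re.search(r"(half|full)-duplex", text, re.IGNORECASE)
    info["duplex"] = m.group(1).lower() if m else None
    # ASA prints "Auto-Speed(100 Mbps)", IOS prints "100Mb/s"; BW lines are skipped.
    m = re.search(r"Speed\((\d+) Mbps\)", text) or re.search(r"(\d+)Mb/s", text)
    info["speed"] = int(m.group(1)) if m else None
    for name, pattern in COUNTERS.items():
        m = re.search(pattern, text)
        info[name] = int(m.group(1)) if m else 0
    return info


def duplex_symptoms(info):
    """'half' = looks like the half-duplex end of a mismatch, 'full' = the
    full-duplex end, 'none' = no mismatch pattern in the counters."""
    if info["late_collisions"] > 0 or info["deferred"] > 0:
        return "half"   # the half side collides with a peer that never listens
    if info["collisions"] == 0 and (info["runts"] > 0 or info["crc"] > 0):
        return "full"   # the full side receives truncated/corrupted frames instead
    return "none"


def diagnose_link(side_a, side_b, configured_duplex=None):
    """Return findings for one link from both ends' parsed output."""
    findings = []
    for label, info in (("A", side_a), ("B", side_b)):
        if configured_duplex and info["duplex"] and info["duplex"] != configured_duplex:
            findings.append(f"{label}: configured {configured_duplex} but running {info['duplex']}")
    if side_a["duplex"] and side_b["duplex"] and side_a["duplex"] != side_b["duplex"]:
        findings.append("duplex mismatch between the two ends")
    if {duplex_symptoms(side_a), duplex_symptoms(side_b)} == {"half", "full"}:
        findings.append("error counters match a duplex mismatch pattern")
    if side_a["protocol"] == "down" or side_b["protocol"] == "down":
        findings.append("line protocol down on at least one end")
    return findings


if __name__ == "__main__":
    asa, ios = parse_show_interface(ASA_SHOW_INT), parse_show_interface(IOS_SHOW_INT)
    for finding in diagnose_link(asa, ios, configured_duplex="full"):
        print(finding)
```

Note that the counters are cumulative, so on the outputs from the post they document the earlier 100/half-vs-100/full period; the "configured full but running half" finding on the ASA side is the one that points at the state the post actually hit after the change. Clearing the counters before re-testing keeps the two observations apart.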