ASA – Network Attack Preventation

 

Threat Detection

• Basic threat detection (performance impact low)
  monitor dropped packet rates and security events. If it sees a threat, the appliance generates a log message with a log identifier number of 730100. The kinds of security events or dropped packet rates that the appliance monitors include:
• Matches on deny statements in ACLs.
• Malformed packets (for example, invalid IP header values or an incorrect header length).
• Packets that fail application layer inspection policies defined by the Modular Policy Framework (MPF) or that inherit in the application inspection process itself. (For example, if a specified URL in a policy was seen, causing an HTTP connection to be reset, or if a wiz command was executed on an SMTP/ESMTP connection respectively.)
• Defined connection limits that have been exceeded, which includes global system values as well as limits you’ve defined with MPF or the static/nat commands.
• Seeing unusual ICMP packets or connections.
•   Examining the combined rate of all security-related packet drops in this bulleted list.
• An interface became overloaded, causing packet drops.
• A scanning attack was detected. (For example, the TCP three-way handshake failed, or the first packet in a TCP connection was not a SYN—this is discussed in the “Scanning Threat Detection” section later in the chapter.)
• An incomplete connection was detected. (For example, the TCP three-way handshake failed, or UDP traffic is only seen in one direction of a connection.)
• Scanning threat detection (performance impact high)
• disabled by default
• detect scan attacks and optionally shun the attacker.
• shunning can also be made manually & unconditionally which take precedence over any policy control (acl , inspection, even conn table checking)
• Threat detection statistic (performance impact high)
  -disabled by default 
  -monitor the appliance threat statistics

IP Audit

• Software based IPS
• Information and Attack
• 50+ signatures to detect attacks.

TCP Normalization

• Prevent abnormal or unusual TCP packets.
• Extension of MPF.
• Create TCP map to define abnormal criteria.

RPF - Reverse Path Forwarding

• RFC 2267
• Prevent IP spoofing attacks
• Compare the src in packet with routing table to verifiy where it is coming from.
• Drop if packet is coming from a network that is not associated with the source interface.

Fragmentation Limits

• Use fragment to control how many fragments make up a packet.

http://www.amazon.com/Cisco-Configuration-Networking-Professionals-Library/dp/0071622691/ref=sr_1_2?ie=UTF8&s=books&qid=1285924140&sr=8-2-spell

ASA -Failover

 

Types

• Active/Standby
• Active/Active (need multiple context)

HW,SW and configuration requirement

• Hardware Requirements

The two units in a failover configuration must be the same model, have the same number and types of interfaces, and the same SSMs installed (if any).

If you are using units with different Flash memory sizes in your failover configuration, make sure the unit with the smaller Flash memory has enough space to accommodate the software image files and the configuration files. If it does not, configuration synchronization from the unit with the larger Flash memory to the unit with the smaller Flash memory will fail.

Although it is not required, it is recommended that both units have the same amount of RAM memory installed.

• Software Requirements

The two units in a failover configuration must be in the same operating modes (routed or transparent, single or multiple context). They must have the same major (first number) and minor (second number) software version. However, you can use different versions of the software during an upgrade process; for example, you can upgrade one unit from Version 7.0(1) to Version 7.0(2) and have failover remain active. We recommend upgrading both units to the same version to ensure long-term compatibility.

License requirement (PIX)

• 3 versions for PIX: UR(Unrestricted), R(Restricted) & FO(Failover)
• Valid combanition
  • UR+UR, R+R, UR+FO, R+FO
• UR+UR support a/a, a/s
• UR+FO support only a/s

Chassis vs. Stateful failover

• With Unit failover, secondary unit sync config with primary and take over when primary role failed. All xlate, conn, vpn session …etc. will be dropped when primary role failed.
• With stateful failover, an extra stateful link is used to replicate the session data from primary to secordary unit which can keep the sessions even primary unit failed.

Failover Link Serial vs. LAN-based failover (LBF)

• Serial: dedicated for PIX with Cisco proprietary RS-232 cable clocked at 115Kbps with DB-15 connector. Cable defines the primary and secondary end.
• LBF: Introduced in v6.2 which use Ethernet interface instead of a serial cable. ASA use LBF as failover link. Can be combined with stateful link.

Failover communications

• The state of the appliances: active or standby
• Power status if PIX with Serial failover link
• Failover hello messages
• Network link status of the appliances interfaces.
• Exchange of MAC addresses used on the appliance interfaces
• Configuration of the active unit synchronized with the standby unit
• With stateful failover, following are synced.
  • xlate table
  • conn table
  • VPN sessions (only in A/S mode)
  • MAC address table(Only in transparent mode)
  • SIP signaling information
  • Current date and time.

Failover link monitoring

• Both failover and data interfaces are monitored by the failover pair.
• Failover hello send on failover link every 15 seconds by default. (minimum 200ms)
• Hold time is 45s (3 hello messages interval).
• Interface test will be made to determine if active unit failed.
• If active unit/interfaces failed, standby unit promote itself to an active state.

Interface Monitoring

If a hello message from a mate is not seen on a monitored interface for one-half the hold-down period, the appliance will run interface tests on the suspect interface to determine what the problem is.
4 tests include,

• Link up/down test
• network activity test
• ARP test
• Broadcast ping test.

ASA – multiple context mode

 

Licensing

PIX 515 and higher and ASA 5510 and higher support contexts.

Context Uses

• active/active failover
• ISP, co-location/hosting companies that host services requiring firewall functions
• Need more than one firewall in the same physical location.
  

Context Restriction

• Dynamic routing protocols (unicast & multicast) are unsupported, only static routes available.
• No VPN support, no matter IPSec, L2TP or WebVPN.
• Threat detection is unsupported.

System Area

• system-wide configuration
• create/delete contexts
• doesn’t count as a context itself.
• accessed by admin context.
• leverage admin context to communicate with external devices/services.

Context

• Have a name, interfaces allocated to it and a configuration file to store the security policies and configuration of actual context itself.
• By default, ‘admin’ context is the administrative context to access system area.
• Any context can be admin context, but just only one. (admin-context context_name)

Context chaining

• Context can be chained by sharing a common physical/vlan interface.
• Only MAC address and translation rules are used to match a packet to a context when interfaces are shared.
• Recommend to assign unique MAC for interface of each context. (mac-address auto)

Managing Resources

Following resources can be defined(limited) for a context.

• Mgmt connections: ASDM, telnet & ssh.
• Hosts.
• MAC addresses
• Xlates in the translation table.
• Connectoins in the state table.
• Syslog messages/second.
• Applicaton inspections/second.

Hard coding speed & duplex 一定是對的嗎? 那可不一定哦!!

 

為了避免 speed/duplex mismatch 的問題, 很多 configuration guide 都會建議在 switch 端 和 end node 端把 speed/duplex 固定住 , 以免產生 duplex mismatch 的問題。這個原則我也已經奉行很久了, 一直沒有遇到什麼問題, 直到那天.....

事情要先從某個 branch office 要 deploy video conference 設備說起。因為 MPLS WAN 的 BW 有限, 所以目前是讓 video conf 跑在 Internet 上, 因此也採購了 firewall , router 和 10M Internet circuit。

FW (e0/0-outside) <-------> (f0/1-LAN ) Router (f0/0-WAN) <----------> ISP BB

根據前面提的經驗法則, 很自然的把 FW, Router Interfaces 的 speed/duplex 都設成 100/full。經過簡單的測試後 Video Conf 的 call 也都能 setup 成功, 因此很快就結案。

But, 當系統啟用後, 有大頭級的使用者抱怨 quality 不好, 所以就開始進行 troubleshooting。透過 Video conference device 的管理介面發現有 packet loss 的問題, 便開始先從 Internet 檢查起。 先確定是否有 asymmetric routing issue (因為兩個 site 在不同國家), 也請 ISP re-route 看是否能解決, 但是都沒有用, packet loss issue 依然存在。

因為 packet loss 的問題只有 one-way, 開始懷疑packet是不是被ISP drop(CIR 10M)了?  因此重新設定了 Video conference 和 router 的 QoS, 結果還是一樣。

正在納悶的時候, 突然注意到在 FW (ASA OS8.0.4) 的 e0/0 (outside) 是 100/half, 看來是我老了, 忘了在 fw 端設成 100/full了, 當下就趧快把它改過來了。

Ya~ 搞定了嗎!?.....................NO, 才怪! Router 和 FW outside 連線竟然斷了!!

再確認一次 FW 和 Router 的介面設定, 設定都對。心裏有種見鬼了的感覺。

ASA(config-if)# sh run int e0/0
!
interface Ethernet0/0
speed 100
duplex full
nameif outside
security-level 0

Router#sh run int f0/1
interface FastEthernet0/1
description To_Customer_LAN
load-interval 30
duplex full
speed 100

FW介面是 down/down, 而 Router 則是 up/down。 我是在作夢嗎?

ASA(config-if)# sh int e0/0
Interface Ethernet0/0 "outside", is down, line protocol is down
  Hardware is i82546GB rev03, BW 1000 Mbps, DLY 10 usec
        Auto-Duplex(Half-duplex), Auto-Speed(100 Mbps)
        MAC address c84c.7552.15b8, MTU 1500
        IP address 203.117.9.146, subnet mask 255.255.255.240
        42260544 packets input, 32562517068 bytes, 0 no buffer
        Received 103466 broadcasts, 0 runts, 0 giants
        0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
        0 L2 decode drops
        34853064 packets output, 10635547375 bytes, 0 underruns
        0 output errors, 71776 collisions, 2 interface resets
        0 babbles, 86297 late collisions, 437184 deferred
        0 lost carrier, 0 no carrier
        input queue (curr/max packets): hardware (0/17) software (0/0)
        output queue (curr/max packets): hardware (0/0) software (0/0)

SGSIN-B01F09C01-RTI01#sh int f0/1
FastEthernet0/1 is up, line protocol is down
  Hardware is MV96340 Ethernet, address is fcfb.fba0.6541 (bia fcfb.fba0.6541)
  Description: To_Customer_LAN
  Internet address is 203.117.9.145/28
  MTU 1500 bytes, BW 100000 Kbit/sec, DLY 100 usec,
     reliability 255/255, txload 1/255, rxload 1/255
  Encapsulation ARPA, loopback not set
  Keepalive set (10 sec)
  Full-duplex, 100Mb/s, 100BaseTX/FX
  ARP type: ARPA, ARP Timeout 04:00:00
  Last input 03:19:21, output 00:00:09, output hang never
  Last clearing of "show interface" counters never
  Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0
  Queueing strategy: fifo
  Output queue: 0/40 (size/max)
  30 second input rate 0 bits/sec, 0 packets/sec
  30 second output rate 0 bits/sec, 0 packets/sec
     34853769 packets input, 1906329303 bytes
     Received 1 broadcasts, 80319 runts, 0 giants, 0 throttles
     163190 input errors, 82871 CRC, 0 frame, 0 overrun, 0 ignored
     0 watchdog
     0 input packets with dribble condition detected
     42656842 packets output, 2314899508 bytes, 0 underruns
     0 output errors, 0 collisions, 2 interface resets
     0 unknown protocol drops
     0 babbles, 0 late collision, 0 deferred
     0 lost carrier, 0 no carrier
     0 output buffer failures, 0 output buffers swapped out

Bounce 了幾次 interface 都沒用, 最後乾脆都改成 auto/auto, 沒想到一改居然通了, 不信邪又改回 100/full , 結果又斷了。

我想應該是 bug 吧, 不過這又再一次印證了 troubleshooing 雖然有經驗法則, 但是實務上還是要靈活一點, 不要預設任何設定一定都是對的, 否則可能會浪費很多時間。