Transcript of 300-207.pdf

CCNP Security
Implementing Cisco Threat Control Solutions (300-207 SITCS)

IronPort WSA Overview

• Advanced web content-filtering solution
  – Provides Web Proxy service
  – Protects networks against malware & spyware programs
    ◦ Accomplished by combining several technologies into a single unit
• Key features
  – Fast Web Proxy service
  – URL Filtering (IronPort URL Filtering or Web Usage Controls)
  – Application Visibility & Control
  – Anti-Malware Scanning
  – L4 Traffic Monitor

Deployment Modes
• Web Proxy
  1. Explicit Forward
     – WSA can be placed pretty much anywhere in the network
     – All clients must configure their browser to point to the WSA
       ◦ IP Spoofing is DISABLED by default
     – Good for testing
  2. Transparent
     – Client applications are unaware of the Web Proxy
     – Requires an L4 switch or a WCCPv2 router/ASA
     – In this mode, if IP Spoofing is enabled, two WCCP services must be configured

• L4 Traffic Monitor
  – Enables the WSA to passively listen for packets (traffic is mirrored to the WSA)
  – Can be used to detect malware over non-HTTP ports
  – Three ways of configuring redirection:
    1. Network Tap
    2. Hub
    3. SPAN/RSPAN
  – Make sure packets are mirrored before any NAT takes place
• WSA can be configured for multiple modes at the same time:
  – Explicit Forward + optional L4 Traffic Monitor
  – Explicit Forward + Transparent + optional L4 Traffic Monitor

WSA Interfaces
• Management (M1)
  – Provides remote access to the appliance (HTTP, HTTPS & SSH)
  – It is possible to use it for both management and Web Proxy
    ◦ Simply don't check "Restrict M1 port to appliance management services only"
• Data Ports - Web Proxy (P1, P2)
  – A single interface can be used for both incoming & outgoing traffic (P1)
  – If both ports are used, one is connected toward the users, the other toward the Internet
• Data Ports - L4 Monitor Ports (T1, T2)
  – A single interface can receive both incoming and outgoing traffic (T1)
  – If both are used, T1 connects to the internal network, T2 to the Internet

WCCP
• WCCP enables transparent redirection of traffic to content/caching appliances
  – Helps reduce bandwidth utilization
  – WSA only supports WCCP version 2 (control plane packets are exchanged over UDP 2048)
  – If configured on Catalyst switches (3560s) make sure the SDM Template is set to "routing"
• WCCP Service Group
  – Defines what traffic should be intercepted and how the packets should be handled
  – Service Group Types:
    1. Standard (ip wccp web-cache) - well-known group; only redirects packets -> port 80
    2. Dynamic (ip wccp group_id) - WSA tells the router/switch/ASA what traffic to redirect
• Forwarding Method
  – Layer 2 (destination MAC of the frame is changed)
  – GRE (original packet is encapsulated in GRE)

WCCP Examples
• Standard Service Group

  ip wccp version 2
  ip wccp web-cache [redirect-list acl] [group-list acl]
  interface g0/0
   ip wccp web-cache redirect in

• Dynamic Service Group

  ip wccp version 2
  ip wccp 90 [redirect-list acl] [group-list acl]
  interface g0/0
   ip wccp 90 redirect in

WSA Initialization
• Management interface (M1) is preconfigured with 192.168.42.42/24
• The default HTTP[s] port numbers are 8080 and 8443
  – Log in as "admin" with the password "ironport" (first-time login activates the Setup Wizard)
  – To change the default IP address & HTTP[s] ports use interfaceconfig
  – To change the default gateway IP use the setgateway command
  – After any configuration change is made through the CLI, submit it (commit)
• All settings can be verified with showconfig
  – To revert back to factory defaults use resetconfig

WSA Policies & Related Topics

Identities
• Identity Policy serves as an authentication mechanism
  1. Allows differentiating connections/transactions based on their characteristics
     – Client IP address/subnet, Protocol, Proxy Port, User Agent & URL Category
  2. Determines whether authentication is required for a session or not
• Identity Membership is the first thing evaluated for a request
  – Identity Groups are compared sequentially until the first match is found
  – If there is no match, the default Global Identity Policy is associated with the transaction
  – It is also possible to create an Identity for users who failed authentication (Guests)
  – Once the Identity is determined it can be used as a condition in other Policies (e.g. Access or Decryption)

Access Policy
• Defines how web traffic should be processed by the WSA
  – Access Policy Groups/Rules are checked sequentially up to the first match
  – There are multiple conditions that can be configured for a Rule
    ◦ Identity, Subnet, Protocol, Proxy Port, User Agent, URL Category & Time Range
  – If no specific Group/Rule matches, the Global Policy Rule is processed
• Each Access Policy Group/Rule consists of the following Security Components:
  – Protocols & User Agents
  – URL Categories
  – Applications (AVC)
  – Objects
  – Web Reputation & Anti-Malware

• Access Policy Actions
  – Three "final" actions are defined:
    ◦ Allow, Drop, Redirect
  – The "Monitor" action is intermediary: it means evaluate the next control setting
• Access Policy Order of Operations (Requests)
  1. HTTP CONNECT ports
  2. User Agent
  3. Protocol
  4. URL Categories
  5. Safe Search, then Site Content Rating
  6. Web Reputation
  7. AVC (only if Web Reputation returned "scan" and the scan result was OK)

• Access Policy Order of Operations (Responses)
  1. HTTP CONNECT ports
  2. File size
  3. AVC
  4. Web Reputation

URL Filtering (URL Categories)
• Used to control web access based on URL Categories
  – The two URL Filtering engines available on the WSA are:
    1. Web Usage Controls
    2. IronPort URL Filters
• Web Usage Controls
  – Filters URLs based on pre-defined prefixes and keywords
  – Dynamic Content Analysis (DCA) allows dynamically categorizing unknown URLs
• IronPort URL Filters
  – Filters URLs based on a pre-defined list of domains

Web Reputation
• Calculates the likelihood that a particular URL being accessed contains malware
  – This probability is expressed as a score (-10 to 10)
  – The less reputable the site, the lower the value (-10 means "least trusted")
  – This feature can be enabled in Access & Decryption Policies
• Default score ranges & actions for Access & Decryption Policies
  – Access (-10 to -6), Decryption (-10 to -9): drop the request without scanning/decryption
  – Access (-5.9 to 5.9), Decryption (-8.9 to 5.9): scan/decrypt
  – Access (6 to 10), Decryption (6 to 10): allow the request without scanning/decryption

Application Visibility & Control (AVC)
• Deep content inspection at the application layer
  – Allows dropping traffic on a per-application basis
  – Some applications can be controlled per function/feature (e.g. chat vs file transfer)
• The AVC database is constantly updated
  – New applications are added
  – Existing ones are updated
• Some applications can be controlled using bandwidth limits
  – Either as an aggregate or per user

Decryption Policy
• Defines how the WSA should handle HTTPS connections
  – Decryption Policy Groups/Rules are processed in the same way as Access Policy
  – Global Policy applies to connections that did not match any specific Rule
• Decryption Policy Actions
  – Drop, Allow: drop/allow without decrypting the connection
  – Decrypt: decrypt the content and proceed to Access Policy
  – Monitor: evaluate the next control setting
• Caveats
  – HTTPS Proxy must be enabled to activate the feature (Security Services -> HTTPS Proxy)
  – Once enabled, some HTTPS-related settings previously available in Access Policy can no longer be defined there

Web Proxy Bypass
• Allows certain connection requests to bypass the WSA
  – Source or destination IP address/subnet can be used as matching criteria
    ◦ Hostnames & Domain names are also supported
  – Only works for Transparent Web Proxy
• If Domain names are used, make sure at least one "T" interface is connected to the network even if L4 Traffic Monitor is not used
  – Required for DNS Snooping

Cisco ESA Overview

Cisco Email Security Appliance (ESA)
• Advanced solution for email security, protection and control
• ESA Key Features:
  – Inbound e-mail control and rate-limiting
  – Outbound e-mail control and high-performance delivery
  – Email security (SPAM, viruses, malware, fraud, phishing and more)
  – Data Loss Prevention (DLP) and encryption
  – Advanced filtering capabilities

Currently available ESA models include the C-/X-series appliances and the virtual ESAV

SMTP

SMTP (Simple Mail Transfer Protocol)
• TCP-based clear-text protocol used for e-mail transmission (TCP destination port 25)
• Originally defined in RFC 821 and later updated in RFC 5321 (includes the ESMTP additions)
• Implemented using a Command-Response model
  – Client sends commands and data
  – Server parses the commands and responds
• An SMTP server is also known as a Mail Transfer Agent (MTA)

SMTP is never used to retrieve e-mails
• POP3 (Post Office Protocol) and IMAP (Internet Message Access Protocol) are used instead
  – These protocols "pull" e-mails from an SMTP server

E-mail Structure
• Envelope (processed by MTAs to deliver an e-mail; not visible to the user)
• Data (visible to the user)
  a) Header
  b) Body/Message + optional Attachments

Common Data Headers:
• From (sender's address) - mandatory field
• To (recipient's address)
• Date (timestamp) - mandatory field
• Subject (subject of the message, if any)
• CC ("secondary" recipients)
• Received (the path the message followed)

SMTP Commands
• Not all commands are implemented on the ESA (e.g. VRFY)
• Commonly used commands:
  a. HELO/EHLO - client greeting
  b. MAIL FROM - envelope sender address
  c. RCPT TO - envelope recipient
  d. DATA - client is ready to send a message (headers and body)
  e. NOOP - "no operation"
  f. STARTTLS - client wants to use TLS
  g. RSET - resets the current conversation to a default state
  h. QUIT - terminates the SMTP session & TCP connection

SMTP Response Codes
• Returned in a 3-digit format (xyz) where usually only the first digit ("x") can be relied upon:
  – 2yz/3yz means "success" (3yz means the server is waiting for more data)
  – 4yz indicates a non-fatal (temporary) error, whereas 5yz describes a fatal (permanent) error
• Commonly seen Response Codes:
  a. 250 - command accepted
  b. 354 - response to the client's DATA (OK but waiting for more data)
  c. 421 - temporary rejection at the connection level
  d. 452 - temporary rejection at the recipient level
  e. 550 - fatal error (typically means that the recipient does not exist)
  f. 554 - error shown to low-reputation or explicitly blacklisted hosts

Sample SMTP conversation:

  220 esa.ipexpert.com ESMTP
  HELO sdomain.com
  250 esa.ipexpert.com
  MAIL FROM: <[email protected]>
  250 sender <[email protected]> ok
  RCPT TO: <[email protected]>
  250 recipient <[email protected]> ok
  DATA
  354 go ahead
  Subject: Example Message

  This is the text of an example message.
  .
  250 ok: Message 31274 accepted
  QUIT
  221 esa.ipexpert.com

ESA Basic Configuration

ESA Interfaces & Initialization
• The number of available interfaces depends on the platform
• Ports are labeled as "Data" and "Management" but they can all be used for any purpose
• The Data1/Management port is preconfigured with the IP address 192.168.42.42/24
  – HTTP, HTTPS and SSH are enabled
  – Default username is "admin", password "ironport"
• Useful CLI commands:
  – The CLI equivalent of the GUI's System Setup Wizard is started with systemsetup
  – To change the default IP address & HTTP[s] ports use interfaceconfig
  – To change the default gateway IP use the setgateway command
  – Check if the ESA can send e-mails with mailconfig
  – After any configuration change is made through the CLI, submit it (commit)

ESA Workflow & Policies

ESA SMTP Listeners
• SMTP Listeners handle the connection and the SMTP conversation
  – At least one Listener must be enabled to process incoming/outgoing e-mails
  – There are separate HAT and RAT tables for each of the Listeners

E-mail Processing
• The source IP address from the first TCP packet (SYN) is used to perform:
  – Reverse DNS Lookup (PTR)
  – DNS "A" lookup on the returned FQDN (if any)
  – Reputation Score evaluation for that IP
  – (Optional) Other DNS checks such as DNS Blacklist
• This information is used to classify the connection in the HAT table

Host Access Table (HAT)
• Controls incoming connections to the Listener (senders)
• Rules consist of conditions (Sender Groups) and results (Mail Flow Policies)
• Rules are processed top-down up to the first match
  – Order is important (WHITELIST should come first etc.)

Mail Flow Policy Actions
• Accept (classifies a message as incoming)
  – Connection is accepted but the sender is limited to recipients defined in the RAT table
• Relay (classifies a message as outgoing)
  – Connection is accepted and the sender is NOT limited to recipients defined in the RAT table
• TCP Refuse
• Reject

Recipient Access Table (RAT)
• Every HAT-accepted conversation (Mail Flow Policy Action -> ACCEPT) is evaluated against the RAT
• For every "RCPT TO" issued, the ESA checks the RAT to see if the recipient/domain is allowed
  – You have the option to reject individual users within a domain
• LDAP can also be used to perform a recipient lookup (if you use it)
• Private Listeners don't use the RAT (dual-arm design)

After the HAT & RAT checks are successful, the sender is allowed to continue with the DATA command
• The message is internally moved to the Work Queue for further processing
  – Anti-SPAM
  – Anti-Virus & Virus Outbreak Filtering
  – Content Filtering
  – Data Loss Prevention (outgoing mails only)
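The HAT first-match rule and the per-RCPT TO RAT check described above, modelled in code as an added example (this is not ESA code). The Sender Group names follow the defaults the notes mention (WHITELIST, BLACKLIST, RELAYLIST, ALL), but the networks, reputation ranges, recipients and the RAT entries are constructed, and the ".domain matches the domain and its sub-domains" reading of dotted entries is this model's assumption.

```python
"""Listener admission on an ESA in two steps: the HAT picks a Mail Flow Policy for the
connecting host (first match, top-down); for an ACCEPT policy the RAT then decides
each RCPT TO. Added example, not ESA code; all table contents are constructed.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

ACCEPT, RELAY, REJECT, TCPREFUSE = "ACCEPT", "RELAY", "REJECT", "TCPREFUSE"


@dataclass
class SenderGroup:
    """One HAT row: match conditions plus the Mail Flow Policy action it yields."""
    name: str
    policy: str
    networks: tuple = ()          # CIDR strings; an empty tuple matches any address
    rep_min: float = -10.0        # SenderBase Reputation Score range, inclusive
    rep_max: float = 10.0

    def matches(self, src_ip, reputation):
        in_net = not self.networks or any(
            ip_address(src_ip) in ip_network(n) for n in self.networks)
        return in_net and self.rep_min <= reputation <= self.rep_max


def hat_lookup(hat, src_ip, reputation):
    """First matching Sender Group wins, so row order decides the outcome."""
    for group in hat:
        if group.matches(src_ip, reputation):
            return group
    raise LookupError("HAT needs a catch-all ALL entry as its last row")


def rat_lookup(rat, address):
    """RAT check for one envelope recipient: the first matching entry decides.

    Entries are 'user@domain', 'domain' (exact) or '.domain' (domain and its
    sub-domains, the convention assumed by this model). Anything unmatched is
    refused, which is what keeps an ACCEPT listener from becoming an open relay.
    """
    address = address.lower()
    domain = address.rpartition("@")[2]
    for entry, action in rat:
        entry = entry.lower()
        if "@" in entry:
            hit = entry == address
        elif entry.startswith("."):
            hit = domain == entry[1:] or domain.endswith(entry)
        else:
            hit = domain == entry
        if hit:
            return action
    return REJECT


def admit(hat, rat, src_ip, reputation, recipients):
    """Return (policy, sender_group, {recipient: smtp_code}) for one connection."""
    group = hat_lookup(hat, src_ip, reputation)
    if group.policy in (TCPREFUSE, REJECT):
        # TCPREFUSE: the handshake is refused; REJECT: 554 at connect time.
        # Either way no RCPT TO is ever reached, so there are no per-recipient verdicts.
        return group.policy, group.name, {}
    verdicts = {}
    for rcpt in recipients:
        if group.policy == RELAY:          # outgoing mail: the RAT is not consulted
            verdicts[rcpt] = 250
        else:                              # ACCEPT: incoming mail must pass the RAT
            verdicts[rcpt] = 250 if rat_lookup(rat, rcpt) == ACCEPT else 550
    return group.policy, group.name, verdicts


# Constructed HAT. Order matters: the internal relay network sits above the
# reputation-based BLACKLIST, so a poor score on an internal host cannot refuse it.
HAT = [
    SenderGroup("WHITELIST", ACCEPT, networks=("203.0.113.0/24",)),
    SenderGroup("RELAYLIST", RELAY, networks=("10.0.0.0/8",)),
    SenderGroup("TCPREFUSED", TCPREFUSE, networks=("192.0.2.0/24",)),
    SenderGroup("BLACKLIST", REJECT, rep_min=-10.0, rep_max=-3.0),
    SenderGroup("SUSPECTLIST", ACCEPT, rep_min=-3.0, rep_max=-1.0),
    SenderGroup("ALL", ACCEPT),
]

# Constructed RAT for the public listener: the whole example.com domain is accepted
# except one retired mailbox; every other domain is refused (no relaying).
RAT = [
    ("retired@example.com", REJECT),
    (".example.com", ACCEPT),
]

if __name__ == "__main__":
    rcpts = ["bob@example.com", "retired@example.com", "bob@other.example"]
    for ip, score in (("10.20.30.40", -8.0), ("198.51.100.7", -8.0), ("198.51.100.9", 2.0)):
        print(ip, score, admit(HAT, RAT, ip, score, rcpts))
```

Reversing BLACKLIST and RELAYLIST in the table turns the same internal host with a bad score into a rejected connection, which is the "order is important" point above.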

Work Queue
• Policies are defined separately for Incoming (HAT:ACCEPT) and Outgoing (HAT:RELAY) messages

Anti-SPAM Scanning
• Allows you to drop/quarantine/bounce SPAM-positive/suspected messages

Anti-Virus Scanning
• A message can be found to be infected, encrypted or unscannable

Content Filtering
• Allows you to take certain actions depending on the message content
  – Encrypt & deliver
  – Strip attachment
  – Quarantine, drop and more

Virus Outbreak Filters (VOF)
• Detect and stop 0-Day malware outbreaks

Data Loss Prevention (DLP)
• Stops outgoing e-mails containing the company's sensitive information
• When sensitive data is found, the ESA can drop/quarantine/encrypt or just deliver the message

Other ESA Features

Address Mappings (change the envelope's recipient addresses)
• Default Domain
• Domain Map (1-1 mappings for the domain, e.g. abc.com -> xyz.com)
  – User portion is not changed
  – Occurs before the RAT check
  – Configure via listenerconfig
• Aliases (1-1, 1-many, many-many mappings)
  – Processed after Domain Maps
  – Configure with aliasconfig

Masquerading (changes the sender's address)
• Typically performed on the envelope address but can also modify addresses seen in the Headers
• Useful to hide internal domains or flatten domain hierarchies (e.g. @.abc.com -> @abc.com)

SMTP Routes
• Used to find a destination IP address for the envelope's recipient[s]
• Processed top-down, but the most specific entry always wins regardless of the order
• Accepts entries for domains or sub-domains, but not individual recipients
• Route Destination can be defined as:
  – Domain (first an "MX" lookup is performed, then "A" for the returned hosts)
  – Hostname (first tries "MX" and only if that fails is an "A" lookup performed)
  – Hostname/Domain in brackets (e.g. [smtp.abc.com] means only use an "A" lookup)
  – IP address
• Providing multiple destinations allows for load balancing and/or failover
  – When priorities are different, only the highest-priority host (lowest number) is used
  – With equal priorities, messages are load-balanced in a round-robin fashion
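The route selection rules above (most specific entry wins regardless of table order, lowest priority number wins, equal priorities are round-robined, bracketed hosts are A-lookup only) as an added example that is not ESA code. The route table and recipients are constructed, and the assumption that a ".domain" entry covers the domain and its sub-domains is this model's, not the notes'.

```python
"""SMTP Routes on an ESA: pick the route for an envelope recipient by the most specific
domain match (table order does not matter), then pick a host by priority, round-robin
among equal priorities. Added example, not ESA code; route table and recipients are
constructed, and the '.domain covers the domain and its sub-domains' rule is assumed.
"""
from dataclasses import dataclass
from ipaddress import ip_address


def is_ip_literal(text):
    try:
        ip_address(text)
        return True
    except ValueError:
        return False


@dataclass(frozen=True)
class Destination:
    host: str            # "mx.example.net", "[relay.example.net]" or "192.0.2.25"
    priority: int = 0    # lower number = preferred, as with MX records

    def dns_lookups(self):
        """Which lookups the notes say each destination form triggers."""
        if self.host.startswith("[") and self.host.endswith("]"):
            return "A only"
        if is_ip_literal(self.host):
            return "none"
        return "MX, then A"


@dataclass
class Route:
    domain: str          # "ALL", "example.com" or ".example.com"
    destinations: list

    def specificity(self, rcpt_domain):
        """None if the route does not cover rcpt_domain, else a sortable key where a
        higher value is more specific: exact > dotted parent (longer wins) > ALL."""
        d = self.domain.lower()
        if d == "all":
            return (0, 0)
        if d.startswith("."):
            if rcpt_domain == d[1:] or rcpt_domain.endswith(d):
                return (1, d.count("."))
            return None
        return (2, d.count(".") + 1) if rcpt_domain == d else None


class SmtpRoutes:
    def __init__(self, routes):
        for r in routes:
            if "@" in r.domain:            # routes take domains, never single recipients
                raise ValueError(f"SMTP Routes do not accept recipients: {r.domain}")
        self.routes = routes
        self._rr = {}                      # route domain -> round-robin counter

    def match(self, recipient):
        rcpt_domain = recipient.rpartition("@")[2].lower()
        best, best_key = None, None
        for route in self.routes:          # walked top-down, but specificity decides;
            key = route.specificity(rcpt_domain)
            if key is not None and (best_key is None or key > best_key):
                best, best_key = route, key    # an earlier row only wins exact ties
        return best

    def next_hop(self, recipient):
        route = self.match(recipient)
        if route is None:
            raise LookupError(f"no route (not even ALL) for {recipient}")
        top = min(d.priority for d in route.destinations)
        pool = [d for d in route.destinations if d.priority == top]   # preferred tier only
        n = self._rr.get(route.domain, 0)
        self._rr[route.domain] = n + 1
        return route.domain, pool[n % len(pool)]                      # round-robin in tier


# Constructed table, deliberately listed least-specific first to show order is irrelevant.
ROUTES = SmtpRoutes([
    Route("ALL", [Destination("[smarthost.isp.example]")]),
    Route(".example.com", [Destination("mx1.example.com", 10),
                           Destination("mx2.example.com", 10),
                           Destination("192.0.2.25", 20)]),        # failover only
    Route("sales.example.com", [Destination("[crm-relay.example.com]")]),
])

if __name__ == "__main__":
    for rcpt in ("a@sales.example.com", "b@hr.example.com", "b@hr.example.com", "c@other.example"):
        domain, dest = ROUTES.next_hop(rcpt)
        print(f"{rcpt:22} -> route {domain:18} host {dest.host:28} ({dest.dns_lookups()})")
```

The priority-20 literal IP is never selected while a priority-10 host exists; in this model it only becomes eligible if both priority-10 hosts are removed from the route, which is the failover behaviour the notes describe.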

Encryption
• Encryption on the ESA can be performed using two methods:
  1. Envelope Encryption
  2. TLS

Envelope Encryption
• Triggered by Content Filters or DLP
• Requires a Key Server and an Encryption Profile to be defined

TLS Encryption
• ESMTP supports TLS encryption (STARTTLS)
• The Destination Controls table controls whether TLS should be used when the ESA acts as an SMTP client:
  – None
  – Preferred
  – Required
  – Preferred/Required Verify (includes certificate validation)
    a. Expiration dates
    b. Signature
    c. The CN's hostname must match the MTA's DNS FQDN or the domain of the envelope's recipient
• The HAT controls TLS settings when the ESA acts as an SMTP server

LDAP Integration
• Not required but useful for a variety of reasons:
  – Recipient validation
  – Reduced administration overhead
  – Increased security

Verification & Troubleshooting Tools
• Trace
• Packet Capture
• Nslookup
• Tail
• Remote Access (Reverse SSH)

Content Security Architecture

WSA
• Explicit Forward Mode
  – WSA can be placed anywhere
  – The firewall should block web access from devices other than the WSA
• Transparent Mode
  – WSA is typically deployed in the Internet Edge (inside of the ASA)
  – No reconfiguration needed on the client stations; WCCPv2 handles redirection

High Availability
• WCCP
• External Load-Balancer (e.g. ACE)
  – WCCP is not used; the original client IP address can be preserved

ESA
• In a typical design the ESA is placed in the DMZ of the Internet Edge
• Single-Arm Design
  – Firewall configuration may include NAT and must allow SMTP, LDAP, DNS, HTTP and HTTPS
• Two-Arm Design
  – One Data port connects to the inside (private Listener), the other to the DMZ (public Listener)
  – If you add an OOB port it is known as a Three-Arm design

High Availability
• Multiple ESAs (reconfigure DNS: multiple MX records)
• External Load-Balancer (e.g. ACE)
  – Especially useful for outgoing e-mails

Cisco Cloud Web Security

Cloud Web Security (CWS)
• Software-as-a-Service (SaaS) solution
• Previously known as ScanSafe
• Redirected web traffic (no FTP support) is inspected by multiple SIO engines
• Traffic redirection can be performed:
  – Explicitly (Proxy AutoConfiguration - PAC file)
  – Transparently with Connectors (ISR G2 routers, ASA firewalls)
  – Transparently with the AnyConnect Secure Mobility Client (remote access and mobile)

Features
• Web Usage Controls
• Application Visibility & Control (AVC)
• Zero-Day Threat Protection
• Cognitive Threat Analytics
• Advanced Malware Protection (AMP)
  – File Reputation
  – File Sandboxing
  – File Retrospection
• HTTPS Decryption (Secure Traffic Inspection)

Licensing
• Web Security Essentials
  – Web Content Filtering
  – AVC
  – Secure Mobility Integration (AnyConnect)
  – Anti-Malware Protection
• Advanced Malware Protection (AMP)
• Web Security Premium
  – Web Security Essentials + AMP

CWS Licenses are term-based subscriptions (1/3/5 years)

CWS Connectors

CWS Connectors
• A Cloud Connector is embedded software used to redirect web traffic to the Cloud
• To start, make sure at least one Authentication Key (license) has been generated (ScanCenter)
  – The Company/Group Key is used to authenticate your traffic in the Cloud
  – Multiple Group Keys can be generated (a simple way to apply different policies, e.g. per ASA)

ASA Connector Configuration
• Configure the Proxy (aka "Tower") addresses and the license (Authentication Key):

  scansafe general-options
   server primary ip primary_ip_addr port 8080
   server backup ip bckp_ip_addr port 8080
   license license_number

• In multiple-context mode also add scansafe under the context configuration

• Configure a Whitelist (Optional)

  class-map type inspect scansafe whitelist_class_name
   match [user|group] name

• Configure Redirection Options

  policy-map type inspect scansafe sf_policy_name
   parameters
    [http|https]
    default [user|group] name
   class whitelist_class_name
    whitelist

• Configure L3/L4 class & policy maps (ensure no overlap exists with CX)

  class-map class_name
   match access-list acl_name
  policy-map policy_name
   class class_name
    inspect scansafe sf_policy_name [fail-open|fail-close]
  service-policy policy_name interface if_name

CWS IOS Connector
• Works similarly to the ASA
• User/user-group can be used to find a policy (e.g. via AD/LDAP, Authentication Proxy)
• Whitelists can be configured for:
  – IP addresses
  – HTTP Header fields (e.g. "Host" or "User-Agent")

  parameter-map type regex AllowedWebSites
   pattern cisco
  content-scan whitelisting
   whitelist header host regex AllowedWebSites

IOS Connector Configuration
• Configure the Towers, Authentication Key, possibly a default user/group & optional parameters

  parameter-map type content-scan global
   server scansafe primary ipv4 ip1 port http 8080 https 8080
   server scansafe secondary ipv4 ip2 port http 8080 https 8080
   license 1234XXXXXXXXXXXXXXXXXXXxx1234
   user-group groupname username username
   server scansafe on-failure [allow-all|block-all]

• Enable transparent redirection on the egress interface

  interface g0/1
   content-scan out

CWS - AnyConnect

AnyConnect CWS
• AnyConnect uses Trusted Network Detection (TND) to determine whether a connection is trusted or not
  – Internet web traffic from untrusted connections (remote access) is split-tunneled to the Cloud
  – The Web Security Module acts as a CWS Connector

Configuration
• Web Security Service AnyConnect Profile:
  – Up-to-date list of CWS Proxy Servers and a Proxy Exception List
  – TND & Authentication
• VPN Group Policy:
  – VPN Filter should block HTTPS to the TND server (permit everything else)
  – Split Tunneling must exclude traffic to the CWS Proxy Servers
  – Local LAN Access must be enabled

Context-Aware ASA

Context-Aware (CX) ASA
• The Next-Generation ASA family (5500-X Series) includes the following models:
  – 5512-X, 5515-X, 5525-X, 5545-X, 5555-X and 5585-X
• Next-Generation Security Services (powered by SIO):
  – WSE and AVC (starting in ASA software 9.1.1; requires a CX module 9.1.1+)
  – NG IPS (IPS software 7.1.4 needed; requires CX)
  – CWS (starting in ASA software 9.0.1)

Context-Aware (CX) Module
• Software/hardware solution configured with Prime Security Manager (PRSM)
  – First initialize the module via ASDM or CLI
  – To access the CX CLI, session into it directly from the ASA or SSH to the ASA's interface
• Traffic must still be redirected to the module using MPF (CLI/ASDM)

Traffic Redirection
• Configure it with ASDM ("ASA CX Inspection" tab under Service Policy) or CLI:

  cxsc [fail-open|fail-close] [auth-proxy|monitor-only]

• Monitor Mode can be used to test module functionality without affecting the traffic (CLI only)
  – Enable it in the Policy-Map (cxsc monitor-only)
  – Or use a Traffic-Forwarding interface (traffic-forward cxsc monitor-only)
• Don't enable CWS or regular HTTP inspection on traffic redirected to the CX module

CX Workflow
  a) Incoming VPN traffic is decrypted
  b) Firewall policies are applied
  c) Traffic is redirected to the CX module where its policies are applied
  d) Allowed traffic is sent back to the ASA for further processing (e.g. encryption)

IPS Basics

IPS Sensor Interfaces
• Management (Command & Control)
  – Used to remotely access the IPS for configuration
  – Initiates blocking connections
  – Should be part of the management VLAN
• Sensing
  – Used to monitor and analyze traffic
  – Can be configured for various IPS Deployment Modes
• Alternate TCP Reset
  – Used when the switch does not support ingress traffic on the SPAN/RSPAN port
  – Should be part of the monitored VLAN so the TCP Resets can do their work

IPS User Roles
• Administrator
  – Highest privilege level -> unrestricted access
• Operator
  – Full read-only access plus the ability to modify their own password, tune signatures, and manage blocking devices
• Viewer
  – Can view configuration and event data and modify their own password
• Service
  – For support and troubleshooting only. It bypasses the CLI and gains shell access to the underlying Linux OS using the "su" command

IPS CLI
• Somewhat similar to IOS
  – You can use "?" and complete commands with "Tab"
  – Not case sensitive
• IPS CLI Command Modes
  – Privileged EXEC
  – Global Config (accessible via configure terminal)
  – Service
  – Multi Instance (signature definition, event rules, anomaly detection)

Useful CLI Commands
• Initialize the IPS (Admin Role required): setup
• Check interface types: show interfaces brief
• Show running configuration: show configuration
• Check if traffic is received by the IPS: packet display
• Show real-time alerts: show events alerts
• Show denied attackers: show statistics denied-attackers
• Verify which signatures fired: show statistics virtual-sensor

IPS Initialization Steps (setup)
• Hostname and management IP address in the "<ipv4_addr>/<mask_bits>,<default_gw_ip_addr>" format
• Management Access-List as "<subnet>/<mask_bits>"
  – Specifies who can manage the sensor (PING, HTTP[s], SSH and Telnet)
• DNS Server or HTTP Proxy IP addresses (Global Correlation)
• System Clock Settings
• SensorBase Network Participation
  – Off (no participation)
  – Partial (no sensitive information is sent to SensorBase)
  – Full (all data is contributed to SensorBase)

SPAN and RSPAN

SPAN/RSPAN
• A method of copying network traffic passing through ports or VLANs
  – Useful for IDS/IPS or Call Recording
  – Mirrors only received traffic for a VLAN
  – For an interface it can be sent, received or both
• Switched Port Analyzer (SPAN) vs Remote SPAN (RSPAN)
  – Session Source and Destination must be on the same switch (SPAN)
  – Session Destination port is on another switch (RSPAN)

  monitor session 1 source interface Fa0/8 both
  monitor session 1 destination interface Fa0/9 [options]

• Destination [options]:
  – ingress vlan (TCP Resets)
  – encapsulation replicate (VLAN Groups)

RSPAN Configuration
• The Remote SPAN VLAN must be configured end-to-end

  Switch 1
  vlan 555
   remote-span
  monitor session 1 source interface Fa0/2 both
  monitor session 1 destination remote vlan 555

  Switch 2
  vlan 555
   remote-span
  monitor session 2 source remote vlan 555
  monitor session 2 destination interface Fa0/15 [options]

IPS Deployment Modes

IPS Deployment Modes
1. Promiscuous (IDS)
   • Monitoring a single VLAN (default on each sensing interface)
     – Technically more than one VLAN can be SPANed/RSPANed
   • VLAN Group
     – Monitoring a trunk
2. Inline (IPS)
   • Inline Interface Pair (two physical interfaces)
   • Inline VLAN Pair (single physical interface)
   • VLAN Group
     – IPS placed between two switches (in the "middle" of the trunk)

IPS Virtual Sensor

IPS Virtual Sensor
• Main IPS element connecting Policy and Data Traffic with the Analysis Engine
  – Default "vs0" cannot be deleted
  – Up to four different Virtual Sensors can be defined (virtualization)
  – Each VS can be configured with a different policy

Virtual Sensor Components
• Interfaces
• IPS Policy
  – Signature Definition
  – Event Action Rules
  – Anomaly Detection

IPS Signatures

IPS Signatures and Signature Engines
• A signature is a set of rules describing the characteristics of an offending packet

Signature Engines
• Application Inspection and Control (AIC)
  – Advanced control of HTTP and FTP
  – Disabled by default
• Atomic (ARP, IPv4 and IPv6)
  – Detects attacks on a per-packet basis
  – The IPv6 atomic sub-engine inspects IPv6 ND packets; not configurable
• Flood
  – Detects ICMP or UDP floods

• Meta
  – Detects attacks based on existing signatures, not data packets
• String
  – Searches for a single regex (per signature)
• Service
  – Provides protocol-specific inspections (e.g. HTTP, DNS, etc.)
• Sweep
  – Detects network reconnaissance scans from a single host
• Normalizer
  – Performs anti-evasion techniques
  – Deals with IPv4/IPv6 fragmentation and TCP Stream Reassembly (normalizes packets when in inline mode)
  – Only allows tuning existing signatures (no new ones can be added)

Signature Actions
• Per Signature
• Based on Risk Rating

Common signature actions
• Log Attacker Packets - Capture packets (attacker address)
• Log Pair Packets - Capture packets (attacker-victim address pair)
• Log Victim Packets - Capture packets (victim address)
• Produce Alert - Generate an alert
• Produce Verbose Alert - Include a dump of the offending packet in the alert
• Request SNMP Trap - Send an SNMP Notification

Inline Signature Actions
• Deny Attacker Inline - Block all traffic from the attacker
• Deny Attacker Service Pair Inline - Deny all traffic from the attacker to the destination port
• Deny Attacker Victim Pair Inline - Deny all traffic between the attacker and the victim
• Deny Connection Inline - Drop the current TCP flow from the attacker
• Deny Packet Inline - Drop the offending packet
• Modify Packet Inline - Modify the packet's content, e.g. clear IP Options
• Reset TCP Connection - Send a TCP Reset to terminate the flow

Promiscuous Signature Actions
• Request Block Connection - Initiate a connection block (no shunning here)
• Request Block Host - Block/shun the attacker
• Request Rate Limit - Rate-limit packets from the attacker
• Reset TCP Connection - Send a TCP Reset (the initial packet has already reached the victim)

Page 63: 300-207.pdf

IPS Signatures

Signature Tuning
•  Signature/Engine specific
   –  Regular Expression
   –  Header fields (flags, ports, type/code)

•  Common Settings
   –  Action (Produce Alert, Deny Packet Inline)
   –  Alert Message
   –  Alert Severity
   –  Event/Alert Summarization

Event/Alert Summarization
•  Event Counter
•  Alert Summarization Mode (e.g. Fire All, Fire Once, Summary)

Page 64: 300-207.pdf

IPS Event Actions

Risk and Threat Rating
•  Risk Rating is a number describing the risk associated with a signature. Calculated as:

RR = [(ASR * TVR * SFR) + ARR – PD + WLR] / 10000

•  Threat Rating is RR lowered by the numerical value of the Signature Action taken
•  Sample Action Values
   –  Deny Attacker Inline (45)
   –  Deny Packet Inline (35)
   –  TCP Reset (20)

Page 65: 300-207.pdf

IPS Event Actions

Event Actions
•  Another method of tuning signatures

1.  Event Action Overrides
   –  Add an action to a signature based on its calculated Risk Rating
   –  By default the "Deny Packet Inline" action is taken for all signatures with a Risk Rating higher than 90 (in addition to the signature-specific actions)

2.  Event Action Filters
   –  Remove an action from a signature based on:
      •  Signature and sub-signature ID
      •  Attacker/Victim IPv4/IPv6 address or port
      •  Risk Rating value
   –  Processed after Event Action Overrides
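The two slides above (Risk/Threat Rating and Event Action Overrides/Filters) describe one processing chain for an event. The following Python is an added illustration of that chain; it is not Cisco code and not part of the original deck. It follows Cisco's documented form of the formula, in which only the ASR * TVR * SFR product is divided by 10000 and ARR, PD and WLR are then applied as point adjustments (the slide's bracket placement would make those terms negligible). The action values are the ones quoted on the slide; the signature IDs, addresses, ratings, the zero deduction for Produce Alert and the sample filter are all constructed for the example.

```python
"""Risk Rating, Threat Rating and event-action processing for one IPS event.

Added illustration of the IPS Event Actions slides; not Cisco code.
Cisco's documented formula scales only the ASR*TVR*SFR product by 10000 and
then applies ARR, PD and WLR as point adjustments, which is the form used here.
All sample values (signature IDs, addresses, ratings) are constructed.
"""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Optional, Set, Tuple

# Threat Rating deductions quoted on the slide.  Produce Alert carrying no
# deduction is an assumption made for this example.
ACTION_VALUES = {
    "deny-attacker-inline": 45,
    "deny-packet-inline": 35,
    "reset-tcp-connection": 20,
    "produce-alert": 0,
}


def risk_rating(asr: int, tvr: int, sfr: int,
                arr: int = 0, pd: int = 0, wlr: int = 0) -> int:
    """ASR = Attack Severity, TVR = Target Value, SFR = Signature Fidelity (0-100 each);
    ARR = Attack Relevancy, PD = Promiscuous Delta, WLR = Watch List Rating.
    The result is clamped to the 0-100 scale that overrides and filters operate on."""
    rr = (asr * tvr * sfr) / 10000 + arr - pd + wlr
    return max(0, min(100, round(rr)))


def threat_rating(rr: int, actions: Set[str]) -> int:
    """RR lowered by the value of the strongest action taken (0 if none is rated)."""
    deduction = max((ACTION_VALUES.get(a, 0) for a in actions), default=0)
    return max(0, rr - deduction)


@dataclass
class Event:
    sig_id: int
    sub_sig_id: int
    attacker: str
    victim: str
    rr: int
    actions: Set[str] = field(default_factory=set)  # signature-specific actions


@dataclass
class Override:
    """Adds an action when the event's RR is above the threshold."""
    action: str
    rr_above: int


@dataclass
class Filter:
    """Removes actions from events matching every criterion that is set."""
    remove: Set[str]
    sig_id: Optional[int] = None
    sub_sig_id: Optional[int] = None
    attacker: Optional[str] = None      # IPv4/IPv6 network in CIDR notation
    victim: Optional[str] = None
    rr_range: Tuple[int, int] = (0, 100)

    def matches(self, ev: Event) -> bool:
        if self.sig_id is not None and ev.sig_id != self.sig_id:
            return False
        if self.sub_sig_id is not None and ev.sub_sig_id != self.sub_sig_id:
            return False
        if self.attacker and ip_address(ev.attacker) not in ip_network(self.attacker):
            return False
        if self.victim and ip_address(ev.victim) not in ip_network(self.victim):
            return False
        lo, hi = self.rr_range
        return lo <= ev.rr <= hi


# Slide default: Deny Packet Inline for every signature whose RR is higher than 90.
DEFAULT_OVERRIDES = [Override("deny-packet-inline", rr_above=90)]


def process_event(ev: Event, overrides, filters) -> Set[str]:
    """Final action set: overrides add actions first, filters remove them afterwards."""
    actions = set(ev.actions)
    for ov in overrides:
        if ev.rr > ov.rr_above:
            actions.add(ov.action)
    for flt in filters:                     # processed after the overrides
        if flt.matches(ev):
            actions -= flt.remove
    return actions


if __name__ == "__main__":
    rr = risk_rating(asr=100, tvr=100, sfr=95)          # 95
    ev = Event(2004, 0, "10.10.5.5", "192.0.2.20", rr, {"produce-alert"})
    # Constructed filter: 10.10.0.0/16 is an authorised vulnerability scanner
    # whose hits should be alerted on but never dropped.
    quiet_scanner = Filter({"deny-packet-inline"}, attacker="10.10.0.0/16")
    final = process_event(ev, DEFAULT_OVERRIDES, [quiet_scanner])
    print(rr, sorted(final), threat_rating(rr, final))
```

The order in `process_event` is the point of the second slide: a filter can only take away what the signature and the overrides have already put in, so a filter scoped to a known scanner range strips the default high-RR drop without touching the alert.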

Page 66: 300-207.pdf

IPS Blocking

IPS Blocking
•  Temporary attack mitigation tool available in Promiscuous deployment

•  Allows the IPS to connect to a router/firewall to apply an ACL or shunning configuration
   –  Connections are always initiated from the Management Interface
   –  Rate Limiting is also supported; in that case a Service Policy is applied

•  IPS Blocking on the ASA is implemented using shunning (shun)

•  Rate Limiting and Blocking are NOT supported for IPv6

Page 67: 300-207.pdf

IPS Blocking

IPS Blocking Access-List Logic:
1.  Allow the IP address of the IPS itself
2.  Pre Access-List (pre-ACL)
3.  Actual blocking configuration
4.  Post Access-List (post-ACL)

Pre and Post Access-Lists are defined locally on the router

Watch out for NAT (between the IPS Management Interface and the blocking device)
   –  Use "Sensor's NAT address" to fix

Configure "Never Block Addresses" if needed
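The four-step ordering above, together with the NAT and Never Block notes, as an added Python illustration (not Cisco code and not part of the deck). The function name, the addresses and the pre/post ACL entries are constructed for the example; the output uses IOS-style ACL entry syntax only to make the ordering visible.

```python
"""Order of the access-list an IPS pushes to a blocking router, as an added
illustration of the IPS Blocking Access-List Logic slide (not Cisco code).
The addresses and ACL entries are constructed for the example."""
from ipaddress import ip_address, ip_network
from typing import Iterable, List, Optional


def build_blocking_acl(sensor_ip: str,
                       blocked_hosts: Iterable[str],
                       pre_acl: Iterable[str] = (),
                       post_acl: Iterable[str] = (),
                       never_block: Iterable[str] = (),
                       sensor_nat_address: Optional[str] = None) -> List[str]:
    """1. permit the sensor itself, 2. pre-ACL, 3. blocking entries, 4. post-ACL.

    If NAT sits between the management interface and the blocking device, the
    permit must use the sensor's translated address ("Sensor's NAT address"),
    otherwise the first entry never matches the sensor's own packets.  Hosts
    covered by a "Never Block" range are skipped even if an event requested them."""
    acl = [f"permit ip host {sensor_nat_address or sensor_ip} any"]
    acl.extend(pre_acl)                                  # defined locally on the router
    never = [ip_network(n) for n in never_block]
    for host in blocked_hosts:
        if any(ip_address(host) in n for n in never):
            continue                                     # Never Block address
        acl.append(f"deny ip host {host} any")
    acl.extend(post_acl)                                 # defined locally on the router
    return acl


if __name__ == "__main__":
    for line in build_blocking_acl(
            sensor_ip="192.168.50.5",
            sensor_nat_address="198.51.100.5",          # sensor as seen by the router
            blocked_hosts=["203.0.113.7", "10.0.0.9"],
            pre_acl=["permit udp any any eq 53"],
            post_acl=["permit ip any any"],
            never_block=["10.0.0.0/8"]):
        print(line)
```

Because the pre-ACL is evaluated before the blocking entries, anything permitted there (DNS in the sample) keeps flowing even from a blocked host; the post-ACL only sees traffic that the block entries did not already deny.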

Page 68: 300-207.pdf

IPS Blocking

IPS Blocking Configuration

•  Make sure blocking is enabled
•  Create a Device Login Profile
•  Specify the Blocking Device
•  Identify the Blocking Interface and direction
•  For SSH, add the Blocking Device to "SSH Known Host Keys"
•  Prepare the router/ASA for remote IPS connections

Page 69: 300-207.pdf

IPS Anomaly Detection

Anomaly Detection (AD)
•  IPS component used to detect worm-infected hosts
•  Works by comparing the traffic baseline to the current activity
   –  Most worms use scanning techniques to find vulnerable hosts to propagate to
   –  This changes/increases network activity

A scanner is a single host trying to discover (scan) multiple destinations (IPs)
   –  For TCP it would be multiple non-established sessions
   –  For UDP and other protocols it is traffic seen in only one direction

The Histogram defines the number of tolerable concurrent scans and scanners
   –  E.g. 5 hosts issuing "LOW" scans each (LOW is between 5 and 19 scans)
   –  If the Histogram Threshold is exceeded, AD considers it a worm outbreak
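The scanner definition and histogram threshold on this slide, as an added Python illustration of the detection logic (not Cisco's implementation, which works on the sensor's own flow state). The flow records, the MEDIUM/HIGH bucket boundaries and the per-bucket thresholds are constructed for the example; only the LOW range (5 to 19 destinations) comes from the slide.

```python
"""Scanner detection and histogram threshold check, in the spirit of the
Anomaly Detection slide.  Added illustration, not Cisco code; the flow records,
the bucket boundaries above LOW and the thresholds are constructed."""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str            # "tcp", "udp", "icmp", ...
    established: bool     # TCP: three-way handshake completed
    bidirectional: bool   # non-TCP: replies seen from dst


def scan_counts(flows: Iterable[Flow]) -> Dict[str, int]:
    """Distinct destinations per source that look like probes: non-established
    TCP sessions, or UDP/other traffic seen in one direction only."""
    targets = defaultdict(set)
    for f in flows:
        probe = (not f.established) if f.proto == "tcp" else (not f.bidirectional)
        if probe:
            targets[f.src].add(f.dst)
    return {src: len(dsts) for src, dsts in targets.items()}


# LOW = 5..19 destinations as on the slide; MEDIUM and HIGH boundaries are assumed.
BUCKETS = (("LOW", 5, 19), ("MEDIUM", 20, 99), ("HIGH", 100, None))


def bucket(n_destinations: int) -> Optional[str]:
    for name, lo, hi in BUCKETS:
        if n_destinations >= lo and (hi is None or n_destinations <= hi):
            return name
    return None   # fewer than 5 destinations: not counted as a scanner


def histogram(flows: Iterable[Flow]) -> Dict[str, int]:
    """Number of scanners observed per bucket."""
    h = {name: 0 for name, _, _ in BUCKETS}
    for n in scan_counts(flows).values():
        b = bucket(n)
        if b:
            h[b] += 1
    return h


def worm_outbreak(flows: Iterable[Flow], thresholds: Dict[str, int]) -> List[str]:
    """Buckets in which the tolerated number of scanners is exceeded."""
    return [name for name, count in histogram(flows).items()
            if count > thresholds[name]]


# Constructed sample: six hosts each sending never-completed SYNs to seven
# addresses, one host with ordinary sessions, one host with a little one-way UDP.
SAMPLE_FLOWS = (
    [Flow(f"10.1.1.{s}", f"10.2.0.{d}", "tcp", False, False)
     for s in range(1, 7) for d in range(1, 8)]
    + [Flow("10.1.1.100", f"10.2.0.{d}", "tcp", True, True) for d in (1, 2, 3)]
    + [Flow("10.1.1.101", f"10.2.0.{d}", "udp", False, False) for d in (1, 2)]
)
# Tolerated scanners per bucket; LOW follows the slide's "5 hosts issuing LOW scans each".
THRESHOLDS = {"LOW": 5, "MEDIUM": 2, "HIGH": 1}

if __name__ == "__main__":
    print(histogram(SAMPLE_FLOWS), worm_outbreak(SAMPLE_FLOWS, THRESHOLDS))
```

The sample deliberately includes a host with completed TCP sessions and a host with only two one-way UDP destinations: neither counts as a scanner, which is what keeps ordinary clients and a bit of unanswered UDP out of the histogram.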

Page 70: 300-207.pdf

IPS Anomaly Detection

Anomaly Detection can be running in one of three modes
1.  Learn Mode
   –  Develops the network baseline for 24 hours after first sensor initialization
   –  Can be set manually to force a longer learning period
   –  No scanning/worms should occur during that time

2.  Detect Mode
   –  Activates Anomaly Detection
   –  Gradual changes are recorded to the Knowledge Base, which updates the baseline

3.  Inactive Mode
   –  Disables Anomaly Detection
   –  "A must" in asymmetric environments

Page 71: 300-207.pdf

IPS Anomaly Detection

Anomaly Detection Zones

1.  Internal
   –  Should contain all IP ranges used in the network

2.  Illegal
   –  Describes all unallocated ranges and bogons

3.  External
   –  Everything else

Zones are intended to help achieve a lower false-negative rate

Page 72: 300-207.pdf

IOS IPS

IOS IPS
•  Software-based solution available on IOS routers
   –  Many features and much of the terminology are similar to those used by Sensor Appliances
   –  Not everything is supported, e.g. Anomaly Detection, signature configuration options

Configuration
•  Load Cisco's public key to decrypt/verify the signature package

crypto key pubkey-chain rsa
 named-key realm-cisco.pub signature

•  Create a folder for IPS configuration files

ip ips config location

Page 73: 300-207.pdf

IOS IPS

•  Retire everything you will NOT be using

ip ips signature-category
 category all
  retired true
 category ios_ips basic
  retired false

•  Create an IPS rule and apply it

ip ips name IPS_RULE [list acl]
int g0/0
 ip ips IPS_RULE [in|out]

Page 74: 300-207.pdf

IOS IPS

•  Compile the selected signatures

copy flash:IOS-S258-CLI-kd.pkg idconf

•  Tune signatures
   –  Per category: ip ips signature-category
   –  Per signature: ip ips signature-definition

Page 75: 300-207.pdf

ASA IPS

ASA IPS
•  Special IPS module (physical or software depending on platform)
   –  Runs the same code as the IPS 4200 series
   –  Use the IPS 4200 series documentation for configuration (same as for a physical 4200 appliance)

Accessing the Module
1.  Session directly from the ASA (gives you CLI access)
   •  Issue session ips console (disconnect using CTRL+SHIFT+6 X)
2.  Use the GUI
   •  The IPS Management Interface is shared with the ASA's Management F0/0. You can plug a PC in directly and access it using 192.168.1.2/24 by default
   •  ASDM: Configuration -> IPS

Page 76: 300-207.pdf

ASA IPS

Diverting traffic to the IPS
•  MPF (ips inline|promiscuous [options] under a class in the policy-map)

Options
1.  Bypass Mode (fail-open or fail-close)
2.  Virtual Sensor number (sensor nr)

Virtual Sensors can be used in both Single and Multiple-Context modes
•  First create them from within the IPS GUI/CLI (service analysis-engine)
•  In Multiple-Context mode, allocate one or more to the context (allocate-ips)
•  Then divert the traffic on the ASA (MPF)

To see the list of available sensors use show ips

IPS module configuration is NOT replicated in any failover scenario

Page 77: 300-207.pdf

ASA IPS

context Cust1
 allocate-ips vs0
 allocate-ips VS1 default

policy-map IPS_POLICY
 class TRAFFIC_TO_IPS_CLASS_1
  ips inline fail-open sensor vs0
 class TRAFFIC_TO_IPS_CLASS_2
  ips inline fail-open sensor VS1
 class TRAFFIC_TO_IPS_CLASS_3
  ips inline fail-open

service-policy IPS_POLICY interface outside

Page 78: 300-207.pdf