CCNAS PPT
Transcript of CCNAS PPT
Network Security (Part 2). Professional Certification. NetworkSims. PIX/ASA Configuration: Interfaces. Fixup. Static Routes. Access-lists. Failover. VPN.
Author: Prof Bill Buchanan
Stateful firewall PIX/ASA
Author: Bill Buchanan
Prof Bill Buchanan, Leader, Centre for Distributed Computing and Security http://www.dcs.napier.ac.uk/~bill Room: C.63
Academic Element
On-line test (MCQ Test): 40%
Coursework (Agent-based IDS, Web-CT submission): 40%
.NET Security on-line test: 20%
Network Security on-line test: 20%
Schedule (weeks 2-8 and 10-14: 9 Feb, 16 Feb, 23 Feb, 2 Mar, 9 Mar, 16 Mar, 23 Mar, 6 Apr, 27 Apr, 4 May, 11 May, 18 May)
Academic: 1: Security Fundamentals; 2: IDS; 3: Encryption; 4: Authentication (Part 1); MCQ Test; 5: Software Security; 6: Network Security; Security Specialism; MCQ Test.
Lab/Tutorial: Lab 1: Packet Capture; Lab 2: Packet Capture (Filter); Lab 3: Packet Capture (IDS); Lab 5: IDS Snort 1; Lab 6: IDS Snort 2; Lab 7: Private-key Encryption; Lab 8: Public-key Encryption; Lab 9: Log/Process/Hashing; Lab 10: TCP Forensics; Lab 11: Binary Analysis/Sig Det.
CIA and AAA
[Diagram: layers between Bob and Alice, with Eve able to attack at each: CIA; Applications (Integrated Security); Services (Integrated Security); AAA; Application Communications (TCP, IP, and so on); Network Infrastructure (Firewalls, Proxies, and so on).]
Integration between the levels often causes the most problems.
Example Infrastructure
[Diagram: Bob and Alice on the Internet; Router, Firewall, Switch and Intrusion Detection Systems; Web server, Email server, FTP server and Proxy server behind the firewall.]
[Diagram: Router (NAT), Firewall (Packet filter), Firewall (Stateful), Switch and Intrusion Detection Systems; a DMZ holding the Web server, Email server, FTP server and Proxy server.]
[Diagram: the same infrastructure built with Cisco equipment: Cisco Switch, Cisco Firewall (Cisco PIX or Cisco ASA 5500), Router (NAT), Intrusion Detection Systems and the DMZ servers.]
[Diagram: protocol layers at each device: Application (FTP, Telnet, etc), L4. Transport (TCP), L3. Internet (IP), L2. Network (Ethernet); VLAN 1 and VLAN 2; restricted areas around the servers.]
Physical security requires restricted areas and padlocked equipment.
Different VLANs cannot communicate directly, and need to go through a router to communicate.
[Diagram: VLAN 1 and VLAN 2 connected to the Router (NAT) over an 802.1q Trunk.]
Screening Firewalls filter for IP and TCP packet details, such as addresses and TCP ports, for incoming/outgoing traffic.
[Diagram: Firewall (Packet filter) at the Internet edge, working on the L3. Internet (IP) and L4. Transport (TCP) details.]
Stateful Firewalls filter for Application, IP and TCP packet details. They remember previous data packets, and keep track of connections.
[Diagram: Firewall (Stateful) in front of the DMZ.]
All Application-layer traffic goes through the Proxy (eg FTP, Telnet, and so on), aka Application Gateways.
[Diagram: Proxy server in the DMZ handling the Application-layer traffic.]
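The difference between the screening firewall and the stateful firewall described on the slides above, as an added example (not the author's or Cisco's code): a small model of PIX/ASA-style connection tracking with PAT, where an outbound flow creates a translation (xlate) and a connection entry, and inbound packets are permitted only when they match one. It assumes an inside network of 192.168.2.0/24 and an outside address of 10.1.1.1, taken from the later routing diagram; all traffic is constructed.

```python
"""Stateful connection tracking with PAT, modelled on the PIX/ASA behaviour
the slides describe (added example, not the author's or Cisco's code).
Assumptions: inside network 192.168.2.0/24, outside (PAT) address 10.1.1.1,
both taken from the routing diagram; the packets are constructed."""
import ipaddress
from dataclasses import dataclass

INSIDE_NET = ipaddress.ip_network("192.168.2.0/24")
OUTSIDE_ADDR = "10.1.1.1"      # PAT address: every inside host hides behind it


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str = "tcp"
    syn: bool = False          # only a SYN may open a new tracked flow


class StatefulPAT:
    """Outbound flows create an xlate and a conn entry; inbound packets are
    permitted only when they match an existing conn (a packet filter would
    instead judge each packet on its own addresses and ports)."""

    def __init__(self):
        self.next_port = 1024      # next free PAT port on the outside address
        self.xlate = {}            # (inside_ip, inside_port) -> pat_port
        self.conns = {}            # (pat_port, remote_ip, remote_port) -> (inside_ip, inside_port)
        self.log = []

    @staticmethod
    def _is_inside(ip):
        return ipaddress.ip_address(ip) in INSIDE_NET

    def outbound(self, pkt):
        """Inside -> outside: translate the source, record state and return
        the packet as seen on the outside wire, or None if dropped."""
        if not self._is_inside(pkt.src) or self._is_inside(pkt.dst):
            self.log.append(f"DROP outbound {pkt.src}:{pkt.sport}: not inside -> outside")
            return None
        key = (pkt.src, pkt.sport)
        if key not in self.xlate:
            if not pkt.syn:
                # A non-SYN segment with no translation belongs to no tracked
                # connection: the stateful firewall drops it.
                self.log.append(f"DROP outbound non-SYN {pkt.src}:{pkt.sport}")
                return None
            self.xlate[key] = self.next_port
            self.next_port += 1
        pat_port = self.xlate[key]
        self.conns[(pat_port, pkt.dst, pkt.dport)] = key
        self.log.append(f"XLATE {pkt.src}:{pkt.sport} -> {OUTSIDE_ADDR}:{pat_port}")
        return Packet(OUTSIDE_ADDR, pat_port, pkt.dst, pkt.dport, pkt.proto, pkt.syn)

    def inbound(self, pkt):
        """Outside -> inside: permit only replies to a tracked connection and
        untranslate the destination; everything else is dropped."""
        conn = self.conns.get((pkt.dport, pkt.src, pkt.sport))
        if pkt.dst != OUTSIDE_ADDR or conn is None:
            self.log.append(f"DROP inbound {pkt.src}:{pkt.sport} -> {pkt.dst}:{pkt.dport}: no conn")
            return None
        inside_ip, inside_port = conn
        self.log.append(f"UNXLATE {pkt.dst}:{pkt.dport} -> {inside_ip}:{inside_port}")
        return Packet(pkt.src, pkt.sport, inside_ip, inside_port, pkt.proto, pkt.syn)


def demo():
    """Constructed traffic: 192.168.2.3 opens a web session to 176.10.1.2,
    the server's reply is allowed back in, and an unsolicited inbound SYN to
    the outside address is dropped. Returns (outbound, reply, unsolicited)."""
    fw = StatefulPAT()
    out = fw.outbound(Packet("192.168.2.3", 40000, "176.10.1.2", 80, syn=True))
    reply = fw.inbound(Packet("176.10.1.2", 80, OUTSIDE_ADDR, out.sport))
    unsolicited = fw.inbound(Packet("176.10.1.2", 80, OUTSIDE_ADDR, 2000, syn=True))
    return out, reply, unsolicited


if __name__ == "__main__":
    for result in demo():
        print(result)
```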
Professional Cert.
Cisco Certification tracks: Routing & Switching; Design; Net Security; Service Provider; Storage Network; Voice; Wireless.
[Diagram: security progression CCNA ENT / CCNA, CCNA Security, CCSP, CCIE Security.]
CCSP Cert.
Core:
642-504 SNRS Securing Networks with Cisco Routers and Switches
642-524 SNAF Securing Networks with ASA Foundation
642-533 IPS Implementing Cisco Intrusion Prevention System (IPS)
Option (select one):
642-591 CANAC Implementing Cisco NAC Appliance
642-545 MARS Implementing Cisco Security Monitoring, Analysis and Response System
642-515 SNAA Securing Networks with ASA Advanced
Firewalls
Software firewall: host-based (Zone alarm); CheckPoint firewall (software), which runs within Windows Server, VMWare or LINUX; LINUX iptables.
Hardware firewall: Cisco router with firewall (non-stateful); Cisco PIX/ASA (stateful); CheckPoint firewall (dedicated); Nokia.
Hardware firewall: Optimized engine/architecture. Copes better with large traffic conditions. Improved failover.
Software firewall: Easy to reconfigure. Slower. Less expensive. Can be used with a range of computers/OSs.
Firewall rules. These are contained within ACLs (using the access-list and access-group commands), and block or permit traffic. A key feature of this is the usage of URL filtering, which defines the Web pages which are allowed and which are not.
Port blocking. These use the fixup command to change, enable or disable network services.
Cut-through proxy. This allows the definition of the users who are allowed services such as HTTP, Telnet and FTP. This authentication is a single initial authentication, which differs from the normal proxy operation, which checks every single packet.
Intrusion detection. This uses the ip audit command to detect intrusions.
Shunning. This, along with intrusion detection, allows a defined response to an intrusion.
Encryption. This allows the PIX firewall to support enhanced encryption, such as being a server for VPN connections, typically with IPSec and tunnelling techniques such as PPTP.
Failover. This allows other devices to detect that a PIX device has crashed, and that another device needs to take its place.
Enterprise PIX 525. This has a 600MHz processor with 256MB RAM, and handles a throughput of 360Mbps for a maximum of 280,000 connections. It supports failover, and has the support for up to eight connections.
Enterprise PIX 535. This has a 1GHz processor with 1GB RAM, and handles a throughput of 1Gbps for a maximum of 500,000 connections. It supports failover, and has the support for up to ten network interfaces.
ASA 5520: Intel Pentium 4, 2GHz; 512MB RAM; PIX 7.x / ASA 8.x IOS; 8 interfaces; Integrated VPN; SSL VPN; Throughput: 450Mbps; 3DES: 225Mbps; Max conn: 280,000; VPN peers: 750.
PIX/ASA Configuration
[Screenshots: PIX/ASA firewall (ASDM).]
Configuring the interfaces
[Diagram: PIX/ASA with E0 (outside), E1 (inside) and E2 (inf2).]
PIX 6.x:
# config t
(config)# hostname freds
(config)# domain-name fred.com
(config)# ip address outside 192.168.1.1 255.255.255.0
(config)# interface e0 auto
PIX/ASA 7.x/8.x:
(config)# hostname freds
(config)# domain-name fred.com
(config)# int e0
(config-if)# ip address 192.168.2.1 255.255.255.0
(config-if)# no shutdown
(config-if)# exit
Setting the default route
[Diagram: PIX/ASA with E0 (outside), E1 (inside) and E2 (inf2).]
Setting routes
[Diagram: PIX/ASA with interfaces E0, E1 and E2 and a Perimeter gateway; address labels: E0 10.1.1.1, 10.1.1.254, 172.10.10.1, 172.10.10.2, 192.168.2.1, 192.168.2.3, 192.168.2.5, 176.10.1.1, 176.10.1.2.]
Fixup
(config)# show fixup
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
(config)# fixup protocol http 161
(config)# fixup protocol ftp 60
(config)# fixup protocol smtp 84
FTP requires a server port on the initiator. SQL*Net requires a negotiation on the connected port.
[Diagram slides on the same routing topology (E0 10.1.1.1 with Perimeter gateway 10.1.1.254; 172.10.10.1/172.10.10.2; 192.168.2.1, 192.168.2.3, 192.168.2.5; 176.10.1.1, 176.10.1.2): NAT; PAT (with hosts marked "Do not NAT!"); Static mappings; ACL.]
PIX/ASA Failover
Failure: power supply failures, primary reboot, interface problems, memory overflow.
[Diagram: 40U rack with UPS 1 and UPS 2, and 5U and 1U units.]
Failover
[Diagram: MAIN and STANDBY units, each with E0 (outside), E1 (inside) and E2 (inf2), joined by a failover cable.]
Either Prim (UR)/Sec (UR), or Prim (UR)/Sec (FO). Activation key is required!
UR: Unrestricted licence (must be used for primary). FO: Failover licence (for secondary). R: Restricted licence (cannot be used).
Both units must have: Same PIX type. Same RAM. Same Flash memory. Same type and interfaces. Same software version. Same activation keys for DES or 3DES.
Hello messages are sent on ALL interfaces, including the failover connection.
Hello messages are sent every 1-15 seconds on every interface (hello time: PIX default 15 seconds, ASA default 1 second). If messages are not received within the holdtime (PIX default: 45 seconds, 3 times the hello time; ASA default: 15 seconds), failover happens. If the secondary doesn't work, the primary assumes control, and there is no failover.
Tests: Test 1. NIC status test: up/down status of the interface. Test 2. Network activity: monitor for 5 seconds; if activity is detected, cancel the tests. Test 3. ARP test: requests the last 10 IP addresses in the ARP table. Test 4. Ping test: broadcast ping of 255.255.255.255; if any replies are received, the test is quit.
[Diagram: primary and Standby units connected by a failover cable or by Ethernet (LAN-based), each with e0 outside, e1 inside and e2 inf2.]
On start-up the config is automatically copied over. All new commands are replicated. The write standby command sends the config to the secondary.
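The hello/holdtime rule from the failover slides above, as an added example (not the author's or Cisco's code): a simulation of the standby unit tracking the last hello seen per interface and taking over once any interface has been silent for longer than the holdtime. The hello and holdtime values are the slide's PIX and ASA defaults; the hello timestamps are constructed.

```python
"""Simulation of PIX/ASA failover detection by hello/holdtime, as described
on the slides (added example, not Cisco's code). Defaults are the slide's;
the hello arrival times in the scenarios are constructed."""

PIX_DEFAULTS = {"hello": 15, "holdtime": 45}   # holdtime = 3 x hello time
ASA_DEFAULTS = {"hello": 1, "holdtime": 15}


class FailoverMonitor:
    """The standby unit's view: last hello seen per interface; the active
    unit is declared failed when an interface's silence exceeds holdtime."""

    def __init__(self, interfaces, hello, holdtime):
        if holdtime < hello:
            raise ValueError("holdtime must not be shorter than the hello interval")
        self.hello = hello
        self.holdtime = holdtime
        self.last_seen = {ifc: 0 for ifc in interfaces}   # t=0: units just synced
        self.state = "standby"
        self.failed_interfaces = []

    def hello_received(self, interface, t):
        self.last_seen[interface] = t

    def tick(self, t):
        """Re-evaluate every interface at time t and return the new state."""
        if self.state == "active":
            return self.state
        silent = [ifc for ifc, seen in self.last_seen.items() if t - seen > self.holdtime]
        if silent:
            self.failed_interfaces = silent
            self.state = "active"       # standby takes over: failover happens
        return self.state


def run_scenario(hello, holdtime, hello_times, end_time):
    """hello_times maps interface -> list of integer seconds at which a hello
    arrived. Returns (final_state, failover_time_or_None, failed_interfaces)."""
    mon = FailoverMonitor(hello_times.keys(), hello, holdtime)
    events = sorted((t, ifc) for ifc, ts in hello_times.items() for t in ts)
    failover_at = None
    for t in range(1, end_time + 1):
        for when, ifc in events:
            if when == t:
                mon.hello_received(ifc, when)
        if mon.tick(t) == "active":
            failover_at = t
            break
    return mon.state, failover_at, mon.failed_interfaces


def pix_scenario():
    """PIX defaults: hellos every 15 s on outside, inside, inf2 and the
    failover cable; the active unit stops sending on 'outside' after t=30
    (a failed NIC). Holdtime 45 s is exceeded at t=76."""
    good = [15, 30, 45, 60, 75, 90, 105, 120]
    hellos = {"outside": [15, 30], "inside": good, "inf2": good, "failover": good}
    return run_scenario(PIX_DEFAULTS["hello"], PIX_DEFAULTS["holdtime"], hellos, 120)


def asa_scenario():
    """ASA defaults: hellos every second; the whole active unit dies after
    t=20, so every interface goes silent and failover follows at t=36."""
    hellos = {ifc: list(range(1, 21)) for ifc in ("outside", "inside", "inf2", "failover")}
    return run_scenario(ASA_DEFAULTS["hello"], ASA_DEFAULTS["holdtime"], hellos, 60)


def healthy_scenario():
    """PIX defaults with hellos arriving on time on every interface: the
    standby never takes over."""
    good = list(range(15, 121, 15))
    hellos = {ifc: good for ifc in ("outside", "inside", "inf2", "failover")}
    return run_scenario(PIX_DEFAULTS["hello"], PIX_DEFAULTS["holdtime"], hellos, 120)


if __name__ == "__main__":
    print("PIX:", pix_scenario())
    print("ASA:", asa_scenario())
    print("healthy:", healthy_scenario())
```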
Stateful failover. Restores everything: ARP table, Xlate, Fixup tables, routing information, IPSec/ISAKMP tables, MAC addresses, Hello messages. Secondary inherits the IP addresses and MAC addresses of the primary; primary inherits the IP addresses and MAC addresses of the secondary. Requires an additional Ethernet connection (e3, the stateful connection) alongside the failover cable.
Non-stateful failover. Only RAM config and session details. Secondary inherits the IP addresses and MAC addresses of the primary; primary inherits the IP addresses and MAC addresses of the secondary. Lost: NAT translations and connections.
[Diagram: LAN-based failover, with e2 on each unit connected to a dedicated switch/hub.]
Failover configuration (failover cable, stateful connection on e3):
myPIX (config)# failover active
myPIX (config)# failover ip address outside 157.202.212.2
myPIX (config)# failover ip address inside 73.105.56.11
myPIX (config)# failover ip address inf2 166.209.230.11
myPIX (config)# failover poll 2
myPIX (config)# show failover
LAN-based Failover (primary unit; stateful connection on e2):
myPIX (config)# ip address outside 157.202.212.1
myPIX (config)# ip address inside 73.105.56.1
myPIX (config)# ip address inf2 166.209.230.1
myPIX (config)# failover active
myPIX (config)# failover ip address outside 157.202.212.2
myPIX (config)# failover ip address inside 73.105.56.2
myPIX (config)# failover ip address inf2 166.209.230.2
myPIX (config)# failover lan key mypix
myPIX (config)# failover lan unit primary
myPIX (config)# failover lan interface inf2
myPIX (config)# failover lan enable
LAN-based Failover (secondary unit):
myPIX (config)# ip address inf2 166.209.230.2
myPIX (config)# failover active
myPIX (config)# failover lan key mypix
myPIX (config)# failover lan unit secondary
myPIX (config)# failover lan interface inf2
myPIX (config)# failover lan enable
VPN
Issues involved
[Diagram: Bob and Alice behind Gateways across an Untrusted network, with Eve in the middle.]
Eve could eavesdrop on the public communications. Eve could change the data packets. Eve could set up an alternative gateway.
What is required is: Encryption. Authentication of devices (to overcome spoofing). Authentication of packets (for integrity).
Tunnelling methods
PPTP (Point-to-point Tunneling Protocol). Created by Microsoft and is routable. It uses MPPE (Microsoft Point-to-point Encryption) and user authentication.
L2TP (Layer 2 Tunneling Protocol). Works at Layer 2 to forward IP, IPX and AppleTalk (RFC2661). Cisco, Microsoft, Ascend and 3Com developed it. User and machine authentication, but no encryption (but can be used with L2TP over IPSec).
IPSec. An open standard. Includes both encryption and authentication.
Tunnelling mode or transport mode
Traffic is encrypted over the untrusted network.
[Diagram: Tunnelling mode (over untrusted connections): unencrypted traffic from Bob to his gateway, encrypted traffic between the gateways, unencrypted traffic from the far gateway to Alice.]
Transport mode. End-to-end (host-to-host) tunnelling.
VPN types
[Diagram: Extranet VPN (Bob Co. to Alice Co.); Intranet VPN (Bob Co. to Bob Co.); Remote Access VPN (Bob@home to Bob Co.).]
[Diagram: the example infrastructure with a VPN between Bob and Alice; traffic is only encrypted over the public channel.]
Traffic is encrypted and cannot be checked by firewalls, IDS, and so on.
Blocking end-to-end encryption
[Diagram: the example infrastructure; traffic is only encrypted over the public channel.]
Firewall blocks all encrypted content and any negotiation of a tunnel.
For IPSec (one of the most popular tunnelling methods): UDP Port 500 is the key exchange port. If it is blocked there can be no tunnel. TCP Port 50 for IPSec ESP (Encapsulated Security Protocol). TCP Port 51 for IPSec AH (Authentication Header).
IPSec
The IPSec protocol has:
ESP (Encapsulated Security Protocol). ESP takes the original data packet, and breaks off the IP header. The rest of the packet is encrypted, with the original header added at the start, along with a new ESP field at the start, and one at the end. It is important that the IP header is not encrypted, as the data packet must still be read by routers as it travels over the Internet. Only the host at the other end of the IPSec tunnel can decrypt the contents of the IPSec data packet.
AH (Authentication Header). This encrypts the complete contents of the IP data packet, and adds a new packet header. ESP has the weakness that an intruder can replay previously sent data, whereas AH provides a mechanism of sequence numbers to reduce this problem.
[Diagram: ESP transport mode method (Weakness: Replay attack): IP header, ESP header, IP packet contents (encrypted), ESP trailer, ESP Auth., with the authentication scope marked.]
[Diagram: AH transport method (Provides complete authentication for the packet): New IP header, AH header, IP packet contents, with the authentication scope marked over the whole packet.]
[Diagram: IP header fields: Version, Header length, Type of service, Total length, Identification, flags (0, D, M), Fragment Offset, Time-to-Live, Protocol, Header Checksum, Source IP Address, Destination IP Address; followed by the TCP header and the higher-level protocol/data.]
IP Protocol field values:
1 ICMP Internet Control Message [RFC792]
6 TCP Transmission Control [RFC793]
8 EGP Exterior Gateway Protocol [RFC888]
9 IGP any private interior gateway [IANA]
47 GRE General Routing Encapsulation (PPTP)
50 ESP Encap Security Payload [RFC2406]
51 AH Authentication Header [RFC2402]
55 MOBILE IP Mobility
88 EIGRP EIGRP [CISCO]
89 OSPFIGP OSPFIGP [RFC1583]
115 L2TP Layer Two Tunneling Protocol
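The IP header fields and Protocol values listed above, together with the "Blocking end-to-end encryption" policy, as an added example (not the author's code): a parser for the IPv4 header fields named on the slide, and a classifier that recognises IKE by UDP port 500 and ESP and AH by their Protocol field values from the table (50 and 51). The packets are constructed between the addresses of the IPSec diagram; the checksum is left zero because they are only parsed, never sent.

```python
"""Parse the IPv4 header fields from the slide and classify packets by the
IPSec protocol numbers in the table above (added example, not the author's
code). Sample packets are constructed with addresses from the IPSec diagram."""
import struct

PROTOCOL_NAMES = {1: "ICMP", 6: "TCP", 17: "UDP", 47: "GRE", 50: "ESP", 51: "AH", 115: "L2TP"}
IKE_PORT = 500           # UDP port used for IKE, as stated on the slide
TUNNEL_CLASSES = ("ike", "esp", "ah")


def parse_ipv4(raw):
    """Return the header fields named on the slide as a dict, or None if the
    bytes are not a complete IPv4 header."""
    if len(raw) < 20:
        return None
    # First 12 bytes: version/IHL, TOS, total length, identification,
    # flags+fragment offset, TTL, protocol, header checksum.
    vihl, tos, total_len, ident, flags_frag, ttl, proto, csum = struct.unpack("!BBHHHBBH", raw[:12])
    version, ihl = vihl >> 4, (vihl & 0x0F) * 4
    if version != 4 or ihl < 20 or len(raw) < ihl:
        return None
    return {
        "version": version, "header_length": ihl, "tos": tos,
        "total_length": total_len, "identification": ident,
        "flags": flags_frag >> 13, "fragment_offset": flags_frag & 0x1FFF,
        "ttl": ttl, "protocol": proto,
        "protocol_name": PROTOCOL_NAMES.get(proto, str(proto)),
        "checksum": csum,
        "src": ".".join(str(b) for b in raw[12:16]),
        "dst": ".".join(str(b) for b in raw[16:20]),
        "payload": raw[ihl:],
    }


def classify_vpn(raw):
    """Label a packet 'ike', 'esp', 'ah', 'other' or 'malformed'."""
    hdr = parse_ipv4(raw)
    if hdr is None:
        return "malformed"
    if hdr["protocol"] == 50:
        return "esp"
    if hdr["protocol"] == 51:
        return "ah"
    if hdr["protocol"] == 17 and len(hdr["payload"]) >= 8:
        sport, dport = struct.unpack("!HH", hdr["payload"][:4])
        if IKE_PORT in (sport, dport):
            return "ike"
    return "other"


def build_ipv4(src, dst, proto, payload, ttl=64):
    """Construct a minimal IPv4 packet with the DF flag set and a zero
    checksum (these packets are only ever parsed here)."""
    src_b = bytes(int(o) for o in src.split("."))
    dst_b = bytes(int(o) for o in dst.split("."))
    header = struct.pack("!BBHHHBBH", 0x45, 0, 20 + len(payload), 0x1234, 0x4000, ttl, proto, 0)
    return header + src_b + dst_b + payload


def sample_packets():
    """Constructed traffic between the IPSec peers 172.16.0.1 and 172.16.0.2,
    plus an ordinary DNS query that the policy should leave alone."""
    ike = build_ipv4("172.16.0.1", "172.16.0.2", 17, struct.pack("!HHHH", 500, 500, 8, 0))
    esp = build_ipv4("172.16.0.1", "172.16.0.2", 50, b"\x00\x00\x10\x01" + bytes(12))
    ah = build_ipv4("172.16.0.2", "172.16.0.1", 51, b"\x06\x04\x00\x00" + bytes(12))
    dns = build_ipv4("10.0.0.1", "192.168.0.1", 17, struct.pack("!HHHH", 53000, 53, 8, 0))
    return {"ike": ike, "esp": esp, "ah": ah, "dns": dns}


def firewall_verdicts(packets):
    """Apply the slide's policy: drop tunnel traffic and tunnel negotiation,
    pass everything else."""
    return {name: ("drop" if classify_vpn(p) in TUNNEL_CLASSES else "pass")
            for name, p in packets.items()}


if __name__ == "__main__":
    for name, verdict in firewall_verdicts(sample_packets()).items():
        print(f"{name}: {verdict}")
```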
Remote Access VPN (Bob@home to Bob Co.)
Phase 1 (IKE, Internet Key Exchange). UDP port 500 is used for IKE. Defines the policies between the peers.
IKE Policies: Hashing algorithm (SHA/MD5); Encryption (DES/3DES); Diffie-Hellman agreements; Authentication (pre-share, RSA nonces, RSA sig).
isakmp enable outside
isakmp key ABC&FDD address 176.16.0.2 netmask 255.255.255.255
isakmp identity address
isakmp policy 5 authen pre-share
isakmp policy 5 encrypt des
isakmp policy 5 hash sha
isakmp policy 5 group 1
isakmp policy 5 lifetime 86400
sysopt connection permit-ipsec
Phase 2. Defines the policies for transform sets, peer IP addresses/hostnames and lifetime settings. Crypto maps are exchanged: AH, ESP (or both); Encryption (DES, 3DES); ESP (tunnel or transport); Authentication (SHA/MD5); SA lifetimes defined. Define the traffic of interest.
crypto ipsec transform-set MYIPSECFORMAT esp-des esp-sha-hmac
crypto map MYIPSEC 10 ipsec-isakmp
access-list 111 permit ip 10.0.0.0 255.255.255.0 176.16.0.0 255.255.255.0
crypto map MYIPSEC 10 match address 111
crypto map MYIPSEC 10 set peer 176.16.0.2
crypto map MYIPSEC 10 set transform-set MYIPSECFORMAT
crypto map MYIPSEC interface outside
[Diagram: device authentication and key agreement: each side holds a public key (Kpb1, Kpb2; Kpv1 is the matching private key); the public key is used to authenticate the device (challenge, hashed value, result); a shared key passed by Diffie-Hellman is used to encrypt all the data.]
IPSec (PIX) and IPSec (PIX and Router)
[Diagrams: IPSec between a PIX and a router, with addresses 10.0.0.1, 172.16.0.1, 172.16.0.2 and 192.168.0.1.]
Wireshark capture of the IKE exchange:
No. 81  Time 5.237402  Source 192.168.0.3  Destination 146.176.210.2  Protocol ISAKMP  Info Aggressive
Frame 81 (918 bytes on wire, 918 bytes captured)
Ethernet II, Src: IntelCor_34:02:f0 (00:15:20:34:62:f0), Dst: Netgear_b0:d6:8c (00:18:4d:b0:d6:8c)
Internet Protocol, Src: 192.168.0.3 (192.168.0.3), Dst: 146.176.210.2 (146.176.210.2)
Internet Security Association and Key Management Protocol
  Initiator cookie: 5ABABE2D49A2D42A
  Responder cookie: 0000000000000000
  Next payload: Security Association (1)
  Version: 1.0
  Exchange type: Aggressive (4)
  Flags: 0x00
  Message ID: 0x00000000
  Length: 860
  Security Association payload
    Next payload: Key Exchange (4)
    Payload length: 556
    Domain of interpretation: IPSEC (1)
    Situation: IDENTITY (1)
    Proposal payload # 1
      Next payload: NONE (0)
      Payload length: 544
      Proposal number: 1
      Protocol ID: ISAKMP (1)
      SPI Size: 0
      Proposal transforms: 14
      Transform payload # 1
        Next payload: Transform (3)
        Payload length: 40
        Transform number: 1
        Transform ID: KEY_IKE (1)
        Encryption-Algorithm (1): AES-CBC (7)
        Hash-Algorithm (2): SHA (2)
        Group-Description (4): Alternate 1024-bit MODP group (2)
        Authentication-Method (3): XAUTHInitPreShared (65001)
        Life-Type (11): Seconds (1)
        Life-Duration (12): Duration-Value (2147483)
        Key-Length (14): Key-Length (256)
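The fixed ISAKMP header that Wireshark decodes in the capture above, as an added example (not the author's code): a parser for the eight header fields in the order the capture lists them (cookies, next payload, version, exchange type, flags, message ID, length), applied to constructed bytes that reproduce the capture's values, including exchange type 4 (Aggressive) and the all-zero responder cookie of a first Phase 1 message.

```python
"""Decode the fixed ISAKMP header shown in the capture above (added example,
not the author's code). The field order follows the capture; the sample bytes
are constructed to reproduce the capture's header values."""
import struct

EXCHANGE_TYPES = {1: "Base", 2: "Identity Protection (Main)", 3: "Authentication Only",
                  4: "Aggressive", 5: "Informational", 32: "Quick"}
PAYLOAD_TYPES = {0: "NONE", 1: "Security Association", 3: "Transform", 4: "Key Exchange",
                 5: "Identification", 10: "Nonce"}
ISAKMP_HEADER_LEN = 28   # 8 + 8 + 1 + 1 + 1 + 1 + 4 + 4 bytes


def parse_isakmp_header(data):
    """Return the header fields as a dict (cookies as upper-case hex, version
    as 'major.minor'), or None when the data is shorter than a header or the
    length field cannot even cover the header itself."""
    if len(data) < ISAKMP_HEADER_LEN:
        return None
    icookie, rcookie, next_payload, version, exch, flags, msg_id, length = \
        struct.unpack("!8s8sBBBBII", data[:ISAKMP_HEADER_LEN])
    if length < ISAKMP_HEADER_LEN:
        return None
    return {
        "initiator_cookie": icookie.hex().upper(),
        "responder_cookie": rcookie.hex().upper(),
        "next_payload": PAYLOAD_TYPES.get(next_payload, str(next_payload)),
        "version": f"{version >> 4}.{version & 0x0F}",
        "exchange_type": EXCHANGE_TYPES.get(exch, str(exch)),
        "flags": flags,
        "message_id": msg_id,
        "length": length,
    }


def is_phase1_first_message(hdr):
    """The first Phase 1 message carries a zero responder cookie and message
    ID 0, exactly as in the capture (the responder has not yet answered)."""
    return hdr["responder_cookie"] == "0" * 16 and hdr["message_id"] == 0


def sample_header():
    """Constructed bytes reproducing the capture's header: initiator cookie
    5ABABE2D49A2D42A, responder cookie 0, next payload SA (1), version 1.0,
    exchange type Aggressive (4), flags 0, message ID 0, length 860."""
    return struct.pack("!8s8sBBBBII", bytes.fromhex("5ABABE2D49A2D42A"), bytes(8),
                       1, 0x10, 4, 0, 0, 860)


if __name__ == "__main__":
    for field, value in parse_isakmp_header(sample_header()).items():
        print(f"{field}: {value}")
```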
VPN Bob Co.Bob@ home
Remote Access VPN
C:\>route print =========================================================================== Interface List 10 ...00 1d 09 3f 49 8d ...... Broadcom NetLink (TM) Fast Ethernet 7 ...00 1f 3c 4f 30 1d ...... Intel(R) PRO/Wireless 3945ABG Network Connection 1 ........................... Software Loopback Interface 1 =========================================================================== IPv4 Route Table =========================================================================== Active Routes: Network Destination Netmask Gateway Interface Metric 0.0.0.0 0.0.0.0 192.168.0.1 192.168.0.3 25 127.0.0.0 255.0.0.0 On-link 127.0.0.1 306 127.0.0.1 255.255.255.255 On-link 127.0.0.1 306 127.255.255.255 255.255.255.255 On-link 127.0.0.1 306 192.168.0.0 255.255.255.0 On-link 192.168.0.3 281 192.168.0.3 255.255.255.255 On-link 192.168.0.3 281 192.168.0.255 255.255.255.255 On-link 192.168.0.3 281 224.0.0.0 240.0.0.0 On-link 127.0.0.1 306 224.0.0.0 240.0.0.0 On-link 192.168.0.3 281 255.255.255.255 255.255.255.255 On-link 127.0.0.1 306 255.255.255.255 255.255.255.255 On-link 192.168.0.3 281 =========================================================================== Persistent Routes: None Author: Prof Bill BuchananBefore Stateful firewall VPN connecting to the PIX/ASA
Author: Bill Buchanan
VPN Bob Co.Bob@ home
Remote Access VPNC:\>route print =========================================================================== Interface List 21 ...00 05 9a 3c 78 00 ...... Cisco Systems VPN Adapter 10 ...00 1d 09 3f 49 8d ...... Broadcom NetLink (TM) Fast Ethernet 7 ...00 1f 3c 4f 30 1d ...... Intel(R) PRO/Wireless 3945ABG Network Connectio 1 ........................... Software Loopback Interface 1 =========================================================================== IPv4 Route Table =========================================================================== Active Routes: Network Destination Netmask Gateway Interface Metric 0.0.0.0 0.0.0.0 192.168.0.1 192.168.0.3 25 127.0.0.0 255.0.0.0 On-link 127.0.0.1 306 127.0.0.1 255.255.255.255 On-link 127.0.0.1 306 127.255.255.255 255.255.255.255 On-link 127.0.0.1 306 146.176.0.0 255.255.0.0 On-link 146.176.212.218 281 146.176.1.0 255.255.255.0 146.176.0.1 146.176.212.218 100 146.176.2.0 255.255.255.0 146.176.0.1 146.176.212.218 100 ... 146.176.210.2 255.255.255.255 192.168.0.1 192.168.0.3 100 146.176.211.0 255.255.255.0 146.176.0.1 146.176.212.218 100 146.176.212.218 255.255.255.255 On-link 146.176.212.218 281 ... 255.255.255.255 255.255.255.255 On-link 127.0.0.1 306 255.255.255.255 255.255.255.255 On-link 192.168.0.3 281 255.255.255.255 255.255.255.255 On-link 146.176.212.218 281 Author: Prof Bill Buchanan =========================================================================== PersistAfter connecting to the VPN Stateful firewall PIX/ASA
[Diagram: Remote Access VPN from Bob@home to Bob Co.; labels: 192.168.0.3, 146.176.212.218, VPN connection, 146.176.0.1]

After connecting to the VPN (excerpt):

C:\>route print
===========================================================================
Interface List
 21 ...00 05 9a 3c 78 00 ...... Cisco Systems VPN Adapter
 10 ...00 1d 09 3f 49 8d ...... Broadcom NetLink (TM) Fast Ethernet
  7 ...00 1f 3c 4f 30 1d ...... Intel(R) PRO/Wireless 3945ABG Network Connection
  1 ........................... Software Loopback Interface 1
===========================================================================
IPv4 Route Table
===========================================================================
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0      192.168.0.1      192.168.0.3     25
        127.0.0.0        255.0.0.0         On-link        127.0.0.1    306
        127.0.0.1  255.255.255.255         On-link        127.0.0.1    306
  127.255.255.255  255.255.255.255         On-link        127.0.0.1    306
      146.176.0.0      255.255.0.0         On-link  146.176.212.218    281
      146.176.1.0    255.255.255.0      146.176.0.1  146.176.212.218    100
      146.176.2.0    255.255.255.0      146.176.0.1  146.176.212.218    100
...
===========================================================================
Persist

Only traffic for the 146.176.0.0 network is sent through the VPN adapter; all other traffic goes through the non-VPN connection.
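The split-tunnel behaviour on the slides can be checked by replaying Windows route selection over the post-VPN table. The following Python is an added example, not part of the slides: the route rows are a constructed subset copied from the "After connecting to the VPN" route print, and the longest-prefix/lowest-metric rule is the standard Windows selection applied to them.

```python
import ipaddress

# Constructed for this example: a subset of the 'Active Routes' rows from the
# post-VPN 'route print' slide (destination, netmask, gateway, interface, metric).
ROUTE_PRINT_AFTER_VPN = """\
0.0.0.0 0.0.0.0 192.168.0.1 192.168.0.3 25
127.0.0.0 255.0.0.0 On-link 127.0.0.1 306
146.176.0.0 255.255.0.0 On-link 146.176.212.218 281
146.176.1.0 255.255.255.0 146.176.0.1 146.176.212.218 100
146.176.210.2 255.255.255.255 192.168.0.1 192.168.0.3 100
192.168.0.0 255.255.255.0 On-link 192.168.0.3 281
"""

VPN_ADAPTER = "146.176.212.218"   # address of the Cisco VPN adapter on the slide


def parse_routes(text):
    """Parse route-print rows into (network, gateway, interface, metric)."""
    routes = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue                      # skip headers and the '...' lines
        dest, mask, gateway, iface, metric = parts
        net = ipaddress.ip_network(f"{dest}/{mask}", strict=False)
        routes.append((net, gateway, iface, int(metric)))
    return routes


def lookup(routes, destination):
    """Windows-style selection: longest prefix wins, lowest metric breaks ties."""
    addr = ipaddress.ip_address(destination)
    matches = [r for r in routes if addr in r[0]]
    _net, gateway, iface, _metric = max(matches, key=lambda r: (r[0].prefixlen, -r[3]))
    return gateway, iface


def via_tunnel(routes, destination):
    """True if the chosen route leaves through the VPN adapter (split tunnel)."""
    return lookup(routes, destination)[1] == VPN_ADAPTER


if __name__ == "__main__":
    table = parse_routes(ROUTE_PRINT_AFTER_VPN)
    # A web server inside Bob Co., the VPN peer itself, and an Internet host.
    for host in ("146.176.222.174", "146.176.210.2", "90.223.246.33"):
        gw, iface = lookup(table, host)
        print(f"{host:16} -> gateway {gw:12} interface {iface:16} "
              f"{'VPN tunnel' if via_tunnel(table, host) else 'clear (non-VPN)'}")
```

Note that the /32 host route for the VPN peer 146.176.210.2 deliberately stays on the physical gateway: without it the encrypted packets to the concentrator would themselves be routed into the tunnel.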
Traceroute for VPN

[Diagram: Remote Access VPN from Bob@home to Bob Co.; labels: 146.176.212.218, VPN connection, 146.176.0.1]

Before VPN connection:

C:\>tracert www.napier.ac.uk
Tracing route to www.napier.ac.uk [146.176.222.174]
over a maximum of 30 hops:
  1     2 ms     2 ms     6 ms  192.168.0.1
  2    36 ms    38 ms    38 ms  cr0.escra.uk.easynet.net [87.87.249.224]
  3    31 ms    31 ms    30 ms  ip-87-87-146-129.easynet.co.uk [87.87.146.129]
  4    43 ms    43 ms    43 ms  be2.er10.thlon.ov.easynet.net [195.66.224.43]
  5    48 ms    45 ms    45 ms  linx-gw1.ja.net [195.66.224.15]
  6    45 ms    44 ms    45 ms  so-0-1-0.lond-sbr4.ja.net [146.97.35.129]
  7    49 ms    79 ms    49 ms  so-2-1-0.leed-sbr1.ja.net [146.97.33.29]
  8    58 ms    56 ms    56 ms  EastMAN-E1.site.ja.net [146.97.42.46]
  9    59 ms    57 ms    57 ms  vlan16.s-pop2.eastman.net.uk [194.81.56.66]
 10    57 ms    59 ms    58 ms  gi0-1.napier-pop.eastman.net.uk [194.81.56.46]
 11    (row not recovered from the slide)

After VPN connection:

C:\>tracert www.napier.ac.uk
Tracing route to www.napier.ac.uk [146.176.222.174]
over a maximum of 30 hops:
  hops 1 to 3, round-trip times in the order shown on the slide: 57 ms 58 ms 58 ms 58 ms 56 ms 59 ms 57 ms 57 ms 56 ms
  hop hosts: 146.176.210.2, www.napier.ac.uk [146.176.222.174], www.napier.ac.uk [146.176.222.174]
Traceroute for VPN

[Diagram: Remote Access VPN from Bob@home to Bob Co.; labels: 146.176.212.218, VPN connection, 146.176.0.1]

Before VPN connection:

C:\>tracert www.intel.com
Tracing route to a961.g.akamai.net [90.223.246.33]
over a maximum of 30 hops:
  1     3 ms     1 ms     1 ms  192.168.0.1
  2    35 ms    43 ms    36 ms  cr0.escra.uk.easynet.net [87.87.249.224]
  3    32 ms    31 ms    32 ms  ip-87-87-146-129.easynet.co.uk [87.87.146.129]
  4    46 ms    45 ms    45 ms  te7-0-0.sr0.enlcs.ov.easynet.net [89.200.132.109]
  5    46 ms    47 ms    47 ms  5adff621.bb.sky.com [90.223.246.33]

After VPN connection:

C:\>tracert www.intel.com
Tracing route to a961.g.akamai.net [90.223.246.33]
over a maximum of 30 hops:
  1     3 ms     1 ms     1 ms  192.168.0.1
  2    35 ms    43 ms    36 ms  cr0.escra.uk.easynet.net [87.87.249.224]
  3    32 ms    31 ms    32 ms  ip-87-87-146-129.easynet.co.uk [87.87.146.129]
  4    46 ms    45 ms    45 ms  te7-0-0.sr0.enlcs.ov.easynet.net [89.200.132.109]
  5    46 ms    47 ms    47 ms  5adff621.bb.sky.com [90.223.246.33]