Lab 8: Firewalls – ASA Firewall Device - School of Computing, 40001507/CSN11111/Lab8.pdf

Network Security ASA Firewall – Rich Macfarlane 1

Lab 8: Firewalls – ASA Firewall Device Rich Macfarlane 2015

8.1 Details

Aim: The aim of this lab is to investigate a Cisco ASA Firewall Device, its default traffic flows, its

stateful firewalling functionality, and the creation of a DMZ network and associated

firewall rulesets.

8.2 Activities

8.2.1 Create Virtual Topology

Connect to our vSphere virtual environment at vc2003.napier.ac.uk using a vSphere Client.

Navigate to the Module folder such as VMs & Templates>Production>CSN11111/8. You will be

assigned a group folder to work with which contains the 4 VMs needed for the lab (check Moodle for

the Groups and IP Addressing for each Group). Lab VMs: Windows7 VM running GNS3, a

Windows2003 VM and 2 Linux Ubuntu VMs running network services.

Power on your Windows7-GNS3 VM, open a console window, login to the Windows7-GNS3 VM, and

run the GNS3 network simulator AS ADMINISTRATOR

You can create a new project for Lab8, or a preconfigured starting project should be in the Projects

folder. If you wish to start with that just click Recent Projects button and select lab8_start, then

save as a project called lab8 or suchlike (save as, before you power on devices).

The topology, shown below, mimics an organisation with an ASA firewall at its perimeter. It is

connected to the untrusted Internet via the 10.1.Y.0/24 network. The ASA will be configured to

enforce the organisation's network security policy.

Starting Topology

You will be assigned networks to address the hosts and ASA gateway interfaces to – from Moodle: 192.168.X.0/24, 10.1.Y.0/24 and 192.168.Z.0/24

THE CORRECT NETWORKS MUST BE USED BY EACH STUDENT AS WE ARE SHARING VIRTUAL NETWORKS. ANNOTATE YOUR DIAGRAM/TAKE NOTE OF THE ADDRESS RANGES FOR YOUR GRP.

PLEASE ONLY USE GROUP VMs AND NETWORK IP ADDRESSES ASSIGNED TO YOUR GROUP.


PLEASE DO NOT USE YOUR OWN IP ADDRESSES OR THE LAB DEMO ADDRESSES IN THIS DOCUMENT!

(For Windows versions up to and including Windows 7, BES can be used to limit the percentage CPU

usage for applications. It can be download from http://mion.faireal.net/BES/)

8.2.2 Configure the Hosts

Power on your Linux Ubuntu_205 VM and Windows2003_206 VM. Configure the 192.168.X.10 and

10.1.Y.10 network IP Addresses on the Ubuntu_205 and Windows2003_206 systems respectively,

and set the Default Gateway on each host to the ASA interface address on its own network:

192.168.X.254 for the Ubuntu_205 VM and 10.1.Y.254 for the Windows2003_206 VM.

To configure the Linux system for IP Address and Default Gateway:

http://www.howtogeek.com/118337/stupid-geek-tricks-change-your-ip-address-from-the-

command-line-in-linux/

Or for the new style ip address / ip route Linux commands:

https://help.ubuntu.com/community/NetworkConfigurationCommandLine/Automatic

The following document has a section on setting the Windows IP and default gateway:

www.dcs.napier.ac.uk/~cs342/CSN11111/GNSAddVM.pdf

(Section: Windows-Setting Static IP Address and Default Gateway)

8.2.3 Basic ASA Configuration

Boot the ASA security device, and open a Console Window.

The ASA uses a CLI similar to a router's, with the same command mode structure, starting in User Exec Mode with the ciscoasa> prompt. Use ? to see the commands available in the current

command mode. Even fewer commands are available in this mode than on a router:

Change from User Exec Mode to Privileged Exec mode with the enable command. No enable password should be set, so

just press <RETURN> at the password prompt. Use the show version command to check the device setup.

Questions

Q: Which Cisco ASA security appliance is being simulated?


Q: Which version is the OS?

Q: How much RAM does it have?

The Cisco PIX and ASA firewall devices are hardware appliances built specifically for firewalling, unlike

the firewall software running on the routers which we have encountered in previous labs. The device

being simulated in this lab is a PIX 525, a medium to large enterprise device, with up to eight 10/100

Fast Ethernet interfaces, or three Gigabit interfaces.

Display the list of commands available in Privileged Exec mode using ?

View the PIX configuration file with the command show running-config

Questions

Q: Which version of the ASA firewall Operating System is running?

Q: Compared to a router, which extra attributes can be defined for each interface of the ASA?

8.2.4 Configure Interfaces and Security Levels

ASA security devices use an algorithm called the Adaptive Security Algorithm (ASA), which allows

traffic to flow between the interfaces depending on the security level set on each interface (reflecting

the trust level of the attached network). The security level can be set from 0 (the

lowest) to 100 (the highest). By default the inside interface (trusted network) is set to 100, and the

outside interface (untrusted Internet) is set to 0. Other networks, such as DMZs, are given values from

1 to 99.

By default, the ASA allows traffic to flow from a higher security level to a lower one, but blocks

traffic flowing from a lower level to a higher one, as shown in the figure below. Traffic between two

interfaces with the same security level is also blocked unless the same-security-traffic permit

inter-interface command is configured.


[Figure: the three zones and their trust levels. Trusted internal network (trust level 100), DMZ with public-facing servers (trust level 50) and untrusted Internet (trust level 0), all connected through the PIX/ASA.]

Configure the Interfaces

Certain attributes must be set on the interfaces, and then the default security behaviour can be

observed.

Set up the outside interface, which is connected to the internet, using the following commands.

ciscoasa(config)# interface gigabitEthernet 0

ciscoasa(config-if)# nameif outside

INFO: Security level for "outside" set to 0 by default.

ciscoasa(config-if)# ip address 10.1.Y.254 255.255.255.0

Additionally configure a unique MAC address on each interface, so that the emulated firewalls of the groups sharing the virtual networks do not end up with duplicate addresses. Use the format 0001.<module code digits>.<group number>0<interface number>; for example, for module csn11118, group 99, interface 0:

ciscoasa(config-if)# mac-address 0001.1118.9900

ciscoasa(config-if)# no shutdown

Set up the inside interface, which is connected to the trusted internal network:

ciscoasa(config)# interface gigabitEthernet 1

ciscoasa(config-if)# nameif inside

INFO: Security level for "inside" set to 100 by default.

ciscoasa(config-if)# ip address 192.168.X.254 255.255.255.0

ciscoasa(config-if)# mac-address 0001.1118.9901 (substitute your own module code and group number; interface number 1)

ciscoasa(config-if)# no shutdown

Set up the DMZ interface, which is connected to the DMZ network. The interface name must match the third interface as listed by show interface ip brief on your image (the Appendix B configuration shows it as gigabitEthernet 2):

ciscoasa(config)# interface Ethernet2

ciscoasa(config-if)# nameif dmz

ciscoasa(config-if)# security-level 50

ciscoasa(config-if)# ip address 192.168.Z.254 255.255.255.0

ciscoasa(config-if)# mac-address 0001.1118.9902 (substitute your own module code and group number; interface number 2)

ciscoasa(config-if)# no shutdown

Annotate your diagram/notes with the security trust levels for each interface/connected network.

Questions


Q: Why did we only set the security level on the dmz interface, and not the inside or outside

interfaces?

Review Interface configuration

Check the interfaces security levels have been configured correctly using the show nameif

command:

Check the addressing has been set up correctly on the right interfaces, by viewing the running

configuration, and by using the show ip address command, as shown.

For a summary of interface status and addressing, use the show interface ip brief command:

For full detail on each interface, use the show interface detail command, as shown below.

Save the firewall configuration using copy run start.

8.2.5 Test Connectivity

From the firewall, ping each local interface, and each of the attached VM’s interfaces in turn to test

the interfaces are up and connectivity to the VMs:


Questions

Q: Were the pings to the firewall interfaces successful?

Q: Were the pings to the directly connected VMs successful?

If not, troubleshoot the configuration, until connectivity is achieved.

Switch on the ICMP debugging trace logging, using the following command:

ciscoasa(config)# debug icmp trace

From the two VM’s connectivity can be checked using ping from console windows.

Limit the ping to a maximum of 3 packets with -c 3 (Linux) or -n 3 (Windows), or use CTRL+C to stop it. DO NOT LEAVE

PINGS RUNNING AS WE ARE WORKING ON SHARED VIRTUAL NETWORKS!

Linux: ping -c 3 dest_address Windows: ping -n 3 dest_address

Questions

Q: Can the WINDOWS VM ping the Linux VM?

Q: Can the Linux VM ping the WINDOWS VM?

Q: What might be causing this?

ICMP ping and traceroute traffic is handled differently by the ASA than by a router, by default.

ICMP sent to an ASA interface is replied to, but ICMP through the ASA follows the security levels: inbound echo from outside (0) to inside (100) is blocked. Outbound echo from inside (100) to outside (0) is permitted, but by default the ASA does not track ICMP in its connection table (no ICMP inspection is configured), so the echo-reply arriving from the lower security level is blocked like any other inbound traffic.


There are two options which will allow inside users to ping hosts on the outside. The first option is to set up a specific firewall rule permitting the echo-reply traffic inbound on the outside interface, and the other is to enable application inspection for ICMP (inspect icmp), which makes the ASA track echo/echo-reply pairs statefully.

Create an ACL Rule. Note the command is access-list, not ip access-list as on a router; the syntax is slightly different, and the ruleset name has to be entered for every rule.

ciscoasa(config)# access-list ICMP_REPLY extended permit icmp any any echo-reply

Review using the show access-list command to check it is configured correctly.

Apply the ACL inbound on the outside interface. Note that the syntax is again slightly different from a router.

ciscoasa(config)# access-group ICMP_REPLY in interface outside

Use the show run command to check it is configured correctly.

The show run command can be used with filters to show only the config lines of interest: show run | include ICMP_REPLY

Questions

Q: What filter might be used to show all access list config lines?

Check the VM’s connectivity again.

Questions

Q: Can the WINDOWS VM ping the Linux VM now?


Use the show access-list command to check the ACL passed the ICMP traffic.

The ICMP debugging trace logging can be switched off using:

ciscoasa(config)# undebug all

8.2.6 Network Services – Test the Linux VM Server

Test the Inside Linux VM Web Server from the Outside Network

From the Linux system, check the network services running, using the netstat command. Try netstat

-h to check the options for the command.

You can also filter the output using grep (or use the -l flag to show only listening sockets).

There should be an Apache server running on the Linux VM. This is on the inside network (behind

the perimeter firewall).

From the Linux VM, check the local web server is running correctly, using the web browser:

From the Outside Windows VM, use a web browser to test whether the PIX firewall allows the web traffic

through to the Inside network. (Use CTRL+F5 to refresh the web page from the server, and make sure

the page is not served from the local cache.)

Questions

Q: Was the Web site successfully loaded?

Q: Why is this?


8.2.7 Network Services – Test the Windows VM Server

Test the Outside Windows Web Server from the Inside Network

There should be an IIS web server running on the WINDOWS VM. This is out on the untrusted

outside network (typically the Internet).

From the Windows system, check the network services running, using the Windows version of the

netstat tool. Try netstat -h to check the options for the command.

Questions:

Q. What command could be used to only list TCP connections?

You can also filter output using findstr:

From the Windows VM, check the local web server is running correctly, using the web browser:


From the Linux VM, use a web browser to test if the PIX firewall allows the traffic from Inside to the

Windows server Outside and back. (Use CTRL+F5 to refresh the page from the server, and not just

the local cache).

Questions

Q: Was the Web site successfully loaded?

Test the FTP Server

From the Linux VM, connect to the FTP server on the Windows VM via a web browser using ftp://10.1.Y.10. Log in

with the Windows server credentials.

Questions

Q: Was the FTP Server successfully accessed?

Test the Telnet server

From the Linux VM, Telnet to the Windows VM using PuTTY - user: napier password: napier123.

Then use ipconfig to check you are logged into the Windows VM.

Questions

Q: Could the Windows server be accessed with Telnet?

Q: Why is this traffic not being blocked?

The tests should look like the following:

Windows Web Server


Windows FTP Server

Windows Remote Admin via Telnet Server

8.2.8 Scan the ASA Perimeter Firewall for Vulnerabilities

Using the nmap network scanner, check for public services running on the PIX by running a port scan against the firewall device's outside interface.

From the Windows VM, open a console window and run nmap against the firewall, as shown below (-n disables DNS resolution).

nmap -n 10.1.Y.254

Monitor Traffic

On Windows, run Wireshark and resize it to the width of the window. Start a capture on the

ethernet interface, and then use a display filter to monitor only packets on the Outside network.

Try the nmap scan again, and you should see some traffic:


Questions

Q: What services are shown to be running on the firewall?

Q: Does the ASA seem to be up, i.e. responding to the host scan packets?

Q: Why do we get this result?

The ASA firewall device implements a closed firewall on the outside interface by default (based on

the security level settings).

Try from WINDOWS VM, scanning the firewalls inside interface.

Questions

Q: What services are shown to be running on the firewall?

8.2.9 ASA Stateful Firewall

The ASA performs stateful firewalling by default for TCP and UDP traffic. It stores connection details

for inbound or outbound sessions established through the firewall (whether passed through due to

the security levels, or by explicit ACL firewall rules).

Network Connections State Table

The connection details are stored in a session/connection state cache. If a connection is passed

through the firewall (via security levels, or an ACL rule), its details are stored in the Conn table. Then

returning traffic is checked against the Conn table and passed without checking security levels or

ACLs.


[Figure: the PIX/ASA consulting its ACL firewall rules and its Conn state table.]

The sessions/connections currently stored in the conn table can be viewed using:

ciscoasa(config)# show conn

Details on the states of connections can be viewed using show conn detail as shown below.

On the Linux VM, refresh the web page from the Outside Windows VM server.

Questions

Q: How many connections are in the PIX firewalls connections state table?

Q: What are the services, and their source and destination IP Addresses and Port Numbers?

Q: Compare this to how stateful firewalling would be implemented on a Cisco router.

Would similar functionality take more or less complex configuration on a router?

Wait for a period, and check the connections being stored again.

Questions

Q: How many connections are in the PIX firewalls connections state table?


Q: Which service has been removed?

Q: Why was the connection removed?

Log out of the Telnet session from the Linux VM to the Windows Server, and check the connections

being stored again.

Questions

Q: How many connections are in the PIX firewalls connections state table?

Q: Why was the connection removed?

When the connection is terminated, for example with a teardown handshake, the connection

information is removed from the firewalls state connection table. Also timeouts are used to remove

idle connections.

Stateful Session Timeouts

The connection timeout settings can be reviewed using the show run timeout command, or the

show timeout command.

ciscoasa(config)# show run timeout
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
ciscoasa(config)#

Questions

Q: What is the default time out (in minutes), for standard TCP connections?


8.2.10 Create a DMZ Network

Add a DMZ Server to the Topology

Attach a 2nd Linux_202 VM server to the DMZ via LAN CONNECTION 2, as shown below.

In the new Linux DMZ Server, navigate to the /var/www directory. Use the ls command to list the

contents of the directory. Edit the index.html file using vi or a GUI-based editor such as gedit.

Change the text to indicate this is the DMZ Web Server:

Save the changes and exit the editor (:wq command in vi). Test the web server locally from the

Linux DMZ Server using the loopback IP address, as shown below.

Test the DMZ Web Server from the Inside network Linux VM

From the Linux VM on the inside network, use a web browser to connect to the Apache web server

running on the Linux VM DMZ Server (CTRL+F5 to refresh the cache)

Questions

Q: Is the Linux VM Web traffic allowed to the Linux DMZ Server?


Q: Why?

The security levels allow traffic moving from a higher security level to a lower one, and the

stateful firewall functionality allows the return traffic back through.

The web page should be accessible from the inside network:

Test the DMZ Web Server from Outside the Firewall

From the Windows outside VM, use a web browser to connect to the web server running on the

Linux VM DMZ Server (CTRL+F5 to refresh the cache)

Questions

Q: Can the Internet VM get Web traffic from the Linux DMZ Server?

Q: Why?

The Internet system should not be able to connect, as the outside interface has a lower security trust

level than the DMZ.

8.2.11 Allow Outside Access to the DMZ Server

To allow access from the lower trust level outside network to the higher security trust level DMZ, a

firewall rule must be created!

Create Out>DMZ Ingress ACL

We can create the ACL to only allow access to the Web Server on the DMZ server.

Create an Ingress ACL rule. Earlier we applied the ICMP_REPLY ACL to the outside interface, so first remove that; its rule will be incorporated into the new ACL (only one ACL can be applied to an interface in each direction).


Remove from outside interface.

ciscoasa(config)# no access-group ICMP_REPLY in interface outside

Remove the ACL ruleset.

ciscoasa(config)# no access-list ICMP_REPLY extended permit icmp any any echo-reply

Create the new INGRESS ACL. Allow only Web traffic to the single DMZ Web server.

ciscoasa(config)# access-list INGRESS extended permit tcp any host 192.168.Z.10 eq 80

Add rest of previous ICMP_REPLY ruleset.

ciscoasa(config)# access-list INGRESS extended permit icmp any any echo-reply

Apply the new ruleset to the outside interface for Ingress traffic.

ciscoasa(config)# access-group INGRESS in interface outside

[Figure: the INGRESS ruleset applied inbound on the outside interface (E0), between the untrusted Internet and the trusted internal network (E1) and the DMZ, permitting HTTP traffic to the DMZ web server.]

Use the show run access-list command to check the ruleset is configured correctly.

Use show run access-group and show run access-list to check the ruleset has been

applied correctly to the outside interface for ingress traffic (another way of filtering out parts of the

running config).

Use the show access-list command to check if the rules have been matched on yet (hitcnt=??).


Test the DMZ Web Server from the Windows VM Outside the Firewall

From the Internet VM, use a web browser to connect to the web server running on the Linux VM

DMZ Server

Questions

Q: Can the Internet VM connect to the Linux Web Server on the DMZ now?

Q: Can you see the HTTP connection in the ASA state table (be quick before it times out)

The web server should be available now:

Use the show access-list command to check that the ACL passed the web traffic.

Test the Internet Web Server from the Linux DMZ VM

From the Linux DMZ VM, use a web browser to connect to the IIS web server running on the Windows VM

Internet Server (CTRL+F5 to refresh the cache)

Questions

Q: Can the DMZ VM connect to the Windows Internet Server?

The server should be available to the DMZ VM currently, as the higher trust level can initiate

connections and receive the return traffic.

Questions

Q: Why might this default policy not be a good idea?


8.2.12 Misuse the DMZ > Outside Trust Relationship

From the Inside Linux VM, send 3 ICMP packets to the DMZ Linux VM using the ping tool.

Questions

Q: Do we have connectivity?

Now try the same using the hping tool. Use hping -h | more to check the help for the format of the

command.

Send 3 ICMP packets to the DMZ Linux VM, using -c 3 and -1 (ICMP mode):

Now try adding -a Outside_Win2003_VM_IP to spoof our source IP address, so that the DMZ host's echo-replies are sent to the outside Windows VM instead of back to us:

Questions

Q: Can you see the packets arriving at the Outside server? (wireshark)

Q: What type of attack is this?

NOTE: Be VERY careful when using tools such as hping: only send a limited number of

packets, and do not use random source or destination addresses, as this can cause unexpected

results on the shared networks. The spoofed packets are forwarded because the ASA does not check that a packet's source address is reachable via the interface it arrived on unless ip verify reverse-path interface <name> is configured.

8.2.13 Restrict Traffic Originating from the DMZ

It is typically good practice to allow no traffic out to the Internet which originates on a DMZ, if none

is required by the security policy. This can stop a host of malware-based attacks, as well as

backdoors and suchlike.

Create a new Egress traffic ACL ruleset blocking all traffic originating on the DMZ network.


ciscoasa(config)# access-list EGRESS extended deny ip any any

Before applying the rule, check you can ping the Outside VM from the DMZ VM.

Apply the new ruleset to the dmz interface for Egress traffic. Note that, applied inbound on the dmz interface, it blocks traffic originating on the DMZ towards every other interface, including inside, not only towards the Internet.

ciscoasa(config)# access-group EGRESS in interface dmz

Use the show access-list command to check that the rules have not been matched yet (hitcnt).

Test the Internet Web Server from the Linux DMZ VM

From the Linux DMZ VM, use a web browser to connect to the IIS web server running on the Windows VM

Internet Server (CTRL+F5 to refresh the cache).

Try using ping from the DMZ VM to the outside VM.

Questions

Q: Can the DMZ VM connect to the Windows Internet Server?

The traffic originating on the DMZ should now be blocked.

Use the show access-list command to check that the rules have been matched (hitcnt>0).

Questions

Q: Reflect on the type of threats which may be mitigated by blocking traffic originating on the DMZ

out to the Internet?

Test the DMZ Web Server from the Windows VM Outside the Firewall

From the Windows Internet VM, check the DMZ Server is still accessible (CTRL+F5 to refresh the

cache). Back to the question from before:

Questions

Q: Why is DMZ return traffic still being passed back to the Internet Windows VM, even though we have

blocked all traffic from the DMZ?
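The following Python model is added here as an illustration; it is not part of the lab sheet and not Cisco code. It replays, on constructed packets, the decisions the ASA has made through sections 8.2.4 (security levels), 8.2.5 (the blocked echo-reply and the ICMP_REPLY ACL), 8.2.9 (the connection table), 8.2.11 (INGRESS), 8.2.12 (the spoofed source) and 8.2.13 (EGRESS). It assumes X=1, Y=2, Z=3 for the three networks and hosts at .10; the Packet/ACE/ASA names, the ephemeral ports and the verdict strings are this example's own. The order of checks (connection table, then the inbound ACL with its implicit deny, then the security-level default) and the ip verify reverse-path anti-spoofing check are modelled as this editor understands ASA behaviour; NAT, same-security-traffic and outbound ACLs are left out.

```python
"""Toy model of the lab ASA's forwarding decision: connection table first, then
the inbound ACL on the arrival interface, then the security-level default.
Constructed addressing: X=1, Y=2, Z=3, hosts at .10; for ICMP, sport = ICMP type."""
from dataclasses import dataclass, field
from typing import Optional

SECURITY_LEVEL = {"outside": 0, "dmz": 50, "inside": 100}
ROUTES = {"192.168.1.": "inside", "10.1.2.": "outside", "192.168.3.": "dmz"}
ECHO, ECHO_REPLY = 8, 0


def route(ip):
    """Connected-route lookup: the interface an address lives behind."""
    return next(iface for prefix, iface in ROUTES.items() if ip.startswith(prefix))


@dataclass(frozen=True)
class Packet:
    proto: str          # "tcp", "udp" or "icmp"
    src: str
    dst: str
    sport: int = 0      # ICMP: the ICMP type
    dport: int = 0
    syn: bool = True    # TCP: a SYN, i.e. a new connection attempt


@dataclass(frozen=True)
class ACE:
    """One 'access-list NAME extended permit|deny proto src dst [eq port|type]' line."""
    action: str
    proto: str          # "ip" matches every protocol
    src: str = "any"
    dst: str = "any"
    dport: Optional[int] = None
    icmp_type: Optional[int] = None

    def matches(self, p):
        return (self.proto in ("ip", p.proto) and self.src in ("any", p.src)
                and self.dst in ("any", p.dst) and self.dport in (None, p.dport)
                and self.icmp_type in (None, p.sport))


@dataclass
class ASA:
    access_group: dict = field(default_factory=dict)  # iface -> ACEs applied 'in'
    urpf: set = field(default_factory=set)            # ifaces with ip verify reverse-path
    conns: set = field(default_factory=set)           # (proto, src, sport, dst, dport)

    def forward(self, p, ingress):
        """Verdict for packet p arriving on interface 'ingress'."""
        # Source check only if ip verify reverse-path is configured (off by default).
        if ingress in self.urpf and route(p.src) != ingress:
            return "deny (reverse-path)"
        # 1. Return traffic of a tracked connection passes with no ACL or level check.
        if (p.proto, p.dst, p.dport, p.src, p.sport) in self.conns:
            return "permit (conn table)"
        if p.proto == "tcp" and not p.syn:
            return "deny (no connection)"
        egress = route(p.dst)
        # 2. An inbound ACL on the arrival interface replaces the default and ends in
        #    an implicit deny; the first matching line wins.
        if ingress in self.access_group:
            hit = next((a for a in self.access_group[ingress] if a.matches(p)), None)
            if hit is None or hit.action == "deny":
                return "deny (acl)"
            verdict = "permit (acl)"
        # 3. No ACL: only a higher -> lower security level passes by default.
        elif SECURITY_LEVEL[ingress] > SECURITY_LEVEL[egress]:
            verdict = "permit (security level)"
        else:
            return "deny (security level)"
        # TCP/UDP are recorded so replies can return; ICMP is not, without inspect icmp.
        if p.proto in ("tcp", "udp"):
            self.conns.add((p.proto, p.src, p.sport, p.dst, p.dport))
        return verdict


def lab_walkthrough():
    """Replay the lab's tests in order; returns {test name: verdict}."""
    asa = ASA()
    win, lin, dmz = "10.1.2.10", "192.168.1.10", "192.168.3.10"
    r = {}
    # 8.2.5: pings before any ACL exists
    r["win_pings_linux"] = asa.forward(Packet("icmp", win, lin, ECHO), "outside")
    r["linux_pings_win"] = asa.forward(Packet("icmp", lin, win, ECHO), "inside")
    r["echo_reply_to_linux"] = asa.forward(Packet("icmp", win, lin, ECHO_REPLY), "outside")
    # access-list ICMP_REPLY extended permit icmp any any echo-reply, applied in on outside
    asa.access_group["outside"] = [ACE("permit", "icmp", icmp_type=ECHO_REPLY)]
    r["echo_reply_with_acl"] = asa.forward(Packet("icmp", win, lin, ECHO_REPLY), "outside")
    # 8.2.6, 8.2.7, 8.2.9: web in both directions; the SYN-ACK back inside hits the conn table
    r["win_to_inside_apache"] = asa.forward(Packet("tcp", win, lin, 40001, 80), "outside")
    r["linux_to_iis"] = asa.forward(Packet("tcp", lin, win, 40000, 80), "inside")
    r["iis_synack_back"] = asa.forward(Packet("tcp", win, lin, 80, 40000, syn=False), "outside")
    # 8.2.11: INGRESS replaces ICMP_REPLY on the outside interface
    asa.access_group["outside"] = [ACE("permit", "tcp", dst=dmz, dport=80), ACE("permit", "icmp", icmp_type=ECHO_REPLY)]
    r["win_to_dmz_web"] = asa.forward(Packet("tcp", win, dmz, 40002, 80), "outside")
    # 8.2.12: inside host pings the DMZ host using the outside host's address as source
    spoofed = Packet("icmp", win, dmz, ECHO)
    r["spoof_from_inside"] = asa.forward(spoofed, "inside")
    r["dmz_reply_hits_win"] = asa.forward(Packet("icmp", dmz, win, ECHO_REPLY), "dmz")
    asa.urpf.add("inside")        # ip verify reverse-path interface inside
    r["spoof_with_urpf"] = asa.forward(spoofed, "inside")
    # 8.2.13: access-list EGRESS extended deny ip any any, applied in on dmz
    asa.access_group["dmz"] = [ACE("deny", "ip")]
    r["dmz_web_reply_to_win"] = asa.forward(Packet("tcp", dmz, win, 80, 40002, syn=False), "dmz")
    r["dmz_new_to_iis"] = asa.forward(Packet("tcp", dmz, win, 40003, 80), "dmz")
    return r
```

Run lab_walkthrough() and compare the verdicts with what you saw on the firewall: the echo-reply is dropped by the security levels until an ACL on outside permits it; once any ACL is applied inbound on an interface, its implicit deny replaces the security-level default for that interface (so the outside host can no longer reach the inside Apache server even though it never could by level either); and the DMZ web server's replies still pass after EGRESS because the connection table is consulted before any ACL, while the spoofed echo from inside is only stopped once reverse-path verification is on.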


8.2.14 Allow Only Web Access to the Internet from Inside Network

The users on the inside network, including the Linux VM user, are now to be restricted to Web

access to the Internet only; no other services should be accessed from the inside network. An

ACL firewall ruleset should be created to permit the web traffic, and block and log all other traffic.

Questions

Q: What ACL firewall rules should be used?

Q: Draw on the figure below where the ACL firewall rules should be applied, and in which direction.

Test the Web, FTP, and Telnet Servers

Before the ACL is added, test the services from the inside host. From the Inside Linux VM,

browse to the outside website, access the FTP server via a browser, and Telnet to the

Windows VM.

Questions

Q: Could the Windows Web server, FTP server, and Telnet server be accessed?

Now create the ACL(s) and apply to interface(s). Test the services again.

Questions

Q: Are the Windows FTP server and Telnet server being blocked?

Q: Can the Web server still be accessed?

If the answers are not YES, rethink the ACLs.


8.2.15 Allow Administrative Access to the DMZ Server

To allow administration of the DMZ server only from the Administrator's machine on the inside

network (use the Linux VM for testing), an ACL firewall ruleset should be created. Access to the

lower security level DMZ from the higher level inside network is allowed by default, but a rule is

needed to prevent any other host from accessing the server via Telnet.

Questions

Q: What ACL firewall rules should be used?

Q: Draw on the figure below where the ACL firewall rules should be applied, and in which direction.

Now create the ACL(s) and apply to interface(s).

Test the Telnet server

From the Linux VM, Telnet to the Linux DMZ VM. Then use ifconfig to check you are logged into

the Linux DMZ VM. Maybe change the web page contents.

Questions

Q: Could the Linux server be accessed with Telnet?

If the answer is not YES, rethink your ACL

To test that the ACL only allows access from the administrator's system, change the IP address of the

inside Linux VM to another address on the inside network, such as 192.168.X.11, and test the Telnet server again.

Questions

Q: Is the Telnet access being blocked?

If the answer is not YES, rethink the ACLs


8.3 Appendix A – Adding ASA to GNS3

Download the ASA OS kernel and RAM disk files (they should be on the lab machines already).

http://socrdlvideo.napier.ac.uk/~csn11118/ASA%20Image/

Start GNS3, as Administrator. Select Edit>Preferences, and QEMU VMs. Then new, and select ASA.

Add the files in the Advanced tab, and leave everything else to default.


8.4 Appendix B – ASA Firewall with DMZ Configuration

PIX Version 8.0(4)

!

hostname ciscoasa

enable password 8Ry2YjIyt7RRXU24 encrypted

passwd 2KFQnbNIdI.2KYOU encrypted

names

!

interface gigabitEthernet0

nameif outside

security-level 0

ip address 10.1.Y.254 255.255.255.0

!

interface gigabitEthernet 1

nameif inside

security-level 100

ip address 192.168.X.254 255.255.255.0

!

interface gigabitEthernet 2

nameif dmz

security-level 50

ip address 192.168.Z.254 255.255.255.0

!

interface Ethernet3

shutdown

no nameif

no security-level

no ip address

!

interface Ethernet4

shutdown

no nameif

no security-level

no ip address

!

ftp mode passive

access-list INGRESS extended permit tcp any host 192.168.Z.10 eq www

access-list INGRESS extended permit icmp any any echo-reply

access-list EGRESS extended deny ip any any

... SNIPPED ...