REPORT – CHAPTER 6: Firewall
NETWORKS AND SERVICES LABORATORY
9 June 2015
Víctor Rojo 173742
Esteban Martín 165916
Daniel Pons 163276

    NETWORKS AND SERVICES LABORATORY CHAPTER 6

    Firewall

    6.3 Adaptive Security Device Manager (ASDM)

    With the default configuration of the firewall, does the ping command succeed? Why?

    The pings between the two internal computers work because Cisco ASA firewalls assign the inside interface security level 100, which means the interface is fully trusted: a PC on the internal network can connect to the PCs on the same network and to an outside network, but connections initiated from outside networks are not allowed.

    6.4 Default Configuration of the ASA 5505

    Observe and explain the different aspects that can be configured using the icons on the left hand side of the screen.

    The icons on the left-hand side of the screen allow you to configure:

    o The interfaces that are connected to the firewall.
    o The security policy, which imposes different security parameters (for example, connections).
    o NAT configuration, which allows connections with elements outside the private network.
    o VPN configuration, which allows configuring a secure channel for our connections.
    o CSD Manager.
    o Routing configuration, which allows configuring the static routes in the networks.
    o Global objects.
    o Properties, where we observe different parameters of our network.

    What is the default configuration of Ethernet 0/0 (outside)?

    The default configuration is:

    o Enabled: Yes
    o Security level: 0
    o IP Address: (DHCP)
    o VLAN: VLAN 2
    o Management Only: No
    o MTU: 1500

    Explain in a few sentences the default configuration of the firewall and explain why you think it is configured this way.

    The default configuration of the firewall allows connections within the internal network, but does not permit connections from external networks because the security policy does not allow them. It is configured this way because the firewall assumes that outside networks are dangerous, and you decide which networks are considered trusted.

    After changing our outside interface to 204.69.103.1, can you ping from the outside PC to an inside PC? Why?

    We cannot ping because the security policy does not allow connections from outside networks.

    What is the difference compared to the previous case? Include the screenshot of the Syslog and/or firewall configuration.

    In the previous case we could ping because the ping was between internal PCs, and the firewall allows this connection. In this case, however, the connection is with an external PC, and the firewall does not allow it. These constraints are due to the security levels that the firewall imposes on local network access.

    6.5 Firewall

    What other protocols/programs are allowed from the Device Access menu?

    From the Device Access menu the following protocols/programs are allowed:

    - AAA Access: AAA is an architectural framework for configuring a set of three independent security functions: Authentication, Authorization and Accounting.

    - HTTPS/ASDM: HTTPS is a communication protocol for secure communication over a computer network. In this section we need to enable the HTTPS server and allow HTTPS connections to the security appliance.

    - Secure Shell: SSH is a network protocol for initiating text-based shell sessions on remote machines in a secure way. This allows a user to run commands on a machine's command prompt without being physically present near the machine.

    - Telnet:

    The Telnet protocol enables you to set up TCP/IP connections to a host. Telnet allows a user at one site to establish a TCP connection to a login server at another site. Telnet can accept either an IP address or a domain name as the remote device address.

    - Virtual Access: A virtual interface that is created, configured dynamically, used, and then freed when it is no longer needed.

    Explain the information that the previous commands provide.

    #show interface:

    This command shows us the different interfaces and VLANs that are available in the firewall and specifies some of their characteristics, such as bandwidth, MAC address, IP address, MTU, packet counts and other traffic statistics.

    #show traffic: We can see a summary of the interface and VLAN traffic, specifying the packets and bytes received and transmitted.

    Discuss the security implications of connecting to the console using Telnet.

    Telnet does not encrypt any data sent over the connection, so anyone who has access to a router, switch or hub located in the network between the two hosts where Telnet is being used can intercept the packets passing by and obtain the login and password. For these reasons nowadays we use Secure Shell (SSH), which provides much of the functionality of Telnet with the addition of strong encryption.

    6.6 The Hosts/Networks Table

    Add two internal computers by selecting Add > Network Objects. The network mask is 255.255.255.255. Also add a corresponding object for the external computer.

    6.7 Access Rules

    The last rule is any to any deny. Why?

    With the last rule we discard all the connections that we have not explicitly configured. The rules are examined sequentially, so if the last rule is reached it means that none of the rules before it permitted the access.

    Is it possible to access the FTP server from the internal computers?

    From the internal computers it is allowed to connect to the server in the outside network. This is possible because the internal computers can connect to networks with a lower security level: the inside security level is 100, so the internal PCs have access to external networks.

    Include in your report the configuration of the firewall. In this capture we show that internal PC 2 does not have access to an outside FTP connection.

    Report the screenshot of the Syslog showing you successfully configured the firewall.

    6.8 Translation Rules

    How does this configuration affect outgoing traffic?

    By default, the firewall has a Dynamic NAT rule. From any network, it allows the connection between inside and outside while keeping the original address of the request. So this configuration does not affect the outgoing traffic, which will cross the two interfaces.

    What is the IP address used after the packets traverse the firewall?

    With this default configuration, the IP address will be the same after traversing the firewall.

    6.9 Monitoring

    Include in your report a brief summary of your observations.

    We have assigned the lowest log level for each operation, so it will supervise all the events. Keeping the proper configuration of the firewall allowing FTP traffic, we started a transfer while we were monitoring the packet flow. This is the result.

    With a single transfer, CPU usage was not significant.

    6.10 Case Study

    Explain the changes that we have made and the test performed to verify the correctness of the configuration.

    Now the roles are different. We must install the FTP server on a computer behind the firewall (inside), listening for incoming requests and allowing them from the outside. This could be a domestic situation: we could have a service in our private network at home listening for incoming requests (FTP server, test web server, game). The typical procedure is to map the port to a specific address in our ISP router; when we do this we are configuring NAT rules without realizing it.

    To do this on the ASA 5505 we must add some ACL rules to allow this incoming traffic and, following the restrictions, allow ping (ICMP) from inside to external devices but not the other way around. In the outside section we have added a rule allowing ICMP traffic from the internal network to the outside network. If we place it at the top, followed by an any network to any network rule denying IP traffic, we drop the rest of the requests.

    Now it is time to configure our NAT rules. The case requires that the FTP server listens on 192.168.1.2 but must be reachable from outside at 204.69.103.4. So our NAT must collect the request and check the source and the destination; if a matching rule exists, the firewall has to translate the destination address to our internal computer waiting for FTP connections. This is a one-to-one address translation. Before that, we have added a new object, ConFTP, with the IP 204.69.103.2/32.

    New static NAT rule:

    ACLs allowing the FTP outside traffic to this new object (204.69.103.4):

    Finally, our successful FTP connection:

    From inside we obtain a successful ping to the external device.

    Now, trying a ping from 204.69.103.2 to 192.168.1.2:

    The firewall is dropping the packets by applying the ACLs.
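As an added example (not part of the report or of the lab's own configuration), the following Python model reproduces how the firewall decides on the packets tested in 6.7 and 6.10: access rules examined in order with a final any-to-any deny, the inside (100) / outside (0) security-level default, and the one-to-one static translation of 204.69.103.4 to 192.168.1.2. The outside access list, and evaluating the ACL on the public address before translating it, are assumptions of the model rather than the exact ASA behaviour.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str      # "tcp", "udp" or "icmp"
    dport: int = 0  # destination port, 0 for icmp

@dataclass(frozen=True)
class Rule:
    action: str     # "permit" or "deny"
    proto: str      # "ip" matches every protocol
    src: str        # CIDR or "any"
    dst: str        # CIDR or "any"
    dport: int = 0  # 0 matches any port

# Security levels from 6.3/6.4: inside is fully trusted, outside is not.
SECURITY_LEVEL = {"inside": 100, "outside": 0}
# Static one-to-one NAT from 6.10: public 204.69.103.4 maps to the FTP server 192.168.1.2.
STATIC_NAT = {"204.69.103.4": "192.168.1.2"}
# Assumed access list bound to the outside interface: examined in order, first match wins,
# explicit any-to-any deny last (6.7). Inside has no ACL, so its security level decides.
ACL = {
    "outside": [Rule("permit", "tcp", "any", "204.69.103.4/32", 21),
                Rule("deny", "ip", "any", "any")],
}

def in_net(addr, cidr):
    return cidr == "any" or ip_address(addr) in ip_network(cidr, strict=False)

def matches(rule, pkt):
    return (rule.proto in ("ip", pkt.proto) and in_net(pkt.src, rule.src)
            and in_net(pkt.dst, rule.dst) and rule.dport in (0, pkt.dport))

def evaluate(ingress, pkt):
    """Return (verdict, forwarded packet). The ACL sees the packet as it arrives on the
    ingress interface (mapped address, as in the report); static NAT is applied after."""
    egress = "outside" if ingress == "inside" else "inside"
    if ingress in ACL:
        allowed = next((r.action == "permit" for r in ACL[ingress] if matches(r, pkt)),
                       False)  # implicit deny when no rule matches
    else:
        # No ACL bound: traffic may only flow from a higher security level to a lower one.
        allowed = SECURITY_LEVEL[ingress] > SECURITY_LEVEL[egress]
    if not allowed:
        return "drop", None
    if ingress == "outside" and pkt.dst in STATIC_NAT:
        pkt = Packet(pkt.src, STATIC_NAT[pkt.dst], pkt.proto, pkt.dport)
    return "permit", pkt
```

Running `evaluate` on the three tests of the case study (inside ping out, outside ping in, outside FTP to 204.69.103.4) gives permit, drop and permit-with-translation respectively.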