Cisco Confidential 1 © 2010 Cisco and/or its affiliates. All rights reserved.
ASA Essentials Part 2: NAT, Advanced Firewall, VPN (October 2012)
Bogdan Doinea
Technical Manager CEE&RCIS
Cisco Networking Academy
Translations and Connections
Advanced Firewall Configurations
A look at VPNs on the ASA
Technical Demo
• NAT defines the way that we translate private addresses into public ones and vice-versa
• What are the private address spaces?
Class A: 10.0.0.0/8: 16,777,214 hosts
Class B: 172.16.0.0/12: 1,048,574 hosts
Class C: 192.168.0.0/16: 65,534 hosts
• Private addresses are defined in RFC 1918
• Depending on how many hosts must be translated and how many public IP addresses we have, there are 2 types of translations:
NAT (Network Address Translation) – layer 3
PAT (Port Address Translation) – layer 4
• In relation to the direction of the translation:
Inside NAT – addresses from the LAN are translated to addresses in the WAN (space)
Outside NAT – addresses from the WAN are translated to addresses in the LAN (space)
• Inside NAT
• The FW only modifies the layer 3 header to do NAT
Diagram (inside NAT): host 192.168.10.10 – ASA (inside 192.168.10.1, outside 209.100.65.1) – server 141.85.99.10
Outbound: 192.168.10.10:24000 → 141.85.99.10:80 leaves the ASA as 209.100.65.10:24000 → 141.85.99.10:80
Return: 141.85.99.10:80 → 209.100.65.10:24000 is translated back to 141.85.99.10:80 → 192.168.10.10:24000
• Outside NAT
It’s actually bidirectional NAT
The source address of packets coming from the Internet gets translated
• Used in cases where hosts on the outside want to appear like they are on the inside of the network
Diagram (outside NAT): host 192.168.10.10 – ASA (inside 192.168.10.1, outside 209.100.65.1) – server 141.85.99.10
Request as seen inside: 192.168.10.30:24000 → 192.168.10.10:80; the same packet as seen outside: 141.85.99.10:24000 → 209.100.65.10:80
Reply as seen inside: 192.168.10.10:80 → 192.168.10.30:24000; the same packet as seen outside: 209.100.65.10:80 → 141.85.99.10:24000
• “NAT conserves addresses”
The private-public translation is done at a 1-to-1 ratio
PAT conserves addresses
• “NAT is a security mechanism”
The security functionality that NAT brings is a consequence of the design, not an objective
It is not a good practice to rely on NAT for inside-outside security
There is another device that does the same thing as NAT from the security of connections point of view: the stateful firewall
Plus, a stateful firewall has other extra functionality (Application Inspection etc.)
• Be careful, the NAT terminology is pretty diverse
What is SNAT?
Inside NAT
What is DNAT?
A concept called port forwarding/port redirection, not Outside NAT
• Port address translation
Allows the translation of multiple private addresses using a single public IP address
• Because 1-to-1 mapping cannot be done at layer 3 anymore, it’s done at layer 4 by mapping ports
• Each private pair (internal IP, internal port) is mapped to a public pair (external IP, external port)
• By default, PAT will try to map the internal port to the same external port
• The PAT translations are kept in the RAM of the FW
• For the translated address, we can use:
The address of the outgoing interface
A public IP address that hasn’t been assigned to any interface
• For connection-oriented protocols, the FW erases the translation entry from RAM once the connection is terminated (FIN)
• For connectionless protocols, each communication has a timeout
Diagram (PAT): network 192.168.10.0/24 with hosts .10 and .20 – ASA (inside 192.168.10.1, outside 209.100.65.1) – server 141.85.99.10
192.168.10.10:24000 → 141.85.99.10:80 leaves as 209.100.65.1:24000 → 141.85.99.10:80
192.168.10.20:24000 → 141.85.99.10:80 leaves as 209.100.65.1:30000 → 141.85.99.10:80 (public port 24000 is already taken, so a different one is chosen)
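The PAT behaviour described above (keep the inside port when free, pick another public port on collision, remove the entry when the connection ends, drop inbound packets with no entry), as an added Python example that is not part of the slides; the PatTable class and its fallback port range are assumptions that replay the diagram's two hosts:

```python
# Added example (not from the slides): a minimal model of the PAT xlate table
# the slides describe. The class, the fallback port range and the drop
# behaviour for unsolicited inbound packets are assumptions.
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

Endpoint = Tuple[str, int]   # (ip, port)


@dataclass
class PatTable:
    """PAT state kept in the firewall's RAM: (inside ip, port) <-> (public ip, port)."""
    public_ip: str                     # translated address (e.g. the outgoing interface)
    fallback_start: int = 30000        # assumed range used when the inside port is taken
    forward: Dict[Endpoint, Endpoint] = field(default_factory=dict)  # inside -> public
    reverse: Dict[Endpoint, Endpoint] = field(default_factory=dict)  # public -> inside

    def _pick_public_port(self, wanted: int) -> int:
        """PAT first tries to keep the inside port; on collision it allocates another."""
        if (self.public_ip, wanted) not in self.reverse:
            return wanted
        port = self.fallback_start
        while (self.public_ip, port) in self.reverse:
            port += 1
        return port

    def outbound(self, src: Endpoint, dst: Endpoint) -> Tuple[Endpoint, Endpoint]:
        """Translate an inside -> outside packet, creating the xlate entry if needed."""
        if src not in self.forward:
            public = (self.public_ip, self._pick_public_port(src[1]))
            self.forward[src] = public
            self.reverse[public] = src
        return self.forward[src], dst

    def inbound(self, src: Endpoint, dst: Endpoint) -> Optional[Tuple[Endpoint, Endpoint]]:
        """Translate a returning packet; None means no xlate entry, so the packet is dropped."""
        inside = self.reverse.get(dst)
        return None if inside is None else (src, inside)

    def close(self, src: Endpoint) -> None:
        """Connection-oriented protocol finished (FIN): remove the entry from RAM."""
        public = self.forward.pop(src, None)
        if public is not None:
            self.reverse.pop(public, None)


def demo():
    """Replays the slide's diagram: hosts .10 and .20 both use source port 24000."""
    pat = PatTable("209.100.65.1")
    a = pat.outbound(("192.168.10.10", 24000), ("141.85.99.10", 80))
    b = pat.outbound(("192.168.10.20", 24000), ("141.85.99.10", 80))
    reply = pat.inbound(("141.85.99.10", 80), b[0])
    unsolicited = pat.inbound(("141.85.99.10", 80), ("209.100.65.1", 40000))
    return a, b, reply, unsolicited
```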
• Be careful, translations and connections are different concepts for a firewall
• Scenario: a user downloads a web page, transmits an IM and downloads his email with an email client
• How many connections does the firewall have in memory?
A minimum of 3 (can depend on the way the protocols work)
• How many layer 3 NAT translations does the firewall have in memory?
1
Advanced Firewall Configuration: The insides of Application Inspection
• Why do we need application inspection?
(1) Scenarios in which applications run over non-standard ports
• By default, all firewalls identify applications using their standard assigned port
• Ex: if HTTP runs over port 8080, all firewalls are going to implicitly drop the HTTP packets
Diagram: host 192.168.10.10 – ASA (inside 192.168.10.1, outside 209.100.65.1) – server 141.85.99.10 serving HTTP on port 8080
• Why do we need application inspection?
(2) Applications that need to open dynamic ports in order to work
The dynamically opened ports are negotiated by the application, usually on the control communication channel
Examples: Active FTP, multimedia streaming, VoIP
• Case study:
Active FTP vs. Passive FTP
1. The client initiates a connection to port 21 on the server using a random source port N > 1023.
2. The server responds with an ACK from its port 21 to port N of the client
3. The client sends the command “PORT N+1” over the control channel and opens port N+1 for receiving. By this, the client is telling the server the port it wants to use for data transfer
4. The server tries to open (initiate) a connection from its port 20 (the default data port) to port N+1 on the client
5. The firewall blocks the connection at step 4, because it does not have a state object for it in RAM
Diagram (active FTP): client ports N (Cmd) and N+1 (Data); server ports 21 (Cmd) and 20 (Data); steps 1 to 3 run on the command channel, step 4 is the server-initiated data connection from port 20 to port N+1
1. The client initiates a connection to port 21 of the server from a random source port N > 1023. The client opens port N+1 for data transfer
2. The server sends an ACK from its port 21 to port N on the client
3. The client sends the PASV command to the server
4. The server opens a random port X > 1024 for data transfer and sends the command “Port X” to the client
5. The client initiates the data connection from its port N+1 to port X on the server
Diagram (passive FTP): client ports N (Cmd) and N+1 (Data); server ports 21 (Cmd) and X (Data); steps 1 to 4 run on the command channel, step 5 is the client-initiated data connection from port N+1 to port X
• Conclusions: Active FTP does not work by default if the client is behind a firewall
Because of the stateful inspection
Because of NAT
Passive FTP should always work
At least if the FTP server lies in a DMZ type of area and access is granted from the outside
• Why do we want to use Active FTP? Because it opens fewer sockets on the server: http://www.faqs.org/rfcs/rfc1579.html
• With Application Inspection: the firewall can read commands sent on the control channel of FTP
When the firewall sees the “PORT N+1” command, it opens port N+1 for data transfer between the 2 IP addresses (client and server)
• Why do we need application inspection?
(3) Applications that embed the IP address in the control channel messaging and thus conflict with NAT
As a result, the IP address in the layer 3 header will not be the same as the one embedded at layer 7
The application tries to open sockets to the private IP address and cannot succeed
• Application Inspection to the rescue!
The firewall inspects the IP address in the control channel and rewrites it with the one in the xlate table
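A toy stateful firewall with FTP inspection, added here and not taken from the slides, covering both the active FTP pinhole from the conclusions above and the layer-7 address rewrite from the xlate table just described. The PORT encoding (h1,h2,h3,h4,p1,p2) follows the FTP protocol; the Firewall class, its packet model and the static 192.168.10.10 to 209.100.65.10 xlate are assumptions:

```python
# Added example (not from the slides): a toy stateful firewall with FTP
# inspection. It reads the PORT command on the control channel, opens a pinhole
# for the server's data connection and rewrites the embedded private IP.
import re
from typing import Dict, Optional, Set, Tuple

Endpoint = Tuple[str, int]                      # (ip, port)
PORT_RE = re.compile(r"^PORT (\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\r?\n?$")

def parse_port(cmd: str) -> Optional[Endpoint]:
    """Decode 'PORT h1,h2,h3,h4,p1,p2' into (ip, port); None if not a PORT command."""
    m = PORT_RE.match(cmd)
    if not m:
        return None
    h1, h2, h3, h4, p1, p2 = (int(x) for x in m.groups())
    return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2

def format_port(ep: Endpoint) -> str:
    """Encode (ip, port) back into the FTP PORT command format."""
    ip, port = ep
    return "PORT " + ",".join(ip.split(".") + [str(port // 256), str(port % 256)])

class Firewall:
    """Hypothetical firewall model: connection state, pinholes and a 1-to-1 xlate."""
    def __init__(self, xlate: Dict[str, str], inspect_ftp: bool):
        self.xlate = xlate                      # private IP -> public IP (xlate table)
        self.inspect_ftp = inspect_ftp
        self.conns: Set[Tuple[Endpoint, Endpoint]] = set()     # (inside, outside) in RAM
        self.pinholes: Set[Tuple[Endpoint, Endpoint]] = set()  # (outside src, inside dst)

    def outbound(self, src: Endpoint, dst: Endpoint, payload: str = "") -> str:
        """Inside -> outside packet: allowed, state is created; returns the payload sent on."""
        self.conns.add((src, dst))
        target = parse_port(payload) if self.inspect_ftp and dst[1] == 21 else None
        if target is None:
            return payload
        # Pinhole for the server's data connection (port 20 -> client N+1) ...
        self.pinholes.add(((dst[0], 20), target))
        # ... and fix the layer-7 address so the server does not try the private IP.
        return format_port((self.xlate[target[0]], target[1])) + "\r\n"

    def inbound(self, src: Endpoint, dst: Endpoint) -> bool:
        """Outside -> inside packet (dst already un-translated): needs a conn or a pinhole."""
        if (dst, src) in self.conns:
            return True
        if (src, dst) in self.pinholes:
            self.pinholes.discard((src, dst))   # a pinhole admits one connection
            self.conns.add((dst, src))
            return True
        return False

def active_ftp(inspect: bool) -> Tuple[str, bool]:
    """Active FTP from the slides: returns (PORT line the server sees, data conn allowed?)."""
    fw = Firewall({"192.168.10.10": "209.100.65.10"}, inspect)
    client, server = ("192.168.10.10", 2000), ("141.85.99.10", 21)
    fw.outbound(client, server)                                          # step 1: control channel
    sent = fw.outbound(client, server, "PORT 192,168,10,10,7,209\r\n")    # step 3: N+1 = 2001
    allowed = fw.inbound(("141.85.99.10", 20), ("192.168.10.10", 2001))  # step 4: server -> N+1
    return sent, allowed
```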
• What is MPF?
A set of structures and commands in the ASA OS
A way of making logical connections between the various theoretical concepts and their practical implementations
• What does MPF offer?
The possibility to control and configure the features below, using the same commands and OS structures
Application Inspection
IPS (AIP-SSM)
Anti {virus | spam | spyware} (CSC-SSM)
Setting connection limits
Traffic policing
• MPF is defined through 3 basic structures
Class-map
Used to identify traffic flows using different strategies
We have generic class-maps that identify traffic at layers 3 and 4 and inspection class-maps that can identify traffic at layer 7
Policy-map
Used to associate one or more actions with packets identified by the class-map
We have generic policy-maps that apply standard actions (inspect, police, set connection etc.) and inspection policy-maps that can specifically control application layer information
Service-policy (command)
Used to apply a policy at a global or interface level
Diagram (MPF example):
• Class-maps: Internet, SE (System Engineers), IP telephony
• Policy-map actions: Inspect, Police, Prioritize
• Service-policy: Outside
• Defining a class-map (L3/L4)
• The match command is used to identify traffic
ciscoasa(config)# class-map identify_by_L3_or_L4
ciscoasa(config-cmap)# ?
MPF class-map configuration commands:
description Specify class-map description
exit Exit from MPF class-map configuration mode
help Help for MPF class-map configuration commands
match Configure classification criteria
no Negate or set default values of a command
rename Rename this class-map
• What criteria can the match command use to identify traffic?
access-list: uses an ACL for classification
any
dscp: matches the ToS field using the IETF DSCP standard
precedence: matches the ToS field using the IP Precedence standard
tunnel-group: matches traffic going into a tunnel. This can only be used for QoS purposes.
flow ip destination-address: used for identifying a destination IP inside a tunnel-group. Can only be used together with tunnel-group
port: identifies a UDP or TCP port
default-inspection-traffic: matches a series of protocols that work over their standard, well-known ports
• A class-map supports a single match command
The exception is tunnel-group and default-inspection-traffic, which let the admin specify another match statement
When there are 2 match commands, the firewall applies a logical AND between them
• By default, the class map inspection_default is activated
ciscoasa# sh run
....
class-map inspection_default
match default-inspection-traffic
....
• What does default-inspection-traffic contain?
ciscoasa(config-cmap)# match ?
mpf-class-map mode commands/options:
access-list Match an Access List
any Match any packet
default-inspection-traffic Match default inspection traffic:
ctiqbe----tcp--2748 dns-------udp--53
ftp-------tcp--21 gtp-------udp--2123,3386
h323-h225-tcp--1720 h323-ras--udp--1718-1719
http------tcp--80 icmp------icmp
ils-------tcp--389 mgcp------udp--2427,2727
netbios---udp--137-138 radius-acct---udp--1646
rpc-------udp--111 rsh-------tcp--514
rtsp------tcp--554 sip-------tcp--5060
sip-------udp--5060 skinny----tcp--2000
smtp------tcp--25 sqlnet----tcp--1521
tftp------udp--69 waas------tcp--1-65535
• The policy-map determines the action the firewall will take on inspection
• Step 1: we give the policy-map a name
• Step 2: we make an association with a class-map
• Step 3: we specify the action
ciscoasa(config)# policy-map test_policy
ciscoasa(config-pmap)# class major_protocols
ciscoasa(config-pmap-c)# inspect ftp
ciscoasa(config-pmap-c)# inspect icmp
• One policy-map can have multiple actions and of different categories
ciscoasa(config-pmap-c)# ?
MPF policy-map class configuration commands:
csc Content Security and Control service module
exit Exit from MPF class action configuration mode
flow-export Configure filters for NetFlow events
help Help for MPF policy-map class/match submode commands
inspect Protocol inspection services
ips Intrusion prevention services
no Negate or set default values of a command
police Rate limit traffic for this class
priority Strict scheduling priority for this class
quit Exit from MPF class action configuration mode
service-policy Configure QoS Service Policy
set Set connection values
shape Traffic Shaping
ciscoasa# sh run
..........
!
class-map example
match port tcp eq www
!
policy-map http_policy
class example
inspect http
police input 1000000
set connection conn-max 1000 per-client-embryonic-max 50
!
..........
• A policy can be applied globally, or at an interface level
• The globally applied policy applies to all the traffic entering the ASA, on any interface, but only the ingress direction
• The interface-level applied policy applies to all the traffic on the interface, ingress and egress
# applied on the interface
ciscoasa(config)# service-policy inspect_http interface inside
# applied globally
ciscoasa(config)# service-policy inspect_http global
• If the actions are different, a packet can match multiple times inside a policy-map, whether through the same class-map or through different class-maps that identify the traffic
• If the action is the same, the packet only matches one class-map
class-map example
match port tcp eq www
policy-map http_policy
class example
police input 1000000
set connection conn-max 1000 per-client-embryonic-max 50
class inspection_default
inspect http
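The MPF rules from the last few slides, as an added Python example that is neither from the slides nor Cisco's code: a small parser for the class-map and policy-map sections of a show run, a lint pass for the single-match rule and for classes a policy-map refers to but never defines, and a function that applies the one-class-per-feature-type rule to a packet. SAMPLE is a constructed configuration (it carries a deliberate http_map typo), and treating class-default as built in is an assumption taken from ASA defaults:

```python
# Added example (not from the slides): parse the MPF part of an ASA 'show run'
# and check three rules the slides state: a class-map takes one match command
# (tunnel-group / default-inspection-traffic excepted), every class a policy-map
# refers to must exist, and one packet receives each feature type only once.
# Constructed sample: the slide's http_policy plus a deliberate typo (http_map).
SAMPLE = """\
class-map inspection_default
 match default-inspection-traffic
class-map example
 match port tcp eq www
policy-map http_policy
 class http_map
  inspect http
 class example
  police input 1000000
 class inspection_default
  inspect http
"""

def parse_mpf(config):
    """Return ({class-map: [match ...]}, {policy-map: [(class, action), ...]})."""
    cmaps, pmaps = {}, {}
    section = name = cls = None
    for raw in config.splitlines():
        words = raw.split()
        if not words or words[0][0] in "!.":          # skip separators and '....' elisions
            continue
        if not raw.startswith(" "):                   # top-level command starts a section
            section = name = cls = None
            if words[0] in ("class-map", "policy-map"):
                section, name = words[0], words[-1]
                (cmaps if section == "class-map" else pmaps)[name] = []
        elif section == "class-map" and words[0] == "match":
            cmaps[name].append(" ".join(words[1:]))
        elif section == "policy-map" and words[0] == "class":
            cls = words[1]
        elif section == "policy-map" and cls is not None:
            pmaps[name].append((cls, " ".join(words)))
    return cmaps, pmaps

def lint(config):
    """Report the MPF mistakes the slides warn about."""
    cmaps, pmaps = parse_mpf(config)
    problems = []
    for cname, matches in cmaps.items():
        if len(matches) > 1 and not {m.split()[0] for m in matches} & {"tunnel-group", "default-inspection-traffic"}:
            problems.append(f"class-map {cname}: {len(matches)} match commands, only one allowed")
    for pname, entries in pmaps.items():
        for cls in sorted({c for c, _ in entries}):
            if cls not in cmaps and cls != "class-default":   # assumed built-in class
                problems.append(f"policy-map {pname}: class {cls} is not defined")
    return problems

def actions_for(config, pmap, matched):
    """Actions one packet receives: the first matching class claims each feature type."""
    owner, actions = {}, []                           # feature type -> class that supplied it
    for cls, action in parse_mpf(config)[1][pmap]:
        feature = action.split()[0]                   # inspect / police / set / priority ...
        if cls in matched and owner.setdefault(feature, cls) == cls:
            actions.append(action)
    return actions
```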
Virtual Private Networks: A look at types of VPNs supported on the ASA
• A solution to create an end-to-end private connection over an unsafe, open network like the Internet
• There are leased solutions that achieve the same end result: leased lines
• What’s the difference between having a leased line and a VPN?
The cost
• Relative to the ISP:
Overlay
Point-to-point
• The overlay model makes the ISP network invisible to the client
• The ISP routers do not get to know the client networks
• Types of overlay VPNs: L2TP, PPTP, IPSec
Diagram: overlay VPN tunnels crossing the ISP network
• In the other model, the ISP participates in the routing decision
• The routing adjacency is made between the ISP and the client
• Overlay VPN models dominated 90% of the market before the popularity of MPLS
• Still, MPLS does not provide any confidentiality or authentication scheme
Diagram: MPLS VPN across the ISP network
• Relative to the topology:
Site-to-Site
Remote-access
• A Site-to-Site VPN ties together several fixed locations over the Internet
• Configurations only have to be made on the firewalls/routers
• There is no need to have a VPN client on the laptop/computer
Diagram: headquarters connected to two remote offices
• Most VPN technologies are based on tunneling
• Tunneling means an extra header is added at the layer where the tunnel is built
Example: IPIP tunnel
Used when the end-to-end source or destination network is not known in the routing table of an intermediate router
Diagram (tunneled packet): Tunnel IP header | Original IP header | Layer 4 header | Data
The original, end-to-end header is hidden from all the routers that are traversed between the tunnel endpoints
• IPSec is a security protocol framework
• IPSec: Confidentiality
Diagram: the encryption options shown with their key lengths: 56 bits, 168 bits, 256 bits and 160 bits; DH7 (Diffie-Hellman group 7) is also shown
• IPSec: Integrity
Diagram: the integrity options shown with their key lengths: 128 bits and 160 bits; DH7 is also shown
• IPSec: authentication with non-repudiation
Diagram: DH7 is also shown
• Telecommuting is increasingly chosen as an option for working
The risk of passing company information over the Internet is very great
• Remote access VPN
IPSec
SSL
Comparison of IPSec and SSL remote access:
Applications: IPSec – any IP-based app; SSL – web, e-mail, file sharing in native mode (clientless)
Encryption strength: IPSec – very strong, key lengths from 56 to 256 bits; SSL – moderate, key lengths from 40 to 128 bits
Authentication: IPSec – strong, two-way authentication; SSL – moderate, one-way or two-way authentication
Ease of use: IPSec – moderate, can be challenging for a non-technical user; SSL – very easy
Options for connecting: IPSec – a preconfigured client is necessary; SSL – no client is needed, only a working browser
As remote access solutions, the 2 options do not exclude each other
IPSec = security
SSL = mobility, flexibility
• The SSL VPN architecture presumes:
An SSL VPN server at the company headquarters
The SSL VPN client installed on the teleworker’s laptop
• The SSL VPN client has 3 operating modes
Clientless
Thin client
Full client
• For both of the modes below, the browser is the client
• Clientless does not allow anything else except HTTP and HTTPS
The user authenticates on the SSL portal to get access to internal company web resources
• Thin client
In this mode, the user downloads Java applets from the portal
The applets behave like TCP proxies for applications
The user connects to several applications through the TCP proxy (POP3, SMTP, IMAP, Telnet, SSH, CIFS)
The applet makes an HTTP connection to the SSL server that carries, in its payload, the addressing information needed to reach another service
The SSL server makes the connection to the end service inside the company network
• The full client can usually be downloaded from the SSL portal after the user authenticates
• Depending on the vendor, the client could install seamlessly or manually, with user intervention
SSL session setup:
1. The user makes a TCP connection to port 443
2. The firewall responds with a public key signed with a certificate
3. The client software generates a secret key
4. The client transmits the secret key encrypted with the public key
5. Bulk encryption is done using the secret key
Diagram (technical demo topology): R1 and R2 connected to the ASA (interfaces Fa0/0, Fa0/1 and Fa0/2), one router on the inside and one on the outside
Thank you.