NCET 2014 Conference
NC School Connectivity Initiative – Firewall Best Practices

Session Presenters
- Chris Rose, MCNC – Client Network Engineer
- Dianne Dunlap, MCNC – Client Network Engineer
2 3/21/14
Agenda
1. ITS/ASA Firewall Service Description
2. Firewall Configuration Best Practices
3. ASA Monitoring and Troubleshooting
4. Where to go for information; MCNC Support
5. Q&A
State Firewall Service Summary
- Cisco ASA platform with site-to-site VPN and SSL VPN functionality
- Offered as ITS fully managed or customer managed
- LEA Adoption - 30 ITS fully managed/33 customer managed
- Charter School Adoption - 42 ITS fully managed/8 customer managed
Additional information: https://www.mcnc.org/our-community/k12/services/firewall
Service Implementation and Support                                               ITS Fully Managed   Customer Management
Consultation regarding service options and security configurations               Y                   Y
All required activities to complete service installation                         Y                   Y
All hardware and software components required to deliver the security service    Y                   Y
Ongoing operating system release and patch management                            Y                   On request by customer
Ongoing configuration management                                                 Y                   N
Configuration backup                                                             Y                   Y
24x7 Device Monitoring                                                           Y                   N
24x7 Support                                                                     Y                   Y
Real-time view of security policy                                                Optional            Optional
Log retention at customer location                                               Available           Available
Current LEA ASA Map (map graphic)

Current Charter ASA Map (map graphic)
Firewall Best Practices
- Be as specific as possible - avoid any/any.
- Allow only essential services in (ingress filtering).
- Use a DMZ if possible for public servers (web, FTP).
- Allow only essential services out (egress filtering).
- Log traffic as necessary.
- Use good naming conventions and comments.
- Group network objects and ports.
- Remove unneeded ACLs.
- Use AnyConnect where possible in lieu of broad outside access.
Avoid any/any

Instead of:
access-list outside_access_in permit ip any host 152.26.1.20

use:
access-list outside_access_in permit tcp any host 152.26.1.20 eq http
access-list outside_access_in permit tcp any host 152.26.1.20 eq https
(or destination 10.26.1.20 in later ASA versions, where access-lists reference the real, pre-NAT address)
Use a DMZ
Outside to DMZ web server:
access-list outside_access_in permit tcp any host 152.26.1.20 eq http
access-list outside_access_in permit tcp any host 152.26.1.20 eq https

DMZ to inside (nothing initiated from the DMZ reaches the inside):
access-list dmz_access_inside deny ip any any

Inside to DMZ:
access-list inside_access_dmz permit tcp any host 10.46.1.20 eq http
access-list inside_access_dmz permit tcp any host 10.46.1.20 eq https
Allow Only Essential Services Out
- No access-list on the inside interface, or an access-list with 'permit ip any any', permits all outbound traffic.
- Blacklisting is possible if outbound traffic becomes malicious due to viruses, malware, or malcontents.
- Good Internet citizenship limits or prevents:
  - BitTorrent
  - Viruses/malware (Iloveyou, Stuxnet, Cutwail)
  - Web proxies (Ultrasurf, Tor)
Allow Only Essential Services Out (cont.)
ITS Standard Service Groups (outbound):
object-group service School-standard-tcp tcp
 port-object eq https
 port-object eq www
 port-object eq 9443
object-group service School-standard-udp udp
 port-object eq domain
Log Traffic – syslog levels

Category        Numeric Code
Emergency       0
Alert           1
Critical        2
Error           3
Warning         4
Notification    5
Informational   6
Debug           7

Examples: ASA-3-305006 portmap translation (Error); ASA-6-302014 Teardown TCP connection (Informational).

- ITS logging is at "Warning" level for ITS-managed firewalls. This is also the Cisco recommended best practice.
- ASA log messages should be sent to a local syslog server for customer-managed firewalls.
- Free syslog servers:
  - rsyslogd (Linux)
  - syslog-ng (Linux)
  - The Dude (Windows)
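As an added example (not part of the slides), a small Python parser that pulls the severity and message id out of ASA syslog lines and applies the "Warning" level policy described above, showing which categories a syslog server at that level never receives. The log lines are constructed for illustration, not captured from a real firewall; 305006 and 302014 are the two ids quoted on the slide.

```python
import re
from collections import Counter

# Syslog severity table from the slide: numeric code -> category name.
SEVERITY = {0: "Emergency", 1: "Alert", 2: "Critical", 3: "Error",
            4: "Warning", 5: "Notification", 6: "Informational", 7: "Debug"}

# ASA message header: %ASA-<severity>-<six-digit message id>: <text>
ASA_MSG = re.compile(r"%ASA-(?P<sev>[0-7])-(?P<msgid>\d{6}):\s*(?P<text>.*)")

# Constructed sample lines, not captured from a real device (addresses are made up).
# 305006 and 302014 are the ids quoted on the slide; 302013/106023 are the ASA
# connection-built and ACL-deny messages.
SAMPLE_LOG = """\
Mar 21 2014 10:00:01 asa1 %ASA-6-302013: Built outbound TCP connection 1 for outside:203.0.113.10/443 to inside:10.46.1.20/51000
Mar 21 2014 10:00:02 asa1 %ASA-6-302014: Teardown TCP connection 1 for outside:203.0.113.10/443 to inside:10.46.1.20/51000 duration 0:00:01 bytes 1200 TCP FINs
Mar 21 2014 10:00:03 asa1 %ASA-3-305006: portmap translation creation failed for udp src inside:10.46.1.20/5060 dst outside:203.0.113.10/5060
Mar 21 2014 10:00:04 asa1 %ASA-4-106023: Deny tcp src outside:203.0.113.10/40000 dst inside:152.26.1.20/3389 by access-group "outside_access_in"
Mar 21 2014 10:00:05 asa1 not an ASA-formatted message, ignored by the parser
"""

def parse(line):
    """Return (severity, message id, text) or None when the line is not an ASA message."""
    m = ASA_MSG.search(line)
    if not m:
        return None
    return int(m.group("sev")), m.group("msgid"), m.group("text")

def filter_at_level(log_text, max_level=4):
    """Keep messages at max_level or more severe (lower number = more severe),
    which is what 'logging at Warning' sends to the syslog server."""
    kept = []
    for line in log_text.splitlines():
        parsed = parse(line)
        if parsed and parsed[0] <= max_level:
            kept.append(parsed)
    return kept

def dropped_by_level(log_text, max_level=4):
    """Count per category what that policy never sends, so an admin can see the
    visibility traded away (here: the connection build/teardown records)."""
    counts = Counter()
    for line in log_text.splitlines():
        parsed = parse(line)
        if parsed and parsed[0] > max_level:
            counts[SEVERITY[parsed[0]]] += 1
    return counts

if __name__ == "__main__":
    for sev, msgid, text in filter_at_level(SAMPLE_LOG):
        print(f"{SEVERITY[sev]:<13} {msgid}  {text[:70]}")
    print("dropped at Warning level:", dict(dropped_by_level(SAMPLE_LOG)))
```

Raising max_level to 6 keeps the connection records too, which is what the ASDM Real Time Log Viewer lets you do for one session without changing the syslog level.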
Use good naming conventions and comments

Use of the name command:
access-list inside_in remark for Libby Smith
name 72.22.90.231 PowerWeb description Website host
access-list inside_in extended permit tcp any4 object PowerWeb eq 8443

Use of remark:
access-list outside_acl remark Employee Portal

Creation of a network object and its description:
object network XYZ_Elementary
 subnet 10.25.0.0 255.255.0.0
 description XYZ Elementary School
Group Network Objects, Ports

Example of grouped network objects and ports:
name 10.9.5.5 informer description for Jane
object-group service informer_ports tcp-udp
 port-object eq 90
 port-object eq 9090
object-group network INSIDE_NETWORK_2
 network-object host 198.6.112.110
 network-object host 63.148.144.242
access-list inside_in extended permit object-group TCPUDP object informer object-group INSIDE_NETWORK_2 object-group informer_ports
Example of un-grouped network objects and ports (the same policy written as eight separate entries):
access-list inside_in extended permit tcp host 10.9.5.5 host 198.6.112.110 eq 90
access-list inside_in extended permit tcp host 10.9.5.5 host 198.6.112.110 eq 9090
access-list inside_in extended permit udp host 10.9.5.5 host 198.6.112.110 eq 90
access-list inside_in extended permit udp host 10.9.5.5 host 198.6.112.110 eq 9090
access-list inside_in extended permit tcp host 10.9.5.5 host 63.148.144.242 eq 90
access-list inside_in extended permit tcp host 10.9.5.5 host 63.148.144.242 eq 9090
access-list inside_in extended permit udp host 10.9.5.5 host 63.148.144.242 eq 90
access-list inside_in extended permit udp host 10.9.5.5 host 63.148.144.242 eq 9090
Remove Unneeded Access-lists

name 10.8.1.51 Room-X
static (inside,outside) 152.26.1.2 Room-X netmask 255.255.255.255
access-list outside_acl extended permit ip any host 152.26.1.2
access-list outside_acl extended permit tcp any host 152.26.1.2
access-list outside_acl extended permit udp any host 152.26.1.2
access-list outside_acl extended permit ip any host 152.26.1.3
access-list outside_acl extended permit object-group DM_INLINE_SERVICE any host 152.26.1.3
access-list outside_acl extended permit object-group xyz host AS400 range ftp telnet
access-list outside_acl extended permit tcp host x.x.x.x host AS400 gt ftp
access-list outside_acl extended permit tcp any host AS400 eq ftp

Access-lists are evaluated top-down, first match: the 'permit ip any host 152.26.1.2' entry already matches everything the tcp and udp entries below it would, and the same holds for 152.26.1.3, so those narrower entries never fire and only add clutter.
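As an added example (not part of the slides), a small Python linter for ASA access-list entries that applies two of the practices above: it flags 'permit ip any any' and 'permit ip any host X' entries from the "Avoid any/any" slide, and entries that an earlier entry in the same access-list already matches, as on this slide. The sample ACL is constructed from the entries shown on those two slides; the regex handles only the simple any/host forms they use.

```python
import re

# Constructed ACL excerpt, assembled from the entries shown on the 'Avoid any/any'
# and 'Remove Unneeded Access-lists' slides (only the simple forms the regex handles).
ACL = """\
access-list outside_acl extended permit ip any host 152.26.1.2
access-list outside_acl extended permit tcp any host 152.26.1.2
access-list outside_acl extended permit udp any host 152.26.1.2
access-list outside_acl extended permit ip any host 152.26.1.3
access-list outside_acl extended permit tcp any host AS400 eq ftp
access-list outside_access_in permit ip any any
access-list outside_access_in permit tcp any host 152.26.1.20 eq http
"""

# Handles: access-list NAME [extended] permit|deny PROTO (any|host X) (any|host Y) [eq PORT]
ACE = re.compile(r"access-list (\S+) (?:extended )?(permit|deny) (\S+) "
                 r"(any|host \S+) (any|host \S+)(?: eq (\S+))?$")

def parse_ace(line):
    """Return the entry as a dict, or None for lines in a form this linter does not handle."""
    m = ACE.match(line.strip())
    if not m:
        return None
    acl, action, proto, src, dst, port = m.groups()
    return {"acl": acl, "action": action, "proto": proto, "src": src, "dst": dst, "port": port}

def covers(broad, narrow):
    """True when an earlier entry `broad` matches every packet `narrow` would match."""
    return (broad["acl"] == narrow["acl"]
            and broad["proto"] in ("ip", narrow["proto"])
            and broad["src"] in ("any", narrow["src"])
            and broad["dst"] in ("any", narrow["dst"])
            and broad["port"] in (None, narrow["port"]))

def lint(config_text):
    """Return (finding, line) pairs: over-broad permits, and entries that an earlier
    entry already matches (redundant if same action, unreachable if the action differs)."""
    findings, seen = [], []
    for line in config_text.splitlines():
        ace = parse_ace(line)
        if ace is None:
            continue
        if ace["action"] == "permit" and ace["proto"] == "ip" and ace["src"] == "any":
            findings.append(("any-any" if ace["dst"] == "any" else "ip-any-to-host", line))
        for earlier in seen:  # ACLs are first-match, so only earlier entries can shadow
            if covers(earlier, ace):
                findings.append(("redundant" if earlier["action"] == ace["action"] else "unreachable", line))
                break
        seen.append(ace)
    return findings

if __name__ == "__main__":
    for kind, line in lint(ACL):
        print(f"{kind:<15} {line}")
```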
Why Use AnyConnect for Remote Administration?
access-list outside_in permit tcp any host 152.26.1.11 eq 3389
(RDP on an internal host exposed to every source address on the Internet)

Use AnyConnect
Require users to authenticate with AnyConnect at the ASA prior to accessing internal resources.
- Authentication may be via usernames on the ASA or tied to AD
- Access can be audit-trailed if on AD
- Access-lists can be applied at the ASA level and tied to local users or AD groups
AnyConnect Platforms
- Microsoft (XP, Vista, 7, 8)
- Mac OSX
- Linux (Red Hat, Ubuntu)
- iOS (iPhone, iPod, iPad) mobile client*
- Android client*
* Requires ASA mobile license
ASA Monitoring and Troubleshooting - ASA Read-only Access
- ITS can provide read-only access for ITS-managed firewalls
- Access via ASDM (GUI) or SSH (command-line)
- Request an account through MCNC
- User credentials are in the ITS-managed TACACS+ server
- Read-only access prevents accidents!
ASA Monitoring and Troubleshooting
- “show” commands
- “Top 10” services, sources, destinations
- Interface traffic (kb/connections)
- Memory and CPU utilization
- Packet tracer utility
- Packet capture wizard
- Logs
ASA Monitoring and Troubleshooting – “show” commands
* Not on all models/versions

Command           Arguments
dir               disk0:/dap.xml
enable
exit
logout
more              system:running-config
packet-tracer
quit
read
threat-detection  Statistics*
ASA Monitoring and Troubleshooting – “show” commands (cont.)
* Not on all models/versions

Command  Arguments
show     access-list
         activation-key detail
         asdm sessions
         blocks
         cluster info*
         configuration
         conn
         cpu core all*
         crypto ca certificate
         curpriv
         firewall
         interface
ASA Monitoring and Troubleshooting – “show” commands (cont.)
* Not on all models/versions

Command  Arguments
show     ips
         mode*
         module
         nat
         pager
         pdm logging*
         pdm sessions*
         route
         running-config
         service-policy-user*
         startup-config
         version
ASA Monitoring and Troubleshooting – Interface Traffic
(interface traffic graphs; screenshot only)

ASA Monitoring and Troubleshooting – “Top 10”
Top 10 access-rules (screenshot)
Top 10 sources (screenshot): #1 108.175.34.244 = Netflix; #2 216.177.128.42 = Alentus Internet (hosting)

ASA Monitoring and Troubleshooting – Memory and CPU
(screenshot)

ASA Monitoring and Troubleshooting – Traffic
(screenshot)

ASA Monitoring and Troubleshooting – Syn Attacks
(screenshot) 200.165.244.186 = user.velox.com.br

ASA Monitoring and Troubleshooting – Connections/Drops
(screenshot)
ASA Monitoring and Troubleshooting – Packet Tracer
- Packet Tracer allows the administrator to simulate packet flow through the firewall to test connectivity.
- Packet Tracer should be the first step in troubleshooting connectivity through the firewall.

ASA Monitoring and Troubleshooting – Packet Capture Wizard
- Packet Capture Wizard is used to examine actual traffic in detail.
- Usually used as the second step, when Packet Tracer indicates traffic is allowed but connectivity problems persist.

ASA Monitoring and Troubleshooting – Logs
- ASDM Real Time Log Viewer allows an administrator to view the log file as it is being generated, in real time.
- Allows filtering based on expressions or search criteria.
- Logging level can be set independently from the syslog logging level for the length of the session.
- Limited to buffer size. Maximum buffer size is 2000.
Support

Service Inquiries and Requests
- Reach the DPI team by contacting the Network Analysts listed at: http://www.ncpublicschools.org/connectivity/directory/

Post-deployment Support
- For network related issues, please continue to call Network Operations Center Support at 877-GO-NCREN (877-466-2736) or 919-248-1111.
- For issues related to your web security or firewall service, please contact the SysOps Team by calling 919-248-4111 or by sending an email to [email protected].
- For questions related to firewall “Best Practices”, please contact the CNE Team by sending an email to [email protected]