Session ID BRKCRT-201 Effective Deployment of Cisco ASA Access Control

CCSP: Effective Deployment of Cisco ASA Access Control


DESCRIPTION

The Cisco ASA offers a wealth of access control features, many of which are underutilized in modern networks. In this session, we will discuss the methods and best practices for extension of classic firewalling policies to include proper configuration of low-level inspection routines, custom network and application-layer access controls, and anomaly-based access controls available in the latest Cisco ASA release.


Page 1: CCSP: Effective Deployment of Cisco ASA Access Control

Session ID BRKCRT-201

Effective Deployment of Cisco ASA Access Control

© 2010 Cisco and/or its affiliates. All rights reserved. Cisco Confidential

Cisco Live & Networkers Virtual: Special Offer, Save $100

Cisco Live has a well deserved reputation as one of the industry's best educational values. With hundreds of sessions spanning four educational programs (Networkers, Developer Networker, Service Provider, IT Management), you can build a custom curriculum that can make you a more valuable asset to your workplace and advance your career goals. Cisco Live and Networkers Virtual immerses you in all facets of Cisco Live, from participating in live keynotes and Super Sessions events to accessing session content to networking with your peers. Visit www.ciscolivevirtual.com and register for Cisco Live and Networkers Virtual. To get $100 USD off the Premier pass, which provides access to hundreds of technical sessions, enter "slideshareFY11".


Agenda and Prerequisites


Agenda

- Definition of Access Control Effectiveness
- Tune Basic OSI Layer 3-4 Inspection
- Configure and Verify the Cisco ASA TCP Normalizer and Advanced Connection Options
- Configure Application-layer Inspection


Prerequisites

- Understanding of the TCP/IP protocol suite and application protocols
- Familiarity with common classes of network attacks
- Familiarity with basic network firewall concepts
- Basic-to-intermediate level of familiarity with Cisco ASA configuration concepts


Definition of Access Control Effectiveness


Access Control Effectiveness: Levels of Access Control

- Firewall components can operate on different OSI layers:
  - Application layer (Layers 5-7) access control: controls payload and content inside permitted connections
  - Network layer (Layers 2-4) access control: minimizes connectivity between hosts and their applications


Access Control Effectiveness: Ability to Prevent Current and Future Attacks

- Firewall components can operate in different access control modes:
  - Restrictive access control: everything not explicitly allowed is prohibited
  - Permissive access control: everything not explicitly prohibited is allowed


Access Control Effectiveness: Effectiveness Criteria

- Coverage: the control provides protection against a wide variety of attacks
- Accuracy: the control produces a manageable rate of false positives or negatives
- Granularity: the control is able to inspect activity at the desired depth
- Integration ability: the control can support most applications and local infrastructure quirks
- Implementation simplicity: the control is manageable to implement and operate


Tune Cisco ASA Basic OSI Layer 3-4 Inspection


Basic Stateful Inspection Tuning: Overview

- The ASA enforces a strict traffic filtering policy that may interfere with unexpected or unusual application requirements, or with the network design
  - There are many tools in the ASA to create exceptions for such situations
  - It is strongly recommended to plan for known exceptions in advance


Basic Stateful Inspection Tuning: Input Parameters

- Potentially problematic TCP/IP stacks in the network, and applications with special TCP requirements: required to plan for TCP normalizer exceptions
- IP fragmentation issues in the network: required to tune fragmentation handling
- Asymmetric routing in the network: required to possibly bypass stateful algorithms
- Applications with long idle session periods: required to adjust connection table timers
- Dynamic applications used in the network: required to enable the relevant dynamic application inspectors
- Dynamic applications using non-standard ports: required to enable the relevant dynamic application inspectors
- Non-standard dynamic applications: required to describe such applications to the ASA


Basic Stateful Inspection Tuning: Deployment Tasks

1. Tune basic OSI Layer 3-4 inspection
2. Tune the ASA TCP normalizer
3. Configure support for dynamic protocols


Basic Stateful Inspection Tuning: Guidelines

- Consider the following overall guidelines:
  - When creating exceptions, make only the minimal required changes to the ASA traffic handling policy
  - Consider the possible adverse effects of your changes on access control reliability and performance


Tune Basic OSI Layer 3-4 Inspection: ASA Default Layer 3-4 Stateful Tracking

- The ASA will by default statefully track TCP, UDP, and GRE flows
  - ICMP PING tracking is disabled by default, and may be enabled

Sample connection table entries from the slide:

TCP 10.1.1.2:1474 > 192.168.1.6:22, inseq 346234, outseq 712136
UDP 192.168.1.3:58255 > 172.16.2.1:53, DNS id=457348956
TCP 10.1.1.2:4685 > 172.16.1.7:80, inseq 49758234, outseq 8345723
ICMP ECHO 10.1.1.7 > 172.16.9.1, ICMP ID=48572349
...


Tune Basic OSI Layer 3-4 Inspection: ASA Session Timers

- Sessions are normally deleted from the connection table based on TCP connection close events (FIN, RST), or idle timeouts (UDP, GRE, PING)
  - The connection table performs periodic garbage collection for TCP connections based on additional timeouts
  - These timeouts may be too aggressive for specific applications, and need to be tuned

TCP timers (default value in parentheses):
- Embryonic connection timeout (30 seconds): defines the time the ASA will wait for a SYN/ACK reply to a SYN
- Half-closed connection timeout (10 minutes): defines the time a TCP connection can be FIN-closed in one direction
- Connection timeout (1 hour): defines the time a TCP connection can be idle (i.e. no traffic passed over it)


Tune Basic OSI Layer 3-4 Inspection: ASA IP Fragment Handling

- The ASA performs virtual IP reassembly
  - Buffers fragments of a packet until all have been received
  - Verifies that fragments are properly fragmented
  - Reassembles IP fragments internally, to perform TCP normalization and application inspection
  - Forwards fragments as they have been received

(Figure: incoming IP fragments, the internally reassembled packet, and the outgoing IP fragments.)


Tune Basic OSI Layer 3-4 Inspection: Configuration Steps

1. (Optionally) Tune inspection timers and DCD
2. (Optionally) Tune fragment management


Tune Basic OSI Layer 3-4 Inspection: Configuration Scenario

(Figure: hosts in 10.0.0.0/8 reach host 10.10.1.9 through the ASA.)

- For telnet sessions to the host (10.10.1.9), set the idle timer to 4 hours and enable DCD
- Buffer up to 1000 IP fragments on all interfaces


Tune Basic OSI Layer 3-4 Inspection: Step 1: (Optionally) Tune Inspection Timers and DCD

ASDM: Configuration > Firewall > Service Policy Rules

- Create a new ACL-based class that matches the specific telnet traffic
- Specify the idle timeout
- Enable DCD with default parameters
- You can reset the connection on forced close


Tune Basic OSI Layer 3-4 Inspection: Step 2: (Optionally) Tune Fragment Management

ASDM: Configuration > Firewall > Service Policy Rules

- Edit the virtual reassembly policy for each interface
- Adjust the fragment database parameters


Tune Basic OSI Layer 3-4 Inspection: CLI Configuration

Step 1 (timers and DCD for telnet to the host):

access-list TELNET-TO-HOST-ACL permit tcp 10.0.0.0 255.0.0.0 host 10.10.1.9 eq 23
!
class-map TELNET-TO-HOST
 match access-group TELNET-TO-HOST-ACL
!
policy-map global_policy
 class TELNET-TO-HOST
  set connection timeout idle 4:00:00 reset dcd

Step 2 (fragment database size per interface):

fragment size 1000 inside
fragment size 1000 outside


Tune Basic OSI Layer 3-4 Inspection: Guidelines

- Consider the following implementation guidelines:
  - Only tune connection timers when required by specific applications, for a minimal set of required hosts; use DCD with long-lived connections to avoid resource exhaustion
  - Fragmentation management does not normally require tuning; first, try to eliminate the root cause of fragmentation before tuning the ASA


Tune the Cisco ASA TCP Normalizer


Tune the ASA TCP Normalizer: TCP Normalizer Overview

- The ASA TCP normalizer feature
  - Verifies adherence to the TCP protocol and prevents evasion attacks
  - Disables some TCP features by default
  - Performs TCP sequence number randomization for protected hosts
  - Provides the reassembled bytestream to upper-layer inspectors

(Figure: incoming TCP segments are normalized, and the reassembled stream is handed to the upper-layer inspectors.)


Tune the ASA TCP Normalizer: TCP Normalizer Configurable Parameters

Parameter (default value in parentheses): description
- Verify contents of retransmissions (disabled): enables or disables the retransmit data checks
- Verify TCP checksum of all packets (disabled): enables or disables checksum verification
- Analyze TCP MSS of flows (allow): allows or drops packets that exceed the MSS
- Analyze TCP reserved flags (allow): sets the reserved flags policy
- SYN packet analysis (allow): allows or drops SYN packets with data
- Analyze unusual TCP options (clear): allows or clears TCP options
- Analyze IP TTL of flows (enabled): enables or disables the TTL evasion protection
- URG flag check (allow): allows or clears the URG pointer
- Analyze TCP windowing (drop): drops a connection that has changed its window size unexpectedly


Tune the ASA TCP Normalizer: TCP State Bypass

- You can bypass the ASA stateful inspection algorithms for some flows
  - Configurable through MPF traffic classes
  - Causes the ASA to treat these flows similarly to Cisco IOS Software stateless ACLs
  - Also disables AIC, SSCs, cut-through proxy, and the TCP normalizer for these flows
  - Use only for trusted flows

(Figure caption: Deny unidirectional TCP flow.)


Tune the ASA TCP Normalizer: Configuration Steps

1. (Optionally) Tune TCP normalization
2. (Optionally) Tune TCP ISN randomization
3. (Optionally) Configure TCP state bypass


Tune the ASA TCP Normalizer: Configuration Scenario

(Figure: a BGP session crosses the ASA; the 10.1.1.0/24 and 10.2.2.0/24 networks sit on either side of it.)

- Support an authenticated BGP session through the ASA
- Statelessly handle traffic between the 10.1.1.0/24 and 10.2.2.0/24 networks


Tune the ASA TCP Normalizer: Step 1: (Optionally) Tune TCP Normalization

ASDM: Configuration > Firewall > Objects > TCP Maps

- Create a new TCP map that defines the TCP normalizer parameters
- Allow TCP option 19 (BGP authentication)


Tune the ASA TCP Normalizer: Step 2: (Optionally) Tune TCP ISN Randomization

ASDM: Configuration > Firewall > Service Policy Rules

- Create a new ACL-based class that matches the specific BGP traffic
- Specify the configured TCP map
- Disable ISN randomization


Tune the ASA TCP Normalizer: Step 3: (Optionally) Configure TCP State Bypass

ASDM: Configuration > Firewall > Service Policy Rules

- Create a new ACL-based class that matches the specific networks
- Disable stateful checks for this class


Tune the ASA TCP Normalizer: CLI Configuration

Steps 1 and 2 (TCP map allowing option 19, applied to the BGP class with ISN randomization disabled):

access-list BGP-PEERING-ACL permit tcp host 10.3.3.3 host 10.4.4.4 eq 179
access-list BGP-PEERING-ACL permit tcp host 10.4.4.4 host 10.3.3.3 eq 179
!
class-map BGP-PEERING
 match access-group BGP-PEERING-ACL
!
tcp-map TCP-BGP-AUTH-MAP
 tcp-options range 19 19 allow
!
policy-map global_policy
 class BGP-PEERING
  set connection advanced-options TCP-BGP-AUTH-MAP
  set connection random-sequence-number disable

Step 3 (stateless handling between the two networks):

access-list STATE-BYPASS-ACL permit ip 10.1.1.0 255.255.255.0 10.2.2.0 255.255.255.0
access-list STATE-BYPASS-ACL permit ip 10.2.2.0 255.255.255.0 10.1.1.0 255.255.255.0
!
class-map STATE-BYPASS
 match access-group STATE-BYPASS-ACL
!
policy-map global_policy
 class STATE-BYPASS
  set connection advanced-options tcp-state-bypass


Tune the ASA TCP Normalizer: Guidelines

- Consider the following implementation guidelines:
  - Exercise extreme care if you are relaxing TCP normalizer parameters; this may cause unreliable application-layer filtering
  - For application-layer inspection, add TCP checksum verification and retransmission checks to your flow policy, at the expense of lower performance
  - Make only the minimal required changes between specific hosts or networks
  - Use TCP bypass only when absolutely necessary (to support trusted asymmetric flows, or TCP stack quirks of critical hosts)
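The second guideline in CLI form, added here as an example and not taken from the session deck: a TCP map that switches on the retransmission and checksum checks and tightens the remaining normalizer parameters from the TCP Normalizer Configurable Parameters table, applied only to the flows that feed application-layer inspection. The map and class names are assumed, as is the web server address 10.10.10.1 (taken from the HTTP inspection scenario later in the deck) and its use of TCP port 80.

```text
! Added example, not from the session deck. Names and addresses are assumptions.
! Each tcp-map subcommand corresponds to one row of the parameters table.
tcp-map TCP-STRICT-MAP
 check-retransmission
 ! verify contents of retransmissions (default: disabled)
 checksum-verification
 ! verify TCP checksum of all packets (default: disabled)
 exceed-mss drop
 ! analyze TCP MSS of flows (default: allow)
 reserved-bits clear
 ! analyze TCP reserved flags (default: allow)
 syn-data drop
 ! SYN packet analysis (default: allow)
 ttl-evasion-protection
 ! analyze IP TTL of flows (default: enabled)
 urgent-flag clear
 ! URG flag check (default: allow)
 window-variation drop-connection
 ! analyze TCP windowing (default: drop)
!
! Limit the stricter map to the inspected web server flows only
access-list HTTP-TO-SERVER-ACL permit tcp any host 10.10.10.1 eq 80
!
class-map HTTP-TO-SERVER
 match access-group HTTP-TO-SERVER-ACL
!
policy-map global_policy
 class HTTP-TO-SERVER
  set connection advanced-options TCP-STRICT-MAP
```

Because the map is attached to a narrow ACL-based class rather than to the default class, the performance cost of the retransmission and checksum checks is paid only for the flows whose application-layer inspection depends on a trustworthy bytestream. After applying it, `show service-policy` lists the class with its `set connection advanced-options` line so you can confirm the map is attached where intended.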


Configure Support for Dynamic Protocols


Configure Support for Dynamic Protocols: Dynamic Protocols and Stateful Filtering

- Dynamic protocols are those that negotiate additional sessions on negotiated transport-layer ports
  - The ASA will by default snoop on many dynamic protocols to automatically permit these sessions
  - In ACLs, you only need to permit the initial session


Configure Support for Dynamic Protocols: Default Ports in the Default Inspection Class

- The ASA assigns a set of well-known ports used by dynamic applications to the default inspection class
  - Not all ports are inspected by default
  - Additional ports are present for NAT and application-layer inspection


Configure Support for Dynamic Protocols: Default Inspectors in the Default Inspection Class

Inspector: function
- FTP: allows FTP data connections
- H.323 (H.225): allows negotiated RTP flows
- H.323 (RAS): allows negotiated RTP flows
- RSH: allows RSH stderr connections
- RTSP: allows negotiated RTP flows
- SCCP: allows negotiated RTP flows
- SIP: allows negotiated RTP flows
- Oracle SQL*Net (TNS): allows dynamic database connections
- UNIX RPC (SUNRPC): allows all available UNIX RPC applications via the RPC portmapper
- TFTP: allows TFTP data connections
- XDMCP: allows dynamic X Window display sessions


Configure Support for Dynamic Protocols: Inactive Inspectors in the Default Inspection Class

Inspector: function
- CTIQBE: allows negotiated RTP flows
- DCERPC: allows dynamic Microsoft DCOM and DCE RPC connections
- MMP: allows negotiated RTP flows
- MGCP: allows negotiated RTP flows


Configure Support for Dynamic Protocols: WAAS Inspector

- The ASA also supports a non-default WAAS inspector
  - WAAS is not a dynamic application, but it changes TCP behavior
  - Enabling the inspector allows WAAS sessions to work through the ASA

(Figure: WAAS-optimized TCP sessions between two WAAS-enabled ISRs pass through a WAAS-aware ASA.)


Configure Support for Dynamic Protocols: Configuration Steps

1. (Optionally) Configure support for non-default dynamic applications
2. (Optionally) Configure support for dynamic applications on non-standard ports
3. (Optionally) Configure support for custom dynamic applications


Configure Support for Dynamic Protocols: Configuration Scenario

- Enable support for FTP on TCP port 2121
- Enable the non-default CTIQBE and DCERPC inspectors
- Support the custom dynamic application

(Figure: the custom application opens a control session on TCP 3000 and an additional session on UDP 7777.)


Configure Support for Dynamic Protocols: Step 1: (Optionally) Configure Support for Non-default Dynamic Applications

ASDM: Configuration > Firewall > Service Policy Rules

- Modify the default inspection class
- Enable the additional dynamic protocol inspectors


Configure Support for Dynamic Protocols: Step 2: (Optionally) Configure Support for Dynamic Applications on Non-standard Ports

ASDM: Configuration > Firewall > Service Policy Rules

- Create a new destination-port-based class
- Specify the static ports or port ranges of the dynamic application
- Enable the dynamic application inspector for this class


Configure Support for Dynamic Protocols: Step 3: (Optionally) Configure Support for Custom Dynamic Applications

- The established command allows you to describe a dynamic application to the ASA
- Based on an established authorized connection, it will allow additional connections between the same two hosts
- This is a better approach than permanently permitting these dynamic sessions using ACLs

Syntax:

ASA(config)# established protocol dest_port [source_port] [permitto protocol port[-port]] [permitfrom protocol port[-port]]

Scenario configuration (the permitto protocol is required by the syntax; per the scenario figure the additional session is UDP 7777):

established tcp 3000 permitto udp 7777
!
access-list INSIDE permit tcp 10.0.0.0 255.0.0.0 172.16.0.0 255.255.0.0 eq 3000
!
access-group INSIDE in interface inside


Configure Support for Dynamic Protocols: CLI Configuration

Step 1 (non-default inspectors in the default class) and step 2 (FTP inspection on TCP port 2121):

class-map NON-STANDARD-FTP
 match port tcp eq 2121
!
policy-map global_policy
 class inspection_default
  inspect ctiqbe
  inspect dcerpc
 class NON-STANDARD-FTP
  inspect ftp


Configure Support for Dynamic Protocols: Guidelines

- Consider the following implementation guidelines:
  - If you do not use a particular dynamic protocol, it is generally better to globally disable its inspection function inside the default class
  - Use the established command instead of static ACLs to support minimal connectivity of custom dynamic applications
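The first guideline in CLI form, added here as an example and not taken from the session deck: the default inspection class with the inspectors for dynamic protocols that this network does not use turned off, so that the ASA no longer opens negotiated pinholes for them. Which protocols are unused is an assumption made for the example; the set you disable must come from your own application inventory.

```text
! Added example, not from the session deck. The list of unused protocols is an
! assumption: here FTP, SIP and SCCP stay inspected, everything else in the
! default-inspector table is disabled so no pinholes are opened for it.
policy-map global_policy
 class inspection_default
  no inspect rsh
  no inspect rtsp
  no inspect sqlnet
  no inspect sunrpc
  no inspect tftp
  no inspect xdmcp
  no inspect h323 h225
  no inspect h323 ras
```

Each `no inspect` line removes one inspector from the default class only; a dynamic protocol you later need on a non-standard port is added back with its own port-based class, as in step 2 above. `show service-policy` shows which inspectors remain active in the class together with their packet counters, which is a quick way to spot a protocol that is still in use before you disable it.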


Configuring Application-Layer Policies


Application-Layer Access Control Overview

- Application-layer access control can
  - Provide defense in depth by protecting exposed client and server applications
  - Prevent malicious content from being delivered to endpoints
  - Prevent covert tunneling

(Figure: the ASA protects the client application on one side and the server application, a CRM, on the other.)


Application-Layer Access Control Overview: Application-layer Controls

- Protocol Minimization
  - Allows a minimal required set of protocol features through the ASA
  - Increases protection by hiding unnecessary features
  - Can prevent both known and unknown attacks
- Payload Minimization
  - Allows transport of only the minimally required payloads over the application session
  - Increases protection by only allowing expected content types and values
  - Can prevent both known and unknown attacks
- Application-layer Signatures
  - Detect and drop known malicious payloads in application-layer sessions
  - Can generally only prevent known attacks
  - Can be manually configured in ASA native AIC, or you can use the full IPS functionality of the AIP SSM or SSC
- Protocol Verification
  - Detects and/or drops anomalous application-layer protocol units
  - Can prevent both known and unknown attacks
  - Can prevent covert tunneling


Application-Layer Access Control Overview: Input Parameters

- Application protocols used: required to determine the level of AIC support on the ASA
- Applications used: required to determine basic application behavior
- Local application customization: required to determine detailed application behavior
- Hardening and patching policies; known application vulnerabilities: required to determine application vulnerability and the need for network protection
- Cryptographic protection used: required to determine implementation feasibility and the possible need for decryption


Application-Layer Access Control Overview: Guidelines

- Consider the following general deployment guidelines:
  - Deploy application-layer access control as the primary line of defense if your applications are known to be vulnerable to application-layer attacks
  - Otherwise, consider application-layer access control for defense in depth
  - Analyze application behavior in detail, and cooperate with endpoint and application administrators before attempting to create network application-layer access controls
  - Decrypt application-layer traffic before inspecting it (and possibly re-encrypt it afterwards)


Configure Cisco ASA HTTP Inspection


Configure HTTP Inspection: HTTP Inspector Overview

- The ASA HTTP inspector can granularly parse HTTP requests and responses and allows specific value and regular expression matching inside these containers
- Additionally, the inspector can verify adherence to the HTTP protocol, and log accessed URIs

(Figure: an HTTP exchange inspected by the ASA.)

Request:
GET /go/asa HTTP/1.1
Accept: image/jpeg, image/gif, application/x-shockwave-flash, */*
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; ...

Response:
HTTP/1.1 200 OK
Date: Mon, 22 Mar 2010 12:30:50 GMT
Server: Apache/2.2
Last-Modified: Sat, 20 Mar 2010 00:39:56 GMT
...
<!DOCTYPE html PUBLIC ...


Configure HTTP Inspection: HTTP Request and Response

Request headers:
GET /go/asa HTTP/1.1
Accept: image/jpeg, image/gif, application/x-shockwave-flash, */*
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1)
Accept-Encoding: gzip, deflate
Host: www.cisco.com
Connection: Keep-Alive
Cookie: CP_...

Response headers:
HTTP/1.1 200 OK
Date: Mon, 22 Mar 2010 12:30:50 GMT
Server: Apache/2.2
Last-Modified: Sat, 20 Mar 2010 00:39:56 GMT
Accept-Ranges: bytes
Content-Type: text/html
Content-Length: 24316
Connection: keep-alive

Data:
<!DOCTYPE html PUBLIC ...


Configure HTTP Inspection: HTTP Request and Response Details

GET /scripts/myapp?username=joe&sessionid=12 HTTP/1.1
Host: www.cisco.com

Content-Type: text/html

Fields labelled on the slide:
- HTTP method: GET
- HTTP URI: /scripts/myapp
- HTTP arguments: username=joe&sessionid=12
- HTTP version: HTTP/1.1
- Virtual server hostname: www.cisco.com (Host header)
- Type of returned content: text/html (Content-Type header), i.e. HTML content


Configure HTTP Inspection: Request Inspection Options

HTTP request field: type of match
- Request Method: specific values
- Request URI: regular expression(s)
- Request Length: numeric (greater than)
- Request Arguments: regular expression(s)
- Request Header Field (names and values): specific values or regular expression(s)
- Request Header Field Count: numeric (greater than)
- Request Header Field Length: numeric (greater than)
- Request Header Count: numeric (greater than)
- Request Header Length: numeric (greater than)
- Request Header Non-ASCII: boolean (true or false)


Configure HTTP Inspection: Response Inspection Options

HTTP response field: type of match
- Response Status Line: regular expression(s)
- Response Body: regular expression(s)
- Response Body Length: numeric (greater than)
- Response Header Field (names and values): specific values or regular expression(s)
- Response Header Field Count: numeric (greater than)
- Response Header Field Length: numeric (greater than)
- Response Header Count: numeric (greater than)
- Response Header Length: numeric (greater than)
- Response Header Non-ASCII: boolean (true or false)


Configure HTTP Inspection: Configuration Steps

1. Create an HTTP inspection policy map
2. (Optionally) Configure HTTP protocol minimization
3. (Optionally) Configure HTTP payload minimization
4. (Optionally) Configure HTTP signatures
5. (Optionally) Configure HTTP protocol verification
6. Apply the HTTP inspection policy map


Configure HTTP Inspection: Configuration Scenario

(Figure: HTTP clients reach the web server 10.10.10.1 through the ASA.)

- Drop requests that contain basic SQL injection (“SELECT FROM”) in HTTP arguments
- Only allow the HTTP GET method
- Only allow URIs starting with “/myapp”
- Verify adherence to the HTTP protocol


Configure HTTP Inspection: Step 1: Create an HTTP Inspection Policy Map

ASDM: Configuration > Firewall > Objects > Inspect Maps > HTTP

- Choose a pre-configured policy, OR
- Use the “Details” view to create custom inspections


Configure HTTP Inspection: Step 1: Create an HTTP Inspection Policy Map (Cont.)

ASDM: Configuration > Firewall > Objects > Inspect Maps > HTTP

- You can add multiple inspections; any matching inspection will trigger an action
- In each inspection, you can match on a single condition or on multiple conditions

Page 63: CCSP: Effective Deployment of Cisco ASA Access Control

Configure HTTP Inspection: Step 2: (Optionally) Configure HTTP Protocol Minimization

Configuration > Firewall > Objects > Inspect Maps > HTTP

To minimize protocol features, use the “No Match” criterion and specify all valid protocol features

Specify the actions taken when a protocol feature is not on the “white list”

Page 64: CCSP: Effective Deployment of Cisco ASA Access Control

Configure HTTP Inspection: Step 3: (Optionally) Configure HTTP Payload Minimization

Configuration > Firewall > Objects > Inspect Maps > HTTP

To minimize payloads, use the “No Match” criterion and specify all valid payloads

Specify the actions taken when the payload is not on the “white list”

Specify valid payloads using regex or specific values

Create and test a regex in the ASDM interface

Page 65: CCSP: Effective Deployment of Cisco ASA Access Control

Configure HTTP Inspection: Step 4: (Optionally) Configure HTTP Signatures

Configuration > Firewall > Objects > Inspect Maps > HTTP

To create signatures, use the “Match” criterion and specify individual malicious payloads

Specify the actions taken when the payload is on the “blacklist”

Specify malicious payloads using regex or specific values

Page 66: CCSP: Effective Deployment of Cisco ASA Access Control

Configure HTTP Inspection: Step 5: (Optionally) Configure HTTP Protocol Verification

Configuration > Firewall > Objects > Inspect Maps > HTTP

Enable protocol verification

Specify the actions taken for non-compliant sessions

Page 67: CCSP: Effective Deployment of Cisco ASA Access Control

Configure HTTP Inspection: Step 6: Apply the HTTP Inspection Policy Map

Configuration > Firewall > Service Policy Rules

Create a new ACL-based class that matches the specific web traffic

Enable HTTP inspection and apply the custom HTTP inspect map

Page 68: CCSP: Effective Deployment of Cisco ASA Access Control

Configure HTTP Inspection: CLI Configuration

    regex BASIC-SQL-INJECTION "[Ss][Ee][Ll][Ee][Cc][Tt].+[Ff][Rr][Oo][Mm]"
    regex MY-URI "^\/myapp"
    !
    policy-map type inspect http MY-HTTP-POLICY
     parameters
      protocol-violation action drop-connection log
     match not request method get
      drop-connection log
     match not request uri regex MY-URI
      drop-connection log
     match request args regex BASIC-SQL-INJECTION
      drop-connection log

Page 69: CCSP: Effective Deployment of Cisco ASA Access Control

Configure HTTP Inspection: CLI Configuration (Cont.)

    access-list WEB-SERVER-ACL permit tcp any host 10.10.10.1 eq http
    !
    class-map WEB-SERVER-PROTECTION
     match access-list WEB-SERVER-ACL
    !
    policy-map global_policy
     class WEB-SERVER-PROTECTION
      inspect http MY-HTTP-POLICY

Page 70: CCSP: Effective Deployment of Cisco ASA Access Control

Configure HTTP Inspection: Verify the Policy Map

Configuration > Firewall > Objects > Inspect Maps > HTTP

Verify that all needed inspections are configured in the HTTP inspect map

Page 71: CCSP: Effective Deployment of Cisco ASA Access Control

Configure HTTP Inspection: Guidelines

Consider the following implementation guidelines:

• Analyze application behavior well (using traffic captures and detection policies) before implementing aggressive actions
• The ASA regular expression engine does not support the $ (end-of-line) metacharacter, therefore you can only match on prefixes
• Consider implementing length-based restrictions in addition to pattern-based filtering
• Using minimization (i.e. “least privilege”) is often more effective than signatures, but is almost always much more challenging to implement
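As an added illustration (not code from the session or from Cisco), the following Python evaluates constructed request lines the way MY-HTTP-POLICY from the CLI slides would, in the order the policy map lists its inspections, and adds the length restriction the guidelines recommend; it also shows that the prefix-only MY-URI regex admits any path beginning with "/myapp". MAX_URI_LENGTH and the sample request lines are assumptions.

```python
import re
from urllib.parse import unquote_plus, urlsplit

# Regexes from the page's CLI. Character classes give case-insensitivity;
# MY_URI is a prefix only, since the ASA engine has no "$" anchor.
BASIC_SQL_INJECTION = re.compile(r"[Ss][Ee][Ll][Ee][Cc][Tt].+[Ff][Rr][Oo][Mm]")
MY_URI = re.compile(r"^/myapp")

# Constructed limit illustrating the page's length-restriction guideline;
# the page's own CLI has no length rule, so this value is an assumption.
MAX_URI_LENGTH = 1024


def inspect_request(request_line: str):
    """Evaluate a request line as MY-HTTP-POLICY would; returns
    ("drop-connection", reason) or ("permit", None)."""
    # Step 5: protocol verification. A request line is METHOD SP URI SP VERSION.
    parts = request_line.strip().split(" ")
    if len(parts) != 3 or not parts[2].startswith("HTTP/"):
        return ("drop-connection", "protocol-violation")
    method, target, _version = parts
    # Step 2: protocol minimization ("match not request method get").
    if method.lower() != "get":
        return ("drop-connection", "method not GET")
    # Step 3: payload minimization ("match not request uri regex MY-URI").
    # Note the prefix semantics: "/myapplication" passes this check too.
    split = urlsplit(target)
    if not MY_URI.search(split.path):
        return ("drop-connection", "URI not under /myapp")
    # Added length restriction (guideline on the page, not in its CLI).
    if len(target) > MAX_URI_LENGTH:
        return ("drop-connection", "URI too long")
    # Step 4: signature ("match request args regex BASIC-SQL-INJECTION"),
    # run over the URL-decoded query string as the request arguments.
    if BASIC_SQL_INJECTION.search(unquote_plus(split.query)):
        return ("drop-connection", "SQL injection signature")
    return ("permit", None)


if __name__ == "__main__":
    # Constructed sample request lines, not captured traffic.
    for line in ["GET /myapp/index.html HTTP/1.1",
                 "POST /myapp/login HTTP/1.1",
                 "GET /admin/ HTTP/1.1",
                 "GET /myapp/search?q=select+*+from+users HTTP/1.1",
                 "GET /myapplication/ HTTP/1.1",   # prefix caveat: permitted
                 "GET /myapp/x HTTP/1.1 junk"]:
        print(f"{line!r:55} -> {inspect_request(line)}")
```

The permitted "/myapplication/" line is the practical consequence of the $-less regex engine: tighten the prefix (for example "^/myapp/") or pair it with length and method restrictions rather than relying on the pattern alone.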

Page 72: CCSP: Effective Deployment of Cisco ASA Access Control

Summary

• Exercise extreme care when configuring lower inspection layers, to ensure reliability of more advanced inspection
• Consider improving your own controls based on the effectiveness criteria outlined in this session
• Use various ASA configuration tools to ensure that your policy is accurately implemented
• Deploying application-layer inspection is challenging, but can provide excellent defense-in-depth

Page 73: CCSP: Effective Deployment of Cisco ASA Access Control