Saturday, November 23, 2013

Using Transparent Firewall Mode on an ASA

An ASA can be configured to operate in transparent firewall mode, in which it behaves as a Layer 2 device rather than becoming a router hop or a default gateway for its connected networks. This is also known as a Layer 2 firewall or a stealth firewall, because the ASA's data interfaces have no IP addresses of their own and so cannot be addressed, scanned, or seen as a hop in a traceroute; the only IP address the firewall exposes is a single management address, used for traffic sourced by the ASA itself or destined for a management session. That management address still deserves the same access restrictions you would apply to any other firewall management interface.

As a Layer 2 device, an ASA in transparent firewall mode can be installed or wedged into an existing network, separating the inside from the outside without changing a single IP address. This is commonly called a "bump-in-the-wire" because the ASA doesn't break or segment the IP subnet along a wire but instead more or less becomes part of the wire. This makes a new installation straightforward: hosts on either side keep their addresses and default gateway, and the ASA simply enforces policy on whatever crosses it.

You can also think of a transparent mode firewall as a type of transparent bridge, where frames are bridged from one interface to another based only on their MAC addresses. The ASA maintains a MAC address table built from the source MAC address of each received frame, along with the interface on which the frame arrived. Once a MAC address has been learned, the ASA can forward a frame to that address out the egress interface where the address was last seen active, and the frame is still subject to the access policy between the two interfaces on its way through.
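To make the bridging behaviour concrete, here is a small Python model of a bridge group, added for this page and not Cisco code: it learns source MACs per interface, floods unknown destinations to the other members, and applies the ASA's default security-level policy (higher to lower permitted, the reverse only as a reply to a flow already seen) to whatever crosses between interfaces. The interface names, MAC and IP addresses are constructed, and the flooding and connection tracking are simplifications of what the ASA actually does.

```python
"""Toy model of an ASA bridge group in transparent mode (added example, not Cisco code)."""
from __future__ import annotations

from dataclasses import dataclass

BROADCAST = "ff:ff:ff:ff:ff:ff"


@dataclass
class Frame:
    src_mac: str
    dst_mac: str
    src_ip: str
    dst_ip: str


@dataclass
class Interface:
    name: str
    security_level: int      # ASA convention: 100 most trusted, 0 least trusted


class BridgeGroup:
    """Interfaces that share one MAC table; none of them carries an IP address."""

    def __init__(self, *members: Interface):
        self.members = {m.name: m for m in members}
        self.mac_table: dict[str, str] = {}        # mac -> interface it was last seen on
        self.conns: set[tuple[str, str]] = set()   # (src_ip, dst_ip) of permitted flows
        self.log: list[str] = []

    def learn(self, mac: str, ifname: str) -> None:
        """Record the ingress interface of every source MAC (simplified: no aging)."""
        if self.mac_table.get(mac) != ifname:
            self.mac_table[mac] = ifname
            self.log.append(f"learned {mac} on {ifname}")

    def permitted(self, frame: Frame, ingress: str, egress: str) -> bool:
        """Default policy with no ACL: a higher security level may open flows toward a
        lower one; the reverse direction passes only as a reply to a flow already seen."""
        if self.members[ingress].security_level > self.members[egress].security_level:
            self.conns.add((frame.src_ip, frame.dst_ip))
            return True
        return (frame.dst_ip, frame.src_ip) in self.conns

    def forward(self, frame: Frame, ingress: str) -> list[str]:
        """Return the interfaces the frame is bridged out of."""
        self.learn(frame.src_mac, ingress)
        known = self.mac_table.get(frame.dst_mac)
        if known == ingress:
            return []                                # destination is on the same side: nothing to bridge
        # known egress, otherwise flood to every other member of the bridge group
        candidates = [known] if known else [n for n in self.members if n != ingress]
        egress = []
        for name in candidates:
            if self.permitted(frame, ingress, name):
                egress.append(name)
            else:
                self.log.append(f"denied {frame.src_ip}->{frame.dst_ip} from {ingress} to {name}")
        return egress


def demo() -> dict:
    """Constructed traffic on one IP subnet that the ASA now sits in the middle of."""
    bg = BridgeGroup(Interface("inside", 100), Interface("outside", 0))
    host, server = "00:11:22:33:44:01", "00:11:22:33:44:02"    # made-up MAC addresses
    return {
        "broadcast": bg.forward(Frame(host, BROADCAST, "192.168.1.10", "192.168.1.255"), "inside"),
        "unknown_unicast": bg.forward(Frame(host, server, "192.168.1.10", "192.168.1.50"), "inside"),
        "reply": bg.forward(Frame(server, host, "192.168.1.50", "192.168.1.10"), "outside"),
        "unsolicited": bg.forward(Frame(server, host, "192.168.1.50", "192.168.1.99"), "outside"),
        "mac_table": dict(bg.mac_table),
        "log": list(bg.log),
    }
```

Both hosts sit in 192.168.1.0/24, which is the whole point of the bump-in-the-wire: the model never touches an IP next hop, yet the unsolicited frame from the outside is still stopped by the security-level policy.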

Comparison of the Routed and Transparent Firewall Modes

Routed Firewall Mode

* Forwards IP packets only; non-IP traffic is not passed.

* Network readdressing is necessary across the ASA, because each interface is a router hop with its own subnet.

* All ASA interfaces are available, with no bridge-group limit.


Transparent Firewall Mode

* Can also pass non-IP packets (with an EtherType access list; ARP is permitted by default).

* Network readdressing is not necessary; both sides stay in the same subnet.

* Only 2 (before 8.4(1)) to 4 (8.4(1) and later) interfaces can be used per bridge group.

* The following features are not available:

    - Dynamic routing protocols
    - Dynamic DNS
    - DHCP Relay
    - Multicast IP routing
    - Quality of service
    - VPN termination for transit traffic


Configuring Transparent Firewall Mode

Before you begin configuring transparent firewall mode, you should verify which mode is currently in use. You can do that with the show firewall EXEC command. By default the ASA runs in routed mode, which the output shows as "Router".

ciscoasa# show firewall
Firewall mode: Router


You can enable transparent firewall mode with the following command:

ciscoasa(config)# firewall ?

configure mode commands/options:
  transparent  Switch to transparent mode
ciscoasa(config)# firewall transparent
ERROR: Password recovery was not changed, unable to access
the configuration register.
COREDUMP UPDATE: open message queue fail: No such file or directory/2


Transparent firewall mode takes effect immediately and doesn't require a reload; however, because transparent and routed firewall modes use different approaches to network security, the running configuration is cleared as soon as transparent mode begins. The idea is to enter transparent firewall mode and build an appropriate configuration from scratch.

For that reason, you should save the routed firewall mode running configuration to flash memory or to an external server before enabling transparent firewall mode. That way, you will have a copy of the configuration in case you need to revert to routed firewall mode or refer to some portion of that configuration. Do the mode change from the console, since any remote management session is dropped together with the configuration; because of that, ASDM does not offer any way to change the firewall mode.

Next, you will need to set aside ASA interfaces and configure them for transparent firewall use. For ASA release 8.4(1) or later, you can configure up to four interfaces as part of a bridge group, and you can define more than one bridge group; each bridge group is isolated, and the ASA neither bridges nor routes traffic between them. With earlier releases, you must use exactly two interfaces - one interface will face the "outside," less secure part of the network, while the other will face the "inside," more secure area.

Configure the interfaces exactly as you would with routed firewall mode, with the exception of any IP addresses, by supplying the following parameters:

* Interface speed and duplex mode

* Interface name

* Security level

* Bridge group number (ASA release 8.4(1) and later)


In ASDM, navigate to Configuration > Device Setup > Interfaces, select an interface, and click Edit.



If you choose to configure interfaces with the CLI instead, you can use the nameif, security-level, and bridge-group interface configuration commands.

ciscoasa(config)# interface gigabitethernet0
ciscoasa(config-if)# nameif inside
INFO: Security level for "inside" set to 100 by default.
ciscoasa(config-if)# bridge-group ?

interface mode commands/options:
  <1-100>  Group number of this interface
ciscoasa(config-if)# bridge-group 1
ciscoasa(config-if)# no shutdown
ciscoasa(config-if)# interface gigabitethernet1
ciscoasa(config-if)# nameif outside
INFO: Security level for "outside" set to 0 by default.
ciscoasa(config-if)# bridge-group 1
ciscoasa(config-if)# no shutdown


Next, assign a single IP address to each bridge group as a whole. This address is used only for management traffic, such as Telnet, SSH, HTTP, SNMP, syslog, TFTP, FTP, and so on; it must belong to the subnet being bridged, and because the ASA does not route in this mode, management traffic to any other subnet needs a static route whose next hop is on that bridged subnet. If you configure the ASA for multiple context mode, you should configure one IP address for each bridge group in each security context, including the admin context. From the interface list in ASDM, select Add and choose Bridge Virtual Interface (BVI).

ciscoasa(config-if)# interface ?

configure mode commands/options:
  BVI              Bridge-Group Virtual Interface
  GigabitEthernet  GigabitEthernet IEEE 802.3z
  Port-channel     Ethernet Channel of interfaces
  Redundant        Redundant Interface
  <cr>
ciscoasa(config-if)# interface bvi ?

configure mode commands/options:
  <1-100>  BVI interface number
ciscoasa(config-if)# interface bvi 1
ciscoasa(config-if)# ip address 192.168.1.1 255.255.255.0

Saturday, November 9, 2013

Detecting and Filtering Botnet Traffic on an ASA

In a botnet attack, hosts on the private side of an ASA become infected with malware. Each infected host tries to contact a botnet command-and-control server located somewhere on the public Internet to receive further instructions. The control server is then able to remotely control many infected hosts and align them in a coordinated attack against other resources.

Because the infected hosts are located on a secure side of the ASA, they are likely to be free to open outbound connections just like any other protected host. You can leverage the Cisco ASA Botnet Traffic Filter feature to detect botnet activity and prevent infected hosts from contacting their control servers.

When the Botnet Traffic Filter is enabled, an ASA maintains two reputation databases:

* A dynamic SensorBase database that is downloaded periodically from Cisco, which contains information about known botnet control servers.

* A static database that you can populate, which can contain a "whitelist" of known good IP addresses and domain names or a "blacklist" of known bad servers.

The Botnet Traffic Filter feature is dependent upon four things:

* A Botnet Traffic Filter license purchased from Cisco and installed on the ASA

* A DNS server, which the ASA uses to look up the names it finds in the static database and to resolve Cisco's update server

* Botnet Traffic Filter DNS snooping, which has the ASA inspect DNS replies to protected hosts and record which IP addresses resolved from which names, so that a later connection to one of those addresses can be matched against the hostnames in the databases

* Live connectivity from the ASA to the Internet, so that the updater client can periodically download the dynamic database from Cisco (update-manifests.ironport.com, as the warning in the configuration below shows)

Before you begin configuring Botnet Traffic Filtering, verify that the feature license has been enabled. You can use the show version command to see a list of ASA features and their license status. Make sure Botnet Traffic Filter is listed as Enabled.

ciscoasa# show version

Cisco Adaptive Security Appliance Software Version 8.4(2)

Compiled on Wed 15-Jun-11 18:17 by builders
System image file is "Unknown, monitor mode tftp booted image"
Config file at boot was "startup-config"

ciscoasa up 11 mins 39 secs

Hardware:   ASA 5520, 1024 MB RAM, CPU Pentium II 1000 MHz
Internal ATA Compact Flash, 256MB
BIOS Flash unknown @ 0x0, 0KB


 0: Ext: GigabitEthernet0    : address is 00ab.cd92.5200, irq 0
 1: Ext: GigabitEthernet1    : address is 0000.abf1.d701, irq 0
 2: Ext: GigabitEthernet2    : address is 0000.ab9a.0e02, irq 0
 3: Ext: GigabitEthernet3    : address is 0000.ab64.2f03, irq 0
 4: Ext: GigabitEthernet4    : address is 0000.ab84.7804, irq 0
 5: Ext: GigabitEthernet5    : address is 0000.abfa.5105, irq 0

Licensed features for this platform:
Maximum Physical Interfaces       : Unlimited      perpetual
Maximum VLANs                     : 100            perpetual
Inside Hosts                      : Unlimited      perpetual
Failover                          : Active/Active  perpetual
VPN-DES                           : Enabled        perpetual
VPN-3DES-AES                      : Enabled        perpetual
Security Contexts                 : 5              perpetual
GTP/GPRS                          : Disabled       perpetual
AnyConnect Premium Peers          : 25             perpetual
AnyConnect Essentials             : Disabled       perpetual
Other VPN Peers                   : 5000           perpetual
Total VPN Peers                   : 0              perpetual
Shared License                    : Enabled        perpetual
AnyConnect for Mobile             : Disabled       perpetual
AnyConnect for Cisco VPN Phone    : Disabled       perpetual
Advanced Endpoint Assessment      : Enabled        perpetual
UC Phone Proxy Sessions           : 10             perpetual
Total UC Proxy Sessions           : 10             perpetual
Botnet Traffic Filter             : Enabled        perpetual
Intercompany Media Engine         : Enabled        perpetual

This platform has an ASA 5520 VPN Plus license.


Use the following steps to configure botnet traffic filtering:

Step 1: Configure the dynamic database.

Step 2: Configure the static database.

Step 3: Enable DNS snooping.

Step 4: Enable the Botnet Traffic Filter.

ciscoasa(config)# dynamic-filter ?

configure mode commands/options:
  ambiguous-is-black  Handle (ambiguous) greylist matched traffic as blacklist
                      for Dynamic Filter drop
  blacklist           Configure Dynamic Filter blacklist
  drop                Enable traffic drop based on Dynamic Filter traffic
                      classification
  enable              Enable Dynamic Filter classification
  updater-client      Configure Dynamic Filter updater client
  use-database        Use Dynamic Filter data downloaded from updater-server
  whitelist           Configure Dynamic Filter whitelist

exec mode commands/options:
  database  Dynamic Filter data commands
ciscoasa(config)# dynamic-filter updater-client ?

configure mode commands/options:
  enable  Enable Dynamic Filter updater client
ciscoasa(config)# dynamic-filter updater-client enable
WARNING: Can't resolve update-manifests.ironport.com, make sure dns nameserver is configured  // the updater fetches Cisco's dynamic database from this host, so the ASA itself needs a working DNS server
ciscoasa(config)# dynamic-filter use-database
ciscoasa(config)# dns ?   // configure DNS as the warning asks

configure mode commands/options:
  domain-lookup       Enable/Disable DNS host-to-address translation
  expire-entry-timer  Specify DNS entry expire timer
  name-server         Specify DNS servers
  poll-timer          Specify dns update interval
  retries             Configure DNS retries
  server-group        Configure a DNS server group
  timeout             Configure DNS query timeout
ciscoasa(config)# dns domain-lookup outside
ciscoasa(config)# dns server-group DefaultDNS   // the ASA resolves names for its own traffic (updater, static database) only through the DefaultDNS group; other server groups serve VPN tunnel-groups
ciscoasa(config-dns-server-group)# ?
DNS server group commands:
  domain-name  Domain name to append to DNS queries for this server group
  name-server  Specify DNS servers
  no           Remove a server-group command or set to its default
  retries      DNS retries
  timeout      DNS query timeout
ciscoasa(config-dns-server-group)# name-server 4.2.2.2
ciscoasa(config-dns-server-group)# exit
ciscoasa(config)# dynamic-filter blacklist
ciscoasa(config-llist)# ?

Dynamic Filter list configuration
  address  Add IP address to local list
  name     Add domain name to local list
  no       Negate a command
ciscoasa(config-llist)# name ?

dynamic-filter-list mode commands/options:
  WORD < 256 char  Enter domain name

configure mode commands/options:
  A.B.C.D     The IPv4 address of the host/network being named
  X:X:X:X::X  The IPv6 address of the host/network being named
ciscoasa(config-llist)# name www.badsite.com
ciscoasa(config-llist)#exit
ciscoasa(config)# dynamic-filter whitelist
ciscoasa(config-llist)# name www.goodsite.com
ciscoasa(config-llist)#exit
ciscoasa(config)# policy-map ?

configure mode commands/options:
  type            Specifies the type of policy-map
Policy-map names:
  global_policy
  WORD < 41 char  New policy-map name
ciscoasa(config)# policy-map global_policy
ciscoasa(config-pmap)# class ?

mpf-policy-map mode commands/options:
  WORD            class-map name
  class-default   System default class matching otherwise unclassified packets

configure mode commands/options:
  WORD < 41 char  class-map name
  type            Specifies the type of class-map
ciscoasa(config-pmap)# class inspection_default
ciscoasa(config-pmap-c)# ?

MPF policy-map class configuration commands:
  exit             Exit from MPF class action configuration mode
  help             Help for MPF policy-map class/match submode commands
  no               Negate or set default values of a command
  police           Rate limit traffic for this class
  priority         Strict scheduling priority for this class
  quit             Exit from MPF class action configuration mode
  service-policy   Configure QoS Service Policy
  set              Set connection values
  shape            Traffic Shaping
  user-statistics  configure user statistics for identity firewall
  <cr>
  csc              Content Security and Control service module
  flow-export      Configure filters for NetFlow events
  inspect          Protocol inspection services
  ips              Intrusion prevention services
ciscoasa(config-pmap-c)# inspect ?

mpf-policy-map-class mode commands/options:
  ctiqbe
  dcerpc
  dns
  esmtp
  ftp
  gtp
  h323
  http
  icmp
  ils
  im
  ip-options
  ipsec-pass-thru
  ipv6
  mgcp
  mmp
  netbios
  pptp
  rsh
  rtsp
  sip
  skinny
  snmp
ciscoasa(config-pmap-c)# inspect dns ?

mpf-policy-map-class mode commands/options:
  WORD < 41 char        Optional DNS type policy-map name
  dynamic-filter-snoop  Enable DNS snooping for Dynamic Filter
  <cr>
ciscoasa(config-pmap-c)# inspect dns preset_dns_map ?

mpf-policy-map-class mode commands/options:
  dynamic-filter-snoop  Enable DNS snooping for Dynamic Filter
  <cr>
ciscoasa(config-pmap-c)# inspect dns preset_dns_map dynamic-filter-snoop
ciscoasa(config-pmap-c)# exit
ciscoasa(config-pmap)# exit
ciscoasa(config)# dynamic-filter enable ?

configure mode commands/options:
  classify-list  Set the access-list for classification
  interface      Enable classification on an interface
  <cr>
ciscoasa(config)# dynamic-filter enable interface ?

configure mode commands/options:
Current available interface(s):
  inside  Name of interface GigabitEthernet0
  outside Name of interface GigabitEthernet1
ciscoasa(config)# dynamic-filter enable interface outside?

configure mode commands/options:
  classify-list  Set the access-list for classification
  <cr>
ciscoasa(config)# dynamic-filter enable interface outside classify-list ?

configure mode commands/options:
  WORD  Specify the name of an access-list
ciscoasa(config)# dynamic-filter enable interface outside classify-list BOTNET_ACL   // BOTNET_ACL must already exist as an extended access-list naming the traffic to classify; permit ip any any classifies everything
ciscoasa(config)# dynamic-filter drop ?

configure mode commands/options:
  blacklist  Drop traffic matching blacklist
ciscoasa(config)# dynamic-filter drop blacklist ?

configure mode commands/options:
  action-classify-list  Set the access-list for drop
  interface             Enable drop on an interface
  threat-level          Set the threat-level for drop
  <cr>
ciscoasa(config)# dynamic-filter drop blacklist interface ?

configure mode commands/options:
Current available interface(s):
  inside  Name of interface GigabitEthernet0
  outside  Name of interface GigabitEthernet1
ciscoasa(config)# dynamic-filter drop blacklist interface outside ?

configure mode commands/options:
  action-classify-list  Set the access-list for drop
  threat-level          Set the threat-level for drop
  <cr>
ciscoasa(config)# dynamic-filter drop blacklist interface outside action-classify-list ?

configure mode commands/options:
  WORD  Specify the name of an access-list
ciscoasa(config)# dynamic-filter drop blacklist interface outside action-classify-list BOTNET_ACL ?

configure mode commands/options:
  threat-level  Set the threat-level for drop
  <cr>
ciscoasa(config)# dynamic-filter drop blacklist interface outside action-classify-list BOTNET_ACL threat-level ?

configure mode commands/options:
  eq     Threat-level equal to operator
  range  Threat-level range operator
ciscoasa(config)# dynamic-filter drop blacklist interface outside action-classify-list BOTNET_ACL threat-level eq ?

configure mode commands/options:
  high       high threat
  low        Low threat
  moderate   moderate threat
  very-high  Highest threat
  very-low   lowest threat
ciscoasa(config)# dynamic-filter drop blacklist interface outside action-classify-list BOTNET_ACL threat-level eq very-high
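The configuration above leaves the ASA classifying every connection on the outside interface against the snooped DNS cache and both databases, but dropping only hits rated very-high. The following Python model, an added example rather than ASA code, shows the mechanics end to end: it parses constructed DNS replies (including RFC 1035 name compression), builds the reverse cache that DNS snooping maintains, then decides permit, log-only or drop for a destination address under the static lists from this post and a made-up stand-in for Cisco's dynamic database. The domain names, addresses, threat ratings and the rule that static blacklist entries count as very-high are assumptions for the example.

```python
"""Model of Botnet Traffic Filter DNS snooping and classification (added example, not ASA code)."""
from __future__ import annotations

import ipaddress
import struct

THREAT_LEVELS = ["very-low", "low", "moderate", "high", "very-high"]


def parse_dns_response(pkt: bytes) -> list[tuple[str, str]]:
    """Return (name, ipv4) pairs from the answer section of a DNS reply,
    following RFC 1035 compression pointers inside names."""

    def read_name(off: int) -> tuple[str, int]:
        labels, end, jumped = [], None, False
        while True:
            length = pkt[off]
            if length & 0xC0 == 0xC0:                      # compression pointer
                ptr = struct.unpack("!H", pkt[off:off + 2])[0] & 0x3FFF
                if not jumped:
                    end = off + 2                          # the name ends after the pointer
                jumped, off = True, ptr
                continue
            off += 1
            if length == 0:
                break
            labels.append(pkt[off:off + length].decode("ascii"))
            off += length
        return ".".join(labels).lower(), (end if jumped else off)

    qdcount, ancount = struct.unpack("!HH", pkt[4:8])
    off = 12                                               # skip the 12-byte header
    for _ in range(qdcount):
        _, off = read_name(off)
        off += 4                                           # qtype + qclass
    answers = []
    for _ in range(ancount):
        name, off = read_name(off)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", pkt[off:off + 10])
        off += 10
        if rtype == 1 and rclass == 1 and rdlen == 4:      # A record, class IN
            answers.append((name, str(ipaddress.IPv4Address(pkt[off:off + 4]))))
        off += rdlen
    return answers


def build_dns_reply(name: str, ip: str, txid: int = 0x1234) -> bytes:
    """Construct a minimal A-record reply as test input; the answer name is a
    pointer (0xC00C) back to the question name, as real resolvers emit."""
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in name.split(".")) + b"\x00"
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)
    question = qname + struct.pack("!HH", 1, 1)
    answer = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + ipaddress.IPv4Address(ip).packed
    return header + question + answer


class BotnetFilter:
    """Reverse DNS cache plus list lookup and a drop threshold given as a threat-level range."""

    def __init__(self, dynamic: dict[str, str], blacklist: list[str],
                 whitelist: list[str], drop_range: tuple[str, str]):
        self.dynamic = {n.lower(): lvl for n, lvl in dynamic.items()}   # stand-in for the Cisco database
        self.blacklist = {n.lower() for n in blacklist}
        self.whitelist = {n.lower() for n in whitelist}
        self.drop_lo, self.drop_hi = (THREAT_LEVELS.index(x) for x in drop_range)
        self.reverse_cache: dict[str, str] = {}                           # ip -> name, filled by snooping

    def snoop(self, dns_reply: bytes) -> None:
        for name, ip in parse_dns_response(dns_reply):
            self.reverse_cache[ip] = name

    def classify(self, dst_ip: str) -> tuple[str, str | None]:
        """(verdict, level): whitelist wins over blacklist; static entries assumed very-high."""
        name = self.reverse_cache.get(dst_ip)
        if name is None:
            return "unknown", None
        if name in self.whitelist:
            return "whitelist", None
        if name in self.blacklist:
            return "blacklist", "very-high"
        if name in self.dynamic:
            return "blacklist", self.dynamic[name]
        return "unknown", None

    def action(self, dst_ip: str) -> str:
        verdict, level = self.classify(dst_ip)
        if verdict != "blacklist":
            return "permit"
        return "drop" if self.drop_lo <= THREAT_LEVELS.index(level) <= self.drop_hi else "log"


def demo() -> dict[str, str]:
    """Constructed scenario: four resolved names plus one address that was never resolved."""
    f = BotnetFilter(
        dynamic={"c2.example.net": "very-high", "ads.example.org": "moderate"},
        blacklist=["www.badsite.com"], whitelist=["www.goodsite.com"],
        drop_range=("very-high", "very-high"),      # the post's 'threat-level eq very-high'
    )
    resolved = {"c2.example.net": "203.0.113.10", "ads.example.org": "203.0.113.20",
                "www.badsite.com": "203.0.113.30", "www.goodsite.com": "203.0.113.40"}
    for name, ip in resolved.items():
        f.snoop(build_dns_reply(name, ip))
    return {ip: f.action(ip) for ip in list(resolved.values()) + ["203.0.113.99"]}
```

Two things worth noticing in the result: 203.0.113.99 is permitted simply because no snooped reply ever tied it to a name, which is why DNS snooping must be on for the feature to classify anything; and the moderate-rated ads.example.org is only logged under threat-level eq very-high, so use the range form if you want lower-rated hits dropped as well.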