Sunday, December 15, 2019

Configuring Layer 3 Data Plane Security on a Cisco IOS Router and ASA Firewall

I was craving Filipino food, so I took my family to Islas Pinas in Pasay City, Philippines (near SM Mall of Asia). The buffet was reasonably priced and the highlights for me were the salmon sinigang, pancit, pork lechon and traditional desserts such as the halo-halo, kamote cue and ginataang mais.

The food hall is very spacious and they've got mini versions of tourist spots around the Philippines such as the Banaue Rice Terraces and Intramuros. They also showcase Pinoy icons like the jeepney, bahay kubo and sari-sari store. Not too far away is DreamPlay located in City of Dreams Manila, where my daughter (Sophia) played and had fun activities in the indoor theme park.

Task 1: Configure uRPF on the Cisco IOS Router


Open a terminal in Kali Linux (192.168.1.110) and use nping to perform an IP spoofing attack: ping the CSRv WAN IP address 192.168.1.140 using the spoofed source IP 10.1.1.20 (CSRv LAN IP).

root@kali:~# nping 192.168.1.140 -S 10.1.1.20

Starting Nping 0.7.80 ( https://nmap.org/nping ) at 2019-12-05 02:13 EST
SENT (0.0504s) ICMP [10.1.1.20 > 192.168.1.140 Echo request (type=8/code=0) id=33489 seq=1] IP [ttl=64 id=14042 iplen=28 ]
SENT (1.0522s) ICMP [10.1.1.20 > 192.168.1.140 Echo request (type=8/code=0) id=33489 seq=2] IP [ttl=64 id=14042 iplen=28 ]
SENT (2.0538s) ICMP [10.1.1.20 > 192.168.1.140 Echo request (type=8/code=0) id=33489 seq=3] IP [ttl=64 id=14042 iplen=28 ]
SENT (3.0564s) ICMP [10.1.1.20 > 192.168.1.140 Echo request (type=8/code=0) id=33489 seq=4] IP [ttl=64 id=14042 iplen=28 ]
SENT (4.0585s) ICMP [10.1.1.20 > 192.168.1.140 Echo request (type=8/code=0) id=33489 seq=5] IP [ttl=64 id=14042 iplen=28 ]

Max rtt: N/A | Min rtt: N/A | Avg rtt: N/A
Raw packets sent: 5 (140B) | Rcvd: 0 (0B) | Lost: 5 (100.00%)
Nping done: 1 IP address pinged in 5.10 seconds


Configure unicast Reverse Path Forwarding (uRPF) on both the CSRv WAN and LAN interfaces.

CSRv(config)#interface g1
CSRv(config-if)#ip verify ?
  unicast  Enable per packet validation for unicast

CSRv(config-if)#ip verify unicast ?
  notification  drop-rate notify
  reverse-path  Reverse path validation of source address (old command format)
  source        Validation of source address

CSRv(config-if)#ip verify unicast source ?
  reachable-via  Specify reachability check to apply to the source address

CSRv(config-if)#ip verify unicast source reachable-via ?
  any  Source is reachable via any interface
  rx   Source is reachable via interface on which packet was received

CSRv(config-if)#ip verify unicast source reachable-via rx ?
  <1-199>          IP access list (standard or extended)
  <1300-2699>      IP expanded access list (standard or extended)
  allow-default    Allow default route to match when checking source address
  allow-self-ping  Allow router to ping itself (opens vulnerability in verification)
  l2-src           Check packets arrive with correct L2 source address
  <cr>

CSRv(config-if)#ip verify unicast source reachable-via rx allow-default

CSRv(config)#interface loopback1
CSRv(config-if)#ip verify unicast source ?
  reachable-via  Specify reachability check to apply to the source address

CSRv(config-if)#ip verify unicast source reachable-via ?
  any  Source is reachable via any interface
  rx   Source is reachable via interface on which packet was received

CSRv(config-if)#ip verify unicast source reachable-via rx


Run nping again to launch the IP spoofing attack, then verify the uRPF statistics using the show ip interface command.

Notice that the verification drops counter has incremented.

CSRv#show ip interface g1
GigabitEthernet1 is up, line protocol is up
  Internet address is 192.168.1.140/24
  Broadcast address is 255.255.255.255
  Address determined by setup command
  MTU is 1500 bytes
  Helper address is not set
  Directed broadcast forwarding is disabled
  Outgoing Common access list is not set
  Outgoing access list is not set
  Inbound Common access list is not set
  Inbound  access list is not set
  Proxy ARP is enabled
  Local Proxy ARP is disabled
  Security level is default
  Split horizon is enabled
  ICMP redirects are always sent
  ICMP unreachables are always sent
  ICMP mask replies are never sent
  IP fast switching is enabled
  IP Flow switching is disabled
  IP CEF switching is enabled
  IP CEF switching turbo vector
  IP Null turbo vector
  Associated unicast routing topologies:
        Topology "base", operation state is UP
  IP multicast fast switching is enabled
  IP multicast distributed fast switching is disabled
  IP route-cache flags are Fast, CEF
  Router Discovery is disabled
  IP output packet accounting is disabled
  IP access violation accounting is disabled
  TCP/IP header compression is disabled
  RTP/IP header compression is disabled
  Probe proxy name replies are disabled
  Policy routing is disabled
  Network address translation is enabled, interface in domain outside
  BGP Policy Mapping is disabled
  Input features: Virtual Fragment Reassembly, uRPF, NAT Outside, MCI Check
  Output features: Post-routing NAT Outside
  IPv4 WCCP Redirect outbound is disabled
  IPv4 WCCP Redirect inbound is disabled
  IPv4 WCCP Redirect exclude is disabled
  IP verify source reachable-via RX, allow default
   10 verification drops
   0 suppressed verification drops
   0 verification drop-rate
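To make the forwarding decision behind those drop counters concrete, here is an added Python model of the uRPF source check (example code written for this post, not Cisco's implementation). It assumes a constructed routing table: 192.168.1.0/24 on GigabitEthernet1, 10.1.1.0/24 on Loopback1 and a default route out of GigabitEthernet1, and it shows why strict mode (rx) drops the 10.1.1.20 spoof arriving on g1 while loose mode (any) would have let it through, and what allow-default changes for Internet sources.

```python
import ipaddress

# Constructed routing table (an assumption, not taken from the CSRv):
# (prefix, egress interface). The LAN prefix lives on Loopback1 and
# everything else is reached via the default route out of GigabitEthernet1.
ROUTES = [
    (ipaddress.ip_network("192.168.1.0/24"), "GigabitEthernet1"),
    (ipaddress.ip_network("10.1.1.0/24"), "Loopback1"),
    (ipaddress.ip_network("0.0.0.0/0"), "GigabitEthernet1"),
]


def best_route(src):
    """Longest-prefix match on the packet's SOURCE address (the uRPF lookup)."""
    addr = ipaddress.ip_address(src)
    matches = [(net, ifname) for net, ifname in ROUTES if addr in net]
    if not matches:
        return None
    return max(matches, key=lambda m: m[0].prefixlen)


def urpf_permits(src, ingress, mode="rx", allow_default=False):
    """Model 'ip verify unicast source reachable-via {rx|any} [allow-default]'.

    rx  (strict): the best route back to the source must point out the
                  interface the packet arrived on (single-path model; real
                  IOS also accepts any equal-cost path).
    any (loose) : any route back to the source is enough.
    allow-default: a match on the bare default route counts; without it a
                  source that only matches 0.0.0.0/0 is dropped.
    """
    route = best_route(src)
    if route is None:
        return False
    net, ifname = route
    if net.prefixlen == 0 and not allow_default:
        return False
    if mode == "any":
        return True
    return ifname == ingress


if __name__ == "__main__":
    # The post's spoof: source 10.1.1.20 arriving on the WAN interface.
    print("strict rx, spoof on g1 :", urpf_permits("10.1.1.20", "GigabitEthernet1", "rx", True))
    print("loose any, spoof on g1 :", urpf_permits("10.1.1.20", "GigabitEthernet1", "any", True))
    print("rx+allow-default, 8.8.8.8:", urpf_permits("8.8.8.8", "GigabitEthernet1", "rx", True))
    print("rx no allow-default, 8.8.8.8:", urpf_permits("8.8.8.8", "GigabitEthernet1", "rx", False))
```

The last two lines show why the post adds allow-default on the WAN side: without it, every legitimate Internet source that is only reachable via the default route would be dropped on g1.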


Task 2: Configure uRPF on the Cisco ASA

Run nping and ping the DMZ server 172.16.1.50 using the spoofed source IP 172.16.1.100.

root@kali:~# nping 172.16.1.50 -S 172.16.1.100

Starting Nping 0.7.80 ( https://nmap.org/nping ) at 2019-12-05 03:54 EST
SENT (0.0382s) ICMP [172.16.1.100 > 172.16.1.50 Echo request (type=8/code=0) id=30508 seq=1] IP [ttl=64 id=17914 iplen=28 ]
SENT (1.0391s) ICMP [172.16.1.100 > 172.16.1.50 Echo request (type=8/code=0) id=30508 seq=2] IP [ttl=64 id=17914 iplen=28 ]
SENT (2.0407s) ICMP [172.16.1.100 > 172.16.1.50 Echo request (type=8/code=0) id=30508 seq=3] IP [ttl=64 id=17914 iplen=28 ]
SENT (3.0425s) ICMP [172.16.1.100 > 172.16.1.50 Echo request (type=8/code=0) id=30508 seq=4] IP [ttl=64 id=17914 iplen=28 ]
SENT (4.0442s) ICMP [172.16.1.100 > 172.16.1.50 Echo request (type=8/code=0) id=30508 seq=5] IP [ttl=64 id=17914 iplen=28 ]

Max rtt: N/A | Min rtt: N/A | Avg rtt: N/A
Raw packets sent: 5 (140B) | Rcvd: 0 (0B) | Lost: 5 (100.00%)
Nping done: 1 IP address pinged in 5.13 seconds


Configure uRPF on the Cisco ASA firewall under Configuration > Firewall > Advanced > Anti-Spoofing.


Select the Interfaces: dmz, inside, outside > click Enable > Apply > Send.



Launch the ASA Real-Time Log Viewer under Monitoring > Logging > Real-Time Log Viewer > View.


Run nping again to launch an IP spoofing attack.

root@kali:~# nping 172.16.1.50 -S 172.16.1.100

Starting Nping 0.7.80 ( https://nmap.org/nping ) at 2019-12-05 03:56 EST
SENT (0.0470s) ICMP [172.16.1.100 > 172.16.1.50 Echo request (type=8/code=0) id=19627 seq=1] IP [ttl=64 id=19503 iplen=28 ]
SENT (1.0483s) ICMP [172.16.1.100 > 172.16.1.50 Echo request (type=8/code=0) id=19627 seq=2] IP [ttl=64 id=19503 iplen=28 ]
SENT (2.0504s) ICMP [172.16.1.100 > 172.16.1.50 Echo request (type=8/code=0) id=19627 seq=3] IP [ttl=64 id=19503 iplen=28 ]
SENT (3.0520s) ICMP [172.16.1.100 > 172.16.1.50 Echo request (type=8/code=0) id=19627 seq=4] IP [ttl=64 id=19503 iplen=28 ]
SENT (4.0577s) ICMP [172.16.1.100 > 172.16.1.50 Echo request (type=8/code=0) id=19627 seq=5] IP [ttl=64 id=19503 iplen=28 ]

Max rtt: N/A | Min rtt: N/A | Avg rtt: N/A
Raw packets sent: 5 (140B) | Rcvd: 0 (0B) | Lost: 5 (100.00%)
Nping done: 1 IP address pinged in 5.10 seconds


Notice that the spoofed ICMP packets were denied due to the uRPF check.
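The Real-Time Log Viewer shows those denials as %ASA-1-106021 ("Deny protocol reverse path check ...") messages. Here is an added Python example (not from the post) that runs over constructed sample syslog lines modelled on that message and summarises reverse-path denials per source and interface, which is the same logic you would drop into a SIEM rule.

```python
import re
from collections import Counter

# Constructed sample log, modelled on ASA syslog format; these lines were
# not captured from the ASA in the post. 106021 is the reverse path check
# denial; the 302013 line is ordinary connection noise that must be ignored.
SAMPLE_LOG = """\
%ASA-6-302013: Built outbound TCP connection 12 for outside:192.168.1.110/40000 (192.168.1.110/40000) to dmz:172.16.1.50/80 (172.16.1.50/80)
%ASA-1-106021: Deny icmp reverse path check from 172.16.1.100 to 172.16.1.50 on interface outside
%ASA-1-106021: Deny icmp reverse path check from 172.16.1.100 to 172.16.1.50 on interface outside
%ASA-1-106021: Deny icmp reverse path check from 172.16.1.100 to 172.16.1.50 on interface outside
%ASA-1-106021: Deny icmp reverse path check from 172.16.1.100 to 172.16.1.50 on interface outside
%ASA-1-106021: Deny icmp reverse path check from 172.16.1.100 to 172.16.1.50 on interface outside
"""

RPF_DENY = re.compile(
    r"%ASA-\d-106021: Deny (?P<proto>\S+) reverse path check from (?P<src>\S+) "
    r"to (?P<dst>\S+) on interface (?P<ifname>\S+)"
)


def rpf_denials(log_text):
    """Return (src, dst, ifname, proto) for every reverse-path denial in the log."""
    found = []
    for line in log_text.splitlines():
        m = RPF_DENY.search(line)
        if m:
            found.append((m["src"], m["dst"], m["ifname"], m["proto"]))
    return found


def spoof_summary(log_text, threshold=3):
    """Count denials per (source, ingress interface) and keep pairs at or above threshold.

    A source address that keeps failing the reverse path check on one interface
    is either a spoofing host or an asymmetric-routing problem worth a ticket.
    """
    counts = Counter((src, ifname) for src, _, ifname, _ in rpf_denials(log_text))
    return {pair: n for pair, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    for (src, ifname), n in spoof_summary(SAMPLE_LOG).items():
        print(f"{n} reverse-path denials from {src} on interface {ifname}")
```

On the ASA CLI the ASDM setting above corresponds to ip verify reverse-path interface <name>, and show ip verify statistics prints the per-interface drop counters.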

