Showing posts with label ASA. Show all posts
Showing posts with label ASA. Show all posts

Saturday, 6 December 2014

SSLVPN on an ASA

Here we go, the last piece of the VPN puzzle.


How do we configure an SSLVPN on a Cisco ASA.

We're going to do this all from the CLI but it is extremely easy to do via the ASDM wizard.

I've simply configured a Windows 7 box to point directly at the inside interface of the ASA, and allow a VPN to be configured there.
For reference, the inside interface IP is 10.0.0.1 and the Windows 7 box is 10.0.0.20.

Lets lay out a few requirements:


- Users will connect to https://10.0.0.1/Test to sign into the VPN
- We will use a self signed certificate generated on the ASA
- Users will be authenticated against a local database
- Once connected, users will only be able to access https://10.0.0.15

We're starting with a totally clean ASA so first up we need to configure the interface:

ciscoasa(config)# int g0
ciscoasa(config-if)# ip address 10.0.0.1 255.255.255.0
ciscoasa(config-if)# nameif inside
INFO: Security level for "inside" set to 100 by default.
ciscoasa(config-if)# no shut

Now lets lay out the steps required for a VPN to work:

- Generate rsa keys
- create a self signed certificate
- enable webvpn
- create a pool of addresses for the VPN
- create a default group policy
- create a specific group policy
- bypass the interface ACLs
- ensure the VPN traffic is not NATed
- create a tunnel group
- configure user accounts

It looks like a lot, but it's actually quite simple, lets get cracking:

Create keys and certificate:


ciscoasa(config)# crypto key generate rsa label sslvpnkey
INFO: The name for the keys will be: sslvpnkey
Keypair generation process begin. Please wait...
ciscoasa(config)# crypto ca trustpoint localtrust
ciscoasa(config-ca-trustpoint)# enrollment self
ciscoasa(config-ca-trustpoint)# fqdn sslvpn.test.com
ciscoasa(config-ca-trustpoint)# subject-name CN=sslvpn.test.com
ciscoasa(config-ca-trustpoint)# keypair sslvpnkey
ciscoasa(config-ca-trustpoint)# crypto ca enroll localtrust noconfirm

% The fully-qualified domain name in the certificate will be: sslvpn.test.com
ciscoasa(config)# ssl trust-point localtrust inside

The last line is important here, typically we would use the outside interface of the ASA as the whole point of the VPN is terminate traffic from the Internet, but in this case I've just used the inside interface.

Enable webvpn


ciscoasa(config)# webvpn
ciscoasa(config-webvpn)# enable inside
ciscoasa(config-webvpn)# svc enable

Create an address pool for the VPN users:


ciscoasa(config)# ip local pool VPN 10.0.1.1-10.0.1.100 mask 255.255.255.0

Create a default group policy and specific group policy


The default policy is one that will apply to all users and is typically where would configure name servers and other global attributes.  The specific policy can apply to groups of users, for instance you might have one for IT employees and a different one for sales employees.

ciscoasa(config-webvpn)# group-policy DfltGrpPolicy attributes
ciscoasa(config-group-policy)# dns-server value 10.0.0.2
ciscoasa(config-group-policy)# wins-server value 10.0.0.3
ciscoasa(config-group-policy)# vpn-tunnel-protocol svc webvpn
ciscoasa(config-group-policy)# address-pools value VPN

 ciscoasa(config)# group-policy IT internal
ciscoasa(config)# group-policy IT attributes
ciscoasa(config-group-policy)# banner value IT Remote Access
ciscoasa(config-group-policy)# vpn-tunnel-protocol webvpn
ciscoasa(config-group-policy)# webvpn

Here we would configure specific rules for IT users, such as what URLs are accessible, but we'll just leave it as default for now.

Configure ACL bypass:


ciscoasa(config)# sysopt connection permit-vpn

NAT exemption:


ciscoasa(config)# access-list no_nat extended permit ip 10.0.1.0 255.255.255.0 10.0.0.0 255.255.255.0
ciscoasa(config)#nat (inside) 0 access-list no_nat

Create a tunnel group:


ciscoasa(config)# tunnel-group ITSSL type remote-access
ciscoasa(config)# tunnel
ciscoasa(config)# tunnel-group ITSSL webvpn-attributes
ciscoasa(config-tunnel-webvpn)# group-alias IT enable
ciscoasa(config-tunnel-webvpn)# group-url https://10.0.0.1/Test enable

Create user accounts:


ciscoasa(config)# username bob password testpass
ciscoasa(config)# username bob attributes
ciscoasa(config-username)# service-type remote-access

And that's it, we should now have a connection working, lets test it out:


Posted by at No comments:
Labels: , , , , , , ,

Monday, 1 December 2014

Public Key Infrastructure

We cannot properly understand and implement secure technologies without understanding the principles behind them.  So to continue I this vain we’ll take a deeper look into the principles of public and private keys, and how we use them in our security.

There are a number of different protocols in use today to generate key-pairs:

•    RSA – primarily used for authentication
•    DH – Whilst the algorithm is asymmetric, it generates symmetric keys, and we typically use this in conjunction with 3DES and AES.
•    ElGamal – used with DH
•    DSA – Digital Signature Algorithm
•    ECC – Elliptical Curve Cryptography

Public Keys in use


Both parties who want to communicate will have a public and private key pair.  They are both enrolled with a Certificate Authority (CA), which used the public keys of both and created their digital certificates.  To communicate, we now send our digital certificate to the other party.  The receiving party will verify that the certificate was issued by a trusted CA.  Now that both parties have each other’s public keys, they can communicate securely. 

Certificate Authorities


We briefly mentioned Certificate Authorities (CA) above, so let’s talk a bit more about the role they play for us.  They are an entity which has the ability to create and issue digital certificates.  These certificates include the Fully Qualified Domain Name (FQDN) of the device along with its IP address and public key, and also contain validity dates to ensure that the certificate has no expired.  Most web browsers come with a list of CAs which are trusted, thus relieving us of the problem of being able to verify the identity of these CAs
A root certificate is the certificate associated with the CA and contains the CAs public key.  An identity certificate is similar, but it describes a client and contains that client’s public key.

Digital certificates will contain either all or most of the following:
•    Serial number of the certificate
•    Subject
•    Signature algorithm
•    Signature
•    Issuer
•    Valid from
•    Valid to
•    Key usage
•    Public key
•    Thumbprint algorithm
•    Thumbprint
•    Certificate revocation list location

Public Key Standards


•    PKCS 1 – RSA
•    PKCS 3 – Diffie-Hellman
•    PKCS 7 – format of a response to a PKCS 10 request
•    PKCS 10 – format of a certificate request sent to a CA.
•    PKCS 12 – format for storing public and private keys using a symmetric password

Implementing PKI


Single Root CA


A typical solution for a small environment is to have one single CA server handling all requests; however there is no fault tolerance in this case.

Hierarchical CA with Subordinate CAs


Here we have a root CA which delegates the authority to subordinate CAs to create and assign identity certificates. 

Cross-certifying CAs


In this situation we have multiple CAs acting at the same level.  Clients of either CA will trust the signatures of the other CA.

Configuring certificates on an ASA:


ciscoasa(config)# crypto key generate rsa label TestPair modulus 2048 noconfirm
INFO: The name for the keys will be: TestPair
Keypair generation process begin. Please wait...

ciscoasa(config)# crypto ca trustpoint TestCA
ciscoasa(config-ca-trustpoint)# keypair TestPair
ciscoasa(config-ca-trustpoint)# id-usage ssl-ipsec
ciscoasa(config-ca-trustpoint)# no fqdn
ciscoasa(config-ca-trustpoint)# subject-name CN=ciscoasa
ciscoasa(config-ca-trustpoint)# enrollment url http://192.168.1.1
ciscoasa(config-ca-trustpoint)# exit
ciscoasa(config)# crypto ca authenticate TestCA nointeractive
ciscoasa(config)# crypto ca enroll TestCA noconfirm


Posted by at No comments:
Labels: , , , , , ,

Thursday, 27 November 2014

Introducing the ASA

Meet the ASA


Finally the time has come for us to talk about a dedicated firewall device.  The ASA has been around for a long time, although it has often been called the PIX firewall.

There are a number of different hardware models of the ASA, however the all behave pretty much exactly the same, with the exception of the 5505.  The 5505 has an inbuilt switch model and uses VLANs rather than physical interfaces for its IP addressing and configuration.  However all the same principles apply.  The 5510 up to the 5585 gradually move up in terms of capacity but for all intents and purposes can be treated the same, there also exists the Firewall Services Module which is a blade which can be plugged in to a compatible switch.

I won’t go into all the features which the ASA supports, but it has all the features you would expect from an enterprise firewall.

The basics


The ASA uses the concepts of security levels which are assigned to interfaces.  The security level is a number between 0 and 100 and correlates to the trust you would place in that network.  By default, an interface labelled ‘inside’ will have the security level 100 while an interface labelled ‘outside’ will have the security level 0.  By default (and this is very important) if a packet is coming from a higher security level interface than it is destined for (eg, going from inside to outside) that traffic will be permitted even with no matching access-list.  However the inverse of this is also true, any traffic going from a lower security to a higher security interface will be blocked.  We also need to remember, that just like an IOS router, there is an implicit deny at the end of every access list, so if there are no matching permit statements that traffic will be dropped.

Let’s get into the fun stuff, we’re going to remove our central router and replace it with an ASA.  We’re going to playing with a 5520 running version 8.4(2) so if you’re using a 5505 at home then the commands will differ slightly, however the theory behind them remains the same.










ciscoasa(config)# hostname CentralFW
CentralFW(config)# int g2
CentralFW(config-if)# ip address 192.168.21.1 255.255.255.0
CentralFW(config-if)# nameif inside
INFO: Security level for "inside" set to 100 by default.
CentralFW(config-if)# no shut
CentralFW(config-if)# int g1
CentralFW(config-if)# ip address 172.16.31.1 255.255.255.0
CentralFW(config-if)# nameif dmz
INFO: Security level for "dmz" set to 0 by default.
CentralFW(config-if)# security-level 50
CentralFW(config-if)# no shut
CentralFW(config-if)# int g0
CentralFW(config-if)# ip address 45.45.45.1 255.255.255.0
CentralFW(config-if)# nameif outside
INFO: Security level for "outside" set to 0 by default.
CentralFW(config-if)# no shut

We can also configure the ASA to act as a DHCP server, so first let’s change the configuration of our internal device to receive their IP addresses automatically.
InternalRTR(config)#int f0/0
InternalRTR(config-if)#no ip address 192.168.21.20 255.255.255.0
InternalRTR(config-if)#ip address dhcp

CentralFW(config)# dhcpd address 192.168.21.10-192.168.21.50 inside
CentralFW(config)# dhcpd enable inside

If we go back to InternalRTR now and check it’s IP address:

InternalRTR#show ip int br
Interface                  IP-Address      OK? Method Status                Protocol
FastEthernet0/0            192.168.21.10   YES DHCP   up                    up

We also need to define routing just like a router, so let’s define a static route to the internet:

CentralFW(config)# route outside 0.0.0.0 0.0.0.0 45.45.45.20

NAT


NAT is where things can get very confusing on the ASA.  When Cisco released version 8.3 they completely rewrote the way NAT is configured on the firewall.  Whilst you will be expected to know how to configure NAT on a pre 8.3 device, this blog will go over NAT configuration on the newer devices.
We want to set up NAT like we did earlier, so that when hosts on the inside access hosts on the outside, they are translated to the external interface of the firewall.

CentralFW(config)# object network InternalNet
CentralFW(config-network-object)# subnet 192.168.21.0 255.255.255.0
CentralFW(config-network-object)# nat (inside,outside) static interface

Let’s setup an SSH session from inside to outside again to verify it is working:

ExternalRTR#show users
    Line       User       Host(s)              Idle       Location
*  2 vty 0     admin      idle                 00:00:00 45.45.45.1

Note: on a pre 8.3 ASA instead of defining the NAT as part of the object group – we would define it as line like this:

nat (inside,outside) 1 source dynamic InternalNet interface

Now we’re going to want to define some access-lists to lock down this traffic a bit better than it is currently.

CentralFW(config)# access-list inside_to_outside extended permit tcp object InternalNet any eq ssh log
CentralFW(config)# access-group inside_to_outside in interface inside

We need to be very clear with what we are permitting now, because now that we have defined an access-list for traffic entering the inside interface, all traffic that is not explicitly permitted will be dropped.

One of the great tools that comes with the ASA is the packet-tracer command which allows us to simulate traffic and see the processing steps the firewall would take as if it were a real packet.  Lets try it for ssh traffic (which will be allowed) and http traffic (which will be dropped).

CentralFW# packet-tracer input inside tcp 192.168.21.10 5342 45.45.45.20 ssh detailed

Phase: 1
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in   45.45.45.0      255.255.255.0   outside

Phase: 2
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group inside_to_outside in interface inside
access-list inside_to_outside extended permit tcp object InternalNet any eq ssh log
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0xbc3236e0, priority=13, domain=permit, deny=false
        hits=0, user_data=0xb9466b40, cs_id=0x0, use_real_addr, flags=0x0, protocol=6
        src ip/id=192.168.21.0, mask=255.255.255.0, port=0
        dst ip/id=0.0.0.0, mask=0.0.0.0, port=22, dscp=0x0
        input_ifc=inside, output_ifc=any

Phase: 3
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0xbc2a6700, priority=0, domain=inspect-ip-options, deny=true
        hits=12, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
        src ip/id=0.0.0.0, mask=0.0.0.0, port=0
        dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
        input_ifc=inside, output_ifc=any

Phase: 4
Type: NAT
Subtype:
Result: ALLOW
Config:
object network InternalNet
 nat (inside,outside) static interface
Additional Information:
Static translate 192.168.21.10/5342 to 45.45.45.1/5342
 Forward Flow based lookup yields rule:
 in  id=0xbc3215e0, priority=6, domain=nat, deny=false
        hits=2, user_data=0xbc3116c8, cs_id=0x0, use_real_addr, flags=0x0, protocol=0
        src ip/id=192.168.21.0, mask=255.255.255.0, port=0
        dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
        input_ifc=inside, output_ifc=outside

Phase: 5
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
 Reverse Flow based lookup yields rule:
 in  id=0xbc3055c8, priority=0, domain=inspect-ip-options, deny=true
        hits=4, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
        src ip/id=0.0.0.0, mask=0.0.0.0, port=0
        dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
        input_ifc=outside, output_ifc=any

Phase: 6
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 13, packet dispatched to next module
Module information for forward flow ...
snp_fp_tracer_drop
snp_fp_inspect_ip_options
snp_fp_tcp_normalizer
snp_fp_translate
snp_fp_adjacency
snp_fp_fragment
snp_ifc_stat

Module information for reverse flow ...
snp_fp_tracer_drop
snp_fp_inspect_ip_options
snp_fp_translate
snp_fp_tcp_normalizer
snp_fp_adjacency
snp_fp_fragment
snp_ifc_stat

Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: allow

This shows all the processing steps the firewall takes on traffic that is coming from 192.168.21.10 to 45.45.45.20 on ssh on the inside interface.  Pay particular attention to Phase 2 and Phase 4, which show the ACL it is hitting, and the NAT rule.  Now let’s try it for http:

CentralFW# packet-tracer input inside tcp 192.168.21.10 5342 45.45.45.20 http detailed

Phase: 1
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in   45.45.45.0      255.255.255.0   outside

Phase: 2
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0xbc323778, priority=11, domain=permit, deny=true
        hits=0, user_data=0x5, cs_id=0x0, flags=0x0, protocol=0
        src ip/id=0.0.0.0, mask=0.0.0.0, port=0
        dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
        input_ifc=inside, output_ifc=any

Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
Here we see that the traffic is dropped in phase 2, because it is not specified in the ACL.

That’s a basic rundown on how to use an ASA, but of course there’s much more that can be done with them.

Posted by at No comments:
Labels: , , , , , ,
Subscribe to: Posts (Atom)