Thursday, January 3, 2013

Cisco ASA 5500s

I am learning Cisco ASA in pursuit of the CCNP Security certification. And what a platform this is!
Firewall, Remote Access VPNs, Virtual Firewall, Botnet Filtering, Anti-X, DoS prevention, user-based access control, URL filtering, IP Routing, NAT and what not!! WHAT NOT!!
If routers are not cool enough for you, here are the Cisco ASAs. WoW!

So, currently Cisco rolls out various flavors of ASAs with varying performance and scale to meet the requirements of businesses of all sizes.

ASA 5505, 5510, 5512-X, 5515-X, 5585-X

Google "cisco asa" and visit the first link. There's an ocean to dive into after Routing/Switching for me now.

Tuesday, July 31, 2012

Zone-Based Policy FireWalls (Explanation + Tutorial + Lab Example)

When it comes to Cisco's networking, I think of everything as it is in the real world, and to my astonishment, everything fits like a glove. For example, Zone-Based Policy Firewalls. First impression - something related to security!!

Router interfaces are placed into security zones.
So, imagine a jail with 4 different blocks, 2 each situated in 2 different wings, each wing separated by a surveilled wire fence. One wing, Wing Fear, holds the most "feared" persons and needs to be the most "secured" area (like Arkham Asylum). The other one, Wing Peace, holds comparatively peaceful people and does not require much security.

Traffic can travel freely between interfaces in the same zone, but is blocked by default from traveling between zones. The prisoners in each block in the same wing obviously can interact/talk with each other during the play/lunch hours, or whenever there is need. However, they cannot interact with the prisoners in the other wing.

Traffic is also blocked between interfaces that have been assigned to a security zone and those that have not. Obviously the prisoners cannot interact with the normal people (who are not imprisoned and hence need no security).

You must explicitly apply a policy to allow traffic between zones. Zone policies are configured using the Cisco Common Class-Based Policy Language (C3PL or CPL), which is similar to the Modular QoS Command Line Interface (MQC) in its use of class maps and policy maps. Selected prisoners from Wing Peace may or may not interact with selected prisoners from Wing Fear, based on the selection (class) and the permission (policy) granted by the warden.

A traffic policy is applied unidirectionally between zones using zone pairs. When traffic needs to flow between zones, a zone pair is set up in the direction of the traffic flow. If a bidirectional traffic flow is required, two zone pairs are required, one in each direction. This second zone pair is not required if you are using stateful inspection (type inspect) and the only expected traffic is return traffic, because the return traffic of an inspected session is permitted by default.

Simply put, if you do not want the Internet zone to initiate traffic to the LAN zone, leave it at the defaults. Note that traffic from the Internet zone to the LAN zone in response to requests initiated from within the LAN zone to an Internet server will still be permitted by the firewall (if the policy from LAN to Internet is configured for stateful inspection).

The system-defined self zone includes all traffic that is directed at the device itself or generated by the device. By default, traffic to or from the "SELF" zone is allowed ("ALLOW ALL"), but, as with other zones, a traffic policy can be applied to the self zone as either the source or the destination zone, and it is likewise configured unidirectionally.
Now, consider the interaction between the jailers and the prisoners. Do you think there is any restriction on them? No!!

Steps to configure ZBFW:
Again, imagine the transport between India and Pakistan.
Step 1   Decide the zones you will need, and create them on the router.
Two zones - India and Pakistan.
 R3(config)#zone security INDIA
 R3(config)#zone security PAKISTAN
Step 2   Assign interfaces to zones. An interface may be assigned to only one security zone.
Transport between Lahore (Pakistan) and Amritsar (India).
 R3(config)#interface fastEthernet 0/0
 R3(config-if)#zone-member security INDIA
 R3(config)#interface fastEthernet 1/0
 R3(config-if)#zone-member security PAKISTAN

Step 3   Decide how traffic should travel between the zones, and create zone-pairs on the router.
Do we need to establish transport between Lahore and Amritsar only one-way, or bi-directional?
 R3(config)#zone-pair security IND_PAK source INDIA destination PAKISTAN
 R3(config)#zone-pair security PAK_IND source PAKISTAN destination INDIA
Step 4   Create class maps to identify the inter-zone traffic that must be inspected by the firewall.
Who are the people travelling? Check their background!!
 R3(config)#ip access-list extended IN_TO_OUT
 R3(config-ext-nacl)#permit tcp any any eq www
 R3(config-ext-nacl)#permit tcp any any eq echo

 R3(config)#ip access-list extended OUT_TO_IN
 R3(config-ext-nacl)#permit icmp any any unreachable

 R3(config)#class-map type inspect IND_TO_PAK
 R3(config-cmap)#match access-group name IN_TO_OUT

 R3(config)#class-map type inspect PAK_TO_IND
 R3(config-cmap)#match access-group name OUT_TO_IN
(An extended ACL entry needs both a source and a destination, so the shorter "permit tcp any eq www" form is rejected by the router; "any any" is used above.)
Step 5   Assign policies to the traffic by creating policy maps and associating class maps with them.
Grant/deny visas to the people. Also set the permissions/duration of the travel for those allowed to travel.
 R3(config)#policy-map type inspect ZBFW_IN_OUT_PM
 R3(config-pmap)#class type inspect IND_TO_PAK
 R3(config-pmap-c)#inspect
%No specific protocol configured in class IND_TO_PAK for inspection. All protocols will be inspected

 R3(config)#policy-map type inspect ZBFW_OUT_IN_PM
 R3(config-pmap)#class type inspect PAK_TO_IND
 R3(config-pmap-c)#pass
(Each class needs an action: inspect, pass or drop. Typing inspect is what produces the "All protocols will be inspected" message above; the ICMP unreachables from Pakistan to India are simply passed, since there is no session to track for them.)

Step 6   Assign the policy maps to the appropriate zone-pair.
 hunhh .. Enough .. Self-explanatory!!
 R3(config)#zone-pair security IND_PAK
 R3(config-sec-zone-pair)#service-policy type inspect ZBFW_IN_OUT_PM
 R3(config)#zone-pair security PAK_IND
 R3(config-sec-zone-pair)#service-policy type inspect ZBFW_OUT_IN_PM
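An added example, not part of the original post: a small Python audit of a ZBFW running-config that catches the gaps this six-step procedure makes easy to leave behind (an interface in no zone, a policy-map class with no action, a zone-pair with no service-policy), each of which makes the router drop traffic without any explicit deny. The config text is constructed in the post's style and is not from a real router.

```python
import re

# Constructed config in the post's style (hypothetical). Deliberate gaps: FastEthernet2/0 is in
# no zone, class PAK_TO_IND has no action, and zone-pair PAK_IND has no service-policy.
CONFIG = """
zone security INDIA
zone security PAKISTAN
interface FastEthernet0/0
 zone-member security INDIA
interface FastEthernet1/0
 zone-member security PAKISTAN
interface FastEthernet2/0
policy-map type inspect ZBFW_IN_OUT_PM
 class type inspect IND_TO_PAK
  inspect
policy-map type inspect ZBFW_OUT_IN_PM
 class type inspect PAK_TO_IND
zone-pair security IND_PAK source INDIA destination PAKISTAN
 service-policy type inspect ZBFW_IN_OUT_PM
zone-pair security PAK_IND source PAKISTAN destination INDIA
"""

def parse_zbfw(config):
    """Return (zone per interface, action per policy-map class, policy per zone-pair)."""
    iface_zone, pmaps, pairs, ctx, cls = {}, {}, {}, None, None  # ctx: block being read
    for line in (ln.strip() for ln in config.splitlines() if ln.strip()):
        if m := re.match(r"interface (\S+)$", line):
            ctx, iface_zone[m[1]] = m[1], None
        elif m := re.match(r"zone-member security (\S+)$", line):
            iface_zone[ctx] = m[1]
        elif m := re.match(r"policy-map type inspect (\S+)$", line):
            ctx, pmaps[m[1]] = m[1], {}
        elif m := re.match(r"class (?:type inspect )?(\S+)$", line):
            cls, pmaps[ctx][m[1]] = m[1], None  # class seen, no action yet
        elif m := re.match(r"(inspect|pass|drop)\b", line):
            pmaps[ctx][cls] = m[1]
        elif m := re.match(r"zone-pair security (\S+) source (\S+) destination (\S+)$", line):
            ctx, pairs[m[1]] = m[1], {"src": m[2], "dst": m[3], "policy": None}
        elif m := re.match(r"service-policy type inspect (\S+)$", line):
            pairs[ctx]["policy"] = m[1]
    return iface_zone, pmaps, pairs

def audit_zbfw(config):
    iface_zone, pmaps, pairs = parse_zbfw(config)
    findings = [f"{i} is in no zone: traffic to zoned interfaces is dropped" for i, z in iface_zone.items() if z is None]
    findings += [f"class {c} in {p} has no inspect/pass/drop action"
                 for p, cs in pmaps.items() for c, a in cs.items() if a is None]
    findings += [f"zone-pair {n} has no service-policy: all {p['src']}->{p['dst']} traffic dropped"
                 for n, p in pairs.items() if p["policy"] is None]
    return findings
```

Run audit_zbfw over the text of show running-config; an empty list means every interface is zoned, every class has an action and every zone-pair carries a policy.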

Done with the explanation. Read the other technical details and examples on Cisco's website, and get the lab rolling!!
Here's a great basic lab for ZBFW from GNS3Vault using GNS3.

Monday, June 20, 2011

SWITCHPORT PORT-SECURITY : Lock Down Security on Cisco Switches

Hello everyone, it's been ages since I have posted on this blog. Sorry!! Mainly because my focus shifted from Security to Networking, because I realized I gotta master Networking first to be a Security Professional. So, I have cleared CCNA, CCNA Security and CCNP ROUTE in the meanwhile, and I am currently studying for CCNP SWITCH.
I wish to share an awesome feature of Cisco Switches - SwitchPort Security.


Wireless networking has changed the face of switch security. Until now, we believed that the only way to break into the network was through the Internet. Because wireless access points default to no security and allow anyone to connect to the enterprise network, SwitchPort Security is essential to limit who can and who cannot connect to the switch ports and access the network.

A growing challenge facing network administrators is determining how to control who can access the organization’s internal network — and who can’t. For example, can anyone walk into your office, plug in a laptop, and access your network? Moreover, in today's networks, needless to say, you do not trust every one of your employees. And even if neither of the above two scenarios applies, it may be an infected PC that is generating a broadcast storm, or generating frames from thousands of different MAC addresses to fill the switch's CAM (Content Addressable Memory) table and turn the switch into a miserable hub.

Understand the basics

In its most basic form, the Port Security feature remembers the Ethernet MAC address connected to the switch port and allows only that MAC address to communicate on that port. If any other MAC address tries to communicate through the port, port security takes the action you configured, which is either ignoring the packets from the unknown MAC address or disabling the port. Most of the time, network administrators also configure the switch to send an SNMP trap to their network monitoring solution saying that the port has been disabled for security reasons.

Of course, implementing any security solution always involves a trade-off — most often, you trade increased security for less convenience. When using port security, you can prevent unknown devices from accessing the network, which increases security, at the cost of having to update the port whenever a legitimate device on it changes.

Configure port security

Configuring the Port Security feature is relatively easy. In its simplest form, port security requires going to an already enabled switch port and entering the switchport port-security command in interface configuration mode. Here’s an example:

Switch# config t
Switch(config)# int fa0/18
Switch(config-if)# switchport port-security ?
  aging        Port-security aging commands
  mac-address  Secure mac address
  maximum      Max secure addresses
  violation    Security violation mode

Switch(config-if)# switchport port-security

By entering the most basic command to configure port security, we accepted the default settings of only allowing one MAC address, determining that MAC address from the first device that communicates on this switch port, and shutting down that switch port if another MAC address attempts to communicate via the port. But you don’t have to accept the defaults.

Know your options

As you can see in the example, there are a number of other port security commands that you can configure. Here are some of your options:
  • switchport port-security maximum {max # of MAC addresses allowed}: You can use this option to allow more than the default number of MAC addresses, which is one. For example, if you had a 12-port hub connected to this switch port, you would want to allow 12 MAC addresses — one for each device. The maximum number of secure MAC addresses per port is 132.

  • switchport port-security violation {shutdown | restrict | protect}: This command tells the switch what to do when the number of MAC addresses on the port has exceeded the maximum. The default is to shut down the port. However, you can also choose to drop the offending frames and alert the network administrator (i.e., restrict), or to keep allowing traffic from the secure addresses and silently drop packets from unknown MAC addresses (i.e., protect).

  • switchport port-security mac-address {MAC address}: You can use this option to manually define the MAC address allowed for this port rather than letting the port dynamically determine the MAC address.

Of course, you can also configure port security on a range of ports. Here’s an example:
Switch# config t
Switch(config)# int range fastEthernet 0/1 - 24
Switch(config-if-range)# switchport port-security
However, you need to be very careful with this option if you enter this command on an uplink port that goes to more than one device. As soon as the second device sends a packet, the entire port will shut down.

View the status of port security

Once you’ve configured port security and the Ethernet device on that port has sent traffic, the switch will record the MAC address and secure the port using that address. To find out the status of port security on the switch, you can use the show port-security address and show port-security interface commands. Below are examples for each command’s output:

Switch# show port-security address
          Secure Mac Address Table
-------------------------------------------------------------------
Vlan    Mac Address        Type             Ports    Remaining Age
----    -----------        ----             -----    -------------
   1    0004.00d5.285d     SecureDynamic    Fa0/18         -
-------------------------------------------------------------------
Total Addresses in System (excluding one mac per port)     : 0
Max Addresses limit in System (excluding one mac per port) : 1024

Switch# show port-security interface fa0/18
Port Security : Enabled
Port Status : Secure-up
Violation Mode : Shutdown
Aging Time : 0 mins
Aging Type : Absolute
SecureStatic Address Aging : Disabled
Maximum MAC Addresses : 1
Total MAC Addresses : 1
Configured MAC Addresses : 0
Sticky MAC Addresses : 0
Last Source Address : 0004.00d5.285d
Security Violation Count : 0
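As an added example (not from the original post), here is a small Python parser for the show port-security interface output above that turns it into the alerts a monitoring script would raise: an err-disabled port, a non-zero violation count, and protect mode (which drops silently, so nothing is counted or trapped). The Fa0/18 sample mirrors the listing above; the Fa0/7 sample and its MAC address are constructed.

```python
# Constructed "show port-security interface" output for two ports, modelled on the
# post's listing (hypothetical values; Fa0/7 and its MAC address are made up).
SAMPLE = {
    "Fa0/18": """Port Security : Enabled
Port Status : Secure-up
Violation Mode : Shutdown
Maximum MAC Addresses : 1
Total MAC Addresses : 1
Last Source Address : 0004.00d5.285d
Security Violation Count : 0""",
    "Fa0/7": """Port Security : Enabled
Port Status : Secure-shutdown
Violation Mode : Shutdown
Maximum MAC Addresses : 1
Total MAC Addresses : 1
Last Source Address : 0011.2233.4455
Security Violation Count : 3""",
}

def parse_port_security(text):
    """Turn the 'Key : Value' lines of show port-security interface into a dict."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep:
            fields[key.strip()] = value.strip()
    return fields

def check_port(name, text):
    """Return alert strings for a port whose security state needs an admin's attention."""
    f = parse_port_security(text)
    if f.get("Port Security") != "Enabled":
        return [f"{name}: port security is not enabled"]
    alerts = []
    if f.get("Port Status") == "Secure-shutdown":  # port is err-disabled until an admin clears it
        alerts.append(f"{name}: err-disabled after a violation, last source {f.get('Last Source Address')}")
    if int(f.get("Security Violation Count", "0")) > 0:
        alerts.append(f"{name}: {f['Security Violation Count']} violation(s) recorded")
    if f.get("Violation Mode") == "Protect":  # protect never increments the counter or sends a trap
        alerts.append(f"{name}: protect mode drops silently, so violations are neither counted nor trapped")
    return alerts

def check_all(samples):
    """Run check_port over every captured interface and flatten the alerts."""
    return [a for name, text in samples.items() for a in check_port(name, text)]
```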


For more information on switch port commands and configuring the Port Security feature, check out Cisco’s Enabling Port Security documentation for the Catalyst 2950. What steps have you taken to lock down switch port security? Share your tips in this article’s discussion.