ASA 5500 series adaptive security appliances - PowerPoint PPT Presentation

1 / 27
About This Presentation
Title:

ASA 5500 series adaptive security appliances

Description:

Antiphishing web filtering services Network Security * T. A. Yang Cisco s Firewall Service Module (FWSM) Network Security * http://www.cisco.com/en/US/products/hw ... – PowerPoint PPT presentation

Number of Views:402
Avg rating:3.0/5.0
Slides: 28
Provided by: Andrew687
Learn more at: http://sce.uhcl.edu
Category:

less

Transcript and Presenter's Notes

Title: ASA 5500 series adaptive security appliances


1
ASA 5500 seriesadaptive security appliances
  • Has replaced Ciscos PIX firewalls since 2008
  • Security services
  • Source http//www.cisco.com/en/US/prod/collateral
    /vpndevc/ps6032/ps6094/ps6120/product_data_sheet09
    00aecd802930c5.html
  • application-aware firewall
  • SSL and IPsec VPN
  • IPS with global correlation and guaranteed
    coverage
  • Antivirus
  • Antispam
  • Antiphishing
  • web filtering services

2
Ciscos Firewall Service Module(FWSM)
  • http//www.cisco.com/en/US/products/hw/modules/ps2
    706/ps4452/index.html
  • a high-speed, integrated firewall module for
    Cisco Catalyst 6500 switches and Cisco 7600
    Series routers
  • provides the fastest firewall data rates in the
    industry
  • 5-Gbps throughput,
  • 100,000 CPS (connections per second)
  • 1M concurrent connections

3
Firewall Modes
  • Routed mode
  • The device is considered a router hop in the
    network
  • Requires an IP address for each interface
  • The default mode
  • Transparent mode (aka stealth firewalls)
  • The device operates in a secure bridging mode
  • Same subnet on its inside and outside interfaces
  • Has an IP address assigned to the entire device
  • The appliance continues to perform stateful
    application-aware inspection and other firewall
    functions
  • Benefits hide its presence from the
    attackers/intruders

4
Stealth mode example
  • Default gateway for PCs in VLAN 10 is 10.1.1.1
    (the upstream router).

5
Example 2
  • Source http//www.cisco.com/en/US/products/hw/vpn
    devc/ps2030/products_configuration_example09186a00
    8089f467.shtmlbackinfo
  • The default gateway of Host A is not the Internet
    router (192.168.1.2) but the internal router
    (192.168.1.3).
  • Scenario an inside user visits an inside Web
    server - Host A (192.168.1.5) sends the request
    packet to the Internet router (since it is a
    default gateway) through the ASA from the inside
    to the outside. Then the packet is redirected to
    the web server (10.1.1.1) through ASA (outside to
    inside) and the internal router.

6
Adaptive Security Algorithm (ASA)
  • An algorithm that defines how traffic passing
    through the firewall are examined.
  • Basic concepts
  • Keep track of the connections being formed from
    the networks behind the PIX to the public network
  • Based on info about these connections, ASA allows
    packets to come back into the private network
    through the firewall.
  • All other traffic destined for the private
    network is blocked by the firewall (unless
    specifically allowed).

7
ASA Operations
  • Three basic operations
  • ACLs
  • Connections xlate and conn tables
  • Inspection engines (per RFC standards)
  • Figure 6-5 a scenario where an external host
    requested a connection to an internal server

8
ASA
  • ASA defines how the state and other information
    is used to track the sessions passing through the
    PIX.
  • ASA keeps track of the following information
  • Source and destination info of IP packets
  • TCP Sequence numbers and TCP flags
  • UDP packet flow and timers

9
ASA and TCP
  • TCP is connection-oriented, and provides most of
    the information the firewall needs.
  • The firewall keeps track of each session being
    formed, utilized, and terminated.
  • ASA only allows for the packets confirming to the
    state of a session to go through. All other
    packets are dropped.
  • However, TCP has inherent weakness, which
    requires ASA to perform additional work managing
    the sessions ? SYN flood, session hijacking

10
ASA and TCP
  • SYN flooding
  • The SYN flood attack sends TCP connections
    requests faster than a machine can process them.
  • (Internet Security Systems, http//www.iss.net/sec
    urity_center/advice/Exploits/TCP/SYN_flood/default
    .htm)
  • Illustration next

11
Syn Flood
  • A the initiator B the destination
  • TCP connection multi-step
  • A SYN to initiate
  • B SYNACK to respond
  • C ACK gets agreement
  • Sequence numbers then incremented for future
    messages
  • Ensures message order
  • Retransmit if lost
  • Verifies party really initiated connection

12
Syn Flood
  • Implementation
  • A, the attacker B the victim
  • B
  • Receives SYN
  • Allocate connection
  • Acknowledge
  • Wait for response
  • See the problem?
  • What if no response
  • And many SYNs
  • All space for connections allocated
  • None left for legitimate ones

Time?
13
ASA vs Syn Flood
  • (Beginning in version 5.2 and later)
  • When the number of incomplete connections through
    the PIX reaches a pre-configured limit (the limit
    on embryonic connections), ASA turns the PIX into
    a proxy for connection attempts (SYNs) to servers
    or other resources sitting behind it.
  • PIX responds to SYN requests with SYN ACKs and
    continues proxying the connection until the
    three-way TCP handshake is complete.
  • Only when the three-way handshake is complete
    would the PIX allow the connection through to the
    server or resource on the private or DMZ network.
  • Benefit Limits the exposure of the servers
    behind the PIX to SYN floods

14
PIX Basic Features
  • ASAs stateful inspection of traffic
  • Assigning varying security levels to interfaces
  • ACL
  • Extensive logging
  • Basic routing capability (including RIP)
  • Failover and redundancy
  • Traffic authentication

15
PIX Basic Features - ASAs stateful inspection
of traffic
  • PIX uses a basic set of rules to control traffic
    flow
  • No packets can traverse the PIX w/o a
    translation, connection, and state.
  • Outbound connections are allowed, except those
    specifically denied by the ACLs.
  • Inbound connections are denied, except for those
    specifically allowed.
  • All ICMP packets are denied unless specifically
    permitted.
  • All attempts to circumvent the rules are dropped,
    and a message is sent to syslog.
  • To tighten or relax some of these default rules
    next few slides

16
PIX Basic Features
  • Assigning varying security levels to interfaces
  • PIX allows varying security levels to be assigned
    to its various interfaces, creating the so called
    security zones.
  • A PIX may have 2 to 10 interfaces.
  • Each i/f can be assigned a level from 0 (least
    secure, usually the Internet) to 100 (most
    secure, usually the internal private network).
  • Default rules
  • Traffic from a higher security zone can enter a
    lower security zone. ? PIX keeps track of the
    connections for this traffic and allows the
    return traffic through.
  • Traffic from a lower security zone is not allowed
    to enter a higher security zone, unless
    explicitly permitted (such as using ACLs).

17
PIX Basic Features
  • ACL
  • Mainly used to allow traffic from a less-secure
    portion of the network to enter a more-secure
    portion of the network.
  • Information used in ACLs
  • Source address
  • Destination address
  • Protocol numbers
  • Port numbers
  • Examples
  • To allow connections to be made to web or mail
    servers sitting on the DMZ of the PIX from the
    public network
  • To allow a machine on a DMZ network to access the
    private network behind the DMZ
  • Use of ACLs must be governed by the network
    security policy.

18
PIX Basic Features
  • Failover and redundancy
  • The failover capability allows a standby PIX to
    take over the functionality of the primary PIX,
    as soon as it fails.
  • Stateful failover The connection info stored on
    the failing PIX is transferred to the PIX taking
    over.
  • The standby PIX assumes the IP and MAC addresses
    of the failed PIX.
  • Terminology related to failover
  • Active unit vs Standby unit
  • Primary unit vs Secondary unit
  • Question relationships between active/standby
    and primary/secondary ?
  • System IP vs Failover IP
  • System IP the address of the primary unit upon
    bootup
  • Failover IP that of the secondary unit

Primary Secondary
Active
standby
19
PIX Basic Features- Failover and redundancy
  • How does failover work?
  • A failover cable (RS-232 serial) connects the
    primary unit and the secondary unit, allowing the
    secondary unit to detect the primary units power
    status, and failover communication in between.
  • (In the case of stateful failover) The state info
    is transferred via an Ethernet cable connecting
    the primary unit and the secondary unit.
  • Every 15 seconds, special failover hello packets
    are sent in between the two units for
    synchronization.
  • Requirements The h/w, s/w, and configurations on
    the two PIXes must be identical.

20
PIX Basic Features- Failover and redundancy
  • Limitations of CISCO PIX failover ?
  • Some info are not replicated between the two
    units
  • User authentication table
  • ISAKMP and IPsec SA table
  • ARP table
  • Routing info
  • The secondary unit must rebuild the info to
    perform the functions of the failed unit.

21
PIX Basic Features
  • Traffic authentication on PIX
  • Cut-through proxy authentication
  • Only when the authentication occurring during the
    establishment of a given connection succeeds
    would PIX allows the data flow to be established
    through it.
  • A successfully authenticated connection is
    entered the ASA as a valid state.
  • As soon as an authenticated connection is
    established, PIX lets the rest of the packets
    belonging to that connection go through without
    further authentication.
  • PIX supports both TACACS and Radius as the AAA
    servers.

22
ASA and TCP TCP session hijacking attack
  • Problem with the ISN The initial sequence number
    (ISN) of TCP is not really random!
  • ?possible TCP session hijacking attack
  • Case study Kevin Metnicks attack on Tsutomu
    Shimomuras computers in 1994-1995
  • Six steps
  • an initial reconnaissance attack gather info
    about the victim
  • a SYN flood attack disable the login server a
    DOS attack
  • A reconnaissance attack determine how one of the
    x-term generated its TCP sequence numbers
  • Spoof the servers identity, and establish a
    session with the x-term (using the sequence
    number the x-term must have sent) ? result a
    one-way connection to the x-term
  • modify the x-terms .rhosts file to trust every
    host
  • Gain root access to the x-term

23
TCP session hijacking attack (cont.)
  • ASAs solution ? proxy the sequence number in
    an outgoing packet
  • create a new, more random sequence number
  • use the new number as the sequence number in the
    outgoing packet, and store the difference between
    the new and the original number
  • When return traffic for that packet is received,
    ASA restores the sequence number before
    forwarding the packet to the destination on the
    inside network.

24
Source Malik, Network Security Principles and
Practices, 2003.
initiator
25
Security Contexts
  • Software version 7.0 and up
  • Multiple security contexts (aka virtual
    firewalls) can be created within a single PIX or
    ASA firewall.
  • Each virtual firewall is an independent device
  • Has its own set of security policies, logical
    interfaces, and admin domain
  • Interfaces can be shared btwn contexts (routed
    mode only)
  • Limitations
  • Features such as VPN and dynamic routing
    protocols are not supported.

26
Security Contexts two modes
  • Routed Mode
  • Figure 6-6
  • A physical firewall is configured with three
    contexts (Admin, Dept 1, Dept 2).
  • Each virtual firewall has one Inside, one
    Outside, and one Shared interface.
  • Each context has its own private segment.
  • Resources to be shared among the three contexts
    are placed in the Shared segment, accessible
    through a shared intreface.
  • Transparent Mode

27
Security Contexts two modes
  • Transparent Mode
  • Each context is in the transparent mode.
  • A transparent firewall has only one Inside and
    one Outside interfaces, both of which belong to
    the same subnet.
  • Transparent mode does not allow shared interfaces
    (unlike the routed mode).
  • Example Figure 6-7
Write a Comment
User Comments (0)
About PowerShow.com