Technical and Configuration Specifications

The document discusses the importance of firewall security in protecting computers from various threats such as remote login, application backdoors, and denial of service attacks. It outlines the configuration of Cisco ASA firewalls, including interface setup, NAT, and access control lists, as well as troubleshooting commands. Additionally, it highlights the need for a layered security approach, combining firewalls with antivirus software and proper network management practices.

Uploaded by Loki Sundhar

Why Firewall Security?

• Access or abuse of unprotected computers
– There are many creative ways that unscrupulous people use to access or abuse unprotected computers:
➢ Remote login
➢ Application backdoors
➢ SMTP session hijacking
➢ Operating system bugs
➢ Denial of service
➢ E-mail bombs
➢ Macros
➢ Viruses
➢ Spam
➢ Redirect bombs
➢ Source routing
Why Firewall Security?
• Remote Login
➢ When someone is able to connect to your computer and control it in some form.
➢ This can range from being able to view or access your files to actually running programs on your computer.
Why Firewall Security?
• Application backdoors
➢ Some programs have special features that allow for remote access.
➢ Others contain bugs that provide a backdoor, or hidden access that provides some level of control of the program.
Why Firewall Security?
• SMTP session hijacking
➢ SMTP is the most common method of sending e-mail over the Internet.
➢ By gaining access to a list of e-mail addresses, a person can send unsolicited junk e-mail (spam) to thousands of users.
➢ This is done quite often by redirecting the e-mail through the SMTP server of an unsuspecting host, making the actual sender of the spam difficult to trace.
Why Firewall Security?
• Operating system bugs
➢ Like applications, some operating systems have backdoors.
➢ Others provide remote access with insufficient security controls or have bugs that an experienced hacker can take advantage of.
Why Firewall Security?
• Denial of service
➢ You have probably heard this phrase used in news reports on the attacks on major Web sites.
➢ This type of attack is nearly impossible to counter.
➢ What happens is that the hacker sends a request to the server to connect to it.
➢ When the server responds with an acknowledgement and tries to establish a session, it cannot find the system that made the request. By inundating a server with these unanswerable session requests, a hacker causes the server to slow to a crawl or eventually crash.
Why Firewall Security?
• E-mail bombs
➢ An e-mail bomb is usually a personal attack.
➢ Someone sends you the same e-mail hundreds or thousands of times until your e-mail system cannot accept any more messages.
Why Firewall Security?
• Macros
➢ To simplify complicated procedures, many applications allow you to create a script of commands that the application can run. This script is known as a macro.
➢ Hackers have taken advantage of this to create their own macros that, depending on the application, can destroy your data or crash your computer.
Why Firewall Security?
• Viruses
➢ Probably the most well-known threat is computer viruses.
➢ A virus is a small program that can copy itself to other computers. This way it can spread quickly from one system to the next. Viruses range from harmless messages to erasing all of your data.
Why Firewall Security?
• Spam
➢ Typically harmless but always annoying, spam is the electronic equivalent of junk mail.
➢ Spam can be dangerous though.
➢ Quite often it contains links to Web sites.
➢ Be careful of clicking on these because you may accidentally accept a cookie that provides a backdoor to your computer.
Why Firewall Security?
• Redirect bombs
➢ Hackers can use ICMP to change (redirect) the path information takes by sending it to a different router.
➢ This is one of the ways that a denial of service attack is set up.
Why Firewall Security?
• Source routing
➢ In most cases, the path a packet travels over the Internet (or any other network) is determined by the routers along that path.
➢ But the source providing the packet can arbitrarily specify the route that the packet should travel.
➢ Hackers sometimes take advantage of this to make information appear to come from a trusted source or even from inside the network! Most firewall products disable source routing by default.
Proxy Servers and DMZ
• There are times that you may want remote users to have access to items on your network. Some examples are:
➢ Web site
➢ Online business
➢ FTP download and upload area
Why Firewall Security?
• Security against unauthorized access or abuse
➢ Some of the items in the list above are hard, if not impossible, to filter using a firewall.
➢ While some firewalls offer virus protection, it is worth the investment to install anti-virus software on each computer.
➢ The level of security you establish will determine how many of these threats can be stopped by your firewall.
➢ You can also restrict traffic that travels through the firewall so that only certain types of information, such as e-mail, can get through.
➢ This is a good rule for businesses that have an experienced network administrator who understands what the needs are and knows exactly what traffic to allow through.
➢ One of the best things about a firewall from a security standpoint is that it stops anyone on the outside from logging onto a computer in your private network.
Proxy Servers and DMZ
➢ DMZ is just an area that is outside the firewall.
➢ Think of DMZ as the front yard of a house.
➢ It belongs to the owner, who may put some things there, but would put anything valuable inside the house where it can be properly secured.
➢ Setting up a DMZ is very easy.
➢ If you have multiple computers, you can choose to simply place one of the computers between the Internet connection and the firewall. Most of the software firewalls available will allow you to designate a directory on the gateway computer as a DMZ.
ASA Firewall

• Cisco firewalls since 2000
• The legacy PIX models existed before the introduction of the ASA 5500; the newest are the ASA 5500-X series
Start Configuring the firewall

• ciscoasa> enable
• Password:
• [Enter “Privileged Mode”. This requires the “enable” password]

• ciscoasa# configure terminal
• ciscoasa(config)#
• [Enter “Global Configuration Mode” to start configuring the device]
Viewing and Saving the configuration
• ciscoasa# show running-config
• [Show the currently running configuration]

• ciscoasa# show startup-config
• [Show the configuration which is stored on the device. This is the one which will be loaded if you reboot the firewall]

• ciscoasa# copy run start
• or
• ciscoasa# write memory
• [Save the running configuration so it won’t be lost if you reboot]


Firewall Configuration
Interface Configuration and Security Levels
• ciscoasa(config)# interface GigabitEthernet0/1
• ciscoasa(config-if)# nameif DMZ
• ciscoasa(config-if)# ip address 192.168.1.2 255.255.255.0
• ciscoasa(config-if)# security-level 50
• ciscoasa(config-if)# no shutdown

• nameif “interface name”: Assigns a name to an interface
• ip address “ip_address” “subnet_mask”: Assigns an IP address to the interface
• security-level “number 0 to 100”: Assigns a security level to the interface
• no shutdown: By default all interfaces are shut down, so enable them.

Static and Default Routes
• ciscoasa(config)# route outside 0.0.0.0 0.0.0.0 100.1.1.1
• [Configure a default route via the “outside” interface with gateway IP of 100.1.1.1]

• ciscoasa(config)# route inside 192.168.2.0 255.255.255.0 192.168.1.1
• [Configure a static route via the “inside” interface. To reach network 192.168.2.0/24 go via gateway IP 192.168.1.1]
Network Address Translation (NAT)
• ciscoasa(config)# object network internal_lan
• ciscoasa(config-network-object)# subnet 192.168.1.0 255.255.255.0
• ciscoasa(config-network-object)# nat (inside,outside) dynamic interface
• [Configure PAT for internal LAN (192.168.1.0/24) to access the Internet using the outside interface]

• ciscoasa(config)# object network obj_any
• ciscoasa(config-network-object)# subnet 0.0.0.0 0.0.0.0
• ciscoasa(config-network-object)# nat (any,outside) dynamic interface
• [Configure PAT for all (“any”) networks to access the Internet using the outside interface]
Network Address Translation (NAT)
• ciscoasa(config)# object network web_server_static
• ciscoasa(config-network-object)# host 192.168.1.1
• ciscoasa(config-network-object)# nat (DMZ,outside) static 100.1.1.1
• [Configure static NAT. The private IP 192.168.1.1 in DMZ will be mapped statically to public IP 100.1.1.1 in outside zone]

• ciscoasa(config)# object network web_server_port_static
• ciscoasa(config-network-object)# host 192.168.1.1
• ciscoasa(config-network-object)# nat (DMZ,outside) static 100.1.1.1 service tcp 80 80
• [Configure static Port NAT. The private IP 192.168.1.1 in DMZ will be mapped statically to public IP 100.1.1.1 in outside zone only for port 80. The two examples are alternative ways to publish the same server; a network object holds a single nat statement, so the port-forwarding version gets its own object name (re-entering web_server_static would replace the rule above)]
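What the three NAT forms on this page expose to the outside is easiest to see by running them side by side. The Python model below is an added illustration, not Cisco code: it orders object-NAT rules the way the ASA does (static before dynamic, fewest real addresses first), keeps a translation table for dynamic PAT, and shows that full static NAT reaches the real host on every port while static port NAT reaches it only on port 80. The outside interface address 100.1.1.2 is an assumed value; the real host, mapped address and subnet are the ones from the page.

```python
"""Added illustration (not Cisco code) of the three object-NAT forms on this
page and what each one exposes to the outside. Dynamic PAT rewrites outbound
sources to the outside interface address and admits return traffic only for a
translation it created; static NAT maps one real host to one public address on
every port, in both directions; static port NAT maps a single port. The outside
interface address (100.1.1.2) is an assumed value; the other addresses and
rules are the ones on this page."""
import ipaddress
from dataclasses import dataclass
from typing import Optional

OUTSIDE_IF_IP = "100.1.1.2"  # assumed address of the "outside" interface


@dataclass(frozen=True)
class NatRule:
    kind: str                   # "dynamic_pat", "static" or "static_port"
    real: str                   # real (private) host or network, CIDR form
    mapped: str                 # mapped (public) address; "interface" for PAT
    port: Optional[int] = None  # only used by "static_port"


class NatTable:
    def __init__(self, rules):
        # Object NAT evaluates static rules before dynamic ones, and within
        # that, the rule covering the fewest real addresses first.
        self.rules = sorted(
            rules,
            key=lambda r: (r.kind == "dynamic_pat",
                           ipaddress.ip_network(r.real, strict=False).num_addresses),
        )
        self.xlates = {}            # (mapped_ip, mapped_port) -> (real_ip, real_port)
        self._next_pat_port = 1024  # simplified allocator; the ASA uses port ranges

    def outbound(self, real_ip: str, real_port: int):
        """Translate a real source leaving to the outside; None = no rule applies."""
        for r in self.rules:
            if ipaddress.ip_address(real_ip) not in ipaddress.ip_network(r.real, strict=False):
                continue
            if r.kind == "static":
                return r.mapped, real_port
            if r.kind == "static_port":
                if real_port == r.port:
                    return r.mapped, r.port
                continue  # other ports of this host fall through to later rules
            mapped = (OUTSIDE_IF_IP, self._next_pat_port)
            self._next_pat_port += 1
            self.xlates[mapped] = (real_ip, real_port)
            return mapped
        return None

    def inbound(self, mapped_ip: str, mapped_port: int):
        """Untranslate a packet arriving from the outside; None = dropped (no xlate)."""
        for r in self.rules:
            if r.kind == "static" and r.mapped == mapped_ip:
                return r.real, mapped_port
            if r.kind == "static_port" and r.mapped == mapped_ip and r.port == mapped_port:
                return r.real, r.port
        # Dynamic PAT: only a reply to a translation we created gets through
        return self.xlates.get((mapped_ip, mapped_port))


# The page's rules: PAT for the internal LAN plus one of the two static forms.
PAT_RULE = NatRule("dynamic_pat", "192.168.1.0/24", "interface")
FULL_STATIC = NatRule("static", "192.168.1.1", "100.1.1.1")
PORT_STATIC = NatRule("static_port", "192.168.1.1", "100.1.1.1", port=80)


def exposed_ports(table: NatTable, mapped_ip: str, probe=(22, 80, 443, 3389)):
    """Which of the probed ports on a public address reach a real host at all."""
    return [p for p in probe if table.inbound(mapped_ip, p) is not None]


if __name__ == "__main__":
    full = NatTable([PAT_RULE, FULL_STATIC])
    port = NatTable([PAT_RULE, PORT_STATIC])
    print("full static NAT exposes:", exposed_ports(full, "100.1.1.1"))  # every probed port
    print("static port NAT exposes:", exposed_ports(port, "100.1.1.1"))  # [80]
    m = port.outbound("192.168.1.50", 40000)
    print("PAT mapping:", m, "-> reply translates back to", port.inbound(*m))
    print("unsolicited inbound to PAT address:", port.inbound(OUTSIDE_IF_IP, 3389))
```

The translation is only half of the decision: even a port that does translate is still subject to the inbound ACL on the outside interface, which is why the ACL section that follows permits exactly port 80 to the real address.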
Access Control Lists (ACL)
• ciscoasa(config)# access-list OUTSIDE_IN extended permit tcp any host 192.168.1.1 eq 80
• [Create an ACL to allow TCP access from “any” source IP to host 192.168.1.1 port 80]

• ciscoasa(config)# access-group OUTSIDE_IN in interface outside
• [Apply the ACL above at the “outside” interface for traffic coming “in” the interface]
Access Control Lists (ACL)
• ciscoasa(config)# access-list INSIDE_IN extended deny ip host 192.168.1.1 any
• ciscoasa(config)# access-list INSIDE_IN extended permit ip any any
• ciscoasa(config)# access-group INSIDE_IN in interface inside
• [Create an ACL to deny all traffic from host 192.168.1.1 to any destination and allow everything else. This ACL is then applied at the “inside” interface for traffic coming “in” the interface]
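The interface security levels set earlier and the two access-groups just shown form one decision: if an ACL is bound inbound on the ingress interface it is evaluated top-down with first match winning and an implicit deny at the end; if none is bound, traffic is allowed only from a higher to a lower security level. The following Python model is an added example, not Cisco code. The security levels for outside (0) and inside (100) are the conventional values and an assumption here (the page sets only DMZ to 50); the sample source addresses 203.0.113.7, 198.51.100.5 and 192.168.2.10 are constructed.

```python
"""Added illustration (not Cisco code): how an ASA decides whether to forward a
flow. If an ACL is bound inbound on the ingress interface it is evaluated
top-down, first match wins, and an implicit deny sits at the end. With no ACL
bound, the default security-level rule applies: traffic may go from a higher
to a lower security level, not the reverse (equal levels are also denied by
default). ACL entries and the DMZ level follow this page; outside=0 and
inside=100 are assumed conventional values."""
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Ace:
    """One access-list entry, e.g. 'permit tcp any host 192.168.1.1 eq 80'."""
    action: str                  # "permit" or "deny"
    proto: str                   # "ip" matches every protocol; otherwise "tcp", "udp", ...
    src: str                     # "any", a host address, or a network in CIDR form
    dst: str
    dport: Optional[int] = None  # None = any destination port


@dataclass(frozen=True)
class Flow:
    src_ip: str
    dst_ip: str
    proto: str
    dport: int
    in_if: str   # interface the packet arrives on
    out_if: str  # interface the packet would leave by


SECURITY_LEVELS = {"outside": 0, "DMZ": 50, "inside": 100}  # DMZ from page, rest assumed

# ACLs bound with "access-group <name> in interface <if>", as on the page.
# Since ASA 8.3 an ACL matches the real (untranslated) address, which is why
# the DMZ server appears by its private IP even though it is reached via NAT.
ACCESS_GROUPS = {
    "outside": [Ace("permit", "tcp", "any", "192.168.1.1", 80)],
    "inside": [Ace("deny", "ip", "192.168.1.1", "any"),
               Ace("permit", "ip", "any", "any")],
}


def _addr_matches(spec: str, ip: str) -> bool:
    if spec == "any":
        return True
    return ipaddress.ip_address(ip) in ipaddress.ip_network(spec, strict=False)


def ace_matches(ace: Ace, flow: Flow) -> bool:
    if ace.proto != "ip" and ace.proto != flow.proto:
        return False
    if ace.dport is not None and ace.dport != flow.dport:
        return False
    return _addr_matches(ace.src, flow.src_ip) and _addr_matches(ace.dst, flow.dst_ip)


def decide(flow: Flow, levels=SECURITY_LEVELS, groups=ACCESS_GROUPS):
    """Return (verdict, reason) for a flow entering in_if and leaving out_if."""
    acl = groups.get(flow.in_if)
    if acl is not None:
        for lineno, ace in enumerate(acl, start=1):
            if ace_matches(ace, flow):
                return ace.action, f"{flow.in_if} ACL line {lineno}"
        return "deny", "implicit deny at end of ACL"
    if levels[flow.in_if] > levels[flow.out_if]:
        return "permit", "higher to lower security level (no ACL bound)"
    return "deny", "lower or equal security level and no ACL bound"


if __name__ == "__main__":
    samples = [  # constructed flows
        Flow("203.0.113.7", "192.168.1.1", "tcp", 80, "outside", "DMZ"),     # web: ACL permit
        Flow("203.0.113.7", "192.168.1.1", "tcp", 22, "outside", "DMZ"),     # ssh: implicit deny
        Flow("192.168.1.1", "198.51.100.5", "tcp", 443, "inside", "outside"),  # blocked host
        Flow("192.168.1.50", "198.51.100.5", "tcp", 443, "inside", "outside"), # permit any any
        Flow("192.168.1.1", "198.51.100.5", "tcp", 443, "DMZ", "outside"),   # 50 -> 0: default permit
        Flow("192.168.1.1", "192.168.2.10", "tcp", 445, "DMZ", "inside"),    # 50 -> 100: default deny
    ]
    for f in samples:
        print(f"{f.in_if:>7} -> {f.out_if:<7} {f.proto}/{f.dport:<4}", *decide(f))
```

The last two sample flows are the ones worth remembering: with no ACL bound on the DMZ interface, the DMZ host can open connections to the Internet freely, yet cannot reach the inside network, purely because of the 50/100 levels.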
Object Groups
• ciscoasa(config)# object-group network WEB_SRV
• ciscoasa(config-network)# network-object host 192.168.1.1
• ciscoasa(config-network)# network-object host 192.168.1.2
• [Create a network group having two hosts (192.168.1.1 and 192.168.1.2). This group can be used in other configuration commands such as ACLs]

• ciscoasa(config)# object-group network DMZ_SUBNETS
• ciscoasa(config-network)# network-object 10.1.1.0 255.255.255.0
• ciscoasa(config-network)# network-object 10.2.2.0 255.255.255.0
• [Create a network group having two subnets (10.1.1.0/24 and 10.2.2.0/24). This group can be used in other configuration commands such as ACLs]
Object Groups
• ciscoasa(config)# object-group service DMZ_SERVICES tcp
• ciscoasa(config-service)# port-object eq http
• ciscoasa(config-service)# port-object eq https
• ciscoasa(config-service)# port-object range 21 23
• [Create a service group having several ports. This group can be used in other configuration commands such as ACLs]
Subinterfaces and VLANs
• ciscoasa(config)# interface gigabitethernet 0/1
• ciscoasa(config-if)# no nameif
• ciscoasa(config-if)# no security-level
• ciscoasa(config-if)# no ip address
• ciscoasa(config-if)# exit

• ciscoasa(config)# interface gigabitethernet 0/1.1
• ciscoasa(config-subif)# vlan 10
• ciscoasa(config-subif)# nameif inside1
• ciscoasa(config-subif)# security-level 80
• ciscoasa(config-subif)# ip address 192.168.1.1 255.255.255.0
Subinterfaces and VLANs
• ciscoasa(config)# interface gigabitethernet 0/1.2
• ciscoasa(config-subif)# vlan 20
• ciscoasa(config-subif)# nameif inside2
• ciscoasa(config-subif)# security-level 90
• ciscoasa(config-subif)# ip address 192.168.2.1 255.255.255.0

• [In the example above we have a physical interface (GE0/1) which is split into two subinterfaces (GE0/1.1 and GE0/1.2) belonging to two different VLANs with different IPs and security levels]
DHCP (Assign IP addresses to computers from the ASA device)
• ciscoasa(config)# dhcpd address 192.168.1.101-192.168.1.110 inside
• [Create a DHCP address pool to assign to clients. This address pool must be on the same subnet as the ASA interface]

• ciscoasa(config)# dhcpd dns 209.165.201.2 209.165.202.129
• [The DNS servers to assign to clients via DHCP]

• ciscoasa(config)# dhcpd enable inside
• [Enable the DHCP server on the inside interface]
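The "same subnet as the ASA interface" rule above is easy to get wrong when an interface is re-addressed later. The Python check below is an added example, not Cisco code: it takes a pool in the ASA's `a.b.c.d-a.b.c.e` form together with the interface address and mask, and reports a pool that lies outside the subnet, swallows the interface's own address, or includes the network or broadcast address. The pool and interface values are the ones on this page; the failing cases are constructed.

```python
"""Added illustration (not Cisco code): sanity-check a 'dhcpd address' pool
against the interface it will serve. The page's rule is that the pool must lie
in the interface's own subnet; the checks below also catch a pool that overlaps
the interface address or the network/broadcast addresses."""
import ipaddress


def validate_dhcp_pool(pool: str, if_ip: str, if_mask: str):
    """pool is the ASA form 'a.b.c.d-a.b.c.e'; returns a list of problems (empty = OK)."""
    problems = []
    start_s, end_s = pool.split("-")
    start, end = ipaddress.ip_address(start_s), ipaddress.ip_address(end_s)
    # ipaddress accepts a dotted netmask after the slash, matching ASA syntax
    subnet = ipaddress.ip_interface(f"{if_ip}/{if_mask}").network
    if start > end:
        problems.append("pool start is after pool end")
        return problems
    for label, addr in (("start", start), ("end", end)):
        if addr not in subnet:
            problems.append(f"pool {label} {addr} is outside interface subnet {subnet}")
    if problems:
        return problems  # the remaining checks only make sense inside the subnet
    iface = ipaddress.ip_address(if_ip)
    if start <= iface <= end:
        problems.append(f"pool includes the interface address {iface}")
    if start == subnet.network_address:
        problems.append("pool includes the network address")
    if end == subnet.broadcast_address:
        problems.append("pool includes the broadcast address")
    return problems


if __name__ == "__main__":
    cases = [  # first case is the page's own pool; the others are constructed faults
        ("192.168.1.101-192.168.1.110", "192.168.1.1", "255.255.255.0"),
        ("192.168.2.10-192.168.2.20", "192.168.1.1", "255.255.255.0"),
        ("192.168.1.1-192.168.1.50", "192.168.1.1", "255.255.255.0"),
        ("192.168.1.200-192.168.1.255", "192.168.1.1", "255.255.255.0"),
    ]
    for pool, ip, mask in cases:
        print(pool, "->", validate_dhcp_pool(pool, ip, mask) or "OK")
```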
Useful Verification and Troubleshooting Commands
• ciscoasa# show access-list OUTSIDE-IN
• [Shows hit-counts on ACL with name “OUTSIDE-IN”. It shows how many hits each entry has on the ACL]

• Sample output:
• access-list OUTSIDE-IN line 1 extended permit tcp 100.100.100.0 255.255.255.0 10.10.10.0 255.255.255.0 eq telnet (hitcnt=15) 0xca10ca21
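Hit counts are most useful when reviewed across the whole ACL rather than one line at a time: an entry that never matches may be stale, and a broad `permit ip any any` with or without hits deserves a look. The Python parser below is an added example, not Cisco code. It reads `show access-list` text in the line format shown above, skips the header line and the indented object-group expansions, and flags unused entries and over-broad permits. The four-line sample output is constructed to follow the page's format; the hit counts and hash values in it are made up.

```python
"""Added illustration (not Cisco code): parse 'show access-list' output and
flag entries worth reviewing. The sample text is constructed, modelled on the
line format shown on this page."""
import re
from dataclasses import dataclass
from typing import Optional

SAMPLE_OUTPUT = """\
access-list OUTSIDE-IN; 4 elements; name hash: 0x6a9a7a3c
access-list OUTSIDE-IN line 1 extended permit tcp 100.100.100.0 255.255.255.0 10.10.10.0 255.255.255.0 eq telnet (hitcnt=15) 0xca10ca21
access-list OUTSIDE-IN line 2 extended permit tcp any host 192.168.1.1 eq www (hitcnt=3210) 0x1a2b3c4d
access-list OUTSIDE-IN line 3 extended permit ip any any (hitcnt=0) 0x0f0e0d0c
access-list OUTSIDE-IN line 4 extended deny ip any any log (hitcnt=42) 0xabcdef01
"""

LINE_RE = re.compile(
    r"^access-list (?P<acl>\S+) line (?P<line>\d+) extended "
    r"(?P<action>permit|deny) (?P<body>.+?) \(hitcnt=(?P<hits>\d+)\)"
)


@dataclass
class Entry:
    acl: str
    line: int
    action: str
    proto: str
    src: str
    dst: str
    dport: Optional[str]  # e.g. "eq www", "range 21 23", or None for any port
    hits: int


def _take_addr(tokens, i):
    """Consume one address spec starting at tokens[i]; return (spec, next_i)."""
    t = tokens[i]
    if t in ("any", "any4", "any6"):
        return t, i + 1
    if t in ("host", "object", "object-group", "interface"):
        return f"{t} {tokens[i + 1]}", i + 2
    return f"{t}/{tokens[i + 1]}", i + 2  # "network mask" form


def _take_port(tokens, i):
    """Consume an optional port operator; return (spec or None, next_i)."""
    if i < len(tokens) and tokens[i] in ("eq", "gt", "lt", "neq"):
        return f"{tokens[i]} {tokens[i + 1]}", i + 2
    if i < len(tokens) and tokens[i] == "range":
        return f"range {tokens[i + 1]} {tokens[i + 2]}", i + 3
    return None, i


def parse_show_access_list(text: str):
    entries = []
    for raw in text.splitlines():
        if raw.startswith(" "):
            continue  # indented lines are object-group expansions of the line above
        m = LINE_RE.match(raw)
        if not m:
            continue  # the "; N elements; name hash" header has no line number
        tokens = m["body"].split()
        proto, i = tokens[0], 1
        src, i = _take_addr(tokens, i)
        _sport, i = _take_port(tokens, i)  # source port operator, if present
        dst, i = _take_addr(tokens, i)
        dport, i = _take_port(tokens, i)   # anything after this is an option such as "log"
        entries.append(Entry(m["acl"], int(m["line"]), m["action"],
                             proto, src, dst, dport, int(m["hits"])))
    return entries


def unused_entries(entries):
    """Line numbers that have never matched; candidates for removal or review."""
    return [e.line for e in entries if e.hits == 0]


def broad_permits(entries):
    """Permits from any source to any destination on any port."""
    return [e.line for e in entries
            if e.action == "permit" and e.src == "any" and e.dst == "any" and e.dport is None]


if __name__ == "__main__":
    parsed = parse_show_access_list(SAMPLE_OUTPUT)
    for e in parsed:
        print(f"line {e.line}: {e.action} {e.proto} {e.src} -> {e.dst} {e.dport or ''} hits={e.hits}")
    print("unused:", unused_entries(parsed), "broad permits:", broad_permits(parsed))
```

Because the ASA stops at the first match, a zero hit count can also mean the line is shadowed by an earlier one rather than simply unused, so check the order before deleting anything the report flags.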

• ciscoasa# show conn
• [The show conn command displays the number of active TCP and UDP connections, and provides information about connections of various types.]
Useful Verification and Troubleshooting Commands
• ciscoasa# show cpu usage
• [Show CPU utilization]

• ciscoasa# show crypto ipsec sa
• [Show details about IPsec VPNs such as packets encrypted/decrypted, tunnel peers etc.]

• ciscoasa# show crypto isakmp sa
• [Show whether an IPsec VPN tunnel is up or not. MM_ACTIVE means the tunnel is up]
Reference Links

Basic ASA Configuration
https://www.youtube.com/watch?v=nA8SjOhE5Ys

ASA 5506-X Basic Configurations
https://www.youtube.com/watch?v=jwjCufzgseI&t=319s

Security in Firewall
https://www.youtube.com/watch?v=dTUNJejeMxI
