SCSE Training - Lab 3 - Model Validation and Triggered Collection

This document provides instructions for several lab activities including running network model validation tasks in Skybox, configuring triggered collection and analysis for firewalls, using the change manager to push access control list changes to a firewall, and preparing for a vulnerability scan. The tasks cover validating the network model, monitoring firewall configuration changes, provisioning firewall rules using change management, and scanning for vulnerabilities.

Uploaded by

Prashant Biswas

SCSE Lab 3

Network Model Validation
Change Manager (designing and deploying changes)
Triggered collection

© 2021 Skybox Security, Inc. 1


Lab activities
+ Run Daily Sequence
+ Network Model Validation: run task, review results, investigate main issues
+ Configuring Triggered Collection and Analysis for Firewalls
+ Change Manager – pushing ACL changes to the ASA



Connecting to the vLab
+ URL: https://vlab.skyboxsecurity.com/
+ Username: the email you registered with
+ Password: your password



Network Model Validation



Run Model Validation Task and Review Results
1. Create a new Task, type “Model – Completion and Validation”
2. Leave all settings at default
3. Run Task

+ Results are in Model tab | Model Analyses | Model Validation
  o There are many detail analyses out of the box
+ Add a “Model Anomalies” analysis to review all issues at once
  o Right-click “Model Analyses”, choose “New | Analysis…”
  o Leave all parameters at default
    • In a real environment this would be impractical, but our Lab model is very small
  o Click OK to save



Investigate issues
+ There are several anomalies relating to missing next hops
+ Most of these can be fixed by converting the edge networks to Perimeter Clouds
+ We can do it manually, but more easily we can let the Model Validation Task do it for us



Run Model Validation Task
+ Run the Model Validation Task a second time, setting the flag “Convert Perimeter Networks to Clouds” to ON.
+ This will convert all edge networks with Missing Next Hops to Perimeter clouds
+ When the Task is finished, change the flag back to OFF and run the Task a third time
+ Review the Model Anomalies Analysis
+ Most of the Critical anomalies should have been converted to “Fixed”
+ Once you are done, please add this task to the Daily Sequence as well, right after the Collection Group and before any Analysis task.



Triggered collection



Configure triggered collection on the ASA
+ Must make sure change logs can be processed by Skybox
  o Are change audit entries coming to the syslog server?
  o Are we detecting changes?
  o Are “lite” and “full” changes merging?
+ Define new Change Tracking Events – Syslog Import task



Adding a Triggered Collection and Analysis Sequence
+ Create new Sequence
+ Type: “Firewalls – Triggered Collection and Analysis”
+ Add its name and click Next



Set up Triggered Collection and Analysis Sequence
+ Add Syslog Import Tasks
+ Add firewall collection tasks
(Screenshot callout: note this filter)



Set up Triggered Collection and Analysis Sequence
+ Add all analysis tasks
+ Default scheduling is every 15’, but we can add more, e.g., every 5’
(Screenshot callout: note this filter)



Now Skybox will be “listening” for changes on the ASA
+ When a new change is observed in the logs, collection and analysis will be triggered
+ It isn’t “real time”, but we can choose the frequency for the syslog check
  o Every 15 minutes is the default and usually it’s enough
+ When we push the change to the ASA with CM, we will see the trigger in action



CM Provisioning



Rule Provisioning
+ We’ll use CM to create a new access rule, then “push” it to the ASA, and finally check with ASDM that everything works correctly
+ Make sure CM is in Network Mode
+ Make sure Automatic Implementation is active



CM Access Update flow
+ Create new ticket using Standard Workflow
  o Select Access Update
  o Source: 10.0.16.0/24
  o Destination: 10.0.15.0/24
  o Service: 1433/TCP
+ Verify it identifies the ASA
  o In the example, the automatically-generated object names have been replaced (manually) with descriptive names



Risk Review
+ There should be no risks regarding Access Compliance (“Compliant” column)
  o No need for approval, can promote immediately
  o Why are there no risks from vulnerabilities (the “Secure” column)?



Implementation
+ Click “Implement” in phase 4
+ Alternatively, select Implementation View, select the new rule, then click Implement



Check with ASDM
If ASDM is open in the background, it will flash to alert you to the new rule
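The access the ticket above requests (10.0.16.0/24 to 10.0.15.0/24 on 1433/TCP), worked through in code: this is an added example, not Skybox or CM code, that renders the ASA line such a ticket would push and evaluates the request against a first-match ACL before and after the push, mirroring what the ASDM check confirms. The ACL name INSIDE_IN, its entries and the simplified ACE grammar are assumptions made for the example; CM's own access-check logic is not described on this page.

```python
from ipaddress import ip_network

def parse_ace(line):
    """Parse a simple ASA extended ACE (assumed grammar for this example):
    access-list NAME extended permit|deny tcp|udp|ip SRC MASK|any DST MASK|any [eq PORT]"""
    t = line.split()
    name, action, proto, rest = t[1], t[3], t[4], t[5:]
    def net(tokens):  # 'any' or 'ADDRESS MASK'
        if tokens[0] == "any":
            return ip_network("0.0.0.0/0"), tokens[1:]
        return ip_network(f"{tokens[0]}/{tokens[1]}"), tokens[2:]
    src, rest = net(rest)
    dst, rest = net(rest)
    port = int(rest[1]) if rest[:1] == ["eq"] else None
    return {"acl": name, "action": action, "proto": proto, "src": src, "dst": dst, "port": port}

def first_match(aces, src_net, dst_net, proto, port):
    """ASA ACLs are first-match. Walk the ACEs in order and report what the requested
    access hits: 'permit'/'deny' if an ACE covers the whole flow, 'partial' if the first
    relevant ACE covers only part of it, or the implicit 'deny' at the end of the list."""
    for a in aces:
        if a["proto"] not in ("ip", proto) or a["port"] not in (None, port):
            continue
        if not (src_net.overlaps(a["src"]) and dst_net.overlaps(a["dst"])):
            continue
        covers = src_net.subnet_of(a["src"]) and dst_net.subnet_of(a["dst"])
        return a["action"] if covers else "partial"
    return "deny"

def ace_for_ticket(acl_name, src, dst, proto, port):
    """Render the ASA line an Access Update ticket like the lab's would push."""
    s, d = ip_network(src), ip_network(dst)
    return (f"access-list {acl_name} extended permit {proto} "
            f"{s.network_address} {s.netmask} {d.network_address} {d.netmask} eq {port}")

def check_access(acl_lines, src, dst, proto, port):
    """Result of the requested access against the ACL as it stands."""
    return first_match([parse_ace(l) for l in acl_lines], ip_network(src), ip_network(dst), proto, port)

# Constructed ACL as it might look on the lab ASA before the ticket is implemented
# (ACL name and entries are made up for the example).
EXISTING_ACL = [
    "access-list INSIDE_IN extended deny tcp 10.0.16.0 255.255.255.0 10.0.15.0 255.255.255.0 eq 23",
    "access-list INSIDE_IN extended permit ip any 10.0.20.0 255.255.255.0",
]
```

A "partial" result is the case to watch in a Risk Review: part of the requested access already exists, so the new rule would overlap an existing one instead of cleanly adding access.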



Collect “lite” Change Records
Change Tracking – Syslog Import should show some activity
(Screenshot: lite CRs in FA)



Review Cisco ASA after changes
Changes show up in FA with details (Changed by / Change Time) and are “Authorized”
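The three checks from “Configure triggered collection on the ASA” (are change audit entries arriving, are changes detected, do lite and full changes merge) and the Changed by / Change Time attribution shown here, as an added example that is not Skybox code: it parses ASA command-audit syslog messages into lite change records and merges them with the lines of a collected configuration diff. The sample syslog lines and diff are constructed, and Skybox's own matching logic is not described on this page, so the merge here is an assumption of how such attribution can work.

```python
import re
from datetime import datetime
# Cisco ASA command-audit messages (real message IDs 111008 / 111010) carry who ran which command.
_RE_111008 = re.compile(r"%ASA-\d-111008: User '([^']+)' executed the '(.+)' command\.?\s*$")
_RE_111010 = re.compile(r"%ASA-\d-111010: User '([^']+)', running '[^']+' from IP '([^']+)', executed '(.+)'\.?\s*$")
_TS = re.compile(r"^(\w{3} \d{2} \d{4} \d{2}:\d{2}:\d{2})")
_NOISE = ("configure terminal", "end", "exit", "write memory")  # audited, but change nothing by themselves

def parse_change_events(lines):
    """Build 'lite' change records (who / when / what) from ASA syslog lines."""
    events = []
    for line in lines:
        ts = _TS.match(line)
        when = datetime.strptime(ts.group(1), "%b %d %Y %H:%M:%S") if ts else None
        m = _RE_111008.search(line)
        if m:
            user, src, cmd = m.group(1), None, m.group(2)
        else:
            m = _RE_111010.search(line)
            if not m:
                continue  # not a command audit (e.g. a 302013 connection log): nothing to track
            user, src, cmd = m.group(1), m.group(2), m.group(3)
        cmd = " ".join(cmd.split())
        if cmd in _NOISE or cmd.startswith("show "):
            continue
        events.append({"time": when, "user": user, "source_ip": src, "command": cmd})
    return events

def merge_lite_with_full(lite_events, full_diff_lines):
    """Merge step: attach Changed by / Change Time from the lite records to the 'full' change lines
    taken from the collected configuration, matched on command text; unmatched lines stay unattributed."""
    by_cmd = {e["command"]: e for e in lite_events}
    merged = []
    for diff in full_diff_lines:
        e = by_cmd.get(" ".join(diff.lstrip("+").split()))
        merged.append({"line": diff, "changed_by": e["user"] if e else None, "change_time": e["time"] if e else None})
    return merged
# Constructed sample input (not captured from a real device); hostname, ACL and interface names are made up.
SAMPLE_SYSLOG = [
    "Jun 12 2021 10:15:01 asa-lab %ASA-5-111008: User 'admin' executed the 'configure terminal' command.",
    "Jun 12 2021 10:15:02 asa-lab %ASA-5-111010: User 'admin', running 'CLI' from IP '10.0.0.50', executed 'access-list INSIDE_IN extended permit tcp 10.0.16.0 255.255.255.0 10.0.15.0 255.255.255.0 eq 1433'",
    "Jun 12 2021 10:15:03 asa-lab %ASA-5-111008: User 'admin' executed the 'access-group INSIDE_IN in interface inside' command.",
    "Jun 12 2021 10:15:04 asa-lab %ASA-5-111008: User 'admin' executed the 'show running-config' command.",
    "Jun 12 2021 10:16:00 asa-lab %ASA-6-302013: Built inbound TCP connection 12345 for inside:10.0.16.10/51234 (10.0.16.10/51234) to dmz:10.0.15.20/1433 (10.0.15.20/1433)",
]
SAMPLE_FULL_DIFF = [
    "+access-list INSIDE_IN extended permit tcp 10.0.16.0 255.255.255.0 10.0.15.0 255.255.255.0 eq 1433",
    "+access-group INSIDE_IN in interface inside",
    "+hostname asa-lab2",  # in the collected config but never seen in syslog: cannot be attributed
]
```

A full change with no lite record is the one to look at in FA: it has no Changed by / Change Time, which is what separates an attributable change from one the audit trail never saw.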



Review ticket in CM
All changes should be “Verified”



Prepare Vulnerability Scan



Preparation activities
+ Update Vulnerability Dictionary
  o Add task to daily sequence, if you had not done it already
+ Create new Vulnerability Detector for Network Devices task
  o All parameters can remain at default
  o Click Launch to save and run immediately



VD for NW devices
(Screenshot: sample task output)



Scan local VLAN
+ Log on to Nessus and scan local VLAN and DMZ
  o The Nessus instance is installed locally on Secops
  o Open Nessus console on https://localhost:8834/
  o Username: skyboxview
  o Password: P@ssw0rd1234
  o You can use the helpful window that appears right after logon
  o Set scan target to 10.0.0.0/24, 10.0.10.0/24 then Submit



Scan local VLAN
+ Nessus will start a quick “discovery” of the active hosts on those networks
+ Once the discovery is complete, click on “Run Scan”
+ Let the scan run; it will take several minutes to complete
+ We’ll retrieve the results in the next lab



Questions?



Thank you
Thank you for your time!
