Wednesday, June 19, 2013

Some facts on ASA part 1


· Maintaining connection information in a state table, referred to as a connection table.

· The security appliances provide a stateful process for TCP and UDP traffic only by default; in version 7, ICMP can also be treated statefully, but this is disabled by default.

· The security appliances use the conn table to enforce the security policies for user connections.

· If a connection entry is idle for a period, the entry will time out, and the stateful firewall will remove the connection entry.

· Cisco IOS routers, however, do support two features that implement stateful firewall functions like the security appliances: Context-Based Access Control (CBAC) and its replacement, Zone-Based Firewall (ZBF).

· A sequence number in a TCP segment indicates the number of bytes sent.

· The security appliances include a security feature called sequence number randomization (SNR), which is implemented by the security algorithm. SNR is used to protect you against reconnaissance and TCP session hijacking attacks by crackers.

· The security appliances will place the old sequence number as well as the new sequence number in the connection table.
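A small model of what the two SNR bullets above describe: the conn entry keeps both the inside host's real ISN and the randomized ISN the outside sees, and the firewall rewrites SEQ one way and ACK the other, dropping a returning SYN-ACK that does not acknowledge the randomized value. This is an added example, not code from the original post or from Cisco; the class and field names are assumptions of the model.

```python
import secrets

# Added model of sequence number randomization (SNR) as the notes describe
# it: the conn entry keeps the inside host's real ISN and the randomized
# ISN the outside sees, so SEQ and ACK values can be rewritten both ways.
# Not Cisco code; class and field names are assumptions of this model.
MOD = 1 << 32                       # TCP sequence numbers are 32-bit and wrap


class ConnEntry:
    def __init__(self, key, client_isn, offset=None):
        self.key = key              # (src, sport, dst, dport)
        self.old_isn = client_isn   # ISN the inside host actually chose
        # random 32-bit shift; None means pick one, a value fixes it for tests
        self.offset = secrets.randbelow(MOD) if offset is None else offset
        self.new_isn = (client_isn + self.offset) % MOD


def rewrite_outbound_seq(entry, seq):
    """Inside -> outside: present the shifted sequence number."""
    return (seq + entry.offset) % MOD


def rewrite_inbound_ack(entry, ack):
    """Outside -> inside: undo the shift on the returning ACK number."""
    return (ack - entry.offset) % MOD


def synack_matches(entry, ack):
    """True only if the server's SYN-ACK acknowledges the randomized ISN + 1;
    a segment that does not is out of state and would be dropped."""
    return rewrite_inbound_ack(entry, ack) == (entry.old_isn + 1) % MOD
```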

· When the security algorithm is configured for cut-through proxy (CTP), it first authenticates connections before permitting them through the firewall.

· CTP authenticates the connection at the application layer, but processes the subsequent data stream at layers 3 and 4.

· The security algorithm is responsible for implementing and enforcing your security policies.

· The security algorithm adds a connection in the conn table so that the returning traffic from the external web server will be permitted back to the user. Once the user terminates the connection, the entry will be removed from the appliance.

· ACLs are the most common method of allowing traffic to travel from a lower-security interface to a higher-security interface.

· The ASA supports the RIP, EIGRP and OSPF routing protocols.

· You can also start the setup script manually by entering configuration mode and executing the setup command.

· The security appliances use flash memory to store the OS, the ASDM images, and the appliance configuration files.

Viewing configurations:-
On the appliances, you have two locations for a configuration file:
RAM :- commonly called the running-config
Flash :- commonly called the startup-config

Viewing the running-config file:-
To view the configuration running in RAM, use the show running-config command.
Rumy# show running-config

Viewing the startup-config file:-
Rumy# show startup-config

Viewing a partial configuration:-
Use the show {running-config | startup-config} command followed by the name of the section you want.
Ex:- ciscoasa# show running-config interface

Write memory (wr) :- Saves your active configuration file in RAM to flash.

Clear commands:-
1. ciscoasa# clear interface physical-if-name
This command clears the interface given by physical-if-name.
2. If you want to remove or undo a configuration from your appliance, use the clear configure command.
ciscoasa# clear configure command
Ex:- ciscoasa# clear configure access-list
This would delete every ACL on your appliance.

· You could enter clear configure access-list acl-id, specifying the exact ACL you wish to delete.

Outbound connection :- Traffic from a higher to a lower security level is permitted by default, unless you have restricted traffic with an ACL. This is called an outbound connection.

Inbound connection :- Traffic from a lower to a higher security level is permitted by default, unless you have restricted traffic with an ACL. This is called an inbound connection.

· SSH basically provides an encrypted CLI connection between the client and the appliance by using the RSA encryption algorithm. One limitation of using telnet is that you cannot telnet to the appliance from the outside interface. SSH does not have this limitation.

· A public/private RSA key pair is used to secure the connection for Secure Shell.
To create your keying information, use the crypto key generate rsa command:-
ciscoasa(config)# crypto key generate rsa

To see the public key generated by the crypto key generate rsa command, use the show crypto key mypublickey rsa command like this:-
ciscoasa(config)# show crypto key mypublickey rsa

To see which users have current SSH connections to the appliance, use the show ssh sessions command.
ciscoasa# show ssh sessions

If you cannot ping a destination, verify that the appliance's interfaces are up and that you have the correct IP addresses assigned to them. You can use the show interface and show ip commands.

You can also use the debug icmp trace command to see the actual ICMP packets.

· The traceroute command allows you to trace the layer 3 hops that packets go through to reach a destination.
· The default timeout for replies is 3 seconds in traceroute.
· By default, traceroute uses UDP port 33434, but this can be changed with the port parameter.
· To view the appliance's ARP table, use the show arp command.
· You can clear the entries in the ARP table with the clear arp logical_if_name command.

Hardware and software information:-
asa# show version
asa# show memory
asa# show cpu usage

· Using a console cable is called an out-of-band connection.
· Using Telnet or SSH is called an in-band connection.


ASDM is a Java-based application.
The ASA has a built-in web server. This is what serves the ASDM to users requesting it through web browsers.
By default, this web server is not enabled.

The internal web server in the ASA is enabled with the following command:-
ciscoasa(config)# http server enable
This enables the HTTP server on the ASA, but if you tried a connection to the ASDM, you still would not be able to connect. This failure to connect results because the ASA operates on a closed policy, unlike the HTTPS server on a router.
On the ASA, all connections to the HTTP server are denied by default, and you must enter a configuration command to specify the IP addresses that are allowed access to the ASDM.

If you want to allow the whole inside network access to the ASDM:-
ciscoasa(config)# http 192.168.1.0 255.255.255.0 inside

The three aspects of configuring an interface on a Cisco ASA are:-
· IP address and subnet mask
· Interface name
· Interface security level

· The appliances treat UDP as a stateful connection, like TCP. However, because there is no defined connection teardown process, the appliances examine the idle period of a UDP connection to determine when it should be removed from the connection table.

· ICMP is a connectionless protocol and, like UDP, has no real defined state machine.

The three main problems that stateful firewalls face include:-
· Applications that have multiple connections (like FTP), multimedia, voice and database connectivity
· Applications and protocols that embed addressing and connection information in the application layer payloads.
· Applications and protocols that have security issues.

· A translation is an IP-to-IP address (and possibly port) mapping.
· A connection, on the other hand, is basically a TCP, UDP or ICMP session between two devices.
· The number of sessions supported by an appliance depends on the model as well as the license that you currently have installed on the appliance.
· Starting in version 7, address translation is optional and disabled by default.

· However, once you require address translation, you must define a translation policy for all traffic that will flow through an appliance, inbound or outbound; otherwise the appliance will drop the traffic. The one exception to this rule is if two interfaces have the same security level and address translation is enabled.

· When you enable address translation, the translations that represent a device or a connection are stored in a separate table, called a translation table or, more commonly, an xlate table.

· NAT entries are removed from the table once they are idle for a time (by default 3 hours). You can control this with the timeout xlate command.

· PAT entries are removed from the translation table when the corresponding connections in the state table expire.

· NAT and PAT entries are both removed from the table when they match criteria in the clear xlate command.
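A model of the conn table and xlate table removal rules described in the bullets above (idle conns age out; a NAT xlate has its own idle timer, 3 hours by default; a PAT xlate disappears with its last connection; clear xlate empties the table). This is an added example, not code from the original post or from Cisco; the per-protocol idle limits in CONN_IDLE and all class, field and key names are assumptions of the model, and only the 3-hour xlate timeout comes from the notes.

```python
from dataclasses import dataclass, field

# Added model, not Cisco code: the CONN_IDLE values and all names are
# assumptions of the model; only the 3-hour xlate default is from the notes.
XLATE_TIMEOUT = 3 * 3600                          # 'timeout xlate' default
CONN_IDLE = {"tcp": 3600, "udp": 120, "icmp": 2}  # assumed idle limits (s)

@dataclass
class Xlate:
    kind: str                 # "nat": own idle timer; "pat": tied to conns
    last_used: float
    conns: set = field(default_factory=set)

class StatefulTables:
    def __init__(self):
        self.conn = {}        # conn key -> (proto, last_seen, xlate key)
        self.xlate = {}       # xlate key -> Xlate

    def add_conn(self, key, proto, now, xkey, kind):
        """New session: create or refresh its xlate, insert the conn entry."""
        x = self.xlate.setdefault(xkey, Xlate(kind, now))
        x.last_used = now
        x.conns.add(key)
        self.conn[key] = (proto, now, xkey)

    def touch(self, key, now):
        """Traffic on an existing conn resets its idle timer (and xlate's)."""
        proto, _, xkey = self.conn[key]
        self.conn[key] = (proto, now, xkey)
        if xkey in self.xlate:
            self.xlate[xkey].last_used = now

    def age(self, now):
        """Expire idle conns, then apply the NAT/PAT xlate removal rules."""
        for key, (proto, last, xkey) in list(self.conn.items()):
            if now - last > CONN_IDLE[proto]:
                del self.conn[key]
                x = self.xlate.get(xkey)
                if x is not None:
                    x.conns.discard(key)
                    if x.kind == "pat" and not x.conns:
                        del self.xlate[xkey]      # PAT dies with its conns
        for xkey, x in list(self.xlate.items()):
            if x.kind == "nat" and now - x.last_used > XLATE_TIMEOUT:
                del self.xlate[xkey]              # NAT has its own idle timer

    def clear_xlate(self):
        """'clear xlate': drop every NAT and PAT entry at once."""
        self.xlate.clear()
```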

Information Technology LAB 365