ASA CHAPTER 9 (MPF FTP/ESMTP/TCP inspection)
!
14. FTP Traffic Inspection
• Allow the hosts from outside to access the FTP server at the IP 10.0.0.100
using the outside .
• Disallow the use of commands “RMD”, “SITE” and “DELETE”.
• Deny the download of the IOS images files with names that start with
“c26”, “c36” and “c28”.
• In order to prevent hackers from using the known exploits, mask the FTP
server banner and the system information reply.
• The restrictions should only apply to the users accessing from the outside.
15.SMTP Traffic Inspection
• The outside users should be able to send mail using the server at the IP
address DMZ IP 10.0.0.100.
• Configure the ASA to reject email sent from the e-mail addresses
containing any of the strings “cyberspam.org” or “nullroute.com”.
• The firewall should perform SMTP banner obfuscation in order to prevent
the SMTP server identification.
• The firewall should only accept emails addresses to domain “cisco.com”.
• Reject the emails that have more than 3 invalid recipients.
• In order to protect against TCP SYN flooding, limit the number of halfopen
connections to 50 and the maximum number of connections to 100.
16.TCP Inspection
• Enforce additional security checks for TCP connections established
across the firewall.
o Ensure the firewall checks retransmitted TCP packets.
o The firewall should also validate TCP checksums.
o Additionally, clear all reserved bits in TCP headers.
• The policy should apply all telnet connections crossing the firewall
appliance.
• Limit the concurrent number of open Telnet session to 3 per user.
This task further illustrates the use of inspect class-maps and policy-maps. We
are required to deny certain FTP commands and prevent certain files from
downloading. Usually, when you see something asking about name-based policy,
you mostly likely need to configure regular expressions (regexps) in the firewall.
Explaining regula expressions in depth is outside the score of this book.
However, in short, regular expressions are normal strings with special characters
used to create “wildcard” matching. Most common patterns are outlined below:
^begin– this pattern will match any string that startswith “begin”. Here “^”
means “start of the string”.
term$– this pattern matches any string that endswith “term”, thus “$” means
“end of the string”. Using “^” or “$” is also called “anchoring”. When you use the
pattern ^test$it will match only the whole word “test”.
[tT]est– matches both “test” and “Test”, thus “[]” means “range of characters”.
You can use the dash sign to define consecutive ranges, e.g. [1-9] means
“[123456789]” and “[a-z]” covers the whole alphabet. It is common to use the “[]”
to match the letter of different case.
test.123– pay attention to the “dot” – it means “any character”, thus the
pattern will match “test0123”, “testA123”, “testX123” and so on.
ab* - matches “a”, “ab”, “abb”, “abbbb” and so on. The asterisk symbol mean
that the previous character could be repeated any number of times including
zero.
ab+- matches “ab”, “abb”, “abbb” – similar to the asterisk, but means repeating
at least one time. It is common to see “*“ and “+” used with “.”, for example “.*”
would match any string, even empty.
ab?– matches “ab” and “a”. The question mark means the previous character
could be repeated one or zero times.
In the ASA firewall, you define regular expressions using the regexcommand.
Every regex has a name which could be used in the inspect class-maps that
support matching on regex. You can use the special regex class-maps to group
regular expressions using AND/OR logic. For example, the following class-map
would match if the string matches ANY of the containing regular expressions:
class-map type regex match-any OR_LOGIC
match REGEX1
match REGEX2
On the contrary, the match-all class-map will require the string to match ALL of
the containing regular expressions. In our scenario, we create three regular
expressions and group them into the regex class-map, although you could
simplify the configuration and use just one regex, such as “^c[23][68].*”
Next note that the FTP inspection policy-maps allows matching filenames
directly, without creating any special inspection class-maps. The syntax is match
filename regex class <CLASS>directly within the inspect policy map. The
same inspection policy-map allows setting the FTP inspection options directly.
However, note the use of the FTP inspection class-map to match FTP command:
class-map type inspect ftp match-all DENIED_COMMANDS
match request-command site dele rmd
you need to know how FTP protocol operates in order to understand which
commands should be banned under different conditions. Read the RFC on FTP
protocol to get more information.
For both the denied names and denied commands we instruct the inspection
engine to reset the active FTP connection. This finishes the configuration of the
FTP inspection policy map. Next we proceed to creation of the L3/L4 policy map
that matches FTP traffic. This class is matched using the normal policy map, and
the custom FTP inspection policy-map that we created is applied here. Note that
you need to use the command inspect ftp strictin order to apply the FTP
inspection policy-map. Finally, the regular policy map is applied to the outside
interface.
-->
ASA:
!
! Outside ACL to permit FTP traffic
!
access-list OUTSIDE_IN permit tcp any host 10.0.0.100 eq 21
access-group OUTSIDE_IN in interface outside
!
! Regexps
!
regex REG_26XX "^c26.*"
regex REG_36XX "^c36.*"
regex REG_28XX "^c28.*"
!
! Class-map to group regexps
!
class-map type regex match-any DENIED_FILES
match regex REG_26XX
match regex REG_28XX
match regex REG_36XX
!
! Class-map to group together the denied commands
!
class-map type inspect ftp match-all DENIED_COMMANDS
match request-command site dele rmd
!
! FTP inspection policy. Note the obfuscation options
!
policy-map type inspect ftp FTP_INSPECT
parameters
mask-banner
mask-syst-reply
match filename regex class DENIED_FILES
reset
class DENIED_COMMANDS
reset
!
! Class to match FTP port (L3/L4)
!
class-map FTP
match port tcp eq 21
!
! Policy map to apply to outside interface
!
policy-map OUTSIDE
class FTP
inspect ftp strict FTP_INSPECT
!
!
! Apply policy to outside interface
!
service-policy OUTSIDE interface outside
!
15.SMTP Traffic Inspection
• The outside users should be able to send mail using the server at the IP
address DMZ IP 10.0.0.100.
• Configure the ASA to reject email sent from the e-mail addresses
containing any of the strings “cyberspam.org” or “nullroute.com”.
• The firewall should perform SMTP banner obfuscation in order to prevent
the SMTP server identification.
• The firewall should only accept emails addresses to domain “cisco.com”.
• Reject the emails that have more than 3 invalid recipients.
• In order to protect against TCP SYN flooding, limit the number of halfopen
connections to 50 and the maximum number of connections to 100.
-->
This example is practically the same as the two previous, just this time
configurations apply to the SMTP inspection policy map. For detailed information
on all SMTP inspection options, refer to the ASA configuration reference guide.
In this task we configure a regex to match senders email addresses. This regex
is later used in the SMTP inspection policy map. The same inspection policy map
is configured for SMTP banner obfuscation in addition to allowing email relaying
only for domain cisco.com.
Finally, we create an access-list and L3/L4 class-map that matches SMTP traffic
to the server. Lastly, a regular policy-map is created, matching the L3/L4 class
and setting various TCP connection options. Additionally, ESMTP inspection is
configured along with the custom inspection policy map.
ASA1:
!
access-list OUTSIDE_IN permit tcp any host 10.0.0.100 eq 25
access-group OUTSIDE_IN in interface outside
!
! Regexps to match potentially unwanted content
!
regex UNWANTED “(cyberspam.org|nullroute.com)”
!
! SMTP Inspection Policy
!
policy-map type inspect esmtp SMTP_INSPECT
!
parameters
mask-banner
mail-relay cisco.com action drop-connection
exit
match invalid-recipients count gt 3
reset
match sender-address regex UNWANTED
reset
!
! Access-list and L3/L4 class-map
!
access-list SMTP_SERVER permit tcp any host 10.0.0.100 eq 25
class-map SMTP_SERVER
match access-list SMTP_SERVER
!
! Create and apply outside policy-map
!
policy-map OUTSIDE
class SMTP_SERVER
set connection conn-max 100
set connection embryonic-conn-max 50
inspect esmtp SMTP_INSPECT
!
service-policy OUTSIDE interface outside
!
16.TCP Inspection
• Enforce additional security checks for TCP connections established
across the firewall.
o Ensure the firewall checks retransmitted TCP packets.
o The firewall should also validate TCP checksums.
o Additionally, clear all reserved bits in TCP headers.
• The policy should apply all telnet connections crossing the firewall
appliance.
• Limit the concurrent number of open Telnet session to 3 per user.
-->
TCP carries most of the user traffic, and thus TCP inspection and security is top
priority for the firewall. The appliance allows setting well-know TCP connection
options such as:
1) Total number of open connections per MPF L3/L4 class (e.g. host, group of
hosts, subnet etc) using the command set connection conn-max N
2) Total number of embryonic (aka half-open or incomplete) sessions per MPF
L3/L4 class to prevent the well-known class of TCP SYN-flooding attacks. This
feature supersedes the legacy staticcommand TCP parameters. The syntax
is set connection embryonic-conn-max Nunder the class-map assigned
to a policy-map.
3) TCP Initial Sequence Number (ISN) randomization to prevent connection
hijaaking or packet injection attacks. Use the command set randomsequence-number {enable|disable}to switch this feature for the hosts
matched by the particular class-map.
The firewall also allows settings the connection limits on per-host (individual)
basic. For example, if you configure set connection per-client max N
command under a class, the limit will apply to every single host matched by this
class-map and not to the aggregated number of connections. Of course, you an
also limit the embryonic connections on per-client basis using the command set
connection per-client-embryonic-max N.
In addition to these features, the ASA firewall allows you tuning various aspects
of TCP connection normalization. The firewall applies number of security checks
and modifications to the TCP connections in order to prevent potential attacks.
You can modify some TCP normalization settings using the special tcp-map
applied under L3/L4 class-map using the command set connection
advanced-optionslike follows:
tcp-map TCP_MAP
window-variation drop
access-list SSH permit tcp any any eq 22
class-map SSH
match access-list SSH
policy-map TEST
class SSH
set connection advanced-options TCP_MAP
Note that when you apply TCP inspection/normalization features per interface,
they affect both ingress and egress traffic. When the TCP features are applied
using the global policy map, the affect ingress traffic on all interfaces.
ASA1:
!
! Define the TCP Map first
!
tcp-map TCP
check-retransmission
checksum-verification
reserved-bits clear
!
! Class-Map that matches Telnet Traffic
!
class-map TELNET
match port tcp eq 23
!
! Enforce the TCP normalization/connection settings
!
policy-map global_policy
class TELNET
set connection per-client-max 3
set connection advanced-options TCP
!
ASA1(config)# show service-policy global
Global policy:
Service-policy: global_policy
Class-map: inspection_default
Inspect: dns preset_dns_map, packet 0, drop 0, reset-drop 0
Inspect: ftp, packet 0, drop 0, reset-drop 0
Inspect: h323 h225 _default_h323_map, packet 0, drop 0, resetdrop 0
Inspect: h323 ras _default_h323_map, packet 0, drop 0, reset-drop
0
Inspect: rsh, packet 0, drop 0, reset-drop 0
Inspect: rtsp, packet 0, drop 0, reset-drop 0
Inspect: sqlnet, packet 0, drop 0, reset-drop 0
Inspect: skinny, packet 0, drop 0, reset-drop 0
Inspect: sunrpc, packet 0, drop 0, reset-drop 0
Inspect: xdmcp, packet 0, drop 0, reset-drop 0
Inspect: sip, packet 0, drop 0, reset-drop 0
Inspect: netbios, packet 0, drop 0, reset-drop 0
Inspect: tftp, packet 0, drop 0, reset-drop 0
Inspect: icmp, packet 10, drop 0, reset-drop 0
Class-map: TELNET
Set connection policy:
Set connection advanced-options: TCP
Retransmission drops: 0 TCP checksum drops : 0
Exceeded MSS drops : 0 SYN with data drops: 0
Out-of-order packets: 0 No buffer drops : 0
Reserved bit cleared: 0 Reserved bit drops : 0
IP TTL modified : 0 Urgent flag cleared: 0
Window varied resets: 0
TCP-options:
Selective ACK cleared: 0 Timestamp cleared : 0
Window scale cleared : 0
Other options cleared: 0
Other options drops: 0
!
!
14. FTP Traffic Inspection
• Allow the hosts from outside to access the FTP server at the IP 10.0.0.100
using the outside .
• Disallow the use of commands “RMD”, “SITE” and “DELETE”.
• Deny the download of the IOS images files with names that start with
“c26”, “c36” and “c28”.
• In order to prevent hackers from using the known exploits, mask the FTP
server banner and the system information reply.
• The restrictions should only apply to the users accessing from the outside.
15.SMTP Traffic Inspection
• The outside users should be able to send mail using the server at the IP
address DMZ IP 10.0.0.100.
• Configure the ASA to reject email sent from the e-mail addresses
containing any of the strings “cyberspam.org” or “nullroute.com”.
• The firewall should perform SMTP banner obfuscation in order to prevent
the SMTP server identification.
• The firewall should only accept emails addresses to domain “cisco.com”.
• Reject the emails that have more than 3 invalid recipients.
• In order to protect against TCP SYN flooding, limit the number of halfopen
connections to 50 and the maximum number of connections to 100.
16.TCP Inspection
• Enforce additional security checks for TCP connections established
across the firewall.
o Ensure the firewall checks retransmitted TCP packets.
o The firewall should also validate TCP checksums.
o Additionally, clear all reserved bits in TCP headers.
• The policy should apply all telnet connections crossing the firewall
appliance.
• Limit the concurrent number of open Telnet session to 3 per user.
This task further illustrates the use of inspect class-maps and policy-maps. We
are required to deny certain FTP commands and prevent certain files from
downloading. Usually, when you see something asking about name-based policy,
you mostly likely need to configure regular expressions (regexps) in the firewall.
Explaining regula expressions in depth is outside the score of this book.
However, in short, regular expressions are normal strings with special characters
used to create “wildcard” matching. Most common patterns are outlined below:
^begin– this pattern will match any string that startswith “begin”. Here “^”
means “start of the string”.
term$– this pattern matches any string that endswith “term”, thus “$” means
“end of the string”. Using “^” or “$” is also called “anchoring”. When you use the
pattern ^test$it will match only the whole word “test”.
[tT]est– matches both “test” and “Test”, thus “[]” means “range of characters”.
You can use the dash sign to define consecutive ranges, e.g. [1-9] means
“[123456789]” and “[a-z]” covers the whole alphabet. It is common to use the “[]”
to match the letter of different case.
test.123– pay attention to the “dot” – it means “any character”, thus the
pattern will match “test0123”, “testA123”, “testX123” and so on.
ab* - matches “a”, “ab”, “abb”, “abbbb” and so on. The asterisk symbol mean
that the previous character could be repeated any number of times including
zero.
ab+- matches “ab”, “abb”, “abbb” – similar to the asterisk, but means repeating
at least one time. It is common to see “*“ and “+” used with “.”, for example “.*”
would match any string, even empty.
ab?– matches “ab” and “a”. The question mark means the previous character
could be repeated one or zero times.
In the ASA firewall, you define regular expressions using the regexcommand.
Every regex has a name which could be used in the inspect class-maps that
support matching on regex. You can use the special regex class-maps to group
regular expressions using AND/OR logic. For example, the following class-map
would match if the string matches ANY of the containing regular expressions:
class-map type regex match-any OR_LOGIC
match REGEX1
match REGEX2
On the contrary, the match-all class-map will require the string to match ALL of
the containing regular expressions. In our scenario, we create three regular
expressions and group them into the regex class-map, although you could
simplify the configuration and use just one regex, such as “^c[23][68].*”
Next note that the FTP inspection policy-maps allows matching filenames
directly, without creating any special inspection class-maps. The syntax is match
filename regex class <CLASS>directly within the inspect policy map. The
same inspection policy-map allows setting the FTP inspection options directly.
However, note the use of the FTP inspection class-map to match FTP command:
class-map type inspect ftp match-all DENIED_COMMANDS
match request-command site dele rmd
you need to know how FTP protocol operates in order to understand which
commands should be banned under different conditions. Read the RFC on FTP
protocol to get more information.
For both the denied names and denied commands we instruct the inspection
engine to reset the active FTP connection. This finishes the configuration of the
FTP inspection policy map. Next we proceed to creation of the L3/L4 policy map
that matches FTP traffic. This class is matched using the normal policy map, and
the custom FTP inspection policy-map that we created is applied here. Note that
you need to use the command inspect ftp strictin order to apply the FTP
inspection policy-map. Finally, the regular policy map is applied to the outside
interface.
-->
ASA:
!
! Outside ACL to permit FTP traffic
!
access-list OUTSIDE_IN permit tcp any host 10.0.0.100 eq 21
access-group OUTSIDE_IN in interface outside
!
! Regexps
!
regex REG_26XX "^c26.*"
regex REG_36XX "^c36.*"
regex REG_28XX "^c28.*"
!
! Class-map to group regexps
!
class-map type regex match-any DENIED_FILES
match regex REG_26XX
match regex REG_28XX
match regex REG_36XX
!
! Class-map to group together the denied commands
!
class-map type inspect ftp match-all DENIED_COMMANDS
match request-command site dele rmd
!
! FTP inspection policy. Note the obfuscation options
!
policy-map type inspect ftp FTP_INSPECT
parameters
mask-banner
mask-syst-reply
match filename regex class DENIED_FILES
reset
class DENIED_COMMANDS
reset
!
! Class to match FTP port (L3/L4)
!
class-map FTP
match port tcp eq 21
!
! Policy map to apply to outside interface
!
policy-map OUTSIDE
class FTP
inspect ftp strict FTP_INSPECT
!
!
! Apply policy to outside interface
!
service-policy OUTSIDE interface outside
!
15.SMTP Traffic Inspection
• The outside users should be able to send mail using the server at the IP
address DMZ IP 10.0.0.100.
• Configure the ASA to reject email sent from the e-mail addresses
containing any of the strings “cyberspam.org” or “nullroute.com”.
• The firewall should perform SMTP banner obfuscation in order to prevent
the SMTP server identification.
• The firewall should only accept emails addresses to domain “cisco.com”.
• Reject the emails that have more than 3 invalid recipients.
• In order to protect against TCP SYN flooding, limit the number of halfopen
connections to 50 and the maximum number of connections to 100.
-->
This example is practically the same as the two previous, just this time
configurations apply to the SMTP inspection policy map. For detailed information
on all SMTP inspection options, refer to the ASA configuration reference guide.
In this task we configure a regex to match senders email addresses. This regex
is later used in the SMTP inspection policy map. The same inspection policy map
is configured for SMTP banner obfuscation in addition to allowing email relaying
only for domain cisco.com.
Finally, we create an access-list and L3/L4 class-map that matches SMTP traffic
to the server. Lastly, a regular policy-map is created, matching the L3/L4 class
and setting various TCP connection options. Additionally, ESMTP inspection is
configured along with the custom inspection policy map.
ASA1:
!
access-list OUTSIDE_IN permit tcp any host 10.0.0.100 eq 25
access-group OUTSIDE_IN in interface outside
!
! Regexps to match potentially unwanted content
!
regex UNWANTED “(cyberspam.org|nullroute.com)”
!
! SMTP Inspection Policy
!
policy-map type inspect esmtp SMTP_INSPECT
!
parameters
mask-banner
mail-relay cisco.com action drop-connection
exit
match invalid-recipients count gt 3
reset
match sender-address regex UNWANTED
reset
!
! Access-list and L3/L4 class-map
!
access-list SMTP_SERVER permit tcp any host 10.0.0.100 eq 25
class-map SMTP_SERVER
match access-list SMTP_SERVER
!
! Create and apply outside policy-map
!
policy-map OUTSIDE
class SMTP_SERVER
set connection conn-max 100
set connection embryonic-conn-max 50
inspect esmtp SMTP_INSPECT
!
service-policy OUTSIDE interface outside
!
16.TCP Inspection
• Enforce additional security checks for TCP connections established
across the firewall.
o Ensure the firewall checks retransmitted TCP packets.
o The firewall should also validate TCP checksums.
o Additionally, clear all reserved bits in TCP headers.
• The policy should apply all telnet connections crossing the firewall
appliance.
• Limit the concurrent number of open Telnet session to 3 per user.
-->
TCP carries most of the user traffic, and thus TCP inspection and security is top
priority for the firewall. The appliance allows setting well-know TCP connection
options such as:
1) Total number of open connections per MPF L3/L4 class (e.g. host, group of
hosts, subnet etc) using the command set connection conn-max N
2) Total number of embryonic (aka half-open or incomplete) sessions per MPF
L3/L4 class to prevent the well-known class of TCP SYN-flooding attacks. This
feature supersedes the legacy staticcommand TCP parameters. The syntax
is set connection embryonic-conn-max Nunder the class-map assigned
to a policy-map.
3) TCP Initial Sequence Number (ISN) randomization to prevent connection
hijaaking or packet injection attacks. Use the command set randomsequence-number {enable|disable}to switch this feature for the hosts
matched by the particular class-map.
The firewall also allows settings the connection limits on per-host (individual)
basic. For example, if you configure set connection per-client max N
command under a class, the limit will apply to every single host matched by this
class-map and not to the aggregated number of connections. Of course, you an
also limit the embryonic connections on per-client basis using the command set
connection per-client-embryonic-max N.
In addition to these features, the ASA firewall allows you tuning various aspects
of TCP connection normalization. The firewall applies number of security checks
and modifications to the TCP connections in order to prevent potential attacks.
You can modify some TCP normalization settings using the special tcp-map
applied under L3/L4 class-map using the command set connection
advanced-optionslike follows:
tcp-map TCP_MAP
window-variation drop
access-list SSH permit tcp any any eq 22
class-map SSH
match access-list SSH
policy-map TEST
class SSH
set connection advanced-options TCP_MAP
Note that when you apply TCP inspection/normalization features per interface,
they affect both ingress and egress traffic. When the TCP features are applied
using the global policy map, the affect ingress traffic on all interfaces.
ASA1:
!
! Define the TCP Map first
!
tcp-map TCP
check-retransmission
checksum-verification
reserved-bits clear
!
! Class-Map that matches Telnet Traffic
!
class-map TELNET
match port tcp eq 23
!
! Enforce the TCP normalization/connection settings
!
policy-map global_policy
class TELNET
set connection per-client-max 3
set connection advanced-options TCP
!
ASA1(config)# show service-policy global
Global policy:
Service-policy: global_policy
Class-map: inspection_default
Inspect: dns preset_dns_map, packet 0, drop 0, reset-drop 0
Inspect: ftp, packet 0, drop 0, reset-drop 0
Inspect: h323 h225 _default_h323_map, packet 0, drop 0, resetdrop 0
Inspect: h323 ras _default_h323_map, packet 0, drop 0, reset-drop
0
Inspect: rsh, packet 0, drop 0, reset-drop 0
Inspect: rtsp, packet 0, drop 0, reset-drop 0
Inspect: sqlnet, packet 0, drop 0, reset-drop 0
Inspect: skinny, packet 0, drop 0, reset-drop 0
Inspect: sunrpc, packet 0, drop 0, reset-drop 0
Inspect: xdmcp, packet 0, drop 0, reset-drop 0
Inspect: sip, packet 0, drop 0, reset-drop 0
Inspect: netbios, packet 0, drop 0, reset-drop 0
Inspect: tftp, packet 0, drop 0, reset-drop 0
Inspect: icmp, packet 10, drop 0, reset-drop 0
Class-map: TELNET
Set connection policy:
Set connection advanced-options: TCP
Retransmission drops: 0 TCP checksum drops : 0
Exceeded MSS drops : 0 SYN with data drops: 0
Out-of-order packets: 0 No buffer drops : 0
Reserved bit cleared: 0 Reserved bit drops : 0
IP TTL modified : 0 Urgent flag cleared: 0
Window varied resets: 0
TCP-options:
Selective ACK cleared: 0 Timestamp cleared : 0
Window scale cleared : 0
Other options cleared: 0
Other options drops: 0
!
No comments:
Post a Comment