ASA CHAPTER 10 (Management/ICMP traffic inspection/Un-Stealthing firewall)
18. ICMP Traffic Inspection
• Ensure that R1’s inside IP address 136.X.121.1 translates to the IP
136.X.122.1 on the outside.
• Ensure R1’s Loopback1 is advertised into RIP and reachable to R3.
• Configure the firewall to allow the UNIX-style traceroute operation from
the outside.
• When someone traces off R3 to R1’s Loopback1 interface he should not
see the inside IP address of R3 in reply packets.
• Additionally, users from the inside should be able to ping outside without
an explicit permit entry in the outside ingress ACL.
19. Un-Stealthing the Firewall
• Configure the firewall so that anyone can ping it.
• Additionally, ensure that the firewall shows up in the traceroute command
output.
• Account for both the UNIX and Windows Traceroute commands.
• Add access-list entries if needed to accomplish this task.
-->
With recent ASA code you can inspect ICMP traffic in a stateful manner, so that
the firewall opens dynamic pinholes for the returning traffic. Thus, instead of
explicitly permitting ICMP echo-reply packets through the firewall, you can simply
inspect the ICMP packets going from inside to outside and get the same result. This
also enforces stricter security, as the pinholes are open only for the duration of
the ICMP “session”.

ICMP error inspection serves a special purpose: replacing the IP addresses and
ports embedded in ICMP error messages (port unreachable, time exceeded and so
on). This feature is best explained with the traceroute command. As we know,
traceroute sends probe packets with increasing TTL values, expecting ICMP
time-exceeded or ICMP port-unreachable messages in response. The returning ICMP
error messages quote the original probe and therefore carry the IP addresses of
the hosts that discarded it. Now imagine that the firewall performs address
translation for inside hosts and you initiate a traceroute from the outside towards
the translated IP addresses. Since the probes reach the inside IP addresses, the
returning ICMP error messages will reveal the actual inside addresses of the hosts
being traced. To prevent this information leak, enable ICMP error inspection, which
modifies the IP addresses carried inside the error messages to match the
translation rules.

In this scenario we make sure that R1’s inside IP address cannot be revealed by
tracing from the outside. Additionally, the configuration permits pinging from the
inside to the outside without explicitly permitting the returning traffic.
!
!
static (inside,outside) 136.1.122.1 136.1.121.1
!
! Access-list to permit inbound traceroute
!
access-list OUTSIDE_IN permit udp any any
access-group OUTSIDE_IN in interface outside
!
! Apply ICMP inspection
!
policy-map global_policy
class inspection_default
inspect icmp error
inspect icmp
!
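The ICMP error rewrite described above, as an added Python model that is not part of the original workbook or of any ASA code: it builds the port-unreachable that R1 returns to an outside tracer, shows that the quoted IP header leaks the inside address 136.1.121.1, and then applies the static translation to the quoted header the way `inspect icmp error` does. The tracer address 136.1.122.3 and the probe ports are assumptions.

```python
import socket
import struct

# Constructed values for the task: static (inside,outside) 136.1.122.1 136.1.121.1; tracer is assumed.
STATIC_NAT = {"136.1.121.1": "136.1.122.1"}
TRACER = "136.1.122.3"

def checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum over 16-bit words; returns 0 for a block that verifies."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def fix_checksum(data: bytes, off: int) -> bytes:
    """Zero the 16-bit checksum field at byte offset off, recompute over data, and store it."""
    zeroed = data[:off] + b"\x00\x00" + data[off + 2:]
    return zeroed[:off] + struct.pack("!H", checksum(zeroed)) + zeroed[off + 2:]

def ipv4(src: str, dst: str, proto: int, payload: bytes, ttl: int = 64) -> bytes:
    """Minimal 20-byte IPv4 header (no options) in front of payload."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, ttl, proto, 0,
                      socket.inet_aton(src), socket.inet_aton(dst))
    return fix_checksum(hdr, 10) + payload

def port_unreachable(reporter: str, tracer: str, probe_dst: str) -> bytes:
    """ICMP type 3 code 3 as R1 returns it: the UDP traceroute probe is quoted inside."""
    probe = ipv4(tracer, probe_dst, 17, struct.pack("!HHHH", 40000, 33434, 8, 0), ttl=1)
    icmp = fix_checksum(struct.pack("!BBHI", 3, 3, 0, 0) + probe, 2)
    return ipv4(reporter, tracer, 1, icmp)

def addresses(pkt: bytes) -> tuple:
    """(outer source, quoted destination): both are visible to the tracing host."""
    return socket.inet_ntoa(pkt[12:16]), socket.inet_ntoa(pkt[44:48])

def inspect_icmp_error(pkt: bytes, nat: dict) -> bytes:
    """Toy model of what 'inspect icmp error' adds to plain NAT: the destination quoted
    inside the error is translated too, and the quoted IP, outer IP and ICMP checksums are repaired."""
    outer_src, quoted_dst = addresses(pkt)
    outer = pkt[:12] + socket.inet_aton(nat.get(outer_src, outer_src)) + pkt[16:20]
    quoted = pkt[28:44] + socket.inet_aton(nat.get(quoted_dst, quoted_dst))
    icmp = pkt[20:28] + fix_checksum(quoted, 10) + pkt[48:]
    return fix_checksum(outer, 10) + fix_checksum(icmp, 2)

def valid(pkt: bytes) -> bool:
    """True when the outer IP, ICMP and quoted IP checksums all verify."""
    return checksum(pkt[:20]) == 0 and checksum(pkt[20:]) == 0 and checksum(pkt[28:48]) == 0
```

Without the rewrite, `addresses()` on R1's reply shows 136.1.121.1 in the quoted header even though ordinary NAT fixed the outer source; after `inspect_icmp_error()` both read 136.1.122.1 and the packet still checksums.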
19. Un-Stealthing the Firewall
-->
As we know, the firewall can be pinged on all of its interfaces by default; it only
does not respond to ICMP echoes sent to broadcast addresses. However, when you run
a traceroute across the firewall, it does not show up in the trace. This is because
the firewall does not decrement the TTL field in IP headers. In order to make the
firewall show up completely, you need to do the following:
1) Ensure the ICMP echo messages are allowed to terminate on the firewall
interfaces (the default).
2) Enable TTL decrement for packets traversing the firewall.
3) Tune the rate of ICMP error messages generated by the firewall. By default it
is set to 1 message per second, which results in time-outs for the ASA hop in the
traceroute output (the probes are sent more often than once per second).
The command to change the ICMP unreachable rate is:
icmp unreachable rate-limit <N> burst-size <B>
where N is the packet rate per second and B is not currently used by the firewall.
In order to enable TTL decrement, apply it in the global policy-map under
class-default:
policy-map global_policy
class class-default
set connection decrement-ttl
This configuration enables TTL decrement for all packets going across the
firewall. Let’s take an important note here. What if we have overlapping classes
under the policy-map? For example:
policy-map global_policy
class ICMP
inspect icmp
class class-default
set connection decrement-ttl
Will the above configuration apply TTL decrement to ICMP traffic? The answer is
yes, it will. Even though the ICMP class is more specific, the feature applied under
this class is inspect and not set connection. The MPF matches only the first
class in sequence for the same feature (e.g. QoS, inspection, connection
options). If the classes have different features configured, they will both match
the same packet flow.
Now, the last thing to configure for our task is enabling returning traffic for the
traceroute commands. UNIX traceroute expects ICMP port-unreachable and ICMP
time-exceeded messages. Windows-style traceroute expects only ICMP time-exceeded
messages. Allow both types in the inbound access-list applied to the outside
interface.
!
icmp unreachable rate-limit 10 burst-size 10
!
access-list OUTSIDE_IN permit icmp any any unreachable
access-list OUTSIDE_IN permit icmp any any time-exceeded
access-group OUTSIDE_IN in interface outside
!
policy-map global_policy
class class-default
set connection decrement-ttl
!
R1#traceroute 150.1.2.2
Type escape sequence to abort.
Tracing the route to 150.1.2.2
1 136.1.122.12 0 msec 0 msec 0 msec
2 136.1.122.2 4 msec * 0 msec
!