530 likes | 810 Views
ASA Essentials Part 2 NAT, Advanced Firewall, VPN October , 2012. Bogdan Doinea Technical Manager CEE&RCIS Cisco Networking Academy bdoinea@cisco.com. Agenda. Translations and Connections. Advanced Firewall Configurations. A look at VPNs on the ASA. Technical Demo. What is NAT.
E N D
ASA Essentials Part 2NAT, Advanced Firewall, VPNOctober , 2012 Bogdan Doinea Technical Manager CEE&RCIS Cisco Networking Academy bdoinea@cisco.com
Agenda Translations and Connections Advanced Firewall Configurations A look at VPNs on the ASA Technical Demo
What is NAT • NAT defines the way that we translate private addresses into public ones and vice-versa • What are the private address spaces? • Class A: 10.0.0.0/8: 16,777,214 hosts • Class B: 172.16.0.0/12: 1,048,574 hosts • Class C: 192.168.0.0/16: 65,534 hosts • Private addresses are defined in RFC • In relation to how many hosts must be translated and how many public IP addresses we have, there are 2 types of translations: • NAT (Network Address Translation) – layer 3 • PAT (Port Address Translation) – layer 4 Welcome to NAT Trivia!!! 1918 ..…..…...
NAT – Inside NAT • In relation to the direction of the translation: • Inside NAT – addresses from the LAN are translated to addresses in the WAN (space) • Outside NAT – addresses from the WAN are translated to addresses in the WAN(space) • Inside NAT • The FW only modifies the layer 3 header to do NAT 209.100.65.10 141.85.99.10 141.85.99.10 209.100.65.10 141.85.99.10 192.168.10.10 141.85.99.10 192.168.10.10 24000 80 24000 80 80 24000 24000 80 141.85.99.10 192.168.10.10 192.168.10.1 209.100.65.1
NAT – Outside NAT • Outside NAT • It’s actually bidirectional NAT • The source address of packets coming from the Internet gets translated • Used in cases where hosts on the outside want to appear like they are on the inside of the Network 192.168.10.30 192.168.10.10 209.100.65.10 141.85.99.10 192.168.10.10 192.168.10.30 209.100.65.10 141.85.99.10 80 24000 24000 80 80 24000 80 24000 141.85.99.10 192.168.10.10 192.168.10.1 209.100.65.1
NAT Myths • “NAT conserves addresses” • The private-public translation is done at a 1-to-1 ratio • PAT conserves addresses • “NAT is a security mechanism” • The security functionality that NAT brings is a consequence of the design, not an objective • It is not a good practice to rely on NAT for inside-outside security • There is another device that does the same thing as NAT from the security of connections point of view: stateful firewall • Plus, a stateful firewall has other extra functionality (Application Inspection etc.)
NAT terminology • Be careful, the NAT terminology is pretty diverse • What is SNAT? • Inside NAT • What is DNAT? • A concept called port forwarding/port redirection, not Outside NAT
PAT • Port address translation • Allows the translation of multiple private addresses, using a single public IP address • Because 1-to-1 mapping cannot be done at level 3 anymore, it’s done at level 4 by mapping ports • Each private pair (IP_intern, port_intern) is mapped to a public pair (IP_extern, port_extern) • By default, PAT will try to map the internal port to the same external port • The PAT translations are saved to the RAM of the FW
Example • For the translated address, we can use: • The address of the outgoing interface • A public IP address that hasn’t been asigned to any interface • For connection-oriented protocol, the FW erases the translated entry from RAM once the connection is terminated (FIN) • For connectionless protocols, each communication has a timeout 192.168.10.0 /24 141.85.99.10 141.85.99.10 192.168.10.10 209.100.65.1 209.100.65.1 192.168.10.20 141.85.99.10 141.85.99.10 24000 24000 80 80 80 80 24000 30000 .10 141.85.99.10 192.168.10.1 209.100.65.1 .20
Connection vs Translation • Be careful, the two words are different concepts for a firewall • Scenario: a user downloads a web pave, transmits an IM and downloads his email with an email client • How many connections does the firewall have in memory? • A minimum of 3 (can depend on the way the protocols work) • How many layer 3 NAT translations does the firewall have in memory? • 1
Advanced Firewall Configuration The insides of Application Inspection
Application Inspection(1) • Why do we need application inspection? • (1) Scenarios in which applications run over non-standard ports • By default, all firewalls identify applications using their standardly assigned port • Ex: if HTTP work over port 8080, all firewalls are going to implicitly drop the HTTP packets 141.85.99.10 192.168.10.10 192.168.10.1 209.100.65.1 HTTP: port 8080
Application Inspection(2) • Why do we need application inspection? • (2) Applications that need to open dynamic ports in order to work • The dynamically opened ports are negociated by the application usually on the control communication channel • Examples: Active FTP, multimedia streaming, VoIP • Case study: • Active FTP vs. Passive FTP
Active FTP Client Server 1. The client initiates a connection to port 21 on the server using a random source port N > 1023. 2. The server responds with an ACK from its port 21 to the N port of the client 3. The client sends the command “PORT N+1” over the control channel and opens port N+1 for receive. By this, the client is telling the server the port it wants to use for data transfer 4. The server tried to open(initiate) a connection from its port nr 20(default data port) to the N+1 port on the client 5. The firewall block the connection at bullet 4, because it does not have a state object for it in RAM memory 1 3 N+1 Data N Cmd 21 Cmd 20 Data 2 4 4
Passive FTP Client Server • The client initiates a connection the the port nr. 21 of the server from a random source port, N>1023. The client opens port N+1 for data transfer • The server sends an ACK from its port nr 21 to the N port on the client • The client sends the PASV command to the server • The server opens a random port X >1024 for data transfer and sends the command “Port X” to the client • The client initiates the data connection from its N+1 port to the X port on the server 1 2 N+1 Data N Cmd 21 Cmd X Data 3 4 5
Active FTP vs Passive FTP • Conclusions: • Active FTP does not work by default if the client is behind a Firewall • Because of the stateful inspection • Because of NAT • Passive FTP should always work • At least if the FTP server lies in a DMZ type of area and access is granted from the outside • Why do we want to use Active FTP? • Because it opens fewer sockets on the server: http://www.faqs.org/rfcs/rfc1579.html • With Application Inspection: • The Firewall can read commands sent on the Control Channel of FTP • When the Firewall sees the “Port N+1” command, it opens port N+1 for data transfer between the 2 IP addresses(client and server)
Application Inspection(3) • Why do we need application inspection? • (3) Aplications that embed the IP address in the control channel messaging and, thus, conflict with NAT • As a result, the IP address in the layer 3 header will not be the same with the one embedded at layer 7 • The Application tries to open sockets to the private IP address and cannot succeed • Application Inspection to the rescue! • The Firewall inspects the IP address in the control channel and rewrites it with the one in the xlate table
Modular Policy Framework • What is MPF? • A set of structures and commands in ASA OS • A way of making logical connections between the various theoretical concepts and their practical implementations • What does MPF offer? • The possibility to control and configure the below features, using the same commands and OS structures • Application Inspection • IPS (AIP-SSM) • Anti {virus | spam | spyware} (CSC –SSM) • Setting connection limits • Traffic policing
MPF – Command structure • MPF is defined through 3 basic structures • Class-map • Used to identify traffic flows using different strategies • We have generic class-maps that identify traffic at layer 3 and 4 and inspection class-maps that can identify traffic at layer 7 • Policy-map • Used to associate one or more actions to packets identified by the class-map • We have generic policy-maps that apply standard actions (inspect, police, set connection etc) and inspection policy-maps that can specifically control application layer information • Service-policy (comandă) • Used to apply a policy at a global or interface level
MPF – Relationship in structure • Class-map • Internet • SE • IP telephony IP telephony System Enginners • Service-policy • Outside • Policy-map • Inspect • Police • Prioritize
MPF – Class-map (1) • Defining a class-map (L3/L4) • The match command is used to identify traffic ciscoasa(config)# class-map identify_by_L3_or_L4 ciscoasa(config-cmap)# ? MPF class-map configuration commands: description Specify class-map description exit Exit from MPF class-map configuration mode help Help for MPF class-map configuration commands match Configure classification criteria no Negate or set default values of a command rename Rename this class-map
MPF – Class-map (2) • What criteria can the match command used to identify data? • access-list: uses an ACL for classification • any • dscp: matches the ToS field using the IETF DSCP standard • precedence: matches the ToS field using the IP Precedence standard • tunnel-group: match traffic going into a tunnel. This can only be used for QoS purposes. • flow ip destination-address: used for identifying a destionation IP inside a tunnel-group. Can only be used together with tunnel-group • port: identifies a UDP or TCP port • default-inspection-traffic: match on a series of protocols that work over their standard, well-known ports
MPF – Class-map (3) • A class-map supports a single match command • the exception lies in the tunnel-group and the default-inspection-traffic that let the admin specify another match statement • when we have 2 match commands, the firewall applies a logical AND between them • By default, the class map inspection_default is activated ciscoasa# sh run .... class-map inspection_default match default-inspection-traffic ....
MPF – Class-map (4) • What does default-inspection-traffic contain? ciscoasa(config-cmap)# match ? mpf-class-map mode commands/options: access-list Match an Access List any Match any packet default-inspection-traffic Match default inspection traffic: ctiqbe----tcp--2748 dns-------udp--53 ftp-------tcp--21 gtp-------udp--2123,3386 h323-h225-tcp--1720 h323-ras--udp--1718-1719 http------tcp--80 icmp------icmp ils-------tcp--389 mgcp------udp--2427,2727 netbios---udp--137-138 radius-acct---udp--1646 rpc-------udp--111 rsh-------tcp--514 rtsp------tcp--554 sip-------tcp--5060 sip-------udp--5060 skinny----tcp--2000 smtp------tcp--25 sqlnet----tcp--1521 tftp------udp--69 waas------tcp--1-65535
MPF – Policy-map • The policy-map determines the action the Firewall will take on inspection • Step1: we give the policy map a name • Step2: we make an association with a class-map • Step3: we specify the action ciscoasa(config)# policy-map test_policy ciscoasa(config-pmap)# class major_protocols ciscoasa(config-pmap-c)# inspect ftp ciscoasa(config-pmap-c)# inspect icmp
MPF – Possible actions • One policy-map can have multiple actions and of different categories ciscoasa(config-pmap-c)# ? MPF policy-map class configuration commands: csc Content Security and Control service module exit Exit from MPF class action configuration mode flow-export Configure filters for NetFlow events help Help for MPF policy-map class/match submode commands inspect Protocol inspection services ips Intrusion prevention services no Negate or set default values of a command police Rate limit traffic for this class priority Strict scheduling priority for this class quit Exit from MPF class action configuration mode service-policy Configure QoS Service Policy set Set connection values shape Traffic Shaping
MPF – Actions examples ciscoasa# shrun .......... ! class-map example match port tcpeq www ! policy-map http_policy class http_map inspect http police input 1000000 set connection conn-max 1000 per-client-embryonic-max 50 ! ..........
MPF – Applying a policy • A policy can be applied globally, or at an interface level • The globally applied policy applies to all the traffic entering the ASA, on any interface, but only the ingress direction • The interface-level applied policy applies to all the traffic on the interface, ingress and egress # applied on the interface ciscoasa(config)# service-policy inspect_http interface inside # applied globally ciscoasa(config)# service-policy inspect_http global
MPF – Processing a policy • If the policy-maps actions are different, the packets can match multiple times inside a policy-map, as long as the same class-map is reffered. • If the policy-maps actions are different, the packets can match multiple times inside a policy-map, as long as the class-maps identify the traffic • If the action is the same, the packets only match one class-map class-map example match port tcpeq www policy-map http_policy class example police input 1000000 set connection conn-max 1000 per-client-embryonic-max 50 class inspection_default inspect http
Virtual Private Networks A look at types of VPNs supported on the ASA
What are VPNs? • A solution to create an end-to-end private connection over an unsafe, open network like the Internet • There are leased solutions that achieve the same end result: leased lines • What’s the difference between having a leased line and a VPN? • The cost
Classifying VPN solution relative to the SP • Relative to the ISP: • Overlay • Point-to-point • The overlay model makes the ISP network invisible to the client • The ISP routers do not get to know the client networks • Types of overlay VPNs: L2TP, PPTP, IPSec ISP
Point-to-point VPNs • In this model, the ISP participates in the routing decision • The routing adjacency is done between the ISP and the client • Overlay VPN models were dominating 90% of the market before the popularity of ……… • Still, MPLS does not provide any confidentiality or authentication scheme ISP MPLS
Classifying VPNs relative to the topology needs • Relative to the topology: • Site-to-Site • Remote-access • A Site-to-Site ties together many fixed locations in the Internet • Configurations only have to be made on the firewalls/routers • There is no need to have a VPN client on the laptop/computer Headquarters Remoteoffice Remoteoffice
Tunneling: encapsulation • Most VPN technologies are based on tunneling • Tunneling means an extra header is added at the layer where the tunnel is built • Example: IPIP tunnel • Used when the end-to-end source or destination network is not known in the routing table of an intermediate router Antet IP tunel Antet IP original Antet nivel 4 Date • The original, end-to-end header is hidden to all the routers that are traversed between the tunnel endpoints
IPSec – Framework • IPSec is a security protocol framework
IPSec – Framework • IPSec: Confidentiality Lungimea cheii: 56 biți Lungimea cheii: 168 biți Lungimea cheii: 256 biți DH7 Lungimea cheii: 160 biți
IPSec – Framework • IPSec: Integrity Lungimea cheii: 128 biți Lungimea cheii: 160 biți DH7
IPSec – Framework • IPSec: authentication with non-repudation DH7
Remote access VPN • Telecommuting is increasing more and more as an option for working • The risk of passing company information over the Internet is very great • Remote access VPN • IPSec • SSL Remoteoffice
IPSec vs SSL • As remote access solutions, the 2 options do not exclud each other • IPSec = security • SSL = mobility, flexibility
SSL VPN • The SSL VPN architecture will presume: • A SSL VPN server at the company headquarters • The SSL VPN client installed on the teleworker’s laptop • The SSL VPN client has 3 operating modes • Clientless • Thin client • Full client Remoteoffice
Thin client/clientless • For both modes, the browser is the client • Clientless does not allow anything else except HTTP and HTTPS • The user authenticates on the SSL portal to get access to internal company web resources • Thin client • In this mode, the user downloads JAVA applets from the portal • The Applets behave like TCP Proxies for applications • The user connections to several applications through the TCP Proxy (POP3, SMTP, IMAP, Telnet, SSH, CIFS) • The Applet makes a HTTP connection to the SSL Server that contains the addressing information in the payload to reach another service • The SSL Server makes the connection to the end service inside the company network
Full client • The full client can usually be downloaded from the SSL portal after the user authenticates • Depending on the vendor, the client could install seamlessly or manually, with user intervention
Establishing an SSL tunnel Utilizatorul face o conexiune TCP către portul 443 1 Firewall-ul răspunde cu o cheie publică semnată cu certificat 2 Software-ul client generează o cheie secretă 3 Clientul transmite cheia secretă criptată cu cheia publică 4 Se face bulk encryption folosindcheiasecretă 5
ASA: Configuration DEMO outside inside R2 R1 ASA Fa0/1 Fa0/1 Fa 0/2 Fa 0/0