
Network Security (Part 2)

Professional Certification NetworkSims PIX/ASA Configuration


Interfaces. Fixup. Static Routes. Access-lists. Failover. VPN.

Author: Prof Bill Buchanan

Stateful firewall PIX/ASA

Prof Bill Buchanan, Leader, Centre for Distributed Computing and Security http://www.dcs.napier.ac.uk/~bill Room: C.63

Academic element (assessment):
- On-line test (MCQ test): 40%
- Coursework (agent-based IDS, Web-CT submission): 40%
- .NET Security on-line test: 20%
- Network Security on-line test: 20%

Schedule (week: date):
W2: 9 Feb; W3: 16 Feb; W4: 23 Feb; W5: 2 Mar; W6: 9 Mar; W7: 16 Mar; W8: 23 Mar; W10: 6 Apr; W11: 27 Apr; W12: 4 May; W13: 11 May; W14: 18 May

Academic topics: 1: Security Fundamentals; 2: IDS; 3: Encryption; 4: Authentication (Part 1); MCQ Test; 5: Software Security; 6: Network Security; Security Specialism (four weeks); MCQ Test

Lab/Tutorial: Lab 1: Packet Capture; Lab 2: Packet Capture (Filter); Lab 3: Packet Capture (IDS); Lab 5: IDS Snort 1; Lab 6: IDS Snort 2; Lab 7: Private-key Encryption; Lab 8: Public-key Encryption; Lab 9: Log/Process/Hashing; Lab 10: TCP Forensics; Lab 11: Binary Analysis/Sig Det

CIA and AAA

[Figure: the security layers between Bob and Alice, with Eve present at each level: Applications and Services (Integrated Security, CIA/AAA); Application Communications (TCP, IP, and so on); Network Infrastructure (Firewalls, Proxies, and so on).]

Integration between the levels often causes the most problems.

Example Infrastructure

[Figure: example infrastructure. Internet - Router (NAT) - Firewall (packet filter) - Firewall (stateful) - Switch; a DMZ holding the Web, Email, FTP and Proxy servers; Intrusion Detection Systems on the public side and on the inside; Bob outside, Alice inside. The Cisco version uses a Cisco Switch and a Cisco PIX or Cisco ASA 5500 as the firewall, and marks the layers each device works at: Application (FTP, Telnet, etc), L4 Transport (TCP), L3 Internet (IP), L2 Network (Ethernet). Inside hosts are split across VLAN 1 and VLAN 2, joined over an 802.1q trunk; restricted areas are marked.]

- Physical security requires restricted areas and padlocked equipment.
- Different VLANs cannot communicate directly, and need to go through a router to communicate.
- Screening firewalls filter on IP and TCP packet details, such as addresses and TCP ports, for incoming/outgoing traffic.
- Stateful firewalls filter on Application, IP and TCP packet details. They remember previous data packets, and keep track of connections.
- All Application-layer traffic goes through the Proxy (eg FTP, Telnet, and so on), aka Application Gateways.

Professional Certification

Cisco certification tracks: Routing & Switching; Design; Net Security; Service Provider; Storage Network; Voice; Wireless. Security certifications: CCNA (CCNA ENT), CCNA Security, CCSP, CCIE Security.

CCSP core exams:
- 642-504 SNRS Securing Networks with Cisco Routers and Switches
- 642-524 SNAF Securing Networks with ASA Foundation
- 642-533 IPS Implementing Cisco Intrusion Prevention System (IPS)

Option (select one):
- 642-591 CANAC Implementing Cisco NAC Appliance
- 642-545 MARS Implementing Cisco Security Monitoring, Analysis and Response System
- 642-515 SNAA Securing Networks with ASA Advanced

Firewalls

Software firewall: host-based (e.g. Zone Alarm); CheckPoint firewall (software), which runs within Windows Server, VMWare or LINUX; LINUX iptables.
- Easy to reconfigure
- Slower
- Less expensive
- Can be used with a range of computers/OSs

Hardware firewall: Cisco router with firewall (non-stateful); Cisco PIX/ASA (stateful); CheckPoint firewall (dedicated); Nokia.
- Optimized engine/architecture
- Copes better with large traffic conditions
- Improved failover

PIX/ASA firewall features:
- Firewall rules. These are contained within ACLs (using the access-list and access-group commands), and block or permit traffic. A key feature of this is URL filtering, which defines the Web pages which are allowed and which are not.
- Port blocking. This uses the fixup command to change, enable or disable network services.
- Cut-through proxy. This allows the definition of the users who are allowed services such as HTTP, Telnet and FTP. The authentication is a single initial authentication, which differs from normal proxy operation, which checks every single packet.
- Intrusion detection. This uses the ip audit command to detect intrusions.
- Shunning. This, along with intrusion detection, allows a defined response to an intrusion.
- Encryption. This allows the PIX firewall to support enhanced encryption, such as being a server for VPN connections, typically with IPSec and tunnelling techniques such as PPTP.
- Failover. This allows other devices to detect that a PIX device has crashed, and that another device needs to take its place.

PIX/ASA models:
- Enterprise PIX 525. This has a 600MHz processor with 256MB RAM, and handles a throughput of 360Mbps for a maximum of 280,000 connections. It supports failover, and has support for up to eight connections.
- Enterprise PIX 535. This has a 1GHz processor with 1GB RAM, and handles a throughput of 1Gbps for a maximum of 500,000 connections. It supports failover, and has support for up to ten network interfaces.
- ASA 5520. Intel Pentium 4, 2GHz; 512MB RAM; runs PIX 7.x/ASA 8.x IOS; 8 interfaces; integrated VPN and SSL VPN; throughput 450Mbps (3DES: 225Mbps); max connections 280,000; VPN peers 750.

PIX/ASA Configuration

Configuring the interfaces

[Figure: PIX with three interfaces: E0 (outside), E1 (inside), E2 (inf2).]

PIX 6.x:
# config t
(config)# hostname freds
(config)# domain-name fred.com
(config)# ip address outside 192.168.1.1 255.255.255.0
(config)# interface e0 auto

PIX/ASA 7.x/8.x:
(config)# hostname freds
(config)# domain-name fred.com
(config)# int e0
(config-if)# ip address 192.168.2.1 255.255.255.0
(config-if)# no shutdown
(config-if)# exit

In 6.x the ip address command names the interface directly (outside) and interface e0 auto enables it; in 7.x/8.x the address is set under the interface, which is then brought up with no shutdown.

Setting the default route and static routes

[Figure: PIX with E0 (outside) 10.1.1.1 towards the perimeter gateway 10.1.1.254; E1 (inside) 192.168.2.1 with hosts 192.168.2.3 and 192.168.2.5; E2 (inf2) 172.10.10.1 towards a second perimeter gateway 172.10.10.2, with 176.10.1.1 and 176.10.1.2 beyond it.]
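As an added example (not from the original slides), the default route and a static route for the topology in the figure above, in PIX 6.x syntax (the route command itself is unchanged in 7.x/8.x). It assumes the interface names outside, inside and inf2 as on the slides, and that the 176.10.1.0/24 network sits behind the gateway 172.10.10.2 (an assumption; the figure does not say). Lines starting with ! are explanatory comments, not PIX commands.

```cisco
! Added example, not from the slides. Interface naming and addressing (PIX 6.x):
! the security level decides which direction traffic may flow without an ACL.
pixfirewall(config)# nameif ethernet0 outside security0
pixfirewall(config)# nameif ethernet1 inside security100
pixfirewall(config)# nameif ethernet2 inf2 security50
pixfirewall(config)# ip address outside 10.1.1.1 255.255.255.0
pixfirewall(config)# ip address inside 192.168.2.1 255.255.255.0
pixfirewall(config)# ip address inf2 172.10.10.1 255.255.255.0

! Default route: anything not otherwise known is sent to the outside
! perimeter gateway. The trailing 1 is the metric (administrative distance).
pixfirewall(config)# route outside 0.0.0.0 0.0.0.0 10.1.1.254 1

! Static route: 176.10.1.0/24 (assumed to lie behind 172.10.10.2) is reached
! through the gateway on inf2, not through the default route.
pixfirewall(config)# route inf2 176.10.1.0 255.255.255.0 172.10.10.2 1

! Verify: the connected networks and the two routes above should be listed.
pixfirewall(config)# show route
```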

Fixup

(config)# show fixup
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
(config)# fixup protocol http 161
(config)# fixup protocol ftp 60
(config)# fixup protocol smtp 84

A fixup protocol command adds application inspection for the named protocol on the given port (above, HTTP inspection is also applied on port 161, FTP on port 60 and SMTP on port 84). This matters for protocols that open secondary connections: FTP requires a server port on the initiator, and SQL*Net requires a negotiation on the connected port.

NAT, PAT, static mappings and ACLs

[Figure: the same perimeter topology as above (E0 outside 10.1.1.1 towards the perimeter gateway 10.1.1.254; E1 inside 192.168.2.1 with hosts 192.168.2.3 and 192.168.2.5; E2 inf2 172.10.10.1 towards the second perimeter gateway 172.10.10.2, with 176.10.1.1 and 176.10.1.2 beyond it), used for the NAT, PAT, static mapping and ACL slides. One of the PAT slides is marked "Do not NAT!".]
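As an added example (not from the original slides), NAT, PAT, a NAT exemption ("Do not NAT!"), a static mapping and an inbound access-list for the topology above, in PIX 6.x syntax (nat, global, static, access-list and access-group are unchanged up to ASA 8.2). It assumes the interface names outside (10.1.1.1), inside (192.168.2.1) and inf2 (172.10.10.1), and that the inside host 192.168.2.5 is a web server to be published on the outside as 10.1.1.10 (both assumptions). Lines starting with ! are explanatory comments, not PIX commands.

```cisco
! Added example, not from the slides.
! PAT: every inside host leaves through the single outside interface address.
! The nat ID (1) ties the inside network to global pool 1.
pixfirewall(config)# nat (inside) 1 192.168.2.0 255.255.255.0
pixfirewall(config)# global (outside) 1 interface

! NAT: hosts on inf2 get one-to-one addresses from a pool instead of PAT.
pixfirewall(config)# nat (inf2) 2 172.10.10.0 255.255.255.0
pixfirewall(config)# global (outside) 2 10.1.1.20-10.1.1.30 netmask 255.255.255.0

! Do not NAT: traffic between inside and inf2 keeps its real addresses.
! nat 0 with an access-list exempts the matching flows from translation,
! and is evaluated before the numbered nat statements.
pixfirewall(config)# access-list NONAT permit ip 192.168.2.0 255.255.255.0 172.10.10.0 255.255.255.0
pixfirewall(config)# nat (inside) 0 access-list NONAT

! Static mapping: the inside web server is always reachable as 10.1.1.10
! (assumed published address), so an outside ACL can refer to it.
pixfirewall(config)# static (inside,outside) 10.1.1.10 192.168.2.5 netmask 255.255.255.255

! ACL: traffic arriving on a lower-security interface is denied by default,
! so only the published service is opened, and only on its port. Before 8.3
! the ACL on the outside refers to the translated (global) address.
pixfirewall(config)# access-list OUTSIDE_IN permit tcp any host 10.1.1.10 eq www
pixfirewall(config)# access-group OUTSIDE_IN in interface outside

! Verify: active translations, and hit counts on the ACL entry.
pixfirewall(config)# show xlate
pixfirewall(config)# show access-list OUTSIDE_IN
```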

PIX/ASA Failover

Failure causes: power supply failures, primary reboot, interface problems, memory overflow.

[Figure: a 40U rack with two UPS units (UPS 1, UPS 2) and the firewall pair (5U, 1U, 1U).]

[Figure: MAIN and STANDBY PIX joined by a failover cable, each with E0 (outside), E1 (inside) and E2 (inf2). Hello messages are sent on ALL interfaces, including the failover connection.]

Licensing: either Prim (UR)/Sec (UR), or Prim (UR)/Sec (FO). An activation key is required!
- UR: Unrestricted licence (must be used for the primary).
- FO: Failover licence (for the secondary).
- R: Restricted licence (cannot be used).

Requirements for the pair: same PIX type; same RAM; same Flash memory; same type and interfaces; same software version; same activation keys for DES or 3DES.

Hello messages are sent every 1-15 seconds on every interface (hello time: PIX default 15 seconds, ASA default 1 second). If messages are not received within the holdtime (PIX default: 45 seconds, 3 times the hello time; ASA default: 15 seconds), failover happens. If the secondary doesn't work, the primary assumes control, and there is no failover.

Tests:
- Test 1. NIC status test. Up/down status of the interface.
- Test 2. Network activity. Monitor for 5 seconds. If activity is detected, cancel the remaining tests.
- Test 3. ARP test. Requests the last 10 IP addresses in the ARP table.
- Test 4. Ping test. Broadcast ping of 255.255.255.255. If there are any replies the test is quit.

[Figure: primary and standby PIX (interfaces e0 outside, e1 inside, e2 inf2) joined by a failover cable or by Ethernet (LAN-based failover).]

On start-up the config is automatically copied over. All new commands are replicated. The write standby command sends the config to the secondary.

Stateful failover. Restores everything: ARP table, xlate, fixup tables, routing information, IPSec/ISAKMP tables, MAC addresses, Hello messages. The secondary inherits the IP addresses and MAC addresses of the primary; the primary inherits the IP addresses and MAC addresses of the secondary. Requires an additional Ethernet connection.

[Figure: the pair joined by the failover cable plus a stateful connection on e3 of each unit; in the LAN-based variant e2 is used for failover through a dedicated switch/hub.]

Non-stateful failover. Only the RAM config and session details. The secondary inherits the IP addresses and MAC addresses of the primary; the primary inherits the IP addresses and MAC addresses of the secondary. Lost: NAT translations and connections.

Cable-based failover configuration:
myPIX (config)# failover active
myPIX (config)# failover ip address outside 157.202.212.2
myPIX (config)# failover ip address inside 73.105.56.11
myPIX (config)# failover ip address inf2 166.209.230.11
myPIX (config)# failover poll 2
myPIX (config)# show failover

LAN-based Failover, primary unit:
myPIX (config)# ip address outside 157.202.212.1
myPIX (config)# ip address inside 73.105.56.1
myPIX (config)# ip address inf2 166.209.230.1
myPIX (config)# failover active
myPIX (config)# failover ip address outside 157.202.212.2
myPIX (config)# failover ip address inside 73.105.56.2
myPIX (config)# failover ip address inf2 166.209.230.2
myPIX (config)# failover lan key mypix
myPIX (config)# failover lan unit primary
myPIX (config)# failover lan interface inf2
myPIX (config)# failover lan enable

LAN-based Failover, secondary unit:
myPIX (config)# ip address inf2 166.209.230.2
myPIX (config)# failover active
myPIX (config)# failover lan key mypix
myPIX (config)# failover lan unit secondary
myPIX (config)# failover lan interface inf2
myPIX (config)# failover lan enable

The failover ip address entries are the standby addresses the secondary uses on each interface; failover poll 2 sets the hello interval to 2 seconds; the failover lan key must be the same on both units, and inf2 (e2) is the dedicated LAN-based failover interface.

VPN

Issues involved:

[Figure: Bob and Alice communicating through gateways across an untrusted network, with Eve on the untrusted network.]
- Eve could eavesdrop on the public communications.
- Eve could change the data packets.
- Eve could set up an alternative gateway.

What is required is: encryption; authentication of devices (to overcome spoofing); authentication of packets (for integrity).

Tunnelling methods:
- PPTP (Point-to-Point Tunneling Protocol). Created by Microsoft and is routable. It uses MPPE (Microsoft Point-to-Point Encryption) and user authentication.
- L2TP (Layer 2 Tunneling Protocol). Works at Layer 2 to forward IP, IPX and AppleTalk (RFC2661). Cisco, Microsoft, Ascend and 3Com developed it. User and machine authentication, but no encryption (but can be used with L2TP over IPSec).
- IPSec. An open standard. Includes both encryption and authentication.

Tunnelling mode or transport mode

- Tunnelling mode (over untrusted connections): traffic is encrypted over the untrusted network only, between the gateways; it is unencrypted between Bob and his gateway and between Alice's gateway and Alice.
- Transport mode: end-to-end (host-to-host) tunnelling.

VPN types:
- Extranet VPN: Bob Co. to Alice Co.
- Intranet VPN: Bob Co. to Bob Co.
- Remote Access VPN: Bob@home to Bob Co.

[Figure: the example infrastructure again (Internet - Router - Firewall - Switch, DMZ servers, IDS), with a VPN from Bob to Alice.]

Traffic is only encrypted over the public channel. Encrypted traffic cannot be checked by firewalls, IDS, and so on.

Blocking end-to-end encryption

The firewall blocks all encrypted content and any negotiation of a tunnel. For IPSec (one of the most popular tunnelling methods): UDP Port 500 is the key exchange port. If it is blocked there can be no tunnel. TCP Port 50 for IPSec ESP (Encapsulated Security Protocol). TCP Port 51 for IPSec AH (Authentication Header).

IPSec

The IPSec protocol has:
- ESP (Encapsulated Security Protocol). ESP takes the original data packet and breaks off the IP header. The rest of the packet is encrypted, with the original header added at the start, along with a new ESP field at the start and one at the end. It is important that the IP header is not encrypted, as the data packet must still be read by routers as it travels over the Internet. Only the host at the other end of the IPSec tunnel can decrypt the contents of the IPSec data packet.
- AH (Authentication Header). This encrypts the complete contents of the IP data packet, and adds a new packet header. ESP has the weakness that an intruder can replay previously sent data, whereas AH provides a mechanism of sequence numbers to reduce this problem.

[Figure: ESP transport mode method (weakness: replay attack): IP header | ESP header | IP packet contents (encrypted) | ESP trailer | ESP Auth, with the authentication scope marked. AH transport method (provides complete authentication for the packet): New IP header | AH header | IP packet contents (IP header and contents), with the authentication scope marked.]

[Figure: IP header fields: Version, Header length, Type of service, Total length, Identification, flags (0, D, M), Fragment Offset, Time-to-Live, Protocol, Header Checksum, Source IP Address, Destination IP Address; followed by TCP and the higher-level protocol/data.]

IP protocol numbers:
- 1 ICMP Internet Control Message [RFC792]
- 6 TCP Transmission Control [RFC793]
- 8 EGP Exterior Gateway Protocol [RFC888]
- 9 IGP any private interior gateway [IANA]
- 47 GRE General Routing Encapsulation (PPTP)
- 50 ESP Encap Security Payload [RFC2406]
- 51 AH Authentication Header [RFC2402]
- 55 MOBILE IP Mobility
- 88 EIGRP EIGRP [CISCO]
- 89 OSPFIGP OSPFIGP [RFC1583]
- 115 L2TP Layer Two Tunneling Protocol

Phase 1 (IKE, Internet Key Exchange)

UDP port 500 is used for IKE. Phase 1 defines the policies between the peers. IKE policies: hashing algorithm (SHA/MD5), encryption (DES/3DES), Diffie-Hellman agreements, authentication (pre-share, RSA nonces, RSA sig).

isakmp enable outside
isakmp key ABC&FDD address 176.16.0.2 netmask 255.255.255.255
isakmp identity address
isakmp policy 5 authentication pre-share
isakmp policy 5 encryption des
isakmp policy 5 hash sha
isakmp policy 5 group 1
isakmp policy 5 lifetime 86400
sysopt connection permit-ipsec

Phase 2

Defines the policies for transform sets, peer IP addresses/hostnames and lifetime settings. Crypto maps are exchanged: AH, ESP (or both); encryption (DES, 3DES); ESP (tunnel or transport); authentication (SHA/MD5); SA lifetimes defined; define the traffic of interest.

crypto ipsec transform-set MYIPSECFORMAT esp-des esp-sha-hmac
crypto map MYIPSEC 10 ipsec-isakmp
access-list 111 permit ip 10.0.0.0 255.255.255.0 176.16.0.0 255.255.255.0
crypto map MYIPSEC 10 match address 111
crypto map MYIPSEC 10 set peer 176.16.0.2
crypto map MYIPSEC 10 set transform-set MYIPSECFORMAT
crypto map MYIPSEC interface outside

Here sysopt connection permit-ipsec lets IPSec-protected traffic bypass the interface access-lists, access-list 111 is the traffic of interest (the flows that bring up and are carried by the tunnel), and the crypto map is bound to the outside interface.
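The matching configuration on the peer PIX at 176.16.0.2, as an added example (not from the original slides) of what the other end of the site-to-site tunnel above must contain. It assumes the peer's protected network is 176.16.0.0/24 and that the local PIX's outside address is 172.16.0.1, taken from the IPSec (PIX) figure further down; the slides' 176.16.0.x and 172.16.0.x do not agree, so treat the addresses as placeholders. Lines starting with ! are explanatory comments, not PIX commands.

```cisco
! Added example, not from the slides: the peer side of the tunnel.
! Phase 1: every attribute of the policy (authentication, encryption, hash,
! DH group, lifetime) and the pre-shared key must agree with the local PIX,
! otherwise no ISAKMP SA is formed and Phase 2 never starts.
peer(config)# isakmp enable outside
peer(config)# isakmp key ABC&FDD address 172.16.0.1 netmask 255.255.255.255
peer(config)# isakmp identity address
peer(config)# isakmp policy 5 authentication pre-share
peer(config)# isakmp policy 5 encryption des
peer(config)# isakmp policy 5 hash sha
peer(config)# isakmp policy 5 group 1
peer(config)# isakmp policy 5 lifetime 86400
peer(config)# sysopt connection permit-ipsec

! Phase 2: the same transform set, and the traffic of interest mirrored
! (source and destination swapped relative to access-list 111 on the local
! PIX), or the IPSec SA proposal will not match.
peer(config)# crypto ipsec transform-set MYIPSECFORMAT esp-des esp-sha-hmac
peer(config)# access-list 111 permit ip 176.16.0.0 255.255.255.0 10.0.0.0 255.255.255.0
peer(config)# crypto map MYIPSEC 10 ipsec-isakmp
peer(config)# crypto map MYIPSEC 10 match address 111
peer(config)# crypto map MYIPSEC 10 set peer 172.16.0.1
peer(config)# crypto map MYIPSEC 10 set transform-set MYIPSECFORMAT
peer(config)# crypto map MYIPSEC interface outside

! Verify after sending interesting traffic: the Phase 1 SA first,
! then the Phase 2 SAs with their encrypt/decrypt counters.
peer(config)# show isakmp sa
peer(config)# show crypto ipsec sa
```

The DES and group 1 choices mirror the slide; on current equipment a practitioner would select a stronger cipher and DH group on both sides, keeping them identical.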

[Figure: device authentication and key agreement. Each side holds a public key (Kpb1, Kpb2); a shared key passed with Diffie-Hellman is used to encrypt all the data; the private key Kpv1 and its public key are used to authenticate the device, through a challenge whose hashed value is returned as the result and compared.]

IPSec (PIX) and IPSec (PIX and Router)

[Figure: site-to-site IPSec between a PIX and a peer (PIX or router), showing the addresses 10.0.0.1, 172.16.0.1, 172.16.0.2 and 192.168.0.1 along the path.]

Capture of the ISAKMP aggressive-mode exchange:

No.  Time      Source       Destination    Protocol  Info
81   5.237402  192.168.0.3  146.176.210.2  ISAKMP    Aggressive

Frame 81 (918 bytes on wire, 918 bytes captured)
Ethernet II, Src: IntelCor_34:02:f0 (00:15:20:34:62:f0), Dst: Netgear_b0:d6:8c (00:18:4d:b0:d6:8c)
Internet Protocol, Src: 192.168.0.3 (192.168.0.3), Dst: 146.176.210.2 (146.176.210.2)
Internet Security Association and Key Management Protocol
  Initiator cookie: 5ABABE2D49A2D42A
  Responder cookie: 0000000000000000
  Next payload: Security Association (1)
  Version: 1.0
  Exchange type: Aggressive (4)
  Flags: 0x00
  Message ID: 0x00000000
  Length: 860
  Security Association payload
    Next payload: Key Exchange (4)
    Payload length: 556
    Domain of interpretation: IPSEC (1)
    Situation: IDENTITY (1)
    Proposal payload # 1
      Next payload: NONE (0)
      Payload length: 544
      Proposal number: 1
      Protocol ID: ISAKMP (1)
      SPI Size: 0
      Proposal transforms: 14
      Transform payload # 1
        Next payload: Transform (3)
        Payload length: 40
        Transform number: 1
        Transform ID: KEY_IKE (1)
        Encryption-Algorithm (1): AES-CBC (7)
        Hash-Algorithm (2): SHA (2)
        Group-Description (4): Alternate 1024-bit MODP group (2)
        Authentication-Method (3): XAUTHInitPreShared (65001)
        Life-Type (11): Seconds (1)
        Life-Duration (12): Duration-Value (2147483)
        Key-Length (14): Key-Length (256)

VPN Bob Co.


Bob@ home

Remote Access VPN

Before connecting to the VPN:

C:\>route print
===========================================================================
Interface List
 10 ...00 1d 09 3f 49 8d ...... Broadcom NetLink (TM) Fast Ethernet
  7 ...00 1f 3c 4f 30 1d ...... Intel(R) PRO/Wireless 3945ABG Network Connection
  1 ........................... Software Loopback Interface 1
===========================================================================

IPv4 Route Table
===========================================================================
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0      192.168.0.1      192.168.0.3     25
        127.0.0.0        255.0.0.0         On-link        127.0.0.1    306
        127.0.0.1  255.255.255.255         On-link        127.0.0.1    306
  127.255.255.255  255.255.255.255         On-link        127.0.0.1    306
      192.168.0.0    255.255.255.0         On-link      192.168.0.3    281
      192.168.0.3  255.255.255.255         On-link      192.168.0.3    281
    192.168.0.255  255.255.255.255         On-link      192.168.0.3    281
        224.0.0.0        240.0.0.0         On-link        127.0.0.1    306
        224.0.0.0        240.0.0.0         On-link      192.168.0.3    281
  255.255.255.255  255.255.255.255         On-link        127.0.0.1    306
  255.255.255.255  255.255.255.255         On-link      192.168.0.3    281
===========================================================================
Persistent Routes:
  None

[Figure: Remote Access VPN, Bob@home to the Bob Co. VPN]


After connecting to the VPN:

C:\>route print
===========================================================================
Interface List
 21 ...00 05 9a 3c 78 00 ...... Cisco Systems VPN Adapter
 10 ...00 1d 09 3f 49 8d ...... Broadcom NetLink (TM) Fast Ethernet
  7 ...00 1f 3c 4f 30 1d ...... Intel(R) PRO/Wireless 3945ABG Network Connectio
  1 ........................... Software Loopback Interface 1
===========================================================================

IPv4 Route Table
===========================================================================
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0      192.168.0.1      192.168.0.3     25
        127.0.0.0        255.0.0.0         On-link        127.0.0.1    306
        127.0.0.1  255.255.255.255         On-link        127.0.0.1    306
  127.255.255.255  255.255.255.255         On-link        127.0.0.1    306
      146.176.0.0      255.255.0.0         On-link  146.176.212.218    281
      146.176.1.0    255.255.255.0      146.176.0.1  146.176.212.218    100
      146.176.2.0    255.255.255.0      146.176.0.1  146.176.212.218    100
...
    146.176.210.2  255.255.255.255      192.168.0.1      192.168.0.3    100
    146.176.211.0    255.255.255.0      146.176.0.1  146.176.212.218    100
  146.176.212.218  255.255.255.255         On-link  146.176.212.218    281
...
  255.255.255.255  255.255.255.255         On-link        127.0.0.1    306
  255.255.255.255  255.255.255.255         On-link      192.168.0.3    281
  255.255.255.255  255.255.255.255         On-link  146.176.212.218    281
===========================================================================
Persist

[Figure: Remote Access VPN, Bob@home (192.168.0.3, VPN address 146.176.212.218), VPN connection to Bob Co. at 146.176.0.1]


All other traffic, that is, traffic not destined for the 146.176.0.0 network, goes through the non-VPN connection.
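To make the route-table behaviour above concrete, here is an added example (not part of the original slides) that replays the post-connection routes shown and applies Windows-style longest-prefix-match selection. It shows that the Napier web server is reached via the VPN adapter, that an Internet host such as the www.intel.com address is not, and that the /32 host route for the VPN peer 146.176.210.2 keeps the tunnel endpoint itself on the home gateway. Route entries are transcribed from the slide; the function names are the example's own.

```python
import ipaddress

# Constructed from the post-connection "route print" shown on the slides:
# (destination, netmask, gateway, interface, metric). "On-link" means the
# destination is directly reachable on that interface (no next hop).
ROUTES_AFTER_VPN = [
    ("0.0.0.0",       "0.0.0.0",         "192.168.0.1", "192.168.0.3",     25),
    ("127.0.0.0",     "255.0.0.0",       "On-link",     "127.0.0.1",       306),
    ("146.176.0.0",   "255.255.0.0",     "On-link",     "146.176.212.218", 281),
    ("146.176.1.0",   "255.255.255.0",   "146.176.0.1", "146.176.212.218", 100),
    ("146.176.2.0",   "255.255.255.0",   "146.176.0.1", "146.176.212.218", 100),
    ("146.176.210.2", "255.255.255.255", "192.168.0.1", "192.168.0.3",     100),
    ("146.176.211.0", "255.255.255.0",   "146.176.0.1", "146.176.212.218", 100),
    ("192.168.0.0",   "255.255.255.0",   "On-link",     "192.168.0.3",     281),
]

VPN_INTERFACE = "146.176.212.218"   # address of the Cisco VPN adapter


def select_route(routes, destination):
    """Pick the route Windows would use: longest prefix match, then lowest metric.
    Returns (gateway, interface) or None if no route covers the destination."""
    dst = ipaddress.ip_address(destination)
    best_key, best = None, None
    for net, mask, gateway, iface, metric in routes:
        network = ipaddress.ip_network(f"{net}/{mask}", strict=False)
        if dst not in network:
            continue
        key = (network.prefixlen, -metric)      # longer prefix wins, then lower metric
        if best_key is None or key > best_key:
            best_key, best = key, (gateway, iface)
    return best


def goes_through_vpn(routes, destination, vpn_iface=VPN_INTERFACE):
    """True when the selected route leaves via the VPN adapter (tunnelled traffic)."""
    route = select_route(routes, destination)
    return route is not None and route[1] == vpn_iface


def split_tunnel_report(routes, destinations, vpn_iface=VPN_INTERFACE):
    """Map each destination to 'vpn' or 'direct', as the two traceroutes show."""
    return {d: ("vpn" if goes_through_vpn(routes, d, vpn_iface) else "direct")
            for d in destinations}


if __name__ == "__main__":
    targets = ["146.176.222.174", "90.223.246.33", "146.176.210.2"]
    for host, path in split_tunnel_report(ROUTES_AFTER_VPN, targets).items():
        print(f"{host:>16} -> {path}")
```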

[Figure: Remote Access VPN, Bob@home (VPN address 146.176.212.218) to the Bob Co. VPN]


Traceroute for VPN

[Figure: VPN connection to 146.176.0.1]

Before VPN connection:

C:\>tracert www.napier.ac.uk

Tracing route to www.napier.ac.uk [146.176.222.174]
over a maximum of 30 hops:

  1     2 ms     2 ms     6 ms  192.168.0.1
  2    36 ms    38 ms    38 ms  cr0.escra.uk.easynet.net [87.87.249.224]
  3    31 ms    31 ms    30 ms  ip-87-87-146-129.easynet.co.uk [87.87.146.129]
  4    43 ms    43 ms    43 ms  be2.er10.thlon.ov.easynet.net [195.66.224.43]
  5    48 ms    45 ms    45 ms  linx-gw1.ja.net [195.66.224.15]
  6    45 ms    44 ms    45 ms  so-0-1-0.lond-sbr4.ja.net [146.97.35.129]
  7    49 ms    79 ms    49 ms  so-2-1-0.leed-sbr1.ja.net [146.97.33.29]
  8    58 ms    56 ms    56 ms  EastMAN-E1.site.ja.net [146.97.42.46]
  9    59 ms    57 ms    57 ms  vlan16.s-pop2.eastman.net.uk [194.81.56.66]
 10    57 ms    59 ms    58 ms  gi0-1.napier-pop.eastman.net.uk [194.81.56.46]
 11    [hop 11 not captured in the slide extract]

After VPN connection:

C:\>tracert www.napier.ac.uk

Tracing route to www.napier.ac.uk [146.176.222.174]
over a maximum of 30 hops:

  1    57 ms    58 ms    57 ms  146.176.210.2
  2    58 ms    56 ms    57 ms  www.napier.ac.uk [146.176.222.174]
  3    58 ms    59 ms    56 ms  www.napier.ac.uk [146.176.222.174]

[Figure: Remote Access VPN, Bob@home (VPN address 146.176.212.218) to the Bob Co. VPN]


Traceroute for VPN

[Figure: VPN connection to 146.176.0.1]

Before VPN connection:

C:\>tracert www.intel.com

Tracing route to a961.g.akamai.net [90.223.246.33]
over a maximum of 30 hops:

  1     3 ms     1 ms     1 ms  192.168.0.1
  2    35 ms    43 ms    36 ms  cr0.escra.uk.easynet.net [87.87.249.224]
  3    32 ms    31 ms    32 ms  ip-87-87-146-129.easynet.co.uk [87.87.146.129]
  4    46 ms    45 ms    45 ms  te7-0-0.sr0.enlcs.ov.easynet.net [89.200.132.109]
  5    46 ms    47 ms    47 ms  5adff621.bb.sky.com [90.223.246.33]

After VPN connection:

C:\>tracert www.intel.com

Tracing route to a961.g.akamai.net [90.223.246.33]
over a maximum of 30 hops:

  1     3 ms     1 ms     1 ms  192.168.0.1
  2    35 ms    43 ms    36 ms  cr0.escra.uk.easynet.net [87.87.249.224]
  3    32 ms    31 ms    32 ms  ip-87-87-146-129.easynet.co.uk [87.87.146.129]
  4    46 ms    45 ms    45 ms  te7-0-0.sr0.enlcs.ov.easynet.net [89.200.132.109]
  5    46 ms    47 ms    47 ms  5adff621.bb.sky.com [90.223.246.33]

The path to www.intel.com is unchanged once the VPN is up: the destination lies outside the 146.176.0.0 network, so it still leaves via the home gateway 192.168.0.1 rather than the tunnel.
