Basic Firewall Initialization via the CLI

In my last post I showed you how to do basic firewall configuration via the initial interactive prompt when booting the ASA (an ASA5520 in my example). Here I will show you how to set the same options via the CLI.

You can bypass the interactive prompt by typing “No” at the prompt asking if you’d like to ”Pre-configure Firewall now through interactive prompts”. You can then enter enable (privileged EXEC) mode by typing ‘enable’ or ‘en’ at the prompt. The default enable password on a freshly started ASA is blank, so you just hit Enter.

Pre-configure Firewall now through interactive prompts [yes]? no

Type help or '?' for a list of available commands.
ciscoasa> en
Password:
ciscoasa#

The first question asked during the interactive setup is which firewall mode you’d like to use. The ASA 55xx firewalls support two modes, routed and transparent. In routed mode the firewall is a Layer 3 hop and shows up in a traceroute. You can run routing protocols such as RIP, OSPF and EIGRP in this mode, you can have multiple interfaces in different subnets, and interfaces can be shared between contexts. Like other Layer 3 devices, some traffic will not pass through the firewall even if an access list allows it.

In transparent mode the firewall acts as a Layer 2 device and will NOT show up as a hop in a traceroute. The same network is connected on both the inside and outside interfaces, and Layer 3 traffic is allowed through the firewall from a higher-security interface to a lower-security interface without requiring an access list. ARP is allowed through the firewall in this mode without an access list and is controlled by ARP inspection.

The default setting for this is routed, so there’s no need to make any configuration change in order to put the firewall into this mode.

The second configuration item is setting the enable password. This is completed by using the “enable password <password>” command.

ciscoasa# conf t
ciscoasa(config)# enable password cisco
ciscoasa(config)#

The next configuration item is password recovery. By default, the ASA allows password recovery. You can disable it with the command “no service password-recovery”. With password recovery disabled, the only way to recover from a lost password is to have ROMMON erase all the file systems, including the software images and configuration files, so you will need a backup of the configuration and a way to restore the images from the ROMMON command line.

ciscoasa# conf t
ciscoasa(config)# no service password-recovery
WARNING: Executing "no service password-recovery" has disabled the password recovery mechanism and disabled access to ROMMON. The only means of recovering from lost or forgotten passwords will be for ROMMON to erase all file systems including configuration files and images. You should make a backup of your configuration and have a mechanism to restore images from the ROMMON command line.
ciscoasa(config)# end
ciscoasa#

Next is setting the clock. Note that this is done from the enable prompt, not in configuration mode. You can check the clock before and after setting it with the “show clock” command.

ciscoasa#
ciscoasa# clock set 14:54:00 Dec 21 2011
ciscoasa# show clock
14:54:07.759 UTC Wed Dec 21 2011
ciscoasa#

After setting the clock, the next item to configure is the IP address of the inside interface. The interactive menu uses G0/1 as the default inside interface, but you can use any port you choose. For this example I’ll use G0/1 as well, just to keep it similar.

ciscoasa# conf t
ciscoasa(config)# int g0/1
ciscoasa(config-if)# ip address 172.16.10.1 255.255.255.0
ciscoasa(config-if)# nameif inside
INFO: Security level for "inside" set to 100 by default.
ciscoasa(config-if)# no shut
ciscoasa(config-if)# end
ciscoasa#

Next we set the hostname and the domain name.

ciscoasa# conf t
ciscoasa(config)# hostname TestAsa
TestAsa(config)# domain-name testlab.com
TestAsa(config)# end
TestAsa#

The last item to configure is the IP address that is allowed to reach the device manager (ASDM). This is done in two parts: first enable the HTTP server, then allow access to it from an IP address or range via the inside interface. For this example I’m allowing access from a single IP address, so the mask is 255.255.255.255. To allow access from a larger subnet, the mask would change to match the range I wanted to allow.

TestAsa#
TestAsa# conf t
TestAsa(config)# http server enable
TestAsa(config)# http 172.16.10.77 255.255.255.255 inside
TestAsa(config)# end
TestAsa#

So that’s how to perform firewall initialization via the command line. If you missed the prior article on performing firewall initialization via the interactive prompt, that can be found here.

I’m currently still deciding if I’ll post any more before the holiday weekend, but regardless if it’s later this week or early next week, the next set of posts will be all about configuring device management.

Basic Firewall Initialization via the interactive prompt

The first section of the CCIE Security blueprint is “Implement secure networks using Cisco ASA firewalls”. I’m going to concentrate on the first step in this section, “Perform basic firewall initialization”.

Implement secure networks using Cisco ASA Firewalls

  1. Perform basic firewall Initialization
  2. Configure device management
  3. Configure address translation (nat, global, static)
  4. Configure ACLs
  5. Configure IP routing
  6. Configure object groups
  7. Configure VLANs
  8. Configure filtering
  9. Configure failover
  10. Configure Layer 2 Transparent Firewall
  11. Configure security contexts (virtual firewall)
  12. Configure Modular Policy Framework
  13. Configure Application-Aware Inspection
  14. Configure high availability solutions
  15. Configure QoS policies

For reference, I’m using an ASA5520 in the examples here. There are a few options when setting up the ASA for the first time. When the device boots for the first time, you have the option of going through the interactive prompts, or exiting out and configuring the device through the CLI by yourself.

The interactive prompts will ask you a series of questions about how you want the device configured, and once you enter the information, the ASA then builds the configuration based on the input. Below is a screenshot of this process.

From the screenshot above, you can see that the interactive setup gives you the ability to set the firewall mode, the enable password, password recovery, the date, the inside IP address/netmask, the hostname and domain name, and the IP address allowed to reach the Device Manager.

A ‘show running-config’ will show you the entire config (which is below) and you can see where all of this information is located. By default, the ASA will use G0/1 as the inside interface. In the next post, I’ll go through how to configure these options through the CLI without using the interactive prompts.

ASA Version 8.0(4)
!
hostname TestAsa
domain-name testlab.com
enable password 2KFQnbNIdI.2KYOU encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface GigabitEthernet0/0
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 172.16.10.1 255.255.255.0
!
interface GigabitEthernet0/2
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0/3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 shutdown
 no nameif
 no security-level
 no ip address
!
ftp mode passive
dns server-group DefaultDNS
 domain-name testlab.com
pager lines 24
mtu inside 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 172.16.10.77 255.255.255.255 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
telnet timeout 5
ssh timeout 5
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip
  inspect xdmcp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:22ae122beccc2511aed8c3503c707600
: end
TestAsa#
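Since the running-config is where all of the initialization items from both posts end up, here is an added example (mine, not from the posts or from Cisco) that audits a saved ‘show running-config’ for those items: a factory-default hostname, password recovery left enabled, an enable password whose hash is the well-known hash of “cisco” (the value the config above shows), the login (passwd) and enable passwords being the same, an http (ASDM) entry open to any host, and unused interfaces that are not shut down. The sample config is constructed from the config above with two weak spots deliberately inserted so the checks have something to report.

```python
import ipaddress
import re

# Constructed sample: the post's running-config trimmed, with two deliberate
# changes to give the checks something to find (Management0/0 is left up and
# an 'http 0.0.0.0 0.0.0.0 inside' entry is added).
SAMPLE_CONFIG = """\
hostname TestAsa
enable password 2KFQnbNIdI.2KYOU encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
!
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 172.16.10.1 255.255.255.0
!
interface Management0/0
 no nameif
 no security-level
 no ip address
!
http server enable
http 172.16.10.77 255.255.255.255 inside
http 0.0.0.0 0.0.0.0 inside
"""
# ASA/PIX hash of the password 'cisco', the value the post's config shows.
CISCO_DEFAULT_HASH = "2KFQnbNIdI.2KYOU"


def audit(config):
    """Return a list of findings for the initialization items in the post."""
    findings = []
    host = re.search(r"^hostname (\S+)$", config, re.M)
    if host is None or host.group(1) == "ciscoasa":
        findings.append("hostname is still the factory default")
    if re.search(r"^no service password-recovery$", config, re.M) is None:
        findings.append("password recovery is enabled (the default)")
    hashes = dict(re.findall(r"^(enable password|passwd) (\S+) encrypted$", config, re.M))
    if hashes.get("enable password") == CISCO_DEFAULT_HASH:
        findings.append("enable password is 'cisco'")
    if len(hashes) == 2 and len(set(hashes.values())) == 1:
        findings.append("login (passwd) and enable password are the same")
    if re.search(r"^http server enable$", config, re.M):
        # Each 'http <addr> <mask> <ifname>' line is a permitted ASDM source;
        # a mask of 0.0.0.0 opens the device manager to every host on that side.
        for addr, mask, iface in re.findall(r"^http (\S+) (\S+) (\S+)$", config, re.M):
            net = ipaddress.ip_network(f"{addr}/{mask}", strict=False)
            if net.prefixlen == 0:
                findings.append(f"http (ASDM) reachable from any host on {iface}")
    # ASA indents interface sub-commands by one space; grab each stanza's body.
    for name, body in re.findall(r"^interface (\S+)\n((?: .*\n)*)", config, re.M):
        cmds = [c.strip() for c in body.splitlines()]
        if "no nameif" in cmds and "shutdown" not in cmds:
            findings.append(f"unused interface {name} is not shut down")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print("FINDING:", finding)
```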

 

 

Information Gathering

One of the important aspects of the lab exam is information gathering. The lab itself consists of so much material that it’s impossible to memorize it all. A good strategy used by many successful CCIE candidates has been to learn the core technologies so well that their configuration can be done with little thought. With the core technologies locked down, the candidate is free to spend time working on the lesser-known technologies. Remember, the lab itself is only 8 hours. While that seems like a lot of time, once you actually sit down and start configuring this equipment, time flies by much quicker than it seems. It’s very easy to blow through a couple of hours without realizing it. By knowing the core technologies, their configuration becomes quick and the amount of time spent on them is minimal. The lesser-known technologies are the real time sink.

The only thing that you’re allowed to use as reference material in the actual lab is a copy of the Cisco documentation CD. While this isn’t a CD anymore (it’s on the Cisco website), you won’t be allowed to go anywhere else on the web to do any research. The documentation that you are allowed to use can be found here. Before attempting the lab, it’s important that you know how to navigate that documentation. It seems easier than it is, but once you get a handle on how things are laid out in the documentation, the amount of time you spend looking for an answer will drop dramatically.

 

CCIE Security V3.0 Book List

Cisco was nice enough to go ahead and provide a list of books that cover the material included on the CCIE Security exam. While the list itself is a decent size, the part that’s soul-crushing is the cost of purchasing the books themselves. Most of the books in the list are Cisco Press editions, and while everyone might not be familiar with Cisco Press, those of us that are know that they don’t come cheap. The average cost for the books in this list is between 50.00 and 70.00 per book. If money is no object, then by all means, buy them all, but that doesn’t seem very cost effective to me.

The solution I decided to go with is the Safari Bookshelf. The Safari Bookshelf gives you access to a huge library of books for a monthly fee. The fee depends on which option you go with (I went with the unlimited option), with some only allowing 10 books per month on your “shelf” and the unlimited option giving you access to as many as you want. I opted for the unlimited option because I thought it would make switching back and forth between all the reference material easier. If I decide later on that I don’t think it’s worth the cash (it’s around 40/month as of this post), then I’ll downgrade to a cheaper option.

While Safari carries most of the books on the list (30 out of 36), there are still 6 that they don’t have. The titles missing seem to be either quick reference guides or books published prior to 2001. While there may be material in the titles published over a decade ago that could be helpful, in my opinion the titles are too old to offer anything more than maybe a helping hand in understanding newer technologies or designs. I don’t think it’s worthwhile to hunt these few titles down, as I don’t think the reward is worth the effort.

In the list below, I have asterisks next to the titles that Safari doesn’t currently carry.

Cisco Press Titles

Other Publications

CCIE Security Lab Blueprint V3.0

In my first post I mentioned that I would be using the Security lab blueprint as the basis for the majority of the posts here. Cisco has the blueprint laid out in a decent fashion starting with the easiest topics (Perform basic firewall initialization) and then moving through to more in-depth topics such as IPS 4200 sensor and mitigation techniques to respond to network attacks.

The blueprint (V3.0) can be found here, and I’ve also provided it below. I plan on moving through it one step at a time, showing you what sources I used to learn the configuration, what the actual configuration was that I used, and then showing you how I verified that the configuration worked.

  1. Implement secure networks using Cisco ASA Firewalls
    1. Perform basic firewall Initialization
    2. Configure device management
    3. Configure address translation (nat, global, static)
    4. Configure ACLs
    5. Configure IP routing
    6. Configure object groups
    7. Configure VLANs
    8. Configure filtering
    9. Configure failover
    10. Configure Layer 2 Transparent Firewall
    11. Configure security contexts (virtual firewall)
    12. Configure Modular Policy Framework
    13. Configure Application-Aware Inspection
    14. Configure high availability solutions
    15. Configure QoS policies
  2. Implement secure networks using Cisco IOS Firewalls
    1. Configure CBAC
    2. Configure Zone-Based Firewall
    3. Configure Audit
    4. Configure Auth Proxy
    5. Configure PAM
    6. Configure access control
    7. Configure performance tuning
    8. Configure advanced IOS Firewall features
  3. Implement secure networks using Cisco VPN solutions
    1. Configure IPsec LAN-to-LAN (IOS/ASA)
    2. Configure SSL VPN (IOS/ASA)
    3. Configure Dynamic Multipoint VPN (DMVPN)
    4. Configure Group Encrypted Transport (GET) VPN
    5. Configure Easy VPN (IOS/ASA)
    6. Configure CA (PKI)
    7. Configure Remote Access VPN
    8. Configure Cisco Unity Client
    9. Configure Clientless WebVPN
    10. Configure AnyConnect VPN
    11. Configure XAuth, Split-Tunnel, RRI, NAT-T
    12. Configure High Availability
    13. Configure QoS for VPN
    14. Configure GRE, mGRE
    15. Configure L2TP
    16. Configure advanced Cisco VPN features
  4. Configure Cisco IPS to mitigate network threats
    1. Configure IPS 4200 Series Sensor Appliance
    2. Initialize the Sensor Appliance
    3. Configure Sensor Appliance management
    4. Configure virtual Sensors on the Sensor Appliance
    5. Configure security policies
    6. Configure promiscuous and inline monitoring on the Sensor Appliance
    7. Configure and tune signatures on the Sensor Appliance
    8. Configure custom signatures on the Sensor Appliance
    9. Configure blocking on the Sensor Appliance
    10. Configure TCP resets on the Sensor Appliance
    11. Configure rate limiting on the Sensor Appliance
    12. Configure signature engines on the Sensor Appliance
    13. Use IDM to configure the Sensor Appliance
    14. Configure event action on the Sensor Appliance
    15. Configure event monitoring on the Sensor Appliance
    16. Configure advanced features on the Sensor Appliance
    17. Configure and tune Cisco IOS IPS
    18. Configure SPAN & RSPAN on Cisco switches
  5. Implement Identity Management
    1. Configure RADIUS and TACACS+ security protocols
    2. Configure LDAP
    3. Configure Cisco Secure ACS
    4. Configure certificate-based authentication
    5. Configure proxy authentication
    6. Configure 802.1x
    7. Configure advanced identity management features
    8. Configure Cisco NAC Framework
  6. Implement Control Plane and Management Plane Security
    1. Implement routing plane security features (protocol authentication, route filtering)
    2. Configure Control Plane Policing
    3. Configure CP protection and management protection
    4. Configure broadcast control and switchport security
    5. Configure additional CPU protection mechanisms (options drop, logging interval)
    6. Disable unnecessary services
    7. Control device access (Telnet, HTTP, SSH, Privilege levels)
    8. Configure SNMP, Syslog, AAA, NTP
    9. Configure service authentication (FTP, Telnet, HTTP, other)
    10. Configure RADIUS and TACACS+ security protocols
    11. Configure device management and security
  7. Configure Advanced Security
    1. Configure mitigation techniques to respond to network attacks
    2. Configure packet marking techniques
    3. Implement security RFCs (RFC1918/3330, RFC2827/3704)
    4. Configure Black Hole and Sink Hole solutions
    5. Configure RTBH filtering (Remote Triggered Black Hole)
    6. Configure Traffic Filtering using Access-Lists
    7. Configure IOS NAT
    8. Configure TCP Intercept
    9. Configure uRPF
    10. Configure CAR
    11. Configure NBAR
    12. Configure NetFlow
    13. Configure Anti-Spoofing solutions
    14. Configure Policing
    15. Capture and utilize packet captures
    16. Configure Transit Traffic Control and Congestion Management
    17. Configure Cisco Catalyst advanced security features
  8. Identify and Mitigate Network Attacks
    1. Identify and protect against fragmentation attacks
    2. Identify and protect against malicious IP option usage
    3. Identify and protect against network reconnaissance attacks
    4. Identify and protect against IP spoofing attacks
    5. Identify and protect against MAC spoofing attacks
    6. Identify and protect against ARP spoofing attacks
    7. Identify and protect against Denial of Service (DoS) attacks
    8. Identify and protect against Distributed Denial of Service (DDoS) attacks
    9. Identify and protect against Man-in-the-Middle (MiM) attacks
    10. Identify and protect against port redirection attacks
    11. Identify and protect against DHCP attacks
    12. Identify and protect against DNS attacks
    13. Identify and protect against Smurf attacks
    14. Identify and protect against SYN attacks
    15. Identify and protect against MAC Flooding attacks
    16. Identify and protect against VLAN hopping attacks
    17. Identify and protect against various Layer2 and Layer3 attacks

The long road ahead

A couple weeks ago I got together with a close friend of mine and the conversation turned towards the topic of being complacent in your current employment position. With the economy the way it is, no one is really safe from being laid off, but the complacency comes more from the idea that we’re capable of doing what’s currently required and that we’ve been slacking off on learning new technologies.

After talking about this for a bit, we decided to tackle the CCIE Security exam. By going through it together at the same time, we would have the ability to bounce questions or ideas off each other, as well as configure equipment between two networks to test the various requirements of the lab exam.

All of this leads to this blog. Part of the process that I go through to learn is to talk about it with other people. I’ve heard that if you know something well enough to explain it to someone else, then you’re on the right track. That’s my goal with this blog. I’m going to follow the Cisco Lab Blueprint and post updates as I move from step to step and begin the journey of becoming a CCIE. Hopefully you enjoy the ride.