Posts Tagged ‘asa’
Well, we had all heard the rumors that it was coming down the line, and today Cisco decided to make it official just ahead of Cisco Live. Something very interesting thing about this update -no doubt as a result of really listening to the community’s voice in regards to the things that threaten the enterprise most these days- is that they’ve added a heavy emphasis on Bring Your Own Device (BYOD) over wireless threats. With the addition of a Wireless Lan Controller (WLC) and at least a single AP, along with the Identity Services Engine (ISE). For those of you who may not be familiar with the ISE, this is basically an evolution of a few devices combined into one – it is sort of a mix of the ACS, NAC Appliance and NAC Profiler. However, it is NOT a replacement for the ACS, namely because it does not do TACACS+, instead only supporting RADIUS for 802.1x and NAC. This is the reason that Cisco decided to leave ACS server in there – but upgrading it to v5.x (most likely 5.3). Also, if you happen to not have any experience with wireless technologies in general – you’re in luck! INE is releasing our 20-hour CCNA Wireless class later today, which covers Lightweight Access Points (LWAP) being controlled by WLCs, and those WLCs being controlled by higher-up Wireless Control System (WCS). In fact, since I’ve mentioned the WCS, it’s quite interesting that Cisco (in sort of a nonchalant way) mentions that the ASA firewalls may be configured by “Cisco Prime Tools”. If you aren’t familiar with Cisco Prime, it is basically the new branding of Cisco’s network management as a whole. LMS would now fall under Prime, something called Prime NCS (evolution of Cisco’s WCS), and Prime Tools fall under the new Prime branding.
There’s also a smidge of Voice device authentication as well, though it doesn’t even begin to really touch on Unified Communications security – something I still think will largely be addressed in the next CCIE Voice update. Basically they have a 7900 phone (probably 7965) and you do NOT have to configure the Unified Communications Manager (UCM) server to get it to work, you only have to dot1x authenticate it onto the wired network. Basically setup the ISE or ACS to auth it and interact with the actual phone display to input your credentials. Don’t be concerned – it’s nothing difficult at all.
Cisco also (finally) introduces their IronPort acquisition to the exam, by way of the S-series Web Security Appliance (WSA). This device goes way beyond days of old where you blocked or allowed certain websites, but rather digs deep into the functionality of websites and web-based applications and provides ‘acceptable use enforcement’ of these sites or webapps. Take for example Facebook. Many (if not most) companies these days have a social presence and use Facebook as a tool to conduct business, but that doesn’t mean they want their users surfing FB all day. The WSA allows strategic enforcement of what is and is not allowed to occur via these type web sites. It also blocks against threats such as malware.
They mention simply including “VPN Client Software” which will no doubt be the Cisco Secure Services Client v5 installed on one or possibly more Windows 7 virtual desktops placed around the topology. This would make sense for both wired and wireless 802.1x authentication with the ACS/ISE. Something we also go into in the new 20-hour CCNA Wireless class I just recorded a few weeks back. Question is whether AnyConnect Secure Mobility Client will also be tested. It’s not in there per-se, but that doesn’t mean it isn’t possible.
The addition of at least one 2911 ISR-G2 only makes sense, as IOS version 15.2 can’t be run on an older ISRs (making me wonder why the inclusion of the older ISR is even there, save maybe that there are far more deployed currently).
Links to both the new v4 blueprint and v4 hardware/software equipment list, as well as a more detailed checklist for studying:
There are obviously still a lot of questions that need to be answered by Cisco to have a complete and full picture of this new version of the prestigious CCIE Security exam, and those will no doubt be addressed during the 8-hour seminar this Sunday at Cisco Live in San Diego. I should note that this 8-hour session is an additional charge ($799) on top of your normal admittance to the convention – it is not considered a “breakout session”, all of which come included with your convention pass. Some obvious questions might be:
- Will we need to know how to configure ASA via Prime Tools, or is that simply another option?
- How many Windows 7 desktops will there be, and will we be using AnyConnect NAM on them or something like CSSC?
- Will there be both ASA and ASA-x versions? And if so, what would be the reason? (ASA-X series runs 8.6, whereas ASA only goes up to 8.4, amongst other things
- And many others we’ll come up with and have asked and answered
You can be sure that INE will be there, tweeting and live-blogging from the event.
Follow me and stay updated throughout the conference!
The first portion of INE’s new CCIE Security Advanced Technologies Class for the 3.0 blueprint is now available in both streaming and download formats. Subscribers to the All Access Pass already have access to this new course, and can upgrade to the download version for $159. Non-subscribers can purchase the standalone download for $299, or subscribe to the AAP for just $159 per month. Customers who have access to previous versions of the CCIE Security ATC will get access to the new streaming version at no extra charge.
The current release of the class contains the first 18 hours of videos. New videos will be posted incrementally over the next few weeks, to bring the final runtime somewhere between 40 and 60 hours. Specifically the following topics are covered in this first portion of the release:
INE is proud to announce the upcoming release of our new CCIE Security Advanced Technologies Class and CCIE Security 5-Day Bootcamp. The 5-Day Bootcamp will be available in streaming and download format starting this weekend, followed shortly by the Advanced Technologies class. Both of these video series are included with the All Access Pass subscriptions, or can be purchased as standalone downloads. Samples of both classes are available below.
Change is in the air. I’ve noticed that over the last several weeks, we’ve had at least five security CCIE candidates pass who used INE’s security products as part of their study plan. What these students have done is use a combination of our version 3 and version 5 products. Congratulations to all those who passed!
After returning from vacation, Bob (the optimistic firewall technician) decided that he wanted to take some time and get a little bit more familiar with firewall configuration. He was able to get permission to use some spare equipment for practice.
It was a dark, cold night in late December, and Bob, (the optimistic firewall technician), had a single ASA to deploy before going home for the holidays. The requirements for the firewall were simple. Bob read them slowly as follows:
- R1 should be able to ping the server “Radio.INE.com” by name.
- PC should be able to ping the server “Radio.INE.com” by name.
Bob also read the background information to see if this was something he could finish before leaving the office. Bob read the following:
we have just uploaded the initial update of IEWB-SC VOL1 “VPN” section to all subscribed accounts. The update contains 15 new labs listed below:
LAN-to-LAN VPN between IOS and ASA
IPsec and NAT Interaction in ASA Firewall
Peer Authentication using Digital Signatures
ASA Tunnel Group Names
ASA Certificate Mapping Rules
Filtering traffic inside LAN-to-LAN tunnels
LAN-to-LAN tunnel between IOS Routers
IOS IPsec NAT Traversal
IOS IKE Aggressive Mode
VPN between Overlapping Subnets
IOS VPN with Digital Signatures Authentication
IOS Certificate Access Lists
Virtual Tunnel Interfaces
GRE over IPsec
The following labs are in process of being developed should be available soon. Notice that there might be more labs than currently are on the list.
IOS ezVPN Server
IOS ezVPN Server with RADIUS
IOS ezVPN Server with Digital Certificates
IOS ezVPN Remote
ASA ezVPN Server
ASA ezVPN Server with RADIUS
ASA ezVPN Server with Digital Certificates
IOS Clientless SSL VPN
IOS SSL VPN
ASA SSL VPN
ASA Clientless SSL VPN
ASA L2TP over IPsec
IPSec High Availability
The next thing you guys would see updated is the long-awaited IEWB-RS VOL1 v5.0 “BGP” section
General Logic Overview
When establishing a VPN tunnel, ASA firewall matches tunnel-group names based on the following criteria list:
1) Using the IKE ID presented by the remote peer. It may be an IP address (default) or hostname. In some cases this might be an ezVPN group name, for example when you are using Cisco ezVPN client or ezVPN Remote feature.
2) Using the OU (Organization Unit) field from the DN found in digital certificate presented by the peer OR by using the certificate mapping rules. This only works when ISAKMP phase uses digital signatures for authentication. Certificate mapping rules translate the DN (distinguished name) found in the certificate to the tunnel-group name.
3) Using the remote endpoint’s IP address. It’s the last resort rule, and this is the only way to match the identity with PSK (pre-shared keys) and IKE Main Mode.
Recall that IKE uses either of two modes of operation for Phase 1: Main Mode (default) and Aggressive Mode:
a) Main Mode (MM), which is mandatory per the RFC – creates an encrypted channel before exchanging the identities.
b) Aggressive Mode (AM), which is quicker than Main Mode, exchanges endpoint IDs in “clear text”, while performing DH (Diffie Hellman) exchange and establishing the secure channel. AM is less secure than MM is thus should be less preferred. However, there are some properties that make AM uniquely useful.
IKE MM with PSK
There are some important consequences of MM behavior, when implementing authentication based on pre-shared keys (PSK). When pre-shared keys are used for authentication, they are also used to generate the shared encryption key for ISAKMP SA (along with the DH generated key). This feature is very important to prevent man-in-the middle attacks. When ISAKMP responder receives a MM proposal from initiator and choses authentication based on pre-shared keys, it should generate the shared encryption key. This procedure requires knowing the PSK of the remote peer in advance. However, the responder does NOT know the IKE ID of the initiator yet, only its IP address. Therefore, the only way to select the proper pre-shared key in MM is by looking the key in the database based on the initiator’s IP address. Even if you use of hostnames for IKE IDs with PSK authentication, the keys and tunnel-group names are still matched based on the IP addresses. This is the unique “feature” of ISAKMP MM with PSK.
IKE MM with digital signatures
Now consider the case when you are using IKE MM along with digital signatures (RSA sigs) authentication. In this situation, session encryption key is not derived based on the pre-shared authentication key. Thus, the respondent that accepts the policy based on digital signatures may delay the proper tunnel-group selection until it learns the IKE ID of the initiator. More than that, it may use the information from the DN field of the digital certificate presented by the initiator for more detailed matching. With the default configuration, the subject’s OU field in the certificate is used to match the tunnel group names, but it is possible to set up flexible mapping rules.
In ASA firewall, the following default commands enable tunnel-group name lookup based on the OU (first) than IKE-ID (if present) and finally the Peer IP address:
tunnel-group-map enable ou tunnel-group-map enable ike-id tunnel-group-map enable peer-ip
IKE AM and names matching
When the responding node receives an AM proposal, the proposal already contains the initiator’s IKE ID, regardless of the authentication method selected. The IKE ID might be an IP address or hostname or just any text string – e.g. ezVPN group name. The responder may use it to match the local tunnel-group and pre-shared key if needed. Thus, you may utilize tunnel-group names based on hostnames with IKE AM even with PSK authentication.
Activating IKE AM
IKE AM is automatically enabled with some VPN features, such as ezVPN remote. In order to engage AM negotiation in ASA firewalls manually, use the command crypto map [TAG] [SEQ#] set phase1-mode aggressive. Enabling this feature in IOS is a bit more trickier. You should configure an ISAKMP profile first and then use it with a crypto map similar to the following:
crypto isakmp profile AGGRESSIVE initiate mode aggressive self-identity fqdn keyring default ! crypto map VPN isakmp-profile AGGRESSIVE crypto map VPN 10 ipsec-isakmp
You may globally disable AM in Cisco IOS router using the command crypto isakmp aggressive-mode disable or using the command isakmp am-disable in ASA firewall. This will prevent the devices from ever accepting or initiaing any IKE AM connections.
What happens if none of the configured tunnel groups matches? In this case, the firewall would use the default group that is always present in the system: DefaultRAGroup. Thus, if you don’t have a specific group configured for the remote endpoint, but the authentication using the default group succeeds, the system will use the default policy for the new tunnel. In case you wonder, you may change the default tunnel-group name using the command tunnel-group-map default-group <NAME> and specify your own group.
Certificate Mapping Rules
When using digital signatures authentication, ASA firewall supports certificate mapping rules to translate issuer and subject names in the certificate to the tunnel-group name. The rules are configured using the command crypto ca certificate map [<NAME>] <SEQ#>. If no name is specified, the default map named DefaultCertificateMap is used for this purpose. Every entry in this map matches either part of issuer or subject DN in the certificate. For example
crypto ca certificate map MYMAP 10 issuer-name attr cn eq IESERVER1 subject-name co R3
You may match the DN as a whole string, without specifying any particular attribute like the second line in the above example does. When you have the map configured, you need to perform the following two steps:
1) Enable the mapping rules using the command tunnel-group-map enable rules.
2) Configure certificate map to tunnel-group mapping using the global commands tunnel-group-map [<NAME>] <SEQ#> <Tunnel-Group-Name>.
You may repeat the second step how many times you want to map the particular entry to a tunnel group that exists in the sytem. If you don’t specify the name for the certificate map, the default is DefaultCertificateMap used. Notice that OR logic is implemented by mapping multiple certificate map entries to the same group. Thus, any of the matching entries will result in the incoming session being matched on the same group.
Modular Policy Framework (MPF) configuration defines set of rules for applying firewall features, such as traffic inspection, QoS etc. to the traffic transiting the firewall. MPF has many similarities to MQC (Modular QoS CLI) syntax found in Cisco IOS, but there are some major differences in the flow of operations, even though many commands look the same. The following post assumes basic understanding of ASA firewall and its configuration. It covers the basic logic of the MPF, but does not go over all firewall features in depth.