Wednesday, December 31, 2014

CCNP Security: SENSS Part 1-1

Notes for the SENSS exam, mapped against Cisco's blueprint for the 300-206.  As there are no books for this exam, my sources for this primarily came from various manuals and documentation available on Cisco's site.  Whether a blueprint item is listed as "implement" or "describe" determined how far in depth I studied the particular topic.  Notes focus on CLI 

Threat Defense: 1.1 Implement firewall (ASA or IOS depending on which supports the implementation)



1.1.a Implement ACLs


ACL Types
Extended ACLs - the main type used; used for access rules, traffic matching for service policies, AAA rules, WCCP, the Botnet Traffic Filter, VPN group policies, and DAP policies

EtherType ACLs- apply to non-IP layer 2 traffic for transparent mode

WebType ACLs - Used for filtering clientless SSL VPN traffic

Standard ACLs - identify traffic based on destination address only.  Used by route maps and VPN filters.

ACLs and NAT
It is important to know when a feature's ACL uses Real IP addresses (the untranslated IP address) versus Mapped IP addresses (the NAT-translated IP address).  The major distinction occurs between 8.2 code and 8.3+ code on the ASA.

Use Real IP Addresses
-Access rules (referenced by the access-group command)
-Service Policy rules (referenced by the match access-list command)
-Botnet Traffic Filter classification (referenced by the dynamic-filter enable classify-list command)
-AAA rules (aaa match command)
-WCCP (wccp redirect-list group-list command)

Use Translated IP Addresses
-IPSec ACLs
-capture command ACLs
-Per-user ACLs
-Routing protocol ACLs
-All other feature ACLs

The mask format differs from the IOS access-list command: the ASA uses a network mask, whereas IOS uses wildcard bits.
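Because the mask formats differ, moving an ACL from IOS to the ASA means rewriting every wildcard as a netmask and only contiguous wildcards (0.0.0.255) can be rewritten at all. The script below is an added example, not from the original notes or from Cisco: wildcard_to_netmask, _convert_addr and ios_ace_to_asa are names chosen here, and the two IOS ACEs in the main block are constructed sample input.

```python
import ipaddress


def wildcard_to_netmask(wildcard: str) -> str:
    """Convert an IOS wildcard (inverse) mask such as 0.0.0.255 to the ASA
    network-mask form, 255.255.255.0.

    Only contiguous wildcards have a netmask equivalent; something like
    0.0.255.0 (match any third octet) cannot be expressed as an ASA mask,
    so it raises instead of silently producing a wrong mask."""
    bits = int(ipaddress.IPv4Address(wildcard))
    # A contiguous wildcard is 2^k - 1: all ones in the low bits, zeros above.
    if bits & (bits + 1):
        raise ValueError(f"non-contiguous wildcard {wildcard} has no ASA mask form")
    return str(ipaddress.IPv4Address(bits ^ 0xFFFFFFFF))


def _convert_addr(tokens, i):
    """Consume one IOS address spec at tokens[i] (any | host A | A W) and
    return its ASA form plus the index of the next token."""
    if tokens[i] == "any":
        return ["any"], i + 1
    if tokens[i] == "host":
        return ["host", tokens[i + 1]], i + 2
    return [tokens[i], wildcard_to_netmask(tokens[i + 1])], i + 2


def ios_ace_to_asa(ios_ace: str, asa_acl_name: str) -> str:
    """Rewrite one IOS extended ACE as an ASA extended ACE: the IOS ACL
    number is replaced by the ASA ACL name, the 'extended' keyword is
    inserted, and wildcards become netmasks. Port operators and trailing
    keywords (eq, range, log ...) are copied through unchanged."""
    tokens = ios_ace.split()
    if tokens[0] != "access-list" or tokens[2] not in ("permit", "deny"):
        raise ValueError("expected: access-list <id> {permit|deny} <proto> ...")
    out = ["access-list", asa_acl_name, "extended", tokens[2], tokens[3]]
    src, i = _convert_addr(tokens, 4)
    out += src
    # An optional source-port operator sits between source and destination.
    if i < len(tokens) and tokens[i] in ("eq", "gt", "lt", "neq"):
        out += tokens[i:i + 2]
        i += 2
    elif i < len(tokens) and tokens[i] == "range":
        out += tokens[i:i + 3]
        i += 3
    dst, i = _convert_addr(tokens, i)
    out += dst
    out += tokens[i:]
    return " ".join(out)


if __name__ == "__main__":
    # Constructed IOS ACEs used as sample input.
    for ace in ("access-list 101 permit tcp 192.168.1.0 0.0.0.255 host 10.1.1.1 eq 80",
                "access-list 101 deny ip any 10.0.0.0 0.255.255.255"):
        print(ios_ace_to_asa(ace, "OUTSIDE_IN"))
```

The ValueError on a non-contiguous wildcard is the point worth keeping: a converter that quietly emits a mask for 0.0.255.0 produces an ACE that permits or denies a completely different address range than the original.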

Configuration and Management
Show ACL contents, line numbers, and hit counts
asa# show access-list outside_access_in

Add an ACE- access-list [name] [line line-num] type
If no line num is specified, ACE is appended to the end of the ACL

Add comments to an ACL (does not apply to webtype)- access-list [name] [line line-num] remark
Best practice is to insert the remark before the ACE.  Remark is limited to 100 char. If a line number is not specified, remark is added to the end of the ACL.

ACEs and remarks cannot be edited or moved.  Instead, a new one must be created at the correct location via line number, and the old ACE or remark then deleted.  ASDM is easier to use for this purpose.

Delete an ACE or remark- no access-list parameters 
Parameters must match the ACE or remark exactly to remove it

Delete an entire ACL including remarks - clear configure access-list name
If no name is specified, all ACLs are deleted.  There is no confirmation prompt with this command.

Rename an ACL- access-list name rename new_name

Apply an ACL to a policy - the access-group command must be used to apply an extended ACL to an interface.  ACLs must be applied to a policy to have any effect on traffic.

Configure Extended ACLs
Syntax:

access-list access_list_name [line line_number] extended {deny | permit}
    protocol_argument source_address_argument dest_address_argument
    [log [[level] [interval secs] | disable | default]]
    [time-range time_range_name]
    [inactive]


1.1.b Implement static/dynamic NAT/PAT


NAT Types
Dynamic NAT- group of real IP addresses mapped to a group of mapped IP addresses
Dynamic PAT- group of real IP addresses mapped to a single IP address using a unique source port
Static NAT - consistent mapping between a real and mapped IP address, allows bidirectional traffic
Identity NAT - real address statically translated to itself.  Used to bypass NAT

ASA can implement NAT by network object NAT and twice NAT.  Recommended to use network object NAT unless extra twice NAT features required.

Network Object NAT
Defines all NAT rules configured as a parameter of a network object.  

Twice NAT
Identifies source and destination address in a single rule.  Can allow both source and destination to be translated

Identity NAT
Map an IP to itself, used for bypassing NAT

Configure Dynamic Network Object NAT
-Create a host or range network object for the mapped addresses
-Define target real addresses to be translated
-Configure dynamic NAT for object IP addresses.  

NAT config to translate the inside subnet 192.168.1.0/24 dynamically to the 10.1.1.1-100 pool
ciscoasa(config)# object network in-out-nat
ciscoasa(config-network-object)# range 10.1.1.1 10.1.1.100
ciscoasa(config)# object network inside-network
ciscoasa(config-network-object)# subnet 192.168.1.0 255.255.255.0
ciscoasa(config-network-object)# nat (inside,outside) dynamic in-out-nat

Configure Dynamic Twice NAT
-Create host or range network objects  for the source real, source mapped, destination real, and destination mapped addresses
-Create service objects for destination real and destination mapped ports

Configure Dynamic PAT
ciscoasa(config)# nat (inside,outside) source dynamic inside-subnet interface 

Configure Static NAT
ciscoasa(config)# nat (inside,dmz) source static inside-net inside-net-mapped destination static Server1 Server1 service real-service mapped-service

Configure Identity NAT
ciscoasa(config)# nat (inside,outside) source static host-obj host-obj-identity
-The mapped IP should match the real IP: host-obj ip = host-obj-identity ip
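To make the behavioural difference between the four NAT types concrete, here is a small Python model, added to these notes and not Cisco code or the ASA's actual algorithm. NatModel and its methods are names chosen for this example; the addresses (a two-address pool, a PAT address, a static and an identity mapping) are constructed. It shows dynamic NAT handing out pool addresses until the pool is exhausted, dynamic PAT then sharing one address by port, and only static/identity mappings being reachable from the mapped side, as the notes state.

```python
import ipaddress
import itertools


class NatModel:
    """Toy model of the four NAT types from the notes (illustration only)."""

    def __init__(self):
        self.static = {}          # real IP -> mapped IP, one-to-one, bidirectional
        self.pool = []            # free mapped addresses for dynamic NAT
        self.dynamic = {}         # real IP -> mapped IP currently taken from the pool
        self.pat_ip = None        # single mapped IP for dynamic PAT
        self._pat_ports = itertools.count(1024)

    def add_static(self, real_ip, mapped_ip):
        self.static[real_ip] = mapped_ip

    def add_identity(self, real_ip):
        self.static[real_ip] = real_ip      # identity NAT: translated to itself

    def add_dynamic_pool(self, first_ip, last_ip):
        first = int(ipaddress.IPv4Address(first_ip))
        last = int(ipaddress.IPv4Address(last_ip))
        self.pool = [str(ipaddress.IPv4Address(n)) for n in range(first, last + 1)]

    def add_dynamic_pat(self, mapped_ip):
        self.pat_ip = mapped_ip

    def translate(self, real_ip, real_port):
        """Outbound: return (mapped_ip, mapped_port), or None if no rule applies."""
        if real_ip in self.static:
            return self.static[real_ip], real_port
        if real_ip in self.dynamic:
            return self.dynamic[real_ip], real_port
        if self.pool:
            self.dynamic[real_ip] = self.pool.pop(0)
            return self.dynamic[real_ip], real_port
        if self.pat_ip is not None:
            # Pool exhausted (or no pool): PAT fits many real hosts behind one
            # mapped address by giving each connection a unique mapped port.
            return self.pat_ip, next(self._pat_ports)
        return None

    def untranslate(self, mapped_ip, mapped_port):
        """Inbound: only static/identity mappings exist ahead of time, so only
        they can be reached by a connection initiated from the mapped side."""
        for real_ip, mapped in self.static.items():
            if mapped == mapped_ip:
                return real_ip, mapped_port
        return None


def demo():
    """Constructed scenario: pool 10.1.1.1-2, PAT fallback, one static, one identity."""
    m = NatModel()
    m.add_dynamic_pool("10.1.1.1", "10.1.1.2")
    m.add_dynamic_pat("203.0.113.1")
    m.add_static("192.168.1.100", "203.0.113.100")
    m.add_identity("192.168.1.5")
    return [m.translate("192.168.1.10", 5000),   # first pool address
            m.translate("192.168.1.11", 5001),   # second (last) pool address
            m.translate("192.168.1.12", 5002),   # pool empty -> PAT
            m.translate("192.168.1.5", 22),      # identity: unchanged
            m.untranslate("203.0.113.100", 443), # static is reachable inbound
            m.untranslate("10.1.1.1", 80)]       # dynamic is not


if __name__ == "__main__":
    for result in demo():
        print(result)
```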

1.1.c Implement object groups


Object groups allow the reuse and grouping of IP addresses, which can greatly shorten the ACEs in an ACL.  The syntax is object-group network [name]

Example

ciscoasa(config)# object-group network malicious
ciscoasa(config-network-object-group)# network-object host 10.1.1.101
ciscoasa(config-network-object-group)# network-object host 10.1.1.102
ciscoasa(config-network-object-group)# network-object host 10.1.1.103
ciscoasa(config)# object-group network inside-hosts
ciscoasa(config-network-object-group)# network-object host 192.168.1.4
ciscoasa(config-network-object-group)# network-object host 192.168.1.5
ciscoasa(config)# access-list ACL_IN extended deny ip object-group inside-hosts object-group malicious
ciscoasa(config)# access-list ACL_IN extended permit ip any any
ciscoasa(config)# access-group ACL_IN in interface inside
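One ACE with two object groups is short to type but the ASA still evaluates it as the cartesian product of the members, which is what the element count and the expanded per-element hit counts in show access-list reflect. The Python below is an added example (not from the notes or from Cisco) that performs that expansion for the groups above, and also for nested group-object members; GROUPS, members, expand_ace and element_count are names chosen here, and the "all-bad" group is constructed.

```python
import itertools

# Constructed object-groups matching the example above. Members are stored as
# the address-spec text of each network-object line; "group-object NAME" nests
# another group.
GROUPS = {
    "malicious": ["host 10.1.1.101", "host 10.1.1.102", "host 10.1.1.103"],
    "inside-hosts": ["host 192.168.1.4", "host 192.168.1.5"],
    "all-bad": ["group-object malicious", "10.9.0.0 255.255.0.0"],
}

ACL_IN = [
    "access-list ACL_IN extended deny ip object-group inside-hosts object-group malicious",
    "access-list ACL_IN extended permit ip any any",
]


def members(group_name, groups):
    """Flatten a group, recursing into nested group-object references."""
    out = []
    for entry in groups[group_name]:
        if entry.startswith("group-object "):
            out.extend(members(entry.split()[1], groups))
        else:
            out.append(entry)
    return out


def expand_ace(ace, groups):
    """Expand every 'object-group NAME' in an ACE into the concrete ACEs the
    ASA evaluates: the cartesian product of all referenced groups."""
    tokens = ace.split()
    slots, i = [], 0
    while i < len(tokens):
        if tokens[i] == "object-group":
            slots.append(members(tokens[i + 1], groups))
            i += 2
        else:
            slots.append([tokens[i]])
            i += 1
    return [" ".join(parts) for parts in itertools.product(*slots)]


def element_count(acl, groups):
    """Total expanded elements of an ACL (the 'N elements' figure the ASA reports)."""
    return sum(len(expand_ace(ace, groups)) for ace in acl)


if __name__ == "__main__":
    for line in expand_ace(ACL_IN[0], GROUPS):
        print(line)
    print(element_count(ACL_IN, GROUPS), "elements")
```

Two practical consequences follow from the expansion: a large group on both sides of an ACE multiplies into many elements (memory and compile time), and the hit counter that increments in show access-list is the one on the expanded element, so it tells you which group member actually matched.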

1.1.d Describe threat detection features


Works at layers 3 and 4 to develop a baseline for traffic on the device, checking packet drop statistics and accumulating reports based on traffic patterns.  There are three main types: basic, advanced, and scanning.  Only scanning threat detection can be configured to be reactive, by shunning hosts.

Basic Threat Detection
Monitors rate of dropped packets and security events due to:
-ACL drops
-Bad packet format
-Connection limits exceeded
-DoS attack
-Basic firewall checks failed
-Suspicious ICMP packets detected
-Packets failed application inspection
-Interface overload
-Scanning attack detected
-Incomplete session detection

When a threat is detected, the ASA generates system log message 733100.  Basic threat detection measures the rate at which drops occur over a period of time called the average rate interval (ARI).  The range is 600 seconds to 30 days.  If the number of events within the ARI exceeds the thresholds, the events are considered a threat.  Basic threat detection does not take action and is informational only.  The burst rate interval (BRI) is always smaller than the ARI and looks at shorter snapshots of data; the BRI is 1/30th of the ARI.

Advanced Threat Detection
More granular, such as tracking statistics for host IPs, ports, protocols, individual ACLs, etc.  By default it is enabled only for ACL statistics.  Time periods are 20 min, 1 hour, 8 hours, and 24 hours.  Advanced threat detection is purely informational.

Scanning Threat Detection
Used to keep track of suspected attackers which create connections on too many hosts in a subnet, or ports on a host/subnet.  Disabled by default.

The ARI and BRI settings are shared between Basic and Scanning Threat detection.  Scanning Threat Detection maintains a database of attacker and target IP addresses.  Traffic is only considered if it passes an ACL, whereas basic threat detection will consider traffic valid even if it is dropped by an ACL.

Can be reactive by shunning an attacker's IP address.  If an attack is detected, a syslog message 733101 is logged.  If configured to react, a syslog message 733102 is logged.  When the shun expires, syslog message 733103 is logged. 
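Since messages 733100 through 733103 are what an operator actually sees, it is worth being able to parse them. The following Python is an added example, not from the notes or from Cisco: the four SAMPLE_LOGS lines are constructed to follow the general shape of those messages, and parse_threat_events / shun_state are names chosen here. It extracts the burst (BRI) and average (ARI) rates against their configured maximums from 733100/733101, and replays 733102/733103 to recover which hosts are currently shunned.

```python
import re

# Constructed sample syslog lines, modelled on the 733100-733103 message formats.
SAMPLE_LOGS = [
    "%ASA-4-733100: [ Scanning] drop rate-1 exceeded. Current burst rate is 10 per second, "
    "max configured rate is 5; Current average rate is 3 per second, max configured rate is 4; "
    "Cumulative total count is 1800",
    "%ASA-4-733101: Host 198.51.100.23 is attacking. Current burst rate is 20 per second, "
    "max configured rate is 10; Current average rate is 5 per second, max configured rate is 4; "
    "Cumulative total count is 300",
    "%ASA-4-733102: Threat-detection adds host 198.51.100.23 to shun list",
    "%ASA-4-733103: Threat-detection removes host 198.51.100.23 from shun list",
]

MSG_RE = re.compile(r"%ASA-\d-(7331\d\d): (.*)")
RATE_RE = re.compile(
    r"Current burst rate is (\d+) per second, max configured rate is (\d+); "
    r"Current average rate is (\d+) per second, max configured rate is (\d+); "
    r"Cumulative total count is (\d+)")
HOST_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")

MEANING = {
    "733100": "basic/scanning threshold exceeded (informational)",
    "733101": "scanning threat detection: host is attacking or targeted",
    "733102": "scanning threat detection shunned a host",
    "733103": "shun expired, host removed from shun list",
}


def parse_threat_events(lines):
    """Turn raw syslog lines into dicts; lines that are not 7331xx are skipped."""
    events = []
    for line in lines:
        m = MSG_RE.search(line)
        if not m:
            continue
        msg_id, body = m.groups()
        ev = {"id": msg_id, "meaning": MEANING.get(msg_id, "unknown")}
        rates = RATE_RE.search(body)
        if rates:
            burst, burst_max, avg, avg_max, total = map(int, rates.groups())
            ev.update(burst=burst, burst_max=burst_max, avg=avg, avg_max=avg_max, total=total)
            # Which interval tripped: the burst (BRI) figure, the average (ARI), or both.
            ev["exceeded"] = [name for name, cur, limit in
                              (("burst", burst, burst_max), ("average", avg, avg_max))
                              if cur > limit]
        host = HOST_RE.search(body)
        if host:
            ev["host"] = host.group(1)
        events.append(ev)
    return events


def shun_state(events):
    """Replay 733102/733103 events to get the set of hosts currently shunned."""
    shunned = set()
    for ev in events:
        if ev["id"] == "733102":
            shunned.add(ev["host"])
        elif ev["id"] == "733103":
            shunned.discard(ev["host"])
    return shunned


if __name__ == "__main__":
    evs = parse_threat_events(SAMPLE_LOGS)
    for ev in evs:
        print(ev)
    print("currently shunned:", shun_state(evs))
```

Replaying the add/remove pair is the useful part for incident response: a 733102 without a later 733103 means the shun is still in place and the host is being dropped, which is also where a false positive on a busy internal scanner or monitoring host will show up first.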

1.1.e Implement botnet traffic filtering


Workflow
-Enable use of the dynamic database
ciscoasa(config)# dynamic-filter updater-client enable
ciscoasa(config)# dynamic-filter use-database
-Add static entries to database, optional
ciscoasa(config)# dynamic-filter blacklist
ciscoasa(config-llist)# name malicious.site.example.com
ciscoasa(config)# dynamic-filter whitelist
ciscoasa(config-llist)# name good.site.example.com
-Enable DNS snooping
The default config inspects all UDP DNS traffic on all interfaces, but DNS snooping is disabled.
Recommendation: enable DNS snooping only on interfaces where external DNS requests travel.

ciscoasa(config)# class-map dynamic-filter_snoop_class
ciscoasa(config-cmap)# match port udp eq domain
ciscoasa(config)# policy-map dynamic-filter_snoop_policy
ciscoasa(config-pmap)# class dynamic-filter_snoop_class
ciscoasa(config-pmap-c)# inspect dns preset_dns_map dynamic-filter-snoop
ciscoasa(config)# service-policy dynamic-filter_snoop_policy interface outside

-Enable traffic classification and actions
ciscoasa(config)# access-list dynamic-filter_acl extended permit tcp any any eq 80
ciscoasa(config)# dynamic-filter enable interface outside classify-list dynamic-filter_acl
ciscoasa(config)# dynamic-filter drop blacklist interface outside 

-Block traffic manually based on syslog msg info, optional
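The workflow above is easier to reason about as data flow: snooped DNS replies populate an IP-to-domain cache, and a connection is classified by looking its destination up in that cache against the whitelist and blacklist. The Python below is an added example, not from the notes or Cisco's implementation, that models exactly that: BotnetTrafficFilter and its methods are names chosen here, whitelist-before-blacklist ordering is an assumption of the model, and the domain names, answer IPs and the tcp/80-only classify-list are constructed to match the notes' example.

```python
class BotnetTrafficFilter:
    """Model of the Botnet Traffic Filter workflow (illustration only)."""

    def __init__(self, classify_ports=(80,)):
        self.blacklist = set()        # domain names or IPs: static list + dynamic DB
        self.whitelist = set()
        self.dns_cache = {}           # IP -> domain, built by DNS snooping
        self.drop_blacklist = False   # mirrors 'dynamic-filter drop blacklist'
        # Only traffic matched by the classify-list ACL is classified at all;
        # the notes' ACL is 'permit tcp any any eq 80'.
        self.classify_ports = set(classify_ports)

    def snoop_dns_reply(self, qname, answer_ips):
        """DNS snooping: remember which name each answered IP came from."""
        for ip in answer_ips:
            self.dns_cache[ip] = qname.lower()

    def classify(self, dst_ip, dst_port):
        if dst_port not in self.classify_ports:
            return "not-classified"
        names = {dst_ip, self.dns_cache.get(dst_ip)} - {None}
        if names & self.whitelist:        # whitelist checked first in this model
            return "whitelisted"
        if names & self.blacklist:
            return "dropped" if self.drop_blacklist else "logged"
        return "unknown"


def build_demo_filter():
    """Constructed scenario matching the static entries in the notes."""
    bf = BotnetTrafficFilter()
    bf.blacklist.add("malicious.site.example.com")
    bf.whitelist.add("good.site.example.com")
    # Snooped replies (constructed): the resolver answered these names with these IPs.
    bf.snoop_dns_reply("malicious.site.example.com", ["198.51.100.7"])
    bf.snoop_dns_reply("good.site.example.com", ["203.0.113.9"])
    return bf


if __name__ == "__main__":
    bf = build_demo_filter()
    print(bf.classify("198.51.100.7", 80))    # logged: no drop action yet
    bf.drop_blacklist = True                  # dynamic-filter drop blacklist
    print(bf.classify("198.51.100.7", 80))    # dropped
    print(bf.classify("198.51.100.7", 443))   # not-classified: outside the ACL
    print(bf.classify("203.0.113.9", 80))     # whitelisted
    print(bf.classify("192.0.2.1", 80))       # unknown: never seen in a DNS reply
```

The two "unknown" and "not-classified" outcomes are the operational caveats: a host that reached a blacklisted address without resolving it through a snooped interface never enters the cache, and traffic outside the classify-list ACL is never examined, which is why the notes recommend snooping on the interfaces the external DNS requests actually traverse.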

1.1.f Configure application filtering and protocol inspection


Inspection engines are required for services which embed IP addresses in the user data (so NAT must rewrite them), or which open secondary connections on dynamic ports.  This requires the ASA to do deep packet inspection (DPI).

Configured via service policies, using the Modular Policy Framework (MPF).

-(optional) Create an ACL to identify the traffic to which inspection will be applied in an L3/L4 class map.  The default is to inspect all traffic
-Specify additional optional parameters for applying inspection to the traffic
-Add or edit an L3/L4 policy map that sets the actions to take on the class map traffic

ciscoasa(config)# policy-map [name]
ciscoasa(config-pmap)# class [name]
ciscoasa(config-pmap-c)# inspect [protocol]
ciscoasa(config)# service-policy policymap_name [global | interface int-name]

default config:
class-map inspection_default
 match default-inspection-traffic
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
  dns-guard
  protocol-enforcement
  nat-rewrite
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225 _default_h323_map
  inspect h323 ras _default_h323_map
  inspect ip-options _default_ip_options_map
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny
  inspect esmtp _default_esmtp_map
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip
  inspect xdmcp

1.1.g Describe ASA security contexts


The ASA can be partitioned into multiple contexts, each of which acts independently with separately defined administrators, security policies, and interfaces.  Similar to running multiple ASAs within a single box, with some limitations.

Features not supported in multiple context mode:
-RIP
-OSPFv3 (OSPFv2 supported)
-Multicast Routing
-Threat Detection
-Unified Communications
-QoS
-Remote Access VPN (site to site supported)

Config files
Context configurations: a separate file for each context that identifies its security policy and interfaces.  Context configs are stored in flash memory, or downloaded from an external source (e.g. a TFTP server)

System configuration: context configuration locations, allocated interfaces, and other context operating parameters are defined by the system administrator in the system configuration.  It acts similar to a startup configuration.  The system config does not define interfaces for itself; it uses the admin context config for this purpose.  It includes a failover interface for failover traffic

Admin context configuration: the admin context can access both the system and all other contexts.  It lives on flash memory and cannot be remote.  The admin context is created automatically when converting from single mode, is stored on flash memory, and is named admin.cfg.

Packet Classification
To determine which context is used to send/receive packets, the ASA uses the following methods:

Unique interfaces: This method is always used for transparent mode, as unique interfaces are always required for contexts.  If only one context (non-transparent mode) is associated with the ingress interface, the traffic is classified to the associated context

Unique MAC addresses: Auto-generation of MAC addresses for context interfaces is enabled by default, or they can be configured manually.  Context interface MACs must be unique if multiple contexts share an interface.

NAT configuration: If unique MAC addresses are disabled, then the ASA uses the mapped addresses in the NAT config to classify packets to the appropriate context.  Cisco's recommendation is to use unique MAC addresses rather than NAT traffic classification.

If the destination MAC is a multicast or broadcast MAC address, the packet is duplicated and sent to each context.

Cascading Contexts
Contexts can be placed in front of other contexts.  The outside interface of one context is the same interface as the inside interface of a different context.

Context User Management

System Administrator - accessed via the console port, or via the admin context through remote management.  System administrators can access all contexts.  

Context Administrator - these admins can only manage the context their user account is assigned to.  Accessible via Telnet, SSH, or ASDM.


Resource Management
Default setting-all security contexts have unlimited access to ASA resources.  VPN resources are disabled by default.  Resource management can be configured to limit use per context.  

Resource classes-contexts are assigned to resource classes to determine the limits.  All contexts belong to the default class if they are not assigned to a new resource class.  Contexts can only be assigned to one resource class.  

Resource Limits - can be defined as a percentage or an absolute value.  Services (except VPN resources) can be oversubscribed; however, if one context uses too many resources, other contexts may drop connections as a result of the oversubscription.

Default Class - if a context belongs to a class other than the default, that class's settings override the default class settings.  If settings are undefined in the new class, and the context is assigned to both the default class and the new class (the only multi-class membership permitted), then the default class values take effect for the values undefined in the custom class.  The default class has unlimited access to resources for all contexts, except the following:

Telnet, SSH, IPSec- 5 sessions each max per context
MAC addresses- 65,535 entries
VPN site-to-site tunnels - 0 sessions.  Class must be configured manually to allow VPN sessions

Licensing
5506-X - not supported
5512-X - Requires Security Plus license, 2 contexts.  Additional context license-5 contexts
5515-X - Base license 2 contexts, additional context license, 5 contexts
5525-X - Base license 2 contexts, additional context license, 5, 10, 20 contexts
5545-X - Base license 2 contexts, additional context license, 5,10,20,50 contexts
5555-X - Base license 2 contexts, additional context license, 5,10,20,50,100
5585-X SSP-10- Base 2 contexts, additional 5,10,20,50,100 contexts
SSP-20, 40, 60 - Base 2 contexts, additional 5,10,20,50,100,250 contexts
ASAv - Not supported




