Web Security

ASA 5500 series adaptive security appliances
• Has replaced Cisco’s PIX firewalls since 2008
• Security services
  – application-aware firewall
  – SSL and IPsec VPN
  – IPS with global correlation and guaranteed coverage
  – Antivirus
  – Antispam
  – Antiphishing
  – web filtering services
Source: http://www.cisco.com/en/US/prod/collateral/vpndevc/ps6032/ps6094/ps6120/product_data_sheet0900aecd802930c5.html
T. A. Yang
Network Security
1

Cisco’s Firewall Service Module (FWSM)
• Source: http://www.cisco.com/en/US/products/hw/modules/ps2706/ps4452/index.html
  – a high-speed, integrated firewall module for Cisco Catalyst 6500 switches and Cisco 7600 Series routers
  – provides the fastest firewall data rates in the industry:
    • 5-Gbps throughput
    • 100,000 CPS (connections per second)
    • 1M concurrent connections

Firewall Modes
1. Routed mode
  – The device is considered a router hop in the network
  – Requires an IP address for each interface
  – The default mode
2. Transparent mode (aka stealth firewalls)
  – The device operates in a secure bridging mode
  – Same subnet on its inside and outside interfaces
  – Has an IP address assigned to the entire device
  – The appliance continues to perform stateful application-aware inspection and other firewall functions
  – Benefit: hides its presence from attackers/intruders

Stealth mode example
• Default gateway for PCs in VLAN 10 is 10.1.1.1 (the upstream router).

Example 2
• Source: http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a008089f467.shtml#backinfo
• The default gateway of Host A is not the Internet router (192.168.1.2) but the internal router (192.168.1.3).
• Scenario: an inside user visits an inside Web server. Host A (192.168.1.5) sends the request packet to the Internet router (since it is a default gateway) through the ASA from the inside to the outside. The packet is then redirected to the web server (10.1.1.1) through the ASA (outside to inside) and the internal router.

Adaptive Security Algorithm (ASA)
• An algorithm that defines how traffic passing through the firewall is examined.
• Basic concepts:
  – Keeps track of the connections being formed from the networks behind the PIX to the public network.
  – Based on info about these connections, ASA allows packets to come back into the private network through the firewall.
  – All other traffic destined for the private network is blocked by the firewall (unless specifically allowed).

ASA Operations
• Three basic operations
  1. ACLs
  2. Connections: xlate and conn tables
  3. Inspection engines (per RFC standards)
• Figure 6-5: a scenario where an external host requested a connection to an internal server

ASA
• ASA defines how the state and other information is used to track the sessions passing through the PIX.
• ASA keeps track of the following information:
  – Source and destination info of IP packets
  – TCP sequence numbers and TCP flags
  – UDP packet flow and timers

ASA and TCP
• TCP is connection-oriented, and provides most of the information the firewall needs.
• The firewall keeps track of each session being formed, utilized, and terminated.
• ASA only allows packets conforming to the state of a session to go through. All other packets are dropped.
• However, TCP has inherent weaknesses, which require ASA to perform additional work managing the sessions, e.g., SYN floods and session hijacking.

ASA and TCP
• SYN flooding
  – “The SYN flood attack sends TCP connection requests faster than a machine can process them.” (Internet Security Systems, http://www.iss.net/security_center/advice/Exploits/TCP/SYN_flood/default.htm)
  – Illustration: next

Syn Flood
• A: the initiator; B: the destination
• TCP connection setup is multi-step
  – A: SYN to initiate
  – B: SYN+ACK to respond
  – A: ACK confirms agreement
• Sequence numbers are then incremented for future messages
  – Ensures message order
  – Retransmit if lost
  – Verifies the party really initiated the connection

Syn Flood
• Implementation: A, the attacker; B: the victim
  – B:
    • Receives SYN
    • Allocates connection
    • Acknowledges
    • Waits for response (Time?)
• See the problem?
  – What if no response?
  – And many SYNs?
• All space for connections allocated
  – None left for legitimate ones

ASA vs Syn Flood
• (Beginning in version 5.2 and later)
  – When the number of incomplete connections through the PIX reaches a pre-configured limit (the limit on embryonic connections), ASA turns the PIX into a proxy for connection attempts (SYNs) to servers or other resources sitting behind it.
    • PIX responds to SYN requests with SYN ACKs and continues proxying the connection until the three-way TCP handshake is complete.
    • Only when the three-way handshake is complete would the PIX allow the connection through to the server or resource on the private or DMZ network.
  – Benefit: Limits the exposure of the servers behind the PIX to SYN floods
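As an added illustration (not from the slides and not Cisco’s code), a small Python model of the embryonic-connection limit above: below the limit a SYN is forwarded and tracked as half-open; at the limit the firewall answers the SYN itself and opens the server connection only after the client returns the correct ACK. The limit value, the addresses and the packet fields are constructed for the example.

```python
import random
from dataclasses import dataclass, field

# Constructed model of the embryonic-connection limit and SYN proxying (not Cisco's code).
# Packets are dicts {"src", "dst", "flags", "ack"}; "server" is the host behind the firewall.
# Below the limit a SYN is forwarded and remembered as half-open; at the limit the firewall
# answers the SYN itself and opens a connection to the server only after a correct ACK.

@dataclass
class SynProxyFirewall:
    embryonic_limit: int
    half_open: set = field(default_factory=set)    # (client, server) forwarded, not yet ACKed
    proxied: dict = field(default_factory=dict)    # (client, server) -> firewall's own ISN
    sent_to_server: list = field(default_factory=list)

    def half_open_count(self, server):
        return sum(1 for (_, s) in self.half_open if s == server)

    def handle(self, pkt):
        """Process one packet arriving on the outside interface; return the action taken."""
        key = (pkt["src"], pkt["dst"])
        if pkt["flags"] == "SYN":
            if self.half_open_count(pkt["dst"]) < self.embryonic_limit:
                self.half_open.add(key)             # normal path: the server sees the SYN
                self.sent_to_server.append(pkt)
                return "forwarded SYN"
            self.proxied[key] = random.getrandbits(32)   # limit reached: proxy the handshake
            return "proxied SYN-ACK"
        if pkt["flags"] == "ACK":
            if key in self.proxied:
                isn = self.proxied.pop(key)
                if pkt.get("ack") != (isn + 1) % (1 << 32):
                    return "dropped (bad ACK)"      # a forged source never learns our ISN
                # The client completed the handshake, so now open it to the server
                self.sent_to_server.append({"src": pkt["src"], "dst": pkt["dst"], "flags": "SYN"})
                return "opened after proxy handshake"
            if key in self.half_open:
                self.half_open.discard(key)
                self.sent_to_server.append(pkt)
                return "established"
        return "dropped (no state)"

def demo():
    """Constructed scenario: three unanswered SYNs reach the limit; the fourth client is proxied."""
    fw = SynProxyFirewall(embryonic_limit=3)
    srv = "10.1.1.1"
    actions = [fw.handle({"src": f"203.0.113.{i}", "dst": srv, "flags": "SYN"}) for i in range(1, 5)]
    isn = fw.proxied[("203.0.113.4", srv)]
    actions.append(fw.handle({"src": "203.0.113.4", "dst": srv, "flags": "ACK", "ack": (isn + 1) % (1 << 32)}))
    return actions, len(fw.sent_to_server)
```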

PIX: Basic Features
• ASA’s stateful inspection of traffic
• Assigning varying security levels to interfaces
• ACL
• Extensive logging
• Basic routing capability (including RIP)
• Failover and redundancy
• Traffic authentication

PIX: Basic Features - ASA’s stateful inspection of traffic
• PIX uses a basic set of rules to control traffic flow:
  – No packets can traverse the PIX w/o a translation, connection, and state.
  – Outbound connections are allowed, except those specifically denied by the ACLs.
  – Inbound connections are denied, except for those specifically allowed.
  – All ICMP packets are denied unless specifically permitted.
  – All attempts to circumvent the rules are dropped, and a message is sent to syslog.
• To tighten or relax some of these default rules: next few slides

PIX: Basic Features
• Assigning varying security levels to interfaces
  – PIX allows varying security levels to be assigned to its various interfaces, creating the so-called security zones.
  – A PIX may have 2 to 10 interfaces.
  – Each interface can be assigned a level from 0 (least secure, usually the Internet) to 100 (most secure, usually the internal private network).
  – Default rules:
    o Traffic from a higher security zone can enter a lower security zone. PIX keeps track of the connections for this traffic and allows the return traffic through.
    o Traffic from a lower security zone is not allowed to enter a higher security zone, unless explicitly permitted (such as using ACLs).

PIX: Basic Features
• ACL
  – Mainly used to allow traffic from a less-secure portion of the network to enter a more-secure portion of the network.
  – Information used in ACLs:
    • Source address
    • Destination address
    • Protocol numbers
    • Port numbers
  – Examples:
    • To allow connections to be made to web or mail servers sitting on the DMZ of the PIX from the public network
    • To allow a machine on a DMZ network to access the private network behind the DMZ
  – Use of ACLs must be governed by the network security policy.
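An added Python model (not from the slides and not Cisco’s code) that ties together the default rules, the interface security levels and the ACLs of the last three slides: a flow from a higher level to a lower one is permitted and recorded in the conn table so its return traffic passes, a flow from a lower level (and any ICMP) needs an ACL entry on its inbound interface, and everything else is dropped with a syslog message. Translation (xlate) and deny-ACLs are left out; the interface names, levels and addresses are constructed.

```python
from collections import namedtuple
from dataclasses import dataclass, field

# Constructed model of the PIX default rules and security levels (not Cisco's code).
# Left out: NAT/xlate and deny-ACLs on outbound traffic. A new higher->lower flow is
# permitted and tracked so its return traffic passes; a lower->higher flow, and any
# ICMP, needs an ACL entry on the inbound interface; anything else is denied and logged.

Packet = namedtuple("Packet", "proto src sport dst dport in_if out_if")

@dataclass
class AsaPolicy:
    levels: dict                               # interface name -> security level 0..100
    acls: dict = field(default_factory=dict)   # in_if -> {(proto, dst, dport)}; "any" = wildcard
    conns: set = field(default_factory=set)    # 5-tuples of flows the ASA is tracking
    syslog: list = field(default_factory=list)

    def _acl_permits(self, p):
        for proto, dst, dport in self.acls.get(p.in_if, ()):
            if proto == p.proto and dst in ("any", p.dst) and dport in ("any", p.dport):
                return True
        return False

    def decide(self, p):
        fwd = (p.proto, p.src, p.sport, p.dst, p.dport)
        rev = (p.proto, p.dst, p.dport, p.src, p.sport)
        if fwd in self.conns or rev in self.conns:
            return "permit (conn table)"        # packet belongs to a tracked connection
        if p.proto != "icmp" and self.levels[p.in_if] > self.levels[p.out_if]:
            self.conns.add(fwd)
            return "permit (higher -> lower)"   # outbound: allowed by default, now tracked
        if self._acl_permits(p):
            self.conns.add(fwd)
            return "permit (ACL)"               # inbound: only with explicit permission
        self.syslog.append(f"deny {p.proto} {p.src}:{p.sport} -> {p.dst}:{p.dport} in {p.in_if}")
        return "deny"

def demo():
    """Constructed topology: inside=100, dmz=50, outside=0; web server 192.0.2.10 on the dmz."""
    asa = AsaPolicy(levels={"inside": 100, "dmz": 50, "outside": 0},
                    acls={"outside": {("tcp", "192.0.2.10", 80)}})
    results = [
        asa.decide(Packet("tcp", "10.0.0.5", 40000, "198.51.100.9", 443, "inside", "outside")),
        asa.decide(Packet("tcp", "198.51.100.9", 443, "10.0.0.5", 40000, "outside", "inside")),
        asa.decide(Packet("tcp", "198.51.100.7", 51000, "192.0.2.10", 80, "outside", "dmz")),
        asa.decide(Packet("tcp", "198.51.100.7", 51000, "10.0.0.5", 22, "outside", "inside")),
        asa.decide(Packet("icmp", "10.0.0.5", 0, "198.51.100.9", 0, "inside", "outside")),
    ]
    return results, asa.syslog
```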

PIX: Basic Features
• Failover and redundancy
  – The failover capability allows a standby PIX to take over the functionality of the primary PIX as soon as it fails.
  – Stateful failover: the connection info stored on the failing PIX is transferred to the PIX taking over.
  – The standby PIX assumes the IP and MAC addresses of the failed PIX.
  – Terminology related to failover:
    • Active unit vs Standby unit
    • Primary unit vs Secondary unit
      Question: relationships between active/standby and primary/secondary?
    • System IP vs Failover IP
      – System IP: the address of the primary unit upon bootup
      – Failover IP: that of the secondary unit
  [Figure: primary and secondary units, labelled active and standby]

PIX: Basic Features - Failover and redundancy
• How does failover work?
  – A failover cable (RS-232 serial) connects the primary unit and the secondary unit, allowing the secondary unit to detect the primary unit’s power status, and failover communication in between.
  – (In the case of stateful failover) The state info is transferred via an Ethernet cable connecting the primary unit and the secondary unit.
  – Every 15 seconds, special failover hello packets are sent between the two units for synchronization.
  – Requirements: The h/w, s/w, and configurations on the two PIXes must be identical.

PIX: Basic Features - Failover and redundancy
• Limitations of Cisco PIX failover?
  – Some info is not replicated between the two units:
    • User authentication table
    • ISAKMP and IPsec SA table
    • ARP table
    • Routing info
  – The secondary unit must rebuild the info to perform the functions of the failed unit.

PIX: Basic Features
• Traffic authentication on PIX:
  – Cut-through proxy authentication
    • Only when the authentication occurring during the establishment of a given connection succeeds would PIX allow the data flow to be established through it.
    • A successfully authenticated connection is entered into the ASA as a valid state.
    • As soon as an authenticated connection is established, PIX lets the rest of the packets belonging to that connection go through without further authentication.
  – PIX supports both TACACS+ and RADIUS as the AAA servers.

ASA and TCP: TCP session hijacking attack
• Problem with the ISN: The initial sequence number (ISN) of TCP is not really random, which makes a TCP session hijacking attack possible.
• Case study: Kevin Mitnick’s attack on Tsutomu Shimomura’s computers in 1994-1995
• Six steps:
  1. An initial reconnaissance attack: gather info about the victim
  2. A SYN flood attack: disable the login server; a DoS attack
  3. A reconnaissance attack: determine how one of the x-terms generated its TCP sequence numbers
  4. Spoof the server’s identity, and establish a session with the x-term (using the sequence number the x-term must have sent); result: a one-way connection to the x-term
  5. Modify the x-term’s .rhosts file to trust every host
  6. Gain root access to the x-term

TCP session hijacking attack (cont.)
• ASA’s solution: “proxy” the sequence number in an outgoing packet
  a. Create a new, more random sequence number;
  b. Use the new number as the sequence number in the outgoing packet, and store the difference between the new and the original number;
  c. When return traffic for that packet is received, ASA restores the sequence number before forwarding the packet to the destination on the inside network.
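An added Python model of steps a to c above (not from the slides and not Cisco’s implementation): the firewall stores the per-connection difference between the new and the original ISN, adds it to the sequence number on outbound packets and subtracts it from the acknowledgement number on inbound packets. The inside host whose ISNs step by a fixed 64000 per connection, and all addresses, are constructed for the example.

```python
import random

# Constructed model of ASA's sequence-number proxying (not Cisco's implementation).
# When an inside host opens a connection, the firewall replaces the host's ISN with a
# random one, keeps the difference per connection, adds it to SEQ on outbound packets
# and subtracts it from ACK on inbound packets, so the outside only sees the randomized
# numbers while the inside host is unaware of the substitution.

MOD = 1 << 32

class SeqRandomizer:
    def __init__(self, rng=None):
        self.rng = rng or random.SystemRandom()
        self.delta = {}     # (in_host, in_port, out_host, out_port) -> offset mod 2^32

    def outbound(self, pkt):
        """Inside -> outside: rewrite seq. pkt = {src, sport, dst, dport, flags, seq, [ack]}."""
        key = (pkt["src"], pkt["sport"], pkt["dst"], pkt["dport"])
        if pkt["flags"] == "SYN" and key not in self.delta:
            new_isn = self.rng.randrange(MOD)             # fresh, unpredictable ISN
            self.delta[key] = (new_isn - pkt["seq"]) % MOD
        out = dict(pkt)
        out["seq"] = (pkt["seq"] + self.delta.get(key, 0)) % MOD
        return out

    def inbound(self, pkt):
        """Outside -> inside: restore the ack number the inside host expects."""
        key = (pkt["dst"], pkt["dport"], pkt["src"], pkt["sport"])
        out = dict(pkt)
        if "ack" in pkt and key in self.delta:
            out["ack"] = (pkt["ack"] - self.delta[key]) % MOD
        return out

def demo(rng=None):
    """Constructed inside host whose ISNs step by a fixed 64000 per new connection."""
    fw = SeqRandomizer(rng)
    wire_isns, host_acks = [], []
    for n, isn in enumerate([1000, 65000, 129000]):
        syn = {"src": "10.0.0.5", "sport": 40000 + n, "dst": "198.51.100.9", "dport": 80,
               "flags": "SYN", "seq": isn}
        wire = fw.outbound(syn)
        wire_isns.append(wire["seq"])                 # what the outside actually sees
        # The outside server's SYN-ACK acknowledges the wire ISN; the host must see its ISN + 1
        synack = {"src": "198.51.100.9", "sport": 80, "dst": "10.0.0.5", "dport": 40000 + n,
                  "flags": "SYN-ACK", "seq": 777, "ack": (wire["seq"] + 1) % MOD}
        host_acks.append(fw.inbound(synack)["ack"])
    return wire_isns, host_acks
```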

[Figure (label: initiator). Source: Malik, Network Security Principles and Practices, 2003.]

Security Contexts
• Software version 7.0 and up
• Multiple security contexts (aka virtual firewalls) can be created within a single PIX or ASA firewall.
• Each virtual firewall is an independent device
  – Has its own set of security policies, logical interfaces, and admin domain
• Interfaces can be shared between contexts (routed mode only)
• Limitations:
  – Features such as VPN and dynamic routing protocols are not supported.

Security Contexts: two modes
• Routed Mode
  – Figure 6-6
  – A physical firewall is configured with three contexts (Admin, Dept 1, Dept 2).
  – Each virtual firewall has one Inside, one Outside, and one Shared interface.
  – Each context has its own private segment.
  – Resources to be shared among the three contexts are placed in the Shared segment, accessible through a shared interface.
• Transparent Mode

Security Contexts: two modes
• Transparent Mode
  – Each context is in the transparent mode.
  – A transparent firewall has only one Inside and one Outside interface, both of which belong to the same subnet.
  – Transparent mode does not allow shared interfaces (unlike the routed mode).
  – Example: Figure 6-7