CCIE Security Advanced Technologies Class - ASA Advanced TCP Inspection with MPF

Transcript

1	Introduction	0h 37m
2	CCIE Security Preparation Resources	0h 50m
3	ASA Overview	0h 37m
4	Basic ASA Initialization	1h 02m
5	ASA Routing	0h 37m
6	ASA Reliable Static Routing	0h 20m
7	ASA Access Control Lists (ACLs)	0h 41m
8	ASA Modular Policy Framework (MPF) Overview	0h 53m
9	ASA Modular Policy Framework (MPF) Configuration	0h 51m
10	ASA Advanced TCP Inspection with MPF	0h 40m
11	ASA Advanced Application Inspection with MPF	0h 36m
12	ASA Quality of Service (QoS)	0h 30m
13	ASA Network Address Translation (NAT) Part 1	0h 50m
14	ASA Network Address Translation (NAT) Part 2	0h 30m
15	ASA Transparent Firewall Overview	0h 25m
16	ASA Transparent Firewall Configuration	0h 43m
17	ASA ARP Inspection with Transparent Firewall	0h 21m
18	ASA Multiple Context Mode Overview	0h 42m
19	ASA Multiple Context Mode Configuration	0h 59m
20	ASA Redundant Interfaces	0h 22m
21	ASA Failover Overview	0h 19m
22	ASA Active/Standby Failover Routed Firewall Configuration	0h 29m
23	ASA Active/Standby Failover Transparent Firewall Configuration	0h 17m
24	ASA Active/Active Failover Routed Firewall Configuration	0h 37m
25	ASA Multiple Context Transparent Firewall Configuration	0h 29m
26	ASA Active/Active Failover Transparent Firewall Configuration	0h 29m
27	IOS Access Control Lists (ACLs)	0h 23m
28	IOS Time Based ACLs	0h 13m
29	IOS Lock & Key Security with Dynamic ACLs	0h 24m
30	IOS Reflexive ACLs	0h 44m
31	IOS TCP Intercept and Content Based Access Control (CBAC)	0h 39m
32	Zone Based Policy Firewall Overview	0h 26m
33	Zone Based Policy Firewall Configuration	0h 44m
34	ZBPF Self Zone & ZBPF Exceptions	0h 48m
35	Port to Application Mapping (PAM)	0h 32m
36	ZBPF Parameter Tuning	0h 32m
37	ZBPF Application Inspection	0h 27m
38	IOS Transparent Firewall	0h 28m
39	IPsec Overview	0h 37m
40	IOS IPsec LAN-to-LAN Configuration	0h 58m
41	IPsec Troubleshooting	0h 42m
42	GRE over IPsec, IPsec Profiles, & VTIs	0h 51m
43	ASA IPsec Overview	0h 24m
44	ASA IPsec LAN-to-LAN Configuration	0h 20m
45	Certificate Authority (CA) Overview	0h 16m
46	IOS & ASA LAN-to-LAN IPsec with Certificates	0h 57m
47	Easy VPN Overview	0h 12m
48	IOS Easy VPN Server	1h 10m
49	IOS Easy VPN Client	0h 30m
50	IOS Easy VPN with Dynamic VTIs, ISAKMP Profiles	0h 49m
51	ASA Easy VPN Server	0h 51m
52	ASA Easy VPN Server & IOS Easy VPN Client	0h 17m
53	ASA Clientless & AnyConnect SSL VPN	1h 04m
54	DMVPN	1h 05m
55	IPS Overview, Promiscuous Mode & SPAN	0h 43m
56	IPS Promiscuous Mode & RSPAN	0h 28m
57	IPS Blocking Devices & Custom Signatures	0h 50m
58	IPS Inline Mode, VLAN Pairing	0h 15m
59	IPS Virtual Sensors and Signature Engines	0h 16m
60	AAA Overview, Local AAA, & Role Based CLI	0h 51m
61	RADIUS, TACACS+, & Cisco Secure ACS Configuration	0h 51m
62	RADIUS & TACACS+ Exec Authorization & Accounting	0h 39m
63	TACACS+ Command Accounting	0h 30m
64	RADIUS & TACACS+ Enable Authentication	0h 14m
65	IOS Authentication Proxy	0h 33m
Total Duration		39h 19m

Base Configs

Diagrams

Slides - Introduction

Slides - ASA

Slides - IOS Firewall

Slides - VPN

Slides - IPS

Slides - Identity Management

0:00:01
0:00:13	in next section here for the ASA we going to look some more at the details in the changing the inpection engine
0:00:20	of the layer the basic layer 3 and layer 4 policies
0:00:23	in order to apply TCP normalisation
0:00:26	and limit the amount of connections for how is to occur
0:00:30	our destination
0:00:32	that is going to prevent against TCP type tact
0:00:37	so again right now we have
0:00:39	ASA two connection to the inside
0:00:42	that is assinged as security level 100
0:00:45	the DMZ is assigned as 50
0:00:48	and the outside is assigned as 0
0:00:51	so the both from the inside and DMZ we can reach outside
0:00:54	for inside we can reach the DMZ
0:00:57	DMZ is not to reach inside outside is not going to reach DMZ or inside
0:01:03	again if you want exceptions to that
0:01:05	we need will need to configure an access list first
0:01:08	before the traffic is going to flow through the monitor policy framework
0:01:12	for the inspection engine
0:01:16	so the first thing we will look at here
0:01:18	is changing
0:01:20	as traffic is flowing from the dmz to the outside
0:01:24	specfically from the ACS server
0:01:27	how we can control
0:01:29	the individual parameters that r going to apply on to its TCP connection
0:01:34	now to demonstrate this what im going to do on router 2
0:01:38	is turn on the IP HTTP server process
0:01:42	which is going to be for the. . .
0:01:44	web management
0:01:46	from the regular web effects
0:01:49	so going to
0:01:52	in global config
0:01:55	i will simply say IP HTTP server
0:01:58	i am just to turn the server's server's on
0:02:00	this will also be how we will turn the sdm on
0:02:04	if we want the advanced
0:02:07	web management for the route
0:02:09	in this we are using the default web effect
0:02:13	so now we're going to take a look at the
0:02:15	triple a server or the acs server that is on the inside
0:02:19	if i we're to open up a web session
0:02:22	to the address of router 2 we will use 200.0.02
0:02:28	it should ask me for the authentication parameters
0:02:32	which in this case i have the user in cisco and password cisco configure
0:02:36	now lets give us access to the web in effects
0:02:41	now if we look at the asa the end result of this
0:02:44	should be there is an active connection
0:02:47	to show connections or show connections
0:02:50	detail
0:02:52	there is going to be an active connection from the dmz
0:02:56	that is going outside
0:02:58	and this is going to be before that
0:03:00	that web browsing session
0:03:02	now we may be actually look at to it as we are making changes
0:03:06	so lets say we
0:03:07	issue some sort of
0:03:10	show command
0:03:11	when we look at the asa
0:03:13	we see now there is a session
0:03:16	that is going from
0:03:19	200.0.02 back to 10.0.0.100
0:03:23	this is the return session of that http managment
0:03:28	so esstially every time we'r issuing the get
0:03:31	and then the server's repling back us with the information
0:03:34	its opening and closing a session
0:03:37	so the session does n stay open
0:03:39	quite from the server its only you r requesting detail
0:03:43	now what are the way we can see active open connection
0:03:47	would be to tell that to router 2
0:03:51	and issue some sort of commands that's going to keep
0:03:54	the connection open, let say for example
0:03:57	show text report
0:03:59	so router 2 is generating a bunch of telnet characters
0:04:03	back to the
0:04:05	acs server
0:04:08	if we look at the asa
0:04:10	and now look at the show connections
0:04:13	we see we have the TCP session
0:04:17	from 10.0.0.100
0:04:19	its being allowed back en interface from 10.0.0.2
0:04:25	now what i am going to do next
0:04:27	is change the inspection parameters as traffic is going from
0:04:31	the aaa server
0:04:33	as it is going to any destination on the outside
0:04:38	so first and foremost i need to match the traffic
0:04:42	based from where it is coming from, i need to classify the traffic
0:04:45	so im going to configure an access list
0:04:47	that is going to match the aaa server
0:04:51	so its so simply say permit
0:04:53	any ip traffic that is coming from
0:04:56	10.0.0.100
0:04:58	and it can go anywhere
0:05:00	i could be very specific if i wanted to say its exactally going to router 2's address
0:05:05	then i could be as granted as i want for the change in inspection
0:05:10	but in this iam just saying
0:05:12	for any traffic that comes from the aaa server
0:05:16	next iam to match this in a class map
0:05:20	so i have the class map of say this is aaa server
0:05:23	class
0:05:25	that is going to match the acces list
0:05:28	named aaa server
0:05:34	and now iam going to do an inspection for this
0:05:37	but it going to be inside a new policy now
0:05:41	that iam then going to apply in
0:05:43	on the dmz interface
0:05:46	so if i were to apply this to my already existing global policy
0:05:49	that will be for all interfaces in the inbound direction
0:05:54	which rembers means all interfaces in all directions
0:05:58	so i want a new policy i going to say this policy now
0:06:02	is for the dmz in
0:06:05	for the specific class
0:06:08	that i matched which is the aaa server class
0:06:12	iam going to set the different connection parameters
0:06:16	and again the most of these servers are going to specific to TCP
0:06:20	so things like the sequence nos.
0:06:23	the embrionic connections
0:06:25	the advanced options
0:06:27	most of those are specfic to TCP
0:06:30	and that would make any sense use those with the UDP or ICMP flubs
0:06:36	so lets say for example i want to limit
0:06:38	on a perclined basis
0:06:41	how many connections can the triple a server have
0:06:45	so i will say the per-client maximum
0:06:49	is going to be, let's say 3 connections
0:06:54	so now i know what is the particular traffic
0:06:57	that i am matching again it is classfied with the class map
0:07:01	the aaa server
0:07:04	i know how im inspecting
0:07:06	the traffic this is with the policy map
0:07:09	policy map says if this class is true that's if traffic coming from the aaa server
0:07:14	limited to 3 connections
0:07:16	simultaneously
0:07:18	so when u look at the show connections
0:07:22	the acs is going to have more than 3 in here
0:07:25	if it goes beyond that the new connections are going to be denyed
0:07:29	unless i need to actually apply the policy, so now this paricular policy now
0:07:34	which is dmz in i will say service policy
0:07:38	is dmz in im applying this on interface dmz
0:07:45	So now lets look at the actual statictics let say show
0:07:48	service policy
0:07:50	interface
0:07:53	dmz
0:07:56	right now the current connections are zero
0:08:00	if we go back to
0:08:04	the acs server
0:08:07	lets make a new connection, will tell to router 2
0:08:15	if we now look at the show
0:08:17	service policy
0:08:19	say we right now have one concurrent connection
0:08:23	if i'were have to open up an additional telnet session
0:08:27	lets say i telnet to router 1
0:08:34	this should now be my second connection
0:08:38	like wise i were to telnet
0:08:41	to router 3
0:08:43	200.0.0.3
0:08:47	this should be my 3rd connection
0:08:50	so now at this point since i hit the maximum
0:08:53	next time i try to open a session
0:08:56	lets say i telnet again to router 2
0:08:59	this one should be denied
0:09:02	so were to be actually pack a debug on router 2
0:09:06	we would see that this session is not getting through
0:09:09	the asa the reach router 2
0:09:13	we will look at the show service policy interface
0:09:16	we could see these new connections attempt these are being dropped
0:09:20	only once i delete one of my older connection
0:09:24	so i exit of the session
0:09:26	this is going now drop my concurrent connections to 2
0:09:30	i would then be able to
0:09:33	let's say open up another web browsing session
0:09:36	to router 2
0:09:43	so that should be my 3rd connection
0:09:46	now again here with the web server
0:09:49	once i get the page
0:09:51	and the page is successfully retreived
0:09:53	the connection is automatically going to clubbed
0:09:58	so wer to look into this in real time and look at the debug i actually start the 3rd session
0:10:02	and it works
0:10:04	but now lets say i do another telnet that's telnet back to router 3
0:10:10	now my concurrent connections are back up to 3
0:10:14	if i now try to web browse to router 2 again
0:10:18	we should see that this connection is now going to be denied
0:10:22	now we going to see this in pro-client basis
0:10:25	because im the source of the session
0:10:27	whats the total no. of concurrent sessions that i can use
0:10:33	if we look at the show run all policy now
0:10:38	we will see for this individual class
0:10:41	what r the other connection options
0:10:44	so we have normally the maximum connection is zero
0:10:48	the max no. of half open sessions is zero as well
0:10:53	which probably is now what you would want
0:10:55	because it means its no longer protecting it against any type of denial service attack
0:11:02	now one way we could actually test the imbrionic connections
0:11:07	would be to
0:11:09	look at the TCP flow in the network
0:11:16	let say the TCP flow is going go from
0:11:20	the acs server
0:11:22	to router 1
0:11:24	this is the
0:11:27	a this is the syn
0:11:30	now the asa a way back is going to expecting
0:11:35	the sin, and the ack, this is the 2nd portion of the ****
0:11:39	so if this time
0:11:41	we have the first step, we have the 2nd step
0:11:44	now the connection is half over
0:11:46	its half open or its embrionic
0:11:51	now if the acs server doesnt actually
0:11:53	open the connection completely with the 3rd step
0:11:56	by sending the acknowledgement
0:11:59	then
0:12:00	the asa is going acomplish as
0:12:03	half open connection
0:12:05	and once bridge total treshold for this
0:12:08	then that's going to be
0:12:09	denied from coming back in
0:12:13	so if you wanted to test this out
0:12:16	on the routers, one thing you could do
0:12:19	would be, lets say originate the session from router 1
0:12:22	going to, the
0:12:24	lets say to router 5, so wer' going from outside in
0:12:28	and i m going to use this with telnet, so TCP
0:12:32	TCP 23
0:12:34	so im sending the syn
0:12:36	im getting the syn
0:12:38	ack, in retun
0:12:42	im going to configure router 2 to filter the 2nd portion of the handshake
0:12:47	as it comes back in on the interface
0:12:53	so the first thing, im do on the asa
0:12:56	im going to do an exception to allow traffic from the outside to go in
0:13:00	that is
0:13:01	TCP 23, that for the telnet packets
0:13:08	if we show access list
0:13:10	we have access list outside in
0:13:13	right now that's permitting our 2 different
0:13:15	are two different, icp types the time exceeded on the unreachable
0:13:20	im also going to say access list outside in
0:13:23	permit TCP any any eq 23
0:13:28	so this is going to allow all the telnet
0:13:31	access-group outside in in interface outside
0:13:38	so from the outside network for example from router 1
0:13:41	i should now be able to, telnet to router 5
0:13:46	so 10.0.125.5
0:13:50	so we can see this connection works
0:13:58	the next im going to do
0:14:01	is on router 2
0:14:02	im going to filter that 2nd of the connection that comes back in
0:14:08	so router 2 out access list
0:14:11	that says deny TCP any any that is,
0:14:17	specific an ack
0:14:21	because im trying to deny the 2nd portion of the handshake which the syn and the ack
0:14:28	can say all log this is well
0:14:31	and on access list 100 wer going to deny or actually permit
0:14:35	permit everything else
0:14:41	then inbound on its land interface ip access group 100 in
0:14:47	what this should now mean
0:14:50	is that when router 1 tries to start a TCP session
0:14:53	its going to get filtered out
0:14:57	because router 2 is now denied that acknowledment that it comes back in
0:15:03	but from the asa's perspective now the session is half open
0:15:08	so if we look at the specfic corners
0:15:10	if we show
0:15:12	service policy
0:15:15	i want to know for
0:15:18	my particular inspection lets say that its the inside in policy that we are going to use
0:15:23	im going to change what is the total no.
0:15:26	of half open sessions that we could have
0:15:30	if we show run policy now
0:15:35	i would make this change in the
0:15:37	the inside in class
0:15:43	so for policy map that's going to be inside in policy
0:15:46	the policy map inside in
0:15:48	this is going to apply to everything class hash default
0:15:54	and i want to set the connection options
0:15:58	i want to know what is max no. of embryonic connections that i can have
0:16:03	lets say this is going to be
0:16:05	lets say 2
0:16:10	if we now look at the service policy
0:16:15	show service policy
0:16:17	lets say interface inside
0:16:22	say right now there are 0 concurrent embryonic connections
0:16:27	if i now start another telnet session from 1
0:16:31	the asa should see this as one half of the connection
0:16:37	if i wer to start an additional one
0:16:43	this is now the 2nd half of the session
0:16:47	third one then
0:16:51	should go towards the drop count
0:16:54	if you have to do this concurrently so...
0:16:59	if we send the telnets over and over
0:17:02	then eventually the connections are going to get dropped
0:17:09	so you can see, u can use the router itself
0:17:12	to check on how somebodies corners are matched
0:17:15	but this is the main difference between what is the total no. of connections
0:17:19	vs the half open or embryonic connections
0:17:23	so this one is preventing against the TCP syn attack
0:17:27	the denial service for TCP
0:17:29	where just the total no. of connections
0:17:31	that would just be to limit
0:17:33	how much
0:17:35	traffic an individual host can send into the network
0:17:40	now the reason you may want to do that
0:17:43	is that the platform itself has a hard worth of it
0:17:46	as the total no. of connections that it can actually have
0:17:50	now you have to look at the differences between the
0:17:54	the actual hardware model, if you go to cisco.com/go/asa
0:18:00	then look at the model comparison
0:18:06	we will see for example the
0:18:09	55.10 its in mid range
0:18:14	5510 has a max no. of
0:18:19	130 thou plus which the image im going running
0:18:26	so typically you would want put some sort of limit
0:18:29	on the in host connections how many they can make
0:18:33	there is no necessary recomemded values thats going to depend on the individual traffic flows
0:18:38	because if one host eradically opens a 100 thou connections
0:18:42	then the other devices on the network they could get start from
0:18:46	access to the resources
0:18:49	if the same would be true for max no of connections per sec
0:18:52	so if i need a firewall trying to open 10 thou connections per sec
0:18:56	then i am essentially doing a denial service attack against any one else
0:19:00	for being able to go through the inspection engine
0:19:07	now the other thing that we can do with the
0:19:09	TCP normalisation
0:19:11	is to edit whether
0:19:13	TCP options or other
0:19:16	feels inside the TCP actually going to be allowed
0:19:20	when the traffic is transitting the firewall
0:19:23	now specifically within the case of the
0:19:26	CCIE sercurity lab exam
0:19:28	one of these could be a potential problem
0:19:30	is it wer trying to do a edgp peering
0:19:33	over the ASA
0:19:35	we are also trying to do mb fire authentication at the same time
0:19:39	so lets say we'r trying to do
0:19:42	a bgp peeing between
0:19:44	router 6 and router 1
0:19:46	there going to be EBGP peers
0:19:51	now BGP is a standard TCP application
0:19:55	which means, that if the client is on the inside of the firewall
0:19:59	its going to send the SYN
0:20:02	to router 1
0:20:04	and this is going to destination port 179
0:20:07	when router 1 replies with the syn ack
0:20:12	its going to be using source port 179
0:20:17	then finally router 6 actually opens the connections it replies with its final acknowledgment
0:20:21	its going to be using destination port 179
0:20:27	so since this is a standard TCP application
0:20:30	at this point we do not need any exceptions
0:20:32	for the master policy framework
0:20:35	or for any access less exceptions
0:20:37	because TCP already is being inspected
0:20:42	so lets a look at this now, i going remove the previous filter that i did
0:20:46	on router 2
0:20:48	lets say acces list 100
0:20:52	and one router 1
0:20:55	we configure bgp 1
0:20:57	that is going to peer
0:20:59	with router 6 or 10.0.56.6
0:21:02	is router 6 address
0:21:04	so say its in turn of sys 6
0:21:07	since this is a multi up any 2 increase my time delay
0:21:12	so we need bgp multi hub
0:21:17	same configuration on router 6
0:21:20	router 6 is going to appear 1
0:21:23	and then is the address 200.0.12.1
0:21:28	and this is going to be
0:21:30	an ebgp multi hop peering
0:21:35	now assuming that i already reach that addrss
0:21:38	200.0.12.1
0:21:41	i should have problems with the basic TCP transport
0:21:46	because the asa is already inspecting this
0:21:48	and we can see this when we log this on router 6
0:21:52	that the bgp peeing did come up
0:21:55	so its not an issue of the normal
0:21:57	bgp control plan going from inside to outside
0:22:01	if we go to the asa, and look at the show connections
0:22:05	we see that the in active session
0:22:09	that says the outside interface, i m expecting to come in from router 1
0:22:14	using source port 179
0:22:16	its going to router 6 and using this random high port as the destination
0:22:23	now the actual port value is based on six negotiate with one
0:22:27	one of the sending the original bgp open message
0:22:31	so there is nothing wrong with it upto this point
0:22:34	now the problem comes in
0:22:36	when we try to use
0:22:38	non standard options inside the TCP hub
0:22:42	so if we to go under the bgp process
0:22:45	and change this
0:22:46	so that the neighbours are now doing authentication
0:22:52	dcp just like ldp
0:22:55	for mpls
0:22:56	is using TCP as transport
0:23:00	what this means that the authentication mechanicms
0:23:04	don't using new built in
0:23:09	they simply going to use the mechanism that is already there in the TCP
0:23:14	now you can see the specification for this if you look for
0:23:18	the TCP mp 5
0:23:20	signature rfc
0:23:29	rfc 2380
0:23:30	5 protectional dgp session via the tcmp 5signature option
0:23:35	its how it should be implemented
0:23:38	its also going to point back what is the particular rfc
0:23:41	that is
0:23:44	TCP extensions for
0:23:50	high performance, one of these is going to show the specifically for TCP
0:23:55	how the md5 option is implemented
0:23:57	this one here is just saying that dgp is going to use that
0:24:00	because TCP md5 authentications are already there
0:24:05	now the problem we run into
0:24:08	we see now on router 1
0:24:10	its says there is no md5 digest
0:24:13	coming in from router 6
0:24:17	if we look at the bebug ip dgp
0:24:20	and do the same thing on router 6, debug ip bgp
0:24:25	we will see exactally what's happening is that the bgp open message
0:24:29	is being send between the two of them
0:24:32	but its failing the authentication
0:24:35	because the passport feel is being straight
0:24:39	and this what the asa is doing with its TCP normalisation engine
0:24:46	now there is essentially two different
0:24:48	tribute that we need to take into here
0:24:51	the actual md5 signature
0:24:53	that is one of the TCP options
0:24:55	and the TCP sequence nos.
0:24:58	that are used as a seed or salt value for the mb 5 patch
0:25:04	now i mentioned this a little bit before, but
0:25:07	by default the asa does run
0:25:10	randomization of the sequence nos
0:25:13	and u see this when we look at the
0:25:15	the show all policy now
0:25:21	show run all policy now
0:25:25	that random sequence nos are enable
0:25:31	so actually there two fold problem wer having here
0:25:34	that the actual md5 password is being stripped
0:25:37	and even it were to be included
0:25:40	its going to end up be the worng value
0:25:43	because we using the sequence no plus the password to derive the hash
0:25:47	the sequence no is wrong or the password is wrong we end up with wrong hash value
0:25:52	so now we need to two things
0:25:54	i need the asa
0:25:57	that the traffic is moving between
0:25:59	router 1 and router 6
0:26:02	so for this dgp session
0:26:04	i donot want to
0:26:06	randamise the sequence values or the sequence nos
0:26:09	and i want to allow the md5
0:26:12	hash in the TCP hub
0:26:17	now specificlly the option no is TCP option no 19
0:26:23	so if you look for search for TCP option no 19
0:26:27	this is the md5 signature
0:26:30	this is the actual portion of the header that is the password is stored
0:26:36	so when the asa first sees the ethernet header
0:26:39	sees the ip header
0:26:41	ip header says TCP is next, TCP header
0:26:45	then its sees option over 19
0:26:47	it thinks its a male form of TCP packet
0:26:51	so its trying to remove
0:26:53	this portion from the packet
0:26:56	we need to tell her do not do that
0:26:59	and this is what we'r going to use the TCP for
0:27:02	to the change the TCP normalisation sets
0:27:08	so thenext thing i need to do
0:27:10	is tell the asa how exactlly do i classify this traffic flow
0:27:15	well when know when dgp uses it uses TCP as a transport
0:27:19	and it uses port 179
0:27:22	now it could be more specific when i say its coming from router 6 address and going to 1 and vice versa
0:27:29	but assuming its our only dgp session
0:27:33	i could just match it based on port no. 179
0:27:38	so first step im going to create a class map
0:27:41	class map is going to say, bgp, this is going to match the port no.
0:27:48	and this is TCP
0:27:51	that is equal to 179
0:27:55	so now i know what the traffic im going to match
0:27:58	next thing i need to do is to inspect this traffic
0:28:03	with the new policy that's going tell TCP
0:28:07	to tell the asa suspection engine to allow TCP option no 19
0:28:11	and do not change
0:28:13	the sequence nos.
0:28:17	so first thing im going to find next is going to be
0:28:20	the TCP map
0:28:23	say this is bgp
0:28:25	bgp TCP map
0:28:31	now you could see all the other options here
0:28:33	this would be things like
0:28:35	do i exceed the max segment size of the packet
0:28:39	or is the data inside the syn packet
0:28:44	or im i trying to change the time to live
0:28:48	most of these
0:28:49	the default values are going to be 1
0:28:52	because its going to prevent against
0:28:53	the best majority of the male formed
0:28:55	ip or TCP header attacks
0:29:01	specifically what i want to do
0:29:03	is change how the TCP options
0:29:06	are
0:29:08	and for option no. 19
0:29:11	i need to allow this
0:29:14	normally this is being clear
0:29:16	which means that the packet is allowed through
0:29:19	when it gets to the other side it no longer has the password anymore
0:29:24	the other thing i need to do is tell her not randomise the sequence nos.
0:29:29	this is not going to be on the TCP map this is going to be on the normal class
0:29:34	so now i have my class map
0:29:36	and have my TCP map
0:29:38	show run class map bgp
0:29:42	show run TCP map
0:29:46	next we have the policy that's already applied
0:29:50	i can apply this to inside in
0:29:52	or i can apply it to the global policy
0:29:55	because remember if i apply to inside
0:29:58	its going to be by direction, so its going to be from outside in and inside out
0:30:03	global policy this would apply it to all interfaces
0:30:09	for this new policy in the class that i defined
0:30:14	which is the bgp class
0:30:18	i want to set the advanced options of the connection
0:30:24	and the TCP map names specificaly is
0:30:30	bgp tcp map
0:30:34	so this is now going to allow option no19
0:30:37	the other thing i need to do
0:30:39	is for the random sequence nos
0:30:43	set random sequence nos
0:31:02	set connection random sequence nos
0:31:05	diable this because this again this is on by default
0:31:10	so if we look at the show run policy now
0:31:15	for the default inspection
0:31:18	bgp now has its own inspection class
0:31:21	that says do not randamise sequence nos do not strip tcp option no 19
0:31:28	so this is what we should see now is that the peering
0:31:32	from router 1 and 6 is going to come up
0:31:37	we look at the ipbgp summary
0:31:42	eventually this should change from
0:31:44	active to open
0:32:22	now to actually force the new policy i may need to clear out the connections on asa
0:32:27	if we look at the show connections
0:32:29	we already have these
0:32:31	tcp sessions from router 1 & 6
0:32:34	so to get the new
0:32:36	attributes to apply on to them
0:32:38	i should clear
0:32:40	lets say clear connections all, this is going to do everything
0:32:58	now may be converging here but in the meantime
0:33:01	lets take a look at asa and see if we'r actually getting packet on
0:33:05	this particular policy
0:33:07	so lets say show
0:33:09	service policy
0:33:12	show service policy, global
0:33:28	and it looks like its not classifing
0:33:30	what we can do here next
0:33:33	is change the order of the classes
0:33:36	because as i mentioned if something else is already matching the bgp flow first
0:33:41	it may be taking those parameters over these ones
0:33:44	so lets say show run
0:33:46	service policy
0:33:49	and temporarily im going to remove inside in policy
0:33:55	so i now know that's its not going to conflict with that
0:33:58	then also if i show run policy map
0:34:02	and look at the global policy
0:34:05	im going to re build this so that the bgp inspection is at the top
0:34:13	so i will take the current policy
0:34:16	say no class inspection default
0:34:21	no class http
0:34:24	no class bgp
0:34:26	and then re-bulid it in
0:34:28	the order with the bgp map top on or the bgp class on top
0:34:37	to make sure that this is the first one that gets classified
0:35:08	and we can now see the bgp neighbours are
0:35:10	so as i mentioned
0:35:12	the mpf can be problematic when you run into the order of operation issues
0:35:18	that ideally your most specific
0:35:21	inspection shuld be at the top of the policy
0:35:24	and then the less specific ones at the bottom
0:35:27	but the problem is with the default policy
0:35:30	anytime u make changes to global policy
0:35:33	it always takes it on the bottom
0:35:36	so by deleting these and reordering it
0:35:38	im now ensuring that the bgp traffic is inspected first
0:35:42	before it falls back down to any of the inspection default
0:35:46	now where i actually have a problem with the other policy wheterh the dmz or the inside in
0:35:52	i will then need to reapply that
0:35:54	clear the bgp session see if it comes back
0:35:57	if the session doesn't come back then i know there is a mode of operation problem between two of them
0:36:06	so some of these problems like they can be very unsecure
0:36:09	and it requires that you realy understand what's going on at the application level
0:36:14	of the particular protocol you'r trying to use
0:36:17	we will also see that this problem
0:36:19	could appear in the ips sensor
0:36:22	if we'r doing inline monitoring
0:36:25	the ips sensor does have its own tcp normalisation engine
0:36:30	and if like wise we will try to strip the tcp options
0:36:33	because under normal circumstances
0:36:36	the normal applicaiton should not be using them
0:36:39	like in the case of web browsing there is not really a valid case when you need something , the ip options with the tcp options header
0:36:45	most of time that's the indication of an application attack
0:36:49	what we know in this specific case
0:36:52	that bgp needs to be the exception to this
0:36:55	because it cannot deal with random sequence nos
0:36:59	nor it can have the option no 19 removed
0:37:05	so agian lets look at the final configuration for this, if we sh run class -map bgp
0:37:10	sh run tcp map
0:37:14	sh run policy map
0:37:18	the key is that the
0:37:20	the traffic is first classified based on the port
0:37:23	so its that saying port 179
0:37:27	if it is port 179
0:37:29	allow it to have option 19
0:37:32	but additionally
0:37:33	make sure we'r not randamising the sequence nos
0:37:40	for the best majority of changes you would make here
0:37:44	we would want to use the documentation as a reference
0:37:48	so if you go to the configuration guide for asa
0:37:51	under
0:37:53	using the modular policy framework
0:38:01	this may also be under application
0:38:06	level inspection search for tcp
0:38:19	so its one of the documents that's in the configuration guide
0:38:22	what you could do is work backwards from the
0:38:25	the command reference
0:38:27	so we'r go to the command reference
0:38:31	then go to t for tcp map
0:38:38	you will see some of the
0:38:42	some of the usage guide line, it say for more
0:38:46	for more information how Modular framework policy works check the
0:38:51	configuration guide, just rem exactally where it is located
0:38:56	so you can see some of the examples
0:38:57	but this is one of the reasons that you really need to spend time on the documenation
0:39:02	because the place that the stuff is located is not really straight forward
0:39:07	unless hardly gone through the manual navigation path
0:39:10	you could end up wasting up lot of time in the exam actually trying to find it
0:39:15	because as we know the easiest way which is used to say
0:39:19	search for like bgp through asa firewall
0:39:24	and then you could see there is a configuration example for it
0:39:27	but you r not going to have accesss to these type of docs in the exam, the search engine is not going to be available
0:39:34

Now Viewing

CCIE Security Advanced Technologies Class
Title:	CCIE Security Advanced Technologies Class
Duration:	39h 19m
The CCIE Security Advanced Technologies Class is the first step in understanding CCIE level technologies and is a companion to the Advanced Technologies Lab Workbook. Each technology you need to know for the CCIE Security lab will be described in detail using an instructor led hands on demonstration. The class consists of over 40 hours of in depth explanations and examples.
Get instant access to our entire library!
$159/month	Add to Cart
Download this Course
$299.00	Add to Cart

ASA Advanced TCP Inspection with MPF

Create Bookmark