0:00:13 In our next session here we are going to take a look at some examples on the ASA
0:00:17 of using the Modular Policy Framework for inspection,
0:00:21 some of the possible problem areas when we run into protocols that do not have an application inspection engine,
0:00:27 and then how we can modify with the layer 3 / layer 4 class maps
0:00:32 and the layer 7 class maps
0:00:34 in order to do things like HTTP inspection
0:00:36 based on domain names or URLs
0:00:40 and different other application policies.
0:00:43 Now as we can see from the topology here,
0:00:46 right now we have ASA2 configured
0:00:49 as we were previously, where we have the inside network
0:00:53 that is attached down to router 5 and 6,
0:00:55 the DMZ network is connecting to the ACS server
0:01:00 and then the outside network is connecting to the rest of the hosts.
0:01:04 Now what we should see from the default behaviour
0:01:08 is based on the fact that the inside interface has a security level of 100,
0:01:12 the DMZ is 50 and the outside is 0,
0:01:17 that the inspection engine is going to allow flows to go from the inside to the DMZ
0:01:22 or inside to outside,
0:01:25 then from the DMZ to outside,
0:01:28 but not from the DMZ to inside, or not from outside to DMZ or outside to inside.
0:01:34 So we are going from the higher security level
0:01:36 to the lower security level and then returning.
0:01:39 If we want it to go the reverse way, we have to make a manual exception
0:01:44 to the inspection engine with an access list.
0:01:48 So, first let's take a look at
0:01:50 the command line, let's start on the inside network
0:01:54 and we want to know just can router 5
0:01:56 send traffic out to the rest of the outside network.
0:02:00 Now as I mentioned before,
0:02:03 when we look at the default inspection policy on the ASA,
0:02:06 if we say show run all
0:02:09 or first let's say show run, show run policy-map,
0:02:17 it's that we have a default policy
0:02:19 which is the global policy.
0:02:21 Global policy is matching the inspection default traffic
0:02:25 and some of these application
0:02:28 level inspections are occurring by default, like FTP,
0:02:32 the sendmail,
0:02:34 SQL traffic,
0:02:36 then the DNS traffic, we can see, is using a preset DNS map.
0:02:41 This is where we are calling the layer 7 policy,
0:02:47 where the layer 7 policy is calling its layer 7 class map
0:02:51 and doing some sort of specific application inspection on the DNS.
0:02:58 So we'll come back to this portion in a little bit once we go through the basic inspections
0:03:02 and we will see exactly what's the default behaviour of the DNS.
0:03:07 Now if we look at the show
0:03:09 service-policy
0:03:12 we could see
0:03:13 what is configured for the global policy
0:03:16 and what are the particular packet maps that are occurring here.
0:03:21 Now in addition to the class map inspection default
0:03:24 there is actually a default class here
0:03:27 that is matching all of the other TCP and all of the other ICMP flows.
0:03:32 So TCP normal applications, UDP normal applications will be allowed
0:03:37 from higher to lower.
0:03:39 What would not be allowed
0:03:41 is an ICMP flow.
0:03:45 So if we were to ping, let's say, the loopback address of router 2,
0:03:48 which is 200.0.0.2,
0:03:51 we could see that this is not allowed by default.
0:03:55 However, if we were to use telnet
0:03:59 instead of ICMP, if we were to telnet to 200.0.0.2,
0:04:03 since this is a TCP flow
0:04:05 this type of traffic is allowed.
0:04:09 Now on the ASA if we were to turn logging on,
0:04:12 if we were to say logging console at level 7
0:04:16 and logging on,
0:04:18 we should see that when the return traffic
0:04:21 for the telnet occurs
0:04:27 that this is being inspected and allowed.
0:04:30 It says we are
0:04:32 building a TCP session
0:04:35 that is coming
0:04:37 from the inside, 10.0.125.5,
0:04:41 the source port is 17861, so that's a random port,
0:04:46 and it's going to the outside, it's 200.0.0.2, at port 23.
0:04:52 Now we can also verify this if we look at the show connections.
0:04:56 It's going to show active connections.
0:04:58 We said show connections all or show connections detail,
0:05:02 this is, it's also going to show what is locally
0:05:05 originating on the ASA or what is locally terminating there,
0:05:09 which in this case would be
0:05:11 the EIGRP traffic,
0:05:13 the OSPF routing traffic,
0:05:15 the RIP routing traffic,
0:05:17 in addition to
0:05:20 the telnet session that's going through.
0:05:24 Now if we were to do an ICMP ping,
0:05:28 so ping 200.0.0.2,
0:05:33 we look at the ASA's logs,
0:05:36 it says this flow is being denied
0:05:38 as it comes in on the outside interface
0:05:42 trying to go to this host on the inside,
0:05:45 because the outside interface is again a lower security level,
0:05:48 the traffic is denied as it is going from lower to higher.
0:05:52 Now also notice that it is not doing an inspection for this; if we were to look at the show connections
0:06:00 or show connection all or show connection detail
0:06:03 we are not going to see any information about the ICMP flow.
0:06:07 This is because it's not going through
0:06:09 the Modular Policy Framework by default.
0:06:13 Now if we wanted to include this,
0:06:15 the only thing we would need to do
0:06:17 is specify a class that is going to match the ICMP traffic
0:06:22 and then inspect that,
0:06:24 and in the case of the ASA we actually do have an inspection engine for ICMP
0:06:29 because it knows when a single ICMP echo goes out
0:06:32 that the ICMP echo reply should come back in.
0:06:37 So if we were to go to, let's say, show run again policy-map,
0:06:43 if we were to go to our global policy
0:06:47 and we say policy-map global policy,
0:06:52 we could say for the default inspection class
0:06:56 I want to inspect
0:06:59 ICMP.
0:07:02 Now if for some reason the individual application that we were trying to use does not have a match here when we look at inspect,
0:07:09 it means that we have to do a manual exception with an access list.
0:07:14 So anything that cannot be exclusively inspected
0:07:18 that's not already a standard TCP or UDP application,
0:07:21 we are going to have to make manual exceptions for that.
0:07:25 So now once the inspection's occurring,
0:07:28 from the inside we should be able to ping to the outside.
0:07:32 Then if we were to go to the DMZ link,
0:07:36 which is where the ACS server is located,
0:07:39 we should see that we are able to ping from the DMZ to the outside
0:07:44 because the global policy again is going to apply to all interfaces inbound.
0:07:54 So, let's take a look at the ACS server here,
0:07:58 we go to its Windows command line,
0:08:01 I should be able to ping 200.0.0.2,
0:08:08 so I am pinging from the DMZ to the outside,
0:08:10 but would not be able to ping from the DMZ to the inside
0:08:16 because I am going from a lower security level to a higher value,
0:08:20 and if we look at the ASA we will see that those packets are dropped
0:08:23 as they are coming from the DMZ in.
0:08:29 So again this change in the inspection policy,
0:08:32 this is now affecting all the traffic flows.
0:08:35 If we show run policy-map,
0:08:38 the global policy
0:08:40 says now include ICMP,
0:08:43 this applies to all interfaces, all directions.
0:08:49 Now let's say I didn't want to apply this to everything, I wanted to do a more specific inspection,
0:08:54 maybe I want to allow ICMP pings from some hosts but not others.
0:08:59 Let's say I want to allow it from router 6's address here,
0:09:02 which is 10.0.56.6,
0:09:07 and I want to allow this to go from the inside to the outside
0:09:12 or from the inside to the DMZ,
0:09:15 but I don't want anyone else's ICMP traffic to be inspected.
0:09:20 So, this would then mean
0:09:22 instead of using the global policy or using the
0:09:26 the default inspection class,
0:09:28 I am going to need a new class map that classifies that individual traffic flow
0:09:33 and I am going to need a new policy map that is applying
0:09:37 specifically to the inside interface.
0:09:42 So the first step would be to classify the traffic.
0:09:45 I want to match specifically the pings that are coming from router 6,
0:09:49 so we are going to do this with an access list.
0:09:51 I will say access-list
0:09:54 ping from R6
0:10:00 is going to permit ICMP, the ping, from
0:10:03 10.0.56.6
0:10:06 and I don't really care where it's going,
0:10:09 there is one message coming from that particular host.
0:10:13 Hey, now technically it's more than ping, it's going to be all ICMP.
0:10:18 If I wanted to be more specific, I could say match the type code as well
0:10:22 and match just the echo,
0:10:25 but don't match things like the ICMP mask reply or the ICMP mask request.
0:10:32 There, I have my access list that's classifying the ICMP.
0:10:36 Next thing is that I would need a class map.
0:10:38 class-map, I will say that this is the ping from R6 class,
0:10:45 and inside the class map we are going to match the individual traffic flow.
0:10:50 So again this is a normal layer 3, layer 4 class,
0:10:55 which means that I can match the traffic based on an access list,
0:11:00 based on the layer 3 QoS markings, DSCP or IP ?? values.
0:11:06 If it was voice traffic, I could match it on the RTP port numbers,
0:11:11 that would be like for video or for voice,
0:11:14 or I could match on the TCP or UDP port number.
0:11:18 For VPN traffic I could base it on the individual flow or base it on the tunnel group,
0:11:24 so these we will look at in more detail when we get to the LAN-to-LAN and remote access VPNs,
0:11:30 but in this case I would match it based on the access list that I configured.
0:11:34 I will say show run access-list,
0:11:37 I want to match based on the access list
0:11:40 ping from R6.
0:11:44 So now I know what is the particular traffic flow that I want,
0:11:48 next thing is I need to tell it, inside a policy,
0:11:52 exactly what do I want to do.
0:11:54 So this is going to be a new policy map
0:11:57 that is my inside in,
0:12:00 or I could,
0:12:03 more accurately, it could have been just inside,
0:12:07 because technically the flows are going to be bidirectional.
0:12:10 In the policy map, I am now going to call the class,
0:12:15 the class is called
0:12:17 the ping from R6 class,
0:12:22 and whatever I want to do with the particular traffic.
0:12:25 So I could inspect it, I could do
0:12:28 QoS on it, like police it, or prioritize it or shape it,
0:12:33 I could change the advanced options,
0:12:36 set the
0:12:38 the timeout for them, set the maximum number of connections, the maximum per client,
0:12:44 this would be our TCP normalization engine.
0:12:47 In the case of ICMP, generally we wouldn't do this because
0:12:50 it's not really a stateful connection-oriented protocol like TCP is.
0:12:56 So what I want to do here is just inspect it.
0:12:59 I am going to inspect it and use the ICMP inspection engine.
0:13:03 So now the ASA is going to know, when one echo goes out
0:13:06 I should be receiving one echo reply back in.
0:13:11 We now look at the show run policy-map,
0:13:16 we will see the new policy I configured, inside in,
0:13:19 it's going to match the class on router 6 and it's going to inspect the ICMP.
0:13:23 Now I need to apply the policy map to the interface.
0:13:27 I will say service-policy,
0:13:31 service-policy, it's called inside in,
0:13:35 and it's applied to the interface named inside,
0:13:39 so here it's looking for the nameif, not the actual physical name.
0:13:45 Now notice that it does not ask me for a direction.
0:13:48 Again the direction of the traffic flow
0:13:51 is implicitly based on how I did the access list classification,
0:13:56 so based on the fact
0:13:58 that the access list is matching router 6's address as the source,
0:14:03 it's going to be matching the incoming traffic on the interface.
0:14:08 If I matched it as the destination
0:14:11 then it would be matching the outgoing traffic.
0:14:15 But keep in mind, once we are calling the inspection engine
0:14:19 this is still technically separate
0:14:23 from the security level associations,
0:14:25 so just because the policy is inspecting it
0:14:28 doesn't mean that the traffic will go from low to high.
0:14:32 If I want to inspect traffic from the outside interface in,
0:14:37 so let's say that this segment here is a web server
0:14:41 that I do an inspection for,
0:14:43 it would mean that not only would I apply the inspect
0:14:47 to either the outside interface or to the inside interface,
0:14:51 but I would still need an ACL
0:14:53 that says it's ok to go from this low interface to a high interface.
0:15:00 So technically the Modular Policy Framework does not do the permit or deny,
0:15:05 it's the security level and the access list that you permit or deny with,
0:15:08 once you get past that phase then you can go to the inspection.
0:15:15 Hey, let's now look at the show
0:15:18 service-policy,
0:15:21 we see for interface inside right now it says that no packets have been matched,
0:15:25 not that they have been dropped.
0:15:27 So if we go to router 6, we should now be able to ping
0:15:30 200.0.0.2,
0:15:34 if we look at the counters now
0:15:38 we see that the classification is occurring.
0:15:41 Now notice here it has been 10 packets,
0:15:44 it's 5 out and 5 in,
0:15:47 it has for every one echo I sent out
0:15:49 I got one echo reply back,
0:15:52 and this is showing that this inspection is bidirectional.
0:15:56 What if I were now to go to anyone else on the inside,
0:16:00 let's say on router 6
0:16:02 that I sourced this traffic from my other interface
0:16:08 that is here, 10.0.6.6,
0:16:13 and see what the ASA says, let's say show
0:16:16 connections,
0:16:20 and actually what I didn't do, let's show run policy-map,
0:16:25 I did not remove the old inspections, I need to take this one off.
0:16:30 Let's say policy-map global policy,
0:16:34 that's inspection default,
0:16:35 no inspect ICMP.
0:16:40 We look at the show connections,
0:16:42 we can see right now there are no transit connections, it says the ones that are 5 in use,
0:16:48 those would be local connections.
0:16:50 If I wanted to see those, I would say show connections all.
0:16:55 So now on router 6 I should see
0:16:57 that when traffic is being sourced
0:17:00 from 10.0.6.6
0:17:04 this is not being inspected,
0:17:07 however if I were to source it
0:17:10 from the normal interface
0:17:12 which is the one I am matching,
0:17:14 10.0.56.6,
0:17:17 this one is matching the inspection engine.
0:17:24 So this is simply a basic way
0:17:26 that we can be more specific in our classification to figure out what type of traffic do we want to
0:17:32 allow or what type of traffic do we not want to allow.
0:17:35 So again if we show run
0:17:37 class-map,
0:17:39 class map says match the access list,
0:17:41 the access list says
0:17:44 that it's going to be ICMPs from router 6.
0:17:49 We show run
0:17:50 policy-map,
0:17:53 says if it is this pings from router 6 then I am going to inspect it with the ICMP engine,
0:18:00 then this policy is applied to the inside interface.
0:18:06 So if we actually look at the debug now, if we turn logging on
0:18:10 and log to the console at level 7,
0:18:13 logging console 7,
0:18:17 when I do these pings from
0:18:19 the correct interface
0:18:21 and then the incorrect interface,
0:18:24 we would see the
0:18:26 outbound connection
0:18:28 from the 56.6,
0:18:30 this is being allowed,
0:18:32 when the return packet comes in, this is what the teardown means,
0:18:36 so the echo went out,
0:18:39 the echo reply came back in,
0:18:41 then the connection is being deleted.
0:18:44 What this is preventing against
0:18:46 is someone on the outside doing a reverse denial of service attack
0:18:51 by trying to flood ICMP replies without the request.
0:18:56 Now this would also prevent
0:18:59 against what's known as either a fraggle or a smurf attack.
0:19:05 Now a fraggle and a smurf attack, they are reverse spoofing attacks
0:19:10 that are designed,
0:19:11 with either the ICMP echo or the UDP echo protocol,
0:19:16 to try to flood a particular segment on the network; it's just a basic layer 3 denial of service.
0:19:22 Now, the way that this works
0:19:25 is that, let's say that the attacker
0:19:29 is on router 4's LAN segment
0:19:33 and router 4 is trying to attack router 6.
0:19:37 What it's going to do
0:19:39 is source traffic
0:19:42 from the address of 6,
0:19:45 so it's doing a spoofing of router 6 as the source.
0:19:48 It's then going to send an ICMP echo,
0:19:51 let's say it sends it to this segment here,
0:19:55 it sends the echo
0:19:58 but the destination it uses
0:20:00 is the directed broadcast
0:20:03 of that link.
0:20:07 Now if the host sends it to the directed broadcast, what's going to happen,
0:20:13 assuming that directed broadcast transmission is on,
0:20:18 it means that all hosts on that VLAN
0:20:22 are going to receive the echo
0:20:24 and they are all going to try to reply.
0:20:26 Now when the reply occurs
0:20:29 they think the traffic came from 10.0.56.6,
0:20:33 so when hosts on VLAN 122 reply, they are actually replying this way.
0:20:40 So it's a kind of a reverse spoofing attack
0:20:43 where the true attacker, which is router 2, or whoever is on the LAN,
0:20:52 they are essentially unsuspectingly becoming the source of the denial of service attack.
0:20:57 Now when we get more into the network attacks and preventions
0:21:01 we will see that there are some basic ways that we can prevent this,
0:21:03 but the ASA implicitly is preventing against this attack
0:21:07 by saying I cannot have an unsolicited
0:21:10 echo reply
0:21:15 without the echo request.
0:21:18 Now this is one of the fundamental differences
0:21:20 between using an access list for an exception
0:21:24 versus using the inspection engine,
0:21:26 because the inspection engine knows that for every one echo there should be one reply,
0:21:31 but if I had an ACL that simply said permit all ICMP,
0:21:35 then it is not going to protect against this attack.
0:21:39 And you can actually try this out on the router, it is actually real simple to do.
0:21:43 If I were to go to router 4,
0:21:45 let's say that
0:21:47 in
0:21:50 my configuration I am going to create a new loopback, let's say loopback 6,
0:21:54 that has the address
0:21:56 that is
0:22:00 10.0.56.6, that's router 6's address.
0:22:09 Now I am going to ping
0:22:11 the address of router 2, so 200.0.0.2,
0:22:15 here we can see I can send traffic there,
0:22:18 for what I am now going to do
0:22:19 is source this from my loopback 6
0:22:23 and I will give that a high repeat count
0:22:26 and no timeout,
0:22:30 so I am essentially just sending packets as fast as the router can.
0:22:33 If we look at the ASA,
0:22:36 notice what's happening here,
0:22:39 it's basically being flooded with these ICMP replies
0:22:44 and the reply is coming from
0:22:47 200.0.0.2,
0:22:50 the reply is coming from 2, it's not coming from 4.
0:22:54 Now I may have actually locked myself out of the command line here, let's say no logging console
0:23:00 and see if it will catch up; this is one of the reasons why you don't want to send the log messages to the console.
0:23:06 Hey, normally you would send them like to the buffer or to the syslog.
0:23:14 Here we see 4's attack is still going on.
0:23:16 Now, if I would have changed this to say
0:23:20 access-list outside
0:23:23 access-list outside in
0:23:26 permit ICMP any any,
0:23:28 then access-group
0:23:31 outside in, in interface outside,
0:23:36 if we would have looked at router 6
0:23:39 and looked at
0:23:42 packet accounting,
0:23:44 so let's say, let's create a basic access list on router 6, let's say access-list 100
0:23:48 permit ICMP any any echo-reply
0:23:53 and access-list 100 permit any any,
0:23:57 then I am going to apply this in
0:24:00 on my LAN interface, in on FastEthernet 0/0.
0:24:04 What this is going to do is just give me a basic packet counter,
0:24:08 so I will say ip access-group 100 in.
0:24:12 If we could now look at the show access-list,
0:24:16 we can see that router 6 is getting tons of these replies.
0:24:24 So this would then be the disadvantage
0:24:27 of using the ASA with any application
0:24:30 that it does not already have an inspection engine for,
0:24:35 so if you need to do a manual exception in the access list
0:24:38 you are potentially opening yourself up for some sort of attack, whether it's just denial of service
0:24:43 or an application level attack
0:24:45 that's related to that individual service.
0:24:49 So it's going to be more taxing on the ASA to do the inspection
0:24:52 versus just the ACL pass,
0:24:56 but you are sacrificing the performance for more security,
0:25:02 it's kind of a give and take on the platform there.
0:25:09 Okay, now let's look at a case,
0:25:11 does anybody have any questions on this,
0:25:13 the inspection that I did on the ASA here?
0:25:30 So again it's four pieces to tie this together: have the access list match in this ICMP,
0:25:35 the class matching the access-list,
0:25:38 the policy map matching the class
0:25:41 doing the inspection,
0:25:43 and then the policy map is then applied as a
0:25:46 service policy.
0:25:49 So this is just our basic layer 3, layer 4 inspection.
0:25:54 Now as for the second part, when I was doing the spoofing attack,
0:25:58 the only thing I did on router 4
0:26:00 is I created a
0:26:02 loopback, this is the person I am trying to attack,
0:26:06 then I sourced packets
0:26:08 from this address
0:26:11 going to router 2, so when router 2 replies to my pings
0:26:16 the reply is going back to router 6, the reply is not going back to router 4.
0:26:22 So we will look at some more examples on this when we get to know more about the network attacks,
0:26:26 the way that you can use the network itself to test it out to make sure that the
0:26:30 the attack is prevented.
0:26:51 Okay, so let's look at another case here
0:26:53 where we are trying to send a non-standard application through the inspection engine,
0:26:59 and one way that we can test this out is to use the
0:27:03 traceroute application.
0:27:07 Now traceroute is implemented differently depending on the individual vendor,
0:27:12 whether we are looking at the Unix variation of the traceroute
0:27:15 or Windows traceroute,
0:27:17 where the overall idea
0:27:20 is that we are trying to figure out what are the hops in the network between me and a particular destination.
0:27:27 Now the way that this is actually implemented,
0:27:30 there are a lot of different ways that you can do it,
0:27:33 hey, but in general if I am saying that router 6 is the source of my traces,
0:27:38 it's going to send some sort of packet out
0:27:41 with a time to live of 1
0:27:46 in order to solicit a reply from router 5
0:27:49 saying that the time has exceeded
0:27:55 or that the TTL has expired,
0:27:57 basically router 5 is going to reply back saying I had to drop your packet
0:28:00 because the time to live is too small.
0:28:03 Now router 6 knows that 5 is the first hop on the transit path,
0:28:08 next thing it does is that it sends another packet out
0:28:12 with a TTL of 2,
0:28:15 so now the second hop should expose itself,
0:28:18 so on and on and on and on, it's going to keep incrementing the TTL,
0:28:22 sending the packet to whatever the final trace is, let's say we are tracing to router 4.
0:28:27 When the packet actually gets to router 4,
0:28:30 router 4 is going to reply saying I am the last hop in the path.
0:28:37 Now there are a couple of different ways to implement this, you could do it with ICMP,
0:28:40 you could do it with UDP
0:28:42 or you could even do it with TCP.
0:28:46 In the case of Cisco IOS
0:28:48 it uses the Unix variation of traceroute,
0:28:51 which means that the outbound traffic
0:28:53 is going to be UDP
0:28:56 and the return traffic
0:28:58 is going to be either
0:29:00 an ICMP message telling us that the time has exceeded
0:29:05 or the final message coming back in
0:29:08 saying that the port is unreachable.
0:29:14 So essentially router 4 should reply saying I don't have that particular service open,
0:29:19 so if I send a TCP packet to a web server at port 81
0:29:23 most likely they are going to reply back to me with port unreachable
0:29:27 saying I don't have port 81 open.
0:29:31 Now the potential problem with this
0:29:33 is that for this type of application
0:29:36 the outbound traffic flow
0:29:39 is different than the inbound return flow.
0:29:44 So from router 6 to router 4
0:29:47 the outbound traffic is UDP,
0:29:52 so it's UDP that's going to go to some random port value,
0:29:55 however the return traffic
0:29:58 is going to be either
0:30:00 the ICMP
0:30:02 TTL expired or the time exceeded, or
0:30:07 the ICMP port unreachable.
0:30:13 This is the type of case where a stateful firewall
0:30:17 would have a problem understanding this traffic flow
0:30:20 because the outbound traffic is not a mirror image of the inbound return flow.
0:30:28 Now we saw already with our configuration with the ASA
0:30:32 that we were allowing ICMP to be inspected
0:30:35 as the traffic went out,
0:30:37 so on the ASA
0:30:40 I am going to temporarily remove
0:30:45 this access-list that is allowing the
0:30:48 the outside in traffic,
0:30:51 so nothing is, there is no exception to what's allowed other than the inspection engine.
0:30:56 So from router 6
0:30:58 I should be able to ping to router 4,
0:31:01 okay, one of the addresses on router 4 is 172.16.4.4.
0:31:17 Hey, let's try something closer, let's say ping to,
0:31:20 let's try router 2, here 2 works,
0:31:24 3 works,
0:31:26 then we may have, we may have a routing problem here,
0:31:35 and actually the routing problem, that's the previous loopback that I configured, I need to remove that.
0:31:48 Okay, so 6 should be able to ping router 4,
0:31:51 so we know that the outbound ICMP echo flow is getting there
0:31:54 and we know that the inbound echo reply is coming back.
0:31:58 If I were to telnet to this address,
0:32:01 since TCP is already being inspected,
0:32:04 we see that there is no problem with the telnet flow,
0:32:07 however if I were to do a traceroute to the same address
0:32:12 the flow should be dropped
0:32:14 as it tries to come in
0:32:16 on the outside interface of the ASA,
0:32:21 and we would see this if we went to the ASA and turned logging back on,
0:32:27 so logging on, logging console 7,
0:32:30 we should see that in on the outside interface
0:32:35 we are denying a couple of different ICMP flows.
0:32:40 It says there is ICMP type 3 code 3
0:32:47 specifically that came
0:32:49 from 172.16.34.4.
0:32:53 Hey, now let's try this again, let's do another trace from router 6,
0:32:58 I should see two different types of ICMP flows being denied,
0:33:04 it's ICMP type 11, code 0
0:33:09 and then eventually ICMP type 3, code 3.
0:33:21 Now, let's turn logging back off.
0:33:23 Now if we look at exactly where these are coming from,
0:33:26 it says that the ICMP type 11, code 0,
0:33:32 this came in from router 3,
0:33:35 and if we would scroll up, we would see it came in from router 2 also.
0:33:39 Then the other type of flow,
0:33:42 which is coming from router 4,
0:33:45 this is the type 3, code 3.
0:33:50 So unless we already knew what those type values are
0:33:53 it's going to be hard to decode exactly what they say,
0:33:56 so let's go ahead and look this up,
0:33:59 let's just search for the ICMP type codes.
0:34:08 So, I want to know what is
0:34:11 type 11, code 0
0:34:14 and type 3, code 3.
0:34:23 So the official document, this is via IANA, those who do the protocol number assignments, remember,
0:34:28 it says type 11 is time exceeded,
0:34:33 where type 11 sub code 0
0:34:37 was the time to live exceeded in transit,
0:34:40 so this is our TTL expired or time exceeded,
0:34:44 and this is the message that should be coming in from the intermediate hops
0:34:49 from the source to the destination.
0:34:53 Then we have the second code that is type 3 code 3,
0:34:57 type 3, code 3,
0:35:00
|
where type 2 is destination unreachable
0:35:03 sub code 3 is port unreachable
0:35:10 so just as I was mentioning, when we go
0:35:13 from the source to the intermediary hops
0:35:17 they are going to be replying with ICMP
0:35:20 time exceeded or TTL expired
0:35:23 then the final hop which is router4 should be replying with port unreachable
0:35:29 but now the issue is, if we look at the ASA
0:35:32 and look at the show connections
0:35:38 the ASA thinks that all of these UDP packets
0:35:42 should be having return inbound flows
0:35:48 now eventually these are going to time out, if we look at the show connections detail
0:35:54 we'll see that it says the timeout here is 2 minutes 0 seconds for this one
0:35:59 some of the older ones are going to have
0:36:02 different timeouts based on the idle time of the actual flow
0:36:07 but the problem is now
0:36:10 the ASA essentially does not understand
0:36:12 that the outbound flow is UDP
0:36:16 but the inbound flow should be ICMP
0:36:20 this is the type of case where we are required to use an access list
0:36:26 there is no other way to solve this type
0:36:30 the reason why is that the ASA does not have an inspection engine
0:36:34 for the Unix variation of traceroute
0:36:38 now ideally we would just say inspect traceroute and we would know for the outbound flows which should return the
0:36:45 but in this particular version it doesn't support
0:36:48 so if we wanted to allow this type of traffic flow
0:36:52 to move from the inside network out
0:36:55 we are not having any problems there because we know that the UDP traffic
0:37:00 this is being allowed from inside out
0:37:02 because inside is security 100 and outside is 0
0:37:07 the problem is really that as the traffic comes back
0:37:09 in moving from 0 to 100
0:37:12 the ICMP codes
0:37:14 the type 3, code 3
0:37:16 and the type 11, code 0
0:37:18 these are the two getting dropped
0:37:21 so these are the two exceptions that I will need to make
0:37:24 to the outbound interface in
0:37:28 or, excuse me, the outside interface inbound
0:37:33 so on the ASA, I am going to make an access list, this access list
0:37:37 it's going to be outside in
0:37:42 it says permit ICMP
0:37:44 that is the
0:37:47 time exceeded
0:37:50 again sometimes this is called time
0:37:52 exceeded, sometimes it's TTL expired
0:37:55 means the same thing, type 3, code 3
0:37:59 then I need to permit
0:38:01 type 11
0:38:04 so access list outside in
0:38:09 is, actually I am sorry, time exceeded, this is the type 11
0:38:13 I need to permit now, type 3, code 3
0:38:17 which is part of the unreachables
0:38:22 now you will see depending on the platforms, sometimes you can say
0:38:25 the type and the code
0:38:28 in this case the ASA supports just the type, but not the subcode
0:38:33 where on the router you could classify both, if I were to say I am router1
0:38:37 access-list 100 permit ICMP
0:38:42 any any
0:38:45 I could say, port unreachable
0:38:49 which is
0:38:55 that specific sub code as well
0:38:58 but in the case of the ASA, we are
0:39:01 saying just type 3
0:39:04 not the sub code, so if I am going to allow this in the ASA, basically I need all of this
0:39:10 which is not necessarily bad
0:39:12 as long as someone does not figure this out and then do some sort of reverse denial of service attack
0:39:17 based on maybe fragmentation needed or source route failed
0:39:25 so these two lines were the same
0:39:26 permit the ICMP time exceeded and the ICMP unreachables
0:39:30 now if we apply this, access group
0:39:33 outside in
0:39:35 in interface outside
0:39:40 if we look at the results now, now 6 should be able to traceroute out
0:39:50 Notice also here
0:39:52 that the ASA does not itself
0:39:55 as one of the hops
0:39:58 so from router6's perspective, it thinks that the traffic is going from
0:40:03 itself to 5
0:40:06 then directly to 2
0:40:08 the ASA does not expose its own address in the traceroute
0:40:17 so it's a security feature, because I don't want people to know
0:40:20 what's the address of the actual firewall
0:40:22 because then they can send packets of attacks directly to the ASA's interfaces
0:40:31 but again the key with this
0:40:34 is that when we look at the show run policy map
0:40:39 we know what the default inspections are and the exceptions to those that we configured
0:40:45 which in this case was the inspect ICMP
0:40:50 but the ASA is still going to have problems
0:40:54 with the non-standard applications
0:40:56 that it does not already have an inspection engine for
0:41:01 So, remember what we talked about with FTP
0:41:04 the firewall knows that when the traffic goes out as 21
0:41:08 it's actually going to come back in as TCP 20
0:41:12 because that's how active FTP works
0:41:14 if it was passive FTP, it's going to start on
0:41:18 21, for the control channel
0:41:21 and then a secondary channel, a high port, is going to go out as well
0:41:26 but unless it can predict
0:41:29 what is the resulting inbound flow
0:41:32 based on my originating outbound flow
0:41:35 that's where we are going to have problems with this
0:41:39 now we will see that this is the same case when we get to the IOS firewall with either CBAC or zone-based policy firewall
0:41:45 traceroute is not going to be allowed there by default
0:41:48 because it cannot predict based on the outbound UDP packets
0:41:52 that we should be receiving the ICMP time exceeded or the port unreachable back in
0:42:00 okay, there is a question, is there a facility to inspect non-standard custom applications like NBAR on the router
0:42:09 - You can do that just by specifying whatever the port number you want is
0:42:13 so if let's say we have
0:42:16 our web server running over port
0:42:19 8080 instead of just port 80
0:42:23 what I would need to do, is say
0:42:26 class map http on port 8080
0:42:31 that says match port value
0:42:33 TCP 8080
0:42:36 or equal to 8080
0:42:42 then under the inspection policy
0:42:46 so I will say policy map global policy
0:42:49 for class http on port
0:42:54 8080
0:42:56 I am going to inspect this
0:42:58 with the http engine
0:43:02 so now it knows that
0:43:04 even though 8080 is not the normal port value
0:43:09 I can do whatever custom inspection that I want
0:43:14 So, this here, this would be the equivalent
0:43:16 of the ip port-map command on the router
0:43:22 So, with the router you are changing the matching, it will be matching the same protocol
0:43:26 with the ASA we can just classify whatever we want and then tell it what specific inspection engine to use
0:43:34 Hey, there is another question
0:43:36 this is only a problem for IOS and Unix
0:43:39 UDP-generated traceroute, should Windows-generated traceroute using ICMP
0:43:44 be okay? Let's actually try, because we have a Windows machine there
0:43:50 So, let's go to the
0:43:53 let's go to the ACS server, this is running Windows 2000
0:43:58 and let's see what happens when we traceroute out
0:44:01 So where are we going from
0:44:03 high to low
0:44:08 Now to make sure that the access list I
0:44:10 created is not
0:44:11 automatically making an exception
0:44:14 to this, I am going to temporarily remove it, so, show run access-group
0:44:18 I am going to say
0:44:21 no
0:44:24 access-group outside in in interface outside
0:44:28 hey, additionally under the
0:44:31 default policy
0:44:34 I am going to inspect ICMP
0:44:38 which means that now
0:44:42 the AAA server should be allowed to ping outbound
0:44:46 if we ping 200.0.0.2
0:44:49 that traffic is fine
0:44:52 next let's go to the ASA
0:44:56 and we will say
0:44:58 logging console
0:45:00 7, I am logging on
0:45:11 then from the Windows machine, we will say
0:45:14 traceroute to
0:45:19 let's trace something from that way, let's ping
0:45:22 172.16.4.4, this is router4
0:45:26 hey see, we can reach all the way there
0:45:28 so let's try this same host
0:45:30 but now a traceroute
0:45:33 to 172.16.4.4
0:45:44 so it's still being denied
0:45:48 Now if we look at the
0:45:51 let's say no logging console
0:45:53 if we look at the show connections
0:45:59 let's say show connections all
0:46:05 I want to see what traffic came from
0:46:08 the
0:46:11 what traffic came from the AAA server, let's go back, let's see if we can see it in the
0:46:18 I will put... let's, let's try this again
0:46:23 let's cancel that
0:46:27 try the traceroute again
0:46:47 So it's a built outbound UDP connection
0:46:55 for 200.0.0.2 at 53, actually that was a DNS resolution first
0:47:01 then deny inbound ICMP
0:47:23 so what this means is that the outbound flow is being
0:47:28 is using ICMP
0:47:31 the return flow
0:47:34 is also ICMP
0:47:36 but they are different types
0:47:39 so Windows is using a
0:47:41 ping to go out
0:47:43 which is an ICMP echo
0:47:46 but the inspection engine in the ASA
0:47:49 if an echo is going out, what is it expecting to come back in
0:47:57 an echo going out is expecting an echo reply to come back in
0:48:01 So the issue now is that
0:48:04 it is using ICMP, hey, that's not the issue
0:48:12 So it is sending
0:48:15 echo out
0:48:18 but when router2 replies, it is replying with TTL expired
0:48:23 3 is doing the same thing, TTL expired
0:48:26 then 4 is replying with
0:48:29 echo reply
0:48:32 now this very last reply, this is okay, that matches
0:48:36 this is why when we look at the Windows machine, the only hop that it saw is the very last one
0:48:41 But these intermediate ones that were denied, this is the time exceeded
0:48:46 So, it's the same type of problem, it's just we are using a different protocol stack to do it
0:48:51 So Windows is using ICMP
0:48:53 Unix and IOS are using UDP
0:48:55 Now you can actually also use TCP to do this
0:48:59 If I wanted to do a traceroute to a web server
0:49:01 I could say use the trace
0:49:04 using port 80 on the transit path
0:49:07 so, that would make sure that there is no disconnect between ICMP filtering
0:49:13 versus the actual application that I am trying to trace
0:49:16 but regardless, we are going to end up in the same logic problem with the firewall
0:49:20 that the outbound flow is different from the inbound flow
0:49:25 so, it's not going to allow us to return this back in
0:49:30 Hey, there is another question here
0:49:32 Would the established parameter help in the access list?
0:49:38 the problem is that ICMP is not connection-oriented
0:49:44 so, there is no way to match the established flag, the established flag is in the TCP header
0:49:50 Now we will take a look at some variations on this when we get into the IOS firewall
0:49:55 and if we are not using like the zone firewall or the CBAC
0:49:58 Some of the older iterations, the stateless
0:50:01 firewall, with just standard access lists
0:50:04 then the first iteration of the stateful firewall which is reflexive lists
0:50:08 and what are some of the logic problems that we run into
0:50:11 with the older versions, versus the newer version