Monday, July 19, 2010

CCNA Security 22

Now I'm going to revisit ASA basics. When we first turn on the ASA, we'll be in User mode. The User mode, like in IOS, offers a very limited command set. To get into Privileged mode, use:enable

The default password is blank. We can either hit Return on press Backspace. By default, a device would have the Base license. With Base License, you won't have things like Security Contexts. However, you can use 4 interfaces, 10 VLANs, 50 RA hosts, unlimited INSIDE hosts, and all VPN encryption types.

From privileged mode, we can move into the global configuration mode like in an IOS router. To do this, we'll use:
configure terminal

We should now change our enable password:
enable secret cisco

The recommended secure password should contain uppercase and lowercase letters, numbers and symbols. It should also be 8 characters or more.

From here, we can configure interfaces. For the ASA, a Fast Ethernet interface is referred to as simply Ethernet. To go into an interface, use:
interface ethernet0/0

You can turn an interface into a management-only interface using:

This command prevents all traffic THROUGH it (aka it blocks packet mode traffic).

ASA has a help system which can be invoked by typing:
help management-only

The help system also shows commands related to the one you typed.

To save a configuration, you can use:
copy run start

Alternatively, you can use:

You can view the list of commands you typed previously using:
show history

You can clear out your running-configuration using:
clear configure all

You can also go to factory-defaults using:
conf factory-default

To clear the startup-configuration, use:
write erase

You can then reboot the ASA using:

During the reboot process, you may encounter a delay to allow the Administrator to enter the ROMMON mode. Like an IOS router, the ASA also has a ROMMON mode. To do this, we'll need to hit CTRL+R during bootup.

The ASA has a filesystem which you can explore through:

The ASA firmware and the ASDM image is both stored in the flash as .bin files. You can store more than 1 image of each type. You can designate which to boot from using:
boot system flash:asa802-k9.bin

The Adaptive Security Algorithm does a few things. The most obvious one is that it provides stateful control. This is the actual service that the stateful functionality. The ASA allows one-way outbound connections using minimum configuration changes. The ASA also watches all ingress packets. These packets are all watched for state and sequence numbers (which it can also randomize). It allows the appliance to be a more defined security boundary.

Understanding security-levels is extremely important on an ASA/PIX because it is one of the first things we need to configure. It allows to specify how trusted/protected an interface is with relation to another interface. The security-level is a number between 0 to 100. The INSIDE interface is typically 100 while the OUTSIDE interface has a default of 0. The DMZ is typically put to 50.

Traffic that originates from a less secure interface to a higher security interface is denied by default. Traffic from OUTSIDE to INSIDE, or DMZ to INSIDE, or OUTSIDE to DMZ, are such traffic. This is dropped unless specifically permitted by an access-list.

Traffic that originates from two interfaces with the same security-level are also denied by default. We can prevent this behavior using:
same-security-traffic permit

On the other hand, a host from a higher security level can statefully traverse to a lower security interface. Such would be true for INSIDE to OUTSIDE, INSIDE to DMZ, or DMZ to OUTSIDE.

The interfaces are named from interface context using:
nameif INSIDE

To set the security-level, we use:
security-level 100

There are many ways to configure an ASA. One of the ways is to use the ASDM web interface. To do this, we'll need to find a way to connect the computer to the ASA (through a switch or an interface). By default, we can obtain an IP by plugging directly to the management interface because DHCP is turned on for all management interfaces.

Once should make sure that the basics are set up, such as Time, Interface Names, Host Name, and the Auth Hosts. Auth Hosts is a list of the authorized hosts allowed to configure through the web interface. All these configurations are done using:
conf t

clock time zone SGT +08
clock set 11:13:00 19 July 2010
conf t

!Host Name
host ASA
domain-name syraxius.local

!Interface Names
in e0/0
sec 99
ip address
in e0/1
nameif INSIDE
sec 100
ip address

!Auth List
http server enable

On a side note, if you don't have a system with a serial port, we can get a USB-to-Serial converter.

When we're done, we can connect to the ASA through the web browser by putting in the ASA's management interface IP (assuming that we've connected the computer through a crossover to the management interface).

We can manage ASDM as a Windows application or a Java application. If you run it as a Windows application, you will not have to double-authenticate. The launcher also works well if your version of Java is not completely compatible with the Java version.

The ASDM is very similar to the SDM and the IDM we covered in previous articles. ASDM is more similar to SDM, in which you have a Home tab, but the Configuration and Monitoring tabs that we're interested in is common across all the management GUIs.

We'll talk more about configuration in the next article. This about commands more specific to the ASA itself.

No comments :

Post a Comment