Chapter 11: Modular Policy Framework

Transcription

1 Chapter 11: Modular Policy Framework Modular Policy Framework is very simillar to Cisco IOS software QoS CLI which provides a flexiable way to configure security applaince features. MPF is supported with these features QoS input policing TCP normalization, TCP and UDP connection limites and timeouts, and TCP sequence number randomization CSC Application Inspection IPS QoS output policing QoS standard priority queue QoS traffic shaping, hierarchial priority queue Configuration of modular policy framework consists of three main tasks. Class-map : Classifies the traffic on which you want to perform Modular Policy Framework actions by creating layer ¾ class maps. For Example, we might want to perform actions on all traffic that passes through the security appliance or you might only want to perform certain actions on traffic from /24 to any destination address. Various types of match criteria in a class map can be used to classify traffic. The primary criterion is the use of an access control list (ACL). In a case where you want to match traffic on application layer you can create a layer 7 class map. For example if you want to match PUT command in a FTP session. Policy-map : After the security appliance identified the traffic using Class-map it uses Policy-map to apply action on it. Example could be of a policy-map which limits the maximum number of TCP connections towards a certain server. Simillar to class-maps, we can create layer3/4 Policy-map or a layer 7 policy-map. Service-Policy: Actives a policy map globally on all interface or on a selected interface. There can be one global policy and one policy per interface. By default, security appliance includes a default policy which is applied globally. Please note that there can be one global policy at a single time. If we need to change it we need to either edit the global policy or to make a new one. Figure 11.1 : The chart illusterates the structure of how ASA modular policy framework would be implemented. Class Map Policy Map Service Policy Internet Users IPS and Inspect Outside interface Sales Users Police Outside Interface Voice Traffic Prioritize Inside Interface Normal Traffic Inspect All interfaces Configuring Class-Maps By default there is a Layer3/4 class map that the security appliance uses in its default global

2 policy. It is named as inspection_default and matches the default inspection traffic. Another class-map that exists in the default configuration is called class-default which matches all traffic but is not applied using any of service policy. You can use the class-default class map if required, rather than making your own match any class map. Class map supports several types of match entries which includes Match any matches any traffic Match ACL matches traffic based on Access Control List Match port matches traffic based on TCP/UDP port numbers Match default-inspection traffic matches default port on supported applications Match DSCP matches traffic based on DSCP values in the ip header Match Precedence matches specific precedence values in the IP header Match RTP matches port range of RTP traffic Match tunnel-group matches specific site-to-site VPN tunnel or remote access VPN group traffic Match flow ip used with tunnel-group above Please note that default-inspection traffic is a set of pre-defined match entries of several applications working on their default ports. Below is a chart listing those applications Application Protocol Type Port CTIQBE ( Computer Telephony TCP 2748 Interface ) DNS UDP 53 FTP TCP 21 GTP ( GPRS Tunneling Protocol) UDP 2123, 3386 *requires special license H323 H225 TCP 1720 H323 RAS UDP HTTP TCP 80 ICMP N/A N/A ILS (LDAP) TCP 389 IPSec Pass-Through UDP 500 MGCP ( Media Gateway Control UDP 2427,2727 Protocol ) NetBIOS Name Server UDP 137,138 ( Source ports ) PPTP TCP 1723 RADIUS Accounting UDP 1646 RSH TCP 514 RTSP TCP 554 SIP TCP/UDP 5060 SCCP ( Cisco Skinny ) TCP 2000 SMTP-ESMTP TCP 25 SNMP UDP 161,162 SQL*NET TCP 1521 SUN RPC UDP 111 TFTP UDP 69 XDMCP UDP 177 Most of the protocols in table above are inspected by ASA in its default configuration. Inspection plays a major role especially when it comes to returning trurning traffic especially with complicated protocols like FTP. For example BOB who is connected to inside interface of ASA connectes to a FTP server attached to outside interface of the security appliance. Data is initiates towards server on port 21 using control connection. Server returns traffic on port 20 using data connection. Now a stateful firewall will not allow that kind of traffic since traffic is now using different port. In this scnerio inspection feature of security appliance

3 will help the traffic determine if its is legimate or not depending on the protocol used. Other protocols also have problem in data flow as FTP does and thus inspecting them on application layer helps ensuring smooth network connectivity. A default Class-Map exist on the security appliance which matches the default-inspectiontraffic. You can view this default class-map using show run class-map command Configuration Example: Step 1 : Create ACL Ciscoasa(config)#access access-list id [line line-num] [extended] {deny permit} protocol {src_ipaddr src_ipmask any host ip_address} [operator port] { dest_ipaddr dest_ipmask any host ip_address} [operator port] We will create an ACL which would be define traffic source and destination ciscoasa(config)#access-list ftp_traffic permit tcp host any eq 21 Step 2 : Create class-map ciscoasa(config)#class class-map class_map_name Use the class-map command to assign a unique name to the class map. ciscoasa(config)#class-map FTP_TRAFFIC Step 3 : Description ( OPTIONAL ) ciscoasa(config-cmap)#description class_map_description We will put description which helps us identify class map easily Ciscoasa(config-cmap)#description Matches ftp traffic Step 4 : Match statement ciscoasa(config-cmap)#match match access-list ACL_ID We will match traffic based on ACL entry we made before Ciscoasa(config-cmap)#match access-list ftp_traffic Configuring Policy-Maps As discussed earlier there are two types of policy maps Layer 3/4 and Layer 7. We will be restricting our discussion to Layer 3/4 maps in this chapter. Layer 3/4 policy maps associate one of more policies to traffic that matches a match command in layer 3/4 class map. When more than one policy is assocaited with the class map, the policies are enforced in the order listed below

4 1. Connection limits, connection timeouts and TCP sequence number randomization 2. CSC card 3. Stateful and application inspection 4. IPS card 5. Input policing 6. Output policing 7. Priority queuing Configuration Example: Step 1 : Create Policy map ciscoasa(config)# policy-map policy_map_name Use the policy-map command to assign a unique name to the policy-map. ciscoasa(config)#policy-map FTP_TRAFFIC Step 2 : Description ( OPTIONAL ) ciscoasa(config-pmap)#description class_map_description We will put description which helps us identify class map easily Ciscoasa(config-pmap)#description FTP_LIMITS Step 3 : Reference class map ciscoasa(config-pmap)#class class class_map_name We will reference a class map created earlier after which the security appliance will take us into a second subcommand mode. Here we can reference our multiple policies for that traffic. Ciscoasa(config-pmap)#class FTP_TRAFFIC Next we need to configure actions, there are several types of actions which can be applied to a policy map. Below is a a list of available catagories CSC action will send traffic to Content Security service module IPS action will send traffic to Intrusion Prevension service module Set connection will enforce connection limits on traffic Inspect will apply protocol inspection to traffic Policy will limit rate for traffic Priority will apply priority to traffic We will look into each of these actions using couple of scenerios. Configuring Service-Policy Service policy is the third component of Modular Policy Framework. In other words this is the activation of your previously configured policy maps. You can activivate policy-map globally

5 or on specific interface however there can only be one policy applied per location. In a case where you have applied a global policy along with a policy on an interface, the interface policy overrides the global policy settings. Configuration Example: Step 1 : Define Policy ciscoasa(config)#service service-policy policy_map_name interface interface_name OR ciscoasa(config)#service service-policy policy_map_name global By default, the configuration includes a global policy that matches all default application inspection traffic and applies inspection to the traffic globally. Because you can only apply one global policy you need to either edit the default policy or disable it and apply a new one when we are defining a policy globally. Ciscoasa(config)#service-policy FTP_TRAFFIC Using MPF for Content Security Control Module The Cisco ASA 5500 Series Content Security and Control Security Services Module ( CSC- SSM) combines comprehansive malware protection with advanced traffic and message complaiance for Cisco ASA Family of multifunction security appliance. Figure 11.2 : Cisco Content Security Control Module for ASA Below is a feature list of CSC-SSM Feature Antivirus Anti-Spyware Benefit Award-winning antivirus technology shields internal network resources from virus attacks at the most effective point in your infrastructure, the Internet gateway. Cleaning and Internet web traffic at the perimeter helps ensures business continuity and eliminates the need for resource intensive malware infection clean-ups. Blocks spyware from entering the network through Internet web and traffic. Frees up IT support resources from costly spyware removal procedures and improves employee productivity by blocking spyware at the gateway.

6 Anti-Spam Anti-phishing Automatic Updates from TrendLabs Central Administration Real-Time Protection for Web Access, Mail and File Transfers Full URL Filtering Capability with Categories, Scheduling and Caching Content Filtering Effectively blocks spam with extremely low false positives, helping to maintain the effectiveness of communications, so contact with customers, vendors, and partners continues uninterrupted and without distraction. Protection against spoofed identity and sourcing guards against phishing attacks thereby preventing employees from inadvertently disclosing company or personal details which can often lead to financial loss. Backed and supported by one of the largest teams of virus, spyware and spam experts in the industry, working 24x7 to ensure that your solution is providing the most up to date protection, automatically. Easy "set-and-forget" administration through a remotely accessible Web-console and automated updates reduces deployment time and effort as well as recurring IT support costs. Even if company is already protected, many employees will access their own private Webmail from company PCs or laptops introducing another entry point for Internet-borne threats. Employees may also directly download programs or files that may be contaminated. Real-time protection of all Web traffic at the Internet gateway greatly reduces this often-overlooked point of vulnerability. URL filtering can be used to control employee Internet usage by blocking access to inappropriate or non-workrelated websites, thereby improving employee productivity and limiting the risk of legal action being taken by employees exposed to offensive Web content. filtering minimizes legal liability due to exposure to offensive material transferred by and enforces regulatory compliance, helping organizations meet the requirements of legislation such as Graham Leach Bliley and the Data Protection Act. The Cisco ASA 5500 Series CSC-SSM ships with a default feature set that provides antivirus, anti-spyware, and file blocking services. A premium Plus license is available for additional capabilities including anti-spam, anti-phishing, URL blocking/filtering and content control services. The optional Plus pack feature license is available for an additional charge for each CSC-SSM. Figure 11.3 : Network on which traffic would be sent to CSC using MPF

7 The CSC module can inspect and filter http, pop3, smtp and ftp protocols on their default ports. Shown above in figure 11.2 is a network where the security appliance is connected to the Internet on interface Gi0/0 (outside) and to the internal network on interface Gi0/1 (Inside). Servers are connected using interface Gi0/2 (DMZ). We will be configuring the security appliance to send traffic to CSC module which would scan it before sending it to the actual destination. Step 1 : Configure access-list Ciscoasa(config)#access-list CSC extended permit ip any Ciscoasa(config)#access-list CSC extended permit tcp host any host eq 25 We have configured two access control entries of which first is for traffic moving from inside towards outside of the network while in second entry traffic is destined towards server from Internet. Step 2 : Create Class-map ciscoasa(config)#class-map CSC_TRAFFIC Step 3 : Match statement Ciscoasa(config-cmap)#match access-list CSC We will match traffic based on ACL entry we made before Step 4 : Edit Policy-Map

8 Since we want these inspections to be applied globally and there could be only one global service policy active at one time, we will go ahead and edit the existing policy-map which is already applied globally. We can configure the security appliance to send the traffic to csc module in either fail-close or fail-open mode. Please note that csc option will only be configurable and visiable if you have a CSC card inserted in the security appliance. ciscoasa(config)#policy-map global_policy ciscoasa(config-pmap)#class CSC_TRAFFIC ciscoasa(config-pmap-c)#csc fail-open fail-close = if CSC card fails, traffic should be dropped fail-open = if CSC card fails, traffic should be forwarded without inspection Using MPF for Intrusion Prevention System Module The Cisco AIP SSM and AIP SSC combine inline prevention services with innovative technologies to improve accuracy. For you, this means confidence in the protection offered by your IPS solution without the fear of legitimate traffic being dropped. When deployed within Cisco ASA 5500 Series appliances, the AIP SSM and AIP SSC offer comprehensive protection of your IPv6 and IPv4 networks by collaborating with other network security resources, providing a proactive approach to protecting your network. Either CSC or AIP module can be plugged into the security appliance at one time, AIP module can operate in two modes IDS/IPS sensors operate in promiscous mode by default, which means that a device (often a switch) captures traffic for the sensor and forwards a copy for analysis to the sensor. Because the device works with a copy of the traffic, the device performance IDS. It can detect an attack and send an alert but it does not prevent the attack from entering the network. When we use sensors in Inline mode this means that traffic is passing through that device before it reaches its actual destination. This gives sensors the ability to block traffic from entering the network ensuring greater security. We will refer to the Figure 11.3 illustrated in topic Using MPF for Content Security Control Module and will be sending all traffic which comes from Outside zone to DMZ for inspection. Figure 11.4 : IPS Module working in Inline Mode

9 Figure 11.5 : IPS Module working in Promiscuous mode Configuration Example: Step 1 : Configure access-list Ciscoasa(config)#access-list AIP extended permit ip any host Ciscoasa(config)#access-list AIP extended permit ip any host We have configured two access control entries of which first is for traffic moving from inside towards outside of the network while in second entry traffic is destined towards server from Internet. Step 2 : Create Class-map ciscoasa(config)#class-map AIP_TRAFFIC Step 3 : Match statement Ciscoasa(config-cmap)#match access-list AIP We will match traffic based on ACL entry we made before Step 4 : Create Policy-Map We will configure the security appliance to send selected traffic to the IPS module by making a policy map and then associating a class map created earlier with it. Ciscoasa(config)#policy-map IPS Ciscoasa(config-pmap)#class AIP_TRAFFIC Step 5 : Send traffic We will send traffic to IPS module.

10 ciscoasa(config-pmap-c)#ips ips [inline promiscuous ] [ fail-close fail-open ] fail-close = if CSC card fails, traffic should be dropped fail-open = if CSC card fails, traffic should be forwarded without inspection ciscoasa(config-pmap-c)#ips promiscuous fail-open Step 6 : Apply Service-Policy We will attach this policy to the outside interface. ciscoasa(config)#service-policy IPS interface outside Using MPF for setting TCP connection limits Set-connection under policy-map is used to enforce connection limites for selected traffic flows. When a packet matches specified source and destination address it is subject to connection limit as defined. We can use "set-connection" to configure following items conn-max : Maximum number of simultaneous connections allowed. Helps protecting against DoS attacks per-client-max : Limits number of simultaenous connections on per host basis embryonic-conn-max: Limits number of half-open TCP connections. Protects against SYN attacks. per-client-embryonic-max: Limits number of half-open TCP connections per client Figure 11.6 : Network on which tcp connections would be limited using MPF

11 In this scenerio we will configure the security appliance to restrict number of simultaneous sessions for traffic coming from outside to server and for traffic going from Inside to the Internet. Step 1 : Configure access-list A ) ACL for traffic moving from outside to Server in DMZ Ciscoasa(config)#access-list outside_in extended permit tcp any host eq 25 B ) ACL for traffic from Inside machine towards outside world. Ciscoasa(config)#access-list inside_in extended permit ip host any Step 2 : Create Class-map A ) We will create class-map for users accessing server in DMZ from outside ciscoasa(config)#class-map cmap_outside_dmz B ) Class-map for user accessing Internet from Inside Zone Ciscoasa(Config)#class-map cmap_inside_outside Step 3 : Match statement A ) We will make match statement for users accessing server in DMZ from outside under class map cmap_outside_dmz Ciscoasa(config-cmap)#match access-list outside_in B ) We will then match statement for users accessing Internet from Inside zone under class-map cmap_inside_outside Ciscoasa(config-cmap)#match access-list inside_in

12 Step 4 : Create Policy-Map A ) Create policy-map for outside to DMZ We will create a policy map and assign the earlier configured class to it Ciscoasa(config)#policy-map pmap_outside_dmz Ciscoasa(config-pmap)#class cmap_outside_dmz B) Create policy-map for Inside to Outside We will create a policy map and assign the earlier configured class to it Ciscoasa(config)#policy-map pmap_inside_outside Ciscoasa(config-pmap)#class cmap_inside_outside Step 5: Set connection Limits Depending on our requirements we can set restrictions on these policy-maps. A ) Set connection limits for data traveling from outside to DMZ Ciscoasa(config-pmap-c)# set connection conn-max 4000 Ciscoasa(config-pmap-c)# set connection per-client-max 200 Ciscoasa(config-pmap-c)# set connection embryonic-conn-max 2000 B ) Set connection limits for data traveling from inside to outside Ciscoasa(config-pmap-c)# set connection conn-max 4000 Ciscoasa(config-pmap-c)# set connection per-client-max 200 Ciscoasa(config-pmap-c)# set connection embryonic-conn-max 2000 Step 6 : Apply Service-Policy We will attach both of the policies in specific direction ciscoasa(config)#service-policy pmap_outside_dmz interface outside ciscoasa(config)#service-policy pmap_inside_outside interface insid Using MPF for setting for Traffic Inspection As discussed earlier the security appliance has a default class-map, policy-map and service policy. Below is what you see from show running-config. class-map inspection_default match default-inspection-traffic!! policy-map type inspect dns preset_dns_map parameters message-length maximum 512 policy-map global_policy class inspection_default inspect dns preset_dns_map inspect ftp

13 inspect h323 h225 inspect h323 ras inspect netbios inspect rsh inspect rtsp inspect skinny inspect esmtp inspect sqlnet inspect sunrpc inspect tftp inspect sip inspect xdmcp! service-policy global_policy global prompt hostname context There is a default class-map (class-map inspection_default), default policy-map (policy-map global_policy ) and default service policy applied globally (service-policy global_policy global ). We can go under policy-map, class-inspection_default and type inspect? to see which other protocols are supported for inspection and can add other protocols for inspection as required. The inspect command looks for common security issues in the application layer and prevent them, look for additional connections that need to be opened e.g. FTP or VoIP traffic. It also looks for embedded addressing information inside packets that will be translated with NAT. Using MPF for setting for Policing and Rate Limiting A rate-limiting policy is commonly called a policing policy, which can be configured to affect traffic as it enters (ingress) and / or leaves (egress) an interface. The parameters used to enforce the policy are similar to how Commited Information rate and Commited burst rate are used in frame relay, using the leaky bucket algorithm to handle small bursts of traffic. Let s say we want to apply policing to a specific IPSec remote access user group as following: Maximum allowed bandwidth = 1024kbps Burst Size = 1536kbps Step 1: Configure class-map ciscoasa(config)#class-map VPN_USERS Step 2: Match tunnel-group ciscoasa(config-cmap)#match tunnel-group VPN We discussed earlier that matching of class-maps can also be done on tunnel-groups. We will use tunnel-group of remote user vpn group to match traffic. Step 3 : Create Policy-map

14 ciscoasa(config)#policy-map VPN_Policy Step 4 : Match Class ciscoasa(config-pmap)#class VPN_USERS Step 5 : Define Policy A ) Incoming Policy ciscoasa(config-pmap-c)#police input conform-action transmit exceed-action drop B) Outgoing Policy ciscoasa(config-pmap-c)#police output conform-action transmit exceed-action drop The security appliance accepts police input/output rates in bits per second thus we converted 1024kbps to bits per second. Note that the burst value has to be in bytes [ Burst Size = (conform rate in bps)/8*1.5 ]. Step 6 : Apply Service-Policy We will attach this policy to the outside interface. ciscoasa(config)#service-policy VPN_POLICY interface outside Using MPF for setting for Voice Traffic Prioritization Packet prioritization is used on the egress of an interface to prioritize traffic (before traffic exits an interface. Prioritization is normally used for delay-sensitive traffic, like voice, or video. Only low-latency queuing (LLQ) is supported for prioritization on the security appliance. Each interface of security applaince has two queues namely priority queue which is used to transmit delay-sensitive traffic and a default queue which transmit all other traffic. Step 1 : Configure ACL Ciscoasa(config)#access-list voip_acl extended permit ip Step 1: Configure class-map ciscoasa(config)#class-map cmap_voip_vpn Step 2: Match ACL ciscoasa(config-cmap)#match access-list voip_acl Step 3 : Create Policy-map ciscoasa(config)#policy-map pmap_voip_vpn

15 Step 4 : Match Class ciscoasa(config-pmap)#class cmap_voip_vpn Step 5 : Set priority Ciscoasa(config-pmap-c)#priority Step 6 : Enable Proirity Ciscoasa(config)# priority-queue inside We will enable priority queue on selected interface