NC School Connectivity Initiative Firewall Best Practices. NCET 2014 Conference

Transcription

1 NC School Connectivity Initiative Firewall Best Practices NCET 2014 Conference

2 Session Presenters n Chris Rose, MCNC Client Network Engineer n Dianne Dunlap, MCNC Client Network Engineer 2 3/21/14

3 Agenda 1. ITS/ASA Firewall Service Descrip5on 2. Firewall Configura5on Best Prac5ces 3. ASA Monitoring and Troubleshoo5ng 4. Where to go for informa5on; MCNC Support 5. Q&A 3 3/21/14

4 State Firewall Service Summary n Cisco ASA platform with site-to-site VPN and SSL VPN functionality n Offered as ITS fully managed or customer managed n LEA Adoption - 30 ITS fully managed/33 customer managed n Charter School Adoption - 42 ITS fully managed/ 8 customer managed Additional information: 4 3/21/14

5 State Firewall Service Summary Service Implementation and Support ITS Fully Managed Customer Management Consultation regarding service options and security Y Y configurations All required activities to complete service installation Y Y All hardware and software components required to deliver the Y Y security service Ongoing operating system release and patch management Y On request by customer Ongoing configuration management Y N Configuration backup Y Y 24x7 Device Monitoring Y N 24x7 Support Y Y Real-time view of security policy Optional Optional Log retention at customer location Available Available Additional information: 5 3/21/14

6 Current LEA ASA Map 6 3/21/14

7 Current Charter ASA Map 7 3/21/14

8 Firewall Best Practices n Be as specific as possible - avoid any/any. n Allow only essential services in (ingress filtering). n Use DMZ if possible for public servers (web, FTP) n Allow only essential services out (egress filtering). n Log traffic as necessary. n Use good naming conventions and comments n Group network objects, ports n Remove unneeded ACLs n Use AnyConnect where possible in lieu of broad outside access 8 3/21/14

9 Avoid any/any access-list outside_access_in permit ip any access-list outside_access_in permit tcp any eq http access-list outside_access_in permit tcp any eq https (or destination in later ASA versions)

10 Use a DMZ access-list outside_access_in permit tcp any eq http access-list outside_access_in permit tcp any eq https access-list dmz_access_inside deny ip any any access-list inside_access_dmz permit tcp any eq http access-list inside_access_dmz permit tcp any eq https 10 3/21/14

11 Allow Only Essential Services Out n No access-list on inside interface or access-list with permit ip any any permits all outbound traffic. n Blacklisting is possible if outbound traffic becomes malicious due to viruses, malware, or malcontents. n Good Internet citizenship limits or prevents: BitTorrent Viruses/malware (Iloveyou, Stuxnet, Cutwail) Web proxies (Ultrasurf, Tor) 11 3/21/14

12 Allow only Essential Services Out ITS Standard Service Groups (outbound): object-group service School-standard-tcp tcp port-object eq https port-object eq www port-object eq 9443 object-group service School-standard-udp udp port-object eq domain 12 3/21/14

13 Log Traffic syslog levels Category Numeric Code Emergency 0 Alert 1 Critical 2 Error 3 Warning 4 Notification 5 Informational 6 Debug 7 ASA portmap translation ASA Teardown TCP connection 13 3/21/14

14 Log Traffic n ITS Logging is at Warning level for ITS-managed. This is also Cisco recommended best practice. n ASA log messages should be sent to a local syslog server for customer-managed firewalls. n Free syslog servers: - rsyslogd (Linux) - syslog-ng (Linux) - The Dude (Windows) 14 3/21/14

15 Use good naming conventions and comments Use of name command: access-list inside_in remark for Libby Smith name PowerWeb description Website host access-list inside_in extended permit tcp any4 object PowerWeb eq 8443 Use of remark: access-list outside_acl remark Employee Portal Creation of a network-object and its description: object network XYZ_Elementary subnet description XYZ Elementary School 15 3/21/14

16 Group Network Objects, Ports Example of Grouped Network Objects, Ports: name informer description for Jane object-group service informer_ports tcp-udp port-object eq 90 port-object eq 9090 object-group INSIDE_NETWORK_2 network-object host network-object host access-list inside_in extended permit object-group TCPUDP object informer object-group INSIDE_NETWORK_2 object-group informer_ports 16 3/21/14

17 Group Network Objects, Ports Example of Un-Grouped Network Objects, Ports: access-list inside_in extended permit tcp host host eq 90 access-list inside_in extended permit tcp host host eq 9090 access-list inside_in extended permit udp host host eq 90 access-list inside_in extended permit udp host host eq 9090 access-list inside_in extended permit tcp host host eq 90 access-list inside_in extended permit tcp host host eq 9090 access-list inside_in extended permit udp host host eq 90 access-list inside_in extended permit udp host host eq /21/14

18 Remove Unneeded Access-lists name Room-X static (inside,outside) Room-X netmask access-list outside_acl extended permit ip any host access-list outside_acl extended permit tcp any host access-list outside_acl extended permit udp any host access-list outside_acl extended permit ip any host access-list outside_acl extended permit object-group DM_INLINE_SERVICE any host access-list outside_acl extended permit object-group xyz host AS400 range ftp telnet access-list outside_acl extended permit tcp host x.x.x.x host AS400 gt ftp access-list outside_acl extended permit tcp any host AS400 eq ftp 18 3/21/14

19 Why Use AnyConnect for Remote Administration? access-list outside_in permit tcp any host eq 3389

20 Use AnyConnect 20 3/21/14

21 Use AnyConnect Require users to AnyConnect authenticate at the ASA prior to accessing internal resources. - Authentication may be via usernames on ASA or tied to AD - Access can be audit-trailed if on AD - Access-lists can be applied at ASA-level and tied to local users or AD groups 21 3/21/14

22 AnyConnect Platforms n Microsoft (XP, Vista, 7, 8) n Mac OSX n Linux (Red Hat, Ubuntu) n ios (iphone, ipod, ipad) mobile client* n Android client* * Requires ASA mobile license 22 3/21/14

23 ASA Monitoring and Troubleshooting- ASA Read-only Access n ITS can provide read-only access for ITS-managed firewall n Access via ASDM (GUI) or SSH (command-line) n Request account through MCNC n User credentials are in ITS-managed TACACS+ server n Read-only access prevents accidents! 23 3/21/14

24 ASA Monitoring and Troubleshooting show commands Top 10 services, sources, destinations Interface traffic (kb/connections) Memory and CPU utilization Packet tracer utility Packet capture wizard Logs 24 3/21/14

25 ASA Monitoring and Troubleshooting show commands Command dir enable exit logout more more system:running-config packet-tracer quit read threat-detection *Not on all models/versions Arguments disk0:/dap.xml Statistics* 25 3/21/14

26 ASA Monitoring and Troubleshooting show commands Command show * Not on all models/versions 26 3/21/14 Arguments access-list activation-key detail asdm sessions blocks cluster info* configuration conn cpu core all* crypto ca certificate curpriv firewall interface

27 ASA Monitoring and Troubleshooting show commands Command Arguments show ips mode* module nat pager pdm logging* pdm sessions* route running-config service-policy-user* startup-config version * Not on all models/versions 27 3/21/14

28 ASA Monitoring and Troubleshooting Interface Traffic Top 10 access-rules 28 3/21/14

29 ASA Monitoring and Troubleshooting Top /21/14

30 ASA Monitoring and Troubleshooting Top 10 Top 10 sources: # =Netflix # =Alentus Internet (hosting) 30 3/21/14

31 ASA Monitoring and Troubleshooting Memory and CPU 31 3/21/14

32 ASA Monitoring and Troubleshooting Traffic 32 3/21/14

33 ASA Monitoring and Troubleshooting Syn Attacks =user.velox.com.br 33 3/21/14

34 ASA Monitoring and Troubleshooting Connections/ Drops 34 3/21/14

35 ASA Monitoring and Troubleshooting Packet Tracer n Packet Tracer allows the administrator to simulate packet flow through the firewall to test connectivity. n Packet Tracer should be the first step to troubleshooting connectivity through the firewall. 35 3/21/14

36 ASA Monitoring and Troubleshooting Packet Capture Wizard n Packet Capture Wizard is used to examine actual traffic in detail. n Usually used as the second step when Packet Tracer indicates traffic is allowed, but connectivity problems persist. 36 3/21/14

37 ASA Monitoring and Troubleshooting Logs n n n ASDM Real Time Log Viewer allows an administrator to view the log file as it is being generated in real time. Allows filtering based on expressions or search criteria. Logging level can be set independently from syslog logging level for the length of the session. n Limited to buffer size. Maximum buffer size is /21/14

38 Support Service Inquiries and Requests n Reach DPI team by contacting Network Analysts listed at: Post-deployment Support n n n For network related issues, please continue to call Network Operations Center Support at 877-GO-NCREN ( ) or For issues related to your web security or firewall service, please contact the SysOps Team by calling or by sending an to support@mcnc.org. For questions related to firewall Best Practices, please contact the CNE Team by sending an to cne@mcnc.org 38 3/21/14