Summer Webinar Series: Cisco ASA AnyConnect VPN with AD
Christopher Rose, Sr. Client Network Engineer, crose@mcnc.org
Webinar Links: www.mcnc.org/cne-webinars
Agenda (8/20/15)
- Review the security implications of remote access.
- Discuss how Remote Access VPN fits into an overall organization IT security strategy.
- Review what Cisco AnyConnect SSL Remote Access VPN connections are.
- Explore the benefits of using authentication servers instead of local accounts on the ASA.
- Demonstration using Cisco ASDM to convert an existing AnyConnect SSL VPN configured for local authentication to AD integrated authentication with DAP policy access controls.
Security Implications of Remote Access
The Target store hack is a prime example of why you should care about remote access security and proper firewall zoning of information assets. Hackers broke in through improperly secured remote access given to an HVAC vendor (http://krebsonsecurity.com/2014/02/target-hackers-broke-in-via-hvac-company/). Payment systems were not properly zoned on the firewall, and remote access permissions were not properly vetted and enforced.
Security-Sensitive Applications Exposed Directly off the Firewall
Commonly seen examples:
- Security cameras.
- RDP access to server and desktop resources.
- The Finance Director's desktop.
- AD/DNS/DHCP server.
- Wireless administration systems.
Exposing applications directly off the firewall invites brute-force dictionary attacks. How good is your password policy? When was the last time you checked the audit log? Do you have an IPS or SIEM?
Who is knocking on the door?
We configured an ASA in our lab with AnyConnect VPN and a syslog server. ASA traffic and authentication attempts were logged for less than 6 days. In that time there were 2,732 attempts to break in, some of them on non-standard ports: 19838, 30989, 31518, 5893, 59217.
Who is knocking on the door?
Most common usernames used:
  # attempts   username
  2016         root
  154          admin
  100          bin
  33           user
  21           support
  19           test
  15           oracle
  11           ubuntu
  9            git
Who is knocking at the door?
We were subjected to persistent dictionary attacks (timestamp, username):
Jul 15,01:48:48,root
Jul 15,01:48:53,root
Jul 15,01:49:00,root
Jul 15,01:49:08,root
Jul 15,01:49:13,root
Jul 15,01:49:19,root
Jul 15,01:49:25,root
Jul 15,01:49:32,root
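The detection logic behind the two slides above, as an added example that is not part of the original webinar material: it parses constructed log lines in the slide's "Mon DD,HH:MM:SS,username" format, ranks the usernames tried, and flags any username hit by a burst of attempts inside a sliding time window (the signature of a dictionary attack). The sample lines, the threshold and the window size are assumptions chosen for the demonstration.

```python
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample in the slide's "Mon DD,HH:MM:SS,username" format; not real log data.
SAMPLE_LOG = """Jul 15,01:48:48,root
Jul 15,01:48:53,root
Jul 15,01:49:00,root
Jul 15,01:49:08,root
Jul 15,01:49:13,root
Jul 15,01:49:19,root
Jul 15,01:49:25,root
Jul 15,01:49:32,root
Jul 15,02:10:05,admin
Jul 15,02:15:40,admin
Jul 15,03:00:01,tom"""

def parse_attempts(text, year=2015):
    """Yield (timestamp, username) for each well-formed line; skip malformed ones."""
    for line in text.splitlines():
        parts = line.strip().split(",")
        if len(parts) != 3:
            continue
        date, clock, user = parts
        try:
            ts = datetime.strptime(f"{date} {year} {clock}", "%b %d %Y %H:%M:%S")
        except ValueError:
            continue
        yield ts, user

def top_usernames(text, n=3):
    """Most-tried usernames, like the slide's ranking table."""
    return Counter(user for _, user in parse_attempts(text)).most_common(n)

def dictionary_attack_users(text, threshold=5, window_s=60):
    """Map username -> peak count for users with >= threshold attempts in any window_s seconds."""
    by_user = defaultdict(list)
    for ts, user in parse_attempts(text):
        by_user[user].append(ts)
    flagged = {}
    for user, times in by_user.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            # Slide the window start forward until it spans at most window_s seconds.
            while (times[end] - times[start]).total_seconds() > window_s:
                start += 1
            count = end - start + 1
            if count >= threshold:
                flagged[user] = max(flagged.get(user, 0), count)
    return flagged
```

With the defaults, `root` (8 attempts in 44 seconds) is flagged while `admin` (2 attempts over 5 minutes) is not; the same function run over the real ASA syslog export is what the slides' counts were built from.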
Who is knocking on the door?
The most persistent attacker was 217.27.159.2. A whois lookup of that address returned a RIPE registration in Kiev, Ukraine.
How does an SSL VPN fit into an overall security strategy?
Why configure an SSL VPN? To allow access to internal assets without exposing them publicly on the outside of the firewall. This is part of good firewall zoning and security policy.
Advantages of SSL VPN:
- No exposure of internal assets to the Internet at large for brute-force attacks or DoS.
Disadvantages of SSL VPN:
- Some public-facing assets may already have secure logins and are used by large numbers of users. Requiring two logins would be inconvenient. Examples are a web application with very good security, or Citrix server applications.
Typically, SSL VPN in an LEA environment is best used for:
- Remote access for network management (network or application administrators).
- Locally hosted applications used by small numbers of internal users (Finance, Payroll).
- RDP access to internal desktops by end users.
- Access by vendors for support (such as AC/HVAC, industrial monitoring, or application support).
- Access by local PD to monitor security cameras.
Protecting Remote Access Against Dictionary and Hacking Attacks
- Don't expose sensitive systems directly off the firewall unless absolutely necessary.
- Use a secure remote access VPN.
- Use IPS/SIEM systems.
- Use two-factor authentication for remote access.
- If neither of these is an option, consider improving the password policy: add password complexity and require password rotation.
What is Cisco AnyConnect SSL VPN and what can it do?
The Cisco AnyConnect SSL VPN is a remote access VPN client from Cisco that uses port 443 only to make secure VPN connections.
- AnyConnect clients are available for many popular devices and operating systems, including Windows, Mac, Linux, Android, iOS, and Kindle systems.
- The client installs from a webpage or application store.
- Much easier to administer: user profiles can be controlled from the ASA, and usually only a link needs to be sent to the user to give them access.
- Less configuration than the old IPsec client.
- Supports enhanced features such as IKEv2 for security, DTLS for QoS (VoIP), and AD and Kerberos authentication.
- Has very good client-side logging for debugging purposes.
- Can integrate with many two-factor authentication solutions.
Why should we use Active Directory for VPN authentication?
Local account databases have issues:
- Usernames and passwords go in, but they don't come back out.
- They are usually not configured with complexity or password-change policies.
- They are usually not audited or logged.
- Password changes cannot be initiated from the AnyConnect VPN client itself.
ITS-Managed ASA Firewall
AnyConnect VPN presents additional problems if you use the ITS-managed firewall service from the state:
- You have to put in a ticket to change passwords.
- You have to put in a ticket to delete user accounts.
- You have to put in a ticket to change access policy.
- You have to put in a ticket to get auditing configured and/or to obtain RA audit logs.
Using Active Directory for VPN Authentication Has Benefits
- All remote access user accounts and permissions can be administered from the AD server, including password resets.
- AD logs will show logins and attempted logins.
- The only tickets required to ITS are to configure any new security group to DAP policy mappings.
- Password-change and complexity policy can be the same as your AD domain policy.
- Users are happy because they can use their network username and password to log in.
Preparing to Implement AD Authentication with an ASA
- Create a bind account that the ASA can use to query Active Directory.
- Make sure Microsoft Certificate Services has been properly configured and set up on the domain to enable Secure LDAP.
- Create remote access groups with the network permissions you require.
Demonstration: AD Setup
- Add the ASA bind account name and password (Bindup123#) to the demo AD domain.
- Create AD user groups for Administrative and HVAC users to map to DAP policies.
- Create two user accounts: one for Tom, the network administrator, and one for Bob, the HVAC system manager. Both are members of the cne2012.org AD domain.
Things to Remember About DAP Policy
- DAP policies have priority numbers. Priority runs from the highest number to the lowest (25 is higher than 1).
- A DAP policy has two main configurable items we are concerned with: an action, and network ACL filters.
- Your default DAP policy should have its action set to terminate. This is the policy used when no other policy matches: if you are not in a VPN group we care about, you get terminated.
- Network ACLs for DAP policy are a bit counterintuitive:
  - Only access lists that are all permits or all denies may be attached to a DAP policy.
  - If multiple ACLs are listed in a DAP policy, the ASA does not process them in the listed order; it orders them with blacklist (deny) ACLs first.
  - If a user tests positive for more than one DAP policy, the higher-priority DAP rules take precedence.
- The ASA processes network ACLs as follows: each matching DAP rule has its network ACLs retrieved; the ACLs are merged and ordered by DAP priority first; if ACLs have the same DAP priority, ACLs with blacklists come first and whitelists next.
- Example: to create the HVAC policy, create two DAP rules. The first is attached to an ACL permitting access to the HVAC server. The second has a deny any-any ACL applied to implement the default-deny policy. Set the priority of the permit DAP to the higher number so it is processed first, and the deny DAP to one number less so it is processed last.
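The aggregation rules above, as an added model written for this page (not Cisco code and not the webinar's own material): it merges the ACLs of every matched DAP record by descending priority, puts deny ACLs before permit ACLs at equal priority, rejects mixed permit/deny ACLs, honours a terminate action, and evaluates a destination address against the merged list with an implicit deny at the end. The HVAC server address, record names and priorities are constructed assumptions.

```python
import ipaddress
from dataclasses import dataclass, field

@dataclass
class AclEntry:
    action: str  # "permit" or "deny"
    dst: str     # destination network, CIDR notation

@dataclass
class Acl:
    name: str
    entries: list
    def is_uniform(self):
        """DAP only accepts ACLs that are all-permit or all-deny."""
        return len({e.action for e in self.entries}) == 1

@dataclass
class DapRecord:
    name: str
    priority: int   # higher number is processed earlier
    action: str     # "continue" or "terminate"
    acls: list = field(default_factory=list)

def aggregate_acls(matched):
    """Merge ACLs of matched records: higher priority first; at equal priority, deny before permit."""
    for rec in matched:
        for acl in rec.acls:
            if not acl.is_uniform():
                raise ValueError(f"{acl.name}: mixed permit/deny ACL not allowed in DAP")
    pairs = [(rec, acl) for rec in matched for acl in rec.acls]
    pairs.sort(key=lambda ra: (-ra[0].priority, ra[1].entries[0].action != "deny"))
    return [e for _, acl in pairs for e in acl.entries]

def is_permitted(matched, dst_ip):
    """Terminate ends the session; otherwise first matching merged entry wins, implicit deny last."""
    if any(r.action == "terminate" for r in matched):
        return False
    ip = ipaddress.ip_address(dst_ip)
    for e in aggregate_acls(matched):
        if ip in ipaddress.ip_network(e.dst):
            return e.action == "permit"
    return False

# Constructed HVAC policy from the slide; the server address and names are made up.
HVAC_PERMIT = DapRecord("HVAC-Permit", 20, "continue",
                        [Acl("HVAC-ALLOW", [AclEntry("permit", "10.10.5.20/32")])])
HVAC_DENY = DapRecord("HVAC-Deny", 19, "continue",
                      [Acl("DENY-ALL", [AclEntry("deny", "0.0.0.0/0")])])
DEFAULT_TERMINATE = DapRecord("DfltAccessPolicy", 0, "terminate")
```

Running `is_permitted([HVAC_PERMIT, HVAC_DENY], "10.10.5.20")` shows Bob reaching only the HVAC server, while a user who matches only the default record is terminated regardless of destination.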
Demonstration: ASA Configuration
- Add the local AD server to the ASA authentication settings as an LDAP source.
- Create DAP policies to match the AD groups.
- Create the default DAP policy.
- Test authentication and DAP policy in ASDM.
- Switch authentication from local to LDAP.
DAP Policy Configuration Demonstration
ASDM provides a test mechanism where you can input your LDAP conditions and it will show you the resultant DAP policy. DAP policy demonstration in ASDM.
Wrapping Things Up
- Proper design decisions in firewall zoning and configuration can improve remote access security.
- Use a secure VPN to your security advantage by not exposing critical or insecure applications directly on the firewall for remote access.
- Use AD authentication for VPN if possible. Benefits include single sign-on, more robust password policy and enforcement, better auditing, fewer support calls for managed firewalls, and more efficiency in VPN administration.
- For gold-standard security, plan to implement two-factor authentication in combination with AD authentication. This is the most effective way to defeat dictionary and brute-force attacks.
- Ask for help if needed! We are here to help you with these types of projects, and we can also work with you and ITS to configure managed firewalls for AD authentication integration.
Additional References
- DAP Policy Reference: http://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/108000-dapdeploy-guide.html
- Configuring Cisco AnyConnect: https://www.mcnc.org/events/training/cne-summer-webinars2015/archive
- Managing DAP Policy on ASA Firewalls: http://www.cisco.com/c/en/us/td/docs/security/security_management/cisco_security_manager/security_manager/4-1/user/guide/csmuserguide_wrapper/ravpnpag.html