CCSP: Effective Deployment of Cisco ASA Access Control

The Cisco ASA offers a wealth of access control features, many of which are underutilized in modern networks. In this session, we will discuss the methods and best practices for extension of classic firewalling policies to include proper configuration of low-level inspection routines, custom network and application-layer access controls, and anomaly-based access controls available in the latest Cisco ASA release.

  1. Effective Deployment of Cisco ASA Access Control – Session ID BRKCRT-201
  2. Cisco Live & Networkers Virtual Special Offer – Save $100. Cisco Live has a well deserved reputation as one of the industry’s best educational values. With hundreds of sessions spanning four educational programs — Networkers, Developer Networker, Service Provider, IT Management, you can build a custom curriculum that can make you a more valuable asset to your workplace and advance your career goals. Cisco Live and Networkers Virtual immerses you in all facets of Cisco Live, from participating in live keynotes and Super Sessions events to accessing session content to networking with your peers. Visit www.ciscolivevirtual.com and register for Cisco Live and Networkers Virtual. To get $100 USD off the Premier pass, which provides access to hundreds of technical sessions, enter “slideshareFY11”. (Presentation_ID © 2010 Cisco and/or its affiliates. All rights reserved. Cisco Confidential)
  3. Agenda and Prerequisites
  4. Agenda
     - Definition of Access Control Effectiveness
     - Tune Basic OSI Layer 3-4 Inspection
     - Configure and Verify the Cisco ASA TCP Normalizer and Advanced Connection Options
     - Configure Application-layer Inspection
  5. Prerequisites
     - Understanding of the TCP/IP protocol suite and application protocols
     - Familiarity with common classes of network attacks
     - Familiarity with basic network firewall concepts
     - Basic-to-intermediate familiarity with Cisco ASA configuration concepts
  6. Definition of Access Control Effectiveness
  7. Access Control Effectiveness: Levels of Access Control. Host and firewall components can operate on different OSI layers:
     - Application layer (Layers 5–7) access control: controls payload and content inside permitted connections
     - Network layer (Layers 2–4) access control: minimizes connectivity between hosts and their applications
  8. Access Control Effectiveness: Ability to Prevent Current and Future Attacks. Host and firewall components can operate in different access control modes:
     - Restrictive access control: everything not explicitly allowed is prohibited
     - Permissive access control: everything not explicitly prohibited is allowed
  9. Access Control Effectiveness: Effectiveness Criteria
     - Coverage: the control provides protection against a wide variety of attacks
     - Accuracy: the control produces a manageable rate of false positives or negatives
     - Granularity: the control is able to inspect activity at the desired depth
     - Integration ability: the control can support most applications and local infrastructure quirks
     - Implementation simplicity: the control is manageable to implement and operate
  10. Tune Cisco ASA Basic OSI Layer 3-4 Inspection
  11. Basic Stateful Inspection Tuning Overview: Overview
     - The ASA enforces a strict traffic filtering policy that may interfere with unexpected or unusual application requirements or network design
     - There are many tools in the ASA to create exceptions for such situations
     - It is strongly recommended to plan for known exceptions in advance
  12. Basic Stateful Inspection Tuning Overview: Input Parameters
     - Potentially problematic TCP/IP stacks in the network, and applications with special TCP requirements: required to plan for TCP normalizer exceptions
     - IP fragmentation issues in the network: required to tune fragmentation handling
     - Asymmetric routing in the network: required to possibly bypass stateful algorithms
     - Applications with long idle session periods: required to adjust connection table timers
     - Dynamic applications used in the network: required to enable the relevant dynamic application inspectors
     - Dynamic applications using non-standard ports: required to enable the relevant dynamic application inspectors
     - Non-standard dynamic applications: required to describe such applications to the ASA
  13. Basic Stateful Inspection Tuning Overview: Deployment Tasks
     1. Tune Basic OSI Layer 3-4 inspection
     2. Tune the ASA TCP normalizer
     3. Configure support for dynamic protocols
  14. Basic Stateful Inspection Tuning Overview: Guidelines. Consider the following overall guidelines:
     - When creating exceptions, make only the minimal required changes to the ASA traffic handling policy
     - Consider the possible adverse effects of your changes on access control reliability and performance
  15. Tune Basic OSI Layer 3-4 Inspection: ASA Default Layer 3-4 Stateful Tracking. Example connection table entries:
        TCP 10.1.1.2:1474 > 192.168.1.6:22, inseq 346234, outseq 712136
        UDP 192.168.1.3:58255 > 172.16.2.1:53, DNS id=457348956
        TCP 10.1.1.2:4685 > 172.16.1.7:80, inseq 49758234, outseq 8345723
        ICMP ECHO 10.1.1.7 > 172.16.9.1, ICMP ID=48572349
        ...
     - The ASA will by default statefully track TCP, UDP, and GRE flows
     - ICMP PING tracking is disabled by default, and may be enabled
  16. Tune Basic OSI Layer 3-4 Inspection: ASA Session Timers
     - Sessions are normally deleted from the connection table based on TCP connection close events (FIN, RST), or idle timeouts (UDP, GRE, PING)
     - The connection table performs periodic garbage collection for TCP connections based on additional timeouts
     - These timeouts may be too aggressive for specific applications, and need to be tuned
     TCP timers and defaults:
     - Embryonic connection timeout (30 seconds): the time the ASA will wait for a SYN/ACK reply to a SYN
     - Half-closed connection timeout (10 minutes): the time a TCP connection can be FIN-closed in one direction
     - Connection timeout (1 hour): the time a TCP connection can be idle (i.e. no traffic passed over it)
  17. Tune Basic OSI Layer 3-4 Inspection: ASA IP Fragment Handling (diagram: incoming IP fragments, reassembled packet, outgoing IP fragments). The ASA performs virtual IP reassembly:
     - Buffers fragments of a packet until all have been received
     - Verifies that fragments are properly fragmented
     - Reassembles IP fragments internally, to perform TCP normalization and application inspection
     - Forwards fragments as they have been received
  18. Tune Basic OSI Layer 3-4 Inspection: Configuration Steps
     1. (Optionally) Tune inspection timers and DCD
     2. (Optionally) Tune fragment management
  19. Tune Basic OSI Layer 3-4 Inspection: Configuration Scenario
     - For telnet sessions from 10.0.0.0/8 to host 10.10.1.9, set the idle timer to 4 hours and enable DCD
     - Buffer up to 1000 IP fragments on all interfaces
  20. Tune Basic OSI Layer 3-4 Inspection, Step 1: (Optionally) Tune Inspection Timers and DCD (ASDM: Configuration > Firewall > Service Policy Rules)
     - Create a new ACL-based class that matches the specific telnet traffic
     - Specify the idle timeout; you can reset the connection on forced close
     - Enable DCD with default parameters
  21. Tune Basic OSI Layer 3-4 Inspection, Step 2: (Optionally) Tune Fragment Management (ASDM: Configuration > Firewall > Service Policy Rules)
     - Edit the virtual reassembly policy for each interface
     - Adjust fragment database parameters
  22. Tune Basic OSI Layer 3-4 Inspection: CLI Configuration
        ! Step 1: idle timeout and DCD for telnet sessions to the host
        access-list TELNET-TO-HOST-ACL permit tcp 10.0.0.0 255.0.0.0 host 10.10.1.9 eq 23
        !
        class-map TELNET-TO-HOST
         match access-list TELNET-TO-HOST-ACL
        !
        policy-map global_policy
         class TELNET-TO-HOST
          set connection timeout idle 4:00:00 reset dcd
        !
        ! Step 2: fragment database size per interface
        fragment size 1000 inside
        fragment size 1000 outside
  23. Tune Basic OSI Layer 3-4 Inspection: Guidelines. Consider the following implementation guidelines:
     - Only tune connection timers when required by specific applications, for a minimal set of required hosts; use DCD with long-lived connections to avoid resource exhaustion
     - Fragmentation management does not normally require tuning; first, try to eliminate the root cause of the fragmentation before tuning the ASA
  24. Tune the Cisco ASA TCP Normalizer
  25. Tune the ASA TCP Normalizer: TCP Normalizer Overview (diagram: incoming TCP segments, reassembled stream, normalized TCP segments). The ASA TCP normalizer feature:
     - Verifies adherence to the TCP protocol and prevents evasion attacks
     - Disables some TCP features by default
     - Performs TCP sequence number randomization for protected hosts
     - Provides the reassembled bytestream to upper-layer inspectors
  26. Tune the ASA TCP Normalizer: TCP Normalizer Configurable Parameters (default in parentheses)
     - Verify contents of retransmissions (disabled): enables or disables the retransmit data checks
     - Verify TCP checksum of all packets (disabled): enables or disables checksum verification
     - Analyze TCP MSS of flows (allow): allows or drops packets that exceed the MSS
     - Analyze TCP reserved flags (allow): sets the reserved flags policy
     - SYN packet analysis (allow): allows or drops SYN packets with data
     - Analyze unusual TCP options (clear): allows or clears TCP options
     - Analyze IP TTL of flows (enabled): enables or disables the TTL evasion protection
     - URG flag check (allow): allows or clears the URG pointer
     - Analyze TCP windowing (drop): drops a connection that has changed its window size unexpectedly
  27. Tune the ASA TCP Normalizer: TCP State Bypass (diagram: unidirectional TCP flow denied by stateful inspection, permitted by stateless ACLs)
     - You can bypass ASA stateful inspection algorithms for some flows
     - Configurable through MPF traffic classes
     - Causes the ASA to treat these flows similarly to Cisco IOS Software stateless ACLs
     - Also disables AIC, SSCs, TCP cut-through proxy, and the TCP normalizer for these flows
     - Use only for trusted flows
  28. Tune the ASA TCP Normalizer: Configuration Steps
     1. (Optionally) Tune TCP normalization
     2. (Optionally) Tune TCP ISN randomization
     3. (Optionally) Configure TCP state bypass
  29. Tune the ASA TCP Normalizer: Configuration Scenario
     - Support an authenticated BGP session through the ASA
     - Statelessly handle traffic between the 10.1.1.0/24 and 10.2.2.0/24 networks
  30. Tune the ASA TCP Normalizer, Step 1: (Optionally) Tune TCP Normalization (ASDM: Configuration > Firewall > Objects > TCP Maps)
     - Create a new TCP map that defines TCP normalizer parameters
     - Allow TCP option 19 (BGP authentication)
  31. Tune the ASA TCP Normalizer, Step 2: (Optionally) Tune TCP ISN Randomization (ASDM: Configuration > Firewall > Service Policy Rules)
     - Create a new ACL-based class that matches the specific BGP traffic
     - Specify the configured TCP map
     - Disable ISN randomization
  32. Tune the ASA TCP Normalizer, Step 3: (Optionally) Configure TCP State Bypass (ASDM: Configuration > Firewall > Service Policy Rules)
     - Create a new ACL-based class that matches the specific networks
     - Disable stateful checks for this class
  33. Tune the ASA TCP Normalizer: CLI Configuration
        ! Steps 1 and 2: class matching the BGP peering session
        access-list BGP-PEERING-ACL permit tcp host 10.3.3.3 host 10.4.4.4 eq 179
        access-list BGP-PEERING-ACL permit tcp host 10.4.4.4 host 10.3.3.3 eq 179
        !
        class-map BGP-PEERING
         match access-list BGP-PEERING-ACL
        !
        ! Step 3: class matching the networks handled statelessly
        access-list STATE-BYPASS-ACL permit ip 10.1.1.0 255.255.255.0 10.2.2.0 255.255.255.0
        access-list STATE-BYPASS-ACL permit ip 10.2.2.0 255.255.255.0 10.1.1.0 255.255.255.0
        !
        class-map STATE-BYPASS
         match access-list STATE-BYPASS-ACL
        !
        ! Step 1: TCP map that allows TCP option 19 (TCP MD5 signature)
        tcp-map TCP-BGP-AUTH-MAP
         tcp-options range 19 19 allow
        !
        policy-map global_policy
         ! Step 3: TCP state bypass for the trusted networks
         class STATE-BYPASS
          set connection advanced-options tcp-state-bypass
         ! Step 1: apply the TCP map; Step 2: disable ISN randomization
         class BGP-PEERING
          set connection advanced-options TCP-BGP-AUTH-MAP
          set connection random-sequence-number disable
  34. Tune the ASA TCP Normalizer: Guidelines. Consider the following implementation guidelines:
     - Exercise extreme care if you are relaxing TCP normalizer parameters; this may cause unreliable application-layer filtering
     - For application-layer inspection, add TCP checksum verification and retransmission checks to your flow policy, at the expense of lower performance
     - Make only the minimal required changes between specific hosts or networks
     - Use TCP bypass only when absolutely necessary (to support trusted asymmetric flows, or TCP stack quirks of critical hosts)
  35. Configure Support for Dynamic Protocols
  36. Configure Support for Dynamic Protocols: Dynamic Protocols and Stateful Filtering
     - Dynamic protocols are those that negotiate additional sessions on negotiated transport-layer ports
     - The ASA will by default snoop on many dynamic protocols to automatically permit these sessions
     - In ACLs, you only need to permit the initial session
  37. Configure Support for Dynamic Protocols: Default Ports in the Default Inspection Class
     - The ASA assigns a set of well-known ports used by dynamic applications to the default inspection class
     - Not all ports are inspected by default
     - Additional ports are present for NAT and application-layer inspection
  38. Configure Support for Dynamic Protocols: Default Inspectors in the Default Inspection Class
     - FTP: allows FTP data connections
     - H.323 (H.225): allows negotiated RTP flows
     - H.323 (RAS): allows negotiated RTP flows
     - RSH: allows RSH stderr connections
     - RTSP: allows negotiated RTP flows
     - SCCP: allows negotiated RTP flows
     - SIP: allows negotiated RTP flows
     - Oracle SQL*Net (TNS): allows dynamic database connections
     - UNIX RPC (SUNRPC): allows all available UNIX RPC applications via the RPC portmapper
     - TFTP: allows TFTP data connections
     - XDMCP: allows dynamic X Windows display sessions
  39. Configure Support for Dynamic Protocols: Inactive Inspectors in the Default Inspection Class
     - CTIQBE: allows negotiated RTP flows
     - DCERPC: allows dynamic Microsoft DCOM and DCE RPC connections
     - MMP: allows negotiated RTP flows
     - MGCP: allows negotiated RTP flows
  40. Configure Support for Dynamic Protocols: WAAS Inspector (diagram: WAAS-enabled ISR, WAAS-aware ASA, WAAS-optimized TCP sessions, WAAS-enabled ISR)
     - The ASA also supports a non-default WAAS inspector
     - WAAS is not a dynamic application, but changes TCP behavior
     - Enabling the inspector allows WAAS sessions to work through the ASA
  41. Configure Support for Dynamic Protocols: Configuration Steps
     1. (Optionally) Configure support for non-default dynamic applications
     2. (Optionally) Configure support for dynamic applications on non-standard ports
     3. (Optionally) Configure support for custom dynamic applications
  42. Configure Support for Dynamic Protocols: Configuration Scenario
     - Enable the non-default CTIQBE and DCERPC inspectors
     - Enable support for FTP on TCP port 2121
     - Support the custom dynamic application (TCP port 3000 control session, UDP port 7777 dynamic session)
  43. Configure Support for Dynamic Protocols, Step 1: (Optionally) Configure Support for Non-Default Dynamic Applications (ASDM: Configuration > Firewall > Service Policy Rules)
     - Modify the default inspection class
     - Enable additional dynamic protocol inspectors
  44. Configure Support for Dynamic Protocols, Step 2: (Optionally) Configure Support for Dynamic Applications on Non-Standard Ports (ASDM: Configuration > Firewall > Service Policy Rules)
     - Create a new destination-port-based class
     - Specify static ports or port ranges of the dynamic application
     - Enable the dynamic application inspector for this class
  45. Configure Support for Dynamic Protocols, Step 3: (Optionally) Configure Support for Custom Dynamic Applications
        ASA(config)# established protocol dest_port [ source_port ] [ permitto protocol port [ -port ] ] [ permitfrom protocol port [ -port ] ]
     - This command allows you to describe a dynamic application to the ASA
     - Based on an established authorized connection, it will allow additional connections between the same two hosts
     - This is a better approach compared to permanently permitting these dynamic sessions using ACLs
        ! TCP port 3000 control session permits the UDP port 7777 dynamic session between the same hosts
        established tcp 3000 permitto udp 7777
        !
        access-list INSIDE permit tcp 10.0.0.0 255.0.0.0 172.16.0.0 255.255.0.0 eq 3000
        !
        access-group INSIDE in interface inside
  46. Configure Support for Dynamic Protocols: CLI Configuration
        ! Step 2: class for FTP on a non-standard port
        class-map NON-STANDARD-FTP
         match port tcp eq 2121
        !
        policy-map global_policy
         class inspection_default
          ! Step 1: enable the non-default inspectors in the default class
          inspect ctiqbe
          inspect dcerpc
         class NON-STANDARD-FTP
          inspect ftp
  47. Configure Support for Dynamic Protocols: Guidelines. Consider the following implementation guidelines:
     - If you do not use a particular dynamic protocol, it is generally better to globally disable its inspection function inside the default class
     - Use the established command instead of static ACLs to support minimal connectivity of custom dynamic applications
  48. Configuring Application-Layer Policies
  49. Application-Layer Access Control Overview: Overview (diagram: protect the client application; protect the server application, e.g. CRM). Application-layer access control can:
     - Provide defense in depth by protecting exposed client and server applications
     - Prevent malicious content from being delivered to endpoints
     - Prevent covert tunneling
  50. Application-Layer Access Control Overview: Application-layer Controls
     - Protocol minimization: allows a minimal required set of protocol features through the ASA; increases protection by hiding unnecessary features; can prevent both known and unknown attacks
     - Payload minimization: allows transport of minimally required payloads over the application session; increases protection by only allowing expected content types and values; can prevent both known and unknown attacks
     - Application-layer signatures: detect and drop known malicious payloads in application-layer sessions; can generally only prevent known attacks; can be manually configured in ASA native AIC, or you can use the full IPS functionality of the AIP SSM or SSC
     - Protocol verification: detects and/or drops anomalous application-layer protocol units; can prevent both known and unknown attacks; can prevent covert tunneling
  51. Application-Layer Access Control Overview: Input Parameters
     - Application protocols used: required to determine the level of AIC support on the ASA
     - Applications used: required to determine basic application behavior
     - Local application customization: required to determine detailed application behavior
     - Hardening and patching policies, and known application vulnerabilities: required to determine application vulnerability and the need for network protection
     - Cryptographic protection used: required to determine implementation feasibility and the possible need for decryption
  52. Application-Layer Access Control Overview: Guidelines. Consider the following general deployment guidelines:
     - Deploy application-layer access control as the primary line of defense if your applications are known to be vulnerable to application-layer attacks
     - Otherwise, consider application-layer access control for defense in depth
     - Analyze application behavior in detail, and cooperate with endpoint and application administrators before attempting to create network application-layer access controls
     - Decrypt application-layer traffic before inspecting it (and possibly re-encrypt it afterwards)
  53. Configure Cisco ASA HTTP Inspection
  54. Configure HTTP Inspection: HTTP Inspector Overview. Sample request and response:
        GET /go/asa HTTP/1.1
        Accept: image/jpeg, image/gif, application/x-shockwave-flash, */*
        User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; ...
        HTTP/1.1 200 OK
        Date: Mon, 22 Mar 2010 12:30:50 GMT
        Server: Apache/2.2
        Last-Modified: Sat, 20 Mar 2010 00:39:56 GMT
        ...
        <!DOCTYPE html PUBLIC ...
     - The ASA HTTP inspector can granularly parse HTTP requests and responses and allow specific value and regular expression matching inside these containers
     - Additionally, the inspector can verify adherence to the HTTP protocol, and log accessed URIs
  55. Configure HTTP Inspection: HTTP Request and Response
     Request headers:
        GET /go/asa HTTP/1.1
        Accept: image/jpeg, image/gif, application/x-shockwave-flash, */*
        User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1)
        Accept-Encoding: gzip, deflate
        Host: www.cisco.com
        Connection: Keep-Alive
        Cookie: CP_...
     Response headers:
        HTTP/1.1 200 OK
        Date: Mon, 22 Mar 2010 12:30:50 GMT
        Server: Apache/2.2
        Last-Modified: Sat, 20 Mar 2010 00:39:56 GMT
        Accept-Ranges: bytes
        Content-Type: text/html
        Content-Length: 24316
        Connection: keep-alive
     Data:
        <!DOCTYPE html PUBLIC ...
  56. Configure HTTP Inspection: HTTP Request and Response Details
        GET /scripts/myapp?username=joe&sessionid=12 HTTP/1.1
     - HTTP method: GET
     - HTTP URI: /scripts/myapp
     - HTTP arguments: username=joe&sessionid=12
     - HTTP version: HTTP/1.1
        Host: www.cisco.com
     - Virtual server hostname: www.cisco.com
        Content-Type: text/html
     - Type of returned content: HTML content
  57. Configure HTTP Inspection: Request Inspection Options (HTTP request field: type of match)
     - Request Method: specific values
     - Request URI: regular expression(s)
     - Request Length: numeric (greater than)
     - Request Arguments: regular expression(s)
     - Request Header Field (names and values): specific values or regular expression(s)
     - Request Header Field Count: numeric (greater than)
     - Request Header Field Length: numeric (greater than)
     - Request Header Count: numeric (greater than)
     - Request Header Length: numeric (greater than)
     - Request Header Non-ASCII: boolean (true or false)
  58. Configure HTTP Inspection: Response Inspection Options (HTTP response field: type of match)
     - Response Status Line: regular expression(s)
     - Response Body: regular expression(s)
     - Response Body Length: numeric (greater than)
     - Response Header Field (names and values): specific values or regular expression(s)
     - Response Header Field Count: numeric (greater than)
     - Response Header Field Length: numeric (greater than)
     - Response Header Count: numeric (greater than)
     - Response Header Length: numeric (greater than)
     - Response Header Non-ASCII: boolean (true or false)
  59. Configure HTTP Inspection: Configuration Steps
     1. Create an HTTP inspection policy map
     2. (Optionally) Configure HTTP protocol minimization
     3. (Optionally) Configure HTTP payload minimization
     4. (Optionally) Configure HTTP signatures
     5. (Optionally) Configure HTTP protocol verification
     6. Apply the HTTP inspection policy map
  60. Configure HTTP Inspection: Configuration Scenario (web server 10.10.10.1)
     - Only allow the HTTP GET method
     - Only allow URIs starting with “/myapp”
     - Drop requests that contain basic SQL injection (“SELECT FROM”) in HTTP arguments
     - Verify adherence to the HTTP protocol
  61. Configure HTTP Inspection, Step 1: Create an HTTP Inspection Policy Map (ASDM: Configuration > Firewall > Objects > Inspect Maps > HTTP)
     - Choose a pre-configured policy, or use the “Details” view to create custom inspections
  62. Configure HTTP Inspection, Step 1: Create an HTTP Inspection Policy Map (Cont.) (ASDM: Configuration > Firewall > Objects > Inspect Maps > HTTP)
     - In each inspection, you can match on a single condition or on multiple conditions
     - You can add multiple inspections; any matching inspection will trigger an action
  63. Configure HTTP Inspection, Step 2: (Optionally) Configure HTTP Protocol Minimization (ASDM: Configuration > Firewall > Objects > Inspect Maps > HTTP)
     - To minimize protocol features, use the “No Match” criterion, and specify all valid protocol features
     - Specify the actions taken when a protocol feature is not on the “white list”
  64. Configure HTTP Inspection, Step 3: (Optionally) Configure HTTP Payload Minimization (ASDM: Configuration > Firewall > Objects > Inspect Maps > HTTP)
     - To minimize payloads, use the “No Match” criterion, and specify all valid payloads
     - Specify valid payloads using regex or specific values; you can create and test a regex in the ASDM interface
     - Specify the actions taken when a payload is not on the “white list”
  65. Configure HTTP Inspection, Step 4: (Optionally) Configure HTTP Signatures (ASDM: Configuration > Firewall > Objects > Inspect Maps > HTTP)
     - To create signatures, use the “Match” criterion, and specify individual malicious payloads
     - Specify malicious payloads using regex or specific values
     - Specify the actions taken when a payload is on the “blacklist”
  66. Configure HTTP Inspection, Step 5: (Optionally) Configure HTTP Protocol Verification (ASDM: Configuration > Firewall > Objects > Inspect Maps > HTTP)
     - Enable protocol verification
     - Specify the actions taken for non-compliant sessions
  67. Configure HTTP Inspection, Step 6: Apply the HTTP Inspection Policy Map (ASDM: Configuration > Firewall > Service Policy Rules)
     - Create a new ACL-based class that matches the specific web traffic
     - Enable HTTP inspection and apply the custom HTTP inspect map
  68. Configure HTTP Inspection: CLI Configuration
        ! Step 4: signature regex; Step 3: URI allow-list regex (prefix only, no $ support)
        regex BASIC-SQL-INJECTION "[Ss][Ee][Ll][Ee][Cc][Tt].+[Ff][Rr][Oo][Mm]"
        regex MY-URI "^/myapp"
        !
        ! Step 1: HTTP inspection policy map
        policy-map type inspect http MY-HTTP-POLICY
         ! Step 5: protocol verification
         parameters
          protocol-violation action drop-connection log
         ! Step 2: protocol minimization (only the GET method)
         match not request method get
          drop-connection log
         ! Step 3: payload minimization (only URIs starting with /myapp)
         match not request uri regex MY-URI
          drop-connection log
         ! Step 4: signature for basic SQL injection in HTTP arguments
         match request args regex BASIC-SQL-INJECTION
          drop-connection log
  69. Configure HTTP Inspection: CLI Configuration (Cont.)
        ! Step 6: apply the inspection policy map to traffic to the web server
        access-list WEB-SERVER-ACL permit tcp any host 10.10.10.1 eq http
        !
        class-map WEB-SERVER-PROTECTION
         match access-list WEB-SERVER-ACL
        !
        policy-map global_policy
         class WEB-SERVER-PROTECTION
          inspect http MY-HTTP-POLICY
  70. Configure HTTP Inspection: Verify the Policy Map (ASDM: Configuration > Firewall > Objects > Inspect Maps > HTTP)
     - Verify that all needed inspections are configured in the HTTP inspect map
  71. Configure HTTP Inspection: Guidelines. Consider the following implementation guidelines:
     - Analyze application behavior well (using traffic captures and detection policies) before implementing aggressive actions
     - The ASA regular expression engine does not support the $ (end-of-line) metacharacter, therefore you can only match on prefixes
     - Consider implementing length-based restrictions in addition to pattern-based filtering
     - Using minimization (i.e. “least privilege”) is often more effective than signatures, but is almost always much more challenging to implement
  72. Summary
     - Exercise extreme care when configuring lower inspection layers, to ensure reliability of more advanced inspection
     - Consider improving your own controls based on the effectiveness criteria outlined in this session
     - Use various ASA configuration tools to ensure that your policy is accurately implemented
     - Deploying application-layer inspection is challenging, but can provide excellent defense in depth
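As an added example (not code from the deck or from Cisco), a Python model of the slide-33 TCP map: it parses a SYN's TCP options field, keeps the option kinds the normalizer passes by default, clears everything else, and shows that the kind-19 TCP MD5 signature used by authenticated BGP survives only when a `tcp-options range 19 19 allow` line is present. The default-allowed option set, clearing by overwriting with NOPs, and all function names are assumptions; the option bytes are constructed.

```python
# TCP option kinds the model passes by default: MSS, window scale,
# SACK-permitted, SACK and timestamps (assumption about the normalizer's
# defaults). Any other kind is cleared unless a tcp-map range allows it.
DEFAULT_ALLOWED = {2, 3, 4, 5, 8}
MD5_SIGNATURE = 19   # RFC 2385 TCP MD5 signature option, carried by authenticated BGP


def parse_tcp_options(raw):
    """Yield (kind, option_bytes) for each option in a TCP options field.

    Raises ValueError on a truncated option or an impossible length, which a
    normalizer would treat as a malformed segment rather than guess at.
    """
    i = 0
    while i < len(raw):
        kind = raw[i]
        if kind == 0:                       # EOL: the rest of the field is padding
            yield kind, raw[i:]
            return
        if kind == 1:                       # NOP: single byte, no length field
            yield kind, raw[i:i + 1]
            i += 1
            continue
        if i + 1 >= len(raw):
            raise ValueError("option kind %d has no length byte" % kind)
        length = raw[i + 1]
        if length < 2 or i + length > len(raw):
            raise ValueError("bad length %d for option kind %d" % (length, kind))
        yield kind, raw[i:i + length]
        i += length


def normalize_options(raw, allowed_ranges=()):
    """Return the options field after normalization.

    allowed_ranges lists (low, high) pairs, one per 'tcp-options range LOW HIGH
    allow' line of a tcp-map. Cleared options are overwritten with NOPs so the
    header length is unchanged (assumption about how clearing is represented).
    """
    out = bytearray()
    for kind, opt in parse_tcp_options(raw):
        allowed = (kind in DEFAULT_ALLOWED
                   or any(low <= kind <= high for low, high in allowed_ranges))
        if kind in (0, 1) or allowed:
            out += opt
        else:
            out += b"\x01" * len(opt)
    return bytes(out)


def option_kinds(raw):
    """Kinds present in an options field, in order (EOL/NOP included)."""
    return [kind for kind, _ in parse_tcp_options(raw)]


def is_malformed(raw):
    """True if the options field cannot be parsed."""
    try:
        list(parse_tcp_options(raw))
        return False
    except ValueError:
        return True


# Constructed SYN options: MSS 1460, two NOPs, timestamps, then a TCP MD5
# signature option (kind 19, length 18) with made-up digest bytes.
SAMPLE_OPTIONS = (
    bytes([2, 4, 0x05, 0xB4])
    + b"\x01\x01"
    + bytes([8, 10]) + (1).to_bytes(4, "big") + (0).to_bytes(4, "big")
    + bytes([MD5_SIGNATURE, 18]) + bytes(range(16))
)

# The slide-33 tcp-map: 'tcp-options range 19 19 allow'.
TCP_BGP_AUTH_MAP = [(19, 19)]


def md5_option_survives(raw, allowed_ranges=()):
    """True if the kind-19 option is still present after normalization."""
    return MD5_SIGNATURE in option_kinds(normalize_options(raw, allowed_ranges))


if __name__ == "__main__":
    # With the default policy the signature is cleared, so the BGP peer's MD5
    # check fails; with TCP-BGP-AUTH-MAP it passes through untouched. The
    # slide-31 step (disabling ISN randomization) matters for the same reason:
    # the signature covers the TCP header, so rewriting sequence numbers
    # would invalidate it.
    print("default:", option_kinds(normalize_options(SAMPLE_OPTIONS)))
    print("bgp-map:", option_kinds(normalize_options(SAMPLE_OPTIONS, TCP_BGP_AUTH_MAP)))
```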
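As an added example, not from the deck, a Python model of the slide-45 `established` command: the UDP 7777 dynamic session from the server back to the client is admitted only while that client's ACL-authorized TCP 3000 control connection is in the connection table, and is refused before the control session opens, for any other host pair, and after it closes. Treating the dynamic session as a return connection (destination host of the control session opening back to its source) is an assumed reading of `permitto`; class and function names are assumptions and the addresses are constructed.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    """A new connection attempt: protocol, initiating host, target host, destination port."""
    proto: str
    src: str
    dst: str
    dport: int


@dataclass(frozen=True)
class AclEntry:
    """One 'access-list ... permit <proto> <src_net> <dst_net> eq <dport>' line."""
    proto: str
    src_net: str
    dst_net: str
    dport: int

    def permits(self, flow):
        return (flow.proto == self.proto and flow.dport == self.dport
                and ipaddress.ip_address(flow.src) in ipaddress.ip_network(self.src_net)
                and ipaddress.ip_address(flow.dst) in ipaddress.ip_network(self.dst_net))


@dataclass(frozen=True)
class EstablishedRule:
    """Model of 'established <est_proto> <est_dport> permitto <proto> <port>'."""
    est_proto: str
    est_dport: int
    permitto_proto: str
    permitto_port: int


class Firewall:
    """Connection-table model: the ACL admits initial sessions, established rules the rest."""

    def __init__(self, acl, established):
        self.acl = acl
        self.established = established
        self.conn_table = set()

    def _return_permitted(self, flow):
        # The dynamic session is admitted only as a return connection: the host
        # that was the destination of an authorized control connection opens it
        # back to that connection's source (assumed semantics of permitto).
        for rule in self.established:
            if flow.proto != rule.permitto_proto or flow.dport != rule.permitto_port:
                continue
            for conn in self.conn_table:
                if (conn.proto == rule.est_proto and conn.dport == rule.est_dport
                        and conn.src == flow.dst and conn.dst == flow.src):
                    return True
        return False

    def new_connection(self, flow):
        """Admit or refuse a flow; admitted flows are added to the connection table."""
        if any(entry.permits(flow) for entry in self.acl):
            self.conn_table.add(flow)
            return "permit (acl)"
        if self._return_permitted(flow):
            self.conn_table.add(flow)
            return "permit (established)"
        return "deny"

    def close_connection(self, flow):
        """Remove a flow, as a FIN/RST or an idle timeout would."""
        self.conn_table.discard(flow)


def demo():
    """Walk the slide-45 scenario with constructed hosts; returns each step's verdict."""
    fw = Firewall(
        acl=[AclEntry("tcp", "10.0.0.0/8", "172.16.0.0/16", 3000)],  # access-list INSIDE
        established=[EstablishedRule("tcp", 3000, "udp", 7777)],      # established tcp 3000 permitto udp 7777
    )
    control = Flow("tcp", "10.1.1.5", "172.16.2.9", 3000)   # client -> server control session
    data = Flow("udp", "172.16.2.9", "10.1.1.5", 7777)      # server -> same client dynamic session
    stray = Flow("udp", "172.16.2.9", "10.1.1.6", 7777)     # server -> a client with no control session
    verdicts = {}
    verdicts["data before control"] = fw.new_connection(data)
    verdicts["control"] = fw.new_connection(control)
    verdicts["data after control"] = fw.new_connection(data)
    verdicts["stray to other host"] = fw.new_connection(stray)
    fw.close_connection(control)
    fw.close_connection(data)
    verdicts["data after close"] = fw.new_connection(data)
    return verdicts


if __name__ == "__main__":
    for step, verdict in demo().items():
        print(f"{step:22} {verdict}")
```

A static ACL permitting UDP 7777 from 172.16.0.0/16 to 10.0.0.0/8 would admit the stray flow as well, which is the connectivity the slide-47 guideline avoids.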
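As an added example (not the deck's or Cisco's code), a Python model of the slide-68 MY-HTTP-POLICY applied to constructed request lines: each `match not` line fires when its allow-list predicate fails, the signature line fires on a hit, and a malformed request line is treated as a protocol violation. It also shows the slide-71 caveat: with no `$` anchor, `^/myapp` is a prefix match and admits `/myapplication/` too. Function names and sample requests are assumptions.

```python
import re
from urllib.parse import urlsplit

# Regexes from the slide-68 configuration. The ASA engine supports ^ but not $,
# so MY_URI is a prefix match and nothing more.
BASIC_SQL_INJECTION = re.compile(r"[Ss][Ee][Ll][Ee][Cc][Tt].+[Ff][Rr][Oo][Mm]")
MY_URI = re.compile(r"^/myapp")

# One entry per "match" line of MY-HTTP-POLICY: (negated, field, predicate, reason).
# A "match not" line (negated=True) fires when the predicate does NOT hold,
# the allow-list style of slides 63 and 64; a plain "match" fires when it
# does, the signature style of slide 65.
RULES = [
    (True, "method", lambda v: v == "GET", "request method not get"),
    (True, "uri", lambda v: MY_URI.search(v) is not None, "request uri not regex MY-URI"),
    (False, "args", lambda v: BASIC_SQL_INJECTION.search(v) is not None,
     "request args regex BASIC-SQL-INJECTION"),
]


def parse_request_line(line):
    """Split 'METHOD target HTTP/x.y' into the fields the inspector matches on.

    Raises ValueError for anything that is not a well-formed request line; the
    model treats that as a protocol violation (slide 66).
    """
    parts = line.split(" ")
    if len(parts) != 3 or not re.fullmatch(r"HTTP/\d\.\d", parts[2]):
        raise ValueError("malformed request line")
    method, target, _version = parts
    if not target.startswith("/"):
        raise ValueError("request target is not an absolute path")
    split = urlsplit(target)
    return {"method": method, "uri": split.path, "args": split.query}


def inspect_request(line):
    """Return ('drop-connection', reason) or ('allow', None) for one request line."""
    try:
        fields = parse_request_line(line)
    except ValueError:
        return ("drop-connection", "protocol-violation")
    for negated, field, predicate, reason in RULES:
        if predicate(fields[field]) != negated:   # hit on a plain match, miss on "match not"
            return ("drop-connection", reason)
    return ("allow", None)


# Constructed request lines against the slide-60 web server; none come from the deck.
SAMPLE_REQUESTS = [
    "GET /myapp/index.html HTTP/1.1",                         # allowed
    "POST /myapp/login HTTP/1.1",                             # not GET
    "GET /admin/ HTTP/1.1",                                   # URI outside /myapp
    "GET /myapp/search?q=select+name+from+users HTTP/1.1",   # signature hit in the arguments
    "GET /myapplication/ HTTP/1.1",                           # allowed: ^/myapp is only a prefix
    "GET /myapp HTTP/1.1 extra",                              # malformed request line
]


def run_policy(lines=SAMPLE_REQUESTS):
    """Apply the policy to each line; returns a list of (line, action, reason)."""
    return [(line, *inspect_request(line)) for line in lines]


if __name__ == "__main__":
    for line, action, reason in run_policy():
        print(f"{action:16} {reason or '-':40} {line}")
```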
