Basic introduction and configuration of Cisco Firewall

2025-02-24 Update From: SLTechnology News&Howtos

Shulou(Shulou.com)06/01 Report--

1. Introduction to ASA (stateful firewall) security devices:

Cisco hardware firewall technology is used in three product lines: the PIX 500 Series Security Appliance, the ASA 5500 Series Adaptive Security Appliance, and the Firewall Services Module for Catalyst 6500 series switches and Cisco 7600 series routers.

The Cisco ASA 5500 Series Adaptive Security Appliance provides integrated firewall, intrusion prevention system (IPS) and adaptive threat defense services, together with VPN services, in one appliance, which simplifies the network security solution.

2. The security algorithm of the ASA stateful firewall:

A stateful firewall maintains a table of connection information, called the conn table.

The key fields of a conn table entry are: the source IP address, the destination IP address, the IP protocol (for example TCP or UDP), and the protocol information (for example the TCP/UDP port numbers, the TCP sequence number and the TCP control bits).

In the figure above, when the PC accesses the web server, the stateful firewall processes the request as follows:

1. The PC initiates an HTTP request to the web server.

2. The HTTP request arrives at the firewall, and the firewall adds the connection information (source and destination IP addresses, the TCP protocol, and the source and destination TCP port numbers) to the conn table.

3. The firewall forwards the HTTP request to the web server.

When the traffic returns, the stateful firewall processes it as follows:

1. The web server responds to the HTTP request and returns the corresponding data traffic.

2. The firewall intercepts the traffic and checks its connection information.

If a matching entry is found in the conn table, the traffic is allowed; if no matching entry is found, the traffic is discarded.

The ASA uses its security algorithm to perform the following three basic operations:

1. Access control lists: control network access based on specific networks, hosts and services (TCP/UDP port numbers).

2. Connection table: maintains the state information of each connection. The security algorithm uses this information to forward traffic belonging to established connections efficiently. (My personal understanding: the ASA allows a private-network client to actively establish a connection to the public network, but the external network is not allowed to actively establish a connection to the private network; that is to say, for traffic to flow, the connection must be initiated by the private-network user.)

3. Inspection engine: performs stateful inspection and application-layer inspection. The inspection rule set is predefined and verifies that the application complies with the relevant RFCs and other standards.

A data packet traverses the ASA as follows:

1. A new TCP SYN packet arrives at the ASA, attempting to establish a new connection.

2. The ASA checks the access control list to determine whether the connection is allowed.

3. The ASA performs a route lookup. If a route exists, the ASA uses the necessary session information to create new entries in the connection tables (XLATE and CONN).

4. The ASA checks the set of predefined rules in the inspection engine; if the traffic belongs to a known application, it also performs application-layer inspection.

5. The ASA decides, according to the inspection engine, whether to forward or discard the packet; if forwarding is allowed, it forwards the packet to the destination host.

6. The destination host responds to the packet.

7. The ASA receives the return packet, inspects it, and queries the connection database to determine whether the session information matches an existing connection.

8. The ASA forwards packets that belong to an established session.

The application-layer inspection of the ASA performs deep inspection of application-layer protocol traffic by examining the IP header and the payload of the packet, and checks whether the application-layer protocol complies with the RFC standard, so that malicious behaviour hidden in application-layer data can be detected.
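The conn-table behaviour described in this section (a SYN opens an entry after the ACL check, return traffic is matched against the reversed 5-tuple, and unsolicited traffic with no entry is dropped) is illustrated by the following added example. It is not code from the original article or from Cisco; the interface names, the ACL entry format and the sample packets are constructed for the demonstration, and routing and application inspection (steps 3 to 5) are left out to keep the state-tracking logic visible.

```python
# Added example: a minimal model of stateful inspection with a conn table.
# Interface names, ACL format and packets are assumptions for this demo.
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    iface: str         # interface the packet arrives on: "inside" or "outside"
    proto: str         # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False  # TCP SYN flag
    ack: bool = False  # TCP ACK flag


def conn_key(p):
    """5-tuple that identifies a connection in the conn table."""
    return (p.proto, p.src, p.sport, p.dst, p.dport)


def reverse_key(p):
    """The same connection seen from the return direction."""
    return (p.proto, p.dst, p.dport, p.src, p.sport)


class StatefulFirewall:
    def __init__(self, acl):
        # acl: entries (ingress_iface, proto, dst_host, dst_port) allowed to open a new connection
        self.acl = acl
        self.conn = {}   # conn table: 5-tuple -> ingress interface of the initiator
        self.log = []    # (verdict, reason, 5-tuple) for each processed packet

    def acl_permits(self, p):
        return any(i == p.iface and pr == p.proto and d == p.dst and dp == p.dport
                   for i, pr, d, dp in self.acl)

    def process(self, p):
        # Steps 7-8: a packet matching an existing entry (either direction) is forwarded.
        if conn_key(p) in self.conn or reverse_key(p) in self.conn:
            self.log.append(("forward", "existing connection", conn_key(p)))
            return "forward"
        # Only a TCP SYN (without ACK) can open a new connection; anything else has no state.
        if p.proto == "tcp" and not (p.syn and not p.ack):
            self.log.append(("drop", "no matching connection", conn_key(p)))
            return "drop"
        # Step 2: the ACL decides whether this new connection is allowed.
        if not self.acl_permits(p):
            self.log.append(("drop", "denied by ACL", conn_key(p)))
            return "drop"
        # Step 3: create the conn entry, then forward the packet.
        self.conn[conn_key(p)] = p.iface
        self.log.append(("forward", "new connection", conn_key(p)))
        return "forward"


def demo():
    """Constructed sample: PC 10.1.1.5 on inside opens HTTP to web server 203.0.113.10 on outside."""
    fw = StatefulFirewall(acl=[("inside", "tcp", "203.0.113.10", 80)])
    request = Packet("inside", "tcp", "10.1.1.5", 40001, "203.0.113.10", 80, syn=True)
    reply = Packet("outside", "tcp", "203.0.113.10", 80, "10.1.1.5", 40001, syn=True, ack=True)
    # SYN/ACK for a port the PC never used: no conn entry, so it is dropped
    stray = Packet("outside", "tcp", "203.0.113.10", 80, "10.1.1.5", 40002, syn=True, ack=True)
    # new connection attempt from outside: no ACL entry on outside, so it is dropped
    probe = Packet("outside", "tcp", "198.51.100.7", 5555, "10.1.1.5", 22, syn=True)
    verdicts = [fw.process(p) for p in (request, reply, stray, probe)]
    return verdicts, len(fw.conn)


if __name__ == "__main__":
    verdicts, entries = demo()
    print(verdicts, "conn entries:", entries)
```

The two drops show the two different reasons the text gives: the stray SYN/ACK is discarded because no conn entry matches it, while the probe is a genuine new connection that fails the ACL check on the outside interface.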

3. The concept of the ASA interface:

1. An ASA interface usually has two names:

① Physical name: similar to the name of a router interface; for example, Ethernet0/0 can be abbreviated to E0/0. The physical name is usually used to configure the rate, duplex and IP address of the interface.

② Logical name: logical names are used in most configuration commands, such as configuring ACLs, routes and so on. Logical names describe security zones, such as inside for the internal zone connected to the ASA (high security level) and outside for the external zone connected to the ASA (low security level).

2. Security level of the interface:

Each interface has a security level that ranges from 0 to 100; the higher the value, the higher the security level. Generally, when an interface is configured as inside (private network interface) its security level is set to 100; when it is outside (public network interface) the security level is set to 0; and when it is the DMZ the security level is between those of inside and outside.

By default, the following rules apply when interfaces with different security levels access each other:

① Outbound connections are allowed: traffic from a high security level interface to a low security level interface is permitted. For example, access from inside to outside is allowed.

② Inbound connections are forbidden: traffic from a low security level interface to a high security level interface is prohibited. For example, access from outside to inside is prohibited.

③ Communication between interfaces with the same security level is prohibited.

4. The concept and function of the DMZ:

The DMZ (demilitarized zone) is a network area located between the internal and external networks of the enterprise. Servers that must be exposed, such as web servers, FTP servers and forums, can be placed in this area. The schematic diagram is as follows:

The servers in the DMZ are common services that do not hold confidential information, so visitors from the external network can access the services in the DMZ but cannot access the confidential information on the intranet. Even if a server in the DMZ is compromised, the confidential information on the intranet is not affected, so the DMZ effectively protects the intranet environment.

When a DMZ exists, the following access rules apply by default (as in the figure above):

Inside can access the DMZ and outside. The DMZ can access outside but is not allowed to access inside. Outside cannot access the DMZ or inside; an ACL is usually configured so that outside can access the DMZ, otherwise the DMZ is meaningless.
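The security-level rules of section 3 and the DMZ rules just listed amount to a small decision function, shown here as an added example that is not part of the original article. The interface levels (inside 100, DMZ 50, outside 0), the DMZ network 192.168.2.0/24 and the sample ACL entry that lets outside reach the DMZ web servers on port 80 are assumptions chosen for the demonstration; the ACL is modelled the way the ASA treats an applied access-group, which replaces the security-level default for new connections entering that interface.

```python
# Added example: default inter-interface policy by security level, plus an
# inbound ACL exception for outside -> DMZ. Levels, networks and ports are
# assumptions for this demo.
from ipaddress import ip_address, ip_network

SECURITY_LEVEL = {"inside": 100, "dmz": 50, "outside": 0}

# Constructed sample ACL applied inbound on outside: (proto, destination network, destination port).
# It lets external hosts reach the DMZ web servers on port 80 and nothing else.
INBOUND_ACL = {
    "outside": [("tcp", ip_network("192.168.2.0/24"), 80)],
}


def default_rule(src_iface, dst_iface):
    """Default policy when no ACL is applied on the ingress interface."""
    s, d = SECURITY_LEVEL[src_iface], SECURITY_LEVEL[dst_iface]
    if s > d:
        return "permit"   # outbound: high security level to low
    return "deny"         # inbound (low to high) and same-level traffic are denied


def acl_permits(src_iface, proto, dst, dport):
    for p, net, port in INBOUND_ACL.get(src_iface, []):
        if p == proto and ip_address(dst) in net and port == dport:
            return True
    return False


def decide(src_iface, dst_iface, proto="tcp", dst="0.0.0.0", dport=0):
    """Decision for a new connection entering src_iface and leaving via dst_iface."""
    if src_iface in INBOUND_ACL:
        # An ACL applied to the interface replaces the security-level default:
        # the connection must match a permit entry, otherwise the implicit deny applies.
        return "permit" if acl_permits(src_iface, proto, dst, dport) else "deny"
    return default_rule(src_iface, dst_iface)


def demo():
    """Constructed cases covering every direction between inside, DMZ and outside."""
    cases = [
        ("inside -> outside", "inside", "outside", "tcp", "203.0.113.1", 443),
        ("inside -> dmz", "inside", "dmz", "tcp", "192.168.2.10", 80),
        ("dmz -> outside", "dmz", "outside", "tcp", "203.0.113.1", 443),
        ("dmz -> inside", "dmz", "inside", "tcp", "10.1.1.1", 445),
        ("outside -> inside", "outside", "inside", "tcp", "10.1.1.1", 22),
        ("outside -> dmz:80", "outside", "dmz", "tcp", "192.168.2.10", 80),
        ("outside -> dmz:22", "outside", "dmz", "tcp", "192.168.2.10", 22),
    ]
    return {label: decide(s, d, proto, dst, port) for label, s, d, proto, dst, port in cases}


if __name__ == "__main__":
    for label, verdict in demo().items():
        print(f"{label:20s} {verdict}")
```

The last two cases are the point of the DMZ: the ACL opens exactly the exposed service (TCP/80) from outside, while SSH to the same DMZ host and any connection from outside or the DMZ towards inside stay denied.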

5. Basic configuration of the ASA:

Configure the hostname:

ciscoasa> en
Password:                        # the default privileged password is empty, so press Enter
ciscoasa# conf t
ciscoasa(config)# hostname asa

Configure the privileged password:

asa(config)# enable password 123.com    # set the privileged password to 123.com

Configure the Telnet password (the password that must be entered when connecting with Telnet or SSH):

asa(config)# passwd 2019.com    # set the password for remote connections to 2019.com

Configure the interface name and interface security level:

asa(config)# int e0/0                   # enter interface e0/0
asa(config-if)# nameif inside           # name the interface inside
INFO: Security level for "inside" set to 100 by default.   # system prompt: the name inside gets security level 100 automatically
asa(config-if)# security-level 100      # set the security level of the inside interface to 100 explicitly

If the ASA model is 5505, the above configuration is not supported directly on the physical interface; it must be configured on a VLAN virtual interface, as shown below:

asa(config)# int vlan 1
asa(config-if)# nameif inside
asa(config-if)# security-level 100
asa(config-if)# ip add 10.1.1.254 255.255.255.0
asa(config-if)# no shut

View the conn table:

asa# show conn detail

Configure ACLs:

Configuring an ACL on the ASA serves two purposes: allowing inbound connections, and controlling the traffic of outbound connections.

Note that an ACL on a router uses the wildcard (inverse) mask, while an ACL on the ASA uses the normal subnet mask. In addition, a standard ACL cannot be applied to an interface to filter traffic; it is used in other situations, such as configuring split tunneling for remote-access VPN.

Example of allowing an inbound connection:

asa(config)# access-list out_to_in permit ip host 172.16.1.1 host 10.1.1.1   # allow the external host 172.16.1.1 to access the internal host 10.1.1.1; out_to_in is the ACL name
asa(config)# access-group out_to_in in int outside   # apply the ACL named out_to_in inbound on the outside interface

Control the traffic of outbound connections:

asa(config)# access-list in_to_out deny ip 10.0.0.0 255.0.0.0 any   # deny the private network segment 10.0.0.0/8 access to all public network segments
asa(config)# access-list in_to_out permit ip any any   # allow all other traffic; every ACL ends with an implicit deny, so a permit for the remaining traffic is generally needed
asa(config)# access-group in_to_out in int inside   # apply the ACL inbound on the private network interface
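The two ACL points made above (the ASA takes a normal mask where a router takes a wildcard mask, and every ACL ends with an implicit deny) can be checked with the following added parser and evaluator. It is not code from the original article or from Cisco: the ACL lines it parses are the article's own, while the evaluation order (first match wins), the helper names and the sample packets are assumptions for the demonstration.

```python
# Added example: parse the ASA access-list lines shown above and evaluate
# packets against them with first-match semantics and an implicit deny.
# Function names and sample packets are assumptions for this demo.
from ipaddress import ip_address, ip_network

# The article's own ACL lines (without the prompt), used as constructed input.
ASA_ACL_TEXT = """\
access-list in_to_out deny ip 10.0.0.0 255.0.0.0 any
access-list in_to_out permit ip any any
access-list out_to_in permit ip host 172.16.1.1 host 10.1.1.1
"""


def wildcard_to_mask(wildcard):
    """Router wildcard (inverse) mask -> normal mask used by the ASA, e.g. 0.255.255.255 -> 255.0.0.0."""
    return ".".join(str(255 - int(octet)) for octet in wildcard.split("."))


def _parse_addr(tokens):
    """Consume one address spec from the token list: 'any', 'host A', or 'A MASK' (normal mask)."""
    t = tokens.pop(0)
    if t == "any":
        return ip_network("0.0.0.0/0")
    if t == "host":
        return ip_network(tokens.pop(0) + "/32")
    mask = tokens.pop(0)
    # ipaddress accepts a dotted netmask after the slash; strict=False tolerates host bits
    return ip_network(f"{t}/{mask}", strict=False)


def parse_acls(text):
    """Return {acl_name: [(action, proto, src_net, dst_net), ...]} in configured order."""
    acls = {}
    for line in text.splitlines():
        tokens = line.split()
        if not tokens or tokens[0] != "access-list":
            continue
        name, action, proto = tokens[1], tokens[2], tokens[3]
        rest = tokens[4:]
        src = _parse_addr(rest)
        dst = _parse_addr(rest)
        acls.setdefault(name, []).append((action, proto, src, dst))
    return acls


def evaluate(acl, proto, src, dst):
    """First matching entry wins; no match means the implicit deny at the end applies."""
    s, d = ip_address(src), ip_address(dst)
    for action, p, src_net, dst_net in acl:
        if p in ("ip", proto) and s in src_net and d in dst_net:
            return action
    return "deny"


def demo():
    acls = parse_acls(ASA_ACL_TEXT)
    return {
        "router wildcard 0.255.255.255 as ASA mask": wildcard_to_mask("0.255.255.255"),
        "in_to_out 10.1.1.1 -> 203.0.113.1": evaluate(acls["in_to_out"], "tcp", "10.1.1.1", "203.0.113.1"),
        "in_to_out 192.168.1.1 -> 203.0.113.1": evaluate(acls["in_to_out"], "tcp", "192.168.1.1", "203.0.113.1"),
        "out_to_in 172.16.1.1 -> 10.1.1.1": evaluate(acls["out_to_in"], "tcp", "172.16.1.1", "10.1.1.1"),
        "out_to_in 172.16.1.2 -> 10.1.1.1": evaluate(acls["out_to_in"], "tcp", "172.16.1.2", "10.1.1.1"),
    }


if __name__ == "__main__":
    for label, result in demo().items():
        print(f"{label:45s} {result}")
```

The last case is the implicit deny in action: out_to_in has a single permit for host 172.16.1.1, so a different external host is denied even though no deny line was written.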

Configure static routes:

asa(config)# route outside 172.16.0.0 255.255.0.0 10.0.0.1   # traffic to the 172.16.0.0/16 segment has next hop 10.0.0.1
asa(config)# route inside 192.168.1.0 255.255.255.0 192.168.2.1   # traffic to the 192.168.1.0/24 segment has next hop 192.168.2.1

Other configuration:

1. ICMP protocol:

By default, for security reasons, the ASA does not allow ICMP packets to traverse it. For ease of debugging you can temporarily allow ICMP reply messages through the ASA; note that the ACL below permits every ICMP type, so remove it once debugging is finished.

ciscoasa(config)# access-list 111 permit icmp any any   # define the ACL
ciscoasa(config)# access-group 111 in int outside       # apply it inbound on the outside interface

2. Other configuration commands:

First, a general note: any command can be negated with no. When a command has been misconfigured, delete it by prefixing the original command with no.

ciscoasa# write memory                          # save the running configuration to the startup configuration
ciscoasa# copy running-config startup-config    # equivalent to write memory
ciscoasa(config)# clear configure all           # clear all configuration
ciscoasa(config)# clear configure access-list   # clear all access-list commands
ciscoasa(config)# clear configure access-list in_to_out   # clear only the access-list named in_to_out
ciscoasa# write erase                           # delete the startup-config file

6. Remote management of the ASA:

The ASA supports three main remote management access methods: Telnet, SSH and ASDM.

1. Telnet configuration example:

Because Telnet is not secure for remote management, Telnet access from the external interface is generally forbidden and Telnet is allowed only from the internal network.

1) Allow Telnet access from the 192.168.0.0/24 segment in the inside zone:

ciscoasa(config)# telnet 192.168.0.0 255.255.255.0 inside

Or allow a single host to Telnet to the firewall (choose one of the two as needed):

ciscoasa(config)# telnet 192.168.0.1 255.255.255.255 inside

2) Configure the idle timeout to 30 minutes:

ciscoasa(config)# telnet timeout 30

At this point, Telnet remote management can be realized.

2. Configure SSH access:

1) Configure the hostname and domain name, because both are used when generating the RSA key pair (the hostname configuration can be omitted):

ciscoasa(config)# hostname aaa                      # configure the hostname
aaa(config)# domain-name abc.com                    # configure the domain name
aaa(config)# crypto key generate rsa modulus 1024   # modulus length of the generated RSA key in bits: 512, 768, 1024 or 2048
aaa(config)# ssh 192.168.1.0 255.255.255.0 inside   # allow SSH from the intranet segment 192.168.1.0/24
aaa(config)# ssh 0 0 outside                        # allow any host on the external network to connect via SSH
aaa(config)# ssh timeout 30                         # idle timeout of 30 minutes
aaa(config)# ssh version 2                          # optional: enable SSH version 2; versions 1 and 2 differ in their security mechanisms

After configuring SSH access, you can log in to the ASA's outside interface from a host in the outside zone with a tool such as SecureCRT or PuTTY. Note that the ASA's default user name is pix, and the password is the one set with the passwd command.
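Since the section recommends keeping Telnet off the external interface, a defender will want a quick way to review an exported configuration for management-plane exposure. The following added example (not code from the original article or from Cisco) scans configuration text for the telnet and ssh lines shown above; the sample configuration is constructed from those commands, and the finding texts and severities are this example's own wording.

```python
# Added example: audit ASA configuration text for remote-management exposure.
# The sample config is constructed from the article's commands; the findings
# and their severities are assumptions for this demo.
import re

SAMPLE_CONFIG = """\
hostname aaa
domain-name abc.com
telnet 192.168.0.0 255.255.255.0 inside
telnet timeout 30
ssh 192.168.1.0 255.255.255.0 inside
ssh 0 0 outside
ssh timeout 30
ssh version 2
"""

# Matches "telnet|ssh <address> <mask> <interface>" lines; timeout/version lines do not match.
MGMT_LINE = re.compile(r"^(telnet|ssh)\s+(\S+)\s+(\S+)\s+(\S+)\s*$")
ANY_SOURCE = ("0", "0.0.0.0")


def audit_management(config_text):
    """Return a list of (severity, message) findings about remote management access."""
    findings = []
    saw_ssh_v2 = False
    for raw in config_text.splitlines():
        line = raw.strip()
        if line == "ssh version 2":
            saw_ssh_v2 = True
            continue
        m = MGMT_LINE.match(line)
        if not m:
            continue
        proto, addr, mask, iface = m.groups()
        if proto == "telnet" and iface != "inside":
            findings.append(("high",
                             f"Telnet (cleartext) permitted on interface {iface} from {addr} {mask}"))
        if proto == "ssh" and addr in ANY_SOURCE and mask in ANY_SOURCE:
            findings.append(("medium",
                             f"SSH permitted from any source on interface {iface}; restrict to management hosts"))
    if not saw_ssh_v2:
        findings.append(("low", "ssh version 2 is not configured explicitly"))
    return findings


if __name__ == "__main__":
    for severity, message in audit_management(SAMPLE_CONFIG):
        print(f"[{severity}] {message}")
```

Run against the sample, the audit reports only the ssh 0 0 outside line; the Telnet entry passes because it is restricted to the inside interface, as the section advises.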
