
Basic configuration and remote management of firewall (ASA)

2025-03-30 Update. Source: SLTechnology News&Howtos (shulou), Network Security


Shulou(Shulou.com)06/01 Report--

In most current security solutions, the firewall is the most important component, and it is a necessary and inseparable part of every network infrastructure. This post introduces the principle and basic configuration of the ASA security algorithm and several ways to manage the firewall remotely.

Hardware and software firewall

1. Software firewall

A software firewall uses a software system alone to provide the firewall function. Because it is deployed on the system host, its security is worse than that of a hardware firewall, and it consumes system resources, which affects system performance to some extent. It is generally used on stand-alone systems or personal computers and rarely in computer networks; examples include Rising, Skynet and 360.

2. Hardware firewall

Hardware firewalls have advantages over software firewalls for two reasons:

* hardware firewalls are powerful and clearly designed to defend against threats

* hardware firewalls have fewer vulnerabilities than software firewalls

Cisco hardware firewall technology is applied in the following three product areas:

* PIX 500 Series Security Appliances

* ASA 5500 Series Adaptive Security Appliance

* Firewall service module for Catalyst 6500 series switches and Cisco 7600 series routers

ASA Security Appliance

The Cisco ASA 5500 Series Adaptive Security Appliance is the latest Cisco firewall technology product. It provides integrated firewall, intrusion protection system and advanced adaptive threat defense services, including application security services and simplified network security solutions.

Currently, there are six models in the Cisco ASA 5500 series, as shown in the following table:

Model     | Price          | Number of concurrent connections | Network throughput | Description
ASA 5505  | 2600-15700     | 25000                            | 150MB              | Suitable for small businesses
ASA 5510  | 12000-94200    | 130000                           | 300MB              | Suitable for medium-sized enterprises
ASA 5520  | 28000-84000    | 280000                           | 450MB              | Suitable for medium-sized enterprises
ASA 5540  | 68000-70000    | 400000                           | 650MB              | Suitable for medium-sized enterprises
ASA 5550  | 80000-85000    | 650000                           | 1200MB             | Suitable for large enterprises and telecom operators
ASA 5580  | 200000-530000  | 1000000-2000000                  | 5000MB-10000MB     | Suitable for large enterprises and telecom operators

Security algorithm of ASA

ASA is first of all a stateful firewall: it maintains a connection table about user sessions, called the Conn table. The key information in the table is as follows:

* Source IP address

* destination IP address

* IP protocol

* IP protocol information

By default, ASA provides stateful connections to the TCP and UDP protocols, but the ICMP protocol is non-stateful.

The stateful processing of an outbound request is shown in the figure:

(1) The PC initiates an HTTP request to the Web server.

(2) The HTTP request reaches the firewall, and the firewall adds the connection information to the Conn table.

(3) The firewall forwards the HTTP request to the Web server.

When the traffic returns, the stateful firewall processes it as follows:

(4) The Web server responds to the HTTP request and returns the corresponding data traffic.

(5) The firewall intercepts the traffic and checks its connection information:

* If matching connection information is found in the Conn table, the traffic is allowed.

* If no matching connection information is found in the Conn table, the traffic is discarded.

The principle of security algorithm

ASA uses a security algorithm to perform the following three basic operations:

* Access control list: controls network access based on specific networks, hosts and services (TCP/UDP port numbers).

* Connection table: maintains the state information of each connection. The security algorithm uses this information to forward traffic in established connections efficiently.

* Inspection engine: performs stateful inspection and application layer inspection. The inspection rule set is predefined to verify that the application complies with each RFC and other standards.

The process of data packets traversing ASA is shown in the following figure:

(1) A new TCP SYN segment arrives at ASA, trying to establish a new connection.

(2) ASA checks the access list to determine whether connections are allowed.

(3) ASA performs a routing query, and if the route is correct, ASA uses the necessary session information to create a new entry in the connection table (XLATE and Conn).

(4) ASA checks a predefined set of rules in the detection engine and, if it is a known application, further performs the application layer detection.

(5) ASA determines whether to forward or discard messages according to the detection engine. If forwarding is allowed, the message is forwarded to the destination host.

(6) the destination host responds to the message.

(7) ASA receives the return message and detects it, and queries the connection database to determine whether the session information matches the existing connection.

(8) ASA forwards messages belonging to an established existing session.
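The following Python model, added here as an illustration and not code from the page or from Cisco, walks a few constructed packets through the Conn table logic and the security-level default rule described above (steps (2), (3), (7) and (8)): an outbound TCP request creates an entry, the reply is matched by looking the entry up with source and destination swapped, an unsolicited inbound packet has no entry and is dropped, and ICMP is forwarded outbound but, because it is not tracked by default, its reply is dropped. The interface table (inside = 100, outside = 0), the addresses and the assumption that the route lookup has already chosen the egress interface are all constructed for the example.

```python
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

# Constructed interface table, mirroring the page's two-zone lab:
# inside = security level 100, outside = security level 0.
INTERFACES: Dict[str, int] = {"inside": 100, "outside": 0}

FORWARD_NEW = "forward: new connection added to Conn table"
FORWARD_ESTABLISHED = "forward: matches existing Conn table entry"
DROP = "drop: no Conn entry and default rule denies"


@dataclass(frozen=True)
class Packet:
    ingress: str   # logical name of the interface the packet arrives on
    egress: str    # interface chosen by the route lookup (assumed already known)
    proto: str     # "tcp", "udp" or "icmp"
    src: str
    sport: int     # 0 for icmp
    dst: str
    dport: int     # 0 for icmp


# Conn table key: the page's "source IP, destination IP, protocol, protocol info"
ConnKey = Tuple[str, str, int, str, int]


class ConnTable:
    """Minimal model of the ASA Conn table (no timeouts, no TCP state machine)."""

    def __init__(self) -> None:
        self.entries: Set[ConnKey] = set()

    @staticmethod
    def forward_key(p: Packet) -> ConnKey:
        return (p.proto, p.src, p.sport, p.dst, p.dport)

    @staticmethod
    def return_key(p: Packet) -> ConnKey:
        # A reply swaps source and destination, so look the entry up reversed.
        return (p.proto, p.dst, p.dport, p.src, p.sport)

    def add(self, p: Packet) -> None:
        self.entries.add(self.forward_key(p))

    def is_return_traffic(self, p: Packet) -> bool:
        return self.return_key(p) in self.entries


def default_rule_allows(ingress: str, egress: str) -> bool:
    """Outbound (high -> low) is allowed; inbound (low -> high) and equal levels are denied."""
    return INTERFACES[ingress] > INTERFACES[egress]


def process(p: Packet, conn: ConnTable) -> str:
    """Decide a packet's fate: Conn table lookup first, then the
    security-level default rule for packets that start a new connection."""
    stateful = p.proto in ("tcp", "udp")   # ICMP is not tracked by default
    if stateful and conn.is_return_traffic(p):
        return FORWARD_ESTABLISHED
    if not default_rule_allows(p.ingress, p.egress):
        return DROP
    if stateful:
        conn.add(p)
    return FORWARD_NEW


def http_scenario() -> List[str]:
    """The page's HTTP exchange plus an unsolicited packet and an ICMP echo."""
    conn = ConnTable()
    pc, web = "10.1.1.1", "172.16.1.1"   # constructed lab addresses
    return [
        process(Packet("inside", "outside", "tcp", pc, 40000, web, 80), conn),   # request
        process(Packet("outside", "inside", "tcp", web, 80, pc, 40000), conn),   # reply
        process(Packet("outside", "inside", "tcp", web, 80, pc, 40001), conn),   # unsolicited
        process(Packet("inside", "outside", "icmp", pc, 0, web, 0), conn),       # echo request
        process(Packet("outside", "inside", "icmp", web, 0, pc, 0), conn),       # echo reply
    ]


if __name__ == "__main__":
    for verdict in http_scenario():
        print(verdict)
```

The last two packets show why the page later recommends an ACL for ICMP during debugging: the echo request leaves by the default rule, but nothing in the Conn table lets the reply back in.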

ASA's application layer inspection checks the IP header and the payload of a message to detect malicious behaviour in application layer data: it inspects application layer protocol traffic in depth and checks whether the protocol complies with the relevant RFC standard.

Basic configuration of ASA

Configure Hostname

After the initial startup of ASA, the default hostname is ciscoasa, and you can configure the hostname to asa with the following command.

ciscoasa# config terminal
ciscoasa(config)# hostname asa
asa(config)#

Configure password

You can configure a privileged password and a remote login password.

1. Configure privileged password

The following command sets the privileged password to 123456:

asa(config)# enable password 123456

2. Configure Telnet password

The Telnet password is the one you must enter when logging in with Telnet or SSH. The following command sets the remote login password to ysf; note that this differs from the router configuration.

asa(config)# password ysf

The concept and configuration of Interface

ASA interfaces usually have two names, a physical name and a logical name.

1. Physical name

The physical name is similar to an interface name on a router, such as Ethernet0/0 and Ethernet0/1, and can be abbreviated to E0/0 and E0/1. It is usually used to configure the interface rate, duplex, IP address, and so on.

ASA 5510 and higher models also have a dedicated management interface for management purposes, such as Management0/0.

2. Logical name

Logical names are used in most configuration commands, such as configuring ACL, configuring routing, and so on. Logical names are used to describe security zones, such as inside for the internal area of the ASA connection (high security) and outside for the outer area of the ASA connection (low security).

A firewall is fundamentally different from a router: it exists for security purposes, so its interfaces represent different security zones, and there is a wall between those zones.

Security level of the interface

Each ASA interface has a security level ranging from 0 to 100; the higher the value, the higher the security level. When an interface is named inside, its security level is automatically set to 100. When an interface is given any other name, such as outside, its security level is automatically set to 0.

When interfaces with different security levels access each other, the following default rules apply:

* Outbound connections are allowed, that is, traffic from a higher security level interface to a lower security level interface.

* Inbound connections are prohibited, that is, traffic from a lower security level interface to a higher security level interface.

* Communication between interfaces with the same security level is prohibited.

Configuration of Interface

The configuration command syntax is as follows:

asa(config-if)# nameif name              // configure the interface name
asa(config-if)# security-level number    // configure the interface security level

The range of number is 0-100.

Example: as shown in the figure, routers R1 and R2 are used to simulate PCs. Configure the ASA interfaces and verify communication between them.

The ASA interface is configured as follows:

asa(config)# int e0/1
asa(config-if)# nameif inside
asa(config-if)# security-level 100
asa(config-if)# ip add 10.1.1.254 255.255.255.0
asa(config-if)# no sh
asa(config)# int e0/0
asa(config-if)# nameif outside
asa(config-if)# security-level 0
asa(config-if)# ip add 172.16.1.254 255.255.255.0
asa(config-if)# no sh

If the ASA model is 5505, the above configuration is not supported directly on the physical interfaces; it must be applied to VLAN virtual interfaces instead, as shown below:

asa(config)# int vlan 1
asa(config-if)# nameif inside
asa(config-if)# security-level 100
asa(config-if)# ip add 10.1.1.254 255.255.255.0
asa(config-if)# no sh
asa(config-if)# int e0/1
asa(config-if)# no sh
asa(config-if)# switchport access vlan 1
asa(config)# int vlan 2
asa(config-if)# nameif outside
asa(config-if)# security-level 0
asa(config-if)# ip add 172.16.1.254 255.255.255.0
asa(config-if)# no sh
asa(config-if)# int e0/0
asa(config-if)# no sh
asa(config-if)# switchport access vlan 2

View the Conn table:

asa# show conn detail

Verification shows that you can Telnet from R1 to R2, but you cannot Telnet from R2 to R1.

Configure ACL

Configuring an ACL on ASA serves two purposes: allowing inbound connections, and controlling the traffic of outbound connections.

* A standard ACL is configured as follows:

asa(config)# access-list acl_name [standard] {permit | deny} ip_addr mask

* An extended ACL is configured as follows:

asa(config)# access-list acl_name [extended] {permit | deny} protocol src_ip_addr src_mask dst_ip_addr dst_mask [operator port]

* The ACL is applied to an interface as follows:

asa(config)# access-group acl_name {in | out} interface interface_name

It is important to note that ACLs on a router use a wildcard (inverse) mask, while ACLs on ASA use a normal subnet mask. In addition, a standard ACL cannot be applied to an interface to filter traffic; it is used in other situations, such as split tunneling in remote-access VPN configuration.

Allow inbound connections

The default rule of ASA is to deny inbound connections; if you want to allow an inbound connection, you need to configure an ACL.

For example, in the previous case, to Telnet from R2 to R1 you could apply the following configuration on ASA:

asa(config)# access-list out_to_in permit ip host 172.16.1.1 host 10.1.1.1
asa(config)# access-group out_to_in in int outside

Control the flow of outbound connections

For example, in the previous case, suppose there are multiple subnets in the inside zone, such as 10.1.1.0/24 and 10.1.2.0/24. To prohibit outbound traffic from the subnet 10.1.1.0/24 only, you can configure the following on ASA:

asa(config)# access-list in_to_out deny ip 10.1.1.0 255.255.255.0 any
asa(config)# access-list in_to_out permit ip any any
asa(config)# access-group in_to_out in int inside
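The example below, added here and not part of the original post, parses the two ACLs shown above into a small rule model and evaluates constructed packets against them with ASA-style normal masks (first match wins, implicit deny at the end). It also includes a wildcard-to-mask conversion and a check that shows what goes wrong when a router wildcard mask is pasted into an ASA ACL: with 0.0.0.255 treated as a normal mask, only the last octet is compared, so 10.1.1.7 no longer matches its own subnet while an unrelated address ending in .0 does. The parser accepts the `asa(config)#` prompt and the optional `extended` keyword; it ignores any trailing `[operator port]`, which is a simplification of this example.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Tuple

# The two ACLs shown on the page, copied here as constructed input for the parser.
PAGE_ACL_LINES = [
    "asa(config)# access-list out_to_in permit ip host 172.16.1.1 host 10.1.1.1",
    "asa(config)# access-list in_to_out deny ip 10.1.1.0 255.255.255.0 any",
    "asa(config)# access-list in_to_out permit ip any any",
]


@dataclass(frozen=True)
class Ace:
    action: str      # "permit" or "deny"
    proto: str       # "ip" matches every protocol
    src: str
    src_mask: str
    dst: str
    dst_mask: str


def addr_matches(addr: str, network: str, mask: str) -> bool:
    """ASA-style normal mask: a 1 bit in the mask means 'compare this bit'."""
    a = int(ipaddress.IPv4Address(addr))
    n = int(ipaddress.IPv4Address(network))
    m = int(ipaddress.IPv4Address(mask))
    return (a & m) == (n & m)


def wildcard_to_mask(wildcard: str) -> str:
    """Convert a router wildcard (inverse) mask to the normal mask ASA expects."""
    return str(ipaddress.IPv4Address(0xFFFFFFFF ^ int(ipaddress.IPv4Address(wildcard))))


def _parse_addr_spec(toks: List[str], i: int) -> Tuple[str, str, int]:
    # any -> 0.0.0.0 mask 0.0.0.0 ; host X -> X mask 255.255.255.255 ; X MASK -> X MASK
    if toks[i] == "any":
        return "0.0.0.0", "0.0.0.0", i + 1
    if toks[i] == "host":
        return toks[i + 1], "255.255.255.255", i + 2
    return toks[i], toks[i + 1], i + 2


def parse_ace(line: str) -> Tuple[str, Ace]:
    """Parse one access-list line; a leading prompt and 'extended' are accepted."""
    toks = line.split()
    toks = toks[toks.index("access-list"):]
    name, i = toks[1], 2
    if toks[i] == "extended":
        i += 1
    action, proto, i = toks[i], toks[i + 1], i + 2
    src, src_mask, i = _parse_addr_spec(toks, i)
    dst, dst_mask, i = _parse_addr_spec(toks, i)
    return name, Ace(action, proto, src, src_mask, dst, dst_mask)


def build_acls(lines: List[str]) -> Dict[str, List[Ace]]:
    acls: Dict[str, List[Ace]] = {}
    for line in lines:
        name, ace = parse_ace(line)
        acls.setdefault(name, []).append(ace)   # order matters: first match wins
    return acls


def evaluate(acl: List[Ace], proto: str, src: str, dst: str) -> str:
    """First matching entry decides; an unmatched packet hits the implicit deny."""
    for ace in acl:
        if ace.proto not in ("ip", proto):
            continue
        if addr_matches(src, ace.src, ace.src_mask) and addr_matches(dst, ace.dst, ace.dst_mask):
            return ace.action
    return "deny"


ACLS = build_acls(PAGE_ACL_LINES)

if __name__ == "__main__":
    print(evaluate(ACLS["out_to_in"], "tcp", "172.16.1.1", "10.1.1.1"))   # permit
    print(evaluate(ACLS["in_to_out"], "tcp", "10.1.1.7", "172.16.1.1"))   # deny
    print(evaluate(ACLS["in_to_out"], "tcp", "10.1.2.7", "172.16.1.1"))   # permit
    print(wildcard_to_mask("0.0.0.255"))                                   # 255.255.255.0
```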

Configure static route

ASA supports static routes, default routes and dynamic routing protocols (such as OSPF).

The command syntax for configuring a static route is as follows:

asa(config)# route interface-name network mask next-hop-address

ICMP protocol

By default, ASA prohibits ICMP packets from traversing it, for security reasons. To facilitate debugging, you can temporarily allow ICMP reply messages to traverse ASA:

asa(config)# access-list 111 permit icmp any any
asa(config)# access-group 111 in int outside

After debugging, it is recommended to prohibit ICMP packets from traversing ASA again.

Other configuration commands

(1) To save the running configuration to the startup configuration, you can use either of the following two commands:

asa(config)# write memory                           // first method
asa(config)# copy running-config startup-config     // second method

(2) To clear the entire running configuration, you can use the following command:

asa(config)# clear configure all

(3) To clear the configuration of a specified command in the running configuration, you can use the following command:

asa(config)# clear configure configurationcommand [level2configurationcommand]

For example, to clear the configuration of all access-list commands, use:

asa(config)# clear configure access-list

To clear only the configuration of access-list in_to_out, use:

asa(config)# clear configure access-list in_to_out

Remote management of ASA

ASA supports three main remote management access methods: Telnet, SSH and ASDM.

1. Configure Telnet access

Because Telnet is not secure for remote management, Telnet access from the outside interface is generally forbidden, and Telnet is only allowed from the internal network.

(1) Configure the sources allowed to use Telnet:

asa(config)# telnet {network | ip-address} mask interface_name

For example, to allow Telnet access from 192.168.0.0/24 in the inside zone, use the following command:

asa(config)# telnet 192.168.0.0 255.255.255.0 inside

To allow only the host 192.168.0.1 in the 192.168.0.0/24 subnet to use Telnet, use the following command:

asa(config)# telnet 192.168.0.1 255.255.255.255 inside

(2) (Optional) Configure the idle timeout:

asa(config)# telnet timeout minutes

The value of parameter minutes ranges from 1 to 1440 minutes, and the default value is 5 minutes.

2. Configure SSH access

Using SSH, you can manage ASA remotely in a secure way. Configuring SSH access takes four steps.

(1) Configure the host name and domain name

The host name and domain name are needed when generating the RSA key pair. The following commands set the host name to asa802 and the domain name to asadomain.com:

asa(config)# host asa802
asa802(config)# domain-name asadomain.com

(2) Generate the RSA key pair

asa802(config)# crypto key generate rsa modulus 1024

The modulus size can be specified as 512, 768, 1024 or 2048 bits, and the default is 1024; it is the length of the generated RSA key.

(3) Configure the sources allowed to use SSH

The command syntax for configuring SSH is similar to that for Telnet, but SSH access can also be allowed from the outside interface, as follows:

asa802(config)# ssh 192.168.0.0 255.255.255.0 inside
asa802(config)# ssh 0 0 outside

(4) Other optional configuration

Configure the idle timeout. This is similar to Telnet; for example, to set it to 30 minutes:

asa802(config)# ssh timeout 30

Configure the SSH version. Version 1 and version 2 are both accepted by default. To restrict which version is used, run the following command:

asa802(config)# ssh version 2

Once configured, you can use PuTTY on a host in the outside zone to log in to the ASA's outside interface. Note that ASA uses the user name pix by default, and the password is the one set with the passwd command.
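The audit below is an added example, not code from the page or from Cisco: it reads ASA-style `telnet` and `ssh` lines (with or without the `asa802(config)#` prompt) and flags the three conditions this section warns about: Telnet permitted on the outside interface, SSH permitted from any source (`0 0` or `0.0.0.0 0.0.0.0`) on the outside interface, and no `ssh version 2` line, which leaves the default of accepting both versions. The lab configuration is the one shown above; the hardened variant and its admin subnet 203.0.113.0/24 (an RFC 5737 documentation range) are constructed for the example.

```python
import re
from typing import Dict, List

# Strips a leading "asa802(config)# " style prompt so pasted CLI lines can be audited.
PROMPT = re.compile(r"^\S*\(config[^)]*\)#\s*")

# Constructed input 1: the SSH/Telnet lines exactly as this section configures them.
LAB_CONFIG = [
    "asa802(config)# telnet 192.168.0.0 255.255.255.0 inside",
    "asa802(config)# ssh 192.168.0.0 255.255.255.0 inside",
    "asa802(config)# ssh 0 0 outside",
    "asa802(config)# ssh timeout 30",
]

# Constructed input 2: a hardened variant with a pinned SSH version and a
# specific administrator subnet on the outside interface (203.0.113.0/24 is a
# documentation range chosen for the example).
HARDENED_CONFIG = [
    "ssh 192.168.0.0 255.255.255.0 inside",
    "ssh 203.0.113.0 255.255.255.0 outside",
    "ssh timeout 30",
    "ssh version 2",
]

ANY_SOURCE = {"0", "0.0.0.0"}


def strip_prompt(line: str) -> str:
    return PROMPT.sub("", line.strip())


def audit_management_access(config_lines: List[str]) -> Dict[str, List[str]]:
    """Return finding code -> offending lines (empty dict when nothing is flagged)."""
    findings: Dict[str, List[str]] = {}
    ssh_version_pinned = False
    for raw in config_lines:
        toks = strip_prompt(raw).split()
        if not toks:
            continue
        if toks[:2] == ["ssh", "version"]:
            ssh_version_pinned = toks[2:] == ["2"]
        elif toks[0] == "telnet" and len(toks) == 4 and toks[3] == "outside":
            # Section rule: Telnet is clear-text, so never from the outside interface.
            findings.setdefault("telnet-on-outside", []).append(" ".join(toks))
        elif (toks[0] == "ssh" and len(toks) == 4 and toks[3] == "outside"
              and toks[1] in ANY_SOURCE and toks[2] in ANY_SOURCE):
            # "ssh 0 0 outside" exposes the management plane to every Internet host.
            findings.setdefault("ssh-from-any-on-outside", []).append(" ".join(toks))
    if not ssh_version_pinned:
        findings.setdefault("ssh-version-not-pinned", []).append(
            "no 'ssh version 2' line: versions 1 and 2 are both accepted by default")
    return findings


if __name__ == "__main__":
    for label, cfg in (("lab", LAB_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(label, audit_management_access(cfg))
```

Run against the lab lines it reports `ssh-from-any-on-outside` and `ssh-version-not-pinned`; the hardened set produces no findings.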

3. Configure ASDM access

In addition to the command line, ASA also supports GUI remote management through the Adaptive Security Device Manager (ASDM).

To use ASDM, first make sure that an ASDM image is present in the ASA's flash, which can be checked with the dir command:

asa# dir
Directory of disk0:/
55     -rwx  6889764    14:16:34 Dec 09 2017  asdm-602.bin

(1) Enable the HTTPS server with the following command:

asa(config)# http server enable [port]    // the default port is 443

(2) Configure the sources allowed to use HTTPS, as follows:

asa(config)# http {network | ip-address} mask interface-name

(3) Specify the location of the ASDM image with the following command:

asa(config)# asdm image disk0:/asdm-602.bin

(4) Configure the user name and password used for client login with the following command:

asa(config)# username user password password privilege 15

If no user name and password are configured, ASDM defaults to the user name admin, with the password set by the enable password command.

For example, the following is a complete ASDM configuration on ASA:

asa(config)# http server enable
asa(config)# http 192.168.0.0 255.255.255.0 inside
asa(config)# asdm image disk0:/asdm-602.bin
asa(config)# username ysf password 123456 privilege 15

To use ASDM from a client host, first install the Java Runtime Environment (JRE), then launch a browser on the host and open https://192.168.0.254 (the IP address of the inside interface).

Multiple security zones (configure DMZ)

The basic configuration of ASA described above uses only two security zones, inside and outside. In fact, ASA can be configured with multiple security zones, and a DMZ is the most common addition.

A DMZ is a network zone between an enterprise's internal and external networks and is usually used to host servers that must be exposed, such as Web servers, FTP servers and forums, as shown in the following figure.

Default access rules for DMZ

The security level of the DMZ lies between inside and outside. With a DMZ, the default access rules are shown in the following figure:

* Traffic from a higher security level interface to a lower security level interface is allowed.

* Traffic from a lower security level interface to a higher security level interface is prohibited.

In practice, it is usually necessary to configure access rules and address translation so that outside can reach the DMZ.

Basic configuration of DMZ

asa(config)# int e0/1
asa(config-if)# nameif dmz
asa(config-if)# security-level 50
asa(config-if)# ip add 192.168.1.1 255.255.255.0
asa(config-if)# no sh
