NC School Connectivity Initiative – Firewall Best Practices

Posted 23-Apr-2018 (Documents). Transcript of a 38-slide deck.

  • NCET 2014 Conference

    NC School Connectivity Initiative Firewall Best Practices

  • Session Presenters

    - Chris Rose, MCNC Client Network Engineer

    - Dianne Dunlap, MCNC Client Network Engineer

    2 3/21/14

  • Agenda

    1. ITS/ASA Firewall Service Description

    2. Firewall Configuration Best Practices

    3. ASA Monitoring and Troubleshooting

    4. Where to go for information; MCNC Support

    5. Q&A

  • State Firewall Service Summary

    Additional information: https://www.mcnc.org/our-community/k12/services/firewall

    - Cisco ASA platform with site-to-site VPN and SSL VPN functionality

    - Offered as ITS fully managed or customer managed

    - LEA Adoption - 30 ITS fully managed/33 customer managed

    - Charter School Adoption - 42 ITS fully managed/8 customer managed

  • State Firewall Service Summary

    Service Implementation and Support                                            | ITS Fully Managed | Customer Management
    ------------------------------------------------------------------------------|-------------------|-----------------------
    Consultation regarding service options and security configurations           | Y                 | Y
    All required activities to complete service installation                      | Y                 | Y
    All hardware and software components required to deliver the security service | Y                 | Y
    Ongoing operating system release and patch management                         | Y                 | On request by customer
    Ongoing configuration management                                              | Y                 | N
    Configuration backup                                                          | Y                 | Y
    24x7 Device Monitoring                                                        | Y                 | N
    24x7 Support                                                                  | Y                 | Y
    Real-time view of security policy                                             | Optional          | Optional
    Log retention at customer location                                            | Available         | Available

  • Current LEA ASA Map (map image not included in the transcript)

  • Current Charter ASA Map (map image not included in the transcript)

  • Firewall Best Practices

    - Be as specific as possible - avoid any/any.

    - Allow only essential services in (ingress filtering).

    - Use DMZ if possible for public servers (web, FTP)

    - Allow only essential services out (egress filtering).

    - Log traffic as necessary.

    - Use good naming conventions and comments

    - Group network objects, ports

    - Remove unneeded ACLs

    - Use AnyConnect where possible in lieu of broad outside access

  • Avoid any/any

    Too broad (every IP protocol to the host):

    access-list outside_access_in permit ip any 152.26.1.20

    Specific (only the services the host actually offers):

    access-list outside_access_in permit tcp any 152.26.1.20 eq http
    access-list outside_access_in permit tcp any 152.26.1.20 eq https

    (In later ASA versions, where access-lists reference real rather than translated addresses, the destination would be the inside address 10.26.1.20.)

  • Use a DMZ

    access-list outside_access_in permit tcp any 152.26.1.20 eq http
    access-list outside_access_in permit tcp any 152.26.1.20 eq https
    access-list dmz_access_inside deny ip any any
    access-list inside_access_dmz permit tcp any 10.46.1.20 eq http
    access-list inside_access_dmz permit tcp any 10.46.1.20 eq https

  • Allow Only Essential Services Out

    - No access-list on the inside interface, or an access-list with permit ip any any, permits all outbound traffic.

    - Blacklisting is possible if outbound traffic becomes malicious due to viruses, malware, or malcontents.

    - Good Internet citizenship limits or prevents:

      - BitTorrent

      - Viruses/malware (Iloveyou, Stuxnet, Cutwail)

      - Web proxies (Ultrasurf, Tor)

  • Allow Only Essential Services Out

    ITS Standard Service Groups (outbound):

    object-group service School-standard-tcp tcp
     port-object eq https
     port-object eq www
     port-object eq 9443
    object-group service School-standard-udp udp
     port-object eq domain

  • Log Traffic - syslog levels

    Category      | Numeric Code
    --------------|-------------
    Emergency     | 0
    Alert         | 1
    Critical      | 2
    Error         | 3
    Warning       | 4
    Notification  | 5
    Informational | 6
    Debug         | 7

    The severity is the middle field of the ASA message ID: ASA-3-305006 (portmap translation) is an Error-level message, ASA-6-302014 (Teardown TCP connection) is Informational.

  • Log Traffic

    - ITS logging is at Warning level for ITS-managed firewalls. This is also Cisco recommended best practice.

    - ASA log messages should be sent to a local syslog server for customer-managed firewalls.

    - Free syslog servers:

      - rsyslogd (Linux)

      - syslog-ng (Linux)

      - The Dude (Windows)
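The following is an added example, not part of the presentation or of any MCNC/ITS tooling. It shows what "logging at Warning level" means in practice: the ASA message header `%ASA-<severity>-<message id>` carries the numeric code from the table above, and a threshold keeps every message whose code is at or below it. The log lines are constructed for the example, modelled on real ASA message formats; the addresses are made up.

```python
"""Parse Cisco ASA syslog lines and apply a severity threshold.

Added example (not from the presentation): the ASA message ID carries the
severity as its middle field (%ASA-<severity>-<message id>), so a Warning
threshold forwards every message with a severity code of 4 or lower.
"""
import re
from collections import Counter

# Severity table from the slide (lower number = more severe).
SEVERITY = {
    0: "Emergency", 1: "Alert", 2: "Critical", 3: "Error",
    4: "Warning", 5: "Notification", 6: "Informational", 7: "Debug",
}
LEVEL_BY_NAME = {name: code for code, name in SEVERITY.items()}

# Matches the ASA message header anywhere in the line, so a timestamp and
# hostname prefix added by rsyslogd or syslog-ng does not get in the way.
MSG = re.compile(r"%ASA-(?P<sev>[0-7])-(?P<msgid>\d{6}):\s*(?P<text>.*)$")

# Constructed sample lines modelled on real ASA message formats. 152.26.1.x
# is taken from the slides; the outside addresses are documentation ranges.
SAMPLE_LOG = """\
Mar 21 2014 10:15:02 asa-1 : %ASA-6-302014: Teardown TCP connection 12345 for outside:203.0.113.5/443 to inside:10.25.1.20/51234 duration 0:00:05 bytes 1234 TCP FINs
Mar 21 2014 10:15:03 asa-1 : %ASA-3-305006: portmap translation creation failed for udp src inside:10.25.1.20/5060 dst outside:203.0.113.9/5060
Mar 21 2014 10:15:04 asa-1 : %ASA-4-106023: Deny tcp src outside:198.51.100.7/4444 dst inside:152.26.1.11/3389 by access-group "outside_access_in"
Mar 21 2014 10:15:05 asa-1 : %ASA-6-106100: access-list outside_access_in permitted tcp outside/203.0.113.5(49876) -> dmz/152.26.1.20(80) hit-cnt 1 first hit
Mar 21 2014 10:15:06 asa-1 : %ASA-2-106001: Inbound TCP connection denied from 198.51.100.7/4444 to 152.26.1.11/22 flags SYN on interface outside
not an ASA line at all
""".splitlines()


def parse(line):
    """Return {'severity', 'category', 'msgid', 'text'} for one log line,
    or None if the line carries no ASA message header."""
    m = MSG.search(line)
    if not m:
        return None
    sev = int(m.group("sev"))
    return {"severity": sev, "category": SEVERITY[sev],
            "msgid": m.group("msgid"), "text": m.group("text")}


def at_level(lines, level="Warning"):
    """Messages a logging threshold at `level` would forward: severity code
    numerically <= the threshold. Lines that do not parse are skipped."""
    threshold = LEVEL_BY_NAME[level] if isinstance(level, str) else int(level)
    return [p for p in map(parse, lines) if p and p["severity"] <= threshold]


def histogram(lines):
    """Count messages per category, to see what a given threshold drops."""
    return Counter(p["category"] for p in map(parse, lines) if p)


if __name__ == "__main__":
    for entry in at_level(SAMPLE_LOG, "Warning"):
        print(f"{entry['category']:<13} {entry['msgid']} {entry['text'][:60]}")
    print(dict(histogram(SAMPLE_LOG)))
```

On the sample, the Warning threshold keeps the Error, Warning and Critical messages and drops both Informational connection records, which is the trade-off the slide describes: less volume, but no per-connection audit trail unless the level is raised or those messages are logged elsewhere.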

  • Use good naming conventions and comments

    Use of name command:

    access-list inside_in remark for Libby Smith
    name 72.22.90.231 PowerWeb description Website host
    access-list inside_in extended permit tcp any4 object PowerWeb eq 8443

    Use of remark:

    access-list outside_acl remark Employee Portal

    Creation of a network-object and its description:

    object network XYZ_Elementary
     subnet 10.25.0.0 255.255.0.0
     description XYZ Elementary School

  • Group Network Objects, Ports

    Example of Grouped Network Objects, Ports:

    name 10.9.5.5 informer description for Jane
    object-group service informer_ports tcp-udp
     port-object eq 90
     port-object eq 9090
    object-group network INSIDE_NETWORK_2
     network-object host 198.6.112.110
     network-object host 63.148.144.242
    access-list inside_in extended permit object-group TCPUDP object informer object-group INSIDE_NETWORK_2 object-group informer_ports

  • Group Network Objects, Ports

    Example of Un-Grouped Network Objects, Ports (the same policy written out entry by entry, eight lines instead of one):

    access-list inside_in extended permit tcp host 10.9.5.5 host 198.6.112.110 eq 90
    access-list inside_in extended permit tcp host 10.9.5.5 host 198.6.112.110 eq 9090
    access-list inside_in extended permit udp host 10.9.5.5 host 198.6.112.110 eq 90
    access-list inside_in extended permit udp host 10.9.5.5 host 198.6.112.110 eq 9090
    access-list inside_in extended permit tcp host 10.9.5.5 host 63.148.144.242 eq 90
    access-list inside_in extended permit tcp host 10.9.5.5 host 63.148.144.242 eq 9090
    access-list inside_in extended permit udp host 10.9.5.5 host 63.148.144.242 eq 90
    access-list inside_in extended permit udp host 10.9.5.5 host 63.148.144.242 eq 9090
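The two slides above show the same policy in grouped and flat form. The script below is an added example, not from the presentation or from MCNC/ITS: it reads the grouped configuration and expands the one-line ACE into the eight flat entries, which is how a reviewer can check what a grouped rule actually permits. The slide references a group named TCPUDP without defining it; the example assumes it is a protocol object-group containing tcp and udp (the form ASDM commonly creates), and it resolves only `name` aliases and object-groups, not `object network` definitions.

```python
"""Expand grouped ASA objects into the flat access-list entries they stand
for, so the effective rule set behind a one-line ACE can be reviewed.

Added example, not part of the presentation or of MCNC/ITS tooling.
"""
from itertools import product

# Constructed sample: the grouped configuration from the slide, plus a
# protocol object-group TCPUDP (an assumption; the slide references it
# without defining it, and ASDM typically creates it with these members).
SAMPLE_CONFIG = """\
name 10.9.5.5 informer description for Jane
object-group protocol TCPUDP
 protocol-object tcp
 protocol-object udp
object-group service informer_ports tcp-udp
 port-object eq 90
 port-object eq 9090
object-group network INSIDE_NETWORK_2
 network-object host 198.6.112.110
 network-object host 63.148.144.242
access-list inside_in extended permit object-group TCPUDP object informer object-group INSIDE_NETWORK_2 object-group informer_ports
"""


def parse_config(text):
    """Collect name aliases, object-group members and access-list lines.
    Only `name` and `object-group` definitions are understood."""
    names, groups, aces = {}, {}, []
    current = None
    for raw in text.splitlines():
        tok = raw.split()
        if not tok:
            continue
        if tok[0] == "name":                       # name <ip> <alias> [description ...]
            names[tok[2]] = tok[1]
            current = None
        elif tok[0] == "object-group":             # object-group <type> <name> [tcp|udp|tcp-udp]
            current = {"type": tok[1], "members": [],
                       "proto": tok[3] if len(tok) > 3 else None}
            groups[tok[2]] = current
        elif tok[0] in ("protocol-object", "port-object", "network-object") and current:
            current["members"].append(tok[1:])     # e.g. ["host", "198.6.112.110"], ["eq", "90"]
        elif tok[0] == "access-list":
            aces.append(raw.strip())
            current = None
    return names, groups, aces


def _operand(tok, i, names, groups):
    """Resolve one address or port operand at tok[i] to a list of flat strings."""
    t = tok[i]
    if t == "object-group":
        return [" ".join(m) for m in groups[tok[i + 1]]["members"]], i + 2
    if t in ("object", "host"):                    # `object` here refers to a `name` alias
        return [f"host {names.get(tok[i + 1], tok[i + 1])}"], i + 2
    if t in ("any", "any4", "any6"):
        return [t], i + 1
    if t in ("eq", "gt", "lt", "neq"):
        return [f"{t} {tok[i + 1]}"], i + 2
    if t == "range":
        return [f"range {tok[i + 1]} {tok[i + 2]}"], i + 3
    return [f"{t} {tok[i + 1]}"], i + 2            # bare "address mask" pair


def expand_ace(line, names, groups):
    """Return the flat ACEs equivalent to one (possibly grouped) ACE."""
    tok = line.split()
    i = 3 if tok[2] == "extended" else 2
    prefix = " ".join(tok[:i + 1])                 # access-list NAME [extended] ACTION
    i += 1
    if tok[i] == "object-group":                   # protocol group
        protos, i = [" ".join(m) for m in groups[tok[i + 1]]["members"]], i + 2
    else:
        protos, i = [tok[i]], i + 1
    srcs, i = _operand(tok, i, names, groups)
    dsts, i = _operand(tok, i, names, groups)
    ports = [""]
    if i < len(tok):
        ports, i = _operand(tok, i, names, groups)
    # destination outermost, then protocol, then port: the order the slide uses
    return [" ".join(filter(None, [prefix, proto, src, dst, port]))
            for dst, proto, src, port in product(dsts, protos, srcs, ports)]


def expand_config(text):
    """Expand every access-list line in a configuration text."""
    names, groups, aces = parse_config(text)
    return [flat for ace in aces for flat in expand_ace(ace, names, groups)]


if __name__ == "__main__":
    for entry in expand_config(SAMPLE_CONFIG):
        print(entry)
```

Running it on the sample prints exactly the eight un-grouped entries from the slide, which confirms the two forms are equivalent; the grouped form is the one to maintain, because adding a host or port means one line in a group rather than four or eight new ACEs.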

  • Remove Unneeded Access-lists

    Overlapping entries: each permit ip line already covers the tcp, udp and service-group entries for the same host beneath it.

    name 10.8.1.51 Room-X
    static (inside,outside) 152.26.1.2 Room-X netmask 255.255.255.255
    access-list outside_acl extended permit ip any host 152.26.1.2
    access-list outside_acl extended permit tcp any host 152.26.1.2
    access-list outside_acl extended permit udp any host 152.26.1.2
    access-list outside_acl extended permit ip any host 152.26.1.3
    access-list outside_acl extended permit object-group DM_INLINE_SERVICE any host 152.26.1.3
    access-list outside_acl extended permit object-group xyz host AS400 range ftp telnet
    access-list outside_acl extended permit tcp host x.x.x.x host AS400 gt ftp
    access-list outside_acl extended permit tcp any host AS400 eq ftp
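The "Avoid any/any" and "Remove Unneeded Access-lists" slides describe checks that can be run over a configuration dump rather than by eye. The linter below is an added example, not from the presentation or from MCNC/ITS: it parses ASA access-list entries and flags any/any permits, `permit ip` entries where a host needs only a few services, entries already covered by a broader entry in the same access-list, and entries it cannot parse (such as the truncated `range ftp telnet` line on the slide). The sample entries are constructed from the slides' own examples. Object and object-group contents are not expanded, so two groups are compared by name only; that is a stated limitation, not a property of the ASA.

```python
"""Lint Cisco ASA access-list entries for the problems the slides call out.

Added example, not from the presentation or from MCNC/ITS tooling.
"""
import re
from dataclasses import dataclass
from typing import Optional

IPV4 = re.compile(r"^\d{1,3}(\.\d{1,3}){3}$")

# Constructed from the "Avoid any/any" and "Remove Unneeded" slides.
SAMPLE_ACL = """\
access-list outside_acl extended permit ip any host 152.26.1.2
access-list outside_acl extended permit tcp any host 152.26.1.2
access-list outside_acl extended permit udp any host 152.26.1.2
access-list outside_acl extended permit ip any host 152.26.1.3
access-list outside_acl extended permit object-group DM_INLINE_SERVICE any host 152.26.1.3
access-list outside_acl extended permit object-group xyz host AS400 range ftp telnet
access-list outside_acl extended permit tcp any host AS400 eq ftp
access-list outside_access_in permit ip any any
access-list outside_access_in permit tcp any host 152.26.1.20 eq http
""".splitlines()


@dataclass
class Ace:
    acl: str
    action: str
    proto: str                # "ip", "tcp", "udp", ... or "object-group:NAME"
    src: str                  # "any", "10.8.1.51", "10.25.0.0/255.255.0.0", "object:NAME"
    dst: str
    dst_port: Optional[str]   # None means every port
    line: str


def _address(tok, i):
    """Consume one ASA address operand starting at tok[i]."""
    t = tok[i]
    if t in ("any", "any4", "any6"):
        return "any", i + 1
    if t == "host":
        return tok[i + 1], i + 2
    if t in ("object", "object-group", "interface"):
        return f"{t}:{tok[i + 1]}", i + 2
    if IPV4.match(t) and i + 1 < len(tok) and IPV4.match(tok[i + 1]):
        return f"{t}/{tok[i + 1]}", i + 2     # "address mask" pair
    return t, i + 1                           # bare address, as written on the slides


def _port(tok, i, allow_group=True):
    """Consume an optional port operator; (None, i) when none is present.
    A service object-group is only accepted for the destination, because
    after the source it is ambiguous with a destination network group."""
    if i < len(tok):
        if tok[i] in ("eq", "gt", "lt", "neq"):
            return f"{tok[i]} {tok[i + 1]}", i + 2
        if tok[i] == "range":
            return f"range {tok[i + 1]} {tok[i + 2]}", i + 3
        if allow_group and tok[i] == "object-group":
            return f"object-group:{tok[i + 1]}", i + 2
    return None, i


def parse_ace(line):
    """Return an Ace, or None for remarks and lines that cannot be parsed
    (for example an entry truncated before its destination)."""
    tok = line.split()
    if len(tok) < 4 or tok[0] != "access-list" or tok[2] == "remark":
        return None
    i = 3 if tok[2] == "extended" else 2
    try:
        action = tok[i]
        if action not in ("permit", "deny"):
            return None
        i += 1
        if tok[i] == "object-group":          # service group used as the protocol
            proto, i = f"object-group:{tok[i + 1]}", i + 2
        else:
            proto, i = tok[i], i + 1
        src, i = _address(tok, i)
        _, i = _port(tok, i, allow_group=False)   # optional source port, ignored
        dst, i = _address(tok, i)
        dst_port, i = _port(tok, i)
    except IndexError:
        return None
    return Ace(tok[1], action, proto, src, dst, dst_port, line)


def covers(a, b):
    """True when every packet matched by b is also matched by a (same ACL,
    same action). Objects and groups are compared by name, so redundancy
    hidden inside group membership is not detected."""
    def addr(x, y):
        return x == "any" or x == y
    return (a.acl == b.acl and a.action == b.action
            and (a.proto == "ip" or a.proto == b.proto)
            and addr(a.src, b.src) and addr(a.dst, b.dst)
            and (a.dst_port is None or a.dst_port == b.dst_port))


def lint(lines):
    """Return (line_number, code, message) findings; line numbers are 1-based."""
    findings, seen = [], []
    for n, line in enumerate(lines, 1):
        tok = line.split()
        ace = parse_ace(line)
        if ace is None:
            if len(tok) > 2 and tok[0] == "access-list" and tok[2] != "remark":
                findings.append((n, "unparsed", "could not parse; review by hand"))
            continue
        if ace.action == "permit":
            if ace.src == "any" and ace.dst == "any":
                port = f" {ace.dst_port}" if ace.dst_port else ""
                findings.append((n, "any_any", f"{ace.acl}: {ace.proto}{port} from any to any"))
            elif ace.proto == "ip":
                findings.append((n, "broad_protocol",
                                 f"{ace.acl}: every IP protocol to {ace.dst}; list only the services it offers"))
        for m, earlier in seen:               # ASA matches top-down, first hit wins
            if covers(earlier, ace):
                findings.append((n, "redundant", f"already covered by line {m}; never matched"))
            elif covers(ace, earlier):
                findings.append((m, "redundant", f"covered by broader line {n}"))
        seen.append((n, ace))
    return findings


if __name__ == "__main__":
    for n, code, msg in lint(SAMPLE_ACL):
        print(f"line {n}: {code}: {msg}")
```

On the sample this reports the permit ip lines as broad, the tcp/udp/service-group lines under them as redundant, the `any any` line, and the http line it shadows; the `tcp any host AS400 eq ftp` entry is the only one that stands on its own. A real configuration would be fed in from `show running-config access-list` output.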

  • Why Use AnyConnect for Remote Administration?

    An outside access-list like this one exposes RDP on the host to the entire Internet:

    access-list outside_in permit tcp any host 152.26.1.11 eq 3389

  • Use AnyConnect

  • Use AnyConnect

    Require users to authenticate with AnyConnect at the ASA prior to accessing internal resources.

    - Authentication may be via usernames on the ASA or tied to AD

    - Access can be audit-trailed if on AD

    - Access-lists can be applied at the ASA level and tied to local users or AD groups

  • AnyConnect Platforms

    - Microsoft (XP, Vista, 7, 8)

    - Mac OSX

    - Linux (Red Hat, Ubuntu)

    - iOS (iPhone, iPod, iPad) mobile client*

    - Android client*

    * Requires ASA mobile license

  • ASA Monitoring and Troubleshooting - ASA Read-only Access

    - ITS can provide read-only access for ITS-managed firewall

    - Access via ASDM (GUI) or SSH (command-line)

    - Request account through MCNC

    - User credentials are in ITS-managed TACACS+ server

    - Read-only access prevents accidents!

  • ASA Monitoring and Troubleshooting

    - show commands

    - Top 10 services, sources, destinations

    - Interface traffic (kb/connections)

    - Memory and CPU utilization

    - Packet tracer utility

    - Packet capture wizard

    - Logs

  • ASA Monitoring and Troubleshooting - show commands

    * Not on all models/versions

    Command       | Arguments
    --------------|------------------------------
    dir           | disk0:/dap.xml
    enable        |
    exit          |
    logout        |
    more          | system:running-config
    packet-tracer |
    quit          |
    read          | threat-detection statistics*

  • ASA Monitoring and Troubleshooting - show commands

    * Not on all models/versions

    show access-list
    show activation-key detail
    show asdm sessions
    show blocks
    show cluster info*
    show configuration
    show conn
    show cpu core all*
    show crypto ca certificate
    show curpriv
    show firewall
    show interface

  • ASA Monitoring and Troubleshooting - show commands

    * Not on all models/versions

    show ips
    show mode*
    show module
    show nat
    show pager
    show pdm logging*
    show pdm sessions*
    show route
    show running-config
    show service-policy-user*
    show startup-config
    show version

  • ASA Monitoring and Troubleshooting - Interface Traffic

    Top 10 access-rules (screenshot not included in the transcript)

  • ASA Monitoring and Troubleshooting - Top 10

  • ASA Monitoring and Troubleshooting - Top 10

    Top 10 sources: #1 108.175.34.244 = Netflix; #2 216.177.128.42 = Alentus Internet (hosting)

  • AS