NC School Connectivity Initiative – Firewall Best Practices

NCET 2014 Conference

Transcript of NC School Connectivity Initiative – Firewall Best Practices (38 slides)

Page 1: NC School Connectivity Initiative – Firewall Best Practices

NCET 2014 Conference

Page 2: Session Presenters

- Chris Rose, MCNC – Client Network Engineer

- Dianne Dunlap, MCNC – Client Network Engineer

2 3/21/14

Page 3: Agenda

1. ITS/ASA Firewall Service Description

2. Firewall Configuration Best Practices

3. ASA Monitoring and Troubleshooting

4. Where to go for information; MCNC Support

5. Q&A

Page 4: State Firewall Service Summary

Additional information: https://www.mcnc.org/our-community/k12/services/firewall

- Cisco ASA platform with site-to-site VPN and SSL VPN functionality

- Offered as ITS fully managed or customer managed

- LEA Adoption - 30 ITS fully managed / 33 customer managed

- Charter School Adoption - 42 ITS fully managed / 8 customer managed

Page 5: State Firewall Service Summary

Additional information: https://www.mcnc.org/our-community/k12/services/firewall

Service Implementation and Support | ITS Fully Managed | Customer Management
Consultation regarding service options and security configurations | Y | Y
All required activities to complete service installation | Y | Y
All hardware and software components required to deliver the security service | Y | Y
Ongoing operating system release and patch management | Y | On request by customer
Ongoing configuration management | Y | N
Configuration backup | Y | Y
24x7 Device Monitoring | Y | N
24x7 Support | Y | Y
Real-time view of security policy | Optional | Optional
Log retention at customer location | Available | Available

Page 6: Current LEA ASA Map (map image)

Page 7: Current Charter ASA Map (map image)

Page 8: Firewall Best Practices

- Be as specific as possible - avoid any/any.

- Allow only essential services in (ingress filtering).

- Use a DMZ if possible for public servers (web, FTP).

- Allow only essential services out (egress filtering).

- Log traffic as necessary.

- Use good naming conventions and comments.

- Group network objects, ports.

- Remove unneeded ACLs.

- Use AnyConnect where possible in lieu of broad outside access.

Page 9: Avoid any/any

Instead of:

access-list outside_access_in permit ip any host 152.26.1.20

use:

access-list outside_access_in permit tcp any host 152.26.1.20 eq http
access-list outside_access_in permit tcp any host 152.26.1.20 eq https

(or destination 10.26.1.20 in later ASA versions)

Page 10: Use a DMZ

access-list outside_access_in permit tcp any host 152.26.1.20 eq http
access-list outside_access_in permit tcp any host 152.26.1.20 eq https
access-list dmz_access_inside deny ip any any
access-list inside_access_dmz permit tcp any host 10.46.1.20 eq http
access-list inside_access_dmz permit tcp any host 10.46.1.20 eq https

Page 11: Allow Only Essential Services Out

- No access-list on the inside interface, or an access-list with ‘permit ip any any’, permits all outbound traffic.

- Blacklisting is possible if outbound traffic becomes malicious due to viruses, malware, or malcontents.

- Good Internet citizenship limits or prevents:

  - BitTorrent

  - Viruses/malware (Iloveyou, Stuxnet, Cutwail)

  - Web proxies (Ultrasurf, Tor)

Page 12: Allow Only Essential Services Out

ITS Standard Service Groups (outbound):

object-group service School-standard-tcp tcp
 port-object eq https
 port-object eq www
 port-object eq 9443

object-group service School-standard-udp udp
 port-object eq domain

Page 13: Log Traffic – syslog levels

Category | Numeric Code
Emergency | 0
Alert | 1
Critical | 2
Error | 3
Warning | 4
Notification | 5
Informational | 6
Debug | 7

Examples:

ASA-3-305006 – portmap translation (level 3, Error)
ASA-6-302014 – Teardown TCP connection (level 6, Informational)

Page 14: Log Traffic

- ITS logging is at “Warning” level for ITS-managed firewalls. This is also Cisco recommended best practice.

- ASA log messages should be sent to a local syslog server for customer-managed firewalls.

- Free syslog servers:

  - rsyslogd (Linux)

  - syslog-ng (Linux)

  - The Dude (Windows)
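A consequence of the Warning-level default worth seeing concretely: the ASA only forwards messages whose severity number is at or below the configured trap level, so level 5 and 6 records such as the 302014 connection teardown on slide 13 never reach the syslog server. The Python script below is an added example, not code from the MCNC/ITS presentation. It parses ASA syslog lines and reports which ones a given trap level forwards; the four sample lines are constructed for illustration, using the two message IDs from slide 13 (305006, 302014) plus two other standard ASA message IDs (106023, 111008), with addresses drawn from the slides and from documentation ranges.

```python
"""Classify Cisco ASA syslog messages by severity and show which ones a
given 'logging trap' level forwards.  Added example, not MCNC or ITS code.
The sample lines are constructed: they use the message IDs from slide 13
(305006, 302014) plus two other standard ASA IDs (106023, 111008)."""
import re
from collections import Counter

LEVEL_NAMES = {0: "emergencies", 1: "alerts", 2: "critical", 3: "errors",
               4: "warnings", 5: "notifications", 6: "informational",
               7: "debugging"}

# Every ASA message carries "%ASA-<severity>-<six-digit id>:" before its text.
MSG_RE = re.compile(r"%ASA-(?P<sev>[0-7])-(?P<id>\d{6}):\s*(?P<text>.*)$")

# Constructed sample lines (hostname asa-lea01 and timestamps are made up).
SAMPLE_LOGS = """\
Mar 21 2014 10:15:01 asa-lea01 : %ASA-6-302014: Teardown TCP connection 81234 for outside:152.26.1.20/443 to inside:10.26.1.55/50231 duration 0:00:12 bytes 8421 TCP FINs
Mar 21 2014 10:15:02 asa-lea01 : %ASA-3-305006: portmap translation creation failed for udp src inside:10.26.1.55/5353 dst outside:224.0.0.251/5353
Mar 21 2014 10:15:03 asa-lea01 : %ASA-4-106023: Deny tcp src outside:203.0.113.9/51234 dst inside:152.26.1.11/3389 by access-group "outside_access_in"
Mar 21 2014 10:15:04 asa-lea01 : %ASA-5-111008: User 'enable_15' executed the 'configure terminal' command.
""".splitlines()


def level_number(level):
    """Accept 4, '4', 'warnings' or an unambiguous prefix such as 'warning'."""
    text = str(level).strip().lower()
    if text.isdigit() and 0 <= int(text) <= 7:
        return int(text)
    matches = [n for n, name in LEVEL_NAMES.items() if name.startswith(text)]
    if len(matches) != 1:
        raise ValueError(f"unknown logging level: {level!r}")
    return matches[0]


def parse_line(line):
    """Return {'severity', 'id', 'text'} for an ASA line, or None otherwise."""
    m = MSG_RE.search(line)
    if not m:
        return None
    return {"severity": int(m.group("sev")), "id": m.group("id"),
            "text": m.group("text")}


def forwarded(lines, level):
    """Messages a trap level of `level` sends on; lower numbers are more severe."""
    max_sev = level_number(level)
    msgs = (parse_line(line) for line in lines)
    return [msg for msg in msgs if msg and msg["severity"] <= max_sev]


def severity_histogram(lines):
    """Count messages per severity name, to see what a level change would drop."""
    parsed = filter(None, (parse_line(line) for line in lines))
    return Counter(LEVEL_NAMES[msg["severity"]] for msg in parsed)


if __name__ == "__main__":
    print(severity_histogram(SAMPLE_LOGS))
    for name in ("warnings", "informational"):
        ids = [msg["id"] for msg in forwarded(SAMPLE_LOGS, name)]
        print(f"logging trap {name}: forwards {ids}")
```

At the Warning level the script keeps only the 305006 error and the 106023 access-group deny; the 111008 configuration change and the 302014 teardown are dropped, which is the trade-off to weigh before relying on Warning-level logs for per-connection investigation. If one particular message is needed at a lower level than its default, the ASA can re-level it individually with `logging message <id> level <level>` rather than raising the trap level for everything.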

Page 15: Use good naming conventions and comments

Use of name command:

access-list inside_in remark for Libby Smith
name 72.22.90.231 PowerWeb description Website host
access-list inside_in extended permit tcp any4 object PowerWeb eq 8443

Use of remark:

access-list outside_acl remark Employee Portal

Creation of a network object and its description:

object network XYZ_Elementary
 subnet 10.25.0.0 255.255.0.0
 description XYZ Elementary School

Page 16: Group Network Objects, Ports

Example of Grouped Network Objects, Ports:

name 10.9.5.5 informer description for Jane

object-group service informer_ports tcp-udp
 port-object eq 90
 port-object eq 9090

object-group network INSIDE_NETWORK_2
 network-object host 198.6.112.110
 network-object host 63.148.144.242

access-list inside_in extended permit object-group TCPUDP object informer object-group INSIDE_NETWORK_2 object-group informer_ports

Page 17: Group Network Objects, Ports

Example of Un-Grouped Network Objects, Ports (the same policy as the grouped form, written out as eight entries):

access-list inside_in extended permit tcp host 10.9.5.5 host 198.6.112.110 eq 90
access-list inside_in extended permit tcp host 10.9.5.5 host 198.6.112.110 eq 9090
access-list inside_in extended permit udp host 10.9.5.5 host 198.6.112.110 eq 90
access-list inside_in extended permit udp host 10.9.5.5 host 198.6.112.110 eq 9090
access-list inside_in extended permit tcp host 10.9.5.5 host 63.148.144.242 eq 90
access-list inside_in extended permit tcp host 10.9.5.5 host 63.148.144.242 eq 9090
access-list inside_in extended permit udp host 10.9.5.5 host 63.148.144.242 eq 90
access-list inside_in extended permit udp host 10.9.5.5 host 63.148.144.242 eq 9090
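The grouped entry on slide 16 and the eight flat entries on slide 17 describe the same policy, and being able to expand one into the other is the quickest way to review what a grouped rule really permits. The Python script below is an added example, not code from the MCNC/ITS presentation: it parses the slide 16 configuration and expands the grouped access-list entry into its flat equivalents. The sample configuration is the slide 16 text with two additions that are assumptions of this example: the protocol group TCPUDP is written out explicitly (ASDM normally creates it), and the network group is declared as `object-group network`. Only `eq` port members and `host`/network members are handled; `range` port objects would need one more branch.

```python
"""Expand an ASA access-list entry written with object-groups into the
flat entries it stands for.  Added example (not MCNC or ITS code): the
sample configuration is the grouped form from slide 16 with the protocol
group TCPUDP written out explicitly, which is an assumption of this example."""
from itertools import product

SAMPLE_CONFIG = """\
name 10.9.5.5 informer description for Jane
object-group protocol TCPUDP
 protocol-object tcp
 protocol-object udp
object-group service informer_ports tcp-udp
 port-object eq 90
 port-object eq 9090
object-group network INSIDE_NETWORK_2
 network-object host 198.6.112.110
 network-object host 63.148.144.242
access-list inside_in extended permit object-group TCPUDP object informer object-group INSIDE_NETWORK_2 object-group informer_ports
"""

# The eight flat entries shown on slide 17, used to check the expansion.
UNGROUPED_FROM_SLIDE_17 = {
    f"access-list inside_in extended permit {proto} host 10.9.5.5 host {dst} eq {port}"
    for proto in ("tcp", "udp")
    for dst in ("198.6.112.110", "63.148.144.242")
    for port in ("90", "9090")
}


def parse_config(text):
    """Collect name aliases, object-group members and access-list lines."""
    names, groups, aces, current = {}, {}, [], None
    for raw in text.splitlines():
        tok = raw.split()
        if not tok:
            continue
        if tok[0] == "name":                      # name <ip> <alias> [description ...]
            names[tok[2]] = tok[1]
        elif tok[0] == "object-group":            # object-group <kind> <name> [tcp|udp|tcp-udp]
            current = tok[2]
            groups[current] = []
        elif tok[0] == "protocol-object":         # member of a protocol group
            groups[current].append(tok[1])
        elif tok[0] == "port-object":             # only 'eq <port>' members handled here
            groups[current].append(f"eq {tok[2]}")
        elif tok[0] == "network-object":          # 'host <ip>' or '<network> <mask>'
            groups[current].append(f"{tok[1]} {tok[2]}")
        elif tok[0] == "access-list":
            aces.append(raw.strip())
    return names, groups, aces


def expand_ace(ace, names, groups):
    """Return every flat ACE covered by one (possibly grouped) ACE."""
    tok = ace.split()
    i = 3 if tok[2] == "extended" else 2          # skip 'access-list <name> [extended]'
    action = tok[i]
    i += 1

    def take(kind):
        """Consume one protocol, address or port spec; return its alternatives."""
        nonlocal i
        key = tok[i]
        if key == "object-group":                 # any kind of group: expand its members
            i += 2
            return list(groups[tok[i - 1]])
        if key == "object":                       # alias created with the 'name' command
            i += 2
            return [f"host {names[tok[i - 1]]}"]
        if kind == "addr":
            if key in ("any", "any4"):
                i += 1
                return [key]
            if key == "host":
                i += 2
                return [f"host {tok[i - 1]}"]
            i += 2                                # <network> <mask>
            return [f"{tok[i - 2]} {tok[i - 1]}"]
        if kind == "port":                        # eq/gt/lt <port> or range <lo> <hi>
            n = 3 if key == "range" else 2
            i += n
            return [" ".join(tok[i - n:i])]
        i += 1                                    # plain protocol name (tcp, udp, ip)
        return [key]

    protos, srcs, dsts = take("proto"), take("addr"), take("addr")
    ports = take("port") if i < len(tok) else [""]
    return [" ".join(filter(None, ["access-list", tok[1], "extended", action, p, s, d, dp]))
            for p, s, d, dp in product(protos, srcs, dsts, ports)]


def expand_config(text):
    """Flat ACEs for every access-list line in an ASA configuration fragment."""
    names, groups, aces = parse_config(text)
    return [flat for ace in aces for flat in expand_ace(ace, names, groups)]


if __name__ == "__main__":
    for line in expand_config(SAMPLE_CONFIG):
        print(line)
```

Run against a real configuration dump, this is also a cheap way to count how many flat entries a single grouped rule adds to the policy, which is the number a reviewer needs when deciding whether a group has grown too permissive.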

Page 18: Remove Unneeded Access-lists

Each group below starts with an entry broad enough to match everything the more specific entries after it describe; because the ASA uses the first matching entry, those later entries are never hit and can be removed.

name 10.8.1.51 Room-X
static (inside,outside) 152.26.1.2 Room-X netmask 255.255.255.255

access-list outside_acl extended permit ip any host 152.26.1.2
access-list outside_acl extended permit tcp any host 152.26.1.2
access-list outside_acl extended permit udp any host 152.26.1.2

access-list outside_acl extended permit ip any host 152.26.1.3
access-list outside_acl extended permit object-group DM_INLINE_SERVICE any host 152.26.1.3

access-list outside_acl extended permit object-group xyz host AS400 range ftp telnet
access-list outside_acl extended permit tcp host x.x.x.x host AS400 gt ftp
access-list outside_acl extended permit tcp any host AS400 eq ftp

Page 19: Why Use AnyConnect for Remote Administration?

access-list outside_in permit tcp any host 152.26.1.11 eq 3389

This entry opens RDP on 152.26.1.11 to every address on the Internet; the alternative is to require AnyConnect authentication at the ASA first.

Page 20: Use AnyConnect

Page 21: Use AnyConnect

Require users to authenticate with AnyConnect at the ASA prior to accessing internal resources.

- Authentication may be via usernames on the ASA or tied to AD

- Access can be audit-trailed if on AD

- Access-lists can be applied at ASA level and tied to local users or AD groups

Page 22: AnyConnect Platforms

- Microsoft (XP, Vista, 7, 8)

- Mac OS X

- Linux (Red Hat, Ubuntu)

- iOS (iPhone, iPod, iPad) mobile client*

- Android client*

* Requires ASA mobile license

Page 23: ASA Monitoring and Troubleshooting – ASA Read-only Access

- ITS can provide read-only access for ITS-managed firewalls

- Access via ASDM (GUI) or SSH (command line)

- Request an account through MCNC

- User credentials are in the ITS-managed TACACS+ server

- Read-only access prevents accidents!

Page 24: ASA Monitoring and Troubleshooting

- “show” commands

- “Top 10” services, sources, destinations

- Interface traffic (kb/connections)

- Memory and CPU utilization

- Packet tracer utility

- Packet capture wizard

- Logs

Page 25: ASA Monitoring and Troubleshooting – “show” commands

Command | Arguments
dir | disk0:/dap.xml
enable |
exit |
logout |
more | system:running-config
packet-tracer |
quit |
read |
threat-detection | statistics*

* Not on all models/versions

Page 26: ASA Monitoring and Troubleshooting – “show” commands

Command | Arguments
show | access-list
show | activation-key detail
show | asdm sessions
show | blocks
show | cluster info*
show | configuration
show | conn
show | cpu core all*
show | crypto ca certificate
show | curpriv
show | firewall
show | interface

* Not on all models/versions

Page 27: ASA Monitoring and Troubleshooting – “show” commands

Command | Arguments
show | ips
show | mode*
show | module
show | nat
show | pager
show | pdm logging*
show | pdm sessions*
show | route
show | running-config
show | service-policy-user*
show | startup-config
show | version

* Not on all models/versions

Page 28: ASA Monitoring and Troubleshooting – Interface Traffic

Top 10 access-rules

Page 29: ASA Monitoring and Troubleshooting – “Top 10”

Page 30: ASA Monitoring and Troubleshooting – “Top 10”

Top 10 sources: #1 108.175.34.244 = Netflix; #2 216.177.128.42 = Alentus Internet (hosting)

Page 31: ASA Monitoring and Troubleshooting – Memory and CPU

Page 32: ASA Monitoring and Troubleshooting – Traffic

Page 33: ASA Monitoring and Troubleshooting – SYN Attacks

200.165.244.186 = user.velox.com.br

Page 34: ASA Monitoring and Troubleshooting – Connections/Drops

Page 35: ASA Monitoring and Troubleshooting – Packet Tracer

- Packet Tracer allows the administrator to simulate packet flow through the firewall to test connectivity.

- Packet Tracer should be the first step in troubleshooting connectivity through the firewall.

Page 36: ASA Monitoring and Troubleshooting – Packet Capture Wizard

- Packet Capture Wizard is used to examine actual traffic in detail.

- Usually used as the second step, when Packet Tracer indicates traffic is allowed but connectivity problems persist.

Page 37: ASA Monitoring and Troubleshooting – Logs

- ASDM Real Time Log Viewer allows an administrator to view the log file as it is being generated, in real time.

- Allows filtering based on expressions or search criteria.

- Logging level can be set independently from the syslog logging level for the length of the session.

- Limited to buffer size. Maximum buffer size is 2000.

Page 38: Support

Service Inquiries and Requests

- Reach the DPI team by contacting the Network Analysts listed at: http://www.ncpublicschools.org/connectivity/directory/

Post-deployment Support

- For network related issues, please continue to call Network Operations Center Support at 877-GO-NCREN (877-466-2736) or 919-248-1111.

- For issues related to your web security or firewall service, please contact the SysOps Team by calling 919-248-4111 or by sending an email to [email protected].

- For questions related to firewall “Best Practices”, please contact the CNE Team by sending an email to [email protected]