Case Study 2: Large Enterprise Firewall, VPN, and IPS Deployment

Case Study 2 Large Enterprise Firewall, VPN, and IPS Deployment

This section demonstrates how Cisco ASA can provide multifunction solutions for large enterprise networks. Figure 22-4 shows how different Cisco ASAs are deployed within SecureMe's headquarters offices.

Figure 22-4. Network Topology for Regional Site Offices

The Cisco ASA appliances are deployed as follows:

  1. The Cisco ASA 5540s at the Internet edge provide internal users connectivity to Internet services and provide external users access to information on public servers in a demilitarized zone (DMZ) network. These appliances are configured in failover mode. An AIP-SSM module is installed on each appliance to provide IPS services.
  2. A cluster of Cisco ASA 5520s is configured to provide remote-access VPN services to telecommuters and remote users.
  3. Two Cisco ASA 5520s (in failover mode) provide security services to servers at SecureMe's data center.

Internet Edge and DMZ

The Cisco ASA 5540s (5540-1 and 5540-2) at the Internet edge of SecureMe's main office network are configured in failover mode and are connected to two Catalyst switches on their outside (public) interface, as illustrated in Figure 22-5.

Figure 22-5. Regional Site Offices: Cisco ASA Deployment at the Internet Edge and DMZ

These two switches are connected to Cisco IOS routers (ISP-Router-1 and ISP-Router-2) connected to two different ISPs. These routers are configured with the Hot Standby Router Protocol (HSRP) to provide redundant links to the Internet.

The LAN switches are connected to each other via 100BASE-T trunk ports, and each LAN switch is, in turn, connected to the routers and the Cisco ASA 5540s (subnet 209.165.201.0/27). The HSRP virtual address of the routers is 209.165.201.5/27. The default gateway configuration at each of the Cisco ASA 5540s is set to the virtual address of the routers.

There are two web servers in a DMZ network (192.168.232.100 and 192.168.232.101). These servers are statically translated to two public IP addresses (209.165.201.25 and 209.165.201.26, respectively). Only HTTP and HTTPS communication is allowed to these servers from Internet users. These servers retrieve information from an internal database hosted at the 10.20.3.80 server running MySQL (an open-source database). The web servers use TCP port 3306 to communicate to the internal database. This is the only communication allowed from these servers to the internal network.

Example 22-4 includes the commands to configure Washington ASA 5540-1 to achieve these goals. The site-to-site tunnel configuration to the New York branch office and Partner-A is also included in Example 22-4. A crypto map called Washington_map is configured with two separate instances.

Example 22-4. Washington ASA 5540-1 Configuration

!Configuration of public interface facing the Internet routers interface GigabitEthernet0/0 description outside interface nameif outside security-level 0 ip address 209.165.201.1 255.255.255.224 ! !Configuration of the inside interface interface GigabitEthernet0/1 description inside interface nameif inside security-level 100 ip address 10.10.1.1 255.255.255.0 ! !DMZ Interface with security level 50 interface GigabitEthernet0/2 description DMZ interface nameif DMZ security-level 50 ip address 192.168.232.1 255.255.255.0 ! ! Interface used for failover communication interface GigabitEthernet0/3 description Failover Interface no nameif no security-level no ip address ! !Management interface configuration ASA and AIP-SSM management interfaces are in the !10.10.220.0/24 management network. interface Management0/0 nameif mgmt security-level 70 ip address 10.10.220.1 255.255.255.0 management-only ! ! hostname Washington5540-1 ! !Access control list to bypass NAT for the IPSec communication to the New York branch !office and Partner-A networks. access-list nonat extended permit ip host 10.20.2.70 192.168.144.0 255.255.255.0 access-list nonat extended permit ip 10.20.4.0 255.255.255.0 10.165.200.0 255.255.255.0 access-list nonat extended permit ip 10.20.1.0 255.255.255.0 10.165.200.0 255.255.255.0 access-list nonat extended permit ip 10.10.220.0 255.255.255.0 10.165.200.0 255.255.255.0 ! !Access control list to classify what traffic will be encrypted to the IPSec ! site-to-site tunnel to Partner-A access-list encryptPartA extended permit ip 10.20.2.0 255.255.255.0 192.168.144.0 255.255.255.0! !Access control list to classify what traffic will be encrypted to the IPSec site-to-site !tunnel to the New York branch office. access-list encryptNY extended permit ip 10.10.1.0 255.255.255.0 10.165.200.0 255.255.255.0 access-list encryptNY extended permit ip 10.20.2.0 255.255.255.0 10.165.200.0 255.255.255.0 access-list encryptNY extended permit ip 10.10.220.0 255.255.255.0 10.165.200.0 255.255.255.0 ! !Access control list applied to the DMZ interface to allow only communication from the !web servers to the 10.20.3.80 MySQL server over TCP port 3306 access-list dmzACL extended permit tcp host 192.168.232.100 host 10.20.3.80 eq 3306 access-list dmzACL extended permit tcp host 192.168.232.101 host 10.20.3.80 eq 3306 ! !NAT configuration a global pool of addresses (209.165.201.10 to 209.165.201.15) is !configured. After these addresses are allocated all connections will be port !address translated to 209.165.201.16. global (outside) 1 209.165.201.10-209.165.201.15 global (outside) 1 209.165.201.16 nat (inside) 0 access-list nonat nat (inside) 1 10.0.0.0 255.0.0.0 ! !Static NAT configuration for the web servers in the DMZ network. static (DMZ,outside) 209.165.201.25 192.168.232.100 netmask 255.255.255.255 static (DMZ,outside) 209.165.201.26 192.168.232.101 netmask 255.255.255.255 ! !Access group for dmzACL access-group dmzACL in interface DMZ ! !IPSec site-to-site tunnel configuration two crypto maps are configured (one for the !tunnel to the branch office in New York and a second for the tunnel to Partner-A). crypto ipsec transform-set myset esp-aes-256 esp-sha-hmac crypto map Washington_map 10 match address encryptPartA crypto map Washington_map 10 set peer 209.165.202.129 crypto map Washington_map 10 set transform-set myset crypto map Washington_map 20 match address encryptNY crypto map Washington_map 20 set peer 209.165.200.231 crypto map Washington_map 20 set transform-set myset crypto map Washington_map interface outside isakmp enable outside isakmp policy 10 authentication pre-share isakmp policy 10 encryption aes-256 isakmp policy 10 hash sha isakmp policy 10 group 2 !

 

Filtering Websites

There is a Websense server for URL filtering (10.10.1.43) in the inside interface of the Internet edge firewalls. The security administrator configures Cisco ASA to send all the user web requests to the 10.10.1.43 filtering server, except requests to the two web servers located in SecureMe's DMZ network (192.168.232.100 and 192.168.232.101). The goal is that, after an internal user accesses a site, the Cisco ASA will cache the address (if permitted by the Websense server).

The cache size configured is 64 KB. Therefore, when the same or another user accesses the cached website, the Cisco ASA will not query the Websense server again, increasing performance. The URL memory pool size is configured with 10 KB. An additional requirement the security administrator dictates is for Cisco ASA to allow long URLs of 4 KB in size. To increase performance, 128 blocks are kept in the Cisco ASA buffer. Example 22-5 includes the command the security administrator enters in Cisco ASA 5540-1 to achieve these goals.

Example 22-5. URL Filtering

!Specifying the Websense server url-server (inside) vendor websense host 10.10.1.43 ! !Filtering all URLs except for the two servers in the DMZ filter url except 0.0.0.0 0.0.0.0 192.168.232.101 255.255.255.255 filter url except 0.0.0.0 0.0.0.0 192.168.232.100 255.255.255.255 filter url http 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 ! !URL block memory pool is configured to 10KB url-block url-mempool 10 ! !Support for long URLs of up to 4KB in size url-block url-size 4 ! !The following command enables 128 blocks to be buffered in the Cisco ASA. url-block block 128 ! !URL cache size of 64KB based on both the source address initiating the URL request, as !well as the URL destination address url-cache src_dst 64

Note

For more information about Websense filtering server, go to http://www.websense.com.

 

Remote Access VPN Cluster

SecureMe has two Cisco ASA 5520s configured in a cluster for remote access VPN support. Figure 22-6 illustrates the design, including corresponding IP addresses.

Figure 22-6. Remote-Access VPN Cluster

The two Cisco ASA 5520s are labeled VPN-5520-1 and VPN-5520-2. The goal is to have the VPN-5520-1 configured as the cluster master (with priority 10) and VPN-5520-2 as the cluster secondary (with priority 5). Load-balancing communication between both Cisco ASA 5520s must be encrypted. Example 22-6 shows the configuration of the cluster master (VPN-5520-1).

Example 22-6. Remote-Access VPN Cluster Master ASA Configuration

!Public/outside interface configuration interface GigabitEthernet0/0 nameif outside security-level 0 ip address 209.165.201.6 255.255.255.224 ! !Private/inside interface configuration interface GigabitEthernet0/1 nameif inside security-level 100 ip address 10.10.1.6 255.255.255.0 ! hostname VPN-5520-1 ! !IP Pool for remote access VPN clients ip local pool vpnpool 10.10.253.1-10.10.253.254 !Static Routing configuration. Default gateway is pointing to the Internet router HSRP !address and tunnel default gateway is pointing to the primary ASA 5540 Internet Firewall !IP address. route outside 0.0.0.0 0.0.0.0 209.165.201.5 1 route inside 10.20.0.0 255.255.0.0 10.10.1.12 1 route inside 10.10.0.0 255.255.0.0 10.10.1.12 1 route inside 0.0.0.0 0.0.0.0 10.10.1.1 tunneled ! !RADIUS Server configuration. The RADIUS server is located in SecureMe's Data Center. aaa-server Radius protocol radius aaa-server Radius host 10.20.1.40 key cisco123 ! !A VPN group called SecureMeGrp is configured. group-policy SecureMeGrp internal group-policy SecureMeGrp attributes banner value You have connected to VPN-5520-1. This is a restricted VPN system. dns-server value 10.20.4.98 10.20.4.99 vpn-simultaneous-logins 1 vpn-tunnel-protocol IPSec ipsec-udp enable ipsec-udp-port 10000 split-tunnel-policy tunnelall default-domain value securemeinc.com ! !IPSec transform-set configuration crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac ! !A dynamic crypto map is configured for the remote access VPN clients. crypto dynamic-map secureme_dyn_map 10 set transform-set ESP-3DES-SHA crypto map outside_map 100 ipsec-isakmp dynamic secureme_dyn_map crypto map outside_map interface outside ! ! isakmp configurationEnabled on the outside interface isakmp enable outside ! isakmp configurationEnabled on the inside interface for VPN LB isakmp enable inside ! !ISAKMP policy configuration for VPN Clients isakmp policy 10 authentication pre-share isakmp policy 10 encryption 3des isakmp policy 10 hash sha isakmp policy 10 group 2 isakmp policy 10 lifetime 86400 ! !Tunnel Group configuration for Remote Access VPN tunnel-group securemevpn type ipsec-ra ! !Tunnel group general attributes. The VPN Address pool vpnpool is mapped, the default !VPN group is SecureMeGrp, and authentication is set to RADIUS. tunnel-group securemevpn general-attributes address-pool vpnpool authentication-server-group Radius authentication-server-group (inside) Radius default-group-policy SecureMeGrp ! !Tunnel Group IPSec attributes tunnel-group securemevpn ipsec-attributes pre-shared-key * ! !Load-balancing configuration. Encryption for VPN load-balancing communication is !configured. The priority 10 will force this appliance to be the master. vpn load-balancing priority 10 cluster key cisco123 cluster ip address 209.165.201.8 cluster encryption participate

The master Cisco ASA (VPN-5520-1) is configured to assign IP addresses to VPN clients from a pool of addresses in the range of 10.10.253.1 through 10.10.253.254. A different IP address pool must be configured in the cluster secondary appliance (VPN-5520-2). The IP address pool range is 10.10.254.1 through 10.10.254.254. Example 22-7 shows the cluster secondary Cisco ASA configuration.

Example 22-7. Remote-Access VPN Cluster Secondary ASA Configuration

!Public/outside interface configuration interface GigabitEthernet0/0 nameif outside security-level 0 ip address 209.165.201.7 255.255.255.224 ! !Private/inside interface configuration interface GigabitEthernet0/1 nameif inside security-level 100 ip address 10.10.1.7 255.255.255.0 ! hostname VPN-5520-2 ! !IP Pool for remote access VPN clients ip local pool vpnpool 10.10.254.1-10.10.254.254 !Static Routing configuration. Default gateway is pointing to the Internet router HSRP !address and tunnel default gateway is pointing to the primary ASA 5540 Internet Firewall !IP address. route outside 0.0.0.0 0.0.0.0 209.165.201.5 1 route inside 10.20.0.0 255.255.0.0 10.10.1.12 1 route inside 10.10.0.0 255.255.0.0 10.10.1.12 1 route inside 0.0.0.0 0.0.0.0 10.10.1.1 tunneled ! ! RADIUS Server configuration. The RADIUS server is located in SecureMe's Data Center. aaa-server Radius protocol radius aaa-server Radius host 10.20.1.40 key cisco123 ! !A VPN group called SecureMeGrp is configured. group-policy SecureMeGrp internal group-policy SecureMeGrp attributes banner value You have connected to VPN-5520-2. This is a restricted VPN system. dns-server value 10.20.4.98 10.20.4.99 vpn-simultaneous-logins 1 vpn-tunnel-protocol IPSec ipsec-udp enable ipsec-udp-port 10000 split-tunnel-policy tunnelall default-domain value securemeinc.com ! !IPSec transform-set configuration crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac ! !A dynamic crypto map is configured for the remote access VPN clients. crypto dynamic-map secureme_dyn_map 10 set transform-set ESP-3DES-SHA crypto map outside_map 100 ipsec-isakmp dynamic secureme_dyn_map crypto map outside_map interface outside ! ! isakmp configuration Enabled on the outside interface isakmp enable outside ! isakmp configuration Enabled on the inside interface for VPN LB isakmp enable inside ! !ISAKMP policy configuration for VPN Clients isakmp policy 10 authentication pre-share isakmp policy 10 encryption 3des isakmp policy 10 hash sha isakmp policy 10 group 2 isakmp policy 10 lifetime 86400 ! !Tunnel Group configuration for Remote Access VPN tunnel-group securemevpn type ipsec-ra ! !Tunnel group general attributes. The VPN Address pool vpnpool is mapped, the default !VPN group is SecureMeGrp, and authentication is set to RADIUS. tunnel-group securemevpn general-attributes address-pool vpnpool authentication-server-group Radius authentication-server-group (inside) Radius default-group-policy SecureMeGrp ! !Tunnel Group IPSec attributes tunnel-group securemevpn ipsec-attributes pre-shared-key * ! !Load-balancing configuration. Encryption for VPN load-balancing communication is !configured. The priority 10 will force this appliance to be the master. vpn load-balancing priority 5 cluster key cisco123 cluster ip address 209.165.201.8 cluster encryption participate

Notice that the configuration is almost identical to the cluster master appliance with the exception of the IP addressing, IP address pool, and VPN load-balancing priority.

Application Inspection

The Washington security administrator received calls from many users complaining that they can't access streaming video with applications using the Real-Time Streaming Protocol (RTSP) (for example, Apple QuickTime 4, RealPlayer, and Cisco IP/TV). After researching the issue, the security administrator notices that RTSP inspection is not enabled on the Internet edge Cisco ASA. The configuration commands in Example 22-8 are appended to the Internet edge appliances.

Example 22-8. RTSP Inspection

!An ACL defining the RTSP traffic over the default TCP ports (554 and 8554) access-list rtsp_acl permit tcp any any eq 554 access-list rtsp_acl permit tcp any any eq 8554 ! !A class-map named rtsp_traffic is configured matching the previously configured ACL class-map rtsp_traffic match access-list rtsp_acl ! !A policy map called inbound_policy is configured to inspect all RTSP traffic and applied !to the inside interface policy-map inbound_policy class rtsp_traffic inspect rtsp service-policy inbound_policy interface inside

 

IPS

The Cisco ASA 5540s at the Internet edge are running IPS services in AIP-SSM modules. Each AIP-SSM is configured in promiscuous mode. The AIP-SSM inspects all packets that enter through the outside interface and are destined for the inside and DMZ networks. The configuration in Example 22-9 is appended to each Cisco ASA 5540.

Example 22-9. ASA IPS Redirection

!A class-map is configured to capture/match all traffic class-map IPSclass match any ! !A policy map is created associating the previously created class map. IPS is configured !in promiscuous mode and to for the Cisco ASA to continue to pass traffic if the AIP-SSM fails policy-map IPSpolicy class IPSclass ips promiscuous fail-open ! !IPS service policy is applied globally. service-policy IPSpolicy global

If the AIP-SSM fails, the Cisco ASA 5540 will continue to pass traffic normally. This is referred to as fail-open. In inline mode, if the security appliance is configured to fail-close, Cisco ASA will stop all traffic to be transmitted from and to any of its interfaces. However, in promiscuous mode the AIP-SSM will not cause the traffic passing through the Cisco ASA to stop. The fail-open or fail-close configuration only applies to inline mode.

The security administrator notices several events/alarms generated by signature 223344. After detailed analysis, the security administrator discovers that these are false positives. The goal is to disable signature 223344. It will still be processed by the AIP-SSM without generating any logs or events. Example 22-10 shows the AIP-SSM configuration to disable signature 223344.

Example 22-10. Disabling Signature 223344

WashingtonSSM-1# configure terminal WashingtonSSM-1(config)# service signature-definition sig0 WashingtonSSM-1(config-sig)# signatures 223344 0 WashingtonSSM-1(config-sig-sig)# status WashingtonSSM-1(config-sig-sig-sta)# enabled false WashingtonSSM-1(config-sig-sig-sta)# show settings status ----------------------------------------------- enabled: false default: false retired: false ----------------------------------------------- WashingtonSSM-1(config-sig-sig-sta)# exit WashingtonSSM-1(config-sig-sig)# exit WashingtonSSM-1(config-sig)# exit Apply Changes:?[yes]:yes

The tuning process is crucial for IPS management. After disabling signatures that generate false positives and making sure that the correct signatures are enabled, the security administrator can now determine threat origins and targets, and use this information to prevent attacks, protect resources, and reduce network downtime.

Note

The Cisco Security Monitoring, Analysis and Response System (CS-MARS) can collect IPS event information from the AIP-SSM. CS-MARS provides intelligent and sophisticated features that can help you during the IPS tuning process. You can get more information about CS-MARS at http://www.cisco.com/go/mars.

Категории