Thursday, 14 November 2013

Active/standby Failover on Cisco ASA

What we have are two identical ASAs. Both of them are connected to the Internet and the LAN.
Do not forget to upload the ASDM image to the secondary ASA as well.

Configuration of primary ASA

Configure Internet interface
ciscoasa(config)# int g1
ciscoasa(config-if)# ip address 172.20.1.5 255.255.255.0 standby 172.20.1.6

Configure LAN interface
ciscoasa(config-if)# int g0
ciscoasa(config-if)# ip address 172.20.2.2 255.255.255.0 standby 172.20.2.3

Configure failover interface
ciscoasa(config)# int g2
ciscoasa(config-if)# no shut
ciscoasa(config-if)# failover lan interface fail-1 g2
ciscoasa(config)# failover interface ip fail-1 1.1.1.1 255.255.255.252 standby 1.1.1.2

Configure stateful interface
ciscoasa(config)# interface g3
ciscoasa(config-if)# no shut
ciscoasa(config-if)# failover link fail-2 g3
ciscoasa(config)# failover interface ip fail-2 2.2.2.1 255.255.255.252 standby 2.2.2.2

Configure shared key
ciscoasa(config)# failover key cisco

Configure HTTP session replication
ciscoasa(config)# failover replication http

Enable Primary mode
ciscoasa(config)# failover lan unit primary

Change the prompt so that it always shows which role this ASA currently has:
ciscoasa(config)# prompt hostname priority state
ciscoasa/pri/actNoFailover(config)#

Turn on failover:
ciscoasa/pri/actNoFailover(config)# failover

Verify
ciscoasa/pri/act(config)# show fail

Save config
ciscoasa/pri/act(config)# wr mem

Configuration of secondary ASA

Configure failover interface
ciscoasa(config)# int g2
ciscoasa(config-if)# no shut
ciscoasa(config-if)# failover lan interface fail-1 g2
ciscoasa(config)# failover interface ip fail-1 1.1.1.1 255.255.255.252 standby 1.1.1.2

Configure shared key
ciscoasa(config)# failover key cisco

Configure mode
ciscoasa(config)# failover lan unit secondary

Enable failover
ciscoasa(config)# failover

Save config
ciscoasa/sec/stby(config)# wr mem

Now, if we turn off the primary ASA, the secondary will become active. When the primary ASA is turned on again, it comes back as primary/standby; to make it active again we can use the following command:
ciscoasa/pri/stby(config)# failover active

Thursday, 7 November 2013

Imitating SYN Flood attack

hping3 -i u1 -S -p 80 10.1.1.1

-S - sets the SYN flag
-p 80 - target port 80
-i u1 - wait 1 microsecond between packets

Wednesday, 23 October 2013

Video training: My review of CBT Nuggets

Earlier I used to have a skeptical attitude towards video training. I considered it boring and slow, I preferred studying with books, I could read faster or slower, could skip something or vice versa research more deeply. I had such thoughts some time ago. I always knew about CBT Nuggets, I heard about them here or there, but never actually tried. However I never took them seriously, until I stumbled across Keith Barker's (instructor on CBT Nuggets) videos on YouTube. I really liked them! I watched a couple of them and understood that I was mistaken about them. I explored the videos available on www.cbtnuggets.com and understood that it is a very powerful tool for self-education. I bought a subscription and jumped in :)
Why did I change my attitude? Why did I like them? Well, these videos are live, they are interactive, dynamic and presented in a funny, simple way. The narrator does not mumble, all things are described from a practical perspective and accompanied with examples. Moreover, best practices are also described.
My job is connected with computers, so basically I spend all my working time near the computer. As a result, my eyes are very tired by the end of the day. Consequently, studying in the evening becomes a challenge :) That's where videos score; for me it is much easier to watch and listen after a hard day than to read.
Of course, I do not argue that books should be avoided at all. I will certainly keep using books for certifications; videos are not the replacement, they are a good addition :)
Besides certifications I found there a lot of useful courses in the fields which I am interested in and where I do not have enough awareness.
In sum, I am very happy that I have found this new source of knowledge. I will keep watching and studying... There are so many areas left to explore.

Thursday, 10 October 2013

Cisco ASA tips

Enable SSH access
firewall1(config)#crypto key generate rsa modulus 2048
firewall1(config)#username user password userpass privilege 15
firewall1(config)#ssh 0.0.0.0 0.0.0.0 inside
firewall1(config)#aaa authentication ssh console LOCAL

Enable ASDM
asdm image disk0:/asdm-752-153.bin
http 10.0.1.0 255.255.255.0 inside
username cisco password cisco privilege 15

Add enable password
firewall1(config)#enable password strongpass

Adding AAA access rules
Before a cut-through authentication rule is applied, a standard ACL must already permit the traffic. For example, if you want to turn on authentication for HTTP traffic, you first have to allow HTTP traffic.

Cut-through proxy, direct HTTPS authentication example
I would like to describe this configuration using an example. Suppose we need to allow SSH connections from the inside network to an Internet server only for authenticated users. Let's jump in :)
Suppose we have already added a user.
172.20.1.1 - address of the Internet server
172.16.16.100 - address of the ASA inside interface
5555 - port on which the ASA will listen for authentication

Add an access list to allow SSH in general from the inside network
access-list inside_access_in extended permit tcp any any eq 22 log disable
access-group inside_access_in in interface inside

Add an access list that selects the traffic to authenticate (it is referenced by the aaa rule below; it is not applied with access-group, which would replace inside_access_in on the interface)
access-list ssh permit tcp any host 172.20.1.1 eq 22
access-list ssh permit tcp any host 172.16.16.100 eq 5555

Add the aaa rules
aaa authentication match ssh inside LOCAL
aaa authentication listener https inside port 5555

After this configuration is done, a user from the inside network has to go to:
https://172.16.16.100:5555/netaccess/connstatus.html
enter their username and password, and will then have access to the SSH service.

Application layer (L5-7) inspection
Forbid the DELE command in FTP traffic
class-map type inspect ftp match-all ftpclass
 match request-command dele
policy-map type inspect ftp ftppolicy
 class ftpclass
  reset log
policy-map global-policy
 class global-class
  inspect ftp strict ftppolicy
service-policy global-policy global

Clear running config
clear config all

Clear startup config
write erase

Wednesday, 25 September 2013

Cisco IOS CBAC: ACL + inspect command example

This is a short example of how to configure CBAC (Context Based Access Control) in IOS.
CBAC allows you to configure stateful firewalling without excessive ACLs: the inspect rule opens return traffic dynamically, so the static ACL on the outside interface can deny everything.

#1 configure the protocols which we want to inspect
ip inspect name outside tcp
ip inspect name outside udp
ip inspect name outside icmp
ip inspect name outside ftp

#2 configure an ACL for the outside interface to block all traffic from the Internet
ip access-list extended inside
  deny ip any any

#3 configure the outside interface
int fa0/0
  description out
  ip access-group inside in
  ip inspect outside out
  ip address 1.1.1.1 255.255.255.0
  ip nat outside

#4 configure the inside interface
int fa0/1
  description inside
  ip address 192.168.0.1 255.255.255.0
  ip nat inside

Tuesday, 16 July 2013

Open ports in Iptables via sudo

This is a small script which allows ordinary users to open and close ports with iptables when run via sudo:

#!/bin/bash
# Intended to be run via sudo, so every argument is validated before it reaches iptables.

if [ "$#" -ne 3 ]; then
    echo "Usage: ports open|close tcp|udp port_number"
    echo "List of open ports:"
    iptables -L
    exit 1
fi

action="$1"; proto="$2"; port="$3"

# Protocol may be tcp or udp only
if [ "$proto" != "tcp" ] && [ "$proto" != "udp" ]; then
    echo "Protocol may be tcp or udp only"
    exit 1
fi

# Port must be a plain number in 1-65535, so nothing else can be passed through to iptables
case "$port" in
    ''|*[!0-9]*) echo "Port must be numeric"; exit 1 ;;
esac
if [ "$port" -lt 1 ] || [ "$port" -gt 65535 ]; then
    echo "Port must be between 1 and 65535"
    exit 1
fi

if [ "$action" = "open" ]; then
    iptables -A INPUT -p "$proto" --dport "$port" -j ACCEPT
elif [ "$action" = "close" ]; then
    iptables -D INPUT -p "$proto" --dport "$port" -j ACCEPT
else
    echo "Action may be open or close only"
    exit 1
fi

Tuesday, 14 May 2013

DNS server zone transfer and amplification attack

How to test if a DNS server allows zone transfer?

In Windows
nslookup
server TARGET_DNS_SERVER_IP
set type=any
ls -d TARGET_DOMAIN

In Linux
dig @TARGET_DNS_SERVER_IP -t AXFR TARGET_DOMAIN

Many DNS servers allow a root (".") zone transfer. This can lead to an amplification attack, where an attacker sends many small (17-byte) root zone transfer requests and the server answers each with a much bigger reply (around 500 bytes). Moreover, the possibility to transfer the root zone will result in a FAIL during a PCI ASV scan. We can check manually whether it is possible with the following commands:

Transfer root zone in Linux
dig @DNS_SERVER_IP axfr

Transfer root zone in Windows
nslookup
> server server_ip
> set q=soa
> .
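As an added example, not part of the post, here is what those checks look like on the wire: a Python builder for the root-zone AXFR query (which is where the 17-byte figure comes from), a parser that reads the response header to tell a refusal from a leaked zone, and the resulting amplification ratio. Both responses are constructed, not captured traffic.

```python
import struct

AXFR, SOA, IN = 252, 6, 1
REFUSED = 5   # RCODE a correctly restricted server returns for a disallowed transfer

def build_query(name, qtype, qid=0x1234):
    """Encode a DNS question; the root zone "." is the single empty label, one zero byte."""
    header = struct.pack("!HHHHHH", qid, 0x0000, 1, 0, 0, 0)  # flags 0: one question, no recursion
    qname = b"".join(bytes([len(lbl)]) + lbl.encode("ascii")
                     for lbl in name.rstrip(".").split(".") if lbl) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, IN)

def root_axfr_query_size():
    """12-byte header + 1-byte root name + 2-byte type + 2-byte class = 17 bytes, the figure the post quotes."""
    return len(build_query(".", AXFR))

def transfer_allowed(response):
    """Interpret a server's reply as (allowed, rcode, answer_count).

    A server that honours transfer restrictions answers REFUSED with no records;
    a server that leaks the zone answers NOERROR with the SOA and every other record.
    """
    _qid, flags, _qd, ancount, _ns, _ar = struct.unpack("!HHHHHH", response[:12])
    rcode = flags & 0x0F
    return rcode == 0 and ancount > 0, rcode, ancount

def amplification_factor(request, response):
    """Bytes the server sends per byte it receives: the ratio an ASV scan complains about."""
    return len(response) / len(request)

# Constructed responses (not captured): a refusal, and a 500-byte zone answer with 13 records
RESP_REFUSED = struct.pack("!HHHHHH", 0x1234, 0x8000 | REFUSED, 1, 0, 0, 0)   # QR=1, RCODE=5
RESP_LEAK = struct.pack("!HHHHHH", 0x1234, 0x8000, 1, 13, 0, 0) + b"\x00" * 488  # QR=1, padded body
```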

How can we disable root zone transfer and avoid the amplification attack?
In BIND, the following line needs to be added to the options section of the named.conf file:
additional-from-cache no;

This will influence the cache, so be cautious.


Solution for Windows

Saturday, 11 May 2013

Cisco ASA NAT in examples

Example 1
Forward a port for a web server from the Internet to the internal network using Auto NAT, also called Network Object NAT

object network web_server_in_dmz
  host 192.168.1.2
  nat (inside,outside) static 1.1.1.1 service tcp www 8080

Where:
  • 192.168.1.2 - IP address of web server in internal network
  • inside - name of the interface connected to the internal network
  • outside - name of the interface connected to the external network
  • static - type of NAT translation
  • 1.1.1.1 - external Internet address
  • www - real port on a web server
  • 8080 - translated port which will be open on external address
The same goal can be accomplished using Manual NAT:

nat (outside, inside) source static any any destination static public_ip web service 8080 www

where:
outside - source interface, where the original packet comes in
inside - destination interface, from where the translated packet goes out
source - means we are starting the configuration of the source IP address translation
static - the NAT will be static, not dynamic
first any - source address of the original packet
second any - source address of the translated packet, so the source address will not be changed
destination - means we are starting the configuration of the destination IP address translation
static - the destination NAT will be static, not dynamic
public_ip - network object which describes the external Internet IP address
web - network object which describes the internal IP address of the web server
service - means we are starting the specification of which services will be translated
8080 - service object which describes port 8080 TCP, the translated port which will be open on the external address
www - service object which describes port 80 TCP, the real port on the web server

However, this will not work if 1.1.1.1 is the IP address of the outside interface itself. 1.1.1.1 may be a secondary outside address, but not the primary one. By secondary I mean an address that appears only in the NAT configuration; that is enough for the ASA to start answering on it, since a secondary address cannot be configured explicitly on an ASA interface.
So, how do we configure port forwarding using the IP address of the outside interface itself? Here is the example:

nat (outside, inside) source static any any destination static interface web service 8080 www

The only thing changed here is public_ip replaced by the interface keyword, which means, as I understand it, that the interface itself is used instead of an IP address.

Example 2
Configure PAT for the internal network so that users can access the Internet
Using Auto NAT

object network lan
  subnet 172.16.16.0 255.255.255.0
  nat (any,any) dynamic public_ip

where public_ip is a network object containing the external IP address, but of course not the address of the outside interface :)

Using Manual NAT with IP address of outside interface
object network lan
  subnet 172.16.16.0 255.255.255.0
nat (inside,outside) source dynamic lan interface

Example 3
NAT exemption
For instance, you need to exclude a server from the PAT because this server communicates with another server via an IPsec VPN. To accomplish it we just need to create a NAT rule which changes nothing and set its order number to one:
nat (any,any) 1 source static server1 server1 destination static remote_server remote_server

Troubleshooting
Show all translations:
show xlate
show nat

Friday, 5 April 2013

Sender Policy Framework example

In the BIND zone configuration file:
@ IN TXT "v=spf1 ip4:1.1.1.1 ip4:2.2.2.2 -all"
where the IP addresses are the addresses of our mail server
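As an added example (not from the post), a small evaluator that applies a v=spf1 record of the kind shown above to a sending IP address. It implements the ip4/ip6 and all mechanisms with their qualifiers, which is everything this record uses, and reports permerror for mechanisms that would need DNS lookups (include, a, mx).

```python
import ipaddress

# Constructed copy of the record from the post
SPF_RECORD = "v=spf1 ip4:1.1.1.1 ip4:2.2.2.2 -all"

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def evaluate_spf(record, sender_ip):
    """Return the SPF result (pass/fail/softfail/neutral/permerror) for sender_ip.

    Mechanisms are evaluated left to right; the first one that matches decides,
    with its qualifier ("+" is the default) giving the result. Only ip4, ip6 and
    all are handled here; anything needing a DNS lookup is reported as permerror.
    """
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "permerror"              # not an SPF record at all
    ip = ipaddress.ip_address(sender_ip)
    for term in terms[1:]:
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.lower()
        if name == "all":               # "-all": everything not listed above fails
            return QUALIFIERS[qualifier]
        if name in ("ip4", "ip6"):
            if "/" not in arg:          # a bare address is a single-host network
                arg += "/32" if name == "ip4" else "/128"
            net = ipaddress.ip_network(arg, strict=False)
            if ip.version == net.version and ip in net:
                return QUALIFIERS[qualifier]
            continue
        return "permerror"              # include/a/mx/exists are not implemented here
    return "neutral"                    # no mechanism matched and no "all" term
```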

Tuesday, 12 March 2013

Cisco IOS policy static NAT with IPSec

Imagine that you have a classic IPsec tunnel and you need to NAT the source address of a host in your internal network before its packets are sent through the tunnel. Moreover, you also have NAT overload from your internal network so that your hosts can access the Internet. Here is an example of how to configure this on a Cisco IOS router.

  • IP address of the host in your internal network - 192.168.1.2
  • IP address of the host in remote network - 10.10.0.1
  • IP address you need to NAT your internal host to - 172.16.16.1

Define access list for static NAT
ip access-list extended ipsec_nat
  permit ip host 192.168.1.2 host 10.10.0.1

Define route map based on this access-list
route-map ipsec_nat permit 10
  match ip address ipsec_nat

Enable NAT
ip nat inside source static 192.168.1.2 172.16.16.1 route-map ipsec_nat

Configure access list for encrypted traffic
access-list 151 permit ip host 172.16.16.1 host 10.10.0.1

Configure access list for exception from NAT overload
ip access-list extended nonat
  deny ip host 192.168.1.2 host 10.10.0.1
  permit ip host 192.168.1.2 any

Configure route map based on this list
route-map nonat permit 10
  match ip address nonat

Reconfigure NAT overload
ip nat inside source route-map nonat interface FastEthernet4 overload

Wednesday, 6 March 2013

Auditd in Linux for PCI DSS compliance

In this post I am going to describe how I configured the auditd service on an Ubuntu Linux 12.04 server and the challenges I faced during this process.
Auditd was the most difficult part of preparing the server for PCI DSS. I hope this information will help other administrators :)
Although this is not a comprehensive guide and it does not cover many details, I suppose it can serve as a good start.
Caution: this configuration is excessive and can produce a lot of log data.
Auditd allows us to monitor two kinds of things: system calls and files. With files everything is pretty clear. The syscalls, however, are the main challenge.
A general description of auditd can be found in the man pages and on Google. Here I will post just my configuration with some comments.
Section 10.2 of the PCI DSS standard and its subsections define which events should be logged.

Here is my /etc/audit/audit.rules file:
-a exclude,always -F msgtype=CWD
This rule excludes the excessive CWD messages.

10.2.2
All actions taken by any individual with root or administrative privileges
-a exit,always -S all -F euid=0 -F perm=wxa -k root

What we have here is that all system calls made by root or via sudo that write, append or execute will be logged. If you use auid instead of euid, syscalls run via sudo will not be logged. To test it you just need to perform any action as the root user.

10.2.3
Access to all audit trails
-a always,exit -S all -F dir=/logarchive -F perm=wra -k logs-archive
-a always,exit -S all -F dir=/var/log/audit -F perm=wra -k audit-logs
-w /var/log/auth.log -p wra -k logs
-w /var/log/syslog -p wra -k logs

All access to logs, including reading, should be watched. For monitoring a whole directory it is better to use a syscall rule with the dir filter instead of the -w option, because the syscall variant will show the name of the affected file and the -w variant will not.

10.2.4
Invalid logical access attempts
-a always,exit -F arch=b64 -S all -F exit=-13 -k access
How auditors test it: for example, reading /etc/shadow from a standard user login, writing to /etc/passwd, or creating a file in a directory with restricted permissions; all of these produce exit status -13 (EACCES) when permission is denied and are consequently logged.

10.2.7
Creation and deletion of system-level objects.
According to the Payment Card Industry (PCI) Data Security Standard Glossary, Abbreviations and Acronyms, a system-level object has the following definition:

Anything on a system component that is required for its operation, including but not limited to application executable and configuration files, system configuration files, static and shared libraries & DLLs, system executables, device drivers and device configuration files, and added third-party components.

-a always,exit -S all -F dir=/etc -F perm=wa -k system
-a always,exit -S all -F dir=/boot -F perm=wa -k system
-a always,exit -S all -F dir=/usr/lib -F perm=wa -k system
-a always,exit -S all -F dir=/bin -F perm=wa -k system
-a always,exit -S all -F dir=/lib -F perm=wa -k system
-a always,exit -S all -F dir=/lib64 -F perm=wa -k system
-a always,exit -S all -F dir=/sbin -F perm=wa -k system
-a always,exit -S all -F dir=/usr/bin -F perm=wa -k system
-a always,exit -S all -F dir=/usr/sbin -F perm=wa -k system

Thus, any append or write operations to system level objects will be logged.
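As an added example that is not from the post, the following Python reads an audit.log excerpt (constructed here, with the keys from the rules above), joins each SYSCALL record with its PATH record by event serial, and summarises the trail per -k key, which is roughly what a reviewer does when checking 10.2.x coverage.

```python
import re
from collections import defaultdict

# Constructed audit.log excerpt (not real data) in the format auditd writes; keys match the rules above
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1362576600.123:456): arch=c000003e syscall=2 success=no exit=-13 items=1 ppid=2000 pid=2001 auid=1000 uid=1000 euid=1000 tty=pts0 ses=3 comm="cat" exe="/bin/cat" key="access"
type=PATH msg=audit(1362576600.123:456): item=0 name="/etc/shadow" inode=1234 dev=08:01 mode=0100640 ouid=0 ogid=42
type=SYSCALL msg=audit(1362576700.456:457): arch=c000003e syscall=2 success=yes exit=4 items=1 ppid=3000 pid=3001 auid=1000 uid=0 euid=0 tty=pts1 ses=4 comm="vi" exe="/usr/bin/vi" key="system"
type=PATH msg=audit(1362576700.456:457): item=0 name="/etc/sudoers" inode=2345 dev=08:01 mode=0100440 ouid=0 ogid=0
type=SYSCALL msg=audit(1362576800.789:458): arch=c000003e syscall=2 success=yes exit=3 items=1 ppid=4000 pid=4001 auid=1001 uid=1001 euid=1001 tty=pts2 ses=5 comm="less" exe="/usr/bin/less" key="logs"
type=PATH msg=audit(1362576800.789:458): item=0 name="/var/log/auth.log" inode=3456 dev=08:01 mode=0100640 ouid=0 ogid=4
"""

FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
SERIAL_RE = re.compile(r'msg=audit\((\d+\.\d+):(\d+)\)')

def parse_audit_log(text):
    """Group SYSCALL and PATH records by event serial, the number after the colon in msg=audit(...)."""
    events = {}
    for line in text.splitlines():
        m = SERIAL_RE.search(line)
        if not m:
            continue
        fields = {k: v.strip('"') for k, v in FIELD_RE.findall(line)}
        ev = events.setdefault(int(m.group(2)), {"ts": float(m.group(1)), "fields": {}, "paths": []})
        if fields["type"] == "SYSCALL":
            ev["fields"].update(fields)              # who (auid/euid), what (comm/exe), outcome (exit), rule key
        elif fields["type"] == "PATH":
            ev["paths"].append(fields.get("name"))   # the file the syscall touched
    return events

def summarize_by_key(events):
    """Map each -k key to (auid, comm, exit, path) tuples so coverage can be reviewed rule by rule."""
    by_key = defaultdict(list)
    for serial in sorted(events):
        f = events[serial]["fields"]
        if "key" not in f:
            continue
        for path in events[serial]["paths"] or [None]:
            by_key[f["key"]].append((f["auid"], f["comm"], int(f["exit"]), path))
    return dict(by_key)

def denied_accesses(events):
    """Events with exit=-13 (EACCES): the invalid logical access attempts that 10.2.4 asks for."""
    return [(e["fields"]["auid"], p) for e in events.values()
            if e["fields"].get("exit") == "-13" for p in e["paths"]]
```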

Tuesday, 26 February 2013

Encrypt many files simultaneously on Windows with a GPG public key

For instance, you need to encrypt all files in a folder; here is a short command which accomplishes this task:
for %%i in (C:\folder\*.bak) do gpg --encrypt --batch -r backup@localhost "%%i"

Where backup@localhost is the identifier of the public key (the doubled %% is the batch-file form; at an interactive command prompt use a single %).

Monday, 18 February 2013

Ubuntu: DNS configuration + multiple IP addresses on one interface

/etc/network/interfaces:
auto eth0
iface eth0 inet static
address 192.168.47.15
netmask 255.255.255.0
gateway 192.168.47.1
dns-nameservers 8.8.8.8

auto eth0:1
iface eth0:1 inet static
address 192.168.47.14
netmask 255.255.255.0

auto eth0:2
iface eth0:2 inet static
address 192.168.47.16
netmask 255.255.255.0

Sunday, 17 February 2013

How to check if there are upgrades for your Cisco IOS

It is good practice to check periodically for new versions of Cisco IOS because of security vulnerabilities. To do it you can use the
Cisco IOS Software Checker
On this page you just need to choose your IOS version, based on the output of the command:

show version

For instance: 15.2(4)M1

After this the wizard will show you the list of possible updates for your IOS. The next step is to get these updates. It is not as easy as with Microsoft or Linux, you can't just download them. The easiest way is to ask your Cisco supplier, since they usually have access to all Cisco downloads.

Ping does not work

Today I would like to discuss a banal situation: host A is directly connected to host B, ping from host A to host B does not work. What are...