Defense-in-Depth Implementation Details


The ASA/PIX Security Appliance is a multifunctional device that includes the following:

  • Stateful firewall services

  • Network intrusion prevention

  • Encryption services (VPN/IPSec)

  • Auditing and reporting functions

  • Authentication capabilities

  • Application firewalling (protocol compliance enforcement)

These services make the Cisco ASA/PIX Security Appliance an excellent solution for defense-in-depth deployment in any network environment.

Authentication, Authorization, and Accounting

For simplicity within this book, you use the ASA/PIX Security Appliance local database to implement authentication. Because the local database is used, this type of username/password verification is called local authentication.

Although not used in this book, the ASA/PIX Security Appliance is capable of an authentication method called authentication, authorization, and accounting (AAA). The security appliance, used in conjunction with the Cisco ACS, performs AAA. The ASA/PIX Security Appliance forwards username/password requests to the ACS server to be accepted or rejected. If a request is accepted by the authentication server, the user is granted the request. If a request is rejected, the user is denied access to the command or to the device.

Authentication is the process of confirming (before allowing access) usernames and passwords to ensure that the person who is logging on to a network device has the correct credentials. The common methods that the ASA/PIX Security Appliance supports for authentication are as follows:

  • Simple username and password authentication using the local device database

  • One-time password authentication (use with smart cards)

  • Username and password authentication using credentials from domain controllers

  • Username and password authentication using credentials from Lightweight Directory Access Protocol servers

Authorization is a method of controlling what users can do after they have been authenticated. Authorization can control specific events, including commands that are entered or services that are requested by a user.

Accounting is reporting provided by the ACS server and tracks user logins to the ASA/PIX Security Appliance or other devices protected by the ACS server. Accounting records include fields such as the time a user logs on, the username and the IP address from which the user logged on, and the command a user executed (or attempted) while on a device.

Two main protocols are used within AAA: RADIUS and TACACS+. Both protocols are excellent for simple username and password authentication. TACACS+ is the protocol of choice if you plan to use authorization. It enables an administrator to control down to a command level what a user can do when logged on to a device protected by an AAA server.
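As an added example (not from the book, which uses local authentication), the CLI equivalent of an AAA setup against an ACS server over TACACS+, with the local database kept as a fallback so an unreachable ACS cannot lock administrators out. The ACS address, server-group name and placeholder secrets are assumptions; syntax is ASA/PIX 7.x.

```cisco
! Define a TACACS+ server group pointing at the ACS server (address assumed)
aaa-server ACS protocol tacacs+
aaa-server ACS (inside) host 192.168.1.5
 key REPLACE_WITH_SHARED_SECRET
 timeout 5
! Local fallback account, used only when every ACS server is unreachable
username admin password REPLACE_WITH_STRONG_PASSWORD privilege 15
! Authentication: SSH, ASDM (http) and enable-mode logins are verified by ACS first
aaa authentication ssh console ACS LOCAL
aaa authentication http console ACS LOCAL
aaa authentication enable console ACS LOCAL
! Authorization: each command the user types is checked against the ACS command set
! (this per-command control is why TACACS+ rather than RADIUS is used here)
aaa authorization command ACS LOCAL
! Accounting: ACS records each login and each command executed (or attempted)
aaa accounting ssh console ACS
aaa accounting command ACS
```

With LOCAL as the fallback for authorization, the local user's privilege level decides what commands are allowed while ACS is down, so keep the fallback account's privileges as narrow as the job permits.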

Perimeter Security

The perimeter of the ASA/PIX Security Appliance is the outside interface. The outside interface is the side of the security appliance that is connected to the Internet, and it is considered insecure because you have no control over traffic or events on the outside. The inside of the security appliance is the side connected to your network and is considered the secure interface.

Perimeter security entails four main functions:

  • Filters traffic so that only wanted traffic is let into the inside of the network. The goal is to allow only desired traffic into the network.

  • Controls denial-of-service (DoS) attacks. DoS attacks try to use up all the bandwidth of a network or a network device. The ASA/PIX Security Appliance has defenses built in to it to limit the number of connections that can use the security appliance resources.

  • Ensures that the outside interface cannot be exploited to gain access to the security appliance itself (access that might allow a hacker to make changes to the security appliance configuration).

  • Allows exposure of Internet services to the outside world.

  • Ensures against attacks that misuse HTTP for malicious purposes.

NOTE

You will deploy all of these perimeter defenses when you configure the ASA/PIX Security Appliance with ASDM.


Traffic Filtering

Traffic filtering on the ASA/PIX Security Appliance is done using access control lists.

NOTE

ASDM combines access control lists and the associated interface and calls them access rules.


These lists are applied to the security appliance network interfaces and define what traffic is allowed to traverse the security appliance. By default, all traffic is allowed from the inside of the security appliance to all the other interfaces. The security appliance recognizes a flow originated by an inside host and lets return traffic back through; this concept is sometimes referred to as stateful firewalling. If a new connection is attempted from the outside of your security appliance to the inside, however, two things must happen:

  • The traffic must be destined to an address advertised by the security appliance as a public Internet service.

  • An access list must be applied defining exactly what traffic will be allowed to and from that public address.

Denial-of-Service Mitigation

DoS or distributed denial-of-service (DDoS) attacks at one time were the most popular and easiest attacks to launch on the Internet. DoS attacks overload a network to a point where the network becomes unusable. Recently, the number of DoS attacks has subsided, partly because more effective technology now stops these attacks but also partly because hackers now consider DoS attacks poor form, done only by those who cannot do something more sophisticated. However, DoS attacks can still be crippling. The ASA/PIX Security Appliance mitigates various types of DoS attacks by deploying different technologies:

  • DNSGuard: Protects against DoS attacks aimed at DNS servers. Allows only a single response to multiple DNS queries, preventing DNS storms.

  • FloodGuard: Prevents DoS attacks caused by multiple AAA authentication attempts.

  • FragGuard: Prevents a class of attacks based on sending parts of the attack in fragmented packets to try to circumvent the security of the ASA/PIX Security Appliance.

  • IPVerify: Most DoS attacks use invalid or spoofed addresses so that the attack cannot be traced back to the attacker. IPVerify ensures that the source traffic is valid before the security appliance will respond to the request, effectively mitigating spoofing DoS attacks.

  • TCP Intercept: Protects against the most popular DoS attack, called a TCP SYN flood. In this attack, a hacker sends thousands of requests to open a connection through the security appliance. TCP Intercept recognizes these packets as being an attack and cleans up the resources, allowing only valid traffic to go through the security appliance.

In general, these technologies use various techniques to recognize whether traffic is valid and silently drop invalid traffic to free up internal resources before the attack traffic can bring the network down. You use these techniques later in the step-by-step portion of this book.
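As an added example (not from the book), the CLI equivalents of the DoS defenses listed above, in ASA/PIX 7.x syntax; the interface name, class-map and policy-map names and the connection limits are assumptions, and FloodGuard is not shown.

```cisco
! IPVerify (unicast reverse-path check): drop packets arriving on outside whose
! source address the routing table would not send back out through outside
ip verify reverse-path interface outside
! FragGuard: a chain limit of 1 means only unfragmented packets are accepted on outside
fragment chain 1 outside
! DNSGuard: let exactly one DNS reply through per query, then close the UDP pinhole
dns-guard
! TCP Intercept: cap total and half-open (embryonic) connections to public web servers.
! When the embryonic limit is reached the appliance answers the SYN itself and only
! opens a connection to the server once the client completes the handshake, so
! SYNs that never complete are discarded instead of consuming server resources
class-map PUBLIC_WEB
 match port tcp eq www
policy-map OUTSIDE_POLICY
 class PUBLIC_WEB
  set connection conn-max 2000 embryonic-conn-max 500
service-policy OUTSIDE_POLICY interface outside
```

Size the embryonic limit from the server's real backlog capacity: too low and legitimate bursts trigger interception, too high and the server is exhausted before the appliance steps in.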

Security Appliance Device Access Protection

If attackers obtain management access to your security appliance, they can do several things to weaken your protection:

  • Configure the security appliance to allow themselves access to the inside of your network

  • View the configuration of your network, making it easier for them to exploit network devices

  • View traffic going through the security appliance and steal critical information such as usernames and passwords

Locking down your security appliance from attackers is a critical part of securing your network. You use ASDM to perform the following lockdown steps:

  • Turn off all services where the username and password might be passed in the clear

  • Disallow management access to the outside interface of the security appliance

  • Configure IP addresses that are allowed to manage the security appliance
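As an added example (not from the book), the CLI equivalent of the three lockdown steps above in ASA/PIX 7.x syntax; the management subnet and interface names are assumptions.

```cisco
! SSH needs an RSA key pair before it can accept sessions
crypto key generate rsa modulus 2048
! Remove every Telnet permission: usernames and passwords would cross the wire in the clear
clear configure telnet
! SSH version 2 only, accepted solely from the administrative subnet on the inside interface
ssh version 2
ssh 192.168.1.0 255.255.255.0 inside
ssh timeout 10
! ASDM runs over HTTPS; allow it from the same inside subnet only
http server enable
http 192.168.1.0 255.255.255.0 inside
! No ssh or http statement names the outside interface, so management from the
! Internet is refused before any password prompt is ever shown
! SNMP community strings also travel in the clear; disable SNMP unless it is required
no snmp-server enable
```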

Limit Access to Network Devices

One of the fundamental and most valuable uses of a security appliance is to ensure that traffic sourced from the outside is allowed only to the devices that you've defined for public access. These services are defined on the ASA/PIX Security Appliance using a combination of functions called static Network Address Translation (NAT) and access control.

NAT defines a link between a device on the inside of your network and an Internet address that you advertise on the outside of your security appliance. You should use NAT in combination with an access list defining what traffic is allowed to this public address. Some services that you might want to advertise are as follows:

  • Web server

  • DNS server

  • Mail server

In Chapter 5, "Deploying Secure Internet Connectivity," you configure web and mail servers to be exposed on the Internet and filter appropriate traffic using access rules.

Note that these devices with public addresses are the network assets that attackers will scan and attack. Generally, attacks launched from the outside can target only Internet devices such as those described previously. However, after hackers have control of one of your public servers, they've established a presence on your network. Their next step is to try to exploit other nonpublic devices inside your network. It is considered best practice to place your public servers on an interface other than your inside interface. This ensures that if hackers compromise a public server, they are not yet on the inside of your network and still have a considerable amount of work to do to get there. These interfaces are often called demilitarized zone (DMZ) interfaces.

CAUTION

If you are exposing resources such as web servers or mail servers from your network, you must not use a security appliance that has only two interfaces. If you do, you must put your public servers on the inside network, which in turn exposes your internal network to an unreasonably high risk of attack.
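As an added example (not from the book), the CLI equivalent of the two traffic-filtering requirements from the "Traffic Filtering" section and of the static NAT plus access-rule design described above, with the public web and mail servers placed on a DMZ interface. Syntax is ASA/PIX 7.x (pre-8.3 NAT); interface names, addresses and list names are assumptions.

```cisco
! Interfaces (assumed): inside = security 100, dmz = 50, outside = 0
interface Ethernet0/0
 nameif outside
 security-level 0
 ip address 203.0.113.2 255.255.255.0
interface Ethernet0/2
 nameif dmz
 security-level 50
 ip address 192.168.2.1 255.255.255.0
! Default behaviour kept: inside hosts may go out, and return traffic of their flows is
! admitted statefully; this dynamic translation hides inside addresses behind the outside IP
nat (inside) 1 0.0.0.0 0.0.0.0
global (outside) 1 interface
! Requirement 1: the public services are advertised on addresses owned by the appliance
static (dmz,outside) 203.0.113.10 192.168.2.10 netmask 255.255.255.255
static (dmz,outside) 203.0.113.11 192.168.2.11 netmask 255.255.255.255
! Requirement 2: an access rule names exactly what may reach each public address
! (pre-8.3 rules on outside match the public, translated addresses)
access-list OUTSIDE_IN extended permit tcp any host 203.0.113.10 eq www
access-list OUTSIDE_IN extended permit tcp any host 203.0.113.10 eq https
access-list OUTSIDE_IN extended permit tcp any host 203.0.113.11 eq smtp
! Everything else arriving on outside falls to the implicit deny at the end of the list
access-group OUTSIDE_IN in interface outside
! Containment: a compromised DMZ server must not be able to open connections inward
access-list DMZ_IN extended deny ip any 192.168.1.0 255.255.255.0
access-list DMZ_IN extended permit ip any any
access-group DMZ_IN in interface dmz
```

Note that the DMZ rule is what turns the DMZ placement into an actual barrier: without it the higher security level of the DMZ would still block DMZ-initiated traffic to inside, but an explicit deny survives later rule additions and shows up clearly in audits.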




Securing Your Business with Cisco ASA and PIX Firewalls
ISBN: 1587052148
Year: 2006
Pages: 120
Authors: Greg Abelar