Cisco

The Cisco ASA Firewall provides us with flexible and scalable choices for connecting our appliance into the network.  This post will provide elements of the ASA configuration specific to the interfaces for an ASA operating in Routed / Single Mode with no failover commands.

Cisco ASA5520

The number and speed of the interfaces installed in your ASA depend on the model and license.  They are as follows:

ASA5505
8 x 10/100 switchports (two of which provide PoE).
ASA5510
Base License – 5x 10/100 Ports
Security Plus License – 2x 10/100/1000 & 3x 10/100 Ports
ASA5520 & ASA5540
4x 10/100/1000 & 1x 10/100 Ports
ASA5550
8x 10/100/1000, 4x SFP & 1x 10/100
ASA5580
The ASA5580 interfaces are dependent on the modules purchased for it.
Additional Interfaces
The 5510, 5520 & 5540 support the 4GE SSM, which hosts four additional copper or SFP interfaces.
For basic interface connectivity we must enter interface configuration mode:
ASA (config)# interface gi0/1
*We are now working under interface configuration mode and can configure the IP address, nameif, security level, speed and duplex.
ASA (config-if)# ip address 10.0.0.1 255.255.255.0
ASA (config-if)# nameif SERVER_DMZ
ASA (config-if)# security-level 50
ASA (config-if)# speed 1000
ASA (config-if)# duplex full
ASA (config-if)# no shut (physical ports are shut down by default)

IP Addressing
The IP Address can be assigned statically (as above) or it can be assigned dynamically via DHCP:
ASA (config-if)# ip address dhcp
If you wanted the default route for the ASA to be provided by the DHCP server you would configure:
ASA (config-if)# ip address dhcp setroute

Nameif Command
The nameif command gives an interface a friendly name that is thereafter used in the configuration instead of the interface type and ID such as Gi0/1.  Be careful when renaming an interface: overwrite the existing name by simply typing “nameif new-name” and allow the ASA to correct all related configuration elements.  If you do “no nameif” followed by “nameif new-name” you may find that a lot of your configuration relating to the old interface name has disappeared!  *Your ASA will not pass traffic on an interface until the nameif command has been configured.

Security Levels
Security levels allow us to define how trusted an interface is.  The higher the number, the more trusted the interface is considered.  If no access lists are applied to an interface, the ASA will permit traffic travelling from an interface with a higher security level to one with a lower security level.  For example, if INSIDE is set to 100 and OUTSIDE to 0, users connected to the inside interface could access hosts on the outside, but users on the outside would not be able to access resources on the inside interface.  The ASA allows the return traffic back to hosts on the inside by tracking connections in its state table.  Usually the INSIDE interface has a security level of 100 and the OUTSIDE a security level of 0.

If two interfaces have the same security level configured and you want traffic to flow between them, or you want traffic to exit the same interface it entered, you must enter the following commands under global configuration:
same-security-traffic permit inter-interface (for traffic traversing physical interfaces).
same-security-traffic permit intra-interface (for traffic traversing logical interfaces on the same physical interface).
The “intra-interface” option is also used when routing on a stick, i.e. VPN traffic that terminates on the outside interface but then goes back out of that same interface to reach the internet needs the “same-security-traffic permit intra-interface” command.

Speed & Duplex
The speed and duplex settings are always configured on the physical interface, even when sub-interfaces are defined.  The interfaces on an ASA are set by default to auto-negotiate speed and duplex.  In this mode the interface is also capable of auto-MDI/MDIX, eliminating the need for a crossover cable.  As long as either the speed or the duplex is set to auto-negotiate, the interface will be capable of auto-MDI/MDIX.  Gigabit Ethernet will always auto-negotiate when set to auto or 1000/full.

ICMP Control Lists for ASA
ICMP traffic that terminates on the ASA's own interfaces can be turned on and off using the icmp command, for example: icmp permit any echo OUTSIDE

The ASA interface will respond to ICMP requests by default, but once you begin using the ICMP control list you have to make sure all required traffic is permitted explicitly.  If you are restricting ICMP traffic with a control list, it is recommended that you permit the ICMP unreachable message type (type 3) so as not to interfere with path MTU discovery, as blocking it may cause problems with IPsec and PPTP traffic.

  • Redundant Interfaces
Redundant interfaces can be used to group physical interfaces into one logical interface for resiliency.  Redundant interfaces operate in active/standby mode.  To enable this feature both interfaces must be of the same physical specification.  The MAC address listed first in the config is the one used for the logical redundant interface.  When the ASA fails over to the standby interface the same MAC address is used.  It is however possible to define a MAC address statically.
ASA (config)# interface redundant 1
ASA (config-if)# member-interface gi 0/1
ASA (config-if)# member-interface gi 0/2
You then simply define the redundant interface for failover monitoring, just as you would a VLAN sub-interface:
ASA (config)# monitor-interface redundant 1
  • VLAN Sub-interfaces
VLAN sub-interfaces allow us to divide a physical interface into multiple logical interfaces to provide more interfaces on the firewall.  The physical link automatically becomes a trunk when VLAN sub-interfaces are used, and the switchport that the firewall interface connects to must be configured as an 802.1Q trunk that allows either all VLANs or specifically the VLANs used by sub-interfaces on that physical interface.
To prevent the physical interface passing untagged traffic, ensure that “no nameif” is configured on the physical interface.  A VLAN ID must be assigned to each sub-interface, and until it is the sub-interface will not pass traffic.  Spanning-tree portfast may be used on the switchport to allow it to move to the forwarding state more quickly.  The speed and duplex settings are configured on the physical link.
The different ASA models support varying numbers of VLANs:
ASA5505
Base License – 3 VLANs (trunking is disabled)
Security Plus License – 20 VLANs (trunking enabled)
ASA5510
Base License – 50 VLANs
Security Plus License – 100 VLANs
ASA5520
150 VLANs
ASA5540
200 VLANs
ASA5550
250 VLANs
ASA5580
250 VLANs
To configure a VLAN sub-interface do the following:
ASA (config)# interface gi 0/1.100
ASA (config-subif)# vlan 100
*I prefer to make the sub-interface number the same as the VLAN ID for simplicity.
Then carry out the usual interface configuration on the sub-interface: nameif, ip address, security-level, no shut, description.
*Remember to perform a “no shut” on the physical interface and otherwise leave it blank, with no nameif configured, to prevent it passing traffic.
VLAN Sub-interfaces can also be configured on redundant interfaces in a similar manner:
ASA (config)# interface redundant 1.100
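As an added example (this is not code from the post or from Cisco), here is a small Python audit of an ASA running-config excerpt that flags three of the pitfalls described in this post: a physical interface that still has a nameif while carrying VLAN sub-interfaces, interfaces sharing a security level with no same-security-traffic permit inter-interface, and an ICMP control list on an interface that does not permit unreachable (type 3).  The sample config, the interface names in it and the functions parse, icmp_permits and audit are all my own constructions; the audit only reads icmp permit lines and assumes the usual running-config layout of one-space-indented interface sub-commands.

```python
# Constructed sample ASA running-config excerpt (not taken from the post); it
# deliberately contains each of the pitfalls the audit looks for.
SAMPLE_CONFIG = """\
interface GigabitEthernet0/0
 nameif OUTSIDE
 security-level 0
 ip address dhcp setroute
interface GigabitEthernet0/1
 nameif SERVER_DMZ
 security-level 50
interface GigabitEthernet0/1.100
 vlan 100
 nameif USERS
 security-level 50
icmp permit any echo OUTSIDE
"""

def parse(config):
    """Split a config into {interface: {keyword: rest-of-line}} plus global lines."""
    interfaces, global_lines, current = {}, [], None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            interfaces[current] = {}
        elif line.startswith(" ") and current is not None:
            key, _, value = line.strip().partition(" ")
            interfaces[current][key] = value
        elif line.strip():
            current = None
            global_lines.append(line.strip())
    return interfaces, global_lines

def icmp_permits(global_lines):
    """Map nameif -> ICMP types explicitly permitted to the ASA's own interface."""
    permitted = {}
    for line in global_lines:
        tok = line.split()
        if tok[:2] != ["icmp", "permit"]:
            continue
        # Source is "any" (1 token) or "ip mask"/"host ip" (2); a missing type means all types.
        rest = tok[3:-1] if tok[2] == "any" else tok[4:-1]
        permitted.setdefault(tok[-1], set()).add(rest[0] if rest else "any")
    return permitted

def audit(config):
    ifaces, global_lines = parse(config)
    findings = []
    for name, attrs in ifaces.items():
        # A named physical interface that also carries sub-interfaces passes untagged traffic.
        if "nameif" in attrs and any(o.startswith(name + ".") for o in ifaces):
            findings.append((name, "physical interface with sub-interfaces has nameif"))
    # Traffic between equal security levels is dropped unless explicitly permitted.
    levels = [a.get("security-level") for a in ifaces.values() if "nameif" in a]
    if len(levels) != len(set(levels)) and "same-security-traffic permit inter-interface" not in global_lines:
        findings.append(("global", "equal security levels but no same-security-traffic permit inter-interface"))
    # Once a control list exists only permitted types are answered; keep unreachable (type 3) for PMTUD.
    for nameif, types in icmp_permits(global_lines).items():
        if not types & {"any", "unreachable", "3"}:
            findings.append((nameif, "icmp control list does not permit unreachable (type 3)"))
    return findings
```

Running audit(SAMPLE_CONFIG) reports the three findings; once each is corrected in the config it returns an empty list.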

I thought I’d post up a reference to an interesting article posted on Network World about Cisco’s place in the security market.  It seems that customers now care less about appliance performance and more about overall strategy and product integration.  The data gathered by the IDC shows that customers do not rate Cisco as a “best of breed” vendor but that they are keen to use Cisco products because of the manner in which they integrate into their network.

If security is of the utmost concern then in my opinion the best solution to the problem should be applied – end of story.  However, with overworked staff and a lack of multi-vendor skills it is easy to see why companies choose Cisco with the similar-looking administration GUIs, CLIs and the ability to expand appliance capability by using software modules.

I believe that Cisco are making huge strides in the security market and feel that although some products may not offer the same performance as others in a certain environment, their products for the most part integrate well into organisations with less administrative overhead if the customer is already a Cisco customer.  I’m trying to stay neutral here and not show a preference either way but I will say that I think Cisco’s layered approach to security is very good.  It is because they have such a wide range of products that slot together well that customers are keen to choose Cisco, in my opinion.  UTM solutions are good for the SMB market but offer little in the way of tiered defence.  That said, if I was recommending an appliance for a customer who specified strong security was the priority then performance has to be the deciding factor regardless of vendor.

Anyway, here’s the article -> http://www.networkworld.com/news/2008/111708-cisco-sec.html

Cisco’s new(ish) flagship security event management platform is beginning to make its mark but I wanted to know what it brought to the table that made it different from the rest of the solutions available.

Security Information Management (SIM) platforms are used to provide a central repository for security devices to send any events generated to.  Most SIM offerings have a web front end that allows network security staff access to view all of the logs generated by devices on their network.  SIMs offer excellent benefits to an organization by allowing security events to be viewed from a single source, the SIM will have the necessary disk space to store these events while making them available for analysis and reporting.  Another benefit to us that SIMs provide is that they can correlate event data to show any events received that share certain variables allowing us to recognize trends in the network between reporting devices.  The SIM can be configured to alert administrators if certain events are triggered however it is then up to the administrator to find a way of mitigating whatever is triggering the alerts.

The previous SIMs available before CS-MARS provided some excellent features that enabled network security staff to store, analyse and archive any events generated by devices configured to report to the SIM.  An added benefit is that SIMs can help organizations comply with legislation set out to ensure that companies secure data that is confidential such as in the healthcare sector or online stores that retain personal data of customers.

As you can see SIMs offer us a great deal of functionality but they were lacking in areas that hadn’t been ventured into before by other vendors.  CS-MARS (Cisco Security – Monitoring Analysis Response System) brought us the features that other vendors lacked.  CS-MARS came about when Cisco purchased Protego Networks for $65M to extend the capability of Cisco’s self-defending network. Protego had embraced the concept of SIM but enhanced this by adding STM (Security Threat Management) to the MARS product, which Cisco has developed much further since acquiring it.  STM brings new features to the SIM market, allowing us to do things such as timely attack mitigation through mitigation advisories.  Also, because of the STM-oriented design, MARS has better overall topology awareness, which makes other things possible such as end-to-end network awareness to provide session awareness and data reduction by reducing millions of events down to hundreds.  MARS mitigation strategies employ the use of TCP resets, shuns, editing ACLs and rulebases.

In short, CS-MARS demonstrates an impressive range of new and innovative features in one solution that nothing else on the market can compare to.  Security event management, correlation and normalization of events combined with the option for attack mitigation advisories and immediate single-click mitigation deployments places MARS in a class of its own.

Learning the routing and switching stuff for CCNP has been fun ( honest :-/ ) and I’m glad I chose to do it as it’s made me more complete as far as networking goes. I’m a great believer that to be truly good at your profession you have to be proficient in any areas that it relies upon. Obviously, security products sit on top of our infrastructures so being more aware of that will help me in the future – actually, it’s helped me already as I recently had to use a 3750 as a media converter for the IPS 4260 (fibre to copper and then from copper back to fibre) where I had to use private VLANs to get it working. I wouldn’t have been aware of that previously and therefore would have been limited in that situation if I hadn’t been aware of private VLANs and their uses.

I’m trying to not look past the ISCW exam as the CCNP isn’t over quite yet but I am looking forward to getting my head back into security full time. I’m going to do a bit of Checkpoint NGX next to bolster my checkpoint skills (I’m currently a CCSA on Checkpoint NG) and then I am going to go for the CCIE Security written exam. After QoS I am sure it will be a joy to read up on! Haha

Ian

I recently installed Cisco Security Manager for a client and up until then I had pretty limited experience with it as it’s still relatively fresh on the market. The install itself is very easy.  Next, next, next… almost. After a few teething problems with McAfee AV hanging the server it was all up and running and ready for devices to be added in. McAfee, by the way, was trying to scan the CSM database and couldn’t and that was what hung the machine. The only way around it was to exclude the folder where the database is and it worked fine after that.

For those of you who don’t know what Cisco Security Manager does, it’s basically a replacement for the old Cisco VMS Works, in my opinion anyway – I’m not sure if Cisco market it as that. It has some pretty good features built into it that allow you to manage your security policies in a more uniform fashion across your network. The ability to copy policies from one device to another is a great way of adding extra layers of security throughout your network. I installed a Cisco 4260 IPS after the CSM server and I especially liked the benefit of copying signature policies between IPSs as it saves a lot of time wasted on ensuring devices have the same signature set when inspecting segments that should have the same inspection policies applied.

I also added in a live Cisco ASA5540 to the device repository but it threw a lot of errors up so I have deleted it out for the time being as the customer is not looking to use CSM with his firewalls at the moment. We’ll also be installing CS-MARS in the near future and that can tie in with CSM so I’ll report back on how that goes.

Ian

Almost there!!

It’s been a while since my debut post so I reckon my blog is due a wee update now. The CCNP is going well so far, I’ve passed BSCI, BCMSN and ONT. I’m working my way through the ISCW coursework at present and it’s going well. My CCSP has helped a bit so far with all the VPN stuff that’s included so I’m hoping the exam will be a bit easier for this one. Out of the three exams passed, I’d have to say BSCI was the hardest, BCMSN was the easiest but that was mainly due to the fact that I enjoyed learning what I deem to be the fundamentals of networking. ONT was pretty boring to be honest and it was a struggle reading the book as it was so dry and I wasn’t all that interested in Quality of Service to be honest. So fingers crossed for me people, three down and one to go!!

I’ve ended up mainly using Cisco Press books and Jeremy Cioara’s CBT Nuggets as the Cisco Network Academy wasn’t up to much, in my opinion. The slides they provide online didn’t go into enough detail to pass the exam but instead left links to lots of Cisco technology papers at the bottom, of which there were far too many to read in one lifetime.

The best and most time efficient way I’ve found for studying is to watch the CBT Nuggets ( Jeremy Cioara is a legend! ) and then read the Cisco Press book afterwards while working through the NIL labs. One without the other would be less than half effective I believe. The CBT Nuggets give an excellent visual aid and help you to understand what sentences can’t explain but you really need to read the Cisco Press books to get all the details you need for the exam.

Ian

As a consultant with strong Cisco experience I need to make sure my skills and certifications are sharp.  The ultimate goal is to earn the coveted Cisco CCIE certification.  I am currently a Cisco CCSP and will, hopefully, soon be a Cisco CCNP. Once I finish the CCNP, and I will finish it despite my past procrastination, I will hopefully make a start on the CCIE track and keep record of that on here too.  My interest lies in the security field but as a freelance consultant I need to aim towards the most lucrative market so I may slip the CISSP in before the CCIE depending on my situation and work commitments.  The security market is “about to boom”… or so I’ve been told for the last five years. If only I’d chosen to follow the voice route… Ok, maybe not, voice isn’t really my bag baby.

I started my studies in August 07 when I started to tackle the Cisco BSCI course. I’ve been using various study methods to get through the CCNP. The Cisco Network Academy was my main port of call as I signed up to the CCNP track which is being run from my local University. I’ve also been using online labs, courtesy of www.nil.si. For those of you who have never used them, these are excellent study aids. They provide excellent lab scenarios with practical goals and helpful study guides. CBT Nuggets have some excellent videos that can be purchased for a reasonable amount so I’ll be using these and, last but not least, good old Cisco Press books; these are great for stacking up in the spare room and impressing all your friends with your knowledge of all things technical. Just hope they don’t ask you a question about what’s in them. :-P

I’ll do my best to keep the posts in my blog frequent and I’ll try not to be toooo boring when I rabbit on about how I’m getting on. Hopefully, if you’re reading this I’ll provide you with some “what not to do’s” so that you don’t make the same mistakes that I am inevitably about to make! If I can be bothered I may even try to write a few ‘white paper’ type posts that are aimed at routing and switching. Firstly, to get me up off my ass and do a bit of research in something that will no doubt help me understand my trade. Secondly, to help whoever is reading my blog understand certain areas of the CCNP track. I often find that some authors make things easier to read than others who can often over complicate things, so hopefully if a simpleton like my good self can understand something then I may be able to put this down in a format that most of you can understand and perhaps help.

Oh, and feel free to add your comments. :-)

Stay tuned..

Ian