Difference between revisions of "SNAF 642-524"

Revision as of 8 June 2010, 09:07


SNAF - 642-524 - Securing Networks with ASA Foundation

Based on this Cisco exam, since it is really good and covers a great deal of what an ASA can do.

You probably cannot pass by having read only this, but I use the page myself as notes for the SNAF exam. Remember to take a look at the links as well.

Exam Topics

ASA version: 8.0.2

ASDM Version: 6.0.2

Configure Security Appliances for secured network connectivity

Configure and verify network and interface settings using ASDM and CLI

Configuration -> Device Setup -> Interfaces -> press the Add button.

interface Ethernet0/2
 no shutdown
 nameif DMZ
 security-level 50
 ip address 10.10.5.1 255.255.255.0

Subinterface

Remove nameif from the parent interface to remove IP connectivity on it.

interface Ethernet0/2
 no nameif
interface Ethernet0/2.50
 vlan 50
 no shutdown
 description Interface for vlan 50
 nameif Vlan50
 security-level 50
 ip address 10.10.50.1 255.255.255.0

DHCP

ASDM: Configuration -> Device Management -> DHCP -> DHCP Server

CLI:

dhcpd address 10.10.10.10-10.10.10.20 inside
dhcpd enable inside
dhcpd dns 8.8.8.8 interface inside

Show

sh run nameif

interface Ethernet0/0
 nameif outside
 security-level 0
sh inter ip brief
Interface                  IP-Address      OK? Method Status                Protocol
Ethernet0/0                192.168.200.101 YES DHCP   up                    up

Configure and verify NAT globals, statics, NAT exemption, and Identity NAT using ASDM

Traffic from a high security level to a low security level is allowed, but not from low to high.
Inside -> Outside = OK, but Outside -> Inside = not OK without explicit permission.

nat-control

natcontrol.png

As the picture shows, a NAT rule must have been created for the traffic to be allowed if nat-control is enabled, which it is not here.

static (high, low) low high netmask tcp [simultaneous tcp conns] [embryonic connections] udp [simultaneous udp conns]


Pictures of various NAT rules

static (inside,management)  192.168.1.20 10.10.10.10 netmask 255.255.255.255

ASDM:

nat1l.png

This translates 192.168.1.20 on management to 10.10.10.10 on inside, so the 10.10.10.10 server can be reached from management via 192.168.1.20.

Dynamic NAT/PAT

dynnat1.png

Everything from management exits on outside via PAT, since no NAT pools have been created; those would otherwise be used first.

NAT order of operations:

  1. Check Access Rules
  2. Check routing table for exit interface
  3. Look in current translation table
  4. Check for NAT Exemptions
  5. Static NAT and PAT (regular and policy)
  6. Policy dynamic NAT
  7. Regular dynamic NAT
  8. If NAT control is enabled and nothing above matched, drop the packet.
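The order above (steps 3 to 8) and the pre-8.3 static syntax from the NAT section, modelled in Python as an added example that is not part of the original notes. The parser reads the page's static line plus constructed nat lines; the ACL names NO-NAT and POLICY-NAT and their contents are hypothetical, global pools are not modelled, and steps 1 and 2 (access rules, routing) are outside the model. The point it shows is that one source address can match several rules and only the earliest step in the order wins, and that with nat-control off an unmatched packet is forwarded untranslated rather than dropped.

```python
import ipaddress
import re

# Order of operations from the notes: exemptions (4), static (5),
# policy dynamic (6), regular dynamic (7), then drop or forward (8).
PRIORITY = {"exempt": 4, "static": 5, "policy_dynamic": 6, "dynamic": 7}

# Pre-8.3 syntax as the page writes it: static (real_ifc,mapped_ifc) mapped real netmask mask
STATIC_RE = re.compile(
    r"^static \((?P<real_ifc>[\w-]+),(?P<mapped_ifc>[\w-]+)\) "
    r"(?P<mapped_ip>\S+) (?P<real_ip>\S+) netmask (?P<mask>\S+)")
NAT_NET_RE = re.compile(
    r"^nat \((?P<real_ifc>[\w-]+)\) (?P<nat_id>\d+) (?P<real_net>\S+) (?P<mask>\S+)$")
NAT_ACL_RE = re.compile(
    r"^nat \((?P<real_ifc>[\w-]+)\) (?P<nat_id>\d+) access-list (?P<acl>\S+)$")

# Constructed ACL contents referenced by the "nat ... access-list" lines below
# (hypothetical names; the page defines no ACLs of its own).
SAMPLE_ACLS = {
    "NO-NAT": [ipaddress.ip_network("10.10.30.0/24")],
    "POLICY-NAT": [ipaddress.ip_network("10.10.20.0/24")],
}

# Constructed configuration: the static line is the one from the page, the rest
# is added so that every step of the order has a rule to match.
SAMPLE_CONFIG = """\
nat-control
nat (inside) 0 access-list NO-NAT
static (inside,management) 192.168.1.20 10.10.10.10 netmask 255.255.255.255
nat (inside) 2 access-list POLICY-NAT
nat (inside) 1 10.10.0.0 255.255.0.0
nat (management) 1 192.168.1.0 255.255.255.0
"""


def parse_nat_config(text, acls):
    """Return (rules, nat_control) from pre-8.3 nat/static lines.
    Each rule records its kind, real interface, real network and source line."""
    rules, nat_control = [], False
    for raw in text.splitlines():
        line = raw.strip()
        if line == "nat-control":
            nat_control = True
            continue
        m = STATIC_RE.match(line)
        if m:
            real = ipaddress.ip_network(f"{m['real_ip']}/{m['mask']}", strict=False)
            rules.append({"kind": "static", "ifc": m["real_ifc"], "real": real,
                          "mapped": m["mapped_ip"], "text": line})
            continue
        m = NAT_ACL_RE.match(line)
        if m:  # nat 0 with an ACL is exemption, nat N with an ACL is policy NAT
            kind = "exempt" if m["nat_id"] == "0" else "policy_dynamic"
            for net in acls[m["acl"]]:
                rules.append({"kind": kind, "ifc": m["real_ifc"], "real": net, "text": line})
            continue
        m = NAT_NET_RE.match(line)
        if m and m["nat_id"] != "0":  # regular dynamic NAT/PAT (global pool not modelled)
            real = ipaddress.ip_network(f"{m['real_net']}/{m['mask']}", strict=False)
            rules.append({"kind": "dynamic", "ifc": m["real_ifc"], "real": real, "text": line})
    return rules, nat_control


def select_translation(src_ip, src_ifc, rules, nat_control, xlate=None):
    """Return (step, description) for the source address of a packet entering
    src_ifc, following steps 3 to 8 of the order above."""
    ip = ipaddress.ip_address(src_ip)
    if xlate and src_ip in xlate:  # step 3: an existing translation is reused
        return 3, f"existing xlate {src_ip} -> {xlate[src_ip]}"
    for kind in ("exempt", "static", "policy_dynamic", "dynamic"):  # steps 4-7
        for rule in rules:
            if rule["kind"] == kind and rule["ifc"] == src_ifc and ip in rule["real"]:
                return PRIORITY[kind], f"{kind}: {rule['text']}"
    if nat_control:  # step 8
        return 8, "drop: nat-control enabled and no translation matched"
    return 8, "forward untranslated: nat-control disabled"


if __name__ == "__main__":
    rules, nat_control = parse_nat_config(SAMPLE_CONFIG, SAMPLE_ACLS)
    for src in ("10.10.30.5", "10.10.10.10", "10.10.20.7", "10.10.40.1", "172.16.0.1"):
        print(src, select_translation(src, "inside", rules, nat_control))
```

All four inside networks also fall inside the dynamic rule for 10.10.0.0/16, so the result for each source shows which earlier step captured it; 172.16.0.1 matches nothing and is dropped only because nat-control is present in the sample.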

Configure and verify access-lists with or without object groups using ASDM

Conf -> Firewall -> Objects

Network Object Groups

  • Can contain one or more networks or IP addresses

IP Names

  • Name IP addresses so they are easier to remember; e.g. a web server with IP 10.10.10.10 may be easier to remember by calling it web-server
name 10.10.10.10 web-server description En Web Server

Service groups:

  • Service
  • TCP
  • UDP
  • TCP-UDP
  • ICMP
  • Protocol

Global Pools

  • Used for NAT/PAT

Time Ranges

  • Create time ranges, e.g. for ACLs or login time.


Pictures and explanation of ACL rules

Configure and verify routing and switching on Security Appliances

Describe the routing capabilities of the Security Appliance

ASDM: Conf -> Device Setup -> Routing

  • Static
  • RIP
  • OSPF
  • EIGRP

Use ASDM to configure VLANs on a Security Appliance interface

See subinterface.

If there is no nameif on the parent interface, it has no IP connectivity, and with several subinterfaces it automatically becomes an 802.1Q trunk. From the "Cisco Security Appliance Command Line Configuration Guide": "For each VLAN to pass traffic, you need to configure an interface name (the nameif command), and for routed mode, an IP address."
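The interface rules above (a parent interface without nameif carrying 802.1Q subinterfaces, each needing nameif and an IP address to pass traffic, and the security-level default from the NAT section) as an added Python check that is not part of the original notes. It parses a constructed running-config excerpt written in the style of the page's interface stanzas; the interface names and addresses are sample values, and the equal-security-level case is treated as not allowed, which is an assumption the page does not state.

```python
import ipaddress

# Constructed running-config excerpt in the page's style: a parent interface
# carrying two 802.1Q subinterfaces, one of them without an IP address.
SAMPLE_CONFIG = """\
interface Ethernet0/0
 nameif outside
 security-level 0
 ip address 192.168.200.101 255.255.255.0
!
interface Ethernet0/2
 no nameif
 no security-level
 no ip address
!
interface Ethernet0/2.50
 vlan 50
 description Interface for vlan 50
 nameif Vlan50
 security-level 50
 ip address 10.10.50.1 255.255.255.0
!
interface Ethernet0/2.60
 vlan 60
 nameif Vlan60
 security-level 50
!
"""


def parse_interfaces(text):
    """Map interface name -> settings from the indented lines under each
    'interface' stanza. 'no nameif' and similar negations leave the field unset."""
    ifaces, cur = {}, None
    for raw in text.splitlines():
        if raw.startswith("interface "):
            cur = {"nameif": None, "level": None, "ip": None, "vlan": None, "shutdown": False}
            ifaces[raw.split()[1]] = cur
        elif cur is not None and raw.startswith(" "):
            words = raw.split()
            if words[0] == "nameif":
                cur["nameif"] = words[1]
            elif words[0] == "security-level":
                cur["level"] = int(words[1])
            elif words[:2] == ["ip", "address"]:
                cur["ip"] = ipaddress.ip_interface(f"{words[2]}/{words[3]}")
            elif words[0] == "vlan":
                cur["vlan"] = int(words[1])
            elif words[0] == "shutdown":
                cur["shutdown"] = True
        else:
            cur = None  # "!" or any non-indented line ends the stanza
    return ifaces


def passes_traffic(iface):
    """Routed mode, per the guide quote: the interface needs a nameif and an
    IP address (and must not be shut down) before it carries traffic."""
    return iface["nameif"] is not None and iface["ip"] is not None and not iface["shutdown"]


def trunk_parents(ifaces):
    """Physical interfaces carrying 802.1Q subinterfaces, with their VLAN ids and
    whether the parent still has a nameif (the notes say to remove it)."""
    parents = {}
    for name, iface in ifaces.items():
        if "." not in name:
            continue
        phys = name.split(".", 1)[0]
        entry = parents.setdefault(phys, {
            "subinterfaces": [], "vlans": [],
            "parent_has_nameif": ifaces.get(phys, {}).get("nameif") is not None})
        entry["subinterfaces"].append(name)
        entry["vlans"].append(iface["vlan"])
    return parents


def allowed_without_acl(src_level, dst_level):
    """Default policy from the NAT section: higher security level to lower is
    allowed, lower to higher is not. Equal levels are treated as not allowed
    here (assumption; the ASA needs same-security-traffic permit for that)."""
    return src_level > dst_level


if __name__ == "__main__":
    ifs = parse_interfaces(SAMPLE_CONFIG)
    for name, iface in ifs.items():
        print(f"{name:16} nameif={iface['nameif']} ip={iface['ip']} passes={passes_traffic(iface)}")
    print(trunk_parents(ifs))
```

Running it shows Ethernet0/2.60 as not passing traffic (it has a nameif but no IP address), Ethernet0/2 as a trunk carrier for VLANs 50 and 60 with no nameif of its own, and the security-level check returning True only for a higher-to-lower flow.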

Use ASDM to configure the passive RIP routing functionality of the Security Appliance

RIP version 2

ASDM:

pasvrip.png

router rip
 version 2
 passive-interface default

Configure and verify Authentication, Authorization, & Accounting services for Security Appliances

Configure ACS for Security Appliance support

ACS -> Network Conf -> AAA Clients -> Add Entry

AAA Client Hostname: ASA

AAA Client IP Address: 10.10.10.1


ACS -> User Setup: create users

ACS -> Downloadable ACL ?

Use ASDM to configure the Security Appliance AAA features

Conf -> Device Management -> Users/AAA -> AAA Server Groups

Under AAA Server Groups, create a new group of servers.

Select the group and choose Add under Servers in the Selected Group.


RADIUS TACACS+

Configure and verify Auth-Proxy (cut-through proxy) using ASDM

Supports:

  • TCP port 21, FTP
  • TCP port 23, telnet
  • TCP port 80, HTTP
  • TCP port 443, HTTPS


Setup:

  • Create an AAA server group
  • Add an AAA server
  • Add an AAA rule in Configuration -> Firewall -> AAA Rules

addaaarule.png

See logged-in users: ASDM: Monitoring -> Properties -> Device Access -> Authenticated Users

CLI: show uauth

Delete logged-in users: clear uauth

Configuration -> Firewall -> AAA Rules -> press the Advanced button; here you can choose whether the login should be forwarded to the (web) server at the other end.

aaaadvopt.png

If the server at the other end also requires a login, but one different from the one the AAA server knows, a Virtual HTTP server must be used.

ASDM: Configuration -> Firewall -> Advanced -> Virtual Access

Remember that web browsers can cache the login, so if Telnet and FTP appear to work normally but HTTP/S does not time out, that may be the reason.


Authentication Prompt

Configuration -> Device Management -> Users/AAA -> Authentication Prompt


Authentication Timeouts

Configuration -> Firewall -> Advanced -> Global Timeouts


Downloadable ACLs

  • Fetches the ACL for the user from the AAA server
  • Only supported by RADIUS
  • For a name starting with #ACSACL#-

ACS:

Interface Configuration -> Advanced Options -> Advanced Options -> User/Group-Level Downloadable ACLs

Shared Profile Components -> Choose Downloadable IP ACLs -> Click Add

show access-list

Shows all access lists, including downloadable ones.

show uauth

Also shows the ACL for the user


Per-User Override

Override ACLs per user, e.g. if an ACL allows something but a particular user must not access that server, per-user override can be used.

ASDM: Configuration -> Firewall -> Access Rules -> press Advanced and tick Per User Override next to the ACL it is allowed on.

Configure and verify Layer 3 & 4 protocol inspection, Modular Policy Framework, and threat detection for Security Appliances

Configure and verify Layer 3 and Layer 4 protocol inspection using ASDM

" You can only apply one global policy, so if you want to alter the global policy, you need to either edit the default policy or disable it and apply a new one. (An interface policy overrides the global policy for a particular feature.)"


Order (CBT Nuggets):

  1. TCP normalization, connection limit and timeout, and seq # randomization
  2. CSC
  3. Application Inspection
  4. IPS
  5. QoS input policing
  6. QoS output policing
  7. QoS priority queuing

ASA Guide: Modular Policy Framework supports the following features:

  • QoS input policing
  • TCP normalization, TCP and UDP connection limits and timeouts, and TCP sequence number randomization
  • CSC
  • Application inspection (multiple types)
  • IPS
  • QoS output policing
  • QoS standard priority queue
  • QoS traffic shaping, hierarchical priority queue

Configure and verify Modular Policy Framework using ASDM

1. Service Policy (interface/global)
2. Match
3. Action

Use ASDM to configure and verify threat detection

Conf -> Firewall -> Threat Detection

Basic is the default. Scanning can be enabled.

Stats for: Top 10 / 200, Access rules, Port, Protocol, TCP Intercept

Configure and verify secure connectivity using VPNs

Configure and verify remote access VPNs using ASDM

Wizards -> IPsec VPN Wizard -> Remote Access

Configure and verify IPsec VPN clients with preshared keys using ASDM

vpnclient.png

Host: VPN Interface IP (Public)

Name: IPsec Connection Profile

Password: Pre Shared Key

Configure and verify site-to-site VPNs with preshared keys using ASDM

Wizards -> IPsec VPN Wizard -> Site to Site


Monitoring -> VPN -> Sessions

Verify IKE and IPsec using ASDM and CLI

show crypto isakmp

show crypto ipsec sa

show crypto ca certificates Show certificates

show crypto ca crls Show Certificate Revocation Lists

show run crypto map

Configure and verify clientless SSL VPN using ASDM

" The security appliance recognizes connections that need to be proxied, and the HTTP server interacts with the authentication subsystem to authenticate users. "

" Limit Internet access for users of Clientless SSL VPN. One way to do this is to clear the Enable URL entry check box on the Configuration > Remote Access VPN > Clientless SSL VPN Access > Dynamic Access Policies > Add or Edit > Functions tab. Then configure links to specific targets within the private network (Configuration > Remote Access VPN > Clientless SSL VPN Access > Dynamic Access Policies > Add or Edit > URL Lists tab). "

" Clientless SSL VPN—VPN via SSL/TLS. Uses a web browser to establish a secure remote-access tunnel to a VPN Concentrator; requires neither a software nor hardware client. Clientless SSL VPN can provide easy access to a broad range of enterprise resources, including corporate websites, web-enabled applications, NT/AD file share (web-enabled), e-mail, and other TCP-based applications from almost any computer that can reach HTTPS Internet sites. "

Configure and verify active/standby and active/active failover features on Security Appliances

Configure and verify active/standby failover using ASDM

failover reset

Configure and verify active/active failover using ASDM

Configure and verify redundant Interface using ASDM

Conf -> Device Setup -> Interfaces

Add Redundant Interface

Interface redundant1
 member-interface Ethernet0/2
 member-interface Ethernet0/3
 no shutdown
 description Redundant Interface 1
 nameif Redu1
 security-level 100
 ip address 10.10.5.1 255.255.255.0

Configure transparent firewall and virtual firewall features on a Security Appliance

Explain the purpose of virtual & transparent firewalls

Context: virtual firewall. Does not support:

  • Dynamic routing
  • VPN
  • Multicast routing (bridging is supported)
  • Threat Detection


Transparent firewall:

  • No IP on the interfaces, only a management IP
  • VLANs on different VLANs, but the same network
  • No router hop, bump in the wire
  • Can forward things that routed mode cannot, e.g. EtherTypes

Configure and verify the transparent firewall feature of the Security Appliance using CLI

ASA(config)# firewall transparent

All configuration is cleared, so remember to save.

show mode

Configure and verify the virtual firewall feature of the Security Appliance using ASDM

Monitor and manage installed Security Appliances

Update, backup, and restore configurations and software images using ASDM and CLI

Blank config, opening up for ASDM:

  • Name: inside, give IP and netmask
  • Set time, hostname, and domain
  • Start the http service
  • Allow hosts in on http
  • Optional: choose the asdm image

interface Management0/0
 nameif management
 security-level 100
 ip address 192.168.1.1 255.255.255.0

hostname ASA
domain-name domain.local
clock set hh:mm:ss DAY MONTH Year

http server enable
http 192.168.1.0 255.255.255.0 management

asdm image disk0:/asdm-602.bin

Boot image:

boot system disk0:/asa802-k8.bin

Install and verify Licensing using ASDM

ASDM: Configuration > Device Management > System Image/Configuration > Activation Key

1. Get the key from cisco.com based on the serial number from the show version command
2. Reboot the ASA to make sure the image in flash is the same as the running one.
3. Go to Configuration > Device Management > System Image/Configuration > Activation Key and enter the key as 4 or 5 blocks separated by spaces.
4. Press Update Activation Key
5. Reboot the ASA to activate the key.

Configure and verify Console and SSH/Telnet access

ASDM: Conf -> Device Management -> Management Access -> Command Line (CLI) -> Secure Shell (SSH)

SSH requires:

  • Hostname
  • Domain name
  • A user created
  • RSA key

ASDM: Conf -> Device Management -> Users/AAA -> AAA Access -> Authentication

Next to SSH, tick the box and choose LOCAL.

username AdminUser password AdminPass
aaa authentication ssh console LOCAL
crypto key generate rsa modulus 1024

ssh 192.168.1.0 255.255.255.0 management

ASDM: Conf -> Device Management -> Management Access -> Command Line (CLI) -> Telnet

telnet 192.168.1.0 255.255.255.0 management
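The SSH prerequisites and the ssh/telnet/http host lines above, turned into an added Python configuration audit that is not part of the original notes. It reads a constructed running-config excerpt built from the page's commands plus one deliberately broad ssh line; the RSA key cannot be seen in the running config (the page checks it with show crypto key mypubkey rsa), so the caller passes that as a flag. The /16 threshold for "too broad" is an assumption chosen for the example.

```python
import ipaddress

# Constructed running-config excerpt: the page's management-access commands,
# plus an overly broad ssh line added so the audit has something to flag.
SAMPLE_CONFIG = """\
hostname ASA
domain-name domain.local
username AdminUser password AdminPass
aaa authentication ssh console LOCAL
ssh 192.168.1.0 255.255.255.0 management
ssh 0.0.0.0 0.0.0.0 outside
ssh timeout 5
telnet 192.168.1.0 255.255.255.0 management
http server enable
http 192.168.1.0 255.255.255.0 management
"""


def audit_management_access(text, rsa_key_present, max_prefixlen=16):
    """Return a list of findings: missing SSH prerequisites from the notes,
    management-access lines broader than max_prefixlen, and any telnet access
    (cleartext). rsa_key_present comes from the caller because the key is not
    part of the running config."""
    lines = [l.strip() for l in text.splitlines() if l.strip()]
    words = [l.split() for l in lines]
    findings = []
    for keyword, why in (("hostname", "needed for the RSA key name"),
                         ("domain-name", "needed for the RSA key name"),
                         ("username", "no local user for SSH login")):
        if not any(w[0] == keyword for w in words):
            findings.append(f"ssh: missing {keyword} ({why})")
    if not any(l.startswith("aaa authentication ssh console") for l in lines):
        findings.append("ssh: no 'aaa authentication ssh console ...' line")
    if not rsa_key_present:
        findings.append("ssh: no RSA key (check with show crypto key mypubkey rsa)")
    for w in words:
        # Only "<proto> <ip> <mask> <interface>" lines are host-access lines;
        # "ssh timeout 5" and "http server enable" have a different shape.
        if w[0] not in ("ssh", "telnet", "http") or len(w) != 4:
            continue
        net = ipaddress.ip_network(f"{w[1]}/{w[2]}", strict=False)
        if net.prefixlen < max_prefixlen:
            findings.append(f"{w[0]}: {net} on {w[3]} is broader than /{max_prefixlen}")
        if w[0] == "telnet":
            findings.append(f"telnet: cleartext management access from {net} on {w[3]}")
    return findings


if __name__ == "__main__":
    for finding in audit_management_access(SAMPLE_CONFIG, rsa_key_present=True):
        print(finding)
```

On the sample the audit reports the 0.0.0.0/0 ssh line on outside and the telnet line on management; feeding it a config with only a broad ssh line and no RSA key lists every missing prerequisite as well.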

Configure and utilize Logging using ASDM

ASDM: Conf -> Device Management -> Logging

-> Event Lists

-> Logging Filters

-> Syslog Servers

Miscellaneous

The SAST keys can be seen via the show crypto key mypubkey rsa command.

" Note: If you remove a static command, current connections that use the translation are not affected. In order to remove these connections, enter the clear local-host command. You cannot clear static translations from the translation table with the clear xlate command; you must remove the static command instead. Only dynamic translations created by the nat and global commands can be removed with the clear xlate command. "

" NOTE If you don’t configure the nat-control command, then address translation is optional. The appliance will use any address translation policies you’ve configured, and if a packet doesn’t match a translation policy, it isn’t translated, but forwarded as is. "

ASA Links

ASDM 6.0 User Guide

ASA CLI Configuration Guide 8.0

https://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a0080b1ee95.shtml

http://www.wr-mem.com/

http://www.wr-mem.com/?p=4

http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a0080940e04.shtml

https://supportforums.cisco.com/docs/DOC-1268

http://www.networkstraining.com/ciscoasaebook.php

http://www.networkworld.com/community/node/58537

http://www.iflipr.com/deck/search?query=snaf

https://learningnetwork.cisco.com/docs/DOC-2800

http://blog.ine.com/

https://learningnetwork.cisco.com/message/11409#11409

http://blog.ine.com/2009/04/19/understanding-modular-policy-framework/

http://oav.net/mirrors/cidr.html

http://www.quia.com/quiz/497859.html?AP_rand=334332925

http://www.ciscopress.com/articles/article.asp?p=24833&seqNum=6

http://www.subnet-calculator.com/