In the past, the most prevalent types of hacking attacks were “server side”. There were lots of vulnerabilities and security weaknesses in server software (IIS, Apache, Windows, etc.) that hackers could exploit with little effort to gain remote access to public servers from the Internet.

The big players in the software industry and in the security protection area have made vast advancements in protecting their products (secure coding) and in developing advanced mechanisms to protect IT systems and the perimeter of networks. Thus, “server side” attacks are relatively rare nowadays.

Hackers, who are usually one step ahead of security professionals, have therefore found alternative ways to attack systems and gain access to sensitive data. “Client side” is now the most frequent attack channel that gives malicious attackers access to internal networks.

Client-Side Attacks go after weaknesses in Desktop applications such as browsers, office applications, media players, email clients etc. Some critical recent client-side vulnerabilities were found in Java, Adobe Flash Player, Internet Explorer, Adobe Reader etc.

Websites that distribute malware, emails that contain phishing links, downloaded pirated software, email attachments, links placed on social networks, etc. are some of the methods hackers use to deliver their “client side attacks”, and they are usually very successful in gaining access to clients’ machines and hence to the inside of protected networks.

One simple and effective way to protect enterprise and home users from client-side attacks is OpenDNS. Taken from their website:

“…OpenDNS is obsessed with inventing new methodologies to eradicate malware, botnets and phishing through DNS, and use the system to intelligently route our users around it. Not to mention speed up the Internet and move the state of the art for the Domain Name System forward.”

I know that there is no 100% security, but using OpenDNS will enhance protection of users a lot. Basically users need to change their DNS settings on computers (or on their Internet router) and use the OpenDNS IP addresses which are:

208.67.222.222

208.67.220.220

If a user is tricked into going to a phishing site or browses accidentally to a malicious website, OpenDNS will block the connection when a DNS request is made from the user to resolve the IP address of the malicious site. With a database of millions of harmful domains and websites and with phishing intelligence from around the world, OpenDNS will block access to such malicious content before even starting the network communication.

Cisco ASA VPN Hairpinning

EDIT:

My book “Cisco ASA Firewall Fundamentals-3rd Edition” is now available on Amazon as a paperback book. MORE INFORMATION HERE

Some time ago a visitor of my website asked me to help him with a special Cisco ASA VPN configuration, and I thought I would share it here to help other people as well.

The specific network scenario was the following:

The requirements of the network setup are:

  • Two sites connected with IPSEC Site-to-Site VPN over the Internet. Both sites using Cisco ASA firewalls (version 9.x or 8.4).
  • Site1 is the main headquarters site and Site2 is a remote branch site.
  • The LAN networks on each site communicate between them over the IPSEC VPN tunnel.
  • Hosts in Site1 (network 192.168.1.0/24) can access the Internet via the local Internet connection through ASA1.
  • Hosts in Site2 (network 192.168.2.0/24) can access the Internet ONLY through Site1 via the VPN tunnel. Although there is a local Internet connection on Site2, hosts are not allowed to access the Internet directly. They must come to Site1 (ASA1) over the VPN tunnel and then exit the same ASA1 firewall for accessing the Internet.
  • The situation of having VPN traffic entering and exiting the same ASA interface is called VPN Hairpinning (or “VPN on a stick”).

Scenarios like the above are useful in situations where you want to have centralized control of all Internet access (for hosts in the main site and for hosts in remote branch sites as well). You can implement content filtering, caching, virus protection etc on the central main site and have all the other sites use these centralized resources.

Some key points to have in mind in order to implement the scenario above are the following:

  • Since Site2 hosts (private IP addresses) are not allowed to access the Internet locally, you must not configure NAT on ASA2 for translating the private addresses to public. Without that translation, they cannot reach the Internet directly through ASA2.
  • On ASA1, you will have traffic from Site2 entering and exiting the same interface (outside interface of firewall). To implement this you must enable “intra-interface” traffic on ASA1, so that traffic can enter and exit the same interface simultaneously. You can do this using the command “same-security-traffic permit intra-interface”.
  • On ASA1 you must perform PAT on traffic coming from Site2 so that it can access the Internet via its outside interface.
  • The ACL used for VPN Interesting Traffic on ASA2 must allow 192.168.2.0 towards “any IP”. This is required so that Site2 can access Internet hosts through the VPN tunnel.
  • The ACL used for VPN Interesting Traffic on ASA1 must allow “any IP” towards 192.168.2.0. This is required so that returning traffic from Internet hosts can flow through the VPN tunnel towards Site2.

Let’s now see the configuration on both ASA1 and ASA2.

Note: Only relevant configuration is shown.

ASA1

interface GigabitEthernet0
nameif outside
security-level 0
ip address 20.20.20.1 255.255.255.0
!
interface GigabitEthernet1
nameif inside
security-level 100
ip address 192.168.1.1 255.255.255.0

!Allow intra-interface traffic (to enter and exit same interface)

same-security-traffic permit intra-interface

!Configure required network objects

object network obj-local
subnet 192.168.1.0 255.255.255.0
object network obj-remote
subnet 192.168.2.0 255.255.255.0
object network internal-lan
subnet 192.168.1.0 255.255.255.0

!ACL for VPN Interesting Traffic. We allow any IP towards Site2

access-list VPN-ACL extended permit ip any 192.168.2.0 255.255.255.0

!NAT Exemption for VPN traffic between Site1 – Site2

nat (inside,outside) source static obj-local obj-local destination static obj-remote obj-remote

!Configure PAT for local LAN to access the Internet using ASA1 outside interface

object network internal-lan
nat (inside,outside) dynamic interface

!Configure PAT for remote Site2 LAN to access the Internet via ASA1 outside interface

object network obj-remote
nat (outside,outside) dynamic interface

!Configure Site-to-Site IPSEC VPN

crypto ipsec ikev1 transform-set TRSET esp-aes esp-md5-hmac
crypto map VPNMAP 10 match address VPN-ACL
crypto map VPNMAP 10 set peer 30.30.30.1
crypto map VPNMAP 10 set ikev1 transform-set TRSET
crypto map VPNMAP interface outside
crypto isakmp identity address
crypto ikev1 enable outside
crypto ikev1 policy 10
authentication pre-share
encryption aes
hash sha
group 2
lifetime 86400
tunnel-group 30.30.30.1 type ipsec-l2l
tunnel-group 30.30.30.1 ipsec-attributes
ikev1 pre-shared-key cisco123

ASA2

interface GigabitEthernet0
nameif outside
security-level 0
ip address 30.30.30.1 255.255.255.0
!
interface GigabitEthernet1
nameif inside
security-level 100
ip address 192.168.2.1 255.255.255.0

!Configure required network objects

object network obj-local
subnet 192.168.2.0 255.255.255.0
object network obj-remote
subnet 192.168.1.0 255.255.255.0

!ACL for VPN Interesting Traffic. We allow Site2 towards any IP.

access-list VPN-ACL extended permit ip 192.168.2.0 255.255.255.0 any

!NAT Exemption for VPN traffic between Site2 – Site1

nat (inside,outside) source static obj-local obj-local destination static obj-remote obj-remote

!Configure Site-to-Site IPSEC VPN

crypto ipsec ikev1 transform-set TRSET esp-aes esp-md5-hmac
crypto map VPNMAP 10 match address VPN-ACL
crypto map VPNMAP 10 set peer 20.20.20.1
crypto map VPNMAP 10 set ikev1 transform-set TRSET
crypto map VPNMAP interface outside
crypto isakmp identity address
crypto ikev1 enable outside
crypto ikev1 policy 10
authentication pre-share
encryption aes
hash sha
group 2
lifetime 86400
tunnel-group 20.20.20.1 type ipsec-l2l
tunnel-group 20.20.20.1 ipsec-attributes
ikev1 pre-shared-key cisco123


Configuring NAT on Cisco Routers

For the following scenarios we will be using the following simple network:

NAT on Cisco Router

Scenario 1:

Assume we have an internal Web server with IP address 192.168.1.10 connected on the LAN. We want to configure static NAT on the border Cisco router in order to translate the private IP of the Web Server to a public IP. That is, IP 192.168.1.10 should be translated to 20.20.20.10 (assuming that we own the public IP range 20.20.20.0/24).

Here is how to do it:

interface FastEthernet0/0
ip address 20.20.20.1 255.255.255.0
ip nat outside
!
interface FastEthernet0/1
ip address 192.168.1.1 255.255.255.0
ip nat inside
!
ip nat inside source static 192.168.1.10 20.20.20.10

With the above configuration, our web server will be visible on the public Internet as IP 20.20.20.10.


Scenario 2:

Assume now that we have only one public IP address, which is the one configured on the outside interface of our border router. We want traffic hitting our router’s public IP 20.20.20.1 on port 80 to be redirected to our internal Web Server at IP 192.168.1.10.

interface FastEthernet0/0
ip address 20.20.20.1 255.255.255.0
ip nat outside
!
interface FastEthernet0/1
ip address 192.168.1.1 255.255.255.0
ip nat inside
!
ip nat inside source static tcp 192.168.1.10 80 20.20.20.1 80


Scenario 3:

Here we want to configure dynamic NAT overload (PAT) using the outside interface of the router. This is the most common scenario for simple networks that need to have Internet access. All IP addresses of the LAN network (192.168.1.0/24) will be translated using the public IP of the router (20.20.20.1).

interface FastEthernet0/0
ip address 20.20.20.1 255.255.255.0
ip nat outside
!
interface FastEthernet0/1
ip address 192.168.1.1 255.255.255.0
ip nat inside
!
access-list 1 permit 192.168.1.0 0.0.0.255
ip nat inside source list 1 interface FastEthernet0/0 overload
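To make the three translation behaviours concrete, here is an added Python model of the router’s NAT table (example code, not part of the original article or of Cisco IOS). It implements the one-to-one static NAT of Scenario 1, the static port forward of Scenario 2 and the dynamic overload of Scenario 3, and shows which inbound packets each one admits; the outside host 198.51.100.7 and the PAT port range are constructed assumptions.

```python
from ipaddress import ip_address, ip_network

class NatRouter:
    """Models the three 'ip nat inside source' forms from the scenarios above."""

    def __init__(self, outside_ip):
        self.outside_ip = outside_ip
        self.static = {}          # Scenario 1: inside IP -> public IP (one-to-one)
        self.static_port = {}     # Scenario 2: (proto, public port) -> (inside IP, port)
        self.overload_nets = []   # Scenario 3: networks matched by access-list 1
        self.table = {}           # dynamic PAT entries: (proto, public port) -> (inside IP, port)
        self.next_port = 1024     # constructed starting point for PAT port allocation

    def outbound(self, proto, src, sport, dst, dport):
        """Translate a packet leaving inside->outside; returns the new 5-tuple or None."""
        if src in self.static:                                          # scenario 1
            return (proto, self.static[src], sport, dst, dport)
        for (p, pub_port), (in_ip, in_port) in self.static_port.items():  # scenario 2
            if (p, in_ip, in_port) == (proto, src, sport):
                return (proto, self.outside_ip, pub_port, dst, dport)
        if any(ip_address(src) in ip_network(n) for n in self.overload_nets):  # scenario 3
            pub_port = self.next_port
            while (proto, pub_port) in self.table or (proto, pub_port) in self.static_port:
                pub_port += 1
            self.table[(proto, pub_port)] = (src, sport)
            self.next_port = pub_port + 1
            return (proto, self.outside_ip, pub_port, dst, dport)
        return None   # no matching rule: the private source would leave untranslated

    def inbound(self, proto, src, sport, dst, dport):
        """Translate a packet arriving outside->inside; None means no mapping (dropped)."""
        for in_ip, pub_ip in self.static.items():                       # scenario 1 is bidirectional
            if dst == pub_ip:
                return (proto, src, sport, in_ip, dport)
        if dst != self.outside_ip:
            return None
        if (proto, dport) in self.static_port:                          # scenario 2 port forward
            in_ip, in_port = self.static_port[(proto, dport)]
            return (proto, src, sport, in_ip, in_port)
        if (proto, dport) in self.table:                                # scenario 3: reply to existing flow
            in_ip, in_port = self.table[(proto, dport)]
            return (proto, src, sport, in_ip, in_port)
        return None                                                     # unsolicited: no entry, dropped

def scenario1():
    r = NatRouter("20.20.20.1")
    r.static["192.168.1.10"] = "20.20.20.10"   # ip nat inside source static 192.168.1.10 20.20.20.10
    return (r.outbound("tcp", "192.168.1.10", 443, "198.51.100.7", 443),
            r.inbound("tcp", "198.51.100.7", 51000, "20.20.20.10", 80))

def scenario2():
    r = NatRouter("20.20.20.1")
    r.static_port[("tcp", 80)] = ("192.168.1.10", 80)   # static tcp 192.168.1.10 80 20.20.20.1 80
    return (r.inbound("tcp", "198.51.100.7", 51000, "20.20.20.1", 80),
            r.inbound("tcp", "198.51.100.7", 51001, "20.20.20.1", 22))

def scenario3():
    r = NatRouter("20.20.20.1")
    r.overload_nets.append("192.168.1.0/24")   # access-list 1 + interface FastEthernet0/0 overload
    out = r.outbound("tcp", "192.168.1.50", 40000, "198.51.100.7", 80)
    reply = r.inbound("tcp", "198.51.100.7", 80, "20.20.20.1", out[2])
    unsolicited = r.inbound("tcp", "198.51.100.7", 51000, "20.20.20.1", 80)
    return out, reply, unsolicited
```

Scenario 3 admits only replies to flows already in the table, which is why a LAN server behind plain overload is unreachable from outside without the port forward of Scenario 2.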



A few days ago I published the updated 3rd edition of the “Cisco ASA Firewall Fundamentals” tutorial ebook, which covers the latest ASA version 9.x and is applicable to both the 5500 and 5500-X series of devices. What I have done with the 3rd Edition (in addition to adding a lot of new content) is make sure that all configurations and examples in the book (commands, scenarios, etc.) work with the newest ASA v9.x software and on both 5500 and 5500-X devices.

Moreover, I have added extra chapters and I have updated existing chapters with new features and configurations that work on version 9.x. If you have a slightly older version (8.x) the book is still applicable for you. For example, in case of NAT which was completely changed in ASA v8.3 and later, the book includes the commands for pre-8.3 and post-8.3 versions.

As a free bonus with the main ASA Guide, I’m offering also a tutorial with 11 complete configuration examples. In each configuration example I include a network diagram at the beginning with the objectives of the scenario, and then I include the complete ASA configuration commands together with explanations and comments for each command.

The main ASA ebook is full of practical scenarios, examples, troubleshooting information (where necessary), lots of step-by-step configuration commands, some theory where needed, more than 50 colorful network diagrams and screenshots, etc. Currently, this book is the most up-to-date and comprehensive ASA tutorial out there.

Some people are skeptical about buying an electronic PDF ebook and think that a hard-copy book is better. This is wrong in my opinion. With an ebook, you can have it stored on your computer, tablet, smartphone etc and reference it easily when needed. You can search inside and find the content you want without having to keep turning pages of a printed book. Also, the most important advantage of an ebook is that I can update it easily with new features and commands and offer it to existing customers fast.

READ MORE ABOUT “Cisco ASA Firewall Fundamentals 3rd Edition” HERE

The following article describes the proper way to allow BGP sessions between two routers to pass through a Cisco ASA firewall appliance. Especially if the BGP configuration between the two routers uses MD5 authentication (which is a good security practice), you need some special “treatment” on this session in order to pass it successfully through an ASA device.

By default, the Cisco ASA applies TCP Sequence Number Randomization to every session passing through it. Also, the ASA will strip TCP option 19 by default. This TCP option (defined by RFC 2385) is a TCP extension that enhances security for BGP when using MD5 authentication. Both of these actions will break a BGP session passing through the ASA, and therefore we need to disable them for that traffic.

BGP through ASA (network diagram)

From the diagram above, first we need to match the BGP traffic between R1 and R2 using an Access Control List. Then we must create a TCP Map that allows TCP Option 19, and also disable the TCP Sequence Number Randomization for this specific BGP traffic class.

Step 1:

Match the BGP traffic with an ACL:

access-list bgp-traffic extended permit tcp host 10.1.1.1 host 10.2.2.2 eq bgp
access-list bgp-traffic extended permit tcp host 10.2.2.2 host 10.1.1.1 eq bgp

Step 2:

Allow TCP option 19 with a TCP Map.

tcp-map ALLOW-TCP-19
 tcp-options range 19 19 allow

Step 3:

Create a class map to match the BGP traffic using the ACL above.

class-map BGP-CLASS
 match access-list bgp-traffic

Step 4:

Use the Global Policy to apply all the actions:

policy-map global_policy
 class BGP-CLASS
  set connection random-sequence-number disable
  set connection advanced-options ALLOW-TCP-19
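The following added Python example (not code from the original article) shows why both ASA defaults break the session: it computes the RFC 2385 TCP MD5 signature over a BGP KEEPALIVE between 10.1.1.1 and 10.2.2.2, then verifies the segment after modelling a rewritten sequence number and after modelling removal of option 19. The shared key, ports and sequence numbers are constructed assumptions, and the TCP checksum is left at zero.

```python
import hashlib
import struct
from ipaddress import IPv4Address

TCP_PROTO = 6
OPT_END, OPT_NOP, OPT_MD5 = 0, 1, 19   # kind 19 = RFC 2385 TCP MD5 Signature option
BGP_PORT = 179

def rfc2385_digest(src_ip, dst_ip, fixed_hdr, opts_len, payload, key):
    """MD5 over IPv4 pseudo-header, 20-byte TCP header with checksum zeroed, data, key.
    Options are not hashed, but the pseudo-header segment length still counts them.
    The sequence number is inside the hashed header, so rewriting it invalidates the MAC."""
    seg_len = len(fixed_hdr) + opts_len + len(payload)
    pseudo = struct.pack("!4s4sBBH", IPv4Address(src_ip).packed,
                         IPv4Address(dst_ip).packed, 0, TCP_PROTO, seg_len)
    hdr = fixed_hdr[:16] + b"\x00\x00" + fixed_hdr[18:]
    return hashlib.md5(pseudo + hdr + payload + key).digest()

def build_signed_segment(src_ip, dst_ip, sport, dport, seq, ack, payload, key):
    """TCP segment (no IP header): 20-byte header + 18-byte MD5 option + 2 NOPs + data.
    Data offset is therefore 10 words (40 bytes); flags are PSH+ACK."""
    fixed = struct.pack("!HHIIHHHH", sport, dport, seq, ack, (10 << 12) | 0x018, 65535, 0, 0)
    digest = rfc2385_digest(src_ip, dst_ip, fixed, 20, payload, key)
    return fixed + bytes([OPT_MD5, 18]) + digest + bytes([OPT_NOP, OPT_NOP]) + payload

def parse_options(opts):
    """Return {kind: data} for a TCP options field (NOP and END handled per RFC 793)."""
    found, i = {}, 0
    while i < len(opts) and opts[i] != OPT_END:
        if opts[i] == OPT_NOP:
            i += 1
            continue
        length = opts[i + 1]
        found[opts[i]] = opts[i + 2:i + length]
        i += length
    return found

def verify_segment(src_ip, dst_ip, segment, key):
    """Check a captured segment: 'ok', 'bad-signature' or 'no-md5-option'."""
    fixed = segment[:20]
    data_offset = (struct.unpack("!H", fixed[12:14])[0] >> 12) * 4
    opts, payload = segment[20:data_offset], segment[data_offset:]
    sig = parse_options(opts).get(OPT_MD5)
    if sig is None:
        return "no-md5-option"
    expected = rfc2385_digest(src_ip, dst_ip, fixed, len(opts), payload, key)
    return "ok" if sig == expected else "bad-signature"

def randomize_seq(segment, new_seq):
    """Model ASA sequence-number randomization: only the sequence field changes."""
    return segment[:4] + struct.pack("!I", new_seq) + segment[8:]

def clear_md5_option(segment):
    """Model the ASA default handling of option 19: the option bytes are replaced by NOPs."""
    return segment[:20] + bytes([OPT_NOP]) * 20 + segment[40:]

def demo():
    key = b"bgp-secret"                          # constructed shared key
    keepalive = b"\xff" * 16 + b"\x00\x13\x04"   # BGP KEEPALIVE: marker, length 19, type 4
    seg = build_signed_segment("10.1.1.1", "10.2.2.2", 40000, BGP_PORT, 1000, 2000, keepalive, key)
    return (verify_segment("10.1.1.1", "10.2.2.2", seg, key),
            verify_segment("10.1.1.1", "10.2.2.2", randomize_seq(seg, 0x5EED), key),
            verify_segment("10.1.1.1", "10.2.2.2", clear_md5_option(seg), key))
```

demo() returns ("ok", "bad-signature", "no-md5-option"): the receiving router would reject the second segment and could not authenticate the third, which is exactly what the TCP map and the random-sequence-number exemption above prevent.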

It has been over a year now since I transferred all of my websites from a shared Hostgator account (Baby Plan shared hosting package) to a managed VPS server from wiredtree.com. Specifically, I purchased their Managed VPS1000 option, which offers the following specs:

Main WiredTree VPS1000 Specs:

  • 1024 MB Guaranteed RAM
  • 100 GB Disk Space
  • 3000 GB monthly bandwidth
  • SSD Accelerated disks for caching and acceleration (tremendous improvement in website loading time and response).
  • 4 dedicated IP addresses
  • cPanel / WHM for easy management of server
  • Fully Managed solution (you don’t have to install or manage anything).
  • ServerShield security hardening of your VPS server including security protection tools like Advanced Firewall (CSF) for firewall and brute force protection, Spam Prevention and Antivirus, HTTP intrusion and Denial of Service Protection, Security Audits, continuous software updates etc.
  • 24×7 Service Monitoring so you don’t have to worry if your VPS is down.
  • 24×7 Phone and Help Desk support
  • 100% Node Uptime SLA
  • Many more features

Traffic Handling Performance

When I was using shared hosting from Hostgator, there were several occasions on which my websites threw an “Error 500 Internal Server Error” message caused by excessive traffic to the shared server. Especially whenever I sent an email broadcast to my subscribers asking them to check out an article I had written on my site, the whole website became inaccessible because of the sudden increase in traffic from the email subscribers. Now, with my WiredTree VPS server, I have never had such an outage problem. It handles all of my traffic with no problems.

Website Loading Speed

Website loading times have also improved considerably. It seems that the SSD Accelerated disks (SSD = Solid State Drive = much faster than normal disks) make a huge difference in website speed performance. See this article from WiredTree which explains the benefits of SSD acceleration. As you might know already, Google likes websites which load fast, therefore you will get an SEO benefit from the increased website speed.

Security

As a security and IT professional myself, I always take my websites’ security very seriously. I know that a hacker or a malware infiltration in my sites can be devastating. So one of the main factors I looked at when evaluating web hosting solutions was the security features offered by the VPS provider. WiredTree ticked all the right boxes regarding security.

A hacker can get into your website either via the web application (e.g. via WordPress) or via the web server. The security tools and features used by WiredTree will make your VPS web server as bulletproof as possible.

ServerShield is developed by WiredTree and is a unique and comprehensive software security and optimization suite that is provided free of charge to all customers. When WiredTree installs your server for the first time, the server is hardened and several security protection tools are installed, including an advanced firewall, spam protection, antivirus protection, Denial of Service protection, etc. In the year that I have been with WiredTree, they have already updated my VPS operating system and other software (kernel, cPanel, etc.) several times in order to close security holes that were identified in the software. This proactive approach to security lets me sleep at night without worrying that my VPS will be knocked out by some malicious hackers. See more Security Features of WiredTree here.

My overall Experience with WiredTree

In a few words, I’m EXTREMELY SATISFIED!! Their support team seems to never sleep!!! Whenever I open a support ticket with them, they usually answer back and resolve my issue within 1 hour!! Moreover, I enjoy faster websites with SEO benefits, a reliable server, and most importantly a secure environment to host all of my sites.

If you are thinking of moving your websites from another hosting provider to WiredTree, you can have a look at how I did it here.

Comparison of Cisco ASA5500 Vs ASA5500-X

Although Cisco has created a new series of ASA appliances (the 5500-X series), there are hundreds of thousands of older Cisco ASA 5500 models installed and working in networks all over the world.

If you are one of those professionals who are considering upgrading your older ASA5500 appliances to the new “X” models, I have prepared a comparison article for you with the most important similarities and differences between the two ASA generations.

First, let’s see what Cisco recommends as replacement models for the older ASA5500:

Older ASA5500 Model     Suggested Replacement 5500-X Model
ASA 5505                ASA 5505 (no new model)
ASA 5510                ASA 5512-X or ASA 5515-X
ASA 5520                ASA 5525-X
ASA 5540                ASA 5545-X
ASA 5550                ASA 5555-X
ASA 5580                ASA 5585-X


Next let’s discuss the similarities between the two ASA generations.

Similarities

The major similarity between ASA5500 and ASA5500-X generation is on core firewall functionality and configuration. That is, the major firewall features (NAT, Access Control Lists, VPN configuration, routing, failover configuration, traffic inspection, modular policies, file system management, VLAN and subinterfaces, authentication etc) are configured exactly the same on both ASA5500 and ASA5500-X models. In fact, the new software version 9.X runs on both ASA series.

So, if you have an existing ASA5500 model which works as a regular firewall and you don’t need any new fancy features (called “Next Generation Firewall” features) then you can stay with your current model for now. You should consider though that Cisco has announced the End-of-Sale for the 5500 models which is September 16, 2013. The last date of support for the 5500 generation is September 30, 2018.

Differences

Of course with every new generation of appliances, almost always the new models are improved in terms of both hardware and software capabilities. Let’s see the major differences in bullet form.

  • The new 5500-X models provide around 4 times more firewall throughput than the older 5500 models. Also, they offer 60% higher VPN throughput.
  • The new 5500-X are running on multicore 64-bit processors compared with single core 32-bit processors on older ASA models.
  • The new 5500-X models support Next-Generation Firewall Services either as cloud-based services (such as Cloud Web Security and Web Security Essentials) or as software based modules which do not need additional hardware (only a license to use the software module). You should note however that the “Next-Generation Firewall Services” cost extra money in addition to the core firewall appliance. You will either need to purchase Cloud Subscription or purchase software licenses (for the IPS software module for example).
  • For Intrusion Prevention functionality (IPS) you don’t need an additional hardware module like the older 5500 generation. You can enable an embedded IPS on any 5500-X model by purchasing a software license.
  • More network interfaces available on the 5500-X models (up to 14 Gigabit Ethernet ports).
  • On ASA5500-X models the management interface port is shared between the firewall and the embedded IPS module. Also, the management port on ASA5500-X cannot be used as a data port. Remember that on the older 5500 models you could use the management port as a data port as well (as a regular interface). This is not supported on 5500-X models; the management port is only for management of the appliance.


These are the main differences between the two ASA generations. My new ebook which I’m working on right now (“Cisco ASA Firewall Fundamentals-3rd Edition”) will be applicable for both ASA5500 and ASA5500-X (regarding the core firewall functionality of the appliances), and will cover also the newest ASA version 9.X.

I hope you found my article useful. Talk to you soon.

Harris Andrea
