DNS Security Protection Parameters

DNS in my opinion is the cornerstone of Internet communication. Anything from web browsing, email communication, file transfer, multimedia access etc is based on DNS. After the recent discovery of Dan Kaminsky’s DNS major security issue, protection of DNS service is of critical importance. Fortunately, the Cisco ASA firewall provides several dns security features that can be used to enhance DNS security. These security parameters can be configured under the modular policy framework of the ASA as described below:

class-map inspection_default
     match default-inspection-traffic

    !
    policy-map type inspect dns preset_dns_map
     parameters
      dns-guard

      !– Enable dns-guard to verify that DNS query and
      !– response transaction IDs match and only one DNS
      !– response is allowed through the firewall for
      !– each query.
     !

      message-length maximum 512
      !– Enable a maximum message length to help defeat DNS
      !– amplification attacks. Note: This is the default
      !– configuration and value based on RFC 1035.
      !
    
      id-mismatch count 10 duration 2 action log
        exit

      !– Enable id-mismatch to count DNS transaction ID
      !– mismatches within a specified period of time
      !– and generate a syslog when the defined threshold
      !– has been reached.
      !
       match header-flag RD
        drop

      !– Check for DNS query messages with the recursion
      !– desired (RD) flag set in the DNS header and drop
      !– those packets to avoid being used as a recursive
      !– resolver.
      !

      id-randomization
      !– Enable id-randomization to generate unpredictable
      !– DNS transaction IDs in DNS messages and protect
      !– DNS servers and resolvers with poor randomization
      !– of DNS transaction IDs.

    !
    policy-map global_policy
      class inspection_default
        inspect dns preset_dns_map
      –      CLI Output Truncated       –
    !
    service-policy global_policy global

DNS Packet Length Inspection on Cisco ASA

When you host a public DNS server behind a Cisco ASA 5500 firewall, you might be getting an error log message from the firewall about DNS message length mismatch. This is because by default the DNS inspection engine on the ASA allows a maximum DNS message length of 512 bytes only, as shown below:

policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512

This DNS message length parameter is configurable from 512 to 65535, so you can increase this to an appropriate length according to your traffic needs. However, you should take into consideration that the DNS length value of 512 bytes is configured according to RFC 1035, and its not recommended to change it, so that you can avoid DNS amplification attacks.

Cisco ASA 5505 Network Port Interfaces

The figure below (taken from Cisco) illustrates the back panel of the Cisco ASA 5505 appliance, showing the network interfaces and other important hardware points.

Cisco asa 5505 network port interfaces

 

1

Power 48VDC

2

SSC slot

3

Network interface LEDs

4

Network interfaces

5

Console port

6

USB 2.0 interface

7

Reset button

8

Lock slot

 Starting from right to left, we have Ethernet0/0 up to Ethernet0/7. The last two Ports 6 and 7 are also Power over Ethernet Ports (PoE), which means that in addition to normal computers, you can also connect IP Phones which will be powered by the firewall PoE ports. The eight network interfaces of the ASA 5505 work only as Layer 2 ports, which is the difference of the 5505 model from the other ASA models. This means that you can not configure a Layer 3 IP address directly on each interface. Also, port Ethernet0/0 is used as the Outside untrusted interface (connecting to Internet), and the rest interfaces 0/1 to 0/7 are used as the trusted Inside interfaces connecting to internal hosts. By default, Vlan 2 is assigned to Ethernet0/0 and the native Vlan 1 is assigned to the rest of the interfaces. Two Switch Vlan Interfaces (SVI) exist by default (Interface Vlan 1 and Interface Vlan 2) which can be used to assign the Layer 3 IP addresses for the Outside interface (Ethernet 0/0) and for the inside zone (Ethernet0/1 to 0/7).

Implementing security in layers is the recommended network security design for protecting information assets. This approach is achieved by segmenting your network into various security zones with an ASA Firewall and applying access policies between them according to their security levels. By default Cisco ASA firewalls come with at least four 10/100/1000 network interfaces which are sometimes not enough. Considering that we need one physical interface dedicated for failover configuration (if used) and that usually one dedicated interface is used for Internet connectivity, then we are left with only two physical interfaces for further network segmentation.

Cisco 4GE SSM Network Expansion Module

By using the Cisco ASA 4-Port Gigabit Ethernet Security Services Module (4GE SSM) (shown above) you instantly expand your firewall interfaces to a total of three Fast Ethernet and six Gigabit Ethernet ports on the Cisco ASA 5510 Security Plus, and eight Gigabit Ethernet ports and one Fast Ethernet port on Cisco ASA 5520 and 5540 appliances. This gives you plenty of physical interfaces to work with and apply your security design without hardware limitations.

License Upgrade on Cisco ASA 5505 (or 5500)

There are several license options for the Cisco ASA 5505 firewall as shown below:

Description Performance Part Number
Cisco ASA 5505 10 User Firewall Edition Bundle
Includes: 10 users, 8-port Fast Ethernet switch with 2 Power over Ethernet ports, 10 IPsec VPN peers, 2 SSL VPN peers, Triple Data Encryption Standard/Advanced Encryption Standard (3DES/AES) license
• 150 Mbps Firewall
• 100 Mbps IPsec VPN
ASA5505-BUN-K9
Cisco ASA 5505 10 User Firewall Edition Bundle
Includes: 10 users, 8-port Fast Ethernet switch with 2 Power over Ethernet ports, 10 IPsec VPN peers, 2 SSL VPN peers, Data Encryption Standard (DES) license
• 150 Mbps Firewall
• 100 Mbps IPsec VPN
ASA5505-K8
Cisco ASA 5505 50 User Firewall Edition Bundle
Includes: 50 users, 8-port Fast Ethernet switch with 2 Power over Ethernet ports, 10 IPsec VPN peers, 2 SSL VPN peers, 3DES/AES license
• 150 Mbps Firewall
• 100 Mbps IPsec VPN
ASA5505-50-BUN-K9
Cisco ASA 5505 Unlimited User Firewall Edition Bundle
Includes: Unlimited users, 8-port Fast Ethernet switch with 2 Power over Ethernet ports, 10 IPsec VPN peers, 2 SSL VPN peers, 3DES/AES license
• 150 Mbps Firewall
• 100 Mbps IPsec VPN
ASA5505-UL-BUN-K9
Cisco ASA 5505 Security Plus Firewall Edition Bundle
Includes: Unlimited users, 8-port Fast Ethernet switch with 2 Power over Ethernet ports, 25 IPsec VPN peers, 2 SSL VPN peers, DMZ support, Stateless Active/Standby high availability, Dual ISP support, 3DES/AES license
• 150 Mbps Firewall
• 100 Mbps IPsec VPN
ASA5505-SEC-BUN-K9

A very common scenario for a small business is to initially order a 10 user license and then upgrade to 50 users as the company expands. You need to order via your local Cisco representative a 10-to-50 user license upgrade. The Cisco reseller will request to have the ASA 5505 serial number of your firewall which you can find by executing the “show version” command. After that, the Cisco reseller will provide you with a license key which is a long hexadecimal string (e.g e02888da 4ba7bed6 f1c123ae ffd8624e). To configure the new license key use the following command:

Cisco-ASA(config)# activation-key Hex-activation-key
Cisco-ASA(config)# exit
Cisco-ASA# wr mem
Cisco-ASA# reload

After the firewall reboots, run the “show version” command to verify that the license features have been upgraded. The same procedure works also for the other Cisco ASA models.

How to upgrade the Cisco ASA 5505 software

The newest Cisco ASA firewall 5500 series came out with software version 7.0, following the successful software version 6.x of the older PIX firewall models. The latest ASA software version is 8.x with intermediary versions of 7.1 and 7.2. In this post I will show you how to upgrade a Cisco ASA 5505 firewall from version 7.2(3) to version 8.0(2). The same approach can be used for any 5500 appliance series. To get the latest ASA software version, you must have a valid SMARTnet agreement which is basically a maintenance contract for your Cisco product.

cisco asa 5505 firewall image

Step1:

Connect to the appliance (console or SSH) and verify the current running software version by using the show ver command:

ASA5505# sh ver

Cisco Adaptive Security Appliance Software Version 7.2(3)
Device Manager Version 5.2(3)


Compiled on Wed 15-Aug-07 16:08 by builders
System image file is “disk0:/asa723-k8.bin
Config file at boot was “startup-config”

ASA5505 up 34 mins 42 secs

Hardware: ASA5505, 256 MB RAM, CPU Geode 500 MHz
Internal ATA Compact Flash, 128MB
BIOS Flash M50FW080 @ 0xffe00000, 1024KB

Encryption hardware device : Cisco ASA-5505 on-board accelerator (revision 0×0)
Boot microcode : CNlite-MC-Boot-Cisco-1.2
SSL/IKE microcode: CNlite-MC-IPSEC-Admin-3.03
IPSec microcode : CNlite-MC-IPSECm-MAIN-2.04
0: Int: Internal-Data0/0 : address is 001e.7a86.1ea8, irq 11
1: Ext: Ethernet0/0 : address is 001e.7a86.1ea0, irq 255
2: Ext: Ethernet0/1 : address is 001e.7a86.1ea1, irq 255
3: Ext: Ethernet0/2 : address is 001e.7a86.1ea2, irq 255
4: Ext: Ethernet0/3 : address is 001e.7a86.1ea3, irq 255
5: Ext: Ethernet0/4 : address is 001e.7a86.1ea4, irq 255
6: Ext: Ethernet0/5 : address is 001e.7a86.1ea5, irq 255
7: Ext: Ethernet0/6 : address is 001e.7a86.1ea6, irq 255
8: Ext: Ethernet0/7 : address is 001e.7a86.1ea7, irq 255
9: Int: Internal-Data0/1 : address is 0000.0003.0002, irq 255
10: Int: Not used : irq 255
11: Int: Not used : irq 255

Licensed features for this platform:
Maximum Physical Interfaces : 8
VLANs : 3, DMZ Restricted
Inside Hosts : 50
Failover : Disabled
VPN-DES : Enabled
VPN-3DES-AES : Enabled
VPN Peers : 10
WebVPN Peers : 2
Dual ISPs : Disabled
VLAN Trunk Ports : 0

This platform has a Base license.

From the above output you can see that we are running Version 7.2(3) which is located in disk0 (disk0:/asa723-k8.bin). Also, the GUI device manager version (ASDM) is 5.2(3). Now, lets upgrade to version 8.0(2).

Step 2:

Assume that our internal network range is 192.168.1.0/24. Configure a TFTP server (you can use the free tftpd32) on an internal PC (e.g 192.168.1.10) and backup the current running software image from the firewall to your TFTP PC.

ASA5505# copy disk0 tftp

Source filename []?asa723-k8.bin
Address or name of remote host []? 192.168.1.10

Also, save the current running configuration. Just issue the show run command and copy all configuration output from your terminal window into a text file.

Step 3:

Now it’s the time to upload the new software image file to the disk system of the firewall. Assume that we have already downloaded the software file asa802-k8.bin and placed that on our TFTP PC.

ASA5505# copy tftp disk0

Address or name of remote host []? 192.168.1.10
Source filename []? asa802-k8.bin
Destination filename [disk0]? disk0:asa802-k8.bin

Accessing tftp://192.168.1.10/asa802-k8.bin…!!!!!! (truncated)
Writing file disk0:/asa802-k8.bin… !!!!! (truncated)
14524416 bytes copied in 118.210 secs (123088 bytes/sec)

Step 4:

Since now we will have two image files on the firewall disk (old 7.2 and new 8.0 image files), we need to tell the firewall explicitly which image file to use when booting.

ASA5505# conf t
ASA5505(config)# boot system disk0:/asa802-k8.bin
ASA5505(config)# wr mem

Step 5:

Reboot the firewall in order to load the new software image file. (use the reload command). If everything works ok with the new image, you can delete the old one from disk0. (delete disk0:/asa723-k8.bin)

Step6 (Optional):

The new ASA version 8.x uses the newest Device Manager (ASDM) version 6.x. You can download the new ASDM software from Cisco and upgrade that as well (using the same steps as above).

 Page 39 of 40  « First  ... « 36  37  38  39  40 »