Saturday, June 30, 2018

ASA Interface Configuration

Cisco Adaptive Security Appliance 8.4 Basic Interface Configuration.









Agenda for this blog is as below:

# Setting up the privilege mode password.
# Naming the appliance
# Configuring the interfaces

Topology on which we will work is as below:






Requirement 1.


Privilege mode password:
The Cisco ASA appliance ships with no privilege mode password. We are prompted for a password, but we can enter the mode without supplying one.

So here the privilege mode password has to be set as “secret@123” to restrict anyone from getting access.

Configuration:

ciscoasa> enable
(To get into privilege mode)
ciscoasa# configure terminal
(To get into global config mode)
ciscoasa(config)#enable password Secret@123
(Sets the privilege mode password to Secret@123)
ciscoasa(config)#exit
(To exit config mode)
ciscoasa#wr
(To save the config)
ciscoasa#exit
ciscoasa>

Now, to test this, we will try to enter privilege mode without the password, as we did earlier.

ciscoasa> enable (To get into privilege mode)

We are not allowed into privilege mode, because we did not supply the password we just configured.

Now let's try with the password.

ciscoasa> enable
Password: **********

And now we are allowed into privilege mode.

Now let's move towards next requirement.

Requirement 2.

Naming the device:
Cisco ASA appliance comes with a default host name as ciscoasa.
We have to change the host name to “ASA”.

Configuration:

ciscoasa>enable
Password: ********
ciscoasa#configure terminal
ciscoasa(config)#hostname ASA
(To set the host name to ASA)

As soon as we execute the command, the host name changes immediately.



Now let's move towards the last requirement for this tutorial.

Requirement 3.

Interface configuration:
We have to configure the Cisco ASA interfaces as below:
Interface gigabitEthernet 1
IP address 192.168.1.254/24
Name it Inside
Security level 100

Configuration:

ASA>enable
Password: ********
ASA#configure terminal
ASA(config)#interface gig 1
(To enter interface config mode)
ASA(config-if)#ip address 192.168.1.254 255.255.255.0
(Specifying the IP address and netmask)
ASA(config-if)#no shut
(Enabling the interface)

On our L3 switches and routers this would be the minimum config required to bring up an interface. But on the ASA this does not work.

The proof is as below.

The interface is up, but the IP address is still missing, which means the interface is not yet in a working state.

Naming the interface (nameif) is mandatory on the ASA.
Now the question arises on the security level. Is it important?
Yes, it is also an important factor in interface configuration, but as per the default Cisco design, security level 100 is given to the interface when we configure it with the name Inside, and 0 to all other interfaces.

So if we fail to configure it, the default 100 or 0 will be assigned, but if we want to define our own levels, then we have to do that manually.

ASA(config-if)#nameif Inside
(Naming the interface)
ASA(config-if)#security-level 100
(Configuring the security level)
ASA(config-if)#exit
ASA(config)#exit

Let's verify the interface status:

ASA#show interface ip brief
(Getting the brief interface status)


Similarly, we have to configure the second interface as well.

Interface gigabitEthernet 2
IP address 192.168.2.254/24
Name it DMZ
Security level 75

Configuration:

ASA#configure terminal
ASA(config)#interface gig 2
ASA(config-if)#ip address 192.168.2.254 255.255.255.0
ASA(config-if)#nameif DMZ
ASA(config-if)#no shut
ASA(config-if)#security-level 75
ASA(config-if)#exit
ASA(config)#exit

The order of the commands does not matter.

Verification:

ASA#show interface ip brief



And the third interface.

Interface gigabitEthernet 0
IP address 192.168.3.254/24
Name it Outside
Security level 0

Configuration:

ASA#configure terminal
ASA(config)#interface gig 0
ASA(config-if)#ip address 192.168.3.254 255.255.255.0
ASA(config-if)#nameif Outside
ASA(config-if)#no shut

And, as we said, for Outside the default security level (0) gets configured.

ASA(config-if)#exit
ASA(config)#exit

Verification:
ASA#show interface ip brief

ASA#show nameif


Friends, we have successfully configured all the basic requirements which were the part of agenda.

To get better clarification for the concepts, please watch the video tutorial linked above.

Also subscribe to our YouTube channel and join our Facebook group for further updates; like and comment with your suggestions.

Tuesday, June 26, 2018

SIEM

Security Information and Event Management

 

 

Security information and event management (SIEM) is an approach to security management that seeks to provide a holistic view of an organization’s information technology.

It is the practice of collecting, monitoring, analyzing and correlating security logs from security devices for event management.

Logs can be collected from sources like antivirus, IPS/IDS, firewalls, AD, routers, switches, mail and web gateways, proxies, etc.



What is SIEM?

A SIEM deployment generally consists of a software agent running on the security devices that are to be monitored. The agent sends security logs to a centralized server, the log collector, from where the logs are monitored by the SOC team for log correlation and incident management.

The SIEM presents a console which can include reports, charts and real-time information.



How does SIEM work?

Devices and applications generally create events, which can be application events, security events or even hardware events. These are kept in event logs, which list everything that happened, one entry per line.

The SIEM agent uses protocols like Syslog or SNMP to transport these events to the SIEM log collector.



The logs are then stored on the SIEM log collector.


 



The SOC/SIEM team sitting behind the log collector then analyses and correlates the logs with the help of the event manager, which is a device with its own intelligence.



The event created must contain a few fields such as:

1. Event ID.
2. Brief summary of the event.
3. Priority of the event (High/Medium/Low).
4. Time the event hit.
5. Source IP/ Mail ID/ Hash etc.
6. Destination IP/ Mail ID/ System.
7. Action/ Recommendation on the event.





Important features of SIEM:

Data aggregation:
SIEM aggregates security events, in the form of logs, from various security and non-security devices for data monitoring and event management purposes.

Correlation:
SIEM looks for common links between events to build a meaningful event. Logs from different sources are correlated into a single event.

Alerting:
Alerting is the main feature of SIEM. Once the collected logs have been correlated into a security event, alerting is the next step: the operations team has to be alerted to the incoming threat.

Dashboards:
SIEM also provides informational charts and diagrams in a dashboard, which makes things easy to understand.
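As an added example that is not part of the original post, here is a small Python routine that runs the aggregation, correlation and alerting steps described above over a few constructed log lines and emits an event carrying the seven fields listed earlier; the key=value line layout, the threshold and window, and the IP addresses are assumptions of the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines (not from the original post), in a simple
# syslog-like key=value layout a collector might receive from a firewall.
SAMPLE_LOGS = """\
2018-06-26T10:00:01 fw01 action=login-failed src=10.1.1.50 dst=192.168.1.254 user=admin
2018-06-26T10:00:03 fw01 action=login-failed src=10.1.1.50 dst=192.168.1.254 user=admin
2018-06-26T10:00:05 fw01 action=login-failed src=10.1.1.50 dst=192.168.1.254 user=admin
2018-06-26T10:00:20 fw01 action=login-ok src=10.1.1.50 dst=192.168.1.254 user=admin
2018-06-26T10:05:00 fw01 action=login-failed src=10.1.1.77 dst=192.168.1.254 user=bob
""".splitlines()

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) (?P<kv>.*)$")

def parse(line):
    """Aggregation step: turn one raw line into a dict of fields (None if unparseable)."""
    m = LINE_RE.match(line)
    if not m:
        return None
    fields = dict(pair.split("=", 1) for pair in m.group("kv").split())
    fields["ts"] = datetime.fromisoformat(m.group("ts"))
    return fields

def correlate(lines, threshold=3, window=timedelta(minutes=5)):
    """Correlation step: `threshold` failures from one src/dst pair followed by a
    success inside `window` become one event with the seven fields from the post."""
    failures = defaultdict(list)
    events = []
    for line in lines:
        ev = parse(line)
        if ev is None:
            continue
        key = (ev["src"], ev["dst"])
        if ev["action"] == "login-failed":
            # keep only the failures still inside the correlation window
            failures[key] = [t for t in failures[key] + [ev["ts"]] if ev["ts"] - t <= window]
        elif ev["action"] == "login-ok" and len(failures[key]) >= threshold:
            events.append({
                "event_id": f"EVT-{len(events) + 1:04d}",
                "summary": f"{len(failures[key])} failed logins then success for user {ev['user']}",
                "priority": "High",
                "time": ev["ts"].isoformat(),
                "source": ev["src"],
                "destination": ev["dst"],
                "action": "Confirm the login with the account owner; reset the password if unexpected",
            })
            failures[key].clear()   # the alerting step would hand this event to the SOC
    return events
```

Running `correlate(SAMPLE_LOGS)` yields one High event for 10.1.1.50; the lone failure from 10.1.1.77 stays below the threshold and produces nothing.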





ASDM & SSH

Hello and welcome to the tutorial on building up the Cisco ASA step by step.

 



 

Today we move forward in our journey and configure our Cisco ASA so that it can be accessed from the firewall admin's local system via ASDM and SSH.

Topology




In this setup we will configure the ASA in such a manner that the management system of the firewall admin will be able to access the ASA over SSH with PuTTY or via ASDM.

ASDM Access:

The first thing we need for this config is the ASDM ".bin" image file and a TFTP application, with which we upload the ".bin" file into the flash memory of the ASA.

*I am using the tftpd32 application in this demonstration.

Install the application and copy the .bin file into the folder where the application is installed.


Commands to execute on the ASA console:


Mountain# configure terminal
(To get in the global config mode)

Mountain(config)#copy tftp: flash:
(To copy TFTP files to Flash memory)

*interactive config starts*

Address or name of remote host []? 192.168.1.100
(Specify the TFTP server's IP address when asked: "192.168.1.100")

Source filename []? asdm-649-103.bin
(Specify the file name when asked: "asdm-649-103.bin")

Destination filename? (Hit enter)
(It is preferable to keep the same file name, so just hit enter)

And then the copying starts:
Accessing tftp://192.168.1.100/asdm-649-103.bin...!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!19706880 bytes copied in 73.890 secs (269957 bytes/sec)

Now we have copied our .bin image file into the flash of the ASA. It is time to tell the ASA to use that .bin file as the ASDM image.

Mountain(config)# asdm image flash:/asdm-649-103.bin
(ASDM file is in flash and which is "asdm-649-103.bin")

Verification:

 



We have uploaded the ASDM image to flash and told the ASA to use it. Let's access the ASA from the management system to download a copy of the ASDM client.




What happened, why are we not able to connect?

?
?

The reason is access. How are we connecting?
HTTPS, right? So do we have the required access?
Is the HTTPS service enabled?
No, the answer is no, so let's do that.

Commands:


Mountain# configure terminal
(To get into global config mode)

Mountain(config)# http server enable
(To enable http & https service on ASA)

Mountain(config)# http 192.168.1.100 255.255.255.255 Inside
(Says provide http & https access to "192.168.1.100/32" when coming from "Inside" interface)

Now lets try. 






*The certificate warning appears because the certificate used by the ASA is self-signed and our browser will not trust it.*

Let's continue, as we know it is still safe to proceed in this lab.
Now we are given a link to either install the ASDM launcher on our system or run the Java-based ASDM.

Let's download the launcher.

Note: we are asked for a username and password, which is not mandatory now but will be later.

After the download is complete, install the application and open it.





*We can still proceed without a username and password, but why leave the ASA exposed? To counter this we have to make the ASA authenticate every HTTP session terminating on it.*

Commands:

Mountain(config)# aaa authentication http console LOCAL
(Authenticate the http sessions via local user database)

Now we also have to create a user ID and password.

Mountain(config)# username sai password sai@12345
(User name is "sai" where as the password is "sai@12345")

Let's try to log in now.

Continue to proceed further.

The Home tab of ASDM shows various details including health, interface status, traffic log, etc.

The Configuration tab, where we can configure the appliance.

The Monitoring tab, for monitoring the appliance.

 


Now let's try to enable SSH access.

Let's first try to access the ASA via PuTTY from the management system.

No, we are not allowed to; think about what the issue might be.

?
?
?

Yes, the RSA keys.

We need the asymmetric RSA key pair so that the client can build a secure channel with the ASA, negotiate a symmetric session key and send our password over it; the traffic is then encrypted with that key.

Mountain(config)# domain-name Madness.com
(Domain name for the keys)

Mountain(config)# crypto key generate rsa modulus 1024
(Create a crypto key 1024 bits strong)
A 1024-bit RSA modulus is considered weak today; 2048 bits or more is the usual recommendation.

Output:

Mountain(config)# crypto key generate rsa modulus 1024
INFO: The name for the keys will be: <Default-RSA-Key>

Keypair generation process begin. Please wait...

Let's try again.

Still the same.






What is missing now? How are we accessing the appliance? Do we have the required access?

No, we have not allowed anyone to access the ASA on port 22 yet.

Commands:

Mountain(config)# ssh 192.168.1.100 255.255.255.255 Inside
(Says provide SSH access to "192.168.1.100/32" when coming from the "Inside" interface)

Also ask the ASA to authenticate every SSH connection.

Mountain(config)# aaa authentication ssh console LOCAL
(Authenticate the SSH sessions via the local user database)

Now we can access.
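To tie together the three access-control pieces of this post (the host/mask/interface lines for HTTP and SSH, the aaa authentication lines, and the RSA key size), here is an added audit script that is not part of the original post. It reads a list of ASA commands, constructed here as two sample transcripts, and reports the settings a reviewer would flag; the 2048-bit threshold and the rule that management access must not face Outside are assumptions of the example.

```python
import re

# Constructed command transcripts (not from the original post). They hold the
# same kinds of lines the post types in: http/ssh access, AAA, RSA modulus.
WEAK_COMMANDS = """\
http server enable
http 0.0.0.0 0.0.0.0 Outside
ssh 192.168.1.0 255.255.255.0 Inside
crypto key generate rsa modulus 1024
"""

HARDENED_COMMANDS = """\
http server enable
http 192.168.1.100 255.255.255.255 Inside
ssh 192.168.1.100 255.255.255.255 Inside
aaa authentication http console LOCAL
aaa authentication ssh console LOCAL
crypto key generate rsa modulus 2048
"""

ACCESS_RE = re.compile(r"^(http|ssh) (\d+\.\d+\.\d+\.\d+) (\d+\.\d+\.\d+\.\d+) (\S+)$")
AAA_RE = re.compile(r"^aaa authentication (http|ssh) console \S+$")
RSA_RE = re.compile(r"^crypto key generate rsa modulus (\d+)$")

def audit(commands, min_modulus=2048):
    """Return a list of findings; an empty list means management access is
    limited to single admin hosts on a non-Outside interface, both services
    authenticate users, and the RSA key is at least `min_modulus` bits."""
    findings = []
    aaa_seen = set()
    for raw in commands.splitlines():
        line = raw.strip()
        access = ACCESS_RE.match(line)
        aaa = AAA_RE.match(line)
        rsa = RSA_RE.match(line)
        if access:
            svc, host, mask, iface = access.groups()
            if mask != "255.255.255.255":
                findings.append(f"{svc}: {host} {mask} on {iface} allows more than one admin host")
            if iface.lower() == "outside":
                findings.append(f"{svc}: management access is exposed on the {iface} interface")
        elif aaa:
            aaa_seen.add(aaa.group(1))
        elif rsa and int(rsa.group(1)) < min_modulus:
            findings.append(f"RSA modulus {rsa.group(1)} is below {min_modulus} bits")
    for svc in ("http", "ssh"):
        if svc not in aaa_seen:
            findings.append(f"{svc}: no 'aaa authentication {svc} console' line, so sessions are not tied to a user account")
    return findings
```

`audit(WEAK_COMMANDS)` returns six findings (wide masks, Outside exposure, a short key, and missing AAA for both services), while `audit(HARDENED_COMMANDS)` returns none.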





Friends, I have successfully demonstrated how to configure the ASA so that the firewall admin can access it from his management system via ASDM or SSH.

To get better clarification of the concepts, please watch the video tutorial linked above.

Subscribe to my YouTube channel for further updates, like and comment with your suggestions, and click the bell icon for update notifications.

Thank you.

CIA

Confidentiality  Integrity  Availability

 


 


Confidentiality, Integrity and Availability are together known as the CIA triad.

It is a model that guides an organization in designing its security policies.
It is these three principles that get attacked, to varying degrees, by different kinds of exploits and attacks.




Confidentiality

Confidentiality is the set of measures undertaken to prevent sensitive information from reaching the wrong people, while making sure that the right people can in fact get it.

If we are a bank and our user wants to access his account via the bank's website, how can we provide confidentiality for his data?






The answer is via a username and password; he has to keep the password private so that his data remains confidential.







Other confidentiality options include data encryption, sending an OTP, biometric verification or the use of RSA tokens.





Integrity




Integrity involves maintaining the consistency, accuracy, and trustworthiness of data.
Data must not be changed in transit, and steps must be taken to ensure that data cannot be altered by unauthorized people.

 




Use of a checksum is the best example of an integrity check.
A value such as “ADG45SD78L” is calculated by applying some algorithm to the file and is then sent to the recipient along with the file.

The recipient, on receiving the file, runs the same algorithm and compares its output with the sender's “ADG45SD78L” to verify the integrity of the file.
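The checksum exchange described above, as an added Python example that is not part of the original post: the sender's digest is recomputed and compared by the recipient, and the example also shows why an unkeyed checksum does not stop an intermediary who can rewrite both the file and its checksum, which is what the keyed HMAC variant addresses. The sample file contents and the key are constructed for the example.

```python
import hashlib
import hmac

def file_digest(data):
    """Unkeyed checksum, as in the post: the sender computes it, sends it
    with the file, and the recipient recomputes it and compares."""
    return hashlib.sha256(data).hexdigest()

def verify_digest(data, expected):
    return hmac.compare_digest(file_digest(data), expected)

def file_mac(key, data):
    """Keyed variant (HMAC): someone who alters the file but does not hold
    the key cannot produce a matching tag, unlike with an unkeyed checksum."""
    return hmac.new(key, data, hashlib.sha256).hexdigest()

def verify_mac(key, data, expected):
    return hmac.compare_digest(file_mac(key, data), expected)

# Constructed sample "file" contents and key (not from the original post).
ORIGINAL = b"Transfer 100.00 to account 12345\n"
TAMPERED = b"Transfer 900.00 to account 12345\n"
KEY = b"placeholder-shared-key"   # placeholder; a real key is random and kept secret

def demo():
    """Returns which checks hold; every value is expected to be True."""
    sent_digest = file_digest(ORIGINAL)
    sent_tag = file_mac(KEY, ORIGINAL)
    return {
        "intact_file_passes_digest": verify_digest(ORIGINAL, sent_digest),
        "altered_file_fails_digest": not verify_digest(TAMPERED, sent_digest),
        # an intermediary who can rewrite the file can rewrite an unkeyed digest too
        "attacker_can_forge_digest": verify_digest(TAMPERED, file_digest(TAMPERED)),
        "intact_file_passes_mac": verify_mac(KEY, ORIGINAL, sent_tag),
        # without the key, the best the intermediary can do is reuse the old tag
        "altered_file_fails_mac": not verify_mac(KEY, TAMPERED, sent_tag),
    }
```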



Availability
 
The availability concept is about making sure that the services of an organization are available.

The data must always be available to legitimate users and not blocked by any means. It may happen that we provided confidentiality and maintained integrity, but the data is simply not available.






So there can be a case where our server comes under a DDoS attack.

DDoS is a sophisticated attack in which attackers act as a group, resulting in full utilization of the server's resources. In such cases, if our legitimate user tries to access the server, he is shown that the server is down.

We have to take all the necessary actions to make sure the resource or data which we are sharing is always available.

Thank you, friends, for reading the blog post. If you have any questions or suggestions, please post them in the comment area and subscribe for updates.