![Page 1: NC School Connectivity Initiative – Firewall Best … School Connectivity Initiative – Firewall Best Practices Session Presenters ! Chris Rose, MCNC – Client Network Engineer](https://reader030.vdocuments.us/reader030/viewer/2022021505/5addbda77f8b9a9a768d4cc5/html5/thumbnails/1.jpg)
NCET 2014 Conference
NC School Connectivity Initiative – Firewall Best Practices
Session Presenters

- Chris Rose, MCNC – Client Network Engineer
- Dianne Dunlap, MCNC – Client Network Engineer
2 3/21/14
Agenda

1. ITS/ASA Firewall Service Description
2. Firewall Configuration Best Practices
3. ASA Monitoring and Troubleshooting
4. Where to go for information; MCNC Support
5. Q&A
State Firewall Service Summary

- Cisco ASA platform with site-to-site VPN and SSL VPN functionality
- Offered as ITS fully managed or customer managed
- LEA adoption: 30 ITS fully managed / 33 customer managed
- Charter school adoption: 42 ITS fully managed / 8 customer managed

Additional information: https://www.mcnc.org/our-community/k12/services/firewall
State Firewall Service Summary (continued)

| Service implementation and support | ITS fully managed | Customer managed |
|---|---|---|
| Consultation regarding service options and security configurations | Y | Y |
| All required activities to complete service installation | Y | Y |
| All hardware and software components required to deliver the security service | Y | Y |
| Ongoing operating system release and patch management | Y | On request by customer |
| Ongoing configuration management | Y | N |
| Configuration backup | Y | Y |
| 24x7 device monitoring | Y | N |
| 24x7 support | Y | Y |
| Real-time view of security policy | Optional | Optional |
| Log retention at customer location | Available | Available |
Current LEA ASA Map (map image not reproduced)

Current Charter ASA Map (map image not reproduced)
Firewall Best Practices

- Be as specific as possible: avoid any/any.
- Allow only essential services in (ingress filtering).
- Use a DMZ where possible for public servers (web, FTP).
- Allow only essential services out (egress filtering).
- Log traffic as necessary.
- Use good naming conventions and comments.
- Group network objects and ports.
- Remove unneeded ACLs.
- Use AnyConnect where possible in lieu of broad outside access.
Avoid any/any

Too broad: every IP protocol and every port, from any source, reaches the host:

access-list outside_access_in permit ip any host 152.26.1.20

Specific: only the two services the host actually offers:

access-list outside_access_in permit tcp any host 152.26.1.20 eq http
access-list outside_access_in permit tcp any host 152.26.1.20 eq https

On ASA 8.3 and later, access-lists reference the real (untranslated) address, so the destination would be written as host 10.26.1.20 rather than the public 152.26.1.20.
Use a DMZ

Outside to the DMZ web server: only the published services.

access-list outside_access_in permit tcp any host 152.26.1.20 eq http
access-list outside_access_in permit tcp any host 152.26.1.20 eq https

DMZ to inside: nothing. A compromised public server cannot open connections toward the internal network.

access-list dmz_access_inside deny ip any any

Inside to the DMZ: only the services staff need (the DMZ server's real address here is 10.46.1.20).

access-list inside_access_dmz permit tcp any host 10.46.1.20 eq http
access-list inside_access_dmz permit tcp any host 10.46.1.20 eq https

Each list takes effect only once it is bound to its interface with access-group; a list that is defined but not applied filters nothing.
Allow Only Essential Services Out

- No access-list on the inside interface, or an access-list with 'permit ip any any', permits all outbound traffic.
- Blacklisting is possible if outbound traffic becomes malicious due to viruses, malware, or malcontents. Note that a deny placed after a 'permit ip any any' is never reached: the ASA evaluates an access-list top-down and stops at the first match, so denies must precede the broad permit, and a whitelist of essential services is the more robust approach.
- Good Internet citizenship limits or prevents:
  - BitTorrent
  - Viruses/malware (ILOVEYOU, Stuxnet, Cutwail)
  - Web proxies (Ultrasurf, Tor)
Allow Only Essential Services Out

ITS standard service groups (outbound):

object-group service School-standard-tcp tcp
 port-object eq https
 port-object eq www
 port-object eq 9443
object-group service School-standard-udp udp
 port-object eq domain

These groups are referenced from the inside interface access-list so that, by default, only web traffic (80/443, plus 9443) and DNS leave the network. DNS is permitted over UDP only here; if resolvers need TCP/53 (responses too large for UDP, zone transfers) it must be added explicitly.
Log Traffic – syslog levels

| Category | Numeric code |
|---|---|
| Emergency | 0 |
| Alert | 1 |
| Critical | 2 |
| Error | 3 |
| Warning | 4 |
| Notification | 5 |
| Informational | 6 |
| Debug | 7 |

The severity is embedded in every ASA message ID, for example %ASA-3-305006 (portmap translation, severity 3 = Error) and %ASA-6-302014 (Teardown TCP connection, severity 6 = Informational).
Log Traffic

- ITS logging is at "Warning" level (4) for ITS-managed firewalls. This is also Cisco's recommended best practice. At that level, messages of severity 5 to 7 (including the informational connection built/teardown messages 302013/302014) are not sent to the syslog server; raise the level temporarily when troubleshooting a specific flow.
- ASA log messages should be sent to a local syslog server for customer-managed firewalls.
- Free syslog servers:
  - rsyslogd (Linux)
  - syslog-ng (Linux)
  - The Dude (Windows)
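What matters operationally is that each ASA syslog message carries its severity in its own ID, and the ASA forwards a message to a syslog host only if that severity is at or below the configured trap level (for example, 'logging trap warnings' sends severities 0 to 4). The Python script below is an added example, not code from the presentation or from MCNC/ITS: it parses ASA-style log lines, shows which survive at the warning level versus the informational level, and tallies 106023 denies by destination so that a run of denies against one host and port stands out. The log lines, the host name 'asa-lea' and the non-slide addresses are constructed for the example; the message bodies follow the standard ASA layouts for 302013/302014, 106023 and 305006.

```python
"""Parse Cisco ASA syslog lines, filter by severity, and summarise denies.

Added example for this page (not MCNC/ITS code). SAMPLE_LOG is constructed;
the bodies follow the %ASA-<severity>-<id> convention described on the slide.
"""
import re
from collections import Counter

# Severity keywords as used by the ASA 'logging trap <level>' command, by code.
SEVERITY = ["emergencies", "alerts", "critical", "errors",
            "warnings", "notifications", "informational", "debugging"]

# Every ASA message carries its own severity digit and six-digit message ID.
MSG_RE = re.compile(r"%ASA-(?P<sev>[0-7])-(?P<msgid>\d{6}):\s*(?P<text>.*)$")

# 106023 body: Deny <proto> src <if>:<ip>/<port> dst <if>:<ip>/<port> by access-group "<acl>"
DENY_RE = re.compile(
    r'Deny (?P<proto>\w+) src (?P<sif>[^:]+):(?P<sip>[\d.]+)/(?P<sport>\d+) '
    r'dst (?P<dif>[^:]+):(?P<dip>[\d.]+)/(?P<dport>\d+) by access-group "(?P<acl>[^"]+)"'
)

# Constructed sample: one browsing session, two RDP probes from the outside,
# one BitTorrent attempt from the inside, one NAT failure.
SAMPLE_LOG = """\
Mar 21 2014 09:15:01 asa-lea %ASA-6-302013: Built outbound TCP connection 188394 for outside:108.175.34.244/443 (108.175.34.244/443) to inside:10.25.4.17/52311 (152.26.1.9/52311)
Mar 21 2014 09:15:03 asa-lea %ASA-6-302014: Teardown TCP connection 188394 for outside:108.175.34.244/443 to inside:10.25.4.17/52311 duration 0:00:02 bytes 7321 TCP FINs
Mar 21 2014 09:15:04 asa-lea %ASA-4-106023: Deny tcp src outside:203.0.113.9/51000 dst inside:152.26.1.11/3389 by access-group "outside_access_in" [0x0, 0x0]
Mar 21 2014 09:15:05 asa-lea %ASA-4-106023: Deny tcp src outside:203.0.113.9/51001 dst inside:152.26.1.11/3389 by access-group "outside_access_in" [0x0, 0x0]
Mar 21 2014 09:15:06 asa-lea %ASA-4-106023: Deny udp src inside:10.25.4.17/6881 dst outside:198.51.100.7/6881 by access-group "inside_in" [0x0, 0x0]
Mar 21 2014 09:15:07 asa-lea %ASA-3-305006: portmap translation creation failed for udp src inside:10.25.4.17/137 dst outside:198.51.100.7/137
"""


def severity_name(code):
    """Map a numeric severity (0-7) to the ASA logging keyword."""
    return SEVERITY[code]


def parse_asa_line(line):
    """Return {'sev', 'msgid', 'text'} for an ASA syslog line, or None if it is not one."""
    m = MSG_RE.search(line)
    if not m:
        return None
    return {"sev": int(m.group("sev")), "msgid": m.group("msgid"), "text": m.group("text")}


def filter_by_level(lines, max_severity):
    """Keep the messages the ASA would forward at 'logging trap <max_severity>'."""
    kept = []
    for line in lines:
        msg = parse_asa_line(line)
        if msg is not None and msg["sev"] <= max_severity:
            kept.append(msg)
    return kept


def top_denied(lines, n=5):
    """Count 106023 denies by (destination IP, destination port), most frequent first."""
    counts = Counter()
    for line in lines:
        msg = parse_asa_line(line)
        if msg is None or msg["msgid"] != "106023":
            continue
        d = DENY_RE.search(msg["text"])
        if d:
            counts[(d.group("dip"), d.group("dport"))] += 1
    return counts.most_common(n)


if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    for level in (4, 6):
        ids = [m["msgid"] for m in filter_by_level(lines, level)]
        print(f"logging trap {severity_name(level)} forwards {len(ids)} of {len(lines)}: {ids}")
    for (ip, port), count in top_denied(lines):
        print(f"{count:3d} denies to {ip}:{port}")
```

At the warning level the two connection messages are dropped and the four denies and the translation failure remain, which is exactly the trade-off the slide describes: enough to see probes and failures, too little to reconstruct an individual session.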
Use good naming conventions and comments

Use of the name command (labels an address, with an optional description, so it reads meaningfully in access-lists and logs):

access-list inside_in remark for Libby Smith
name 72.22.90.231 PowerWeb description Website host
access-list inside_in extended permit tcp any4 host PowerWeb eq 8443

A name is referenced as 'host PowerWeb'; the 'object' keyword refers to a network object created with 'object network', as shown below.

Use of remark (a comment stored inside the access-list itself):

access-list outside_acl remark Employee Portal

Creation of a network object and its description:

object network XYZ_Elementary
 subnet 10.25.0.0 255.255.0.0
 description XYZ Elementary School
Group Network Objects, Ports

Example of grouped network objects and ports (one ACE replaces the eight on the next slide):

name 10.9.5.5 informer description for Jane
object-group service informer_ports tcp-udp
 port-object eq 90
 port-object eq 9090
object-group network INSIDE_NETWORK_2
 network-object host 198.6.112.110
 network-object host 63.148.144.242
object-group protocol TCPUDP
 protocol-object udp
 protocol-object tcp
access-list inside_in extended permit object-group TCPUDP host informer object-group INSIDE_NETWORK_2 object-group informer_ports

TCPUDP is the protocol group ASDM creates when a tcp-udp service group is used; it is written out here so the ACE is complete. 'object-group network' is the required form for a group of hosts, and the named host is referenced as 'host informer'.
Group Network Objects, Ports

Example of ungrouped network objects and ports (the same policy as the previous slide, written out):

access-list inside_in extended permit tcp host 10.9.5.5 host 198.6.112.110 eq 90
access-list inside_in extended permit tcp host 10.9.5.5 host 198.6.112.110 eq 9090
access-list inside_in extended permit udp host 10.9.5.5 host 198.6.112.110 eq 90
access-list inside_in extended permit udp host 10.9.5.5 host 198.6.112.110 eq 9090
access-list inside_in extended permit tcp host 10.9.5.5 host 63.148.144.242 eq 90
access-list inside_in extended permit tcp host 10.9.5.5 host 63.148.144.242 eq 9090
access-list inside_in extended permit udp host 10.9.5.5 host 63.148.144.242 eq 90
access-list inside_in extended permit udp host 10.9.5.5 host 63.148.144.242 eq 9090
Remove Unneeded Access-lists

name 10.8.1.51 Room-X
static (inside,outside) 152.26.1.2 Room-X netmask 255.255.255.255
access-list outside_acl extended permit ip any host 152.26.1.2
access-list outside_acl extended permit tcp any host 152.26.1.2
access-list outside_acl extended permit udp any host 152.26.1.2
access-list outside_acl extended permit ip any host 152.26.1.3
access-list outside_acl extended permit object-group DM_INLINE_SERVICE any host 152.26.1.3
access-list outside_acl extended permit object-group xyz host AS400 range ftp telnet
access-list outside_acl extended permit tcp host x.x.x.x host AS400 gt ftp
access-list outside_acl extended permit tcp any host AS400 eq ftp

What to remove, and why: the ASA evaluates an access-list top-down and stops at the first match, so 'permit ip any host 152.26.1.2' already matches everything the tcp and udp lines beneath it would, and those two lines are dead. The same 'permit ip any' for 152.26.1.3 makes the DM_INLINE_SERVICE line redundant, and both permit-ip lines are the any-protocol rule the "avoid any/any" slide warns against. For AS400, 'range ftp telnet' (ports 21 to 23) already covers 'eq ftp', and 'gt ftp' opens every port above 21 from x.x.x.x, which is almost certainly more than intended. (The 'static' line is the pre-8.3 NAT syntax; the AS400 lines are abbreviated on the slide.)
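The "avoid any/any" slide and this one come down to the same two checks: is an ACE broader than the service it is meant to permit, and can it ever be reached? The script below is an added example, not part of the presentation or an MCNC/ITS tool. It parses access-list lines in the forms used on these slides and, applying the ASA's first-match rule, reports any/any and any-protocol permits as well as ACEs that an earlier ACE in the same list already covers (redundant if the action is the same, unreachable if it differs). The sample configuration is constructed from this slide's outside_acl plus an inside list; object-groups are compared by name only and masks are not expanded, which is a simplification of the real grammar.

```python
"""Audit Cisco ASA access-list entries for any/any rules and shadowed ACEs.

Added example for this page (not MCNC/ITS tooling). Understands the ACE shapes
used on these slides (any / host X / object-group X / object X / addr mask, an
optional port qualifier) and applies ASA first-match semantics: an ACE fully
covered by an earlier ACE in the same list can never match. Object-groups are
compared by name only and masks are not expanded. SAMPLE_ACL is constructed.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

ANY = {"any", "any4", "any6"}
ADDR = r"any4?|any6|host\s+\S+|object(?:-group)?\s+\S+|\d+(?:\.\d+){3}\s+\d+(?:\.\d+){3}"
ACE_RE = re.compile(
    r"^access-list\s+(?P<acl>\S+)\s+(?:extended\s+)?(?P<action>permit|deny)\s+"
    r"(?P<proto>object-group\s+\S+|\S+)\s+"
    r"(?P<src>" + ADDR + r")\s+(?P<dst>" + ADDR + r")"
    r"(?:\s+(?P<port>eq\s+\S+|gt\s+\S+|lt\s+\S+|range\s+\S+\s+\S+|object-group\s+\S+))?\s*$"
)

# Constructed sample: the slide's outside_acl (minus the abbreviated AS400 lines)
# plus an inside list with a deny that sits below a permit-everything rule.
SAMPLE_ACL = """\
name 10.8.1.51 Room-X
access-list outside_acl remark Room-X and the public web host
access-list outside_acl extended permit ip any host 152.26.1.2
access-list outside_acl extended permit tcp any host 152.26.1.2 eq www
access-list outside_acl extended permit udp any host 152.26.1.2
access-list outside_acl extended permit ip any host 152.26.1.3
access-list outside_acl extended permit object-group DM_INLINE_SERVICE any host 152.26.1.3
access-list inside_in extended permit ip any any
access-list inside_in extended deny tcp any any eq 6881
"""


@dataclass
class Ace:
    line: str
    acl: str
    action: str
    proto: str
    src: str
    dst: str
    port: Optional[str]


def _norm(s: Optional[str]) -> Optional[str]:
    """Collapse internal whitespace so 'host  X' and 'host X' compare equal."""
    return None if s is None else " ".join(s.split())


def parse_ace(line: str) -> Optional[Ace]:
    """Parse one access-list entry; names, statics, remarks and objects return None."""
    m = ACE_RE.match(line.strip())
    if not m:
        return None
    return Ace(line.strip(), m.group("acl"), m.group("action"), _norm(m.group("proto")),
               _norm(m.group("src")), _norm(m.group("dst")), _norm(m.group("port")))


def covers(broad: Ace, narrow: Ace) -> bool:
    """True if every packet 'narrow' could match is already matched by 'broad'."""
    return (broad.acl == narrow.acl
            and (broad.proto == "ip" or broad.proto == narrow.proto)
            and (broad.src in ANY or broad.src == narrow.src)
            and (broad.dst in ANY or broad.dst == narrow.dst)
            and (broad.port is None or broad.port == narrow.port))


def audit(lines) -> List[Tuple[str, str]]:
    """Return (finding, ace_line) pairs in configuration order."""
    findings: List[Tuple[str, str]] = []
    seen: List[Ace] = []
    for line in lines:
        ace = parse_ace(line)
        if ace is None:
            continue
        if ace.action == "permit" and ace.proto == "ip" and ace.src in ANY:
            findings.append(("any/any" if ace.dst in ANY
                             else "too broad: every IP protocol from any source", ace.line))
        for earlier in seen:          # first-match: only the first covering ACE matters
            if covers(earlier, ace):
                kind = ("shadowed: redundant with an earlier ACE" if earlier.action == ace.action
                        else f"unreachable: an earlier {earlier.action} matches first")
                findings.append((kind, ace.line))
                break
        seen.append(ace)
    return findings


if __name__ == "__main__":
    for kind, line in audit(SAMPLE_ACL.splitlines()):
        print(f"{kind:48s} {line}")
```

Run against a 'show running-config access-list' capture, the output is a list of lines to delete or tighten; the unreachable deny on inside_in is the egress-filtering mistake from the "Allow Only Essential Services Out" slide, caught mechanically.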
Why Use AnyConnect for Remote Administration?

access-list outside_in permit tcp any host 152.26.1.11 eq 3389

This rule exposes RDP on 152.26.1.11 to every address on the Internet: anyone can reach the logon prompt and try credentials. An AnyConnect VPN puts an authenticated, logged tunnel in front of the same service instead.
Use AnyConnect

- Require users to authenticate to AnyConnect at the ASA before they can reach internal resources.
- Authentication may be via usernames defined on the ASA or tied to Active Directory.
- Access can be audit-trailed when tied to AD.
- Access-lists can be applied at the ASA level and tied to local users or AD groups.
AnyConnect Platforms

- Microsoft Windows (XP, Vista, 7, 8)
- Mac OS X
- Linux (Red Hat, Ubuntu)
- iOS (iPhone, iPod, iPad) mobile client*
- Android client*

* Requires ASA mobile license
ASA Monitoring and Troubleshooting – ASA Read-only Access

- ITS can provide read-only access for ITS-managed firewalls.
- Access via ASDM (GUI) or SSH (command line).
- Request an account through MCNC.
- User credentials are held in the ITS-managed TACACS+ server.
- Read-only access prevents accidents!
ASA Monitoring and Troubleshooting

- "show" commands
- "Top 10" services, sources, destinations
- Interface traffic (kb/connections)
- Memory and CPU utilization
- Packet tracer utility
- Packet capture wizard
- Logs
ASA Monitoring and Troubleshooting – "show" commands

Commands available to the read-only account, besides show:

| Command | Arguments |
|---|---|
| dir | disk0:/dap.xml |
| enable | |
| exit | |
| logout | |
| more | system:running-config |
| packet-tracer | |
| quit | |
| read | |
| threat-detection | statistics* |

* Not on all models/versions
ASA Monitoring and Troubleshooting – "show" commands

- show access-list
- show activation-key detail
- show asdm sessions
- show blocks
- show cluster info*
- show configuration
- show conn
- show cpu core all*
- show crypto ca certificate
- show curpriv
- show firewall
- show interface

* Not on all models/versions
ASA Monitoring and Troubleshooting – "show" commands (continued)

- show ips
- show mode*
- show module
- show nat
- show pager
- show pdm logging*
- show pdm sessions*
- show route
- show running-config
- show service-policy-user*
- show startup-config
- show version

* Not on all models/versions
ASA Monitoring and Troubleshooting – Interface Traffic
(screenshot not reproduced: top 10 access-rules)

ASA Monitoring and Troubleshooting – "Top 10"
(screenshot not reproduced)

ASA Monitoring and Troubleshooting – "Top 10"
Top 10 sources from the screenshot: #1 108.175.34.244 = Netflix; #2 216.177.128.42 = Alentus Internet (hosting)

ASA Monitoring and Troubleshooting – Memory and CPU
(screenshot not reproduced)

ASA Monitoring and Troubleshooting – Traffic
(screenshot not reproduced)

ASA Monitoring and Troubleshooting – SYN Attacks
(screenshot not reproduced; the source shown is 200.165.244.186 = user.velox.com.br)

ASA Monitoring and Troubleshooting – Connections/Drops
(screenshot not reproduced)
ASA Monitoring and Troubleshooting – Packet Tracer

- Packet Tracer lets the administrator simulate a packet's flow through the firewall to test connectivity.
- Packet Tracer should be the first step in troubleshooting connectivity through the firewall.
ASA Monitoring and Troubleshooting – Packet Capture Wizard

- The Packet Capture Wizard is used to examine actual traffic in detail.
- Usually the second step, when Packet Tracer indicates the traffic is allowed but connectivity problems persist.
ASA Monitoring and Troubleshooting – Logs

- The ASDM Real Time Log Viewer lets an administrator watch the log as it is generated.
- Allows filtering based on expressions or search criteria.
- The logging level can be set independently of the syslog logging level for the length of the session.
- Limited to buffer size. Maximum buffer size is 2000.
Support

Service Inquiries and Requests

- Reach the DPI team by contacting the Network Analysts listed at: http://www.ncpublicschools.org/connectivity/directory/

Post-deployment Support

- For network-related issues, please continue to call Network Operations Center Support at 877-GO-NCREN (877-466-2736) or 919-248-1111.
- For issues related to your web security or firewall service, please contact the SysOps Team by calling 919-248-4111 or by sending an email to [email protected].
- For questions related to firewall "Best Practices", please contact the CNE Team by sending an email to [email protected]