Archive for the ‘Security’ Category

ASA – Botnet Configuration

December 10th, 2010

Documentation
This configuration example is meant to be interpreted with the aid of the official documentation from the configuration guide located here:
http://www.cisco.com/en/US/docs/security/asa/asa82/configuration/guide/conns_botnet.htm
Overview
Malware is malicious software that is installed on an unknowing host. Malware that attempts network activity such as sending private data (passwords, credit card numbers, key strokes, or proprietary data) can be detected by the Botnet Traffic Filter when the malware starts a connection to a known bad IP address. The Botnet Traffic Filter checks incoming and outgoing connections against a dynamic database of known bad domain names and IP addresses (the blacklist), and then logs or blocks any suspicious activity.
Prerequisite
The ASA must be running at least version 8.2 code to configure the Botnet Traffic Filter feature.
ASA-5505# sh ver

Cisco Adaptive Security Appliance Software Version 8.2(1)
Device Manager Version 6.2(5)
…….
Botnet license must be installed on the ASA

ASA-5505# sh ver
 
Cisco Adaptive Security Appliance Software Version 8.2(1) 
Device Manager Version 6.2(5)
.......
Botnet Traffic Filter        : Enabled

Once the license expires, filtering stops working until the license is renewed.
Limitations
Botnet Traffic Filter does not share any information between Failover pairs.
Failovers or Reboots require a re-download of the Dynamic Database.
Currently there is no support for IPv6.
Step by Step Configuration

1. Enable DNS client on ASA
This step is required so the ASA can resolve the address of Cisco's (CSIO) updater service, which the dynamic filter update client needs in order to fetch database updates.

 
ASA(config)# dns domain-lookup outside
ASA(config)#dns server-group DefaultDNS
ASA(config-dns-server-group)#name-server 4.2.2.2

 

2. Enable dynamic traffic filtering (Botnet Traffic Filter).

ASA(config)#dynamic-filter updater-client enable

 

3. Enable the Botnet Traffic Filter database update.

ASA(config)#dynamic-filter use-database

 

4. Classify which traffic is exempted from the filter and which is subjected to it (in the classify list, deny means exempt and permit means subject).

ASA(config)#access-list botnet-exclude extended deny ip any 192.168.0.0 255.255.0.0  ---> exempted traffic
ASA(config)#access-list botnet-exclude extended permit ip any any  ---> subjected traffic

 

5. Enable dynamic-filter classification on outside interface

ASA(config)#dynamic-filter enable interface outside classify-list botnet-exclude

 

6. Configure a class map that matches only DNS traffic

ASA(config)#class-map botnet-DNS
ASA(config-cmap)# match port udp eq domain

 

7. Enable DNS snooping on the external interface

ASA(config)# policy-map botnet-policy
ASA(config-pmap)# class botnet-DNS
ASA(config-pmap-c)# inspect dns dynamic-filter-snoop
ASA(config)# service-policy botnet-policy interface outside

 

Alternatively, you can also choose to apply this to the existing global policy that is already configured on the ASA.

class-map inspection_default
match default-inspection-traffic
!
policy-map global_policy
class inspection_default
  inspect dns dynamic-filter-snoop
  ...
service-policy global_policy global

8. Define local whitelists and/or blacklists if needed.
Never block addresses:
This is traffic to or from an IP address that is considered good. These entries come from administrator-configured lists.

 
ASA(config)# dynamic-filter whitelist
ASA(config-llist)# name www.google.com
ASA(config-llist)# name www.cisco.com

 

Manual Black List:
This is traffic to or from an IP address that is considered malicious. The address can be an IP address/network entry in the dynamic blacklist or in the administrator-configured blacklist, or it can be a snooped IP address that was found in a DNS reply for a blacklisted domain.

ASA(config)# dynamic-filter blacklist
ASA(config-llist)# name www.crackhell.com
ASA(config-llist)# name www.megaport.hu
ASA(config-llist)# address 164.109.48.46 255.255.255.255

 

Final Configuration Section:

dns domain-lookup outside
dns server-group DefaultDNS
name-server 4.2.2.2
!
dynamic-filter updater-client enable
dynamic-filter use-database
!
access-list botnet-exclude extended deny ip any 192.168.0.0 255.255.0.0 
access-list botnet-exclude extended permit ip any any
!
dynamic-filter enable interface outside classify-list botnet-exclude
!
class-map botnet-DNS
match port udp eq domain
!
policy-map botnet-policy
class botnet-DNS
  inspect dns dynamic-filter-snoop 
!
service-policy botnet-policy interface outside

Logging

The Botnet Traffic Filter reports its events with the following syslog message IDs (see the system message guide linked below):
338001 – 338004
338101 – 338104
338201 – 338204
338301 – 338310

http://www.cisco.com/en/US/docs/security/asa/asa82/system/message/logmsgs.html#wp5787165
Show commands

show dynamic-filter data
dynamic-filter database find <string>
show dynamic-filter reports top botnet-sites
show dynamic-filter reports top infected-hosts
show dynamic-filter reports top botnet-ports

 

clear dynamic-filter statistics
The dynamic filter statistics can be cleared at any time with this command. To clear the statistics for a single interface, add the optional interface <nameif> keyword to the command.

clear dynamic-filter reports top [botnet-sites | botnet-ports | infected-hosts]
This command will reset all statistics back to 0 and remove all entries from the reports.

clear dynamic-filter dns-snoop
This command deletes all entries from the DNS reverse cache (DNSRC).
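The Logging and show-command sections above describe the syslog IDs and the "top infected-hosts" / "top botnet-sites" reports. The following is an added example (not from the original post or from Cisco) that builds the same per-host and per-destination tallies from exported syslog; the log lines are constructed approximations of the Botnet Traffic Filter message layout, so verify the field order against the syslog reference linked above before relying on the regex.

```python
import re
from collections import Counter

# Constructed sample lines in the general shape of the ASA Botnet Traffic
# Filter "Dynamic Filter ..." syslog messages (monitored/dropped, blacklisted/
# whitelisted). They are not captured from a real device.
SAMPLE_LOG = """\
%ASA-4-338001: Dynamic Filter monitored blacklisted TCP traffic from inside:10.1.1.45/6798 (209.165.201.1/7890) to outside:209.165.202.129/80 (209.165.202.129/80), destination 209.165.202.129 resolved from dynamic list: bad.example.com, threat-level: very-high, category: Malware
%ASA-4-338002: Dynamic Filter monitored blacklisted UDP traffic from inside:10.1.1.45/5123 (209.165.201.1/5123) to outside:164.109.48.46/53 (164.109.48.46/53), destination 164.109.48.46 resolved from local list: 164.109.48.46, threat-level: very-high, category: admin-added
%ASA-4-338201: Dynamic Filter dropped blacklisted TCP traffic from inside:10.1.1.77/40001 (209.165.201.1/40001) to outside:209.165.202.130/443 (209.165.202.130/443), destination 209.165.202.130 resolved from local list: www.crackhell.com, threat-level: very-high, category: admin-added
%ASA-4-338101: Dynamic Filter monitored whitelisted TCP traffic from inside:10.1.1.45/6800 (209.165.201.1/6800) to outside:209.165.202.131/80 (209.165.202.131/80), destination 209.165.202.131 resolved from local list: www.google.com, threat-level: none, category: admin-added
"""

# One regex for the whole message; the action (monitored/dropped) and verdict
# (blacklisted/whitelisted) are taken from the text rather than the message ID.
MSG_RE = re.compile(
    r"%ASA-\d-(?P<msgid>338\d{3}): Dynamic Filter (?P<action>monitored|dropped) "
    r"(?P<verdict>blacklisted|whitelisted) (?P<proto>TCP|UDP) traffic from "
    r"(?P<src_if>\w+):(?P<src>[\d.]+)/\d+ \([\d.]+/\d+\) to "
    r"(?P<dst_if>\w+):(?P<dst>[\d.]+)/(?P<dport>\d+) \([\d.]+/\d+\), "
    r"(?:destination|source) [\d.]+ resolved from (?P<list>\w+) list: (?P<name>[^,]+), "
    r"threat-level: (?P<level>[\w-]+), category: (?P<category>.+)$"
)


def parse_line(line):
    """Return the named fields of one Botnet Traffic Filter message, or None."""
    m = MSG_RE.match(line.strip())
    return m.groupdict() if m else None


def summarize(log_text):
    """Tally blacklist hits per internal host and per destination name, the same
    view 'show dynamic-filter reports top infected-hosts / botnet-sites' gives
    on the box. Whitelist hits are skipped as informational."""
    infected, sites, dropped = Counter(), Counter(), 0
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["verdict"] != "blacklisted":
            continue
        infected[rec["src"]] += 1
        sites[rec["name"]] += 1
        dropped += rec["action"] == "dropped"
    return {"infected_hosts": infected, "botnet_sites": sites, "dropped": dropped}
```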


Cisco ASA 5510 running config 8.2(5)

June 2nd, 2007

It is useful to see what the default configuration on an ASA looks like. There is no default password: when prompted for one, press Enter to get access.

ciscoasa# show run
: Saved
:
ASA Version 8.2(5)
!
hostname ciscoasa
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface Ethernet0/0
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Ethernet0/1
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Ethernet0/2
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Ethernet0/3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 nameif management
 security-level 100
 ip address 192.168.1.1 255.255.255.0
 management-only
!
ftp mode passive
pager lines 24
logging asdm informational
mtu management 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 192.168.1.0 255.255.255.0 management
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd address 192.168.1.2-192.168.1.254 management
dhcpd enable management
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect ip-options
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:804031d1aeddcd0b07051e5ac29dec2e
: end
ciscoasa#

Enabling ssh on a Cisco ASA

August 20th, 2005

Created a local username and password and enabled SSH:

username romeo password Cisco123!
ssh 10.10.1.0 255.255.255.0 outside

 

Enabled SSH debugging with the command "debug ssh" and received the following debug output:

ASA# Device ssh opened successfully.
SSH0: SSH client: IP = '10.10.1.27'  interface # = 1
SSH: unable to retrieve default host public key.  Please create a defauth RSA key pair before using SSH
SSH0: Session disconnected by SSH server - error 0x00 "Internal error"
ASA#

 

Issued the following command to generate a key:

ASA(config)# crypto key generate rsa
INFO: The name for the keys will be: <Default-RSA-Key>
Keypair generation process begin. Please wait...
ASA(config)#

 

Got a connection with the following debugging lines:

Device ssh opened successfully.
SSH0: SSH client: IP = '10.10.1.27'  interface # = 1
SSH: host key initialised
SSH: license supports 3DES: 2
SSH: license supports DES: 2
SSH0: starting SSH control process
SSH0: Exchanging versions - SSH-1.99-Cisco-1.25
SSH0: send SSH message: outdata is NULL
server version string:SSH-1.99-Cisco-1.25SSH0: receive SSH message: 83 (83)
SSH0: client version is - SSH-2.0-PuTTY_Release_0.60
client version string:SSH-2.0-PuTTY_Release_0.60SSH0: begin server key generation
SSH0: complete server key generation, elapsed time = 3030 ms
SSH2 0: SSH2_MSG_KEXINIT sent
SSH2 0: SSH2_MSG_KEXINIT received
SSH2: kex: client->server aes256-cbc hmac-sha1 none
SSH2: kex: server->client aes256-cbc hmac-sha1 none
SSH2 0: expecting SSH2_MSG_KEXDH_INIT
SSH2 0: SSH2_MSG_KEXDH_INIT received
SSH2 0: signature length 143
SSH2: kex_derive_keys complete
SSH2 0: newkeys: mode 1
SSH2 0: SSH2_MSG_NEWKEYS sent
SSH2 0: waiting for SSH2_MSG_NEWKEYS
SSH2 0: newkeys: mode 0
SSH2 0: SSH2_MSG_NEWKEYS received

 

Typed in an existing username/password that is already on the ASA and got access denied. Debugging shows:

SSH(romeo): user authen method is 'no AAA', aaa server group ID = 0
SSH2 0: authentication failed for romeo

 

AAA method setup

ASA(config)# aaa authentication ssh console LOCAL

 

Logged in successfully. Here is the debug log for a successful connection:

SSH(romeo): user authen method is 'use AAA', aaa server group ID = 1
SSH2 0: authentication successful for romeo
SSH2 0: channel open request
SSH2 0: pty-req request
SSH2 0: requested tty: xterm, height 24, width 80
SSH2 0: shell request
SSH2 0: shell message received
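The two posts above (the default running config and the SSH troubleshooting) show that a local username alone is not enough: without "aaa authentication ssh console LOCAL" the debug reports 'no AAA' and the login fails. As an added example (not from the original posts), the script below audits an ASA running config for exactly those SSH-related lines; SAMPLE_CONFIG is a constructed excerpt that mirrors the failed first attempt, and the "ssh version 2" check is an extra I added (the debug above shows SSH-1.99, meaning both protocol versions are offered).

```python
import re

# Constructed running-config excerpt: the post's local user and ssh permit
# line, but no AAA line yet (the state in which the login was refused).
SAMPLE_CONFIG = """\
hostname ASA
username romeo password Cisco123!
ssh 10.10.1.0 255.255.255.0 outside
ssh timeout 5
telnet timeout 5
"""


def audit_ssh(config_text):
    """Return {check_name: passed} for the SSH management lines of an ASA config."""
    lines = [l.strip() for l in config_text.splitlines()]

    def has(pattern):
        return any(re.match(pattern, l) for l in lines)

    return {
        # some host/network must be permitted to reach SSH on an interface
        "ssh_permit_present": has(r"ssh \d+\.\d+\.\d+\.\d+ \d+\.\d+\.\d+\.\d+ \S+$"),
        # without this line a local username fails with 'no AAA' in debug ssh
        "aaa_ssh_local": has(r"aaa authentication ssh console LOCAL$"),
        # a local account has to exist for LOCAL authentication to succeed
        "local_user_defined": has(r"username \S+ password "),
        # restricts the server to SSHv2 (the debug shows SSH-1.99 otherwise)
        "sshv2_only": has(r"ssh version 2$"),
        # a 'telnet <net> <mask> <iface>' line would permit plaintext management;
        # 'telnet timeout 5' alone does not open telnet access
        "no_telnet_access": not has(r"telnet \d+\.\d+\.\d+\.\d+ "),
    }


def missing_checks(config_text):
    """Names of the checks that fail, sorted, for a quick remediation list."""
    return sorted(name for name, ok in audit_ssh(config_text).items() if not ok)


if __name__ == "__main__":
    print("missing before fix:", missing_checks(SAMPLE_CONFIG))
    fixed = SAMPLE_CONFIG + "aaa authentication ssh console LOCAL\nssh version 2\n"
    print("missing after fix: ", missing_checks(fixed))
```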

 

Enabling SSH on Cisco PIX 6.3

February 15th, 2005

To enable SSH on Cisco PIX 6.3:

Clear all RSA keys. Remove any existing keys from the database with the command:

ca zeroize rsa

 

Assign a host name

hostname CISCOTALK-AUS-PIX

 

Assign a domain name

domain-name testlab.local

 

Generate the RSA key (this example uses a 512-bit modulus; a larger modulus gives a stronger key)

ca generate rsa key 512

 

Save the RSA key

ca save all

 

Enable SSH

ssh 8.8.8.0 255.255.255.0 outside