yurisk.info » ASA/PIX Cisco

SMTP inspection with policy-map in ASA

Yuri — Wed, 26 May 2010 18:14:26 +0000

This is the first time I was disappointed by the cisco.com or Checkopint:ASA 1:0. I have had a simple task at hand – configure SMTP inspection in ASA 8.0(3) and cisco.com documentation didn’t help me at all. But first the task:Secure internal mail server by preventing it from sending spam outbound. It comes to mind two very simple but largely effective measures – block mails with From: field set to any domain but ours, and block attempts to relay Through the internal mail server mails destined to any domain but ours. In Checkpoint I can do it quite simply with SMTP Resource. Unfortunately in ASA it is not the case. Let’s look at final SMTP inspection I configured in ASA.
Input :
Internal server having outside IP address of 199.202.2.3 serves two domains apple.com and microsoft.com
Task:
- block mails with From: field set to any domain but apple.com or microsoft.com
- block mail relying for any domain but microsoft.com or apple.com
NOTE. Here I did this config on the production client so had no room for experimenting with all “what ifs” Identify mails direction from inside server outbound. I did it as didn’t find reliable info about sender-address match condition – does it match in any direction if applied globally on all traffic ? I mean , if it just looks at Mail from: field and acts on mails in both directions then it would block mails coming in from any domain but client’s own.
To prevent even checking this on client I did this ACL that will apply this SMTP inspection to outgoing mails
anyway.

BigInJapan(config)#access-list Mail-server permit tcp host 199.202.2.3 any eq 25

To block mails with From filed other than client’s domains I use regex that matches client’s domains and the use negation with NOT.

BigInJapan(config)# regex PermittedSenders “@microsoft.com|@apple.com “

Create policy-map where all the tweaked parameters are set (as of ASA 8.2 there is still no class-map type inspect esmtp) .

BigInJapan (config)# policy-map type inspect esmtp NoSpamOutside

Match all mails that Mail from field is anything but *@microsoft.com or *@apple.com. Action is reset and log.
It is more secure I guess to drop instead of reset as in drop malware would have to wait until some timeout, but I didn’t care here anyway.

BigInJapan(config-pmap)# match not sender-address regex PermittedSenders
BigInJapan(config-pmap-c)# reset log
BigInJapan(config-pmap-c)# exit

Various parameters. Here you set internal domain the mail server is serving, so trying to deliver mails to any other domain would be seen as illegal relaying and dropped. But also I was surprised to know here that policy-map mail-relay parameter can be used only once, leaving you without this protection if you have multiple domains served from the same server. So below is theoretical configuration if my client had just one domain on his server.

BigInJapan(config-pmap)# parameters
BigInJapan(config-pmap-p)# mail-relay apple.com action drop-connection log
BigInJapan(config-pmap-p)# exit
BigInJapan(config-pmap)# exit

Now create general policy-map to tie it all together.

BigInJapan(config)# policy-map NoSpamFromUs
BigInJapan(config-pmap)# class Mail-server
BigInJapan(config-pmap-c)# inspect esmtp NoSpamOutside
BigInJapan(config-pmap-c)# exit
BigInJapan(config-pmap)# exit

And apply it on some interface.

Important: according to Hucaby’s ASA handbook application protocol inspection is applied AFTER the NAT rules are done, so you need to use in your class-map/ACL IPs that are after the translation. Internal IP of the mail server is 192.168.3.3 that is statically NATed to 199.202.2.3, so I used 199.202.2.3 in class-map’s ACL.

On which interface to apply the policy-map I guess doesn’t matter but to be sure I did it on the outside.

BigInJapan(config)# service-policy NoSpamFromUs interface outside

Link to Inspection page in ASA 8.
Applying Application Layer Protocol Inspection

IP Options are evil – drop them , drop them on Cisco Asa/IOS Microsoft ISA Juniper or Checkpoint

Yuri — Sat, 23 Jan 2010 19:51:22 +0000

As you probably noticed IP header has variable length placeholder for the IP Options field. It has been there since the beginning , once a good idea for debug now turned into trouble. RFC 791 states that hosts/routers supporting IP protocol must implement Ip Options filed . It is up to the vendor to decide what to do with this optional field, but it must understand it. Still, wouldn’t be a problem if not modern architecture of the routing equipment that was designed to do most efficiently Routing , i.e. pass from interface to interface gigabytes of traffic. Therefore routing functions are highly optimized and most of the time are implemented in hardware . All other types of traffic unfortunately are not, and in most of the cases processing , lets call it Control traffic, is being left to poor router CPU and done in software. That brought the troubles into the IP world – relatively small amounts of control traffic (including Ip Options packets) may bring down otherwise
powerful router in just minutes.
To prevent this attack vendors implemented protection measures to drop entirely or selectively IP packets that has Ip Options filed set. Below is quick cheat sheet how to do it in some gear :

Checkpoint firewall NG/NGX – packets with Ip Options are dropped by default except for the “Router Alert” option (0×94) for the IGMPv2 and PIM protocols [or so CP claim, will have to verify later] and not even logged. To start logging dropped packets go to Policy -> Global Properties -> Log and Alerts -> check Ip dropped packets : Log

There is a value related to it that is on by default : Global Properties -> SmartDashboard customization -> Advanced Configuration -> Configure -> Firewall 1 -> Stateful inspection -> enable_ip_options (check/uncheck) but unchecking it removes from firewall VM chain module that inspects these Options at all and all Ip Options packets are dropped . So all packets bearing Ip Options are happily dropped even before security rules , here:

[Expert@splat60]# fw ctl chain
in chain (9):
0: -7f800000 (9095dd60) (ffffffff) IP Options Strip (ipopt_strip)
1: – 1fffff6 (9095ee80) (00000001) Stateless verifications (asm)

Also Checkpoint say you can decide which Ip Options will be allowed later BUT only when installing the firewall: “The set of permitted options must be configured during installation … the enable_ip_options setting in SmartDashboard is then used to enable or disable this functionality. Contact Check Point support for instructions on configuring the set of allowed IP options.”

Microsoft ISA 2000 server:
– If Enable Packet Filtering is not checked then do it in IP Packet Filters -> Properties – > General tab. On the Packet Filters tab check Enable Filtering IP Options .
Microsoft ISA 2004 Server:
- IP options filtering is enabled by default
- Go to Configuration node of the server in question in Management console -> General -> Additional Security Policy
Define IP Preferences . Here you will have 3 options to deal with Ip Options packets:
a) Deny packets with any IP options;
b) Deny packets with selected IP options;
c) Deny packets with all except selected IP options
The same options are available in ISA 2006 , click on Configure IP Protection link – > IP Preference settings

IOS Cisco router :
see my other blog – to be filled later
Cisco ASA :
see my other blog – to be filled later

Juniper router:
You just add ip-options term to the filter and apply it to the interface of interest. In the example below I block only Route Record type of Ip Options, if you use any then it will block any type:

[edit firewall family inet filter NOICMP term 3]

firewall {
    family inet {
        filter NOICMP {
            term 1 {
                from {
                    address {
                        192.168.2.100/32;
                    }
                }
                then {
                    reject;
                }
            }
            term 2 {
                from {
                    ip-options route-record;
                }
                then {
                    reject;
                }
            }
            term 3 {
                from {
                    address {
                        192.168.2.0/24;
                    }
                }
                then accept;
            }
        }
    }
}

Apply to the interface:

interfaces {
    em0 {
        unit 0 {
            enable;
            family inet {
                filter {
                    input NOICMP;
                }
                address 192.168.2.133/24;
            }
        }
    }

Other possible arguments to ip-options clause:

set term 3 from ip-options ?

Possible completions:

              Range of values
  [                    Open a set of values
  any                  Any IP option
  loose-source-route   Loose source route
  route-record         Route record
  router-alert         Router alert
  security             Security
  stream-id            Stream ID
  strict-source-route  Strict source route
  timestamp            Timestamp

Windows 2008.
By default it doesnt allow/forward packets with Source Routing set, and that's good. For completeness
here is how to enable (or check whether it is enabled) source-routed forwarding:
BillG> netsh interface ipv4 set global sourceroutingbehavior=drop| forward| dontforward
- or-
Registry:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameter
Key: DisableIPSourceRouting
DWORD value: 0

Verify:
In Security any measure/protection/method is as good as the proof you can present that it actually works.
Windows:
- Ping with Record Route field set:
BillG> ping –r 9 192.2.2.1
- Ping with Strict Routing field set:
BillG> ping –k <1st_hop_router_IP> <2nd_hop_router_IP…>
- Ping with Loose Routing field set:
BillG> ping -j <1st_hop_router_IP> <2nd_hop_router_IP…>
- Ping with Timestamp option set:
BillG> ping –s 3 8.8.8.8
Linux:
- Ping with Record Route field set:
root@darktstar:~/nmap# ping -R 8.8.8.8
- Ping with Timestamp option set:
root@darkstar:~/nmap# ping -T tsonly 8.8.8.8
Linux,BSD,Unix :
This handy utility sends bunch of packets to the target to test what Ip Options the target supports:
freebsd# fragtest ip-opt 192.168.2.133
ip-opt: sec lsrr ts esec cipso satid ssrr
I run fragroute above against Juniper (8.3) that was configured in the example earlier to block only Record Route option, as you can see it is indeed missing in the output list that enumerates what Ip Options the target supports [ see Reference for fragroute details]

References for further details:
Juniper: JUNOS Enterprise Routing, 1st Edition, By Doug Marschke; Harry Reynolds, 2008
Microsoft ISA : Microsoft® ISA Server 2006 Unleashed ,By Michael Noel, 2007
Fragroute http://monkey.org/~dugsong/fragroute/
Windows 2008: Windows® Server 2008 TCP/IP Protocols and Services,By Joseph Davies, 2008

Cisco ASA privilege separation for a local user or read only user on ASA

Yuri — Mon, 18 Jan 2010 15:52:24 +0000

Today I had the need to create a user in ASA that would have read-only permissions and also could issue
only 2 commands: show run and show conn. Here is how to do it.
We talk here about user with local authentication (with TACACS it is much easier).
Just as in Cisco routers you assign specific command to some privilege level different from its default level , then create user with this privilege level :

1) Assign command to specific privilege level ( I pick here level 3 , but it may be any but 15):

(config)# privilege show level 3 mode exec command running-config
(config)# privilege show level 3 mode exec command conn

2) create username with privilege of the command you want him to give
(config)# username Joedoe password asdlgfuwe privilege 3

Now you have 2 options – create general enable password for this given level (3 here) ,so
any user after successful login can enter > enable 3 and enter it to get to level 3 enable
mode. Or , as I did here, not creating enable level 3 password at all and the user will have to enter its
privilege level using login command.
3) now user can connect by ssh (if allowed by Ip of course) :
#ssh Joedoe@10.10.10.7
Joedoe@10.10.10.7password:
ASA> login
Username: Joedoe
Password: **********
# sh curpriv
Username : Joedoe
Current privilege level : 3
Current Mode/s : P_PRIV

Reference:
Cisco ASA Configuration Guide 8.0

Finding the station/IP using/abusing most of the bandwidth – PIX/ASA

Yuri — Sat, 06 Dec 2008 09:13:12 +0000

Here is a short how-to I wrote some (well ,long) time ago for the newcomers to our department. It was written for the PIX , but applies to ASA as well in most cases,see for ASA notes for differences.
Usually it starts with client complaining about slow internet, or users that already work in net are ok but new ones can’t connect, sometimes PIX crashes periodically (depends on case – every few hours), seldom but client directly asks what station in LAN is bombing the PIX with connections.
Here are the steps to try to see what is going on:

1) Always worth knowing the current state of the PIX, lots of connections consume lots of memory
and this after all causes crash/slowness of processing/

Mambo# show memory
Free memory:        42557840 bytes
Used memory:        24551024 bytes
————-     —————-
Total memory:       67108864 bytes

2) as you may know PIX is a NAT machine – every connection (outbound/inbound)
should pass NAT translation, which creates (every connection) xlate entry (in IOS it is called
NAT table) (ASA note:you may disabel NAT ,not to say it may work in Transparent mode)

Mambo# show xlate count
1613 in use, 5246 most used
; In abused PIX you would see dozens of thousands of xlate entries, e.g. 55550

; beyond xlate entry, every connection creates conn entry in PIX memory to enable stateful
;inspection, to see their count use :

Mambo# show conn count
5271 in use, 34824 most used

; next command will show on which interface there is more traffic – to know what side of the PIX is being attacked

Mambo# show traffic
outside:
        received (in 980818.730 secs):
                1113941822 packets      498552059 bytes
                1004 pkts/sec   0 bytes/sec
        transmitted (in 980818.730 secs):
                1170564303 packets      2054434346 bytes
                1000 pkts/sec   2002 bytes/sec
inside:
        received (in 980818.730 secs):
                0 packets       0 bytes
                0 pkts/sec      0 bytes/sec
        transmitted (in 980818.730 secs):
                76 packets      4560 bytes
                0 pkts/sec      0 bytes/sec
dmz:
        received (in 980818.730 secs):
                186616723 packets       3287127501 bytes
                1 pkts/sec      3001 bytes/sec
        transmitted (in 980818.730 secs):
                196403614 packets       1465915834 bytes

Now the main part – how to find out which IP is abusing the resources:

Mambo# show local-host | incl host|count|embryonic

local host: <10.10.1.142>, conn(s)/limit = 0/0
            embryonic(s)/limit = 0/0, incomplete(s) = 0
local host: <10.10.1.53>, conn(s)/limit = 106/0
            embryonic(s)/limit = 106/0, incomplete(s) = 0
local host: <10.10.1.205>, conn(s)/limit = 14/0
            embryonic(s)/limit = 0/0, incomplete(s) = 0
local host: <10.10.1.191>, conn(s)/limit = 4/0
            embryonic(s)/limit = 0/0, incomplete(s) = 0
local host: <10.10.1.193>, conn(s)/limit = 4/0
            embryonic(s)/limit = 1/0, incomplete(s) = 0
………………………………………………………………………..
local host: <10.10.1.36>, conn(s)/limit = 22/0
            embryonic(s)/limit = 0/0, incomplete(s) = 0
local host: <10.10.1.180>, conn(s)/limit = 1/0
            embryonic(s)/limit = 0/0, incomplete(s) = 0

Legend:

local host     : Local IP of station in LAN
conn(s)/limit :   number of conn entries (connections) and their possible limit for this IP
embryonic(s)/limit : number of embryonic (half-open) connections to this IP and their limit

Looking at this output we could easily find station with most connections.

Next, to get more info (if needed)

Mambo# sh local-host 10.10.1.19
Interface Inside: 73 active, 96 maximum active, 0 denied
local host: <10.10.1.19>, conn(s)/limit = 105/0
            embryonic(s)/limit = 45/0, incomplete(s) = 0
AAA:
Xlate(s):
    PAT Global 216.163.137.3(40901) Local 10.10.1.19(3653)
    PAT Global 216.163.137.3(30938) Local 10.10.1.19(1439)
    PAT Global 216.163.137.3(61195) Local 10.10.1.19(3815)
    PAT Global 216.163.137.3(39325) Local 10.10.1.19(2387)
    PAT Global 216.163.137.3(12515) Local 10.10.1.19(1043)
    PAT Global 216.163.137.3(21891) Local 10.10.1.19(2368)
    ……………………………………………….

    PAT Global 216.163.137.3(64086) Local 10.10.1.19(4928)
;NOTE – here 216.163.137.3 is IP of outside interface of PIX

To temporary block some station – it will not be able to create new connections
and exsiting ones will be deleted. This block is active until next reboot.
Mambo# shun 10.10.1.19
To see active shuns:
Mambo# show shun
To disable shun
Mambo# no shun 10.10.1.19
Personal NOTE: Such call is a sure sign of unordered/amateurish network administration . And it always starts with the key phrase – “Your line is down, we have no Internet”. On my answer, after I look at MRTG
graphs of the client line and see 100% usage, that “Of course , you are using up all your bandwidth” they reply “It is impossible, can you tell me who is abusing the line ?” While I may spend 10 mins
explaing this ’sysadmin’ that PIX/ASA/etc is not a statistics/monitoring device and other solutions exist for that and MRTG is free etc., I usually give up on them and save myself 10
mins of my time and just give them what they want . In the next post I will write about doing the same in Cisco router.