Not limited to the CCIE Security Lab only, of course, here is the list of books I find really useful in preparing for the Lab.
Amazon Listmania list
While the reason for me getting involved with this ASA 5510 module is of less interest (the client was getting the notification message "LogServer has recently stopped on InterScan for CSC SSM"; more about that at the end of the post), the module itself looks cute, so I bring here some output to give you a taste of what it is.
– General status of the module from the ASA CLI prompt.
See that some traffic actually gets redirected to the module.
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect ip-options
 class global-class
  csc fail-open
Class-map: global-class
CSC: packet sent 324010194
CSC: packet received 359600712
Getting details from the Service Module, please wait…
ASA 5500 Series Content Security Services Module-10
Model: ASA-SSM-CSC-10-K9
Hardware version: 1.0
Serial Number: JAF777777
Firmware version: 1.0(11)5
Software version: CSC SSM 6.3.1172.4
MAC Address Range: c333.7333.b333 to c333.7333.b333
App. name: CSC SSM
App. Status: Up
App. Status Desc: CSC SSM scan services are available
App. version: 6.3.1172.4
Data plane Status: Up
Status: Up
HTTP Service: Up
Mail Service: Up
FTP Service: Up
Activated: Yes
Mgmt IP addr: 192.168.21.119
Mgmt web port: 8443
Mod Card Type                                    Model              Serial No.
--- -------------------------------------------- ------------------ -----------
  0 ASA 5510 Adaptive Security Appliance         ASA5510            JMX333333
  1 ASA 5500 Series Content Security Services Mo ASA-SSM-CSC-10-K9  JAF333333

Mod MAC Address Range                 Hw Version   Fw Version   Sw Version
--- --------------------------------- ------------ ------------ ---------------
  0 3333.3333.3333 to 3333.3333.3333  2.0          1.0(11)5     8.2(3)
  1 3333.3333.3333 to 3333.3333.3333  1.0          1.0(11)5     CSC SSM 6.3.1172.4

Mod SSM Application Name           Status           SSM Application Version
--- ------------------------------ ---------------- --------------------------
  1 CSC SSM                        Up               6.3.1172.4

Mod Status             Data Plane Status     Compatibility
--- ------------------ --------------------- -------------
  0 Up Sys             Not Applicable
  1 Up                 Up
– Now let's enter the module itself.
Opening command session with slot 1.
Connected to slot 1. Escape character sequence is ‘CTRL-^X’.
login: cisco
Password:
***NOTICE***
This product contains cryptographic features and is subject to United States
and local country laws governing import, export, transfer and use. Delivery
of Cisco cryptographic products does not imply third-party authority to import,
export, distribute or use encryption. Importers, exporters, distributors and
users are responsible for compliance with U.S. and local country laws. By using
this product you agree to comply with applicable laws and regulations. If you
are unable to comply with U.S. and local laws, return this product immediately.
A summary of U.S. laws governing Cisco cryptographic products may be found at:
http://www.cisco.com/wwl/export/crypto/tool/stqrg.html
If you require further assistance please contact us by sending email to
export@cisco.com.
Trend Micro InterScan for Cisco CSC SSM Setup Main Menu
———————————————————————
1. Network Settings
2. Date/Time Settings
3. Product Information
4. Service Status
5. Password Management
6. Restore Factory Default Settings
7. Troubleshooting Tools
8. Reset Management Port Access Control List
9. Ping
10. Exit …
Enter a number from [1-10]:
– Are all services actually running?
Enter a number from [1-10]: 4
Service Status
———————————————————————
The CSC SSM RegServer service is running
The CSC SSM URLFD service is running
The CSC SSM ScanServer service is running
The CSC SSM HTTP service is running
The CSC SSM FTP service is running
The CSC SSM Notification service is running
The CSC SSM Mail service is running
The CSC SSM GUI service is running
The CSC SSM SysMonitor service is running
The CSC SSM Failoverd service is running
The CSC SSM LogServer service is running
The CSC SSM SyslogAdaptor service is running
The CSC SSM Syslog-ng service is running
The CSC SSM TMCM-Agent service is not enabled
– The troubleshooting information is rather overwhelming.
Enter a number from [1-7]: 2
Troubleshooting Tools – Show System Information
———————————————————————
1. Show System Information on Screen
2. Upload System Information
3. Return to Troubleshooting Tools Menu
Enter a number [1-3]: 1
++++++++++++++++++++++
Thu Feb 17 08:04:17 IST 2011 (2)
System is : Up
#@ Product Information
Trend Micro InterScan for Cisco CSC SSM
Version: 6.3.1172.4
Upgrade History: 6.3.1172.4
Engineering Build:
SSM Model: SSM-10
SSM S/N: JAF7777777
#@ Scan Engine and Pattern Information
Virus Scan Engine: 9.2.1012 (Updated: 2010-10-14 07:51:11)
Virus Pattern: 7.841.00 (Updated: 2011-02-17 05:51:23)
Spyware/Grayware Pattern: 1.151.00 (Updated: 2011-02-17 06:51:20)
AntiSpam Engine: 6.5.1024 (Updated: 2010-10-14 07:51:54)
AntiSpam Rule: 17960 (Updated: 2011-02-16 16:53:55)
IntelliTrap Pattern: 0.151.00 (Updated: 2011-02-01 09:07:20)
IntelliTrap Exception Pattern: 0.631.00 (Updated: 2011-02-15 08:51:15)
#@ License Information
Product:Base License
License profile host info check OK.
Version:Standard
Activation Code:PX-xxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
Seats:000100
Status:Activated
Expiration date:10/6/2011
Product:Plus License
License profile host info check OK.
Version:Standard
Activation Code:PX-xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
Status:Activated
Expiration date:10/6/2011
Daily Node Count: 221
Current Node Count: 85
#@ Kernel Information
Linux ssm 2.6.17.8 #13 PREEMPT Fri Nov 6 06:32:00 PST 2009 i686 unknown
ASDP Driver 1.1(0) is UP:
Total Connection Records: 159623
Connection Records in Use: 156
Free Connection Records: 159467
------ Shared Memory Segments --------
key        shmid      owner      perms      bytes      nattch     status
0x00003186 4653056    root       666        2621440    1
0x00000000 4456449    root       600        16         2          dest
0x00000000 4620290    root       600        1000000    1          dest
0x00000000 4685827    root       600        1048576    1          dest
0x00000000 4718596    root       600        1048576    1          dest
0x00000000 4325381    isvw       600        24632      22         dest
Group locking, as Cisco calls it, has been available since ancient IOS 12.2(13)T (circa 2003), and still most of the set-ups I see of clients' VPN servers at most use different VPN groups for different privilege access requirements and blissfully ignore the fact that all it takes to get more enabled access is to know the pre-shared key of the other VPN group. And believe me, that is not hard when the group pre-shared key (PSK) is known to half of the company. So if you happen to stumble on this post, bear with me and let's fast-forward from the accepted practices of the 90's to 2010.
Below are possible ways to lock users connecting to a Cisco device (IOS router and ASA, to be precise) to predefined VPN groups, and to do it forcefully, so that even if the end user knows the PSK of other VPN group(s) she won't be able to connect with it.
Case 1. Cisco IOS router acting as EzVPN server; users are authenticated locally by the router. Let's name things: the group is JUNIPER, the local user is John.Chambers, and we want to confine this user to this group for ever.
Enable group locking for the specific group (don't forget to do the same for all VPN groups).
Now restrict the user so that it can use this group only. For that you have to reconfigure the user to look like the username followed by a delimiter (which can be any of @, %, /, \) and then the group name. To be concrete:
From now on the user John.Chambers will be able to authenticate with Cisco only as John.Chambers@JUNIPER. It overrides any existing user for VPN connections: if there is already a user John.Chambers, it will not be able to connect with the group JUNIPER. On the other hand, anyone getting the PSK of the VPN group JUNIPER will fail authentication if the user is not explicitly reconfigured in the new format.
Case 2. Cisco IOS router, users are authenticated using an external RADIUS server. Unlike local authentication, with RADIUS you create the user as usual, John.Chambers, but then assign it in the user settings the cisco-av-pair attribute called user-vpn-group, like this:
ipsec:user-vpn-group=JUNIPER
Case 3. ASA, local username authentication.
No fancy username/group configuration here; you just lock the username to a group under the general attributes of the user.
Case 4. ASA, RADIUS authentication.
Here also the VPN group is forced in the user settings using the following attribute:
[3076\085] Tunnel-Group-Lock JUNIPER
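As an added example (not the author's configuration), here are the two local-authentication cases, 1 and 3, written out; the group JUNIPER and user John.Chambers come from the text, while the AAA list names, the address pool, the interface and the placeholder secrets are assumptions:

```cisco
! ---- Case 1: IOS EzVPN server, users in the local database (added example) ----
aaa new-model
aaa authentication login VPN_LOGIN local
aaa authorization network VPN_GROUPS local
ip local pool VPN_POOL 10.10.10.1 10.10.10.50
!
crypto isakmp client configuration group JUNIPER
 key <GROUP-PSK-PLACEHOLDER>
 pool VPN_POOL
 group-lock
! group-lock must be repeated in every other client configuration group,
! otherwise a user knowing that group's PSK can still connect through it
!
! the locked user exists only in user@group form; a plain "John.Chambers"
! entry would no longer be accepted for group JUNIPER
username John.Chambers@JUNIPER password 0 <USER-PASSWORD-PLACEHOLDER>
!
crypto isakmp profile EZVPN_PROF
 match identity group JUNIPER
 client authentication list VPN_LOGIN
 isakmp authorization list VPN_GROUPS
 client configuration address respond
!
! ---- Case 3: ASA, local username authentication (added example) ----
tunnel-group JUNIPER type remote-access
tunnel-group JUNIPER ipsec-attributes
 pre-shared-key <GROUP-PSK-PLACEHOLDER>
!
username John.Chambers password <USER-PASSWORD-PLACEHOLDER>
username John.Chambers attributes
! the user may only terminate in tunnel-group JUNIPER, whatever other PSKs she knows
 group-lock value JUNIPER
```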
I don't know whom to blame, me for not being attentive or the Cisco documentation for being vague, but when I read about snmp-map inspection, which allows you to block selectively by SNMP version, I decided it was the way to protect the ASA itself from such queries. Only with the help of the NetPro forum at Cisco.com did I learn that this feature is designed to inspect SNMP traffic that passes THROUGH the ASA, not traffic destined to the ASA itself.
So if you want to limit which version of SNMP the ASA will use to answer queries, use the usual snmp-server host …
For those who do want to block SNMP of, say, versions 1 and 2c passing through the ASA, here is how:
Now define with an access-list what traffic to inspect; you may use specific IPs or just the general SNMP ports, UDP 161 and 162:
Bind the ACL to a class-map:
Use the class-map in a policy-map, enabling snmp-map inspection:
And finally apply the policy-map on some interface.
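The whole procedure above in one place, as an added example rather than the author's own configuration; the object names and the choice of the "inside" interface are assumptions:

```cisco
! Added example: drop SNMP v1 and v2c that transits the ASA.
! This only affects traffic passing THROUGH the box; polls of the ASA
! itself are governed by snmp-server host, not by the inspection.
snmp-map SNMP_V3_ONLY
 deny version 1
 deny version 2c
!
! traffic to inspect: SNMP (udp/161) and SNMP traps (udp/162)
access-list SNMP_TRANSIT extended permit udp any any eq snmp
access-list SNMP_TRANSIT extended permit udp any any eq snmptrap
!
class-map SNMP_TRANSIT_CLASS
 match access-list SNMP_TRANSIT
!
! an interface takes a single service-policy, so if "inside" already has
! one, add the class to that policy-map instead of creating a new one
policy-map INSIDE_POLICY
 class SNMP_TRANSIT_CLASS
  inspect snmp SNMP_V3_ONLY
!
service-policy INSIDE_POLICY interface inside
!
! verify that the class matches traffic and counts the v1/v2c drops
show service-policy interface inside inspect snmp
```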
ASA 8.2 speaks SNMP v3 decently
This article is all about SNMP on the ASA. The ASA has far fewer configuration options than IOS does, and this is good. Starting with version 8.2 the ASA supports version 3 of the SNMP protocol, which adds a new security model to the whole SNMP stack. But first we will start with old-fashioned SNMP v2c (c is for 'community'). It takes about 15 seconds to do it:
As you already know, this setup will exchange community strings in clear text, and no packet is cryptographically authenticated/verified. What a shame for an "Adaptive Security Appliance". The fix is on the way. It is called SNMP v3 and has 3 security levels to choose from:
noAuthNoPriv: packets are neither authenticated nor encrypted. Basically the model used so far by SNMP v1 and v2c: everything in clear text.
authNoPriv: packets are authenticated, that is, the user name is sent in clear text but its password is not; the (configurable) algorithm is MD5 or SHA.
authPriv: the highest level; all SNMP packets are both authenticated using MD5 or SHA and their content is encrypted with the DES/3DES/AES (128,196,256) algorithm.
Using the list above, let's configure our ASA for each level.
General steps:
noAuthNoPriv.
Querying the ASA:
authNoPriv.
Querying the ASA:
authPriv.
Here everything will be encrypted.
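As an added example (not the author's configuration), the v2c setup next to one user per SNMPv3 security level; the management station address 192.0.2.10, the group and user names and the placeholder secrets are assumptions:

```cisco
! Added example: SNMP on ASA 8.2, weak v2c next to the three v3 levels.
! Management station is 192.0.2.10 behind "inside" (assumed).
!
! old style v2c: the community string crosses the wire in clear text
snmp-server host inside 192.0.2.10 community <COMMUNITY-PLACEHOLDER> version 2c
!
! v3 model: the security level is a property of the group, a user is
! bound to a group, and the host is bound to a user (no community string)
snmp-server group NMS_NOAUTH v3 noauth
snmp-server group NMS_AUTH v3 auth
snmp-server group NMS_PRIV v3 priv
!
! noAuthNoPriv: no password at all, no stronger than v1/v2c
snmp-server user nms-noauth NMS_NOAUTH v3
!
! authNoPriv: SHA-authenticated packets, payload still readable on the wire
snmp-server user nms-auth NMS_AUTH v3 auth sha <AUTH-PASS-PLACEHOLDER>
!
! authPriv: SHA authentication plus AES encryption of the payload
! (ASA accepts des, 3des, or aes with a 128, 192 or 256-bit key)
snmp-server user nms-priv NMS_PRIV v3 auth sha <AUTH-PASS-PLACEHOLDER> priv aes 256 <PRIV-PASS-PLACEHOLDER>
!
! bind the station to the authPriv user: polls must come in at that level
snmp-server host inside 192.0.2.10 version 3 nms-priv
!
! check what was created
show snmp-server group
show snmp-server user
```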
N.B. To my surprise there is no such thing as debug snmp. Actually it does exist, but entering this command gives no error and produces no debug output either.
Noticed by the way: in the logs you can see all the passwords you entered while configuring SNMP. Not very secure, I would rather say.
SLA monitoring is finally here. What is it useful for? To add/remove routes dynamically in the ASA depending on the results of the SLA status.
Below are the configuration steps; while there are many words in the command itself there are not many options there, so the command is long but pretty uniform.
Now create a tracking process to be applied later to the static route:
And finally we create the static route and attach the created track to it:
Now let's see some statistics on the track:
The final configuration looks like:
And by the way, it really works: when the track is down, the route to which it is attached magically disappears from the routing table, as it should.
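The steps above written out end to end, as an added example that is not the author's configuration; the gateway addresses (192.0.2.1 on "outside", 198.51.100.1 on "backup"), the probe and track numbers and the timers are assumptions:

```cisco
! Added example: withdraw the default route when the primary gateway
! stops answering ICMP, and fall back to a floating static route.
!
! the probe: ICMP echo to the primary gateway every 5 seconds
sla monitor 10
 type echo protocol ipIcmpEcho 192.0.2.1 interface outside
 num-packets 3
 timeout 1000
 frequency 5
sla monitor schedule 10 life forever start-time now
!
! tracking object that follows the reachability result of probe 10
track 1 rtr 10 reachability
!
! the primary default route exists only while track 1 is up; the floating
! backup route (metric 254) is installed when the primary is withdrawn
route outside 0.0.0.0 0.0.0.0 192.0.2.1 1 track 1
route backup 0.0.0.0 0.0.0.0 198.51.100.1 254
!
! statistics and current state of the probe, the track and the routing table
show sla monitor configuration 10
show sla monitor operational-state 10
show track 1
show route
```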
© 2016 yurisk.info