Author Archives: Paul Stewart, CCIE 26009 (Security)

Firepower Access Control Policies

The Firepower ecosystem is a powerful NGIPS/NGFW solution. At the heart of the configuration construct is what is known as the Access Control Policy. Comparing this to something familiar is possible by thinking about the much simpler filtering feature in the ASA. For comparison, an ASA’s access-list (ACL) has multiple access-control entries (ACEs). Each of these entries can refer to object-groups, networks, and protocols and can apply a permit or deny action.

The Access Control Policy in Firepower is a similar concept, but there are many additional facets that are pulled together to provide a more comprehensive policy application mechanism. This article only covers the major areas of this policy control construct. Some items are beyond its scope, including variable sets and manipulating the behavior of HTTP response pages.

Specific to the policy application, there are two main areas of the Access Control Policy. The first area is what is known as Security Intelligence. In the policy, this is found on the second tab from the left and provides a framework for blacklisting. There are many feeds provided directly from Cisco’s Talos organization that are ready for consumption by the security policy.

The action for each feed that is Continue reading

Saving Money with IOT Water Heater

About six months ago I installed an Energy Efficient water heater. This unit is what is known as a heat pump water heater. For those not familiar with refrigeration, this works by moving heat instead of creating heat. By contrast, traditional electric water heaters use resistance coils to heat the water. This new unit also has traditional coils that can be used for high demand or high temperature settings as well.

I guess by now everyone is wondering what this has to do with the topics we discuss at PacketU. To better understand the relationship, you can see that this water heater is also connected to the Internet. The primary reasons I wanted to connect it to the Internet were to schedule the modes around my family’s usage patterns and to control vacation mode from a mobile phone. When purchasing this unit I was quite skeptical and was concerned about transitioning from a simple conventional model to a model that literally has moving parts.

I wanted to follow up and share my experience and why I now believe this was a good decision. I have been tracking my energy usage since installation and the results are promising. Without changing any other habits Continue reading

Firepower Indications of Compromise

Several days ago I wrote an article about Firepower Sinkhole rules. While I was confirming this in a lab, I temporarily created a custom DNS sinkhole rule. That rule classified requests for temp.packetu.com as Command and Control and returned an IP address of 1.1.1.1. What I later noticed is that this caused my laptop to be classified with an IOC.

Indications of Compromise (IOCs) can be thought of as reasons why Firepower Management Console believes a host cannot be trusted or is otherwise affected by malware. These can be found in multiple places in the UI. I find the Context Explorer to be a good middle ground for most SecOps team members and a good place to notice whether current IOCs exist.

My network is rather simple and I only currently have one IOC. In any case, I can use the Context Explorer to launch the host information for the impacted host.

IOC Context Explorer

Once the Host Profile screen is launched, I can get a little more information about the activity that causes Firepower to believe that this is a compromised host.

IOC Host Profile

Also notice that there is a garbage can icon to the right of the Indication of Compromise that was Continue reading

Understanding ‘transport output’ and ‘access-class’

Several years ago I wrote an article called The Elusive “access-class out” Command. My primary goal was to help CCNA students understand both the behavior and the placement of this command. My friend Anthony Sequeira did a great job in the video that is also shown in my original post. Today, I want to share another command and expand on their behavior.

For all of the demonstrations in this article, the following topology will be used. The router named iosv-2 will be the primary focus and the only place changes will be made.

Topology

Understanding Telnet/SSH Client Restrictions

Backing up for a moment, there are a couple of messages that might be displayed when an IOS device blocks outbound telnet or ssh sessions from the current exec session. These are demonstrated with a quick configuration of a transport output and access-class restriction.

//the first error is unique depending on
//if ssh or telnet is being used
iosv-2(config)#line con 0
iosv-2(config-line)#transport output none
iosv-2(config-line)#do telnet 192.168.0.3
% telnet connections not permitted from this terminal
iosv-2(config-line)#do ssh -l cisco 192.168.0.3
% ssh connections not permitted from this terminal

//now we can re-enable all the outbound protocols
//and demonstrate the other error message
iosv-2(config-line)#transport output all
iosv-2(config-line)#access-list  Continue reading

The New Strange Behavior for OSPF ‘Redistribute Subnets’

In older IOS code, there was a specific requirement for redistributing subnets into OSPF. In almost every case, the keyword “subnets” had to be added to the redistribute command.

Older Code Example–

//notice the warning when 'subnets' is omitted
R1(config)#router ospf 1
R1(config-router)#redistribute eigrp 1
% Only classful networks will be redistributed

//and the configuration is stored exactly as it was typed
R1(config-router)#do show run | sec router
router ospf 1
 log-adjacency-changes
 redistribute eigrp 1

//we can change the behavior by adding 'subnets'
R1(config-router)#redistribute eigrp 1 subnets

//after adding, it is stored as one would expect
R1(config-router)#do show run | sec router
router ospf 1
 log-adjacency-changes
 redistribute eigrp 1 subnets

When I tested this in VIRL with 15.6(1S) running inside of IOS XE 3.17, the warning was gone. The question I had is whether the keyword is still relevant.

Current Code Example–

//without the 'subnets' keyword
csr1000v-2(config)#router ospf 1
csr1000v-2(config-router)#redistribute eigrp 1
csr1000v-2(config-router)#do show run | sec router
router ospf 1
 redistribute eigrp 1

//with the 'subnets' keyword
csr1000v-2(config-router)#redistribute eigrp 1 subnets
csr1000v-2(config-router)#do show run | sec router
router ospf 1
 redistribute eigrp 1 subnets

I initially spent some time experimenting with this and thought that ‘subnets’ had Continue reading

Firepower Threat Defense — DNS Sinkholing

A few days ago I wrote an article that described Firepower DNS Policies. One item that probably warrants a little more discussion is DNS Sinkholing. Although the title of this article indicates Firepower Threat Defense, this will also work with Firepower and Firepower Services.

For this article, I would like to first share some of the challenges around getting security intelligence visibility from DNS requests. A typical enterprise environment will have an internal DNS server. So even though we know we can return “Domain Not Found” with an FTD DNS policy, that might not give us the visibility necessary to remediate a problem.

So if the host in the diagram below makes a DNS request for bad.site.com, what happens? Basically that request is sent to the DNS Resolver. The DNS Resolver will look to the Root Hints and eventually get the request to an Internet-based DNS server that has the appropriate domain ownership. The problem with this is that the only request seen by the Firewall (FTD in our example) is the one made by the DNS Resolver, so there is no way the Firewall can tell which host needs to be scrubbed by Continue reading

Testing the EIGRP Feasibility Condition (FC)

Last night I was going through some CCIE Routing and Switching VODs and came across a statement I found interesting. Beyond the fact that I thought the content was far below the expert level (which is fine because a refresher or level-set is typically helpful), I believed it to be incorrect. The statement that was made is as follows:

“A neighbor meets the feasibility condition if the reported distance by the neighbor is the same as or smaller than the feasible distance of the router”

So what are my issues with this statement? First, I thought “feasible distance of the router” is ambiguous and could be taken to mean the advertised distance or the reported distance, which is basically the feasible distance of the neighboring router. However, that was not my main problem with the statement. My main concern with this statement is that I have always learned that the feasibility condition is only met if the reported distance (RD) is strictly less than the feasible distance of the local route. So I set out to determine if I had a correct understanding or if the Feasibility Condition (FC) could really be met with an RD equal to the FD.

To test my theory, Continue reading

Understanding Firepower DNS Policies

One cool feature added with Firepower version 6 is probably best described as DNS-based Security Intelligence, Inspection and Sinkholing. The thought is pretty simple. If a host issues a DNS request for a host that is known to be malicious, that response is manipulated. The manipulated response can be host not found, an alternative IP address or no response at all. This allows an administrator to provide another layer of protection by preventing hosts from having ready access to the IP addresses of known malicious hosts.

So the first question that might come to mind is how hosts on the Internet are classified as bad. The short answer is that Talos maintains lists of known bad fully qualified domain names (FQDNs). These are categorized and delivered into the Firepower solution as a feed. Each of the following categories can be selected into one or multiple DNS Rules.

DNS Feeds and Lists

DNS Rule with Categories

  • DNS Attackers
  • DNS Bogons
  • DNS Bots
  • DNS CnC
  • DNS Dga
  • DNS Exploitkit
  • DNS Malware
  • DNS Open_proxy
  • DNS Open_relay
  • DNS Phishing
  • DNS Response
  • DNS Spam
  • DNS Suspicious
  • DNS Tor_exit_node

In addition to the above, there are two built-in lists that can be controlled from the UI.

  • Global-Blacklist-for-DNS
  • Global-Whitelist-for-DNS

The final way Continue reading

Meraki MX – URL Filtering

Over the past few days, I’ve spent quite a bit of time looking at some of the advanced capabilities of modern Cisco Firewalls. My most recent testing was done with the Meraki MX 60 cloud-managed firewall product. What I have to say is this is the easiest-to-configure content filter I’ve ever seen. So I just wanted to take a moment and share what that looks like.

Meraki MX Menu

As with all Meraki products, the MX is completely cloud managed. So to manage the device, an administrator must access the Meraki Dashboard. Once authenticated, it is simply necessary to choose Security Appliance then Content Filtering from the menu on the right.

Once on the content filtering page, the policy is self-explanatory. The top section is for categories that should be blocked. While the box appears to be a free-form entry field, clicking anywhere in the area presents a list of categories to choose from. The bottom section allows for manual whitelisting and blacklisting. To get a better idea of how the match is performed and the format requirements of the block criteria, the “Learn how URL blocking works” link may be selected.

Meraki Content Filtering Page

For those wanting to see the complete category list Continue reading

Be Careful with TCP Syslog and the ASA

I wanted to take just a moment to share a little gotcha that could take you by surprise. To demonstrate, I have a simple topology with an ASA in the middle. I am inspecting ICMP so ping traffic is stateful and flows properly.

TCP Syslog
To confirm connectivity, I can ping csr1000v-2 from csr1000v-1.

csr1000v-1#ping 10.0.0.10 repeat 5
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.0.0.10, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 2/6/16 ms

Now for the ASA change that can catch an administrator off guard.

asav-1(config)#logging on
asav-1(config)#logging trap informational
asav-1(config)#logging host inside 1.1.1.1 tcp/1025

//clear the connection just to make sure the next connection will be new
asav-1(config)#clear conn

Now the connectivity from csr1000v-1 to csr1000v-2 is broken.

csr1000v-1#ping 10.0.0.10 repeat 5
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.0.0.10, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)

So what is wrong? Let’s take one quick look at the logging configuration.

asav-1(config)# show run logging
logging enable
logging trap informational
logging host inside 1.1.1.1 6/1025
asav-1(config)#

Continue reading

Manual URL Filtering in Firepower

A few days ago, someone asked me the following two questions–

  1. Is a URL filtering license required to manually filter sites in Firepower?
  2. Are wildcards supported as filtering criteria?

The short answer to the first question is simply no. There is no requirement for a term-based URL filtering license to do manual filtering. The URL license enables filtering AND logging based on web categories and risk levels. If this license is not installed and attached to a Firepower device, any policy containing those elements cannot be deployed. However, URL filtering rules that contain only manual URLs can be applied and do function properly.

Selected URLs

The second question requires a slightly longer answer. With URL filtering, Firepower considers the protocol, FQDN, path and filename. For example, the following is the URL for the article I wrote last Thursday.

http://www.packetu.com/2016/06/23/accessing-asa-cli-firepower-threat-defence/

For filtering purposes, any substring of the URL will match. So any of the following will block the above page.

packetu
www.packetu.com
6
http
w.packetu.com/2016/06/23/accessing

Obviously, care must be taken to make sure a rule isn’t overly broad. Very few people want to filter on just “http” or “6”. Also worth noting, the URL matches appear to be case-insensitive and are logged in lower case. Continue reading

Accessing ASA CLI in Firepower Threat Defence

I’ve recently loaded Firepower Threat Defense on an ASA5525 for my home Internet firewall. For those unfamiliar with FTD, it is basically a combination of critical ASA features and all of the Cisco Firepower features in a single image and execution space. So unlike Firepower Services, which runs separately inside the same ASA sheet metal, FTD takes over the hardware. Once the image is installed on the hardware, the firewall is attached to and managed by a Firepower Management Console.

For those that still want to (or need to) get under the covers to understand the underpinnings or do some troubleshooting of the ASA features, it is still possible to access the familiar CLI. The process first requires an ssh connection to the management IP of the FTD instance, then entering expert mode and running the lina_cli command.

MacBook:~ paulste$ ssh [email protected]
Password:
Last login: Thu Jun 23 18:16:43 2016 from 192.168.1.48

Copyright 2004-2016, Cisco and/or its affiliates. All rights reserved.
Cisco is a registered trademark of Cisco Systems, Inc.
All other trademarks are property of their respective owners.

Cisco Fire Linux OS v6.0.1 (build 37)
Cisco ASA5525-X Threat Defense v6.0.1  Continue reading

Simple ASA to IOS VPN

Occasionally you just need a cheat sheet to configure something. This is meant to be exactly that: a quick configuration of LAN-to-LAN IPsec between an ASA and an IOS-based router.

Topology

Host (for testing)

! /// Host is simply here to emulate a
! /// client on one end of the network
!
hostname Host
!
interface GigabitEthernet0/1
 description to iosv-1
 ip address 192.168.1.2 255.255.255.0
!
ip route 0.0.0.0 0.0.0.0 192.168.1.1

iosv-1 (IOS IPSec Endpoint)

! /// iosv-1 is terminating one end of an IPSec Tunnel
!
hostname iosv-1
!
! /// phase 1 policy
!
crypto isakmp policy 10
 encr aes
 authentication pre-share
 group 2
!
! /// pre shared key
!
crypto isakmp key P@rtn3rNetw0rk address 3.3.3.4
!
crypto ipsec transform-set myset esp-aes esp-sha-hmac
 mode tunnel
!
crypto map mymap 10 ipsec-isakmp
 set peer 3.3.3.4
 set transform-set myset
 set reverse-route distance 10
 match address crypto
!
interface GigabitEthernet0/1
 description to Internet
 ip address 2.2.2.2 255.255.255.0
 !
 ! /// recommend to restrict inbound traffic
 ip access-group out-in in
 !
 ! /// probably a good idea to disable ip 
 ! /// unreachables on the outside interface
 no ip unreachables
 !
 ! /// if nat is  Continue reading

Internet Connected Water Heater

So I have to admit that I’m the crusty old curmudgeon who is way behind on things like home automation. After a recent issue with my water heater I opted to replace it with one that utilizes heat pump technology. I know a lot of people are installing tankless models and I strongly considered that path. My challenges were as follows–

  • Relatively High Demand (replacing an 80 Gallon Conventional Electric)
  • Conventional 80 Gallon Electric Models are difficult to purchase (at least in consumer models)
  • Tankless Owners seem to prefer gas over electric models
  • Venting a tankless gas heater would require relocation of plumbing

Given these constraints, I stumbled into the hybrid water heater models. These are big tank models that utilize heat pump technology as a preferred method of moving heat into the water. As demand increases, traditional resistance coils can be invoked to generate heat.

The goal is to be more efficient than tankless models and have the option for rapid recovery. My biggest concern was the added complexity and additional components that could fail. Nonetheless, the energy ratings were very good and there are some rebate programs and tax incentives to offset the cost. I ultimately chose a GE Geospring 80 Continue reading

Syncing IOS Clock from Cellular Provider

I recently had a request to enable time synchronization from a Cellular provider to a 3G model of the Cisco 819. Looking through several documentation sources, I found an example of EEM policy utilizing GPS data in this manner.

LTE GPS Antenna Guide Cisco Integrated Services Router (ISR G2) and Connected Grid Router

After looking at the TCL script outlined in the above document, I thought it would be an easy modification to achieve the same result with the cellular network data. After fighting with the script and EEM policy for a couple of hours, I stepped back and looked at the options for creating an EEM applet. My goal was to achieve similar results but utilizing the time provided by the cellular carrier. This article outlines my process and the final configuration.

The source of the data that I wanted to use was derived from the show cell 0 network command.

CiscoRTR#show cell 0 network
Current Service = 1xEV-DO (Rev A) and 1xRTT
Current Roaming Status(1xRTT) = HOME, (HDR) = HOME
Current Idle Digital Mode = HDR
Current System Identifier (SID) = DDDD
Current Network Identifier (NID) = DDD
Current Call Setup Mode = Mobile IP only
Serving Base Station Longitude =  Continue reading

What’s Wrong With the Internet?

How many times have you received that call or even made the statement that “The Internet is Down?” Or perhaps the “Internet is Slow?” Obviously these statements are very rarely true. As a whole, the Internet is functional and it is FAST. However these statements seem true from the perspective of the individual making them. My frustration is that we never have visibility into the data necessary to assess the health of the Internet from a relevant, holistic perspective over time. As a result, consumers and providers have a limited view of problems that randomly present in this manner.

The Problem

When I think about the impact Internet hiccups have on me, I realize that I could do things much differently if it delivered consistent reliability. Even if it wasn’t as reliable as infrastructures like the PSTN, having some semblance of trust in knowing when and how my connections might fail or degrade would help. The resulting improvements would allow me to use more robust tools like video and voice over the Internet and put my cell phone away. I can’t tell you how many times I’ve spent hours chasing ghosts. These transient issues tend to get resolved when they worsen and the root cause is more easily identifiable. Increasing the trust we have in our services would materially change the way in which we use them. Continue reading

DNC – What does “dropped the firewall” even mean?

In a CNN article that discusses Sanders’ access to the Clinton campaign information, I found the following statement–

The breach occurred when the vendor, NGP VAN, which supplies access to the database of voter information for both campaigns dropped the firewall, and at least one Sanders campaign staffer accessed Clinton campaign voter data. The accused staffer, Josh Uretsky, Sanders’ national data director, was fired from the campaign.

I have to ask, what does that even mean? So NGP VAN is using a firewall to isolate data between candidates? Are there no controls in the application? And what does it mean to drop a firewall?

I have to assume that this would indicate a “permit any” or maybe some other bypass. I’d love to know the technical details around this situation.

Firewalls aren’t magical boxes and this is a “dumbed down” if not inaccurate response.

I’d love to hear from you, so share your experiences by commenting below.
Continue reading

Internet Redundancy with ASA SLA and IPSec

I’ve seen a lot of examples of redundant Internet connections that use SLA to track a primary connection. The logic is that the primary Internet connection is constantly being validated by pinging something on that ISP’s network and routing floats over to a secondary service provider in the event of a failure. I was recently challenged with how this interacted with IPSec. As a result I built out this configuration and performed some fairly extensive testing.

It is worth noting that this is not a substitute for a properly multi-homed Internet connection that utilizes BGP. It is, however, a method for overcoming the challenges often found in SMB environments where connections are mostly outbound or can otherwise be handled without completely depending on either of the service-provider-owned address spaces.

In this article, we will start out with a typical ASA redundant Internet connection using IP SLA. Then we will overlay an IPsec site-to-site configuration and test the failover process.

ASA_IPSec_Redundant

The base configuration for this lab is as follows. Continue reading

Black Friday, Technology Glitches and Revenue Lost

This morning my wife was trying to purchase something from BELK.com. She ran into an issue at the point of transaction. The error that was being returned looked like the credit card number was invalid. Since the first attempt was on a mobile device, she attempted the transaction again from a computer. This was met with the same challenge. Ultimately, three different credit cards were attempted and none seemed to work. After reviewing the card account activity, I could see a total of about 5 authorizations against the 3 cards.

My wife contacted BELK by phone and they asked us to call our cc company (which I begrudgingly did). Finally they were able to process the cart transaction manually and admitted that we weren’t the only people experiencing the problem. They went on to say that their systems were very slow and that they were having issues with transactions internally too.
Continue reading