Practical Firewall Security

http://www.perihel.at/sec/docs/secfw.html

Author:	Herbert Haas
Address:	herbert AT perihel DOT at http://www.perihel.at/sec/
Revision:	0.1
Date:	2007-08-20
Copyright:	Copyright (c) 2007 Herbert Haas.

Abstract

This document summarizes important facts about modern firewall features with a strong focus on the Cisco Adaptive Security Appliance (ASA). This is not a tutorial. The reader should already be familiar with security fundamentals. Besides theory, practial issues are exemplified on the basis of Cisco firewall products. If you find any mistakes please send me an E-Mail, thanks!

Contents

• 1   Basic Configuration Issues
  • 1.1   aaa
  • 1.2   access-list
  • 1.3   icmp
  • 1.4   nat
  • 1.5   route
• 2   Modular Policy Framework
  • 2.1   Policy processing order
• 3   VPN
  • 3.1   Other important things
  • 3.2   WebVPN
    • 3.2.1   Disadvantages
    • 3.2.2   Proxy servers
    • 3.2.3   Configuration
    • 3.2.4   WebVPN on Routers
  • 3.3   AnyConnect Client
• 4   Transparent Firewall
  • 4.1   General rules
  • 4.2   Not supported
  • 4.3   Configuration
    • 4.3.1   ARP Inspection
    • 4.3.2   Recommendations:
    • 4.3.3   ACLs
    • 4.3.4   Note
• 5   Failover
• 6   Product Comparison
  • 6.1   Models
  • 6.2   LEDs
  • 6.3   Service Modules
• 7   ASA IP services
  • 7.1   DHCP
• 8   Interesting Commands
  • 8.1   Avoid Identity NAT
  • 8.2   Track your ISP next hops
  • 8.3   Specify a default tunnel route
  • 8.4   Use OSPF authentication
  • 8.5   Use Logging options
  • 8.6   Context Mode
  • 8.7   Failover Scenarios
  • 8.8   Redundant interfaces
  • 8.9   Multicast

Lecture stuff

This will be the place of my security repository for my customers and students. Here are some first files...

• An enjoyable(?) introductory chapter about milestones in cryptography and important modern security issues. Targeted for students.
• Diffie-Hellman and RSA (a not too serious approach)
• A short Introduction into Fields and Elliptic Curve Cryptography
• Insertion and Evasion Attacks through the Network Layer. Important techniques to bypass or attack Intrusion Detection Systems (IDS) are explained here.

Be patient, new stuff will arrive soon.

Wireless Security

I am very interested in wireless security especially WLAN security. Besides Cisco WLAN courses I also offer a WLAN Security Workshop (WLSW). The WLSW is targeted for people who are really interested in many technical details, practical attacks, and the many security holes a misconfigured WLAN could have. Contact Fast Lane or me if you want to book one of these courses.
Here are some updated docs:

• WLAN Encryption: WEP, TKIP, MIC, AES
• Actual WLAN security issues

Much more WLAN docs can be found here.

Cisco Firewall Addenda

Long time ago I listed the most interesting issues regarding Cisco's PIX firewall as addendum to the SNPA course (the Cisco Firewall course). I did not maintain this document for some years (the date on the slides only reflects the version of the powerpoint master) but almost all things are still valid and important. If you are new to the PIX (now ASA) then this document might give you an overview.
An overview about interesting ASA features (and how and when to use them) can be found in here. I will occasionally update that document.

Switch Security

Recently I wrote a summary about of how to harden your switched network, in case you have Cisco switches. Note that this is not comprehensive, there are some more issues involved. I must emphasize that it is also important to understand the particular attack scenarios and when which design is appropriate.
I will occasionally update this document.