HTTP Deep Packet Inspection on ASA
Configure an HTTP policy to block sites that respond with Temporary Redirect (307), Use Proxy (305) or Moved Permanently (301)
Can redirection pose a security threat?
When you log in to a website or forum with a social account, the site has to redirect you back to the original website once the authentication completes. If that redirect is not validated, attackers can redirect (mislead) users to other, malicious websites and so obtain their credentials indirectly.
Example of what the status line looks like: HTTP/1.x 300 OK
ciscoasa(config)#regex REDIRECTION_BLOCK "^3.."
ciscoasa(config)#class-map type inspect http BLOCK_REDIRECTION
ciscoasa(config-cmap)# match response status-line regex REDIRECTION_BLOCK
ciscoasa(config-cmap)# exit
ciscoasa(config)# policy-map type inspect http HTTP_INSPECTION
ciscoasa(config-pmap)# class BLOCK_REDIRECTION
ciscoasa(config-pmap-c)# drop-connection
ciscoasa(config-pmap-c)# exit
Configure an HTTP policy to block Java applets
What is a Java applet?
Java applets are mini applications written in Java. They run in a structured security environment in which the developer can set specific security rules for the applet to follow once it is downloaded to a user's computer. Applets are downloaded into the user's computer RAM, so once the computer is shut down or restarted the applet is gone. However, only the applet is gone; the actions it took while it was in RAM are not undone.
ciscoasa(config)#access-list 1 extended permit tcp any any eq 80
ciscoasa(config)#class-map type inspect http match-all BLOCK_JAVA_APPLET_CLASS
ciscoasa(config-cmap)# match access-list 1
ciscoasa(config-cmap)# match response body java-applet
ciscoasa(config-cmap)# exit
ciscoasa(config)# policy-map type inspect http HTTP_INSPECTION
ciscoasa(config-pmap)# class BLOCK_JAVA_APPLET_CLASS
ciscoasa(config-pmap-c)# drop-connection
ciscoasa(config-pmap-c)# exit
Configure an HTTP policy to block ActiveX
What is ActiveX?
Once an ActiveX control is installed on a user's computer, it can do anything the user can do. For example, ActiveX controls can insert harmful code into the user's operating system, browse the company's secure intranet, change a user's password(s), or retrieve documents from the user's hard disk or network drives and then mail
ciscoasa(config)#access-list 1 extended permit tcp any any eq 80
ciscoasa(config)#class-map type inspect http match-all BLOCK_ACTIVEX_CLASS
ciscoasa(config-cmap)# match access-list 1
ciscoasa(config-cmap)# match response body active-x
ciscoasa(config-cmap)# exit
ciscoasa(config)# policy-map type inspect http HTTP_INSPECTION
ciscoasa(config-pmap)# class BLOCK_ACTIVEX_CLASS
ciscoasa(config-pmap-c)# drop-connection
ciscoasa(config-pmap-c)# exit
Configure an HTTP policy to block the .exe file extension
How does the .exe file extension pose a security threat?
In Windows, executable programs have file extensions such as "exe", "vbs", "com" and "bat". Real trojan file names include "dmsetup.exe" and "LOVE-LETTER-FOR-YOU.TXT.vbs"; such files can damage your computer and steal your personal data.
ciscoasa(config)#regex BLOCK_FILE_EXTENSION ".*\.([Ee][Xx][Ee])"
ciscoasa(config)#regex CONTENT_TYPE "Content-Type"
ciscoasa(config)#class-map type inspect http match-all BLOCK_FILE_EXTENSION_CLASS
ciscoasa(config-cmap)#match response header regex CONTENT_TYPE regex BLOCK_FILE_EXTENSION
ciscoasa(config)# policy-map type inspect http HTTP_INSPECTION
ciscoasa(config-pmap)# class BLOCK_FILE_EXTENSION_CLASS
ciscoasa(config-pmap-c)# drop-connection
ciscoasa(config-pmap-c)# exit
Or, keyed on the Content-Disposition header and the .vbs extension instead:
ciscoasa(config)#regex BLOCK_FILE_EXTENSION ".*\.([Vv][Bb][Ss])"
ciscoasa(config)#regex Content-Disposition "Content-Disposition"
ciscoasa(config)#class-map type inspect http match-all BLOCK_FILE_EXTENSION_CLASS
ciscoasa(config-cmap)#match response header regex Content-Disposition regex BLOCK_FILE_EXTENSION
ciscoasa(config)# policy-map type inspect http HTTP_INSPECTION
ciscoasa(config-pmap)# class BLOCK_FILE_EXTENSION_CLASS
ciscoasa(config-pmap-c)# reset log
ciscoasa(config-pmap-c)# exit
Configure an HTTP policy to block HTTP/HTTPS sites by the Host header
What does the Host field in the HTTP header specify?
The Host request-header field specifies the Internet host and port number of the resource being requested, as obtained from the original URI given by the user or referring resource (generally an HTTP URL). The header is only visible in cleartext HTTP; for HTTPS use the DNS or FQDN approaches further down.
Example of what an HTTP request header looks like:
POST /index.html HTTP/1.1 -- Request line
Host: www.example.com -- Header
The regex class BLOCK_SITES is applied to the Host header (BLOCK_SITES_CLASS) and also to the request URI (BlockURLsClass), which carries the host name when the client sends an absolute URI, for example through a proxy. Only the inspect class-maps are referenced from the policy-map; a regex class-map is never used as a policy-map class directly.
ciscoasa(config)# regex BLOCK_ANY_HTTP/HTTPS_SITE1 "\.facebook\.com"
ciscoasa(config)# regex BLOCK_ANY_HTTP/HTTPS_SITE2 "\.gmail\.com"
ciscoasa(config)# class-map type regex match-any BLOCK_SITES
ciscoasa(config-cmap)# match regex BLOCK_ANY_HTTP/HTTPS_SITE1
ciscoasa(config-cmap)# match regex BLOCK_ANY_HTTP/HTTPS_SITE2
ciscoasa(config-cmap)# exit
ciscoasa(config)# class-map type inspect http match-all BLOCK_SITES_CLASS
ciscoasa(config-cmap)# match request header host regex class BLOCK_SITES
ciscoasa(config-cmap)# exit
ciscoasa(config)# class-map type inspect http match-all BlockURLsClass
ciscoasa(config-cmap)# match request uri regex class BLOCK_SITES
ciscoasa(config-cmap)# exit
ciscoasa(config)# policy-map type inspect http HTTP_INSPECTION
ciscoasa(config-pmap)# parameters
ciscoasa(config-pmap-p)# protocol-violation action drop-connection
ciscoasa(config-pmap-p)# exit
ciscoasa(config-pmap)# class BLOCK_SITES_CLASS
ciscoasa(config-pmap-c)# reset log
ciscoasa(config-pmap-c)# exit
ciscoasa(config-pmap)# class BlockURLsClass
ciscoasa(config-pmap-c)# reset log
ciscoasa(config-pmap-c)# exit
Configure an HTTP policy to allow only English-language clients
Because of match not, the class matches every request whose Accept-Language header does not contain "en".
ciscoasa(config)#regex LANGUAGES_USER_EXPECT_THE_PAGE_IN "([Ee][Nn])"
ciscoasa(config)#class-map type inspect http LANGUAGES_USER_EXPECT_THE_PAGE_IN_CLASS
ciscoasa(config-cmap)# match not request header accept-language regex LANGUAGES_USER_EXPECT_THE_PAGE_IN
ciscoasa(config-cmap)# exit
ciscoasa(config)# policy-map type inspect http HTTP_INSPECTION
ciscoasa(config-pmap)# class LANGUAGES_USER_EXPECT_THE_PAGE_IN_CLASS
ciscoasa(config-pmap-c)# drop-connection
ciscoasa(config-pmap-c)# exit
Configure an HTTP policy to accept only the zip/rar compression methods
Note that the pattern also matches the common gzip content-coding, because "gzip" contains "zip".
ciscoasa(config)#regex COMPRESSION_SUPPORTED_BY_USER ".([Zz][Ii][Pp]|[Rr][Aa][Rr])"
ciscoasa(config)#class-map type inspect http COMPRESSION_SUPPORTED_BY_USER_CLASS
ciscoasa(config-cmap)# match not request header accept-encoding regex COMPRESSION_SUPPORTED_BY_USER
ciscoasa(config-cmap)# exit
ciscoasa(config)# policy-map type inspect http HTTP_INSPECTION
ciscoasa(config-pmap)# class COMPRESSION_SUPPORTED_BY_USER_CLASS
ciscoasa(config-pmap-c)# drop-connection
ciscoasa(config-pmap-c)# exit
Block an HTTPS site using DNS inspection
How can you block an HTTPS site when all of its packets are encrypted?
Because HTTPS traffic is encrypted, the ASA cannot inspect it with the HTTP inspection engine. The workaround is to inspect the DNS query for the site's name instead of the HTTP/HTTPS traffic itself.
ciscoasa(config)# regex BLOCK_HTTPS "facebook.com"
ciscoasa(config)# class-map type inspect dns CMAP
ciscoasa(config-cmap)# match domain-name regex BLOCK_HTTPS
ciscoasa(config)# policy-map type inspect dns PMAP
ciscoasa(config-pmap)# class CMAP
ciscoasa(config-pmap-c)# drop
ciscoasa(config)# policy-map global_policy
ciscoasa(config-pmap)# class inspection_default
ciscoasa(config-pmap-c)# no inspect dns preset_dns_map
ciscoasa(config-pmap-c)# inspect dns PMAP
Block URLs using FQDN objects
Cisco ASA 8.4.2 introduced the Identity Firewall (IDFW), which gives ACLs a new level of control: you can now configure ACLs that block domain names.
A nice property of this solution is that it does not slow the firewall down. The ASA resolves the name ahead of time, stores the resulting IPs in memory and repeats the lookup only when the record's TTL expires, so there is no DNS lookup per packet. It works for both HTTP and HTTPS, because the firewall inspects neither domain names nor URLs and does not care whether the packet is encrypted: every packet carries a destination IP, and that is what the ACL checks.
OUTSIDE is the interface through which the public DNS server is reached; adjust the interface names to your configuration.
ciscoasa(config)# dns domain-lookup OUTSIDE
ciscoasa(config)# dns server-group DefaultDNS
ciscoasa(config-dns-server-group)# name-server 4.2.2.2
ciscoasa(config)# object network OBJ-FACEBOOK-COM
ciscoasa(config-network-object)# fqdn facebook.com
ciscoasa(config)# access-list ACL_INSIDE extended deny ip any object OBJ-FACEBOOK-COM
ciscoasa(config)# access-list ACL_INSIDE extended permit ip any any
ciscoasa(config)# access-group ACL_INSIDE in interface INSIDE
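The DNS-inspection and FQDN-object approaches above, modelled in Python as an added example (not Cisco code): a stub resolver with constructed answers stands in for the dns server-group, and the packet timestamp serves as the clock, so the model shows that the per-packet check is a destination-IP set lookup and that a DNS lookup happens only when the cached TTL has expired.

```python
import re
import ipaddress
from dataclasses import dataclass, field

# Constructed answers for the stub resolver: name -> (A records, TTL in seconds).
FAKE_ZONE = {"facebook.com": (["192.0.2.10", "192.0.2.11"], 300)}

def stub_resolver(name):
    """Stand-in for the lookup the ASA sends to its 'dns server-group'."""
    addrs, ttl = FAKE_ZONE[name]
    return [ipaddress.ip_address(a) for a in addrs], ttl

@dataclass
class FqdnObject:
    """'object network OBJ / fqdn NAME': resolved ahead of time, and re-resolved
    only once the cached answer's TTL has run out."""
    name: str
    resolver: object
    addrs: set = field(default_factory=set)
    expires_at: float = -1.0
    lookups: int = 0

    def refresh(self, now):
        if now >= self.expires_at:
            addrs, ttl = self.resolver(self.name)
            self.addrs, self.expires_at = set(addrs), now + ttl
            self.lookups += 1

    def contains(self, dst_ip, now):
        self.refresh(now)
        return ipaddress.ip_address(dst_ip) in self.addrs

def deny_to_fqdn(obj, packets):
    """'access-list ACL_INSIDE extended deny ip any object OBJ' followed by a permit.
    packets are (seconds, destination IP) tuples; the per-packet work is a set
    lookup on the destination IP, independent of protocol or encryption."""
    return ["deny" if obj.contains(dst, t) else "permit" for t, dst in packets]

def dns_inspect_drop(qname, pattern="facebook.com"):
    """The 'inspect dns' alternative: 'match domain-name regex' on the query name.
    Without anchors or an escaped dot the page's pattern is a loose substring test."""
    return re.search(pattern, qname) is not None

# Constructed traffic: (seconds since the object was created, destination IP).
PACKETS = [(0, "192.0.2.10"), (10, "198.51.100.5"), (200, "192.0.2.11"), (400, "192.0.2.10")]
```

Running deny_to_fqdn over PACKETS yields one lookup at time 0 and a second one at time 400, after the 300-second TTL, while every packet is still classified by its destination IP.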
Configure ASA to inspect HTTP on a non-standard port
ciscoasa(config)# class-map CMAP
ciscoasa(config-cmap)# match port tcp eq 8080
ciscoasa(config)# policy-map global_policy
ciscoasa(config-pmap)# class CMAP
ciscoasa(config-pmap-c)#inspect http
Configure ASA to block Hotmail Attachments
ciscoasa(config)# regex GET_ATTACH ".*([Gg][Ee][Tt][Aa][Tt][Tt][Aa][Cc][Hh][Mm][Ee][Nn][Tt]).([Aa][Ss][Pp][Xx]).*"
ciscoasa(config)# regex SCAN_ATTACH ".*([Ss][Cc][Aa][Nn][Aa][Tt][Tt][Aa][Cc][Hh][Mm][Ee][Nn][Tt]).([Aa][Ss][Pp][Xx]).*"
ciscoasa(config)# regex HOTMAIL_URL ".*([Mm][Aa][Ii][Ll]).([Ll][Ii][Vv][Ee]).([Cc][Oo][Mm])"
ciscoasa(config)# class-map type inspect http match-all HOTMAIL_SMACKDOWN
ciscoasa(config-cmap)# match request header host regex HOTMAIL_URL
ciscoasa(config-cmap)# match request uri regex SCAN_ATTACH
ciscoasa(config)# class-map type inspect http match-all HOTMAIL_SMACKDOWN_THE_SEQUEL
ciscoasa(config-cmap)# match request header host regex HOTMAIL_URL
ciscoasa(config-cmap)# match request uri regex GET_ATTACH
ciscoasa(config)# policy-map type inspect http HOTMAIL_SMACKDOWN
ciscoasa(config-pmap)# parameters
ciscoasa(config-pmap)# class HOTMAIL_SMACKDOWN_THE_SEQUEL
ciscoasa(config-pmap-c)# drop-connection log
ciscoasa(config-pmap)# class HOTMAIL_SMACKDOWN
ciscoasa(config-pmap-c)# drop-connection log
ciscoasa(config)# policy-map global_policy
ciscoasa(config-pmap)# class inspection_default
ciscoasa(config-pmap-c)# inspect http HOTMAIL_SMACKDOWN
Configure ASA to block torrent
ciscoasa(config)# object-group service Blocked-UDP-Ports udp
description All ports blocked for Bit Torrent UDP DHT (all ephemeral ports except VPN encapsulation)
port-object range 10001 65535
port-object range 1024 9999
ciscoasa(config)# object-group service BitTorrent-Tracker tcp
description TCP Ports used by Bit Torrent for tracker communication
port-object eq 2710
port-object range 6881 6999
ciscoasa(config)# access-list inside_access_in extended deny udp any any object-group Blocked-UDP-Ports log warnings inactive
ciscoasa(config)# access-list inside_access_in extended deny tcp any any object-group BitTorrent-Tracker log warnings inactive
ciscoasa(config)# access-list inside_access_in extended permit tcp any any
Apply the access list to the inside interface. This is only a sample configuration and may need changes for your environment; note that the two deny entries carry the inactive keyword, so they neither block nor log until that keyword is removed.
ciscoasa(config)# regex bit-torrent-tracker ".*[Ii][Nn][Ff][Oo]_[Hh][Aa][Ss][Hh]=.*"
ciscoasa(config)# class-map type inspect http match-all bit-torrent-tracker
ciscoasa(config-cmap)#description Bit Torrent Tracker communication
ciscoasa(config-cmap)#match request args regex bit-torrent-tracker
ciscoasa(config-cmap)#match request method get
ciscoasa(config)# policy-map type inspect http Drop-P2P
ciscoasa(config-pmap)#description Drop protocol violations Bit Torrent Tracker traffic
ciscoasa(config-pmap)#parameters
protocol-violation action log
ciscoasa(config-pmap)#class bit-torrent-tracker
drop-connection log
ciscoasa(config)# policy-map global_policy
ciscoasa(config-pmap)#class inspection_default
inspect http Drop-P2P
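The HTTP inspection classes on this page (the redirect status line, the .exe/.vbs response headers, the Host regex class, Accept-Language with match not, and the tracker info_hash class just above), modelled in Python as an added example, not Cisco code: Python's re stands in for the ASA regex engine, the page's patterns are used with their literal dots escaped, the status-line pattern is adapted as noted in the comment, and all sample requests and responses are constructed.

```python
import re
from dataclasses import dataclass

@dataclass
class Request:
    method: str
    uri: str        # path plus optional "?query"
    headers: dict   # header names lower-cased

@dataclass
class Response:
    status_line: str   # e.g. "HTTP/1.1 301 Moved Permanently"
    headers: dict

def status_line(pattern):
    """match response status-line regex NAME"""
    rx = re.compile(pattern)
    return lambda req, resp: resp is not None and rx.search(resp.status_line) is not None

def request_header(name, patterns):
    """match request header NAME regex ...; several patterns model a
    'class-map type regex match-any' (any pattern may hit)"""
    rxs = [re.compile(p) for p in patterns]
    return lambda req, resp: any(rx.search(req.headers.get(name, "")) for rx in rxs)

def response_header(name_pattern, value_pattern):
    """match response header regex NAME_RX regex VALUE_RX"""
    nrx, vrx = re.compile(name_pattern), re.compile(value_pattern)
    return lambda req, resp: resp is not None and any(
        nrx.search(h) and vrx.search(v) for h, v in resp.headers.items())

def request_args(pattern):
    """match request args regex NAME: applied to the query string after '?'"""
    rx = re.compile(pattern)
    return lambda req, resp: rx.search(req.uri.partition("?")[2]) is not None

def request_method(method):
    """match request method METHOD"""
    return lambda req, resp: req.method.lower() == method.lower()

@dataclass
class ClassMap:
    name: str
    action: str        # drop-connection or reset
    matches: list      # (criterion, negated) pairs; negated models "match not"
    match_all: bool = True

    def hits(self, req, resp):
        results = [pred(req, resp) != negated for pred, negated in self.matches]
        return all(results) if self.match_all else any(results)

def evaluate(policy, req, resp=None):
    """Action of the first class that matches, else 'allow'. Request-phase
    checks run with resp=None, so response criteria cannot match then."""
    for cmap in policy:
        if cmap.hits(req, resp):
            return f"{cmap.action} ({cmap.name})"
    return "allow"

# Assumption: the page's "^3.." is anchored at the start of the status line, which
# begins with the version, so this model anchors after "HTTP/1.x " instead.
HTTP_INSPECTION = [
    ClassMap("BLOCK_REDIRECTION", "drop-connection",
             [(status_line(r"^HTTP/1\.[01] 3[0-9][0-9]"), False)]),
    ClassMap("BLOCK_FILE_EXTENSION_CLASS", "drop-connection",
             [(response_header("Content-Type", r".*\.([Ee][Xx][Ee])"), False)]),
    ClassMap("BLOCK_FILE_EXTENSION_CLASS_VBS", "reset",
             [(response_header("Content-Disposition", r".*\.([Vv][Bb][Ss])"), False)]),
    ClassMap("BLOCK_SITES_CLASS", "reset",
             [(request_header("host", [r"\.facebook\.com", r"\.gmail\.com"]), False)]),
    ClassMap("LANGUAGES_USER_EXPECT_THE_PAGE_IN_CLASS", "drop-connection",
             [(request_header("accept-language", ["([Ee][Nn])"]), True)]),
    ClassMap("bit-torrent-tracker", "drop-connection",
             [(request_args(r".*[Ii][Nn][Ff][Oo]_[Hh][Aa][Ss][Hh]=.*"), False),
              (request_method("get"), False)]),
]

def demo():
    """Constructed sample traffic run through the policy; returns the verdicts."""
    en = {"host": "www.example.com", "accept-language": "en-US,en;q=0.9"}
    ok = Request("GET", "/index.html", en)
    return {
        "plain page": evaluate(HTTP_INSPECTION, ok,
                               Response("HTTP/1.1 200 OK", {"Content-Type": "text/html"})),
        "redirect": evaluate(HTTP_INSPECTION, ok,
                             Response("HTTP/1.1 301 Moved Permanently", {"Location": "/new"})),
        "exe download": evaluate(HTTP_INSPECTION, ok, Response("HTTP/1.1 200 OK",
                                 {"Content-Type": 'application/octet-stream; name="setup.exe"'})),
        "vbs attachment": evaluate(HTTP_INSPECTION, ok, Response("HTTP/1.1 200 OK",
                                 {"Content-Disposition": 'attachment; filename="LOVE-LETTER-FOR-YOU.TXT.vbs"'})),
        "facebook host": evaluate(HTTP_INSPECTION, Request("GET", "/", {**en, "host": "www.facebook.com"})),
        "german client": evaluate(HTTP_INSPECTION, Request("GET", "/", {**en, "accept-language": "de-DE"})),
        # In this model a request with no Accept-Language header also fails "match not".
        "no language header": evaluate(HTTP_INSPECTION, Request("GET", "/", {"host": "www.example.com"})),
        "tracker announce": evaluate(HTTP_INSPECTION, Request(
            "GET", "/announce?info_hash=%AB%CD&peer_id=X", {**en, "host": "tracker.example"})),
    }
```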