Having Defense-in-Depth mechanisms and tools in place is important to any organization regardless of its size. This chapter includes three different case studies explaining how a small (Company-A), medium (Company-B), and large enterprise (Company-C) apply the best practices learned in all previous chapters. These case studies provide you with an in-depth and objective analysis of security technologies and techniques applied in different environments. The intent is to help you identify and implement practical security strategies that are both flexible and scalable.
This section uses Company-A as an example. Company-A is a small web development company based in Raleigh, North Carolina. Its office in Raleigh hosts 35 employees. The user population is composed of sales, marketing, finance personnel, and several web developers. Figure 12-1 illustrates the network architecture and topology of the Raleigh office of Company-A.
The Raleigh office has a simple network architecture. Client workstations are connected to an access switch and then connected to the Cisco Adaptive Security Appliance (ASA) inside interface. The Cisco ASA outside interface connects directly to a router provided by the Internet service provider (ISP) of Company-A. The ISP completely manages this router; Company-A has no control over it. A third interface on the Cisco ASA hosts a demilitarized zone (DMZ) hosting several servers. These servers include web, e-mail, and FTP applications.
342 Chapter 12: Case Studies
Figure 12-1 Raleigh Office of Company-A
Because this is a simple topology, all security policies are enforced in the Cisco ASA. The goal is to protect the internal and DMZ hosts from external threats, while allowing the following:
• Client workstations must be able to access the web server at the DMZ (10.10.20.10) over HTTP and HTTPS. Clients should also be able to put and get files via FTP to the same server at 10.10.20.10.
• Client workstations must be able to access the Internet over HTTP and HTTPS. No other protocol access is allowed to the Internet.
• Client workstations must be able to check their e-mail on the e-mail server at the DMZ (10.10.20.20).
• The web server should be reachable from outside Internet clients over HTTP and HTTPS only. The Cisco ASA should do static Network Address Translation (NAT) for the web server to be reachable via a public IP address from the Internet.
• The e-mail server should be able to receive e-mail from external hosts over the Simple Mail Transfer Protocol (SMTP). The Cisco ASA should do static NAT for the e-mail server to be reachable via a public IP address from the Internet.
• The client workstations will be translated to the external public IP address of the Cisco ASA using Port Address Translation (PAT).
Raleigh Office Cisco ASA Configuration
The following sections cover the steps necessary to complete the goals listed earlier.
Configuring IP Addressing and Routing
This section demonstrates how to configure the interfaces and default gateway on the Cisco ASA using the Adaptive Security Device Manager (ASDM). The following are the configuration steps:
Step 1 Working with a new Cisco ASA installation, the administrator logs in via the command-line interface (CLI) and sets the management interface IP address (10.10.30.1) and other interface configuration with the following commands.
Co-A-ASA1# configure terminal
Co-A-ASA1(config)# interface Management0/0
Co-A-ASA1(config-if)# nameif management
Co-A-ASA1(config-if)# security-level 80
Co-A-ASA1(config-if)# ip address 10.10.30.1 255.255.255.0
Co-A-ASA1(config-if)# no shutdown
Co-A-ASA1(config-if)# exit
Co-A-ASA1(config)#
Step 2 The administrator enables ASDM access only from machines on the management network with the following commands:
Co-A-ASA1(config)# http server enable
Co-A-ASA1(config)# http 10.10.30.0 255.255.255.0 management
Co-A-ASA1(config)# asdm location 10.10.30.0 255.255.255.0 management
Step 3 The next step is to configure the outside, inside, and DMZ interfaces. The administrator connects to the Cisco ASA via ASDM and clicks Configuration > Device Setup > Interfaces, as illustrated in Figure 12-2.
Step 4 The administrator selects the GigabitEthernet0/0 interface and clicks the Edit button. The screen illustrated in Figure 12-3 is shown. The administrator enters the interface name (outside), the IP address configuration (209.165.200.225), subnet mask (255.255.255.0), and a description for the outside interface.
Figure 12-2 Configuring the Cisco ASA Interfaces on ASDM
Figure 12-3 Outside Interface Configuration
Step 5 Similarly, the GigabitEthernet0/1 interface is configured as the inside interface, as shown in Figure 12-4. The security level for the inside interface is set to 100.
Figure 12-4 Inside Interface Configuration
Step 6 The GigabitEthernet0/2 interface is configured as the dmz interface, as shown in Figure 12-5. The security level of the dmz interface is set to 50.
Step 7 The next step is to configure the default route of the Cisco ASA to point to the ISP router (209.165.200.226). To configure the default route, navigate to Configuration > Device Setup > Routing > Static Routes and click Add. The screen shown in Figure 12-6 is displayed. Choose the outside interface from the drop-down menu, and enter 0.0.0.0 for the IP address and 0.0.0.0 for the Mask. The Gateway IP is 209.165.200.226, and the metric is 1. Leave all the other options with their default value.
Figure 12-5 DMZ Interface Configuration
Figure 12-6 Inside Interface Configuration
Configuring PAT on the Cisco ASA
The next step is to configure PAT for internal users to be able to communicate to the Internet. Complete the following steps to configure PAT on the Cisco ASA.
Step 1 To configure PAT, go to Configuration > Firewall > NAT Rules, click Add, and choose Add Dynamic NAT Rule from the drop-down menu, as illustrated in Figure 12-7.
Figure 12-7 Configuring PAT for Internal Users
Step 2 The screen shown in Figure 12-8 is displayed. Under the Original section, choose the inside interface from the drop-down menu.
Step 3 Expand the Source option to select the inside source address space. This is illustrated in Figure 12-9. Select the inside network (10.10.10.0/24) and click OK.
Figure 12-8 Adding a Dynamic NAT Rule
Figure 12-9 Selecting the Source
Step 4 Under the Translated section, click the Manage button to add a global address pool.
Step 5 The screen shown in Figure 12-10 is displayed. Under the IP Addresses to Add section, click Port Address Translation (PAT) using IP Address of the interface and click the Add button to include it under the Address pools.
Figure 12-10 Configuring PAT to Use the Outside Interface Address
Step 6 Click OK and apply your changes to the Cisco ASA.
Configuring Static NAT for the DMZ Servers
The DMZ servers must be statically translated with a public IP address. Table 12-1 lists the IP address mapping of the DMZ servers.
Table 12-1 IP Address Mapping of DMZ Servers
Server | DMZ (real) IP address | Public (mapped) IP address
Web server (HTTP, HTTPS, FTP) | 10.10.20.10 | 209.165.200.227
E-mail server (SMTP) | 10.10.20.20 | 209.165.200.228
Complete the following steps to configure static NAT for the DMZ web and e-mail servers.
Step 1 Navigate to Configuration > Firewall > NAT Rules, click Add, and choose Add Static NAT Rule from the drop-down menu, as illustrated in Figure 12-11.
Figure 12-11 Adding a Static NAT Rule
Step 2 The screen shown in Figure 12-12 is displayed. First configure static NAT for the web server. Under the Original section, choose the dmz interface from the drop-down menu, and enter the web server physical IP address (10.10.20.10) as the source.
Figure 12-12 Adding a Static NAT Rule
Step 3 Under the Translated section, choose the outside interface from the drop-down menu.
Step 4 Click the Use IP address option, and enter the public address to which the web server will be translated (209.165.200.227).
Step 5 Click OK.
Step 6 Repeat the same procedure for the e-mail server.
Configuring Identity NAT for Inside Users
The inside users must be able to communicate with the DMZ servers. The goal is to configure identity NAT for inside users when communicating to the DMZ servers. Complete the following steps to configure identity NAT for inside users.
Step 1 Navigate to Configuration > Firewall > NAT Rules and click Add, as illustrated in Figure 12-13.
Figure 12-13 Configuring Identity NAT for the Inside Network on the DMZ
Step 2 Under the Original section, choose the inside interface from the drop-down menu, and the inside network as the source (10.10.10.0/24).
Step 3 Under the Translated section, choose the dmz interface from the drop-down menu, and select the same inside network (10.10.10.0/24) as the translated IP address, as shown in Figure 12-13.
Step 4 Click OK.
Step 5 Apply the changes to the Cisco ASA.
Controlling Access
Next, you need to configure policies on the Cisco ASA to control access and achieve the following goals.
• The web server should be reachable from outside Internet clients over the HTTP and HTTPS protocols only.
• The e-mail server should be able to receive e-mail from external hosts over the SMTP only.
Complete the following steps to configure access rules on the Cisco ASA.
Step 1 Navigate to Configuration > Firewall > Access Rules and click Add. The Access Rule configuration screen is displayed, as shown in Figure 12-14.
Figure 12-14 Configuring Access Rules
Step 2 First, the access rule to allow Internet users to reach the web server at the DMZ is configured. Under Action, click Permit.
Step 3 Under source, select any.
Step 4 Under destination, enter the public IP address of the web server (209.165.200.227).
Step 5 Select HTTP (TCP/HTTP) under the service.
Step 6 Optionally, you can enter a description for this access rule, as illustrated in Figure 12-14.
Step 7 Click OK.
Step 8 Repeat the same steps to allow HTTPS (TCP port 443) access to the web server and SMTP (TCP port 25) access to the e-mail server.
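To verify that the NAT and access-rule steps above actually produce the goals listed at the start of this section, the following Python model is added here as an illustration; it is not Cisco code or ASDM output. It encodes the interface security levels, the static translations, and the outside access list exactly as they appear in Example 12-1 and evaluates a new connection the way a pre-8.3 ASA does: an interface with an inbound access-group uses that list (matched against the mapped addresses), and an interface without one falls back to the security-level default (higher to lower permitted, lower to higher denied). Identity NAT, nat-control, and connection state are not modelled; the Internet host 198.51.100.7 and the inside host 10.10.10.5 are constructed sample values.

```python
"""Model of the Company-A Cisco ASA policy (added illustration, not Cisco code)."""
from dataclasses import dataclass
from typing import Optional
import ipaddress

# Interface security levels from Example 12-1 (outside 0, dmz 50, inside 100).
SECURITY_LEVEL = {"outside": 0, "inside": 100, "dmz": 50}

# static (dmz,outside) <mapped> <real>: the two published DMZ servers.
STATIC_NAT = {
    ("dmz", "outside"): {
        "209.165.200.227": "10.10.20.10",   # web server
        "209.165.200.228": "10.10.20.20",   # e-mail server
    },
}


@dataclass(frozen=True)
class Ace:
    """One access control entry (one extended access-list line)."""
    action: str             # "permit" or "deny"
    proto: str              # "tcp", "udp" or "ip" (ip matches any protocol)
    src: str                # network in CIDR form, or "any"
    dst: str                # network in CIDR form, or "any"
    port: Optional[int]     # destination port, None = any port


# access-list outside_access_in_1, bound with 'access-group ... in interface outside'.
# Pre-8.3 ASA code evaluates ACLs against the mapped (public) addresses, which is
# why the destinations here are the 209.165.200.x addresses.
ACLS = {
    "outside": [
        Ace("permit", "tcp", "any", "209.165.200.227/32", 80),    # eq www
        Ace("permit", "tcp", "any", "209.165.200.227/32", 443),   # eq https
        Ace("permit", "tcp", "any", "209.165.200.228/32", 25),    # eq smtp
    ],
    # inside and dmz have no access-group in Example 12-1.
}


def _matches(pattern: str, ip: str) -> bool:
    return pattern == "any" or ipaddress.ip_address(ip) in ipaddress.ip_network(pattern)


def untranslate(ingress: str, egress: str, dst: str) -> str:
    """Real address behind a mapped destination, for a flow ingress -> egress."""
    return STATIC_NAT.get((egress, ingress), {}).get(dst, dst)


def acl_permits(ingress: str, src: str, dst: str, proto: str, port: Optional[int]) -> bool:
    """First-match ACL evaluation with the implicit deny at the end of the list."""
    for ace in ACLS[ingress]:
        if ace.proto not in (proto, "ip"):
            continue
        if _matches(ace.src, src) and _matches(ace.dst, dst) and ace.port in (None, port):
            return ace.action == "permit"
    return False


def is_allowed(ingress: str, egress: str, src: str, dst: str,
               proto: str = "tcp", port: Optional[int] = None) -> bool:
    """Would the ASA forward a new connection arriving on ingress and leaving on egress?"""
    if ingress in ACLS:
        # An inbound ACL replaces the security-level default for that interface.
        return acl_permits(ingress, src, dst, proto, port)
    # No ACL bound: the default allows higher -> lower security only.
    return SECURITY_LEVEL[ingress] > SECURITY_LEVEL[egress]


def check_requirements() -> dict:
    """Evaluate the case study's stated goals against the modelled policy."""
    internet_host = "198.51.100.7"          # constructed sample address
    return {
        "internet_http_to_web": is_allowed("outside", "dmz", internet_host, "209.165.200.227", port=80),
        "internet_https_to_web": is_allowed("outside", "dmz", internet_host, "209.165.200.227", port=443),
        "internet_ssh_to_web": is_allowed("outside", "dmz", internet_host, "209.165.200.227", port=22),
        "internet_smtp_to_mail": is_allowed("outside", "dmz", internet_host, "209.165.200.228", port=25),
        "internet_smtp_to_web": is_allowed("outside", "dmz", internet_host, "209.165.200.227", port=25),
        "inside_ftp_to_web": is_allowed("inside", "dmz", "10.10.10.5", "10.10.20.10", port=21),
        "inside_http_to_internet": is_allowed("inside", "outside", "10.10.10.5", internet_host, port=80),
        "inside_ssh_to_internet": is_allowed("inside", "outside", "10.10.10.5", internet_host, port=22),
        "dmz_smb_to_inside": is_allowed("dmz", "inside", "10.10.20.10", "10.10.10.5", port=445),
    }


if __name__ == "__main__":
    for name, ok in check_requirements().items():
        print(f"{name:28s} {'permit' if ok else 'deny'}")
```

The result worth reading is `inside_ssh_to_internet`: it comes back permitted even though the goal was HTTP and HTTPS only, because Example 12-1 binds an access list on the outside interface only and inside traffic rides on the security-level default. Enforcing that goal needs an access list applied inbound on the inside interface that permits TCP 80 and 443 to the Internet plus the DMZ traffic, with everything else denied.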
Cisco ASA Antispoofing Configuration
The Company-A security administrator wants to protect the infrastructure from spoofed sources. The administrator enables Unicast Reverse Path Forwarding (Unicast RPF) to protect against IP spoofing attacks by ensuring that all packets have a source IP address that matches the correct source interface according to the routing table. To enable Unicast RPF, navigate to Configuration > Firewall > Advanced > Anti-spoofing. Select the desired interface, and click Enable, as illustrated in Figure 12-15.
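The reverse-path check described above, as an added Python illustration (not Cisco code): the routing table is the one this case study builds (three connected networks, the management network, and the default route through the ISP router on the outside interface), and for each arriving packet the source address is looked up in that table; if the best route back to the source does not point out the interface the packet arrived on, the packet is treated as spoofed and dropped. The sample packets are constructed.

```python
"""Unicast RPF as applied by 'ip verify reverse-path' (added illustration)."""
import ipaddress

# (prefix, egress interface): connected routes of the Example 12-1 interfaces
# plus 'route outside 0.0.0.0 0.0.0.0 209.165.200.226 1'.
ROUTES = [
    ("10.10.10.0/24", "inside"),
    ("10.10.20.0/24", "dmz"),
    ("10.10.30.0/24", "management"),
    ("209.165.200.0/24", "outside"),
    ("0.0.0.0/0", "outside"),
]


def best_route(ip: str):
    """Longest-prefix match; returns the egress interface, or None if unroutable."""
    addr = ipaddress.ip_address(ip)
    best = None
    for prefix, iface in ROUTES:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best[1] if best else None


def urpf_passes(ingress: str, src: str) -> bool:
    """Strict uRPF: the route back to the source must leave via the ingress interface."""
    return best_route(src) == ingress


def filter_packets(packets):
    """Return the packets that uRPF would drop as spoofed."""
    return [p for p in packets if not urpf_passes(p["in"], p["src"])]


# Constructed sample packets (ingress interface, claimed source address).
SAMPLE = [
    {"in": "outside", "src": "198.51.100.7"},   # legitimate Internet source
    {"in": "outside", "src": "10.10.10.5"},     # claims to be an inside host: spoofed
    {"in": "inside", "src": "10.10.10.5"},      # normal inside host
    {"in": "dmz", "src": "10.10.10.5"},         # DMZ host using an inside address: dropped
    {"in": "inside", "src": "192.0.2.9"},       # inside host with a foreign source: dropped
]

if __name__ == "__main__":
    for p in SAMPLE:
        verdict = "pass" if urpf_passes(p["in"], p["src"]) else "DROP (spoofed)"
        print(f"{p['in']:10s} {p['src']:16s} {verdict}")
```

The check is symmetric: it catches Internet packets that claim an internal source, and it also catches an internal or DMZ host emitting packets with a foreign or neighbouring-segment address, which is why Example 12-1 enables it on all three interfaces rather than on outside alone.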
Figure 12-15 Configuring Unicast RPF
Blocking Instant Messaging
The security administrator is now tasked by his management to come up with a solution to prevent internal users from using Yahoo! and MSN instant messaging (IM) programs. The solution is to configure the Cisco ASA to block this traffic and log it. The security administrator completes the following steps to achieve this goal.
Step 1 The first step is to configure an inspect map on the Cisco ASA. To do this, navigate to Configuration > Firewall > Objects > Inspect Maps > Instant Messaging (IM).
Step 2 Click Add.
Step 3 The Add Instant Messaging (IM) Inspect screen is displayed.
Step 4 Enter a name and an optional description for the new inspect map configuration. In this example, the inspect map name is IM.
Step 5 Click Add to add a new inspection criterion.
Step 6 The screen shown in Figure 12-16 is displayed.
Figure 12-16 Adding an Instant Messaging Inspect Map
Step 7 Under Match Criteria, click Single Match.
Step 8 Under Match Type, click Match.
Step 9 Under Criterion, select Protocol.
Step 10 Check both protocols (Yahoo! Messenger and MSN Messenger).
Step 11 Under the Actions section, leave the default of Drop Connection and Log enabled.
Step 12 Click OK.
Step 13 Navigate to Configuration > Firewall > Service Policy Rules and click Add. The first screen of the Configuration Wizard is displayed, as illustrated in Figure 12-17.
Figure 12-17 Adding a New Service Policy Rule
Step 14 In this example, the service policy will be applied only to the inside interface. To do this, click Interface under the Create a Service Policy and Apply To section.
Step 15 Select the inside interface, and enter a name, as shown in Figure 12-17.
Step 16 Click Next.
Step 17 The Traffic Classification Criteria screen is displayed, as shown in Figure 12-18. Click Use class-default as the traffic class.
Step 18 Click Next.
Figure 12-18 Traffic Classification Criteria Screen
Step 19 The Rule Actions screen is shown, as illustrated in Figure 12-19.
Figure 12-19 Rule Actions Screen
Step 20 Under the Protocol Inspection tab, check IM and click Configure.
Step 21 Select the previously configured inspection map (IM).
Step 22 Click OK on the Select IM Inspect Map screen.
Step 23 Click Finish to end the wizard.
Step 24 Apply the configuration to the Cisco ASA.
Example 12-1 shows the Cisco ASA CLI configuration for Company-A.
Example 12-1 CLI Configuration of the Cisco ASA at the Raleigh Office
Co-A-ASA1# show running-config
: Saved
ASA Version 8.0(1)
!
hostname Co-A-ASA1
enable password 8Ry2YjIyt7RRXU24 encrypted
names
!
! outside interface configuration
interface GigabitEthernet0/0
 description outside interface connected to the Internet
 nameif outside
 security-level 0
 ip address 209.165.200.225 255.255.255.0
!
! inside interface configuration
interface GigabitEthernet0/1
 description inside interface connected to corporate network
 nameif inside
 security-level 100
 ip address 10.10.10.1 255.255.255.0
!
! dmz interface configuration
interface GigabitEthernet0/2
 description dmz interface where web, email, and FTP servers reside
 nameif dmz
 security-level 50
 ip address 10.10.20.1 255.255.255.0
!
interface GigabitEthernet0/3
 shutdown
 no nameif
 no security-level
 no ip address
!
! management interface configuration
interface Management0/0
 nameif management
 security-level 80
 ip address 10.10.30.1 255.255.255.0
!
! ACL controlling access to the web and e-mail server
access-list outside_access_in extended permit tcp any host 209.165.200.228 eq smtp
access-list outside_access_in_1 remark Allowing HTTP to the webserver
access-list outside_access_in_1 extended permit tcp any host 209.165.200.227 eq www
access-list outside_access_in_1 remark Allowing HTTPS to the webserver
access-list outside_access_in_1 extended permit tcp any host 209.165.200.227 eq https
access-list outside_access_in_1 remark Allowing SMTP to the email server
access-list outside_access_in_1 extended permit tcp any host 209.165.200.228 eq smtp
!
pager lines 24
mtu outside 1500
mtu inside 1500
mtu dmz 1500
mtu management 1500
!
! Unicast RPF configuration
ip verify reverse-path interface outside
ip verify reverse-path interface inside
ip verify reverse-path interface dmz
!
no failover
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
!
! PAT configuration for inside users
nat-control
global (outside) 1 interface
nat (inside) 1 10.10.10.0 255.255.255.0
!
! Static NAT configuration for web and e-mail servers
static (dmz,outside) 209.165.200.227 10.10.20.10 netmask 255.255.255.255
static (dmz,outside) 209.165.200.228 10.10.20.20 netmask 255.255.255.255
!
! Static identity NAT configuration for inside network at the DMZ
static (inside,dmz) 10.10.10.0 10.10.10.0 netmask 255.255.255.0
!
! ACL is applied to the outside interface
access-group outside_access_in_1 in interface outside
route outside 0.0.0.0 0.0.0.0 209.165.200.226 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 10.10.30.0 255.255.255.0 management
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
no crypto isakmp nat-traversal
telnet timeout 5
ssh 10.10.30.0 255.255.255.0 management
ssh timeout 5
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
!
! policy map to block Yahoo! and MSN IM
policy-map type inspect im IM
 description Blocking Instant Messanging
 parameters
 match protocol msn-im yahoo-im
  drop-connection log
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip
  inspect xdmcp
!
! Service policy map to block IM
policy-map inside-policy
 description Service Policy to block IM for Inside Users
 class class-default
  inspect im IM
!
! global service policy
service-policy global_policy global
! service policy for IM applied to the inside interface only
service-policy inside-policy interface inside
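The IM block in Example 12-1 is the result of four linked pieces of the Modular Policy Framework: an inspect-type policy map (IM) that names the protocols and the action, a Layer 3/4 policy map (inside-policy) whose class calls that inspect map, and a service-policy line that binds the policy map to an interface. When reviewing a firewall, the question to answer is "on which interfaces is IM actually dropped?", and the following Python parser, added here as an illustration and not a Cisco tool, resolves that chain over the relevant lines of Example 12-1. It handles only the constructs present in that example (inspect-type im maps, class-based inspect im calls, interface and global service policies) and returns the interface policy when one exists, falling back to the global policy otherwise, which is a simplification of the ASA's feature-by-feature precedence rules.

```python
"""Resolve which IM inspection applies per interface (added illustration, not Cisco code)."""
import re
from collections import defaultdict

# Relevant lines of Example 12-1; the rest of the running-config is omitted.
CONFIG = """
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
!
policy-map type inspect im IM
 description Blocking Instant Messaging
 parameters
 match protocol msn-im yahoo-im
  drop-connection log
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect esmtp
!
policy-map inside-policy
 description Service Policy to block IM for Inside Users
 class class-default
  inspect im IM
!
service-policy global_policy global
service-policy inside-policy interface inside
"""

ACTION_WORDS = ("drop-connection", "drop", "reset", "log", "mask")


def parse_mpf(config: str):
    """Return (im_maps, policy_maps, bindings) built from the config text."""
    im_maps = {}                     # name -> {"protocols": set, "actions": set}
    policy_maps = {}                 # name -> {class name: [im inspect map names]}
    bindings = {}                    # interface name or "global" -> policy-map name
    ctx = None                       # ("im", name) or ("pm", name, current class)
    for raw in config.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        m = re.match(r"policy-map type inspect im (\S+)", line)
        if m:
            im_maps[m.group(1)] = {"protocols": set(), "actions": set()}
            ctx = ("im", m.group(1))
            continue
        if re.match(r"policy-map type inspect \S+ \S+", line):
            ctx = None               # other inspect maps (dns, ...) are not modelled
            continue
        m = re.match(r"policy-map (\S+)", line)
        if m:
            policy_maps[m.group(1)] = defaultdict(list)
            ctx = ("pm", m.group(1), None)
            continue
        m = re.match(r"service-policy (\S+) (?:interface (\S+)|global)", line)
        if m:
            bindings[m.group(2) or "global"] = m.group(1)
            continue
        if ctx and ctx[0] == "im":
            m = re.match(r"match protocol (.+)", line)
            if m:
                im_maps[ctx[1]]["protocols"].update(m.group(1).split())
            elif line.split()[0] in ACTION_WORDS:
                im_maps[ctx[1]]["actions"].update(line.split())
        elif ctx and ctx[0] == "pm":
            m = re.match(r"class (\S+)", line)
            if m:
                ctx = ("pm", ctx[1], m.group(1))
                continue
            m = re.match(r"inspect im (\S+)", line)
            if m and ctx[2]:
                policy_maps[ctx[1]][ctx[2]].append(m.group(1))
    return im_maps, policy_maps, bindings


def im_enforcement(config: str, interface: str):
    """Describe the IM inspection in force on `interface`, or None if there is none."""
    im_maps, policy_maps, bindings = parse_mpf(config)
    for scope in (interface, "global"):          # interface policy first, then global
        pm = bindings.get(scope)
        if pm is None:
            continue
        for cls, maps in policy_maps[pm].items():
            for name in maps:
                return {"policy_map": pm, "class": cls, "inspect_map": name,
                        "protocols": sorted(im_maps[name]["protocols"]),
                        "actions": sorted(im_maps[name]["actions"])}
    return None


if __name__ == "__main__":
    for iface in ("inside", "dmz", "outside"):
        print(iface, im_enforcement(CONFIG, iface))
```

Run over Example 12-1 this reports the block on inside only: dmz and outside fall through to global_policy, which has no IM inspection, so an IM client on a DMZ host would not be caught by this policy.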
Atlanta Office Cisco IOS Configuration
Company-A opened a small branch office in Atlanta, Georgia. This new office has only 4 salesmen and 12 web developers. The Atlanta office network topology is simple. A Cisco IOS Software router with the IOS Firewall features set is configured to protect the internal network. This is illustrated in Figure 12-20.
Figure 12-20 Atlanta Office Network Topology
The router has only two interfaces enabled. The inside interface resides on the 10.100.10.0/24 network, and the outside interface faces the Internet.
Locking Down the Cisco IOS Router
The security administrator at Company-A must configure the router appropriately to increase the security of the Atlanta office network. The administrator uses the Security Device Manager (SDM) to configure the router and perform a security audit. Using SDM, the administrator can configure the router quickly using the best practices recommended in Chapter 2, "Preparation Phase."
You can complete the following steps to perform a security audit and fix any discrepancies found on the Cisco IOS router.
Step 1 Log in to the Cisco IOS router using SDM.
Step 2 Navigate to Configure > Security Audit, and click the Perform security audit button, as illustrated in Figure 12-21. Alternatively, you can perform a one-step lockdown to configure default recommendations by clicking the One-step lockdown button. In this example, the step-by-step option is selected, which allows you to customize your configuration.
Figure 12-21 Performing a Security Audit with SDM
Step 3 The Security Audit Wizard welcome screen shown in Figure 12-22 is displayed.
Step 4 Click Next.
Step 5 The Security Audit Interface Configuration screen shown in Figure 12-23 is displayed. In this example, a Cisco 871 router is used. The outside interface is FastEthernet4, and the inside interface is Vlan 1.
Figure 12-22 Security Audit Wizard Welcome Screen
Figure 12-23 Security Audit Wizard Interface Configuration Screen
Step 6 Click Next.
Step 7 SDM performs the audit to make sure that the recommended settings are configured on the router. As illustrated in Figure 12-24, the router fails on numerous items.
Figure 12-24 Security Audit Wizard Interface Configuration Screen
SDM allows you to save a report that lists all the configuration checks that have passed or failed. The report is illustrated in Figure 12-25.
Figure 12-25 Security Audit Report
Step 8 SDM asks you to enter a new enable secret password and to configure a login banner, as illustrated in Figure 12-26.
Step 9 After you enter the new enable secret password and login banner, click Next.
Step 10 SDM allows you to configure an administrative account, as shown in Figure 12-27. To configure a new account, click Add.
Step 11 Enter the username and password, as shown in Figure 12-27. In this example, a user named companyAadmin is created.
Step 12 Click OK after entering the username and password.
Step 13 Click Next to continue with the Security Audit Wizard.
Step 14 In the next screen, SDM allows you to enable logging and configure a system log (SYSLOG) server, as illustrated in Figure 12-28.
Figure 12-28 Configuring Logging
Step 15 In this example, the logging level is set to informational (level 6), and the SYSLOG server IP address is 10.100.10.222.
Step 16 Click Next.
Step 17 The Advanced Firewall Configuration Wizard welcome screen is displayed, as shown in Figure 12-29.
Step 18 Click Next.
Step 19 Check the inside and outside interfaces. In this example, FastEthernet4 is the outside interface, and Vlan1 is the inside interface. This is illustrated in Figure 12-30.
Figure 12-29 Advanced Firewall Configuration Wizard Welcome Screen
Figure 12-30 IOS Firewall Inside and Outside Interface Selection
Step 20 Click Next.
Step 21 The screen shown in Figure 12-31 is displayed. In this screen, SDM allows you to enable predefined application security policies. You can use the slider to select the security level. In this example, the security level is set to High.
Figure 12-31 Application Security Policies
Step 22 Click Next.
Step 23 The SDM Wizard allows you to enter the primary and secondary DNS servers for name resolution, as illustrated in Figure 12-32. In this example, the primary DNS server is 10.100.10.21, and the secondary DNS server is 10.100.10.22.
Step 24 Click Next after entering the DNS server information.
Step 25 A summary screen lists the configuration changes, as illustrated in Figure 12-33. Click Finish to send the configuration changes to the Cisco IOS router.
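The Security Audit Wizard walked through above is, at its core, a list of expected running-config lines compared against the device. The following Python script, added here as an illustration and not SDM's own rule set or Cisco code, performs that kind of comparison for a dozen of the settings SDM wrote in Example 12-2 (service hardening, enable secret, AAA, no IP source routing, no BOOTP server, SYN wait timer, SSH retry limit, CEF). The "before" configuration is a constructed sample of an unhardened router; the "after" sample is assembled from lines of Example 12-2. The check list is deliberately smaller than SDM's, and a real audit would add the items this page does not show, such as the syslog server and the banner.

```python
"""Security-audit style check of a Cisco IOS running-config (added illustration)."""
import re

# Each check is a label and a regex that must match one line of the running-config.
CHECKS = [
    ("no service pad",               r"^no service pad$"),
    ("service tcp-keepalives-in",    r"^service tcp-keepalives-in$"),
    ("service tcp-keepalives-out",   r"^service tcp-keepalives-out$"),
    ("service password-encryption",  r"^service password-encryption$"),
    ("service timestamps log",       r"^service timestamps log datetime"),
    ("enable secret configured",     r"^enable secret \S+ \S+"),
    ("aaa new-model",                r"^aaa new-model$"),
    ("no ip source-route",           r"^no ip source-route$"),
    ("no ip bootp server",           r"^no ip bootp server$"),
    ("ip cef",                       r"^ip cef$"),
    ("ip tcp synwait-time set",      r"^ip tcp synwait-time \d+$"),
    ("ssh retries limited (<=3)",    r"^ip ssh authentication-retries [1-3]$"),
]


def audit(config: str) -> dict:
    """Map each check label to True (present) or False (missing)."""
    return {label: re.search(pattern, config, re.MULTILINE) is not None
            for label, pattern in CHECKS}


def failed_checks(config: str) -> list:
    """Labels of the checks the configuration fails, in check-list order."""
    return [label for label, ok in audit(config).items() if not ok]


# Constructed sample: an unhardened router before the audit.
BEFORE = """\
version 12.4
service pad
hostname branch-rtr
enable password cisco
ip source-route
ip cef
ip ssh authentication-retries 5
"""

# Lines taken from Example 12-2 after the wizard applied its changes.
AFTER = """\
version 12.4
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
hostname company-A-ios-fw
enable secret 5 $1$XlSV$Pa0oIYeuSY5CZOGXXOJjF/
aaa new-model
no ip source-route
ip cef
ip tcp synwait-time 10
no ip bootp server
ip ssh time-out 60
ip ssh authentication-retries 2
"""

if __name__ == "__main__":
    for name, cfg in (("before", BEFORE), ("after", AFTER)):
        missing = failed_checks(cfg)
        print(f"{name}: {len(CHECKS) - len(missing)}/{len(CHECKS)} checks passed")
        for label in missing:
            print("  FAIL", label)
```

Running the same checks on a schedule against saved configurations is a cheap way to detect drift: a router that passed the audit when the wizard finished can silently fail it again after a later manual change.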
Example 12-2 shows the CLI configuration of the router at the Atlanta office after completing the previous steps.
Example 12-2 CLI Configuration of the Cisco IOS Router at the Atlanta Office
company-A-ios-fw#show running-config
Building configuration...
Current configuration : 8080 bytes
!
version 12.4
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname company-A-ios-fw
!
boot-start-marker
boot-end-marker
!
no logging buffered
logging console critical
enable secret 5 $1$XlSV$Pa0oIYeuSY5CZOGXXOJjF/
!
aaa new-model
!
aaa authentication login local_authen local
aaa authorization exec local_author local
!
aaa session-id common
no ip source-route
ip cef
!
!
ip tcp synwait-time 10
no ip bootp server
ip name-server 10.100.10.21
ip name-server 10.100.10.22
ip ssh time-out 60
ip ssh authentication-retries 2
!
parameter-map type protocol-info msn-servers
 server name messenger.hotmail.com
 server name gateway.messenger.hotmail.com
 server name webmessenger.msn.com
!
parameter-map type protocol-info aol-servers
 server name login.oscar.aol.com
 server name toc.oscar.aol.com
 server name oam-d09a.blue.aol.com
!
parameter-map type protocol-info yahoo-servers
!
parameter-map type regex sdm-regex-nonascii pattern ["\x00-\x80]
username companyAadmin password 7 02050D4808095E731F
!
!
class-map type inspect smtp match-any sdm-app-smtp
 match data-length gt 5000000
class-map type inspect http match-any sdm-app-nonascii
 match req-resp header regex sdm-regex-nonascii
class-map type inspect imap match-any sdm-app-imap
 match invalid-command
class-map type inspect match-any sdm-cls-insp-traffic
 match protocol dns
 match protocol https
 match protocol icmp
 match protocol imap
 match protocol pop3
 match protocol tcp
 match protocol udp
class-map type inspect match-all sdm-insp-traffic
 match class-map sdm-cls-insp-traffic
class-map type inspect match-all sdm-protocol-pop3
 match protocol pop3
class-map type inspect match-any sdm-cls-icmp-access
 match protocol icmp
 match protocol tcp
 match protocol udp
class-map type inspect match-any sdm-cls-protocol-im
 match protocol ymsgr yahoo-servers
 match protocol msnmsgr msn-servers
 match protocol aol aol-servers
class-map type inspect pop3 match-any sdm-app-pop3
 match invalid-command
class-map type inspect http match-any sdm-http-blockparam
 match request port-misuse im
 match request port-misuse p2p
 match request port-misuse tunneling
 match req-resp protocol-violation
class-map type inspect match-all sdm-protocol-im
 match class-map sdm-cls-protocol-im
class-map type inspect match-all sdm-icmp-access
 match class-map sdm-cls-icmp-access
class-map type inspect match-all sdm-invalid-src
 match access-group 100
class-map type inspect match-all sdm-protocol-smtp
 match protocol smtp
class-map type inspect match-all sdm-protocol-imap
 match protocol imap
!
!
policy-map type inspect sdm-permit-icmpreply
 class type inspect sdm-icmp-access
  inspect
 class class-default
  pass
policy-map type inspect http sdm-action-app-http
 class type inspect http sdm-http-blockparam
  log
  reset
 class type inspect http sdm-app-httpmethods
  log
  reset
 class type inspect http sdm-app-nonascii
  log
  reset
 class class-default
policy-map type inspect smtp sdm-action-smtp
 class type inspect smtp sdm-app-smtp
  reset
 class class-default
policy-map type inspect imap sdm-action-imap
 class type inspect imap sdm-app-imap
  log
  reset
 class class-default
policy-map type inspect pop3 sdm-action-pop3
 class type inspect pop3 sdm-app-pop3
  log
  reset
 class class-default
policy-map type inspect sdm-inspect
 class type inspect sdm-invalid-src
  drop log
 class type inspect sdm-protocol-http
  inspect
  service-policy http sdm-action-app-http
 class type inspect sdm-protocol-smtp
  inspect
  service-policy smtp sdm-action-smtp
 class type inspect sdm-protocol-imap
  inspect
  service-policy imap sdm-action-imap
 class type inspect sdm-protocol-pop3
  inspect
  service-policy pop3 sdm-action-pop3
 class type inspect sdm-protocol-im
  drop log
 class type inspect sdm-insp-traffic
  inspect
 class class-default
policy-map type inspect sdm-permit
 class class-default
!
zone security out-zone
zone security in-zone
zone-pair security sdm-zp-self-out source self destination out-zone
 service-policy type inspect sdm-permit-icmpreply
zone-pair security sdm-zp-out-self source out-zone destination self
 service-policy type inspect sdm-permit
zone-pair security sdm-zp-in-out source in-zone destination out-zone
 service-policy type inspect sdm-inspect
interface Null0
 no ip unreachables
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface FastEthernet4
 description $FW_OUTSIDE$
 ip address 209.165.200.231 255.255.255.0
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 zone-member security out-zone
 ip route-cache flow
 duplex auto
 speed auto
!
interface Vlan1
 description $FW_INSIDE$
 ip address 10.100.10.1 255.255.255.0
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 zone-member security in-zone
 ip route-cache flow
!
ip route 0.0.0.0 0.0.0.0 209.165.200.225
!
ip http server
no ip http secure-server
!
logging trap informational
logging 10.100.10.222
access-list 100 remark SDM_ACL Category=128
access-list 100 permit ip host 255.255.255.255 any
access-list 100 permit ip 127.0.0.0 0.255.255.255 any
access-list 100 permit ip 209.165.200.0 0.0.0.255 any
access-list 101 remark VTY Access-class list
access-list 101 remark SDM_ACL Category=1
access-list 101 permit ip 10.100.10.0 0.0.0.255 any
access-list 101 deny ip any any
no cdp run
control-plane
!
banner login ^C*** THIS IS A RESTRICTED SYSTEM, UNAUTHORIZED ACCESS^C
!
line con 0
 login authentication local_authen
 no modem enable
 transport output telnet
line aux 0
 login authentication local_authen
 transport output telnet
line vty 0 4
 access-class 101 in
 authorization exec local_author
 login authentication local_authen
 transport input telnet ssh
!
scheduler max-task-time 5000
scheduler allocate 4000 1000
scheduler interval 500
end
Configuring Basic Network Address Translation (NAT)
The router administrator needs to configure basic NAT for internal users to access the Internet. The following steps are completed to enable basic NAT on the Cisco IOS router.
Step 1 Log in to the router using SDM.
Step 2 Navigate to Configure > NAT and click Basic NAT, as illustrated in Figure 12-34.
Figure 12-34 Configuring Basic NAT
Step 3 Click the Launch the selected task button to start the NAT Configuration Wizard.
Step 4 The NAT Configuration Wizard welcome screen appears. Click Next.
Step 5 The screen shown in Figure 12-35 is displayed.
Figure 12-35 Basic NAT Configuration Wizard
Step 6 Choose the interface that connects to the Internet from the drop-down menu. FastEthernet4 is selected in this example.
Step 7 In this example, the inside network will be translated to the public IP address of the outside interface.
Step 8 Click Next.
Step 9 The wizard displays a summary screen listing the configuration changes. Click Finish.
Configuring Site-to-Site VPN
Users at the office in Atlanta need to securely access resources in the Raleigh office. The security administrator configures a site-to-site IPsec tunnel between the Cisco ASA in Raleigh and the Cisco IOS router in Atlanta.
The following are the steps that need to be completed to configure the Cisco IOS router in Atlanta to terminate a site-to-site IPsec tunnel with the Cisco ASA in Raleigh.
Step 1 Log in to the router using SDM.
Step 2 Navigate to Configure > VPN and choose Site-to-Site VPN, as illustrated in Figure 12-36.
Figure 12-36 Configuring a Site-to-Site VPN Using SDM
Step 3 Click Create a Site to Site VPN and click the Launch the selected task button.
Step 4 The Site-to-Site VPN Wizard welcome screen is displayed, as illustrated in Figure 12-37. The Quick setup option allows you to easily configure a site-to-site VPN tunnel to another Cisco router with minimal interaction. In this case, the router will be creating a site-to-site VPN tunnel to a Cisco ASA, so the Step by step wizard is selected. This option lets you customize the configuration.
Step 5 Click Next.
Step 6 The screen shown in Figure 12-38 is displayed. Select the interface that will terminate the VPN tunnel. In this example, FastEthernet4 (the outside interface of the router) is selected.
Figure 12-37 SDM Site-to-Site VPN Wizard Welcome Screen
Figure 12-38 Configuring the VPN Interface, Remote Peer, and Preshared Keys
Step 7 In this case, the VPN peer (Cisco ASA) is configured with a static IP address. Choose Peer with static IP address from the drop-down menu and enter the IP address of the peer (209.165.200.225). Preshared keys are used in this example for tunnel authentication.
Step 8 Click Next.
Step 9 The next screen allows you to configure an Internet Key Exchange (IKE) policy (as illustrated in Figure 12-39). This policy must match the IKE policy on the Cisco ASA. Click Add to enter a new IKE policy.
Figure 12-39 Configuring the IKE Policy with SDM
Step 10 In this case, a new policy is configured to use preshared keys for authentication. The selected encryption protocol is Advanced Encryption Standard AES_256. Diffie-Hellman (DH) Group 2 is used. The IKE hashing algorithm is Secure Hash Algorithm SHA_1. The default 24-hour lifetime for IKE is selected.
Step 11 Click Next.
Step 12 The next screen enables you to configure the IPsec policies. Click Add to add a new transform-set (IPsec phase two policies).
Step 13 The dialog box illustrated in Figure 12-40 appears allowing you to configure the IPsec policies.
Figure 12-40 Configuring the IPsec Phase Two Policies with SDM
Step 14 Enter a name for the new transform set. In this case, the name is tunnel-to-asa.
Step 15 The Encapsulating Security Payload (ESP) protocol is used in this example. The integrity algorithm used in this example is ESP_SHA_HMAC, and the encryption algorithm is ESP_AES_256.
The Cisco ASA configuration must match these settings to establish the site-to-site IPsec VPN tunnel.
Step 16 Tunnel mode is used in this example to encrypt both the payload (data) and IP header.
Step 17 Click OK to add the new transform-set.
Step 18 Click Next.
Step 19 The screen shown in Figure 12-41 is displayed. It allows you to select the traffic you would like to protect.
Step 20 Click Protect all traffic between the following subnets.
Step 21 Configure the local and remote networks (the networks that will be able to communicate over the VPN tunnel). In this case, the local network is 10.100.10.0/24, and the remote network is 10.10.10.0/24.
Step 22 Click Next.
Figure 12-41 Traffic to Protect
Step 23 A summary screen listing the configuration changes is displayed. Click Finish to apply the changes.
Step 24 Because NAT/PAT was configured on the router, SDM shows a warning message asking you if you would like to bypass NAT for the traffic over the VPN tunnel. The warning screen is shown in Figure 12-42.
Figure 12-42 SDM Warning Screen
Step 25 Click Yes to bypass NAT for the tunnel traffic.
Example 12-3 shows the CLI VPN configuration of the router.
Example 12-3 CLI VPN Configuration of the Router
!Phase 1 IKE policy
crypto isakmp policy 2
 encr aes 256
 authentication pre-share
 group 2
crypto isakmp key cisco123 address 209.165.200.225
!
!Phase 2 policy
crypto ipsec transform-set tunnel-to-asa esp-aes 256 esp-sha-hmac
!
!crypto-map configuration for the Tunnel to the Cisco ASA
crypto map SDM_CMAP_1 1 ipsec-isakmp
 description Tunnel to209.165.200.225
 set peer 209.165.200.225
 set transform-set tunnel-to-asa
 match address 102
!
!ACL defining tunnel traffic
access-list 102 remark SDM_ACL Category=4
access-list 102 remark IPSec Rule
access-list 102 permit ip 10.100.10.0 0.0.0.255 10.10.10.0 0.0.0.255
!
!Outside Interface Configuration
interface FastEthernet4
 description $FW_OUTSIDE$
 ip address 209.165.200.231 255.255.255.0
 ip nat outside
 crypto map SDM_CMAP_1
!
!NAT Configuration - bypassing NAT for tunnel traffic
ip nat inside source route-map SDM_RMAP_1 interface FastEthernet4 overload
!
route-map SDM_RMAP_1 permit 1
 match ip address 105
access-list 105 remark SDM_ACL Category=2
access-list 105 remark IPSec Rule
access-list 105 deny ip 10.100.10.0 0.0.0.255 10.10.10.0 0.0.0.255
access-list 105 permit ip 10.100.10.0 0.0.0.255 any
The next task is to configure the Cisco ASA in the Raleigh office to terminate the site-to-site VPN tunnel. Complete the following steps to complete this task.
Step 1 Log in to the Cisco ASA using ASDM.
Step 2 From the main ASDM menu, choose Wizards > IPsec VPN Wizard, as shown in Figure 12-43.
Step 3 The VPN Wizard starts by allowing you to select the tunnel type, as illustrated in Figure 12-44. Click Site-to-Site.
Step 4 Choose the outside interface as the VPN tunnel interface from the drop-down menu.
Figure 12-43 Launching the ASDM IPsec VPN Wizard
Figure 12-44 ASDM VPN Wizard—VPN Tunnel Type
Step 5 In this example, the Cisco ASA will be configured to allow inbound IPsec sessions to bypass all configured access control lists (ACL).
Step 6 Click Next.
Step 7 The screen shown in Figure 12-45 is displayed. Here you can enter the remote site peer information.
Figure 12-45 ASDM VPN Wizard—Remote Peer Information
Step 8 Enter the peer IP address (209.165.200.231 in this example).
Step 9 Under Authentication Method, click Pre-shared key and enter the preshared key. In this example, the preshared key is 1qazXSW2.
Step 10 By default, the IP address of the remote peer is used as the tunnel group name. Leave the default configuration.
Step 11 Click Next.
Step 12 The screen shown in Figure 12-46 is displayed. Here you can enter the IKE policy information.
Step 13 The IKE policy parameters must match those configured in the router. In this case, the same encryption protocol, authentication hashing algorithm, and DH group are configured.
Step 14 Click Next.
Figure 12-46 ASDM VPN Wizard—IKE Policy
Step 15 The screen shown in Figure 12-47 is displayed. Here you can enter the IPsec phase 2 information.
Figure 12-47 ASDM VPN Wizard—IPsec Encryption and Authentication
Step 16 The IPsec encryption and authentication protocol parameters must match those configured in the router, as shown in Figure 12-47.
Step 17 Click Next.
Step 18 The screen shown in Figure 12-48 is displayed. This screen allows you to enter the local and remote networks that will communicate over the IPsec site-to-site VPN tunnel.
Figure 12-48 ASDM VPN Wizard—Hosts and Networks
Step 19 Under Action, click Protect.
Step 20 Enter the local network information. In this case, the inside-network/24 is selected.
Step 21 Enter the remote network information. The 10.100.10.0/24, atlanta-office remote network is selected in this example.
Step 22 Check the Exempt ASA side host/network from address translation option and choose the inside interface from the drop-down menu to bypass NAT for tunnel traffic.
Step 23 Click Next.
Step 24 The summary screen shown in Figure 12-49 is displayed.
Step 25 Click Finish to apply the changes to the Cisco ASA.
Figure 12-49 ASDM VPN Wizard—Summary Screen
Example 12-4 shows the Cisco ASA CLI site-to-site VPN configuration.
Example 12-4 Cisco ASA CLI Site-to-Site VPN Configuration
!IKE Enabled on the outside interface
crypto isakmp enable outside
!
!IKE Policy (phase one policy)
crypto isakmp policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
!
!Phase 2 policy and crypto map configuration
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto map outside_map 20 match address outside_20_cryptomap
crypto map outside_map 20 set peer 209.165.200.231
crypto map outside_map 20 set transform-set ESP-AES-256-SHA
!
!Crypto map is applied to the outside interface
crypto map outside_map interface outside
!
!ACL used by the crypto map to define the traffic that will be encrypted
access-list outside_20_cryptomap extended permit ip 10.10.10.0 255.255.255.0 object-group atlanta-office
!
!Tunnel group configuration for the site-to-site tunnel
tunnel-group 209.165.200.231 type ipsec-l2l
tunnel-group 209.165.200.231 ipsec-attributes
 pre-shared-key *
!
!Bypassing NAT for the VPN tunnel traffic
nat (inside) 0 access-list inside_nat0_outbound
access-list inside_nat0_outbound extended permit ip 10.10.10.0 255.255.255.0 object-group atlanta-office
!
!Object Group defining the Atlanta office remote network
object-group network atlanta-office
 network-object 10.100.10.0 255.255.255.0
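Steps 10, 13, 15 and 16 above all stress that the IKE and IPsec parameters must agree on both ends before the tunnel will come up. The following Python script is an added example, not code from the book or from Cisco: it parses the router configuration of Example 12-3 and the ASA configuration of Example 12-4 (embedded below as constructed sample input), fills in each platform's defaults for lines the CLI omits (IOS leaves out hash sha because SHA is its default), normalizes the two spellings of the cipher names, and reports any phase 1, phase 2 or peer-address disagreement. The default tables are assumed for the software trains used in this chapter; the outside addresses passed to compare() come from the text. The preshared key is not compared because the ASA masks it in its running configuration (pre-shared-key *).

```python
import re

# Constructed sample input: the router side, copied from Example 12-3 on this page.
IOS_CONFIG = """\
crypto isakmp policy 2
 encr aes 256
 authentication pre-share
 group 2
crypto isakmp key cisco123 address 209.165.200.225
crypto ipsec transform-set tunnel-to-asa esp-aes 256 esp-sha-hmac
crypto map SDM_CMAP_1 1 ipsec-isakmp
 set peer 209.165.200.225
 set transform-set tunnel-to-asa
"""

# Constructed sample input: the ASA side, copied from Example 12-4 on this page.
ASA_CONFIG = """\
crypto isakmp policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto map outside_map 20 set peer 209.165.200.231
crypto map outside_map 20 set transform-set ESP-AES-256-SHA
"""

# Values each platform applies when a policy line is omitted (assumed defaults for
# the IOS and ASA releases of this chapter; IOS omits 'hash sha' in Example 12-3).
IOS_ISAKMP_DEFAULTS = {"encryption": "des", "hash": "sha", "group": "1",
                       "authentication": "rsa-sig"}
ASA_ISAKMP_DEFAULTS = {"encryption": "3des", "hash": "sha", "group": "2",
                       "authentication": "pre-share"}
# Lifetime is left out: IKE negotiates down to the shorter value, so it need not match.
PHASE1_KEYS = ("encryption", "hash", "group", "authentication")


def normalize_cipher(value):
    """Map 'aes 256' (IOS) and 'aes-256' (ASA) to one spelling; bare 'aes' means 128-bit."""
    v = value.strip().replace(" ", "-")
    return v + "-128" if v in ("aes", "esp-aes") else v


def parse_isakmp_policies(text, defaults):
    """Return {priority: {param: value}} for every 'crypto isakmp policy' block."""
    policies, current = {}, None
    for line in text.splitlines():
        m = re.match(r"crypto isakmp policy (\d+)", line)
        if m:
            current = dict(defaults)
            policies[int(m.group(1))] = current
            continue
        if current is None or not line.startswith(" "):
            current = None  # an unindented line ends the policy block
            continue
        key, _, value = line.strip().partition(" ")
        key = "encryption" if key == "encr" else key
        current[key] = normalize_cipher(value) if key == "encryption" else value
    return policies


def parse_transform_sets(text):
    """Return {name: (encryption, integrity)} for every 'crypto ipsec transform-set'."""
    sets = {}
    for line in text.splitlines():
        m = re.match(r"crypto ipsec transform-set (\S+) (.+)", line)
        if not m:
            continue
        # IOS writes the AES key size as a separate token ('esp-aes 256'); fold it in.
        tokens = re.sub(r"esp-aes (\d+)", r"esp-aes-\1", m.group(2)).split()
        enc = [normalize_cipher(t) for t in tokens if not t.endswith("-hmac")]
        integ = [t for t in tokens if t.endswith("-hmac")]
        sets[m.group(1)] = (enc[0] if enc else None, integ[0] if integ else None)
    return sets


def peer_of(text):
    """Return the address in the first 'set peer' line, or None."""
    m = re.search(r"set peer (\S+)", text)
    return m.group(1) if m else None


def compare(ios_text, asa_text, ios_outside, asa_outside):
    """Return a list of mismatch descriptions; an empty list means the tunnel can negotiate."""
    problems = []
    ios_pol = parse_isakmp_policies(ios_text, IOS_ISAKMP_DEFAULTS).values()
    asa_pol = parse_isakmp_policies(asa_text, ASA_ISAKMP_DEFAULTS).values()
    if not any(all(i[k] == a[k] for k in PHASE1_KEYS) for i in ios_pol for a in asa_pol):
        problems.append(f"no IKE policy pair agrees on {PHASE1_KEYS}")
    ios_ts = set(parse_transform_sets(ios_text).values())
    asa_ts = set(parse_transform_sets(asa_text).values())
    if not ios_ts & asa_ts:
        problems.append(f"no common transform set: IOS={ios_ts} ASA={asa_ts}")
    if peer_of(ios_text) != asa_outside:
        problems.append(f"router peer {peer_of(ios_text)} is not the ASA address {asa_outside}")
    if peer_of(asa_text) != ios_outside:
        problems.append(f"ASA peer {peer_of(asa_text)} is not the router address {ios_outside}")
    return problems


if __name__ == "__main__":
    issues = compare(IOS_CONFIG, ASA_CONFIG, "209.165.200.231", "209.165.200.225")
    print("OK: phase 1, phase 2 and peers agree" if not issues else "\n".join(issues))
```

Run against the two examples, the check reports no mismatch. Note that the key values the text quotes for the two sides (cisco123 in Example 12-3 and 1qazXSW2 in Step 9 of the ASA procedure) would also have to be identical in a real deployment; that is the one parameter this script cannot verify from CLI output.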
Case Study of a Medium-Sized Enterprise
Company-B is a medium-sized software development company based in Chicago, Illinois. This organization has 1200 employees and 75 contractors at a call center in a partner office (Partner-A). Figure 12-50 illustrates a high-level overview of the Chicago office for Company-B.
Two routers (R1 and R2) reside at the Internet Edge followed by two Cisco ASAs with the Advanced Inspection and Prevention Security Services Module (AIP-SSM). The AIP-SSM provides intrusion prevention system (IPS) functionality. Web, e-mail, and DNS servers reside at a DMZ network. A Cisco Secure Monitoring, Analysis, and Response System (CS-MARS), a Cisco Secure Access Control Server (ACS), and a Simple Network Management Protocol (SNMP) server reside in the management network.
Company-B has three major user groups in the Chicago office:
• Sales
• Engineering
• Finance
Company-B's security manager has learned the techniques and methodologies discussed earlier in this book. The security manager develops a strategic plan to implement best practices that increase the security of the network infrastructure. The following sections include several tasks that the security manager of Company-B completes to increase the security of the network and its components.
Figure 12-50 High-Level Overview of Company-B Chicago Office
Protecting the Internet Edge Routers
On the Internet edge routers (R1 and R2), the administrator configures an ACL to deny packets from illegal sources (RFC 1918 and RFC 3330 addresses). In addition, this ACL denies traffic entering from an external source whose source address belongs to the internal address space of Company-B (that is, 209.165.201.0/24). Example 12-5 shows the ACL configuration.
Example 12-5 Antispoofing ACL
access-list 100 deny ip host 0.0.0.0 any
access-list 100 deny ip 127.0.0.0 0.255.255.255 any
access-list 100 deny ip 192.0.2.0 0.0.0.255 any
access-list 100 deny ip 224.0.0.0 31.255.255.255 any
access-list 100 deny ip 10.0.0.0 0.255.255.255 any
access-list 100 deny ip 172.16.0.0 0.15.255.255 any
access-list 100 deny ip 192.168.0.0 0.0.255.255 any
access-list 100 remark Drop inbound packets that claim a Company-B internal source address
access-list 100 deny ip 209.165.201.0 0.0.0.255 any
access-list 100 permit ip any any
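As an added example (not code from the book), the following Python script evaluates Cisco IOS numbered extended ACLs with their wildcard-mask syntax and applies two ACLs from this chapter: the antispoofing ACL of Example 12-5 above, and ACL 105 from Example 12-3, which route-map SDM_RMAP_1 uses to keep Atlanta-to-Raleigh tunnel traffic out of NAT (a deny in that ACL means "do not translate"). The ACL text is embedded as constructed sample input, the packet addresses in the main block are made up for illustration, and only ip entries are handled.

```python
import ipaddress

# Constructed sample: the antispoofing ACL of Example 12-5, with the internal-range
# entry written as a source-address check, as the accompanying text describes.
ANTISPOOF_ACL = """\
access-list 100 deny ip host 0.0.0.0 any
access-list 100 deny ip 127.0.0.0 0.255.255.255 any
access-list 100 deny ip 192.0.2.0 0.0.0.255 any
access-list 100 deny ip 224.0.0.0 31.255.255.255 any
access-list 100 deny ip 10.0.0.0 0.255.255.255 any
access-list 100 deny ip 172.16.0.0 0.15.255.255 any
access-list 100 deny ip 192.168.0.0 0.0.255.255 any
access-list 100 deny ip 209.165.201.0 0.0.0.255 any
access-list 100 permit ip any any
"""

# Constructed sample: ACL 105 from Example 12-3, referenced by route-map SDM_RMAP_1.
# 'deny' here means "do not translate", which keeps tunnel traffic out of NAT.
NAT_ACL = """\
access-list 105 remark SDM_ACL Category=2
access-list 105 remark IPSec Rule
access-list 105 deny ip 10.100.10.0 0.0.0.255 10.10.10.0 0.0.0.255
access-list 105 permit ip 10.100.10.0 0.0.0.255 any
"""

ANY = (0, 0xFFFFFFFF)  # network 0.0.0.0 with wildcard 255.255.255.255


def _addr_spec(tokens, i):
    """Consume one address spec at tokens[i]; return ((network, wildcard), next_index)."""
    if tokens[i] == "any":
        return ANY, i + 1
    if tokens[i] == "host":
        return (int(ipaddress.IPv4Address(tokens[i + 1])), 0), i + 2
    return (int(ipaddress.IPv4Address(tokens[i])),
            int(ipaddress.IPv4Address(tokens[i + 1]))), i + 2


def parse_acl(text):
    """Return ordered (action, src_spec, dst_spec) entries for 'ip' lines; remarks skipped."""
    entries = []
    for line in text.splitlines():
        t = line.split()
        if len(t) < 4 or t[0] != "access-list" or t[2] == "remark":
            continue
        if t[3] != "ip":
            raise ValueError("only protocol 'ip' entries are handled: " + line)
        src, i = _addr_spec(t, 4)
        dst, _ = _addr_spec(t, i)
        entries.append((t[2], src, dst))
    return entries


def _covers(spec, addr):
    """Wildcard semantics: a 1 bit in the mask is 'don't care', a 0 bit must match."""
    net, wild = spec
    care = ~wild & 0xFFFFFFFF
    return (int(addr) & care) == (net & care)


def evaluate(entries, src, dst):
    """First matching entry wins; an IOS ACL ends with an implicit deny."""
    s, d = ipaddress.IPv4Address(src), ipaddress.IPv4Address(dst)
    for action, src_spec, dst_spec in entries:
        if _covers(src_spec, s) and _covers(dst_spec, d):
            return action
    return "deny"


def is_spoofed(src, dst="209.165.201.10"):
    """True when the edge router's antispoofing ACL would drop this inbound packet."""
    return evaluate(parse_acl(ANTISPOOF_ACL), src, dst) == "deny"


def is_translated(src, dst):
    """True when route-map SDM_RMAP_1 would NAT this inside-to-outside flow."""
    return evaluate(parse_acl(NAT_ACL), src, dst) == "permit"


if __name__ == "__main__":
    # Made-up packet sources; 198.51.100.7 stands in for an ordinary Internet host.
    for s in ("10.1.2.3", "127.0.0.1", "209.165.201.5", "198.51.100.7"):
        print(f"{s:>15}  spoofed={is_spoofed(s)}")
    print("tunnel flow translated:  ", is_translated("10.100.10.5", "10.10.10.10"))
    print("Internet flow translated:", is_translated("10.100.10.5", "198.51.100.7"))
```

The same evaluator can be pointed at any numbered ACL copied from a router; the value of scripting it is that a proposed ACL change can be checked against a list of representative flows before it is pushed to the edge.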
NOTE In addition, the administrator performs a security audit using SDM and makes the necessary changes, as the Company-A administrator did.
Configuring the AIP-SSM on the Cisco ASA
Two Cisco ASAs protect the Chicago office internal network. The IP address configuration of both Cisco ASAs is illustrated in Figure 12-51.
Figure 12-51 Cisco ASAs at the Chicago Office
The following are the IP addresses of each of the interfaces of the primary Cisco ASA (ASA-1):
• Outside: 209.165.201.1
• Inside: 10.200.10.1
• DMZ: 10.200.20.1
• Management: 10.200.30.1
• AIP-SSM Management interface: 10.200.30.3
The following are the IP addresses of each of the interfaces of the secondary Cisco ASA (ASA-2):
• Outside: 209.165.201.2
• Inside: 10.200.10.2
• DMZ: 10.200.20.2
• Management: 10.200.30.2
• AIP-SSM management interface: 10.200.30.4
The administrator configures the necessary access and address translation for internal services in a procedure that is similar to the steps you learned previously in this chapter. After performing these basic configuration steps, the security administrator initializes the AIP-SSM. To verify that the ASA-1 recognizes the AIP-SSM, the administrator uses the show module command, as shown in Example 12-6.
Example 12-6 Output of the show module Command
companyB-ASA1# show module
Mod Card Type                                    Model              Serial No.
--- -------------------------------------------- ------------------ -----------
  0 ASA 5520 Adaptive Security Appliance         ASA5520-K8         JMX1113L0Y4
  1 ASA 5500 Series Security Services Module-10  ASA-SSM-10         JAB101502D9

Mod MAC Address Range                 Hw Version   Fw Version   Sw Version
--- --------------------------------- ------------ ------------ ---------------
  0 001a.6d7c.8c95 to 001a.6d7c.8c99  2.0          1.0(11)2     8.0(2)
  1 0016.c79f.78c1 to 0016.c79f.78c1  1.0          1.0(10)0     6.0(2)E1

Mod SSM Application Name           Status           SSM Application Version
--- ------------------------------ ---------------- --------------------------
  1 IPS                            Up               6.0(2)E1

Mod Status             Data Plane Status     Compatibility
--- ------------------ --------------------- -------------
  0 Up Sys             Not Applicable
  1 Up                 Up
The lines for module 1 show that the module is running IPS Software Version 6.0(2)E1 and that it is operational.
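A practitioner will usually want this module check scripted in monitoring rather than read by eye after each change. The following Python script is an added example, not Cisco or book code: it parses show module output in the format of Example 12-6 (embedded below as a constructed copy), using the dashed line under each header to fix the column boundaries so that multi-word cells such as Up Sys and Not Applicable survive, and reports whether the SSM in slot 1 is up with the expected IPS version. The slot number and version string are taken from the example above.

```python
import re

# Constructed copy of the Example 12-6 output (ASA 8.0 'show module' layout).
SHOW_MODULE = """\
companyB-ASA1# show module
Mod Card Type                                    Model              Serial No.
--- -------------------------------------------- ------------------ -----------
  0 ASA 5520 Adaptive Security Appliance         ASA5520-K8         JMX1113L0Y4
  1 ASA 5500 Series Security Services Module-10  ASA-SSM-10         JAB101502D9

Mod MAC Address Range                 Hw Version   Fw Version   Sw Version
--- --------------------------------- ------------ ------------ ---------------
  0 001a.6d7c.8c95 to 001a.6d7c.8c99  2.0          1.0(11)2     8.0(2)
  1 0016.c79f.78c1 to 0016.c79f.78c1  1.0          1.0(10)0     6.0(2)E1

Mod SSM Application Name           Status           SSM Application Version
--- ------------------------------ ---------------- --------------------------
  1 IPS                            Up               6.0(2)E1

Mod Status             Data Plane Status     Compatibility
--- ------------------ --------------------- -------------
  0 Up Sys             Not Applicable
  1 Up                 Up
"""


def parse_show_module(text):
    """Split 'show module' output into its tables. Each table is a list of row dicts
    keyed by the header names; the dashed line under each header fixes the column
    boundaries, which is what keeps multi-word cells like 'Up Sys' intact."""
    lines = text.splitlines()
    tables = []
    for i, line in enumerate(lines):
        if i == 0 or "-" not in line or not re.fullmatch(r"[- ]+", line):
            continue
        starts = [m.start() for m in re.finditer(r"-+", line)] + [None]
        spans = list(zip(starts[:-1], starts[1:]))  # each column runs to the next start
        header = lines[i - 1]
        cols = [header[s:e].strip() for s, e in spans]
        rows = []
        for row in lines[i + 1:]:
            if not row.strip():
                break  # a blank line ends the table
            rows.append({c: row[s:e].strip() for c, (s, e) in zip(cols, spans)})
        tables.append(rows)
    return tables


def ssm_health(text, slot="1"):
    """Collect application, status, version and data-plane state for the SSM in a slot."""
    info = {}
    for rows in parse_show_module(text):
        for row in rows:
            if row.get("Mod") != slot:
                continue
            if "SSM Application Name" in row:
                info.update(app=row["SSM Application Name"], status=row["Status"],
                            version=row["SSM Application Version"])
            elif "Data Plane Status" in row:
                info["data_plane"] = row["Data Plane Status"]
    return info or None


def ssm_ready(text, expected_version, slot="1"):
    """True only when the module and its data plane are Up and the IPS version matches."""
    info = ssm_health(text, slot) or {}
    return (info.get("status") == "Up" and info.get("data_plane") == "Up"
            and info.get("version") == expected_version)


if __name__ == "__main__":
    print(ssm_health(SHOW_MODULE))
    print("AIP-SSM ready:", ssm_ready(SHOW_MODULE, "6.0(2)E1"))
```

Feeding the script live output (for example captured over SSH by a polling job) turns the "is the IPS module up" question into a check that can alarm on a Down data plane or an unexpected version after an upgrade.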
The administrator logs into ASA-1 via the CLI and connects to the AIP-SSM using the session 1 command. This puts him on the AIP-SSM CLI. To initialize the AIP-SSM, the administrator uses the setup command, as demonstrated in Example 12-7.
Example 12-7 Initializing ASA-1 AIP-SSM
sensor# setup

    --- System Configuration Dialog ---

At any point you may enter a question mark '?' for help.
Use ctrl-c to abort configuration dialog at any prompt.
Default settings are in square brackets '[]'.

Current Configuration:

service host
network-settings
host-ip 10.1.9.201/24,10.1.9.1
host-name sensor
telnet-option disabled
ftp-timeout 300
login-banner-text
exit
time-zone-settings
offset 0
standard-time-zone-name UTC
exit
summertime-option disabled
ntp-option disabled
exit
service web-server
port 443
exit

Current time: Mon May 14 18:26:51 2007

Setup Configuration last modified: Mon May 14 17:45:30 2007

Continue with configuration dialog?[yes]: yes
Enter host name[sensor]: companyB-AIP-SSM1
Enter IP interface[10.1.9.201/24,10.1.9.1]: 10.200.30.3/24,10.200.30.1
Enter telnet-server status[disabled]:
Enter web-server port[443]:
Modify current access list?[no]: yes
Current access list entries:
  No entries
Permit: 10.200.30.0/24
Permit:
Modify system clock settings?[no]: no
Modify virtual sensor "vs0" configuration?[no]: yes
Current interface configuration
  Command control: GigabitEthernet0/0
  Unused:
    GigabitEthernet0/1
  Monitored: None
Add Monitored interfaces?[no]: yes
Interface[]: GigabitEthernet0/1
Interface[]:

The following configuration was entered.

service host
network-settings
host-ip 10.200.30.3/24,10.200.30.1
host-name companyB-AIP-SSM1
telnet-option disabled
access-list 10.200.30.0/24
ftp-timeout 300
no login-banner-text
exit
time-zone-settings
offset 0
standard-time-zone-name UTC
exit
summertime-option disabled
ntp-option disabled
exit
service web-server
port 443
exit
service analysis-engine
virtual-sensor vs0
physical-interface GigabitEthernet0/1
exit
exit

[0] Go to the command prompt without saving this config.
[1] Return back to the setup without saving this config.
[2] Save this configuration and exit setup.

Enter your selection[2]: 2
Configuration Saved.
In Example 12-7, the administrator configures the AIP-SSM hostname, IP address, and subnet mask of the management interface, in addition to the default gateway. The administrator allows management access only from machines in the 10.200.30.0/24 management network. Also, the GigabitEthernet0/1 interface is enabled for traffic inspection. Finally, the administrator saves the configuration and exits the interactive setup session.
Configuring Active-Standby Failover on the Cisco ASA
Maintaining appropriate redundancy mechanisms within infrastructure devices is extremely important for any organization. The Cisco ASA supports active-active and active-standby failover.
NOTE When the active unit fails, it changes to the standby state while the standby unit changes to the active state. The unit that becomes active takes ownership of the IP addresses and MAC addresses of the failed unit. The unit that is now in standby state takes over the standby IP addresses and MAC addresses. Because network devices see no change in the MAC-to-IP address pairing, no ARP entries change or time out anywhere on the network.
When a pair of Cisco ASAs is configured in active-active failover mode, both appliances are actively passing traffic at the same time. In contrast, when configured in active-standby mode, the primary appliance is the active one and the secondary appliance is in standby and does not pass traffic. After the primary fails, the secondary takes over and begins to pass traffic.
The network security team of Company-B evaluates both options. They decide to implement active-standby failover because, for active-active to work, the appliances must be configured in multicontext mode. Active-active requires a minimum of two security contexts on each appliance. Company-B has a site-to-site VPN tunnel to a business partner (Partner-A). The Cisco ASA does not support VPN when configured in multicontext mode.
The following are the steps taken to configure active-standby failover on the Cisco ASAs.
Step 1 Log in to the Cisco ASA using ASDM.
Step 2 On the main toolbar, click Wizards and choose High Availability and Scalability Wizard, as illustrated in Figure 12-52.
Figure 12-52 Launching the High Availability and Scalability Wizard
Step 3 The screen shown in Figure 12-53 is displayed. Click Configure Active/Standby failover.
Step 4 Click Next.
Step 5 Enter the IP address of the secondary appliance, as shown in Figure 12-54. The IP address of the secondary appliance management interface is 10.200.30.2 in this case. ASDM completes several compatibility and connectivity checks on the secondary appliance. These steps are listed within the ASDM screen shown in Figure 12-54. If successful, ASDM allows you to proceed to the next step. However, if issues exist, ASDM marks each check that failed. You must fix any errors before proceeding further.
Step 6 Click Next.
Step 7 The screen shown in Figure 12-55 is displayed. This screen allows you to configure a dedicated interface for failover communication between the two appliances. Choose an available interface from the drop-down menu. In this case, the interface selected is GigabitEthernet0/3.
Step 8 Enter a name for the failover interface. In this example, the interface is called failover for simplicity. This is an arbitrary name.
Figure 12-54 Failover Peer Connectivity and Compatibility Check
Step 9 Assign an IP address for this interface, in addition to a standby IP address, as shown in Figure 12-55. In this example, the active IP address is 10.200.40.1, and the secondary is 10.200.40.2.
Step 10 Configure a subnet mask for this interface. A 30-bit (255.255.255.252) subnet mask is configured in this example.
Step 11 You can optionally encrypt the failover communication data exchanged by both appliances. To enable encryption, select the Use 32 hexadecimal character key option under Communication Encryption.
Step 12 Enter a 32 hexadecimal character key.
Step 13 Click Next.
Step 14 You can configure stateful failover to maintain connection status, translation, and other information on the standby appliance to avoid interruption of services when a failover occurs. You can configure a dedicated interface or use the previously configured failover interface for this communication. On busy networks where numerous connections are built and torn down at a fast pace, a dedicated interface is suggested. In this case, all other interfaces on the Cisco ASAs are used for other purposes, and the stateful failover traffic of Company-B does not present an oversubscription risk based on tests that the administrator performed in the lab prior to deployment. The administrator configures the failover LAN link interface as the stateful failover link, as shown in Figure 12-56.
Figure 12-56 Configuring the Stateful Failover Link
Step 15 You must configure a standby IP address for each interface that is enabled on the Cisco ASA. The standby appliance uses these IP addresses. The screen shown in Figure 12-57 allows you to configure the standby IP address for each interface.
Figure 12-57 Configuring the Standby IP Addresses
Step 16 Click Next.
Step 17 A summary screen showing the configuration items to be sent to the security appliance is displayed. Click Finish to apply the changes.
Example 12-8 includes the CLI commands sent to the primary appliance.
Example 12-8 Failover Configuration on the Primary ASA
failover
failover lan unit primary
failover lan interface failover GigabitEthernet0/3
failover key *****
failover link failover GigabitEthernet0/3
failover interface ip failover 10.200.40.1 255.255.255.252 standby 10.200.40.2
interface GigabitEthernet0/3
 description LAN/STATE Failover Interface
monitor-interface dmz
monitor-interface inside
monitor-interface outside
monitor-interface management
Example 12-9 includes the CLI commands sent to the secondary appliance.
Example 12-9 Failover Configuration on the Secondary ASA
failover
failover lan unit secondary
failover lan interface failover GigabitEthernet0/3
failover key *****
failover interface ip failover 10.200.40.1 255.255.255.252 standby 10.200.40.2
interface GigabitEthernet0/3
 no shutdown
You will see the message shown in Example 12-10 after the secondary appliance is configured and the configuration replication is performed.
Example 12-10 Failover Configuration Replication Confirmation
companyB-ASA1#..
Detected an Active mate
Beginning configuration replication from mate.
companyB-ASA1# End configuration replication from mate.
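The wizard's peer compatibility check (Figure 12-54) is the last chance to catch a mismatch before the units try to pair. The script below is an added example, not part of the book: it parses the CLI of Examples 12-8 and 12-9 and verifies that the two units agree on everything except the unit role, that a failover key is present, and that the active and standby addresses are usable hosts in the same /30. The masked ***** key is copied from the page; the parser and checks are my own.

```python
"""Consistency check for an ASA active/standby failover pair.

Added example (not from the book): parses the failover commands of
Examples 12-8 and 12-9 and flags anything the two units must agree on.
The failover key is masked as ***** exactly as the page shows it.
"""
import ipaddress
import re

PRIMARY_CFG = """\
failover
failover lan unit primary
failover lan interface failover GigabitEthernet0/3
failover key *****
failover link failover GigabitEthernet0/3
failover interface ip failover 10.200.40.1 255.255.255.252 standby 10.200.40.2
"""

SECONDARY_CFG = """\
failover
failover lan unit secondary
failover lan interface failover GigabitEthernet0/3
failover key *****
failover interface ip failover 10.200.40.1 255.255.255.252 standby 10.200.40.2
"""

IFACE_IP_RE = re.compile(
    r"^failover interface ip (\S+) (\S+) (\S+) standby (\S+)$", re.MULTILINE)


def parse_failover(config: str) -> dict:
    """Extract the fields that must match (or deliberately differ) between peers."""
    info = {"enabled": False, "unit": None, "lan_if": None,
            "key": None, "link_if": None, "ip": None}
    for line in config.splitlines():
        line = line.strip()
        words = line.split()
        if line == "failover":
            info["enabled"] = True
        elif line.startswith("failover lan unit "):
            info["unit"] = words[-1]
        elif line.startswith("failover lan interface "):
            info["lan_if"] = tuple(words[3:5])      # (nameif, physical port)
        elif line.startswith("failover key "):
            info["key"] = words[2]
        elif line.startswith("failover link "):
            info["link_if"] = tuple(words[2:4])
    match = IFACE_IP_RE.search(config)
    if match:
        info["ip"] = match.groups()                  # (nameif, active, mask, standby)
    return info


def check_failover_pair(primary_cfg: str, secondary_cfg: str) -> list:
    """Return a list of problems; an empty list means the pair is consistent."""
    p, s = parse_failover(primary_cfg), parse_failover(secondary_cfg)
    problems = []
    if not (p["enabled"] and s["enabled"]):
        problems.append("failover is not enabled on both units")
    if {p["unit"], s["unit"]} != {"primary", "secondary"}:
        problems.append(f"unit roles must be primary/secondary, got {p['unit']}/{s['unit']}")
    # The LAN link, key and addressing are replicated verbatim; they must be identical.
    for field in ("lan_if", "key", "ip"):
        if p[field] != s[field]:
            problems.append(f"{field} differs between units: {p[field]} vs {s[field]}")
    if p["key"] is None:
        problems.append("no failover key: hello and replication traffic would be unauthenticated")
    if p["ip"]:
        name, active, mask, standby = p["ip"]
        net = ipaddress.ip_network(f"{active}/{mask}", strict=False)
        a, b = ipaddress.ip_address(active), ipaddress.ip_address(standby)
        hosts = set(net.hosts())
        if a == b:
            problems.append("active and standby addresses are identical")
        if a not in hosts or b not in hosts:
            problems.append(f"active/standby must be usable hosts of {net}; got {a} and {b}")
        if p["lan_if"] and name != p["lan_if"][0]:
            problems.append(f"failover interface ip names '{name}', "
                            f"but the LAN link nameif is '{p['lan_if'][0]}'")
    return problems


if __name__ == "__main__":
    print(check_failover_pair(PRIMARY_CFG, SECONDARY_CFG) or "failover pair is consistent")
```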
Configuring AAA on the Infrastructure Devices
The network administrator configures authentication, authorization, and accounting (AAA) for administrative access to all routers within the network. The network administrator uses command authorization to enforce which commands users can invoke and execute in the routers. Example 12-11 shows a AAA configuration template used for all routers within the organization:
Example 12-11 AAA Configuration on Routers
aaa new-model
aaa authentication login default group tacacs+ local
tacacs-server host 172.18.85.181
tacacs-server key 1qaz2wsx
The aaa new-model command enables the AAA security services. The aaa authentication command defines the default method list. Incoming logins on all interfaces (by default) use TACACS+ for authentication. If no TACACS+ server responds, the network access server uses the information contained in the local username database for authentication. The tacacs-server host command identifies the TACACS+ server as having an IP address of 172.18.85.181. The tacacs-server key command defines the shared encryption key to be 1qaz2wsx.
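The fallback rule above has a subtlety worth making precise: the local database is consulted only when no TACACS+ server answers, not when the server answers with a rejection. The model below is an added example, not from the book; it evaluates the Example 12-11 method list with constructed accounts and shows that an emergency local account only works while TACACS+ is unreachable.

```python
"""How an IOS login method list is evaluated.

Added example (not from the book). It models the semantics behind
    aaa authentication login default group tacacs+ local
from Example 12-11: the next method is consulted only when the current one
returns ERROR (no TACACS+ server answered). An explicit REJECT from TACACS+ is
final, so the local database is not a second chance for a bad password.
Account names and passwords below are constructed sample data.
"""
from enum import Enum


class Result(Enum):
    ACCEPT = "accept"
    REJECT = "reject"    # a server answered and said no
    ERROR = "error"      # no answer at all (server down, bad key, timeout)


def make_tacacs_server(accounts, up=True):
    """Return a callable standing in for one TACACS+ server."""
    def query(user, password):
        if not up:
            return Result.ERROR
        return Result.ACCEPT if accounts.get(user) == password else Result.REJECT
    return query


def tacacs_group(servers, user, password):
    """'group tacacs+': servers are tried in order; the first that answers decides."""
    for server in servers:
        answer = server(user, password)
        if answer is not Result.ERROR:
            return answer
    return Result.ERROR


def local_database(accounts, user, password):
    """'local': the username table always gives a definite answer, never ERROR."""
    return Result.ACCEPT if accounts.get(user) == password else Result.REJECT


def evaluate_method_list(methods, user, password):
    """Walk the list; ACCEPT/REJECT stop it, ERROR falls through to the next method.
    If every method errors, the login is not permitted (returned as ERROR)."""
    for method in methods:
        answer = method(user, password)
        if answer is not Result.ERROR:
            return answer
    return Result.ERROR


TACACS_ACCOUNTS = {"alice": "S3cret!"}        # constructed: user known to Cisco Secure ACS
LOCAL_ACCOUNTS = {"admin": "local-only"}      # constructed: emergency local account


def login(user, password, tacacs_up=True):
    """Evaluate 'group tacacs+ local' for one login attempt."""
    servers = [make_tacacs_server(TACACS_ACCOUNTS, up=tacacs_up)]
    methods = [
        lambda u, p: tacacs_group(servers, u, p),
        lambda u, p: local_database(LOCAL_ACCOUNTS, u, p),
    ]
    return evaluate_method_list(methods, user, password)


if __name__ == "__main__":
    print(login("alice", "S3cret!"))                      # ACCEPT via TACACS+
    print(login("admin", "local-only"))                   # REJECT: TACACS+ answered, no fallback
    print(login("admin", "local-only", tacacs_up=False))  # ACCEPT via local fallback
```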
The administrator also configures AAA on the Cisco ASAs for Telnet, Secure Shell (SSH), HTTPS, and serial console access. The commands used are shown in Example 12-12.
In this example, authentication is performed using an external TACACS+ server (that is, Cisco Secure ACS).
Example 12-12 Cisco ASA AAA Configuration
!The following commands define a TACACS+ server and limit the number of failed attempts to 4. The server group name is svrgrp
!
aaa-server svrgrp protocol tacacs+
 max-failed-attempts 4
!
!The TACACS+ server (172.18.85.101) and a shared secret (1qaz2wsx) are defined. The timeout is set to 5 seconds.
aaa-server svrgrp host 172.18.85.101 1qaz2wsx timeout 5
!
!Telnet authentication
aaa authentication telnet console svrgrp
!
!Serial console port authentication
aaa authentication serial console svrgrp
!
!HTTPS authentication for ASDM connections
aaa authentication secure-http-client
Cisco Secure ACS is used as the TACACS+ server. The following steps are taken to add the routers and the Cisco ASAs as authentication clients on Cisco Secure ACS:
Step 1 Log in to the Cisco Secure ACS web admin console.
Step 2 Choose Network Configuration on the left, and click Add Entry to add an entry for the Cisco ASAs or routers in either the TACACS+ or RADIUS server database.
Step 3 Choose the server database according to the routers and Cisco ASA configurations. Because TACACS+ is used in this example, choose TACACS+ (Cisco IOS) under the Authenticate Using drop-down menu.
Step 4 Configure the shared key. This key is used for authentication between the authentication client (router or Cisco ASA) and Cisco Secure ACS.
Case Study of a Large Enterprise
Company-C is a large enterprise that offers numerous information technology products and services. Over the past few years, this company has been growing at a fast pace. Recently, Company-C acquired Company-A and Company-B. The Raleigh and Atlanta offices of Company-A became branch offices, and the Chicago office of Company-B became a regional office, as illustrated in Figure 12-58. The headquarters is located in New York City.
Figure 12-58 (image not extracted; visible panel label: Call Center)
The following is a high-level explanation of the New York office topology:
• At the Internet edge, a pair of Cisco Catalyst 6500 switches is deployed with FWSMs.
• A cluster of Cisco ASAs is configured for IPsec- and SSL-based remote access VPN.
• Cisco routers are configured to terminate IPsec site-to-site VPN tunnels to the branch offices and the regional office.
• The user population includes the following:
— A call center of more than 100 customer service representatives
— The executive floor
— Sales representatives
— Engineering
— Finance
• A large data center is also located at the New York office.
With the dramatic growth, Company-C staff members initiate several corporate initiatives and projects to increase the security of the network. The following sections include information about different techniques and methodologies that Company-C staff members use.
Creating a New Computer Security Incident Response Team (CSIRT)
Company-C management starts the process to create a Computer Security Incident Response Team (CSIRT). The CSIRT will comprise staff members from different departments within the organization:
• Global information technology (IT)
• Information Security (InfoSec)
• Operation Security (OpSec)
• Business analysis team
TIP In some large organizations, the CSIRT may be a full-time staff. Deciding whether the staff members should be full-time or not depends on your organizational needs and budget. What is important is to clearly identify who needs to be involved at each level of the CSIRT planning, implementation, and operation. For instance, one of the most challenging tasks is the process of identifying the staff members who will be performing security incident response functions.
In addition, you must identify which internal and external organizations will interface with the CSIRT. Evangelize and communicate the CSIRT responsibilities accordingly with these entities.
The new CSIRT team develops and documents roles and responsibilities for all CSIRT members and their functions. Each member has a different background and qualifications. These roles and responsibilities are assigned based on the experience and strengths of each member.
Creating New Security Policies
The executive team of Company-C also delegates the tasks of creating new security policies within the organization. Because Company-C acquired Company-A and Company-B, new policies need to be defined and followed. The following are the new policies that are created:
• Physical security
• Perimeter security
• Device security
• Remote access VPN
• Patch management
• Change management
• Internet access policy
Physical Security Policy
The physical security policy is created to protect and preserve information, physical assets, and human assets by reducing the exposure to various physical threats. A new employee badge system is deployed to deny unauthorized access and to track authorized entry. Card access and monitoring devices will be used to ensure that sensitive information is not compromised and that access to controlled office work areas is monitored. The building facility manager will ensure that appropriate monitoring devices allow monitoring of primary accesses and that each individual is screened for access. In addition, a video surveillance system must be implemented and appropriately managed. This video system should function with the existing Ethernet switched environment, and it should reduce the complexity while lowering the cost of deploying video surveillance. It also provides video surveillance system owners with the flexibility to design solutions tailored to their unique requirements.
Perimeter Security Policy
The company already has perimeter configuration guidelines that are implemented within the organization. However, these guidelines were never documented in an organized fashion. The staff members at Company-C create a detailed perimeter security policy.
Device Security Policy
Just as with perimeter security, the company already has device configuration guidelines that are implemented within the organization. However, these guidelines were never documented in an organized fashion. The staff members at Company-C create a detailed device security policy. These devices include infrastructure devices such as routers, switches, and other equipment.
Remote Access VPN Policy
The remote access VPN policy defines the appropriate use of remote access VPN (including IPsec and SSL-based remote access VPNs). The policies include the process of how employees request remote access VPN and how administrators create, modify, and delete remote access accounts. In this case, Company-C uses generic token cards with one-time passwords (OTP) for remote access. When Company-C staff members start developing the remote access VPN policy, they are trying to clarify answers to the following questions:
• Does a remote access security policy exist?
• Is the security policy frequently reviewed and revised to reflect technology changes, outmoded approaches, or new product or service offerings affecting company/customer relationships and system interaction?
• Does the remote access policy specify guidelines for the selection and implementation mechanisms that control access among authorized users and corporate computers and networks?
• Does the remote access policy conform to all existing corporate communications guidelines?
• Does the remote access policy address the physical protection of the communications medium, devices, computers, and data storage at the remote site?
• Does the security policy require the classification of the functions, applications, and data to determine the levels of security needed to protect the asset?
• Does a policy exist to obtain access to important proprietary information at remote sites?
• Does a policy exist for reporting unauthorized activity?
• Does a policy exist that defines appropriate personal use of company equipment?
• Do remote access users have to sign a form stating they know and understand the remote access policies?
• Is there a formal, complete, and tested disaster recovery plan in place for the remote sites?
Patch Management Policy
The patch management policy establishes requirements for a secure patch management program for all Company-C networks to prevent disruption of service and unauthorized use because of vulnerabilities in unpatched systems. The patch management program shall be used to create a consistently configured environment that ensures security against known vulnerabilities in operating systems and application software. A key component of patch management is the intake and selection of information regarding both security issues and patch release. The patch cycle shall be used to facilitate the application of standard patch releases and updates. This cycle can be time or event based. For example, the schedule can mandate that system updates occur quarterly, or a cycle may be driven by the release of service packs or maintenance releases. Testing of software patches is crucial. Company-C creates a patch test process within this policy. After a patch has been determined valid, it shall be placed in a test environment that closely mirrors the production environment. Critical applications and supported operating platforms must be fully accounted for while testing the patch infrastructure.
Change Management Policy
Change management practices are applied to the patch management process and any other configuration or system changes within the whole infrastructure. After a configuration or a system has been identified for change, a request-for-change must be submitted, and the configuration should be modified according to the procedures that the change management process has established.
Internet Usage Policy
The Internet usage policy allows for reasonable use of the Internet by outlining the permitted and prohibited behaviors and defining violations. This policy should apply to all Internet users who access the Internet through the computing or networking resources. This includes permanent, full-time, and part-time employees; contract workers; temporary agency workers; business partners; and vendors. The Internet users of your organization are expected to be familiar with and to comply with this policy, which should also require the use of common sense and good judgment while using Internet services.
Deploying IPsec Remote Access VPN
Company-C deploys a cluster of Cisco ASAs to provide IPsec remote access VPN services. Figure 12-59 illustrates the topology listing the Cisco ASAs and their corresponding IP addresses.
Figure 12-59 Remote Access VPN Cisco ASAs
(Figure 12-59 image not extracted. Labels: Remote Access VPN ASA Cluster, Virtual IP 209.165.202.131; ASA-1 with Management IP 10.250.30.1, Outside 209.165.202.129, Inside 10.250.10.1; ASA-2 with Management IP 10.250.30.2, Outside 209.165.202.130, Inside 10.250.10.2; both connect to the Corporate network.)
The following are the IP addresses of each interface on the first Cisco ASA (ASA-1):
• Management interface: 10.250.30.1
• Inside interface: 10.250.10.1
• Outside interface: 209.165.202.129
The following are the IP addresses of each interface on the second Cisco ASA (ASA-2):
• Management interface: 10.250.30.2
• Inside interface: 10.250.10.2
• Outside interface: 209.165.202.130
The following sections demonstrate how the Cisco ASAs are configured for IPsec and SSL remote access VPN.
Configuring IPsec Remote Access VPN
The administrator completes the following steps to configure IPsec remote access VPN on the Cisco ASAs:
Step 1 Log in to the Cisco ASA using ASDM.
Step 2 On the main menu, choose Wizards.
Step 3 Select the IPsec VPN Wizard.
Step 4 The IPsec VPN Wizard starts. Specify the tunnel type as shown in Figure 12-60.
Figure 12-60 Configuring the Tunnel Type
Step 5 All remote access VPN clients will be connecting to the outside interface. Choose the outside interface from the VPN Tunnel Interface drop-down menu, as shown in Figure 12-60.
Step 6 Enable inbound IPsec sessions to bypass all configured ACLs, as shown in Figure 12-60.
Step 7 Click Next.
Step 8 The screen shown in Figure 12-61 is displayed. Under VPN Client Type, click Cisco VPN Client, Release 3.x or higher, or other Easy VPN Remote product.
Figure 12-61 Remote Access VPN Client Type
Step 9 Click Next.
Step 10 The screen shown in Figure 12-62 is displayed. Configure a preshared key and a VPN tunnel group, as shown in Figure 12-62. In this example, the preshared key is 1qaz2wsx, and the tunnel group is IPSEC-RA-GROUP.
Step 11 Click Next.
Step 12 The screen shown in Figure 12-63 is displayed. In this example, the Cisco ASAs are configured for external authentication to a RADIUS server. The AAA server group name is RADIUS-Server, as shown in Figure 12-63.
Figure 12-62 VPN Client Authentication Method and Tunnel Group Name
Figure 12-63 Client Authentication
Step 13 Click Next.
Step 14 The screen shown in Figure 12-64 is displayed. This screen allows you to configure an IP address pool used for remote access VPN connections. Click New to add a new pool.
Figure 12-64 IPsec Remote Access VPN IP Address Pool
Step 15 Specify a name for the IP address pool. In this example, the name of the pool is IPSec-Pool.
Step 16 Configure the starting and ending IP addresses, in addition to a subnet mask. In this example, the address range in the pool is from 10.250.50.1 to 10.250.50.254, with a 24-bit subnet mask (255.255.255.0).
Step 17 Click Next.
Step 18 The screen shown in Figure 12-65 is displayed. This screen allows you to configure the primary and secondary DNS and WINS servers, in addition to the domain name. In this example, the primary DNS server is 172.18.124.12; the secondary DNS server is 172.18.124.13; the primary WINS server is 172.18.124.14; and the secondary WINS server is 172.18.124.15. The domain name is companyc.com.
Figure 12-65 DNS and WINS Server Configuration
Step 19 Click Next.
Step 20 The screen shown in Figure 12-66 is displayed. This screen allows you to configure the IKE policy used by remote access VPN connections. In this example, the encryption algorithm used is AES-256. SHA is used for authentication, and the Diffie-Hellman (DH) group used is 5.
Step 21 Click Next.
Step 22 The screen shown in Figure 12-67 is displayed. This screen allows you to configure the IPsec encryption and authentication parameters. In this example, the encryption protocol used is AES-256, and SHA is used for IPsec Phase 2 authentication.
Figure 12-66 (image not extracted)
Figure 12-67 (image not extracted)
Step 23 Click Next.
Step 24 The screen shown in Figure 12-68 is displayed. This screen allows you to configure the Cisco ASA to bypass NAT for remote access VPN connections. In this case, the inside network is selected (10.250.10.0/24). The inside 10.250.10.0/24 network will not be translated when communicating with remote access VPN clients.
Figure 12-68 Bypassing NAT and Configuring Split Tunneling
Step 25 The screen shown in Figure 12-68 also allows you to configure split tunneling for remote access VPN connections. To enable split tunneling, select the Enable split tunneling to let remote users have simultaneous encrypted access to the resources defined earlier, and unencrypted access to the Internet option.
Step 26 Click Next.
Step 27 A summary screen appears. Click Finish to apply the changes to the Cisco ASA.
Configuring Load-Balancing
The administrator configures load-balancing on each security appliance. The following are the steps to configure load-balancing for remote access VPN.
Step 1 Log in to the Cisco ASA using ASDM.
Step 2 On the main menu, choose Wizards.
Step 3 Choose the High Availability and Scalability Wizard.
Step 4 The High Availability and Scalability Wizard starts. The screen shown in Figure 12-69 is displayed. Click Configure VPN Cluster Load Balancing, as shown in Figure 12-69.
Figure 12-69 High Availability and Scalability Wizard
Step 5 Click Next.
Step 6 The screen shown in Figure 12-70 is displayed. Enter the cluster IP address. The cluster IP address is the virtual address that VPN clients will use to connect to the cluster. In this example, the cluster IP address is 209.165.202.131.
Figure 12-70 VPN Cluster Load-Balancing Configuration
Step 7 Enter a UDP port for load-balancing communication between all Cisco ASAs within the cluster. In this example, the default UDP port (9023) is used.
Step 8 Optionally, you can encrypt all VPN load-balancing traffic. Check the Enable IPsec encryption option to enable encryption.
Step 9 Configure a preshared secret. In this example, the preshared secret is 2wsx1qaz.
Step 10 The priority is set to 5. The higher the priority, the more likely it is that this ASA will become the master of the cluster.
Step 11 The public interface is the outside interface in this example. The private interface is the inside interface, as shown in Figure 12-70.
Step 12 Click Next.
Step 13 A summary screen is displayed.
Step 14 Click Finish to apply the configuration to the Cisco ASA.
Example 12-13 shows the Cisco ASA remote access VPN and load-balancing CLI configuration.
Example 12-13 Cisco ASA Remote Access VPN and Load-Balancing Configuration
hostname asa-1
!
interface GigabitEthernet0/0
 description Outside interface connected to the Internet
 nameif outside
 security-level 0
 ip address 209.165.202.129 255.255.255.0
!
interface GigabitEthernet0/1
 description Inside interface connected to corporate network
 nameif inside
 security-level 100
 ip address 10.250.10.1 255.255.255.0
!
interface Management0/0
 nameif management
 security-level 0
 ip address 10.250.30.1 255.255.255.0
 management-only
!
!Split tunneling ACL
access-list IPSEC-RA-GROUP_splitTunnelAcl standard permit 10.250.10.0 255.255.255.0
!ACL to bypass NAT for remote access VPN connections
access-list inside_nat0_outbound extended permit ip 10.250.10.0 255.255.255.0 10.250.50.0 255.255.255.0
!
!IP address pool for remote access VPN clients
ip local pool IPSec-Pool 10.250.50.1-10.250.50.254 mask 255.255.255.0
!
!NAT configuration
nat (inside) 0 access-list inside_nat0_outbound
!
!RADIUS Configuration for remote access VPN authentication
aaa-server RADIUS-Server protocol radius
aaa-server RADIUS-Server (management) host 172.18.85.181
 timeout 5
 key cisco123
!
!Crypto map configuration
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-256-SHA
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
!
!ISAKMP enabled on the outside interface
crypto isakmp enable outside
!ISAKMP policy for Remote Access VPN
crypto isakmp policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 5
 lifetime 86400
!
!Load-balancing Configuration
vpn load-balancing
 cluster key 2wsx1qaz
 cluster ip address 209.165.202.131
 cluster encryption
 participate
!
!Remote Access Group Configuration
group-policy IPSEC-RA-GROUP internal
group-policy IPSEC-RA-GROUP attributes
 wins-server value 172.18.124.14 172.18.124.15
 dns-server value 172.18.124.12 172.18.124.13
 vpn-tunnel-protocol IPSec
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value IPSEC-RA-GROUP_splitTunnelAcl
 default-domain value companyc.com
tunnel-group IPSEC-RA-GROUP type remote-access
tunnel-group IPSEC-RA-GROUP general-attributes
 address-pool IPSec-Pool
 authentication-server-group RADIUS-Server
 default-group-policy IPSEC-RA-GROUP
tunnel-group IPSEC-RA-GROUP ipsec-attributes
 pre-shared-key *
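The wizard settings chosen in Steps 20 and 22 and the load-balancing parameters from Steps 7 through 9 are all visible in Example 12-13, which makes the configuration easy to audit against a written policy. The script below is an added example, not from the book: it parses the crypto and load-balancing lines of Example 12-13 (copied from the page, comments omitted) and reports settings that fall below thresholds I assume for the audit (DH group 14 or higher, no DES/3DES, no MD5 or SHA-1 integrity, phase 1 lifetime of at most a day, and an encrypted, keyed cluster); adjust the constants to your own policy.

```python
"""Policy audit of the IKE/IPsec and load-balancing settings in Example 12-13.

Added example (not from the book). The thresholds below are the audit's own
assumptions, chosen to match current guidance that deprecates DES/3DES, MD5,
SHA-1 and Diffie-Hellman groups below 14.
"""

EXAMPLE_12_13 = """\
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 5
 lifetime 86400
vpn load-balancing
 cluster key 2wsx1qaz
 cluster ip address 209.165.202.131
 cluster encryption
 participate
"""

MIN_DH_GROUP = 14
MAX_LIFETIME = 86400
WEAK_CIPHERS = {"des", "3des", "esp-des", "esp-3des"}
WEAK_HASHES = {"md5", "sha", "esp-md5-hmac", "esp-sha-hmac"}   # "sha" here is SHA-1


def parse_blocks(config):
    """Group the config into (top-level command, [indented sub-commands]) pairs."""
    blocks = []
    for raw in config.splitlines():
        if not raw.strip() or raw.lstrip().startswith("!"):
            continue
        if raw[0].isspace() and blocks:
            blocks[-1][1].append(raw.strip())
        else:
            blocks.append((raw.strip(), []))
    return blocks


def audit(config):
    """Return a list of human-readable findings; empty means nothing to report."""
    findings = []
    for head, body in parse_blocks(config):
        words = head.split()
        if head.startswith("crypto isakmp policy "):
            pol = words[-1]
            settings = {}
            for line in body:
                parts = line.split(maxsplit=1)
                if len(parts) == 2:
                    settings[parts[0]] = parts[1]
            if settings.get("encryption") in WEAK_CIPHERS:
                findings.append(f"isakmp policy {pol}: encryption {settings['encryption']} is weak")
            if settings.get("hash") in WEAK_HASHES:
                findings.append(f"isakmp policy {pol}: hash {settings['hash']} is SHA-1/MD5; "
                                "IKEv1 offers nothing stronger, so plan a move to IKEv2")
            if int(settings.get("group", 0)) < MIN_DH_GROUP:
                findings.append(f"isakmp policy {pol}: DH group {settings.get('group')} "
                                f"is below the minimum of group {MIN_DH_GROUP}")
            if int(settings.get("lifetime", 0)) > MAX_LIFETIME:
                findings.append(f"isakmp policy {pol}: lifetime exceeds {MAX_LIFETIME} seconds")
        elif head.startswith("crypto ipsec transform-set "):
            name, transforms = words[3], words[4:]
            for transform in transforms:
                if transform in WEAK_CIPHERS or transform in WEAK_HASHES:
                    findings.append(f"transform-set {name}: {transform} is below current guidance")
        elif head == "vpn load-balancing":
            # Cluster messages carry the PSK-derived state; they should be encrypted and keyed.
            if "cluster encryption" not in body:
                findings.append("load-balancing: cluster traffic is not encrypted")
            if not any(line.startswith("cluster key ") for line in body):
                findings.append("load-balancing: no cluster key configured")
    return findings


if __name__ == "__main__":
    for finding in audit(EXAMPLE_12_13):
        print(finding)
```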
Reacting to a Security Incident
It is 4:00 a.m. (0400) on Christmas day, and the CSIRT team hotline rings with a call from one of the database administrators. The network is congested, and no transactions are possible to the most critical application in the organization from different sections of the organization. The CSIRT collects all available information from the database administrator and completes the steps described in the following sections.
Identifying, Classifying, and Tracking the Security Incident or Attack
One of the members of the CSIRT collects NetFlow data from the data center distribution switch and correlates this data with CS-MARS. He notices that most of the traffic is HTTP (TCP port 80). This traffic is originating from known sources in the sales department (floor) in the New York office and from unknown sources. The CSIRT team works with a network administrator and discovers that the unknown sources are IP addresses belonging to the Atlanta branch office network. However, this process took almost an hour.
Reacting to the Incident
The CSIRT team works with the network administrators in the Atlanta and New York offices to configure an ACL on the router in the Atlanta office and a VACL on the access switch in the sales floor. This ACL only blocks HTTP traffic from the offending machines. The malicious traffic has been contained, but it is possible that other machines have been infected.
The CSIRT team works with the desktop support group and server administrators. After doing research and forensics on the traffic, they discover that the traffic pattern is similar to a published vulnerability on security intelligence sites such as Cisco Security Center and US-CERT. However, their network IPS and other mechanisms were not able to detect the threat because the necessary signatures were not installed.
The server administrators and desktop support representatives download a security patch from the operating system vendor. Subsequently, they install this operating system patch on the affected machines. They also push this update via their patch management system to all machines within the organization. In addition, the correct signatures are installed on the IPS systems within the organization.
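The identification step above (ranking HTTP sources from NetFlow and attributing them to a site) and the containment step (an ACL that blocks only HTTP from the offending hosts) can be reproduced in a few lines. The script below is an added example, not from the book: it works on constructed flow records and a constructed site address table, shows how a missing entry for the Atlanta address space leaves sources unattributed, and generates the IOS extended ACL lines for the hosts found. All addresses, prefixes, byte counts and the ACL number 110 are my own sample values.

```python
"""Top-talker identification from flow records and containment ACL generation.

Added example (not from the book). It reproduces the CSIRT's first steps with
constructed data: aggregate HTTP (TCP/80) bytes by source, attribute each
source to a site with a longest-prefix lookup, and show how a missing entry
for the Atlanta address space leaves sources 'unknown'.
"""
import ipaddress
from collections import defaultdict

# Constructed flow records: (src, dst, ip_proto, dst_port, bytes). Not a NetFlow export.
FLOWS = [
    ("10.10.30.15", "10.250.10.50", 6, 80, 9_400_000),
    ("10.10.30.22", "10.250.10.50", 6, 80, 8_100_000),
    ("10.20.5.9",   "10.250.10.50", 6, 80, 12_700_000),
    ("10.20.5.17",  "10.250.10.50", 6, 80, 11_300_000),
    ("10.10.40.3",  "10.250.10.50", 6, 1433, 400_000),    # ordinary database traffic
    ("10.10.30.15", "172.18.124.12", 17, 53, 3_000),      # DNS, not in scope
]

# Site address plan as the CSIRT had it at 04:00 (constructed): Atlanta is missing.
SITES_BEFORE = {
    "10.10.30.0/24": "New York - sales floor",
    "10.250.10.0/24": "New York - data center",
}
# The same plan after the network administrator supplied the Atlanta prefix.
SITES_AFTER = dict(SITES_BEFORE, **{"10.20.0.0/16": "Atlanta branch"})


def site_of(ip, sites):
    """Longest-prefix match of ip against the site table; 'unknown' if none matches."""
    addr = ipaddress.ip_address(ip)
    best = None
    for prefix, name in sites.items():
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0]):
            best = (net.prefixlen, name)
    return best[1] if best else "unknown"


def top_talkers(flows, sites, proto=6, dport=80, limit=5):
    """Rank sources by bytes sent to proto/dport and label each with its site."""
    totals = defaultdict(int)
    for src, _dst, ip_proto, port, nbytes in flows:
        if ip_proto == proto and port == dport:
            totals[src] += nbytes
    ranked = sorted(totals.items(), key=lambda kv: kv[1], reverse=True)[:limit]
    return [(src, nbytes, site_of(src, sites)) for src, nbytes in ranked]


def unknown_sources(report):
    """Sources the site table could not place; these cost the CSIRT an hour in the text."""
    return [src for src, _bytes, site in report if site == "unknown"]


def containment_acl(sources, acl_number=110):
    """IOS extended ACL that drops only HTTP from the listed hosts, as the CSIRT did."""
    lines = [f"access-list {acl_number} deny tcp host {src} any eq www" for src in sources]
    lines.append(f"access-list {acl_number} permit ip any any")
    return lines


if __name__ == "__main__":
    before = top_talkers(FLOWS, SITES_BEFORE)
    for src, nbytes, site in before:
        print(f"{src:<14} {nbytes:>12,} {site}")
    print("unattributed:", unknown_sources(before))
    print("\n".join(containment_acl([src for src, _, _ in before])))
```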
Postmortem
The CSIRT creates a postmortem including the following information:
• Total amount of labor spent working on the incident
• Elapsed time from the beginning of the incident to its resolution
• Elapsed time for each stage of the incident-handling process
• Time it took the incident response team to respond to the initial report of the incident
• Estimated monetary damage from the incident
• Lessons learned
• Action plan
The lessons learned section in the postmortem is documented, including all items that will improve the incident response process and the proactive preparation of resources and processes to better defend against new threats. In this example, the following are areas that should be improved and are taken into an action plan:
• The incident identification process was successful because the correct tools and mechanisms were in place. However, the identification of the Atlanta office IP address space was not obvious, and the process was delayed for more than an hour. Better documentation and diagrams should be prepared to avoid this in the future. The CSIRT team, in addition to network administrators, should have this information accessible when responding to an attack.
• IPS signatures were not upgraded because of a bad tuning and update process. A new process is developed to address this caveat.
• ACLs were deployed manually to contain and mitigate the attack. The network engineering teams will evaluate and create other tools and technologies, such as remotely triggered black holes (RTBH) or more appropriate mechanisms, to quarantine infected sources in a more effective fashion.
Each item on this action plan is assigned an owner and a due date.
Summary
This chapter covered three case studies: a small business, a medium-sized enterprise, and a large enterprise. It demonstrated some of the most common applications and procedures discussed within this book. However, each of the previous chapters presented detailed instructions on how to proactively and reactively defend against security threats.
Various configuration examples were included in this chapter. The examples included infrastructure protection mechanisms and practices, basic firewall configuration, site-to-site and remote access VPNs, and a basic example of a CSIRT responding to a security incident. Security threats such as distributed denial of service (DDoS) attacks, worms, and others can result in significant loss of time and money for many organizations. It is highly recommended that you consider the extent to which the organization could afford a significant service outage and take steps commensurate with the risk.
The network security lifecycle requires specialized support and a commitment to best practice standards. In this book, you learned best practices drawn from disciplined processes, frameworks, expert advice, and proven technologies that will help you protect your infrastructure and organization. You learned the complete security lifecycle of a network, from strategy development to operations and optimization. You must take a proactive approach to security, an approach that starts with an assessment to identify and categorize your risks. In addition, you need to understand the network security technical details relating to security policy and incident response procedures. This book covered numerous best practices that will help you orchestrate a long-term strategy for your organization.