Firewall Policies and VPN Configurations (2006), part 10



Mapping Results

There are countless other freeware and commercial utility applications available that can help you map your networks. At this stage, we have introduced several tools and techniques that allow you to gather intelligence and build a picture of how your network operates. The security professionals at Hot Cash Corporation have gathered a full cable database and significant intelligence about the constitution of the network, using the tools and techniques just described. Drawing on this information, the next section describes the techniques that can be used to improve security.

Improving Accountability with Identity Management

Management at Hot Cash Corporation has voiced concern about the company's ability to comply with both internal and external security standards and requirements. Keeping those concerns in mind, let's examine the current firewall configuration (see Figure 9.10).

Figure 9.10 Original Hot Cash Corporation Firewall Configuration

430 Chapter 9 • Medium Business (<2000 People) 398_FW_Policy_09.qxd 8/25/06 4:52 PM Page 430

! PIX Version 6.3(5)
! set speed and duplex on interfaces
interface ethernet0 auto
interface ethernet1 auto
interface ethernet2 auto
! assign names and security levels to the interfaces
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz security50
! (the figure as printed names ethernet2 "outside" as well, which the PIX rejects;
!  the ip address and access-group commands below all refer to this interface as "dmz")
! assign access passwords
enable password ********** encrypted
passwd ********** encrypted
! set the system name
hostname hcc-PIX
domain-name hotcash.com
! default protocol 'fixup's (helps NAT compatibility etc.)
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
! define names of objects used in access-lists
names
name 10.10.15.20 administratorPC
name 172.16.100.101 mailserver-dmz
name 172.16.100.100 webserver-dmz
name 87.65.43.100 webserver-public
name 87.65.43.101 mailserver-public
name 10.10.1.100 mailserver-inside
name 10.10.2.100 database1-inside
name 10.10.2.101 database2-inside
name 10.10.1.1 HQ-DC-01
name 9.8.7.0 ISP-dns
name 1.2.3.0 www.ft.com
name 2.3.4.0 www.antiviruscorp.com
name 3.4.5.0 www.financialtimes.com
name 4.5.6.0 www.hcc-remotepartner.com
! define groups of objects to be used in access-lists
object-group network database-servers
  description Database servers
  network-object host database1-inside
  network-object host database2-inside
object-group network approved-sites
  description Approved Internet websites
  network-object www.ft.com 255.255.255.0
  network-object www.antiviruscorp.com 255.255.255.0
  network-object www.financialtimes.com 255.255.255.0
  network-object www.hcc-remotepartner.com 255.255.255.0
! define rules for traffic coming from the Internet (see remarks)
access-list FromInternet permit tcp any host webserver-public eq https
access-list FromInternet remark - allow only SSL access to our web server from the Internet
access-list FromInternet permit tcp any host mailserver-public eq smtp
access-list FromInternet remark - allow public to send us mail
access-list FromInternet permit icmp any interface outside echo-reply
access-list FromInternet permit icmp any interface outside unreachable
access-list FromInternet permit icmp any interface outside redirect
access-list FromInternet permit icmp any interface outside time-exceeded
access-list FromInternet permit icmp any interface outside information-reply
access-list FromInternet permit icmp any interface outside timestamp-reply
access-list FromInternet remark - allow replies to traceroute and ping
access-list FromInternet remark - implied deny all at end of list
! define rules for traffic originating in the DMZ (see remarks)
access-list FromDMZ permit udp host webserver-dmz ISP-dns 255.255.255.0 eq domain
access-list FromDMZ permit udp host mailserver-dmz ISP-dns 255.255.255.0 eq domain
access-list FromDMZ permit tcp host webserver-dmz ISP-dns 255.255.255.0 eq domain
access-list FromDMZ permit tcp host mailserver-dmz ISP-dns 255.255.255.0 eq domain
access-list FromDMZ remark allow DMZ based servers to query ISP DNS servers
access-list FromDMZ permit tcp host mailserver-dmz any eq smtp
access-list FromDMZ remark allow our mail server to send mail to the Internet
access-list FromDMZ permit tcp host webserver-dmz object-group database-servers eq sqlnet
access-list FromDMZ remark allow our web server to query the internal databases
access-list FromDMZ permit tcp host webserver-dmz any eq 143
access-list FromDMZ remark allow our web server to access internal mail with IMAP
access-list FromDMZ remark this is for external access to email without using O.W.A.
access-list FromDMZ permit icmp any any
access-list FromDMZ remark - permit ping and ping replies
access-list FromDMZ remark - implied deny all at end of list
! define rules for traffic originating on the internal LAN (see remarks)
access-list FromInside permit ip host administratorPC any
access-list FromInside remark allow admin PC unrestricted access to DMZ & Internet
access-list FromInside permit tcp host HQ-DC-01 ISP-dns 255.255.255.0 eq domain
access-list FromInside permit udp host HQ-DC-01 ISP-dns 255.255.255.0 eq domain
access-list FromInside remark allow internal DNS servers to query ISP DNS servers
access-list FromInside permit tcp any object-group approved-sites eq www
access-list FromInside permit tcp any object-group approved-sites eq https
access-list FromInside remark allow internal hosts access to 'approved' sites
access-list FromInside permit icmp any any
access-list FromInside remark - permit ping and ping replies
access-list FromInside remark - implied deny all at end of list
! set interface IP addresses
ip address outside 87.65.43.21 255.255.255.0
ip address inside 172.16.1.254 255.255.255.0
ip address dmz 172.16.100.254 255.255.255.0
! default intrusion detection/prevention settings
ip audit info action alarm
ip audit attack action alarm
! default failover (none - ignore this)
no failover
failover timeout 0:00:00
failover poll 15
no failover ip address outside
no failover ip address inside
no failover ip address dmz
! default arp timeout
arp timeout 14400
! activate access-list rules on respective interfaces
access-group FromInside in interface inside
access-group FromDMZ in interface dmz
access-group FromInternet in interface outside
! (the figure as printed reads "access-group FromOutside in interface Outside";
!  no access-list named FromOutside exists and interface names are case-sensitive)
! set a default gateway to the Internet
route outside 0.0.0.0 0.0.0.0 87.65.43.20 1
! set a static route for WAN traffic
route inside 10.0.0.0 255.0.0.0 172.16.1.254 1
! NOTE: 172.16.1.254 is the PIX's own inside address (see "ip address inside" above);
!  the next hop for the 10.0.0.0/8 WAN route must be the internal router on 172.16.1.0/24
! default session table and address translation table timeouts
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
! default user authorization timeout (every 5 minutes)
timeout uauth 0:05:00 absolute
! default AAA settings (no AAA defined)
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
! set snmp details
snmp-server location cabinet G24-3, HCC-HQ, Seattle
no snmp-server contact
snmp-server community hcc-RO-$tring
snmp-server host inside 10.10.2.50 trap
snmp-server host inside 10.10.2.51 poll
snmp-server enable traps
! default floodguard (on)
floodguard enable
! allow ssh based administration ONLY from the administratorPC
ssh administratorPC 255.255.255.255 inside
! define an idle timeout for ssh access (3 minutes)
! this low timeout will help ensure that the
! administrator does not accidentally stay logged in
ssh timeout 3
! define an idle timeout for the console (3 minutes)
console timeout 3

Note that although the firewall rules are relatively well-defined, a number of options are still at their default settings (e.g., the default connection table timeout settings on the Private Internet Exchange [PIX] are geared towards application compatibility rather than security).
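As printed, Figure 9.10 names both ethernet0 and ethernet2 "outside" and binds an access-list called FromOutside, which is never defined, to an interface written "Outside"; it also leaves the xlate and conn timeouts at the PIX defaults and carries several permit rules whose destination is "any". All of these are mechanical enough to catch before a configuration is pushed. The following Python linter is an added example, not code from the book or from Cisco: the checks and their wording are this editor's own, and it runs over a constructed excerpt that reproduces the as-printed lines of the figure.

```python
"""Static checks for a PIX 6.3 configuration: dangling ACL and interface
references, duplicate interface names, timeouts left at the PIX defaults, and
permit rules whose destination is 'any'. Added example, not code from the book."""
import re

# Constructed excerpt reproducing as-printed lines of Figure 9.10, including its
# two typos: ethernet2 is also named "outside", and the last access-group binds
# an undefined ACL to an interface name in the wrong case.
SAMPLE_CONFIG = """\
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 outside security50
access-list FromInternet permit tcp any host webserver-public eq https
access-list FromInternet remark - allow only SSL access to our web server from the Internet
access-list FromDMZ permit tcp host webserver-dmz object-group database-servers eq sqlnet
access-list FromDMZ permit tcp host webserver-dmz any eq 143
access-list FromDMZ permit icmp any any
access-list FromInside permit ip host administratorPC any
access-list FromInside permit tcp any object-group approved-sites eq www
access-list FromInside permit icmp any any
access-group FromInside in interface inside
access-group FromDMZ in interface dmz
access-group FromOutside in interface Outside
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
"""

PIX_DEFAULT_TIMEOUTS = {"xlate": "3:00:00", "conn": "1:00:00"}  # PIX 6.3 defaults


def _take_addr(words, i):
    """Consume one address specifier starting at words[i]; return (text, next index)."""
    if words[i] == "any":
        return "any", i + 1
    if words[i] in ("host", "object-group", "interface"):
        return f"{words[i]} {words[i + 1]}", i + 2
    return f"{words[i]}/{words[i + 1]}", i + 2        # name-or-IP followed by a mask


def parse_rule(line):
    """Split 'access-list NAME permit PROTO SRC DST [eq PORT]' into its parts."""
    w = line.split()
    src, i = _take_addr(w, 4)
    dst, i = _take_addr(w, i)
    port = w[i + 1] if i + 1 < len(w) and w[i] == "eq" else None
    return {"acl": w[1], "action": w[2], "proto": w[3], "src": src, "dst": dst, "port": port}


def lint_pix(config):
    """Return one finding string per problem, in the order the problems are detected."""
    findings, interfaces, acls = [], {}, set()
    for line in config.splitlines():
        w = line.split()
        if not w:
            continue
        if w[0] == "nameif":
            port, name = w[1], w[2]
            if name in interfaces:
                findings.append(f"nameif: {name!r} used for both {interfaces[name]} and {port}")
            interfaces.setdefault(name, port)
        elif w[0] == "access-list":
            if w[2] == "remark":
                continue
            acls.add(w[1])
            r = parse_rule(line)
            if r["action"] != "permit":
                continue
            if r["src"] == "any" and r["dst"] == "any":
                findings.append(f"{r['acl']}: {r['proto']} any -> any permits all {r['proto']} traffic")
            elif r["dst"] == "any" and r["proto"] == "ip":
                findings.append(f"{r['acl']}: {r['src']} has unrestricted ip access to any destination")
            elif r["dst"] == "any" and r["port"]:
                findings.append(f"{r['acl']}: {r['src']} may reach any host on {r['proto']}/{r['port']}")
        elif w[0] == "access-group":
            acl, ifname = w[1], w[4]
            if acl not in acls:
                findings.append(f"access-group: ACL {acl!r} is never defined")
            if ifname not in interfaces:      # PIX interface names are case-sensitive
                findings.append(f"access-group: interface {ifname!r} has no nameif")
        elif w[0] == "timeout":
            for key, default in PIX_DEFAULT_TIMEOUTS.items():
                m = re.search(rf"\b{key} (\d+:\d\d:\d\d)", line)
                if m and m.group(1) == default:
                    findings.append(f"timeout {key} is still the PIX default ({default})")
    return findings


if __name__ == "__main__":
    for finding in lint_pix(SAMPLE_CONFIG):
        print(finding)
```

Run as a script it prints ten findings for the excerpt; point lint_pix() at a `show running-config` capture to check a live box. Note that the duplicated "outside" name has a second consequence the linter also reports: no interface is ever named "dmz", so the FromDMZ access-group has nothing to bind to. The destination-"any" checks are deliberately coarse; they flag the admin PC's `permit ip ... any`, both `permit icmp any any` rules, and the DMZ web server's IMAP rule, which should be narrowed to `host mailserver-inside`.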
Most implementations will benefit from lowering the timeouts associated with connections (timeout conn) and network address translations (timeout xlate). There may be other improvements in the following areas:

■ Authentication, Authorization, Accounting (AAA)
■ Time synchronization
■ Content filtering
■ Timeout settings
■ Failover (high availability)
■ Intrusion detection

AAA Using Cisco ACS

A number of criticisms can be made of the current firewall configuration, the most notable being the lack of AAA. Specifically, there is no way of knowing which users accessed any of the approved sites, or when they accessed them. The intelligence-gathering exercise revealed that call center users require access to an application that is hosted outside your organization. Management at Hot Cash Corporation wants to limit and track the users that access this application.

After a visit to the Cisco documentation site (www.cisco.com/univercd) and a few quick configuration tests, you discover that your firewall appliance is not optimally equipped to handle this task on its own. You determine that a dedicated AAA server is desirable, so you allocate some time and budget towards a pilot project. You consider using either the Lightweight Directory Access Protocol (LDAP) or the Remote Authentication Dial-In User Service (RADIUS) protocol directly against Active Directory. RADIUS is compatible with the Cisco PIX firewall, but the management interface for Internet Authentication Service (IAS), the RADIUS component of Windows Server, does not provide all of the options required. Instead, you opt to evaluate Cisco Access Control Server (ACS) software, which supports both the RADIUS and Terminal Access Controller Access Control System Plus (TACACS+) protocols. It allows you to define both user groups and Network Device Groups (NDGs).
It is possible, and in this case desirable, to allow specific groups of users to authenticate to specific resources such as the firewall. Even though you can still use Active Directory as a downstream authentication database, ACS's ability to map user group policies to device groups allows you to control users' traffic more efficiently, by enforcing per-user access restrictions at devices such as the PIX. This is not the same as restricting the source of a user's login attempt; instead, destination restrictions are enforced. In addition, authenticated administrative users of devices such as the firewall, switches, or routers can use ACS to authorize specific commands and configuration options.

Start by installing the Cisco ACS software with its default options on a server that meets the minimum hardware and OS requirements. A 90-day fully functional trial of Cisco ACS software is available from www.cisco.com.

Network Access Restrictions

Cisco ACS uses the Network Access Restrictions (NAR) feature to control who can log on at a particular access point, such as the firewall. NAR is an optional configuration component; therefore, ACS may require you to enable the display of NAR settings in the ACS Web interface before you can access the appropriate settings. To enable NAR, log in to the Web user interface, which can be accessed directly from the server at http://localhost:2002/. Once connected to the ACS user interface, select the Interface button located to the left of the screen, and select the Advanced Options link. Now you can enable either "User-Level Network Access Restrictions" or "Group-Level Network Access Restrictions." Group-level NAR is preferable, because it is easier to manage as user numbers increase. Finally, click Submit to apply any changes (see Figure 9.11).
When NAR is enabled at either the user or group level, you will see NAR settings listed on the configuration screens for user or group properties, respectively.

Figure 9.11 Configuring Group-level NAR with Cisco ACS

NAR rules are defined under two similar headings in the ACS interface: Define IP-based access restrictions and Define CLI/DNIS-based access restrictions. You will use the IP-based option for the PIX. Caller-ID (CLI) and Dialed Number Identification Service (DNIS) are both used in dial-up situations, to identify the telephone number the user is calling from and the telephone number they have dialed. For IP-based restrictions, the "Address" option refers to the user's source IP address. If you want to allow users in this group to authenticate to the firewall from all IP addresses, enter an asterisk (*) in both the address field and the port field.

This NAR configuration is a type of ACL, and as such it applies a single "permit" or "deny" action to all entries on the list: you pick either permit or deny for the entire list. This limitation is likely to affect the way you define the group's NAR list.

External Authentication Databases

Now you can start challenging users for their login credentials when they want to access external content. When configuring users or groups in ACS, they can be set to authenticate using a variety of methods. At its most basic, ACS offers a per-user password mechanism, where usernames and passwords are stored together in the ACS database.
If you have invested considerable effort setting up users in another authentication database (e.g., Active Directory) or on a token server (e.g., RSA SecurID or SafeWord from Secure Computing), you can allow ACS usernames to reference those databases. This lets users log in with the same credentials they use on other systems, while ACS transparently adds authorization attributes specific to where those users want to log in. You want users to authenticate using their Active Directory username and password, and you want ACS to decide the type of access they are allowed.

Before a user or group can reference an external authentication database, you have to inform ACS of those external databases (see Figure 9.12). From the ACS Web interface, click External User Databases.

Figure 9.12 External User Databases Options

Clicking on Database Configuration allows you to select the type of external database you want to make available to ACS. Multiple external databases may be included in ACS. Supported external sources include:

■ Network Admission Control (NAC)
■ Windows Database
■ Novell Directory Services (NDS)
■ Generic LDAP
■ External Open Database Connectivity (ODBC) Database
■ LEAP Proxy
■ RADIUS Server
■ RADIUS Token Server
■ RSA SecurID Token Server

The "Windows Database" option usually works best for Active Directory, and is used for Hot Cash Corporation. In cases where the Windows environment is hardened, the "Generic LDAP" or "RADIUS Server" options may be suitable alternatives. After selecting Windows Database, click Configure and add the Active Directory domains you want to query to the Domain List in the Configure Domain List section. Click Submit to apply any changes. Once you have an external database set up in ACS, you can direct the user's authentication to look in Active Directory.
Configure this referral under the user's properties as follows:

1. From the ACS Web interface, click User Setup.
2. Enter the username and click Add/Edit.
3. Change the Password Authentication drop-down box to the required external database (configured in the previous step), and click Submit.

Now, when this user logs in, their password will be compared against Active Directory, but their authorization and other settings will be determined by ACS.

If you have a lot of users and don't want to input all of the usernames into ACS, use the External User Databases configuration button to set up an "Unknown User Policy." If you opt to use this feature, your ACS server will query its internal database for the username first. If ACS cannot find the username, the Unknown User Policy refers to the list of configured external databases to try to find the username. External databases are queried in an order of preference set by you. If a user is not

[...]

Table 9.4 IP Subnet Allocations (fragment: cells missing from the preview are marked "-")

Subnet            Location   Intended Use
10.10.1.0/24      Seattle    Servers
10.10.2.0/24      Seattle    -
10.10.3.0/24      Seattle    -
10.10.4.0/24      Seattle    -
10.10.5.0/24      Seattle    -
10.10.6.0/24      Seattle    -
10.10.7.0/24      Seattle    -
10.10.15.0/24     Seattle    -
10.10.101.0/24    Seattle    -
10.10.102.0/24    Seattle    ... & Managers
172.16.100.0/24   Seattle    Internet DMZ
172.16.1.0/24     Seattle    Inside of firewall
87.65.43.0/24     Seattle    Outside of firewall (ISP)
172.16.2.0/24     Seattle    WAN DMZ
192.168.1.0/24    Seattle    Security Servers VLAN
172.16.101.0/24   Seattle    Web Application DMZ
10.20.1.0/24      New York   -
10.20.3.0/24      New York   -
10.20.4.0/24      New York   -
10.20.15.0/24     New York   -
10.20.101.0/24    New York   -
10.20.102.0/24    New York   -
10.30.1.0/24      Dallas     -
10.30.3.0/24      Dallas     -
10.30.4.0/24      Dallas     -
10.30.15.0/24     Dallas     -
10.30.101.0/24    Dallas     -
10.30.102.0/24    Dallas     -

[...] (configuration fragment; the preview resumes mid-comment and breaks off mid-command)

! ... authentication and other vpn client parameters
ip local pool myPool 10.1.1.1-10.1.1.254
vpngroup hotcash-IT address-pool myPool
vpngroup hotcash-IT default-domain hotcashcorp.com
vpngroup hotcash-IT idle-time 600
vpngroup hotcash-IT dns-server 10.10.1.144
vpngroup hotcash-IT password mySharedKey
crypto map Internet-VPNs client authentication myACS
! activate IPSEC policies
crypto dynamic-map VPN-clients 10 set ...

[...] define a command that is explicitly permitted or denied by authorization, type the command in the text box above the Add Command button and click Add Command. The command you added appears in the list box on the left. Click on the command that you just entered so that it is highlighted (see Figure 9.16). Now click in the right-hand box directly above the Remove Command button and enter Permit and Deny statements ...

[...] browsers, and a lot of their computers need to have proxy settings configured (see Table 9.4). Rather than doing this manually, it is recommended that you use a group policy or login script to change this setting.

[...] "PIX Command Authorization Sets" feature and use "Shell Command Authorization Sets" for PIX and for IOS devices. PIX supports command authorization and enables authorization. Command authorization ...
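The two decisions described in the Network Access Restrictions and External Authentication Databases sections above (a NAR list carries one permit-or-deny action for all of its entries; a username is looked up in the ACS internal database first and then, under the Unknown User Policy, in the external databases in your chosen order, with the password checked by whichever database knows the user while the group and its NAR stay with ACS) can be made concrete with a small model. The following Python is an added example, not ACS code and not code from the book: the classes are this editor's, the AAA client name assumes the PIX is registered in ACS under its hostname hcc-PIX, the call-centre subnet 10.10.7.0/24, the directory contents and the passwords are all constructed, and a user found in no database is assumed to be rejected (the sentence above breaks off before saying so).

```python
"""Decision model for the Cisco ACS behaviour described above: username lookup
(internal database first, then the Unknown User Policy's external databases in
order), password checking delegated to the database that knows the user, and a
group-level, IP-based Network Access Restriction (NAR) with a single
permit-or-deny action for the whole list.
Added example: the classes are this editor's, not ACS's API, and every user,
password, subnet and device name below is constructed."""
from dataclasses import dataclass
import fnmatch


@dataclass
class ExternalDatabase:
    """An external user database (e.g. Active Directory or a token server)."""
    name: str
    users: dict                     # username -> password (constructed test data)

    def knows(self, user):
        return user in self.users

    def check_password(self, user, password):
        return self.users.get(user) == password


@dataclass
class NAR:
    """Group-level IP-based NAR. Entries are (aaa_client, address_pattern,
    port_pattern) with shell-style wildcards; '*' matches everything. Like an
    ACL, the list has ONE action: a permit list allows only matching logins,
    a deny list allows everything except matching logins."""
    action: str                     # "permit" or "deny"
    entries: list

    def allows(self, aaa_client, src_ip, port="*"):
        matched = any(
            client == aaa_client
            and fnmatch.fnmatchcase(src_ip, addr)
            and fnmatch.fnmatchcase(port, prt)
            for client, addr, prt in self.entries)
        return matched if self.action == "permit" else not matched


@dataclass
class ACS:
    # username -> {"auth_db": "ACS" or an ExternalDatabase.name, "password", "group"}
    internal_users: dict
    external_dbs: list              # ExternalDatabase objects, in Unknown User Policy order
    group_nar: dict                 # group name -> NAR (groups without one are unrestricted)
    unknown_user_group: str = "Default Group"

    def lookup(self, user):
        """Where the password is checked and which group applies, or None."""
        if user in self.internal_users:
            rec = self.internal_users[user]
            return rec["auth_db"], rec["group"]
        for db in self.external_dbs:        # Unknown User Policy, in configured order
            if db.knows(user):
                return db.name, self.unknown_user_group
        return None                         # assumed: found nowhere -> rejected

    def authenticate(self, user, password, aaa_client, src_ip):
        found = self.lookup(user)
        if found is None:
            return "reject: unknown user"
        source, group = found
        if source == "ACS":
            ok = self.internal_users[user]["password"] == password
        else:
            db = next(d for d in self.external_dbs if d.name == source)
            ok = db.check_password(user, password)
        if not ok:
            return f"reject: bad password (checked against {source})"
        nar = self.group_nar.get(group)
        if nar is not None and not nar.allows(aaa_client, src_ip):
            return f"reject: NAR for group {group!r} blocks {aaa_client} from {src_ip}"
        return f"accept: group {group!r}, password checked against {source}"


# Constructed directory contents and ACS settings (not the book's).
AD = ExternalDatabase("Windows Database", {"alice": "Wint3r!", "bob": "Spr1ng!"})
SECURID = ExternalDatabase("RSA SecurID Token Server", {"carol": "1234567890"})

HCC_ACS = ACS(
    internal_users={
        # alice's password lives in AD; her group (and so her NAR) is decided by ACS
        "alice": {"auth_db": AD.name, "password": None, "group": "call-centre"},
        # a firewall administrator kept entirely in the ACS internal database
        "fwadmin": {"auth_db": "ACS", "password": "local-only", "group": "firewall-admins"},
    },
    external_dbs=[AD, SECURID],
    group_nar={
        # call-centre staff may authenticate at the PIX only from the assumed call-centre LAN
        "call-centre": NAR("permit", [("hcc-PIX", "10.10.7.*", "*")]),
        # firewall admins only from the administratorPC address in Figure 9.10
        "firewall-admins": NAR("permit", [("hcc-PIX", "10.10.15.20", "*")]),
        # users found only via the Unknown User Policy: anywhere except the firewall
        "Default Group": NAR("deny", [("hcc-PIX", "*", "*")]),
    },
)

if __name__ == "__main__":
    for args in [("alice", "Wint3r!", "hcc-PIX", "10.10.7.33"),
                 ("alice", "Wint3r!", "hcc-PIX", "10.10.2.5"),
                 ("bob", "Spr1ng!", "hcc-PIX", "10.10.7.1"),
                 ("bob", "Spr1ng!", "core-switch", "10.10.7.1"),
                 ("carol", "wrong", "core-switch", "10.10.3.9"),
                 ("dave", "x", "hcc-PIX", "10.10.7.1")]:
        print(args[0], "->", HCC_ACS.authenticate(*args))
```

Because a NAR list carries a single action, "anywhere except through the firewall" has to be written as a deny list (the Default Group entry) and "only from this subnet" as a permit list; the two cannot be mixed for one group, which is the limitation the text warns about. The model also shows the split the text describes: alice's password is verified by Active Directory, but whether she may log in at hcc-PIX from a given address is decided by the ACS group she belongs to.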

Posted: 14/08/2014, 18:20

Contents

  • Firewall Policies and VPN Configurations

    • Part IV Implementing Firewalls and VPNs (Case Studies)

      • Chapter 9 Medium Business (<2000 People)

        • Improving Accountability with Identity Management
