Sunday, July 1, 2018

Network Firewall and Access Control List (ACL)

Routers and firewalls perform an important security function because access control lists (ACLs) are typically configured on them. ACLs are ordered sets of rules that control which traffic is permitted or denied a path through a router. These rules can operate at Layer 3, making decisions on the basis of IP addresses, or at Layer 4, where only certain types of traffic are allowed. In the Layer 4 case, the ACL typically references the port number of the service or application that is allowed or denied.

Access lists operate as a series of if/then statements: If a given condition is met, then a given action is taken. If the condition isn’t met, nothing happens, and the next statement is evaluated. Once the lists are built, they can be applied to either inbound or outbound traffic on any interface. Applying an access list causes the router/firewall to analyze every packet crossing that interface in the specified direction and to take the appropriate action.

Several categories of firewalls are available on the market today, and they vary in both price and functionality:

* Packet filtering firewalls simply check the characteristics of each packet against the firewall rules without any additional intelligence. Packet filtering firewall capabilities are typically found in routers and other network devices and are very rudimentary firewalls.

* Stateful inspection firewalls go beyond packet filters and maintain information about the state of each connection passing through the firewall. These are the most basic firewalls sold as stand-alone products.

* Next-generation firewalls (NGFWs) incorporate even more information into their decision-making process, including contextual information about users, applications, and business processes. They are the current state-of-the-art in network firewall protection and are quite expensive compared to stateful inspection devices.

* Web application firewalls (WAFs) are specialized firewalls designed to protect against web application attacks, such as SQL injection and cross-site scripting.


I've initially allowed ICMP (ping) from "any" IP address on the Cisco ASA firewall "outside" interface towards the "inside" network 192.168.1.0/24. Network traffic from the higher security level (100) towards the lower security level (0) is allowed by default if no ACL is applied on the "inside" interface.

ciscoasa# show run access-list
access-list OUTSIDE-IN extended permit icmp any 192.168.1.0 255.255.255.0 echo
access-list OUTSIDE-IN extended permit icmp any 192.168.1.0 255.255.255.0 time-exceeded
access-list OUTSIDE-IN extended permit icmp any 192.168.1.0 255.255.255.0 unreachable

ciscoasa# show run access-group
access-group OUTSIDE-IN in interface outside

ciscoasa# show nameif
Interface                Name                     Security
GigabitEthernet0         outside                    0
GigabitEthernet1         inside                   100


R1#ping 192.168.1.3     
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.1.3, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 56/257/628 ms

R1#ping 192.168.1.50
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.1.50, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 140/392/620 ms

R1#telnet 192.168.1.50 80
Trying 192.168.1.50, 80 ...
% Connection timed out; remote host not responding

R1#telnet 192.168.1.50 3389
Trying 192.168.1.50, 3389 ...
% Connection timed out; remote host not responding


I need to configure the Cisco ASA firewall to allow network traffic from R1 (200.1.1.1) towards 192.168.1.50 using TCP port 80 (HTTP) and TCP port 3389 (RDP).

ciscoasa# configure terminal
ciscoasa(config)# access-list ?

configure mode commands/options:
  WORD < 241 char  Access list identifier
  alert-interval   Specify the alert interval for generating syslog message
                   106001 which alerts that the system has reached a deny flow
                   maximum. If not specified, the default value is 300 sec
  deny-flow-max    Specify the maximum number of concurrent deny flows that can
                   be created. If not specified, the default value is 4096
ciscoasa(config)# access-list OUTSIDE-IN ?

configure mode commands/options:
  deny      Specify packets to reject
  extended  Configure access policy for IP traffic through the system
  line      Use this to specify line number at which ACE should be entered
  permit    Specify packets to forward
  remark    Specify a comment (remark) for the access-list after this keyword
  rename    rename an existing access-list
  standard  Use this to configure policy having destination host or network
            only
  webtype   Use this to configure WebVPN related policy
ciscoasa(config)# access-list OUTSIDE-IN extended ?

configure mode commands/options:
  deny    Specify packets to reject
  permit  Specify packets to forward
ciscoasa(config)# access-list OUTSIDE-IN extended permit ?

configure mode commands/options:
  <0-255>       Enter protocol number (0 - 255)
  ah           
  eigrp        
  esp          
  gre          
  icmp         
  icmp6        
  igmp         
  igrp         
  ip           
  ipinip       
  ipsec        
  nos          
  object        Specify a service object after this keyword
  object-group  Specify a service or protocol object-group after this keyword
  ospf         
  pcp          
  pim          
  pptp         
  snp          
  tcp          
  udp          
ciscoasa(config)# access-list OUTSIDE-IN extended permit tcp ?

configure mode commands/options:
  A.B.C.D            Source IP address
  any                Abbreviation for source address and mask of 0.0.0.0
                     0.0.0.0
  host               Use this keyword to configure source host
  interface          Use interface address as source address
  object             Keyword to enter source object name
  object-group       Network object-group for source address
  object-group-user  User object-group for source address
  user               User for source address [<domain_nickname>\]<user_name>
  user-group         User-group for source address
                     [<domain_nickname>\\]<user_group_name>
ciscoasa(config)# access-list OUTSIDE-IN extended permit tcp host ?

configure mode commands/options:
  A.B.C.D  Source host IP address

ciscoasa(config)# access-list OUTSIDE-IN extended permit tcp host 200.1.1.1 ?

configure mode commands/options:
  A.B.C.D       Destination IP address
  any           Abbreviation for destination address and mask of 0.0.0.0
                0.0.0.0
  eq            Port equal to operator
  gt            Port greater than operator
  host          Use this keyword to configure destination host
  interface     Use interface address as destination address
  lt            Port less than operator
  neq           Port not equal to operator
  object        Keyword to enter destination object name
  object-group  Optional service object-group name for source port or network
                object-group for destination address
  range         Port range operator
ciscoasa(config)# access-list OUTSIDE-IN extended permit tcp host 200.1.1.1 host 192.168.1.50 ?         

configure mode commands/options:
  eq            Port equal to operator
  gt            Port greater than operator
  inactive      Keyword for disabling an ACL element
  log           Keyword for enabling log option on this ACL element
  lt            Port less than operator
  neq           Port not equal to operator
  object-group  Optional service object-group for destination port
  range         Port range operator
  time-range    Keyword for attaching time-range option to this ACL element
  <cr>
ciscoasa(config)# access-list OUTSIDE-IN extended permit tcp host 200.1.1.1 host 192.168.1.50 eq ?

configure mode commands/options:
  <1-65535>        Enter port number (1 - 65535)
  aol             
  bgp             
  chargen         
  cifs            
  citrix-ica      
  cmd             
  ctiqbe          
  daytime         
  discard         
  domain          
  echo            
  exec            
  finger          
  ftp             
  ftp-data        
  gopher          
  h323            
  hostname        
  http            
  https           
  ident           
  imap4           
  irc             
  kerberos        
  klogin          
  kshell          
  ldap            
  ldaps           
  login           
  lotusnotes      
  lpd             
  netbios-ssn     
  nfs             
  nntp            
  pcanywhere-data 
  pim-auto-rp     
  pop2            
  pop3            
  pptp            
  rsh             
  rtsp            
  sip             
  smtp            
  sqlnet          
  ssh             
  sunrpc          
  tacacs          
  talk            
  telnet          
  uucp            
  whois           
  www            
ciscoasa(config)# access-list OUTSIDE-IN extended permit tcp host 200.1.1.1 host 192.168.1.50 eq 80
ciscoasa(config)# access-list OUTSIDE-IN extended permit tcp host 200.1.1.1 host 192.168.1.50 eq 3389
ciscoasa(config)# show run access-list
access-list OUTSIDE-IN extended permit icmp any 192.168.1.0 255.255.255.0 echo
access-list OUTSIDE-IN extended permit icmp any 192.168.1.0 255.255.255.0 time-exceeded
access-list OUTSIDE-IN extended permit icmp any 192.168.1.0 255.255.255.0 unreachable
access-list OUTSIDE-IN extended permit tcp host 200.1.1.1 host 192.168.1.50 eq www
access-list OUTSIDE-IN extended permit tcp host 200.1.1.1 host 192.168.1.50 eq 3389



R1#telnet 192.168.1.50 80
Trying 192.168.1.50, 80 ... Open
^ZHTTP/1.1 400 Bad Request
Content-Type: text/html; charset=us-ascii
Server: Microsoft-HTTPAPI/2.0
Date: Mon, 19 Mar 2018 06:07:54 GMT
Connection: close
Content-Length: 326

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN""http://www.w3.org/TR/html4/strict.dtd">
<HTML><HEAD><TITLE>Bad Request</TITLE>
<META HTTP-EQUIV="Content-Type" Content="text/html; charset=us-ascii"></HEAD>
<BODY><h2>Bad Request - Invalid Verb</h2>
<hr><p>HTTP Error 400. The request verb is invalid.</p>
</BODY></HTML>

[Connection to 192.168.1.50 closed by foreign host]


R1#telnet 192.168.1.50 3389
Trying 192.168.1.50, 3389 ... Open


You can issue the show access-list command on the Cisco ASA firewall to verify the per-line hit count (hitcnt), which tells you whether traffic is actually matching each ACE.

ciscoasa# show access-list
access-list cached ACL log flows: total 0, denied 0 (deny-flow-max 4096)
            alert-interval 300
access-list OUTSIDE-IN; 6 elements; name hash: 0x9ccc1a31
access-list OUTSIDE-IN line 1 extended permit icmp any 192.168.1.0 255.255.255.0 echo (hitcnt=10) 0xa036473d
access-list OUTSIDE-IN line 2 extended permit icmp any 192.168.1.0 255.255.255.0 time-exceeded (hitcnt=0) 0x1b7b2c90
access-list OUTSIDE-IN line 3 extended permit icmp any 192.168.1.0 255.255.255.0 unreachable (hitcnt=0) 0x6ded0a34
access-list OUTSIDE-IN line 4 extended permit tcp host 200.1.1.1 host 192.168.1.50 eq www (hitcnt=1) 0x0f6be67a
access-list OUTSIDE-IN line 5 extended permit tcp host 200.1.1.1 host 192.168.1.50 eq 3389 (hitcnt=2) 0x3c3ca9ab
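To make the if/then, first-match evaluation described at the top of this post concrete, here is an added Python model of the OUTSIDE-IN access list (example code written for this page, not the ASA's implementation). It parses the five ACE lines shown in the show access-list output, evaluates sample packets in order until the first match, falls through to the ASA's implicit deny when nothing matches, and keeps per-line hit counters in the style of hitcnt. The parser only covers the ACE syntax used on this page (permit/deny, icmp/tcp/udp/ip, any/host/network-mask, eq port-or-name); the PORT_NAMES and ICMP_TYPES tables are a small subset of the keyword lists the ASA accepts, and the packets in demo() are constructed test inputs, not captured traffic.

```python
"""ASA-style ACL evaluator: ordered first-match ACEs with an implicit deny.

Added example (not from the original post). Models how the OUTSIDE-IN list is
evaluated and keeps per-line hit counters like `show access-list`.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

# Subset of the service names the ASA accepts in place of a numeric port.
PORT_NAMES = {"www": 80, "http": 80, "https": 443, "ssh": 22, "telnet": 23}
# Subset of the ICMP type names the ASA accepts in place of a numeric type.
ICMP_TYPES = {"echo": 8, "echo-reply": 0, "unreachable": 3, "time-exceeded": 11}


@dataclass
class ACE:
    action: str                     # "permit" or "deny"
    proto: str                      # "icmp", "tcp", "udp" or "ip" (ip = any protocol)
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dport: Optional[int]            # TCP/UDP destination port or ICMP type; None = any
    text: str                       # original ACE line, for show()
    hitcnt: int = 0


def _parse_addr(tokens: List[str]) -> ipaddress.IPv4Network:
    """Consume one address spec: 'any', 'host A.B.C.D' or 'A.B.C.D MASK'."""
    tok = tokens.pop(0)
    if tok == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    if tok == "host":
        return ipaddress.ip_network(f"{tokens.pop(0)}/32")
    return ipaddress.ip_network(f"{tok}/{tokens.pop(0)}")


def _lookup(tok: str, names: dict) -> int:
    """Resolve a numeric port/type or a known keyword; reject anything else."""
    if tok.isdigit():
        return int(tok)
    if tok in names:
        return names[tok]
    raise ValueError(f"unknown port/type keyword: {tok}")


def parse_ace(line: str) -> ACE:
    """Parse one 'access-list NAME extended permit|deny PROTO SRC DST [eq PORT]' line."""
    tokens = line.split()
    if tokens[:1] != ["access-list"] or tokens[2] != "extended":
        raise ValueError(f"unsupported ACE: {line}")
    action, proto, rest = tokens[3], tokens[4], tokens[5:]
    src = _parse_addr(rest)
    dst = _parse_addr(rest)
    dport = None
    if proto == "icmp" and rest:                       # trailing ICMP type, e.g. 'echo'
        dport = _lookup(rest[0], ICMP_TYPES)
    elif proto in ("tcp", "udp") and rest[:1] == ["eq"]:  # 'eq 80' / 'eq www'
        dport = _lookup(rest[1], PORT_NAMES)
    return ACE(action, proto, src, dst, dport, line)


class AccessList:
    def __init__(self, lines: List[str]):
        self.aces = [parse_ace(line) for line in lines]   # order is significant

    def evaluate(self, src: str, dst: str, proto: str, dport: Optional[int] = None) -> str:
        """Return 'permit' or 'deny' for one packet; the first matching ACE wins.

        A packet that matches no line falls through to the implicit deny that
        the ASA appends to every access list.
        """
        s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        for ace in self.aces:
            if ace.proto not in ("ip", proto):
                continue
            if s not in ace.src or d not in ace.dst:
                continue
            if ace.dport is not None and ace.dport != dport:
                continue
            ace.hitcnt += 1
            return ace.action
        return "deny"

    def show(self) -> List[str]:
        """Render the list in the spirit of `show access-list`, hit counters included."""
        return [f"line {i} {a.text} (hitcnt={a.hitcnt})" for i, a in enumerate(self.aces, 1)]


# The five ACEs from the post's `show run access-list` output.
OUTSIDE_IN = [
    "access-list OUTSIDE-IN extended permit icmp any 192.168.1.0 255.255.255.0 echo",
    "access-list OUTSIDE-IN extended permit icmp any 192.168.1.0 255.255.255.0 time-exceeded",
    "access-list OUTSIDE-IN extended permit icmp any 192.168.1.0 255.255.255.0 unreachable",
    "access-list OUTSIDE-IN extended permit tcp host 200.1.1.1 host 192.168.1.50 eq www",
    "access-list OUTSIDE-IN extended permit tcp host 200.1.1.1 host 192.168.1.50 eq 3389",
]


def demo():
    """Evaluate constructed sample packets (198.51.100.7 is a made-up outside host)."""
    acl = AccessList(OUTSIDE_IN)
    results = {
        "r1_http": acl.evaluate("200.1.1.1", "192.168.1.50", "tcp", 80),       # permit (line 4)
        "r1_rdp": acl.evaluate("200.1.1.1", "192.168.1.50", "tcp", 3389),      # permit (line 5)
        "r1_ssh": acl.evaluate("200.1.1.1", "192.168.1.50", "tcp", 22),        # implicit deny
        "other_rdp": acl.evaluate("198.51.100.7", "192.168.1.50", "tcp", 3389),  # implicit deny
        "any_ping": acl.evaluate("198.51.100.7", "192.168.1.3", "icmp", 8),    # permit (line 1)
        "ping_other_net": acl.evaluate("198.51.100.7", "10.0.0.3", "icmp", 8),  # implicit deny
    }
    return results, acl.show()


if __name__ == "__main__":
    verdicts, table = demo()
    for name, verdict in verdicts.items():
        print(f"{name:16} {verdict}")
    print(*table, sep="\n")
```

The point worth noticing is the last three verdicts: nothing in the ACL says "deny", yet SSH from R1, RDP from any other outside host, and pings to a network other than 192.168.1.0/24 are all dropped, because evaluation reaches the end of the list and hits the implicit deny. That is also why an ACE with a hitcnt of 0 in show access-list (lines 2 and 3 above) is worth a second look: either the traffic never arrives, or an earlier line is matching it first.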