Friday, September 7, 2018

Cisco ASA 5506W-X Software Image Upgrade

It's been a while since I've configured a Small Office/Home Office (SOHO) firewall such as the Cisco ASA 5505. I found a nice online deal on a Cisco ASA 5506W-X for my home lab and made sure the appliance's Version ID (VID) wasn't affected by the clock signal issue; otherwise it might get "bricked" sometime in the future. I considered getting a Cisco ASA 5506W-X and paid extra for the built-in wireless AP since my home users use Wi-Fi on their smartphones and tablets.

Here's a nice link with some tips on choosing a Next-Generation Firewall (NGFW). Below are photos of the good old Cisco ASA 5505 firewall.



Below are the photos of the Cisco ASA 5506W-X. It has a metallic chassis with lots of holes (for heat ventilation). You can find the LED status lights on top.


This is the front panel.


This is the back panel with all the ports. You can also view the LED status lights here.


This is the power adapter (ASA5506-PWR-AC).


Compared to the old Cisco ASA 5505 firewall, the Cisco ASA 5506 has 8x Layer 3 only (routed) Gigabit ports (no PoE) and 1x Management port (used for FirePOWER only). It ships with the FirePOWER module (SSD drive) installed, and ASDM can manage both the "classic firewall" and the FirePOWER module (starting with 6.0).

Below are the ASA image and ASDM version the appliance shipped with, and the configuration after I did a write erase and reload on the appliance.


ciscoasa# show version

Cisco Adaptive Security Appliance Software Version 9.9(1)
Firepower Extensible Operating System Version 2.3(1.54)
Device Manager Version 7.5(1)

Compiled on Thu 30-Nov-17 20:18 PST by builders
System image file is "disk0:/asa991-lfbff-k8.SPA"
Config file at boot was "startup-config"

ciscoasa up 1 min 28 secs

Hardware:   ASA5506W, 4096 MB RAM, CPU Atom C2000 series 1250 MHz, 1 CPU (4 cores)
Internal ATA Compact Flash, 8000MB
BIOS Flash M25P64 @ 0xfed01000, 16384KB

Encryption hardware device : Cisco ASA Crypto on-board accelerator (revision 0x1)
                             Number of accelerators: 1

 1: Ext: GigabitEthernet1/1  : address is 0078.884b.bf63, irq 255
 2: Ext: GigabitEthernet1/2  : address is 0078.884b.bf64, irq 255
 3: Ext: GigabitEthernet1/3  : address is 0078.884b.bf65, irq 255
 4: Ext: GigabitEthernet1/4  : address is 0078.884b.bf66, irq 255
 5: Ext: GigabitEthernet1/5  : address is 0078.884b.bf67, irq 255
 6: Ext: GigabitEthernet1/6  : address is 0078.884b.bf68, irq 255
 7: Ext: GigabitEthernet1/7  : address is 0078.884b.bf69, irq 255
 8: Ext: GigabitEthernet1/8  : address is 0078.884b.bf6a, irq 255
 9: Ext: GigabitEthernet1/9  : address is 0078.884b.bf6b, irq 255
10: Int: Internal-Data1/1    : address is 0078.884b.bf62, irq 255
11: Int: Internal-Data1/2    : address is 0000.0001.0002, irq 0
12: Int: Internal-Control1/1 : address is 0000.0001.0001, irq 0
13: Int: Internal-Data1/3    : address is 0000.0001.0003, irq 0
14: Ext: Management1/1       : address is 0078.884b.bf62, irq 0
15: Int: Internal-Data1/4    : address is 0000.0100.0001, irq 0

Licensed features for this platform:
Maximum Physical Interfaces       : Unlimited      perpetual
Maximum VLANs                     : 5              perpetual
Inside Hosts                      : Unlimited      perpetual
Failover                          : Disabled       perpetual
Encryption-DES                    : Enabled        perpetual
Encryption-3DES-AES               : Enabled        perpetual
Carrier                           : Disabled       perpetual
AnyConnect Premium Peers          : 2              perpetual
AnyConnect Essentials             : Disabled       perpetual
Other VPN Peers                   : 10             perpetual
Total VPN Peers                   : 12             perpetual
AnyConnect for Mobile             : Disabled       perpetual
AnyConnect for Cisco VPN Phone    : Disabled       perpetual
Advanced Endpoint Assessment      : Disabled       perpetual
Shared License                    : Disabled       perpetual
Total TLS Proxy Sessions          : 2              perpetual
Botnet Traffic Filter             : Disabled       perpetual
Cluster                           : Disabled       perpetual

This platform has a Base license.

Serial Number: JAD20081234
Running Permanent Activation Key: 0xf319c753 0x9c0e6651 0xbc534174 0x87548123 0x04191456
Configuration register is 0x1
Image type                : Release
Key Version               : A
Configuration has not been modified since last system restart.


ciscoasa# show inventory
Name: "Chassis", DESCR: "ASA 5506-X with FirePOWER services, WiFi, 8GE, AC, DES"
PID: ASA5506W          , VID: V06     , SN: JMX20091234

Name: "module 2", DESCR: "WLAN AP"
PID: N/A               , VID: N/A     , SN: N/A

Name: "Storage Device 1", DESCR: "ASA 5506-X SSD"
PID: ASA5506-SSD       , VID: N/A     , SN: MSA19375678       // FIREPOWER


ciscoasa# show module

Mod  Card Type                                    Model              Serial No.
---- -------------------------------------------- ------------------ -----------
   0 ASA 5506-X with FirePOWER services, WiFi, 8G ASA5506W           JAD20081234
 sfr FirePOWER Services Software Module           ASA5506W           JAD20084567
wlan WLAN AP                                      N/A                N/A       

Mod  MAC Address Range                 Hw Version   Fw Version   Sw Version    
---- --------------------------------- ------------ ------------ ---------------
   0 0078.884b.bf62 to 0078.884b.bf6b  2.0          1.1.8        9.9(1)
 sfr 0078.884b.bf61 to 0078.884b.bf61  N/A          N/A          5.4.1-211
wlan none                              N/A          N/A         

Mod  SSM Application Name           Status           SSM Application Version
---- ------------------------------ ---------------- --------------------------
 sfr ASA FirePOWER                  Up               5.4.1-211

Mod  Status             Data Plane Status     Compatibility
---- ------------------ --------------------- -------------
   0 Up Sys             Not Applicable       
 sfr Up                 Up                   
wlan Up                 Up                   


ciscoasa# more system:running-config
: Saved

:
: Serial Number: JAD20081234
: Hardware:   ASA5506W, 4096 MB RAM, CPU Atom C2000 series 1250 MHz, 1 CPU (4 cores)
: Written by enable_15 at 03:02:39.479 UTC Mon Aug 20 2018
!
ASA Version 9.9(1)
!
hostname ciscoasa
enable password $sha512$5000$nYeqAl4RK8yIfEnDFfDodg==$ywhiHnhKr/tRvokNka/oLA== pbkdf2
xlate per-session deny tcp any4 any4
xlate per-session deny tcp any4 any6
xlate per-session deny tcp any6 any4
xlate per-session deny tcp any6 any6
xlate per-session deny udp any4 any4 eq domain
xlate per-session deny udp any4 any6 eq domain
xlate per-session deny udp any6 any4 eq domain
xlate per-session deny udp any6 any6 eq domain
names

!
interface GigabitEthernet1/1
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet1/2
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet1/3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet1/4
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet1/5
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet1/6
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet1/7
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet1/8
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet1/9
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management1/1
 management-only
 shutdown
 no nameif
 no security-level
 no ip address
!
ftp mode passive
pager lines 24
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
arp rate-limit 16384
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 sctp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
timeout conn-holddown 0:00:15
timeout igp stale-route 0:01:10
user-identity default-domain LOCAL
aaa authentication login-history
no snmp-server location
no snmp-server contact
service sw-reset-button
crypto ipsec security-association pmtu-aging infinite
crypto ca trustpool policy
telnet timeout 5
ssh stricthostkeycheck
ssh timeout 5
ssh key-exchange group dh-group1-sha1
console timeout 0

threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
dynamic-access-policy-record DfltAccessPolicy
!
class-map inspection_default
 match default-inspection-traffic
!
!            
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
  no tcp-inspection
policy-map global_policy
 class inspection_default
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect ip-options
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny 
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip 
  inspect xdmcp
  inspect dns preset_dns_map
policy-map type inspect dns migrated_dns_map_2
 parameters  
  message-length maximum client auto
  message-length maximum 512
  no tcp-inspection
policy-map type inspect dns migrated_dns_map_1
 parameters
  message-length maximum client auto
  message-length maximum 512
  no tcp-inspection
!
service-policy global_policy global
prompt hostname context
call-home
 profile CiscoTAC-1
  no active
  destination address email callhome@cisco.com
  destination transport-method http
  subscribe-to-alert-group diagnostic
  subscribe-to-alert-group environment
  subscribe-to-alert-group inventory periodic monthly
  subscribe-to-alert-group configuration periodic monthly
  subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:d41d8cd98f00b204e9800998ecf8427e
: end        


Whenever deploying any Cisco appliance in production, it's best practice to upgrade to the TAC-recommended software release. As of this writing, those are ASA 9.8.2 and ASDM 7.9(2). You'll also need to check the ASA software and ASDM compatibility matrix.



Check the contents of the ASA flash memory and whether a boot image and ASDM image are hard-coded in the running configuration.


ciscoasa# dir

Directory of disk0:/

99     -rwx  74369568     16:05:36 Nov 08 2017  asa951-lfbff-k8.SPA
100    -rwx  25025404     16:06:04 Nov 08 2017  asdm-751.bin
101    -rwx  60           07:57:26 Jul 31 2018  .boot_string
11     drwx  4096         16:09:06 Nov 08 2017  log
20     drwx  4096         16:09:58 Nov 08 2017  crypto_archive
21     drwx  4096         16:10:00 Nov 08 2017  coredumpinfo
102    -rwx  109776224    14:55:34 Mar 21 2018  asa991-lfbff-k8.SPA
103    -rwx  3474         14:55:42 Mar 21 2018  oldconfig_2018Mar21_2241.cfg
104    -rwx  29197944     14:56:12 Mar 21 2018  asdm-791.bin

6 file(s) total size: 238372674 bytes
7934787584 bytes total (4473110528 bytes free/56% free)

ciscoasa#
ciscoasa# show run boot
ciscoasa#
ciscoasa# show run asdm
no asdm history enable

ciscoasa# configure terminal
ciscoasa(config)#

***************************** NOTICE *****************************

Help to improve the ASA platform by enabling anonymous reporting,
which allows Cisco to securely receive minimal error and health
information from the device. To learn more about this feature,

Would you like to enable anonymous error reporting to help improve
the product? [Y]es, [N]o, [A]sk later:
ciscoasa(config)# interface g1/2
ciscoasa(config-if)# ip address 192.168.1.1 255.255.255.0
ciscoasa(config-if)# nameif inside
INFO: Security level for "inside" set to 100 by default.
ciscoasa(config-if)# no shutdown
ciscoasa(config-if)#
ciscoasa(config-if)# ping 192.168.1.10       // TEST PING TO TFTP SERVER/PC
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.1.10, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/10 ms

ciscoasa# copy tftp://192.168.1.10/asa982-38-lfbff-k8.SPA disk0:

Address or name of remote host [192.168.1.10]?

Source filename [asa982-38-lfbff-k8.SPA]?

Destination filename [asa982-38-lfbff-k8.SPA]?

Accessing tftp://192.168.1.10/asa982-38-lfbff-k8.SPA...!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
Verifying file disk0:/asa982-38-lfbff-k8.SPA...
Computed Hash   SHA2: ce1c9b84adefaf7f5d075ac2457c0dd2
                      9cc524bb6f47ffc3ae1c8566076acf9a
                      d62912e75cdbde19ef82a459f3de432d
                      4d2ef6da51ddd462960b65fce33ec8a2
                     
Embedded Hash   SHA2: ce1c9b84adefaf7f5d075ac2457c0dd2
                      9cc524bb6f47ffc3ae1c8566076acf9a
                      d62912e75cdbde19ef82a459f3de432d
                      4d2ef6da51ddd462960b65fce33ec8a2
                     

Digital signature successfully validated

Writing file disk0:/asa982-38-lfbff-k8.SPA...

108648864 bytes copied in 103.820 secs (1054843 bytes/sec)
ciscoasa#
ciscoasa# copy tftp://192.168.1.10/asdm-792-152.bin disk0:     

Address or name of remote host [192.168.1.10]?

Source filename [asdm-792-152.bin]?

Destination filename [asdm-792-152.bin]?

Accessing tftp://192.168.1.10/asdm-792-152.bin...!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
Verifying file disk0:/asdm-792-152.bin...
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
Writing file disk0:/asdm-792-152.bin...

INFO: No digital signature found
32738244 bytes copied in 30.960 secs (1091274 bytes/sec)


ciscoasa# configure terminal
ciscoasa(config)# boot system ?

configure mode commands/options:
  disk0:  Path and filename on disk0:
  disk1:  Path and filename on disk1:
  flash:  Path and filename on flash:
  tftp:   A URL beginning with this prefix.
ciscoasa(config)# boot system disk0:?

configure mode commands/options:
  disk0:/.boot_string           disk0:/asa951-lfbff-k8.SPA
  disk0:/asa982-38-lfbff-k8.SPA  disk0:/asa991-lfbff-k8.SPA
  disk0:/asdm-751.bin           disk0:/asdm-791.bin
  disk0:/asdm-792-152.bin       disk0:/coredumpinfo
  disk0:/crypto_archive         disk0:/log
  disk0:/oldconfig_2018Mar21_2241.cfg
ciscoasa(config)# boot system disk0:/asa982-38-lfbff-k8.SPA
ciscoasa(config)# asdm image disk0:/asdm-792-152.bin
ciscoasa(config)#    
ciscoasa(config)# http server enable       // ENABLE ASDM
ciscoasa(config)# http 192.168.1.0 255.255.255.0 inside
ciscoasa(config)# username admin password cisco privilege 15
ciscoasa(config)# end
ciscoasa# write memory
Building configuration...
Cryptochecksum: 62692db5 16e8df84 0f3a0f8f 5b747c24

4380 bytes copied in 0.330 secs
[OK]
ciscoasa# reload       // RELOAD THE ASA FOR THE NEW CODE TO TAKE EFFECT
Proceed with reload? [confirm]
ciscoasa#


***
*** --- START GRACEFUL SHUTDOWN ---
Shutting down isakmp
Shutting down webvpn
Shutting down sw-module


<OUTPUT TRUNCATED>

ciscoasa# show version

Cisco Adaptive Security Appliance Software Version 9.8(2)38
Firepower Extensible Operating System Version 2.2(2.90)
Device Manager Version 7.9(2)152

Compiled on Tue 12-Jun-18 13:31 PDT by builders
System image file is "disk0:/asa982-38-lfbff-k8.SPA"
Config file at boot was "startup-config"

ciscoasa up 12 secs

Hardware:   ASA5506W, 4096 MB RAM, CPU Atom C2000 series 1250 MHz, 1 CPU (4 cores)
Internal ATA Compact Flash, 8000MB
BIOS Flash M25P64 @ 0xfed01000, 16384KB

Encryption hardware device : Cisco ASA Crypto on-board accelerator (revision 0x1)
                             Number of accelerators: 1

 1: Ext: GigabitEthernet1/1  : address is 0078.884b.bf63, irq 255
 2: Ext: GigabitEthernet1/2  : address is 0078.884b.bf64, irq 255
 3: Ext: GigabitEthernet1/3  : address is 0078.884b.bf65, irq 255
 4: Ext: GigabitEthernet1/4  : address is 0078.884b.bf66, irq 255
 5: Ext: GigabitEthernet1/5  : address is 0078.884b.bf67, irq 255
 6: Ext: GigabitEthernet1/6  : address is 0078.884b.bf68, irq 255
 7: Ext: GigabitEthernet1/7  : address is 0078.884b.bf69, irq 255
 8: Ext: GigabitEthernet1/8  : address is 0078.884b.bf6a, irq 255
 9: Ext: GigabitEthernet1/9  : address is 0078.884b.bf6b, irq 255
10: Int: Internal-Data1/1    : address is 0078.884b.bf62, irq 255
11: Int: Internal-Data1/2    : address is 0000.0001.0002, irq 0
12: Int: Internal-Control1/1 : address is 0000.0001.0001, irq 0
13: Int: Internal-Data1/3    : address is 0000.0001.0003, irq 0
14: Ext: Management1/1       : address is 0078.884b.bf62, irq 0
15: Int: Internal-Data1/4    : address is 0000.0100.0001, irq 0

Licensed features for this platform:
Maximum Physical Interfaces       : Unlimited      perpetual
Maximum VLANs                     : 5              perpetual
Inside Hosts                      : Unlimited      perpetual
Failover                          : Disabled       perpetual
Encryption-DES                    : Enabled        perpetual
Encryption-3DES-AES               : Enabled        perpetual
Carrier                           : Disabled       perpetual
AnyConnect Premium Peers          : 2              perpetual
AnyConnect Essentials             : Disabled       perpetual
Other VPN Peers                   : 10             perpetual
Total VPN Peers                   : 12             perpetual
AnyConnect for Mobile             : Disabled       perpetual
AnyConnect for Cisco VPN Phone    : Disabled       perpetual
Advanced Endpoint Assessment      : Disabled       perpetual
Shared License                    : Disabled       perpetual
Total TLS Proxy Sessions          : 2              perpetual
Botnet Traffic Filter             : Disabled       perpetual
Cluster                           : Disabled       perpetual

This platform has a Base license.

Serial Number: JAD20081234
Running Permanent Activation Key: 0xf319c753 0x9c0e6651 0xbc534174 0x87548123 0x04191456
Configuration register is 0x1
Image type                : Release
Key Version               : A
Configuration has not been modified since last system restart.
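As an added example (not from the original post), a small Python checker for the two verification points of this procedure: that the copy output's computed and embedded SHA2 hashes match and the digital signature line appears, and that the post-reload show version reports the same image file that was set with boot system. The sample outputs are constructed from the transcripts above; the version-from-filename mapping assumes the asaXYZ[-N] file naming used on this page.

```python
import re

# Constructed sample: the verification lines from the ASA image copy on this page.
ASA_COPY_OUTPUT = """Verifying file disk0:/asa982-38-lfbff-k8.SPA...
Computed Hash   SHA2: ce1c9b84adefaf7f5d075ac2457c0dd2
                      9cc524bb6f47ffc3ae1c8566076acf9a
                      d62912e75cdbde19ef82a459f3de432d
                      4d2ef6da51ddd462960b65fce33ec8a2

Embedded Hash   SHA2: ce1c9b84adefaf7f5d075ac2457c0dd2
                      9cc524bb6f47ffc3ae1c8566076acf9a
                      d62912e75cdbde19ef82a459f3de432d
                      4d2ef6da51ddd462960b65fce33ec8a2

Digital signature successfully validated
"""
# Constructed sample: the ASDM copy on this page carries no embedded signature.
ASDM_COPY_OUTPUT = """Verifying file disk0:/asdm-792-152.bin...
INFO: No digital signature found
"""
# Constructed sample: the relevant "show version" lines after the reload.
SHOW_VERSION_AFTER = """Cisco Adaptive Security Appliance Software Version 9.8(2)38
System image file is "disk0:/asa982-38-lfbff-k8.SPA"
"""
# A hash block is the label line plus any indented continuation lines of hex.
HASH_RE = re.compile(
    r"^(Computed|Embedded) Hash\s+SHA2:\s*([0-9a-f]+)((?:\n[ \t]+[0-9a-f]+)*)", re.M)


def parse_hashes(output):
    """Return {'Computed': hex, 'Embedded': hex} with the wrapped SHA2 lines joined."""
    found = {}
    for m in HASH_RE.finditer(output):
        found[m.group(1)] = m.group(2) + re.sub(r"\s+", "", m.group(3))
    return found


def image_verified(output):
    """True only if both hashes are present and equal AND the signature line appears."""
    hashes = parse_hashes(output)
    if "Computed" not in hashes or hashes["Computed"] != hashes.get("Embedded"):
        return False
    return "Digital signature successfully validated" in output


def version_from_image(filename):
    """Map an image name such as asa982-38-lfbff-k8.SPA to the version string the ASA
    prints, 9.8(2)38. Assumption: the asaXYZ[-N]- naming used by the files on this page."""
    m = re.search(r"asa(\d)(\d)(\d)(?:-(\d+))?-", filename)
    if not m:
        return None
    major, minor, maint, interim = m.groups()
    return f"{major}.{minor}({maint}){interim or ''}"


def running_matches_boot(show_version, boot_file):
    """After reload: the ASA must report the intended image file and its version."""
    img = re.search(r'System image file is "([^"]+)"', show_version)
    ver = re.search(r"Software Version (\S+)", show_version)
    if not img or not ver:
        return False
    return img.group(1) == boot_file and ver.group(1) == version_from_image(boot_file)
```

Paste the real copy and show version output into the two sample strings to run the same checks against your own upgrade session.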


Connect via HTTPS and accept the self-signed certificate generated by the ASA firewall.


Save and install ASDM. You'll need Java installed on your PC to run ASDM.




Type the IP address and your login.



Skip the Cisco Smart Call Home setup.



Saturday, September 1, 2018

Malware types

Malicious software, also called malware, is any software that is designed to perform malicious acts. The following are the four classes of malware you should understand:

* Virus: Any malware that attaches itself to another application to replicate or distribute itself

* Worm: Any malware that replicates itself, meaning that it does not need another application or human interaction to propagate

* Trojan horse: Any malware that disguises itself as a needed application while carrying out malicious actions

* Spyware: Any malware that collects private user data, including browsing history or keyboard input

The best defense against malicious software is to deploy antivirus and anti-malware software. Today most vendors bundle these two types of software in a single product. Keeping antivirus and anti-malware software up to date is vital; this includes ensuring that the latest virus and malware definitions are installed.


There are many free online malware scanners, and one of them is VirusTotal (a Google-owned company). I uploaded a malware sample (Vawtrak) for analysis and it gave me the result below.


Another great online tool for checking the latest CVEs and various exploits is the Exploit Database.