- System Monitoring
- Similar to IOS level commands. The instructions did ask to deny snmp version 1 via a 'snmp-map'. If you look, there is a default global-policy. You just create the snmp-map and then reference it in the global policy.
snmp-map TST
 deny version 1
!
!
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip
  inspect xdmcp
  inspect snmp TST
- You could also do this without creating a new map with 'snmp deny version 1'
- DHCP Server
- Nothing outside of the normal when compared to IOS, it's just dhcpd commands instead of ip dhcp-server
- Interesting, but I couldn't get it to work in my lab. I saw the DHCP Discover come into my ASA interface, but it never went anywhere from there.
- HTTP Inspection with MPF
- Similar to IOS MQC but with additional class-maps and policy-maps for granular filtering.
- Very easy to get confused but easy once you see it in action. Create access-list and class-map just like IOS. From there, you can create 'type inspect http' policy-maps. Inside the inspect policy-map, under 'parameters' you can do things like reset on protocol violations and spoof the server header.
- You can now apply this to a regular policy-map with the 'inspect' keyword.
- Under the policy map, within the class, you can also 'set' connection options like max connections, max half open, etc.
- Finally, you attach it to the interface with 'service-policy'. The only difference from IOS is that this is done from global configuration rather than from the interface context.
- Advanced FTP Inspection using Regex
- You can define regex with 'regex NAME regex_string'
- You can then reference these with 'class-map type regex'. This is mainly used to match FTP file names.
- You can create a 'policy-map type inspect ftp', similar to the HTTP one above, and reference it in a parent policy-map. There is a lot of nesting here.
class-map FTP
 match port tcp eq ftp
class-map type inspect ftp match-any DENIED_COMMANDS
 match request-command dele
 match request-command site
 match request-command rmd
class-map type regex match-any DENIED_FILES
 match regex REG_26XX
 match regex REG_28XX
 match regex REG_36XX
policy-map OUTSIDE
 class FTP
  inspect ftp strict FTP_INSPECT
policy-map type inspect ftp FTP_INSPECT
 parameters
  mask-banner
  mask-syst-reply
 match filename regex class DENIED_FILES
  reset
 class DENIED_COMMANDS
  reset
- Authenticating BGP through Firewall
- TCP option 19 is used for BGP authentication. You need to create a custom TCP map allowing option 19. You then create a class that matches BGP, reference it in the global policy, disable TCP random sequencing (which doesn't work with BGP) and apply your custom TCP map.
- Validate with 'show connection detail'
- Again, I see this as another simple task, but if you don't pay attention you could lose the points!
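The BGP task described above written out as an ASA configuration. This is an added example, not config from the original post; the names BGP_MD5, BGP_ACL and BGP_CLASS are assumed. Option 19 is the TCP MD5 signature option, and the signature covers the TCP sequence numbers, which is why sequence-number randomization has to be disabled for this class only (leave it enabled for everything else).

```cisco
! Allow TCP option 19 (MD5 signature) through the normalizer
tcp-map BGP_MD5
 tcp-options range 19 19 allow
!
! Match only BGP sessions so the relaxed settings stay narrow
access-list BGP_ACL extended permit tcp any any eq bgp
class-map BGP_CLASS
 match access-list BGP_ACL
!
! Hook the class into the existing default global policy
policy-map global_policy
 class BGP_CLASS
  set connection random-sequence-number disable
  set connection advanced-options BGP_MD5
```

After the BGP peers come up, 'show conn detail' should list the BGP connection with the flags showing the custom TCP map and sequence randomization off.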
- TCP Normalization
- When creating a custom TCP map you have several options:
- check-retransmission
- checksum-verification
- default
- exceed-mss
- no
- queue-limit
- reserved-bits
- syn-data
- tcp-options
- ttl-evasion-protection
- urgent-flag
- window-variation
- Radius Account Inspection
- Must remember to use the right class types and policy types. I find that if a certain option isn't there for what you are trying to configure, you probably have specified a wrong class-map type or policy-map type - or no type at all.
- ICMP Inspection
- Will enable ICMP across the FW interfaces without an access-list being defined
Not sure if anyone out there is reading my blog. In short, I originally created this to keep my own notes and help out other CCIE candidates. I will continue to do this on the security track.