CCNP SENSS: Implementing ASA object groups

Cisco ASA and IOS devices support object-groups, which can be defined in place of IP addresses, services, security tags (Trustsec SGTs) etc. Object groups simplify configuration, reducing the number of ACEs in an ACL by referencing an object group consisting of multiple hosts/services etc. Configurations become easier to maintain, as you can modify the object group and this will be reflected in other sections of the configuration referencing it. Without object groups the parameters of the configuration may have to modified in multiple locations instead of just once.

Cisco ASA version 9.x supports 6 types of object group:

  • ICMP-type – consist of ICMP messages types.
  • Network – consist of group-objects which allow nesting of other network object groups and network-object which contain 1 or more host entries. Network object-groups can be used in the SRC and/or DST fields in an ACL.
    Continue reading “CCNP SENSS: Implementing ASA object groups”

CCNP SENSS: Block a TTL Expiry Attack

When a Cisco IOS device receives a packet with a TTL value of less or equal to 1 an ICMP Type 11, Code 0 (Time to Live exceeded) message is sent by the device, this subsequently has an impact on CPU. Greater CPU processing is required to respond with TTL exceed message than to forward a packet. Under normal conditions a default TTL of either 128 or 255 are used in most operating systems and network devices, when originating outbound packets, on that basis it is unlikely that an edge router should receive a packet with a low TTL value.

Cisco recommends filtering incoming packets on untrusted network boundaries (edge routers). Filtering low TTLs will eliminate a DoS attack vector and also prevent remote users from tracerouting into the network. To implement a TTL Expiry Attack the attacker would send packets with a low TTL causing the router to return ICMP Type, Code 0 TTL Exceeded messages eventually potentially overwhelming the router and causing a DoS.

Continue reading “CCNP SENSS: Block a TTL Expiry Attack”

CCNP SENSS: ASA Botnet Filtering

In a botnet attack computers can become infected with malware, the infected hosts will attempt to contact the botnet command and control servers. When configured the Botnet filter on the Cisco ASA firewall can be leveraged to check incoming and outgoing connections against a dynamic SensorBase database (downloaded from cisco) which contains information of known bad domain names and IP addresses, and then logs/blocks any suspicious activity. In addition to the dynamic database you can define a static blacklist of domain names/IP addresses. You can make use of a whitelist to allow blacklisted addresses defined in the dynamic database downloaded from Cisco.

Continue reading “CCNP SENSS: ASA Botnet Filtering”

CCNP SENSS: Prevent TCP attacks on a Cisco ASA

An attacker can launch a DOS attack by flooding a host with thousands of TCP SYN packets, the source address would be spoofed with no way for the host server to respond, this would create half-open TCP connections on the host consuming resources until the host is overwhelmed and packets are dropped.

On the Cisco ASA you can configure the Modular Policy Framework (MPF) to restrict the number of TCP half-open connections (embryonic-conn-max). When enabled, the MPF policy will intercept the tcp SYN and only forward the connection once the 3-way handshake is complete.

This blog post describes the steps use in order to limit half-open connections and to demonstrate this in action using hping3 tool, to simulate an attack.
Continue reading “CCNP SENSS: Prevent TCP attacks on a Cisco ASA”