Differences
This shows you the differences between two versions of the page.
|
sred:labextraftd [2021/11/26 18:04] horia.stoenescu [Exercises] |
sred:labextraftd [2022/11/11 13:52] (current) horia.stoenescu Updated exercises |
||
|---|---|---|---|
| Line 1: | Line 1: | ||
| - | ========== Lab extra FTD ========== | + | ========== Lab 5. Dedicated firewall security (part 3) - FTD ========== |
| ==== Story ==== | ==== Story ==== | ||
| + | Our company is still using the FTD for connecting and protecting the 2 branches (with client1 and client2) to the Internet. Also, it wants to implement the full pipeline of security policies, starting with ssl decryption (for inspecting traffic using custom CAs), then continuing with security intelligence (for blocking IPs and URLs before reaching the access rules), and in the end the access rules for IPS on balanced level, different applications to be blocked, and URL categories that have any repudiation level. | ||
| + | ==== Local host prerequisites ==== | ||
| + | If you have a Windows/MacOS machine, you need to install on it [[https://www.realvnc.com/en/connect/download/viewer/windows/|vnc viewer]] to access the Linux/Firewall machines and [[https://www.chiark.greenend.org.uk/~sgtatham/putty/latest.html|putty]] for Cisco routers/switches. | ||
| + | You can also check this client side pack from Eve-ng for [[https://www.eve-ng.net/index.php/download/#DL-WIN|Windows]] and [[https://www.eve-ng.net/index.php/download/#DL-OSX|MacOS]]. | ||
| + | |||
| + | For Linux OS, you can use Remmina or Remote Desktop Viewer (both should be already installed). Check this link also: [[https://remmina.org/how-to-install-remmina/|Remmina install]]. | ||
| ==== Topology ==== | ==== Topology ==== | ||
| - | ==== Exercises ==== | + | We are going to use the same topology as last time: 3 interfaces, 1 connected to outside area and 2 to internal networks (where endpoints client1 and client2 are found). You should firstly remove all policy rules, with the exception of NAT rules (for inside and inside2 zones) and access rules for permitting any traffic from inside and inside2 to outside. The rest of configured objects can be kept. |
| - | === Exercise 1 - MITM decryption in depth [4p] === | + | {{:sred:lab5_ftd_topology.png?700|}} |
| - | Remember that last time we created an SSL decryption rule based on an already existing CA certificate generated on the machine. In order for clients to not be affected by this inspection, we required to import the certificate on browser's trust store (Mozilla in our case). There are 2 ways of providing a custom certificate: | ||
| - | - generate via WebUI (you are just required to add a name and complete the fields of distinguished name or DN - the private key is generated directly by the firewall) | + | ==== Exercises ==== |
| - | + | ||
| - | - generate using openssl package (you will need to generate the certificate in pem format and the private key) | + | |
| - | + | ||
| - | == a) Generate cert on WebUI [2p] == | + | |
| - | This time we want to create a new one (from Objects > Certificates), with a different CN (you can use ‘student’) on DN. The rest of the fields (like organization), can be left blank here. | + | |
| - | + | ||
| - | You need to delete the old SSL decryption rules (added on the last lab for TLS obsolete blocking and decryption) and add the new certificate generated above. Firstly, we do not want to inspect sensitive data (like medical or financial URL categories), then to decrypt and analyze https traffic. Add these 2 rules and deploy. | + | |
| - | + | ||
| - | You need to also import the CA certificate (again using [[https://privnote.com/|privnote]]) on the trust store from client1's machine (hint: [[https://manpages.ubuntu.com/manpages/xenial/man8/update-ca-certificates.8.html|update-ca-certificates]]). | + | |
| - | + | ||
| - | Then, check using openssl s_client (hint: --showcerts) if the traffic is decrypted or not. Check firstly google.com or facebook.com and see if the CA certificate used in key chain is the one configured above and then check with brd.ro - finance and reginamaria.ro - health (or identify new ones using [[https://talosintelligence.com/|Talos]]). | + | |
| - | + | ||
| - | Example 1 - checking google.com (custom cert should be used): | + | |
| - | + | ||
| - | {{:sred:ca1_decrypt.png?300|}} | + | |
| - | + | ||
| - | See the CN of the first certificate, the continuing with the server's one. | + | |
| - | + | ||
| - | Example 2 - checking raiffeisen.ro (original cert path should not be affected - you should see CAs and sub CAs for other websites like DigiCert): | + | |
| - | + | ||
| - | {{:sred:ca2_decrypt.png?600|}} | + | |
| - | + | ||
| - | + | ||
| - | == b) Generate cert using openssl [2p] == | + | |
| - | Using openssl client on the eve-ng machine generate a new certificate in pem format with just the subject 'student2' in the DN, with 365 days of availability, private key with 4096b, and with no encryption of private key (do not protect it). | + | |
| - | + | ||
| - | Then, add this second cert and the corresponding private key to FTD's trust store (Objects > Certificates > Add Internal CA > upload cert and key). Upload the CA to the second client (kali), add to trust store and update it. Also, change the CA from SSL decryption policies and deploy. | + | |
| - | Check again the 2 scenarios (with google and raiffeisen or any other sites). | + | === e1. [2p] Traffic analysis === |
| + | Remember the [[https://ocw.cs.pub.ro/courses/sred/lab3#e3_1p_no_more_social_media|last]] exercise from the 3rd Cisco lab. A client sends GET requests to facebook server and traffic is blocked no matter the traffic is encrypted or not. Using Wireshark on client machine (from **inside** zone) try to identify how this process is done by the firewall. | ||
| - | Example 3: | + | === e2. [5p] Send some logs === |
| - | {{:sred:ca3_decrypt.png?600|}} | + | {{:sred:lab4_syslog.png?800|}} |
| + | As logging is limited on our FTD device, we can use an external device for log collection. This can be a syslog server, that we will configure firstly on our linux router VM. | ||
| - | === Exercise 2 - Security intelligence [3p] === | + | To configure it, do the following: |
| - | Talos is keeping an internal database of feeds that represents categories of IPs and URLs that are maintained by Cisco. We can block before inspecting traffic using access rules, the IPs or URLs that are retrieved from Talos feeds or directly added by the sysadmin (can be internal IPs that I want to block for some clients or the endpoints that need to be blocked). | + | <code> |
| + | sudo apt-get update | ||
| + | sudo apt-get install syslog-ng | ||
| + | sudo mv /etc/syslog-ng/syslog-ng.conf /etc/syslog-ng/syslog-ng.conf.bkup # same the default one | ||
| + | sudo vim /etc/syslog-ng/syslog-ng.conf | ||
| - | Firstly, we need to configure the Security Intelligence Feeds (from Device > Updates): | + | # add here: |
| + | @version: 3.5 | ||
| + | @include "scl.conf" | ||
| + | @include "`scl-root`/system/tty10.conf" | ||
| + | options { | ||
| + | time-reap(30); | ||
| + | mark-freq(10); | ||
| + | keep-hostname(yes); | ||
| + | }; | ||
| + | source s_local { system(); internal(); }; | ||
| + | source s_network { | ||
| + | syslog(transport(udp) port(1025)); | ||
| + | }; | ||
| + | destination d_local { | ||
| + | file("/var/log/syslog-ng/messages_${HOST}"); }; | ||
| + | destination d_logs { | ||
| + | file( | ||
| + | "/var/log/syslog-ng/logs.txt" | ||
| + | owner("root") | ||
| + | group("root") | ||
| + | perm(0777) | ||
| + | ); }; | ||
| + | log { source(s_local); source(s_network); destination(d_logs); }; | ||
| - | - leave recurring for 1 hour (the lists are pulled from server and updated on the local FTD without a deployment) | + | # create the log dir and restart the server |
| + | sudo mkdir /var/log/syslog-ng | ||
| + | sudo touch /var/log/syslog-ng/logs.txt | ||
| + | sudo service syslog-ng restart | ||
| - | - press 'update from cloud' to get the lists from the cloud for the first time | + | # check the service if it is LISTENING on port 1025 |
| + | sudo netstat -atupn | grep 1025 | ||
| + | </code> | ||
| - | == a) Security intelligence only == | + | After this, go to another terminal on Router VM and test the syslog server: |
| + | <code> | ||
| + | # get the ip address of linux router VM | ||
| + | ifconfig eth0 | ||
| + | # then use it below - mine was 10.3.0.84 | ||
| + | logger -n 10.3.0.84 -P 1025 "testing my new syslog server" | ||
| + | </code> | ||
| - | Then, blacklist the URL category **cryptomining** (or any other category for which you can find websites to test later) and leave only the access control rules: allow any from inside and inside2 to outside. Check if the traffic to binance.com is blocked. | + | And from another terminal, check the logs.txt file: |
| + | <code> | ||
| + | tail -f /var/log/syslog-ng/logs.txt | ||
| + | Nov 10 10:00:00 ubuntu eve: testing my new syslog server | ||
| + | </code> | ||
| - | **Example binance.com** - on Talos we can see that this website is added to BLOCK LISTS with CLASSIFICATION Cryptomining. | + | Do the same thing from FTD expert mode and check with tail logs.txt: |
| + | <code> | ||
| + | > expert | ||
| + | admin@ciscoasa:~$ logger -n 10.3.0.84 -P 1025 "testing syslog from ftd" | ||
| + | </code> | ||
| - | Test also with another website, like coinmarketcap.com. Is it blocked? Why/why not? | + | Next, go to FDM and configure syslog for client. There are 3 important parts here: |
| - | == b) Add an access rule == | + | 1. create the syslog server object |
| - | The purpose of this exercise is to understand how we must be very sure about the configuration when chaining different policy types. | + | 2. enable logging for remote device and select severity level as informational |
| - | Create a new URL object for twitter.com and add it to 'Do not block (Permit)', then create also a new access rule to deny access to URL category 'Social Networking' from inside/inside2 to outside. | + | 3. create a new access policy rule with: |
| + | |||
| + | - in: inside and inside2 | ||
| + | - out: outside | ||
| + | - application: ICMP | ||
| + | - action: ALLOW | ||
| + | - logging: at the end of connection and send connection events to syslog server (configured at step 1). Note that all these events are informational and can also be seen locally on FTD : Monitoring > Events | ||
| - | Try to access from client1/client2 this website. Does it work? | + | <note> |
| + | For more info about syslog-ng, see [[https://www.techrepublic.com/article/how-to-use-syslog-ng-to-collect-logs-from-remote-linux-machines/|here]]. | ||
| + | </note> | ||
| - | === Exercise 3 - Teamviewer not allowed [3p] === | + | === e3. [3p] Teamviewer not allowed === |
| - | We decided to block teamviewer application on our local networks using a new access rule. Moreover, using the syslog server configured last time (see [[https://ocw.cs.pub.ro/courses/sred/laborator_3._dedicated_firewall_security#e7_2p_send_some_logs|here]] the exercise if you did not resolve it) we will send to the server (Linux Router VM) the connection logs when an user tries to access the website/application. | + | We decided to block teamviewer application on our local networks using a new access rule. Moreover, using the syslog server configured above, we will send to the server (Linux Router VM) the connection logs when an user tries to access the website/application. |
| In the same time, we need a way of real time analysis of this logs (the infosec team from the company might want to see which employees are not behaving correctly and may enforce other rules for them). | In the same time, we need a way of real time analysis of this logs (the infosec team from the company might want to see which employees are not behaving correctly and may enforce other rules for them). | ||
