SNAF
Securing Networks with ASA Fundamentals
Volume 2
Version 1.0
Student Guide
Text Part Number: 97-2684-01

DISCLAIMER WARRANTY: THIS CONTENT IS BEING PROVIDED "AS IS." CISCO MAKES AND YOU RECEIVE NO WARRANTIES IN CONNECTION WITH THE CONTENT PROVIDED HEREUNDER, EXPRESS, IMPLIED, STATUTORY OR IN ANY OTHER PROVISION OF THIS CONTENT OR COMMUNICATION BETWEEN CISCO AND YOU. CISCO SPECIFICALLY DISCLAIMS ALL IMPLIED WARRANTIES, INCLUDING WARRANTIES OF MERCHANTABILITY, NON-INFRINGEMENT AND FITNESS FOR A PARTICULAR PURPOSE, OR ARISING FROM A COURSE OF DEALING, USAGE OR TRADE PRACTICE.

This learning product may contain early release content, and while Cisco believes it to be accurate, it falls subject to the disclaimer above.

Printed in Canada

Table of Contents, Volume 2

Lesson 9: Configuring AAA for Cut-Through Proxy
  Overview
  Objectives
  Introduction to AAA
    Authentication
    Authorization
    Accounting
  Configuring the Local User Database
  Installation of Cisco Secure ACS for Windows 2000
  Cut-Through Proxy Authentication Configuration
  Authentication for Access to Resources Example
  Authentication Prompts and Timeouts
  Authorization Configuration
  Accounting Configuration
  Summary

Lesson 10: Configuring the Cisco Modular Policy Framework
  Overview
  Objectives
  Modular Policy Framework Overview
  Class Map Overview
  Policy Map Overview
  Configuring Modular Policies with Cisco ASDM
  Configuring a Policy for Management Traffic
  Displaying Modular Policy Framework Components
  Summary

Lesson 11: Configuring Advanced Protocol Handling
  Overview
  Objectives
  Advanced Protocol Handling
  Protocol Application Inspection
  Multimedia Support
  Summary

Lesson 12: Configuring Threat Detection
  Overview
  Objectives
  Threat Detection Overview
  Basic Threat Detection
  Scanning Threat Detection
  Configuring and Viewing Threat Detection Statistics
  Summary

Lesson 13: Configuring Site-to-Site VPNs Using Pre-Shared Keys
  Overview
  Objectives
  Secure VPNs
  How IPsec Works
  Preparing to Configure an IPsec VPN
  Create IKE Policies for a Purpose
  Define IKE Policy Parameters
  Configuring a Site-to-Site VPN Using Pre-Shared Keys
  Modifying the Site-to-Site VPN Configuration
  Test and Verify VPN Configuration
  Summary

Lesson 14: Configuring Security Appliance Remote-Access VPNs
  Overview
  Objectives
  Introduction to Cisco Easy VPN
  Overview of Cisco VPN Client
  Transparent Tunneling
  Allowing Local LAN Access
  Adjusting the Peer Response Timeout Value
  Configuring Remote-Access VPNs
  Configuring Users and Groups
  Summary

Lesson 15: Configuring SSL VPN
  Overview
  Objectives
  SSL VPN Overview
  Using the SSL VPN Wizard to Configure Clientless SSL VPN
  Verifying Clientless SSL VPN Operations
  Summary

Lesson 16: Configuring Transparent Firewall Mode
  Overview
  Objectives
  Transparent Firewall Mode Overview
  How Data Traverses a Security Appliance in Transparent Mode
  Configuring Transparent Firewall Mode
  Monitoring and Maintaining Transparent Firewall Mode
  Summary

Securing Networks with ASA Fundamentals (SNAF) v1.0 © 2008 Cisco Systems, Inc.

Lesson 9
Configuring AAA for Cut-Through Proxy

Overview

This lesson introduces security appliance authentication, authorization, and accounting (AAA). The lesson also explains how to configure each component (authentication, authorization, and accounting) on a Cisco security appliance.

Objectives

Upon completing this lesson, you will be able to define, configure, and monitor AAA in Cisco security appliances.
This ability includes being able to meet these objectives:

- Define AAA functions
- Configure the local user database
- Install and configure Cisco Secure ACS
- Define and configure cut-through proxy authentication
- Define and configure user authorization using downloadable ACLs
- Define and configure accounting

Introduction to AAA

This topic introduces the concepts of AAA and how Cisco security appliances support them.

Authentication, Authorization, and Accounting

AAA is used to tell the security appliance who the user is (authentication), what the user can do (authorization), and what the user did (accounting). Authentication is valid without authorization, but authorization is never valid without authentication. In the figure, a Cisco Secure Access Control Server (ACS) works with the security appliance to provide AAA.

Suppose you have 100 users and you want only 6 of these users to be able to access internal network resources from the outside using FTP, Telnet, HTTP, or HTTPS. You can configure the security appliance to authenticate inbound traffic and give each of the six users their own identification on the AAA server. With simple authentication, these six users are authenticated with a username and password. When any of the users attempt to access the internal network, the security appliance prompts them for their username and password, and then passes the username and password to the AAA server. Depending on the server response, the security appliance permits or denies the connection. The 6 users will be permitted access to the internal network, but the 94 users without authentication will be denied access.

Suppose you want to allow one of these users, BADUSER, to use only HTTP, but not Telnet, to connect to the internal network resources. This means you must add authorization: in addition to authenticating who the users are, you must authorize what they can do.
When you add authorization to the security appliance, it first sends the username and password to the AAA server, then sends an authorization request telling the AAA server which command BADUSER is trying to use. With the server set up properly, BADUSER is allowed to use HTTP but is not allowed to use Telnet.

Types of Authentication

Figure: Types of Authentication. Access to the security appliance; access through the security appliance (cut-through proxy); VPN tunnel access.

Authentication

There are three types of authentication: security appliance console access, cut-through proxy, and tunnel access.

Security Appliance Console Access

Security appliance console access authentication enables you to require authentication verification for users wishing to access the security appliance. In the top example in the figure, a remote administrator is attempting to access the security appliance via Secure Shell (SSH) Protocol from the home office of the user while a local administrator is attempting to access the security appliance via Telnet. Both users must be authenticated before they are permitted to access the security appliance.

Cut-Through Proxy

For cut-through proxy authentication, which is the focus of this lesson, the security appliance can be configured to require user authentication for a session through the security appliance, as specified in the aaa authentication command. A user at a given IP address needs to authenticate only one time, until the authentication session expires. For example, if you configure the security appliance to authenticate Telnet and FTP, and a user first successfully authenticates for Telnet, as long as the authentication session exists, the user does not have to also authenticate for FTP.
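The cut-through proxy behaviour described above (prompt once per source IP, then reuse the authenticated session for the other authenticated protocols until it expires) can be modelled in a few lines. The following Python is an added example written for this lesson; it is not Cisco code and not the appliance's implementation. The AAAServer stub, the CutThroughProxy class, the 300-second absolute session lifetime (chosen to match the appliance's default timeout uauth of 5 minutes) and the sample users and addresses are all assumptions made for the example.

```python
from dataclasses import dataclass, field
import hmac


@dataclass
class AAAServer:
    """Stub of the AAA server (Cisco Secure ACS in the lesson): username -> password.
    Constructed sample data; a real server stores hashes and speaks TACACS+ or RADIUS."""
    credentials: dict

    def authenticate(self, username: str, password: str) -> bool:
        expected = self.credentials.get(username)
        if expected is None:
            return False
        return hmac.compare_digest(expected.encode(), password.encode())


@dataclass
class CutThroughProxy:
    """The appliance side: which protocols need authentication, and the
    per-source-IP authentication sessions it remembers."""
    server: AAAServer
    auth_protocols: frozenset        # e.g. {"telnet", "ftp"}, from the aaa authentication rules
    uauth_timeout: int = 300         # absolute session lifetime in seconds (assumed value;
                                     # the appliance's default timeout uauth is 5 minutes)
    sessions: dict = field(default_factory=dict)   # src_ip -> (username, expiry)

    def handle(self, src_ip: str, protocol: str, now: int, credentials=None) -> str:
        """Decision for the first packet of a new flow from src_ip:
        'not_required' (protocol not subject to authentication),
        'permit', 'deny', or 'prompt' (appliance asks for username/password)."""
        if protocol not in self.auth_protocols:
            return "not_required"
        session = self.sessions.get(src_ip)
        if session is not None:
            if now < session[1]:
                return "permit"          # already authenticated from this IP, session still valid
            del self.sessions[src_ip]    # expired: the user must authenticate again
        if credentials is None:
            return "prompt"
        username, password = credentials
        if self.server.authenticate(username, password):
            self.sessions[src_ip] = (username, now + self.uauth_timeout)
            return "permit"
        return "deny"


def demo() -> list:
    # Constructed sample: 6 of the 100 users (user1..user6) have accounts on the server.
    acs = AAAServer({f"user{i}": f"Pass{i}word!" for i in range(1, 7)})
    proxy = CutThroughProxy(acs, frozenset({"telnet", "ftp"}))
    return [
        proxy.handle("203.0.113.10", "telnet", now=0),                                       # prompt
        proxy.handle("203.0.113.10", "telnet", now=1, credentials=("user1", "Pass1word!")),  # permit
        proxy.handle("203.0.113.10", "ftp", now=60),      # permit: same IP, session still valid
        proxy.handle("203.0.113.10", "ftp", now=400),     # prompt: absolute timeout has passed
        proxy.handle("203.0.113.20", "telnet", now=0, credentials=("user50", "guess")),  # deny
        proxy.handle("203.0.113.20", "http", now=0),      # not_required: http is not in the auth rules
    ]
```

The third call is the point of the lesson's example: an FTP flow from an address that already authenticated for Telnet is permitted without a second prompt. The fourth call shows the other half of the rule: once the absolute timeout has passed, the same address is prompted again.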
The security appliance can be configured to directly authenticate HTTP, HTTPS, Telnet, and FTP cut-through sessions. In the second example in the figure, a remote user is attempting an HTTP session with the web server. Because the user is authenticated by the security appliance, the HTTP session to the web server is connected via cut-through proxy authentication. Once the security appliance successfully authenticates the user, the security appliance then shifts the session flow, and all traffic flows directly between the server and the client while the security appliance maintains the session state information.

Tunnel Access

For virtual private network (VPN) tunnel access authentication, the security appliance can be configured to require a remote tunnel user to authenticate before full tunnel establishment. In the second example in the figure, a remote user establishes a VPN tunnel with the corporate office to gain access to the corporate web server. Before the tunnel is fully established, the security appliance will prompt the remote user for a username and password. Once the credentials are verified, the remote user tunnel is fully established and the remote user is allowed to access the corporate web server.

Types of Authorization

Figure: Types of Authorization.
- Console access: Specifies whether command execution is subject to authorization
- Cut-through proxy: Specifies what "through" services are subject to authorization
- Tunnel access: Specifies what "tunnel" services are authorized

Authorization

There are also three types of authorization: security appliance console access, cut-through proxy, and tunnel access.

Security Appliance Console Access

Security appliance console access authorization allows you to facilitate and control administration access (such as serial, SSH, and Telnet access), including who can access the security appliance and which commands they can execute.
The administrator assigns commands to a privilege level. The administrator then creates user accounts and links a privilege level to each user. When console users attempt to access the security appliance console, they are prompted for a username and password. Once they are authenticated, console users are granted the access level privileges assigned to their respective user accounts.

If the administrator wants to allow all authenticated users to perform all HTTP, HTTPS, FTP, and Telnet operations through the security appliance, authentication is sufficient and authorization is not needed. However, if there is reason to allow only some subset of users, or to limit users to certain sites and protocols, authorization is needed.

Cut-Through Proxy

The security appliance supports two basic methods of user authorization for cut-through proxy:

- The security appliance is configured with rules specifying which connections need to be authorized by the AAA server. When the first packet of a traffic flow matches a predefined rule, the AAA server is consulted by the security appliance for access rights. The AAA server returns a "permit" or "deny" authorization message.
- The security appliance is configured with rules that specify which connections need to be authenticated by the AAA server. The AAA server is configured with authorization rules that are assigned to the authenticating user. The authorization rules come in the form of access control lists (ACLs). An ACL is attached to the user or group profile on the AAA server. When the first packet of a traffic flow matches a predefined rule, the AAA server is consulted by the security appliance for access rights, which are either permitted or denied. During the authentication process, if the end user is authenticated, the Cisco Secure ACS downloads an ACL to the security appliance. The ACL is applied to the traffic flow.
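The two authorization methods just listed, as an added example written for this lesson (not Cisco code): in method 1 the appliance asks the AAA server for a permit or deny answer per flow, and in method 2 the appliance applies the user's downloadable ACL itself, first match wins, with the implicit deny that ends every ACL. The BADUSER and user1 profiles, the simplified CIDR form of the ACL entries (not the appliance's exact access-list syntax), and the sample flows are constructed for the example; only TCP flows are modelled.

```python
from ipaddress import ip_address, ip_network

# Method 1: the AAA server answers "permit"/"deny" for (user, service).
SERVER_SERVICE_POLICY = {          # constructed ACS user profiles
    "BADUSER": {"http"},           # the lesson's example: HTTP only, no Telnet
    "user1": {"http", "https", "ftp", "telnet"},
}


def server_authorize(username: str, service: str, authenticated: bool) -> str:
    """Authorization is never valid without authentication, so an
    unauthenticated request is denied before the profile is consulted."""
    if not authenticated:
        return "deny"
    allowed = SERVER_SERVICE_POLICY.get(username, set())
    return "permit" if service in allowed else "deny"


# Method 2: a downloadable ACL evaluated on the appliance, first match wins.
def parse_acl(lines):
    """Parse entries of the constructed form
       '<permit|deny> tcp <src-cidr|any> <dst-cidr|any> [eq <service>]'
       into (action, proto, src_net, dst_net, service) tuples."""
    entries = []
    for line in lines:
        tokens = line.split()
        action, proto, src, dst = tokens[:4]
        service = tokens[5] if len(tokens) > 4 and tokens[4] == "eq" else None
        entries.append((action, proto, _net(src), _net(dst), service))
    return entries


def _net(token: str):
    return None if token == "any" else ip_network(token, strict=False)


def acl_permits(entries, src_ip: str, dst_ip: str, service: str) -> bool:
    src, dst = ip_address(src_ip), ip_address(dst_ip)
    for action, _proto, s_net, d_net, svc in entries:
        if s_net is not None and src not in s_net:
            continue
        if d_net is not None and dst not in d_net:
            continue
        if svc is not None and svc != service:
            continue
        return action == "permit"     # first matching entry decides
    return False                      # implicit deny at the end of every ACL


DOWNLOADABLE_ACLS = {   # constructed per-user ACLs, as the ACS would hand them down at login
    "BADUSER": ["permit tcp any 10.0.1.0/24 eq http",
                "deny tcp any any"],
}


def demo():
    method1 = [server_authorize("BADUSER", "http", True),     # permit
               server_authorize("BADUSER", "telnet", True),   # deny: not in profile
               server_authorize("BADUSER", "http", False)]    # deny: not authenticated
    acl = parse_acl(DOWNLOADABLE_ACLS["BADUSER"])
    method2 = [acl_permits(acl, "203.0.113.5", "10.0.1.11", "http"),     # True
               acl_permits(acl, "203.0.113.5", "10.0.1.11", "telnet"),   # False: hits deny any
               acl_permits(acl, "203.0.113.5", "10.0.2.11", "http")]     # False: wrong subnet
    return method1, method2
```

The second method is worth tracing by hand once: the Telnet flow skips the first entry because the service does not match, then hits the explicit deny; the HTTP flow to 10.0.2.11 skips the first entry on destination and is also denied. Leaving out the trailing deny would change nothing here, because the implicit deny catches the same flows.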
The Cisco Secure ACS has the ability to store ACLs and download them to the security appliance.

Tunnel Access

When remote users attempt to establish a tunnel to the security appliance, the administrator can force the tunnel users to authenticate before granting them access to the security appliance. When a tunnel user authenticates, the security appliance retrieves tunnel authorization information for the defined user or group. Tunnel authorization information can include such information as VPN access hours, simultaneous logins, client block rules, personal computer firewall type, idle timeout, and so on. The tunnel user or group information is applied to the tunnel before the tunnel is fully established.

Types of Accounting

Figure: Types of Accounting. Security appliance console access; access through the security appliance (cut-through proxy); tunnel connections (IPsec and SSL VPN).

Accounting

An administrator can configure the security appliance to enable accounting for specific network services. Accounting records are generated to track the initiation and termination of predefined sessions. The security appliance also can be configured to generate accounting records for configuration changes. For example, accounting records can track when a Telnet user logged in to the security appliance, at what privilege level, what configuration commands were entered, and when the session was terminated. It can track the beginning and end of a web session between a remote user and the corporate demilitarized zone (DMZ) web server. It can also be used to track remote tunnel access, when it started and finished. These records are kept on the designated AAA server or servers. Accounting can be enabled for security appliance console access, cut-through proxy, and IP Security (IPsec) and Secure Sockets Layer (SSL) VPN tunnel connections.
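What the administrator actually receives from accounting is a stream of start, stop and command records that has to be paired back into sessions before it can be reviewed. The following Python is an added example for this lesson, not Cisco code and not the Cisco Secure ACS report format: it uses a constructed, pipe-separated record layout and constructed sample records (a console login with two configuration commands, a cut-through HTTP session, and an FTP session that never stops) to pair starts with stops, compute durations, count commands per console session, and flag sessions with no stop record.

```python
# Constructed record layout: type|timestamp|user|src_ip|service|session_id[|command]
SAMPLE_RECORDS = """\
start|1000|admin1|10.0.0.5|telnet-console|101
start|1010|user1|203.0.113.10|http|102
cmd|1020|admin1|10.0.0.5|telnet-console|101|configure terminal
cmd|1025|admin1|10.0.0.5|telnet-console|101|username bob privilege 2
stop|1100|user1|203.0.113.10|http|102
stop|1200|admin1|10.0.0.5|telnet-console|101
start|1300|user2|203.0.113.11|ftp|103
"""


def parse_records(text: str) -> list:
    """Turn the constructed text format into dicts; blank lines are ignored."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        fields = line.split("|")
        rec = {"type": fields[0], "time": int(fields[1]), "user": fields[2],
               "src": fields[3], "service": fields[4], "session": fields[5]}
        if rec["type"] == "cmd":
            rec["command"] = fields[6]
        records.append(rec)
    return records


def build_sessions(records: list) -> dict:
    """Group records by session id. A session that never received a stop
    record keeps stop=None so that it stands out in review."""
    sessions = {}
    for rec in records:
        s = sessions.setdefault(rec["session"], {
            "user": rec["user"], "src": rec["src"], "service": rec["service"],
            "start": None, "stop": None, "commands": []})
        if rec["type"] == "start":
            s["start"] = rec["time"]
        elif rec["type"] == "stop":
            s["stop"] = rec["time"]
        elif rec["type"] == "cmd":
            s["commands"].append(rec["command"])
    return sessions


def summarize(sessions: dict) -> dict:
    """Per session: (user, service, duration in seconds or None if open, command count)."""
    out = {}
    for sid, s in sessions.items():
        duration = None if s["stop"] is None or s["start"] is None else s["stop"] - s["start"]
        out[sid] = (s["user"], s["service"], duration, len(s["commands"]))
    return out


def open_sessions(sessions: dict) -> list:
    """Session ids with a start but no stop record, sorted for stable output."""
    return sorted(sid for sid, s in sessions.items() if s["stop"] is None)


def demo():
    sessions = build_sessions(parse_records(SAMPLE_RECORDS))
    return summarize(sessions), open_sessions(sessions)
```

Run demo() and session 103 shows up in the open list: a start with no matching stop is either a session still in progress or a lost record, and either way it is the entry an operator should look at first.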
Configuring the Local User Database

This topic explains how to configure local user accounts on the Cisco ASA security appliance.

You can configure a local database in the Cisco ASA security appliance if you are not using an external AAA server, such as an ACS server, or if you want to use the local database in the Cisco ASA security appliance as a backup if the AAA server is down. You can create user accounts with passwords in the Cisco ASA security appliance local database, or you can create user accounts with no password. You can use the local database for command-line interface (CLI) access authentication, privileged mode authentication, command authorization, network access authentication, and VPN authentication and authorization. You cannot use the local database for network access authorization. The local database does not support accounting.

Note: CLI access authentication and command authorization are covered later in this course. VPN authentication and authorization are covered in the Securing Networks with ASA Advanced (SNAA) course.

To create user accounts in the local database, complete the following steps:

Step 1 Click Configuration in the Cisco Adaptive Security Device Manager (ASDM) toolbar.

Step 2 Choose Device Management from the navigation pane.

Step 3 Expand the Users/AAA menu.

Step 4 Choose User Accounts. The User Accounts panel is displayed. From this panel, you can access the Add User Account window to add a user account. You can also change the enable password from this panel by changing the password for the enable_15 user. The enable_15 user is always present in this panel and represents the default username.

Step 5 Click Add.
The Add User Account window opens.

Adding Users to the Local Database (Cont.)

Step 6 Enter the username for the account in the Username field. In the figure, the username "admin1" is entered.

Step 7 Enter a password in the Password field. The minimum password length is 4 characters, and the maximum is 32 characters. A password length of at least 8 characters is recommended. Passwords are case-sensitive. When you enter a password, the Password field displays only asterisks. In the figure, the password "cisco123" is entered.

Step 8 Enter the password again in the Confirm Password field. When you enter the password, the Confirm Password field displays only asterisks. In the figure, the password cisco123 is entered again.

Step 9 Click OK.

Step 10 Click Apply in the User Accounts panel.

You can use the Edit User Account window to change the password for a user account. To access this window, select the account in the User Accounts panel and click Edit.

Note: The default privilege level is 2. Privilege levels are discussed later in this course.
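The rules the steps above state (password between 4 and 32 characters with 8 or more recommended, case-sensitive passwords, accounts allowed with no password, a default privilege level of 2, and an enable_15 account that is always present and whose password is the enable password) as an added Python model written for this lesson. It is not Cisco code: the LocalUserDatabase class and its sample accounts are assumptions made here, and storing passwords as salted PBKDF2-SHA256 hashes is an assumption for the example only; the page does not describe how the appliance stores passwords.

```python
import hashlib
import hmac
import os

MIN_LEN, MAX_LEN, RECOMMENDED_LEN = 4, 32, 8   # limits stated in Step 7
DEFAULT_PRIVILEGE = 2                          # default privilege level from the Note
ENABLE_USER = "enable_15"                      # always present; its password is the enable password


def _hash(password: str, salt: bytes) -> bytes:
    # Assumed storage scheme for this example (salted PBKDF2-SHA256), not the appliance's own.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000)


def _check_length(password: str) -> list:
    """Raise on an illegal length; return warnings for a legal but weak one."""
    if not MIN_LEN <= len(password) <= MAX_LEN:
        raise ValueError(f"password must be {MIN_LEN}-{MAX_LEN} characters")
    if len(password) < RECOMMENDED_LEN:
        return [f"shorter than the recommended {RECOMMENDED_LEN} characters"]
    return []


class LocalUserDatabase:
    def __init__(self):
        self.users = {}
        # enable_15 exists from the start, initially with no password set.
        self.add_user(ENABLE_USER, privilege=15)

    def add_user(self, username: str, password=None, privilege: int = DEFAULT_PRIVILEGE) -> list:
        """Accounts may be created with no password (password=None)."""
        if username in self.users:
            raise ValueError(f"user {username} already exists")
        warnings = [] if password is None else _check_length(password)  # validate before inserting
        self.users[username] = {"privilege": privilege, "salt": None, "hash": None}
        if password is not None:
            self.set_password(username, password)
        return warnings

    def set_password(self, username: str, password: str) -> list:
        """Used by both Add User Account and Edit User Account; setting the
        password of enable_15 is how the enable password is changed."""
        warnings = _check_length(password)
        salt = os.urandom(16)
        self.users[username].update(salt=salt, hash=_hash(password, salt))
        return warnings

    def verify(self, username: str, password: str) -> bool:
        """Case-sensitive check in constant time; an account without a
        password set never verifies here."""
        u = self.users.get(username)
        if u is None or u["hash"] is None:
            return False
        return hmac.compare_digest(u["hash"], _hash(password, u["salt"]))

    def privilege(self, username: str) -> int:
        return self.users[username]["privilege"]


def demo() -> dict:
    db = LocalUserDatabase()
    db.add_user("admin1", "cisco123")            # the account created in the figure
    db.set_password(ENABLE_USER, "EnablePw!1")   # constructed enable password
    try:
        db.add_user("tooshort", "abc")           # 3 characters: below the minimum
        rejected = False
    except ValueError:
        rejected = True
    return {
        "admin1_ok": db.verify("admin1", "cisco123"),
        "case_sensitive": db.verify("admin1", "CISCO123"),   # wrong case must fail
        "default_privilege": db.privilege("admin1"),
        "enable_ok": db.verify(ENABLE_USER, "EnablePw!1"),
        "too_short_rejected": rejected,
        "tooshort_absent": "tooshort" not in db.users,       # rejected account was never stored
        "warn_short": db.add_user("bob", "abcd"),             # legal but under 8: warning only
    }
```

The length check runs before the account is inserted, so a rejected password never leaves a half-created user behind; that is the small edge case worth copying if you script account creation against any user store.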
