connect AD to ISE

1- Verify basic functionality and DNS

2- Join ISE to AD

3- Make an Identity Source Sequences

Go to Administration > External Identity Sources, choose Active Directory and click Add. Enter the AD information; you will probably be prompted for a username and password, so enter your AD administrator credentials in the prompt.

Then, if everything goes well, ISE successfully joins the Active Directory domain.

You can verify the join by going back to Active Directory and checking the Computers container: as shown in the picture, the ISE node should appear there as a computer object.

Now we can tell ISE to authenticate against AD first and, if the user is not found there, fall back to the local database. To change the order you have to create an Identity Source Sequence.

In the Name box enter a name of your choice, then in the Selected list add AD first and Internal Users second. Finally, select the “Treat as if the user was not found and proceed to the next store in the sequence” option and save.

Now go to Policy > Authentication Policy and, under Use, select the Identity Source Sequence you just created, “first_AD_then_local”.

To test, you can create a new user in AD.

As you can see, the user logs show a successful login.
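To make the behaviour of the sequence concrete, here is a small model of an identity source sequence. It is an added example, not ISE code: the store names, result codes and the tiny user tables are constructed for the demo. It shows the two rules that matter operationally: a user that is not found in AD falls through to Internal Users, but a wrong password in AD ends the sequence (Internal Users is never consulted for that account), and the “treat as if the user was not found” option is what lets the sequence continue when AD is unreachable.

```python
"""Model of an ISE-style Identity Source Sequence.

Added example, not ISE code: it shows how the "first_AD_then_local" order and the
"treat as if the user was not found and proceed to the next store" option decide
which store answers an authentication. The store names, result codes and the tiny
user databases below are constructed for the demo.
"""
from enum import Enum, auto


class Result(Enum):
    SUCCESS = auto()      # user found and password correct
    FAILED = auto()       # user found but password wrong: the sequence stops here
    NOT_FOUND = auto()    # user not in this store: try the next store
    UNREACHABLE = auto()  # the store could not be contacted


class Store:
    """One identity store (AD, Internal Users, ...) with a constructed user table."""

    def __init__(self, name, users, reachable=True):
        self.name = name
        self.users = users          # {username: password}, demo data only
        self.reachable = reachable

    def authenticate(self, user, password):
        if not self.reachable:
            return Result.UNREACHABLE
        if user not in self.users:
            return Result.NOT_FOUND
        return Result.SUCCESS if self.users[user] == password else Result.FAILED


def authenticate_sequence(stores, user, password, proceed_on_unreachable=True):
    """Walk the stores in order and return (result, name of the store that decided).

    proceed_on_unreachable=True models the option selected in the GUI: an
    unreachable store is treated as "user not found" and the next store is tried.
    A wrong password (FAILED) ends the sequence immediately; later stores are never
    consulted, so Internal Users cannot act as a second guess for an AD account.
    """
    for store in stores:
        result = store.authenticate(user, password)
        if result is Result.UNREACHABLE and proceed_on_unreachable:
            continue
        if result is Result.NOT_FOUND:
            continue
        return result, store.name
    return Result.NOT_FOUND, None


# Constructed stores in the order of the "first_AD_then_local" sequence.
AD = Store("AD", {"hamid": "CorrectHorse"})
INTERNAL = Store("Internal Users", {"localadmin": "LocalOnly"})
FIRST_AD_THEN_LOCAL = [AD, INTERNAL]

if __name__ == "__main__":
    for user, pw in [("hamid", "CorrectHorse"), ("hamid", "wrong"), ("localadmin", "LocalOnly")]:
        print(user, authenticate_sequence(FIRST_AD_THEN_LOCAL, user, pw))
```

Flip `reachable=False` on the AD store to see the difference the option makes: with it, a local account still logs in while AD is down; without it, every authentication fails with a process error at the AD step.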


802.1X MAC Authentication Bypass (MAB)

First, configure the interface connected to the endpoint. Previously we configured the interface as below:

SW(config)#int gi1/0/2

SW(config-if)#switchport mode access
SW(config-if)#authentication host-mode multi-auth
SW(config-if)#authentication open
SW(config-if)#dot1x pae authenticator
SW(config-if)#dot1x timeout tx-period 10
SW(config-if)#authentication port-control auto
SW(config-if)#authentication periodic
SW(config-if)#authentication timer reauthenticate server

Now, add this configuration for the interface:

SW(config-if)#mab
SW(config-if)#authentication order mab dot1x
SW(config-if)#authentication priority dot1x mab

The result:

SW#sh authentication sessions int gi1/0/2

Interface MAC Address Method Domain Status Fg Session ID
———————————————————————-
Gi1/0/2 b8ca.3a7e.0f5a N/A UNKNOWN Unauth C0A80AFC00000FB4034126C2

Key to Session Events Blocked Status Flags:

A – Applying Policy (multi-line status for details)
D – Awaiting Deletion
F – Final Removal in progress
I – Awaiting IIF ID allocation
N – Waiting for AAA to come up
P – Pushed Session
R – Removing User Profile (multi-line status for details)
U – Applying User Profile (multi-line status for details)
X – Unknown Blocker

Runnable methods list:
Handle Priority Name
16 5 dot1x
18 10 mab
21 15 webauth
–More–


And if you check on the ISE:

802.1x wired authentication

SWTEST(config)#aaa authentication dot1x default group radius
SWTEST(config)#aaa accounting dot1x default start-stop group radius
SWTEST(config)#aaa authorization network default group radius
SWTEST(config)#radius-server attribute 8 include-in-access-req
SWTEST(config)#! enable dot1x globally
SWTEST(config)#dot1x system-auth-control
SWTEST(config)#int gi1/0/2
SWTEST(config-if)#shut
SWTEST(config-if)#switchport host
switchport mode will be set to access
spanning-tree portfast will be enabled
channel group will be disabled

SWTEST(config-if)#authentication host-mode multi-auth
SWTEST(config-if)#authentication open
SWTEST(config-if)#authentication periodic
SWTEST(config-if)#authentication timer reauthenticate server
SWTEST(config-if)#dot1x pae authenticator
SWTEST(config-if)#dot1x timeout tx-period 10
SWTEST(config-if)#authentication port-control auto
SWTEST(config-if)#no shut
SWTEST(config-if)#
SWTEST(config-if)#
SWTEST(config-if)#exit
SWTEST(config)#do sh dot1x all
Sysauthcontrol Enabled
Dot1x Protocol Version 3

Dot1x Info for GigabitEthernet1/0/2
———————————–
PAE = AUTHENTICATOR
QuietPeriod = 60
ServerTimeout = 0
SuppTimeout = 30
ReAuthMax = 2
MaxReq = 2
TxPeriod = 10

How to Connect ISE to Switch

SW1(config)#enable secret YourPassword
SW1(config)#aaa new-model
SW1(config)#aaa authentication login default enable

SW1(config)#radius server ISE
SW1(config-radius-server)#address ipv4 192.168.10.6 auth port 1812 acct-port 1813
SW1(config-radius-server)# key …..

SW1(config)#aaa group server radius ISE-group
SW1(config-sg-radius)#server name ISE

SW1(config)#radius-server vsa send authentication

SW1#test aaa group ISE-group hamid YourPassword new-code


Cisco ASA troubleshooting commands

AAA

debug radius
debug tacacs
show aaa-server protocol PROTOCOL_NAME
test aaa-server

Access Control Lists

show access-list
show run | include ACCESS_LIST_NAME
show run object-group
show run time-range

Application Inspection

show conn state STATE_TYPE detail
show service-policy

Configuring Interfaces

show firewall
show int
show int ip brief
show ip
show mode
show nameif
show run interface INTERFACE_NAME
show version

Connections and Translations

clear xlate
show conn
show conn detail
show local-host all
clear local-host all (clears all connections)
show log
show run | begin policy-map
show run global
show run nat
show xlate
test regex

Failover

debug fo rxip
debug fo txip
show failover
show ip

IP Routing

debug ospf event
debug rip
show ospf database
show ospf interface
show ospf neighbor
show ospf PROCESS_ID
show ospf virtual-links
show route

Multicast

show igmp interface
show mroute
show pim interface
show pim neighbor

PKI

debug crypto ca messages
debug crypto ca transactions
show crypto ca certificates
show crypto ca crls
show crypto key mypubkey rsa

Quality of Service

show priority-queue statistics
show run class-map
show run policy-map
show service-policy global
show service-policy interface INTERFACE_NAME
show service-policy priority
show service-policy shape

Security Contexts

show admin-context
show context
show mode

System Management

show clock
show crypto key mypubkey rsa
show logging
show ntp status
show running-config
show snmp-server statistics
show ssh sessions
show startup-config

Transparent Firewall

debug arp-inspection
debug l2-indication
debug mac-address-table
show access-list
show arp-inspection
show conn
show firewall
show mac-address-table

VPNs

debug crypto ipsec
debug crypto isakmp
show crypto ipsec sa
show crypto isakmp sa detail
show route

WebVPN

debug menu webvpn
debug ssl cipher
show vpn-sessiondb summary
show vpn-sessiondb webvpn


Useful Commands

(config)#more system:running-config | inc pre-shared
(config)# vpnsetup

Zone-Based Firewall

Introduction

The Cisco IOS Zone-Based Firewall is one of the most advanced forms of stateful firewall available on Cisco IOS devices. The Zone-Based Firewall (ZBFW) is the successor of the Classic IOS Firewall, or CBAC (Context-Based Access Control). Cisco first implemented a router-based stateful firewall in CBAC, which used the ip inspect command to inspect traffic at layer 4 and layer 7.

Even though ASA devices are the dedicated firewall platform, Cisco integrated firewall functionality into the router, which makes the firewall a cost-effective device. The Zone-Based Firewall added many features that are not available in CBAC. ZBFW is built around security zones: router interfaces are assigned to security zones, traffic is controlled between the zones, and it is dynamically inspected as it passes from one zone to another. In addition to all the features of the Classic IOS Firewall, the Zone-Based Firewall supports Application Inspection and Control for HTTP, POP3, Sun RPC, IM applications and P2P file sharing.

For advanced configuration of IOS Zone Based Firewall refer http://yadhutony.blogspot.in/2013/08/zone-based-firewall-advanced_4036.html

Zone Based Firewall Vs CBAC

CBAC                                                 | Zone Based Firewall
-----------------------------------------------------|----------------------------------------------
Interface based configuration                        | Zone based configuration
Controls inbound and outbound access on an interface | Controls bidirectional access between zones
Uses inspect statements and stateful ACLs            | Uses Class-Based Policy language
Not supported                                        | Supports Application Inspection and Control
Supported from IOS Release 11.2                      | Supported from IOS Release 12.4(6)T
This document will guide you through configuring a basic Zone-Based Policy Firewall on an IOS router. I am going to divide the entire configuration into logical sets and finally combine them to get the full configuration.

ZBFW Configuration Procedure

Below are the configuration tasks that you need to follow:

  1. Configure Zones
  2. Assign Router Interfaces to zones
  3. Create Zone Pairs
  4. Configure Interzone Access Policy (Class Maps & Policy Maps)
  5. Apply Policy Maps to Zone Pairs

Configuration Scenario

Figure 1. Network diagram (image zbf_ntwrk_dgm.jpg, not reproduced here)

In this example we have three zones.

  • Inside Zone – Private LAN
  • DMZ Zone – DMZ hosts
  • Outside Zone – Internet

Here I am defining a rule set for our ZBFW:

1. From Inside to Outside: HTTP, ICMP and POP3 are allowed

2. From Outside to Inside: ICMP is allowed

3. From Inside to DMZ: HTTP and ICMP are allowed

4. From Outside to DMZ: HTTP is allowed

Default Rules of Zone Based Firewall

  1. Interzone communication is denied: traffic between interfaces that are in different zones is dropped unless we specify a firewall policy.
  2. Intrazone communication is allowed: traffic flows implicitly between interfaces that are in the same zone.
  3. All traffic to the self zone is allowed.

The self zone is created automatically by the router when we create the other zones of a Zone-Based Firewall.

Task 1 : Configure Zones

In this example (refer to Figure 1) we have three zones: INSIDE, OUTSIDE and DMZ.

To configure zones on a router, connect to the router via PuTTY or the console, switch to global configuration mode and type the commands below:

Router(config)#zone security INSIDE

Router(config)#zone security OUTSIDE

Router(config)#zone security DMZ


Task 2 : Assign Router Interfaces to Zones

We have to assign each router interface to a particular zone. Here I am going to assign GigabitEthernet 0/0 to the INSIDE zone, Ge0/1 to the OUTSIDE zone and Ge0/2 to the DMZ zone.

To achieve this, go to the particular interface and attach it to the zone. Type the commands below:

Router(config)#interface gigabitEthernet 0/0

Router(config-if)#zone-member security INSIDE

Router(config)#interface gigabitEthernet 0/1

Router(config-if)#zone-member security OUTSIDE

Router(config)#interface gigabitEthernet 0/2

Router(config-if)#zone-member security DMZ


Now if you try to ping one zone from another, the traffic will be denied because of the default firewall policy.

Task 3 : Create Zone Pairs

Zone pairs are created to connect the zones. If you want two zones to communicate you have to create a zone pair. DO NOT create zone pairs for zones that do not need to communicate. In our scenario the traffic flows between:

  • INSIDE to OUTSIDE
  • OUTSIDE to INSIDE
  • OUTSIDE to DMZ
  • INSIDE to DMZ

So we need to create four zone pairs. The command to create a zone pair is as follows:

Router(config)#zone-pair security IN-TO-OUT source INSIDE destination OUTSIDE

Router(config)#zone-pair security OUT-TO-IN source OUTSIDE destination INSIDE

Router(config)#zone-pair security OUT-TO-DMZ source OUTSIDE destination DMZ

Router(config)#zone-pair security IN-TO-DMZ source INSIDE destination DMZ


Task 4 : Configure Interzone Access Policy

The interzone access policy is the key part of a Zone-Based Firewall: this is where we classify the traffic and apply the firewall policies. Class-map and policy-map configuration is carried out in this task.

Class Maps : This will classify the traffic

Policy Maps : This will decide the ‘fate’ of the traffic

Class Map Configuration

A class map sorts the traffic based on one of the following criteria: 1.) an access-group, 2.) a protocol, or 3.) a subordinate class map. In our scenario I am sorting the traffic based on access group, so first we need to create an ACL and associate it with the class map.

a.) Class Map for INSIDE-TO-OUTSIDE

Router(config)#ip access-list extended INSIDE-TO-OUTSIDE

Router(config-ext-nacl)#permit tcp 172.17.0.0 0.0.255.255 any eq www

Router(config-ext-nacl)#permit tcp 172.17.0.0 0.0.255.255 any eq pop3

Router(config-ext-nacl)#permit icmp 172.17.0.0 0.0.255.255 any

Router(config)#class-map type inspect match-all INSIDE-TO-OUTSIDE-CLASS

Router(config-cmap)#match access-group name INSIDE-TO-OUTSIDE

or, alternatively, you can group the protocols as below:

class-map type inspect match-any INSIDE-TO-OUTSIDE-CLASS
 description Allowed_Protocol_From_INSIDE_to_OUTSIDE
 match protocol https
 match protocol dns
 match protocol udp
 match protocol tcp
 match protocol pop3
 match protocol smtp
 match protocol icmp

b.) Class Map for OUTSIDE-TO-INSIDE

Router(config)#ip access-list extended OUTSIDE-TO-INSIDE

Router(config-ext-nacl)#permit icmp any 172.17.0.0 0.0.255.255

Router(config)#class-map type inspect match-all OUTSIDE-TO-INSIDE-CLASS

Router(config-cmap)#match access-group name OUTSIDE-TO-INSIDE

c.) Class Map for OUTSIDE-TO-DMZ

Router(config)#ip access-list extended OUTSIDE-TO-DMZ

Router(config-ext-nacl)#permit tcp any 192.168.1.0 0.0.0.255 eq www

Router(config)#class-map type inspect match-all OUTSIDE-TO-DMZ-CLASS

Router(config-cmap)#match access-group name OUTSIDE-TO-DMZ

d.) Class Map for INSIDE-TO-DMZ

Router(config)#ip access-list extended INSIDE-TO-DMZ

Router(config-ext-nacl)#permit tcp 172.17.0.0 0.0.255.255 192.168.1.0 0.0.0.255 eq www

Router(config-ext-nacl)#permit icmp 172.17.0.0 0.0.255.255 192.168.1.0 0.0.0.255

Router(config)#class-map type inspect match-all INSIDE-TO-DMZ-CLASS

Router(config-cmap)#match access-group name INSIDE-TO-DMZ


Policy-Map Configuration

Policy maps apply the firewall policy to the class maps configured previously. Three actions can be taken against the traffic in the policy-map configuration:

  • Inspect : Dynamically inspect the traffic.
  • Drop : Drop the traffic
  • Pass : Simply forward the traffic.

By default there is a drop policy (the class-default class) at the end of every policy map.

a.) Policy-map for INSIDE-TO-OUTSIDE

Router(config)#policy-map type inspect INSIDE-TO-OUTSIDE-POLICY

Router(config-pmap)#class type inspect INSIDE-TO-OUTSIDE-CLASS

Router(config-pmap)#inspect

Router(config-pmap)#class class-default

Router(config-pmap)#drop log

b.) Policy-map for OUTSIDE-TO-INSIDE

Router(config)#policy-map type inspect OUTSIDE-TO-INSIDE-POLICY

Router(config-pmap)#class type inspect OUTSIDE-TO-INSIDE-CLASS

Router(config-pmap)#pass

Router(config-pmap)#class class-default

Router(config-pmap)#drop log

c.) Policy-map for OUTSIDE-TO-DMZ

Router(config)#policy-map type inspect OUTSIDE-TO-DMZ-POLICY

Router(config-pmap)#class type inspect OUTSIDE-TO-DMZ-CLASS

Router(config-pmap)#inspect

Router(config-pmap)#class class-default

Router(config-pmap)#drop log

d.) Policy-map for INSIDE-TO-DMZ

Router(config)#policy-map type inspect INSIDE-TO-DMZ-POLICY

Router(config-pmap)#class type inspect INSIDE-TO-DMZ-CLASS

Router(config-pmap)#pass

Router(config-pmap)#class class-default

Router(config-pmap)#drop log


Task 5 : Apply policy maps to zone pairs

Now we have to attach the policy maps to the zone pairs that we have already created. The command is as follows:

Router(config)#zone-pair security IN-TO-OUT source INSIDE destination OUTSIDE

Router(config-sec-zone-pair)#service-policy type inspect INSIDE-TO-OUTSIDE-POLICY

Router(config)#zone-pair security OUT-TO-IN source OUTSIDE destination INSIDE

Router(config-sec-zone-pair)#service-policy type inspect OUTSIDE-TO-INSIDE-POLICY

Router(config)#zone-pair security OUT-TO-DMZ source OUTSIDE destination DMZ

Router(config-sec-zone-pair)#service-policy type inspect OUTSIDE-TO-DMZ-POLICY

Router(config)#zone-pair security IN-TO-DMZ source INSIDE destination DMZ

Router(config-sec-zone-pair)#service-policy type inspect INSIDE-TO-DMZ-POLICY


That completes the basic configuration of a zone-based firewall.
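Because the five tasks reference each other by name (ACL from class map, class map from policy map, policy map from zone pair), a typo in any one name silently leaves a zone pair protected only by the implicit drop. The script below is an added example, not part of this document and not a Cisco tool: it holds the rule set of this write-up as data, renders the CLI for Tasks 1 to 5 in order, and then cross-checks every reference before the configuration is pasted into the router. It also flags a zone pair whose policy uses pass without a zone pair for the reverse direction, since pass creates no session state and the replies would be dropped; the data layout, check names and message wording are my own.

```python
"""Render and cross-check the Zone-Based Firewall configuration built in Tasks 1-5.

Added example, not from the original document and not Cisco tooling: it takes the
rule set of this write-up as data, emits the zone / interface / ACL / class-map /
policy-map / zone-pair CLI, and checks the references the way a reviewer would.
"""

ZONES = ["INSIDE", "OUTSIDE", "DMZ"]
INTERFACES = {"GigabitEthernet0/0": "INSIDE",
              "GigabitEthernet0/1": "OUTSIDE",
              "GigabitEthernet0/2": "DMZ"}

# One entry per zone pair: pair name, direction, ACL lines and the action for matches.
RULES = [
    {"pair": "IN-TO-OUT", "src": "INSIDE", "dst": "OUTSIDE", "action": "inspect",
     "acl": ["permit tcp 172.17.0.0 0.0.255.255 any eq www",
             "permit tcp 172.17.0.0 0.0.255.255 any eq pop3",
             "permit icmp 172.17.0.0 0.0.255.255 any"]},
    {"pair": "OUT-TO-IN", "src": "OUTSIDE", "dst": "INSIDE", "action": "pass",
     "acl": ["permit icmp any 172.17.0.0 0.0.255.255"]},
    {"pair": "OUT-TO-DMZ", "src": "OUTSIDE", "dst": "DMZ", "action": "inspect",
     "acl": ["permit tcp any 192.168.1.0 0.0.0.255 eq www"]},
    {"pair": "IN-TO-DMZ", "src": "INSIDE", "dst": "DMZ", "action": "pass",
     "acl": ["permit tcp 172.17.0.0 0.0.255.255 192.168.1.0 0.0.0.255 eq www",
             "permit icmp 172.17.0.0 0.0.255.255 192.168.1.0 0.0.0.255"]},
]


def render_config(zones=ZONES, interfaces=INTERFACES, rules=RULES):
    """Return the IOS CLI lines for Tasks 1-5 as a list of strings."""
    out = [f"zone security {z}" for z in zones]                        # Task 1
    for ifname, zone in interfaces.items():                             # Task 2
        out += [f"interface {ifname}", f" zone-member security {zone}"]
    for r in rules:
        name = f"{r['src']}-TO-{r['dst']}"
        out += [f"ip access-list extended {name}"] + [f" {l}" for l in r["acl"]]
        out += [f"class-map type inspect match-all {name}-CLASS",      # Task 4
                f" match access-group name {name}"]
        out += [f"policy-map type inspect {name}-POLICY",
                f" class type inspect {name}-CLASS", f"  {r['action']}",
                " class class-default", "  drop log"]
        out += [f"zone-pair security {r['pair']} source {r['src']} destination {r['dst']}",
                f" service-policy type inspect {name}-POLICY"]          # Tasks 3 and 5
    return out


def check_config(lines, zones=ZONES):
    """Return a list of findings; an empty list means every reference resolves."""
    acls = {l.split()[-1] for l in lines if l.startswith("ip access-list extended ")}
    cmaps = {l.split()[-1] for l in lines if l.startswith("class-map type inspect ")}
    pmaps = {l.split()[-1] for l in lines if l.startswith("policy-map type inspect ")}
    findings, pmap_actions, pairs, pair_policy = [], {}, {}, {}
    block = None                                    # name of the enclosing CLI block
    for l in lines:
        tok = l.split()
        if l.startswith("class-map type inspect ") or l.startswith("interface "):
            block = tok[-1]
        elif l.startswith("policy-map type inspect "):
            block = tok[-1]
            pmap_actions[block] = set()
        elif l.startswith("zone-pair security "):
            block = tok[2]
            pairs[block] = (tok[4], tok[6])
            findings += [f"zone-pair {block}: unknown zone {z}"
                         for z in (tok[4], tok[6]) if z not in zones]
        elif l.startswith(" zone-member security ") and tok[-1] not in zones:
            findings.append(f"interface {block}: unknown zone {tok[-1]}")
        elif l.startswith(" match access-group name ") and tok[-1] not in acls:
            findings.append(f"class-map {block}: ACL {tok[-1]} is not defined")
        elif l.startswith(" class type inspect ") and tok[-1] not in cmaps:
            findings.append(f"policy-map {block}: class-map {tok[-1]} is not defined")
        elif l.startswith("  ") and block in pmap_actions:
            pmap_actions[block].add(tok[0])         # inspect / pass / drop
        elif l.startswith(" service-policy type inspect "):
            pair_policy[block] = tok[-1]
            if tok[-1] not in pmaps:
                findings.append(f"zone-pair {block}: policy-map {tok[-1]} is not defined")
    for name, (src, dst) in pairs.items():
        if name not in pair_policy:
            findings.append(f"zone-pair {name}: no service-policy, all traffic is dropped")
        # "pass" creates no session state, so replies need their own zone-pair.
        elif "pass" in pmap_actions.get(pair_policy[name], ()) and (dst, src) not in pairs.values():
            findings.append(f"zone-pair {name}: uses pass but there is no {dst}->{src} "
                            f"zone-pair for the return traffic")
    return findings


if __name__ == "__main__":
    cfg = render_config()
    print("\n".join(cfg))
    for f in check_config(cfg):
        print("WARNING:", f)
```

Run as is, the checker reports one finding for this scenario: IN-TO-DMZ uses pass and there is no DMZ-to-INSIDE zone pair, so the DMZ web server's replies to INSIDE clients have no policy and fall under the default interzone drop. Changing that action to inspect (or adding the reverse zone pair) clears it. Re-introducing the INDISE-TO-DMZ-CLASS typo from the original draft produces a second finding for the unresolved class map.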

Troubleshooting

You can use the below commands to perform some basic troubleshooting and verification.

a.) Show commands

show class-map type inspect

show policy-map type inspect

show zone-pair security

b.) Debug Commands

debug policy-firewall detail

debug policy-firewall events

debug policy-firewall protocol tcp

debug policy-firewall protocol udp

Advanced Zone Based Firewall Configuration

Here you can find some examples of advanced Zone Based Firewall configuration.

1. Advanced Zone Based Firewall Configuration : http://yadhutony.blogspot.in/2013/08/zone-based-firewall-advanced_4036.html

2. IOS Content Filtering : http://yadhutony.blogspot.in/2013/02/cisco-ios-local-content-filtering.html

3. P2P and IM Application control : http://yadhutony.blogspot.in/2012/11/how-to-block-p2p-traffic-on-cisco-router.html

You can visit http://www.cisco.com/en/US/docs/ios-xml/ios/sec_data_zbf/configuration/15-1s/sec-zone-pol-fw.html for more details.

Thank you for viewing this document.

Firewall DDOS Policy

Incoming interface

The interface to which this security policy applies. It will be the interface that the traffic is coming into the firewall on.

Source address

This will be the address that the traffic is coming from and must be an address listed in the Address section of the Firewall Objects. This can include the predefined “all” address, which covers any address coming in on any interface. Multiple addresses or address groups can be chosen.

Destination address

This will be the address that the traffic is addressed to. In this case it must be an address that is associated with the firewall itself; for instance it could be one of the interface addresses of the firewall, a secondary IP address or the interface address assigned to a virtual IP. Just as with the source address, this address must already be configured before being used in the DoS policy. Multiple addresses, virtual IPs or virtual IP groups can be chosen.

Service

While the Service field allows the ALL service to be used, some administrators prefer to optimize the firewall's resources and only check the services that will be answered on an interface. Multiple services or service groups can be chosen.

Anomalies

The anomalies cannot be configured by the user. They are predefined sensors set up for specific patterns of anomalous traffic.

The anomalies that have been predefined for use in the DoS Policies are:

Anomaly name      | Condition (the action is executed when the threshold is exceeded)                        | Recommended threshold
------------------|-------------------------------------------------------------------------------------------|--------------------------
tcp_syn_flood     | SYN packet rate of new TCP connections (including retransmissions) to one destination IP  | 2000 packets per second
tcp_port_scan     | SYN packet rate of new TCP connections (including retransmissions) from one source IP     | 1000 packets per second
tcp_src_session   | Number of concurrent TCP connections from one source IP                                   | 5000 concurrent sessions
tcp_dst_session   | Number of concurrent TCP connections to one destination IP                                | 5000 concurrent sessions
udp_flood         | UDP traffic rate to one destination IP                                                    | 2000 packets per second
udp_scan          | Number of UDP sessions originating from one source IP                                     | 2000 packets per second
udp_src_session   | Number of concurrent UDP connections from one source IP                                   | 5000 concurrent sessions
udp_dst_session   | Number of concurrent UDP connections to one destination IP                                | 5000 concurrent sessions
icmp_flood        | Number of ICMP packets sent to one destination IP                                         | 250 packets per second
icmp_sweep        | Number of ICMP packets originating from one source IP                                     | 100 packets per second
icmp_src_session  | Number of concurrent ICMP connections from one source IP                                  | 300 concurrent sessions
icmp_dst_session  | Number of concurrent ICMP connections to one destination IP                               | 3000 concurrent sessions
ip_src_session    | Number of concurrent IP connections from one source IP                                    | 5000 concurrent sessions
ip_dst_session    | Number of concurrent IP connections to one destination IP                                 | 5000 concurrent sessions
sctp_flood        | Number of SCTP packets sent to one destination IP                                         | 2000 packets per second
sctp_scan         | Number of SCTP sessions originating from one source IP                                    | 1000 packets per second
sctp_src_session  | Number of concurrent SCTP connections from one source IP                                  | 5000 concurrent sessions
sctp_dst_session  | Number of concurrent SCTP connections to one destination IP                               | 5000 concurrent sessions

Status

The Status field enables the sensor for the associated anomaly. In terms of the action performed there is no difference between disabling a sensor and setting its action to “Pass”, but by disabling sensors that are not being used for blocking or logging you save firewall resources that can be better used elsewhere.

Logging

Regardless of whether the traffic is blocked or passed through, the anomalous traffic will be logged.

Pass

Allows the anomalous traffic to pass through unimpeded.

Block

For thresholds based on the number of concurrent sessions, blocking the anomaly will not allow more than the number of concurrent sessions set as the threshold.

For rate-based thresholds, where the threshold is measured in packets per second, the “Block” action prevents the firewall from being overwhelmed by anomalous traffic in one of two ways. Which of the two is used is set in the CLI:

  • continuous – blocks any packets that match the anomaly criteria once the threshold has been reached
  • periodical – allows matching anomalous traffic up to the rate set by the threshold.
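The difference between the two block modes is easiest to see on a packet stream. The sensor below is an added example, not FortiGate code: it counts packets per second keyed on the destination address (as a flood sensor such as tcp_syn_flood does) or on the source address (as a scan sensor such as tcp_port_scan does) and applies either block mode. The constructed packet list, the one-second buckets and the rule that a continuous block is released after one full second below the threshold are my own assumptions, not the product's documented internals.

```python
"""Rate-based DoS sensor with "continuous" and "periodical" block behaviour.

Added example, not FortiGate code: it models how a packets-per-second anomaly such
as tcp_syn_flood (counted per destination IP) or tcp_port_scan (counted per source
IP) reacts to the same packet stream under the two block modes. The packet list,
the 1-second buckets and the release rule for a continuous block are assumptions.
"""
from collections import defaultdict


class RateSensor:
    def __init__(self, name, key, threshold_pps, mode="continuous"):
        self.name = name
        self.key = key                   # "dst" for floods, "src" for scans/sweeps
        self.threshold = threshold_pps
        self.mode = mode                 # "continuous" or "periodical"
        self.counts = defaultdict(int)   # (second, address) -> packets seen
        self.tripped = {}                # address -> second in which it crossed the threshold

    def handle(self, pkt):
        """Decide 'pass' or 'block' for one packet given as (timestamp, src_ip, dst_ip)."""
        ts, src, dst = pkt
        addr = src if self.key == "src" else dst
        sec = int(ts)
        self.counts[(sec, addr)] += 1
        n = self.counts[(sec, addr)]
        if self.mode == "periodical":
            # Each second the first `threshold` packets pass and the excess is dropped.
            return "block" if n > self.threshold else "pass"
        # continuous: once the threshold is reached everything matching is blocked
        # until a whole second has passed with the rate back under the threshold.
        if addr in self.tripped and sec > self.tripped[addr] \
                and self.counts[(sec - 1, addr)] <= self.threshold:
            del self.tripped[addr]
        if n > self.threshold:
            self.tripped[addr] = sec
        return "block" if addr in self.tripped else "pass"


def summarize(sensor, packets):
    """Feed packets in time order and return {'pass': n, 'block': m}."""
    verdicts = {"pass": 0, "block": 0}
    for pkt in sorted(packets):
        verdicts[sensor.handle(pkt)] += 1
    return verdicts


def sample_packets():
    """Constructed SYN stream: 30 pps at 10.0.0.5 in second 1 (from five sources),
    10 pps in second 2, 5 pps in second 3, plus 5 normal packets to 10.0.0.9."""
    pkts = [(1.0 + i / 30, f"203.0.113.{i % 5}", "10.0.0.5") for i in range(30)]
    pkts += [(2.0 + i / 10, f"203.0.113.{i % 5}", "10.0.0.5") for i in range(10)]
    pkts += [(3.0 + i / 5, f"203.0.113.{i % 5}", "10.0.0.5") for i in range(5)]
    pkts += [(1.0 + i / 5, "198.51.100.7", "10.0.0.9") for i in range(5)]
    return pkts


if __name__ == "__main__":
    for mode in ("continuous", "periodical"):
        s = RateSensor("tcp_syn_flood", "dst", threshold_pps=20, mode=mode)
        print(mode, summarize(s, sample_packets()))
```

With a threshold of 20 pps, periodical mode lets the first 20 packets of the burst second through and passes everything in the quieter seconds that follow, while continuous mode keeps blocking the target address through second 2 even though the rate has dropped, and only releases it in second 3. The same stream keyed per source (a tcp_port_scan-style sensor) never trips, because each of the five sources stays well under the threshold; that is why flood and scan sensors are separate entries in the table above.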

Cisco WebSecurity

Linux vulnerability could lead to DDoS attacks

A Linux kernel vulnerability affecting version 4.9 and up could allow an attacker to carry out denial-of-service attacks on a system with an available open port, according to an Aug 6 security advisory from the CERT Coordination Center at Carnegie Mellon University’s Software Engineering Institute.

“Linux kernel versions 4.9+ can be forced to make very expensive calls to tcp_collapse_ofo_queue() and tcp_prune_ofo_queue() for every incoming packet which can lead to a denial of service,” the report states. “An attacker can induce a denial of service condition by sending specially modified packets within ongoing TCP sessions.”

Malicious actors could sustain the attack by using a continuous two-way TCP session to a reachable open port. Researchers noted that, because of this, the attacks cannot be performed using spoofed IP addresses.

Patches for the vulnerability have been released, and users are recommended to update their systems as soon as possible.


source: https://www.scmagazine.com/linux-vulnerability-could-lead-to-ddos-attacks/article/786713/

Hamidreza Talebi, linux

Add shared folder Ubuntu to Virtual Box

I have seen that some people want to make a shared folder between VirtualBox and Ubuntu, but it is sometimes tricky for them to make a shared folder:

1- First, from the Devices menu choose “Insert Guest Additions CD image” and install it. In the Ubuntu VM you may need to run the .sh installer files first.

2- Restart the system.

3- Make a shared folder from Settings > Shared Folders.

4- Add your Ubuntu user to the vboxsf group:

sudo adduser $USER vboxsf

Private Vlan

Sometimes it is necessary to have a policy that separates your VLAN as in the diagram below. In this diagram the WWW and FTP servers communicate with each other, so we put them in a community VLAN. On the other hand, the SQL server should not be reachable from the FTP or WWW server, so we put it in an isolated VLAN. In fact, there are three port roles in a private VLAN:

  • Promiscuous: can be reached by every sub-VLAN

  • Isolated: cannot be seen by the other sub-VLANs, only by the promiscuous port

  • Community: can only see members of the same community (and the promiscuous port)


Imagine we want to make a primary VLAN for these sub-VLANs. We make VLAN 100 the primary:

SW# conf t
SW(config)#vtp mode transparent
SW(config)#vlan 100
SW(config-vlan)# private-vlan primary

Then make the sub-VLANs: 101 (community) for WWW and FTP, and 102 (isolated) for SQL:

SW(config)#vlan 101
SW(config-vlan)# private-vlan community
SW(config)#vlan 102
SW(config-vlan)# private-vlan isolated

After that, we associate the WWW/FTP and SQL sub-VLANs (101 and 102) with primary VLAN 100:

SW(config)#vlan 100
SW(config-vlan)#private-vlan association 101,102

Next, we assign the interfaces to each VLAN:

SW(config)#int fa0/1
SW(config-if)# switchport mode private-vlan host
SW(config-if)# switchport private-vlan host-association 100 101
SW(config)#int fa0/2
SW(config-if)# switchport mode private-vlan host
SW(config-if)# switchport private-vlan host-association 100 101
SW(config)#int fa0/3
SW(config-if)# switchport mode private-vlan host
SW(config-if)# switchport private-vlan host-association 100 102
SW(config)#int fa0/10
SW(config-if)# switchport mode private-vlan promiscuous
SW(config-if)# switchport private-vlan mapping 100 101,102

To verify, use the show command:

SW# show vlan private-vlan
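The three port roles reduce to a short set of rules, and it is worth being able to answer "can host A reach host B?" before trusting the layout. The model below is an added example, not Cisco code: it encodes the promiscuous / isolated / community rules and the port assignments from the configuration above (fa0/1 and fa0/2 in community 101, fa0/3 in isolated 102, fa0/10 promiscuous mapped to 101,102). It goes one step beyond the note by adding a hypothetical second isolated port, fa0/4, to show that two isolated hosts cannot reach each other even though they sit in the same isolated VLAN.

```python
"""Reachability model for the private-VLAN layout configured above.

Added example, not Cisco code: it encodes the promiscuous / isolated / community
rules and answers "can the host on port A reach the host on port B through this
switch?". fa0/4 is a hypothetical extra isolated port that is not in the note.
"""

SECONDARY = {101: "community", 102: "isolated"}   # vlan 101 / vlan 102 above

# interface -> (port mode, secondary VLAN); None for the promiscuous port.
PORTS = {
    "fa0/1": ("host", 101),           # WWW server
    "fa0/2": ("host", 101),           # FTP server
    "fa0/3": ("host", 102),           # SQL server
    "fa0/4": ("host", 102),           # hypothetical second isolated host (not in the note)
    "fa0/10": ("promiscuous", None),  # uplink / gateway port
}
PROMISC_MAPPING = {"fa0/10": {101, 102}}   # switchport private-vlan mapping 100 101,102


def can_reach(a, b, ports=PORTS, secondary=SECONDARY, mapping=PROMISC_MAPPING):
    """True if layer-2 traffic from port a is delivered to port b."""
    mode_a, vlan_a = ports[a]
    mode_b, vlan_b = ports[b]
    if a == b:
        return True
    if mode_a == "promiscuous" and mode_b == "promiscuous":
        return True                              # both sit in the primary VLAN
    if mode_a == "promiscuous":
        return vlan_b in mapping[a]              # promiscuous reaches every mapped sub-VLAN
    if mode_b == "promiscuous":
        return vlan_a in mapping[b]
    # Two host ports: only members of the same community VLAN may talk;
    # isolated ports never reach another host port, not even in the same isolated VLAN.
    return vlan_a == vlan_b and secondary[vlan_a] == "community"


def reachable_from(port, ports=PORTS):
    """Sorted list of the ports that `port` can reach (excluding itself)."""
    return sorted(p for p in ports if p != port and can_reach(port, p))


if __name__ == "__main__":
    for p in PORTS:
        print(p, "->", reachable_from(p))
```

The output makes the design intent of the note visible: the SQL server on fa0/3 can only ever talk to the promiscuous port, so even a compromised WWW or FTP host has no layer-2 path to it, while the WWW and FTP hosts still see each other.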