Thursday, November 22, 2012

Clear Established Connections before Implementing a New Restrictive Rule on the Firewall

The ASA is stateful: adding a deny entry to an access list does not tear down connections that are already in the connection table, so an established flow keeps passing until it ends on its own. To enforce the new rule immediately, clear the connections (and translations) for the affected host, or for all hosts, with clear local-host:

ASA5520# clear local-host ?
  Hostname or A.B.C.D     Clear local host information corresponding to this ip
                          address
  Hostname or X:X:X:X::X  Clear local host information corresponding to an IPv6
                          address
  all                     Clear local host information including to-the-box and
                          from-the-box

Traceroute through Cisco ASA Firewall




Allowing traceroute through the firewall depends on which side the trace originates from and on which traceroute implementation is used.
Windows tracert sends ICMP echo requests with an increasing TTL; intermediate hops answer with ICMP time-exceeded and the destination answers with an ICMP echo-reply (or an unreachable). The following ACL entries allow that traffic to pass through the firewall. In this example the inside interface (higher security level) can already reach outside hosts, but traffic entering the outside interface must be explicitly permitted because of the security-level difference.
To let outside hosts trace to inside hosts, permit the echo requests entering the outside interface:
access-list acl-outside extended permit icmp any any echo
To let inside hosts trace to outside hosts when ICMP inspection is not enabled, the replies arriving on the outside interface must be permitted as well (with ICMP inspection enabled, see below, the ASA tracks the echo/echo-reply exchange and its related errors, and these entries are not needed):
access-list acl-outside extended permit icmp any any echo-reply
access-list acl-outside extended permit icmp any any source-quench
access-list acl-outside extended permit icmp any any unreachable
access-list acl-outside extended permit icmp any any time-exceeded
ICMP inspection should also be enabled in the service policy so the ASA tracks ICMP echo sessions and the related error messages (time-exceeded, unreachable) that traceroute relies on:
policy-map global_policy
 class inspection_default
  inspect icmp
  inspect icmp error
The global_policy policy-map and its global service-policy exist by default, but ICMP inspection is not part of the default inspection set and has to be added. If the service policy itself has been removed, reapply it with:
service-policy global_policy global
Cisco IOS, Linux and other Unix-like traceroute implementations send UDP probes instead of ICMP echo requests. The first probe goes to UDP port 33434 and every probe increments the destination port by one; with the default three probes per hop that is three ports per hop. For the default maximum of 30 hops, the 90 probes use ports 33434 through 33434 + 3*30 - 1 = 33523. To allow outside hosts to run a UDP traceroute into the inside network, permit that range on the outside interface. The replies are ICMP time-exceeded from intermediate hops and ICMP port-unreachable from the destination, which is why the ICMP entries or ICMP inspection above are still needed:
access-list acl-outside extended permit udp any any range 33434 33523
The other issue you can run into is that a traceroute through the firewall succeeds but the ASA itself never appears as a hop. By default the ASA does not decrement the TTL of packets it forwards, so it is invisible to traceroute. To make the firewall's IP address show up in the output, decrement the TTL for transit connections in the global policy (the default inspection_default class is shown for context and stays as it is):
class-map inspection_default
 match default-inspection-traffic
class-map class-ttl
 match any

policy-map global_policy
 class class-ttl
  set connection decrement-ttl

Wednesday, November 21, 2012

Tracking Malicious Activity with Passive DNS Query Monitoring





Ask anyone in the information security field they will tell you:

Security is not fair. There is essentially an unlimited supply of attackers that can test your defenses with impunity until they eventually succeed.

As a member of the Cisco Computer Security Incident Response Team (CSIRT) I’ve seen this asymmetry up close, so I can tell you that good security is really hard. Besides the normal security practices like deploying firewalls, IDS sensors, antivirus (AV), and Web Security Appliances, CSIRT is increasingly looking to the network as a data source. We have been collecting NetFlow for years but we have always wanted additional context for the flow data. While it is true that the Internet is built on TCP/IP, Internet services—both good and bad—are found by name using the Domain Name System (DNS). For years infosec has been network-address-centric and the attackers have adapted. Today it is very common to see malware command and control (C&C) use domain generation algorithms (DGAs), Peer-to-Peer (P2P), or even fast-flux to evade IP address-based detection and blocking. It has become absolutely clear that to keep up with the latest attacks and attackers you must have a view into the DNS activity on your network.

CSIRT has been struggling with limited DNS information for a while now, so I am pleased to say we finally have comprehensive visibility into the DNS activity on our network. Before I dive into how we tackled this problem I should back up and explain a bit more about DNS…

When a client wants to access a service by name, it must resolve that name into a usable address (an IP address). To do this, the client sends a request for the name to a recursive name server and that server will retrieve the information and send it back to the client. From a security perspective, there are two interesting aspects to this activity. The first is the names clients are requesting and the second is the Internet hosts that are providing the services for any given name. Put another way, you want to know who is looking up a service (DNS queries) and you also want to know who is providing a service (DNS answers). The DNS answers portion of the problem has been solved by ISC’s Passive DNS Replication Project (and the corresponding ISC DNS Database). ISC’s DNSDB is very good at answering questions like “What DNS names have pointed at this IP?” as well as “What IPs have provided services for this name?”

Historically, to get at the DNS-questions side of the problem required logging to be enabled on all of your organization’s recursive resolvers and searching through those logs. This is an imperfect solution for a number of reasons that include:

  • Most organizations have a wide variety of nameservers (BIND, Active Directory, etc) with varying logging abilities and formats
  • Clients (and malware) can send DNS requests to external services like Google’s Public DNS or OpenDNS
  • Clients generate a huge volume of DNS queries and it is difficult (or costly) to quickly search such a high volume of logs

To side-step these problems as well as have complete coverage of our DNS query activity we have gone with passively capturing all DNS activity on the wire at all of our major network choke-points. To the best of our knowledge there is no security-focused product specifically built for handling DNS questions so we had to build a complete solution in-house. In many cases, passively capturing DNS activity off the wire allows us to see the query both pre- and post-recursor as well as giving us visibility into DNS queries to external nameservers. For complete coverage we have deployed capture sensors globally, focusing on each major node on the network. The data is stored locally on each sensor in a compressed packet capture format.

To search the data, we leverage many sensors that store the data locally by mapping out the query to each sensor in parallel and then reducing the search results into a presentable format at the search head. This gives us built-in parallelism that scales as we add more sensors. To further speed up searches we have built filter indexes (using Bloom filters) to allow us to skip searching a file if it doesn’t contain any information we are looking for. In all, our Passive DNS Query Database (PDNSQDB) is just a few thousand lines of Python code and most of the heavy lifting is done by off-the-shelf tools like ncaptool and libbind.
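As an added illustration (not Cisco CSIRT's code, which the post does not show), the following Python sketch mirrors the architecture just described: each sensor holds chunks of query records with a Bloom filter built over the queried names in each chunk, a search is mapped to every sensor in parallel, each sensor skips the chunks whose filter says the name cannot be there, and the search head reduces the hits. The sensor names, records, timestamps and addresses are constructed sample data.

```python
"""Added example: toy passive-DNS query store with per-chunk Bloom filters
and a parallel map/reduce search across sensors. Sample data is constructed."""
import hashlib
from concurrent.futures import ThreadPoolExecutor
from math import ceil, log


class BloomFilter:
    """Bit array sized for the expected item count and false-positive rate."""

    def __init__(self, expected_items, false_positive_rate=0.01):
        self.m = max(8, ceil(-expected_items * log(false_positive_rate) / log(2) ** 2))
        self.k = max(1, round(self.m / expected_items * log(2)))
        self.bits = bytearray((self.m + 7) // 8)

    def _positions(self, item):
        # Kirsch-Mitzenmacher double hashing: k indexes from one digest.
        digest = hashlib.blake2b(item.lower().encode(), digest_size=32).digest()
        h1 = int.from_bytes(digest[:16], "big")
        h2 = int.from_bytes(digest[16:], "big")
        return [(h1 + i * h2) % self.m for i in range(self.k)]

    def add(self, item):
        for p in self._positions(item):
            self.bits[p // 8] |= 1 << (p % 8)

    def might_contain(self, item):
        """False means definitely absent; True means 'probably present'."""
        return all(self.bits[p // 8] & (1 << (p % 8)) for p in self._positions(item))


class Sensor:
    """One capture point. Each chunk (a pcap file on disk in the real system)
    carries its own Bloom filter over the queried names."""

    def __init__(self, name, chunks):
        self.name = name
        self.chunks = []
        for records in chunks:
            bf = BloomFilter(expected_items=max(1, len(records)))
            for r in records:
                bf.add(r["qname"])
            self.chunks.append((bf, records))

    def search(self, qname):
        """Return (matching records, number of chunks skipped via the index)."""
        hits, skipped = [], 0
        for bf, records in self.chunks:
            if not bf.might_contain(qname):
                skipped += 1
                continue
            hits.extend(dict(r, sensor=self.name) for r in records
                        if r["qname"].lower() == qname.lower())
        return hits, skipped


def search_all(sensors, qname):
    """Map: query every sensor in parallel. Reduce: merge and sort the hits."""
    with ThreadPoolExecutor(max_workers=len(sensors)) as pool:
        results = list(pool.map(lambda s: s.search(qname), sensors))
    hits = sorted((h for hits_, _ in results for h in hits_), key=lambda h: h["ts"])
    skipped = sum(s for _, s in results)
    return hits, skipped


def rec(ts, client, qname, qtype="A"):
    return {"ts": ts, "client": client, "qname": qname, "qtype": qtype}


# Constructed sample data: two sensors, two chunks each.
SENSORS = [
    Sensor("sensor-sjc", [
        [rec(1353500000, "10.1.1.20", "www.example.com"),
         rec(1353500005, "10.1.1.20", "cdn.example.com")],
        [rec(1353500100, "10.1.1.31", "update.bad-domain.example.net"),
         rec(1353500101, "10.1.1.31", "time.example.org")],
    ]),
    Sensor("sensor-ams", [
        [rec(1353500050, "10.2.5.7", "mail.example.com")],
        [rec(1353500200, "10.2.5.9", "update.bad-domain.example.net", "TXT")],
    ]),
]


def clients_that_queried(qname, sensors=SENSORS):
    """Investigator's question: which hosts looked up this name?"""
    hits, _ = search_all(sensors, qname)
    return sorted({h["client"] for h in hits})


if __name__ == "__main__":
    hits, skipped = search_all(SENSORS, "update.bad-domain.example.net")
    for h in hits:
        print(h["sensor"], h["ts"], h["client"], h["qname"], h["qtype"])
    print("chunks skipped thanks to the Bloom index:", skipped)
```

The Bloom filter only ever rules chunks out: a negative answer is certain, a positive one still has to be confirmed by reading the chunk, which is why the exact name comparison remains in Sensor.search. In the real deployment the "chunks" are compressed capture files and the parallel map runs across machines rather than threads, but the shape of the search is the same.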

Armed with fast and easy access to all clients’ DNS query activity, CSIRT investigators like myself have been able to track malicious activity like never before. Not only have we been able to find compromised clients based on known-bad domain names, we have been finding previously unknown malicious names by mining the data for interesting patterns. Our Passive DNS Query Database has already proven invaluable in several investigations and as we develop new tricks and techniques we fully expect to improve our ability to detect and track malicious activity using the DNS Query data.

One of the best things about giving security engineers a new data source is seeing all of the creative ways it is used. For example, one of our engineers has been identifying new C&C domains by looking at the intersection in DNS queries between two different hosts compromised with the same malware (as reported by AV logs). Other engineers have taken a graph-theoretic approach. By combining our PDNSQDB view into queries with ISC’s DNSDB view into answers it is possible to identify related malicious domains and IPs when given just a single domain or IP—essentially the transitive-closure of malicious activity.
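The two analyses in this paragraph, as an added example in Python (not CSIRT's tooling): the first finds C&C candidates as the names queried by both infected hosts but not by a known-clean host, and the second walks the name-to-IP graph from a single seed to collect the related infrastructure, which is the transitive closure described above. The query table stands in for the PDNSQDB and the answers table for ISC's DNSDB; all hosts, names and addresses are made up, and the degree cap that stops the walk at shared-hosting IPs is an assumption of this example.

```python
"""Added example: query-intersection and name/IP transitive closure over
constructed data. QUERIES stands in for the PDNSQDB, ANSWERS for ISC DNSDB."""
from collections import defaultdict, deque

# (client, qname) pairs. 10.1.1.31 and 10.2.5.9 were flagged by AV with the
# same malware; 10.3.7.2 is a known-clean host used as a baseline.
QUERIES = [
    ("10.1.1.31", "www.example.com"), ("10.1.1.31", "time.example.org"),
    ("10.1.1.31", "update.bad-domain.example.net"), ("10.1.1.31", "cfg.evil-cdn.example"),
    ("10.2.5.9", "mail.example.com"), ("10.2.5.9", "time.example.org"),
    ("10.2.5.9", "update.bad-domain.example.net"), ("10.2.5.9", "cfg.evil-cdn.example"),
    ("10.3.7.2", "www.example.com"), ("10.3.7.2", "time.example.org"),
]

# (qname, answer IP) pairs; 198.51.100.0/24 and 203.0.113.0/24 are documentation ranges.
ANSWERS = [
    ("update.bad-domain.example.net", "198.51.100.7"),
    ("cfg.evil-cdn.example", "198.51.100.7"),
    ("cfg.evil-cdn.example", "203.0.113.40"),
    ("stats.drop-zone.example", "203.0.113.40"),
    ("www.example.com", "203.0.113.10"),
    ("time.example.org", "203.0.113.11"),
]


def shared_queries(host_a, host_b, queries=QUERIES, baseline_hosts=()):
    """Names queried by both infected hosts, minus anything the clean
    baseline hosts also queried (removes popular, benign names)."""
    by_host = defaultdict(set)
    for client, qname in queries:
        by_host[client].add(qname)
    common = by_host[host_a] & by_host[host_b]
    for host in baseline_hosts:
        common -= by_host[host]
    return sorted(common)


def _is_ip(node):
    return node.replace(".", "").isdigit()


def transitive_closure(seed, answers=ANSWERS, max_depth=4, max_degree=50):
    """Breadth-first walk of the bipartite name<->IP graph from one seed.
    Nodes with more than max_degree neighbours (shared hosting, CDNs, parking
    IPs) are not expanded, or the closure would swallow half the Internet."""
    adj = defaultdict(set)
    for qname, ip in answers:
        adj[qname].add(ip)
        adj[ip].add(qname)
    seen, queue = {seed}, deque([(seed, 0)])
    while queue:
        node, depth = queue.popleft()
        if depth >= max_depth or len(adj[node]) > max_degree:
            continue
        for nxt in adj[node]:
            if nxt not in seen:
                seen.add(nxt)
                queue.append((nxt, depth + 1))
    names = sorted(n for n in seen if not _is_ip(n))
    ips = sorted(n for n in seen if _is_ip(n))
    return names, ips


if __name__ == "__main__":
    print("shared by both infected hosts:",
          shared_queries("10.1.1.31", "10.2.5.9", baseline_hosts=["10.3.7.2"]))
    names, ips = transitive_closure("update.bad-domain.example.net")
    print("related names:", names)
    print("related IPs:", ips)
```

Without the baseline subtraction the intersection also contains time.example.org, which both infected hosts and the clean host queried; with real data the baseline is the whole population and a name is interesting only if few hosts query it. The walk from update.bad-domain.example.net reaches cfg.evil-cdn.example through the shared IP and stats.drop-zone.example one step further, but never touches www.example.com or time.example.org, because nothing in the answers table connects them.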

Now when CSIRT responds to a new incident, one of the first steps we take is to query our PDNSQDB. The data is proving to be an invaluable  supplement to other data sources like NetFlow and web logs. The amount of effort we put into developing the tool has already paled in comparison to the value we’ve pulled out of it. If your organization doesn’t have fast and comprehensive visibility into the DNS activity on the network you should think about getting it. Now that we’ve had a taste of what the data can do for us we can’t live without it.

ASA 9.0 - What's new in VPN



Introduction

ASA 9.0 has now been published on CCO and is available for download.
As with every release it contains lots of new and long-awaited features.
This blog entry gives an overview of what's available in the VPN technologies.
Features like TrustSec, ScanSafe integration, routing in multi-context mode (and many others) will not be discussed here.

Please note that this document is intended as a summary only; for details of support and configuration please check the release notes and configuration guide.

Configuration guide:

New features:

Full release notes:


About 9.0
9.0 release (code name Arsenal) is first release to support all currently available ASA hardware - ASA, ASA CX, ASA SM, etc

General VPN new features
  • NSA Suite B cryptographic support.
Compliant with NSA's Suite B / Next Generation Encryption (NGE) suite: elliptic-curve Diffie-Hellman groups, ECDSA certificates, AES-GCM/GMAC and SHA-2 integrity, primarily for IKEv2 IPsec.
  • Custom policy attributes:
Ability for the ASA to deliver attributes to endpoints that are custom or new, i.e. attributes that are opaque to the ASA and handed through to the client(s).


New IPsec VPN features
Here's a brief look at the most important IPsec-related features:
  • Static LAN-to-LAN support in multi-context mode.
This long-awaited feature allows you to create LAN-to-LAN tunnels in a security context; there is no support for remote access VPN in multi-context mode at this point.
  • IPsec tunnel establishment with the AnyConnect 3.1 client over IPv6; note that with IKEv2 there is a limitation for IPv6 inner (tunnelled) traffic.


New SSL VPN features
Here's a brief summary of the SSL VPN features.
Clientless
New features specific to clientless SSL VPN access:
  • HTML5 rewriter support
Before 9.0 the ASA's rewriter engine did not support HTML5 tags; this has finally changed.
  • Auto sign-on enhancements
The ASA comes with built-in SSO templates and a POST form capturing tool to help troubleshooting and deployment.
  • Citrix Receiver module
This feature provides secure remote access for the Citrix Receiver application running on mobile devices to XenApp/XenDesktop VDI servers through the ASA, eliminating the need for a Citrix Access Gateway.
  • IPv6 clientless access
Ability to access the clientless VPN portal over IPv6.
  • Server certificate verification
Previously the ASA did not fully verify the server certificate when connecting to a back-end server on behalf of a clientless user; this release makes that verification configurable.
  • Native Microsoft SharePoint 2010 support.
  • Extended browser and operating system support.

Anyconnect client
New features specific to SSL client access:
  • SSLVPN tunnel establishment with Anyconnect 3.1 using IPv6, including IPv6 attributes (assigned IPv6 address, DNS server etc)


Tuesday, November 20, 2012

Basic Network Attack



Network Attacks - Part 1

Before going into attacks, you need to understand the difference between a hacker and a cracker.

Hacker: Eric Raymond, compiler of The New Hacker's Dictionary, defines a hacker as a clever programmer. A "good hack" is a clever solution to a programming problem and "hacking" is the act of doing it. Raymond lists five possible characteristics that qualify one as a hacker, which we paraphrase here:
  • A person who enjoys learning details of a programming language or system
  • A person who enjoys actually doing the programming rather than just theorizing about it
  • A person capable of appreciating someone else's hacking
  • A person who picks up programming quickly
  • A person who is an expert at a particular programming language or system, as in "UNIX hacker"
Cracker: A cracker is someone who breaks into someone else's computer system, often over a network; bypasses passwords or licenses in computer programs; or in other ways intentionally breaches computer security.

Introduction:
A network attack occurs when an attacker or cracker uses certain methods or technologies to maliciously attempt to compromise the security of a network. Crackers attack corporate networks to use data for financial gain or industrial espionage, to illegally use user accounts and privileges, to run code that damages or corrupts data, to steal data and software, to prevent legitimate authorized users from accessing network services, and for a number of other reasons.
External attacks are performed by individuals who are outside the target network or organization. They usually follow a predefined plan and depend on the skills of the attacker(s). One of the main characteristics of external attacks is that they usually begin with scanning and information gathering.

Categories of attacks by origin:
Structured external threats originate from crackers who have a premeditated idea of the damage and losses they want to cause. Possible motives include greed, politics, terrorism, racism and criminal payoffs. Criminal hackers are highly skilled in network design, in methods of avoiding security measures and Intrusion Detection Systems (IDSs), in access procedures, and in hacking tools.
Unstructured external threats originate from inexperienced attackers, typically script kiddies. A script kiddie is an inexperienced attacker who uses cracking or scripted tools readily available on the Internet to perform a network attack.
Remote external attacks are usually aimed at the services an organization offers to the public. They can also target services meant for internal users, hunt for modems that give access to the corporate network, or brute-force password-authenticated systems. Local external attacks originate from situations where computing facilities are shared and local access to the system can be obtained.
Internal threats originate from dissatisfied or unhappy employees or contractors. Internal attackers already have some form of access to the system and usually try to disguise their attack as normal activity.

Basic steps used by a cracker (Pre-Attack):

Footprinting: It is the initial step in hacking a corporate network. The purpose of footprinting is to create a map of the network to determine what operating systems, applications and address ranges are being utilized.

Port scanning: It is done when a cracker collects information on the network services on a target network. The cracker attempts to find open ports on the target system.

Enumeration: A cracker uses enumeration to collect information on applications and hosts on the network and on the user accounts in use. Enumeration is particularly successful in networks that contain unprotected network resources and services. With that information the attacker can launch an access attack that exploits a security weakness to gain access to a system or the network. The programs generally used are:
a.) Trojan horses, which can create backdoors; for example the Trojan named "Beast".
b.) Password cracking programs, typically used to obtain system access. Once access is obtained, the intruder can modify or delete data and add, modify or remove network resources. Unauthorized privilege escalation is another common follow-on attack. Examples are tools like "John the Ripper" and "Cain and Abel".

Privilege escalation: It occurs when an intruder attempts to obtain a higher level of access, such as administrative privileges, to gain control of the system or network. A cracker can also plant some form of access-granting code with the intent of using it at a later stage. Backdoors are installed by attackers so that they can easily regain access to the system later. After a system is compromised, the reliable way to remove any installed backdoors is to rebuild the system from known-good media or from a backup taken before the compromise. This step is a post-attack activity.

Common types of network attacks initiated by Crackers are listed here:

Eavesdropping attack: It occurs when an attacker monitors or listens to network traffic in transit and then interprets any unprotected data. An attacker only needs a sniffer to eavesdrop on an Internet Protocol (IP) network and capture traffic in transit.

IP address spoofing: It occurs when an attacker forges the source IP address of IP packets so that they appear to originate from a trusted or valid IP address. The aim is to impersonate another host, bypass address-based access controls, or hide the true origin of the traffic (as in many DoS attacks).

Sniffing: It occurs when attackers capture and analyze network traffic. The tools used for sniffing are called sniffers or protocol analyzers. A sniffer attack occurs when attackers use sniffers to monitor, capture and extract specific information from the network, such as passwords and valuable customer information.

Password attacks: These are aimed at guessing the password for an account until the correct password is found. Attackers who obtain user ID and password information can then pose as authorized users and attack the corporate network. Dictionary attacks and brute force attacks are the usual techniques, and they give the attacker access to resources with the same rights as the legitimate user.

Brute force attack: The attacker attempts to recover a password or decode a cipher by trying every possible key until the correct one is found. Against passwords this systematically works through all alphabetic, numeric and special-character combinations until a value that is valid for a user account is discovered. Brute force attacks are also commonly used against Simple Network Management Protocol (SNMP) community strings, which act as passwords for reading or writing device configuration.

Denial of Service (DoS) attack: It is aimed at preventing authorized, legitimate users from accessing services on the network. A DoS attack can be initiated by sending invalid or excessive data to applications or network services until the server hangs or simply crashes. The most common forms are TCP-based floods such as SYN floods, which exhaust the target's connection resources.
A network attacker can increase the scale of a DoS attack by initiating it against a single network from multiple computers or systems. This type of attack is known as a distributed denial of service (DDoS) attack. Network administrators can have great difficulty fending off DDoS attacks, simply because blocking all the attacking computers can also block authorized users.

Man-in-the-middle (MITM) attack: It occurs when a cracker inserts himself into a communication session between two parties and monitors, captures and controls the data being exchanged. The attacker relays traffic so that each side believes it is talking directly to the other, and can read or alter the data while impersonating the sender to the receiver and vice versa.

Distributed Denial of Service (DDoS) attack: It is also a form of DoS attack, but here the attack does not come from a single source; many compromised systems (a botnet) launch the DoS simultaneously at a common victim.


Network Attacks - Part 2

INTRODUCTION:
This is the second part on network attacks. Here I will be talking about a technique called "scanning", which is very important for an attacker: based on the results of the scans, he or she decides how to attack the network.
Port scanning is the process of probing TCP and UDP ports to find out which services and applications are listening on the target device. Once open ports are found, the applications or services behind them can be identified. At this point further information is typically gathered to decide how best to target any vulnerabilities and weaknesses in the system.
Port scanning is one of the most popular reconnaissance techniques crackers use to discover services they can break into. A potential victim computer runs many services that listen on well-known ports. By scanning which ports are open on the victim, the attacker finds potential weaknesses that can be exploited.

PORT SCANNING TYPES:

1.) TCP Connect / Full Open Scan:
•TCP connect is the most reliable form of TCP scan. It checks whether a port is open or closed by completing the full TCP three-way handshake (SYN, SYN/ACK, ACK).
•If the port is open, the connect() call succeeds; if the port is closed, the target answers the SYN with a RST and connect() fails with "connection refused". If nothing comes back at all and the call times out, a firewall is most likely dropping the packets and the port is reported as filtered.
Note: The connect() system call provided by the operating system does all the work, so no raw-socket privileges are required; the drawback is that the completed connection is usually logged by the service.
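As an added example (not from the original post), here is a minimal TCP connect scanner in Python built on the connect() call described above. It maps the three outcomes to open, closed and filtered and, so that it runs offline, scans a throwaway listener that it starts on localhost; the host, port range and timeouts are assumptions of the demo.

```python
"""Added example: TCP connect (full-open) scan via the OS connect() call.
Scans a listener it starts itself on localhost so it runs offline."""
import errno
import socket
import threading
from concurrent.futures import ThreadPoolExecutor


def probe_port(host, port, timeout=1.0):
    """Classify one TCP port as 'open', 'closed' or 'filtered'."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        try:
            s.connect((host, port))        # completes SYN, SYN/ACK, ACK
            return "open"
        except ConnectionRefusedError:
            return "closed"                # target answered the SYN with RST
        except (socket.timeout, TimeoutError):
            return "filtered"              # no answer at all: SYN was dropped
        except OSError as exc:
            if exc.errno in (errno.EHOSTUNREACH, errno.ENETUNREACH):
                return "filtered"          # ICMP unreachable from a router/firewall
            raise


def connect_scan(host, ports, timeout=1.0, workers=64):
    """Probe many ports concurrently; returns {port: state}."""
    ports = list(ports)
    with ThreadPoolExecutor(max_workers=workers) as pool:
        states = list(pool.map(lambda p: probe_port(host, p, timeout), ports))
    return dict(zip(ports, states))


def start_test_listener():
    """Constructed target for the demo: accept-and-close on a free localhost port."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)

    def accept_loop():
        while True:
            try:
                conn, _ = srv.accept()
                conn.close()
            except OSError:            # listener closed: stop the thread
                return

    threading.Thread(target=accept_loop, daemon=True).start()
    return srv, srv.getsockname()[1]


def find_closed_port(host="127.0.0.1", start=40000):
    """Pick a port that nothing on this machine is listening on."""
    for port in range(start, start + 1000):
        if probe_port(host, port, timeout=0.5) == "closed":
            return port
    raise RuntimeError("no closed port found")


if __name__ == "__main__":
    srv, open_port = start_test_listener()
    closed_port = find_closed_port()
    for port, state in sorted(connect_scan("127.0.0.1", [open_port, closed_port]).items()):
        print(f"127.0.0.1:{port:<6}{state}")
    srv.close()
```

The "filtered" branch is what distinguishes a firewall from a dead host in practice: a closed port answers immediately with RST, while a dropped SYN produces nothing until the timeout, so a scan of a filtered range takes timeout seconds per port unless it is parallelised as here. Against a real target, every "open" result also leaves an accepted-and-closed connection in the service's logs, which is exactly what the half-open scan in the next section avoids.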

2.) SYN Stealth / Half Open Scan:
•A SYN (stealth) scan is also known as a half-open scan because it never completes the connection with the target system.
•During this scan the attacker sends a SYN packet to a particular port of the target, as if requesting a new connection, and waits for a reply.
•If the port replies with SYN/ACK, the port is open and listening; the scanner then sends a RST instead of the final ACK, so the handshake is never completed.
•If a RST comes back, the port is closed. If there is no reply, or an ICMP unreachable arrives, the port is reported as filtered.
•One advantage of this scan is that many services only log completed connections, so the half-open probes do not show up in application logs (a network IDS will still see them). Crafting the raw SYN packets requires administrative or root privileges.

3.) FIN Stealth Scan:
•During a FIN scan the attacker sends a packet with only the FIN flag set, without any prior connection.
•According to RFC 793, an open port ignores such a packet and sends nothing back, while a closed port replies with a RST. Some stacks (notably Windows) reply with RST regardless of port state, so the result is unreliable against them.
•Advantage: stateless packet filters that only block incoming SYN packets let the FIN probes through, and the probes stand out less in logs than SYN scans, so a FIN scan can work where a SYN or connect() scan is blocked.

4.) FTP Bounce Scan:
•This type of port scan is only possible when the FTP server is vulnerable to the bounce attack, that is, it allows the PORT command to point at an arbitrary host and port rather than only at the connecting client.
•The bounce attack lets the attacker use the FTP server as a proxy to port-scan the target system: the server's data-connection attempts to the target succeed or fail depending on whether the port is open. This provides anonymity to the attacker and is comparatively hard to trace back.


5.) SYN/FIN Scanning and IP fragments:
•A SYN/FIN scan sends probes with both the SYN and FIN flags set, an illegal combination that some filters and stacks do not handle consistently; it is not a new technique but a variant of the SYN and FIN scans above.
•In the fragmented variant the TCP header is split across several small IP fragments, so that a packet filter or IDS that examines only the first fragment does not see the complete set of flags and ports and may let the probe through.

6.) UDP Scanning:
•This scan simply uses the UDP protocol instead of TCP, which the previous examples have used.
•The process is more complicated and slower than TCP scanning, since UDP is a connectionless protocol and there is no handshake to observe.
Note: During a UDP scan an open port usually sends nothing back (unless the application replies to the probe payload), while a closed port answers with an ICMP port unreachable (type 3, code 3) error. Most stacks rate-limit these ICMP errors, so a UDP scan of many ports takes a long time, and a port that never answers can be either open or filtered.

7.) ICMP Scanning:
•ICMP scanning sends ICMP packets (usually echo requests, but also timestamp or address-mask requests) to all machines on a network to determine which hosts are active.
•To complete the process quickly, the packets are sent to multiple nodes at the same time.
•The time taken can be reduced further by lowering the timeout value of the scan.

8.) Reverse Ident Scanning:
•The Ident protocol (RFC 1413, TCP port 113) lets a client ask a host which user owns the process behind a given TCP connection. Reverse ident scanning uses this to learn the username (for example, root) that owns each service the attacker connects to.
•Note that it requires a full TCP connection to the scanned port, and that it works in the other direction as well: a server can run an ident query against the user connecting to it.

9.) Idle Scan:
Idle scan is a blind port scanning technique in which the attacker never sends a packet to the target from his own address. Instead, an idle "zombie" host with predictable IP ID (IP identification field) values is used. The attacker sends SYN packets to the target with the zombie's address spoofed as the source, then probes the zombie to see whether its IP ID counter has advanced: an open port on the target makes the target send SYN/ACK to the zombie, which replies with a RST and increments its IP ID, while a closed port elicits a RST that the zombie simply ignores. Intrusion Detection Systems on the target see only the zombie as the attacker, so the scan provides a high degree of stealth; it also reveals the target's trust relationships, since the scan is effectively performed from the zombie's address.

10.) OS Fingerprinting:
OS fingerprinting is a scanning technique used to determine the operating system of the target system. There are various methods to detect the underlying operating system: banner grabbing from the FTP, SSH or HTTP server, evaluating the TTL value in returned packets, or observing TCP and UDP response behaviour (initial window size, TCP option order, responses to unusual flag combinations). OS fingerprinting can be classified as:

1. Passive Fingerprinting:
In passive fingerprinting the attacker does not directly scan the ports of the target machine; instead he or she sniffs the packets being transferred to and from it. All the attacker needs to do is capture the packets and analyze them to determine the operating system of the target.
The analysis looks at IP stack characteristics of the captured traffic, such as the initial TTL, the DF bit, the TCP window size and the order of TCP options, which differ between implementations.

2. Active Fingerprinting:
Active fingerprinting relies on a database of how different operating systems respond to particular malformed or unusual packets. The attacker sends such packets to the target machine and compares the responses with the database to determine the type of operating system running on it. It is more accurate than passive fingerprinting but generates traffic that an IDS can detect.
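As an added example (not from the original post), the following Python parses a captured TCP SYN the way a passive fingerprinter does: it pulls the TTL, DF bit, window size and TCP option layout out of the IPv4 and TCP headers, rounds the TTL up to a likely initial value, and matches the resulting signature against a small table. The two SYN packets are constructed inline to stand in for sniffed traffic, and the signature table with its OS labels is an illustrative assumption, not a real fingerprint database.

```python
"""Added example: passive OS fingerprinting of a captured TCP SYN. Packets and
the signature table are constructed for the demo."""
import struct


def build_syn(ttl, df, window, options, src="192.0.2.10", dst="198.51.100.5"):
    """Constructed IPv4+TCP SYN (checksums left zero) standing in for a sniffed packet."""
    tcp_len = 20 + len(options)
    ip_hdr = struct.pack("!BBHHHBBH4s4s",
                         (4 << 4) | 5, 0, 20 + tcp_len, 0x1234,
                         0x4000 if df else 0, ttl, 6, 0,
                         bytes(map(int, src.split("."))),
                         bytes(map(int, dst.split("."))))
    offset_flags = ((tcp_len // 4) << 12) | 0x002       # data offset + SYN flag
    tcp_hdr = struct.pack("!HHIIHHHH", 40000, 80, 1, 0, offset_flags, window, 0, 0)
    return ip_hdr + tcp_hdr + options


def parse_syn(pkt):
    """Return (ttl, df, window, raw tcp options) from an IPv4/TCP packet."""
    ver_ihl, _, _, _, flags_frag, ttl, proto = struct.unpack("!BBHHHBB", pkt[:10])
    if ver_ihl >> 4 != 4 or proto != 6:
        raise ValueError("not an IPv4/TCP packet")
    ihl = (ver_ihl & 0x0F) * 4
    tcp = pkt[ihl:]
    offset_flags, window = struct.unpack("!HH", tcp[12:16])
    data_off = (offset_flags >> 12) * 4
    return ttl, bool(flags_frag & 0x4000), window, tcp[20:data_off]


def parse_options(opts):
    """Walk the TCP option list; returns (kinds in order, MSS, window scale)."""
    names = {2: "mss", 3: "ws", 4: "sok", 8: "ts"}
    kinds, mss, wscale, i = [], None, None, 0
    while i < len(opts):
        kind = opts[i]
        if kind == 0:                       # end of option list
            kinds.append("eol")
            break
        if kind == 1:                       # NOP padding, no length byte
            kinds.append("nop")
            i += 1
            continue
        length = opts[i + 1]
        if length < 2 or i + length > len(opts):
            raise ValueError("malformed TCP option")
        kinds.append(names.get(kind, f"opt{kind}"))
        if kind == 2 and length == 4:
            mss = struct.unpack("!H", opts[i + 2:i + 4])[0]
        elif kind == 3 and length == 3:
            wscale = opts[i + 2]
        i += length
    return kinds, mss, wscale


def guess_initial_ttl(ttl):
    """Stacks start at 32, 64, 128 or 255; round the observed TTL up."""
    return next(t for t in (32, 64, 128, 255) if ttl <= t)


def fingerprint(pkt):
    """Build a p0f-style signature and estimate the hop distance."""
    ttl, df, window, opts = parse_syn(pkt)
    kinds, mss, wscale = parse_options(opts)
    ittl = guess_initial_ttl(ttl)
    sig = f"{ittl}:{int(df)}:{window}:{mss}:{wscale}:{','.join(kinds)}"
    return sig, ittl - ttl


# Illustrative table (assumption for the demo, not a real fingerprint database).
SIGNATURES = {
    "64:1:29200:1460:7:mss,sok,ts,nop,ws": "Linux 3.x-class stack (assumed)",
    "128:1:8192:1460:8:mss,nop,ws,nop,nop,sok": "Windows 7/2008-class stack (assumed)",
}


def identify(pkt):
    sig, distance = fingerprint(pkt)
    return SIGNATURES.get(sig, "unknown"), sig, distance


# Constructed captures: option layouts typical of the two stacks above.
LINUX_OPTS = bytes([2, 4, 0x05, 0xB4, 4, 2, 8, 10] + [0] * 8 + [1, 3, 3, 7])
WINDOWS_OPTS = bytes([2, 4, 0x05, 0xB4, 1, 3, 3, 8, 1, 1, 4, 2])
LINUX_SYN = build_syn(ttl=58, df=True, window=29200, options=LINUX_OPTS)
WINDOWS_SYN = build_syn(ttl=120, df=True, window=8192, options=WINDOWS_OPTS)

if __name__ == "__main__":
    for name, pkt in (("host A", LINUX_SYN), ("host B", WINDOWS_SYN)):
        guess, sig, hops = identify(pkt)
        print(f"{name}: {sig} -> {guess}, about {hops} hops away")
```

The option order is the strongest single signal here: the two constructed packets carry the same MSS and DF bit, and differ only in TTL, window and the sequence of options, yet that is enough to tell them apart. The hop-distance estimate falls out of the same rounding (observed TTL 58 against an assumed initial 64 gives six hops), which is also how a defender can spot a spoofed source whose TTL does not match its claimed network distance.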

11.) Ping Sweep:
•A ping sweep is used to enumerate the live hosts in a network. It consists of ICMP echo requests sent to multiple hosts; if a system is live, it sends back an ICMP echo reply.
•The ping utility is often used to check whether a network device is functioning.
•To blunt ping sweeps, administrators can block ICMP echo requests at the firewall, although attackers then fall back to TCP or UDP probes for host discovery.

12.) Wardialing:
•Wardialing is a technique of using a modem to automatically dial a list of telephone numbers, separating the numbers that are answered by a computer (a modem) from regular phone lines answered by humans or answering machines.
•Once a list of active computer systems on the phone network is obtained, attackers can use many techniques to break into them.
These are some of the scanning methods attackers use to gather information about a network.