Agenda
■ Review the security implications of remote access.
■ Discuss how Remote Access VPN fits into an overall organization IT security strategy.
■ Review what Cisco AnyConnect SSL Remote Access VPN connections are.
■ Explore the benefits of using authentication servers instead of local accounts on the ASA.
Security implications of Remote Access
■ The Target store hack is a prime example of why you should care about remote access security and proper firewall zoning of information assets.
• Hackers broke in through improperly secured remote access given to an HVAC vendor.
http://krebsonsecurity.com/2014/02/target-hackers-broke-in-via-hvac-company/
• Payment systems were not properly zoned on the firewall and remote access permissions
Security Sensitive Applications Exposed Directly off the Firewall
■ Security cameras.
■ RDP access to server and desktop resources.
• Finance Director's desktop.
• AD/DNS/DHCP server.
■ Wireless administration systems.
Exposing applications directly off the firewall welcomes brute force dictionary attacks.
■ How good is your password policy?
■ When was the last time you checked the audit log?
Who is knocking on the door?
We configured an ASA in our lab with AnyConnect VPN and a syslog server. ASA traffic and authentication attempts were logged for < 6 days.
2,732 attempts to hack in.
And some on non-standard ports:
■ 19838
■ 30989
■ 31518
■ 5893
Who is knocking on the door?
[Chart: Most Common Usernames Used]
Who is knocking on the door?
■ The most persistent hacker was:
whois 217.27.159.2…?
person: Oleksandr Yermolenko
address: 4v, Patrisa Lumumbi str., Kiev, Ukraine
phone: +380 44 2061978
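The tally behind the "who is knocking" slides, as an added example that is not from the deck: it counts rejected AnyConnect logins per username and per source over constructed syslog lines written in the style of the ASA AAA rejection message. The message id (113005), the field layout, the usernames and the addresses (documentation ranges) are all assumptions.

```python
# Added example, not from the deck: the tally behind the "who is knocking" slides, run over
# constructed syslog lines written in the style of the ASA AAA rejection message. The message
# id (113005), field layout, usernames and addresses (documentation ranges) are all assumptions.
import re
from collections import Counter

SAMPLE_LOG = """\
%ASA-6-113005: AAA user authentication Rejected : reason = Invalid password : server = 10.0.0.5 : user = admin : user IP = 203.0.113.5
%ASA-6-113005: AAA user authentication Rejected : reason = Invalid password : server = 10.0.0.5 : user = administrator : user IP = 203.0.113.5
%ASA-6-113005: AAA user authentication Rejected : reason = Invalid password : server = 10.0.0.5 : user = admin : user IP = 198.51.100.7
%ASA-6-113005: AAA user authentication Rejected : reason = Invalid password : server = 10.0.0.5 : user = root : user IP = 203.0.113.5
%ASA-6-113005: AAA user authentication Rejected : reason = Invalid password : server = 10.0.0.5 : user = test : user IP = 203.0.113.5
%ASA-6-113004: AAA user authentication Successful : server = 10.0.0.5 : user = tom
"""

REJECT = re.compile(r"113005: .*user = (?P<user>\S+) : user IP = (?P<ip>\S+)")

def parse_rejections(text):
    """Yield (username, source_ip) for every AAA rejection line; other messages are skipped."""
    for line in text.splitlines():
        m = REJECT.search(line)
        if m:
            yield m.group("user"), m.group("ip")

def summarize(text, threshold=3):
    """Count attempts, rank the usernames tried, and flag sources at or above threshold."""
    events = list(parse_rejections(text))
    by_user = Counter(user for user, _ in events)
    by_src = Counter(ip for _, ip in events)
    return {
        "attempts": len(events),
        "top_users": by_user.most_common(3),
        "persistent_sources": [ip for ip, n in by_src.most_common() if n >= threshold],
    }

if __name__ == "__main__":
    report = summarize(SAMPLE_LOG)
    print(f"{report['attempts']} rejected attempts; most tried: {report['top_users']}")
    print("persistent sources (look up with whois):", report["persistent_sources"])
```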
How does an SSL VPN fit into an overall security strategy?
■ Why configure an SSL VPN?
• To allow access to internal assets without exposing them publicly on the outside of the firewall. This is part of good firewall zoning and security policy.
■ Advantages of SSL VPN
• No exposure of internal assets to the Internet at large for brute force attacks or DoS.
■ Disadvantages of SSL VPN
• Some public facing assets may already have secure logins and are used by large numbers of users. Requiring two logins would be inconvenient. Examples would be a web application with very good security or Citrix server applications.
■ Typically SSL VPN in an LEA environment is best used for:
• Remote access for network management (network or application administrators).
• Locally hosted applications used by small numbers of internal users (Finance, Payroll).
• RDP access to internal desktops by end users.
• Access by vendors for support (such as AC/HVAC, industrial monitoring, or application support).
Protecting Remote Access Against Dictionary and Hacking Attacks
■ Don't expose sensitive systems directly off the firewall unless absolutely necessary. Use a secure remote access VPN.
■ IPS/SIEM systems.
■ Use two factor authentication for remote access.
■ If neither of these solutions is an option, consider improving password policy:
• Adding password complexity
What is Cisco AnyConnect SSL VPN and what can it do?
■ The Cisco AnyConnect SSL VPN is a remote access VPN client from Cisco that uses port 443 only to make secure VPN connections.
■ AnyConnect clients are available for many popular devices and operating systems. These include Windows, Mac, Linux, Android, iOS, and Kindle systems.
■ The client installs from a webpage or application store, which is much easier to administer. User profiles can be controlled from the ASA. Usually only a link needs to be sent to the user to give them access. Less configuration than the old IPsec client.
■ Supports enhanced features such as IKEv2 for security, DTLS for QoS (VoIP), and AD and Kerberos authentication.
■ Has very good client side logging for debugging purposes.
Why should we use Active Directory for VPN authentication?
■ Local account databases have issues:
• Usernames and passwords go in, but they don't come back out.
• Usually are not configured with complexity or password change policies.
• Usually are not audited or logged.
• Password changes cannot be initiated from the ITS managed ASA firewall.
AnyConnect VPN presents additional problems if you use the ITS managed firewall service from the state:
■ Have to put in a ticket to change passwords.
■ Have to put in a ticket to delete user accounts.
■ Have to put in a ticket to change access policy.
■ Have to put in a ticket to get auditing configured.
Using Active Directory for VPN Authentication Has Benefits
■ All remote access user accounts and permissions can be administered from the AD server, including password resets.
■ AD logs will show logins and attempted logins.
■ The only tickets required to ITS are to configure any new security group to DAP policy mappings.
■ Password change and complexity policy can be the same as your AD domain policy.
■ Users are happy because they can use their network username and
Preparing to implement AD Authentication with an ASA
■ Create a bind account that the ASA can use to query the Active Directory.
■ Make sure Microsoft Certificate Services have been properly configured and set up on the domain to enable Secure LDAP.
■ Create remote access groups with the network
Demonstration AD Setup
■ Add ASA bind account name and password of Bindup123# to demo AD domain.
■ Create AD user groups for Administrative and HVAC users to map to DAP policies.
■ Create two user accounts. One for Tom the network administrator, and one for Bob who is the HVAC system manager. Both are members of the
Things to remember about DAP policy
■ DAP policy has priority numbers. Priority is determined from highest number to lowest (25 is higher than 1).
■ DAP policy has two main configurable items we are concerned with: an action, and network ACL filters.
■ Your default DAP policy should have its action configured to terminate. This is the policy used when no other policies match. Basically, if you are not in a matching VPN group we care about, you get terminated.
■ Network ACLs for DAP policy are a bit counterintuitive. Only access lists with all permits or all denies are allowed to be attached to a DAP policy. If multiple ACLs are listed in a DAP policy, the ASA does not process them in order but orders them according to blacklist types first (i.e. deny ACLs go first).
■ If a user tests positive for the conditions of more than one DAP policy, then higher priority DAP rules get precedence.
■ Network ACLs get processed by the ASA as follows:
• Each matching DAP rule has its network ACLs retrieved.
• The ACLs are merged and ordered by DAP priority first. If ACLs have the same DAP priority, then ACLs with blacklists come first, whitelists next.
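The DAP ordering rules above, as an added example that is not from the deck or from Cisco: a small Python model of how matching records, priorities and deny-before-permit ordering combine into the effective access a user gets. Record names, group names, ACLs and addresses are constructed; how the action combines across several matching records is an assumption.

```python
# Added example, not from the deck: a small model of the DAP evaluation order the slides describe.
# Record names, group names, ACLs and addresses are constructed; "terminate if any matched
# record terminates" is an assumption about how actions combine across matching records.
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network

@dataclass
class Acl:
    name: str
    action: str        # "permit" or "deny": a DAP ACL must be all-permit or all-deny
    networks: list     # destination networks (CIDR strings) the ACL covers

@dataclass
class DapRecord:
    name: str
    priority: int      # higher number wins (25 beats 1)
    groups: frozenset  # LDAP memberOf values; the record matches a user in any of them
    action: str = "continue"
    acls: list = field(default_factory=list)

def merge_acls(hits):
    """Order by DAP priority (highest first); at equal priority deny ACLs (blacklists) go first."""
    pairs = sorted(((r.priority, a) for r in hits for a in r.acls),
                   key=lambda pa: (-pa[0], 0 if pa[1].action == "deny" else 1))
    return [a for _, a in pairs]

def evaluate(records, user_groups):
    """Return (action, merged ACL list); no matching record means the default applies: terminate."""
    hits = [r for r in records if r.groups & frozenset(user_groups)]
    if not hits or any(r.action == "terminate" for r in hits):
        return "terminate", []
    return "continue", merge_acls(hits)

def allowed(records, user_groups, dest):
    """Walk the merged ACLs; the first one whose networks cover dest decides, else implicit deny."""
    _, acls = evaluate(records, user_groups)
    for acl in acls:
        if any(ip_address(dest) in ip_network(n) for n in acl.networks):
            return acl.action == "permit"
    return False

RECORDS = [   # constructed demo records, mirroring the Admin and HVAC groups in the deck
    DapRecord("Admins", 25, frozenset({"VPN-Admins"}),
              acls=[Acl("admin-permit", "permit", ["10.0.0.0/8"])]),
    DapRecord("HVAC", 10, frozenset({"VPN-HVAC"}),
              acls=[Acl("hvac-permit", "permit", ["10.20.0.0/24"]),
                    Acl("hvac-deny-finance", "deny", ["10.20.0.5/32"])]),
]
```

Because the deny ACL is ordered ahead of the permit ACL at equal priority, an HVAC user reaches 10.20.0.7 but not 10.20.0.5, while a user in no mapped group gets the default terminate.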
Demonstration ASA Configuration
■ Add the local AD server to the ASA authentication settings as an LDAP source.
■ Create DAP policy to match AD groups.
■ Create default DAP policy.
■ Test authentication and DAP policy in ASDM.
DAP Policy Configuration Demonstration
■ ASDM provides a test mechanism where you can input your LDAP conditions and it will show you the resultant DAP policy.
Wrapping Things Up
■ Proper design decisions in firewall zoning and configuration can improve remote access security.
■ Use secure VPN to your security advantage by not exposing critical or unsecured applications directly on the firewall for remote access.
■ Use AD authentication for VPN if possible. Benefits include single sign on, more robust password policy and enforcement, better auditing, fewer support calls for managed firewalls, and more efficiency in VPN administration.
■ For gold standard security, plan to implement two factor authentication in combination with AD authentication. This is the most effective way to defeat dictionary and brute force attacks.
Additional References
■ DAP Policy Reference
http://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/108000-dap-deploy-guide.html
■ Configuring Cisco AnyConnect
https://www.mcnc.org/events/training/cne-summer-webinars2015/archive
■ Managing DAP Policy on ASA Firewalls