TacAck – My security journey!

Hello all!
I’m really excited! ‘coz i’m finally doing the bootcamps that i purchased a couple of months back . I started the bootcamp yesterday and i went through Day 1 and i took notes on WAVE.I must say, i was pleasantly surprised by the content covered on the first day. I expected it to be very basic, but Marvin did dive into some advanced stuff ( but no configuration ).

Here are the notes and i hope you find them useful :

ASA

• Make sure you don’t block traffic flows as we configure tasks ( don’t screw up earlier tasks )
• Marvin’s of the opinion that it’ll mostly be 8.0 running on the ASA on the lab
• It’s a good idea to read through the lab once before we start configuring ( helpful in changing firewall modes, contexts ,etc )
• Add a “description” on the catalysts if necessary ( to identify the interfaces connected to the switch ). Make this a habit. ( helps )
• Redundant interfaces
  • Multiple interfaces grouped together
  • order of configuration determines preference
• We can use both Subinterfaces and the real interface on the ASA. In case of the sub-interfaces ( e 0/1.100 VLAN 100 ), the ASA would send the packets with a dot1q tag on, in case of the interface with the actual interface ( ex : e 0/1 ), it would send it untagged.
  • So we have to program the switch to accept untagged packets in the trunk link. This can be done using native-vlans.
• Addresses, protocols and ports can be found under the “references section” of any Configuration guide for 8.X . This is cool!
• Draw out network flows for protocols running in the network to visualize what needs to be allowed.
• Routing protocols
  • ASA supports the following routing protocols :
    • static
    • Rip v1/v2
    • OSPF
    • EIGRP
  • Different OSPF areas in a firewall, can be configured under a signle process or multiple processes
  • Configuring them under one process will alow routing information to pass from one OSPF area to the other freely
  • configuring them as 2 separate processes, will logically isolate the areas. To exchange routes, we need to explicitly redistribute.
  • So be careful when you configure them under 1/separate OSPF processes.
  • Having an exact OSPF match, can be a good thing to check if we have configured the addresses correctly.
• NAT
  • Nat 0 -> Nat exemption
  • Options in NAT configuration
    • TCP/UDP maximum connection limits
    • TCP Half-open connections
    • DNS rewrite
    • Disable randomizing sequence numbers
  • By default, NAT-control is disabled.
  • NAT-control only applies for traffic between 2 interfaces of “different” security levels.
• In transparent firewall, TCP , UDP traffic is inspected by default
• “allocate-interface redundant1.3 int1 ”
• There are sample ASA configurations under the “references”section in the ASA configuration guides! -> AWESOME!
• Good practice is to save the config in a notepad file before we start Failover configuration.

IOS F/w

• The log-input command in ACL logging , logs the following info
  • list name/number
  • permit/deny
  • protocol name/number
  • source/destination IP
  • port numbers
  • MAC addresses
  • Input VC
• The first 5 are also logged when you do the “log” option instead of log-input
• The routing protocols use a “distribute-list” to filter routes
• The autocommand for Dynamic ACL’s configured on the LINE VTY 0 4 lines, blocks also legitimate management traffic
• By using the “host” keyword, the “any” in the source address portion of the ACL is replaced by the host that underwent the authentication.
  
• Thing to remember is “reflexive” ACL’s don’t wory for locally generated trarffic
• So we need to statically permit required traffic back in
• or configure local policy-routing
• we can use the “router-traffic” keyword in the CBAC inspect commands, to inspect locally generated traffic

I’m going to be starting Day 2 of the bootcamp in about 30 mins . Surf with me on the WAVE

Cheers,

TacACK