Categories
Firewall rrdtool SonicWALL

SonicWALL Memory Leak?

My SonicWALL NSA security appliance seems to have a memory leak.  I noticed this a few days ago when I was reviewing long-term usage in my RRDTool (compliments of Cacti) graphs.

The daily and weekly graphs looked normal...

I restarted the SonicWALL a couple of weeks ago, at which time the memory utilization reset; it looks like it’s been climbing a little since then.

But when I looked at the memory usage for the past nine months or so it was pretty obvious the usage has climbed steadily over that time, resetting twice when it was restarted.

This definitely shows the usefulness of gathering long-term stats.  But I am concerned that the firewall has a memory leak so I’ll have to figure that out.

I took a look at a couple of other, older SonicWALLs, which aren’t exhibiting this behavior.

Categories
Anti-Spyware Encryption Firewall Internet Linux Passwords Security Spyware SSL Virus Scan WEP wifi Windows Windows Update WPA

Internet Safety: How to keep your computer safe on the Internet

Here are some things you can, and should, do to stay safe.

  • Stay Up-To-Date – Most virus infections don’t have to happen. Software vulnerabilities that the viruses exploit usually already have patches available by the time the virus reaches a computer. The problem? The user simply failed to install the latest patches and updates that would have prevented the infection in the first place. The solution is simple: enable automatic updates, and visit Windows Update periodically. Keeping Windows and other software up-to-date is the most important (and easiest) thing you can do to protect your computer.
  • Get Educated – To be blunt, all the protection in the world won’t save you from yourself. Don’t open attachments that you aren’t positive are okay. Don’t fall for phishing scams. Don’t click on links in email that you aren’t positive are safe. Don’t install “free” software without checking it out first – many “free” packages are free because they come loaded with spyware, adware and worse. When visiting a web site, did you get a pop-up asking if it’s ok to install some software you’re not sure of because you’ve never heard of it? Don’t say “OK”. Not sure about some security warning you’ve been given? Don’t ignore it. Choose strong passwords, and don’t share them with others.
  • Use a Firewall – A firewall is a piece of software or hardware that sits between your computer and the Internet and only allows certain types of traffic to cross. For example, a firewall may allow checking email and browsing the web, but block things that are rarely needed from the outside, such as RPC (Remote Procedure Call) traffic.
  • Virus Scan – Sometimes, typically via email, viruses are able to cross the firewall and get to your computer anyway. A virus scanner will locate and remove them from your hard disk. A real-time virus scanner will notice them as they arrive, even before they hit the disk, but at the cost of slowing down your machine a little. Important: because new viruses are arriving every day, it’s important to keep your virus definitions up-to-date. Be sure to enable the scanning software’s automatic-update feature and have it do so every day.
  • Kill Spyware – Spyware is similar to viruses in that it arrives unexpected and unannounced and proceeds to do something undesired. Normally spyware is relatively benign from a safety perspective, but it can violate your privacy by tracking the web sites you visit, or add “features” to your system that you didn’t ask for. The worst offenders are spyware that hijack normal functions for themselves. For example, some like to redirect your web searches to other sites to try and sell you something. Of course some spyware is so poorly written that it might as well be a virus, given how unstable it can make your system. The good news is that, like virus scanners, there are spyware scanners that will locate and remove the offending software.
  • Secure Your Mobile Connection – if you’re traveling and using internet hot spots, free Wifi or internet cafes, you must take extra precautions. Make sure that your web email access is via secure (https) connections, or that your regular mail is over an encrypted connection as well. Don’t let people “shoulder surf” and steal your password by watching you type it in a public place. Make sure your home Wifi has WPA security enabled if anyone can drive or walk within range; WEP can be broken in minutes with freely available tools, so treat it as no better than an open network.
  • Don’t forget the physical – an old computer adage is that “if it’s not physically secure, it’s not secure.” All of the precautions I’ve listed above are pointless if other people can get at your computer. They may not follow the safety rules I’ve laid out. A thief can easily get at all the unencrypted data on your computer if they can physically get to it. The common scenario is a laptop being stolen, but there are many reports of people who’ve been burned because a family member or roommate accessed their computer without their knowledge. 

It all might seem overwhelming, but it’s not nearly as overwhelming as an actual security problem if and when it happens to you. While we might want it to be otherwise, the practical reality of the internet, and computing today, is that we each must take responsibility for our own security online.

Categories
Cisco Encryption Firewall Linux Networking Passwords SSH SSL VPN Windows Windows 2000

Creating Client SSL VPN on Cisco ASAs

Introduction

This document describes how to allow remote access VPN connections to the ASA from the Cisco AnyConnect 2.0 client.

Prerequisites

Requirements

Ensure that you meet these requirements before you attempt this configuration:

* Basic ASA configuration that runs software version 8.0
* ASDM 6.0(2)

Components Used

The information in this document is based on these software and hardware versions:

* Cisco ASA 8.0(2), ASDM 6.0 (2)
* Cisco AnyConnect 2.0
Background Information

The Cisco AnyConnect 2.0 client is an SSL-based VPN client. The AnyConnect client can be installed and used on a variety of operating systems, such as Windows 2000, XP, Vista, Linux (multiple distributions) and Mac OS X. The AnyConnect client can be installed manually on the remote PC by the system administrator. It can also be loaded onto the security appliance and made ready for download to remote users. After the application is downloaded, it can automatically uninstall itself after the connection terminates, or it can remain on the remote PC for future SSL VPN connections. This example makes the AnyConnect client ready to download upon successful browser-based SSL authentication.

For more information on the AnyConnect 2.0 client, refer to AnyConnect 2.0 Release Notes.

Note: MS Terminal Services is not supported in conjunction with the AnyConnect client. You cannot RDP to a computer and then initiate an AnyConnect session. You cannot RDP to a client that is connected via AnyConnect.

Note: The first installation of AnyConnect requires the user to have admin rights (whether you use the standalone AnyConnect msi package or push the pkg file from the ASA). If the user does not have admin rights, a dialog box appears that states this requirement. Subsequent upgrades will not require the user that installed AnyConnect previously to have admin rights.

Configure
Step 1. Configure a Self-Issued Certificate

By default, the security appliance has a self-signed certificate that is regenerated every time the device is rebooted. You can purchase your own certificate from a vendor such as VeriSign or Entrust, or you can configure the ASA to issue an identity certificate to itself. This certificate remains the same even when the device is rebooted. Complete this step in order to generate a self-issued certificate that persists across reboots. Keep in mind that a self-signed certificate is not trusted by users’ browsers or by the AnyConnect client until it is imported into their trust stores; until then every connection shows a certificate warning, which trains users to click through exactly the warning that would flag a man-in-the-middle. For production use, a certificate from a CA your clients already trust avoids this.

ASDM Procedure

1. Click Configuration, and then click Remote Access VPN.
2. Expand Certificate Management, and then choose Identity Certificates.
3. Click Add, and then click the Add a new identity certificate radio button.
4. Click New.
5. In the Add Key Pair dialog box, click the Enter new key pair name radio button.
6. Enter a name to identify the key pair. This example uses sslvpnkeypair.
7. Click Generate Now.
8. In the Add Identity Certificate dialog box, ensure the newly created key pair is selected.
9. For Certificate Subject DN, enter the fully qualified domain name (FQDN) that will be used to connect to the VPN terminating interface. For example: CN=sslvpn.cisco.com
10. Click Advanced, and enter the FQDN used for the Certificate Subject DN field. For example, FQDN: sslvpn.cisco.com
11. Click OK.
12. Check the Generate Self Signed Certificate check box, and click Add Certificate.
13. Click OK.
14. Click Configuration, and then click Remote Access VPN.
15. Expand Advanced, and choose SSL Settings.
16. In the Certificates area, choose the interface that will be used to terminate the SSL VPN (outside), and click Edit.
17. In the Certificate drop-down list, choose the self-signed certificate that you generated earlier.
18. Click OK, and then click Apply.

Step 2. Upload and Identify the SSL VPN Client Image

This document uses the AnyConnect SSL 2.0 client. You can obtain this client at the Cisco Software Download Website. A separate AnyConnect image is required for each operating system that remote users plan to use. For more information, refer to Cisco AnyConnect 2.0 Release Notes.

Once you obtain the AnyConnect client, complete these steps:

ASDM Procedure

1. Click Configuration, and then click Remote Access VPN.
2. Expand Network (Client) Access, and then expand Advanced.
3. Expand SSL VPN, and choose Client Settings.
4. In the SSL VPN Client Images area, click Add, and then click Upload.
5. Browse to the location where you downloaded the AnyConnect client.
6. Select the file, and click Upload File. Once the client uploads, you receive a message that states the file was uploaded to flash successfully.
7. Click OK. A dialog box appears to confirm that you want to use the newly uploaded image as the current SSL VPN client image.
8. Click OK.
9. Click OK, and then click Apply.
10. Repeat the steps in this section for each operating system-specific AnyConnect package that you want to use.

Step 3. Enable AnyConnect Access

In order to allow the AnyConnect client to connect to the ASA, you must enable access on the interface that terminates SSL VPN connections. This example uses the outside interface in order to terminate AnyConnect connections.

ASDM Procedure

1. Click Configuration, and then click Remote Access VPN.
2. Expand Network (Client) Access, and then choose SSL VPN Connection Profiles.
3. Check the Enable Cisco AnyConnect VPN Client check box.
4. Check the Allow Access check box for the outside interface, and click Apply.

Step 4. Create a new Group Policy

A group policy specifies the configuration parameters that should be applied to clients when they connect. This example creates a group policy named SSLClientPolicy.

ASDM Procedure

1. Click Configuration, and then click Remote Access VPN.
2. Expand Network (Client) Access, and choose Group Policies.
3. Click Add.
4. Choose General, and enter SSLClientPolicy in the Name field.
5. Uncheck the Address Pools Inherit check box.
6. Click Select, and then click Add. The Add IP Pool dialog box appears.
7. Configure the address pool from an IP range that is not currently in use on your network. This example uses these values:
   * Name: SSLClientPool
   * Starting IP Address: 192.168.25.1
   * Ending IP Address: 192.168.25.50
   * Subnet Mask: 255.255.255.0
8. Click OK.
9. Choose the newly created pool, and click Assign.
10. Click OK, and then click More Options.
11. Uncheck the Tunneling Protocols Inherit check box.
12. Check SSL VPN Client.
13. In the left pane, choose Servers.
14. Uncheck the DNS Servers Inherit check box, and enter the IP address of the internal DNS server that the AnyConnect clients will use. This example uses 192.168.50.5.
15. Click More Options.
16. Uncheck the Default Domain Inherit check box.
17. Enter the domain used by your internal network. For example, tsweb.local.
18. Click OK, and then click Apply.

Step 5. Configure Access List Bypass for VPN Connections

When you enable this option, decrypted traffic from SSL and IPsec VPN clients is not checked against the access list on the interface where the tunnel terminates. That is convenient, but it means the outside ACL no longer says anything about what VPN users can reach; if you need to restrict them (for example to the single DNS host used in this document), apply a VPN filter, an ACL attached in the group policy, rather than relying on the interface access list.

ASDM Procedure

1. Click Configuration, and then click Remote Access VPN.
2. Expand Network (Client) Access, and then expand Advanced.
3. Expand SSL VPN, and choose Bypass Interface Access List.
4. Ensure the Enable inbound SSL VPN and IPSEC Sessions to bypass interface access lists check box is checked, and click Apply.

Step 6. Create a Connection Profile and Tunnel Group for the AnyConnect Client Connections

When VPN clients connect to the ASA, they connect to a connection profile or tunnel group. The tunnel group is used to define connection parameters for specific types of VPN connections, such as IPsec L2L, IPsec remote access, clientless SSL, and client SSL.

ASDM Procedure

1. Click Configuration, and then click Remote Access VPN.
2. Expand Network (Client) Access, and then expand SSL VPN.
3. Choose Connection Profiles, and click Add.
4. Choose Basic, and enter these values:
   * Name: SSLClientProfile
   * Authentication: LOCAL
   * Default Group Policy: SSLClientPolicy
5. Ensure the SSL VPN Client Protocol check box is checked.
6. In the left pane, expand Advanced, and choose SSL VPN.
7. Under Connection Aliases, click Add, and enter a name to which users can associate their VPN connections. For example, SSLVPNClient.
8. Click OK, and then click OK again.
9. At the bottom of the ASDM window, check the Allow user to select connection, identified by alias in the table above at login page check box, and click Apply.

Step 7. Configure NAT Exemption for AnyConnect Clients

NAT exemption should be configured for any IP addresses or ranges you want to allow the SSL VPN clients to access. In this example, the SSL VPN clients need access to the internal IP 192.168.50.5 only.

Note: If NAT-control is not enabled, this step is not required. Use the show run nat-control command to verify. In order to verify through ASDM, click Configuration, click Firewall, and choose Nat Rules. If the Enable traffic through the firewall without address translation check box is checked, you can skip this step.

ASDM Procedure

1. Click Configuration, and then click Firewall.
2. Choose Nat Rules, and click Add.
3. Choose Add NAT Exempt Rule, and enter these values:
   * Action: Exempt
   * Interface: inside
   * Source: 192.168.50.5
   * Destination: 192.168.25.0/24
   * NAT Exempt Direction: NAT Exempt outbound traffic from interface ‘inside’ to lower security interfaces (Default)
4. Click OK, and then click Apply.

Step 8. Add Users to the Local Database

If you use local authentication (the default), you must define user names and passwords in the local database for user authentication.

ASDM Procedure

1. Click Configuration, and then click Remote Access VPN.
2. Expand AAA Setup, and choose Local Users.
3. Click Add, and enter these values (the password is only an example; use a strong one in practice):
   * Username: matthewp
   * Password: p@ssw0rd
   * Confirm Password: p@ssw0rd
4. Select the No ASDM, SSH, Telnet or Console Access radio button. This limits the account to VPN logins: it cannot be used to manage the ASA even though it lives in the same local database as the administrator accounts.
5. Click OK, and then click Apply.
6. Repeat this step for additional users, and then click Save.
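The ASDM clicks in Steps 1 through 8 translate to a short running-config. The block below is an added example written for this page, not text from the original document or from Cisco; it uses the names, addresses and user from the steps above. The AnyConnect package file name, the 2048-bit key size and the SSL cipher hardening at the end are my own assumptions and additions.

```text
! Added example, not from the original document. Assumptions: the client
! package file name, the 2048-bit RSA key, and the ssl hardening at the end.

! Step 1: persistent self-signed identity certificate bound to the outside interface
crypto key generate rsa label sslvpnkeypair modulus 2048
crypto ca trustpoint localtrust
 enrollment self
 fqdn sslvpn.cisco.com
 subject-name CN=sslvpn.cisco.com
 keypair sslvpnkeypair
crypto ca enroll localtrust noconfirm
ssl trust-point localtrust outside

! Steps 2 and 3: load the client image and enable AnyConnect on the outside interface
webvpn
 enable outside
 svc image disk0:/anyconnect-win-2.0.0343-k9.pkg 1
 svc enable

! Step 4: address pool and group policy
ip local pool SSLClientPool 192.168.25.1-192.168.25.50 mask 255.255.255.0
group-policy SSLClientPolicy internal
group-policy SSLClientPolicy attributes
 vpn-tunnel-protocol svc
 dns-server value 192.168.50.5
 default-domain value tsweb.local
 address-pools value SSLClientPool

! Step 5: let decrypted VPN traffic bypass the outside interface ACL
sysopt connection permit-vpn

! Step 6: connection profile (tunnel group) with the alias shown on the login page
tunnel-group SSLClientProfile type remote-access
tunnel-group SSLClientProfile general-attributes
 default-group-policy SSLClientPolicy
tunnel-group SSLClientProfile webvpn-attributes
 group-alias SSLVPNClient enable
webvpn
 tunnel-group-list enable

! Step 7: NAT exemption for the one internal host the clients may reach
! (only needed when nat-control is enabled; the syntax changes in 8.3 and later)
access-list inside_nat0_outbound extended permit ip host 192.168.50.5 192.168.25.0 255.255.255.0
nat (inside) 0 access-list inside_nat0_outbound

! Step 8: local user restricted to VPN logins (no ASDM/SSH/Telnet/console)
username matthewp password p@ssw0rd
username matthewp attributes
 service-type remote-access

! Hardening not covered by the ASDM steps: drop RC4 from the SSL cipher list and
! negotiate TLS, so the "RC4" seen in show vpn-sessiondb output cannot be chosen
ssl encryption aes256-sha1 aes128-sha1 3des-sha1
ssl server-version tlsv1

write memory
```

Paste it into configuration mode on an 8.0(2) appliance whose interfaces are already named inside and outside. Afterwards, show vpn-sessiondb svc (below) should report AES for the session rather than RC4.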

Verify SSL VPN Client Connections

Use the show vpn-sessiondb svc command in order to verify connected SSL VPN clients.

ciscoasa(config-group-policy)#show vpn-sessiondb svc

Session Type: SVC

Username : matthewp Index : 6
Assigned IP : 192.168.25.1 Public IP : 172.18.12.111
Protocol : Clientless SSL-Tunnel DTLS-Tunnel
Encryption : RC4 AES128 Hashing : SHA1
Bytes Tx : 35466 Bytes Rx : 27543
Group Policy : SSLClientPolicy Tunnel Group : SSLClientProfile
Login Time : 20:06:59 UTC Tue Oct 16 2007
Duration : 0h:00m:12s
NAC Result : Unknown
VLAN Mapping : N/A VLAN : none

ciscoasa(config-group-policy)#

The vpn-sessiondb logoff name username command logs off users by user name. An Administrator Reset message is sent to the user when disconnected.

ciscoasa(config)#vpn-sessiondb logoff name matthewp
Do you want to logoff the VPN session(s)? [confirm]
INFO: Number of sessions with name “matthewp” logged off : 1

ciscoasa(config)#

Categories
Cisco Firewall Linux Networking Windows

ASA 5510 software 8.x ASDM firewall dashboard CLI commands

As of 8.x, the ASDM has some excellent features to allow you to track down top talkers and get a better view into your traffic flows, but each of these features (especially the Top 10 Services) uses a good bit of RAM. If you are running a 5510 or smaller, that can cause you to run out of RAM. While the ASDM gives you the option to enable these features, you need to disable them from the command line. Check what is currently enabled with show running-config threat-detection, and compare show memory before and after.

Use the ‘no’ keyword in front of any of the commands below to disable those functions:

Top 10 Access-Lists
======================================
enable
threat-detection statistics access-list
disable
no threat-detection statistics access-list

Top 10 Services (Very Memory Intensive – use only when troubleshooting)
======================================
enable
threat-detection statistics port
threat-detection statistics protocol
disable
no threat-detection statistics port
no threat-detection statistics protocol

Top 10 Sources / Top 10 Destinations (same command)
======================================
enable
threat-detection statistics host
disable
no threat-detection statistics host

Categories
Cisco Firewall FTP Linux Networking Windows

Enable DOS FTP client through ASA

This configuration allows both active-mode and so-called pseudo-passive connections from the command-line FTP client that ships with Windows (ftp.exe, which has no real passive mode and always opens active-mode data connections) through a Cisco ASA firewall. It has been tested with ASA code 7.2(3).

!–Set the ASA’s own FTP client (used by commands such as copy ftp:) to passive mode.
!–This does not change how FTP sessions passing through the firewall are handled.
ftp mode passive

!–Create inspection_default class-map to match the ASA’s default inspection traffic
class-map inspection_default
match default-inspection-traffic

!–Add the ‘inspection_default’ class to the global_policy w/ inspect ftp directive
policy-map global_policy
class inspection_default
inspect ftp

!–Apply the policy globally to all interfaces
service-policy global_policy global

What actually makes the Windows client work is the inspect ftp directive: FTP application inspection (what PIX 6.x called fixup protocol ftp) follows the PORT and PASV exchange on the control channel, opens the matching data-channel pinhole, and rewrites the embedded addresses when NAT is in play, which is exactly what an active-mode client behind the firewall needs. The ftp mode passive command only affects transfers the appliance itself initiates. Note that class-map inspection_default and policy-map global_policy with inspect ftp are part of the ASA’s factory default configuration, so on a box that still has the defaults these lines are already present; check with show running-config policy-map.

Categories
Cisco Firewall Linux Security Windows

Cisco PIX/ASA Restrict Foreign & RFC1918 IP Ranges

object-group network APNIC
network-object 43.0.0.0 255.0.0.0
network-object 58.0.0.0 254.0.0.0
network-object 60.0.0.0 254.0.0.0
network-object 114.0.0.0 254.0.0.0
network-object 116.0.0.0 252.0.0.0
network-object 120.0.0.0 252.0.0.0
network-object 124.0.0.0 254.0.0.0
network-object 126.0.0.0 255.0.0.0
network-object 169.208.0.0 255.240.0.0
network-object 202.0.0.0 254.0.0.0
network-object 210.0.0.0 254.0.0.0
network-object 218.0.0.0 254.0.0.0
network-object 220.0.0.0 254.0.0.0
network-object 222.0.0.0 254.0.0.0

object-group network AFRINIC
network-object 41.0.0.0 255.0.0.0
network-object 196.0.0.0 255.0.0.0
network-object 168.142.0.0 255.255.0.0

object-group network LACNIC
network-object 189.0.0.0 255.0.0.0
network-object 190.0.0.0 255.0.0.0
network-object 200.0.0.0 254.0.0.0

object-group network RIPE
network-object 81.0.0.0 255.0.0.0
network-object 91.0.0.0 255.0.0.0

object-group network RFC_1918
network-object 10.0.0.0 255.0.0.0
network-object 172.16.0.0 255.240.0.0
network-object 192.168.0.0 255.255.0.0
!– 224/4 (multicast) and 240/4 (reserved) are not RFC 1918 space, but neither should ever appear as a source address on the outside interface
network-object 224.0.0.0 240.0.0.0
network-object 240.0.0.0 240.0.0.0

object-group network DISALLOWED_IP
group-object APNIC
group-object LACNIC
group-object AFRINIC
group-object RFC_1918
group-object RIPE

access-list OAI remark OAI stands for Outside Access In
access-list OAI line 1 remark DENY ALL FOREIGN IP RANGES
access-list OAI line 2 extended deny ip object-group DISALLOWED_IP any
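The object groups and the single deny above are only half of a working policy: an access list enforces nothing until it is bound to an interface, and the deny has to be followed by permits for whatever services you actually publish. The block below is an added example for this page, not part of the original post; 203.0.113.10 (from the RFC 5737 documentation range) stands in for the public address of a published server, and the two services are assumptions. Two caveats worth keeping in mind: the per-RIR prefix lists above are a snapshot of allocations that change over time, so revisit them before relying on them, and a deny like this silently drops a legitimate partner who happens to sit in one of those ranges, which is why the example logs the deny.

```text
! Added example, not from the original post. 203.0.113.10 and the two
! published services (HTTPS, SMTP) are assumptions.
!
! Replace the post's deny in place (line 2) with the same rule plus "log", so
! every drop is visible as syslog message 106023 instead of failing silently.
no access-list OAI line 2 extended deny ip object-group DISALLOWED_IP any
access-list OAI line 2 extended deny ip object-group DISALLOWED_IP any log
!
! Permits are appended after the deny, so the blocked ranges never reach
! them; the ACL ends in an implicit deny, so anything unlisted is dropped too.
access-list OAI remark Published services
access-list OAI extended permit tcp any host 203.0.113.10 eq https
access-list OAI extended permit tcp any host 203.0.113.10 eq smtp
!
! Nothing is enforced until the ACL is applied inbound on the outside interface.
access-group OAI in interface outside
!
! Verify: per-ACE hit counts, with the object-groups expanded to their members.
show access-list OAI
```

After a day in production, the hit counters on the expanded DISALLOWED_IP entries tell you which of the regional blocks are actually being exercised, and the 106023 log lines tell you whether any of those hits were traffic you wanted.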

Categories
Cisco Firewall Linux Networking Security VPN Windows

Cisco PIX ASA VPN integration Active Directory IAS

Using AD to authenticate VPN users via a PIX or ASA device

aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
!– PIX 6.x syntax: the IAS server address and the RADIUS shared secret go on the host line
!– (placeholders; use the IAS server’s IP and the secret you enter in IAS)
aaa-server RADIUS (inside) host <ias-server-ip> <shared-secret> timeout 10

!– PIX 6.x: send IPsec remote-access (XAUTH) logins to the RADIUS server group
crypto map IPSEC client authentication RADIUS

  • In IAS, create a RADIUS client whose address is the inside IP of the PIX (the source of the RADIUS requests), using the shared secret above
  • Modify the remote access policy so it matches a security group that contains the VPN users
  • Events for IAS appear in the System event log
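On ASA 7.x and 8.x the same integration uses a slightly different syntax: the key and timeout become sub-mode commands under the host entry, and the server group is attached to a tunnel group rather than to the crypto map. The block below is an added example for this page, not from the original post. The IAS server address 192.168.50.10 and the shared secret are placeholders; the tunnel group is the SSLClientProfile from the SSL VPN walkthrough earlier on this page, and the same general-attributes command applies to an IPsec remote-access tunnel group.

```text
! Added example, not from the original post. 192.168.50.10 (IAS server) and
! the shared secret are placeholders; SSLClientProfile is the tunnel group
! built in the SSL VPN walkthrough above.
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server RADIUS (inside) host 192.168.50.10
 key Ch4ngeMe-Shared-Secret
 timeout 10

! Authenticate VPN logins against IAS. LOCAL is consulted only when every
! RADIUS server in the group is marked dead, not when IAS rejects a password.
tunnel-group SSLClientProfile general-attributes
 authentication-server-group RADIUS LOCAL

! Exercise the server before touching the VPN. A rejection with a known-good
! password usually means the IAS remote access policy does not allow PAP,
! which is the method the appliance sends by default.
test aaa-server authentication RADIUS host 192.168.50.10 username matthewp password p@ssw0rd
```

Run the test command from the CLI first: it isolates a wrong shared secret or a policy mismatch on the IAS side from anything VPN-related, and the corresponding failure reason shows up in the IAS server’s System event log as the post notes.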
Categories
Cisco Firewall Linux Networking Windows WireShark

Cisco ASA or PIX Packet Capture for Wireshark with PCAP

The administrator needs to create an access-list that defines what traffic the ASA needs to capture. After the access-list is defined, the capture command incorporates the access-list and applies it to an interface.

ciscoasa(config)#access-list inside_test permit icmp any host 192.168.1.1
ciscoasa(config)#access-list inside_test permit icmp host 192.168.1.1 any
ciscoasa(config)#capture inside_interface access-list inside_test interface inside

The user pings the inside interface of the ASA (ping 192.168.1.1). This output is displayed.

ciscoasa#show capture inside_interface
1: 13:04:06.284897 192.168.1.50 > 192.168.1.1: icmp: echo request

!— The user IP address is 192.168.1.50.

Note: To pull the capture file into Wireshark (formerly Ethereal), you can download it over the ASA’s HTTPS management interface, so HTTPS (ASDM) access must be enabled on that interface and the requesting host must be permitted by the http command.

!— Open a browser and use this https link format (for this example the capture name is inside_interface):

https://<ASA IP address>/capture/<capture name>/pcap
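Beyond pinging the interface, a practitioner usually wants to size the buffer, watch it fill, and get the file off the box without a browser. The following is an added example for this page, not part of the original post; 192.168.1.10 as an internal web server and 192.168.1.20 as a TFTP server on the inside network are assumptions.

```text
! Added example, not from the original post. 192.168.1.10 (web server) and
! 192.168.1.20 (TFTP server) are assumed hosts on the inside network.
!
! Capture both directions of HTTP to one server. The default buffer is 512 KB
! and the capture simply stops when it is full, so size it and make it
! circular; packet-length 1522 keeps whole frames, including a VLAN tag.
access-list web_test extended permit tcp any host 192.168.1.10 eq 80
access-list web_test extended permit tcp host 192.168.1.10 eq 80 any
capture web_cap access-list web_test interface inside buffer 5242880 circular-buffer packet-length 1522
!
! Watch it fill, then decode a few packets on the box before pulling the file.
show capture
show capture web_cap detail
!
! Export in libpcap format over TFTP for Wireshark; /pcap selects the format.
copy /pcap capture:web_cap tftp://192.168.1.20/web_cap.pcap
!
! Captures hold packets in RAM; remove them and the helper ACL when finished.
no capture web_cap
clear configure access-list web_test
```

The access-list used by a capture is matched before NAT on the capturing interface, so write it in terms of the addresses as seen on that interface; and remember that a forgotten capture keeps consuming memory until it is removed, which on a small appliance is the same problem the threat-detection post above describes.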