Plugging the Cisco ASA Security Hole
By Drew Robb, December 17, 2009
Cisco dominates the networking hardware market, and with its Adaptive Security Appliance (ASA) it is looking to extend its reach into network security. The ASA, however, can introduce a security issue. The appliance supports both Simple Network Management Protocol (SNMP) and Flexible NetFlow, both of which can provide essential information on security threats. However, most NetFlow monitoring vendors support only earlier versions of NetFlow, not Flexible NetFlow, and thus they are blind as to the source of threatening packets.

NetFlow, originally released as part of Cisco's Internetwork Operating System (IOS) and now also used by other switch and router vendors, provides certain information on the packets flowing through a port. The network device gathers the data and exports it to a server running software to collect and report on the NetFlow data (i.e., the Collector).

Flexible NetFlow, an extension of NetFlow v9, allows administrators to specify the fields they want to gather on the packet flows. It provides enhanced optimization, reduces costs, and improves capacity planning and security detection beyond traditional flow technologies. For the ASA appliances, it solves the problem of Network Address Translation (NAT), which makes it appear that all the traffic is coming from a single host: the firewall.

"Flexible NetFlow from the ASA allows admins to see which flows were allowed or denied, which can be very helpful when trying to understand why traffic can't get through the firewall," said Mike Patterson, product manager for Plixer's Scrutinizer Flexible NetFlow collector. "Without Flexible NetFlow on the firewall, you may be operating blind."

NetFlow Security

A year ago, with the launch of the Cisco ASA 5580 products, Cisco also released a Flexible NetFlow security logging implementation called NetFlow Security Event Logging (NSEL), which is designed to scale better than syslog without sacrificing granularity.
The ASA 5580 tracks the state changes that a flow undergoes, including the flow creation, when the flow is denied by an ACL (Access Control List), and flow teardown. An NSEL record includes:
With NSEL, flow change events trigger the creation of a NetFlow record. The ASA can send syslog messages, but since the NSEL packets contain the same information, administrators can shut off redundant syslog messages to save resources. The flows can also be filtered so only certain types of events are reported and, using the Modular Policy Framework, NSEL records detailing particular types of events or types of traffic can be sent to separate collectors.

Activating NSEL

NSEL gives network and security administrators greater visibility into what is happening on the firewall, but only if the collector is capable of correctly reading and storing the Flexible NetFlow data. "Most collectors today were built expecting a very deterministic pattern of data," said Patterson. "Flexible NetFlow can send anything, and the collector must be ready to save the data in the correct format."

While traditional NetFlow uses a single template, NSEL alone can send any of 17 different templates, depending on the type of event being reported. In addition, one may want to see other data such as MAC addresses or VLAN IDs, giving rise to even more templates. So it is important to select a collector that is flexible enough to use all the features available with Flexible NetFlow. Some vendors will claim their collectors work with Flexible NetFlow or NSEL simply because Flexible NetFlow is backward compatible with NetFlow v5 and v9. Make sure to get one that is designed to collect, analyze and store Flexible NetFlow templates and data. "Flexible NetFlow is a different beast than traditional NetFlow," said Patterson.

Drew Robb is a freelance writer specializing in technology and engineering. Currently living in California, he was originally from Scotland, where he received a degree in Geology/Geography from the University of Strathclyde. He is the author of Server Disk Management in a Windows Environment (CRC Press).
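The article's central point is that an NSEL-capable collector cannot assume one fixed record layout: it has to learn each template the exporter announces and decode every data FlowSet against the template it names. The following Python collector is an added example written for this page; it is not Plixer's Scrutinizer, not Cisco code, and not taken from the article. It parses the NetFlow v9 packet format (RFC 3954), and the two templates, the addresses, ports and event codes it exports are constructed sample data. Using field type 233 (firewallEvent) to carry the NSEL event code is an assumption made for illustration.

```python
import ipaddress
import struct
from typing import Dict, List, Tuple

# Standard NetFlow v9 field types (RFC 3954, section 8). Field 233 is the IANA
# firewallEvent element; treating it as the NSEL event code is an assumption.
FIELD_NAMES = {4: "protocol", 7: "src_port", 8: "src_addr",
               11: "dst_port", 12: "dst_addr", 233: "fw_event"}

# Packet header: version, record count, sysUptime, unixSecs, sequence, sourceId
HEADER = struct.Struct("!HHIIII")


def decode_value(field_type: int, raw: bytes):
    """Render IPv4 address fields dotted; everything else as a big-endian int."""
    if field_type in (8, 12) and len(raw) == 4:
        return str(ipaddress.IPv4Address(raw))
    return int.from_bytes(raw, "big")


class NetFlowV9Collector:
    """Template-driven collector: learns layouts from template FlowSets (ID 0)
    and decodes data FlowSets (ID >= 256) with the layout they reference."""

    def __init__(self):
        # (source_id, template_id) -> [(field_type, field_length), ...]
        self.templates: Dict[Tuple[int, int], List[Tuple[int, int]]] = {}
        self.records: List[dict] = []
        self.unknown_template = 0  # data seen before its template; never guessed

    def feed(self, packet: bytes) -> int:
        version, count, _up, _secs, _seq, source_id = HEADER.unpack_from(packet, 0)
        if version != 9:
            raise ValueError(f"not a NetFlow v9 packet (version {version})")
        offset = HEADER.size
        while offset + 4 <= len(packet):
            flowset_id, length = struct.unpack_from("!HH", packet, offset)
            if length < 4 or offset + length > len(packet):
                raise ValueError("malformed FlowSet length")
            body = packet[offset + 4:offset + length]
            if flowset_id == 0:
                self._parse_templates(source_id, body)
            elif flowset_id >= 256:
                self._parse_data(source_id, flowset_id, body)
            # ID 1 (options templates) and 2-255 (reserved) are skipped here.
            offset += length
        return count

    def _parse_templates(self, source_id: int, body: bytes) -> None:
        pos = 0
        while pos + 4 <= len(body):  # trailing 1-3 bytes are padding
            template_id, field_count = struct.unpack_from("!HH", body, pos)
            pos += 4
            fields = []
            for _ in range(field_count):
                fields.append(struct.unpack_from("!HH", body, pos))
                pos += 4
            self.templates[(source_id, template_id)] = fields

    def _parse_data(self, source_id: int, template_id: int, body: bytes) -> None:
        fields = self.templates.get((source_id, template_id))
        if fields is None:
            self.unknown_template += 1  # no layout known: count it, do not guess
            return
        record_len = sum(flen for _, flen in fields)
        pos = 0
        while pos + record_len <= len(body):  # leftover bytes are padding
            rec = {"template_id": template_id}
            for ftype, flen in fields:
                rec[FIELD_NAMES.get(ftype, f"field_{ftype}")] = \
                    decode_value(ftype, body[pos:pos + flen])
                pos += flen
            self.records.append(rec)


def _flowset(flowset_id: int, body: bytes) -> bytes:
    body += b"\x00" * ((-len(body)) % 4)  # pad to a 32-bit boundary
    return struct.pack("!HH", flowset_id, len(body) + 4) + body


def build_packet(source_id: int, templates, data) -> bytes:
    """Build a v9 export packet (constructed sample, not captured from an ASA)."""
    count, flowsets = 0, []
    if templates:
        body = b""
        for tid, fields in templates:
            body += struct.pack("!HH", tid, len(fields))
            body += b"".join(struct.pack("!HH", t, n) for t, n in fields)
            count += 1
        flowsets.append(_flowset(0, body))
    for tid, records in data:
        count += len(records)
        flowsets.append(_flowset(tid, b"".join(records)))
    return HEADER.pack(9, count, 123456, 1261000000, 1, source_id) + b"".join(flowsets)


# Two constructed NSEL-style templates: a flow-created layout with ports and a
# shorter flow-denied layout without them (different field sets per event).
CREATE_TEMPLATE = [(233, 1), (8, 4), (12, 4), (4, 1), (7, 2), (11, 2)]
DENY_TEMPLATE = [(233, 1), (8, 4), (12, 4), (4, 1)]
ip = lambda s: ipaddress.IPv4Address(s).packed
CREATE_RECORD = b"\x01" + ip("10.1.1.5") + ip("203.0.113.9") + b"\x06" + struct.pack("!HH", 51514, 443)
DENIED_RECORD = b"\x03" + ip("192.0.2.77") + ip("10.1.1.5") + b"\x11"


def demo() -> NetFlowV9Collector:
    collector = NetFlowV9Collector()
    # Packet 1: data for template 257 arrives before the template itself.
    collector.feed(build_packet(1, [], [(257, [DENIED_RECORD])]))
    # Packet 2: both templates plus one record of each; now both decode.
    collector.feed(build_packet(1, [(256, CREATE_TEMPLATE), (257, DENY_TEMPLATE)],
                                [(256, [CREATE_RECORD]), (257, [DENIED_RECORD])]))
    return collector


if __name__ == "__main__":
    c = demo()
    print("skipped (no template yet):", c.unknown_template)
    for r in c.records:
        print(r)
```

A collector built for one "deterministic pattern" would read the denied-flow record with the created-flow layout and silently misreport ports that were never exported; this one keys layouts by exporter and template ID, decodes each record only against its own template, and counts rather than guesses when data outruns its template. A production collector additionally needs options templates, template refresh and expiry, and IPFIX support, none of which this example covers.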