Monday, 29 July 2013

Cisco ASA Management


Key points
Cisco ASA supports three remote management protocols: Telnet, SSH and HTTPS (the protocol ASDM uses). Telnet and SSH each allow up to 5 concurrent sessions per security context and 100 in total across all contexts; ASDM allows 5 per context and 32 in total.
By default the ASA accepts no management connections at all: each protocol has to be enabled explicitly, and only for the source addresses and the interface named in the corresponding telnet, ssh or http command.
Telnet is a clear-text protocol. The ASA admits a Telnet session only if its source IP address is listed in the telnet command and then prompts for the login password, but the password and every keystroke after it cross the network unencrypted. Telnet should therefore never be used over an untrusted network (the ASA itself refuses Telnet on its lowest-security interface unless the session arrives through an IPsec tunnel); use SSH instead.
SSH authenticates the ASA to the administrator with the ASA's RSA host key and encrypts the whole session; the administrator is then authenticated with a password or through AAA. SSH can be used over untrusted networks; enable only version 2.
HTTPS provides ASDM access. It authenticates the ASA to the administrator with the ASA's public key carried in an X.509 certificate and, like SSH, encrypts the session, so it too can be used over untrusted networks. The ASA's default certificate is self-signed, so the browser or ASDM warns about it until a certificate signed by a CA the client trusts is installed.
A note on management-only interfaces: when an interface is configured with “ciscoasa(config-if)# management-only”, the ASA accepts and answers only traffic on that interface whose destination is the ASA itself; no transit traffic is forwarded through it, to or from any other interface. This is different from the global command “management-access inside”, which is used when the administrator wants to manage the ASA through the address of one interface (inside) while the traffic actually enters through another. The typical case is VPN: the administrator connects as a VPN client through the outside interface, from an address range that the ssh/http commands permit on inside, and management-access inside lets that session reach the ASA's inside address across the tunnel.
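The following configuration is an added example, not from the original post or from Cisco's documentation, that puts the points above together: SSH and HTTPS enabled from one admin subnet on inside, Telnet left disabled, a dedicated management-only interface, and management-access inside for VPN administrators. The admin subnet 10.10.10.0/24, the VPN pool 10.20.20.0/24, the management interface address 192.168.100.1/24 and the hostname are assumptions.

```cisco
! Added example (not from the original post). Addresses and names are hypothetical.
hostname ciscoasa
domain-name example.com
! One RSA key pair: used by SSH (host key) and by HTTPS (certificate key)
crypto key generate rsa modulus 2048

! Local admin account; AAA tells SSH and HTTPS to use it instead of the shared login password
username admin password S3cureP@ss privilege 15
aaa authentication ssh console LOCAL
aaa authentication http console LOCAL

! SSH only from the admin subnet on inside, version 2 only, idle timeout 10 minutes
ssh 10.10.10.0 255.255.255.0 inside
ssh 10.20.20.0 255.255.255.0 inside    ! VPN pool (hypothetical), reaches inside via management-access
ssh version 2
ssh timeout 10

! HTTPS/ASDM with the same source restriction
http server enable
http 10.10.10.0 255.255.255.0 inside
http 10.20.20.0 255.255.255.0 inside

! Deliberately no "telnet ..." line: Telnet stays disabled

! Dedicated management interface: the ASA answers here but never forwards through it
interface Management0/0
 nameif management
 security-level 100
 ip address 192.168.100.1 255.255.255.0
 management-only
ssh 192.168.100.0 255.255.255.0 management
http 192.168.100.0 255.255.255.0 management

! Allow VPN users arriving on outside to manage the ASA at its inside address
management-access inside

! Verification
show running-config ssh
show running-config http
show crypto key mypubkey rsa
show ssh sessions
show asdm sessions
```

The verification commands should list only the permitted subnets and interfaces; any ssh or http line naming outside without a VPN in front of it is a finding.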

Understanding HTTPS & SSH
Both HTTPS and SSH rely on an RSA key pair, generated on the ASA with crypto key generate rsa, for secure remote management of the ASA.
To understand what that key pair does, first separate two kinds of algorithm: symmetric and asymmetric.
A symmetric encryption algorithm uses the same key to encrypt and to decrypt data. Common examples are DES, 3DES, AES and IDEA. Symmetric algorithms are what VPNs use to protect the bulk of the traffic, because they are much faster and need far less CPU than asymmetric algorithms. (DES and 3DES are considered weak today; AES is the usual choice.)
Asymmetric cryptography, also called public-key cryptography, uses a key pair. One key, the public key, is published and available to anyone; the other, the private key, is known only to the device that owns the pair, and data locked with one key can be unlocked only with the other. Because these operations are very expensive in CPU, asymmetric algorithms are used to authenticate peers and to exchange keys rather than to encrypt bulk data.

Hash & HMAC: the basic tool for verifying data integrity is a cryptographic hash function, used in HTTPS/SSL/TLS, SSH and VPNs. It takes a block of data of any size and produces a small fixed-size hash value; MD5 and SHA are the common hash functions (MD5 and SHA-1 are now considered weak, and the SHA-2 family is preferred). Two computers that run the same hash function over the same data always get the same value, so the sender runs the hash over each packet and attaches the result, and the receiver runs the same hash over what it received and compares the two. A match shows the packet arrived intact. A plain hash, however, can be computed by anyone, so an attacker who alters a packet can simply recompute the hash. A Hashed Message Authentication Code (HMAC) is stronger because it includes a secret key, shared by the two peers, in the calculation: an attacker cannot inject or remove data without being noticed, because the correct HMAC cannot be recomputed without the key.

Digital signatures: when two devices want to establish a connection and make sure each is talking to the right peer, they can use digital signatures. The sender takes the data (or a packet), computes its hash, and encrypts that small hash with the sender's own private key; this encrypted hash is the digital signature. The receiver decrypts the signature with the sender's public key, recovering the hash the sender computed, and then runs the same hash function over the received data. If the two hashes match, the data is intact and, because only the holder of the private key could have produced that signature, it came from the claimed sender. This is authentication using digital signatures. What remains is for each side to know that the other's public key really belongs to the right device, and that is what digital certificates from a CA provide. When a device applies for a certificate it gives the CA its public key; the CA issues a certificate that binds that public key to the device's name and signs the certificate with the CA's private key. The devices do not trust arbitrary certificates, but they do trust certificates signed by a CA whose own certificate they hold, so they exchange certificates, verify the CA's signature on each, and take the other device's public key from its certificate.

HTTPS is HTTP carried over SSL/TLS, which secures information exchanged over the internet: data crossing a public network has to be encrypted to keep it from unauthorized parties. Online banking is the usual example. When the client's browser connects to the bank's web server, the server identifies itself by sending a copy of its digital certificate, often called an SSL certificate. The browser decides whether to trust it by verifying the CA's digital signature on the certificate against the CAs it already trusts, and also checks that the name in the certificate matches the site and that the certificate has not expired. If any of these checks fails, the browser usually shows a warning asking whether the user wants to proceed; this is exactly the warning the ASA's default self-signed ASDM certificate produces, and on an untrusted network it should not be clicked through. The server does not require the browser to prove who it is with a certificate; instead the web application authenticates the user with a username and password or similar. That credential exchange happens only after the TLS handshake has completed, during which the client and server agree on symmetric session keys, so the password and everything after it travel encrypted.
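The certificate trust described in the two paragraphs above is what an ASA administrator meets when the browser warns about the ASDM certificate. The following is an added example, not from the original post or from Cisco's documentation, of enrolling the ASA with an organisation's CA so that HTTPS/ASDM presents a certificate whose CA signature the client can verify. The trustpoint name CORP-CA, the key label ASDM-KEY and the name asa.example.com are assumptions.

```cisco
! Added example (not from the original post). Names are hypothetical.
! Separate key pair for the HTTPS certificate (the CSR carries its public key)
crypto key generate rsa label ASDM-KEY modulus 2048

crypto ca trustpoint CORP-CA
 enrollment terminal                      ! cut-and-paste enrollment, no SCEP server needed
 subject-name CN=asa.example.com,O=Example Corp
 fqdn asa.example.com
 keypair ASDM-KEY
 exit

! Step 1: paste the CA's own certificate (PEM) so the ASA can verify signatures made by it
crypto ca authenticate CORP-CA
! Step 2: the ASA prints a CSR containing the ASDM-KEY public key; submit it to the CA
crypto ca enroll CORP-CA
! Step 3: paste the identity certificate the CA signed for asa.example.com
crypto ca import CORP-CA certificate

! Present this certificate on every interface where http access is permitted
ssl trust-point CORP-CA inside
ssl trust-point CORP-CA outside

! Verify: both the CA certificate and the ASA's identity certificate must be listed
show crypto ca certificates
```

The warning disappears only if the administrator's browser or ASDM also holds CORP-CA's certificate in its trust store and connects to the name in the certificate (asa.example.com), not to a bare IP address.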



Rewriter: Vigorous.nguyen
Reference: CCNA Security & CCNP Security official guide
