Cisco Talos | Locky Infection / Scanned file and Enabled micro
In the below scenario we will translate port 3389 which is a well known port use for RDP and it’s also a vulnerable port.
object network SVR-RDP_192.168.1.1
object network PUB-P1_126.96.36.199
II. NAT Rules (Translate Port 3389 to any custom port)
|Original Packet||Transalated Packet|
Nat (dmz,outside) tcp SVR-RDP_192.168.1.1 3389 PUB-P1_188.8.131.52 8389
On user remote via 184.108.40.206:8389
(Conf. not yet verified)
Initial checking phase 1:
Packets arriving at firewall interface are checked for basic integrity.
Integrity of packet source address, use unicast RPF used to inspect the source IP address in each incoming packet and drops spoofed packet.
Note: Not Enabled by default.
XLATE phase 2:
2nd(outgoing) and the fifth(In-coming) phase.
Translation table, Dynamically created and Static created on Xlate entry.
Connection lookup phase 3:
Stateful inspection – ASA examines and documents the state of each connection passing through it.
Connection IDlE timeout period: The timeout period was use whenever there no data thru one of this flow or connection, Once those IDLE timeout are reach, the connection aged-out on the connection table.
When ever connection is allowed thru the firewall it gonna create a flow or a connection entry in it’s connection table, When the return traffic is sent back it’s gonna match that flow in connection table and be immediately permitted to the device.
There’s a Idle timeout period for connections and whenever that timeout is reach
the connection is aged-out out of the connection table.
“set connection idle hh:mm:ss [reset]—The idle timeout period after which an established connection of any protocol closes, between 0:0:1 and 1193:0:0. The default is 1:0:0. For TCP traffic, the reset keyword sends a reset to TCP endpoints when the connection times out.
The default udp idle timeout is 2 minutes. The default icmp idle timeout is 2 seconds. The default esp and ha idle timeout is 30 seconds. For all other protocols, the default idle timeout is 2 minutes.”
ACL lookup phase 4:
A list of permit or deny statement on the firewall. It either ingressing or egressing of the interface of the firewall.
Once the access-list were applied on the firewall interface it’s become vital part of the packet inspection process because that ACL explicitly list the type of traffic can be permitted thru. If it’s not explicitly permitted it’s going to be implicitly denied.
ACL doesn’t inspect connection state, they s simply define what packet’s are permitted or deny in a single direction. By default ACL are not created or applied to any firewall interfaces. Cisco ASA uses the default security policy of security levels in order to filter traffic.
Default Security Policy(Security Levels):
Traffic sourcing to highest security level destined to lower security level is permitted.
Traffic sourcing to a lower security level to a higher security level is denied.
The only situation when traffic going from a lower security level to higher security is permitted is when it’s return traffic from a connection that was originated and initiated by a higher level security interface.
UAUTH Lookup phase 6:
Authentication – Autenticate users
Inspection Engine phase 7:
Inspection connectionles and connection-oriented protocol.
UDP Header example: Source/Destination Port / Lenght / Checksum
TCP Header example: Source/Destination Port / Sequence / ACK/ FLAGS / WINDOWING /Checksum / irgent / Options.
By Default our Cisco ASA doesn’t permit ICMP from inside to outside. Cisco ASA assign a security level to each interface.
Security levels help us to determine how trusted/safe our interfaces. The higher security level, the more trusted interface! Default Security Levels: Inside = 100 , DMZ = 50 and Outside = 0
Based on this scenario we can see that we need to add a ladder so that deadpool can go to inside area.
How to make a ladder?
Using ACL – We need to create ACL (Extended) to permit inside to outside.
Q: What is the difference standard & extended access list?
A: ACL’s are used to make filtering and classification of the traffic. Standard ACL denies/permits all traffic whereas Extended ACL selectively deny/permit some or all traffic depending on your requirement.
#access-list 100 extended permit icmp x.x.x.x x.x.x.x any echo
! We use echo to allow the icmp reply from destination.
#access-list 100 extended permit icmp any x.x.x.x x.x.x.x echo-reply
! Apply the ACL
#access-group 100 in interface outside
Using Modular Policy Framework (MPF).
Create a classmap, policymap and service policy.
Classmap – Used to identify traffic.
Policymap – Used for action, policing, dropping and prioritizing.
Service Policy – Decide where the policymap gonna do the action.
inspect icmp error
#service-policy global_policy global
84 bytes from 220.127.116.11 icmp_seq=1 ttl=45 time=141.607 ms
84 bytes from 18.104.22.168 icmp_seq=2 ttl=45 time=182.624 ms