
Identification of Security Exploits with Cisco ASA, Cisco ASASM, and Cisco FWSM Firewalls

Introduction

The Cisco Adaptive Security Appliance (ASA), Adaptive Security Appliance Services Module (ASASM), and Firewall Services Module (FWSM) are network devices that can identify threats to the network. They offer high throughput and Layer 2 through Layer 7 security protections alongside Cisco routers and switches to protect an enterprise network. This white paper provides examples of how to identify, from the firewall's own counters and logs, traffic that common mitigations have blocked. Each technology is introduced, the relevant network and mitigation details are provided, and command-line examples show how to recognize attempts to bypass these protections and exploit vulnerabilities.

This document covers the following technologies:

Transit Access Control Lists

A transit access control list (tACL) is a network layer mitigation used to protect the network from traffic that enters the network at ingress access points, which may include Internet connection points, partner and supplier connection points, or VPN connection points. Administrators are advised to deploy transit access control lists (tACLs) to perform policy enforcement. Administrators can construct a tACL by explicitly permitting only authorized traffic to enter the network at ingress access points or permitting authorized traffic to transit the network in accordance with existing security policies and configurations. More information on tACLs is in the blog Access Control: Understanding iACL vs tACL. The following example shows how to identify Session Initiation Protocol (SIP) traffic that has violated a previously established tACL called tACL-policy.

After a tACL has been applied to an interface, administrators can use the show access-list command to identify the number of SIP and SIP-TLS IP version 4 (IPv4) and IP version 6 (IPv6) packets on TCP ports 5060 and 5061 and UDP ports 5060 and 5061 that have been filtered. Administrators are advised to investigate filtered packets to determine whether they are attempts to exploit these vulnerabilities. Example output for show access-list tACL-Policy and show access-list IPv6-tACL-Policy follows:

firewall#show access-list tACL-Policy
access-list tACL-Policy; 9 elements; name hash: 0x3452703d
access-list tACL-Policy line 1 extended permit tcp host 192.168.100.1 
     192.168.60.0 255.255.255.0 eq sip (hitcnt=31)
access-list tACL-Policy line 2 extended permit tcp host 192.168.100.1 
     192.168.60.0 255.255.255.0 eq 5061 (hitcnt=61)
access-list tACL-Policy line 3 extended permit udp host 192.168.100.1 
     192.168.60.0 255.255.255.0 eq sip (hitcnt=131)
access-list tACL-Policy line 4 extended permit udp host 192.168.100.1 
     192.168.60.0 255.255.255.0 eq 5061 (hitcnt=57)
access-list tACL-Policy line 5 extended deny tcp any 192.168.60.0 
     255.255.255.0 eq sip (hitcnt=8)
access-list tACL-Policy line 6 extended deny tcp any 192.168.60.0 
     255.255.255.0 eq 5061 (hitcnt=14)
access-list tACL-Policy line 7 extended deny udp any 192.168.60.0 
     255.255.255.0 eq sip (hitcnt=30)
access-list tACL-Policy line 8 extended deny udp any 192.168.60.0 
     255.255.255.0 eq 5061 (hitcnt=13) 
access-list tACL-Policy line 9 extended deny ip any any (hitcnt=8)

In the preceding example, access list tACL-Policy has dropped the following packets received from an untrusted host or network:

  • 8 SIP packets on TCP port 5060 for ACE line 5
  • 14 packets on TCP port 5061 for ACE line 6
  • 30 SIP packets on UDP port 5060 for ACE line 7
  • 13 packets on UDP port 5061 for ACE line 8

firewall#show access-list IPv6-tACL-Policy
ipv6 access-list IPv6-tACL-Policy; 9 elements; name hash: 0x566a4229
ipv6 access-list IPv6-tACL-Policy line 1 permit tcp host 2001:db8:1:100::1 
     2001:db8:1:60::/64 eq sip (hitcnt=59) 
ipv6 access-list IPv6-tACL-Policy line 2 permit tcp host 2001:db8:1:100::1 
     2001:db8:1:60::/64 eq 5061 (hitcnt=28) 
ipv6 access-list IPv6-tACL-Policy line 3 permit udp host 2001:db8:1:100::1 
     2001:db8:1:60::/64 eq sip (hitcnt=124) 
ipv6 access-list IPv6-tACL-Policy line 4 permit udp host 2001:db8:1:100::1 
     2001:db8:1:60::/64 eq 5061 (hitcnt=81) 
ipv6 access-list IPv6-tACL-Policy line 5 deny tcp any 
     2001:db8:1:60::/64 eq sip (hitcnt=47) 
ipv6 access-list IPv6-tACL-Policy line 6 deny tcp any 
     2001:db8:1:60::/64 eq 5061 (hitcnt=33) 
ipv6 access-list IPv6-tACL-Policy line 7 deny udp any 
     2001:db8:1:60::/64 eq sip (hitcnt=216) 
ipv6 access-list IPv6-tACL-Policy line 8 deny udp any 
     2001:db8:1:60::/64 eq 5061 (hitcnt=137) 
ipv6 access-list IPv6-tACL-Policy line 9 deny ip any any (hitcnt=27)

In the preceding example, access list IPv6-tACL-Policy has dropped the following packets received from an untrusted host or network:

  • 47 SIP packets on TCP port 5060 for ACE line 5
  • 33 packets on TCP port 5061 for ACE line 6
  • 216 SIP packets on UDP port 5060 for ACE line 7
  • 137 packets on UDP port 5061 for ACE line 8

In addition, syslog message 106023 can provide valuable information, which includes the source and destination IP address, the source and destination port numbers, and the IP protocol for the denied packet.

Firewall Access List Syslog Messages

Syslog messages from transit network devices can provide insight into and context for security events that may not be available from other sources. This insight aids in determining the validity and extent of an incident. Within the context of a security incident, administrators can use syslog messages to understand communication relationships, timing, and, in some cases, the attacker's motives and/or tools. These events should be considered complementary and should be used in conjunction with other forms of network monitoring that may already be in place.

Firewall syslog message 106023 will be generated for packets denied by an access control entry (ACE) that does not have the log keyword present. Additional information about this syslog message is in Cisco ASA 5500 Series System Log Message, 8.2 - 106023.

Information about configuring syslog for the Cisco ASA 5500 Series Adaptive Security Appliance is in Monitoring - Configuring Logging. Information about configuring syslog on the Cisco Catalyst 6500 Series ASA Services Module is in Configuring Logging. Information about configuring syslog on the FWSM for Cisco Catalyst 6500 Series Switches and Cisco 7600 Series Routers is in Monitoring the Firewall Services Module.

In the following example, the show logging | grep regex command extracts syslog messages from the logging buffer on the firewall. These messages provide additional information about denied packets that could indicate potential attempts to exploit security vulnerabilities. It is possible to use different regular expressions with the grep keyword to search for specific data in the logged messages.

Additional information about regular expression syntax is in Creating a Regular Expression.

firewall#show logging | grep 106023
  Sep 24 2013 00:15:13: %ASA-4-106023: Deny udp src outside:192.0.2.18/2944 
         dst inside:192.168.60.191/161 by access-group "tACL-Policy"
  Sep 24 2013 00:15:13: %ASA-4-106023: Deny udp src outside:192.0.2.200/2945 
         dst inside:192.168.60.33/161 by access-group "tACL-Policy"
  Sep 24 2013 00:15:13: %ASA-4-106023: Deny udp src outside:2001:db8:2::2:172/2951
         dst inside:2001:db8:1:60::23/161 by access-group "IPv6-tACL-Policy"
firewall#

In the preceding example, the messages logged for the tACL tACL-Policy and IPv6-tACL-Policy show potentially spoofed Simple Network Management Protocol (SNMP) packets for UDP port 161 sent to the address block assigned to affected devices.
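As an added example (not part of the original paper), the following Python parses 106023 messages copied from show logging, re-joins the wrapped continuation lines, keeps IPv6 addresses intact, and tallies denied packets per access group and destination port together with the number of distinct sources. The sample log is constructed from the output above.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample modelled on the "show logging | grep 106023" output above.
# Long messages wrap onto an indented continuation line, as the firewall prints them.
SAMPLE_LOG = """\
firewall#show logging | grep 106023
  Sep 24 2013 00:15:13: %ASA-4-106023: Deny udp src outside:192.0.2.18/2944
         dst inside:192.168.60.191/161 by access-group "tACL-Policy"
  Sep 24 2013 00:15:13: %ASA-4-106023: Deny udp src outside:192.0.2.200/2945
         dst inside:192.168.60.33/161 by access-group "tACL-Policy"
  Sep 24 2013 00:15:13: %ASA-4-106023: Deny udp src outside:2001:db8:2::2:172/2951
         dst inside:2001:db8:1:60::23/161 by access-group "IPv6-tACL-Policy"
firewall#
"""

# TCP/UDP form of message 106023 as shown on this page. Addresses are captured as
# "everything up to the slash" so an IPv6 address, which contains colons itself,
# is not cut at the wrong colon. The ICMP variant (type/code fields) is not matched.
MSG_106023 = re.compile(
    r"(?P<ts>\w{3}\s+\d+\s+\d{4}\s+\d\d:\d\d:\d\d):\s+%ASA-(?P<sev>\d)-106023:\s+"
    r"Deny\s+(?P<proto>\S+)\s+src\s+(?P<src_if>[^:\s]+):(?P<src>[^/\s]+)/(?P<sport>\d+)\s+"
    r"dst\s+(?P<dst_if>[^:\s]+):(?P<dst>[^/\s]+)/(?P<dport>\d+)\s+"
    r'by\s+access-group\s+"(?P<acl>[^"]+)"'
)


def reassemble(text):
    """Re-join wrapped lines so each list item is one complete syslog message.

    A line containing "%ASA-" starts a new message; an indented line that follows
    continues it; anything else (prompt echo, blank lines) is discarded.
    """
    messages = []
    for line in text.splitlines():
        if "%ASA-" in line:
            messages.append(line.strip())
        elif messages and line[:1].isspace() and line.strip():
            messages[-1] += " " + line.strip()
    return messages


def parse_106023(text):
    """Return one dict per 106023 message: protocol, interfaces, addresses, ports, ACL."""
    records = []
    for msg in reassemble(text):
        m = MSG_106023.search(msg)
        if not m:
            continue  # a different message ID, or an ICMP-form 106023
        rec = m.groupdict()
        rec["sport"], rec["dport"] = int(rec["sport"]), int(rec["dport"])
        # ipaddress validates both families and records which one this was
        rec["family"] = ipaddress.ip_address(rec["src"]).version
        records.append(rec)
    return records


def summarise(records):
    """Per (access-group, protocol, destination port): denied packets and distinct sources.

    Many distinct sources hitting one denied port is the pattern the text above
    asks administrators to investigate.
    """
    hits = defaultdict(int)
    sources = defaultdict(set)
    for r in records:
        key = (r["acl"], r["proto"], r["dport"])
        hits[key] += 1
        sources[key].add(r["src"])
    return {k: (hits[k], len(sources[k])) for k in hits}


if __name__ == "__main__":
    recs = parse_106023(SAMPLE_LOG)
    for (acl, proto, port), (n, distinct) in sorted(summarise(recs).items()):
        print(f"{acl}: {n} {proto}/{port} packets denied from {distinct} distinct source(s)")
```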

Additional information about syslog messages for Cisco ASA Series Adaptive Security Appliances is in Cisco ASA 5500 Series System Log Messages, 8.2. Additional information about syslog messages for Cisco Catalyst 6500 Series ASA Services Module is in the Analyzing Syslog Messages section of the Cisco ASASM CLI Configuration Guide. Additional information about syslog messages for the Cisco FWSM is in Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Logging System Log Messages.

For additional information about investigating incidents using syslog events, see the Identifying Incidents Using Firewall and IOS Router Syslog Events Cisco Security Intelligence Operations white paper.

Application Layer Protocol Inspection

Application layer protocol inspection (ALPI) is a technology built into the Cisco ASA that provides deep packet inspection (DPI) of protocols that contain embedded data or that open secondary ports (such as FTP). For these more complex protocols it provides more comprehensive security coverage than simple stateful inspection, at a possible cost in network throughput.

For additional information about Cisco ASA ALPI, see Getting Started With Application Layer Protocol Inspection.

Although the Cisco ASA provides ALPI for many different application layer protocols, only HTTP, Domain Name System (DNS), and SNMP are discussed in this paper. For a more comprehensive list, see Configuring Application Inspection.

HTTP Application Layer Protocol Inspection

Firewall syslog message 415006 will be generated when the URI matches a user-defined regular expression. The syslog message will identify the corresponding HTTP class and HTTP policy and indicate the action applied to the HTTP connection. Additional information about this syslog message is in Cisco ASA 5500 Series System Log Message, 8.2 - 415006.

Firewall syslog message 415007 will be generated when an HTTP message body matches a user-defined regular expression. The syslog message will identify the corresponding HTTP class and HTTP policy and indicate the action applied to the HTTP connection. Additional information about this syslog message is in Cisco ASA 5500 Series System Log Message, 8.2 - 415007.

Information about configuring syslog for the Cisco ASA 5500 Series Adaptive Security Appliance is in Monitoring - Configuring Logging. Information about configuring syslog for the Cisco Catalyst 6500 Series ASA Services Module is in Configuring Logging. Information about configuring syslog on the FWSM for Cisco Catalyst 6500 Series Switches and Cisco 7600 Series Routers is in Monitoring the Firewall Services Module.

In the following example, the show logging | grep regex command extracts syslog messages from the logging buffer on the firewall. These messages provide additional information about denied packets that could indicate attempts to exploit security vulnerabilities. Administrators can use different regular expressions with the grep keyword to search for specific data in the logged messages.

Additional information about regular expression syntax is in Creating a Regular Expression.

The following HTTP inspection example shows connections being dropped because the HTTP message body matched regex patterns associated with a vulnerable ActiveX control.

HTTP Application Inspection

firewall#show logging | grep 415006
  Sep 24 2013 14:36:20: %ASA-5-415006: HTTP - matched Class 23: 
         MS11-001_regex_class in policy-map http_Policy, URI matched - 
         Dropping connection from inside:192.168.60.88/2135 to 
         outside:192.0.2.63/80
  Sep 24 2013 14:37:02: %ASA-5-415006: HTTP - matched Class 26: 
         MS11-001_regex_class in policy-map http_Policy, URI matched - 
         Dropping connection from inside:192.168.60.71/1830 to 
         outside:192.0.2.63/80
firewall#show logging | grep 415007
  Sep 24 2013 14:35:54: %ASA-5-415007: HTTP - matched Class 22: 
         vulnerable-activeX-Class in policy-map http_Policy, Body matched - 
         Dropping connection from inside:192.168.60.85/2130 to 
         outside:192.0.2.63/80
  Sep 24 2013 14:35:55: %ASA-5-415007: HTTP - matched Class 20: 
         vulnerable-activeX-Class in policy-map http_Policy, Body matched - 
         Dropping connection from inside:192.168.60.86/2133 to 
         outside:192.0.2.63/80
  Sep 24 2013 14:36:03: %ASA-5-415007: HTTP - matched Class 24:
         vulnerable-activeX-Class in policy-map http_Policy, Body matched - 
         Dropping connection from inside:192.168.60.87/2129 to 
         outside:192.0.2.63/80

With HTTP application inspection enabled, the show service-policy inspect protocol command will identify the number of HTTP packets that are inspected and dropped by this feature. The following example shows output for show service-policy inspect http:

firewall# show service-policy inspect http
Global policy: 
  Service-policy: global_policy
    Class-map: inspection_default
    Class-map: Webports_Class
      Inspect: http http_Policy, packet 5025, drop 20, reset-drop 0
       protocol violations
          packet 0        
       match response body regex class vulnerable_activeX_class
         drop-connection log, packet 13
       match response body regex class MS11-001_regex_class
         drop-connection log, packet 7

In the preceding example, 5025 HTTP packets have been inspected and 20 HTTP packets have been dropped.

Additional information about HTTP ALPI is in the HTTP Inspection section of the ALPI paper.

DNS Application Layer Protocol Inspection

Firewall syslog message 410003 will be generated when a DNS message matches a user-defined regular expression. The syslog message will identify the corresponding DNS class and indicate the action that is applied to the DNS message. Additional information about this syslog message is in Cisco ASA 5500 Series System Log Message, 8.2 - 410003.

Information about configuring syslog for the Cisco ASA 5500 Series Adaptive Security Appliance is in Monitoring - Configuring Logging. Information about configuring syslog for the Cisco Catalyst 6500 Series ASA Services Module is in Configuring Logging. Information about configuring syslog on the FWSM for Cisco Catalyst 6500 Series Switches and Cisco 7600 Series Routers is in Monitoring the Firewall Services Module.

In the following example, the show logging | grep regex command extracts syslog messages from the logging buffer on the firewall. These messages provide additional information about denied packets that could indicate attempts to exploit these vulnerabilities. Administrators can use different regular expressions with the grep keyword to search for specific data in the logged messages.

Additional information about regular expression syntax is in Creating a Regular Expression.

The following example shows DNS inspection that blocks DNS queries that are asking for IP addresses of known malicious domains.

DNS Application Inspection

firewall# show logging | grep 410003
  Sep 24 2013 20:27:43: %ASA-4-410003: DNS Classification:
         Dropped DNS request (id 13650) from 
         inside:192.168.60.70/1027 to outside:192.0.2.56/53;
         matched Class 27: match domain-name regex class 
         malicious-Domains
  Sep 24 2013 20:27:48: %ASA-4-410003: DNS Classification:
         Dropped DNS request (id 13650) from 
         inside:192.168.60.70/1027 to outside:191.0.2.120/53;
         matched Class 27: match domain-name regex class 
         malicious-Domains

With DNS application inspection enabled, the show service-policy inspect protocol command will identify the number of DNS packets that are inspected and dropped by this feature. The following example shows output for show service-policy inspect dns:

firewall# show service-policy inspect dns
Global policy: 
  Service-policy: global_policy
    Class-map: inspection_default
      Inspect: dns malicious-Drop, packet 239, drop 3, reset-drop 0
        message-length maximum 512, drop 0
        dns-guard, count 114
        protocol-enforcement, drop 0
        nat-rewrite, count 0
        match not header-flag QR
          match question
            match domain-name regex class malicious-Domains
              drop log, packet 3

In the preceding example, 239 DNS packets have been inspected and 3 DNS packets have been dropped.

Additional information about DNS ALPI is in the DNS Inspection section of the ALPI paper.

SNMP Application Layer Protocol Inspection

Firewall syslog message 416001 will be generated when an SNMP packet is dropped. The syslog message will identify the SNMP version of the dropped packet. Additional information about this syslog message is in Cisco ASA 5500 Series System Log Message, 8.2 - 416001.

Information about configuring syslog for the Cisco ASA 5500 Series Adaptive Security Appliance is in Monitoring - Configuring Logging. Information about configuring syslog on the FWSM for Cisco Catalyst 6500 Series Switches and Cisco 7600 Series Routers is in Monitoring the Firewall Services Module.

In the following example, the show logging | grep regex command extracts syslog messages from the logging buffer on the firewall. These messages provide additional information about denied packets that could indicate attempts to exploit security vulnerabilities. Administrators can use different regular expressions with the grep keyword to search for specific data in the logged messages.

The following SNMP inspection example shows SNMP version 3 packets being dropped.

SNMP Application Inspection

firewall# show logging | grep 416001
  Sep 24 2013 22:03:49: %ASA-4-416001: Dropped UDP SNMP packet
         from outside:192.168.60.63/32769 to inside:192.168.60.42/161;
         version (3) is not allowed thru the firewall
  Sep 24 2013 22:03:50: %ASA-4-416001: Dropped UDP SNMP packet 
         from outside:192.168.60.63/32769 to inside:192.168.60.42/161; 
         version (3) is not allowed thru the firewall
  Sep 24 2013 22:03:51: %ASA-4-416001: Dropped UDP SNMP packet 
         from outside:192.168.60.63/32769 to inside:192.168.60.42/161;
         version (3) is not allowed thru the firewall
  Sep 24 2013 22:03:52: %ASA-4-416001: Dropped UDP SNMP packet 
         from outside:192.168.60.63/32769 to inside:192.168.60.42/161;
         version (3) is not allowed thru the firewall

With SNMP inspection enabled, the show service-policy command will identify the number of SNMP packets inspected and dropped by this feature. The following example shows output for show service-policy:

firewall# show service-policy | include snmp             
     Inspect: snmp deny_SNMPv3, packet 236, drop 6, reset-drop 0
firewall#

In the preceding example, 236 SNMP packets have been inspected and 6 SNMP packets have been dropped.

Additional information about SNMP ALPI is in the SNMP Inspection section of the ALPI paper.

Threat Detection

Cisco Adaptive Security Appliance supports the threat detection feature in software releases 8.0 and later. Using basic threat detection, the security appliance monitors the rate of dropped packets and security events with the following reasons:

  • Denial by access lists
  • Bad packet format (such as invalid-ip-header or invalid-tcp-hdr-length)
  • Connection limits exceeded (both system-wide resource limits and limits set in the configuration)
  • DoS attack detected (such as an invalid stateful packet inspection (SPI), Stateful Firewall check failure)
  • Basic firewall checks failed (This option is a combined rate that includes all firewall-related packet drops in this bulleted list. It does not include non-firewall-related drops such as interface overload, packets failed at application inspection, and scanning attack detected.)
  • Suspicious ICMP packets detected
  • Packets failed application inspection
  • Interface overload
  • Scanning attack detected (This option monitors scanning attacks; for example, the first TCP packet is not a SYN packet, or the TCP connection failed the three-way handshake. Full scanning threat detection [see Configuring Scanning Threat Detection for more information] takes this scanning attack rate information and acts on it by classifying hosts as attackers and automatically shunning them, for example.)
  • Incomplete session detection such as TCP SYN attack detected or no data UDP session attack detected

Basic threat detection gathers statistics for these threats and generates syslog message 733100 when the Cisco ASA or Cisco ASASM detects one. Adjust the threat-detection rate scanning-threat rate-interval command to increase or reduce the number of these syslog messages according to the security policy established for your network. Advanced threat detection records statistics for threats on an access-list, host, protocol, or port basis and is configured with the threat-detection statistics command.

Caution: Configuring advanced threat detection statistics can have a significant impact on the device's CPU.

More information about configuring threat detection for the Cisco ASA 5500 Series Adaptive Security Appliance is in Configuring Threat Detection. Information about configuring threat detection for the Cisco Catalyst 6500 Series ASA Services Module is in Configuring Threat Detection.

To enable threat detection, enter the threat-detection basic-threat command.

With basic threat detection properly configured, administrators can use the show threat-detection rate command (optionally narrowed to one category, for example show threat-detection rate conn-limit-drop) to display the threat events the Cisco ASA or Cisco ASASM has detected. The following example shows 20 SYN attack-related events per second with 223 SYN Trigger events within the burst interval, 30 Scanning attack-related events per second with 451 Scanning Trigger events within the burst interval, and 28471 Connection Limit events in the burst interval. Taken together, these could indicate an ongoing SYN flood.

firewall# show threat-detection rate
                          Average(eps)    Current(eps) Trigger      Total events
  10-min ACL  drop:                  1              10       0               983
  1-hour ACL  drop:                  0               0       0               983
  10-min SYN attck:                  2              20     223              1982
  1-hour SYN attck:                  0               0      87              1982
  10-min  Scanning:                  3              30     451              2269
  1-hour  Scanning:                  0               0     154              2269
  10-min Conn limt:              37923           28471     141          22754052
  1-hour Conn limt:              12132           31485      58          43677273
  10-min  Bad pkts:                  0               0       0                 4
  1-hour  Bad pkts:                  0               0       0                 4
  10-min  Firewall:                  1              10       0               987
  1-hour  Firewall:                  0               0       0               987
  10-min Interface:                  1               0       0               851
  1-hour Interface:                  0               0       0               851
firewall#
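As an added example (not part of the original paper), the following Python parses the show threat-detection rate table into per-category rows and applies two checks a monitoring script would want: which categories fired their configured trigger in the 10-minute interval, and which show a current rate far above the interval average. The sample table is constructed from the output above; the burst factor of 5 is an assumed threshold, not a Cisco default.

```python
import re

# Constructed sample laid out like the "show threat-detection rate" output above.
SAMPLE_RATE = """\
firewall# show threat-detection rate
                          Average(eps)    Current(eps) Trigger      Total events
  10-min ACL  drop:                  1              10       0               983
  1-hour ACL  drop:                  0               0       0               983
  10-min SYN attck:                  2              20     223              1982
  1-hour SYN attck:                  0               0      87              1982
  10-min  Scanning:                  3              30     451              2269
  1-hour  Scanning:                  0               0     154              2269
  10-min Conn limt:              37923           28471     141          22754052
  1-hour Conn limt:              12132           31485      58          43677273
  10-min  Bad pkts:                  0               0       0                 4
  1-hour  Bad pkts:                  0               0       0                 4
  10-min  Firewall:                  1              10       0               987
  1-hour  Firewall:                  0               0       0               987
  10-min Interface:                  1               0       0               851
  1-hour Interface:                  0               0       0               851
firewall#
"""

# One data row: interval, category label (may contain double spaces), four counters.
ROW = re.compile(
    r"^\s*(?P<interval>10-min|1-hour)\s+(?P<category>[^:]+?):\s+"
    r"(?P<average>\d+)\s+(?P<current>\d+)\s+(?P<trigger>\d+)\s+(?P<total>\d+)\s*$"
)


def parse_rates(text):
    """Return {category: {interval: {"average", "current", "trigger", "total"}}}.

    The prompt echo, the column header and blank lines do not match ROW and are skipped.
    """
    table = {}
    for line in text.splitlines():
        m = ROW.match(line)
        if not m:
            continue
        category = re.sub(r"\s+", " ", m["category"].strip())  # "ACL  drop" -> "ACL drop"
        table.setdefault(category, {})[m["interval"]] = {
            k: int(m[k]) for k in ("average", "current", "trigger", "total")
        }
    return table


def triggered(table, interval="10-min"):
    """Categories whose configured rate threshold fired at least once in the interval."""
    return sorted(
        c for c, by_int in table.items() if by_int.get(interval, {}).get("trigger", 0) > 0
    )


def bursting(table, factor=5, interval="10-min"):
    """Categories whose current rate is at least `factor` times the interval average.

    A current rate of 0 is never a burst, which also keeps an all-zero row
    (Bad pkts above) from being flagged when the average is 0.
    """
    out = []
    for c, by_int in table.items():
        row = by_int.get(interval)
        if row and row["current"] > 0 and row["current"] >= factor * row["average"]:
            out.append(c)
    return sorted(out)


def syn_flood_suspected(table):
    """Heuristic taken from the text above: SYN attack and connection-limit triggers firing together."""
    return {"SYN attck", "Conn limt"} <= set(triggered(table))


if __name__ == "__main__":
    rates = parse_rates(SAMPLE_RATE)
    print("triggered:", triggered(rates))
    print("bursting: ", bursting(rates))
    print("SYN flood suspected:", syn_flood_suspected(rates))
```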

Spoofing Protection Using Unicast Reverse Path Forwarding

Unicast Reverse Path Forwarding (uRPF) is a technology used to help limit the malicious traffic on an enterprise network. It works by enabling a router to verify the reachability of the source address in packets being forwarded. This capability can limit the appearance of spoofed addresses on a network.

uRPF is configured at the interface level and can detect and drop packets that lack a verifiable source IP address. Administrators should not rely on uRPF to provide complete spoofing protection because spoofed packets may enter the network through a uRPF-enabled interface if an appropriate return route to the source IP address exists. In an enterprise environment, uRPF may be enabled at the Internet edge and at the internal access layer on the user-supporting Layer 3 interfaces.

For additional information about the configuration and use of uRPF, see the Cisco Security Appliance Command Reference for ip verify reverse-path and the Understanding Unicast Reverse Path Forwarding Cisco Security Intelligence Operations white paper.

Unicast Reverse Path Forwarding

Firewall syslog message 106021 will be generated for packets denied by uRPF. Additional information about this syslog message is in Cisco ASA 5500 Series System Log Message, 8.2 - 106021.

Information about configuring syslog for the Cisco ASA 5500 Series Adaptive Security Appliance is in Monitoring - Configuring Logging. Information about configuring syslog for the Cisco Catalyst 6500 Series ASA Services Module is in Configuring Logging. Information about configuring syslog on the FWSM for Cisco Catalyst 6500 Series Switches and Cisco 7600 Series Routers is in Monitoring the Firewall Services Module.

In the following example, the show logging | grep regex command extracts syslog messages from the logging buffer on the firewall. These messages provide additional information about denied packets that could indicate potential attempts to exploit security vulnerabilities. It is possible to use different regular expressions with the grep keyword to search for specific data in the logged messages.

Additional information about regular expression syntax is in Creating a Regular Expression.

The following example shows packets failing a uRPF check and being dropped.

firewall#show logging | grep 106021
  Sep 24 2013 00:15:13: %ASA-1-106021: Deny UDP reverse path check from
         192.168.60.1 to 192.168.60.100 on interface outside
  Sep 24 2013 00:15:13: %ASA-1-106021: Deny UDP reverse path check from
         192.168.60.1 to 192.168.60.100 on interface outside
  Sep 24 2013 00:15:13: %ASA-1-106021: Deny TCP reverse path check from
         192.168.60.1 to 192.168.60.100 on interface outside

The show asp drop command can also identify the number of packets that the uRPF feature has dropped, as shown in the following example:

firewall#show asp drop frame rpf-violated
  Reverse-path verify failed 11
firewall#

In the preceding example, uRPF has dropped 11 IP packets received on interfaces with uRPF configured. Absence of output indicates that the uRPF feature on the firewall has not dropped packets.

For additional information about debugging accelerated security path dropped packets or connections, see the Cisco Security Appliance Command Reference for show asp drop.

TCP Normalization

TCP normalization is an ASA feature that identifies abnormal TCP packets and acts on them when they are detected. Packets can be allowed, cleared, or dropped altogether. It is enabled by default on the ASA but can be tuned.

For additional information, see TCP Normalization Overview.

For the Cisco ASA 5500 Series Adaptive Security Appliance and Cisco Catalyst 6500 Series ASA Services Module, the show asp drop command can identify the number of packets that the TCP normalization feature has dropped, as shown in the following example:

firewall# show asp drop frame tcp-rstfin-ooo
  TCP RST/FIN out of order (tcp-rstfin-ooo)             11
firewall#

In the preceding example, TCP normalization has dropped 11 RST or FIN packets with an incorrect TCP sequence number. Absence of TCP RST/FIN out of order (tcp-rstfin-ooo) output indicates that TCP normalization on the firewall has not dropped any RST or FIN packets with incorrect TCP sequence numbers.

Due to architectural differences, show asp drop output is not available for the Cisco Firewall Services Module.

For additional information about debugging accelerated security path dropped packets or connections, see the Cisco Security Appliance Command Reference for show asp drop.

Conclusion

This white paper covered how to identify, on the Cisco ASA, ASASM, and FWSM, whether deployed mitigations have blocked attempts to bypass protections and exploit vulnerabilities. Administrators can adapt the show commands used in this document to their own needs to determine whether firewall policies deployed to mitigate particular vulnerabilities or threats have blocked exploit attempts against them.

Resources


This document is part of Cisco Security Research & Operations.

This document is provided on an "as is" basis and does not imply any kind of guarantee or warranty, including the warranties of merchantability or fitness for a particular use. Your use of the information on the document or materials linked from the document is at your own risk. Cisco reserves the right to change or update this document at any time.
