08 Aug

Cisco Firepower NGIPSv on ESXi

Secure Your Network

Cisco Firepower NGIPS is available on multiple platforms. One of deployment option you have is virtual appliance running on top of ESXi hypervisor. This product is called NGIPSv in Cisco documentation.

Using a single physical machine with ESXi hypervisor in an isolated network is one of the best ways to perform Proof of Concept (PoC) labs for IPS solution. You cannot evaluate the product without testing it in a sandbox where you can try to hack it, infect it or do any other nasty things. This way, you can in single ESXi run NGIPSv, Firepower Management Center (FMCv) and one or more VMs in the back.

Here is a quick step-by-step guide how to deploy NGIPSv in transparent mode on single ESXi host. What we want to accomplish is having NGIPSv in front of other virtual machines. In this scenario, there is no firewall, just NGIPSv sensor. It is of course not the safest, the best practice and the most flexible way to deploy sensor. You should not use it just like that in your production network. I use this setup only for quick demo purposes when I want to show how Cisco Firepower NGIPS solution is working, get network discovery working, some IPS policy and get the end host infected by malware.

Read More

18 May

Upgrading SourceFire module from 5.x to 6.x and recovery procedure

SFR Firmware packages download

Hardware failures happens. If you have active service contract you’ll get new device from Cisco with same hardware parameters. One thing you don’t know is which version of software will be installed. In almost all cases it’s not the one you are using. Installing new firewall firmware on ASA is not a problem but what if you’re running SourceFire Management Center version 6.2 but your device came with 5.x or 6.0 firmware on SFR module? Well, prepare for process that will take few hours – you need to perform recovery procedure which is one of the ways of upgrading SourceFire.

Most common cases when we have to use recovery procedure for SFR are:

  • Problems with booting the SFP module after upgrade performed from Firesight Management Center
  • First software installation on SFR (in example when we just put SSD drives in our ASA to get benefits from Sourcefire NGIPS)
  • Need to upgrade firmware but our module cannot be registered in Firesight Management Center due to firmware mismatch

Last case is the one usually happening when we get new device during RMA process. Each Firesight Management Center have list of compatible firmwares that are supported on modules and unfortunatelly backward compatibility is not full. If you run one of the most common version 6.1 or 6.2 you need to have your modules in at least 6.1 version. Recovery process require that whole memory is erased and new firmware installed.

Read More

12 May

Interfaces are important in ASAv failover on VIRL

Failover link on ASAv must be created using interface GigabitEthernet0/8

One reader asked me few days ago following question when he had problem establishing the failover in his lab: “I’ve tried to create ASA failover pair on VIRL and it was not working. I’ve looked through manual and VIRL forum for the solution. I believe that failover is supported configuration on VIRL. I think my configuration is correct, nodes can ping each other but I still cannot establish failover relationship”. Configuration he made was correct except he forgot about one thing – interfaces numbers are important when you setup failover using ASAv.

Cisco VIRL uses ASAv image for virtual firewalls. This is same image that you use in production on ESXi. That means all restrictions applies also to virtual firewall if you run it on VIRL. In this image we must configure failover link using interfaces GigabitEthernet0/8. It’s clearly stated in documentation. If we use any other interface the configuration will be accepted but failover never established.

failover lan unit primary
failover lan interface Fail-link GigabitEthernet0/8
failover replication http
failover link State-link GigabitEthernet0/7
failover interface ip Fail-link standby
failover interface ip State-link standby
failover ipsec pre-shared-key 0 FailoverKey

We also need to remember we can’t configure Active-Active failover. This mode is not supported so we have to stick to Active-Standby model. It’s direct result of lack of support for virtual contexts so remember about it as well.

13 Apr

Microsoft Operations Management Suite – powerful log analyzer in Azure (in 10 minutes for free)

Collecting and processing logs from all systems and network devices can be a nightmare for any systems admin. Searching through them and performing security audits can be a nightmare for security team if collector engine is not powerful enough to process queries in efficient time. Microsoft Operations Management Suite is interesting solution to answer both those problems and add much more analysis giving administrators visibility and control across on-premise and cloud installations.

Microsoft Operations Management Suite runs in Azure which means it’s extremely fast in processing the data. Millions of records are not problem for OMS so we can get Insights and Analytics of what is happening on our servers or workstations, detect and respond to threads or apply proper protection or even put in place some automation in controlling. It’s quick to setup and for many users it can be for free!

Read More

05 Mar

ASAv on Amazon Web Services – login issues

Have you ever tried to run ASAv image on Amazon Web Services (AWS)? Yes, in Marketplace you will find supported image of this firewall (which is actually great thing because you can run it in BYOB model where you use unlicensed mode for testing the features. Same way as you can do on your ESXi.

Deployment is easy with the creator of EC2 instance, just few clicks and there it is. Except small problem – on latest release of I was not able to connect to management interface via SSH. It should be possible by using key assigned to instance during creation but no matter what I’ve done it always asked for password.

There is small but nice workaround of this problem that also enables HTTPS access to ASAv. During the instance deployment we should put zero-day configuration that will be implemented on ASA. In documentation we even have proposal on such config which we further modify by adding HTTP/HTTPS access, additional user account, enable password and aaa local authentication.

The final zero-day configuration should look as below

interface management0/0
nameif management
security-level 100
ip address dhcp setroute
no shut
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
crypto key generate rsa modulus 2048
http server enable
http management
ssh 0 0 management
ssh timeout 30
username admin nopassword privilege 15
username admin attributes
username cisco password cisco privilege 15
enable password cisco
aaa authentication ssh console LOCAL
aaa authentication http console LOCAL
service-type admin 

This way we will be able to connect to ASAv instance via ssh/http using local accounts.

23 Jan

How to act as your own local CA and sign certificate request from ASA

There are several ways to operate on certificates. The widest spread method is by openssl library and associated command line tools. Library was not and probably is still not free of bugs. But it’s widely spread  among many operating systems which makes it a tool that easily can be used on most popular operating systems. If you are running Windows Server you can install Certificate Services component, Mac users can use Keychain Access which is core component of macOS.

While working with certificates and those tool remember about best practices. Points below are valid as of the end of 2016.

  • Use at least 2048-Bit Private Keys
  • Try to avoid wildcard certificates but remember to cover all FQDN’s in certificates
  • Use strong certificate signature algorithms – SHA256 is standard now,  SHA-1 has been deprecated
  • Use strong encryption for your connection – not really certificate related but worh notifying that TLSv1.2 is now a standard supporting strong cryptographic algorithms
  • Use complete certificate chains
  • Use strong key exchange and forward secrecy

If you want to know more about best practices you may refer to this short manual.

Read More

24 Oct

Cisco ASA REST API – Part I: Getting started

First published: 24/Oct/2016
Last update: 31/Oct/2016
ASA REST API version: 1.3.2

REST is an acronym of Representational State Transfer (REST) API. This API provide administrators an option to perform CRUD operations which is Create, Read, Update, Delete. It fully rely on HTTPS as transport protocol and requires programming skills from administrators. But if you gain some experience its a good way of learning and getting familiar with whole new world when you more program devices than configure it.

Read More

20 Apr

ASA SSH internal error and misleading messages

We all know that error messages may be misleading. Also Internet boards or vendor documentation may not be accurate or helpful, sometimes can even move troubleshooting in wrong area. Simple example from Cisco ASA showing following error message:

%ASA-6-315011: SSH session from on interface Management for user "root" disconnected by SSH server, reason: "Internal error" (0x00)

One would think that there is problem with SSH subsystem. Quick search at Google can confirm suspicious as this error happening when no RSA key is present on system. But if regenerating RSA key over and over using different modulus or changing SSH setting is not helping you doubt that’s correct reason. Truth is that on out-of-the-box ASA this is also a symptom of lack of local AAA authentication. To solve the problem you have to add:

aaa authentication enable console LOCAL 
aaa authentication http console LOCAL 
aaa authentication ssh console LOCAL

So error message was not really related nor giving correct clue what real reason of problem was. Vendors should really work on better and more detailed error messages.

03 Jul

Cisco IPS and packet capturing

I had to perform troubleshooting of management traffic exchanged between IPS module in ASA5525-X and management station. I had some communication problems resulting in denied traffic on firewall placed in between (and it’s not the ASA itself). The best option is always sniffing packet headers on either end, as I had no possibility to do it on management station IPS was the next option.
Read More