
hotspot filtering list

lcaruso
Level 6

Hi,

I'm configuring a hotspot port on an ASA and was wondering if anyone had an outbound ACL handy that would cover most of the stuff likely related to hacking. Just thought if you already had the list, why reinvent it? Thanks if you can share.



m.kafka
Level 4

I'm afraid that question is too dynamic in nature. Hijacking is a highly dynamic thing; hostnames, IP addresses, attack vectors etc. change often and fast.

If you have the budget, some content security like CSC-SSM or the Ironport solution will help you stay current with protection against threats from the Internet, including but not limited to phishing sites etc.

Other mitigation techniques against hijacking can be implemented through IPS, depends on what exactly your threat scenario is.

Again, other mitigation techniques could be implemented with very little effort, like anti-spoofing ACLs, DHCP Snooping and Dynamic ARP Inspection etc., depending on the platform you have available. Also the Cisco WLAN controllers have some built-in IPS functionality, some of which could be helpful to prevent some types of hijacking. But again the field is too wide for a few simple copy&paste lines for your config.

Hijacking is a very broad field, including many different techniques and attack vectors on virtually every layer of the ISO model. To work out a functioning and working protection against hijacking you will need a thorough analysis of your threat scenario and your available equipment. In most cases a simple ACL is not sufficient.

Regards,

MiKa

Thanks for your reply--well thought out and informative. I agree the question attempts to relegate a subject worthy of its own library down to a simplistic, non-existent solution.

Can you easily summarize the difference between CSC-SSM and Ironport?

This site will be using an ASA 5505. Are DHCP Snooping and Dynamic ARP Inspection etc. only available on higher platforms?

It's hard to know in advance what people who take advantage of hotspots for nefarious activities might do, so I would attempt to rely on others who have already had experience sufficient to enumerate typical examples, but again, that's the subject of at least one book.

I have all of the obvious stuff in place that the 5505 offers, and it offers a lot for the price.

If the wireless hotspot is to be used by guests and/or visitors on your network I would look at the following:

- Assign the wireless clients a subnet that is not advertised to other routers in your internal network. That way they can only route out the Internet.

- Police the amount of Internet traffic that the guests can consume. This is to prevent them impacting on the production network.

- If the wireless AP is connected to a switch you can configure DHCP snooping and dynamic ARP inspection there. Also consider using VRF lite to separate out the wireless traffic from your internal network.

- Don't assign the guests your internal DNS server. Rather assign them one of the public DNS servers like Google's. This will prevent them from being able to resolve the IP addresses of your internal servers from their DNS names.

- Depending on your infrastructure you could enable Netflow to monitor the sites that these guests are visiting.

- If you don't have the budget you could enable HTTP inspection to block access to peer to peer file sharing, instant messaging and tunneling applications on your ASA.

Cheers

Sean
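The guest-segment design Sean lists above (an isolated subnet with no route to the inside, public DNS, rate policing, HTTP inspection on the ASA) together with the anti-spoofing ACL MiKa mentions, written out for an ASA 5505 as it would be pasted into the CLI. This is an added example for this page, not configuration posted by anyone in the thread. The VLAN number, the switchport, the 192.168.50.0/24 guest subnet, the 2 Mbit/s policing rate and the ACL and object names are assumptions; the NAT statement uses the 8.3+ object syntax (older releases use nat/global instead), and the `no forward interface Vlan1` line is only required on a 5505 Base license, which restricts the third VLAN to one-way traffic.

```cisco
! Added example, not from the thread. Assumptions: ASA 5505, 8.3 or later,
! inside = Vlan1, outside = Vlan2, guest = Vlan3 on switchport Ethernet0/7,
! guest subnet 192.168.50.0/24. Adjust names and addresses to your own setup.

! Guest VLAN: its own subnet, lower security level than inside.
! Base license only: the third VLAN must not initiate traffic to Vlan1.
interface Vlan3
 no forward interface Vlan1
 nameif guest
 security-level 10
 ip address 192.168.50.1 255.255.255.0
!
interface Ethernet0/7
 description hotspot AP
 switchport access vlan 3

! DHCP for guests: public resolvers only, never the internal DNS server,
! so internal hostnames cannot be resolved from the hotspot.
dhcpd address 192.168.50.10-192.168.50.200 guest
dhcpd dns 8.8.8.8 8.8.4.4 interface guest
dhcpd lease 3600 interface guest
dhcpd enable guest

! Anti-spoofing: drop packets whose source address is not routed back out "guest".
ip verify reverse-path interface guest

! Outbound ACL: nothing to RFC1918 (which contains every inside network),
! then only what guests need; the final line drops and logs everything else.
object-group network RFC1918
 network-object 10.0.0.0 255.0.0.0
 network-object 172.16.0.0 255.240.0.0
 network-object 192.168.0.0 255.255.0.0
!
access-list GUEST_IN extended deny ip any object-group RFC1918 log
access-list GUEST_IN extended permit udp 192.168.50.0 255.255.255.0 host 8.8.8.8 eq domain
access-list GUEST_IN extended permit udp 192.168.50.0 255.255.255.0 host 8.8.4.4 eq domain
access-list GUEST_IN extended permit tcp 192.168.50.0 255.255.255.0 any eq www
access-list GUEST_IN extended permit tcp 192.168.50.0 255.255.255.0 any eq https
access-list GUEST_IN extended deny ip any any log
access-group GUEST_IN in interface guest

! PAT guests behind the outside interface address (8.3+ object NAT).
object network GUEST_NET
 subnet 192.168.50.0 255.255.255.0
 nat (guest,outside) dynamic interface

! Modular Policy Framework: police all guest traffic to 2 Mbit/s each way
! (37500-byte burst) and run HTTP inspection on port 80 so that non-HTTP
! protocols tunnelled over port 80 are dropped and logged.
class-map GUEST_ALL
 match any
class-map GUEST_WEB
 match port tcp eq www
!
policy-map type inspect http GUEST_HTTP
 parameters
  protocol-violation action drop-connection log
!
policy-map GUEST_POLICY
 class GUEST_ALL
  police input 2000000 37500
  police output 2000000 37500
 class GUEST_WEB
  inspect http GUEST_HTTP
!
service-policy GUEST_POLICY interface guest
```

Verify with `show access-list GUEST_IN` (hit counts on the deny lines tell you what guests are trying), `show service-policy interface guest` (policer and inspection counters) and `show dhcpd binding`. Note what this does not do: two guests on the same VLAN reach each other through the AP or switch without ever touching the ASA, so guest-to-guest attacks (ARP spoofing, rogue DHCP) have to be handled on the wireless and switching gear, which is the point MiKa makes later in the thread.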

Sean, really nice post. Thank you for taking the time to write that up and share it.

Thanks Icaruso for the kind words and for the rating.

In some organisations that I have worked for hotspots have been setup on a separate Internet connection to the corporate Internet.

Furthermore there was an air gap between the hotspot and the corporate network, ie it had no physical connectivity to the corporate network.

Hi Icaruso,

CSC (a Trend Micro license) and Ironport are both in the high price range and rather focus on "hijacks" on the application layer like phishing, spoofed web pages and several browser-related attacks. This would be the upper end of mitigating hijacking on the ISO layers. Both solutions have a quite high focus on e-mail security and protection; both are working with databases of "bad sites". Honestly, I perceive the two solutions as quite similar, although details in the implementation are different. I haven't used Ironport myself; I just have experience with CSC. The CSC is not available for the 5505, only for the 5510 and above. The Ironport is a standalone appliance.

(Maybe not what you are focusing on with hotspots)

DHCP Snooping and Dynamic ARP Inspection are features of Catalyst switches; most Layer 2 and all Layer 2/3 switches support them. Best would be to use the Feature Navigator on cisco.com (Support -> Tools -> Feature Navigator) to find a suitable switch model. These two features work together: DHCP Snooping monitors legitimate DHCP offers from a server and blocks all ARP replies which try to intercept ARP request/response. It makes most sense in a wired environment but will mitigate the risk that wireless clients are spoofing the router or a local server such as DNS.

Other recommendations for hot-spots:

Turn off client-client broadcast/multicast; this will mitigate ARP spoofing on the air.

Filter (deny) client-client IP on the uplink router.

The ASA indeed has a good price/value ratio, but it's designed to protect an inside from threats on the outside, mainly through access control. It is not designed to mitigate client-to-client threats if both are on the inside.

Well so much for now,

Rgds

MiKa
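The switch-side controls MiKa describes above (DHCP Snooping, Dynamic ARP Inspection, and denying client-to-client traffic) as they would be typed on a Catalyst access switch running IOS, with the hotspot APs on untrusted ports and the uplink to the ASA as the only trusted port. This is an added example for this page, not configuration from the thread; VLAN 50, the port numbers and the 15 pps rate limits are assumptions.

```cisco
! Added example, not from the thread. Assumptions: Catalyst 2960/3560-class
! switch, hotspot VLAN 50, uplink to the ASA (the DHCP server) on Gi0/1,
! hotspot APs on Fa0/2 through Fa0/12.

! DHCP snooping: DHCP OFFER/ACK are only accepted on the trusted uplink, so a
! rogue DHCP server plugged into an AP port cannot hand out a bogus gateway
! or DNS server. Option 82 insertion is disabled because the ASA's DHCP
! server drops relayed requests that carry it.
ip dhcp snooping
ip dhcp snooping vlan 50
no ip dhcp snooping information option
!
! Dynamic ARP Inspection: ARP on untrusted ports must match the IP/MAC
! binding learned by DHCP snooping, so a client cannot claim the gateway's
! or another client's address with a forged or gratuitous ARP.
ip arp inspection vlan 50
ip arp inspection validate src-mac dst-mac ip
!
! Ports that exceed the DHCP or ARP rate limit go err-disabled; recover them
! automatically instead of leaving the hotspot dead until someone looks.
errdisable recovery cause dhcp-rate-limit
errdisable recovery cause arp-inspection
!
interface GigabitEthernet0/1
 description uplink to ASA guest VLAN (trusted: DHCP server is behind it)
 switchport mode access
 switchport access vlan 50
 ip dhcp snooping trust
 ip arp inspection trust
!
! AP ports: untrusted, rate-limited, and "protected" so that frames between
! two protected ports are dropped in the switch; only the uplink is reachable.
interface range FastEthernet0/2 - 12
 description hotspot AP (untrusted)
 switchport mode access
 switchport access vlan 50
 switchport protected
 ip dhcp snooping limit rate 15
 ip arp inspection limit rate 15
 spanning-tree portfast
 spanning-tree bpduguard enable
```

Check the binding table with `show ip dhcp snooping binding` and the drop counters with `show ip arp inspection statistics vlan 50`; ARPs that DAI rejects are logged under the `%SW_DAI-4-DHCP_SNOOPING_DENY` mnemonic, which is the signal to look for on a hotspot. Two caveats a practitioner should keep in mind: `switchport protected` only isolates ports on the same switch (across switches you need private VLANs or the AP/controller's own client isolation), and it does nothing for two clients on the same AP radio, which is why MiKa's advice to turn off client-to-client forwarding on the wireless side still applies. Client-to-client traffic that does reach the ASA from the guest VLAN is dropped there by default, since the ASA refuses to forward packets back out the interface they arrived on unless `same-security-traffic permit intra-interface` is configured.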

MiKa, thank you for sharing your knowledge and experience. I appreciate your input and find it very helpful.
