SOP Devices[1]

Standard Operating Procedure for Network Devices


Prepared by Bhuvan Systems and Networking Team

Geo-porta and !eb G"S Services Group Data Processing# Products# $rchiva and !eb $ppications $rea %DPP$ & !$$' Nationa (emote Sensing )entre "ndian Space (esearch (esearch Organisation *yderabad-+,, ,. /ebruary 0,1.

1


Document )ontro Sheet

1

Security )assi2cati on

(estricted

0

Distributio n

B*34$N5 G&!GSG



Document %a' "ssue6

"ssue-

7

(eport Type Type

%b' (evision6

,

SOP Document

+

(eport No

8

Tite ite

Sta Standar ndard d Oper Operat atin ing g Proce ocedur dure for Networ twork king ing Devices ices

)oation

Pages

/igures

Tabes

. 9

Pro:ect

B*34$N

;

$uthor%s' %s'

Bhuvan Systems and Networking Team

1,

$<iation of authors

N(S)

Security =echanism

(eviewed and $pproved by

11

GD# G&!GSG 10

Originating unit

N(S)

Sponsor%s' 1

Name6

Ni

Type6 Type6 17

Date of "nitiation

>>>

1+

Date of Pubication

>>>

0


$bstract %with ?eywords'6 This document e@pains e@pains the standard standard operating procedure procedure foowed foowed for Bhuvan Systems and Networking Devices

Tabe T abe of )ontents )ontents 1. Firewalls

1>1> Purpose and Scope 1>0>=ake 1>0>1> "ntroduction "ntroducti on to /irewas /irewas 1>0>0> Bene2ts and (isk using /irewas /irewas 1>>=ode 1>7> Steps to )onnect 1>+>$ow 1>+>$ ow or Deny commands for outside "P restriction 1>8>N$T commands 1>.>$dditiona Guideines and Aimitations 1>9>Other 3sefu commands and Scenarios 1>;>Troubeshooting connectivity through /irewa 2. Routers

List of Figures




SOP for operating Network devices

1. Firewall 1.1. Purpose: This standard de2nes the essentia rues regarding the management and maintenance of 2rewas at Bhuvan ce and it appies to a 2rewas controed by Bhuvan Networking Team> 1.2. Scope: These standards cover the con2guration con2guration of Bhuvan ce network 2rewas>

1.3.

ake:

/irewas are an essentia component of information systems security infrastructure> /irewas are de2ned as security systems that contro and restrict both network connectivity and network services> /irewas /irewas estabish a perimeter where access contros are enforced and subseuenty de2ne how a network service is utiiCed> @ampes of services incude /TP %2e transfer protoco' and *TTP %web browsing'> 1>>1> Bene2ts6 •

Bocks many types of outside attacks from reaching your interna network>

•

=ay bock many types of maicious attacks from your interna network to the campus network and5or the "nternet community> community> =onitors and ogs apparent source and origination of such attacks>

•

(educes the amount of vauabe data ost to assauts>

•

$ows for reguation of network tra

•

1>>0> (isks6 •

•

•

•

$ 2rewa can be a singe point of faiure in connectivity con nectivity between the departmenta computing resources and those outside the 2rewa> $ 2rewa can become a performance botteneck between departmenta computing resources and the outside> "nstaing# maintaining# and operating a 2rewa reuires speci2c technica knowedge $nd ski# and may reuire speciaiCed training> /irewa operation imposes organiCationa considerations incuding after hours support# vacation coverage# timeiness and priority of response to probems# and change management>

1>7> odel: !"S!O #S# $$

%$7


/ig%1'6 )"S)O $S$ +++,

2g%0'>*ardware description of ports The detais of each port individuay given beow 1>=anagement port 9 >Power indicator AD 0 >@terna )ompact /ash sot ;>Status indicator AD  >Seria )onsoe port 1,>$ctive AD 7>Power switch 11>4PN AD + >AD Power indicators 10>/ash AD 8>3SB 0>, interfaces 1>$u@ Port . >Network interfaces %copper Gigabit thernet' 17>Power connector

1>+> "P address6

E > E >E >E

1>8> Steps to connect: Before going to software con2guration# we need to make a Physica hardware con2guration that consist of foowing steps •

To To connect to )isco $S$ 2rewa# and setup initia con2guration# use a &lue serial console ca&le # that came in the package with Four device> )onnect the seria port of consoe cabe to your RS232 '() serial port on your P) and the other end of the cabe %(7+' connect to the console port on the $S$>

+


•

•

Open termina emuation program ike *yperTermina# TerraTerm or Putty# and connect to )O= seria port on P) %port shoud be created automaticay from the driver'6

On succesfu connection Fou Fou shoud see $S$ command ine CLI prompt> CLI prompt> On the P) connected to th th $S$# aunch a web browser> browser> "n the $ddress $ddress 2ed# 2ed# enter the foowing %defaut' 3(A6 https6551;0>189>1>15admin and (un start up !iCard

The con2guration consist of foowing commands

1> )on2 )on2gur gure e the the intern interna a interfa interface ce van $n inside 4A$N 1 interface that incudes the thernet ,51 through ,5. switch ports> "f you did not set the "P address in the con*gure factor+,default command# then the 4A$N 1 "P address and mask are 1;0>189>1>1 and 0++>0++>0++>,> $S$+++,%con2g'H interface 4an 1 $S$+++,%con2g-if'H nameif inside $S$+++,%con2g-if'H security-eve 1,,

8

Standard Operating Procedure for Network Devices $S$+++,%con2g-if'H ip address 1;0>189>1>1 0++>0++>0++>, $S$+++,%con2g-if'H no shut

Detaied Step6 S.N O.

Ste p1

!o--and

interface vlan number

Purpose

$dds a 4A$N interface# i nterface# where the number is is between 1 and 7,;,>

hostname%con2g'H To To remove this 4A$N interface and a a associated interface van 1,, con2guration# enter the no interface vlan command> Because this interface aso incudes the interface name con2guration# and the name is used in other commands# those commands are aso removed> Ste p0

%Optiona for the Base icense' no forward interface vlan number

hostname%con2gif'H no forward interface van 1,1

$ows this interface to be the third 4A$N by imiting it from initiating contact to one other 4A$N> The number speci2es speci2es the 4A$N "D to which this 4A$N interface cannot initiate tra!ith the Base icense# you can ony con2gure a third 4A$N if you use this command to imit it> "f you aready have two 4A$N interfaces con2gured with a command# be sure to enter the no forward na-eif command# command on the interface command before the na-eif command third interfaceI the $S$ does not aow three fuy functioning 4A$N interfaces with the Base icense on the $S$ ++,+>

0> )on2g )on2gur ure e the e@terna e@terna interface interface van %connecte %connected d to "nternet' "nternet' $n outside 4A$N 0 interface that incudes the thernet ,5, switch port> 4A $N 0 derives its "P address using D*)P> The defaut route is aso derived from D*)P> $ inside "P addresses are transated when accessing the outside using interface P$T> By defaut# inside users can access the outside# and outside users are prevented from accessing the inside> The D*)P server is enabed on the $S$# so a P) connecting to the 4A$N 1 interface receives an address between 1;0>189>1>0 and 1;0>189>1>0+7> The *TTP server is enabed for $SD= and is accessibe to users on the 1;0>189>1>, network> $S$+++,%con2g'H $S$+++,%con2g'H interface 4an 0 $S$+++,%con2g-if'H $S$+++,%con2g-if'H nameif outside $S$+++,%con2g-if'H $S$+++,%con2g-if'H security-eve , $S$+++,%con2g-if'H $S$+++,%con2g-if'H ip address 0,,>0,,>0,,>1 0++>0++>0++>, $S$+++,%con2g-if'H $S$+++,%con2g-if'H no shut

.


> $ss $ssign ign th ther ernet net ,5, to 4an 4an 0 $S$+++,%con2g'H interface thernet,5, $S$+++,%con2g-if'H switchport access van 0 $S$+++,%con2g-if'H no shut

Detaied Step6 S.N o.

!o--and

Purpose

Ste interface Speci2es the switch port you want to con2gure# where port where port is is , p 1 eternet%/ port through .> hostname%con2g 'H interface ethernet,51> Ste To To assign 4A$Ns to this trunk# do one or more of the foowing6 p 0 i> switcport "denti2es one or more 4A$Ns that you can assign to the trunk trunk allowed port# where the vlan_range %with 4A$Ns between 1 and 7,;,' vlan vlan_range can be identi2ed in one of the foowing ways6 hostname%con2g 'H switchport trunk aowed van 1,,-0,,

•

$ singe number %n'

•

$ range %n-@'

•

Separate numbers and ranges by commas# for e@ampe6

+#.-1,#1#7+-1,,Fou +#.-1,#1#7+-1,,Fou can enter spaces instead of commas# but the command is saved to the con2guration with commas> Fou Fou can incude the native 4A$N in this command# but it is not reuiredI the native 4A$N is passed whether it is incuded in this command or not> ii> switcport trunk native vlan vlan_id

$ssigns a native 4A$N to the trunk# where the vlan_id is vlan_id is a singe 4A$N "D between 1 and 7,;,>

Packets Packets on the native 4A$N are not modi2ed when sent over the hostname%con2g trunk> /or e@ampe# if a port has 4A$Ns 0#  and 7 assigned to it# -if'H switchport and 4A$N 0 is the native 4A$N# 4A $N# then packets on 4A$N 0 that trunk native egress the port are not modi2ed with an 9,0>1J header> header> /rames van 1, which ingress %enter' this port and have no 9,0>1J header are put into 4A$N 0> ach port can ony have one native 4A$N# b ut every port can have either the same or a diKerent native 4A$N>

9

Standard Operating Procedure for Network Devices Ste switcport p  -ode trunk

=akes this switch port a trunk port> To restore this port to access mode# enter the switcport -ode access command>

hostname%con2g -if'H switchport mode trunk Ste %Optional' Optional' p7 switcport protected

Prevents the switch port from communicating with other protected switch ports on the same 4A$N>

Ste (Optional) p+ speed M auto  1%  1%% 

Sets the speed> The auto setting is the defaut> "f you set the speed to anything other than auto on Po ports thernet ,58 or ,5.# then )isco "P phones and )isco wireess access points that do not support " 9,0>af wi not be detected and suppied with power>

Fou Fou might want to prevent switch ports from from communicating with each other if the devices on those switch ports are primariy intra-4A$N hostname%con2g accessed from other 4A$Ns# you do not need to aow intra-4A$N -if'H switchport access# and you want to isoate the devices from each other in case of infection or other security breach> /or e@ampe# if you protected have a D=L that hosts three web servers# you can isoate the web servers from each other if you appy the switcport protected command to each switch port> The inside and o utside networks can both communicate with a three web servers# and vice versa# but the web servers cannot communicate with each other>

hostname%con2g -if'H speed 1,, Ste (Optional) p8 duple0 M auto   full  alf 

Sets the dupe@> The auto setting is the defaut> "f you set the dupe@ to anything other than auto on Po ports thernet ,58 or ,5.# then )isco "P phones and )isco wireess access points that do not support " 9,0>af wi not be detected and suppied with power>

hostname%con2g -if'H dupe@ fu Ste no sutdown nabes the switch port> To To disabe the switch port# por t# enter the p. sutdown command> hostname%con2g -if'H no shutdown

;


7> nab nabe e the re rest st interf interfaces aces with no shut shut $S$+++,%con2g'H interface thernet,51 $S$+++,%con2g-if'H no shut %Note6 Do the same for thernet,51 to ,5.>'

+> )on2 )on2gur gure e P$ P$T on the outsi outside de interfac interface e ASA5550(config)# global (outside) 1 interface ASA5550(config)# nat (inside) 1 0.0.0.0 0.0.0.0

8> )on )on2gu 2gure re de defau faut t rout route e Defaut route towards the "SP %assume defaut gateway is 0,,>0,,>0,,>0' $S$+++,%con2g'H route outside ,>,>,>, ,>,>,>, 0,,>0,,>0,,>0 1 The above steps are the absoutey necessary steps steps you need to con2gure for making the appiance operationa>

1>.> #llow/den+ co--ands for outside "P restriction: To To monitor permitting permitting or denying network network access perform one of the foowing foowing tasks given beow 1> Show running-con2g running-con2g access-gr access-group oup the interfaces

 dispays dispays the current current access access ist bound to

0> hostname%c hostname%con2g' on2g'H H access-ist access-ist O3TS"DO3TS"D-$)A $)A e@tended e@tended permit permit tcp any host 0,;>18+>0,1>10 e www > hostname%c hostname%con2g' on2g'H H access-gr access-group oup O3TS"D-$ O3TS"D-$)A )A in interface interface outside outside 7> The foowing foowing e@ampe e@ampe aows aows a a hosts hosts to communic communicate ate betwee between n the inside inside and and hr networks but ony speci2c hosts to access the outside network hostname%con2g'H hostname%con2g'H hostname%con2g'H hostname%con2g'H hostname%con2g'H hostname%con2g'H hostname%con2g'H hostname%con2g'H hostname%con2g'H hostname%con2g'H hostname%con2g'H hostname%con2g'H

+>

access-ist $NF e@tended e@tended permit ip any any any access-ist O3T e@tended e@tended permit ip host 0,;>189>0,,> 0,;>189>0,,> any access-ist O3T e@tended e@tended permit ip host 0,;>189>0,,>7 0,;>189>0,,>7 any access-group access-group $NF in interface inside access-group access-group $NF in interface interface hr access-group access-group O3T out interface outside

The foowing foowing sampe sampe access ist ist aows common common therTypes originati originating ng on the inside interface6 hostname%con2g'H hostname%con2g'H access-ist T*( ethertype permit ip@ hostname%con2g'H hostname%con2g'H access-ist T*( ethertype permit mps-unicast hostname%con2g'H access-group T*( in interface inside

8> The foowing foowing e@ampe e@ampe aows aows some therT therTypes through through the $S$# but it denies denies a others6 hostname%con2g'H hostname%con2g'H access-ist T*( ethertype permit ,@107 hostname%con2g'H hostname%con2g'H access-ist T*( ethertype permit mps-unicast

1,

Standard Operating Procedure for Network Devices hostname%con2g'H access-group T*( in interface inside hostname%con2g'H hostname%con2g'H access-group T*( in interface outside

.> The The fo foow owin ing g e@a e@amp mpe e denies tra
9> The foowing foowing e@ampe e@ampe uses uses ob:ect ob:ect groups to to permit speci2 speci2c c tra
1>9> N# co--ands: hostname%con2g )# access-list OUTSID OUTSID e!tended permit tcp "ost $$$ "ost $$$ e% &&& •

hostname%con2g'H access-group access-group O3TS"D out o ut interface outside either the hardware hardware interface or the interface : The interface command identi2es either Switch 4irtua "nterface "nterface %4A$N interface' that wi be con2gured> Once in interface con2guration mode# you can assign physica interfaces to switch ports and enabe them %turn them on' or you can assign names and security eves to 4A$N interfaces>

•

security na-eif: The nameif command gives the interface a name and assigns a security eve> Typica names are are outside# inside# or D=L> D=L>

•

•

eves used by appiances appiances to contro trathese Securit+,level6 security eves are numeric vaues ranging from ,-1,,> The ,-1,,> The defaut security eve for an outside outside interface is ,> /or an inside interface# interface# the defaut security eve eve is 1,,> e>g> ciscoasa%con2g-if'H security-eve security-eve +,

"P address: ip address command is used to assign an ip address to 4A$N interface e>g> ciscoasa%con2g-if'H interface van 1 ciscoasa%con2g-if'H ip address 1;0>189>1,8>1

11

Standard Operating Procedure for Network Devices Switc port access: This command assigns a physica interface interface to a ogica %4A$N' interface> This command is not used on the $S$ ++@, appiances> e>g6

•

ciscoasa%con2g-if'H ciscoasa%con2g-if'H interface ethernet ,5, ciscoasa%con2g-if'H ciscoasa%con2g-if'H switchport access van 0 ciscoasa%con2g-if'H ciscoasa%con2g-if'H no shutdown ciscoasa%con2g-if'H ciscoasa%con2g-if'H interface ethernet ,51 ciscoasa%con2g-if'H ciscoasa%con2g-if'H switchport access van 1 ciscoasa%con2g-if'H ciscoasa%con2g-if'H no shutdown

particuar ob:ect wi be based on "P addresses> addresses> The O&ect network : it states that this particuar subnet 1;0>189>1,8>, 0++>0++>0++>, 0++>0++>0++>, command states that net-1;0>189>1,8 net-1;0>189>1,8 wi aKect any "P address beginning with 1;0>189>1,8> ciscoasa%con2g-if'Hob:ect ciscoasa%con2g-if'Hob:ect network net-1;8>189>1,8 net-1;8>189>1,8 ciscoasa%con2g-network-ob:ect'Hsu ciscoasa%con2g-network-ob:ect'Hsubnet bnet 1;0>189>1,8>, 1;0>189>1,8>, 0++>0++>0++>, 0++>0++>0++>,

1>;> $dditiona Guideines and Aimitations6 The foowing guideines and imitations appy to permitting permitting or denying denying network access6 •

•

•

•

•

•

•

•

•

•

/or the $S$ +++, $S$# for ma@imum throughput# be sure to baance your tra "f you are using faiover# do not use this procedure to name interfaces that you are reserving for faiover and Statefu /aiover /aiover communications> "n routed 2rewa mode# set the "P address for a interfaces> "n transparent 2rewa mode# do not set the "P address for each interface# but rather set it for the whoe $S$ or conte@t> The e@ception is for the =anagement ,5, or ,51 management-ony interface# which does not pass through tra By defaut# a "P tra $ccess ists enabe you to either aow tra Fou Fou use access lists to contro network access in both routed and transparent 2rewa modes

/or connectionless protocols# you need to appy the access ist to the source and destination interfaces if you want tra $ways use the access-ist command with the access-group command> To To show the running con*g access,group command dispays the current access ist bound to the interfaces> The clear con*gure access,group command removes a the access ists from the interfaces>

10


1>1,> Other usefu commands and scenarios6 *ere are some usefu commands that hep track the packet Row detais at diKerent stages in the process6 •

write -e-or+ 6 Saves the running con2guration to the startup con2guration >

0a-ple:

Saves the running con2guration to the startup con2guration>

hostnameH Note The cop+ running,con*g startup,con*g command is euivaent write to the write -e-or+ command> memory

•

)opying the Startup )on2guration to the (unning )on2guration

!o--and

Purpose

cop+ startup, con*g running, con*g

=erges the startup con2guration with the running con2guration>

reload

(eoads the $S$# which oads the startup con2guration and discards the running con2guration>

clear con*gure all cop+ startup, con*g running, con*g

Aoads the startup con2guration and discards the running con2guration without reuiring a reoad>

4iewing te !on*guration : The foowing commands et you view the running and startup con2gurations> con2gurations> •

!o--and sow running, con*g

Purpose

4iews the running con2guration>

sow running, 4iews the running con2guration of a speci2c command> con*g co--and sow startup, con*g

4iews the startup con2guration>

onitoring interface co--ands :

To To monitor interfaces# enter one of the foowing commands6 !o--and

Purpose

1


sow interface

Dispays interface statistics>

sow interface ip &rief

Dispays interface "P addresses and status>

/or ther)hanne# dispays A$)P information such as sow lacp Mc"annel_group_number Mc"annel_group_number  tra  s+s,id

sow port,cannel c"annel_group_number  &rief   detail  port  protocol  su--ar+

/or ther)hanne# dispays ther)hanne information in a detaied and one-ine summary form> This command aso dispays the port and portchanne information>

sow port,cannel c"annel_group_number load, &alance as,result Mip  ipv5  l6port  -ac  -i0ed  vlan, onl+ parameters parameters

/or ther)hanne# dispays port-channe oadbaance information aong with the hash resut and member interface seected for a given set of parameters>

show run static

Dispays the running status

show arp Dispays the address routing protocos

Show @ta

Dispays the transation>

17


1.11. Troubleshooting Connecting through the firewall

/ig%7'> Troubeshooti T roubeshooting ng )onnectivity Through

the /irewa

Router ake: odel: )isco .0,, 4U( Series (outer

1+


Software version:

s

"P6 address6 Steps to connect6 1> @@ 0> @@@ 3sefu commands and use case scenarios

"'S/"PS ake: odel: Software version:

18


"P6 address6 Steps to connect6 1> @@ 0> @@@ 3sefu commands and use case scenarios

Load &alancer ake: odel: !"S!O #S 671% Software version:

"P6 address6 1.


Steps to connect6 1> @@ 0> @@@ 3sefu commands and use case scenarios

Storage con*guration con*guration

19


Network diagra-:

1;

SOP Devices[1]

Recommend Documents