

Cisco ASA: DNS reply filtering

Today I was asked to block access to multiple websites and the only device capable of doing this was the firewall. This customer is using a Cisco ASA firewall, which supports basic URL filtering. This customer wanted to block HTTP and HTTPS websites. HTTPS websites use an SSL tunnel from the end device to the end server, so the firewall isn’t capable of inspecting the SSL traffic. Instead of using URL inspection, I configured DNS inspection.

The ASA inspects the DNS requests from the internal DNS server or end device to the external DNS server. I use regular expressions to match the FQDN of a website. Below is an example configuration for blocking access to a website (and to applications that use a DNS entry under this website).

! The regex object name is missing from the original post; BLOCKED-LOGMEIN is a placeholder
regex BLOCKED-LOGMEIN "\.logmein\.com"
class-map type regex match-any DomainBlockList
 description Blocked Domains
 match regex BLOCKED-LOGMEIN
policy-map type inspect dns PM-DNS-inspect
 parameters
  message-length maximum 512
 match domain-name regex class DomainBlockList
  drop-connection log
policy-map global_policy
 class inspection_default
  inspect dns PM-DNS-inspect
service-policy global_policy global

A problem with this approach could be the DNS cache on the internal DNS server. If the domain name was queried before configuring the inspection, the domain will remain resolvable until the cached entry on the DNS server expires. In urgent situations you can clear the DNS cache yourself.

If a DNS reply is matched, the ASA generates a syslog message, as shown below.

08-28-2009 15:33:31 Local4.Warning %ASA-4-410003: DNS Classification: Dropped DNS request (id 22251) from inside:DNS-SERVER/59256 to outside:UPSTREAM-DNS/53; matched Class 23: match domain-name regex class DomainBlockList
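The regex match and the resulting syslog line, as an added Python example (not code from the original post): it applies the post's pattern to sample names, showing that the leading `\.` means the bare apex name logmein.com would not match, and parses the %ASA-4-410003 message above into fields that can be counted per internal source for alerting. The first sample log line is the one from the post; the other two lines and the 10.0.0.25 address are constructed.

```python
import re

# Pattern from the ASA config on this page; the ASA applies it as an
# unanchored regex search against the queried domain name.
BLOCK_PATTERNS = [r"\.logmein\.com"]

def is_blocked(fqdn, patterns=BLOCK_PATTERNS):
    # True if a query for fqdn would hit the DomainBlockList class.
    # Names are compared as given; case handling is not covered on the page.
    return any(re.search(p, fqdn) for p in patterns)

# Field layout of the %ASA-4-410003 message shown on this page.
ASA_410003 = re.compile(
    r"%ASA-4-410003: DNS Classification: Dropped DNS request "
    r"\(id (?P<id>\d+)\) "
    r"from (?P<src_if>[^:]+):(?P<src>[^/]+)/(?P<sport>\d+) "
    r"to (?P<dst_if>[^:]+):(?P<dst>[^/]+)/(?P<dport>\d+); "
    r"matched Class (?P<class_id>\d+): (?P<criteria>.+)$"
)

def parse_drop(line):
    # Return the message fields as a dict, or None for any other message.
    m = ASA_410003.search(line)
    if not m:
        return None
    d = m.groupdict()
    for k in ("id", "sport", "dport", "class_id"):
        d[k] = int(d[k])
    return d

def count_drops_by_source(lines):
    # Dropped DNS requests per internal source (a host that keeps resolving
    # a blocked domain stands out here).
    counts = {}
    for line in lines:
        d = parse_drop(line)
        if d:
            counts[d["src"]] = counts.get(d["src"], 0) + 1
    return counts

# Sample input: the first line is the one from the post; the other two
# are constructed for this example.
SAMPLE_LOG = [
    "08-28-2009 15:33:31 Local4.Warning %ASA-4-410003: DNS Classification: "
    "Dropped DNS request (id 22251) from inside:DNS-SERVER/59256 to outside:"
    "UPSTREAM-DNS/53; matched Class 23: match domain-name regex class DomainBlockList",
    "08-28-2009 15:33:40 Local4.Warning %ASA-4-410003: DNS Classification: "
    "Dropped DNS request (id 22260) from inside:10.0.0.25/51000 to outside:"
    "UPSTREAM-DNS/53; matched Class 23: match domain-name regex class DomainBlockList",
    "08-28-2009 15:33:41 Local4.Notice %ASA-6-302015: Built outbound UDP "
    "connection 12345 for outside:UPSTREAM-DNS/53 to inside:DNS-SERVER/59257",
]
```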

Cygwin with OpenSSL for CSR generation

A lot of services, which are published to the Internet, are secured with SSL certificates. A lot of times we use SSL certificates to secure communications when implementing ISA reverse proxy servers, Citrix Secure Gateway servers and/or Cisco WebVPN portals.

When you want to secure a connection with an SSL certificate you have to create a Certificate Signing Request (CSR) and get the CSR signed by a Certificate Authority (CA). This can be done by a “real” CA, like GeoTrust or Verisign, or you can configure your own CA and sign your own CSR.

There are a lot of ways to generate CSRs. At first I always used what the customer could offer me. This could be the Cisco ASA firewall, a Windows server with IIS or the Juniper SA appliance. Sometimes it could take a couple of hours before I could finally generate a CSR. While generating a CSR, a private key is also generated. When using customer equipment for generating the CSR, it could happen that the customer deletes the private key, which makes the CSR useless.

A colleague of mine often had the same problems and he started using Cygwin with OpenSSL under Windows. I have to say, GREAT. I started using it myself. A great advantage is that I can use my own laptop and I don’t have to depend on the customer’s equipment. Furthermore, and maybe most important, I know what I am doing during the generation and signing of certificates, so I will never delete the wrong files.

Normally I generate a new private key per certificate and I use the following commands for generating the private key, CSR and the actual certificate.

1. Generate a private key
openssl.exe genrsa -out private-www-booches-nl.key 2048

2. Generate the CSR and fill in the required information (the common name is the most important)
openssl.exe req -sha256 -new -key private-www-booches-nl.key -out csr-www-booches-nl.csr

3. The CSR is uploaded to the CA. The CA sends you the SSL certificate, which I save as www-booches-nl.crt

4. Create the actual SSL certificate (a PKCS#12/PFX bundle of the private key and the signed certificate; you are prompted for an export password)
openssl.exe pkcs12 -export -out www-booches-nl.pfx -inkey private-www-booches-nl.key -in www-booches-nl.crt

When using an Open Source web server you have to use a certificate in DER format. The first 3 steps, as shown above, stay the same. You can use the following steps to create a DER file.

4. Append the contents of the key file to the end of the crt file (the crt file then also contains the private key, so protect it accordingly)
cat private-www-booches-nl.key >> www-booches-nl.crt

5. Create the DER file
openssl.exe x509 -in www-booches-nl.crt -inform PEM -out www-booches-nl.der -outform DER

It is also possible that you need a PEM certificate instead of a PFX certificate. Below you see the command to create a PEM certificate from a PFX certificate.

6. Create the PEM file (-nodes writes the private key into the PEM file unencrypted)
openssl.exe pkcs12 -in www-booches-nl.pfx -out www-booches-nl.pem -nodes

7. Check the CSR content
openssl.exe req -text -noout -in csr-www-booches-nl.csr

Using Cygwin with OpenSSL really makes it easier when working with CSRs and certificates. A very useful website with “The Most Common OpenSSL Commands” can be found here (in Dutch).