Interface Security Levels on the Black Gate of Mordor

So. Let’s say our Cisco ASA is the Black Gate of Mordor.

ciscoasa> en
Password:
ciscoasa# conf t
ciscoasa(config)# hostname BlackGateOfMordor
BlackGateOfMordor(config)#

Around the time of the War of the Ring, Sauron has taken over Mordor and the local real estate is fair teeming with orcs and Nazgûl. One does not simply walk into Mordor, as Boromir would say. (One does not simply rock into Mordor either, but that is a whole ‘nother meme.) So, pretty much the highest security neighborhood in the local school district. Security level 100.

BlackGateOfMordor(config)# int GigabitEthernet0/0
BlackGateOfMordor(config-if)# nameif Mordor
INFO: Security level for "Mordor" set to 0 by default.
BlackGateOfMordor(config-if)# security-level 100
BlackGateOfMordor(config-if)# ip add 5.5.5.1 255.255.255.0
BlackGateOfMordor(config-if)# no shut

Outside the Black Gate, we have Gondor. Full of pesky men, dwarves, elves and hobbity things. Not to be allowed in to Mordor by default. Security level 0. And not a moment too soon. The Army of the West just strolled up to the Black Gate, the wankers.

BlackGateOfMordor(config)# int GigabitEthernet0/1
BlackGateOfMordor(config-if)# nameif Gondor
INFO: Security level for "Gondor" set to 0 by default.
BlackGateOfMordor(config-if)# ip add 11.11.11.1 255.255.255.0
BlackGateOfMordor(config-if)# no shut

Cirith Ungol is a pass in the western mountains of Mordor. Difficult to traverse, so let’s give it security level 100 as well. I mean, we’ve got two watchers and a big spider guarding that interface. Not even a hobbit could get through. (Note to self: configure AIP-SSM card.)

BlackGateOfMordor(config-if)# int GigabitEthernet0/2
BlackGateOfMordor(config-if)# nameif Cirith_Ungol
INFO: Security level for "Cirith_Ungol" set to 0 by default.
BlackGateOfMordor(config-if)# ip add 10.10.10.100 255.255.255.0
BlackGateOfMordor(config-if)# security-level 100
BlackGateOfMordor(config-if)# no shut

So this is what we have:

Security Levels On The Black Gate of Mordor

Security Levels On The Black Gate of Mordor

As it stands, the Nazgûl can travel to Gondor and beyond because they originate from the interface with the highest security level. By default, any traffic originating from Mordor to any lower-security interface is permitted. (I hear Gondor is lovely this time of year. Fancy a mini-break?) And when our Nazgûl return from Gondor, they are allowed back in to Mordor even though the Gondor interface is at security level 0 (and therefore has an implicit deny on all traffic coming into the Black Gate.) This is because the Nazgûl are returning traffic.The outgoing leg of their trip was placed in the state table of the ASA (cough, Black Gate) and now the returning Ringwraithalicious packets are a continuation of the traffic.

The Army of the West are outside the Gondor interface. With security level 0 on that interface, they aren’t going in unless the gate cracks open (e.g. ACL permitting inbound traffic), or they disguise themselves as Nazgûl returning home (e.g. packet spoofing, man-in-the-middle attack). Unfortunately, the Nazgûl have a secret knock (randomized sequence numbers), so a disguise is not gonna work.

Frodo and Sam and Gollum are trying to get into Mordor via Cirith Ungol, which has a security level of 100. The Cirith_Ungol interface and the Mordor interface have the same security level, but traffic between interfaces with the same security level is not permitted by default. After Sam and Frodo defeat the security at Cirith Ungol, there is nothing to stop them from going into Mordor. This is the equivalent of running a same-security-traffic permit inter-interface command.

BlackGateOfMordor(config)# same-security-traffic permit inter-interface

Now traffic can flow freely between Mordor and Cirith_Ungol. No ACLs needed. Of course the Eye of Sauron is a pretty sensitive IPS, tuned to the hobbit signature. All the Army of the West can hope to do is distract the IPS by increasing the amount of traffic and thus increasing the noise-to-signal ratio. There might also be a bit of a SYN flood effect there. Sam and Frodo, disguised as orcs, may be able to fly under the radar long enough to get their payload to their target, Mount Doom.

End

That was fun 🙂 And probably full of plot holes.

Although this was meant to be a bit of procrastination, and not intended to be educational, I accidentally learned something. While attempting to set the clock to 9 March 3019, (the date when Frodo and Sam and Gollum get to the Morgul road), I learned that the Cisco ASA clock can be set to a year of 2035 and no later.

The little Lord of the Rings pixel figures of the characters were snaffled from: Luke Sedgeman and Aegyptian.

Additional Information:

nameif command in the Cisco ASA 8.4 and 8.5 Command Reference.

ip address command in the Cisco ASA 8.4 and 8.5 Command Reference.

shutdown command in the Cisco ASA 8.4 and 8.5 Command Reference.

same-security-traffic command in the Cisco ASA 8.4 and 8.5 Command Reference.

This entry was posted in geek, mecha, v4vendetta and tagged , , , , , . Bookmark the permalink. Post a comment or leave a trackback: Trackback URL.

2 Comments

  1. Posted October 2, 2017 at 7:08 am | Permalink

    Good blog nothing to say, I agree!

  2. Posted October 4, 2017 at 6:33 am | Permalink

    Thank you for this comment!!

Post a Comment

Your email is never published nor shared. Required fields are marked *

You may use these HTML tags and attributes <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <s> <strike> <strong>

*
*