Upload: sopna-balakrishnan

Post on 20-Jan-2016

272 views

Category:

Documents


0 download

DESCRIPTION

ccna security

TRANSCRIPT

Page 1: 640 554 CCNA Security

Notebook: CCNA Security

Created: 9/27/2012 5:43 AM    Updated: 10/7/2012 8:44 PM

Tags: ccna security

01 Networking Security Concepts

Understanding Network and Information Security Basics

About: Knowing the basics of security.

Main Ideas:

CIA

Confidentiality allows only authorized users to view sensitive data; unauthorized users have no access to the data. Data in motion must be encrypted. Integrity means only authorized users can modify the data; unauthorized modification results in corrupt data and a loss of integrity. Availability means resources must be available to authorized users; loss of availability can mean loss of revenue.

Cost-Benefit Analysis of Security

Risk management is used to determine principles and concepts related to asset protection and security management. It includes assets (items of value to the organization), vulnerabilities (weaknesses), threats (dangers to an asset), and countermeasures (actions taken to mitigate risk).

Classifying Assets

Why is data classified? To take specific action on data in a given class. What are the different asset classifications?

  Governmental
    Unclassified
    Sensitive but unclassified
    Confidential
    Secret
    Top Secret
  Private sector
    Public
    Sensitive
    Private
    Confidential

Classification criteria
  Value
  Age
  Replacement cost
  Useful lifetime

Classification roles
  Owner
  Custodian
  User

Classifying Vulnerabilities

Why are vulnerabilities classified? To use an appropriate countermeasure to mitigate the threat against those vulnerabilities. Where do vulnerabilities come from?

  Policy flaws
  Design errors
  Protocol weaknesses
  Misconfiguration
  Software vulnerabilities
  Human factors
  Malicious software
  Hardware vulnerabilities
  Physical access to network resources

Vulnerabilities can be looked up online in the Common Vulnerabilities and Exposures (CVE) list and the National Vulnerability Database (NVD).

Classifying Countermeasures

Countermeasures are introduced after identifying the asset and its risks. Countermeasures are placed in the following categories:

  Administrative: such as a written policy.
  Physical: such as a locked door or key fob entry.
  Logical: such as a firewall or password.

What to do with risk

There are many options for dealing with risk, such as eliminating it or mitigating it as much as possible.

Summary: Understanding Network and Information Security Basics

Basic network and information security begins with the CIA model. Beyond the CIA model is a cost-benefit analysis of assets to determine their threats and risks. These assets, threats, and risks are placed in various classifications, which result in a determined countermeasure to mitigate or eliminate the threats and risks.

Recognizing Current Network Threats

About: Network threats and strategies to stay ahead of those threats.

Main Ideas:

Potential Attackers

Types of adversaries behind attacks are:

  Terrorists
  Criminals
  Government agencies
  Nation-states
  Hackers
  Disgruntled employees
  Competitors
  Anyone with access to a computing device

Reasons for attacks include attention, financial gain, or recreation.

Attack Methods

Methods that attackers use to gain access to a network or to information:

  Reconnaissance - the discovery process. Gathering more information on the target, such as finding IP addresses and vulnerabilities.
  Social engineering - tricking the user into leaking or giving out information.
  Privilege escalation - the act of gaining higher privileges, which results in greater access to resources.
  Back doors - a method for the attacker to easily regain entry into the system.

Attack Vectors

Attackers can come from outside the network and from within. Implement security policies and mitigate risk at different levels.

Man-in-the-Middle Attacks

An attacker places themselves between two communicating devices and intercepts data in transit. The attacker can perform reconnaissance or manipulate the data and forward it on. The way to mitigate this is to encrypt the data in transit. For management traffic, use SSH instead of Telnet and HTTPS instead of HTTP.

Other Attack Methods

Not an exhaustive list, but some other attack methods include:

  Covert channel - using a protocol in an illegitimate manner; hiding traffic or data within another protocol.
  Trust exploitation - using one attack vector to attack the real target by going through a source the target trusts.
  Password attacks
  Botnet
  DoS and DDoS

Summary: There are various types of attackers with different reasons for attacking targets. Different attack methods are used to gather information on the target, such as gathering IP addresses and vulnerabilities and using social engineering to get information out of employees. Once attackers exploit vulnerabilities, they can escalate their privileges to get access to more resources, then leave a way to regain entry without notice. Other attack methods include sniffing data while it is in transit. Encryption must be used instead of clear-text communication.

Applying Fundamental Security Principles to Network Design

About: Improving security posture

Main Ideas:

Guidelines

Some guidelines to follow to improve your overall security posture:

  Rule of least privilege - the minimal access required for users or services.
  Defense in depth - implement security at every point in your network.
  Separation of duties - individuals with specific roles, for checks and balances.
  Auditing - keeping a record of what happens on the network.

Notebook: CCNA Security

Created: 10/1/2012 5:25 AM    Updated: 10/7/2012 8:44 PM

Tags: ccna security

02 Understanding Security Policies Using a Lifecycle Approach

About: Risk analysis and security policies

Main Ideas:

Risk Analysis and Management

Secure Network Lifecycle

Security is a continuous process that never ends. There are five phases in the security lifecycle:

  Initiation - start of risk assessments, categorizing risks into low, medium, and high.
  Acquisition and development - detailed risk assessment and the beginning of testing to verify correct implementation.
  Implementation - applying countermeasures to production.
  Operations and maintenance - active monitoring of the network.
  Disposition - disposing of network gear properly.

Risk Analysis Methods

Finding the impact or risk to an asset before it is compromised. These are educated guesses using two methods:

  Qualitative - data is gathered by a subject matter expert to determine the asset's value, vulnerabilities, threats, and impact/risk based on those factors.
  Quantitative - use of raw numbers and statistics to determine risk.

Both methods can be used to determine a risk score (risk value). This helps to determine the cost of the mitigating techniques.

Security Posture Assessment

Activities that are done to document the current security posture of a network:

  General security posture assessment - a high-level idea of the security posture, looked at from different perspectives.
  Internal assessment - determines how well protected you are from inside attacks.
  External assessment - assesses the security risk of attacks from devices external to the network (devices on the Internet).
  Wireless assessment - assesses the security posture for potential threats from wireless devices.
  Analysis and documentation - a combination of all assessments into a thorough document listing countermeasures and recommended solutions.

Approach to Risk Management

Things that should be considered with assets:

  Value
  Vulnerabilities
  Potential threats
  Compliance issues
  Business requirements

Checklist for new assets where risk has not been calculated:

  Qualitative/quantitative analysis of risk
  Action regarding risk - transferring risk, accepting risk, or reducing risk using countermeasures.
  Monitor risk

Compliance

Consider the impact of not complying. Implement whatever regulatory compliance is required.

Security Policies

WWW (Who, What, Why)

  Who creates the security policies? The senior management team is responsible for creating the overall security policy. This is the set of overall goals, or the high-level security policy (governing policy).
  What is in a security policy? It incorporates many aspects of risk management. It should have a general overview of why the policy was written, what it covers, and what it doesn't cover.
  Why do we have security policies? They are used to educate workers and become a baseline for security.

Types of Policies

  Guideline - AUP, password policy, etc.
  Email - forwarding policies, spam, etc.
  Telephony - AUP of telephony services.
  Application - security requirements, etc.
  Network - AUP, etc.

Standards, Procedures, and Guidelines

  Standards - use of a specific technology as a countermeasure.
  Procedures - detailed documents about standards and guidelines that help implement security for the network.
  Guidelines - suggestions, but not mandatory.
  Policies - high-level policies set forth by senior management.

Testing the Security Architecture

Testing security can be done by using techniques such as:

  network scanning
  vulnerability scanning
  password cracking
  penetration testing
  social engineering

Responding to an Incident

If an attack succeeds, there needs to be a policy that documents how to handle the incident. An incident policy should:

  Help in the recovery of business operations.
  Document details of the incident.
  Prevent further incidents from happening.

Collecting Evidence

If an attacker is detected, preserving evidence is important: taking a snapshot of data, having logs correlated, taking pictures of the equipment, and maintaining a chain of custody for the evidence.

Reasons for Not Being an Attacker

You can be punished. Don't be an attacker.

Liability

A company may have liability if revenue is lost, if company data is stolen, if customer data is stolen or lost, etc. Money is spent on security to minimize risk and lower that liability.

DR and BCP

Many companies require minimal downtime. Factors in business continuity are:

  Maximum tolerable downtime (MTD)
  Recovery time objective (RTO) - the number of hours or days set as the objective for resuming the business process in the event of a disaster.
  Recovery point objective (RPO) - the point in time to which data is restored.

Notebook: CCNA Security

Created: 10/4/2012 12:28 PM    Updated: 10/4/2012 1:50 PM

Tags: ccna security

03 Building a Security Strategy

Securing Borderless Networks

About: Goes over the current strategies for securing borderless networks.

Main Ideas:

The Changing Nature of Networks

Borderless networks is a term describing access without any physical borders. There is no starting from one location and ending at another; it is uninterrupted access. Users are not aware of where the data is; they use any device to gain access to it. The concept is similar to cloud services. Although access and the physical location of data may change, the security concepts do not.

Logical Boundaries

Traditional infrastructure is made up of switch blocks. Users connect to access layer switches, which are Layer 2. The access layer connects to distribution switches, which are Layer 2 and 3. Multiple blocks can be connected by core switches.

Borderless Network Components:

  Borderless end zone - where devices connect to the network.
  Borderless data center - represents where the services are provided.
  Borderless Internet - which is... the Internet.
  Policy management point - the enforcement of policies and secure management.

SecureX and Context-Aware Security

SecureX is an architecture strategy. Its core elements are:

  Context awareness - being aware of context. Tools to implement it include ISE, NAC, and AAA.
  AnyConnect Client - can establish SSL or IPsec VPNs for confidentiality and integrity of data.
  TrustSec - access policy enforcement to provide and control end-to-end security based on who, what, where, and how users are connected to the network.
  Security Intelligence Operations (SIO) - a cloud-based solution from Cisco that identifies threats on the Internet to help protect you before you're infected.

Summary: The traditional network architecture is changing. Users now access data anywhere. The security concepts stay the same. New terms are introduced to describe the security domain: borderless networks and SecureX from Cisco.

Controlling and Containing Data Loss

About: Tools used to implement and maintain the CIA model.

Main Ideas:

An Ounce of Prevention

  ASA firewalls - provide perimeter security such as packet filtering, stateful filtering, and VPN.
  Integrated Services Routers (ISR) - build additional security into routers.
  Intrusion prevention systems (IPS) - perform signature matching to identify malicious traffic and prevent attacks.
  IronPort Email Security Appliances (ESA) and IronPort Web Security Appliances (WSA) - enforce security over email and web traffic.
  ScanSafe - filtering web traffic.

Secure Connectivity Using VPNs

Increase the security of SSH, HTTPS, HTTP, and Telnet with a VPN tunnel. A VPN offers confidentiality by encrypting data. Additionally, a site-to-site VPN can be configured to encrypt data moving between sites.

Secure Management

When managing devices, use SSH or HTTPS for secure management. GUIs include ASDM, CCP, IDM (IPS Device Manager), and IDM Express (IME).

Notebook: CCNA Security

Created: 10/6/2012 2:29 PM    Updated: 10/7/2012 8:44 PM

Tags: ccna security

04 Network Foundation Protection

Using Network Foundation Protection to Secure Networks

About: Approaches to hardening the network.

Main Ideas:

The Network Foundation Protection (NFP) Framework

The framework is broken down into three basic areas:

  Management plane - the protocols and traffic used to manage network devices.
  Control plane - protocols and traffic the router uses without direct interaction from an administrator. An example is a routing protocol.
  Data plane - traffic going through the network. An example is a user communicating with a web server.

Interdependence

Interdependence exists between the planes. For example, a control plane failure will impact the data plane, as users' traffic will not be forwarded to its destination.

Implementing NFP

Components of a threat control and mitigation strategy:

Management plane
  Security measures: AAA, NTP, SSH, SSL, syslog, SNMP, parser views.
  Protection objectives: Authenticate and authorize administrators. Use encrypted protocols; limit what an individual can see on a network device.

Control plane
  Security measures: Control plane policing (CoPP), control plane protection (CPPr), authenticated routing protocol updates.
  Protection objectives: Control plane tools are used to limit the damage caused by an attacker. Routing protocol updates are authenticated to mitigate an attacker manipulating the routing updates.

Data plane
  Security measures: ACLs, private VLANs, STP, IOS IPS, zone-based firewall.
  Protection objectives: Filtering traffic, protecting the network from a rogue switch affecting the data plane, firewall filtering.

NFP is built on these three components to protect a network. The command-line auto secure feature implements security measures from each plane.

Understanding the Management Plane

About: What can be done to protect management access and protocols.

Main ideas:

Best Practices for Securing the Management Plane

  Implement a password policy
  Implement RBAC
  Utilize AAA services for central management
  Use secure NTP
  Use encrypted versions of SNMP
  Lock down the IP addresses allowed to initiate management
  Lock down syslog

Understanding the Control Plane

About: Protecting network devices involving nontransit traffic directed to the network device.

Main ideas:

Best Practices for Securing the Control Plane

  CoPP - control plane policing. The act of rate limiting management traffic; like applying QoS to the logical control plane interface of the device.
  CPPr - control plane protection. Detailed classification of traffic; can rate limit and filter traffic more finely than CoPP.
  Routing protocol authentication - used to protect the network from a rogue router that may be used to modify routing traffic.

Understanding the Data Plane

About: Implementing policy for transit traffic going through network devices.

Main ideas:

Protecting the Data Plane

  ACLs used for filtering - ACLs can be configured to filter certain traffic.
  IOS firewall support - a zone-based firewall can be applied.
  IOS IPS - applied over the existing routing platform. Uses signature matches to find malicious traffic.
  TCP Intercept - helps protect from SYN-flood attacks.
  Unicast Reverse Path Forwarding - limits IP spoofing.

Best Practices for Protecting the Data Plane

  Block unwanted traffic at the router.
  Reduce DoS attacks with TCP Intercept and firewall services.
  Reduce spoofing attacks.
  Provide bandwidth management by rate-limiting certain types of traffic.
  Implement an IPS.

Additional Data Plane Protection Mechanisms

  Enable port security to mitigate MAC address flooding and CAM overflow attacks.
  Implement DHCP snooping to prevent a rogue DHCP server from handing out incorrect default gateways and to protect against DHCP starvation attacks.
  Implement Dynamic ARP Inspection (DAI) to protect against ARP spoofing. ARP spoofing is advertising an incorrect IP-to-MAC address mapping.
  Implement IP Source Guard to prevent IP spoofing.
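As an added example (not from the original notes), here is how those four mechanisms fit together on a Catalyst access switch. It assumes a constructed topology: VLAN 10 for users, GigabitEthernet0/1 as the trusted uplink toward the DHCP server, and GigabitEthernet0/2-24 as user-facing access ports.

```cisco
! Added example: Layer 2 data plane protection on a Catalyst access switch.
! Assumed (constructed) topology: VLAN 10 = user VLAN, Gi0/1 = uplink toward
! the DHCP server, Gi0/2-24 = user-facing access ports.

! DHCP snooping: build the IP-to-MAC binding table from DHCP traffic and drop
! DHCP server replies that arrive on untrusted (user) ports.
ip dhcp snooping
ip dhcp snooping vlan 10

! Dynamic ARP Inspection: validate ARP packets on untrusted ports against the
! DHCP snooping bindings, which blocks incorrect IP-to-MAC advertisements.
ip arp inspection vlan 10

! Uplink toward the legitimate DHCP server: the only port allowed to send
! DHCP offers/acks and unchecked ARP replies.
interface GigabitEthernet0/1
 description Uplink to distribution / DHCP server
 ip dhcp snooping trust
 ip arp inspection trust

! User ports: port security limits MAC addresses per port (CAM overflow),
! the DHCP rate limit blunts DHCP starvation, IP Source Guard drops packets
! whose source IP does not match the snooping binding (IP spoofing), and
! BPDU guard shuts the port if a rogue switch starts talking STP on it.
interface range GigabitEthernet0/2 - 24
 switchport mode access
 switchport access vlan 10
 switchport port-security
 switchport port-security maximum 2
 switchport port-security violation restrict
 switchport port-security mac-address sticky
 ip dhcp snooping limit rate 15
 ip verify source
 spanning-tree portfast
 spanning-tree bpduguard enable

! Verification (privileged EXEC):
! show ip dhcp snooping binding
! show ip arp inspection vlan 10
! show port-security interface GigabitEthernet0/2
! show ip verify source
```

DAI and IP Source Guard only know about hosts that obtained an address through DHCP, so a statically addressed host on an untrusted port needs a manual entry with ip source binding or it will be dropped.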

Notebook: CCNA Security

Created: 10/7/2012 8:45 PM    Updated: 10/8/2012 5:51 AM

Tags: ccna security

05 Using Cisco Configuration Professional to Protect the Network Infrastructure

Introducing Cisco Configuration Professional

CCP can be located locally on the computer or on the router. It is used to configure routing, firewalls, IPS, VPNs, UC, and other features on an IOS router using a GUI. It can monitor a group of routers using a device community.

Understanding CCP Features and the GUI

The Menu Bar

Contains two options, Application and Help.

  Application - Manage Community, Setup New Device, Create User Profile, Import User Profile, Options, Template, Work Offline, Exit.
  Help - Help Contents, Feedback, About.

The Toolbar

  Home button - clicking goes to the Community View page.
  Configure button - make a change to the configuration or view an existing configuration of a router.
  Monitor button - shows router and security features that can be monitored.
  Manage community icon - view, edit, or add new communities.
  Refresh icon - gets the current running config from the specified device.
  Provide feedback to Cisco icon - feedback for Cisco.
  Help icon - looks like a question mark; click to get help.
  Search icon - opens a browser window to search the help documents.

Left Navigation Pane

Select an item you want to create or manage on the IOS router.

Content Pane

Right of the navigation pane, where parameters are entered or changed.

Status Bar

Located at the bottom; displays info about CCP. A router preinstalled with Cisco Configuration Professional Express can be browsed to at 10.10.10.1 (the default IP of CCP Express).

Required for CCP:

  Supports HTTP or HTTPS.
  Authentication for HTTPS set to the local database.
  A username with privilege 15.

How to prepare the router for HTTP/HTTPS connections:

  R1(config)# ip http server
  R1(config)# ip http secure-server
  R1(config)# username admin privilege 15 secret cisco
  R1(config)# ip http authentication local

Setting Up New Devices

About: Required basic configuration to allow CCP to communicate with a router.

CCP Building Blocks

About: Tools used for security policy deployment and configuration.

Main Ideas:

Communities

A community must be created before administering a router using CCP. A community is a group of routers that share something in common. The maximum number of routers in a community is 10.

To create a community and add devices:

1. Use the Manage Community dialog box to create the community. Either click Manage Community in the toolbar, or from the menu bar click Application | Manage Community.
2. In the Manage Community dialog box, enter the IP address or hostname of the router, including the username and password.
3. To connect securely to the router, check the Connect Securely check box.
4. To change the default port information, click the down arrow to the right of the device.
5. To discover all the devices in the community, check the Discover All Devices check box.
6. Click OK and the Community View page opens.

Templates

Templates are used to copy a configuration to another router or device. Certain parameters will be changed, such as the hostname.

To create and apply a template:

1. Select Application from the menu bar, from the drop-down select Template, and then Create.
2. You can then select a discovered router or select a file from your local computer.
3. Highlight the items that need to be replaced before applying the configuration to another router. After highlighting each item, click the Parameterize button. This identifies each item as a variable that will be replaced before applying the configuration to another router. Click Finish.
4. Save the file.
5. Apply the configuration to another router by selecting Application from the menu bar, and from the drop-down select Template, then Apply.
6. Browse for the previously saved template file and click Next. Click the Find Parameterized Attribute button to search for and identify the variables and replace them with the new values. Then click Next.
7. From the drop-down list select a discovered router that you want to apply the configuration to. Click Next to continue, followed by Finish.

User Profiles

You can restrict which features are shown as available by using user profiles. User profiles only restrict what is shown in CCP, not what is reachable over SSH. To create and implement a user profile:

1. Select Application, then select Create User Profile.
2. Click Next.
3. Select the routers that the user profile will affect, then click Next.
4. Expand each content item by clicking the triangle to the left of it. Select the permissions by clicking the icon and choosing the level of permission you want to give the user for that item. When done, click Next. Green = Full Permissions, Blue = View Only, Red = Not Available.
5. Click Save User Profile, then click Finish.
6. On the computer using the user profile, click the Application menu and select Import User Profile.
7. Click Browse, select the previously saved user profile, and click Next. Confirm the settings for the profile and click Next, then Finish.

CCP Audit Features

About: How to use the Security Audit feature in CCP.

Based on the command-line auto secure feature, the Security Audit feature evaluates the configuration and makes recommendations on how to make the router more secure.

To perform a security audit:

1. On the toolbar click Configure, then go to Security > Security Audit.
2. Click Perform Security Audit and then click Next.
3. For each interface listed, check either the Inside or Outside check box to indicate where the interface connects, then click Next.
4. The Security Audit Wizard checks the configuration to find any security problems.
5. Check the Fix It boxes next to any problems you want CCP to fix, then click Next.
6. Enter any information required and click Next.
7. On the summary page, click Finish to deliver the changes to the router.

One-Step Lockdown

Addresses several features that do not require an administrator to provide input. It provides a subset of the security measures that the interactive Security Audit feature can perform.

Notebook: CCNA Security

Created: 10/12/2012 5:34 AM    Updated: 10/13/2012 10:59 PM

Tags: ccna security

06 Securing the Management Plane on Cisco IOS Devices

Securing Management Traffic

About: Classifying and describing management traffic, its vulnerabilities, and how to protect it.

Main ideas:

What is Management Traffic and the Management Plane?

The management plane includes the method of managing a device, the credentials to log into the device, configuring the device, etc.: everything involved with management of a system. The traffic between the device and the administrator is management traffic.

Beyond the Blue Rollover Cable

A console cable gives you physical access to a device. Without it, you would use IP to connect to the device. This increases the risk, because unauthorized users may attempt to gain access.

Management Plane Best Practices

  Strong passwords - make passwords complex and difficult to guess.
  User authentication and AAA - make admins connect using usernames and passwords. Then authorize what they can do on the device and keep an audit trail.
  Role-based access control (RBAC) - give junior admins a custom privilege level account and/or put them in a special group with specific permissions to devices.
  Encrypted management protocols - use SSH and HTTPS to manage devices.
  Logging - used as an audit trail and also to receive messages from devices.
  Network Time Protocol - synchronize time across all devices so logs can be correlated.
  Secure system files - make it difficult to delete or modify the startup config and the IOS images.

Password Recommendations

  Use a minimum of eight characters. The longer the better.
  Use alphanumeric characters, symbols, phrases, etc.
  Change passwords regularly.

Using AAA to Verify Users

AAA identifies the user before giving access to network resources, then gives them access based on what they are authorized to use, and then creates an audit trail of what they did and when they did it.

AAA Components

  Authentication - proving who users claim to be. Authentication is specified with a "method list" that says how to authenticate a user.
  Authorization - after authentication, authorization is used to determine which resources an individual has access to and what they can do to those resources. Authorization method lists are created to specify how to authorize an individual.
  Accounting and auditing - once a user is authenticated and authorized, an audit trail keeps track of what resources were accessed and what was performed on those resources.

Options for Storing Usernames, Passwords, and Access Rules

  Cisco Secure ACS Solution Engine
  Cisco Secure ACS for Windows Server
  Current flavors of ACS functionality
  Self-contained AAA

  Authorizing VPN Users - authenticate the user and determine what access they have by the authorization method list.
  Router Access Authentication - authentication must be used before authorization.
  AAA Method List - can specify individual lists of ways we want to authenticate, authorize, and account for users. A default list applies to the whole router or switch. A custom list can be created.

Syntax: aaa type {default | list-name} method-1 [method-2 method-3 method-4]

  type = identifies the type of list being created: either authentication, authorization, or accounting.
  default = specifies the default list of methods to be used, based on the methods that follow this argument.
  list-name = used to create a custom method list.
  method = at least one method must be specified. To use the local database, use the local keyword. Other methods include:
    enable - the enable password is used.
    krb5 - Kerberos 5 is used.
    krb5-telnet - Kerberos 5 Telnet is used when using Telnet to connect.
    line - the line password is used.
    local - the local username database is used.
    local-case - requires a case-sensitive local username.
    none - no authentication is used.
    group radius - a RADIUS server is used.
    group tacacs+ - a TACACS+ server is used.
    group group-name - uses a subset of the RADIUS or TACACS+ servers.

Role-Based Access Control

The RBAC concept is to create a set of permissions and assign it to users or groups.

  Custom privilege levels - user mode is privilege level 1; privileged mode is level 15. Custom privilege levels can be created with assigned commands associated with that custom level.
  Limiting the administrator by assigning a view - by creating parser views. A view can be created with associated commands. The user logs into the CLI and is restricted to the commands that are associated with the view.

Encrypted Management Protocols

The most common option for remote access is Telnet. Telnet is not secure because it transmits data in plain text. SSH gives the same functionality, but data in transit is encrypted. For GUI management applications, HTTPS should be used instead of HTTP.

Using Logging Files

Console - log messages that are sent to the terminal window.

vty lines - virtual tty connections receiving log messages at the terminal.

Buffer - router memory that can store messages up to a configured memory size.

SNMP server - generated log messages from SNMP traps that are sent to the SNMP server.

Syslog server - stores large volumes of logs. Syslog severities:

0 - emergencies - system is unusable.

1 - alerts - immediate action needed.

2 - critical - critical conditions.

3 - errors - error conditions.

4 - warnings - warning conditions.

5 - notifications - normal, but significant conditions.

6 - informational - informational messages.

7 - debugging - highly detailed info based on current debugging enabled.

Understanding NTP

Network Time Protocol uses UDP port 123 and is used to synchronize time between devices; synchronized clocks are what make log timestamps from different devices comparable. Network devices should synchronize to a trusted time server using NTP version 3, which supports cryptographic (MD5) authentication of the server. The authentication itself must also be configured (keys, ntp authenticate, trusted keys); selecting version 3 alone does not authenticate anything.

Protecting Cisco IOS Files

The Cisco operating system is called IOS. To protect the IOS image and the startup configuration, a secure bootset (Cisco IOS Resilient Configuration) is created so that a secured working copy of the IOS image and startup config is kept on persistent storage at all times. The secured files do not appear in dir output and cannot be removed from a remote session; the feature can only be disabled from the console.

Implement Security Measures to Protect the Management Plane

About: Implementing best practices to protect the management plane.

Main Ideas:

Implementing Strong Passwords

Use the secret keyword (which stores a one-way hash) rather than password when configuring user accounts:

username admin secret ci$co!619

Configure login and passwords for access to the lines:

line console 0


password $ecr3t

login

exit

line vty 0 4

password $secr3t$

login

Encrypt all plaintext passwords that remain in the configuration (line passwords and any username ... password entries):

service password-encryption

This applies the reversible type 7 encoding. It stops casual reading of show run output, but it is not a substitute for secret, which stores a hash instead of a recoverable password.
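Because type 7 is an encoding rather than a hash, anyone who obtains a configuration with `password 7` lines has the plaintext. The following added example, not from the notes, implements the type 7 encoding and its inverse in Python using the publicly documented translation table and seed format, then scans a constructed running-config excerpt for `password 7` entries. It shows why `username ... secret` and `enable secret` are the right choice for anything that matters.

```python
# Added example (not from the notes): encode/decode Cisco IOS "type 7" passwords,
# the reversible obfuscation that `service password-encryption` applies to line
# passwords and `username ... password` entries. `secret` keywords store a
# one-way hash instead and are not affected.

# Fixed translation table used by IOS type-7 obfuscation (publicly documented).
XLAT = "dsfd;kfoA,.iyewrkldJKDHSUBsgvca69834ncxv"


def type7_decode(encoded: str) -> str:
    """Reverse a type-7 string such as '0822455D0A16' back to its plaintext."""
    if len(encoded) < 4 or len(encoded) % 2 != 0:
        raise ValueError("type-7 string is a 2-digit decimal seed followed by hex pairs")
    seed = int(encoded[:2], 10)          # first two characters: offset into XLAT
    body = bytes.fromhex(encoded[2:])    # one hex pair per plaintext byte
    plain = bytearray()
    for i, b in enumerate(body):
        plain.append(b ^ ord(XLAT[(seed + i) % len(XLAT)]))
    return plain.decode("ascii")


def type7_encode(plain: str, seed: int = 8) -> str:
    """Produce a type-7 string; IOS picks the seed randomly from 0-15."""
    if not 0 <= seed <= 15:
        raise ValueError("seed must be 0-15")
    out = [f"{seed:02d}"]
    for i, ch in enumerate(plain.encode("ascii")):
        out.append(f"{ch ^ ord(XLAT[(seed + i) % len(XLAT)]):02X}")
    return "".join(out)


def recover_line_passwords(config: str) -> dict:
    """Find 'password 7 <hex>' entries (line or username) in a config text and
    return {config line: recovered plaintext}."""
    found = {}
    for line in config.splitlines():
        parts = line.split()
        if "password" in parts:
            idx = parts.index("password")
            if idx + 2 < len(parts) and parts[idx + 1] == "7":
                found[line.strip()] = type7_decode(parts[idx + 2])
    return found


# Constructed running-config excerpt for the demonstration (not a real device).
SAMPLE_CONFIG = """
service password-encryption
username ops password 7 0822455D0A16
line vty 0 4
 password 7 0822455D0A16
 login
"""

if __name__ == "__main__":
    for line, pw in recover_line_passwords(SAMPLE_CONFIG).items():
        print(f"{line!r} -> {pw!r}")
```

`0822455D0A16` is the classic textbook value and decodes to `cisco`; the same plaintext with a different seed produces a different string, which is the only variation the scheme has.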

User Authentication with AAA

Enable AAA:

aaa new-model

Configure at least one local username before (or immediately after) entering this command: once AAA is enabled, the vty lines fall under the default login method list, which is local, and with no local user defined new remote logins fail.

Configure the AAA server being used. This example uses TACACS+

tacacs-server host 10.10.10.5

tacacs-server key P@ssword01

A default method list is created (it applies to every line that has no named list assigned):

aaa authentication login default local enable

A custom method list is created

aaa authentication login CUSTOM_LOGIN group tacacs+ local enable

Custom authorization method lists are created

aaa authorization commands 1 AUTHZ_PRIV1 group tacacs+ local

aaa authorization commands 15 AUTHZ_PRIV15 group tacacs+ local

Custom accounting method lists are created

aaa accounting commands 1 ACCT_PRIV1 start-stop group tacacs+

aaa accounting commands 15 ACCT_PRIV15 start-stop group tacacs+

Create a backup local privilege 15 user account in case the TACACS+ server cannot be contacted. Note that the local method is consulted only when the server does not respond, not when it rejects a login, so this account works during an outage, not as a second set of credentials while the server is up.

username admin priv 15 secret S3cretS@uce

Apply the method lists to the VTY lines

line vty 0 4

login authentication CUSTOM_LOGIN

authorization commands 1 AUTHZ_PRIV1

authorization commands 15 AUTHZ_PRIV15

accounting commands 1 ACCT_PRIV1

accounting commands 15 ACCT_PRIV15
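The fallback rule above is the part of method lists that is most often misunderstood, so here is an added example, not from the notes, that simulates how IOS walks the CUSTOM_LOGIN list (group tacacs+ local enable). The Router class, its user tables and the ACS contents are constructed for the illustration; treating an empty local database as an error that falls through to the next method is modeled behavior, stated as an assumption.

```python
# Added example (not from the notes): simulate IOS AAA method-list evaluation.
# Rule being demonstrated: the next method is tried only when the current one
# returns ERROR (could not answer, e.g. server unreachable). A FAIL (explicit
# reject) ends the attempt immediately, so "local" after "group tacacs+" is a
# fallback for outages, not an alternative set of credentials.
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

PASS, FAIL, ERROR = "PASS", "FAIL", "ERROR"


@dataclass
class Router:
    local_users: Dict[str, str] = field(default_factory=dict)   # username ... secret entries
    enable_secret: Optional[str] = None
    tacacs_reachable: bool = True                               # can the ACS be contacted?
    acs_users: Dict[str, str] = field(default_factory=dict)     # accounts the ACS knows (constructed)

    def run_method(self, method: str, user: str, password: str) -> str:
        """One method's verdict: PASS, FAIL (explicit reject) or ERROR (no answer)."""
        if method == "group tacacs+":
            if not self.tacacs_reachable:
                return ERROR
            return PASS if self.acs_users.get(user) == password else FAIL
        if method == "local":
            if not self.local_users:
                return ERROR   # assumption: an empty local database cannot answer, so the next method runs
            return PASS if self.local_users.get(user) == password else FAIL
        if method == "enable":
            if self.enable_secret is None:
                return ERROR
            return PASS if password == self.enable_secret else FAIL
        if method == "none":
            return PASS
        raise ValueError(f"unknown method {method!r}")

    def authenticate(self, method_list: List[str], user: str, password: str) -> Tuple[str, str]:
        """Walk the list in order. Only ERROR moves on to the next method; PASS or
        FAIL ends the attempt. Exhausting the list without an answer is a FAIL."""
        for method in method_list:
            verdict = self.run_method(method, user, password)
            if verdict != ERROR:
                return verdict, method
        return FAIL, "list exhausted"


# The notes' custom list: aaa authentication login CUSTOM_LOGIN group tacacs+ local enable
CUSTOM_LOGIN = ["group tacacs+", "local", "enable"]


def scenario() -> Dict[str, Tuple[str, str]]:
    """Constructed scenario: an ACS user, a local backup admin, and an outage."""
    r = Router(local_users={"admin": "S3cretS@uce"}, enable_secret="En@ble!",
               acs_users={"rowell": "CiscoS@uce"})
    out = {}
    out["acs user, good password"] = r.authenticate(CUSTOM_LOGIN, "rowell", "CiscoS@uce")
    out["acs user, wrong password"] = r.authenticate(CUSTOM_LOGIN, "rowell", "guess")
    out["local backup while ACS is up"] = r.authenticate(CUSTOM_LOGIN, "admin", "S3cretS@uce")
    r.tacacs_reachable = False
    out["local backup while ACS is down"] = r.authenticate(CUSTOM_LOGIN, "admin", "S3cretS@uce")
    out["unknown user while ACS is down"] = r.authenticate(CUSTOM_LOGIN, "nobody", "x")
    return out


if __name__ == "__main__":
    for case, (verdict, decided_by) in scenario().items():
        print(f"{case:34s} -> {verdict:4s} (decided by {decided_by})")
```

The third case is the one to remember: while the ACS is reachable it rejects the local-only admin account, and the local database is never consulted. If the ACS must not be the only path in, the account has to exist on the ACS as well.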

How to view AAA using CCP:

Click on Configure | Router | AAA | AAA Summary

How to add, edit, or modify the authentication policies:


Configure | Router | AAA | Authentication Policies | Login

To see the method lists applied to the vty lines:

Configure | Router | Router Access | VTY

Using the CLI to Troubleshoot AAA for Cisco Routers

debug aaa authentication

debug aaa authorization

debug aaa accounting

RBAC Privilege Level/Parser View

Creating a custom privilege level:

conf t

! This assigns the command 'configure terminal' to privilege level 8

privilege exec level 8 configure terminal

! The 0 means the secret that follows is typed in cleartext; IOS stores it hashed

enable secret level 8 0 P@ssword01

Can assign custom privilege level to a user account in the local database:

username rowell privilege 8 secret CiscoS@uce

line vty 0 4

! login local requires a username and password from the local database. It applies when aaa new-model is not present; with AAA enabled, the login authentication method list on the line decides instead.

login local

Implementing Parser Views

Requirements to create a view: an enable secret must be configured, and AAA must be enabled (aaa new-model).

Creating a view:

conf t

enable secret Cisco

aaa new-model

enable view

Password:

%PARSER-6-VIEW_SWITCH: successfully set to view 'root'.

conf t

! Creating the new view

parser view New_VIEW

! Setting the password for the view

secret New_VIEW_PW

! Specify commands included in the view

commands exec include ping


commands exec include all show

commands exec include configure

commands configure include access-list

exit

exit

To use the view:

R1> enable view New_VIEW

Password: New_VIEW_PW

To associate a user with a parser view:

username tsadmin view New_VIEW secret Cisco123

SSH and HTTPS

Requirements for SSH:

Hostname configured

Domain name

Generating public/private key pair

Requiring user login via the vty lines, instead of just a password

User account to log in with

Configuring SSH:

hostname R1

ip domain-name rcdlab.net

! 1024 is what the course shows; use modulus 2048 or larger in practice

crypto key generate rsa modulus 1024

username admin secret Cisco

line vty 0 4

login local

Two settings the list above leaves out but a hardened device needs: restrict the vty lines to SSH only (transport input ssh), otherwise Telnet stays enabled alongside SSH, and require SSH version 2 (ip ssh version 2).

Enabling secure HTTPS:

ip http secure-server

ip http authentication local

Implementing Logging Features

Configuring Syslog Support

Configure timestamps on log messages:

service timestamps log datetime

(Adding msec localtime show-timezone to this command makes entries precise enough to correlate with logs from other devices.)

To configure syslog from CCP:

Configure | Router | Logging

Configure syslog in CLI:

logging 10.10.10.5

logging trap debugging

logging buffered 8192 informational

logging trap debugging forwards every severity, including debug output, to the server; informational is the usual production choice and keeps debug noise off the wire. logging buffered sets the size and level of the local buffer that show logging displays.
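To see what the severity levels and the logging trap / logging buffered thresholds do to a real message stream, here is an added example, not from the notes. It parses IOS-format log lines (%FACILITY-SEVERITY-MNEMONIC), decides which destinations would receive each one under a given pair of thresholds, and counts repeated %SEC_LOGIN-4-LOGIN_FAILED messages per source as a simple brute-force detector. The sample log lines are constructed; LOGIN_FAILED messages only appear on a router where login on-failure log is configured.

```python
# Added example (not from the notes): parse IOS syslog lines, apply the
# `logging trap` / `logging buffered` severity thresholds, and flag repeated
# login failures. Sample lines below are constructed for the demonstration.
import re
from collections import Counter
from typing import Dict, List, Optional

# IOS severities, index = level (lower is more severe)
SEVERITIES = ["emergencies", "alerts", "critical", "errors", "warnings",
              "notifications", "informational", "debugging"]
LEVEL = {name: n for n, name in enumerate(SEVERITIES)}

# %FACILITY-SEVERITY-MNEMONIC: message text
MSG_RE = re.compile(
    r"%(?P<facility>[A-Z0-9_]+)-(?P<severity>[0-7])-(?P<mnemonic>[A-Z0-9_]+):\s*(?P<text>.*)$")


def parse_ios_log(line: str) -> Optional[Dict]:
    """Split one log line into timestamp, facility, numeric severity, mnemonic, text."""
    m = MSG_RE.search(line)
    if not m:
        return None
    msg = m.groupdict()
    msg["severity"] = int(msg["severity"])
    msg["timestamp"] = line[:m.start()].strip().rstrip(":")
    return msg


def destinations(msg: Dict, trap: str = "debugging", buffered: str = "informational") -> List[str]:
    """Where IOS delivers msg given `logging trap <trap>` and `logging buffered <size> <buffered>`:
    a destination receives every message at its level or more severe (numerically <=)."""
    out = []
    if msg["severity"] <= LEVEL[trap]:
        out.append("syslog-server")
    if msg["severity"] <= LEVEL[buffered]:
        out.append("buffer")
    return out


def severity_histogram(lines: List[str]) -> Counter:
    """Count messages per severity name, skipping lines that are not IOS messages."""
    return Counter(SEVERITIES[m["severity"]] for m in map(parse_ios_log, lines) if m)


def failed_login_sources(lines: List[str], threshold: int = 3) -> Dict[str, int]:
    """Sources with >= threshold %SEC_LOGIN-4-LOGIN_FAILED messages: a brute-force indicator."""
    counts: Counter = Counter()
    for line in lines:
        msg = parse_ios_log(line)
        if msg and (msg["facility"], msg["mnemonic"]) == ("SEC_LOGIN", "LOGIN_FAILED"):
            src = re.search(r"\[Source: ([0-9.]+)\]", msg["text"])
            if src:
                counts[src.group(1)] += 1
    return {ip: n for ip, n in counts.items() if n >= threshold}


# Constructed sample of what `show logging` / a syslog collector would hold.
SAMPLE_LOG = """\
Oct  1 10:04:58.101: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: admin] [Source: 10.1.1.99] [localport: 22] [Reason: Login Authentication Failed] at 10:04:58 UTC Mon Oct 1 2012
Oct  1 10:05:01.377: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: admin] [Source: 10.1.1.99] [localport: 22] [Reason: Login Authentication Failed] at 10:05:01 UTC Mon Oct 1 2012
Oct  1 10:05:04.912: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: root] [Source: 10.1.1.99] [localport: 22] [Reason: Login Authentication Failed] at 10:05:04 UTC Mon Oct 1 2012
Oct  1 10:05:30.004: %SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: admin] [Source: 10.1.1.5] [localport: 22] at 10:05:30 UTC Mon Oct 1 2012
Oct  1 10:06:12.220: %SYS-5-CONFIG_I: Configured from console by admin on vty0 (10.1.1.5)
Oct  1 10:06:40.003: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/2, changed state to down
Oct  1 10:07:01.555: %SYS-7-USERLOG_DEBUG: Message from tty2(user id: admin): debugging
"""

if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    print(severity_histogram(lines))
    print("repeated login failures:", failed_login_sources(lines))
    for line in lines:
        msg = parse_ios_log(line)
        print(msg["severity"], msg["mnemonic"], "->", destinations(msg))
```

With the thresholds from the configuration above, the severity 7 message reaches the syslog server but not the buffer; lowering logging trap to warnings would drop everything but the three login failures from the server feed.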


SNMP Features

Components

SNMP manager - runs the management application; called the Network Management System (NMS).

SNMP agent - software that runs on a managed device.

Management Information Base (MIB) - a hierarchical collection of objects, each with a unique object identifier, describing the individual components of the device. Information about the device's resources and activity is defined by this series of objects.

Categories of SNMP message types

GET - used to retrieve info from a managed device.

SET - used to set a variable in a managed device or to trigger an action.

Trap - an unsolicited message sent from a managed device to the SNMP manager.

Security models and security levels:

Security Model   Security Level   Authentication Strategy   Encryption Type
SNMPv1           noAuthNoPriv     Community string          None
SNMPv2c          noAuthNoPriv     Community string          None
SNMPv3           noAuthNoPriv     Username                  None
SNMPv3           authNoPriv       MD5 or SHA                None
SNMPv3           authPriv         MD5 or SHA                CBC-DES (DES-56)

Only SNMPv3 authPriv provides both authentication and confidentiality; DES-56 is the baseline listed here, and AES is the better choice where the platform and NMS support it.

Configure SNMP using CCP:

Configure | Router | SNMP

CLI to configure SNMPv1/v2c (community-based):

snmp-server location 10.1.10.26

snmp-server contact Admin

snmp-server community super-secret RW

snmp-server host 10.1.10.26 trap Cisco

A read-write (RW) community string is a password sent in cleartext: anyone who learns it and can reach UDP port 161 on the device can reconfigure it. At minimum, restrict the community to the NMS with an access list, and prefer SNMPv3 authPriv wherever the NMS supports it.

Configuring NTP

To configure using CCP:

Configure | Router | Time | NTP and SNTP then click ADD

To configure using CLI:

ntp update-calendar

ntp authentication-key 1 md5 S3cret!

ntp authenticate

ntp trusted-key 1

ntp server 55.1.2.3 key 1 source FastEthernet0/0 prefer

Verify NTP:

show ntp status


show ntp association

Securing the Cisco IOS Image and Configuration Files

Create a secure bootset:

! Secure the IOS image

conf t

secure boot-image

! Secure the startup config

secure boot-config

! Verify the bootset

do show secure bootset


Notebook: CCNA Security

Created: 10/15/2012 5:29 AM Updated: 10/15/2012 12:20 PM

Tags: ccna security

07 Implementing AAA Using IOS and the ACS Server

Cisco Secure ACS, RADIUS, and TACACS

About: How to use ACS for centralized authentication of clients.

Main Ideas:

Why Use Cisco ACS?

Centrally manage users and control what access they have to routers and switches (authorize).

Useful for creating user accounts one time when authenticating to multiple devices.

What Platform Does ACS Run On?

Can be installed on a Windows server, a physical Cisco appliance or installed in a virtual

environment.

What is ISE?

Identity Services Engine (ISE) is an identity and access control policy platform. Used to do posturing

and policy-compliance checking for hosts.

Protocols Used Between the ACS and the Router

Two main protocols used between ACS and the client: TACACS+ and RADIUS.

TACACS+

Terminal Access Controller Access-Control System Plus.

Cisco proprietary.

RADIUS

Remote Authentication Dial-In User Service.

Open standard.

Only the password field is encrypted; the rest of the packet is sent in cleartext.

Protocol Choices Between the ACS Server and the Client (the Router)

TACACS+ versus RADIUS


                         TACACS+                                    RADIUS
Functionality            Separates AAA functions into distinct      Combines authentication and authorization
                         elements: authentication is separate       into one exchange. Has detailed accounting
                         from authorization, and both are           capability when accounting is configured.
                         separate from accounting.
Standard                 Cisco proprietary                          Open standard
L4 protocol              TCP (port 49)                              UDP (1812/1813; legacy 1645/1646)
Replacement coming       None officially planned                    Possibly Diameter
Confidentiality          Entire packet body encrypted between       Only the password is encrypted between
                         ACS and router                             ACS and router
Granular command-by-     Supported                                  No explicit per-command authorization
command authorization                                               rules can be implemented
Accounting               Supported                                  Supported

Configuring Routers to Interoperate with an ACS Server

About: Configuring ACS

Main Ideas:

Using the CLI to configure client with ACS

! enable aaa

conf t

aaa new-model

! configure tacacs and local method list

aaa authentication login AUTHEN_via_TACACS group tacacs+ local

! configure the authorization method list

aaa authorization exec Author-Exec_via_TACACS group tacacs+ local

! create a local user account as a backup

username admin priv 15 secret cisco

! specify the ACS server used for tacacs

tacacs-server host 192.168.1.252 key cisco123

! apply authentication and authorization method lists to the vty lines

line vty 0 4

authorization exec Author-Exec_via_TACACS

login authentication AUTHEN_via_TACACS


To troubleshoot TACACS use command:

debug tacacs

debug aaa authentication

debug aaa authorization

Task list for configuring router to use ACS via TACACS+

Decide what the policy should be - part of the planning process for developing concept for

authentication and authorization.

Enable AAA - use command aaa new-model.

Specify the ACS server to use - use the tacacs-server host command.

Create a method list for authentication and authorization - each method list is created in

global configuration mode.

Apply the method lists to the location that should use those methods.

Using CCP to configure the client with ACS

Enable AAA in the CLI with the command aaa new-model.

In CCP configure AAA:

Configure | Router | AAA | AAA Servers and Groups | Servers | Click ADD to add the

ACS server.

Create the method lists:

Configure | Router | AAA | Authentication Policies | Login | Click ADD to specify the

authentication method list details.

Create the authorization method list:

Configure | Router | AAA | Authorization Policies | EXEC Command Mode | Click ADD to

create a similar process as the authentication method list.

Apply the method lists to the vty lines:

Configure | Router | Router Access | VTY | click Edit and use the drop down to select the

method lists to be used.

Create a local user account:

Configure | Router | Router Access | User Accounts/View | click ADD

Configuring the ACS Server to Interoperate with a Router

About: Configuring the ACS using the GUI interface.

Main Ideas:

Configuring the ACS

Key Components for Configuring ACS:


Network device groups - Used to group network devices with similar functions managed by

the same administrators.

Network devices - Individual network devices that go into device groups.

Identity groups - Groups of admins.

User accounts - Individual admins which are placed into identity groups.

Authorization profiles - Controls what rights are permitted.

Create device groups:

Network Resources | Network Device Groups | Device Type | click Create

Add a single router and add to a device group:

Network Resources | Network Devices and AAA Clients | click Create

Create a user group:

Users and Identity Stores | Identity Groups | click Create

Create individual users:

Users and Identity Stores | Internal Identity Stores | Users | Click Create

Create authorization policies:

Access Policies | Access Services | Default Device Admin | Authorization | click Create

Verifying and Troubleshooting Router-to-ACS Server Interactions

About: Commands that can be used to troubleshoot and verify AAA when using ACS.

Main Ideas:

Verification

Verify ping, make sure device is powered on, in the correct VLAN, has correct switchport

configuration, etc.

Testing AAA between router and the ACS use command:

test aaa group tacacs+ admin cisco123 legacy

On the ACS server, view the reports:

Monitoring & Reports | Reports | Favorites | select Authentications - TACACS - Today


Notebook: CCNA Security

Created: 10/16/2012 5:24 AM Updated: 10/21/2012 8:02 PM

Tags: ccna security

08 Securing Layer 2 Technologies

VLAN and Trunking Fundamentals

About: The basics of how VLANs and trunking operate.

Main Ideas:

What is a VLAN?

A VLAN is a virtual LAN: devices on the same VLAN share one layer 2 broadcast domain and are normally in the same IP subnet. On the switch, each switchport is assigned to a VLAN.

Creating a new VLAN:

conf t

vlan 10

int f0/1

switchport mode access

switchport access vlan 10

Trunking with 802.1Q

By default, separate physical switches are not trunked, so 802.1Q tags are not carried between them. 802.1Q is the standard for VLAN trunking and frame tagging. If SW1 needs to tell SW2 that a frame is destined for VLAN 10, the frame has to cross a trunk port, so a trunk needs to be configured on both switches.

Configuring trunk ports:

conf t

int range f0/23-24

switchport trunk encapsulation dot1q

switchport mode trunk

Following the Frame, Step by Step

When SW1 forwards a frame over the trunk tagged as VLAN 10 to SW2, SW2 sees the tag, knows the frame is for VLAN 10, removes the tag, and forwards the frame to all interfaces associated with VLAN 10 (for a broadcast) or directly to the interface where the destination MAC lives in VLAN 10 (unicast).

The Native VLAN on a Trunk

By default, the native VLAN is VLAN 1. Frames on the native VLAN are sent untagged across a trunk port. If a device connects to the switch and is placed on the native VLAN, a broadcast it sends is carried untagged to the other switches on the native VLAN. Because an untagged frame arriving on a trunk is assumed to belong to the native VLAN, an attacker on that VLAN can craft double-tagged frames that end up in another VLAN (VLAN hopping); this is why the native VLAN on a trunk should be an unused VLAN rather than one carrying user traffic.

So, What Do You Want to Be? (Says the Port)

Trunks can be negotiated automatically (DTP) between two switches, or between a switch and a device that supports trunking; the negotiation determines whether a port becomes a trunk or an access port. A host that speaks DTP can therefore negotiate a trunk to itself unless the port is administratively set to access mode with negotiation disabled.

Inter-VLAN Routing

Devices on the same VLAN can communicate with each other directly. For two devices on different VLANs to communicate, each VLAN needs a default gateway that routes the packets to the destination VLAN.

The Challenge of Using Physical Interfaces Only

When creating 50 VLANs it is not feasible to have 50 physical interfaces. One solution is to create a

router on a stick.

Using Virtual "Sub" Interfaces

To use one interface, trunk the switchport to the router. From the router create subinterfaces for

the additional VLANs. This allows the router to route the packets to its destination.

Configuring Router on a Stick:

sw1(config)# int f0/3

sw1(config-if)# switchport trunk encap dot1q

sw1(config-if)# switchport mode trunk

! Go to router

r3(config)# int f0/0

r3(config-if)# no shut

r3(config-if)# int f0/0.1

r3(config-subif)# encap dot1q 10 ! we tag the frames with VLAN 10

r3(config-subif)# ip address 10.0.0.1 255.255.255.0

Spanning-Tree Fundamentals

About: How STP avoids loops at layer 2 and how STP works.

Main Ideas:

Loops in Networks Are Usually Bad


Whenever there are parallel connections between layer 2 devices there will be layer 2 loops. STP

solves that problem.

The Life of a Loop

A PC on SW1 sends a frame belonging to VLAN 10. The switch forwards the frame to all ports in VLAN 10, including the two trunk ports to SW2, interfaces 23 and 24. SW2 receives the frame and sends it to all ports on VLAN 10: interface 5, on VLAN 10, receives it, and SW2 also sends the frame out its other trunk interface, interface 24, back to SW1. SW1 does the same and sends the frame out its trunk interfaces. A loop occurs in both directions, and the source MAC address flaps between ports in the dynamically learned MAC address table.

The Solution to the Layer 2 Loop

802.1D STP identifies parallel layer 2 paths and blocks all but one of them so a loop cannot form. The switch with the lowest bridge ID becomes the root bridge. Every other (non-root) bridge identifies any redundant layer 2 paths it has to the root and blocks all but one of them.

STP communicates using bridge protocol data units (BPDU) to accomplish negotiation and loop

detection.

STP is Wary of New Ports

STP is cautious about allowing newly connected devices to forward because of the possibility of loops. When a device is connected, STP waits 30 seconds before letting frames through the interface. The first 15 seconds are the listening state, in which the port watches for incoming BPDUs and does not record source MAC addresses in the dynamic table.

The second 15 seconds are the learning state: the port is still looking for BPDUs, but now records source MAC addresses into the dynamic MAC address table. After the 30 seconds (listening plus learning), the switch begins forwarding frames on the port.

If the port was previously in a blocking state, there is an additional 20-second delay (max age) while the port determines that the parallel path is gone before moving to the listening and learning states.

Improving the Time Until Forwarding

802.1w (Rapid Spanning Tree) introduced features for faster convergence.

Configuring Rapid Spanning Tree (a global command) and PortFast (on an access port facing an end host):

conf t

spanning-tree mode rapid-pvst

int f0/2

spanning-tree portfast

PortFast skips the listening and learning states, so it belongs only on ports that face end hosts, never on ports toward other switches; pair it with BPDU guard so a switch plugged into such a port cannot join the topology.


Common Layer 2 Threats and How to Mitigate Them

About: Security threats at Layer 2 and mitigation.

Main Ideas:

Disrupt the Bottom of the Wall, and the Top Is Disrupted, Too

If an attacker can disrupt the layer 2 forwarding of data then they can attack the upper layer

protocols.

Layer 2 Best Practices

Change the native VLAN to an unused VLAN for all your trunks.

Avoid using VLAN 1.

Administratively configure access ports so users cannot negotiate a trunk.

Limit the number of mac addresses learned on a port with port security.

Use BPDU guard and root guard to control spanning tree.

Turn off CDP on untrusted ports.

On a new switch, shut down all unused ports and assign them to a parking lot VLAN.

Locking down switch ports:

int f0/2

switchport mode access

switchport access vlan 10

switchport nonegotiate

int f0/23

switchport trunk encap dot1q

switchport mode trunk

switchport trunk native vlan 3

switchport nonegotiate

Layer 2 Security Toolkit

Port security - Limits number of MAC addresses learned on an access switch.

BPDU guard - Switch protects itself if BPDUs are identified where they should not be

allowed.

Root guard - Controls which ports are not allowed to become root ports toward a remote (rogue) root switch.

Dynamic ARP inspection - Prevents spoofing of layer 2 information by hosts.

IP source guard - Prevents spoofing of layer 3 information by hosts.

802.1x - Authenticates users before allowing frames on the network.

DHCP snooping - Prevents rogue DHCP servers from impacting network.

Storm control - Limits the amount of broadcast or multicast traffic.

Access control lists - Traffic control to enforce policy.


Specific Layer 2 Mitigation for CCNA Security

BPDU Guard

When enabled, the switch port is err-disabled as soon as a BPDU is received inbound on that interface.

conf t

int f0/2

spanning-tree bpduguard enable

A port that has been disabled because of a violation shows a status of err-disabled.

To bring interface back up:

shutdown

no shutdown

The interface can be set to recover automatically (the default interval is 300 seconds; 30 seconds is aggressive, since the offending device may still be attached):

conf t

errdisable recovery cause bpduguard

errdisable recovery interval 30

Root Guard

Prevents a port from becoming a root port: if a superior BPDU arrives on the port, the port is placed in the root-inconsistent (blocking) state until the superior BPDUs stop, so a rogue switch cannot take over as root.

conf t

int f0/24

spanning-tree guard root

Port Security

Used to control how many MAC addresses can be learned on a switch port. Implemented on a port-by-port basis. It also blunts CAM-table overflow and DHCP starvation attacks, both of which depend on one client sourcing frames from many MAC addresses. Three violation options can be configured:

shutdown the port - the default: the port is placed in err-disabled state and stays down until it is reset.

protect the port - the port stays up but silently drops frames from any new MAC address.

restrict the port - same as protect, but also generates a syslog message and increments the violation counter.

conf t

int f0/2

switchport port-security

switchport port-security maximum 5

switchport port-security violation protect

switchport port-security mac-address sticky
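The three violation modes behave differently under the same MAC flood, and the difference is easy to get wrong from the descriptions alone. The following added example, not from the notes, simulates a port-security-protected port (SecurePort is a constructed model; its syslog strings approximate the real %PORT_SECURITY-2-PSECURE_VIOLATION and %PM-4-ERR_DISABLE messages) against a constructed flood of frames from new MAC addresses, the CAM-overflow pattern that port security exists to stop, and shows what ends up in the running configuration when sticky learning is on.

```python
# Added example (not from the notes): a model of IOS port security under a
# MAC-address flood, comparing the protect / restrict / shutdown violation modes.
from dataclasses import dataclass, field
from typing import Dict, List

# Approximations of the IOS messages seen with restrict and shutdown.
PSECURE_VIOLATION = ("%PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, "
                     "caused by MAC address {mac} on port {port}.")
ERR_DISABLE = ("%PM-4-ERR_DISABLE: psecure-violation error detected on {port}, "
               "putting {port} in err-disable state")


@dataclass
class SecurePort:
    name: str = "FastEthernet0/2"
    maximum: int = 1                 # switchport port-security maximum N (IOS default 1)
    violation: str = "shutdown"      # protect | restrict | shutdown (IOS default shutdown)
    sticky: bool = False             # switchport port-security mac-address sticky
    secure_macs: List[str] = field(default_factory=list)
    err_disabled: bool = False
    violation_count: int = 0
    syslog: List[str] = field(default_factory=list)

    def ingress(self, src_mac: str) -> str:
        """Process one inbound frame by source MAC; return 'forward' or 'drop'."""
        if self.err_disabled:
            return "drop"                       # nothing passes an err-disabled port
        if src_mac in self.secure_macs:
            return "forward"
        if len(self.secure_macs) < self.maximum:
            self.secure_macs.append(src_mac)    # dynamically secured; sticky also writes it to the config
            return "forward"
        # A new address beyond the maximum: this is the violation.
        if self.violation == "protect":
            return "drop"                       # silent: no syslog, counter not incremented
        self.violation_count += 1
        self.syslog.append(PSECURE_VIOLATION.format(mac=src_mac, port=self.name))
        if self.violation == "shutdown":
            self.err_disabled = True
            self.syslog.append(ERR_DISABLE.format(port=self.name))
        return "drop"

    def running_config(self) -> List[str]:
        """What `show running-config interface` would reflect for this port."""
        lines = [f"interface {self.name}", " switchport mode access", " switchport port-security",
                 f" switchport port-security maximum {self.maximum}",
                 f" switchport port-security violation {self.violation}"]
        if self.sticky:
            lines.append(" switchport port-security mac-address sticky")
            lines += [f" switchport port-security mac-address sticky {m}" for m in self.secure_macs]
        return lines


def mac_flood(port: SecurePort, count: int) -> Dict[str, int]:
    """Constructed CAM-overflow attempt: `count` frames, each from a fresh source MAC."""
    results = {"forward": 0, "drop": 0}
    for i in range(count):
        mac = f"0000.{(i >> 16) & 0xFFFF:04x}.{i & 0xFFFF:04x}"
        results[port.ingress(mac)] += 1
    return results


if __name__ == "__main__":
    for mode in ("protect", "restrict", "shutdown"):
        p = SecurePort(maximum=5, violation=mode, sticky=True)
        print(mode, mac_flood(p, 100), "err-disabled:", p.err_disabled,
              "violations:", p.violation_count, "syslog lines:", len(p.syslog))
```

Protect keeps the port up and quiet, which is why it is hard to notice an attack in that mode; restrict keeps the port up but leaves a trail; shutdown takes the port, and every legitimate host behind it, offline until someone resets it, which is the trade-off the default makes.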


Notebook: CCNA Security

Created: 10/21/2012 9:55 PM Updated: 10/22/2012 5:51 AM

Tags: ccna security

09 Securing the Data Plane in IPv6

Understanding and Configuring IPv6

About: Reviews IPv6 basics and how to configure it.

Main Ideas:

Why IPv6?

Move to IPv6 because:

More address space available

Running out of public IPv4 addresses

Differences between IPv4 vs IPv6

IPv4                                                IPv6
32-bit address; supports 2^32 (4,294,967,296)       128-bit address; supports about 3.4 x 10^38
addresses                                           addresses
Can use NAT to extend the address space             Does not support NAT by design
Uses DHCP or static configuration to assign         Hosts can use stateless address autoconfiguration
IP addresses to hosts                               to assign their own address, or can use DHCPv6
IPsec support is optional                           IPsec support was originally specified as mandatory
Many fields in the IPv4 header                      Simplified IPv6 header
Uses broadcast for several functions                No broadcasts and no ARP; uses NDP instead
Supports common Layer 4 protocols                   Supports common Layer 4 protocols
Supports common application protocols               Supports common application protocols
Supports common Layer 2 technologies                Supports common Layer 2 technologies
Address has two parts: network and host             Address has two parts: network (prefix) and
                                                    interface ID
Uses a network mask to identify which part of       Uses a prefix length to identify which part of
the address is the network and which is the host    the address is the network and which is the
                                                    interface ID

Format of an IPv6 Address

Length: 128 bits long.


Groupings: Segmented into eight groups of four hex characters.

Separation of groups: Each group is separated by a colon (:).

Length of mask: usually a /64, i.e. 50% (64 bits) for the network prefix and 50% (64 bits) for the interface ID.

Number of /64 networks: 2^64 (about 1.8 x 10^19).

Understanding the Shortcuts

Leading 0's can be omitted in the IPv6 address.

Consecutive groups of all 0s can be represented as a double colon (::).

Did We Get an Extra Address?

The system automatically configures a link-local address beginning with FE80. Link-local addresses are used to communicate with other IPv6 devices on the same link (the local broadcast domain) and are never routed off that link.

IPv6 Address Types

Link-local address - dynamically configured, beginning with FE80. The last 64 bits are the interface ID, which the device can build in modified EUI-64 format: take the 48-bit MAC address, insert the 16 bits FFFE (four hex characters) between its two halves, and invert the 7th bit from the left of the first byte (the universal/local bit).

Loopback address - ::1, the IPv6 equivalent of 127.0.0.1.

All-nodes multicast address - multicast addresses begin with FF; the scope value 2 in the next byte (FF02::/16) designates link-local scope. The IPv6 multicast group that all IPv6 devices join is FF02::1.

All-routers multicast address - FF02::2.

Unicast and anycast addresses (configured automatically or manually) - Global IPv6 unicast addresses come from 2000::/3, so the first group ranges from 2000 to 3FFF. An anycast address is a prefix or address that appears more than once in a network; the network delivers to the nearest instance.

Solicited-node multicast address for each of its unicast and anycast addresses - For every global and link-local address, the device joins FF02::1:FFxx:xxxx, where the x characters are the last 24 bits of that address. Neighbor discovery sends to this group instead of a broadcast when resolving an address to a MAC.

Multicast addresses of all other groups to which the host belongs - Routers w/ IPv6 routing

enabled join FF02::2 (all routers) and join their multicast group depending on the routing

protocol enabled.
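The address-derivation rules in the list above (modified EUI-64, link-local, solicited-node multicast, and the leading-zero and :: shortcuts) as an added Python example, not from the notes, built on the standard ipaddress module. The MAC address and the global address are constructed values; the classify() ranges follow the prefixes stated in the text.

```python
# Added example (not from the notes): derive the IPv6 addresses a host listens on
# from its MAC, and show the shortcut (compressed) forms. Standard library only.
import ipaddress
from typing import Dict


def modified_eui64(mac: str) -> bytes:
    """64-bit interface ID from a 48-bit MAC: split the MAC in half, insert FFFE,
    and invert the 7th bit from the left of the first byte (universal/local bit)."""
    octets = bytes.fromhex(mac.replace(":", "").replace("-", "").replace(".", ""))
    if len(octets) != 6:
        raise ValueError(f"not a 48-bit MAC: {mac!r}")
    first = octets[0] ^ 0x02
    return bytes([first]) + octets[1:3] + b"\xff\xfe" + octets[3:]


def link_local(mac: str) -> ipaddress.IPv6Address:
    """FE80::/64 prefix followed by the modified EUI-64 interface ID."""
    prefix = bytes.fromhex("fe80") + bytes(6)
    return ipaddress.IPv6Address(prefix + modified_eui64(mac))


def solicited_node(addr: str) -> ipaddress.IPv6Address:
    """FF02::1:FFxx:xxxx, where xx:xxxx are the low 24 bits of the unicast address."""
    low24 = ipaddress.IPv6Address(addr).packed[-3:]
    prefix = bytes.fromhex("ff02" + "0000" * 4 + "0001" + "ff")   # 13 bytes
    return ipaddress.IPv6Address(prefix + low24)


def compress(addr: str) -> str:
    """Shortcut form: leading zeros dropped, longest run of zero groups replaced by '::'."""
    return str(ipaddress.IPv6Address(addr))


def expand(addr: str) -> str:
    """Full eight-group form, the inverse of compress()."""
    return ipaddress.IPv6Address(addr).exploded


GLOBAL_UNICAST = ipaddress.IPv6Network("2000::/3")   # first group 2000-3FFF
LINK_LOCAL = ipaddress.IPv6Network("fe80::/10")


def classify(addr: str) -> str:
    """Name the address type using the ranges given in the notes."""
    a = ipaddress.IPv6Address(addr)
    if a == ipaddress.IPv6Address("::1"):
        return "loopback"
    if a.is_multicast:
        return "multicast (link-local scope)" if (a.packed[1] & 0x0F) == 2 else "multicast"
    if a in LINK_LOCAL:
        return "link-local"
    if a in GLOBAL_UNICAST:
        return "global unicast"
    return "other"


def interface_addresses(mac: str, global_addr: str) -> Dict:
    """Everything a host with this MAC and global address listens on."""
    ll = link_local(mac)
    return {
        "link-local": str(ll),
        "global": compress(global_addr),
        "all-nodes": "ff02::1",
        "solicited-node": sorted({str(solicited_node(str(ll))), str(solicited_node(global_addr))}),
    }


if __name__ == "__main__":
    # Constructed values: a MAC and a global address built from the same EUI-64.
    mac = "00:1a:2b:3c:4d:5e"
    for k, v in interface_addresses(mac, "2001:db8::21a:2bff:fe3c:4d5e").items():
        print(f"{k:15s} {v}")
```

Because the link-local and the SLAAC global address share the same EUI-64 interface ID, they also share one solicited-node group, which is why the dictionary above lists a single entry; a host that gets its global address from DHCPv6 or privacy extensions would listen on two.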

Configuring IPv6 Routing

About: Configuring IPv6

Main Ideas:


Configuring IPv6 Routing

! Enable IPv6 routing:

conf t

ipv6 unicast-routing

! Enable routing protocols on interface

int f0/1

ipv6 rip MYRIP enable

ipv6 ospf 1 area 0

ipv6 eigrp 1

exit

! EIGRP for IPv6 starts in the shutdown state; bring the process up

ipv6 router eigrp 1

no shutdown

Moving to IPv6

Moving to IPv6 will be a transition. Support for IPv6 and IPv4 coexistence is necessary. Router or

device can run both IPv4 and IPv6 or tunneling can be used.

Developing a Security Plan for IPv6

About: Security threats common to both IPv4 and IPv6 (some specific to IPv6) and how to address

them.

Main Ideas:

Best Practices Common to Both IPv4 and IPv6

Physical security

Device hardening

Control access between zones

Routing protocol security

Authentication, authorization, and accounting (AAA)

Mitigating DoS attacks

Have and update a security policy

Threats Common to both IPv4 and IPv6

Application layer attacks

Unauthorized access

Man-in-the-middle attacks

Sniffing or eavesdropping

Denial-of-Service (DoS) attacks

Spoofed packets


Attacks against routers and other network devices

New Potential Risks with IPv6

Neighbor Discovery Protocol (NDP)

DHCPv6

Hop-by-hop extension headers

Packet amplification attacks

ICMPv6

Tunneling options

Autoconfiguration

Dual stacks

Bugs in code

IPv6 Best Practices

Filter bogus (bogon and unallocated) addresses

Filter non-local multicast addresses

Filter ICMPv6 traffic that is not needed on your specific networks

Drop routing header type 0 packets

Use manual tunnels rather than automatic tunnels

Protect against rogue IPv6 devices


Notebook: CCNA Security

Created: 10/22/2012 12:18 PM Updated: 10/22/2012 12:46 PM

Tags: ccna security

10 Planning A Threat Control Strategy

Designing Threat Mitigation and Containment

About: Guiding principles to follow and implement to mitigate threats.

Main Ideas:

Where Do We Go from Here?

Threat Control and Mitigation Strategy Components

Formal process for policy creation, implementation, and review

Senior management is responsible for policy; the network admin implements and enforces it.

Mitigation policies and techniques

Policies should be in place specifying course of action in response to an attack or

threat.

End-user education and awareness.

Have end-user policy, educate end-users, and review periodically.

Defense in depth.

Take the layered security approach.

Centralized monitoring and analysis.

Centrally manage multiple devices. Use logging to correlate events.

Application layer visibility.

Verify whether protocol abuse is occurring.

Incident response.

Policy should be written to specify what will happen and how it will happen when an

incident occurs.

Securing a Network via Hardware/Software/Services

About: High level look into how to achieve network security.

Main Ideas:

Switches

Security features on switches:

Port security.

Limit number of MAC addresses learned on a port. This protects against CAM

overflow.

DHCP snooping.

Allow DHCP server responses only from specifically trusted ports.


Dynamic Address Resolution Protocol (ARP) inspection.

Protects against an attacker performing layer 2 spoofing by confirming that ARP traffic carries an accurate IP-to-MAC binding (checked against the DHCP snooping binding table).

IP source guard.

Verifies the client on port is not doing Layer 3 spoofing.

Root guard, BPDU guard, BPDU filtering.

Control spanning-tree topology by resisting a rogue switch's attempt to become root.

Storm control.

Clamps down on traffic at configurable levels.

Additional modules.

The addition of modules such as IPS, VPN and firewall modules.

Routers

Router security features:

Reflexive access lists.

Allow return traffic from the outside only if the session was initiated from the inside. Not used much anymore.

Context-based access control (CBAC).

To support stateful filtering without creating reflexive access lists.

Zone-Based Firewall.

Replaced CBAC. Uses class maps to identify traffic, policy maps to specify actions on

that traffic, and a service policy to put policy in place.

Packet-filtering ACLs.

Uses standard and extended ACLs, can implement policy of what traffic is allowed or

denied.

AAA.

Authentication, authorization, and accounting.

VPNs.

Remote access using SSL or IPsec VPNs.

IPS.

Intrusion prevention system.

Routing protocol authentication.

Prevents unauthorized router from being trusted.

Control plane protection and control plane policing.

Sets thresholds and limits for traffic that is directed to the router.

Secure management protocols.

SSH and SSL.

ASA Firewall

Security features:

Stateful filtering.

ASA remembers state of a connection and dynamically allows the return traffic.


Modular policy framework (MPF).

Used via class maps, policy maps, and service policy rules to perform simple protocol

and application layer inspection and policy enforcement.

URL filtering.

Control which URLs are allowed to be accessed through the firewall.

Packet-filtering ACLs.

Using standard and extended ACLs to allow or deny traffic.

AAA.

Authentication, authorization, and accounting.

VPNs.

SSL or IPsec VPN remote access.

IPS.

Intrusion prevention system.

Routing protocol authentication.

Prevents unauthorized rogue router from being trusted.

Secure management protocols.

SSH and SSL.

Other Systems and Services

IPS.

Analyzes network traffic.

Cisco Security Manager (CSM).

Enterprise-level configuration tool used to manage most security devices.

Cisco Security Intelligence Operations (SIO) Service.

SIO researches and analyzes threats to profile real time updates and best practices

regarding these threats.


Notebook: CCNA Security

Created: 10/23/2012 3:12 AM Updated: 10/23/2012 4:16 AM

Tags: ccna security

11 Using Access Control Lists for Threat Mitigation

Access Control List Fundamentals and Benefits

About: Use of ACLs focusing on the function of filtering.

Main Ideas:

Access Lists Aren't Just for Breakfast Anymore

Features that can use an ACL:

IOS Inspect class map

Used w/ Zone-Based Firewall. Can refer to an ACL to identify traffic that matches and

is permitted in the ACL. Traffic permitted is considered a match for the purposes of

the class map.

IOS class map

Typical class map could be used for features such as policy-based routing. Ability to

refer to ACL for classification (identification) of specific types of traffic.

Routing protocols

Can be used to control behavior of various aspects of the routing protocol.

Quality of Service (QoS)

High priority can be assigned to specific traffic that is classified by an ACL.

VPN

Can identify which traffic is "interesting" that will be part of a VPN config. Traffic not

matched by a permit statement in the ACL would be forwarded normally instead of

through the VPN tunnel.

ASA Firewall Modular Policy Framework

Class maps can refer to ACL to identify traffic.

NAT/PAT

Using policy-based NAT, ACL can identify devices that require translation.

Packet filtering

ACLs used as a filter on an interface to control which traffic is allowed through that

interface.

What Can We Protect Against?

IP address spoofing

An ACL can deny packets whose source address could not legitimately arrive on (or leave through) the interface where they are seen, for example internal addresses arriving from the outside.

TCP Syn-flood attacks

Use of Zone-Based Firewall or ASA firewall to mitigate attack.

Reconnaissance attacks

Deny ICMP or UDP traffic used by an attacker to learn details behind the router.

General vulnerabilities

Applying least permissions


The Logic in a Packet-Filtering ACL

ACLs are processed in order. Once there is a match, processing does not continue down the list. If there is at least one entry in the ACL, there is an implicit deny at the end. An empty ACL does not deny any traffic; there has to be at least one access control entry. If the ACL is applied outbound on an interface, the rules in the ACL apply only to outbound traffic that is being routed through the router and have no effect on traffic generated by the router itself, such as a routing update, that is exiting that same interface.

Standard and Extended Access Lists

Standard ACLs

Can only match packets based on source IP address.

Extended ACLs

Can match source or destination and most of the content that is contained in the Layer 4 protocol.

Standard ACL vs. Extended ACL

Numeric range
  Standard ACL: 1 - 99, 1300 - 1999
  Extended ACL: 100 - 199, 2000 - 2699

Option to use names for the ACL instead of numbers
  Standard ACL: Yes
  Extended ACL: Yes

What they can match on
  Standard ACL: Source IP only of the packet compared to the list.
  Extended ACL: Source or destination IP, plus most Layer 4 protocols, including items in the Layer 4 header of the packet being compared.

Where to place
  Standard ACL: Relatively close to the destination. Applying too close to the source may limit that source from reaching other destinations that were not intended to be limited.
  Extended ACL: Because of the granularity of the matching on specific source and destination, you can place these very close to the source host that is generating the packet, because it will only deny the traffic to the specific destination and will not cause a loss of service to other destinations that are still being permitted.

Line Numbers Inside an Access List

An ACL is a collection of entries called access control entries (ACEs). A new entry is added at the bottom of the list. By default, the router automatically assigns sequence numbers to each line; they usually begin with 10 and increment by 10 for each new line. You can specify a new sequence number in front of the entry.


Wildcard Masks

A wildcard mask is a binary representation that says: wherever a bit is on (1) in the wildcard mask, the corresponding bit of the IP address being looked at does not have to match.

An IP address is 32 bits long; a wildcard mask of 0.0.0.255 means that the last 8 bits of the IP address being checked are not compared.
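The matching logic described in "The Logic in a Packet-Filtering ACL" and the wildcard-mask rule above, written out as an added Python model (not part of the original notes). The ACE layout, the sample lists (ACL 5 from the CLI example further down plus one constructed extended-style list) and the returned verdict strings are this example's own assumptions.

```python
# Added example (not from the notes): a small IPv4 ACL evaluator that applies
# the rules described in the text: top-down first match, implicit deny when
# the list has at least one entry, an empty list denying nothing, and Cisco
# wildcard masks where a 1 bit means "don't care".
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


def ip_to_int(addr: str) -> int:
    return int(ipaddress.IPv4Address(addr))


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """True if addr matches base under a Cisco wildcard mask.

    Bits set to 1 in the wildcard are ignored; 0 bits must match exactly.
    So 0.0.0.255 ignores the last octet and 255.255.255.255 matches anything.
    """
    care = ~ip_to_int(wildcard) & 0xFFFFFFFF
    return (ip_to_int(addr) & care) == (ip_to_int(base) & care)


@dataclass
class ACE:
    """One access control entry. Standard-style entries leave dst at 'any'."""
    seq: int
    action: str                         # "permit" or "deny"
    src: str
    src_wild: str
    dst: str = "0.0.0.0"                # destination "any" ...
    dst_wild: str = "255.255.255.255"   # ... unless narrowed
    protocol: str = "ip"                # "ip" matches every protocol
    dst_port: Optional[int] = None      # None means any port
    log: bool = False


def matches(ace: ACE, src: str, dst: str, protocol: str,
            dst_port: Optional[int]) -> bool:
    if not wildcard_match(src, ace.src, ace.src_wild):
        return False
    if not wildcard_match(dst, ace.dst, ace.dst_wild):
        return False
    if ace.protocol != "ip" and ace.protocol != protocol:
        return False
    if ace.dst_port is not None and ace.dst_port != dst_port:
        return False
    return True


def evaluate(acl: List[ACE], src: str, dst: str, protocol: str = "ip",
             dst_port: Optional[int] = None) -> str:
    """Return the verdict for one packet and which entry produced it."""
    if not acl:
        # No ACEs at all: nothing is filtered, the packet is forwarded.
        return "permit (empty ACL)"
    # The router keeps ACEs in sequence-number order; the first match wins.
    for ace in sorted(acl, key=lambda a: a.seq):
        if matches(ace, src, dst, protocol, dst_port):
            suffix = " [log]" if ace.log else ""
            return f"{ace.action} (seq {ace.seq}){suffix}"
    return "deny (implicit deny at end of list)"


# Constructed sample: standard ACL 5 from the notes, with the default
# sequence numbers (10, 20, ...) the router would assign.
ACL_5 = [
    ACE(10, "deny", "11.11.11.0", "0.0.0.255", log=True),
    ACE(20, "permit", "0.0.0.0", "255.255.255.255"),
]

# Constructed sample: an extended-style list with no explicit permit, so the
# implicit deny catches everything the single entry does not match.
ACL_WEB_ONLY = [
    ACE(10, "permit", "44.44.1.0", "0.0.0.255",
        "33.33.33.33", "0.0.0.0", "tcp", 80),
]

if __name__ == "__main__":
    print(evaluate(ACL_5, "11.11.11.77", "33.33.33.33"))  # deny (seq 10) [log]
    print(evaluate(ACL_5, "11.11.12.1", "33.33.33.33"))   # permit (seq 20)
    print(evaluate(ACL_WEB_ONLY, "44.44.1.9", "33.33.33.33", "tcp", 443))
    print(evaluate([], "1.2.3.4", "5.6.7.8"))             # permit (empty ACL)
```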

Object Groups

Can be created to include various devices, even if they are all on different subnets. An example is grouping 15 different servers to allow 2 protocols to those servers.

Implementing IPv4 ACLs as Packet Filters

About: How to implement ACLs using CCP and CLI.

Main Ideas:

Putting the Policy in Place

To create and apply an ACL using CCP:

Configure | Router | ACL | ACL Editor | Click Add

Create a new rule. Specify the name or number of the rule and whether it is standard or extended. Click Add to insert details for the first entry. Then click OK.

Using the CLI to Implement an Access List

config t
access-list 5 remark Block Server1's subnet from reaching Server 3
access-list 5 deny 11.11.11.0 0.0.0.255 log
access-list 5 permit 0.0.0.0 255.255.255.255

Apply the Access List to an Interface

Within CCP:

While editing the rule, click on Associate and select an interface, specifying the direction in which we want to apply it.

Another CCP method:

Configure | Interface Management | Interface and Connections | edit properties of an interface, then select the ACL from a drop-down menu

Using CLI:

conf t
int g3/0
ip access-group 5 out

Create a Network Object Group

Using CCP:

Configure | Router | ACL | Object Groups | Network Object Groups

Using CLI:

conf t
object-group network A_Couple_Servers
description Server2 and Server3's host addresses
host 33.33.33.33
host 22.22.22.22

Using Object Groups as Part of the ACL

CLI:

conf t
ip access-list extended IINS_Extended_ACL_Example
remark This ACL uses object groups
permit tcp 44.44.1.0 0.0.0.255 object-group A_Couple_Servers eq www
deny ip 44.44.0.0 0.0.255.255 object-group A_Couple_Servers
permit ip any any
exit
int g1/0
ip access-group IINS_Extended_ACL_Example in

Verifying the Details of the ACLs

In CCP, visit the ACL Editor to view the created ACLs.

Monitoring the Access Lists

To display details about the access lists:

show access-lists

To view IP related info on an interface, including whether filtering is applied:

sh ip int g3/0

To Log or Not to Log

Adding the log keyword generates a syslog message when the line is matched.


Implementing IPv6 ACLs as Packet Filters

About: Implementing IPv6 access lists.

Main Ideas:

Creating an IPv6 Access List and Applying it as a Filter

IPv6 packet-filtering:

Can filter based on source and destination addresses.

Can filter based on source and destination ports.

Can filter based on the presence of a next header.

Implicit deny at the end of the ACL w/ exception to the NS and NA packets.

Empty ACL doesn't deny traffic.

Reflexive and time-based ACLs are supported.

Can filter on IPv6 extension headers.

Creating the IPv6 ACL:

conf t
ipv6 access-list BOGUS_SOURCE_FILTER
deny 2001:12::/64 any
permit any any
int g0/3
! different syntax for applying than IPv4
ipv6 traffic-filter BOGUS_SOURCE_FILTER in

Verify:

sh ipv6 int g0/3
sh ipv6 access-list


Notebook: CCNA Security

Created: 10/23/2012 5:26 AM   Updated: 10/25/2012 3:36 AM

Tags: ccna security

12 Understanding Firewall Fundamentals

Firewall Concepts and Technologies

About: Concept of firewalls, their strengths and weaknesses, and why they are used.

Main Ideas:

Firewall Technologies

The function is primarily to deny unwanted traffic. Could be implemented by any of the following:

A router or other Layer 3 forwarding device that has access lists or another method to filter traffic.

A switch that has two VLANs w/o any routing between them, to keep traffic from the two networks separated.

Hosts/servers running software that prevents certain types of received traffic from being processed.

Objectives of a Good Firewall

It must be resistant to attacks
Should not be brought down due to vulnerabilities in the firewall or DoS.

Traffic between networks must be forced through the firewall
There shouldn't be any alternative path going around the firewall.

The firewall enforces the access control policy of the organization
The policy should be created first to identify what traffic is required and allowed through the firewall. Then deploy the firewall, not the other way around.

Firewall Justifications

Protective Measures Provided by a Firewall

Exposure of sensitive systems to untrusted individuals

Permitting certain individuals/traffic to services.

Exploitation of protocol flaws

Inspection of protocols.

Unauthorized users

Using authentication methods.

Malicious data

Detect and block.

Potential Firewall Limitations


Having a firewall is a mitigation step to reduce risks but doesn't completely eliminate the risk.

Configuration mistakes have serious consequences

Not all network applications were written to survive going through the firewall

Individuals who are forced to go through a firewall might try to engineer a way around it

Latency being added by the firewall

Defense-in-Depth Approach

Don't rely on a single firewall to provide security. Take a layered approach to security. Utilize security at all levels of the network, including routers, switches, and servers.

Five Basic Firewall Methodologies

Static packet filtering

Proxy server

Stateful packet filtering

Application inspection

Transparent firewall

Static Packet Filtering

Based on layer 3 and layer 4 of the OSI model.

Advantages and Disadvantages of Packet Filters

Advantages:
  Based on a simple set of permit or deny entries
  Have a minimal impact on network performance
  Are simple to implement
  Configurable on most routers
  Can perform many basic filtering needs w/o requiring the expense of a high-end firewall

Disadvantages:
  Susceptible to IP spoofing
  Doesn't filter fragmented packets w/ the same accuracy as nonfragmented packets
  Extremely long access control lists are difficult to maintain
  Stateless
  Some applications jump around and use many ports, some of which are dynamic

Application Layer Gateway

Sometimes called proxy firewalls or application gateways. Operates at Layer 3 and higher in the OSI model. Acts as an intermediary between the original client and the server. It takes the client's request, puts the client on hold for a moment, then makes the request on its own behalf for the client.

Advantages and Disadvantages of Application Layer Gateways


Advantages:
  Very tight control is possible
  More difficult to implement an attack against an end device
  Can provide very detailed logging
  May be implemented on common hardware

Disadvantages:
  Is processor intensive
  Not all applications are supported
  Special client software may be needed
  Memory and disk intensive
  Could be a single point of failure

Stateful Packet Filtering

Among the most important firewall technologies in use. It remembers the state of the sessions going through the firewall.

Advantages and Disadvantages of Stateful Packet Filtering Devices

Advantages:
  Can be used as a primary means of defense
  Can be implemented on routers and dedicated firewalls
  Dynamic in nature compared to static packet filtering
  Provides a defense against spoofing and DoS attacks

Disadvantages:
  Might not be able to identify or prevent an application layer attack
  Not all protocols contain tightly controlled state information
  Some applications may dynamically open up new ports from the server
  Doesn't support user authentication

Application Inspection

Can analyze and verify protocols up to Layer 7 of the OSI model, but doesn't act as a proxy between the client and server.

Advantages of an Application Inspection Firewall

Can see deeper into conversations
  Could analyze the conversation and dynamically allow a connection from the server through the firewall to the client.

Awareness of the details at the application layer
  If there is a protocol anomaly, the application layer firewall could identify it and either correct or deny the packet.

Can prevent more kinds of attacks than stateful filtering on its own

Transparent Firewalls


More about how we inject the firewall into the network. Implemented at Layer 2. Traditional firewalls are implemented as a Layer 3 hop in the network. Interfaces of the transparent firewall do not have IP addresses and act more like a bridge.

Using Network Address Translation

About: Look at options that exist for NAT

Main Ideas:

NAT Is About Hiding or Changing the Truth About Source Addresses

The primary device that does NAT is a router or a firewall. It translates private IP addresses to globally reachable IP addresses.

Inside, Outside, Local, Global

Translation of a packet coming from an inside host is referred to as inside NAT.

Translation of the source IP address of a device on the outside as the packets come into the local network is referred to as outside NAT.

Inside and outside refer to whether a device is inside our network and under our control or not.

Local and global have to do with the appearance of the address and may be pre- or post-NAT manipulation.

NAT Terminology

Inside local
  Real IP of an inside host.

Inside global
  Mapped/global address that the router is swapping in for the inside host during NAT. The outside world sees the device coming from this mapped/global address.

Outside local
  If performing NAT on outside devices, this is the mapped address of the outside device. If not doing outside NAT on the router, this appears as the normal outside device's IP address to the inside devices.

Outside global
  The real IP configured on an outside host, such as the IP on Server A.


Port Address Translation

PAT still swaps out the source IP address as traffic goes through the NAT/PAT device, except that with PAT not everyone gets their own translated IP address. PAT keeps track of each session based on the port numbers and forwards all packets using a single shared source IP address. This is NAT with overload.

NAT Options

Static NAT
One-to-one permanent mapping.

Dynamic NAT
Pool of global addresses; global addresses are mapped to inside devices only when those inside devices need to go out to the Internet.

Dynamic PAT (NAT w/ overload)
Used for most users who access the Internet. Dynamically assigns global addresses only when needed; uses overload so thousands of inside devices use the same global IP address by tracking all ports and IP addresses in use.

Policy NAT/PAT
Based on a set of rules.
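The session tracking behind PAT (NAT with overload), as an added Python model that is not part of the original notes. The global address 203.0.113.1, the inside hosts, the port pool bounds and the "keep the original port if free" allocation rule are constructed assumptions for the example.

```python
# Added example (not from the notes): a minimal PAT (NAT overload) session
# table. Every inside host is mapped to the single global address, and the
# translated source port is what tells return traffic apart.
from typing import Dict, Optional, Tuple

Endpoint = Tuple[str, int]   # (ip address, port)


class PatTable:
    def __init__(self, global_ip: str, first_port: int = 1024,
                 last_port: int = 65535) -> None:
        self.global_ip = global_ip
        self.first_port, self.last_port = first_port, last_port
        self.next_port = first_port
        # inside local (ip, port) -> inside global port
        self.outbound: Dict[Endpoint, int] = {}
        # inside global port -> inside local (ip, port)
        self.inbound: Dict[int, Endpoint] = {}

    def _allocate_port(self, wanted: int) -> int:
        """Keep the host's own source port when it is free and in range
        (assumed allocation rule); otherwise take the next unused pool port."""
        if self.first_port <= wanted <= self.last_port and wanted not in self.inbound:
            return wanted
        for _ in range(self.last_port - self.first_port + 1):
            candidate = self.next_port
            self.next_port = (self.first_port if self.next_port == self.last_port
                              else self.next_port + 1)
            if candidate not in self.inbound:
                return candidate
        raise RuntimeError("PAT port pool exhausted")

    def translate_out(self, inside: Endpoint) -> Endpoint:
        """Inside local -> inside global for a packet leaving toward the outside.
        An existing session keeps its mapping; a new one gets a port."""
        port = self.outbound.get(inside)
        if port is None:
            port = self._allocate_port(inside[1])
            self.outbound[inside] = port
            self.inbound[port] = inside
        return (self.global_ip, port)

    def translate_in(self, global_port: int) -> Optional[Endpoint]:
        """Return traffic: map the global port back to the inside host, or
        None when no session exists (unsolicited inbound packets are dropped)."""
        return self.inbound.get(global_port)

    def active_sessions(self) -> int:
        return len(self.outbound)


def demo():
    """Two inside hosts that both chose source port 1065 share one global IP."""
    pat = PatTable("203.0.113.1")
    a = pat.translate_out(("10.0.0.101", 1065))      # keeps its own port 1065
    b = pat.translate_out(("10.0.0.102", 1065))      # 1065 taken, gets 1024
    again = pat.translate_out(("10.0.0.101", 1065))  # existing session reused
    return (a, b, again, pat.translate_in(1024), pat.translate_in(5000),
            pat.active_sessions())


if __name__ == "__main__":
    for item in demo():
        print(item)
```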

Creating and Deploying Firewalls

About: Best practices for implementing a firewall.

Main Ideas:

Firewall Design Considerations

Firewalls should be placed at security boundaries.

Firewalls should be a primary security device, but not the only security device or security measure on the network.

Start with a "deny all" attitude and specifically permit traffic.

Leverage the firewall feature that best suits the need.

Make sure physical security controls and management access to the firewall devices are secure.

Have a regular review process looking at the firewall logs.

Practice change management for any configuration modification on the firewalls.

Firewall Access Rules

Rules based on service control

Are based on the types of services that may be accessed through the firewall.

Rules based on address control

Based on the source/destination addresses involved.

Rules based on direction control

Specifies where the initial traffic can flow.

Rules based on user control

Based on knowing who the user is and what that user is authorized to do.

Rules based on behavior control

How a particular service is used.

Packet-Filtering Access Rule Structure

An ACL is applied to an interface either inbound or outbound. With an inbound ACL, packets coming in through the interface must be permitted by an ACE. ACEs are processed from the top down. Once the firewall identifies a match, it implements the action of permit or deny and moves on to the next packet. Processing starts from the top and continues until a match occurs; if there is no match, the packet-filtering function denies the packet.

Firewall Rule Design Guidelines

Use a restrictive approach

Presume that internal users' machines may be part of the security problem

Be as specific as possible in permit statements

Recognize the necessity of a balance between functionality and security

Filter bogus traffic, and perform logging on that traffic

Periodically review the policies that are implemented on the firewall to verify that they are current and correct

Rule Implementation Consistency

Results of inconsistent or ill-considered rule implementation:

Rules that are too promiscuous
Allow more access than necessary.

Redundant rules
ACLs are processed from top to bottom.

Shadowed rules
Incorrect order placement in the access list.

Orphaned rules
Configuration error that is referencing incorrect IPs.

Incorrectly planned rules
Error made as the business requirements are being translated to the technical and logical controls that the firewall will implement.

Incorrectly implemented rules
Administrator implementing the incorrect port, protocol, or IP information on the firewall.
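Shadowed and redundant rules both come from the top-to-bottom processing described above, so they can be found mechanically. The checker below is an added Python example, not part of the original notes; its rule layout, the covering test on wildcard masks and the constructed sample list are assumptions of the example.

```python
# Added example (not from the notes): flag the two ordering problems listed
# above. A later entry is "shadowed" when an earlier entry with a different
# action already covers everything it could match, and "redundant" when the
# covering entry has the same action. Coverage is checked on protocol,
# source/destination wildcard masks and destination port.
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


def ip_int(a: str) -> int:
    return int(ipaddress.IPv4Address(a))


def covers(base_a: str, wild_a: str, base_b: str, wild_b: str) -> bool:
    """True if every address matched by (base_b, wild_b) is also matched by
    (base_a, wild_a): A must ignore every bit B ignores, and on the bits A
    cares about the two base addresses must agree."""
    wa, wb = ip_int(wild_a), ip_int(wild_b)
    if (wa | wb) != wa:           # B ignores a bit that A checks
        return False
    care_a = ~wa & 0xFFFFFFFF
    return (ip_int(base_a) & care_a) == (ip_int(base_b) & care_a)


@dataclass
class Rule:
    seq: int
    action: str                     # "permit" or "deny"
    protocol: str                   # "ip" covers tcp, udp, icmp, ...
    src: str
    src_wild: str
    dst: str
    dst_wild: str
    dst_port: Optional[int] = None  # None means any port


def rule_covers(a: Rule, b: Rule) -> bool:
    """True if any packet matching b would already have matched a."""
    if a.protocol != "ip" and a.protocol != b.protocol:
        return False
    if a.dst_port is not None and a.dst_port != b.dst_port:
        return False
    return (covers(a.src, a.src_wild, b.src, b.src_wild)
            and covers(a.dst, a.dst_wild, b.dst, b.dst_wild))


def audit(rules: List[Rule]) -> List[Tuple[int, str, int]]:
    """Return (seq, problem, covering_seq) for each shadowed or redundant
    rule, processing in sequence order exactly as the device does."""
    findings = []
    ordered = sorted(rules, key=lambda r: r.seq)
    for i, later in enumerate(ordered):
        for earlier in ordered[:i]:
            if rule_covers(earlier, later):
                kind = "redundant" if earlier.action == later.action else "shadowed"
                findings.append((later.seq, kind, earlier.seq))
                break   # the first covering entry is the one that fires
    return findings


# Constructed sample: entry 20 is meant to block telnet to one host, but
# entry 10 already permits all IP from that /24, so 20 can never match.
# Entry 40 repeats what entry 30 already denies.
SAMPLE = [
    Rule(10, "permit", "ip", "10.1.1.0", "0.0.0.255", "0.0.0.0", "255.255.255.255"),
    Rule(20, "deny", "tcp", "10.1.1.0", "0.0.0.255", "192.168.5.10", "0.0.0.0", 23),
    Rule(30, "deny", "ip", "10.2.0.0", "0.0.255.255", "0.0.0.0", "255.255.255.255"),
    Rule(40, "deny", "udp", "10.2.7.0", "0.0.0.255", "0.0.0.0", "255.255.255.255"),
    Rule(50, "permit", "ip", "0.0.0.0", "255.255.255.255", "0.0.0.0", "255.255.255.255"),
]

if __name__ == "__main__":
    for seq, kind, by in audit(SAMPLE):
        print(f"seq {seq}: {kind} by seq {by}")
```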


Notebook: CCNA Security

Created: 10/25/2012 3:40 AM   Updated: 11/3/2012 11:53 PM

Tags: ccna security

13 Implementing Cisco IOS Zone-Based Firewalls

Cisco IOS Zone-Based Firewall

About: Logic and structural components of the IOS-based Zone-Based Firewall (ZBF).

Main Ideas:

How Zone-Based Firewall Operates

Interfaces are placed into zones.

Administrator creates zones such as Inside, Outside, and DMZ.

Policies are specified as to what user traffic is allowed to be initiated and what action the firewall will take.

Stateful packet inspection allows traffic back inbound.

Policies are implemented in a single direction, making them unidirectional. Two policies need to be created to allow inspection from inside to outside and from outside to inside.

Specific Features of Zone-Based Firewalls

Major features:

Stateful inspection

Application inspection

Packet filtering

URL filtering

Transparent firewall (implementation method)

Support for virtual routing and forwarding (VRF) - virtual routing tables used to compartmentalize the routing tables on the router instead of keeping them in the global (primary) routing table.

Access control lists (ACL) are not required as a filtering method to implement a policy.

Zones and Why We Need Pairs of Them

A zone is created and then interfaces are assigned to zones.

An interface can only belong to one zone.

Default zone = self zone (logical). Packets directed to the router itself are entering the self zone. Any traffic initiated by the router is leaving the self zone.

No traffic is allowed between interfaces in different zones.

Interfaces in the same zone can pass traffic to each other.

To allow traffic between zones, a policy must be created; this is where the zone pair comes into play.

Zone pair - configuration that identifies traffic sourced from one zone and destined for another zone. Rules are associated with the zone pair.


Putting the Pieces Together

Cisco Common Classification Policy Language (C3PL) is used for implementation of the policy. Three components:

Class maps - Used to identify traffic based on Layers 3 - 7. Class maps can refer to ACLs or even other class maps. Within class maps are match statements. Class maps can specify that all match statements have to match (match-all condition) or that any of the entries counts as a match (match-any condition).

Policy maps - Specify actions taken on the traffic. Policy maps call on class maps for classification of traffic. When multiple sections exist, policy maps process them in order. Primary actions include: inspect (stateful inspection), pass (traffic is permitted but not inspected), drop, or log.

Service policies - Where policies, identified from a policy map, are applied to a zone pair.

Policy Map Actions

Inspect
  Action: Permit and statefully inspect the traffic.
  When to use: Should be used on transit traffic initiated by users who expect to get replies from devices on the other side of the firewall.

Pass
  Action: Permits/allows traffic but doesn't create an entry in the stateful database.
  When to use: Traffic that doesn't need a reply. Also, in the case of protocols that do not support inspection, this policy could be applied to the zone pair for specific outbound traffic, and be applied to the second zone pair for inbound traffic.

Drop
  Action: Deny the packet.
  When to use: Traffic you don't want to allow between the zones where this policy map is applied.

Log
  Action: Log the packets.
  When to use: If you want to see log info about packets that were dropped because of policy, add this option.

Service Policies

Service policies are applied to a zone pair. Only one service policy can be assigned to a zone pair.

Ingress = packets going into an interface of the router.

Egress = packets being sent out of an interface of the router.

Traffic Interaction Between Zones

Ingress interface member of zone | Egress interface member of zone | Zone pair exists, w/ applied policy | Result

No | No | Doesn't matter | Traffic is forwarded.
No | Yes (any zone) | Doesn't matter | Traffic is dropped.
Yes (Zone A) | Yes (Zone A) | Doesn't matter | Traffic is forwarded.
Yes (Zone A) | Yes (Zone B) | No | Traffic is dropped.
Yes (Zone A) | Yes (Zone B) | Yes | Policy is applied. If the policy is inspect or pass, the initial traffic is forwarded. If the policy is drop, the initial traffic is dropped.

Components That Make Up the ZBF

! class map "classifies" the traffic. Example class map will match on either telnet traffic or any type of icmp traffic
conf t
class-map type inspect match-any MY-CLASS-MAP
match protocol telnet
match protocol icmp
exit
! policy map calls the class map that it wants to use, then specifies policy action. This action is to inspect the traffic
policy-map type inspect MY-POLICY-MAP
class type inspect MY-CLASS-MAP
inspect
exit
exit
! create security zones
zone security inside
exit
zone security outside
exit
! create the zone-pair and specify direction
zone-pair security in-to-out source inside destination outside
! implement service policy in zone-pair config mode to apply the policy map you want to use
service-policy type inspect MY-POLICY-MAP
exit
! configure interfaces for zones
int g3/0
description Belongs to outside zone
zone-member security outside
exit
int g1/0
description Belongs to inside zone
zone-member security inside
exit

The Self Zone

Traffic directed or initiated to or by the router is from the self zone.

Self Zone Traffic Behavior

Source traffic member of zone | Destination traffic member of zone | Zone pair exists, w/ policy applied | Result

Self | Zone A | No | Traffic is passed.
Zone A | Self | No | Traffic is passed.
Self | Zone A | Yes | Policy is applied.
Zone A | Self | Yes | Policy is applied.
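The two decision tables ("Traffic Interaction Between Zones" and "Self Zone Traffic Behavior") as one added Python model, not part of the original notes. The interface names g1/0, g1/1 and g3/0, the zone names and the single inside-to-outside inspect policy are constructed to mirror the CLI example above; the verdict strings are this example's own.

```python
# Added example (not from the notes): the ZBF forwarding decision for the
# first packet of a flow, following the two tables in the text row by row.
from typing import Dict, Optional, Tuple

SELF = "self"   # the router's own logical zone


class ZoneBasedFirewall:
    def __init__(self) -> None:
        self.zone_of: Dict[str, str] = {}               # interface -> zone
        self.policies: Dict[Tuple[str, str], str] = {}  # (src zone, dst zone) -> action

    def zone_member(self, interface: str, zone: str) -> None:
        # An interface can belong to only one zone, so a dict is enough.
        self.zone_of[interface] = zone

    def zone_pair(self, source: str, destination: str, action: str) -> None:
        # One service policy per zone pair, and it is unidirectional: the
        # reverse direction needs its own pair unless inspect handles returns.
        if action not in ("inspect", "pass", "drop"):
            raise ValueError("action must be inspect, pass or drop")
        self.policies[(source, destination)] = action

    def decide(self, ingress: Optional[str], egress: Optional[str]) -> str:
        """Verdict for the initial packet. ingress/egress are interface
        names; None stands for the router itself (the self zone)."""
        src_zone = SELF if ingress is None else self.zone_of.get(ingress)
        dst_zone = SELF if egress is None else self.zone_of.get(egress)

        # Self-zone rows: passed by default, policy applied if a pair exists.
        if SELF in (src_zone, dst_zone):
            action = self.policies.get((src_zone, dst_zone))
            return "passed" if action is None else f"policy: {action}"

        # Neither interface is in a zone: ZBF is not involved.
        if src_zone is None and dst_zone is None:
            return "forwarded"
        # Exactly one side is in a zone: dropped.
        if src_zone is None or dst_zone is None:
            return "dropped"
        # Same zone on both sides: forwarded without any policy.
        if src_zone == dst_zone:
            return "forwarded"
        # Different zones: a zone pair with a policy is required.
        action = self.policies.get((src_zone, dst_zone))
        if action is None:
            return "dropped"
        if action == "inspect":
            return "forwarded (inspected)"
        if action == "pass":
            return "forwarded (not inspected)"
        return "dropped (policy drop)"


def build_sample() -> ZoneBasedFirewall:
    """Constructed topology: g1/0 and g1/1 inside, g3/0 outside, one
    in-to-out inspect policy; any other interface is in no zone."""
    fw = ZoneBasedFirewall()
    fw.zone_member("g1/0", "inside")
    fw.zone_member("g1/1", "inside")
    fw.zone_member("g3/0", "outside")
    fw.zone_pair("inside", "outside", "inspect")
    return fw


if __name__ == "__main__":
    fw = build_sample()
    print(fw.decide("g1/0", "g3/0"))   # forwarded (inspected)
    print(fw.decide("g3/0", "g1/0"))   # dropped (no out-to-in pair)
    print(fw.decide(None, "g3/0"))     # passed (self zone, no policy)
```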

Configuring and Verifying Cisco IOS Zone-Based Firewall

About: Configuring IOS ZBF from CCP and CLI

Main Ideas:

Using CCP to Configure the Firewall

1. Navigate to Configure | Security | Firewall | Firewall

Basic firewall involves two interfaces, which are in different zones.

Advanced firewall enables you to apply predefined rules and allows configuration of a third zone such as a DMZ.

2. Click Launch the Selected Task for Basic Firewall

3. Click Next

4. Specify the interface that is inside and the interface that is outside. A warning comes up because the interfaces are not part of a zone. Click Yes to continue and configure.

A level of security needs to be selected.

Three security levels when configuring the ZBF Wizard:

High Security - Firewall identifies and drops IM and peer-to-peer traffic. Performs application inspection for web and email traffic and drops noncompliant traffic. Does generic inspection of TCP and UDP applications.

Medium Security - Similar to High Security but does not check web and email traffic for protocol compliance.

Low Security - Doesn't perform any application layer inspection. Does generic TCP and UDP inspection.

5. Configure DNS if needed.

6. Finish the configuration wizard.

Verifying the Firewall

Can verify the firewall from CCP and CLI.

To verify policy within CCP:

Configure | Security | Firewall | Firewall | Edit

To view the Firewall status:

Monitor | Security | Firewall Status

Verifying the Configuration from the Command Line

Commands used to verify the ZBF:

show class-map type inspect
show policy-map type inspect zone-pair ccp-zp-in-out sessions

Implementing NAT in Addition to ZBF

To configure NAT:

Configure | Router | NAT | Launch Basic NAT or Advanced NAT

! Basic NAT translates user traffic. Advanced NAT should be used if configuring a DMZ.

Select Basic NAT | Launch the Selected Task

Click Next

Select the interface connected to the Internet. Then select the internal networks which will be permitted to be translated.

Click Next, then Finish

Implement NAT from the CLI:

! Use ACL to classify traffic to be translated
access-list 2 permit 10.0.0.0 0.0.0.255
! Label inside and outside interfaces
int g3/0
ip nat outside
exit
int g1/0
ip nat inside
exit
! Create NAT statement matching access list 2
ip nat inside source list 2 interface g3/0 overload

Verifying Whether NAT Is Working

To verify in CCP:

Configure | Router | NAT | Edit NAT Configuration

View existing translations in CLI:

show ip nat translations


Notebook: CCNA Security

Created: 10/30/2012 5:17 AM   Updated: 11/1/2012 5:41 AM

Tags: ccna security

14 Configuring Basic Firewall Policies on Cisco ASA

The ASA Appliance Family and Features

About: Various models and offerings of the ASA.

Main Ideas:

Meet the ASA Family

The ASA comes in different sizes; a smaller model number represents a smaller capacity for throughput.

ASA Features and Services

The ASA provides the following features:

Packet filtering - supports both standard and extended access lists. Never uses a wildcard mask. To represent a mask related to a permit or deny statement, it uses the real subnet mask in the ACL.

Stateful filtering - used by default.

Application inspection/awareness - can pay attention to application layer information.

Network Address Translation (NAT) - supports NAT and PAT. A policy that indicates traffic should not be translated is referred to as NAT zero.

DHCP - can be a server or a client.

Routing - supports most interior gateway routing protocols and static routing.

Layer 3 or Layer 2 implementation - can be implemented as a Layer 3 firewall or as a transparent firewall (Layer 2).

VPN support - can be the head-end or remote-end device for VPN tunnels. Can support remote-access VPN users, site-to-site, clientless SSL VPN, and the full AnyConnect SSL VPN.

Object groups - configuration item on the ASA that refers to one or more items.

Botnet traffic filtering - works w/ an external Cisco system that updates info in the Botnet Traffic Filtering Database.

High availability - using two firewalls in a high-availability failover combination to protect against a single system failure.

AAA support - use of AAA locally or from an external server.

ASA Firewall Fundamentals

About: Logic used by the ASA, ways to manage the firewall, and components used to implement policy.

Main Ideas:


ASA Security Levels

Uses security levels associated with each routable interface.

Security level is between 0 and 100. Bigger number = more trust.

Must assign a name to the interface

Inside - connects to your trusted inside network

Outside - interface that connects to the internet.

Three things to make an ASA operational:

Assign a security level to the interface.

Assign a name to the interface.

Bring up the interface with the no shutdown command.

Default Flow of Traffic

By default, the ASA forwards traffic coming from a high-security interface (inside, security level 100) to a destination being routed out of an interface that has a lower security level.

By default, traffic is not allowed between two interfaces with the same security level. Also, the ASA does not accept receiving a packet on an interface and routing the same packet back out of the exact same interface.

Tools to Manage the ASA

Several tools:

CLI

ASA Security Device Manager (ASDM)

Cisco Security Manager (CSM)

Packet Filtering on the ASA

By default, we have to create ACLs to permit traffic from lower to higher security levels. Access lists need to be applied on the interfaces and can be applied inbound or outbound.

From the firewall's perspective:

Inbound (interface perspective) - Traffic going into an interface, referred to as ingress traffic.

Inbound (security level perspective) - Traffic going from a lower-security interface to a higher-security interface.

Outbound (interface perspective) - Traffic exiting an interface, referred to as egress traffic.

Outbound (security level perspective) - Traffic going from a higher-security interface to a lower-security interface.


Implementing a Packet-Filtering ACL

Initial traffic flow is controlled by entries in an access list, processed from top to bottom, and stateful inspection allows return traffic to come back through the firewall regardless of any access lists in place related to the return traffic.
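The ASA forwarding decision as this chapter describes it (security-level defaults, inbound ACLs on the ingress interface, stateful return traffic), written as an added Python model that is not part of the original notes. Interface names and levels (inside 100, dmz 50, outside 0), the simplified ACE shape, the DMZ server address 192.168.1.10 and the sample flows are constructed assumptions; the telnet-deny list reuses the access list from the CLI example later in this chapter.

```python
# Added example (not from the notes): a model of the ASA decision for one
# packet. Initial traffic flows from a higher security level to a lower one
# by default, never between equal levels, never back out the same interface,
# and only from lower to higher when an inbound ACL permits it. A connection
# table then admits return traffic regardless of the ACLs.
from typing import Dict, List, Optional, Set, Tuple

Flow = Tuple[str, int, str, int]          # src ip, src port, dst ip, dst port
Ace = Tuple[str, str, Optional[int]]      # action, dst ip or "any", dst port or None


class Asa:
    def __init__(self) -> None:
        self.level: Dict[str, int] = {}             # nameif -> security-level
        self.acl_in: Dict[str, List[Ace]] = {}      # nameif -> inbound ACL
        self.conns: Set[Flow] = set()               # stateful connection table

    def interface(self, nameif: str, level: int) -> None:
        if not 0 <= level <= 100:
            raise ValueError("security-level must be 0-100")
        self.level[nameif] = level

    def access_group_in(self, nameif: str, acl: List[Ace]) -> None:
        self.acl_in[nameif] = acl

    def _acl_permits(self, nameif: str, flow: Flow) -> Optional[bool]:
        """None = no ACL applied. Otherwise the first matching ACE decides,
        with an implicit deny when nothing matches."""
        acl = self.acl_in.get(nameif)
        if acl is None:
            return None
        for action, dst_ip, dst_port in acl:
            if dst_ip in ("any", flow[2]) and dst_port in (None, flow[3]):
                return action == "permit"
        return False

    def forward(self, ingress: str, egress: str, flow: Flow) -> str:
        src_ip, src_port, dst_ip, dst_port = flow
        # Return traffic of a known connection is admitted by state alone.
        if (dst_ip, dst_port, src_ip, src_port) in self.conns:
            return "permit (existing connection)"
        if ingress == egress:
            return "deny (same interface in and out)"
        lvl_in, lvl_out = self.level[ingress], self.level[egress]
        if lvl_in == lvl_out:
            return "deny (same security level)"
        verdict = self._acl_permits(ingress, flow)
        if verdict is False:
            return "deny (inbound ACL)"
        if verdict is None and lvl_in < lvl_out:
            return "deny (lower to higher needs an ACL)"
        # Higher-to-lower by default, or explicitly permitted by the ACL.
        self.conns.add(flow)
        return "permit (new connection)"


def build_sample() -> Asa:
    """Constructed three-interface ASA with the notes' telnet-deny list on
    inside and a single web permit toward the DMZ server on outside."""
    asa = Asa()
    asa.interface("inside", 100)
    asa.interface("dmz", 50)
    asa.interface("outside", 0)
    asa.access_group_in("inside", [("deny", "any", 23), ("permit", "any", None)])
    asa.access_group_in("outside", [("permit", "192.168.1.10", 80)])
    return asa


if __name__ == "__main__":
    asa = build_sample()
    out = ("10.0.0.101", 1065, "22.33.44.55", 80)
    print(asa.forward("inside", "outside", out))                       # permit (new connection)
    print(asa.forward("outside", "inside", (out[2], out[3], out[0], out[1])))  # permit (existing connection)
```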

Modular Policy Framework

Can use class maps to identify traffic, policy maps to identify actions on that traffic, and service policy commands to implement the policy.

Can allow the ASA to use MPF to perform application layer inspection, listen in and dynamically allow the data connection to commence from the server. Another option is to forward the traffic destined to your servers to the IPS module.

Class maps identify traffic on Layer 3 and Layer 4. They identify traffic by:

Referring to an ACL

Looking at differentiated services code point (DSCP) and/or IP Precedence fields of the packet

TCP or UDP ports

IP Precedence

Real-time Transport Protocol (RTP) port numbers

VPN tunnel groups

The policy maps use the services of the class maps to identify traffic and perform actions on each class of traffic:

Reroute the traffic

Perform inspection

Give priority treatment

Rate-limit or police that traffic

Perform advanced handling of the traffic

Where to Apply Policy

Can apply policy to an interface but only one policy can be applied.

Can apply policy globally to apply to all interfaces.

Configuring the ASA

About: Using the ASDM GUI to implement and verify a security policy on the ASA.

Main Ideas:

Beginning the Configuration


Connect the console cable to the firewall and boot it up. Use setup to configure ASDM access.

Getting to the ASDM GUI

Once ASDM is set up, browsing to the IP address will display a certificate error. Accept the certificate since PKI is not set up.

Configuring the Interfaces

To configure interfaces:

Click on Configuration then navigate to Configuration | Device Setup | Interfaces

To create new switched virtual interfaces, click Add and enter the information. VLAN information can be configured in the Advanced tab.

Implementing Additional Firewall Interfaces

configure terminal
! Configure svi VLAN 1
interface vlan1
no shutdown
description Connect to the dmz
nameif dmz
! Assign a security level
security-level 50
ip address 192.168.1.254 255.255.255.0
exit
! Repeat process for other interfaces
interface vlan2
no shut
description Connects to my private network
nameif inside
security-level 100
ip address 10.0.0.1 255.255.255.0
exit
int vlan4
no shut
description Connects to the Internet
nameif outside
security-level 0
ip address 21.1.2.3 255.255.255.240
exit
! Assign ports to the VLANs
int e0/1
switchport acc vlan 4
exit
int e0/2
switchport acc vlan 2
exit
int e0/3
switchport acc vlan 2
exit
int e0/4
switchport acc vlan 2
exit
int e0/5
switchport acc vlan 2
exit
! Verify
show run interface

IP Addresses for Clients

Assign DHCP addresses to clients:

Configuration | Device Management | DHCP | DHCP Server

Edit the properties of the inside interface. Enable DHCP server. Then apply the pool of addresses to be handed out.

Within CLI:

configure terminal
dhcpd address 10.0.0.101-10.0.0.132 inside
dhcpd enable inside
dhcpd dns 8.8.8.8 interface inside
dhcpd domain iins.com interface inside

Basic Routing to the Internet

The ASA needs to know where to forward traffic. It can learn routes via IGRP, directly connected networks, or default routes.

To look up or modify the routing table:

Configuration | Device Setup | Routing

Configuring a static route using CLI:

configure terminal
route outside 0.0.0.0 0.0.0.0 23.1.2.7


NAT and PAT

To implement NAT/PAT:

Configuration | Firewall | NAT Rules and click Add

Configuring in CLI:

configure terminal
! Network object describing the real (inside) addresses to be translated
object network Inside_Hosts
subnet 10.0.0.0 255.255.255.0
description Inside_Hosts
exit
! Create the NAT rule: dynamic PAT of Inside_Hosts to the outside interface address
nat (inside,outside) 1 source dynamic Inside_Hosts interface

Permitting Additional Access Through the Firewall

Configuring access rules:

Configuration | Firewall | Access Rules

Creating and applying an ACL at the CLI:

configure terminal
! Block Telnet from inside hosts, allow everything else
access-list inside_access_in deny tcp any any eq telnet
access-list inside_access_in permit ip any any
! Apply the ACL inbound on the inside interface (an applied ACL ends with an implicit deny)
access-group inside_access_in in interface inside

Using Packet Tracer to Verify Which Packets are Allowed

Packet tracer is a built-in tool used to identify whether traffic is forwarded or dropped by the ASA.

Using Packet Tracer at the CLI:

! Simulate a TCP packet entering the inside interface from 10.0.0.101:1065 to 22.33.44.55:80
packet-tracer input inside tcp 10.0.0.101 1065 22.33.44.55 80
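The first-match walk that packet-tracer performs over an applied ACL, as an added Python example (not Cisco's tool or code from the notes): it parses the inside_access_in entries above and reports which line a packet hits, or the implicit deny. The port-name table and the address forms handled are assumptions covering a subset of the real syntax.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Service names to port numbers (assumed subset; "telnet" is the one the notes use)
PORT_NAMES = {"telnet": 23, "ssh": 22, "www": 80, "http": 80, "https": 443}

# The ACL from the notes, in its CLI form
ACL_LINES = [
    "access-list inside_access_in deny tcp any any eq telnet",
    "access-list inside_access_in permit ip any any",
]


@dataclass
class Ace:
    action: str                    # "permit" or "deny"
    proto: str                     # "ip" matches any protocol; else "tcp", "udp", ...
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dport: Optional[int]           # None means any destination port


def _take_addr(toks, i):
    """Consume one address spec at toks[i]: any | host A.B.C.D | network mask."""
    if toks[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if toks[i] == "host":
        return ipaddress.ip_network(toks[i + 1] + "/32"), i + 2
    return ipaddress.ip_network(f"{toks[i]}/{toks[i + 1]}"), i + 2


def parse_ace(line):
    """Parse 'access-list NAME ACTION PROTO SRC DST [eq PORT]' into (name, Ace)."""
    t = line.split()
    if len(t) < 6 or t[0] != "access-list" or t[2] not in ("permit", "deny"):
        raise ValueError(f"unsupported ACE: {line}")
    name, action, proto = t[1], t[2], t[3]
    src, i = _take_addr(t, 4)
    dst, i = _take_addr(t, i)
    dport = None
    if i < len(t) and t[i] == "eq":
        port = t[i + 1]
        dport = PORT_NAMES[port] if port in PORT_NAMES else int(port)
    return name, Ace(action, proto, src, dst, dport)


def build_acl(lines):
    """Return the ordered ACE list; every line must belong to the same named ACL."""
    names, acl = set(), []
    for line in lines:
        name, ace = parse_ace(line)
        names.add(name)
        acl.append(ace)
    if len(names) > 1:
        raise ValueError(f"mixed ACL names: {sorted(names)}")
    return acl


def evaluate(acl, proto, src_ip, dst_ip, dport):
    """Walk the ACL top-down like packet-tracer; return (verdict, matched line).

    Once an access-group is applied, a packet matching nothing hits the
    implicit deny at the end of the list, reported here as line None.
    """
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for lineno, ace in enumerate(acl, start=1):
        if ace.proto != "ip" and ace.proto != proto:
            continue
        if src not in ace.src or dst not in ace.dst:
            continue
        if ace.dport is not None and ace.dport != dport:
            continue
        return ace.action, lineno
    return "deny", None


ACL = build_acl(ACL_LINES)

if __name__ == "__main__":
    # Same flow as the packet-tracer command in the notes: inside host to a web server
    print(evaluate(ACL, "tcp", "10.0.0.101", "22.33.44.55", 80))   # ('permit', 2)
    print(evaluate(ACL, "tcp", "10.0.0.101", "22.33.44.55", 23))   # ('deny', 1)
```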


Notebook: CCNA Security

Created: 11/3/2012 2:34 PM   Updated: 11/4/2012 12:14 PM

Tags: ccna security

15 Cisco IPS/IDS Fundamentals

IPS Versus IDS

About: Platforms used for intrusion detection/prevention, and the differences between IPS and IDS.

Main Ideas:

What Sensors Do

A sensor is a device that looks at traffic on the network and makes a decision based on a set of rules.

Difference between IPS and IDS

An IPS is meant to be placed inline, where all traffic is routed through the device. If traffic is characterized as malicious, the IPS prevents that traffic from reaching its destination.

An IDS is a device that analyzes traffic just the same as an IPS, except it is not placed inline. Traffic arrives at the IDS on a promiscuous port, which can see all traffic. The IDS detects the attack but doesn't prevent it.

IDS versus IPS

Position in the network flow
IDS: Off to the side; the IDS is sent copies of the original packets.
IPS: Directly inline.

Also known as
IDS: Promiscuous mode, out of band.
IPS: Inline mode.

Latency or delay
IDS: None added.
IPS: Small amount added.

Ability to prevent malicious traffic from going into the network
IDS: By itself, cannot stop the original packet.
IPS: Can drop the packet on its own because it is inline.

Normalization ability
IDS: Cannot manipulate any original inline traffic.
IPS: Can normalize (manipulate or modify) traffic inline.

Sensor Platforms

Options included for implementing an IPS/IDS sensor:


Dedicated IPS appliance.

Software running on IOS.

Module in an IOS router, such as the AIM-IPS or NME-IPS modules.

Module on an ASA.

Blade that works in a 6500 switch.

True/False Negatives/Positives

The goal is to receive accurate information from an IPS/IDS. If the information from the IPS/IDS is false, that is not the desired outcome.

Positive/Negative Terminology

Terms for IPS/IDS:

False positive

False negative

True positive

True negative

False positive is an alert generated by the IPS/IDS for traffic that is not malicious.

False negative is when malicious traffic is on the network but the IPS/IDS failed to trigger an alert.

True positive is when malicious traffic was picked up by the IPS/IDS.

True negative is when non-malicious traffic is not picked up by the IPS/IDS.
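The four outcome terms applied to a small constructed set of events, as an added Python example that is not part of the notes; the event list and the metrics derived from it (detection rate, false positive rate, precision) are assumptions used for illustration.

```python
from collections import Counter

# (description, sensor_alerted, actually_malicious): constructed sample events,
# where "actually malicious" is what an analyst established afterwards
EVENTS = [
    ("SQL injection attempt on web server", True, True),
    ("Known exploit kit landing page download", True, True),
    ("Port scan from outside", True, True),
    ("Backup job copying large DB dump", True, False),      # false alarm
    ("Slow, low-rate brute force on SSH", False, True),      # missed
    ("Routine HTTPS to mail provider", False, False),
    ("Software update download", False, False),
    ("DNS lookups from workstation", False, False),
]

OUTCOMES = ("true_positive", "false_positive", "false_negative", "true_negative")


def classify(alerted: bool, malicious: bool) -> str:
    """Map one event to the four terms used in the notes."""
    if alerted and malicious:
        return "true_positive"
    if alerted and not malicious:
        return "false_positive"
    if not alerted and malicious:
        return "false_negative"
    return "true_negative"


def tally(events):
    """Count outcomes over (description, alerted, malicious) events."""
    counts = Counter(classify(a, m) for _, a, m in events)
    for key in OUTCOMES:
        counts.setdefault(key, 0)
    return counts


def rates(counts):
    """Derive the metrics a tuning exercise tracks.

    detection_rate: share of malicious traffic that raised an alert
    false_positive_rate: share of benign traffic that raised an alert
    precision: share of alerts that were real attacks (what the analyst sees)
    """
    tp, fp = counts["true_positive"], counts["false_positive"]
    fn, tn = counts["false_negative"], counts["true_negative"]
    return {
        "detection_rate": tp / (tp + fn) if tp + fn else 0.0,
        "false_positive_rate": fp / (fp + tn) if fp + tn else 0.0,
        "precision": tp / (tp + fp) if tp + fp else 0.0,
    }


def missed_attacks(events):
    """List the false negatives: the cases signature tuning should look at first."""
    return [d for d, a, m in events if classify(a, m) == "false_negative"]


if __name__ == "__main__":
    counts = tally(EVENTS)
    print({k: counts[k] for k in OUTCOMES})   # TP 3, FP 1, FN 1, TN 3
    print(rates(counts))                        # detection 0.75, FPR 0.25, precision 0.75
    print(missed_attacks(EVENTS))
```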

Identifying Malicious Traffic on the Network

About: Techniques used by IPS and IDS sensors.

Main Ideas:

Methods

There are different methods sensors can be configured to identify malicious traffic:

Signature-based

Policy-based

Anomaly-based

Reputation-based

Signature-Based IPS/IDS


A set of rules looking for specific patterns or characteristics within packets.

Policy-Based IPS/IDS

Can be configured according to a network policy such as no telnet traffic should be used.

Anomaly-Based IPS/IDS

Used to catch instances that are not normal or do not align with a baseline.

Reputation-Based IPS/IDS

Information collected all over the world that a local sensor can use.

IPS/IDS Method Advantages & Disadvantages

Signature based
Advantages: Easy to configure, simple to implement.
Disadvantages: Doesn't detect attacks outside of the rules.

Policy based
Advantages: Simple and reliable, very customizable, allows only policy-based traffic.
Disadvantages: Policy must be manually created.

Anomaly based
Advantages: Self-configuring baselines.
Disadvantages: Difficult to accurately profile extremely large networks.

Reputation based
Advantages: Leverages enterprise & global correlation.
Disadvantages: Requires timely updates, and requires participation in the correlation process.

When Sensors Detect Malicious Traffic

Based on how sensors are configured, the sensor can implement an action.

Controlling Which Actions the Sensors Should Take

A risk rating is used to allow an IPS/IDS sensor to take appropriate countermeasure actions without user intervention.

There are three primary influencers of the final risk rating value:

1. Signature Fidelity Rating (SFR): an accuracy rating.

2. Attack Severity Rating (ASR)

3. Target Value Rating (TVR)


Risk Rating (RR) Calculation Factors

Target value rating (TVR): Value that the administrator has assigned.

Signature fidelity rating (SFR): Accuracy of the signature, as rated by the person who created that signature.

Attack severity rating (ASR): How critical the attack is, as determined by the person who created the signature.

Attack relevancy (AR): A minor contributor to the risk rating.

Global correlation: A sensor participating in global correlation receives information about specific source addresses.

Circumventing an IPS/IDS

IPS/IDS evasion techniques (evasion method, description, and the Cisco anti-evasion technique):

Traffic fragmentation
Description: Attacker splits malicious traffic into multiple parts to avoid detection.
Cisco anti-evasion: Complete session reassembly.

Traffic substitution & insertion
Description: Attacker substitutes characters in the data using different formats to have the same final meaning.
Cisco anti-evasion: Data normalization & de-obfuscation techniques.

Protocol level misinterpretation
Description: Attacker attempts to cause a sensor to misinterpret the end-to-end meaning of a network protocol.
Cisco anti-evasion: IP TTL analysis, TCP checksum validation.

Timing attacks
Description: Sending packets at a low rate so as not to trigger a signature.
Cisco anti-evasion: Configurable intervals and use of third-party correlation.

Encryption and tunneling
Description: Attacking through encryption.
Cisco anti-evasion: Encrypted traffic cannot be inspected.

Resource exhaustion
Description: Disguising the attack within thousands of alerts.
Cisco anti-evasion: Dynamic and configurable event summarization.

Managing Signatures

About: How signatures are manipulated and managed.

Main Ideas:

Micro-Engines (Groupings of Signatures)

Atomic: Signatures that can match on a single packet, as compared to a string of packets.

Service: Signatures that examine application layer services.

String or multistring: Supports flexible pattern matching, and can be identified in a single packet or group of packets, such as a session.

Other: Miscellaneous signatures that may not specifically fit into other categories.

Monitoring and Managing Alarms and Alerts

About: Options for working with sensor-generated alarms and alerts

Main Ideas:

Alarms and Alerts

Three main protocols are used to deliver alerts:

Security Device Event Exchange (SDEE)

Syslog

SNMP


Security Intelligence

Having multiple sensors in various parts of the network provides a clearer understanding of an attack through correlation.

Cisco offers the Security Intelligence Operations (SIO) service, which facilitates global threat information, reputation-based services, and sophisticated analysis.

IPS/IDS Best Practices

Implement an IPS to analyze traffic going to critical servers and mission-critical devices.

If you cannot afford a dedicated appliance, use modules or IOS IPS/IDS.

Take advantage of global correlation to improve resistance against attacks. Use correlation internally across all sensors.

Use a risk-based approach, where countermeasures occur based on the calculated risk rating as opposed to manually assigning countermeasures to individual signatures.

Use automated signature updates when possible to keep signatures current.

Continue to tune the IPS/IDS infrastructure as traffic flows, network devices, and topologies change.


Notebook: CCNA Security

Created: 11/4/2012 8:58 AM   Updated: 11/14/2012 10:17 PM

Tags: ccna security

16 Implementing IOS-Based IPS

Understanding and Installing an IOS-Based IPS

About: Features of Cisco IPS included in the IOS implementation of IPS.

Main Ideas:

What can IOS IPS Do?

IPS supports the following detection technologies:

Profile based

Signature based

Protocol analysis based

Benefits of IOS IPS:

Dynamic update of signatures

Integrates easily with network

Compatible to work alongside ZBF, VPN, ACL, AAA, and others

Can be managed by CCP, IME, CSM, and CLI

Supports attack signatures from the same signature database that is used by the IPS appliance

IOS IPS Features

IOS IPS signature features and their descriptions:

Regular expression string pattern matching: Enables creation of string patterns using variables.

Response actions: Enables the sensor to take action in response to a triggered event.

Alarm summarization: Helps prevent resource exhaustion by summarizing events that are all the same.

Threshold configuration: Identifies thresholds which, if exceeded, may trigger events.

Anti-evasive techniques: Designed to interpret the actual data regardless of whether it is fragmented or uses a combination of character sets.

Risk ratings: Calculated between 0-100 and associated with an alert. The higher the number, the more risk is presumed.

Installing the IOS IPS Feature

First make sure the version of IOS supports IPS. Then obtain the signature files from Cisco for the router.

Getting To The IPS Wizard

Configure | Security | Intrusion Prevention

Depending on platform it may be:

Configure | Security | Advanced Security | Intrusion Prevention

Then launch the wizard: Launch IPS Rule Wizard

The Welcome to IPS Policies Wizard window displays. Click Next to continue to where you specify the interface you want to apply the IPS policy to.

After selecting the interface, click Next to view a dialog box asking for the signature file. Upload the signature file, then click OK.

Then the public key needs to be configured. This is to verify the authenticity of Cisco's signature files, to prevent an attacker from pretending to be Cisco and installing false rules. Then click Next to specify the location of the configuration files the router will use to maintain any configurations related to signatures.

Signature files are not maintained in the running config. They can be stored locally in the file system. Then click OK.

Then the category must be specified, either Advanced or Basic. Then click Next and Finish.

Working with Signatures in an IOS-Based IPS

About: Enabling and tuning a signature and causing it to trigger, using CCP.

Main Ideas:

Viewing/Modifying Signatures


To view/modify signatures in CCP:

Configure | Security | Intrusion Prevention and click the Edit IPS tab.

Then click Signatures option to view all the signatures.

Matrix for Retired/Unretired/Enabled/Disabled

Rows are the compiling state (retired/unretired); columns are the allowing-action state (enabled/disabled).

Retired, Enabled: No memory consumption.

Retired, Disabled: No memory consumption.

Unretired, Enabled: Consumes memory, is considered during packet analysis.

Unretired, Disabled: Consumes memory, no action related to the signature during packet analysis.

A signature is enabled once you click Enable and also Unretire, then click Apply Changes. A green checkmark appears on the signature rule.

Actions That May Be Taken

Deny attacker inline

Deny connection inline

Deny packet inline

Produce alert

Reset TCP connection

To modify the actions, right-click on the signature and select Actions. Place a check mark in the boxes next to the actions you want to take against the attacker.

Click OK and then Apply Changes to implement any changes made.

CLI commands for Configuring IPS

! Enable SDEE so alerts can be delivered to CCP/IME
config t
ip ips notify SDEE
! Create an IPS rule
ip ips name sdm_ips_rule
! Retire the whole "all" category (which includes the advanced and basic categories) ...
ip ips signature-category
category all
retired true
exit
! ... then unretire only the basic signature category
category ios_ips basic
retired false
exit
exit
! Apply the IPS rule inbound on the interface
int f1/0
ip ips sdm_ips_rule in
exit
! Specify the location of custom or tuned signatures
ip ips config location ftp://10.0.0.2/ips5
! Tune signature 2004 (subsignature 0) so it is both enabled and not retired
ip ips signature-definition
signature 2004 0
status
enabled true
retired false
exit
exit
exit
! Verify the configuration
show ip ips configuration
! Verify the signature
show ip ips signatures sigid 2004 subid 0
! View the number of active signatures
show ip ips signatures count

Best Practices When Tuning IPS

Begin with basic signature category

Schedule downtime for installation and updates

Retire irrelevant signatures

Monitor available memory

Be careful before unretiring and enabling the All category of signatures

Managing and Monitoring IPS Alarms

About: Options for viewing alerts and alarms and demonstrating how to do it via CCP and CLI.


Main Ideas:

Viewing Alerts in CCP

Monitor | Security | IPS Status

Another way:

Monitor | Router | Logging | SDEE Message Log tab

Another method:

Monitor | Security | IPS Status | Click the IPS Alert Statistics tab

Viewing Alerts from CLI

From device:

show ip sdee alerts

show ip ips statistics


Notebook: CCNA Security

Created: 11/4/2012 12:13 PM   Updated: 11/15/2012 9:57 PM

Tags: ccna security

17 Fundamentals of VPN Technology

Understanding VPNs and Why We Use Them

About: Why VPNs are important and what types of VPNs are available.

Main Ideas:

What is a VPN?

A VPN is a virtual private network connecting two endpoints together to provide a secure and confidential connection between the two.

Types of VPNs

IPsec

Can be used for site-to-site VPNs or remote-access VPNs.

Implements security of IP packets at Layer 3.

SSL

Implements security of TCP sessions at Layer 4.

Can be used for remote-access.

MPLS

Multiprotocol Label Switching and MPLS Layer 3 VPNs provided by a service provider.

No encryption by default.

IPsec can be used on top of MPLS to add confidentiality.

Two Main Types of VPNs

Remote-access VPNs

A VPN connection from a computer to HQ.

Site-to-Site VPNs

Connecting two or more sites in a secure fashion.

Main Benefits of VPNs

Confidentiality

Data integrity

Authentication

Antireplay

Confidentiality

Only the intended parties can understand the data that is sent. Accomplished using encryption.

Data Integrity

Ensuring the data is accurate from end to end.

Authentication

Verifying the other end of the connection using pre-shared keys, public and private key pairs, or user authentication.

Antireplay

Protection against an attacker capturing traffic with the intent of replaying it back to fool one of the VPN peers into believing that the peer trying to connect is a legitimate peer.

Cryptography Basic Components

About: Basic components of cryptography; algorithms for hashing, encryption, and key management.

Main Ideas:

Confidentiality is a function of encryption.

Data integrity is a function of hashing.

Authentication is the process of proving the identity of the other side of the tunnel.

Ciphers

A cipher is a set of rules (that is, an algorithm) for how to perform encryption and decryption.

Common methods that ciphers include:

Substitution - substituting one character for another.

Polyalphabetic - similar to substitution, but instead of using a single alphabet, could use multiple alphabets.

Transposition - uses many different options, including the rearrangement of letters.

Keys

An example of a key is a one-time pad which can only be used once.

Block Ciphers


A symmetric key cipher (same key to encrypt and decrypt) that operates on a group of bits called a block. May take a 64-bit block of plain text and generate a 64-bit block of cipher text.

Examples of symmetrical block cipher algorithms:

Advanced Encryption Standard (AES)

Triple Digital Encryption Standard (3DES)

Blowfish

Digital Encryption Standard (DES)

International Data Encryption Algorithm (IDEA)

Stream Ciphers

A symmetric key cipher where the plaintext is encrypted one bit at a time against the bits of the key stream, also called a cipher digit stream.

Symmetric Algorithm

Uses the same key to encrypt the data and decrypt the data.

Common examples:

DES

3DES

AES

IDEA

RC2, RC4, RC5, RC6

Blowfish

Much faster to use as it takes less CPU.

Asymmetric Algorithm

An example is public key algorithms. Instead of using the same key for encrypting and decrypting, two different keys mathematically work together as a pair.

Uses a private key and a public key. Together they are a key pair.

High CPU cost when using key pairs to lock and unlock data.

Hashes

Hashing is a method used to verify data integrity.

A cryptographic hash function takes a block of data and creates a small fixed-size hash value. This is a one-way function.

The result is a fixed-length string of data referred to as a digest, message digest, or hash.

Most popular types of hashes:

Message digest 5 (MD5): Creates 128-bit digest.

Secure Hash Algorithm 1 (SHA-1): Creates a 160-bit digest.

Secure Hash Algorithm 2 (SHA-2): Options include a digest between 224 bits and 512 bits.

Hashed Message Authentication Code (HMAC)

Uses the mechanism of hashing but also includes a secret key.
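An added Python example, not from the notes, showing the digest sizes listed above via hashlib and why an HMAC's secret key gives integrity that a bare hash sent alongside the data cannot; the message, the key and the in-transit modification are constructed sample values.

```python
import hashlib
import hmac

# Digest lengths in bits as listed in the notes (SHA-2 is a family, 224 to 512 bits)
EXPECTED_BITS = {"md5": 128, "sha1": 160, "sha224": 224, "sha256": 256,
                 "sha384": 384, "sha512": 512}


def digest_bits(algo: str) -> int:
    """Length in bits of the fixed-size digest the algorithm produces."""
    return hashlib.new(algo).digest_size * 8


def bare_hash_check(data: bytes, digest: bytes, algo: str = "sha256") -> bool:
    """Integrity check when only a plain hash travels with the data."""
    return hashlib.new(algo, data).digest() == digest


def hmac_tag(key: bytes, data: bytes, algo: str = "sha256") -> bytes:
    """HMAC: the hashing mechanism plus a secret key shared by the two peers."""
    return hmac.new(key, data, algo).digest()


def hmac_check(key: bytes, data: bytes, tag: bytes, algo: str = "sha256") -> bool:
    """Recompute the tag with the shared key; compare in constant time."""
    return hmac.compare_digest(hmac_tag(key, data, algo), tag)


def modified_in_transit(data: bytes, check_value: bytes, scheme: str):
    """Model a message altered on the path; return (new_data, new_check_value).

    With a bare hash, whoever alters the data can simply rehash it, so the
    receiver's check still passes. With HMAC the key is not known on the path,
    so the old tag is all that can be forwarded and the check fails.
    """
    altered = data.replace(b"100.00", b"900.00")      # constructed change
    if scheme == "hash":
        return altered, hashlib.sha256(altered).digest()
    return altered, check_value


def demo():
    """Run both schemes over a constructed message; return the three outcomes."""
    key = b"constructed-shared-secret-key"        # known only to the two peers
    msg = b"transfer 100.00 to account 42"
    digest = hashlib.sha256(msg).digest()
    tag = hmac_tag(key, msg)
    altered_msg, altered_digest = modified_in_transit(msg, digest, "hash")
    altered_msg2, old_tag = modified_in_transit(msg, tag, "hmac")
    return {
        "hash_accepts_altered": bare_hash_check(altered_msg, altered_digest),  # True
        "hmac_accepts_altered": hmac_check(key, altered_msg2, old_tag),        # False
        "hmac_accepts_original": hmac_check(key, msg, tag),                    # True
    }


if __name__ == "__main__":
    for algo, bits in EXPECTED_BITS.items():
        print(f"{algo}: {digest_bits(algo)} bits (notes say {bits})")
    print(demo())
```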

Digital Signatures

A way of proving that you are who you say you are. Three core benefits:

Authentication

Data integrity

Nonrepudiation

IPsec

A collection of protocols and algorithms used to protect packets at Layer 3. Core benefits: confidentiality through encryption, data integrity through hashing and HMAC, and authentication using digital signatures or a pre-shared key (PSK).

ESP and AH

Two primary methods for implementing IPsec: Encapsulating Security Payload and Authentication Header.

Encryption algorithms for confidentiality

DES

3DES

AES

Hashing algorithms for integrity

MD5

SHA

Authentication algorithms

PSK

RSA digital certificates

Key management

Diffie-Hellman (DH)

Internet Key Exchange (IKE)

SSL


Secure Sockets Layer. Encryption and authentication.

VPN Components

Each component, its function, and examples of its use:

Symmetrical encryption algorithms
Function: Uses the same key for encrypting and decrypting data.
Examples: DES, 3DES, AES, IDEA

Asymmetrical encryption
Function: Uses a public and private key. One key encrypts the data, and the other key in the pair is used to decrypt.
Examples: RSA, Diffie-Hellman

Digital signature
Function: Encryption of the hash using the private key, and decryption of the hash with the sender's public key.
Examples: RSA signatures

Diffie-Hellman key exchange
Function: Uses a public-private key pair asymmetrical algorithm, but creates final shared secrets (keys) that are then used by symmetrical algorithms.
Examples: Used as one of the many services of IPsec

Confidentiality
Function: Encryption algorithms provide this by turning clear text into cipher text.
Examples: DES, 3DES, AES, RSA, IDEA

Data integrity
Function: Validates data by comparing hash values.
Examples: MD5, SHA-1

Authentication
Function: Verifies the peer's identity to the other peer.
Examples: PSKs, RSA signatures


Notebook: CCNA Security

Created: 11/4/2012 9:03 PM   Updated: 11/5/2012 6:54 AM

Tags: ccna security

18 Fundamentals of the Public Key Infrastructure

Public Key Infrastructure

About: Moving parts and pieces involved with the PKI.

Main Ideas:

Public and Private Key Pairs

A key pair is a set of two keys that work together. There is a public key and a private key. The private key is not shared. A public key can be used to encrypt data and the private key can decrypt that data, and vice versa.

Asymmetrical algorithms:

RSA

Named after Rivest, Shamir, and Adleman. PKCS #1 with a key length from 512 to 2048.

DH

Allows two devices to negotiate and establish shared secret keys. Can be used with 3DES and AES.

ElGamal

Asymmetrical encryption based on DH exchange.

DSA

Digital Signature Algorithm developed by the US National Security Agency.

ECC

Elliptic Curve Cryptography.

RSA Algorithm, the Keys, and Digital Certificates

Who Has Keys and a Digital Certificate?

With RSA digital signatures, both parties have a public-private key pair. They are also both enrolled with a CA.

How Two Parties Exchange Public Keys

When two parties want to authenticate, they send a copy of their digital certificates. Both will verify the authenticity of the certificate.

Certificate Authorities

A CA is a computer or entity that creates and issues digital certificates. Inside a digital certificate is information about the identity of a device, such as its IP address, FQDN, and the public key of the device. The CA takes all the information and generates a digital certificate, assigns a serial number, and signs the certificate with its own digital signature.

Root and Identity Certificates

Root Certificate

A root certificate contains the public key and details of the CA server.

Relevant parts of the certificate:

Serial number

Issued and tracked by the CA that issued the certificate.

Issuer

The CA that issued the certificate.

Validity dates

Time window during which the certificate may be considered valid.

Subject of the certificate

Includes the Organizational Unit (OU), Organization (O), Country (C), and other details found in an X.500 structured directory. The subject of the root certificate is the CA itself.

Public key

Contents of the public key and the length.

Thumbprint algorithm and thumbprint

Hash for the certificate.

Identity Certificate

Similar to a root certificate but describes the client and contains the public key of the client.

X.500 and X.509v3 Certificates

X.500 is a series of standards focused on directory services and how those directories are organized.

Digital certificates contain the following info:

Serial number

Assigned by the CA

Subject

Person or entity that is being identified

Signature algorithm

Specific algorithm that was used for signing the digital certificate

Signature

Digital signature from the certificate authority

Issuer

Entity or CA that created and issued the digital certificate

Valid from


Date the certificate became valid

Valid to

Expiration date of the certificate

Key usage

Functions for which the public key in the certificate may be used

Public key

Public portion of the public and private key pair

Thumbprint algorithm

Hash algorithm used for data integrity

Thumbprint

The actual hash

Certificate revocation list location

URL used to see whether the serial number of any certificate issued by the CA has been revoked

Authenticating and Enrolling with the CA

Step 1: Authenticate the CA server. Download and verify the root certificate.

Step 2: Request your own identity certificate. This involves generating a public-private key pair and including the public key portion in any requests for your own identity certificate.

Public Key Cryptography Standards (PKCS)

These standards control the format and use of certificates, including requests to a CA for new certificates, the format for a file that is going to be the new identity certificate, and the file format and usage access for certificates.

PKCS #10

Format of a certificate request sent to a CA by a client that wants to receive its identity certificate.

PKCS #7

Format used by a CA as a response to a PKCS#10 request.

PKCS #1

RSA Cryptography Standard.

PKCS #12

Format for storing both public and private keys, using a symmetric password-based key to "unlock" the data whenever the key needs to be used or accessed.

PKCS #3

Diffie-Hellman key exchange.

Simple Certificate Enrollment Protocol

Simple Certificate Enrollment Protocol (SCEP) can automate most of the process for requesting and installing an identity certificate. Not an open standard, but supported by most Cisco devices.


Revoked Certificates

Used to check whether a certificate has been revoked due to a security concern. The device checks a URL that has a list of revoked certificates.

Three basic ways to check:

Certificate Revocation List (CRL)

List of certificates, based on serial numbers, that had initially been issued by a CA but have since been revoked and as a result should not be trusted.

Online Certificate Status Protocol (OCSP)

Alternative to CRLs. The client sends a request to find the status of a certificate and gets a response.

Authentication, authorization, and accounting (AAA)

Cisco AAA services provide support for validating digital certificates.

PKI Topologies

Single Root CA

One trusted CA to service requests.

Hierarchical CA with Subordinate CAs

Supporting fault tolerance and increased capacity by using intermediate or subordinate CAs to assist the root CA.

Cross-Certifying CAs

A CA with a horizontal trust relationship over to a second CA, so that clients of either CA can trust the signatures of the other CA.

Putting the Pieces of PKI to Work

About: How to implement components

Main Ideas:

Default of the ASA

The ASA uses a self-signed digital certificate by default. If you don't want to use a self-signed certificate, you must install a root certificate and request an identity certificate from the root CA.

Viewing the Certificates in ASDM

Under the Device Management section, there are options for configuring and viewing both identity certificates and root certificates, within the Certificate Management section.

Adding a New Root Certificate

To add a root certificate, click Add; the options are to install a root certificate from a file, paste in the information, or use SCEP.

When adding the new root certificate, you can click More Options to answer questions about the CRL and other details about which protocols are to be used for certificate verification by the firewall.

Easier Method for Installing Both Root and Identity certificates

An easier option than manually installing the root certificate is to use SCEP to install the root cert, generate a new key pair, and request your identity certificate, all via SCEP.

Begin in the Identity Certificate area in ASDM. Click Add, assign a name, then click the Add a New Identity Certificate radio button. Click New, assign the key pair a name and the size of the key to use, then click Generate Now.

After you click Generate Now, a public-private key pair is generated and the public key portion is sent to the CA as part of the SCEP cert request process.

Generating a New Key Pair

crypto key generate rsa label My-Key-Pair modulus 2048 noconfirm

Authenticating and Enrolling with a New CA via SCEP

! Create the name that you want the ASA to reference the CA by
config t
crypto ca trustpoint New-CA-to-Use
! Specify which key pair supplies the public key that goes into the digital cert.
! The pair generated above (My-Key-Pair) is used.
keypair My-Key-Pair
! Specify what the cert may be used for (SSL and IPsec)
id-usage ssl-ipsec
! Specify whether an FQDN will be required
no fqdn
! Specify the X.500 CN
subject-name CN=ciscoasa
! Specify where the CA server can be reached
enrollment url http://192.168.1.105
exit
! Retrieve and install the root cert (check its fingerprint out of band before trusting it)
crypto ca authenticate New-CA-to-Use nointeractive
! Request and install the identity cert from the CA
crypto ca enroll New-CA-to-Use noconfirm

Key PKI Components

RSA digital signatures: Using its private key to encrypt a generated hash, an entity creates a digital signature.

Digital certificate: File that contains the public key of the entity, the serial number, and the signature of the CA that issued the cert.

Public and private keys: Used as a pair to encrypt and decrypt data in an asymmetrical fashion.

Certificate authority: The CA's job is to fulfill certificate requests and generate digital certificates for its clients to use. Maintains the valid certs that have been issued and a CRL.

X.509v3: Common certificate format used today.

Subordinate CA/RA: Assistant to the CA, can issue certs to clients. Used in a hierarchical PKI topology.

PKCS: Public Key Cryptography Standards.


Notebook: CCNA Security

Created: 11/6/2012 6:10 AM   Updated: 11/6/2012 6:55 AM

Tags: ccna security

19 Fundamentals of IP Security

IPsec Concepts, Components, and Operations

About: Moving parts and pieces of IPsec.

Main Ideas:

The Goal of IPsec

Confidentiality

Provided through encryption changing clear text to cipher text.

Data integrity

Provided through hashing or Hashed Message Authentication Code (HMAC).

Authentication

Provided through PSK or digital certificates.

Antireplay support

Packets are sequentially labeled.

The Play by Play for IPsec

Step 1: Negotiate the IKE Phase 1 Tunnel

To initiate the VPN tunnel, one of the devices first negotiates an Internet Key Exchange (IKE) Phase 1 tunnel.

It is done in one of two modes:

Main mode

Uses more packets for the process

Considered more secure

Most devices use as default

Aggressive mode

The IKE Phase 1 tunnel is used to protect the management traffic related to the VPN between the two devices.

The initiator sends all its configured/default parameters that it will use for the IKE Phase 1 tunnel.

For the IKE Phase 1 to be successful, five items need to be agreed upon:

Hash algorithm

MD5 or SHA

Encryption algorithm

DES


3DES

AES

Diffie-Hellman group to use

Refers to the modulus size (length of the key) to use for the DH key exchange.

Group 1 = 768 bits

Group 2 = 1024 bits

Group 5 = 1536 bits

Purpose is to generate a shared secret keying material (symmetric keys)

Authentication method

Used to verify the identity of the VPN peer on the other side

PSK or RSA signatures

Lifetime

How long until IKE Phase 1 tunnel is torn down.

Default is 1 day (in seconds).

Only parameter that doesn't have to match.

How to remember the five items to negotiate IKE Phase 1

HAGLE

H - Hash

A - Authentication method

G - DH group

L - lifetime

E - Encryption algorithm

Step 2: Run the DH Key Exchange

After agreeing to the IKE Phase 1 policy of the peer, both devices run the DH key exchange. The DH group agreed upon is used.
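The DH exchange of Step 2 as an added Python example (not from the notes or Cisco code): both peers compute the same shared secret from values sent in the clear and derive symmetric keys from it. The toy modulus and generator and the labelled SHA-256 key derivation are assumptions standing in for the negotiated IKE group and PRF.

```python
import hashlib
import secrets

# Toy parameters, constructed for illustration only: a 127-bit Mersenne prime,
# not an IKE group (groups 1, 2 and 5 use 768-, 1024- and 1536-bit primes).
TOY_P = 2**127 - 1
TOY_G = 5


def dh_private(p: int = TOY_P) -> int:
    """Random private exponent in [2, p-2]; never leaves the device."""
    return secrets.randbelow(p - 3) + 2


def dh_public(priv: int, p: int = TOY_P, g: int = TOY_G) -> int:
    """Value sent to the peer in the clear: g^priv mod p."""
    return pow(g, priv, p)


def dh_shared(peer_pub: int, priv: int, p: int = TOY_P) -> int:
    """Shared secret: (peer_pub)^priv mod p, identical on both sides."""
    return pow(peer_pub, priv, p)


def derive_keys(shared: int, p: int = TOY_P) -> dict:
    """Turn the DH secret into separate symmetric keys (encryption and integrity).

    Real IKE runs a PRF over the secret plus nonces; a labelled SHA-256 is an
    assumed stand-in that keeps the two keys independent of each other.
    """
    material = shared.to_bytes((p.bit_length() + 7) // 8, "big")
    return {
        "encryption_key": hashlib.sha256(b"enc|" + material).digest(),
        "integrity_key": hashlib.sha256(b"auth|" + material).digest(),
    }


def ike_phase1_dh(p: int = TOY_P, g: int = TOY_G):
    """Simulate both peers; return (keys_A, keys_B, what an observer sees)."""
    a = dh_private(p)                      # initiator's private exponent
    b = dh_private(p)                      # responder's private exponent
    A = dh_public(a, p, g)                 # initiator -> responder
    B = dh_public(b, p, g)                 # responder -> initiator
    keys_a = derive_keys(dh_shared(B, a, p), p)
    keys_b = derive_keys(dh_shared(A, b, p), p)
    # Anyone on the path sees p, g, A and B, but neither private exponent.
    return keys_a, keys_b, {"p": p, "g": g, "A": A, "B": B}


if __name__ == "__main__":
    ka, kb, wire = ike_phase1_dh()
    print("both peers derived the same keys:", ka == kb)       # True
    print("observed on the wire:", wire)
```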

Step 3: Authenticate the Peer

Authentication is performed using the agreed-upon method. After authentication, the tunnel is bidirectional.

What About the User's Original Packet?

The IKE Phase 1 tunnel is only used for management. After the IKE Phase 1 tunnel is built, another tunnel is used for encrypting the end-user packets, which is an IKE Phase 2 tunnel.

Leveraging What They Have Already Built

With the IKE Phase 1 tunnel built, the two devices negotiate and establish an IPsec or IKE Phase 2 tunnel. A different set of configuration is used to specify the IKE Phase 2 tunnels, separate from IKE Phase 1.


Mode used to build the IKE Phase 2 tunnel is Quick mode.

Now IPsec Can Protect the User's Packets

With the IKE Phase 2 tunnel built, the devices can encrypt the user's traffic directly between each other. The payload of the packets is encrypted and contains the original IP addresses and contents of the packet the user forwarded.

Traffic Before IPsec

Anyone sniffing the packets can read the payload within the packet.

Traffic After IPsec

The same packet being sent through the untrusted Internet will be encrypted by the IKE Phase 2 tunnel and encapsulated in a new IP header. The Layer 4 protocol would show as Encapsulating Security Payload (ESP).

Summary of IPsec

VPN peers negotiate an IKE Phase 1 tunnel using Aggressive or Main mode, then use Quick mode to establish an IKE Phase 2 tunnel. The IKE Phase 2 tunnel is used to encrypt and decrypt user traffic. IKE Phase 2 really creates two one-way tunnels: one from Device A to Device B, and one from Device B to Device A.

These tunnels are referred to as security agreements between two VPN peers, or security associations (SAs). Each SA is assigned a unique number for tracking.

Configuring and Verifying IPsec

About: Applying theory.

Main Ideas:

Start with a Plan

The first thing to do is decide which protocols to use for IKE Phase 1 and IKE Phase 2 and to identify which traffic should be encrypted.

Applying the Configuration

Within CCP navigate to:

Configure | Security | VPN | Site-to-Site VPN


Then verify that the Create a Site-to-site VPN option is selected. Then click Launch the Selected Task.

Select Step by Step Wizard and click Next.

Select the interface facing the Internet (the interface facing toward its peer), configure the IP address of the peer, select the option for authentication using a PSK, and configure the key. Then click Next.

Then select the IKE Phase 1 proposals to be used.

Click Add to create a new IKE Phase 1 policy, enter the desired IKE Phase 1 policies, and then click OK.

After creating the new IKE Phase 1 policy, select it and then click Next.

Now select the transform set used for encryption and hashing for the IKE Phase 2 tunnels.

Click Add and specify the IKE Phase 2 policies and click OK. Verify the new transform set is selected and click Next.

Now specify the traffic that should be encrypted. Packets not matched for IPsec protection will be forwarded as normal packets.

Viewing the CLI Equivalent at the Router

! Implement IKE Phase 1
config t
crypto isakmp policy 2
 authentication pre-share
 encr aes 128
 hash md5
 group 2
 lifetime 600
 exit
! Configure the PSK for IKE Phase 1
crypto isakmp key cisco123 address 43.0.0.2
! Specify the ACL for interesting traffic
access-list 100 permit ip 10.0.0.0 0.0.0.255 172.16.0.0 0.0.0.255
! Implement the IKE Phase 2 transform set
crypto ipsec transform-set MY-SET esp-sha-hmac esp-aes 256
! Specify tunnel mode for the user traffic
 mode tunnel
 exit
! Configure the crypto map. ipsec-isakmp means the router will automatically negotiate the IKE Phase 2
! tunnel using ISAKMP (Internet Security Association and Key Management Protocol). "1" represents
! sequence number 1.
crypto map SDM_CMAP_1 1 ipsec-isakmp
! Tells the crypto map to pay attention to ACL 100
 match address 100
! If traffic matches the ACL, the device should use the transform set named MY-SET to negotiate
! the IKE Phase 2 tunnel with the peer. (The name must match the transform set defined above.)
 set transform-set MY-SET
 set peer 43.0.0.2
 exit
! Apply the crypto map to the interface
int g1/0
 crypto map SDM_CMAP_1
 exit

Completing and Verifying IPsec

When finishing the configuration of the tunnels, configuration needs to be done on the other peer as well.

To configure the peer device from CCP, select Generate Mirror from the Edit Site to Site VPN tab.

Verifying the IPsec VPN from CLI

! Verify the IKE Phase 1 policies on the device
show crypto isakmp policy
! Show details of the crypto map
show crypto map
! See details for the IKE Phase 1 tunnel
show crypto isakmp sa detail
! See details of the IKE Phase 2 tunnels
show crypto ipsec sa
! Verify that encryption and decryption are working
show crypto engine connections active


Notebook: CCNA Security

Created: 11/8/2012 9:28 PM Updated: 11/8/2012 10:18 PM

Tags: ccna security

20 Implementing IPsec Site-to-Site VPNs

Planning and Preparing an IPsec Site-to-Site VPN

About: Identifying a customer's need for VPN services and planning the details to implement the VPN.

Main Ideas:

Protocols That May Be Required for IPsec

Protocol/Port | Who uses it | How it is used
UDP port 500 | IKE Phase 1 | For negotiation
UDP port 4500 | NAT-T | Negotiating to put a fake UDP 4500 header on each IPsec packet to survive a NAT device
Layer 4 protocol 50 | ESP | IPsec packets have the Layer 4 protocol of ESP, which is encapsulated by the sender and de-encapsulated by the receiver for each IPsec packet
Layer 4 protocol 51 | AH | Have the Layer 4 protocol of AH.
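The four rows of that table are exactly what a firewall or IDS sitting between two VPN peers has to recognise and permit. The following added example (not from the course notes) builds a few raw IPv4 packets inline and classifies them by the protocol number and port rules above, reading the SPI and sequence number out of the ESP and AH headers. The packets, addresses and SPIs are constructed sample values; the header layouts (IPv4, UDP, ESP, AH) and the four-zero-byte "non-ESP marker" that distinguishes IKE from ESP on UDP 4500 are the standard ones.

```python
# Added example (not from the course notes): classify raw IPv4 packets into
# the IPsec-related protocols from the table above, the way a firewall or IDS
# between two VPN peers has to recognise them. All packets are constructed here.
import socket
import struct
from typing import Dict

IP_PROTO_ESP, IP_PROTO_AH, IP_PROTO_UDP = 50, 51, 17
IKE_PORT, NAT_T_PORT = 500, 4500


def build_ipv4(proto: int, payload: bytes, src: str = "43.0.0.1", dst: str = "43.0.0.2") -> bytes:
    """Minimal IPv4 header (no options, checksum left at zero) in front of a payload."""
    header = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                         socket.inet_aton(src), socket.inet_aton(dst))
    return header + payload


def build_udp(sport: int, dport: int, payload: bytes) -> bytes:
    return struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload


def classify(packet: bytes) -> Dict[str, object]:
    """Name the IPsec component a packet belongs to, plus the SPI/sequence when visible."""
    ver_ihl, _, _, _, _, _, proto, _, src, dst = struct.unpack("!BBHHHBBH4s4s", packet[:20])
    l4 = packet[(ver_ihl & 0x0F) * 4:]
    info = {"src": socket.inet_ntoa(src), "dst": socket.inet_ntoa(dst)}
    if proto == IP_PROTO_ESP:
        # ESP header: 32-bit SPI, 32-bit sequence number; everything after it is encrypted
        spi, seq = struct.unpack("!II", l4[:8])
        return {**info, "kind": "ESP", "spi": spi, "seq": seq}
    if proto == IP_PROTO_AH:
        # AH header: next header, payload length, reserved, SPI, sequence number, then the ICV
        next_hdr, _, _, spi, seq = struct.unpack("!BBHII", l4[:12])
        return {**info, "kind": "AH", "spi": spi, "seq": seq, "next_header": next_hdr}
    if proto == IP_PROTO_UDP:
        sport, dport, _, _ = struct.unpack("!HHHH", l4[:8])
        body = l4[8:]
        if IKE_PORT in (sport, dport):
            return {**info, "kind": "IKE"}
        if NAT_T_PORT in (sport, dport):
            # NAT-T: four zero bytes (the non-ESP marker) mean IKE; otherwise UDP-encapsulated ESP
            if body[:4] == b"\x00\x00\x00\x00":
                return {**info, "kind": "IKE over NAT-T"}
            spi, seq = struct.unpack("!II", body[:8])
            return {**info, "kind": "ESP over NAT-T", "spi": spi, "seq": seq}
    return {**info, "kind": "other", "proto": proto}


# Constructed sample packets (payload bytes are placeholders, not real ciphertext).
SAMPLE_ESP = build_ipv4(IP_PROTO_ESP, struct.pack("!II", 0x1234ABCD, 7) + b"\x00" * 32)
SAMPLE_AH = build_ipv4(IP_PROTO_AH, struct.pack("!BBHII", 4, 4, 0, 0x00C0FFEE, 1) + b"\x00" * 12)
SAMPLE_IKE = build_ipv4(IP_PROTO_UDP, build_udp(IKE_PORT, IKE_PORT, b"\x00" * 28))
SAMPLE_NAT_T_IKE = build_ipv4(IP_PROTO_UDP,
                              build_udp(NAT_T_PORT, NAT_T_PORT, b"\x00\x00\x00\x00" + b"\x00" * 28))
SAMPLE_NAT_T_ESP = build_ipv4(IP_PROTO_UDP,
                              build_udp(NAT_T_PORT, NAT_T_PORT, struct.pack("!II", 0x1234ABCD, 8) + b"\x00" * 32))

if __name__ == "__main__":
    for pkt in (SAMPLE_ESP, SAMPLE_AH, SAMPLE_IKE, SAMPLE_NAT_T_IKE, SAMPLE_NAT_T_ESP):
        print(classify(pkt))
```

The SPI and sequence number are the only fields of an ESP packet a device in the path can read; they are what `show crypto ipsec sa` reports per SA, so matching them against a capture is a quick way to confirm which SA a stream of traffic belongs to.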

Planning IKE Phase 1

After confirming connectivity, the first step is to choose the components to use for the IKE Phase 1 tunnel.

Function | Strong Method | Stronger Method
Hashing | MD5, 128 bit | SHA1, 160 bit
Authentication | Pre-shared Key (PSK) | RSA-sigs (digital signatures)
Group # for DH key exchange | 1, 2 | 5
Lifetime | 86400 seconds | Shorter than 1 day, 3600
Encryption | 3DES | AES-128 (or 192, or 256)

These parameters are used for the IKE Phase 1 policy, specified using the command crypto isakmp policy.

Planning IKE Phase 2

This is the actual tunnel to protect the user traffic

Item to Plan | Implemented by | Notes
Peer IP addresses | Crypto map | Reachable IP for VPN peer is needed to negotiate and establish site-to-site VPN
Traffic to encrypt | Crypto ACL, referred to in the crypto map | Extended ACL not applied to an interface but is referenced in the crypto map. Should only reference outbound traffic, which should be protected by IPsec.
Encryption method | Transform set, referred to in crypto map | DES, 3DES, AES are options.
Hashing (HMAC) method | Transform set | MD5 and SHA HMACs may be used and need to match the Phase 2 policy of the peer.
Lifetime | Global config command: crypto ipsec security-association lifetime ... | Should match between peers.
Perfect Forward Secrecy (PFS) (run DH again or not) | Crypto map | DH is run during IKE Phase 1, and Phase 2 reuses that same keying material that was generated.
Which interface used to peer with the other VPN device | Crypto map applied to the outbound interface | Interface of a VPN peer that is closest to the other peer.
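The DH exchange from the Phase 1 steps and the PFS row of the table above, as an added example (not from the course notes). It runs a Diffie-Hellman exchange over IKE group 2 (the 1024-bit MODP prime from RFC 2409, which is the "modulus size" the notes refer to), then derives Phase 2 keying material twice: once reusing the Phase 1 secret, as the table describes, and once with PFS, where Quick mode runs a second DH exchange. HMAC-SHA1 standing in for the IKE PRF, the simplified derivation layout, the SPI and the nonces are all assumptions of this example; the group parameters are the standard ones.

```python
# Added example (not from the course notes): DH over IKE group 2, then IKE
# Phase 2 key derivation with and without Perfect Forward Secrecy. The PRF and
# the derivation layout are simplified stand-ins for the real IKE formulas.
import hashlib
import hmac
import secrets
from typing import Optional

# DH group 2 ("Second Oakley Group", RFC 2409): 1024-bit MODP prime, generator 2.
GROUP2_P = int("".join("""
FFFFFFFF FFFFFFFF C90FDAA2 2168C234 C4C6628B 80DC1CD1
29024E08 8A67CC74 020BBEA6 3B139B22 514A0879 8E3404DD
EF9519B3 CD3A431B 302B0A6D F25F1437 4FE1356D 6D51C245
E485B576 625E7EC6 F44C42E9 A637ED6B 0BFF5CB6 F406B7ED
EE386BFB 5A899FA5 AE9F2411 7C4B1FE6 49286651 ECE65381
FFFFFFFF FFFFFFFF
""".split()), 16)
GROUP2_G = 2
GROUP2_BYTES = 128  # 1024 bits: the "modulus size" the notes refer to


def is_probable_prime(n: int, bases=(2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)) -> bool:
    """Miller-Rabin with fixed small bases; enough to catch a mistyped modulus."""
    if n < 2:
        return False
    for b in bases:
        if n % b == 0:
            return n == b
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for a in bases:
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def dh_private() -> int:
    return secrets.randbelow(GROUP2_P - 2) + 1


def dh_public(private: int) -> int:
    return pow(GROUP2_G, private, GROUP2_P)  # g^x mod p, sent to the peer in the clear


def dh_shared(peer_public: int, private: int) -> bytes:
    return pow(peer_public, private, GROUP2_P).to_bytes(GROUP2_BYTES, "big")  # g^xy mod p


def prf(key: bytes, data: bytes) -> bytes:
    return hmac.new(key, data, hashlib.sha1).digest()  # stand-in for the IKE PRF


def phase2_keymat(skeyid_d: bytes, spi: int, nonce_i: bytes, nonce_r: bytes,
                  pfs_shared: Optional[bytes] = None) -> bytes:
    """Phase 2 keys: with PFS a fresh DH result is mixed in; without it everything
    derives from the Phase 1 secret plus the SPI and nonces sent in the clear."""
    fresh = pfs_shared if pfs_shared is not None else b""
    return prf(skeyid_d, fresh + spi.to_bytes(4, "big") + nonce_i + nonce_r)


def simulate(pfs: bool, a_priv: int, b_priv: int, a_priv2: int, b_priv2: int,
             spi: int = 0x1234ABCD, nonce_i: bytes = b"N" * 16, nonce_r: bytes = b"R" * 16) -> dict:
    """Run Phase 1 DH and then Phase 2 from both peers' points of view.

    Also returns what an observer could rebuild after capturing the exchange and
    later obtaining skeyid_d (the Phase 1 secret) but neither peer's fresh
    Phase 2 exponent: without PFS that is exactly the Phase 2 key."""
    a_pub, b_pub = dh_public(a_priv), dh_public(b_priv)
    skeyid_d_a = prf(dh_shared(b_pub, a_priv), b"phase1")   # A's view of Phase 1
    skeyid_d_b = prf(dh_shared(a_pub, b_priv), b"phase1")   # B's view of Phase 1
    if pfs:  # Quick mode with a second DH exchange on new exponents
        a_pub2, b_pub2 = dh_public(a_priv2), dh_public(b_priv2)
        key_a = phase2_keymat(skeyid_d_a, spi, nonce_i, nonce_r, dh_shared(b_pub2, a_priv2))
        key_b = phase2_keymat(skeyid_d_b, spi, nonce_i, nonce_r, dh_shared(a_pub2, b_priv2))
    else:    # Quick mode reusing the Phase 1 keying material
        key_a = phase2_keymat(skeyid_d_a, spi, nonce_i, nonce_r)
        key_b = phase2_keymat(skeyid_d_b, spi, nonce_i, nonce_r)
    observer = phase2_keymat(skeyid_d_a, spi, nonce_i, nonce_r)
    return {"key_a": key_a, "key_b": key_b, "observer_rebuild": observer}


if __name__ == "__main__":
    for pfs in (False, True):
        r = simulate(pfs, dh_private(), dh_private(), dh_private(), dh_private())
        print(f"pfs={pfs}: peers agree={r['key_a'] == r['key_b']}, "
              f"observer rebuilds key={r['observer_rebuild'] == r['key_a']}")
```

This is the practical meaning of `set pfs group2` in a crypto map: the extra DH exchange costs a little CPU per Phase 2 rekey, but a later compromise of the Phase 1 keying material no longer exposes the Phase 2 traffic keys.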

Implementing and Verifying an IPsec Site-to-Site VPN


About: Implementing, verifying, and troubleshooting the VPN using a combination of CCP and CLI.

Main Ideas:

Verifying NTP Status

Configure in CCP:

Configure | Router | Time | NTP and SNTP | Add

From CLI:

show ntp status

Preparing for and Obtaining Digital Certificates

From CLI:

! Specify the domain name and generate the RSA key pair
config t
ip domain-name cisco.com
crypto key generate rsa modulus 1024
! Specify the CA to use
crypto pki trustpoint CA
 enrollment url http://3.3.3.3
 exit
! Request the root cert
crypto pki authenticate CA
! Request the identity certificate
crypto pki enroll CA

Configure IKE Phase 1 policy on CCP:

Configure | Security | VPN | Site-to-Site VPN | click Launch the selected task
Choose the Step-by-Step Wizard | then click Next
Select PSK or Digital Certificates, then click Next
Add a new policy: click Add
After adding the new policy, click OK and then Next
Add the IKE Phase 2 policy by clicking on Add, then OK
Confirm the ACL info by clicking OK
Select the policy and click Next

CLI Implementation of the Crypto Policy

config t
crypto isakmp policy 1
 encr aes 256
 group 5
 lifetime 3600
 authentication rsa-sig
 hash sha
 exit
! Verify the config:
show crypto isakmp policy
! Create the transform set and the crypto ACL
crypto ipsec transform-set MYSET esp-aes esp-sha-hmac
 exit
access-list 100 permit ip 172.16.0.0 0.0.255.255 192.168.0.0 0.0.0.255
! The crypto map contains the if/then statement that decides whether or not to encrypt traffic
crypto map MYMAP 1 ipsec-isakmp
 match address 100
 set peer 23.0.0.2
 set transform-set MYSET
 ! Configure PFS
 set pfs group2
 exit
! Apply the crypto map to the interface
int g1/0
 crypto map MYMAP
 exit

Mirrored configuration is then placed on the peer device.
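The crypto ACL is the "if" of the crypto map's if/then, and the mirror placed on the peer is its exact reverse. The following added example (not from the course notes) evaluates a crypto ACL with Cisco wildcard-mask semantics the way the crypto map does, and produces the mirror-image entry the peer needs. The ACL line is the one from the first CLI listing in these notes; the packet addresses are constructed. Only `access-list <n> permit|deny ip <src> <dst>` lines in the `any`, `host A.B.C.D` and `A.B.C.D W.X.Y.Z` forms are handled, which is an assumption of this example, not a description of IOS.

```python
# Added example (not from the course notes): evaluate a Cisco crypto ACL the
# way the crypto map's if/then does, using wildcard masks, and produce the
# mirror-image entry the peer needs. Only "access-list <n> permit|deny ip
# <src> <dst>" lines with any/host/wildcard address forms are handled.
import ipaddress
from dataclasses import dataclass
from typing import List, Tuple


@dataclass(frozen=True)
class AclEntry:
    number: int
    action: str     # "permit" = protect with IPsec, "deny" = send in the clear
    src: str
    src_wild: str
    dst: str
    dst_wild: str


def _parse_spec(tokens: List[str]) -> Tuple[str, str]:
    """Consume one address spec: 'any', 'host A.B.C.D', or 'A.B.C.D W.X.Y.Z'."""
    first = tokens.pop(0)
    if first == "any":
        return "0.0.0.0", "255.255.255.255"
    if first == "host":
        return tokens.pop(0), "0.0.0.0"
    return first, tokens.pop(0)


def parse_acl(lines: List[str]) -> List[AclEntry]:
    entries = []
    for line in lines:
        t = line.split()
        if len(t) < 6 or t[0] != "access-list" or t[2] not in ("permit", "deny") or t[3] != "ip":
            continue  # not an extended 'ip' entry of the shape this example understands
        rest = t[4:]
        try:
            src, src_wild = _parse_spec(rest)
            dst, dst_wild = _parse_spec(rest)
        except IndexError:
            continue  # truncated line
        entries.append(AclEntry(int(t[1]), t[2], src, src_wild, dst, dst_wild))
    return entries


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """Cisco wildcard semantics: 0 bits must match the base, 1 bits are don't-care."""
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return int(ipaddress.IPv4Address(addr)) & care == int(ipaddress.IPv4Address(base)) & care


def crypto_map_decision(entries: List[AclEntry], acl_number: int, src: str, dst: str) -> str:
    """First matching entry wins; the implicit deny at the end means 'forward in the clear'."""
    for e in entries:
        if e.number == acl_number and wildcard_match(src, e.src, e.src_wild) \
                and wildcard_match(dst, e.dst, e.dst_wild):
            return "encrypt" if e.action == "permit" else "clear"
    return "clear"


def mirror(entry: AclEntry) -> str:
    """The peer's crypto ACL must be the mirror image: source and destination swapped."""
    return (f"access-list {entry.number} {entry.action} ip "
            f"{entry.dst} {entry.dst_wild} {entry.src} {entry.src_wild}")


# Constructed sample: the interesting-traffic ACL from the first CLI listing.
ACL = parse_acl(["access-list 100 permit ip 10.0.0.0 0.0.0.255 172.16.0.0 0.0.0.255"])

if __name__ == "__main__":
    for src, dst in (("10.0.0.5", "172.16.0.9"), ("10.0.0.5", "8.8.8.8"), ("10.0.1.5", "172.16.0.9")):
        print(f"{src} -> {dst}: {crypto_map_decision(ACL, 100, src, dst)}")
    print("peer needs:", mirror(ACL[0]))
```

The third sample packet is the classic mistake: 10.0.1.5 falls outside the 0.0.0.255 wildcard, so it is forwarded in plaintext with no error anywhere, which is why the crypto ACL deserves the same review as an interface ACL.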

Troubleshoot IPsec Site-to-Site VPNs

First verify the configuration:

! Verify the IKE Phase 1 policy
show crypto isakmp policy
! Verify the crypto maps
show crypto map
! Debug the IKE Phase 1 process
debug crypto isakmp

If no debug output is shown for debug crypto isakmp, it may mean the IKE Phase 1 process is already up, or that it is not currently up because there is no interesting traffic triggering it.

! Verify an IKE Phase 1 tunnel already in place:
show crypto isakmp sa
! Verify the IPsec (IKE Phase 2) tunnel:
show crypto ipsec sa
! Bird's-eye view of the cryptography:
show crypto engine connections active


Notebook: CCNA Security

Created: 11/8/2012 10:18 PM Updated: 11/10/2012 10:58 AM

Tags: ccna security

21 Implementing SSL VPNs Using Cisco ASA

Functions and Use of SSL for VPNs

About: Alternative to IPsec for implementing secure VPN tunnels.

Main Ideas:

Is IPsec Out of the Picture?

SSL VPNs are easy to deploy. SSL is installed on most devices because it is utilized by web browsers. If a user needs quick access, they can log in using the clientless SSL VPN without having to install software on the computer or kiosk they are using.

Comparison of IPsec Versus SSL

Criterion | SSL | IPsec
Applications | Web-based apps, file sharing, email. W/ full AnyConnect client, all IP-based apps are available. | All IP-based apps are available. Experience is like being on the network.
Encryption | Moderate range of key lengths | Stronger range of longer key lengths
Authentication | Moderate, one-way or two-way authentication | Strong, two-way authentication using shared secrets or digital certificates.
Ease of use | Very high | Moderate. Can be challenging for nontechnical users, and deployment is more time consuming.
Overall security | Moderate. Any device can initially connect. | Strong. Only specific devices with specific configurations can connect.

SSL and TLS Protocol Framework

Operating at the session layer and higher, SSL/TLS can use PKI and digital certificates for authentication of VPN endpoints and for establishing encryption keys.

Comparison Between SSL and TLS

SSL | TLS
Developed by Netscape | Standard developed by IETF
Starts w/ a secured channel & continues directly to security negotiations on a dedicated port. | Can start w/ unsecured communications & dynamically switch to a secured channel based on negotiation w/ the other side.
Widely supported on client-side apps | Supported & implemented more on servers.
More weaknesses identified in older SSL versions | Stronger implementation because of the standards process.

The Play by Play of SSL for VPNs

Client initiates a connection using destination TCP port 443.
Three-way handshake occurs.
Server responds, providing its digital certificate containing its public key.
Client uses PKI to validate the certificate.
Client generates a shared secret to use for encryption between itself and the server. Client uses the public key of the server to encrypt the shared secret and sends the encrypted shared secret to the server.
Server decrypts the sent symmetric key using its own private key, and now both devices know and can use the shared secret key.
The key is used to encrypt the SSL session.
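The exchange described above, as an added example with both sides' messages (not from the course notes). The server's RSA key is built from two Mersenne primes that are far too small for real use, the certificate is reduced to the public key plus a pinned fingerprint that stands in for PKI chain validation, and HMAC-SHA256 stands in for the record-layer key expansion; the shared secret and the client/server random values are constructed inputs. What the example keeps faithful to the play-by-play is the order of operations: certificate, validation, secret encrypted to the server's public key, decryption with the private key, then both sides deriving the same session key.

```python
# Added example (not from the course notes): the RSA key-transport handshake
# from the play-by-play, with both sides' messages. Toy key sizes, a pinned
# fingerprint instead of a PKI chain, and HMAC instead of the record cipher.
import hashlib
import hmac
from typing import Optional, Tuple

# Demonstration-only primes: 2^31-1 and 2^61-1 (both Mersenne primes), ~92-bit modulus.
DEMO_P, DEMO_Q = 2 ** 31 - 1, 2 ** 61 - 1


def make_keypair(p: int = DEMO_P, q: int = DEMO_Q, e: int = 65537) -> Tuple[Tuple[int, int], Tuple[int, int]]:
    """RSA (n, e) public key and (n, d) private key from two primes."""
    n, phi = p * q, (p - 1) * (q - 1)
    return (n, e), (n, pow(e, -1, phi))


def fingerprint(public: Tuple[int, int]) -> str:
    """Stand-in for the certificate: a hash of the public key the server presents."""
    n, e = public
    return hashlib.sha256(n.to_bytes(16, "big") + e.to_bytes(4, "big")).hexdigest()


def client_key_exchange(server_public: Tuple[int, int], shared_secret: bytes) -> int:
    """Client side: encrypt the freshly generated shared secret with the server's public key."""
    n, e = server_public
    m = int.from_bytes(shared_secret, "big")
    if m >= n:
        raise ValueError("secret too large for this (toy) modulus")
    return pow(m, e, n)


def server_recover_secret(server_private: Tuple[int, int], ciphertext: int, length: int) -> bytes:
    """Server side: decrypt with the private key to obtain the same shared secret."""
    n, d = server_private
    return pow(ciphertext, d, n).to_bytes(length, "big")


def session_key(shared_secret: bytes, client_random: bytes, server_random: bytes) -> bytes:
    """Both sides expand the shared secret (plus handshake randoms) into the session key."""
    return hmac.new(shared_secret, b"key expansion" + client_random + server_random,
                    hashlib.sha256).digest()


def run_handshake(shared_secret: bytes, client_random: bytes, server_random: bytes,
                  pinned_fingerprint: Optional[str] = None, server_keys=None) -> dict:
    """Play the exchange: certificate, validation, key exchange, key derivation."""
    server_public, server_private = server_keys or make_keypair()
    # TCP handshake and client hello are not modelled; the server presents its certificate
    presented = fingerprint(server_public)
    # Client validates the certificate (here: against a pinned fingerprint)
    validated = pinned_fingerprint is None or presented == pinned_fingerprint
    if not validated:
        return {"validated": False}   # client must abort before sending any secret
    # Client encrypts the shared secret to the server's public key and sends it
    ciphertext = client_key_exchange(server_public, shared_secret)
    # Server decrypts it with its private key
    recovered = server_recover_secret(server_private, ciphertext, len(shared_secret))
    # Both derive the key that protects the SSL session
    return {
        "validated": True,
        "client_key": session_key(shared_secret, client_random, server_random),
        "server_key": session_key(recovered, client_random, server_random),
        "secret_recovered": recovered == shared_secret,
    }


if __name__ == "__main__":
    result = run_handshake(bytes(range(8)), b"c" * 32, b"s" * 32)
    print("keys match:", result["client_key"] == result["server_key"])
```

Note the property this key-transport design does not have: every session's secret is encrypted to the same long-lived server key, so whoever obtains that private key later can recover the secrets from any captured handshake. That is the same forward-secrecy question the PFS row in the IPsec planning table raises.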

SSL VPN Flavors

Options for SSL VPN Implementation

Option | Clientless SSL VPN | Clientless SSL VPN w/ Plug-Ins for Some Port Forwarding | Full AnyConnect SSL VPN Client
Other names | Web VPN | Thin client. | Full SSL client.
Installed software on client | None required | Small applets and/or configuration required | Full install of AnyConnect
User experience | Feels like accessing resources through a web browser | Some applications can run locally with output redirected through the VPN | Full access to the corporate network. Local computer feels like part of the network.
Servers that can be used | IOS w/ correct software, ASA w/ correct license. | IOS w/ correct software, ASA w/ correct license | IOS w/ correct software, ASA w/ correct license
How the user looks from the corporate network | Traffic is proxied by SSL server | Traffic is proxied by SSL server | Clients are assigned their own virtual IP address while accessing corporate network
Clients supported | Most SSL-capable computers | Computers that support SSL and Java | Most computers that support SSL

Configuring SSL Clientless VPNs on ASA

About: Using the ASDM to configure clientless SSL VPN

Main Ideas:

High level tasks used to implement the SSL clientless VPN:

Launch wizard for SSL VPN inside ASDM.

Configure SSL VPN URL and interface.

Configure user authentication.

Configure user group policy.

Configure bookmark lists.

Verify that the config is what was intended, and verify it works.

Using the SSL VPN Wizard

Within ASDM:

Click the Wizards menu bar option | Select VPN Wizards | from the drop-down list, select Clientless SSL VPN Wizard

Click Next to continue to specify a connection profile to be associated with the users connecting to the clientless SSL VPN and the interface they will initially be connecting to.

Digital Certificates

By default, ASA uses self-signed digital certificate.


Authenticating Users

We specify how we're going to authenticate individuals using two general options, AAA or the local database.

When clicking Next to continue, you are asked what group profile you want to use for these users. By default all users belong to a default group. Specific groups inherit policies from the default group.

When clicking Next you are prompted as to whether you want to provide these authenticated SSL VPN users with a convenient list of links (bookmarks) that go to specific services on the corporate network.

After you have confirmed, using the Add, OK, and/or Edit buttons, the bookmarks that you want to provide to users, click Next to continue to view a summary of what is about to be deployed.

Implementing a Clientless SSL VPN using CLI

! Create a local group policy
configure term
group-policy SSL_Group internal
! Use the self-signed cert and enable SSL VPN on the outside interface
ssl trust-point ASDM_TrustPoint0 outside
webvpn
 enable outside
 exit
! Specify attributes for the local group policy, including bookmarks
group-policy SSL_Group attributes
 vpn-tunnel-protocol ssl-clientless
 webvpn
  url-list value MyList
  exit
 exit
! Create the tunnel group for remote access
tunnel-group Connection_Profile_IINS type remote-access
! Define attributes for the connection profile, including the group policy to be used
tunnel-group Connection_Profile_IINS general-attributes
 default-group-policy SSL_Group
 exit
! Define the URL the profile will use and what group profile should be applied
tunnel-group Connection_Profile_IINS webvpn-attributes
 group-alias SSL_VPN enable
 group-url https://73.143.61.175/SSL_VPN enable
 exit


Logging In

Users browse to the configured URL and log in with their username and password.

Seeing the VPN Activity from the Server

Within ASDM:

Monitoring | VPN | VPN Statistics | Sessions

Configuring the Full SSL AnyConnect VPN on the ASA

About: Implementing a full-tunnel VPN using AnyConnect and the SSL functionality.

Main Ideas:

Configuring the Server to Support the AnyConnect Client

Click on the Wizards option on the menu bar, select VPN Wizards from the drop-down, and select AnyConnect Wizard.

Click Next to proceed to the Connection Profile screen. Specify a connection profile name and associate the VPN access interface.

Click Next to specify the protocols to support and which digital certificate to use on the server.

Click Next to proceed to identify the AnyConnect software package to deploy to users from the server.

After specifying the images, click Next to determine how users will authenticate: either AAA or the local database.

Click Next to answer questions about what IP address pool to use to assign internal addresses to the VPN clients.

Click OK to confirm the DHCP pool. Then click Next to continue to specify which DNS entries are handed to the clients and any NetBIOS, WINS, and domain name.

Click Next to confirm that you want to avoid NAT between subnets directly connected to the inside interface of the ASA.

Click Next to indicate that the AnyConnect client can either be preinstalled on a PC or the user can connect using SSL basic connectivity and then install the client from the server.

Click Next to read the summary of changes, then click Finish.

Configuring an SSL AnyConnect Client VPN on CLI:

! Network object for the AnyConnect address range (referenced by the NAT exemption below)
object network NETWORK_OBJ_10.0.0.0_25
 subnet 10.0.0.0 255.255.255.128
! Create the address pool (the wizard calls it a DHCP pool) for VPN users
ip local pool POOLS-for-AnyConnect 10.0.0.51-10.0.0.100 mask 255.255.255.0
! Create an internal group policy with the name below
group-policy GroupPolicy_SSL_AnyConnect internal
! Specify the attributes of this group policy
group-policy GroupPolicy_SSL_AnyConnect attributes
 vpn-tunnel-protocol ssl-client
 dns-server value 8.8.8.8
 wins-server none
 default-domain value cisco.com
 exit
! Enable SSL on the outside interface and specify which packages in flash are available as client images
webvpn
 enable outside
 anyconnect image disk0:/anyconnect-win-2.5.2014-k9.pkg 1
! Enable AnyConnect and provide the group list (so users can select their group)
 anyconnect enable
 tunnel-group-list enable
 exit
! Create a tunnel group and specify its type
tunnel-group SSL_AnyConnect type remote-access
! Specify which group policy and which address pool this tunnel group uses
tunnel-group SSL_AnyConnect general-attributes
 default-group-policy GroupPolicy_SSL_AnyConnect
 address-pool POOLS-for-AnyConnect
 exit
! Enable the group alias (shown in the client's group list) used to select this profile on the server
tunnel-group SSL_AnyConnect webvpn-attributes
 group-alias SSL_AnyConnect enable
 exit
! Provide a NAT exemption for VPN traffic from the inside network if it is going to the address
! range used by the AnyConnect clients
nat (inside,outside) 3 source static inside interface destination static NETWORK_OBJ_10.0.0.0_25 NETWORK_OBJ_10.0.0.0_25 no-proxy-arp route-lookup
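The listing above wires four objects together by name (group policy, address pool, tunnel group, webvpn), and a wizard-generated config that hands out no addresses is usually one name that does not line up. The following added example (not from the course notes, and not an ASA tool) reads a config of that shape as parent commands plus indented sub-commands and reports dangling references. The sample config is a constructed copy of the listing above with indentation restored; the parser only understands that two-level layout, which is an assumption of this example.

```python
# Added example (not from the course notes): a small consistency check over an
# ASA AnyConnect configuration of the shape shown above. It reads the config as
# parent commands plus indented sub-commands and reports dangling references.
from typing import Dict, List, Tuple


def parse_asa(config_text: str) -> Tuple[List[str], Dict[str, List[str]]]:
    """Return top-level commands and, per parent command, its indented sub-commands."""
    top, children, parent = [], {}, None
    for raw in config_text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("!"):
            continue
        if raw.startswith(" ") and parent is not None:
            children.setdefault(parent, []).append(raw.strip())
        else:
            parent = raw.strip()
            top.append(parent)
    return top, children


def audit_anyconnect(config_text: str) -> List[str]:
    """Findings (empty list = consistent) for tunnel-group / group-policy / pool / webvpn wiring."""
    top, children = parse_asa(config_text)
    findings = []
    policies = {t.split()[1] for t in top if t.startswith("group-policy ") and t.endswith(" internal")}
    pools = {t.split()[3] for t in top if t.startswith("ip local pool ")}
    typed_groups = {t.split()[1] for t in top if t.startswith("tunnel-group ") and " type " in t}

    for t in top:
        if t.startswith("tunnel-group ") and t.endswith(" general-attributes"):
            name = t.split()[1]
            if name not in typed_groups:
                findings.append(f"tunnel-group {name}: attributes without a 'type remote-access' line")
            for sub in children.get(t, []):
                if sub.startswith("default-group-policy "):
                    gp = sub.split()[1]
                    if gp not in policies:
                        findings.append(f"tunnel-group {name}: group-policy {gp} is not defined")
                    elif "vpn-tunnel-protocol ssl-client" not in children.get(f"group-policy {gp} attributes", []):
                        findings.append(f"group-policy {gp}: does not allow ssl-client (AnyConnect)")
                if sub.startswith("address-pool ") and sub.split()[1] not in pools:
                    findings.append(f"tunnel-group {name}: address pool {sub.split()[1]} is not defined")

    webvpn = children.get("webvpn", [])
    if "enable outside" not in webvpn:
        findings.append("webvpn: not enabled on the outside interface")
    if "anyconnect enable" not in webvpn:
        findings.append("webvpn: 'anyconnect enable' is missing")
    if not any(sub.startswith("anyconnect image ") for sub in webvpn):
        findings.append("webvpn: no AnyConnect client image is configured")
    return findings


# Constructed sample: the AnyConnect listing above, with sub-commands indented.
SAMPLE_CONFIG = """\
object network NETWORK_OBJ_10.0.0.0_25
 subnet 10.0.0.0 255.255.255.128
ip local pool POOLS-for-AnyConnect 10.0.0.51-10.0.0.100 mask 255.255.255.0
group-policy GroupPolicy_SSL_AnyConnect internal
group-policy GroupPolicy_SSL_AnyConnect attributes
 vpn-tunnel-protocol ssl-client
 dns-server value 8.8.8.8
 wins-server none
 default-domain value cisco.com
webvpn
 enable outside
 anyconnect image disk0:/anyconnect-win-2.5.2014-k9.pkg 1
 anyconnect enable
 tunnel-group-list enable
tunnel-group SSL_AnyConnect type remote-access
tunnel-group SSL_AnyConnect general-attributes
 default-group-policy GroupPolicy_SSL_AnyConnect
 address-pool POOLS-for-AnyConnect
tunnel-group SSL_AnyConnect webvpn-attributes
 group-alias SSL_AnyConnect enable
"""

# A broken variant: the pool name in the tunnel-group does not match the defined pool.
BROKEN_CONFIG = SAMPLE_CONFIG.replace(" address-pool POOLS-for-AnyConnect", " address-pool POOL-AnyConnect")

if __name__ == "__main__":
    print("sample:", audit_anyconnect(SAMPLE_CONFIG) or "consistent")
    print("broken:", audit_anyconnect(BROKEN_CONFIG))
```

The same check is worth running on the `show running-config` output after a wizard run, since the wizard creates the objects in one pass and a later hand edit of any one name is enough to break the chain silently.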

One Item with Three Different Names

From the user's perspective, the drop-down list is called a Group. On ASDM, the created connection profile is called SSL_AnyConnect. At the CLI it is referred to as a tunnel group. They are all the same thing.


Split Tunneling

Split tunneling is the act of tunneling packets only if they are destined to a specific subnetwork at the internal site.

To enable split tunneling on the ASA:

Configuration | Remote Access VPN | Network (Client) Access | Group Policies

Edit the group policy by going to Advanced | Split Tunneling

Specify the networks for which you want to tunnel traffic.

To monitor VPN sessions:

Monitoring | VPN | VPN Statistics | Sessions

Click on Details to see more information.