Monday, 5 February 2018

Hand notes-CCNA Security 210-260-Part-2

Hand notes-CCNA Security 210-260-Part-2

Securing Routing Protocols and the Control Plane

Securing the Control Plane

The control plane ensures that the management and data planes are maintained and operational. Control plane packets are network device–generated or received packets that are used for the creation and operation of the network itself. Some examples of control plane functions include routing protocols (for example, BGP, OSPF, EIGRP), as well as protocols like Internet Control Message Protocol (ICMP) and the Resource Reservation Protocol (RSVP). In many cases, you can disable the reception and transmission of certain types of packets on an interface to minimize the amount of CPU load that is required to process unneeded packets.

Process switched traffic falls into two primary categories:
+ Receive adjacency traffic: This traffic contains an entry in the Cisco Express Forwarding (CEF) table whereby the next router hop is the device itself, which is indicated by the term receive in the show ip cef  CLI. Any of the IP addresses/subnets for which “receive” is listed as the Next Hop indicates that packets destined for this address space will end up hitting the control plane and CPU.
+ Data plane traffic requiring special processing by the CPU: The following types of data plane traffic require special processing by the CPU resulting in a performance impact on the CPU:
         + Access control list (ACL) logging:
         + Unicast Reverse Path Forwarding (Unicast RPF)
         + IP options: Any IP packets with options included must be processed by the CPU
         + Fragmentation: Any IP packet that requires fragmentation must be passed to the CPU for processing
         + Time-To-Live (TTL) expiry: Packets that have a TTL value less than or equal to 1 require “Internet Control Message Protocol Time Exceeded
         + ICMP unreachables: Packets that result in ICMP unreachable messages   due to routing, maximum transmission unit (MTU), or filtering are processed by the CPU
         + Traffic requiring an ARP request: Destinations for which an ARP entry does not exist require processing by the CPU
         + Non-IP traffic: All non-IP traffic is processed by the CPU

Control Plane Policing
Control plane policing (CoPP) can be used to identify the type and rate of traffic that reaches the control plane of the Cisco IOS device.

# show policy-map control-plane

CoPP is a Cisco IOS-wide feature designed to allow users to manage the flow of traffic handled by the route processor of their network devices.

In Example 13-2, only BGP and Secure Shell (SSH) traffic from trusted hosts (that is, devices in the 192.168.1.0/24 subnet) is permitted to reach the Cisco IOS device CPU. In addition, certain types of ICMP traffic destined to the network infrastructure (that is, devices with IP addresses in the 10.1.1.0/24 subnet) will be rate-limited to 5000 packets per second (pps).    

!
access-list 101 permit icmp any 10.1.1.0 0.0.0.255 echo
access-list 101 permit icmp any 10.1.1.0 0.0.0.255 echo-reply
access-list 101 permit icmp any 10.1.1.0 0.0.0.255 time-exceeded
access-list 101 permit icmp any 10.1.1.0 0.0.0.255 ttl-exceeded
access-list 123 permit tcp 192.168.1.0 0.0.0.255 any eq 22
access-list 123 permit udp 192.168.1.0 0.0.0.255 any eq bgp
access-list 123 deny   tcp any any eq 22
access-list 123 deny   udp any any eq bgp
access-list 123 deny   ip any any
!
class-map match-all ICMP
 match access-group 101
class-map match-all UNDESIRABLE-TRAFFIC
 match access-group 123
!
policy-map COPP-INPUT-POLICY
 class UNDESIRABLE-TRAFFIC
  drop
 class ICMP
  police 50000 5000 5000 conform-action transmit  exceed-action drop
!
control-plane
 service-policy input COPP-INPUT-POLICY
!    

CCNA-Router-1# show policy-map control-plane

Control Plane Protection
Control plane protection (CPPr) is another feature, similar to control plane policing, that can help to mitigate the effects on the CPU of traffic that requires processing by the CPU.
CPPr can restrict traffic with finer granularity by dividing the aggregate control plane into three separate control plane categories known as subinterfaces:
+ Host subinterface
+ Transit subinterface
+ CEF-Exception subinterface
CPPr feature also additionally provides the following:
+ Port-filtering feature: Enables the policing and dropping of packets that are sent to closed or nonlistening TCP or UDP ports
+ Queue-thresholding feature: Limits the number of packets for a specified protocol that are allowed in the control-plane IP input queue

Securing Routing Protocols

MD5 authentication is still susceptible to brute-force and dictionary attacks if weak passwords are chosen. You are advised to use passwords with sufficient randomization.

Implement Routing Update Authentication on OSPF
MD5 authentication for OSPF requires configuration at both the interface level, that is, for each interface in which OSPF will be used, as well within the router OSPF process itself. Use the ip ospf authentication-key interface command to specify this password.
If you enable MD5 authentication with the message-digest keyword, you must configure a password with the ip ospf message-digest-key interface command.

!
interface GigabitEthernet0/1
  ip address 192.168.10.1 255.255.255.0
  ip ospf authentication message-digest
  ip ospf message-digest-key 1 md5 CCNA
!
router ospf 65000
  router-id 192.168.10.1
  area 0 authentication message-digest
  network 10.1.1.0 0.0.0.255 area 10
  network 192.168.10.0 0.0.0.255 area 0
!

Implement Routing Update Authentication on EIGRP
As with OSPF, MD5 authentication for EIGRP requires configuration at the interface level, there is no specific configuration required within the router EIGRP process itself. EIGRP authentication also makes use of a key chain that is configured in global configuration mode.

!
key chain CCNA
  key 1
    key-string CCNA-SECURITY
!
!
interface Loopback0
  ip address 192.168.100.1 255.255.255.0
!
interface GigabitEthernet0/1
  ip address 192.168.10.1 255.255.255.0
  ip authentication mode eigrp 65000 md5
  ip authentication key-chain eigrp 65000 CCNA
!
router eigrp 65000
  network 192.168.10.0
  network 192.168.100.0
!

Implement Routing Update Authentication on RIP
RIP Version 1 (RIPv1) does not support authentication. If you are sending and receiving RIPv2 packets, you can enable RIP authentication on an interface.

!
key chain CCNA
  key 1
    key-string CCNA-SECURITY
!
!
interface Loopback0
  ip address 192.168.100.1 255.255.255.0
!
!
interface GigabitEthernet0/1
  ip address 192.168.10.1 255.255.255.0
  ip rip authentication mode md5
  ip rip authentication key-chain CCNA
!
router rip
  version 2
  network 192.168.10.0
  network 192.168.100.0
!

Implement Routing Update Authentication on BGP
Peer authentication with MD5 creates an MD5 digest of each packet sent as part of a BGP session. Peer authentication with MD5 is configured with the password option to the neighbor BGP router configuration command.

interface Loopback1
  ip address 192.168.15.1 255.255.255.0
!
interface GigabitEthernet0/1
  ip address 192.168.10.1 255.255.255.0
!
router bgp 65000
  bgp log-neighbor-changes
  network 192.168.15.0
  neighbor 192.168.10.2 remote-as 65100
  neighbor 192.168.10.2 password CCNA-SECURITY
CCNA-Router-1#show ip bgp neighbors | include Option Flags – Verifying MD5 authentication between BGP Peers

Understanding Firewall Fundamentals

The word firewall commonly describes systems or devices that are placed between a trusted and an untrusted network. Complete separation means that no network connectivity exists, which does not serve anyone very well. By allowing specific traffic through the firewall, you can implement a balance of the required connectivity and security.

Firewall Technologies
A firewall is a concept that can be implemented by a single device, a group of devices, or even simply software running on a device such as a host or a server. Could be implemented by the following:
+ A router or other Layer 3 forwarding device that has an access list or some other method used to filter traffic that is trying to go between two of its interfaces. Adaptive Security Appliance (ASA) firewall.
+ A switch that has two virtual LANs (VLAN) without any routing in between them, which would absolutely keep traffic from the two different networks separate (by not being able to have inter-VLAN communications).
+ Hosts or servers that are running software that prevents certain types of received traffic from being processed and controls which traffic can be sent. This is an example of a software firewall.

Objectives of a Good Firewall
+ It must be resistant to attacks
+ Traffic between networks must be forced through the firewall
+ The firewall enforces the access control policy of the organization

Protective Measures Provided by a Firewall
+ Exposure of sensitive systems to untrusted individuals: By hiding most of the functionality of a host or network device, and permitting only the minimum required connectivity to that given system
+ Exploitation of protocol flaws: configure a firewall to inspect protocols to ensure compliance with the standards for that protocol at multiple layers of the protocol stack.
+ Unauthorized users: By using authentication methods, a firewall could control which user’s traffic is allowed through the firewall
+ Malicious data: A firewall can detect and block malicious data

Potential Firewall Limitations
+ Configuration mistakes have serious consequences
+ Not all network applications were written to survive going through the firewall
+ Individuals who are forced to go through a firewall might try to engineer a way around it
+ Latency being added by the firewall

The Defense-in-Depth Approach
Having   just one single point of control/security for your entire network is not wise. One solution, which is really more an idea than a solution, is to use a defense-in-depth approach or what is known as a layered approach to security. In short, it cannot be just a single device protecting all of your network; it needs to be a team effort by nearly all the devices.

Firewall Methodologies
Network-based firewalls provide key features used for perimeter security. May include:
+ Simple packet-filtering techniques
+ Proxy servers
+ NAT
+ Stateful inspection firewalls
+ Transparent firewalls
+ Next-generation context and application-aware firewalls

Static Packet Filtering
Static packet filtering is based on Layer 3 and Layer 4 of the OSI model.  ACLs. Stateless (does not maintain session information for current flows of traffic going through the router).

Application Layer Gateway
Application layer firewalls, which are also sometimes called proxy firewalls or application gateways, can operate at Layer 3 and higher in the OSI reference model. Most of these proxy servers include specialized application software that takes requests from a client, puts that client on hold for a moment, and then turns around and makes the requests as if it is its own request out to the final destination. No direct communication occurs between the client and the destination server.

Stateful Packet Filtering
Stateful packet filtering is one of the most important firewall technologies in use today. It is called stateful because it remembers the state of sessions that are going through the firewall. In short, the reply traffic goes back to the users successfully, but attackers on the outside trying to initiate sessions are denied by default.

Application Inspection
An application inspection firewall can analyze and verify protocols all the way up to Layer 7 of the OSI reference model, but does not act as a proxy between the client and the server being accessed by the client.
+ Can see deeper into the conversations
+ Awareness of the details at the application layer
+ Can prevent more kinds of attacks than stateful filtering on its own

Transparent Firewalls
A transparent firewall is more about how we inject the firewall into the network as opposed to what technologies it uses for filtering. A transparent firewall can use packet-based filtering, stateful filtering, application inspection as we discussed earlier, but the big difference with transparent firewalls is that they are implemented at Layer 2.

Next-Generation Firewalls
An example of an NGFW is the Cisco ASA with FirePOWER Services.

Using Network Address Translation

Network Address Translation (NAT) is an important feature that is often implemented on firewalls.

Inside, Outside, Local, Global
+ Inside local: The real IP configured on an inside host
+ Inside global: The mapped/global address that the router is swapping out for the inside host during NAT
+ Outside local: If performing NAT on outside devices (outside NAT), this is the mapped address of the outside device (such as Server A) as it would appear to inside hosts. If not doing outside NAT on the router, this appears as the normal outside device’s IP address to the inside devices
+ Outside global: The real IP configured on an outside host, such as the IP on Server A

NAT is also used to allow communications between two networks that otherwise would have incompatible IP addressing (such as overlapping addresses), and with the use of PAT, we have been able to extend the lifetime of IPv4 for a least a decade longer than it should have been used.

Port Address Translation
PAT device keeps track of individual sessions based on port numbers and other unique identifiers, and then forwards all packets using a single source IP address, which is shared - NAT with overload.

NAT Deployment Options
+ Static NAT: This is a one-to-one permanent mapping
+ Dynamic NAT: Dynamic NAT involves having a pool of global addresses and only mapping those global addresses to inside devices when those inside devices have and need to go out to the Internet.
+ Dynamic PAT (NAT with overload): It combines the benefits of dynamically assigning global addresses only when needed, and it uses overload so that literally thousands of inside devices can be translated to the same global IP address
+ Policy NAT/PAT: Policy-based NAT is based on a set of rules, such as what is the source IP address, what is the destination IP address, and which ports are used that would qualify that packet to have NAT/PAT applied to it.


Creating and Deploying Firewalls

Firewall Technologies
Most commercial firewalls today can do packet filtering, application layer inspection, stateful packet filtering, NAT (in all its flavors), AAA functions, and perform virtual private network (VPN) services.

Firewall Design Considerations
+ Firewalls should be placed at security boundaries
+ Firewalls should be a primary security device, but not the only security device or security measure on the network.
+ A policy that starts with a “deny all” attitude and then specifically only permits traffic that is required is a better security posture than a default “permit all” attitude first and then denying traffic specifically not wanted
+ Leverage the firewall feature that best suits the need
+ Make sure that physical security controls and management access to the firewall devices, and the infrastructure that supports them such as cables and switches, are secure
+ Have a regularly structured review process looking at the firewall logs
+ Practice change management for any configuration modification on the firewalls

Firewall Access Rules
+ Rules based on service control: access to web servers, both HTTP and HTTPS, is allowed while all other types of traffic are denied
+ Rules based on address control: These rules are based on the source/destination addresses involved
+ Rules based on direction control: These rules specify where the initial traffic can flow.
+ Rules based on user control: This can be implemented via AAA services
+ Rules based on behavior control

Packet-Filtering Access Rule Structure
In the context of packet filtering, an ACL is applied to an interface either inbound or outbound on that interface.

Firewall Rule Design Guidelines
+ Use a restrictive approach as opposed to a permissive approach for all interfaces and all directions of traffic.
+ Presume that your internal users’ machines may be part of the security problem
+ Be as specific as possible in your permit statements, such as avoiding the use of the keyword any or all IP protocols if possible
+ Recognize the necessity of a balance between functionality and security
+ Filter bogus traffic, and perform logging on that traffic. Even if you think your service provider will deny the traffic, you should implement the same filtering on your perimeter routers as well
+ Periodically review the policies that are implemented on the firewall to verify that they are current and correct

Rule Implementation Consistency
For any    changes that will be made to a firewall, a change control procedure should identify exactly what is going to be done, why it is going to be done, and the approval of the person in charge of making that authorization for the work to be done.

Results of Inconsistent or Ill-Considered Rule Implementation
+ Rules that are too promiscuous: allow more access than is necessary for the business requirement
+ Redundant rules: If a rule is already in place as allowing a specific flow of traffic, a second rule for that does not need to be added to the control lists
+ Shadowed rules: incorrect placement of ACL. Access control entries are added by default to the bottom of an ACL
+ Orphaned rules: This most likely results from a configuration error that is referencing incorrect IP addresses that would never be seen by the firewall
+ Incorrectly planned rules: This may be due to a lack of understanding what protocols (and/or ports) are really used by the devices in the network with the applications in use.
+ Incorrectly implemented rules: This results from an administrator implementing the incorrect port, protocol, or IP information on the firewall

ACLs can be configured in Cisco IOS and Cisco ASA to permit or deny traffic. An ACL is a sequential list of rules that includes at least one permit statement and may also include one or more deny statements.
IP packets are routed to the egress interface and then processed by the outbound ACL.

Implementing Cisco IOS Zone-Based Firewalls

Cisco has implemented a stateful firewall feature set in Cisco IOS Software called zone-based firewall (ZBF).

How Zone-Based Firewall Operates
With ZBFs, interfaces are placed into zones. Zones are created by the network administrator, using any naming convention that makes sense (although names such as inside, outside, and demilitarized zone [DMZ] are quite common).

Specific Features of Zone-Based Firewalls
+ Stateful inspection
+ Application inspection
+ Packet filtering
+ URL filtering
+ Transparent firewall
+ Support for virtual routing and forwarding (VRF)
+ Access control lists (ACL) are not required as a filtering method to implement the policy

Uniform resource locator (URL) filtering refers to the ability to control what traffic is permitted or denied (mostly denied) based on the URL that is trying to be accessed by the client.
VRFs are virtual routing tables on a Cisco router that can be used to compartmentalize the routing tables on the router instead of keeping all the routes in the global (primary) routing tables.

Zones and Why We Need Pairs of Them
A zone is a logical area where devices with similar trust levels reside. By default, any traffic to or from the self zone (the router itself) is allowed, but you can change this policy. For the rest of the administrator-created zones, no traffic is allowed between interfaces in different zones. For interfaces that are members of the same zone, all traffic is permitted by default.

Putting the Pieces Together
Cisco uses a language called the Cisco Common Classification Policy Language (C3PL) for the implementation of the policy. This process has three primary components:
+ Class maps: These are used to identify traffic, such as traffic that should be inspected. L3 to L7. A class map can specify that all match statements have to match (which is a match-all condition) or can specify that matching any of the entries is considered a match (which is a  match-any condition).
+ Policy maps: These are the actions that should be taken on the traffic. The primary actions that can be implemented by the policy map are inspect (which means that stateful inspection should happen), permit (which means that traffic is permitted but not inspected), drop, or log.
+ Service policies: This is where you apply the policies, identified from a policy map, to a zone pair.

The default policy for traffic that is trying to be initiated between two zones is an implicit deny.

Policy Map Actions
+ Inspect (stateful): This should be used on transit traffic initiated by users who expect to get replies from devices on the other side of the firewall
+ Pass (no stateful): traffic that does not need a reply
+ Drop: Traffic you do not want to allow between the zones
+ Log

Service Policies
A service policy is applied to a zone pair. The zone pair represents a unidirectional flow of traffic between two zones. A specific zone pair can have only a single service policy assigned to it.

Create de class-map to match either telnet or ICMP packets (match-any)
R3(config)# class-map type inspect match-any MY-CLASS-MAP
R3(config-cmap)# match protocol telnet
R3(config-cmap)# match protocol icmp

Create the policy which will use the class-map
R3(config)# policy-map type inspect MY-POLICY-MAP
R3(config-pmap)# class type inspect MY-CLASS-MAP
R3(config-pmap-c)# inspect

Create security zones
R3(config)# zone security inside
R3(config)# zone security outside

Create a zone-pair
R3(config-sec-zone)# zone-pair security in-to-out source inside destination outside

Use the policy-map
R3(config-sec-zone-pair)# service-policy type inspect MY-POLICY-MAP

Put interfaces in zones
R3(config)# interface GigabitEthernet3/0
R3(config-if)# description Belongs to outside zone
R3(config-if)# zone-member security outside
R3(config)# interface GigabitEthernet1/0
R3(config-if)# description  Belongs to inside zone
R3(config-if)# zone-member security inside



The Self Zone
Traffic directed to the router itself (as opposed to traffic going through the router as transit traffic that is not destined directly to the router) involves the self zone. Regarding the self zone, if there is a zone pair but no policy is applied, the default behavior is to forward all traffic.

Configuring and Verifying Cisco IOS Zone-Based Firewalls

First Things First
When configuring the ZBF Wizard, you can choose from three security levels:
+ High Security: With this setting, the firewall identifies and drops instant messaging and peer-to-peer traffic.
+ Medium Security: This is similar to the High Security option, but it does not check web and e-mail traffic for protocol compliance.
+ Low Security: The router does not perform any application layer inspection. It does do generic TCP and UDP inspection.

Verifying the Configuration from the Command Line

R3# show class-map type inspect
R3# show policy-map type inspect zone-pair ccp-zp-in-out sessions

Implementing NAT in Addition to ZBF

R3(config)#  access-list 2 permit 10.0.0.0 0.0.0.255
R3(config)# interface GigabitEthernet3/0
R3(config-if)# ip nat outside
R3(config)# interface GigabitEthernet1/0
R3(config-if)# ip nat inside
R3(config)# ip nat inside source list 2 interface GigabitEthernet3/0 overload

Verifying Whether NAT Is Working

R3# show ip nat translations

Configuring Basic Firewall Policies on Cisco ASA

ASA Features and Services
+ Packet filtering: Simple packet filtering normally represents an access list. The most significant difference between an access-list on an ASA versus an access list on a router is that the ASA never ever uses a wildcard mask.
+ Stateful filtering: by default, the ASA enters stateful tracking information about packets that have been initially allowed through the firewall. Probably the most significant and most used feature on the ASA.
+ Application inspection/awareness: The ASA can listen in on conversations between devices on one side and devices on the other side of the firewall. The benefit of listening in is so that the firewall can pay attention to application layer information. The challenge with this is that the initial packets for this data connection are initiated from the server on the outside sometimes.
+ Network Address Translation (NAT): It supports inside and outside NAT, and both static and dynamic NAT and PAT, including Policy NAT, which is only triggered based on specific matches of IP addresses or ports. Also it supports NAT exemption (certain traffic should not be translated) – NAT zero.
+ DHCP: The ASA can act as a Dynamic Host Configuration Protocol (DHCP) server or client or both.
+ Routing: RIP, EIGRP, OSPF, static.
+ Layer 3 or Layer 2 implementation: The ASA can be implemented as a traditional Layer 3 firewall, which has IP addresses assigned to each of its routable interfaces. The other option is to implement a firewall as a transparent firewall
+ VPN support: The ASA can operate as either the head-end or remote-end device for VPN tunnels.
+ Object groups: An object group is a configuration item on the ASA that refers to one or more items. The benefit of an object group is that a single entry in an ACL could refer to an object group as the source IP or destination IP address in an individual access control entry.
+ Botnet traffic filtering: A botnet is a collection of computers that have been compromised.
+ Advanced malware protection (AMP): The Cisco ASA provides next-generation firewall (NGFW) capabilities
+ High availability: By using two firewalls in a high-availability failover combination, you can implement protection against a single system failure
+ AAA support: locally or external ACS server.

ASA Security Levels
The ASA uses security levels associated with each routable interface. The security level is a number between 0 and 100. The bigger the number, the more trust you have for the network that the interface is connected to. So, you do three things to make interfaces on the ASA operational:
+ Assign a security level to the interface
+ Assign a name to the interface
+ Bring up the interface with the no shutdown command

The best practice for allowing users to access a resource on your network is to avoid placing your server on your internal private network - a common name assigned to this third interface is the demilitarized zone (DMZ).

The Default Flow of Traffic
By default ASA forwards traffic from a high security level host to a lower security level host. By default, if two interfaces are both at the exact same security level, traffic is not allowed between those two interfaces. Also by default the ASA does not like to (meaning it will not) receive a packet on a specific interface and route the same packet out of the exact same interface (hairpin routing).

Packet Filtering on the ASA
To provide access, you can implement packet filtering ACLs on the interfaces.
+ Inbound to an interface: Traffic that is going into an interface (any interface).
+ Inbound from a security level perspective: Traffic that is being routed by the ASA from a lower-security interface to a higher-security interface
+ Outbound to an interface: Traffic that is exiting an interface (any interface) is also referred to as egress traffic (from an interface perspective).
+ Outbound from a security level perspective: Traffic that is being routed by the ASA from a high-security interface to a lower-security interface

Implementing a Packet-Filtering ACL
The big challenge with ACLs comes into play when you apply them inbound on a high-security interface such as the inside interface. So, if you are using ACLs on each interface of the ASA, the security levels no longer control what the initial traffic flows may be.

Modular Policy Framework
For IOS ZBFs, class maps are used to identify traffic, policy maps are used to implement actions on that traffic, and the application of those policies is done with the service policy commands. On the ASA, you also use class maps to identify traffic, policy maps to identify the actions you are going to take on that traffic, and service policy commands to implement the policy you are going to take on that traffic, and service policy commands to implement the policy. The service policies can attach the policy to a specific interface or can be applied globally, which would affect all interfaces on the ASA.
Modular Policy Framework (MPF) is to allow the ASA to perform application layer inspection on FTP traffic, to listen in and dynamically allow the data connection to commence from the server.

Class maps can identify traffic based on Layer 3 and Layer 4:
+ Referring to an ACL
+ Looking at the differentiated services code point (DSCP)/IP Precedence fields of the packet
+ TCP or UDP ports
+ IP Precedence
+ Real-time Transport Protocol (RTP) port numbers
+ VPN tunnel groups

Configuring the ASA

IP Addresses for Clients
Configuration > Device Management > DHCP > DHCP Server in ASDM or CLI:
ASA1(config)# dhcpd address 10.0.0.101-10.0.0.132 inside
ASA1(config)# dhcpd enable inside
ASA1(config)# dhcpd dns 10.8.8.8  interface inside
ASA1(config)# dhcpd domain example.org interface inside

The ASA, by default, assigns itself as the default gateway for the DHCP clients to use.

Basic Routing to the Internet
Configuration > Device Setup > Routing. From this location, you can view or manage static routes and dynamic routing protocols.

ASA1(config)# route outside 0.0.0.0 0.0.0.0 23.1.2.7

NAT and PAT
Configuration > Firewall > NAT Rules

Create an object group to use for translation
ASA1(config)# object network Inside_Hosts
ASA1(config-network-object)# subnet 10.0.0.0 255.255.255.0
ASA1(config-network-object)# description Inside_Hosts

Make the translation
ASA1(config)# nat (inside,outside) 1 source dynamic Inside_Hosts interface

Permitting Additional Access Through the Firewall
Configuration > Firewall > Access Rules

Using Packet Tracer to Verify Which Packets Are Allowed

ASA1# packet-tracer input inside tcp 10.0.0.101 1065 22.33.44.55 80

Cisco IDS/IPS Fundamentals

Cisco intrusion detection systems (IDS) and intrusion prevention systems (IPS) are some of many systems used as part of a defense-in-depth approach to protecting the network against malicious traffic.

IPS Versus IDS

What Sensors Do
A sensor is a device that looks at traffic on the network and then makes a decision based on a set of rules to indicate whether that traffic is okay or whether it is malicious in some way.

Difference between IPS and IDS
You can place a sensor in the network to analyze network traffic in one of two ways. The first option is to put a sensor inline with the traffic, which just means that any traffic going through your network is forced to go in one physical or logical port on the sensor. At the sensor, the traffic is analyzed. That is the concept behind intrusion prevention systems (IPS).
IDS is detecting the attack (hence the term intrusion detection system) but is not preventing the attack.

Sensor Platforms
+ A dedicated IPS appliance, such as the 4200 series
+ Software running on the router in versions of IOS that support it
+ A module in an IOS router, such as the AIM-IPS or NME-IPS modules
+ A module on an ASA firewall in the form of the AIP module for IPS
+ A blade that works in a 6500 series multilayer switch
+ Cisco FirePOWER 8000/7000 series appliances
+ Virtual Next-Generation IPS (NGIPSv) for VMware
+ ASA with FirePOWER services

Positive/Negative Terminology
+ False positive: the sensor generates an alert about traffic and that traffic is not malicious or important as related to the safety of the network
+ False negative: there is malicious traffic on the network, and for whatever reason the IPS/IDS did not trigger an alert
+ True positive: there was malicious traffic and that the sensor saw it and reported on it
+ True negative: there was normal nonmalicious traffic, and the sensor did not generate any type of alert

Identifying Malicious Traffic on the Network

There are several different methods that sensors can be configured to use to identify malicious traffic, including the following:
+ Signature-based IPS/IDS: A signature is just a set of rules looking for some specific pattern or characteristic in either a single packet or a stream of packets. It is the most significant method used on sensors today.
+ Policy-based IPS/IDS: This type of traffic matching can be implemented based on the security policy for your network.
+ Anomaly-based IPS/IDS: An example of anomaly-based IPS/IDS is creating a baseline of how many TCP sender requests are generated on average each minute that do not get a response; used to identify worms that may be propagating through the network
+ Reputation-based IPS/IDS: collects input from systems all over the planet that are participating in global correlation; may include descriptors such as blocks of IP addresses, URLs, DNS domains, and so on as indicators of the sources for these attacks.

Possible Sensor Responses to Detected Attacks
+ Deny attacker inline: denies packets from the source IP address of the attacker for a configurable duration of time, after which the deny action can be dynamically removed.
+ Deny connection inline: terminates the packet that triggered the action and future packets that are part of the same TCP connection
+ Deny packet inline: terminates the packet that triggered the event
+ Log attacker (source) packets: begins to log future packets based on attacker’s source IP address
+ Log victim (destination) packets: begins to log all IP packets with a destinations address of the victim
+ Log pair (source, destination) packets
+ Produce alert: This is the default behavior for most signatures enabled on a sensor.
+ Produce verbose alert: same as above plus it includes a copy of the packets that triggered the alert
+ Request block connection: This action causes the sensor to request a blocking device to block based on the source IP address of the attacker, the destination IP address of the victim, and the ports involved in the packet that triggered the alert.
+ Request block host: blocks the attacker’s/destination’s IP address regardless of the port used
+ Request SNMP trap
+ Reset TCP connection: send a proxy TCP reset to the attacker.

Controlling Which Actions the Sensors Should Take
This is implemented using a calculated result called a risk rating. The maximum value for risk rating is 100.
There are three primary factors, or influencers, of the final risk rating value:
+ Signature fidelity rating (SFR): The accuracy of the signature as determined by the person who created that signature
+ Attack severity rating (ASR): The criticality of the attack as determined by the person who created that signature
+ Target value rating (TVR): The value that you, as an administrator, have assigned to specific destination IP addresses or subnets where the critical servers/ devices live.

Implementing Actions Based on the Risk Rating
Although it is true that you can implement actions as properties of individual signatures, it makes the most sense, and it is much more scalable to manage, to configure actions based on the risk rating that is created as a result of the signature matches.

IPS/IDS Evasion Techniques
+ Traffic fragmentation: the attacker splits malicious traffic into multiple parts; IPS/IDS does complete session reassembly to see the entire traffic
+ Traffic substitution and insertion: The attacker substitutes characters in the data using different formats that have the same final meaning
+ Protocol level misinterpretation: Cisco does TTL analysis and TCP checksum validation
+ Timing attacks (for example, “low and slow” attacks): attacker sending packets at lower packets per second
+ Encryption and tunneling
+ Resource exhaustion: If thousands of alerts are being generated by distracter attacks; dynamic and configurable summarization.

Managing Signatures

The most effective way to identify malicious traffic in the Cisco IPS/IDS systems is through the use of signature-based matching. Cisco organizes its signatures into groups that have similar characteristics. For each of its groups, a signature micro-engine is used to govern that set of signatures.

Micro-Engines (Groupings of Signatures)
+ Atomic: Signatures that can match on a single packet, as compared to a string of packets
+ Service: Signatures that examine application layer services, regardless of the operating system
+ String or Multistring: Supports flexible pattern matching and can be identified in a single packet or group of packets, such as a session
+ Other: Miscellaneous signatures that may not specifically fit into the previously mentioned other categories

Signature or Severity Levels
Instead of having to set a numeric value for the severity, the interface for IPS/IDS prompts us for one of four levels:
+ Informational
+ Low
+ Medium
+ High

Monitoring and Managing Alarms and Alerts

Three main protocols are used in delivering alerts. They are Security Device Event Exchange (SDEE), syslog, and SNMP. SDEE is used for real-time delivery of alerts, and is the most secure method for delivering alerts. Applications: IPS Manager Express (IME), Cisco Security Manager (CSM).


Security Intelligence
So, in short, the more sensors you have reporting, the more granular and complete the information is going to be about the attacks and the patterns that exist in the network. With global correlation, we can increase the risk rating for specific attacks if they are from source addresses that we identified as suspect in information learned from external sensors through the global correlation process. Global correlation is available on the sensor appliances but does not have to be enabled – Cisco Security Intelligence Operations (SIO)

IPS/IDS Best Practices
+ Implement an IPS so that you can analyze traffic going to your critical servers and other mission-critical devices, or the “crown jewels” for your organization.
+ If you cannot afford dedicated appliances, use modules or IOS software-based IPS/IDS
+ Take advantage of global correlation to improve your resistance against attacks that may be targeting your organization
+ Use a risk-based approach, where countermeasures occur based on the calculated risk rating as opposed to manually assigning countermeasures to individual signatures
+ Use automated signature updates when possible instead of manually installing updates
+ Continue to tune the IPS/IDS infrastructure as traffic flows and network devices and topologies change

Cisco Next-Generation IPS Solutions
+ Cisco FirePOWER 8000/7000 series appliances
+ Virtual Next-Generation IPS (NGIPSv) for VMware
+ ASA with FirePOWER Services
+ FireSIGHT Management Center

Mitigation Technologies for E-mail Based and Web-Based Threats

The Cisco E-mail Security Appliances (ESA) and the Cisco Web Security Appliance (WSA) provide a great solution designed to protect corporate users against these threats. Cisco has added Advanced Malware Protection (AMP) to the ESA and WSA to allow security administrators to detect and block malware and perform continuous analysis and retrospective alerting.

Mitigation Technology for E-mail-Based Threats

E-mail-Based Threats
+ Spam: unsolicited e-mail messages that can be advertising a service or (typically) a scam or a message with malicious intent
+ Malware attachments: mail messages containing malicious software
+ Phishing: an attacker’s attempt to fool a user that such e-mail communication comes from a legitimate entity or site, such as banks, social media websites, online payment processors, or even corporate IT communications.
+ Spear phishing: These phishing e-mails are directed to specific individuals or organizations

Cisco Cloud E-mail Security
Cisco cloud e-mail security provides a cloud-based solution that allows companies to outsource the management of their e-mail security management.

Cisco Hybrid E-mail Security
The Cisco hybrid e-mail security solution combines both cloud-based and on-premises ESAs.

Cisco E-mail Security Appliance
+ Cisco X-Series E-mail Security Appliances
         + Cisco X1070: High-performance ESA for service providers and large enterprises
+ Cisco C-Series E-mail Security Appliances
         + Cisco C680: The high-performance ESA for service providers and large enterprises
         + Cisco C670: Designed for medium-size enterprises
         + Cisco C380: Designed for medium-size enterprises
         + Cisco C370: Designed for small- to medium-size enterprises
         + Cisco C170: Designed for small businesses and branch offices

Features supported by the Cisco ESA:
+ Access control: Controlling access for inbound senders according to the sender’s IP address, IP address range, or domain name.
+ Antispam
+ Network Antivirus
+ Advanced malware protection (AMP): Allows security administrators to detect and block malware and perform continuous analysis and retrospective alerting
+ DLP: The ability to detect any sensitive e-mails and documents leaving the corporation
+ E-mail encryption
+ Outbreak filters: Preventive protection against new security outbreaks and e-mail-based scams with SIO

The Cisco ESA acts as the e-mail gateway to the organization, handling all e-mail connections, accepting messages, and relaying them to the appropriate systems.
The Cisco ESA uses listeners to handle incoming SMTP connection requests. A listener defines an e-mail processing service that is configured on an interface in the Cisco ESA. The following listeners can be configured:
+ Public listeners for e-mail coming in from the Internet
+ Private listeners for e-mail coming from hosts in the corporate (inside) network

Cisco ESA Initial Configuration
+ Step 1. Log in to the Cisco ESA. The default username is admin, and the default password is ironport
+ Step 2. Use the systemsetup command in CLI of the Cisco ESA to initiate the System Setup Wizard

Mitigation Technology for Web-Based Threats

The core solutions for mitigating web-based threats are the Cisco Cloud Web Security (CWS) offering and the integration of advanced malware protection (AMP) to the Cisco Web Security Appliance (WSA).

Cisco CWS
Cisco CWS is a cloud-based security service from Cisco that provides worldwide threat intelligence, advanced threat defense capabilities, and roaming user protection. Cisco customers can connect to the Cisco CWS service directly by using a   proxy autoconfiguration (PAC) file in the user endpoint or through connectors integrated into the following Cisco products:
+ Cisco ISR G2 routers
+ Cisco ASA
+ Cisco WSA
+ Cisco AnyConnect Secure Mobility Client

Cisco WSA
The Cisco WSA uses cloud-based intelligence from Cisco to help protect the organization before, during, and after an attack. The Cisco WSA can be deployed in explicit proxy mode or as a transparent proxy using the   Web Cache Communication Protocol (WCCP).

The following are the different Cisco WSA models:
+ Cisco WSA S680: 6-12k users, 2 rack unit (RU), 2 octa core CPUs, 32GB of mem, 4,8TB of space
+ Cisco WSA S670
+ Cisco WSA S380: 1,5 to 6k users
+ Cisco WSA S370
+ Cisco WSA S170: up to 1,5k users, 1 RU, 1 dual core CPUs, 4GB of mem, 500GB of space

The Cisco WSA runs Cisco AsyncOS operating system.

Cisco Content Security Management Appliance

Cisco Security Management Appliance (SMA) is a Cisco product that centralizes the management and reporting for one or more Cisco ESAs and Cisco WSAs.

Mitigation Technologies for Endpoint Threats

Antivirus and Antimalware Solutions

The following are the most common types of malicious software:
+ Computer viruses: A malicious software that infects a host file or system area to perform undesirable outcomes such as erasing data, stealing information, or corrupting the integrity of the system
+ Worms: Viruses that replicate themselves over the network infecting numerous vulnerable systems
+ Mailers and mass-mailer worms: A type of worm that sends itself in an e-mail message
+ Logic bombs: A type of malicious code that is injected into a legitimate application
+ Trojan horses: A type of malware that executes instructions determined by the nature of the Trojan to delete files, steal data, and compromise the integrity of the underlying operating system
+ Back doors: A piece of malware or configuration change that allows attackers to control the victim’s system remotely
+ Exploits: A malicious program designed to “exploit” or take advantage of a single vulnerability or set
+ Downloaders: A piece of malware that downloads and installs other malicious content from the Internet to perform additional exploitation on an affected system
+ Spammers: the act of sending unsolicited messages via e-mail, instant messaging, newsgroups, or any other kind of computer or mobile device communications
+ Key loggers: A piece of malware that captures the user’s keystrokes on a compromised computer or mobile device
+ Rootkits: A set of tools that are used by an attacker to elevate their privilege to obtain root-level access to be able to completely take control of the affected system
+ Ransomware: A type of malware that compromises a system and then demands a ransom from the victim to often pay the attacker in order for the malicious activity to cease or for the malware to be removed from the affected system – ex: Crypto Locker and Crypto Wall

Known antivirus programs:
+ Avast
+ AVG Internet Security
+ Bitdefender Antivirus Free
+ ZoneAlarm PRO Antivirus + Firewall and ZoneAlarm Internet Security Suite
+ F-Secure Antivirus
+ Kaspersky Anti-Virus
+ McAfee Antivirus
+ Panda Antivirus
+ Sophos Antivirus
+ Norton AntiVirus
+ ClamAV: sponsored and maintained by Cisco and non-Cisco engineers
+ Immunet: a free community-based antivirus software maintained by Cisco Sourcefire

Personal Firewalls and Host Intrusion Prevention Systems
Are software applications that you can install on end-user machines or servers to protect them from external security threats and intrusions.

Advanced Malware Protection for Endpoints
Cisco AMP for Endpoints provides mitigation capabilities that go beyond point-in-time detection. It uses threat intelligence from Cisco to perform retrospective analysis and protection. Cisco AMP for Endpoints also provides device and file trajectory capabilities to allow the security administrator to analyze the full spectrum of the attack.

Cisco acquired a security company called ThreatGRID that provides cloud-based and on-premise malware analysis solutions. Cisco integrated Cisco AMP and ThreatGRID to provide a solution for advanced malware analysis with deep threat analytics.

Hardware and Software Encryption of Endpoint Data

E-mail Encryption
When people refer to e-mail encryption, they often are referring to encrypting the actual e-mail message so that only the intended receiver can decrypt and read the message.
To effectively protect your e-mails, you should make sure of the following:
+ The connection to your e-mail provider or e-mail server is actually encrypted
+ Your actual e-mail messages are encrypted
+ Your stored, cached, or archived e-mail messages are also protected

The following are examples of e-mail encryption solutions:
+ Pretty Good Privacy (PGP): requires you to generate a public and private key
+ GNU Privacy Guard (GnuPG)
+ Secure/Multipurpose Internet Mail Extensions (S/MIME): requires you to install a security certificate on your computer
+ Web-based encryption e-mail service like Sendinc or JumbleMe

Encrypting Endpoint Data at Rest
Much commercial and free software enables you to encrypt files in an end-user workstation or mobile device. The following are a few examples of free solutions:
+ GPG: GPG also enables you to encrypt files and folders on a Windows, Mac, or Linux system
+ The built-in MAC OS X Disk Utility: enables you to create secure disk images by encrypting files with AES 128-bit or AES 256-bit encryption
+ TrueCrypt: free encryption tool for Windows, Mac, and Linux systems
+ AxCrypt: free Windows-only file encryption tool
+ BitLocker: Full disk encryption feature included in several Windows operating systems
+ Many Linux distributions such as Ubuntu
+ MAC OS X FileVault: Supports full disk encryption on Mac OS X systems

Virtual Private Networks
Many organizations deploy virtual private networks (VPN) to provide data integrity, authentication, and data encryption to ensure confidentiality of the packets sent over an unprotected network or the Internet.

Many different protocols are used for VPN implementations, including the following:
+ Point-to-Point Tunneling Protocol (PPTP) – very weak security
+ Layer 2 Forwarding (L2F) Protocol
+ Layer 2 Tunneling Protocol (L2TP)
+ Generic routing encapsulation (GRE)
+ Multiprotocol Label Switching (MPLS) VPN
+ Internet Protocol Security (IPsec)
+ Secure Sockets Layer (SSL)

VPN implementations can be categorized into two distinct groups:
+ Site-to-site VPNs: Enable organizations to establish VPN tunnels between two or more network infrastructure devices in different sites so that they can communicate over a shared medium such as the Internet. Many organizations use IPsec, GRE, or MPLS VPN as site-to-site VPN protocols.
+ Remote-access VPNs: Enable users to work from remote locations such as their homes, hotels, and other premises as if they were directly connected to their corporate network. Many organizations use IPsec and SSL VPN for remote access VPNs.


+ RADIUS is mainly used to allow users to authenticate into a network
+ TACACS is used to authenticate administrators
+ #show mac address-table count – number of MAC addresses
+ shutting down a switch port it removes all the MAC addresses dynamically learned
+ CAM table overflow attack comes through MAC spoofing; use Port-Security to protect (max MAC)
+ we need to specify a port in access mode in order to activate port-security
+ the default behavior of port-security violation is shutdown
+ #show interfaces status err-disabled – shows ports in err-disable state
+ use DHCP snooping to protect against rogue DHCP servers; enable trusted ports on the switch
+ VLAN Hopping involves tricking a switch to have an access port be trunk so we can communicate with other VLANs; protect through disabling autonegotiation (Dynamic Trunking Protocol – DTP) on a port; manually designate the port for what it needs to be – access or trunk port
+ #switchport mode access – removes the DTP and manually sets a port in access
+ #switchport nonegociate - turn off trunking mode
+ never user VLAN 1; use separate VLAN for management (out-of-band), use different native VLAN
+ unused ports should be put in shutdown and moved to some unused VLAN, like 999
+ STP can be used to attack a network so to protect we use BPDU Guard feature (globally or locally)
+ BPDU Filter doesn’t allow BPDU packets through but doesn’t shutdown the port
+ #spanning-tree portfast default
+ # spanning-tree portfast bpduguard default – enable globally Portfast and BPDU Guard
+ #spanning-tree portfast
+ #spanning-tree bpduguard enable – enable per interface Portfast and BPDU Guard
+ #show spanning-tree summary – show information on STP regarding Portfast and BPDU Guard
+ Gratuitous ARP – someone is sending its information without anyone asking; it’s used for L2 Man-in-the-Middle attack; to protect we use DHCP Snooping and Dynamic ARP Inspection (DAI)
+ Securing Data Plane: DHCP Snooping, Port-Security, no DTP/trunking, BPDU Guard, DAI
+ Parser View is a “filter”
+ #show parser view – current view
+ Control-Plane Host – restrict what management protocols are allowed
+ To activate RSA key for SSH we need a domain name and hostname changed to other than Router.
+ #crypto key generate rsa modulus 1024 – command to create a key
+ #management-interface fa2/0 allow ssh https – restrict protocols for management on interface
+ enable logging and send that information to a syslog server
+ enable IP Unicast RPF to check the direction the packets are coming from
+ authenticate NTP process to have correct clock on the router
+ Use SNMPv3 because higher security with authentication; can use trap to send information upstream
+ Cisco Configuration Professional (CCP) doesn’t support SNMPv3
+ use Secure-Boot to protect the IOS image and the start-up configuration file
+ #show secure bootset – information about securing the IOS and start-up file
+ To control the Data Plane we use ACLs for packet filtering
+ Router self-generated traffic passes through an ACL with a deny ip any any line; outbound ACL only filters transit traffic
+ an empty ACL lets all the traffic pass
+ Standard ACL can only match based on L3 source address; no. 1-99, 1300-1999
+ Extended ACL used to match destination source, port, protocol L3+L4; no. 100-199, 2000-2699
+ ACLs can use object groups
+ IPv6 user send Router Solicitation (RS) message to get an IPv6 address and receives a Router Advertisement (RA) message from a router on the network running IPv6; autoconfiguration without DHCPv6
+ IPv6 has no ARP or broadcast; uses Network Discovery Protocol (NDP); hosts join a multicast group and asks there what’s the address of someone
+ First group IPv6 from 2000 to 3FFF it’s a Global IPv6 address
+ Link local IPv6 address starts with FE80; used by routing protocols in advertisements
+ every address that starts with FF is a multicast address
+ ::1 is the local loopback
+ for OSPF routing protocol we need to have a router-ID, which can be an IPv4 address, if none exists then we have to specify a router-ID
+ Secure IPv6: physical security, device hardening (close unused services/), services, features, AAA
+ Secure Neighbor Discovery (SEND) used to mitigate rogue DHCP servers in IPv6 – RA Snooping
+ to transport IPv6 traffic across IPv4 networks use tunneling; don’t use Auto 6to4
+ use Proxy to hide a host from the outside traffic; ex: www traffic goes through a proxy server which does all the communication on behalf of the local host with the www server
+ Reflexive ACL like Stateful Filtering allow returned traffic; use reflect name attribute to create a dynamic inbound ACL from the outside to allow return traffic; create an inbound ALC on the outside interface that evaluates name and denies everything else
+ Context Based Access Control (CBAC) it does stateful filtering; uses inspect function ports
#ip inspect name REMEMBER TCP
#ip inspect name REMEMBER UDP
#ip inspect name REMEMBER ICMP
#ip inspect REMEMBER out – apply the inspection on packets leaving the outside interface

+ Zone-Based Firewall (ZBF), default there is no traffic between zones
+ ZBF identifies traffic by class-maps
+ ZBF’s policy-map takes the action: allow, pass and drop.
+ ZBF creates zone-pair, unidirectional
+ ZBF uses service-policy to say where to apply the action
+ ZBF contains a Self zone by default, which is the router; all traffic is allowed between other zones and self- zone
+ ASA initial traffic from higher to lower security level is allowed
+ ASA initial traffic from lower to higher security level is denied
+ ASA features: stateful inspection, application and protocol inspection, NAT/PAT, VPN, BotNet filter
+ ASA won’t accept HTTP requests for management, only HTTPS
+ IDS used in promiscuous mode
+ IDS could send messages to the router or/and the firewall to tell them to block a source IP; on the router it does it by modifying an ACL, on a firewall that’s done with a SHUN;
+ we can have a software IPS on a router – an IOS/IPS
+ IPS: physical appliance, software on IOS, hardware module, host based software
+ True positive: threat detected, generated an alert and acted on it
+ False positive: acting by mistake on traffic that wasn’t malware; must be eliminated – set exception
+ True negative: no malicious traffic happening – normal traffic
+ False negative: traffic that doesn’t seem malicious but it is
+ Signature matching is the first option for malicious traffic detection (ping sweep, port scan etc); thousands created by Cisco exist on the appliances or software IOS
+ Policy-based is another tool to identify malicious or unwanted traffic
+ Anomaly based method scans the traffic that goes over certain accepted levels; ex 20 half sessions are accepted on the network within a minute, if 60/90/200 or more are seen that is an indication that there is a worm in the network, for instance; then IPS steps in
+ Reputation based method uses global databases information on attacks that happened to others
+ deny connections is better than IP addresses
+ log traffic to analyze later for better understanding on what’s happening on the network
+ alerts generated let us know what’s happening; uses SDEE protocol on top TCP.
+ Verbose alert sends the alert and the packet which triggered the alert
+ IDS/IPS can ask for help to block traffic, for example
+ IDS/IPS can ask for a TCP reset by sending it on behalf of the victim (spoofing)
+ IOSv5 supports the latest IPS software based (has same signatures as the appliance)
+ we need to download from Cisco the packages with the signatures and update them regularly
+ we need the public key from Cisco to verify the packages
+ Security Device Events Exchange SDEE is in action
+ IPS software based uses separate files for the signatures, it doesn’t put them in the running-config
+ Un-retired and retired signatures use memory
+ Cisco Security Manager (CSM) is used in corporate networks
+ Event Action Filter (EAF)
+ Event Action Override uses Risk Rating (RR) to override the default countermeasures
+ RR (Severity, Fidelity, Target Value Rating) = (SVR*Fid*TVR)/10.000; 1-100 value
+ an Enabled and Retired signature doesn’t do anything.
+ verify Source (IP Source Guard) to check spoofed addresses; IP Unicast Reverse-Path can be used too
+ Confidentiality handles Encryption and Authentication
+ Symmetrical encryption uses one single Key for encryption and decrypting
+ Symmetrical algorithms: DES, 3DES, AES (Advanced Encryption Standard), IDEA
+ Asymmetrical algorithms use 2 Keys – pair, one to encrypt the message, which is private, and a second to decrypt the message with its pair public key
+ Symmetrical is used to encrypt bulked data moved across the network
+ Asymmetrical is used for authentication functions
+ Asymmetrical algorithms used are RSA, DSA etc
+ Hashing helps us check the integrity of the packets: SHA, MD5-128
+ R1#veryfy /md5 flash:c2801xxx.bin – verify the flash of a downloaded IOS
+ this method can be hacked because the hash itself is not secure; we use Hashed Message Authentication Code (HMAC) to secure it with a secret key
+ with a Digital Signature we prove who is sending the data; the receiver gets the public key
+ the encrypted hash IS the digital signature
+ Data – hash (checksum/digest) – encrypt the hash with the private key (digital signature)
+ Primary objective of IPSec is Confidentiality
+ Second is Integrity with hashing
+ 3rd is Authentication, with a pre-shared key (PSK), RSA signatures
+ 4th is to Prevent Anti-Replay attacks; it counts packets
+ with IPSec there are two tunnels involved
+ basic IPSec without GRE doesn’t use IP addresses on the VPN tunnel
+ IKE – Internet Key Exchange; IKE Phase1 Tunnel – private conversation between routers
+ IKE Phase2 Tunnel is for user traffic – the IPSec tunnel
+ SASecurity Association
+ DH group happens in step 2 of IKE Phase1; allows two devices to negotiate and establish secrets – dynamically for symmetrical algorithms, even though itself is an asymmetrical algorithm
+ Has 2 modes: Main mode (with more packets back and forth) and Aggressive mode (IKE Phase2 is Quick mode)
+ PFS (Perfect Secrecy) works with IKE Phase2 tunnel
+ the routers during the IKE Phase1 can disagree on one single option, the Lifetime; all others mush match
+ PSK are used once in IKE Phase1 for authentication, before the DH
+ Transform Set is in fact the IKE Phase2 setup for negotiation
+ the ACL is called a crypto ACL
+ Inside IPSec are two protocols: ESP (Encapsulation Security Payload) and AH (Authentication Header), which is not used now; is a L4 protocol 50
+ RC4 is a symmetrical encryption algorithm used with SSL
+ the public key comes inside a Digital Certificate, released by a trusted Certificate Authority, with validity dates, issuer etc
+ user encrypts the key it wants to use with the server using the public key it received so when it sends the key encrypted the server can decrypt it using its private key so now both have the key for encrypting
+ user proves who he is by authentication with username and password, usually
+ Clientless SSL VPN doesn’t use a IPSec VPN client on the user’s machine (ex Cisco AnyConnect)
+ With SSL we don’t use Site-to-Site VPN
+ use more gate security
+ Smurf attack, one spoofs its address and request sessions from you and you unwillingly reply to the real network which is also under attack, not by you
+ Cisco Security Agent (CSA) is the host based IPS
+ Scan Safe from Cisco analyzes traffic, for cloud based services (it is in the cloud)
+ IronPort can help against viruses and spam travelling through emails
+ Cisco Security Manager (CSM) to manage many appliances at once

+ enable secret takes precedence over enable password
+ the only password encrypted by default is the enable secret, with MD5
+ top layer Stratum 0 is for GPS and atomic watches with NTP
+ a Cisco router can’t serve as a Stratum 0 device, nor can it get it’s time directly from one
+ a Cisco router can be a server, client or a peer in NTP process
+ use NTPv3 or higher, offers security features
+ to manually set the time and date you need to disable NTP first (any active association)
+ NTP uses UDP port 123
+ when configure a Cisco router with NTP and it synchronizes it gets Stratum level 8 by default; this value will change depending on how further way it is from the Master
+ for unsynchronized clocks the Stratum level is 16
+ 127.127.7.1 is the IP address that the Master is using  for a reference for itself
+ #show ntp status and #show ntp associations – most important for troubleshoot
+ while telnet allows a single password as a valid entry ssh requires both username and password
+ with ssh you must: define a domain, no “router” named router and issue #crypto key generate rsa
+ telnet is disable by default
+ Password required, but not set error message – no password defined on the VTY lines
+ if no enable passwords are set the remote user can’t get into privileged     mode – % No password set error
+ if #privilege level 15 is set on VTY lines then the user telnets directly into the privileged mode with the password set on VTY lines
+ if a username exists and login local is set on the VTY lines then that user and passwords are used
+ SNMPv1/2 have “passwords” – the community strings, which are known, not secure
+ SNMPv3 is not supported in Cisco Configuration Professional
+ to work with parser view you need two things: enable secret and aaa new-model
+ TCP intercept can run in intercept mode or watch mode to protect againt SYN-flood attack (DoS)
#ip tcp intercept mode intercept/watch
create an ACL to link to the TCP intercept
#ip tcp intercept list x

+ in exec mode dir doesn’t work for secure files
+ secure bootset cat be activated remotely, but not deactivated
+ VLAN hopping attacks: switch spoofing (with DTP), double tagging
+ BPDU Guard takes action upon receiving any BPDUs on the port; works only with portfast
+ Root Guard takes action upon receiving superior BPDUs; configured at the port level
+ #switchport port-security is issued on access ports
+ the defaults for port-security are: 1 MAC and shutdown action
+ DAI is performed or ARP messages received (not sent) by the device; enabled with DHCP spooping
+ same as DHCP snooping all ports are by default untrusted
+ #ip arp inspection vlan
+ #show ip arp inspection [interfaces]
+ RADIUS UDP 1812
+ TACACS+ TCP 49
+ TACACS+ server messages: accept, reject, continue (more info required) or error (not failed auth)