Hand notes-CCNA Security 210-260-Part-2
Securing
Routing Protocols and the Control Plane
Securing
the Control Plane
The control plane ensures that the management and data planes are
maintained and operational. Control plane packets are network device–generated
or received packets that are used for the creation and operation of the network
itself. Some examples of control plane functions include routing protocols
(for example, BGP, OSPF, EIGRP), as well as protocols like Internet Control
Message Protocol (ICMP) and the Resource Reservation Protocol (RSVP).
In many cases, you can disable the reception and transmission of certain types
of packets on an interface to minimize the amount of CPU load that is required
to process unneeded packets.
Process switched traffic falls into two primary categories:
+ Receive adjacency traffic: This traffic contains an entry in the
Cisco Express Forwarding (CEF) table whereby the next router hop is the
device itself, which is indicated by the term receive in the show ip
cef CLI. Any of the IP
addresses/subnets for which “receive” is listed as the Next Hop indicates that
packets destined for this address space will end up hitting the control plane
and CPU.
+ Data plane traffic requiring special processing by the CPU: The
following types of data plane traffic require special processing by the CPU
resulting in a performance impact on the CPU:
+ Access control list
(ACL) logging:
+ Unicast Reverse Path
Forwarding (Unicast RPF)
+ IP options: Any IP
packets with options included must be processed by the CPU
+ Fragmentation: Any
IP packet that requires fragmentation must be passed to the CPU for processing
+ Time-To-Live (TTL)
expiry: Packets that have a TTL value less than or equal to 1 require
“Internet Control Message Protocol Time Exceeded
+ ICMP unreachables:
Packets that result in ICMP unreachable messages due to routing, maximum transmission unit
(MTU), or filtering are processed by the CPU
+ Traffic requiring an
ARP request: Destinations for which an ARP entry does not exist require
processing by the CPU
+ Non-IP traffic: All
non-IP traffic is processed by the CPU
Control
Plane Policing
Control plane policing (CoPP) can be used to identify the type and
rate of traffic that reaches the control plane of the Cisco IOS device.
# show policy-map
control-plane
CoPP is a Cisco IOS-wide feature designed to allow users to manage the
flow of traffic handled by the route processor of their network devices.
In Example 13-2, only BGP and Secure Shell (SSH) traffic from trusted
hosts (that is, devices in the 192.168.1.0/24 subnet) is permitted to reach the
Cisco IOS device CPU. In addition, certain types of ICMP traffic destined to
the network infrastructure (that is, devices with IP addresses in the
10.1.1.0/24 subnet) will be rate-limited to 5000 packets per second (pps).
!
access-list 101
permit icmp any 10.1.1.0 0.0.0.255 echo
access-list 101
permit icmp any 10.1.1.0 0.0.0.255 echo-reply
access-list 101
permit icmp any 10.1.1.0 0.0.0.255 time-exceeded
access-list 101
permit icmp any 10.1.1.0 0.0.0.255 ttl-exceeded
access-list 123 permit
tcp 192.168.1.0 0.0.0.255 any eq 22
access-list 123 permit
udp 192.168.1.0 0.0.0.255 any eq bgp
access-list 123 deny tcp any any eq 22
access-list 123 deny udp any any eq bgp
access-list 123
deny ip any any
!
class-map
match-all ICMP
match access-group 101
class-map
match-all UNDESIRABLE-TRAFFIC
match access-group 123
!
policy-map COPP-INPUT-POLICY
class UNDESIRABLE-TRAFFIC
drop
class ICMP
police 50000 5000 5000 conform-action
transmit exceed-action drop
!
control-plane
service-policy input COPP-INPUT-POLICY
!
CCNA-Router-1#
show policy-map control-plane
Control
Plane Protection
Control plane protection (CPPr) is another feature, similar to
control plane policing, that can help to mitigate the effects on the CPU of
traffic that requires processing by the CPU.
CPPr can restrict traffic with finer
granularity by dividing the aggregate control plane into three separate
control plane categories known as subinterfaces:
+ Host subinterface
+ Transit subinterface
+ CEF-Exception subinterface
CPPr feature also additionally provides the following:
+ Port-filtering feature: Enables the policing and dropping of packets
that are sent to closed or nonlistening TCP or UDP ports
+ Queue-thresholding feature: Limits the number of packets for a
specified protocol that are allowed in the control-plane IP input queue
Securing
Routing Protocols
MD5 authentication is still susceptible to brute-force and dictionary
attacks if weak passwords are chosen. You are advised to use passwords with
sufficient randomization.
Implement
Routing Update Authentication on OSPF
MD5 authentication for OSPF requires configuration at both the interface
level, that is, for each interface in which OSPF will be used, as well within
the router OSPF process itself. Use the ip ospf authentication-key
interface command to specify this password.
If you enable MD5 authentication with the message-digest keyword,
you must configure a password with the ip ospf message-digest-key
interface command.
!
interface GigabitEthernet0/1
ip
address 192.168.10.1 255.255.255.0
ip
ospf authentication message-digest
ip
ospf message-digest-key 1 md5 CCNA
!
router ospf 65000
router-id
192.168.10.1
area
0 authentication message-digest
network
10.1.1.0 0.0.0.255 area 10
network
192.168.10.0 0.0.0.255 area 0
!
Implement
Routing Update Authentication on EIGRP
As with OSPF, MD5 authentication for EIGRP requires configuration at the
interface level, there is no specific configuration required within the router
EIGRP process itself. EIGRP authentication also makes use of a key chain that
is configured in global configuration mode.
!
key chain CCNA
key
1
key-string
CCNA-SECURITY
!
!
interface Loopback0
ip
address 192.168.100.1 255.255.255.0
!
interface GigabitEthernet0/1
ip
address 192.168.10.1 255.255.255.0
ip
authentication mode eigrp 65000 md5
ip
authentication key-chain eigrp 65000 CCNA
!
router eigrp 65000
network
192.168.10.0
network
192.168.100.0
!
Implement
Routing Update Authentication on RIP
RIP Version 1 (RIPv1) does not support authentication. If you are sending
and receiving RIPv2 packets, you can enable RIP authentication on an interface.
!
key chain CCNA
key
1
key-string
CCNA-SECURITY
!
!
interface Loopback0
ip
address 192.168.100.1 255.255.255.0
!
!
interface GigabitEthernet0/1
ip
address 192.168.10.1 255.255.255.0
ip
rip authentication mode md5
ip
rip authentication key-chain CCNA
!
router rip
version
2
network
192.168.10.0
network
192.168.100.0
!
Implement Routing Update Authentication on BGP
Peer authentication with MD5
creates an MD5 digest of each packet sent as part of a BGP session. Peer
authentication with MD5 is configured with the password option to the neighbor BGP router configuration command.
interface Loopback1
ip
address 192.168.15.1 255.255.255.0
!
interface GigabitEthernet0/1
ip
address 192.168.10.1 255.255.255.0
!
router bgp 65000
bgp log-neighbor-changes
network 192.168.15.0
neighbor 192.168.10.2 remote-as 65100
neighbor 192.168.10.2 password CCNA-SECURITY
CCNA-Router-1#show
ip bgp neighbors | include Option Flags – Verifying MD5 authentication between BGP Peers
Understanding
Firewall Fundamentals
The word firewall commonly describes systems or devices that are placed
between a trusted and an untrusted network. Complete separation means that no
network connectivity exists, which does not serve anyone very well. By allowing
specific traffic through the firewall, you can implement a balance of the
required connectivity and security.
Firewall
Technologies
A firewall is a concept that can be implemented by a single device, a
group of devices, or even simply software running on a device such as a host or
a server. Could be implemented by the following:
+ A router or other Layer 3 forwarding device that has an access
list or some other method used to filter traffic that is trying to go between
two of its interfaces. Adaptive Security Appliance (ASA) firewall.
+ A switch that has two virtual LANs (VLAN) without any routing in
between them, which would absolutely keep traffic from the two different
networks separate (by not being able to have inter-VLAN communications).
+ Hosts or servers that are running software that prevents certain
types of received traffic from being processed and controls which traffic can
be sent. This is an example of a software firewall.
Objectives
of a Good Firewall
+ It must be resistant to attacks
+ Traffic between networks must be forced through the firewall
+ The firewall enforces the access control policy of the organization
Protective
Measures Provided by a Firewall
+ Exposure of sensitive systems to untrusted individuals: By
hiding most of the functionality of a host or network device, and permitting
only the minimum required connectivity to that given system
+ Exploitation of protocol flaws: configure a firewall to inspect
protocols to ensure compliance with the standards for that protocol at multiple
layers of the protocol stack.
+ Unauthorized users: By using authentication methods, a firewall
could control which user’s traffic is allowed through the firewall
+ Malicious data: A firewall can detect and block malicious data
Potential
Firewall Limitations
+ Configuration mistakes have serious consequences
+ Not all network applications were written to survive going through the
firewall
+ Individuals who are forced to go through a firewall might try to engineer
a way around it
+ Latency being added by the firewall
The Defense-in-Depth
Approach
Having just one single point of
control/security for your entire network is not wise. One solution, which is
really more an idea than a solution, is to use a defense-in-depth approach or
what is known as a layered approach to security. In short, it cannot be just a
single device protecting all of your network; it needs to be a team effort by
nearly all the devices.
Firewall
Methodologies
Network-based firewalls provide key features used for perimeter security.
May include:
+ Simple packet-filtering techniques
+ Proxy servers
+ NAT
+ Stateful inspection firewalls
+ Transparent firewalls
+ Next-generation context and application-aware firewalls
Static
Packet Filtering
Static packet filtering is based on Layer 3 and Layer 4 of the OSI model.
ACLs. Stateless (does not
maintain session information for current flows of traffic going through the
router).
Application
Layer Gateway
Application layer firewalls, which are also sometimes called proxy
firewalls or application gateways, can operate at Layer 3 and higher in the OSI
reference model. Most of these proxy servers include specialized application
software that takes requests from a client, puts that client on hold for a
moment, and then turns around and makes the requests as if it is its own
request out to the final destination. No direct communication occurs between
the client and the destination server.
Stateful
Packet Filtering
Stateful packet filtering is one of the most important firewall
technologies in use today. It is called stateful because it remembers the state
of sessions that are going through the firewall. In short, the reply traffic
goes back to the users successfully, but attackers on the outside trying to
initiate sessions are denied by default.
Application
Inspection
An application inspection firewall can analyze and verify protocols all
the way up to Layer 7 of the OSI reference model, but does not act as a proxy between
the client and the server being accessed by the client.
+ Can see deeper into the conversations
+ Awareness of the details at the application layer
+ Can prevent more kinds of attacks than stateful filtering on its own
Transparent
Firewalls
A transparent firewall is more about how we inject the firewall into the
network as opposed to what technologies it uses for filtering. A transparent
firewall can use packet-based filtering, stateful filtering, application
inspection as we discussed earlier, but the big difference with transparent
firewalls is that they are implemented at Layer 2.
Next-Generation
Firewalls
An example of an NGFW is the Cisco ASA with FirePOWER Services.
Using
Network Address Translation
Network Address Translation (NAT) is an important feature that is
often implemented on firewalls.
Inside,
Outside, Local, Global
+ Inside local: The real IP configured on an inside host
+ Inside global: The mapped/global address that the router is swapping
out for the inside host during NAT
+ Outside local: If performing NAT on outside devices (outside NAT), this
is the mapped address of the outside device (such as Server A) as it would
appear to inside hosts. If not doing outside NAT on the router, this appears as
the normal outside device’s IP address to the inside devices
+ Outside global: The real IP configured on an outside host, such as the
IP on Server A
NAT is also used to allow communications between two networks that
otherwise would have incompatible IP addressing (such as overlapping
addresses), and with the use of PAT, we have been able to extend the lifetime
of IPv4 for a least a decade longer than it should have been used.
Port
Address Translation
PAT device keeps track of individual sessions based on port numbers and
other unique identifiers, and then forwards all packets using a single source
IP address, which is shared - NAT with overload.
NAT
Deployment Options
+ Static NAT: This is a one-to-one permanent mapping
+ Dynamic NAT: Dynamic NAT involves having a pool of global
addresses and only mapping those global addresses to inside devices when those
inside devices have and need to go out to the Internet.
+ Dynamic PAT (NAT with overload): It combines the benefits of
dynamically assigning global addresses only when needed, and it uses overload
so that literally thousands of inside devices can be translated to the same
global IP address
+ Policy NAT/PAT: Policy-based NAT is based on a set of rules,
such as what is the source IP address, what is the destination IP address, and
which ports are used that would qualify that packet to have NAT/PAT applied to
it.
Creating
and Deploying Firewalls
Firewall
Technologies
Most commercial firewalls today can do packet filtering, application
layer inspection, stateful packet filtering, NAT (in all its flavors), AAA
functions, and perform virtual private network (VPN) services.
Firewall
Design Considerations
+ Firewalls should be placed at security boundaries
+ Firewalls should be a primary security device, but not the only
security device or security measure on the network.
+ A policy that starts with a “deny all” attitude and then specifically
only permits traffic that is required is a better security posture than a
default “permit all” attitude first and then denying traffic specifically not
wanted
+ Leverage the firewall feature that best suits the need
+ Make sure that physical security controls and management access to the
firewall devices, and the infrastructure that supports them such as cables and
switches, are secure
+ Have a regularly structured review process looking at the firewall logs
+ Practice change management for any configuration modification on the
firewalls
Firewall
Access Rules
+ Rules based on service control: access to web servers, both HTTP
and HTTPS, is allowed while all other types of traffic are denied
+ Rules based on address control: These rules are based on the
source/destination addresses involved
+ Rules based on direction control: These rules specify where the
initial traffic can flow.
+ Rules based on user control: This can be implemented via AAA
services
+ Rules based on behavior control
Packet-Filtering
Access Rule Structure
In the context of packet filtering, an ACL is applied to an interface
either inbound or outbound on that interface.
Firewall
Rule Design Guidelines
+ Use a restrictive approach as opposed to a permissive approach for all
interfaces and all directions of traffic.
+ Presume that your internal users’ machines may be part of the security
problem
+ Be as specific as possible in your permit statements, such as avoiding
the use of the keyword any or all IP protocols if possible
+ Recognize the necessity of a balance between functionality and security
+ Filter bogus traffic, and perform logging on that traffic. Even if you
think your service provider will deny the traffic, you should implement the
same filtering on your perimeter routers as well
+ Periodically review the policies that are implemented on the firewall
to verify that they are current and correct
Rule
Implementation Consistency
For any changes that will be
made to a firewall, a change control procedure should identify exactly what is
going to be done, why it is going to be done, and the approval of the person in
charge of making that authorization for the work to be done.
Results
of Inconsistent or Ill-Considered Rule Implementation
+ Rules that are too promiscuous: allow more access than is
necessary for the business requirement
+ Redundant rules: If a rule is already in place as allowing a
specific flow of traffic, a second rule for that does not need to be added to
the control lists
+ Shadowed rules: incorrect placement of ACL. Access control entries are added by default to the bottom of an ACL
+ Orphaned rules: This most likely results from a configuration
error that is referencing incorrect IP addresses that would never be seen by
the firewall
+ Incorrectly planned rules: This may be due to a lack of
understanding what protocols (and/or ports) are really used by the devices in
the network with the applications in use.
+ Incorrectly implemented rules: This results from an
administrator implementing the incorrect port, protocol, or IP information on
the firewall
ACLs can be configured in Cisco IOS and Cisco ASA to permit or deny
traffic. An ACL is a sequential list of rules that includes at least one permit
statement and may also include one or more deny statements.
IP packets are routed to the egress interface and then processed by the
outbound ACL.
Implementing
Cisco IOS Zone-Based Firewalls
Cisco has implemented a stateful firewall feature set in Cisco IOS
Software called zone-based firewall (ZBF).
How
Zone-Based Firewall Operates
With ZBFs, interfaces are placed into zones. Zones are created by the
network administrator, using any naming convention that makes sense (although
names such as inside, outside, and demilitarized zone [DMZ] are quite common).
Specific
Features of Zone-Based Firewalls
+ Stateful inspection
+ Application inspection
+ Packet filtering
+ URL filtering
+ Transparent firewall
+ Support for virtual routing and forwarding (VRF)
+ Access control lists (ACL) are not required as a filtering method to
implement the policy
Uniform resource locator (URL) filtering refers to the ability to
control what traffic is permitted or denied (mostly denied) based on the URL
that is trying to be accessed by the client.
VRFs are virtual routing tables on a Cisco router
that can be used to compartmentalize the routing tables on the router instead
of keeping all the routes in the global (primary) routing tables.
Zones
and Why We Need Pairs of Them
A zone is a logical area where devices with similar trust levels reside.
By default, any traffic to or from the self zone (the router itself)
is allowed, but you can change this policy. For the rest of the
administrator-created zones, no traffic is allowed between interfaces in different
zones. For interfaces that are members of the same zone, all traffic is
permitted by default.
Putting
the Pieces Together
Cisco uses a language called the Cisco Common Classification Policy
Language (C3PL) for the implementation of the policy. This process
has three primary components:
+ Class maps: These are used to identify traffic, such as traffic
that should be inspected. L3 to L7. A class map can specify that all match
statements have to match (which is a match-all condition) or can specify
that matching any of the entries is considered a match (which is a match-any condition).
+ Policy maps: These are the actions that should be taken on the
traffic. The primary actions that can be implemented by the policy map are inspect
(which means that stateful inspection should happen), permit (which
means that traffic is permitted but not inspected), drop, or log.
+ Service policies: This is where you apply the policies,
identified from a policy map, to a zone pair.
The default policy for traffic that is trying to be initiated between two
zones is an implicit deny.
Policy Map Actions
+ Inspect (stateful): This should be used on transit traffic
initiated by users who expect to get replies from devices on the other side of
the firewall
+ Pass (no stateful): traffic that does not need a reply
+ Drop: Traffic you do not want to allow between the zones
+ Log
Service
Policies
A service policy is applied to a zone pair. The zone pair represents a
unidirectional flow of traffic between two zones. A specific zone pair can have
only a single service policy assigned to it.
Create de class-map to match either telnet or ICMP packets (match-any)
R3(config)#
class-map type inspect match-any MY-CLASS-MAP
R3(config-cmap)#
match protocol telnet
R3(config-cmap)#
match protocol icmp
Create the policy which will use the class-map
R3(config)#
policy-map type inspect MY-POLICY-MAP
R3(config-pmap)#
class type inspect MY-CLASS-MAP
R3(config-pmap-c)#
inspect
Create security zones
R3(config)# zone
security inside
R3(config)# zone
security outside
Create a zone-pair
R3(config-sec-zone)#
zone-pair security in-to-out source inside destination outside
Use the policy-map
R3(config-sec-zone-pair)#
service-policy type inspect MY-POLICY-MAP
Put interfaces in zones
R3(config)#
interface GigabitEthernet3/0
R3(config-if)#
description Belongs to outside zone
R3(config-if)#
zone-member security outside
R3(config)#
interface GigabitEthernet1/0
R3(config-if)#
description Belongs to inside zone
R3(config-if)#
zone-member security inside
The
Self Zone
Traffic directed to the router itself (as opposed to traffic going
through the router as transit traffic that is not destined directly to the
router) involves the self zone. Regarding the self zone, if there is a zone
pair but no policy is applied, the default behavior is to forward all traffic.
Configuring
and Verifying Cisco IOS Zone-Based Firewalls
First Things First
When configuring the ZBF Wizard, you can choose from three security
levels:
+ High Security: With this setting, the firewall identifies and
drops instant messaging and peer-to-peer traffic.
+ Medium Security: This is similar to the High Security option,
but it does not check web and e-mail traffic for protocol compliance.
+ Low Security: The router does not perform any application layer
inspection. It does do generic TCP and UDP inspection.
Verifying
the Configuration from the Command Line
R3# show class-map
type inspect
R3# show
policy-map type inspect zone-pair ccp-zp-in-out sessions
Implementing
NAT in Addition to ZBF
R3(config)# access-list 2 permit 10.0.0.0 0.0.0.255
R3(config)#
interface GigabitEthernet3/0
R3(config-if)# ip
nat outside
R3(config)#
interface GigabitEthernet1/0
R3(config-if)# ip
nat inside
R3(config)# ip nat
inside source list 2 interface GigabitEthernet3/0 overload
Verifying Whether
NAT Is Working
R3# show ip nat
translations
Configuring
Basic Firewall Policies on Cisco ASA
ASA Features and
Services
+ Packet filtering: Simple packet filtering normally represents an
access list. The most significant difference between an access-list on an ASA
versus an access list on a router is that the ASA never ever uses a wildcard
mask.
+ Stateful filtering: by default, the ASA enters stateful tracking
information about packets that have been initially allowed through the
firewall. Probably the most significant and most used feature on the ASA.
+ Application inspection/awareness: The ASA can listen in on
conversations between devices on one side and devices on the other side of the
firewall. The benefit of listening in is so that the firewall can pay attention
to application layer information. The challenge with this is that the initial
packets for this data connection are initiated from the server on the outside
sometimes.
+ Network Address Translation (NAT): It supports inside and
outside NAT, and both static and dynamic NAT and PAT, including Policy NAT,
which is only triggered based on specific matches of IP addresses or ports.
Also it supports NAT exemption (certain traffic should not be translated) – NAT
zero.
+ DHCP: The ASA can act as a Dynamic Host Configuration Protocol
(DHCP) server or client or both.
+ Routing: RIP, EIGRP, OSPF, static.
+ Layer 3 or Layer 2 implementation: The ASA can be implemented as
a traditional Layer 3 firewall, which has IP addresses assigned to each of its
routable interfaces. The other option is to implement a firewall as a
transparent firewall
+ VPN support: The ASA can operate as either the head-end or
remote-end device for VPN tunnels.
+ Object groups: An object group is a configuration item on the
ASA that refers to one or more items. The benefit of an object group is that a
single entry in an ACL could refer to an object group as the source IP or
destination IP address in an individual access control entry.
+ Botnet traffic filtering: A botnet is a collection of computers
that have been compromised.
+ Advanced malware protection (AMP): The Cisco ASA provides
next-generation firewall (NGFW) capabilities
+ High availability: By using two firewalls in a high-availability
failover combination, you can implement protection against a single system
failure
+ AAA support: locally or external ACS server.
ASA
Security Levels
The ASA uses security levels associated with each routable interface. The
security level is a number between 0 and 100. The bigger the number, the more
trust you have for the network that the interface is connected to. So, you do
three things to make interfaces on the ASA operational:
+ Assign a security level to the interface
+ Assign a name to the interface
+ Bring up the interface with the no shutdown command
The best practice for allowing users to access a resource on your network
is to avoid placing your server on your internal private network - a common
name assigned to this third interface is the demilitarized zone (DMZ).
The
Default Flow of Traffic
By default ASA forwards traffic from a high security level host to a
lower security level host. By default, if two interfaces are both at the exact
same security level, traffic is not allowed between those two interfaces. Also
by default the ASA does not like to (meaning it will not) receive a packet on a
specific interface and route the same packet out of the exact same interface
(hairpin routing).
Packet
Filtering on the ASA
To provide access, you can implement packet filtering ACLs on the
interfaces.
+ Inbound to an interface: Traffic that is going into an interface
(any interface).
+ Inbound from a security level perspective: Traffic that is being
routed by the ASA from a lower-security interface to a higher-security
interface
+ Outbound to an interface: Traffic that is exiting an interface
(any interface) is also referred to as egress traffic (from an interface
perspective).
+ Outbound from a security level perspective: Traffic that is
being routed by the ASA from a high-security interface to a lower-security interface
Implementing
a Packet-Filtering ACL
The big challenge with ACLs comes into play when you apply them inbound
on a high-security interface such as the inside interface. So, if you are using
ACLs on each interface of the ASA, the security levels no longer control what
the initial traffic flows may be.
Modular
Policy Framework
For IOS ZBFs, class maps are used to identify traffic, policy maps are
used to implement actions on that traffic, and the application of those
policies is done with the service policy commands. On the ASA, you also use
class maps to identify traffic, policy maps to identify the actions you are
going to take on that traffic, and service policy commands to implement the
policy you are going to take on that traffic, and service policy commands to
implement the policy. The service policies can attach the policy to a specific
interface or can be applied globally, which would affect all interfaces on the
ASA.
Modular Policy Framework (MPF) is to allow the ASA to perform
application layer inspection on FTP traffic, to listen in and dynamically allow
the data connection to commence from the server.
Class maps can identify traffic based on Layer 3 and Layer 4:
+ Referring to an ACL
+ Looking at the differentiated services code point (DSCP)/IP Precedence
fields of the packet
+ TCP or UDP ports
+ IP Precedence
+ Real-time Transport Protocol (RTP) port numbers
+ VPN tunnel groups
Configuring
the ASA
IP Addresses for
Clients
Configuration >
Device Management > DHCP > DHCP Server in ASDM or CLI:
ASA1(config)#
dhcpd address 10.0.0.101-10.0.0.132 inside
ASA1(config)#
dhcpd enable inside
ASA1(config)#
dhcpd dns 10.8.8.8 interface inside
ASA1(config)#
dhcpd domain example.org interface inside
The ASA, by default, assigns itself as the default gateway for the DHCP
clients to use.
Basic
Routing to the Internet
Configuration >
Device Setup > Routing.
From this location, you can view or manage static routes and dynamic routing
protocols.
ASA1(config)#
route outside 0.0.0.0 0.0.0.0 23.1.2.7
NAT
and PAT
Configuration
> Firewall > NAT Rules
Create an object group to use for translation
ASA1(config)#
object network Inside_Hosts
ASA1(config-network-object)#
subnet 10.0.0.0 255.255.255.0
ASA1(config-network-object)#
description Inside_Hosts
Make the translation
ASA1(config)# nat
(inside,outside) 1 source dynamic Inside_Hosts interface
Permitting
Additional Access Through the Firewall
Configuration >
Firewall > Access Rules
Using
Packet Tracer to Verify Which Packets Are Allowed
ASA1#
packet-tracer input inside tcp 10.0.0.101 1065 22.33.44.55 80
Cisco
IDS/IPS Fundamentals
Cisco intrusion detection systems (IDS) and intrusion
prevention systems (IPS) are some of many systems used as part of a
defense-in-depth approach to protecting the network against malicious traffic.
IPS
Versus IDS
What
Sensors Do
A sensor is a device that looks at traffic on the network and then makes
a decision based on a set of rules to indicate whether that traffic is okay or
whether it is malicious in some way.
Difference
between IPS and IDS
You can place a sensor in the network to analyze network traffic in one
of two ways. The first option is to put a sensor inline with the
traffic, which just means that any traffic going through your network is forced
to go in one physical or logical port on the sensor. At the sensor, the traffic
is analyzed. That is the concept behind intrusion prevention systems (IPS).
IDS is detecting the attack (hence the term
intrusion detection system) but is not preventing the attack.
Sensor
Platforms
+ A dedicated IPS appliance, such as the 4200 series
+ Software running on the router in versions of IOS that support
it
+ A module in an IOS router, such as the AIM-IPS or NME-IPS
modules
+ A module on an ASA firewall in the form of the AIP module
for IPS
+ A blade that works in a 6500 series multilayer
switch
+ Cisco FirePOWER 8000/7000 series appliances
+ Virtual Next-Generation IPS (NGIPSv) for VMware
+ ASA with FirePOWER services
Positive/Negative
Terminology
+ False positive: the sensor generates an alert about traffic and
that traffic is not malicious or important as related to the safety of the
network
+ False negative: there is malicious traffic on the network, and
for whatever reason the IPS/IDS did not trigger an alert
+ True positive: there was malicious traffic and that the sensor
saw it and reported on it
+ True negative: there was normal nonmalicious traffic, and the
sensor did not generate any type of alert
Identifying
Malicious Traffic on the Network
There are several different methods that sensors can be configured to use
to identify malicious traffic, including the following:
+ Signature-based IPS/IDS: A signature is just a set of rules
looking for some specific pattern or characteristic in either a single packet
or a stream of packets. It is the most significant method used on sensors
today.
+ Policy-based IPS/IDS: This type of traffic matching can be
implemented based on the security policy for your network.
+ Anomaly-based IPS/IDS: An example of anomaly-based IPS/IDS is
creating a baseline of how many TCP sender requests are generated on average
each minute that do not get a response; used to identify worms that may be
propagating through the network
+ Reputation-based IPS/IDS: collects input from systems all over
the planet that are participating in global correlation; may include
descriptors such as blocks of IP addresses, URLs, DNS domains, and so on as
indicators of the sources for these attacks.
Possible
Sensor Responses to Detected Attacks
+ Deny attacker inline: denies packets from the source IP address
of the attacker for a configurable duration of time, after which the deny
action can be dynamically removed.
+ Deny connection inline: terminates the packet that triggered the
action and future packets that are part of the same TCP connection
+ Deny packet inline: terminates the packet that triggered the
event
+ Log attacker (source) packets: begins to log future packets
based on attacker’s source IP address
+ Log victim (destination) packets: begins to log all IP packets
with a destinations address of the victim
+ Log pair (source, destination) packets
+ Produce alert: This is the default behavior for most signatures
enabled on a sensor.
+ Produce verbose alert: same as above plus it includes a copy of
the packets that triggered the alert
+ Request block connection: This action causes the sensor to
request a blocking device to block based on the source IP address of the
attacker, the destination IP address of the victim, and the ports involved in
the packet that triggered the alert.
+ Request block host: blocks the attacker’s/destination’s IP
address regardless of the port used
+ Request SNMP trap
+ Reset TCP
connection: send a proxy TCP reset to
the attacker.
Controlling
Which Actions the Sensors Should Take
This is implemented using a calculated result called a risk rating. The
maximum value for risk rating is 100.
There are three primary factors, or influencers, of the final risk rating
value:
+ Signature fidelity rating (SFR): The accuracy of the signature
as determined by the person who created that signature
+ Attack severity rating (ASR): The criticality of the attack as
determined by the person who created that signature
+ Target value rating (TVR): The value that you, as an
administrator, have assigned to specific destination IP addresses or subnets
where the critical servers/ devices live.
Implementing
Actions Based on the Risk Rating
Although it is true that you can implement actions as properties of
individual signatures, it makes the most sense, and it is much more scalable to
manage, to configure actions based on the risk rating that is created as a
result of the signature matches.
IPS/IDS
Evasion Techniques
+ Traffic fragmentation: the attacker splits malicious traffic
into multiple parts; IPS/IDS does complete session reassembly to see the entire
traffic
+ Traffic substitution and insertion: The attacker substitutes
characters in the data using different formats that have the same final meaning
+ Protocol level misinterpretation: Cisco does TTL analysis and
TCP checksum validation
+ Timing attacks (for example, “low and slow” attacks): attacker
sending packets at lower packets per second
+ Encryption and tunneling
+ Resource exhaustion: If thousands of alerts are being generated
by distracter attacks; dynamic and configurable summarization.
Managing
Signatures
The most effective way to identify malicious traffic in the Cisco IPS/IDS
systems is through the use of signature-based matching. Cisco organizes its
signatures into groups that have similar characteristics. For each of its
groups, a signature micro-engine is used to govern that set of signatures.
Micro-Engines
(Groupings of Signatures)
+ Atomic: Signatures that can match on a single packet, as
compared to a string of packets
+ Service: Signatures that examine application layer services,
regardless of the operating system
+ String or Multistring: Supports flexible pattern matching and
can be identified in a single packet or group of packets, such as a session
+ Other: Miscellaneous signatures that may not specifically fit
into the previously mentioned other categories
Signature
or Severity Levels
Instead of having to set a numeric value for the severity, the interface
for IPS/IDS prompts us for one of four levels:
+ Informational
+ Low
+ Medium
+ High
Monitoring
and Managing Alarms and Alerts
Three main protocols are used in delivering alerts. They are Security
Device Event Exchange (SDEE), syslog, and SNMP. SDEE is
used for real-time delivery of alerts, and is the most secure method for
delivering alerts. Applications: IPS Manager Express (IME), Cisco Security
Manager (CSM).
Security
Intelligence
So, in short, the more sensors you have reporting, the more granular and
complete the information is going to be about the attacks and the patterns that
exist in the network. With global correlation, we can increase the risk rating
for specific attacks if they are from source addresses that we identified as
suspect in information learned from external sensors through the global
correlation process. Global correlation is available on the sensor appliances
but does not have to be enabled – Cisco Security Intelligence Operations
(SIO)
IPS/IDS
Best Practices
+ Implement an IPS so that you can analyze traffic going to your critical
servers and other mission-critical devices, or the “crown jewels” for your
organization.
+ If you cannot afford dedicated appliances, use modules or IOS
software-based IPS/IDS
+ Take advantage of global correlation to improve your resistance against
attacks that may be targeting your organization
+ Use a risk-based approach, where countermeasures occur based on the
calculated risk rating as opposed to manually assigning countermeasures to
individual signatures
+ Use automated signature updates when possible instead of manually
installing updates
+ Continue to tune the IPS/IDS infrastructure as traffic flows and
network devices and topologies change
Cisco
Next-Generation IPS Solutions
+ Cisco FirePOWER 8000/7000 series appliances
+ Virtual Next-Generation IPS (NGIPSv) for VMware
+ ASA with FirePOWER Services
+ FireSIGHT Management Center
Mitigation
Technologies for E-mail Based and Web-Based Threats
The Cisco E-mail Security Appliances (ESA) and the Cisco Web
Security Appliance (WSA) provide a great solution designed to
protect corporate users against these threats. Cisco has added Advanced
Malware Protection (AMP) to the ESA and WSA to allow security
administrators to detect and block malware and perform continuous analysis and
retrospective alerting.
Mitigation
Technology for E-mail-Based Threats
E-mail-Based
Threats
+ Spam: unsolicited e-mail messages that can be advertising a
service or (typically) a scam or a message with malicious intent
+ Malware attachments: mail messages containing malicious software
+ Phishing: an attacker’s attempt to fool a user that such e-mail
communication comes from a legitimate entity or site, such as banks, social
media websites, online payment processors, or even corporate IT communications.
+ Spear phishing: These phishing e-mails are directed to specific
individuals or organizations
Cisco
Cloud E-mail Security
Cisco cloud e-mail security provides a cloud-based solution that allows
companies to outsource the management of their e-mail security management.
Cisco
Hybrid E-mail Security
The Cisco hybrid e-mail security solution combines both cloud-based and
on-premises ESAs.
Cisco E-mail Security Appliance
+ Cisco X-Series E-mail Security Appliances
+ Cisco X1070:
High-performance ESA for service providers and large enterprises
+ Cisco C-Series E-mail Security Appliances
+ Cisco C680: The
high-performance ESA for service providers and large enterprises
+ Cisco C670: Designed for
medium-size enterprises
+ Cisco C380: Designed for
medium-size enterprises
+ Cisco C370: Designed for
small- to medium-size enterprises
+ Cisco C170: Designed for
small businesses and branch offices
Features
supported by the Cisco ESA:
+ Access control: Controlling access for inbound senders according
to the sender’s IP address, IP address range, or domain name.
+ Antispam
+ Network Antivirus
+ Advanced malware
protection (AMP): Allows security administrators
to detect and block malware and perform continuous analysis and retrospective
alerting
+ DLP: The ability to detect any sensitive e-mails
and documents leaving the corporation
+ E-mail encryption
+ Outbreak filters: Preventive protection against new security
outbreaks and e-mail-based scams with SIO
The Cisco ESA acts as the e-mail gateway to the organization, handling
all e-mail connections, accepting messages, and relaying them to the
appropriate systems.
The Cisco ESA uses listeners to handle incoming SMTP connection requests.
A listener defines an e-mail processing service that is configured on an
interface in the Cisco ESA. The following listeners can be configured:
+ Public listeners for e-mail coming in from the Internet
+ Private listeners for e-mail coming from hosts in the corporate
(inside) network
Cisco
ESA Initial Configuration
+ Step 1. Log in to the Cisco ESA. The default username is admin,
and the default password is ironport
+ Step 2. Use the systemsetup command in CLI of the Cisco ESA to
initiate the System Setup Wizard
Mitigation
Technology for Web-Based Threats
The core solutions for mitigating web-based threats are the Cisco Cloud
Web Security (CWS) offering and the integration of advanced malware
protection (AMP) to the Cisco Web Security Appliance (WSA).
Cisco
CWS
Cisco CWS is a cloud-based security service from Cisco that provides
worldwide threat intelligence, advanced threat defense capabilities, and
roaming user protection. Cisco customers can connect to the Cisco CWS service
directly by using a proxy
autoconfiguration (PAC) file in the user endpoint or through connectors
integrated into the following Cisco products:
+ Cisco ISR G2 routers
+ Cisco ASA
+ Cisco WSA
+ Cisco AnyConnect Secure Mobility Client
Cisco
WSA
The Cisco WSA uses cloud-based intelligence from Cisco to help protect
the organization before, during, and after an attack. The Cisco WSA can be
deployed in explicit proxy mode or as a transparent proxy using the Web Cache Communication Protocol (WCCP).
The following are the different Cisco WSA models:
+ Cisco WSA S680: 6-12k users, 2 rack unit (RU), 2 octa core CPUs,
32GB of mem, 4,8TB of space
+ Cisco WSA S670
+ Cisco WSA S380: 1,5 to 6k users
+ Cisco WSA S370
+ Cisco WSA S170: up to 1,5k users, 1 RU, 1 dual core CPUs, 4GB of
mem, 500GB of space
The Cisco WSA runs Cisco AsyncOS operating system.
Cisco
Content Security Management Appliance
Cisco Security Management Appliance (SMA) is a Cisco product that
centralizes the management and reporting for one or more Cisco ESAs and Cisco
WSAs.
Mitigation
Technologies for Endpoint Threats
Antivirus
and Antimalware Solutions
The following are the most common types of malicious software:
+ Computer viruses: A malicious software that infects a host file
or system area to perform undesirable outcomes such as erasing data, stealing
information, or corrupting the integrity of the system
+ Worms: Viruses that replicate themselves over the network
infecting numerous vulnerable systems
+ Mailers and mass-mailer worms: A type of worm that sends itself
in an e-mail message
+ Logic bombs: A type of malicious code that is injected into a
legitimate application
+ Trojan horses: A type of malware that executes instructions
determined by the nature of the Trojan to delete files, steal data, and
compromise the integrity of the underlying operating system
+ Back doors: A piece of malware or configuration change that
allows attackers to control the victim’s system remotely
+ Exploits: A malicious program designed to “exploit” or take
advantage of a single vulnerability or set
+ Downloaders: A piece of malware that downloads and installs
other malicious content from the Internet to perform additional exploitation on
an affected system
+ Spammers: the act of sending unsolicited messages via e-mail,
instant messaging, newsgroups, or any other kind of computer or mobile device
communications
+ Key loggers: A piece of malware that captures the user’s
keystrokes on a compromised computer or mobile device
+ Rootkits: A set of tools that are used by an attacker to elevate
their privilege to obtain root-level access to be able to completely take
control of the affected system
+ Ransomware: A type of malware that compromises a system and then
demands a ransom from the victim to often pay the attacker in order for the
malicious activity to cease or for the malware to be removed from the affected
system – ex: Crypto Locker and Crypto Wall
Known antivirus programs:
+ Avast
+ AVG Internet Security
+ Bitdefender Antivirus Free
+ ZoneAlarm PRO Antivirus + Firewall and ZoneAlarm Internet Security
Suite
+ F-Secure Antivirus
+ Kaspersky Anti-Virus
+ McAfee Antivirus
+ Panda Antivirus
+ Sophos Antivirus
+ Norton AntiVirus
+ ClamAV: sponsored and maintained by Cisco and non-Cisco engineers
+ Immunet: a free community-based antivirus software maintained by Cisco
Sourcefire
Personal
Firewalls and Host Intrusion Prevention Systems
Are software applications that you can install on end-user machines or
servers to protect them from external security threats and intrusions.
Advanced
Malware Protection for Endpoints
Cisco AMP for Endpoints provides mitigation capabilities that go beyond
point-in-time detection. It uses threat intelligence from Cisco to perform retrospective
analysis and protection. Cisco AMP for Endpoints also provides device and file
trajectory capabilities to allow the security administrator to analyze the full
spectrum of the attack.
Cisco acquired a security company called ThreatGRID that provides
cloud-based and on-premise malware analysis solutions. Cisco integrated Cisco
AMP and ThreatGRID to provide a solution for advanced malware analysis with
deep threat analytics.
Hardware
and Software Encryption of Endpoint Data
E-mail
Encryption
When people refer to e-mail encryption, they often are referring to
encrypting the actual e-mail message so that only the intended receiver can
decrypt and read the message.
To effectively protect your e-mails, you should make sure of the
following:
+ The connection to your e-mail provider or e-mail server is actually
encrypted
+ Your actual e-mail messages are encrypted
+ Your stored, cached, or archived e-mail messages are also protected
The following are examples of e-mail encryption solutions:
+ Pretty Good Privacy (PGP): requires you to generate a
public and private key
+ GNU Privacy Guard (GnuPG)
+ Secure/Multipurpose Internet Mail Extensions (S/MIME):
requires you to install a security certificate on your computer
+ Web-based encryption e-mail service like Sendinc or JumbleMe
Encrypting
Endpoint Data at Rest
Much commercial and free software enables you to encrypt files in an
end-user workstation or mobile device. The following are a few examples of free
solutions:
+ GPG: GPG also enables you to encrypt files and folders on a
Windows, Mac, or Linux system
+ The built-in MAC OS X Disk Utility: enables you to create secure
disk images by encrypting files with AES 128-bit or AES 256-bit encryption
+ TrueCrypt: free encryption tool for Windows, Mac, and Linux
systems
+ AxCrypt: free Windows-only file encryption tool
+ BitLocker: Full disk encryption feature included in several
Windows operating systems
+ Many Linux distributions such as Ubuntu
+ MAC OS X FileVault: Supports full disk encryption on Mac OS X
systems
Virtual
Private Networks
Many organizations deploy virtual private networks (VPN) to provide data
integrity, authentication, and data encryption to ensure confidentiality of the
packets sent over an unprotected network or the Internet.
Many different protocols are used for VPN implementations, including the
following:
+ Point-to-Point Tunneling Protocol (PPTP) – very weak security
+ Layer 2 Forwarding (L2F) Protocol
+ Layer 2 Tunneling Protocol (L2TP)
+ Generic routing encapsulation (GRE)
+ Multiprotocol Label Switching (MPLS) VPN
+ Internet Protocol Security (IPsec)
+ Secure Sockets Layer (SSL)
VPN implementations can be categorized into two distinct groups:
+ Site-to-site VPNs: Enable organizations to establish VPN tunnels
between two or more network infrastructure devices in different sites so that
they can communicate over a shared medium such as the Internet. Many
organizations use IPsec, GRE, or MPLS VPN as site-to-site VPN protocols.
+ Remote-access VPNs: Enable users to work from remote locations
such as their homes, hotels, and other premises as if they were directly
connected to their corporate network. Many organizations use IPsec and SSL VPN
for remote access VPNs.
+ RADIUS is mainly used to allow users to authenticate into a network
+ TACACS is used to authenticate administrators
+ #show mac address-table count – number of MAC addresses
+ shutting down a switch port it removes all the MAC addresses
dynamically learned
+ CAM table overflow attack comes through MAC spoofing; use
Port-Security to protect (max MAC)
+ we need to specify a port in access mode in order to activate
port-security
+ the default behavior of port-security violation is shutdown
+ #show interfaces status err-disabled – shows ports in
err-disable state
+ use DHCP snooping to protect against rogue DHCP servers;
enable trusted ports on the switch
+ VLAN Hopping involves tricking a switch to have an access port
be trunk so we can communicate with other VLANs; protect through disabling
autonegotiation (Dynamic Trunking Protocol – DTP) on a port; manually
designate the port for what it needs to be – access or trunk port
+ #switchport mode access – removes the DTP and manually sets a
port in access
+ #switchport nonegociate - turn off trunking mode
+ never user VLAN 1; use separate VLAN for management (out-of-band), use
different native VLAN
+ unused ports should be put in shutdown and moved to some unused VLAN,
like 999
+ STP can be used to attack a network so to protect we use BPDU
Guard feature (globally or locally)
+ BPDU Filter doesn’t allow BPDU packets through but doesn’t
shutdown the port
+ #spanning-tree portfast default
+ # spanning-tree portfast bpduguard default – enable
globally Portfast and BPDU Guard
+ #spanning-tree portfast
+ #spanning-tree bpduguard enable – enable per interface Portfast
and BPDU Guard
+ #show spanning-tree summary – show information on STP regarding
Portfast and BPDU Guard
+ Gratuitous ARP – someone is sending its information without
anyone asking; it’s used for L2 Man-in-the-Middle attack; to protect we use DHCP
Snooping and Dynamic ARP Inspection (DAI)
+ Securing Data Plane: DHCP Snooping, Port-Security, no
DTP/trunking, BPDU Guard, DAI
+ Parser View is a “filter”
+ #show parser view – current view
+ Control-Plane Host – restrict what management protocols are
allowed
+ To activate RSA key for SSH we need a domain name and
hostname changed to other than Router.
+ #crypto key generate rsa modulus 1024 – command to create a key
+ #management-interface fa2/0 allow ssh https – restrict protocols
for management on interface
+ enable logging and send that information to a syslog server
+ enable IP Unicast RPF to check the direction the packets are
coming from
+ authenticate NTP process to have correct clock on the router
+ Use SNMPv3 because higher security with authentication; can use
trap to send information upstream
+ Cisco Configuration Professional (CCP) doesn’t support SNMPv3
+ use Secure-Boot to protect the IOS image and the start-up
configuration file
+ #show secure bootset – information about securing the IOS and
start-up file
+ To control the Data Plane we use ACLs for packet
filtering
+ Router self-generated traffic passes through an ACL with a deny ip any
any line; outbound ACL only filters transit traffic
+ an empty ACL lets all the traffic pass
+ Standard ACL can only match based on L3 source address; no. 1-99,
1300-1999
+ Extended ACL used to match destination source, port, protocol L3+L4;
no. 100-199, 2000-2699
+ ACLs can use object groups
+ IPv6 user send Router Solicitation (RS) message to get an
IPv6 address and receives a Router Advertisement (RA) message from a
router on the network running IPv6; autoconfiguration without DHCPv6
+ IPv6 has no ARP or broadcast; uses Network Discovery Protocol (NDP);
hosts join a multicast group and asks there what’s the address of someone
+ First group IPv6 from 2000 to 3FFF it’s a Global IPv6 address
+ Link local IPv6 address starts with FE80; used by routing protocols in advertisements
+ every address that starts with FF is a multicast address
+ ::1 is the local loopback
+ for OSPF routing protocol we need to have a router-ID, which can be an
IPv4 address, if none exists then we have to specify a router-ID
+ Secure IPv6: physical security, device hardening (close unused
services/), services, features, AAA
+ Secure Neighbor Discovery (SEND) used to mitigate rogue
DHCP servers in IPv6 – RA Snooping
+ to transport IPv6 traffic across IPv4 networks use tunneling; don’t use
Auto 6to4
+ use Proxy to hide a host from the outside traffic; ex: www traffic goes
through a proxy server which does all the communication on behalf of the local
host with the www server
+ Reflexive ACL like Stateful Filtering allow returned
traffic; use reflect name attribute to create a dynamic inbound
ACL from the outside to allow return traffic; create an inbound ALC on the
outside interface that evaluates name and denies everything else
+ Context Based Access Control (CBAC) it does stateful
filtering; uses inspect function ports
#ip inspect name
REMEMBER TCP
#ip inspect name
REMEMBER UDP
#ip inspect name
REMEMBER ICMP
#ip inspect
REMEMBER out – apply the inspection on
packets leaving the outside interface
+ Zone-Based Firewall (ZBF), default there is no traffic
between zones
+ ZBF identifies traffic by class-maps
+ ZBF’s policy-map takes the action: allow, pass and drop.
+ ZBF creates zone-pair, unidirectional
+ ZBF uses service-policy to say where to apply the action
+ ZBF contains a Self zone by default, which is the router; all traffic
is allowed between other zones and self- zone
+ ASA initial traffic from higher to lower security level is allowed
+ ASA initial traffic from lower to higher security level is denied
+ ASA features: stateful inspection, application and protocol inspection,
NAT/PAT, VPN, BotNet filter
+ ASA won’t accept HTTP requests for management, only HTTPS
+ IDS used in promiscuous mode
+ IDS could send messages to the router or/and the firewall to tell them
to block a source IP; on the router it does it by modifying an ACL, on a
firewall that’s done with a SHUN;
+ we can have a software IPS on a router – an IOS/IPS
+ IPS: physical appliance, software on IOS, hardware module, host based
software
+ True positive: threat detected, generated an alert and acted on it
+ False positive: acting by mistake on traffic that wasn’t malware; must
be eliminated – set exception
+ True negative: no malicious traffic happening – normal traffic
+ False negative: traffic that doesn’t seem malicious but it is
+ Signature matching is the first option for malicious traffic detection
(ping sweep, port scan etc); thousands created by Cisco exist on the appliances
or software IOS
+ Policy-based is another tool to identify malicious or unwanted traffic
+ Anomaly based method scans the traffic that goes over certain accepted
levels; ex 20 half sessions are accepted on the network within a minute, if
60/90/200 or more are seen that is an indication that there is a worm in the
network, for instance; then IPS steps in
+ Reputation based method uses global databases information on attacks
that happened to others
+ deny connections is better than IP addresses
+ log traffic to analyze later for better understanding on what’s
happening on the network
+ alerts generated let us know what’s happening; uses SDEE protocol on
top TCP.
+ Verbose alert sends the alert and the packet which triggered the alert
+ IDS/IPS can ask for help to block traffic, for example
+ IDS/IPS can ask for a TCP reset by sending it on behalf of the victim
(spoofing)
+ IOSv5 supports the latest IPS software based (has same signatures as
the appliance)
+ we need to download from Cisco the packages with the signatures and
update them regularly
+ we need the public key from Cisco to verify the packages
+ Security Device Events Exchange SDEE is in action
+ IPS software based uses separate files for the signatures, it doesn’t
put them in the running-config
+ Un-retired and retired signatures use memory
+ Cisco Security Manager (CSM) is used in corporate
networks
+ Event Action Filter (EAF)
+ Event Action Override uses Risk Rating (RR) to override
the default countermeasures
+ RR (Severity, Fidelity, Target Value Rating) = (SVR*Fid*TVR)/10.000;
1-100 value
+ an Enabled and Retired signature doesn’t do anything.
+ verify Source (IP Source Guard) to check spoofed addresses; IP Unicast
Reverse-Path can be used too
+ Confidentiality handles Encryption and Authentication
+ Symmetrical encryption uses one single Key for encryption and
decrypting
+ Symmetrical algorithms: DES, 3DES, AES (Advanced
Encryption Standard), IDEA
+ Asymmetrical algorithms use 2 Keys – pair, one to encrypt the message,
which is private, and a second to decrypt the message with its pair public key
+ Symmetrical is used to encrypt bulked data moved across the network
+ Asymmetrical is used for authentication functions
+ Asymmetrical algorithms used are RSA, DSA etc
+ Hashing helps us check the integrity of the packets: SHA, MD5-128
+ R1#veryfy /md5 flash:c2801xxx.bin – verify the flash of a
downloaded IOS
+ this method can be hacked because the hash itself is not secure; we use
Hashed Message Authentication Code (HMAC) to secure it with a secret key
+ with a Digital Signature we prove who is sending the data; the receiver
gets the public key
+ the encrypted hash IS the digital signature
+ Data – hash (checksum/digest) – encrypt the hash with the private key
(digital signature)
+ Primary objective of IPSec is Confidentiality
+ Second is Integrity with hashing
+ 3rd is Authentication, with a pre-shared key (PSK),
RSA signatures
+ 4th is to Prevent Anti-Replay attacks; it counts
packets
+ with IPSec there are two tunnels involved
+ basic IPSec without GRE doesn’t use IP addresses on the VPN tunnel
+ IKE – Internet Key Exchange; IKE Phase1 Tunnel – private conversation
between routers
+ IKE Phase2 Tunnel is for user traffic – the IPSec tunnel
+ SA – Security Association
+ DH group happens in step 2 of IKE Phase1; allows two
devices to negotiate and establish secrets – dynamically for
symmetrical algorithms, even though itself is an asymmetrical algorithm
+ Has 2 modes: Main mode (with more packets back and forth) and Aggressive
mode (IKE Phase2 is Quick mode)
+ PFS (Perfect Secrecy) works with IKE Phase2 tunnel
+ the routers during the IKE Phase1 can disagree on
one single option, the Lifetime; all others mush match
+ PSK are used once in IKE Phase1 for authentication, before the DH
+ Transform Set is in fact the IKE Phase2 setup for negotiation
+ the ACL is called a crypto ACL
+ Inside IPSec are two protocols: ESP (Encapsulation
Security Payload) and AH (Authentication Header), which is
not used now; is a L4 protocol 50
+ RC4 is a symmetrical encryption algorithm used with SSL
+ the public key comes inside a Digital Certificate, released by a
trusted Certificate Authority, with validity dates, issuer etc
+ user encrypts the key it wants to use with the server using the public
key it received so when it sends the key encrypted the server can decrypt it
using its private key so now both have the key for encrypting
+ user proves who he is by authentication with username and password,
usually
+ Clientless SSL VPN doesn’t use a IPSec VPN client on the user’s machine
(ex Cisco AnyConnect)
+ With SSL we don’t use Site-to-Site VPN
+ use more gate security
+ Smurf attack, one spoofs its address and request sessions from
you and you unwillingly reply to the real network which is also under attack,
not by you
+ Cisco Security Agent (CSA) is the host based IPS
+ Scan Safe from Cisco analyzes traffic, for cloud based services
(it is in the cloud)
+ IronPort can help against viruses and spam travelling through
emails
+ Cisco Security Manager (CSM) to manage many appliances at
once
+ enable secret takes precedence over enable password
+ the only password encrypted by default is the enable secret, with MD5
+ top layer Stratum 0 is for GPS and atomic watches with NTP
+ a Cisco router can’t serve as a Stratum 0 device, nor can it get it’s
time directly from one
+ a Cisco router can be a server, client or a peer in NTP process
+ use NTPv3 or higher, offers security features
+ to manually set the time and date you need to disable NTP first (any
active association)
+ NTP uses UDP port 123
+ when configure a Cisco router with NTP and it synchronizes it
gets Stratum level 8 by default; this value will change depending
on how further way it is from the Master
+ for unsynchronized clocks the Stratum level is 16
+ 127.127.7.1 is the IP address that the Master is using for a reference for itself
+ #show ntp status and #show ntp associations – most
important for troubleshoot
+ while telnet allows a single password as a valid entry ssh
requires both username and password
+ with ssh you must: define a domain, no “router”
named router and issue #crypto key generate rsa
+ telnet is disable by default
+ Password required, but not set error message – no password
defined on the VTY lines
+ if no enable passwords are set the remote user can’t get into
privileged mode – % No password set
error
+ if #privilege level 15 is set on VTY lines then the user telnets
directly into the privileged mode with the password set on VTY lines
+ if a username exists and login local is set on the VTY lines then that
user and passwords are used
+ SNMPv1/2 have “passwords” – the community strings, which are known, not
secure
+ SNMPv3 is not supported in Cisco Configuration Professional
+ to work with parser view you need two things: enable secret
and aaa new-model
+ TCP intercept can run in intercept mode or watch mode to protect
againt SYN-flood attack (DoS)
#ip tcp intercept
mode intercept/watch
create an ACL to link to the TCP intercept
#ip tcp intercept
list x
+ in exec mode dir doesn’t work for secure files
+ secure bootset cat be activated remotely, but not deactivated
+ VLAN hopping attacks: switch spoofing (with DTP), double tagging
+ BPDU Guard takes action upon receiving any BPDUs on the
port; works only with portfast
+ Root Guard takes action upon receiving superior BPDUs;
configured at the port level
+ #switchport port-security is issued on access ports
+ the defaults for port-security are: 1 MAC and shutdown action
+ DAI is performed or ARP messages received (not sent) by the device;
enabled with DHCP spooping
+ same as DHCP snooping all ports are by default untrusted
+ #ip arp inspection vlan
+ #show ip arp inspection
[interfaces]
+ RADIUS UDP 1812
+ TACACS+ TCP 49
+ TACACS+ server messages: accept, reject, continue
(more info required) or error (not failed auth)