Hand notes - CCNA Security 210-260 - Part 1:
Confidentiality, Integrity, and Availability
Asset, Vulnerability, Threat, Risk, Countermeasure
+ Governmental classifications: Unclassified, Sensitive but unclassified (SBU), Confidential, Secret, Top secret
+ Private sector classifications: Public, Sensitive, Private, Confidential
+ Classification criteria: Value, Age, Replacement cost, Useful lifetime
+ Classification roles: Owner (the group ultimately responsible for the data, usually senior management of a company); Custodian (the group responsible for implementing the policy as dictated by the owner); User (those who access the data and abide by the rules of acceptable use for the data)
Traffic Light Protocol (TLP): RED, AMBER, GREEN, WHITE
Common control methods used to implement countermeasures include the following:
+ Administrative: written policies, procedures, guidelines, and standards
+ Physical: physical security for the network servers, equipment, and infrastructure
+ Logical: passwords, firewalls, intrusion prevention systems, access lists, VPN tunnels, and so on
A man-in-the-middle attack results when attackers place themselves in line between two devices that are communicating.
Security Information Event Management (SIEM) (not from the book)
Can be in the forms of:
+ Security Information Management (SIM): log collection, archiving, historical reporting, forensics
+ Security Event Management (SEM): real-time reporting, log collection, normalization, correlation, aggregation
+ SIM and SEM (SIEM): log collection, normalization, correlation, aggregation, reporting
+ Log collection of event records from sources throughout the organization provides important forensic tools and helps to address compliance reporting requirements.
+ Normalization maps log messages from different systems into a common data model, enabling the organization to connect and analyze related events, even if they are initially logged in different source formats.
+ Correlation links logs and events from disparate systems or applications, speeding detection of and reaction to security threats.
+ Aggregation reduces the volume of event data by consolidating duplicate event records.
+ Reporting presents the correlated, aggregated event data in real-time monitoring and long-term summaries.
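As an added illustration (not from the book or these notes), the following Python script walks the SIEM stages just listed over a few constructed log records: it collects three source formats, normalizes them into one event model, aggregates exact duplicates, correlates a run of failed logons followed by a success from the same source, and produces a per-host report. All host names, users, addresses and timestamps are made up.

```python
import json
import re
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample records in three different source formats (illustrative, not real logs).
SYSLOG_LINES = [
    "Jan 10 09:00:01 fw1 sshd[201]: Failed password for admin from 198.51.100.7 port 5000",
    "Jan 10 09:00:02 fw1 sshd[201]: Failed password for admin from 198.51.100.7 port 5001",
    "Jan 10 09:00:02 fw1 sshd[201]: Failed password for admin from 198.51.100.7 port 5001",  # exact duplicate
    "Jan 10 09:00:03 fw1 sshd[201]: Failed password for admin from 198.51.100.7 port 5002",
    "Jan 10 09:00:05 fw1 sshd[201]: Accepted password for admin from 198.51.100.7 port 5003",
]
WINDOWS_CSV = [  # timestamp,EventID,host,user,source (4625 = logon failure, 4624 = logon success)
    "2024-01-10T09:00:04,4625,srv2,bob,203.0.113.9",
    "2024-01-10T09:00:06,4624,srv2,alice,192.0.2.50",
]
APP_JSON = [
    '{"ts": "2024-01-10T09:00:07", "app": "portal", "user": "bob", "src": "203.0.113.9", "result": "fail"}',
]

SYSLOG_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) \S+: "
    r"(?P<res>Failed|Accepted) password for (?P<user>\S+) from (?P<src>\S+)"
)
LOG_YEAR = 2024  # syslog lines carry no year; assumed for the constructed data


def normalize_syslog(line):
    """Map a syslog auth line into the common event model."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%b %d %H:%M:%S").replace(year=LOG_YEAR)
    return {"ts": ts, "host": m["host"], "user": m["user"], "src": m["src"],
            "outcome": "success" if m["res"] == "Accepted" else "fail"}


def normalize_windows(line):
    """Map a CSV-exported Windows logon event into the common event model."""
    ts, event_id, host, user, src = line.split(",")
    return {"ts": datetime.fromisoformat(ts), "host": host, "user": user, "src": src,
            "outcome": "success" if event_id == "4624" else "fail"}


def normalize_json(line):
    """Map an application JSON record into the common event model."""
    rec = json.loads(line)
    return {"ts": datetime.fromisoformat(rec["ts"]), "host": rec["app"], "user": rec["user"],
            "src": rec["src"], "outcome": "success" if rec["result"] == "ok" else "fail"}


def collect_and_normalize():
    """Log collection + normalization: one time-ordered list of events in a common model."""
    events = [normalize_syslog(l) for l in SYSLOG_LINES]
    events += [normalize_windows(l) for l in WINDOWS_CSV]
    events += [normalize_json(l) for l in APP_JSON]
    return sorted((e for e in events if e), key=lambda e: e["ts"])


def aggregate(events):
    """Aggregation: collapse identical event records into (event, count) pairs."""
    counts = Counter(tuple(sorted(e.items())) for e in events)
    return [(dict(fields), n) for fields, n in counts.items()]


def correlate(events, threshold=3):
    """Correlation: a run of >= threshold failures followed by a success from the same
    source for the same user, seen across all sources, raises one alert."""
    alerts = []
    failures = defaultdict(int)
    for e in events:  # events must be in time order
        key = (e["src"], e["user"])
        if e["outcome"] == "fail":
            failures[key] += 1
            continue
        if failures[key] >= threshold:
            alerts.append({"src": e["src"], "user": e["user"], "failures": failures[key]})
        failures[key] = 0
    return alerts


def report(events):
    """Reporting: per-host summary of outcomes."""
    summary = defaultdict(Counter)
    for e in events:
        summary[e["host"]][e["outcome"]] += 1
    return {host: dict(c) for host, c in summary.items()}


def run_pipeline():
    events = collect_and_normalize()
    return {"events": events, "aggregated": aggregate(events),
            "alerts": correlate(events), "report": report(events)}


if __name__ == "__main__":
    out = run_pipeline()
    print(len(out["events"]), "events,", len(out["aggregated"]), "after aggregation")
    for alert in out["alerts"]:
        print("ALERT:", alert)
    print(out["report"])
```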
Additional Attack Methods: Covert channel, Trust exploitation, Brute-force (password guessing) attacks, Botnet, DoS and DDoS
Guidelines for Secure Network Architecture: Rule of least privilege, Defense in depth, Separation of duties, Auditing
DDoS attacks can generally be divided into the following three categories: Direct, Reflected, Amplification
Social Engineering Tactics: Phishing, Malvertising, Phone scams
Defenses Against Social Engineering: Password management, Two-factor authentication, Antivirus/antiphishing defenses, Change management, Information classification, Document handling and destruction, Physical security
Methods Available for Malware Identification: Packet captures, Snort, NetFlow, IPS events, Advanced Malware Protection, NGIPS
Several types of data: Intellectual property (IP), Personally identifiable information (PII), Credit/debit cards
The most popular option moving forward is to install the ACS server
logically in a VMware environment such as an ESXi server with ACS running as a
virtual machine.
Identity Services Engine (ISE) is an identity and access control policy platform that can validate that a computer meets the requirements of a company’s policy related to virus definition files, service pack levels, and so on before allowing the device on the network.
Implementing AAA in Cisco IOS
Two main protocols may be used between the ACS server and its
client (such as a router that is using the ACS server to verify authentication
requests): TACACS+ (pronounced TACKAXE, you do not need to say the +)
and RADIUS (pronounced RAY-D-US).
Using the CLI to Configure IOS for Use with ACS
R1(config)# aaa new-model
R1(config)# aaa authentication login AUTHEN_via_TACACS group tacacs+ local
R1(config)# aaa authorization exec Author-Exec_via_TACACS group tacacs+ local
R1(config)# username admin privilege 15 secret cisco
R1(config)# tacacs-server host 192.168.1.252 key cisco123
R1(config)# do ping 192.168.1.252
R1(config)# line vty 0 4
R1(config-line)# authorization exec Author-Exec_via_TACACS
R1(config-line)# login authentication AUTHEN_via_TACACS
Verify
R1# debug tacacs
R1# debug aaa authentication
R1# debug aaa authorization
R1# test aaa group tacacs+ admin cisco123 legacy
There are many different ways to implement a BYOD (Bring Your Own
Device) solution, and each organization must decide on the level of openness
and flexibility it wants to enable its employees in terms of the type of
devices they can connect and the amount of access each of these devices will be
granted.
Identity Services Engine (ISE): The Cisco ISE is a critical piece to the Cisco BYOD solution. It is the cornerstone of the authentication, authorization, and accounting (AAA) requirements for endpoint access, which are governed by the security policies put forth by the organization.
Integrated Services Routers (ISR): Cisco ISRs will be used in the Cisco BYOD solution to provide WAN and Internet access for the branch offices and Internet access for home office environments. In addition, the ISR will provide both wired and WLAN connectivity in the branch office environments. Finally, the ISRs can be leveraged to provide VPN connectivity for mobile devices that are part of the BYOD solution.
Aggregation Services Routers (ASR): Cisco Aggregation Services Routers (ASR) provide WAN and Internet access at the corporate campus and serve as aggregation points for all the branch and home office networks connecting back to the corporate campus for the Cisco BYOD solution.
Cloud Web Security (CWS): Formerly ScanSafe, Cisco Cloud Web Security (CWS) provides enhanced security for all the BYOD solution endpoints while they access Internet websites using publicly available wireless hotspots and 3G, 4G, and 4G LTE mobile networks.
Adaptive Security Appliance (ASA): The Cisco ASA provides all the standard security functions for the BYOD solution at the Internet edge. In addition to traditional firewall and intrusion prevention system (IPS) functions, the ASA also serves as a VPN termination point for mobile devices connecting over the Internet from home offices, branch offices, public wireless networks, and 3G/4G/4G LTE mobile networks.
RSA SecurID: The RSA SecurID server provides one-time password (OTP) generation and logging for users that access network devices and other applications which require OTP authentication.
Active Directory: The Active Directory (AD) server enforces access control to the network, to servers, and to applications. It restricts access to those users with valid authentication credentials.
Certificate authority: The certificate authority (CA) server provides for, among other things, the onboarding of endpoints that meet certificate requirements for access to the corporate network. The CA server ensures that only devices with corporate certificates can access the corporate network.
Mobile Device Management
The function of mobile device managers, also known as mobile device management (MDM), is to deploy, manage, and monitor the mobile devices that make up the Cisco BYOD solution.
Uses: PIN lock, strong passwords, detection of attempts to “jailbreak” or “root”, data encryption requirements, remotely wiping a stolen or lost BYOD device, administration and execution of data loss prevention (DLP).
On-Premise MDM Deployment: In an on-premise MDM deployment, MDM application software is installed on servers that are located within the corporate data center and are completely supported and maintained by the network staff of the corporation.
Cloud-Based MDM Deployment: In a cloud-based MDM deployment, MDM application software is hosted by a managed service provider who is solely responsible for the deployment, management, and maintenance of the BYOD solution.
Types of VPNs
+ IPsec: Implements security of IP packets at Layer 3 of the OSI model, and can be used for site-to-site VPNs and remote-access VPNs.
+ SSL: Secure Sockets Layer implements security of TCP sessions over encrypted SSL tunnels, and can be used for remote-access VPNs (as well as being used to securely visit a web server that supports it via HTTPS).
+ MPLS: Multiprotocol Label Switching and MPLS Layer 3 VPNs are provided by a service provider to allow a company with two or more sites to have logical connectivity between the sites using the service provider network for transport.
Two Main Types of VPNs
+ Remote-access VPNs: Some users might need to build a VPN connection from their individual computer to the corporate headquarters (or to the destination they want to connect to).
+ Site-to-site VPNs: The other main VPN implementation is by companies that may have two or more sites that they want to connect securely together (likely using the Internet) so that each site can communicate with the other site or sites.
Main Benefits of VPNs: Confidentiality, Data integrity, Authentication, Antireplay protection
Cryptography
Basic Components
Ciphers: A cipher is a set of rules, which can also be called an algorithm, about how to perform encryption or decryption. Types: Substitution, Polyalphabetic, Transposition.
Keys: A one-time pad (OTP) is a good example of a key that is only used once.
Block Ciphers: A block cipher is a symmetric key cipher (same key to encrypt and decrypt) that operates on a group of bits called a block.
+ Advanced Encryption Standard (AES)
+ Triple Digital Encryption Standard (3DES)
+ Blowfish
+ Digital Encryption Standard (DES)
+ International Data Encryption Algorithm (IDEA)
Stream Ciphers: A stream cipher is a symmetric key cipher (same key to encrypt as decrypt) where the plaintext is encrypted 1 bit at a time against the bits of the key stream, also called a cipher digit stream.
Symmetric and Asymmetric Algorithms
A symmetric encryption algorithm, also known as a symmetrical cipher, uses the same key to encrypt the data and decrypt the data. Much faster, less CPU. Minimum 128 bits for safety.
An asymmetric algorithm is a public key algorithm. We use two different keys that mathematically work together as a pair. Let’s call these keys the public key and private key.
High CPU, so we use asymmetric algorithms for things such as authenticating a VPN peer or generating keying material that we could use for our symmetrical algorithms.
+ RSA: public key cryptography standard (PKCS) #1; 512 to 2048 bits key length
+ DH: Diffie-Hellman; generates symmetrical keys that can then be used with symmetrical algorithms
+ ElGamal
+ DSA
+ ECC
A typical key length used in asymmetrical algorithms can be anywhere between 2048 and 4096. A key length that is shorter than 2048 is considered unreliable or not as secure as a longer key.
Hashes
Hashing is a method used to verify data integrity. A cryptographic hash function is a process that takes a block of data and creates a small fixed-sized hash value. It is not possible (at least not realistically) to generate the same hash from a different block of data. This is referred to as collision resistance.
+ Message digest 5 (MD5): This creates a 128-bit digest.
+ Secure Hash Algorithm 1 (SHA-1): This creates a 160-bit digest.
+ Secure Hash Algorithm 2 (SHA-2): Options include a digest between 224 bits and 512 bits.
Hashed Message Authentication Code (HMAC) uses the mechanism of hashing, but it kicks it up a notch. Instead of using a hash that anyone can calculate, it includes in its calculation a secret key of some type.
Digital Signatures
Offers Authentication, Data integrity, Nonrepudiation. Digital signatures involve public and private key pairs, hashing, and encryption.
Bob and Lois get digital certificates from a Certificate Authority (CA) and exchange those. They contain Bob’s (Lois’) public key. Bob takes the packet that he wants to send to Lois and makes a hash of it, then encrypts the hash with his private key (which is a pair with his public key), attaches the encrypted hash to the packet and sends that to Lois. Lois gets the packet with the encrypted hash and uses Bob’s public key (which she got from the digital certificate Bob sent to her) to decrypt Bob’s hash. After that Lois herself hashes the packet received with the same hash algorithm and compares the hash against what she decrypted from Bob’s. If it matches, it means the packet is genuine and Bob is who he says he is.
Key Management
Deals with generating keys, verifying keys, exchanging keys, storing keys, and at the end of their lifetime, destroying keys. The bigger the key, the more secure the algorithm will be. The only negative of having an extremely long key is that the longer the key, the more the CPU is used for the decryption and encryption of data.
Next-Generation Encryption Protocols
The U.S. government selected and recommended a set of cryptographic standards called Suite B.
+ Elliptic Curve Cryptography (ECC) replaces RSA signatures with the ECDSA algorithm, and replaces the DH key exchange with ECDH.
+ AES in the Galois/Counter Mode (GCM) of operation
+ ECC Digital Signature Algorithm
+ SHA-256, SHA-384, and SHA-512
IPsec and SSL
IPsec
A collection of protocols and algorithms used to protect IP packets at Layer 3.
+ ESP and AH: Encapsulating Security Payload (ESP) uses all features of IPsec; Authentication Header (AH) does many parts of IPsec but not encryption.
+ Encryption algorithms for confidentiality: DES, 3DES, AES
+ Hashing algorithms for integrity: MD5, SHA
+ Authentication algorithms: Pre-shared keys (PSK), RSA digital signatures
+ Key management: Diffie-Hellman (DH), which dynamically generates symmetrical keys to be used by symmetrical algorithms; PKI, which supports the function of digital certificates issued by trusted CAs; Internet Key Exchange (IKE), which does a lot of the negotiating and management for us for IPsec to operate.
SSL
The convenient thing about SSL is that almost every web browser on every computer supports it, so almost anyone who has a computer can use it.
Public and Private Key Pairs
A key pair is a set of two keys that work in combination with each other as a team. In a typical key pair, you have one public key and one private key.
RSA Algorithm, the Keys, and Digital Certificates
Certificate Authorities
A certificate authority is a computer or entity that creates and issues digital certificates. Inside of a digital certificate is information about the identity of a device, such as its IP address, fully qualified domain name (FQDN), and the public key of that device.
Contains:
+ IP address
+ fully qualified domain name (FQDN)
+ public key
+ URL that other devices can check to see whether this certificate has
been revoked and the validity dates for the certificate
If a company wants to set up its own internal CA and then configure each
of the end devices to trust the certificates issued by its internal CA.
Root and Identity Certificates
A digital certificate can be thought of as an electronic document that identifies a device or person. It includes information such as the name of a person or organization, their address, and the public key of that person or device.
Root certificates identify the CA; identity certificates identify devices.
Root Certificate
A root certificate contains the public key of the CA server and the other details about the CA server.
Includes: Serial number, Issuer, Validity dates, Subject of the certificate, Public key, Thumbprint algorithm and thumbprint.
Identity Certificate
An identity certificate is similar to a root certificate, but it describes the client and contains the public key of an individual host (the client).
X.500 and X.509v3 Certificates
X.500 is a series of standards focused on directory services and how those directories are organized. Many popular network operating systems have been based on X.500, including Microsoft Active Directory. A common protocol that is used to do lookups from a directory is called Lightweight Directory Access Protocol (LDAP).
Authenticating and Enrolling with the CA
Step 1. Authenticate the CA: after downloading the root certificate, use an out-of-band method, such as making a telephone call, to validate the root certificate.
Step 2. Enroll: generate a public-private key pair and include the public key portion in any requests for your own identity certificate; the CA can take all of your information and generate an identity certificate for you, which includes your public key, and then send this certificate back to you.
Public Key Cryptography Standards
+ PKCS#10: This is a format of a certificate request sent to a CA by an entity that wants to receive its identity certificate. This type of request would include the public key for the entity desiring a certificate.
+ PKCS#7: This is a format that can be used by a CA as a response to a PKCS#10 request.
+ PKCS#1: RSA Cryptography Standard
+ PKCS#12: A format for storing both public and private keys using a symmetric password-based key to “unlock” the data whenever the key needs to be used or accessed.
+ PKCS#3: Diffie-Hellman key exchange
Simple Certificate Enrollment Protocol
Simple Certificate Enrollment Protocol (SCEP) can automate most of the process for requesting and installing an identity certificate.
Revoked Certificates
If a certificate revocation list (CRL) is checked, and the certificate from the peer is on that list, the authentication stops at that moment. To check whether certificates have been revoked:
+ Certificate revocation list (CRL): A CRL could be very large and can be accessed by LDAP or HTTP.
+ Online Certificate Status Protocol (OCSP): a client simply sends a request to find the status of a certificate and gets a response without having to know the complete list of revoked certificates.
+ Authentication, authorization, and accounting (AAA)
Uses for Digital Certificates
+ can be used when you do online banking from your PC to the bank’s website
+ if you use SSL technology for your remote-access VPNs you can also use digital certificates for authenticating the peers
+ use digital certificates with the protocol family of IPsec
+ can also be used with protocols such as 802.1X, which involves authentication at the edge of the network
PKI Topologies
Single Root CA – one trusted CA with tens of thousands of customers who want to authenticate that CA
Hierarchical CA with Subordinate CAs – The root CA delegates the authority (to the subordinate CAs) to create and assign identity certificates to clients.
Putting the Pieces of PKI (public key infrastructure) to Work
The problem with a self-signed certificate is that no browsers or other devices will have the ASA listed as a trusted CA, and HTTPS connections to the ASA, such as an administrator who wants to run ASDM, will receive a warning message that the certificate is not trusted.
Generate a new public-private key pair, then authenticate and enroll with the CA (the trustpoint's keypair must name the label that was generated)
Keith-asa1(config)# crypto key generate rsa label My-Key-Pair modulus 2048 noconfirm
Keith-asa1(config)# crypto ca trustpoint New-CA-to-Use
Keith-asa1(config-ca-trustpoint)# keypair My-Key-Pair
Keith-asa1(config-ca-trustpoint)# id-usage ssl-ipsec
Keith-asa1(config-ca-trustpoint)# no fqdn
Keith-asa1(config-ca-trustpoint)# subject-name CN=ciscoas
Keith-asa1(config-ca-trustpoint)# enrollment url http://192.168.1.105
Keith-asa1(config-ca-trustpoint)# exit
Keith-asa1(config)# crypto ca authenticate New-CA-to-Use nointeractive
Keith-asa1(config)# crypto ca enroll New-CA-to-Use noconfirm
IPsec Concepts, Components, and Operations
IPsec has four fundamental goals:
+ Confidentiality -> Encryption
+ Data integrity -> Hashing
+ Peer authentication -> Pre-shared keys (PSK), RSA digital signatures
+ Antireplay -> Integrated into IPsec, basically applying serial numbers to packets
The Internet Key Exchange (IKE) Protocol
IPsec uses the Internet Key Exchange (IKE) protocol to negotiate and establish secured site-to-site or remote access virtual private network (VPN) tunnels. In IKE Phase 1 IPsec peers negotiate and authenticate each other. In Phase 2 they negotiate keying materials and algorithms for the encryption of the data being transferred over the IPsec tunnel.
+ IKEv2 enhances the function of performing dynamic key exchange and peer authentication.
+ Both IKEv1 and IKEv2 protocols operate in two phases. IKEv2 provides a simpler and more efficient exchange.
In IKEv2, the IKE_SA is set up by the IKE_SA_INIT message pair (the counterpart of IKEv1 Phase 1), and the CHILD_SA is set up by the IKE_AUTH message pair (the counterpart of IKEv1 Phase 2).
The Play by Play for IPsec
Step 1: Negotiate the IKEv1 Phase 1 Tunnel
This tunnel (once established) is not going to be used to forward user packets, but rather only to protect management traffic related to the VPN between the two routers. Five basic items need to be agreed upon between the two VPN devices/gateways (in this case, the two routers) for the IKE Phase 1 tunnel to succeed, as follows:
+ Hash algorithm: MD5 or SHA
+ Encryption algorithm: DES (weak), 3DES (better) or AES (best)
+ Diffie-Hellman (DH) group to use: The DH “group” refers to the modulus size (length of the key). The purpose of DH is to generate shared secret keying material (symmetric keys) that may be used by the two VPN peers for symmetrical algorithms, such as AES.
+ Authentication method: PSK or RSA signatures
+ Lifetime: How long until this IKE Phase 1 tunnel should be torn down.
Step 2: Run the DH Key Exchange
DH allows two devices that do not yet have a secure connection to establish shared secret keying material (keys that can be used with symmetrical algorithms, such as AES).
Step 3: Authenticate the Peer
The last piece of IKE Phase 1 is to validate or authenticate the peer on the other side.
The IKE Phase 1 tunnel is used only as a management tunnel so that the two routers can securely communicate with each other directly. The IKE Phase 1 tunnel is not used to encrypt or protect the end user’s packets. The IKE Phase 2 tunnel includes the hashing and encryption algorithms.
So, we could say we have one IKE Phase 1 bidirectional tunnel used for management between the two VPN peers and two IKE Phase 2 unidirectional tunnels used for encrypting and decrypting end-user packets.
Configuring and Verifying IPsec
The first thing to plan is what protocols to use for IKE Phase 1 and IKE Phase 2 and to identify which traffic should be encrypted.
IKE Phase 1 policy
R1(config)# crypto isakmp policy 2
R1(config-isakmp)# authentication pre-share
R1(config-isakmp)# encr aes 128
R1(config-isakmp)# hash md5
R1(config-isakmp)# group 2
R1(config-isakmp)# lifetime 21600
R1(config-isakmp)# exit
R1(config)# crypto isakmp key cisco123 address 43.0.0.2
R1(config)# access-list 100 permit ip 10.0.0.0 0.0.0.255 172.16.0.0 0.0.0.255
IKE Phase 2 transform set
R1(config)# crypto ipsec transform-set MY-SET esp-sha-hmac esp-aes 256
R1(cfg-crypto-trans)# mode tunnel
R1(cfg-crypto-trans)# exit
R1(config)# crypto map SDM_CMAP_1 1 ipsec-isakmp
R1(config-crypto-map)# match address 100
R1(config-crypto-map)# set transform-set MY-SET
R1(config-crypto-map)# set peer 43.0.0.2
R1(config-crypto-map)# exit
R1(config)# interface GigabitEthernet1/0
R1(config-if)# crypto map SDM_CMAP_1
R1(config-if)# exit
Verifying IPsec
R1# show crypto isakmp policy = verify the IKE Phase 1 policies in place on the router
R1# show crypto map = the details of the crypto map
R1# show crypto isakmp sa [detail] = the details for the IKE Phase 1 tunnel that is in place
R1# show crypto ipsec sa = the details for the IKE Phase 2 tunnels that are in place
R1# show crypto engine connections active = see that the encryption and decryption is working
Planning and Preparing an IPsec Site-to-Site VPN
IPsec uses two methods for encryption: tunnel and transport mode. If IPsec tunnel mode is used, the IP header and the payload are encrypted. When transport mode is used, only the packet payload is encrypted.
Protocols That May Be Required for IPsec:
+ UDP port 500 (IKEv1 Phase 1)
+ UDP port 4500 NAT-T (NAT Traversal)
+ Layer 4 Protocol 50 ESP
+ Layer 4 protocol 51 AH
Planning IKEv1 Phase 1
Best (ex):
+ Hashing: SHA
+ Authentication: RSA-Sigs (which require PKI to be used)
+ DH group: 5
+ Lifetime: 3600 seconds
+ Encryption: AES-256
Configure the above with the crypto isakmp policy command.
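As an added example (not from the book or these notes), this Python audit script parses crypto isakmp policy stanzas out of a running-config excerpt and rates each one against the "Best (ex)" planning values above; the config text is constructed, with policy 2 copied from the IKE Phase 1 policy configured earlier in these notes, and a policy whose lines are left out (defaults) is reported as needing confirmation with show crypto isakmp policy.

```python
import re

# Constructed running-config excerpt (not from a real device). Policy 2 mirrors the
# configuration earlier in the notes; policy 10 mirrors the "Best (ex)" planning list;
# policy 20 shows lines that are absent because they are defaults.
SAMPLE_CONFIG = """\
crypto isakmp policy 2
 encr aes 128
 hash md5
 authentication pre-share
 group 2
 lifetime 21600
!
crypto isakmp policy 10
 encr aes 256
 hash sha
 authentication rsa-sig
 group 5
 lifetime 3600
!
crypto isakmp policy 20
 encr 3des
 authentication pre-share
!
"""

# Target values taken from the planning list above.
PLANNED = {"encryption": "aes 256", "hash": "sha", "authentication": "rsa-sig",
           "group": 5, "lifetime": 3600}
DEFAULT_NOTE = ("not shown in running-config, so the default applies: "
                "confirm with 'show crypto isakmp policy'")


def parse_isakmp_policies(config_text: str) -> dict:
    """Return {policy_number: {attribute: value}} for every 'crypto isakmp policy' stanza."""
    policies, current = {}, None
    for line in config_text.splitlines():
        m = re.match(r"^crypto isakmp policy (\d+)\s*$", line)
        if m:
            current = policies.setdefault(int(m.group(1)), {})
            continue
        if not line.startswith(" "):       # '!' or another top-level command ends the stanza
            current = None
            continue
        if current is None:
            continue
        parts = line.split()
        if parts[0] in ("encr", "encryption"):
            current["encryption"] = " ".join(parts[1:])     # e.g. "aes 256", "3des", "des"
        elif parts[0] in ("hash", "authentication", "group", "lifetime"):
            current[parts[0]] = parts[1]
    return policies


def audit_policy(attrs: dict) -> list:
    """Compare one policy with the planned values; each deviation becomes one finding."""
    findings = []
    enc = attrs.get("encryption")
    if enc is None:
        findings.append(f"encryption {DEFAULT_NOTE}")
    elif enc == "des":
        findings.append("encryption des is weak; plan calls for aes 256")
    elif enc == "3des":
        findings.append("encryption 3des is better than des but below the planned aes 256")
    elif enc != PLANNED["encryption"]:
        findings.append(f"encryption '{enc}' is below the planned aes 256")
    for attr in ("hash", "authentication"):
        val = attrs.get(attr)
        if val is None:
            findings.append(f"{attr} {DEFAULT_NOTE}")
        elif val != PLANNED[attr]:
            findings.append(f"{attr} {val} differs from planned {PLANNED[attr]}")
    group = attrs.get("group")
    if group is None:
        findings.append(f"group {DEFAULT_NOTE}")
    elif int(group) < PLANNED["group"]:
        findings.append(f"group {group} uses a smaller DH modulus than planned group 5")
    lifetime = attrs.get("lifetime")
    if lifetime is None:
        findings.append(f"lifetime {DEFAULT_NOTE}")
    elif int(lifetime) > PLANNED["lifetime"]:
        findings.append(f"lifetime {lifetime} exceeds the planned 3600 seconds")
    return findings


def audit_config(config_text: str) -> dict:
    return {num: {"attrs": attrs, "findings": audit_policy(attrs)}
            for num, attrs in parse_isakmp_policies(config_text).items()}


if __name__ == "__main__":
    for num, result in sorted(audit_config(SAMPLE_CONFIG).items()):
        print(f"policy {num}: {'OK' if not result['findings'] else ''}")
        for finding in result["findings"]:
            print("  -", finding)
```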
Planning IKEv1 Phase 2
Things to set (ex):
+ VPN Peer global IP addresses: R1=209.165.200.225 R2=209.165.201.1
+ Traffic to protect: Bidirectional traffic between 172.16.0.0/16 (R1’s local network) and 192.168.0.0/24 (R2’s local network).
+ Encryption: AES-192 (just to mix it up a bit, default for AES is 128)
+ HMAC: SHA
+ Lifetime: Default
+ Outside interfaces of routers: G1/0 (on both)
+ PFS: Group 2
Note that show running-config only shows items in the policy that were configured differently from the default.
Troubleshooting IPsec Site-to-Site VPNs in Cisco IOS
R1# show crypto isakmp policy = to verify the configuration
R1# show crypto map
R1# debug crypto isakmp
R1# show crypto isakmp sa = IPsec Phase 1
R2# show crypto ipsec sa = IPsec Phase 2
We want to see a state of QM_IDLE, meaning the IKEv1 Phase 1 is up.
R2# show crypto engine connections active
DMVPN is a Cisco solution for deploying highly
scalable IPsec site-to-site VPNs. It enables branch locations to communicate
directly with each other over the Internet without requiring a permanent VPN
connection between sites.
FlexVPN is a unified VPN solution that can be
deployed over either public Internet connections or a private Multiprotocol
Label Switching (MPLS) VPN network.
Implementing and Verifying an IPsec Site-to-Site VPN in Cisco ASA
#show crypto isakmp stats
#show crypto ikev1 stats
#show crypto ikev2 stats
#show isakmp sa
#show isakmp sa detail
#show crypto ipsec sa
#show crypto ipsec sa detail
#show vpn-sessiondb
#debug crypto ikev1|ikev2
#debug crypto ipsec
#debug crypto ikev2 platform 2
#debug crypto ikev2 protocol 2
Functions and Use of SSL for VPNs
The Clientless SSL VPN feature excels when connections to only one or a few servers are needed and the full-tunneled Cisco AnyConnect Secure Mobility Client cannot be installed on the local computer.
SSL and TLS Protocol Framework
TLS and its predecessor SSL are cryptographic protocols that provide secure transactions on the Internet for things such as e-mail, web browsing, instant messaging, and so on. SSL as a protocol was originally developed by Netscape. Both of these protocols provide confidentiality, integrity, and authentication services.
Similar to IPsec, these protocols use symmetric algorithms for bulk encryption, and asymmetric algorithms are used for the authentication and for the exchange of keys.
Cisco SSL VPNs are really using TLS behind the scenes.
The Play by Play of SSL for VPNs
+ The client initiates a connection to the server on port 443 and uses internally a port > 1023
+ There is the standard three-way handshake
+ The server responds, providing its digital certificate, which contains the server’s public key
+ Validate certificate information
+ Client sends a shared secret to the server, encrypting the key with the server’s public key
+ Server decrypts the shared secret using its private key
+ The key is now used to encrypt data over SSL
asa1(config)# group-policy NY-Group-Policy internal
asa1(config)# ssl trust-point ASDM_TrustPoint0 outside
asa1(config)# webvpn
asa1(config-webvpn)# enable outside
asa1(config-webvpn)# exit
asa1(config)# group-policy NY-Group-Policy attributes
asa1(config-group-policy)# vpn-tunnel-protocol ssl-clientless
asa1(config-group-policy)# webvpn
asa1(config-group-webvpn)# url-list value IntranetSite
asa1(config-group-webvpn)# exit
asa1(config-group-policy)# exit
asa1(config)# tunnel-group NY-connection-profile type remote-access
asa1(config)# tunnel-group NY-connection-profile general-attributes
asa1(config-tunnel-general)# default-group-policy NY-Group-Policy
asa1(config-tunnel-general)# exit
asa1(config)# tunnel-group NY-connection-profile webvpn-attributes
asa1(config-tunnel-webvpn)# group-alias newyork enable
asa1(config-tunnel-webvpn)# group-url https://209.165.202.129/newyork enable
Using the Cisco AnyConnect Secure Mobility Client
Types of SSL VPNs
object network NETWORK_OBJ_10.1.1.0_25
 subnet 10.1.1.0 255.255.255.128
ip local pool anyconnectPool 10.4.4.1-10.4.4.100 mask 255.255.255.0
group-policy GroupPolicy_SSL_AnyConnect internal
group-policy GroupPolicy_SSL_AnyConnect attributes
 vpn-tunnel-protocol ssl-client
 dns-server value 10.1.1.23
 wins-server none
 default-domain value example.org
 exit
webvpn
 enable outside
 anyconnect image disk0:/anyconnect-macosx-4.0-k9.pkg 1
 anyconnect enable
 tunnel-group-list enable
tunnel-group SSL_AnyConnect type remote-access
tunnel-group SSL_AnyConnect general-attributes
 default-group-policy GroupPolicy_SSL_AnyConnect
 address-pool anyconnectPool
tunnel-group SSL_AnyConnect webvpn-attributes
 group-alias SSL_AnyConnect enable
nat (inside,outside) 3 source static inside interface destination static NETWORK_OBJ_10.1.1.0_25 NETWORK_OBJ_10.1.1.0_25 no-proxy-arp route-lookup
Groups, Connection Profiles, and Defaults
The connection profiles are responsible for the initial connection of the user.
Split Tunneling
Without split tunneling, all IP traffic leaving the client’s machine goes through the tunnel to the ASA. A split tunnel addresses this issue by sending traffic down the VPN only if it is destined for specific networks located at the headquarters site.
Troubleshooting SSL Negotiations
+ Step 1. Verify that the user’s computer can ping the Cisco ASA’s
outside IP address
+ Step 2. If the user’s workstation can ping the address, issue the show
running all | include ssl command on the Cisco ASA and verify that SSL
encryption is configured.
+ Step 3. If SSL encryption is properly configured, use an external
sniffer to verify whether the TCP three-way handshake is successful
AnyConnect clients will fail to establish connection if the Cisco ASAs
are configured to accept connection with SSL Server Version 3. You must use
TLSv1 for AnyConnect clients. Navigate to Configuration > Remote Access
VPN > Advanced > SSL Settings to specify the SSL encryption type and
version that you want to use.
Troubleshooting AnyConnect Client Issues
#debug webvpn svc
#debug webvpn anyconnect
ASA1(config)# logging on
ASA1(config)# logging class svc buffered debugging
ASA1(config)# exit
ASA1# show logging
Traffic-Specific Issues
+ Routing issues behind the ASA—internal network unable to route packets
back to the assigned IP addresses and VPN clients
+ Access control lists blocking traffic
+ Network Address Translation not being bypassed for VPN traffic
Securing Layer 2 Technologies
VLAN and Trunking Fundamentals
For connections between two switches that contain ports in VLANs that exist in both switches, you configure specific trunk ports instead of configuring access ports.
SW2(config)# interface range fa0/23-24
SW2(config-if-range)# switchport trunk encapsulation dot1q
SW2(config-if-range)# switchport mode trunk
SW2(config-if-range)# do show interface trunk
Following the Frame, Step by Step
Access ports are assigned to a single VLAN, and trunk ports tag the traffic so that a receiving switch knows which VLAN a frame belongs to.
The Native VLAN on a Trunk
When the receiving switch receives a frame on a trunk port, if that frame is missing the 802.1Q tag completely, the receiving switch assumes that the frame belongs to the native VLAN (in this case, VLAN 1).
Using a specific VLAN as the native VLAN (different from the default of VLAN 1) and never using that same VLAN for user traffic is a prudent idea.
Inter-VLAN Routing
One solution is to use a technique called router-on-a-stick.
Spanning-Tree Fundamentals
STP, or 802.1D, was developed to identify parallel Layer 2 paths and
block on one of the redundant paths so that a Layer 2 loop would not occur.
STP consists of the following port states:
+ Root Port: The switch port that is closest to the root bridge in
terms of STP path cost (that is, it receives the best BPDU on a switch) is
considered the root port. All switches, other than the root bridge, contain one
root port.
+ Designated: The switch port that can send the best BPDU for a
particular VLAN on a switch is considered the designated port
+ Nondesignated: These are switch ports that do not forward
packets, so as to prevent the existence of loops within the networks
STP cautiously waits for 30 seconds (by default) on a recently brought up
port before letting frames go through that interface; 15 seconds of that is the
listening state, where STP is seeing whether any BPDUs are coming in. When
configured, enhancements to STP, including the PortFast feature, can tell the
switch to bypass the listening and learning stage and go right to forwarding.
Configure portfast per interface
SW2(config)#
interface fa0/2
SW2(config-if)# spanning-tree portfast
Configure portfast globally
SW2(config)# spanning-tree portfast default
Common Layer 2 Threats and How to Mitigate Them
Everything at Layer 3 and higher is encapsulated into some type of Layer
2 frame. If the attacker can interrupt, copy, redirect, or confuse the Layer 2
forwarding of data, that same attacker can also disrupt any type of upper-layer
protocols that are being used.
Layer 2 Best Practices
+ Select an unused VLAN (other than VLAN 1) and use that for the native
VLAN for all your trunks. Do not use this native VLAN for any of your
enabled access ports.
+ Avoid using VLAN 1 anywhere, because it is a default
+ Administratively configure access ports as access ports so that users
cannot negotiate a trunk and disable the negotiation of trunking (no
Dynamic Trunking Protocol [DTP])
+ Limit the number of MAC addresses learned on a given port
with the port security feature
+ Control spanning tree to stop users or unknown devices from
manipulating spanning tree. You can do so by using the BPDU Guard and Root
Guard features
+ Turn off Cisco Discovery Protocol (CDP) on ports facing
untrusted or unknown networks that do not require CDP for anything positive
+ On a new switch, shut down all ports and assign them to a VLAN
that is not used for anything else other than a parking lot. Then bring
up the ports and assign correct VLANs as the ports are allocated and needed
Set a port in access mode
SW2(config)# interface fa0/2
SW2(config-if)# switchport mode access
SW2(config-if)# switchport access vlan 10
SW2(config-if)# switchport nonegotiate – disable the ability to negotiate (no DTP frames are sent)
Set a port in trunk mode
SW2(config)# interface fa0/23
SW2(config-if)# switchport trunk encapsulation dot1q
SW2(config-if)# switchport mode trunk
SW2(config-if)# switchport trunk native vlan 3 – change the native VLAN (pick a VLAN that carries no user traffic)
SW2(config-if)# switchport nonegotiate – disable the ability to negotiate
Do Not Allow Negotiations
A user on a port left in dynamic (DTP) mode can negotiate a trunk with the
switch. With a trunk established, that user could perform "VLAN hopping" to any
VLAN he desired by simply tagging frames with the VLAN of his choice.
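To make the native-VLAN behaviour concrete, here is an added Python model of an 802.1Q double-tagging hop across a trunk. It is not from the original notes or from any Cisco code. The frame builder and parser follow the real 802.1Q tag layout (TPID 0x8100 plus a 16-bit TCI); the switch behaviour is a deliberately simplified model: an access port accepts a frame tagged with its own VLAN, a trunk sends native-VLAN frames untagged, and the far switch assigns untagged frames to its native VLAN. MAC addresses, VLAN numbers and the payload are constructed.

```python
import struct

ETHERTYPE_8021Q = 0x8100
ETHERTYPE_IPV4 = 0x0800


def mac(text):
    """'aa:bb:cc:dd:ee:ff' -> 6 raw bytes."""
    return bytes.fromhex(text.replace(":", ""))


def build_frame(dst, src, vlans, payload):
    """Ethernet frame with zero or more stacked 802.1Q tags, outermost first.

    Each tag is TPID 0x8100 followed by a 16-bit TCI (PCP/DEI zero, VID in the low 12 bits).
    """
    frame = mac(dst) + mac(src)
    for vid in vlans:
        frame += struct.pack("!HH", ETHERTYPE_8021Q, vid & 0x0FFF)
    return frame + struct.pack("!H", ETHERTYPE_IPV4) + payload


def parse_tags(frame):
    """Return (VLAN IDs outermost first, inner ethertype, payload)."""
    offset, vlans = 12, []
    while struct.unpack_from("!H", frame, offset)[0] == ETHERTYPE_8021Q:
        tci = struct.unpack_from("!H", frame, offset + 2)[0]
        vlans.append(tci & 0x0FFF)
        offset += 4
    ethertype = struct.unpack_from("!H", frame, offset)[0]
    return vlans, ethertype, frame[offset + 2:]


def trunk_egress(frame, native_vlan):
    """A trunk sends frames of its native VLAN untagged: strip exactly one outer tag."""
    vlans, _, _ = parse_tags(frame)
    if vlans and vlans[0] == native_vlan:
        return frame[:12] + frame[16:]
    return frame


def trunk_ingress_vlan(frame, native_vlan):
    """The receiving switch assigns an untagged frame to its native VLAN."""
    vlans, _, _ = parse_tags(frame)
    return vlans[0] if vlans else native_vlan


def double_tag_attack(trunk_native, access_vlan, outer_tag, target_vlan):
    """VLAN the far switch delivers the attacker's frame into, or None if SW1 drops it.

    The attacker sits on an SW1 access port in access_vlan and sends a frame tagged
    [outer_tag, target_vlan]; SW1 and SW2 are joined by a trunk whose native VLAN is
    trunk_native. Model: the access port only accepts a tag equal to its own VLAN.
    """
    frame = build_frame("ff:ff:ff:ff:ff:ff", "00:0c:29:aa:bb:cc",
                        [outer_tag, target_vlan], b"constructed payload")
    vlans, _, _ = parse_tags(frame)
    if vlans[0] != access_vlan:
        return None
    on_wire = trunk_egress(frame, trunk_native)       # SW1 -> SW2 across the trunk
    return trunk_ingress_vlan(on_wire, trunk_native)  # SW2 decides the VLAN


if __name__ == "__main__":
    # Default native VLAN 1, attacker in VLAN 1: outer tag stripped, frame lands in VLAN 20
    print("native 1, attacker in 1   ->", double_tag_attack(1, 1, 1, 20))
    # Native VLAN moved to unused VLAN 999: the outer tag survives, frame stays in VLAN 1
    print("native 999, attacker in 1 ->", double_tag_attack(999, 1, 1, 20))
    # Attacker in VLAN 10 tagging VLAN 1: the access port does not accept it
    print("native 1, attacker in 10  ->", double_tag_attack(1, 10, 1, 20))
```

The second call is the whole argument for the best practice above: once the trunk's native VLAN is a VLAN the attacker cannot be a member of, the switch never strips the attacker's outer tag, so the inner tag is never exposed to the far side.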
+ Port security: Limits the number of MAC addresses to be learned
on an access switch port
+ BPDU Guard: If BPDUs (any type) show up where they should not,
the switch protects itself
+ Root Guard: Keeps a port from ever becoming a root port; if a superior
BPDU arrives on that port, the port is blocked (root-inconsistent) until the
superior BPDUs stop, so an attached switch cannot take over as root
+ Dynamic ARP inspection: Prevents spoofing of Layer 2 information
by hosts
+ IP Source Guard: Prevents spoofing of Layer 3 information by
hosts
+ 802.1X: Authenticates users before allowing their data frames
into the network
+ DHCP snooping: Prevents rogue DHCP servers from impacting the
network
+ Storm control: Limits the amount of broadcast or multicast
traffic flowing through the switch
+ Access control lists: Traffic control to enforce policy
BPDU Guard
When you enable BPDU Guard, a switch port that was forwarding is put into the
err-disabled state (effectively shut down) if any BPDU is seen inbound on the
port. It belongs on PortFast-enabled access ports, where no switch should ever
be attached.
SW2(config)# interface fa0/2
SW2(config-if)# spanning-tree bpduguard enable
To automatically recover the port (otherwise it stays down until an
administrator bounces the interface)
SW2(config)# errdisable recovery cause bpduguard
SW2(config)# errdisable recovery interval 30
SW2# show errdisable recovery
Root Guard
Your switch might be connected to other switches that you do not manage.
If you want to prevent your local switch from learning about a new root switch
through one of its local ports, you can configure Root Guard on that port.
SW1(config)# interface fa0/24
SW1(config-if)# spanning-tree guard root
Port Security
Port security controls how many MAC addresses can be learned on a single
switch port. The port must be a static access (or trunk) port; port security
cannot be enabled on a port left in dynamic (DTP) mode. Violation modes:
protect silently drops frames from MAC addresses beyond the maximum; restrict
drops them and also increments the violation counter and logs; shutdown (the
default) puts the port into the err-disabled state.
SW2(config)# interface fa0/2
SW2(config-if)# switchport port-security
SW2(config-if)# switchport port-security maximum 5
SW2(config-if)# switchport port-security violation protect
SW2(config-if)# switchport port-security mac-address sticky
SW2# show port-security
SW2# show port-security interface fa0/2
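The difference between the three violation modes is easy to get wrong, so here is an added simulation (not IOS code and not from the notes) of one port-secured access port under a MAC-flooding tool. The maximum, violation mode and sticky flag mirror the three switchport port-security commands above; the MAC addresses are constructed.

```python
class PortSecurity:
    """Model of Cisco port security on one access port (an added simulation, not IOS code).

    maximum   = switchport port-security maximum N
    violation = switchport port-security violation {protect|restrict|shutdown}
    sticky    = switchport port-security mac-address sticky
    """

    def __init__(self, maximum=1, violation="shutdown", sticky=False):
        if violation not in ("protect", "restrict", "shutdown"):
            raise ValueError(violation)
        self.maximum = maximum
        self.violation = violation
        self.sticky = sticky
        self.secure_macs = []        # addresses the port has learned and will accept
        self.sticky_lines = []       # what sticky learning would write into running-config
        self.violation_count = 0
        self.err_disabled = False

    def frame_in(self, src_mac):
        """Return True if a frame from src_mac is forwarded, False if it is dropped."""
        if self.err_disabled:
            return False                 # nothing passes an err-disabled port
        if src_mac in self.secure_macs:
            return True
        if len(self.secure_macs) < self.maximum:
            self.secure_macs.append(src_mac)
            if self.sticky:
                self.sticky_lines.append(
                    f"switchport port-security mac-address sticky {src_mac}")
            return True
        # A new MAC beyond the maximum: this is a violation. The mode decides the reaction.
        if self.violation == "protect":
            return False                 # dropped silently: no log, no counter
        self.violation_count += 1        # restrict and shutdown both count and log
        if self.violation == "shutdown":
            self.err_disabled = True     # port goes err-disabled; even known MACs stop
        return False


def mac_flood(port, count):
    """Simulate a CAM-overflow tool sending one frame from each of `count` made-up MACs.

    Returns how many of those frames the port forwarded.
    """
    forwarded = 0
    for i in range(count):
        fake = "02:00:00:%02x:%02x:%02x" % ((i >> 16) & 0xFF, (i >> 8) & 0xFF, i & 0xFF)
        if port.frame_in(fake):
            forwarded += 1
    return forwarded


if __name__ == "__main__":
    for mode in ("protect", "restrict", "shutdown"):
        p = PortSecurity(maximum=5, violation=mode, sticky=True)
        n = mac_flood(p, 1000)
        print(f"{mode:9s} forwarded={n} violations={p.violation_count} "
              f"err-disabled={p.err_disabled} sticky-lines={len(p.sticky_lines)}")
```

All three modes cap the flood at five addresses; the difference is whether you find out. Protect leaves no trace, restrict leaves a counter and syslog entry to alert on, and shutdown takes the legitimate host down with the attacker, which is why protect is a poor choice for a port you want to monitor.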
CDP and LLDP
CDP runs on Cisco devices (routers, switches, phones, and so on) and is also
licensed to run on some network devices from other vendors.
CDP operates at Layer 2 and can provide attackers with information (for
example, device types, hardware and software versions, VLAN and IP address
details, and so on) that you would rather not disclose. LLDP, the IEEE 802.1AB
standard equivalent, leaks the same kind of information and should be treated
the same way.
Disable CDP per port
sw2(config)# interface fa1/0/24
sw2(config-if)# no cdp enable
Disable CDP globally
sw2(config)# no cdp run
sw2# show cdp
Disable LLDP globally
sw2(config)# no lldp run
sw2# show lldp
DHCP Snooping
DHCP snooping is a security feature that acts like a firewall between untrusted
hosts and trusted DHCP servers.
DHCP snooping is enabled on a per-VLAN basis. By default, the feature is
inactive on all VLANs.
Two attacks are relevant here. A DHCP starvation attack takes place when a
device purposely generates enough DHCP requests (with spoofed client MAC
addresses) to exhaust the addresses allocated to a DHCP pool. A DHCP spoofing
attack is a rogue DHCP server answering clients with its own gateway or DNS
addresses so that it can intercept their traffic. DHCP snooping classifies
ports as trusted or untrusted: server messages (OFFER, ACK, NAK) arriving on an
untrusted port are dropped, and the binding table (MAC address, IP address,
VLAN, interface, lease) built from the legitimate exchanges is what Dynamic
ARP Inspection and IP Source Guard later use to check hosts.
+ Step 1. Define and configure the DHCP server
+ Step 2. Enable DHCP snooping on at least one VLAN
+ Step 3. Ensure that the DHCP server is connected through a trusted
interface
+ Step 4. Configure the DHCP snooping database agent
+ Step 5. Enable DHCP snooping globally (the DHCP snooping feature is not
active until you complete this step)
sw2(config)# ip dhcp snooping - enable DHCP snooping globally
sw2(config)# ip dhcp snooping vlan 10 - enable DHCP snooping on VLAN 10
sw2(config)# interface fa1/0/24
sw2(config-if)# ip dhcp snooping trust - configure interface Fa1/0/24 (the port toward the DHCP server) as a trusted interface
sw2(config)# ip dhcp snooping database tftp://10.1.1.1/directory/file - configure the DHCP snooping database agent to store the bindings at a given location so that they survive a reload
sw2# show ip dhcp snooping
Dynamic ARP Inspection
ARP provides IP communication within a Layer 2 broadcast domain by
mapping an IP address to a MAC address.
ARP spoofing attacks and ARP cache poisoning can occur because ARP allows
a gratuitous reply from a host even if an ARP request was not received.
DAI is a security feature that validates ARP packets in a network. DAI
intercepts, logs, and discards ARP packets with invalid IP-to-MAC address
bindings. This capability protects the network from some man-in-the-middle
attacks. DAI checks ARP packets received on untrusted ports against the DHCP
snooping binding table, so DHCP snooping must already be running on the VLAN;
hosts with static addresses need an ARP ACL instead. Ports toward other
switches and toward the DHCP server are marked trusted so that their ARP
traffic is not inspected.
sw2(config)# ip arp inspection vlan 10 - enable DAI on VLAN 10
sw2# show ip arp inspection vlan 10
Configure Interface Fa1/0/24 as a Trusted DAI Interface
sw2(config)# interface fa1/0/24
sw2(config-if)# ip arp inspection trust
sw2# show ip arp inspection interfaces
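DHCP snooping and DAI only make sense together, so here is one added Python model (not IOS code, not from the notes) of an access switch running both on VLAN 10 with a single trusted uplink. It walks a constructed exchange: a legitimate DHCP lease that populates the binding table, a rogue OFFER from a host port, and a gratuitous ARP in which an attacker claims the default gateway. Port names, MAC addresses and IP addresses are made up.

```python
from dataclasses import dataclass, field


@dataclass
class Binding:
    """One row of the DHCP snooping binding table."""
    mac: str
    ip: str
    vlan: int
    port: str


@dataclass
class AccessSwitch:
    """Added model of DHCP snooping plus DAI on one switch (not IOS code)."""
    snooping_vlans: set          # ip dhcp snooping vlan N
    dai_vlans: set               # ip arp inspection vlan N
    trusted_ports: set           # ip dhcp snooping trust / ip arp inspection trust
    bindings: list = field(default_factory=list)
    pending: dict = field(default_factory=dict)   # client MAC -> (port, vlan) awaiting ACK
    log: list = field(default_factory=list)

    SERVER_MESSAGES = ("OFFER", "ACK", "NAK")

    def dhcp_in(self, port, vlan, msg_type, src_mac, chaddr, yiaddr=None):
        """Return True if the DHCP message is forwarded, False if snooping drops it."""
        if vlan not in self.snooping_vlans:
            return True
        if port not in self.trusted_ports:
            if msg_type in self.SERVER_MESSAGES:        # a DHCP server on a host port
                self.log.append(f"DHCP_SNOOPING: dropped {msg_type} from untrusted {port}")
                return False
            if src_mac != chaddr:                       # default MAC-address verification
                self.log.append(f"DHCP_SNOOPING: {port} src {src_mac} != chaddr {chaddr}")
                return False
            if msg_type == "REQUEST":
                self.pending[chaddr] = (port, vlan)
        elif msg_type == "ACK" and chaddr in self.pending:
            client_port, client_vlan = self.pending.pop(chaddr)
            self.bindings.append(Binding(chaddr, yiaddr, client_vlan, client_port))
        return True

    def arp_in(self, port, vlan, sender_mac, sender_ip):
        """DAI: return True if the ARP packet passes inspection."""
        if vlan not in self.dai_vlans or port in self.trusted_ports:
            return True
        valid = any(b.mac == sender_mac and b.ip == sender_ip and b.vlan == vlan
                    for b in self.bindings)
        if not valid:
            self.log.append(f"DAI: dropped ARP {sender_ip}/{sender_mac} on {port}")
        return valid


def scenario():
    """Constructed exchange: a legitimate lease, a rogue OFFER, and a poisoning attempt."""
    sw = AccessSwitch(snooping_vlans={10}, dai_vlans={10}, trusted_ports={"Fa1/0/24"})
    server, victim, attacker = "00:aa:bb:cc:dd:ee", "00:11:22:33:44:55", "00:de:ad:be:ef:01"
    # Client on Fa1/0/2 leases 10.1.10.50 from the server behind trusted Fa1/0/24
    sw.dhcp_in("Fa1/0/2", 10, "DISCOVER", victim, victim)
    sw.dhcp_in("Fa1/0/24", 10, "OFFER", server, victim, "10.1.10.50")
    sw.dhcp_in("Fa1/0/2", 10, "REQUEST", victim, victim)
    sw.dhcp_in("Fa1/0/24", 10, "ACK", server, victim, "10.1.10.50")
    results = {
        "rogue_offer": sw.dhcp_in("Fa1/0/7", 10, "OFFER", attacker, victim, "10.1.10.99"),
        "victim_arp": sw.arp_in("Fa1/0/2", 10, victim, "10.1.10.50"),
        "gateway_spoof": sw.arp_in("Fa1/0/7", 10, attacker, "10.1.10.1"),
        "bindings": [(b.mac, b.ip, b.port) for b in sw.bindings],
    }
    return results, sw.log


if __name__ == "__main__":
    results, log = scenario()
    print(results)
    print("\n".join(log))
```

Note what the model does not do: an attacker with a statically configured address never appears in the binding table, so every ARP packet it sends is dropped by DAI, including legitimate ones. That is the practical reason static hosts on a DAI-protected VLAN need an ARP ACL, and why the uplink and server ports must be trusted before you enable either feature.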
Network Foundation Protection
For Cisco IOS routers and switches, the Network Foundation Protection (NFP)
framework is broken down into three basic planes (also called sections/areas):
+ Management plane: this includes the protocols and traffic that
an administrator uses between his workstation and the router or switch itself.
Ex: SSH
+ Control plane: This includes protocols and traffic that the
network devices use on their own without direct interaction from an
administrator. Ex: a routing protocol.
+ Data plane: This includes traffic that is being forwarded
through the network (sometimes called transit traffic); the data plane
represents the traffic that is either being switched or forwarded by the
network devices between clients and servers.
Implementing NFP
NFP is not a single feature but rather is a holistic approach that covers
the three components (that is, planes) of the infrastructure, with
recommendations about protecting each one using a suite of features.
Understanding the Management Plane
Best Practices for Securing the Management Plane:
+ Enforce password policy, including features such as maximum
number of login attempts and minimum password length
+ Implement role-based access control (RBAC). The concept has
been around for a long time in relation to groups; on IOS it is delivered
through an Access Control Server (ACS) together with CLI parser views or
privilege levels
+ Use AAA services, and centrally manage those services on an ACS
server
+ Keep accurate time across all network devices using secure (authenticated)
Network Time Protocol (NTP)
+ Use encrypted and authenticated versions of SNMP, which means
Version 3
+ Control which IP addresses are allowed to initiate management sessions
with the network device
+ Lock down syslog (send it only to your collectors, preferably over the
management network). Use a separate VLAN for management.
+ Disable any unnecessary services, especially those that use User
Datagram Protocol (UDP):
+ TCP and UDP small services
+ Finger
+ BOOTP
+ DHCP
+ Maintenance Operation Protocol (MOP)
+ DNS resolution
+ Packet assembler/disassembler (PAD)
+ HTTP server and Secure HTTP (HTTPS) server
+ CDP
+ LLDP
Understanding the Control Plane
Control plane security is primarily guarding against attacks that might
otherwise negatively impact the CPU, including routing updates (which are also
processed by the CPU).
Best Practices for Securing the Control Plane:
+ CoPP Control plane policing: You can configure this as a
filter for any traffic destined to an IP address on the router itself. This is
applied to a logical control plane interface (not directly to any Layer 3
interface) so that the policy can be applied globally to the router.
+ CPPr Control plane protection: This allows for a more
detailed classification of traffic (more than CoPP) that is going to use the
CPU for handling.
+ Routing protocol authentication
Using CoPP or CPPr, you can specify which types of management traffic are
acceptable at which levels. Traffic that exceeds the thresholds can be safely
dropped if it is not from one of your specific management stations.
Understanding the Data Plane
For the data plane, this discussion concerns traffic that is going
through your network device rather than to a network device.
Protecting the Data Plane:
+ ACLs used for filtering
+ IOS firewall support
+ IOS IPS: software implementation of an intrusion prevention system
(IPS)
+ TCP Intercept: enables the router to track the number of half-open
(embryonic) TCP sessions toward a server and intervene on behalf of the
destination device during a SYN flood
+ Unicast Reverse Path Forwarding (uRPF): When this feature is enabled on an
interface, as packets enter that interface the router checks that the packet's
source address is reachable back through that interface (strict mode) or through
any interface (loose mode) before forwarding it, which discards packets with
spoofed sources.
Best Practices for Protecting the Data Plane:
+ Block unwanted traffic at the router: placing the ACL closer to the
source saves resources
+ Reduce the chance of DoS attacks
+ Reduce spoofing attacks
+ Provide bandwidth management
+ When possible, use an IPS to inhibit the entry of malicious traffic into
the network
Additional Data Plane Protection Mechanisms
Layer2:
+ Port security to protect against MAC address flooding and CAM
overflow attacks.
+ Dynamic Host Configuration Protocol (DHCP) snooping to
prevent a rogue DHCP server
+ Dynamic ARP inspection (DAI) can protect against Address
Resolution Protocol (ARP) spoofing
+ IP Source Guard, when implemented on a switch, verifies that IP
spoofing is not occurring by devices on that switch
Securing the Management Plane on Cisco IOS Devices
What Is Management Traffic and the Management Plane?
By requiring a username or password, you are taking the first steps
toward improving what is called the management plane on this router or switch.
The management plane includes not only configuration of a system, but
also who may access a system and what they are allowed to do while they are
logged in to the system.
The management plane also includes messages to or from a Cisco router or
switch that is used to maintain or report on the current status of the device,
such as a management protocol like Simple Network Management Protocol (SNMP).
Management Plane Best Practices
+ Strong passwords: Make passwords very difficult to break.
+ User authentication and AAA: you can control which
administrators are allowed to connect to which devices and what they can do
while they are there
+ Login Password Retry Lockout: allows system administrators to
lock out a local AAA user account after a configured number of unsuccessful
attempts
+ Role-based access control (RBAC): you can control access
through AAA and customize privilege levels/parser views
+ Encrypted management protocols: encrypted communications should
be used, such as Secure Shell (SSH) or Hypertext Transfer Protocol
Secure (HTTPS)
Out-of-band (OOB) management implies that there is
a completely separate network just for management protocols and a different
network for end users and their traffic. In-band management is when the packets
used by your management protocols may intermingle with the user packets
(considered less secure than OOB).
+ Logging and monitoring: includes not only what administrators
have changed or done but also system events that are generated by the router or
switch because of some problem that has occurred or some threshold that has
been reached; the storage of the logs and the transmission of the logs should
be protected. If SNMP is used, preferably use Version 3 because of its
authentication and encryption capabilities. An SNMP trap is a message generated
by the router or switch to alert the manager or management station of some
event.
+ Network Time Protocol (NTP): to synchronize the clocks on
network devices so that any logging that includes time stamps may be easily
correlated. Preferably, use NTP Version 3 with authentication.
+ Secure system files: Make it difficult to delete, whether
accidentally or on purpose, the startup configuration files and the IOS images
that are on the file systems of the local routers and switches.
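The two management-plane lists above (the NFP one and this one) are the kind of checklist that is easiest to enforce by auditing the running configuration. The following Python is an added example, not from the notes or from Cisco: a small IOS config parser and a rule set that flags the items in those lists. Both sample configurations are constructed; the hardened one is what the same device looks like after the checklist is applied. The hash in its enable secret line is a placeholder.

```python
import re

# Constructed running-config excerpt, in the state a freshly built router is often left in.
WEAK_CONFIG = """\
service tcp-small-servers
no service password-encryption
hostname R1
enable password cisco
ip http server
snmp-server community public RO
logging buffered 4096 debugging
line vty 0 4
 login local
 transport input telnet ssh
!
"""

# The same device after applying the best practices above (also constructed).
HARDENED_CONFIG = """\
no service tcp-small-servers
service password-encryption
security passwords min-length 10
hostname R1
aaa new-model
enable secret 5 $1$example$placeholderhash
ip http secure-server
ip ssh version 2
no cdp run
snmp-server group MGMT v3 priv
ntp authenticate
logging host 10.1.1.200
line vty 0 4
 access-class 10 in
 transport input ssh
!
"""


def parse_config(text):
    """Split an IOS config into top-level lines and the indented lines under each one."""
    top, sections, current = [], {}, None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line or line.startswith("!"):
            continue
        if line.startswith(" "):
            if current is not None:
                sections[current].append(line.strip())
        else:
            top.append(line)
            current = line
            sections[current] = []
    return top, sections


def audit(text):
    """Return management-plane findings for an IOS config; an empty list means clean."""
    top, sections = parse_config(text)
    findings = []

    def present(pattern):
        # re.match anchors at the start, so a 'no ...' form never satisfies a positive rule
        return any(re.match(pattern, line) for line in top)

    required = {
        r"aaa new-model": "AAA not enabled (aaa new-model missing)",
        r"service password-encryption": "service password-encryption off: line passwords in clear text",
        r"security passwords min-length": "no minimum password length enforced",
        r"ip ssh version 2": "SSH version 2 not enforced",
        r"no cdp run": "CDP running globally",
        r"ntp authenticate": "NTP authentication not enabled",
        r"logging( host)? \d": "no syslog server configured",
    }
    forbidden = {
        r"enable password ": "enable password in use; replace with enable secret",
        r"ip http server": "plain HTTP server enabled",
        r"service (tcp|udp)-small-servers": "TCP/UDP small servers enabled",
        r"snmp-server community ": "SNMPv1/v2c community string configured",
    }
    findings += [msg for pat, msg in required.items() if not present(pat)]
    findings += [msg for pat, msg in forbidden.items() if present(pat)]
    for header, body in sections.items():
        if not header.startswith("line vty"):
            continue
        transport = next((c for c in body if c.startswith("transport input")), "default")
        if transport != "transport input ssh":
            findings.append(f"{header}: '{transport}' allows more than SSH")
        if not any(c.startswith("access-class") for c in body):
            findings.append(f"{header}: no access-class limiting management sources")
    return findings


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"== {name} ==")
        for finding in audit(cfg):
            print(" -", finding)
```

The rules are deliberately literal: a vty line whose transport input is left at the default is reported, because the default still accepts Telnet, and a missing access-class is reported even when the transport is SSH, since encrypted access from anywhere is still access from anywhere.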
Password Recommendations
R1(config)# security passwords min-length X – set the minimum password length
+ It is best to have a minimum of eight characters for a password
+ Passwords can include any alphanumeric character, a mix of uppercase
and lowercase characters, and symbols and spaces. Leading spaces in a password
are ignored, but any subsequent spaces, including in the middle or at the end
of a password, literally become part of that password and are generally a good
idea.
Using AAA to Verify Users
In a nutshell, the goal of AAA is to identify who users are before giving
them any kind of access to the network, and once they are identified, only give
them access to the part they are authorized to use, see, or manage.
AAA Components
+ Authentication: Authentication is the process by which
individuals prove that they are who they claim to be. To specify the method to
use, you create an authentication “method list” that specifies how to
authenticate the user.
+ Authorization: After the user or administrator has been
authenticated, authorization can be used to determine which resources the user
or administrator is allowed to access, and which operations may be performed.
+ Accounting and auditing: record what the user or administrator
actually does with this access, what he accesses, and how long he accesses it.
Options for Storing Usernames, Passwords, and Access Rules
A centralized service keeps usernames, passwords, and configured
rules about who can access which resources; alternatively, the device keeps
them locally.
+ Cisco Secure ACS Solution Engine: This is a dedicated server
that contains the usernames, their passwords,
and other information about what users are allowed to access and when
they are allowed to access it. The network device talks to ACS with TACACS+
for an administrator who is seeking command-line access to the network device,
and with RADIUS if you are authenticating an end user that is requesting
access to the network.
+ Cisco Secure ACS for Windows Server: This software package may
be used for user and administrator authentication.
+ Current flavors of ACS functionality: The most common way that
ACS services are implemented today is through a virtual machine running on some
flavor of VMware. Its successor is Cisco Identity Services Engine (ISE), which
can be bundled in a single physical or logical device or appliance.
+ Self-contained AAA: AAA services may be self-contained in the
router itself. The database that contains the usernames and
passwords is the running configuration of the router or IOS device, and from an
AAA perspective is referred to as the local database on the router.
Authorizing VPN Users
One common implementation of AAA is its use in authenticating users
accessing the corporate LAN through a remote-access IPsec VPN. We authenticate
the users by asking for their username and password, and then check the rules
to see what they are authorized to access. If we use the remote Access Control
Server (ACS) server for the authentication and authorization for an end
user, we would very likely use the RADIUS protocol between the router and the
AAA server.
Router Access Authentication
We must choose authentication first if we want to also use authorization
for a user or administrator. We cannot choose authorization for a user without
knowing who that user is through authentication first. When an administrator is
at the CLI, that interface is provided by something called an EXEC shell.
This type of access (CLI) could also be referred to as character mode.
The AAA Method List
To make implementing AAA modular, we can specify individual lists of ways
we want to authenticate, authorize, and account for the users. We can create
authentication method lists that define the authentication methods to use,
authorization method lists that define which authorization methods to use, and
accounting method lists that specify which accounting methods to use. Methods
are tried in the order listed, and the next method is consulted only if the
previous one returns an error (for example, the server did not respond); a
method that answers and rejects the credentials ends the attempt.
aaa type {default | list-name} method-1 [method-2 method-3 method-4]
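The error-versus-failure rule is the part of method lists that bites in practice, so here is an added Python model of it (not IOS code and not from the notes). It evaluates a list shaped like group tacacs+ local enable with three stand-in methods. The user tables, passwords and server reachability are constructed, and one behaviour is a modelling assumption: the local method reports an error, rather than a failure, when no usernames are configured at all.

```python
from enum import Enum


class Result(Enum):
    PASS = "pass"      # credentials accepted
    FAIL = "fail"      # the method answered and rejected the credentials
    ERROR = "error"    # the method could not answer (server unreachable, nothing to check)


class TacacsGroup:
    """Stand-in for 'group tacacs+': a constructed user table plus a reachability flag."""

    name = "group tacacs+"

    def __init__(self, users, reachable=True):
        self.users, self.reachable = users, reachable

    def authenticate(self, user, password):
        if not self.reachable:
            return Result.ERROR
        return Result.PASS if self.users.get(user) == password else Result.FAIL


class LocalDatabase:
    """Stand-in for 'local': usernames from the running configuration."""

    name = "local"

    def __init__(self, users):
        self.users = users

    def authenticate(self, user, password):
        if not self.users:
            return Result.ERROR      # modelling assumption: no local usernames configured
        return Result.PASS if self.users.get(user) == password else Result.FAIL


class EnableSecret:
    """Stand-in for 'enable': accept the enable secret regardless of username."""

    name = "enable"

    def __init__(self, secret):
        self.secret = secret

    def authenticate(self, user, password):
        return Result.PASS if password == self.secret else Result.FAIL


def run_method_list(methods, user, password):
    """Evaluate a method list the way IOS does: fall through only on ERROR.

    Returns (result, name of the method that decided). If every method errors out,
    the login is denied and no method is credited with the decision.
    """
    for method in methods:
        result = method.authenticate(user, password)
        if result is not Result.ERROR:
            return result, method.name
    return Result.FAIL, None


def build_my_list_1(tacacs_reachable, local_users=None):
    """aaa authentication login MY-LIST-1 group tacacs+ local enable (constructed data)."""
    if local_users is None:
        local_users = {"admin": "Local-Pw-1", "keith": "Stale-Local-Pw"}
    return [
        TacacsGroup({"keith": "Central-Pw-1"}, reachable=tacacs_reachable),
        LocalDatabase(local_users),
        EnableSecret("Enable-S3cret"),
    ]


if __name__ == "__main__":
    up, down = build_my_list_1(True), build_my_list_1(False)
    print(run_method_list(up, "keith", "Stale-Local-Pw"))     # FAIL by tacacs+: local not consulted
    print(run_method_list(down, "keith", "Stale-Local-Pw"))   # PASS by local: server unreachable
    print(run_method_list(down, "keith", "Enable-S3cret"))    # FAIL by local: enable not consulted
    print(run_method_list(build_my_list_1(False, {}), "x", "Enable-S3cret"))  # PASS by enable
```

The first and third calls are the ones to remember: a stale local password is not a back door while the TACACS+ server is answering, and the trailing enable method is only reachable when every earlier method is unable to answer, not when they say no.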
Role-Based Access Control
The concept of role-based access control (RBAC) is to create a set of
permissions or limited access and assign that set of permissions to users or
groups.
Custom Privilege Levels
When you first connect to a console port on the router, you are placed
into user mode. User mode is really privilege level 1. This is represented by a
prompt that ends with >. Privileged EXEC (enable) mode is level 15, with a
prompt that ends with #; levels 2 through 14 are the custom levels to which
individual commands can be moved.
Limiting the Administrator by Assigning a View
A solution to this is to use parser views, also referred to as simply a
view. You can create a view and associate it with a subset of commands. When
the user logs in using this view, that same user is restricted to only being
able to use the commands that are part of his current view. You can also
associate multiple users with a single
view.
Encrypted Management Protocols
The problem with Telnet is that it uses plain text, and anyone who
gets a copy of those packets can identify our usernames and passwords used for
access and any other information that goes between administrator and the router
being managed (over the management plane). Secure Shell (SSH) provides
the same functionality as Telnet, in that it gives you a CLI to a router or
switch; unlike Telnet, however, SSH encrypts all the packets that are used in
the session.
For graphical user interface (GUI) management tools such as CCP, use HTTPS
rather than HTTP because, like SSH, it
encrypts the session, which provides confidentiality for the packets in that
session.
Using Logging Files
Administrators should, on a regular basis, analyze logs, especially from
their routers, in addition to logs from other network devices. Log output can
be sent to a variety of destinations:
+ Console: send log messages to an attached terminal
+ vty lines: messages appear on a Telnet/SSH session only after the user on
that vty line issues the terminal monitor command.
+ Buffer: log messages can be stored in router memory; when the router is
rebooted, these messages in the buffer memory are lost.
+ SNMP server
+ Syslog server
A syslog logging solution consists of two primary components: syslog
servers and syslog clients. A syslog server receives and stores log messages
sent from syslog clients such as routers and switches.
Understanding NTP
Network Time Protocol (NTP) uses UDP port 123, and it allows
network devices to synchronize their time. One benefit of having reliable
synchronized time is that log files and messages generated by the router can be
correlated.
Protecting Cisco IOS Files
To help protect a router from accidental or malicious tampering of the
IOS or startup configuration, Cisco offers a resilient configuration feature. The
secure files are referred to as a secure bootset; the administrator
cannot disable the features remotely.
Implementing Strong Passwords
R1(config)# username admin secret CeyeSc01$24
R1(config)# line console 0
R1(config-line)# password k4(1fmMsS1#
R1(config-line)# login
R1(config)# service password-encryption – obscure line and enable passwords in the configuration (not shown in clear text). This is the reversible Type 7 encoding, which only defends against someone reading over your shoulder; anything that can be stored as a secret (username secret, enable secret) should be, because a secret is a one-way hash.
User Authentication with AAA
R1(config)# aaa new-model
R1(config)# tacacs-server host 50.50.4.101
R1(config)# tacacs-server key ToUgHPaSsW0rD-1#7
R1(config)# aaa authentication login default local enable
R1(config)# aaa authentication login MY-LIST-1 group tacacs+ local enable
R1(config)# aaa authorization commands 1 TAC1 group tacacs+ local
R1(config)# aaa authorization commands 15 TAC15 group tacacs+ local
R1(config)# aaa accounting commands 1 TAC-act1 start-stop group tacacs+
R1(config)# aaa accounting commands 15 TAC-act15 start-stop group tacacs+
R1(config)# line vty 0 4
R1(config-line)# login authentication MY-LIST-1
R1(config-line)# authorization commands 1 TAC1
R1(config-line)# authorization commands 15 TAC15
R1(config-line)# accounting commands 1 TAC-act1
R1(config-line)# accounting commands 15 TA-act15
The default login list applies to every line (the console included) that has
no named list attached. In MY-LIST-1, the local and enable methods are reached
only when the TACACS+ server does not respond; a rejection from the server is
final.
Using the CLI to Troubleshoot AAA for Cisco Routers
+ debug aaa authentication
+ debug aaa authorization
+ debug aaa accounting
R1# test aaa group tacacs+ <username> <password> legacy – verify that the router can reach the AAA server and that the user authenticates
RBAC Privilege Level/Parser View
R2(config)# privilege exec level 8 configure terminal – assign a specific command to a level
R2(config)# enable secret level 8 0 NewPa5s123& – assign the level 8 enable password (the 0 means the password that follows is typed in clear text)
Implementing Parser Views
To restrict users without having to create custom privilege levels, you
can use a parser view, also referred to as simply a view. AAA must also be
enabled on the router, and you must enter the root view (using the enable
secret) before views can be created.
R2(config)# enable secret aBc!2#&iU
R2(config)# aaa new-model
R2# enable view
R2(config)# parser view New_VIEW
R2(config-view)# secret New_VIEW_PW
R2(config-view)# commands exec include ping
R2(config-view)# commands exec include all show
R2(config-view)# commands exec include configure
R2(config-view)# commands configure include access-list
R2> enable view New_VIEW
R2# show parser view
We could also assign this view to a user account, so that when users log
in with their username and password, they are automatically placed into their
view.
R2(config)# username Lois view New_VIEW secret cisco123
SSH and HTTPS
The hostname and domain name must be set before the RSA key pair can be
generated, and the SSH server should be restricted to version 2 only.
R1(config)# ip domain-name cisco.com
R1(config)# crypto key generate rsa – when prompted, choose a modulus of at least 2048 bits
R1(config)# aaa new-model
R1(config)# aaa authentication login Keith-List-1 local
R1(config)# line vty 0 4
R1(config-line)# login authentication Keith-List-1
R1(config-line)# transport input ssh – Telnet is no longer accepted on these lines
R1# ssh -l Keith 10.1.0.1
R1# show ssh
Implementing Logging Features
Logging is important as a tool for discovering events that are happening
in the network and for troubleshooting.
R1(config)# logging 10.1.1.200 – send syslog messages to the server at 10.1.1.200
R1(config)# logging trap notifications – send severity 5 (notifications) and more severe messages to the syslog server
R1(config)# logging buffered 4096 debugging – keep a 4096-byte in-memory log at severity 7 (every message)
SNMP Features
Simple Network Management Protocol (SNMP) has become a de facto standard for network management
protocols.
+ SNMP manager: runs a network management application, also called a network management
server (NMS).
+ SNMP agent: a piece of software that runs on a managed device
+ Management Information Base (MIB): information about a managed
device's resources and activity, defined by a series of objects
SNMP messages
+ GET: An SNMP GET message is used to retrieve information from a
managed device
+ SET: An SNMP SET message is used to set a variable in a managed
device or to trigger an action on a managed device
+ Trap: An SNMP trap message is an unsolicited message sent from a
managed device to an SNMP manager
The security integrated with SNMPv1 and SNMPv2c is weak: the only credential
is a community string, which travels in clear text in every packet, and a
read-write community string gives full control of the device.
SNMPv3 uses the concept of a security model and a
security level:
+ Security model: the security strategy for a user or group (v1, v2c, or
v3; only v3 supports authentication and encryption)
+ Security level:
+ noAuthNoPriv: no authentication beyond the username (v3) or community
string (v1/v2c), and no encryption to provide privacy
+ authNoPriv: authentication using HMAC with MD5/SHA and no encryption
+ authPriv: authentication using HMAC with MD5/SHA plus encryption with
DES-56 (current software also offers AES)
SNMPv3 offers three primary security enhancements:
+ Integrity
+ Authentication
+ Encryption
snmp-server location 192.168.1.96
snmp-server contact Bubba Jones
snmp-server community CCNA RO
snmp-server host 10.1.0.26 trap cisK0tRap^
CCNA-Router(config)# snmp-server community CCNA RO 99 – the community string is accepted only from sources permitted by ACL 99
CCNA-Router(config)# access-list 99 permit 192.168.1.0 0.0.0.255
CCNA-Router(config)# snmp-server group CCNA-group v3 noauth
CCNA-Router(config)# snmp-server user CCNA-user CCNA-group v3
CCNA-Router(config)# snmp-server trap-source FastEthernet0/1
CCNA-Router(config)# snmp-server host 192.168.1.96 version 3 noauth CCNA-user
The v3 group and user above use the noauth level, which gives SNMPv3 none of
its security benefits; in production, create the group with the priv security
level and the user with SHA authentication and AES privacy.
Configuring NTP
Because time is such an important factor, you should use Network Time
Protocol (NTP) to synchronize the time in the network so that events that
generate messages and time stamps can be correlated.
CCNA-Router(config)# ntp authentication-key 1 md5 141411050D 7 – define key 1 (the trailing 7 indicates the key value is shown in Type 7 encoded form, as in a saved configuration)
CCNA-Router(config)# ntp authenticate – require time sources to authenticate
CCNA-Router(config)# ntp trusted-key 1 – only key 1 is accepted for synchronization
CCNA-Router(config)# ntp update-calendar – periodically copy NTP time into the hardware clock
CCNA-Router(config)# ntp server 192.168.1.96 key 1 prefer source FastEthernet0/1
CCNA-Router# show ntp status
CCNA-Router# show ntp associations
Secure Copy Protocol
The Secure Copy (SCP) feature provides a secure and authenticated
method for copying device configurations or device image files. SCP runs over
SSH, so SSH must already be working. SCP also requires
that authentication, authorization, and accounting (AAA) authorization be
configured so that the device can determine whether the user has the correct
privilege level.
CCNA-Router(config)# ip scp server enable
Securing the Cisco IOS Image and Configuration Files
The Cisco Resilient Configuration feature is intended to improve the
recovery time by making a secure working copy of the IOS image and startup
configuration files (which are referred to as the primary bootset) that
cannot be deleted by a remote user.
R6(config)# secure boot-image
R6(config)# secure boot-config
R6# show secure bootset
Securing the Data Plane in IPv6
Understanding and Configuring IPv6
The Format of an IPv6 Address
+ Length: IPv6 addresses are 128 bits (16 bytes) long
+ Groupings: IPv6 addresses are segmented into eight groups of four hex
characters
+ Separation of groups: Each group is separated by a colon (:)
+ Length of mask: Usually 50 percent (64 bits long) for network ID, which
leaves 50 percent (also 64 bits) for interface ID (using a 64-bit mask)
+ Number of networks: The network part is allocated by Internet
registries; a 64-bit network part gives 2^64 (about 1.8 × 10^19) networks
R1(config-if)# ipv6 address 2001:0db8:0000:0000:1234:0000:0052:0001/64
(in compressed form, 2001:db8::1234:0:52:1/64: leading zeros in a group are
dropped and one run of all-zero groups is replaced by ::)
A link-local address is an IPv6 address that you can use to
communicate with other IPv6 devices on the same link (local broadcast
domain); it is never routed. It begins with FE80 (the FE80::/10 prefix).
IPv6 Address Types
+ Link-local address: Link-local addresses may be manually configured,
but if they are not, they are dynamically configured by the local host or
router itself.
+ Loopback address: In IPv6, the address is ::1
+ All-nodes multicast address: multicasts begin with FFxx. The IPv6
multicast group that all IPv6 devices join is FF02::1.
+ All-routers multicast address: routers that have had routing enabled
for IPv6 also join the multicast group FF02::2. By doing so, any client looking
for a router can send a request to this group address and get a response if
there is a router on the local network.
+ Unicast and anycast addresses: A global IPv6 address, unlike a
link-local address, is routable and can be reached through one or more routers
that are running IP routing and that have a correct routing table. Global IPv6
unicast addresses have the first four characters in the range of 2000 to 3FFF.
+ Solicited-node multicast address for each of its unicast and anycast
addresses: FF02::1:FF followed by the low-order 24 bits of the unicast
address; this is the group a neighbor solicitation (the IPv6 counterpart of an
ARP request) is sent to.
+ Multicast addresses of all other groups to which the host belongs.
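As an added example (not from the notes or from Cisco), the following Python uses the standard ipaddress module to classify addresses into the types listed above, compress the long form used in the ipv6 address command, and compute the solicited-node multicast groups an interface joins. The sample addresses are constructed; the 2001:db8::/32 prefix is the documentation range.

```python
import ipaddress

ALL_NODES = ipaddress.IPv6Address("ff02::1")
ALL_ROUTERS = ipaddress.IPv6Address("ff02::2")
SOLICITED_NODE_PREFIX = ipaddress.IPv6Network("ff02::1:ff00:0/104")
GLOBAL_UNICAST = ipaddress.IPv6Network("2000::/3")     # first group 2000 through 3FFF


def classify(text):
    """Name the IPv6 address type using the same categories as the list above."""
    addr = ipaddress.IPv6Address(text)
    if addr == ipaddress.IPv6Address("::1"):
        return "loopback"
    if addr == ipaddress.IPv6Address("::"):
        return "unspecified"
    if addr.is_link_local:                 # fe80::/10
        return "link-local"
    if addr == ALL_NODES:
        return "all-nodes multicast"
    if addr == ALL_ROUTERS:
        return "all-routers multicast"
    if addr in SOLICITED_NODE_PREFIX:
        return "solicited-node multicast"
    if addr.is_multicast:                  # anything else in ff00::/8
        return "multicast"
    if addr in GLOBAL_UNICAST:
        return "global unicast"
    return "other unicast"


def solicited_node(text):
    """FF02::1:FF00:0/104 with the low-order 24 bits of the unicast address appended."""
    low24 = int(ipaddress.IPv6Address(text)) & 0xFFFFFF
    return str(ipaddress.IPv6Address(int(SOLICITED_NODE_PREFIX.network_address) | low24))


def groups_joined(unicast_addrs, is_router):
    """Multicast groups an interface listens to, given its unicast/anycast addresses."""
    groups = {str(ALL_NODES)}
    if is_router:
        groups.add(str(ALL_ROUTERS))
    groups.update(solicited_node(a) for a in unicast_addrs)
    return sorted(groups)


def compress(text):
    """Canonical short form: drop leading zeros, longest all-zero run becomes ::."""
    return ipaddress.IPv6Address(text).compressed


if __name__ == "__main__":
    full = "2001:0db8:0000:0000:1234:0000:0052:0001"
    print(full, "->", compress(full), classify(full))
    # A global and a link-local address built from the same interface ID share one
    # solicited-node group, so a router with both joins three groups in total.
    print(groups_joined([compress(full), "fe80::1234:0:52:1"], is_router=True))
    for sample in ("::1", "fe80::1", "ff02::1", "ff02::2", "ff02::1:ff52:1", "fd00::1"):
        print(f"{sample:16s} {classify(sample)}")
```

Why this matters for the data plane: a filter that permits only 2000::/3 on an interface still has to allow FE80::/10 and FF02::/16 traffic, because neighbor discovery, router discovery and the solicited-node exchanges all use them. Blocking those addresses to be safe breaks IPv6 on the link.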
Implementing
Logging Features
Logging is important as a tool for discovering events that are happening
in the network and for troubleshooting.
logging 10.1.1.200
logging trap
notifications
logging buffered
4096 debugging
SNMP
Features
Simple Network Management Protocol (SNMP) has become a de facto standard for network management
protocols.
+ SNMP manager: runs a network management application, network management
server (NMS).
+ SNMP agent: is a piece of software that runs on a managed device
+ Management Information Base (MIB): Information about a managed
device’s resources and activity is defined by a series of objects
SNMP messages
+ GET: An SNMP GET message is used to retrieve information from a
managed device
+ SET: An SNMP SET message is used to set a variable in a managed
device or to trigger an action on a managed device
+ Trap: An SNMP trap message is an unsolicited message sent from a
managed device to an SNMP manager
The security integrated with SNMPv1 and SNMPv2c.
SNMPv3 uses the concept of a security model and a
security level:
+ Security model
+ Security level:
+ noAuthNoPriv: security
level uses community strings, does not use encryption to provide privacy
+ authNoPriv: authentication
using HMAC with MD5/SHA and no encryption
+ authPriv: HMAC MD5/SHA
with DES-56
SNMPv3 offers three primary security enhancements:
+ Integrity
+ Authentication
+ Encryption
snmp-server
location 192.168.1.96
snmp-server
contact Bubba Jones
snmp-server
community CCNA RO
snmp-server host
10.1.0.26 trap cisK0tRap^
CCNA-Router(config)#
snmp-server community CCNA RO 99
CCNA-Router(config)#
access-list 99 permit 192.168.1.0 /24
CCNA-Router(config)#
snmp-server group CCNA-group v3 noauth
CCNA-Router(config)#
snmp-server user CCNA-user CCNA-group v3
CCNA-Router(config)#
snmp-server community CCNA RO 99
CCNA-Router(config)#
snmp-server trap-source FastEthernet0/1
CCNA-Router(config)#
snmp-server host 192.168.1.96 version 3 noauth CCNA-user
Configuring
NTP
Because time is such an important factor, you should use Network Time
Protocol (NTP) to synchronize the time in the network so that events that
generate messages and time stamps can be correlated.
#ntp
authentication-key 1 md5 141411050D 7
#ntp authenticate
#ntp trusted-key 1
#ntp
update-calendar
#ntp server
192.168.1.96 key 1 prefer source FastEthernet0/1
CCNA-Router# show ntp status
CCNA-Router# show ntp association
Secure
Copy Protocol
The Secure Copy (SCP) feature provides a secure and authenticated
method for copying device configurations or device image files. SCP requires
that authentication, authorization, and accounting (AAA) authorization be
configured so that the device can determine whether the user has the correct
privilege level.
CCNA-Router(config)#
ip scp server enable
Securing the Cisco
IOS Image and Configuration Files
The Cisco Resilient Configuration feature is intended to improve the
recovery time by making a secure working copy of the IOS image and startup
configuration files (which are referred to as the primary bootset) that
cannot be deleted by a remote user.
R6(config)# secure boot-image
R6(config)# secure boot-config
R6# show secure
bootset
Securing
the Data Plane in IPv6
Understanding
and Configuring IPv6
The Format of an IPv6 Address
+ Length: IPv6 addresses are 128 bits (16 bytes) long
+ Groupings: IPv6 addresses are written as eight groups of four hex characters
+ Separation of groups: Each group is separated by a colon (:)
+ Length of mask: Usually 50 percent (64 bits) for the network ID, which leaves 50 percent (also 64 bits) for the interface ID (a /64 prefix)
+ Number of networks: The network part is allocated by Internet registries; with a 64-bit network part there are 2^64 (about 1.8 × 10^19) possible /64 networks
R1(config-if)# ipv6 address 2001:0db8:0000:0000:1234:0000:0052:0001/64
Leading zeros in a group may be dropped and one run of consecutive all-zero groups may be replaced by ::, so the same address can be written 2001:db8::1234:0:52:1/64.
A link-local address is an IPv6 address that you can use to communicate with other IPv6 devices on the same local network (the same Layer 2 segment). It begins with FE80 (the FE80::/10 range) and is never routed off the link.
IPv6 Address Types
Addresses an IPv6 node must recognize as its own:
+ Link-local address: Link-local addresses may be manually configured, but if they are not, they are generated by the local host or router itself (typically from the interface MAC address using modified EUI-64, or as a random interface ID).
+ Loopback address: In IPv6, the loopback address is ::1
+ All-nodes multicast address: multicast addresses begin with FFxx. The IPv6 multicast group that all IPv6 devices join is FF02::1.
+ All-routers multicast address: routers that have IPv6 routing enabled also join the multicast group FF02::2. Any client looking for a router can send a request to this group address and get a response if there is a router on the local network.
+ Unicast and anycast addresses: A global IPv6 address, unlike a link-local address, is routable and can be reached through one or more routers that are running IPv6 routing and have a correct routing table. Global IPv6 unicast addresses have the first four hex characters in the range 2000 to 3FFF (the 2000::/3 block).
+ Solicited-node multicast address for each of its unicast and anycast addresses: FF02::1:FFxx:xxxx, where xx:xxxx are the low 24 bits of the unicast address; neighbor solicitations are sent to this group instead of to all nodes.
+ Multicast addresses of all other groups to which the host belongs
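The address arithmetic behind the list above, as an added Python example written for these notes (it is not from the book): it expands and compresses the address used earlier, derives the link-local address a host autoconfigures from its MAC with the modified EUI-64 method, computes the solicited-node multicast group for a unicast address, and names the address types listed. The MAC address and sample addresses are constructed for illustration; only the standard library ipaddress module is used.

```python
import ipaddress

ALL_NODES = ipaddress.IPv6Address("ff02::1")
ALL_ROUTERS = ipaddress.IPv6Address("ff02::2")
SOLICITED_NODE_PREFIX = ipaddress.IPv6Network("ff02::1:ff00:0/104")
GLOBAL_UNICAST = ipaddress.IPv6Network("2000::/3")   # first hex group 2000-3FFF


def expand(addr: str) -> str:
    """Full eight-group form, leading zeros included."""
    return ipaddress.IPv6Address(addr).exploded


def compress(addr: str) -> str:
    """Shortest form: leading zeros dropped, longest zero run written as '::'."""
    return ipaddress.IPv6Address(addr).compressed


def eui64_link_local(mac: str) -> str:
    """Link-local address a host derives from its MAC (modified EUI-64):
    insert FF:FE in the middle of the MAC, flip the universal/local bit,
    and prepend the FE80::/64 prefix."""
    octets = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(octets) != 6:
        raise ValueError("expected a 48-bit MAC address")
    eui = bytearray(octets[:3] + b"\xff\xfe" + octets[3:])
    eui[0] ^= 0x02                       # U/L bit of the first octet
    iface_id = int.from_bytes(eui, "big")
    return str(ipaddress.IPv6Address((0xFE80 << 112) | iface_id))


def solicited_node(addr: str) -> str:
    """Solicited-node multicast group for a unicast/anycast address:
    FF02::1:FFxx:xxxx, where xx:xxxx are the low 24 bits of the address."""
    low24 = int(ipaddress.IPv6Address(addr)) & 0xFFFFFF
    base = int(SOLICITED_NODE_PREFIX.network_address)
    return str(ipaddress.IPv6Address(base | low24))


def classify(addr: str) -> str:
    """Name the address type in the same terms as the list above."""
    a = ipaddress.IPv6Address(addr)
    if a.is_loopback:
        return "loopback"
    if a == ALL_NODES:
        return "all-nodes multicast"
    if a == ALL_ROUTERS:
        return "all-routers multicast"
    if a in SOLICITED_NODE_PREFIX:
        return "solicited-node multicast"
    if a.is_multicast:
        return "multicast"
    if a.is_link_local:
        return "link-local unicast"
    if a in GLOBAL_UNICAST:
        return "global unicast"
    return "other unicast"


if __name__ == "__main__":
    mac = "00:1a:2b:3c:4d:5e"            # constructed sample MAC
    ll = eui64_link_local(mac)
    for label, value in [
        ("expanded", expand("2001:db8::1234:0:52:1")),
        ("compressed", compress("2001:0db8:0000:0000:1234:0000:0052:0001")),
        ("link-local from MAC", ll),
        ("solicited-node of link-local", solicited_node(ll)),
        ("type of ff02::2", classify("ff02::2")),
    ]:
        print(f"{label:30s} {value}")
```

The solicited-node group is why an attacker on the link can learn the MAC behind any IPv6 address: a neighbor solicitation to FF02::1:FFxx:xxxx reaches only the hosts whose addresses end in those 24 bits, and the matching host answers.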
Configuring IPv6 Routing
Dynamic routing protocols with the versions that support IPv6:
+ RIP, called RIP next generation (RIPng)
+ OSPFv3
+ EIGRP for IPv6
R1(config)# ipv6 unicast-routing – enable IPv6 routing (forwarding on behalf of other devices)
R1(config-if)# ipv6 enable – enable IPv6 on an interface (it gets a link-local address even without a global one)
R1(config-if)# ipv6 rip MYRIP enable – enable RIPng on an interface
R1(config-if)# ipv6 ospf 1 area 0 – enable OSPFv3 on an interface
R1(config-if)# ipv6 eigrp 1 – enable EIGRP for IPv6 on an interface
R1# show ipv6 protocols – show which IPv6 routing protocols run on the router
OSPFv3 and EIGRP for IPv6 need a 32-bit router ID; on a router with no IPv4 address, set it explicitly under the routing process. All three protocols exchange updates over link-local addresses, so the routing-protocol authentication recommended below (IPsec for OSPFv3, an MD5 key chain for EIGRP for IPv6) is what stops a rogue device on the link from injecting routes.
Best Practices Common to Both IPv4 and IPv6
+ Physical security: Keep the room where the router is housed secure, including free from electrostatic and magnetic interference.
+ Device hardening: Disable services, features, and interfaces that are not in use.
+ Control access between zones: Enforce a security policy that clearly identifies which packets are allowed between networks.
+ Routing protocol security: Use authentication with routing protocols to help stop rogue devices from abusing the information carried in routing updates by your routers.
+ Authentication, authorization, and accounting (AAA): Require AAA so that you know exactly who is accessing your systems, when they are accessing them, and what they are doing.
+ Mitigating DoS attacks: Denial of service refers to willful attempts to prevent legitimate users from reaching the resources they intend to use. Unicast Reverse Path Forwarding (uRPF) verification, which drops packets whose source address is not reachable through the interface they arrived on, is one way to assist with this, as are access lists.
+ Have and update a security policy
Threats Common to Both IPv4 and IPv6
+ Application layer attacks: place filters that allow only the required protocols through the network, using an ASA, the IOS zone-based firewall, or an IPS.
+ Unauthorized access: use AAA services to challenge the user for credentials, and then authorize that user for only the access they need.
+ Man-in-the-middle attacks: mitigate at Layer 2 with Dynamic ARP Inspection (DAI), which drops ARP replies that do not match the DHCP snooping binding table, and with the Spanning Tree Protocol guards (BPDU guard, root guard) that stop a rogue switch from taking over the topology.
+ Sniffing or eavesdropping: an attacker can overflow the switch CAM table, causing the switch to flood all frames to all other ports in the same VLAN. Use switch port security on the switches to limit the MAC addresses that can be learned on any single port.
+ Denial-of-service (DoS) attacks: packet inspection and rate limiting of suspicious traffic, physical security, firewall inspection, and IPS can all be used to help mitigate a DoS attack.
+ Spoofed packets: filtering traffic that is attempting to enter the network is one of the best first steps to mitigating this type of traffic.
+ Attacks against routers and other network devices: implement the techniques from the Network Foundation Protection (NFP) chapter to protect the control, management, and data planes.
Each device on an IPv6 network joins the multicast group FF02::1. So, if the attacker has local access to that network, he could ping that multicast group and get a response that reveals each device on the segment (at least those that answer multicast echo requests). FF02::1 is link-local in scope, so the attacker cannot use this technique remotely; he would have to be on the local network. Disabling an unused protocol stack (in this case an unused IPv6 stack) would appropriately mitigate this risk.
New Potential Risks with IPv6
+ Neighbor Discovery Protocol (NDP): Clients discover routers using NDP router solicitations and router advertisements, and resolve neighbors with neighbor solicitations and advertisements; none of these messages are authenticated by default, so a rogue device on the link can answer them.
+ Neighbor cache resource starvation: an attacker sweeping addresses in a /64 forces the router to create a neighbor cache entry for every unknown destination. The IPv6 Destination Guard feature blocks data traffic toward an unknown destination and filters IPv6 traffic based on the destination address.
+ DHCPv6: A rogue router that has fooled a client about being a router could also manipulate the client into using incorrect DHCP-learned information.
+ Hop-by-hop and other extension headers: One of the IPv6 extension headers is the Routing Header, type 0 (also referred to as RH0). RH0 can be used to identify a list of one or more intermediate nodes to be included on the path toward the final destination.
+ Packet amplification attacks: Using multicast addresses rather than IPv4 broadcast addresses could allow an attacker to trick an entire network into responding to a request.
+ ICMPv6: NDP, stateless autoconfiguration, and path MTU discovery all run over ICMPv6, so it cannot be blocked wholesale the way ICMPv4 often is, and forged ICMPv6 messages (router advertisements, redirects) are the basis of several of the attacks listed here.
+ Tunneling options: Tunneling IPv6 through IPv4 parts of a network may mean that the details inside the IPv6 packet are not inspected or filtered by the IPv4 network.
+ Autoconfiguration: stateless address autoconfiguration (SLAAC) trusts whatever router advertisement arrives, so a rogue advertisement can hand clients a bogus prefix or default router.
+ Dual stacks: If a device is running both IPv4 and IPv6 at the same time, the other protocol stack, if not secured, provides a potential vector for an attacker to remotely access the device.
+ Bugs in code: IPv6 stacks and extension-header parsers are younger and less exercised than their IPv4 counterparts, so implementation defects are more likely to remain.
IPv6 Best Practices
+ Filter bogus addresses: Drop, at the edge of your network, any addresses that should never be valid source or destination addresses. These are also referred to as bogon addresses.
+ Filter nonlocal multicast addresses: If you are not running multicast applications, you should never need multicast to be forwarded beyond a specific VLAN.
+ Filter ICMPv6 traffic that is not needed on your specific networks: Normal NDP uses ICMPv6 as its core protocol, and a path's maximum transmission unit (MTU) is also determined using ICMPv6 (Packet Too Big). Filter the unused parts of ICMPv6, never all of it.
+ Drop routing header type 0 packets: Routing header 0, also known as RH0, may contain many intermediate next hops, and if followed it lets an attacker control the path of a packet through a network. Cisco routers, by default, drop packets with this type of header (the ipv6 source-route command is the knob; verify it is not enabled).
+ Use manual tunnels rather than automatic tunnels: do not use automatic tunnel mechanisms such as 6to4.
+ Protect against rogue IPv6 devices:
+ IPv6 first-hop security binding table: This table is used to validate that IPv6 neighbors are legitimate.
+ IPv6 device tracking: This feature provides the IPv6 neighbor table with the ability to immediately reflect changes when an IPv6 host becomes inactive.
+ IPv6 port-based access list support: Similar to IPv4 port access control lists (PACL), this feature provides access control on Layer 2 switch ports for IPv6 traffic.
+ IPv6 RA Guard: reject rogue Router Advertisement (RA) messages that arrive at the network switch platform, typically by allowing RAs only on ports facing legitimate routers.
+ IPv6 ND Inspection: IPv6 ND inspection analyzes neighbor discovery messages to build a trusted binding table database, and IPv6 neighbor discovery messages that do not conform are dropped.
+ Secure Neighbor Discovery in IPv6 (SeND): cryptographically generated addresses and signed ND messages, which few host operating systems support.
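The first four practices above (bogon filtering, nonlocal multicast, unneeded ICMPv6, RH0) as an added Python model of the decision logic an edge filter applies. It was written for these notes and is not the book's material nor any Cisco feature. The packets are constructed dictionaries carrying only the fields the rules look at; the ICMPv6 allow-list is a choice for an Internet-facing edge (error messages and echo, no Neighbor Discovery) and is an assumption, not a standard.

```python
import ipaddress
from typing import Dict, List, Tuple

# Prefixes that are never legitimate on a packet crossing the network edge.
# 2001:db8::/32 (documentation) belongs on a real bogon list too; it is left
# out here only so the page's example addresses can serve as sample traffic.
BOGONS = [
    (ipaddress.IPv6Network("::/128"), "unspecified"),
    (ipaddress.IPv6Network("::1/128"), "loopback"),
    (ipaddress.IPv6Network("::ffff:0:0/96"), "IPv4-mapped"),
    (ipaddress.IPv6Network("fe80::/10"), "link-local, valid only on-link"),
    (ipaddress.IPv6Network("fc00::/7"), "unique local, not routed on the Internet"),
]

# ICMPv6 types an Internet edge needs (an assumption for this example):
# 1-4 are error messages (2 = Packet Too Big carries path MTU discovery),
# 128/129 are echo. Neighbor Discovery (133-137) is link-local only and
# never has a reason to cross the edge.
ICMPV6_ALLOWED_AT_EDGE = {1, 2, 3, 4, 128, 129}
ICMPV6 = 58          # next-header value of ICMPv6
ROUTING_HEADER = 43  # next-header value of the routing extension header


def edge_verdict(pkt: Dict) -> Tuple[str, str]:
    """Return ('drop', reason) or ('permit', '') for one packet at the edge.

    pkt is a constructed dict with: src, dst (address strings),
    next_headers (header numbers in order), rh_type (routing header type,
    when a routing header is present) and icmp_type (for ICMPv6).
    """
    src = ipaddress.IPv6Address(pkt["src"])
    dst = ipaddress.IPv6Address(pkt["dst"])
    headers = pkt.get("next_headers", [])

    # 1. Bogon source or destination, plus a multicast address as source.
    for net, why in BOGONS:
        if src in net:
            return "drop", f"bogon source ({why})"
        if dst in net:
            return "drop", f"bogon destination ({why})"
    if src.is_multicast:
        return "drop", "multicast address used as source"

    # 2. Nonlocal multicast: with no multicast applications nothing in
    #    ff00::/8 is forwarded; link-local scope (ff02::) never is anyway.
    if dst.is_multicast:
        scope = (int(dst) >> 112) & 0xF   # low nibble of the second byte
        return "drop", f"multicast destination (scope {scope:x}) at the edge"

    # 3. Routing header type 0 lets the sender dictate the path (deprecated
    #    by RFC 5095); other routing header types are left alone.
    if ROUTING_HEADER in headers and pkt.get("rh_type") == 0:
        return "drop", "routing header type 0 (RH0)"

    # 4. Only the ICMPv6 types the edge actually needs.
    if ICMPV6 in headers:
        t = pkt.get("icmp_type")
        if t not in ICMPV6_ALLOWED_AT_EDGE:
            return "drop", f"ICMPv6 type {t} not needed across the edge"

    return "permit", ""


def filter_batch(pkts: List[Dict]) -> List[Tuple[str, str]]:
    return [edge_verdict(p) for p in pkts]


# Constructed sample traffic (not a capture).
SAMPLE = [
    {"src": "2001:db8::100:1", "dst": "2001:db8:1:60::53", "next_headers": [17]},
    {"src": "fe80::1", "dst": "2001:db8:1::1", "next_headers": [6]},
    {"src": "::ffff:192.0.2.1", "dst": "2001:db8:1::1", "next_headers": [6]},
    {"src": "2001:db8:2::9", "dst": "ff02::1", "next_headers": [58], "icmp_type": 128},
    {"src": "2001:db8:2::9", "dst": "2001:db8:1::1", "next_headers": [43, 6], "rh_type": 0},
    {"src": "2001:db8:2::9", "dst": "2001:db8:1::1", "next_headers": [43, 6], "rh_type": 2},
    {"src": "2001:db8:2::9", "dst": "2001:db8:1::1", "next_headers": [58], "icmp_type": 2},
    {"src": "2001:db8:2::9", "dst": "2001:db8:1::1", "next_headers": [58], "icmp_type": 137},
]

if __name__ == "__main__":
    for pkt, (action, reason) in zip(SAMPLE, filter_batch(SAMPLE)):
        print(f"{pkt['src']:>20} -> {pkt['dst']:<18} {action:6} {reason}")
```

The order of the checks matters: a link-local source is rejected before the ICMPv6 rule is reached, so a forged router advertisement (type 134) from fe80:: never gets as far as the type check, while the packet-too-big message needed for path MTU discovery passes.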
IPv6 Access Control Lists
The configuration in Example 12-4 prevents unauthorized IPv6 packets to UDP port 53 (DNS) from entering the network on interface GigabitEthernet0/0. In this example, 2001:DB8:1:60::/64 represents the address space used by the DNS servers that the network administrator is trying to protect, and 2001:DB8::100:1 is the address of the one host that is allowed to reach them.
CCNA-Router-1(config)# ipv6 access-list IPv6-ACL
CCNA-Router-1(config-ipv6-acl)# permit udp host 2001:DB8::100:1 2001:DB8:1:60::/64 eq 53
CCNA-Router-1(config-ipv6-acl)# deny udp any 2001:DB8:1:60::/64 eq 53
CCNA-Router-1(config-ipv6-acl)# permit icmp any any nd-ns
CCNA-Router-1(config-ipv6-acl)# permit icmp any any nd-na
CCNA-Router-1(config-ipv6-acl)# deny ipv6 any any
CCNA-Router-1(config-ipv6-acl)# interface GigabitEthernet0/0
CCNA-Router-1(config-if)# ipv6 traffic-filter IPv6-ACL in
A single IPv6 address in an entry is written with the host keyword (or as a /128 prefix). Every IPv6 ACL carries three implicit entries at the end: permit icmp any any nd-na, permit icmp any any nd-ns, and deny ipv6 any any. Because the explicit deny ipv6 any any here matches before those implicit permits, the two ND permits must be written out as shown; leaving them out would silently break neighbor discovery on the interface. As written the list admits nothing but DNS from the one host and ND, so any other traffic that should enter via Gi0/0 needs its own permit before the final deny.
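How IOS walks that list, as an added Python model written for these notes (it is not Cisco code). Its point is the implicit-entry caveat: every IPv6 ACL ends with permit icmp any any nd-na, permit icmp any any nd-ns and deny ipv6 any any, and an explicit deny ipv6 any any such as the one in Example 12-4 sits before those implicit permits, so Neighbor Discovery survives only if the nd-ns and nd-na permits are written out. The entry syntax handled is a small subset (any, host X or X/len for source and destination; udp/tcp with eq port; icmp with nd-ns/nd-na; ipv6), and the packets are constructed.

```python
import ipaddress
from typing import Dict, List, Optional, Tuple

ND_NS, ND_NA = 135, 136                                    # ICMPv6 types IOS calls nd-ns / nd-na
PROTO = {"udp": 17, "tcp": 6, "icmp": 58, "ipv6": None}    # None = any protocol
ICMP_NAMES = {"nd-ns": ND_NS, "nd-na": ND_NA}

# Entries IOS appends to every IPv6 ACL after the configured ones.
IMPLICIT_ACES = [
    "permit icmp any any nd-na",
    "permit icmp any any nd-ns",
    "deny ipv6 any any",
]


def _parse_addr(tokens: List[str], i: int) -> Tuple[Optional[ipaddress.IPv6Network], int]:
    """Parse 'any', 'host X' or 'X/len' at tokens[i]; None means any."""
    if tokens[i] == "any":
        return None, i + 1
    if tokens[i] == "host":
        return ipaddress.IPv6Network(tokens[i + 1] + "/128"), i + 2
    return ipaddress.IPv6Network(tokens[i], strict=False), i + 1


def parse_ace(line: str) -> Dict:
    """Turn one access-list entry (the subset above) into match fields."""
    t = line.split()
    src, i = _parse_addr(t, 2)
    dst, i = _parse_addr(t, i)
    ace = {"action": t[0], "proto": PROTO[t[1]], "src": src, "dst": dst,
           "dport": None, "icmp_type": None, "text": line}
    if i < len(t):
        if t[i] == "eq":
            ace["dport"] = int(t[i + 1])
        elif t[i] in ICMP_NAMES:
            ace["icmp_type"] = ICMP_NAMES[t[i]]
    return ace


def matches(ace: Dict, pkt: Dict) -> bool:
    src = ipaddress.IPv6Address(pkt["src"])
    dst = ipaddress.IPv6Address(pkt["dst"])
    if ace["src"] is not None and src not in ace["src"]:
        return False
    if ace["dst"] is not None and dst not in ace["dst"]:
        return False
    if ace["proto"] is not None and ace["proto"] != pkt["proto"]:
        return False
    if ace["dport"] is not None and ace["dport"] != pkt.get("dport"):
        return False
    if ace["icmp_type"] is not None and ace["icmp_type"] != pkt.get("icmp_type"):
        return False
    return True


def evaluate(acl: List[str], pkt: Dict) -> Tuple[str, str]:
    """First-match evaluation with the implicit entries appended, as IOS does.
    Returns (action, text of the entry that matched)."""
    for line in list(acl) + IMPLICIT_ACES:
        ace = parse_ace(line)
        if matches(ace, pkt):
            return ace["action"], line
    raise AssertionError("unreachable: the implicit deny always matches")


# The ACL from Example 12-4, and the same list without the explicit ND permits.
IPV6_ACL = [
    "permit udp host 2001:DB8::100:1 2001:DB8:1:60::/64 eq 53",
    "deny udp any 2001:DB8:1:60::/64 eq 53",
    "permit icmp any any nd-ns",
    "permit icmp any any nd-na",
    "deny ipv6 any any",
]
ACL_WITHOUT_ND = [IPV6_ACL[0], IPV6_ACL[1], IPV6_ACL[4]]

# Constructed packets (not captures).
DNS_FROM_ALLOWED = {"src": "2001:db8::100:1", "dst": "2001:db8:1:60::53", "proto": 17, "dport": 53}
DNS_FROM_OTHER = {"src": "2001:db8::200:7", "dst": "2001:db8:1:60::53", "proto": 17, "dport": 53}
NEIGHBOR_SOLICIT = {"src": "fe80::1", "dst": "ff02::1:ff00:53", "proto": 58, "icmp_type": ND_NS}

if __name__ == "__main__":
    for name, pkt in [("DNS from allowed host", DNS_FROM_ALLOWED),
                      ("DNS from other host", DNS_FROM_OTHER),
                      ("neighbor solicitation", NEIGHBOR_SOLICIT)]:
        print(f"{name:24} {evaluate(IPV6_ACL, pkt)}")
        print(f"{'':24} without ND permits: {evaluate(ACL_WITHOUT_ND, pkt)}")
```

Run against the neighbor solicitation, the full list returns permit on the explicit nd-ns entry, while the list without the two ND permits returns deny on its own deny ipv6 any any, which is exactly the outage the caveat warns about.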