Sunday 4 February 2018

Hand notes-CCNA Security 210-260-Part-1

Confidentiality, Integrity, and Availability

Asset, Vulnerability, Threat, Risk, Countermeasure

+ Governmental classifications: Unclassified, Sensitive but unclassified (SBU), Confidential, Secret, Top secret
+ Private sector classifications: Public, Sensitive, Private, Confidential
+ Classification criteria: Value, Age, Replacement cost, Useful lifetime
+ Classification roles: Owner (the group ultimately responsible for the data, usually senior management of a company); Custodian (the group responsible for implementing the policy as dictated by the owner); User (those who access the data and abide by the rules of acceptable use for the data)

Traffic Light Protocol (TLP): RED, AMBER, GREEN, WHITE

Common control methods used to implement countermeasures include the following:
+ Administrative: written policies, procedures, guidelines, and standards
+ Physical: physical security for the network servers, equipment, and infrastructure
+ Logical: passwords, firewalls, intrusion prevention systems, access lists, VPN tunnels, and so on

A man-in-the-middle attack results when attackers place themselves in line between two devices that are communicating

Security Information and Event Management (SIEM) (not from the book)
It comes in three forms:
+ Security Information Management (SIM): log collection, archiving, historical reporting, forensics
+ Security Event Management (SEM): real time reporting, log collection, normalization, correlation, aggregation
+ SIM and SEM (SIEM): log collection, normalization, correlation, aggregation, reporting

+ Log collection of event records from sources throughout the organization provides important forensic tools and helps to address compliance reporting requirements.
+ Normalization maps log messages from different systems into a common data model, enabling the organization to connect and analyze related events, even if they are initially logged in different source formats.
+ Correlation links logs and events from disparate systems or applications, speeding detection of and reaction to security threats.
+ Aggregation reduces the volume of event data by consolidating duplicate event records.
+ Reporting presents the correlated, aggregated event data in real-time monitoring and long-term summaries.
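
Here is an added example, not from the notes, of those functions over constructed log lines in Python (standard library only). It normalizes an IOS-style login-failure message and a Linux sshd failure into one record shape, aggregates exact duplicates, and correlates failures per source address into an alert. The log lines, the field names, the year assumed for the syslog timestamps, and the alert threshold are all assumptions made for the demo.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample input (not real logs): IOS-style login failures and
# Linux sshd failures, mostly from the same attacking address, plus one
# unrelated line that the normalizer should ignore.
SAMPLE_LOGS = [
    "Feb  4 10:00:01 r1 %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: admin] [Source: 203.0.113.9] [localport: 22] [Reason: Login Authentication Failed]",
    "Feb  4 10:00:02 r1 %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: admin] [Source: 203.0.113.9] [localport: 22] [Reason: Login Authentication Failed]",
    "Feb  4 10:00:02 r1 %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: admin] [Source: 203.0.113.9] [localport: 22] [Reason: Login Authentication Failed]",
    "Feb  4 10:00:05 srv1 sshd[2211]: Failed password for root from 203.0.113.9 port 51022 ssh2",
    "Feb  4 10:00:09 srv1 sshd[2213]: Failed password for invalid user oracle from 203.0.113.9 port 51030 ssh2",
    "Feb  4 10:00:40 srv1 sshd[2240]: Failed password for bob from 198.51.100.7 port 40010 ssh2",
    "Feb  4 10:01:00 r1 %SYS-5-CONFIG_I: Configured from console by admin on vty0 (10.0.0.5)",
]

# One pattern per source format; each yields the same named fields.
IOS_FAIL = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) %SEC_LOGIN-4-LOGIN_FAILED: "
    r"Login failed \[user: (?P<user>[^\]]+)\] \[Source: (?P<src>[^\]]+)\]")
SSHD_FAIL = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) sshd\[\d+\]: Failed password for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<src>\S+) port \d+")

def parse_ts(text, year=2018):
    # Syslog timestamps carry no year; assume the year the logs were collected.
    return datetime.strptime(f"{year} {text}", "%Y %b %d %H:%M:%S")

def normalize(line):
    """Map one raw line onto the common data model, or None if it is not an auth failure."""
    for fmt, rx in (("ios", IOS_FAIL), ("sshd", SSHD_FAIL)):
        m = rx.match(line)
        if m:
            return {"ts": parse_ts(m["ts"]), "host": m["host"], "user": m["user"],
                    "src": m["src"], "event": "auth_failure", "format": fmt}
    return None

def aggregate(records):
    """Consolidate duplicates: same second, host, source, user and event become one record with a count."""
    counts, first = defaultdict(int), {}
    for r in records:
        key = (r["ts"], r["host"], r["src"], r["user"], r["event"])
        counts[key] += 1
        first.setdefault(key, r)
    return [dict(first[k], count=c) for k, c in counts.items()]

def correlate(records, threshold=4, window=timedelta(minutes=5)):
    """Alert when one source address accumulates `threshold` failures, across any hosts, inside `window`."""
    by_src = defaultdict(list)
    for r in sorted(records, key=lambda r: r["ts"]):
        by_src[r["src"]].append(r)
    alerts = []
    for src, recs in by_src.items():
        for i, start in enumerate(recs):
            in_window = [r for r in recs[i:] if r["ts"] - start["ts"] <= window]
            total = sum(r["count"] for r in in_window)
            if total >= threshold:
                alerts.append({"src": src, "failures": total,
                               "hosts": sorted({r["host"] for r in in_window}),
                               "first": start["ts"], "last": in_window[-1]["ts"]})
                break  # one alert per source is enough for this demo
    return alerts

def run(lines=SAMPLE_LOGS):
    """Collect -> normalize -> aggregate -> correlate; returns all three stages."""
    normalized = [r for r in map(normalize, lines) if r]
    aggregated = aggregate(normalized)
    return normalized, aggregated, correlate(aggregated)

if __name__ == "__main__":
    n, a, alerts = run()
    print(f"{len(n)} normalized records, {len(a)} after aggregation")
    for al in alerts:
        print(f"ALERT: {al['failures']} failures from {al['src']} against {al['hosts']}")
```

The correlation only becomes possible after normalization: the router and the Linux host describe the same attacker in different formats, and only the common `src` field lets the counts be combined.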

Additional Attack Methods:
Covert channel, Trust exploitation, Brute-force (password guessing) attacks, Botnet, DoS and DDoS

Guidelines for Secure Network Architecture: Rule of least privilege, Defense in depth, Separation of duties, Auditing

DDoS attacks can generally be divided into the following three categories: Direct, Reflected, Amplification

Social Engineering Tactics: Phishing, Malvertising, Phone scams

Defenses Against Social Engineering: Password management, Two-factor authentication, Antivirus/antiphishing defenses, Change management, Information classification, Document handling and destruction, Physical security

Methods Available for Malware Identification: Packet captures, Snort, NetFlow, IPS events, Advanced Malware Protection, NGIPS

Several types of data: Intellectual property (IP), Personally identifiable information (PII), Credit/debit cards

The most popular option moving forward is to install the ACS server logically in a VMware environment such as an ESXi server with ACS running as a virtual machine.

Identity Services Engine (ISE) is an identity and access control policy platform that can validate that a computer meets the requirements of a company’s policy related to virus definition files, service pack levels, and so on before allowing the device on the network.

Implementing AAA in Cisco IOS
Two main protocols may be used between the ACS server and its client (such as a router that is using the ACS server to verify authentication requests): TACACS+ (pronounced TACKAXE, you do not need to say the +) and RADIUS (pronounced RAY-D-US). TACACS+ runs over TCP port 49, encrypts the whole packet body, and keeps authentication, authorization, and accounting as separate functions, which is why it is preferred for device administration (per-command authorization). RADIUS runs over UDP (1812/1813, or the older 1645/1646), encrypts only the password field, and combines authentication with authorization; it is the usual choice for network access (802.1X, VPN users).

Using the CLI to Configure IOS for Use with ACS
R1(config)# aaa new-model
! Named method lists: try the TACACS+ server group first, fall back to the local
! database if no server answers (so you are not locked out when ACS is down)
R1(config)# aaa authentication login AUTHEN_via_TACACS group tacacs+ local
R1(config)# aaa authorization exec Author-Exec_via_TACACS group tacacs+ local
! Local account used by the fallback method (privilege 15 = full access)
R1(config)# username admin privilege 15 secret cisco
! Shared key must match what the ACS server has configured for this client
R1(config)# tacacs-server host 192.168.1.252 key cisco123
R1(config)# do ping 192.168.1.252
! Apply the named lists to the VTY lines (SSH/Telnet); the console keeps the default list
R1(config)# line vty 0 4
R1(config-line)# authorization exec Author-Exec_via_TACACS
R1(config-line)# login authentication AUTHEN_via_TACACS

Verify
R1# debug tacacs
R1# debug aaa authentication
R1# debug aaa authorization

R1# test aaa group tacacs+ admin cisco123 legacy

There are many different ways to implement a BYOD (Bring Your Own Device) solution, and each organization must decide on the level of openness and flexibility it wants to enable its employees in terms of the type of devices they can connect and the amount of access each of these devices will be granted.

Identity Services Engine (ISE): The Cisco ISE is a critical piece to the Cisco BYOD solution. It is the cornerstone of the authentication, authorization, and accounting (AAA) requirements for endpoint access, which are governed by the security policies put forth by the organization.
                                                      
Integrated Services Routers (ISR): Cisco ISRs will be used in the Cisco BYOD solution to provide WAN and Internet access for the branch offices and Internet access for home office environments. In addition, the ISR will provide both wired and WLAN connectivity in the branch office environments. Finally, the ISRs can be leveraged to provide VPN connectivity for mobile devices that are part of the BYOD solution.

Aggregation Services Routers (ASR): Cisco Aggregation Services Routers (ASR) provide WAN and Internet access at the corporate campus and serve as aggregation points for all the branch and home office networks connecting back to the corporate campus for the Cisco BYOD solution.

Cloud Web Security (CWS): Formerly ScanSafe, Cisco Cloud Web Security (CWS) provides enhanced security for all the BYOD solution endpoints while they access Internet websites using publicly available wireless hotspots and 3G, 4G, and 4G LTE mobile networks.

Adaptive Security Appliance (ASA): The Cisco ASA provides all the standard security functions for the BYOD solution at the Internet edge. In addition to traditional firewall and intrusion prevention system (IPS) functions, the ASA also serves as a VPN termination point for mobile devices connecting over the Internet from home offices, branch offices, public wireless networks, and 3G/4G/4G LTE mobile networks.

RSA SecurID: The RSA SecurID server provides one-time password (OTP) generation and logging for users that access network devices and other applications which require OTP authentication.

Active Directory: The Active Directory (AD) server enforces access control to the network, to servers, and to applications. It restricts access to those users with valid authentication credentials.

Certificate authority: The certificate authority (CA) server provides for, among other things, the onboarding of endpoints that meet certificate requirements for access to the corporate network. The CA server ensures that only devices with corporate certificates can access the corporate network.

Mobile Device Management
The function of mobile device managers, also known as mobile device management (MDM), is to deploy, manage, and monitor the mobile devices that make up the Cisco BYOD solution.
Uses: PIN lock, strong passwords, detection of attempts to “jailbreak” or “root”, data encryption requirements, remotely wipe a stolen or lost BYOD, administration and execution of data loss prevention (DLP).

On-Premise MDM Deployment: MDM application software is installed on servers that are located within the corporate data center and are completely supported and maintained by the network staff of the corporation.
Cloud-Based MDM Deployment: In a cloud-based MDM deployment, MDM application software is hosted by a managed service provider who is solely responsible for the deployment, management, and maintenance of the BYOD solution.

Types of VPNs
+ IPSec: Implements security of IP packets at Layer 3 of the OSI model, and can be used for site-to-site VPNs and remote-access VPNs.
+ SSL: Secure Sockets Layer (in practice its successor, TLS) protects TCP sessions, so it sits above the transport layer (Layers 5-6 of the OSI model) rather than at Layer 3. It can be used for remote-access VPNs (as well as for securely visiting a web server that supports it via HTTPS).
+ MPLS: Multiprotocol Label Switching and MPLS Layer 3 VPNs are provided by a service provider to allow a company with two or more sites to have logical connectivity between the sites using the service provider network for transport.

Two Main Types of VPNs
+ Remote-access VPNs: Some users might need to build a VPN connection from their individual computer to the corporate headquarters (or to the destination they want to connect to).
+ Site-to-site VPNs: The other main VPN implementation is by companies that may have two or more sites that they want to connect securely together (likely using the Internet) so that each site can communicate with the other site or sites.

Main Benefits of VPNs: Confidentiality, Data integrity, Authentication, Antireplay protection

Cryptography Basic Components

Ciphers: A cipher is a set of rules, which can also be called an algorithm, about how to perform encryption or decryption. Classical types: substitution, polyalphabetic, transposition.
Keys: The secret input that the cipher combines with the plaintext. A one-time pad (OTP) is the extreme case: a random key as long as the message, used exactly once.

A block cipher is a symmetric-key cipher (same key to encrypt and decrypt) that operates on a fixed-size group of bits called a block.
+ Advanced Encryption Standard (AES): 128-bit block; the current standard
+ Triple Data Encryption Standard (3DES): 64-bit block; legacy
+ Blowfish
+ Data Encryption Standard (DES): 56-bit key; broken, legacy only
+ International Data Encryption Algorithm (IDEA)

A stream cipher is a symmetric-key cipher (same key to encrypt and decrypt) that generates a key stream, also called a cipher digit stream, and combines it with the plaintext one bit (or byte) at a time, typically with XOR.

Symmetric and Asymmetric Algorithms

A symmetric encryption algorithm, also known as a symmetrical cipher, uses the same key to encrypt the data and decrypt the data. It is much faster and needs far less CPU than asymmetric cryptography; a key of at least 128 bits is the minimum for safety.

An asymmetric algorithm is a public-key algorithm. We use two different keys that mathematically work together as a pair. Let’s call these keys the public key and private key.
Asymmetric operations are CPU-heavy, so we use them for things such as authenticating a VPN peer or generating keying material that we then use with our symmetrical algorithms for the bulk data.
+ RSA: Public Key Cryptography Standard (PKCS) #1; historically deployed with 512- to 2048-bit keys, but anything under 2048 bits should no longer be used
+ DH: Diffie-Hellman; generates symmetrical keys that can then be used with symmetrical algorithms
+ ElGamal
+ DSA
+ ECC
A typical key length used in asymmetrical algorithms such as RSA and DH is between 2048 and 4096 bits; a key shorter than 2048 bits is considered unreliable or not as secure as a longer key. ECC keys are much shorter (256 or 384 bits) for a comparable security level, which is why ECC is preferred in the newer suites (see Next-Generation Encryption below).

Hashes
Hashing is a method used to verify data integrity. A cryptographic hash function is a process that takes a block of data and creates a small fixed-size hash value (digest). It is not possible (at least not realistically) to generate the same hash from a different block of data; this is referred to as collision resistance.
+ Message digest 5 (MD5): This creates a 128-bit digest. Collisions are practical to compute, so do not use it in new designs.
+ Secure Hash Algorithm 1 (SHA-1): This creates a 160-bit digest. Also considered broken for collision resistance.
+ Secure Hash Algorithm 2 (SHA-2): Options include a digest between 224 bits and 512 bits (SHA-256 is the common choice).

Hashed Message Authentication Code (HMAC) uses the mechanism of hashing, but it kicks it up a notch. Instead of using a hash that anyone can calculate, it includes in its calculation a secret key of some type.
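
As an added example (not from the book or these notes), here is that difference in Python using only the standard library: an on-path attacker who changes a message can simply recompute a bare digest, but cannot produce a valid HMAC without the key. The key, the messages and the “amount” field are constructed for the demo; the last function checks the HMAC implementation against test case 2 of RFC 4231.

```python
import hashlib
import hmac
import secrets

SHARED_KEY = secrets.token_bytes(32)   # known only to the two peers (constructed here)

def bare_digest(message: bytes) -> bytes:
    """'Integrity' with an unkeyed hash: anyone on the path can recompute it."""
    return hashlib.sha256(message).digest()

def hmac_tag(key: bytes, message: bytes) -> bytes:
    """HMAC-SHA256: the hash is keyed, so producing a valid tag requires the key."""
    return hmac.new(key, message, hashlib.sha256).digest()

def verify_hmac(key: bytes, message: bytes, tag: bytes) -> bool:
    # compare_digest runs in constant time, so the comparison does not leak
    # how many leading bytes of a forged tag happened to be correct.
    return hmac.compare_digest(hmac_tag(key, message), tag)

def on_path_attacker(message: bytes, check_value: bytes, keyed: bool):
    """Rewrite the message in transit and return what the attacker can attach.
    Against a bare hash the attacker recomputes the digest; against an HMAC
    the best an attacker without the key can do is reuse the old tag."""
    tampered = message.replace(b"amount=100", b"amount=9000")
    return tampered, (check_value if keyed else bare_digest(tampered))

def demo():
    """Return (bare_hash_forgery_accepted, hmac_forgery_accepted)."""
    message = b"from=alice;to=bob;amount=100"
    # Receiver A trusts a bare SHA-256 digest that travels with the message.
    m1, d1 = on_path_attacker(message, bare_digest(message), keyed=False)
    bare_accepted = bare_digest(m1) == d1
    # Receiver B verifies an HMAC computed with the shared key.
    m2, t2 = on_path_attacker(message, hmac_tag(SHARED_KEY, message), keyed=True)
    hmac_accepted = verify_hmac(SHARED_KEY, m2, t2)
    return bare_accepted, hmac_accepted

def rfc4231_case2_ok() -> bool:
    """Known-answer check: HMAC-SHA-256 test case 2 from RFC 4231."""
    expected = "5bdcc146bf60754e6a042426089575c75a003f089d2739839dec58b964ec3843"
    return hmac_tag(b"Jefe", b"what do ya want for nothing?").hex() == expected

if __name__ == "__main__":
    print("bare hash forgery accepted: %s, HMAC forgery accepted: %s" % demo())
    print("RFC 4231 known answer matches:", rfc4231_case2_ok())
```

This is exactly why IPsec and TLS use HMAC (or an AEAD mode) for integrity rather than a plain MD5/SHA digest of the packet.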

Digital Signatures
Offers Authentication, Data integrity, Nonrepudiation. Digital signatures involve public and private key pairs, hashing, and encryption.

Bob and Lois get digital certificates from a certificate authority (CA) and exchange them; each certificate contains its owner’s public key. Bob takes the packet that he wants to send to Lois and computes a hash of it, then encrypts the hash with his private key (the pair of the public key in his certificate), attaches the encrypted hash (the signature) to the packet and sends it to Lois. Lois uses Bob’s public key (from the certificate Bob sent her) to decrypt the hash. She then hashes the received packet herself with the same hash algorithm and compares the result against what she decrypted. If they match, the packet is genuine (integrity) and it came from Bob (authentication), because only Bob’s private key could have produced a signature that his public key opens. “Encrypting the hash” is the textbook simplification; real RSA signatures also apply a padding scheme (PKCS#1 v1.5 or PSS) before the private-key operation.

Key Management
Deals with generating keys, verifying keys, exchanging keys, storing keys, and, at the end of their lifetime, destroying keys. For a given algorithm, a bigger key means a larger keyspace and therefore more resistance to brute force; key sizes are not comparable across algorithms (a 256-bit ECC key is roughly as strong as a 3072-bit RSA key). The only negative of having an extremely long key is that the longer the key, the more CPU is used for the encryption and decryption of data.

Next-Generation Encryption Protocols
The U.S. government selected and recommended a set of cryptographic standards called Suite B:
+ Elliptic Curve Cryptography (ECC): replaces RSA signatures with the ECC Digital Signature Algorithm (ECDSA), and replaces the DH key exchange with ECDH
+ AES in the Galois/Counter Mode (GCM) of operation (an authenticated-encryption mode, so no separate HMAC is needed)
+ SHA-256, SHA-384, and SHA-512

IPsec and SSL

IPsec
A collection of protocols and algorithms used to protect IP packets at Layer 3.
+ ESP and AH: Encapsulating Security Payload (ESP, IP protocol 50) provides confidentiality, integrity, authentication, and anti-replay. Authentication Header (AH, IP protocol 51) provides integrity, authentication, and anti-replay but no encryption; because AH also covers the outer IP header it does not survive NAT, so ESP is what is deployed in practice.
+ Encryption algorithms for confidentiality: DES, 3DES, AES
+ Hashing algorithms for integrity: MD5, SHA
+ Authentication algorithms: Pre-shared keys (PSK), RSA digital signatures
+ Key management: Diffie-Hellman (DH) dynamically generate symmetrical keys to be used by symmetrical algorithms; PKI, which supports the function of digital certificates issued by trusted CAs; Internet Key Exchange (IKE), which does a lot of the negotiating and management for us for IPsec to operate.

SSL
The convenient thing about SSL is that almost every web browser on every computer supports it, so almost anyone who has a computer can use it.

Public and Private Key Pairs
A key pair is a set of two keys that work in combination with each other as a team. In a typical key pair, you have one public key and one private key.

RSA Algorithm, the Keys, and Digital Certificates

Certificate Authorities
A certificate authority is a computer or entity that creates and issues digital certificates. Inside of a digital certificate is information about the identity of a device, such as its IP address or fully qualified domain name (FQDN), and the public key of that device.
Contains:
+ IP address and/or fully qualified domain name (FQDN) of the subject
+ public key
+ validity dates for the certificate
+ URL (CRL distribution point) that other devices can check to see whether this certificate has been revoked

A company can set up its own internal CA and then configure each of its end devices to trust the certificates issued by that internal CA.

Root and Identity Certificates

A digital certificate can be thought of as an electronic document that identifies a device or person. It includes information such as the name of a person or organization, their address, and the public key of that person or device.

Root certificates identify the CA; identity certificates identify devices.


Root Certificate
A root certificate contains the public key of the CA server and the other details about the CA server. It is self-signed (the issuer and the subject are the same CA), so trust in it comes from how you obtained and verified it, not from its signature.
Includes: Serial number, Issuer, Validity dates, Subject of the certificate, Public key, Thumbprint algorithm and thumbprint.

Identity Certificate
An identity certificate is similar to a root certificate, but it describes the client and contains the public key of an individual host (the client).

X.500 and X.509v3 Certificates

X.500 is a series of standards focused on directory services and how those directories are organized. Many popular network operating systems have been based on X.500, including Microsoft Active Directory. A common protocol that is used to do lookups from a directory is called Lightweight Directory Access Protocol (LDAP). X.509 is the certificate standard from the same family; version 3 (X.509v3) added extensions, which is where fields such as subject alternative names, key usage, and the CRL distribution point live.

Authenticating and Enrolling with the CA
Step 1. Authenticate the CA: after downloading the root certificate, use an out-of-band method, such as a telephone call to the CA administrator, to compare the root certificate’s fingerprint (thumbprint) and validate it. Skipping this step means trusting whatever certificate the network handed you.
Step 2. Enroll: generate a public-private key pair and include the public key portion in the request for your own identity certificate; the CA takes all of your information and generates an identity certificate for you, which includes your public key, and sends this certificate back to you. The private key never leaves the device.

Public Key Cryptography Standards
+ PKCS#10: This is a format of a certificate request sent to a CA that wants to receive its identity certificate. This type of request would include the public key for the entity desiring a certificate.
+ PKCS#7: Cryptographic Message Syntax; a format that can be used by a CA as a response to a PKCS#10 request (it can carry the issued certificate together with the CA chain).
+ PKCS#1: RSA Cryptography Standard
+ PKCS#12: A format for storing both public and private keys using a symmetric password-based key to “unlock” the data whenever the key needs to be used or accessed.
+ PKCS#3: Diffie-Hellman key exchange

Simple Certificate Enrollment Protocol
Simple Certificate Enrollment Protocol (SCEP) can automate most of the process for requesting and installing an identity certificate.

Revoked Certificates
If a certificate revocation list (CRL) is checked, and the certificate from the peer is on that list, the authentication stops at that moment. To check whether certificates have been revoked:
+ Certificate revocation list (CRL): A CRL could be very large and can be accessed by LDAP or HTTP.
+ Online Certificate Status Protocol (OCSP): a client simply sends a request to find the status of a single certificate and gets a response without having to know the complete list of revoked certificates.
+ Authentication, authorization, and accounting (AAA): a Cisco device can additionally ask a AAA server whether a given (otherwise valid) certificate is allowed to authenticate; this complements CRL/OCSP rather than replacing them.

Uses for Digital Certificates
+ can be used when you do online banking from your PC to the bank’s website
+ if you use SSL technology for your remote-access VPNs you can also use digital certificates for authenticating the peers
+ use digital certificates with the protocol family of IPsec
+ can also be used with protocols such as 802.1X, which involves authentication at the edge of the network

PKI Topologies
Single Root CA – one trusted CA with tens of thousands of customers who want to authenticate that CA
Hierarchical CA with Subordinate CAs - The root CA delegates the authority (to the subordinate CAs) to create and assign identity certificates to clients.
Putting the Pieces of PKI (public key infrastructure) to Work

The problem with a self-signed certificate is that no browsers or other devices will have the ASA listed as a trusted CA, and HTTPS connections to the ASA, such as an administrator who wants to run ASDM, will receive a warning message that the certificate is not trusted.

Generate a new public-private pair (the label must match the keypair referenced by the trustpoint)
Keith-asa1(config)# crypto key generate rsa label My-Key-Pair modulus 2048 noconfirm

Keith-asa1(config)# crypto ca trustpoint New-CA-to-Use
Keith-asa1(config-ca-trustpoint)# keypair My-Key-Pair
Keith-asa1(config-ca-trustpoint)# id-usage ssl-ipsec
Keith-asa1(config-ca-trustpoint)# no fqdn
Keith-asa1(config-ca-trustpoint)# subject-name CN=ciscoas
Keith-asa1(config-ca-trustpoint)# enrollment url http://192.168.1.105
Keith-asa1(config-ca-trustpoint)# exit
Download and validate the CA (root) certificate (Step 1 above); nointeractive skips the fingerprint prompt, so verify the fingerprint out of band
Keith-asa1(config)# crypto ca authenticate New-CA-to-Use nointeractive

Request the identity certificate over SCEP (Step 2 above)
Keith-asa1(config)# crypto ca enroll New-CA-to-Use noconfirm

IPsec Concepts, Components, and Operations

IPsec has four fundamental goals:
+ Confidentiality → encryption
+ Data integrity → hashing (HMAC)
+ Peer authentication → pre-shared keys (PSK) or RSA digital signatures
+ Antireplay → integrated into IPsec; each packet carries a sequence number and the receiver rejects repeats with a sliding window

The Internet Key Exchange (IKE) Protocol
IPsec uses the Internet Key Exchange (IKE) protocol to negotiate and establish secured site-to-site or remote-access virtual private network (VPN) tunnels. In IKE Phase 1 the IPsec peers negotiate protection for IKE itself and authenticate each other. In Phase 2 they negotiate keying material and algorithms for the encryption of the data being transferred over the IPsec tunnel.
+ IKEv2 enhances the function of performing dynamic key exchange and peer authentication.
+ Both IKEv1 and IKEv2 operate in two phases. IKEv2 provides a simpler and more efficient exchange (fewer messages, NAT traversal and liveness checks built into the protocol, EAP authentication for remote access).

In IKEv2 the first message pair, IKE_SA_INIT, negotiates the IKE SA (algorithms, DH exchange, nonces), which corresponds to IKEv1 Phase 1. The second pair, IKE_AUTH, authenticates the peers and at the same time creates the first CHILD_SA (the IPsec SA), which corresponds to IKEv1 Phase 2. Additional IPsec SAs and rekeys use the CREATE_CHILD_SA exchange.

The Play by Play for IPsec

Step 1: Negotiate the IKEv1 Phase 1 Tunnel
This tunnel (once established) is not going to be used to forward user packets, but rather only to protect management traffic related to the VPN between the two routers. Five basic items need to be agreed upon between the two VPN devices/gateways (in this case, the two routers) for the IKE Phase 1 tunnel to succeed, as follows:
+ Hash algorithm, MD5 or SHA
+ Encryption algorithm, DES (weak), 3DES (better) or AES (best)
+ Diffie-Hellman (DH) group to use; the DH “group” refers to the modulus size (length of the key) or, for groups 19 and 20, the elliptic curve. The purpose of DH is to generate shared secret keying material (symmetric keys) that may be used by the two VPN peers for symmetrical algorithms, such as AES. Groups 1 and 2 (768- and 1024-bit) are too weak today; use group 14 (2048-bit) or the ECC groups 19/20.
+ Authentication method: PSK or RSA signatures
+ Lifetime: How long until this IKE Phase 1 tunnel should be torn down.
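
As an added example (not from the book or these notes), here is the Phase 1 matching rule in Python: the responder walks its own policies from the lowest priority number up and accepts the first one whose encryption, hash, DH group and authentication method all match one of the initiator’s proposals; lifetimes do not have to match, the shorter one is used. The policy tables for R1 and R2 are constructed, and the mismatch report is the kind of diff you want when show crypto isakmp sa is stuck in MM_NO_STATE.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class IsakmpPolicy:
    priority: int          # lower number = tried first
    encryption: str        # "des", "3des", "aes", "aes 192", "aes 256"
    hash: str              # "md5" or "sha"
    group: int             # DH group number
    authentication: str    # "pre-share" or "rsa-sig"
    lifetime: int = 86400  # seconds (IOS default)

    def same_proposal(self, other) -> bool:
        """The four attributes that must be identical on both peers."""
        return (self.encryption, self.hash, self.group, self.authentication) == \
               (other.encryption, other.hash, other.group, other.authentication)

def negotiate(responder, initiator):
    """Return (responder_policy, initiator_policy, lifetime) or None.
    Mirrors IOS: the responder compares its highest-priority policy against every
    proposal received, then its next policy, and so on; the lifetime is the smaller."""
    for rp in sorted(responder, key=lambda p: p.priority):
        for ip in sorted(initiator, key=lambda p: p.priority):
            if rp.same_proposal(ip):
                return rp, ip, min(rp.lifetime, ip.lifetime)
    return None

def mismatch_report(responder, initiator):
    """When nothing matches: attribute-by-attribute diff of each peer's best policy."""
    rp = min(responder, key=lambda p: p.priority)
    ip = min(initiator, key=lambda p: p.priority)
    fields = ("encryption", "hash", "group", "authentication")
    return {f: (getattr(rp, f), getattr(ip, f))
            for f in fields if getattr(rp, f) != getattr(ip, f)}

# Constructed example policies (not the notes' configuration).
R1 = [IsakmpPolicy(10, "aes 256", "sha", 14, "pre-share", lifetime=3600),
      IsakmpPolicy(20, "aes", "md5", 2, "pre-share", lifetime=21600)]
R2 = [IsakmpPolicy(10, "3des", "sha", 2, "pre-share"),
      IsakmpPolicy(20, "aes", "md5", 2, "pre-share")]

def demo():
    """R1 initiates, R2 responds; then the same with R2 reduced to its policy 10."""
    chosen = negotiate(R2, R1)
    broken = negotiate(R2[:1], R1)
    return chosen, broken, mismatch_report(R2[:1], R1)

if __name__ == "__main__":
    (rp, ip, life), broken, diff = demo()
    print(f"matched R2 policy {rp.priority} with R1 policy {ip.priority}, lifetime {life}s")
    print("after removing R2 policy 20:", broken, "differences:", diff)
```

Note that R2 never picks R1’s stronger policy 10, because nothing on R2 matches it: a strong policy on one side only helps if the other side has it too, and the fallback policies end up defining the real security level.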


Step 2: Run the DH Key Exchange
DH allows two devices that do not yet have a secure connection to establish shared secret keying material (keys that can be used with symmetrical algorithms, such as AES).

Step 3: Authenticate the Peer
The last piece of IKE Phase 1 is to validate or authenticate the peer on the other side.

The IKE Phase 1 tunnel is used only as a management tunnel so that the two routers can securely communicate with each other directly; it is not used to encrypt or protect the end user’s packets. The IKE Phase 2 (IPsec) SAs carry the hashing and encryption algorithms that protect user traffic.
So we have one bidirectional IKE Phase 1 tunnel used for management between the two VPN peers and two unidirectional IKE Phase 2 security associations (one per direction) used for encrypting and decrypting end-user packets.

Configuring and Verifying IPsec

The first thing to plan is what protocols to use for IKE Phase 1 and IKE Phase 2 and to identify which traffic should be encrypted.

IKE Phase 1 policy
R1(config)# crypto isakmp policy 2
R1(config-isakmp)# authentication pre-share
R1(config-isakmp)# encr aes 128
! md5 is kept here because the lab uses it; prefer "hash sha" on new deployments
R1(config-isakmp)# hash md5
R1(config-isakmp)# group 2
R1(config-isakmp)# lifetime 21600

R1(config-isakmp)# exit
! PSK for this peer; the same key must be configured on 43.0.0.2 for R1's address
R1(config)# crypto isakmp key cisco123 address 43.0.0.2

R1(config)# access-list 100 permit ip 10.0.0.0 0.0.0.255 172.16.0.0 0.0.0.255

IKE Phase 2 transform set
R1(config)# crypto ipsec transform-set MY-SET esp-sha-hmac esp-aes 256
R1(cfg-crypto-trans)# mode tunnel
R1(cfg-crypto-trans)# exit

R1(config)# crypto map SDM_CMAP_1 1 ipsec-isakmp
R1(config-crypto-map)# match address 100
R1(config-crypto-map)# set transform-set MY-SET
R1(config-crypto-map)# set peer 43.0.0.2
R1(config-crypto-map)# exit

R1(config)# interface GigabitEthernet1/0
R1(config-if)# crypto map SDM_CMAP_1
R1(config-if)# exit

Verifying IPsec
R1# show crypto isakmp policy = Verify the IKE Phase 1 policies in place on the router
R1# show crypto map = the details of the crypto map
R1# show crypto isakmp sa [detail] = the details for the IKE Phase 1 tunnel that is in place

R1# show crypto ipsec sa = the details for the IKE Phase 2 tunnels that are in place
R1# show crypto engine connections active = seeing that the encryption and decryption is working


Planning and Preparing an IPsec Site-to-Site VPN

IPsec has two modes: tunnel and transport. In tunnel mode the entire original IP packet (header and payload) is protected and a new outer IP header is added; this is what site-to-site VPNs between gateways use. In transport mode only the payload above the IP header is protected and the original IP header is kept; this is used when the endpoints themselves are the IPsec peers (for example GRE over IPsec between routers, or host-to-host).

Protocols That May Be Required for IPsec:
+ UDP port 500 (IKE; both IKEv1 and IKEv2)
+ UDP port 4500 NAT-T (NAT Traversal: IKE and ESP encapsulated in UDP when a NAT device is in the path)
+ IP protocol 50 ESP (not TCP or UDP, so firewalls must permit the protocol number itself)
+ IP protocol 51 AH

Planning IKEv1 Phase 1
Best (ex):
+ Hashing: SHA
+ Authentication: RSA-Sigs (which require PKI to be used)
+ DH group: 5
+ Lifetime: 3600 seconds
+ Encryption: AES-256

Configure the above with the crypto isakmp policy command. (Group 5 was the recommended choice when this was written; current Cisco guidance prefers group 14 or the ECC groups 19/20.)

Planning IKEv1 Phase 2
Things to set (ex):
+ VPN Peer global IP addresses: R1=209.165.200.225 R2=209.165.201.1
+ Traffic to protect: Bidirectional traffic between 172.16.0.0/16 (R1’s local network) and 192.168.0.0/24 (R2’s local network).
+ Encryption: AES-192 (just to mix it up a bit, default for AES is 128)
+ HMAC: SHA
+ Lifetime: Default
+ Outside interfaces of routers: G1/0 (on both)
+ PFS: Group 2

Note that show running-config only shows the items in an ISAKMP policy that differ from the defaults.

Troubleshooting IPsec Site-to-Site VPNs in Cisco IOS

R1# show crypto isakmp policy = to verify the configuration
R1# show crypto map
R1# debug crypto isakmp
R1# show crypto isakmp sa = IKE Phase 1 SA
R2# show crypto ipsec sa = IKE Phase 2 (IPsec) SAs

We want to see a state of QM_IDLE, meaning IKEv1 Phase 1 is up. MM_NO_STATE means Phase 1 never got going (no reply from the peer, or no matching Phase 1 policy); MM_KEY_EXCH means the DH exchange completed but the peer was never authenticated, which usually points at a pre-shared key mismatch.

R2# show crypto engine connections active

DMVPN is a Cisco solution for deploying highly scalable IPsec site-to-site VPNs. It enables branch locations to communicate directly with each other over the Internet without requiring a permanent VPN connection between sites.

FlexVPN is a unified VPN solution that can be deployed over either public Internet connections or a private Multiprotocol Label Switching (MPLS) VPN network.


Implementing and Verifying an IPsec Site-to-Site VPN in Cisco ASA

#show crypto isakmp stats
#show crypto ikev1 stats
#show crypto ikev2 stats
#show isakmp sa
#show isakmp sa detail
#show crypto ipsec sa
#show crypto ipsec sa detail
#show vpn-sessiondb

#debug crypto ikev1|ikev2
#debug crypto ipsec
#debug crypto ikev2 platform 2
#debug crypto ikev2 protocol 2

Functions and Use of SSL for VPNs

Clientless SSL VPN feature excels when connections to only one or a few servers are needed and the full-tunneled Cisco AnyConnect Secure Mobility Client cannot be installed on the local computer.

SSL and TLS Protocol Framework
TLS and its predecessor SSL are cryptographic protocols that provide secure transactions on the Internet for things such as e-mail, web browsing, instant messaging, and so on. SSL as a protocol was originally developed by Netscape. Both of these protocols provide confidentiality, integrity, and authentication services.
Similar to IPsec, these protocols use symmetric algorithms for bulk encryption, and asymmetric algorithms are used for the authentication and for the exchange of keys.
Cisco SSL VPNs are really using TLS behind the scenes.

The Play by Play of SSL for VPNs
+ The client initiates a TCP connection to the server on port 443 from an ephemeral source port (> 1023)
+ The standard TCP three-way handshake completes
+ The client sends its hello (supported versions and cipher suites); the server responds, providing its digital certificate, which contains the server’s public key
+ The client validates the certificate (chain to a trusted CA, name, validity dates, revocation)
+ The client sends a shared secret (the pre-master secret) to the server, encrypted with the server’s public key
+ The server decrypts the shared secret using its private key
+ Both sides derive the session keys from that secret and use them to encrypt data over SSL/TLS
This is the RSA key-exchange flow the book describes; modern TLS instead uses an ephemeral (EC)DHE exchange, with the server’s private key only signing it, so that a later compromise of the private key does not expose past sessions (forward secrecy).

asa1(config)# group-policy NY-Group-Policy internal

! Certificate presented to browsers on the outside interface (the trustpoint must already exist)
asa1(config)# ssl trust-point ASDM_TrustPoint0 outside
asa1(config)# webvpn
asa1(config-webvpn)# enable outside
asa1(config-webvpn)# exit
asa1(config)# group-policy NY-Group-Policy attributes
asa1(config-group-policy)# vpn-tunnel-protocol ssl-clientless
asa1(config-group-policy)# webvpn
asa1(config-group-webvpn)# url-list value IntranetSite
asa1(config-group-webvpn)# exit
asa1(config-group-policy)# exit

asa1(config)# tunnel-group NY-connection-profile type remote-access

asa1(config)# tunnel-group NY-connection-profile general-attributes
asa1(config-tunnel-general)# default-group-policy NY-Group-Policy
asa1(config-tunnel-general)# exit
asa1(config)# tunnel-group NY-connection-profile webvpn-attributes
asa1(config-tunnel-webvpn)# group-alias newyork enable
asa1(config-tunnel-webvpn)# group-url https://209.165.202.129/newyork enable

Using the Cisco AnyConnect Secure Mobility Client

Types of SSL VPNs
Clientless (browser portal, configured above) and full tunnel with the AnyConnect client. Full-tunnel AnyConnect configuration (running-config form):

object network NETWORK_OBJ_10.1.1.0_25
 subnet 10.1.1.0 255.255.255.128

! Pool handed to clients; the range end must lie in the same subnet as the start
ip local pool anyconnectPool 10.4.4.1-10.4.4.100 mask 255.255.255.0
group-policy GroupPolicy_SSL_AnyConnect internal

group-policy GroupPolicy_SSL_AnyConnect attributes
  vpn-tunnel-protocol ssl-client
  dns-server value 10.1.1.23
  wins-server none
  default-domain value example.org
exit

webvpn
 enable outside
 anyconnect image disk0:/anyconnect-macosx-4.0-k9.pkg 1
 anyconnect enable
 tunnel-group-list enable

tunnel-group SSL_AnyConnect type remote-access

tunnel-group SSL_AnyConnect general-attributes
  default-group-policy GroupPolicy_SSL_AnyConnect
  address-pool anyconnectPool

tunnel-group SSL_AnyConnect webvpn-attributes
  group-alias SSL_AnyConnect enable

! NAT rule as generated by the AnyConnect wizard: traffic between the inside network and the VPN clients must not be translated
nat (inside,outside) 3 source static inside interface destination static NETWORK_OBJ_10.1.1.0_25 NETWORK_OBJ_10.1.1.0_25 no-proxy-arp route-lookup

Groups, Connection Profiles, and Defaults

The connection profiles are responsible for the initial connection of the user.

Split Tunneling
Without split tunneling, all IP traffic leaving the client’s machine (including ordinary Internet browsing) goes through the tunnel to the ASA and back out, which costs bandwidth and ASA capacity. A split tunnel addresses this by sending traffic down the VPN only if it is destined for specific networks located at the headquarters site; everything else goes straight to the Internet. The trade-off is that the client is then on the corporate network and the open Internet at the same time, so its own host defenses matter more.

Troubleshooting SSL Negotiations
+ Step 1. Verify that the user’s computer can ping the Cisco ASA’s outside IP address
+ Step 2. If the user’s workstation can ping the address, issue the show running all | include ssl command on the Cisco ASA and verify that SSL encryption is configured.
+ Step 3. If SSL encryption is properly configured, use an external sniffer to verify whether the TCP three-way handshake is successful

AnyConnect clients will fail to establish a connection if the Cisco ASA is configured to accept connections only with SSL Server Version 3. You must use TLSv1 or later for AnyConnect clients (current ASA and AnyConnect releases disable SSLv3 entirely and negotiate TLS 1.2). Navigate to Configuration > Remote Access VPN > Advanced > SSL Settings to specify the SSL encryption type and version that you want to use.

Troubleshooting AnyConnect Client Issues
#debug webvpn svc
#debug webvpn anyconnect

ASA1(config)# logging on
ASA1(config)# logging class svc buffered debugging
ASA1(config)# exit
ASA1# show logging

Traffic-Specific Issues
+ Routing issues behind the ASA—internal network unable to route packets back to the assigned IP addresses and VPN clients
+ Access control lists blocking traffic
+ Network Address Translation not being bypassed for VPN traffic

Securing Layer 2 Technologies

VLAN and Trunking Fundamentals
For connections between two switches that contain ports in VLANs that exist in both switches, you configure specific trunk ports instead of configuring access ports.

SW2(config)# interface range fa0/23-24
SW2(config-if-range)# switchport trunk encapsulation dot1q
SW2(config-if-range)# switchport mode trunk

SW2(config-if-range)# do show interface trunk

Following the Frame, Step by Step
Access ports being assigned to a single VLAN, and trunk ports that tag the traffic so that a receiving switch knows which VLAN a frame belongs to.

The Native VLAN on a Trunk
When the receiving switch receives a frame on a trunk port, if that frame is missing the 802.1Q tag completely, the receiving switch assumes that the frame belongs to the native VLAN (in this case, VLAN 1).
Using a specific VLAN as the native VLAN (different from the default of VLAN 1) and never using that same VLAN for user traffic is a prudent idea.
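
The rules above, written out as an added Python example (not from the notes): a tagged frame is assigned the VLAN in its tag, an untagged frame is assigned the receiving port’s native VLAN, and frames in the native VLAN leave a trunk untagged. The frames are constructed bytes and the “switch” is a deliberately minimal model of one trunk port; the last case shows what happens when the two ends of a trunk disagree on the native VLAN, which is one reason to set it deliberately and keep user traffic off it.

```python
import struct

TPID_8021Q = 0x8100   # Tag Protocol Identifier that marks an 802.1Q tag

def build_frame(dst: bytes, src: bytes, ethertype: int, payload: bytes, vid=None) -> bytes:
    """Ethernet II frame with an optional single 802.1Q tag (PCP=0, DEI=0)."""
    tag = struct.pack("!HH", TPID_8021Q, vid & 0x0FFF) if vid is not None else b""
    return dst + src + tag + struct.pack("!H", ethertype) + payload

def receive_on_trunk(frame: bytes, native_vlan: int):
    """Return (vlan, untagged_frame) as the receiving switch sees it: the VID in
    the tag if there is one, otherwise the port's native VLAN."""
    tpid, = struct.unpack("!H", frame[12:14])
    if tpid == TPID_8021Q:
        tci, = struct.unpack("!H", frame[14:16])
        return tci & 0x0FFF, frame[:12] + frame[16:]   # strip the tag
    return native_vlan, frame

def send_on_trunk(vlan: int, untagged_frame: bytes, native_vlan: int) -> bytes:
    """Frames in the native VLAN leave the trunk untagged; all others get a tag."""
    if vlan == native_vlan:
        return untagged_frame
    ethertype, = struct.unpack("!H", untagged_frame[12:14])
    return build_frame(untagged_frame[:6], untagged_frame[6:12],
                       ethertype, untagged_frame[14:], vid=vlan)

def cross_trunk(vlan: int, untagged_frame: bytes, sw1_native: int, sw2_native: int) -> int:
    """Forward a frame from SW1 to SW2 over a trunk and report the VLAN SW2 assigns it."""
    on_wire = send_on_trunk(vlan, untagged_frame, sw1_native)
    vlan_at_sw2, _ = receive_on_trunk(on_wire, sw2_native)
    return vlan_at_sw2

def demo():
    # Constructed frame: broadcast destination, made-up source MAC, IPv4 ethertype.
    dst, src = bytes.fromhex("ffffffffffff"), bytes.fromhex("001122334455")
    frame = build_frame(dst, src, 0x0800, b"\x45" + b"\x00" * 19)
    return {
        "user vlan, matching natives": cross_trunk(20, frame, 1, 1),
        "native vlan, matching natives": cross_trunk(1, frame, 1, 1),
        "native vlan, mismatched natives": cross_trunk(1, frame, 1, 99),
    }

if __name__ == "__main__":
    for case, vlan in demo().items():
        print(f"{case}: arrives in VLAN {vlan}")
```

The third case is the native VLAN mismatch: SW1 sends its VLAN 1 traffic untagged, SW2 has no tag to go on and files it under its own native VLAN 99, so traffic silently crosses from one VLAN to another. Choosing the same unused native VLAN on both ends, as the best practice says, makes that path carry nothing of value.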

Inter-VLAN Routing
One solution is to use a technique called router-on-a-stick.

Spanning-Tree Fundamentals

STP, or 802.1D, was developed to identify parallel Layer 2 paths and block one of the redundant paths so that a Layer 2 loop does not occur.

STP consists of the following port states:
+ Root port: The switch port that is closest to the root bridge in terms of STP path cost (that is, it receives the best BPDU on a switch) is considered the root port. All switches, other than the root bridge, contain one root port.
+ Designated port: The switch port that can send the best BPDU for a particular VLAN on a switch is considered the designated port.
+ Nondesignated port: A switch port that does not forward frames, so as to prevent loops within the network.

STP cautiously waits for 30 seconds (by default) on a recently brought up port before letting frames go through that interface; 15 seconds of that is the listening state, where STP is seeing whether any BPDUs are coming in. When configured, enhancements to STP, including the PortFast feature, can tell the switch to bypass the listening and learning stages and go straight to forwarding.

Configure portfast per interface
SW2(config)# interface fa0/2
SW2(config-if)# spanning-tree portfast

Configure portfast globally
SW2(config)# spanning-tree portfast default

Common Layer 2 Threats and How to Mitigate Them

Everything at Layer 3 and higher is encapsulated into some type of Layer 2 frame. If the attacker can interrupt, copy, redirect, or confuse the Layer 2 forwarding of data, that same attacker can also disrupt any type of upper-layer protocols that are being used.

Layer 2 Best Practices
+ Select an unused VLAN (other than VLAN 1) and use that for the native VLAN for all your trunks. Do not use this native VLAN for any of your enabled access ports.
+ Avoid using VLAN 1 anywhere, because it is the default
+ Administratively configure access ports as access ports so that users cannot negotiate a trunk, and disable the negotiation of trunking (no Dynamic Trunking Protocol [DTP])
+ Limit the number of MAC addresses learned on a given port with the port security feature
+ Control spanning tree to stop users or unknown devices from manipulating spanning tree. You can do so by using the BPDU Guard and Root Guard features
+ Turn off Cisco Discovery Protocol (CDP) on ports facing untrusted or unknown networks that do not require CDP for anything positive
+ On a new switch, shut down all ports and assign them to a VLAN that is not used for anything else other than a parking lot. Then bring up the ports and assign correct VLANs as the ports are allocated and needed

Set a port in access mode
SW2(config)# interface fa0/2
SW2(config-if)# switchport mode access
SW2(config-if)# switchport access vlan 10

SW2(config-if)# switchport nonegotiate - disable the ability to negotiate a trunk (DTP)

Set a port in trunk mode
SW2(config)# interface fa0/23
SW2(config-if)# switchport trunk encapsulation dot1q
SW2(config-if)# switchport mode trunk

SW2(config-if)# switchport trunk native vlan 3 - change the native VLAN

SW2(config-if)# switchport nonegotiate - disable the ability to negotiate (DTP)

Do Not Allow Negotiations
A user with a trunk established could perform “VLAN hopping” to any VLAN he desired by just tagging frames with the VLAN of choice.

+ Port security: Limits the number of MAC addresses to be learned on an access switch port
+ BPDU Guard: If BPDUs (any type) show up where they should not, the switch protects itself
+ Root Guard: Controls which ports are not allowed to become root ports to remote root switches
+ Dynamic ARP inspection: Prevents spoofing of Layer 2 information by hosts
+ IP Source Guard: Prevents spoofing of Layer 3 information by hosts
+ 802.1X: Authenticates users before allowing their data frames into the network
+ DHCP snooping: Prevents rogue DHCP servers from impacting the network
+ Storm control: Limits the amount of broadcast or multicast traffic flowing through the switch
+ Access control lists: Traffic control to enforce policy

BPDU Guard
When you enable BPDU Guard, a switch port that was forwarding stops forwarding, and the switch err-disables the port if any BPDUs are seen inbound on it.

SW2(config)# interface fa0/2
SW2(config-if)# spanning-tree bpduguard enable

To automatically recover port
SW2(config)# errdisable recovery cause bpduguard
SW2(config)# errdisable recovery interval 30

SW2#  show errdisable recovery

Root Guard
Your switch might be connected to other switches that you do not manage. If you want to prevent your local switch from learning about a new root switch through one of its local ports, you can configure Root Guard on that port.

SW1(config)# interface fa 0/24
SW1(config-if)# spanning-tree guard root

Port Security
Port security controls how many MAC addresses can be learned on a single switch port.

SW2(config)# interface fa0/2
SW2(config-if)# switchport port-security
SW2(config-if)# switchport port-security maximum 5
SW2(config-if)# switchport port-security violation protect
SW2(config-if)# switchport port-security mac-address sticky

SW2# show port-security
SW2# show port-security interface fa0/2

CDP and LLDP

CDP runs on Cisco devices (routers, switches, phones, and so on) and is also licensed to run on some network devices from other vendors.
CDP operates at Layer 2 and can provide attackers with information (for example, device types, hardware and software versions, VLAN and IP address details, and so on) that you would rather not disclose.

Disable per port
sw2(config)# interface fa1/0/24
sw2(config-if)# no cdp enable


Disable globally
sw2(config)# no cdp run

sw2#show cdp

Disable LLDP globally
sw2(config)# no lldp run

sw2# show lldp

DHCP Snooping
DHCP snooping is a security feature that acts like a firewall between untrusted hosts and trusted DHCP servers.
DHCP snooping is enabled on a per-VLAN basis. By default, the feature is inactive on all VLANs.
DHCP spoofing attacks take place when devices purposely attempt to generate enough DHCP requests to exhaust the number of IP addresses allocated to a DHCP pool. The DHCP snooping feature determines whether traffic sources are trusted or untrusted.

+ Step 1. Define and configure the DHCP server
+ Step 2. Enable DHCP snooping on at least one VLAN
+ Step 3. Ensure that DHCP server is connected through a trusted interface
+ Step 4. Configure the DHCP snooping database agent
+ Step 5. Enable DHCP snooping globally (The DHCP snooping feature is not active until you complete this step)

sw2(config)# ip dhcp snooping - Enable DHCP snooping globally
sw2(config)# ip dhcp snooping vlan 10 - Enable DHCP snooping on VLAN 10
sw2(config)# interface fa1/0/24
sw2(config-if)# ip dhcp snooping trust - Configure interface Fa1/0/24 as a trusted interface
sw2(config)# ip dhcp snooping database tftp://10.1.1.1/directory/file - Configure the DHCP snooping database agent to store the bindings at a given location

sw2# show ip dhcp snooping

Dynamic ARP Inspection
ARP provides IP communication within a Layer 2 broadcast domain by mapping an IP address to a MAC address.

ARP spoofing attacks and ARP cache poisoning can occur because ARP allows a gratuitous reply from a host even if an ARP request was not received.

DAI is a security feature that validates ARP packets in a network. DAI intercepts, logs, and discards ARP packets with invalid IP-to-MAC address bindings. This capability protects the network from some man-in-the-middle attacks.

sw2(config)# ip arp inspection vlan 10 - Enable DAI on VLAN 10
sw2# show ip arp inspection vlan 10

Configure Interface Fa1/0/24 as a Trusted DAI Interface
sw2(config)# interface fa1/0/24
sw2(config-if)# ip arp inspection trust

sw2# show ip arp inspection interfaces
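As an added example (not from these notes), the following Python script audits a switch running-config for the Layer 2 hardening settings covered above: administratively set port mode, DTP disabled, a non-default native VLAN on trunks, BPDU Guard and port security on access ports, and DHCP snooping, DAI and no cdp run globally. The config excerpt is constructed for illustration; the check does not consider global defaults such as spanning-tree portfast bpduguard default.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed running-config excerpt (not from the notes): fa0/2 follows the
# best practices above, fa0/3 does not, and trunk fa0/23 still uses native VLAN 1.
SAMPLE_CONFIG = """\
!
ip dhcp snooping vlan 10
ip dhcp snooping
ip arp inspection vlan 10
no cdp run
!
interface FastEthernet0/2
 switchport mode access
 switchport access vlan 10
 switchport nonegotiate
 switchport port-security
 switchport port-security maximum 5
 spanning-tree portfast
 spanning-tree bpduguard enable
!
interface FastEthernet0/3
 switchport mode access
 switchport access vlan 10
!
interface FastEthernet0/23
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport nonegotiate
 ip dhcp snooping trust
 ip arp inspection trust
!
"""


def parse_config(text: str) -> Tuple[List[str], Dict[str, List[str]]]:
    """Split a running-config into global commands and per-interface commands."""
    global_cmds: List[str] = []
    interfaces: Dict[str, List[str]] = {}
    current: Optional[str] = None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line or line == "!":
            current = None            # '!' ends the current interface block
            continue
        match = re.match(r"^interface (\S+)$", line)
        if match:
            current = match.group(1)
            interfaces[current] = []
        elif line.startswith(" ") and current is not None:
            interfaces[current].append(line.strip())
        else:
            current = None
            global_cmds.append(line)
    return global_cmds, interfaces


def audit(text: str) -> Dict[str, List[str]]:
    """Return {scope: [findings]} for each deviation from the Layer 2 best practices."""
    global_cmds, interfaces = parse_config(text)
    findings: Dict[str, List[str]] = {}

    gcmds = set(global_cmds)
    global_issues: List[str] = []
    if "ip dhcp snooping" not in gcmds:
        global_issues.append("DHCP snooping not enabled globally (feature inactive)")
    if not any(c.startswith("ip arp inspection vlan") for c in gcmds):
        global_issues.append("dynamic ARP inspection not enabled on any VLAN")
    if "no cdp run" not in gcmds:
        global_issues.append("CDP still running globally")
    if global_issues:
        findings["global"] = global_issues

    for name, cmds in interfaces.items():
        cset = set(cmds)
        issues: List[str] = []
        is_trunk = "switchport mode trunk" in cset
        is_access = "switchport mode access" in cset
        if not (is_trunk or is_access):
            issues.append("port mode left to DTP (not administratively access or trunk)")
        if "switchport nonegotiate" not in cset:
            issues.append("DTP negotiation not disabled")
        if is_trunk:
            # Without an explicit 'switchport trunk native vlan', the native VLAN is 1.
            native = next((c.split()[-1] for c in cmds
                           if c.startswith("switchport trunk native vlan ")), "1")
            if native == "1":
                issues.append("trunk uses the default native VLAN 1")
        if is_access:
            if "spanning-tree bpduguard enable" not in cset:
                issues.append("BPDU Guard not enabled on access port")
            if "switchport port-security" not in cset:
                issues.append("port security not enabled")
        if issues:
            findings[name] = issues
    return findings


if __name__ == "__main__":
    for scope, issue_list in audit(SAMPLE_CONFIG).items():
        for issue in issue_list:
            print(f"{scope}: {issue}")
```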


Network Foundation Protection

For Cisco IOS routers and switches, the Network Foundation Protection (NFP) framework is broken down into three basic planes (also called sections/areas):
+ Management plane: This includes the protocols and traffic that an administrator uses between his workstation and the router or switch itself. Example: SSH.
+ Control plane: This includes protocols and traffic that the network devices use on their own without direct interaction from an administrator. Example: a routing protocol.
+ Data plane: This includes traffic that is being forwarded through the network (sometimes called transit traffic); the data plane represents the traffic that is either being switched or forwarded by the network devices between clients and servers.

Implementing NFP

NFP is not a single feature but rather is a holistic approach that covers the three components (that is, planes) of the infrastructure, with recommendations about protecting each one using a suite of features.

Understanding the Management Plane

Best Practices for Securing the Management Plane:
+ Enforce password policy, including features such as maximum number of login attempts and minimum password length
+ Implement role-based access control (RBAC). This concept has been around for a long time in relation to groups; on IOS devices it is implemented using Access Control Server (ACS) and CLI parser views.
+ Use AAA services, and centrally manage those services on an ACS server
+ Keep accurate time across all network devices using secure Network Time Protocol (NTP)
+ Use encrypted and authenticated versions of SNMP, which includes Version 3
+ Control which IP addresses are allowed to initiate management sessions with the network device
+ Lock down syslog. Use a separate VLAN for management.
+ Disable any unnecessary services, especially those that use User Datagram Protocol (UDP):
         + TCP and UDP small services
         + Finger
         + BOOTP
         + DHCP
         + Maintenance Operation Protocol
         + DNS resolution
         + Packet assembler/disassembler
         + HTTP server and Secure HTTP (HTTPS) server
         + CDP
         + LLDP

Understanding the Control Plane

Control plane security is primarily guarding against attacks that might otherwise negatively impact the CPU, including routing updates (which are also processed by the CPU).

Best Practices for Securing the Control Plane:
+ CoPP (control plane policing): You can configure this as a filter for any traffic destined to an IP address on the router itself. It is applied to a logical control plane interface (not directly to any Layer 3 interface) so that the policy applies globally to the router.
+ CPPr (control plane protection): This allows for a more detailed classification (than CoPP) of the traffic that is going to be handled by the CPU.
+ Routing protocol authentication

Using CoPP or CPPr, you can specify which types of management traffic are acceptable at which levels. Traffic that exceeds the thresholds can be safely dropped if it is not from one of your specific management stations.

Understanding the Data Plane

For the data plane, this discussion concerns traffic that is going through your network device rather than to a network device.

Protecting the Data Plane:
+ ACLs used for filtering
+ IOS firewall support
+ IOS IPS: software implementation of an intrusion prevention system (IPS)
+ TCP Intercept: enables the router to look at the number of half-formed sessions that are in place and intervene on behalf of the destination device
+ Unicast Reverse Path Forwarding: When this feature is enabled on an interface, as packets enter that interface the router spends an extra moment considering the source address of the packet.

Best Practices for Protecting the Data Plane:
+ Block unwanted traffic at the router: placing the ACL closer to the source saves resources
+ Reduce the chance of DoS attacks
+ Reduce spoofing attacks
+ Provide bandwidth management
+ When possible, use an IPS to inhibit the entry of malicious traffic into the network

Additional Data Plane Protection Mechanisms
Layer2:
+ Port security to protect against MAC address flooding and CAM overflow attacks.
+ Dynamic Host Configuration Protocol (DHCP) snooping to prevent a rogue DHCP server
+ Dynamic ARP inspection (DAI) can protect against Address Resolution Protocol (ARP) spoofing
+ IP Source Guard, when implemented on a switch, verifies that IP spoofing is not occurring by devices on that switch

Securing the Management Plane on Cisco IOS Devices

What Is Management Traffic and the Management Plane?
By requiring a username or password, you are taking the first steps toward securing what is called the management plane on this router or switch.
The management plane includes not only configuration of a system, but also who may access a system and what they are allowed to do while they are logged in to the system.
The management plane also includes messages to or from a Cisco router or switch that is used to maintain or report on the current status of the device, such as a management protocol like Simple Network Management Protocol (SNMP).

Management Plane Best Practices
+ Strong passwords: Make passwords very difficult to break.
+ User authentication and AAA: you can control which administrators are allowed to connect to which devices and what they can do while they are there
+ Login Password Retry Lockout: allows system administrators to lock out a local AAA user account after a configured number of unsuccessful attempts
+ Role-based access control (RBAC): you can control access through AAA and customize privilege levels/parser views
+ Encrypted management protocols: encrypted communications should be used, such as Secure Shell (SSH) or Hypertext Transfer Protocol Secure (HTTPS)
+ Out-of-band (OOB) management: implies that there is a completely separate network just for management protocols and a different network for end users and their traffic. In-band management is when the packets used by your management protocols may intermingle with the user packets (considered less secure than OOB).
+ Logging and monitoring: includes not only what administrators have changed or done but also system events that are generated by the router or switch because of some problem that has occurred or some threshold that has been reached; the storage of the logs and the transmission of the logs should be protected. If SNMP is used, preferably use Version 3 because of its authentication and encryption capabilities. An SNMP trap is a message generated by the router or switch to alert the manager or management station of some event.
+ Network Time Protocol (NTP): to synchronize the clocks on network devices so that any logging that includes time stamps may be easily correlated. Preferably, use NTP Version 3 with authentication.
+ Secure system files: Make it difficult to delete, whether accidentally or on purpose, the startup configuration files and the IOS images that are on the file systems of the local routers and switches.

Password Recommendations
# security passwords min-length X – set the minimum password length

+ It is best to have a minimum of eight characters for a password
+ Passwords can include any alphanumeric character, a mix of uppercase and lowercase characters, and symbols and spaces. Leading spaces in a password are ignored, but any subsequent spaces, including in the middle or at the end of a password, literally become part of that password and are generally a good idea.

Using AAA to Verify Users
In a nutshell, the goal of AAA is to identify who users are before giving them any kind of access to the network, and once they are identified, only give them access to the part they are authorized to use, see, or manage.

AAA Components
+ Authentication: Authentication is the process by which individuals prove that they are who they claim to be. To specify the method to use, you create an authentication “method list” that specifies how to authenticate the user.
+ Authorization: After the user or administrator has been authenticated, authorization can be used to determine which resources the user or administrator is allowed to access, and which operations may be performed.
+ Accounting and auditing: record what the user or administrator actually does with this access, what he accesses, and how long he accesses it.

Options for Storing Usernames, Passwords, and Access Rules
Uses a centralized service to keep usernames, passwords, and configured rules about who can access which resources.
+ Cisco Secure ACS Solution Engine: This is a dedicated server that contains the usernames, their passwords, and other information about what users are allowed to access and when they are allowed to access it. Use TACACS+ for an administrator who is seeking command-line access to the network device, and RADIUS if you are authenticating an end user who is requesting access to the network.
+ Cisco Secure ACS for Windows Server: This software package may be used for user and administrator authentication.
+ Current flavors of ACS functionality: The most common way that ACS services are implemented today is through a virtual machine running on some flavor of VMware. Cisco Identity Services Engine (ISE) is another option; it can be bundled in a single physical or logical device or appliance.
+ Self-contained AAA: AAA services may be self-contained in the router itself. The database that contains the usernames and passwords is the running configuration of the router or IOS device, and from a AAA perspective is referred to as the local database on the router.

Authorizing VPN Users
One common implementation of AAA is its use in authenticating users accessing the corporate LAN through a remote-access IPsec VPN. We authenticate the users by asking for their username and password, and then check the rules to see what they are authorized to access. If we use the remote Access Control Server (ACS) server for the authentication and authorization for an end user, we would very likely use the RADIUS protocol between the router and the AAA server.

Router Access Authentication
We must choose authentication first if we want to also use authorization for a user or administrator. We cannot choose authorization for a user without knowing who that user is through authentication first. When an administrator is at the CLI, that interface is provided by something called an EXEC shell. This type of access (CLI) could also be referred to as character mode.


The AAA Method List
To make implementing AAA modular, we can specify individual lists of ways we want to authenticate, authorize, and account for the users. We can create authentication method lists that define the authentication methods to use, authorization method lists that define which authorization methods to use, and accounting method lists that specify which accounting methods to use.

aaa type {default | list-name} method-1 [method-2 method-3 method-4]

Role-Based Access Control

The concept of role-based access control (RBAC) is to create a set of permissions or limited access and assign that set of permissions to users or groups.

Custom Privilege Levels
When you first connect to a console port on the router, you are placed into user mode. User mode is really privilege level 1. This is represented by a prompt that ends with >.

Limiting the Administrator by Assigning a View
A solution to this is to use parser views, also referred to as simply a view. You can create a view and associate it with a subset of commands. When the user logs in using this view, that same user is restricted to only being able to use the commands that are part of his current view. You can also associate multiple users with a single view.

Encrypted Management Protocols
The problem with Telnet is that it uses plain text, and anyone who gets a copy of those packets can identify our usernames and passwords used for access and any other information that goes between administrator and the router being managed (over the management plane). Secure Shell (SSH) provides the same functionality as Telnet, in that it gives you a CLI to a router or switch; unlike Telnet, however, SSH encrypts all the packets that are used in the session.
For graphical user interface (GUI) management tools such as CCP, use HTTPS rather than HTTP because, like SSH, it encrypts the session, which provides confidentiality for the packets in that session.

Using Logging Files
Administrators should, on a regular basis, analyze logs, especially from their routers, in addition to logs from other network devices. Log output can be sent to a variety of destinations:
+ Console: sends log messages to an attached terminal
+ vty lines: the terminal monitor command must be issued for log messages to be seen by the user on that vty line
+ Buffer: log messages can be stored in router memory; when the router is rebooted, the messages in the buffer are lost
+ SNMP server
+ Syslog server

A syslog logging solution consists of two primary components: syslog servers and syslog clients. A syslog server receives and stores log messages sent from syslog clients such as routers and switches.

Understanding NTP
Network Time Protocol (NTP) uses UDP port 123, and it allows network devices to synchronize their time. One benefit of having reliable synchronized time is that log files and messages generated by the router can be correlated.

Protecting Cisco IOS Files
To help protect a router from accidental or malicious tampering of the IOS or startup configuration, Cisco offers a resilient configuration feature. The secure files are referred to as a secure bootset; the administrator cannot disable the features remotely.

Implementing Strong Passwords

R1(config)# username admin secret CeyeSc01$24

R1(config)# line console 0
R1(config-line)# password k4(1fmMsS1#
R1(config-line)# login

R1(config)#  service password-encryption – encrypt passwords (not shown in clear text)

User Authentication with AAA

R1(config)#  aaa new-model

R1(config)# tacacs-server host 50.50.4.101
R1(config)# tacacs-server key ToUgHPaSsW0rD-1#7

R1(config)# aaa authentication login default local enable

R1(config)# aaa authentication login MY-LIST-1 group tacacs+ local enable

R1(config)# aaa authorization commands 1 TAC1 group tacacs+ local
R1(config)# aaa authorization commands 15 TAC15 group tacacs+ local

R1(config)# aaa accounting commands 1 TAC-act1 start-stop group tacacs+
R1(config)# aaa accounting commands 15 TAC-act15 start-stop group tacacs+

R1(config)# line vty 0 4
R1(config-line)# login authentication MY-LIST-1
R1(config-line)# authorization commands 1 TAC1
R1(config-line)# authorization commands 15 TAC15
R1(config-line)# accounting commands 1 TAC-act1
R1(config-line)# accounting commands 15 TAC-act15
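To show how a method list such as MY-LIST-1 (group tacacs+ local enable) is actually walked, here is an added Python simulation that is not part of these notes. It models the IOS rule that the next method is consulted only when the previous one gives no answer (for example, no TACACS+ server reachable); a method that answers with a rejection ends the attempt. The server, the user database, the enable secret and the way the local method treats an unknown username are constructed assumptions of the model.

```python
from enum import Enum
from typing import Callable, Dict, List, Tuple


class Result(Enum):
    PASS = "pass"    # the method accepted the credentials
    FAIL = "fail"    # the method answered and rejected them: the attempt stops here
    ERROR = "error"  # the method gave no answer (e.g. TACACS+ unreachable): try the next one


# Constructed state of the simulated router (not from the notes).
TACACS_USERS: Dict[str, str] = {"admin": "ToUgHPaSsW0rD-1#7"}
LOCAL_USERS: Dict[str, str] = {"localadmin": "CeyeSc01$24"}
ENABLE_SECRET = "aBc!2#&iU"


def method_tacacs(user: str, pw: str, server_up: bool) -> Result:
    """'group tacacs+': no reachable server means no answer, not a rejection."""
    if not server_up:
        return Result.ERROR
    return Result.PASS if TACACS_USERS.get(user) == pw else Result.FAIL


def method_local(user: str, pw: str, server_up: bool) -> Result:
    """'local': as modelled here (assumption), a username absent from the local
    database yields no answer, while a wrong password is a rejection."""
    if user not in LOCAL_USERS:
        return Result.ERROR
    return Result.PASS if LOCAL_USERS[user] == pw else Result.FAIL


def method_enable(user: str, pw: str, server_up: bool) -> Result:
    """'enable': the enable secret is accepted regardless of username."""
    return Result.PASS if pw == ENABLE_SECRET else Result.FAIL


def method_none(user: str, pw: str, server_up: bool) -> Result:
    """'none': no authentication at all; a dangerous final fallback."""
    return Result.PASS


METHODS: Dict[str, Callable[[str, str, bool], Result]] = {
    "group tacacs+": method_tacacs,
    "local": method_local,
    "enable": method_enable,
    "none": method_none,
}


def parse_method_list(cmd: str) -> Tuple[str, List[str]]:
    """Parse 'aaa authentication login {default | list-name} method-1 [method-2 ...]'."""
    tokens = cmd.split()
    if tokens[:3] != ["aaa", "authentication", "login"] or len(tokens) < 5:
        raise ValueError("expected 'aaa authentication login <list> <method>...'")
    name, rest = tokens[3], tokens[4:]
    methods: List[str] = []
    i = 0
    while i < len(rest):
        if rest[i] == "group" and i + 1 < len(rest):   # 'group tacacs+' is two tokens
            methods.append(f"group {rest[i + 1]}")
            i += 2
        else:
            methods.append(rest[i])
            i += 1
    unknown = [m for m in methods if m not in METHODS]
    if unknown:
        raise ValueError(f"method(s) not modelled: {unknown}")
    return name, methods


def authenticate(methods: List[str], user: str, pw: str,
                 server_up: bool = True) -> Tuple[bool, List[str]]:
    """Walk the method list; return (granted, trace of 'method: result')."""
    trace: List[str] = []
    for m in methods:
        result = METHODS[m](user, pw, server_up)
        trace.append(f"{m}: {result.value}")
        if result is Result.PASS:
            return True, trace
        if result is Result.FAIL:
            return False, trace         # a rejection is final; no fallback
        # Result.ERROR: this method could not answer, consult the next one
    return False, trace                 # no method could answer: login denied
```

The trace makes the operational point visible: with the TACACS+ server reachable, a local-only account is rejected by the server and local is never consulted, while the enable secret becomes the last resort only when neither the server nor the local database can answer.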

Using the CLI to Troubleshoot AAA for Cisco Routers

+ debug aaa authentication
+ debug aaa authorization
+ debug aaa accounting

#test aaa group tacacs+ username password legacy – test user connectivity and rights



RBAC Privilege Level/Parser View

R2(config)# privilege exec level 8 configure terminal - assign a specific command to a level
R2(config)# enable secret level 8 0 NewPa5s123& - assign the level 8 enable password

Implementing Parser Views

To restrict users without having to create custom privilege levels, you can use a parser view, also referred to as simply a view. AAA must also be enabled on the router.

R2(config)# enable secret aBc!2#&iU
R2(config)# aaa new-model

R2#  enable view

R2(config)# parser view New_VIEW
R2(config-view)# secret New_VIEW_PW

R2(config-view)# commands exec include ping
R2(config-view)# commands exec include all show
R2(config-view)# commands exec include configure
R2(config-view)# commands configure include access-list

R2>enable view New_VIEW

R2# show parser view

We could also assign this view to a user account, so that when users log in with their username and password, they are automatically placed into their view.

R2(config)# username Lois view New_VIEW secret cisco123

SSH and HTTPS

R1(config)# ip domain-name cisco.com
R1(config)# crypto key generate rsa

R1(config)# aaa new-model
R1(config)# aaa authentication login Keith-List-1 local
R1(config)# line vty 0 4
R1(config-line)# login authentication Keith-List-1
R1(config-line)# transport input ssh

R1# ssh -l Keith 10.1.0.1

R1> show ssh

Implementing Logging Features

Logging is important as a tool for discovering events that are happening in the network and for troubleshooting.

logging 10.1.1.200
logging trap notifications
logging buffered 4096 debugging

SNMP Features

Simple Network Management Protocol (SNMP) has become a de facto standard for network management protocols.
+ SNMP manager: runs a network management application, network management server (NMS).
+ SNMP agent: is a piece of software that runs on a managed device
+ Management Information Base (MIB): Information about a managed device’s resources and activity is defined by a series of objects

SNMP messages
+ GET: An SNMP GET message is used to retrieve information from a managed device
+ SET: An SNMP SET message is used to set a variable in a managed device or to trigger an action on a managed device
+ Trap: An SNMP trap message is an unsolicited message sent from a managed device to an SNMP manager

The security integrated with SNMPv1 and SNMPv2c.
SNMPv3 uses the concept of a security model and a security level:
+ Security model
+ Security level:
         + noAuthNoPriv: uses community strings and does not use encryption to provide privacy
         + authNoPriv: authentication using HMAC with MD5/SHA and no encryption
         + authPriv: HMAC MD5/SHA with DES-56

SNMPv3 offers three primary security enhancements:
+ Integrity
+ Authentication
+ Encryption

snmp-server location 192.168.1.96
snmp-server contact Bubba Jones
snmp-server community CCNA RO
snmp-server host 10.1.0.26 trap cisK0tRap^

CCNA-Router(config)# access-list 99 permit 192.168.1.0 0.0.0.255
CCNA-Router(config)# snmp-server community CCNA RO 99
CCNA-Router(config)# snmp-server group CCNA-group v3 noauth
CCNA-Router(config)# snmp-server user CCNA-user CCNA-group v3
CCNA-Router(config)# snmp-server trap-source FastEthernet0/1
CCNA-Router(config)# snmp-server host 192.168.1.96 version 3 noauth CCNA-user

Configuring NTP

Because time is such an important factor, you should use Network Time Protocol (NTP) to synchronize the time in the network so that events that generate messages and time stamps can be correlated.

#ntp authentication-key 1 md5 141411050D 7
#ntp authenticate
#ntp trusted-key 1
#ntp update-calendar
#ntp server 192.168.1.96 key 1 prefer source FastEthernet0/1

CCNA-Router#  show ntp status
CCNA-Router#  show ntp association

Secure Copy Protocol
The Secure Copy (SCP) feature provides a secure and authenticated method for copying device configurations or device image files. SCP requires that authentication, authorization, and accounting (AAA) authorization be configured so that the device can determine whether the user has the correct privilege level.

CCNA-Router(config)# ip scp server enable

Securing the Cisco IOS Image and Configuration Files
The Cisco Resilient Configuration feature is intended to improve the recovery time by making a secure working copy of the IOS image and startup configuration files (which are referred to as the primary bootset) that cannot be deleted by a remote user.

R6(config)#  secure boot-image
R6(config)#  secure boot-config

R6# show secure bootset

Securing the Data Plane in IPv6

Understanding and Configuring IPv6

The Format of an IPv6 Address
+ Length: IPv6 addresses are 128 bits (16 bytes) long
+ Groupings: IPv6 addresses are segmented into eight groups of four hex characters
+ Separation of groups: Each group is separated by a colon (:)
+ Length of mask: Usually 50 percent (64 bits long) for network ID, which leaves 50 percent (also 64 bits) for interface ID (using a 64-bit mask)
+ Number of networks: The network part is allocated by Internet registries: 2^64 (1.8 × 10^19) networks

R1(config-if)# ipv6 address 2001:0db8:0000:0000:1234:0000:0052:0001/64

A link-local address is an IPv6 address that you can use to communicate with other IPv6 devices on the same local network (local broadcast domain). It begins with FE80.

IPv6 Address Types
+ Link-local address: Link-local addresses may be manually configured, but if they are not, they are dynamically configured by the local host or router itself.
+ Loopback address: In IPv6, the address is ::1
+ All-nodes multicast address: multicasts begin with FFxx. The IPv6 multicast group that all IPv6 devices join is FF02::1.
+ All-routers multicast address: routers that have had routing enabled for IPv6 also join the multicast group FF02::2. By doing so, any client looking for a router can send a request to this group address and get a response if there is a router on the local network.
+ Unicast and anycast addresses: A global IPv6 address, unlike a link-local address, is routable and can be reached through one or more routers that are running IP routing and that have a correct routing table. Global IPv6 unicast addresses have the first four characters in the range of 2000 to 3FFF.
+ Solicited-node multicast address for each of its unicast and anycast addresses:
+ Multicast addresses of all other groups to which the host belongs.
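As an added example (not from these notes), the following Python code puts the address types above to work: it compresses the address configured on R1, splits it into the 64-bit network ID and interface ID, classifies an address by prefix, and derives the solicited-node multicast group (FF02::1:FFxx:xxxx from the low 24 bits of the unicast address). Only the standard library ipaddress module is used.

```python
import ipaddress
from typing import Dict

# Prefixes and well-known addresses for the types listed above.
LINK_LOCAL = ipaddress.IPv6Network("fe80::/10")
GLOBAL_UNICAST = ipaddress.IPv6Network("2000::/3")        # first hex digits 2000-3FFF
MULTICAST = ipaddress.IPv6Network("ff00::/8")
SOLICITED_NODE = ipaddress.IPv6Network("ff02::1:ff00:0/104")
ALL_NODES = ipaddress.IPv6Address("ff02::1")
ALL_ROUTERS = ipaddress.IPv6Address("ff02::2")
LOOPBACK = ipaddress.IPv6Address("::1")


def _addr(text: str) -> ipaddress.IPv6Address:
    """Accept '2001:db8::1' or '2001:db8::1/64'; raises ValueError on bad input."""
    return ipaddress.IPv6Address(text.split("/", 1)[0])


def classify(text: str) -> str:
    """Name the address type; the more specific checks come first."""
    a = _addr(text)
    if a == LOOPBACK:
        return "loopback"
    if a in SOLICITED_NODE:
        return "solicited-node multicast"
    if a == ALL_NODES:
        return "all-nodes multicast"
    if a == ALL_ROUTERS:
        return "all-routers multicast"
    if a in MULTICAST:
        return "multicast"
    if a in LINK_LOCAL:
        return "link-local"
    if a in GLOBAL_UNICAST:
        return "global unicast"
    return "other"


def compress(text: str) -> str:
    """Shortest legal form: leading zeros dropped, one run of zero groups as '::'."""
    return _addr(text).compressed


def split_prefix(text: str) -> Dict[str, str]:
    """Network ID and interface ID of an address written with its prefix length."""
    iface = ipaddress.IPv6Interface(text)
    host_bits = 128 - iface.network.prefixlen
    iid = int(iface.ip) & ((1 << host_bits) - 1)
    iid_hex = f"{iid:0{(host_bits + 3) // 4}x}"
    groups = [iid_hex[i:i + 4] for i in range(0, len(iid_hex), 4)]
    return {"network": str(iface.network), "interface_id": ":".join(groups)}


def solicited_node(text: str) -> str:
    """FF02::1:FFxx:xxxx, where xx:xxxx are the low 24 bits of the unicast address."""
    low24 = int(_addr(text)) & 0xFFFFFF
    return str(ipaddress.IPv6Address(int(SOLICITED_NODE.network_address) | low24))


if __name__ == "__main__":
    r1 = "2001:0db8:0000:0000:1234:0000:0052:0001/64"   # address from the notes
    print(compress(r1), split_prefix(r1), classify(r1), solicited_node(r1))
```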



Implementing Logging Features

Logging is important as a tool for discovering events that are happening in the network and for troubleshooting.

logging 10.1.1.200
logging trap notifications
logging buffered 4096 debugging

SNMP Features

Simple Network Management Protocol (SNMP) has become a de facto standard for network management protocols.
+ SNMP manager: runs a network management application, network management server (NMS).
+ SNMP agent: is a piece of software that runs on a managed device
+ Management Information Base (MIB): Information about a managed device’s resources and activity is defined by a series of objects

SNMP messages
+ GET: An SNMP GET message is used to retrieve information from a managed device
+ SET: An SNMP SET message is used to set a variable in a managed device or to trigger an action on a managed device
+ Trap: An SNMP trap message is an unsolicited message sent from a managed device to an SNMP manager

The security integrated with SNMPv1 and SNMPv2c.
SNMPv3 uses the concept of a security model and a security level:
+ Security model
+ Security level:
         + noAuthNoPriv: security level uses community strings, does not use encryption to provide privacy
         + authNoPriv: authentication using HMAC with MD5/SHA and no encryption
         + authPriv: HMAC MD5/SHA with DES-56

SNMPv3 offers three primary security enhancements:
+ Integrity
+ Authentication
+ Encryption

snmp-server location 192.168.1.96
snmp-server contact Bubba Jones
snmp-server community CCNA RO
snmp-server host 10.1.0.26 trap cisK0tRap^

CCNA-Router(config)# snmp-server community CCNA RO 99
CCNA-Router(config)# access-list 99 permit 192.168.1.0 /24
CCNA-Router(config)# snmp-server group CCNA-group v3 noauth
CCNA-Router(config)# snmp-server user CCNA-user CCNA-group v3
CCNA-Router(config)# snmp-server community CCNA RO 99
CCNA-Router(config)# snmp-server trap-source FastEthernet0/1
CCNA-Router(config)# snmp-server host 192.168.1.96 version 3 noauth CCNA-user

Configuring NTP

Because time is such an important factor, you should use Network Time Protocol (NTP) to synchronize the time in the network so that events that generate messages and time stamps can be correlated.

#ntp authentication-key 1 md5 141411050D 7
#ntp authenticate
#ntp trusted-key 1
#ntp update-calendar
#ntp server 192.168.1.96 key 1 prefer source FastEthernet0/1

CCNA-Router#  show ntp status
CCNA-Router#  show ntp association

Secure Copy Protocol
The Secure Copy (SCP) feature provides a secure and authenticated method for copying device configurations or device image files. SCP requires that authentication, authorization, and accounting (AAA) authorization be configured so that the device can determine whether the user has the correct privilege level.

CCNA-Router(config)# ip scp server enable

Securing the Cisco IOS Image and Configuration Files
The Cisco Resilient Configuration feature is intended to improve the recovery time by making a secure working copy of the IOS image and startup configuration files (which are referred to as the primary bootset) that cannot be deleted by a remote user.

R6(config)# secure boot-image
R6(config)# secure boot-config

R6# show secure bootset


Securing the Data Plane in IPv6

Understanding and Configuring IPv6

The Format of an IPv6 Address
+ Length: IPv6 addresses are 128 bits (16 bytes) long
+ Groupings: IPv6 addresses are segmented into eight groups of four hex characters
+ Separation of groups: Each group is separated by a colon (:)
+ Length of mask: Usually 50 percent (64 bits long) for network ID, which leaves 50 percent (also 64 bits) for interface ID (using a 64-bit mask)
+ Number of networks: The network part is allocated by Internet registries; with a 64-bit network ID there are 2^64 (about 1.8 × 10^19) possible networks

R1(config-if)#  ipv6 address 2001:0db8:0000:0000:1234:0000:0052:0001/64

A link-local address is an IPv6 address that you can use to communicate with other IPv6 devices on the same local network (local broadcast domain). It begins with FE80.

IPv6 Address Types
+ Link-local address: Link-local addresses may be manually configured, but if they are not, they are dynamically configured by the local host or router itself.
+ Loopback address: In IPv6, the address is ::1
+ All-nodes multicast address: multicasts begin with FFxx. The IPv6 multicast group that all IPv6 devices join is FF02::1.
+ All-routers multicast address: routers that have had routing enabled for IPv6 also join the multicast group FF02::2. By doing so, any client looking for a router can send a request to this group address and get a response if there is a router on the local network.
+ Unicast and anycast addresses: A global IPv6 address, unlike a link-local address, is routable and can be reached through one or more routers that are running IP routing and that have a correct routing table. Global IPv6 unicast addresses have the first four characters in the range of 2000 to 3FFF.
+ Solicited-node multicast address for each of its unicast and anycast addresses:
+ Multicast addresses of all other groups to which the host belongs
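An added Python example (not from the notes or the book) that checks the address types listed above against constructed sample addresses, splits a /64 address into its network and interface IDs, and derives the solicited-node multicast group for a unicast address. The solicited-node prefix FF02::1:FF00:0/104 and the link-local range FE80::/10 are assumed from the standard, not taken from the notes.

```python
import ipaddress

# Constructed sample addresses (not from the notes), one per type listed above.
SAMPLES = {
    "2001:0db8:0000:0000:1234:0000:0052:0001": "global unicast",
    "fe80::1": "link-local",
    "::1": "loopback",
    "ff02::1": "all-nodes multicast",
    "ff02::2": "all-routers multicast",
}

# Solicited-node multicast prefix FF02::1:FF00:0/104 (RFC 4291), assumed here.
SOLICITED_NODE = ipaddress.IPv6Network("ff02::1:ff00:0/104")

def groups(addr: str) -> list:
    """Return the eight 4-hex-character groups of an address, fully expanded."""
    return ipaddress.IPv6Address(addr).exploded.split(":")

def classify(addr: str) -> str:
    """Name the address type using the ranges the notes describe."""
    a = ipaddress.IPv6Address(addr)
    if a == ipaddress.IPv6Address("::1"):
        return "loopback"
    if a == ipaddress.IPv6Address("ff02::1"):
        return "all-nodes multicast"
    if a == ipaddress.IPv6Address("ff02::2"):
        return "all-routers multicast"
    if a in SOLICITED_NODE:
        return "solicited-node multicast"
    if a.is_multicast:                              # any other FFxx group
        return "multicast"
    if a in ipaddress.IPv6Network("fe80::/10"):     # begins with FE80
        return "link-local"
    if a in ipaddress.IPv6Network("2000::/3"):      # first group 2000..3FFF
        return "global unicast"
    return "other"

def solicited_node(addr: str) -> str:
    """Solicited-node group: FF02::1:FF00:0/104 plus the low 24 bits of the unicast address."""
    low24 = int(ipaddress.IPv6Address(addr)) & 0xFFFFFF
    return str(ipaddress.IPv6Address(int(SOLICITED_NODE.network_address) | low24))

def split_ids(addr: str) -> tuple:
    """Split a /64 address into its 64-bit network ID and 64-bit interface ID."""
    v = int(ipaddress.IPv6Address(addr))
    return v >> 64, v & ((1 << 64) - 1)

if __name__ == "__main__":
    for sample, expected in SAMPLES.items():
        assert classify(sample) == expected, sample
    print(solicited_node("2001:db8::1234:0:52:1"))  # ff02::1:ff52:1
```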

Configuring IPv6 Routing

Dynamic routing protocols with their versions that support IPv6:
+ RIP, called RIP next generation (RIPng)
+ OSPFv3
+ EIGRP for IPv6

R1(config)#  ipv6 unicast-routing – enable ipv6 routing for other devices
R1(config-if)# ipv6 enable – enable IPv6 on an interface
R1(config-if)# ipv6 rip MYRIP enable – enable RIPng on an interface
R1(config-if)# ipv6 ospf 1 area 0 – enable OSPFv3 on an interface
R1(config-if)# ipv6 eigrp 1 – enable EIGRP for IPv6 on an interface

R1# show ipv6 protocols – show which IPv6 routing protocols run on the router

Best Practices Common to Both IPv4 and IPv6
+ Physical security: Keep the room where the router is housed free (safe) from electrostatic and magnetic interference.
+ Device hardening: Disable services that are not in use and features and interfaces that are not in use.
+ Control access between zones: Enforce a security policy that clearly identifies which packets are allowed between networks.
+ Routing protocol security: Use authentication with routing protocols to help stop rogue devices from abusing the information being used in routing updates by your routers.
+ Authentication, authorization, and accounting (AAA): Require AAA so that you know exactly who is accessing your systems, when they are accessing your systems, and what they are doing.
+ Mitigating DoS attacks: Denial of service refers to willful attempts to disrupt legitimate users from getting access to the resources they intend to. Unicast reverse path verification is one way to assist with this, as are access lists.
+ Have and update a security policy

Threats Common to Both IPv4 and IPv6
+ Application layer attacks: you can place filters to allow only the required protocols through the network. ASA, IOS zone-based firewall or IPS.
+ Unauthorized access: use AAA services to challenge the user for credentials, and then authorize that user for only the access they need.
+ Man-in-the-middle attacks: by implementing Layer 2 dynamic ARP inspection (DAI) and Spanning Tree Protocol (STP) guards to protect spanning tree.
+ Sniffing or eavesdropping: CAM table overflow, causing the switch to forward all frames to all other ports in the same VLAN. You can use switch port security on the switches to limit the MAC addresses that could be injected on any single port.
+ Denial-of-service (DoS) attacks: Performing packet inspection and rate limiting of suspicious traffic, physical security, firewall inspection, and IPS can all be used to help mitigate a DoS attack.
+ Spoofed packets: Filtering traffic that is attempting to enter the network is one of the best first steps to mitigating this type of traffic.
+ Attacks against routers and other network devices: Implement the techniques you learned in the NFP chapter to protect the control, management, and data planes.

Each device on an IPv6 network joins the multicast group of FF02::1. So, if the attacker has local access to that network, he could ping that local multicast group and get a response that lets him know about each device on the network. FF02::1 is local in scope, so the attacker cannot use this technique remotely; he would have to be on the local network. Disabling an unused protocol stack (in this case, the unused IPv6 stack) would appropriately mitigate this risk.

New Potential Risks with IPv6
+ Network Discovery Protocol: Clients discover routers using NDP.
+ Neighbor cache resource starvation: The IPv6 Destination Guard feature blocks data traffic from an unknown source and filters IPv6 traffic based on the destination address.
+ DHCPv6: A rogue router that has fooled a client about being a router could also manipulate the client into using incorrect DHCP-learned information.
+ Hop-by-hop extension headers: One of the IPv6 extension headers is the Routing Header, type 0 (also referred to as RH0). RH0 can be used to identify a list of one or more intermediate nodes to be included on the path toward the final destination.
+ Packet amplification attacks: Using multicast addresses rather than IPv4 broadcast addresses could allow an attacker to trick an entire network into responding to a request.
+ ICMPv6:
+ Tunneling options: Tunneling IPv6 through IPv4 parts of a network may mean that the details inside the IPv6 packet might not be inspected or filtered by the IPv4 network.
+ Autoconfiguration:
+ Dual stacks: If a device is running both IPv4 and IPv6 at the same time the other protocol stack, if not secured, provides a potential vector for an attacker to remotely access the device.
+ Bugs in code:

IPv6 Best Practices
+ Filter bogus addresses: Drop, at the edge of your network, any addresses that should never be valid source or destination addresses. These are also referred to as bogon addresses.
+ Filter nonlocal multicast addresses: If you are not running multicast applications, you should never need multicast to be forwarded beyond a specific VLAN.
+ Filter ICMPv6 traffic that is not needed on your specific networks: Normal NDP uses ICMPv6 as its core protocol. A path’s maximum transmission unit (MTU) is also determined by using ICMP. Filter the unused parts of ICMP.
+ Drop routing header type 0 packets: Routing header 0, also known as RH0, may contain many intermediate next hops, and if followed an attacker could control the path of a packet through a network. Cisco routers, by default, drop packets with this type of header.
+ Use manual tunnels rather than automatic tunnels: do not use automatic tunnel mechanisms such as automatic 6to4.
+ Protect against rogue IPv6 devices:
         + IPv6 first-hop security binding table: This table is used to validate that the IPv6 neighbors are legitimate.
         + IPv6 device tracking: This feature provides the IPv6 neighbor table with the ability to immediately reflect changes when an IPv6 host becomes inactive.
         + IPv6 port-based access list support: Similar to IPv4 port access control lists (PACL), this feature provides access control on Layer 2 switch ports for IPv6 traffic.
         + IPv6 RA Guard: rejects rogue Router Advertisement (RA) messages that arrive at the network switch platform.
         + IPv6 ND Inspection: IPv6 ND inspection analyzes neighbor discovery messages to build a trusted binding table database, and IPv6 neighbor discovery messages that do not conform are dropped.
         + Secure Neighbor Discovery in IPv6 (SeND)

IPv6 Access Control Lists
The configuration in Example 12-4 prevents unauthorized IPv6 packets on UDP port 53 (DNS) from entering the network from interface Gigabit 0/0. In this example, 2001:DB8:1:60::/64 represents the IP address space that is used by DNS servers that the network administrator is trying to protect, and 2001:DB8::100:1 is the IP address of the host that is allowed to access the DNS servers.

CCNA-Router-1(config)# ipv6 access-list IPv6-ACL
CCNA-Router-1(config-ipv6-acl)# permit udp host 2001:DB8::100:1 2001:DB8:1:60::/64 eq 53 – a single source host needs the host keyword
CCNA-Router-1(config-ipv6-acl)# deny udp any 2001:DB8:1:60::/64 eq 53
CCNA-Router-1(config-ipv6-acl)# permit icmp any any nd-ns – keep Neighbor Discovery working ahead of the explicit deny
CCNA-Router-1(config-ipv6-acl)# permit icmp any any nd-na
CCNA-Router-1(config-ipv6-acl)# deny ipv6 any any
CCNA-Router-1(config-ipv6-acl)# interface GigabitEthernet0/0
CCNA-Router-1(config-if)# ipv6 traffic-filter IPv6-ACL in
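An added Python model (example code, not from the notes or from Cisco IOS) that evaluates the ACL above top-down, first match wins, against constructed packets, and compares the result with the same ACL minus its nd-ns/nd-na permits to show why those two lines sit ahead of the explicit deny. The ICMPv6 type numbers 135/136 behind the nd-ns/nd-na keywords are assumed from the standard.

```python
import ipaddress

ND_NS, ND_NA = 135, 136   # ICMPv6 types behind the nd-ns / nd-na keywords (RFC 4861)

# The notes' ACL transcribed as (action, protocol, source, destination, dport, icmp_type);
# "any" is written as ::/0 and a single host as a /128.
IPV6_ACL = [
    ("permit", "udp",  "2001:DB8::100:1/128", "2001:DB8:1:60::/64", 53,   None),
    ("deny",   "udp",  "::/0",                "2001:DB8:1:60::/64", 53,   None),
    ("permit", "icmp", "::/0",                "::/0",               None, ND_NS),
    ("permit", "icmp", "::/0",                "::/0",               None, ND_NA),
    ("deny",   "ipv6", "::/0",                "::/0",               None, None),
]

def evaluate(acl, src, dst, proto, dport=None, icmp_type=None):
    """Return the action of the first matching entry, top-down, as IOS does."""
    s, d = ipaddress.IPv6Address(src), ipaddress.IPv6Address(dst)
    for action, p, sn, dn, port, itype in acl:
        if p != "ipv6" and p != proto:          # "ipv6" matches every protocol
            continue
        if s not in ipaddress.IPv6Network(sn) or d not in ipaddress.IPv6Network(dn):
            continue
        if port is not None and port != dport:
            continue
        if itype is not None and itype != icmp_type:
            continue
        return action
    return "deny"                               # implicit deny at the end of every ACL

def without_nd_permits(acl):
    """Same ACL with the explicit nd-ns/nd-na permits removed, for comparison."""
    return [e for e in acl if e[5] not in (ND_NS, ND_NA)]

# Constructed test packets (not from the notes): src, dst, proto, dport, icmp_type
PACKETS = {
    "allowed host -> DNS":   ("2001:DB8::100:1", "2001:DB8:1:60::53", "udp", 53, None),
    "other host -> DNS":     ("2001:DB8::200:1", "2001:DB8:1:60::53", "udp", 53, None),
    "neighbor solicitation": ("fe80::1", "ff02::1:ff00:53", "icmp", None, ND_NS),
}

if __name__ == "__main__":
    for name, pkt in PACKETS.items():
        full, stripped = evaluate(IPV6_ACL, *pkt), evaluate(without_nd_permits(IPV6_ACL), *pkt)
        print(f"{name}: {full} (without ND permits: {stripped})")
```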


Refer to Part-2  Hand notes-CCNA Security 210-260-Part-2
