After reading, understanding and reviewing the extended CCNA Security 640-554 Exam Cram, these brief notes are for the final push.
Note: These notes exist on this blog purely as a personal tool to help with revision, since the information presents itself nicely within a smartphone browser, which is handy for learning when I have a spare moment on a commute or similar!
Final Push
1 Networking Security Concepts
Two characteristics that represent a blended threat = Trojan horse attack and day zero attack.
Control plane = secures traffic destined to the router itself
Data plane = secures transit traffic through the router
Management plane = secures router access
A VLAN is a logical broadcast domain that can span multiple physical LAN segments.
STP is a Layer 2 protocol that provides loop resolution by managing the physical paths to a given network segment.
Four methods used by hackers: footprint analysis attack, privilege escalation attack, social engineering attack, Trojan Horse attack
3 Building a Security Strategy
A step to be taken when a security policy is developed = perform quantitative risk analysis.
Threat mitigation is defense in depth.
The VPN security policy is categorized under the remote access policy.
Two important considerations about secure network management = log tampering and accurate time stamping.
Build ACLs based upon your security policy.
4 Network Foundation Protection
Threats to the physical installation of an enterprise network include: electrical power and computer room access.
Separating management traffic from production traffic = out-of-band.
Syslog level 4 = LOG_WARNING.
6 Securing the Management Plane on Cisco IOS Devices
A Cisco IOS image file secured with the Cisco IOS image resilience feature is not visible in the output of the show flash command.
#secure boot-image = enables Cisco IOS image resilience.
#show secure bootset = Cisco IOS command used to verify that either the Cisco IOS image, the configuration files, or both, have been properly backed up and secured.
The #secure boot-config global configuration command takes a snapshot of the router running configuration and securely archives it in persistent storage.
The aaa new-model CLI configuration command must be enabled before any user views can be created.
aaa accounting exec start-stop tacacs+ = enables logging of the start and stop records for user terminal sessions on the router.
#sh run | include username (gives) username test secret 5 … => the user password is hashed using MD5.
#enable secret level 5 password => sets the enable secret for privilege level 5.
Common examples of AAA implementation on Cisco routers include: authenticating remote users over an IPsec VPN, authenticating administrator access to console/AUX/vty ports, and performing router command authorization using TACACS+.
An important factor when implementing syslogging = synchronize clocks on the network with a protocol such as NTP.
Synchronizing clocks on hosts and devices is an important step to take when implementing secure network management.
SSH secures router management session traffic.
The role-based CLI router management feature provides the ability to configure multiple administrative views.
When configuring role-based CLI on a Cisco router, the first step is to enable the root view on the router.
When an RSA key pair is generated on a Cisco router to prepare for secure device management, the SSH protocol is automatically enabled.
Example Syslog output:
The syslog message shown tells us that service timestamps have been globally enabled, and the message is a level 5 notification message:
Feb 9 11:12:13 GMT: %SYS-5-CONFIG_I: Configured from console by vty0 (10.2.2.6)
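As an added example (not from the original notes), a small Python parser for the IOS syslog format shown above, with the severity-number-to-name table and a helper that applies a logging trap level; the sample lines are constructed for this example.

```python
import re

# Standard syslog severity names, indexed by the IOS severity number (0 = most severe).
SEVERITY_NAMES = ("LOG_EMERG", "LOG_ALERT", "LOG_CRIT", "LOG_ERR",
                  "LOG_WARNING", "LOG_NOTICE", "LOG_INFO", "LOG_DEBUG")

# IOS format: [seq: ][timestamp: ]%FACILITY-SEVERITY-MNEMONIC: text
_IOS_RE = re.compile(
    r"^(?:(?P<seq>\d+): )?"
    r"(?:(?P<ts>.*?): )?"
    r"%(?P<fac>[A-Z0-9_]+)-(?P<sev>[0-7])-(?P<mn>[A-Z0-9_]+): (?P<text>.*)$"
)

def parse_ios_syslog(line):
    """Split one IOS syslog line into its fields; return None if it is not one."""
    m = _IOS_RE.match(line.strip())
    if not m:
        return None
    sev = int(m.group("sev"))
    return {
        "sequence": m.group("seq"),        # present only with 'service sequence-numbers'
        "timestamp": m.group("ts"),        # None when 'service timestamps' is off
        "facility": m.group("fac"),
        "severity": sev,
        "severity_name": SEVERITY_NAMES[sev],
        "mnemonic": m.group("mn"),
        "text": m.group("text"),
    }

def passes_trap_level(severity, trap_level):
    """'logging trap <level>' forwards messages at that level or more severe
    (numerically lower). With trap level 4 (warnings), a level-5 notification
    such as the CONFIG_I message above is not sent to the syslog server."""
    return severity <= trap_level

# Constructed sample lines: the page's message, one without timestamps, one with a sequence number.
SAMPLE_LINES = [
    "Feb 9 11:12:13 GMT: %SYS-5-CONFIG_I: Configured from console by vty0 (10.2.2.6)",
    "%LINK-3-UPDOWN: Interface FastEthernet0/1, changed state to down",
    "000042: *Mar 1 00:00:10.123: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: bob] "
    "[Source: 10.1.1.9] [localport: 23] [Reason: Login Authentication Failed]",
]

if __name__ == "__main__":
    for line in SAMPLE_LINES:
        msg = parse_ios_syslog(line)
        print(f'{msg["severity_name"]:<12} {msg["facility"]}-{msg["mnemonic"]}: {msg["text"]}')
```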
Example router security:
A router in quiet mode for 93 more seconds and configured with “if more than 2 login failures occur in 100 seconds or less, logins will be disabled for 100 seconds” means that three or more login requests have failed within the last 100 seconds.
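An added Python model (not from the notes) of the quiet-mode rule quoted above, which makes the "more than 2 failures means three or more" arithmetic explicit; the parameter names and the choice to drop attempts made during quiet mode are assumptions of this model, not a description of IOS internals.

```python
from collections import deque

class LoginGuard:
    """Model of the login-blocking rule quoted above: more than `max_failures`
    failed logins inside any `window`-second span puts the device in quiet mode,
    during which every login attempt is refused for `block_for` seconds."""

    def __init__(self, max_failures=2, window=100, block_for=100):
        self.max_failures = max_failures
        self.window = window
        self.block_for = block_for
        self._failures = deque()       # timestamps (seconds) of recent failures
        self._quiet_until = None

    def is_quiet(self, now):
        return self._quiet_until is not None and now < self._quiet_until

    def quiet_seconds_left(self, now):
        """The '93 more seconds' figure in a 'show login' style report."""
        return max(0, self._quiet_until - now) if self.is_quiet(now) else 0

    def login_allowed(self, now):
        """Quiet mode refuses logins outright, before credentials are checked."""
        return not self.is_quiet(now)

    def record_failure(self, now):
        """Register one failed login; return True if it triggered quiet mode."""
        if self.is_quiet(now):
            return False               # assumption: attempts during quiet mode are dropped, not counted
        # keep only failures within the window, inclusive ("100 seconds or less")
        while self._failures and now - self._failures[0] > self.window:
            self._failures.popleft()
        self._failures.append(now)
        if len(self._failures) > self.max_failures:   # "more than 2" = the third failure
            self._quiet_until = now + self.block_for
            self._failures.clear()
            return True
        return False

if __name__ == "__main__":
    g = LoginGuard()
    for t in (0, 10, 20):              # constructed failure times in seconds
        print(f"t={t:>3}s failure -> quiet mode entered: {g.record_failure(t)}")
    print(f"t= 27s quiet for {g.quiet_seconds_left(27)} more seconds")
```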
Example AAA:
ROUTER(config)# username admin privilege 15 secret hardt0ckRackPw
ROUTER(config)# aaa new-model
ROUTER(config)# aaa authentication login default tacacs+
ROUTER(config)# aaa authentication login test tacacs+ local
ROUTER(config)# line vty 0 4
ROUTER(config-line)# login authentication test
ROUTER(config-line)# line con 0
ROUTER(config-line)# end
Note: Here the authentication method list used by the vty ports is named test; the console line, which has no login authentication command, uses the default list.
The no service password-recovery command disables the Break-key password recovery procedure via ROMMON (ROM Monitor).
The MD5 algorithm takes a variable-length message and produces a 128-bit message digest.
7 Implementing AAA Using Cisco IOS and the ACS Server
RADIUS combines authentication and authorization in one process.
TACACS+ protocol characteristics:
> Uses TCP (port 49)
> Separates the authentication, authorization, and accounting functions
> Encrypts the entire body of the packet
> Supports authorization of router commands on a per-user or per-group basis
RADIUS protocol characteristics:
> Uses UDP
> Combines the authentication and authorization functions
> Encrypts the password only
(and ‘Has no option to authorise router commands’)
AAA: Local and enable authentication methods should be used as the final method to ensure login in case the external AAA server fails.
Two characteristics of the TACACS+ protocol: separates the AAA functions and encrypts the body of every packet.
8 Securing Layer 2 Technologies
A CAM overflow attack is a Layer 2 attack that causes a switch to flood all incoming traffic to all ports.
STP attack = a Layer 2 attack where an attacker broadcasts BPDUs with a lower switch priority.
Native VLANs for trunk ports should never be used anywhere else on the switch.
Best practice when configuring trunking on a switch port is to configure an unused VLAN as the native VLAN.
The best way to prevent a VLAN hopping attack is to disable DTP negotiations.
When implementing VLAN trunking, an additional configuration parameter which should be added to the trunking configuration is:
# switchport nonnegotiate
Two methods to mitigate rogue Layer 2 device interception of traffic from multiple VLANs – set the native VLAN on the trunk ports to an unused VLAN and disable DTP on ports that require trunking.
Port security enabled on a Cisco Catalyst switch: the default action when the configured maximum number of allowed MAC addresses is exceeded = the port is shut down.
The root guard feature should be deployed toward ports that connect to switches that should not be the root bridge.
When two switches have the same (default) priority, the switch with the lower MAC address becomes the root bridge.
CLI Example: to configure an interface on a switch to limit the maximum number of MAC addresses that are allowed to access the port to two and to shut down the interface when there is a violation:
SW1> enable
SW1# config t
SW1(config)# int fa0/12
SW1(config-if)# switchport mode access
SW1(config-if)# switchport port-security
SW1(config-if)# switchport port-security maximum 2
SW1(config-if)# switchport port-security violation shutdown
SW1(config-if)# no shut
SW1(config-if)# exit
SW1(config)# do copy run start
SW1(config)# end
SW1# sh port-security interface fa0/12
9 Securing the Data Plane in IPv6
Two built-in features of IPv6 = native IPsec and mobile IP
IPv6 unicast address types: Global, Link-local, 6to4, Site-local
11 Using Access Control Lists for Threat Mitigation
Cisco IOS extended ACLs are defined by the number ranges 100 to 199 and 2000 to 2699.
Extended ACLs are recommended as close to the source of the traffic as possible.
Cisco IOS access control lists are configured with wildcard masking.
Cisco IOS access control lists are processed from the top down.
True statements regarding applying access control lists to a Cisco router:
> Place more specific ACL entries at the top of the ACL
> Router-generated packets cannot be filtered by ACLs on the router
> If an access list is applied but it is not configured, all traffic passes
Characteristics of a static packet filter firewall rule:
> Can permit or deny traffic based on IP address
> Can permit or deny traffic based on protocol
> Can permit or deny traffic based on source and destination ports
When configuring ACLs to control, say, Telnet traffic destined to the router itself, the ACL should be applied to all vty lines in the inbound direction, to prevent an unwanted user from connecting through an unsecured line.
With a standard ACL applied to interface Serial 0, if the traffic being filtered does not match any of the configured ACL statements for Serial 0, the traffic is dropped (the implicit deny at the end of every ACL).
12 Understanding Firewall Fundamentals
A stateful packet filter firewall is considered the most versatile and most commonly used firewall technology.
A stateful firewall allows modification of security rule sets in real time to allow return traffic.
A state table is used to keep track of the connections through the firewall.
An access control list applied to a router interface only filters traffic that passes through the router.
Information stored in the stateful session flow table: the source and destination IP address, port numbers, TCP sequencing information, and additional flags for each TCP or UDP connection associated with a particular session.
That it cannot detect application-layer attacks is a potential security weakness of a traditional stateful firewall.
13 Implementing Cisco IOS Zone-Based Firewalls
Cisco IOS zone-based policy firewall: 3 actions that can be applied to a traffic class – pass, inspect, and drop.
Cisco IOS zone-based policy firewall default > 3 types of traffic permitted by the router when some of the router interfaces are assigned to a zone:
> traffic flowing to and from the router interfaces (the self-zone)
> traffic flowing among interfaces that are members of the same zone
> traffic flowing among the interfaces that are not assigned to any zone
On Cisco ISR routers, the realm-cisco.pub public encryption key is used to verify the digital signature of the IPS signature file.
Two characteristics of the CCP Security Audit Wizard: displays a screen with fix-it check boxes to let you choose which potential security-related configuration changes to implement; and requires users to first identify which router interfaces connect to the inside network and which connect to the outside network.
A zone pair exists between a source and destination zone but no policy is applied: result = drop.
Two protocols that enable the CCP to pull IPS alerts from a Cisco ISR router = syslog and SDEE (Security Device Event Exchange)
Example:
Class-map: TEST-Class (match-all)
  Match: access-group 110
  Match: protocol http
  Inspect ……………
Class-map: class-default (match-any)
  Match: any
  Drop (default action)
Result: Stateful packet inspection will be applied only to HTTP packets that also match ACL 110.
Example:
interface E0
 ip address 10.20.20.20 255.255.255.0
 ip access-group 101 in
…
access-list 101 permit tcp 10.20.20.0 0.0.0.255 any
Note: Access-list 101 will prevent address spoofing from interface E0 (because only traffic sourced from 10.20.20.0/24 is accepted inbound on E0, so only the LAN's own addresses can get out through the router).
14 Configuring Basic Firewall Policies on Cisco ASA
True statements about the Cisco ASA appliance:
> The DMZ interface(s) on the Cisco ASA appliance most typically use a security level between 1 and 99
> The Cisco ASA appliance supports Active/Active or Active/Standby failover
> The Cisco ASA appliance uses security contexts to virtually partition the ASA into multiple virtual firewalls
The Cisco ASA appliance interface ACL configurations use netmasks instead of wildcard masks (unlike Cisco IOS routers).
Two advantages of an application layer firewall: makes DoS attacks difficult and authenticates individuals.
Dynamic PAT = a type of NAT where you translate multiple internal IP addresses to a single global, routable IP address.
Configure static NAT if a host on the external network requires access to an internal host.
Cisco ASA access lists: object groups can be configured to match multiple entries in a single statement.
15 Cisco IPS/IDS Fundamentals
IPS
> Can stop the attack trigger packet
> Can use stream normalization techniques
> Has some impact on network latency and jitter
> Deployed in inline mode
IDS
> No network impact if there is a sensor overload
> Allows malicious traffic to pass before it can respond
> Deployed in promiscuous mode
> More vulnerable to network evasion techniques.
Risk rating is an IPS technique commonly used to improve accuracy and context awareness, aiming to detect and respond to relevant incidents only and therefore reduce noise.
False positive = an alarm that is triggered by normal traffic or a benign action
False negative = a signature that is not fired when offending traffic is detected
True positive = generates an alarm when offending traffic is detected
True negative = a signature is not fired when non-offending traffic is captured and analysed
Network-based IPS can provide protection to desktops and servers without the need to install specialized software on the end hosts and servers.
16 Implementing IOS-Based IPS
For a large enterprise with many remote locations, the best place to deploy the Cisco IOS IPS solution is at the remote branch offices.
The Cisco IOS IPS product – an integrated services router which offers an inline, deep-packet inspection feature.
The benefit of using Cisco IOS IPS is that it uses the underlying routing infrastructure to provide an additional layer of security.
4 tasks when configuring the Cisco IOS IPS using the CCP IPS wizard:
> select the interface(s) to apply the IPS rule
> select the traffic flow direction that should be applied by the IPS rule
> specify the signature file and the Cisco public key
> specify the configuration location and select the category of signatures to be applied to the selected interface(s)
Using CCP to enable Cisco IOS IPS, the signature must be enabled, unretired, and successfully compiled before any actions can be taken when an attack matches that signature.
IPS Detection Approaches:
Policy based = only allows HTTPS traffic to the web servers (for example)
Anomaly based = detects unexpected traffic spikes
Signature based = detects attacks based on known attack fingerprints
Reputation based = detects events based on correlations with a blacklist downloaded from a dynamically updated database
Disabled signatures (when using Cisco IOS IPS) still consume router resources.
Signature-based intrusion prevention is the primary type of technology used by the Cisco IPS security appliances.
Cisco IOS IPS on Cisco IOS Release 12.4(11)T and later uses the Cisco IPS 5.x signature format.
17 Fundamentals of VPN Technology
Diffie-Hellman provides a way for two peers to establish a shared-secret key, which only they will know, even though they are communicating over an unsecured channel.
Two functions required for IPsec operations: using IKE to negotiate the SA and using Diffie-Hellman to establish a shared-secret key.
Diffie-Hellman is used to establish a symmetric shared key via a public key exchange process.
Asymmetric encryption algorithms use different keys for encryption and decryption of data.
A pre-shared key can be used to authenticate the IPsec peers during IKE Phase 1.
3 modes of access that can be delivered by SSL VPN = full tunnel client, thin client and clientless.
Asymmetric encryption: The sender encrypts the data using the receiver’s public key, and the receiver decrypts the message using the receiver’s private key.
Symmetric encryption: The sender encrypts the message with a particular cryptosystem using the secret key and the receiver decrypts the message with the same key.
True statements about SSL-based VPNs: asymmetric algorithms are used for authentication and key exchange; and the authentication process uses hashing technologies.
Symmetric algorithms include: DES, 3DES, AES, IDEA, CAST5, BLOWFISH, TWOFISH
Asymmetric algorithms include: RSA, Diffie-Hellman, Elliptic Curve, DSA, ELGAMAL
19 Fundamentals of IP Security
IKE Phase 1:
1.1 Negotiate IKE policy sets and authenticate peers
1.2 Perform a Diffie-Hellman exchange
IKE Phase 2:
2.1 Negotiate IPsec security policies
2.2 Establish IPsec SAs
2.3 Perform an optional Diffie-Hellman exchange
20 Implementing IPsec Site-to-Site VPNs
Confidentiality and data integrity are two services provided by IPsec.
crypto ipsec transform-set 3 esp-aes 256 esp-sha-hmac will provide strong protection.
Using the CCP site-to-site VPN wizard to implement a site-to-site IPsec VPN using a pre-shared key requires:
> the interface of the VPN connection
> the VPN peer IP address
> the interesting traffic (the traffic to be protected)
> the pre-shared key
True statements about the IPsec ESP (Encapsulating Security Payload) modes of operation: tunnel mode is used between a host and a security gateway; tunnel mode is used between two security gateways; transport mode leaves the original IP header in the clear.
21 Implementing SSL VPNs Using Cisco ASA
An IP address pool is required only for Cisco AnyConnect full tunnel SSL VPN access and is not required for clientless SSL VPN.
The purpose of the Cisco ASA appliance web launch SSL VPN feature is to enable users to log in to a web portal to download and launch the AnyConnect client.
4 types of VPN supported using Cisco ISRs and Cisco ASA appliances:
> SSL clientless remote-access VPNs
> SSL full-tunnel client remote-access VPNs
> IPsec site-to-site VPNs
> IPsec client remote-access VPNs
A Miscellaneous/Uncategorized
The Cisco Security Manager tool can centrally provision all aspects of device configuration across the Cisco family of security products.
PVLAN Edge (Private VLAN Edge – protected ports): The switch does not forward any traffic from one protected port to any other protected port.
Two features of Cisco IronPort Security Gateway: spam protection and email encryption.
Consistent cloud-based policy is a feature of Cisco ScanSafe technology.
The Secure Network Platform characteristic is the foundation of Cisco Self-Defending Network technology.
Lab Training Example with the Cisco Configuration Professional
CCP Example: how to find the properties included in the inspection class map OUT_SERVICE
Example result: FTP, HTTP, P2P, ICMP
CCP Example: how to find the NAT address assigned by ACL 1
Example result: 192.168.1.0/25
CCP Example: how to find which class map is used by the INBOUND rule
Example result: Class-map-ccp-cls-2
CCP Example: how to find which policy is assigned to zone pair sdm-zip-OUT-IN
Example result: ccp-policy-ccp-cls-2
CCP Example: how to find what is included in the network object group INSIDE
Example result: network 175.25.133.0/24 and network 10.0.10.0/24