CCNA Security


Upload: hendra-mulyanto

Post on 21-May-2015


TRANSCRIPT

Page 1: Ccna security

Network Security Objective

• Confidentiality
• Integrity
• Availability

Page 2: Ccna security

Cost Benefit Analysis

• Risk Management
  – Asset
  – Vulnerability
  – Threat
  – Countermeasure

Page 3: Ccna security

Asset Classification

Governmental classifications
• Unclassified
• Sensitive but unclassified (SBU)
• Confidential
• Secret
• Top Secret

Private sector classifications
• Public
• Sensitive
• Private
• Confidential

Page 4: Ccna security

Classification Criteria and Roles

Classification criteria
• Value
• Age
• Replacement cost
• Useful lifetime

Classification roles
• Owner
• Custodian
• User

Page 5: Ccna security

Potential Network Vulnerabilities

• Policy flaws
• Design errors
• Protocol weaknesses
• Misconfiguration
• Software vulnerabilities
• Human factors
• Malicious software
• Hardware vulnerabilities
• Physical access to network resources

Page 6: Ccna security

Common Control Methods

• Administrative
• Physical
• Logical (technical)

Page 7: Ccna security

Attack Methods

• Reconnaissance
• Social engineering
• Privilege escalation
• Back doors

Page 8: Ccna security

Man-in-the-middle-attack

• Layer 2 attacks
  – ARP poisoning
  – Rogue switch

• Layer 3 attacks
  – Rogue router

Page 9: Ccna security

Other Attack Methods

• Covert channels
• Trust exploitation
• Password attacks
• Botnets
• DoS and DDoS

Page 10: Ccna security

Secure Network Architecture

• Rule of least privilege
• Defense in depth
• Separation of duties
• Auditing

Page 11: Ccna security

Security Lifecycle

• Initiation
• Acquisition and development
• Implementation
• Operations and maintenance
• Disposition

Page 12: Ccna security

Security Posture Assessment

• General security posture assessment
• Internal assessment
• External assessment
• Wireless assessment
• Analysis and documentation

Page 13: Ccna security

Considering the Asset

• Value of the asset
• Vulnerabilities
• Potential threats
• Compliance issues
• Business requirements

Page 14: Ccna security

Risk for a New Asset Not Yet Assessed

• Using quantitative or qualitative approaches, identify the risk
• Take action regarding the risk (mitigate, transfer, avoid, or accept it)
• Monitor the risk

Page 15: Ccna security

Security Policies

• Who creates security policies?
• What is in a security policy?
• Why do we have security policies?

Page 16: Ccna security

Specific Types of Policies

• Guideline policies
• Email policies
• Remote-access policies
• Telephony policies
• Application policies
• Network policies

Page 17: Ccna security

Security Practice Vocabulary

• Standards
• Procedures
• Guidelines
• Policies

Page 18: Ccna security

Testing the Security Architecture

• Network scanning
• Vulnerability scanning
• Password cracking
• Penetration testing
• Social engineering attempts

Page 19: Ccna security

Responding to Incidents

• Assist in the recovery of business operations
• Document all possible details of the incident
• Prevent future incidents, where possible

Page 20: Ccna security

Business Continuity Factors

• Maximum tolerable downtime (MTD)
• Recovery Time Objective (RTO): how quickly the service must be restored (must be less than or equal to the MTD)
• Recovery Point Objective (RPO): how much data, measured in time, can be lost

Page 21: Ccna security

Borderless Network Components

• Borderless end zone
• Borderless data center
• Borderless Internet
• Policy management point

Page 22: Ccna security

SecureX Architecture

• Context awareness
• AnyConnect client
• TrustSec
• Security Intelligence Operations

Page 23: Ccna security

Threat Mitigation and Monitoring Tools

• ASA firewall
• Integrated Services Router (ISR)
• Intrusion Prevention System (IPS)
• IronPort Email Security Appliances and IronPort Web Security Appliances (WSA)
• ScanSafe

Page 24: Ccna security

Network Foundation Protection (NFP) Framework

• Management plane
• Control plane
• Data plane

Page 25: Ccna security

Management Plane Security Measures

• Authentication, authorization, accounting (AAA)
• Authenticated Network Time Protocol (NTP)
• Secure Shell (SSH)
• Secure Sockets Layer/Transport Layer Security (SSL/TLS)
• Protected syslog
• Simple Network Management Protocol version 3 (SNMPv3)
• Parser views

Page 26: Ccna security

Control Plane Security Measures

• Control Plane Policing (CoPP) and Control Plane Protection (CPPr)
• Authenticated routing protocol updates

Page 27: Ccna security

Data Plane Security Measures

• Access control lists (ACLs)
• Layer 2 controls, such as private VLANs and Spanning Tree Protocol (STP) guards
• IOS IPS, Zone-Based Firewall
• Unicast Reverse Path Forwarding (uRPF)

Page 28: Ccna security

Best Practices: Securing the Management Plane

• Maximum number of login attempts and minimum password length
• RBAC using ACS, CLI parser views, and privilege levels
• AAA managed by ACS
• Secure (authenticated) NTP
• Encrypted and authenticated version of SNMP (SNMPv3 authPriv)
• Control which IP addresses are allowed to initiate management sessions (access-class on the vty lines)
• Lock down syslog using a separate management VLAN or an encrypted transport

Page 29: Ccna security

Best Practices: Securing the Control Plane

• Rate-limit traffic punted to the route processor: apply a QoS policy (CoPP) to the logical control-plane interface that polices bogus or excessive management and control traffic
• With CPPr, classify the punted traffic by physical or logical interface and by control-plane subinterface (host, transit, CEF-exception), since some data-plane traffic also requires CPU intervention
• Routing protocol authentication

Page 30: Ccna security

Best Practices: Securing the Data Plane

• Block unwanted traffic at the router (ACLs)
• Reduce the chance of a TCP SYN-flood DoS attack using TCP Intercept
• Reduce spoofing attacks (uRPF, anti-spoofing ACLs)
• Implement rate-limiting for certain traffic
• IPS
• Port security against CAM overflow and MAC address flooding
• DHCP snooping to protect against rogue DHCP servers and DHCP starvation attacks
• DAI (Dynamic ARP Inspection) to protect against ARP spoofing, ARP poisoning, and man-in-the-middle attacks
• IP Source Guard to protect against IP spoofing

Page 31: Ccna security

Centralized Server Types

• Cisco Secure ACS Solution Engine
• Cisco Secure ACS for Windows Server
• Current flavors of ACS functionality
• Self-contained AAA (the local database on the router itself)

Page 32: Ccna security

Password Creation Guidelines

• Minimum password length of 8 characters, enforced with the command security passwords min-length 8
• Don't require passwords so complicated that users need to write them down to remember them
• Passwords should be fairly complex and changed periodically
• Consider passwords from a mathematical perspective: the number of guesses an attacker needs grows with both the length and the size of the character set

Page 33: Ccna security

AAA Components to Secure Administrative and Remote LAN Access

Remote administrative access
– Mode: character (line or EXEC mode)
– Protocol: usually TACACS+ between the router and the ACS
– Where likely to be used: lines (vty, AUX, console, and tty)
– AAA command element: login, enable, exec

Remote network access (end users)
– Mode: packet (interface mode), such as an interface with PPP requiring authentication
– Protocol: usually RADIUS between the router and the ACS
– Where likely to be used: interfaces (async, group-async, BRI, PRI); other functionality: VPN user authentication
– AAA command element: ppp, network, vpn groups

Page 34: Ccna security

Logging Destinations

• Console
• Vty lines (terminal monitor)
• Buffer (logging buffered)
• SNMP server (traps)
• Syslog server (logging host)

Page 35: Ccna security

Syslog Severity Levels

Level  Name           Description
0      Emergencies    System is unusable.
1      Alerts         Immediate action needed.
2      Critical       Critical conditions.
3      Errors         Error conditions.
4      Warnings       Warning conditions.
5      Notifications  Normal, but significant conditions.
6      Informational  Informational messages.
7      Debugging      Highly detailed information based on the debugging that is currently turned on.
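The severity numbers in the table decide what leaves the box: with logging trap <level>, IOS forwards to the syslog server only messages whose severity is at or below the configured number. The following Python is an added example, not code from the slides or from Cisco: it parses IOS-format syslog lines (the sample lines are constructed for the example, not captured from a device), applies that trap-level filter, and pulls the source address out of failed-login messages. The regex and helper names are this example's own.

```python
import re

# Severity numbers and names from the table above.
SEVERITY_NAMES = {
    0: "emergencies", 1: "alerts", 2: "critical", 3: "errors",
    4: "warnings", 5: "notifications", 6: "informational", 7: "debugging",
}

# Constructed sample log in the shape IOS emits: sequence number, timestamp,
# %FACILITY-SEVERITY-MNEMONIC: text. Written for this example, not captured.
SAMPLE_LOG = """\
000123: *May 21 10:01:02.123: %SYS-5-CONFIG_I: Configured from console by admin on vty0 (10.0.0.5)
000124: *May 21 10:01:09.001: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: root] [Source: 198.51.100.7] [localport: 22] [Reason: Login Authentication Failed] at 10:01:09 UTC Thu May 21 2015
000125: *May 21 10:01:15.555: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet0/1, changed state to down
000126: *May 21 10:01:20.777: %SYS-6-LOGOUT: User admin has exited tty session 2(10.0.0.5)
000127: *May 21 10:02:00.000: %SEC_LOGIN-1-QUIET_MODE_ON: Still timeleft for watching failures is 30 secs, [user: root] [Source: 198.51.100.7] [localport: 22] [Reason: Login Authentication Failed] [ACL: sl_def_acl] at 10:02:00 UTC Thu May 21 2015
000128: *May 21 10:02:30.000: %CDP-4-DUPLEX_MISMATCH: duplex mismatch discovered on GigabitEthernet0/2 (not half duplex)
"""

MSG_RE = re.compile(
    r"%(?P<facility>[A-Z0-9_]+)-(?P<severity>[0-7])-(?P<mnemonic>[A-Z0-9_]+):\s*(?P<text>.*)"
)


def parse_line(line):
    """Return {facility, severity, mnemonic, text} or None for a non-syslog line."""
    m = MSG_RE.search(line)
    if m is None:
        return None
    return {
        "facility": m.group("facility"),
        "severity": int(m.group("severity")),
        "mnemonic": m.group("mnemonic"),
        "text": m.group("text"),
    }


def filter_by_trap_level(log_text, trap_level):
    """Messages a 'logging trap <level>' setting would forward to the syslog server.

    IOS forwards a message when its severity is numerically <= the configured
    level, so 'logging trap warnings' (4) sends levels 0..4 and drops 5..7.
    """
    kept = []
    for line in log_text.splitlines():
        msg = parse_line(line)
        if msg is not None and msg["severity"] <= trap_level:
            kept.append(msg)
    return kept


def count_by_severity(log_text):
    """Histogram of severity names: a quick sanity check on what a device sends."""
    counts = {}
    for line in log_text.splitlines():
        msg = parse_line(line)
        if msg is not None:
            name = SEVERITY_NAMES[msg["severity"]]
            counts[name] = counts.get(name, 0) + 1
    return counts


def login_failure_sources(log_text):
    """Source IPs from SEC_LOGIN-4-LOGIN_FAILED messages: the field a SOC alerts on."""
    sources = []
    for line in log_text.splitlines():
        msg = parse_line(line)
        if msg is not None and msg["facility"] == "SEC_LOGIN" and msg["mnemonic"] == "LOGIN_FAILED":
            m = re.search(r"\[Source: ([0-9.]+)\]", msg["text"])
            if m:
                sources.append(m.group(1))
    return sources


if __name__ == "__main__":
    for msg in filter_by_trap_level(SAMPLE_LOG, 4):
        print(msg["severity"], msg["facility"], msg["mnemonic"])
    print(count_by_severity(SAMPLE_LOG))
    print(login_failure_sources(SAMPLE_LOG))
```

Note that a trap level of 4 (warnings) keeps the failed-login and quiet-mode messages but silently drops the severity 5 configuration-change message, which is usually one you want on the central server; pick the trap level from what must be kept, not from volume alone.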

Page 36: Ccna security

Using Strong Passwords

• Creating a username in the local database:
R1(config)# username admin secret CeyeSc01$24

• Login and password to access the console port:
R1(config)# line console 0
R1(config-line)# password k4(1fmMsS1#
R1(config-line)# login
R1(config-line)# exit

• Login and password to access the vty lines:
R1(config)# line vty 0 4
R1(config-line)# password 8wT1*eGP5@
R1(config-line)# login

• Login and password for the AUX line (no exec prevents an EXEC session from being started on it):
R1(config-line)# line aux 0
R1(config-line)# no exec
R1(config-line)# password 1wT1@ecP27
R1(config-line)# login
R1(config-line)# exit

Note: line passwords set with password are stored in clear text (or as reversible type 7 if service password-encryption is on), whereas username ... secret is hashed. Prefer login local (or AAA) on the lines so that the hashed username secret, not a line password, is what gets checked.

Page 37: Ccna security

User Authentication with AAA

R1(config)# aaa new-model
R1(config)# tacacs-server host 50.50.4.101
R1(config)# tacacs-server key ToUgHPaSsW0rD-1#7

• Using the default method list (applies to every line that has no named list applied):
R1(config)# aaa authentication login default local enable

• Custom authentication method list (methods are tried in order, left to right; the next method is used only when the previous one is unreachable, not when it rejects the user):
R1(config)# aaa authentication login MY-LIST-1 group tacacs+ local enable

Page 38: Ccna security

Authorization and Accounting Method Lists

R1(config)# aaa authorization commands 1 TAC1 group tacacs+ local
R1(config)# aaa authorization commands 15 TAC15 group tacacs+ local
R1(config)# aaa accounting commands 1 TAC-act1 start-stop group tacacs+
R1(config)# aaa accounting commands 15 TAC-act15 start-stop group tacacs+
R1(config)# line vty 0 4
R1(config-line)# login authentication MY-LIST-1
R1(config-line)# authorization commands 1 TAC1
R1(config-line)# authorization commands 15 TAC15
R1(config-line)# accounting commands 1 TAC-act1
R1(config-line)# accounting commands 15 TAC-act15

Page 39: Ccna security

RBAC Privilege Level

R2(config)# privilege exec level 8 configure terminal
R2(config)# enable secret level 8 0 NewPa5s123&
R2(config)# username Bob privilege 8 secret Cisco123
R2(config)# line vty 0 4
R2(config-line)# login local

The 0 before the level 8 secret marks the input as clear text (it is stored hashed). Bob lands at level 8 after login and can run configure terminal, plus any other command moved down to level 8 or below, without knowing the level 15 enable secret.

Page 40: Ccna security

Creating Parser View

R2(config)# enable secret aBc!2#&iU
R2(config)# aaa new-model
R2(config)# end
R2# enable view
Password: [******]   (password not shown when typed)
R2#
%PARSER-6-VIEW_SWITCH: successfully set to view 'root'.

Page 41: Ccna security

From the Root View, Create a Custom View

R2# configure terminal
R2(config)# parser view New_VIEW
R2(config-view)# secret New_VIEW_PW
R2(config-view)# commands exec include ping
R2(config-view)# commands exec include all show
R2(config-view)# commands exec include configure
R2(config-view)# commands configure include access-list
R2(config-view)# exit
R2(config)# exit
R2# disable
R2> enable view New_VIEW
Password: [New_VIEW_PW]   (password not shown when typed)

Page 42: Ccna security

Enabling SSH on a Router/Switch

• A hostname other than the default “Router”
• A domain name (ip domain-name)
• Generating a public/private key pair (crypto key generate rsa), used behind the scenes by SSH
• Requiring user login on the vty lines (login local or AAA) instead of just a line password; local authentication or authentication using an ACS server are both options
• Having at least one user account to log in with, either locally on the router or on an ACS server
• Restricting the vty lines to SSH only (transport input ssh) so that Telnet cannot be used, and preferring SSH version 2 (ip ssh version 2)

Page 43: Ccna security

SNMP Features

SNMP manager: runs a network management application. This SNMP manager is sometimes called a Network Management Server (NMS).

SNMP agent: a piece of software that runs on a managed device (such as a server, router, or switch).

Management Information Base (MIB): information about a managed device's resources and activity is defined by a series of objects; the structure of these management objects is defined by the device's MIB. It can be thought of as a collection of unique numbers (object identifiers) associated with each of the individual components of a router.

Page 44: Ccna security

SNMP Message Types

• GET: An SNMP GET message is used to retrieve information from a managed device

• SET: An SNMP SET message is used to set a variable in a managed device or to trigger an action on a managed device.

• Trap: An SNMP trap message is an unsolicited message sent from a managed device to an SNMP manager. It can be used to notify the SNMP manager about a significant event that occurred on the managed device.

Page 45: Ccna security

SNMPv3 Security Models and Levels

• Security model: defines the approach used for user and group authentication.
• Security level: defines which security processing is applied to SNMP packets. Three levels are discussed here:
  – noAuthNoPriv (no authentication, no privacy): the user is identified by username match only, which is no stronger than a community string, and no encryption is used.
  – authNoPriv (authentication, no privacy): authentication using a Hashed Message Authentication Code (HMAC) with MD5 or SHA; no encryption is used.
  – authPriv (authentication, privacy): HMAC-MD5 or HMAC-SHA authentication plus encryption of the payload. The baseline algorithm is the Data Encryption Standard in Cipher Block Chaining mode (CBC-DES, 56-bit key); IOS also supports AES (priv aes 128/192/256), which should be preferred over DES.

Page 46: Ccna security

SNMPv3 Primary Security Enhancements

• Integrity: using hashing algorithms (HMAC), SNMPv3 can ensure that an SNMP message was not modified in transit.

• Authentication: the keyed hash allows SNMPv3 to validate the source of an SNMP message.

• Encryption: using the CBC-DES (DES-56) encryption algorithm (or AES where supported), SNMPv3 provides privacy for SNMP messages, making them unreadable by an attacker who captures an SNMP packet.
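What authNoPriv actually provides, as an added example that is not part of the slides or of Cisco's code: SNMPv3 USM turns the user's password into a key (Ku), localizes it to the agent's snmpEngineID (Kul), and then computes a 12-byte HMAC over each message. The Python below implements RFC 3414 sections A.2 and 6.3 with the standard library and checks itself against the "maplesyrup" vectors from RFC 3414 appendix A.3. The message bytes used for the HMAC demonstration are a constructed stand-in for a real BER-encoded PDU.

```python
import hashlib
import hmac

EXPANSION_LEN = 1024 * 1024  # RFC 3414 A.2: hash 1,048,576 octets of the repeated password


def password_to_key(password: bytes, hash_name: str) -> bytes:
    """Ku: digest of the password cycled out to 1 MiB (slows offline guessing a little)."""
    reps = EXPANSION_LEN // len(password) + 1
    expanded = (password * reps)[:EXPANSION_LEN]
    return hashlib.new(hash_name, expanded).digest()


def localize_key(ku: bytes, engine_id: bytes, hash_name: str) -> bytes:
    """Kul = H(Ku || snmpEngineID || Ku): one password, a different key on every agent,
    so a key recovered from one agent does not unlock the others."""
    return hashlib.new(hash_name, ku + engine_id + ku).digest()


def auth_param(kul: bytes, whole_msg: bytes, hash_name: str) -> bytes:
    """msgAuthenticationParameters: first 12 octets of HMAC over the whole message
    (the sender computes it with the parameter field zeroed; the caller passes it that way)."""
    return hmac.new(kul, whole_msg, hash_name).digest()[:12]


def verify(kul: bytes, whole_msg: bytes, received: bytes, hash_name: str) -> bool:
    """Constant-time comparison; a tampered message or a key localized to another
    engine ID fails here, which is the integrity/authentication guarantee of authNoPriv."""
    return hmac.compare_digest(auth_param(kul, whole_msg, hash_name), received)


# RFC 3414 appendix A.3 vectors: password "maplesyrup", engineID 00..00 02 (12 octets)
RFC_PASSWORD = b"maplesyrup"
RFC_ENGINE_ID = bytes.fromhex("000000000000000000000002")

if __name__ == "__main__":
    for h in ("md5", "sha1"):
        ku = password_to_key(RFC_PASSWORD, h)
        kul = localize_key(ku, RFC_ENGINE_ID, h)
        print(h, "Ku =", ku.hex(), "Kul =", kul.hex())
    # Constructed stand-in for an SNMPv3 message (not a real BER encoding)
    msg = b"\x30\x00authNoPriv-demo-get-request-sysDescr"
    kul = localize_key(password_to_key(RFC_PASSWORD, "sha1"), RFC_ENGINE_ID, "sha1")
    tag = auth_param(kul, msg, "sha1")
    print("valid:", verify(kul, msg, tag, "sha1"), "tampered:", verify(kul, msg + b"x", tag, "sha1"))
```

None of this hides the payload: with authNoPriv the OIDs and values are still readable on the wire, which is why authPriv is the level to deploy for anything beyond read-only polling of non-sensitive counters.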

Page 47: Ccna security

NTPv3 Configuration (authenticated)

ntp update-calendar
ntp authentication-key 1 md5 pAs5w0rd!3@
ntp authenticate
ntp trusted-key 1
ntp server 55.1.2.3 key 1 source FastEthernet0/0 prefer

The server side must hold the same key number and value; ntp authenticate together with ntp trusted-key is what makes the client reject time from a source that does not sign with a trusted key.

Page 48: Ccna security

ACS Chain of Events

• A user connects to the router
• The router prompts the user for a username and password
• The router sends the credentials to the AAA server (ACS)
• ACS makes an inquiry to the Active Directory database
• Active Directory confirms to ACS, and ACS confirms to the router
• The router allows the user access

Page 49: Ccna security

TACACS+ versus RADIUS

Functionality
– TACACS+: Separates the AAA functions into distinct elements. Authentication is separate from authorization, and both of those are separate from accounting.
– RADIUS: Combines many of the functions of authentication and authorization together. Has detailed accounting capability when accounting is configured for use.

Standard
– TACACS+: Cisco proprietary, but very well known (since published as RFC 8907, Informational).
– RADIUS: Open standard (RFC 2865), supported by nearly all vendors' AAA implementations.

L4 protocol
– TACACS+: TCP (port 49).
– RADIUS: UDP (ports 1812/1813; legacy 1645/1646).

Replacement coming
– TACACS+: None officially planned.
– RADIUS: Possibly Diameter (named to imply that RADIUS is only half as much, pun intended).

Confidentiality
– TACACS+: The whole packet body is obfuscated between the ACS server and the router (which is the client); only the header is in clear text.
– RADIUS: Only the password is hidden in the packets sent back and forth between the ACS server and the router; usernames and the other attributes are in clear text.
– In both cases the keystream is derived with MD5 from the shared secret, which is obfuscation rather than modern encryption, so carry AAA traffic over a protected management network or, for RADIUS, use RadSec (RADIUS over TLS, RFC 6614).

Granular command-by-command authorization
– TACACS+: Supported; the rules defining which commands are allowed or disallowed are configured on the ACS server.
– RADIUS: No explicit command authorization checking rules can be implemented.

Accounting
– TACACS+: Provides accounting support.
– RADIUS: Provides accounting support, and is generally acknowledged as providing more detailed or extensive accounting capability than TACACS+.
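The confidentiality row is easy to misread, so this added Python (not the slides' or Cisco's code) shows exactly what each protocol hides. RADIUS obfuscates the User-Password attribute only (RFC 2865 section 5.2) and leaves User-Name and everything else in clear; TACACS+ XORs the whole packet body with an MD5-derived pseudo-pad (RFC 8907 section 4.5) and leaves only the 12-byte header in clear. Both keystreams come from MD5 over the shared secret, so neither is encryption in the modern sense. The secret, authenticator and packet bytes below are constructed for the example; the TACACS+ body is a stand-in rather than a correctly encoded packet.

```python
import hashlib


def radius_hide_password(secret, authenticator, password):
    """RFC 2865 5.2 User-Password hiding.

    Pad the password with NULs to a multiple of 16, then for each 16-byte block:
        b1 = MD5(secret || RequestAuthenticator), c1 = p1 XOR b1
        bn = MD5(secret || c(n-1)),              cn = pn XOR bn
    Only this attribute is hidden; User-Name, NAS-IP-Address and the rest of
    the Access-Request travel in clear text.
    """
    if len(password) > 128:
        raise ValueError("User-Password is limited to 128 octets")
    padded = password + b"\x00" * (-len(password) % 16)
    hidden = bytearray()
    prev = authenticator
    for i in range(0, len(padded), 16):
        keystream = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ k for p, k in zip(padded[i:i + 16], keystream))
        hidden += block
        prev = block
    return bytes(hidden)


def radius_reveal_password(secret, authenticator, hidden):
    """Inverse of radius_hide_password (what the RADIUS server does)."""
    plain = bytearray()
    prev = authenticator
    for i in range(0, len(hidden), 16):
        keystream = hashlib.md5(secret + prev).digest()
        block = hidden[i:i + 16]
        plain += bytes(c ^ k for c, k in zip(block, keystream))
        prev = block
    return bytes(plain).rstrip(b"\x00")


def tacacs_plus_pseudo_pad(key, session_id, version, seq_no, length):
    """RFC 8907 4.5 pseudo-pad:
        MD5_1 = MD5(session_id || key || version || seq_no)
        MD5_n = MD5(session_id || key || version || seq_no || MD5_(n-1))
    concatenated and truncated to the body length."""
    prefix = session_id.to_bytes(4, "big") + key + bytes([version, seq_no])
    pad = b""
    prev = b""
    while len(pad) < length:
        prev = hashlib.md5(prefix + prev).digest()
        pad += prev
    return pad[:length]


def tacacs_plus_xor_body(key, session_id, version, seq_no, body):
    """XOR the packet body with the pseudo-pad; the same call obfuscates and recovers.
    The 12-byte header (version, type, seq_no, flags, session_id, length) stays in clear."""
    pad = tacacs_plus_pseudo_pad(key, session_id, version, seq_no, len(body))
    return bytes(b ^ p for b, p in zip(body, pad))


def keystream_reuse_leak(secret, authenticator, pw_a, pw_b):
    """If a NAS reuses a Request Authenticator, the first keystream block repeats, so the
    XOR of the two hidden fields equals the XOR of the two (padded) passwords."""
    ha = radius_hide_password(secret, authenticator, pw_a)
    hb = radius_hide_password(secret, authenticator, pw_b)
    return bytes(x ^ y for x, y in zip(ha[:16], hb[:16]))


def demo():
    """Constructed values; the shared secret is the one the page's AAA example uses."""
    secret = b"ToUgHPaSsW0rD-1#7"
    authenticator = bytes(range(16))          # random 16 bytes on a real NAS
    hidden = radius_hide_password(secret, authenticator, b"Cisco123")
    wire_radius = {"User-Name": b"admin", "User-Password": hidden}   # what a sniffer sees
    body = b"\x01\x00\x02\x01\x05\x00\x04\x00\x08\x00" + b"admin" + b"tty0" + b"Cisco123"
    wire_tacacs = tacacs_plus_xor_body(secret, 0x12345678, 0xC0, 1, body)
    return {
        "radius_username_in_clear": wire_radius["User-Name"],
        "radius_password_hidden": hidden,
        "radius_recovered": radius_reveal_password(secret, authenticator, hidden),
        "radius_wrong_secret": radius_reveal_password(b"wrong", authenticator, hidden),
        "tacacs_body_on_wire": wire_tacacs,
        "tacacs_recovered": tacacs_plus_xor_body(secret, 0x12345678, 0xC0, 1, wire_tacacs),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```

The keystream_reuse_leak function is the practical reason the Request Authenticator must be random: with a repeated authenticator an observer who knows one user's password reads the next one off the wire without ever touching the shared secret.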

Page 50: Ccna security

Configuring the Router to Use ACS via TACACS+

Decide what the policy should be (for example, which vty lines should require authentication/authorization, and which methods (ACS, local, none) should be used): this step is done well before you begin configuring the router and is based on the security policy for your network. It is the concept of what you want to accomplish for authentication and authorization.

Enable the ability to configure AAA: aaa new-model is not enabled by default. If you want to use the services of ACS, you must enable AAA as the very first step of configuration on a new router.

Specify the address of an ACS server to use: use the tacacs-server host command, including the IP address of the ACS server, and tacacs-server key for the shared secret.

Create a named method list for authentication and another for authorization, based on your policy: each method list is created in global configuration mode, specifying which methods this list uses, in order, from left to right.

Apply the method lists to the location that should use those methods: in vty line configuration mode, specify the authentication and authorization method lists that you created in the preceding step.

Page 51: Ccna security

Steps to Configuring ACS

Network device groups: groups of network devices, normally based on routers or switches with similar functions, or devices managed by the same administrators.

Network devices (ACS clients: routers/switches): the individual network devices that go into the device groups.

Identity groups (user/admin groups): groups of administrators, normally based on users who will need similar rights and access to specific groups of network devices.

User accounts: individual administrator/user accounts that are placed in identity groups.

Authorization profiles: these profiles control what rights are permitted. A profile is associated with a network device group and a user/administrator identity group.

Page 52: Ccna security

Threat Control and Mitigation Strategy

Formal process for policy creation, implementation, and review: Senior management, ultimately, is responsible for policy. The job of the network administrator is to implement and enforce, through technical and logical controls, the policy that has been mandated. When changes are to be made, a formal procedure, including change control and a written sign-off by the person authorized for that change, should be in place. The documented history of change control should be kept. Auditing records detailing which administrators have accessed which systems, along with any changes that were made, should be kept and stored. This can be automated through services such as authentication, authorization, and accounting (AAA).

Mitigation policies and techniques: A policy should be in place specifying the course of action in response to an attack or threat. Ideally, an automated system could act against the attacker's packets or activities to stop the attack and quarantine the affected area if possible. Reporting features should let the highest-ranking threats be easily seen and addressed by both systems and administrators. An example of an automated response is a system that dynamically sends blocking requests to perimeter routers that deny future packets from the attacker, or sends a TCP reset to the attacker and the intended victim. A feature such as this could be implemented on an intrusion prevention system (IPS).

End-user education and awareness: Because of smartphones, virtual private networks (VPNs), and almost instant access everywhere, data is available in many different places. Having an end-user policy, educating the end users, and periodically reviewing and verifying that the end users are aware of their role in protecting the data is a critical piece in mitigating threats. An ounce of prevention here is worth a pound of forensics later if a compromise has occurred.

Page 53: Ccna security

Threat Control and Mitigation Strategy

Feature Description

Defense in depth: Defense in depth refers to a layered security approach, where multiple devices may have overlapping security responsibilities. This is desired so that a single failure of a given system does not represent a significant vulnerability for the entire network.

Centralized monitoring and analysis: Ideally, with multiple devices providing security, you would have centralized monitoring where all the information can be easily sorted and viewed. The information coming in from all these devices should be correlated (which should be an automated process) for an enterprise-wide view of what is really happening. After seeing that an attack is taking place, a centralized tool may have the ability to recommend or even implement an appropriate countermeasure against the attack (an example is to rewrite an access control list [ACL] and apply it on a router that is in the path of the attacker). External information from global correlation systems could also be used to harden the network against a global threat that may be headed in the direction of the current network.

Page 54: Ccna security

Threat Control and Mitigation Strategy

Feature Description

Application layer visibility: Well-known protocols, in the hands of an attacker, could be manipulated to cause harm to your network in the form of an attack. Application layer visibility is critical to verify whether protocol abuse is occurring (such as malformed requests, tunneling, and so on) so that the network can respond if needed and prevent the malicious traffic or application from proceeding further.

Incident response: The policy should state what will happen and how it will happen as incidents occur on a network. Having a formal policy for this removes the ambiguity of how incidents are reported and of the follow-up process documented after the event. The response may be administrative (manual), automated, or both.

Page 55: Ccna security

Security on Cisco Switches

Port security: Limits the number of MAC addresses that a port can learn. This protects against a content-addressable memory (CAM, also known as the MAC table) overflow, which would cause the switch to forward unicast frames out all ports in the same VLAN (turning the switch into a hub the attacker can sniff from).

DHCP snooping: Allows DHCP server responses only from specifically trusted ports that lead to your authorized DHCP servers, and builds a binding table of MAC address, IP address, VLAN and port from the DHCP exchanges it sees. It also protects the DHCP server by rate-limiting how many DHCP client requests can be sent per interval on a port. This is useful if an attacker is requesting thousands of IP addresses in an attempt to consume the entire pool on the DHCP server.

Page 56: Ccna security

Security on Cisco Switches

DAI (Dynamic ARP Inspection): Using the information from the DHCP snooping binding table, or from manually configured ARP ACLs, the switch can confirm that ARP traffic carries accurate MAC/IP address information, to protect against an attacker trying to perform Layer 2 spoofing (ARP poisoning).

IP Source Guard: Verifies, against the same binding table, that the client on a given port is not doing Layer 3 spoofing (IP address spoofing).

Root guard, BPDU guard, BPDU filtering: These features enable you to control your spanning-tree topology, including resisting a rogue switch's attempt to become root of the spanning tree.

Storm control: Allows the switch to begin dropping broadcast, multicast or unicast traffic when it exceeds configurable levels.

Additional modules: Modules are supported on various networking devices and add functionality to that device. Examples include IPS modules, VPN modules, firewall modules, anti-malware modules, and so on. You can expand security services on many network devices, such as routers and switches, and even add to the functionality of firewalls.
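The switch features on these two pages cooperate: DHCP snooping builds the binding table that DAI and IP Source Guard consult, and port security caps what a port may learn. The Python below is an added model of that logic, not code from the slides or from a switch: frames are constructed dicts, Gi0/24 is assumed to be the trusted uplink toward the real DHCP server, and the rate-limit and MAC-limit values are the example's own.

```python
from collections import namedtuple

Binding = namedtuple("Binding", "mac ip vlan port")


class AccessSwitch:
    """Checks an access switch applies to constructed frames (dicts)."""

    def __init__(self, trusted_ports, port_security_max=1, dhcp_rate_limit=15):
        self.trusted = set(trusted_ports)   # uplinks toward the real DHCP server
        self.bindings = {}                  # (vlan, mac) -> Binding, from DHCP snooping
        self.pending = {}                   # client mac -> port its DISCOVER/REQUEST came from
        self.cam = {}                       # port -> learned MACs (port security)
        self.dhcp_count = {}                # port -> client DHCP messages this interval
        self.max_macs = port_security_max
        self.dhcp_rate_limit = dhcp_rate_limit
        self.drops = []

    def _drop(self, reason, frame):
        self.drops.append((reason, frame["port"]))
        return False

    def port_security(self, frame):
        """Limit learned MACs per untrusted port (stops CAM overflow / MAC flooding)."""
        port, mac = frame["port"], frame["src_mac"]
        if port in self.trusted:
            return True
        learned = self.cam.setdefault(port, set())
        if mac not in learned and len(learned) >= self.max_macs:
            return self._drop("port-security: MAC limit exceeded", frame)
        learned.add(mac)
        return True

    def dhcp_snooping(self, frame):
        """Server replies only from trusted ports; ACKs populate the binding table;
        client messages are rate-limited per port to blunt DHCP starvation."""
        port, msg = frame["port"], frame["dhcp"]
        if msg in ("OFFER", "ACK", "NAK"):
            if port not in self.trusted:
                return self._drop("dhcp-snooping: server reply on untrusted port", frame)
            if msg == "ACK" and frame["client_mac"] in self.pending:
                b = Binding(frame["client_mac"], frame["yiaddr"], frame["vlan"],
                            self.pending[frame["client_mac"]])
                self.bindings[(b.vlan, b.mac)] = b
            return True
        n = self.dhcp_count.get(port, 0) + 1            # DISCOVER / REQUEST from a client
        self.dhcp_count[port] = n
        if port not in self.trusted and n > self.dhcp_rate_limit:
            return self._drop("dhcp-snooping: rate limit exceeded (err-disable)", frame)
        self.pending[frame["src_mac"]] = port
        return True

    def dai(self, frame):
        """Dynamic ARP Inspection: sender MAC/IP on an untrusted port must match a binding."""
        if frame["port"] in self.trusted:
            return True
        b = self.bindings.get((frame["vlan"], frame["sender_mac"]))
        if b is None or b.ip != frame["sender_ip"] or b.port != frame["port"]:
            return self._drop("dai: ARP sender does not match binding", frame)
        return True

    def ip_source_guard(self, frame):
        """IPSG: source IP/MAC of IP traffic on an untrusted port must match a binding."""
        if frame["port"] in self.trusted:
            return True
        b = self.bindings.get((frame["vlan"], frame["src_mac"]))
        if b is None or b.ip != frame["src_ip"] or b.port != frame["port"]:
            return self._drop("ipsg: source IP not in binding table", frame)
        return True

    def handle(self, frame):
        if not self.port_security(frame):
            return False
        checks = {"dhcp": self.dhcp_snooping, "arp": self.dai, "ip": self.ip_source_guard}
        return checks.get(frame["type"], lambda f: True)(frame)


def run_scenario():
    """Constructed traffic: legitimate client on Gi0/1, attacker on Gi0/2, uplink Gi0/24."""
    sw = AccessSwitch(trusted_ports={"Gi0/24"}, port_security_max=1)
    V = 10
    frames = [
        dict(type="dhcp", dhcp="DISCOVER", port="Gi0/1", vlan=V, src_mac="aa:aa"),
        dict(type="dhcp", dhcp="ACK", port="Gi0/24", vlan=V, src_mac="00:dc", client_mac="aa:aa", yiaddr="10.1.1.10"),
        dict(type="dhcp", dhcp="OFFER", port="Gi0/2", vlan=V, src_mac="bb:bb", client_mac="aa:aa", yiaddr="10.1.1.66"),
        dict(type="arp", port="Gi0/1", vlan=V, src_mac="aa:aa", sender_mac="aa:aa", sender_ip="10.1.1.10"),
        dict(type="arp", port="Gi0/2", vlan=V, src_mac="bb:bb", sender_mac="bb:bb", sender_ip="10.1.1.1"),
        dict(type="ip", port="Gi0/1", vlan=V, src_mac="aa:aa", src_ip="10.1.1.10"),
        dict(type="ip", port="Gi0/1", vlan=V, src_mac="aa:aa", src_ip="10.1.1.99"),
        dict(type="ip", port="Gi0/2", vlan=V, src_mac="cc:cc", src_ip="10.1.1.77"),
    ]
    results = [sw.handle(f) for f in frames]
    return results, sw.drops, sw.bindings


if __name__ == "__main__":
    results, drops, bindings = run_scenario()
    print(results)
    for reason, port in drops:
        print(port, reason)
```

The order of checks matters in practice as it does here: a host with a static IP and no DHCP lease has no binding, so DAI and IPSG drop it until a static binding is added, which is the usual surprise when these features are first turned on.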

Page 57: Ccna security

Security on IOS Routers

Reflexive access lists: If a user on the inside of your network sends traffic out to a server on the outside network, the reflexive access list looks at that flow of traffic, creates an access control entry (ACE) that is the mirror image (swapping the source and destination IP addresses and ports), and dynamically applies it so that the return traffic from the server is allowed.

Context-based access control (CBAC): The evolution of the IOS router to support stateful filtering without creating reflexive access lists. This used to be called the IOS Firewall, because CBAC was the primary feature of the IOS Firewall feature set.

Zone-Based Firewall: This replaced CBAC and is the current recommended way to implement stateful filtering on IOS routers. Zone-Based Firewalls use class maps to identify traffic, policy maps to specify actions to take on that traffic, and a service-policy applied to a zone pair to put the policy in place. Among other things, a Zone-Based Firewall can do application layer inspection and URL filtering.

Packet-filtering ACLs: Using standard and extended ACLs.

AAA: Authentication, authorization, and accounting.

Page 58: Ccna security

Security on IOS Routers

Secure management protocols: Secure Shell (SSH) and SSL/TLS (HTTPS) are supported for managing the router.

VPNs: IOS supports remote-access VPNs using Secure Sockets Layer (SSL) or IPsec. It also supports VPNs in a site-to-site configuration when using IPsec. (SSL is not generally used for site-to-site VPNs.)

IPS: The IOS router can implement an intrusion prevention system (IPS) in software or by using a hardware module in an available option slot.

Routing protocol authentication: Prevents an unauthorized router from being trusted as it sends routing updates in an attempt to influence, or learn, the routing information of another router.

CoPP and CPPr: Enable you to set thresholds and limits for traffic that is directed to the router itself.

Page 59: Ccna security

Security on ASA Firewall

• Stateful filtering
• Modular Policy Framework (MPF)
• URL filtering
• Packet-filtering ACLs
• AAA
• VPN
• IPS
• Routing protocol authentication
• Secure management protocols

Page 60: Ccna security

Features That Use Access Lists

• IOS inspect class maps
• IOS class maps
• Routing protocols (route filtering)
• Quality of Service (QoS)
• VPN (crypto ACLs defining interesting traffic)
• ASA Firewall Modular Policy Framework
• Network/Port Address Translation (NAT/PAT)
• Packet filtering

Page 61: Ccna security

Using an Access List on a Router

An access list on a router can be used to protect against:
• IP address spoofing (deny packets arriving from the outside with inside or private source addresses)
• TCP SYN-flood DoS attacks (an ACL selects the connections TCP Intercept should protect)
• Reconnaissance attacks
• General vulnerabilities

Page 62: Ccna security

Access List Quirks

• If an empty access list is applied to an interface, it will not deny any traffic. The implicit deny takes effect only when there is at least one configured line in the ACL.

• If an ACL is applied outbound on an interface, its rules apply only to outbound traffic being routed through the router (transit traffic) and have no effect on traffic generated by the router itself (such as a routing update) that is exiting that same interface.

Page 63: Ccna security

Standard ACL vs Extended ACL

Numeric range
– Standard: 1–99, 1300–1999
– Extended: 100–199, 2000–2699

Option for using names instead of numbers
– Standard: yes
– Extended: yes

What they can match on
– Standard: source IP only of the packet being compared to the list
– Extended: source and destination IP, plus most Layer 4 protocols, including items in the Layer 4 header (port numbers, TCP flags) of the packet being compared

Where to place
– Standard: as close to the destination as possible (it cannot tell destinations apart, so placing it near the source would block traffic to everything)
– Extended: as close to the source as possible (so unwanted traffic is dropped before it crosses the network)

Page 64: Ccna security

Access List Tips

• Always create access-list entries with gaps between sequence numbers (10, 20, 30 ...), so that a line can be inserted in between later without rebuilding the list.
• Wildcard masks can be used to match a network or a single host; a wildcard bit of 1 means "don't care", 0.0.0.0 matches one host, and 255.255.255.255 (any) matches everything.
• Access lists can use object groups to simplify the administrator's task.
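The wildcard-mask, implicit-deny and empty-ACL rules from the last few pages, as an added Python example that is not the slides' or Cisco's code: an evaluator that checks entries in sequence order, applies the implicit deny only when the list has at least one entry, and refuses to reuse a sequence number so the 10/20/30 gap convention can be used for later inserts. The anti-spoofing ACL it builds is constructed for the example, and the rendered text only approximates show access-lists output.

```python
import ipaddress


def wildcard_match(addr, network, wildcard):
    """Wildcard bit 1 = don't care. 0.0.0.0 = exact host; 255.255.255.255 = any."""
    a = int(ipaddress.IPv4Address(addr))
    n = int(ipaddress.IPv4Address(network))
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (a & care) == (n & care)


def wildcard_for_prefix(prefix):
    """'10.1.0.0/16' -> '0.0.255.255' (the inverted subnet mask)."""
    return str(ipaddress.IPv4Network(prefix, strict=False).hostmask)


class ACL:
    """Named ACL with sequence numbers, first-match evaluation and implicit deny."""

    def __init__(self, name):
        self.name = name
        self.entries = {}   # seq -> entry; standard-style entries match on source only

    def add(self, seq, action, src, src_wc, proto="ip",
            dst="0.0.0.0", dst_wc="255.255.255.255", dport=None):
        if seq in self.entries:
            raise ValueError("sequence %d already in use; leave gaps (10, 20, 30) for later inserts" % seq)
        self.entries[seq] = dict(action=action, proto=proto, src=src, src_wc=src_wc,
                                 dst=dst, dst_wc=dst_wc, dport=dport)

    def evaluate(self, pkt):
        """Return (action, seq); seq is None when the implicit deny (or empty-ACL permit) applies."""
        if not self.entries:
            return ("permit", None)        # the quirk: an empty ACL filters nothing
        for seq in sorted(self.entries):   # ACEs are checked in sequence order, first match wins
            e = self.entries[seq]
            if e["proto"] != "ip" and e["proto"] != pkt["proto"]:
                continue
            if not wildcard_match(pkt["src"], e["src"], e["src_wc"]):
                continue
            if not wildcard_match(pkt["dst"], e["dst"], e["dst_wc"]):
                continue
            if e["dport"] is not None and pkt.get("dport") != e["dport"]:
                continue
            return (e["action"], seq)
        return ("deny", None)              # implicit deny at the end


def build_outside_in_acl():
    """Constructed extended ACL for the inbound direction of an Internet-facing interface:
    drop spoofed private sources and our own public block, then permit only published services."""
    acl = ACL("OUTSIDE-IN")
    acl.add(10, "deny", "10.0.0.0", "0.255.255.255")
    acl.add(20, "deny", "172.16.0.0", "0.15.255.255")
    acl.add(30, "deny", "192.168.0.0", "0.0.255.255")
    acl.add(40, "deny", "203.0.113.0", "0.0.0.255")      # our prefix must never arrive from outside
    acl.add(50, "permit", "0.0.0.0", "255.255.255.255", "tcp", "203.0.113.10", "0.0.0.0", 443)
    acl.add(60, "permit", "0.0.0.0", "255.255.255.255", "tcp", "203.0.113.10", "0.0.0.0", 25)
    return acl


def ios_text(acl):
    """Render entries roughly the way 'show access-lists' prints them."""
    def addr(a, wc):
        if wc == "255.255.255.255":
            return "any"
        return "host " + a if wc == "0.0.0.0" else a + " " + wc
    lines = ["ip access-list extended %s" % acl.name]
    for seq in sorted(acl.entries):
        e = acl.entries[seq]
        line = " %d %s %s %s %s" % (seq, e["action"], e["proto"],
                                    addr(e["src"], e["src_wc"]), addr(e["dst"], e["dst_wc"]))
        if e["dport"] is not None:
            line += " eq %d" % e["dport"]
        lines.append(line)
    return "\n".join(lines)


if __name__ == "__main__":
    acl = build_outside_in_acl()
    print(ios_text(acl))
    print(acl.evaluate({"proto": "tcp", "src": "10.1.2.3", "dst": "203.0.113.10", "dport": 443}))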

Page 65: Ccna security

IPv6 Packet Filtering Highlights

• Can filter based on source and destination addresses.
• Can filter based on source and destination ports.
• Can filter based on the presence of a next header.
• There is an implicit deny at the end of the access list, with the exception of neighbor solicitation (NS) and neighbor advertisement (NA) packets, which are implicitly permitted. Note that if you include an explicit deny, you must explicitly permit NS and NA (permit icmp any any nd-ns and permit icmp any any nd-na) before that deny, or IPv6 neighbor discovery stops working.
• If an empty access list (an access list without any entries, which is really just a name) is applied to an interface as a filtering access list, it will not deny any traffic.
• Reflexive and time-based access lists are supported.
• You can filter on IPv6 extension headers.

Page 66: Ccna security

Firewalls from a Network Traffic Perspective

• A router or other Layer 3 forwarding device that has an access list or some other method of filtering traffic trying to go between two of its interfaces. This is the primary method implemented by an IOS router (using firewall features) or the ASA firewall.
• A switch with two VLANs and no routing between them, which keeps traffic from the two different networks separated (by not allowing inter-VLAN communication).
• Hosts or servers running software that prevents certain types of received traffic from being processed and controls which traffic can be sent. This is an example of a software (host-based) firewall.

Page 67: Ccna security

Objectives of a Good Firewall

• It must be resistant to attacks
• Traffic between networks must be forced through the firewall
• The firewall enforces the access control policy of the organization

Page 68: Ccna security

Protective Measures Provided by a Firewall

A firewall protects against:
• Exposure of sensitive systems to untrusted individuals
• Exploitation of protocol flaws
• Unauthorized users
• Malicious data

Page 69: Ccna security

Potential Firewall Limitations

• Configuration mistakes have serious consequences
• Not all network applications are written well enough to survive going through a firewall
• Individuals who are forced to go through a firewall might try to engineer a way around it
• Latency added by the firewall

Page 70: Ccna security

Five Basic Firewall Methodologies

• Static packet filtering
• Proxy server (also known as an application layer gateway [ALG])
• Stateful packet filtering
• Application inspection
• Transparent firewall

Page 71: Ccna security

Advantages and Disadvantages of Static Packet Filtering

Advantages:
• Based on simple sets of permit or deny entries
• Minimal impact on network performance
• Simple to implement
• Configurable on most routers
• Can perform many basic filtering needs without requiring the expense of a high-end firewall

Disadvantages:
• Susceptible to IP spoofing. If the access list allows traffic from a specific IP address, and someone spoofs that source IP address, the access list permits that individual packet.
• Does not filter fragmented packets with the same accuracy as non-fragmented packets (non-initial fragments carry no Layer 4 header to match on).
• Extremely long access control lists are difficult to maintain.
• Stateless (does not maintain session information for current flows of traffic going through the router).
• Some applications jump around and use many ports, some of which are dynamic. A static access list may have to open a very large range of ports to support an application that uses only a few of them.

Page 72: Ccna security

Advantages and Disadvantages of an Application Layer Gateway

Advantages:
• Very tight control is possible, because traffic is analyzed all the way to the application layer.
• It is more difficult to implement an attack against an end device, because the proxy server stands between the attacker and the potential victim.
• Can provide very detailed logging.
• May be implemented on common hardware.

Disadvantages:
• Processor intensive, because most of the work is done in software on the proxy server.
• Not all applications are supported; in practice it might support only a specific few.
• Special client software may be required.
• Memory and disk intensive at the proxy server.
• Could be a single point of failure in the network unless fault tolerance is also configured.

Page 73: Ccna security

Advantages and Disadvantages of Stateful Packet Filtering

Advantages:
• Can be used as a primary means of defense by filtering unwanted or unexpected traffic
• Can be implemented on routers and dedicated firewalls
• Dynamic in nature compared to static packet filtering
• Provides a defense against spoofing and denial-of-service (DoS) attacks

Disadvantages:
• Might not be able to identify or prevent an application layer attack (a permitted session can still carry malicious content).
• Not all protocols contain tightly controlled state information, such as User Datagram Protocol (UDP) and Internet Control Message Protocol (ICMP); for these the firewall can only approximate a session with address/port pairs and timers.
• Some applications dynamically open new ports from the server. If the firewall is not analyzing the specific application, or prepared for the server to open a new port, the application can fail for the end user. A firewall that also supports application layer inspection may be able to predict and allow this inbound connection.
• Stateful technology, by itself, does not support user authentication. This does not prevent a firewall that implements stateful packet filtering from also implementing authentication as an additional feature.
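Reflexive access lists (on the Security on IOS Routers page) and stateful packet filtering (this table) rest on one idea: the outbound flow creates a mirror entry, and only traffic matching that mirror is let back in until an idle timer expires. The following Python is an added model of that mechanism, not code from the slides or from IOS: flows are constructed 5-tuples, 10.0.0.0/8 is assumed to be the inside network, and the clock is injectable so the timeout path can be shown deterministically. It also demonstrates two of the disadvantages listed above: a UDP "session" is nothing more than an address/port pair and a timer, and a permitted return flow is accepted whatever it carries.

```python
import ipaddress
import time


def mirror(flow):
    """Reflexive ACE: swap source and destination so the return packet matches."""
    proto, sip, sport, dip, dport = flow
    return (proto, dip, dport, sip, sport)


class StatefulFilter:
    """Connection table keyed by the expected return 5-tuple (proto, src, sport, dst, dport)."""

    def __init__(self, inside_prefix, idle_timeout=300, clock=time.time):
        self.inside = ipaddress.ip_network(inside_prefix)
        self.timeout = idle_timeout
        self.clock = clock          # injectable so the expiry path can be exercised
        self.table = {}             # return flow -> last-seen timestamp

    def is_inside(self, ip):
        return ipaddress.ip_address(ip) in self.inside

    def _expire(self, now):
        for f, seen in list(self.table.items()):
            if now - seen > self.timeout:
                del self.table[f]

    def outbound(self, flow):
        """Packet from the inside interface toward the outside."""
        now = self.clock()
        self._expire(now)
        if not self.is_inside(flow[1]):
            return "deny: non-inside source leaving (spoofed or misrouted)"
        self.table[mirror(flow)] = now     # dynamically create the mirror entry
        return "permit"

    def inbound(self, flow, tcp_syn_only=False):
        """Packet arriving on the outside interface."""
        now = self.clock()
        self._expire(now)
        if self.is_inside(flow[1]):
            return "deny: inside source arriving from outside (spoofed)"
        if flow[0] == "tcp" and tcp_syn_only:
            return "deny: unsolicited TCP SYN"  # new connections are not accepted inbound
        if flow in self.table:
            self.table[flow] = now             # refresh the idle timer
            return "permit"
        return "deny: no matching session"


def run_scenario():
    """Constructed flows with a fake clock so the timeout is deterministic."""
    now = [1000.0]
    fw = StatefulFilter("10.0.0.0/8", idle_timeout=300, clock=lambda: now[0])
    out = {}
    https = ("tcp", "10.1.1.5", 40000, "198.51.100.20", 443)
    dns = ("udp", "10.1.1.5", 5353, "198.51.100.53", 53)
    out["https_out"] = fw.outbound(https)
    out["https_back"] = fw.inbound(mirror(https))
    out["https_other_port"] = fw.inbound(("tcp", "198.51.100.20", 443, "10.1.1.5", 40001))
    out["syn_from_outside"] = fw.inbound(("tcp", "198.51.100.20", 51000, "10.1.1.5", 22), tcp_syn_only=True)
    out["spoofed_inside_src"] = fw.inbound(("tcp", "10.2.2.2", 443, "10.1.1.5", 40000))
    out["dns_out"] = fw.outbound(dns)
    out["dns_back"] = fw.inbound(mirror(dns))      # UDP: tuple plus timer is all the "state" there is
    now[0] += 400                                  # idle longer than the timeout
    out["https_back_after_idle"] = fw.inbound(mirror(https))
    return out


if __name__ == "__main__":
    for name, verdict in run_scenario().items():
        print(name, "->", verdict)
```

The spoof check is the reason the stateful table alone "provides a defense against spoofing": a packet claiming an inside source can never arrive on the outside interface legitimately, so it is dropped before any session lookup.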

Page 74: Ccna security

Advantages of an Application Inspection Firewall

Can see deeper into the conversation, to secondary channels that are about to be initiated from the server: If an application is negotiating dynamic ports, and the server is about to initiate one of these dynamic ports to the client, the application inspection engine has been analyzing that conversation and dynamically allows that connection from the server through the firewall to the client. This allows the application to work for the client (through the firewall).

Awareness of the details at the application layer: If there is a protocol anomaly (a deviation from the standard), an application layer firewall can identify it and either correct the packet or deny the packet from reaching the destination.

Can prevent more kinds of attacks than stateful filtering on its own: Current firewalls, such as the ASA and the Cisco IOS Zone-Based Firewall, provide packet filtering, stateful filtering, and application inspection in a single device. With the additional features, more types of traffic can be classified and then permitted or denied based on policy.

Page 75: Ccna security

NAT Terminology

Inside local: The real IP address configured on an inside host.

Inside global: The mapped/global address that the router swaps in for the inside host during NAT. (SNAT)

Outside local: If performing NAT on outside devices (outside NAT), this is the mapped address of the outside device as it would appear to inside hosts. If not doing outside NAT on the router, this is simply the outside device's real IP address as seen by the inside devices. (DNAT)

Outside global: The real IP address configured on an outside host.

Page 76: Ccna security

NAT Deployment Options

• Static NAT
• Dynamic NAT
• Dynamic PAT (NAT with overload)
• Policy NAT/PAT

Page 77: Ccna security

Firewall Design Considerations

• Firewalls should be placed at security boundaries.
• The firewall should be the primary security device.
• A policy that starts with a “deny all” attitude and then specifically permits only the traffic that is required is a better security posture than a default “permit all” attitude that then specifically denies traffic that is not wanted.
• Leverage the firewall feature that best suits the need.
• Make sure that physical security controls and management access to the firewall devices are secure.
• Have a regularly structured review process that looks at the firewall logs.
• Practice change management for any configuration modification on the firewalls.

Page 78: Ccna security

Firewall Access Rules

• Rules based on service control
• Rules based on address control
• Rules based on direction control
• Rules based on user control
• Rules based on behavior control

Page 79: Ccna security

Firewall Rules Design Guidelines

• Use a restrictive approach as opposed to a permissive approach for all interfaces and all directions of traffic.

• Presume that your internal users' machines may be part of the security problem.

• Be as specific as possible in your permit statements, for example by avoiding the keyword any or all IP protocols where possible.

• Recognize the necessity of a balance between functionality and security.

• Filter bogus traffic, and perform logging on that traffic.

• Periodically review the policies that are implemented on the firewall to verify that they are current and correct.

Page 80: Ccna security

Ill-Considered Rule Implementations

• Rules that are too promiscuous
• Redundant rules
• Shadowed rules
• Orphaned rules
• Incorrectly planned rules
• Incorrectly implemented rules

Page 81: Ccna security

Zone Based Firewall Major Features

• Stateful inspection
• Application inspection
• Packet filtering
• URL filtering
• Transparent firewall (implementation method)
• Support for virtual routing and forwarding (VRF)
• Access control lists (ACL) are not required as a filtering method to implement the policy

Page 82: Ccna security

Cisco Common Classification Policy Language (C3PL)

• Class maps: These are used to identify traffic, such as traffic that should be inspected.

• Policy maps: These are the actions that should be taken on the traffic.

• Service policies: This is where you apply the policies, identified from a policy map, to a zone pair.

Page 83: Ccna security

Policy Map Actions

Inspect
Description: Permit and statefully inspect the traffic.
When to use it: On transit traffic initiated by users who expect to get replies from devices on the other side of the firewall.

Pass
Description: Permits the traffic but does not create an entry in the stateful database.
When to use it: Traffic that does not need a reply. Also, for protocols that do not support inspection, this policy can be applied to the zone pair for specific outbound traffic and applied to a second zone pair for the inbound traffic.

Drop
Description: Deny the packet.
When to use it: Traffic you do not want to allow between the zones where this policy map is applied.

Log
Description: Log the packets.
When to use it: If you want to see log information about packets that were dropped because of policy, you can add this option.

Page 84: Ccna security

Traffic Interactions Between Zones

Ingress interface member of zone | Egress interface member of zone | Zone pair exists, with applied policy | Result

No | No | Does not matter | Traffic is forwarded

No | Yes (any zone) | Does not matter | Traffic is dropped

Yes (Zone A) | Yes (Zone A) | Does not matter | Traffic is forwarded

Yes (Zone A) | Yes (Zone B) | No | Traffic is dropped

Yes (Zone A) | Yes (Zone B) | Yes | Policy is applied. If the policy is inspect or pass, the initial traffic is forwarded. If the policy is drop, the initial traffic is dropped.

Page 85: Ccna security

Zone Based Firewall Components

• Zones
• Interfaces that are members of zones
• Class maps that identify traffic
• Policy maps that use class maps to identify traffic and then specify the actions that should take place
• Zone pairs, which identify a unidirectional traffic flow, beginning from devices in one zone and being routed out an interface in a second zone
• Service policy, which associates a policy map with a zone pair

Page 86: Ccna security

Zone Based Firewall Configuration

R3(config)# class-map type inspect match-any MY-CLASS-MAP
R3(config-cmap)# match protocol telnet
R3(config-cmap)# match protocol icmp
R3(config-cmap)# exit
R3(config)# policy-map type inspect MY-POLICY-MAP
R3(config-pmap)# class type inspect MY-CLASS-MAP
R3(config-pmap-c)# inspect
R3(config-pmap-c)# exit
R3(config-pmap)# exit
R3(config)# zone security inside
R3(config-sec-zone)# exit
R3(config)# zone security outside
R3(config-sec-zone)# zone-pair security in-to-out source inside destination outside
R3(config-sec-zone-pair)# service-policy type inspect MY-POLICY-MAP
R3(config-sec-zone-pair)# exit
R3(config)# interface GigabitEthernet3/0
R3(config-if)# description Belongs to outside zone
R3(config-if)# zone-member security outside
R3(config-if)# exit
R3(config)# interface GigabitEthernet1/0
R3(config-if)# description Belongs to inside zone
R3(config-if)# zone-member security inside
R3(config-if)# exit

Page 87: Ccna security

Self Zone Traffic Behavior

Source traffic member of zone | Destination traffic member of zone | Zone pair exists, with a policy applied | Result

Self | Zone A | No | Traffic is passed.

Zone A | Self | No | Traffic is passed.

Self | Zone A | Yes | Policy is applied.

Zone A | Self | Yes | Policy is applied.
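The two tables above (transit traffic between zoned interfaces, and traffic to or from the router's self zone) can be turned into a small decision model. This is an added example, not code from the slides or from Cisco IOS; it uses the slide's inside/outside interfaces and zone pair, and the extra inside interface, dmz zone and outside-to-self policy are constructed for illustration. It also fills in one case the table leaves implicit (zoned ingress, unzoned egress), which IOS drops like the listed unzoned-ingress case.

```python
"""Added example (not from the slides or Cisco): a model of the Cisco IOS
Zone-Based Firewall forwarding decision built from the two tables above."""
from dataclasses import dataclass, field

SELF_ZONE = "self"   # the router itself; IOS names this zone "self"


@dataclass
class ZoneBasedFirewall:
    # interface name -> zone it belongs to (an interface absent here is in no zone)
    interface_zone: dict = field(default_factory=dict)
    # (source zone, destination zone) -> action of the applied policy map for
    # the initial packet of a flow: "inspect", "pass" or "drop"
    zone_pairs: dict = field(default_factory=dict)

    def decide_transit(self, ingress_if: str, egress_if: str) -> str:
        """Disposition of the initial packet entering ingress_if and leaving egress_if."""
        src = self.interface_zone.get(ingress_if)
        dst = self.interface_zone.get(egress_if)
        if src is None and dst is None:
            return "forward"          # row 1: neither interface is in a zone
        if src is None or dst is None:
            # row 2: one side zoned, the other not. The slide lists only the
            # unzoned-ingress case; IOS drops the reverse case as well.
            return "drop"
        if src == dst:
            return "forward"          # row 3: same zone, no policy needed
        action = self.zone_pairs.get((src, dst))
        if action is None:
            return "drop"             # row 4: different zones, no zone pair
        return "forward" if action in ("inspect", "pass") else "drop"   # row 5

    def decide_self(self, zone: str, to_router: bool) -> str:
        """Disposition of traffic between a zone and the router's self zone.
        to_router=True means zone -> self (for example SSH to the router)."""
        pair = (zone, SELF_ZONE) if to_router else (SELF_ZONE, zone)
        action = self.zone_pairs.get(pair)
        if action is None:
            return "forward"          # self-zone traffic is passed without a policy
        return "forward" if action in ("inspect", "pass") else "drop"


def build_slide_firewall() -> ZoneBasedFirewall:
    """The slide's config (Gi1/0 inside, Gi3/0 outside, in-to-out inspect) plus
    a constructed second inside interface, a dmz zone and an outside->self drop."""
    return ZoneBasedFirewall(
        interface_zone={
            "GigabitEthernet1/0": "inside",
            "GigabitEthernet1/1": "inside",     # constructed: second inside interface
            "GigabitEthernet3/0": "outside",
            "GigabitEthernet2/0": "dmz",        # constructed
        },
        zone_pairs={
            ("inside", "outside"): "inspect",   # the slide's in-to-out zone pair
            ("dmz", "outside"): "drop",         # constructed
            ("outside", SELF_ZONE): "drop",     # constructed: keep the outside off the router
        },
    )


if __name__ == "__main__":
    fw = build_slide_firewall()
    for ingress, egress in [("GigabitEthernet1/0", "GigabitEthernet3/0"),
                            ("GigabitEthernet3/0", "GigabitEthernet1/0"),
                            ("GigabitEthernet0/0", "GigabitEthernet1/0")]:
        print(f"{ingress} -> {egress}: {fw.decide_transit(ingress, egress)}")
```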

Page 88: Ccna security

Features That the ASA Provides

• Packet filtering
• Stateful filtering
• Application inspection/awareness
• Network Address Translation (NAT)
• DHCP
• Routing
• Layer 3 or Layer 2 implementation
• VPN support
• Object groups
• Botnet traffic filtering
• High availability
• AAA support

Page 89: Ccna security

Steps To Make ASA Interfaces Work

• Assign a security level to the interface
• Assign a name to the interface
• Bring up the interface with the no shutdown command

Page 90: Ccna security

Default Permission And Return Traffic On ASA

Page 91: Ccna security

Security Level Mapping

Page 92: Ccna security

Tools To Manage ASA

• Command-line interface (CLI)
• ASA Security Device Manager (ASDM)
• Cisco Security Manager (CSM)

Page 93: Ccna security

Packet Filtering On The ASA

• Inbound to an interface
• Inbound from a security level perspective
• Outbound to an interface
• Outbound from a security level perspective

Page 94: Ccna security

Access List on ASA

• If using access lists on each interface of the ASA, the security levels no longer control what the initial traffic flows may be.

• No wildcard masks are used on the ASA access lists, but rather just subnet masks.

Page 95: Ccna security

Layer 3 And 4 Class Map Traffic Identification Methods

• Referring to an access list
• Looking at the differentiated services codepoint (DSCP) and/or IP Precedence fields of the packet
• TCP or UDP ports
• IP Precedence
• Real-time Transport Protocol (RTP) port numbers
• VPN tunnel groups

Page 96: Ccna security

Policy Map Actions

• Reroute the traffic to a hardware module such as the IPS module that is inside the ASA
• Perform inspection on that traffic (related to stateful filtering or application layer inspection/filtering)
• Give priority treatment to the forwarding of that traffic
• Rate-limit or police that traffic
• Perform advanced handling of the traffic

Page 97: Ccna security

IPS and IDS Differences

Page 98: Ccna security

IPS Versus IDS

Position in the network flow
IDS: Off to the side; the IDS is sent copies of the original packets. Also known as promiscuous mode, or out of band.
IPS: Directly inline with the flow of network traffic, touching every packet on its way through the network. Inline mode.

Latency or delay
IDS: Does not add delay to the original traffic because it is not inline.
IPS: Adds a small amount of delay before forwarding traffic through the network.

Impact caused by the sensor failing to forward packets
IDS: There is no negative impact if the sensor goes down.
IPS: If the sensor goes down, traffic that would normally flow through the sensor could be impacted.

Ability to prevent malicious traffic from going into the network
IDS: By itself, a promiscuous mode IDS cannot stop the original packet. Options do exist for a sensor in promiscuous mode to request assistance from another device that is inline, which may block future packets.
IPS: The IPS can drop the packet on its own because it is inline. The IPS can also request assistance from another device to block future packets, just as the IDS does.

Normalization ability
IDS: Because the IDS does not see the original packet, it cannot manipulate any original inline traffic.
IPS: Because the IPS is inline, it can normalize (manipulate or modify) traffic inline based on a current set of rules.

Page 99: Ccna security

Sensor Platforms

• A dedicated IPS appliance, such as the 4200 series

• Software running on the router in versions of IOS that support it

• A module in an IOS router, such as the AIM-IPS or NME-IPS modules

• A module on an ASA firewall in the form of the AIP module for IPS

• A blade that works in a 6500 series multilayer switch

Page 100: Ccna security

Positive/Negative Terminology

• False positive
• False negative
• True positive
• True negative

Page 101: Ccna security

IPS/IDS Method Advantages And Disadvantages

Signature based
Advantages: Easy to configure, simple to implement.
Disadvantages: Does not detect attacks outside of the rules. May need to disable signatures that are creating false positives. Signatures must be updated periodically to be current.

Policy based
Advantages: Simple and reliable, very customizable. Only allows policy-based traffic, which can deny unknown attacks because by default they fall outside the policy being allowed.
Disadvantages: Policy must be manually created. Implementation of the policy is only as good as the signatures you manually create.

Anomaly based
Advantages: Self-configuring baselines. Detects worms based on anomalies, even if specific signatures have not yet been created for that type of traffic.
Disadvantages: Difficult to accurately profile extremely large networks. May cause false positives based on significant changes in valid network traffic.

Reputation based
Advantages: Leverages enterprise and global correlation, providing information based on the experience of other systems. Early-warning system.
Disadvantages: Requires timely updates, and requires participation in the correlation process.

Page 102: Ccna security

Possible Sensor Responses to Attacks

Deny attacker inline: Available only if the sensor is configured as an IPS. This action denies packets from the source IP address of the attacker for a configurable duration of time, after which the deny action can be dynamically removed.

Deny connection inline: Available only if the sensor is configured as an IPS. This action terminates the packet that triggered the action, and future packets on the same TCP flow. The attacker could open a new TCP session (using different port numbers), which could still be permitted through the inline IPS.

Deny packet inline: Available only if the sensor is configured as an IPS. All the “deny” options apply only to IPS mode. Deny packet terminates the packet that triggered the alert.

Log attacker packets: This action begins to log future packets based on the attacker’s source IP address. This is usually done for a short duration, such as 30 seconds, after the initial alert. Log files are stored in a format that is readable by most protocol analyzers.

Page 103: Ccna security

Possible Sensor Responses to Attacks (continued)

Log victim packets: This logging action begins to log all IP packets that have a destination IP address of the victim (the destination address from the packet or packets that triggered the alert).

Log pair packets: This logging action begins to log IP packets whose source address matches the source IP address that triggered the alert and whose destination address matches the destination address of the packet that triggered the alert. In essence, it logs future packets between the attacker and the victim (the attacked device's address).

Produce alert: An alert is the basic mechanism used by the IDS/IPS to identify that an event has occurred, such as a signature match indicating malicious traffic. This is the default behavior for most of the signatures.

Produce verbose alert: Has the same behavior as produce alert, with the added bonus that it includes a copy of the entire packet that triggered the alert. If both produce alert and produce verbose alert are enabled, the sensor still generates only a single alert, and it includes a copy of the triggering packet.

Page 104: Ccna security

Possible Sensor Responses to Attacks (continued)

Request block connection: Some sensor devices can ask for help to block the attacker’s traffic at some point in the network. The device that the sensor connects to in order to implement the blocking is called a blocking device, and could be an IOS router, a switch that supports VLAN access control lists (VACL), or an Adaptive Security Appliance (ASA) firewall. This action causes the sensor to request that a blocking device block based on the source IP address of the attacker, the destination IP address of the victim, and the ports involved in the packet that triggered the alert. The difference between this option and the one that follows is that request block connection leaves the attacker an opportunity to send traffic on different ports or to different destination IPs, because it still allows connectivity for new sessions.

Request block host: This causes the sensor to request that its blocking devices (see the preceding paragraph) implement blocks based on the source IP address of the attacker, regardless of the ports in use or the destination IP addresses of future packets.

Request SNMP trap: This generates a Simple Network Management Protocol (SNMP) trap message that is sent to the configured management address for SNMP.

Reset TCP connection: This causes a sensor to send a proxy TCP reset to the attacker, with the intention of fooling the attacker into believing it is the victim sending the TCP reset. This action has an effect only on TCP-based traffic.

Page 105: Ccna security

Risk Rating Calculation Factors

Target value rating (TVR): The value that you as an administrator have assigned to specific destination IP addresses or subnets where the critical servers/devices live.

Signature fidelity rating (SFR): The accuracy of the signature as determined by the person who created that signature.

Attack severity rating (ASR): How critical the attack is, as determined by the person who created that signature.

Attack relevancy (AR): This is a minor contributor to the risk rating. A signature match destined to a host where the attack is relevant, such as a Windows server-based attack going to the destination address of a known Windows server, is considered a relevant attack, and the risk rating increases slightly as a result.

Global correlation: If the sensor is participating in global correlation and receives information about specific source addresses that are being used to implement large-scale attacks, attacks coming from those source IP addresses are also given a slightly increased risk rating value.

Page 106: Ccna security

IPS/IDS Evasion Techniques

Traffic fragmentation
Description: The attacker splits malicious traffic into multiple parts with the intent that any detection system will not see the attack for what it really is.
Cisco anti-evasion techniques: Complete session reassembly, so that the IPS/IDS can see the big picture.

Traffic substitution and insertion
Description: The attacker substitutes characters in the data using different formats that have the same final meaning. An example is Unicode strings, which an end station could interpret but perhaps a lesser IPS/IDS might not.
Cisco anti-evasion techniques: Data normalization and de-obfuscation techniques. Cisco’s implementation looks for Unicode, case sensitivity, substitution of spaces with tabs, and other similar evasion tricks.

Protocol level misinterpretation
Description: An attacker may attempt to cause a sensor to misinterpret the end-to-end meaning of a network protocol and so perhaps not catch an attack in progress.
Cisco anti-evasion techniques: IP Time-To-Live (TTL) analysis, TCP checksum validation.

Page 107: Ccna security

IPS/IDS Evasion Techniques (continued)

Timing attacks
Description: The attacker sends packets at a rate low enough not to trigger a signature (for example, a flood signature that triggers at 1000 packets per second, while the attacker sends 900 packets per second).
Cisco anti-evasion techniques: Configurable intervals and use of third-party correlation.

Encryption and tunneling
Description: Encrypted payloads are called encrypted for a reason. If an IPS/IDS sees only encrypted traffic, the attacker can build a Secure Sockets Layer (SSL) or IPsec session between himself and the victim and could then send private data over that virtual private network (VPN).
Cisco anti-evasion techniques: If traffic is encrypted and passes through the sensor as encrypted data, the encrypted payload cannot be inspected. For generic routing encapsulation (GRE) tunnels, there is support for inspection if the data is not encrypted.

Resource exhaustion
Description: If thousands of alerts are being generated by distractor attacks, an attacker may just be trying to disguise the single attack that they are trying to accomplish. The resource exhaustion could be overwhelming the sensor and overwhelming the administration team that has to view the events.
Cisco anti-evasion techniques: Dynamic and configurable event summarization. Here is an example: 20,000 devices are all under the control of the attacker, and all of them begin to send the same attack. The sensor summarizes them by showing a few of the attacks as alerts, and then produces summaries at regular intervals that indicate the attack is still in play and how many thousands of times it occurred over the last interval. This is much better than trying to wade through thousands of individual alerts.

Page 108: Ccna security

Signature Micro-Engines

Micro-Engine | Signatures in This Grouping

Atomic | Signatures that can match on a single packet, as compared to a string of packets

Service | Signatures that examine application layer services, regardless of the operating system

String or Multistring | Supports flexible pattern matching, and can be identified in a single packet or group of packets, such as a session

Other | Miscellaneous signatures that may not specifically fit into other categories

Page 109: Ccna security

IPS/IDS Best Practices

• Implement an IPS so that you can analyze traffic going to your critical servers and other mission-critical devices.
• If you cannot afford dedicated appliances, use modules or IOS software-based IPS/IDS.
• Take advantage of global correlation to improve your resistance against attacks that may be moving toward your organization, and use correlation internally across all your sensors to get the best visibility of the network attacks that are being attempted.
• Use a risk-based approach, where countermeasures occur based on the calculated risk rating.
• Use automated signature updates when possible instead of manually installing updates.
• Continue to tune the IPS/IDS infrastructure as traffic flows and network devices and topologies change.

Page 110: Ccna security

IOS IPS Detection Technologies

• Profile based
• Signature based
• Protocol analysis based

Page 111: Ccna security

IOS IPS Signature Features

• Regular expression string pattern matching
• Response actions
• Alarm summarization
• Threshold configuration
• Anti-evasive techniques
• Risk ratings

Page 112: Ccna security

IPS Tuning Best Practices

• Begin with the basic signature category, and see how much memory and CPU utilization this takes in the production network, before moving to the advanced signature category.
• Schedule downtime for the installation and updates.
• Retire signatures that are irrelevant to your network to save resources on the router.
• Monitor free memory to ensure that you do not cause harm to your router by loading too many additional services.
• There are options available that can tell the IOS router not to forward any traffic through an IPS-protected interface if some type of problem causes the signatures not to compile. The terms for this are fail close and fail open.
• For performance reasons, be very careful before unretiring and enabling the All category of signatures.

Page 113: Ccna security

Types Of VPN Based On Definition

• IPsec
• SSL
• MPLS

Page 114: Ccna security

Two Major Categories VPN Placed

• Remote-access VPNs
• Site-to-site VPNs

Page 115: Ccna security

Confidentiality

A Secret Message Encrypted:

Tp uijt jt uif tfdsfu nfttbhf. Ju jt fbtz up ef-fodszqu jg zpv lopx uif lfz.

Page 116: Ccna security

Data Integrity

dev-1# verify /md5 flash:/c2800nm-advipservicesk9-mz.124-24.T4.bin
.....................................................................................Done!
verify /md5 (flash:/c2800nm-advipservicesk9-mz.124-24.T4.bin) = 28518159ba5f75ef0eeb9617fd35e2ba

Page 117: Ccna security

Authentication

Methods To Authenticate the VPN Peer at the Other End of the Tunnel:

• Pre-shared keys used for authentication only
• Public and private key pairs used for authentication only
• User authentication (in combination with remote-access VPNs)

Page 118: Ccna security

Antireplay

Once a VPN packet has been sent and accounted for, that exact same VPN packet is not valid the second time in the VPN session.

Page 119: Ccna security

Cipher And Keys

Common methods that ciphers use:
• Substitution
• Polyalphabetic
• Transposition

Keys: OTP (One Time Pad)
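The encrypted message on the Confidentiality slide is a single-alphabet shift substitution, so it serves as a concrete case for the substitution and polyalphabetic methods listed here. The code below is an added example, not from the slides: it decrypts the slide's message with the key, shows that a plain shift has only 26 keys to try (which is why it is a teaching cipher, not a protection), and contrasts it with a polyalphabetic (Vigenere) shift using a constructed keyword.

```python
"""Added example (not from the slides): shift substitution versus polyalphabetic
substitution, using the ciphertext shown on the Confidentiality slide."""

# Ciphertext exactly as shown on the "Confidentiality" slide.
SLIDE_CIPHERTEXT = "Tp uijt jt uif tfdsfu nfttbhf. Ju jt fbtz up ef-fodszqu jg zpv lopx uif lfz."


def shift_char(ch: str, k: int) -> str:
    """Shift one letter by k places, preserving case; leave non-letters alone."""
    if not ch.isalpha():
        return ch
    base = ord("A") if ch.isupper() else ord("a")
    return chr((ord(ch) - base + k) % 26 + base)


def shift_decrypt(ciphertext: str, key: int) -> str:
    """Substitution: every letter was shifted by the same key, so shift them all back."""
    return "".join(shift_char(c, -key) for c in ciphertext)


# Small constructed word list used to rank candidate plaintexts.
COMMON_WORDS = {"the", "is", "it", "to", "if", "you", "this", "of", "and", "a"}


def english_score(text: str) -> int:
    """Count common English words; a correct decryption scores far above the rest."""
    return sum(1 for w in text.lower().split() if w.strip(".,;:-") in COMMON_WORDS)


def brute_force_shift(ciphertext: str) -> tuple:
    """Try every key. With only 26 candidates, the key space offers no protection."""
    best_key = max(range(26), key=lambda k: english_score(shift_decrypt(ciphertext, k)))
    return best_key, shift_decrypt(ciphertext, best_key)


def vigenere(text: str, keyword: str, decrypt: bool = False) -> str:
    """Polyalphabetic: the i-th letter is shifted by the i-th keyword letter, so the
    same plaintext letter no longer always maps to the same ciphertext letter."""
    out, i = [], 0
    for ch in text:
        if ch.isalpha():
            k = ord(keyword[i % len(keyword)].upper()) - ord("A")
            out.append(shift_char(ch, -k if decrypt else k))
            i += 1
        else:
            out.append(ch)
    return "".join(out)


if __name__ == "__main__":
    print(shift_decrypt(SLIDE_CIPHERTEXT, 1))
    print(brute_force_shift(SLIDE_CIPHERTEXT))
    print(vigenere("AAAA", "KEY"))   # same plaintext letter, different ciphertext letters
```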

Page 120: Ccna security

Block Cipher

Examples of Symmetrical Block Cipher Algorithms:
• Advanced Encryption Standard (AES)
• Triple Digital Encryption Standard (3DES)
• Blowfish
• Digital Encryption Standard (DES)
• International Data Encryption Algorithm (IDEA)
• RC2, RC4, RC5, RC6

Page 121: Ccna security

Stream Cipher

• Plaintext is encrypted 1 bit at a time against the bits of the key stream, also called a cipher digit stream.

• A cipher stream does not have to fit in a given block size.

Page 122: Ccna security

Symmetric Algorithms

• A symmetrical encryption algorithm is much faster and takes less CPU than an asymmetrical algorithm.

• A typical key length is 40 bits to 256 bits.

• The minimum key length should be at least 80 bits for symmetrical encryption algorithms to be considered fairly safe.

Page 123: Ccna security

Asymmetric Algorithm

• Public key and private key. Together they make a key pair.

• There is a very high CPU cost when using key pairs to lock and unlock data.

• Use asymmetric algorithms for things such as authenticating a VPN peer or generating keying material that can then be used with symmetrical algorithms.

• In public key cryptography, the public key is published and available to anyone who wants to use it.

Page 124: Ccna security

Hashes

• Hashing is a method used to verify data integrity.
• A cryptographic hash function is a process that takes a block of data and creates a small fixed-size hash value.
• The result of the hash is a fixed-length small string of data, sometimes referred to as the digest, message digest, or simply the hash.
• An example of using a hash to verify integrity is the sender running a hash algorithm on each packet and attaching that hash to the packet.

Page 125: Ccna security

Most Popular Types Of Hashes

• Message digest 5 (MD5): This creates a 128-bit digest.

• Secure Hash Algorithm 1 (SHA-1): This creates a 160-bit digest.

• Secure Hash Algorithm 2 (SHA-2): Options include a digest between 224 bits and 512 bits.

Page 126: Ccna security

HMAC

Hashed Message Authentication Code (HMAC) uses the mechanism of hashing, but instead of using a hash that anyone can calculate, it includes in its calculation a secret key of some type.
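A hash alone lets a receiver detect accidental corruption, but since anyone can compute it, anyone who changes the message in transit can also recompute it. The following added example (not from the slides) makes that concrete with SHA-256 and HMAC-SHA256 from the Python standard library; the messages, the shared key and the in-transit modification are all constructed.

```python
"""Added example (not from the slides): why a hash alone checks integrity but not
authenticity, and what the secret key in an HMAC adds."""
import hashlib
import hmac

SHARED_KEY = b"constructed-shared-secret"       # known only to the two VPN peers
ORIGINAL = b"transfer 100 to account 42"       # constructed message
MODIFIED = b"transfer 900 to account 66"       # constructed in-transit substitution


def plain_digest(message: bytes) -> str:
    """SHA-256 of the message. Anyone who sees the message can compute this."""
    return hashlib.sha256(message).hexdigest()


def hmac_tag(key: bytes, message: bytes) -> str:
    """HMAC-SHA256: the secret key is mixed into the calculation."""
    return hmac.new(key, message, hashlib.sha256).hexdigest()


def receiver_accepts_plain(message: bytes, digest: str) -> bool:
    """Receiver recomputes the hash; constant-time compare avoids timing leaks."""
    return hmac.compare_digest(plain_digest(message), digest)


def receiver_accepts_hmac(key: bytes, message: bytes, tag: str) -> bool:
    return hmac.compare_digest(hmac_tag(key, message), tag)


def modification_survives_plain_hash() -> bool:
    """Sender attaches a plain hash. Whoever alters the message in transit simply
    recomputes the public hash, and the receiver's check still passes."""
    sent_digest = plain_digest(ORIGINAL)
    forged_digest = plain_digest(MODIFIED)        # no key needed to produce this
    assert sent_digest != forged_digest           # the hash did change ...
    return receiver_accepts_plain(MODIFIED, forged_digest)   # ... but it still verifies


def modification_survives_hmac() -> bool:
    """Sender attaches an HMAC. Without the key, the best an in-transit party can do
    is keep the old tag, hash without the key, or guess a key; all are rejected."""
    sent_tag = hmac_tag(SHARED_KEY, ORIGINAL)
    attempts = [sent_tag, plain_digest(MODIFIED), hmac_tag(b"guess", MODIFIED)]
    return any(receiver_accepts_hmac(SHARED_KEY, MODIFIED, t) for t in attempts)


def legitimate_hmac_verifies() -> bool:
    """Sanity check: the untouched message with its genuine tag is accepted."""
    return receiver_accepts_hmac(SHARED_KEY, ORIGINAL, hmac_tag(SHARED_KEY, ORIGINAL))


if __name__ == "__main__":
    print("plain hash lets the modification through:", modification_survives_plain_hash())
    print("HMAC lets the modification through:      ", modification_survives_hmac())
```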

Page 127: Ccna security

Digital Signature

In the world of cryptography a digital signature provides three core benefits:
• Authentication
• Data integrity
• Nonrepudiation

Page 128: Ccna security

VPN Components

Symmetrical encryption algorithms
Function: Use the same key for encrypting and decrypting data.
Examples of use: DES, 3DES, AES, IDEA

Asymmetrical encryption
Function: Uses a public and private key. One key encrypts the data, and the other key in the pair is used to decrypt.
Examples of use: RSA, Diffie-Hellman

Digital signature
Function: Encryption of a hash using the private key, and decryption of the hash with the sender’s public key.
Examples of use: RSA signatures

Diffie-Hellman key exchange
Function: Uses a public-private key pair asymmetrical algorithm, but creates final shared secrets (keys) that are then used by symmetrical algorithms.
Examples of use: Used as one of the many services of IPsec

Confidentiality
Function: Encryption algorithms provide this by turning clear text into cipher text.
Examples of use: DES, 3DES, AES, RSA, IDEA

Data integrity
Function: Validates data by comparing hash values.
Examples of use: MD5, SHA-1

Authentication
Function: Verifies the peer’s identity to the other peer.
Examples of use: PSKs, RSA signatures

Page 129: Ccna security

Asymmetrical Algorithm Examples

• RSA: Named after Rivest, Shamir, and Adleman, who created the algorithm. The primary use of this asymmetrical algorithm today is for authentication. It is also known as public key cryptography standard (PKCS) #1. The key length may be from 512 to 2048, and a minimum size for good security is at least 1024.

• DH: Diffie-Hellman key exchange protocol. DH is an asymmetrical algorithm that allows two devices to negotiate and establish shared secret keying material (keys) over an untrusted network. The interesting thing about DH is that although the algorithm itself is asymmetrical, the keys generated by the exchange are symmetrical keys that can then be used with symmetrical algorithms such as Triple Digital Encryption Standard (3DES) and Advanced Encryption Standard (AES).

• ElGamal: This asymmetrical encryption system is based on the DH exchange.

• DSA: Digital Signature Algorithm, developed by the U.S. National Security Agency.

• ECC: Elliptic Curve Cryptography.

Page 130: Ccna security

User Data Authentication

• Two parties exchange public keys
• Creating a digital signature
• Generate matched decrypted hash

Page 131: Ccna security

Parts Of a Digital Certificate

• Serial number: Assigned by the CA and used to uniquely identify the certificate
• Subject: The person or entity that is being identified
• Signature algorithm: The specific algorithm that was used for signing the digital certificate
• Signature: The digital signature from the certificate authority, which is used by devices that want to verify the authenticity of the certificate issued by that CA
• Issuer: The entity or CA that created and issued the digital certificate
• Valid from: The date the certificate became valid
• Valid to: The expiration date of the certificate
• Key usage: The functions for which the public key in the certificate may be used
• Public key: The public portion of the public and private key pair generated by the host whose certificate is being looked at
• Thumbprint algorithm: The hash algorithm used for data integrity
• Thumbprint: The actual hash
• Certificate revocation list location: The URL that can be checked to see whether the serial number of any certificate issued by the CA has been revoked

Page 132: Ccna security

Authenticating and Enrolling with the CA

Step 1: The first step is to authenticate the CA server, or in other words trust the CA server.

Step 2: After you have authenticated the root CA and have a known good root certificate for that CA, request your own identity certificate.

Page 133: Ccna security

Public Key Cryptography Standards

• PKCS #10: This is the format of a certificate request sent to a CA by an entity that wants to receive its identity certificate. This type of request includes the public key of the entity desiring a certificate.

• PKCS #7: This is a format that can be used by a CA as a response to a PKCS #10 request. The response itself will very likely be the identity certificate (or certificates) that had been previously requested.

• PKCS #1: RSA Cryptography Standard.

• PKCS #12: A format for storing both public and private keys, using a symmetric password-based key to “unlock” the data whenever the key needs to be used or accessed.

• PKCS #3: Diffie-Hellman key exchange.

Page 134: Ccna security

Methods Check Revoked Certificate

• Certificate Revocation List (CRL): This is a list of certificates, based on their serial numbers, that had initially been issued by a CA but have since been revoked and as a result should not be trusted. A CRL could be very large, and the client would have to process the entire list to verify that the certificate is not on the list. A CRL can be thought of as the naughty list. This is the primary protocol used for this purpose, compared to OCSP and AAA. A CRL could be accessed by several protocols, including LDAP and HTTP. A CRL could also be obtained via SCEP.

• Online Certificate Status Protocol (OCSP): This is an alternative to CRLs. Using this method, a client simply sends a request to find the status of a certificate and gets a response without having to know the complete list of revoked certificates.

• Authentication, authorization, and accounting (AAA): Cisco AAA services also provide support for validating digital certificates, including a check to see whether a certificate has been revoked. Because this is a proprietary solution, this is not often used in PKI.

Page 135: Ccna security

Uses For Digital Certificate

• HTTP Secure (HTTPS)
• Transport Layer Security (TLS)
• Secure Sockets Layer (SSL)
• Used with the IPsec protocol family
• Used with protocols such as 802.1X

Page 136: Ccna security

PKI Topologies

• Single Root CA

• Hierarchical CA with Subordinate CA

• Cross-Certifying CA

Page 137: Ccna security

Authenticating And Enrolling with a New CA

Test-asa(config)# crypto ca trustpoint New-CA-to-Use
Test-asa(config-ca-trustpoint)# keypair New-Key-Pair
Test-asa(config-ca-trustpoint)# id-usage ssl-ipsec
Test-asa(config-ca-trustpoint)# no fqdn
Test-asa(config-ca-trustpoint)# subject-name CN=ciscoasa
Test-asa(config-ca-trustpoint)# enrollment url http://192.168.1.105
Test-asa(config-ca-trustpoint)# exit
Test-asa(config)# crypto ca authenticate New-CA-to-Use nointeractive
Test-asa(config)# crypto ca enroll New-CA-to-Use noconfirm

Page 138: Ccna security

IPSec Goals

• Confidentiality: Provided through encryption changing clear text into cipher text.

• Data integrity: Provided through hashing or through Hashed Message Authentication Code (HMAC) to verify that data has not been manipulated during its transit across the network.

• Authentication: Provided through authenticating the VPN peers near the beginning of a VPN session using pre-shared keys (PSK) or digital signatures (leveraging digital certificates). Authentication can also be done continuously through the use of an HMAC, which includes a secret known only to two ends of the VPN.

• Antireplay support: When VPNs are established, the peers can sequentially number the packets, and if a packet is replayed (perhaps by an attacker), the packet will not be accepted because the VPN device believes it has already processed that packet.
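Receiver-side checks for the data-integrity and antireplay goals above, as an added example (not code from the slides or from Cisco). The ESP-like packet layout (SPI, sequence number, payload, truncated HMAC-SHA1 ICV), the key and the packets are all constructed here; the window follows the RFC 4303 sliding-window rule with the 64-packet minimum size.

```python
import hashlib
import hmac
import struct

# Added example (not from the slides): receiver-side checks for two of the
# IPsec goals above, data integrity (HMAC) and antireplay (sequence-number
# window). The ESP-like packet layout, key and packets are constructed here:
# 32-bit SPI | 32-bit sequence number | payload | 96-bit HMAC-SHA1 ICV.
ICV_LEN = 12      # HMAC-SHA1-96: the first 12 bytes of the 20-byte tag
WINDOW = 64       # RFC 4303 minimum antireplay window size in packets

def build_esp(key, spi, seq, payload):
    """Sender side: authenticate SPI | seq | payload and append the ICV."""
    body = struct.pack("!II", spi, seq) + payload
    return body + hmac.new(key, body, hashlib.sha1).digest()[:ICV_LEN]

class ReplayWindow:
    """Sliding window over accepted sequence numbers (RFC 4303 3.4.3)."""
    def __init__(self):
        self.top = 0     # highest sequence number accepted so far
        self.bits = 0    # bit i set => sequence number (top - i) was seen

    def check_and_update(self, seq):
        if seq == 0:                    # 0 is never sent on the wire
            return False
        if seq > self.top:              # new high-water mark: slide window
            shift = seq - self.top
            self.bits = ((self.bits << shift) | 1) & ((1 << WINDOW) - 1)
            self.top = seq
            return True
        offset = self.top - seq
        if offset >= WINDOW or (self.bits >> offset) & 1:
            return False                # too old, or already seen: replay
        self.bits |= 1 << offset
        return True

def receive_esp(key, packet, window):
    """Integrity first, then antireplay. Returns payload, or None if rejected."""
    if len(packet) < 8 + ICV_LEN:
        return None
    body, icv = packet[:-ICV_LEN], packet[-ICV_LEN:]
    expected = hmac.new(key, body, hashlib.sha1).digest()[:ICV_LEN]
    if not hmac.compare_digest(icv, expected):   # tampered or wrong key
        return None
    _spi, seq = struct.unpack("!II", body[:8])
    if not window.check_and_update(seq):         # duplicate sequence number
        return None
    return body[8:]
```

A packet whose ICV fails is dropped before its sequence number can touch the window, so a forged packet with a high sequence number cannot push legitimate traffic out of the window.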

Page 139: Ccna security

HAGLE

• Hash algorithm: This could be MD5 or SHA on most devices.

• Authentication method: Used for verifying the identity of the VPN peer on the other side of the tunnel. Options include a PSK used only for the authentication or RSA signatures (which leverage the public keys contained in digital certificates).

• Diffie-Hellman (DH) group to use: The DH “group” refers to the modulus size (length of the key) to use for the DH key exchange. Group 1 uses 768 bits, group 2 uses 1024, and group 5 uses 1536. The purpose of DH is to generate shared secret keying material (symmetric keys) that may be used by the two VPN peers for symmetrical algorithms, such as AES. It is important to note that the DH exchange itself is asymmetrical (and is CPU intensive), and the resulting keys that are generated are symmetrical.

• Lifetime: How long until this IKE Phase 1 tunnel should be torn down. (The default is 1 day, listed in seconds.) This is the only parameter that does not have to exactly match with the other peer to be accepted.

• Encryption algorithm: This could be DES (bad idea, too weak), 3DES (better) or AES (best) with various key lengths.

Page 140: Ccna security

Steps For IKE Phase 1

• Step 1: Negotiate the IKE Phase 1 Tunnel

• Step 2: Run the DH Key Exchange

• Step 3: Authenticate the Peer
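A toy run through the three IKE Phase 1 steps and the HAGLE matching rule on the previous slide, as an added example that is not code from the slides or from Cisco. It assumes policies are plain dicts, uses a constructed 64-bit prime (2**64 - 59) in place of the real 1024-bit group 2 modulus, and stands in a simplified HMAC for the PSK authentication step.

```python
import hashlib
import hmac
import secrets

# Added example (not from the slides): a toy run through the three IKE Phase 1
# steps. DEMO_PRIME is a constructed 64-bit prime (2**64 - 59) standing in for
# the 1024-bit group 2 modulus; it is far too small for real use.
DEMO_PRIME, GENERATOR = 0xFFFFFFFFFFFFFFC5, 2
MATCH_KEYS = ("hash", "auth", "group", "encr")   # H, A, G, E must match exactly
HASHES = {"sha": hashlib.sha1, "md5": hashlib.md5}

def negotiate(initiator_proposals, responder_policies):
    """Step 1: accept the first proposal whose H/A/G/E equal a responder
    policy. Lifetime (L) is the one value allowed to differ; shorter wins."""
    for proposal in initiator_proposals:
        for policy in responder_policies:
            if all(proposal[k] == policy[k] for k in MATCH_KEYS):
                agreed = dict(policy)
                agreed["lifetime"] = min(proposal["lifetime"], policy["lifetime"])
                return agreed
    return None

def dh_keypair():
    """Step 2 (each peer): private exponent x and public value g^x mod p."""
    private = secrets.randbelow(DEMO_PRIME - 2) + 2
    return private, pow(GENERATOR, private, DEMO_PRIME)

def dh_shared(private, peer_public):
    """g^xy mod p: the asymmetric exchange yields symmetric keying material."""
    return pow(peer_public, private, DEMO_PRIME)

def psk_auth_tag(policy, psk, shared, nonce_i, nonce_r):
    """Step 3 (PSK variant, simplified): proof of identity is an HMAC keyed
    by the pre-shared key over both nonces and the DH result, computed with
    the negotiated hash. A peer without the PSK cannot produce a matching tag."""
    msg = nonce_i + nonce_r + shared.to_bytes(8, "big")
    return hmac.new(psk.encode(), msg, HASHES[policy["hash"]]).digest()

def phase1(initiator_proposals, responder_policies, psk_i, psk_r):
    """Run all three steps; returns the agreed policy, or None on failure."""
    policy = negotiate(initiator_proposals, responder_policies)
    if policy is None:
        return None
    a, pub_a = dh_keypair()              # initiator
    b, pub_b = dh_keypair()              # responder
    ni, nr = secrets.token_bytes(16), secrets.token_bytes(16)
    tag_i = psk_auth_tag(policy, psk_i, dh_shared(a, pub_b), ni, nr)
    tag_r = psk_auth_tag(policy, psk_r, dh_shared(b, pub_a), ni, nr)
    return policy if hmac.compare_digest(tag_i, tag_r) else None
```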

Page 141: Ccna security

IKE Phase 1 And IKE Phase 2

IKE Phase 1:

• Two modes: Main mode or Aggressive mode. Main mode uses more packets for the process than Aggressive mode, but Main mode is considered more secure.

• Used only to protect management traffic related to the VPN between the two endpoints.

IKE Phase 2:

• Tunnel used to protect the end-user packets as those packets cross untrusted networks between the VPN peers.

• The IKE Phase 2 tunnel is called Quick mode.

• The IKE Phase 2 component is called the transform set.

Page 142: Ccna security

Protocols That May Be Required For IPSec

(Protocol/Port; Who Uses It; How It Is Used)

• UDP port 500. Who uses it: IKE Phase 1. How it is used: IKE Phase 1 uses UDP:500 for its negotiation.

• UDP port 4500. Who uses it: NAT-T (NAT Traversal). How it is used: If both peers support NAT-T, and if they detect that they are connecting to each other through a Network Address Translation (NAT) device (translation is happening), they may negotiate that they want to put a fake UDP port 4500 header on each IPsec packet (before the ESP header) to survive a NAT device that otherwise may have a problem tracking an ESP session (Layer 4 protocol 50).

• Layer 4 protocol 50. Who uses it: ESP. How it is used: IPsec packets have the Layer 4 protocol of ESP (IP Protocol #50), which is encapsulated by the sender and de-encapsulated by the receiver for each IPsec packet. ESP is normally used instead of Authentication Header (AH). The ESP header is hidden behind a UDP header if NAT-T is in use.

• Layer 4 protocol 51. Who uses it: AH. How it is used: AH packets have the Layer 4 protocol of AH (IP Protocol #51). We do not normally use AH (as opposed to ESP) because AH lacks any encryption capability for user data.
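A classifier that sorts raw IPv4 packets into the four slots of the table above (IKE on UDP 500, NAT-T on UDP 4500, ESP as IP protocol 50, AH as IP protocol 51), as an added example that is not code from the slides or from Cisco. It is the kind of check a firewall rule or capture filter in front of a VPN peer has to make; the packets are built by hand with two small helpers, and the UDP 4500 sub-cases follow RFC 3948 (a four-zero-byte non-ESP marker for IKE, a single 0xFF byte for keepalives).

```python
import struct

# Added example (not from the slides): classify raw IPv4 packets into the
# protocol/port slots of the table above, the way a firewall rule or a
# packet-capture filter in front of a VPN peer must. All packets are
# constructed by hand with the two helpers below.
IKE_PORT, NATT_PORT = 500, 4500
UDP_PROTO, ESP_PROTO, AH_PROTO = 17, 50, 51
NON_ESP_MARKER = b"\x00\x00\x00\x00"   # RFC 3948: IKE inside UDP 4500

def ipv4(proto, src, dst, payload):
    """Minimal 20-byte IPv4 header (no options, checksum left zero)."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload),
                      0, 0, 64, proto, 0, src, dst)
    return hdr + payload

def udp(sport, dport, data):
    """UDP header (checksum left zero) followed by data."""
    return struct.pack("!HHHH", sport, dport, 8 + len(data), 0) + data

def classify(packet):
    """One of 'IKE', 'IKE-NAT-T', 'ESP-NAT-T', 'NAT-T-keepalive', 'ESP',
    'AH' or 'other'."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        return "other"
    ihl = (packet[0] & 0x0F) * 4
    proto = packet[9]
    payload = packet[ihl:]
    if proto == ESP_PROTO:                 # IP protocol 50, no port
        return "ESP"
    if proto == AH_PROTO:                  # IP protocol 51, no port
        return "AH"
    if proto == UDP_PROTO and len(payload) >= 8:
        sport, dport = struct.unpack("!HH", payload[:4])
        data = payload[8:]
        if IKE_PORT in (sport, dport):
            return "IKE"
        if NATT_PORT in (sport, dport):
            if data == b"\xff":            # 1-byte NAT keepalive (RFC 3948 2.3)
                return "NAT-T-keepalive"
            if data[:4] == NON_ESP_MARKER: # IKE re-homed to 4500 behind NAT
                return "IKE-NAT-T"
            return "ESP-NAT-T"             # ESP header (non-zero SPI) in UDP
    return "other"
```

Blocking only "UDP 500" on a perimeter device therefore leaves the NAT-T and plain ESP/AH paths open, and a filter that allows only UDP 500 breaks peers behind NAT.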

Page 143: Ccna security

IKE Phase 2 Policy Options

(Item to Plan: Implemented By)

• Peer IP addresses: Crypto map

• Traffic to encrypt: Crypto ACL, which is referred to in the crypto map

• Encryption method: Transform set, which is referred to in the crypto map

• Hashing (HMAC) method: Transform set, which is referred to in the crypto map

• Lifetime (time, or data): Global configuration command: crypto ipsec security-association lifetime

• Perfect Forward Secrecy (PFS) (run DH again or not): Crypto map

• Which interface is used to peer with the other VPN device: Crypto map applied to the outbound interface

Page 144: Ccna security

Preparing And Obtaining Digital Certificate On Router

R1(config)# ip domain name cisco.com
R1(config)# crypto key generate rsa
R1(config)# crypto pki trustpoint CA
R1(ca-trustpoint)# enrollment URL http://3.3.3.3
R1(ca-trustpoint)# exit
R1(config)# crypto pki authenticate CA
R1(config)# crypto pki enroll CA

Page 145: Ccna security

Implementing Crypto Policy On Router

R1(config)# crypto isakmp policy 1
R1(config-isakmp)# encr aes 256
R1(config-isakmp)# group 5
R1(config-isakmp)# lifetime 3600
R1(config-isakmp)# authentication rsa-sig
R1(config-isakmp)# hash sha
R1(config-isakmp)# exit
R1(config)# crypto ipsec transform-set MYSET esp-aes esp-sha-hmac
R1(cfg-crypto-trans)# exit
R1(config)# access-list 100 permit ip 172.16.0.0 0.0.255.255 192.168.0.0 0.0.0.255

Page 146: Ccna security

Defining Crypto Map And Implementing On Router

R1(config)# crypto map MYMAP 1 ipsec-isakmp
R1(config-crypto-map)# match address 100
R1(config-crypto-map)# set peer 23.0.0.2
R1(config-crypto-map)# set transform-set MYSET
R1(config-crypto-map)# set pfs group2
R1(config-crypto-map)# exit
R1(config)# interface GigabitEthernet1/0
R1(config-if)# crypto map MYMAP
R1(config-if)# exit

Page 147: Ccna security

SSL vs IPSec

• Applications. SSL: Web-based applications, file sharing, email (if not using full client). With the full AnyConnect client, all IP-based applications, similar to IPsec, are available. IPsec: All IP-based applications are available to the user. The experience is like being on the local network.

• Encryption. SSL: Moderate range of key lengths. IPsec: Stronger range of longer key lengths.

• Authentication. SSL: Moderate, one-way or two-way authentication. IPsec: Strong, two-way authentication using shared secrets or digital certificates.

• Ease of use. SSL: Very high. IPsec: Moderate. Can be challenging for nontechnical users, and deployment is more time-consuming.

• Overall security. SSL: Moderate. Any device can initially connect. IPsec: Strong. Only specific devices with specific configurations, such as a VPN client, can connect.

Page 148: Ccna security

SSL vs TLS

• Origin. SSL: Developed by Netscape in the 1990s. TLS: Standard developed by the Internet Engineering Task Force (IETF).

• Session start. SSL: Starts with a secured channel and continues directly to security negotiations on a dedicated port. TLS: Can start with unsecured communications and dynamically switch to a secured channel based on the negotiation with the other side.

• Support. SSL: Widely supported on client-side applications. TLS: Supported and implemented more on servers, compared to end-user devices.

• Weaknesses. SSL: More weaknesses identified in older SSL versions. TLS: Stronger implementation because of the standards process.

Page 149: Ccna security

SSL Steps For VPN

• The client initiates a connection to the server using the destination IP address of the server and the destination TCP port 443.

• There is the standard three-way handshake, which is the normal process for TCP in establishing sessions.

• After the client initiates its request for the connection, the server responds, providing its digital certificate, which contains the server’s public key.

• The client, upon receiving this digital certificate, has a big decision to make. That decision is whether to believe the credibility of the digital certificate that it just received from the SSL VPN server. This is where PKI comes into play. If the digital certificate is signed by a certificate authority (CA) that the client’s browser trusts, and the validity dates for that certificate cause the client to believe that the time has not run out on that certificate, and if the client is checking a certificate revocation list (CRL) (and the serial number for the certificate is not on the CRL), the client can trust the certificate and extract the public key of the server out of the certificate.

• The client then generates a shared secret that it would like to use for encryption back and forth between itself and the server. The problem now is how to send this shared secret securely to the server. The answer is that the client uses the public key of the server to encrypt the shared secret and sends the encrypted secret to the server.

• The server decrypts the sent symmetric key using the server’s own private key, and now both devices in the session know and can use the shared secret key.

• The key is then used to encrypt the SSL session.

Page 150: Ccna security

SSL VPN Flavors

(Columns: Clientless SSL VPN; Clientless SSL VPN with Plug-Ins for Some Port Forwarding; Full AnyConnect SSL VPN Client)

• Other names. Clientless: Web VPN. Clientless with plug-ins: Thin client. Full AnyConnect client: Full SSL client.

• Installed software on client. Clientless: No client required. Clientless with plug-ins: Small applets and/or configuration required. Full AnyConnect client: Full install of AnyConnect required, but may be installed by initially connecting via the clientless option, and securely installing it that way.

• User experience. Clientless: Feels like accessing resources (that are on the corporate network) through a specific browser window or hyperlink. Clientless with plug-ins: Some applications can be run locally with output redirected through the VPN. Includes the features of the clientless VPN. Full AnyConnect client: Full access to the corporate network. The local computer acts and feels like it is a full participant on the corporate network.

• Servers that can be used. All three: IOS with the correct software, and ASA with the correct licenses.

• How the user looks from the corporate network. Clientless: Traffic is proxied (Port Address Translation [PAT]) by the SSL server, as the user's packets enter the corporate network. Clientless with plug-ins: Traffic is proxied (Port Address Translation [PAT]) by the SSL server as the user's packets enter the corporate network. Full AnyConnect client: Clients are assigned their own virtual IP address to use while accessing the corporate network. Traffic is forwarded from the given IP address of the client into the corporate network.

Page 151: Ccna security

Clientless SSL VPN Implementation

asa(config)# group-policy SSL_Group internal

asa(config)# ssl trust-point ASDM_TrustPoint0 outside

asa(config)# webvpn

asa(config-webvpn)# enable outside

asa(config-webvpn)# group-policy SSL_Group attributes

asa(config-group-policy)# vpn-tunnel-protocol ssl-clientless

asa(config-group-policy)# webvpn

asa(config-group-webvpn)# url-list value MyList

asa(config-group-webvpn)# exit

asa(config-group-policy)# exit

asa(config)# tunnel-group Connection_Profile_IINS type remote-access

asa(config)# tunnel-group Connection_Profile_IINS general-attributes

asa(config-tunnel-general)# default-group-policy SSL_Group

asa(config-tunnel-general)# tunnel-group Connection_Profile_IINS webvpn-attributes

asa(config-tunnel-webvpn)# group-alias SSL_VPN enable

asa(config-tunnel-webvpn)# group-url https://73.143.61.175/SSL_VPN enable

Page 152: Ccna security

SSL AnyConnect Client VPN Configuration

object network NETWORK_OBJ_10.0.0.0_25

subnet 10.0.0.0 255.255.255.128

ip local pool POOLS-for-AnyConnect 10.0.0.51-10.0.0.100 mask 255.255.255.0

group-policy GroupPolicy_SSL_AnyConnect internal

group-policy GroupPolicy_SSL_AnyConnect attributes

vpn-tunnel-protocol ssl-client

dns-server value 8.8.8.8

wins-server none

default-domain value ciscoo.com

exit

webvpn

enable outside

anyconnect image disk0:/anyconnect-macosx-i386-2.5.2014-k9.pkg 1

anyconnect enable

tunnel-group-list enable

tunnel-group SSL_AnyConnect type remote-access

tunnel-group SSL_AnyConnect general-attributes

default-group-policy GroupPolicy_SSL_AnyConnect

address-pool POOLS-for-AnyConnect

tunnel-group SSL_AnyConnect webvpn-attributes

group-alias SSL_AnyConnect enable

nat (inside,outside) 3 source static inside interface destination static NETWORK_OBJ_10.0.0.0_25 NETWORK_OBJ_10.0.0.0_25 no-proxy-arp route-lookup