CCNP Security-Secure

These slides taken from the official SECURE
guide and Cisco SNRS slides
3/26/2014
Eng. Mohannad Alhanahnah 1
SECURE
Agenda:
• Network Security Technologies Overview
• Routed Data Plane Security
• Control Plane Security
• Management Plane Security
Network Foundation Protection (NFP)
802.1X and Cisco Identity-Based Networking Services (IBNS)
Implementing and Configuring Basic 802.1X
• Cisco IOS Foundation Security Solutions
• Implementing and Configuring NAT
• Implementing and Configuring Zone-Based Policy Firewalls
• Implementing and Configuring IOS IPS
• Cisco IOS Site-to-Site Security Solutions

3/26/2014
Overview of the CCNP Security
• All four CCNP Security exams required
• SECURE – 642-637
• IPS – 642-627
• FIREWALL – 642-618
• VPN – 642-648
• ~90 minutes with 60-70 questions
• 60-70 questions
• Register with Pearson Vue
• http://www.vue.com/cisco
• Exam cost is $200.00 US
Cisco SAFE
• Focuses on the development of good network security
designs.
• utilizes of the Cisco Security Control Framework (SCF)

3/26/2014
• Examples of technologies that are used to help identify
include:
■ 802.1x for identity solutions
■ Biometric recognition
■ Routing authentication
■ Secure traffic mechanisms (encryption)
■ Authentication mechanisms,
• Examples of technologies that can help monitor this data
include
• AAA
• IDS and IPS
• Examples of technologies that can help correlate this data
include the following:
• MARS
• NTP
• Examples of technologies that can help harden network
elements include:
■ Control plane policing
■ Component redundancy
■ Device/interface redundancy
■ Topology redundancy
• Examples of technologies that can isolate specific devices
or data include:
■ ACL & VPN
■ Out-of-band management
■ Management traffic encryption
■ Virtual local-area networks (VLAN)
• Examples of technologies that can enforce specific policies:
■ IDS and IPS
■ Port security
■ ACLs

3/26/2014
Examining Layer 2 Attacks:
• The most common types of switched data plane attacks
are as follows:
■ VLAN hopping
■ CAM flooding
■ MAC address spoofing
■ STP spoofing
■ DHCP “starvation”
■ DHCP server spoofing
■ ARP spoofing
■ IP spoofing

3/26/2014
CAM Table Overflow Attack:
Port Security:

3/26/2014
Mitigating CAM Table Overflow:
1. Secure MAC Addresses:
• Static
• Dynamic
• Sticky: The sticky secure switch port security classification includes dynamically learned addresses
that are automatically added to the running configuration.
• Configuration Guidelines:
• Only on static access ports
• Not on trunk or dynamic access ports
• Not on SPAN port
• Not on EtherChannel port
• Voice VLAN assigned dynamic secure addresses
• On port with voice VLAN, set maximum MAC addresses to two plus maximum number of MAC
addresses
• Dynamic port security enabled on voice VLAN when security enables on access VLAN
• Not configurable on per-VLAN basis
• No aging of sticky addresses
• No simultaneous enabling of protect and restrict options
2. Configuring Port Security:

3/26/2014
Verifying Port Security

3/26/2014

3/26/2014
VLAN Hopping:
Mitigating VLAN Hopping:

3/26/2014
Spanning Tree Manipulation:
Mitigating Spanning Tree Manipulation:

3/26/2014
MAC Spoofing—Man-in-the-Middle Attacks:
DHCP Attacks:

3/26/2014
Mitigating DHCP Attacks:
1. Port security:
2. DHCP Snooping:
• DHCP snooping allows the configuration of ports as trusted or
untrusted.
• Untrusted ports cannot process DHCP replies.
• Configure DHCP snooping on uplinks to a DHCP server.
• Do not configure DHCP snooping on client ports.

3/26/2014

3/26/2014
Implementing Identity Management:
• Cisco ACS Features
• A centralized identity networking solution
• Manage and administer user access for many Cisco and other
devices
• Many advanced features
• TACACS+ and RADIUS server
• Combines AAA
• Cisco NAC support
• Network Access Profiles
• EAP-FAST support
• Downloadable IP ACLs
TACACS+ Overview:

3/26/2014
TACACS+ and RADIUS Comparison:

3/26/2014
Administrator Interface:

3/26/2014
ACS Policies:
• Authentication
–Authentication protocols
–User databases
• Posture validation
–For use with NAC
• Authorization
–What the user is authorized to do
–Based on identity, posture, or both

3/26/2014
Implementing Cisco IBNS:
• Cisco Identity-Based Networking Services

3/26/2014
Concept of Cisco IBSN:
• Cisco IBNS is an IEEE 802.1x-based technology solution that
increases network security by authenticating users based on personal
identity in addition to device MAC and IP address verification.
• Unified Control of User Identity for the Enterprise
Cisco VPN Concentrators, Cisco IOS Routers, Cisco PIX Firewalls
IEEE 802.1x:
• Standard set by the IEEE 802.1 working group
• A framework designed to address and provide port-based
access control using authentication
• Primarily an encapsulation definition for EAP over IEEE 802
media (EAPOL is the key protocol.)
• Layer 2 protocol for transporting authentication messages
(EAP) between supplicant (user/PC) and authenticator
(switch or access point)
• Assumes a secure connection
• Actual enforcement is via MAC-based filtering and port-state
monitoring

3/26/2014
802.1x Components:
802.1x Operation:

3/26/2014
How 802.1x Works:
The actual authentication conversation occurs between the client and the
authentication server using EAP. The authenticator is aware of this activity, but
it is just an intermediary.
EAP Over LAN (EAPOL)
What Is EAP?
• EAP—the Extensible Authentication Protocol
• A flexible transport protocol used to carry arbitrary
authentication information—not the authentication method
itself
• Typically runs directly over data-link layers such as PPP
or IEEE 802 media
• Originally specified in RFC 2284, obsolete by RFC 3748
• Supports multiple “authentication” types

3/26/2014
Current Prevalent Authentication Methods:
• Challenge-response-based
• EAP-MD5: Uses MD5-based challenge-response for authentication
• LEAP: Uses username/password authentication
• EAP-MS-CHAPv2: uses username/password MSCHAPv2 challenge-
response authentication
• Cryptographic-based
• EAP-TLS: Uses x.509 v3 PKI certificates and the TLS mechanism for
authentication
• Tunneling methods
• PEAP: PEAP tunnel mode EAP encapsulator; tunnels other EAP types in
an encrypted tunnel—much like web-based SSL
• EAP-Tunneled TLS (TTLS): Other EAP methods over an extended EAP-
TLS encrypted tunnel
• EAP-FAST: Recent tunneling method designed to not require certificates
at all for deployment
• Other
• EAP-GTC: Generic token and OTP authentication

3/26/2014

3/26/2014
802.1x and the Guest VLAN:

3/26/2014
802.1x and the Restricted VLAN:
Configuring 802.1x in Cisco IOS:
1. Enable AAA.
2. Configure 802.1x authentication.
3. Configure RADIUS communications.
4. Enable 802.1x globally.
5. Configure interface and enable 802.1x.
6. Verify 802.1x operation.

3/26/2014
Enable AAA:
Configure RADIUS Communications:

3/26/2014
Enable 802.1x Globally:
Configure Interface and Enable 802.1x:

3/26/2014
Configuring Guest and Restricted VLANs:
Verify 802.1x Operation:

3/26/2014
Introducing Cisco NFP:
Network Foundation Protection (NFP):
• Cisco NFP protects the network infrastructure.
• There are several tools used to secure the infrastructure.
Network Foundation Protection: Enterprise Model

3/26/2014
Securing the Control Plane:
• The control plane provides the functionality that builds the
tables that are necessary to properly forward traffic. These
tables, which include the routing table, forwarding table, MAC
address table, and so on.
Control Plane Attacks and Mitigation Techniques:

3/26/2014
Control Plane Protection (CPPr)
• A framework
• Provides for all policing and protection
• Extends the CoPP functionality
• Finer granularity
• Traffic classifier
• Port filtering: providing the ability to drop packets early that are
directed at closed or nonlistened-to ports.
• Queue threshold: for limiting the number of unprocessed packets
that a specific protocol can have at the process level

3/26/2014
Securing the Management Plane:
• Management Plane Provides the facilities through which the
device is configured for initial deployment and then monitored
and maintained thereafter.
• Protocols of the Management Plane
• Telnet
• SNMP
• SSH
• HTTP
• HTTPS
Tools Used to Secure the Management Plane:
• Cisco Management Plane Protection (MPP) feature for Cisco IOS
Release 12.4(6)T
• SSH access only
• ACLs on the vty ports
• Cisco IOS Software login enhancement
• Role-based CLI views

3/26/2014
Cisco IOS MPP:

3/26/2014
Verifying MPP:
Securing the Data Plane:
• Forwards network traffic as well as applies various services
to it, such as security, QoS, accounting, and so on.

3/26/2014
Data Plane Protection:
Flexible Packet Matching (FPM):

3/26/2014
Configuring FPM:
1. Load a Protocol Header Description File (PHDF)
–For header field matching
2. Create a traffic class
–Define a protocol stack and specify exact parameters to match
–Using class map type “stack” and “access-control”
3. Create a traffic policy
–Define a service policy
4. Apply the service policy to an interface
• 1 & 2 PHDFs and Class Map

3/26/2014
• 3 Traffic Policies
• 4 Applying a Service Policy to an Interface:

3/26/2014
Introducing IPsec:
• Combines three protocols into a cohesive security
framework

3/26/2014
IPsec Modes:
Authentication Header:
• RFC 2402
• IP protocol 51
• Mechanism for providing strong integrity and authentication
for IP datagrams

3/26/2014
Encapsulating Security Payload:
• RFC 2406
• IP protocol 50
• May provide the following:
• Confidentiality (encryption)
• Connectionless integrity
• Data origin authentication
• An antireplay service
Internet Key Exchange:
• RFC 2409
• A hybrid protocol consisting of:
• SKEMEA
• mechanism for using public key encryption for authentication
• Oakley
• A modes-based mechanism for arriving at an encryption key between
two peers
• ISAKMP
• An architecture for message exchange, including packet formats and
state transitions between two peers
• Phase-based

3/26/2014
How IKE Works:
• IKE is a two-phase protocol.
Internet Security Association and Key Management
Protocol (ISAKMP):
• RFC 2408
• UDP 500
• Defines procedures for:
• Authenticating a peer
• Creation and management of SAs
• Key generation techniques
• Threat mitigation

3/26/2014
Other Protocols and Terminology
IPsec Configuration Task List:
1. Check network connectivity
2. Ensure ACLs lists are compatible with Ipsec
• Allow IP protocols 50 and 51
• Allow UDP 500
3. Configure IKE
• ISAKMP
4. Configure Ipsec
• Create crypto ACLs
• Define transform sets
• Create crypto map entries
• Set global lifetimes for IPsec SAs
• Apply crypto map to the interface

3/26/2014
IPsec VPN Deployment:
• Site-to-site VPNs
• Fully meshed (static)
• Hub (static) and spoke (dynamic)
• Fully meshed on demand (dynamic)
• DMVPN: provide for a combination of static and dynamic on-
demand tunnels
• Remote-access VPNs
• Cisco Easy VPN
• WebVPN (Cisco IOS SSL VPN)
Fully Meshed VPNs:
• There are static public addresses between peers.
• Local LAN addresses can be private or public.

3/26/2014
Hub-and-Spoke VPNs:
• Static public address needed at the hub only.
• Spoke addresses can be dynamically applied using DHCP.
Dynamic Multipoint VPNs:

3/26/2014
Cisco Easy VPN:
Cisco IOS WebVPN:
• Integrated security and routing
• Clientless and full network SSL VPN access

3/26/2014
Implementing IPsec VPNs Using Pre-
Shared Keys:
• Prepare for ISAKMP and IPsec.
• Configure ISAKMP
• Pre-shared key authentication
• Configure IPsec transforms.
• Create ACLs for encryption traffic (crypto ACLs).
• Configure crypto map.
• Apply crypto map to an interface.
• Test and verify IKE and IPsec.
Planning the IKE Policy:
• Determine the following policy details:
• Key distribution method
• Authentication method
• IPsec peer IP addresses and hostnames
• ISAKMP policies for all peersEncryption algorithm
• Hash algorithm
• IKE SA lifetime

3/26/2014
IKE Phase 1 Policy Parameters:

3/26/2014
IPsec Transforms

3/26/2014
Identify IPsec Peers:
Configuring ISAKMP:
• Step 1: Enable or disable ISAKMP.
• Step 2: Create ISAKMP policies.
• Configure authentication method
• Pre-shared keys
• Step 3: RSA signatures (when using PKI).
• Step 4: Verify ISAKMP configuration.

3/26/2014
• Step 1: Enable or Disable ISAKMP
• Step 2: Create ISAKMP Policies:

3/26/2014
• Create ISAKMP Policies with the crypto isakmp
Command:
• Step 3: Configure Pre-Shared Keys:

3/26/2014
Configuring IPsec:
• Step 1: Configure transform sets.
• Step 2: Configure global IPsec SA lifetimes.
• Configure Transform Sets:

3/26/2014
• crypto ipsec security-association lifetime:
Purpose of Crypto Maps:
• Crypto maps pull together the various parts configured for
IPsec, including:
• Which traffic should be protected by IPsec
• Where IPsec-protected traffic should be sent
• The local address to be used for the IPsec traffic
• Which IPsec type should be applied to this traffic
• Whether SAs are established manually or via IKE
• Other parameters needed to define an IPsec SA

3/26/2014
• IPsec Configuration Example:
Implementing IPSec VPNs Using PKI:

3/26/2014
Digital Signatures:

3/26/2014
X.509v3 Digital Certificate:
Certificate Enrollment:

3/26/2014
Configuring a Site-to-Site VPN Using PKI:
• Prepare for ISAKMP and IPsec
• Configure CA support
• Configure ISAKMP for Ipsec
• rsa-sig authentication
• Configure IPsec transforms
• Create ACLs for encryption traffic (crypto ACLs)
• Configure crypto map
• Apply crypto map to an interface
• Test and verify IPsec
• Set the Router Time and Date:

3/26/2014
• Configuring a Hostname and Domain Name:
• Add a CA Server Entry to the Router Host Table:

3/26/2014
• Generate an RSA Key Pair:
• Declaring a CA:

3/26/2014
• Authenticate the CA:
• Request Your Own Certificate:

3/26/2014
• Verify the CA Support Configuration:
Configuring GRE Tunnels:
• Generic Routing Encapsulation (GRE) was designed to carry
multiprotocol and IP multicast traffic between sites that might not
have IP connectivity.
• RFCs 1701, 1702, 2784
• Uses IP protocol 47 when encapsulated within IP
• Allows passing of routing information between connected networks
• One of the significant advantages of GRE tunneling over (non-VTI)
IPsec tunnels is that GRE uses Cisco IOS Software interfaces that
can utilize QoS features.
• GRE does have some limitations:
■ GRE provides no cryptographic protection for traffic and must be combined
with IPsec to provide it.
■ There is no standard way to determine the end-to-end state of a GRE
tunnel. Cisco IOS Software provides proprietary GRE keepalives for this
purpose.

3/26/2014
• Deployment Scenario:

3/26/2014
Configuring a GRE Tunnel:
1. Create and identify the tunnel interface.
2. Configure the tunnel interface source address.
3. Configure the tunnel interface destination address.
4. Bring up tunnel interface (administratively).
5. Configure routes.

3/26/2014
GRE/IPsec:

3/26/2014
GRE with Encryption Example:
Configuring a DMVPN:
• The Cisco DMVPN feature allows administrators to deploy scalable
IPsec VPNs for both small and large networks.
• Relies on:
• IPsec profiles
• Next Hop Resolution Protocol (NHRP): The NHRP database maintains
mappings between the router (public, physical interface) and the tunnel
(inside the tunnel interface) IP addresses of each spoke.
• multipoint Generic Routing Encapsulation (mGRE): allows a single Generic
Routing Encapsulation (GRE) interface to support multiple GRE tunnels
and makes the configuration much easier
• Benefits:
• Hub router configuration reduction
• Automatic IPsec encryption initiation
• Support for dynamically addressed spoke routers
• Dynamic tunnel creation for spoke-to-spoke tunnels

3/26/2014
Single DMVPN Topology:
Dual DMVPN Topology:

3/26/2014
DMVPN Deployment Models:
DMVPN Configuration Tasks:
• ISAKMP and IPsec configuration
• Tunnel protection configuration
• IPsec profiles
• Tunnel interface configuration
• mGRE configuration
• NHRP configuration
• Routing protocol configuration

3/26/2014
• ISAKMP and IPsec:
• IPsec Profile:

3/26/2014
• DMVPN Example:

3/26/2014

3/26/2014
• DMVPN Routing Tables:
• DMVPN NHRP Mapping Tables:

3/26/2014
• IPsec Profile:
• Hub Configuration:

3/26/2014
• Spoke Configuration:
Configuring Cisco IOS SSL VPN (WebVPN):
Remote-Access Modes:

3/26/2014
Configuring WebVPN:
• WebVPN prerequisites:
• Configure AAA
• Local or ACS authentication
• Configure DNS
• Router hostname and domain name
• Map host to IP address in router host table
• Configure certificates and trustpoints
• CA or self-signed
• WebVPN configuration
• Configure a WebVPN gateway
• Configure a WebVPN context
• Configure a URL list for clientless access
• Configure Microsoft file shares for clientless access
• Configure application port forwarding
• Configure a WebVPN policy group
• AAA Configuration—Local Authentication

3/26/2014
• AAA Configuration—External Authentication
• DNS Configuration

3/26/2014
• Gateway Configuration Commands:
• Context Configuration Commands:

3/26/2014
• URL Lists
• Group Policy Configuration Commands:

3/26/2014
Configuring Cisco Easy VPN Remote Access:
Cisco Easy VPN is made up of two components:
• Cisco Easy VPN Server: Enables Cisco IOS routers, Cisco
ASA/Cisco PIX Firewall, and Cisco VPN 3000 Series
Concentrators to act as VPN headend devices in site-to-site
or remote-access VPNs, where the remote office devices are
using the Cisco Easy VPN Remote feature.
• Cisco Easy VPN Remote: Enables Cisco IOS routers,
Cisco ASA/Cisco PIX Firewall, and Cisco VPN 3002
Hardware Clients or Cisco VPN Software Clients to act as
remote VPN Clients.
Remote Access Using Cisco Easy VPN:

3/26/2014
Cisco Easy VPN Remote Connection Process:
Cisco Easy VPN Remote Configuration General Tasks
for Access Routers:
• Configure the DHCP server pool.
• Configure the Cisco Easy VPN Remote client profile.
• Group and key
• Peer
• Mode
• Manual or automatic tunnel control
• Assign the Cisco Easy VPN Remote client profile to the
interfaces.
• Verify the Cisco Easy VPN configuration.

3/26/2014

3/26/2014
Cisco Easy VPN Server—General Configuration Tasks:
The following general tasks are used to configure Cisco Easy
VPN Server on a Cisco router:
• (Optional) Create IP address pool for connecting clients
• Enable group policy lookup via AAA
• Create an ISAKMP policy for remote VPN Client access
• Define a group policy for mode configuration push
• Apply mode configuration and XAUTH
• Enable RRI for the client
• Enable IKE
• Configure XAUTH
• (Optional) Enable the XAUTH Save Password feature

3/26/2014
• Create ISAKMP Policy for Remote VPN Client Access
• Create Transform Sets

3/26/2014
Examining Cisco IOS Firewall:
• Deploy:
• As an Internet Firewall
• Between groups on internal network
• As a VPN end point from branches
• Between partner network and corporate
• Features:
• Cisco IOS Software Stateful Packet Inspection
• Protection Against Attack
• Alerts and Audit Trails
• Authentication Proxy
• Support for NAT and Port-to-Application Mapping (PAM)
Cisco IOS Firewall Feature Set:
• Classic firewall
• Authentication proxy
• Cisco IOS IPS
• ACLs
• TCP Intercept
• PAM
• NAT
• Security server support
• RADIUS, TACACS+, Kerberos
• User authentication and authorization

3/26/2014
Cisco IOS Firewall Authentication Proxy:
Cisco IOS IPS:

3/26/2014
Configuring Cisco IOS Classic Firewall:
• Context-Based Access Control (CBAC), which applied policies
through inspect statements and configured access control lists
(ACL) between interfaces.
• The Zone-Based Policy Firewall (ZBPFW) is the next Cisco
implementation of a router based firewall that runs in Cisco IOS
Software. It was introduced in IOS Release 12.4(6)T.
• As was supported by CBAC, the ZBPFW supports stateful
inspection as well as Application Inspection and Control (AIC),
which is also referred to as Deep Packet Inspection (DPI). This
includes inspection support for Layers 3 through 7.
• As mentioned previously, one of the main differences between
a firewall using CBAC and ZBPFW is the use of security zones.

3/26/2014
IOS Classic Firewall Configuration:

3/26/2014

3/26/2014
Configuring Cisco IOS Zoned-Based
Policy Firewall:

3/26/2014
Zoning Rules Summary:
• If two interfaces are not in zones, traffic flows freely
between them.
• If one interface is in a zone, and another interface is not in
a zone, traffic may never flow between them.
• If two interfaces are in two different zones, traffic will not
flow between the interfaces until a policy is defined to
allow the traffic

3/26/2014
Configuring a Cisco IOS Zone-Based Policy Firewall:
1. Identify interfaces that share the same function security
and group them into the same security zones.
2. Determine the required traffic flow between zones in
both directions.
3. Set up zones.
4. Set up zone pairs for any policy other than deny all.
5. Define class maps to describe traffic between zones.
6. Associate class maps with policy maps to define actions
applied to specific policies.
7. Assign policy maps to zone pairs.

3/26/2014

3/26/2014
Configuring Cisco IOS Firewall
Authentication Proxy:
• HTTP, HTTPS, FTP, and Telnet authentication
• Provides dynamic, per-user authentication and
authorization via TACACS+ and RADIUS protocols
• Once authenticated, all types of application traffic can be
authorized
• Works on any interface type for inbound or outbound
traffic

3/26/2014
Configuring Cisco IOS IPS:

3/26/2014
• Uses the underlying routing infrastructure
• Inline deep packet inspection
–Software based inline intrusion prevention sensor
• IPS signature support
–Signature based packet scanning, uses same set of signatures as IDS
Sensor platform
–Dynamic signature update (no need to update IOS Image)
–Customized signature support
• Variety of event actions configurable per-signature basis
• Parallel signature scanning
• Named and numbered extended ACL support
Cisco IPS Hardware Modules:

3/26/2014
Signature Engines:
Signature Actions:
• Alarm
• Send alarm via Syslog and SDEE
• Reset
• Applys to TCP connection. Send reset to both peers
• Drop
• Drops the packet
• DenyAttackerInline
• Blocks the attacker’s source IP address completely. No connection can be
established from the attacker to the router until the shun time expires (this
is set by the user).
• DenyFlowInline
• Blocks the appropriate TCP flow from the attacker. Other connections from
the attacker can be established to the router

3/26/2014
Event Risk Rating Calculation:
Signature Definition File (SDF):
• A SDF contains all or a subset of the signatures
supported by Cisco IPS.
• An IPS loads the signatures contained in the SDF and
scans incoming traffic for matching signatures.
• The IPS enforces the policy defined in the signature
action.
• Cisco IPS uses the SDF to populates internal tables with
the information necessary to detect each signature.
• The SDF can be saved on the router flash memory.
• SDFs are downloaded from cisco.com.
• Two pre-built SDFs:
• 256MB.sdf
• 128MB.sdf

3/26/2014
Issues to Consider:
• Memory use and performance impact
• Limited persistent storage
• CPU-intensive
• Updated signature coverage
• More than 1500 common attacks
Configuration Tasks:
• Install Cisco IOS Firewall IPS on the router:
• Specify location of SDF.
• Create an IPS rule.
• Attach a policy to a signature (optional).
• Apply IPS rule at an interface.
• Configure logging via syslog or SDEE.
• Verify the configuration.

3/26/2014
Configure SDEE and HTTPS Server on the Cisco ISR:

3/26/2014

3/26/2014
Tune Signature in Cisco Configuration Professional:
Configure Event Action Override:

3/26/2014
Configure Event Action Filter:
Network Address Translation (NAT):
NAT Types:

3/26/2014
• Static NAT Example:
• Dynamic NAT Example:

3/26/2014
• PAT Example:

3/26/2014

3/26/2014
After Implementing Mitigation Techniques:

CCNP Security-Secure

More Related Content

What's hot (20)

Viewers also liked (14)

Similar to CCNP Security-Secure (20)

Recently uploaded (20)

CCNP Security-Secure