UNetLab topologies now available.

It seems that (and I am very thankful for this) UNetLab is making strong gains in popularity, as it should.

Whilst I do get the occasional email asking for setup help with GNS3 (which I am more than happy to do), I get far more emails asking when the book topologies will be available for UNetLab.

So, now that things have quietened down a bit, I have had time to do this.

On the relevant pages (above, under the Books menu) there are links for the files for the main topologies for all the books.

They are also here, to make it easier.

To import them you just need to create a folder called 802101 (you don't really have to have a folder, but it makes it neater).

Once that's done, go into the folder and then import an external object. Make sure it's the whole zip file!

Then you should get a nice bunch of new labs.

The download links are below.

UNetLab Topology download links:

BGP for Cisco Networks
MPLS for Cisco Networks
VPNs and NAT for Cisco Networks

CCIE Security Written: Passed. Labbing begins again soon!

Just come out of the CCIE Security Written exam. I passed it after a couple of weeks' study. I am not going to break any NDAs here, so it'll be a brief post. Certainly working in a PCI/HIPAA/SOX environment does help; I spend a lot of time discussing and implementing security, so I started with a good foundation.

Most of the stuff was pretty well covered in the posts I have done over the last couple of weeks. There were a couple of curve balls, but not enough to put a dampener on it.

This gets it out of the way before Christmas, so I can afford to have a little bit of a break now before the new year.


So, I have a couple of things to do. Finish the UNetLab topologies for the books: lots of people have been asking for them, and have been very patient, which was appreciated. I plan to finish them this week.

The proof of the next book (CCNA and Beyond) should arrive soon, so I should be able to finish it off over the Christmas period.

Then I have 18 months to prepare for and take (and hopefully pass) the lab.
I'd like to get this down to a year, which leaves 6 months for one or more attempts at the lab.

I will carry on with my own CCIE Security lab. Since starting it, there has been a new ASA image released which has a smaller memory footprint, so that will definitely help with resources.

Still need to work out some WSA stuff - the VM doesn't want to play nicely, and then there is the whole licensing thing.

So, lots of challenges, but I now have (a maximum of) 18 months to do it.

CCIE Security: Theory - Section 5.7 - 5.15

Last bunch of notes!

Lots of this has already been covered (IPsec & PKI for example). It's a bit brief; most of it is common sense (like knowing what a VPN client is...). Most of the technologies listed are end of life (EoL) anyway.

Feel free to comment with anything useful to flesh it out a bit.

5.7 Cisco Secure ACS Solution Engine

Access policy control platform
Device administration
Remote access
Wireless
NAC
RADIUS & TACACS+
LDAP, ODBC, MS AD
PAP, CHAP, MS-CHAP, EAP
dACLs

5.8 Cisco Network Admission Control (NAC) Appliance Server

Uses Cisco Clean Access Agent - checks for patches etc. Now EoL.

5.9 Endpoint and client

5.9.a Cisco AnyConnect VPN Client

Uses SSL/TLS (with DTLS for the data path) or IPsec with IKEv2

5.9.b Cisco VPN Client

5.9.c Cisco Secure Desktop

CSD - minimises the risk of data being left on, or taken from, the endpoint during a clientless SSL VPN or AnyConnect VPN session.
Flow:
User connects (clientless SSL VPN or AnyConnect VPN)
ASA downloads HostScan to the endpoint
Prelogin checks:
OS
Specified files
Specified registry keys
Digital certificates
IPv4 or IPv6 address within a specified range
HostScan gathers AV, firewall and antispyware version information
Endpoint does not meet requirements - login denied, interaction stops
Endpoint does meet requirements - prelogin policy assigned, interaction continues
HostScan checks for keystroke loggers & host emulation
AV, firewall, antispyware remediation
User logs in
ASA applies a dynamic access policy (DAP) to the session
User terminates the session, HostScan terminates, Cache Cleaner cleans up.

5.9.d Cisco NAC Agent

5.10 Secure access gateways (Cisco IOS router or ASA)

5.10.a IPsec

Already covered pretty much.

5.10.b SSL VPN

http://www.cisco.com/c/en/us/td/docs/ios/12_4t/12_4t11/htwebvpn.html
http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/sec_conn_sslvpn/configuration/15-mt/sec-conn-sslvpn-15-mt-book/sec-conn-sslvpn-smart-tunnels-support.pdf
Clientless, thin-client & full-tunnel modes.
Smart tunnels - redirect a specified application's TCP traffic over the clientless session using the Winsock library, without needing administrator rights on the client.
Restrictions: do not support split-tunnelling, Cisco Secure Desktop, private socket libraries or MAPI proxy; cannot start in two web browsers simultaneously.

5.10.c PKI

Already covered.

5.11 Virtual security gateway

Multi-tenant, zone-based, context-aware. Offloads packet-intensive processing to the Nexus 1000V (via vPath). Supports active/standby HA and VXLAN.

5.12 Cisco Catalyst 6500 Series ASA Services Modules

Already covered ASA.

5.13 ScanSafe functionality and components

Cloud Web Security:
malware protection
DLP
LDAP integration
reporting
EoL - replaced w/ UTM (ASA, SourceFire & WSA)

5.14 Cisco Web Security Appliance and Cisco Email Security Appliance

WSA: web proxy, URL filtering, anti-malware. ESA: anti-spam, anti-virus and DLP for email.

5.15 Security management

All much of a muchness.

5.15.a Cisco Security Manager
5.15.b Cisco Adaptive Security Device Manager (ASDM)
5.15.c Cisco IPS Device Manager (IDM)
5.15.d Cisco IPS Manager Express (IME)

Supports up to ten IPS units

5.15.e Cisco Configuration Professional

Smart wizards & advanced configuration support for LAN and WAN, NAT, stateful and application firewall policy, IPS, IPSec, & SSL VPN, QoS & NAC.
One-click router lockdown
Voice & Security auditing capabilities
Monitor router status
Troubleshooting

Express version lives on flash in ISRs:
Basic configuration of interfaces
Hostname, DNS, DHCP configs
User management
Plug-and-play server
dashboard for troubleshooting & CLI

5.15.f Cisco Prime

simplifies network management
improves operational efficiency
delivers predictable services
lower TCO

CCIE Security: Theory - Section 6

6.0 Cisco Security Technologies and Solutions

6.1 Router hardening features (for example, CoPP, MPP, uRPF, and PBR)

CoPP - Control Plane Policing
Protects the route processor (RP) from unnecessary or DoS traffic by rate-limiting what is punted to the control plane, giving priority to legitimate control and management traffic. On the Catalyst 6500 it works alongside the PFC3 hardware rate limiters.
The PFC3 rate limiters cover cases an ACL cannot classify: IP options, TTL and MTU failures, packets with errors and multicast packets.
CoPP protects the control and management planes, preserving routing stability, reachability & packet delivery. Policies are built with MQC (class-map / policy-map) and applied with "service-policy input" under "control-plane".
Disabled by default. On the 6500, enable with "mls qos" so the policy can be enforced in hardware.
Supports multicast & broadcast traffic.
The log keyword is not supported in CoPP-policy ACLs.
Can exhaust TCAM.
Does not support MAC ACLs.
Match criteria: ip precedence, ip dscp, access-group.
Only IP ACLs are supported in hardware.
Verify with "show policy-map control-plane".
MPP - Management Plane Protection
Restricts interfaces on which network management packets are allowed to enter a device.
Requires CEF
Disabled by default
Supports:
BEEP
FTP
HTTP/HTTPS
SSH (v1 & v2)
SNMP
Telnet
TFTP

Benefits:
Greater access control
Improved performance for data packets on non-management interfaces
Network scalability
Simplifies use of per-interface ACLs to restrict management access
Fewer ACLs needed to restrict access to the device
Management packet floods on switching and routing interfaces prevented from reaching CPU

Implementation:
enable
conf t
control-plane host
management-interface fa0/0 allow ssh snmp
show management-interface
uRPF - Unicast Reverse Path Forwarding
Limits spoofed traffic by verifying that the source address of a packet is reachable according to the FIB; if the check fails the packet is discarded.
Strict, loose or VRF mode.
Strict -
The packet must arrive on the interface the router would use to forward traffic back to the source. Can drop legitimate traffic if routing is asymmetric.
Loose -
The source address must have a route in the FIB via any interface. Add the "allow-default" option to let a default route count as a valid route. More scalable than strict, and the usual choice on ISP edges.
Implementation:
interface fa0/0
ip verify unicast source reachable-via {rx | any} [allow-default]
Firewall:
ip verify reverse-path interface <interface>
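The strict/loose decision described above, as an added example (my code, not from the original post or from Cisco): a Python model of the uRPF check against a constructed FIB with hypothetical interface names, showing why strict mode drops legitimate traffic when routing is asymmetric and what the allow-default keyword changes.

```python
import ipaddress

# Constructed FIB (prefix -> egress interface); interface names are hypothetical.
# Longest prefix match wins, as it does on the router.
FIB = {
    ipaddress.ip_network("10.1.0.0/16"):    "Gi0/0",  # customer A, primary link
    ipaddress.ip_network("10.1.5.0/24"):    "Gi0/1",  # more specific, via a second link
    ipaddress.ip_network("192.168.0.0/16"): "Gi0/2",
    ipaddress.ip_network("0.0.0.0/0"):      "Gi0/3",  # default route towards upstream
}
# Same table without the default route, to show the "no route at all" case.
FIB_NO_DEFAULT = {p: i for p, i in FIB.items() if p.prefixlen > 0}


def fib_lookup(src, fib=FIB):
    """Longest-prefix match for src; returns (prefix, egress interface) or None."""
    addr = ipaddress.ip_address(src)
    best = None
    for prefix, egress in fib.items():
        if addr in prefix and (best is None or prefix.prefixlen > best[0].prefixlen):
            best = (prefix, egress)
    return best


def urpf_check(src, ingress, mode="strict", allow_default=False, fib=FIB):
    """True if a packet from src arriving on ingress passes uRPF.

    mode="strict"  models 'ip verify unicast source reachable-via rx'
    mode="loose"   models 'ip verify unicast source reachable-via any'
    allow_default  models the [allow-default] keyword (a default route counts)
    """
    match = fib_lookup(src, fib)
    if match is None:
        return False                      # no route back to the source: drop
    prefix, egress = match
    if prefix.prefixlen == 0 and not allow_default:
        return False                      # only the default route matched
    if mode == "loose":
        return True                       # a route via any interface is enough
    return egress == ingress              # strict: must be the return interface


def dropped(flows, mode, allow_default=False, fib=FIB):
    """Apply the check to constructed (src, ingress) tuples; return those dropped."""
    return [f for f in flows if not urpf_check(f[0], f[1], mode, allow_default, fib)]


if __name__ == "__main__":
    # Constructed sample: a legitimate flow that arrives on the "wrong" link because
    # routing is asymmetric, a source spoofed from another customer's range, and an
    # Internet source that only matches the default route.
    sample = [("10.1.5.7", "Gi0/0"), ("10.1.5.7", "Gi0/1"),
              ("192.168.9.9", "Gi0/0"), ("203.0.113.5", "Gi0/3")]
    print("strict drops:", dropped(sample, "strict"))
    print("loose drops: ", dropped(sample, "loose"))
    print("loose + allow-default drops:", dropped(sample, "loose", allow_default=True))
```

Strict mode drops the asymmetric 10.1.5.7 flow arriving on Gi0/0 (the "legitimate traffic" caveat), while loose mode lets the spoofed 192.168.9.9 through because some route for it exists; loose only catches sources with no route at all, which is why it is normally paired with an explicit ingress ACL at the customer edge.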
PBR - Policy-Based Routing
Routes packets according to a defined policy for traffic flows rather than purely by destination prefix, giving more control over the path taken.
Classify traffic (match criteria, typically an ACL)
Set IP precedence (differentiated class of service)
Route matching packets to a specific next hop or interface.

6.2 Switch security features (for example, anti-spoofing, port, STP, MACSEC, NDAC, and NEAT)

Anti-spoofing:
- unicast RPF (above)
- IP source guard - uses the DHCP snooping binding table to dynamically configure a PACL on the L2 access port, so only the source IP the host was leased (optionally the MAC as well) is accepted.
ip dhcp snooping
ip dhcp snooping vlan <vlan range>
interface fa0/1
 ! uplink towards the DHCP server must be trusted, or offers are dropped and no bindings form
 ip dhcp snooping trust
interface fa0/0
 ip verify source
Port security: - same as the R&S material (maximum MAC addresses per port, sticky learning, violation protect/restrict/shutdown)
STP: - disable dynamic trunking (DTP) on access ports, BPDU guard on access/PortFast ports, root guard on ports that must never lead to the root, and keep the STP domain small (PVST per VLAN).
MACsec: - provides hop-by-hop secure communication on wired LANs (802.1AE). Each frame is encrypted and integrity-protected using a symmetric key.
Most useful in the access layer (host to switch).
http://www.cisco.com/c/en/us/products/collateral/ios-nx-os-software/identity-based-networking-services/deploy_guide_c17-663760.html
Offers confidentiality, integrity, flexibility and network intelligence (frames are decrypted in each switch, so NetFlow, ACLs and other features still see the traffic)
Limitations:
not all endpoints support MACsec
line-rate encryption requires updated hardware on the access switch
MACsec may affect other technologies (IP telephony)
Uses:
EAP, EAP method, MACsec Key Agreement (MKA), Security Association Protocol (SAP), EAPoL, RADIUS

NDAC: - TrustSec Network Device Admission Control - a TrustSec device authenticates with 802.1X when connecting to another TrustSec device, before it is trusted to carry SGTs
NEAT: - Network Edge Authentication Topology
http://www.cisco.com/en/US/docs/ios-xml/ios/sec_usr_8021x/configuration/15-2mt/sec-ieee-neat.html
- uses CISP (Client Information Signalling Protocol) to propagate client MAC addresses and VLAN information between the supplicant switch and the authenticator switch. Extends secure access outside the wiring closet (e.g. a compact switch in a meeting room).
- Uses 802.1X with ACS/ISE
Restrictions:
Not supported on an EtherChannel port
Should only be deployed with auto-configuration
Does not support standard ACLs on the switch port
When the supplicant switch authenticates, the authenticator port changes from access mode to trunk mode, driven by the RADIUS VSA device-traffic-class=switch

6.3 NetFlow

v9 supports MPLS & IPv6

6.4 Wireless security

Covered pretty well under the EAP stuff.

6.5 Network segregation

6.5.a VRF-aware technologies

VTY access
Syslog, AAA, SNMP
IPSec, GRE, VPDN
DNS, DHCP, HSRP, GLBP
NAT, IPS
H.323 & SIP

6.5.b VXLAN

http://www.cisco.com/c/en/us/products/collateral/switches/nexus-9000-series-switches/white-paper-c11-729383.html
- flexible, multi-tenant
- Uses a 24-bit segment ID (VXLAN network identifier / VNID) - enables up to 16 million VXLAN segments (against 4094 VLANs).
- Uses the underlying L3 network's routing, equal-cost multipath and link aggregation
- Uses MAC-in-UDP encapsulation (UDP destination port 4789)
- Tunnels L2 over L3
- Adds 50 bytes of overhead (outer Ethernet 14 + IPv4 20 + UDP 8 + VXLAN 8) due to the MAC-in-UDP encapsulation, so the underlay needs an MTU of at least 1550 to carry a 1500-byte inner frame without fragmentation.
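The header layout and overhead arithmetic above, as an added example (my code, not from the original post or the Cisco white paper): it builds and parses the 8-byte VXLAN header, derives the 50-byte overhead and 1550-byte underlay MTU from the individual headers, and picks the outer UDP source port from a hash of the inner frame so the underlay's ECMP spreads flows; the inner frame used at the bottom is a constructed byte string.

```python
import struct
import zlib

VXLAN_UDP_PORT = 4789            # IANA-assigned destination port
VXLAN_FLAG_I = 0x08              # "I" flag: the VNI field is valid
MAX_VNI = 2 ** 24                # 24-bit VNID -> 16,777,216 segments

# Outer headers added by the MAC-in-UDP encapsulation (IPv4 underlay, no 802.1Q tag).
OUTER_ETHERNET, OUTER_IPV4, OUTER_UDP, VXLAN_HEADER = 14, 20, 8, 8


def encapsulation_overhead():
    """Bytes added to every inner frame: 14 + 20 + 8 + 8 = 50."""
    return OUTER_ETHERNET + OUTER_IPV4 + OUTER_UDP + VXLAN_HEADER


def minimum_underlay_mtu(inner_mtu=1500):
    """Underlay MTU needed so a full-size inner frame is not fragmented."""
    return inner_mtu + encapsulation_overhead()


def build_vxlan_header(vni):
    """8-byte VXLAN header: flags(1) reserved(3) VNI(3) reserved(1)."""
    if not 0 <= vni < MAX_VNI:
        raise ValueError("VNI must fit in 24 bits")
    return struct.pack("!II", VXLAN_FLAG_I << 24, vni << 8)


def parse_vxlan_header(header):
    """Return the VNI, rejecting headers without the I flag (no valid VNI)."""
    if len(header) < VXLAN_HEADER:
        raise ValueError("truncated VXLAN header")
    flags_word, vni_word = struct.unpack("!II", header[:VXLAN_HEADER])
    if not (flags_word >> 24) & VXLAN_FLAG_I:
        raise ValueError("I flag not set: VNI not valid")
    return vni_word >> 8


def underlay_src_port(inner_frame):
    """Outer UDP source port from a hash of the inner Ethernet/IP headers, so the
    L3 underlay's ECMP hashing sends different inner flows over different paths."""
    return 49152 + zlib.crc32(inner_frame[:34]) % 16384     # stays in the ephemeral range


def encapsulate(inner_frame, vni):
    """Return (udp_src_port, udp_dst_port, vxlan_header + inner_frame)."""
    return underlay_src_port(inner_frame), VXLAN_UDP_PORT, build_vxlan_header(vni) + inner_frame


def decapsulate(payload):
    """Split a UDP payload back into (vni, inner_frame)."""
    return parse_vxlan_header(payload), payload[VXLAN_HEADER:]


if __name__ == "__main__":
    inner = bytes(range(60))                       # constructed inner frame
    sport, dport, payload = encapsulate(inner, vni=5000)
    print("overhead:", encapsulation_overhead(), "min underlay MTU:", minimum_underlay_mtu())
    print("outer UDP", sport, "->", dport, "VNI back:", decapsulate(payload)[0])
```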

6.6 VPN solutions

6.6.a FlexVPN

IPsec VPN with IKEv2
Combines multiple frameworks (crypto maps, EzVPN, DMVPN) into a single, consistent set of CLI commands.
Can run alongside previous IPsec VPNs
Based on IKEv2
Uses GRE over IPsec or VTI as encapsulation.
Supports IPv4 & IPv6
Dynamic spoke-to-spoke tunnels

6.6.b DMVPN - already written about this

6.6.c GET VPN

Group Encrypted Transport VPN
Trusted group - GMs (group members) share a common SA (group SA), so any GM can decrypt traffic encrypted by another GM.
No need to negotiate point-to-point IPsec tunnels between members - tunnel-less.
Uses GDOI (Group Domain of Interpretation) between the key server and the GMs. Preserves the original IP header, so it rides the underlying routed network (e.g. an MPLS VPN) and does not need an overlay routing protocol.
KEK (key encryption key) secures the control plane (rekeys from the key server)
TEK (traffic encryption key) secures the data traffic

6.6.d Cisco EasyVPN

Implements the Cisco Unity client protocol - VPN parameters are defined centrally at the VPN remote access server and pushed to the client.
Client mode - the entire LAN behind the Easy VPN client is PATed to the IP address pushed down by the VPN server (network extension mode keeps the LAN's own addresses).
Supports split-tunnelling.

6.7 Content and packet filtering

ACLs...

6.8 QoS application for security

Not sure

6.9 Load balancing and failover

Both are good.

CCIE Security: Theory - Section 7

Jumping ahead a bit here. I'll come back to the rest shortly, but it's Sunday night, so I just want to whizz through these. Most of the last ones are just common sense: isolation of virus-infected computers, install AV, etc.

7.0  Security Policies and Procedures, Best Practices, and Standards

7.1  Security policy elements 

Definition of what it means to be secure for a system, organisation or other entity. Addresses constraints on the behaviour of members (staff) as well as on adversaries (doors, locks, keys and walls). Implements RBAC for systems access.

7.2  Information security standards (for example, ISO/IEC 27001 and ISO/IEC 27002) 

27001 formally specifies a management system that is intended to bring information security under explicit management control. Mandates specific requirements.
Was BS 7799, then BS 7799-2

Requirements:

Management should:

  • Systematically examine the organisation's security risks (threats, vulnerabilities and impacts)
  • Design & implement a coherent and comprehensive suite of information security controls
  • Adopt an overarching management process to ensure the information security controls continue to meet the organisation's information security needs

Revolves around ISMS - (Information Security Management System)

Plan, Do, Check, Act.

Domains:

Asset Management - Documents assets of company or scope in question
Asset register
Asset classification
Asset Labelling
Access control - implementation of access controls across all information processing systems (operating systems, applications etc)
User Registration
Password Management
Clear Work Environment
Operating System & Application Controls
Network Security

27002 - Information Security standard - code of practice for information security management

14 domains:
Security policy - management direction
Organisation of Information Security - governance
Human Resources security - security aspects for employees, joining, moving, and leaving organization
Asset Management - inventory & classification
Access control - restriction of access rights to network, systems, data
Cryptography
Physical & Environmental security - protection of computer facilities
Operation Security procedures and responsibilities
Communication Security
System acquisition
supplier relationships
information security incident management
information security aspects of BCP
compliance

7.3  Standards bodies (for example, ISO, IEC, ITU, ISOC, IETF, IAB, IANA, and ICANN) 

ISO - International Organisation for Standardization
Independent, non-governmental. 164 member countries.
Member bodies - considered the most representative standards body in each country. The only ones that have voting rights.
Correspondent members - countries that do not have own standards organization
Subscribers - countries w/ small economies. pay reduced fees.
IEC - International Electrotechnical Commission
Works closely w/ ISO - concerned w/ electronics
ITU - International Telecommunication Union -  information & communication techniques
ISOC - Internet Society - internet-related standards. Organisational home of the IETF
IETF - Internet Engineering Task Force - Develops and promotes voluntary Internet Standards- i.e TCP/IP suite
IAB - Internet Architecture Board - committee charged with oversight of technical and engineering development of the Internet by the ISOC.
IANA - Internet Assigned Numbers Authority. Department of ICANN
ICANN - Internet Corporation for Assigned Names and Numbers - Looks after TLDs, DNS root


7.4  Industry best practices (for example, SOX and PCI DSS) 

SOX - Sarbanes-Oxley Act - Public Company Accounting Reform and Investor Protection Act / Corporate and Auditing Accountability and Responsibility Act.
Came about after Enron & WorldCom. Criminal penalties for misconduct; required the SEC to create regulations defining how public companies comply with the law. US law - not really a "best practice".

PCI DSS - Payment Card Industry Data Security Standard - proprietary security standard that increases controls around cardholder data to reduce credit card fraud. Compliance is validated by a Qualified Security Assessor (QSA), or by self-assessment questionnaire for smaller merchants.
Objectives:
Build and maintain a secure network (install and and maintain a firewall, do not use vendor-supplied defaults for passwords)
Protect Cardholder data (protect cardholder data, encrypt transmission of cardholder data)
Maintain a vulnerability management program (use AV software, develop and maintain secure systems)
Implement strong access controls (restrict access to cardholder data by business need-to-know, assign a unique ID to each person w/ computer access (no shared accounts), restrict physical access to cardholder data)
Regularly monitor and test networks (track and monitor all access, regularly test security systems and processes)
Maintain an information security policy (maintain a policy that addresses information security)

HIPAA - Health Insurance Portability and Accountability Act - protects health insurance coverage for workers when they lose or change jobs; national standards for electronic health care transactions, and (via the Security Rule) safeguards for electronic protected health information.

GLBA - Gramm-Leach-Bliley Act - Financial Services Modernization Act (1999) - removed the prohibition on any one institution acting as investment bank, commercial bank and insurance company. Citicorp (holding company) merged with Travelers Group to form Citigroup and had to get a waiver from the Federal Reserve until GLBA came in. Its Safeguards Rule requires financial institutions to protect customer information.


7.5  Common RFC and BCP (for example, RFC2827/BCP38, RFC3704/BCP84, and RFC5735) 

RFC2827 / BCP38 - network ingress filtering - defeating DoS attacks that use IP source address spoofing
RFC3704 / BCP84 - ingress filtering for multihomed networks (the uRPF strict/loose/feasible-path discussion)
RFC5735 - Special-Use IPv4 addresses (the blocks that should never appear as a source on an Internet-facing interface)
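The two filtering ideas in this section put together, as an added example (my code, not from the original post or the RFCs): a static BCP38 ingress check (accept only sources inside a customer's assigned blocks on a customer-facing port, and never our own blocks from upstream) plus a RFC 5735 special-use source check, run over constructed flow records. Unlike uRPF this does not consult a FIB; it is the explicit ACL you would write at the edge. The customer block 100.64.5.0/24 and the records are hypothetical, chosen only because they are not in the RFC 5735 list.

```python
import ipaddress
from collections import Counter

# RFC 5735 special-use IPv4 blocks: none of these is a legitimate source address on
# an Internet-facing or customer-facing ingress interface.
SPECIAL_USE = [ipaddress.ip_network(p) for p in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16", "172.16.0.0/12",
    "192.0.0.0/24", "192.0.2.0/24", "192.88.99.0/24", "192.168.0.0/16",
    "198.18.0.0/15", "198.51.100.0/24", "203.0.113.0/24", "224.0.0.0/4",
    "240.0.0.0/4", "255.255.255.255/32",
)]


def is_special_use(src):
    """True if src falls in one of the RFC 5735 blocks."""
    addr = ipaddress.ip_address(src)
    return any(addr in block for block in SPECIAL_USE)


def ingress_decision(src, role, prefixes=()):
    """What the ingress filter does with a packet whose source is src.

    role="customer": BCP38 - prefixes are the customer's assigned blocks; only
                     sources inside them are accepted from that port.
    role="upstream": prefixes are our own blocks; they must never arrive from the
                     outside, and neither may RFC 5735 special-use sources.
    """
    addr = ipaddress.ip_address(src)
    if is_special_use(src):
        return "deny-special-use"
    inside = any(addr in ipaddress.ip_network(p) for p in prefixes)
    if role == "customer":
        return "permit" if inside else "deny-spoofed"
    if role == "upstream":
        return "deny-spoofed" if inside else "permit"
    raise ValueError(f"unknown role {role!r}")


def summarise(records, role, prefixes=()):
    """Run the decision over flow records of the form 'src dst' and count outcomes."""
    counts = Counter()
    for line in records:
        src, _dst = line.split()
        counts[ingress_decision(src, role, prefixes)] += 1
    return dict(counts)


if __name__ == "__main__":
    # Constructed flow records seen on a hypothetical customer port whose assigned
    # block is 100.64.5.0/24.
    customer_flows = [
        "100.64.5.10 100.70.1.1",    # legitimate
        "100.64.9.10 100.70.1.1",    # source outside the customer's block: spoofed
        "127.0.0.1 100.70.1.1",      # loopback as source: never valid on the wire
        "10.0.0.7 100.70.1.1",       # RFC 1918 space leaking out
    ]
    print(summarise(customer_flows, "customer", ["100.64.5.0/24"]))
```

The special-use check runs first on both roles because a customer could legitimately be assigned nothing inside those blocks, and an upstream should never deliver them; the BCP38 "deny-spoofed" verdict is what a customer-facing ACL (or strict uRPF) gives, while the upstream role is the mirror image that stops your own prefixes being spoofed back at you.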


7.6  Security audit and validation 


7.7  Risk assessment 


Establish the context
Identify the risks
Analyze the risks
Evaluate & prioritize the risks
Tackle the risks

Will add more here if something useful crops up...
7.8  Change management process 

7.9  Incident response framework 

7.10  Computer security forensics 

7.11  Desktop security risk assessment and desktop security risk management 



CCIE Security: Theory - Section 5.6 - ISE

5.6 Cisco Identity Services Engine (ISE)

ISE is a massive topic. This is only touching the tip of the iceberg.

Info comes from here: http://www.cisco.com/c/en/us/td/docs/security/ise/1-2/user_guide/ise_user_guide.html

Combines AAA into one appliance
Enforces endpoint compliance through provisioning, including 802.1X
Security Group Access (SGA) through use of Security Group Tags (SGTs) and Security Group Access Control Lists (SGACL).

User authentication supports PAP, CHAP, PEAP and EAP w/ RADIUS
Supports 802.1X, MAB, & browser based authentication
Policy sets - group sets of authentication and authorisation policies.
FIPS 140-2 - supported, but in FIPS mode EAP-MD5, LEAP, PAP and CHAP are disabled automatically, and so is guest login.

Client Posture assessment:
Cisco NAC Web Agent - temporal agent (dissolvable, runs from the browser for one session)
Cisco NAC Agent - persistent (installed on the endpoint)

Service - specific feature that a persona provides (i.e. network access, profiler, posture, security group access, monitoring and troubleshooting)
Node - individual instance that runs ISE software.
Persona - determine the services provided by a node
Deployment model - determines if deployment is distributed, standalone, or HA

Different "personas" - Administration, Monitoring, Policy Service and Inline Posture.

Flexible deployment:
Primary and secondary administration nodes for HA - like ASA Active/Standby
Pair of monitoring for auto failover
One or more policy service nodes for session failover
Pair of inline posture nodes for HA

ISE Services:

Network Access:

Profiler:

Discover, locates and determines capabilities of attached endpoints. 
Components:
  • Sensor - contains a number of probes. Captures network packets or queries network access devices, and forwards the attributes and their values to the analyser
  • Probe manager - supports the profiler service: controls the probes and starts/stops collection. An event manager within the sensor allows communication of events between the probes in the probe manager.
  • Forwarder - stores endpoints and their attributes in the ISE database and notifies the analyser of new endpoints detected on your network
  • Analyzer - evaluates the collected attributes and values against the configured policies and identity groups, classifies endpoints into the matched endpoint identity group and stores the endpoint with its matched profile in the ISE database

Probes:
NetFlow, DHCP, DHCP SPAN, HTTP, RADIUS, DNS & SNMP Query & Trap probes.

Posture:

Does not support fast user switching.

Components:
Posture Administration Service - provides back-end support for posture specific custom conditions & remediation actions
Posture Run-time Services - encapsulates the SWISS protocol and all interactions between NAC agents & Cisco ISE server.

SWISS protocol - stateless request-response protocol allowing NAC agents running on managed clients to discover the ISE server and retrieve configuration & operational information. The NAC agent uses UDP/8905 for discovery and tunnels all other requests over HTTPS.

Custom Permissions for Posture:

Unknown - no matching posture policy - then may be set to unknown. 
Compliant - matching posture policy - therefore compliant
Noncompliant - matching policy - but fails to meet the mandatory requirements during posture assessment.

Security Group Access - the SGA solution establishes clouds of trusted network devices to build secure networks. Each device in the SGA cloud is authenticated by its peers. Communication between devices is secured with encryption, message integrity checks & data-path replay protection.

SGA uses device & user identity obtained during authentication to classify packets. Classification is maintained by tagging packets as they enter the SGA network. Tag is called Security Group Tag (SGT). 

Features:

Network Device Admission Control (NDAC) - uses 802.1X & EAP-FAST. Successful authentication and authorisation in the NDAC process results in Security Association Protocol (SAP) negotiation for the link.
Endpoint Admission Control (EAC) - authentication process for an endpoint user or device. Typically happens at the access-layer switch. Successful authentication and authorisation in the EAC process results in SGT assignment to the user or device. Includes:
802.1X
MAB
WebAuth
Security Group - (SG) - grouping of users, endpoint devices, resources that share access control policies. 
Security Group Tag (SGT) - SGA service assigns each security group a unique 16-bit security group number. Can reserve a range of SGTs for SGT-to-IP mapping.
Security Group Access Control List (SGACL) - control access and permissions on the SGTs that are assigned
Security Exchange Protocol (SXP) - protocol developed for the SGA service to propagate the IP-to-SGT binding table from network devices that do not have SGT-capable hardware to hardware that supports SGT/SGACL enforcement
Environment Data download - SGA device obtains environment data from ISE -contains
Server Lists, Device SG, Expiry timeout
SGT Reservation - reserve a range of SGTs to enable IP to SGT mapping
IP-to-SGT mapping - bind an endpoint IP to an SGT and provision it to an SGA-capable device. ISE 1.2 supports 1000 IP-to-SGT mappings
Identity-to-port mapping - method for switch to define identity on a port to which endpoint is connected

Components required for SGA: 
  • User Identity Repository
  • DHCP Service
  • DNS Service
  • Certificate Authority Service
  • Target Servers
  • Endpoint PC




CCIE Security: Theory - Section 5.2 - 5.5

5.2 Cisco IOS firewalls and NAT

5.2.a CBAC

http://www.cisco.com/c/en/us/support/docs/security/ios-firewall/13814-32.html
http://packetlife.net/blog/2009/mar/10/ios-context-based-access-control-cbac/

Filters TCP & UDP based on application-layer protocol session information (stateful inspection, with deep packet inspection for the listed protocols).
ip inspect name MyCBAC ftp
ip inspect name MyCBAC smtp
ip inspect name MyCBAC tcp

int fa0/0
 ip inspect MyCBAC in
An ACL is also needed on the untrusted side denying inbound traffic; CBAC creates temporary openings in it for the return traffic of inspected sessions.

5.2.b Zone-based firewall

Stateful firewall - uses zones instead of per-interface ACLs. Interfaces are assigned to zones and security policies are applied to traffic between zones (zone pairs). Zones are security borders. The default policy between zones is deny all; traffic between interfaces in the same zone is permitted, and traffic to or from the router itself goes through the "self" zone. Can drop, pass or inspect traffic passing between zones.

http://www.cisco.com/c/en/us/support/docs/security/ios-firewall/98628-zone-design-guide.html

Supports Stateful packet inspection, VRF-aware, URL filtering, DoS mitigation

http://packetlife.net/blog/2012/jan/30/ios-zone-based-firewall/
zone security Zone1
zone security Zone2

int fa0/0
 zone-member security Zone1
int fa0/1
 zone-member security Zone2
zone-pair security Zone1->Zone2 source Zone1 destination Zone2

policy-map type inspect trusted
 class class-default
  pass
  ! "inspect" instead of "pass" would track the session and allow the return traffic statefully

zone-pair security Zone1->Zone2
 service-policy type inspect trusted

5.2.c Port-to-application mapping

http://www.cisco.com/en/US/products/sw/iosswrel/ps1835/products_configuration_guide_chapter09186a00800ca7c8.html

PAM - Enables CBAC-supported applications to be run on non-standard ports. Customize TCP or UDP port numbers for network services or applications. Establishes table of default port-to-application mapping at the firewall.

User-Defined Port Mapping - can specify range of ports, saved with default mapping information.
Host-Specific Port mapping- port mapping for specific hosts or subnets.Can map HTTP on port 8000 to one host, and Telnet on 8000 to different host.

When to use:
to apply a non-standard port number for a service or application
a specific host or subnet uses a port for an application that differs from the default in the PAM table
different hosts use the same port number for different applications

5.2.d Identity-based firewalling

See previous post about IDFW. Links in to Microsoft AD...

5.3 Cisco Intrusion Prevention Systems (IPS)
5.4 Cisco IOS IPS

http://www.cisco.com/c/en/us/td/docs/security/ips/7-0/configuration/guide/cli/cliguide7.html
http://www.cisco.com/c/en/us/td/docs/security/ips/7-0/configuration/guide/cli/cliguide7/cli_signature_engines.html#wp1138148

Supports standardized regex.
Inline or Promiscuous

Analysis engine - packet analysis & alert detection - create virtual sensors in Analysis engine.
sensors receive data from monitored streams. Virtual sensor is a collection of data defined by set of configuration policies. Default is vs0.

MainApp - initializes system, stops/starts other applications. Contains:

  • ctlTransSource - allows sensors to send control transactions
  • Event Store - stores IPS events
  • InterfaceApp - handles bypass & physical settings, defines paired interfaces
  • Logger - writes all log messages
  • Attack Response Controller (ARC) - manages remote network devices to provide blocking capabilities. Creates and applies ACLs on controlled network devices, or shun command on firewalls
  • NotificationApp - sends SNMP traps
  • Web Server (SDEE) - web interface
  • AuthenticationApp

SensorApp - analysis engine - packet capture & analysis:

  • Time processor
  • Deny filters processor
  • Signature Event Action processor - does resets, IP log, deny packets/flow/attacker, alert, block host/connection, generate SNMP trap, capture trigger packet
  • Statistics processor
  • L2 processor
  • Database processor
  • Fragment reassembly processor
  • Stream reassembly processor
  • Signature analysis processor
  • Slave dispatch processor

CollaborationApp - interfaces MainApp & SensorApp
CLI - user roles:
Viewer - can view configurations and events - no modification
Operator - can view everything & modify signature tuning, virtual sensor definition, managed router, their user passwords
Administrator
Service - can only use bash shell - only one service account

Signature engines:

AIC - analysis of web traffic, and FTP
Atomic - L3&L4 attributes, standard regex

  • Atomic ARP
  • Atomic IP Advanced - IPv6 L3 & ICMPv6 L4
  • Atomic IP - IP protocol packets & L4 transport protocols
  • Atomic IPv6 - detects two IOS vulnerabilities triggered by malformed IPv6 traffic. Inspects ND protocol types 133/134/135/136/137 (RS, RA, NS, NA, Redirect)
Has restrictions:
Cannot detect L4 field if packets are fragmented so L4 identifier does not appear in first packet
Cannot detect L4 attacks in flows w/ packets fragmented by IPv6 (no fragment reassembly)
Cannot detect attacks w/ tunnelled flows
Limited checks provided for fragmentation header
AIM IPS and NME IPS do not support IPv6 features
Anomaly detection does not support IPv6 traffic - only IPv4
Rate limiting & blocking not supported for IPv6 traffic
Fixed - parallel regular expression matches up to a fixed depth - ICMP, TCP, UDP
Flood - detects floods - flood Host & Flood Net.
Meta - Defines events
Multi String - L4 matching several strings for one signature - inspects stream-based TCP, UDP & ICMP
Normalizer - RFC compliance. Cannot add custom signatures, but can tune existing
Service

  • DNS
  • FTP
  • Generic
  • H225
  • HTTP
  • IDENT
  • MSRPC
  • MSSQL
  • NTP
  • P2P
  • RPC
  • SMB Advanced
  • SNMP
  • SSH
  • TNS

State - searches strings
String - search on regex - Sweep & Sweep other TCP
Traffic Anomaly - detects worms
Traffic ICMP - detects TFN2k, LOKI and DDOS
Trojan - BO2K & TFN2K and UDP

Event Actions:

Alert & Log Actions
produce-alert - writes evIDsAlert to Event Store
produce-verbose-alert - includes encoded dump
log-attacker-packets - starts IP logging w/ attacker address
log-victim-packets - starts IP logging w/ victim address
log-pair-packets - does both of the above (inline only)
request-snmp-trap - sends request to NotificationApp
Deny Actions
deny-packet-inline - does not transmit this packet
deny-connection-inline - does not transmit this packet & future packets on TCP flow
deny-attacker-victim-pair-inline - attacker/victim pair
deny-attacker-service-pair-inline - attacker/port pair
deny-attacker-inline - does not transmit this packet & future packets from the attacker address for a specified period of time (the sensor keeps a denied-attackers list; see "show statistics denied-attackers")
modify-packet-inline - modifies packet to remove ambiguity - see normalizer
Other Actions
request-block-connection - requests ARC to block connection
request-block-host - Requests ARC block attacker host
request-rate-limit
reset-tcp-connection - TCP resets

5.5 Cisco AAA protocols and application

5.5.a RADIUS

See http://www.802101.com/2015/11/ccie-security-theory-section-2.html

5.5.b TACACS+

See http://www.802101.com/2015/11/ccie-security-theory-section-2.html

5.5.c Device administration

Not sure what to write here.

5.5.d Network access

Or here! Probably just need to be logical...

5.5.e IEEE 802.1X

See http://www.802101.com/2015/11/ccie-security-theory-section-2.html

5.5.f VSAs

Vendor-specific attributes - RADIUS attribute 26. Cisco vendor-ID = 9, vendor-type = 1 (cisco-avpair), carrying strings such as shell:priv-lvl=15. See RADIUS.
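The attribute 26 layout with Cisco's vendor-ID 9 / vendor-type 1, as an added example (my code, not from the original post or any RADIUS library): it encodes cisco-avpair strings into complete Vendor-Specific attributes per RFC 2865 and parses them back out of an attribute blob, skipping other vendors and refusing the malformed lengths a hostile or buggy NAS could send. The avpair values and the other-vendor attribute in the main block are constructed.

```python
import struct

ATTR_VENDOR_SPECIFIC = 26    # RFC 2865 Vendor-Specific attribute
CISCO_VENDOR_ID = 9
CISCO_AVPAIR = 1             # vendor-type 1: cisco-avpair, a free-form "attr=value" string


def build_cisco_avpair(value):
    """Encode one cisco-avpair as a complete RADIUS attribute 26.

    Layout: Type(1) Length(1) Vendor-Id(4) | Vendor-Type(1) Vendor-Length(1) String
    Both length bytes count themselves, so the string may be at most 247 bytes.
    """
    data = value.encode("utf-8")
    if len(data) > 247:
        raise ValueError("cisco-avpair too long for one attribute")
    vendor_part = struct.pack("!BB", CISCO_AVPAIR, 2 + len(data)) + data
    body = struct.pack("!I", CISCO_VENDOR_ID) + vendor_part
    return struct.pack("!BB", ATTR_VENDOR_SPECIFIC, 2 + len(body)) + body


def iter_attributes(blob):
    """Yield (type, value) for each top-level attribute, refusing malformed lengths."""
    off = 0
    while off < len(blob):
        if off + 2 > len(blob):
            raise ValueError("truncated attribute header")
        atype, alen = blob[off], blob[off + 1]
        if alen < 2 or off + alen > len(blob):
            raise ValueError(f"bad attribute length {alen} at offset {off}")
        yield atype, blob[off + 2:off + alen]
        off += alen


def iter_vendor_attributes(value):
    """Split a Vendor-Specific value into (vendor_id, vendor_type, data) triples."""
    if len(value) < 4:
        raise ValueError("VSA shorter than the Vendor-Id field")
    vendor_id = struct.unpack("!I", value[:4])[0]
    off = 4
    while off < len(value):
        if off + 2 > len(value):
            raise ValueError("truncated vendor sub-attribute")
        vtype, vlen = value[off], value[off + 1]
        if vlen < 2 or off + vlen > len(value):
            raise ValueError(f"bad vendor length {vlen}")
        yield vendor_id, vtype, value[off + 2:off + vlen]
        off += vlen


def cisco_avpairs(blob):
    """Return the cisco-avpair strings in a RADIUS attribute blob, ignoring other vendors."""
    pairs = []
    for atype, value in iter_attributes(blob):
        if atype != ATTR_VENDOR_SPECIFIC:
            continue
        for vendor_id, vtype, data in iter_vendor_attributes(value):
            if vendor_id == CISCO_VENDOR_ID and vtype == CISCO_AVPAIR:
                pairs.append(data.decode("utf-8", errors="replace"))
    return pairs


if __name__ == "__main__":
    # Constructed Access-Accept attribute list: a Microsoft VSA (vendor 311) followed
    # by two Cisco avpairs that grant privilege 15 and push a downloadable ACL entry.
    other_vendor = bytes([26, 10, 0, 0, 1, 0x37, 1, 4, 0x41, 0x42])
    blob = (other_vendor
            + build_cisco_avpair("shell:priv-lvl=15")
            + build_cisco_avpair("ip:inacl#1=permit ip any any"))
    print(blob.hex())
    print(cisco_avpairs(blob))
```

Parsing with explicit bounds checks matters more than the encoding: a length byte that runs past the packet is exactly the kind of input a NAS or RADIUS proxy should reject rather than read past.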

CCIE Security: Theory - Section 5.1 - ASA

ASAs now. Looks like I need to break section 5 down into several posts. Still very much note form. Time is not on my side, so excuse any lack of coherence.

5.1 Cisco Adaptive Security Appliance (ASA)

5.1.a Firewall functionality

Advanced stateful firewall & VPN concentrator. Can have IPS module (depending on model).
Can do contexts (like tenants), clustering, be in transparent mode (L2), or routed mode (L3). Has inspection engines, IPSec VPN, SSL VPN, clientless SSL VPN.

5.1.b Routing and multicast capabilities

Supports static routes, OSPF, RIP, EIGRP, BGP (added in ASA 9.2(1)), multicast & IPv6

Static - single & multiple context, routed and transparent, supports IPv6
OSPF - single context, routed mode only (not transparent), OSPFv2 only (no IPv6) per the 8.4 docs; ASA 9.0 added OSPFv2 in multiple context mode and OSPFv3 for IPv6
EIGRP - as OSPF
RIP - also supported in multiple context mode & transparent mode
Multicast:
Not supported in transparent mode
Supported in routed mode
Supported in single context mode

5.1.c Firewall modes

http://www.cisco.com/c/en/us/td/docs/security/asa/asa84/configuration/guide/asa_84_cli_config/mode_fw.html

Routed - default - has IP address, acts as default gateway - router hop. Can do NAT, Each interface on different subnet. Can share interfaces between contexts.

Transparent mode - bump in the wire: the same subnet is on the inside and outside interfaces, traffic is bridged and the ASA is not a router hop. Supports ARP, IP, IPv6 (in 8.4 - not in 7.2).
Does not support (in 8.4):
Dynamic DNS
DHCP relay
Dynamic routing protocols
QoS
VPN termination (supported only for management traffic to the ASA itself)
UC

Management interface for management (obviously) - only allows management traffic - can have static route.

Multi-context:

Partitioning of ASA into multiple virtual devices. Each context is an individual device with own security policy, interfaces, and administrators. Can have admin context - allowing control over everything.

If multiple contexts share an interface the classifier needs something other than the interface to pick the context, and it checks in this order: unique interface (not shared), then unique MAC address (each context can have its own MAC on the shared interface, assigned with mac-address auto or manually), then the NAT configuration.

With the NAT method, traffic on the shared interface is classified by the destination IP address of the packet, which must match a mapped (translated) address in exactly one context's NAT table.

5.1.d NAT (before and after version 8.4)

NAT 8.3 and later - uses network objects (a host, a range, a subnet or an FQDN). NAT control no longer exists: a connection that matches no NAT rule passes through the ASA untranslated.
No more outside NAT versus inside NAT.
The old rule-priority model is gone; the NAT table is evaluated top-down in three sections - section 1 manual (twice) NAT, section 2 auto (object) NAT, section 3 after-auto manual NAT - and the first match wins.

5.1.e Object definition and ACLs

Can now use FQDN in ACLs - requires DNS server to be configured and a FQDN object to be created.
ACL order of operation different between 8.2 and more recent:

ASA 8.2
Packet arrives at the ingress interface - the input counter is incremented.
ASA checks its connection table: if the packet belongs to an existing connection the ACL check is bypassed and the packet is forwarded.
Otherwise the packet is checked against the interface ACLs in sequence - it continues only if permitted.
The packet is checked against the translation (NAT) rules - if it passes, a connection entry is created.
The packet undergoes the inspection checks.
The IP header is translated (per NAT/PAT). If an IPS module is involved, the packet is forwarded to the Advanced Inspection and Prevention Security Services Module (AIP-SSM).
The packet is forwarded to the egress interface after a route lookup.
Once the L3 next hop is found, L2 resolution (ARP) is performed and the MAC header is rewritten.
The packet is transmitted on the wire and the egress interface counter is incremented.

ASA 8.3
Can have interface ACL and Global ACL:
Interface ACL checked first
Global checked next
Default global (the implicit deny) checked last

5.1.f MPF functionality (IPS, QoS, and application awareness)

IPS:

Inline (in the traffic path, so it can drop) or promiscuous (works on a copy of the traffic, so it can only alert or request a block).

1. Traffic enters the ASA.
2. Incoming VPN traffic is decrypted.
3. Firewall policies are applied.
4. Traffic is sent to the IPS module over the backplane.
5. The IPS module applies its security policy to the traffic, and takes appropriate actions.
6. Valid traffic is sent back to the adaptive security appliance over the backplane; the IPS module might block some traffic according to its security policy, and that traffic is not passed on.
7. Outgoing VPN traffic is encrypted.
8. Traffic exits the adaptive security appliance.

QoS:

Single context
Routed

http://www.cisco.com/c/en/us/td/docs/security/asa/asa82/configuration/guide/config/conns_qos.html

Supports policing, priority queuing, traffic shaping

Application awareness:

Application layer protocol inspection, through Inspection engines:
DNS inspection - matches ID of reply to ID of query. Enforces maximum DNS message length (default is 512 bytes, maximum is 65535 bytes) - drops if exceed maximum. Enforces domain-name length of 255 bytes, label of 63 bytes. Uses DNS rewrite.
FTP inspection - PORT/PASV. If disable (no inspect ftp) outbound users can start only in passive mode - all inbound FTP disabled.
HTTP inspection - enhanced HTTP inspection, URL screening (websense), Java & ActiveX filtering
ICMP inspection - ensures only one response for each request & sequence number is correct
IM inspection
IP options inspection - can clear specified options and pass
NetBIOS
PPTP inspection - creates GRE connections and xlates - only version 1.
SMTP inspection - Supports:
AUTH, EHLO, ETRN, HELP, SAML, SEND, SOML, STARTTLS, VRFY, DATA, HELO, MAIL, QUIT, RCPT, RSET.
Does not support:
ATRN, ONEX, VERB, CHUNKING
TFTP

5.1.g Context-aware firewall

Who, What, when, Where, How
Active/passive authentication
AD - one realm, ASA joins domain, AD Agent, Kerberos, NTLM, Basic for active authentication
LDAP - multiple realms, basic authentication only

5.1.h Identity-based services

https://supportforums.cisco.com/document/80646/asa-idfw-identity-firewall-step-step-configuration

Uses Microsoft AD. IDFW - requires 8.4.2.
AD agent installed on windows server - communicates w/ AD & ASA

5.1.i Failover options

Active/Active & Active/standby
Failover link - Exchanges unit state, keep-alives, network link status, MAC address change, configuration replication

Stateful failover passes:
Dynamic routing tables (as of 8.4)
NAT translation table
TCP connection states
UDP connection states
ICMP connection states
ARP table
L2 bridge table (in transparent mode)
HTTP connection states (if HTTP replication enabled)
ISAKMP and IPSec SA table
GTP PDP connection database
SIP signalling sessions

Monitoring
Interfaces are monitored.  Can monitor up to 250 interfaces divided between all contexts. Should monitor important interfaces.

If unit does not receive a hello on monitored interface it does tests:

Link up/down test - if the link is operational the unit runs the network tests. At the start of each test, each unit clears the received-packet count for its interfaces to see whether it receives any traffic during the test. If neither unit receives traffic, the next test runs:
Network activity test - the unit counts received packets for up to 5 seconds. If no traffic is received it moves on to the ARP test.
ARP test - the unit reads the 2 most recently acquired entries from its ARP cache and sends ARP requests to them, attempting to provoke network traffic. If both units still receive nothing, it runs the ping test.
Broadcast ping test - the unit sends a broadcast ping and counts all received packets for up to 5 seconds.

CCIE Security: Theory - Section 4

More notes!

4.0 Threats, Vulnerability Analysis, and Mitigation

4.1 Recognize and mitigate common attacks
4.1.a ICMP attacks and PING floods

ICMP - network layer, can be used to send payloads.
ICMP tunnelling - establishes a tunnel between client and server using ICMP echo requests and replies as the carrier. A firewall or proxy that permits ping without looking at the payload will not see it; deep packet inspection should. Can use hping to test:
hping -c 1 -n <destination> -e "Secret message" -1
To detect it: an echo request with no payload (hping's default) is 42 bytes on the wire (14 Ethernet + 20 IP + 8 ICMP), and OS pings carry a fixed payload (32 bytes on Windows, 56 on Linux) with a known pattern. Use an IDS/IPS rule on the ICMP data to look for unusual payload sizes or payload content that is not the stock pattern.

Common program is LOKI.
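The size and content checks above, as an added example (not part of the original notes): it builds ICMP echo packets the way the stock Windows and Linux ping tools do, then flags payloads that do not match. The packets are constructed here rather than captured, and the "stock" patterns are the ones Windows ping and Linux iputils send.

```python
"""ICMP echo parser with a heuristic for tunnelled payloads.

Added example, not from the original notes. Packets are constructed here rather than
captured; the stock-ping payload patterns are the ones Windows ping and Linux iputils send.
"""
import string
import struct

ICMP_ECHO_REPLY, ICMP_ECHO_REQUEST = 0, 8
# Windows ping: 32 bytes of "abcdefghijklmnopqrstuvwabcdefghi".
WINDOWS_PAYLOAD = b"abcdefghijklmnopqrstuvwabcdefghi"
# Linux iputils ping: 8-byte timestamp followed by 0x10, 0x11, 0x12 ... (56 bytes total).
PRINTABLE = set(string.printable.encode())


def checksum(data):
    """RFC 1071 one's-complement sum over 16-bit words."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def build_echo(payload, ident=0x1234, seq=1, icmp_type=ICMP_ECHO_REQUEST):
    header = struct.pack("!BBHHH", icmp_type, 0, 0, ident, seq)
    return struct.pack("!BBHHH", icmp_type, 0, checksum(header + payload), ident, seq) + payload


def parse_echo(pkt):
    """Return (type, code, id, seq, payload); verifies the checksum first."""
    if len(pkt) < 8:
        raise ValueError("ICMP header truncated")
    if checksum(pkt) != 0:
        raise ValueError("bad ICMP checksum")
    icmp_type, code, _, ident, seq = struct.unpack("!BBHHH", pkt[:8])
    return icmp_type, code, ident, seq, pkt[8:]


def wire_length(payload):
    """Bytes on an Ethernet wire: 14 Ethernet + 20 IPv4 + 8 ICMP + payload (42 for hping's default)."""
    return 14 + 20 + 8 + len(payload)


def is_stock_ping(payload):
    if payload == WINDOWS_PAYLOAD:
        return True
    if len(payload) == 56:
        counter = bytes((0x10 + i) & 0xFF for i in range(48))
        return payload[8:] == counter        # the first 8 bytes are a timestamp, anything goes
    return False


def tunnel_suspicion(pkt):
    """Reasons an echo packet looks like covert data; an empty list means it looks like a normal ping."""
    icmp_type, _, _, _, payload = parse_echo(pkt)
    if icmp_type not in (ICMP_ECHO_REQUEST, ICMP_ECHO_REPLY) or is_stock_ping(payload):
        return []
    reasons = []
    if not payload:
        reasons.append("empty payload: %d-byte frame, hping-style probe" % wire_length(payload))
        return reasons
    if len(payload) not in (32, 56):
        reasons.append("unusual payload length %d" % len(payload))
    else:
        reasons.append("standard length but not the stock ping pattern")
    if sum(b in PRINTABLE for b in payload) / len(payload) > 0.9:
        reasons.append("payload is mostly printable text")
    return reasons


if __name__ == "__main__":
    for label, payload in [("windows", WINDOWS_PAYLOAD),
                           ("linux", bytes(8) + bytes(range(0x10, 0x40))),
                           ("hping -e", b"Secret message"),
                           ("hping default", b"")]:
        print(label, tunnel_suspicion(build_echo(payload)))
```

A real sensor would read the ICMP bytes from a capture or a raw socket; the checks themselves (payload size, stock pattern, printable ratio) are what an IDS signature for ICMP tunnelling boils down to.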

Smurf attack - an echo request (type 8) gets an echo reply (type 0). The attacker spoofs the victim's address as the source and sends echo requests to a network's broadcast address; every host on that network replies to the victim and the network is congested.

Mitigation:
Filters on routers to counteract spoofing. Filter broadcasts on L3 devices.
"no ip directed-broadcast"

Fraggle attack - same as Smurf but uses UDP. prevention is the same.

ICMP is also used for information gathering: because the TTL is decremented at each hop, Time Exceeded replies (traceroute) let you map where devices sit in the network.

Port scan - can find open ports.

OS fingerprinting - an echo reply with TTL 128 suggests Windows, TTL 64 suggests Linux (the initial TTL minus the hops). ICMP timestamp requests narrow it down further: Windows NT/Server did not reply to them, Windows 98, 2000 and ME did - not sure about recent versions.

ICMP router discovery (IRDP) - discovers the IP addresses of neighbouring routers using Router Advertisements (type 9, code 0) and Router Solicitations (type 10). The protocol has no authentication, so a spoofed advertisement can install the attacker as the default gateway (MITM).

Mitigation:
There is no authentication option to add, so block ICMP types 9 and 10 at the network edge and disable IRDP on hosts.

Teardrop - crashes or reboots machines by exploiting overlapping IP fragments: each fragment carries a copy of the original IP header plus an offset, and the attacker sets the offsets so the fragments overlap; the destination cannot reassemble them and older stacks fail.

PING flood - overwhelming of ICMP echo requests.

4.1.b MITM

DNSSEC
PKI: TLS
Rouge APs

Need to add more here :)

4.1.c Replay

Valid data transmission repeated or delayed. can be used w/ MITM to sniff authentication traffic and elevate privileges.

Mitigation:
Use session tokens, OTP, Message Authentication Codes (MAC), timestamping.

4.1.d Spoofing

ARP spoofing - attacker sends spoofed ARP messages, to associate attacker's MAC w/ IP address of legitimate host - can be used to form MITM attacks.

Mitigation:
Dynamic ARP Inspection (DAI) - validates each ARP packet on untrusted ports against a trusted binding database (IP/MAC/VLAN) and drops any whose sender MAC/IP does not match. The database is built by DHCP snooping or, for static hosts, from ARP ACLs configured on the CLI.

Gratuitous ARP and proxy ARP are legitimate uses of the same mechanism (failover, MAC moves), so detection has to check bindings rather than simply block unsolicited replies.
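The binding check described above, as an added example (not part of the original notes): a small DAI-style inspector that validates ARP packets on untrusted ports against a DHCP-snooping-style binding table, applies the invalid-address check and per-port rate limit DAI has, and lets a gratuitous ARP through when it comes from the address's rightful owner. Bindings, port names and packets are constructed.

```python
"""Dynamic ARP Inspection in miniature.

Added example, not from the original notes: ARP packets are validated against a binding
table of the kind DHCP snooping builds, with the extra checks and per-port rate limit
DAI applies. Bindings, ports and packets below are constructed.
"""
import struct
from collections import defaultdict

ARP_REQUEST, ARP_REPLY = 1, 2


def mac_bytes(text):
    return bytes.fromhex(text.replace(":", ""))


def ip_bytes(text):
    return bytes(int(octet) for octet in text.split("."))


def build_arp(op, sender_mac, sender_ip, target_mac, target_ip):
    """Ethernet/IPv4 ARP body: htype 1, ptype 0x0800, hlen 6, plen 4, then the four addresses."""
    return (struct.pack("!HHBBH", 1, 0x0800, 6, 4, op) + mac_bytes(sender_mac) + ip_bytes(sender_ip)
            + mac_bytes(target_mac) + ip_bytes(target_ip))


def parse_arp(pkt):
    if len(pkt) < 28:
        raise ValueError("ARP body truncated")
    htype, ptype, hlen, plen, op = struct.unpack("!HHBBH", pkt[:8])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("not an Ethernet/IPv4 ARP packet")
    return {"op": op, "sha": pkt[8:14], "spa": pkt[14:18], "tha": pkt[18:24], "tpa": pkt[24:28]}


def invalid_ip(addr):
    """The addresses DAI's 'validate ip' rejects: 0.0.0.0, 255.255.255.255 and multicast."""
    return addr == bytes(4) or addr == b"\xff" * 4 or 224 <= addr[0] <= 239


class ArpInspector:
    def __init__(self, bindings, trusted_ports=(), rate_limit=15):
        # bindings: {(vlan, "ip"): "mac"} - learned from DHCP snooping or configured as ARP ACLs
        self.bindings = {(vlan, ip_bytes(ip)): mac_bytes(mac) for (vlan, ip), mac in bindings.items()}
        self.trusted = set(trusted_ports)
        self.rate_limit = rate_limit          # packets per second on untrusted ports (DAI default 15)
        self.counts = defaultdict(int)
        self.errdisabled = set()
        self.log = []

    def inspect(self, port, vlan, pkt, second=0):
        """Return 'forward', 'drop' or 'errdisable'. 'second' is a coarse clock for the rate limiter."""
        if port in self.errdisabled:
            return "drop"
        if port in self.trusted:               # uplinks and DHCP-server ports are not inspected
            return "forward"
        self.counts[(port, second)] += 1
        if self.counts[(port, second)] > self.rate_limit:
            self.errdisabled.add(port)
            self.log.append("%s: ARP rate limit exceeded, port err-disabled" % port)
            return "errdisable"
        arp = parse_arp(pkt)
        if invalid_ip(arp["spa"]) or (arp["op"] == ARP_REPLY and invalid_ip(arp["tpa"])):
            self.log.append("%s: invalid IP address in ARP body" % port)
            return "drop"
        expected = self.bindings.get((vlan, arp["spa"]))
        if expected != arp["sha"]:
            self.log.append("%s vlan %d: %s claims %s, binding says %s" % (
                port, vlan, arp["sha"].hex(":"), ".".join(map(str, arp["spa"])),
                expected.hex(":") if expected else "no binding"))
            return "drop"
        return "forward"                       # includes gratuitous ARP from the rightful owner


if __name__ == "__main__":
    insp = ArpInspector({(10, "10.0.0.1"): "00:aa:bb:cc:dd:01"}, trusted_ports={"Gi1/0/48"})
    spoof = build_arp(ARP_REPLY, "de:ad:be:ef:00:01", "10.0.0.1", "00:11:22:33:44:55", "10.0.0.5")
    print(insp.inspect("Gi1/0/2", 10, spoof), insp.log)
```

The order of checks mirrors the switch: trusted ports bypass everything, the rate limiter protects the inspection engine itself, and only then is the ARP body compared with the binding table.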

IP address spoofing - used in DoS attacks to hide the source and to reflect traffic. Botnets have made spoofing less necessary, because the attacker already has many real source addresses.

Mitigation:
Packet filtering can defend against IP address spoofing with ingress and egress filtering (BCP 38): block packets arriving from outside with an inside source address, and block packets leaving with a source address that is not from the inside.
TCP uses sequence numbers to ensure arriving packets are part of established connection.

4.1.e Backdoor

Unauthorized remote access. Worms such as Sobig & Mydoom can do this as well as dedicated software (Back Orifice)

4.1.f Botnets

A botnet is a collection of compromised hosts running the same bot software that work together to execute tasks on command.
The server is the command-and-control (C&C); it often uses IRC, Twitter or IM to relay commands to the bots.

4.1.g Wireless attacks

Sniffing - Kismet
Probing & discovery - active probing sends probe requests with no SSID and waits for APs to answer (NetStumbler); passive probing just listens on every channel for everything sent and received (Kismet).

Surveillance - kismet / airodump - can save in pcap. can gather WEP traffic and pass to aircrack (if enough WEP IVs).

4.1.h DoS and DDoS attacks

ICMP flood
SYN flood - SYNs with forged source addresses; the server replies SYN/ACK and waits for an ACK that never comes, so half-open connections fill the connection backlog.
Teardrop
Slow HTTP POST - declares a large Content-Length and then sends the body very slowly, so the server has to hold the connection open; enough of these exhaust its worker pool.
Reflected DDoS - send requests with the target's address as the spoofed source; the replies flood the target. The Smurf attack is one form of this.

Mitigation:
Block IPs on firewalls, use deep packet inspection
ACLs & rate limiting on switches & routers
IPS
Black-hole traffic
Storm control (level is the % of total available bandwidth of the port) monitors the broadcast, multicast and unicast traffic, can help

4.1.i Virus and worm outbreaks

Virus - modifies other programs and can attach themselves to other programs or replicate on execution
Worm - standalone malicious program that copies itself from one host to another over a network and carries other programs (payload)

Mitigation:
ACLs, packet-filters, nullrouting.

Trojan horse - Appears to have one function but actually performs a different function

4.1.j Header attacks

HTTP header injection - headers dynamically generated based on user input, can allow for HTTP response splitting, session fixation, XSS and malicious redirect attacks.
TCP reset - header has RST flag (reset) - usually set to 0. If set to 1 then indicates receiving computer should immediately stop using the TCP connection. Can be forged by 3rd machine to kill connection.
Sequence attacks - intercept communication - uses number prediction
Useful: https://packetcrafter.wordpress.com/2011/02/13/tcp-flags-hackers-playground/
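The HTTP header injection item above, as an added example (not part of the original notes): a redirect handler that copies a query parameter into the Location header, the response-splitting payload that exploits it, and the hardened version. The handler, request and attack string are constructed; no real application is involved.

```python
"""HTTP header injection / response splitting: a redirect handler, vulnerable and hardened.

Added example, not from the original notes. The handler, request and attack string are
constructed; no real application is involved.
"""
from urllib.parse import unquote


def vulnerable_redirect(next_param):
    """Builds a 302 whose Location is taken straight from the (URL-decoded) query parameter."""
    next_url = unquote(next_param)      # decoding here is what turns %0d%0a into a real CRLF
    return ("HTTP/1.1 302 Found\r\n"
            "Location: " + next_url + "\r\n"
            "Content-Length: 0\r\n"
            "\r\n").encode("latin-1")


class HeaderInjection(ValueError):
    pass


def safe_redirect(next_param, allowed_prefix="/"):
    """Same handler with the two checks a reviewer would ask for: no CR/LF/NUL in the
    value, and the target must be a local path (which also blocks open-redirect abuse)."""
    next_url = unquote(next_param)
    if any(ch in next_url for ch in "\r\n\x00"):
        raise HeaderInjection("control characters in Location value")
    if not next_url.startswith(allowed_prefix) or next_url.startswith("//"):
        raise HeaderInjection("redirect target is not a local path")
    return ("HTTP/1.1 302 Found\r\n"
            "Location: " + next_url + "\r\n"
            "Content-Length: 0\r\n"
            "\r\n").encode("latin-1")


def parse_response(raw):
    """Minimal client-side view: (status line, [(header, value)], body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    headers = []
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        headers.append((name.strip().decode("latin-1"), value.strip().decode("latin-1")))
    return lines[0].decode("latin-1"), headers, body


# Constructed attack value: ends the Location header, adds a cookie, closes the response
# and starts a second, attacker-controlled one (response splitting).
ATTACK = ("/home%0d%0aSet-Cookie:%20session=attacker%0d%0aContent-Length:%200%0d%0a%0d%0a"
          "HTTP/1.1%20200%20OK%0d%0aContent-Length:%2025%0d%0a%0d%0a%3Cscript%3Ealert(1)%3C/script%3E")


if __name__ == "__main__":
    status, headers, body = parse_response(vulnerable_redirect(ATTACK))
    print(status, headers)
    print("second response smuggled in body:", body[:15])
    try:
        safe_redirect(ATTACK)
    except HeaderInjection as exc:
        print("hardened handler rejected it:", exc)
```

Through a caching proxy the smuggled second response gets stored against whatever URL the browser requests next, which is how header injection turns into session fixation or cache-poisoned XSS.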

4.1.k Tunnelling attacks

SSH tunnelling - uses TCP port forwarding. A user who can SSH to a host can reach services on it (or behind it) that the firewall otherwise blocks, e.g. forward local port 2000 to the remote host's own SMTP port:
ssh -f -N -L 2000:localhost:25 user@remote
telnet localhost 2000
send spam! (the remote MTA sees the connection coming from localhost and relays it)
Mitigation:
Set "AllowTcpForwarding no" in sshd_config (or restrict the allowed targets with PermitOpen where forwarding is needed)

DNS tunnelling - website blocked by proxy - use DNS tunnelling - data encapsulated in DNS query and reply - using base32 and base64 encoding.
Useful: http://resources.infosecinstitute.com/dns-tunnelling/

Mitigation:
Use IPS/IDS

4.2 Software and OS exploits

Can be used for privilege escalation, or pivoting - using compromised system to attack another - avoiding firewall etc.

4.3 Security and attack tools

Metasploit
Kali linux / Backtrack
nmap
w3af
Burp suite
Fiddler

4.4 Generic network intrusion prevention concepts

Signature-based - monitors packets for pre-configured/pre-determined attack patterns
Statistical anomaly-based - creates baseline - bandwidth, application use, protocol use, etc - alerts on anomaly.
Stateful protocol analysis - identifies deviations of protocol states

Can sit inline or receive a copy of the traffic (SPAN, tap). Can send alarms, drop traffic, reset connections and block IP addresses. Inline sensors can also normalise traffic: drop packets with bad checksums, reassemble fragmented streams and clean up TCP sequencing anomalies before they reach the host.

4.5 Packet filtering

Basic Packet Filter - Allow or block traffic based on address and port. Will pass, drop (silent discard), or reject (send error response).

Stateful filters work up to L4 - Stateful Packet inspection - retains enough of packet to determine the state (new connection, existing connection)

Application layer - understands applications and protocols, so it can detect an unwanted protocol trying to bypass the firewall on an allowed port. Deeper inspection (IPS/WAF) can mitigate what a port-based filter cannot.

4.6 Content filtering and packet inspection

Deep Packet Inspection - examines data & optionally the header of a packet. Combines IPS/IDP w/ stateful firewall.

4.7 Endpoint and posture assessment

Network Admission Control (NAC) - users must authenticate, and can be quarantined if AV not up to date etc.
802.1x, MS AD, Cisco NAC, can be implemented as part of AnyConnect

4.8 QoS marking attacks

Change QoS markings on packet to benefit from QoS - better class of service.
Configuration & provisioning - hackers target the provisioning system, changing the QoS configuration
Data forwarding - injects traffic with QoS markings (DSCP)
CCIE Security: Theory - Section 3

More notes, again I will probably add more to this, if you think anything should be added, then do so through the comments section.

3.0 Application and Infrastructure Security

3.1 HTTP

TCP port 80 (clear text)

Status codes

100 - Continue - client should continue with request
200 - OK - request succeeded
201 - Created - request fulfilled and a new resource created
202 - Accepted - request accepted but processing not completed
203 - Non-Authoritative Information - metainformation from a local or third-party copy
204 - No Content
205 - Reset content
206 - Partial content
300 - Multiple choices
301 - Moved Permanently - new permanent URI
302 - Found
303 - See Other - response can be found under different URI and should use GET method on that resource
304 - Not Modified - if use conditional GET and document not modified then should give this
305 - Use Proxy - must be accessed through proxy given in Location Field
307 - Temporary Redirect
400 - Bad request - malformed syntax
401 - Unauthorized - authentication required; the response must include a WWW-Authenticate header
402 - Payment Required - reserved
403 - Forbidden - request understood but refused
404 - Not Found
405 - Method Not Allowed
406 - Not Acceptable
407 - Proxy Authorization Required - similar to 401 - but client must authenticate with proxy first
408 - Request Timeout - client did not produce a request within the time the server was prepared to wait
409 - Conflict - most likely with PUT requests (e.g. versioning)
410 - Gone - resource no longer available and the condition is considered permanent; if the server cannot tell whether it is permanent, 404 should be used instead
411 - Length Required - server requires a Content-Length
412 - Precondition failed - precondition tested false
413 - Request Entity Too Large
414 - Request-URI too Long - URI longer than one server willing to accept
415 - Unsupported Media Type
416 - Requested Range Not Satisfiable
417 - Expectation Failed - request possibly not met by next-hop server
500 - Internal Server Error
501 - Not Implemented - server does not support the functionality needed to fulfill the request
502 - Bad Gateway - server acting as gateway or proxy received invalid response from upstream server
503 - Service Unavailable - temporary overloading or maintenance
504 - Gateway Timeout - server acting as gateway or proxy did not receive response from upstream server
505 - HTTP Version Not Supported - server does not support, or refuses to support, the HTTP protocol version used in the request

3.2 HTTPS

TCP port 443
AKA: HTTP over TLS, HTTP over SSL, HTTP Secure
Protects against MITM attacks (only if the client validates the certificate chain and host name), provides bidirectional encryption
Requires an X.509 certificate on the server

3.3 SMTP

Connection-oriented, text-based protocol
TCP port 25, port 587 for submission, SMTPS - port 465

MUA - Mail User Agent - User interface (like Outlook) used by end user connects to
MSA - Mail Submission Agent. MSA delivers mail to
MTA - Mail Transfer Agent - moves email from the sending mail server to the recipient's mail server. Uses DNS to find the MX record for the recipient's domain. The MX target accepts the incoming message and passes it to
MDA - Mail delivery Agent - Moves email from MTA to user mailbox in recipient mail server, which waits for MUA to pick up using
POP/IMAP - protocol used to fetch email from recipient mail server mailbox to recipient MUA

3.4 DHCP

DORA - Discover, Offer, Request, Acknowledge

UDP/67 on server, UDP/68 on client
CIADDR - Client IP address
YIADDR - Your IP address
SIADDR - Server IP address
GIADDR - Gateway IP address
CHADDR - Client Hardware address

Options

3 - Router
4 - Time server
5 - Name server
6 - DNS
12 - hostname
15 - Domain name
42 - NTP server
50 - Requested IP address
51 - Lease time
52 - Option Overload
53 - DHCP Message Type (1 Discover, 2 Offer, 3 Request, 4 Decline, 5 ACK, 6 NAK, 7 Release, 8 Inform)
54 - Server Identifier
55 - Parameter request list
60 - Vendor Class identifier
61 - client Identifier
66 - TFTP Server name
67 - bootfile name

DHCP relay (ip helper-address) - forwards the client's broadcasts as unicast to a DHCP server on another subnet, filling GIADDR with the relay interface address so the server knows which scope to use
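The fixed fields and options above, as an added example (not part of the original notes): a DHCP message builder and parser, plus the checks a DHCP-snooping switch applies to each message (no server replies or relay addresses on untrusted ports, chaddr must match the frame source, bindings learned from ACKs). Fixed fields follow RFC 2131 and options RFC 2132; the client MAC, addresses and port names are constructed.

```python
"""DHCP message parsing plus the checks a DHCP-snooping switch applies.

Added example, not from the original notes. Fixed fields follow RFC 2131, options
RFC 2132; the client MAC, addresses and ports are constructed.
"""
import struct

MAGIC = b"\x63\x82\x53\x63"
BOOTREQUEST, BOOTREPLY = 1, 2
MESSAGE_TYPES = {1: "DISCOVER", 2: "OFFER", 3: "REQUEST", 4: "DECLINE",
                 5: "ACK", 6: "NAK", 7: "RELEASE", 8: "INFORM"}


def ip_bytes(text):
    return bytes(int(o) for o in text.split("."))


def ip_str(raw):
    return ".".join(str(b) for b in raw)


def mac_str(raw):
    return ":".join("%02x" % b for b in raw)


def build_message(op, msg_type, xid, client_mac, hostname=None, yiaddr="0.0.0.0",
                  giaddr="0.0.0.0", server_id=None):
    """op/htype/hlen/hops, xid, secs, flags, ciaddr, yiaddr, siaddr, giaddr, chaddr(16),
    sname(64), file(128), magic cookie, options, end marker."""
    flags = 0x8000 if op == BOOTREQUEST else 0          # client asks for broadcast replies
    fixed = struct.pack("!BBBBIHH", op, 1, 6, 0, xid, 0, flags)
    fixed += bytes(4) + ip_bytes(yiaddr) + bytes(4) + ip_bytes(giaddr)
    fixed += client_mac + bytes(10) + bytes(64) + bytes(128)
    options = MAGIC + bytes([53, 1, msg_type])
    if hostname:
        options += bytes([12, len(hostname)]) + hostname.encode()
    if server_id:
        options += bytes([54, 4]) + ip_bytes(server_id)
    options += bytes([61, 7, 1]) + client_mac                 # client identifier: htype 1 + MAC
    options += bytes([55, 4, 1, 3, 6, 15])                    # parameter request list
    return fixed + options + b"\xff"


def parse_dhcp(pkt):
    if len(pkt) < 240 or pkt[236:240] != MAGIC:
        raise ValueError("not a DHCP message")
    op, htype, hlen, hops, xid, secs, flags = struct.unpack("!BBBBIHH", pkt[:12])
    msg = {"op": op, "hops": hops, "xid": xid, "broadcast": bool(flags & 0x8000),
           "ciaddr": ip_str(pkt[12:16]), "yiaddr": ip_str(pkt[16:20]),
           "siaddr": ip_str(pkt[20:24]), "giaddr": ip_str(pkt[24:28]),
           "chaddr": mac_str(pkt[28:28 + hlen]), "options": {}}
    pos = 240
    while pos < len(pkt) and pkt[pos] != 255:
        code = pkt[pos]
        if code == 0:                 # pad option, no length byte
            pos += 1
            continue
        length = pkt[pos + 1]
        value = pkt[pos + 2:pos + 2 + length]
        if len(value) != length:
            raise ValueError("truncated option %d" % code)
        msg["options"][code] = value
        pos += 2 + length
    msg["type"] = MESSAGE_TYPES.get(msg["options"][53][0]) if 53 in msg["options"] else None
    return msg


class DhcpSnooping:
    """Untrusted ports may only carry client messages, must not carry a relay address,
    and the chaddr must match the frame's source MAC; bindings are learned from ACKs."""

    def __init__(self, trusted_ports=()):
        self.trusted = set(trusted_ports)
        self.bindings = {}            # chaddr -> leased IP (what DAI and IP Source Guard consult)

    def process(self, port, frame_src_mac, pkt):
        msg = parse_dhcp(pkt)
        if port not in self.trusted:
            if msg["op"] == BOOTREPLY:
                return "drop: server message (%s) on untrusted port %s" % (msg["type"], port)
            if msg["giaddr"] != "0.0.0.0":
                return "drop: relay agent address set on untrusted port %s" % port
            if msg["chaddr"] != mac_str(frame_src_mac):
                return "drop: chaddr %s does not match frame source MAC" % msg["chaddr"]
        elif msg["type"] == "ACK":
            self.bindings[msg["chaddr"]] = msg["yiaddr"]
        return "forward"


if __name__ == "__main__":
    mac = bytes.fromhex("001122334455")
    snoop = DhcpSnooping(trusted_ports={"Gi1/0/48"})
    rogue = build_message(BOOTREPLY, 2, 0xABCD, mac, yiaddr="10.0.0.50", server_id="10.0.0.66")
    print(snoop.process("Gi1/0/2", bytes.fromhex("00aabbccddee"), rogue))
```

The binding table this class fills is the same one DAI and IP Source Guard consult, which is why DHCP snooping is configured first.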

3.5 DNS

UDP/53 (TCP/53 for zone transfers and for responses too large for UDP)

Opcodes 
0 - Query
1 - iQuery (obsolete)
2 - Status (server status request)
3 - Unassigned
4 - Notify
5 - Update
6 - 15 - Unassigned

RCodes
0 - NoError
1 - FormErr
2 - Servfail
3 - NXDomain (Non-Existent Domain)
4 - NotImp (not implemented)
5 - Refused
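The header fields above (opcode, RCODE, section counts) and the base32-in-labels tunnelling described under 4.1.k, as one added example (not part of the original notes): a DNS query builder and parser, the client and server halves of a simple tunnel encoder that respects the 63-byte label and 255-byte name limits, and the scoring a detector would apply to query names. The tunnel domain, payload and host names are constructed.

```python
"""DNS query builder/parser with a DNS-tunnelling heuristic.

Added example, not from the original notes. Covers the header fields (opcode, RCODE,
counts) and base32-in-labels tunnelling; the zone, payload and names are constructed.
"""
import base64
import math
import struct

OPCODES = {0: "QUERY", 1: "IQUERY", 2: "STATUS", 4: "NOTIFY", 5: "UPDATE"}
RCODES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN", 4: "NOTIMP", 5: "REFUSED"}
QTYPE_TXT, QCLASS_IN = 16, 1
MAX_LABEL, MAX_NAME = 63, 255


def encode_name(name):
    """Length-prefixed labels ending in a zero byte; enforces the 63/255 limits."""
    wire = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 1 <= len(raw) <= MAX_LABEL:
            raise ValueError("label length %d out of range" % len(raw))
        wire += bytes([len(raw)]) + raw
    wire += b"\x00"
    if len(wire) > MAX_NAME:
        raise ValueError("name is %d octets, limit is 255" % len(wire))
    return wire


def decode_name(msg, pos):
    labels = []
    while True:
        length = msg[pos]
        pos += 1
        if length == 0:
            return ".".join(labels), pos
        if length & 0xC0:
            raise ValueError("compression pointers are not used in queries built here")
        labels.append(msg[pos:pos + length].decode("ascii"))
        pos += length


def build_query(ident, name, qtype=QTYPE_TXT, opcode=0, rd=1):
    """12-byte header (ID, flags, QD/AN/NS/AR counts) followed by one question."""
    flags = (opcode << 11) | (rd << 8)     # QR=0, opcode in bits 11-14, RD in bit 8, RCODE 0
    header = struct.pack("!HHHHHH", ident, flags, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, QCLASS_IN)


def parse_header(msg):
    ident, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    return {"id": ident, "qr": flags >> 15, "opcode": OPCODES.get((flags >> 11) & 0xF, "UNASSIGNED"),
            "rd": (flags >> 8) & 1, "rcode": RCODES.get(flags & 0xF, "OTHER"),
            "qdcount": qd, "ancount": an, "nscount": ns, "arcount": ar}


def parse_question(msg):
    name, pos = decode_name(msg, 12)
    qtype, qclass = struct.unpack("!HH", msg[pos:pos + 4])
    return name, qtype, qclass


def tunnel_encode(data, domain, seq):
    """Client side: base32 (case-insensitive, so DNS-safe) without padding, split into
    63-character labels, with a hex sequence label in front and the tunnel zone behind."""
    b32 = base64.b32encode(data).decode().rstrip("=").lower()
    labels = [b32[i:i + MAX_LABEL] for i in range(0, len(b32), MAX_LABEL)]
    return ".".join(["%x" % seq] + labels + [domain])


def tunnel_decode(name, domain):
    """Server side: strip the zone, rejoin the labels, restore the base32 padding."""
    parts = name[:-(len(domain) + 1)].split(".")
    b32 = "".join(parts[1:]).upper()
    return int(parts[0], 16), base64.b32decode(b32 + "=" * (-len(b32) % 8))


def entropy(text):
    if not text:
        return 0.0
    return -sum(text.count(c) / len(text) * math.log2(text.count(c) / len(text)) for c in set(text))


def tunnel_score(name, zone_labels=2):
    """Reasons a query name looks like tunnelled data (empty list = looks normal)."""
    labels = name.rstrip(".").split(".")
    sub = labels[:-zone_labels]
    reasons = []
    if len(name) > 100:
        reasons.append("name length %d" % len(name))
    if sub and max(len(l) for l in sub) > 40:
        reasons.append("label longer than 40 characters")
    if entropy("".join(sub)) > 3.5:
        reasons.append("high-entropy subdomain")
    if len(labels) > 5:
        reasons.append("%d labels" % len(labels))
    return reasons


if __name__ == "__main__":
    name = tunnel_encode(b"GET /secret/report.pdf HTTP/1.1 Host: intranet", "tunnel.example.com", 5)
    query = build_query(0xBEEF, name)
    print(parse_header(query), parse_question(query)[0])
    print(tunnel_score(name), tunnel_score("www.example.com"))
```

Real tunnels also use the answer direction (TXT or NULL records, base64 in the RDATA), and a resolver that logs query names is enough to run the scoring above; counting queries per client per zone catches the volume even when the names are short.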

3.6 FTP and SFTP

Active or Passive, - Client creates TCP control connection to FTP port 21. Active - client starts listening for incoming data, sends FTP command PORT M to inform server what port it is listening on. Server initiates data channel from port 20. If client behind firewall (unable to accept incoming TCP connections) - use passive mode. In passive mode the client uses the control connection to send PASV command, receives server IP address and server port number. client then opens a data connection to server IP address and port number given.

SFTP in the blueprint is the SSH File Transfer Protocol: it runs over an SSH session (TCP/22) on a single connection, so it is firewall-friendly, and authenticates as SSH does. Do not confuse it with Simple File Transfer Protocol (RFC 913, obsolete and unsecured) or with FTPS (FTP over TLS: explicit FTPS negotiates TLS with AUTH TLS on port 21; implicit FTPS uses TLS from the start on TCP/990).

3.7 TFTP

UDP port 69. No login etc.

3.8 NTP

UDP/123

Stratums
0 - Reference clocks
1 to 15 - usable; lower is closer to the reference clock, 15 is the lowest usable
16 - Unsynchronized

3.9 SNMP

UDP/161, udp/162 for traps and InformRequests

GetRequest
SetRequest
GetNextRequest
GetBulkRequest (added in SNMPv2)
Response
Trap
InformRequest (added in SNMPv2)
Report (added in SNMPv3)

SNMPv2 added GetBulk and Inform (manager-to-manager communication), i.e. performance improvements; its party-based security model was never adopted, and the common variant v2c kept plain community strings.
SNMPv3 added confidentiality, integrity & authentication through the User-based Security Model (noAuthNoPriv, authNoPriv, authPriv) - HMAC-MD5 or HMAC-SHA for authentication, DES (later AES) for privacy

3.10 syslog

Facilities 0 - 23.
Severity 0 - 7:
0 - Emergency
1 - Alert
2 - Critical
3 - Error
4 - Warning
5 - notice
6 - Informational
7 - Debug

3.11 Netlogon, NetBIOS, and SMB

Network Basic Input/Output System - session-layer API. Broadcast-based name resolution does not scale: not usable on networks over about 50 computers and annoying over 10. DNS is better.
UDP/137 & 138
TCP/137 & 139

SMB - Server Message Block AKA CIFS. Application-layer. Does network sharing. TCP port 445

3.12 RPCs

Remote Procedure Call - program causes procedure to execute in another address space.

3.13 RDP and VNC

Remote GUIs. RDP - TCP/UDP port 3389. VNC - platform independent, client/server based, TCP port 5900+N (N = display number).

3.14 PCoIP

PC-over-IP - remote display protocol/ Licensed by VMWare & AWS. UDP based.

3.15 OWASP

Open Web Application Security Project - dedicated to web application security.

3.16 Manage unnecessary services

Turn them off!!!

no service tcp-small-servers (echo, chargen, discard, daytime)
no service udp-small-servers (echo, discard, chargen)

Echo - echos what you type through "telnet x.x.x.x echo"
Chargen - generates stream of ASCII "telnet x.x.x.x chargen"
Discard - Throws away whatever you type
Daytime - returns system date and time

no ip finger
no ip bootp server
no mop enabled - disables Maintenance Operation protocol
no ip domain-lookup
no service pad - disables Packet Assembler/Disassembler on X.25 networks
no ip http server
no ip http secure-server
no service config - disables looking to TFTP for config
CCIE Security: Theory - Section 2

This is basically just notes, I will probably add more from time to time, if there is anything that you think should be added, then please use the comment boxes below.

2.0 Security Protocols

2.1 RSA

One of the first public-key cryptosystems. Asymmetric: a key pair, where the public key encrypts (or verifies signatures) and the private key decrypts (or signs). The user generates the pair and publishes the public key. Relatively slow compared with symmetric ciphers, so it is normally used to exchange or wrap symmetric keys rather than to encrypt bulk data. Common key sizes are 1024 to 4096 bits; 2048 is the usual minimum today.

RFC 2409 restricts private key size to 2048 bits or less for RSA encryption. Recommended modulus value for CA (and clients) is 2048 bits.

4 steps - Key generation, key distribution, encryption and decryption.

RSA & PKI - 

PKI:

 - Certificate Authority - issues and verifies digital certificates
 - Registration Authority - verifies the identity of users requesting certificates from the CA; it accepts requests and authenticates the requester but does not sign certificates itself (a subordinate CA, which does sign, is a different role)
 - Central Directory - secure location to store and index keys

http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/sec_conn_pki/configuration/xe-3s/sec-pki-xe-3s-book/sec-deploy-rsa-pki.html

RSA key pair (public & private) required before you can obtain a certificate for your router. End host must generate pair of RSA keys and exchange public key with the CA to obtain a certificate and enrol in PKI.

A CA (Certificate Authority), which is a trustpoint, manages certificate requests and issues certificates. CA generates its own public key pair and creates a self-signed CA cert, The CA can then sign certificates and begin peer enrolment for the PKI.

RSA key pairs may need to be removed if:

  • During manual PKI operations and maintenance the old RSA keys can be removed and replaced with new keys
  • Existing CA is replaced and the new CA requires newly generated keys - i.e key size may have changed from 1024 to 2048.
  • Peer routers' public keys can be deleted in order to debug signature verification problems in IKEv1 and IKEv2.

2.2 RC4

Stream cipher, simple and fast (about 10 times faster than DES, for example), though insecure. The keystream is generated from a 256-byte permutation initialised from a variable-length key (between 40 and 2048 bits) and two 8-bit index pointers; the keystream is XORed with the data. The first keystream bytes are strongly biased, so protocols that do not discard the beginning of the stream leak key material - combined with related keys this is what broke WEP. RFC 7465 prohibits the use of RC4 in TLS.

2.3 MD5

Hashing function - replaces MD4; made by Ron Rivest, who also created RC4. Produces a 128-bit digest. No longer recommended: collisions can be generated in practice. Hash functions take input data of any length and return a fixed-size value (the hash or digest). The mapping is many-to-one, not one-to-one, so collisions always exist; a good hash just makes them infeasible to find. Hashes are one-way - you can create a digest, but cannot recover the original data from it.

2.4 SHA

Multiple variants.
SHA-0 - 160-bit hash, not widely used
SHA-1 - 160-bit hash, correct issues with SHA-0. Widely used but not recommended as there are theoretical attacks
SHA-2 - creates hashes of 224, 256, 384 or 512 bits.
SHA-224, SHA-256, SHA-384, SHA-512, SHA-512.224 & SHA-512/256
SHA-512 used by TrueCrypt
SHA-256 used by DKIM signing
SHA-256 and SHA-512 recommended for DNSSEC
SHA-3 - Keccak, standardised in FIPS 202 (2015); a different construction from SHA-2, offered as an alternative rather than a replacement forced by weakness

2.5 DES

Block cipher, considered insecure - small key-size of 56-bits

2.6 3DES

Applies the DES algorithm three times (encrypt-decrypt-encrypt) for better practical security. Keying option 1 uses three independent 56-bit keys (168-bit key, about 112 bits of effective security because of meet-in-the-middle attacks); keying option 2 uses two keys.

2.7 AES

Block cipher (128-bit block, 128/192/256-bit keys), successor to DES, based on the Rijndael cipher. Most CPUs include hardware AES support (AES-NI), making it fast. Supported by TrueCrypt & SSH

2.8 IPsec

Protocol suite that authenticates and encrypts each IP packet. Uses Security Associations (SA) - a bundle of algorithms and parameters used to encrypt and authenticate a particular flow in one direction - so bidirectional traffic is secured by a pair of SAs.

Uses ISAKMP/IKE to negotiate and establish the SAs.

IPSec adds an overhead to the packet - meaning packet may need to be fragmented. By default the router knows the IPSec overhead to add to the packet, it then performs a lookup to see if the packet will exceed the egress physical interface IP MTU after encryption has been applied. If this is the case it then fragments the packet before encrypting it, and separately encrypts the resulting IP fragments.

2.9 ISAKMP

RFC 2408. Establishes Security Associations. UDP port 500

2.10 IKE and IKEv2

Phase 1: Uses Diffie-Hellman key exchange to generate a shared secret that protects further IKE communication. Results in a single bidirectional ISAKMP SA. Peers authenticate with pre-shared keys, RSA signatures (PKI) or RSA-encrypted nonces. Operates in Main mode (6 messages, protects the peers' identities) or Aggressive mode (3 messages, identities sent in the clear).

Phase 2: IKE peers use secure channel to negotiate SAs on behalf of other services, like IPSec. Results in minimum of two unidirectional SAs (one inbound one outbound). Operates in Quick Mode only.

IKEv2 adds standard mobility support (MOBIKE), NAT traversal (IKE and ESP encapsulated in UDP port 4500), SCTP support (VoIP), reliability and state management, and DoS resilience (a cookie challenge before the responder creates state).

2.11 GDOI 

http://www.cisco.com/c/en/us/products/security/group-encrypted-transport-vpn/index.html
http://www.cisco.com/c/en/us/products/collateral/security/group-encrypted-transport-vpn/deployment_guide_c07_554713.html
http://www.cisco.com/c/dam/en/us/products/collateral/security/group-encrypted-transport-vpn/GETVPN_DIG_version_1_0_External.pdf

Group Domain of Interpretation - cryptographic protocol used for key management. RFC 6407. Based on ISAKMP and IKEv1.

It is run between group member(s) and group controller (key server). Uses IKEv1 Phase 1 SA for authenticating a GDOI member to a GDOI controller, protecting a new phase 2 exchange where a member pulls the group state from the controller.

Group key encrypts keys that decrypt application data. The group key is also called a key encrypting key (KEK). KEK is used for Rekey Security Association - once Rekey-SA is established the GDOI controller can push unsolicited updates to the group security association to members over multicast, broadcast or unicast. GDOI is referred to as a multicast key management system.

2.12 AH

AH - provides connectionless integrity and data origin authentication for IP datagrams - computed authentication data is sent to peer.
IPv4 - protects payload and all header fields (except mutable fields - those that might be altered in transit)
IPv6 - protects most of IPv6 base header, AH itself, non-mutable extension headers after the AH and the IP payload.

Uses IP protocol 51.

Packet format:
Next Header | Payload Len | Reserved
Security Parameters Index (SPI)
Sequence Number
Integrity Check value (ICV)

Next header indicates what upper-layer protocol is
SPI identifies the Security Association of the receiving party
Sequence number is used for anti-replay protection; it is never reused within an SA, so the SA must be rekeyed before the 32-bit counter wraps.

AH provides authentication and integrity but no confidentiality. Note that Diffie-Hellman on its own does not authenticate the peers either, which is why IKE adds PSK or signature authentication on top of it.

2.13 ESP

Provides confidentiality, data origin authentication, connectionless integrity and anti-replay.
2 modes: transport mode (protects only the payload; the original IP header is left in the clear and is not covered by the ICV) & tunnel mode (the entire original IP packet is encapsulated and protected, and a new outer IP header is added).

Uses IP protocol 50.

Packet format:
Security Parameters Index (SPI)
Sequence number
Payload data
Padding | Pad Length | Next Header (these three sit inside the encrypted part, as the ESP trailer)
Integrity Check Value (ICV)
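The AH and ESP layouts above, and the sequence-number anti-replay check, as one added example (not part of the original notes): header builders and parsers for both protocols and the RFC 4303 sliding-window receiver that checks the sequence number before the ICV is verified and advances the window only after it has. The ICV here is HMAC-SHA1-96 over the AH header (ICV zeroed) and payload only; real AH also covers the immutable outer IP fields. SPIs, keys and sequence numbers are constructed.

```python
"""AH/ESP header parsing and the RFC 4303 anti-replay sliding window.

Added example, not from the original notes. The ICV is HMAC-SHA1-96 over the AH header
(ICV zeroed) and payload only; real AH also covers the immutable outer IP fields. SPIs,
keys and sequence numbers are constructed.
"""
import hashlib
import hmac
import struct

IPPROTO_ESP, IPPROTO_AH = 50, 51
ICV_LEN = 12          # HMAC-SHA1-96


def ah_icv(key, header, payload):
    return hmac.new(key, header + bytes(ICV_LEN) + payload, hashlib.sha1).digest()[:ICV_LEN]


def build_ah(key, next_header, spi, seq, payload):
    """Next Header (1) | Payload Len (1) | Reserved (2) | SPI (4) | Sequence (4) | ICV."""
    payload_len = (12 + ICV_LEN) // 4 - 2          # AH length in 32-bit words, minus 2
    header = struct.pack("!BBHII", next_header, payload_len, 0, spi, seq)
    return header + ah_icv(key, header, payload) + payload


def parse_ah(pkt):
    next_header, payload_len, _, spi, seq = struct.unpack("!BBHII", pkt[:12])
    ah_len = (payload_len + 2) * 4
    return {"next_header": next_header, "spi": spi, "seq": seq, "header": pkt[:12],
            "icv": pkt[12:ah_len], "payload": pkt[ah_len:]}


def parse_esp(pkt, icv_len=ICV_LEN):
    """SPI (4) | Sequence (4) | encrypted payload (+ padding, pad length, next header) | ICV.
    Only the SPI and sequence number are readable before decryption."""
    spi, seq = struct.unpack("!II", pkt[:8])
    return {"spi": spi, "seq": seq, "ciphertext": pkt[8:-icv_len], "icv": pkt[-icv_len:]}


class AntiReplayWindow:
    """RFC 4303 3.4.3: a 64-packet window; bit k of the bitmap means top-k was seen."""

    def __init__(self, size=64):
        self.size, self.top, self.bitmap = size, 0, 0

    def check(self, seq):
        """Preliminary check before the ICV is verified: 'ok', 'replay', 'old' or 'exhausted'."""
        if self.top == 0xFFFFFFFF:
            return "exhausted"         # 32-bit counter used up: the SA must be rekeyed
        if seq == 0:
            return "replay"            # the first packet on an SA carries sequence 1
        if seq > self.top:
            return "ok"
        if self.top - seq >= self.size:
            return "old"
        return "replay" if (self.bitmap >> (self.top - seq)) & 1 else "ok"

    def update(self, seq):
        """Advance the window; call only after the ICV has verified."""
        if seq > self.top:
            self.bitmap = ((self.bitmap << (seq - self.top)) | 1) & ((1 << self.size) - 1)
            self.top = seq
        else:
            self.bitmap |= 1 << (self.top - seq)


def receive_ah(sa_table, pkt):
    """Receiver pipeline: SA lookup, replay check, ICV verification, then window update."""
    ah = parse_ah(pkt)
    sa = sa_table.get(ah["spi"])
    if sa is None:
        return "no SA for SPI 0x%x" % ah["spi"]
    verdict = sa["window"].check(ah["seq"])
    if verdict != "ok":
        return verdict
    if not hmac.compare_digest(ah["icv"], ah_icv(sa["key"], ah["header"], ah["payload"])):
        return "bad icv"
    sa["window"].update(ah["seq"])
    return "accepted"


if __name__ == "__main__":
    key = b"\x0b" * 20
    sa_table = {0x1001: {"key": key, "window": AntiReplayWindow()}}
    for seq in (1, 1, 5, 70, 3, 60):
        print(seq, receive_ah(sa_table, build_ah(key, 4, 0x1001, seq, b"payload")))
```

The ordering matters: a forged packet with a fresh sequence number must not advance the window, otherwise an attacker who cannot forge the ICV could still make the receiver discard the genuine packets that follow.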

2.14 CEP

Certificate Enrollment Protocol. SCEP Simple Certificate Enrollment Protocol used for enrollment and other PKI operations. Based on HTTP, Only supports RSA-based cryptography.

Steps:

Obtain copy of CA cert and validate it
Generate CSR and send to CA
Poll SCEP server to check if cert gets signed
Re-enroll as necessary
Retrieve CRL

2.15 TLS and DTLS

Preferred over SSL. Uses private and public keys and certificates. Provides privacy and data integrity between two communicating applications. Private because the record layer uses symmetric cryptography; keys are generated uniquely for each connection from a secret negotiated at the start of the session. Server and client negotiate the encryption details and keys before the first byte of application data is transmitted. The identity of the parties can be authenticated using public-key cryptography. Uses a Message Authentication Code (MAC) for integrity, so tampering is detected.

  1. Client connects to TLS enabled server, requesting a secure connection, presents a list of supported cipher suites.
  2. Server picks a cipher and hash that it supports and notifies client of decision.
  3. Server sends its digital certificate (server name, trusted CA and public encryption key)
  4. Client validates the certificate chain against its trusted CAs and may check revocation with the issuing CA (CRL or OCSP)
  5. Client then generates session keys - either through random number encryption with servers public key or uses Diffie-Hellman key exchange


TLS 1.0 - RFC 2246
TLS 1.1 - RFC 4346 - added protection against cipher-block chaining (CBC) attacks (explicit IVs), support for IANA registration of parameters
TLS 1.2 - RFC 5246 - replaced the MD5/SHA-1 combination with SHA-256 in the PRF and signatures, added AEAD cipher suites
TLS 1.3 - still a draft at the time of writing (published later as RFC 8446) - removes weak elliptic curves, MD5 & SHA-224, and all key exchanges without forward secrecy

DTLS - Datagram Transport Layer Security - allows datagram-based applications to be secure. Based on TLS. RFC 6347. Used by AnyConnect.

2.16 SSL

SSL 2.0 and 3.0 are deprecated (RFC 6176 and RFC 7568); disable both.

2.17 SSH 

http://www.snailbook.com/faq/ssh-1-vs-2.auto.html

Encrypted network protocol for remote login. The server proves its identity with a host key pair; the client authenticates with a password or with its own public-private key pair (no password needed once the public key is installed on the server).

SSHv1 / SSHv2:

SSHv1 encrypts a client-chosen session key with the server's host key and a short-lived server key; SSHv2 derives the session key with Diffie-Hellman and uses the host key only to sign the exchange. SSHv1 has known weaknesses (CRC-32 integrity, insertion attack) and should be disabled.

SSHv2 has different layers:

  • Transport layer - RFC 4253 - handles initial key exchange, server authentication, encryption, compression and integrity validation. Exposes an interface for sending and receiving plaintext packets - also does key re-exchange after 1 GB or 1 hour.
  • User Authentication layer - RFC 4252 - handles client authentication - provides a number of authentication methods, client driven - can use password, publickey, keyboard-interactive, GSSAPI
  • Connection layer - RFC 4254 - can host multiple channels such as session (shell), direct-tcpip (client-to-server forwarding), forwarded-tcpip (server-to-client forwarding)
  • SSHFP DNS record (RFC 4255) publishes host key fingerprints to help verify the authenticity of a host.

2.18 RADIUS

Centralized AAA over UDP (1812 for authentication, 1813 for accounting; legacy 1645/1646). Often the backend choice for 802.1X. Can use PAP, CHAP or EAP for authentication, and the server can in turn consult SQL, Kerberos, LDAP or AD.

Access-Request
Access-Accept
(or Access-Reject or Access-Challenge)

Reject - user unconditionally denied access - user unknown or user inactive
Challenge - request additional information - such as secondary password, PIN, token or card
Accept - granted access.

Authorization attributes can be included (giving extra rights) - can request IP address, L2TP parameters or VLAN parameters or QoS params.

Hides only the User-Password attribute: it is XORed with MD5(shared secret + Request Authenticator), chained per 16-byte block (RFC 2865). This is obfuscation keyed on the shared secret, not encryption, and a captured request lets an attacker brute-force a weak secret offline.

Attribute Value Pairs (AVP) are type/length/value; most string values are plain ASCII.
RADIUS does not encrypt the username, authorization attributes or accounting data - they are in the clear on the wire, so protect it with IPsec or RadSec (RADIUS over TLS) across untrusted networks.
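The packet layout, the User-Password hiding and the Cisco VSA format (vendor-ID 9, vendor-type 1, see 5.5.f), as one added example (not part of the original notes): it builds an Access-Request the way a NAS would, parses it the way a server would, and shows that the username and the Cisco-AVPair are readable on the wire while only the password is masked. The shared secret, authenticator, NAS address and credentials are constructed test data.

```python
"""RADIUS Access-Request with User-Password hiding and a Cisco VSA.

Added example (not from the original notes): builds a request the way a NAS would,
parses it the way a server would, and shows that only User-Password is hidden.
The shared secret, authenticator and credentials below are constructed test data.
"""
import hashlib
import os
import struct

ACCESS_REQUEST = 1
ATTR_USER_NAME = 1
ATTR_USER_PASSWORD = 2
ATTR_NAS_IP_ADDRESS = 4
ATTR_VENDOR_SPECIFIC = 26
CISCO_VENDOR_ID = 9   # IANA enterprise number for Cisco
CISCO_AVPAIR = 1      # vendor-type 1 = Cisco-AVPair, a free-form string


def hide_password(password, secret, authenticator):
    """RFC 2865 section 5.2: pad to a 16-byte multiple, then XOR each block with
    MD5(secret + previous ciphertext block); the first block uses the Request Authenticator."""
    if len(password) > 128:
        raise ValueError("User-Password is limited to 128 octets")
    padded = password + b"\x00" * (-len(password) % 16)
    hidden, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        mask = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ m for p, m in zip(padded[i:i + 16], mask))
        hidden += block
        prev = block
    return hidden


def reveal_password(hidden, secret, authenticator):
    """Inverse of hide_password; the server recomputes the same masks."""
    clear, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        mask = hashlib.md5(secret + prev).digest()
        clear += bytes(c ^ m for c, m in zip(hidden[i:i + 16], mask))
        prev = hidden[i:i + 16]
    return clear.rstrip(b"\x00")


def attribute(atype, value):
    """Type (1) | Length (1, includes these two bytes) | Value."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return struct.pack("!BB", atype, len(value) + 2) + value


def cisco_avpair(text):
    """Attribute 26: Vendor-Id (4) | vendor-type (1) | vendor-length (1) | string."""
    inner = struct.pack("!BB", CISCO_AVPAIR, len(text) + 2) + text.encode()
    return attribute(ATTR_VENDOR_SPECIFIC, struct.pack("!I", CISCO_VENDOR_ID) + inner)


def build_access_request(ident, authenticator, secret, user, password, avpairs=()):
    """Code (1) | Identifier (1) | Length (2) | Request Authenticator (16) | attributes."""
    body = attribute(ATTR_USER_NAME, user.encode())
    body += attribute(ATTR_USER_PASSWORD, hide_password(password.encode(), secret, authenticator))
    body += attribute(ATTR_NAS_IP_ADDRESS, bytes([192, 0, 2, 10]))  # constructed NAS address
    for text in avpairs:
        body += cisco_avpair(text)
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(body)) + authenticator + body


def parse_packet(pkt, secret):
    """Return (code, identifier, attributes). Cisco-AVPairs are collected in a list;
    User-Password is revealed with the shared secret, everything else is already clear."""
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    if length != len(pkt) or length < 20:
        raise ValueError("RADIUS length field does not match the datagram")
    authenticator = pkt[4:20]
    attrs, pos = {}, 20
    while pos < length:
        atype, alen = pkt[pos], pkt[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("malformed attribute at offset %d" % pos)
        value = pkt[pos + 2:pos + alen]
        if atype == ATTR_USER_NAME:
            attrs["User-Name"] = value.decode()
        elif atype == ATTR_USER_PASSWORD:
            attrs["User-Password"] = reveal_password(value, secret, authenticator).decode("utf-8", "replace")
        elif atype == ATTR_VENDOR_SPECIFIC:
            vendor_id = struct.unpack("!I", value[:4])[0]
            vtype, vlen = value[4], value[5]
            if vendor_id == CISCO_VENDOR_ID and vtype == CISCO_AVPAIR:
                attrs.setdefault("Cisco-AVPair", []).append(value[6:4 + vlen].decode())
        pos += alen
    return code, ident, attrs


if __name__ == "__main__":
    secret = b"s3cret"                 # constructed shared secret
    authenticator = os.urandom(16)     # a real NAS must use an unpredictable value
    pkt = build_access_request(7, authenticator, secret, "alice", "Pa55word!", ["shell:priv-lvl=15"])
    print(parse_packet(pkt, secret))
    print("username visible on the wire:", b"alice" in pkt)
```

Because the mask depends only on the shared secret and the authenticator, anyone who captures a request and knows (or guesses) the password can recover the mask and test candidate secrets offline, which is the reason for long random shared secrets and for RadSec or IPsec on untrusted paths.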

2.19 TACACS+

Cisco proprietary. Remote authentication and related services for network access control through a centralized server. Uses TCP. Encrypts the entire packet body (unlike RADIUS, which only hides the password).

2.20 LDAP

Vendor-neutral protocol for accessing and maintaining distributed directory services over an IP network. Latest version is 3 - RFC 4511.

Common usage is in SSO (Single Sign On). Based on X.500. Uses TCP/UDP 389 or 636 (LDAPS). Global catalog on port 3268 & 3269. LDAPv3 can use TLS.

2.21 EAP methods (for example, EAP-MD5, EAP-TLS, EAP-TTLS, EAP-FAST, PEAP, and LEAP)

Extensible Authentication Protocol - RFC 3748 (made RFC 2284 obsolete), updated by RFC 5247. Provides transport and usage of keying material and parameters generated by EAP methods.

LEAP (Lightweight EAP) - developed by Cisco. Uses a modified version of MS-CHAP - not strongly protected and easily compromised. Not recommended
EAP-TLS - RFC 5216  - Still considered secure, requires client-side X.509 certificate
EAP-MD5 - RFC 2284 - minimal security, vulnerable to dictionary attacks, does not support key generation. Unsuitable for use w/ dynamic WEP or WPA/WPA2 enterprise. Only provides authentication of EAP peer to EAP server, but not mutual authentication. Vulnerable to MITM attacks.
EAP-POTP - protected one-time password - RFC 4793 - uses OTP tokens, Can provide unilateral or mutual authentication. 2 factor.
EAP-PSK - RFC 4764 - uses a pre-shared key.
EAP-PWD - RFC 5931 - shared password
EAP-TTLS - Client can be authenticated via a CA-signed PKI certificate to the server. Server can then use a tunnel to authenticate the client.
EAP-IKEv2 - RFC 5106 - based on IKEv2 - mutual authentication and session key establishment.
EAP-FAST - RFC 4851 - replacement for LEAP. Uses Protected Access Credential (PAC) to establish TLS tunnel. 3 phases
0 - in-band provisioning - provide shared secret, uses authenticated Diffie-Hellman Protocol (ADHP)
1 - tunnel establishment - authenticates using PAC, establishes tunnel key
2 - authentication - authenticates peer
Use manual PAC provisioning, as automatic provisioning is vulnerable to an attacker intercepting the PAC. PAC is issued on a per-user basis; a new user needs a new PAC created first.

EAP only defines message formats - needs to use another way to encapsulate
802.1X - EAP over LANs (EAPOL) - can use TKIP or CCMP (based on AES)
PEAP - (Protected EAP) - encapsulates EAP within TLS.

2.22 PKI, PKIX, and PKCS

PKIX

Also known as X.509, ITU-T standard for PKI and PMI. Specifies standard formats for public key certificates, certificate revocation lists (CRL), attribute certificates, and a certification path validation algorithm.

CA issues certificate binding public key to a particular distinguished name, or to an alternative name. Root certificates can be distributed so that they trust the PKI system.

X.509 includes certificate revocation lists (CRL). The IETF-approved online alternative is OCSP (Online Certificate Status Protocol).

V3 digital certificate structure:
Certificate
  Version number
  Serial number
  Signature Algorithm ID
  Issuer name
  Validity period
    Not before
    Not after
  Subject name
  Subject public key info
    Public Key Algorithm
    Subject Public Key
  Issuer Unique Identifier (optional)
  Subject Unique Identifier (optional)
  Extensions (optional)
Certificate Signature algorithm
Certificate signature

Formats:
.pem - Privacy-Enhanced Mail - Base64-encoded DER cert between BEGIN/END header lines
.cer, .crt, .der - usually in binary DER form - can also be Base64-encoded
.p7b, .p7c - PKCS#7 SignedData structure without data, just certs or CRLs
.p12 - PKCS#12 - may contain certificates, public and private keys (password protected)
.pfx - predecessor of PKCS#12
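An added example (my own code, not from the post) tying the structure and the formats together: a small DER TLV encoder/decoder, PEM wrapping and unwrapping, a check for whether a .cer/.crt file is binary DER or Base64 PEM, and a walker that reads the version and serial number out of a Certificate SEQUENCE. The certificate used is a constructed skeleton (version and serial only, placeholder signature), not a valid certificate; all function names are my own.

```python
import base64
import textwrap


def der_length(n: int) -> bytes:
    """DER length: short form below 128, else 0x80|count followed by big-endian bytes."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def der_tlv(tag: int, content: bytes) -> bytes:
    return bytes([tag]) + der_length(len(content)) + content


def der_integer(value: int) -> bytes:
    """Non-negative INTEGER; a leading 0x00 stops a high bit being read as a sign."""
    body = value.to_bytes(max(1, (value.bit_length() + 7) // 8), "big")
    if body[0] & 0x80:
        body = b"\x00" + body
    return der_tlv(0x02, body)


def der_parse(data: bytes, pos: int = 0):
    """Read one TLV at pos; return (tag, content, position after it)."""
    tag, first = data[pos], data[pos + 1]
    pos += 2
    if first & 0x80:
        count = first & 0x7F
        if count == 0 or count > 4:
            raise ValueError("indefinite or oversized length is not valid DER")
        length = int.from_bytes(data[pos:pos + count], "big")
        pos += count
    else:
        length = first
    end = pos + length
    if end > len(data):
        raise ValueError("truncated DER element")
    return tag, data[pos:end], end


def der_children(content: bytes):
    """All TLVs inside a constructed element (SEQUENCE or explicit tag)."""
    out, pos = [], 0
    while pos < len(content):
        tag, value, pos = der_parse(content, pos)
        out.append((tag, value))
    return out


PEM_BEGIN, PEM_END = "-----BEGIN CERTIFICATE-----", "-----END CERTIFICATE-----"


def der_to_pem(der: bytes) -> str:
    b64 = base64.b64encode(der).decode("ascii")
    return "\n".join([PEM_BEGIN, *textwrap.wrap(b64, 64), PEM_END]) + "\n"


def pem_to_der(pem: bytes) -> bytes:
    b64, inside = [], False
    for line in pem.decode("ascii").splitlines():
        if line.startswith("-----BEGIN"):
            inside = True
        elif line.startswith("-----END"):
            break
        elif inside:
            b64.append(line.strip())
    return base64.b64decode("".join(b64))


def detect_format(data: bytes) -> str:
    """PEM has the text header; DER starts with the outer SEQUENCE tag 0x30."""
    if data.lstrip().startswith(b"-----BEGIN"):
        return "PEM"
    if data[:1] == b"\x30":
        return "DER"
    return "unknown"


def build_sample_skeleton(serial: int) -> bytes:
    """Constructed, hypothetical certificate skeleton: NOT a valid certificate."""
    version = der_tlv(0xA0, der_integer(2))              # [0] EXPLICIT; v3 is encoded as 2
    tbs = der_tlv(0x30, version + der_integer(serial))   # tbsCertificate with only version + serial
    sig_alg = der_tlv(0x30, b"")                         # AlgorithmIdentifier placeholder
    signature = der_tlv(0x03, b"\x00" * 5)               # BIT STRING placeholder
    return der_tlv(0x30, tbs + sig_alg + signature)


def read_skeleton(der: bytes) -> dict:
    """Walk Certificate -> tbsCertificate and pull out version and serial number."""
    tag, cert, end = der_parse(der)
    if tag != 0x30 or end != len(der):
        raise ValueError("expected exactly one outer SEQUENCE")
    parts = der_children(cert)
    if len(parts) != 3:
        raise ValueError("Certificate needs tbsCertificate, signatureAlgorithm, signature")
    fields = der_children(parts[0][1])
    version = 1                                          # absent version field means v1
    if fields and fields[0][0] == 0xA0:
        version = int.from_bytes(der_children(fields[0][1])[0][1], "big") + 1
        fields = fields[1:]
    return {"version": version, "serial": int.from_bytes(fields[0][1], "big")}


if __name__ == "__main__":
    der = build_sample_skeleton(0x1234)
    pem = der_to_pem(der)
    print(pem)
    print(detect_format(der), detect_format(pem.encode()), read_skeleton(pem_to_der(pem.encode())))
```

The parser refuses indefinite-length encodings and truncated elements, which is the kind of strictness DER demands and that lenient BER decoders in the past got wrong.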

PKCS - RSA

Group of public-key cryptographic standards created by RSA Security Inc. Designed to promote use of cryptographic techniques using RSA patents. Covers PKCS#1 - 15.

2.23 IEEE 802.1X

IEEE standard, port-based Network Access Control (PNAC). Provides authentication to devices connecting to LAN or WLAN. Uses EAP over 802 - EAP over LAN or EAPOL.

3 parties - supplicant, authenticator and authentication server.
Supplicant - client device - but also refers to the software used to connect to authenticator
Authenticator - network device (such as switch or AP)
Authentication server - RADIUS & EAP (like ISE)

Process:

Initialization - switch port is set to the unauthorised state - only 802.1X traffic is allowed - other traffic, such as IP (including TCP & UDP), is dropped.
Initiation - authenticator transmits EAP-Request Identity frames. Supplicant listens and responds with an EAP-Response Identity frame containing an identifier (i.e. User ID). Authenticator encapsulates this in a RADIUS Access-Request and forwards it to the authentication server
Negotiation - Authentication Server sends a RADIUS Access-Challenge to the authenticator, containing an EAP Request with the EAP method. Authenticator encapsulates the EAP Request in an EAPOL frame and transmits it to the supplicant. Supplicant can either use this method, or NAK and respond with the EAP methods it supports.
Authentication - If the authentication server & supplicant agree on an EAP method and authentication is successful, the authenticator sets the port to authorised and normal traffic is allowed.
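The four steps above as an added example (mine, not from the post or any vendor's supplicant): build and decode the EAPOL/EAP frames of a complete exchange, then run a small check a defender might want, flagging a supplicant that NAKs the offered method and proposes one the notes above call weak (EAP-MD5 or LEAP). The MAC addresses and the exchange itself are constructed, not captured; EtherType 0x888E, the PAE group address, and the EAP code/type numbers are the standard ones.

```python
import struct

ETHERTYPE_EAPOL = 0x888E
PAE_GROUP_ADDR = bytes.fromhex("0180c2000003")    # 802.1X PAE group address

EAPOL_TYPES = {0: "EAP-Packet", 1: "EAPOL-Start", 2: "EAPOL-Logoff", 3: "EAPOL-Key"}
EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_METHODS = {1: "Identity", 2: "Notification", 3: "Nak", 4: "EAP-MD5",
               13: "EAP-TLS", 17: "LEAP", 21: "EAP-TTLS", 25: "PEAP", 43: "EAP-FAST"}
WEAK_METHODS = {"EAP-MD5", "LEAP"}                 # methods the notes above say not to use


def build_eap(code: int, identifier: int, method: int = None, data: bytes = b"") -> bytes:
    """EAP packet: code, id, length, then optional type + type-data."""
    body = b"" if method is None else bytes([method]) + data
    return struct.pack("!BBH", code, identifier, 4 + len(body)) + body


def build_eapol(eapol_type: int, body: bytes = b"", version: int = 2) -> bytes:
    """EAPOL header: version, type, body length."""
    return struct.pack("!BBH", version, eapol_type, len(body)) + body


def build_frame(dst: bytes, src: bytes, eapol: bytes) -> bytes:
    return dst + src + struct.pack("!H", ETHERTYPE_EAPOL) + eapol


def parse_frame(frame: bytes):
    """Decode one Ethernet frame; return a dict for EAPOL frames, None for anything else."""
    if len(frame) < 18 or struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_EAPOL:
        return None
    version, eapol_type, length = struct.unpack("!BBH", frame[14:18])
    body = frame[18:18 + length]
    info = {"src": frame[6:12].hex(":"), "eapol_type": EAPOL_TYPES.get(eapol_type, eapol_type)}
    if eapol_type == 0 and len(body) >= 4:
        code, identifier, eap_len = struct.unpack("!BBH", body[:4])
        info["code"] = EAP_CODES.get(code, code)
        info["id"] = identifier
        if code in (1, 2) and eap_len > 4:             # only Request/Response carry a type
            method, data = body[4], body[5:eap_len]
            info["method"] = EAP_METHODS.get(method, method)
            if method == 1:
                info["identity"] = data.decode("utf-8", "replace")
            elif method == 3:
                info["nak_proposes"] = [EAP_METHODS.get(m, m) for m in data]
    return info


def summarize(frames):
    return [parse_frame(f) for f in frames]


def weak_method_alerts(frames):
    """Flag supplicants that Nak the offered method and propose a weak one."""
    alerts = []
    for info in summarize(frames):
        if info and info.get("method") == "Nak":
            weak = [m for m in info["nak_proposes"] if m in WEAK_METHODS]
            if weak:
                alerts.append(f"{info['src']} proposed weak EAP method(s): {', '.join(weak)}")
    return alerts


# Constructed sample exchange (not a real capture); MAC addresses are made up.
SUPPLICANT = bytes.fromhex("021122334455")
AUTHENTICATOR = bytes.fromhex("02aabbccddee")
SAMPLE_EXCHANGE = [
    build_frame(PAE_GROUP_ADDR, SUPPLICANT, build_eapol(1)),                                  # EAPOL-Start
    build_frame(SUPPLICANT, AUTHENTICATOR, build_eapol(0, build_eap(1, 1, 1))),               # EAP-Request/Identity
    build_frame(PAE_GROUP_ADDR, SUPPLICANT, build_eapol(0, build_eap(2, 1, 1, b"alice"))),    # EAP-Response/Identity
    build_frame(SUPPLICANT, AUTHENTICATOR, build_eapol(0, build_eap(1, 2, 25, b"\x20"))),     # EAP-Request PEAP (start)
    build_frame(PAE_GROUP_ADDR, SUPPLICANT, build_eapol(0, build_eap(2, 2, 3, bytes([4])))),  # Nak, wants EAP-MD5
    build_frame(SUPPLICANT, AUTHENTICATOR, build_eapol(0, build_eap(4, 2))),                  # EAP-Failure: server refuses
]

if __name__ == "__main__":
    for info in summarize(SAMPLE_EXCHANGE):
        print(info)
    print(weak_method_alerts(SAMPLE_EXCHANGE))
```

The same decoder works on frames pulled from a capture; a port that keeps seeing Naks towards EAP-MD5 or LEAP is either a misconfigured supplicant or something worth a closer look.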

MAB - MAC Authentication Bypass - used where a device is not 802.1X capable. When configured, the port will first check whether the device is 802.1X capable; if not, it will try to authenticate to the AAA server using the connected device's MAC address as both username and password.

2.24 WEP, WPA, and WPA2

WEP - Wired Equivalent Privacy - for 802.11 wireless networks. Now deprecated (as of 2004). Uses RC4 (confidentiality) and CRC-32 (integrity). 64-bit WEP uses 40-bit key and 24-bit IV

WPA - Wi-Fi Protected Access (and WPA2) - uses TKIP (Temporal Key Integrity Protocol) and supports CCMP - an AES-based encryption mode.

TKIP has a 64-bit Message Integrity Check (MIC) and uses a new 128-bit key for each packet. Implements a key mixing function - combines the secret root key with the IV before passing it to RC4.

WPA-Personal - uses pre-shared key
WPA-Enterprise - requires RADIUS server

2.25 WCCP

Web Cache Communication Protocol - Cisco-developed protocol for content routing. Redirects traffic in real time; built-in load balancing, scaling, fault tolerance and service assurance. Can also be used for traffic localisation.

WCCPv1 - only single router services a cluster of systems, supports HTTP only, uses GRE, uses UDP/2048

WCCPv2 - can use 32 routers with 32 engines/accelerators, supports any IP protocol (including multicast), supports 255 service groups, adds MD5 shared secret security (authentication)

Client sends "Here I am" every 10 seconds
Server acknowledges with "I See You"

2.26 SXP

Part of TrustSec - enables security through identity-based controls. "anyone, anywhere, anytime". Provides data integrity and confidentiality services, policy-based governance and generalised monitoring, troubleshooting and reporting.

Establishes domains of trusted networks, each device being authenticated by its peers. Packets are classified by security groups (SGs). Classification is maintained by tagging packets on ingress - called the Security Group Tag (SGT).

Uses SGT Exchange Protocol (SXP) to propagate SGTs.

http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/sec_usr_cts/configuration/xe-3s/sec-usr-cts-xe-3s-book/cts-sxp-ipv4.html

2.27 MACsec

802.1AE aka MACsec - connectionless data confidentiality and integrity for media-access-independent protocols. New frame type, includes new fields - Security Tag and Message Authentication Code. Default cipher suites of GCM-AES-128 and GCM-AES-256.

Allows unauthorised LAN connections to be identified and excluded from communication within the network. Can mitigate attacks on L2 protocols.

2.28 DNSSEC

Domain Name System Security Extensions - provides origin authentication of DNS data, authenticated denial of existence, and data integrity. Designed to protect against cache poisoning; uses digital signatures. New DNS record types:
RRSIG - signature over a record set
DNSKEY - contains the public key that a DNS resolver uses to verify the DNSSEC signatures in RRSIG records
DS - delegation signer, for the delegated (child) zone
NSEC - link to the next record name
NSEC3 - link to the next record name, in hashed form
NSEC3PARAM - NSEC3 parameters used by authoritative DNS servers