UNetLab topologies now available.

It seems that (and I am very thankful for this) UNetLab is making strong gains in popularity, as it should.

Whilst I do get the occasional email asking for setup help with GNS3 (which I am more than happy to do), I get far more emails asking when the book topologies will be available for UNetLab.

So, now that things have quietened down a bit, I have had time to do this.

On the relevant pages (above, under the Books menu) there are links for the files for the main topologies for all the books.

They are also here, to make it easier.

To import them you just need to create a folder called 802101 (you don't really have to have a folder, but it makes it neater):




Once that's done, go into the folder and then import an external object. Make sure it's the whole zip file!


Then you should get a nice bunch of new labs:


The download links are below.

UNetLab Topology download links:

BGP for Cisco Networks
MPLS for Cisco Networks
VPNs and NAT for Cisco Networks

CCIE Security Written: Passed. Labbing begins again soon!

Just come out of the CCIE Security Written exam. I passed it after a couple of weeks study. I am not going to break any NDAs here, so it'll be a brief post. Certainly working in a PCI/HIPAA/SOX environment does help, I spend a lot of time discussing and implementing security, so I started with a good foundation.

Most of the stuff was pretty well covered in the posts I have done over the last couple of weeks; a couple of curve balls, but not enough to put a dampener on it.

This gets it out of the way before Christmas, so I can afford to have a little bit of a break now before the new year.


So, I have a couple of things to do. Finish the UNetLab topologies for the books; lots of people have been asking for them, and have been very patient, which was appreciated. I plan to finish them this week.

The proof of the next book (CCNA and Beyond) should arrive soon, so I should be able to finish it off over the Christmas period.

Then I have 18 months to prepare for and take (and hopefully pass) the lab.
I'd like to get this down to a year, which leaves 6 months for one or more attempts at the lab.

I will carry on with my own CCIE Security lab; since starting it there has been a new ASA image released which has less of a memory footprint, so that will definitely help with resources.

Still need to work out some WSA stuff - the VM doesn't want to play nicely, and then there is the whole licensing thing.

So, lots of challenges, but I now have (a maximum of) 18 months to do it.

CCIE Security: Theory - Section 5.7 - 5.15

Last bunch of notes!

Lots of this has already been covered (IPSec & PKI for example). It's a bit brief; most of it is common sense (like knowing what a VPN client is...). Most of the technologies listed are end of life (EoL) anyway.

Feel free to comment with anything useful to flesh it out a bit.

5.7 Cisco Secure ACS Solution Engine

Access policy control platform
Device administration
Remote access
Wireless
NAC
RADIUS & TACACS+
LDAP, ODBC, MS AD
PAP, CHAP, MS-CHAP, EAP
dACLs

5.8 Cisco Network Admission Control (NAC) Appliance Server

Uses Cisco Clean Access Agent - checks for patches etc. Now EoL.

5.9 Endpoint and client

5.9.a Cisco AnyConnect VPN Client

Uses SSL & IPSec IKEv2

5.9.b Cisco VPN Client

5.9.c Cisco Secure Desktop

Minimizes risks
Establishes clientless SSL VPN or AnyConnect VPN
ASA downloads HostScan to the endpoint
Checks:
OS
Specified files
Specified registry keys
Digital certificates
IPv4 or IPv6 address within specified range
HostScan gathers AV, firewall, antispyware version information
Endpoint does not meet requirements - login denied, interaction stops
Endpoint does meet requirements - prelogin policy assigned, interaction continues
HostScan checks for keystroke loggers & host emulation
AV, firewall, antispyware remediation
User logs in
ASA applies dynamic access policy to session
User terminates, HostScan terminates, cache cleaner cleans up.

5.9.d Cisco NAC Agent

5.10 Secure access gateways (Cisco IOS router or ASA)

5.10.a IPsec

Already covered pretty much.

5.10.b SSL VPN

http://www.cisco.com/c/en/us/td/docs/ios/12_4t/12_4t11/htwebvpn.html
http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/sec_conn_sslvpn/configuration/15-mt/sec-conn-sslvpn-15-mt-book/sec-conn-sslvpn-smart-tunnels-support.pdf
clientless, thin-client & full-tunnel
Smart tunnels - uses Winsock library
Do not support split-tunnelling, Cisco Secure Desktop, private socket libraries or MAPI proxy. Cannot start in two web browsers simultaneously.

5.10.c PKI

Already covered.

5.11 Virtual security gateway

Multi-tenant, zone-based, context aware. Offloads packet-intensive processing to Nexus 1000V. Supports active/standby, VXLAN

5.12 Cisco Catalyst 6500 Series ASA Services Modules

Already covered ASA.

5.13 ScanSafe functionality and components

Cloud Web Security:
malware protection
DLP
LDAP integration
reporting
EoL - replaced w/ UTM (ASA, SourceFire & WSA)

5.14 Cisco Web Security Appliance and Cisco Email Security Appliance

Web security, anti-malware.

5.15 Security management

All much of a muchness.

5.15.a Cisco Security Manager
5.15.b Cisco Adaptive Security Device Manager (ASDM)
5.15.c Cisco IPS Device Manager (IDM)
5.15.d Cisco IPS Manager Express (IME)

Supports up to ten IPS units

5.15.e Cisco Configuration Professional

Smart wizards & advanced configuration support for LAN and WAN, NAT, stateful and application firewall policy, IPS, IPSec, & SSL VPN, QoS & NAC.
One-click router lockdown
Voice & Security auditing capabilities
Monitor router status
Troubleshooting

Express version lives on flash in ISRs:
Basic configuration of interfaces
Hostname, DNS, DHCP configs
User management
plug-n-play server
dashboard for troubleshooting & CLI

5.15.f Cisco Prime

simplifies network management
improves operational efficiency
delivers predictable services
lower TCO

CCIE Security: Theory - Section 6

6.0 Cisco Security Technologies and Solutions

6.1 Router hardening features (for example, CoPP, MPP, uRPF, and PBR)

CoPP - Control Plane Policing
Increases security on the switch by protecting the RP from unnecessary/DoS traffic. Gives priority to control plane and management traffic. Works with PFC3 rate limiters.
PFC3 rate limiters can be used when an ACL cannot classify the traffic: IP options cases, TTL & MTU failure cases, packets w/ errors & multicast packets.
CoPP protects control and management planes, ensures routing stability, reachability & packet delivery. Uses MQC to provide rate-limiting.
Disabled by default - enable using "mls qos".
Supports multicast & broadcast traffic.
Use log keyword to enable CoPP-policy ACLs.
Can exhaust TCAM.
Does not support MAC ACLs
Supports ip precedence, ip dscp, access-group
Only IP ACLs are supported in hardware.
show policy-map control-plane
MPP - Management Plane Protection
Restricts interfaces on which network management packets are allowed to enter a device.
Requires CEF
Disabled by default
Supports:
BEEP
FTP
HTTP/HTTPS
SSH (v1 & v2)
SNMP
Telnet
TFTP

Benefits:
Greater access control
Improved performance for data packets on non-management interfaces
Network scalability
Simplifies use of per-interface ACLs to restrict management access
Fewer ACLs needed to restrict access to the device
Management packet floods on switching and routing interfaces prevented from reaching CPU

Implementation:
enable
conf t
control-plane host
management-interface fa0/0 allow ssh snmp
show management-interface
uRPF - Unicast Reverse Path Forwarding
Limit malicious traffic - verifies reachability of source - if not valid then packet is discarded
Strict, loose or VRF mode
Strict -
Packet must be received on the interface that the router would use to forward the return packet - can drop legitimate traffic if routing is asymmetric
Loose -
Source address must appear in the routing table. Can change using the "allow-default" option - allows use of the default route. More scalable than strict.
Implementation:
interface fa0/0
ip verify unicast source reachable-via {rx | any} [allow-default]
Firewall:
ip verify reverse-path interface <interface>
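
As an added example (not from the original post), a small Python model of the strict and loose checks described above: a constructed routing table stands in for the router's FIB, mode "rx"/"any" mirrors the reachable-via keyword, and allow_default mirrors the allow-default option. Interface names and prefixes are constructed sample values.

```python
import ipaddress

# Constructed routing table standing in for the router's FIB (assumption):
# destination prefix -> egress interface. 0.0.0.0/0 is the default route.
ROUTES = {
    "10.1.0.0/16": "Fa0/0",
    "10.2.0.0/16": "Fa0/1",
    "192.168.5.0/24": "Fa0/1",
    "0.0.0.0/0": "Fa0/2",
}


def lookup(table, addr):
    """Longest-prefix match for addr; returns (network, interface) or None."""
    ip = ipaddress.ip_address(addr)
    best = None
    for prefix, intf in table.items():
        net = ipaddress.ip_network(prefix)
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, intf)
    return best


def urpf_permit(table, src, ingress, mode="rx", allow_default=False):
    """Return True if a packet from src arriving on ingress passes the uRPF check.

    mode="rx"  models 'ip verify unicast source reachable-via rx'  (strict)
    mode="any" models 'ip verify unicast source reachable-via any' (loose)
    allow_default models the [allow-default] keyword: without it, a source
    covered only by the default route fails in both modes.
    """
    match = lookup(table, src)
    if match is None:
        return False                      # no route back to the source at all
    net, egress = match
    if net.prefixlen == 0 and not allow_default:
        return False                      # only the default route matches
    if mode == "any":
        return True                       # loose: any route is enough
    return egress == ingress              # strict: must arrive on the return path


def filter_packets(table, packets, mode, allow_default=False):
    """Apply uRPF to a list of (src, ingress) tuples; return the permitted ones."""
    return [(src, intf) for src, intf in packets
            if urpf_permit(table, src, intf, mode, allow_default)]


# Constructed sample: a symmetric flow, an asymmetric flow, a source reachable
# only via the default route, and an internal source arriving on the uplink
# (the case strict mode exists to drop).
SAMPLE = [
    ("10.1.5.5", "Fa0/0"),      # symmetric: return path is Fa0/0
    ("10.2.9.9", "Fa0/0"),      # asymmetric: return path is Fa0/1
    ("203.0.113.7", "Fa0/2"),   # covered only by the default route
    ("10.1.5.5", "Fa0/2"),      # internal source on the uplink interface
]
```

Strict mode keeps only the first sample packet; loose mode also keeps the asymmetric and uplink ones, and the default-route-only source passes either mode only with allow_default set.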
PBR - Policy-Based routing
Flexible routing of packets by applying a defined policy to traffic flows. More control over routing.
Classify traffic (based on ACL) - match criteria
Set IP precedence (differentiated class of service)
Route packets to specific paths.

6.2 Switch security features (for example, anti-spoofing, port, STP, MACSEC, NDAC, and NEAT)

Anti-spoofing:
- unicast RPF (above)
- ip source guard - uses information from DHCP snooping to dynamically configure a PACL on L2 interface.
ip dhcp snooping
ip dhcp snooping vlan <vlan range>
interface fa0/0
ip verify source
Port security: - same as stuff from R&S
STP: - disable dynamic trunking, restrict STP domain using PVST, BPDU guard, root guard.
MACSEC: - Provides secure communication on wired LANs. Each packet encrypted using symmetric key.
Most useful in access layer.
http://www.cisco.com/c/en/us/products/collateral/ios-nx-os-software/identity-based-networking-services/deploy_guide_c17-663760.html
offers Confidentiality, integrity, flexibility, network intelligence
Limitations:
not all endpoints support MACsec
line-rate encryption requires updated hardware on access switch
MACsec may affect other technologies (IP telephony)
Uses:
EAP, EAP method, MACsec Key Agreement (MKA), Security Association Protocol (SAP), EAPoL, RADIUS

NDAC: - TrustSec Network Device Admission Control - uses 802.1X connecting to another TrustSec device
NEAT: - Network Edge Authentication Topology
http://www.cisco.com/en/US/docs/ios-xml/ios/sec_usr_8021x/configuration/15-2mt/sec-ieee-neat.html
- uses CISP (Client Information Signalling Protocol) to propagate client MAC addresses and VLAN information between supplicant and authenticator switches. Extends secure access outside the wiring closet.
- Uses 802.1X /ACS/ ISE
Restrictions:
Not supported on an EtherChannel port
Should only be deployed w/ auto-configuration
Does not support standard ACLs on the switch port
When the supplicant switch authenticates, the port mode is changed from access-based to trunk-based on the same VSA (device-traffic-class=switch)

6.3 NetFlow

v9 supports MPLS & IPv6

6.4 Wireless security

Covered pretty well under the EAP stuff.

6.5 Network segregation

6.5.a VRF-aware technologies

VTY access
Syslog, AAA, SNMP
IPSec, GRE, VPDN
DNS, DHCP, HSRP, GLBP
NAT, IPS
H.323 & SIP

6.5.b VXLAN

http://www.cisco.com/c/en/us/products/collateral/switches/nexus-9000-series-switches/white-paper-c11-729383.html
- flexible, multi-tenant
- Uses 24-bit segment ID (VXLAN network identifier / VNID) - enables up to 16 million VXLAN segments.
- Uses underlying L3 header, routing, equal-cost multipath routing & link aggregation
- Uses MAC-in-UDP
- Tunnels L2 over L3
- Adds 50 bytes overhead due to the MAC-in-UDP encapsulation. Therefore needs an MTU of 1550 at minimum.
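
An added example (not from the original post or the linked white paper): Python that builds the MAC-in-UDP encapsulation described above around a constructed inner Ethernet frame and then strips it back off, so the 50-byte overhead and the 24-bit VNI can be checked directly. The MAC and IP addresses are constructed sample values from the documentation ranges.

```python
import ipaddress
import struct

VXLAN_UDP_PORT = 4789     # IANA-registered VXLAN destination port
VXLAN_FLAG_I = 0x08       # "I" flag: the VNI field is valid
ETHERTYPE_IPV4 = 0x0800
IPPROTO_UDP = 17


def mac_bytes(mac):
    return bytes.fromhex(mac.replace(":", ""))


def ethernet_header(dst_mac, src_mac, ethertype=ETHERTYPE_IPV4):
    """14-byte Ethernet II header."""
    return mac_bytes(dst_mac) + mac_bytes(src_mac) + struct.pack("!H", ethertype)


def ipv4_checksum(hdr):
    """RFC 791 one's-complement checksum over the header bytes."""
    if len(hdr) % 2:
        hdr += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(hdr) // 2), hdr))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ipv4_header(src_ip, dst_ip, payload_len, ttl=64):
    """20-byte IPv4 header (no options), protocol UDP, DF set, checksum filled in."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0x4000,
                      ttl, IPPROTO_UDP, 0,
                      ipaddress.ip_address(src_ip).packed,
                      ipaddress.ip_address(dst_ip).packed)
    return hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]


def udp_header(src_port, dst_port, payload_len):
    """8-byte UDP header; the IPv4 UDP checksum is optional and left at zero."""
    return struct.pack("!HHHH", src_port, dst_port, 8 + payload_len, 0)


def vxlan_header(vni):
    """8-byte VXLAN header: flags(1) reserved(3) VNI(3) reserved(1)."""
    if not 0 <= vni < (1 << 24):
        raise ValueError("VNI must fit in 24 bits")
    return struct.pack("!B3sI", VXLAN_FLAG_I, b"\x00\x00\x00", vni << 8)


def encapsulate(inner_frame, vni, outer_src_mac, outer_dst_mac,
                outer_src_ip, outer_dst_ip, src_port):
    """Wrap a tenant Ethernet frame: outer Ethernet + IPv4 + UDP + VXLAN + inner."""
    vx = vxlan_header(vni)
    udp = udp_header(src_port, VXLAN_UDP_PORT, len(vx) + len(inner_frame))
    ip = ipv4_header(outer_src_ip, outer_dst_ip, len(udp) + len(vx) + len(inner_frame))
    return ethernet_header(outer_dst_mac, outer_src_mac) + ip + udp + vx + inner_frame


def decapsulate(frame):
    """Validate the outer headers and return (vni, inner_frame); ValueError if not VXLAN."""
    if len(frame) < 50 or struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_IPV4:
        raise ValueError("outer frame is not IPv4")
    ihl = (frame[14] & 0x0F) * 4
    if frame[14 + 9] != IPPROTO_UDP or ipv4_checksum(frame[14:14 + ihl]) != 0:
        raise ValueError("outer packet is not UDP or has a bad header checksum")
    udp_off = 14 + ihl
    if struct.unpack("!H", frame[udp_off + 2:udp_off + 4])[0] != VXLAN_UDP_PORT:
        raise ValueError("UDP destination port is not VXLAN")
    vx_off = udp_off + 8
    if not frame[vx_off] & VXLAN_FLAG_I:
        raise ValueError("VXLAN I flag not set; VNI invalid")
    vni = struct.unpack("!I", frame[vx_off + 4:vx_off + 8])[0] >> 8
    return vni, frame[vx_off + 8:]


def encapsulation_overhead():
    """Bytes added by the outer Ethernet(14) + IPv4(20) + UDP(8) + VXLAN(8) headers."""
    return 14 + 20 + 8 + 8


def minimum_underlay_mtu(inner_mtu=1500):
    """Underlay MTU needed to carry an inner frame of inner_mtu bytes unfragmented."""
    return inner_mtu + encapsulation_overhead()


# Constructed 60-byte tenant frame (sample MACs from the RFC 7042 documentation range).
SAMPLE_INNER = ethernet_header("00:00:5e:00:53:02", "00:00:5e:00:53:01") + bytes(range(46))
```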

6.6 VPN solutions

6.6.a FlexVPN

IPSec VPN w/ IKEv2
Combines multiple frameworks (cryptomaps, ezvpn, DMVPN) into single comprehensible set of CLI commands.
Can run alongside previous IPSec VPNs
Based on IKEv2
Uses GRE over IPSec or VTI as encapsulation.
Supports IPv4 & IPv6
Dynamic spoke to spoke tunnels

6.6.b DMVPN - already written about this

6.6.c GET VPN

Group Encrypted Transport VPN
Trusted group - GMs share a common SA (group SA). GMs can decrypt traffic encrypted by another GM.
No need to negotiate point-to-point IPSec tunnels between members - tunnel-less.
Uses GDOI - takes advantage of underlying VPN - does not require overlay routing protocol
KEK secures control plane
TEK secures data traffic

6.6.d Cisco EasyVPN

Implements Cisco Unity Client Protocol - VPN parameters defined at VPN remote access server.
Client mode - entire LAN behind Easy VPN client undergoes NAT to the IP address pushed down by VPN server.
Supports split-tunnelling.

6.7 Content and packet filtering

ACLs...

6.8 QoS application for security

Not sure

6.9 Load balancing and failover

Both are good.

CCIE Security: Theory - Section 7

Jumping ahead a bit here. I'll come back to the rest shortly, but it's Sunday night, so just want to whizz through these. Most of the last ones are just common sense - isolation of virus'd computers, install AV etc etc.

7.0  Security Policies and Procedures, Best Practices, and Standards

7.1  Security policy elements 

Definition of what it means to be secure for a system, organization or other entity. Addresses constraints on the behaviour of members (staff) as well as adversaries (doors, locks, keys and walls). Implements RBAC for systems access.

7.2  Information security standards (for example, ISO/IEC 27001 and ISO/IEC 27002) 

27001 formally specifies a management system that is intended to bring information security under explicit management control. Mandates specific requirements.
Was BS 7799, then BS 7799-2

Requirements:

Management should:

  • Systematically examine the organization's security risks (threats, vulnerabilities and impacts)
  • Design & implement a coherent and comprehensive suite of information security controls
  • Adopt an overarching management process to ensure information security controls continue to meet the organisation's information security needs

Revolves around ISMS - (Information Security Management System)

Plan, Do, Check, Act.

Domains:

Asset Management - Documents assets of company or scope in question
Asset register
Asset classification
Asset Labelling
Access control - implementation of access controls across all information processing systems (operating systems, applications etc)
User Registration
Password Management
Clear Work Environment
Operating System & Application Controls
Network Security

27002 - Information Security standard - code of practice for information security management

14 domains:
Security policy - management direction
Organisation of Information Security - governance
Human Resources security - security aspects for employees, joining, moving, and leaving organization
Asset Management - inventory & classification
Access control - restriction of access rights to network, systems, data
Cryptography
Physical & Environmental security - protection of computer facilities
Operation Security procedures and responsibilities
Communication Security
System acquisition
supplier relationships
information security incident management
information security aspects of BCP
compliance

7.3  Standards bodies (for example, ISO, IEC, ITU, ISOC, IETF, IAB, IANA, and ICANN) 

ISO - International Organisation for Standardization
Independent, non-governmental. 164 member countries.
Member bodies - considered the most representative standards body in each country. The only ones that have voting rights.
Correspondent members - countries that do not have own standards organization
Subscribers - countries w/ small economies. pay reduced fees.
IEC - International Electrotechnical Commission
Works closely w/ ISO - concerned w/ electronics
ITU - International Telecommunication Union -  information & communication techniques
ISOC - Internet Society - internet-related standards. Parent company of IETF
IETF - Internet Engineering Task Force - develops and promotes voluntary Internet standards, i.e. the TCP/IP suite
IAB - Internet Architecture Board - committee charged with oversight of technical and engineering development of the Internet by the ISOC.
IANA - Internet Assigned Numbers Authority. Department of ICANN
ICANN - Internet Corporation for Assigned Names and Numbers - Looks after TLDs, DNS root


7.4  Industry best practices (for example, SOX and PCI DSS) 

SOX - Sarbanes-Oxley Act - Public Accounting reform and Investor Protection Act / Corporate and Auditing Accountability and Responsibility Act.
Came about after Enron & Worldcom. Criminal penalties for misconduct, required the SEC to create regulations defining how public companies comply with the law. US Law - not really a “best-practice”.

PCI DSS - Payment Card Industry Data Security Standard - proprietary security standard, increases controls around cardholder data to reduce credit card fraud. Uses a Qualified Security Assessor (QSA).
Objectives:
Build and maintain a secure network (install and maintain a firewall, do not use vendor-supplied defaults for passwords)
Protect Cardholder data (protect cardholder data, encrypt transmission of cardholder data)
Maintain a vulnerability management program (use AV software, develop and maintain secure systems)
Implement strong access controls (restrict access to cardholder data by business need-to-know, assign a unique ID to each person w/ computer access (no shared accounts), restrict physical access to cardholder data)
Regularly monitor and test networks (track and monitor all access, regularly test security systems and processes)
Maintain an information security policy (maintain a policy that addresses information security)

HIPAA - Health Insurance Portability and Accountability Act - protects health insurance coverage for workers when they lose or change jobs; national standards for electronic health care transactions

GLBA - Gramm-Leach-Bliley Act - Financial Services Modernisation Act (1999) - removed the prohibition on any one institution acting as investment bank, commercial bank and insurance company. Citicorp (holding company) merged w/ Travelers Group to form Citigroup - had to get a waiver from the Federal Reserve until GLBA came in.


7.5  Common RFC and BCP (for example, RFC2827/BCP38, RFC3704/BCP84, and RFC5735) 

RFC2827 - network ingress filtering - defeating DoS attacks that use IP source address spoofing
BCP38
RFC3704 - ingress filtering for multimode networks
BCP84
RFC5735 - Special Use IP addresses


7.6  Security audit and validation 


7.7  Risk assessment 


Establish the context
Identify the risks
Analyze the risks
Evaluate & prioritize the risks
Tackle the risks

Will add more here if something useful crops up...

7.8  Change management process 

7.9  Incident response framework 

7.10  Computer security forensics 

7.11  Desktop security risk assessment and desktop security risk management 



CCIE Security: Theory - Section 5.6 - ISE

5.6 Cisco Identity Services Engine (ISE)

ISE is a massive topic. This is only touching the tip of the iceberg.

Info comes from here: http://www.cisco.com/c/en/us/td/docs/security/ise/1-2/user_guide/ise_user_guide.html.

Combines AAA into one appliance
Enforces endpoint compliance through provisioning, including 802.1X
Security Group Access (SGA) through use of Security Group Tags (SGTs) and Security Group Access Control Lists (SGACL).

User authentication supports PAP, CHAP, PEAP and EAP w/ RADIUS
Supports 802.1X, MAB, & browser based authentication
Policy sets - group sets of authentication and authorisation policies.
FIPS 140-2 implementation - supported, but means EAP-MD5, LEAP and PAP are disabled when in FIPS mode. FIPS mode automatically disables PAP and CHAP & guest login.

Client Posture assessment:
Cisco NAC Web Agent - temporal agent
Cisco NAC agent - persistent

Service - specific feature that a persona provides (e.g. network access, profiler, posture, security group access, monitoring and troubleshooting)
Node - individual instance that runs ISE software.
Persona - determine the services provided by a node
Deployment model - determines if deployment is distributed, standalone, or HA

Different “personas” - Administration, Monitoring and Policy Service, inline posture.

Flexible deployment:
Primary and secondary administration nodes for HA - like ASA Active/Standby
Pair of monitoring for auto failover
One or more policy service nodes for session failover
Pair of inline posture nodes for HA

ISE Services:

Network Access:

Profiler:

Discovers, locates and determines capabilities of attached endpoints.
Components:
  • Sensor - contains a number of probes. Capture network packets by querying network access devices - forwards the attributes and their values to the analyser
  • Probe manager - provides support to the profiler service. Controls probes, start/stop collecting. Event manager within the sensor allows communication of events between probes in the probe manager.
  • Forwarder - stores endpoints in the ISE database along w/ attributes, notifies analyser of new endpoints detected on your network. Classifies endpoints to the endpoint identity groups and stores endpoints w/ matched profile in database
  • Analyzer - evaluates using the configured policies and identity groups to match attributes and their attribute values collected, classifies endpoints to the specified group and stores endpoints w/ matched profile in ISE database

Probes:
NetFlow, DHCP, DHCP SPAN, HTTP, RADIUS, DNS & SNMP Query & Trap probes.

Posture:

Does not support fast user switching.

Components:
Posture Administration Service - provides back-end support for posture specific custom conditions & remediation actions
Posture Run-time Services - encapsulates the SWISS protocol and all interactions between NAC agents & Cisco ISE server.

SWISS protocol - stateless request-response protocol allowing NAC agents running on managed clients to discover the ISE server & to retrieve configuration & operational information. NAC agent uses UDP/8905. NAC agent tunnels all the requests over HTTPS.

Custom Permissions for Posture:

Unknown - no matching posture policy - then may be set to unknown. 
Compliant - matching posture policy - therefore compliant
Noncompliant - matching policy - but fails to meet the mandatory requirements during posture assessment.

Security Group Access - SGA solution establishes clouds to trusted network devices to build secure networks. Each device in SGA cloud is authenticated by its peers. Communication between devices secured w/ encryption, message integrity checks & data-path replay protection mechanisms. 

SGA uses device & user identity obtained during authentication to classify packets. Classification is maintained by tagging packets as they enter the SGA network. Tag is called Security Group Tag (SGT). 

Features:

Network Device Admission Control (NDAC) - NDAC uses 802.1x & EAP-FAST. Successful authentication and authorisation in the NDAC process results in Security Association Protocol.
Endpoint Admission Control (EAC) - authentication process for an endpoint user or device. Typically happens at the access-level switch. Successful authentication and authorisation in the EAC process results in SGT assignment to the user or device. Includes:
802.1X
MAB
WebAuth
Security Group - (SG) - grouping of users, endpoint devices, resources that share access control policies. 
Security Group Tag (SGT) - SGA service assigns each security group a unique 16-bit security group number. Can reserve a range of SGTs for SGT-to-IP mapping.
Security Group Access Control List (SGACL) - control access and permissions on the SGTs that are assigned
Security Exchange Protocol (SXP) - protocol developed for the SGA service to propagate the IP-to-SGT binding table across network devices that do not have SGT-capable hardware to hardware that supports SGT/SGACL
Environment Data download - SGA device obtains environment data from ISE - contains:
Server Lists, Device SG, Expiry timeout
SGT Reservation - reserve a range of SGTs to enable IP to SGT mapping
IP-to-SGT mapping - bind endpoint IP to SGT and provision it to an SGA-capable device. 1.2 supports 1000 IP-to-SGT mappings
Identity-to-port mapping - method for switch to define identity on a port to which endpoint is connected

Components required for SGA: 
  • User Identity Repository
  • DHCP Service
  • DNS Service
  • Certificate Authority Service
  • Target Servers
  • Endpoint PC




CCIE Security: Theory - Section 5.2 - 5.5

5.2 Cisco IOS firewalls and NAT

5.2.a CBAC

http://www.cisco.com/c/en/us/support/docs/security/ios-firewall/13814-32.html
http://packetlife.net/blog/2009/mar/10/ios-context-based-access-control-cbac/

Filters TCP & UDP based on application layer protocol session information. Does deep packet inspection.
ip inspect name MyCBAC ftp
ip inspect name MyCBAC smtp
ip inspect name MyCBAC tcp

int fa0/0
ip inspect MyCBAC in
Also need an ACL.

5.2.b Zone-based firewall

Stateful firewall - Creates zones instead of ACLs. Interfaces assigned to zones, security policies assigned to traffic between zones. Zones are security borders. Default policy between zones is deny all. Can drop, pass or inspect traffic passing between zones

http://www.cisco.com/c/en/us/support/docs/security/ios-firewall/98628-zone-design-guide.html

Supports Stateful packet inspection, VRF-aware, URL filtering, DoS mitigation

http://packetlife.net/blog/2012/jan/30/ios-zone-based-firewall/
zone security Zone1
zone security Zone2

int fa0/0
zone-member security Zone1
int fa0/1
zone-member security Zone2
zone-pair security Zone1->Zone2 source Zone1 destination Zone2

policy-map type inspect trusted
class class-default
pass

zone-pair security Zone1->Zone2
service-policy type inspect trusted

5.2.c Port-to-application mapping

http://www.cisco.com/en/US/products/sw/iosswrel/ps1835/products_configuration_guide_chapter09186a00800ca7c8.html

PAM - Enables CBAC-supported applications to be run on non-standard ports. Customize TCP or UDP port numbers for network services or applications. Establishes table of default port-to-application mapping at the firewall.

User-Defined Port Mapping - can specify range of ports, saved with default mapping information.
Host-Specific Port Mapping - port mapping for specific hosts or subnets. Can map HTTP on port 8000 to one host, and Telnet on 8000 to a different host.

When to use:
to apply non-standard port number for a service or application
specific host or subnet uses a port for an app that is different to the default in the PAM table
different hosts use same port number for different applications

5.2.d Identity-based firewalling

See previous post about IDFW. Links in to Microsoft AD...

5.3 Cisco Intrusion Prevention Systems (IPS)
5.4 Cisco IOS IPS

http://www.cisco.com/c/en/us/td/docs/security/ips/7-0/configuration/guide/cli/cliguide7.html
http://www.cisco.com/c/en/us/td/docs/security/ips/7-0/configuration/guide/cli/cliguide7/cli_signature_engines.html#wp1138148

Supports standardized regex.
Inline or Promiscuous

Analysis engine - packet analysis & alert detection - create virtual sensors in Analysis engine.
Sensors receive data from monitored streams. A virtual sensor is a collection of data defined by a set of configuration policies. Default is vs0.

MainApp - initializes system, stops/starts other applications. Contains:

  • ctlTransSource - allows sensors to send control transactions
  • Event Store - stores IPS events
  • InterfaceApp - handles bypass & physical settings, defines paired interfaces
  • Logger - writes all log messages
  • Attack Response Controller (ARC) - manages remote network devices to provide blocking capabilities. Creates and applies ACLs on controlled network devices, or shun command on firewalls
  • NotificationApp - sends SNMP traps
  • Web Server (SDEE) - web interface
  • AuthenticationApp

SensorApp - analysis engine - packet capture & analysis:

  • Time processor
  • Deny filters processor
  • Signature Event Action processor - does resets, IP log, deny packets/flow/attacker, alert, block host/connection, generate SNMP trap, capture trigger packet
  • Statistics processor
  • L2 processor
  • Database processor
  • Fragment reassembly processor
  • Stream reassembly processor
  • Signature analysis processor
  • Slave dispatch processor

CollaborationApp - interfaces MainApp & SensorApp
CLI - user roles:
Viewer - can view configurations and events - no modification
Operator - can view everything & modify signature tuning, virtual sensor definition, managed router, their user passwords
Administrator
Service - can only use bash shell - only one service account

Signature engines:

AIC - analysis of web traffic, and FTP
Atomic - L3&L4 attributes, standard regex

  • Atomic ARP
  • Atomic IP Advanced - IPv6 L3 & ICMPv6 L4
  • Atomic IP - IP protocol packets & L4 transport protocols
  • Atomic IPv6 - Detects two IOS vulnerabilities that are simulated by malformed IPv6 traffic. Inspects ND protocols types 133/134/135/136/137
Has restrictions:
Cannot detect L4 field if packets are fragmented so L4 identifier does not appear in first packet
Cannot detect L4 attacks in flows w/ packets fragmented by IPv6 (no fragment reassembly)
Cannot detect attacks w/ tunnelled flows
Limited checks provided for fragmentation header
AIM IPS and NME IPS do not support IPv6 features
Anomaly detection does not support IPv6 traffic - only IPv4
Rate limiting & blocking not supported for IPv4 traffic
Fixed - parallel regular expression matches up to a fixed depth - ICMP, TCP, UDP
Flood - detects floods - flood Host & Flood Net.
Meta - Defines events
Multi String - L4 matching several strings for one signature - inspects stream-based TCP, UDP & ICMP
Normalizer - RFC compliance. Cannot add custom signatures, but can tune existing
Service

  • DNS
  • FTP
  • Generic
  • H225
  • HTTP
  • IDENT
  • MSRPC
  • MSSQL
  • NTP
  • P2P
  • RPC
  • SMB Advanced
  • SNMP
  • SSH
  • TNS

State - searches strings
String - search on regex - Sweep & Sweep other TCP
Traffic Anomaly - detects worms
Traffic ICMP - detects TFN2k, LOKI and DDOS
Trojan - BO2K & TFN2K and UDP

Event Actions:

Alert & Log Actions
produce-alert - writes evIDsAlert to Event Store
produce-verbose-alert - includes encoded dump
log-attacker-packets - starts IP logging w/ attacker address
log-victim-packets - starts IP logging w/ victim address
log-pair-packets - does both of the above (inline only)
request-snmp-trap - sends request to NotificationApp
Deny Actions
deny-packet-inline - does not transmit this packet
deny-connection-inline - does not transmit this packet & future packets on TCP flow
deny-attacker-victim-pair-inline - attacker/victim pair
deny-attacker-service-pair-inline - attacker/port pair
deny-attacker-inline - does not transmit this packet & future packets from attacker for specific period of time - uses dACL
modify-packet-inline - modifies packet to remove ambiguity - see normalizer
Other Actions
request-block-connection - requests ARC to block connection
request-block-host - Requests ARC block attacker host
request-rate-limit
reset-tcp-connection - TCP resets

5.5 Cisco AAA protocols and application

5.5.a RADIUS

See http://www.802101.com/2015/11/ccie-security-theory-section-2.html

5.5.b TACACS+

See http://www.802101.com/2015/11/ccie-security-theory-section-2.html

5.5.c Device administration

Not sure what to write here.

5.5.d Network access

Or here! Probably just need to be logical...

5.5.e IEEE 802.1X

See http://www.802101.com/2015/11/ccie-security-theory-section-2.html

5.5.f VSAs

Vendor specific attributes - Cisco vendor-ID = 9, vendor-type = 1, strings. See RADIUS.
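
As an added example (not from the original post): Python that encodes and decodes a RADIUS Vendor-Specific attribute (type 26) in the Cisco layout noted above, vendor-ID 9 and vendor-type 1 (cisco-avpair, a string), against a constructed attribute blob that also carries a User-Name so the walker has to step over a non-VSA attribute. The username and avpair values are constructed samples.

```python
import struct

ATTR_USER_NAME = 1            # RFC 2865 User-Name, used here only as a non-VSA neighbour
ATTR_VENDOR_SPECIFIC = 26     # RFC 2865 Vendor-Specific
CISCO_VENDOR_ID = 9           # IANA enterprise number for Cisco
CISCO_AVPAIR = 1              # Cisco vendor-type 1: cisco-avpair, a "key=value" string


def encode_attr(atype, value):
    """Generic RADIUS attribute: Type(1) Length(1) Value. Length counts the header."""
    if len(value) > 253:
        raise ValueError("attribute value longer than 253 bytes")
    return struct.pack("!BB", atype, 2 + len(value)) + value


def encode_cisco_avpair(avpair):
    """VSA(26) carrying one cisco-avpair: Vendor-Id(4) Vendor-Type(1) Vendor-Length(1) String."""
    text = avpair.encode("ascii")
    if len(text) > 247:   # 253 max value minus Vendor-Id(4) and vendor sub-header(2)
        raise ValueError("cisco-avpair does not fit in one VSA")
    vendor_data = struct.pack("!BB", CISCO_AVPAIR, 2 + len(text)) + text
    return encode_attr(ATTR_VENDOR_SPECIFIC, struct.pack("!I", CISCO_VENDOR_ID) + vendor_data)


def iter_attrs(blob):
    """Yield (type, value) for each attribute in a RADIUS attribute blob, checking lengths."""
    off = 0
    while off < len(blob):
        if off + 2 > len(blob):
            raise ValueError("truncated attribute header")
        atype, alen = blob[off], blob[off + 1]
        if alen < 2 or off + alen > len(blob):
            raise ValueError("bad attribute length %d at offset %d" % (alen, off))
        yield atype, blob[off + 2:off + alen]
        off += alen


def decode_vsas(blob):
    """Return [(vendor_id, vendor_type, value)] for every VSA sub-attribute in blob."""
    out = []
    for atype, value in iter_attrs(blob):
        if atype != ATTR_VENDOR_SPECIFIC:
            continue
        if len(value) < 6:
            raise ValueError("VSA shorter than Vendor-Id plus one sub-attribute header")
        vendor_id = struct.unpack("!I", value[:4])[0]
        # Vendor data uses the same Type/Length/Value shape as top-level attributes.
        for vtype, vvalue in iter_attrs(value[4:]):
            out.append((vendor_id, vtype, vvalue))
    return out


def cisco_avpairs(blob):
    """Just the cisco-avpair strings, in order, ignoring other vendors and vendor-types."""
    return [v.decode("ascii") for vid, vt, v in decode_vsas(blob)
            if vid == CISCO_VENDOR_ID and vt == CISCO_AVPAIR]


# Constructed Access-Accept attribute blob: a User-Name followed by two cisco-avpairs
# (a privilege level and a downloadable ACL entry, both common authorisation pushes).
SAMPLE_BLOB = (encode_attr(ATTR_USER_NAME, b"alice")
               + encode_cisco_avpair("shell:priv-lvl=15")
               + encode_cisco_avpair("ip:inacl#1=permit ip any host 192.0.2.10"))
```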

CCIE Security: Theory - Section 5.1 - ASA

ASAs now. Looks like I need to break section 5 down into several posts. Still very much note form. Time is not on my side, so excuse any lack of coherence.

5.1 Cisco Adaptive Security Appliance (ASA)

5.1.a Firewall functionality

Advanced stateful firewall & VPN concentrator. Can have IPS module (depending on model).
Can do contexts (like tenants), clustering, be in transparent mode (L2), or routed mode (L3). Has inspection engines, IPSec VPN, SSL VPN, clientless SSL VPN.

5.1.b Routing and multicast capabilities

Supports Static routes, OSPF, RIP, EIGRP, BGP (as of 9.1??), Multicast, & IPv6

Static - Single & multiple context, routed and transparent, supports IPv6
OSPF - single context, routed, not supported in transparent, does not support IPv6
EIGRP - As OSPF
RIP - also supported in multiple context & transparent
Multicast:
Not supported in transparent mode.
Supported in routed mode
Supported in single context mode.

5.1.c Firewall modes

http://www.cisco.com/c/en/us/td/docs/security/asa/asa84/configuration/guide/asa_84_cli_config/mode_fw.html

Routed - default - has IP address, acts as default gateway - router hop. Can do NAT. Each interface is on a different subnet. Can share interfaces between contexts.

Transparent mode - bump in the wire. Connects the same network on the inside and outside interfaces. Supports ARP, IP, IPv6 (in 8.4 - not in 7.2).
Does not support (in 8.4):
Dynamic DNS
DHCP relay
Dynamic routing protocols
QoS
VPN termination (supported for Management)
UC

Management interface for management (obviously) - only allows management traffic - can have static route.

Multi-context:

Partitioning of ASA into multiple virtual devices. Each context is an individual device with own security policy, interfaces, and administrators. Can have admin context - allowing control over everything.

If multiple contexts share an interface then the classifier uses the interface MAC address. Can have a different MAC address in each context on the same shared interface. Therefore traffic is classified by this MAC address along with the destination address.

If using NAT then the traffic for shared interface is classified using the destination address of the packet, by using the NAT table and also by the destination MAC address.

5.1.d NAT (before and after version 8.4)

NAT 8.3 - uses network objects - an IP address, a range of addresses, a network, or an FQDN. NAT control no longer supported. If a connection finds no translation rules then it passes through the ASA without translation.
No more Outside NAT versus Inside NAT.
NAT rule priority no longer applies.

5.1.e Object definition and ACLs

Can now use FQDN in ACLs - requires a DNS server to be configured and an FQDN object to be created.
ACL order of operation different between 8.2 and more recent:

ASA 8.2
Packet comes to ingress interface - counter gets incremented.
ASA checks internal connection table to verify if current. If matches current then ACL check is bypassed and packet is forwarded.
Packet processed as per interface ACLs - in sequence - if matches then passes.
Packet verified for translation rules - if passes then connection entry created and packet passes
Packet undergoes inspection check
IP header is translated (per NAT/PAT). Packet forwarded to Advanced Inspection and Prevention Security Services Module (AIP-SSM) for IPS processing (if IPS is involved).
Packet forwarded to egress interface - route lookup performed.
Once L3 route found, L2 resolution is performed. Rewrite MAC header
Packet transmitted on the wire, egress interface counter increased.

ASA 8.3
Can have interface ACL and Global ACL:
Interface ACL checked first
Global checked next
Default global checked after

5.1.f MPF functionality (IPS, QoS, and application awareness)

IPS:

Inline or promiscuous.

1. Traffic enters the ASA.
2. Incoming VPN traffic is decrypted.
3. Firewall policies are applied.
4. Traffic is sent to the IPS module over the backplane.
5. The IPS module applies its security policy to the traffic, and takes appropriate actions.
6. Valid traffic is sent back to the adaptive security appliance over the backplane; the IPS module might block some traffic according to its security policy, and that traffic is not passed on.
7. Outgoing VPN traffic is encrypted.
8. Traffic exits the adaptive security appliance.

QoS:

Single context
Routed

http://www.cisco.com/c/en/us/td/docs/security/asa/asa82/configuration/guide/config/conns_qos.html

Supports policing, priority queuing, traffic shaping

Application awareness:

Application layer protocol inspection, through Inspection engines:
DNS inspection - matches ID of reply to ID of query. Enforces maximum DNS message length (default is 512 bytes, maximum is 65535 bytes) - drops if it exceeds the maximum. Enforces domain-name length of 255 bytes, label length of 63 bytes. Uses DNS rewrite.
FTP inspection - PORT/PASV. If disabled (no inspect ftp), outbound users can start connections only in passive mode and all inbound FTP is disabled.
HTTP inspection - enhanced HTTP inspection, URL screening (websense), Java & ActiveX filtering
ICMP inspection - ensures only one response for each request & sequence number is correct
IM inspection
IP options inspection - can clear specified options and pass
NetBIOS
PPTP inspection - creates GRE connections and xlates - only version 1.
SMTP inspection - Supports:
AUTH, EHLO, ETRN, HELP, SAML, SEND, SOML, STARTTLS, VRFY, DATA, HELO, MAIL, QUIT, RCPT, RSET.
Does not support:
ATRN, ONEX, VERB, CHUNKING
TFTP

5.1.g Context-aware firewall

Who, what, when, where, how
Active/passive authentication
AD - one realm, ASA joins domain, AD Agent, Kerberos, NTLM, Basic for active authentication
LDAP - multiple realms, basic authentication only

5.1.h Identity-based services

https://supportforums.cisco.com/document/80646/asa-idfw-identity-firewall-step-step-configuration

Uses Microsoft AD. IDFW - requires 8.4.2.
AD agent installed on a Windows server - communicates w/ AD & ASA

5.1.i Failover options

Active/Active & Active/Standby
Failover link - Exchanges unit state, keep-alives, network link status, MAC address change, configuration replication

Stateful failover passes:
Dynamic routing tables (as of 8.4)
NAT translation table
TCP connection states
UDP connection states
ICMP connection states
ARP table
L2 bridge table (in transparent mode)
HTTP connection states (if HTTP replication enabled)
ISAKMP and IPSec SA table
GTP PDP connection database
SIP signalling sessions

Monitoring
Interfaces are monitored. Can monitor up to 250 interfaces divided between all contexts. Should monitor important interfaces.

If a unit does not receive a hello on a monitored interface it runs these tests:

Link up/down - if the link is operational it performs the network tests. At the start of each test each unit clears the received packet count for its interfaces, to see whether it has received any traffic. If neither unit receives traffic then it runs:
Network activity test - unit counts received packets for up to 5 seconds. If no traffic is received it does an ARP test.
ARP test - reads the ARP cache for the 2 most recently acquired entries. Unit sends ARP requests to those entries, attempting to simulate network traffic. If both fail, does the ping test.
Broadcast ping test - broadcast ping - counts all received packets for up to 5 seconds.

CCIE Security: Theory - Section 4

More notes!

4.0 Threats, Vulnerability Analysis, and Mitigation

4.1 Recognize and mitigate common attacks
4.1.a ICMP attacks and PING floods

ICMP - network layer, can be used to send payloads.
ICMP tunnelling - establishes a tunnel between client and server, uses ICMP echo requests and replies. Undetectable for proxy-based firewall. Deep packet inspection should detect. Can use Hping to test:
hping -c 1 -n <destination> -e "Secret message" -1
To detect it: a normal echo request is 42 bytes, so tunnelled packets will be longer. Use an IDS/IPS rule to look for data in the ICMP data field.

Common program is LOKI.
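
As an added example (not from the original post), a small Python detector that applies the check above to captured Ethernet/IPv4/ICMP frames: the 42-byte baseline quoted above, plus whether the ICMP data field carries readable text rather than padding. The sample frames, addresses and MAC values are constructed for the example.

```python
import struct

ETH_HDR, IP_HDR_MIN, ICMP_HDR = 14, 20, 8
BASELINE_FRAME_LEN = 42   # Ethernet + IPv4 + ICMP headers with no data, the figure quoted above


def parse_icmp_frame(frame: bytes):
    """Return (icmp_type, icmp_data) for an Ethernet/IPv4/ICMP frame, or None if it is not ICMP."""
    if len(frame) < ETH_HDR + IP_HDR_MIN or struct.unpack("!H", frame[12:14])[0] != 0x0800:
        return None
    ihl = (frame[ETH_HDR] & 0x0F) * 4          # IPv4 header length in bytes
    if frame[ETH_HDR + 9] != 1:                 # protocol field: 1 = ICMP
        return None
    icmp = frame[ETH_HDR + ihl:]
    if len(icmp) < ICMP_HDR:
        return None
    return icmp[0], icmp[ICMP_HDR:]


def looks_like_text(data: bytes) -> bool:
    """True when the data field is entirely printable ASCII (a message, not padding)."""
    return bool(data) and all(32 <= b < 127 or b in b"\r\n\t" for b in data)


def suspicious_icmp(frame: bytes, baseline: int = BASELINE_FRAME_LEN) -> list:
    """Reasons an echo request/reply looks like a covert channel; empty list = nothing seen."""
    parsed = parse_icmp_frame(frame)
    if parsed is None or parsed[0] not in (0, 8):   # only echo reply / echo request
        return []
    data = parsed[1]
    reasons = []
    if len(frame) > baseline:
        reasons.append("frame %dB exceeds baseline %dB" % (len(frame), baseline))
    if looks_like_text(data):
        reasons.append("printable text in ICMP data")
    return reasons


def build_echo_request(data: bytes) -> bytes:
    """Constructed sample frame (placeholder MACs and addresses, checksums left zero)."""
    eth = b"\x00" * 12 + b"\x08\x00"
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, IP_HDR_MIN + ICMP_HDR + len(data),
                     0, 0, 64, 1, 0, bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    icmp = struct.pack("!BBHHH", 8, 0, 0, 1, 1)  # type 8, code 0, checksum, id, seq
    return eth + ip + icmp + data
```

The ping utility on most systems pads its echo requests with data, so tune the baseline to what your own hosts send and treat the text check as the stronger of the two signals.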

Smurf attack - when a type 8 (echo request) is sent, a type 0 (echo reply) is sent back. In a Smurf attack the attacker spoofs the source address of the ICMP packet and sends it to a broadcast address, so every host replies to the spoofed source. The network gets congested.

Mitigation:
Filters on routers to counteract spoofing. Filter broadcasts on L3 devices.
"no ip directed-broadcast"

Fraggle attack - same as Smurf but uses UDP. Prevention is the same.

ICMP also used for information gathering. Because TTL is decremented you can map out where devices are in the network.

Port scan - can find open ports.

OS fingerprinting - if the ICMP reply contains a TTL of 128 it is Windows, if the TTL is 64 then it is Linux-based. Timestamps can then be used to work out the version (no timestamp reply on Windows Server/NT; timestamp reply on Win 98, 2000, ME - not sure about recent).

ICMP router discovery - will discover the IP addresses of neighbouring routers, using Router Advertisements or Router Solicitations. RA - type 9, code 0. Router discovery protocol has no authentication. Can be used in MITM attacks.

Mitigation:
Digital certificates, block all type 9 and type 10 ICMP packets.

Teardrop - will crash or reboot machines; exploits overlapping IP fragments - each fragment carries the original IP packet's header and a field stating which bytes it contains. The destination tries to reassemble the overlapping fragments and cannot.

PING flood - overwhelming of ICMP echo requests.

4.1.b MITM

DNSSEC
PKI: TLS
Rogue APs

Need to add more here :)

4.1.c Replay

Valid data transmission repeated or delayed. Can be used w/ MITM to sniff authentication traffic and elevate privileges.

Mitigation:
Use session tokens, OTP, Message Authentication Codes (MAC), timestamping.

4.1.d Spoofing

ARP spoofing - attacker sends spoofed ARP messages, to associate attacker's MAC w/ IP address of legitimate host - can be used to form MITM attacks.

Mitigation:
Dynamic ARP Inspection - uses a trusted database. DHCP snooping can be used to build the trusted database, or it can be built by manual configuration (from the CLI).

Legitimate uses: proxy ARP, and gratuitous ARP requests.

IP address spoofing - used in DoS. Botnet use makes IP address spoofing less pronounced.

Mitigation:
Packet filtering can defend against IP address spoofing, w/ ingress filtering and egress filtering. Block packets from outside w/ an inside source address, and block packets from inside w/ a source address that is not an inside address.
TCP uses sequence numbers to ensure arriving packets are part of established connection.

4.1.e Backdoor

Unauthorized remote access. Worms such as Sobig & Mydoom can do this as well as dedicated software (Back Orifice)

4.1.f Botnets

A botnet is a collection of similar programs that work together to execute specific tasks.
The server is the command-and-control (C&C) server; it often uses IRC, Twitter or IM to relay commands to the bots.

4.1.g Wireless attacks

Sniffing - Kismet
Probing & discovery - active probing - attacker sends probe requests w/out SSID. Passive probing - listening on all channels for everything sent and received. NetStumbler is active, Kismet is passive.

Surveillance - Kismet / airodump - can save to pcap. Can gather WEP traffic and pass it to aircrack (if enough WEP IVs).

4.1.h DoS and DDoS attacks

ICMP flood
SYN flood - forged sender address; the server replies with SYN/ACK and waits for an ACK that never arrives. The half-open connections saturate the connection table.
Teardrop
HTTP POST - declares a Content-Length then sends the body really slowly - the server has to wait, slowing it down.
Reflected DDoS - send packets w/ a spoofed source IP (the target machine); the replies flood the target. Smurf attack is one form of this.

Mitigation:
Block IPs on firewalls, use deep packet inspection
ACLs & rate limiting on switches & routers
IPS
Black-hole traffic
Storm control (level is the % of total available bandwidth of the port) monitors the broadcast, multicast and unicast traffic, can help

4.1.i Virus and worm outbreaks

Virus - modifies other programs and can attach itself to other programs or replicate on execution
Worm - standalone malicious program that copies itself from one host to another over a network and carries other programs (payload)

Mitigation:
ACLs, packet filters, null routing.

Trojan horse - Appears to have one function but actually performs a different function

4.1.j Header attacks

HTTP header injection - headers dynamically generated based on user input, can allow for HTTP response splitting, session fixation, XSS and malicious redirect attacks.
TCP reset - header has RST flag (reset) - usually set to 0. If set to 1 it indicates the receiving computer should immediately stop using the TCP connection. Can be forged by a 3rd machine to kill the connection.
Sequence attacks - intercept communication - uses sequence number prediction
Useful: https://packetcrafter.wordpress.com/2011/02/13/tcp-flags-hackers-playground/

4.1.k Tunnelling attacks

SSH tunnelling - uses TCP forwarding:
ssh -f user@remote -L 2000:localhost:25 -N
telnet localhost 2000
send spam!
Mitigation:
Set "AllowTcpForwarding no" in the SSH server config (sshd_config)

DNS tunnelling - used when a website is blocked by a proxy - data is encapsulated in DNS queries and replies, using base32 and base64 encoding.
Useful: http://resources.infosecinstitute.com/dns-tunnelling/

Mitigation:
Use IPS/IDS
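
As an added example (not from the original post), a Python DNS message checker that serves two passages: the DNS inspection checks listed under 5.1.f (reply ID must match the query ID, maximum message length 512 bytes, domain name at most 255 bytes, labels at most 63 bytes) and a tunnelling heuristic for this section, which scores long, high-entropy labels below the registered domain. The sample queries and the 3.5-bit entropy threshold are constructed for the example; the parser does not handle compression pointers.

```python
import math
import struct

MAX_MSG, MAX_NAME, MAX_LABEL = 512, 255, 63   # limits quoted in the DNS inspection notes (section 5.1.f)


def parse_name(msg: bytes, off: int):
    """Return (labels, next_offset) for the uncompressed name starting at msg[off]."""
    labels = []
    while msg[off]:
        n = msg[off]
        if n > MAX_LABEL:                      # 0xC0 compression pointers land here too
            raise ValueError("label length %d > %d" % (n, MAX_LABEL))
        labels.append(msg[off + 1:off + 1 + n])
        off += 1 + n
    return labels, off + 1


def inspect_dns(query: bytes, reply: bytes) -> list:
    """ID match, message length, name and label length checks; returns violations (empty = pass)."""
    problems = ["%s length %d > %d" % (k, len(m), MAX_MSG)
                for k, m in (("query", query), ("reply", reply)) if len(m) > MAX_MSG]
    qid, rid = struct.unpack("!H", query[:2])[0], struct.unpack("!H", reply[:2])[0]
    if qid != rid:
        problems.append("reply ID 0x%04x != query ID 0x%04x" % (rid, qid))
    try:
        labels, _ = parse_name(query, 12)     # question section follows the 12-byte header
        wire_len = sum(len(l) + 1 for l in labels) + 1
        if wire_len > MAX_NAME:
            problems.append("name length %d > %d" % (wire_len, MAX_NAME))
    except (ValueError, IndexError) as e:
        problems.append("malformed name: %s" % e)
    return problems


def entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte; encoded payloads score far higher than hostnames."""
    counts = [data.count(b) for b in set(data)]
    return -sum(c / len(data) * math.log2(c / len(data)) for c in counts)


def tunnel_score(query: bytes) -> int:
    """Tunnelling heuristic (section 4.1.k): long, high-entropy (base32/base64-like) labels below the domain."""
    labels, _ = parse_name(query, 12)
    score = 0
    for label in labels[:-2]:                  # ignore the registered domain and TLD
        score += len(label) >= 30
        score += entropy(label) > 3.5          # constructed threshold; tune on your own traffic
    return score


def build_query(txid: int, name: str) -> bytes:
    """Constructed sample: standard recursive query, one question, type A, class IN."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(p)]) + p.encode() for p in name.split(".")) + b"\x00"
    return header + qname + struct.pack("!HH", 1, 1)
```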

4.2 Software and OS exploits

Can be used for privilege escalation, or pivoting - using compromised system to attack another - avoiding firewall etc.

4.3 Security and attack tools

Metasploit
Kali Linux / BackTrack
nmap
w3af
Burp suite
Fiddler

4.4 Generic network intrusion prevention concepts

Signature-based - monitors packets for pre-configured/pre-determined attack patterns
Statistical anomaly-based - creates baseline - bandwidth, application use, protocol use, etc - alerts on anomaly.
Stateful protocol analysis - identifies deviations of protocol states

Can sit in-line, or can have traffic passed to it (SPAN etc). Can send alarms, drop traffic, reset connections, block IP addresses. Can correct CRC errors, defragment packet streams, prevent TCP sequencing issues, etc.

4.5 Packet filtering

Basic Packet Filter - Allow or block traffic based on address and port. Will pass, drop (silent discard), or reject (send error response).

Stateful filters work up to L4 - Stateful Packet inspection - retains enough of packet to determine the state (new connection, existing connection)

Application layer - can understand applications and protocols - can detect if an unwanted protocol is trying to bypass the firewall on an allowed port. Deeper inspection - IPS/WAF can mitigate.

4.6 Content filtering and packet inspection

Deep Packet Inspection - examines data & optionally the header of a packet. Combines IPS/IDP w/ stateful firewall.

4.7 Endpoint and posture assessment

Network Admission Control (NAC) - users must authenticate, and can be quarantined if AV not up to date etc.
802.1X, MS AD, Cisco NAC, can be implemented as part of AnyConnect

4.8 QoS marking attacks

Change QoS markings on packet to benefit from QoS - better class of service.
Configuration & provisioning - hackers target the provisioning system, changing the QoS configuration
Data forwarding - injects traffic with QoS markings (DSCP)