CCNP Security-Secure
Published in: Technology, Education
Transcript

  • 1. These slides are taken from the official SECURE guide and the Cisco SNRS slides. 3/26/2014, Eng. Mohannad Alhanahnah.
    SECURE Agenda:
    • Network Security Technologies Overview
    • Routed Data Plane Security
    • Control Plane Security
    • Management Plane Security
    • Network Foundation Protection (NFP)
    • 802.1X and Cisco Identity-Based Networking Services (IBNS)
    • Implementing and Configuring Basic 802.1X
    • Cisco IOS Foundation Security Solutions
    • Implementing and Configuring NAT
    • Implementing and Configuring Zone-Based Policy Firewalls
    • Implementing and Configuring IOS IPS
    • Cisco IOS Site-to-Site Security Solutions
  • 2. Overview of the CCNP Security:
    • All four CCNP Security exams are required:
      ■ SECURE – 642-637
      ■ IPS – 642-627
      ■ FIREWALL – 642-618
      ■ VPN – 642-648
    • ~90 minutes with 60-70 questions
    • Register with Pearson Vue: http://www.vue.com/cisco
    • Exam cost is $200.00 US
    Cisco SAFE:
    • Focuses on the development of good network security designs.
    • Utilizes the Cisco Security Control Framework (SCF).
  • 3. • Examples of technologies that are used to help identify include:
      ■ 802.1x for identity solutions
      ■ Biometric recognition
      ■ Routing authentication
      ■ Secure traffic mechanisms (encryption)
      ■ Authentication mechanisms
    • Examples of technologies that can help monitor this data include:
      ■ AAA
      ■ IDS and IPS
    • Examples of technologies that can help correlate this data include:
      ■ MARS
      ■ NTP
    • Examples of technologies that can help harden network elements include:
      ■ Control plane policing
      ■ Component redundancy
      ■ Device/interface redundancy
      ■ Topology redundancy
    • Examples of technologies that can isolate specific devices or data include:
      ■ ACL and VPN
      ■ Out-of-band management
      ■ Management traffic encryption
      ■ Virtual local-area networks (VLAN)
    • Examples of technologies that can enforce specific policies include:
      ■ IDS and IPS
      ■ Port security
      ■ ACLs
  • 4. Examining Layer 2 Attacks:
    • The most common types of switched data plane attacks are as follows:
      ■ VLAN hopping
      ■ CAM flooding
      ■ MAC address spoofing
      ■ STP spoofing
      ■ DHCP "starvation"
      ■ DHCP server spoofing
      ■ ARP spoofing
      ■ IP spoofing
  • 5. CAM Table Overflow Attack:
    Port Security:
  • 6. Mitigating CAM Table Overflow:
    1. Secure MAC Addresses:
      • Static
      • Dynamic
      • Sticky: the sticky secure port security classification includes dynamically learned addresses that are automatically added to the running configuration.
      • Configuration Guidelines:
        ■ Only on static access ports
        ■ Not on trunk or dynamic access ports
        ■ Not on a SPAN port
        ■ Not on an EtherChannel port
        ■ Voice VLAN assigned dynamic secure addresses
        ■ On a port with a voice VLAN, set the maximum MAC addresses to two plus the maximum number of MAC addresses
        ■ Dynamic port security is enabled on the voice VLAN when security is enabled on the access VLAN
        ■ Not configurable on a per-VLAN basis
        ■ No aging of sticky addresses
        ■ No simultaneous enabling of the protect and restrict options
    2. Configuring Port Security:
  • 7. Verifying Port Security:
  • 9. VLAN Hopping:
    Mitigating VLAN Hopping:
  • 10. Spanning Tree Manipulation:
    Mitigating Spanning Tree Manipulation:
  • 11. MAC Spoofing—Man-in-the-Middle Attacks:
    DHCP Attacks:
  • 12. Mitigating DHCP Attacks:
    1. Port security
    2. DHCP Snooping:
      • DHCP snooping allows the configuration of ports as trusted or untrusted.
      • Untrusted ports cannot process DHCP replies.
      • Configure DHCP snooping trust on uplinks to a DHCP server.
      • Do not configure DHCP snooping trust on client ports.
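An added switch configuration (not from the slides) that applies the port security guidelines from slide 6 and the DHCP snooping trusted/untrusted model from slide 12 on one access switch; interface names, VLAN numbers and the rate limit are assumptions.

```cisco
! Port security on a static access port (guideline: never on trunk, dynamic,
! SPAN or EtherChannel ports). Sticky addresses land in the running config,
! so save it once the expected hosts have been learned.
interface GigabitEthernet0/1
 description user access port (assumed)
 switchport mode access
 switchport access vlan 10
 switchport port-security
 switchport port-security maximum 1
 switchport port-security mac-address sticky
 switchport port-security violation restrict
 ip dhcp snooping limit rate 10
!
! A port with a voice VLAN needs room for the phone plus the hosts behind it:
! two plus the number of data MAC addresses, as the guidelines state.
interface GigabitEthernet0/2
 description phone + PC port (assumed)
 switchport mode access
 switchport access vlan 10
 switchport voice vlan 20
 switchport port-security
 switchport port-security maximum 3
 switchport port-security mac-address sticky
 switchport port-security violation restrict
 ip dhcp snooping limit rate 10
!
! DHCP snooping: enabled globally and per VLAN. Only the uplink toward the
! DHCP server is trusted; DHCP replies arriving on any untrusted port are dropped,
! which defeats a rogue server on a client port.
ip dhcp snooping
ip dhcp snooping vlan 10,20
!
interface GigabitEthernet0/24
 description uplink toward the DHCP server (assumed)
 switchport mode trunk
 ip dhcp snooping trust
!
! Verification: secured addresses and violation counters, then the snooping
! state and the binding table built from observed DHCP leases.
! show port-security interface GigabitEthernet0/1
! show port-security address
! show ip dhcp snooping
! show ip dhcp snooping binding
```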
  • 14. Implementing Identity Management:
    • Cisco ACS Features:
      ■ A centralized identity networking solution
      ■ Manages and administers user access for many Cisco and other devices
      ■ Many advanced features
      ■ TACACS+ and RADIUS server
      ■ Combines AAA
      ■ Cisco NAC support
      ■ Network Access Profiles
      ■ EAP-FAST support
      ■ Downloadable IP ACLs
    TACACS+ Overview:
  • 15. TACACS+ and RADIUS Comparison:
  • 16. Administrator Interface:
  • 17. ACS Policies:
    • Authentication
      ■ Authentication protocols
      ■ User databases
    • Posture validation
      ■ For use with NAC
    • Authorization
      ■ What the user is authorized to do
      ■ Based on identity, posture, or both
  • 18. Implementing Cisco IBNS:
    • Cisco Identity-Based Networking Services
  • 19. Concept of Cisco IBNS:
    • Cisco IBNS is an IEEE 802.1x-based technology solution that increases network security by authenticating users based on personal identity in addition to device MAC and IP address verification.
    • Unified control of user identity for the enterprise: Cisco VPN Concentrators, Cisco IOS Routers, Cisco PIX Firewalls
    IEEE 802.1x:
    • Standard set by the IEEE 802.1 working group
    • A framework designed to address and provide port-based access control using authentication
    • Primarily an encapsulation definition for EAP over IEEE 802 media (EAPOL is the key protocol)
    • Layer 2 protocol for transporting authentication messages (EAP) between the supplicant (user/PC) and the authenticator (switch or access point)
    • Assumes a secure connection
    • Actual enforcement is via MAC-based filtering and port-state monitoring
  • 20. 802.1x Components:
    802.1x Operation:
  • 21. How 802.1x Works:
    • The actual authentication conversation occurs between the client and the authentication server using EAP. The authenticator is aware of this activity, but it is just an intermediary.
    EAP over LAN (EAPOL)
    What Is EAP?
    • EAP: the Extensible Authentication Protocol
    • A flexible transport protocol used to carry arbitrary authentication information, not the authentication method itself
    • Typically runs directly over data-link layers such as PPP or IEEE 802 media
    • Originally specified in RFC 2284, obsoleted by RFC 3748
    • Supports multiple "authentication" types
  • 22. Current Prevalent Authentication Methods:
    • Challenge-response-based
      ■ EAP-MD5: Uses MD5-based challenge-response for authentication
      ■ LEAP: Uses username/password authentication
      ■ EAP-MS-CHAPv2: Uses username/password MS-CHAPv2 challenge-response authentication
    • Cryptographic-based
      ■ EAP-TLS: Uses X.509 v3 PKI certificates and the TLS mechanism for authentication
    • Tunneling methods
      ■ PEAP: PEAP tunnel mode EAP encapsulator; tunnels other EAP types in an encrypted tunnel, much like web-based SSL
      ■ EAP-Tunneled TLS (TTLS): Other EAP methods over an extended EAP-TLS encrypted tunnel
      ■ EAP-FAST: Recent tunneling method designed to not require certificates at all for deployment
    • Other
      ■ EAP-GTC: Generic token and OTP authentication
  • 24. 802.1x and the Guest VLAN:
  • 25. 802.1x and the Restricted VLAN:
    Configuring 802.1x in Cisco IOS:
    1. Enable AAA.
    2. Configure 802.1x authentication.
    3. Configure RADIUS communications.
    4. Enable 802.1x globally.
    5. Configure the interface and enable 802.1x.
    6. Verify 802.1x operation.
  • 26. Enable AAA:
    Configure RADIUS Communications:
  • 27. Enable 802.1x Globally:
    Configure Interface and Enable 802.1x:
  • 28. Configuring Guest and Restricted VLANs:
    Verify 802.1x Operation:
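An added switch configuration (not the slides' own) that walks the six steps from slide 25 and adds the guest and restricted VLANs of slides 24 and 28; the RADIUS address and shared secret, interface name and VLAN numbers are placeholders.

```cisco
! Step 1: enable AAA. Step 2: 802.1x authentication requests go to RADIUS.
aaa new-model
aaa authentication dot1x default group radius
!
! Step 3: RADIUS communications (address and key are placeholders; the key
! protects the EAP exchange between switch and server, so keep it long).
radius-server host 192.0.2.10 auth-port 1812 acct-port 1813 key RADIUS-SECRET-PLACEHOLDER
!
! Step 4: enable 802.1x globally. Without this, no port-level dot1x command
! takes effect, which is a common reason "everything is configured" but no
! port ever authenticates.
dot1x system-auth-control
!
! Step 5: a static access port that requires authentication.
!   guest-vlan  : hosts that never answer EAPOL (no supplicant) are placed in VLAN 30
!   auth-fail   : hosts that fail authentication three times land in VLAN 31
! Both VLANs should be isolated from the production VLAN by the L3 policy.
interface GigabitEthernet0/3
 switchport mode access
 switchport access vlan 10
 dot1x pae authenticator
 dot1x port-control auto
 dot1x guest-vlan 30
 dot1x auth-fail vlan 31
 dot1x auth-fail max-attempts 3
! (Newer IOS releases express the same with "authentication port-control auto"
!  and "authentication event no-response / fail action authorize vlan ...".)
!
! Step 6: verify. Look for the port's authorization state and, when a host
! ended up in the guest or restricted VLAN, why (no EAPOL vs. failed EAP).
! show dot1x all
! show dot1x interface GigabitEthernet0/3 details
! show vlan brief
```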
  • 29. Introducing Cisco NFP:
    Network Foundation Protection (NFP):
    • Cisco NFP protects the network infrastructure.
    • There are several tools used to secure the infrastructure.
    Network Foundation Protection: Enterprise Model
  • 30. Securing the Control Plane:
    • The control plane provides the functionality that builds the tables that are necessary to properly forward traffic. These tables include the routing table, forwarding table, MAC address table, and so on.
    Control Plane Attacks and Mitigation Techniques:
  • 31. Control Plane Protection (CPPr):
    • A framework
    • Provides for all policing and protection
    • Extends the CoPP functionality
    • Finer granularity
    • Traffic classifier
    • Port filtering: provides the ability to drop packets early that are directed at closed or nonlistened-to ports
    • Queue threshold: limits the number of unprocessed packets that a specific protocol can have at the process level
  • 32. Securing the Management Plane:
    • The management plane provides the facilities through which the device is configured for initial deployment and then monitored and maintained thereafter.
    • Protocols of the management plane:
      ■ Telnet
      ■ SNMP
      ■ SSH
      ■ HTTP
      ■ HTTPS
    Tools Used to Secure the Management Plane:
    • Cisco Management Plane Protection (MPP) feature for Cisco IOS Release 12.4(6)T
    • SSH access only
    • ACLs on the vty ports
    • Cisco IOS Software login enhancement
    • Role-based CLI views
  • 33. Cisco IOS MPP:
  • 34. Verifying MPP:
    Securing the Data Plane:
    • The data plane forwards network traffic and applies various services to it, such as security, QoS, accounting, and so on.
  • 35. Data Plane Protection:
    Flexible Packet Matching (FPM):
  • 36. Configuring FPM:
    1. Load a Protocol Header Description File (PHDF)
      ■ For header field matching
    2. Create a traffic class
      ■ Define a protocol stack and specify exact parameters to match
      ■ Using class maps of type "stack" and "access-control"
    3. Create a traffic policy
      ■ Define a service policy
    4. Apply the service policy to an interface
    • 1 & 2: PHDFs and Class Map
  • 37. • 3: Traffic Policies
    • 4: Applying a Service Policy to an Interface:
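An added router configuration (not from the slides) showing the management plane tools of slide 32 and the CPPr port-filter classifier of slide 31 together; the management interface name and the management subnet are assumptions.

```cisco
! Management Plane Protection: management protocols are accepted only on the
! designated management interface. The same packets arriving on any other
! interface are dropped before they reach the process level.
control-plane host
 management-interface GigabitEthernet0/0 allow ssh https snmp
!
! SSH only on the vty lines, restricted to the management subnet (assumed).
! The "deny any log" line gives a syslog record of every rejected attempt.
ip access-list standard MGMT-HOSTS
 permit 10.0.0.0 0.0.0.255
 deny   any log
line vty 0 4
 transport input ssh
 access-class MGMT-HOSTS in
!
! CPPr port filtering: packets addressed to TCP/UDP ports the router is not
! listening on are dropped early instead of being punted to the process level.
class-map type port-filter match-any CLOSED-PORTS
 match closed-ports
policy-map type port-filter DROP-CLOSED
 class CLOSED-PORTS
  drop
control-plane host
 service-policy type port-filter input DROP-CLOSED
!
! Verify MPP and confirm which ports the router actually has open, so the
! port filter cannot silently drop a protocol you still depend on.
! show management-interface
! show control-plane host open-ports
```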
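An added FPM configuration (not the slides' own example) following the four steps on slide 36; it assumes ip.phdf and tcp.phdf are present on flash, that the TCP header carries no options (so the payload starts 40 bytes into the IP packet), and the regex is a constructed placeholder for whatever request pattern you need to block.

```cisco
! Step 1: load the PHDFs that describe the IP and TCP header fields.
load protocol flash:ip.phdf
load protocol flash:tcp.phdf
!
! Step 2a: stack class map, defining the protocol stack (IP carrying TCP).
class-map type stack match-all IP-TCP
 match field ip protocol eq 0x6 next tcp
!
! Step 2b: access-control class map, the exact header fields and bytes to match.
! l3-start offsets count from the first byte of the IP header; 40 = 20 (IP)
! + 20 (TCP without options), an assumption that fails for TCP options.
class-map type access-control match-all BAD-HTTP-REQUEST
 match field tcp dest-port eq 80
 match start l3-start offset 40 size 256 regex ".*BAD-PATTERN-PLACEHOLDER"
!
! Step 3: the child policy holds the action; the parent policy binds the
! stack class to the child policy.
policy-map type access-control FPM-TCP-CHILD
 class BAD-HTTP-REQUEST
  drop
policy-map type access-control FPM-POLICY
 class IP-TCP
  service-policy FPM-TCP-CHILD
!
! Step 4: apply inbound on the interface facing the traffic source (assumed).
interface GigabitEthernet0/0
 service-policy type access-control input FPM-POLICY
!
! Verify that the PHDF loaded and that the class is actually hitting.
! show protocols phdf tcp
! show policy-map type access-control interface GigabitEthernet0/0
```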
  • 38. Introducing IPsec:
    • Combines three protocols into a cohesive security framework
  • 39. IPsec Modes:
    Authentication Header:
    • RFC 2402
    • IP protocol 51
    • Mechanism for providing strong integrity and authentication for IP datagrams
  • 40. Encapsulating Security Payload:
    • RFC 2406
    • IP protocol 50
    • May provide the following:
      ■ Confidentiality (encryption)
      ■ Connectionless integrity
      ■ Data origin authentication
      ■ An antireplay service
    Internet Key Exchange:
    • RFC 2409
    • A hybrid protocol consisting of:
      ■ SKEME: A mechanism for using public key encryption for authentication
      ■ Oakley: A modes-based mechanism for arriving at an encryption key between two peers
      ■ ISAKMP: An architecture for message exchange, including packet formats and state transitions between two peers
    • Phase-based
  • 41. How IKE Works:
    • IKE is a two-phase protocol.
    Internet Security Association and Key Management Protocol (ISAKMP):
    • RFC 2408
    • UDP 500
    • Defines procedures for:
      ■ Authenticating a peer
      ■ Creation and management of SAs
      ■ Key generation techniques
      ■ Threat mitigation
  • 42. Other Protocols and Terminology
    IPsec Configuration Task List:
    1. Check network connectivity
    2. Ensure ACLs are compatible with IPsec
      ■ Allow IP protocols 50 and 51
      ■ Allow UDP 500
    3. Configure IKE
      ■ ISAKMP
    4. Configure IPsec
      ■ Create crypto ACLs
      ■ Define transform sets
      ■ Create crypto map entries
      ■ Set global lifetimes for IPsec SAs
      ■ Apply the crypto map to the interface
  • 43. IPsec VPN Deployment:
    • Site-to-site VPNs
      ■ Fully meshed (static)
      ■ Hub (static) and spoke (dynamic)
      ■ Fully meshed on demand (dynamic)
      ■ DMVPN: provides a combination of static and dynamic on-demand tunnels
    • Remote-access VPNs
      ■ Cisco Easy VPN
      ■ WebVPN (Cisco IOS SSL VPN)
    Fully Meshed VPNs:
    • There are static public addresses between peers.
    • Local LAN addresses can be private or public.
  • 44. Hub-and-Spoke VPNs:
    • A static public address is needed at the hub only.
    • Spoke addresses can be dynamically assigned using DHCP.
    Dynamic Multipoint VPNs:
  • 45. Cisco Easy VPN:
    Cisco IOS WebVPN:
    • Integrated security and routing
    • Clientless and full network SSL VPN access
  • 46. Implementing IPsec VPNs Using Pre-Shared Keys:
    • Prepare for ISAKMP and IPsec.
    • Configure ISAKMP
      ■ Pre-shared key authentication
    • Configure IPsec transforms.
    • Create ACLs for encryption traffic (crypto ACLs).
    • Configure the crypto map.
    • Apply the crypto map to an interface.
    • Test and verify IKE and IPsec.
    Planning the IKE Policy:
    • Determine the following policy details:
      ■ Key distribution method
      ■ Authentication method
      ■ IPsec peer IP addresses and hostnames
      ■ ISAKMP policies for all peers
      ■ Encryption algorithm
      ■ Hash algorithm
      ■ IKE SA lifetime
  • 47. IKE Phase 1 Policy Parameters:
  • 48. IPsec Transforms
  • 49. Identify IPsec Peers:
    Configuring ISAKMP:
    • Step 1: Enable or disable ISAKMP.
    • Step 2: Create ISAKMP policies.
      ■ Configure the authentication method: pre-shared keys or RSA signatures (when using PKI).
    • Step 3: Configure pre-shared keys.
    • Step 4: Verify the ISAKMP configuration.
  • 50. Step 1: Enable or Disable ISAKMP
    Step 2: Create ISAKMP Policies:
  • 51. Create ISAKMP Policies with the crypto isakmp Command:
    Step 3: Configure Pre-Shared Keys:
  • 52. Configuring IPsec:
    • Step 1: Configure transform sets.
    • Step 2: Configure global IPsec SA lifetimes.
    Configure Transform Sets:
  • 53. crypto ipsec security-association lifetime:
    Purpose of Crypto Maps:
    • Crypto maps pull together the various parts configured for IPsec, including:
      ■ Which traffic should be protected by IPsec
      ■ Where IPsec-protected traffic should be sent
      ■ The local address to be used for the IPsec traffic
      ■ Which IPsec type should be applied to this traffic
      ■ Whether SAs are established manually or via IKE
      ■ Other parameters needed to define an IPsec SA
  • 54. IPsec Configuration Example:
    Implementing IPsec VPNs Using PKI:
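The pre-shared key site-to-site procedure of slides 42 and 46-53, written out as an added configuration for one peer (this is not the slides' own configuration example): peer addresses, LAN prefixes, names and the key are placeholders, with 10.1.0.0/16 behind this router and 10.2.0.0/16 behind the peer.

```cisco
! Task 2 (slide 42): an inbound ACL on the outside interface must pass ESP (50),
! AH (51) and ISAKMP (UDP 500) from the peer, or IKE never completes. Cisco IOS
! also evaluates the decrypted inner packets against this ACL, so the remote
! LAN to local LAN traffic is permitted here as well.
ip access-list extended OUTSIDE-IN
 permit esp host 203.0.113.2 host 203.0.113.1
 permit ahp host 203.0.113.2 host 203.0.113.1
 permit udp host 203.0.113.2 host 203.0.113.1 eq isakmp
 permit ip 10.2.0.0 0.0.255.255 10.1.0.0 0.0.255.255
!
! Task 3: IKE phase 1 policy and the pre-shared key for this peer. The key is
! the only thing authenticating the peer, so use a long random value, not a word.
crypto isakmp policy 10
 encryption aes 256
 hash sha
 authentication pre-share
 group 14
 lifetime 86400
crypto isakmp key PSK-PLACEHOLDER address 203.0.113.2
!
! Task 4: transform set (phase 2 proposal) and the global IPsec SA lifetime.
crypto ipsec transform-set AES-SHA esp-aes 256 esp-sha-hmac
 mode tunnel
crypto ipsec security-association lifetime seconds 3600
!
! Crypto ACL: "permit" means "protect". The peer's crypto ACL must be the
! mirror image, or phase 2 fails with a proxy identity mismatch.
ip access-list extended CRYPTO-ACL
 permit ip 10.1.0.0 0.0.255.255 10.2.0.0 0.0.255.255
!
! The crypto map ties peer, transform set and crypto ACL together.
crypto map SITE-TO-SITE 10 ipsec-isakmp
 set peer 203.0.113.2
 set transform-set AES-SHA
 match address CRYPTO-ACL
!
interface GigabitEthernet0/0
 ip address 203.0.113.1 255.255.255.252
 ip access-group OUTSIDE-IN in
 crypto map SITE-TO-SITE
!
! Test and verify: phase 1 SA state (QM_IDLE means established) and phase 2
! encrypt/decrypt counters, which only move once interesting traffic flows.
! show crypto isakmp sa
! show crypto ipsec sa
! show crypto map
```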
  • 55. Digital Signatures:
  • 56. X.509v3 Digital Certificate:
    Certificate Enrollment:
  • 57. Configuring a Site-to-Site VPN Using PKI:
    • Prepare for ISAKMP and IPsec
    • Configure CA support
    • Configure ISAKMP for IPsec
      ■ rsa-sig authentication
    • Configure IPsec transforms
    • Create ACLs for encryption traffic (crypto ACLs)
    • Configure the crypto map
    • Apply the crypto map to an interface
    • Test and verify IPsec
    Set the Router Time and Date:
  • 58. Configuring a Hostname and Domain Name:
    Add a CA Server Entry to the Router Host Table:
  • 59. Generate an RSA Key Pair:
    Declaring a CA:
  • 60. Authenticate the CA:
    Request Your Own Certificate:
  • 61. Verify the CA Support Configuration:
    Configuring GRE Tunnels:
    • Generic Routing Encapsulation (GRE) was designed to carry multiprotocol and IP multicast traffic between sites that might not have IP connectivity.
    • RFCs 1701, 1702, 2784
    • Uses IP protocol 47 when encapsulated within IP
    • Allows passing of routing information between connected networks
    • One of the significant advantages of GRE tunneling over (non-VTI) IPsec tunnels is that GRE uses Cisco IOS Software interfaces that can utilize QoS features.
    • GRE does have some limitations:
      ■ GRE provides no cryptographic protection for traffic and must be combined with IPsec to provide it.
      ■ There is no standard way to determine the end-to-end state of a GRE tunnel. Cisco IOS Software provides proprietary GRE keepalives for this purpose.
  • 62. Deployment Scenario:
  • 63. Configuring a GRE Tunnel:
    1. Create and identify the tunnel interface.
    2. Configure the tunnel interface source address.
    3. Configure the tunnel interface destination address.
    4. Bring up the tunnel interface (administratively).
    5. Configure routes.
  • 64. GRE/IPsec:
  • 65. GRE with Encryption Example:
    Configuring a DMVPN:
    • The Cisco DMVPN feature allows administrators to deploy scalable IPsec VPNs for both small and large networks.
    • Relies on:
      ■ IPsec profiles
      ■ Next Hop Resolution Protocol (NHRP): The NHRP database maintains mappings between the router (public, physical interface) and tunnel (inside the tunnel interface) IP addresses of each spoke.
      ■ Multipoint Generic Routing Encapsulation (mGRE): allows a single GRE interface to support multiple GRE tunnels and makes the configuration much easier.
    • Benefits:
      ■ Hub router configuration reduction
      ■ Automatic IPsec encryption initiation
      ■ Support for dynamically addressed spoke routers
      ■ Dynamic tunnel creation for spoke-to-spoke tunnels
  • 66. Single DMVPN Topology:
    Dual DMVPN Topology:
  • 67. DMVPN Deployment Models:
    DMVPN Configuration Tasks:
    • ISAKMP and IPsec configuration
    • Tunnel protection configuration
      ■ IPsec profiles
    • Tunnel interface configuration
      ■ mGRE configuration
      ■ NHRP configuration
    • Routing protocol configuration
  • 68. ISAKMP and IPsec:
    IPsec Profile:
  • 69. DMVPN Example:
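The CA support steps of slides 57-61 as one added configuration (not the slides' own): hostname, domain, CA address, trustpoint name and enrollment URL are placeholders, and SCEP over HTTP is assumed as the enrollment method.

```cisco
! Time first: certificate validity and CRL checks compare against the router
! clock, so a wrong clock makes a valid CA look expired or not yet valid.
! Preferred: NTP (server address assumed). Fallback: set it by hand.
ntp server 192.0.2.123
! clock set 12:00:00 26 Mar 2014
!
! Hostname and domain name: together they form the default RSA key label and
! the certificate subject, so set them before generating keys.
hostname R1
ip domain-name example.com
!
! CA server entry in the router host table (address assumed).
ip host ca-server.example.com 192.0.2.20
!
! Generate the RSA key pair (exec mode). 2048 bits; the label defaults to
! hostname.domain, which the trustpoint below references explicitly.
crypto key generate rsa general-keys modulus 2048
!
! Declare the CA as a trustpoint.
crypto pki trustpoint EXAMPLE-CA
 enrollment url http://ca-server.example.com:80
 subject-name CN=R1.example.com
 revocation-check crl
 rsakeypair R1.example.com
!
! Authenticate the CA (exec mode): the router downloads the CA certificate and
! shows its fingerprint. Compare it with the fingerprint obtained from the CA
! operator out of band before accepting it; this step is what prevents a
! rogue CA from being trusted. Then request the router's own certificate.
! crypto pki authenticate EXAMPLE-CA
! crypto pki enroll EXAMPLE-CA
!
! Verify the CA support configuration: both the CA certificate and the
! router certificate should be listed with status Available.
! show crypto pki trustpoints
! show crypto pki certificates
!
! ISAKMP policy for the PKI-based VPN: RSA signatures replace the
! pre-shared key; no per-peer key statement is needed.
crypto isakmp policy 10
 encryption aes 256
 hash sha
 authentication rsa-sig
 group 14
```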
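An added GRE-over-IPsec configuration (not the slides' "GRE with Encryption Example") that carries out the five GRE steps of slide 63 and protects the tunnel with the IPsec profile of slide 68 instead of a crypto map; transport addresses 203.0.113.1/.2, the LAN prefixes, tunnel addressing and the key are assumptions.

```cisco
! Phase 1 and the pre-shared key for the remote peer (key is a placeholder).
crypto isakmp policy 10
 encryption aes 256
 hash sha
 authentication pre-share
 group 14
crypto isakmp key PSK-PLACEHOLDER address 203.0.113.2
!
! Transport mode is enough here: GRE already supplies the outer IP header,
! so IPsec only needs to protect the GRE packet, saving 20 bytes per packet.
crypto ipsec transform-set GRE-TS esp-aes 256 esp-sha-hmac
 mode transport
!
! IPsec profile: the parameters a crypto map would carry, minus peer and
! crypto ACL, because the tunnel interface supplies both.
crypto ipsec profile GRE-PROT
 set transform-set GRE-TS
!
! GRE steps 1-4: tunnel interface, source, destination, bring it up.
! "keepalive" enables the proprietary GRE keepalives mentioned on slide 61,
! so the interface goes down when the far end stops answering.
interface Tunnel0
 ip address 172.16.0.1 255.255.255.252
 tunnel source GigabitEthernet0/0
 tunnel destination 203.0.113.2
 tunnel mode gre ip
 keepalive 10 3
 tunnel protection ipsec profile GRE-PROT
 no shutdown
!
! Step 5: routes. A static route is shown; a routing protocol across the
! tunnel (the page's "passing of routing information") works the same way.
ip route 10.2.0.0 255.255.0.0 Tunnel0
!
! Verify: the tunnel must be up/up (keepalives answered) and the IPsec SA
! must show GRE (protocol 47) between the two transport addresses.
! show interfaces Tunnel0
! show crypto ipsec sa
```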
  • 71. DMVPN Routing Tables:
    DMVPN NHRP Mapping Tables:
  • 72. IPsec Profile:
    Hub Configuration:
  • 73. Spoke Configuration:
    Configuring Cisco IOS SSL VPN (WebVPN):
    Remote-Access Modes:
  • 74. Configuring WebVPN:
    • WebVPN prerequisites:
      ■ Configure AAA: local or ACS authentication
      ■ Configure DNS: router hostname and domain name; map the host to an IP address in the router host table
      ■ Configure certificates and trustpoints: CA or self-signed
    • WebVPN configuration:
      ■ Configure a WebVPN gateway
      ■ Configure a WebVPN context
      ■ Configure a URL list for clientless access
      ■ Configure Microsoft file shares for clientless access
      ■ Configure application port forwarding
      ■ Configure a WebVPN policy group
    AAA Configuration—Local Authentication
  • 75. AAA Configuration—External Authentication
    DNS Configuration
  • 76. Gateway Configuration Commands:
    Context Configuration Commands:
  • 77. URL Lists
    Group Policy Configuration Commands:
  • 78. Configuring Cisco Easy VPN Remote Access:
    Cisco Easy VPN is made up of two components:
    • Cisco Easy VPN Server: Enables Cisco IOS routers, Cisco ASA/Cisco PIX Firewall, and Cisco VPN 3000 Series Concentrators to act as VPN headend devices in site-to-site or remote-access VPNs, where the remote office devices are using the Cisco Easy VPN Remote feature.
    • Cisco Easy VPN Remote: Enables Cisco IOS routers, Cisco ASA/Cisco PIX Firewall, and Cisco VPN 3002 Hardware Clients or Cisco VPN Software Clients to act as remote VPN clients.
    Remote Access Using Cisco Easy VPN:
  • 79. Cisco Easy VPN Remote Connection Process:
    Cisco Easy VPN Remote Configuration General Tasks for Access Routers:
    • Configure the DHCP server pool.
    • Configure the Cisco Easy VPN Remote client profile:
      ■ Group and key
      ■ Peer
      ■ Mode
      ■ Manual or automatic tunnel control
    • Assign the Cisco Easy VPN Remote client profile to the interfaces.
    • Verify the Cisco Easy VPN configuration.
  • 82. Cisco Easy VPN Server—General Configuration Tasks:
    The following general tasks are used to configure Cisco Easy VPN Server on a Cisco router:
    • (Optional) Create an IP address pool for connecting clients
    • Enable group policy lookup via AAA
    • Create an ISAKMP policy for remote VPN client access
    • Define a group policy for mode configuration push
    • Apply mode configuration and XAUTH
    • Enable RRI for the client
    • Enable IKE
    • Configure XAUTH
    • (Optional) Enable the XAUTH Save Password feature
  • 83. Create ISAKMP Policy for Remote VPN Client Access
    Create Transform Sets
  • 84. Examining Cisco IOS Firewall:
    • Deploy:
      ■ As an Internet firewall
      ■ Between groups on the internal network
      ■ As a VPN endpoint from branches
      ■ Between partner network and corporate
    • Features:
      ■ Cisco IOS Software Stateful Packet Inspection
      ■ Protection against attack
      ■ Alerts and audit trails
      ■ Authentication proxy
      ■ Support for NAT and Port-to-Application Mapping (PAM)
    Cisco IOS Firewall Feature Set:
    • Classic firewall
    • Authentication proxy
    • Cisco IOS IPS
    • ACLs
    • TCP Intercept
    • PAM
    • NAT
    • Security server support
      ■ RADIUS, TACACS+, Kerberos
      ■ User authentication and authorization
  • 85. Cisco IOS Firewall Authentication Proxy:
    Cisco IOS IPS:
  • 86. Configuring Cisco IOS Classic Firewall:
    • Context-Based Access Control (CBAC) applied policies through inspect statements and configured access control lists (ACL) between interfaces.
    • The Zone-Based Policy Firewall (ZBPFW) is the next Cisco implementation of a router-based firewall that runs in Cisco IOS Software. It was introduced in IOS Release 12.4(6)T.
    • As was supported by CBAC, the ZBPFW supports stateful inspection as well as Application Inspection and Control (AIC), which is also referred to as Deep Packet Inspection (DPI). This includes inspection support for Layers 3 through 7.
    • As mentioned previously, one of the main differences between a firewall using CBAC and ZBPFW is the use of security zones.
  • 87. IOS Classic Firewall Configuration:
  • 89. Configuring Cisco IOS Zone-Based Policy Firewall:
  • 90. Zoning Rules Summary:
    • If two interfaces are not in zones, traffic flows freely between them.
    • If one interface is in a zone and another interface is not in a zone, traffic may never flow between them.
    • If two interfaces are in two different zones, traffic will not flow between the interfaces until a policy is defined to allow the traffic.
  • 91. Configuring a Cisco IOS Zone-Based Policy Firewall:
    1. Identify interfaces that share the same security function and group them into the same security zones.
    2. Determine the required traffic flow between zones in both directions.
    3. Set up zones.
    4. Set up zone pairs for any policy other than deny all.
    5. Define class maps to describe traffic between zones.
    6. Associate class maps with policy maps to define actions applied to specific policies.
    7. Assign policy maps to zone pairs.
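An added two-zone configuration (not the slides' own) that carries out steps 3-7 of slide 91 and relies on the zoning rules of slide 90 for everything it does not state explicitly; interface names and the protocol list are assumptions.

```cisco
! Step 3: zones. Every interface below is placed in a zone; by the rules on
! slide 90 an interface left out of any zone could not talk to these at all.
zone security INSIDE
zone security OUTSIDE
!
! Step 5: the traffic INSIDE users may start toward OUTSIDE.
class-map type inspect match-any INSIDE-TO-OUTSIDE
 match protocol http
 match protocol https
 match protocol dns
 match protocol icmp
!
! Step 6: actions. "inspect" creates state so the return traffic is admitted
! without any OUTSIDE->INSIDE policy. class-default is dropped (and logged)
! to make the default explicit and visible in syslog.
policy-map type inspect INSIDE-TO-OUTSIDE-POLICY
 class type inspect INSIDE-TO-OUTSIDE
  inspect
 class class-default
  drop log
!
! Steps 4 and 7: one zone pair for the one permitted direction, with its
! policy. No OUTSIDE->INSIDE zone pair exists, so by the third zoning rule
! unsolicited traffic from OUTSIDE is dropped without a line of policy.
zone-pair security IN-OUT source INSIDE destination OUTSIDE
 service-policy type inspect INSIDE-TO-OUTSIDE-POLICY
!
! Interface membership (names assumed). Traffic to the router itself is in
! the built-in "self" zone and is not affected by this pair.
interface GigabitEthernet0/1
 zone-member security INSIDE
interface GigabitEthernet0/0
 zone-member security OUTSIDE
!
! Verify: zone membership, pair-to-policy binding, then the live sessions
! the inspect action has created.
! show zone security
! show zone-pair security
! show policy-map type inspect zone-pair sessions
```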
  • 95. These slides taken from the official SECURE guide and Cisco SNRS slides 3/26/2014 Eng. Mohannad Alhanahnah 95 Configuring Cisco IOS Firewall Authentication Proxy: • HTTP, HTTPS, FTP, and Telnet authentication • Provides dynamic, per-user authentication and authorization via TACACS+ and RADIUS protocols • Once authenticated, all types of application traffic can be authorized • Works on any interface type for inbound or outbound traffic
  • 96. Configuring Cisco IOS IPS:
  • 97.
    • Uses the underlying routing infrastructure
    • Inline deep packet inspection
      – Software-based inline intrusion prevention sensor
    • IPS signature support
      – Signature-based packet scanning; uses the same set of signatures as the IDS Sensor platform
      – Dynamic signature update (no need to update the IOS image)
      – Customized signature support
    • Variety of event actions configurable on a per-signature basis
    • Parallel signature scanning
    • Named and numbered extended ACL support
    Cisco IPS Hardware Modules:
  • 98. Signature Engines:
    Signature Actions:
    • Alarm
      – Sends an alarm via syslog and SDEE
    • Reset
      – Applies to TCP connections; sends a reset to both peers
    • Drop
      – Drops the packet
    • DenyAttackerInline
      – Blocks the attacker's source IP address completely. No connection can be established from the attacker to the router until the shun time expires (this is set by the user).
    • DenyFlowInline
      – Blocks the appropriate TCP flow from the attacker. Other connections from the attacker can still be established to the router.
  • 99. Event Risk Rating Calculation:
    Signature Definition File (SDF):
    • An SDF contains all or a subset of the signatures supported by Cisco IPS.
    • An IPS loads the signatures contained in the SDF and scans incoming traffic for matching signatures.
    • The IPS enforces the policy defined in the signature action.
    • Cisco IPS uses the SDF to populate internal tables with the information necessary to detect each signature.
    • The SDF can be saved in the router flash memory.
    • SDFs are downloaded from cisco.com.
    • Two pre-built SDFs:
      • 256MB.sdf
      • 128MB.sdf
  • 100. Issues to Consider:
    • Memory use and performance impact
    • Limited persistent storage
    • CPU-intensive
    • Updated signature coverage
    • More than 1500 common attacks
    Configuration Tasks:
    • Install Cisco IOS Firewall IPS on the router:
      • Specify the location of the SDF.
      • Create an IPS rule.
      • Attach a policy to a signature (optional).
      • Apply the IPS rule to an interface.
      • Configure logging via syslog or SDEE.
      • Verify the configuration.
  • 101. Configure SDEE and HTTPS Server on the Cisco ISR:
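The IPS configuration tasks and the SDEE/HTTPS step from the two slides above, as one added Cisco IOS example in the SDF-based IOS IPS syntax the slides describe (not taken from the slides themselves); the rule name, ACL name and interface are assumptions, the SDF file name is the one the slides list.

```cisco
! SDEE is carried over HTTPS, so the secure HTTP server must be on
! before the router can deliver SDEE events to a monitoring station
ip http secure-server
ip ips notify sdee
ip sdee events 500
ip sdee subscriptions 1
! Also send events to syslog so they are kept off-box
ip ips notify log
!
! Task: specify the location of the SDF stored in flash (file name from the slide)
ip ips sdf location flash:128MB.sdf
!
! Task: create the IPS rule (name assumed); the optional ACL limits which
! traffic the rule scans, which helps with the CPU and memory cost noted above
ip access-list extended IPS-SCOPE
 permit ip any any
ip ips name IOSIPS list IPS-SCOPE
!
! Task: apply the rule inbound on the untrusted interface (interface name assumed)
interface GigabitEthernet0/1
 ip ips IOSIPS in
!
! Task: verify the configuration
! show ip ips configuration
! show ip ips signatures count
! show ip sdee events
```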
  • 104. Tune Signature in Cisco Configuration Professional:
    Configure Event Action Override:
  • 105. Configure Event Action Filter:
    Network Address Translation (NAT):
    NAT Types:
  • 106.
    • Static NAT Example:
    • Dynamic NAT Example:
  • 107.
    • PAT Example:
  • 109. After Implementing Mitigation Techniques:
