These slides taken from the official SECURE
guide and Cisco SNRS slides
3/26/2014
Eng. Mohannad Alhanahnah 1
SECURE
Agenda:
• Network Security Technologies Overview
• Routed Data Plane Security
• Control Plane Security
• Management Plane Security
• Network Foundation Protection (NFP)
• 802.1X and Cisco Identity-Based Networking Services (IBNS)
• Implementing and Configuring Basic 802.1X
• Cisco IOS Foundation Security Solutions
• Implementing and Configuring NAT
• Implementing and Configuring Zone-Based Policy Firewalls
• Implementing and Configuring IOS IPS
• Cisco IOS Site-to-Site Security Solutions
Overview of the CCNP Security
• All four CCNP Security exams required
• SECURE – 642-637
• IPS – 642-627
• FIREWALL – 642-618
• VPN – 642-648
• ~90 minutes with 60-70 questions
• Register with Pearson Vue
• http://www.vue.com/cisco
• Exam cost is $200.00 US
Cisco SAFE
• Focuses on the development of good network security designs.
• Utilizes the Cisco Security Control Framework (SCF).
• Examples of technologies that are used to help identify
include:
■ 802.1x for identity solutions
■ Biometric recognition
■ Routing authentication
■ Secure traffic mechanisms (encryption)
■ Authentication mechanisms
• Examples of technologies that can help monitor this data include:
• AAA
• IDS and IPS
• Examples of technologies that can help correlate this data
include the following:
• MARS
• NTP
• Examples of technologies that can help harden network
elements include:
■ Control plane policing
■ Component redundancy
■ Device/interface redundancy
■ Topology redundancy
• Examples of technologies that can isolate specific devices
or data include:
■ ACL & VPN
■ Out-of-band management
■ Management traffic encryption
■ Virtual local-area networks (VLAN)
• Examples of technologies that can enforce specific policies:
■ IDS and IPS
■ Port security
■ ACLs
Examining Layer 2 Attacks:
• The most common types of switched data plane attacks
are as follows:
■ VLAN hopping
■ CAM flooding
■ MAC address spoofing
■ STP spoofing
■ DHCP “starvation”
■ DHCP server spoofing
■ ARP spoofing
■ IP spoofing
CAM Table Overflow Attack:
Port Security:
Mitigating CAM Table Overflow:
1. Secure MAC Addresses:
• Static
• Dynamic
• Sticky: The sticky secure switch port security classification includes dynamically learned addresses
that are automatically added to the running configuration.
• Configuration Guidelines:
• Only on static access ports
• Not on trunk or dynamic access ports
• Not on SPAN port
• Not on EtherChannel port
• The voice VLAN is assigned dynamic secure addresses
• On a port with a voice VLAN, set the maximum number of secure MAC addresses to two plus the maximum
number of MAC addresses allowed on the access VLAN
• Dynamic port security is enabled on the voice VLAN when port security is enabled on the access VLAN
• Not configurable on per-VLAN basis
• No aging of sticky addresses
• No simultaneous enabling of protect and restrict options
2. Configuring Port Security:
Verifying Port Security
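As an added example (not a slide from this deck and not Cisco's reference configuration), the following Cisco IOS configuration applies the port security guidelines above to a single access port with a voice VLAN and then verifies it. The interface name, the VLAN numbers and the assumption of one PC plus one IP phone per port are illustrative.

```cisco
! Added example configuration; interface, VLANs and device count are assumptions.
interface GigabitEthernet0/5
 description User access port (one PC, one IP phone)
 ! Port security is only supported on static access ports, so pin the mode.
 switchport mode access
 switchport access vlan 10
 switchport voice vlan 110
 switchport port-security
 ! Voice VLAN rule: two plus the MACs allowed on the access VLAN (1 PC) = 3
 switchport port-security maximum 3
 ! restrict = drop offending frames, count the violation and raise a
 ! syslog/SNMP trap, without err-disabling the port
 switchport port-security violation restrict
 ! Sticky: learned addresses are written to the running configuration
 ! (save it with "copy running-config startup-config" to keep them across reloads)
 switchport port-security mac-address sticky
!
! Verification: per-port state, violation counters and the secure address table
show port-security
show port-security interface GigabitEthernet0/5
show port-security address
```

A rising "Security Violation Count" in `show port-security interface` is the signal that a flooding tool or an unexpected device sits behind the port. With `violation shutdown` instead of `restrict` the port goes err-disabled on the first violation and comes back only after `errdisable recovery cause psecure-violation` or a manual `shutdown` / `no shutdown`.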
VLAN Hopping:
Mitigating VLAN Hopping:
Spanning Tree Manipulation:
Mitigating Spanning Tree Manipulation:
MAC Spoofing—Man-in-the-Middle Attacks:
DHCP Attacks:
Mitigating DHCP Attacks:
1. Port security:
2. DHCP Snooping:
• DHCP snooping allows the configuration of ports as trusted or
untrusted.
• DHCP server replies (OFFER/ACK) received on untrusted ports are dropped.
• Configure DHCP snooping on uplinks to a DHCP server.
• Do not configure DHCP snooping on client ports.
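As an added example (not from the slides or from Cisco's documentation), this Cisco IOS configuration enables DHCP snooping on the client VLANs, trusts only the uplink toward the DHCP server, and rate-limits client ports to blunt DHCP starvation. Interface names, VLAN numbers, the rate limit and the flash path for the binding database are assumptions.

```cisco
! Added example configuration; interface names, VLANs and rate limit are assumptions.
! Enable snooping globally, then per VLAN (nothing is filtered until both are set).
ip dhcp snooping
ip dhcp snooping vlan 10,110
! Assumption: no relay agent expects option 82 here, so do not insert the
! relay-agent information option (many DHCP servers drop packets carrying it).
no ip dhcp snooping information option
!
! Uplink toward the DHCP server: trusted, so server replies (OFFER/ACK) are allowed.
interface GigabitEthernet0/1
 description Uplink to distribution / DHCP server
 ip dhcp snooping trust
!
! Client ports stay untrusted (the default): replies arriving here are dropped,
! which blocks a rogue DHCP server. Rate-limit requests to blunt starvation floods.
interface range GigabitEthernet0/5 - 24
 ip dhcp snooping limit rate 10
!
! Keep the binding table across reloads (assumed flash path).
ip dhcp snooping database flash:dhcp-snoop.db
!
! Verification: trust state per interface, learned bindings, drop counters
show ip dhcp snooping
show ip dhcp snooping binding
show ip dhcp snooping statistics
```

The binding table built here (MAC, IP, VLAN, port, lease) is what the switch consults when it drops a reply on an untrusted port, and it is also the data source for Dynamic ARP Inspection should ARP spoofing from the attack list above need to be addressed on the same switch.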
Implementing Identity Management:
• Cisco ACS Features
• A centralized identity networking solution
• Manage and administer user access for many Cisco and other
devices
• Many advanced features
• TACACS+ and RADIUS server
• Combines AAA
• Cisco NAC support
• Network Access Profiles
• EAP-FAST support
• Downloadable IP ACLs
TACACS+ Overview:
TACACS+ and RADIUS Comparison:
Administrator Interface:
ACS Policies:
• Authentication
–Authentication protocols
–User databases
• Posture validation
–For use with NAC
• Authorization
–What the user is authorized to do
–Based on identity, posture, or both
Implementing Cisco IBNS:
• Cisco Identity-Based Networking Services
Concept of Cisco IBNS:
• Cisco IBNS is an IEEE 802.1x-based technology solution that
increases network security by authenticating users based on personal
identity in addition to device MAC and IP address verification.
• Unified control of user identity for the enterprise, across Cisco VPN
Concentrators, Cisco IOS routers and Cisco PIX Firewalls
IEEE 802.1x:
• Standard set by the IEEE 802.1 working group
• A framework designed to address and provide port-based
access control using authentication
• Primarily an encapsulation definition for EAP over IEEE 802
media (EAPOL is the key protocol.)
• Layer 2 protocol for transporting authentication messages
(EAP) between supplicant (user/PC) and authenticator
(switch or access point)
• Assumes a secure connection
• Actual enforcement is via MAC-based filtering and port-state
monitoring
802.1x Components:
802.1x Operation:
How 802.1x Works:
The actual authentication conversation occurs between the client and the
authentication server using EAP. The authenticator is aware of this activity, but
it is just an intermediary.
EAP Over LAN (EAPOL)
What Is EAP?
• EAP—the Extensible Authentication Protocol
• A flexible transport protocol used to carry arbitrary
authentication information—not the authentication method
itself
• Typically runs directly over data-link layers such as PPP
or IEEE 802 media
• Originally specified in RFC 2284, obsoleted by RFC 3748
• Supports multiple “authentication” types
Current Prevalent Authentication Methods:
• Challenge-response-based
• EAP-MD5: Uses MD5-based challenge-response for authentication
• LEAP: Uses username/password authentication
• EAP-MS-CHAPv2: uses username/password MSCHAPv2 challenge-
response authentication
• Cryptographic-based
• EAP-TLS: Uses X.509 v3 PKI certificates and the TLS mechanism for
authentication
• Tunneling methods
• PEAP: Protected EAP; tunnels other EAP types inside an encrypted TLS
tunnel, much like web-based SSL
• EAP-Tunneled TLS (TTLS): Other EAP methods over an extended EAP-
TLS encrypted tunnel
• EAP-FAST: Recent tunneling method designed to not require certificates
at all for deployment
• Other
• EAP-GTC: Generic token and OTP authentication
802.1x and the Guest VLAN:
802.1x and the Restricted VLAN:
Configuring 802.1x in Cisco IOS:
1. Enable AAA.
2. Configure 802.1x authentication.
3. Configure RADIUS communications.
4. Enable 802.1x globally.
5. Configure interface and enable 802.1x.
6. Verify 802.1x operation.
Enable AAA:
Configure RADIUS Communications:
Enable 802.1x Globally:
Configure Interface and Enable 802.1x:
Configuring Guest and Restricted VLANs:
Verify 802.1x Operation:
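As an added example (not a slide from the deck and not Cisco's own sample), the following Cisco IOS switch configuration walks the six 802.1x steps listed above, including the guest and restricted VLANs, on one access port. The RADIUS server address, the shared secret (written as RADIUS-SECRET-PLACEHOLDER), the interface and the VLAN numbers are assumptions.

```cisco
! Added example configuration; server address, shared secret and VLANs are assumptions.
! 1. Enable AAA
aaa new-model
! 2. 802.1x authentication via RADIUS, plus network authorization so the
!    server can push per-user attributes (VLAN, downloadable ACL)
aaa authentication dot1x default group radius
aaa authorization network default group radius
! 3. RADIUS communications (RADIUS-SECRET-PLACEHOLDER stands in for the real key)
radius-server host 192.0.2.10 auth-port 1812 acct-port 1813 key RADIUS-SECRET-PLACEHOLDER
! 4. Enable 802.1x globally
dot1x system-auth-control
! 5. Interface: authenticator role, port state controlled by the authentication result
interface GigabitEthernet0/5
 switchport mode access
 switchport access vlan 10
 dot1x pae authenticator
 dot1x port-control auto
 ! Guest VLAN: clients that never answer EAPOL (no supplicant)
 dot1x guest-vlan 20
 ! Restricted VLAN: clients that fail authentication three times
 dot1x auth-fail vlan 30
 dot1x auth-fail max-attempts 3
! 6. Verify: global state, per-port state and the current authenticated client
show dot1x all
show dot1x interface GigabitEthernet0/5 details
```

In `show dot1x interface ... details` the port status line (AUTHORIZED / UNAUTHORIZED) and the VLAN the client landed on tell you which path a host took; a host parked in VLAN 30 is a failed authentication worth correlating with the RADIUS server's reject log.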
Introducing Cisco NFP:
Network Foundation Protection (NFP):
• Cisco NFP protects the network infrastructure.
• There are several tools used to secure the infrastructure.
Network Foundation Protection: Enterprise Model
Securing the Control Plane:
• The control plane provides the functionality that builds the
tables necessary to properly forward traffic: the routing table,
the forwarding table, the MAC address table, and so on.
Control Plane Attacks and Mitigation Techniques:
Control Plane Protection (CPPr)
• A framework
• Provides for all policing and protection
• Extends the CoPP functionality
• Finer granularity
• Traffic classifier
• Port filtering: drops packets early when they are directed at
closed or non-listening ports.
• Queue threshold: for limiting the number of unprocessed packets
that a specific protocol can have at the process level
Securing the Management Plane:
• The management plane provides the facilities through which the
device is configured for initial deployment and then monitored
and maintained thereafter.
• Protocols of the Management Plane
• Telnet
• SNMP
• SSH
• HTTP
• HTTPS
Tools Used to Secure the Management Plane:
• Cisco Management Plane Protection (MPP) feature for Cisco IOS
Release 12.4(6)T
• SSH access only
• ACLs on the vty ports
• Cisco IOS Software login enhancement
• Role-based CLI views
Cisco IOS MPP:
Verifying MPP:
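As an added example (not from the slides), this Cisco IOS configuration combines the management plane tools listed above: SSH-only vty access, a source ACL on the vty lines, the login enhancement, and Management Plane Protection restricting management traffic to one interface. The domain name, the management subnet and the interface name are assumptions.

```cisco
! Added example configuration; domain, management subnet and interface are assumptions.
! SSH only (version 2) with a 2048-bit host key; Telnet is never enabled
ip domain-name example.net
crypto key generate rsa modulus 2048
ip ssh version 2
!
! Only the management subnet may open a vty session; other attempts are logged
ip access-list standard MGMT-HOSTS
 permit 10.10.10.0 0.0.0.255
 deny   any log
line vty 0 4
 transport input ssh
 access-class MGMT-HOSTS in
 exec-timeout 10 0
!
! Login enhancement: after 3 failures within 60 s, refuse logins for 120 s,
! except from MGMT-HOSTS, and log every failure and success
login block-for 120 attempts 3 within 60
login quiet-mode access-class MGMT-HOSTS
login on-failure log
login on-success log
!
! Management Plane Protection: SSH and SNMP are accepted only on the
! designated management interface; the same protocols are dropped elsewhere
control-plane host
 management-interface GigabitEthernet0/0 allow ssh snmp
!
! Verify MPP: lists the management interface and the allowed protocols
show management-interface
```

MPP requires Cisco Express Forwarding to be enabled and applies only to the protocols it lists; a protocol not named in `allow` (Telnet here) is dropped on every interface, which is the intended "SSH access only" outcome.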
Securing the Data Plane:
• The data plane forwards network traffic and applies various services
to it, such as security, QoS, accounting, and so on.
Data Plane Protection:
Flexible Packet Matching (FPM):
Configuring FPM:
1. Load a Protocol Header Description File (PHDF)
–For header field matching
2. Create a traffic class
–Define a protocol stack and specify exact parameters to match
–Using class map type “stack” and “access-control”
3. Create a traffic policy
–Define a service policy
4. Apply the service policy to an interface
• 1 & 2 PHDFs and Class Map
• 3 Traffic Policies
• 4 Applying a Service Policy to an Interface:
Introducing IPsec:
• Combines three protocols into a cohesive security
framework
IPsec Modes:
Authentication Header:
• RFC 2402
• IP protocol 51
• Mechanism for providing strong integrity and authentication
for IP datagrams
Encapsulating Security Payload:
• RFC 2406
• IP protocol 50
• May provide the following:
• Confidentiality (encryption)
• Connectionless integrity
• Data origin authentication
• An antireplay service
Internet Key Exchange:
• RFC 2409
• A hybrid protocol consisting of:
• SKEME
• A mechanism for using public key encryption for authentication
• Oakley
• A modes-based mechanism for arriving at an encryption key between
two peers
• ISAKMP
• An architecture for message exchange, including packet formats and
state transitions between two peers
• Phase-based
How IKE Works:
• IKE is a two-phase protocol.
Internet Security Association and Key Management
Protocol (ISAKMP):
• RFC 2408
• UDP 500
• Defines procedures for:
• Authenticating a peer
• Creation and management of SAs
• Key generation techniques
• Threat mitigation
Other Protocols and Terminology
IPsec Configuration Task List:
1. Check network connectivity
2. Ensure ACLs are compatible with IPsec
• Allow IP protocols 50 and 51
• Allow UDP 500
3. Configure IKE
• ISAKMP
4. Configure IPsec
• Create crypto ACLs
• Define transform sets
• Create crypto map entries
• Set global lifetimes for IPsec SAs
• Apply crypto map to the interface
IPsec VPN Deployment:
• Site-to-site VPNs
• Fully meshed (static)
• Hub (static) and spoke (dynamic)
• Fully meshed on demand (dynamic)
• DMVPN: provide for a combination of static and dynamic on-
demand tunnels
• Remote-access VPNs
• Cisco Easy VPN
• WebVPN (Cisco IOS SSL VPN)
Fully Meshed VPNs:
• There are static public addresses between peers.
• Local LAN addresses can be private or public.
Hub-and-Spoke VPNs:
• Static public address needed at the hub only.
• Spoke addresses can be dynamically applied using DHCP.
Dynamic Multipoint VPNs:
Cisco Easy VPN:
Cisco IOS WebVPN:
• Integrated security and routing
• Clientless and full network SSL VPN access
Implementing IPsec VPNs Using Pre-
Shared Keys:
• Prepare for ISAKMP and IPsec.
• Configure ISAKMP
• Pre-shared key authentication
• Configure IPsec transforms.
• Create ACLs for encryption traffic (crypto ACLs).
• Configure crypto map.
• Apply crypto map to an interface.
• Test and verify IKE and IPsec.
Planning the IKE Policy:
• Determine the following policy details:
• Key distribution method
• Authentication method
• IPsec peer IP addresses and hostnames
• ISAKMP policies for all peers
• Encryption algorithm
• Hash algorithm
• IKE SA lifetime
IKE Phase 1 Policy Parameters:
IPsec Transforms
Identify IPsec Peers:
Configuring ISAKMP:
• Step 1: Enable or disable ISAKMP.
• Step 2: Create ISAKMP policies.
• Configure authentication method
• Pre-shared keys
• Step 3: RSA signatures (when using PKI).
• Step 4: Verify ISAKMP configuration.
• Step 1: Enable or Disable ISAKMP
• Step 2: Create ISAKMP Policies:
• Create ISAKMP Policies with the crypto isakmp
Command:
• Step 3: Configure Pre-Shared Keys:
Configuring IPsec:
• Step 1: Configure transform sets.
• Step 2: Configure global IPsec SA lifetimes.
• Configure Transform Sets:
• crypto ipsec security-association lifetime:
Purpose of Crypto Maps:
• Crypto maps pull together the various parts configured for
IPsec, including:
• Which traffic should be protected by IPsec
• Where IPsec-protected traffic should be sent
• The local address to be used for the IPsec traffic
• Which IPsec type should be applied to this traffic
• Whether SAs are established manually or via IKE
• Other parameters needed to define an IPsec SA
• IPsec Configuration Example:
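As an added example (not the slide's configuration and not Cisco's own sample), the following Cisco IOS configuration carries the pre-shared-key site-to-site procedure above through every step on one router: ACL compatibility, ISAKMP policy and key, transform set and SA lifetime, crypto ACL, crypto map and verification. The public addresses (203.0.113.1 local, 203.0.113.2 remote), the LAN prefixes (10.1.0.0/16 and 10.2.0.0/16), the object names and PSK-PLACEHOLDER are assumptions; the remote peer mirrors this configuration with the addresses swapped.

```cisco
! Added example; addresses, names and PSK-PLACEHOLDER are assumptions.
! Prepare: whatever inbound ACL sits on the outside interface must let IKE
! (UDP 500), NAT-T (UDP 4500), ESP (protocol 50) and AH (protocol 51) from the
! peer reach the router. Merge these entries into that ACL.
ip access-list extended OUTSIDE-IN-IPSEC-ENTRIES
 permit udp host 203.0.113.2 host 203.0.113.1 eq isakmp
 permit udp host 203.0.113.2 host 203.0.113.1 eq non500-isakmp
 permit esp host 203.0.113.2 host 203.0.113.1
 permit ahp host 203.0.113.2 host 203.0.113.1
!
! ISAKMP (IKE phase 1) policy and the pre-shared key bound to this one peer
crypto isakmp policy 10
 encryption aes 256
 hash sha256
 authentication pre-share
 group 14
 lifetime 86400
crypto isakmp key PSK-PLACEHOLDER address 203.0.113.2
!
! IPsec (phase 2): transform set and global SA lifetime
crypto ipsec transform-set TS-AES256-SHA256 esp-aes 256 esp-sha256-hmac
 mode tunnel
crypto ipsec security-association lifetime seconds 3600
!
! Crypto ACL: which traffic is protected (must mirror the remote side's ACL)
ip access-list extended CRYPTO-ACL
 permit ip 10.1.0.0 0.0.255.255 10.2.0.0 0.0.255.255
!
! Crypto map: peer, transform set, PFS and the crypto ACL in one entry
crypto map VPN-MAP 10 ipsec-isakmp
 set peer 203.0.113.2
 set transform-set TS-AES256-SHA256
 set pfs group14
 match address CRYPTO-ACL
!
! Apply the crypto map to the outside interface
interface GigabitEthernet0/0
 ip address 203.0.113.1 255.255.255.252
 crypto map VPN-MAP
!
! Test and verify: SAs appear only after interesting traffic triggers IKE
show crypto isakmp sa
show crypto ipsec sa
show crypto map
```

A phase 1 SA shown as QM_IDLE in `show crypto isakmp sa` means IKE succeeded; if it sticks in MM_NO_STATE the policies or the key do not match, and if phase 1 is fine but `show crypto ipsec sa` shows no packets encapsulated, the crypto ACLs on the two ends are usually not mirror images.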
Implementing IPsec VPNs Using PKI:
Digital Signatures:
X.509v3 Digital Certificate:
Certificate Enrollment:
Configuring a Site-to-Site VPN Using PKI:
• Prepare for ISAKMP and IPsec
• Configure CA support
• Configure ISAKMP for IPsec
• rsa-sig authentication
• Configure IPsec transforms
• Create ACLs for encryption traffic (crypto ACLs)
• Configure crypto map
• Apply crypto map to an interface
• Test and verify IPsec
• Set the Router Time and Date:
• Configuring a Hostname and Domain Name:
• Add a CA Server Entry to the Router Host Table:
• Generate an RSA Key Pair:
• Declaring a CA:
• Authenticate the CA:
• Request Your Own Certificate:
• Verify the CA Support Configuration:
Configuring GRE Tunnels:
• Generic Routing Encapsulation (GRE) was designed to carry
multiprotocol and IP multicast traffic between sites that might not
have IP connectivity.
• RFCs 1701, 1702, 2784
• Uses IP protocol 47 when encapsulated within IP
• Allows passing of routing information between connected networks
• One of the significant advantages of GRE tunneling over (non-VTI)
IPsec tunnels is that GRE uses Cisco IOS Software interfaces that
can utilize QoS features.
• GRE does have some limitations:
■ GRE provides no cryptographic protection for traffic and must be combined
with IPsec to provide it.
■ There is no standard way to determine the end-to-end state of a GRE
tunnel. Cisco IOS Software provides proprietary GRE keepalives for this
purpose.
• Deployment Scenario:
Configuring a GRE Tunnel:
1. Create and identify the tunnel interface.
2. Configure the tunnel interface source address.
3. Configure the tunnel interface destination address.
4. Bring up tunnel interface (administratively).
5. Configure routes.
GRE/IPsec:
GRE with Encryption Example:
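As an added example (not the slide's own configuration), the following Cisco IOS configuration follows the five GRE tunnel steps above and then wraps the tunnel in IPsec by matching the GRE packets themselves in the crypto ACL, so the GRE limitation noted earlier (no cryptographic protection) is addressed. Addresses (203.0.113.1 local, 203.0.113.2 remote, LANs 10.1.0.0/16 and 10.2.0.0/16), names and PSK-PLACEHOLDER are assumptions; the peer mirrors it.

```cisco
! Added example; addresses and names are assumptions. Shown for the local router
! (public 203.0.113.1, LAN 10.1.0.0/16); the peer mirrors it with its own addresses.
! 1-4. Tunnel interface: identify it, source, destination, bring it up
interface Tunnel0
 ip address 172.16.0.1 255.255.255.252
 tunnel source GigabitEthernet0/0
 tunnel destination 203.0.113.2
 tunnel mode gre ip
 ! Cisco proprietary keepalives: 10 s interval, 3 misses -> line protocol down
 keepalive 10 3
 ! Leave room for GRE + ESP overhead so large packets are not fragmented
 ip mtu 1400
 ip tcp adjust-mss 1360
 no shutdown
! 5. Routes over the tunnel (static here; a routing protocol could run across it)
ip route 10.2.0.0 255.255.0.0 Tunnel0
!
! IPsec: protect the GRE packets rather than individual LAN subnets
crypto isakmp policy 10
 encryption aes 256
 hash sha256
 authentication pre-share
 group 14
crypto isakmp key PSK-PLACEHOLDER address 203.0.113.2
crypto ipsec transform-set GRE-TS esp-aes 256 esp-sha256-hmac
 ! Transport mode: the GRE header already carries the endpoints, saving 20 bytes
 mode transport
ip access-list extended GRE-CRYPTO-ACL
 permit gre host 203.0.113.1 host 203.0.113.2
crypto map GRE-MAP 10 ipsec-isakmp
 set peer 203.0.113.2
 set transform-set GRE-TS
 match address GRE-CRYPTO-ACL
! The crypto map goes on the physical interface the tunnel is sourced from
interface GigabitEthernet0/0
 crypto map GRE-MAP
!
! Verify: tunnel up, route present, IPsec counters climbing as GRE traffic flows
show interfaces Tunnel0
show ip route 10.2.0.0
show crypto ipsec sa peer 203.0.113.2
```

Because every packet crossing the tunnel is GRE, a single crypto ACL line covers all LAN-to-LAN traffic, multicast included, which is what lets a routing protocol run over the link; with a plain IPsec crypto map the ACL would have to enumerate each subnet pair and could not carry multicast at all.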
Configuring a DMVPN:
• The Cisco DMVPN feature allows administrators to deploy scalable
IPsec VPNs for both small and large networks.
• Relies on:
• IPsec profiles
• Next Hop Resolution Protocol (NHRP): The NHRP database maintains
mappings between the router (public, physical interface) and the tunnel
(inside the tunnel interface) IP addresses of each spoke.
• Multipoint Generic Routing Encapsulation (mGRE): allows a single Generic
Routing Encapsulation (GRE) interface to support multiple GRE tunnels
and makes the configuration much easier
• Benefits:
• Hub router configuration reduction
• Automatic IPsec encryption initiation
• Support for dynamically addressed spoke routers
• Dynamic tunnel creation for spoke-to-spoke tunnels
Single DMVPN Topology:
Dual DMVPN Topology:
DMVPN Deployment Models:
DMVPN Configuration Tasks:
• ISAKMP and IPsec configuration
• Tunnel protection configuration
• IPsec profiles
• Tunnel interface configuration
• mGRE configuration
• NHRP configuration
• Routing protocol configuration
• ISAKMP and IPsec:
• IPsec Profile:
• DMVPN Example:
• DMVPN Routing Tables:
• DMVPN NHRP Mapping Tables:
• IPsec Profile:
• Hub Configuration:
• Spoke Configuration:
Configuring Cisco IOS SSL VPN (WebVPN):
Remote-Access Modes:
Configuring WebVPN:
• WebVPN prerequisites:
• Configure AAA
• Local or ACS authentication
• Configure DNS
• Router hostname and domain name
• Map host to IP address in router host table
• Configure certificates and trustpoints
• CA or self-signed
• WebVPN configuration
• Configure a WebVPN gateway
• Configure a WebVPN context
• Configure a URL list for clientless access
• Configure Microsoft file shares for clientless access
• Configure application port forwarding
• Configure a WebVPN policy group
• AAA Configuration—Local Authentication
• AAA Configuration—External Authentication
• DNS Configuration
• Gateway Configuration Commands:
• Context Configuration Commands:
• URL Lists
• Group Policy Configuration Commands:
Configuring Cisco Easy VPN Remote Access:
Cisco Easy VPN is made up of two components:
• Cisco Easy VPN Server: Enables Cisco IOS routers, Cisco
ASA/Cisco PIX Firewall, and Cisco VPN 3000 Series
Concentrators to act as VPN headend devices in site-to-site
or remote-access VPNs, where the remote office devices are
using the Cisco Easy VPN Remote feature.
• Cisco Easy VPN Remote: Enables Cisco IOS routers,
Cisco ASA/Cisco PIX Firewall, and Cisco VPN 3002
Hardware Clients or Cisco VPN Software Clients to act as
remote VPN Clients.
Remote Access Using Cisco Easy VPN:
Cisco Easy VPN Remote Connection Process:
Cisco Easy VPN Remote Configuration General Tasks
for Access Routers:
• Configure the DHCP server pool.
• Configure the Cisco Easy VPN Remote client profile.
• Group and key
• Peer
• Mode
• Manual or automatic tunnel control
• Assign the Cisco Easy VPN Remote client profile to the
interfaces.
• Verify the Cisco Easy VPN configuration.
Cisco Easy VPN Server—General Configuration Tasks:
The following general tasks are used to configure Cisco Easy
VPN Server on a Cisco router:
• (Optional) Create IP address pool for connecting clients
• Enable group policy lookup via AAA
• Create an ISAKMP policy for remote VPN Client access
• Define a group policy for mode configuration push
• Apply mode configuration and XAUTH
• Enable RRI for the client
• Enable IKE
• Configure XAUTH
• (Optional) Enable the XAUTH Save Password feature
• Create ISAKMP Policy for Remote VPN Client Access
• Create Transform Sets
Examining Cisco IOS Firewall:
• Deploy:
• As an Internet Firewall
• Between groups on internal network
• As a VPN end point from branches
• Between partner network and corporate
• Features:
• Cisco IOS Software Stateful Packet Inspection
• Protection Against Attack
• Alerts and Audit Trails
• Authentication Proxy
• Support for NAT and Port-to-Application Mapping (PAM)
Cisco IOS Firewall Feature Set:
• Classic firewall
• Authentication proxy
• Cisco IOS IPS
• ACLs
• TCP Intercept
• PAM
• NAT
• Security server support
• RADIUS, TACACS+, Kerberos
• User authentication and authorization
Cisco IOS Firewall Authentication Proxy:
Cisco IOS IPS:
Configuring Cisco IOS Classic Firewall:
• The classic firewall is Context-Based Access Control (CBAC), which applies
policies through inspect statements and access control lists (ACLs)
configured between interfaces.
• The Zone-Based Policy Firewall (ZBPFW) is the next Cisco
implementation of a router-based firewall that runs in Cisco IOS
Software. It was introduced in IOS Release 12.4(6)T.
• As was supported by CBAC, the ZBPFW supports stateful
inspection as well as Application Inspection and Control (AIC),
which is also referred to as Deep Packet Inspection (DPI). This
includes inspection support for Layers 3 through 7.
• As mentioned previously, one of the main differences between
a firewall using CBAC and ZBPFW is the use of security zones.
IOS Classic Firewall Configuration:
Configuring Cisco IOS Zone-Based
Policy Firewall:
Zoning Rules Summary:
• If two interfaces are not in zones, traffic flows freely
between them.
• If one interface is in a zone, and another interface is not in
a zone, traffic may never flow between them.
• If two interfaces are in two different zones, traffic will not
flow between the interfaces until a policy is defined to
allow the traffic.
Configuring a Cisco IOS Zone-Based Policy Firewall:
1. Identify interfaces that share the same security function
and group them into the same security zones.
2. Determine the required traffic flow between zones in
both directions.
3. Set up zones.
4. Set up zone pairs for any policy other than deny all.
5. Define class maps to describe traffic between zones.
6. Associate class maps with policy maps to define actions
applied to specific policies.
7. Assign policy maps to zone pairs.
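As an added example (not one of the deck's configuration slides), the following Cisco IOS configuration carries the seven ZBPFW steps above through a two-zone design: INSIDE users may start HTTP, HTTPS, DNS and ICMP toward OUTSIDE, everything else is dropped and logged, and OUTSIDE-initiated traffic has no zone pair at all. Zone, interface and policy names are assumptions.

```cisco
! Added example; zone, interface and policy names are assumptions.
! Steps 1-3. Zones: INSIDE (user LAN) and OUTSIDE (Internet)
zone security INSIDE
zone security OUTSIDE
interface GigabitEthernet0/1
 description LAN
 zone-member security INSIDE
interface GigabitEthernet0/0
 description Internet
 zone-member security OUTSIDE
!
! Step 5. Class map: the traffic INSIDE may initiate toward OUTSIDE
class-map type inspect match-any INSIDE-TO-OUTSIDE-CLASS
 match protocol http
 match protocol https
 match protocol dns
 match protocol icmp
!
! Step 6. Policy map: inspect the listed protocols (return traffic is allowed
! by state); log and drop everything else
policy-map type inspect INSIDE-TO-OUTSIDE-POLICY
 class type inspect INSIDE-TO-OUTSIDE-CLASS
  inspect
 class class-default
  drop log
!
! Steps 4 and 7. One zone pair, one direction. No OUTSIDE -> INSIDE pair exists,
! so that direction stays deny-all apart from stateful return traffic.
zone-pair security IN-OUT source INSIDE destination OUTSIDE
 service-policy type inspect INSIDE-TO-OUTSIDE-POLICY
!
! Verify: zone membership, the pair and its policy, live sessions
show zone security
show zone-pair security
show policy-map type inspect zone-pair sessions
```

Traffic to and from the router itself belongs to the built-in "self" zone, which is not restricted until a policy is attached to a zone pair that includes it; management access to the router from OUTSIDE therefore stays open under this configuration unless a self-zone pair is added.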
Configuring Cisco IOS Firewall
Authentication Proxy:
• HTTP, HTTPS, FTP, and Telnet authentication
• Provides dynamic, per-user authentication and
authorization via TACACS+ and RADIUS protocols
• Once authenticated, all types of application traffic can be
authorized
• Works on any interface type for inbound or outbound
traffic
Configuring Cisco IOS IPS:
• Uses the underlying routing infrastructure
• Inline deep packet inspection
–Software-based inline intrusion prevention sensor
• IPS signature support
–Signature-based packet scanning, using the same set of signatures as the IDS
Sensor platform
–Dynamic signature update (no need to update IOS Image)
–Customized signature support
• Variety of event actions configurable per-signature basis
• Parallel signature scanning
• Named and numbered extended ACL support
Cisco IPS Hardware Modules:
Signature Engines:
Signature Actions:
• Alarm
• Send alarm via Syslog and SDEE
• Reset
• Applies to TCP connections. Sends a reset to both peers
• Drop
• Drops the packet
• DenyAttackerInline
• Blocks the attacker’s source IP address completely. No connection can be
established from the attacker to the router until the shun time expires (this
is set by the user).
• DenyFlowInline
• Blocks the appropriate TCP flow from the attacker. Other connections from
the attacker can be established to the router
Event Risk Rating Calculation:
Signature Definition File (SDF):
• An SDF contains all or a subset of the signatures supported by Cisco IPS.
• The IPS loads the signatures contained in the SDF and scans incoming traffic for matching signatures.
• The IPS enforces the policy defined in the signature action.
• Cisco IPS uses the SDF to populate internal tables with the information necessary to detect each signature.
• The SDF can be saved in the router's flash memory.
• SDFs are downloaded from cisco.com.
• Two pre-built SDFs:
  • 256MB.sdf
  • 128MB.sdf
Issues to Consider:
• Memory use and performance impact
• Limited persistent storage
• CPU-intensive
• Updated signature coverage: more than 1500 common attacks
Configuration Tasks:
• Install Cisco IOS Firewall IPS on the router:
  • Specify the location of the SDF.
  • Create an IPS rule.
  • Attach a policy to a signature (optional).
  • Apply the IPS rule to an interface.
  • Configure logging via syslog or SDEE.
  • Verify the configuration.
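A worked configuration for the tasks above, added here as an example; it is not taken from the slides or from the SECURE guide. It assumes an IOS release that still loads the SDF format these slides describe (the pre-5.x IOS IPS signature format; later releases use different commands), an untrusted-side interface GigabitEthernet0/0, a syslog collector at 10.1.1.50, the rule name MYIPS and signature 1107 as the tuning example, all of which are assumptions.

```cisco
! Added example (not from the slides). Assumed: rule name MYIPS,
! interface GigabitEthernet0/0, syslog collector 10.1.1.50 (constructed).
!
! 1. Specify the location of the SDF (here the pre-built 128MB.sdf copied
!    to flash). Fail closed so that traffic is dropped, not passed
!    uninspected, while the signature engines are being built.
ip ips sdf location flash:128MB.sdf
ip ips fail closed
!
! 2. Create the IPS rule. With no ACL attached, the rule inspects all
!    traffic on the interfaces it is applied to.
ip ips name MYIPS
!
! 3. (Optional) attach a policy to a signature. Disabling one noisy
!    signature is the right fix for a false positive; turning the whole
!    rule off is not. 1107 (RFC 1918 address seen) is an assumed example.
ip ips signature 1107 disable
!
! 4. Logging: syslog to the collector plus SDEE for Cisco Configuration
!    Professional / MARS. SDEE is served by the router's HTTP server, so
!    enable only the HTTPS listener, and size the SDEE event buffer so a
!    burst of alerts is not lost before the client polls.
ip ips notify log
ip ips notify sdee
ip sdee events 500
ip sdee subscriptions 2
ip http secure-server
logging host 10.1.1.50
logging trap informational
!
! 5. Apply the rule inbound on the interface facing the untrusted side.
interface GigabitEthernet0/0
 description to untrusted network
 ip ips MYIPS in
!
! 6. Verify: rule and SDF status, loaded signatures, interface binding,
!    and the events the router has buffered for SDEE clients.
! show ip ips configuration
! show ip ips signatures
! show ip ips interfaces
! show ip sdee events
```

The `show ip ips configuration` output should list the SDF as loaded and the rule bound to the interface; if the signature count is zero, the SDF path or its image-size variant is wrong and, with fail closed set, the interface is dropping traffic.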
Configure SDEE and HTTPS Server on the Cisco ISR:
Tune Signature in Cisco Configuration Professional:
Configure Event Action Override:
Configure Event Action Filter:
Network Address Translation (NAT):
NAT Types:
• Static NAT Example:
• Dynamic NAT Example:
• PAT Example:
After Implementing Mitigation Techniques:

More Related Content

What's hot

Putting Firepower Into The Next Generation Firewall
Putting Firepower Into The Next Generation FirewallPutting Firepower Into The Next Generation Firewall
Putting Firepower Into The Next Generation Firewall
Cisco Canada
 
How to configure cisco asa virtual firewall
How to configure cisco asa virtual firewallHow to configure cisco asa virtual firewall
How to configure cisco asa virtual firewall
IT Tech
 
Cisco router command configuration overview
Cisco router command configuration overviewCisco router command configuration overview
Cisco router command configuration overview
3Anetwork com
 
Cisco Identity Services Engine (ISE)
Cisco Identity Services Engine (ISE)Cisco Identity Services Engine (ISE)
Cisco Identity Services Engine (ISE)
Anwesh Dixit
 
Cisco Live! :: Cisco ASR 9000 Architecture :: BRKARC-2003 | Las Vegas 2017
Cisco Live! :: Cisco ASR 9000 Architecture :: BRKARC-2003 | Las Vegas 2017Cisco Live! :: Cisco ASR 9000 Architecture :: BRKARC-2003 | Las Vegas 2017
Cisco Live! :: Cisco ASR 9000 Architecture :: BRKARC-2003 | Las Vegas 2017
Bruno Teixeira
 
Cisco CCNA-CCNP IP SLA Configuration
Cisco CCNA-CCNP IP SLA ConfigurationCisco CCNA-CCNP IP SLA Configuration
Cisco CCNA-CCNP IP SLA Configuration
Hamed Moghaddam
 
CCNA BASIC SWITCHING AND SWITCH CONFIGURATION
CCNA BASIC SWITCHING AND SWITCH CONFIGURATIONCCNA BASIC SWITCHING AND SWITCH CONFIGURATION
CCNA BASIC SWITCHING AND SWITCH CONFIGURATION
Aswini Badatya
 
Cisco Live Brksec 3032 - NGFW Clustering
Cisco Live Brksec 3032 - NGFW ClusteringCisco Live Brksec 3032 - NGFW Clustering
Cisco Live Brksec 3032 - NGFW Clustering
ib_cims
 
Aruba Mobility Controllers
Aruba Mobility ControllersAruba Mobility Controllers
Ccna command
Ccna commandCcna command
Ccna command
Siddhartha Rajbhatt
 
SPAN, RSPAN and ERSPAN
SPAN, RSPAN and ERSPANSPAN, RSPAN and ERSPAN
SPAN, RSPAN and ERSPAN
NetProtocol Xpert
 
CCNAS :Multi Area OSPF
CCNAS :Multi Area OSPFCCNAS :Multi Area OSPF
CCNAS :Multi Area OSPF
rooree29
 
Deep Packet Inspection technology evolution
Deep Packet Inspection technology evolutionDeep Packet Inspection technology evolution
Deep Packet Inspection technology evolution
Daniel Vinyar
 
Understanding and Troubleshooting ASA NAT
Understanding and Troubleshooting ASA NATUnderstanding and Troubleshooting ASA NAT
Understanding and Troubleshooting ASA NAT
Cisco Russia
 
Cisco nexus series
Cisco nexus seriesCisco nexus series
Cisco nexus series
Anwesh Dixit
 
ASA Multiple Context Training
ASA Multiple Context TrainingASA Multiple Context Training
ASA Multiple Context Training
Tariq Bader
 
Identity Services Engine Overview and Update
Identity Services Engine Overview and UpdateIdentity Services Engine Overview and Update
Identity Services Engine Overview and Update
Cisco Canada
 
Access Network Evolution
Access Network Evolution Access Network Evolution
Access Network Evolution
Cisco Canada
 
Traffic Engineering Using Segment Routing
Traffic Engineering Using Segment Routing Traffic Engineering Using Segment Routing
Traffic Engineering Using Segment Routing
Cisco Canada
 
Access Control List 1
Access Control List 1Access Control List 1
Access Control List 1
Kishore Kumar
 

What's hot (20)

Putting Firepower Into The Next Generation Firewall
Putting Firepower Into The Next Generation FirewallPutting Firepower Into The Next Generation Firewall
Putting Firepower Into The Next Generation Firewall
 
How to configure cisco asa virtual firewall
How to configure cisco asa virtual firewallHow to configure cisco asa virtual firewall
How to configure cisco asa virtual firewall
 
Cisco router command configuration overview
Cisco router command configuration overviewCisco router command configuration overview
Cisco router command configuration overview
 
Cisco Identity Services Engine (ISE)
Cisco Identity Services Engine (ISE)Cisco Identity Services Engine (ISE)
Cisco Identity Services Engine (ISE)
 
Cisco Live! :: Cisco ASR 9000 Architecture :: BRKARC-2003 | Las Vegas 2017
Cisco Live! :: Cisco ASR 9000 Architecture :: BRKARC-2003 | Las Vegas 2017Cisco Live! :: Cisco ASR 9000 Architecture :: BRKARC-2003 | Las Vegas 2017
Cisco Live! :: Cisco ASR 9000 Architecture :: BRKARC-2003 | Las Vegas 2017
 
Cisco CCNA-CCNP IP SLA Configuration
Cisco CCNA-CCNP IP SLA ConfigurationCisco CCNA-CCNP IP SLA Configuration
Cisco CCNA-CCNP IP SLA Configuration
 
CCNA BASIC SWITCHING AND SWITCH CONFIGURATION
CCNA BASIC SWITCHING AND SWITCH CONFIGURATIONCCNA BASIC SWITCHING AND SWITCH CONFIGURATION
CCNA BASIC SWITCHING AND SWITCH CONFIGURATION
 
Cisco Live Brksec 3032 - NGFW Clustering
Cisco Live Brksec 3032 - NGFW ClusteringCisco Live Brksec 3032 - NGFW Clustering
Cisco Live Brksec 3032 - NGFW Clustering
 
Aruba Mobility Controllers
Aruba Mobility ControllersAruba Mobility Controllers
Aruba Mobility Controllers
 
Ccna command
Ccna commandCcna command
Ccna command
 
SPAN, RSPAN and ERSPAN
SPAN, RSPAN and ERSPANSPAN, RSPAN and ERSPAN
SPAN, RSPAN and ERSPAN
 
CCNAS :Multi Area OSPF
CCNAS :Multi Area OSPFCCNAS :Multi Area OSPF
CCNAS :Multi Area OSPF
 
Deep Packet Inspection technology evolution
Deep Packet Inspection technology evolutionDeep Packet Inspection technology evolution
Deep Packet Inspection technology evolution
 
Understanding and Troubleshooting ASA NAT
Understanding and Troubleshooting ASA NATUnderstanding and Troubleshooting ASA NAT
Understanding and Troubleshooting ASA NAT
 
Cisco nexus series
Cisco nexus seriesCisco nexus series
Cisco nexus series
 
ASA Multiple Context Training
ASA Multiple Context TrainingASA Multiple Context Training
ASA Multiple Context Training
 
Identity Services Engine Overview and Update
Identity Services Engine Overview and UpdateIdentity Services Engine Overview and Update
Identity Services Engine Overview and Update
 
Access Network Evolution
Access Network Evolution Access Network Evolution
Access Network Evolution
 
Traffic Engineering Using Segment Routing
Traffic Engineering Using Segment Routing Traffic Engineering Using Segment Routing
Traffic Engineering Using Segment Routing
 
Access Control List 1
Access Control List 1Access Control List 1
Access Control List 1
 

Viewers also liked

Cisco ASA Firewall Lab WorkBook
Cisco ASA Firewall Lab WorkBookCisco ASA Firewall Lab WorkBook
Cisco ASA Firewall Lab WorkBook
RHC Technologies
 
1-300-206 (SENSS)=Firewall (642-618)
1-300-206 (SENSS)=Firewall (642-618) 1-300-206 (SENSS)=Firewall (642-618)
1-300-206 (SENSS)=Firewall (642-618)
Mohmed Abou Elenein Attia
 
Hr interview questions and answers for senior executives
Hr interview questions and answers for senior executivesHr interview questions and answers for senior executives
Hr interview questions and answers for senior executives
Mohmed Abou Elenein Attia
 
CCNP Security-IPS
CCNP Security-IPSCCNP Security-IPS
CCNP Security-IPS
mohannadalhanahnah
 
CCNP Security SIMOS 300-209=vpn 642-648
CCNP Security SIMOS 300-209=vpn 642-648CCNP Security SIMOS 300-209=vpn 642-648
CCNP Security SIMOS 300-209=vpn 642-648
Mohmed Abou Elenein Attia
 
Cisco asa cx firwewall
Cisco asa cx firwewallCisco asa cx firwewall
Cisco asa cx firwewall
Anwesh Dixit
 
Инфографика. Программы-вымогатели: реальное положение вещей
Инфографика. Программы-вымогатели: реальное положение вещейИнфографика. Программы-вымогатели: реальное положение вещей
Инфографика. Программы-вымогатели: реальное положение вещей
Cisco Russia
 
NAT in ASA Firewall
NAT in ASA FirewallNAT in ASA Firewall
NAT in ASA Firewall
NetProtocol Xpert
 
Cisco ASA Firewalls
Cisco ASA FirewallsCisco ASA Firewalls
Cisco ASA Firewalls
Bryley Systems Inc.
 
Using packet-tracer, capture and other Cisco ASA tools for network troublesho...
Using packet-tracer, capture and other Cisco ASA tools for network troublesho...Using packet-tracer, capture and other Cisco ASA tools for network troublesho...
Using packet-tracer, capture and other Cisco ASA tools for network troublesho...
Cisco Russia
 
Cisco Router and Switch Security Hardening Guide
Cisco Router and Switch Security Hardening GuideCisco Router and Switch Security Hardening Guide
Cisco Router and Switch Security Hardening Guide
Harris Andrea
 

Viewers also liked (11)

Cisco ASA Firewall Lab WorkBook
Cisco ASA Firewall Lab WorkBookCisco ASA Firewall Lab WorkBook
Cisco ASA Firewall Lab WorkBook
 
1-300-206 (SENSS)=Firewall (642-618)
1-300-206 (SENSS)=Firewall (642-618) 1-300-206 (SENSS)=Firewall (642-618)
1-300-206 (SENSS)=Firewall (642-618)
 
Hr interview questions and answers for senior executives
Hr interview questions and answers for senior executivesHr interview questions and answers for senior executives
Hr interview questions and answers for senior executives
 
CCNP Security-IPS
CCNP Security-IPSCCNP Security-IPS
CCNP Security-IPS
 
CCNP Security SIMOS 300-209=vpn 642-648
CCNP Security SIMOS 300-209=vpn 642-648CCNP Security SIMOS 300-209=vpn 642-648
CCNP Security SIMOS 300-209=vpn 642-648
 
Cisco asa cx firwewall
Cisco asa cx firwewallCisco asa cx firwewall
Cisco asa cx firwewall
 
Инфографика. Программы-вымогатели: реальное положение вещей
Инфографика. Программы-вымогатели: реальное положение вещейИнфографика. Программы-вымогатели: реальное положение вещей
Инфографика. Программы-вымогатели: реальное положение вещей
 
NAT in ASA Firewall
NAT in ASA FirewallNAT in ASA Firewall
NAT in ASA Firewall
 
Cisco ASA Firewalls
Cisco ASA FirewallsCisco ASA Firewalls
Cisco ASA Firewalls
 
Using packet-tracer, capture and other Cisco ASA tools for network troublesho...
Using packet-tracer, capture and other Cisco ASA tools for network troublesho...Using packet-tracer, capture and other Cisco ASA tools for network troublesho...
Using packet-tracer, capture and other Cisco ASA tools for network troublesho...
 
Cisco Router and Switch Security Hardening Guide
Cisco Router and Switch Security Hardening GuideCisco Router and Switch Security Hardening Guide
Cisco Router and Switch Security Hardening Guide
 

Similar to CCNP Security-Secure

Chapter 6 overview
Chapter 6 overviewChapter 6 overview
Chapter 6 overview
ali raza
 
Chapter 6-Securing the Local Area Network.pdf
Chapter 6-Securing the Local Area Network.pdfChapter 6-Securing the Local Area Network.pdf
Chapter 6-Securing the Local Area Network.pdf
OhmRon
 
CCNASecurity v2 Overview Presentation .pdf
CCNASecurity v2 Overview Presentation .pdfCCNASecurity v2 Overview Presentation .pdf
CCNASecurity v2 Overview Presentation .pdf
AngelBaspineiroValve
 
7256 ccna security_chapter_8_vpn_dl3_oz_20130409031455
7256 ccna security_chapter_8_vpn_dl3_oz_201304090314557256 ccna security_chapter_8_vpn_dl3_oz_20130409031455
7256 ccna security_chapter_8_vpn_dl3_oz_20130409031455
ytrui
 
Текториал по тематике информационной безопасности
Текториал по тематике информационной безопасности Текториал по тематике информационной безопасности
Текториал по тематике информационной безопасности
Cisco Russia
 
Chapter08
Chapter08Chapter08
Chapter08
Muhammad Ahad
 
Seguridad de las redes informaticas wireless
Seguridad de las redes informaticas wirelessSeguridad de las redes informaticas wireless
Seguridad de las redes informaticas wireless
pkalckbh
 
Ccna security
Ccna security Ccna security
Ccna security
umesh patil
 
Ccna security
Ccna security Ccna security
Ccna security
sanjay joshi
 
Design and Deployment of Enterprise WLANs
Design and Deployment of Enterprise WLANsDesign and Deployment of Enterprise WLANs
Design and Deployment of Enterprise WLANs
Fab Fusaro
 
Slide Deck – Session 9 – FRSecure CISSP
Slide Deck – Session 9 – FRSecure CISSP Slide Deck – Session 9 – FRSecure CISSP
Slide Deck – Session 9 – FRSecure CISSP
FRSecure
 
VMworld 2016: Migrating from a hardware based firewall to NSX to improve perf...
VMworld 2016: Migrating from a hardware based firewall to NSX to improve perf...VMworld 2016: Migrating from a hardware based firewall to NSX to improve perf...
VMworld 2016: Migrating from a hardware based firewall to NSX to improve perf...
VMworld
 
Chapter 9 lab a security policy development and implementation (instructor ve...
Chapter 9 lab a security policy development and implementation (instructor ve...Chapter 9 lab a security policy development and implementation (instructor ve...
Chapter 9 lab a security policy development and implementation (instructor ve...
wosborne03
 
Most Advanced Cybersecurity, Network Security Training - Tonex Training
Most Advanced Cybersecurity, Network Security Training - Tonex TrainingMost Advanced Cybersecurity, Network Security Training - Tonex Training
Most Advanced Cybersecurity, Network Security Training - Tonex Training
Bryan Len
 
CCNA_RSE_Chp4 and their working principles.pptx
CCNA_RSE_Chp4 and their working principles.pptxCCNA_RSE_Chp4 and their working principles.pptx
CCNA_RSE_Chp4 and their working principles.pptx
ParthaDas754073
 
6421 b Module-09
6421 b Module-096421 b Module-09
6421 b Module-09
Bibekananada Jena
 
Symantec’s View of the Current State of ECDSA on the Web
Symantec’s View of the Current State of ECDSA on the WebSymantec’s View of the Current State of ECDSA on the Web
Symantec’s View of the Current State of ECDSA on the Web
CASCouncil
 
Cisco Live Announcements: New ThousandEyes Release Highlights - July 2024
Cisco Live Announcements: New ThousandEyes Release Highlights - July 2024Cisco Live Announcements: New ThousandEyes Release Highlights - July 2024
Cisco Live Announcements: New ThousandEyes Release Highlights - July 2024
ThousandEyes
 
Ccna security
Ccna securityCcna security
Ccna security
dkaya
 
Pristine rina-security-icc-2016
Pristine rina-security-icc-2016Pristine rina-security-icc-2016
Pristine rina-security-icc-2016
ICT PRISTINE
 

Similar to CCNP Security-Secure (20)

Chapter 6 overview
Chapter 6 overviewChapter 6 overview
Chapter 6 overview
 
Chapter 6-Securing the Local Area Network.pdf
Chapter 6-Securing the Local Area Network.pdfChapter 6-Securing the Local Area Network.pdf
Chapter 6-Securing the Local Area Network.pdf
 
CCNASecurity v2 Overview Presentation .pdf
CCNASecurity v2 Overview Presentation .pdfCCNASecurity v2 Overview Presentation .pdf
CCNASecurity v2 Overview Presentation .pdf
 
7256 ccna security_chapter_8_vpn_dl3_oz_20130409031455
7256 ccna security_chapter_8_vpn_dl3_oz_201304090314557256 ccna security_chapter_8_vpn_dl3_oz_20130409031455
7256 ccna security_chapter_8_vpn_dl3_oz_20130409031455
 
Текториал по тематике информационной безопасности
Текториал по тематике информационной безопасности Текториал по тематике информационной безопасности
Текториал по тематике информационной безопасности
 
Chapter08
Chapter08Chapter08
Chapter08
 
Seguridad de las redes informaticas wireless
Seguridad de las redes informaticas wirelessSeguridad de las redes informaticas wireless
Seguridad de las redes informaticas wireless
 
Ccna security
Ccna security Ccna security
Ccna security
 
Ccna security
Ccna security Ccna security
Ccna security
 
Design and Deployment of Enterprise WLANs
Design and Deployment of Enterprise WLANsDesign and Deployment of Enterprise WLANs
Design and Deployment of Enterprise WLANs
 
Slide Deck – Session 9 – FRSecure CISSP
Slide Deck – Session 9 – FRSecure CISSP Slide Deck – Session 9 – FRSecure CISSP
Slide Deck – Session 9 – FRSecure CISSP
 
VMworld 2016: Migrating from a hardware based firewall to NSX to improve perf...
VMworld 2016: Migrating from a hardware based firewall to NSX to improve perf...VMworld 2016: Migrating from a hardware based firewall to NSX to improve perf...
VMworld 2016: Migrating from a hardware based firewall to NSX to improve perf...
 
Chapter 9 lab a security policy development and implementation (instructor ve...
Chapter 9 lab a security policy development and implementation (instructor ve...Chapter 9 lab a security policy development and implementation (instructor ve...
Chapter 9 lab a security policy development and implementation (instructor ve...
 
Most Advanced Cybersecurity, Network Security Training - Tonex Training
Most Advanced Cybersecurity, Network Security Training - Tonex TrainingMost Advanced Cybersecurity, Network Security Training - Tonex Training
Most Advanced Cybersecurity, Network Security Training - Tonex Training
 
CCNA_RSE_Chp4 and their working principles.pptx
CCNA_RSE_Chp4 and their working principles.pptxCCNA_RSE_Chp4 and their working principles.pptx
CCNA_RSE_Chp4 and their working principles.pptx
 
6421 b Module-09
6421 b Module-096421 b Module-09
6421 b Module-09
 
Symantec’s View of the Current State of ECDSA on the Web
Symantec’s View of the Current State of ECDSA on the WebSymantec’s View of the Current State of ECDSA on the Web
Symantec’s View of the Current State of ECDSA on the Web
 
Cisco Live Announcements: New ThousandEyes Release Highlights - July 2024
Cisco Live Announcements: New ThousandEyes Release Highlights - July 2024Cisco Live Announcements: New ThousandEyes Release Highlights - July 2024
Cisco Live Announcements: New ThousandEyes Release Highlights - July 2024
 
Ccna security
Ccna securityCcna security
Ccna security
 
Pristine rina-security-icc-2016
Pristine rina-security-icc-2016Pristine rina-security-icc-2016
Pristine rina-security-icc-2016
 

Recently uploaded

Improving Learning Content Efficiency with Reusable Learning Content
Improving Learning Content Efficiency with Reusable Learning ContentImproving Learning Content Efficiency with Reusable Learning Content
Improving Learning Content Efficiency with Reusable Learning Content
Enterprise Knowledge
 
Gen AI: Privacy Risks of Large Language Models (LLMs)
Gen AI: Privacy Risks of Large Language Models (LLMs)Gen AI: Privacy Risks of Large Language Models (LLMs)
Gen AI: Privacy Risks of Large Language Models (LLMs)
Debmalya Biswas
 
leewayhertz.com-Generative AI tech stack Frameworks infrastructure models and...
leewayhertz.com-Generative AI tech stack Frameworks infrastructure models and...leewayhertz.com-Generative AI tech stack Frameworks infrastructure models and...
leewayhertz.com-Generative AI tech stack Frameworks infrastructure models and...
alexjohnson7307
 
Camunda Chapter NY Meetup July 2024.pptx
Camunda Chapter NY Meetup July 2024.pptxCamunda Chapter NY Meetup July 2024.pptx
Camunda Chapter NY Meetup July 2024.pptx
ZachWylie3
 
LeadMagnet IQ Review: Unlock the Secret to Effortless Traffic and Leads.pdf
LeadMagnet IQ Review:  Unlock the Secret to Effortless Traffic and Leads.pdfLeadMagnet IQ Review:  Unlock the Secret to Effortless Traffic and Leads.pdf
LeadMagnet IQ Review: Unlock the Secret to Effortless Traffic and Leads.pdf
SelfMade bd
 
Russian Girls Call Navi Mumbai 🎈🔥9920725232 🔥💋🎈 Provide Best And Top Girl Ser...
Russian Girls Call Navi Mumbai 🎈🔥9920725232 🔥💋🎈 Provide Best And Top Girl Ser...Russian Girls Call Navi Mumbai 🎈🔥9920725232 🔥💋🎈 Provide Best And Top Girl Ser...
Russian Girls Call Navi Mumbai 🎈🔥9920725232 🔥💋🎈 Provide Best And Top Girl Ser...
bellared2
 
Uncharted Together- Navigating AI's New Frontiers in Libraries
Uncharted Together- Navigating AI's New Frontiers in LibrariesUncharted Together- Navigating AI's New Frontiers in Libraries
Uncharted Together- Navigating AI's New Frontiers in Libraries
Brian Pichman
 
Zaitechno Handheld Raman Spectrometer.pdf
Zaitechno Handheld Raman Spectrometer.pdfZaitechno Handheld Raman Spectrometer.pdf
Zaitechno Handheld Raman Spectrometer.pdf
AmandaCheung15
 
UX Webinar Series: Drive Revenue and Decrease Costs with Passkeys for Consume...
UX Webinar Series: Drive Revenue and Decrease Costs with Passkeys for Consume...UX Webinar Series: Drive Revenue and Decrease Costs with Passkeys for Consume...
UX Webinar Series: Drive Revenue and Decrease Costs with Passkeys for Consume...
FIDO Alliance
 
Vulnerability Management: A Comprehensive Overview
Vulnerability Management: A Comprehensive OverviewVulnerability Management: A Comprehensive Overview
Vulnerability Management: A Comprehensive Overview
Steven Carlson
 
Communications Mining Series - Zero to Hero - Session 3
Communications Mining Series - Zero to Hero - Session 3Communications Mining Series - Zero to Hero - Session 3
Communications Mining Series - Zero to Hero - Session 3
DianaGray10
 
Integrating Kafka with MuleSoft 4 and usecase
Integrating Kafka with MuleSoft 4 and usecaseIntegrating Kafka with MuleSoft 4 and usecase
Integrating Kafka with MuleSoft 4 and usecase
shyamraj55
 
Step-By-Step Process to Develop a Mobile App From Scratch
Step-By-Step Process to Develop a Mobile App From ScratchStep-By-Step Process to Develop a Mobile App From Scratch
Step-By-Step Process to Develop a Mobile App From Scratch
softsuave
 
How UiPath Discovery Suite supports identification of Agentic Process Automat...
How UiPath Discovery Suite supports identification of Agentic Process Automat...How UiPath Discovery Suite supports identification of Agentic Process Automat...
How UiPath Discovery Suite supports identification of Agentic Process Automat...
DianaGray10
 
Garbage In, Garbage Out: Why poor data curation is killing your AI models (an...
Garbage In, Garbage Out: Why poor data curation is killing your AI models (an...Garbage In, Garbage Out: Why poor data curation is killing your AI models (an...
Garbage In, Garbage Out: Why poor data curation is killing your AI models (an...
Zilliz
 
Semantic-Aware Code Model: Elevating the Future of Software Development
Semantic-Aware Code Model: Elevating the Future of Software DevelopmentSemantic-Aware Code Model: Elevating the Future of Software Development
Semantic-Aware Code Model: Elevating the Future of Software Development
Baishakhi Ray
 
Google I/O Extended Harare Merged Slides
Google I/O Extended Harare Merged SlidesGoogle I/O Extended Harare Merged Slides
Google I/O Extended Harare Merged Slides
Google Developer Group - Harare
 
Girls Call Churchgate 9910780858 Provide Best And Top Girl Service And No1 in...
Girls Call Churchgate 9910780858 Provide Best And Top Girl Service And No1 in...Girls Call Churchgate 9910780858 Provide Best And Top Girl Service And No1 in...
Girls Call Churchgate 9910780858 Provide Best And Top Girl Service And No1 in...
maigasapphire
 
BLOCKCHAIN TECHNOLOGY - Advantages and Disadvantages
BLOCKCHAIN TECHNOLOGY - Advantages and DisadvantagesBLOCKCHAIN TECHNOLOGY - Advantages and Disadvantages
BLOCKCHAIN TECHNOLOGY - Advantages and Disadvantages
SAI KAILASH R
 
Acumatica vs. Sage Intacct _Construction_July (1).pptx
Acumatica vs. Sage Intacct _Construction_July (1).pptxAcumatica vs. Sage Intacct _Construction_July (1).pptx
Acumatica vs. Sage Intacct _Construction_July (1).pptx
BrainSell Technologies
 

Recently uploaded (20)

Improving Learning Content Efficiency with Reusable Learning Content
Improving Learning Content Efficiency with Reusable Learning ContentImproving Learning Content Efficiency with Reusable Learning Content
Improving Learning Content Efficiency with Reusable Learning Content
 
Gen AI: Privacy Risks of Large Language Models (LLMs)
Gen AI: Privacy Risks of Large Language Models (LLMs)Gen AI: Privacy Risks of Large Language Models (LLMs)
Gen AI: Privacy Risks of Large Language Models (LLMs)
 
leewayhertz.com-Generative AI tech stack Frameworks infrastructure models and...
leewayhertz.com-Generative AI tech stack Frameworks infrastructure models and...leewayhertz.com-Generative AI tech stack Frameworks infrastructure models and...
leewayhertz.com-Generative AI tech stack Frameworks infrastructure models and...
 
Camunda Chapter NY Meetup July 2024.pptx
Camunda Chapter NY Meetup July 2024.pptxCamunda Chapter NY Meetup July 2024.pptx
Camunda Chapter NY Meetup July 2024.pptx
 
LeadMagnet IQ Review: Unlock the Secret to Effortless Traffic and Leads.pdf
LeadMagnet IQ Review:  Unlock the Secret to Effortless Traffic and Leads.pdfLeadMagnet IQ Review:  Unlock the Secret to Effortless Traffic and Leads.pdf
LeadMagnet IQ Review: Unlock the Secret to Effortless Traffic and Leads.pdf
 
Russian Girls Call Navi Mumbai 🎈🔥9920725232 🔥💋🎈 Provide Best And Top Girl Ser...
Russian Girls Call Navi Mumbai 🎈🔥9920725232 🔥💋🎈 Provide Best And Top Girl Ser...Russian Girls Call Navi Mumbai 🎈🔥9920725232 🔥💋🎈 Provide Best And Top Girl Ser...
Russian Girls Call Navi Mumbai 🎈🔥9920725232 🔥💋🎈 Provide Best And Top Girl Ser...
 
Uncharted Together- Navigating AI's New Frontiers in Libraries
Uncharted Together- Navigating AI's New Frontiers in LibrariesUncharted Together- Navigating AI's New Frontiers in Libraries
Uncharted Together- Navigating AI's New Frontiers in Libraries
 
Zaitechno Handheld Raman Spectrometer.pdf
Zaitechno Handheld Raman Spectrometer.pdfZaitechno Handheld Raman Spectrometer.pdf
Zaitechno Handheld Raman Spectrometer.pdf
 
UX Webinar Series: Drive Revenue and Decrease Costs with Passkeys for Consume...
UX Webinar Series: Drive Revenue and Decrease Costs with Passkeys for Consume...UX Webinar Series: Drive Revenue and Decrease Costs with Passkeys for Consume...
UX Webinar Series: Drive Revenue and Decrease Costs with Passkeys for Consume...
 
Vulnerability Management: A Comprehensive Overview
Vulnerability Management: A Comprehensive OverviewVulnerability Management: A Comprehensive Overview
Vulnerability Management: A Comprehensive Overview
 
Communications Mining Series - Zero to Hero - Session 3
Communications Mining Series - Zero to Hero - Session 3Communications Mining Series - Zero to Hero - Session 3
Communications Mining Series - Zero to Hero - Session 3
 
Integrating Kafka with MuleSoft 4 and usecase
Integrating Kafka with MuleSoft 4 and usecaseIntegrating Kafka with MuleSoft 4 and usecase
Integrating Kafka with MuleSoft 4 and usecase
 
Step-By-Step Process to Develop a Mobile App From Scratch
Step-By-Step Process to Develop a Mobile App From ScratchStep-By-Step Process to Develop a Mobile App From Scratch
Step-By-Step Process to Develop a Mobile App From Scratch
 
How UiPath Discovery Suite supports identification of Agentic Process Automat...
How UiPath Discovery Suite supports identification of Agentic Process Automat...How UiPath Discovery Suite supports identification of Agentic Process Automat...
How UiPath Discovery Suite supports identification of Agentic Process Automat...
 
Garbage In, Garbage Out: Why poor data curation is killing your AI models (an...
Garbage In, Garbage Out: Why poor data curation is killing your AI models (an...Garbage In, Garbage Out: Why poor data curation is killing your AI models (an...
Garbage In, Garbage Out: Why poor data curation is killing your AI models (an...
 
Semantic-Aware Code Model: Elevating the Future of Software Development
Semantic-Aware Code Model: Elevating the Future of Software DevelopmentSemantic-Aware Code Model: Elevating the Future of Software Development
Semantic-Aware Code Model: Elevating the Future of Software Development
 
Google I/O Extended Harare Merged Slides
Google I/O Extended Harare Merged SlidesGoogle I/O Extended Harare Merged Slides
Google I/O Extended Harare Merged Slides
 
Girls Call Churchgate 9910780858 Provide Best And Top Girl Service And No1 in...
Girls Call Churchgate 9910780858 Provide Best And Top Girl Service And No1 in...Girls Call Churchgate 9910780858 Provide Best And Top Girl Service And No1 in...
Girls Call Churchgate 9910780858 Provide Best And Top Girl Service And No1 in...
 
BLOCKCHAIN TECHNOLOGY - Advantages and Disadvantages
BLOCKCHAIN TECHNOLOGY - Advantages and DisadvantagesBLOCKCHAIN TECHNOLOGY - Advantages and Disadvantages
BLOCKCHAIN TECHNOLOGY - Advantages and Disadvantages
 
Acumatica vs. Sage Intacct _Construction_July (1).pptx
Acumatica vs. Sage Intacct _Construction_July (1).pptxAcumatica vs. Sage Intacct _Construction_July (1).pptx
Acumatica vs. Sage Intacct _Construction_July (1).pptx
 

CCNP Security-Secure

  • 1. These slides taken from the official SECURE guide and Cisco SNRS slides 3/26/2014 Eng. Mohannad Alhanahnah 1 SECURE Agenda: • Network Security Technologies Overview • Routed Data Plane Security • Control Plane Security • Management Plane Security Network Foundation Protection (NFP) 802.1X and Cisco Identity-Based Networking Services (IBNS) Implementing and Configuring Basic 802.1X • Cisco IOS Foundation Security Solutions • Implementing and Configuring NAT • Implementing and Configuring Zone-Based Policy Firewalls • Implementing and Configuring IOS IPS • Cisco IOS Site-to-Site Security Solutions
  • 2. These slides taken from the official SECURE guide and Cisco SNRS slides 3/26/2014 Eng. Mohannad Alhanahnah 2 Overview of the CCNP Security • All four CCNP Security exams required • SECURE – 642-637 • IPS – 642-627 • FIREWALL – 642-618 • VPN – 642-648 • ~90 minutes with 60-70 questions • 60-70 questions • Register with Pearson Vue • http://www.vue.com/cisco • Exam cost is $200.00 US Cisco SAFE • Focuses on the development of good network security designs. • utilizes of the Cisco Security Control Framework (SCF)
  • 3. These slides taken from the official SECURE guide and Cisco SNRS slides 3/26/2014 Eng. Mohannad Alhanahnah 3 • Examples of technologies that are used to help identify include: ■ 802.1x for identity solutions ■ Biometric recognition ■ Routing authentication ■ Secure traffic mechanisms (encryption) ■ Authentication mechanisms, • Examples of technologies that can help monitor this data include • AAA • IDS and IPS • Examples of technologies that can help correlate this data include the following: • MARS • NTP • Examples of technologies that can help harden network elements include: ■ Control plane policing ■ Component redundancy ■ Device/interface redundancy ■ Topology redundancy • Examples of technologies that can isolate specific devices or data include: ■ ACL & VPN ■ Out-of-band management ■ Management traffic encryption ■ Virtual local-area networks (VLAN) • Examples of technologies that can enforce specific policies: ■ IDS and IPS ■ Port security ■ ACLs
• 4. Examining Layer 2 Attacks:
• The most common types of switched data plane attacks are as follows:
■ VLAN hopping
■ CAM flooding
■ MAC address spoofing
■ STP spoofing
■ DHCP “starvation”
■ DHCP server spoofing
■ ARP spoofing
■ IP spoofing
• 5. CAM Table Overflow Attack:
Port Security:
• 6. Mitigating CAM Table Overflow:
1. Secure MAC Addresses:
• Static
• Dynamic
• Sticky: the sticky secure port security classification covers dynamically learned addresses that are automatically added to the running configuration.
• Configuration Guidelines:
• Only on static access ports
• Not on trunk or dynamic access ports
• Not on SPAN ports
• Not on EtherChannel ports
• Addresses learned on the voice VLAN become dynamic secure addresses
• On a port with a voice VLAN, set the maximum number of secure MAC addresses to two plus the maximum number of MAC addresses allowed on the access VLAN
• Dynamic port security is enabled on the voice VLAN when port security is enabled on the access VLAN
• Not configurable on a per-VLAN basis
• No aging of sticky addresses
• The protect and restrict options cannot be enabled simultaneously
2. Configuring Port Security:
• 7. Verifying Port Security
• 9. VLAN Hopping:
Mitigating VLAN Hopping:
• 10. Spanning Tree Manipulation:
Mitigating Spanning Tree Manipulation:
• 11. MAC Spoofing—Man-in-the-Middle Attacks:
DHCP Attacks:
• 12. Mitigating DHCP Attacks:
1. Port security:
2. DHCP Snooping:
• DHCP snooping allows ports to be configured as trusted or untrusted.
• DHCP server replies received on untrusted ports are dropped.
• Configure the uplinks toward the DHCP server as trusted.
• Do not configure client ports as trusted.
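The port security guidelines from slide 6 and the DHCP snooping rules from slide 12 as one access-switch configuration, added here as an example that is not part of the slides. Interface names, VLAN numbers, the aging timer and the DHCP rate limit are assumptions.

```cisco
! Added example (not from the slides): port security and DHCP snooping on a
! Catalyst access switch. Interface names, VLAN numbers, aging timer and
! rate limit are assumptions chosen for illustration.
!
! --- Port security (slide 6 guidelines): static access port, sticky learning ---
interface FastEthernet0/1
 description user port with IP phone
 switchport mode access
 switchport access vlan 10
 switchport voice vlan 20
 switchport port-security
 ! one PC on the access VLAN -> maximum = 2 + 1 = 3 (voice VLAN guideline)
 switchport port-security maximum 3
 switchport port-security mac-address sticky
 ! restrict: drop offending frames, count violations, log, keep the port up
 switchport port-security violation restrict
 ! inactivity aging applies to dynamic addresses only; sticky addresses never age
 switchport port-security aging time 10
 switchport port-security aging type inactivity
!
! --- DHCP snooping (slide 12): enable per VLAN, trust only the server uplink ---
ip dhcp snooping
ip dhcp snooping vlan 10,20
! the server uplink is the only port allowed to send DHCP server messages
interface GigabitEthernet0/1
 description uplink toward DHCP server
 ip dhcp snooping trust
! client ports stay untrusted (default); rate-limit DISCOVER floods (starvation)
interface range FastEthernet0/1 - 24
 ip dhcp snooping limit rate 10
!
! --- Verification ---
show port-security interface FastEthernet0/1
show port-security address
show ip dhcp snooping
show ip dhcp snooping binding
```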
• 14. Implementing Identity Management:
• Cisco ACS Features
• A centralized identity networking solution
• Manages and administers user access for many Cisco and other devices
• Many advanced features
• TACACS+ and RADIUS server
• Combines AAA
• Cisco NAC support
• Network Access Profiles
• EAP-FAST support
• Downloadable IP ACLs
TACACS+ Overview:
• 15. TACACS+ and RADIUS Comparison:
• 16. Administrator Interface:
• 17. ACS Policies:
• Authentication
– Authentication protocols
– User databases
• Posture validation
– For use with NAC
• Authorization
– What the user is authorized to do
– Based on identity, posture, or both
• 18. Implementing Cisco IBNS:
• Cisco Identity-Based Networking Services
• 19. Concept of Cisco IBNS:
• Cisco IBNS is an IEEE 802.1x-based technology solution that increases network security by authenticating users based on personal identity in addition to device MAC and IP address verification.
• Unified control of user identity for the enterprise: Cisco VPN Concentrators, Cisco IOS routers, Cisco PIX Firewalls
IEEE 802.1x:
• Standard set by the IEEE 802.1 working group
• A framework designed to address and provide port-based access control using authentication
• Primarily an encapsulation definition for EAP over IEEE 802 media (EAPOL is the key protocol.)
• Layer 2 protocol for transporting authentication messages (EAP) between the supplicant (user/PC) and the authenticator (switch or access point)
• Assumes a secure connection
• Actual enforcement is via MAC-based filtering and port-state monitoring
• 20. 802.1x Components:
802.1x Operation:
• 21. How 802.1x Works:
The actual authentication conversation occurs between the client and the authentication server using EAP. The authenticator is aware of this activity, but it is just an intermediary.
EAP Over LAN (EAPOL)
What Is EAP?
• EAP—the Extensible Authentication Protocol
• A flexible transport protocol used to carry arbitrary authentication information—not the authentication method itself
• Typically runs directly over data-link layers such as PPP or IEEE 802 media
• Originally specified in RFC 2284, obsoleted by RFC 3748
• Supports multiple “authentication” types
• 22. Current Prevalent Authentication Methods:
• Challenge-response-based
• EAP-MD5: Uses MD5-based challenge-response for authentication
• LEAP: Uses username/password authentication
• EAP-MS-CHAPv2: Uses username/password MS-CHAPv2 challenge-response authentication
• Cryptographic-based
• EAP-TLS: Uses X.509 v3 PKI certificates and the TLS mechanism for authentication
• Tunneling methods
• PEAP: PEAP tunnel-mode EAP encapsulator; tunnels other EAP types in an encrypted tunnel—much like web-based SSL
• EAP-Tunneled TLS (TTLS): Other EAP methods over an extended EAP-TLS encrypted tunnel
• EAP-FAST: Recent tunneling method designed not to require certificates at all for deployment
• Other
• EAP-GTC: Generic token and OTP authentication
• 24. 802.1x and the Guest VLAN:
• 25. 802.1x and the Restricted VLAN:
Configuring 802.1x in Cisco IOS:
1. Enable AAA.
2. Configure 802.1x authentication.
3. Configure RADIUS communications.
4. Enable 802.1x globally.
5. Configure the interface and enable 802.1x.
6. Verify 802.1x operation.
• 26. Enable AAA:
Configure RADIUS Communications:
• 27. Enable 802.1x Globally:
Configure Interface and Enable 802.1x:
• 28. Configuring Guest and Restricted VLANs:
Verify 802.1x Operation:
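The six 802.1x configuration steps from slide 25, with the guest and restricted VLANs of slides 24 and 28, as an added example that is not part of the slides. It uses the older "dot1x" keyword syntax of the SNRS-era IOS; the RADIUS server address, the shared-secret placeholder, and the interface and VLAN numbers are assumptions.

```cisco
! Added example (not from the slides): the six 802.1x steps on a Catalyst switch
! using the older "dot1x" keyword syntax. RADIUS address, secret placeholder,
! interface and VLAN numbers are assumptions.
!
! 1. Enable AAA
aaa new-model
! 2. Configure 802.1x authentication (RADIUS is the only method for dot1x)
aaa authentication dot1x default group radius
! authorization lets the server push a VLAN for the authenticated user
aaa authorization network default group radius
! 3. Configure RADIUS communications (the key must be the last keyword)
radius-server host 10.0.0.5 auth-port 1812 acct-port 1813 key REPLACE_WITH_SHARED_SECRET
! 4. Enable 802.1x globally (without this, port-control has no effect)
dot1x system-auth-control
! 5. Configure the interface and enable 802.1x
interface FastEthernet0/2
 switchport mode access
 switchport access vlan 10
 dot1x port-control auto
 ! guest VLAN: clients with no supplicant (no EAPOL response) land here
 dot1x guest-vlan 50
 ! restricted VLAN: clients that fail authentication land here after 3 attempts
 dot1x auth-fail vlan 60
 dot1x auth-fail max-attempts 3
!
! 6. Verify 802.1x operation (port status, authorized MAC, assigned VLAN)
show dot1x all
show dot1x interface FastEthernet0/2 details
```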
• 29. Introducing Cisco NFP:
Network Foundation Protection (NFP):
• Cisco NFP protects the network infrastructure.
• Several tools are used to secure the infrastructure.
Network Foundation Protection: Enterprise Model
• 30. Securing the Control Plane:
• The control plane provides the functionality that builds the tables necessary to properly forward traffic; these tables include the routing table, forwarding table, MAC address table, and so on.
Control Plane Attacks and Mitigation Techniques:
• 31. Control Plane Protection (CPPr)
• A framework
• Provides for all policing and protection
• Extends the CoPP functionality
• Finer granularity
• Traffic classifier
• Port filtering: provides the ability to drop packets early that are directed at closed or non-listened-to ports.
• Queue threshold: limits the number of unprocessed packets that a specific protocol can have at the process level
• 32. Securing the Management Plane:
• The management plane provides the facilities through which the device is configured for initial deployment and then monitored and maintained thereafter.
• Protocols of the Management Plane
• Telnet
• SNMP
• SSH
• HTTP
• HTTPS
Tools Used to Secure the Management Plane:
• Cisco Management Plane Protection (MPP) feature for Cisco IOS Release 12.4(6)T
• SSH access only
• ACLs on the vty ports
• Cisco IOS Software login enhancement
• Role-based CLI views
• 33. Cisco IOS MPP:
• 34. Verifying MPP:
Securing the Data Plane:
• The data plane forwards network traffic and applies various services to it, such as security, QoS, accounting, and so on.
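CPPr port filtering and queue threshold (slide 31) together with MPP (slides 32 to 34) on the control-plane host subinterface, as an added example that is not part of the slides. The interface name and the queue limit are assumptions.

```cisco
! Added example (not from the slides): CPPr port filter and queue threshold on
! the control-plane host subinterface, plus MPP restricting management protocols
! to one interface. Interface name and limits are assumptions.
!
! --- CPPr port filter: drop packets aimed at closed (non-listened-to) ports
! before they reach the process level ---
class-map type port-filter match-all CLOSED-PORTS
 match closed-ports
policy-map type port-filter PF-POLICY
 class CLOSED-PORTS
  drop
!
! --- CPPr queue threshold: cap unprocessed SNMP packets in the input queue ---
class-map type queue-threshold match-all QT-SNMP
 match protocol snmp
policy-map type queue-threshold QT-POLICY
 class QT-SNMP
  queue-limit 50
!
control-plane host
 service-policy type port-filter input PF-POLICY
 service-policy type queue-threshold input QT-POLICY
 ! --- MPP: management traffic accepted only on Gi0/0 and only via SSH/HTTPS;
 ! Telnet/SNMP/HTTP to the device are dropped on every interface ---
 management-interface GigabitEthernet0/0 allow ssh https
!
! --- Verification ---
show policy-map control-plane host
show management-interface
```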
• 35. Data Plane Protection:
Flexible Packet Matching (FPM):
• 36. Configuring FPM:
1. Load a Protocol Header Description File (PHDF)
– For header field matching
2. Create a traffic class
– Define a protocol stack and specify exact parameters to match
– Using class maps of type “stack” and “access-control”
3. Create a traffic policy
– Define a service policy
4. Apply the service policy to an interface
• 1 & 2: PHDFs and Class Map
• 37. 3: Traffic Policies
• 4: Applying a Service Policy to an Interface:
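The four FPM steps of slides 36 and 37 carried through as an added example that is not part of the slides. The PHDF location, the port number, the packet length and the 4-byte pattern are constructed values chosen for illustration, not a real signature.

```cisco
! Added example (not from the slides): the four FPM steps. PHDF location, port,
! packet length and the 4-byte pattern are constructed values for illustration.
!
! 1. Load the protocol header description files
load protocol flash:ip.phdf
load protocol flash:udp.phdf
!
! 2a. Stack class map: describe the protocol stack (IP carrying UDP)
class-map type stack match-all IP-UDP
 description match UDP over IPv4
 match field ip protocol eq 0x11 next udp
!
! 2b. Access-control class map: exact header fields and a byte pattern to match
class-map type access-control match-all SUSPECT-UDP
 description constructed pattern for illustration only
 match field udp dest-port eq 9999
 match field ip length eq 404
 match start l3-start offset 40 size 4 eq 0xDEADBEEF
!
! 3. Traffic policies: the inner policy drops matches, the outer policy binds
! the stack class to the inner policy
policy-map type access-control FPM-UDP-POLICY
 class SUSPECT-UDP
  drop
policy-map type access-control FPM-POLICY
 class IP-UDP
  service-policy FPM-UDP-POLICY
!
! 4. Apply the service policy to an interface
interface GigabitEthernet0/1
 service-policy type access-control input FPM-POLICY
!
! Verification: loaded header fields and per-class match counters
show protocols phdf ip
show policy-map type access-control interface GigabitEthernet0/1
```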
• 38. Introducing IPsec:
• Combines three protocols into a cohesive security framework
• 39. IPsec Modes:
Authentication Header:
• RFC 2402
• IP protocol 51
• Mechanism for providing strong integrity and authentication for IP datagrams
• 40. Encapsulating Security Payload:
• RFC 2406
• IP protocol 50
• May provide the following:
• Confidentiality (encryption)
• Connectionless integrity
• Data origin authentication
• An anti-replay service
Internet Key Exchange:
• RFC 2409
• A hybrid protocol consisting of:
• SKEME
• A mechanism for using public key encryption for authentication
• Oakley
• A modes-based mechanism for arriving at an encryption key between two peers
• ISAKMP
• An architecture for message exchange, including packet formats and state transitions between two peers
• Phase-based
• 41. How IKE Works:
• IKE is a two-phase protocol.
Internet Security Association and Key Management Protocol (ISAKMP):
• RFC 2408
• UDP 500
• Defines procedures for:
• Authenticating a peer
• Creation and management of SAs
• Key generation techniques
• Threat mitigation
• 42. Other Protocols and Terminology
IPsec Configuration Task List:
1. Check network connectivity
2. Ensure ACLs are compatible with IPsec
• Allow IP protocols 50 and 51
• Allow UDP 500
3. Configure IKE
• ISAKMP
4. Configure IPsec
• Create crypto ACLs
• Define transform sets
• Create crypto map entries
• Set global lifetimes for IPsec SAs
• Apply the crypto map to the interface
• 43. IPsec VPN Deployment:
• Site-to-site VPNs
• Fully meshed (static)
• Hub (static) and spoke (dynamic)
• Fully meshed on demand (dynamic)
• DMVPN: provides a combination of static and dynamic on-demand tunnels
• Remote-access VPNs
• Cisco Easy VPN
• WebVPN (Cisco IOS SSL VPN)
Fully Meshed VPNs:
• There are static public addresses between peers.
• Local LAN addresses can be private or public.
• 44. Hub-and-Spoke VPNs:
• A static public address is needed at the hub only.
• Spoke addresses can be assigned dynamically using DHCP.
Dynamic Multipoint VPNs:
• 45. Cisco Easy VPN:
Cisco IOS WebVPN:
• Integrated security and routing
• Clientless and full network SSL VPN access
• 46. Implementing IPsec VPNs Using Pre-Shared Keys:
• Prepare for ISAKMP and IPsec.
• Configure ISAKMP
• Pre-shared key authentication
• Configure IPsec transforms.
• Create ACLs for encryption traffic (crypto ACLs).
• Configure the crypto map.
• Apply the crypto map to an interface.
• Test and verify IKE and IPsec.
Planning the IKE Policy:
• Determine the following policy details:
• Key distribution method
• Authentication method
• IPsec peer IP addresses and hostnames
• ISAKMP policies for all peers
• Encryption algorithm
• Hash algorithm
• IKE SA lifetime
• 47. IKE Phase 1 Policy Parameters:
• 48. IPsec Transforms
• 49. Identify IPsec Peers:
Configuring ISAKMP:
• Step 1: Enable or disable ISAKMP.
• Step 2: Create ISAKMP policies.
• Configure the authentication method
• Pre-shared keys
• Step 3: RSA signatures (when using PKI).
• Step 4: Verify ISAKMP configuration.
• 50. Step 1: Enable or Disable ISAKMP
• Step 2: Create ISAKMP Policies:
• 51. Create ISAKMP Policies with the crypto isakmp Command:
• Step 3: Configure Pre-Shared Keys:
• 52. Configuring IPsec:
• Step 1: Configure transform sets.
• Step 2: Configure global IPsec SA lifetimes.
• Configure Transform Sets:
• 53. crypto ipsec security-association lifetime:
Purpose of Crypto Maps:
• Crypto maps pull together the various parts configured for IPsec, including:
• Which traffic should be protected by IPsec
• Where IPsec-protected traffic should be sent
• The local address to be used for the IPsec traffic
• Which IPsec type should be applied to this traffic
• Whether SAs are established manually or via IKE
• Other parameters needed to define an IPsec SA
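The IPsec task list of slide 42 and the pre-shared-key procedure of slides 46 to 53 carried through on one router, as an added example that is not part of the slides. Addresses (documentation ranges), interface names and the key placeholder are assumptions; the peer mirrors the crypto ACL.

```cisco
! Added example (not from the slides): site-to-site IPsec with a pre-shared key.
! Addresses, interface names and the key placeholder are assumptions.
!
! 2. Make the perimeter ACL compatible with IPsec: ISAKMP (UDP 500), ESP (50)
! and AH (51) from the peer must reach this router
ip access-list extended OUTSIDE-IN
 permit udp host 203.0.113.2 host 198.51.100.1 eq isakmp
 permit esp host 203.0.113.2 host 198.51.100.1
 permit ahp host 203.0.113.2 host 198.51.100.1
!
! 3. IKE phase 1 (ISAKMP) policy: the lowest-numbered policy is offered first
crypto isakmp policy 10
 encryption aes 256
 hash sha
 authentication pre-share
 group 14
 lifetime 86400
crypto isakmp key REPLACE_WITH_STRONG_KEY address 203.0.113.2
!
! 4a. Transform set: ESP with AES-256 and SHA-1 HMAC, tunnel mode
crypto ipsec transform-set TS-AES256-SHA esp-aes 256 esp-sha-hmac
 mode tunnel
! 4b. Global IPsec SA lifetime (phase 2 rekey interval)
crypto ipsec security-association lifetime seconds 3600
!
! 4c. Crypto ACL: "permit" means protect this traffic; mirror it on the peer
ip access-list extended CRYPTO-ACL
 permit ip 10.1.0.0 0.0.255.255 10.2.0.0 0.0.255.255
!
! 4d. Crypto map pulls the pieces together: peer, transform set, traffic
crypto map VPNMAP 10 ipsec-isakmp
 set peer 203.0.113.2
 set transform-set TS-AES256-SHA
 match address CRYPTO-ACL
!
! 4e. Apply the crypto map (and the perimeter ACL) to the outside interface
interface GigabitEthernet0/0
 ip address 198.51.100.1 255.255.255.0
 ip access-group OUTSIDE-IN in
 crypto map VPNMAP
!
! Verify: the phase 1 SA should show QM_IDLE; phase 2 encaps/decaps counters
! should increase once interesting traffic flows
show crypto isakmp sa
show crypto ipsec sa
```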
• 54. IPsec Configuration Example:
Implementing IPsec VPNs Using PKI:
• 55. Digital Signatures:
• 56. X.509v3 Digital Certificate:
Certificate Enrollment:
• 57. Configuring a Site-to-Site VPN Using PKI:
• Prepare for ISAKMP and IPsec
• Configure CA support
• Configure ISAKMP for IPsec
• rsa-sig authentication
• Configure IPsec transforms
• Create ACLs for encryption traffic (crypto ACLs)
• Configure the crypto map
• Apply the crypto map to an interface
• Test and verify IPsec
• Set the Router Time and Date:
• 58. Configuring a Hostname and Domain Name:
• Add a CA Server Entry to the Router Host Table:
• 59. Generate an RSA Key Pair:
• Declaring a CA:
• 60. Authenticate the CA:
• Request Your Own Certificate:
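The CA support steps of slides 57 to 60 (time, names, host table, RSA key pair, trustpoint, CA authentication, enrollment) plus the rsa-sig ISAKMP policy and the verification commands, as an added example that is not part of the slides. The CA hostname and address, domain, key size and clock value are assumptions.

```cisco
! Added example (not from the slides): CA enrollment steps on the router and an
! ISAKMP policy switched to rsa-sig. CA name/address, domain, key size and the
! clock value are assumptions.
!
! Set the time first: certificate validity periods are checked against the clock
! ("clock set" is entered in privileged EXEC mode, the rest in global config)
clock timezone UTC 0
clock set 12:00:00 1 Jan 2014
! Hostname and domain name form the FQDN used in the certificate subject
hostname vpn-gw1
ip domain-name example.com
! Host-table entry so the CA can be reached by name without DNS
ip host ca-server.example.com 192.0.2.10
! Generate the RSA key pair whose public half goes into the certificate
crypto key generate rsa general-keys modulus 2048
! Declare the CA (trustpoint) and how to enroll with it
crypto pki trustpoint EXAMPLE-CA
 enrollment url http://ca-server.example.com:80
 subject-name CN=vpn-gw1.example.com,O=Example
 revocation-check crl
! Authenticate the CA: fetch its certificate; compare the displayed fingerprint
! with the CA operator out of band before accepting it
crypto pki authenticate EXAMPLE-CA
! Request the router's own certificate (SCEP enrollment)
crypto pki enroll EXAMPLE-CA
!
! IKE policy that authenticates peers with certificates instead of a PSK
crypto isakmp policy 10
 encryption aes 256
 hash sha
 authentication rsa-sig
 group 14
!
! Verify the CA support configuration: trustpoint, CA and router certificates
show crypto pki trustpoints
show crypto pki certificates
show crypto key mypubkey rsa
```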
• 61. Verify the CA Support Configuration:
Configuring GRE Tunnels:
• Generic Routing Encapsulation (GRE) was designed to carry multiprotocol and IP multicast traffic between sites that might not have IP connectivity.
• RFCs 1701, 1702, 2784
• Uses IP protocol 47 when encapsulated within IP
• Allows routing information to be passed between connected networks
• One of the significant advantages of GRE tunneling over (non-VTI) IPsec tunnels is that GRE uses Cisco IOS Software interfaces that can utilize QoS features.
• GRE does have some limitations:
■ GRE provides no cryptographic protection for traffic and must be combined with IPsec to provide it.
■ There is no standard way to determine the end-to-end state of a GRE tunnel. Cisco IOS Software provides proprietary GRE keepalives for this purpose.
• 62. Deployment Scenario:
• 63. Configuring a GRE Tunnel:
1. Create and identify the tunnel interface.
2. Configure the tunnel interface source address.
3. Configure the tunnel interface destination address.
4. Bring up the tunnel interface (administratively).
5. Configure routes.
• 64. GRE/IPsec:
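The five GRE tunnel steps of slide 63 with the IPsec protection of slide 64 (the limitation noted on slide 61), as an added example that is not part of the slides. Addresses, interface names and the profile name are assumptions, and an ISAKMP policy and key for the peer are assumed to exist already.

```cisco
! Added example (not from the slides): point-to-point GRE tunnel protected by an
! IPsec profile. Addresses, interface and profile names are assumptions; an
! ISAKMP policy and key for peer 203.0.113.2 are assumed to exist.
!
crypto ipsec transform-set TS-AES256-SHA esp-aes 256 esp-sha-hmac
 ! transport mode: the GRE header already carries the tunnel endpoints
 mode transport
! an IPsec profile replaces the crypto map for tunnel-protected interfaces
crypto ipsec profile GRE-PROT
 set transform-set TS-AES256-SHA
!
! 1. Create the tunnel interface
interface Tunnel0
 ip address 172.16.0.1 255.255.255.252
 ! 2. Source: the physical outside interface
 tunnel source GigabitEthernet0/0
 ! 3. Destination: the remote peer's public address
 tunnel destination 203.0.113.2
 ! GRE is the default mode; proprietary keepalives give line-protocol state
 tunnel mode gre ip
 keepalive 10 3
 ! encrypt everything leaving the tunnel, GRE header included
 tunnel protection ipsec profile GRE-PROT
 ! 4. Bring the interface up administratively
 no shutdown
!
! 5. Routes: remote private network via the tunnel; the peer's public address via
! the physical path (a route to the peer through the tunnel itself would
! recurse and bring the tunnel down)
ip route 10.2.0.0 255.255.0.0 Tunnel0
ip route 203.0.113.2 255.255.255.255 198.51.100.254
!
! Verification
show interfaces Tunnel0
show crypto ipsec sa
show crypto session
```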
• 65. GRE with Encryption Example:
Configuring a DMVPN:
• The Cisco DMVPN feature allows administrators to deploy scalable IPsec VPNs for both small and large networks.
• Relies on:
• IPsec profiles
• Next Hop Resolution Protocol (NHRP): The NHRP database maintains mappings between the router (public, physical interface) and tunnel (inside the tunnel interface) IP addresses of each spoke.
• Multipoint Generic Routing Encapsulation (mGRE): allows a single GRE interface to support multiple GRE tunnels and makes the configuration much easier
• Benefits:
• Hub router configuration reduction
• Automatic IPsec encryption initiation
• Support for dynamically addressed spoke routers
• Dynamic tunnel creation for spoke-to-spoke tunnels
• 66. Single DMVPN Topology:
Dual DMVPN Topology:
• 67. DMVPN Deployment Models:
DMVPN Configuration Tasks:
• ISAKMP and IPsec configuration
• Tunnel protection configuration
• IPsec profiles
• Tunnel interface configuration
• mGRE configuration
• NHRP configuration
• Routing protocol configuration
• 68. ISAKMP and IPsec:
• IPsec Profile:
• 69. DMVPN Example:
• 71. DMVPN Routing Tables:
• DMVPN NHRP Mapping Tables:
• 72. IPsec Profile:
• Hub Configuration:
• 73. Spoke Configuration:
Configuring Cisco IOS SSL VPN (WebVPN):
Remote-Access Modes:
• 74. Configuring WebVPN:
• WebVPN prerequisites:
• Configure AAA
• Local or ACS authentication
• Configure DNS
• Router hostname and domain name
• Map the host to an IP address in the router host table
• Configure certificates and trustpoints
• CA or self-signed
• WebVPN configuration
• Configure a WebVPN gateway
• Configure a WebVPN context
• Configure a URL list for clientless access
• Configure Microsoft file shares for clientless access
• Configure application port forwarding
• Configure a WebVPN policy group
• AAA Configuration—Local Authentication
• 75. AAA Configuration—External Authentication
• DNS Configuration
• 76. Gateway Configuration Commands:
• Context Configuration Commands:
• 77. URL Lists
• Group Policy Configuration Commands:
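The WebVPN prerequisites and configuration of slides 74 to 77 (local AAA, DNS names, self-signed trustpoint, gateway, context, URL list, policy group) as an added example that is not part of the slides. Addresses, names, the trustpoint label and the address pool are assumptions.

```cisco
! Added example (not from the slides): WebVPN gateway, context, URL list and
! policy group with local AAA and a self-signed trustpoint. Addresses, names,
! trustpoint label and address pool are assumptions.
!
! Prerequisites: AAA (local), DNS names, certificate/trustpoint, address pool
aaa new-model
aaa authentication login SSLVPN-AUTH local
username alice secret REPLACE_WITH_PASSWORD
hostname sslgw
ip domain-name example.com
ip host sslgw.example.com 203.0.113.1
crypto pki trustpoint SSLVPN-TP
 enrollment selfsigned
 subject-name CN=sslgw.example.com
crypto pki enroll SSLVPN-TP
ip local pool SSLPOOL 10.50.0.10 10.50.0.100
!
! Gateway: the HTTPS listener (address, port, server certificate)
webvpn gateway SSLGW
 ip address 203.0.113.1 port 443
 ssl trustpoint SSLVPN-TP
 inservice
!
! Context: portal content, the policy users receive, and how they authenticate
webvpn context CORP
 ! URL list for clientless (portal) access
 url-list "INTRANET"
  heading "Corporate intranet"
  url-text "Wiki" url-value "http://wiki.example.com"
 ! policy group: clientless URL list plus full-tunnel (SVC) access
 policy group CORP-POLICY
  url-list "INTRANET"
  functions svc-enabled
  svc address-pool "SSLPOOL"
  svc default-domain "example.com"
 default-group-policy CORP-POLICY
 aaa authentication list SSLVPN-AUTH
 gateway SSLGW
 inservice
!
! Verification
show webvpn gateway SSLGW
show webvpn context CORP
show webvpn session context CORP
```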
• 78. Configuring Cisco Easy VPN Remote Access:
Cisco Easy VPN is made up of two components:
• Cisco Easy VPN Server: Enables Cisco IOS routers, Cisco ASA/Cisco PIX Firewalls, and Cisco VPN 3000 Series Concentrators to act as VPN headend devices in site-to-site or remote-access VPNs where the remote office devices use the Cisco Easy VPN Remote feature.
• Cisco Easy VPN Remote: Enables Cisco IOS routers, Cisco ASA/Cisco PIX Firewalls, and Cisco VPN 3002 Hardware Clients or Cisco VPN Software Clients to act as remote VPN clients.
Remote Access Using Cisco Easy VPN:
• 79. Cisco Easy VPN Remote Connection Process:
Cisco Easy VPN Remote Configuration: General Tasks for Access Routers:
• Configure the DHCP server pool.
• Configure the Cisco Easy VPN Remote client profile.
• Group and key
• Peer
• Mode
• Manual or automatic tunnel control
• Assign the Cisco Easy VPN Remote client profile to the interfaces.
• Verify the Cisco Easy VPN configuration.
• 82. Cisco Easy VPN Server—General Configuration Tasks:
The following general tasks are used to configure Cisco Easy VPN Server on a Cisco router:
• (Optional) Create an IP address pool for connecting clients
• Enable group policy lookup via AAA
• Create an ISAKMP policy for remote VPN Client access
• Define a group policy for mode configuration push
• Apply mode configuration and XAUTH
• Enable RRI for the client
• Enable IKE
• Configure XAUTH
• (Optional) Enable the XAUTH Save Password feature
• 83. Create ISAKMP Policy for Remote VPN Client Access
• Create Transform Sets
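The Easy VPN Server tasks of slides 82 and 83 followed by the Easy VPN Remote tasks of slide 79 on an access router, as an added example that is not part of the slides. The group name, key and password placeholders, address pool, DNS/domain values and interface names are assumptions.

```cisco
! Added example (not from the slides): Easy VPN Server on a headend router and
! an Easy VPN Remote profile on an access router. Group name, placeholders,
! pool, DNS/domain and interface names are assumptions.
!
! ===== Easy VPN Server =====
aaa new-model
! XAUTH user authentication and group policy lookup via AAA (local database here)
aaa authentication login EZVPN-XAUTH local
aaa authorization network EZVPN-GROUP local
username remoteuser secret REPLACE_WITH_PASSWORD
! (Optional) address pool for connecting clients
ip local pool EZPOOL 10.60.0.10 10.60.0.100
! ISAKMP policy for remote client access
crypto isakmp policy 20
 encryption aes
 hash sha
 authentication pre-share
 group 2
! Group policy pushed to clients by mode configuration
crypto isakmp client configuration group BRANCHES
 key REPLACE_WITH_GROUP_KEY
 dns 10.1.0.53
 domain example.com
 pool EZPOOL
 ! (Optional) XAUTH Save Password feature
 save-password
crypto ipsec transform-set EZ-TS esp-aes esp-sha-hmac
! Dynamic crypto map: client addresses are unknown in advance; RRI injects a
! route to each connected client
crypto dynamic-map EZ-DYN 10
 set transform-set EZ-TS
 reverse-route
! Apply XAUTH and mode configuration to the crypto map, then bind the dynamic map
crypto map EZMAP client authentication list EZVPN-XAUTH
crypto map EZMAP isakmp authorization list EZVPN-GROUP
crypto map EZMAP client configuration address respond
crypto map EZMAP 10 ipsec-isakmp dynamic EZ-DYN
interface GigabitEthernet0/0
 crypto map EZMAP
!
! ===== Easy VPN Remote (access router, client mode, automatic tunnel) =====
ip dhcp pool LAN
 network 192.168.10.0 255.255.255.0
 default-router 192.168.10.1
crypto ipsec client ezvpn EZ-REMOTE
 group BRANCHES key REPLACE_WITH_GROUP_KEY
 peer 198.51.100.1
 mode client
 connect auto
interface FastEthernet0/0
 description LAN side
 crypto ipsec client ezvpn EZ-REMOTE inside
interface FastEthernet0/1
 description WAN side
 crypto ipsec client ezvpn EZ-REMOTE outside
!
! Verification (remote side shows tunnel state; server side shows the SA)
show crypto ipsec client ezvpn
show crypto isakmp sa
```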
• 84. Examining Cisco IOS Firewall:
• Deploy:
• As an Internet firewall
• Between groups on the internal network
• As a VPN endpoint from branches
• Between a partner network and the corporate network
• Features:
• Cisco IOS Software stateful packet inspection
• Protection against attack
• Alerts and audit trails
• Authentication proxy
• Support for NAT and Port-to-Application Mapping (PAM)
Cisco IOS Firewall Feature Set:
• Classic firewall
• Authentication proxy
• Cisco IOS IPS
• ACLs
• TCP Intercept
• PAM
• NAT
• Security server support
• RADIUS, TACACS+, Kerberos
• User authentication and authorization
• 85. Cisco IOS Firewall Authentication Proxy:
Cisco IOS IPS:
• 86. Configuring Cisco IOS Classic Firewall:
• Context-Based Access Control (CBAC) applies policies through inspect statements and configured access control lists (ACLs) between interfaces.
• The Zone-Based Policy Firewall (ZBPFW) is the next Cisco implementation of a router-based firewall that runs in Cisco IOS Software. It was introduced in IOS Release 12.4(6)T.
• As was supported by CBAC, the ZBPFW supports stateful inspection as well as Application Inspection and Control (AIC), which is also referred to as Deep Packet Inspection (DPI). This includes inspection support for Layers 3 through 7.
• As mentioned previously, one of the main differences between a firewall using CBAC and ZBPFW is the use of security zones.
• 87. IOS Classic Firewall Configuration:
• 89. Configuring Cisco IOS Zone-Based Policy Firewall:
• 90. Zoning Rules Summary:
• If two interfaces are not in zones, traffic flows freely between them.
• If one interface is in a zone and another interface is not in a zone, traffic may never flow between them.
• If two interfaces are in two different zones, traffic will not flow between the interfaces until a policy is defined to allow the traffic.
• 91. Configuring a Cisco IOS Zone-Based Policy Firewall:
1. Identify interfaces that share the same security function and group them into the same security zones.
2. Determine the required traffic flow between zones in both directions.
3. Set up zones.
4. Set up zone pairs for any policy other than deny all.
5. Define class maps to describe traffic between zones.
6. Associate class maps with policy maps to define actions applied to specific policies.
7. Assign policy maps to zone pairs.
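The same inside-to-outside policy written first as the classic CBAC firewall of slides 86 and 87 and then as a zone-based firewall following the seven steps of slide 91, as an added example that is not part of the slides. Interface names and the protocols inspected are assumptions.

```cisco
! Added example (not from the slides): one inside-to-outside policy as classic
! CBAC, then as ZBPFW. Interface names and inspected protocols are assumptions.
!
! ===== Classic firewall (CBAC): inspect statements plus an ACL per interface =====
ip inspect name CBAC-FW tcp
ip inspect name CBAC-FW udp
ip inspect name CBAC-FW icmp
! the outside ACL blocks everything; CBAC opens return holes for inspected sessions
ip access-list extended OUTSIDE-IN
 deny ip any any
interface GigabitEthernet0/1
 description inside
 ip inspect CBAC-FW in
interface GigabitEthernet0/0
 description outside
 ip access-group OUTSIDE-IN in
!
! ===== Zone-Based Policy Firewall =====
! steps 1-2 are planning: inside hosts may open web and DNS sessions to the
! outside; nothing unsolicited may come in (no OUT-IN zone pair -> denied)
! 3. Zones
zone security INSIDE
zone security OUTSIDE
! 5. Class map: the traffic between the zones the policy applies to
class-map type inspect match-any WEB-DNS
 match protocol http
 match protocol https
 match protocol dns
! 6. Policy map: inspect = stateful permit with return traffic; the rest is dropped
policy-map type inspect IN-TO-OUT
 class type inspect WEB-DNS
  inspect
 class class-default
  drop log
! 4. Zone pair (direction matters: inside -> outside only)
zone-pair security IN-OUT source INSIDE destination OUTSIDE
 ! 7. Assign the policy map to the zone pair
 service-policy type inspect IN-TO-OUT
! Interfaces join their zones (a zone member cannot talk to a non-zone interface)
interface GigabitEthernet0/1
 zone-member security INSIDE
interface GigabitEthernet0/0
 zone-member security OUTSIDE
!
! Verification: zones, pairs and the active inspected sessions
show zone security
show zone-pair security
show policy-map type inspect zone-pair IN-OUT sessions
```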
• 95. Configuring Cisco IOS Firewall Authentication Proxy:
• HTTP, HTTPS, FTP, and Telnet authentication
• Provides dynamic, per-user authentication and authorization via the TACACS+ and RADIUS protocols
• Once authenticated, all types of application traffic can be authorized
• Works on any interface type for inbound or outbound traffic
• 96. Configuring Cisco IOS IPS:
• 97. Uses the underlying routing infrastructure
• Inline deep packet inspection
– Software-based inline intrusion prevention sensor
• IPS signature support
– Signature-based packet scanning; uses the same set of signatures as the IDS Sensor platform
– Dynamic signature update (no need to update the IOS image)
– Customized signature support
• Variety of event actions configurable on a per-signature basis
• Parallel signature scanning
• Named and numbered extended ACL support
Cisco IPS Hardware Modules:
• 98. Signature Engines:
Signature Actions:
• Alarm
• Send an alarm via syslog and SDEE
• Reset
• Applies to TCP connections; sends a reset to both peers
• Drop
• Drops the packet
• DenyAttackerInline
• Blocks the attacker’s source IP address completely. No connection can be established from the attacker to the router until the shun time expires (this is set by the user).
• DenyFlowInline
• Blocks the appropriate TCP flow from the attacker. Other connections from the attacker can still be established to the router.
• 99. Event Risk Rating Calculation:
Signature Definition File (SDF):
• An SDF contains all or a subset of the signatures supported by Cisco IPS.
• An IPS loads the signatures contained in the SDF and scans incoming traffic for matching signatures.
• The IPS enforces the policy defined in the signature action.
• Cisco IPS uses the SDF to populate internal tables with the information necessary to detect each signature.
• The SDF can be saved in the router flash memory.
• SDFs are downloaded from cisco.com.
• Two pre-built SDFs:
• 256MB.sdf
• 128MB.sdf
• 100. Issues to Consider:
• Memory use and performance impact
• Limited persistent storage
• CPU-intensive
• Updated signature coverage
• More than 1500 common attacks
Configuration Tasks:
• Install Cisco IOS Firewall IPS on the router:
• Specify the location of the SDF.
• Create an IPS rule.
• Attach a policy to a signature (optional).
• Apply the IPS rule to an interface.
• Configure logging via syslog or SDEE.
• Verify the configuration.
• 101. Configure SDEE and HTTPS Server on the Cisco ISR:
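The IOS IPS configuration tasks of slide 100 with the SDEE/HTTPS setup of slide 101, using the SDF-based syntax the slides describe, as an added example that is not part of the slides. The rule name, syslog host, SDEE buffer size and interface are assumptions.

```cisco
! Added example (not from the slides): IOS IPS with a pre-built SDF, syslog and
! SDEE notification. Rule name, syslog host, buffer size and interface are
! assumptions.
!
! Logging targets: syslog, and SDEE (SDEE is pulled over the HTTPS server)
logging host 10.1.0.20
ip http secure-server
ip ips notify log
ip ips notify sdee
! number of SDEE events buffered on the router for the management station
ip sdee events 200
! Specify the SDF location (pre-built SDF copied to flash beforehand)
ip ips sdf location flash:128MB.sdf
! If the SDF cannot be loaded, drop traffic rather than forward it unscanned
ip ips fail closed
! Create the IPS rule
ip ips name IOS-IPS
! Apply the IPS rule inbound on the outside interface
interface GigabitEthernet0/0
 ip ips IOS-IPS in
!
! Verification: loaded SDF, active signatures, per-signature hit counters, events
show ip ips configuration
show ip ips signatures
show ip ips statistics
show ip sdee events
```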
• 104. Tune Signature in Cisco Configuration Professional:
Configure Event Action Override:
• 105. Configure Event Action Filter:
Network Address Translation (NAT):
NAT Types:
• 106. Static NAT Example:
• Dynamic NAT Example:
• 107. PAT Example:
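The three NAT types of slides 105 to 107 (static, dynamic, PAT) configured side by side on one router so they can be compared, as an added example that is not part of the slides. Addresses (documentation ranges) and interface names are assumptions.

```cisco
! Added example (not from the slides): static NAT, dynamic NAT and PAT on one
! router. Addresses and interface names are assumptions.
!
interface GigabitEthernet0/1
 description inside
 ip address 10.1.1.1 255.255.255.0
 ip nat inside
interface GigabitEthernet0/0
 description outside
 ip address 198.51.100.1 255.255.255.0
 ip nat outside
!
! Static NAT: permanent one-to-one mapping; lets the outside reach an inside server
ip nat inside source static 10.1.1.10 198.51.100.10
!
! Dynamic NAT: inside hosts matched by ACL 10 borrow an address from the pool
! (one public address per active host; the entry expires when idle)
access-list 10 permit 10.1.1.0 0.0.0.255
ip nat pool PUBLIC 198.51.100.20 198.51.100.30 netmask 255.255.255.0
ip nat inside source list 10 pool PUBLIC
!
! PAT (overload): many inside hosts share the outside interface address and are
! told apart by translated source port
access-list 20 permit 10.1.2.0 0.0.0.255
ip nat inside source list 20 interface GigabitEthernet0/0 overload
!
! Verification: the translation table shows the inside/outside local/global pairs
show ip nat translations
show ip nat statistics
```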
• 109. After Implementing Mitigation Techniques: