These slides are taken from the official SECURE guide and Cisco SNRS slides.
3/26/2014
Eng. Mohannad Alhanahnah
SECURE
Agenda:
• Network Security Technologies Overview
• Routed Data Plane Security
• Control Plane Security
• Management Plane Security
• Network Foundation Protection (NFP)
• 802.1X and Cisco Identity-Based Networking Services (IBNS)
• Implementing and Configuring Basic 802.1X
• Cisco IOS Foundation Security Solutions
• Implementing and Configuring NAT
• Implementing and Configuring Zone-Based Policy Firewalls
• Implementing and Configuring IOS IPS
• Cisco IOS Site-to-Site Security Solutions
Overview of the CCNP Security:
• All four CCNP Security exams are required:
• SECURE – 642-637
• IPS – 642-627
• FIREWALL – 642-618
• VPN – 642-648
• ~90 minutes with 60-70 questions
• Register with Pearson Vue: http://www.vue.com/cisco
• Exam cost is $200.00 US
Cisco SAFE:
• Focuses on the development of good network security designs.
• Utilizes the Cisco Security Control Framework (SCF).
• Examples of technologies that help identify include:
■ 802.1x for identity solutions
■ Biometric recognition
■ Routing authentication
■ Secure traffic mechanisms (encryption)
■ Authentication mechanisms
• Examples of technologies that help monitor this data include:
■ AAA
■ IDS and IPS
• Examples of technologies that help correlate this data include:
■ MARS
■ NTP
• Examples of technologies that help harden network elements include:
■ Control plane policing
■ Component redundancy
■ Device/interface redundancy
■ Topology redundancy
• Examples of technologies that can isolate specific devices or data include:
■ ACLs and VPNs
■ Out-of-band management
■ Management traffic encryption
■ Virtual local-area networks (VLANs)
• Examples of technologies that can enforce specific policies include:
■ IDS and IPS
■ Port security
■ ACLs
Examining Layer 2 Attacks:
• The most common types of switched data plane attacks
are as follows:
■ VLAN hopping
■ CAM flooding
■ MAC address spoofing
■ STP spoofing
■ DHCP “starvation”
■ DHCP server spoofing
■ ARP spoofing
■ IP spoofing
CAM Table Overflow Attack:
Port Security:
Mitigating CAM Table Overflow:
1. Secure MAC Addresses:
• Static
• Dynamic
• Sticky: The sticky secure classification covers dynamically learned addresses that are automatically added to the running configuration.
• Configuration Guidelines:
• Only on static access ports
• Not on trunk or dynamic access ports
• Not on SPAN ports
• Not on EtherChannel ports
• Addresses on the voice VLAN are learned as dynamic secure addresses
• On a port with a voice VLAN, set the maximum number of secure MAC addresses to two plus the maximum number allowed on the access VLAN
• Dynamic port security is enabled on the voice VLAN when it is enabled on the access VLAN
• Not configurable on a per-VLAN basis
• Sticky addresses do not age
• The protect and restrict options cannot be enabled simultaneously
2. Configuring Port Security:
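The following switch configuration is an added example, not a slide from the deck or Cisco's own text; the interface names, VLAN numbers and MAC address are assumed values chosen to illustrate the guidelines above.

```cisco
! Access port hardened against CAM table overflow (constructed example).
! Sticky learning writes the first MACs seen into the running config;
! any further source MAC on the port triggers the violation action.
interface FastEthernet0/5
 description user access port (data + voice)
 switchport mode access
 switchport access vlan 10
 switchport voice vlan 110
 switchport port-security
 ! one data host on the access VLAN + two for the voice VLAN (guideline above)
 switchport port-security maximum 3
 switchport port-security mac-address sticky
 ! restrict: drop offending frames, count them and send a syslog/SNMP trap,
 ! but keep the port up (shutdown would err-disable it)
 switchport port-security violation restrict
 ! aging applies to dynamic addresses only; sticky addresses never age
 switchport port-security aging time 60
 switchport port-security aging type inactivity
!
! A port with a single known host can use a static secure address instead
interface FastEthernet0/6
 switchport mode access
 switchport access vlan 10
 switchport port-security
 switchport port-security maximum 1
 switchport port-security mac-address 0011.2233.4455
 switchport port-security violation shutdown
!
! Let ports that were err-disabled by a violation recover automatically
errdisable recovery cause psecure-violation
errdisable recovery interval 300
!
! Verification: violation count, learned/sticky addresses, port status
show port-security interface FastEthernet0/5
show port-security address
```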
Verifying Port Security
VLAN Hopping:
Mitigating VLAN Hopping:
Spanning Tree Manipulation:
Mitigating Spanning Tree Manipulation:
MAC Spoofing—Man-in-the-Middle Attacks:
DHCP Attacks:
Mitigating DHCP Attacks:
1. Port security:
2. DHCP Snooping:
• DHCP snooping allows ports to be configured as trusted or untrusted.
• DHCP server replies arriving on untrusted ports are dropped.
• Configure the uplinks toward the DHCP server as trusted.
• Do not configure trust on client ports.
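An added configuration example (not from the deck) showing DHCP snooping with the uplink trusted and the client ports rate-limited; VLAN and interface numbers are assumed.

```cisco
! DHCP snooping is enabled globally and then per VLAN. Every port is
! untrusted until marked trusted, so DHCP OFFER/ACK frames from a rogue
! server on an access port are dropped.
ip dhcp snooping
ip dhcp snooping vlan 10,20
! Keep option-82 insertion off unless the DHCP server or relay expects it;
! otherwise the server may discard the forwarded requests.
no ip dhcp snooping information option
!
! Uplink toward the real DHCP server (or the distribution switch relaying
! to it): server replies are accepted here only.
interface GigabitEthernet0/1
 description uplink to distribution
 switchport mode trunk
 ip dhcp snooping trust
!
! Client ports stay untrusted (the default). Rate-limiting DISCOVER/REQUEST
! blunts DHCP starvation; a port exceeding the limit is err-disabled.
interface range FastEthernet0/1 - 24
 switchport mode access
 switchport access vlan 10
 ip dhcp snooping limit rate 10
!
errdisable recovery cause dhcp-rate-limit
!
! Verify trusted ports, per-VLAN state, and the learned binding table
show ip dhcp snooping
show ip dhcp snooping binding
```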
Implementing Identity Management:
• Cisco ACS Features
• A centralized identity networking solution
• Manage and administer user access for many Cisco and other
devices
• Many advanced features
• TACACS+ and RADIUS server
• Combines AAA
• Cisco NAC support
• Network Access Profiles
• EAP-FAST support
• Downloadable IP ACLs
TACACS+ Overview:
TACACS+ and RADIUS Comparison:
Administrator Interface:
ACS Policies:
• Authentication
–Authentication protocols
–User databases
• Posture validation
–For use with NAC
• Authorization
–What the user is authorized to do
–Based on identity, posture, or both
Implementing Cisco IBNS:
• Cisco Identity-Based Networking Services
Concept of Cisco IBNS:
• Cisco IBNS is an IEEE 802.1x-based technology solution that increases network security by authenticating users based on personal identity in addition to device MAC and IP address verification.
• Unified control of user identity for the enterprise: Cisco VPN Concentrators, Cisco IOS Routers, Cisco PIX Firewalls
IEEE 802.1x:
• Standard set by the IEEE 802.1 working group
• A framework designed to address and provide port-based
access control using authentication
• Primarily an encapsulation definition for EAP over IEEE 802
media (EAPOL is the key protocol.)
• Layer 2 protocol for transporting authentication messages
(EAP) between supplicant (user/PC) and authenticator
(switch or access point)
• Assumes a secure connection
• Actual enforcement is via MAC-based filtering and port-state
monitoring
802.1x Components:
802.1x Operation:
How 802.1x Works:
The actual authentication conversation occurs between the client and the
authentication server using EAP. The authenticator is aware of this activity, but
it is just an intermediary.
EAP Over LAN (EAPOL)
What Is EAP?
• EAP—the Extensible Authentication Protocol
• A flexible transport protocol used to carry arbitrary
authentication information—not the authentication method
itself
• Typically runs directly over data-link layers such as PPP
or IEEE 802 media
• Originally specified in RFC 2284, obsoleted by RFC 3748
• Supports multiple “authentication” types
Current Prevalent Authentication Methods:
• Challenge-response-based
• EAP-MD5: Uses an MD5-based challenge-response for authentication
• LEAP: Uses username/password authentication
• EAP-MS-CHAPv2: Uses username/password MS-CHAPv2 challenge-response authentication
• Cryptographic-based
• EAP-TLS: Uses X.509 v3 PKI certificates and the TLS mechanism for authentication
• Tunneling methods
• PEAP: PEAP tunnel mode EAP encapsulator; tunnels other EAP types in
an encrypted tunnel—much like web-based SSL
• EAP-Tunneled TLS (TTLS): Other EAP methods over an extended EAP-
TLS encrypted tunnel
• EAP-FAST: Recent tunneling method designed to not require certificates
at all for deployment
• Other
• EAP-GTC: Generic token and OTP authentication
802.1x and the Guest VLAN:
802.1x and the Restricted VLAN:
Configuring 802.1x in Cisco IOS:
1. Enable AAA.
2. Configure 802.1x authentication.
3. Configure RADIUS communications.
4. Enable 802.1x globally.
5. Configure interface and enable 802.1x.
6. Verify 802.1x operation.
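The six steps above, worked through as an added Catalyst switch configuration (not the deck's own slides) that also shows the guest and restricted VLANs; the RADIUS address, shared secret, VLAN numbers and interface are assumed.

```cisco
! 1. Enable AAA and send 802.1x authentication to RADIUS
aaa new-model
aaa authentication dot1x default group radius
! optional: lets the RADIUS server (Cisco ACS in the deck) push a VLAN/ACL
aaa authorization network default group radius
!
! 3. RADIUS server; the key is a placeholder
radius-server host 10.1.1.10 auth-port 1812 acct-port 1813 key RADIUS-SECRET-PLACEHOLDER
!
! 4. Enable 802.1x globally; without this no port enforces anything
dot1x system-auth-control
!
! 5. Per-port: the switch is the authenticator, the PC the supplicant.
!    'auto' means the port forwards only EAPOL until authentication succeeds.
interface FastEthernet0/3
 switchport mode access
 switchport access vlan 10
 dot1x port-control auto
 dot1x timeout tx-period 10
 dot1x max-reauth-req 2
 ! Guest VLAN: hosts with no supplicant (no EAPOL reply) are placed here
 dot1x guest-vlan 50
 ! Restricted VLAN: hosts that FAIL authentication after 3 attempts
 dot1x auth-fail vlan 60
 dot1x auth-fail max-attempts 3
!
! 6. Verify: global state, per-port state, authorized VLAN and client MAC
show dot1x all
show dot1x interface FastEthernet0/3 details
```

Newer IOS releases express the per-port commands as `authentication port-control auto` and `authentication event no-response|fail action authorize vlan N`, with `show authentication sessions` for verification.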
Enable AAA:
Configure RADIUS Communications:
Enable 802.1x Globally:
Configure Interface and Enable 802.1x:
Configuring Guest and Restricted VLANs:
Verify 802.1x Operation:
Introducing Cisco NFP:
Network Foundation Protection (NFP):
• Cisco NFP protects the network infrastructure.
• There are several tools used to secure the infrastructure.
Network Foundation Protection: Enterprise Model
Securing the Control Plane:
• The control plane provides the functionality that builds the tables necessary to properly forward traffic. These tables include the routing table, forwarding table, MAC address table, and so on.
Control Plane Attacks and Mitigation Techniques:
Control Plane Protection (CPPr)
• A framework
• Provides for all policing and protection
• Extends the CoPP functionality
• Finer granularity
• Traffic classifier
• Port filtering: drops packets directed at closed or non-listening ports early, before they reach the process level
• Queue threshold: limits the number of unprocessed packets that a specific protocol can hold at the process level
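The two CPPr classifiers described above, as an added IOS example (not from the deck); the policy names, protocol list and the queue limit of 50 are assumed values.

```cisco
! --- Port filtering: drop packets to closed TCP/UDP ports before they
!     reach the process level. 'match closed-ports' follows the ports the
!     router is actually listening on, so no static port list is kept.
class-map type port-filter match-any CPPR-CLOSED-PORTS
 match closed-ports
!
policy-map type port-filter CPPR-PORT-FILTER
 class CPPR-CLOSED-PORTS
  drop
!
! --- Queue threshold: cap how many unprocessed packets each management
!     protocol may hold in the input queue so a flood of one protocol
!     cannot starve the others.
class-map type queue-threshold match-any CPPR-MGMT-PROTOS
 match protocol snmp
 match protocol ssh
 match protocol telnet
!
policy-map type queue-threshold CPPR-QUEUE-LIMIT
 class CPPR-MGMT-PROTOS
  queue-limit 50
!
! Both policies attach to the host subinterface of the control plane;
! CPPr separates host, transit and CEF-exception traffic, unlike plain CoPP.
control-plane host
 service-policy type port-filter input CPPR-PORT-FILTER
 service-policy type queue-threshold input CPPR-QUEUE-LIMIT
!
! Verify: which ports are open, and the drop/queue counters
show control-plane host open-ports
show policy-map type port-filter control-plane host
show policy-map type queue-threshold control-plane host
```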
Securing the Management Plane:
• The management plane provides the facilities through which the device is configured for initial deployment and then monitored and maintained thereafter.
• Protocols of the Management Plane
• Telnet
• SNMP
• SSH
• HTTP
• HTTPS
Tools Used to Secure the Management Plane:
• Cisco Management Plane Protection (MPP) feature for Cisco IOS
Release 12.4(6)T
• SSH access only
• ACLs on the vty ports
• Cisco IOS Software login enhancement
• Role-based CLI views
Cisco IOS MPP:
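An added example (not the deck's slide) combining the management-plane tools listed above: MPP, SSH-only vty access with an ACL, the login enhancement, and a role-based CLI view. Interface, subnet, domain and account names are assumed; secrets are placeholders.

```cisco
! Management Plane Protection: SSH and SNMP are accepted only on the
! designated in-band management interface; the same protocols arriving
! on any other interface are dropped before the management process.
control-plane host
 management-interface GigabitEthernet0/1 allow ssh snmp
!
! SSH only: RSA key, SSHv2, no Telnet, source restriction on the vty lines
ip domain-name example.com
crypto key generate rsa modulus 2048
ip ssh version 2
ip access-list standard MGMT-HOSTS
 permit 10.10.0.0 0.0.0.255
 deny   any log
line vty 0 4
 transport input ssh
 access-class MGMT-HOSTS in
 exec-timeout 10 0
 login local
!
! Login enhancement: 3 failures within 60 s -> quiet mode for 120 s, during
! which only the MGMT-HOSTS sources may still log in; log every attempt.
login block-for 120 attempts 3 within 60
login quiet-mode access-class MGMT-HOSTS
login on-failure log
login on-success log
!
! Role-based CLI view: an operator account limited to show and ping.
! (Views require aaa new-model and an enable secret; create the view
!  from the root view, entered with 'enable view'.)
enable secret ENABLE-SECRET-PLACEHOLDER
aaa new-model
parser view NOC-VIEW
 secret VIEW-SECRET-PLACEHOLDER
 commands exec include show
 commands exec include ping
username noc view NOC-VIEW secret NOC-PASSWORD-PLACEHOLDER
!
! Verify
show management-interface
show login
show parser view all
```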
Verifying MPP:
Securing the Data Plane:
• The data plane forwards network traffic and applies various services to it, such as security, QoS, accounting, and so on.
Data Plane Protection:
Flexible Packet Matching (FPM):
Configuring FPM:
1. Load a Protocol Header Description File (PHDF)
–For header field matching
2. Create a traffic class
–Define a protocol stack and specify exact parameters to match
–Using class map type “stack” and “access-control”
3. Create a traffic policy
–Define a service policy
4. Apply the service policy to an interface
• Steps 1 & 2: PHDFs and Class Maps
• Step 3: Traffic Policies
• Step 4: Applying a Service Policy to an Interface:
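The four FPM steps carried through as an added example (not the deck's slides): the destination port 5555 and the 4-byte payload marker 0xDEADBEEF are constructed placeholders standing in for whatever pattern a real filter targets; class and policy names and the interface are assumed.

```cisco
! 1. Load the PHDFs (Cisco-supplied files, copied to flash beforehand)
load protocol flash:ip.phdf
load protocol flash:tcp.phdf
!
! 2a. Stack class: IP carrying TCP (protocol 6); 'next TCP' tells FPM
!     which header description to use for the following layer
class-map type stack match-all FPM-IP-TCP
 match field IP protocol eq 0x6 next TCP
!
! 2b. Access-control class: TCP to port 5555 whose payload starts with the
!     constructed marker 0xDEADBEEF (offset 0 from the TCP payload start)
class-map type access-control match-all FPM-BAD-PAYLOAD
 match field TCP dest-port eq 5555
 match start TCP payload-start offset 0 size 4 eq 0xDEADBEEF
!
! 3. Child policy holds the action; the parent policy binds the child
!    to the protocol stack it applies to
policy-map type access-control FPM-DROP-BAD
 class FPM-BAD-PAYLOAD
  drop
  log
policy-map type access-control FPM-POLICY
 class FPM-IP-TCP
  service-policy FPM-DROP-BAD
!
! 4. Apply inbound on the untrusted interface
interface GigabitEthernet0/0
 service-policy type access-control input FPM-POLICY
!
! Verify the loaded header description and the match/drop counters
show protocols phdf ip
show policy-map type access-control interface GigabitEthernet0/0
```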
Introducing IPsec:
• Combines three protocols into a cohesive security
framework
IPsec Modes:
Authentication Header:
• RFC 2402
• IP protocol 51
• Mechanism for providing strong integrity and authentication
for IP datagrams
Encapsulating Security Payload:
• RFC 2406
• IP protocol 50
• May provide the following:
• Confidentiality (encryption)
• Connectionless integrity
• Data origin authentication
• An antireplay service
Internet Key Exchange:
• RFC 2409
• A hybrid protocol consisting of:
• SKEME
• A mechanism for using public key encryption for authentication
• Oakley
• A modes-based mechanism for arriving at an encryption key between
two peers
• ISAKMP
• An architecture for message exchange, including packet formats and
state transitions between two peers
• Phase-based
How IKE Works:
• IKE is a two-phase protocol.
Internet Security Association and Key Management
Protocol (ISAKMP):
• RFC 2408
• UDP 500
• Defines procedures for:
• Authenticating a peer
• Creation and management of SAs
• Key generation techniques
• Threat mitigation
Other Protocols and Terminology
IPsec Configuration Task List:
1. Check network connectivity
2. Ensure ACLs are compatible with IPsec
• Allow IP protocols 50 and 51
• Allow UDP 500
3. Configure IKE
• ISAKMP
4. Configure IPsec
• Create crypto ACLs
• Define transform sets
• Create crypto map entries
• Set global lifetimes for IPsec SAs
• Apply crypto map to the interface
IPsec VPN Deployment:
• Site-to-site VPNs
• Fully meshed (static)
• Hub (static) and spoke (dynamic)
• Fully meshed on demand (dynamic)
• DMVPN: provide for a combination of static and dynamic on-
demand tunnels
• Remote-access VPNs
• Cisco Easy VPN
• WebVPN (Cisco IOS SSL VPN)
Fully Meshed VPNs:
• There are static public addresses between peers.
• Local LAN addresses can be private or public.
Hub-and-Spoke VPNs:
• Static public address needed at the hub only.
• Spoke addresses can be dynamically applied using DHCP.
Dynamic Multipoint VPNs:
Cisco Easy VPN:
Cisco IOS WebVPN:
• Integrated security and routing
• Clientless and full network SSL VPN access
Implementing IPsec VPNs Using Pre-Shared Keys:
• Prepare for ISAKMP and IPsec.
• Configure ISAKMP
• Pre-shared key authentication
• Configure IPsec transforms.
• Create ACLs for encryption traffic (crypto ACLs).
• Configure crypto map.
• Apply crypto map to an interface.
• Test and verify IKE and IPsec.
Planning the IKE Policy:
• Determine the following policy details:
• Key distribution method
• Authentication method
• IPsec peer IP addresses and hostnames
• ISAKMP policies for all peers
• Encryption algorithm
• Hash algorithm
• IKE SA lifetime
IKE Phase 1 Policy Parameters:
IPsec Transforms
Identify IPsec Peers:
Configuring ISAKMP:
• Step 1: Enable or disable ISAKMP.
• Step 2: Create ISAKMP policies.
• Configure authentication method
• Pre-shared keys
• Step 3: Configure pre-shared keys (or RSA signatures when using PKI).
• Step 4: Verify ISAKMP configuration.
• Step 1: Enable or Disable ISAKMP
• Step 2: Create ISAKMP Policies:
• Create ISAKMP Policies with the crypto isakmp Command:
• Step 3: Configure Pre-Shared Keys:
Configuring IPsec:
• Step 1: Configure transform sets.
• Step 2: Configure global IPsec SA lifetimes.
• Configure Transform Sets:
• crypto ipsec security-association lifetime:
Purpose of Crypto Maps:
• Crypto maps pull together the various parts configured for
IPsec, including:
• Which traffic should be protected by IPsec
• Where IPsec-protected traffic should be sent
• The local address to be used for the IPsec traffic
• Which IPsec type should be applied to this traffic
• Whether SAs are established manually or via IKE
• Other parameters needed to define an IPsec SA
• IPsec Configuration Example:
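An added worked example (not the deck's own slide) covering the pre-shared-key task list above end to end on one peer: ISAKMP policy and key, transform set and SA lifetime, crypto ACL, crypto map, interface binding and verification. Addresses (203.0.113.1 / 198.51.100.1, LANs 10.1.1.0/24 and 10.2.2.0/24), names and the key are assumed; the peer needs the mirror-image configuration.

```cisco
! Router A: outside 203.0.113.1, LAN 10.1.1.0/24; peer B: 198.51.100.1, LAN 10.2.2.0/24
!
! Inbound ACL on the outside interface must admit ISAKMP (UDP 500),
! ESP (50) and AH (51) from the peer (only the VPN-related lines shown)
ip access-list extended OUTSIDE-IN
 permit udp host 198.51.100.1 host 203.0.113.1 eq isakmp
 permit esp host 198.51.100.1 host 203.0.113.1
 permit ahp host 198.51.100.1 host 203.0.113.1
!
! IKE phase 1: policy (lower number = higher priority) and the PSK per peer
crypto isakmp policy 10
 encryption aes 256
 hash sha256
 authentication pre-share
 group 14
 lifetime 86400
crypto isakmp key PSK-PLACEHOLDER address 198.51.100.1
!
! IKE phase 2: transform set (tunnel mode for site-to-site) and SA lifetime
crypto ipsec transform-set TS-AES-SHA esp-aes 256 esp-sha256-hmac
 mode tunnel
crypto ipsec security-association lifetime seconds 3600
!
! Crypto ACL: which traffic is protected; the peer's ACL must be the mirror
ip access-list extended CRYPTO-ACL-TO-B
 permit ip 10.1.1.0 0.0.0.255 10.2.2.0 0.0.0.255
!
! Crypto map: peer, transform set, PFS and traffic selector in one entry
crypto map VPN-MAP 10 ipsec-isakmp
 set peer 198.51.100.1
 set transform-set TS-AES-SHA
 set pfs group14
 match address CRYPTO-ACL-TO-B
!
interface GigabitEthernet0/0
 ip address 203.0.113.1 255.255.255.0
 ip access-group OUTSIDE-IN in
 crypto map VPN-MAP
!
! Verify: phase 1 SA state (QM_IDLE = up), phase 2 SAs and counters
show crypto isakmp sa
show crypto ipsec sa
show crypto map
```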
Implementing IPsec VPNs Using PKI:
Digital Signatures:
X.509v3 Digital Certificate:
Certificate Enrollment:
Configuring a Site-to-Site VPN Using PKI:
• Prepare for ISAKMP and IPsec
• Configure CA support
• Configure ISAKMP for IPsec
• rsa-sig authentication
• Configure IPsec transforms
• Create ACLs for encryption traffic (crypto ACLs)
• Configure crypto map
• Apply crypto map to an interface
• Test and verify IPsec
• Set the Router Time and Date:
• Configuring a Hostname and Domain Name:
• Add a CA Server Entry to the Router Host Table:
• Generate an RSA Key Pair:
• Declaring a CA:
• Authenticate the CA:
• Request Your Own Certificate:
• Verify the CA Support Configuration:
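The CA-support steps above, as an added example (not the deck's slides); the hostname, domain, CA address, trustpoint name and key label are assumed. Only the ISAKMP policy changes compared with the pre-shared-key configuration; transform sets, crypto ACLs and the crypto map stay the same.

```cisco
! Time must be correct before enrolment: certificate validity is checked
clock timezone UTC 0
ntp server 10.1.1.20
!
! Hostname and domain form the default certificate subject and key name;
! the CA is made resolvable through the local host table
hostname RouterA
ip domain-name example.com
ip host ca-server.example.com 10.1.1.30
!
! RSA key pair the certificate will be bound to
crypto key generate rsa general-keys label VPN-KEYS modulus 2048
!
! Declare the CA: SCEP enrolment URL, subject, key pair, CRL checking,
! and automatic renewal once 70% of the certificate lifetime has passed
crypto pki trustpoint EXAMPLE-CA
 enrollment url http://ca-server.example.com:80
 subject-name CN=RouterA.example.com,OU=VPN
 rsakeypair VPN-KEYS
 revocation-check crl
 auto-enroll 70
!
! Privileged EXEC, not config: fetch the CA certificate (accept it only
! after comparing the displayed fingerprint with the one the CA admin
! published out of band), then request this router's own certificate
crypto pki authenticate EXAMPLE-CA
crypto pki enroll EXAMPLE-CA
!
! ISAKMP policy now authenticates with certificates instead of a PSK
crypto isakmp policy 10
 encryption aes 256
 hash sha256
 authentication rsa-sig
 group 14
!
! Verify the CA support configuration
show crypto pki trustpoints
show crypto pki certificates
show crypto key mypubkey rsa
```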
Configuring GRE Tunnels:
• Generic Routing Encapsulation (GRE) was designed to carry
multiprotocol and IP multicast traffic between sites that might not
have IP connectivity.
• RFCs 1701, 1702, 2784
• Uses IP protocol 47 when encapsulated within IP
• Allows passing of routing information between connected networks
• One of the significant advantages of GRE tunneling over (non-VTI)
IPsec tunnels is that GRE uses Cisco IOS Software interfaces that
can utilize QoS features.
• GRE does have some limitations:
■ GRE provides no cryptographic protection for traffic and must be combined
with IPsec to provide it.
■ There is no standard way to determine the end-to-end state of a GRE
tunnel. Cisco IOS Software provides proprietary GRE keepalives for this
purpose.
• Deployment Scenario:
Configuring a GRE Tunnel:
1. Create and identify the tunnel interface.
2. Configure the tunnel interface source address.
3. Configure the tunnel interface destination address.
4. Bring up tunnel interface (administratively).
5. Configure routes.
GRE/IPsec:
GRE with Encryption Example:
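An added example (not the deck's slide) of the five GRE steps on one side, with the tunnel protected by an IPsec profile rather than a crypto map, and a routing protocol running across it; addresses, names, the EIGRP AS number and the key are assumed, and the peer mirrors the tunnel source/destination.

```cisco
! Router A: outside 203.0.113.1, peer 198.51.100.1 (constructed addresses)
! ISAKMP policy and key as in the site-to-site example
crypto isakmp policy 10
 encryption aes 256
 hash sha256
 authentication pre-share
 group 14
crypto isakmp key PSK-PLACEHOLDER address 198.51.100.1
! Transport mode suffices: GRE already supplies the outer IP header
crypto ipsec transform-set TS-GRE esp-aes 256 esp-sha256-hmac
 mode transport
!
! IPsec profile replaces the crypto map: no crypto ACL to maintain,
! everything leaving the tunnel interface is encrypted
crypto ipsec profile GRE-PROT
 set transform-set TS-GRE
!
! 1-4: create the tunnel, set source and destination, protect it, bring it up
interface Tunnel0
 ip address 172.16.0.1 255.255.255.252
 tunnel source GigabitEthernet0/0
 tunnel destination 198.51.100.1
 tunnel mode gre ip
 ! Cisco proprietary keepalives: interface goes down after 3 missed replies
 keepalive 10 3
 ! GRE + ESP overhead: avoid fragmentation of the encapsulated packets
 ip mtu 1400
 ip tcp adjust-mss 1360
 tunnel protection ipsec profile GRE-PROT
 no shutdown
!
! 5. Routes: a routing protocol over the tunnel (the advantage over
!    crypto-map IPsec, which cannot carry routing updates or multicast)
router eigrp 100
 network 10.1.1.0 0.0.0.255
 network 172.16.0.0 0.0.0.3
!
! Verify: tunnel up/up with keepalives, and an IPsec session for it
show interfaces Tunnel0
show crypto session
show crypto ipsec sa
```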
Configuring a DMVPN:
• The Cisco DMVPN feature allows administrators to deploy scalable
IPsec VPNs for both small and large networks.
• Relies on:
• IPsec profiles
• Next Hop Resolution Protocol (NHRP): The NHRP database maintains
mappings between the router (public, physical interface) and the tunnel
(inside the tunnel interface) IP addresses of each spoke.
• Multipoint Generic Routing Encapsulation (mGRE): allows a single GRE interface to support multiple GRE tunnels and makes the configuration much easier
• Benefits:
• Hub router configuration reduction
• Automatic IPsec encryption initiation
• Support for dynamically addressed spoke routers
• Dynamic tunnel creation for spoke-to-spoke tunnels
Single DMVPN Topology:
Dual DMVPN Topology:
DMVPN Deployment Models:
DMVPN Configuration Tasks:
• ISAKMP and IPsec configuration
• Tunnel protection configuration
• IPsec profiles
• Tunnel interface configuration
• mGRE configuration
• NHRP configuration
• Routing protocol configuration
• ISAKMP and IPsec:
• IPsec Profile:
• DMVPN Example:
• DMVPN Routing Tables:
• DMVPN NHRP Mapping Tables:
• IPsec Profile:
• Hub Configuration:
• Spoke Configuration:
Configuring Cisco IOS SSL VPN (WebVPN):
Remote-Access Modes:
Configuring WebVPN:
• WebVPN prerequisites:
• Configure AAA
• Local or ACS authentication
• Configure DNS
• Router hostname and domain name
• Map host to IP address in router host table
• Configure certificates and trustpoints
• CA or self-signed
• WebVPN configuration
• Configure a WebVPN gateway
• Configure a WebVPN context
• Configure a URL list for clientless access
• Configure Microsoft file shares for clientless access
• Configure application port forwarding
• Configure a WebVPN policy group
• AAA Configuration—Local Authentication
• AAA Configuration—External Authentication
• DNS Configuration
• Gateway Configuration Commands:
• Context Configuration Commands:
• URL Lists
• Group Policy Configuration Commands:
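An added IOS WebVPN example (not the deck's slides) covering the prerequisite and configuration list above with local authentication: gateway, context, URL list, file-share (NBNS) list, port forwarding, and a policy group that also allows full-tunnel SVC access. Hostnames, addresses, pool and list names are assumed; the SVC package path is a placeholder.

```cisco
! Prerequisites: AAA (local), DNS names, and a certificate for the gateway
aaa new-model
aaa authentication login SSLVPN-AUTH local
username vpnuser secret USER-PASSWORD-PLACEHOLDER
hostname vpngw
ip domain-name example.com
ip name-server 10.1.1.53
ip host fileserver.example.com 10.1.1.40
! Self-signed trustpoint; a CA-issued certificate avoids browser warnings
crypto pki trustpoint SSLVPN-TP
 enrollment selfsigned
 subject-name CN=vpngw.example.com
 rsakeypair SSLVPN-KEYS 2048
! privileged EXEC: generates the self-signed certificate
crypto pki enroll SSLVPN-TP
!
! Full-tunnel (SVC) clients need the client package on flash and a pool
webvpn install svc flash:/webvpn/ANYCONNECT-PACKAGE-PLACEHOLDER.pkg
ip local pool SSLVPN-POOL 10.99.0.1 10.99.0.100
!
! Gateway: the listening address/port and the certificate it presents
webvpn gateway SSLVPN-GW
 ip address 203.0.113.1 port 443
 ssl trustpoint SSLVPN-TP
 inservice
!
! Context: ties gateway, authentication, portal content and policy together
webvpn context SSLVPN-CTX
 gateway SSLVPN-GW
 aaa authentication list SSLVPN-AUTH
 ! clientless: bookmarks shown on the portal page
 url-list "INTRANET"
   heading "Intranet"
   url-text "HR portal" url-value "https://hr.example.com"
 ! clientless: Windows file shares need a NetBIOS name server
 nbns-list "CORP-NBNS"
   nbns-server 10.1.1.40 master
 ! thin client: forward local port 3000 to the internal mail server
 port-forward "PF-APPS"
   local-port 3000 remote-server "mail.example.com" remote-port 25 description "SMTP"
 policy group SSLVPN-POLICY
   url-list "INTRANET"
   nbns-list "CORP-NBNS"
   functions file-access
   functions file-browse
   functions file-entry
   port-forward "PF-APPS"
   ! full network access: SVC with an address pool and split tunnelling
   functions svc-enabled
   svc address-pool "SSLVPN-POOL"
   svc split include 10.0.0.0 255.0.0.0
   svc keep-client-installed
 default-group-policy SSLVPN-POLICY
 inservice
!
! Verify
show webvpn gateway
show webvpn context
show webvpn session context SSLVPN-CTX
```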
Configuring Cisco Easy VPN Remote Access:
Cisco Easy VPN is made up of two components:
• Cisco Easy VPN Server: Enables Cisco IOS routers, Cisco
ASA/Cisco PIX Firewall, and Cisco VPN 3000 Series
Concentrators to act as VPN headend devices in site-to-site
or remote-access VPNs, where the remote office devices are
using the Cisco Easy VPN Remote feature.
• Cisco Easy VPN Remote: Enables Cisco IOS routers,
Cisco ASA/Cisco PIX Firewall, and Cisco VPN 3002
Hardware Clients or Cisco VPN Software Clients to act as
remote VPN Clients.
Remote Access Using Cisco Easy VPN:
Cisco Easy VPN Remote Connection Process:
Cisco Easy VPN Remote Configuration General Tasks
for Access Routers:
• Configure the DHCP server pool.
• Configure the Cisco Easy VPN Remote client profile.
• Group and key
• Peer
• Mode
• Manual or automatic tunnel control
• Assign the Cisco Easy VPN Remote client profile to the
interfaces.
• Verify the Cisco Easy VPN configuration.
Cisco Easy VPN Server—General Configuration Tasks:
The following general tasks are used to configure Cisco Easy
VPN Server on a Cisco router:
• (Optional) Create IP address pool for connecting clients
• Enable group policy lookup via AAA
• Create an ISAKMP policy for remote VPN Client access
• Define a group policy for mode configuration push
• Apply mode configuration and XAUTH
• Enable RRI for the client
• Enable IKE
• Configure XAUTH
• (Optional) Enable the XAUTH Save Password feature
• Create ISAKMP Policy for Remote VPN Client Access
• Create Transform Sets
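An added example (not the deck's slides) pairing the Easy VPN Server tasks above with the Easy VPN Remote tasks from the previous slides: group policy pushed by mode configuration, XAUTH, RRI and the dynamic crypto map on the headend, and a client-mode profile on a branch access router. Group name, pool, ACL number, addresses and interface names are assumed; keys and passwords are placeholders.

```cisco
! ===== Easy VPN Server (headend, outside 203.0.113.1) =====
aaa new-model
! XAUTH user authentication and group policy lookup, both local here
aaa authentication login EZVPN-XAUTH local
aaa authorization network EZVPN-GROUP local
username remoteuser secret XAUTH-PASSWORD-PLACEHOLDER
ip local pool EZVPN-POOL 10.50.0.1 10.50.0.100
!
crypto isakmp policy 10
 encryption aes 256
 hash sha256
 authentication pre-share
 group 14
!
! Group policy pushed to clients via mode configuration;
! ACL 150 defines the split-tunnel networks
crypto isakmp client configuration group EZVPN-GROUP
 key GROUP-PSK-PLACEHOLDER
 dns 10.1.1.53
 domain example.com
 pool EZVPN-POOL
 acl 150
 save-password
access-list 150 permit ip 10.1.1.0 0.0.0.255 any
!
crypto ipsec transform-set TS-EZ esp-aes 256 esp-sha256-hmac
! Dynamic map: peers are unknown in advance; RRI injects a route per client
crypto dynamic-map EZVPN-DYN 10
 set transform-set TS-EZ
 reverse-route
!
crypto map EZVPN-MAP client authentication list EZVPN-XAUTH
crypto map EZVPN-MAP isakmp authorization list EZVPN-GROUP
crypto map EZVPN-MAP client configuration address respond
crypto map EZVPN-MAP 10 ipsec-isakmp dynamic EZVPN-DYN
!
interface GigabitEthernet0/0
 ip address 203.0.113.1 255.255.255.0
 crypto map EZVPN-MAP

! ===== Easy VPN Remote (branch access router, client mode) =====
crypto ipsec client ezvpn EZ-PROFILE
 group EZVPN-GROUP key GROUP-PSK-PLACEHOLDER
 peer 203.0.113.1
 mode client
 connect auto
 username remoteuser password XAUTH-PASSWORD-PLACEHOLDER
!
! DHCP pool for the branch LAN
ip dhcp pool BRANCH-LAN
 network 192.168.10.0 255.255.255.0
 default-router 192.168.10.1
!
interface FastEthernet4
 description outside (address from the ISP by DHCP)
 ip address dhcp
 crypto ipsec client ezvpn EZ-PROFILE
interface Vlan1
 description inside
 ip address 192.168.10.1 255.255.255.0
 crypto ipsec client ezvpn EZ-PROFILE inside
!
! Verify on the remote: tunnel state and the attributes pushed by the server
show crypto ipsec client ezvpn
show crypto isakmp sa
```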
Examining Cisco IOS Firewall:
• Deploy:
• As an Internet Firewall
• Between groups on internal network
• As a VPN end point from branches
• Between partner network and corporate
• Features:
• Cisco IOS Software Stateful Packet Inspection
• Protection Against Attack
• Alerts and Audit Trails
• Authentication Proxy
• Support for NAT and Port-to-Application Mapping (PAM)
Cisco IOS Firewall Feature Set:
• Classic firewall
• Authentication proxy
• Cisco IOS IPS
• ACLs
• TCP Intercept
• PAM
• NAT
• Security server support
• RADIUS, TACACS+, Kerberos
• User authentication and authorization
Cisco IOS Firewall Authentication Proxy:
Cisco IOS IPS:
Configuring Cisco IOS Classic Firewall:
• The classic firewall is Context-Based Access Control (CBAC), which applies policies through inspect statements and access control lists (ACLs) configured between interfaces.
• The Zone-Based Policy Firewall (ZBPFW) is the next Cisco implementation of a router-based firewall that runs in Cisco IOS Software. It was introduced in IOS Release 12.4(6)T.
• Like CBAC, the ZBPFW supports stateful inspection as well as Application Inspection and Control (AIC), also referred to as Deep Packet Inspection (DPI). This includes inspection support for Layers 3 through 7.
• As mentioned previously, one of the main differences between a CBAC firewall and the ZBPFW is the use of security zones.
IOS Classic Firewall Configuration:
Configuring Cisco IOS Zone-Based Policy Firewall:
Zoning Rules Summary:
• If two interfaces are not in zones, traffic flows freely
between them.
• If one interface is in a zone, and another interface is not in
a zone, traffic may never flow between them.
• If two interfaces are in two different zones, traffic will not
flow between the interfaces until a policy is defined to
allow the traffic.
Configuring a Cisco IOS Zone-Based Policy Firewall:
1. Identify interfaces that share the same security function
and group them into the same security zones.
2. Determine the required traffic flow between zones in
both directions.
3. Set up zones.
4. Set up zone pairs for any policy other than deny all.
5. Define class maps to describe traffic between zones.
6. Associate class maps with policy maps to define actions
applied to specific policies.
7. Assign policy maps to zone pairs.
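The seven steps above as an added two-zone example (not the deck's slides): inside users may open HTTP, HTTPS, DNS and ICMP sessions outward, the return traffic is admitted statefully, and everything else, including all unsolicited inbound traffic, is dropped. Zone, class and policy names and the interfaces are assumed.

```cisco
! 1-3. Zones, one per security function, and interface membership
zone security INSIDE
zone security OUTSIDE
!
interface GigabitEthernet0/1
 description LAN
 zone-member security INSIDE
interface GigabitEthernet0/0
 description Internet
 zone-member security OUTSIDE
!
! 5. Class map: traffic INSIDE is allowed to initiate
class-map type inspect match-any INSIDE-TO-OUTSIDE-PROTOS
 match protocol http
 match protocol https
 match protocol dns
 match protocol icmp
!
! 6. Policy map: 'inspect' = stateful, replies are allowed automatically;
!    anything not matched falls into class-default and is dropped
policy-map type inspect INSIDE-TO-OUTSIDE-POLICY
 class type inspect INSIDE-TO-OUTSIDE-PROTOS
  inspect
 class class-default
  drop log
!
! 4/7. Zone pair for the permitted direction only. With no OUTSIDE->INSIDE
!      pair, unsolicited inbound traffic is denied (zoning rule 3 above).
zone-pair security IN-OUT source INSIDE destination OUTSIDE
 service-policy type inspect INSIDE-TO-OUTSIDE-POLICY
!
! Traffic to and from the router itself belongs to the implicit 'self'
! zone and is permitted by default; a self-zone pair is only needed to
! restrict it.
!
! Verify zone membership, pairs and the active sessions
show zone security
show zone-pair security
show policy-map type inspect zone-pair IN-OUT sessions
```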
Configuring Cisco IOS Firewall Authentication Proxy:
• HTTP, HTTPS, FTP, and Telnet authentication
• Provides dynamic, per-user authentication and authorization via the TACACS+ and RADIUS protocols
• Once authenticated, all types of application traffic can be authorized
• Works on any interface type for inbound or outbound traffic
Configuring Cisco IOS IPS:
• Uses the underlying routing infrastructure
• Inline deep packet inspection
–Software-based inline intrusion prevention sensor
• IPS signature support
–Signature-based packet scanning, using the same set of signatures as the IDS Sensor platform
–Dynamic signature updates (no need to update the IOS image)
–Customized signature support
• A variety of event actions, configurable on a per-signature basis
• Parallel signature scanning
• Named and numbered extended ACL support
Cisco IPS Hardware Modules:
Signature Engines:
Signature Actions:
• Alarm
• Sends an alarm via syslog and SDEE
• Reset
• Applies to TCP connections; sends a reset to both peers
• Drop
• Drops the packet
• DenyAttackerInline
• Blocks the attacker's source IP address completely. No connection can be established from the attacker to the router until the shun time expires (set by the user).
• DenyFlowInline
• Blocks the offending TCP flow from the attacker. Other connections from the attacker can still be established to the router.
Event Risk Rating Calculation:
Signature Definition File (SDF):
• An SDF contains all or a subset of the signatures supported by Cisco IPS.
• The IPS loads the signatures contained in the SDF and scans incoming traffic for matching signatures.
• The IPS enforces the policy defined in the signature action.
• Cisco IPS uses the SDF to populate internal tables with the information necessary to detect each signature.
• The SDF can be saved in the router's flash memory.
• SDFs are downloaded from cisco.com.
• Two pre-built SDFs:
–256MB.sdf
–128MB.sdf
Issues to Consider:
• Memory use and performance impact
• Limited persistent storage
• CPU-intensive
• Updated signature coverage
• More than 1500 common attacks
Configuration Tasks:
• Install Cisco IOS Firewall IPS on the router:
–Specify the location of the SDF.
–Create an IPS rule.
–Attach a policy to a signature (optional).
–Apply the IPS rule to an interface.
–Configure logging via syslog or SDEE.
–Verify the configuration.
Configure SDEE and HTTPS Server on the Cisco ISR:
Tune Signature in Cisco Configuration Professional:
Configure Event Action Override:
Configure Event Action Filter:
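The Event Risk Rating, Event Action Override and Event Action Filter slides above are image-only and did not survive extraction. As an added example (not code from the slides or from Cisco), the following Python model shows how the three pieces fit together: a signature carries its own actions (the Alarm/Reset/Drop/Deny* set listed earlier), an override adds an action to any event whose Risk Rating falls in a configured range, and a filter subtracts actions from events that match its criteria. The Risk Rating formula RR = (ASR × SFR × TVR) / 10000 and the ASR/TVR value tables follow Cisco IPS documentation; the signatures, addresses and tuning policy are constructed for illustration.

```python
"""Cisco IOS IPS-style event handling: Risk Rating, Event Action Override, Event Action Filter.

Added example, not code from the slides or from Cisco. Models how a signature's
configured actions, an override keyed on the Risk Rating, and a filter that
subtracts actions combine into the final action set for one event. The ASR/TVR
tables follow Cisco IPS documentation; signatures, addresses and the policy are
constructed for illustration.
"""
import ipaddress
from dataclasses import dataclass
from typing import FrozenSet, Optional, Set, Tuple

# Attack Severity Rating (ASR) per signature severity level.
ASR = {"informational": 25, "low": 50, "medium": 75, "high": 100}
# Target Value Rating (TVR) per asset value; "medium" applies when no value is set.
TVR = {"zero": 50, "low": 75, "medium": 100, "high": 150, "mission-critical": 200}


def risk_rating(severity: str, fidelity: int, target_value: str = "medium") -> int:
    """Risk Rating = (ASR * SFR * TVR) / 10000, truncated and capped at 100.

    SFR is the Signature Fidelity Rating (0-100): how confident the signature is
    that a match really is the attack it describes.
    """
    if not 0 <= fidelity <= 100:
        raise ValueError("SFR must be in 0..100")
    return min((ASR[severity] * fidelity * TVR[target_value]) // 10000, 100)


@dataclass(frozen=True)
class Signature:
    sig_id: int
    name: str
    severity: str
    fidelity: int
    actions: FrozenSet[str]        # actions configured on the signature itself


@dataclass(frozen=True)
class Event:
    signature: Signature
    attacker: str
    victim: str
    target_value: str = "medium"   # TVR of the victim host


@dataclass(frozen=True)
class Override:
    """Event Action Override: add an action to every event whose RR is in range."""
    action: str
    min_rr: int
    max_rr: int


@dataclass(frozen=True)
class Filter:
    """Event Action Filter: remove actions from events matching all given criteria."""
    subtract: FrozenSet[str]
    sig_ids: Optional[FrozenSet[int]] = None
    attacker_net: Optional[str] = None
    victim_net: Optional[str] = None
    min_rr: int = 0
    max_rr: int = 100

    def matches(self, ev: Event, rr: int) -> bool:
        if self.sig_ids is not None and ev.signature.sig_id not in self.sig_ids:
            return False
        for net, ip in ((self.attacker_net, ev.attacker), (self.victim_net, ev.victim)):
            if net and ipaddress.ip_address(ip) not in ipaddress.ip_network(net):
                return False
        return self.min_rr <= rr <= self.max_rr


def evaluate(ev: Event, overrides, filters) -> Tuple[int, Set[str]]:
    """Signature actions, plus override actions, minus filtered actions."""
    rr = risk_rating(ev.signature.severity, ev.signature.fidelity, ev.target_value)
    actions = set(ev.signature.actions)
    for o in overrides:
        if o.min_rr <= rr <= o.max_rr:
            actions.add(o.action)
    for f in filters:
        if f.matches(ev, rr):
            actions -= f.subtract
    return rr, actions


# Constructed policy: alarm on everything, drop only high-risk events, and never
# drop traffic from the internal vulnerability-scanner subnet (it still alarms).
SIG_PING = Signature(1001, "ICMP echo request (constructed)", "informational", 100, frozenset({"Alarm"}))
SIG_EXPLOIT = Signature(2002, "HTTP server exploit attempt (constructed)", "high", 90, frozenset({"Alarm"}))
OVERRIDES = [Override("Drop", 90, 100)]
FILTERS = [Filter(subtract=frozenset({"Drop", "DenyAttackerInline"}), attacker_net="10.10.5.0/24")]


def demo():
    external, scanner, server = "198.51.100.7", "10.10.5.3", "10.0.0.20"
    return {
        "exploit_from_outside": evaluate(Event(SIG_EXPLOIT, external, server), OVERRIDES, FILTERS),
        "exploit_from_scanner": evaluate(Event(SIG_EXPLOIT, scanner, server), OVERRIDES, FILTERS),
        "ping_from_outside": evaluate(Event(SIG_PING, external, server), OVERRIDES, FILTERS),
        "exploit_vs_low_value_host": evaluate(Event(SIG_EXPLOIT, external, server, "zero"), OVERRIDES, FILTERS),
    }


if __name__ == "__main__":
    for label, (rr, actions) in demo().items():
        print(f"{label:28s} RR={rr:3d} actions={sorted(actions)}")
```

Two things worth noticing when tuning: the same high-fidelity signature drops out of the Drop override once the victim's Target Value Rating is lowered (RR falls from 90 to 45), and a filter only subtracts actions, so the scanner subnet still produces an Alarm and never silently disappears from SDEE or syslog.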
Network Address Translation (NAT):
NAT Types:
• Static NAT Example:
• Dynamic NAT Example:
• PAT Example:
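The static NAT, dynamic NAT and PAT examples above are image slides that did not survive extraction. As an added example (not code from the slides or from Cisco IOS), the following Python simulation builds the translation table each NAT type keeps and runs the same constructed traffic through all three, so the behavioural difference is visible: a static mapping answers unsolicited inbound packets (the inside host is reachable from outside), a dynamic pool can be exhausted, and PAT multiplexes many hosts on one address by port and drops inbound packets that match no existing entry. All addresses are constructed (RFC 1918 inside, 203.0.113.0/24 and 198.51.100.0/24 documentation ranges outside); the port-preservation rule in the PAT class is this simulation's choice, not a statement about IOS.

```python
"""Static NAT, dynamic NAT and PAT as translation tables.

Added example, not code from the slides or from Cisco IOS: a simulation of the
three NAT types, showing how each builds its translation table and which
inbound packets it can deliver. Addresses are constructed (RFC 1918 inside,
203.0.113.0/24 and 198.51.100.0/24 documentation ranges outside).
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Flow:
    """One packet's addressing as seen by the NAT router."""
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


class StaticNat:
    """Permanent one-to-one inside/outside bindings. Inbound needs no prior
    outbound traffic, so a statically translated host is reachable from outside."""

    def __init__(self, bindings: Dict[str, str]):
        self.in2out = dict(bindings)
        self.out2in = {outside: inside for inside, outside in bindings.items()}

    def outbound(self, f: Flow) -> Optional[Flow]:
        outside = self.in2out.get(f.src_ip)
        return None if outside is None else Flow(outside, f.src_port, f.dst_ip, f.dst_port)

    def inbound(self, f: Flow) -> Optional[Flow]:
        inside = self.out2in.get(f.dst_ip)
        return None if inside is None else Flow(f.src_ip, f.src_port, inside, f.dst_port)


class DynamicNat(StaticNat):
    """Outside addresses from a pool, bound one-to-one on first outbound use.
    When the pool is exhausted, further inside hosts cannot be translated."""

    def __init__(self, pool: List[str]):
        super().__init__({})
        self.free = list(pool)

    def outbound(self, f: Flow) -> Optional[Flow]:
        if f.src_ip not in self.in2out:
            if not self.free:
                return None                      # pool exhausted: packet is dropped
            outside = self.free.pop(0)
            self.in2out[f.src_ip] = outside
            self.out2in[outside] = f.src_ip
        return super().outbound(f)


class Pat:
    """Port Address Translation (overload): many inside hosts share one outside
    address, distinguished by the translated source port."""

    def __init__(self, outside_ip: str, first_port: int = 1024):
        self.outside_ip = outside_ip
        self.next_port = first_port
        self.table: Dict[Tuple[str, int], int] = {}    # (inside ip, port) -> outside port
        self.reverse: Dict[int, Tuple[str, int]] = {}  # outside port -> (inside ip, port)

    def _alloc_port(self) -> int:
        while self.next_port in self.reverse:
            self.next_port += 1
        if self.next_port > 65535:
            raise RuntimeError("PAT port space exhausted")
        port, self.next_port = self.next_port, self.next_port + 1
        return port

    def outbound(self, f: Flow) -> Flow:
        key = (f.src_ip, f.src_port)
        if key not in self.table:
            # Simulation policy: keep the original source port while it is free,
            # otherwise allocate the next unused port.
            port = f.src_port if f.src_port not in self.reverse else self._alloc_port()
            self.table[key] = port
            self.reverse[port] = key
        return Flow(self.outside_ip, self.table[key], f.dst_ip, f.dst_port)

    def inbound(self, f: Flow) -> Optional[Flow]:
        """Only packets for an outside port already in the table are delivered;
        unsolicited inbound connections have no entry and are dropped."""
        if f.dst_ip != self.outside_ip or f.dst_port not in self.reverse:
            return None
        inside_ip, inside_port = self.reverse[f.dst_port]
        return Flow(f.src_ip, f.src_port, inside_ip, inside_port)


def demo() -> dict:
    """Run the same constructed traffic through each NAT type."""
    web = "198.51.100.80"
    static = StaticNat({"10.1.1.10": "203.0.113.10"})
    dyn = DynamicNat(["203.0.113.20", "203.0.113.21"])
    pat = Pat("203.0.113.1")
    pat_a = pat.outbound(Flow("10.1.1.11", 40000, web, 80))
    pat_b = pat.outbound(Flow("10.1.1.12", 40000, web, 80))   # same inside port, new outside port
    return {
        "static_out": static.outbound(Flow("10.1.1.10", 40000, web, 80)).src_ip,
        "static_unsolicited_in": static.inbound(Flow("198.51.100.9", 5555, "203.0.113.10", 22)).dst_ip,
        "dyn_first": dyn.outbound(Flow("10.1.1.11", 40001, web, 80)).src_ip,
        "dyn_second": dyn.outbound(Flow("10.1.1.12", 40002, web, 80)).src_ip,
        "dyn_third": dyn.outbound(Flow("10.1.1.13", 40003, web, 80)),
        "pat_ports": (pat_a.src_port, pat_b.src_port),
        "pat_reply_to_b": pat.inbound(Flow(web, 80, "203.0.113.1", pat_b.src_port)).dst_ip,
        "pat_unsolicited_in": pat.inbound(Flow("198.51.100.9", 5555, "203.0.113.1", 22)),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k:22s} {v}")
```

The security-relevant contrast is in the two inbound cases: the static mapping delivers a packet to port 22 of the inside host with no prior state, which is why static translations are reserved for hosts meant to be reachable and are normally paired with an ACL or zone policy, whereas PAT has no entry for the same packet and discards it. The dynamic pool also shows why pool sizing matters operationally: once both addresses are bound, the third inside host gets no translation at all.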
After Implementing Mitigation Techniques:

More Related Content

What's hot

Juniper SRX
Juniper SRX Juniper SRX
Juniper SRX
Niasta Learning
 
VPN, Its Types,VPN Protocols,Configuration and Benefits
VPN, Its Types,VPN Protocols,Configuration and BenefitsVPN, Its Types,VPN Protocols,Configuration and Benefits
VPN, Its Types,VPN Protocols,Configuration and Benefits
qaisar17
 
VPN presentation - moeshesh
VPN presentation - moesheshVPN presentation - moeshesh
VPN presentation - moeshesh
Mohamed Shishtawy
 
Fortinet
FortinetFortinet
Fortinet
ABEP123
 
CCNA 1 Routing and Switching v5.0 Chapter 4
CCNA 1 Routing and Switching v5.0 Chapter 4CCNA 1 Routing and Switching v5.0 Chapter 4
CCNA 1 Routing and Switching v5.0 Chapter 4
Nil Menon
 
Ccnp3 lab 3_4_en
Ccnp3 lab 3_4_enCcnp3 lab 3_4_en
Ccnp3 lab 3_4_en
Omar Herrera
 
CCNP Switching Chapter 5
CCNP Switching Chapter 5CCNP Switching Chapter 5
CCNP Switching Chapter 5
Chaing Ravuth
 
Ccna PPT
Ccna PPTCcna PPT
Ccna PPT
AIRTEL
 
Overview of the Cyber Kill Chain [TM]
Overview of the Cyber Kill Chain [TM]Overview of the Cyber Kill Chain [TM]
Overview of the Cyber Kill Chain [TM]
David Sweigert
 
ISE-CiscoLive.pdf
ISE-CiscoLive.pdfISE-CiscoLive.pdf
ISE-CiscoLive.pdf
ssuserf4db0a
 
WTF is Penetration Testing v.2
WTF is Penetration Testing v.2WTF is Penetration Testing v.2
WTF is Penetration Testing v.2
Scott Sutherland
 
01- intro to firewall concepts
01- intro to firewall concepts01- intro to firewall concepts
01- intro to firewall concepts
Mostafa El Lathy
 
Wi-fi Hacking
Wi-fi HackingWi-fi Hacking
Wi-fi Hacking
Paul Gillingwater, MBA
 
Why Everyone Needs a Cloud-First Security Program - SASEfaction Guaranteed!
Why Everyone Needs a Cloud-First  Security Program - SASEfaction Guaranteed!Why Everyone Needs a Cloud-First  Security Program - SASEfaction Guaranteed!
Why Everyone Needs a Cloud-First Security Program - SASEfaction Guaranteed!
Netskope
 
VPN (virtual private network)
VPN (virtual private network) VPN (virtual private network)
VPN (virtual private network)
Netwax Lab
 
Putting Firepower Into The Next Generation Firewall
Putting Firepower Into The Next Generation FirewallPutting Firepower Into The Next Generation Firewall
Putting Firepower Into The Next Generation Firewall
Cisco Canada
 
Demystifying TrustSec, Identity, NAC and ISE
Demystifying TrustSec, Identity, NAC and ISEDemystifying TrustSec, Identity, NAC and ISE
Demystifying TrustSec, Identity, NAC and ISE
Cisco Canada
 
SD WAN
SD WANSD WAN
SD WAN
Bri Molina
 
CCNAv5 - S4: Chapter 1 Hierarchical Network Design
CCNAv5 - S4: Chapter 1 Hierarchical Network DesignCCNAv5 - S4: Chapter 1 Hierarchical Network Design
CCNAv5 - S4: Chapter 1 Hierarchical Network Design
Vuz Dở Hơi
 
VPN - Virtual Private Network
VPN - Virtual Private NetworkVPN - Virtual Private Network
VPN - Virtual Private Network
Peter R. Egli
 

What's hot (20)

Juniper SRX
Juniper SRX Juniper SRX
Juniper SRX
 
VPN, Its Types,VPN Protocols,Configuration and Benefits
VPN, Its Types,VPN Protocols,Configuration and BenefitsVPN, Its Types,VPN Protocols,Configuration and Benefits
VPN, Its Types,VPN Protocols,Configuration and Benefits
 
VPN presentation - moeshesh
VPN presentation - moesheshVPN presentation - moeshesh
VPN presentation - moeshesh
 
Fortinet
FortinetFortinet
Fortinet
 
CCNA 1 Routing and Switching v5.0 Chapter 4
CCNA 1 Routing and Switching v5.0 Chapter 4CCNA 1 Routing and Switching v5.0 Chapter 4
CCNA 1 Routing and Switching v5.0 Chapter 4
 
Ccnp3 lab 3_4_en
Ccnp3 lab 3_4_enCcnp3 lab 3_4_en
Ccnp3 lab 3_4_en
 
CCNP Switching Chapter 5
CCNP Switching Chapter 5CCNP Switching Chapter 5
CCNP Switching Chapter 5
 
Ccna PPT
Ccna PPTCcna PPT
Ccna PPT
 
Overview of the Cyber Kill Chain [TM]
Overview of the Cyber Kill Chain [TM]Overview of the Cyber Kill Chain [TM]
Overview of the Cyber Kill Chain [TM]
 
ISE-CiscoLive.pdf
ISE-CiscoLive.pdfISE-CiscoLive.pdf
ISE-CiscoLive.pdf
 
WTF is Penetration Testing v.2
WTF is Penetration Testing v.2WTF is Penetration Testing v.2
WTF is Penetration Testing v.2
 
01- intro to firewall concepts
01- intro to firewall concepts01- intro to firewall concepts
01- intro to firewall concepts
 
Wi-fi Hacking
Wi-fi HackingWi-fi Hacking
Wi-fi Hacking
 
Why Everyone Needs a Cloud-First Security Program - SASEfaction Guaranteed!
Why Everyone Needs a Cloud-First  Security Program - SASEfaction Guaranteed!Why Everyone Needs a Cloud-First  Security Program - SASEfaction Guaranteed!
Why Everyone Needs a Cloud-First Security Program - SASEfaction Guaranteed!
 
VPN (virtual private network)
VPN (virtual private network) VPN (virtual private network)
VPN (virtual private network)
 
Putting Firepower Into The Next Generation Firewall
Putting Firepower Into The Next Generation FirewallPutting Firepower Into The Next Generation Firewall
Putting Firepower Into The Next Generation Firewall
 
Demystifying TrustSec, Identity, NAC and ISE
Demystifying TrustSec, Identity, NAC and ISEDemystifying TrustSec, Identity, NAC and ISE
Demystifying TrustSec, Identity, NAC and ISE
 
SD WAN
SD WANSD WAN
SD WAN
 
CCNAv5 - S4: Chapter 1 Hierarchical Network Design
CCNAv5 - S4: Chapter 1 Hierarchical Network DesignCCNAv5 - S4: Chapter 1 Hierarchical Network Design
CCNAv5 - S4: Chapter 1 Hierarchical Network Design
 
VPN - Virtual Private Network
VPN - Virtual Private NetworkVPN - Virtual Private Network
VPN - Virtual Private Network
 

Viewers also liked

Cisco ASA Firewall Lab WorkBook
Cisco ASA Firewall Lab WorkBookCisco ASA Firewall Lab WorkBook
Cisco ASA Firewall Lab WorkBook
RHC Technologies
 
1-300-206 (SENSS)=Firewall (642-618)
1-300-206 (SENSS)=Firewall (642-618) 1-300-206 (SENSS)=Firewall (642-618)
1-300-206 (SENSS)=Firewall (642-618)
Mohmed Abou Elenein Attia
 
Hr interview questions and answers for senior executives
Hr interview questions and answers for senior executivesHr interview questions and answers for senior executives
Hr interview questions and answers for senior executives
Mohmed Abou Elenein Attia
 
CCNP Security-IPS
CCNP Security-IPSCCNP Security-IPS
CCNP Security-IPS
mohannadalhanahnah
 
CCNP Security SIMOS 300-209=vpn 642-648
CCNP Security SIMOS 300-209=vpn 642-648CCNP Security SIMOS 300-209=vpn 642-648
CCNP Security SIMOS 300-209=vpn 642-648
Mohmed Abou Elenein Attia
 
Cisco asa cx firwewall
Cisco asa cx firwewallCisco asa cx firwewall
Cisco asa cx firwewall
Anwesh Dixit
 
Инфографика. Программы-вымогатели: реальное положение вещей
Инфографика. Программы-вымогатели: реальное положение вещейИнфографика. Программы-вымогатели: реальное положение вещей
Инфографика. Программы-вымогатели: реальное положение вещей
Cisco Russia
 
ASA Multiple Context Training
ASA Multiple Context TrainingASA Multiple Context Training
ASA Multiple Context Training
Tariq Bader
 
NAT in ASA Firewall
NAT in ASA FirewallNAT in ASA Firewall
NAT in ASA Firewall
NetProtocol Xpert
 
Cisco ASA Firewalls
Cisco ASA FirewallsCisco ASA Firewalls
Cisco ASA Firewalls
Bryley Systems Inc.
 
Understanding and Troubleshooting ASA NAT
Understanding and Troubleshooting ASA NATUnderstanding and Troubleshooting ASA NAT
Understanding and Troubleshooting ASA NAT
Cisco Russia
 
Using packet-tracer, capture and other Cisco ASA tools for network troublesho...
Using packet-tracer, capture and other Cisco ASA tools for network troublesho...Using packet-tracer, capture and other Cisco ASA tools for network troublesho...
Using packet-tracer, capture and other Cisco ASA tools for network troublesho...
Cisco Russia
 
Cisco Router and Switch Security Hardening Guide
Cisco Router and Switch Security Hardening GuideCisco Router and Switch Security Hardening Guide
Cisco Router and Switch Security Hardening Guide
Harris Andrea
 

Viewers also liked (13)

Cisco ASA Firewall Lab WorkBook
Cisco ASA Firewall Lab WorkBookCisco ASA Firewall Lab WorkBook
Cisco ASA Firewall Lab WorkBook
 
1-300-206 (SENSS)=Firewall (642-618)
1-300-206 (SENSS)=Firewall (642-618) 1-300-206 (SENSS)=Firewall (642-618)
1-300-206 (SENSS)=Firewall (642-618)
 
Hr interview questions and answers for senior executives
Hr interview questions and answers for senior executivesHr interview questions and answers for senior executives
Hr interview questions and answers for senior executives
 
CCNP Security-IPS
CCNP Security-IPSCCNP Security-IPS
CCNP Security-IPS
 
CCNP Security SIMOS 300-209=vpn 642-648
CCNP Security SIMOS 300-209=vpn 642-648CCNP Security SIMOS 300-209=vpn 642-648
CCNP Security SIMOS 300-209=vpn 642-648
 
Cisco asa cx firwewall
Cisco asa cx firwewallCisco asa cx firwewall
Cisco asa cx firwewall
 
Инфографика. Программы-вымогатели: реальное положение вещей
Инфографика. Программы-вымогатели: реальное положение вещейИнфографика. Программы-вымогатели: реальное положение вещей
Инфографика. Программы-вымогатели: реальное положение вещей
 
ASA Multiple Context Training
ASA Multiple Context TrainingASA Multiple Context Training
ASA Multiple Context Training
 
NAT in ASA Firewall
NAT in ASA FirewallNAT in ASA Firewall
NAT in ASA Firewall
 
Cisco ASA Firewalls
Cisco ASA FirewallsCisco ASA Firewalls
Cisco ASA Firewalls
 
Understanding and Troubleshooting ASA NAT
Understanding and Troubleshooting ASA NATUnderstanding and Troubleshooting ASA NAT
Understanding and Troubleshooting ASA NAT
 
Using packet-tracer, capture and other Cisco ASA tools for network troublesho...
Using packet-tracer, capture and other Cisco ASA tools for network troublesho...Using packet-tracer, capture and other Cisco ASA tools for network troublesho...
Using packet-tracer, capture and other Cisco ASA tools for network troublesho...
 
Cisco Router and Switch Security Hardening Guide
Cisco Router and Switch Security Hardening GuideCisco Router and Switch Security Hardening Guide
Cisco Router and Switch Security Hardening Guide
 

Similar to CCNP Security-Secure

Chapter 6 overview
Chapter 6 overviewChapter 6 overview
Chapter 6 overview
ali raza
 
CCNASecurity v2 Overview Presentation .pdf
CCNASecurity v2 Overview Presentation .pdfCCNASecurity v2 Overview Presentation .pdf
CCNASecurity v2 Overview Presentation .pdf
AngelBaspineiroValve
 
7256 ccna security_chapter_8_vpn_dl3_oz_20130409031455
7256 ccna security_chapter_8_vpn_dl3_oz_201304090314557256 ccna security_chapter_8_vpn_dl3_oz_20130409031455
7256 ccna security_chapter_8_vpn_dl3_oz_20130409031455
ytrui
 
Текториал по тематике информационной безопасности
Текториал по тематике информационной безопасности Текториал по тематике информационной безопасности
Текториал по тематике информационной безопасности
Cisco Russia
 
Chapter08
Chapter08Chapter08
Chapter08
Muhammad Ahad
 
Seguridad de las redes informaticas wireless
Seguridad de las redes informaticas wirelessSeguridad de las redes informaticas wireless
Seguridad de las redes informaticas wireless
pkalckbh
 
Ccna security
Ccna security Ccna security
Ccna security
umesh patil
 
Ccna security
Ccna security Ccna security
Ccna security
sanjay joshi
 
Design and Deployment of Enterprise WLANs
Design and Deployment of Enterprise WLANsDesign and Deployment of Enterprise WLANs
Design and Deployment of Enterprise WLANs
Fab Fusaro
 
Slide Deck – Session 9 – FRSecure CISSP
Slide Deck – Session 9 – FRSecure CISSP Slide Deck – Session 9 – FRSecure CISSP
Slide Deck – Session 9 – FRSecure CISSP
FRSecure
 
VMworld 2016: Migrating from a hardware based firewall to NSX to improve perf...
VMworld 2016: Migrating from a hardware based firewall to NSX to improve perf...VMworld 2016: Migrating from a hardware based firewall to NSX to improve perf...
VMworld 2016: Migrating from a hardware based firewall to NSX to improve perf...
VMworld
 
Chapter 9 lab a security policy development and implementation (instructor ve...
Chapter 9 lab a security policy development and implementation (instructor ve...Chapter 9 lab a security policy development and implementation (instructor ve...
Chapter 9 lab a security policy development and implementation (instructor ve...
wosborne03
 
Most Advanced Cybersecurity, Network Security Training - Tonex Training
Most Advanced Cybersecurity, Network Security Training - Tonex TrainingMost Advanced Cybersecurity, Network Security Training - Tonex Training
Most Advanced Cybersecurity, Network Security Training - Tonex Training
Bryan Len
 
CCNA_RSE_Chp4 and their working principles.pptx
CCNA_RSE_Chp4 and their working principles.pptxCCNA_RSE_Chp4 and their working principles.pptx
CCNA_RSE_Chp4 and their working principles.pptx
ParthaDas754073
 
6421 b Module-09
6421 b Module-096421 b Module-09
6421 b Module-09
Bibekananada Jena
 
Symantec’s View of the Current State of ECDSA on the Web
Symantec’s View of the Current State of ECDSA on the WebSymantec’s View of the Current State of ECDSA on the Web
Symantec’s View of the Current State of ECDSA on the Web
CASCouncil
 
Ccna security
Ccna securityCcna security
Ccna security
dkaya
 
Pristine rina-security-icc-2016
Pristine rina-security-icc-2016Pristine rina-security-icc-2016
Pristine rina-security-icc-2016
ICT PRISTINE
 
Ccnp
CcnpCcnp
Vp ns
Vp nsVp ns

Similar to CCNP Security-Secure (20)

Chapter 6 overview
Chapter 6 overviewChapter 6 overview
Chapter 6 overview
 
CCNASecurity v2 Overview Presentation .pdf
CCNASecurity v2 Overview Presentation .pdfCCNASecurity v2 Overview Presentation .pdf
CCNASecurity v2 Overview Presentation .pdf
 
7256 ccna security_chapter_8_vpn_dl3_oz_20130409031455
7256 ccna security_chapter_8_vpn_dl3_oz_201304090314557256 ccna security_chapter_8_vpn_dl3_oz_20130409031455
7256 ccna security_chapter_8_vpn_dl3_oz_20130409031455
 
Текториал по тематике информационной безопасности
Текториал по тематике информационной безопасности Текториал по тематике информационной безопасности
Текториал по тематике информационной безопасности
 
Chapter08
Chapter08Chapter08
Chapter08
 
Seguridad de las redes informaticas wireless
Seguridad de las redes informaticas wirelessSeguridad de las redes informaticas wireless
Seguridad de las redes informaticas wireless
 
Ccna security
Ccna security Ccna security
Ccna security
 
Ccna security
Ccna security Ccna security
Ccna security
 
Design and Deployment of Enterprise WLANs
Design and Deployment of Enterprise WLANsDesign and Deployment of Enterprise WLANs
Design and Deployment of Enterprise WLANs
 
Slide Deck – Session 9 – FRSecure CISSP
Slide Deck – Session 9 – FRSecure CISSP Slide Deck – Session 9 – FRSecure CISSP
Slide Deck – Session 9 – FRSecure CISSP
 
VMworld 2016: Migrating from a hardware based firewall to NSX to improve perf...
VMworld 2016: Migrating from a hardware based firewall to NSX to improve perf...VMworld 2016: Migrating from a hardware based firewall to NSX to improve perf...
VMworld 2016: Migrating from a hardware based firewall to NSX to improve perf...
 
Chapter 9 lab a security policy development and implementation (instructor ve...
Chapter 9 lab a security policy development and implementation (instructor ve...Chapter 9 lab a security policy development and implementation (instructor ve...
Chapter 9 lab a security policy development and implementation (instructor ve...
 
Most Advanced Cybersecurity, Network Security Training - Tonex Training
Most Advanced Cybersecurity, Network Security Training - Tonex TrainingMost Advanced Cybersecurity, Network Security Training - Tonex Training
Most Advanced Cybersecurity, Network Security Training - Tonex Training
 
CCNA_RSE_Chp4 and their working principles.pptx
CCNA_RSE_Chp4 and their working principles.pptxCCNA_RSE_Chp4 and their working principles.pptx
CCNA_RSE_Chp4 and their working principles.pptx
 
6421 b Module-09
6421 b Module-096421 b Module-09
6421 b Module-09
 
Symantec’s View of the Current State of ECDSA on the Web
Symantec’s View of the Current State of ECDSA on the WebSymantec’s View of the Current State of ECDSA on the Web
Symantec’s View of the Current State of ECDSA on the Web
 
Ccna security
Ccna securityCcna security
Ccna security
 
Pristine rina-security-icc-2016
Pristine rina-security-icc-2016Pristine rina-security-icc-2016
Pristine rina-security-icc-2016
 
Ccnp
CcnpCcnp
Ccnp
 
Vp ns
Vp nsVp ns
Vp ns
 

Recently uploaded

Freshworks Rethinks NoSQL for Rapid Scaling & Cost-Efficiency
Freshworks Rethinks NoSQL for Rapid Scaling & Cost-EfficiencyFreshworks Rethinks NoSQL for Rapid Scaling & Cost-Efficiency
Freshworks Rethinks NoSQL for Rapid Scaling & Cost-Efficiency
ScyllaDB
 
9 CEO's who hit $100m ARR Share Their Top Growth Tactics Nathan Latka, Founde...
9 CEO's who hit $100m ARR Share Their Top Growth Tactics Nathan Latka, Founde...9 CEO's who hit $100m ARR Share Their Top Growth Tactics Nathan Latka, Founde...
9 CEO's who hit $100m ARR Share Their Top Growth Tactics Nathan Latka, Founde...
saastr
 
Deep Dive: AI-Powered Marketing to Get More Leads and Customers with HyperGro...
Deep Dive: AI-Powered Marketing to Get More Leads and Customers with HyperGro...Deep Dive: AI-Powered Marketing to Get More Leads and Customers with HyperGro...
Deep Dive: AI-Powered Marketing to Get More Leads and Customers with HyperGro...
saastr
 
Nordic Marketo Engage User Group_June 13_ 2024.pptx
Nordic Marketo Engage User Group_June 13_ 2024.pptxNordic Marketo Engage User Group_June 13_ 2024.pptx
Nordic Marketo Engage User Group_June 13_ 2024.pptx
MichaelKnudsen27
 
Dandelion Hashtable: beyond billion requests per second on a commodity server
Dandelion Hashtable: beyond billion requests per second on a commodity serverDandelion Hashtable: beyond billion requests per second on a commodity server
Dandelion Hashtable: beyond billion requests per second on a commodity server
Antonios Katsarakis
 
Biomedical Knowledge Graphs for Data Scientists and Bioinformaticians
Biomedical Knowledge Graphs for Data Scientists and BioinformaticiansBiomedical Knowledge Graphs for Data Scientists and Bioinformaticians
Biomedical Knowledge Graphs for Data Scientists and Bioinformaticians
Neo4j
 
Introduction of Cybersecurity with OSS at Code Europe 2024
Introduction of Cybersecurity with OSS  at Code Europe 2024Introduction of Cybersecurity with OSS  at Code Europe 2024
Introduction of Cybersecurity with OSS at Code Europe 2024
Hiroshi SHIBATA
 
GraphRAG for LifeSciences Hands-On with the Clinical Knowledge Graph
GraphRAG for LifeSciences Hands-On with the Clinical Knowledge GraphGraphRAG for LifeSciences Hands-On with the Clinical Knowledge Graph
GraphRAG for LifeSciences Hands-On with the Clinical Knowledge Graph
Neo4j
 
June Patch Tuesday
June Patch TuesdayJune Patch Tuesday
June Patch Tuesday
Ivanti
 
WeTestAthens: Postman's AI & Automation Techniques
WeTestAthens: Postman's AI & Automation TechniquesWeTestAthens: Postman's AI & Automation Techniques
WeTestAthens: Postman's AI & Automation Techniques
Postman
 
Connector Corner: Seamlessly power UiPath Apps, GenAI with prebuilt connectors
Connector Corner: Seamlessly power UiPath Apps, GenAI with prebuilt connectorsConnector Corner: Seamlessly power UiPath Apps, GenAI with prebuilt connectors
Connector Corner: Seamlessly power UiPath Apps, GenAI with prebuilt connectors
DianaGray10
 
Energy Efficient Video Encoding for Cloud and Edge Computing Instances
Energy Efficient Video Encoding for Cloud and Edge Computing InstancesEnergy Efficient Video Encoding for Cloud and Edge Computing Instances
Energy Efficient Video Encoding for Cloud and Edge Computing Instances
Alpen-Adria-Universität
 
Public CyberSecurity Awareness Presentation 2024.pptx
Public CyberSecurity Awareness Presentation 2024.pptxPublic CyberSecurity Awareness Presentation 2024.pptx
Public CyberSecurity Awareness Presentation 2024.pptx
marufrahmanstratejm
 
JavaLand 2024: Application Development Green Masterplan
JavaLand 2024: Application Development Green MasterplanJavaLand 2024: Application Development Green Masterplan
JavaLand 2024: Application Development Green Masterplan
Miro Wengner
 
Monitoring and Managing Anomaly Detection on OpenShift.pdf
Monitoring and Managing Anomaly Detection on OpenShift.pdfMonitoring and Managing Anomaly Detection on OpenShift.pdf
Monitoring and Managing Anomaly Detection on OpenShift.pdf
Tosin Akinosho
 
HCL Notes and Domino License Cost Reduction in the World of DLAU
HCL Notes and Domino License Cost Reduction in the World of DLAUHCL Notes and Domino License Cost Reduction in the World of DLAU
HCL Notes and Domino License Cost Reduction in the World of DLAU
panagenda
 
Building Production Ready Search Pipelines with Spark and Milvus
Building Production Ready Search Pipelines with Spark and MilvusBuilding Production Ready Search Pipelines with Spark and Milvus
Building Production Ready Search Pipelines with Spark and Milvus
Zilliz
 
Skybuffer SAM4U tool for SAP license adoption
Skybuffer SAM4U tool for SAP license adoptionSkybuffer SAM4U tool for SAP license adoption
Skybuffer SAM4U tool for SAP license adoption
Tatiana Kojar
 
“How Axelera AI Uses Digital Compute-in-memory to Deliver Fast and Energy-eff...
“How Axelera AI Uses Digital Compute-in-memory to Deliver Fast and Energy-eff...“How Axelera AI Uses Digital Compute-in-memory to Deliver Fast and Energy-eff...
“How Axelera AI Uses Digital Compute-in-memory to Deliver Fast and Energy-eff...
Edge AI and Vision Alliance
 
zkStudyClub - LatticeFold: A Lattice-based Folding Scheme and its Application...
zkStudyClub - LatticeFold: A Lattice-based Folding Scheme and its Application...zkStudyClub - LatticeFold: A Lattice-based Folding Scheme and its Application...
zkStudyClub - LatticeFold: A Lattice-based Folding Scheme and its Application...
Alex Pruden
 

Recently uploaded (20)

Freshworks Rethinks NoSQL for Rapid Scaling & Cost-Efficiency
Freshworks Rethinks NoSQL for Rapid Scaling & Cost-EfficiencyFreshworks Rethinks NoSQL for Rapid Scaling & Cost-Efficiency
Freshworks Rethinks NoSQL for Rapid Scaling & Cost-Efficiency
 
9 CEO's who hit $100m ARR Share Their Top Growth Tactics Nathan Latka, Founde...
9 CEO's who hit $100m ARR Share Their Top Growth Tactics Nathan Latka, Founde...9 CEO's who hit $100m ARR Share Their Top Growth Tactics Nathan Latka, Founde...
9 CEO's who hit $100m ARR Share Their Top Growth Tactics Nathan Latka, Founde...
 
Deep Dive: AI-Powered Marketing to Get More Leads and Customers with HyperGro...
Deep Dive: AI-Powered Marketing to Get More Leads and Customers with HyperGro...Deep Dive: AI-Powered Marketing to Get More Leads and Customers with HyperGro...
Deep Dive: AI-Powered Marketing to Get More Leads and Customers with HyperGro...
 
Nordic Marketo Engage User Group_June 13_ 2024.pptx
Nordic Marketo Engage User Group_June 13_ 2024.pptxNordic Marketo Engage User Group_June 13_ 2024.pptx
Nordic Marketo Engage User Group_June 13_ 2024.pptx
 
Dandelion Hashtable: beyond billion requests per second on a commodity server
Dandelion Hashtable: beyond billion requests per second on a commodity serverDandelion Hashtable: beyond billion requests per second on a commodity server
Dandelion Hashtable: beyond billion requests per second on a commodity server
 
Biomedical Knowledge Graphs for Data Scientists and Bioinformaticians
Biomedical Knowledge Graphs for Data Scientists and BioinformaticiansBiomedical Knowledge Graphs for Data Scientists and Bioinformaticians
Biomedical Knowledge Graphs for Data Scientists and Bioinformaticians
 
Introduction of Cybersecurity with OSS at Code Europe 2024
Introduction of Cybersecurity with OSS  at Code Europe 2024Introduction of Cybersecurity with OSS  at Code Europe 2024
Introduction of Cybersecurity with OSS at Code Europe 2024
 
GraphRAG for LifeSciences Hands-On with the Clinical Knowledge Graph
GraphRAG for LifeSciences Hands-On with the Clinical Knowledge GraphGraphRAG for LifeSciences Hands-On with the Clinical Knowledge Graph
GraphRAG for LifeSciences Hands-On with the Clinical Knowledge Graph
 
June Patch Tuesday
June Patch TuesdayJune Patch Tuesday
June Patch Tuesday
 
WeTestAthens: Postman's AI & Automation Techniques
WeTestAthens: Postman's AI & Automation TechniquesWeTestAthens: Postman's AI & Automation Techniques
WeTestAthens: Postman's AI & Automation Techniques
 
Connector Corner: Seamlessly power UiPath Apps, GenAI with prebuilt connectors
Connector Corner: Seamlessly power UiPath Apps, GenAI with prebuilt connectorsConnector Corner: Seamlessly power UiPath Apps, GenAI with prebuilt connectors
Connector Corner: Seamlessly power UiPath Apps, GenAI with prebuilt connectors
 
Energy Efficient Video Encoding for Cloud and Edge Computing Instances
Energy Efficient Video Encoding for Cloud and Edge Computing InstancesEnergy Efficient Video Encoding for Cloud and Edge Computing Instances
Energy Efficient Video Encoding for Cloud and Edge Computing Instances
 
Public CyberSecurity Awareness Presentation 2024.pptx
Public CyberSecurity Awareness Presentation 2024.pptxPublic CyberSecurity Awareness Presentation 2024.pptx
Public CyberSecurity Awareness Presentation 2024.pptx
 
JavaLand 2024: Application Development Green Masterplan
JavaLand 2024: Application Development Green MasterplanJavaLand 2024: Application Development Green Masterplan
JavaLand 2024: Application Development Green Masterplan
 
Monitoring and Managing Anomaly Detection on OpenShift.pdf
Monitoring and Managing Anomaly Detection on OpenShift.pdfMonitoring and Managing Anomaly Detection on OpenShift.pdf
Monitoring and Managing Anomaly Detection on OpenShift.pdf
 
HCL Notes and Domino License Cost Reduction in the World of DLAU
HCL Notes and Domino License Cost Reduction in the World of DLAUHCL Notes and Domino License Cost Reduction in the World of DLAU
HCL Notes and Domino License Cost Reduction in the World of DLAU
 
Building Production Ready Search Pipelines with Spark and Milvus
Building Production Ready Search Pipelines with Spark and MilvusBuilding Production Ready Search Pipelines with Spark and Milvus
Building Production Ready Search Pipelines with Spark and Milvus
 
Skybuffer SAM4U tool for SAP license adoption
Skybuffer SAM4U tool for SAP license adoptionSkybuffer SAM4U tool for SAP license adoption
Skybuffer SAM4U tool for SAP license adoption
 
“How Axelera AI Uses Digital Compute-in-memory to Deliver Fast and Energy-eff...
“How Axelera AI Uses Digital Compute-in-memory to Deliver Fast and Energy-eff...“How Axelera AI Uses Digital Compute-in-memory to Deliver Fast and Energy-eff...
“How Axelera AI Uses Digital Compute-in-memory to Deliver Fast and Energy-eff...
 
zkStudyClub - LatticeFold: A Lattice-based Folding Scheme and its Application...
zkStudyClub - LatticeFold: A Lattice-based Folding Scheme and its Application...zkStudyClub - LatticeFold: A Lattice-based Folding Scheme and its Application...
zkStudyClub - LatticeFold: A Lattice-based Folding Scheme and its Application...
 

CCNP Security-Secure

  • 1. These slides taken from the official SECURE guide and Cisco SNRS slides 3/26/2014 Eng. Mohannad Alhanahnah 1 SECURE Agenda: • Network Security Technologies Overview • Routed Data Plane Security • Control Plane Security • Management Plane Security Network Foundation Protection (NFP) 802.1X and Cisco Identity-Based Networking Services (IBNS) Implementing and Configuring Basic 802.1X • Cisco IOS Foundation Security Solutions • Implementing and Configuring NAT • Implementing and Configuring Zone-Based Policy Firewalls • Implementing and Configuring IOS IPS • Cisco IOS Site-to-Site Security Solutions
  • 2. These slides taken from the official SECURE guide and Cisco SNRS slides 3/26/2014 Eng. Mohannad Alhanahnah 2 Overview of the CCNP Security • All four CCNP Security exams required • SECURE – 642-637 • IPS – 642-627 • FIREWALL – 642-618 • VPN – 642-648 • ~90 minutes with 60-70 questions • 60-70 questions • Register with Pearson Vue • http://www.vue.com/cisco • Exam cost is $200.00 US Cisco SAFE • Focuses on the development of good network security designs. • utilizes of the Cisco Security Control Framework (SCF)
  • 3. These slides taken from the official SECURE guide and Cisco SNRS slides 3/26/2014 Eng. Mohannad Alhanahnah 3 • Examples of technologies that are used to help identify include: ■ 802.1x for identity solutions ■ Biometric recognition ■ Routing authentication ■ Secure traffic mechanisms (encryption) ■ Authentication mechanisms, • Examples of technologies that can help monitor this data include • AAA • IDS and IPS • Examples of technologies that can help correlate this data include the following: • MARS • NTP • Examples of technologies that can help harden network elements include: ■ Control plane policing ■ Component redundancy ■ Device/interface redundancy ■ Topology redundancy • Examples of technologies that can isolate specific devices or data include: ■ ACL & VPN ■ Out-of-band management ■ Management traffic encryption ■ Virtual local-area networks (VLAN) • Examples of technologies that can enforce specific policies: ■ IDS and IPS ■ Port security ■ ACLs
  • 4. These slides taken from the official SECURE guide and Cisco SNRS slides 3/26/2014 Eng. Mohannad Alhanahnah 4 Examining Layer 2 Attacks: • The most common types of switched data plane attacks are as follows: ■ VLAN hopping ■ CAM flooding ■ MAC address spoofing ■ STP spoofing ■ DHCP “starvation” ■ DHCP server spoofing ■ ARP spoofing ■ IP spoofing
  • 5. These slides taken from the official SECURE guide and Cisco SNRS slides 3/26/2014 Eng. Mohannad Alhanahnah 5 CAM Table Overflow Attack: Port Security:
  • 6. These slides taken from the official SECURE guide and Cisco SNRS slides 3/26/2014 Eng. Mohannad Alhanahnah 6 Mitigating CAM Table Overflow: 1. Secure MAC Addresses: • Static • Dynamic • Sticky: The sticky secure switch port security classification includes dynamically learned addresses that are automatically added to the running configuration. • Configuration Guidelines: • Only on static access ports • Not on trunk or dynamic access ports • Not on SPAN port • Not on EtherChannel port • Voice VLAN assigned dynamic secure addresses • On port with voice VLAN, set maximum MAC addresses to two plus maximum number of MAC addresses • Dynamic port security enabled on voice VLAN when security enables on access VLAN • Not configurable on per-VLAN basis • No aging of sticky addresses • No simultaneous enabling of protect and restrict options 2. Configuring Port Security:
Verifying Port Security
VLAN Hopping:
• Switch spoofing: the attacker's host negotiates a trunk with a port left in dynamic DTP mode and then has access to every VLAN carried on that trunk.
• Double tagging: a frame carrying two 802.1Q tags is sent across a trunk whose native VLAN is untagged; the first switch strips the outer (native VLAN) tag and the second switch forwards the frame into the VLAN of the inner tag.
Mitigating VLAN Hopping:
• Configure user ports as static access ports, disable DTP negotiation, use an otherwise unused VLAN as the native VLAN on trunks, and prune trunks to the VLANs they actually need.
Spanning Tree Manipulation:
• A host that sends BPDUs with a better bridge priority can become the root bridge, pulling traffic through itself or forcing repeated topology changes.
Mitigating Spanning Tree Manipulation:
• BPDU guard on user-facing PortFast ports, and root guard on ports that must never see a superior BPDU.
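An added example for the two mitigations above (not one of the original slides): an access switch whose user ports cannot negotiate a trunk or inject BPDUs, and whose trunks use an unused native VLAN. Interface ranges, VLAN IDs and the parking VLAN 999 are placeholders.

```cisco
! Added example (not from the slides). Interface ranges, VLAN IDs and the
! unused native/parking VLAN 999 are placeholders.
!
! --- VLAN hopping: switch spoofing (DTP) and double tagging ---
! user ports: static access, DTP off, so no host can negotiate a trunk
interface range GigabitEthernet0/1 - 20
 switchport mode access
 switchport access vlan 10
 switchport nonegotiate
!
! unused ports: shut down and parked in a VLAN that is routed nowhere
interface range GigabitEthernet0/21 - 22
 switchport mode access
 switchport access vlan 999
 shutdown
!
! uplink trunk: explicit mode, DTP off, native VLAN nobody uses,
! explicit allowed list so the trunk carries only what it must
interface GigabitEthernet0/24
 description uplink trunk to distribution
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport nonegotiate
 switchport trunk native vlan 999
 switchport trunk allowed vlan 10,20,110
!
! tag the native VLAN too, so a double-tagged frame cannot ride an
! untagged native VLAN into another VLAN (platform dependent)
vlan dot1q tag native
!
! --- STP manipulation ---
! PortFast + BPDU guard on every user port: a BPDU from a host
! err-disables the port instead of letting it join the topology
spanning-tree portfast default
spanning-tree portfast bpduguard default
interface range GigabitEthernet0/1 - 20
 spanning-tree portfast
 spanning-tree bpduguard enable
!
! root guard on a downlink toward another access switch: a superior BPDU
! puts that port in root-inconsistent state rather than moving the root.
! (do NOT put root guard on the uplink toward the real root)
interface GigabitEthernet0/23
 description downlink to access switch B
 spanning-tree guard root
!
errdisable recovery cause bpduguard
errdisable recovery interval 300
end
!
show interfaces trunk
show spanning-tree inconsistentports
show errdisable recovery
```

On the distribution switch that should be root, pin it explicitly with `spanning-tree vlan 10,20,110 root primary` so that a lower priority from anywhere else is never better than the intended root.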
MAC Spoofing—Man-in-the-Middle Attacks:
• The attacker sends frames with the MAC address of another host, so the switch moves that address in its CAM table to the attacker's port and delivers the victim's traffic there.
DHCP Attacks:
• DHCP starvation: the attacker requests leases with many spoofed MAC addresses until the scope is exhausted.
• DHCP server spoofing: a rogue server answers clients first and hands out a malicious default gateway or DNS server.
Mitigating DHCP Attacks:
1. Port security: limiting the MAC addresses per port bounds how many leases one port can request.
2. DHCP Snooping:
• DHCP snooping allows the configuration of ports as trusted or untrusted.
• DHCP server messages (OFFER, ACK, NAK) arriving on untrusted ports are dropped; client messages are rate-limited and used to build the DHCP snooping binding table.
• Mark as trusted only the uplinks toward the legitimate DHCP server or relay.
• Leave client ports untrusted; a port is never trusted just because the traffic on it appears to work.
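An added configuration example for DHCP snooping (not one of the original slides): snooping on two VLANs, a single trusted uplink, rate-limited client ports and the verification commands. VLAN numbers, interface names, the rate limit and the database location are placeholders.

```cisco
! Added example (not from the slides). VLANs, interfaces, the rate limit
! and the database path are placeholders.
!
ip dhcp snooping
ip dhcp snooping vlan 10,20
! option 82 insertion is on by default on many switches; leave it off unless
! the DHCP server or relay expects it, otherwise clients never get a lease
no ip dhcp snooping information option
! keep the binding table across reloads; DAI and IP Source Guard can be
! built on it later
ip dhcp snooping database flash:dhcp-snoop.db
!
! the one place server messages (OFFER/ACK/NAK) are accepted
interface GigabitEthernet0/24
 description uplink toward distribution and the DHCP server
 ip dhcp snooping trust
!
! client ports stay untrusted (the default); the rate limit caps DISCOVER
! and REQUEST floods so a starvation attack cannot exhaust the scope or
! the switch CPU. A port exceeding it is err-disabled.
interface range GigabitEthernet0/1 - 23
 ip dhcp snooping limit rate 15
!
errdisable recovery cause dhcp-rate-limit
errdisable recovery interval 300
end
!
! verification: trusted ports and per-VLAN status, then the bindings
! (MAC, IP, lease, VLAN, interface) learned from real leases
show ip dhcp snooping
show ip dhcp snooping binding
```

Check `show ip dhcp snooping binding` after a client renews: a missing entry for a live host usually means the lease was obtained before snooping was enabled, and that host will be blocked as soon as DAI or IP Source Guard is turned on.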
Implementing Identity Management:
• Cisco ACS Features
• A centralized identity networking solution
• Manage and administer user access for many Cisco and other devices
• Many advanced features
• TACACS+ and RADIUS server
• Combines AAA
• Cisco NAC support
• Network Access Profiles
• EAP-FAST support
• Downloadable IP ACLs
TACACS+ Overview:
• Cisco protocol; TCP port 49; the entire packet body is encrypted; authentication, authorization and accounting are separate exchanges, which is what makes per-command authorization for device administration possible.
TACACS+ and RADIUS Comparison:
• TACACS+: TCP/49, whole packet body encrypted, AAA functions separated, suited to device administration (command authorization)
• RADIUS: UDP/1812 and 1813 (legacy 1645/1646), only the password attribute is hidden, authentication and authorization combined in one exchange, suited to network access (802.1x, VPN users) and detailed accounting
Administrator Interface:
ACS Policies:
• Authentication
–Authentication protocols
–User databases
• Posture validation
–For use with NAC
• Authorization
–What the user is authorized to do
–Based on identity, posture, or both
Implementing Cisco IBNS:
• Cisco Identity-Based Networking Services
Concept of Cisco IBNS:
• Cisco IBNS is an IEEE 802.1x-based technology solution that increases network security by authenticating users based on personal identity in addition to device MAC and IP address verification.
• Unified control of user identity for the enterprise: Cisco VPN Concentrators, Cisco IOS Routers, Cisco PIX Firewalls
IEEE 802.1x:
• Standard set by the IEEE 802.1 working group
• A framework designed to address and provide port-based access control using authentication
• Primarily an encapsulation definition for EAP over IEEE 802 media (EAPOL is the key protocol)
• Layer 2 protocol for transporting authentication messages (EAP) between supplicant (user/PC) and authenticator (switch or access point)
• Assumes a secure, point-to-point link between supplicant and authenticator; 802.1x itself does not encrypt the data that flows after authentication
• Actual enforcement is via MAC-based filtering and port-state monitoring
802.1x Components:
• Supplicant (the client software on the host), authenticator (the switch or access point) and authentication server (RADIUS, for example Cisco ACS)
802.1x Operation:
How 802.1x Works:
• The actual authentication conversation occurs between the client and the authentication server using EAP. The authenticator is aware of this activity, but it is just an intermediary: it relays EAP between EAPOL on the supplicant side and RADIUS on the server side.
EAP Over LAN (EAPOL)
What Is EAP?
• EAP—the Extensible Authentication Protocol
• A flexible transport protocol used to carry arbitrary authentication information—not the authentication method itself
• Typically runs directly over data-link layers such as PPP or IEEE 802 media
• Originally specified in RFC 2284, obsoleted by RFC 3748
• Supports multiple "authentication" types
Current Prevalent Authentication Methods:
• Challenge-response-based
• EAP-MD5: Uses MD5-based challenge-response for authentication
• LEAP: Uses username/password authentication
• EAP-MS-CHAPv2: Uses username/password MS-CHAPv2 challenge-response authentication
• Cryptographic-based
• EAP-TLS: Uses X.509 v3 PKI certificates and the TLS mechanism for authentication
• Tunneling methods
• PEAP: Tunnel-mode EAP encapsulator; tunnels other EAP types in an encrypted tunnel—much like web-based SSL
• EAP-Tunneled TLS (TTLS): Other EAP methods over an extended EAP-TLS encrypted tunnel
• EAP-FAST: Recent tunneling method designed to not require certificates at all for deployment
• Other
• EAP-GTC: Generic token and OTP authentication
• Caveat: EAP-MD5 and LEAP do not authenticate the server, and their challenge-response exchange can be captured and attacked offline with a dictionary. Run a password method such as MS-CHAPv2 only inside a server-authenticated tunnel (PEAP or TTLS), or use EAP-TLS.
802.1x and the Guest VLAN:
• A port whose host never answers the EAPOL identity request (no supplicant) is placed in the guest VLAN.
802.1x and the Restricted VLAN:
• A port whose host answers but fails authentication the configured number of times is placed in the restricted (auth-fail) VLAN.
Configuring 802.1x in Cisco IOS:
1. Enable AAA.
2. Configure 802.1x authentication.
3. Configure RADIUS communications.
4. Enable 802.1x globally.
5. Configure the interface and enable 802.1x.
6. Verify 802.1x operation.
Enable AAA:
Configure RADIUS Communications:
Enable 802.1x Globally:
Configure Interface and Enable 802.1x:
Configuring Guest and Restricted VLANs:
Verify 802.1x Operation:
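The six steps above carried through as one added example (not one of the original slides): a single access port authenticating against RADIUS, with guest and restricted VLANs and the verification commands. Server address, shared secret, VLAN IDs, timers and the interface are placeholders.

```cisco
! Added example (not from the slides). Server address, shared secret,
! VLAN IDs, timers and the interface are placeholders.
!
! 1-2. AAA and the 802.1x method list (RADIUS is the only server type
!      802.1x can use; TACACS+ does not carry EAP)
aaa new-model
aaa authentication dot1x default group radius
! needed if the server returns a VLAN (Tunnel-Private-Group-ID) or a dACL
aaa authorization network default group radius
aaa accounting dot1x default start-stop group radius
!
! 3. RADIUS communications: a long, per-switch secret, standard ports
radius-server host 10.1.1.10 auth-port 1812 acct-port 1813 key RadiusSecretPlaceholder
radius-server deadtime 5
!
! 4. enable 802.1x globally
dot1x system-auth-control
!
! 5. interface configuration
interface GigabitEthernet0/2
 switchport mode access
 switchport access vlan 10
 dot1x pae authenticator
 ! auto: port starts unauthorized and opens after a successful EAP exchange
 dot1x port-control auto
 ! host that never answers EAPOL (no supplicant) lands in the guest VLAN
 dot1x guest-vlan 90
 ! host that fails three times lands in the restricted VLAN
 dot1x auth-fail vlan 91
 dot1x auth-fail max-attempts 3
 ! re-run authentication every hour so a revoked user is cut off
 dot1x reauthentication
 dot1x timeout reauth-period 3600
 spanning-tree portfast
end
!
! 6. verify: global state, per-port state (AUTHORIZED/UNAUTHORIZED, which
!    VLAN was applied) and whether the RADIUS server is reachable
show dot1x all
show dot1x interface GigabitEthernet0/2 details
show aaa servers
```

Newer IOS releases replace the per-interface `dot1x port-control`, `dot1x guest-vlan` and `dot1x auth-fail vlan` commands with `authentication port-control auto`, `authentication event no-response action authorize vlan 90` and `authentication event fail action authorize vlan 91`; the behaviour is the same. Whichever syntax is in use, confirm with `show dot1x interface ... details` that a host in the guest VLAN really is there because it sent no EAPOL, not because the RADIUS server was unreachable.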
Introducing Cisco NFP:
Network Foundation Protection (NFP):
• Cisco NFP protects the network infrastructure by treating the device as three planes (control, management and data) and applying specific tools to each.
• There are several tools used to secure the infrastructure.
Network Foundation Protection: Enterprise Model
Securing the Control Plane:
• The control plane provides the functionality that builds the tables necessary to properly forward traffic: the routing table, the forwarding table, the MAC address table, and so on.
Control Plane Attacks and Mitigation Techniques:
Control Plane Protection (CPPr)
• A framework
• Provides policing and protection for traffic destined to the control plane
• Extends the CoPP functionality
• Finer granularity: separate policies for the host, transit and CEF-exception subinterfaces of the control plane
• Traffic classifier
• Port filtering: drops packets early that are directed at closed or non-listening TCP/UDP ports
• Queue threshold: limits the number of unprocessed packets that a specific protocol can have queued at the process level
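An added example (not one of the original slides) of all three CPPr pieces on the host subinterface: a CoPP-style policing policy, a port filter for closed ports and a queue threshold per protocol. Addresses, rates and the protocol list are placeholders chosen for illustration; the rates in particular must be sized from `show policy-map control-plane` counters on the real box.

```cisco
! Added example (not from the slides). Addresses, rates and protocols are
! placeholders; measure before you drop.
!
! --- 1. policing of traffic punted to the host subinterface ---
ip access-list extended CP-MGMT
 remark management hosts may reach SSH and SNMP
 permit tcp 10.1.1.0 0.0.0.255 any eq 22
 permit udp 10.1.1.0 0.0.0.255 any eq snmp
ip access-list extended CP-ROUTING
 permit tcp any any eq bgp
 permit tcp any eq bgp any
 permit ospf any any
ip access-list extended CP-ICMP
 permit icmp any any
!
class-map match-all CP-MGMT-CLASS
 match access-group name CP-MGMT
class-map match-all CP-ROUTING-CLASS
 match access-group name CP-ROUTING
class-map match-all CP-ICMP-CLASS
 match access-group name CP-ICMP
!
policy-map CP-HOST-POLICY
 ! routing: count, never drop (a dropped hello costs more than a burst)
 class CP-ROUTING-CLASS
  police 256000 conform-action transmit exceed-action transmit
 class CP-MGMT-CLASS
  police 128000 conform-action transmit exceed-action drop
 class CP-ICMP-CLASS
  police 32000 conform-action transmit exceed-action drop
 ! everything else (unmatched, including spoofed junk) gets a small bucket
 class class-default
  police 64000 conform-action transmit exceed-action drop
!
! --- 2. port filter: drop packets to TCP/UDP ports nothing listens on,
!        before they reach the process level ---
class-map type port-filter match-all CP-CLOSED-PORTS
 match closed-ports
policy-map type port-filter CP-PORT-FILTER
 class CP-CLOSED-PORTS
  drop
!
! --- 3. queue threshold: cap unprocessed packets per protocol so one
!        flood cannot starve the others ---
class-map type queue-threshold match-all CP-QT-SNMP
 match protocol snmp
class-map type queue-threshold match-all CP-QT-TELNET
 match protocol telnet
policy-map type queue-threshold CP-QUEUE-THRESHOLD
 class CP-QT-SNMP
  queue-limit 50
 class CP-QT-TELNET
  queue-limit 10
!
! all three attach to the host subinterface of the control plane
control-plane host
 service-policy input CP-HOST-POLICY
 service-policy type port-filter input CP-PORT-FILTER
 service-policy type queue-threshold input CP-QUEUE-THRESHOLD
end
!
! verify: per-class conform/exceed counters, and the listening ports
! the port filter is protecting
show policy-map control-plane host
show control-plane host open-ports
```

Deploy with `exceed-action transmit` in every class first and watch the exceed counters for a week; only then turn the exceed action to drop, class by class. `show control-plane host open-ports` is also the quickest audit of which management services are actually listening.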
Securing the Management Plane:
• The management plane provides the facilities through which the device is configured for initial deployment and then monitored and maintained thereafter.
• Protocols of the Management Plane
• Telnet
• SNMP
• SSH
• HTTP
• HTTPS
Tools Used to Secure the Management Plane:
• Cisco Management Plane Protection (MPP) feature for Cisco IOS Release 12.4(6)T and later: management protocols are accepted only on designated management interfaces
• SSH access only
• ACLs on the vty ports
• Cisco IOS Software login enhancements
• Role-based CLI views
Cisco IOS MPP:
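The management-plane tools listed above, combined in one added example (not one of the original slides): SSH only, a vty ACL, login enhancements, MPP on a single interface, SNMPv3 and a read-only CLI view. Hostname, domain, subnets, user names and secrets are placeholders.

```cisco
! Added example (not from the slides). Hostname, domain, subnets, user
! names, secrets and the interface are placeholders.
!
hostname R1
ip domain-name example.test
! RSA key for SSH (hostname and domain must be set first); 2048 bits
crypto key generate rsa modulus 2048
ip ssh version 2
ip ssh time-out 60
ip ssh authentication-retries 3
!
! only the management subnet may open a session
ip access-list standard MGMT-HOSTS
 permit 10.1.1.0 0.0.0.255
 deny   any log
!
aaa new-model
aaa authentication login default local
username netadmin privilege 15 secret NetAdminSecretPlaceholder
!
! vty: SSH only, ACL in, idle timeout
line vty 0 4
 transport input ssh
 access-class MGMT-HOSTS in
 exec-timeout 10 0
 logging synchronous
!
! login enhancements: 3 failures in 60 s -> 120 s quiet period during which
! only MGMT-HOSTS may still log in; every attempt is logged
login block-for 120 attempts 3 within 60
login quiet-mode access-class MGMT-HOSTS
login delay 2
login on-failure log
login on-success log
!
! MPP: SSH and SNMP are accepted on Gi0/0 only; every other interface
! silently drops them, whatever the vty ACL says
control-plane host
 management-interface GigabitEthernet0/0 allow ssh snmp
!
! SNMPv3 only, read-only, restricted to the same hosts
snmp-server group MGMT-RO v3 priv access MGMT-HOSTS
snmp-server user monitor MGMT-RO v3 auth sha AuthPassPlaceholder priv aes 128 PrivPassPlaceholder
!
! role-based CLI view for an operator who may look but not change anything
! (enter the root view with "enable view" before creating views)
enable secret EnableSecretPlaceholder
parser view OPERATOR
 secret OperatorViewPlaceholder
 commands exec include show running-config
 commands exec include show ip route
 commands exec include show interfaces
end
!
show management-interface
show ip ssh
show login
show parser view all
```

`show management-interface` lists, per interface, which protocols MPP allows and how many packets it has dropped; a non-zero drop count on a non-management interface is exactly the probing the feature exists to stop.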
Verifying MPP:
Securing the Data Plane:
• The data plane forwards network traffic and applies various services to it, such as security, QoS, accounting, and so on.
Data Plane Protection:
Flexible Packet Matching (FPM):
• FPM matches on arbitrary header fields and byte patterns, described by Protocol Header Description Files, so that a packet can be classified and dropped or logged without waiting for an ACL keyword or an IPS signature that fits it.
Configuring FPM:
1. Load a Protocol Header Description File (PHDF)
–For header field matching
2. Create a traffic class
–Define a protocol stack and specify exact parameters to match
–Using class maps of type "stack" and "access-control"
3. Create a traffic policy
–Define a service policy
4. Apply the service policy to an interface
• 1 & 2: PHDFs and Class Map
• 3: Traffic Policies
• 4: Applying a Service Policy to an Interface:
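The four FPM steps as one added example (not one of the original slides). The PHDF names are the standard ip.phdf and udp.phdf files Cisco ships; the match values reproduce the SQL Slammer pattern used in Cisco's FPM documentation and are here only to show how a stack class and an access-control class nest. Interface name and policy names are placeholders.

```cisco
! Added example (not from the slides). Interface and policy names are
! placeholders; the PHDFs must already be copied to flash.
!
! 1. load the protocol header descriptions so field names resolve
load protocol flash:ip.phdf
load protocol flash:udp.phdf
!
! 2a. stack class: which headers are present (IP carrying UDP)
class-map type stack match-all IP-UDP-STACK
 match field IP protocol eq 0x11 next UDP
!
! 2b. access-control class: the header fields and payload bytes to match
!     (UDP/1434, total length 404, a 4-byte marker 224 bytes into L3)
class-map type access-control match-all SLAMMER-PATTERN
 match field UDP dest-port eq 1434
 match field IP length eq 404
 match start l3-start offset 224 size 4 eq 0x4011010
!
! 3. nested traffic policies: the outer one selects the stack, the inner
!    one decides the action for the pattern
policy-map type access-control SLAMMER-ACTION
 class SLAMMER-PATTERN
  drop
policy-map type access-control FPM-POLICY
 class IP-UDP-STACK
  service-policy SLAMMER-ACTION
!
! 4. apply inbound on the untrusted interface
interface GigabitEthernet0/0
 description outside
 service-policy type access-control input FPM-POLICY
end
!
! verify: per-class match counters, and the fields the PHDF exposes
show policy-map type access-control interface GigabitEthernet0/0
show protocols phdf ip
```

FPM is stateless and looks only at the packet in hand, so it cannot follow a pattern across fragments or a TCP stream; it is a fast stop-gap for a known byte pattern, not a replacement for the stateful inspection or IPS covered later.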
Introducing IPsec:
• Combines three protocols into a cohesive security framework: AH and ESP to protect the data, IKE to negotiate the keys and security associations
IPsec Modes:
• Transport mode protects the payload of the original IP packet and keeps its header; tunnel mode encapsulates the whole original packet in a new IP header, which is the mode used between gateways.
Authentication Header:
• RFC 2402 (obsoleted by RFC 4302)
• IP protocol 51
• Mechanism for providing strong integrity and authentication for IP datagrams; provides no confidentiality
Encapsulating Security Payload:
• RFC 2406 (obsoleted by RFC 4303)
• IP protocol 50
• May provide the following:
• Confidentiality (encryption)
• Connectionless integrity
• Data origin authentication
• An anti-replay service
Internet Key Exchange:
• RFC 2409 (IKEv1; IKEv2 is specified in RFC 7296)
• A hybrid protocol consisting of:
• SKEME
• A mechanism for using public key encryption for authentication
• Oakley
• A modes-based mechanism for arriving at an encryption key between two peers
• ISAKMP
• An architecture for message exchange, including packet formats and state transitions between two peers
• Phase-based
How IKE Works:
• IKE is a two-phase protocol: phase 1 authenticates the peers and builds the ISAKMP SA; phase 2 (quick mode) negotiates the IPsec SAs under the protection of that SA.
Internet Security Association and Key Management Protocol (ISAKMP):
• RFC 2408
• UDP 500 (UDP 4500 once NAT traversal is detected)
• Defines procedures for:
• Authenticating a peer
• Creation and management of SAs
• Key generation techniques
• Threat mitigation
Other Protocols and Terminology
IPsec Configuration Task List:
1. Check network connectivity
2. Ensure ACLs are compatible with IPsec
• Allow IP protocols 50 and 51
• Allow UDP 500 (and UDP 4500 when NAT-T is in use)
3. Configure IKE
• ISAKMP
4. Configure IPsec
• Create crypto ACLs
• Define transform sets
• Create crypto map entries
• Set global lifetimes for IPsec SAs
• Apply the crypto map to the interface
IPsec VPN Deployment:
• Site-to-site VPNs
• Fully meshed (static)
• Hub (static) and spoke (dynamic)
• Fully meshed on demand (dynamic)
• DMVPN: provides a combination of static and dynamic on-demand tunnels
• Remote-access VPNs
• Cisco Easy VPN
• WebVPN (Cisco IOS SSL VPN)
Fully Meshed VPNs:
• There are static public addresses between peers.
• Local LAN addresses can be private or public.
Hub-and-Spoke VPNs:
• Static public address needed at the hub only.
• Spoke addresses can be dynamically assigned using DHCP.
Dynamic Multipoint VPNs:
Cisco Easy VPN:
Cisco IOS WebVPN:
• Integrated security and routing
• Clientless and full network SSL VPN access
Implementing IPsec VPNs Using Pre-Shared Keys:
• Prepare for ISAKMP and IPsec.
• Configure ISAKMP
• Pre-shared key authentication
• Configure IPsec transforms.
• Create ACLs for encryption traffic (crypto ACLs).
• Configure the crypto map.
• Apply the crypto map to an interface.
• Test and verify IKE and IPsec.
Planning the IKE Policy:
• Determine the following policy details:
• Key distribution method
• Authentication method
• IPsec peer IP addresses and hostnames
• ISAKMP policies for all peers
• Encryption algorithm
• Hash algorithm
• Diffie-Hellman group
• IKE SA lifetime
IKE Phase 1 Policy Parameters:
• Encryption algorithm, hash algorithm, authentication method, Diffie-Hellman group and SA lifetime; both peers must share at least one matching policy, compared in priority order.
IPsec Transforms
Identify IPsec Peers:
Configuring ISAKMP:
• Step 1: Enable or disable ISAKMP.
• Step 2: Create ISAKMP policies.
• Configure the authentication method: pre-shared keys, or RSA signatures when using PKI.
• Step 3: Configure pre-shared keys.
• Step 4: Verify the ISAKMP configuration.
• Step 1: Enable or Disable ISAKMP
• Step 2: Create ISAKMP Policies:
• Create ISAKMP Policies with the crypto isakmp Command:
• Step 3: Configure Pre-Shared Keys:
Configuring IPsec:
• Step 1: Configure transform sets.
• Step 2: Configure global IPsec SA lifetimes.
• Configure Transform Sets:
• crypto ipsec security-association lifetime:
Purpose of Crypto Maps:
• Crypto maps pull together the various parts configured for IPsec, including:
• Which traffic should be protected by IPsec
• Where IPsec-protected traffic should be sent
• The local address to be used for the IPsec traffic
• Which IPsec type should be applied to this traffic
• Whether SAs are established manually or via IKE
• Other parameters needed to define an IPsec SA
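The pre-shared-key procedure above, carried through for one side of a site-to-site tunnel as an added example (not one of the original slides). Addresses, the interface name and the key are placeholders; the peer mirrors this configuration with the networks and peer address swapped.

```cisco
! Added example (not from the slides). Addresses, interface name and the
! key are placeholders; the peer mirrors this with sides swapped.
!
! ISAKMP: enable and define the phase 1 policy (priority 10)
crypto isakmp enable
crypto isakmp policy 10
 encryption aes 256
 hash sha256
 authentication pre-share
 group 14
 lifetime 86400
!
! pre-shared key bound to the peer address; never a wildcard for a
! static site-to-site peer
crypto isakmp key ReplaceWithLongRandomKey address 203.0.113.2
!
! IPsec: transform set (phase 2 proposal) and global SA lifetime
crypto ipsec transform-set TS-AES256-SHA256 esp-aes 256 esp-sha256-hmac
 mode tunnel
crypto ipsec security-association lifetime seconds 3600
!
! crypto ACL: the traffic to protect; the peer's ACL must be the mirror
! image, otherwise phase 2 fails with a proxy-identity mismatch
ip access-list extended CRYPTO-TO-SITE-B
 permit ip 10.1.0.0 0.0.255.255 10.2.0.0 0.0.255.255
!
! crypto map: peer, transform set, PFS and the crypto ACL
crypto map CMAP-SITES 10 ipsec-isakmp
 set peer 203.0.113.2
 set transform-set TS-AES256-SHA256
 set pfs group14
 match address CRYPTO-TO-SITE-B
!
! apply to the outside interface. Any inbound ACL on this interface must
! permit ESP (50), AH (51), UDP 500 and UDP 4500 from the peer.
interface GigabitEthernet0/0
 ip address 203.0.113.1 255.255.255.252
 crypto map CMAP-SITES
end
!
! verify: the policy, phase 1 (state QM_IDLE = established) and the
! phase 2 SAs with encrypt/decrypt counters moving in both directions
show crypto isakmp policy
show crypto isakmp sa
show crypto ipsec sa peer 203.0.113.2
```

`hash sha256` and `esp-sha256-hmac` need a 15.x release; on the 12.4T code the course was written for, only `hash sha` and `esp-sha-hmac` exist. Whatever the release, avoid DES/3DES, MD5 and DH groups 1 and 2 for anything new. A peer that reaches `QM_IDLE` but shows zero decrypt counters almost always has a crypto ACL that is not the exact mirror of this one.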
• IPsec Configuration Example:
Implementing IPsec VPNs Using PKI:
Digital Signatures:
X.509v3 Digital Certificate:
Certificate Enrollment:
Configuring a Site-to-Site VPN Using PKI:
• Prepare for ISAKMP and IPsec
• Configure CA support
• Configure ISAKMP for IPsec
• rsa-sig authentication
• Configure IPsec transforms
• Create ACLs for encryption traffic (crypto ACLs)
• Configure the crypto map
• Apply the crypto map to an interface
• Test and verify IPsec
• Set the Router Time and Date (certificate validity is checked against the router clock, so use NTP)
• Configure a Hostname and Domain Name (both are needed before an RSA key pair can be generated)
• Add a CA Server Entry to the Router Host Table
• Generate an RSA Key Pair
• Declare a CA (trustpoint)
• Authenticate the CA (obtain the CA certificate and compare its fingerprint with a value received out of band)
• Request Your Own Certificate
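The CA-support steps above carried through as one added example (not one of the original slides), ending with an ISAKMP policy that authenticates with RSA signatures. Hostname, domain, the CA address and URL, the trustpoint and key labels are placeholders; SCEP over HTTP is assumed as the enrollment method.

```cisco
! Added example (not from the slides). Hostname, domain, CA address/URL,
! trustpoint and key labels are placeholders; SCEP enrollment assumed.
!
! 1. time must be correct before any certificate can be validated
clock timezone UTC 0
ntp server 10.1.1.5
!
! 2. hostname and domain: the key pair and certificate subject derive
!    from them, and they must exist before the key is generated
hostname R1
ip domain-name example.test
!
! 3. host table entry so the enrollment URL resolves without DNS
ip host ca-server 10.1.1.20
!
! 4. a dedicated 2048-bit key pair for this trustpoint
crypto key generate rsa general-keys label VPN-KEY modulus 2048
!
! 5. declare the CA (trustpoint): how to reach it and what to ask for
crypto pki trustpoint CA-INTERNAL
 enrollment url http://ca-server:80
 subject-name CN=R1.example.test,OU=WAN
 rsakeypair VPN-KEY
 ! check revocation against the CA's CRL; "none" would accept a revoked peer
 revocation-check crl
!
! 6. authenticate the CA: the router fetches the CA certificate and
!    prints its fingerprint. Compare it with the value the CA
!    administrator gave you out of band before answering "yes".
crypto pki authenticate CA-INTERNAL
!
! 7. enroll: builds the request and prompts for the challenge password
crypto pki enroll CA-INTERNAL
!
! 8. ISAKMP policy that authenticates with the certificate
crypto isakmp policy 10
 encryption aes 256
 hash sha
 authentication rsa-sig
 group 14
end
!
! verify: trustpoint state, CA and router certificates, key pair, and
! the SA once the first tunnel is negotiated
show crypto pki trustpoints
show crypto pki certificates
show crypto key mypubkey rsa
show crypto isakmp sa
```

The fingerprint comparison in step 6 is the only thing that ties this router to the right CA; skipping it means trusting whatever answered at the enrollment URL. Also keep the router's clock under NTP permanently: a router that boots with its clock at the default date will reject its own certificate as not yet valid.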
• Verify the CA Support Configuration:
Configuring GRE Tunnels:
• Generic Routing Encapsulation (GRE) was designed to carry multiprotocol and IP multicast traffic between sites across a network that offers only IP unicast connectivity.
• RFCs 1701, 1702, 2784
• Uses IP protocol 47 when encapsulated within IP
• Allows passing of routing information between connected networks
• One of the significant advantages of GRE tunneling over (non-VTI) IPsec tunnels is that GRE uses Cisco IOS Software interfaces that can utilize QoS features.
• GRE does have some limitations:
■ GRE provides no cryptographic protection for traffic and must be combined with IPsec to provide it.
■ There is no standard way to determine the end-to-end state of a GRE tunnel. Cisco IOS Software provides proprietary GRE keepalives for this purpose.
• Deployment Scenario:
Configuring a GRE Tunnel:
1. Create and identify the tunnel interface.
2. Configure the tunnel interface source address.
3. Configure the tunnel interface destination address.
4. Bring up the tunnel interface (administratively).
5. Configure routes.
GRE/IPsec:
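The five GRE steps above, with the IPsec protection the limitations call for, as one added example (not one of the original slides). It protects the tunnel with an IPsec profile rather than a crypto map. Addresses, interface names and the key are placeholders; the remote router mirrors this with source and destination swapped.

```cisco
! Added example (not from the slides). Addresses, interface names and the
! key are placeholders; the remote router mirrors it.
!
crypto isakmp policy 10
 encryption aes 256
 hash sha
 authentication pre-share
 group 14
crypto isakmp key ReplaceWithLongRandomKey address 203.0.113.2
!
! transport mode: GRE already supplies the outer IP header, so only the
! GRE packet is wrapped in ESP and 20 bytes of overhead are saved
crypto ipsec transform-set TS-GRE esp-aes 256 esp-sha-hmac
 mode transport
crypto ipsec profile GRE-PROTECT
 set transform-set TS-GRE
!
! 1-4. tunnel interface: addresses, source, destination, up
interface Tunnel0
 description GRE to site B
 ip address 172.16.0.1 255.255.255.252
 ! GRE (24 bytes) plus ESP overhead: lower the MTU and clamp TCP MSS so
 ! hosts do not depend on fragmentation (often blocked or dropped)
 ip mtu 1400
 ip tcp adjust-mss 1360
 ! proprietary keepalive: every 10 s, 3 misses bring the line protocol
 ! down so routing reconverges instead of blackholing
 keepalive 10 3
 tunnel source GigabitEthernet0/0
 tunnel destination 203.0.113.2
 ! IPsec is bound to the tunnel; no crypto ACL or crypto map needed
 tunnel protection ipsec profile GRE-PROTECT
 no shutdown
!
! 5. routes: static here, or run a routing protocol across the tunnel
ip route 10.2.0.0 255.255.0.0 Tunnel0
end
!
! verify: line protocol up, an IPsec SA between the tunnel endpoints,
! and the remote network reachable via Tunnel0
show interfaces Tunnel0
show crypto ipsec sa
show ip route 10.2.0.0
```

If the tunnel's line protocol flaps while `show crypto ipsec sa` is healthy, the keepalives are being dropped by an intermediate ACL or by a peer that does not run them; the same ACL rule that permits ESP must permit GRE (IP protocol 47) only if you ever run the tunnel unprotected.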
GRE with Encryption Example:
Configuring a DMVPN:
• The Cisco DMVPN feature allows administrators to deploy scalable IPsec VPNs for both small and large networks.
• Relies on:
• IPsec profiles
• Next Hop Resolution Protocol (NHRP): The NHRP database maintains mappings between the router (public, physical interface) and the tunnel (inside the tunnel interface) IP addresses of each spoke.
• Multipoint Generic Routing Encapsulation (mGRE): allows a single GRE interface to support multiple GRE tunnels and makes the configuration much easier
• Benefits:
• Hub router configuration reduction
• Automatic IPsec encryption initiation
• Support for dynamically addressed spoke routers
• Dynamic tunnel creation for spoke-to-spoke tunnels
Single DMVPN Topology:
Dual DMVPN Topology:
DMVPN Deployment Models:
DMVPN Configuration Tasks:
• ISAKMP and IPsec configuration
• Tunnel protection configuration
• IPsec profiles
• Tunnel interface configuration
• mGRE configuration
• NHRP configuration
• Routing protocol configuration
• ISAKMP and IPsec:
• IPsec Profile:
• DMVPN Example:
• DMVPN Routing Tables:
• DMVPN NHRP Mapping Tables:
• IPsec Profile:
• Hub Configuration:
• Spoke Configuration:
Configuring Cisco IOS SSL VPN (WebVPN):
Remote-Access Modes:
• Clientless (browser portal), thin client (port forwarding of individual TCP applications through a small applet) and full tunnel (the SSL VPN client installs a virtual adapter and routes all configured traffic through the gateway)
Configuring WebVPN:
• WebVPN prerequisites:
• Configure AAA
• Local or ACS authentication
• Configure DNS
• Router hostname and domain name
• Map host to IP address in router host table
• Configure certificates and trustpoints
• CA or self-signed
• WebVPN configuration
• Configure a WebVPN gateway
• Configure a WebVPN context
• Configure a URL list for clientless access
• Configure Microsoft file shares for clientless access
• Configure application port forwarding
• Configure a WebVPN policy group
• AAA Configuration—Local Authentication
• AAA Configuration—External Authentication
• DNS Configuration
• Gateway Configuration Commands:
• Context Configuration Commands:
• URL Lists
• Group Policy Configuration Commands:
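The WebVPN prerequisites and configuration tasks above as one added example (not one of the original slides): a gateway, a context with local authentication, a URL list, a CIFS (NBNS) list, one port-forwarding entry and the policy group that ties them together. Addresses, names, the trustpoint and the user account are placeholders; a self-signed certificate is used for brevity.

```cisco
! Added example (not from the slides). Addresses, names, trustpoint and
! user are placeholders; self-signed certificate used for brevity.
!
! --- prerequisites: AAA, DNS, certificate ---
aaa new-model
aaa authentication login SSLVPN-AUTH local
username remoteuser secret RemoteUserSecretPlaceholder
hostname R1
ip domain-name example.test
ip name-server 10.1.1.53
! a CA-issued certificate avoids browser warnings that train users to
! click through; self-signed is acceptable for a lab only
crypto pki trustpoint SSLVPN-TP
 enrollment selfsigned
 subject-name CN=vpn.example.test
 rsakeypair SSLVPN-KEY 2048
crypto pki enroll SSLVPN-TP
!
! --- gateway: the public HTTPS listener ---
webvpn gateway SSLVPN-GW
 ip address 203.0.113.1 port 443
 ssl trustpoint SSLVPN-TP
 inservice
!
! --- context: portal content, policy and the authentication list ---
webvpn context EMPLOYEES
 title "Employee portal"
 ssl authenticate verify all
 ! clientless: bookmarks shown on the portal page
 url-list "INTRANET"
   heading "Intranet"
   url-text "Wiki" url-value "http://wiki.example.test"
   url-text "Helpdesk" url-value "https://helpdesk.example.test"
 ! thin client: a local port on the PC forwarded to an internal server
 port-forward "THIN-CLIENT"
   local-port 3023 remote-server "jump.example.test" remote-port 23 description "Telnet to jump host"
 ! clientless CIFS browsing needs a name server for share resolution
 nbns-list "CIFS-SERVERS"
   nbns-server 10.1.1.30 master
 ! policy group: what an authenticated user of this context may do
 policy group EMPLOYEE-POLICY
   url-list "INTRANET"
   port-forward "THIN-CLIENT"
   nbns-list "CIFS-SERVERS"
   functions file-access
   functions file-browse
   functions file-entry
   timeout idle 1800
 default-group-policy EMPLOYEE-POLICY
 aaa authentication list SSLVPN-AUTH
 gateway SSLVPN-GW
 inservice
end
!
! verify: gateway up and listening, context in service, active sessions
show webvpn gateway SSLVPN-GW
show webvpn context EMPLOYEES
show webvpn session context EMPLOYEES
```

Everything in the policy group is additive: a user who should only see the bookmarks gets a group with `url-list` alone and none of the `functions file-*` lines. For the full-tunnel mode listed under remote-access modes, the policy group additionally needs `functions svc-enabled` and an address pool, and the SSL VPN client package must be installed on the router.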
Configuring Cisco Easy VPN Remote Access:
Cisco Easy VPN is made up of two components:
• Cisco Easy VPN Server: Enables Cisco IOS routers, Cisco ASA/Cisco PIX Firewalls, and Cisco VPN 3000 Series Concentrators to act as VPN headend devices in site-to-site or remote-access VPNs, where the remote office devices are using the Cisco Easy VPN Remote feature.
• Cisco Easy VPN Remote: Enables Cisco IOS routers, Cisco ASA/Cisco PIX Firewalls, and Cisco VPN 3002 Hardware Clients or Cisco VPN Software Clients to act as remote VPN clients.
Remote Access Using Cisco Easy VPN:
Cisco Easy VPN Remote Connection Process:
Cisco Easy VPN Remote Configuration General Tasks for Access Routers:
• Configure the DHCP server pool.
• Configure the Cisco Easy VPN Remote client profile.
• Group and key
• Peer
• Mode
• Manual or automatic tunnel control
• Assign the Cisco Easy VPN Remote client profile to the interfaces.
• Verify the Cisco Easy VPN configuration.
Cisco Easy VPN Server—General Configuration Tasks:
The following general tasks are used to configure Cisco Easy VPN Server on a Cisco router:
• (Optional) Create an IP address pool for connecting clients
• Enable group policy lookup via AAA
• Create an ISAKMP policy for remote VPN client access
• Define a group policy for mode configuration push
• Apply mode configuration and XAUTH
• Enable RRI for the client
• Enable IKE
• Configure XAUTH
• (Optional) Enable the XAUTH Save Password feature
• Create ISAKMP Policy for Remote VPN Client Access
• Create Transform Sets
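The Easy VPN Server tasks above carried through on an IOS router as one added example (not one of the original slides): a local group policy pushed by mode configuration, XAUTH against local users, split tunnelling, RRI and a dynamic crypto map. Pool, group name, keys, users and addresses are placeholders.

```cisco
! Added example (not from the slides). Pool, group name, keys, users and
! addresses are placeholders.
!
aaa new-model
! XAUTH (per-user) authentication and group authorization lists
aaa authentication login EZVPN-XAUTH local
aaa authorization network EZVPN-GROUP local
username remote1 secret Remote1SecretPlaceholder
!
! (optional) addresses handed to clients by mode configuration
ip local pool EZVPN-POOL 10.100.0.1 10.100.0.254
!
! ISAKMP policy: the legacy Easy VPN client requires DH group 2 and uses
! aggressive mode with a group pre-shared key, which is weak by today's
! standards; treat this headend as legacy and keep its reach small
crypto isakmp policy 10
 encryption aes
 hash sha
 authentication pre-share
 group 2
!
! group policy: key, DNS, domain, pool and split-tunnel ACL (only the
! listed networks go through the tunnel), plus XAUTH save-password
ip access-list extended EZVPN-SPLIT
 permit ip 10.1.0.0 0.0.255.255 any
crypto isakmp client configuration group SALES
 key SalesGroupKeyPlaceholder
 dns 10.1.1.53
 domain example.test
 pool EZVPN-POOL
 acl EZVPN-SPLIT
 save-password
!
crypto ipsec transform-set EZVPN-TS esp-aes esp-sha-hmac
!
! dynamic crypto map: client addresses are unknown in advance; RRI injects
! a static host route for each connected client so return traffic is
! routed into the tunnel
crypto dynamic-map EZVPN-DYN 10
 set transform-set EZVPN-TS
 reverse-route
!
! tie XAUTH, group authorization and mode configuration to the crypto map
crypto map EZVPN-MAP client authentication list EZVPN-XAUTH
crypto map EZVPN-MAP isakmp authorization list EZVPN-GROUP
crypto map EZVPN-MAP client configuration address respond
crypto map EZVPN-MAP 10 ipsec-isakmp dynamic EZVPN-DYN
!
interface GigabitEthernet0/0
 ip address 203.0.113.1 255.255.255.252
 crypto map EZVPN-MAP
end
!
! verify: phase 1 per client, the session view, and the RRI host routes
show crypto isakmp sa
show crypto session
show ip route static
```

`save-password` lets the client cache the XAUTH password on disk, which removes the one per-user factor this design has; leave it out unless the clients are hardware devices with no one to type a password.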
Examining Cisco IOS Firewall:
• Deploy:
• As an Internet firewall
• Between groups on the internal network
• As a VPN endpoint for branches
• Between a partner network and the corporate network
• Features:
• Cisco IOS Software stateful packet inspection
• Protection against attack
• Alerts and audit trails
• Authentication proxy
• Support for NAT and Port-to-Application Mapping (PAM)
Cisco IOS Firewall Feature Set:
• Classic firewall
• Authentication proxy
• Cisco IOS IPS
• ACLs
• TCP Intercept
• PAM
• NAT
• Security server support
• RADIUS, TACACS+, Kerberos
• User authentication and authorization
Cisco IOS Firewall Authentication Proxy:
Cisco IOS IPS:
Configuring Cisco IOS Classic Firewall:
• Context-Based Access Control (CBAC) applies policy through inspect statements together with ACLs configured between interfaces: each inspected session opens a temporary entry in the ACL on the return path.
• The Zone-Based Policy Firewall (ZBPFW) is the next Cisco implementation of a router-based firewall that runs in Cisco IOS Software. It was introduced in IOS Release 12.4(6)T.
• As with CBAC, the ZBPFW supports stateful inspection as well as Application Inspection and Control (AIC), also referred to as Deep Packet Inspection (DPI). This includes inspection support for Layers 3 through 7.
• One of the main differences between a firewall using CBAC and ZBPFW is the use of security zones: policy is attached to zone pairs rather than to individual interfaces.
IOS Classic Firewall Configuration:
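An added classic (CBAC) configuration example, not one of the original slides: inside hosts may start TCP, UDP, ICMP, HTTP and FTP sessions outward; nothing enters from outside except return traffic for an inspected session and one static exception. Interface names and addresses are placeholders.

```cisco
! Added example (not from the slides). Interface names and addresses are
! placeholders.
!
! inspection rule: generic TCP/UDP/ICMP plus application-aware HTTP and FTP
! (FTP inspection opens the data channel the control channel negotiates)
ip inspect name CBAC-OUT tcp
ip inspect name CBAC-OUT udp
ip inspect name CBAC-OUT icmp
ip inspect name CBAC-OUT http
ip inspect name CBAC-OUT ftp
! log every session open/close with byte counts
ip inspect audit-trail
! half-open (embryonic) session limits: above 1000 the firewall starts
! deleting half-open sessions until the count falls back to 800
ip inspect max-incomplete high 1000
ip inspect max-incomplete low 800
ip inspect tcp synwait-time 15
!
! inbound ACL on the outside interface: statically deny everything except
! NTP from the provider; CBAC inserts temporary permits ahead of it for
! the return half of inspected sessions
ip access-list extended OUTSIDE-IN
 permit udp host 203.0.113.253 eq ntp host 203.0.113.1 eq ntp
 deny   ip any any log
!
interface GigabitEthernet0/0
 description outside
 ip address 203.0.113.1 255.255.255.252
 ip access-group OUTSIDE-IN in
 ! inspect traffic leaving toward the outside; the state it creates
 ! is what lets the replies back in
 ip inspect CBAC-OUT out
!
interface GigabitEthernet0/1
 description inside
 ip address 10.1.1.1 255.255.255.0
end
!
! verify: the rule as parsed, then live sessions with their dynamic entries
show ip inspect config
show ip inspect sessions
```

The ACL and the inspect rule face the same interface but in opposite directions, which is the pattern to check when CBAC "does not work": an `ip inspect ... in` on the inside interface with the deny ACL inbound on the outside interface is equivalent and is the form most older documents show.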
Configuring Cisco IOS Zone-Based Policy Firewall:
Zoning Rules Summary:
• If two interfaces are not in zones, traffic flows freely between them.
• If one interface is in a zone and another interface is not in a zone, traffic may never flow between them.
• If two interfaces are in two different zones, traffic will not flow between the interfaces until a policy is defined to allow the traffic.
• Traffic between two interfaces in the same zone is allowed.
Configuring a Cisco IOS Zone-Based Policy Firewall:
1. Identify interfaces that share the same security function and group them into the same security zones.
2. Determine the required traffic flow between zones in both directions.
3. Set up zones.
4. Set up zone pairs for any policy other than deny all.
5. Define class maps to describe traffic between zones.
6. Associate class maps with policy maps to define actions applied to specific policies.
7. Assign policy maps to zone pairs.
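The seven ZBPFW steps above as one added example (not one of the original slides): two zones, an inspected inside-to-outside pair, a locked-down outside-to-inside pair, and a policy for the router's own self zone. Zone and policy names, interfaces and the protocol list are placeholders.

```cisco
! Added example (not from the slides). Zone/policy names, interfaces and
! the protocol list are placeholders.
!
! 3. zones and membership
zone security INSIDE
zone security OUTSIDE
interface GigabitEthernet0/1
 description inside
 zone-member security INSIDE
interface GigabitEthernet0/0
 description outside
 zone-member security OUTSIDE
!
! 5. class maps: the traffic inside users may start
class-map type inspect match-any INSIDE-TO-OUTSIDE-APPS
 match protocol http
 match protocol https
 match protocol dns
 match protocol ssh
 match protocol icmp
!
! 6. policy maps: inspect = stateful, replies allowed back automatically
policy-map type inspect INSIDE-TO-OUTSIDE-POLICY
 class type inspect INSIDE-TO-OUTSIDE-APPS
  inspect
 class class-default
  drop log
! nothing from outside may start a session toward the inside
policy-map type inspect OUTSIDE-TO-INSIDE-POLICY
 class class-default
  drop log
!
! 4 + 7. zone pairs, one per direction, with their policies
zone-pair security IN-OUT source INSIDE destination OUTSIDE
 service-policy type inspect INSIDE-TO-OUTSIDE-POLICY
zone-pair security OUT-IN source OUTSIDE destination INSIDE
 service-policy type inspect OUTSIDE-TO-INSIDE-POLICY
!
! self zone: traffic to and from the router itself is allowed by default.
! Restrict what the outside may send to the router to IKE/ESP and the
! replies to traffic the router starts (NTP here). "pass" is stateless,
! so each needed reply must be listed explicitly.
ip access-list extended OUTSIDE-TO-SELF
 permit udp any any eq isakmp
 permit udp any any eq non500-isakmp
 permit esp any any
 permit udp any eq ntp any
class-map type inspect match-all OUTSIDE-TO-SELF-CLASS
 match access-group name OUTSIDE-TO-SELF
policy-map type inspect OUTSIDE-TO-SELF-POLICY
 class type inspect OUTSIDE-TO-SELF-CLASS
  pass
 class class-default
  drop log
zone-pair security OUT-SELF source OUTSIDE destination self
 service-policy type inspect OUTSIDE-TO-SELF-POLICY
end
!
! verify: pairs and their policies, then the live session table
show zone-pair security
show policy-map type inspect zone-pair sessions
```

Adding the self-zone pair is the step that most often locks administrators out: everything not in `OUTSIDE-TO-SELF` is now dropped, including SSH from the outside, which is the intent here but must be decided, not discovered. Test from a console session, and remember that the SELF-to-OUTSIDE direction stays open until a pair for it is created too.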
Configuring Cisco IOS Firewall Authentication Proxy:
• HTTP, HTTPS, FTP, and Telnet authentication
• Provides dynamic, per-user authentication and authorization via the TACACS+ and RADIUS protocols
• Once authenticated, all types of application traffic can be authorized
• Works on any interface type for inbound or outbound traffic
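An added authentication-proxy example (not one of the original slides): users on the inside interface are intercepted on their first HTTP request, authenticated by TACACS+, and the per-user ACL the server returns is installed on the interface for the duration of the cache entry. Server address, key, interface names, addresses and the timer are placeholders.

```cisco
! Added example (not from the slides). Server address, key, interfaces,
! addresses and the timer are placeholders.
!
aaa new-model
aaa authentication login default group tacacs+ local
! auth-proxy has its own authorization method list
aaa authorization auth-proxy default group tacacs+
tacacs-server host 10.1.1.10 key TacacsKeyPlaceholder
!
! the login page is served by the router's HTTP(S) server, which must
! authenticate through AAA, not the enable password
ip http server
ip http secure-server
ip http authentication aaa
!
! proxy rule: an HTTP request triggers the login page; the cache entry
! (and the dynamic ACL entries) is removed after 60 idle minutes
ip auth-proxy auth-proxy-banner http
ip auth-proxy name AUTH-HTTP http inactivity-time 60
!
! static ACL: allow the browser to reach the router's login page and DNS,
! deny everything else; the proxy inserts per-user permits on success
ip access-list extended INSIDE-IN
 permit tcp 10.1.1.0 0.0.0.255 host 10.1.1.1 eq www
 permit tcp 10.1.1.0 0.0.0.255 host 10.1.1.1 eq 443
 permit udp 10.1.1.0 0.0.0.255 host 10.2.1.53 eq domain
 deny   ip any any
!
interface GigabitEthernet0/1
 description inside, user segment
 ip address 10.1.1.1 255.255.255.0
 ip access-group INSIDE-IN in
 ip auth-proxy AUTH-HTTP
end
!
! verify: the rule, then authenticated users with their remaining time
show ip auth-proxy configuration
show ip auth-proxy cache
```

On the TACACS+ server the user's `auth-proxy` service must return `priv-lvl=15` and one or more `proxyacl#n` attributes (for example `proxyacl#1=permit tcp any any eq 80`); the source address in each returned entry is replaced with the authenticated host's address when the dynamic ACL is built. Without these attributes authentication succeeds but no traffic is opened.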
Configuring Cisco IOS IPS:
• Uses the underlying routing infrastructure
• Inline deep packet inspection
–Software-based inline intrusion prevention sensor
• IPS signature support
–Signature-based packet scanning, uses the same set of signatures as the IDS Sensor platform
–Dynamic signature update (no need to update the IOS image)
–Customized signature support
• Variety of event actions configurable on a per-signature basis
• Parallel signature scanning
• Named and numbered extended ACL support
Cisco IPS Hardware Modules:
Signature Engines:
Signature Actions:
• Alarm
• Sends an alarm via syslog and SDEE
• Reset
• Applies to TCP connections; sends a reset to both peers
• Drop
• Drops the packet
• DenyAttackerInline
• Blocks the attacker's source IP address completely. No connection can be established from the attacker through the router until the shun time expires (this is set by the user).
• DenyFlowInline
• Blocks the offending TCP flow from the attacker. Other connections from the attacker can still be established through the router.
Event Risk Rating Calculation:
• The risk rating combines the signature's attack severity rating and signature fidelity rating with the target value rating assigned to the destination; higher values are what event action overrides key on.
Signature Definition File (SDF):
• An SDF contains all or a subset of the signatures supported by Cisco IPS.
• An IPS loads the signatures contained in the SDF and scans incoming traffic for matching signatures.
• The IPS enforces the policy defined in the signature action.
• Cisco IPS uses the SDF to populate internal tables with the information necessary to detect each signature.
• The SDF can be saved in the router flash memory.
• SDFs are downloaded from cisco.com.
• Two pre-built SDFs:
• 256MB.sdf
• 128MB.sdf
Issues to Consider:
• Memory use and performance impact
• Limited persistent storage
• CPU-intensive
• Updated signature coverage
• More than 1500 common attacks
Configuration Tasks:
• Install Cisco IOS Firewall IPS on the router:
• Specify the location of the SDF.
• Create an IPS rule.
• Attach a policy to a signature (optional).
• Apply the IPS rule to an interface.
• Configure logging via syslog or SDEE.
• Verify the configuration.
Configure SDEE and HTTPS Server on the Cisco ISR:
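The IPS configuration tasks above as one added example (not one of the original slides), using the SDF-based signature format the slides describe, with SDEE over HTTPS and syslog as the event channels. Paths, addresses, the rule name and the disabled signature are placeholders.

```cisco
! Added example (not from the slides). Paths, addresses, the rule name and
! the tuned signature ID are placeholders.
!
! --- logging: syslog host and SDEE (SDEE is served by the HTTPS server) ---
logging host 10.1.1.50
logging trap informational
ip http secure-server
ip http authentication local
username ipsmon privilege 15 secret IpsMonSecretPlaceholder
ip ips notify sdee
ip ips notify log
! SDEE buffer depth and how many clients (e.g. CCP) may subscribe
ip sdee events 500
ip sdee subscriptions 1
!
! 1. signature file: the smaller pre-built set for a 128 MB router. If the
!    engines cannot be built, drop traffic rather than pass it unscanned.
ip ips sdf location flash:128MB.sdf
ip ips fail closed
!
! 2. IPS rule; the optional ACL excludes traffic that need not be scanned
!    (here the management subnet) to save CPU
ip access-list extended IPS-SCOPE
 deny   ip 10.1.1.0 0.0.0.255 any
 permit ip any any
ip ips name IOS-IPS list IPS-SCOPE
!
! 3. (optional) per-signature tuning: disable a noisy one instead of
!    turning off the whole engine
ip ips signature 2004 0 disable
!
! 4. apply inbound on the untrusted interface
interface GigabitEthernet0/0
 description outside
 ip ips IOS-IPS in
end
!
! 5. verify: loaded SDF and engines, signature list, hit counters, events
show ip ips configuration
show ip ips signatures
show ip ips statistics
show ip sdee events
```

Releases from 12.4(11)T onward use the 5.x signature format instead: `ip ips config location` replaces `ip ips sdf location`, signatures are enabled by category (`ip ips signature-category`), and the event action override and event action filter screens in Cisco Configuration Professional shown on the following slides operate on that format. `ip ips fail closed` is the setting to decide deliberately: it trades availability for the guarantee that nothing passes while the engine is rebuilding after a signature update.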
Tune Signature in Cisco Configuration Professional:
Configure Event Action Override:
Configure Event Action Filter:
Network Address Translation (NAT):
NAT Types:
• Static NAT: a fixed one-to-one mapping between an inside local and an inside global address.
• Dynamic NAT: inside local addresses are mapped, as needed, to addresses drawn from a pool.
• PAT (NAT overload): many inside local addresses share one inside global address and are distinguished by port number.
• Static NAT Example:
• Dynamic NAT Example:
• PAT Example:
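The three NAT types above in one added example (not one of the original slides): static NAT for a server, dynamic NAT from a pool for one subnet, PAT on the outside interface for everyone else, and the exemption that keeps site-to-site VPN traffic out of NAT. Addresses and interface names are placeholders.

```cisco
! Added example (not from the slides). Addresses and interface names are
! placeholders.
!
interface GigabitEthernet0/1
 description inside
 ip address 10.1.1.1 255.255.255.0
 ip nat inside
interface GigabitEthernet0/0
 description outside
 ip address 203.0.113.1 255.255.255.240
 ip nat outside
!
! static NAT: the public 203.0.113.10 always maps to the internal web server
ip nat inside source static 10.1.1.10 203.0.113.10
!
! dynamic NAT: the server subnet draws from a small public pool; when the
! pool is exhausted further hosts get no translation at all
ip access-list standard NAT-SERVERS
 permit 10.1.2.0 0.0.0.255
ip nat pool PUBLIC-POOL 203.0.113.11 203.0.113.13 netmask 255.255.255.240
ip nat inside source list NAT-SERVERS pool PUBLIC-POOL
!
! PAT: everyone else shares the outside interface address. NAT runs before
! encryption, so traffic that must enter the VPN with its private address
! is excluded first (the deny lines), and the server subnet is excluded so
! the two dynamic rules never overlap.
ip access-list extended NAT-USERS
 deny   ip 10.1.0.0 0.0.255.255 10.2.0.0 0.0.255.255
 deny   ip 10.1.2.0 0.0.0.255 any
 permit ip 10.1.0.0 0.0.255.255 any
ip nat inside source list NAT-USERS interface GigabitEthernet0/0 overload
!
! translation entries hold ports open until they time out; shorten UDP
! so a scan or a flood cannot pin thousands of ports for a day
ip nat translation udp-timeout 120
ip nat translation tcp-timeout 3600
end
!
! verify: the live table (Pro/Inside global/Inside local/Outside ...),
! then hit counts per rule and pool usage
show ip nat translations
show ip nat statistics
! clear the table after changing rules so stale entries do not mask them
clear ip nat translation *
```

The deny line at the top of `NAT-USERS` is the one that matters when this router also terminates the site-to-site tunnel from the IPsec section: without it the crypto ACL never matches, because by the time the packet is compared the source has already become 203.0.113.1.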
After Implementing Mitigation Techniques: