
CCNA Security

IINS (640-553)
Studyshorts
Help get yourself certified with Studyshorts

www.studyshorts.co.uk

CCNA Security IINS (640-553)

Legal notice and disclaimer .......................................................................................................................... 4
Introduction .................................................................................................................................................. 5
Cisco Security Management Tools ........................................................................................................... 6
Control of Data ......................................................................................................................................... 6
Security Policy........................................................................................................................................... 7
Risk............................................................................................................................................................ 8
System Development Life Cycle (SDLC) .................................................................................................... 8
Understanding the Risks ............................................................................................................................... 9
Layer 2 risks ............................................................................................................................................ 10
Layer 3 risks ............................................................................................................................................ 11
Upper Layer risks .................................................................................................................................... 13
Physical ................................................................................................................................................... 14
Configuring Devices .................................................................................................................................... 15
Basic device Configuration ..................................................................................................................... 15
AAA ......................................................................................................................................................... 17
User Privileges ........................................................................................................................................ 19
Logon Security ........................................................................................................................................ 20
AutoSecure and One Step Lock Down .................................................................................................... 21
Logging.................................................................................................................................................... 23
NTP ......................................................................................................................................................... 24
Layer 2 security ........................................................................................................................................... 26
Port Security ........................................................................................................................................... 26
802.1x Port Security / Network Admission Control (NAC) ..................................................................... 27
Storm Control ......................................................................................................................................... 27
Span ports (Switchport Analyser) ........................................................................................................... 28
Securing VLANs ....................................................................................................................................... 28
Securing IP at Layer 2 ............................................................................................................................. 30
Useful Commands................................................................................................................................... 31
Best Practices.......................................................................................................................................... 31
IOS Firewall ................................................................................................................................................. 32
Firewall Introduction .............................................................................................................................. 32
Static Packet Filtering ............................................................................................................................. 32
CBAC/Classic Firewall ............................................................................................................................. 35

http://www.studyshorts.co.uk

M Morgan ©2010

Page 2 of 60

Zone based Firewall (ZFW) ..................................................................................................................... 35
IPS ............................................................................................................................................................... 38
IPS Introduction ...................................................................................................................................... 38
Configuring IPS on a Cisco Router using SDM ........................................................................................ 40
Logging & Monitoring ............................................................................................................................. 41
Notes ...................................................................................................................................................... 43
VPN / Cryptography .................................................................................................................................... 44
Hashing & Digital signatures................................................................................................................... 44
Encryption............................................................................................................................................... 45
Key Management ................................................................................................................................... 47
PKI ........................................................................................................................................................... 48
IPSec ....................................................................................................................................................... 49
Configuring Site to Site VPNs .................................................................................................................. 51
Endpoint Security ....................................................................................................................................... 54
Endpoint Security Introduction .............................................................................................................. 54
Cisco NAC ................................................................................................................................................ 55
Cisco Security Agent (CSA)...................................................................................................................... 56
IronPort................................................................................................................................................... 56
San and Voice Security ............................................................................................................................... 57
SAN Security ........................................................................................................................................... 57
Voice Security ......................................................................................................................................... 58
Notes .......................................................................................................................................................... 59
Further Reading .......................................................................................................................................... 60


Legal notice and disclaimer

Version 1.1
Copyright © 2012 Michael Morgan. All rights reserved.

StudyShorts guides are intended to provide enough information for last minute exam preparation and reference, and are not a substitute for other training material. They were prepared to assist my studies and passing the associated exam and as such may contain errors and some facts may have been summarised or removed.

This publication may be used free of charge. Any redistribution or reproduction of part or all of the contents in any form is prohibited other than printing for personal use. You may not, except with our express written permission, distribute or commercially exploit the content; selling without prior written consent is prohibited.

If this publication is not obtained from http://www.studyshorts.co.uk/ or http://www.caerffili.co.uk/ the publication held is considered a pirated copy and must be destroyed immediately.

Introduction

IEEE Standards

IEEE No                 Use
802.1d                  STP
802.1q                  VLAN trunking
802.1w                  RSTP (Rapid Spanning Tree Protocol)
802.1x                  Port based Network Access Control
Ethernet II (DIX v2.0)  Ethernet (with frame type field)
802.3                   Ethernet (with length field)
802.3u                  100Base-T
802.3z                  1000Base-X (Fibre)
802.3ab                 1000Base-T (Ethernet)
802.5                   Token Ring
802.11a                 5 GHz
802.11b                 2.4 GHz (1-6-11 clean channels)
802.11g                 2.4 GHz (1-6-11 clean channels)
802.11i                 WPA2

Number Table (subnet mask octet values)

Bit value   Mask octet (this bit and higher set)   Wildcard octet (this bit and lower set)
128         128                                    255
64          192                                    127
32          224                                    63
16          240                                    31
8           248                                    15
4           252                                    7
2           254                                    3
1           255                                    1

Well Known Ports

Protocol       Port          IP protocol
FTP            20, 21        TCP
SSH            22            TCP
Telnet         23            TCP
SMTP           25            TCP
TACACS+        49            TCP
DNS            53            TCP, UDP
DHCP / BOOTP   67, 68        UDP
TFTP           69            UDP
POP3           110           TCP
NEWS (NNTP)    119           TCP
NTP            123           UDP
SNMP           161, 162      UDP
RADIUS         1645 / 1812   UDP

Definitions

Term                   Description
NIPS                   Network IPS
HIPS                   Host based IPS

Hardening a system     Remove known system vulnerabilities by upgrading, patching and disabling unneeded applications and services.
Bastion Host           A host which is placed in an exposed position, such as a PC running a firewall. It is therefore expected to be hardened.
Blended Threat         An attacker uses multiple means of propagation, such as viruses with worm like capabilities.
Rainbow Tables         A precomputed list of plaintext strings and the corresponding (MD5 / SHA) hashes. A captured unsalted hash is simply looked up to find a plaintext that produces it; for password hashes this is almost always the original password, although any plaintext with the same hash would be accepted by the system.
Password salting       A random value (the salt) is combined with the password before hashing and stored next to the hash. Because of the avalanche effect a different salt gives a completely different hash, so a single precomputed rainbow table no longer matches and every salted hash has to be attacked separately.
IP Directed broadcast  An IP packet whose destination address is a valid broadcast address for some IP subnet and which originates from a node that is not itself part of that destination subnet.
Anti-X                 Anti Virus, HIPS, Anti Spam etc.

Cisco Security Management Tools

Security Device Manager (SDM) – A Java/web based tool to configure and manage standalone routers.

Cisco Security Monitoring, Analysis and Response System (MARS) – Appliance based reporting and logging solution that correlates network events from all devices to identify threats. It is able to notify administrators and reconfigure network devices to reduce the impact of the threat. The risk of false positives is reduced as MARS correlates data from multiple sources.

Cisco IDS Event Viewer (IEV) – Java based no-cost solution for viewing and managing up to five IPS/IDS sensors. IEV supports SDEE communication with the sensor. IEV is currently being replaced with the Cisco IPS Express Manager (IME).

Cisco Security Manager (CSM) – A powerful GUI management platform to manage a Cisco based network containing up to thousands of devices. CSM is capable of managing many Cisco devices (ASA, IPS sensors, VPN etc).

Control of Data

Typical data classifications include military – Unclassified, Sensitive But Unclassified (SBU), Confidential, Secret & Top Secret. US Government data classification levels – Confidential, Secret & Top Secret.

Roles in data storage / use –
- Owner – Ultimately responsible for the data; decides the classification, selects custodians and reviews the data.
- Custodian – Day to day responsibility for the data, such as backups, reviews of security settings etc.
- User – No responsibility for the classification of the data but is responsible for the correct use of the data according to operational procedures.

Security Controls –
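The rainbow table and salting definitions above, shown as an added example (my code, not part of the StudyShorts guide): a precomputed hash-to-plaintext dictionary stands in for a rainbow table, the wordlist and passwords are constructed, and the same wordlist is shown failing against a salted hash until it is rehashed per salt.

```python
"""Added example (not from the StudyShorts guide): a precomputed
hash -> plaintext table (the rainbow-table idea, kept as a plain dictionary)
recovers unsalted password hashes in one lookup, while a random per-password
salt makes the same table useless. Wordlist and passwords are constructed."""
import hashlib
import hmac
import os

# Constructed stand-in for a real wordlist / rainbow-table input.
WORDLIST = ["password", "letmein", "cisco123", "Summer2010", "qwerty"]


def unsalted_hash(password, algo="sha256"):
    """How a naive system stores a password: hash of the password alone."""
    return hashlib.new(algo, password.encode()).hexdigest()


def build_lookup_table(words, algo="sha256"):
    """Precompute digest -> plaintext for every candidate word (done once,
    reusable against every unsalted hash in the same algorithm)."""
    return {unsalted_hash(w, algo): w for w in words}


def crack_unsalted(stored_digest, table):
    """Unsalted hash: a single dictionary lookup recovers the password
    (or None if the table does not cover it)."""
    return table.get(stored_digest)


def salted_hash(password, salt=None, algo="sha256"):
    """Hash salt||password with a random 16-byte salt. The salt is stored
    beside the digest; it does not need to be secret."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.new(algo, salt + password.encode()).hexdigest()
    return salt, digest


def verify_salted(password, salt, stored_digest):
    """Constant-time comparison so the verifier itself does not leak timing."""
    _, digest = salted_hash(password, salt)
    return hmac.compare_digest(digest, stored_digest)


def crack_salted(salt, stored_digest, words):
    """With a salt the attacker cannot reuse the precomputed table: every
    candidate must be rehashed with this specific salt (one table per salt)."""
    for w in words:
        if salted_hash(w, salt)[1] == stored_digest:
            return w
    return None


if __name__ == "__main__":
    table = build_lookup_table(WORDLIST)
    print("unsalted lookup:", crack_unsalted(unsalted_hash("cisco123"), table))
    salt, digest = salted_hash("cisco123")
    print("same table vs salted hash:", crack_unsalted(digest, table))
    print("rehash per salt:", crack_salted(salt, digest, WORDLIST))
```

Salting only removes the precomputation shortcut; the per-salt dictionary attack in `crack_salted` still runs at full hash speed, which is why real password storage also uses a deliberately slow function (for example `hashlib.pbkdf2_hmac`, bcrypt or scrypt) rather than a single SHA-256.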

- Administrative – Controls policies and procedures, including security awareness training, security policies and standards, change controls, audits etc.
- Technical – Controls the electronics, hardware, software etc. Includes IPS, NIPS, HIPS (Cisco Security Agent), Out of Band management, OTP systems, access passwords, VPN, authentication servers etc.
- Physical – Intruder detection, locks, security guards, UPS, fire control systems etc.

Each control can be broken down into three sections: Preventative, Deterrent and Detective.

Security Policy

A defined policy to inform users (Acceptable Use Policy), specify mechanisms for security and provide a security baseline. Aim – Creation of a dynamic (monitor, revise & adapt to the latest risks) security policy.

Goals for security –
- Confidentiality – Ensure the data is confidential. An example attack is a reconnaissance attack, where the attacker wants to gather confidential information such as data or passwords without being noticed. Encryption is a useful method to ensure confidentiality.
- Data integrity – Ensure the data is not changed during a transfer and that the data origin is authentic (example attack: man in the middle).
- Availability – Example attack is a DoS attack.

Response to Security Breaches

To prosecute an attacker the following things must be established:
- Motive – Compile a list of individuals with a motive to perform the attack.
- Means – Did the suspected attackers have the technical know-how and tools to perform the attack.
- Opportunity – Did the individuals have the opportunity to perform the attack.

Disaster Recovery –
- Hot Site – A complete redundant site with comparable hardware and a very recent copy of the data. To swap over only the latest data changes need to be applied. This allows recovery in seconds or minutes.
- Warm Site – A redundant site where the hardware is configured but does not contain the data. This requires physical access to the site to configure the systems and as a result can take days to bring online.
- Cold Site – A site with core facilities (power, racks etc) but no computing equipment. Routers, servers etc need to be acquired before the site can be set up. Can take weeks to bring online.

Cisco Self-Defending Network – A suite of security solutions to identify threats, prevent threats and adapt to emerging threats to achieve a "Secure Network Platform". It consists of two key components, Cisco Security Manager and MARS (Monitoring, Analysis and Response System), to monitor and control network security devices and tools such as IOS & ASA firewalls.

Cisco's Defense in Depth – Implement multi layer network defences: ASA/firewalls, switches, WAN links, VPN, NAC & Cisco Security Agent.

A policy can contain –

- Standards – Define the standards used by the organisation at a high level, typically defined by national security agencies & institutes. Essential to ensure consistency.
- Guidelines – A list of suggestions and best practices.
- Procedures – In depth procedures with step by step instructions on how to perform day to day actions.

Risk

Risk Analysis methods –
- Quantitative – Uses a mathematical model to derive a monetary cost of losses per annum which can then be used to justify countermeasures.
  - Asset Value (AV) – Value of the asset including purchase price, development costs, maintenance costs, implementation costs, system integration etc.
  - Exposure Factor (EF) – An estimated percentage of loss/destruction that would occur in an event. This could be around 50% for example: provided the software and data are backed up offsite, the loss would only be the hardware.
  - Single Loss Expectancy (SLE) – The expected monetary loss for a single occurrence of a threat. SLE = AV * EF.
  - Annualised Rate of Occurrence (ARO) – The expected annual frequency of the event.
  - Annualised Loss Expectancy (ALE) – Total expected loss per annum. ALE = SLE * ARO = AV * EF * ARO.
- Qualitative – A scenario based model used for large risk assessments where calculating the quantitative risk is impractical due to the quantity of assets.

System Development Life Cycle (SDLC)

Phases
- Initiation – Consists of a definition of the potential impact should a breach of security occur and an initial risk assessment.
- Acquisition and Development – Consists of a more in depth risk assessment, security functional & assurance analysis and cost considerations.
- Implementation – Inspections, acceptance, system integration and security certification.
- Operations and Maintenance – Configuration management & control and continuous monitoring.
- Disposition – Information preservation (keep the data stored on the system), media sanitisation and disposal.

Understanding the Risks

Hacker            Purpose
Black Hat         Profit financially from hacking others
White Hat         To test network security, usually their own – ethical
Grey Hat          Combination of the above two
Phreakers         Hack to make cheap / free phone calls
Hacktivist        Further their cause / beliefs
Script Kiddy      Not true hackers but download tools from the internet to perform hacks
Academic Hacker   Attempt to hack to further their education (steal other people's assignments or amend grades)
Hobby Hacker      Purely a hobby, not intending to cause any harm

Attack Category   Description
Passive           Gather information / reconnaissance. Very difficult to detect.
Active            Actively trying to break into a system or leaving malicious payloads. This is easier to detect as the attacker must be actively sending traffic.
Close-in          Typically an external person manages to physically connect to the inside of the network to perform an attack.
Insider           People who are employed by a company trying to hack the internal systems/data.
Distribution      Software/hardware developers deliberately leave "backdoors" in their systems to allow future access.

Attack Type            Description
Reconnaissance         Gathering information for a future access / DoS attack.
Access Attacks         Attempt to steal information.
Denial of Service      Attempt to break things (destroyers, crashers, flooders). The attack will either crash the system or make it unresponsive to legitimate use.
Social Engineering     Befriend an internal employee to exploit their position (give out network details, passwords, launch an unauthorised VPN tunnel).
Privilege escalation   Exploit a software vulnerability (such as a buffer overflow) to gain higher authorisation. Two forms: horizontal, where an attacker tries to access information belonging to other users at the same level, and vertical, where the attacker tries to gain higher (administrative) privileges.

Security method   Description
Firewalls / ASA
Anti-X            Anti-Spyware, Anti-Virus, Anti-Spam etc.
IDS               Sits outside of the 'forwarding path' looking for and reporting problems.
IPS               Sits inside of the 'forwarding path' looking for, reporting and filtering problems.

Hacking Approach
1. Reconnaissance – Learn about the system by performing port scans etc (also known as 'footprinting').
2. Identify applications and operating systems.
3. Use this information to find vulnerabilities.
4. Gain access. Log in with user credentials, then escalate privileges. Social engineering is the most common method, by persuading somebody to give out their login details.
5. Gather / create additional usernames and passwords in case the original username is removed.

6. Create a backdoor to allow future access, in case the main point of entry is shut down.
7. Use the system – Steal data, cause denial of service etc.

Layer 2 risks

Reconnaissance (Packet Capture) – Use of tools such as Wireshark to pull data off the wire.

Denial of Service (CAM Overflow Attack / MAC Flooding Attack) – An attacker floods the switch with frames containing different source MAC addresses. Once the CAM table is full the switch can no longer learn new addresses and floods frames for unknown destinations out of every port, in effect acting like a hub. Packet sniffers can now capture confidential data, as frames are sent out of all ports. Additionally this can cause the switch and network bandwidth to become saturated. The risk can be reduced using dot1x and some/all of the following commands:

(config-if)# switchport port-security                              Enable port security
(config-if)# switchport port-security maximum 2                    Set the maximum number of MAC addresses
(config-if)# switchport port-security mac-address 1234.5678.abcd   Define a static MAC address
(config-if)# switchport port-security mac-address sticky           Enable sticky learning

NOTE – In the examples above the syntax is in italic and the description in normal font. The default violation action is shutdown, which err-disables the port when the limit is exceeded.

VLAN Hopping Attack (Rogue Switch) – Some Cisco switches default to trunk mode 'dynamic desirable' on all switch ports; if a rogue switch is connected to a port a trunk will dynamically be created (using DTP), giving access to all VLANs. It is also possible for a host to send DTP packets in order to create a trunk with a switch. To remove the risk all non-trunking ports should be set to access mode (switchport mode access); setting the mode to 'dynamic auto' is not sufficient. Trunking ports should be placed into unconditional trunking mode with DTP disabled:

(config-if)# switchport mode trunk
(config-if)# switchport nonegotiate

VLAN Hopping Attack (Double Tagging) – A frame can be double tagged with two separate VLAN IDs. If the first tag matches the native VLAN of the trunk (the VLAN of the attacker's access port), the first tag is stripped off leaving the second tag; when received by a second switch the frame is forwarded into the VLAN of the second tag, which is the destination VLAN of the attack. Conditions for a successful attack:
- The attacker must be connected to an access port.
- The VLAN configured on that access port must be the native dot1q VLAN of the trunk.
Setting the native VLAN of trunks to a VLAN that is not used by any access port removes this risk.

STP Root Bridge Attacks – A rogue switch configured with a lower BID can become the root bridge on the network. This can cause inefficient traffic flow or, in the worst case if the rogue switch is connected to two different points in the network, some or all of the LAN traffic will pass through the rogue switch. Two methods exist to reduce the risk:

(config-if)# spanning-tree guard root

If Root Guard is configured on a port and a superior BPDU is received on that port, the port goes into the 'root-inconsistent' state and does not forward traffic. Once the superior BPDUs stop the port transitions through the STP states (Listening, Learning, Forwarding). This is typically enabled on all ports of the chosen root switch.

(config-if)# spanning-tree bpduguard enable

If BPDU Guard is configured on a port and any BPDU is received, the port is placed into the 'err-disabled' state. Alternatively BPDU Guard can be enabled automatically on all PortFast ports using:

(config)# spanning-tree portfast bpduguard default

MAC Address Spoofing – A rogue host transmits a frame with the source MAC address of another host. The CAM table is updated to send traffic destined for the original host to the rogue host instead. This can be avoided using port security.

Layer 3 risks

Man in the Middle Attack (Gratuitous ARP) – A gratuitous ARP message is normally sent out when an IP address or MAC address changes, typically in failover situations such as server clustering: if the active server / LAN card fails, a gratuitous ARP is sent to inform all clients of the MAC address of the new active server / LAN card. This forces all connected devices to update their ARP tables. It can be exploited if a rogue host sends a gratuitous ARP replacing the MAC address of the default gateway's IP address, so that all traffic destined for the gateway is sent to the rogue host instead. This can be mitigated using Dynamic ARP Inspection (which validates ARP packets against the DHCP snooping binding table).

Man in the Middle Attack (rogue DHCP server) – A rogue DHCP server is introduced into the network and hands out incorrect DNS and default router IP addresses. The incorrect addresses could result in network traffic passing through the attacking host in an attempt to gain confidential data / passwords etc. DHCP Snooping removes the risk of unauthorised DHCP servers by only accepting DHCP server responses on trusted ports.

Denial of Service Attack (DHCP Pool Exhaustion) – A rogue host makes multiple DHCP requests (each with a different MAC address) which use up the allocated DHCP pool. This can be stopped by enabling port security with a maximum number of MAC addresses and rate limiting DHCP on the port with the command
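The Layer 2 hardening described in the sections above (access/trunk mode and DTP, native VLAN, port security, BPDU Guard, DHCP snooping) as an added example: a script that audits a switch running-config for those settings. This is my code, not Cisco's and not part of the StudyShorts guide; the configuration it parses is constructed for illustration and the interface names are arbitrary.

```python
"""Added example (not Cisco's and not from the StudyShorts guide): audit an
IOS switch running-config for the Layer 2 hardening covered in the sections
above (access/trunk mode and DTP, native VLAN, port security, BPDU guard,
DHCP snooping). The configuration below is constructed for illustration."""

SAMPLE_CONFIG = """\
ip dhcp snooping
ip dhcp snooping vlan 10
spanning-tree portfast bpduguard default
!
interface GigabitEthernet0/1
 description uplink to core
 switchport mode trunk
 switchport trunk native vlan 999
 switchport nonegotiate
 ip dhcp snooping trust
!
interface GigabitEthernet0/2
 description hardened user port
 switchport mode access
 switchport access vlan 10
 switchport port-security
 switchport port-security maximum 2
 switchport port-security mac-address sticky
 spanning-tree portfast
 ip dhcp snooping limit rate 10
!
interface GigabitEthernet0/3
 description user port left at defaults
 switchport access vlan 10
 spanning-tree portfast
!
interface GigabitEthernet0/4
 description trunk left at defaults
 switchport mode trunk
!
"""


def parse_interfaces(config):
    """Return {interface name: [indented lines]} for each interface block.
    A non-indented line ends the current block."""
    blocks, current = {}, None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            blocks[current] = []
        elif line.startswith(" ") and current is not None:
            blocks[current].append(line.strip())
        else:
            current = None
    return blocks


def audit(config):
    """Return a list of (scope, finding) tuples; an empty list means nothing to fix."""
    global_lines = {l.strip() for l in config.splitlines() if not l.startswith(" ")}
    bpduguard_default = "spanning-tree portfast bpduguard default" in global_lines
    findings = []
    if "ip dhcp snooping" not in global_lines:
        findings.append(("global", "DHCP snooping disabled (rogue DHCP server; DAI has no binding table)"))
    for name, lines in parse_interfaces(config).items():
        present = set(lines)
        if "switchport mode trunk" in present:
            if "switchport nonegotiate" not in present:
                findings.append((name, "trunk still speaks DTP; add 'switchport nonegotiate'"))
            native = next((l.split()[-1] for l in lines
                           if l.startswith("switchport trunk native vlan ")), "1")
            if native == "1":
                findings.append((name, "native VLAN is 1; double-tagging risk, move it to an unused VLAN"))
        else:
            if "switchport mode access" not in present:
                findings.append((name, "not forced to access mode; DTP can still negotiate a trunk"))
            if "switchport port-security" not in present:
                findings.append((name, "port security off; CAM overflow / MAC spoofing / DHCP starvation"))
            if ("spanning-tree portfast" in present and not bpduguard_default
                    and "spanning-tree bpduguard enable" not in present):
                findings.append((name, "PortFast without BPDU guard; a rogue switch could join STP"))
    return findings


if __name__ == "__main__":
    for scope, finding in audit(SAMPLE_CONFIG):
        print(f"{scope}: {finding}")
```

Run it against the output of `show running-config` saved to a file; only the two interfaces "left at defaults" in the sample are reported. The check is deliberately literal (exact command strings), so a config using abbreviated or defaulted forms that IOS does not print would need the relevant `show` output instead.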

(config-if)# ip dhcp snooping limit rate x

NOTE – DHCP starvation tools usually spoof the client hardware address inside the DHCP payload rather than the frame source MAC, so port security alone may not see it; DHCP snooping also checks that the two addresses match.

Denial of service (TCP SYN flood) – The attacker sends many packets to the victim with the SYN flag set, sometimes using spoofed source IP addresses. This exhausts the server's resources (too many half-open connections), eventually leading to a denial of service. TCP Intercept on the router reduces the number of half-open connections reaching the server:

- Intercept mode – The router completes the TCP handshake on behalf of the server (it sends the SYN-ACK back to the originating host). If the handshake completes successfully the router then opens a TCP connection to the server and merges the two connections.
- Watch mode – The router only watches connection requests and resets incomplete connections after a set time (the watch-timeout).

TCP Intercept also monitors the total number of half-open connections. If this rises over a high watermark the router enters aggressive mode: one existing half-open connection is dropped for each new connection attempt and the timeouts are reduced, to shrink the number of half-open connections further. This continues until the count falls below a low watermark.

Mode      Description                                                                Command Syntax
(config)  Set the mode to 'watch'                                                    ip tcp intercept mode watch
(config)  Set the timeout before resetting an incomplete connection (watch mode)     ip tcp intercept watch-timeout seconds
(config)  Set the mode to 'intercept'                                                ip tcp intercept mode intercept
(config)  Define the ACL for traffic to monitor/protect                              ip tcp intercept list aclno
(config)  Set which half-open connection is dropped in aggressive mode               ip tcp intercept drop-mode {oldest | random}
(config)  High watermark of incomplete connections to enter aggressive mode (1100 default)   ip tcp intercept max-incomplete high number
(config)  Low watermark of incomplete connections to leave aggressive mode (900 default)     ip tcp intercept max-incomplete low number

NOTE – In the command syntax, parameters are italicised.

Denial of service (Smurf Attacks) – An attacker sends an echo request to a directed broadcast address with the source IP address spoofed to that of the victim host. As many hosts receive this echo request, they all reply to the victim, causing a potential DoS. This can be avoided if devices are configured not to reply to pings sent to a broadcast address. Additionally 'no ip directed-broadcast' (the default since IOS 12.0) should be configured on router interfaces so that directed broadcasts are not forwarded onto the LAN.

Denial of service (Ping of Death) – A ping carrying a large amount of data (some exceeding the 65535 byte limit of an IP packet) is sent to a host. It is fragmented as it crosses the internet, but when reassembled a server could crash or suffer corruption.

Denial of service (Ping Flood) – A large number of pings hit the target. These take up inbound bandwidth, processor resources to process, and then outbound bandwidth replying to the pings.

Reconnaissance (Ping/ICMP Sweep) – Used to find live IP addresses. If a host is found an attacker can launch a port scan.

Reconnaissance (Port Scan) – Scans all ports to find open ports on a single host.

Reconnaissance (Port Sweep) – Scans multiple hosts for a single open port (e.g. 80).

IP Spoofing – A host impersonates a valid network device's IP address to:
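The TCP Intercept behaviour described above (high/low watermarks, per-SYN dropping in aggressive mode, drop-mode oldest or random, watch-timeout), as an added example that models it in code. This is my illustration, not Cisco's implementation; the addresses and the small thresholds used in the demonstration are constructed, and the real defaults (1100 / 900 / 30 seconds) are the constructor defaults.

```python
"""Added example (not Cisco's and not from the StudyShorts guide): a small
model of how TCP Intercept's aggressive mode behaves, using the high/low
watermarks, the watch-timeout and the drop-mode options in the table above.
The addresses and thresholds used in the demonstration are constructed."""
import random
from collections import OrderedDict


class TcpInterceptModel:
    def __init__(self, high=1100, low=900, drop_mode="oldest", watch_timeout=30, seed=0):
        self.high, self.low = high, low
        self.drop_mode = drop_mode
        self.watch_timeout = watch_timeout
        self.half_open = OrderedDict()   # (src, sport) -> time SYN was seen, oldest first
        self.aggressive = False
        self.dropped = 0
        self.rng = random.Random(seed)   # seeded so 'random' drop mode is reproducible

    def on_syn(self, src, sport, now):
        """New SYN. In aggressive mode one existing half-open connection is
        dropped (oldest or random) for every new SYN before it is admitted."""
        if self.aggressive and self.half_open:
            if self.drop_mode == "oldest":
                victim = next(iter(self.half_open))
            else:
                victim = self.rng.choice(list(self.half_open))
            del self.half_open[victim]
            self.dropped += 1
        self.half_open[(src, sport)] = now
        self._update_mode()

    def on_handshake_complete(self, src, sport):
        """Final ACK seen: the connection is no longer half-open."""
        self.half_open.pop((src, sport), None)
        self._update_mode()

    def expire(self, now):
        """Watch-mode behaviour: reset half-open connections older than the
        watch-timeout (aggressive mode halves the effective timeout)."""
        timeout = self.watch_timeout / 2 if self.aggressive else self.watch_timeout
        stale = [k for k, t in self.half_open.items() if now - t > timeout]
        for k in stale:
            del self.half_open[k]
        self.dropped += len(stale)
        self._update_mode()
        return len(stale)

    def _update_mode(self):
        n = len(self.half_open)
        if not self.aggressive and n > self.high:
            self.aggressive = True      # crossed the high watermark
        elif self.aggressive and n < self.low:
            self.aggressive = False     # hysteresis: only leave below the low watermark


def simulate_syn_flood(n_syns, high=1100, low=900, drop_mode="oldest"):
    """Spoofed-source SYN flood: n_syns SYNs arrive one per tick, none completing."""
    m = TcpInterceptModel(high, low, drop_mode)
    for i in range(n_syns):
        m.on_syn(f"203.0.113.{i % 254 + 1}", 1024 + i, now=i)
    return m


if __name__ == "__main__":
    m = simulate_syn_flood(2000, high=100, low=80)
    print(f"aggressive={m.aggressive} half_open={len(m.half_open)} dropped={m.dropped}")
```

The point the model makes visible is that during a sustained flood the half-open count is pinned just above the high watermark (each new SYN costs an older one), and the router only leaves aggressive mode once enough handshakes complete or time out to fall below the low watermark, not as soon as it dips under the high one.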

- Send malicious code into the network.
- Trick other hosts into sending confidential data to the rogue host.
- Support a reconnaissance attack.

To hijack a session the attacker sniffs the network and attempts to find the TCP sequence number of an existing TCP session; the attacker can then ACK the connection and continue it using the spoofed IP address. Two methods: Non Blind (same subnet, the sequence numbers can be sniffed directly) and Blind (not the same subnet / separated by routers, the sequence numbers must be predicted).

To reduce the risk inbound packets must be filtered (ingress filtering). Packets with the source addresses defined in RFC3704 (RFC2827) should be filtered:
- 0.0.0.0/8
- 10.0.0.0/8 (RFC1918)
- 172.16.0.0/12 (RFC1918)
- 192.168.0.0/16 (RFC1918)
- 127.0.0.0/8
- 224.0.0.0/4
- 240.0.0.0/4

IP Source routing – This allows a sender to define the route used by the packet for outbound and inbound traffic. It is enabled by default; to turn it off use the command 'no ip source-route'.

Upper Layer risks

Password Attacks – Find the password using:
- Brute Force – Every password combination is attempted to gain access. This can take a long time and can be mitigated by setting the maximum number of failed login attempts and login blocking delays on the router.
- Dictionary – A dictionary of common words is used. A password policy requiring numbers and symbols in passwords, ideally not at the end or the start of the password, is advised.

Trust Exploitation – Indirect attack: rather than directly attacking the target, attack an easier host which has a trust relationship with the target, then use it as a stepping stone to the target.

Salami Attack – A number of small actions that do not in themselves cause damage but combined have a greater effect.

Data diddling – Changing data before or during input or storage.

Trojan Horses & Key loggers – Malicious code on a device to capture passwords and other data.

Virus – Cannot spread by itself; it requires help from a user to propagate, such as forwarding an infected file.

Worm – Spreads automatically throughout the network by looking for vulnerabilities in systems.
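The RFC3704 / RFC2827 ingress filter from the IP spoofing discussion above, as an added example: a check of inbound source addresses against the listed bogon prefixes plus the site's own prefix, and the equivalent IOS extended ACL. This is my code, not from the guide; the ACL number, the inside prefix 192.0.2.0/24 and the sample packets are constructed.

```python
"""Added example (not from the StudyShorts guide): RFC 3704 / RFC 2827
ingress filtering. Checks a packet's source address against the bogon list
above plus the site's own prefix, and emits the equivalent IOS extended ACL.
Addresses, ACL number and inside prefix are constructed."""
import ipaddress

# Source prefixes that must never arrive from the outside (from the list above).
BOGON_SOURCES = [
    "0.0.0.0/8",
    "10.0.0.0/8",        # RFC 1918
    "172.16.0.0/12",     # RFC 1918
    "192.168.0.0/16",    # RFC 1918
    "127.0.0.0/8",       # loopback
    "224.0.0.0/4",       # multicast is never a valid source
    "240.0.0.0/4",       # reserved
]


def should_drop_inbound(src_ip, inside_prefix):
    """True if a packet with this source, arriving on the outside interface,
    is spoofed: a bogon source or a source that claims to be inside."""
    src = ipaddress.ip_address(src_ip)
    if src in ipaddress.ip_network(inside_prefix):
        return True
    return any(src in ipaddress.ip_network(b) for b in BOGON_SOURCES)


def ingress_acl_lines(acl_number, inside_prefix):
    """IOS extended ACL implementing the same policy; apply it inbound on the
    outside interface with 'ip access-group <acl_number> in'."""
    nets = [ipaddress.ip_network(inside_prefix)]
    nets += [ipaddress.ip_network(b) for b in BOGON_SOURCES]
    # IOS ACLs use wildcard (inverse) masks, which ipaddress exposes as hostmask.
    lines = [f"access-list {acl_number} deny ip {n.network_address} {n.hostmask} any log"
             for n in nets]
    lines.append(f"access-list {acl_number} permit ip any any")
    return lines


def filter_inbound(packets, inside_prefix):
    """Apply the policy to (src, dst) pairs and return the packets that survive."""
    return [(s, d) for s, d in packets if not should_drop_inbound(s, inside_prefix)]


# Constructed sample: one legitimate packet and three spoofed ones.
SAMPLE_PACKETS = [
    ("10.1.1.1", "192.0.2.10"),      # RFC 1918 source from the internet
    ("203.0.113.7", "192.0.2.10"),   # legitimate external source
    ("192.0.2.99", "192.0.2.10"),    # claims to be inside our own prefix
    ("127.0.0.1", "192.0.2.10"),     # loopback source
]

if __name__ == "__main__":
    print(filter_inbound(SAMPLE_PACKETS, "192.0.2.0/24"))
    print("\n".join(ingress_acl_lines(101, "192.0.2.0/24")))
```

The generated ACL denies the site's own prefix first because that is the spoof most likely to pass everything else. The same idea applied in the other direction (egress filtering: only permit outbound packets whose source is inside your prefix) is what RFC 2827 actually asks of each network, and on IOS unicast RPF (`ip verify unicast source reachable-via rx`) achieves a similar check using the routing table instead of a static list.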

Trojan Horse – This appears to be a regular program but contains a malicious payload. Many contain a backdoor allowing remote access to an infected system.

Buffer Overflow – A buffer overflow occurs when something injects/sends more data to a program than its buffer can hold. This can overwrite the application's data and cause a crash, or overwrite the return address on the stack allowing malicious code to be run. Buffer overflow attacks are typically used to gain escalated privileges (rooting the system).

Physical
- Lock doors (card reader, PIN entry system).
- Tested UPS devices on network devices.
- Temperature monitoring.
- Proper disposal of equipment and documentation to avoid 'dumpster diving', where an attacker could acquire systems, IT documentation etc.
- Wiretapping – physical access to cables allowing the data passed over them to be retrieved electronically. Usually with voice traffic.
- Wireless sniffing.
- Social engineering.

Configuring Devices
Basic device Configuration
Creating a Banner
(config) # banner motd $ This is Router 1$                            - $ is the delimiter
(config) # banner login $ Please leave now if you are unauthorised$   - $ is the delimiter
The login banner appears after the motd banner but before the login prompt. The exec banner appears after logging in. It is possible to use tokens in the banner text which will be replaced with the actual value.
Banner message tokens
- $(hostname)
- $(domain)
- $(line)
- $(line-desc)

Configure SSH access
Telnet is unencrypted so using SSH is advised.
#             show ip ssh                                        - Show SSH config
#             show users                                         - Show logged in users
(config)      username admin password <password>                 - Create a user with a level 7 (reversible) password
(config)      username admin secret <password>                   - Create a user with a secret (hashed) password
(config)      ip domain-name <domain name>                       - Required before the RSA keys can be generated
(config)      crypto key generate rsa                            - Generate the encryption keys (prompts for the modulus)
(config)      crypto key generate rsa general-keys modulus bits  - Generate the encryption keys with the modulus given
(config)      ip ssh version 2                                   - Optional, accept SSH version 2 only
(config)      ip ssh authentication-retries x                    - Number of login retries
(config)      ip ssh time-out seconds                            - Set the timeout of the SSH login negotiation
(config)      line vty 0 4                                       - Enter VTY config mode
(config-line) transport input ssh                                - Set valid VTY protocols (SSH only, no telnet)
(config-line) login local                                        - Set VTY to use the local database
(config-line) login authentication <list>                        - If using AAA use this instead of login local
NOTES
- SSH settings in SDM can be found in the ‘Additional Tasks’ section under ‘Router Access’. This has a button ‘Generate RSA Key’.
- SSH requires either a local user database or AAA configured, as SSH does not support passwords created directly on the VTY lines.
- Recommended minimum key length is 1024 bits (2048 bits is the current recommendation).
- ‘ip ssh time-out seconds’ only refers to the length of time allowed to perform the login procedure. Once logged in ‘exec-timeout’ takes effect.
- SSH version 2 is more secure than version 1, which has known protocol weaknesses, and should be used wherever possible.

Enable SDM
Requires Java. SDM can either be installed to a router, a PC or both. The PC version gives a richer UI with more power. If installed on a router some .tar files containing the Java code will be copied to the router's flash. The SDM installer also has a set of base configuration files that will be copied to the router's flash for use in the event of the user using SDM to revert the router back to factory settings.
This config will perform the initial setup of the router and enable SDM access. The line VTY commands are not required for SDM use but are required for SDM installation.
(config)      username admin privilege 15 secret password  - Create a user in the local username database
(config)      ip http server *                              - Enable the http server
(config)      ip http authentication local                  - Set http to use the local username database
(config)      ip domain-name domainname *                   - Set the domain name of the router. Required for RSA
(config)      crypto key generate rsa general-keys *        - Generate the RSA key pair
(config)      ip http secure-server *                       - Enable the http secure server
(config)      line vty 0 4 *                                - Configure the vty lines. Required to install SDM
(config-line) login local *                                 - Set VTY to use the local user db. Required to install SDM
(config-line) privilege level 15                            - VTY login will be set to level 15 (NOT REQUIRED)
* Required to install SDM.
Typically either HTTP or HTTPS will be configured, not both.

IOS Resilient Configuration
These commands copy the IOS image and config to a hidden area in flash (requires a large CF card for the IOS image). This is called a bootset. You must be connected to the console.
(config) # secure boot-image                       - Make a resilient copy of the IOS image
(config) # secure boot-config                      - Make a resilient copy of the current config
# show secure bootset                              - Verify the bootset
(config) # secure boot-config restore flash:/test  - Restore the config to a file on flash
(config) # no secure boot-config                   - Disable boot config

Password Recovery
To stop access to rom monitor mode use the command (config) # no service password-recovery
It is no longer possible to use the rom monitor functions to change the config register or xmodem an IOS into flash. It is still possible to use ‘break’ at bootup and, after confirming the prompts, the startup config will be erased entirely.


AAA
What Is AAA


Authentication - Authenticates the user. AAA can be used for PPP, VTY, Console, AUX, VPN etc.
Authorisation - defines what the user can do.
Accounting - logs actions performed by the user.

AAA Sources


Local Database (Self Contained AAA) – Local ‘username xxx password xxx’ database.
RADIUS
TACACS+

Access Modes

Character – Used for remote administrative access to VTY, TTY, Aux and Console. AAA can be
configured for login, exec and enable.
Packet – Used for remote network access on async, BRI etc. AAA will be configured for ppp or
network.

RADIUS
Industry standard solution (IETF) allowing basic user authentication, with authorisation combined into
the same exchange (per-command authorisation is not supported). Only the password in the packet is
encrypted, all other communication is in clear text. UDP based (ports 1812/1813, or the older 1645/1646).
RADIUS cannot be used to authorise individual commands.
TACACS+
Cisco Secure Access Control Server (ACS) for Windows or the ACS Appliance. Cisco proprietary protocol
allowing complete Authentication (using internal or external databases such as Novell or Active Directory),
Authorisation (time of day, resource restrictions, connection limits, per-command authorisation) and
Accounting (CSV or ODBC). The whole packet body is encrypted. TCP based (port 49).
The authentication process is completely controlled by the ACS server. The router asks the ACS
server for the username prompt and presents it to the user. Once entered, the router
forwards the username to the ACS server and asks ACS for the password prompt, which is again
presented to the user. Once the user has entered the password this is sent to the ACS server for
authentication. The ACS server will send one of the following responses


Accept
Reject
Continue – The ACS server needs more information to authenticate the user.
Error – An error has occurred in the authentication process.

Configuring

# show privilege                                             - Display current privilege level of user
# show aaa sessions                                          - Show active AAA sessions
# show tacacs                                                - Show tacacs server config
# show radius {local-server | server group | stat | table}   - Show radius config
# debug aaa authentication                                   - Debug AAA authentication events
# debug tacacs [events]                                      - Debug tacacs events
# debug radius                                               - Debug radius events
(config) # aaa new-model                                     - Turn on AAA globally

Setup Local
(config) # username name secret pwd                           - Create a local username database entry
(config) # aaa local authentication attempts max-fail count   - Set maximum failed attempts before locking out the user
# clear aaa local user lockout username name                  - Clear a locked out user

Setup Radius Client
(config) # ip radius source-interface interface   - Set the source IP for packets
(config) # radius-server host ipaddr              - Set a server ip address
(config) # radius-server host ipaddr key key      - Set a server with a specific key
(config) # radius-server key key                  - Set a key for all radius servers

Setup Tacacs Client
(config) # ip tacacs source-interface interface                  - Set the source IP for packets
(config) # tacacs-server host ipaddr single-connection           - Set a server ip address
(config) # tacacs-server host ipaddr single-connection key key   - Set a server with a specific key
(config) # tacacs-server key key                                 - Set a key for all tacacs servers

Setup Authentication Method Lists
(config) # aaa authentication login default <method list>    - Create a login default authentication list
(config) # aaa authentication login name <method list>       - Create a login named authentication list
(config) # aaa authentication enable default <method list>   - Create an enable auth list (default only)
(config) # aaa authentication ppp default <method list>      - Create a PPP default authentication list
(config) # aaa authentication ppp name <method list>         - Create a PPP named authentication list

Authorisation
(config) # aaa authorization exec default <method list>      - Create a default authorisation list
(config) # aaa authorization exec name <method list>         - Create a named authorisation list

Accounting
(config) # aaa accounting commands 15 default start-stop <method list>   - Create a default accounting list for level 15 commands
(config) # aaa accounting exec default start-stop <method list>          - Create a default accounting list for exec sessions

Apply a method list to VTY lines
(config-line) # login authentication default   - Apply the default authentication list to a line
(config-line) # login authentication name      - Apply a named list to a line

Apply a method list to a PPP connection
(config-if) # ppp authentication chap default   - Set CHAP authentication using the default PPP method list
‘aaa new-model’ disables all traditional authentication methods (the password and login commands under the vty
lines etc). At a minimum a local username must be created first to avoid locking yourself out of the device.
Authentication Methods (method list)
Up to five methods can be specified in a method list (4 when configured through SDM). The list is tried from
the first entry to the last, but the next method is only consulted if the previous one returns an error (for
example the server does not respond or times out). If a method does respond and rejects the user, authentication
fails there and no further methods are checked; a fallback to ‘local’ therefore only helps when the AAA server is
unreachable, not when it denies the user. Possible methods

- enable – Use the enable password for authentication.
- group – Use the specified server group (radius / tacacs+).
- line – Use the line password for authentication.
- local – Use local username authentication.
- none – No authentication. There will be no login prompt.

Example
(config) # aaa new-model                                                 - Change to the new AAA model
(config) # tacacs-server host 10.20.0.2 single-connection                - Configure a TACACS+ server
(config) # aaa authentication login default group tacacs+ local          - Use TACACS+ with a fallback to local
(config) # aaa accounting commands 15 default start-stop group tacacs+   - Log level 15 commands
(config) # line vty 0 4
(config-line) # login authentication default
(config) # aaa authentication login NOLOGIN none                         - Define a list with no authentication
(config) # line con 0
(config-line) # login authentication NOLOGIN                             - Turn off the password on the console (only where physical access is controlled)
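A small simulation of the method-list rule stated above (a later method is only tried after an error, never after a rejection), added to these notes as an illustration; it is not IOS code and the server group, users and passwords in it are constructed. `TacacsGroup`, `LocalDatabase` and `NoneMethod` stand in for the ‘group tacacs+’, ‘local’ and ‘none’ methods of the example configuration.

```python
"""Simulation of IOS AAA method-list evaluation, added to these notes as an
illustration (it is not IOS code). Each method returns one of three outcomes:
PASS, FAIL (the method answered and rejected the user) or ERROR (the method
could not answer, e.g. server timeout). Only ERROR moves on to the next
method; FAIL is final. The servers and users below are constructed."""

PASS, FAIL, ERROR = "PASS", "FAIL", "ERROR"


class TacacsGroup:
    """Pretend TACACS+ server group. `reachable=False` models a timeout."""
    def __init__(self, users, reachable=True):
        self.users, self.reachable = users, reachable

    def authenticate(self, user, pwd):
        if not self.reachable:
            return ERROR
        return PASS if self.users.get(user) == pwd else FAIL


class LocalDatabase:
    """The router's own 'username ... secret ...' entries."""
    def __init__(self, users):
        self.users = users

    def authenticate(self, user, pwd):
        # An unknown local user is a FAIL, not an ERROR: IOS does not fall
        # through to the next method just because the name is missing.
        return PASS if self.users.get(user) == pwd else FAIL


class NoneMethod:
    """'none': no authentication, always succeeds."""
    def authenticate(self, user, pwd):
        return PASS


def run_method_list(methods, user, pwd):
    """Evaluate 'aaa authentication login <list> m1 m2 ...'.
    methods: list of (name, method) in configured order.
    Returns (decision, trace) where trace records each method consulted."""
    trace = []
    for name, method in methods:
        result = method.authenticate(user, pwd)
        trace.append((name, result))
        if result == PASS:
            return "ACCEPT", trace
        if result == FAIL:
            return "REJECT", trace       # final: later methods are NOT consulted
        # ERROR: fall through to the next method
    return "REJECT", trace               # every method errored: deny


if __name__ == "__main__":
    local = LocalDatabase({"admin": "L0calPw"})
    up = [("group tacacs+", TacacsGroup({"admin": "AcsPw"})), ("local", local)]
    down = [("group tacacs+", TacacsGroup({}, reachable=False)), ("local", local)]
    print(run_method_list(up, "admin", "L0calPw"))    # REJECT: TACACS+ answered FAIL
    print(run_method_list(down, "admin", "L0calPw"))  # ACCEPT: TACACS+ timed out, local used
```

The first call is the case people get wrong in practice: the server is up and says no, so the local password is never tried even though it would have worked.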

NOTES AAA can secure anything requiring a username/password such as PPP Lines, VPN, VTY lines,
Dialup Modems, Console & Aux access etc.
 As soon as the ‘aaa new-model’ command is entered, all lines will be automatically configured
to use the local database. Make sure a local database user has been created to remove risk of
being locked out of a device.
 By default the ‘default’ AAA method list is set to use the local database. The default method list
is used for all lines etc unless another method list is specified.
 When using AAA for the enable password, as the username is not requested devices use a
username of ‘$enab15$’ which must be configured on the AAA/Radius server.
 AAA can be configures in SDM using the ‘AAA’ settings under the ‘Additional Tasks’ functions.

User Privileges
Privilege Level Access
Commands can be made unavailable/available to lower privilege users using the ‘privilege’ command
(config) # privilege mode [all] {level level command | reset command}

Where mode is the configuration mode, e.g. exec, configure, interface etc.
(config) # privilege exec level 5 show              - Only allow level 5 and above access to show commands
(config) # privilege exec level 5 ping              - Only allow level 5 and above access to ping commands
(config) # privilege interface level 5 ip address   - Allow level 5 to set an interface ip address
(config) # privilege interface level 5 ip           - Allow level 5 into the interface ‘ip’ commands
(config) # privilege configure level 5 interface    - Allow level 5 into interface configuration mode
(config) # privilege exec level 5 configure         - Allow level 5 into configuration mode

(config) # enable secret level 5 TEST   - Set the enable password for level 5
# enable 5                              - Move to privilege level 5

Role Based Access
Assigning IOS commands to privilege levels can be used to give different users different access, but as a command can only be assigned to one level it is complicated to configure. Role Based Access on the other hand does not have this restriction and allows creation of restricted administrative accounts (subadministrators) with specifically defined privileges (CLI Views). To create a view the ‘root view’ must be enabled first.
commands mode {include | include-exclusive | exclude} [all] command
Configuring
(config) # aaa new-model                          - Enable AAA (required)
(config) # aaa authorization exec default local   - Set the authorisation to local (required)
# enable view                                     - Enable the root view (prompts for the enable secret)
(config) # parser view LIMITEDMODE                - Create the view
(config-view) # secret test                       - Set a password for the view
(config-view) # commands exec include ping        - Allow the ping command
(config-view) # commands exec include all show    - Allow show commands with wildcard
# show parser view all                            - Display all views
Superviews
# enable view
(config) # parser view SPV superview
(config-view) # secret test
(config-view) # view LIMITEDMODE
(config-view) # view LIMITEDVIEW
Using the views
# enable view LIMITEDMODE                                       - Manual / testing
or
(config) # username LIMITEDUSER view LIMITEDMODE secret test    - Create a user bound to this view
Notes
- ‘commands exec include all’ enables wildcard matching for the following command.

Logon Security
Block logins for 15 seconds after 3 failed logons. The ‘log’ keyword will enable logging to a Syslog server
(config) # security authentication failure rate 3 log
Set the minimum password length
(config) # security passwords min-length 6
NOTE - Only applies to newly entered passwords, not existing passwords.
Encrypt all clear text passwords in the config
(config) # service password-encryption
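To show why ‘service password-encryption’ only hides passwords from a casual glance, here is the type 7 decode and encode routine, added to these notes as an example; it is not Cisco code, but the published algorithm that ‘show running-config’ output with ‘password 7’ strings can be fed into. The scheme is a two-digit decimal seed followed by each password byte XORed with a byte of a fixed key, written as hex. The sample line `username admin password 7 0822455D0A16` is constructed for the example.

```python
"""Cisco type 7 ('service password-encryption') decode and encode, added to
these notes to show why type 7 is only obfuscation. The algorithm is the
well-known published one: a two-digit decimal seed followed by each password
byte XORed with a byte of a fixed key and written as two hex digits. Sample
values are constructed for the example."""

# Fixed key used by the type 7 scheme (the so-called XLAT table).
_XLAT = b"dsfd;kfoA,.iyewrkldJKDHSUBsgvca69834ncxv9873254k;fg87"


def type7_decode(encoded):
    """Recover the clear text from a type 7 string such as '0822455D0A16'."""
    if len(encoded) < 2 or len(encoded) % 2 != 0:
        raise ValueError("type 7 strings are an even number of hex digits, at least 2")
    seed = int(encoded[:2], 10)           # IOS uses seeds 0..15
    if not 0 <= seed <= 15:
        raise ValueError("seed out of range")
    body = bytes.fromhex(encoded[2:])
    clear = bytes(b ^ _XLAT[(seed + i) % len(_XLAT)] for i, b in enumerate(body))
    return clear.decode("ascii")


def type7_encode(clear, seed=8):
    """Produce the type 7 form. IOS picks the seed itself; here it is a parameter."""
    if not 0 <= seed <= 15:
        raise ValueError("seed out of range")
    body = bytes(ord(c) ^ _XLAT[(seed + i) % len(_XLAT)] for i, c in enumerate(clear))
    return f"{seed:02d}" + body.hex().upper()


if __name__ == "__main__":
    line = "username admin password 7 0822455D0A16"   # constructed config line
    enc = line.split()[-1]
    print(enc, "->", type7_decode(enc))
    print("cisco ->", type7_encode("cisco", 8))
```

Because the key is fixed and the operation is XOR, anyone holding a config backup holds the passwords; this is the reason the notes steer towards ‘enable secret’ and ‘username ... secret’, which store hashes instead.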

NOTE - ‘service password-encryption’ produces type 7 passwords, a reversible obfuscation (a Vigenère-style XOR against a fixed key) that is easily recovered; it only protects against shoulder surfing. Using ‘enable secret’ is recommended for the enable password as it stores a salted MD5 hash (type 5) instead.

Securing VTY Lines
# show login                                       - Show the login blocking state
Block logins for 120 seconds after 3 failed logins in 60 seconds
(config) # login block-for 120 attempts 3 within 60
NOTE - This could be used for a denial of service attack, stopping all access to the router by keeping it permanently blocked. Potentially this could be too secure.
Allow access from the IP addresses permitted by ACL 10 even while logins are blocked (quiet mode)
(config) # login quiet-mode access-class 10
Delay between successive login attempts (seconds)
(config) # login delay 10
Generate a Syslog message after every 3 failed attempts or after every successful logon (‘every x’ is optional)
(config) # login on-failure log every 3
(config) # login on-success log every 1
Automatically log out a session after 1 minute 30 seconds of inactivity
(config-line) # exec-timeout 1 30

AutoSecure and One Step Lock Down
AutoSecure
Interactive – Similar to setup mode, ‘auto secure full’.
Non-Interactive – Automatically lock down the router to Cisco recommendations. To configure use ‘auto secure no-interact’.
Changes
- Finger disabled
- PAD disabled
- UDP & TCP small servers disabled
- BootP disabled
- HTTP services disabled
- CDP disabled
- NTP disabled
- Source routing disabled
- Proxy ARP disabled on interfaces
- IP directed broadcasts disabled on interfaces
- MOP (Maintenance Operations Protocol) disabled on interfaces
- ICMP redirects disabled on interfaces
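The denial-of-service caveat on ‘login block-for’ is easiest to see with a model of the feature, added here as an example (it is not IOS code). `LoginGuard` keeps a sliding window of failed attempts, enters quiet mode when the threshold is hit, and while quiet refuses everyone except sources on the quiet-mode access-class. The source addresses, timestamps and the exempt address 10.0.0.5 are constructed for the example.

```python
"""Model of the IOS login block-for / quiet-mode behaviour, added to these
notes (not IOS code) to show the denial-of-service caveat: a remote attacker
can push the router into quiet mode and lock everyone out except sources
permitted by the 'login quiet-mode access-class' ACL. Timestamps and hosts
below are constructed."""

from collections import deque


class LoginGuard:
    def __init__(self, block_for, attempts, within, quiet_acl=()):
        # login block-for <block_for> attempts <attempts> within <within>
        self.block_for, self.attempts, self.within = block_for, attempts, within
        self.quiet_acl = set(quiet_acl)       # login quiet-mode access-class
        self.failures = deque()               # timestamps of recent failures
        self.quiet_until = 0

    def in_quiet_mode(self, now):
        return now < self.quiet_until

    def attempt(self, src, ok, now):
        """Process one login attempt at time `now` (seconds).
        `ok` says whether the credentials were correct.
        Returns 'accept', 'reject' or 'quiet' (refused without a prompt)."""
        if self.in_quiet_mode(now) and src not in self.quiet_acl:
            return "quiet"
        if ok:
            return "accept"
        self.failures.append(now)
        while self.failures and now - self.failures[0] > self.within:
            self.failures.popleft()           # forget failures outside the window
        if len(self.failures) >= self.attempts:
            self.quiet_until = now + self.block_for
            self.failures.clear()
        return "reject"


if __name__ == "__main__":
    g = LoginGuard(block_for=120, attempts=3, within=60, quiet_acl={"10.0.0.5"})
    for t in (0, 10, 20):                        # attacker, three bad guesses
        print(t, g.attempt("198.51.100.7", False, t))
    print(30, g.attempt("10.0.0.9", True, 30))    # admin with the right password: locked out
    print(31, g.attempt("10.0.0.5", True, 31))    # admin on the ACL still gets in
    print(150, g.attempt("10.0.0.9", True, 150))  # quiet period over
```

The lesson for the exam and for real networks is the same: always pair ‘login block-for’ with a ‘login quiet-mode access-class’ that covers the management stations, or an attacker who can reach the VTY lines can keep you out indefinitely.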

- Unreachables disabled on interfaces
- Mask reply messages disabled on interfaces
- Password encryption enabled
- TCP keepalives enabled
- Logging buffer size is set
- Sequence numbers and timestamps enabled
- CEF enabled
- Reserved IP address ranges are blocked as source addresses on outside interfaces
- Default route to null0 is configured if no default route is already present
- TCP Intercept is enabled
- AAA enabled
- Minimum password length and failure rate set
- Console logging
- Login and password applied to VTY, AUX and CON lines
- Banner is created
- SNMP is disabled depending on prompt or settings, giving the opportunity to configure SNMPv3
NOTES
- Introduced with IOS 12.3.

SDM One-Step Lockdown & Security Audit
This performs similar actions to the auto secure IOS command, accessed under ‘Configure’ / ‘Security Audit’.
Security Audit – SDM will audit the security of the router and give a list of vulnerabilities. The user is prompted to secure individual vulnerabilities with descriptions/help. Additionally a drop down is provided to ‘Undo Security configurations’ on individual security lockdowns.
One Step Lockdown – SDM will secure all identified security vulnerabilities automatically.
NOTES - SDM differs from AutoSecure by the following
- Does not disable NTP
- Does not enable TCP Intercept
- Does not configure AAA
- Does not configure the three separate ACLs to block commonly spoofed source addresses
- SDM will disable SNMP but does not provide options for SNMPv3

SNMP – Simple Network Management Protocol. Three core components
- SNMP Manager – The tool which queries, analyses and presents the data on devices.
- SNMP Agent – The monitored device itself.
- Management Information Base (MIB) – The dictionary of object identifiers (OID) available on the device. Each OID is a variable/counter that can be read or set.
SNMP Messages
- Get – Read only access is sufficient.
- Set – Read/Write access is essential. This is a very dangerous facility; it could allow an attacker to gain control of a device if not locked down.
- Trap – The device sends a trap message to the manager component to alert it to particular issues.
SNMP Versions
- SNMPv1 – Simple to configure. All SNMP traffic is sent in clear text. Counters are limited in value so high bandwidth interfaces could overrange the counters.
- SNMPv2c – Simple to configure. Similar to SNMPv1 but counters are capable of much larger values. All SNMP traffic is still sent in clear text.
- SNMPv3 – Addresses the weaknesses of the earlier versions by including authentication, privacy and access control. SNMPv3 operates in one of three modes (noAuthNoPriv, authNoPriv & authPriv) using MD5/SHA to provide authentication and DES, 3DES or AES to provide the privacy. This is more complicated to set up, particularly as SDM cannot be used to configure SNMPv3.
(config) # snmp-server community public ro          - Configure an SNMP community with read only access
(config) # snmp-server community CCSTRING rw 50     - Configure an SNMP community with RW access restricted by ACL 50

Logging
Console – By default all logging is displayed on console sessions.
VTY Lines – Logging to a telnet/SSH session can be enabled using the command ‘terminal monitor’.
Logging Buffer – All log messages can be saved to memory for later review. ‘logging buffered 4096’ for example will set aside 4096 bytes to store a log history. ‘show logging’ will display the buffered entries.
SysLog
(config) # logging host <ipaddress / hostname>   - Set the Syslog server location
(config) # logging <ipaddress / hostname>        - Set the Syslog server location (alternative, older form)
(config) # logging trap <level>                  - Set the highest level sent to the Syslog server
# show logging                                   - Display logging configuration and the buffer
Logging Levels
Messages will be logged for the level selected and all lower-numbered (more severe) levels.
Emergencies     System is unusable        (severity=0)
Alert           Immediate action needed   (severity=1)
Critical        Critical conditions       (severity=2)

Errors          Error conditions                    (severity=3)
Warnings        Warning conditions                  (severity=4)
Notifications   Normal but significant conditions   (severity=5)
Informational   Informational messages              (severity=6)
Debugging       Debugging messages                  (severity=7)
NOTES
- ‘logging synchronous’ (line config) stops log messages interrupting command input on the line.
- Logging can be found in ‘Additional Tasks’ then ‘Router Properties’ in SDM.
- Time stamping and sequencing of log messages are enabled using the commands ‘service sequence-numbers’ and ‘service timestamps’.

NTP
For accurate logging (syslog etc), digital certificates and AAA accounting an accurate time source must be set. NTP can provide this. A router can act as an NTP client, server or peer (bidirectional time transfer). A server can also broadcast / multicast time updates (routers do not relay these packets). An attacker could attempt to change the time in a router, which would render digital certificates invalid.
Stratum 0 – Atomic clock.
Stratum 1 – Time server directly connected to an atomic clock.
NTP Client
(config) # ntp server x.x.x.x prefer              - Set the time source with the optional prefer statement
NTP master
(config) # ntp master                             - Enable NTP master
(config) # ntp authenticate                       - Optional, enable NTP authentication
(config) # ntp authentication-key 1 md5 NTP       - Optional, set key number 1 to the string NTP
NTP Peer
This must be defined on both sides to define the peer relationship
(config) # ntp peer x.x.x.x
NOTES
- NTP authentication works differently to the norm. The client authenticates the server rather than the server authenticating the client, so the client must hold the same key. This prevents the NTP master being spoofed and supplying an incorrect time.
- The recommended approach is to use a public NTP server as the master source. If an NTP server is run internally it is advisable to create an ACL to stop external devices accessing the NTP server.
- Ensure the NTP port (UDP 123) is open (ACL).
- NTP settings in SDM can be found in the ‘Additional Tasks’ section under ‘Router Properties’.

- Use NTP version 3 or higher for the additional security features (authentication).

Layer 2 security
Port Security
# show port-security                                                     - Show port security summary
# show port-security interface interface                                 - Show security for an interface
# show mac address-table                                                 - Display the MAC address table
(config-if) # switchport mode access                                     - Set access port (stops dynamic trunking)
(config-if) # switchport port-security                                   - Enable port security on the port
(config-if) # switchport port-security violation <protect/restrict/shutdown>   - Set the violation action
(config-if) # switchport port-security maximum number                    - Set the maximum MAC addresses on the port
(config-if) # switchport port-security mac-address xxxx.xxxx.xxxx        - Set a static secure MAC address
(config-if) # switchport port-security mac-address sticky                - Port will learn the address & add it to the config
(config-if) # switchport port-security aging time minutes                - Aging time for dynamically learned MAC addresses
(config-if) # switchport port-security aging type absolute               - Set aging time basis to absolute time
(config-if) # switchport port-security aging type inactivity             - Set aging time basis to inactivity time
Violation modes
- Protect – Allow authorised hosts through but silently drop frames from unauthorised hosts.
- Restrict – As above but log (SNMP trap & syslog) and count the violations.
- Shutdown – Shut down the port (err-disabled).
NOTES
- Default maximum MAC addresses is 1. Must be set to 2 for a daisy chained IP phone & PC.
- Default violation mode is shutdown (err-disabled). To clear err-disabled issue ‘shutdown’ & ‘no shutdown’ on the interface.
- Cannot use port security on trunk ports (must explicitly set to an access port), destination SPAN ports, EtherChannel ports or 802.1X ports.
Configure SNMP Traps for MAC Table Event Notification
(config) # mac address-table notification                      - Enable the feature
(config) # snmp-server enable traps mac-notification
(config-if) # snmp trap mac-notification <added / removed>     - Set per interface

802.1x Port Security / Network Admission Control (NAC)
Securing a port using 802.1x requires both the host (supplicant) and the switch port (authenticator) to be configured with 802.1x. 802.1x requires a RADIUS server (authentication server). The physical port on the authenticator is broken down into two logical ports (controlled and uncontrolled) by 802.1x. The uncontrolled port can only pass EAPOL (Extensible Authentication Protocol over LANs), STP & CDP protocols. Once authentication is successful the controlled port can pass all data.
EAP
- EAP-MD5
- EAP-TLS
- PEAP (MS-CHAPv2)
- EAP-FAST
Dot1x port control modes
- Force-authorized (default) – Any host connected to this port is considered authorised. In effect no authentication.
- Force-unauthorized – Connected hosts are considered unauthorised.
- Auto – This enables dot1x on the port. The port is unauthorised until the EAPOL packets are exchanged successfully, then the port enters an authorised state.
Example
(config) # aaa new-model                                          - Required
(config) # aaa authentication dot1x default group radius local
(config) # dot1x system-auth-control                              - Enable dot1x globally
(config) # interface fastethernet 0/4
(config-if) # dot1x port-control auto

Storm Control
This feature can raise a trap or shut down an interface if a certain percentage of a port's traffic is a particular type. As an example, storm control can shut down a port if it receives excessive broadcasts.
(config-if) # storm-control action <shutdown / trap>   - Set the action if a storm control tolerance is exceeded
(config-if) # storm-control broadcast level level      - Set the tolerance for broadcast traffic (% of bandwidth)
(config-if) # storm-control multicast level level      - Set the tolerance for multicast traffic (% of bandwidth)
(config-if) # storm-control unicast level level        - Set the tolerance for unicast traffic (% of bandwidth)

10. Trunk ports can be source and destination ports. All intermediate switches between the units having the source and destination ports must be RSPAN capable devices.10.0 network- http://www. PaGP.10. Securing VLANs Filtering Intra-VLAN Traffic An ACL on a multilayer switch can be used to filter inter vlan traffic but not intra-vlan traffic. Source config(config) # vlan 100 (config-vlan) # remote-span (config-vlan) # exit (config) # monitor session 1 source interface fastethernet 0/1 (config) # monitor session 1 destination remote vlan 100 reflector-port fastethernet 0/10 Destination config(config) # monitor session 1 source remote vlan 30 (config) # monitor session 1 destination interface fastethernet 0/10 Notes       A source port can be monitored on multiple simultaneous SPAN sessions. A Destination port cannot be part of an etherchannel A Destination port does not run STP. Local SPAN – Destination and source ports are on the same switch. A port cannot be both a source and destination of a monitor session. LACP or DTP.uk M Morgan ©2010 Page 28 of 60 . Only one VACL can be applied to a vlan To restrict 172.CCNA Security IINS (640-553) Span ports (Switchport Analyser) Span will mirror all traffic from a source port or ports to a destination port (sometimes called the monitor port) on either the same switch or across a trunk to a different switch. A port can be a destination for only one SPAN session. A source port can be a part of an etherchannel. To filter traffic between two hosts on the same vlan a VLAN Access List (VACL) is used.1 – 3 from accessing any hosts on the 72.studyshorts. VTP. CDP.co.10. (config) # monitor session 1 source interface fastethernet 0/1 (config) # monitor session 1 destination interface fastethernet 0/2 # show monitor .Display configure monitor sessions Vlan SPAN (VSPAN) – The source is a Vlan. Remote SPAN (RSPAN) – A dedicated vlan will be created to trunk mirrored packets across a trunk link between two switches.

(config) # ip access-list extended NOACCESSACL                         - Used to specify the addresses to match
(config-ext-nacl) # permit ip 172.10.10.0 0.0.0.3 172.10.10.0 0.0.0.255
(config) # vlan access-map NOACCESSVACL 10
(config-access-map) # match ip address NOACCESSACL
(config-access-map) # action drop
(config-access-map) # exit
(config) # vlan access-map NOACCESSVACL 20                             - No match clause, so this matches anything
(config-access-map) # action forward
(config-access-map) # exit
(config) # vlan filter NOACCESSVACL vlan-list 1                        - Apply it to a VLAN
Note rule 20: this allows un-matched traffic to be forwarded. Without it all other traffic would be dropped (similar to the implicit deny all on ACLs).

Private VLANs
PVLANs provide layer 2 isolation between ports within the same broadcast domain. There are three types of PVLAN ports
- Promiscuous — A promiscuous port can communicate with all interfaces, including the isolated and community ports within a PVLAN.
- Isolated — An isolated port has complete Layer 2 separation from the other ports within the same PVLAN, but not from the promiscuous ports. PVLANs block all traffic to isolated ports except traffic from promiscuous ports. Traffic from an isolated port is forwarded only to promiscuous ports.
- Community — Community ports communicate among themselves and with their promiscuous ports. These interfaces are separated at Layer 2 from all other interfaces in other communities or isolated ports within their PVLAN.
Isolated PVLAN – Hosts can communicate with the primary VLAN but with no other host in the same secondary VLAN.
Community PVLAN – Hosts can communicate with other hosts in the same secondary VLAN and with the primary VLAN but not with hosts in other secondary VLANs.
VTP must be in transparent mode to create private VLANs.
(config) # vlan 200
(config-vlan) # private-vlan <isolated / community>

Securing IP at Layer 2
DHCP Snooping
This is a method for protecting against unauthorised or rogue DHCP servers. These can be used to give out an incorrect gateway address, which could cause a host to send all its network traffic through an unauthorised router enabling traffic sniffing etc. DHCP Snooping allows all switch ports to be placed into a trusted or un-trusted mode. A DHCP server message (offer/ack) received on an un-trusted port is dropped, and the port is err-disabled if the DHCP rate limit is exceeded. Once globally enabled on a switch all ports are set to un-trusted. It is therefore important to manually enable trusted ports as required for the DHCP infrastructure. The recommendation is to set all ports connected to hosts as un-trusted and all ports connected to other switches (and to the DHCP server) as trusted. Additionally DHCP Snooping can be used to rate limit the number of DHCP requests.
(config) # ip dhcp snooping                    - Enable
(config) # ip dhcp snooping vlan 10            - Enable on VLAN 10. Repeat for additional VLANs
(config) # interface fastethernet 0/3
(config-if) # ip dhcp snooping trust           - Set as a trusted port
(config-if) # ip dhcp snooping limit rate 10   - Set a maximum rate for DHCP requests of 10 per second
NOTES
- This can be difficult to configure in a multi-switch environment as all inter-switch link interfaces (trunks) must be set as trusted.

Dynamic ARP Inspection (DAI)
ARP Cache Poisoning / ARP Spoofing – ARP spoofing occurs when a host sends an ARP request out onto the network requesting the MAC address for a particular IP address. A rogue host could respond to the request before the legitimate host, which would result in an incorrect MAC address in the first host's ARP cache. All traffic sent between the two hosts is now sent to the rogue host, which in turn forwards it to the legitimate host, forming a man-in-the-middle attack.
DAI uses the database created by the DHCP Snooping feature as its trusted MAC-to-IP mapping database. If a switch receives an ARP packet on an un-trusted port and the MAC-IP mapping is in the trusted mapping database then the ARP packet is forwarded. If the MAC-IP mapping is not in the trusted database the ARP packet is dropped. If a port is configured as a DAI trusted port the ARP packet is forwarded regardless. As ARP packets are inspected on ingress each ARP packet is only inspected once.
(config) # ip arp inspection vlan 10       - Enable on VLAN 10
(config) # interface fastethernet 0/1
(config-if) # ip arp inspection trust      - Set the interface as trusted
# show ip arp inspection

IP Source Guard
This prevents a host using another host's IP address and, like Dynamic ARP Inspection, requires DHCP Snooping to be enabled. An un-trusted port will only accept DHCP packets until it receives an IP address. This address is recorded and the port will then only accept traffic from that IP address. This reduces the risk of IP spoofing.
Useful Commands
# show mac address-table                        - Show all MAC addresses
# show mac address-table dynamic                - Show only dynamically learnt addresses
# show mac address-table dynamic vlan vlanid    - Show addresses for a particular VLAN
(config) # interface range f0/6 - 10            - Select a range of interfaces
Best Practices
- Use secure management (SSH, OOB, access-class on VTY lines).
- Lock down SNMP (set ACLs, keep community strings secret, avoid RW access).
- Disable dynamic trunking (set all non-trunking ports as access ports).
- Try to reduce the use of VLAN 1 and don’t use it as the native VLAN.
- Make an audit sheet (portfast, bpduguard etc).
Unused port recommendation
- Disable the port (shutdown)
- Set the port to an access port (switchport mode access)
- Assign the port to an unused VLAN (switchport access vlan 99)
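DHCP Snooping, Dynamic ARP Inspection and IP Source Guard all hang off the same binding table, which the notes above describe in three places. The following model, added here as an illustration (it is not Cisco switch code), shows the one table and the three decisions made against it: server messages on untrusted ports are dropped, ARP on untrusted ports must match a binding, and IP traffic on an access port must match the binding learned on that port. Port names, VLAN 10, the MAC/IP addresses and the packets are constructed for the example.

```python
"""Model of the DHCP snooping binding table and of the two features that
consume it, Dynamic ARP Inspection (DAI) and IP Source Guard (IPSG). Added to
these notes as an illustration only; it is not Cisco switch code. Port names,
VLANs, MAC/IP addresses and the packets below are constructed."""

from dataclasses import dataclass


@dataclass(frozen=True)
class Binding:
    """One entry of the DHCP snooping binding table."""
    mac: str
    ip: str
    vlan: int
    port: str


class Switch:
    def __init__(self, trusted_ports):
        # Ports with 'ip dhcp snooping trust' / 'ip arp inspection trust'
        self.trusted = set(trusted_ports)
        self.bindings = {}                   # (vlan, mac) -> Binding

    # --- DHCP snooping -----------------------------------------------
    def dhcp_server_message(self, port):
        """DHCP OFFER/ACK/NAK arriving on a port: only trusted ports may
        originate server messages; on an untrusted port it is dropped."""
        return "forward" if port in self.trusted else "drop"

    def dhcp_ack(self, port, vlan, mac, ip):
        """A client on an untrusted port completed a lease: record it so
        DAI and IPSG can use it."""
        self.bindings[(vlan, mac)] = Binding(mac, ip, vlan, port)

    # --- Dynamic ARP Inspection --------------------------------------
    def arp_packet(self, port, vlan, sender_mac, sender_ip):
        """ARP request or reply on ingress. Trusted ports bypass the check;
        on untrusted ports the sender MAC/IP pair must match a binding."""
        if port in self.trusted:
            return "forward"
        b = self.bindings.get((vlan, sender_mac))
        return "forward" if b and b.ip == sender_ip else "drop"

    # --- IP Source Guard ---------------------------------------------
    def ip_packet(self, port, vlan, src_mac, src_ip):
        """'ip verify source' on an access port: the source IP (and MAC)
        must match the binding learned on that same port."""
        if port in self.trusted:
            return "forward"
        b = self.bindings.get((vlan, src_mac))
        return "forward" if b and b.port == port and b.ip == src_ip else "drop"


if __name__ == "__main__":
    sw = Switch(trusted_ports={"Fa0/24"})            # uplink towards the real DHCP server
    sw.dhcp_ack("Fa0/1", 10, "0011.2233.4455", "10.0.0.11")
    print(sw.dhcp_server_message("Fa0/3"))                              # drop: rogue server
    print(sw.arp_packet("Fa0/1", 10, "0011.2233.4455", "10.0.0.11"))   # forward
    print(sw.arp_packet("Fa0/2", 10, "aaaa.bbbb.cccc", "10.0.0.1"))    # drop: gateway spoof
    print(sw.ip_packet("Fa0/1", 10, "0011.2233.4455", "10.0.0.99"))    # drop: IP spoof
```

The model also shows why the notes insist on trusting inter-switch links: a binding learned on one switch is not visible to its neighbour, so an ARP reply crossing an untrusted trunk would be dropped as unknown even though it is legitimate.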

IOS Firewall

Firewall Introduction

Firewall Types
Stateless – Use of static packet filters (ACLs) to control what traffic can enter a network. As much network traffic uses random port numbers (FTP, inbound HTTP traffic etc), this method is not optimal. Operates at OSI layers 3 and 4.

Stateful – Monitors the state of connections, storing them in a session/state table. A stateful firewall will not allow a TCP packet with the SYN bit set, and only allows packets with the ACK bit set if there is an entry in the session table indicating that an inside user initiated the connection. Storing open connections allows the firewall to detect attacks by examining the sequence numbers (TCP only) and allows return traffic for outbound connections. Operates at OSI layers 3, 4 and 5.

Application Layer Gateway – Acts as a proxy. An ALG can enforce authentication of users rather than devices. Operates at OSI layers 3, 4, 5 and 7.

Transparent Firewalls – Transparent firewalls are layer 2 devices which act like a network bridge. They are easily introduced as the IP addressing of the existing networks does not need to be changed. By default only ARP traffic can pass. Extended ACLs can be created for IP traffic and EtherType ACLs for non-IP traffic. Transparent firewalls do not pass traffic with an EtherType greater than or equal to 0x600 (CDP, Spanning Tree BPDUs, EIGRP, IS-IS etc.). OSPF etc are supported.

Layered Defence Strategy
1. Perimeter
2. Communications Security
3. Core network Security
4. Endpoint Security

Cisco IOS Firewall feature set
- IOS Firewall – CBAC and Zone Based Firewall.
- IPS
- Authentication Gateway – Allows creation of security profiles on a per-user basis. Uses RADIUS or TACACS servers to store the profiles.

Static Packet Filtering
Description               Identifier   Typical syntax
IP Standard               1-99         access-list number <permit/deny/remark> source <log>
Standard expanded range   1300-1999
IP Extended               100-199      access-list number <permit/deny/remark> <protocol> <source> <dest> <comparison> <port> <log>
Extended expanded range   2000-2699
MAC Address list          700-799
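The session table behaviour described under "Stateful" (and used later by CBAC) is easiest to understand as code. The block below is an added example for these notes, not Cisco's implementation: a miniature stateful filter in Python that records outbound 5-tuples, refuses an unsolicited SYN from outside, admits only return traffic of a recorded session, removes an entry on FIN/RST and expires idle UDP entries. Addresses, ports and the clock are constructed for the demonstration.

```python
"""Added example: the session (state) table a stateful firewall keeps, in miniature."""
import time


class StatefulFilter:
    def __init__(self, udp_timeout=60, clock=time.monotonic):
        self.udp_timeout = udp_timeout
        self.clock = clock                      # injectable so tests can move time
        # (proto, inside ip, inside port, outside ip, outside port) -> last seen time
        self.sessions = {}

    def outbound(self, proto, src, sport, dst, dport, flags=""):
        """Inside -> outside: permitted, and the 5-tuple is recorded as a session."""
        key = (proto, src, sport, dst, dport)
        if proto == "tcp" and ("F" in flags or "R" in flags):
            self.sessions.pop(key, None)        # FIN/RST closes the dynamic entry
            return "permit"
        self.sessions[key] = self.clock()
        return "permit"

    def inbound(self, proto, src, sport, dst, dport, flags=""):
        """Outside -> inside: only return traffic of a recorded session is permitted."""
        if proto == "tcp" and "S" in flags and "A" not in flags:
            return "deny"                       # a bare SYN from outside is never a reply
        key = (proto, dst, dport, src, sport)   # reverse of the outbound tuple
        last = self.sessions.get(key)
        if last is None:
            return "deny"
        if proto == "udp" and self.clock() - last > self.udp_timeout:
            del self.sessions[key]              # idle UDP entry has expired
            return "deny"
        self.sessions[key] = self.clock()
        return "permit"


def demo():
    """Constructed traffic: an HTTP session, a DNS query and an unsolicited SYN."""
    now = [1000.0]                              # fake clock, seconds
    fw = StatefulFilter(udp_timeout=60, clock=lambda: now[0])
    out = {}
    out["syn_unsolicited"] = fw.inbound("tcp", "203.0.113.9", 4444, "192.168.1.10", 80, flags="S")
    fw.outbound("tcp", "192.168.1.10", 51000, "203.0.113.9", 80, flags="S")
    out["synack_return"] = fw.inbound("tcp", "203.0.113.9", 80, "192.168.1.10", 51000, flags="SA")
    out["ack_wrong_port"] = fw.inbound("tcp", "203.0.113.9", 80, "192.168.1.10", 51001, flags="A")
    fw.outbound("udp", "192.168.1.10", 5353, "198.51.100.53", 53)
    out["udp_reply"] = fw.inbound("udp", "198.51.100.53", 53, "192.168.1.10", 5353)
    now[0] += 120                               # two minutes of silence
    out["udp_reply_after_timeout"] = fw.inbound("udp", "198.51.100.53", 53, "192.168.1.10", 5353)
    fw.outbound("tcp", "192.168.1.10", 51000, "203.0.113.9", 80, flags="FA")
    out["ack_after_close"] = fw.inbound("tcp", "203.0.113.9", 80, "192.168.1.10", 51000, flags="A")
    return out


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:24} {verdict}")
```

Note what a stateless ACL cannot express here: "permit tcp any any established" would admit the stray ACK to port 51001 because it only looks at flag bits, while the session table rejects it because no inside host ever opened that connection.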

ACL Types
- Standard – Filter only on the source IP address. Typically used for controlling access to VTY lines, NAT etc rather than filtering.
- Extended – Filter on protocol, both source and destination IP addresses, and source and destination ports. Typically used for filtering.
- Reflexive / Established – Opens an inbound traffic rule based on an outbound TCP connection.
- Dynamic ACL – Lock and Key. An access list is modified to allow traffic if a user telnets in to the router. Similar to the established rule.
- Time-based – Access list enabled/disabled at a particular time.
- Named – Alternative way of creating and managing all access lists. Lists can be named rather than just numbered, and it is possible to edit ACLs as each line of the ACL is assigned a number.

Examples
- access-list 1 deny 192.168.0.50 0.0.0.0
- access-list 1 permit host 192.168.2.4 log
- access-list 1 deny any
- access-list 1 permit any
- access-list 2 permit 0.0.0.0 255.255.255.255
- access-list 100 deny ip host 192.168.0.50 192.168.3.0 0.0.0.255
- access-list 100 permit ip any any
- access-list 150 deny ip 192.168.0.0 0.0.3.255 any
- access-list 150 deny tcp 192.168.5.0 0.0.0.255 any eq 80

!--- Filter RFC 1918 space.
access-list 110 deny ip 10.0.0.0 0.255.255.255 any
access-list 110 deny ip 172.16.0.0 0.15.255.255 any
access-list 110 deny ip 192.168.0.0 0.0.255.255 any
!--- Deny special-use address sources.
!--- Refer to RFC 3330 for additional special use addresses.
access-list 110 deny ip host 0.0.0.0 any
access-list 110 deny ip 127.0.0.0 0.255.255.255 any
access-list 110 deny ip 192.0.2.0 0.0.0.255 any
access-list 110 deny ip 224.0.0.0 31.255.255.255 any
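Wildcard masks, top-down evaluation and the implicit deny at the end of every list are the three things that trip people up with numbered ACLs. The following is an added example written for these notes (not IOS code): a small Python evaluator that parses standard and extended "access-list" lines, applies the wildcard mask bit by bit and returns the first matching action. The ACL text it runs over is constructed from the infrastructure list 110 above plus one extended list; the query addresses are constructed too.

```python
"""Added example: how a router evaluates numbered standard/extended ACL entries
(wildcard masks, first match wins, implicit deny)."""
import ipaddress

ANY = (0, 0xFFFFFFFF)          # address 0 with an all-ones wildcard matches everything


def _ip(s):
    return int(ipaddress.IPv4Address(s))


def parse_addr(tokens):
    """Consume 'any' | 'host A' | 'A WILDCARD' and return ((addr, wildcard), rest)."""
    if tokens[0] == "any":
        return ANY, tokens[1:]
    if tokens[0] == "host":
        return (_ip(tokens[1]), 0), tokens[2:]
    return (_ip(tokens[0]), _ip(tokens[1])), tokens[2:]


def matches(spec, ip):
    """A wildcard bit of 1 means 'don't care'; only the 0 bits are compared."""
    addr, wild = spec
    care = ~wild & 0xFFFFFFFF
    return (_ip(ip) & care) == (addr & care)


def parse_acl(lines):
    """Parse 'access-list N permit|deny [proto] SRC [DST [eq PORT]] [log]' lines."""
    entries = []
    for line in lines:
        t = line.split()
        if not t or t[0].startswith("!"):
            continue                      # blank line or !--- comment
        number, action, rest = int(t[1]), t[2], t[3:]
        if number <= 99 or 1300 <= number <= 1999:      # standard: source only
            src, _ = parse_addr(rest)
            entries.append((number, action, "ip", src, ANY, None))
        else:                                           # extended
            proto, rest = rest[0], rest[1:]
            src, rest = parse_addr(rest)
            dst, rest = parse_addr(rest)
            port = int(rest[1]) if len(rest) >= 2 and rest[0] == "eq" else None
            entries.append((number, action, proto, src, dst, port))
    return entries


def evaluate(entries, number, src, dst="0.0.0.0", proto="ip", dport=None):
    """Top-down, first matching entry decides; no match hits the implicit deny."""
    for n, action, p, s, d, port in entries:
        if n != number or (p != "ip" and p != proto):
            continue
        if port is not None and port != dport:
            continue
        if matches(s, src) and matches(d, dst):
            return action
    return "deny"


# Constructed sample: the infrastructure list from the notes plus an extended list.
SAMPLE_ACL = """
!--- Filter RFC 1918 space.
access-list 110 deny ip 10.0.0.0 0.255.255.255 any
access-list 110 deny ip 172.16.0.0 0.15.255.255 any
access-list 110 deny ip 192.168.0.0 0.0.255.255 any
!--- Deny special-use address sources.
access-list 110 deny ip host 0.0.0.0 any
access-list 110 deny ip 127.0.0.0 0.255.255.255 any
access-list 110 deny ip 224.0.0.0 31.255.255.255 any
access-list 110 permit ip any any
access-list 150 deny tcp 192.168.5.0 0.0.0.255 any eq 80
access-list 150 permit ip any any
""".splitlines()

ENTRIES = parse_acl(SAMPLE_ACL)


def check(number, src, dst="0.0.0.0", proto="ip", dport=None):
    """Verdict of list 'number' for a packet with the given header fields."""
    return evaluate(ENTRIES, number, src, dst, proto, dport)


if __name__ == "__main__":
    for src in ("10.1.2.3", "172.31.9.9", "172.32.0.1", "239.1.1.1", "203.0.113.5"):
        print(f"ACL 110 source {src:14} -> {check(110, src)}")
```

Two details worth checking against the output: 172.31.x.x is denied but 172.32.0.1 is permitted, because the wildcard 0.15.255.255 cares about the top four bits of the second octet only; and a query against a list number with no entries returns "deny", which is the implicit deny a list applied with no permit statements produces.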

Named access lists
Mode               Description                          Command Syntax
(config)           Create / edit a standard ACL         ip access-list standard <no / name>
(config-std-nacl)  Create an entry                      permit sourceaddr
(config)           Create / edit an extended ACL        ip access-list extended DENY_HOSTA
(config-ext-nacl)  Create an entry                      permit tcp host sourceaddr host destaddr
(config-ext-nacl)  Create an entry with a line number   15 permit tcp host 192.168.0.50 host 4.2.2.4
(config-ext-nacl)  Create a reflexive entry             permit tcp any any established
(config-ext-nacl)  Delete an existing access list line  no 15
(config)           Re-sequence an ACL                   ip access-list resequence aclno/name startno interval

Apply a list to an interface / line
Mode           Description                         Command Syntax
(config-if)    Apply access list to an interface   ip access-group number <in / out>
(config-line)  Apply access list to a VTY line     access-class number <in / out>

Show commands
Mode   Description                      Command Syntax
#      Show interface info (inc ACL)    show ip interfaces
#      Show all access lists            show {ip} access-lists
#      Show a specific access list      show {ip} access-lists number

Turbo ACLs
High-end routers (7200 and 7500 routers and 12000 Gigabit Switch Routers) have the ability to process ACLs more quickly. If the Turbo ACL feature is enabled, ACLs are compiled into a lookup table which allows for much faster processing. ACLs with about four or more lines will see a speed improvement / reduction in CPU load. Turbo ACLs cannot be used for dynamic ACLs and time-based ACLs.

(config)# access-list compiled      - Enable Turbo ACLs
# show access-lists compiled        - Displays the Turbo ACL state for all ACLs

ACL States
- Operational
- Unsuitable – ACL cannot be compiled.
- Building – Currently building.
- Deleted – There are no ACLs in this entry.
- Out Of Memory

NOTES
- A packet filtering firewall operates at layers 3 and 4.
- Packets generated by a router are not subject to ACL filters.
- Use Notepad to write ACLs, then copy and paste into the router.
- To change a line in a named ACL, the line must be removed using the 'no x' command then re-added.
- Make sure console messages are visible ('terminal monitor' if using VTY lines) while implementing/changing an ACL, just in case an ACL takes some router functionality out.
- Use the 'reload in 3' command before applying an ACL to an interface. The router will reload itself in the specified number of minutes unless the command 'reload cancel' is issued. This avoids unintentionally locking yourself out of the device.
- A packet filter typically only filters the first fragment of a fragmented packet, as the later fragments will not contain a TCP header.

- Have an inbound ACL denying traffic with the same source address range as the internal IP addresses, to protect against IP spoofing. Additionally it is recommended to block traffic from RFC 1918 addresses, 0.0.0.0 and 255.255.255.255 to prevent broadcast attacks.
- It is advised to allow the following ICMP traffic back in to the router from the internet:
  o Echo-reply
  o Time-exceeded
  o Packet-too-big
  o Traceroute
  o Unreachable

CBAC/Classic Firewall
- Provides stateful packet inspection, alerts and logging.
- Outbound traffic is inspected up to the application layer in order to check validity and to open corresponding holes in the inbound filter for the return traffic. This allows dynamic ACL entries to be added to allow returned traffic back in. The dynamic ACL entries are removed when the TCP session is closed or after a timeout.
- Inbuilt defence against TCP SYN and IP spoofing attacks.
- Has the ability to monitor the control channels of protocols such as FTP/SIP to allow opening of the correct dynamic UDP/TCP ports.
- In addition to per-application filtering, both generic TCP and UDP traffic can be inspected to allow returned packets. Generic inspection does not support protocol-specific features such as random ports (SIP, FTP etc).
- For the inspection process to work there must be an extended ACL applied in the inbound direction, while the outbound ACL can be either standard or extended. IP inspection does not apply to traffic generated by the router unless 'router-traffic' is used as an option on the 'ip inspect' commands.

Example
(config)# ip inspect name FW http         - Create an inspection rule named FW for HTTP traffic
(config)# ip inspect name FW tcp          - Enable TCP generic inspection
(config)# ip inspect name FW udp          - Enable UDP generic inspection
(config)# ip inspect udp idle-time 60     - Set the UDP timeout value
(config)# interface fastethernet 0/1
(config-if)# ip inspect FW out

Zone Based Firewall (ZFW)
- Released with IOS 12.4(6)T.
- Policies are applied between zones (zone pairs).
- All traffic between zones is denied by default, unlike access lists which allow all until configured. An exception is the 'self' zone, where traffic is allowed to pass by default unless explicitly denied.
- An interface can only belong to one zone.
- Traffic can flow between interfaces in the same zone.
- Traffic cannot flow between a zone and a non-zone interface.
- Cannot combine zone based and legacy firewall inspection.

- Uses Deep Packet Inspection to catch dynamic port number protocols such as BitTorrent and IM applications. This looks at the packet data to attempt to identify the protocol used, e.g. HTTP on a non-standard port.
- A 'self' zone is created by default and refers to the router itself. Hosts connected to an interface will be a part of the zone assigned to that interface; the IP address of the interface itself is assigned to the 'self' zone.
- SDM will prompt for a DNS config if not already configured, as the rules it creates include domain names such as Yahoo instant messaging servers.

ZFW Actions
- Inspect – Allows the traffic through but inspects the packets to ensure the data is not malicious.
- Drop (deny) – Does not allow the packet to pass. It is analogous to an ACL deny statement.
- Pass (permit) – Does not inspect.

Creation of a ZFW using Cisco Common Classification Policy (C3PL)
Create Zones – Create zones using the 'zone security name' command. A sub-command is available to put a description against the zone. Using SDM, select 'Configure', 'Additional Tasks' followed by 'Zones'. Additionally SDM will allow assigning the zone to an interface at the same time.
Assign interfaces to Zones – Use the 'zone-member security name' command under an interface.
Create Class Maps – Used to identify traffic. SDM 'Configure', 'Additional Tasks', 'C3PL', 'Class Map' followed by 'Inspection'.
Create Policy Maps – A policy map defines what action to perform on traffic. Each policy map has one or more class maps assigned, together with an action for that traffic. SDM 'Configure', 'Additional Tasks', 'C3PL', 'Policy Map' followed by 'Protocol Inspection'.
Create Zone Pairs – Use the command 'zone-pair security pairname source sourcezonename destination destinationzonename'. A sub-command is available to put a description against the zone pair and to assign a policy: 'service-policy type inspect policyname'. SDM 'Configure', 'Additional Tasks' followed by 'Zone Pairs' allows editing, creation and assigning a policy.

C3PL/MQC (Modular QoS CLI) – Parameter maps
Used to create additional parameters to match on.

Example
(config)# parameter-map type protocol-info aol-servers     - Create a parameter map for AOL servers
(config-profile)# server name login.oscar.aol.com
(config-profile)# server name toc.oscar.aol.com
(config-profile)# server name oam-d09a.blue.aol.com

C3PL/MQC (Modular QoS CLI) – Class maps
Class maps are used to identify and classify traffic. A class map can match on, among others:
- ACLs
- Protocol / NBAR (Network Based Application Recognition)
- Another subordinate class map
Two types of inspection class map can be created: a layer 4 map, which can match traffic and protocols at layer 4, and Deep Packet Inspection (DPI) class maps, which inspect up to layer 7. A DPI map must be nested within a layer 4 class map.

Mode           Description                             Command Syntax
(config)       Create a match-any class map            class-map type inspect match-any name
(config)       Create a match-all class map            class-map type inspect match-all name
(config)       Create a DPI class map                  class-map type inspect protocol match-any name
(config-cmap)  Set match criteria on an ACL            match access-group aclno
(config-cmap)  Set match criteria on input interface   match input-interface
(config-cmap)  Match based on NBAR                     match protocol protocol
(config-cmap)  Match on NBAR with parameter map        match protocol protocol parametermap

NOTE
- match-any signifies an OR condition between statements
- match-all signifies an AND condition between statements

Examples
(config)# class-map type inspect match-all HTTPFOMACL               - Create map to identify HTTP and ACL 100
(config-cmap)# match protocol http
(config-cmap)# match access-group 100
(config)# class-map type inspect match-any sdm-cls-protocol-im      - Create map to identify IM using NBAR
(config-cmap)# match protocol ymsgr yahoo-servers
(config-cmap)# match protocol msnmsgr msn-servers
(config-cmap)# match protocol aol aol-servers
(config)# class-map type inspect http match-any sdm-http-blockparam - Create map to DPI HTTP
(config-cmap)# match request port-misuse im
(config-cmap)# match request port-misuse p2p
(config-cmap)# match req-resp protocol-violation

C3PL/MQC (Modular QoS CLI) – Policy maps
A policy map controls what to do with traffic identified by a class map.

Mode             Description                                        Command Syntax
#                Show classes & actions for all policies            show policy-map type inspect
#                Show in-depth policies, classes & stats            show policy-map type inspect zone-pair
#                Show in-depth policies, classes & stats for pair   show policy-map type inspect zone-pair pair
(config)         Create an inspect policy map                       policy-map type inspect policyname
(config-pmap)    Add a class map to the policy                      class type inspect classname
(config-pmap-c)  Set action for traffic class                       inspect / pass / drop

Example
(config)# policy-map type inspect sdm-permit-icmpreply
(config-pmap)# class type inspect sdm-icmp-access
(config-pmap-c)# inspect
(config-pmap-c)# exit
(config-pmap)# class type inspect SDM-Voice
(config-pmap-c)# inspect
(config-pmap-c)# exit
(config-pmap)# class class-default
(config-pmap-c)# pass
(config-pmap-c)# exit

IPS

IPS Introduction

Types of IPS/IDS solutions
IDS (Intrusion Detection System) – Sits outside the routing path (promiscuous mode, connected to a SPAN port) and raises alerts in the event of suspicious traffic. This can signal to another router to block traffic, but this traffic would have already entered the network. As they are not inline, traffic flow will not be slowed, but malicious traffic could potentially not be checked: an IDS can get overrun with traffic, and because of this IDSs are vulnerable to "atomic pattern" attacks where the attack payload is contained in one packet. IDSs are more effective on "composite pattern" attacks where the attack takes place over multiple packets/hosts.

IPS (Intrusion Prevention System) – Sits inside the routing path (inline mode). In addition to the functionality provided by IDS solutions, an IPS is able to take actions on suspicious traffic:
- Logs (Syslog or SDEE)
- Drops
- Resets the TCP connection (TCP Reset)
- Blocks the attacker's IP address for 'x' minutes. Event action 'Deny Attacker Inline' creates a dynamic access-list to block the IP address.
- Blocks the traffic causing the alarm
As an IPS sits inline with the traffic flow, the IPS can slow the flow of traffic.

HIPS (Host IPS) – A software-based IPS installed on a host. Attackers are now trying to use HTTPS/VPN technologies to bypass detection by a network-based IPS system. Using HIPS on clients would reduce this risk.

NIPS (Network IPS) – A router / appliance based IPS.

Intrusion Detection Methods
Signature – Uses known attack strings, particular IP addresses etc. Low processing requirement, but can become out of date if not frequently updated. Zero day attacks will not be detected. Initially signature-based analysis can create lots of false positives, which signature tuning will reduce/stop. Four types of signatures can be used: exploit signatures to spot byte and traffic patterns of known attacks, DoS attack signatures, connection signatures to identify traffic which does not match the standard protocol's behaviour in an established connection, and string signatures which are regex patterns.
Policy – Violation of a network policy such as maximum new connections per second (SYN attacks, DoS attacks etc). Policy-based methods are able to identify some zero day attacks.
Anomaly – Traffic considered not 'normal'. This is sometimes referred to as network behaviour or heuristic analysis. This requires extensive tuning to avoid false positives.
Honey Pot Detection – An isolated server is placed at risk / not protected in an attempt to draw attacks. IPS will then watch this server to enable better tuning of the IPS system.
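To make the difference between a string signature and a policy rule concrete, here is an added example for these notes (not Cisco IPS code or real Cisco signature ids): a Python scan that runs two constructed regex signatures over constructed packet payloads, and a policy check that flags any source exceeding a new-connections-per-second threshold over constructed SYN records. The fourth sample payload is benign but still matches the traversal signature, which is the kind of false positive the text says signature tuning has to deal with.

```python
"""Added example: signature-based and policy-based detection over constructed
packet payloads and connection records. Signature ids and thresholds are made up."""
import re
from collections import Counter

# String signatures: (id, description, regex, severity). Constructed for this example.
STRING_SIGNATURES = [
    ("sig-1001", "HTTP directory traversal", re.compile(rb"(\.\./){2,}"), "medium"),
    ("sig-1002", "x86 NOP sled", re.compile(rb"\x90{32,}"), "high"),
]


def signature_scan(payload):
    """Atomic-pattern check: which signatures match a single packet payload."""
    return [sid for sid, _desc, rx, _sev in STRING_SIGNATURES if rx.search(payload)]


def policy_scan(syn_records, max_new_conn_per_sec=50):
    """Policy check: sources opening more than N new connections in any one second.
    syn_records is a list of (timestamp_seconds, source_ip) for SYN packets seen."""
    per_second = Counter((src, int(ts)) for ts, src in syn_records)
    return sorted({src for (src, _sec), n in per_second.items() if n > max_new_conn_per_sec})


# Constructed sample traffic
SAMPLE_PACKETS = [
    b"GET /index.html HTTP/1.1\r\nHost: example.test\r\n",      # benign
    b"GET /../../../../etc/passwd HTTP/1.1\r\n",               # traversal attempt
    b"\x90" * 64 + b"\xcc",                                    # sled-like payload
    b"GET /docs/../../images/x.png HTTP/1.1\r\n",              # benign, but matches: a false positive to tune out
]
# 80 SYNs from one source inside a single second, one SYN from another source
SAMPLE_SYNS = [(1.00 + i * 0.01, "203.0.113.7") for i in range(80)] + [(1.5, "198.51.100.2")]


def run():
    """Apply both detection methods to the sample data and return the findings."""
    return {
        "hits": [signature_scan(p) for p in SAMPLE_PACKETS],
        "flooders": policy_scan(SAMPLE_SYNS),
    }


if __name__ == "__main__":
    findings = run()
    for payload, hits in zip(SAMPLE_PACKETS, findings["hits"]):
        print(f"{payload[:30]!r:36} -> {hits or 'clean'}")
    print("policy violations:", findings["flooders"])
```

The policy rule needs no knowledge of the attack content, which is why the text says policy-based methods can catch some zero day attacks; the price is that its threshold is something an operator has to tune for the network, exactly as the signatures are.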

Alerts
Bad – False Positive and False Negative.
Good – True Positive and True Negative.

Signatures
Signature severity levels
- Informational
- Low
- Medium
- High

Event Actions
- Deny Attacker Inline – Denies the source IP address of the offending packets (creates a dynamic ACL) for a defined period of time.
- Deny Connection Inline – Stops the offending packets but not other traffic from the source.
- Deny Packet Inline – Drop this packet only.
- Produce Alert – Generate an alarm/alert message.
- Reset TCP Connection – Send a TCP reset to terminate the traffic flow.
To avoid false positives some signatures may require 'signature tuning' or removing a particular signature.

Cisco IDS / IPS Range
IOS – Some Cisco IOS images implement technology from other IPS/IDS systems to create an IOS IPS. Can be run in the routing path or on a SPAN port.
4200 Series Appliances – Dedicated appliance for IPS. The sensors contain at least two interfaces: the command and control interface and the monitoring interface.
IDS Network / AIM Modules (AIM-IPS) – Fit inside a router to perform the IDS function, taking the load off the router's processor.
Catalyst 6500 IDSM-2 – Fits inside Cisco 6500 series switches. Able to monitor inter-VLAN traffic etc.
Cisco Adaptive Security Appliance Advanced Inspection and Prevention Security Service Module (ASA AIP SSM) – Provides high performance anti-x services.
HIPS (Cisco CSA) – Client software that sits on the end client to identify suspicious traffic on the client. This can capture encrypted attacks which network-based solutions cannot detect.

Configuring IPS on a Cisco Router using SDM
1. Clicking 'Launch IPS Rule Wizard' SDM will enable SDEE on the router and open a subscription with the router so SDM can receive events. The IPS Policy Wizard will now start.
2. Interface selection. Set Inbound / Outbound on specific interfaces. Typically IPS will be enabled in the inbound and outbound directions on the internal interfaces, not on the internet-facing connection, as this will generate many hundreds of alarms/alerts.
3. Specify the signature file, public key name and key (SDM will not accept IOS-Sxxx-CLI.PKG files on the PC; copy it to flash or tftp/ftp/http and select it from there).
4. Choose Config Location. Typically flash:/ or flash:/ips/ on systems which support directories.
5. Choose Category – Basic or Advanced (128MB of router memory required).
6. Configuration generated by SDM:

(config)# ip ips notify SDEE                        - Enable SDEE notifications
(config)# ip ips name sdm_ips_rule                  - Define an IPS rule name of sdm_ips_rule
(config)# interface FastEthernet0/0                 - Set which interfaces to enable IPS on
(config-if)# ip ips sdm_ips_rule in
(config-if)# ip ips sdm_ips_rule out
(config-if)# exit
(config)# ip ips config location flash:/ips/        - Set the location of the IPS configuration files
(config)# ip ips signature-category                 - Enter the IPS signature category configuration
(config-ips-category)# category all                 - Select all categories
(config-ips-category-action)# retired true          - Retire all rules
(config-ips-category-action)# exit
(config-ips-category)# category ios_ips advanced    - Select the advanced set of rules

(config-ips-category-action)# retired false         - Un-retire
The signatures will now be compiled.

Edit IPS Tab
IPS Policies – Allows enabling / disabling IPS on individual interfaces and applying an optional ACL to control what traffic is scanned.
Global Settings – Allows setting up the basic IPS properties: logging (SDEE and Syslog), number of SDEE alerts to store, number of SDEE messages to store and the number of SDEE subscriptions. 'Engine Fail Closed' stops passing packets while the IOS is compiling the signatures (disabled by default); the command is 'ip ips fail closed'. Also the location of the IPS configuration files within the router, category selection (basic or advanced) and the public key.
Signatures – This displays a category tree of all signatures installed. Each signature can be deleted, enabled/disabled or edited. Typical editable options include severity, alarm interval, event action etc. Once a change is made the modified signature is highlighted in SDM but not directly applied to the router. Click the 'Apply Changes' button to commit the change to the router.

Security Dashboard Tab
The Dashboard allows a user to update the list of top threats from the Cisco IPS Alert Center and then deploy the signatures for those threats.

Logging and Monitoring

Reporting / Logging
The outputs of an IDS/IPS system are used to achieve two things: reporting, where analysis is performed on historic data, and event monitoring to identify when an attack is taking place.
Syslog – Basic reporting method logged to a Syslog server.
Security Device Event Exchange (SDEE) – Advanced logging method designed specifically for alerting on security devices. The router can store up to 1000 (200 by default) events for later retrieval. SDM can pull these events, or the router can be configured to export them to an external server. HTTP/HTTPS must also be enabled to use SDEE.

CLI Monitoring
# show ip ips configurations
# show ip ips interfaces
# show ip ips all

Monitoring using SDM
'IPS Status' (shows loaded signatures and hit and drop counts) and 'Logging' followed by 'SDEE Message Log' under the 'Monitoring' section.


Notes
- VFR (Virtual Fragmentation Reassembly) – Allows the IOS firewall to create dynamic access lists to protect against fragmentation attacks. Helps to protect against Tiny, Overlapping and Buffer Overflow fragment attacks. The command is 'ip virtual-reassembly' under an interface.
- Version 4 IPS definition files consist of Signature Definition Files (SDF) such as '128MB.sdf'.
- Version 5 files, used since Cisco IOS Release 12.4(11)T, are in the format 'IOS-S360-CLI.pkg' and are signed with a Cisco private key.

Public Key Name : realm-cisco.pub
Public Key :
30820122 300D0609 2A864886 F70D0101 01050003 82010F00 3082010A 02820101
00C19E93 A8AF124A D6CC7A24 5097A975 206BE3A2 06FBA13F 6F12CB5B 4E441F16
17E630D5 C02AC252 912BE27F 37FDD9C8 11FC7AF7 DCDD81D9 43CDABC3 6007D128
B199ABCB D34ED0F9 085FADC1 359C189E F30AF10A C0EFB624 7E0764BF 3E53053E
5B2146A9 D7A5EDE3 0298AF03 DED7A5B8 9479039D 20F30663 9AC64B93 C0112A35
FE3F0C87 89BCB7BB 994AE74C FA9E481D F65875D6 85EAF974 6D9CC8E3 F0B08B85
50437722 FFBE85B9 5E4189FF CC189CB9 69C46F9C A84DFBA5 7A0AF99E AD768C36
006CF498 079F88F8 A3B3FB1F 9FB7B3CB 5539E1D1 9693CCBB 551F78D2 892356AE
2F56D826 8918EF3C 80CA4F4D 87BFCA3B BFF668E9 689782A5 CF31CB6E B4B094D3
F3020301 0001

VPN / Cryptography

Term            Definition
Cryptology      Science of making and breaking secret codes
Cryptography    Developing and using codes / encryption techniques
Cryptanalysis   Breaking encryption technologies and codes
Steganography   Technique to hide messages in some other message rather than encrypting the message
PKCS            Public Key Cryptography Standards – define a set of standards / low-level formats for the secure exchange of data

Encryption Technologies
PKCS #1         RSA cryptography standard
PKCS #3         DH key agreement standard
PKCS #5         Password-based cryptography standard
PKCS #7         Cryptographic message syntax
PKCS #10        Used for sending certificate requests using SCEP
RSA             Rivest-Shamir-Adleman – SSL
SSL / TLS       Encryption at the transport layer – Layer 4
IPSec           Encryption at the network layer – Layer 3
V3PN            Voice and Video enabled VPN
DMVPN           Dynamic Multipoint VPN. Allows a router to negotiate a point-to-point VPN with any other router on a hub and spoke VPN topology
X.509           A standard which defines the format for digital certificate transmission and certificate revocation lists (CRL)
Diffie Hellman  Protocol using public / private keys to exchange a shared secret

Attack Methods
Brute force         Every possible key is tried
Cipher text only    The attacker has a number of encrypted messages to decrypt. This can be used in an attempt to derive the key
Known plain text    The attacker has both the cipher text and some knowledge of the corresponding plaintext. Improves the chances of deriving the key
Chosen plain text   The attacker is able to encrypt some chosen plaintext and view the cipher text
Chosen cipher text  Similar to the chosen plain text attack
Birthday            Statistically the probability that two people share the same birthday in a group of 23 people is greater than 50%. The same principle can be used when attempting to break a hash function using brute force techniques, to improve the chances of breaking the hash
Meet in the middle  The attacker is able to both decrypt cipher text and encrypt plain text in an attempt to find a matching key

Hashing & Digital Signatures

Hashing algorithms
- MD5 – 128 bit
- SHA-1 – 168 bit
A hash function simply calculates a signature/fingerprint/CRC of the message.

HMAC – Hashed Message Authentication Codes
Hashing functions by themselves cannot guarantee the authenticity of the message, as anyone can generate a message and calculate a hash. HMAC adds a secret key to the message before applying the hashing routine, resulting in a hash that depends on both the message and the key. The receiver of the message can then generate the hash of the plaintext message using the same secret key; if the hash matches then the message is authentic.
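The HMAC paragraph and the birthday entry in the attack table are both easy to see in a few lines. The following is an added example for these notes, not code from the guide: Python's standard hmac module is used to show that a bare hash can be "forged" by anyone who can compute the algorithm while an HMAC cannot be produced or verified without the key, plus the birthday probability that the table quotes for 23 people. SHA-256 is used here as a choice for the example (the notes list MD5 and SHA-1); the key and messages are constructed.

```python
"""Added example: a bare hash versus an HMAC, and the birthday bound from the
attack table. Uses SHA-256 (a choice here; the notes list MD5/SHA-1)."""
import hashlib
import hmac
import os


def plain_digest(message: bytes) -> str:
    """Fingerprint of the message alone: no secret, so no proof of origin."""
    return hashlib.sha256(message).hexdigest()


def make_hmac(key: bytes, message: bytes) -> str:
    """Tag that depends on both the message and the shared key."""
    return hmac.new(key, message, hashlib.sha256).hexdigest()


def verify_hmac(key: bytes, message: bytes, tag: str) -> bool:
    # constant-time compare so a mismatch does not leak how many bytes matched
    return hmac.compare_digest(make_hmac(key, message), tag)


def forge_without_key(message: bytes):
    """Anyone can produce a (message, hash) pair: a bare hash proves nothing about origin."""
    return message, plain_digest(message)


def birthday_probability(n: int, space: int = 365) -> float:
    """P(at least one collision) among n random draws from 'space' values."""
    p_no_collision = 1.0
    for i in range(n):
        p_no_collision *= (space - i) / space
    return 1.0 - p_no_collision


def demo():
    key = os.urandom(32)       # shared secret; constructed here, normally provisioned out of band
    msg = b"transfer 100 to account 42"
    tag = make_hmac(key, msg)
    forged_msg, forged_hash = forge_without_key(b"transfer 900 to account 42")
    return {
        "valid": verify_hmac(key, msg, tag),
        "tampered_rejected": not verify_hmac(key, forged_msg, tag),
        "bare_hash_accepts_forgery": plain_digest(forged_msg) == forged_hash,
        "hmac_rejects_forgery": not verify_hmac(key, forged_msg, forged_hash),
        "birthday_23": birthday_probability(23),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name:26} {value}")
```

The compare_digest call is the detail to copy into real code: comparing tags with "==" stops at the first differing byte, which is the timing side channel that the RSA timing attack later in these notes exploits in a different setting.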

Digital Signatures
Digital signatures are similar to the HMAC principle above but use an asymmetric private/public key pair. The digest of the message is generated and then encrypted using the private key. The resulting digital signature is attached to the message. The receiver decrypts the digital signature with the public key; if the decrypted digest matches the calculated digest of the message, the message is authentic and the sender is verified. A digital signature scheme is typically made up of a key generation algorithm, a signing algorithm and a signature verifying algorithm. Digital Signature Algorithm (DSA) is the current standard for digital signatures.

Encryption
- Symmetric Encryption – The same key is used to encrypt and decrypt. Typically referred to as shared secret encryption.
- Asymmetric Encryption – A key pair is required, one to encrypt and another to decrypt. Up to 100 times slower than symmetric encryption in software and up to 1000 times in hardware.

Encryption Summary
Method                  Type                Bit Length       Notes
Caesar Cipher           Symmetric Block     Varies           AKA a Substitution Cipher
Vigenere                Symmetric Block     Varies
One Time Pad            Symmetric Stream                     Vernam Cipher
Transposition           Symmetric Stream
DES                     Symmetric Block     56               Electronic Code Book (ECB) & Cipher Block Chaining (CBC). CBC feeds back cipher text into the algorithm
3DES (EDE)              Symmetric Block     112 & 168
DES                     Symmetric Stream    56               Output Feedback (OFB) & Cipher Feedback (CFB). Both feed back cipher text into the algorithm
3DES (EDE)              Symmetric Stream    112 & 168
AES (Rijndael cipher)   Symmetric Block     128, 192 & 256   Iterated Block Cipher: multiple operations are performed on each block to derive the cipher text
IDEA                    Symmetric Block     128              International Data Encryption Algorithm
SEAL                    Symmetric Stream    160              Software Encryption Algorithm. A software-based cipher designed to have a low impact on CPU
RC2                     Symmetric Block     40 & 56
RC4                     Symmetric Stream    1 to 2048        An encryption method based on the Vernam cipher, used in SSL & WEP
RC5                     Symmetric Block     0 to 2040
Blowfish                Symmetric Block     32 to 448        A fast block-based cipher
RSA                     Asymmetric Block    360 to 2048
Diffie Hellman                                               Key exchange algorithm

Encryption Methods in more depth

Caesar / Substitution Cipher
Characters of a message are substituted with another character from 'n' spaces along in the alphabet, e.g. 'a' becomes 'm', 'b' becomes 'n' etc. Provided the receiving party knows the number of spaces substituted (the key) then encryption is possible. This is very weak, as simple character frequency analysis will allow the code to be broken.

Vigenere Cipher
A substitution cipher where the number of characters / spaces moved for each character depends on a corresponding character in a key word. This uses a table to perform the cipher, where the key is on one axis and the message to be encoded is on the other. Small section below:

      A B C
   A  A B C
   B  B C D
   C  C D E

Suppose the phrase 'ATTACK AT DAWN' is coded using the key 'SECRETKEY'; the resulting message will be 'SXVRGDKXBSAP'.

One Time Pad / Vernam Cipher
Uses the principle of a Vigenere cipher, but the key is a stream of random characters equal to the length of the message. The Vernam cipher instead XORs each character of the message with the corresponding key character. This results in an almost unbreakable code, making it invulnerable to a frequency analysis attack, but with limitations: creation of a truly random key is almost impossible and it is very difficult to distribute the key.

Transposition Cipher
The characters are simply rearranged in the message using a secret sequence. An example is the rail fence cipher.

DES (56 bit) & 3DES – EDE (112 & 168 bit)
4 weak keys, 12 semi-weak keys. Each 64 bit block is encrypted using the 56 bit key. DES offers two types of ciphers:
- Block Cipher – Electronic Code Book (ECB) and Cipher Block Chaining (CBC). All but ECB use XOR operations on the previous cipher text block to generate the next cipher block. This avoids the scenario where two identical plaintext packets result in the same cipher text. CBC is used by Cisco devices.
- Stream Cipher – Output Feedback (OFB) and Cipher Feedback (CFB) modes.
3DES uses three 56 bit keys. The message is encrypted with the first key, decrypted with the second key, then finally encrypted with the third key to derive the cipher text. If the first and third keys are the same then the effective key length is reduced to 112 bits.

RSA
RSA, named after its inventors (Ron Rivest, Adi Shamir and Leonard Adleman), is a public key infrastructure (PKI) system capable of both encryption and signing requirements. RSA is a block cipher.
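The Caesar, Vigenere and Vernam ciphers above are short enough to implement in full, which also makes the "frequency analysis breaks Caesar" remark testable. This is an added example written for these notes, not code from the guide: Python implementations of the three ciphers, with the Vigenere check using the notes' own 'ATTACK AT DAWN' / 'SECRETKEY' example, and a frequency-analysis break of Caesar that assumes the most common ciphertext letter stands for E. The plaintext used for the break is constructed.

```python
"""Added example: the Caesar, Vigenere and Vernam (XOR) ciphers, plus the
frequency-analysis break of Caesar that the notes mention."""
import os
from collections import Counter

ALPHA = "ABCDEFGHIJKLMNOPQRSTUVWXYZ"


def caesar(text, shift):
    """Substitute each letter with the one 'shift' places along; others unchanged."""
    return "".join(ALPHA[(ALPHA.index(c) + shift) % 26] if c in ALPHA else c
                   for c in text.upper())


def vigenere(text, key, decrypt=False):
    """Shift each letter by the matching key letter; the key repeats over the text."""
    out, i = [], 0
    for c in text.upper():
        if c not in ALPHA:
            out.append(c)
            continue
        k = ALPHA.index(key[i % len(key)].upper())
        out.append(ALPHA[(ALPHA.index(c) + (-k if decrypt else k)) % 26])
        i += 1
    return "".join(out)


def vernam_xor(data: bytes, pad: bytes) -> bytes:
    """One-time pad: XOR with a random pad at least as long as the data; XOR again decrypts."""
    if len(pad) < len(data):
        raise ValueError("pad must be at least as long as the message")
    return bytes(d ^ p for d, p in zip(data, pad))


def break_caesar(ciphertext):
    """Frequency analysis: assume the most frequent letter stands for E, recover the shift."""
    top = Counter(c for c in ciphertext if c in ALPHA).most_common(1)[0][0]
    shift = (ALPHA.index(top) - ALPHA.index("E")) % 26
    return shift, caesar(ciphertext, -shift)


if __name__ == "__main__":
    print(vigenere("ATTACKATDAWN", "SECRETKEY"))          # SXVRGDKXBSAP, as in the notes
    ct = caesar("MEET ME AT THE EAST GATE AT SEVEN", 3)   # constructed plaintext
    print(ct, "->", break_caesar(ct))
    pad = os.urandom(16)                                  # fresh random pad, used once
    print(vernam_xor(vernam_xor(b"ATTACK AT DAWN", pad), pad))
```

The same frequency trick does not work on the Vigenere output because each position is shifted by a different key letter, and it cannot work at all on the one-time pad because every ciphertext byte is equally likely; the pad's weakness is the key handling, not the maths.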

The bit lengths are not directly comparable to symmetric bit lengths. A 1024 bit RSA key is considered equal to an 80 bit symmetric key, 2048 to a 112 bit symmetric key and 3072 to a 128 bit symmetric key.

RSA Vulnerabilities
- Timing attack – An attacker could measure the decryption times for a number of cipher texts and, if the hardware is known, the decryption key could be deduced quickly. Most RSA implementations use a scheme known as blinding to stop the decryption time being correlated to the cipher text.
- Branch Prediction Analysis (BPA) attack – Used against modern processors that use branch prediction and Simultaneous Multithreading (SMT). An attack uses a spy process to statistically discover the private key while it is being processed on these processors.
- Adaptive chosen cipher text attack – Uses weaknesses in RSA / PKCS #1 when used in SSL protocols and is used to recover session keys. An updated version of PKCS #1 has been released which is not vulnerable to this attack.

Diffie Hellman Key Exchange
The DH process works by both parties agreeing on two non-secret numbers and each party generating a secret number. Each party then generates a public number from its secret and the two non-secret numbers, and this is passed to the other party. Each party then generates a shared secret from its own secret and the public number generated by the other party.
1. The two parties agree on two non-secret numbers (generator and base), p=23 and base g=5.
2. Party 1 chooses a secret integer a=6, then sends Party 2 A = g^a mod p
   o A = 5^6 mod 23 = 8.
3. Party 2 chooses a secret integer b=15, then sends Party 1 B = g^b mod p
   o B = 5^15 mod 23 = 19.
4. Party 1 computes s = B^a mod p
   o 19^6 mod 23 = 2.
5. Party 2 computes s = A^b mod p
   o 8^15 mod 23 = 2.

Choosing an encryption method
Two main criteria:
1. Does the cryptographic community trust the algorithm?
2. Resistance level to brute force attacks.
DES, 3DES, IDEA, RC4, AES, RSA and DH are considered trustworthy.
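The numbered DH steps above can be run as code, which also shows why p=23 is only a teaching value. This is an added example for these notes, not code from the guide: Python's built-in three-argument pow does the modular exponentiation, the exchange is carried through with the same p, g, a and b as the steps, and a brute-force discrete logarithm recovers the shared secret from nothing but the public values, which is feasible only because the group is tiny.

```python
"""Added example: the Diffie-Hellman exchange from the steps above with the same
numbers (p=23, g=5, a=6, b=15), plus a brute-force discrete log on the toy group."""


def dh_public(g, secret, p):
    """Public value g^secret mod p (three-argument pow is modular exponentiation)."""
    return pow(g, secret, p)


def dh_shared(peer_public, secret, p):
    """Shared secret peer_public^secret mod p."""
    return pow(peer_public, secret, p)


def dh_exchange(p=23, g=5, a=6, b=15):
    """Return (A, B, s): both parties arrive at the same s without ever sending it."""
    A = dh_public(g, a, p)            # step 2: Party 1 -> Party 2
    B = dh_public(g, b, p)            # step 3: Party 2 -> Party 1
    s1 = dh_shared(B, a, p)           # step 4: Party 1 computes B^a mod p
    s2 = dh_shared(A, b, p)           # step 5: Party 2 computes A^b mod p
    if s1 != s2:
        raise AssertionError("shared secrets differ")
    return A, B, s1


def discrete_log(g, target, p):
    """Brute force the x with g^x mod p == target; takes up to p-1 tries, so only
    practical for toy-sized p. Real groups use primes of 2048 bits or more."""
    for x in range(p):
        if pow(g, x, p) == target:
            return x
    return None


def eavesdropper_recovers_secret(p=23, g=5, a=6, b=15):
    """Seeing only p, g, A and B on the wire, recover s by solving for a."""
    A, B, _ = dh_exchange(p, g, a, b)
    a_guess = discrete_log(g, A, p)
    return dh_shared(B, a_guess, p)


if __name__ == "__main__":
    A, B, s = dh_exchange()
    print(f"A={A} B={B} shared secret={s}")             # A=8 B=19 shared secret=2
    print("eavesdropper recovers:", eavesdropper_recovers_secret())
```

The protocol's security rests entirely on discrete_log being infeasible for the group in use; the "generator and base" agreed in step 1 are therefore not a free choice, and in practice they come from a published group (the PKCS #3 standard in the table above covers the agreement format).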
Key Management     Key Generation – Typically generated using a random number generator. Branch Prediction Analysis (BPA) attack – Used in modern processors that use branch prediction and Simultaneous multithreading (SMT).CCNA Security IINS (640-553) The bit lengths are not directly comparable to symmetric bit lengths. AES. A 1024 bit RSA key is considered equal to an 80 bit symmetric key. p=23 and base g=5.
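The five DH steps above, run with the notes' toy values (p=23, g=5, a=6, b=15), as an added example that is not part of the study notes; modpow, random_secret, dh_exchange and discrete_log_by_trial are the editor's own names, and the last function only exists to show why the notes pair DH with 768 to 1536 bit primes.

```python
"""Diffie-Hellman walk-through with the notes' toy values (p=23, g=5, a=6, b=15).
Added example, not from the study notes; all function names are the editor's own."""
import secrets


def modpow(base: int, exp: int, mod: int) -> int:
    """Square-and-multiply modular exponentiation (same result as pow(base, exp, mod))."""
    result, base = 1, base % mod
    while exp > 0:
        if exp & 1:
            result = (result * base) % mod
        base = (base * base) % mod
        exp >>= 1
    return result


def random_secret(p: int) -> int:
    """Private exponent in [1, p-2] from the OS CSPRNG (the 'Key Generation' step above)."""
    return 1 + secrets.randbelow(p - 2)


def dh_exchange(p: int, g: int, a: int, b: int) -> dict:
    """Both sides of the exchange. Only A and B cross the wire; a, b and s never do."""
    A = modpow(g, a, p)           # step 2: Party 1 sends A = g^a mod p
    B = modpow(g, b, p)           # step 3: Party 2 sends B = g^b mod p
    s_party1 = modpow(B, a, p)    # step 4: Party 1 computes s = B^a mod p
    s_party2 = modpow(A, b, p)    # step 5: Party 2 computes s = A^b mod p
    return {"A": A, "B": B, "s_party1": s_party1, "s_party2": s_party2}


def discrete_log_by_trial(p: int, g: int, public: int) -> int:
    """The problem a passive observer of p, g and A faces to learn a. Trial search works
    here only because p is tiny; the 768 to 1536 bit primes of DH groups 1, 2 and 5 in
    the IPSec components table are what make the same search infeasible in practice."""
    for x in range(1, p):
        if modpow(g, x, p) == public:
            return x
    raise ValueError("no exponent found")


if __name__ == "__main__":
    print(dh_exchange(23, 5, 6, 15))   # {'A': 8, 'B': 19, 's_party1': 2, 's_party2': 2}
    a, b = random_secret(23), random_secret(23)
    r = dh_exchange(23, 5, a, b)
    print(r["s_party1"] == r["s_party2"])  # True for any a, b
```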

- Key Revocation and Destruction – A method to notify all interested parties that a key has been compromised and should not be used.

PKI
PKI uses asymmetric encryption.
- Message Confidentiality – the message is encrypted with the receiving party’s public key. Only the receiving party can decrypt the message with their private key.
- Message authenticity – The message is encrypted using the sender's private key. The message can only be decrypted with the sender's public key, proving the message is authentic.

A public key infrastructure contains the following parts
- Certificate Authorities
- Users, people, devices etc
- Storage and Protocols
- Supporting organisational framework
- Supporting legal framework

Certificates
A Certificate contains
1. Public key of the device/server.
2. Device signature (name and other information) encrypted with the private key of the device/server. This can only be decrypted using the public key, which proves the device/router is who it says it is.
3. Certificate Authority Signature. This is the name of the CA encrypted with the CA private key. Only the CA public key can decrypt the signature, proving the certificate was signed by the certification authority.

A certificate can have a certificate class to indicate the trustworthiness of the certificate. Typically a number, the higher the number the more trustworthy the certificate. The higher the class the more must be done to prove the authenticity of the requester. Class 0 may require no checks, class 1 may require an email from the domain to prove identity.

To request a certificate a host will create a request containing all required information using PKCS #10, package this up in a PKCS #7 message then send it to the CA for generation/signing.

SCEP (Simple Certificate Enrolment Protocol) – SCEP is an automated method to manage certificates. It allows a number of operations: certificate enrolment, certificate revocation, certificate query request, CRL query etc. Operates in two modes
Manual – Administrator approves the request

Pre-shared key – Devices will pass a key to the CA to allow the CA to automatically generate the certificate.

Cisco routers support the following CA appliances / servers
- Entrust
- Baltimore
- Verisign
- Windows 2000

Certificate Authority
A trusted third party which signs/issues certificates to users or devices, in effect creating a trust relationship. A CA can perform many tasks in addition to signing user certificates, such as authenticating users when they enrol with the PKI, key generation and distribution of certificates. These tasks can be offloaded to a Registration Authority (RA) enabling the CA to concentrate on signing.

There are multiple topologies for a PKI system
- Single root – Difficult to scale and vulnerable in that if the root key is compromised all certificates generated are invalid.
- Hierarchical – A root CA in turn issues certificates to subordinate CA’s. The subordinate CA’s then issue certificates to end users. This improves scalability and reduces the impact if a key is compromised.
- Cross-certifying – A CA will cross certify with another CA on a different PKI installation.

IPSec Components
Name | Use | Bits | Protection
AH | Protocol | - | Provides Authentication, Data Integrity and Anti replay using HMAC codes. The entire IP Packet is hashed so it will not work through NAT
ESP | Protocol | - | Provides Encryption, Authentication, Data Integrity and Anti replay
DES (S) | Encryption | 56 | 64 bit keys, 8 bits are parity
3DES (S) | Encryption | 168 | Three 56 bit keys are used. Key 1 encrypt, 2 decrypt, 3 encrypt
AES (S) | Encryption | 128, 192, 256 |
MD5 | Hash / Auth | 128 |
SHA-1 | Hash / Auth | 160 |
DH1 (A) | VPN Phase 1 initiation, used to create a shared secret key without actually passing the key between the two parties | 768 |
DH2 (A) | (as DH1) | 1024 |
DH5 (A) | (as DH1) | 1536 |
DH7 (A) | (as DH1) | |
RSA (A) | | 360 to 2048 |

IPSec Benefits
- Authentication – Ensures the connection is made with the correct remote endpoint.
- Data Integrity – Hashing (HMAC-MD5, HMAC-SHA-1)
- Confidentiality – Data is encrypted as it flows through the VPN

- Anti-Replay – Ensures each packet is unique. Stops man in the middle devices replaying packets in an attempt to cause system issues.

Operation methods
Transport Mode – packet layout: MAC | IP | ESP | Data. Typically used internally (LAN/WAN) to secure inter host communication.
Tunnel Mode – packet layout: MAC | IP | ESP | IP | Data. Typically used to secure and tunnel data over the internet.
NOTE – In the original diagram italics indicate encrypted data (the Data in transport mode; the inner IP header and Data in tunnel mode).

Negotiation
1. Interesting traffic initiates the raising of the VPN. Uses an ACL to match interesting traffic.
2. IKE Phase 1 – IKE (ISAKMP) tunnel.
3. IKE Phase 2 – IPSec tunnel.
4. Data is transferred.
5. VPN is torn down.

Phase one
Main Mode – Three exchanges
1. Exchange and negotiate policy and algorithms. This data is sent unencrypted.
2. Exchange DH keys.
3. Identity verification / authenticates an Internet Security Association and Key Management Protocol (ISAKMP) session using PSK or certificates.
The result of these transfers is a bi-directional tunnel ready for phase two negotiation.

Aggressive Mode – A total of three packets are sent
1. The initiator sends all data required to initiate an SA.
2. The responder replies with the proposal, key and ID, and authenticates the session.
3. The initiator replies by authenticating the session.

Phase two
This uses a mode called ‘Quick Mode’ to negotiate IPSec parameters/transform sets, establish the IPSec SAs and periodically renegotiate the SAs to improve security. Two unidirectional IPSec SA’s are generated during phase 2.

IPSec Authentication
Username / Password – Used for user access VPNs
One time password – Used for user access VPNs
Pre shared key – Typically used for site to site VPNs, both ends have the same pre shared key. Works well for small networks but can become unmanageable for large networks (10 to 15 sites) as ideally the pre shared key should be changed frequently.
Certificates – Each end point receives a certificate from a trusted certificate authority, other endpoints can then verify the endpoint by examining the certificate
1. All routers will enrol with a CA (OOB).
2. The router will receive the CA's public key and certificate to verify the CA. This allows the router to trust the CA.
3. The CA will issue each router with its own certificate.
4. A router can authenticate another router by passing its certificate and public key. The receiving router will decrypt the certificate using the sending router's public key and verify the CA signature using the CA public key. The routers will then generate a session key (AES, DES etc).

Configuring Site to Site VPNs
Configuring Site to Site VPNs using SDM
SDM Site-to-Site VPN offers two creation modes
Quick Setup – This uses a number of default options. Prompts for the ext interface (the interface where the encrypted traffic originates), remote peer IP address, remote destination IP address range and authentication (PSK or certificates). The following defaults are used – Phase 1: 3DES, SHA_1, DH2; Phase 2: ESP_3DES, ESP_SHA_HMAC.
Step by Step wizard – Allows defining all parameters.

Typical generated config
(config) # access-list 100 remark SDM_ACL Category=4
(config) # access-list 100 remark IPSec Rule
(config) # access-list 100 permit ip 10.0.0.0 0.0.0.255 192.168.1.0 0.0.0.255
(config) # crypto ipsec transform-set VSPTSET esp-sha-hmac esp-3des
(cfg-crypto-trans) # mode tunnel
(cfg-crypto-trans) # exit
(config) # crypto map SDM_CMAP_1 1 ipsec-isakmp
(config-crypto-map) # description Tunnel to4.2.2.2
(config-crypto-map) # set transform-set VSPTSET
(config-crypto-map) # set peer 4.2.2.2
(config-crypto-map) # match address 100
(config-crypto-map) # exit
(config) # interface Vlan1
(config-if) # crypto map SDM_CMAP_1
(config-if) # exit

(config) # crypto isakmp policy 1
(config-isakmp) # authentication pre-share
(config-isakmp) # encr 3des
(config-isakmp) # hash sha
(config-isakmp) # group 2
(config-isakmp) # lifetime 86400
(config-isakmp) # exit
(config) # crypto isakmp key ***** address 4.2.2.2

Configuring Site to Site VPNs using CLI
Allow IPSec traffic through the external interface ACLs
- ISAKMP – UDP 500
- ESP – IP Protocol 50
- AH – IP Protocol 51

access-list 101 permit udp host 82.70.0.213 host 82.70.0.209 eq isakmp
access-list 101 permit udp host 82.70.0.213 host 82.70.0.209 eq non500-isakmp
access-list 101 permit esp host 82.70.0.213 host 82.70.0.209
access-list 101 permit ahp host 82.70.0.213 host 82.70.0.209

ISAKMP Phase 1
Mode | Description | Command Syntax
# | Enable ISAKMP debugging | debug crypto isakmp
# | Show defined ISAKMP policies | show crypto isakmp policy
# | Show active ISAKMP Security Associations | show crypto isakmp sa
(config) | Enable ISAKMP globally | crypto isakmp enable
(config) | Define an isakmp policy | crypto isakmp policy no
(config-isakmp) | Set authentication method | authentication <pre-share / rsa-encr / rsa-sig>
(config-isakmp) | Set DES / 3DES encryption | encryption <des / 3des>
(config-isakmp) | Set AES encryption and key length | encryption aes <128 / 192 / 256>
(config-isakmp) | Set hashing | hash <md5 / sha>
(config-isakmp) | Set DH group | group <1 / 2 / 5 / 14 / 15 / 16>
(config-isakmp) | Set the lifetime | lifetime seconds
(config) | Set the method of identifying this router in the phase 1 tunnel (the identity of this router) | crypto isakmp identity <address / dn / hostname>
(config) | Set the Phase 1 key for a peer: configure the key for the remote ip address | crypto isakmp key key address ipaddress
(config) | Configure the key for the remote hostname | crypto isakmp key key hostname hostname

Example
(config) # crypto isakmp enable
(config) # crypto isakmp policy 20
(config-isakmp) # authentication pre-share
(config-isakmp) # encryption aes 128
(config-isakmp) # group 2
(config-isakmp) # hash sha
(config-isakmp) # lifetime 28800
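Phase 1 only comes up when the two peers hold a matching ISAKMP policy, so a quick way to see what the policy commands above mean is to model the match in code. This is an added example, not Cisco code; the router configs are constructed (policies 1 and 20 copy the two examples on this page), and the matching rules in the docstring are the editor's assumptions, not verified against a particular IOS release.

```python
"""IKE Phase 1 (ISAKMP) policy matching between two IOS peers, modelled in Python.
Added example, not Cisco code. The router configs are constructed for the demo.
Assumed rules (editor's own, not verified against a specific IOS release): the
initiator offers its policies lowest priority number first, the responder accepts
the first offer that matches one of its own policies on encryption, hash, DH group
and authentication, and the shorter of the two lifetimes is used for the SA."""
from typing import List, Optional, Tuple

# Assumed values for parameters a policy does not set (classic IOS defaults).
DEFAULTS = {"encryption": "des", "hash": "sha", "group": 1,
            "authentication": "rsa-sig", "lifetime": 86400}


def parse_policies(config: str) -> List[dict]:
    """Parse 'crypto isakmp policy N' blocks from IOS-style text, lowest priority first."""
    policies: List[dict] = []
    current: Optional[dict] = None
    for raw in config.splitlines():
        tokens = raw.strip().split()
        if not tokens or tokens[0] == "!":
            continue
        if tokens[:3] == ["crypto", "isakmp", "policy"]:
            current = dict(DEFAULTS, priority=int(tokens[3]))
            policies.append(current)
        elif current is None:
            continue                        # global command outside any policy block
        elif tokens[0] in ("encryption", "encr"):
            algo = "-".join(tokens[1:])     # 'encryption aes 128' -> 'aes-128'
            current["encryption"] = "aes-128" if algo == "aes" else algo
        elif tokens[0] == "hash":
            current["hash"] = tokens[1]
        elif tokens[0] == "group":
            current["group"] = int(tokens[1])
        elif tokens[0] == "authentication":
            current["authentication"] = tokens[1]
        elif tokens[0] == "lifetime":
            current["lifetime"] = int(tokens[1])
    return sorted(policies, key=lambda p: p["priority"])


def proposal(policy: dict) -> Tuple[str, str, int, str]:
    """The four parameters that must match exactly between the peers."""
    return (policy["encryption"], policy["hash"], policy["group"], policy["authentication"])


def negotiate(initiator: List[dict], responder: List[dict]) -> Optional[dict]:
    """First initiator offer (priority order) that a responder policy accepts, or None."""
    for offer in initiator:
        for candidate in responder:
            if proposal(offer) == proposal(candidate):
                return {"initiator_policy": offer["priority"],
                        "responder_policy": candidate["priority"],
                        "proposal": proposal(offer),
                        "lifetime": min(offer["lifetime"], candidate["lifetime"])}
    return None


# Constructed configs: policies 1 and 20 on ROUTER_A copy the two examples in the notes.
ROUTER_A = """
crypto isakmp policy 1
 authentication pre-share
 encr 3des
 hash sha
 group 2
 lifetime 86400
crypto isakmp policy 20
 authentication pre-share
 encryption aes 128
 group 2
 hash sha
 lifetime 28800
"""
ROUTER_B = """
crypto isakmp policy 10
 authentication pre-share
 encryption aes 128
 hash sha
 group 2
"""
ROUTER_C = """
crypto isakmp policy 10
 authentication pre-share
 encryption aes 128
 hash md5
 group 2
"""

if __name__ == "__main__":
    print(negotiate(parse_policies(ROUTER_A), parse_policies(ROUTER_B)))  # policy 20 <-> 10, lifetime 28800
    print(negotiate(parse_policies(ROUTER_A), parse_policies(ROUTER_C)))  # None: hash mismatch
```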

(config-isakmp) # exit
(config) # crypto isakmp identity address
(config) # crypto isakmp key VPN address 10.0.0.2

IPSec Phase 2
Mode | Description | Command Syntax
# | Debug the IPSec processes | debug crypto ipsec
# | Show all defined transform sets | show crypto ipsec transform-set
# | Show all crypto maps | show crypto map
# | Show active IPSec SAs | show crypto ipsec sa
# | Show active IPSec SAs | show crypto engine connections active
# | Show active IPSec SAs | show crypto session
(config) | Create a Transform Set | crypto ipsec transform-set tag <encrypt> <hash>
(cfg-crypto-trans) | Set Tunnelling mode | mode <tunnel / transport>
(config) | Set IPSec tunnel timeout (lifetime in seconds) | crypto ipsec security-association lifetime seconds sec
(config) | Set IPSec lifetime in kilobytes | crypto ipsec security-association lifetime kilobytes kb
(config) | Create access list to match traffic | access-list no permit ip x.x.x.x y.y.y.y x.x.x.x y.y.y.y
(config) | Create the map | crypto map tag sequence ipsec-isakmp
(config-crypto-map) | Set the IP addresses to encrypt | match address aclno
(config-crypto-map) | Set remote IP address | set peer remoteipaddress
(config-crypto-map) | Set the IPSec transform set | set transform-set transformsettag
(config-if) | Apply the Crypto map to an interface | crypto map maptag
NOTE – only one crypto map tag can be assigned to an interface but multiple crypto maps can be configured against the tag by using different sequence numbers.

Example
(config) # crypto ipsec transform-set VPNTRANSFORM esp-aes 128 esp-sha-hmac
(cfg-crypto-trans) # exit
(config) # crypto ipsec security-association lifetime seconds 3660
(config) # access-list 150 permit ip 172.20.0.0 0.0.255.255 172.31.0.0 0.0.255.255
(config) # crypto map VPN 1 ipsec-isakmp
(config-crypto-map) # match address 150
(config-crypto-map) # set peer 10.0.0.2
(config-crypto-map) # set transform-set VPNTRANSFORM
(config-crypto-map) # exit
(config) # interface fastethernet 0/0
(config-if) # crypto map VPN
(config-if) # exit
(config) # ip route 172.31.0.0 255.255.0.0 10.0.0.2

Clear a Tunnel
# clear crypto isakmp
# clear crypto sa

Endpoint Security
Endpoint Security Introduction
Operating Systems
Operating systems provide some basic security services to applications
- Trusted Code – Ensures code / the OS system is not compromised, using a HMAC (Hash Message Authentication Code) or digital signatures.
- Trusted Path – A facility to ensure that a user is performing a genuine operation rather than a Trojan horse, e.g. Ctrl-Alt-Delete to login to a Windows OS.
- Privileged context of execution – Provides some identity authentication and privileges based on the identity of the user.
- Memory isolation – Protects the memory space of one application from others.
- Access control – Restricts access to files from unauthorised users. These can be monitored by the reference monitor.

Additionally other techniques can help protect endpoints
- Least privilege – A process/user should never be given higher privileges than required.
- Isolation between processes – An OS should isolate a process from all other processes.
- Reference Monitor – A control concept that provides a mechanism that mediates all access to objects.
- Small verifiable pieces of code – Small code blocks that do a small amount of work in a controlled, bug free and secure manner.

Applications
Application attacks are one of two types
- Direct – An attacker gets the application to perform a task.
- Indirect – An attacker compromises a different system and then launches an attack on the target through the compromised system (privilege escalation).

Phases of an attack
- Probe – Find vulnerable targets using ping sweeps, open port scans etc.
- Penetrate – Once a vulnerable system is found, take advantage of the vulnerability to gain access to the system.
- Persist – Once the vulnerable code is on the target and running, find a way of ensuring the code runs at all times, even after a reboot.
- Propagate – Find other vulnerable systems in order to spread the attack to other systems.
- Paralyse – Carry out the malicious action (erase data, steal data, cause DoS, launch a distributed DoS attack etc).

Example of some previous attacks and their phases
Morris (1988) – Probe: Scan for fingerd. Penetrate: Buffer overflow in fingerd. Persist: Execute script to download code. Propagate: Look for email addresses to spread. Paralyse: Run many processes to slow the system.
Love Bug (2000) – Probe: -. Penetrate: Email attachment. Persist: Create executable and edit registry. Propagate: Open address book and email copies. Paralyse: Worm spreads.
Code Red (2001) – Probe: Scan for IIS. Penetrate: Buffer overflow in IIS. Persist: Execute script to download code. Propagate: Pick new address and spread to new victims. Paralyse: Run many processes to slow the system.
Slammer (2003) – Probe: -. Penetrate: Buffer overflow in MSDE and MSSQL. Persist: -. Propagate: Pick new address and spread to new victims. Paralyse: Generate lots of network packets to slow the network.
MyDoom (2004) – Probe: -. Penetrate: Email attachment. Persist: Create executable and edit registry. Propagate: Open address book and email copies. Paralyse: Worm spreads.
Zotob (2005) – Probe: Scan for MS Directory Services. Penetrate: Buffer overflow in UPnP. Persist: Create executable, edit the registry and download code; start FTP and TFTP services. Paralyse: Delete registry keys and files and terminate processes.

Cisco NAC
NAC is designed to only allow authorised and compliant systems access to the network by providing four main features
- Authentication and authorisation
- Posture assessment – Evaluates the security of the device against defined policies
- Quarantining of noncompliant systems
- Remediation of noncompliant systems

NAC Components
NAC Framework – A framework using the Cisco network infrastructure and third-party systems, using software modules embedded within NAC enabled devices.
Cisco NAC Appliance – A self contained appliance that performs all the NAC functions. Does not require Cisco infrastructure.
Cisco NAC Appliance Manager (NAM) – A centralised web based administrative tool for managing users and security policies.
Cisco NAC Appliance Server (NAS) – A device that performs network access control and device compliance checks as users access the network.
Cisco NAC Appliance Agent – Software that runs on the client / endpoint computer that is used to audit the endpoint for compliance and launch updates.

The NAC Process
1. The user attempts to access a network resource.
2. User is redirected to a login page.
3. The host is scanned for posture compliance.
   a. If compliant the host is granted access to the network.
   b. If not compliant the host is quarantined to a separate VLAN which only allows the host to be patched / remediated.

Cisco Security Agent (CSA)
A host based security solution designed to prevent a host being compromised by DoS, Worms, Spyware, Viruses etc. CSA is not a conventional signature based virus/spyware scanner but functions as a host based IPS (HIPS) to detect anomalies or signs of undesirable behaviour such as Windows registry changes, launching port scans etc. CSA operates by intercepting operating system and application calls using four interceptors which examine the calls against security policies. If a policy is violated an error message is passed back to the calling application and an alert is generated to be sent to the Management Centre for CSA.

Interceptors
- File system Interceptor – Scans all file reads and writes.
- Network Interceptor – All network access is scanned. This can also limit the number of network connections allowed within a specific time to prevent DoS attacks.
- Configuration Interceptor – Read and write attempts to the registry in Windows and rc files in Unix systems are checked for compliance.
- Execution Space Interceptor – Detects and blocks attempts to access memory not owned by the calling application.

The interceptors combined give the following functionality: distributed firewall, HIPS, application sandbox, network worm prevention and file integrity monitoring.

The agent runs in two modes
- Managed – The agent is managed by and reports to Cisco CSA Management Centre and/or MARS.
- Headless – The agent is installed in a standalone configuration.

IronPort
Cisco IronPort security appliances protect networks from internet based threats, particularly email and web security. The range consists of three products
- IronPort C-Series – Email security. This appliance implements a full mail transfer agent and can provide anti-x capabilities, policy enforcement and mail routing. The basis of the email security appliance is SenderBase (http://www.senderbase.org) which collects data from more than 100,000 ISPs and other organisations on various email parameters to derive trends and virus/spyware propagation data.
- IronPort S-Series – Web security using Web Reputation data (trustworthiness) and a Dynamic Vectoring and Streaming (DVS) engine to provide signature based spyware filtering.
- IronPort M-Series – Management, reporting and spam quarantine management.

SAN and Voice Security
SAN Security
SANs help reduce capital and operating expenses, increase storage versatility to respond to changing business priorities & requirements and improve backup, replication & recovery.

Communication types
- Fibre Channel – The primary SAN transport for host to SAN communications.
- iSCSI – This uses an IP network to transport the SCSI communications between a host and a storage system. This is cheaper to implement as the existing network infrastructure can be used.
- FCIP – Used to connect SANs to SANs over an IP network (WAN or MAN).

Logical Unit Number (LUN) – An address for an individual disk/volume on a SCSI bus / HBA.
World Wide Name – A 64bit address used by Fibre Channel networks to identify each element. This is written like 54:25:B5:3E:76:FE:43:FF.
Host Bus Adaptor (HBA) – The interface card that is installed in a server to communicate with the fibre channel infrastructure.

Securing SANs
- LUN Masking – An authorisation process that allows access to a LUN at the host bus adaptor level. This is typically used as a means to stop misbehaving servers from corrupting disks not belonging to themselves. This is not considered secure as the HBA could become compromised or the source address could be forged.
- Soft zoning – This partitions the SAN into smaller subsets by restricting the name services in the fibre channel fabric/switches from advertising the devices a host is not allowed to communicate with. If the host already knows the volume address it can still gain access.
- Hard zoning – This restricts access using ACLs applied to the fibre channel switch port ASICs.
- Virtual SAN (VSAN) – Similar to network VLANs.

Port Authentication
Diffie-Hellman Challenge Handshake Authentication Protocol (DHCHAP) – Password based key exchange protocol supporting switch to switch and host to switch authentication.
Challenge Handshake Authentication Protocol (CHAP) – The mandatory protocol using shared secrets for iSCSI authentication.
Fibre Channel Authentication Protocol (FCAP) – This uses certificates (or keys) to authenticate hosts. It requires a PKI and as such has strong security capabilities. The only significant disadvantage is the requirement for a PKI.
Fibre Channel Password Authentication Protocol (FCPAP) – Optional password based authentication key exchange protocol offering mutual authentication between fibre channel ports. This has many of the benefits of FCAP without requiring a PKI.

Data Confidentiality
Two protocols are available to ensure data confidentiality when in transit
- ESP
- Fibre Channel Security Protocol (FC-SP)

Voice Security
Definitions
- VoIP – Transmission of voice data over an IP network.
- IP Telephony – Is the superset of VoIP including all telephony aspects such as dialling, signalling, address translation, call admission control, unified messaging, QoS, gateways, gatekeepers etc.
- Gateway – Translation between IP and traditional telephony (PSTN, fax machines, PBXs).
- Call Agent – Provides call control and advanced features (advanced call routing, long distance toll bypass, encryption). CUCME & CUCM function as call agents.
- Gatekeeper – AKA Cisco Multimedia Conference Manager (MCM), provides bandwidth management.

Some benefits of VoIP – Cost savings, flexibility, advanced features.

Voice Attacks
- SPIT – Spam over IP telephony.
- Vishing – An attacker attempts to gain confidential information over a telephone.
- Toll Fraud – Inappropriate use of a telephony system to make long distance / international calls.
- SIP Attacks – Use the open SIP standard to intercept or manipulate SIP messages or launch a DoS attack.
- Eavesdropping – Listening in on conversations.

IP Phone vulnerabilities
Cisco IP phones by default have an unsecured web interface accessible using HTTP. Web access and other vulnerabilities such as Gratuitous ARP can be disabled on the CUCM ephone configuration screens.

Approaches to secure VoIP
- Auxiliary / Voice VLANs – Use auxiliary VLANs when daisy chaining PCs to the phones' switch ports. The PC will not be able to access the phone's RTP stream.
- Encapsulation/VPN – The SCCP (Skinny) communications between a phone and CUCM can be encapsulated in TLS/SSL. Additionally the RTP stream between phones can be secured using TLS/SSL (SRTP).
- Phone loads/Images – Loads can be signed using a Cisco private key to ensure only Cisco phone images are loaded on to a phone.
- Phone configuration files – Can be signed with a private key of the TFTP server to ensure the config files are genuine. In effect the phone will only accept config files from the specified TFTP server.

Notes
Open DNS server 4.2.2.2
Syslog Server – Kiwi Syslog Server http://www.kiwisyslog.com/
SNMP Logging Tool – http://www.splunk.com/product
Vulnerability Scanner – http://www.nessus.org/nessus/

Further Reading
Zone based Firewall http://www.cisco.com/en/US/products/sw/secursw/ps1018/products_tech_note09186a00808bc994.shtml
VPN http://www.cisco.com/en/US/docs/solutions/Enterprise/WAN_and_MAN/IPSec_Over.html#wp1001659