Table of Contents

Chapter 1
Network Security Principles ..................3

CCNA Security 640-554
Quick Reference

Chapter 2
Perimeter Security ............................... 23
Chapter 3
Cisco IOS Firewalls............................... 39
Chapter 4
Site-to-Site VPNs.................................. 50
Chapter 5
Cisco IOS IPS ........................................ 66
Chapter 6
LAN, SAN, Voice,
and Endpoint Security .......................... 79

Anthony Sequeira
CCIE, CCSI, VCP, Data Center Specialist

ciscopress.com

[2]
CCNA Security 640-554 Quick Reference

About the Author
Anthony Sequeira, CCIE No. 15626, is a Cisco Certified Systems Instructor and author regarding all levels and
tracks of Cisco Certification. Anthony formally began his career in the information technology industry in 1994 with
IBM in Tampa, Florida. He quickly formed his own computer consultancy, Computer Solutions, and then discovered
his true passion—teaching and writing about Microsoft and Cisco technologies. Anthony joined Mastering
Computers in 1996 and lectured to massive audiences around the world about the latest in computer technologies.
Mastering Computers became the revolutionary online training company KnowledgeNet, and Anthony trained there
for many years. Anthony is currently pursuing his second CCIE in the area of Security and is a full-time instructor
for the next generation of KnowledgeNet, StormWind Live.

About the Technical Editor
Sean Wilkinsis an accomplished networking consultant for SR-W Consulting (http://www.sr-wconsulting.com)
and has been in the field of IT since the mid 1990s working with companies such as Cisco, Lucent, Verizon and
AT&T. Sean currently holds certifications with Cisco (CCNP/CCDP), Microsoft (MCSE), and CompTIA (A+
and Network+). He also has a master’s of science degree in Information Technology with a focus in Network
Architecture and Design, a master’s of science degree in Organizational Management, a master’s certificate in
Network Security, a bachelor’s of science degree in Computer Networking, and an associate’s degree in Applied
Science in Computer Information Systems. In addition to working as a consultant, Sean spends a lot of his time as a
technical writer and editor for various companies.

© 2012 Pearson, Inc. All rights reserved. This publication is protected by copyright. Please see page 89 for more details.

. and other methods are the focus.[3] CCNA Security 640-554 Quick Reference Chapter 1 Network Security Principles Network Security Fundamentals This section covers the need for network security and the security objectives found within most organizations. intrusion prevention systems (IPS). Internal threats are the most serious. Network Security Objectives Network security should provide the following: ■ Data confidentiality ■ Data integrity ■ Data and system availability © 2012 Pearson Education. Please see page 89 for more details. All rights reserved. For example. These threats often occur because best practices are not followed. This publication is protected by copyright. routers with access control lists (ACL). External threats typically rely on technical methods to attack the network. Firewalls. or in-house developers use insecure programming practices. blank or default passwords are used. This section also examines the different types of attacks that modern networks can experience. The CCNA in Security focuses on combating these attacks using technical means. Inc. Why Do We Need Network Security? Network threats include internal and external threats.

Information security risk is the measure of the impact of threat vectors exploiting the vulnerabilities of the assets you must to protect. A countermeasure is a safeguard that mitigates against potential risks. and physical controls. protocol weaknesses. . These attacks typically try to fail a system using an unexpected condition or input. A threat is a potential danger to information or systems. Please see page 89 for more details. Powerful methods to ensure confidentiality are encryption and access controls. Common categories include policy flaws. and Threats Assets are anything of value to the organization. Not all assets have the same value. An organization must classify its assets. technical. Data Classification Public-sector classification levels include the following: ■ Unclassified ■ Sensitive but unclassified (SBU) © 2012 Pearson Education. Integrity ensures that data has not been changed by an unauthorized individual. or fail an entire network with a large quantity of information. Countermeasures are typically administrative.[4] Chapter 1: Network Security Principles Confidentiality ensures that only authorized individuals can view sensitive data. Availability ensures that access to the data is uninterrupted. This publication is protected by copyright. All rights reserved. Denial-of-service (DoS) attacks attempt to compromise data availability. Vulnerabilities. and software vulnerabilities. A vulnerability is a weakness in a system or a design that might be exploited. Inc. Assets. There is a National Vulnerability Database and also a Common Vulnerabilities and Exposures document.

■ Personal association: The data is associated with sensitive issues or individuals. ■ Useful life: Information can be made obsolete with newer information.[5] Chapter 1: Network Security Principles ■ Confidential ■ Secret ■ Top-secret Private-sector classification levels include the following: ■ Public ■ Sensitive ■ Private ■ Confidential Classification criteria include the following: ■ Value: This is the most important factor. . This publication is protected by copyright. Inc. Classification roles include the following: ■ Owner ■ Custodian (responsible for the day-to-day management of the data) ■ User © 2012 Pearson Education. All rights reserved. Please see page 89 for more details. ■ Age: With time. the sensitivity of data typically decreases.

civil. © 2012 Pearson Education. and software. Laws and Ethics Security policy must attempt to follow criminal. Technical controls involve electronics. The system should not be shut down or rebooted before the investigation begins. Physical controls are mostly mechanical. Studying these attacks is the first step to defend against them. and means. opportunity. All rights reserved. Ethics refer to values that are even higher than the law. Network Attack Methodologies You must understand the command types of attacks that a network can experience. or detective. deterrent. hardware.[6] Chapter 1: Network Security Principles Security Controls Administrative controls involve policies and procedures. Inc. Responses Investigators must prove motive. Controls are categorized as preventative. Please see page 89 for more details. and administrative law. This publication is protected by copyright. .

An exploit happens when computer code is developed to take advantage of a vulnerability.[7] Chapter 1: Network Security Principles Motivations and Classes of Attack A vulnerability is a weakness in a system that can be exploited by a threat. This publication is protected by copyright. The main vulnerabilities of systems are categorized as follows: ■ Design errors ■ Protocol weaknesses ■ Software vulnerabilities ■ Misconfiguration ■ Hostile code ■ Human factor Potential adversaries can include the following: ■ Nations or states ■ Terrorists ■ Criminals ■ Hackers ■ Corporate competitors ■ Disgruntled employees ■ Government agencies © 2012 Pearson Education. All rights reserved. Please see page 89 for more details. . A risk is the likelihood that a specific attack will exploit a particular vulnerability of a system. Inc.

and the modification of computer hardware and other electronic devices. ■ Crackers (criminal hackers): Hackers with a criminal intent to harm information systems. Enumerate applications and operating systems. Manipulate users to gain access. Perform footprint analysis (reconnaissance). Leverage the compromised system. 2. including the following: ■ Hackers: Individuals who break into computer networks and systems to learn more about them. How Does a Hacker Usually Think? 1. . All rights reserved. Please see page 89 for more details. They do not write their own code. Instead. © 2012 Pearson Education. 7. ■ Hacktivists: Individuals who have a political agenda in doing their work. Inc. Escalate privileges. ■ Academic hackers: People who enjoy designing software and building programs with a sense for aesthetics and playful cleverness. Install back doors. they run scripts written by other. ■ Hobby hacker: Focuses mainly on computer and video games. This publication is protected by copyright. more skilled attackers. 5. 6. ■ Script kiddies: Individuals with low skill level. Gather additional passwords and secrets. ■ Phreakers (phone breakers): Individuals who compromise telephone systems.[8] Chapter 1: Network Security Principles Many different classifications are assigned to hackers. 3. software cracking. 4.

Inc. In IP spoofing. the attacker sends messages to a computer with an IP address that indicates the message is coming from a trusted host. ■ Deploy IDS or IPS. ■ Use robust components. Hackers can guess or predict the TCP sequence numbers that are used to construct a TCP packet without receiving any responses from the server. . ■ Defend the enclave boundaries. IP spoofing is often the first step in the abuse of a network service. ■ Defend the computing environment. Please see page 89 for more details. Their prediction allows them to spoof a trusted host on a local network. This publication is protected by copyright. The basis of IP spoofing lies in an inherent security weakness in TCP known as sequence prediction. All rights reserved. ■ Use robust key management. © 2012 Pearson Education. Enumeration and Fingerprinting Ping sweeps and port scans are common practices to identify all devices and services on the network. These reconnaissance attacks are typically the first steps in a much larger more damaging attack. IP Spoofing IP spoofing refers to forging the source address information of a packet so that the packet appears to come from some other host in the network. ■ Build layered defenses.[9] Chapter 1: Network Security Principles Defense in Depth The defense-in-depth strategy recommends several principles: ■ Defend in multiple places. or a DoS type of attack.

Figure 1-1 shows a man-in-the-middle attack. Man-in-theMiddle Host A Host B R1 R2 Figure 1-1 Man-in-the-Middle Attack © 2012 Pearson Education. Cisco IOS routers drop all source-routed packets if the no ip sourceroute global command is configured. Please see page 89 for more details. Source routing is the capability of the source to specify within the IP header a full routing path between endpoints.[ 10 ] Chapter 1: Network Security Principles IP spoofing attacks are categorized in one of two ways: ■ Nonblind spoofing: The attacker sniffs the sequence and acknowledgment numbers and does not need to “predict” them. Man-in-the-middle attacks are often the result of TCP/IP spoofing. . The ACK packet contains the sequence number of the next packet that the client expects. The attacker waits to receive an ACK packet from the client communicating with the server. Spoof attacks are often combined with IP source-routing options set in packets. The attacker then modifies his packet headers to spoof TCP/IP packets from the client. Security devices. ■ Blind spoofing: The attacker sends several packets to the target machine to sample sequence numbers and then predicts them for the attack. All rights reserved. An attacker sniffs to identify the client and server IP addresses and relative port numbers. This publication is protected by copyright. The attacker takes over communications with the server by spoofing the expected sequence number from the ACK previously sent from the legitimate client to the server. Inc. drop such packets by default. This packet results in a reset that disconnects the legitimate client. The attacker replies to the client using a modified packet with the source address of the server and the destination address of the client. such as Cisco PIX 500 Series Security Appliances and the Cisco ASA 5500 Series Adaptive Security Appliances.

© 2012 Pearson Education. looking for information that can provide a valuable source of information for hackers. pharming. by masquerading as a trustworthy entity. ■ Social engineering: Using social skills to manipulate people inside the network to provide the information needed to access the network. ■ Emanations capturing: Capturing electrical transmissions from the equipment of an organization to obtain information about the organization. ■ Port scanning: Searching a network host for open ports. ■ Covert channels: The ability to hide information within a transmission channel based on encoding data using another set of events. This publication is protected by copyright. Inc. ■ Wiretapping: Monitoring the telephone or Internet conversations of a third party. All rights reserved. ■ Phishing. ■ Overt channels: The ability to hide information within a transmission channel based on tunneling one protocol inside another. . passwords. and identity theft: Phishing is an attempt to criminally acquire sensitive information. Steganography is an example of an overt channel: hiding messages in digital pictures and digitized audio. and credit card details.[ 11 ] Chapter 1: Network Security Principles Confidentiality Attacks Attackers can use many methods to compromise confidentiality. Pharming is an attack aimed at redirecting the traffic of one website to another website. ■ Dumpster diving: Searching through company dumpsters. ■ Data diddling: Changing data before or as it is input into a computer. Integrity Attacks Hackers can use many types of attacks to compromise integrity: ■ Salami attacks: A series of minor data security attacks that together result in a larger attack. Please see page 89 for more details. such as usernames. Following are some of the common methods: ■ Packet sniffing: Eavesdropping and logging traffic that passes over a digital network or part of a network.

Trojan horses. © 2012 Pearson Education. The hacker then installs zombie software on them. ■ Password attacks: Any attack that attempts to identify a user account. ■ DDoS (Distributed DoS): Hackers use a terminal to scan for systems to hack. This is a form of DoS. airflow. Please see page 89 for more details. password. or spikes. ■ ICMP floods: The system is sent many false ICMP packets. ■ DoS (denial-of-service): An attack seeks to make a system or service unavailable after the system is sent large amounts of traffic. water. Inc. spyware. humidity.[ 12 ] Chapter 1: Network Security Principles ■ Trust exploits: An individual taking advantage of a trust relationship within a network. ■ SYN floods: The system is sent many different false SYN requests for TCP communication channels. or both. ■ Electrical power: Attacks involve power loss. and gas. . All rights reserved. ■ Session hijacking: The exploitation of a valid computer session to gain unauthorized access to information or services in a computer system. reduction. malware that combines the characteristics of viruses. This publication is protected by copyright. For example. worms. Blended Threats A growing trend is for attacks to combine techniques. Perhaps the trust relationship is between a system in the DMZ and a system in the inside network. Availability Attacks Hackers can use many types of attacks to compromise availability: ■ Botnets: A collection of software robots that run autonomously and automatically. and others. ■ Computer environment: Temperature.

Security Architecture Design Guidelines ■ Defense in depth ■ Compartmentalization ■ Least privilege ■ Weakest link ■ Separation and rotation of duties ■ Hierarchically trusted components and protection © 2012 Pearson Education. ■ Educate employees about the risks of social engineering. ■ Use strong passwords. ■ Control physical access to systems.[ 13 ] Chapter 1: Network Security Principles Best Practices for Mitigation These include the following: ■ Keep patches up-to-date. ■ Shut down unnecessary services and ports. ■ Avoid unnecessary web page inputs. ■ Develop a written security policy for the company. ■ Perform backups and test the backed-up files on a regular basis. ■ Implement security hardware and software. ■ Encrypt and password-protect sensitive data. All rights reserved. . Please see page 89 for more details. This publication is protected by copyright. and change them often. Inc.

[ 14 ] Chapter 1: Network Security Principles ■ Mediated access ■ Accountability and traceability ■ Regulatory compliance ■ Strengthened enforcement ■ Global spread of data breach notification laws ■ More prescriptive regulations ■ Growing requirements regarding third parties (business partners) ■ Risk-based compliance on the rise ■ Compliance process streamlined and automated ■ Examples: HIPAA. ■ Operations and maintenance: Includes configuration management and control. security functional requirements analysis. and hardware and software disposal. ■ Acquisition and development: Includes a risk assessment. security planning. FISMA. and GLB Operation Security Secure Network Life Cycle Management A general system development life cycle (SDLC) includes five phases: ■ Initiation: Consists of a security categorization and a preliminary risk assessment. system integration. Please see page 89 for more details. . security control development. and continuous monitoring. ■ Implementation: Includes inspection and acceptance. This publication is protected by copyright. All rights reserved. and security accreditation. media sanitization. Inc. cost considerations and reporting. and other planning components. developmental security test and evaluation. ■ Disposition: Includes information preservation. © 2012 Pearson Education. security assurance requirements analysis. security certification.

All rights reserved.[ 15 ] Chapter 1: Network Security Principles Security Testing Many types of testing techniques are available: ■ Network scanning ■ Vulnerability scanning ■ Password cracking ■ Log review ■ Integrity checkers ■ Virus detection ■ War dialing ■ War driving (802. a division of McAfee © 2012 Pearson Education. Inc. Please see page 89 for more details. . This publication is protected by copyright.11 or wireless LAN testing) ■ Penetration testing The following list is a collection of popular tools: ■ Nmap ■ GFI LANguard ■ Tripwire ■ Nessus ■ Metasploit ■ SuperScan by Foundstone.

Inc. recovery ■ Post-incident activities Computer Crime Investigations ■ Motive: Why did they do it? ■ Opportunity: Were they able to do it? ■ Means: Were they capable of doing it? Disaster Recovery Possible disruptions can be categorized as follows: ■ Nondisaster: A situation in which business operations are interrupted for a relatively short period of time. eradication. All rights reserved. This publication is protected by copyright. ■ Disasters: These cause interruptions of at least a day. ■ Business Continuity Concepts ■ Maximum Tolerable Downtime (MTD): The maximum length of time a business function can be discontinued without causing irreparable harm to the business © 2012 Pearson Education.[ 16 ] Chapter 1: Network Security Principles Incident Management ■ Preparation ■ Detection and analysis ■ Containment. . Please see page 89 for more details. ■ Catastrophe: The facilities are destroyed. and all operations must be moved.

All rights reserved. It features broad coverage. servers and routers). . A secure virtualized data center is another key component. Inc. The borderless end zone consists of intelligent endpoint traffic routing. Borderless Networking Mobility is dissolving the borders of networks. Please see page 89 for more details.[ 17 ] Chapter 1: Network Security Principles ■ Recovery Time Objective (RTO): The duration of time that a service level within a business process must be restored after a disaster (or disruption) in order to avoid unacceptable consequences associated with a break in business continuity ■ Recovery Point Objective (RPO): The maximum tolerable period in which data might be lost from an IT service due to a major incident Backups ■ Hot site: A completely redundant site with similar equipment to the original site. persistent connectivity. This publication is protected by copyright. ■ Cold site: Does not typically contain redundant computing equipment (for example. ■ Warm site: A facility with similar equipment to the original site but is unlikely to have current data because of a lack of frequent replication with the original site. and advanced security. Borderless security products include the following: ■ Secure-X and context-aware security ■ Threat control and containment ■ Cloud security and data loss prevention ■ Secure connectivity through VPNs ■ Security management © 2012 Pearson Education.

high-level policy creation and enforcements for mobile users. All rights reserved. Please see page 89 for more details. used by management sessions © 2012 Pearson Education. forwarding of data packets ■ Management plane. such as routing protocols ■ Data plane. This publication is protected by copyright. .[ 18 ] Chapter 1: Network Security Principles ■ ■ Cisco SecureX: SecureX is an access control strategy that enables effective. Inc. The components of SecureX include the following: ■ Context awareness ■ Cisco AnyConnect Client ■ TrustSec: End-to-end security using security group tags on traffic ■ Cisco Security Intelligence Operations: Cloud-based security service Threats in cloud services ■ Abuse of cloud computing ■ Insecure interfaces and APIs ■ Malicious insiders ■ Shared technology issues ■ Data loss or leakage ■ Account or service hijacking ■ Unknown risk profile Network Foundation Protection Understanding the device planes: ■ Control plane.

Please see page 89 for more details. . Inc. Zone-Based Firewall. Secure Shell (SSH). Layer 2 controls. Simple Network Management Protocol (SNMP). © 2012 Pearson Education. and IOS Intrusion Prevention System (IPS) Developing a Network Security Policy This section details the creation of a network security policy—an important document that details the security objectives and procedures for the organization. and AutoSecure ■ Management Plane: Authentication. Routing protocol authentication. and Accounting (AAA). Network Time Protocol (NTP). Transport Layer Security (TLS). All rights reserved.[ 19 ] Chapter 1: Network Security Principles Cisco NFP Toolkit ■ Control Plane: Control Plane Policing (CoPP). such as the following: ■ Making employees aware of their security-practice obligations ■ Identifying specific security solutions required to meet the goals of the security policy ■ Acting as a baseline for ongoing security monitoring Components of the Security Policy What are the components found in the network security policy? This section covers these details. Control Plane Protection (CPPr). Why Do You Need One? Aside from protecting organization assets. Authorization. This publication is protected by copyright. Syslog. and command-line interface (CLI) views ■ Data Plane: Access control lists (ACLs). a security policy serves other purposes.

[ 20 ] Chapter 1: Network Security Principles Governing Policy At a high level. This publication is protected by copyright. Following are typical elements of this section: ■ Identification of the issue addressed by the policy ■ Discussion of the organization’s view of the issue ■ Examination of the relevance of the policy to the work environment ■ Explanation of how employees must comply with the policy ■ Enumeration of appropriate activities. © 2012 Pearson Education. Please see page 89 for more details. Elements of this section include the following: ■ E-mail ■ Wireless networks ■ Remote access End-User Policies End-user policies address security issues and procedures relevant to end users. All rights reserved. Inc. actions. rather than the governing policy. and processes ■ Explanation of the consequences of noncompliance Technical Policies Technical policies provide a more detailed treatment of an organization’s security policy. a governing policy addresses security concepts deemed important to an organization. .

Senior management typically oversees the development of a security policy. analysis must be performed of the probability that a threat will occur and the severity of that threat. AV is an asset value. ■ Qualitative analysis: Uses a scenario model. Inc. © 2012 Pearson Education. Senior security or IT personnel are usually directly involved with the creation of the security policy. A sample quantitative analysis formula is ALE = AV * EF * ARO. All rights reserved. this formula calculates the annualized loss expectancy (ALE). where scenarios of risk occurrence are identified. EF is the exposure factor. . The ALE produces a monetary value that you can use to help justify the expense of security solutions. and Avoidance Network designers identify threats to the network using threat identification practices. This publication is protected by copyright. Management. This is risk analysis. When performing risk analysis. you can use one of two approaches: ■ Quantitative analysis: Mathematically models the probability and severity of a risk. Also. and ARO is the annualized rate of occurrence.[ 21 ] Chapter 1: Network Security Principles More Detailed Documents More detailed documents are often contained in a security policy: ■ Standards: Support consistency within a network ■ Guidelines: Tend to be suggestions ■ Procedures: Detailed documents providing step-by-step instructions for completing specific tasks Roles and Responsibilities The ultimate responsibility for an organization’s security policy rests on the shoulders of senior management. Examples of senior security or IT personnel include the following: ■ Chief security officer (CSO) ■ Chief information officer (CIO) ■ Chief information security officer (CISO) Risk Analysis. Please see page 89 for more details.

Analysis. All rights reserved. and Response System): Provides security monitoring for network security devices and host applications made by Cisco and other providers © 2012 Pearson Education. Please see page 89 for more details. ■ Adaptive: The network can intelligently evolve and adapt the threats. ■ Collaborative: Collaboration occurs among the service and devices throughout the network. This publication is protected by copyright. . Inc. Benefits ■ Reduced integration costs ■ Proactive. planned upgrades ■ Improves efficiency of security management Key Tools Note MARS is currently End of Sale/End of Life.[ 22 ] Chapter 1: Network Security Principles Creating the Cisco Self-Defending Network This type of network is built in three phases: ■ Integrated: Every element is a point of defense. ■ Cisco Security Manager: Powerful but easy-to-use solution that enables you to centrally provision all aspects of device configurations and security policies for the Cisco family of security products ■ MARS (Cisco Security Monitoring.

2800 Series. Inc. security.[ 23 ] CCNA Security 640-554 Quick Reference Chapter 2 Perimeter Security Securing Administrative Access to Routers It is critical to secure administrative access to the routers that help power your network infrastructure. All rights reserved. . embedding data. voice. © 2012 Pearson Education. This publication is protected by copyright. Please see page 89 for more details. Router Security Principles Following are three areas of router security: ■ Physical security ■ Operating system ■ Router hardening Cisco Integrated Services Router Family Cisco Integrated Services Routers feature comprehensive security services. Models include the 800 Series. and wireless in the platform portfolio for fast. This section details exactly how you must do this. and 3800 Series. 1800 Series. scalable delivery of mission-critical business applications.

use the command exec-timeout minutes [seconds]. . use the command service password-encryption. These commands can be used: ■ Console password line console 0 login password cisco ■ Virtual terminal password line vty 0 4 login password cisco ■ Enable password enable password cisco ■ Secret password enable secret cisco All these passwords are in clear text in the configuration files with the exception of the enable secret command. To create username and password entries in the local accounts database. such as HTTP or Telnet/SSH. To disable the ability to access ROMMON to disable password recovery on your router. Please see page 89 for more details. use no service password-recovery. This publication is protected by copyright. To encrypt the passwords that are clear text. © 2012 Pearson Education.[ 24 ] Chapter 2: Perimeter Security Configuring Secure Administrative Access You need to secure administrative access for local access (console port) and remote access. Inc. use the syntax username name secret { [0] password | 5 encrypted-secret}. All rights reserved. You can also configure minimum password lengths with the security passwords min-length length command. To configure idle timeouts for router lines. You must password-protect your router.

levels 1 through 14 are levels you can customize. Level 0 is reserved for user-level access privileges. Please see page 89 for more details.[ 25 ] Chapter 2: Perimeter Security Setting Multiple Privilege Levels You can configure multiple privilege levels on the router for different levels of your administrators. Use the command commands parser-mode {include | include-exclusive | exclude} [all] [interface interfacename | command] to assign commands to the selected view. The secure boot-image command protects the IOS image. and level 15 is reserved for privileged mode commands. These protected files do not appear in a dir listing of flash. Using this approach. STEP 3. Use the enable view command to enable the feature. To configure role-based CLI. There are 16 privilege levels. The syntax for this command is privilege mode {level level command | reset command}. Remember that privilege levels “cascade. This publication is protected by copyright. Use the parser view view-name command to create a new view. . STEP 7. use the privilege command from the global configuration mode. Verify using the enable view command. STEP 2. 0 through 15. To see these protected files. © 2012 Pearson Education. use the show secure bootset command.” If a user has level 13 access. Inc. Securing the Cisco IOS image and Configuration Files You can now secure copies of the IOS and your configuration file in memory so that they cannot be maliciously or accidentally erased. Role-Based CLI Access A new approach to having various levels of access for different administrators is called role-based CLI access. Use the configure terminal command to enter global configuration mode. that user also gains access to the commands in levels 1 through 12. and the command secure boot-config protects the running configuration. These views contain the specific commands available for different administrators. All rights reserved. complete the following steps: STEP 1. STEP 5. STEP 6. Use the secret command to assign a password to the view. STEP 4. Enable AAA. To assign privileges to levels 2 through 14. different administrators have different “views” of the CLI.

■ login on-success log [every login] Generates logging messages for successful login attempts.[ 26 ] Chapter 2: Perimeter Security Enhanced Security for Virtual Logins The following commands have been added to enhance security for virtual logins: ■ login block-for seconds attempts tries within seconds This command configures your Cisco IOS device for login parameters that help provide denial-of-service (DoS) detection. The devices that match a permit statement in the ACL are exempt from the quiet period. ■ login delay seconds Configures a delay between successive login attempts. Banner Messages Banner messages are important. ■ show login Verifies that the login block-for command is issued. Please see page 89 for more details. ■ login on-failure log [every login] Generates logging messages for failed login attempts. Inc. © 2012 Pearson Education. you can ensure that unauthorized personnel are informed that they will be prosecuted for illegal access. This publication is protected by copyright. This command is mandatory. . With these messages. The syntax for this command is banner {exec | incoming | login | motd | slip-ppp} d message d. ■ login quiet-mode access-class {acl-name | acl-number} This command specifies an ACL that is to be applied to the router when it switches to quiet mode. All rights reserved. all other commands here are optional.

© 2012 Pearson Education.1. It is also available on a CD-ROM included with new routers and can be downloaded from Cisco. Supporting CCP CCP is factory-installed on some router models.[ 27 ] Chapter 2: Perimeter Security Cisco Configuration Professional (CCP) CCP is a powerful graphical user interface you can use to configure and monitor your Cisco router. you can access CCP from your PC web browser by going to http://10.10.com. All rights reserved. Inc. configure the following services for CCP to access the router properly: ■ Set up a username and password that has privilege level 15: username name privilege 15 secret password ■ Enable the HTTP server: ip ip ip ip ■ http http http http server authentication local secure-server (for enabling HTTPS access to CCP) timeout-policy idle 600 life 86400 request 1000 Define the protocol to use to connect to the Telnet and Secure Shell (SSH) vty lines: line con 0 login local line vty 0 4 privilege level login local transport input line vty 5 15 privilege level login local transport input 15 telnet ssh 15 telnet ssh On a new router. If the router is an existing router and is not configured with the CCP default configuration. . This publication is protected by copyright. Please see page 89 for more details.10.

To launch CCP from the router flash memory. Building Blocks for Ease of Management There are some new additions to the Cisco Configuration Professional that directly address the ease of management for larger environments. Many of these options lead to a wizard that aids in the configuration. Inc. and accounting (AAA) services are a powerful security addition to any organization. and User Profiles. Templates. These features include Communities. and Monitor are the main buttons you need to use. . When you click either Configure or Monitor. This publication is protected by copyright.[ 28 ] Chapter 2: Perimeter Security Running CCP To launch Cisco CCP from a PC. © 2012 Pearson Education. Configure. All rights reserved. choose Start > Programs (All Programs) > Cisco Systems > Cisco CCP > Cisco CCP. Please see page 89 for more details. open an HTTP or HTTPS connection to the IP address of the Ethernet interface on the router. ■ Communities: Groups of devices that share common components ■ Templates: Allows the simple replication of settings ■ User profiles: GUI views that provide role-based access control for different administrators Using AAA with the Local Database Authentication. This section details the use of these services with a local database on the router or switch. authorization. Navigating in CCP Home. many options appear down the button bar on the left side of the screen. These appear on the top button bar.

Then choose Configure > Router > AAA > AAA Summary to ensure that AAA is enabled. Then choose Configure > Router > AAA > Authentication Policies > Login to configure the local setting. to specify the maximum number of unsuccessful authentication attempts before a user is locked out. This publication is protected by copyright. Accounting tracks what users do. and then the router authenticates using the local database. . All rights reserved. use the show aaa user {all | unique id} command in privileged EXEC © 2012 Pearson Education. use the show aaa local user lockout command in privileged EXEC mode. Authorization dictates what these users can do after they are authenticated. For example. Inc. You can use AAA (pronounced “triple A”) to control administrative access to the device and access to the network through the device. The two modes are character mode (when the user tries to connect to the router for admin). the user connects to the router. the router prompts for a username and password. Authorization. use the aaa local authentication attempts max-fail command in global configuration mode. Use the clear aaa local user lockout command in privileged EXEC mode to unlock a locked-out user. choose Configure > Router > Router Access > User Accounts/View to add user accounts.[ 29 ] Chapter 2: Perimeter Security Authentication. To display the attributes collected for a AAA session. and Accounting Authentication requires users and administrators to prove that they actually are who they say they are. and packet mode 0 (when the user tries to connect through the router for access to the network beyond). To configure in CCP. You can make additional settings at the command line. Cisco provides four methods to implement AAA: ■ Self-contained AAA using the local database ■ Cisco Secure Access Control Server (ACS) for Microsoft Windows Server ■ Cisco Secure ACS Express (entry-level version appropriate for 350 users) ■ Cisco Secure ACS Solution Engine (rack-mountable hardware version) Local Authentication Using the local authentication method. To display a list of all locked-out users. Please see page 89 for more details.

To display information about AAA authentication. ■ The aaa authentication login default local command defines the default method list for login authentication using the local database. This publication is protected by copyright. Inc. many of the most modern security features require the use of the open-standard RADIUS protocol. Using AAA with Cisco Secure ACS ACS is a more scalable solution than trying to create and maintain user accounts on separate Cisco devices. CCP uses the following commands on the router: ■ The aaa new-model command enables AAA. . TACACS+ offers the following features: ■ Separates authentication and authorization ■ Supports a large number of features ■ Encrypts all communications ■ Uses TCP port 49 RADIUS offers the following features: ■ Scales well ■ Uses UDP ports 1645 or 1812 for authentication and UDP ports 1646 or 1813 for accounting © 2012 Pearson Education. All rights reserved. CCP creates the necessary commands at the CLI from the GUI. ■ The username command adds a username and password to the local security database. use the debug aaa authentication command in privileged EXEC command mode. Of the two. Please see page 89 for more details. the Cisco device uses TACACS+ or RADIUS. Also. TACACS+ is more secure. To communicate with the external Cisco Secure ACS. You can use the show aaa sessions command to show the unique ID of a session.[ 30 ] Chapter 2: Perimeter Security mode. but RADIUS is an open standard.

. location. STEP 5. use CCP and choose Configure > Router > AAA > AAA Servers and Groups > Servers and add the servers. STEP 3. It integrates the functionality of ACS and NAC solutions.[ 31 ] Chapter 2: Perimeter Security To configure the router for AAA with ACS. Configure identity groups and identity store. You can apply a policy that you create using Configure > Router > Router Access > VTY. STEP 4. Inc. complete the following steps: STEP 1. Cisco ISE The Cisco Identity Services Engine (ISE) is a next-generation identity and access control solution. Add router as AAA client. time. date. STEP 2. and so forth. Please see page 89 for more details. Rule-based policies provide a more flexible approach that can match on a variety of access conditions found in current networks. Create an identity policy. To configure this rule-based approach in ACS. This section details how to ensure that this traffic does not represent a security breach. Then choose Configure > Router > AAA > Authentication Policies > Login to create a policy. access type. New in ACS 5. Create an authorization policy. Configure access services to process request. This would include access. © 2012 Pearson Education. Implementing Secure Management and Reporting Management traffic is often a necessity in the network infrastructure. All rights reserved. This publication is protected by copyright.2: Rule-Based Policies You can use this system to grant permissions on conditions other than the identity alone.

[ 32 ]
Chapter 2: Perimeter Security

The Architecture for Secure Management and Reporting
The information flow between management hosts and the managed devices can take two paths:

Out-of-band (OOB): Information flows within a network on which no production traffic resides.

In-band: Information flows across the enterprise production network.

Overall guidelines for secure management and reporting include the following:

Keep clocks on hosts and network devices synchronized.

Record changes and archive configurations.

OOB Management Guidelines
Help ensure that management traffic is not intercepted on the production network.

In-Band Management Guidelines

Apply only to those devices that truly need to be managed in this manner.

Use IPsec, SSH, or SSL.

Decide whether monitoring needs to be constant or periodic.

Syslog
Syslog is the current standard for logging system events in a Cisco infrastructure. It is the most popular option for storing Cisco router
log messages. The Cisco Security Monitoring, Analysis, and Response System (MARS) is a Cisco security appliance that can receive
and analyze syslog messages from various networking devices and hosts.

© 2012 Pearson Education, Inc. All rights reserved. This publication is protected by copyright. Please see page 89 for more details.

[ 33 ]
Chapter 2: Perimeter Security

Router log messages can also be sent to using the following:

Console

Terminal lines

Internal buffer

SNMP traps

Figure 2-1 shows the various Cisco log severity levels.
Cisco router log messages contain three main parts:

Time stamp

Log message name and severity level

Message text

© 2012 Pearson Education, Inc. All rights reserved. This publication is protected by copyright. Please see page 89 for more details.

[ 34 ]
Chapter 2: Perimeter Security

Level

Name

Description

0

Emergencies

A panic condition normally
broadcast to all users

1

Alerts

A condition that should be
corrected immediately, such as
a corrupted system database

2

Critical

Critical conditions; for example,
hard device errors

3

Errors

Errors

4

Warnings

Warning messages

5

Notifications

Conditions that are not error
conditions, but should possibly
be handled specially

6

Information

Informational messsages

7

Debugging

Messages that contain
information normally of use only
when debugging a program

Figure 2-1 Cisco Log Severity Levels
Figure 2-2 shows this message format.

© 2012 Pearson Education, Inc. All rights reserved. This publication is protected by copyright. Please see page 89 for more details.

[ 35 ]
Chapter 2: Perimeter Security
Name and Severity Level
Date/Time

*Apr 27 17:31:13.389: %SYS-5-CONFIG_I: Configured from console by console

The Message Text

Figure 2-2 Cisco Log Message Format
To enable syslog log on your router using CCP, choose Configure > Router > Logging. To view the syslog information, choose
Monitor > Logging.

Simple Network Management Protocol (SNMP)
Versions 1 and 2c of SNMP use clear-text passwords called community strings. This offers little to no security.
SNMP 3 uses a combination of authenticating and encrypting packets over the network to provide secure access to devices. SNMP 3
provides message integrity, authentication, and encryption.
SNMP 3 supports all three of the following security levels:

noAuth: Community string

auth: HMAC or MD5 (hashing for integrity)

Priv: DES, 3DES, or AES (encryption for confidentiality)

When actually implemented on a router, these levels can be combined. For example, authPriv enables the use of authentication and
encryption.
To use the CCP to configure SNMP, choose Configure > Router > SNMP > Edit.
© 2012 Pearson Education, Inc. All rights reserved. This publication is protected by copyright. Please see page 89 for more details.

[ 36 ]
Chapter 2: Perimeter Security

SSH
The SSH daemon is a feature that enables an SSH client to make a secure, encrypted connection to a Cisco router. Use SSH rather
than Telnet to manage Cisco devices. Cisco IOS Release 12.1(1)T and later support SSH Version 1 (SSHv1), and Cisco IOS Release
12.3(4)T and later support both SSHv1 and SSH Version 2 (SSHv2). The Cisco router acts as the SSH server, and the client must be
acquired to connect to the server. A sample client is PuTTY.
To use SDM to configure SSH, choose Configure > Additional Tasks > Router Access > SSH.
After enabling SSH on the router, configure the vty lines to support SSH. To use Cisco SDM to configure SSH on the vty lines,
choose Configure > Additional Tasks > Router Access > VTY.
To use the command line for the configuration, follow these steps:
STEP 1. Configure the IP domain name of your network using the ip domain-name domain_name command in global
configuration mode.
STEP 2. If there are any existing key pairs, overwrite them using the command crypto key zeroize rsa.
STEP 3. Generate keys to be used with SSH by generating RSA keys using the crypto key generate rsa generalkeys modulus modulus-size command in global configuration mode.
STEP 4. Configure how long the router waits for the SSH client to respond using the ip ssh timeout seconds command in global configuration mode; this step is optional.
STEP 5. Configure the number of SSH retries using the ip ssh authentication-retries integer command in
global configuration mode; this step is optional.
STEP 6. Enable vty inbound SSH sessions; use the transport input ssh command.

Locking Down the Router
Cisco provides two powerful methods for locking down the router. This means disabling or protecting unused services, and making
other configuration changes necessary for a secure network infrastructure.

© 2012 Pearson Education, Inc. All rights reserved. This publication is protected by copyright. Please see page 89 for more details.

[ 37 ] Chapter 2: Perimeter Security AutoSecure The AutoSecure IOS feature is invoked by issuing the auto secure command from the CLI. ■ One-Step Lockdown does not support the setting of Selective Packet Discard (SPD) values. ■ One-Step Lockdown does not support the configuration of AAA. ■ Although One-Step Lockdown does support the configuration of SSH access. Following are some distinctions between the two approaches: ■ One-Step Lockdown does not support the disabling of NTP. it does not support the configuration of SNMP 3. To access this feature. Please see page 89 for more details. choose Configure > Security > Security Audit > One Step Lockdown. All rights reserved. it does not support the enabling of Service Control Point or the disabling of other access services and file transfer services. IPv6 IPsec is the IETF standard for IPv6 network security. and IPsec support is mandatory. You can also use an informative Security Audit feature before performing the One-Step Lockdown. ■ One-Step Lockdown does not configure antispoofing access control lists. This publication is protected by copyright. This provides a secure end-to-end solution for internetworking. . ■ One-Step Lockdown does not support the enabling of TCP intercepts. ■ Although One-Step Lockdown does support the disabling of SNMP. CCP One-Step Lockdown The CCP One-Step Lockdown method for securing a router uses a wizard in the CCP graphical interface. Inc. © 2012 Pearson Education.

Recommended Practices for IPv6 Security ■ Ingress filtering is key.[ 38 ] Chapter 2: Perimeter Security Many of the threats faced in an IPv6 environment are the same found in an IPv4 environment. ■ Consider current and future security enhancements. © 2012 Pearson Education. All rights reserved. This publication is protected by copyright. ■ Secure each protocol in transition approaches. ■ Reliance on multicast and ICMP Version 6. ■ End nodes exposed to many more threats such as address configuration. Please see page 89 for more details. IPv6 has some new vulnerabilities: ■ Training and planning. Inc. ■ Control the use of tunneling. . ■ Header extensions can be exploited. dual stack is preferred. Unfortunately. ■ Tunneling and dual stacking become vulnerabilities.

This section details their evolution and the technologies that have resulted. Inc.[ 39 ] CCNA Security 640-554 Quick Reference Chapter 3 Cisco IOS Firewalls Firewall Technologies Firewalls are a key security technology in the modern network infrastructure. ■ Be the only transit point. All rights reserved. Advantages of these firewalls include the following: ■ Based on simple permit and deny sets ■ Low impact on network performance © 2012 Pearson Education. Static Packet-Filtering Firewalls These work at Layers 3 and 4. Firewall Fundamentals The firewall should ■ Be resistant to attacks. examining packets one at a time and are implemented on a Cisco router using access control lists (ACL). ■ Enforce the access control policy of the organization. This publication is protected by copyright. Please see page 89 for more details. .

Application layer firewalls offer advantages: ■ Authenticate individuals. provide careful detailed checks for valid data. Application Layer Gateways Application layer firewalls (also called proxy firewalls or application gateways) operate at Layers 3. 5. ■ Complex ACLs are difficult to implement and maintain correctly. not devices ■ Make it harder for hackers to spoof and implement denial-of-service (DoS) attacks ■ Can monitor and filter application data ■ Can provide detailed logging © 2012 Pearson Education. ■ Packet filters do not filter fragmented packets well. . and generate audit records about the traffic they transfer. Proxy services are specific to the protocol that they are designed to forward and can provide increased access control. 4. and 7 of the OSI model. All rights reserved. Please see page 89 for more details. This publication is protected by copyright. application layer firewalls support only a limited number of applications. they do not maintain any state information for added protection. Inc. Sometimes. ■ Packet filters are stateless. ■ Packet filters cannot dynamically filter certain services.[ 40 ] Chapter 3: Cisco IOS Firewalls ■ Easy to implement ■ Supported on most routers ■ Initial security at a low network layer ■ Perform most of what high-end firewalls do at a lower cost Disadvantages of these firewalls include the following: ■ Susceptible to IP spoofing.

Although this is the primary Cisco Firewall technology.and disk-intensive Dynamic or Stateful Packet-Filtering Firewalls Stateful inspection is a firewall architecture classified at the network layer. Inc. it has some limitations: ■ Cannot prevent application layer attacks. Unlike static packet filtering. Please see page 89 for more details. The state table is part of the internal structure of the firewall. Stateful packet filtering maintains a state table and allows modification to the security rules dynamically. © 2012 Pearson Education. It tracks all sessions and inspects all packets passing through the firewall. ■ Does not support user authentication. All rights reserved. for some applications it can analyze traffic at Layers 4 and 5. stateful inspection tracks each connection traversing all interfaces of the firewall and confirms that they are valid. too.[ 41 ] Chapter 3: Cisco IOS Firewalls The disadvantages are as follows: ■ Process packets in software ■ Support a small number of applications ■ Sometimes require special client software ■ Are memory. ■ Not all protocols are stateful. This publication is protected by copyright. . although. ■ Some applications open multiple connections.

remote server support. . through Websense or SmartFilter © 2012 Pearson Education.0) can deploy a security appliance in a secure bridging mode as a Layer 2 device to provide security services at Layer 2 through Layer 7. Inc. Please see page 89 for more details. Advantages include the following: ■ Are aware of the state of Layer 4 and Layer 5 connections ■ Check the conformity of application commands at Layer 5 ■ Can and affect Layer 7 ■ Can prevent more kinds of attacks than stateful firewalls can Transparent firewalls (Cisco PIX and Cisco Adaptive Security Appliance Software Version 7. e-mail. Cisco Firewall Family Cisco IOS Firewall features follow: ■ Zone-based policy framework for intuitive policy management ■ Application firewalling for web.[ 42 ] Chapter 3: Cisco IOS Firewalls Other Types Application inspection firewalls ensure the security of applications and services. All rights reserved. This publication is protected by copyright. and other traffic ■ Instant messenger and peer-to-peer application filtering ■ VoIP protocol firewalling ■ Virtual routing and forwarding (VRF) firewalling ■ Wireless integration ■ Stateful failover ■ Local URL whitelist and blacklist support.

Inc. All rights reserved. © 2012 Pearson Education. This publication is protected by copyright. but it is unwise to rely exclusively on a firewall for security. ■ Firewalls are the primary security device.[ 43 ] Chapter 3: Cisco IOS Firewalls Cisco PIX 500 Series Security Appliance features follow: ■ Advanced application-aware firewall services ■ Market-leading VoIP and multimedia security ■ Robust site-to-site and remote-access IP security (IPsec) VPN connectivity ■ Award-winning resiliency ■ Intelligent networking services ■ Flexible management solutions Cisco ASA 5500 Series Adaptive Security Appliance features follow: ■ World-class firewall ■ Voice and video security ■ SSL and IPsec VPN ■ IPS ■ Content security ■ Modular devices ■ High scalability Best Practices Firewall best practices include the following: ■ Position firewalls at key security boundaries. . Please see page 89 for more details.

■ Extended ACLs: Check both the source and destination packet addresses. Analysis. ■ Outbound ACLs: Incoming packets are routed to the outbound interface and then are processed through the outbound ACL. © 2012 Pearson Education. They can also check for specific protocols. All rights reserved. . ■ Ensure that physical access to the firewall is controlled. ■ Regularly monitor firewall logs. Inc. and Response System (MARS) is especially useful in monitoring firewall logs. and other parameters. port numbers. Cisco Security Monitoring. Static Packet Filters Using ACLs Fundamentals of ACLs ACLs operate in two ways: ■ Inbound ACLs: Incoming packets are processed before they are routed to an outbound interface. If there is no matching permit or deny statement and the entire access list has been processed. Cisco routers support two types of IP ACLs: ■ Standard ACLs: Check the source addresses of packets that can be routed. ■ Remember that firewalls primarily protect from technical attacks originating from the outside. the packet is denied by an implicit deny all at the end of the access list. This publication is protected by copyright. Please see page 89 for more details. ■ Practice change management.[ 44 ] Chapter 3: Cisco IOS Firewalls ■ Deny all traffic by default and permit only services that are needed.

© 2012 Pearson Education. All rights reserved.[ 45 ] Chapter 3: Cisco IOS Firewalls You can use two general methods to create ACLs: ■ Numbered ACLs: Use a number for identification. by default the ACL denies all traffic that fails to match any of the ACL lines. ■ Your ACL should be organized to allow processing from the top down.3 or later features IP access list entry sequence numbering to assist in the management of ACLs. and per interface is allowed. ■ You should create the ACL before applying it to an interface. Cisco IOS Release 12. ■ Only one ACL per protocol. This publication is protected by copyright. You must put the standard ACL as close as possible to the destination of the traffic you want to deny. the ACL filters traffic going through the router but does not filter traffic that the router generates. Inc. ■ You should typically place extended ACLs as close as possible to the source of the traffic that you want to deny. Organize your ACL so that the more specific references to a network or subnet appear before ones that are more general. ■ Every ACL should have at least one permit statement. or named ACL. per direction. ■ Unless you end your ACL with an explicit permit any statement. extended. choose a standard. ■ If you apply an ACL to an interface. Follow these guidelines with ACLs: ■ Based on the test conditions. ■ Named ACLs: Use an alphanumeric string for identification. . Please see page 89 for more details. numbered.

you can use the keyword host.15.0.255 Figure 3-1 Wildcard Masking You can use abbreviations in your wildcard masks. therefore.0. Instead of 255. instead of 0. For the third octet. Please see page 89 for more details. .0.40 must be matched exactly.0/24 to 172. An administrator wants to match the subnets 172.0 since 172. For example. you can use the keyword any.0 0.40.40. © 2012 Pearson Education. The first two octets of the wildcard mask will be 0. ■ Wildcard mask bit 1: Ignore the corresponding bit value in the address.16.0.255.40.31.16. the administrator does not care at all about any bit in the last octet.255. the wildcard mask is: 0 0 0 0 1 1 1 1 = 15 Also.255.0/24. the administrator first converts the starting range number to binary: 16 = 0 0 0 1 0 0 0 0 Notice the administrator does not care about the binary values in the last four bit positions. This publication is protected by copyright. All rights reserved. Figure 3-1 shows an example of wildcard masking. Inc. so this octet is all 1 values: 1 1 1 1 1 1 1 1 = 255 The resulting address and wildcard mask used in the ACL are: 172.[ 46 ] Chapter 3: Cisco IOS Firewalls ACL Wildcard Masking Wildcard masking for IP address bits uses the numerals 1 and 0 to specify how to treat the corresponding IP address bits: ■ Wildcard mask bit 0: Match the corresponding bit value in the address.

use access-list access-list-number [dynamic dynamic-name [timeout minutes]] {deny | permit} protocol source source-wildcard destination destination-wildcard [precedence precedence] [tos tos] [log | log-input] [time-range time-range-name] [fragments] [established] Use the show access-list command to verify the ACL. use access-list access-list-number {deny | permit} source [source-wildcard] To assign the standard ACL to an interface. Please see page 89 for more details.[ 47 ] Chapter 3: Cisco IOS Firewalls ACL Creation To create the standard ACL. Implicit entries exist at the end of each IPv6 ACL to enable neighbor discovery. Choose Configure > Router > > ACL > ACL Editor. Inc. and use show ip interface to check for assignment. use ip access-group {access-list-number | access-list-name} {in | out} To assign an ACL to a vty line. use access-class access-list-number {in [vrf-also] | out} To create an extended ACL. This publication is protected by copyright. IPv6 Access Lists IPv6 access lists have the same structure and operational framework as in IPv4. © 2012 Pearson Education. The syntax is ipv6 traffic-filter to assign to the interface and ipv6 access-list to create. The Cisco Configuration Professional (CCP) offers an excellent GUI for ACL creation. . You can match on the extension headers. All rights reserved.

■ Virtual private network (VPN) VRF-aware Cisco IOS Firewall. ■ Subnet. including the following: ■ Stateful packet inspection.4(6)T introduced a new configuration model for the Cisco IOS Firewall feature set. Overview Cisco IOS Release 12.[ 48 ] Chapter 3: Cisco IOS Firewalls Cisco IOS Zone-Based Policy Firewall One of the most exciting developments for Cisco in the area of IOS Firewalls has been the new zone-based firewall. This section details this new technology. © 2012 Pearson Education. This publication is protected by copyright. ■ Policies are applied between zones. which provides the following: ■ Intuitive policies for multiple interface routers ■ A greater level of granularity for firewall policy application ■ The ability to prohibit traffic between firewall zones until an explicit policy is applied to allow desirable traffic via a default deny-all policy The new zone-based policy inspection interface supports almost all the firewall features implemented in earlier releases and much more. Please see page 89 for more details. All rights reserved. ■ URL filtering. Inc. ■ DoS mitigation. ■ Default deny-all policy. This new model presented the Cisco IOS zone-based policy. ■ Combining service lists with network and host address lists is allowed. . ■ Application inspection.and host-specific policies.

All rights reserved. click Basic Firewall. ■ Unidirectional policy between zones.[ 49 ] Chapter 3: Cisco IOS Firewalls ■ Clearer statement of firewall policies. Inc. © 2012 Pearson Education. This publication is protected by copyright. choose Configure > Security > Firewall > Firewall > Create Firewall > Basic Firewall. navigate to Configure > Router > NAT > Create NAT > Configuration > Basic NAT. . Policies may be made up of combinations of the following: ■ IP addresses or subnets using ACLs ■ Protocols ■ Application services ■ Application-specific policies The zone-based firewall approach takes three possible actions: ■ Inspect: Causes Cisco IOS stateful packet inspection ■ Drop: Analogous to a deny statement in an ACL ■ Pass: Analogous to a permit statement in an ACL Configuring the Zone-Based Firewall with the Basic Firewall Wizard To configure a zone-based firewall using the Basic Firewall Wizard. Please see page 89 for more details. From the Create Firewall tab. Start Basic NAT Wizard To configure Network Address Translation using the Basic NAT Wizard in the Cisco Configuration Professional (CPP).

Overview Cryptology is the science of making and breaking secret codes. The attacker must deduce the key or keys used to encrypt the messages to decrypt other messages encrypted with the same keys. ■ A known-plain-text (the usual brute-force) attack: The attacker has access to the cipher text of several messages but also knows something about the plain text underlying that cipher text. ■ A cipher-text-only attack: The attacker has the cipher text of several messages but no knowledge of the underlying plain text. Following are examples of attacks: ■ Brute-force attack: The attacker tries every possible key with the decryption algorithm. Please see page 89 for more details. The attacker uses a brute-force attack to try keys until decryption with the correct key produces a meaningful result. Cryptanalysis is the practice of breaking codes to obtain the meaning of encrypted data. Inc. This publication is protected by copyright. The Vigenère cipher is a polyalphabetic cipher that encrypts text by using a series of different Caesar ciphers based on the letters of a keyword. ■ A chosen-plain-text attack: The attacker chooses what data the encryption device encrypts and observes the cipher-text output. You should understand these principles before studying VPN technologies. © 2012 Pearson Education. A cipher is an algorithm for performing encryption and decryption.[ 50 ] CCNA Security 640-554 Quick Reference Chapter 4 Site-to-Site VPNs Cryptographic Services This section covers the key topics of cryptography. All rights reserved. .

and 256-bit keys ■ International Data Encryption Algorithm (IDEA): 128-bit keys © 2012 Pearson Education. . Following are features that good encryption algorithms provide: ■ Resist cryptographic attacks. Inc. ■ Do not have export or import restrictions. Symmetric and Asymmetric Encryption Algorithms Following are two classes of encryption algorithms. This publication is protected by copyright. ■ Meet-in-the-middle attack: The attacker knows a portion of the plain text and the corresponding cipher text. Please see page 89 for more details. 192-. All rights reserved.[ 51 ] Chapter 4: Site-to-Site VPNs ■ A chosen-cipher-text attack: The attacker can choose different cipher texts to be decrypted and has access to the decrypted plain text. ■ Birthday attack: A form of brute-force attack against hash functions. ■ Create an avalanche effect. ■ Support variable and long key lengths and scalability.and 168-bit keys ■ AES: 128-. which differ in their use of keys: ■ Symmetric encryption algorithms: Same key to encrypt and decrypt data ■ Asymmetric encryption algorithms: Different keys to encrypt and decrypt data The following are well-known encryption algorithms that use symmetric keys: ■ DES: 56-bit keys ■ Triple Data Encryption Standard (3DES): 112.

to 2040-bit keys ■ RC6: 128-. RC5. and RC6 ■ RC2: 40. . © 2012 Pearson Education. 192-. the fixed length. DES has a block size of 64 bits. RC4 is a common stream cipher. the transformation of these smaller plain-text units varies. Currently.to 448-bit keys Because of their fast speed. typically bits. results in decryption. symmetric algorithms are frequently used for encryption services.to 256-bit keys ■ RC5: 0. Unlike block ciphers. and 256-bit keys ■ Blowfish: 32. depending on when they are encountered during the encryption process. All rights reserved. This publication is protected by copyright. using the same secret key.[ 52 ] Chapter 4: Site-to-Site VPNs ■ The RC series: RC2. Inc. Please see page 89 for more details. The best-known asymmetric cryptographic algorithms follow: ■ RSA ■ ElGamal ■ Elliptic curve algorithms Block ciphers transform a fixed-length block of plain text into a block of cipher text of the same length. also known as the block size.and 64-bit keys ■ RC4: 1. for many block ciphers is typically 128 bits. stream ciphers operate on smaller units of plain text. RC4. with additional key management algorithms providing secure key exchange. Applying the reverse transformation to the cipher-text block. With a stream cipher.

Data of arbitrary length is input into the hash function. The steps of SSL VPN establishment follows: STEP 1. The shared secret is encrypted with the public key of the router and transmitted to the router. STEP 5. typically using a web browser. All rights reserved. The router software can easily decrypt the packet using its private key. The key is used to encrypt the SSL session. which contains a public key digitally signed by a trusted certificate authority (CA). STEP 3. Inc. The router responds with a digital certificate. © 2012 Pearson Education. Please see page 89 for more details. and the result of the hash function is the fixed-length hash. This publication is protected by copyright. The user makes an outbound connection to TCP port 443. Key Management Key management consists of the following components: ■ Key generation ■ Key verification ■ Key storage ■ Key exchange ■ Key revocation and destruction SSL VPNs SSL-based VPNs provide remote-access connectivity from almost any Internet-enabled location using a standard web browser and its native SSL encryption. STEP 2. The user computer generates a shared-secret symmetric key that both parties use. STEP 4. Now both participants in the session know the shared secret key. .[ 53 ] Chapter 4: Site-to-Site VPNs Cryptographic Hashes Hashing is a mechanism used for data integrity.

Inc. ■ Use a secure channel to communicate the DES key from the sender to the receiver. © 2012 Pearson Education. Lengths of 80 bits or longer are considered trusted.[ 54 ] Chapter 4: Site-to-Site VPNs Symmetric Encryption Symmetric encryption is a common approach to encryption used with VPNs. This publication is protected by copyright. . ■ Use 3DES rather than DES. DES uses two standardized block cipher modes: ■ Electronic Code Book (ECB): Serially encrypts each 64-bit plain-text block using the same 56-bit key. ■ Use DES in CBC mode. This section describes this important technology. ■ Test a key to see whether it is weak before using it. Guidelines for DES usage include the following: ■ Change keys frequently to help prevent brute-force attacks. DES This encryption algorithm typically operates in block mode. ■ Cipher Block Chaining (CBC): Each 64-bit plain-text block is exclusive ORed (XORed) bitwise with the previous ciphertext block and then is encrypted using the DES key. Key Lengths Symmetric encryption algorithms typically use keys of length 40 to 256 bits. where it encrypts data in 64-bit blocks. All rights reserved. Please see page 89 for more details.

192. 192. especially if pure software encryption is used. 3DES. All rights reserved. AES was chosen to replace DES and 3DES because the key length of AES is much stronger than DES and AES runs faster than 3DES on comparable hardware. Please see page 89 for more details. Inc. This provides nine different combinations of key length and block length.[ 55 ] Chapter 4: Site-to-Site VPNs 3DES The technique of applying DES three times in a row to a plain-text block is called 3DES. or 256 bits. Software-Optimized Encryption Algorithm (SEAL) SEAL is an alternative algorithm to software-based DES. AES The AES algorithm currently specifies how to use keys with a length of 128. and AES. ■ The Cisco router and the other peer must support the k9 subsystem. and it cannot be hardware-based encryption. This publication is protected by copyright. low-latency environments. AES is more suitable for high-throughput. This feature is available only on Cisco equipment. Restrictions for SEAL include the following: ■ The Cisco router and the other peer must support IPsec. . SEAL encryption uses a 160-bit encryption key and has less impact on the CPU compared to other software-based algorithms. Both block length and key length can be extended easily in multiples of 32 bits. Rivest Ciphers Widely used RC algorithms include the following: ■ RC2: A variable key-size block cipher designed as a replacement for DES ■ RC4: A variable key-size Vernam stream cipher often used in file-encryption products and for secure communications © 2012 Pearson Education. or 256 bits to encrypt blocks with a length of 128.

and Yin and is based on RC5 (meant to meet the design requirements of AES) Cryptographic Hashes This section details the most common cryptographic hashes in use today. data-integrity. . Please see page 89 for more details. © 2012 Pearson Education. and data-authenticity purposes: ■ IPsec gateways and clients use hashing algorithms to provide packet integrity and authenticity. digitally signed contracts. such as that provided with file integrity checkers. All rights reserved. such as IPsec or routing protocol authentication Cisco technologies use two HMAC functions: ■ Keyed MD5. based on the SHA-1 hashing algorithm Cisco products use hashing for entity-authentication. and Public Key Infrastructure (PKI) certificates ■ To provide proof of authenticity when it is used with a symmetric secret authentication key. ■ Cisco IOS routers use hashing with secret keys to add authentication information to routing protocol updates. Sidney. This publication is protected by copyright. Inc. Hash Message Authentication Codes (HMAC) Hashing is typically used for the following: ■ To provide proof of the integrity of data. based on the MD5 hashing algorithm ■ Keyed SHA-1.[ 56 ] Chapter 4: Site-to-Site VPNs ■ RC5: A fast block cipher that has variable block size and variable key size ■ RC6: A block cipher designed by Rivest.

These blocks are then rearranged with simple operations in a main loop. The message length is also encoded into the digest. This publication is protected by copyright. 384-. . Best practices include the following: ■ Avoid MD5 if possible. Please see page 89 for more details. TACACS+ uses MD5 to encrypt its session. There are also 224-. ■ Protect HMAC secret keys. which concatenate to form a single 128-bit hash value. ■ Consider using MD5 only if speed is an issue. The algorithm is slightly slower than MD5. SHA-1 The SHA-1 algorithm takes a message of no less than 264 bits in length and produces a 160-bit message digest. MD5 MD5 is a one-way function that makes it easy to compute a hash from the given input data but makes it unfeasible to compute input data given only a hash.[ 57 ] Chapter 4: Site-to-Site VPNs ■ Cisco Software images have an MD5-based checksum available so that customers can check the integrity of downloaded images. 256-. and 512-bit versions of SHA. The input is a data block plus a feedback of previous blocks. but the larger message digest makes it more secure against brute-force collision and inversion attacks. The 512-bit blocks are divided into 16 32-bit sub-blocks. Inc. All rights reserved. The output of the algorithm is a set of four 32-bit blocks. which consists of four rounds. ■ Hashing can also be used in a feedback-like mode to encrypt data. © 2012 Pearson Education.

and data-authenticity purposes: ■ IPsec gateways and clients use digital signatures to authenticate their Internet Key Exchange (IKE) sessions. STEP 2. © 2012 Pearson Education. the document was not changed after signing. which is usually public. A user wants to sign some data. All rights reserved. STEP 6. Cisco products use digital signatures for entity-authentication. Based on the input data and a signature key. and the signature it generates ■ To prove the authenticity and integrity of PKI certificates ■ To provide a secure time stamp The following steps indicate how digital signatures function: STEP 1. The user uses a signature algorithm with a personal signature key. which checks the validity of the digital signature. and the verification key into the verification algorithm. STEP 3. the digital signature. STEP 4. If the check is successful. ■ Some of the service-provider-oriented voice management protocols use digital signatures to authenticate the involved parties. The receiving device inputs the message. the signature algorithm generates its output.[ 58 ] Chapter 4: Site-to-Site VPNs Digital Signatures Digital signatures are often used in the following situations: ■ To provide a unique proof of data source ■ To authenticate a user by using that person’s private key. This publication is protected by copyright. Inc. only the signer knows this signature key. . The receiving device verifies the signature with the verification key. data-integrity. The sending device attaches the digital signature to the message and sends the message to the receiver. Please see page 89 for more details. STEP 5. ■ Cisco SSL endpoints and the Cisco Adaptive Security Device Manager (ASDM) use digital signatures to prove the identity of the SSL server. and the document was originated by the signer of the document. called a digital signature.

. This publication is protected by copyright. The IKE protocol in IPsec VPNs uses DH algorithms extensively. RSA is mainly used for two services: ■ To ensure confidentiality of data by performing encryption ■ To perform authentication of data. using an agreed-upon algorithm. The public key can be published. or both by generating digital signatures Diffie-Hellman (DH) The DH algorithm is the basis of most modern automatic key exchange methods. Please see page 89 for more details. STEP 3. which is often a symmetric key. RSA The RSA keys are usually 512 to 2048 bits. a public key and a private key. © 2012 Pearson Education. STEP 2. the message. User A acquires User B’s public key. Inc. User A uses User B’s public key to encrypt a message. The RSA algorithm is based on the fact that each entity has two keys.[ 59 ] Chapter 4: Site-to-Site VPNs Asymmetric Encryption Following are the steps used in asymmetric encryption: STEP 1. nonrepudiation of data. STEP 4. and reveal. User B uses his private key to decrypt. All rights reserved. but the private key must be kept secret. User A transmits the encrypted message.

. Two important PKI terms follow: ■ Certificate authority (CA): The trusted third party that signs the public keys of entities in a PKI-based system.[ 60 ] Chapter 4: Site-to-Site VPNs PKI A PKI provides a framework upon which you can base security services. The CA may be a single entity. or there may be a complex hierarchy of CAs. authentication. A PKI enables scalable solutions and is becoming an extremely important authentication solution for VPNs. This publication is protected by copyright. Simple Certificate Enrollment Protocol (SCEP) is a PKI communication protocol used for automated VPN PKI enrollment. Please see page 89 for more details. such as encryption. Inc. All rights reserved. VPN Overview IPsec is the primary technology used in VPNs. Coverage includes critical topics such as the function of IPsec and IKE.509 is a well-known standard that defines basic PKI formats. X. ■ Certificate: A document that has been signed by the CA. such as SSL and IPsec. IPsec VPN Fundamentals This section ensures that you understand the fundamentals of the modern IPsec VPN. and nonrepudiation. This binds the name of the security entity with its public key. It provides the following in the network: ■ Cost savings ■ Security ■ Scalability ■ Compatibility with broadband © 2012 Pearson Education. The standard has been widely used with many Internet applications.

© 2012 Pearson Education. All rights reserved. using any number of media. as shown in Figure 4-1: ■ Authentication Header (AH): Used only when confidentiality is not required. . running over any number of networks. including the following: ■ Offers protection for any number of applications. ■ Encapsulating Security Payload (ESP): Provides confidentiality and authentication. Please see page 89 for more details. and Adaptive Security Appliances. ■ Security is provided at the network layer. Inc. firewalls. IPsec Overview IPsec has many advantages. This publication is protected by copyright. upper layers are unaffected. including routers. ■ IPsec is extremely scalable.[ 61 ] Chapter 4: Site-to-Site VPNs Following are two types: ■ Site-to-site ■ Remote-access Many Cisco devices can work together to form the VPN. IPsec features two main framework protocols. it provides authentication of the IPsec traffic only.

Inc. The following are some of the standard algorithms that IPsec uses: ■ DES ■ 3DES ■ AES ■ MD5 © 2012 Pearson Education. This publication is protected by copyright. ■ Tunnel mode: Encapsulates the original IP header and creates a new IP header that is sent unencrypted across the untrusted network. Please see page 89 for more details. Transport mode protects the payload of the packet but leaves the original IP address in the clear. All rights reserved. ESP transport mode is used between two hosts that are both configured to support IPsec.[ 62 ] Chapter 4: Site-to-Site VPNs Authentication Header (AH) Data in plaintext R1 Provides: • Authentication • Integrity R2 Encapsulating Security Payload (ESP) Data encrypted R1 Provides: • Encryption • Authentication • Integrity R2 Figure 4-1 IPsec Security Protocols You can apply ESP and AH to IP packets in two different modes: ■ Transport mode: Security is provided only for the transport layer and above. . these hosts handle the encryption/decryption process.

IKE executes the following phases: ■ IKE Phase 1: Two IPsec peers perform the initial negotiation of SAs. Mode Config. . Additional service negotiations occur in IKE Phase 1. ■ Quick mode: Similar to aggressive mode IKE negotiation. IKE Phase 2 is used to build IPsec SAs. The proposal sent by the initiator defines which encryption and authentication protocols are acceptable. that need encryption key material for operation. and whether perfect forward secrecy should be enforced. such as IPsec. DPD. © 2012 Pearson Education. used for management traffic. Inc. All rights reserved. ■ Aggressive mode: Compresses the IKE SA negotiation phases that are described thus far into three packets. and so on. except that negotiation is protected within an IKE SA. This publication is protected by copyright. ■ IKE Phase 2: SAs are negotiated by the IKE process ISAKMP on behalf of other services.[ 63 ] Chapter 4: Site-to-Site VPNs ■ SHA-1 ■ DH IKE IPsec uses the IKE protocol for the following: ■ Negotiation of security association (SA) characteristics ■ Automatic key generation ■ Automatic key refresh ■ Manageable manual configuration IKE uses three modes of operation: ■ Main mode: An IKE session begins with one computer sending a proposal to another computer. how long keys should remain active. Please see page 89 for more details. Phase 1 generates an Internet Security Association and Key Management Protocol (ISAKMP) SA. which are for passing end-user data.

Configure an ISAKMP policy to determine the ISAKMP parameters that will be used to establish the tunnel. 2. The definition of the transform set defines the parameters that the IPsec tunnel uses and can include the encryption and integrity algorithms. Please see page 89 for more details. 5. Create a crypto ACL. In IKE Phase 2. 3. The IPsec tunnel terminates when the IPsec SAs are deleted or when their lifetime expires. . use show access-lists. the IPsec peers use the authenticated and secure tunnel to negotiate IPsec SA transforms. The crypto ACL defines which traffic should be sent through the IPsec tunnel and be protected by the IPsec process. Ensure that existing access lists are compatible with IPsec. Traffic is considered interesting when it travels between the IPsec peers and meets the criteria defined in the crypto ACL. 2. follow these steps: 1.[ 64 ] Chapter 4: Site-to-Site VPNs Site-to-Site VPN Construction This section details the exact steps in creating the popular site-to-site VPN. An IPsec tunnel is initiated when Host A sends “interesting” traffic to Host B. 4. The negotiation of the shared policy determines how the IPsec tunnel is established. a secure tunnel is created using ISAKMP. the IPsec peers (Routers A and B) negotiate the established IKE SA policy. and data is transferred between the IPsec peers based on the IPsec parameters configured in the IPsec transform sets. Use the crypto isakmp policy command to define an IKE policy. The IPsec tunnel is created. In IKE Phase 1. Use the crypto ipsec transform-set global configuration command. Inc. © 2012 Pearson Education. 4. Operations VPN negotiation occurs as follows: 1. 3. This publication is protected by copyright. VPN Configuration To configure a site-to-site IPsec VPN. After the peers are authenticated. All rights reserved. Define the IPsec transform set.

show crypto ipsec transform-set. Inc. Please see page 89 for more details. All rights reserved. The CCP VPN Wizards use two sources to create a VPN connection: ■ User input during a step-by-step wizard process ■ Preconfigured VPN components The CCP provides some default VPN components: ■ Two IKE policies ■ An IPsec transform set for the Quick Setup Wizard © 2012 Pearson Education.[ 65 ] Chapter 4: Site-to-Site VPNs 5. Use the crypto map global configuration command and interface configuration command. Usually. Configure the interface ACL. This publication is protected by copyright. there are restrictions on the interface that the VPN traffic uses (for example.Verification commands include show crypto isakmp policy. VPN Configuration with CCP Choose Configure > Security > VPN to open the VPN page. . and show crypto map. 6. The crypto map is applied to the outgoing interface of the VPN device. Create and apply a crypto map. The crypto map groups the previously configured parameters and defines the IPsec peer devices. block all traffic that is not IPsec or IKE).

Sensors operating using intrusion detection run in promiscuous mode. You might add this powerful tool to your network via a dedicated hardware appliance known as a sensor. or it might be to prevent the attack from dropping the packet at a device. Please see page 89 for more details. the goal is the same: to take some action based on an attack introduced to your network. Intrusion Prevention Versus Intrusion Detection Intrusion detection is powerful in that you can be notified when potential problems or attacks are introduced into your network. or a particular network segment. Intrusion prevention is more powerful in that potential threats and attacks can be stopped from entering your network. these copies of packets are received from another Cisco device (typically a switch). Inc. Detection cannot prevent these attacks from occurring. This publication is protected by copyright. .[ 66 ] CCNA Security 640-554 Quick Reference Chapter 5 Cisco IOS IPS Understanding Intrusion Prevention and Detection Cisco provides intrusion detection and prevention in a variety of ways in its current security portfolio. or you might add this functionality using a network module inserted into a router or a switch. © 2012 Pearson Education. However you decide to implement the technology. Often. All rights reserved. This action might be to alert the network administrator via an automated notification. Prevention is possible by the sensor because it is operates inline with packet flows. Detection cannot prevent the attacks because it operates on copies of packets.

if you have poor passwords in use in your network. Inc. False Alarms False alarms are IPS events that you do not want occurring in your implementation. but it was for traffic that does not constitute an actual attack. Vulnerability A vulnerability is a weakness that compromises the security or functionality of a particular system in your network. An attacker might enter invalid characters in an attempt to corrupt the underlying database. False Negative A false negative occurs when attack traffic does not trigger an alert on the IPS device. © 2012 Pearson Education. An example of a vulnerability is a web form on your public website that does not adequately filter inputs and guards against improper data entry. Please see page 89 for more details. This publication is protected by copyright. This is often viewed as the worst type of false alarm. False Positive A false positive means that an alert has been triggered. for obvious reasons. There are two types of these alarms: false positive and false negative. All rights reserved. For example. Exploit An exploit is a mechanism designed to take advantage of vulnerabilities that exist in your systems. Both are unwanted. This type of traffic is often referred to as benign traffic. a password-cracking package might be the exploit aimed at this vulnerability. .[ 67 ] Chapter 5: Cisco IOS IPS IPS/IDS Terminology You should be aware of many security terms related to intrusion detection and prevention technologies.

[ 68 ] Chapter 5: Cisco IOS IPS True Alarms There are two types of true alarms in IPS terminology. . © 2012 Pearson Education. If a Cisco IPS device operates in inline mode. True Positive A true positive means that an attack was recognized and responded to by the IPS device. This means that a device (often a switch) captures traffic for the sensor and forwards a copy for analysis to the sensor. the device performs intrusion detection. This publication is protected by copyright. Both true positives and true negatives are wanted. Inc. True Negative This means that nonoffending or benign traffic did not trigger an alarm. It can detect an attack and send an alert (and take other actions). Because the device works with a copy of the traffic. Please see page 89 for more details. Figure 5-2 shows an example of inline mode IPS. It cannot prevent the attack because it is not operating on traffic “inline” in the forwarding path. but it does not prevent the attack from entering the network or a network segment. This makes the device more effective against worms and atomic attacks (attacks that are carried out by a single packet). Promiscuous Versus Inline Mode IDS/IPS sensors operate in promiscuous mode by default. This is because the IPS device is in the actual traffic path. it can do prevention as opposed to mere detection. All rights reserved. Figure 5-1 shows an example of a promiscuous mode IDS implementation.

Inc.[ 69 ] Chapter 5: Cisco IOS IPS Copy of Attack Attack Management System Figure 5-1 Promiscuous Mode (IDS) © 2012 Pearson Education. All rights reserved. This publication is protected by copyright. . Please see page 89 for more details.

Inc.[ 70 ] Chapter 5: Cisco IOS IPS Attack Management System Figure 5-2 Inline Mode (IPS) To configure inline mode.0 software permits a device to perform promiscuous mode and inline mode simultaneously. © 2012 Pearson Education. Please see page 89 for more details. you require two monitoring interfaces defined in the sensor as an inline pair. This enables one segment to be monitored for intrusion detection only. All rights reserved. This is an example of an inline configuration in which only intrusion detection is performed. Cisco Intrusion Prevention System (IPS) Version 6. This pair of interfaces acts as a transparent Layer 2 structure that can drop an attack that fires a signature. A sensor could be configured inline but could be set up so that it alerts only and doesn’t drop packets. whereas another segment features intrusion prevention protection. . This publication is protected by copyright.

[ 71 ] Chapter 5: Cisco IOS IPS Approaches to Intrusion Prevention A device can take many different approaches to securing the network using IPS. This publication is protected by copyright. © 2012 Pearson Education. This type of approach is also known as pattern matching. whereas policy-based is more concerned with enforcing the security policy of the organization. Inc. this approach tends to be prone to a high number of false positives. Please see page 89 for more details. The statistical approach learns about the traffic patterns on the network. . All rights reserved. w this differs from signature-based. tuned. The two common types of anomaly-based IPS are statistical anomaly detection and nonstatistical. Alarms are triggered if activities are detected that violate the security policy coded by the organization. Anomaly-Based This type of IPS technology is often called profile-based. Cisco releases signatures that are added to the device that identify a pattern that the most common attacks present. As different types of attacks are created. Because it can be so difficult to define what is normal activity for a given network. It attempts to discover activity that deviates from what an engineer defines as “normal” activity. Signature-based focuses on stopping common attacks. Signature-Based Although Cisco uses a blend of detection and prevention technologies. the security policy is “written” into the IPS device. Policy-Based With this type of technology. signature-based IPS is the primary tool used by Cisco IPS solutions. and the nonstatistical method uses information coded by the vendor. these signatures can be added. This section describes these various approaches. and updated to deal with the new attacks. This is much less prone to false positives and ensures that IPS devices are stopping common threats.

Fragmentation adds a layer of complexity for the sensor. Please see page 89 for more details. or Unicode representation help to disguise the attack. Obfuscation is one way in which control characters. the attacker breaks the attack packets into fragments so that they are more difficult to recognize. Fragmentation With this evasive measure. strings in the data are changed in minor ways in an attempt to evade detection. Exploring Evasive Techniques Because attackers are aware of IPS technologies. Session In this type of attack.[ 72 ] Chapter 5: Cisco IOS IPS Protocol Analysis-Based Although this approach is similar to signature-based. Most signatures examine rather common settings. Another string match type of evasive technique is to just change the case of the string. the attacker spreads around the attack using a large number of small packets. which now must engage in the resource-intensive process of reassembling the packets. All rights reserved. You can use TCP segment reassembly to combat this evasive measure. . they have developed ways to counter these devices in an attempt to continue attacks on network systems. not using fragmentation in the approach. but the protocol-analysis-based approach can do much deeper packet inspection and is more flexible in finding some types of attacks. hexadecimal representation. © 2012 Pearson Education. String Match In this type of attack. it looks deeper into packets thanks to a protocol-based inspection of the packet payload that can occur. Inc. This publication is protected by copyright.

the attacker has the sensor see a different data stream than the intended victim. Unlike the insertion attack. Evasion With this type of evasive technique. Please see page 89 for more details. © 2012 Pearson Education. Because this method of foiling the IPS device exists. The end system ignores the harmless data and processes only the attack data. Often. With this evasive procedure. care must be taken to ensure that encrypted sessions cannot be established by attackers. attackers simply try to overwhelm the physical device or the staff in charge of monitoring by flooding the device with alarm conditions. The IPS sensor does not fire an alert based on the harmless data. The attacker sends the attack via an encrypted session. the end system sees more data than the sensor. the attacker inserts data that is harmless along with the attack data. TTL-Based One way to implement an insertion attack is to manipulate the Time-To-Live (TTL) value of fragments. Encryption-Based This is an effective means to have attacks enter the network. the IPS sensor sees a different data stream than the end system because of the manipulation of the TTL field in the IP header. All rights reserved.[ 73 ] Chapter 5: Cisco IOS IPS Insertion In this evasive technique. The encrypted attack cannot be detected by the IPS device. This publication is protected by copyright. Inc. which results in an attack. Resource Exhaustion Another evasive approach is to just overwhelm the sensor. .

■ New signature engines: Additions to cover Server Message Block and Transparent Network Substrate traffic. including the following: ■ Virtualization support: Allowing different policies for different segments monitored by a single sensor. ■ Improved risk. ■ Anomaly detection: Designed to detect worm-infested hosts. Inc. This CCNA Security Quick Reference focuses on Cisco products that can run Version 6. Please see page 89 for more details. This 6. ■ Improved Cisco IPS Device Manager (IDM): New and improved GUI for management. All rights reserved. ■ External product interface: Enables sensors to subscribe for events from other devices.[ 74 ] Chapter 5: Cisco IOS IPS Cisco Solutions and Products Cisco offers many products and solutions that address your need for intrusion detection/prevention in your network infrastructure.0 version adds many new features. ■ Enhanced password recovery: Password recovery no longer requires reimaging. . ■ Passive operating system fingerprinting: A set of features that enables Cisco IPS to identify the OS of the victim of an attack. This publication is protected by copyright. Cisco Sensor Family The Cisco Sensor family includes the following devices: ■ Cisco IOS IPS ■ Cisco IDS Network Module ■ Cisco IDS 4215 Sensor ■ Cisco IDS 4240 Sensor © 2012 Pearson Education.and threat-rating system: The risk rating helps with alerts and is now based on many different components to improve the performance and operation of the sensor.0 of the Cisco IPS Sensor Software.

the sensor operating systems and overall architecture is worth exploring for the certification exam and beyond. IPS Sensor Software Architecture IPS Sensor Software Version 6. Please see page 89 for more details. Also.[ 75 ] Chapter 5: Cisco IOS IPS ■ Cisco ASA AIP-SSM ■ Cisco IPS 4255 Sensor ■ Cisco Catalyst 6500 Series IDSM-2 ■ Cisco IPS 4260 Sensor The following legacy devices can also run IPS 6. Inc. Telnet is disabled) ■ Intrusion Detection Application Programming Interface (IDAPI) ■ MainApp ■ SensorApp (for packet capture and analysis) ■ Sensor interfaces © 2012 Pearson Education.0 runs on the Linux OS. The components include the following: ■ Event Store (provides storage for all events) ■ SSH and Telnet (by default. All rights reserved. . This publication is protected by copyright.0 software: ■ Cisco IDS 4235 Sensor ■ Cisco IDS 4250 XL Sensor Sensor Software Solutions Many options are available for configuration and management of Cisco sensors.

It complements network IPS by protecting the integrity of applications and operating systems. it can protect many hosts at the same time. Analysis. Host IPS A host IPS solution features software installed on servers and workstations. This publication is protected by copyright. Please see page 89 for more details. Inc. options include the following: ■ Command-line interface (CLI) ■ Cisco IDM (a graphical user interface) For multiple-device management (enterprise management). © 2012 Pearson Education. options include the following: ■ Cisco IPS Event Viewer ■ Cisco Security Manager ■ Cisco Security MARS (Cisco Security Monitoring. Because the sensor is analyzing network traffic. The Cisco host IPS is called Cisco Security Agent.[ 76 ] Chapter 5: Cisco IOS IPS Management Options For single-device (element) management. This solution does not require additional hardware (sensors). All rights reserved. . and Response System) Network IPS Network IPS refers to the deployment of devices (typically sensors) in the network that capture and analyze traffic as it traverses the network.

Inc. Please see page 89 for more details. ■ Your management and monitoring options: The number of sensors often dictates the level of management you need. . and the amount and type of traffic.[ 77 ] Chapter 5: Cisco IOS IPS Deploying Sensors Technical factors to consider when selecting sensors for deployment in an organization include the following: ■ Network media in use ■ Performance of the sensor ■ Overall network design ■ IPS design (Will the sensor analyze and protect many systems or just a few?) ■ Virtualization (Will multiple virtual sensors be created in the sensor?) Important issues in an IPS design include the following: ■ Your network topology: Size and complexity. ■ Sensor placement: It is recommended that these be placed at those entry and exit points that provide sufficient IPS coverage. Locations that generally need to be protected include the following: ■ Internet: Sensor between your perimeter gateway and the Internet ■ Extranet: Between your network and extranet connection ■ Internal: Between internal data centers ■ Remote access: Hardens perimeter control ■ Server farm: Network IPS at the perimeter and host IPS on the servers © 2012 Pearson Education. connections. This publication is protected by copyright. All rights reserved.

Please see page 89 for more details. Inc. . To view SDEE alarm messages in CCP. © 2012 Pearson Education. This publication is protected by copyright. choose Monitor > Logging > Syslog. To view alarms generated by Cisco IOS IPS.[ 78 ] Chapter 5: Cisco IOS IPS Configuring Cisco IOS IPS Using Cisco Configuration Professional (CCP) Cisco IOS IPS signatures include the following advanced features: ■ Regular-expression string pattern matching ■ Support for various response actions ■ Alarm summarization ■ Threshold configuration ■ Anti-evasive techniques To configure IPS using the CCP. choose Configure > Security > Advanced Security > Intrusion Prevention. All rights reserved. choose Monitor > Logging > SDEE Message Log.

The following techniques help protect an endpoint from operating system vulnerabilities: ■ Least-privilege concept: A process should never be given more privilege than is necessary to perform a job. Inc. All rights reserved. and Endpoint Security Endpoint Security Securing endpoints in the network infrastructure is also important. Trojan horses. © 2012 Pearson Education. ■ Network infection containment: Containment focuses on automating key elements of the infection response process. Cisco NAC. ■ Cisco Network Admission Control (NAC): Ensures that every endpoint complies with network security policies before being granted access to the network. ■ Isolation between processes: An operating system should provide isolation between processes. Overview The Cisco strategy for addressing host security is based on three broad elements: ■ Endpoint protection: Cisco Security Agent protects endpoints against threats posed by viruses. this prevents rogue applications from affecting the operating system or other application. Please see page 89 for more details. SAN. Cisco Security Agent. . This section details the Cisco approach to this important security area. Voice. and Intrusion Prevention System (IPS) provide this service.[ 79 ] CCNA Security 640-554 Quick Reference Chapter 6 LAN. and worms. This publication is protected by copyright.

© 2012 Pearson Education. ■ Penetrate phase: Exploit code is transferred to the vulnerable target. and Endpoint Security ■ Reference monitor: An access control concept that refers to a mechanism that mediates all access to operating system and application objects. ■ Small. ■ Paralyze phase: Actual damage is done to the system. ■ Persist phase: The code tries to persist on the target system. This publication is protected by copyright.[ 80 ] Chapter 6: LAN. Worm Attacks A worm attack consists of the following: ■ Enabling vulnerability ■ Propagation mechanism ■ Payload The worm attack occurs in phases: ■ Probe phase: Identifies vulnerable targets. SAN. Inc. verifiable pieces of code: Small. Voice. Buffer Overflows Buffer overflow exploits overwrite memory on an application stack by supplying too much data into an input buffer. Buffer overflows are used to root a system or to cause a DoS attack. All rights reserved. easily verifiable pieces of software managed and monitored by a reference monitor. . ■ Propagate phase: Extends the attack to other targets. Please see page 89 for more details. Rooting a system is hacking a system so that the attacker has root privileges.

Inc. Please see page 89 for more details. . This publication is protected by copyright.[ 81 ] Chapter 6: LAN. Voice. The following are the security appliance products that IronPort offers: ■ IronPort C-Series: E-mail security appliances ■ IronPort S-Series: Web security appliance ■ IronPort M-Series: Security management appliance Cisco NAC Cisco NAC products are designed to allow only authorized and compliant systems to access the network and to enforce network security policy. All rights reserved. with a focus on e-mail and web security products. and Endpoint Security IronPort Cisco IronPort security appliances protect enterprises against Internet threats. The Cisco NAC Appliance includes the following components: ■ Cisco NAC Appliance Server (NAS): Performs network access control ■ Cisco NAC Appliance Manager (NAM): Centralized administrative interface ■ Cisco NAC Appliance Agent (NAA): Client software that facilitates network admission ■ Rule-set updates: Automatic updates Cisco Security Agent This product consists of the following: ■ Management Center for Cisco Security Agents ■ Cisco Security Agent © 2012 Pearson Education. SAN.

and Endpoint Security Protection of end systems is provided by the following: ■ File system interceptor ■ Network interceptor ■ Configuration interceptor ■ Execution space interceptor Storage-Area Network Security Storage-area networking is another topic becoming more important. This topic is explored in this section. © 2012 Pearson Education. Logical Unit Number Masking In computer storage. reliable access among servers and external storage resources. with a special emphasis on security for SANs. and protect growing information resources across a consolidated Fibre Channel. This publication is protected by copyright. Cisco solutions for intelligent SANs provide a better way to access. Voice. a logical unit number (LUN) is an address for an individual disk drive and the disk device itself. Please see page 89 for more details. All rights reserved. manage. Internet Small Computer Systems Interface (iSCSI). LUN masking is an authorization process that makes a LUN available to some hosts and unavailable to others. Fibre Channel over IP (FCIP).[ 82 ] Chapter 6: LAN. Inc. Gigabit Ethernet. . Overview A storage-area network (SAN) is a specialized network that enables fast. and optical network. SAN.

SAN Security Scope SAN security should focus on six areas: ■ SAN management access ■ Fabric access ■ Target access ■ SAN protocol ■ IP storage access ■ Data integrity and secrecy © 2012 Pearson Education. All rights reserved. You can partition ports within a single switch into multiple VSANs. If a SAN contains several storage devices. and Endpoint Security World Wide Names A World Wide Name (WWN) is a 64-bit address that Fibre Channel networks use to uniquely identify each element in a Fibre Channel network. Please see page 89 for more details.[ 83 ] Chapter 6: LAN. Fibre Channel Fabric Zoning Fibre Channel zoning is the partitioning of a Fibre Channel fabric into smaller subsets. Zoning can also use name servers in the switches to either allow or block access to particular WWNs in the fabric. Zoning can use WWNs to assign security permissions. Voice. Inc. Virtual SAN A virtual storage-area network (VSAN) is a collection of ports from a set of connected Fibre Channel switches that form a virtual fabric. This publication is protected by copyright. SAN. . one device should not necessarily be allowed to interact with all the other devices in the SAN.

Overview You can find the following components in the VoIP network: ■ IP phones: ■ Call agents: Replace many of the features previously provided by PBXs ■ Gateways: Can forward calls between different types of networks ■ Gatekeepers: Can be thought of as the “traffic cops” of the WAN ■ Multipoint control units (MCU): Useful for conference calling ■ Application servers: Offer additional services such as voice mail ■ Videoconference stations: Devices/software that allow a calling or called party to view/transmit video as part of their telephone conversation Common VoIP protocols include the following: ■ H. This section details this technology and lists important related security topics. .323: A suite of protocols that also defines certain devices. It defines the necessary control mechanism to allow a media gateway controller to control gateways to support multimedia streams across networks. but it is more flexible in its support for gateways and applications. Voice. SAN. ■ SIP: Session Initiation Protocol is a popular protocol to use in mixed-vendor environments.[ 84 ] Chapter 6: LAN. Inc. This publication is protected by copyright. ■ H.248 is similar to MGCP. Please see page 89 for more details. © 2012 Pearson Education.248: H. an analog port in a voice-enabled router) to communicate with a server (for example. All rights reserved. such as VoIP gateways and gatekeepers. and Endpoint Security Voice Security Voice over IP is becoming more popular. Media Gateway Control Protocol enables a client (for example. a Cisco Unified Communications server) via a series of events and signals. ■ MGCP: Originally developed by Cisco.

[ 85 ] Chapter 6: LAN. but refers to maliciously collecting such information over the phone) ■ SIP attacks (man-in-the-middle attacks and manipulation of SIP messages) Protection Mechanisms Mechanisms and methods to help secure the VoIP network include the following: ■ Auxiliary VLANs (with voice traffic getting its own VLAN). ■ Security appliances. SAN. © 2012 Pearson Education. Voice. ■ RTCP: RTP Control Protocol provides information about an RTP flow. All rights reserved. Inc. or SPIT) ■ Vishing (similar to phishing. Please see page 89 for more details. . and Endpoint Security ■ SCCP: Skinny Client Control Protocol is a Cisco-proprietary signaling protocol. Common Voice Security Issues Common attacks include the following: ■ Accessing VoIP resources without proper credentials ■ Gleaning information from unsecured networks ■ Launching a denial-of-service (DoS) attack ■ Capturing telephone conversations ■ VoIP spam (more commonly referred to as spam over IP telephony. ■ SRTP: Secure RTP secures the RTP traffic. ■ Use IPsec protected VPNs. ■ RTP: Real-time Transport Protocol carries the voice payload. This publication is protected by copyright.

All rights reserved. This publication is protected by copyright. SAN.[ 86 ] Chapter 6: LAN. ■ Root Guard: Denies a new root switch from being elected in the topology from an unauthorized port. but it should not be. . ■ Disable gratuitous ARP. Voice. ■ Disable unneeded services. © 2012 Pearson Education. One easy way to combat this is to create an empty VLAN for the native VLAN and then use this as the native VLAN on all links. VLAN Hopping Attackers can send traffic into another VLAN by double-tagging 802. Please see page 89 for more details. Mitigating Layer 2 Attacks Layer 2 is often omitted from security practices. and Endpoint Security ■ Disable web access. This section details many important security practices you must follow. ensure that switch ports are not using Dynamic Trunking Protocol (DTP) by using the switchport nonegotiate command.1Q information in the frame and using the native VLAN. STP Protections Consider the following protection mechanisms: ■ BPDU Guard: Ensures that bridges plugged into PortFast ports do not cause a temporary Layer 2 loop. Also. Inc.

or multicast frames in the LAN ■ MAC address notifications: Alerts when the MAC address on a port changes Layer 2 Best Practices Layer 2 best practices include the following: ■ Manage switches securely. Voice.[ 87 ] Chapter 6: LAN. SAN. and Endpoint Security Port Security Use this feature to lock down a port for authorized MAC address usage. ■ Set user ports to nontrunking. ■ Do not use VLAN 1. ■ Use port security. ■ Use a dedicated VLAN for trunks. Switch1(config)# switchport port-security Switch1(config)# switchport port-security maximum 2 Switch1(config)# switchport port-security violation restrict Switch1(config)# switchport port-security aging time 120 Figure 6-1 Port Security Additional Security Features ■ Switched Port Analyzer (SPAN) and Remote SPAN (RSPAN): Copy frames to a destination port for analysis ■ Storm control: Prevents an excess of unicast. All rights reserved. To enable the feature and configure options. . broadcast. ■ Selectively use Simple Network Management Protocol (SNMP). use the command switchport port-security. © 2012 Pearson Education. Inc. This publication is protected by copyright. Figure 6-1 shows an example of port security configurations. Please see page 89 for more details.

This publication is protected by copyright.[ 88 ] Chapter 6: LAN. Voice. ■ Trim Cisco Discovery Protocol (CDP). and Endpoint Security ■ Enable STP security features. ■ Disable unused ports. © 2012 Pearson Education. All rights reserved. Please see page 89 for more details. Inc. SAN. . and place them in a VLAN.

undergoing rigorous development that involves the unique expertise of members of the professional technical community. If you have any comments on how we could improve the quality of this digital Quick Reference.com. which may include electronic versions and/or custom covers and content particular to your business. All rights reserved. Cisco Press or Cisco Systems. Inc. The author.S. We greatly appreciate your assistance. or by any information storage and retrieval system. recording. you can contact us through e-mail at feedback@ciscopress. Cisco Press. training goals. Trademark Acknowledgments All terms mentioned in this digital Quick Reference that are known to be trademarks or service marks have been appropriately capitalized. The information is provided on an “as is” basis. . Published by Cisco Press 800 East 96th Street Indianapolis. Corporate and Government Sales The publisher offers excellent discounts on this digital Quick Reference when ordered in quantity for bulk purchases or special sales. This publication is protected by copyright.. except for the inclusion of brief quotations in a review. Every effort has been made to make this digital Quick Reference as complete and accurate as possible. and Cisco Systems. Feedback Information At Cisco Press. Please be sure to include the digital Quick Reference title and ISBN in your message. Use of a term in this digital Quick Reference should not be regarded as affecting the validity of any trademark or service mark. Each book is crafted with care and precision. © 2012 Pearson Education. Inc. marketing focus. without written permission from the publisher. and branding interests. Reader feedback is a natural continuation of this process.. including photocopying. our goal is to create in-depth technical books of the highest quality and value.[ 89 ] CCNA Security 640-554 Quick Reference CCNA Security 640-554 Quick Reference Anthony Sequeira Copyright © 2012 Pearson Education. Corporate and Government Sales 1-800-382-3419 corpsales@pearsontechgroup.com.com The opinions expressed in this digital Quick Reference belong to the author and are not necessarily those of Cisco Systems. shall have neither liability nor responsibility to any person or entity with respect to any loss or damages arising from the information contained in this digital Quick Reference. but no warranty or fitness is implied. electronic or mechanical. For more information. or otherwise alter it to better suit your needs. cannot attest to the accuracy of this information. Inc. For sales outside the United States please contact: International Sales international@pearsoned. please contact: U. Inc. Inc. First Release May 2012 ISBN-13: 978-1-58714-317-5 Warning and Disclaimer This digital Quick Reference is designed to provide information about the CCNA Security Certification. No part of this digital Quick Reference may be reproduced or transmitted in any form or by any means. Indiana 46240 USA All rights reserved.