Ccna Security
Topics to be covered
1. Network Foundation Protection
2. Management Plane Protection
3. Data Plane Protection
4. Control Plane Protection
5. Zone-based Firewall
6. Firewall Fundamentals
7. Basic Firewall Policies on cisco ASA
8. Fundamentals of VPN Technology and Cryptography
9. Fundamentals of IP Security
10. Implementing IPSEC Site-to-Site VPN
11. Implementing SSL VPN
12. Securing Layer 2 Technologies
13. Cisco IPS/IDS Fundamentals
14. Bring Your Own Device
15. Mitigation Technologies for E-mail-Based and Web-based Threats
What is Network Security?
Network security is the process of taking physical and software
preventive measures to protect the networking infrastructure from
unauthorized access, misuse, malfunction, modification, destruction,
or improper disclosure, thereby creating a secure platform for
computers and users.
What approach should be followed to protect the network?
Layered approach
Before starting, you should be familiar with the well-known ports and
protocol numbers
Principles of Security—The CIA Model
Confidentiality
Prevents unauthorized disclosure of sensitive information
When it comes to security, confidentiality is perhaps the most obvious aspect of the CIA triad
Cryptography and encryption methods are examples of attempts to ensure the confidentiality of data
transferred from one computer to another.
Integrity
Prevents unauthorized modification of data, systems, and information
If your data has integrity, you can be sure that it is an accurate and unchanged representation of the
original secure information
A common type of security attack is the man-in-the-middle attack
Availability
The prevention of loss of access to resources and information, ensuring that information is available
for use when it is needed
Denial of service (DoS) is one of several types of security attacks that attempt to deny access to a
particular service
Network Foundation Protection
All about breaking the infrastructure down into smaller components
Systematically focus on how to secure each of those components
Management Plane:
Includes all the protocols and traffic that an administrator uses between his
workstation and the router or switch.
An example is using a remote management protocol such as SSH
Control Plane:
Includes all the protocols and traffic that the network devices use on
their own, without direct interaction with an administrator
An example is a routing protocol
One can say it includes all the traffic that is processed by the device CPU
Data Plane:
Includes all the traffic that is being forwarded through the network
Represents the traffic that is either being switched or forwarded by the
network device between the client and the server
Securing the Management Plane:
Controlling interactive access
Enforce password policy, including features such as maximum
number of login attempts and minimum password length
Implement Role Based Access Control
Use AAA services with local database and with ACS server
Control which IP addresses are allowed to initiate management
sessions with the network device
Keep accurate time across all network devices, for example with secure (authenticated) NTP
Interactive Access Methods:
Ways to gain access to a device for administrative purposes
Three basic methods:
Console Port, VTY Port, Auxiliary Ports
1. Console Port
Default access method for device management and configuration
By default, it is not password protected
No Exec-timeout set
2. VTY Ports:
IOS can support multiple remote sessions, each serviced by a logical vty line
Can support up to 100 vty lines depending on the IOS version
By default, five lines (0 to 4) are available, configured with the line vty 0 4 command
By default, they are not password protected
No exec-timeout set
An ACL can optionally be applied to further restrict access to authorized users
Passwords:
A password is a protected string of characters that is used to authenticate a user
Three types of password protection schemes in Cisco IOS
1. Clear-text passwords:
Most insecure because they have no encryption
Passwords are viewable in the device configuration in clear text
2. Type 7 passwords:
Use the Cisco proprietary encryption algorithm and are known to be weak
Used by the enable password, username, and line password commands
3. Type 5 passwords:
Use the MD5 hashing algorithm (one-way hash)
Used by the enable secret and username secret commands
Strong Password:
At least eight to ten characters
Includes a combination of letters (uppercase and lowercase), numbers and special symbols
Use a passphrase to create a strong password
How many times do I need to change my password? = hmtd!n2cmp?
The service password-encryption command encrypts all the clear-text passwords in the
configuration
The security passwords min-length command sets the minimum character
length for all passwords
The login block-for command sets the authentication failure rate (lockout after repeated failed logins)
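The password, line and login commands above, put together into one IOS configuration. This is an added example, not configuration from the original notes; the hostname, domain name, management host 10.1.1.10, the timer values and every secret are placeholders chosen for illustration.

```cisco
! Added example: hardening interactive access on a Cisco IOS router.
! All names, addresses and secrets below are placeholders.
hostname R1
ip domain-name example.org
! SSH host key; hostname and domain name must be set before this command
crypto key generate rsa modulus 2048
ip ssh version 2
!
! Type 5 secrets (MD5 hash) instead of type 7 or clear-text passwords
enable secret Enable-Secret-Placeholder
username admin privilege 15 secret Admin-Secret-Placeholder
!
! Any remaining clear-text passwords (e.g. line passwords) become type 7:
! still weak, but no longer readable in 'show running-config'
service password-encryption
! Reject passwords shorter than 10 characters from now on
security passwords min-length 10
! Quiet period of 120 s after 3 failed logins within 60 s; log every failure
login block-for 120 attempts 3 within 60
login on-failure log
!
! Only the admin workstation may open management sessions
ip access-list standard MGMT-HOSTS
 permit host 10.1.1.10
!
line console 0
 login local
 exec-timeout 5 0
! Unused auxiliary port: no shell at all
line aux 0
 no exec
line vty 0 4
 access-class MGMT-HOSTS in
 transport input ssh
 login local
 exec-timeout 5 0
!
! Checks: 'show running-config | include secret' shows $1$ hashes (type 5),
! 'show ip ssh' confirms version 2, 'show login' shows the block-for settings
```

The access-class line is what implements "control which IP addresses are allowed to initiate management sessions"; the exec-timeout lines close the gap noted above that neither the console nor the vty lines time out by default.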
Privilege Levels:
Cisco IOS provides 16 privilege levels, ranging from 0 to 15
By default, three predefined user levels are enabled
1. Privilege level 0 includes the disable, enable, exit, help, and logout
commands.
2. Privilege level 1 is the User EXEC mode. This is the normal level for Telnet and
includes all user-level commands at the Router> prompt
3. Privilege level 15 is the Privileged EXEC mode (enable mode). It includes all
enable-level commands at the Router# prompt
Key points:
Excluding a command from a privilege level is not possible
A higher privilege level always inherits all the commands of the lower levels
Role Based Access Control:
Implemented either via the CLI (parser views) or via a GUI (ACS server)
Parser View:
Same concept as a privilege level
Only one parser view is configured by default, the root view, which is the same as privilege level 15
To create any parser view:
1. Make sure you are logged in to the root view
2. AAA must be enabled with the aaa new-model command
3. An enable password for level 15 must be configured
Overcomes the limitations of privilege levels:
1. Excluding any command is possible
2. A parser view does not inherit any command from another parser view
AAA:
1. Authentication: who is the user (identity)
2. Authorization: what can the user do (services)
3. Accounting: what did the user do (audit)
AAA can be used in two ways:
1. Local database
2. AAA server
Two authentication protocols are used with an AAA server
1. RADIUS
2. TACACS+
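The parser view and AAA slides above combined into one IOS configuration: a restricted view for a helpdesk role, and AAA that tries a TACACS+ server first and falls back to the local database. This is an added example, not configuration from the original notes; the server address 10.1.1.20, the shared key, the view name, the user names and all secrets are placeholders.

```cisco
! Added example: role-based access with a parser view, plus AAA against a
! TACACS+ server with local fallback. Names, addresses and secrets are placeholders.
aaa new-model
enable secret Enable-Secret-Placeholder
!
! Local account used when the TACACS+ server is unreachable
username admin privilege 15 secret Admin-Secret-Placeholder
!
! A restricted view: only the listed commands, nothing inherited from other views.
! Creating it requires being in the root view ('enable view', then the enable secret).
parser view HELPDESK
 secret Helpdesk-View-Secret-Placeholder
 commands exec include show version
 commands exec include show ip interface brief
 commands exec include ping
 commands exec include traceroute
! Local user bound to that view
username helpdesk view HELPDESK secret Helpdesk-User-Placeholder
!
! TACACS+ server definition and server group
tacacs server ACS1
 address ipv4 10.1.1.20
 key TacacsSharedKeyPlaceholder
aaa group server tacacs+ MGMT-TACACS
 server name ACS1
!
! Authentication (who), authorization (what), accounting (what was done);
! each method list tries the server group first and the local database second
aaa authentication login MGMT-AUTH group MGMT-TACACS local
aaa authorization exec MGMT-AUTHZ group MGMT-TACACS local
aaa accounting exec MGMT-ACCT start-stop group MGMT-TACACS
aaa accounting commands 15 MGMT-CMD-ACCT start-stop group MGMT-TACACS
!
line vty 0 4
 login authentication MGMT-AUTH
 authorization exec MGMT-AUTHZ
 accounting exec MGMT-ACCT
 accounting commands 15 MGMT-CMD-ACCT
!
! Checks: 'show parser view all' lists the views; 'show privilege' from the
! helpdesk login shows the view; 'test aaa group MGMT-TACACS admin <password>
! legacy' exercises the server from the router itself
```

Because the HELPDESK view inherits nothing, a command not listed (for example configure terminal) is simply unavailable to that user, which is the capability the privilege-level model lacks.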
Simple Network Management Protocol
An application layer protocol that provides communication between an SNMP manager and
an SNMP agent
Provides a standardized framework that is used for monitoring and managing devices in
the network
The SNMP framework consists of three parts:
1. SNMP Manager:
Can be any machine that sends query requests to SNMP agents
2. SNMP Agent:
Responsible for gathering information about the local system and storing it in a
format that can be queried
3. Management Information Base:
A database that follows a standard that managers and agents understand and use to
communicate with each other
Main SNMP message types:
1. Get
Used to retrieve information from an SNMP agent
2. Set
Used to set variables in a managed device or to trigger an action on a managed device
3. Trap
An unsolicited message sent from the SNMP agent to the SNMP server
SNMP protocol versions (v1, v2, v3)
SNMP v1 and v2 use a community string for authentication (no security)
SNMP v3 provides secure communication using users and groups
SNMPv3 security levels
1. noAuthNoPriv: no authentication, no privacy
2. authNoPriv: authentication using HMAC with MD5 or SHA, but no encryption
3. authPriv: authentication using MD5 or SHA and encryption using the DES algorithm
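An SNMPv3 configuration at the authPriv level, as an added example that is not part of the original notes. The manager address 10.1.1.20, the view, group and user names and the passphrases are placeholders; AES-128 is used for privacy here instead of the DES named above, which IOS also accepts.

```cisco
! Added example: SNMPv3 with authPriv on a Cisco IOS device. The NMS address,
! names and passphrases are placeholders.
! Restrict which managers may poll the device at all
access-list 10 permit host 10.1.1.20
!
! Read-only view of the whole MIB tree
snmp-server view MGMT-VIEW iso included
! Group requiring authentication and encryption (authPriv), read access through the
! view, limited to managers matching ACL 10
snmp-server group MGMT-GROUP v3 priv read MGMT-VIEW access 10
! User: HMAC-SHA for authentication, AES-128 for privacy. The passphrases are
! not shown in 'show running-config'.
snmp-server user nms-user MGMT-GROUP v3 auth sha AuthPassPlaceholder priv aes 128 PrivPassPlaceholder
!
! Unsolicited traps go to the manager as authPriv as well
snmp-server enable traps snmp authentication linkdown linkup coldstart
snmp-server host 10.1.1.20 version 3 priv nms-user
!
! Checks: 'show running-config | include community' should return nothing
! (no v1/v2c strings left); 'show snmp user' shows the v3 user and its group
```

The noAuthNoPriv and authNoPriv levels correspond to replacing priv with noauth or auth in the group and host lines; only priv gives the "authentication plus encryption" behaviour listed above.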
Network Time Protocol:
Designed to synchronize time on machines
Uses UDP port 123 for communication
Uses the concept of a stratum number to describe how many NTP
hops away a machine is from the time source
NTP will never synchronize its time to a machine that is not in turn
synchronized itself
NTP is disabled on all interfaces by default
NTP authentication should be used; it is the client that
authenticates the NTP server
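Client-side NTP authentication on an IOS router, as an added example that is not part of the original notes. The server address 10.1.1.30, the key value and the interface name are placeholders; the access-group and per-interface ntp disable lines go beyond the slide and are assumptions about a router that only consumes time.

```cisco
! Added example: router as NTP client that authenticates its time source.
! Server address, key and interface name are placeholders.
! Key used to verify the server's packets
ntp authentication-key 1 md5 NtpKeyPlaceholder
ntp authenticate
ntp trusted-key 1
! Associate with the server and require its packets to carry key 1
ntp server 10.1.1.30 key 1
!
! This router is a client only: accept NTP exchanges with the trusted server
! and nobody else (with one access group configured, other sources are denied)
access-list 20 permit host 10.1.1.30
ntp access-group peer 20
! Do not process NTP at all on the untrusted interface
interface GigabitEthernet0/1
 ntp disable
!
! Checks: 'show ntp associations detail' shows the server as "authenticated",
! 'show ntp status' shows this router one stratum below the server
```

Note the direction: the key proves the server to the client. A server that is itself unsynchronized is still rejected, as the slide states, even when its packets authenticate.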
Protecting the Data Plane
ACLs used for filtering
IOS firewall (ZBF)
TCP intercept
Unicast Reverse Path Forwarding (uRPF)
Firewall Methodologies
Stateful inspection, Application inspection, Packet filtering, Application Layer Gateway, Transparent firewall
IOS Based Firewall:
1. Reflexive Access-list
2. Context Based Access Control
3. Zone-based firewall
Zone-based Firewall:
Introduced in Cisco IOS Software Release 12.4(6)T
Added to overcome the limitations of CBAC
The limitation was that all traffic passing through an interface was subjected to the same inspection policy
Features of ZBF:
Stateful inspection, packet filtering, URL filtering, Transparent firewall
Steps to configure Zone-based Firewall:
1. Define zones
2. Define zone-pair
3. Define class-map
4. Define policy-map
5. Apply policy-map to zone-pair
6. Assign interfaces to zones
Zone:
A zone is a logical area where devices with a similar trust level reside.
Commonly defined zones are DMZ, INSIDE and OUTSIDE.
Self Zone:
The only zone configured by default on the router
Includes all traffic that is directed to the device itself
Self zone traffic behavior (figure)
Inter- and intra-zone traffic behavior (figure)
Cisco uses the Cisco Common Classification Policy Language (C3PL)
Three primary components:
1. Class-map:
Must be of type inspect in ZBF
Used to identify traffic (match protocol and match ACL)
Match-all vs. match-any
2. Policy-map:
Used to define the action taken on the class-map
Multiple class-maps can be called from a single policy-map, with a
different action on each class-map
3. Service policy:
The policy-map is applied here, to a zone-pair
A zone-pair represents a unidirectional flow of traffic between two
zones.
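The six configuration steps above carried out for a two-zone router that lets inside users reach web and DNS services and drops everything else initiated from outside. This is an added example, not configuration from the original notes; the zone names, the interface names and the protocol selection are assumptions.

```cisco
! Added example: two-zone ZBF. Zone names, interfaces and protocols are assumptions.
! Step 1: zones
zone security INSIDE
zone security OUTSIDE
!
! Step 3: class-map of type inspect; match-any means any one listed protocol matches
class-map type inspect match-any IN-OUT-CLASS
 match protocol http
 match protocol https
 match protocol dns
 match protocol icmp
!
! Step 4: policy-map with an action per class. 'inspect' creates the stateful
! entry that lets the replies back in; everything else is dropped and logged.
policy-map type inspect IN-OUT-POLICY
 class type inspect IN-OUT-CLASS
  inspect
 class class-default
  drop log
!
! Steps 2 and 5: a unidirectional zone-pair, and the policy applied to it
zone-pair security IN-TO-OUT source INSIDE destination OUTSIDE
 service-policy type inspect IN-OUT-POLICY
!
! Step 6: interfaces join their zones. With no OUTSIDE->INSIDE pair, traffic
! initiated from OUTSIDE is dropped; traffic to and from the router itself keeps
! the self zone default (permitted) because no zone-pair involving self is defined.
interface GigabitEthernet0/0
 zone-member security INSIDE
interface GigabitEthernet0/1
 zone-member security OUTSIDE
!
! Checks: 'show zone-pair security' shows the policy on the pair,
! 'show policy-map type inspect zone-pair sessions' lists the active sessions
```

Swapping match-any for match-all in the class-map would require a packet to match every listed protocol at once, which never happens for distinct protocols; match-all is meant for combining a match protocol with a match access-group line.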
Cisco ASA
Firewall:
A firewall is a hardware or software solution implemented within
the network to enforce security policies by controlling network
access
A firewall is often seen as the first step towards a network security
solution
Software firewalls have an underlying dependency on the OS they run on
Hardware firewalls should be used, as they are robust and built
specifically for the purpose of firewalling
ASA Hardware Family (figure)
ASA Features and Services
1. Packet filtering
Implemented with access lists
Supports both standard and extended access lists
2. Stateful filtering
Maintains the state of packets passing through the ASA in order to allow reply traffic.
3. Application inspection
The ASA can listen to a conversation between devices on one side and devices on the other side and pay attention to the application layer information
For example, FTP
4. Network Address Translation (NAT)
5. DHCP
Can act as a DHCP server, a DHCP client, or both
6. Routing
Supports dynamic routing protocols
Also supports static routing
7. Layer 3 or Layer 2 implementation
Can be implemented in Routed mode or Transparent mode
8. VPN support
Can operate as head-end or remote-end device for VPN tunnels
Site-to-Site VPN, Remote VPN
9. High availability
10. AAA support
11. Modular Policy Framework
12. Security Context
Firewall modes
1. Routed firewall mode
2. Transparent firewall mode
Routed firewall mode:
Default mode of the Cisco ASA
The ASA is considered a router hop in the network
Supports almost all ASA features, such as NAT and dynamic routing protocols
Transparent mode:
Introduced after software version 7.0
Can be deployed in secure bridging mode, as a Layer 2 device
Acts like a bump in the wire and is not considered a router hop
Static routes are only used for traffic originating from the appliance
The only Layer 3 addressing required is the management IP address, which must be in the same subnet as the connected
network
Configuring an ASA interface:
1. Enable the interface with the no shutdown command
2. Configure an IP address with the ip address command
3. Give it a logical name with the nameif command
4. Define a security level with the security-level command
Security level:
A number between 0 and 100 that defines the trustworthiness of the interface
Default behavior of the Cisco ASA:
Higher security level to lower security level: everything is allowed
Lower security level to higher security level: everything is denied; it can be permitted by applying an access list on the interface
Same-security traffic is denied by default
By default the ASA inspects all TCP and UDP traffic passing through the firewall
TCP and UDP reply traffic is always permitted through the firewall
Packet flow (before ASA 8.3)
Whenever a packet arrives at an ingress interface:
1. The ASA checks its connection table
2. If it is an existing connection, the access-list and security-level checks are bypassed
3. If it is a new connection, the TCP state of the packet is verified and the packet is processed for
the access-list check
4. The packet is processed as per the interface access list. If no access list is configured
on the interface, the packet is processed as per the default behavior
5. The packet is checked for translation against the NAT rules
6. The packet is subjected to the inspection check
7. The IP header information is changed as per the NAT/PAT rule
8. The packet is forwarded to the egress interface
Access lists on the ASA
Supports two types: standard and extended access lists
ACLs have many applications:
1. To control traffic flow and network access through the ASA
2. To identify addresses for NAT exemption or policy NAT
3. To identify traffic for AAA rules
4. To identify traffic for a class map for MPF
5. To control route redistribution
6. To define traffic for IPsec VPN encryption
Note:
If an access list is configured on an interface, then all traffic initiated from that
interface is checked against the access list
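The interface steps, the security-level defaults and the note on interface ACLs above, combined into one ASA configuration. This is an added example, not configuration from the original notes; the interface names and addresses are placeholders, the DNS server 10.8.8.8 is taken from the DHCP slide at the end of the notes, and the ACL syntax assumes ASA 8.3 or later, where an interface ACL names the real (untranslated) address.

```cisco
! Added example: ASA interfaces and interface ACLs. Names and addresses are placeholders.
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 203.0.113.2 255.255.255.0
 no shutdown
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 10.0.0.1 255.255.255.0
 no shutdown
interface GigabitEthernet0/2
 nameif dmz
 security-level 50
 ip address 192.168.2.1 255.255.255.0
 no shutdown
!
! outside (0) -> dmz (50) is lower-to-higher and denied by default:
! permit only HTTPS to the web server (real address, ASA 8.3+)
access-list OUTSIDE-IN extended permit tcp any host 192.168.2.10 eq 443
access-list OUTSIDE-IN extended deny ip any any log
access-group OUTSIDE-IN in interface outside
!
! inside (100) -> anywhere was allowed by default; once an ACL is applied,
! traffic initiated from inside is judged by the ACL and its implicit deny,
! so everything still wanted has to be listed explicitly
access-list INSIDE-OUT extended permit tcp 10.0.0.0 255.255.255.0 any eq 443
access-list INSIDE-OUT extended permit tcp 10.0.0.0 255.255.255.0 any eq 80
access-list INSIDE-OUT extended permit udp 10.0.0.0 255.255.255.0 host 10.8.8.8 eq 53
access-list INSIDE-OUT extended deny ip any any log
access-group INSIDE-OUT in interface inside
!
! Reply traffic for these connections needs no ACL entry: the connection table admits it.
! Checks: 'show access-list' shows per-line hit counts, 'show conn' the state table,
! 'packet-tracer input outside tcp 198.51.100.7 40000 192.168.2.10 443' walks one flow
! through the ACL, NAT and inspection stages
```

The explicit deny ip any any log lines only add logging; the implicit deny at the end of every ASA ACL would drop the same traffic silently.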
Network Address Translation
Performs translation of an IP address that is used within one network to a different IP address known within another network
Can be used for security purposes
Can be used for communication between overlapping subnets
Can be used to preserve IP addresses
Types of NAT:
1. Dynamic NAT
2. Dynamic PAT
3. Static NAT
4. Static PAT
Dynamic NAT
Translates a group of real (private) addresses to public IP addresses drawn from a pool of registered (public) addresses that are routable to the destination
network
Addresses are handed out on a first come, first served basis
Used for unidirectional communication only
Default timeout is 3 hours and can be changed
Dynamic PAT
Translates a group of real (private) addresses to a single mapped IP address by using the combination of the mapped
IP address and a source port number
Unidirectional communication only
Default timeout is 30 seconds and cannot be changed
Static NAT
Creates a fixed (one-to-one) translation of a real address to a mapped address
Allows bidirectional communication
The entry remains permanently in the NAT translation table
Static PAT
Static PAT is similar to static NAT, except that it allows specifying the Layer 4 port information for the real and
mapped addresses
The entry remains permanently in the NAT translation table
Policy NAT
Similar to static NAT, but it allows defining conditional criteria on both the source address and the destination address to
determine the address translation
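The five NAT variants above written out in ASA object-NAT and manual-NAT syntax. This is an added example, not configuration from the original notes; it assumes ASA 8.3 or later (the packet-flow slide above describes pre-8.3 behaviour, and the NAT command syntax changed at 8.3), and the object names, subnets and public addresses are placeholders.

```cisco
! Added example: NAT types on ASA 8.3+. Object names and addresses are placeholders.
! Dynamic PAT: the whole inside LAN shares the outside interface address,
! with each flow distinguished by its translated source port
object network INSIDE-LAN
 subnet 10.0.0.0 255.255.255.0
 nat (inside,outside) dynamic interface
!
! Dynamic NAT: a second subnet draws one-to-one addresses from a pool,
! handed out first come first served and aged out after the dynamic timeout
object network NAT-POOL
 range 203.0.113.10 203.0.113.20
object network INSIDE-LAB
 subnet 10.0.1.0 255.255.255.0
 nat (inside,outside) dynamic NAT-POOL
!
! Static NAT: fixed one-to-one mapping, bidirectional, permanent in the xlate table
object network DMZ-WEB
 host 192.168.2.10
 nat (dmz,outside) static 203.0.113.5
!
! Static PAT: one public address, only TCP 2222 forwarded to the server's port 22
object network DMZ-MGMT
 host 192.168.2.20
 nat (dmz,outside) static 203.0.113.6 service tcp 22 2222
!
! Policy NAT (manual, "twice" NAT): inside hosts use the pool only when the
! destination is the partner network; source and destination are both matched,
! and manual NAT rules are evaluated before the object NAT rules above
object network PARTNER-NET
 subnet 172.16.0.0 255.255.0.0
nat (inside,outside) source dynamic INSIDE-LAN NAT-POOL destination static PARTNER-NET PARTNER-NET
!
! Checks: 'show nat' shows rule order and hit counts, 'show xlate' the active
! translations; dynamic PAT entries age out, the static ones stay
```

An interface ACL that admits traffic to the DMZ servers from outside references their real addresses (192.168.2.10 and 192.168.2.20, port 22 for the static PAT), not the public ones, on 8.3 and later.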
The ASA can be configured as a DHCP server:
ASA1(config)# dhcpd address 10.0.0.101-10.0.0.132 inside
ASA1(config)# dhcpd enable inside
ASA1(config)# dhcpd dns 10.8.8.8 interface inside
ASA1(config)# dhcpd domain example.org interface inside