CCNA Security Summary (Connect4techs)

Uploaded by Ahmed Al-Dayeh
CCNA SECURITY SUMMARY

(The handwritten notes on the cover page, on penetration testing, password attacks, debuggers and exploiting vulnerabilities, are illegible in the scan.)

Q1: What's CIA?
Q2: What are the common security terms?
Q3: Identify common network security zones.
Q4: Identify common network attacks.
Q5: Describe social engineering.
Q6: Identify malware.
Q7: Classify the vectors of data loss/exfiltration.

Q1: What's CIA?
A1:
- Confidentiality: providing confidentiality of data guarantees that only authorized users can view sensitive information.
- Integrity: providing integrity of data guarantees that only authorized subjects can change sensitive information. Integrity might also guarantee the authenticity of data.
- Availability: providing system and data availability guarantees uninterrupted access by authorized users to important computing resources and data.

Q2: What are the common security terms?
A2: (www.Connect4techs.com) Handwritten: Risk = Vulnerability + Threat.
Table 31-1 Common Network Security Terms (Term / Explanation). Most of the table is illegible in the scan; the one entry that can be read is:
- Exploit: a mechanism used to take advantage of a vulnerability in order to compromise a system.

Q3: Identify common network security zones.
A3:
- Public ("outside", untrusted): this zone is fully outside the control of the organization.
- Private ("inside", trusted): the zone in which systems owned by the organization reside; they must be protected from systems that do not belong to the organization.
- DMZ (demilitarized zone): resides between the inside and outside interfaces. DMZ devices, such as web servers, are owned and controlled by the organization, but they are accessed by systems outside of the organization's control.
(The notes on which traffic, such as HTTP/HTTPS to the DMZ web server, is permitted between the zones are illegible in the scan.)

Q4: Identify common network attacks.
A4:
- Reconnaissance attacks: an attempt to learn more about the intended victim before attempting a more intrusive attack. Tools include information queries (such as WHOIS), ping sweeps, port scans and vulnerability scanners.
- Access attacks: the attacker attempts to access the network. Access attacks exploit known vulnerabilities in authentication services, FTP services and web services to gain entry to web accounts and confidential databases. Common types are:
  - Password attacks
  - Trust exploitation: an attacker uses privileges granted to a system in an unauthorized way. For example, if a DMZ device has access to the inside network, an attacker who compromises the DMZ device can use it to launch attacks from there against the inside network.
  - Port redirection: uses a compromised system as a base for attacks against other targets.
  - Man-in-the-middle attack
  - Buffer overflow attack
  - Spoofing (IP, MAC, DHCP)
- Denial of service (DoS) and distributed denial of service (DDoS) attacks:
  - Ping of death: an attacker sends a malformed or otherwise malicious ping to a computer. Because the maximum IP packet size is 65,535 bytes, a ping larger than that can crash the victim's system.
  - Smurf attack: the attacker sends numerous ICMP echo-request packets to the broadcast address of a large network. These packets contain the victim's address as the source, so every host on the large network responds by sending ICMP echo replies to the victim, overwhelming it.
  - TCP SYN flood attack: an attacker exploits the TCP three-way handshake design by sending multiple TCP SYN packets with random source addresses to a victim host, causing the host to send a SYN-ACK and wait for an ACK that never arrives, thus leaving the victim with many half-open connections.

Q5: Describe social engineering.
A5:
- Pharming: by compromising domain name servers. When victims attempt to visit a legitimate website, the compromised name server instead provides the IP address of a malicious site.
- Phishing: (the description is illegible in the scan).
- Spam: attackers may use spam email to trick a user into clicking an infected link or downloading an infected file.
- Baiting: the attacker leaves a malware-infected physical device, such as a USB flash drive, in a public location such as a corporate washroom. The finder of the device loads it onto a computer, unintentionally installing the malware.

Q6: Identify malware.
A6: Malware is malicious software that comes in several forms, including the following:
- Virus: a malicious computer program (executable file) that can copy itself and infect a computer without the permission or knowledge of the user. A virus needs a user action in order to spread.
- Trojan horse: malware that carries out malicious operations under the guise of a desired function. A Trojan horse comes with malicious code hidden inside of it. This malware code exploits the user's privileges and then creates back doors in the infected system.
- Worm: malware that replicates itself by independently exploiting vulnerabilities in networks.
  Worms require no user intervention to spread.
- Spyware: malware that is used to gather information about a user and send the information to another entity without the user's consent.
- Adware: malware that typically displays annoying pop-ups to generate revenue for its author.

Q7: Classify the vectors of data loss/exfiltration.
A7: Data loss or data exfiltration is when data is intentionally or unintentionally lost, stolen or leaked to the outside world. Vectors: email attachments, unencrypted devices, cloud storage devices, removable media, hard copy.

(Handwritten note on password attacks, partly illegible: methods include guessing, brute force, dictionary attacks and phishing; countermeasures noted are strong passwords, enforcement of a password policy and two-factor authentication.)

SECURE MANAGEMENT SYSTEMS
Q1: Configure secure network management.
Q2: Configure and secure access through SNMPv3 using an ACL.
Q3: Configure and verify security for NTP.
Q4: Configure multiple privilege levels.
Q5: Configure Cisco IOS role-based CLI access.
Q6: Implement Cisco IOS resilient configuration.
Q7: Implement routing update authentication on OSPF.
Q8: Explain the function of control plane policing.
Q9: Explain automated security features.

Q1: Configure secure network management.
A1: There are multiple router configuration commands that can be used to increase access security, either at the console or via the vty lines. Table 27-1 summarizes some of the more useful options. The table is only partly legible in the scan; the entries that can be made out include:
- security passwords min-length (global configuration): enforces a minimum password length.
- login block-for seconds attempts tries within seconds (global configuration): blocks logins for a period after repeated failed attempts.
- login on-failure log and login on-success log (global configuration): log failed and successful login attempts.
- exec-timeout (line configuration): closes idle sessions.

SSH/HTTPS
SSH provides a more secure means of accessing a Cisco IOS device's command line than Telnet. This is because SSH uses cryptographic technology for privacy (encryption), strong authentication (public/private key pairs) and data integrity (hashing). The same applies to using HTTPS instead of HTTP for GUI access to the device. Example 27-1 shows the configuration necessary for enabling SSH and HTTPS.
Example 27-1 SSH and HTTPS Configuration
In Example 27-1, user Bob has been configured with a type 9 secret password. The router has been given a hostname and a domain name, both of which are requirements for generating the 1024-bit RSA key. Only SSH version 2 connections will be accepted on the vty lines, and they will be authenticated using the local database. The HTTP server has been disabled, and the HTTPS server has been enabled and configured to use the local database for authentication.

Syslog
The most common method of accessing system messages from networking devices is to use a protocol called syslog, which is defined in RFC 5424. Syslog uses User Datagram Protocol (UDP) port 514 to send event notification messages across IP networks to event message collectors. Cisco routers can be configured to send syslog messages to several different facilities, such as:
- Logging buffer: messages are stored in router memory (RAM) for a period of time.
- Console: console logging is turned on by default.
- Terminal lines: log messages can be sent to the vty lines for viewing during a Telnet or SSH session.
- Syslog server: log messages can be forwarded to an external device running a syslog daemon.
Syslog defines eight severity levels, 0 through 7. The lower the number, the more severe the issue. Syslog also defines standard names to associate with each of the levels. Table 27-2 lists the eight levels of syslog messages.
Table 27-2 Syslog Severity Levels (Level / Name / Description): the table body is illegible in the scan.
Example 27-2 Syslog Configuration
In Example 27-2, R1 has been configured to send syslog to the syslog server at 192.168.1.25. Messages with a severity level of 5 or lower (i.e., levels 0-5) will be sent to the server. Since syslog messages are being sent to an external server, logging to the console has been disabled to save on CPU resources. Use the show logging command to view the logging configuration and buffered syslog messages.

Q2: Configure and verify secure access through SNMPv3 using an ACL.
A2: Simple Network Management Protocol (SNMP) was developed to allow administrators to manage devices on an IP network. SNMP consists of three elements relevant to the network management system (NMS):
- SNMP manager: an SNMP manager runs a network management application.
- SNMP agent: an SNMP agent is a piece of software that runs on a managed device (such as a server, router or switch).
- Management Information Base (MIB): information about a managed device's resources and activity, defined by a series of objects. Objects in the MIB are referenced by their object identifier (OID).
(Page header from the source book: 31 Days Before Your CCNA Security Exam, p. 403.)
Agents listen on UDP port 161, and SNMP managers listen on UDP port 162. SNMP uses three message types:
- GET: an SNMP GET message is used to retrieve information from a managed device.
- SET: an SNMP SET message is used to set a variable in a managed device or to trigger an action on a managed device.
- Trap: an SNMP trap message allows a network device to send unsolicited updates to a network management station to notify the SNMP manager about a significant event.
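The management-plane configuration described under Q1 (SSH and HTTPS in Example 27-1, syslog in Example 27-2 and the login options of Table 27-1), collected into one Cisco IOS configuration as an added example. This is constructed for this summary and is not the book's own Example 27-1 or 27-2; the hostname, domain name, user name, secrets and the 2048-bit key size (the book text uses 1024 bits) are assumptions, and the syslog server address is the one given in the text.

```cisco
! Added example (constructed, not the book's Example 27-1/27-2).
! Assumed: hostname R1, domain example.com, user Bob, syslog collector 192.168.1.25.
hostname R1
ip domain-name example.com
! Type 9 (scrypt) secret for the local user that SSH and HTTPS authenticate against
username Bob privilege 15 algorithm-type scrypt secret Str0ngPassw0rd!
! Hostname and domain name must exist before the RSA key can be generated
crypto key generate rsa modulus 2048
ip ssh version 2
ip ssh time-out 60
ip ssh authentication-retries 2
! Only SSH on the vty lines, authenticated against the local database, idle timeout 5 min
line vty 0 4
 transport input ssh
 login local
 exec-timeout 5 0
! GUI access: HTTPS only, local authentication
no ip http server
ip http secure-server
ip http authentication local
! Login hardening (Table 27-1 options): minimum password length,
! block for 120 s after 3 failures within 60 s, log both failed and successful logins
security passwords min-length 10
login block-for 120 attempts 3 within 60
login on-failure log
login on-success log
! Syslog: timestamps, local buffer, send levels 0-5 (emergency..notification)
! to the collector, and stop console logging to save CPU
service timestamps log datetime msec
logging buffered 16384 informational
logging host 192.168.1.25
logging trap notifications
no logging console
! Verification: show ip ssh / show logging / show login
```

Note that `logging trap notifications` is the keyword form of severity level 5, so it sends exactly the levels 0-5 the text describes; `logging buffered` is left at level 6 so that informational messages still appear locally in `show logging`.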
Table 27-3 summarizes the differences between SNMPv1, SNMPv2c and SNMPv3.
Table 27-3 SNMP Security Models and Levels (Model / Level / Authentication / Encryption / Result):
- SNMPv1 / noAuthNoPriv / community string / no / authenticates with a community string
- SNMPv2c / noAuthNoPriv / community string / no / authenticates with a community string
- SNMPv3 / authNoPriv / MD5 or SHA / no / provides HMAC-MD5 or HMAC-SHA authentication
- SNMPv3 / authPriv / MD5 or SHA / DES, 3DES or AES / provides HMAC-MD5 or HMAC-SHA authentication and also provides DES, 3DES or AES encryption
The steps to configure secure user-based SNMP are as follows:
1. Configure an SNMP engine ID. This is a unique value identifying the managed device, typically a hexadecimal representation of the IP address of the device.
2. Define an SNMP view to define user access to the MIB tree.
3. Define an SNMP group, its version, and its security level.
4. Define an SNMP user, assign it to an SNMP group, and specify authentication and encryption parameters.
5. Define and apply an ACL to the SNMP group and/or SNMP user.
6. Define a host device that will be allowed SNMP access.
Example 27-3 shows how to configure and secure SNMPv3.
Example 27-3 SNMPv3 Configuration

Q3: Configure and verify security for NTP.
A3: NTP is an automated method to synchronize date and time settings for devices on the network. NTP uses UDP port 123.

SECURE DEVICE ACCESS
Q4: Configure multiple privilege levels.
A4: A common method of defining authorization policy for administrative access is to use privilege levels. By default, the Cisco IOS software CLI has two levels of access to commands:
- User EXEC mode (privilege level 1): provides the lowest EXEC mode user privileges, at the Router> prompt.
- Privileged EXEC mode (privilege level 15): provides the highest EXEC mode user privileges, at the Router# prompt.
There are 16 privilege levels in total. The higher the privilege level, the more router access a user has. Commands that are available at lower privilege levels are also executable at higher levels.
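The six SNMPv3 steps listed under Q2 above, worked through as one Cisco IOS configuration (authPriv, the strongest row of Table 27-3). This is an added, constructed example and not the book's Example 27-3; the NMS address, engine ID, view, group, user and ACL names and the passwords are all assumptions.

```cisco
! Added example (constructed, not the book's Example 27-3): SNMPv3 authPriv, read-only,
! restricted to one management station. Assumed: NMS 192.168.1.50, names and secrets below.
! Step 5 (prepared first so it can be referenced): ACL naming the only permitted manager
ip access-list standard SNMP-NMS
 permit host 192.168.1.50
 deny   any log
! Step 1: local engine ID. Set it BEFORE creating users; changing it later invalidates them.
snmp-server engineID local 1234567890
! Step 2: view. "iso included" exposes the whole tree; narrow it to the OIDs the NMS needs.
snmp-server view NMSVIEW iso included
! Step 3: group - version 3, security level priv (authentication + encryption),
! read access only through the view, polling allowed only from the ACL
snmp-server group NMSGROUP v3 priv read NMSVIEW access SNMP-NMS
! Step 4: user - SHA authentication, AES-128 privacy, member of the group, same ACL
snmp-server user NMSUSER NMSGROUP v3 auth sha AuthPassw0rd! priv aes 128 PrivPassw0rd! access SNMP-NMS
! Step 6: trap receiver, notified as SNMPv3 authPriv using that user
snmp-server host 192.168.1.50 version 3 priv NMSUSER
snmp-server enable traps config
! Verification: show snmp group / show snmp user / show snmp host
```

No `write` view is defined on the group, so SET operations are refused even from the permitted manager; add one only if the NMS genuinely needs to change configuration, and keep the ACL on both the group and the user so the restriction holds whichever object a future change touches.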
To configure a privilege level with specific commands, use the privilege command. Example 17-1 shows the commands necessary to set the privilege level of several commands.
Example 17-1 Configuring Privilege Levels
In Example 17-1, privilege level 5 has access to the ping and show version commands, as well as all level 1 commands. Privilege level 10 has access to the reload command as well as all level 5 and level 1 commands. Privilege level 12 has access to the router interface configuration commands as well as all level 10, level 5 and level 1 commands. For level 5 and level 10, a SCRYPT-encrypted secret has been configured. For level 12 access, a local database entry for ADMIN has been configured, also using the stronger SCRYPT encryption algorithm. To access a certain privilege level, use the enable level command. To view the current privilege level, use the show privilege command, as shown in Example 17-2.
Example 17-2 Accessing and Verifying Privilege Levels

Q5: Configure Cisco IOS role-based CLI access.
A5: Role-based CLI access, introduced to provide more flexibility than privilege levels allow, enables the network administrator to create different views of router configurations for different users. Each view defines the CLI commands that each user can access. These views, also called parser views, can be created with a subset of privilege level 15 commands. One view, named root, is defined by default. The root view is authorized for all commands. To configure a view for the system, the administrator must be in root view. It is also possible to create superviews. A superview consists of one or more CLI views. Example 17-3 shows the commands necessary to create a view on a Cisco router.
Example 17-3 Configuring Role-Based CLI
Before creating a CLI view, an enable secret password must be configured and AAA must be enabled. Next, the administrator must log in to the root view using the enable view command. After entering the enable secret password, the new view can be created and its own secret assigned. EXEC and configure commands can then be assigned to the selected view using the include and exclude keywords. As with a privilege level, it is also possible to assign a view to a user in the local AAA database.
Example 17-5 Assigning a View to a User

Q6: Implement Cisco IOS resilient configuration.
A6: The Cisco IOS resilient configuration feature allows for faster recovery if someone maliciously or unintentionally formats flash memory or erases the startup configuration file in nonvolatile random-access memory (NVRAM). The feature maintains a secure working copy of the router Cisco IOS image file and a copy of the running configuration file. To secure the Cisco IOS image and enable Cisco IOS image resilience, use the secure boot-image global configuration mode command.
Example 17-6 Cisco IOS Resilient Configuration

SECURE ROUTING PROTOCOLS
Q7: Implement routing update authentication on OSPF.
A7: We will look at enabling routing protocol authentication for Open Shortest Path First (OSPF). Because MD5 and SHA-1 are now considered vulnerable to cryptographic attack, it is recommended that SHA-2 be used instead. We will review how to enable both of these options. By default, network devices send routing information to and from their routing peers in the clear, which allows an attacker to introduce false routing information into the network. The primary method of preventing unauthorized systems from participating in routing protocols is to configure cryptographic authentication on the routing protocol. With this method, a shared secret is configured between peer routers.
OSPF MD5 Authentication
MD5 authentication for OSPF can be configured either with a key chain or without.
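The device-access controls of Q4 to Q6 (privilege levels, a parser view bound to a local user, and the resilient configuration) as one added Cisco IOS example. It is constructed for this summary and is not the book's Examples 17-1, 17-3, 17-5 or 17-6; the view name NETOPS, the user names and every secret shown are assumptions. It follows the level layout the text describes (level 5: ping and show version; level 10: reload; level 12: interface configuration via the local user ADMIN).

```cisco
! Added example (constructed, not the book's Examples 17-1..17-6). Secrets are placeholders.
! --- Q4: privilege levels ---
! Level 5 = level 1 commands plus ping and show version
privilege exec level 5 ping
privilege exec level 5 show version
enable algorithm-type scrypt secret level 5 Level5Secret!
! Level 10 = level 5 plus reload
privilege exec level 10 reload
enable algorithm-type scrypt secret level 10 Level10Secret!
! Level 12 = level 10 plus interface configuration, reached through the local user ADMIN
privilege exec level 12 configure terminal
privilege configure level 12 interface
username ADMIN privilege 12 algorithm-type scrypt secret AdminSecret!
! Use "enable 5" / "enable 10" to move to a level and "show privilege" to confirm it.
!
! --- Q5: role-based CLI (parser view) ---
! Prerequisites: an enable secret and AAA; views are created from root view ("enable view").
enable algorithm-type scrypt secret RootSecret!
aaa new-model
parser view NETOPS
 secret NetopsViewSecret!
 commands exec include ping
 commands exec include all show ip
 commands exec include configure terminal
 commands configure include interface
 commands interface include ip address
! Bind the view to a user so the view secret itself never has to be shared
username NETOPSUSER view NETOPS algorithm-type scrypt secret NetopsUserSecret!
! Operators log in as NETOPSUSER; "show parser view" reports the active view.
!
! --- Q6: resilient configuration ---
! Hide a copy of the running IOS image and of the running configuration from erase/format
secure boot-image
secure boot-config
! Verification: show secure bootset
```

A user who is dropped into NETOPS sees only the included commands; everything not listed (reload, copy, the rest of configure mode) is simply absent from the parser, which is the point of views over plain privilege levels. The resilient configuration commands take effect only on platforms whose flash supports the secure bootset, so check `show secure bootset` after entering them.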
There are two basic components: defining a key chain, and referencing the key chain on the appropriate OSPF interfaces.
Figure 16-1 Router Authentication Example Topology (OSPF Area 0; R1 and R2 connected over 192.168.1.0/30)
Once the key chain is defined, it must be applied to the appropriate interfaces.
Example 16-2 Assigning the Key Chain to an Interface
An identical configuration would be applied to the neighbor router.
OSPF SHA Authentication
Example 16-6 Creating a SHA-256 Key Chain for OSPF
Example 16-7 SHA Key Chain Verification

CONTROL PLANE SECURITY
Q8: Explain the function of control plane policing.
A8: Network devices implement processes that can be broken down into three functional planes: the management plane, the control plane, and the data plane.
- The management plane is associated with traffic that is sent to a network device and that is used to configure, monitor and manage the device; protocols such as SSH, SNMP and FTP.
- The control plane carries the traffic that maintains the functionality of the network infrastructure; protocols such as BGP, EIGRP and OSPF.
- The data plane forwards data through a network device, such as user traffic.
The vast majority of packets handled by network devices are data plane packets. These packets are handled by Cisco Express Forwarding (CEF). CEF uses the control plane to pre-populate the CEF Forwarding Information Base (FIB) table in the data plane with the appropriate egress interface for a given packet flow. Subsequent packets that flow between that same source and destination are forwarded by the data plane based on the information contained in the FIB.
Figure 15-1 Functional Planes and Router Processing
The management plane has already been secured with AAA, SSH, HTTPS, ACLs and SNMP. The data plane will be secured using intrusion prevention systems (IPS), firewalls and Layer 2 security. On the control plane, SNMP traps and syslog messages can be associated with high CPU rates or low memory availability, which can affect control plane functionality.
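The two OSPF authentication components just described (a key chain, then the key chain referenced on the interface), written out for the Figure 16-1 topology as an added example. It is constructed for this summary and is not the book's Example 16-2 or 16-6; the interface name, OSPF process number, key identifier and key string are assumptions. It uses the SHA-256 option the text recommends and shows the older MD5 form only in a comment.

```cisco
! Added example (constructed, not the book's Examples 16-2/16-6).
! Topology from Figure 16-1: R1 <-> R2 on 192.168.1.0/30, OSPF Area 0. Assumed interface Gi0/0.
! Component 1: the key chain. Key id and key string must match on both routers.
key chain OSPF-KEYS
 key 1
  key-string Sup3rS3cret-OSPF-Key
  cryptographic-algorithm hmac-sha-256
!
! Component 2: reference the key chain on the OSPF interface (R1 side)
interface GigabitEthernet0/0
 ip address 192.168.1.1 255.255.255.252
 ip ospf authentication key-chain OSPF-KEYS
!
router ospf 1
 network 192.168.1.0 0.0.0.3 area 0
!
! R2 is configured identically, with ip address 192.168.1.2 255.255.255.252.
! Legacy MD5 without a key chain (not recommended by the text) would instead be:
!   interface GigabitEthernet0/0
!    ip ospf authentication message-digest
!    ip ospf message-digest-key 1 md5 Sup3rS3cret-OSPF-Key
! Verification: show key chain / show ip ospf interface GigabitEthernet0/0 / show ip ospf neighbor
```

If the adjacency stays in INIT or never forms after the change, the usual causes are a key string or key id mismatch or the key chain applied on only one side; `show ip ospf interface` reports the authentication type and key chain in use, which is the first thing to compare between the two routers.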
This can provide an early indication of a pending failure or attack.
Control Plane Policing (CoPP)
The CoPP Cisco IOS feature allows you to specify what traffic is allowed and what traffic is denied on the control plane interface. It also provides for rate limiting of allowed traffic. Therefore, expected traffic that is of lower priority can be allowed, but attacks where floods of lower priority traffic are sent to the control plane will be mitigated. For example, you may wish to permit certain ICMP packet types, but rate limit them so that the route processor is not adversely impacted.

Q9: Explain automated security features.
A9: Disable unnecessary services, interfaces and protocols.
auto secure [no-interact | full] [forwarding | management] [ntp] [login] [ssh] [firewall] [tcp-intercept]
Parameter / Description:
- no-interact (optional): the user will not be prompted for any configurations. No interactive dialogue parameters will be configured, including usernames or passwords.
- full (optional): the user will be prompted for all interactive questions. This is the default setting.
- forwarding (optional): only the forwarding plane will be secured.
- management (optional): only the management plane will be secured.
- ntp (optional): specifies the configuration of the NTP feature in the AutoSecure CLI.
- login (optional): specifies the configuration of the Login feature in the AutoSecure CLI.
- ssh (optional): specifies the configuration of the SSH feature in the AutoSecure CLI.
- firewall (optional): specifies the configuration of the Firewall feature in the AutoSecure CLI.
- tcp-intercept (optional): specifies the configuration of the TCP-intercept feature in the AutoSecure CLI.

AAA CONCEPTS
Q1: Describe AAA.
Q2: Describe RADIUS and TACACS+ technologies.
Q3: Describe authentication and authorization using ACS and ISE.
Q4: Configure administrative access on a Cisco router using TACACS+ and RADIUS.
Q5: Identify the functions of 802.1X components.

Q1: Describe AAA (Authentication, Authorization, Accounting).
A1: AAA network security services provide the primary framework to set up access control on a network device. AAA is a way to control who is permitted to access a network (authenticate), control what they can do while they are there (authorize), and audit what actions they performed while accessing the network (accounting). It uses two common methods:
1) Local AAA authentication: this method stores usernames and passwords locally in the Cisco router, and users authenticate against the local database.
2) Server-based AAA authentication: a central AAA server contains the usernames and passwords for all users. The routers access this server using either the Remote Authentication Dial-In User Service (RADIUS) or the Terminal Access Controller Access Control System (TACACS+) protocol. The Cisco Secure Access Control System (ACS) server is an example of this type.
Table 26-1 Comparing Local and Server-Based AAA (Local AAA / Server-based AAA): the table body is illegible in the scan.

Q2: Describe RADIUS and TACACS+ technologies.
A2: TACACS+ and RADIUS are both authentication protocols that are used to communicate with AAA servers.
RADIUS (open standard): RADIUS is a general-purpose AAA, fully open standard protocol. It listens on either UDP 1645 (legacy) or 1812 for authentication and authorization and on either UDP 1646 (legacy) or 1813 for accounting. Communication between the NAS and the RADIUS server is not completely secure; only the password portion of the RADIUS packet header is encrypted.
Figure 26-2 RADIUS AAA Authentication
TACACS+ is Cisco proprietary. It encrypts the entire body of the packet for more secure communications, uses TCP port 49, and separates all three AAA functions: authentication, authorization and accounting.
Figure 26-3 TACACS+ AAA Authentication
TACACS+ Versus RADIUS (TACACS+ / RADIUS), as far as legible:
- Functionality: separates the AAA functions / combines authentication and authorization but separates accounting
- Standard: Cisco proprietary, but very well known / open standard, supported by many vendors
- Confidentiality: all packets encrypted between the ACS server and the router / only the password is encrypted
- Customization: provides authorization of router commands on a per-user or per-group basis / no option to authorize router commands on a per-user or per-group basis
- Accounting: limited / extensive

Q3: Describe authentication and authorization using ACS and ISE.
A3: AAA servers facilitate centralized resources for authentication databases, authorization policy configurations, and accounting records. Cisco offers two AAA servers for the enterprise market: Cisco Secure Access Control Server (ACS) and Cisco Identity Services Engine (ISE).
ACS: ACS is a robust AAA server offering both TACACS+ and RADIUS services in one system. An organization can centralize both user network access policies and network device administrative access policies in one server. ACS can be integrated to use the AD service. Microsoft Windows Server can also be configured as an AAA server.
Figure 26-4 ACS Authentication with External Database
ISE: Cisco ISE is a next-generation identity management system that combines ACS with Network Admission Control (NAC) but also includes features such as:
- Profiling: determines the type of device from which the user is accessing the network.
- Posture assessment: determines the "health" of the device accessing the network.
- Centralized web authentication: simplifies the provisioning of guest access.
- AAA: offers identity-based network access, logging, compliance and reporting.
ISE can also simplify and accelerate safe bring-your-own-device (BYOD) deployments.

TACACS+ AND RADIUS IMPLEMENTATION
Q4: Configure administrative access on a Cisco router using TACACS+ and RADIUS.
A4: The basic steps when deploying server-based AAA are as follows:
1. Enable AAA.
2. Specify the IPv4 and/or IPv6 address of the AAA server (ACS or other).
3. Configure the shared secret key that will be used between the network access server (NAS) and the AAA server.
4. Configure authentication to use either the RADIUS or the TACACS+ server.
5. Configure authorization to use either the RADIUS or the TACACS+ server.
6. Configure accounting to use either the RADIUS or the TACACS+ server.
Example 26-1 Initial Setup for TACACS+ and RADIUS Servers
In Example 26-1, we are enabling AAA globally and then configuring the parameters of two AAA servers: a TACACS+ server at address 172.16.255.100 and a RADIUS server (its address is illegible in the scan). Since TACACS+ uses TCP, we are using the single-connection command to maintain a single TCP connection for the duration of the session. The RADIUS server is using the standard UDP port numbers instead of the legacy Cisco values. Finally, we have defined a shared secret key to use for each protocol. When the AAA security servers have been identified, the servers must be included in the method list of the aaa authentication login command. The generic syntax for the command is:
aaa authentication login {default | list-name} method1 [method2 ...]
When defining login authentication, you can either use the default name or create a custom name. If default is used, the list is automatically applied to all login attempts (console, vty, aux and tty sessions). If default is not used, the list will need to be applied to each line manually. Finally, you must select the method(s) of authentication. If multiple methods are configured, the first option listed is the primary option and the subsequent methods act as failover options in the order they are specified. The device will use failover methods only when it fails to get a response from the current method. If an authentication failure is received, the device will not fail over to the next method. Table 25-1 briefly summarizes some of the authentication methods available.
Table 25-1 AAA Authentication Methods (Method Keyword / Description), as far as legible:
- local: uses the local username database for authentication
- group radius / group tacacs+: uses the list of all RADIUS or TACACS+ servers for authentication
- group group-name: uses a subset of servers defined with the aaa group server command
- none: uses no authentication
Example 25-2 Server-based AAA Authentication
In Example 25-2, we define three authentication lists: default, NOAUTH and SRVAUTH. Each list uses multiple authentication methods for redundancy. A local user has been configured on R1 in case both the TACACS+ and RADIUS servers are unavailable. The default list is then applied to HTTP authentication attempts, while the NOAUTH list is applied to the console line and the SRVAUTH list is applied to the vty lines. Note that only SSH connections are permitted on the vty lines.
Next we need to look at controlling what actions and commands a user is allowed to perform. When AAA authorization is not enabled, all users are allowed full access. After authorization is started, the default changes to allow no access. This means that the administrator must create a user with full access rights before authorization is enabled. Failure to do so immediately locks the administrator out of the system the moment the aaa authorization command is entered. To avoid locking out the administrator, authorization is not enabled on the console line by default. To enable authorization for the console line, use the aaa authorization console global configuration command. Configuring authorization on Cisco IOS also involves creating method lists.
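The six-step server-based AAA procedure from Q4 above (server definitions as in Example 26-1, the login lists of Example 25-2, and authorization and accounting lists), assembled into one Cisco IOS configuration as an added example. This is constructed for this summary and is not the book's Examples 25-1 to 25-4; the TACACS+ address is the one the text gives, while the RADIUS address, server names, shared secrets and the local fallback user are assumptions.

```cisco
! Added example (constructed, not the book's Examples 25-1..25-4).
! Assumed: TACACS+ 172.16.255.100 (from the text), RADIUS 172.16.255.101, names and secrets below.
! Step 1: enable AAA
aaa new-model
! Local fallback account, created BEFORE authorization is enabled so nobody is locked out
username ADMIN privilege 15 algorithm-type scrypt secret Fallb4ckPassw0rd!
! Steps 2-3: servers, addresses and shared secrets
tacacs server TACACS-SRV
 address ipv4 172.16.255.100
 key Tacacs-Shared-Secret
 single-connection                     ! one TCP session for the whole exchange
radius server RADIUS-SRV
 address ipv4 172.16.255.101 auth-port 1812 acct-port 1813   ! standard ports, not legacy 1645/1646
 key Radius-Shared-Secret
! Step 4: authentication lists. First method is primary; later ones are used only when a
! server does not answer, never when it rejects the credentials.
aaa authentication login default group tacacs+ group radius local
aaa authentication login SRVAUTH group tacacs+ local
aaa authentication login NOAUTH none  ! console only; acceptable only with physical console security
! Step 5: authorization for the EXEC shell and for level-15 commands; local as fallback
aaa authorization exec default group tacacs+ local
aaa authorization commands 15 default group tacacs+ local
aaa authorization console             ! console follows the authorization lists too
! Step 6: accounting - one record at the end of each EXEC session, plus a record
! for every privilege-15 command
aaa accounting exec default stop-only group tacacs+
aaa accounting commands 15 default stop-only group tacacs+
! Apply the named lists to the lines (default lists apply automatically)
line console 0
 login authentication NOAUTH
line vty 0 4
 transport input ssh
 login authentication SRVAUTH
 authorization exec default
 authorization commands 15 default
 accounting exec default
 accounting commands 15 default
! Verification: show aaa servers / show tacacs / debug aaa authentication (during a test login)
```

The order matters on a live router: the local user and the server definitions go in first, the authentication lists next, and `aaa authorization` only after a successful test login, since the text notes that enabling authorization flips the default to "no access" for anyone the server does not explicitly authorize.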
The authorization method lists are similar to authentication method lists, and the generic syntax for them is as follows:
aaa authorization {commands level | exec | network | ...} {default | list-name} method1 [method2 ...]
Example 25-3 AAA Authorization
Example 25-3 continues to build on Examples 25-1 and 25-2 by adding authorization for access to the EXEC shell (in other words, the CLI) and authorization for access to privilege level 15 and global configuration commands. Both authorization lists are then applied to the vty lines.
Server-based AAA Accounting
Accounting helps to monitor administrative sessions and the commands entered in the session.
aaa accounting {system | network | exec | connection | commands level} {default | list-name} {start-stop | stop-only | none} [method1 [method2 ...]]
An important consideration when enabling accounting is selecting the record type, or trigger. The trigger specifies what actions cause accounting records to be updated. Possible triggers are listed in Table 25-2.
Table 25-2 Accounting Record Types (Record Type / Purpose):
- start-stop: sends a start accounting notice at the beginning of a process and a stop notice at the end of the process
- stop-only: sends a stop accounting notice at the end of the requested process
- none: disables accounting
Example 25-4 AAA Accounting
Example 25-4 continues to build on Example 25-3 by adding the command that will cause a single accounting record to be sent at the end of the session. Also, a second command is added that causes accounting records to be sent for every privilege level 15 command and every configuration mode command that is entered by the user. Both accounting lists are then applied to the vty lines.
Example 25-4 Verifying AAA RADIUS Authentication
(Handwritten note, AAA LOCAL, partly illegible: username name algorithm-type scrypt secret password.)

802.1X
Q5: Identify the functions of 802.1X components.
A5: Table (Parameter / Description); the descriptions are largely illegible in the scan. The three components are the supplicant (the client requesting access), the authenticator (the switch, which controls physical access to the network based on the authentication status of the client and relays the exchange) and the authentication server (which performs the actual authentication of the client).

FIREWALL
Q1: Describe Firewall.
Q2: Describe ZPF (Zone-based Policy Firewall).

Q1: Describe Firewall.
Ligeia Ey A IDI SY, pains Ppl) sworn Las AIL: the word Firewall commonly describes a system or device that ls placed between 3 stent an an nuted tun slic eae con! ast prc ton Figure 114 tering on routers and i systemsthat Include intrusion ity, and identity management. ll realls switches, feleated Firewall appliances, or fom protection, application awareness, content se share the same base requirements: @ a Pitiewat most be resistant to attacks. Lemay plz. — Cennnatnanenen mtn i i Srl cic beth pPregSCEV: Oren trewsl eterces the access conto poy of he organs 2 ' =P PS A SM LA eM Rachel flag) yj pach 5 by po, Se Sos th # Joperninan fi iG EET AR Oy) Se ¥ Firewall Type Descriptions lex 5,4) Ed? ¢ Benefits and Limitations of Firewalls -! Dbz Wrembose 4 Bigs J) cnt ed ee + ain i en a CS == Jaa @& settee fevss alton citer Fen ea; torts 45,8) CF) @ easicsinadnn > layer ( 3» shehork, 4-9 tnaprct) 7 The simplest typeof frewall As the name implies, apackettiter- ( firewnilJ) Elvi —<¢ G+ Theycan tte bsedon the souce an destination adress theft pa, G+ Tayean deren protocas atthe Gansprt age TC, UDP, IMP. OSPF. aso %: hen ne Enis TF OP sce a eatin pars cn {hen thaansport ayes ICMP, types And cedes canbe spec 5) han the wae TCP: he presence ofthe RK io the be vate 2" nit ne rR nee Rae eS et of anew TCP connection. 
—>Packet Fitering is commeniy implemented on Cisco 15 routers and switches by using ACLs Flthough RCLs are simpler implement and have 3 low Iron (Aclithrles here a eyes 2 Mar bs jaeeig Ho hye gure 42 | Packet Pier AGL face: (rants, i lds) Reo > (Privke ip) Wed NAT te Access We interreh CNAT Cr PAT) Loterret sory aleed te Mess (ot server busted “) He web serra (a EES Priva nletotirk Assume fr this scenario the fellowing config Te corporate natok ving the pvteP 266658 3¢8 10.00.08 ands cnmeced tothe ape ested onthe 208165 200.224/27 pate network whichis connected tothe a8 itr, ‘+The edo rover Internet acing interac VD and has a publi Padres of 200.165 201, Network Ars Translation (NAT Overload (x Port ess et NRT and PAT il beexlained in deta¥ on Oa 10 1 The edge outerures BoP with the > Evang II sowsthecontgation 39 ACL spb inbound onthe Gi inter. Example 11-4 Intrasteuctu AGL Packet Fier PASE oP 5 The A protects th omar net rom seg ates ad legit eae ao _llows the BGP exchange to orur between the edge route andthe Pally, allows Irieret users to acess the we server and permits Internet reples for corporat users. Notice she une of the established keyword When the established Keywords specie, the access contol entry wll atch TCP packets between the appropriate IP adaresses and TCP pots this cave, any) a longs ether the ACK bit or the RST itis st inthe TCP header ofthe packet ‘iso ote that the ACL wl not permitICMP ping request rom the Internet or rephes back to the corporate network. Tis acces could be added If requires. “fe ) 4, (epost KEL J obbs Ve (&) Proxuand application etewalls ( /\pplchin Jeter Pirwell) ‘ets proxy server aso known ae afpplicaton layer gta Host» Prony sever» Remote swe The ination of roxy severis that it needs to have pec ang Foe id Case Bi Pred Serer Sy cae Figure 1153. 
Proxy Server Communication Process: 1. Request -> 2. Repackaged request -> 3. Response -> 4. Repackaged response.
When the proxy server receives the request from a client, it performs user authentication according to the rules applied to it and uses its own Internet connection to access the requested website. It forwards only packets that match the firewall rules. On the return route, the proxy server analyzes the packet, including the Layer 5 and Layer 7 headers and payload, to ensure that the server allows the content of the reply back in (such as checking whether the payload carries hidden malware) before forwarding the packet to the client.
On the other hand, application inspection firewalls ensure the security of applications and services. An application inspection firewall:
+ Monitors incoming traffic for Layer 7 protocols such as HTTP and FTP.
+ In addition to determining which traffic is allowed and which is denied, uses stateful inspection technology and deep packet inspection to analyze incoming traffic for signs of attack.
+ Has the ability to examine the application content of the network packet rather than just the network address and port number.
3) Stateful firewall: works at Layers 3, 4 and 5. State table (session table): stateful inspection is the most versatile and common firewall technology in use. The firewall tracks each connection traversing all interfaces of the firewall and confirms that they are valid.
+ The firewall examines information in the headers of Layer 3 packets and Layer 4 segments.
+ They maintain a session table (state table) where they track all connections.
+ They track the state of each connection and therefore know when additional connections should be initiated between the endpoints.
Q2: Describe ZPF (Zone-Based Policy Firewall)
A2: Figure 9-1 Cisco IOS ZPF Traffic Flows. A zone defines a boundary where traffic is subjected to policy restrictions as it crosses to another region of your network.
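The session table described in the stateful firewall section above, as an added example (not code from the page or from any Cisco product): sessions opened from the inside are recorded with a last-seen time, inbound segments are admitted only when they belong to a recorded session, and idle entries expire. Addresses, ports and clock values are constructed samples.

```python
"""Stateful inspection: a TCP session table (added example, not Cisco code).

Addresses, ports and timestamps below are constructed sample values.
"""
from dataclasses import dataclass
from typing import Dict, Tuple

SYN, ACK, RST = 0x02, 0x10, 0x04
FlowKey = Tuple[str, int, str, int]   # (src, sport, dst, dport)


@dataclass(frozen=True)
class Segment:
    src: str
    sport: int
    dst: str
    dport: int
    flags: int


class StatefulFirewall:
    def __init__(self, idle_timeout: int = 3600):
        self.table: Dict[FlowKey, int] = {}   # flow -> last time seen
        self.idle_timeout = idle_timeout

    def _expire(self, now: int) -> None:
        """Sessions idle longer than the timeout are removed from the table."""
        stale = [k for k, last in self.table.items() if now - last > self.idle_timeout]
        for k in stale:
            del self.table[k]

    def outbound(self, seg: Segment, now: int) -> str:
        """Inside -> outside: a SYN opens a session; anything else needs one."""
        self._expire(now)
        key = (seg.src, seg.sport, seg.dst, seg.dport)
        if seg.flags & SYN and not seg.flags & ACK:
            self.table[key] = now
            return "permit"
        if key in self.table:
            self.table[key] = now
            if seg.flags & RST:
                del self.table[key]     # inside host tore the session down
            return "permit"
        return "deny"

    def inbound(self, seg: Segment, now: int) -> str:
        """Outside -> inside: permitted only for a session already in the table."""
        self._expire(now)
        key = (seg.dst, seg.dport, seg.src, seg.sport)   # reverse direction
        if key not in self.table:
            return "deny"       # no state: dropped even if the ACK bit is set
        if seg.flags & RST:
            del self.table[key]   # peer tore the session down
        else:
            self.table[key] = now
        return "permit"


if __name__ == "__main__":
    fw = StatefulFirewall(idle_timeout=300)
    print(fw.outbound(Segment("10.1.1.10", 50000, "198.51.100.7", 443, SYN), 0))      # permit
    print(fw.inbound(Segment("198.51.100.7", 443, "10.1.1.10", 50000, SYN | ACK), 1))  # permit
    print(fw.inbound(Segment("203.0.113.9", 443, "10.1.1.10", 50000, ACK), 2))         # deny
    print(fw.inbound(Segment("198.51.100.7", 443, "10.1.1.10", 50000, ACK), 400))      # deny (idle)
```

Compare this with the packet-filter behaviour: a segment from an unrelated host with ACK set is denied here because no state matches it, and a reply arriving after the idle timeout is denied until the inside host opens a new session.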
The default policy of a ZPF between zones is to "deny all". Class maps are used to categorize traffic, and policy maps are used to specify the policy to be applied.
ZPF Design: common designs include:
+ LAN-to-Internet
+ Firewalls between public servers
+ Redundant firewalls
+ Complex firewalls
Zones are created for each traffic category.
ZPF Actions:
+ inspect: configures Cisco IOS stateful packet inspection.
+ drop: discards the traffic.
+ pass: allows the traffic without tracking connection state.
Rules:
+ An interface can be assigned to only one security zone.
+ For traffic to flow between all interfaces in a router, each interface must be a member of a zone.
+ Traffic is implicitly allowed to flow by default among interfaces that are members of the same zone.
+ To permit traffic to and from a zone member interface, a policy allowing or inspecting traffic must be configured between that zone and any other zone to which traffic flow is desired.
+ Traffic cannot flow between a zone member interface and any interface that is not a zone member.
+ We can apply pass, inspect, and drop actions only between two zones.
+ Interfaces that are not zone members function as classical router ports and can still use classic stateful inspection (CBAC) or ACL configuration.
+ If an interface on the box must not be part of the zoning/firewall policy, it might still be necessary to put that interface in a zone and configure a pass-all policy (a dummy policy) between that zone and any other zone to which traffic flow is desired.
Rules for Transit Traffic:
Source interface member of zone? | Destination interface member of zone? | Zone pair exists? | Policy exists? | Result
No | No | N/A | N/A | Pass
Yes | No | N/A | N/A | Drop
No | Yes | N/A | N/A | Drop
Yes (zone 1) | Yes (zone 1) | N/A | N/A | Pass
Yes (zone 1) | Yes (zone 2) | No | N/A | Drop
Yes (zone 1) | Yes (zone 2) | Yes | No | Drop
Yes (zone 1) | Yes (zone 2) | Yes | Yes | Policy action applied
Configuration:
  R1(config)# zone security inside
  R1(config)# zone security outside
  (on the inside interface)  R1(config-if)# zone-member security inside
  (on the outside interface) R1(config-if)# zone-member security outside
Verify: R1# show policy-map type inspect zone-pair sessions
IPS / IDS
Q1: Does a firewall stop zero-day attacks?
Q2: What's the difference between IPS and IDS?
Q1: Does a firewall stop zero-day attacks?
A1: Exploits. How does an IPS stop a zero-day attack?
Q2: What's the difference between IPS and IDS?
A2: IDS and IPS technology are deployed as a sensor. A sensor can be:
+ A router configured with Cisco IOS IPS software.
+ A network module installed in an ASA, switch, or router.
+ An appliance designed to provide dedicated IDS or IPS services.
An IDS-enabled sensor receives copies of the traffic stream and analyzes this traffic. Working offline, it compares the captured traffic stream with known malicious signatures, similar to software that checks for viruses. Although the traffic is monitored and perhaps reported, no action is taken on packets by the IDS. The following are the steps that occur when an attack is launched in an environment monitored by an IDS:
1. An attack is launched on a network that has a sensor deployed in IDS mode.
2. The switch sends copies of all packets to the IDS sensor (configured in promiscuous mode, which is explained later in this section) to analyze the packets. At the same time, the target machine experiences the malicious attack.
3. The IDS sensor, using a signature, matches the malicious traffic to the signature.
4. The IDS sensor sends to the switch a command to deny access to the malicious traffic.
5. The IDS sends an alarm to a management console for logging and other management purposes.
An IPS works inline in the data stream to provide protection from malicious attacks in real time. Unlike an IDS, an IPS does not allow packets to enter the trusted side of the network if they are anomalous. An IPS has the ability to analyze traffic from the data link layer to the application layer. The following are the steps that occur when an attack is launched in an environment monitored by an IPS:
1. An attack is launched on a network that has a sensor deployed in IPS mode (configured in inline mode, which is explained later in this section).
2. The IPS sensor analyzes the packets as soon as they come into the IPS sensor interface. The IPS sensor, using a signature, matches the malicious traffic to the signature, and the attack is stopped immediately.
Traffic in violation of policy can be dropped by an IPS sensor.
3. The IPS sensor can send an alarm to a management console for logging and other management purposes.
Figure: IDS and IPS Operational Differences
Host-Based and Network-Based IPS: Advantages / Disadvantages
Note: an IPS can't inspect encrypted traffic and can't determine whether the attack was successful.
Cisco SPAN: Configuring Cisco SPAN Using Intrusion Detection. Cisco SPAN commands:
+ monitor session command: used to associate a source port and a destination port with a SPAN session.
+ show monitor command: used to verify the SPAN session.
IPS Terminology
+ True positive: The security control, such as an IPS sensor, acted as a consequence of malicious activity. This represents normal and optimal operation.
+ True negative: The security control has not acted, because there was no malicious activity. This represents normal and optimal operation.
+ False positive: The security control acted as a consequence of non-malicious activity.
+ False negative: The security control has not acted, even though there was malicious activity.
1) Signature-based IDS/IPS: a signature is a set of rules that an IDS and an IPS use to detect typical intrusive activity, such as denial of service (DoS) attacks, by looking at predefined patterns (signatures) in network traffic. It compares the network traffic to a database of known attacks and triggers an alarm or prevents communication if a match is found.
2) Policy-based IDS/IPS: You must create the policies used in a policy-based IDS or IPS. Any traffic detected outside the policy will generate an alarm or will be dropped.
3) Anomaly-based IDS/IPS: looks for network traffic that deviates from what is seen "normally".
4) Reputation-based IPS.
Signatures: A signature is a set of rules that an IDS and an IPS use to detect typical intrusive activity such as DoS attacks. IPS signatures are dynamically updated and posted to Cisco.com.
Table: Summary of Types of Signatures
Resetting the Connection and Blocking the Activity: Specific Alert / Description
Blacklisting: specific IP addresses that might pose a danger to your network; the IPS can dynamically download blacklists (Talos, http://www.talosintel.com).
Secure Device Event Exchange (SDEE)
1 - IPS using CLI
To receive alerts from IPS, the protocols that carry alerts are:
+ syslog
+ SDEE (over TCP)
+ IPS Manager Express (IME)
+ Cisco Security Manager (CSM)
SECURING LAN
Q1: Describe AMP, NAC, ISE
Q2: Describe different attacks of Layer 2
Q1: Describe AMP, NAC, ISE
A1: Advanced Malware Protection. The AMP solution can enable malware detection and blocking, continuous analysis, and retrospective alerting with:
+ File Reputation: Analyze files inline and block or apply policies.
+ File Sandboxing: Analyze unknown files to understand true file behavior.
+ File Retrospection: Continue to analyze files for changing threat levels.
+ AMP for Endpoints: AMP for Endpoints integrates with Cisco AMP for Networks to deliver comprehensive protection across extended networks and endpoints.
+ AMP for Networks: Provides a network-based solution and is integrated into dedicated Cisco ASA Firewall and Cisco FirePOWER network security appliances.
+ AMP for Content Security: This is an integrated feature in Cisco Cloud Web Security or Cisco Web and Email Security Appliances to protect against email and web-based advanced malware attacks.
Figure: Access Control Evolution
What is ISE? At its core, ISE is a RADIUS server providing AAA.
Q2: Describe different attacks of Layer 2
A2: STP manipulation attack: the attacker's device becomes the root
bridge. To mitigate STP manipulation attacks, use the Cisco STP stability mechanisms:
+ PortFast: immediately brings an interface to the forwarding state.
+ BPDU Guard: immediately error-disables a port that receives a BPDU. Typically used on PortFast-enabled ports. Apply to all end-user ports.
+ Root Guard: prevents an inappropriate switch from becoming the root bridge. Apply to all ports that should not become root ports.
+ Loop Guard: prevents alternate or root ports from becoming designated ports because of a failure that leads to a unidirectional link. Apply to all ports that are or can become non-designated.
ARP Spoofing: In normal ARP operation, a host sends an ARP request broadcast to determine the MAC address of a destination host with a particular IP address. The device with the requested IP address sends an ARP reply with its MAC address. The originating host caches the ARP response. An attacker deceives a victim device, causing it to cache the attacking device's MAC address instead of the legitimate device's MAC address. The victim then sends frames that are destined for the legitimate device's IP address to the attacker's MAC address.
Figure 16-3 ARP Spoofing Attack
Dynamic ARP Inspection (DAI): Prevents ARP spoofing attacks by intercepting and validating all ARP requests and responses. Each intercepted ARP reply is verified for valid MAC-to-IP address bindings before it is forwarded. ARP replies with invalid MAC-to-IP address bindings are dropped. DAI can determine the validity of an ARP reply based on bindings that are stored in a DHCP snooping database. DAI associates each interface with a trusted state or an untrusted state.
Example 13-3 Configuring Dynamic ARP Inspection: Example 13-3 shows a sample DAI configuration; it assumes that DHCP snooping has already been enabled. This example builds on Example 13-1. DAI is enabled for VLAN 20 only, while the uplink G0/1 is configured as trusted.
DHCP Spoofing: DHCP uses a four-message exchange process. First, the client issues a discover broadcast.
Second, the server responds with an offer. Third, the client responds to the offer with a request. Finally, the server responds to the request with an acknowledgement. The attacker runs DHCP server software and replies to DHCP requests from legitimate clients. As a rogue DHCP server, the attacker can cause a denial of service (DoS) by providing invalid IP information. The attacker can also perform confidentiality or integrity breaches via a man-in-the-middle attack: the attacker can assign itself as the default gateway or DNS server in the DHCP replies.
DHCP starvation: A DHCP starvation attack works by sending a flood of DHCP requests with spoofed MAC addresses.
DHCP snooping: For DHCP snooping to work, each switch port must be labeled as trusted or untrusted. Trusted ports are the ports over which the DHCP server is reachable and that will accept DHCP server replies. All other ports should be labeled as untrusted ports and can only source DHCP requests. Snooping must first be enabled globally; DHCP snooping is then enabled on a VLAN.
Example 13-4 Configuring DHCP Snooping
To verify DHCP snooping, use the show ip dhcp snooping command.
MAC Spoofing: The attacker spoofs a known MAC address of another host (e.g. the gateway). The switch then forwards frames that are destined for the remote host to the attacker. This can be mitigated using port security.
Example 13-7 Configuring Port Security
  Switch(config-if)# switchport port-security maximum 3
Example 13-7 shows a typical port security configuration for a voice port. Three MAC addresses are learned dynamically: two for the access VLAN (one for the PC connected to the phone, and one for the phone before it discovers the voice VLAN) and one for the voice VLAN (once the phone starts sending tagged frames). Violations of this policy result in the port being shut down (err-disabled) and the aging timeout for the learned MAC addresses being set to two hours.
Violation modes:
+ Protect: the offending frames are dropped.
+ Restrict: the offending frames are dropped, and an SNMP trap and a syslog message are generated.
+ Shutdown: the interface is placed in an err-disabled state, and an SNMP trap and a syslog message are generated.
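The two mechanisms from the ARP spoofing and DHCP spoofing sections above, as one added example (not code from the page or from Cisco IOS): DHCP snooping accepts server messages only on trusted ports, checks that the frame source MAC matches the DHCP client hardware address on untrusted ports, and fills a binding table from the ACKs it sees; Dynamic ARP Inspection then validates each ARP reply on an untrusted port against that table. Port names, MAC addresses and IP addresses are constructed sample values.

```python
"""DHCP snooping binding table and Dynamic ARP Inspection (added example).

A model of the two switch features, not Cisco's implementation. Port names,
MAC and IP addresses below are constructed sample values.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Port:
    name: str
    vlan: int
    trusted: bool   # True on the uplink toward the DHCP server and gateway


@dataclass
class DhcpMessage:
    kind: str         # DISCOVER, OFFER, REQUEST or ACK
    frame_src: str    # source MAC of the Ethernet frame
    chaddr: str       # client hardware address field inside the DHCP message
    yiaddr: str = ""  # address assigned in an ACK


@dataclass
class ArpReply:
    sender_mac: str
    sender_ip: str


class Switch:
    def __init__(self) -> None:
        # DHCP snooping binding table: (vlan, ip) -> (mac, port name)
        self.bindings: Dict[Tuple[int, str], Tuple[str, str]] = {}
        self.pending: Dict[str, Port] = {}   # client MAC -> port its REQUEST came from
        self.log: List[str] = []

    def dhcp_snoop(self, port: Port, msg: DhcpMessage) -> str:
        # Server-originated messages are accepted only from trusted ports,
        # which is what stops a rogue DHCP server on an access port.
        if msg.kind in ("OFFER", "ACK") and not port.trusted:
            self.log.append(f"{port.name}: dropped rogue DHCP {msg.kind}")
            return "drop"
        # On untrusted ports the frame source must match the DHCP chaddr,
        # which blocks starvation floods that spoof the client address field.
        if not port.trusted and msg.frame_src != msg.chaddr:
            self.log.append(f"{port.name}: chaddr mismatch, dropped")
            return "drop"
        if msg.kind == "REQUEST":
            self.pending[msg.chaddr] = port
        elif msg.kind == "ACK" and msg.chaddr in self.pending:
            client_port = self.pending.pop(msg.chaddr)
            self.bindings[(client_port.vlan, msg.yiaddr)] = (msg.chaddr, client_port.name)
        return "forward"

    def arp_inspect(self, port: Port, reply: ArpReply) -> str:
        if port.trusted:
            return "forward"             # DAI does not inspect trusted ports
        binding = self.bindings.get((port.vlan, reply.sender_ip))
        if binding == (reply.sender_mac, port.name):
            return "forward"             # MAC, IP and port all agree with snooping
        self.log.append(f"{port.name}: invalid ARP {reply.sender_ip} is-at {reply.sender_mac}")
        return "drop"


if __name__ == "__main__":
    sw = Switch()
    uplink = Port("Gi0/1", 20, trusted=True)
    pc = Port("Gi0/5", 20, trusted=False)
    other = Port("Gi0/7", 20, trusted=False)
    sw.dhcp_snoop(pc, DhcpMessage("REQUEST", "00:11:22:33:44:55", "00:11:22:33:44:55"))
    sw.dhcp_snoop(uplink, DhcpMessage("ACK", "00:aa:bb:cc:dd:ee", "00:11:22:33:44:55", "10.20.0.50"))
    print(sw.arp_inspect(pc, ArpReply("00:11:22:33:44:55", "10.20.0.50")))     # forward
    print(sw.arp_inspect(other, ArpReply("de:ad:be:ef:00:01", "10.20.0.50")))  # drop
    print(sw.log)
```

A host with a static address and no DHCP lease has no binding, so its ARP replies on an untrusted port are dropped as well; on a real switch that case is handled with ARP ACLs or by placing the host on a trusted port, which is why the uplink to the gateway is trusted in the example.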
Administrative action is required to recover an err-disabled port. To verify the port security configuration, use the show port-security command.
CAM Table Overflow: The attacker uses a tool such as the macof program and floods the switch with many invalid source MAC addresses until the CAM table fills up. When that occurs, the switch begins to flood traffic for unknown MAC addresses out all ports. Because there is no room in the CAM table to learn any legitimate MAC addresses, in essence the switch acts like a hub. As a result, the attacker can see all the frames that are sent from a victim host to another host.
CDP/LLDP: Cisco Discovery Protocol (CDP) and Link-Layer Discovery Protocol (LLDP) enable Cisco IOS network devices to announce themselves to their neighbors, providing the model number and operating system version of the switch. When the switch sends a CDP or LLDP announcement out of a port where a workstation is connected, the workstation normally ignores it. However, with a simple tool such as Wireshark, an attacker can capture and analyze the CDP or LLDP announcement and then use this information to look up published vulnerabilities.
VLAN Hopping: The network attacker configures a system to use DTP to negotiate a trunk link to the switch. As a result, the attacker is a member of all the VLANs that are trunked on the switch and can "hop" between VLANs. To mitigate, configure trunking mode or access mode as appropriate on each port.
Double tagging: embed a second 802.1Q tag inside the frame. Resolve that by not using VLAN 1 as the native VLAN.
For each untrusted port, there are two possible levels of IP traffic security filtering:
+ Source IP address filter
+ Source IP and MAC address filter
CRYPTOGRAPHIC SYSTEMS
Q1: What's cryptography?
Q2: What are hash algorithms?
Q3: What's the difference between symmetric and asymmetric encryption?
Q4: Describe digital signatures and RSA certificates
Q5: Describe Public Key Infrastructure
Q1: What's cryptography?
A1: Cryptography is the practice and study of techniques to secure communications in the presence of third parties.
+ Confidentiality: Uses encryption algorithms to encrypt and hide data.
+ Integrity: Uses hashing algorithms to ensure that data is unaltered during any operation.
+ Authentication: Ensures that any messages received were actually sent from the perceived origin.
Q2: What are hash algorithms?
A2: Hashing is a mechanism that is used for data integrity assurance. Hashing is based on a one-way mathematical function that is relatively easy to compute but significantly difficult to reverse. Data of an arbitrary length is input into the hash function, and the result of the hash function is the fixed-length hash, which is known as the "digest" or "fingerprint".
The three most commonly used cryptographic hash functions are:
+ Message Digest 5 (MD5)
+ Secure Hash Algorithm 1 (SHA-1): SHA-1 takes a message of up to 2^64 bits in length and produces a 160-bit message digest.
+ Secure Hash Algorithm 2 (SHA-2). When choosing a hashing algorithm, use SHA-256 or higher.
Authentication Using Hashing: Two systems that have agreed on a secret key can use the key along with a hash function to verify data integrity of communication between them by using a keyed hash. A message authentication code is produced by passing the message data along with the secret key through a hash algorithm. Only the sender and the receiver know the secret key, and the output of the hash function now depends on the message data and the secret key.
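The keyed-hash exchange just described, as an added example (not code from the page): the sender appends an HMAC-SHA256 fingerprint computed from the message and the shared secret, and the receiver recomputes it with its own copy of the key. The unkeyed variant is included only to show why a plain digest gives integrity against accidents but no origin authentication. The key and messages are constructed sample values.

```python
"""Keyed hash (HMAC) for data integrity and origin authentication (added example).

The shared key and the messages below are constructed sample values.
"""
import hashlib
import hmac
from typing import Optional

TAG_LEN = 32   # SHA-256 digest length in bytes


def make_tag(key: bytes, message: bytes) -> bytes:
    """Fingerprint that depends on both the message and the secret key."""
    return hmac.new(key, message, hashlib.sha256).digest()


def alice_send(key: bytes, message: bytes) -> bytes:
    """Message with the fingerprint attached, as it travels on the wire."""
    return message + make_tag(key, message)


def bob_receive(key: bytes, wire: bytes) -> Optional[bytes]:
    """Return the message if its tag verifies; None if integrity or origin fails."""
    if len(wire) < TAG_LEN:
        return None
    message, tag = wire[:-TAG_LEN], wire[-TAG_LEN:]
    # compare_digest runs in constant time, so the comparison does not leak
    # through timing which byte of the tag was wrong.
    if not hmac.compare_digest(tag, make_tag(key, message)):
        return None
    return message


def unkeyed_receive(wire: bytes) -> Optional[bytes]:
    """A plain SHA-256 digest appended to the message, for contrast with HMAC."""
    if len(wire) < TAG_LEN:
        return None
    message, digest = wire[:-TAG_LEN], wire[-TAG_LEN:]
    return message if hashlib.sha256(message).digest() == digest else None


def replace_message_unkeyed(new_message: bytes) -> bytes:
    """Anyone on the path can rebuild an unkeyed digest for a new message;
    without the secret key no matching HMAC tag can be produced."""
    return new_message + hashlib.sha256(new_message).digest()


if __name__ == "__main__":
    key = b"shared-secret-known-only-to-alice-and-bob"
    wire = alice_send(key, b"transfer 100 to account 42")
    print(bob_receive(key, wire))                          # original message
    altered = replace_message_unkeyed(b"transfer 900 to account 42")
    print(bob_receive(key, altered))                       # None: HMAC does not verify
    print(unkeyed_receive(altered))                        # accepted by an unkeyed check
```

The second and third printed lines carry the point of the section: a recomputed plain digest still matches, so an unkeyed hash verifies nothing about who produced the data, while the HMAC check fails for any message whose tag was not made with the shared key.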
This type of keyed-hash authentication is referred to as a keyed-hash message authentication code (HMAC).
Figure 29-3 HMAC in Action
Alice inputs the data and the secret key into the hashing algorithm and calculates the fixed-length message authentication code, or fingerprint. The authenticated fingerprint is then attached to the message and sent to Bob. Bob removes the fingerprint from the message and uses the received message with his copy of the secret key as input to the same hashing function. If the fingerprint that is calculated is identical to the fingerprint that was received, then data integrity has been verified. Also, the origin of the message is authenticated, because only Alice possesses a copy of the shared secret key.
Q3: What's the difference between symmetric and asymmetric encryption?
A3: Encryption is the process of disguising a message in such a way as to hide its original contents. With encryption, the plaintext (readable) message is converted to ciphertext, which is the unreadable, "disguised" message. Decryption reverses this process. Encryption is used to guarantee confidentiality so that only authorized entities can read the original message; it can be applied at different network layers, such as the following:
+ Encrypting application layer data, such as encrypting email messages with Pretty Good Privacy (PGP).
+ Encrypting session layer data using a protocol such as Secure Sockets Layer (SSL) or Transport Layer Security (TLS).
+ Encrypting network layer data using protocols such as those provided in the IP security (IPsec) protocol suite.
+ Encrypting data link layer data using proprietary link-encrypting devices.
A key is a required parameter for encryption algorithms to encrypt and decrypt a message. The key is the link between the plaintext and the ciphertext. There are two classes of encryption algorithms, which differ in their use of keys:
+ Symmetric encryption algorithms: Use the same key to encrypt and decrypt data.
+ Asymmetric encryption algorithms: Use different keys to encrypt and decrypt data.
Symmetric Encryption Algorithms
Figure 29-4 Symmetric Encryption Example
The sender and the receiver must exchange the symmetric secret key using a secure channel before any encryption can occur. The typical key-length range of symmetric encryption algorithms is 40 to 256 bits. Table 29-1 provides a summary of the types of symmetric encryption algorithms in use today and their respective key lengths.
Table 29-1 Symmetric Encryption Algorithms
Symmetric Encryption Algorithm | Key Length (in bits)
DES | 56
AES | 128, 192, and 256
Asymmetric Encryption Algorithms
These algorithms are resource intensive and slower to execute than symmetric ones. Each entity has a key pair consisting of a public key, which is distributed openly, and a private key, which is kept in complete secrecy. Data encrypted with the public key requires the private key to decrypt; conversely, data encrypted with the private key requires the public key to decrypt. Asymmetric encryption is also known as public key encryption.
Here is one possible scenario of asymmetric encryption in action (Figure 29-5). Imagine that Bob has generated a public/private key pair. Bob keeps the private key totally secret but publishes the public key so it is available to everyone. Alice has a message that she wants to send to Bob in private. If Alice encrypts the message using Bob's public key, only Bob has the private key that is required to decrypt the message, which provides confidentiality.
Figure 29-5 Asymmetric Encryption Example
Table: Asymmetric Encryption Algorithms and Key Lengths (includes DSS and DSA)
Four protocols that use asymmetric encryption algorithms are:
1. Internet Key Exchange (IKE): A fundamental component of IPsec VPNs.
2. Secure Sockets Layer (SSL): Implemented as the IETF standard TLS.
3. Secure Shell (SSH): Provides a secure remote-access connection to network devices.
4. Pretty Good Privacy (PGP): A computer program that provides cryptographic privacy and authentication.
Q4: Describe digital signatures and RSA certificates
A4: Digital signatures provide the same functionality as handwritten signatures. Specifically, they are a mathematical technique used to provide three basic security services: authenticating a source, proving that a certain party has seen and signed the data in question; guaranteeing that the data has not changed from the time it was signed; and proving to a third party that the data exchange did take place. Digital signatures are commonly used in code signing to verify the integrity of downloaded files, and in digital certificates to verify the identity of an organization or individual.
The four basic properties of digital signatures are:
(1) The signature is authentic.
(2) The signature is not forgeable.
(3) The signature is not reusable.
(4) The signer cannot claim later that they did not sign it.
Digital certificates are used to authenticate and verify that a user sending a message is who they claim to be. The figure shows how an RSA digital certificate or signature is used. RSA is an asymmetric algorithm that is commonly used for generating and verifying digital signatures.
Q5: Describe Public Key Infrastructure (PKI)
A5: A public key infrastructure (PKI) is a framework used to securely exchange information between parties. The foundation of a PKI identifies a certificate authority (CA). The CA, which plays the role of a trusted third party, issues digital certificates that authenticate the identity of organizations and users. These certificates are also used to sign messages to ensure that the messages have not been tampered with.
Figure 28-1 is an example of a trusted third-party scenario similar to how the CA operates. Bob applies for a passport; in the process, he submits evidence of his identity. His application is approved and a passport is issued. Later, when Bob travels abroad, he presents his passport at an international border crossing. Because his passport is issued by a trusted government, Bob's identity is proven and he is allowed to enter the country. Here the CA is equivalent to the government body issuing the passport.
The passport itself is analogous to a certificate in a PKI.
Two very important terms must be defined when talking about a PKI:
+ Certificate authority (CA): The trusted third party that signs the public keys of entities in a PKI-based system.
+ Certificate: A document that, in essence, binds together the name of the entity and its public key and that has been signed by the CA.
The certificate of a user is always signed by a CA. Moreover, every CA has a certificate, containing its public key, signed by itself. This is called a CA certificate or, more properly, a self-signed CA certificate.
Many vendors offer CA servers as a managed service or as an end-user product; VeriSign, Entrust Technologies, and GoDaddy are some examples. Organizations may also implement private PKIs using Microsoft Server or OpenSSL. CAs, especially those that are outsourced, can issue certificates of a number of classes, which determine how trusted a certificate is. A certificate class is usually a number from 0 through 5; the higher the number, the more trusted the certificate is considered.
Certificate classes:
+ Class 0: Used for testing purposes in which no checks have been performed.
+ Class 1: Used for individuals, with a focus on verification of email.
+ Class 2: Used for organizations for which proof of identity is required.
+ Class 3: Used for servers and software signing, for which independent verification and checking of identity and authority is done by the issuing certificate authority.
+ Class 4: Used for online business transactions between companies.
+ Class 5: Used for private organizations or governmental security.
PKI Operations: In the CA authentication procedure, the first step when contacting the PKI is to securely obtain a copy of the public key of the CA. CA certificates are retrieved in-band over a network, and the authentication is done out-of-band using the telephone. Figure 28-8 shows the process as described in the following list:
1. Alice and Bob request the CA certificate that contains the CA public key.
2. Upon receipt of the CA certificate, Alice's and Bob's systems verify the validity of the certificate using public-key cryptography.
3.
Alice and Bob follow up the technical verification done by their systems by telephoning the CA administrator and verifying the public key and serial number of the certificate.
After retrieving the CA certificate, Alice and Bob perform the following steps to submit certificate requests to the CA, as shown in Figure 28-6:
4. Alice's and Bob's systems forward a certificate request that includes their public keys along with some identifying information. All of this information is encrypted using the public key of the CA.
5. Upon receipt of the certificate requests, the CA administrator telephones Alice and Bob to confirm their submittals and the public keys.
6. The CA administrator issues the certificate by adding some additional data to the certificate request and digitally signing it all.
Figure 28-8 Certificate Enrollment Process
After the parties involved have installed certificates signed by the same CA:
1. Bob and Alice exchange certificates. The CA is no longer involved.
2. Each party verifies the digital signature on the certificate by hashing the plaintext portion of the certificate, decrypting the digital signature using the CA public key, and comparing the results. If the results match, the certificate is verified as being signed by a trusted third party, and the CA's verification that Bob is Bob and Alice is Alice is accepted.
Figure 28-7 Authentication Using Certificates
VPN
Q1: What's a VPN?
Q2: Describe the IPsec framework
Q3: Describe IKE
Q4: Configure site-to-site VPN
Q5: Configure AnyConnect remote access VPN
Q6: Configure clientless remote access VPN
Q1: What's a VPN?
A1: A VPN provides security services to traffic traversing a relatively less trustworthy network between two relatively more trusted systems or networks. Most commonly, the less trusted network is the public Internet. A VPN is virtual in that it carries information within a private network, but that information is actually transported over a public network. A VPN is also private in that the traffic is encrypted to keep the data confidential while it is transported across the public network.
There are four main benefits to using VPNs:
+ Cost savings: Organizations can use VPNs to reduce their connectivity costs.
+ Security: Advanced encryption and authentication protocols protect data.
+ Scalability: Organizations can use the Internet to easily interconnect new offices.
+ Compatibility: VPNs can be implemented across a wide variety of WAN link options.
There are many different types of VPN technologies:
Table 22-4 Types of VPNs
VPN Type | Description
Generic Routing Encapsulation (GRE) | Tunneling protocol developed by Cisco that can encapsulate a wide variety of protocol packet types.
Multiprotocol Label Switching (MPLS) VPN | Provided by a service provider, typically to connect a company's sites over the provider's network.
IPsec | Operates at Layer 3 of the OSI model and can be used for site-to-site VPNs and remote-access VPNs.
SSL | Used for remote-access VPNs.
Legacy VPNs (X.25, Frame Relay) | Layer 2 technology commonly used to provide WAN connectivity between locations.
The CCNA Security exam focuses on three of these types of VPN: site-to-site IPsec VPN, remote-access IPsec VPN, and remote-access SSL VPN.
Site-to-site VPN: an extension of a classic WAN network. Site-to-site VPNs connect entire networks to each other. For example, a site-to-site VPN can connect a branch office network to a company headquarters network. [fixed site to fixed site]
Remote-access VPNs can support the needs of telecommuters, mobile users, and extranet consumer-to-business traffic. Each host typically has VPN client software. Whenever the host tries to send any traffic,
the VPN client software encapsulates and encrypts that traffic before sending it over the Internet to the VPN gateway at the edge of the target network. [fixed to mobile / requires VPN software]
Remote-access SSL VPN: SSL offers a suite of security services that are similar to the security services provided by IPsec. SSL VPN technology has become popular for the implementation of remote-access VPNs, with or without the use of client software, because of the capability to launch a browser and simply connect to the address of the VPN device. The most successful application running on top of SSL is HTTP.
Q2: Describe the IPsec framework
A2: IPsec is an open standard that defines how a VPN can be secured across IP networks. IPsec protects and authenticates IP packets between source and destination. IPsec provides these essential security functions:
+ Confidentiality: IPsec ensures confidentiality by using encryption.
+ Integrity: provided by hash algorithms.
+ Origin authentication: Authentication ensures that the connection is made with the desired communication partner. IPsec uses Internet Key Exchange (IKE) to authenticate users and devices that can carry out communication independently. IKE can use the following methods to authenticate the peer system: 1. Pre-shared keys (PSK), 2. Digital certificates, 3. RSA-encrypted nonces.
+ Anti-replay protection: Anti-replay protection verifies that each packet is unique and is not duplicated.
+ Key management: Allows for an initial safe exchange of dynamically generated keys.
I
Psec Framework Components
1) IPsec protocol: AH provides data authentication, data integrity, and anti-replay protection for IP packets that are passed between two systems. ESP provides origin authentication, data integrity, and anti-replay protection; however, unlike AH, ESP also provides confidentiality by encrypting IP packets.
2) Confidentiality: DES algorithm: DES uses a 56-bit symmetric key. 3DES algorithm: 3DES is a variant of the 56-bit DES.
3DES uses three independent 56-bit encryption keys per 64-bit block, which provides significantly stronger encryption strength than DES. AES: AES provides stronger security than DES and is computationally more efficient than DES. AES offers three different key lengths: 128 bits, 192 bits, and 256 bits. SEAL: a stream cipher; SEAL encrypts data continuously rather than encrypting blocks of data. SEAL uses a 160-bit key.
3) Data integrity: Adds a hash to the message, which guarantees the integrity of the original message. If the transmitted hash matches the received hash, the message has not been tampered with.
4) Authentication: When you are conducting business long distance, it is necessary to know who is at the other end of the phone, email, or fax. The same is true of VPN networks. The device on the other end of the VPN tunnel must be authenticated before the communication path is considered secure. Four peer-authentication methods exist:
+ Pre-shared keys (PSK): A secret key value is entered into each peer manually and is used to authenticate the peer. This is a shared secret that both parties must exchange ahead of time.
+ RSA signatures: The exchange of digital certificates authenticates the peers. The local device derives a hash and encrypts it with its private key. The encrypted hash is attached to the message and is forwarded to the remote end, and it acts like a signature. At the remote end, the encrypted hash is decrypted using the public key of the local end. If the decrypted hash matches the recomputed hash, the signature is genuine. (RSA is named after its inventors: Rivest, Shamir, and Adleman.)
+ ECDSA signatures
5) Key management: Encryption algorithms require a symmetric, shared secret key to perform encryption and decryption. How do the encrypting and decrypting devices get the shared secret key? The easiest key exchange method is to use a public key exchange method. Public key exchange methods allow shared keys to be dynamically generated between the encrypting and decrypting devices.
The method has two variants: Diffie-Hellman (DH) and Elliptic Curve Diffie-Hellman (ECDH).

Q3: Describe IKE

A3: IPsec uses the IKE protocol to negotiate and establish secured site-to-site or remote-access VPN tunnels. IKE is a framework provided by the Internet Security Association and Key Management Protocol (ISAKMP). An IPsec peer accepting incoming IKE requests listens on UDP port 500.

IKE Phase 1
The first step in IKEv1 main mode is to negotiate the security policy that will be used for the ISAKMP SA. There are five parameters, which require agreement from both sides: encryption algorithm / hash algorithm / Diffie-Hellman group number / peer authentication method / SA lifetime.
Phase 1: Negotiate the ISAKMP policy and establish a secure, authenticated channel between the peers.
Phase 2: Negotiate the IPsec policy for sending secure traffic across the tunnel.

IKE Phase 2
Negotiate IPsec security parameters
Establish IPsec SAs
Periodic re-key of IPsec SAs
Optional perfect forward secrecy

Q4: Configure Site-to-Site VPN

A4: Figure 19-1 Site-to-Site IPsec VPN Negotiations (figure: interesting traffic triggers the IKE Phase 1 session (ISAKMP SA) and then the IKE Phase 2 session (IPsec SA) between the two routers)

Cisco IOS CLI-based Site-to-Site IPsec VPNs
The basic steps to follow when configuring a Cisco IOS CLI-based site-to-site IPsec VPN:
Step 1. Ensure that all ACLs in the site-to-site VPN network path are compatible with IPsec, that is, they permit ISAKMP (UDP 500), ESP (IP protocol 50) and AH (IP protocol 51) between the peers.
Step 2. Configure an ISAKMP policy to determine the ISAKMP parameters that will be used to establish the IKE Phase 1 tunnel.
Step 3. Define the IPsec transform set. The definition of the transform set defines the parameters that the IPsec tunnel uses and can include the encryption and integrity algorithms.
Step 4. Create a crypto ACL. The crypto ACL defines which traffic should be sent through the IPsec tunnel and be protected by the IPsec process.
Step 5. Create and apply a crypto map. The crypto map groups the previously configured parameters together and defines the IPsec peer devices. The crypto map is applied to the outgoing interface of the VPN device.
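The exchange that Q2 to Q4 describe, as an added Python model that is not part of the original summary and not Cisco's code: the two peers' ISAKMP policies are compared in priority order, a Diffie-Hellman exchange produces the shared secret, each side proves knowledge of the pre-shared key, and the resulting key protects packets with an HMAC integrity check and an anti-replay window. Assumptions: the DH group is fixed to IKE group 2 whatever group number was negotiated, HASH_I/HASH_R and the key derivation are simplified, and the confidentiality step (DES/3DES/AES) is left out because the Python standard library carries no block cipher.

```python
"""Toy model of IKEv1 Phase 1 negotiation, DH key agreement, PSK peer
authentication and ESP-style integrity + anti-replay. Not a protocol
implementation: message formats and key derivation are simplified."""
import hashlib
import hmac
import os
from dataclasses import dataclass

# IKE DH group 2: the 1024-bit MODP prime from RFC 2409, generator 2. Used here
# only because it fits in a few lines; pick group 14 or higher in deployments.
# ASSUMPTION: the model always uses this group, regardless of the negotiated one.
DH_P = int(
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74"
    "020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F1437"
    "4FE1356D6D51C245E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
    "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE65381FFFFFFFFFFFFFFFF", 16)
DH_G = 2


@dataclass(frozen=True)
class IsakmpPolicy:
    """One 'crypto isakmp policy <priority>' entry; lower priority is preferred."""
    priority: int
    encryption: str
    hash_alg: str
    dh_group: int
    auth: str
    lifetime: int  # seconds


def negotiate_phase1(initiator, responder):
    """Responder walks its own policies by priority and accepts the first that
    matches an initiator proposal on encryption, hash, DH group and auth method.
    When the lifetimes differ the shorter one is used, as Cisco IOS does."""
    for local in sorted(responder, key=lambda p: p.priority):
        for remote in sorted(initiator, key=lambda p: p.priority):
            if (local.encryption, local.hash_alg, local.dh_group, local.auth) == \
               (remote.encryption, remote.hash_alg, remote.dh_group, remote.auth):
                return IsakmpPolicy(local.priority, local.encryption, local.hash_alg,
                                    local.dh_group, local.auth,
                                    min(local.lifetime, remote.lifetime))
    return None


def prf(key, data):
    return hmac.new(key, data, hashlib.sha256).digest()


def dh_keypair():
    priv = int.from_bytes(os.urandom(32), "big")
    return priv, pow(DH_G, priv, DH_P)


def dh_shared(priv, peer_pub):
    if not 1 < peer_pub < DH_P - 1:          # reject degenerate public values
        raise ValueError("invalid DH public value")
    return pow(peer_pub, priv, DH_P).to_bytes(128, "big")


def auth_tag(psk, shared, pub_i, pub_r, identity):
    """Simplified HASH_I / HASH_R: proves knowledge of the PSK and binds it to
    this DH exchange, so a peer holding the wrong PSK cannot finish Phase 1."""
    skeyid = prf(psk, shared)
    return prf(skeyid, pub_i.to_bytes(128, "big") + pub_r.to_bytes(128, "big") + identity)


def phase1(psk_i, psk_r, policies_i, policies_r):
    """Run Phase 1 between two peers holding psk_i and psk_r.
    Returns (agreed policy, IPsec SA key) or raises ValueError."""
    policy = negotiate_phase1(policies_i, policies_r)
    if policy is None:
        raise ValueError("no matching ISAKMP policy")
    x_i, g_i = dh_keypair()
    x_r, g_r = dh_keypair()
    k_i, k_r = dh_shared(x_i, g_r), dh_shared(x_r, g_i)   # identical on both sides
    # the responder checks the initiator's tag with its own PSK, and vice versa
    if not hmac.compare_digest(auth_tag(psk_i, k_i, g_i, g_r, b"initiator"),
                               auth_tag(psk_r, k_r, g_i, g_r, b"initiator")):
        raise ValueError("initiator authentication failed")
    if not hmac.compare_digest(auth_tag(psk_r, k_r, g_i, g_r, b"responder"),
                               auth_tag(psk_i, k_i, g_i, g_r, b"responder")):
        raise ValueError("responder authentication failed")
    return policy, prf(k_i, b"ipsec-sa")      # simplified SKEYID_d derivation


class AntiReplay:
    """RFC 4303-style sliding window over ESP sequence numbers."""
    def __init__(self, window=64):
        self.window, self.top, self.bitmap = window, 0, 0

    def accept(self, seq):
        if seq <= 0:
            return False
        if seq > self.top:                   # newer than anything seen: slide
            shift = seq - self.top
            self.bitmap = ((self.bitmap << shift) | 1) & ((1 << self.window) - 1)
            self.top = seq
            return True
        diff = self.top - seq
        if diff >= self.window or (self.bitmap >> diff) & 1:
            return False                     # too old, or already received
        self.bitmap |= 1 << diff
        return True


def esp_protect(key, spi, seq, payload):
    """Append a 96-bit truncated HMAC ICV over SPI, sequence number and payload."""
    icv = prf(key, spi.to_bytes(4, "big") + seq.to_bytes(4, "big") + payload)[:12]
    return payload + icv


def esp_verify(key, spi, seq, packet, window):
    """Return the payload if the ICV checks and the sequence number is fresh."""
    payload, icv = packet[:-12], packet[-12:]
    expected = prf(key, spi.to_bytes(4, "big") + seq.to_bytes(4, "big") + payload)[:12]
    if not hmac.compare_digest(icv, expected):
        return None
    return payload if window.accept(seq) else None
```

Two behaviours worth noting: a PSK mismatch only surfaces when the authentication tags are compared (the DH step itself succeeds), which is why "MM_KEY_EXCH" stalls are the classic symptom of a wrong key; and the anti-replay window rejects both a repeated sequence number and one that has fallen more than 64 packets behind the highest seen.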
Cisco IOS CLI-based Site-to-Site IPsec VPN
Example 19-1 Site-to-Site IPsec VPN ACL
Example 19-2 Configuring ISAKMP Policy
  R1(config)# crypto isakmp policy 10
Example 19-3 Configuring PSK
Example 19-4 Configuring Transform Sets
Example 19-5 Configuring ACLs
Example 19-6 Configuring Crypto Map

Table 19-2 IPsec Verification Commands
show crypto isakmp policy: Displays configured IKE policies
show crypto ipsec transform-set: Displays configured IPsec transform sets
show crypto map: Displays configured crypto maps
show crypto ipsec sa: Displays established IPsec SAs
debug crypto isakmp: Debugs IKE events
debug crypto ipsec: Debugs IPsec events

Cisco ASA Site-to-Site IPsec VPN
Figure 19-2 Cisco ASA Site-to-Site IPsec VPN Scenario
Step 1: Launch the ASDM Site-to-Site VPN Wizard. From the menu bar click Wizards > VPN Wizards > Site-to-Site VPN Wizard. The VPN Wizard introduction window is displayed, as shown in Figure 19-2. Click Next to start the configuration.
Step 2: Peer Device Identification. This first configuration step prompts you to specify the IP address of the VPN peer and the interface used to reach the peer. In our case, the public IP address of the Branch ASA is 209.165.200.2 and the crypto map will be applied to the HQ ASA's outside interface.
Step 3: Traffic to Protect. We will now define the interesting traffic that will initiate and then use the VPN. This allows the administrator to identify the local network and remote network. We can manually add an address and subnet mask in the corresponding field, or click the button to select from a list of local or remote networks known by the ASA. In our case, the local network is 192.168.1.0/24 and the remote network is 192.168.2.0/24.
Figure 19-5 Traffic to Protect
Step 4: Security
Figure 19-6 Custom Security Configuration
Step 5: NAT Exempt. Determine whether NAT should be exempted in the NAT Exempt window. Typically NAT exemption should be selected in site-to-site VPNs since, in most cases, you do not want to translate (that is, NAT) the IP addresses of your local and remote host devices when their traffic is traversing the VPN tunnel. Without the exemption the packets would be translated before they are matched against the crypto ACL and would never enter the tunnel. In our case, we will exempt traffic originating from our inside network.
Figure 19-7 Enabling NAT Exempt
Click Next to display the Summary window, which allows the administrator to verify and confirm the configuration built by the wizard.
Figure 19-8 Configuration Summary

SSL and Transport Layer Security
- SSL is a cryptosystem created by Netscape in the mid-1990s.
- TLS 1.0 was defined in 1999 as an IETF standard as an upgrade to SSL 3.0.
- Encrypts and authenticates the session layer and above.
- HTTPS is not the only application supported: FTPS, POP3S, LDAPS, wireless security (EAP-TLS), and others.
- Relies on certificates to authenticate VPN peers.
- The server side is typically the only one authenticated in e-commerce scenarios.

Using SSL instead of IPsec: The remote devices require a client application, such as the Cisco AnyConnect Secure Mobility Client, to be preinstalled on the end-user device; the application can be downloaded as needed by initially establishing a clientless SSL VPN. This type of solution uses bidirectional authentication: the client authenticates the ASA with a certificate-based authentication method, and the ASA authenticates the user against a local or remote user database, which is based on a username and password.

AnyConnect SSL VPN on a Cisco ASA Security Appliance
Basic Cisco AnyConnect SSL VPN on a Cisco ASA security appliance uses the following:
- Self-signed or CA-signed identity certificate on Cisco ASA
- Local user database on Cisco ASA
- Local address pool on Cisco ASA
- Split tunneling and hairpin options on Cisco ASA allow Internet access for clients

Configuration
There are three major phases to configuring SSL VPN full-tunnel mode using Cisco ASDM so that remote clients will connect using Cisco AnyConnect:
Phase 1. Configure the ASA for Cisco AnyConnect.
Phase 2. Configure the Cisco AnyConnect VPN Client.
Phase 3. Verify AnyConnect configuration and connection.
Figure 21-3 Clientless SSL VPN Reference Topology

Phase 1: Configure Cisco ASA for Cisco AnyConnect
Choose Wizards > VPN Wizards > AnyConnect VPN Wizard.
Figure 20-3 ASDM Connection Profile Identification Window
Figure 20-2 ASDM Client-based VPN Wizard
Figure 20-4 ASDM VPN Protocols Window
Figure 20-5 ASDM Authentication Methods Window
Figure 20-7 ASDM Client Address Assignment Window
Figure 20-8 ASDM Network Name Resolution Servers Window
Figure 20-9 ASDM NAT Exempt Window
Figure 20-10 ASDM Wizard Summary Window

Phase 2: Configure the Cisco AnyConnect VPN Client
We will first connect to the ASA using a clientless SSL VPN.
Figure 20-11 SSL VPN Connection
If all the preceding checks succeed, Cisco AnyConnect will be downloaded and installed automatically on your remote system.
Figure 20-13 Cisco AnyConnect VPN Client Manual Installation
Figure 20-14 Starting Cisco AnyConnect VPN Client

Q5: Configure Clientless Remote Access VPN

A5: Transport Layer Security (TLS) and its predecessor SSL are cryptographic protocols that provide secure communications on the Internet for such things as web browsing, email, Internet faxing, instant messaging, and other data transfers. TLS is a standards-based alternative to SSL, and the terms are sometimes used interchangeably. The figure shows how SSL is used to encrypt and authenticate the session layer and above. As such, it encrypts more than just HTTP (called HTTPS): it can also encrypt FTP (FTPS), POP3 (POP3S), LDAP (LDAPS), wireless security (EAP-TLS), and others. Cryptographically, SSL and TLS rely on public key infrastructure (PKI) and digital certificates for authenticating the peers.

Clientless: The remote client needs only an SSL-enabled browser to access resources on the private network behind the security appliance. SSL clients can access internal resources such as HTTP, HTTPS, or even Windows file shares over the SSL tunnel.

Configuration
The basic steps to follow when configuring the ASA to support clientless SSL VPN are:
1. Launch the Clientless SSL VPN Wizard from ASDM.
2. Configure the SSL VPN URL and interface.
3. Configure user authentication.
4. Configure user group policy.
5. Configure bookmarks.
The objective here is to allow Internet-based HR employees HTTPS access to the mail server in the corporate DMZ.
Figure 21-3 Clientless SSL VPN Reference Topology
Task 1: Launch the Clientless SSL VPN Wizard from ASDM. Choose Wizards > VPN Wizards > Clientless SSL VPN Wizard.
Task 2: Configure the SSL VPN URL and Interface. Optionally, select a third-party certificate that has been installed on the ASA for use in connecting SSL VPN clients. If no certificate was installed, the ASA will use a self-signed certificate, which browsers will flag and users cannot meaningfully verify; a CA-signed certificate is the practical choice for Internet-facing users. Configure the URL that users can access to associate them with the correct group. In our scenario, we are allowing HR staff access to specific corporate services.
Figure 21-6 SSL VPN Interface Configuration
Figure 21-7 Authentication Configuration
Task 3: Configure User Authentication. Authenticating users for the SSL VPN.
Task 4: Configure User Group Policy. Assigning a user group policy for the SSL VPN users.
Task 5: Configure Bookmarks. On the Bookmark List page, you are prompted as to whether you want to provide these authenticated SSL VPN users with a convenient set of links/URLs that go to specific services on the corporate network.
Figure 21-16 Viewing CLI Output
Clientless SSL VPN Verification
Figure 21-17 Verifying Secure SSL Connection
Figure 21-18 Verify

CHAPTER 8 ASA FIREWALL

Figure 8-1 Cisco ASA 5500 Family
Figure 8-2 Cisco ASA 5506-X Back Panel
Figure 8-3 Cisco ASA 5506-X Front Panel
1-2. Front-panel LEDs: the Status LED is solid green when the ASA is functioning normally and amber on a major hardware failure; the Active LED is solid green when a high-availability (HA) failover pair is functioning normally and amber when the unit is the standby; the WLAN LED is present only on the ASA 5506W-X; the Power LED lights as soon as the AC power is plugged in.
3. Network data ports: Eight Gigabit Ethernet RJ-45 network interfaces, numbered GigabitEthernet 1/1 through 1/8; they are MDI/MDIX compliant. Each port has a link status LED and a connection speed LED. The network ports support
auto MDI/MDIX as well. The speed LED blinks differently depending on the speed (one blink every three seconds = 10 Mbps; two rapid blinks = 100 Mbps; three rapid blinks = 1000 Mbps).
4. Management port: enabled by default but with no IP address configured; it is reserved for use by the ASA's FirePOWER module.
5. Console ports: two serial ports, a standard RJ-45 and a mini-USB Type B, are provided for management access via an external system.
6. USB port: A standard USB Type A port is provided that allows the attachment of an external device, such as mass storage.
7. Reset button: A small recessed button that, if pressed for longer than three seconds, resets the ASA to its default "as shipped" state following the next reboot. Configuration variables are reset to factory default. However, the flash is not erased and no files are removed.
8. Lock slot: The slot accepts a standard Kensington T-bar locking mechanism for securing the ASA.

ASA Features and Services
A) An application-aware stateful packet inspection algorithm.
B) Application Visibility and Control (AVC) services, enabled to prevent many tunneling attempts and application layer attacks that violate protocol specifications.
C) Different flavors of NAT, including inside and outside NAT, policy (destination-sensitive) NAT, one-to-one and one-to-many NAT, and port forwarding (dynamic and static PAT).
D) Rich IP routing functionality for both static and dynamic routing; integrates with IPv6 networks natively.
E) An integrated DHCP server and client; natively integrates with multicast networks.

In addition to these basic features, the ASA offers four advanced services:
1) ASA virtualization: A single ASA can be partitioned into multiple virtual devices. Each virtual device is called a security context. Each context is an independent device, with its own security policy, interfaces, and administration.
2) High availability with failover: Two identical ASAs can be paired into an active/standby failover configuration to provide device redundancy.
Both platforms must be identical in software, licensing, memory, and interfaces.
3) Identity firewall: The ASA provides optional granular access control based on an association of IP addresses to Windows Active Directory login information. For example, when a client attempts to access an inside protected resource, it must first be authenticated using the Microsoft Active Directory identity-based firewall services.
4) FirePOWER: Cisco ASA now offers, in one device, next-generation intrusion prevention (NGIPS), advanced malware protection (AMP), and URL filtering.

ASA Deployments
Routed mode: The ASA supports RIP (versions 1 and 2), OSPF, EIGRP, and BGP dynamic routing protocols to integrate into existing routing infrastructures.
Transparent (bridged) mode: the ASA acts as a Layer 2 device. The appliance can be invisible to devices on both sides of a protected network. You can manage it via a management IP address (which can be hosted on a separate management interface, if required).

The ASA has three redundancy options to provide for maximum uptime and system availability:
1) Active/Standby failover model: One security appliance actively processes user traffic, whereas the other unit acts as a hot standby, prepared to take over if the active unit fails.
2) Active/Active failover model: Both security appliances can actively process user traffic and can tolerate the failure of one device in the failover cluster.
3) Clustering: This feature lets you group multiple ASAs as a single logical device.

ASA Contexts
You can partition a single ASA into multiple virtual firewalls that are known as security contexts. Each context is an independent firewall with its own security policy, interfaces, and administrator. You must first configure the security appliance that will host multiple security contexts into "multiple mode" to support virtualization.

ASA Default Configuration
(figure: default interface roles of the ASA 5506-X; only the labels outside, inside, Layer 2 switch and Management are legible)

Adaptive Security Device Manager (ASDM) access
Cisco ASDM is a GUI configuration tool that is designed to facilitate the setup,
configuration, monitoring, and troubleshooting of the ASA. The ASA uses a CLI command set that is based on Cisco IOS Software. The appliance provides five configuration modes, similar to Cisco IOS devices:
ROM monitor: A special mode that allows you to update the ASA image over the network or perform password recovery.
User EXEC mode: Available when first accessing the ASA. Provides a restricted view of the appliance settings.
Privileged EXEC mode: Enables changing of current settings.
Global configuration mode: Enables changing of system configurations.
Specific configuration modes: Enable changing of configurations that are specific to portions of the security appliance, for example, interface settings.

For initial configuration of the ASA, access the CLI directly from the console port. For remote management it is possible to enable Telnet, SSH, and ASDM access via HTTPS. To identify an inside client at IP address 192.168.1.10 that is allowed to connect to the ASA using Telnet, SSH, and ASDM via HTTPS, perform from global configuration mode the configuration steps shown in Example 7-2. Although HTTPS is enabled as part of the factory default, it is included here for completeness. In this example, the cisco12345 password will be used for Telnet connections, whereas the AAA local database will be used for SSH and ASDM connections via HTTPS. A 1024-bit RSA key is generated for encrypting SSH and HTTPS traffic. The admin user has been assigned privilege level 15 and its password will be stored encrypted in the configuration. Note that Telnet carries the password in the clear and that 1024-bit RSA keys are below current recommendations; in practice restrict management to SSH and HTTPS and generate a 2048-bit or larger key.

ASA Interfaces
You must configure, at minimum, basic interface configuration parameters. These include IP address, interface name, and security level. In the Cisco ASA, default access control is based on interface security levels. Each interface must have a security level from 0 (lowest) to 100 (highest). For example, you should assign your most secure network, such as the inside host network, to level 100, while the outside network connected to the Internet can be level 0. Other networks, such as DMZs,
can be assigned a level in between. You can assign multiple interfaces to the same security level.

Traffic flows are defined as inbound or outbound as follows:
- Inbound traffic travels from a less trusted interface to a more trusted interface, that is, from a lower security level to a higher security level. For example, outside to inside.
- Outbound traffic travels from a more trusted interface to a less trusted interface, that is, from a higher security level to a lower security level. For example, inside to outside.
Example 7-3 ASA DMZ Interface Configuration

An access rule permits or denies sessions. The determination of whether to permit or deny a session can be based on the protocol, a source and destination IP address or network, and optionally the source and destination ports. The appliance tests the initial packet against each rule in the order in which the rules are listed. After a match is found, no more rules are checked. There is an implicit deny-all rule at the end of the access rule list. If you do not assign interface ACLs to a specific interface, the appliance applies the default access policy:
- All outbound traffic is permitted.
- All inbound traffic is denied.
As soon as an ACL is applied to an interface, the permissive outbound default is gone for that interface: anything not explicitly permitted by a rule hits the implicit deny.
To configure or view access rules within ASDM, choose Configuration > Firewall > Access Rules. To add and apply a specific access rule to an interface, click the Add button to open the Add Access Rule window, shown in Figure 7-5. In this case, the inside network 192.168.1.0/24 is being permitted HTTP access to an external server at 209.165.201.10. Example 7-4 shows the equivalent CLI commands generated by the ASDM. Notice that the ASA access rule syntax is similar to an ACL on a Cisco IOS router.
Example 7-4 ASA CLI Access Rule Commands

ASA Objects and Object Groups
An object can be defined with a particular IP address, an entire subnet, a range of addresses, a protocol, or a specific port or range of ports. The object can then be reused in several configurations. The advantage of this feature is that when an object is modified, the change is automatically applied to all rules that use the specified object. Therefore,
using objects makes it easy to maintain configurations. There are two types of objects that can be configured:
- Network object: Contains a single IP address and subnet mask. Network objects can be of three types: host, subnet, or range.
- Service object: Contains a protocol and optional source and/or destination port.

The ASA supports various types of object groups:
- Network: A network-based object group specifies a list of IP host, subnet, or network addresses.
- Service: A service-based object group is used to group TCP, UDP, or TCP and UDP ports into an object. The ASA enables the creation of a service object group that can contain a mix of TCP services, UDP services, ICMP-type services, and any protocol such as ESP, GRE, and TCP.
- Security: A security object group can be used in features that support Cisco TrustSec by including the group in an extended ACL, which in turn can be used in an access rule.
- User: Both locally created and imported Active Directory user groups can be defined for use in features that support the identity firewall.
- ICMP-type: The ICMP protocol uses unique types to send control messages (RFC 792). The ICMP-type object group can group the necessary types required to meet an organization's security needs, for example an object group called ECHO that groups echo and echo-reply.

Network object and network object group configuration can be accessed by following the ASDM menu path Configuration > Firewall > Objects > Network Objects/Groups and clicking Add, as shown in Figure 7-6.
Figure 7-6 ASA ASDM Network Object/Object Groups Window Add Menu
Figure 7-7 shows the creation of an object for Admin_host1 (IP address 192.168.1.10) and Figure 7-8 shows the creation of an object for the inside network using 192.168.1.0/24.
Figure 7-7 ASA ASDM Admin Host Network Object Creation
Figure 7-8 ASA ASDM Inside Network Object Creation
To create an object group, we now assume that there are two Admin hosts: Admin_host1 at address 192.168.1.10 and Admin_host2 at address 192.168.1.11.
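An added Python model, not from the summary and not Cisco's code, of the access decision described above: interface security levels, the default policy for an interface that carries no ACL, first-match evaluation with the implicit deny, and object groups that are resolved when a rule is evaluated, so that editing one object changes every rule that uses it. The security levels, the Admin_hosts group and the HTTP and Web_access service groups are assumptions built from the names used above.

```python
"""Toy model of the ASA access decision: security levels, default policy,
first-match ACL with implicit deny, and object/object-group reuse."""
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Interface security levels (assumed values consistent with the text).
SECURITY_LEVEL = {"inside": 100, "dmz": 50, "outside": 0}

# Network objects and groups. A group lists the names of its member objects.
NETWORK_OBJECTS = {
    "Admin_host1": ["192.168.1.10/32"],
    "Admin_host2": ["192.168.1.11/32"],
    "inside-network": ["192.168.1.0/24"],
    "Admin_hosts": ["Admin_host1", "Admin_host2"],
}
# Service groups as sets of (protocol, destination port).
SERVICE_GROUPS = {
    "HTTP": {("tcp", 80)},
    "Web_access": {("tcp", 80), ("tcp", 443)},
}


def expand_network(name):
    """Resolve an object or object group (recursively) to ip_network entries.
    A bare CIDR string is accepted as well."""
    nets = []
    for member in NETWORK_OBJECTS.get(name, [name]):
        if member in NETWORK_OBJECTS:
            nets.extend(expand_network(member))
        else:
            nets.append(ipaddress.ip_network(member))
    return nets


@dataclass(frozen=True)
class Rule:
    action: str                     # "permit" or "deny"
    protocol: str                   # "ip" matches any protocol
    source: str                     # object/group name or CIDR
    destination: str
    service: Optional[str] = None   # service group name; None = any port


@dataclass(frozen=True)
class Packet:
    ingress: str
    egress: str
    protocol: str
    src: str
    dst: str
    dport: Optional[int] = None


# Rules applied to traffic entering the inside interface, in the order listed.
ACCESS_LISTS = {
    "inside_access_in": [
        Rule("permit", "tcp", "Admin_hosts", "209.165.201.10/32", "Web_access"),
        Rule("permit", "tcp", "inside-network", "209.165.201.10/32", "HTTP"),
    ],
}


def _in(addr, name):
    return any(ipaddress.ip_address(addr) in net for net in expand_network(name))


def matches(rule, pkt):
    if rule.protocol not in ("ip", pkt.protocol):
        return False
    if not (_in(pkt.src, rule.source) and _in(pkt.dst, rule.destination)):
        return False
    return rule.service is None or (pkt.protocol, pkt.dport) in SERVICE_GROUPS[rule.service]


def decide(pkt, acls=ACCESS_LISTS):
    """Return "permit" or "deny" for the first packet of a new session."""
    acl = acls.get(f"{pkt.ingress}_access_in")
    if acl is not None:
        for rule in acl:              # first match wins, later rules are not read
            if matches(rule, pkt):
                return rule.action
        return "deny"                 # implicit deny-all at the end of the ACL
    # No ACL on the interface: default policy. Higher -> lower level (outbound)
    # is permitted, lower -> higher (inbound) is denied. Equal levels are denied
    # too unless same-security-traffic is enabled, which this model leaves out.
    return "permit" if SECURITY_LEVEL[pkt.ingress] > SECURITY_LEVEL[pkt.egress] else "deny"
```

The last two assertions in the test below add a third admin host to the Admin_hosts group and nothing else; the HTTPS rule immediately applies to it, which is the maintenance benefit the text describes.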
Figure 7-9 shows the Add Network Object Group window, where you can enter the object group name and description and assign group members. In this case, an object group called Admin_hosts is configured. Selecting an existing object on the left and clicking Add allows you to assign the group members.
Example 7-6 ASA CLI Network Object Group Configuration
Service object and service group configuration can be accessed by following the ASDM menu path Configuration > Firewall > Objects > Service Objects/Groups and clicking Add.
Example 7-7 ASA CLI Service Group Configuration
All these newly created objects, object groups, and service groups can now be used when defining firewall access rules. For example, the Web_access service group could be applied to the inside interface for traffic destined to the DMZ server.

Modular Policy Framework (MPF)
The ASA supports Layer 5 to Layer 7 inspections using a richer set of criteria for application-specific parameters. For instance, the ASA MPF feature can be used to match HTTP URLs and request methods, prevent users from surfing to specific sites during specific times, or even prevent users from downloading music (MP3) and video files via HTTP/FTP or HTTPS/SFTP. Cisco MPF consists of the following main components, which are similar to the three components of an IOS zone-based policy firewall (ZPF):
- Class map: A class map is a basic Cisco MPF object that is used to identify and group a set of particular traffic flows into a traffic class. A traffic flow is generally an OSI Layer 3 to Layer 7 network session between endpoints that is identified by a specific application.
- Policy map: To associate an action with a specific traffic class, you create a policy map, specify a traffic class in the policy map, and associate an action with this specific class of traffic. You can create policy maps for Layers 3 to 7.
- Service policy: You use a service policy to activate policies by specifying where policy maps should classify and apply actions to traffic.
Figure 7-15 ASA ASDM Service Policy Rules Window
Notice in Figure 7-15 that the policy map is named global_policy and is applied globally.
Also notice that the class map is called inspection_default and that the default inspect-traffic service has been applied to the class map for any traffic. By hovering over the Rule Actions column, all the default inspections can be viewed.

Usually, to configure Cisco MPF, you must first configure a class map to classify traffic, then define an action to take on the matched traffic flow in a policy map, then apply the policy with a service policy. However, if you use the ASDM to configure Cisco MPF software-based policies, there are two details to keep in mind:
- MPF policies are called service policy rules in Cisco ASDM.
- The order in which the MPF components are created is different compared to when the configuration is done using the CLI.
To create a policy for Layers 3 and 4 using Cisco ASDM, the following tasks must be performed:
1. Create a new service policy rule or edit an existing one.
2. Define which traffic to match (class map).
3. Apply actions to the traffic (policy map).
From the Service Policy Rules window, clicking the Add button brings up a menu from which the Add Service Policy Rule option can be selected to create a new Cisco MPF policy on the ASA.

Another option is to edit the global policy to allow inspection of other protocols. For example, the default global policy does not inspect ICMP. Without inspection, the ASA does not track outbound ICMP requests in the state table, and hence it does not expect or allow an inbound ICMP echo reply. If an inside user pings an outside resource, the echo replies are dropped as they arrive at the outside interface. For this scenario, we will use ASDM to edit the default service policy rule to allow for ICMP inspection, which will resolve the ping issue for our inside users. (The alternative, permitting echo-reply inbound with an access rule, admits unsolicited replies from anyone; inspection only admits replies to requests the ASA saw go out.)
Select the inspection_default row in the Service Policy Rules window (see Figure 7-15) and click the Edit button. This opens the Edit Service Policy Rule window, shown in Figure 7-16. Notice that there are three tabs in the window. The window allows the definition of a class map and the actions that the policy map will take upon traffic that is matched by the class map.
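An added Python model, not Cisco's implementation, of the three MPF objects described above (class map, policy map, service policy) and of the state-table effect that makes the factory global_policy drop echo replies until inspect icmp is added to inspection_default. The port list behind match default-inspection-traffic and the list of default inspections are reduced to a small subset (assumption), and the state table is a plain set of flow tuples.

```python
"""Toy model of ASA MPF: class map -> policy map -> service policy, and the
effect of 'inspect icmp' on what return traffic the state table admits."""
from dataclasses import dataclass
from typing import Callable, List, Tuple


@dataclass(frozen=True)
class Flow:
    protocol: str   # "tcp", "udp" or "icmp"
    src: str
    dst: str
    sport: int      # for icmp: the echo identifier, carried unchanged in the reply
    dport: int

    def reverse(self):
        return Flow(self.protocol, self.dst, self.src, self.dport, self.sport)


@dataclass
class ClassMap:
    """class-map <name> / match <criteria>"""
    name: str
    match: Callable[[Flow], bool]


@dataclass
class PolicyMap:
    """policy-map <name> / class <class-map> / <actions>; first class that matches wins."""
    name: str
    classes: List[Tuple[ClassMap, List[str]]]

    def actions_for(self, flow):
        for cmap, actions in self.classes:
            if cmap.match(flow):
                return actions
        return []                      # class-default: no actions


# 'match default-inspection-traffic' covers the well-known ports of the default
# inspections plus ICMP. ASSUMPTION: only a subset of those ports is listed here.
DEFAULT_INSPECTION_PORTS = {("tcp", 21), ("tcp", 80), ("tcp", 53), ("udp", 53)}


def inspection_default_match(flow):
    return flow.protocol == "icmp" or (flow.protocol, flow.dport) in DEFAULT_INSPECTION_PORTS


def global_policy(inspect_icmp=False):
    """The factory global_policy; ICMP is inspected only after the edit described above."""
    actions = ["inspect dns", "inspect ftp", "inspect http"]   # subset of the defaults
    if inspect_icmp:
        actions.append("inspect icmp")
    cmap = ClassMap("inspection_default", inspection_default_match)
    return PolicyMap("global_policy", [(cmap, actions)])


class Asa:
    """service-policy <policy-map> global, driving a single state table."""
    def __init__(self, policy_map):
        self.policy, self.conns = policy_map, set()

    def outbound(self, flow):
        """An inside host opens a session. TCP and UDP are always tracked by the
        stateful engine; ICMP is tracked only when 'inspect icmp' applies."""
        actions = self.policy.actions_for(flow)
        if flow.protocol in ("tcp", "udp") or "inspect icmp" in actions:
            self.conns.add(flow)
        return actions

    def inbound(self, flow):
        """A packet arrives on the outside interface. With no inbound access rule
        it is admitted only as the reverse of a tracked outbound flow."""
        return flow.reverse() in self.conns
```

Run against the factory policy, the echo request leaves but its reply is refused; after rebuilding the policy with inspect_icmp=True the same exchange succeeds, while an echo reply nobody asked for is still refused.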
The Traffic Classification tab specifies the class map currently in use (inspection_default), the Default Inspections tab confirms which protocol and port numbers are associated with which applications by default, and the Rule Actions tab allows for further protocol inspection. Figure 7-16 shows that ICMP has been checked in the Protocol Inspection subtab of the Rule Actions tab in the Edit Service Policy Rule window.
Figure 7-16 ASA ASDM Rule Actions with ICMP Selected
Example 7-9 ASA CLI MPF Commands

NAT
NAT translates the private addresses that are used in the internal network into public addresses that can be routed across the Internet.
Figure 10-1 NAT Process
1. Host 192.168.1.1 sends a packet to the Web Server.
2. The ASA performs a new translation according to the NAT table and the NAT configuration.
3. The ASA replaces the inside local address 192.168.1.1 with the inside global address 209.165.200.225 and forwards the packet.
4. The Web Server receives the packet with 209.165.200.225 as the source address. When it replies, it uses a destination address of 209.165.200.225.
5. When the ASA receives the packet, it checks the NAT table and finds an entry that matches the inside global address 209.165.200.225.
6. The ASA replaces the inside global address 209.165.200.225 with the inside local address 192.168.1.1 and forwards the packet.

NAT deployment
- Static NAT: a fixed one-to-one mapping between a real address and a mapped address; typically used when a server must be reachable from the outside.
- Dynamic NAT: maps real addresses to mapped addresses allocated from a pool of public addresses.
- Dynamic PAT (NAT Overload): maps multiple real addresses to a single mapped address, distinguishing the connections by unique source ports.
- Static PAT: maps a real address and port to a single mapped address and port (port forwarding), so that one service on an inside host is reachable from the outside.

Static NAT
The security appliance uses the one-to-one methodology by assigning one global IP address to one inside IP address. For our scenario, we want to create a static NAT mapping for the DMZ server located at 172.16.1.50. The translated or mapped address should be 209.165.201.2. We will also use the Auto NAT feature to help create the rule. Using ASDM, navigate to Configuration > Firewall > Objects > Network Objects/Groups. Start the configuration by choosing Add > Network Object. Next, we must define a traffic direction for the NAT translation to occur.
Click the Advanced button to define the source and destination interfaces for the desired translation. Figure 10-5 shows that the DMZ server on the DMZ interface will have its IP address statically translated to and from traffic on the outside interface. Click OK to close the Advanced NAT Settings dialog box.

Dynamic NAT
Using ASDM, navigate to Configuration > Firewall > Objects > Network Objects/Groups. Select the inside-network object and click Edit. Figure 10-7 shows that the network object has been named inside-network, that Auto NAT will be used, and that the type is set to Dynamic translation. The Translated Addr field is defined as a network object. Click the ellipsis (...) button in the Translated Addr field. Choose Add > Network Object in the Browse Translated Addr window to open the Add Network Object window. Figure 10-8 shows the creation of the dynamic NAT address pool.
Figure 10-8 ASDM Dynamic NAT Configuration (Step 2)
The address pool has been named TranslationPool, and it covers a range of addresses from 209.165.201.15 to 209.165.201.20. Click OK to return to the Browse Translated Addr window. Notice that the newly created address pool is highlighted, as shown in Figure 10-9. Click the Translated Addr button to select it, and click OK to return to the Edit Network Object window. Click the Advanced button to open the Advanced NAT Settings dialog box. Set the Source Interface to inside and the Destination Interface to outside, as shown in Figure 10-10. Note that a six-address pool serves at most six inside hosts at a time; the seventh host gets no translation and its traffic is dropped unless a PAT fallback is configured.

Policy NAT
The goal in this fourth scenario is to configure a policy that translates the IP address of the inside server (10.1.1.50) to 209.165.201.30 when it communicates with the Internet server. This policy should not affect translation from the inside server to any other systems. For other connections to the outside, the inside server will still use the dynamic PAT configuration. We need to start by configuring host objects associated with the real and translated addresses. In ASDM, navigate to Configuration > Firewall > Objects > Network Objects/Groups.
Choose Add > Network Object to define the object for the inside server using its private internal address, as shown in Figure 10-14. Click OK and repeat the process by creating another network object, this time for the Internet server address, as shown in Figure 10-15.
Figure 10-15 ASDM Policy NAT Configuration (Step 2)
Click OK and repeat the process a third time, this time for the public IP address the inside server uses when communicating with the Internet server, as shown in Figure 10-16.
Example 10-4 Policy NAT CLI
Figure 10-17 ASDM Policy NAT Configuration (Step 4)

ASA Basic Configuration Equivalent Commands
(table: ASA Basic Configuration Commands, covering the hostname, the enable password for privileged EXEC mode, case-sensitive passwords, the Telnet password and key config-key password-encryption)
Configuring Interfaces Example
Configuring Layer 2 Ports Example
Configuring Remote Access
Telnet Configuration Commands
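The four NAT scenarios above (static NAT for the DMZ server, dynamic NAT from TranslationPool for the inside network, dynamic PAT for everything else, and the destination-sensitive policy rule for the inside server), as an added Python model that is not part of the summary and not Cisco's implementation. It follows the six-step process of Figure 10-1: translate on the way out, look the xlate up on the way back. Assumptions, marked in the code: the Internet server's address and the PAT address (the outside interface) are not given on the page and are placeholders, the PAT port allocator is a simple counter, and rule order stands in for the ASA's section ordering.

```python
"""Toy NAT table: static, dynamic (pool), dynamic PAT and policy NAT rules,
with the xlate lookups for outbound and returning packets."""
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class NatRule:
    kind: str                           # "static", "dynamic", "pat" or "policy"
    real: str                           # real (inside local) host or network
    mapped: str                         # mapped host, or "first-last" pool range
    src_if: str
    dst_if: str
    destination: Optional[str] = None   # policy NAT: apply only toward this destination


# ASSUMPTIONS: 209.165.200.226 (the Internet server) and 209.165.201.1 (the PAT
# address, i.e. the outside interface) are placeholders not taken from the page.
# Rule order stands in for the ASA's ordering: manual policy NAT (Section 1)
# before auto NAT, and static before dynamic within auto NAT.
RULES = [
    NatRule("policy", "10.1.1.50/32", "209.165.201.30", "inside", "outside", "209.165.200.226/32"),
    NatRule("static", "172.16.1.50/32", "209.165.201.2", "dmz", "outside"),
    NatRule("dynamic", "192.168.1.0/24", "209.165.201.15-209.165.201.20", "inside", "outside"),
    NatRule("pat", "10.0.0.0/8", "209.165.201.1", "inside", "outside"),
]


def pool(rule):
    first, last = (ipaddress.ip_address(a) for a in rule.mapped.split("-"))
    return [str(ipaddress.ip_address(i)) for i in range(int(first), int(last) + 1)]


class NatTable:
    def __init__(self, rules):
        self.rules = rules
        self.xlate = {}        # (real_ip, real_port|None) -> (mapped_ip, mapped_port|None)
        self.reverse = {}      # the opposite direction, for returning packets
        self.next_port = 1024  # PAT port allocator (assumption: a plain counter)

    def _install(self, key, mapped):
        self.xlate[key] = mapped
        self.reverse[mapped] = key
        return mapped

    def translate(self, src, dst, sport, ingress, egress):
        """Steps 2-3: first matching rule, reuse or create the xlate. Returns
        (mapped_ip, mapped_port); the real address when no rule applies; None
        when the packet is dropped (dynamic pool exhausted)."""
        for r in self.rules:
            if (r.src_if, r.dst_if) != (ingress, egress):
                continue
            if ipaddress.ip_address(src) not in ipaddress.ip_network(r.real):
                continue
            if r.destination and ipaddress.ip_address(dst) not in ipaddress.ip_network(r.destination):
                continue
            key = (src, sport) if r.kind == "pat" else (src, None)
            if key in self.xlate:
                mapped = self.xlate[key]                      # existing entry
            elif r.kind in ("static", "policy"):
                mapped = self._install(key, (r.mapped, None))
            elif r.kind == "dynamic":
                in_use = {m[0] for m in self.xlate.values()}
                free = [ip for ip in pool(r) if ip not in in_use]
                if not free:
                    return None                               # pool exhausted: drop
                mapped = self._install(key, (free[0], None))
            else:                                             # pat: unique port per flow
                mapped = self._install(key, (r.mapped, self.next_port))
                self.next_port += 1
            return (mapped[0], sport if mapped[1] is None else mapped[1])
        return (src, sport)                                   # no rule: untranslated

    def untranslate(self, mapped_ip, mapped_port):
        """Steps 5-6: map a returning packet's destination back to the real host."""
        for key in ((mapped_ip, mapped_port), (mapped_ip, None)):
            if key in self.reverse:
                real_ip, real_port = self.reverse[key]
                return (real_ip, mapped_port if real_port is None else real_port)
        for r in self.rules:               # static NAT is bidirectional without an xlate
            if r.kind == "static" and r.mapped == mapped_ip:
                return (str(ipaddress.ip_network(r.real)[0]), mapped_port)
        return None
```

The test walks the scenarios in order: the DMZ server is reachable inbound through its static mapping, the first inside hosts draw consecutive pool addresses and keep them for further connections, the seventh inside host finds the pool empty, and the inside server is translated to 209.165.201.30 only toward the Internet server while falling back to PAT everywhere else.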
