Applying Network Security Lecture 1 Notes

Uploaded by

Shivend Menon
TYPES OF NETWORK ATTACKS

— There is no standard method of classifying attacks; three broad categories are used here:
o Reconnaissance attacks: information gathering
o Access attacks: gaining access, data retrieval, escalating access privileges to
administrator status
o DoS attacks: create an interruption of network services to users, devices, or
applications
DEFENDING THE NETWORK
— Shut down unnecessary ports
— Complex passwords which are frequently changed
— Develop written security policy for company
— Develop identity validation methods and educate employees about social engineering
risk
— Control physical system access
— Encrypt and password protect sensitive data
— Deploy security hardware and software such as firewalls, IPSs, VPN devices, antivirus,
and content filtering
— Perform backups and test backed-up files regularly
— Keep patches up-to-date via a weekly or daily installation if possible — to prevent
buffer overflow and privilege escalation attacks
— Perform security audits to test the network
SECURE THE EDGE ROUTER
SECURE THE NETWORK INFRASTRUCTURE

— Critical to overall network security


— Network infrastructure: routers, switches, servers, endpoints, and other devices
— Routers are a primary attack target because they direct traffic into, out of, and between
networks
— Edge router = the last router between the internal network and an untrusted network (e.g. the
internet). All organisation traffic passes through an edge router, which often functions as
the first and last line of defence for a network
o [untrusted] -- (edge router) -- [trusted]
EDGE ROUTER SECURITY APPROACHES

— Single Router: a single router connects the protected network / internal LAN to the internet.
All security policies are configured on this router
— Defence-in-Depth: multiple layers of security prior to traffic entering the protected
LAN. Three primary layers of defence: the edge router, the firewall, and an internal
router that connects to the protected LAN
— DMZ: can be used for servers that must be accessible from the internet or another
external network. The DMZ can be set up between two routers, with an internal router
connecting to the protected network and an external router connecting to the
unprotected network
THREE AREAS OF ROUTER SECURITY

— Three areas of router security must be maintained


— Physical:
o place the router and physical devices connected to it in a secure locked room
only accessible to authorised personnel.
o Install an uninterruptible power supply (UPS) or diesel backup power generator
— Operating System:
o configure the router with maximum amount of possible memory. Availability of
memory can help mitigate DoS attacks.
o Use latest, stable version of the OS that meets the feature specifications of the
router or network device
o Keep a secure copy of router OS images and router configuration files as
backups
— Router Hardening:
o Ensure only authorised personnel have access and that their level of access is
controlled
o Disable unused ports and interfaces
o Disable unnecessary services (a router has services that are enabled by default.
Some of these can be used by an attacker to gather information about the router
and the network)
SECURE ADMINISTRATIVE ACCESS

— Securing administrative access is important
— If an unauthorised person gains admin access to a router, that person could alter routing
parameters, disable routing functions, or discover and gain access to other systems
within the network
— Several tasks involved in securing administrative access to an infrastructure device:
o Restrict device accessibility
o Log and account for all access
o Authenticate access
o Authorise actions
o Present legal notification
o Ensure the confidentiality of data
SECURE LOCAL AND REMOTE ACCESS

— A router can be accessed for admin purposes locally or remotely


— Local access: admin must have physical access to the router and use a console cable to
connect to the console port. Local access typically used for initial configuration of the
device
— Remote access: although the AUX port option is available, the most common remote access
method involves allowing Telnet, SSH, HTTP, HTTPS, or SNMP connections to the
router from a computer. The computer can be on the local network or on a remote network

CONFIGURE SECURE ADMINISTRATIVE ACCESS


PASSWORDS

— Weak passwords: simple dictionary words, mother’s maiden name, car make, user name
and birthday, simple words and numbers
— Strong passwords: alphanumeric character combinations, combinations of alphanumeric
characters, symbols, and inclusion of a space
CONFIGURE PASSWORDS

— To secure user EXEC mode access:
o config terminal — enter global configuration mode
o line console 0 — enter line configuration mode for the console
o password password — specify the user EXEC mode password
o login — enable user EXEC access
— To gain admin access to all IOS commands, including configuring a device, you must
gain privileged EXEC mode access
o enable secret password — secure privileged EXEC access (global)
— To secure vty lines:
o line vty 0 15 — enter line vty mode
o password password — specify the vty password
o login — enable vty access
o end
ENCRYPT PASSWORDS

— Strong passwords are only useful if they remain secret
— Several steps can be taken to ensure passwords remain secret on a Cisco router and
switch, including:
o Encrypting all plaintext passwords
o Setting a minimum acceptable password length
o Deterring brute-force password guessing attacks
o Disabling inactive privileged EXEC mode access after a specified amount
of time
o service password-encryption — encrypt all plaintext passwords (global)
o show running-config — verify that passwords are now encrypted
ADDITIONAL PASSWORD SECURITY

— security passwords min-length length — ensure configured passwords have a minimum
specified length (global)
— login block-for seconds attempts number within seconds — limits the number of password
attempts within a set time (global) | deters an attacker who uses password cracking
software to brute-force the password through continuous attempts until the correct one is
found

SECRET PASSWORD ALGORITHMS

— MD5 hashes are no longer considered secure because attackers can reconstruct valid
certificates
o This allows attackers to spoof any website
o enable secret uses an MD5 hash by default
— It is now recommended that you configure all secret passwords using either type 8 or type 9
passwords
— Type 8 and type 9 were introduced in Cisco IOS 15.3(3)M.
— Type 8 and type 9 use SHA-based hashing
— enable algorithm-type {md5 | scrypt | sha256} secret password — the password is entered
unencrypted; scrypt stores it as a type 9 secret and sha256 as a type 8 secret


CONFIGURE ENHANCED SECURITY FOR VIRTUAL LOGINS


ENHANCE THE LOGIN PROCESS

— login blocking = enabling a detection profile that lets you configure a network device to
react to repeated failed login attempts by refusing further connection requests
— Access Control Lists (ACLs) can be used to permit legitimate connections from the
addresses of known system administrators
— banner — global configuration mode command to specify appropriate messages.
Banners protect the organisation from a legal perspective
CONFIGURE LOGIN ENHANCEMENT FEATURES

— login block-for — disables logins after a specified number of failed login attempts
(defends against DoS attacks)
— login quiet-mode access-class — maps to an ACL that identifies the hosts still permitted
to log in during the quiet period
— login delay — specifies the number of seconds a user must wait between unsuccessful
login attempts
— login on-success log — logs successful login attempts
— login on-failure log — logs unsuccessful login attempts

ENABLE LOGIN ENHANCEMENTS

— to help a Cisco IOS device provide DoS detection use login block-for — it monitors login
device activity and operates in two modes. It must be issued before any other login command
o Normal mode (watch mode): the router keeps count of the number of failed login
attempts within an identified amount of time
o Quiet mode (quiet period): if the number of failed logins exceeds the configured
threshold, all login attempts using Telnet, SSH, and HTTP are denied for the time
period specified in the login block-for command

LOG FAILED ATTEMPTS

— Three commands can be configured to help an admin detect a password attack
— Each lets a device generate syslog messages for failed or successful login attempts
— The first two generate syslog messages for successful and unsuccessful login attempts:
o login on-success log
o login on-failure log
— security authentication failure rate — can be configured to generate a log message when
the login failure rate is exceeded | an alternative to the login on-failure log command

— show login — verify the login block-for command settings and the current mode
— show login failures — displays information on the failed attempts, such as the IP address
from which the failed login attempts originated
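The watch-mode / quiet-mode behaviour described above can be modelled directly. The following is an added example written for these notes, not Cisco code: it replays a constructed sequence of login attempts (time in seconds, source address, whether the credentials were correct) through a model of login block-for 120 attempts 3 within 60, with a constructed quiet-mode ACL standing in for login quiet-mode access-class. Counting failures in a sliding window and refusing connections during the quiet period are the two rules from the notes; the exact threshold comparison and the treatment of ACL-listed hosts during the quiet period are assumptions of the model.

```python
from dataclasses import dataclass, field
from typing import List, Set, Tuple


@dataclass
class LoginBlockFor:
    """Models 'login block-for <block_for> attempts <attempts> within <within>'.

    Added illustration, not Cisco code: the watch/quiet-mode rules follow the
    notes above; quiet_mode_acl models 'login quiet-mode access-class'.
    """
    block_for: int                                         # seconds to stay in quiet mode
    attempts: int                                          # failures that trigger quiet mode ...
    within: int                                            # ... if they occur inside this window
    quiet_mode_acl: Set[str] = field(default_factory=set)  # hosts still admitted in quiet mode
    failures: List[int] = field(default_factory=list)      # timestamps of recent failures
    quiet_until: int = 0                                   # time at which the quiet period ends
    log: List[str] = field(default_factory=list)           # what the device would report

    def mode(self, now: int) -> str:
        return "quiet" if now < self.quiet_until else "normal"

    def attempt(self, now: int, src: str, success: bool) -> str:
        """Process one login attempt; returns 'allowed', 'denied' or 'blocked'."""
        if self.mode(now) == "quiet" and src not in self.quiet_mode_acl:
            # quiet period: Telnet/SSH/HTTP logins are refused before any authentication
            self.log.append(f"{now}s: quiet mode, connection from {src} refused")
            return "blocked"
        if success:
            self.log.append(f"{now}s: login success from {src}")
            return "allowed"
        # normal (watch) mode: count only the failures inside the sliding window
        self.failures = [t for t in self.failures if now - t < self.within]
        self.failures.append(now)
        self.log.append(f"{now}s: login failed from {src} ({len(self.failures)} in window)")
        if len(self.failures) >= self.attempts:
            self.quiet_until = now + self.block_for
            self.failures.clear()
            self.log.append(f"{now}s: threshold reached, quiet mode for {self.block_for}s")
        return "denied"


# Constructed attempt sequence: (seconds, source address, credentials correct?)
EVENTS = [
    (0, "203.0.113.9", False),
    (5, "203.0.113.9", False),
    (9, "203.0.113.9", False),   # third failure inside 60 s -> quiet mode for 120 s
    (20, "10.0.0.5", True),      # valid admin login, but host not in the quiet-mode ACL
    (25, "10.0.0.7", True),      # admin host listed in the quiet-mode ACL
    (140, "10.0.0.5", True),     # quiet period over
]


def run(events=EVENTS) -> Tuple[List[str], LoginBlockFor]:
    """Replays the events through 'login block-for 120 attempts 3 within 60'."""
    guard = LoginBlockFor(block_for=120, attempts=3, within=60, quiet_mode_acl={"10.0.0.7"})
    return [guard.attempt(t, src, ok) for t, src, ok in events], guard


if __name__ == "__main__":
    results, guard = run()
    for line in guard.log:
        print(line)
    print(results)
```

Note the fourth event: a correct password from a legitimate administrator is still refused during the quiet period unless that host is covered by the quiet-mode ACL, which is why the notes pair login block-for with an ACL of known admin addresses.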

CONFIGURE SSH
ENABLE SSH

— configure a Cisco device to support SSH using the following six steps:
1. configure a unique device hostname (config terminal) (hostname R1)
2. configure the IP domain name (ip domain name span.com)
3. generate a key to encrypt SSH traffic (crypto key generate rsa general-keys
modulus 1024)
4. verify or create a local database entry (username bob secret cisco)
5. authenticate against the local database (line vty 0 4)
6. enable vty inbound SSH sessions (login local) (transport input ssh) (exit)

ENHANCE SSH LOGIN SECURITY

— show ip ssh — verify the optional SSH command settings
— ip ssh time-out seconds — (global). Modify the default 120-second timeout interval.
This configures the number of seconds SSH has to authenticate the user
— ip ssh authentication-retries integer — configure a different number of consecutive SSH
retries. By default, a user logging in has three attempts to enter the correct password
before being disconnected — this allows you to change the number of tries
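The password and SSH settings from this and the preceding sections can be verified against a saved running-config rather than by eye. The auditor below is an added example written for these notes, not Cisco tooling. It parses a constructed config excerpt (every hash string is a placeholder, not a real secret) and reports credentials stored as type 0, 5 or 7, a missing service password-encryption, min-length or login block-for, vty lines whose transport input admits anything other than SSH or that do not use login local, and ip ssh version 2 plus time-out and authentication-retries values compared with the defaults given above.

```python
import re
from typing import Dict, List, Tuple

# Constructed running-config excerpt; every hash is a placeholder, not a real secret.
SAMPLE_CONFIG = """\
hostname R1
service password-encryption
security passwords min-length 10
login block-for 120 attempts 3 within 60
enable secret 5 $1$CONSTRUCTED$placeholder.md5.hash
username bob privilege 15 secret 9 $9$CONSTRUCTED$placeholder.scrypt.hash
username ops password 7 0822455D0A16
username legacy secret 5 $1$CONSTRUCTED$placeholder.md5.hash
ip domain name span.com
ip ssh time-out 60
ip ssh authentication-retries 2
ip ssh version 2
line con 0
 password 7 030752180500
 login
line vty 0 4
 login local
 transport input ssh
line vty 5 15
 password 7 0822455D0A16
 login
 transport input telnet ssh
"""

# IOS password storage types: 0 and 7 are reversible, 5 is MD5, 8 (PBKDF2-SHA256)
# and 9 (scrypt) are the types the notes recommend.
WEAK_TYPES = {"0": "plaintext (type 0)", "7": "reversible type 7", "5": "MD5 (type 5)"}
CRED_RE = re.compile(r"^(enable|username \S+) .*?\b(secret|password)(?: (\d+))? \S+$")

Finding = Tuple[str, str]  # (severity, message)


def parse_stanzas(config: str) -> Tuple[List[str], Dict[str, List[str]]]:
    """Global lines, plus indented sub-blocks keyed by the line that opens them."""
    glines: List[str] = []
    blocks: Dict[str, List[str]] = {}
    current = None
    for raw in config.splitlines():
        if not raw.strip() or raw.startswith("!"):
            continue
        if raw.startswith(" ") and current is not None:
            blocks[current].append(raw.strip())
        else:
            current = raw.strip()
            glines.append(current)
            blocks[current] = []
    return glines, blocks


def audit(config: str = SAMPLE_CONFIG) -> List[Finding]:
    findings: List[Finding] = []
    glines, blocks = parse_stanzas(config)

    if "service password-encryption" not in glines:
        findings.append(("HIGH", "service password-encryption missing: line passwords stay in plaintext"))
    if not any(l.startswith("security passwords min-length") for l in glines):
        findings.append(("MEDIUM", "no security passwords min-length configured"))
    if not any(l.startswith("login block-for") for l in glines):
        findings.append(("MEDIUM", "no login block-for: repeated password guessing is not throttled"))

    for line in glines:
        m = CRED_RE.match(line)
        if not m:
            continue
        who, keyword, ptype = m.group(1), m.group(2), m.group(3) or "0"
        if who == "enable" and keyword == "password":
            findings.append(("HIGH", "enable password used instead of enable secret"))
        if ptype in WEAK_TYPES:
            sev = "HIGH" if ptype in ("0", "7") else "MEDIUM"
            findings.append((sev, f"{who}: stored as {WEAK_TYPES[ptype]}; use a type 8 or 9 secret"))

    if "ip ssh version 2" not in glines:
        findings.append(("HIGH", "ip ssh version 2 not set: SSH version 1 may be negotiated"))
    for line in glines:
        m = re.match(r"ip ssh (time-out|authentication-retries) (\d+)$", line)
        if m:
            limit = 120 if m.group(1) == "time-out" else 3   # IOS defaults from the notes
            if int(m.group(2)) > limit:
                findings.append(("LOW", f"{line}: above the default of {limit}"))

    for opener, body in blocks.items():
        if not opener.startswith("line vty"):
            continue
        transports = [b for b in body if b.startswith("transport input")]
        if not transports:
            findings.append(("HIGH", f"{opener}: no transport input; the platform default applies"))
        elif transports[-1] != "transport input ssh":
            findings.append(("HIGH", f"{opener}: '{transports[-1]}' permits non-SSH access"))
        if "login local" not in body and not any(b.startswith("login authentication") for b in body):
            findings.append(("HIGH", f"{opener}: not authenticating against the local database (login local)"))
    return findings


if __name__ == "__main__":
    for severity, message in audit():
        print(f"[{severity}] {message}")
```

On the sample, lines vty 0 4 pass while vty 5 15 are flagged twice: the second vty range is the one an attacker reaches once the first fills up, so every vty line, not only the first range, needs transport input ssh and login local.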

CONNECT A ROUTER TO AN SSH-ENABLED ROUTER

— show ssh — verify the status of client connections
— two different ways to connect to an SSH-enabled router
o by default, when SSH is enabled, a Cisco router can act as an SSH server or SSH
client
▪ as a server: the router can accept SSH client connections
▪ as a client: the router can connect via SSH to another SSH-enabled router
— e.g. ssh -l Bob 192.168.2.101 — connect from R2 to R1 (-l gives the login username)

CONNECT A HOST TO AN SSH-ENABLED ROUTER

— connect using an SSH client (e.g., PuTTY, OpenSSH, TeraTerm) running on a host
— Generally, the SSH client initiates an SSH connection to the router
— The router SSH service prompts for the correct username and password combination
— After the login is verified, the router can be managed as if the admin were using a standard
Telnet session
CONFIGURE PRIVILEGE LEVELS
LIMITING COMMAND AVAILABILITY

— Cisco IOS can provide infrastructure access using privilege levels or role-based CLI
— By default, the Cisco IOS software CLI has two levels of access to commands:
o User EXEC mode (privilege level 1), and Privileged EXEC mode (privilege
level 15)
— 16 privilege levels in total (higher = the user has more router access)
— Commands available at lower levels are also executable at higher levels
o Level 0: predefined for user-level access privileges. Seldom used, but includes
five commands: disable, enable, exit, help, and logout
o Level 1: default level for login with the router prompt Router>. The user cannot
make any changes or view the running configuration file
o Levels 2-14: may be customised for user-level privileges. Commands from
lower levels may be moved up to a higher level, or higher-level
commands can be moved down to a lower level
o Level 15: reserved for enable mode privileges (enable command). Users can
change configurations and view configuration files
LIMITING COMMAND AVAILABILITY

— privilege mode {level level | reset} command — assign commands to a custom privilege level

CONFIGURING AND ASSIGNING PRIVILEGE LEVELS

— privilege exec level level [command] — configure a privilege level with specific commands
— There are two methods for assigning passwords to the different privilege levels:
o username name privilege level secret password — (global). Assign a privilege level to a
specific user
o enable secret level level password — (global). Set the password used to enter a specific
privilege level
LIMITATIONS OF PRIVILEGE LEVELS

— no access control to specific interfaces, ports, logical interfaces, and slots on a router
— commands available at lower privilege levels are always executable at higher levels
— commands specifically set at a higher privilege level are not available for lower
privileged users
— assigning a command with multiple keywords allows access to all commands that use
those keywords. E.g. allowing access to show ip route allows the user access to all
‘show’ and ‘show ip’ commands
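The inheritance rule and the multi-keyword limitation above can be checked with a small model of the privilege table. This is an added example for these notes, not Cisco code: the default command levels are a constructed catalogue (real defaults vary by platform), privilege exec level moves the named command and lowers any of its keyword prefixes that sat above the new level (the side effect the notes warn about; prefixes are never raised by this model), and a user can run every command at or below their level.

```python
from typing import Dict, List, Optional, Tuple

Cmd = Tuple[str, ...]

# Constructed default levels (the real defaults vary by platform and release).
# Level 0 holds the five commands the notes list; 1 is user EXEC; 15 is privileged EXEC.
DEFAULT_LEVELS: Dict[Cmd, int] = {
    ("disable",): 0, ("enable",): 0, ("exit",): 0, ("help",): 0, ("logout",): 0,
    ("ping",): 1, ("show",): 1, ("show", "version"): 1,
    ("show", "ip"): 1, ("show", "ip", "interface"): 1,
    ("show", "ip", "route"): 15, ("show", "running-config"): 15,
    ("configure", "terminal"): 15, ("reload",): 15,
    ("debug",): 15, ("debug", "ip"): 15, ("debug", "ip", "ospf"): 15,
}


class PrivilegeTable:
    """Resolves command availability the way IOS privilege levels do (model, not IOS code)."""

    def __init__(self, defaults: Dict[Cmd, int] = DEFAULT_LEVELS) -> None:
        self.defaults = dict(defaults)
        self.levels = dict(defaults)

    def privilege_exec_level(self, level: int, command: str) -> List[Cmd]:
        """'privilege exec level <level> <command>'.

        The command moves to <level>. Each keyword prefix ('debug', 'debug ip' for
        'debug ip ospf') that sits above <level> is lowered to it, so the prefix
        keywords become reachable too. Returns the prefixes that were lowered.
        """
        if not 0 <= level <= 15:
            raise ValueError("privilege levels run from 0 to 15")
        words = tuple(command.split())
        self.levels[words] = level
        lowered: List[Cmd] = []
        for i in range(1, len(words)):
            prefix = words[:i]
            if self.levels.get(prefix, 15) > level:
                self.levels[prefix] = level
                lowered.append(prefix)
        return lowered

    def privilege_exec_reset(self, command: str) -> None:
        """'privilege exec reset <command>': restore the command's default level."""
        words = tuple(command.split())
        if words in self.defaults:
            self.levels[words] = self.defaults[words]
        else:
            self.levels.pop(words, None)

    def level_of(self, command: str) -> Optional[int]:
        return self.levels.get(tuple(command.split()))

    def can_run(self, user_level: int, command: str) -> bool:
        """Commands at or below the user's level are executable (higher levels inherit lower)."""
        lvl = self.level_of(command)
        return lvl is not None and lvl <= user_level

    def available(self, user_level: int) -> List[str]:
        return sorted(" ".join(c) for c, lvl in self.levels.items() if lvl <= user_level)


def demo() -> dict:
    table = PrivilegeTable()
    out = {"before": table.can_run(5, "show ip route")}        # level-15 command, level-5 user
    table.privilege_exec_level(5, "show ip route")
    out["after"] = table.can_run(5, "show ip route")
    out["others_closed"] = not table.can_run(5, "show running-config")
    # the side effect from the notes: opening 'debug ip ospf' at level 5 opens 'debug' and 'debug ip'
    out["prefixes_lowered"] = table.privilege_exec_level(5, "debug ip ospf")
    out["inherited"] = table.can_run(15, "show ip route") and table.can_run(15, "ping")
    # moving a command up restricts lower levels; reset returns it to the default
    table.privilege_exec_level(15, "ping")
    out["ping_restricted"] = not table.can_run(1, "ping")
    table.privilege_exec_reset("ping")
    out["ping_restored"] = table.can_run(1, "ping")
    return out


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
    print("level 0 commands:", PrivilegeTable().available(0))
```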
CONFIGURE ROLE-BASED CLI
ROLE-BASED CLI ACCESS

— Cisco IOS Release 12.3(11)T feature that provides finer, more granular access by controlling
which commands are available to specific roles
— Role-based CLI access enables the network admin to create different views of router
configurations for different users
— Each view defines the CLI commands that each user can access
— It addresses security, availability, and operational efficiency
ROLE-BASED VIEWS

— Role-based CLI provides three types of views that dictate which commands are available
o Root View: to configure any view for the system, the admin must be in root
view
o CLI View: a specific set of commands can be bundled into a CLI view
o Superview: a superview consists of one or more CLI views
— Superviews have several specific characteristics:
o A single CLI view can be shared within multiple superviews
o Commands cannot be configured for a superview. An admin must add
commands to the CLI view and add that CLI view to the superview
o Users logged into a superview can access all the commands that are configured
for any of the CLI views that are part of the superview
o Each superview has a password that is used to switch between superviews or
from a CLI view to a superview
o Deleting a superview does not delete the associated CLI views. The CLI views
remain available to be assigned to another superview

CONFIGURE ROLE-BASED VIEWS

— There are five steps to create and manage a specific view:
1. Enable AAA (aaa new-model (global)) | Exit and enter root view (enable [view
[view-name]])
2. Create a view (parser view view-name (global)). This enables view
configuration mode
3. Assign a secret password to the view (secret password (config-view))
4. Assign commands to the selected view (commands parser-mode (config-view))
5. Exit view configuration mode (exit)
— Below is a list of commands and the description

CONFIGURE ROLE-BASED CLI SUPERVIEWS

— Steps are essentially the same as configuring a CLI view, except that the view view-name
command is used to assign CLI views to the superview
1. Create the view and enter superview configuration mode (parser view view-name
superview)
2. Assign a secret password to the view (secret password). This sets a password to
protect access to the superview
3. Assign an existing view (view view-name (view-config)). Adds a CLI view to the
superview
4. Exit superview configuration (exit)

VERIFY ROLE-BASED CLI VIEWS

— enable view view-name — verify a view. Enter the name of the view to verify and
provide the password to log into the view
— use the question mark (?) command to verify that the commands available in the view are
correct. The example enables the USER superview and lists the commands available in
the view

— the example below enables the SUPPORT superview and lists the commands available
in the view

— this example enables the JR-ADMIN view and lists the commands available in the view

— By not specifying a view for the enable view command, you can log in as root. From the
root view, use the show parser view all command to see a summary of all views
SUMMARY
SECURE CISCO IOS IMAGE AND CONFIGURATION FILES
CISCO IOS RESILIENT CONFIGURATION FEATURE
— Cisco IOS resilient configuration feature allows for faster recovery if someone
maliciously or unintentionally reformats flash memory or erases the startup
configuration file in non-volatile random-access memory (NVRAM)
o The config file in the primary bootset is a copy of the running configuration
that was in the router when the feature was first enabled
o The feature secures the smallest working set of files to preserve persistent
storage space
o No extra space is required to secure the primary Cisco IOS image file. The
feature automatically detects image or configuration version mismatch
o Only local storage is used for securing files
o The feature can be disabled only through a console session

ENABLING THE IOS IMAGE RESILIENCE FEATURE


— To secure IOS image and enable Cisco IOS image resilience = use secure boot-image
global configuration command.
— When enabled for the first time = the running Cisco IOS image is secured, and a log
entry is generated
— Disable Cisco IOS image resilience feature = use no form of the command (only way)
— show secure bootset = verify existence of the archive
— secure boot-config = take snapshot of the router running configuration and securely
archive it in persistent storage | global config mode command
— The configuration archive is hidden and cannot be viewed or removed from the CLI
prompt
— Can repeatedly use secure boot-config command to upgrade the configuration archive
to a newer version after new configuration commands have been issued
THE PRIMARY BOOTSET IMAGE
— Restore a primary bootset from a secure archive after the router has been tampered with,
as follows:
1. Reload router using reload command. If necessary, issue the break sequence to
enter ROM monitor (ROMmon) mode
2. From ROMmon mode, enter dir command to list the contents of the device that
contains the secure bootset file
3. Boot the router with the secure bootset image using the boot command followed by
the flash memory location (e.g. flash0), a colon, and the filename found in Step 2
4. Enter global config mode and restore the secure configuration to a filename of your
choice using the secure boot-config restore command followed by the flash
memory location (e.g. flash0), a colon, and a filename of your choice. In the figure,
the filename rescue-cfg is used
5. Exit global configuration mode and issue the copy command to copy the rescued
configuration file to the running configuration
CONFIGURING SECURE COPY
— The Secure Copy Protocol (SCP) feature is used to remotely copy IOS and configuration
files. SCP provides a secure and authenticated method for copying router configuration
or router image files to a remote location. SCP relies on SSH to secure
communication and on AAA to provide authentication and authorisation
— Configure the router for server-side SCP with local AAA:
1. Configure SSH, if not already configured
2. For local authentication, configure at least one local database user with privilege
level 15
3. Enable AAA with the aaa new-model global config command
4. Use the aaa authentication login default local command to specify that the local
database be used for authentication
5. Use the aaa authorization exec default local command to configure command
authorisation. In this example, all local users will have access to EXEC commands
6. Enable SCP server-side functionality with the ip scp server enable command
RECOVER A ROUTER PASSWORD
— If a router is compromised or needs to be recovered from a misconfigured password, an
administrator must use password recovery procedures, such as the following steps:
1. Connect to the console port
2. Record the configuration register setting
3. Power cycle the router
4. Issue the break sequence
5. Change the default configuration register with the confreg 0x2142 command
6. Reboot the router
7. Press Ctrl-C to skip the initial setup procedure
8. Put the router into privileged EXEC mode
9. Copy the startup configuration to the running configuration
10. Verify the configuration
11. Change the enable secret password
12. Enable all interfaces
13. Return the configuration-register to the original setting recorded from step 2. Use
the config-register global config command
14. Save the configuration changes
PASSWORD RECOVERY
— If someone gained physical access to a router, they could potentially gain control of that
device through the password recovery procedure
— An administrator can mitigate this potential security breach by using the no service
password-recovery global config mode command
— This command is a hidden Cisco IOS command and has no arguments or keywords
— When the no service password-recovery command is entered, a warning message
displays and must be acknowledged before the feature is enabled, as shown in the
figure:
— When it is configured, the show running-config command displays a no service
password-recovery statement, as shown here:

— To recover a device after the no service password-recovery command is entered,
initiate the break sequence within five seconds after the image decompresses during the
boot
— You are prompted to confirm the break key action. After the action is confirmed, the
startup configuration is completely erased, the password recovery procedure is enabled,
and the router boots with the factory default configuration
— If you do not confirm the break action, the router boots normally with the no service
password-recovery command enabled
LOCK DOWN A ROUTER USING AUTOSECURE
DISCOVERY PROTOCOLS CDP AND LLDP
— Some of the default services can make the device vulnerable to attack if security is not
enabled
o The Cisco Discovery Protocol (CDP) is an example of a service that is enabled
by default on Cisco routers
o The Link Layer Discovery Protocol (LLDP) is an open standard that can be
enabled on Cisco devices, as well as other vendor devices that support LLDP
o The intent of CDP and LLDP = to make it easier for administrators to discover
and troubleshoot other devices on the network. However, because of the
security implications, these discovery protocols should be used with caution
o Edge devices are an example of a device that should have this feature disabled
— LLDP configuration and verification is similar to CDP

SETTINGS FOR PROTOCOLS AND SERVICES


— Attackers choose services and protocols that make the network more vulnerable to
malicious exploitation. Many of these features should be disabled or restricted in their
capabilities based on the security needs of an organisation
— These features range from network discovery protocols, such as CDP and LLDP, to
globally available protocols such as ICMP and other scanning tools
— The following table summarises the feature and default settings for protocols and
services:

FEATURE — DEFAULT
Cisco Discovery Protocol (CDP) — Enabled
Link Layer Discovery Protocol (LLDP) — Disabled
Configuration autoloading — Disabled
FTP server — Disabled
TFTP server — Disabled
Network Time Protocol (NTP) service — Disabled
Packet assembler / disassembler (PAD) service — Enabled
TCP and User Datagram Protocol (UDP) minor services — Enabled in versions 11.3 and later
Maintenance Operation Protocol (MOP) service — Enabled on most Ethernet interfaces
Simple Network Management Protocol (SNMP) — Enabled
HTTP or HTTPS configuration and monitoring — Setting is Cisco device dependent
Domain Name System (DNS) — Enabled
Internet Control Message Protocol (ICMP) redirects — Enabled
IP source routing — Enabled
Finger service — Enabled
ICMP unreachable notifications — Enabled
ICMP mask reply — Disabled
IP identification service — Enabled
TCP keepalives — Disabled
Gratuitous ARP (GARP) — Enabled
Proxy ARP — Enabled
— The table below shows recommended security settings for protocols and services:

FEATURE — RECOMMENDATION
Link Layer Discovery Protocol (LLDP) — Should be disabled globally or on a per-interface basis if it is not required
Configuration autoloading — Should remain disabled when not in use by the router
FTP server — Should be disabled when it is not required
TFTP server — Should be disabled when it is not required
Network Time Protocol (NTP) service — Should remain disabled when it is not required
Packet assembler / disassembler (PAD) service — Should be explicitly disabled when not in use
TCP and User Datagram Protocol (UDP) minor services — Disable this service explicitly
Maintenance Operation Protocol (MOP) service — Should be explicitly disabled when it is not in use
Simple Network Management Protocol (SNMP) — Disable this service when it is not required
HTTP or HTTPS configuration and monitoring — Disable the service if it is not required. If this service is required, restrict access to the router HTTP or HTTPS service using access control lists (ACLs)
Domain Name System (DNS) — Disable when it is not required. If the DNS lookup service is required, ensure that you set the DNS server address explicitly
Internet Control Message Protocol (ICMP) redirects — Disable when it is not required
IP source routing — Disable this service when it is not required
Finger service — Disable this service when it is not required
ICMP unreachable notifications — Disable on interfaces to untrusted networks
ICMP mask reply — Disable on interfaces to untrusted networks
IP identification service — Service should be explicitly disabled
TCP keepalives — Should be enabled globally to manage TCP connections and prevent certain denial of service (DoS) attacks. The service is enabled in Cisco IOS Software releases before Cisco IOS Release 12.0 and is disabled in Cisco IOS Release 12.0 and later. Disable this service when it is not required
Gratuitous ARP (GARP) — Disable gratuitous ARPs on each router interface unless this service is needed
Proxy ARP — Disable this service on each interface
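The two tables above translate into a checklist that can be run against a running-config. The script below is an added example for these notes, not Cisco tooling: it reads a constructed edge-router config, treats each default-enabled row as satisfied only when the explicit "no" form of the enabling command is present (the "explicitly disabled" wording of the table), treats each default-disabled row as satisfied when nothing has switched it on, checks the per-interface rows on every interface stanza (ICMP unreachables and mask reply only on a constructed set of untrusted interfaces), and applies the HTTP/ACL, DNS server and TCP keepalive rules. The IOS command names used are the standard ones; the mapping of the table rows onto them is this example's assumption.

```python
from typing import Dict, List, Tuple

# Constructed running-config excerpt for an edge router.
SAMPLE_CONFIG = """\
hostname R1
no service pad
no service tcp-small-servers
no service udp-small-servers
service tcp-keepalives-in
service tcp-keepalives-out
no ip source-route
no ip finger
no ip identd
no ip gratuitous-arps
ip http server
ip name-server 10.0.0.53
interface GigabitEthernet0/0
 description Outside (untrusted)
 ip address 203.0.113.1 255.255.255.0
 no ip redirects
 no ip proxy-arp
 no mop enabled
interface GigabitEthernet0/1
 description Inside
 ip address 10.0.0.1 255.255.255.0
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 no mop enabled
"""
UNTRUSTED = {"GigabitEthernet0/0"}   # interfaces facing untrusted networks (constructed)

# (feature, enabled by default, IOS command that enables it). A default-enabled
# feature counts as disabled only when the explicit 'no <command>' line is present;
# a default-disabled one just must not have been switched on.
GLOBAL_SERVICES = [
    ("CDP", True, "cdp run"),
    ("LLDP", False, "lldp run"),
    ("Configuration autoloading", False, "service config"),
    ("FTP server", False, "ftp-server enable"),
    ("TFTP server", False, "tftp-server"),
    ("PAD service", True, "service pad"),
    ("TCP small servers", True, "service tcp-small-servers"),
    ("UDP small servers", True, "service udp-small-servers"),
    ("Finger service", True, "ip finger"),
    ("IP source routing", True, "ip source-route"),
    ("IP identification service", True, "ip identd"),
    ("Gratuitous ARP", True, "ip gratuitous-arps"),
]
# (feature, enabled by default, command, check only on untrusted interfaces)
INTERFACE_SERVICES = [
    ("ICMP redirects", True, "ip redirects", False),
    ("Proxy ARP", True, "ip proxy-arp", False),
    ("MOP", True, "mop enabled", False),
    ("ICMP unreachables", True, "ip unreachables", True),
    ("ICMP mask reply", False, "ip mask-reply", True),
]


def split_config(config: str) -> Tuple[List[str], Dict[str, List[str]]]:
    """Global lines and the indented body of each 'interface' stanza."""
    glines: List[str] = []
    ifaces: Dict[str, List[str]] = {}
    current = None
    for raw in config.splitlines():
        if not raw.strip() or raw.startswith("!"):
            continue
        if raw.startswith(" ") and current is not None:
            ifaces[current].append(raw.strip())
            continue
        line = raw.strip()
        current = None
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            ifaces[current] = []
        else:
            glines.append(line)
    return glines, ifaces


def check(lines: List[str], feature: str, default_on: bool, c: str, where: str) -> str:
    """Empty string when the recommendation is met, otherwise a finding with the fix."""
    if default_on:
        disabled = f"no {c}" in lines
    else:
        disabled = not any(l == c or l.startswith(c + " ") for l in lines)
    return "" if disabled else f"{where}: {feature} is enabled; apply 'no {c}'"


def audit(config: str = SAMPLE_CONFIG, untrusted=UNTRUSTED) -> List[str]:
    glines, ifaces = split_config(config)
    findings = [f for f in (check(glines, *svc, "global") for svc in GLOBAL_SERVICES) if f]
    # TCP keepalives are the one row the table wants switched on
    for kw in ("service tcp-keepalives-in", "service tcp-keepalives-out"):
        if kw not in glines:
            findings.append(f"global: {kw} is not enabled")
    # HTTP(S) management is acceptable only behind an ACL
    http_on = any(l in ("ip http server", "ip http secure-server") for l in glines)
    if http_on and not any(l.startswith("ip http access-class") for l in glines):
        findings.append("global: HTTP/HTTPS server enabled without an 'ip http access-class' ACL")
    # DNS lookups left on require an explicit server address
    lookups_off = any(l in ("no ip domain lookup", "no ip domain-lookup") for l in glines)
    if not lookups_off and not any(l.startswith("ip name-server") for l in glines):
        findings.append("global: DNS lookup enabled with no explicit ip name-server")
    for name, body in ifaces.items():
        for feature, on, c, untrusted_only in INTERFACE_SERVICES:
            if untrusted_only and name not in untrusted:
                continue
            f = check(body, feature, on, c, name)
            if f:
                findings.append(f)
    return findings


if __name__ == "__main__":
    for finding in audit():
        print(finding)
```

The sample deliberately leaves three gaps (CDP still running, HTTP without an ACL, unreachables on the outside interface) so the report is not empty; a config with the three fixes applied audits clean.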

CISCO AUTOSECURE
— AutoSecure can lock down the management plane functions and the forwarding plane
services and functions of a router. There are several management plane services and
functions:
o Secure BOOTP, CDP, FTP, TFTP, PAD, UDP, and TCP small servers, MOP,
ICMP (redirects, mask-replies), IP source routing, Finger, password encryption,
TCP keepalives, gratuitous ARP, proxy ARP, and directed broadcast
o Legal notification using a banner
o Secure password and login functions
o Secure NTP
o Secure SSH access
o TCP intercept services
— There are three forwarding plane services and functions that AutoSecure enables:
o Cisco Express Forwarding (CEF)
o Traffic filtering with ACLs
o Cisco IOS firewall inspection for common protocols

CISCO AUTOSECURE COMMAND SYNTAX


— auto secure = enable Cisco AutoSecure feature setup
— This setup can be interactive or non-interactive. The figure shows the command syntax
for the auto secure command:

USING THE AUTOSECURE COMMAND


— When the auto secure command is initiated, a CLI wizard steps the administrator
through the configuration of the device. User input is required
1. auto secure command is entered. The router displays the AutoSecure configuration
wizard welcome message
2. The wizard gathers information about the outside interfaces
3. AutoSecure secures the management plane by disabling unnecessary services
4. AutoSecure prompts for a banner
5. AutoSecure prompts for passwords and enables password and login features
6. Interfaces are secured
7. The forwarding plane is secured
— AutoSecure should be used when a router is initially being configured. It is not
recommended on production routers
ROUTING PROTOCOL AUTHENTICATION
DYNAMIC ROUTING PROTOCOLS
— Dynamic routing protocols perform several activities: including network discovery and
maintaining routing tables
— Important advantages of dynamic routing protocols are the ability to select a best path,
and the ability to automatically discover a new best path when there is a change in the
topology
— A dynamic routing protocol allows the routers to automatically learn about these
networks from other routers
— The figure shows routers R1 and R2 using a common routing protocol to share network
information:

ROUTING PROTOCOL SPOOFING


— Routing systems can be attacked by disrupting peer network routers, or by falsifying or
spoofing the information carried with the routing protocols. Spoofing routing
information may generally be used to cause systems to misinform (lie to) each other,
cause a DoS attack, or cause traffic to follow a path it would not normally follow
— There are several consequences of routing information being spoofed:
o Redirecting traffic to create routing loops
o Redirecting traffic so it can be monitored on an insecure link
o Redirecting traffic to discard it
OSPF MD5 ROUTING PROTOCOL AUTHENTICATION
— Enable OSPF MD5 authentication globally:
o ip ospf message-digest-key key md5 password interface configuration
command
o area area-id authentication message-digest router configuration command
o This method forces authentication on all OSPF enabled interfaces. If an
interface is not configured with the ip ospf message-digest-key command, it
will not be able to form adjacencies with other OSPF neighbours
— Enable MD5 authentication on a per interface basis:
o ip ospf message-digest-key key md5 password interface configuration
o ip ospf authentication message-digest interface configuration command

OSPF SHA ROUTING PROTOCOL AUTHENTICATION


— MD5 is now considered vulnerable to attacks and should only be used when stronger
authentication is not available. Administrators should use SHA authentication as long as
all of the router operating systems support OSPF SHA authentication
1. Specify an authentication key chain in global configuration mode:
a. Configure a key chain with the key chain command
b. Assign the key chain a number and a password with the key and key-string
commands
c. Specify SHA authentication with the cryptographic-algorithm command
d. (Optional) Specify when this key will expire with the send-lifetime
command
2. Assign the authentication key to the desired interfaces with the ip ospf
authentication key-chain command

— The next slide shows an authentication example for R1 and R2
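The slide referred to is not reproduced here. As an added example for these notes (not Cisco code), the model below shows what the key-chain configuration above achieves on the wire: a sender picks the key whose send-lifetime covers the current time, attaches a key id, a cryptographic sequence number and a digest, and the receiver only accepts packets whose digest matches under the same shared key and whose sequence number has advanced. The MD5 mode follows the RFC 2328 Appendix D idea of appending the key and hashing; the SHA mode is HMAC-SHA-256, a simplification of RFC 5709 (the Apad step is not modelled). Packet bytes, key strings and lifetimes are constructed.

```python
import hashlib
import hmac
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class Key:
    """One 'key <id>' entry of a key chain (constructed values)."""
    key_id: int
    key_string: bytes
    algorithm: str                  # cryptographic-algorithm: "md5" or "hmac-sha-256"
    send_start: int = 0             # send-lifetime start, seconds on a constructed clock
    send_end: Optional[int] = None  # send-lifetime end; None = infinite

    def active(self, now: int) -> bool:
        return self.send_start <= now and (self.send_end is None or now < self.send_end)


def digest(key: Key, data: bytes) -> bytes:
    if key.algorithm == "md5":
        # RFC 2328 Appendix D: the secret (padded to 16 bytes) is appended and MD5 taken
        return hashlib.md5(data + key.key_string.ljust(16, b"\0")).digest()
    if key.algorithm == "hmac-sha-256":
        # simplified RFC 5709: keyed HMAC over the packet (no Apad step modelled)
        return hmac.new(key.key_string, data, hashlib.sha256).digest()
    raise ValueError(f"unsupported algorithm {key.algorithm}")


@dataclass
class KeyChain:
    name: str
    keys: List[Key]

    def send_key(self, now: int) -> Optional[Key]:
        """Lowest-numbered key whose send-lifetime covers 'now'."""
        for key in sorted(self.keys, key=lambda k: k.key_id):
            if key.active(now):
                return key
        return None

    def find(self, key_id: int) -> Optional[Key]:
        return next((k for k in self.keys if k.key_id == key_id), None)


def sign(chain: KeyChain, packet: bytes, seq: int, now: int) -> Tuple[int, int, bytes]:
    """Sender: returns (key id, cryptographic sequence number, digest) to attach."""
    key = chain.send_key(now)
    if key is None:
        raise RuntimeError(f"key chain {chain.name}: no key active at {now}")
    return key.key_id, seq, digest(key, packet + seq.to_bytes(4, "big"))


def verify(chain: KeyChain, packet: bytes, key_id: int, seq: int, tag: bytes, last_seq: int) -> bool:
    """Receiver: key id must be known, sequence must advance (replay), digest must match."""
    key = chain.find(key_id)
    if key is None or seq <= last_seq:
        return False
    return hmac.compare_digest(digest(key, packet + seq.to_bytes(4, "big")), tag)


def make_chain(name: str) -> KeyChain:
    # the same two keys on both routers; key 1 stops sending at t=1000, key 2 starts at t=900
    return KeyChain(name, [
        Key(1, b"constructed-key-one", "hmac-sha-256", 0, 1000),
        Key(2, b"constructed-key-two", "hmac-sha-256", 900, None),
    ])


HELLO = b"\x02\x01\x00\x2c\x01\x01\x01\x01" + b"\x00" * 36   # constructed OSPF hello bytes


def demo() -> dict:
    r1, r2 = make_chain("R1-OSPF-KEYS"), make_chain("R2-OSPF-KEYS")
    kid, seq, tag = sign(r1, HELLO, 1, now=100)
    out = {"accepted": verify(r2, HELLO, kid, seq, tag, last_seq=0), "key_used": kid}
    out["tampered_rejected"] = not verify(r2, HELLO + b"\x01", kid, seq, tag, last_seq=0)
    out["replay_rejected"] = not verify(r2, HELLO, kid, seq, tag, last_seq=seq)
    kid2, seq2, tag2 = sign(r1, HELLO, 2, now=1500)          # key 1 expired, key 2 takes over
    out["rotated_key"] = kid2
    out["rotated_accepted"] = verify(r2, HELLO, kid2, seq2, tag2, last_seq=seq)
    # a router that does not hold the shared key cannot produce an acceptable digest
    unkeyed = KeyChain("NO-SHARED-SECRET", [Key(2, b"guessed", "hmac-sha-256")])
    kid3, seq3, tag3 = sign(unkeyed, HELLO, 3, now=1500)
    out["unkeyed_rejected"] = not verify(r2, HELLO, kid3, seq3, tag3, last_seq=seq2)
    return out


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The overlapping send-lifetimes (key 2 valid from 900, key 1 until 1000) are what lets a key be rotated without adjacencies dropping: both routers hold both keys during the overlap, so whichever key the sender is using, the receiver can look it up by id.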

SECURE MANAGEMENT AND REPORTING


TYPES OF MANAGEMENT ACCESS
— From a reporting standpoint, most network devices can send log data that is invaluable
when troubleshooting network problems or security threats. This data can be viewed in
real time, on demand, and in scheduled reports
— When logging and managing information, the information flow between management
hosts and the managed devices can take two paths:
o In-band – information flows across an enterprise production network, the
internet, or both, using regular data channels
o Out-of-band (OOB) – information flows on a dedicated management network
on which no production traffic resides
OUT-OF-BAND AND IN-BAND ACCESS
— As a general rule, for security purposes, OOB management is appropriate for large
enterprise networks. However, it is not always desirable
— The decision to use OOB management depends on the type of management
applications running and the protocols being monitored
— OOB management guidelines are:
o Provide the highest level of security
o Mitigate the risk of passing insecure management protocols over the production
network
— In-band management is recommended in smaller networks as a means of achieving a
more cost-effective security deployment
— In such architectures, management traffic flows in-band in all cases. It is made as secure
as possible using secure management protocols, for example using SSH instead of
Telnet.
— In-band management guidelines are:
o Apply only to devices that need to be managed or monitored
o Use IPsec, SSH, or SSL when possible
o Decide whether the management channel needs to be open at all times
NETWORK SECURITY USING SYSLOG
INTRODUCTION TO SYSLOG
— Most common method of accessing system messages is to use a protocol called syslog
— Syslog is a term used to describe a standard
— It is also used to describe the protocol developed for that standard
— Many networking devices support syslog, including routers, switches, application
servers, firewalls, and other network appliances
— The syslog protocol allows networking devices to send their system messages across the
network to syslog servers
— The syslog logging service provides three primary functions, as follows:
o The ability to gather logging information for monitoring and troubleshooting
o The ability to select the type of logging information that is captured
o The ability to specify the destinations of captured syslog messages

SYSLOG OPERATION
— On Cisco network devices, the syslog protocol starts by sending system messages and
debug output to a local logging process that is internal to the device
— How the logging process manages these messages and outputs is based on device
configuration
— As shown in the figure, popular destinations for syslog messages include the:
o Logging buffer (RAM inside a router or switch)
o Console line
o Terminal line
o Syslog server

— It is possible to remotely monitor system messages by viewing the logs on a syslog
server, or by accessing the device through Telnet, SSH, or through the console port
SYSLOG MESSAGE FORMAT
— Cisco devices produce syslog messages as a result of network events. Every syslog
message contains a severity level and a facility
— The smaller numerical levels are the more critical syslog alarms

Severity Name    Severity Level   Description
Emergency        Level 0          System Unstable
Alert            Level 1          Immediate Action Needed
Critical         Level 2          Critical Condition
Error            Level 3          Error Condition
Warning          Level 4          Warning Condition
Notification     Level 5          Normal, but Significant Condition
Informational    Level 6          Informational Message
Debugging        Level 7          Debugging Message

SYSLOG FACILITIES
— Syslog facilities are service identifiers that identify and categorise system state data for
error and event message reporting
— The logging facility options that are available are specific to the networking device
— By default, the format of syslog messages on the Cisco IOS Software is as follows:

— For example, sample output on a Cisco switch for an EtherChannel link changing state
to up is:

— Here the facility is LINK and the severity level is 3, with a MNEMONIC of UPDOWN
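A small parser for messages in the %FACILITY-SEVERITY-MNEMONIC form the notes describe, as an added example that is not code from the lecture notes or from Cisco. It also models the effect of a trap severity level on what a syslog server receives. The sample lines, the sequence-number and timestamp forms, and the 10.2.2.6 server address are constructed for the demo:

```python
"""Parse Cisco IOS-style syslog messages and apply a trap-level filter.

Added example, not code from the lecture notes. It assumes the message form
the notes describe (%FACILITY-SEVERITY-MNEMONIC: text), optionally preceded
by a sequence number and a 'service timestamps log datetime' stamp. Every
sample line below is constructed.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# Severity table from the notes: the lower the number, the more critical.
SEVERITY_NAMES = {
    0: "Emergency", 1: "Alert", 2: "Critical", 3: "Error",
    4: "Warning", 5: "Notification", 6: "Informational", 7: "Debugging",
}

# Optional sequence number, optional timestamp, then %FACILITY-SEV-MNEMONIC: text
_MSG_RE = re.compile(
    r"^(?:(?P<seq>\d+):\s*)?"
    r"(?:(?P<ts>\*?[A-Z][a-z]{2}\s+\d{1,2}\s+\d{2}:\d{2}:\d{2}(?:\.\d+)?"
    r"(?:\s+[A-Za-z]+)?):\s*)?"
    r"%(?P<facility>[A-Z0-9_]+)-(?P<severity>[0-7])-(?P<mnemonic>[A-Z0-9_]+):\s*"
    r"(?P<text>.*)$"
)


@dataclass(frozen=True)
class SyslogMessage:
    facility: str
    severity: int
    mnemonic: str
    text: str
    timestamp: Optional[str] = None
    seq: Optional[int] = None

    @property
    def severity_name(self) -> str:
        return SEVERITY_NAMES[self.severity]


def parse_message(line: str) -> SyslogMessage:
    """Split one IOS log line into facility, severity, mnemonic and text."""
    m = _MSG_RE.match(line.strip())
    if m is None:
        raise ValueError(f"not a Cisco-style syslog message: {line!r}")
    return SyslogMessage(
        facility=m["facility"],
        severity=int(m["severity"]),
        mnemonic=m["mnemonic"],
        text=m["text"],
        timestamp=m["ts"],
        seq=int(m["seq"]) if m["seq"] else None,
    )


def forwarded_to_server(messages: List[SyslogMessage],
                        trap_level: int) -> List[SyslogMessage]:
    """Model 'logging trap <level>': the syslog server receives every message
    whose severity number is at or below the level, i.e. at least that severe."""
    if not 0 <= trap_level <= 7:
        raise ValueError("trap level must be 0..7")
    return [msg for msg in messages if msg.severity <= trap_level]


def summarise(lines: List[str], trap_level: int = 4) -> List[str]:
    """Return 'SeverityName FACILITY/MNEMONIC' for each line the server would get."""
    parsed = [parse_message(line) for line in lines]
    return [f"{m.severity_name} {m.facility}/{m.mnemonic}"
            for m in forwarded_to_server(parsed, trap_level)]


# Constructed sample lines. The first mirrors the EtherChannel example in the
# notes; the second carries a sequence number and a datetime stamp; 10.2.2.6
# is the syslog server address the notes use.
SAMPLE_LOG = [
    "%LINK-3-UPDOWN: Interface Port-channel1, changed state to up",
    "000123: *Jun 12 10:31:59.456: %SYS-5-CONFIG_I: Configured from console "
    "by admin on vty0 (10.2.2.6)",
    "Jun 12 10:32:04.001 UTC: %LINEPROTO-5-UPDOWN: Line protocol on Interface "
    "GigabitEthernet0/0/0, changed state to up",
    "%SYS-6-LOGGINGHOST_STARTSTOP: Logging to host 10.2.2.6 port 514 started",
]

if __name__ == "__main__":
    for m in (parse_message(line) for line in SAMPLE_LOG):
        stamp = m.timestamp or "(no timestamp)"
        print(f"{stamp:<25} {m.severity} {m.severity_name:<13} {m.facility}-{m.mnemonic}")
    print("forwarded at trap level 4:", summarise(SAMPLE_LOG, 4))
```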
CONFIGURE SYSLOG TIMESTAMPS
— By default, log messages are not timestamped
— Log messages should be timestamped so that when they are sent to another destination,
such as a syslog server, there is a record of when the message was generated
— service timestamps log datetime = forces logged events to display the date and time
— As shown in the command output, when the R1 GigabitEthernet 0/0/0 interface is
reactivated, the log messages now contain the date and time
SYSLOG SYSTEMS
— Syslog implementations always contain two types of systems:
o Syslog servers (log hosts): these systems accept and process log messages from
syslog clients
o Syslog clients: routers or other types of equipment that generate and forward
log messages to syslog servers
— The topology in the figure identifies the syslog server at IP address 10.2.2.6. The rest of
the servers and devices in the topology can be configured as syslog clients, which send
syslog messages to the syslog server

SYSLOG CONFIGURATION
— Configure system logging with the following steps:
1. Set the destination logging host using the logging [host] command
2. (Optional) Set the log severity (trap) level using the logging trap command
3. (Optional) Set the source interface using the logging source-interface command
4. (Optional) Enable logging to all enabled destinations with the logging on command
NTP CONFIGURATION
TIME AND CALENDAR SERVICES
— The software clock on a router or switch starts when the system boots
— It is the primary source of time for the system
— It is important to synchronise the time across all devices on the network because all
aspects of managing, securing, troubleshooting, and planning networks require accurate
timestamping
— The date and time settings on a router or switch can be manually configured, using the
clock set command, as shown in the example:

NTP CONFIGURATION
— NTP networks use a hierarchical system of time sources
— Each level in this hierarchical system is called a stratum
— The stratum level is defined as the number of hop counts from the authoritative source
— The sample network consists of four stratum levels that acquire their times as follows:
o Stratum 1 server gets its time from the stratum 0 time source
o Stratum 2 server gets its time from the stratum 1 server
o Stratum 3 server gets its time from the stratum 2 server

CONFIGURE AND VERIFY NTP


— show clock detail = displays that the time source is user configuration (before NTP is
configured on the network)

— ntp server ip-address = configures an NTP server the device should use as a source. If the
source is another Cisco device, it must be configured with the ntp master [stratum]
command

— Use the show ntp associations and show ntp status commands to verify the device is
synchronised with the NTP server
SNMP CONFIGURATION
INTRODUCTION TO SNMP
— SNMP is an application layer protocol that provides a message format for
communication between managers and agents
— The SNMP system consists of three elements:
o SNMP manager
o SNMP agents (managed node)
o Management Information Base (MIB)
— To configure SNMP on a networking device, it is first necessary to define the
relationship between the manager and the agent
— The SNMP manager is part of a network management system (NMS). The SNMP
manager runs SNMP management software
— As shown in the figure, the SNMP manager can collect information from an SNMP
agent by using the ‘get’ action
— It can change configurations on an agent by using the ‘set’ action.
— In addition, SNMP agents can forward information directly to a network manager by
using ‘traps’

SNMP OPERATION
— There are two primary SNMP manager requests:
o get request: used by the NMS to query the device for data
o set request: used by the NMS to change configuration variables in the agent
device. A set request can also initiate actions within a device. For example, a
set request can cause a router to reboot, send a configuration file, or receive a
configuration file
— SNMP manager uses the get and set actions to perform the operations described in the
table

get-request        Retrieves a value from a specific variable
get-next-request   Retrieves a value from a variable within a table; the SNMP manager does
                   not need to know the exact variable name. A sequential search is
                   performed to find the needed variable from within a table
get-bulk-request   Retrieves large blocks of data, such as multiple rows in a table, that
                   would otherwise require the transmission of many small blocks of data.
                   (Only works with SNMPv2 or later)
get-response       Replies to a get-request, get-next-request, and set-request sent by an NMS
set-request        Stores a value in a specific variable

MANAGEMENT INFORMATION BASE (MIB)


— The MIB organises variables hierarchically. MIB variables enable the management
software to monitor and control the network device
— Formally, the MIB defines each variable as an object ID (OID)
— OIDs uniquely identify managed objects in the MIB hierarchy
— The MIB organises the OIDs based on RFC standards into a hierarchy of OIDs, usually
shown as a tree
— The figure shows portions of the MIB structure defined by Cisco. Note how the OID
can be described in words or numbers to help locate a particular variable in the tree.
OIDs belonging to Cisco are numbered as follows: .iso (1).org (3).dod (6).internet
(1).private (4).enterprises (1).cisco (9). Therefore, the OID is 1.3.6.1.4.1.9

SNMP VERSIONS
— There are several versions of SNMP:
o SNMPv1: this is the Simple Network Management Protocol, a Full Internet
Standard, that is defined in RFC 1157
o SNMPv2c: this is defined in RFCs 1901 to 1908. It uses a community-string-
based Administrative Framework
o SNMPv3: this is an interoperable standards-based protocol originally defined in
RFCs 2273 to 2275. It provides secure access to devices by authenticating and
encrypting packets over the network. It includes these security features:
message integrity to ensure that a packet was not tampered with in transit,
authentication to determine that the message is from a valid source, and
encryption to prevent the contents of a message from being read by an
unauthorised source
— All versions use SNMP managers, agents, and MIBs. Cisco IOS software supports the
above three versions. Both SNMPv1 and SNMPv2c use a community-based form of
security. The community of managers that is able to access the MIB of the agent is
defined by a community string. SNMPv3 provides for both security models and security
levels
SNMP VULNERABILITIES
— In any network topology, at least one manager node should run SNMP management
software. Network devices that can be managed, such as switches, routers, servers, and
workstations, are equipped with the SNMP agent software module
— SNMP is vulnerable to attack precisely because SNMP agents can be polled with get
requests and accept configuration changes with set requests, as shown in the figure:

SNMPv3
— SNMPv3 provides three security features:
o Message integrity and authentication: ensures that a packet has not been
tampered with in transit and is from a valid source
o Encryption: scrambles the contents of a packet to prevent it from being seen by
an unauthorised source
o Access control: restricts each principal to certain actions on specific portions of
data
SNMPv3 SECURITY CONFIGURATION
— SNMPv3 can be secured with only a few commands:
1. Configure an ACL that will permit access to authorised SNMP managers

2. Configure an SNMP view with the snmp-server view command to identify the
MIB OIDs that the SNMP manager will be able to read. Configuring a view is
required to limit SNMP messages to read-only access

3. Configure SNMP group features with the snmp-server group command:
a. Configure a name for the group
b. Set the SNMP version to 3 with the v3 keyword
c. Require authentication and encryption with the priv keyword
d. Associate a view to the group and give it read-only access with the read
command
e. Specify the ACL configured in Step 1

4. Configure SNMP group user features with the snmp-server user command:
a. Configure a username and associate the user with the group name
configured in step 3
b. Set the SNMP version to 3 with the v3 keyword
c. Set the authentication type to either md5 or sha and configure an
authentication password. SHA is preferred and should be supported by the
SNMP management software
d. Require encryption with the priv keyword and configure an encryption
password

SNMPv3 SECURITY CONFIGURATION EXAMPLE

— The figure shows an example configuration for securing SNMPv3


1. A standard ACL is named PERMIT-ADMIN and is configured to permit only the
192.168.1.0/24 network
2. An SNMP view is named SNMP-RO and is configured to include the entire iso tree
from the MIB
3. An SNMP group is configured with the name ADMIN, SNMPv3, and access for
those allowed with the PERMIT-ADMIN ACL
4. An SNMP user, BOB, is configured as a member of the group ADMIN using
SNMPv3, with SHA authentication, AES 256 encryption, and the encryption
password
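The OID walk from the MIB section and the ACL/view/group steps above, modelled together in one added example that is not code from the lecture notes or from Cisco IOS: it resolves the named path to 1.3.6.1.4.1.9, then decides get and set requests the way a read-only group behind an ACL and a view would. The MIB tree holds only the nodes the notes mention plus mgmt/mib-2, the longest-match view rule is the SNMPv3 view-based access control one, and the names and addresses are taken from the notes' configuration example:

```python
"""Resolve named MIB paths to numeric OIDs and check them against an SNMP view.

Added example, not code from the lecture notes or from Cisco IOS. The MIB tree
holds only the standard nodes the notes walk through (iso ... enterprises.cisco)
plus mgmt/mib-2; view matching follows the longest-match rule of the SNMPv3
view-based access control model. Group, ACL and addresses mirror the notes.
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

Oid = Tuple[int, ...]

# Parent OID -> {child name: arc number}. The empty tuple is the root.
MIB_TREE: Dict[Oid, Dict[str, int]] = {
    (): {"iso": 1},
    (1,): {"org": 3},
    (1, 3): {"dod": 6},
    (1, 3, 6): {"internet": 1},
    (1, 3, 6, 1): {"mgmt": 2, "private": 4},
    (1, 3, 6, 1, 2): {"mib-2": 1},
    (1, 3, 6, 1, 4): {"enterprises": 1},
    (1, 3, 6, 1, 4, 1): {"cisco": 9},
}


def dotted(oid: Oid) -> str:
    return ".".join(str(arc) for arc in oid)


def resolve(path: str) -> Oid:
    """'.iso.org.dod.internet.private.enterprises.cisco' -> (1, 3, 6, 1, 4, 1, 9).
    Numeric components are taken as-is, so '1.3.6.1.4.1.cisco' also resolves."""
    oid: Oid = ()
    for name in path.strip(".").split("."):
        if name.isdigit():
            oid += (int(name),)
            continue
        children = MIB_TREE.get(oid, {})
        if name not in children:
            raise KeyError(f"{name!r} is not a child of {dotted(oid) or 'root'}")
        oid += (children[name],)
    return oid


class SnmpView:
    """Model of 'snmp-server view <name> <subtree> included|excluded'. The longest
    subtree covering an OID decides; an OID covered by no subtree is not visible."""

    def __init__(self, name: str):
        self.name = name
        self.rules: List[Tuple[Oid, bool]] = []

    def include(self, subtree: str) -> "SnmpView":
        self.rules.append((resolve(subtree), True))
        return self

    def exclude(self, subtree: str) -> "SnmpView":
        self.rules.append((resolve(subtree), False))
        return self

    def permits(self, oid: Oid) -> bool:
        best: Optional[Tuple[Oid, bool]] = None
        for subtree, included in self.rules:
            if oid[:len(subtree)] == subtree and (best is None or len(subtree) > len(best[0])):
                best = (subtree, included)
        return best is not None and best[1]


@dataclass
class SnmpGroup:
    """Model of 'snmp-server group': read view, optional write view, and an ACL."""
    name: str
    read_view: Optional[SnmpView]
    write_view: Optional[SnmpView]        # None = read-only group, as in the notes
    acl: List[ipaddress.IPv4Network]


def authorise(group: SnmpGroup, source_ip: str, op: str, oid_path: str) -> Tuple[bool, str]:
    """Decide whether a get/set from source_ip for oid_path passes the ACL and the view."""
    if op not in ("get", "set"):
        raise ValueError("op must be 'get' or 'set'")
    src = ipaddress.ip_address(source_ip)
    if not any(src in net for net in group.acl):
        return False, f"{source_ip} denied by the group's ACL"
    oid = resolve(oid_path)
    view = group.read_view if op == "get" else group.write_view
    if view is None:
        return False, f"group {group.name} has no {'read' if op == 'get' else 'write'} view"
    if not view.permits(oid):
        return False, f"{dotted(oid)} is outside view {view.name}"
    return True, f"{op} {dotted(oid)} permitted through view {view.name}"


# Mirrors the notes: ACL PERMIT-ADMIN = 192.168.1.0/24, view SNMP-RO = the whole
# iso tree, group ADMIN read-only through that view.
PERMIT_ADMIN = [ipaddress.ip_network("192.168.1.0/24")]
SNMP_RO = SnmpView("SNMP-RO").include("iso")
ADMIN = SnmpGroup("ADMIN", read_view=SNMP_RO, write_view=None, acl=PERMIT_ADMIN)

if __name__ == "__main__":
    cisco = "iso.org.dod.internet.private.enterprises.cisco"
    print(dotted(resolve(cisco)))                           # 1.3.6.1.4.1.9
    print(authorise(ADMIN, "192.168.1.10", "get", cisco))   # permitted
    print(authorise(ADMIN, "192.168.1.10", "set", cisco))   # read-only group
    print(authorise(ADMIN, "10.2.2.6", "get", cisco))       # outside the ACL
```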

SNMPv3 VERIFICATION

— Verify most of the SNMPv3 security configuration by viewing the running
configuration, as shown in the figure. Notice that the snmp-server user configuration is
hidden. Use the show snmp user command to view the user information

— Verify that the SNMP manager can send get requests to R1 by using an SNMP
management tool, such as the ManageEngine’s free SNMP MIB Browser. Configure
the tool with the user details. When a user is configured, use the SNMP management
tool’s features to test that the configured user can access the SNMP agent
— In the figure below, the network administrator entered the OID for the IP addressing
table. The get request returned all the addressing information for R1. The network
administrator authenticated with the appropriate credentials
— Verify that the data was encrypted by running a protocol analyser, such as Wireshark,
and capturing the SNMP packets

DEVICE MONITORING AND MANAGING SUMMARY


WHAT DID I LEARN IN THIS MODULE?
— The Cisco IOS resilient configuration feature maintains a secure working copy of the
router IOS image file and a copy of the running configuration file, which cannot be
removed by the user and is referred to as the primary bootset
— To secure the IOS image and enable Cisco IOS image resilience, use the secure boot-
image global configuration mode command
— To take a snapshot of the router running configuration and securely archive it in
persistent storage, use the secure boot-config global configuration mode command
— The SCP feature provides a secure and authenticated method for copying router
configuration or router image files to a remote location
— Some default services, such as CDP and LLDP, can make the network vulnerable to
attack
— AutoSecure is often used in the field to provide a baseline security policy on a new
router. However, it is not recommended on production routers
— Dynamic routing protocols are used by routers to automatically share information about
the reachability and status of remote networks
— Routing systems can be attacked by disrupting peer network routers, or by falsifying or
spoofing the information carried within the routing protocols
— Routing protocol updates can be configured to use MD5 or SHA authentication. This
helps ensure that routing protocol updates are coming from trusted sources
— In-band information paths use the production network, the internet or both.
Management traffic is sent on the same network as user traffic
— Out-of-band (OOB) management paths use dedicated management networks which do
not transmit user traffic
— The most common method of accessing system messages is to use a protocol called
syslog
— On Cisco network devices, the syslog protocol can send system messages and debug
command output to a local logging process that is internal to the device or can send
messages to an internal buffer
— Syslog messages contain a severity level that can range from Level 0 to Level 7. The
lower the level number, the higher the severity
— The service timestamps log datetime command configures the device to use system
timestamps for all messages
— A Cisco device is configured to use syslog by specifying the logging host with the
logging command and activating the logging process with the logging on command
— It is desirable to configure devices to use NTP to synchronize time between all network
devices
— NTP uses a hierarchical system of time sources that are arranged in strata. Stratum 0 is
the most authoritative time source, and it may use atomic or GPS clocks. The lower the
stratum number, the closer the source is to the Stratum 0 authoritative source
— NTP is configured on a device with the ntp server command
— SNMP defines how management information is exchanged between network
management applications and management agents
— The SNMP system requires three elements and consists of an SNMP manager, SNMP
agent, and the MIB
— SNMPv1 is obsolete. SNMPv2c should be used at a minimum. SNMPv3 is strongly
recommended
— SNMPv3 authenticates and encrypts packets over the network to provide secure access
to devices
MODULE 7
7.1. AAA Characteristics
7.1.1 AUTHENTICATION WITHOUT AAA

 To limit hacker access to sensitive network equipment and services, deploy access
control to limit who or what can use specific resources. Access control also limits the
services or options available after access is granted
 Many types of authentication are possible on a Cisco device, with varying security levels
 Simplest method of remote access authentication: configure a login and password
combination on the console, vty lines, and aux ports. This is the easiest to implement, but
also the weakest and least secure. It provides no accountability: anyone who knows the
password can enter the device and alter its configuration
 SSH: a more secure form of remote access. It requires both a username and a password
(both encrypted during transmission). The local database method provides additional
security because an attacker is required to know a username and a password.
 It also provides more accountability because the username is recorded when a user logs
in. Although Telnet can be configured using a username and password, both are sent in
plaintext, which makes it vulnerable to being captured and exploited.
 The local database method has some limitations
o The user accounts must be configured locally on each device
o In a large enterprise environment that has multiple routers and switches to
manage, it can take time to implement and change local databases on each
device. Additionally, the local database configuration provides no fallback
authentication method. E.g. what if the administrator forgets the username and
password for that device? With no backup method available for authentication,
password recovery becomes the only option
 A better solution is to have all devices refer to the same database of usernames and
passwords from a central server
7.1.2 AAA COMPONENTS

 AAA network security services provide primary framework to set up access control on
a network device
 AAA: a way to control who is permitted to access a network (authenticate) and what
they can do while they are there (authorise)
 AAA also allows auditing of actions that users perform while accessing the network
(accounting)
 Network and administrative AAA security in the Cisco environment has three
functional components:
o Authentication: Users and admins must prove identity before accessing the
network and network resources. Authentication can be established using:
username and password combinations, challenge and response questions, token
cards, and other methods
o Authorisation: after user is authenticated, authorisation services determine
which resource the user can access and which operations the user is allowed to
perform. E.g. “User ‘Student’ can access host serverXYZ using SSH only”
o Accounting and auditing: accounting records what the user does, including
what is accessed, the amount of time the resource is accessed, and any changes
that were made. Accounting keeps track of how network resources are used. An
example is “User ‘Student’ accessed host serverXYZ using SSH for 15
minutes”
o Like a credit card: card identifies who can use it, how much user can spend, and
keeps account of items and services user purchased

7.1.3 AUTHENTICATION MODES

 AAA Authentication can be used to authenticate users for administrative access or can
be used to authenticate users for remote network access.
 Cisco provides two common methods of implementing AAA services:
o Local AAA Authentication: Local AAA uses a local database for
authentication. This method is sometimes known as self-contained
authentication. It stores usernames and passwords locally in the Cisco
router, and users authenticate against the local database, as shown in the figure.
This database is the same one that is required for establishing role-based CLI.
Local AAA is ideal for smaller networks
o Server-Based AAA Authentication: with server-based method, the router
accesses a central AAA server, such as the Cisco Secure Access Control
System (ACS) for Windows, which is shown in the figure. Central AAA server
contains the usernames and passwords for all users. The router uses either the
Remote Authentication Dial-In User Service (RADIUS) or Terminal Access
Controller Access Control System (TACACS+) protocols to communicate with
the AAA server. When there are multiple routers and switches, server-based
AAA is more appropriate because accounts can be administered from a central
location rather than on individual devices

7.1.4 AUTHORISATION

 After users are successfully authenticated against the selected AAA data source, either
local or server-based, they are then authorised for specific network resources, as shown
in the figure
 Authorisation: controls what users can and cannot do on the network after they are
authenticated. Similar to how privilege levels and role-based CLI give users specific
rights and privileges to certain commands on the router
 Authorisation is typically implemented using a AAA server. Authorisation uses a set of
attributes that describes the user’s access to the network. These attributes are compared
to the information contained within the AAA database, and a determination of
restrictions for that user is made and delivered to the local router where the user is
connected
 Authorisation is automatic and does not require users to perform additional steps after
authentication; it is implemented immediately after the user is authenticated
7.1.5 ACCOUNTING

 AAA Accounting collects and reports usage data. This data can be used for purposes
such as auditing or billing. Collected data might include: the start and stop connection
times, the commands executed, the number of packets, and the number of bytes
 Accounting is implemented using a AAA server. This service reports usage statistics
back to the ACS server. These statistics can be extracted to create detailed reports about
the configuration of the network
 One widely deployed use of accounting is to combine it with AAA authentication. This
helps with managing access to internetworking devices by network administrative staff.
Accounting provides more security than just authentication. The AAA servers keep a
detailed log of exactly what the authenticated user does on the device, as shown in the
figure. This includes all EXEC and configuration commands issued by the user. The log
contains numerous data fields, including the username, the date and time, and the actual
command that was entered by the user. This information is useful when troubleshooting
devices. It also provides leverage against individuals who perform malicious actions
 Network Accounting: collects usage records for network access over various remote
access connections
 Connection Accounting: captures information about all outbound connections made
from the AAA client, such as Telnet or SSH
 EXEC Accounting: captures information about user EXEC terminal sessions (user
shells) on the network access server, including username, date, start and stop times, and
the access server IP address
 System Accounting: captures information about all system-level events (for example,
when the system reboots or when accounting is turned on or off)
 Command Accounting: captures information about the EXEC shell commands for a
specified privilege level that are being executed on a network access server. Each
command accounting record includes a list of the commands executed for that
privilege level, as well as the date and time each command was executed, and the user
who executed it
7.2 CONFIGURE LOCAL AAA AUTHENTICATION
7.2.1 AUTHENTICATE ADMINISTRATIVE ACCESS

 Local AAA Authentication should be configured for smaller networks
 Smaller networks = networks that have one or two network devices that provide access
to a limited number of users.
 This method uses the local usernames and passwords that have been configured and
stored on a device. The system admin must populate the local security database by
specifying username and password profiles for each user that might log in
 The Local AAA Authentication method is similar to using the login local command, with
one exception: AAA also provides a way to configure backup methods of authentication
 Configuring local AAA services to authenticate admin access requires a few basic
steps:
1. Add usernames and passwords to the local router database for users
that need administrative access to the router
2. Enable AAA globally on the router
3. Configure AAA parameters on the router
4. Confirm and troubleshoot the AAA configuration
 aaa authentication login = (in the figure) allows ADMIN and JR-ADMIN users to log
into the router via the console or vty terminal lines
 default keyword = means that the authentication method applies to all lines, except
those for which a specific line configuration overrides the default. The authentication is
case-sensitive, indicated by the local-case keyword. This means that both the password
and username are case sensitive

7.2.2 AUTHENTICATION METHODS

 aaa new-model = enable AAA | global config command | must be configured first | no
other AAA commands available until entered | Note: when command first entered: an
unseen ‘default’ authentication using the local database is automatically applied to all
lines except the console. For this reason, always configure a local database entry before
enabling AAA
 no aaa… = disable AAA
 aaa authentication login = enable authentication of the console, aux, and vty lines |
default keyword applies authentication to all lines. Alternatively, a custom
authentication method can be configured using a list-name

Command               Description
default               Uses the listed authentication methods that follow this keyword as the
                      default list of methods when a user logs in.
list-name             Instead of using the default list name, the administrator may wish to
                      specify a name for documentation purposes. The name can be up to 31
                      characters.
method1...[method4]   Identifies the list of methods that the AAA authentication process will
                      query in the given sequence. At least one method must be specified. A
                      maximum of four methods may be specified.

 Final portion of command identifies the type of methods that will be queried to
authenticate the users. Up to four methods can be defined, providing fallback methods
should one method not be available
 When user attempts to log in: first method listed is used
 Cisco IOS software attempts authentication with the next listed authentication method
only when there is no response from the previous method or an error occurs
 If the authentication method denies the user access, the authentication process stops and
no other authentication methods are allowed
 local or local-case = enable local authentication using a preconfigured database | local
accepts a username regardless of case | local-case is case sensitive
 enable = specify that a user can authenticate using the enable password
 none = to ensure that the authentication succeeds even if all methods return an error,
specify none as the final method | Note: for security purposes, use none only when
testing the AAA configuration. It should never be applied on a live network
 The table displays common methods that can be specified:

Method Type Keywords Description

enable Uses the enable password for authentication.

local Uses the local username database for authentication.

local-case Uses case-sensitive local username authentication.

none Uses no authentication.

group radius Uses the list of all RADIUS servers for authentication.

group tacacs+ Uses the list of all TACACS+ servers for authentication.

group group-name Uses a subset of RADIUS or TACACS+ servers for authentication as
defined by the aaa group server radius or aaa group server tacacs+ command.

7.2.3 DEFAULT AND NAMED METHODS

 aaa authentication login list-name = different method lists can be applied to different
interfaces and lines | for flexibility | e.g. an admin could apply a special login for SSH
and then have the default login method for the line console, as shown in the example
 In this example, the vty line would only use the local database for authentication. All
other lines (i.e., console and aux lines) would use the local database and use the enable
password as a fallback if there were no database entries on the device
 Notice that the named list has to be explicitly enabled on the line using the login
authentication line config command. If a line has a custom authentication method list
applied to it, that method list overrides the default method list for that interface
 When a custom authentication method list is applied to an interface, it is possible to
return to the default method list by using the no authentication login command

7.2.4 FINE-TUNING THE AUTHENTICATION CONFIGURATION

 Additional security can be implemented on the line using the following command:
 aaa local authentication attempts max-fail = secures AAA user accounts by locking
out accounts that have excessive failed attempts | global config command
Command                           Description
number-of-unsuccessful-attempts   Number of unsuccessful authentication attempts before a
                                  connection is dropped and the user account is locked.

 Unlike login delay command which introduces a delay between failed login attempts
without locking the account, the aaa local authentication attempts max-fail
command locks the user account if the authentication fails. The locked out user account
remains locked until it is manually cleared by an administrator using the clear aaa
local user lockout | privileged EXEC mode command
 show aaa local user lockout = display a list of all locked-out users | in privileged
EXEC mode
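The method-list rules from 7.2.2 (fall through only on an error or no response, stop on a denial, none as the last resort) and the max-fail lockout above, simulated in one added example that is not code from the lecture notes or from Cisco IOS. The LocalDatabase, radius_group and run_method_list names, and every username, password and server name, are constructed; the assumption that only users present in the local database accrue failed-attempt counts is marked in the code.

```python
"""Simulate IOS AAA login method-list evaluation and local account lockout.

Added example, not code from the lecture notes or from Cisco IOS. It models the
rules the notes state for 'aaa authentication login' (methods are tried in
order, the next one is consulted only when the previous one errors or does not
respond, and a denial ends the process) and for 'aaa local authentication
attempts max-fail'. Usernames, passwords and server names are constructed.
"""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Set, Tuple

PASS, FAIL, ERROR = "PASS", "FAIL", "ERROR"      # the three outcomes a method can return
Method = Callable[[str, str], str]              # (username, password) -> outcome


@dataclass
class LocalDatabase:
    """Local username database plus max-fail lockout state."""
    users: Dict[str, str]                        # username -> password (demo only)
    case_sensitive: bool = True                  # True = local-case, False = local
    max_fail: Optional[int] = None               # None = max-fail not configured
    failures: Dict[str, int] = field(default_factory=dict)
    locked: Set[str] = field(default_factory=set)

    def _lookup(self, username: str) -> Tuple[str, Optional[str]]:
        if self.case_sensitive:
            return username, self.users.get(username)
        for name, pw in self.users.items():      # 'local' ignores username case
            if name.lower() == username.lower():
                return name, pw
        return username, None

    def authenticate(self, username: str, password: str) -> str:
        if not self.users:
            return ERROR        # empty local database: falls through to the next method
        name, stored = self._lookup(username)
        if name in self.locked:
            return FAIL         # stays locked until an administrator clears it
        if stored is not None and stored == password:
            self.failures.pop(name, None)
            return PASS
        if self.max_fail is not None and stored is not None:  # assumption: only known users are counted
            self.failures[name] = self.failures.get(name, 0) + 1
            if self.failures[name] >= self.max_fail:
                self.locked.add(name)
        return FAIL

    def clear_lockout(self, username: str) -> None:
        """Model of 'clear aaa local user lockout username <name>'."""
        self.locked.discard(username)
        self.failures.pop(username, None)


def enable_method(enable_secret: str) -> Method:
    """'enable' keyword: the enable password authenticates any user."""
    return lambda _user, password: PASS if password == enable_secret else FAIL


def none_method(_user: str, _password: str) -> str:
    """'none' keyword: always succeeds; only for testing an AAA configuration."""
    return PASS


def radius_group(servers: Dict[str, Optional[Dict[str, str]]]) -> Method:
    """'group radius': each server is unreachable (None) or holds its own user table.
    An unreachable server is skipped; the first one that answers decides."""
    def method(user: str, password: str) -> str:
        for table in servers.values():
            if table is None:
                continue                          # no response, try the next server
            return PASS if table.get(user) == password else FAIL
        return ERROR                              # no server answered at all
    return method


def run_method_list(methods: List[Tuple[str, Method]], user: str,
                    password: str) -> Tuple[bool, List[str]]:
    """Evaluate an 'aaa authentication login' list; fall through only on ERROR."""
    if not 1 <= len(methods) <= 4:
        raise ValueError("a method list holds one to four methods")
    trail: List[str] = []
    for name, method in methods:
        outcome = method(user, password)
        trail.append(f"{name}:{outcome}")
        if outcome == PASS:
            return True, trail
        if outcome == FAIL:
            return False, trail                   # a denial stops the process
    return False, trail                           # every method errored


if __name__ == "__main__":
    db = LocalDatabase({"ADMIN": "Str0ngPa55", "JR-ADMIN": "Str0ngPa55"}, max_fail=3)
    servers_down = radius_group({"RADIUS-1": None, "RADIUS-2": None})
    print(run_method_list([("group radius", servers_down), ("local-case", db.authenticate)],
                          "ADMIN", "Str0ngPa55"))   # (True, ['group radius:ERROR', 'local-case:PASS'])
    for _ in range(3):
        db.authenticate("JR-ADMIN", "wrong")
    print(sorted(db.locked))                        # ['JR-ADMIN']
```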
 When a user logs into a Cisco router that uses AAA, a unique ID is assigned to that
user’s session. Throughout the life of the session, various attributes that are related to
the session are collected and stored internally within the AAA database. These
attributes can include: the IP address of the user, the protocol that is used to access the
router (e.g., PPP), the speed of the connection, and the number of packets or bytes that
are received or transmitted
 show aaa user = display attributes that are collected for one AAA session | in
privileged EXEC mode | this command does not provide information for all users who
are logged into a device, but only for those who have been authenticated or authorised
using AAA, or whose sessions are being accounted for by the AAA module
 show aaa sessions = can be used to show the unique ID of a session, as shown in the
example

7.3. SERVER-BASED AAA CHARACTERISTICS AND PROTOCOLS


7.3.1 COMPARE LOCAL AAA AND SERVER-BASED AAA IMPLEMENTATIONS

 Local AAA is suitable in very small networks, but it does not scale well
 Most corporate environments have multiple switches, routers, other infrastructure
devices, multiple router admins, and hundreds or thousands of users needing access to
the corporate LAN — maintaining a local database for each device is not feasible
 To solve this challenge, one or more AAA servers can be used to manage the user and
administrative access needs for an entire corporate network
 AAA server software can create a central user and administrative access database to
which all devices in the network can refer. It may also work with many external
databases, including Active Directory and Lightweight Directory Access Protocol
(LDAP)
 These databases store user account information and passwords, allowing for central
administration of user accounts. For increased redundancy, multiple servers can be
implemented. The figure shows the process of authenticating router administrator users
 Server-Based Authentication:
1. User establishes a connection with the router
2. The router prompts the user for a username and password
3. The router passes the username and password to the Cisco Secure ACS
(server or engine)
4. The Cisco Secure ACS authenticates the user. The user is provided access
to the router (administrative access) or the network, based on information
found in the Cisco Secure ACS database

7.3.2 CISCO IDENTITY SERVICES ENGINE (ISE)

 Cisco Identity Services Engine (ISE) is an identity and access control policy platform
that enables enterprises to enforce compliance, enhance infrastructure security, and
streamline their service operations.
 The architecture of Cisco ISE allows enterprises to gather real-time contextual
information from networks, users, and devices.
 The administrator can then use that information to make proactive governance decisions
by tying identity to various network elements.
 These network elements include access switches, wireless LAN controllers (WLCs),
VPNs, gateways, and data center switches.

 BYOD (Bring Your Own Device) is becoming more common and even necessary in
many enterprises. Cisco ISE defines fair access policies and enforces compliance for all
end devices including BYOD.
 Cisco ISE is the main policy component for Cisco TrustSec and is a Cisco technology
that protects assets such as data, applications, and mobile devices from unauthorized
access.

 Cisco ISE combines policy definition, control, and reporting in one appliance. ISE
works with existing network infrastructure to provide network administrators with
information about the end devices (known as endpoints) that attach to the network.
 Several features of ISE are:
o Asset Visibility - Provides visibility and control over who and what is on the
network consistently, across wireless, wired, and VPN connections. Cisco ISE
uses probes and device sensors to listen to the way devices connect to the
network. The Cisco ISE profile database, which is extensive, then classifies the
device. This gives the visibility and context that is required to grant the right
level of network access
o Posture assessment – Determines if the device complies with device security
policies before it connects to the network. It can determine if a device is clean
of viruses and suspicious applications and can even make sure that a device’s
antivirus software is up to date
o Segmentation - Cisco ISE uses contextual data about network devices and
endpoints to facilitate network segmentation. Security group tags, access
control lists, network access protocols, and policy sets that define authorization,
access, and authentication, are some ways in which Cisco ISE enables secure
network segmentation
o Guest management and secure wireless – Enables providing secure network
access to visitors, contractors, consultants, and customers
o Threat Containment - If Cisco ISE detects threat or vulnerability attributes
from an endpoint, adaptive network control policies are sent to dynamically
change the access levels of the endpoint. After the threat or vulnerability is
evaluated and addressed, the endpoint can be given back its original access
policy
 ISE provides context-aware identity management:
o To determine whether users are accessing the network on an authorized, policy-
compliant device
o To establish user identity, location, and access history, which can be used for
compliance and reporting
o To assign services based on the assigned user role, group, and associated policy
(job role, location, device type, etc.)
o To grant authenticated users access to specific segments of the network, or
specific applications and services, or both, based on authentication results

7.3.3 THE TACACS+ AND RADIUS PROTOCOLS

 TACACS+ and RADIUS are both authentication protocols that are used to communicate
with AAA servers. As shown in the table, each supports different capabilities:

Capabilities | TACACS+ | RADIUS
Functionality | Separates AAA according to the AAA architecture, allowing modularity of the security server implementation | Combines authentication and authorization but separates accounting, allowing less flexibility in implementation than TACACS+
Standard | Mostly Cisco supported | Open/RFC standard
Transport Protocol | TCP | UDP
CHAP | Bidirectional challenge and response as used in Challenge Handshake Authentication Protocol (CHAP) | Unidirectional challenge and response from the RADIUS security server to the RADIUS client
Confidentiality | Entire packet encrypted | Password encrypted
Customization | Provides authorization of router commands on a per-user or per-group basis | Has no option to authorize router commands on a per-user or per-group basis
Accounting | Limited | Extensive

 Whether TACACS+ or RADIUS is selected depends on the needs of the organization.
For example, a large ISP might select RADIUS because it supports the detailed
accounting required for billing users. An organization with various user groups might
select TACACS+ because it requires authorization policies to be applied on a per-user
or per-group basis
 It is important to understand the many differences between the TACACS+ and
RADIUS protocols
 These are three critical factors for TACACS+:
o Separates authentication and authorization
o Encrypts all communication
o Utilizes TCP port 49
 These are four critical factors for RADIUS:
o Combines RADIUS authentication and authorization as one process
o Encrypts only the password
o Utilizes UDP
o Supports remote-access technologies, 802.1X, and Session Initiation Protocol
(SIP)
 While both protocols can be used to communicate between a router and AAA servers,
TACACS+ is considered the more secure protocol. This is because all TACACS+
protocol exchanges are encrypted, while RADIUS only encrypts the user’s password.
RADIUS does not encrypt usernames, accounting information, or any other information
carried in the RADIUS message

7.3.4 TACACS+ AUTHENTICATION

 TACACS+ is a Cisco enhancement to the original TACACS protocol
 Despite its name, TACACS+ is an entirely new protocol that is incompatible with any
previous version of TACACS. TACACS+ is supported by the Cisco family of routers
and access servers
 TACACS+ provides separate AAA services.
 Separating the AAA services provides flexibility in implementation because it is
possible to use TACACS+ for authorization and accounting while using another method
of authentication.
 The extensions to the TACACS+ protocol provide more types of authentication requests
and response codes than were in the original TACACS specification.
 TACACS+ offers multiprotocol support, such as IP and legacy AppleTalk. Normal
TACACS+ operation encrypts the entire body of the packet for more secure
communications and utilizes TCP port 49.

7.3.5 RADIUS AUTHENTICATION

 RADIUS, which was developed by Livingston Enterprises, is an open IETF standard
AAA protocol for applications such as network access or IP mobility.
 RADIUS works in both local and roaming situations and is commonly used for
accounting purposes. RADIUS is currently defined by RFCs 2865, 2866, 2867, 2868,
3162 and 6911.
 The RADIUS protocol hides passwords during transmission, even with the Password
Authentication Protocol (PAP), using a rather complex operation that involves
Message Digest 5 (MD5) hashing and a shared secret. However, the rest of the packet
is sent in plaintext.
 RADIUS combines authentication and authorization as one process. When a user is
authenticated, that user is also authorized. RADIUS uses UDP port 1645 or 1812 for
authentication and UDP port 1646 or 1813 for accounting.
 RADIUS is widely used by VoIP service providers. It passes login credentials of a SIP
endpoint, such as a broadband phone, to a SIP registrar using digest authentication, and
then to a RADIUS server using RADIUS. RADIUS is also a common authentication
protocol that is utilized by the 802.1X security standard.

7.4 CONFIGURE SERVER-BASED AUTHENTICATION


7.4.1 STEPS TO CONFIGURE SERVER-BASED AAA AUTHENTICATION

 Unlike Local AAA Authentication, server-based AAA must identify various TACACS+
and RADIUS servers that the AAA service should consult when authenticating and
authorizing users
 There are four basic steps to configure server-based authentication:
1. Globally enable AAA to allow the use of all AAA elements. This step is a
prerequisite for all other AAA commands
2. Specify the server that will provide AAA services for the router. This can be a
TACACS+ or RADIUS server
3. Configure the encryption key needed to encrypt the data transfer between the
network device and AAA server
4. Configure the AAA authentication method list to refer to the TACACS+ or
RADIUS server. For redundancy, it is possible to configure more than one
server
7.4.2 CONFIGURE TACACS+ SERVERS

 TACACS+ and RADIUS protocols are used to communicate between clients and the
AAA security servers. The figure displays the AAA reference topology for this topic
 To configure a TACACS+ server:
o First, globally enable AAA using the aaa new-model command.
o Next, use the tacacs server name command.
o In TACACS+ server configuration mode, configure the IPv4 address of the
TACACS+ server using the address ipv4 command. The address ipv4
command allows the option to modify the authentication port and the
accounting port.
o You can also specify an IPv6 address with the address ipv6 ipv6-address
command
o Next, use the single-connection command to enhance TCP performance by
maintaining a single TCP connection for the life of the session. Otherwise, by
default, a TCP connection is opened and closed for each session. If required,
multiple TACACS+ servers can be identified by entering their respective IPv4
addresses using the tacacs server name command
o The key key command is used to configure the shared secret key to encrypt the
data transfer between the TACACS+ server and AAA-enabled router. This key
must be configured exactly the same way on both the router and the TACACS+
server
 The example displays a sample TACACS+ server configuration

7.4.3 CONFIGURE RADIUS SERVERS

 To configure a RADIUS server, use the radius server name command. This puts you
into RADIUS server configuration mode
 Because RADIUS uses UDP, there is no equivalent single-connection keyword. If
required, multiple RADIUS servers can be identified by entering a radius server name
command for each server
 In RADIUS server configuration mode, configure the IPv4 address of the RADIUS
server using the address ipv4 ipv4-address command. You can also specify an IPv6
address with the address ipv6 ipv6-address command
 By default, Cisco routers use port 1645 for the authentication and port 1646 for the
accounting. However, IANA has reserved ports 1812 for the RADIUS authentication
port and 1813 for the RADIUS accounting port. It is important to make sure these ports
match between the Cisco router and the RADIUS server
 To configure the shared secret key for encrypting the password, use the key command.
This key must be configured exactly the same way on the router and the RADIUS
server
 The example displays a sample RADIUS server configuration
7.4.4 AUTHENTICATE TO THE AAA SERVER CONFIGURATION COMMANDS

 When the AAA security servers have been identified, the servers must be included in
the method list of the aaa authentication login command.
 AAA servers are identified using the group tacacs+ or group radius keywords.
 Refer to the example to see command syntax options available with the aaa
authentication login command

 To configure a method list for the default login to authenticate first using a TACACS+
server, second with a RADIUS server, and finally with a local username database,
specify the order with the aaa authentication login default command, as highlighted in
the example.
 It is important to realize that R1 will only attempt to authenticate using RADIUS if the
TACACS+ server is not reachable. Likewise, R1 would only attempt to authenticate
using the local database if the TACACS+ and RADIUS servers are unavailable
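The fallback order just described (RADIUS is tried only when TACACS+ is unreachable, the local database only when both servers are unavailable) is modelled below as an added example; it is not code from the course notes or from Cisco IOS. The servers, usernames and passwords are constructed stand-ins, and the ERROR-versus-FAIL distinction is the assumption the model rests on: a method is skipped only when it cannot answer, never because it rejected the credentials.

```python
# Added example (not from the course notes): a model of how a login method
# list such as
#   aaa authentication login default group tacacs+ group radius local
# is walked. The "servers" here are constructed stand-ins for real AAA clients.
from enum import Enum


class Result(Enum):
    PASS = "pass"    # the method authenticated the user
    FAIL = "fail"    # the method answered and rejected the credentials
    ERROR = "error"  # the method could not answer (server unreachable)


def make_server(reachable, user_db):
    """Build a simulated AAA method. user_db maps username -> password
    (kept in the clear only because this is a stand-in, not a real server)."""
    def check(username, password):
        if not reachable:
            return Result.ERROR
        return Result.PASS if user_db.get(username) == password else Result.FAIL
    return check


def authenticate(method_list, methods, username, password):
    """Walk the method list in order. The next method is consulted only when
    the current one returns ERROR (unreachable). A definitive PASS or FAIL
    ends the lookup, so a password rejected by TACACS+ is never retried
    against RADIUS or the local database. Returns (result, method used)."""
    for name in method_list:
        result = methods[name](username, password)
        if result is Result.ERROR:
            continue
        return result, name
    # No method could answer: the login is denied.
    return Result.FAIL, None


METHOD_LIST = ["tacacs+", "radius", "local"]

# Constructed sample credential stores, one per method, with different
# passwords so a caller can tell which method actually answered.
TACACS_DB = {"admin": "Tacacs-pw"}
RADIUS_DB = {"admin": "Radius-pw"}
LOCAL_DB = {"admin": "Local-pw"}


def run_scenario(tacacs_up, radius_up, username, password):
    """Authenticate against the default method list with the given server
    availability. The local database is always reachable."""
    methods = {
        "tacacs+": make_server(tacacs_up, TACACS_DB),
        "radius": make_server(radius_up, RADIUS_DB),
        "local": make_server(True, LOCAL_DB),
    }
    return authenticate(METHOD_LIST, methods, username, password)


if __name__ == "__main__":
    for up_t, up_r, pw in [(True, True, "Tacacs-pw"), (True, True, "Local-pw"),
                           (False, True, "Radius-pw"), (False, False, "Local-pw")]:
        print(f"tacacs_up={up_t} radius_up={up_r} password={pw!r} ->",
              run_scenario(up_t, up_r, "admin", pw))
```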

7.5 CONFIGURE SERVER-BASED AUTHORISATION AND ACCOUNTING


7.5.1 INTRODUCTION TO SERVER-BASED AAA AUTHORISATION

 While authentication must ensure that the device or end user is legitimate, authorization
is concerned with allowing and disallowing authenticated users access to functions of
the network device interface
 The TACACS+ protocol allows the separation of authentication from authorization.
 A router can be configured to restrict the user to performing only certain functions after
successful authentication.
 Keep in mind that RADIUS does not separate the authentication from the authorization
process
 Another important aspect of authorization is the ability to control user access to specific
services. Controlling access to configuration commands greatly simplifies the
infrastructure security in large enterprise networks
 In the animation, the JR-ADMIN has successfully established an SSH session with the
router and authenticated to the TACACS+ AAA server. Click Play to see how the
server responds to different commands

 In the animation, the JR-ADMIN is permitted to access the show version command, but
not the configure terminal command. The router queries the AAA server for
permission to execute the commands on behalf of the user. When the user issues
the show version command, the server sends an ACCEPT response. If the user issues
a configure terminal command, the server sends a REJECT response
 By default, TACACS+ establishes a new TCP session for every authorization request,
which can lead to delays when users enter commands. To improve performance, AAA
supports persistent TCP sessions that are configured with the single-connection tacacs
server configuration mode command
7.5.2 AAA AUTHORISATION CONFIGURATION

 To configure authorization, use the aaa authorization command, as shown in the
examples below. The authorization type specifies the types of commands or services:
o network: for network services such as PPP and SLIP
o exec: for User EXEC terminal sessions
o commands level: command authorisation attempts authorisation for all EXEC
mode commands, including global configuration commands, associated with a
specific privilege level

 When AAA authorization is not enabled, all users are allowed full access.
 After authentication is started, the default changes to allow no access.
 This means that the administrator must create a user with full access rights before
authorization is enabled, as shown in the example. Failure to do so immediately locks
the administrator out of the system the moment the aaa authorization command is
entered.
 The only way to recover from this is to reboot the router. If this is a production router,
rebooting might be unacceptable. Be sure that at least one user always has full rights.

7.5.3 INTRODUCTION TO SERVER-BASED AAA ACCOUNTING

 Companies often need to keep track of which resources individuals or groups use. AAA
accounting enables usage tracking. An example of usage tracking is when one
department charges another department for access, or when one company provides
internal support to another company. The accounting function is similar to the
accounting information provided in a credit card billing statement as shown in the
figure
 Although accounting is generally considered a network management or financial
management issue, it is discussed briefly here because it is so closely linked with
security
 One security issue that is addressed by accounting is the creation of a list of users and
the time of day they logged into the system. If, for example, the administrator knows
that a worker logs in to the system in the middle of the night, this information can be
used to further investigate the purpose of the login
 Another reason to implement accounting is to create a list of changes occurring on the
network, the user that made the changes, and the exact nature of the changes. Knowing
this information helps the troubleshooting process if the changes cause unexpected
results
 When accounting is configured on a AAA server it functions as a central repository for
accounting information.
 It tracks events that occur on the network, similar to the way in which financial activity
is tracked for a credit card account.
 Each session that is established through Cisco Secure ACS can be fully accounted for
and stored on the server. This stored information can be very helpful for management,
security audits, capacity planning, and network usage billing.
 Like authentication and authorization method lists, method lists for accounting define
the way accounting is performed and the sequence in which these methods are
performed.
 After it is enabled, the default accounting method list is automatically applied to all
interfaces, except those that have a user-defined, or custom, accounting method list that
has been explicitly defined.

7.5.4 AAA ACCOUNTING CONFIGURATION

 To configure AAA accounting, use the aaa accounting command
 The following three parameters are commonly used aaa accounting keywords:
o network: runs accounting for all network-related service requests, including
PPP
o exec: runs accounting for the EXEC shell session
o connection: runs accounting on all outbound connections such as SSH and
Telnet

 As with AAA authentication, either the keyword default or a list-name can be used
 Next, the record type, or trigger, is configured. The trigger specifies what actions cause
accounting records to be updated. Possible triggers include:
o start-stop: sends a ‘start’ accounting notice at the beginning of a process and a
‘stop’ accounting notice at the end of a process
o stop-only: sends a ‘stop’ accounting record for all cases including
authentication failures
o none: disables accounting services on a line or interface
 The examples show the command syntax and method list options available

 The example shows an accounting configuration that logs the use of EXEC commands
and network connections

7.6 AUTHENTICATION, AUTHORISATION, AND ACCOUNTING (AAA) SUMMARY


7.6.1 WHAT DID I LEARN IN THIS MODULE?
AAA CHARACTERISTICS

 Local authentication can be configured on networking devices with usernames and
passwords that protect console, vty lines, and User EXEC mode. This is the easiest
authentication to implement, but also the weakest and least secure.
 SSH should be used for remote access to vty lines because telnet is not secure.
AAA provides a means by which users can be authenticated against a centralized
database of users.
 AAA authentication requires users and admins to prove their identity with
usernames and passwords or through other methods.
 AAA authorization can be used to limit the access of users or groups of users to
only the network resources that they need to access. It also can control what the
user can do with various resources.
 Authorization can be configured to control what different users can do on network
devices.
 AAA accounting records user actions including when the user accessed the network
or device, the length of time for the session, and the resources or functions that
were accessed by the user.
 AAA can be configured to access a local user database that has been configured on
a router or switch, or centralized AAA server.
 After authentication has successfully occurred, authorization for user access is
determined.
 After successful authentication, AAA accounting records the beginning of the
session.

CONFIGURE LOCAL AAA AUTHENTICATION

 Local AAA authentication should be configured for smaller networks.
 Usernames and passwords are configured on the networking device, similar to
when login local is configured on the console and vty lines.
 AAA local authentication provides additional options that are not available when AAA
is not used. For example, different authentication methods can be configured on
different lines, including using local authentication for some lines and server-based
authentication for others.
 In addition, local AAA authentication can be configured to lock users out after a
specified number of login attempts. The user will remain locked out until an
administrator manually clears the user from the list of locked-out local users.

SERVER-BASED AAA CHARACTERISTICS AND PROTOCOLS

 Local authentication does not scale well to large networks that have many networking
devices and users.
 The legacy Cisco Secure ACS AAA server has been replaced by Cisco ISE.
 ISE provides many access-related security functions beyond AAA functionality.
 The TACACS+ and RADIUS protocols provide communication between a network
device and a AAA server.
 The choice of protocol depends on the needs of the enterprise.
 TACACS+ encrypts all communication while RADIUS only encrypts passwords.
TACACS+ separates the authentication and authorization processes, while they are
combined in RADIUS.
 In addition, TACACS+ uses TCP while RADIUS uses UDP. It is important to note that
RADIUS supports remote access technologies such as 802.1X and SIP. There are other
important differences between the protocols.
 TACACS+ is a Cisco enhancement of the original TACACS protocol and is not
compatible with the original version.
 RADIUS is an open standard IETF protocol. It is widely used with VoIP because it
supports SIP.
 The next generation protocol that is an alternative to RADIUS is Diameter AAA.

CONFIGURE SERVER-BASED AUTHENTICATION

 There are four basic steps to configuring AAA server-based authentication.
 First, AAA must be globally enabled on the device.
 Second, the AAA server IP address and protocol are specified.
 Then, the matching encryption key that will be used by the network device and AAA
server is specified.
 The device must also be configured to use the AAA server or servers for authentication
by specifying the aaa authentication method list that includes the login group as either
RADIUS, TACACS+ or both.
 Note that by default, Cisco routers use port 1645 for authentication and port 1646 for
accounting. However, IANA has reserved ports 1812 for RADIUS authentication and
1813 for RADIUS accounting. It is important to make sure these ports match between
the networking device and the RADIUS server.

CONFIGURE SERVER-BASED AUTHORISATION AND ACCOUNTING

 AAA authorization is concerned with allowing authenticated users access to only the
resources that they need to access.
 For network administrators, the type of access that is permitted to the device command
line and network services can be controlled.
 The type of authorization is configured with the aaa authorization command. Types
can be network, for network services, exec, for the User EXEC mode,
and command for all EXEC mode commands including configuration commands.
 When AAA authorization is not enabled, all users are allowed full access.
 After authentication is started, the default changes to allow no access.
 This means that the administrator must create a user with full access rights before
authorization is enabled. Failure to do so immediately locks the administrator out of the
system the moment the aaa authorization command is entered. The only way to
recover from this is to reboot the router.

 AAA accounting tracks the resources accessed by a user, or the device functions that an
administrator has accessed.
 One reason to implement accounting is to create a list of changes that occurred on the
network device, the user that made the changes, and the exact nature of the changes.
 Knowing this information helps the troubleshooting process if the changes cause
unexpected results.
 The aaa accounting command options track the following types of information:
o network - all network-related service requests, including PPP
o exec - accounting for the EXEC shell session
o connection - accounting on all outbound connections such as SSH and Telnet

 The record type or trigger specifies what actions cause accounting records to be
updated.
 Triggers include the beginning and end of a process or authentication failures.
 Accounting can also be disabled on a device line or interface.

MODULE 8
8.1 INTRODUCTION TO ACCESS CONTROL LISTS
8.1.1 WHAT IS AN ACL?

 Routers make routing decisions based on information in the packet header.
 Traffic entering a router interface is routed solely based on information within the
routing table.
 The router compares the destination IP address with routes in the routing table to find
the best match and then forwards the packet based on the best match route. That same
process can be used to filter traffic using an access control list (ACL)

 An ACL is a series of IOS commands that are used to filter packets based on
information found in the packet header.
 By default, a router does not have any ACLs configured. However, when an ACL is
applied to an interface, the router performs the additional task of evaluating all network
packets as they pass through the interface to determine if the packet can be forwarded.
 An ACL uses a sequential list of permit or deny statements, known as access control
entries (ACEs) | Note: ACEs are also commonly called ACL statements
 When network traffic passes through an interface configured with an ACL, the router
compares the information within the packet against each ACE, in sequential order, to
determine if the packet matches one of the ACEs. This process is called packet
filtering
 Several tasks performed by routers require the use of ACLs to identify traffic. The table
lists some of these tasks with examples:

Task | Example
Limit network traffic to increase network performance | A corporate policy prohibits video traffic on the network to reduce the network load. A policy can be enforced using ACLs to block video traffic.
Provide traffic flow control | A corporate policy requires that routing protocol traffic be limited to certain links only. A policy can be implemented using ACLs to restrict the delivery of routing updates to only those that come from a known source.
Provide a basic level of security for network access | Corporate policy demands that access to the Human Resources network be restricted to authorized users only. A policy can be enforced using ACLs to limit access to specified networks.
Filter traffic based on traffic type | Corporate policy requires that email traffic be permitted into a network, but that Telnet access be denied. A policy can be implemented using ACLs to filter traffic by type.
Screen hosts to permit or deny access to network services | Corporate policy requires that access to some file types (e.g., FTP or HTTP) be limited to user groups. A policy can be implemented using ACLs to filter user access to services.
Provide priority to certain classes of network traffic | Corporate policy specifies that voice traffic be forwarded as fast as possible to avoid any interruption. A policy can be implemented using ACLs and QoS services to identify voice traffic and process it immediately.

8.1.2 PACKET FILTERING

 Packet filtering controls access to a network by analysing the incoming and/or outgoing
packets and forwarding them or discarding them based on given criteria. Packet filtering
can occur at Layer 3 or Layer 4, as shown in the figure.
 Cisco routers support two types of ACLs:
o Standard ACLs: filter at Layer 3 only, using the source IPv4 address only
o Extended ACLs: filter at Layer 3 using the source and / or destination
IPv4 address. They can also filter at Layer 4 using TCP and UDP ports, and
optional protocol type information, for finer control

8.1.3 NUMBERED AND NAMED ACLs


Numbered ACLs

 ACLs numbered 1 to 99, or 1300 to 1999, are standard ACLs, while ACLs numbered 100 to
199, or 2000 to 2699, are extended ACLs, as shown in the output.
Named ACLs

 Named ACLs are the preferred method to use when configuring ACLs. Specifically,
standard and extended ACLs can be named to provide information about the purpose of
the ACL. For example, naming an extended ACL FTP-FILTER is far better than having
a numbered ACL 100.
 The ip access-list global configuration command is used to create a named ACL, as
shown in the following example

 The following summarizes the rules to follow for named ACLs:
o Assign a name to identify the purpose of the ACL.
o Names can contain alphanumeric characters.
o Names cannot contain spaces or punctuation.
o It is suggested that the name be written in CAPITAL LETTERS.
o Entries can be added or deleted within the ACL.

8.1.4 ACL OPERATION

 ACLs define the set of rules that give added control for packets that enter inbound
interfaces, packets that relay through the router, and packets that exit outbound
interfaces of the router.
 ACLs can be configured to apply to inbound traffic and outbound traffic, as shown in
the figure.
 Note: ACLs do not act on packets that originate from the router itself.

 An inbound ACL filters packets before they are routed to the outbound interface.
 An inbound ACL is efficient because it saves the overhead of routing lookups if the
packet is discarded. If the packet is permitted by the ACL, it is then processed for
routing.
 Inbound ACLs are best used to filter packets when the network attached to an inbound
interface is the only source of packets that need to be examined.
 An outbound ACL filters packets after being routed, regardless of the inbound interface.
 Incoming packets are routed to the outbound interface and then they are processed
through the outbound ACL.
 Outbound ACLs are best used when the same filter will be applied to packets coming
from multiple inbound interfaces before exiting the same outbound interface.

 When an ACL is applied to an interface, it follows a specific operating procedure. For
example, here are the operational steps used when traffic has entered a router interface
with an inbound standard IPv4 ACL configured:
1. The router extracts the source IPv4 address from the packet header.
2. The router starts at the top of the ACL and compares the source IPv4 address to
each ACE in a sequential order.
3. When a match is made, the router carries out the instruction, either permitting
or denying the packet, and the remaining ACEs in the ACL, if any, are not
analysed.
4. If the source IPv4 address does not match any ACEs in the ACL, the packet is
discarded because there is an implicit deny ACE automatically applied to all
ACLs.

 The last ACE statement of an ACL is always an implicit deny that blocks all traffic.
 By default, this statement is automatically implied at the end of an ACL even though it
is hidden and not displayed in the configuration.
 Note: An ACL must have at least one permit statement otherwise all traffic will be
denied due to the implicit deny ACE statement.

8.2 WILDCARD MASKING


8.2.1 WILDCARD MASK OVERVIEW

 In the previous topic, you learned about the purpose of ACLs. This topic explains how
ACLs use wildcard masks.
 An IPv4 ACE uses a 32-bit wildcard mask to determine which bits of the address to
examine for a match. Wildcard masks are also used by the Open Shortest Path First
(OSPF) routing protocol.
 A wildcard mask is similar to a subnet mask in that it uses the ANDing process to
identify which bits in an IPv4 address to match. However, they differ in the way they
match binary 1s and 0s.
 Unlike a subnet mask, in which binary 1 is equal to a match and binary 0 is not a match,
in a wildcard mask, the reverse is true.
 Wildcard masks use the following rules to match binary 1s and 0s:
o Wildcard mask bit 0: match the corresponding bit value in the address
o Wildcard mask bit 1: ignore the corresponding bit value in the address
 The table lists some examples of wildcard masks and what they would identify:

Wildcard Mask | Last Octet (in Binary) | Meaning (0 - match, 1 - ignore)
0.0.0.0 | 00000000 | Match all octets.
0.0.0.63 | 00111111 | Match the first three octets. Match the two left most bits of the last octet. Ignore the last 6 bits.
0.0.0.15 | 00001111 | Match the first three octets. Match the four left most bits of the last octet. Ignore the last 4 bits of the last octet.
0.0.0.252 | 11111100 | Match the first three octets. Ignore the six left most bits of the last octet. Match the last two bits.
0.0.0.255 | 11111111 | Match the first three octets. Ignore the last octet.

8.2.2 WILDCARD MASK TYPES

 Using wildcard masks will take some practice. Refer to the examples to learn how the
wildcard mask is used to filter traffic for one host, one subnet, and a range of IPv4
addresses.
Wildcard to Match a Host

 In this example, the wildcard mask is used to match a specific host IPv4 address.
Assume ACL 10 needs an ACE that only permits the host with IPv4 address
192.168.1.1. Recall that “0” equals a match and “1” equals ignore. To match a specific
host IPv4 address, a wildcard mask consisting of all zeroes (i.e., 0.0.0.0) is required.
 In binary, the host IPv4 address, the wildcard mask, and the permitted IPv4 address are:
o 192.168.1.1 = 11000000.10101000.00000001.00000001
o 0.0.0.0     = 00000000.00000000.00000000.00000000
o Permitted   = 11000000.10101000.00000001.00000001 (192.168.1.1 only)
 The 0.0.0.0 wildcard mask stipulates that every bit must match exactly. Therefore, when
the ACE is processed, the wildcard mask will permit only the 192.168.1.1 address. The
resulting ACE in ACL 10 would be access-list 10 permit 192.168.1.1 0.0.0.0.
Wildcard Mask to Match an IPv4 Subnet

 In this example, ACL 10 needs an ACE that permits all hosts in the 192.168.1.0/24
network. The wildcard mask 0.0.0.255 stipulates that the first three octets must
match exactly, while every bit of the fourth octet is ignored.
 In binary, the network address, the wildcard mask, and the permitted IPv4 addresses are:
o 192.168.1.0 = 11000000.10101000.00000001.00000000
o 0.0.0.255   = 00000000.00000000.00000000.11111111
o Permitted   = 11000000.10101000.00000001.xxxxxxxx (192.168.1.0 through 192.168.1.255)
 When processed, the wildcard mask 0.0.0.255 permits all hosts in the 192.168.1.0/24
network. The resulting ACE in ACL 10 would be access-list 10 permit 192.168.1.0
0.0.0.255.
Wildcard Mask to Match an IPv4 Address Range

 In this example, ACL 10 needs an ACE that permits all hosts in the 192.168.16.0/24,
192.168.17.0/24, …, 192.168.31.0/24 networks. The wildcard mask 0.0.15.255
correctly filters that range of addresses.
 In binary, the network address, the wildcard mask, and the permitted IPv4 addresses are:
o 192.168.16.0 = 11000000.10101000.00010000.00000000
o 0.0.15.255   = 00000000.00000000.00001111.11111111
o Permitted    = 11000000.10101000.0001xxxx.xxxxxxxx (192.168.16.0 through 192.168.31.255)
 The 0 bits in the wildcard mask identify which bits of the IPv4 address must match.
The upper four bits of the third octet (0001) are fixed while the lower four bits vary
from 0000 to 1111, which yields the third-octet values 16 through 31. When processed,
the wildcard mask 0.0.15.255 permits all hosts in the 192.168.16.0/24 to
192.168.31.0/24 networks. The resulting ACE in ACL 10 would be access-list 10
permit 192.168.16.0 0.0.15.255.

8.2.3 WILDCARD MASK CALCULATION

 Calculating wildcard masks can be challenging. One shortcut method is to subtract the
subnet mask from 255.255.255.255. Because every octet of 255.255.255.255 is all ones,
the subtraction never borrows and simply inverts each bit of the subnet mask, which is
exactly the relationship between a subnet mask and its wildcard mask. Refer to the
examples to learn how to calculate the wildcard mask using the subnet mask.
Example 1

 Assume you wanted an ACE in ACL 10 to permit access to all users in the
192.168.3.0/24 network. To calculate the wildcard mask, subtract the subnet mask (i.e.,
255.255.255.0) from 255.255.255.255:
o 255.255.255.255 - 255.255.255.0 = 0.0.0.255
 The solution produces the wildcard mask 0.0.0.255. Therefore, the ACE would
be access-list 10 permit 192.168.3.0 0.0.0.255.
Example 2

 In this example, assume you wanted an ACE in ACL 10 to permit network access for
the 14 usable hosts in the subnet 192.168.3.32/28. Subtract the subnet mask (i.e.,
255.255.255.240) from 255.255.255.255:
o 255.255.255.255 - 255.255.255.240 = 0.0.0.15
 This solution produces the wildcard mask 0.0.0.15. Therefore, the ACE would
be access-list 10 permit 192.168.3.32 0.0.0.15.
Example 3

 In this example, assume you needed an ACE in ACL 10 to permit only networks
192.168.10.0 and 192.168.11.0. These two networks can be summarized as
192.168.10.0/23, which is a subnet mask of 255.255.254.0. Again, subtract the
255.255.254.0 subnet mask from 255.255.255.255:
o 255.255.255.255 - 255.255.254.0 = 0.0.1.255
 This solution produces the wildcard mask 0.0.1.255. Therefore, the ACE would
be access-list 10 permit 192.168.10.0 0.0.1.255.
Example 4

 Consider an example in which you need ACL 10 to match networks in the
range 192.168.16.0/24 to 192.168.31.0/24. This network range can be
summarized as 192.168.16.0/20, which is a subnet mask of 255.255.240.0. Therefore,
subtract the 255.255.240.0 subnet mask from 255.255.255.255:
o 255.255.255.255 - 255.255.240.0 = 0.0.15.255
 This solution produces the wildcard mask 0.0.15.255. Therefore, the ACE would
be access-list 10 permit 192.168.16.0 0.0.15.255.

8.2.4 WILDCARD MASK KEYWORDS

 Working with decimal representations of binary wildcard mask bits can be tedious. To
simplify this task, the Cisco IOS provides two keywords to identify the most common
uses of wildcard masking. Keywords reduce ACL keystrokes but more importantly,
keywords make it easier to read the ACE.
 The two keywords are:
 host: this keyword substitutes for the 0.0.0.0 mask. This mask states that all IPv4
address bits must match to filter just one host address
 any: this keyword substitutes for the 255.255.255.255 mask. This mask says to ignore
the entire IPv4 address or to accept any addresses

 For example, in the command output, two ACLs are configured. The ACL 10 ACE
permits only the 192.168.10.10 host and the ACL 11 ACE permits all hosts:
access-list 10 permit 192.168.10.10 0.0.0.0
access-list 11 permit 0.0.0.0 255.255.255.255

 Alternatively, the keywords host and any could have been used in place of the
wildcard masks. The following commands accomplish the same task as the previous
commands:
access-list 10 permit host 192.168.10.10
access-list 11 permit any
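The matching rule of 8.2.1, the 255.255.255.255 shortcut of 8.2.3 and the host/any keywords of 8.2.4 can all be checked with a few lines of code. The following is an added example written for these notes (not code from the lecture or from Cisco); it uses only the Python standard library, and the function names are my own. It also goes beyond the examples above in one respect: IOS accepts non-contiguous wildcard masks, so the last two cases show an ACE that matches only even-numbered hosts and one that matches only the odd-numbered /24 subnets of 192.168.0.0/16.

```python
"""Wildcard-mask helpers for IPv4 ACEs (added example, not from the lecture notes).

Models the rule 'wildcard bit 0 = must match, 1 = ignore' and the
255.255.255.255 minus subnet-mask shortcut.
"""
import ipaddress

ALL_ONES = 0xFFFFFFFF


def to_int(dotted: str) -> int:
    """Dotted-decimal address or mask -> 32-bit integer."""
    return int(ipaddress.IPv4Address(dotted))


def to_dotted(value: int) -> str:
    """32-bit integer -> dotted-decimal."""
    return str(ipaddress.IPv4Address(value & ALL_ONES))


def wildcard_from_prefix(prefix_len: int) -> str:
    """Wildcard mask for a /prefix_len network.

    255.255.255.255 minus the subnet mask never borrows, so the subtraction
    is exactly a bitwise inversion of the subnet mask.
    """
    if not 0 <= prefix_len <= 32:
        raise ValueError("prefix length must be between 0 and 32")
    subnet_mask = (ALL_ONES << (32 - prefix_len)) & ALL_ONES
    return to_dotted(ALL_ONES - subnet_mask)


def care_bits(wildcard: str) -> int:
    """Bits that must match: the complement of the wildcard mask."""
    return ~to_int(wildcard) & ALL_ONES


def normalize_ace(address: str, wildcard: str) -> str:
    """IOS zeroes every address bit the wildcard ignores, so an ACE entered as
    192.168.1.77 0.0.0.255 is stored and displayed as 192.168.1.0 0.0.0.255."""
    return to_dotted(to_int(address) & care_bits(wildcard))


def ace_matches(ace_address: str, wildcard: str, candidate: str) -> bool:
    """True when candidate agrees with the ACE address on every 'care' bit."""
    bits = care_bits(wildcard)
    return (to_int(ace_address) & bits) == (to_int(candidate) & bits)


def ace_to_ios(address: str, wildcard: str) -> str:
    """Source field of an ACE as IOS accepts it, using host/any where they apply."""
    mask = to_int(wildcard)
    if mask == 0:
        return f"host {address}"
    if mask == ALL_ONES:
        return "any"
    return f"{normalize_ace(address, wildcard)} {wildcard}"


def matched_addresses(ace_address: str, wildcard: str) -> list:
    """Every address the ACE matches, in ascending order; works for
    non-contiguous masks too. Refuses masks that ignore more than 16 bits."""
    mask = to_int(wildcard)
    base = to_int(ace_address) & care_bits(wildcard)
    ignored = [1 << i for i in range(32) if (mask >> i) & 1]
    if len(ignored) > 16:
        raise ValueError("mask ignores too many bits to enumerate sensibly")
    out = []
    for combo in range(1 << len(ignored)):
        value = base
        for i, bit in enumerate(ignored):
            if (combo >> i) & 1:
                value |= bit
        out.append(to_dotted(value))
    return out


if __name__ == "__main__":
    for prefix in (24, 28, 23, 20):
        print(f"/{prefix} -> wildcard {wildcard_from_prefix(prefix)}")
    print(ace_to_ios("192.168.10.10", "0.0.0.0"), "|", ace_to_ios("0.0.0.0", "255.255.255.255"))
    # Non-contiguous masks are legal in IOS: this ACE matches only even last octets.
    evens = matched_addresses("192.168.1.0", "0.0.0.254")
    print(len(evens), "even addresses, first three:", evens[:3])
    # ...and this one matches the odd-numbered /24s 192.168.1.0, 192.168.3.0, ...
    print(matched_addresses("192.168.1.0", "0.0.254.0")[:3])
```

The normalisation step matters in practice: if an ACE is typed with host bits set in the ignored positions, IOS silently clears them, so what you see in show access-lists is the canonical form, not necessarily what was typed.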

8.3 CONFIGURE ACLs


8.3.1 CREATE AN ACL
 All access control lists (ACLs) must be planned. This is especially true for
ACLs requiring multiple access control entries (ACEs).
 When configuring a complex ACL, it is suggested that you:
o Use a text editor and write out the specifics of the policy to be implemented.
o Add the IOS configuration commands to accomplish those tasks.
o Include remarks to document the ACL.
o Copy and paste the commands onto the device.
o Always thoroughly test an ACL to ensure that it correctly applies the desired
policy.
 These recommendations enable you to create the ACL thoughtfully without impacting
the traffic on the network.

8.3.2 NUMBERED STANDARD IPv4 ACL SYNTAX

 To create a numbered standard ACL, use the following global configuration command:
Router(config)# access-list access-list-number {deny | permit | remark text} source [source-wildcard] [log]
 Use the no access-list access-list-number global configuration command to remove a
numbered standard ACL.
 The table provides a detailed explanation of the syntax for a standard ACL:
 access-list-number
o This is the decimal number of the ACL.
o Standard ACL number range is 1 to 99 or 1300 to 1999.
 deny: This denies access if the condition is matched.
 permit: This permits access if the condition is matched.
 remark text
o (Optional) This adds a text entry for documentation purposes.
o Remarks are extremely useful, especially in longer or more complex ACLs.
o Each remark is limited to 100 characters.
 source
o This identifies the source network or host address to filter.
o Use the any keyword to specify all networks.
o Use the host ip-address keyword or simply enter an ip-address (without the host
keyword) to identify a specific IP address.
 source-wildcard
o (Optional) This is a 32-bit wildcard mask that is applied to the source. If omitted, a
default 0.0.0.0 mask is assumed.
 log
o (Optional) This keyword generates an informational message whenever the ACE is
matched.
o The message includes the ACL number, the matched condition (i.e., permitted or
denied), the source address, and the number of packets.
o The message is generated for the first matched packet and then at five-minute
intervals, with the number of packets matched during the interval.
o ACL logging can be CPU intensive and can negatively affect other functions, therefore
it should only be enabled for troubleshooting or security reasons.

8.3.3 NAMED STANDARD IPv4 ACL SYNTAX

 Naming an ACL makes it easier to understand its function. To create a named standard
ACL, use the following global configuration command:
Router(config)# ip access-list standard access-list-name
 This command enters the named standard ACL configuration mode where you configure the
ACL ACEs.
 ACL names are alphanumeric, case sensitive, and must be unique. Capitalizing ACL
names is not required but makes them stand out when viewing the running-config
output. It also makes it less likely that you will accidentally create two different ACLs
with the same name but with different uses of capitalization.
 Note: Use the no ip access-list standard access-list-name global configuration
command to remove a named standard IPv4 ACL.
 In the example, a named standard IPv4 ACL called NO-ACCESS is created. Notice that
the prompt changes to named standard ACL configuration mode. ACE statements are
entered in the named standard ACL sub configuration mode. Use the help facility to
view all the named standard ACL ACE options.
 The three highlighted options (deny, permit, and remark) are configured similarly to
the numbered standard ACL. Unlike the numbered ACL method, there is no need to
repeat the initial ip access-list command for each ACE.

8.3.4 NUMBERED EXTENDED IPv4 ACL SYNTAX

 The procedural steps for configuring extended ACLs are the same as for standard
ACLs. The extended ACL is first configured, and then it is activated on an interface.
However, the command syntax and parameters are more complex to support the
additional features provided by extended ACLs.
 To create a numbered extended ACL, use the following global configuration command:
Router(config)# access-list access-list-number {deny | permit | remark text} protocol source source-wildcard [operator {port}] destination destination-wildcard [operator {port}] [established] [log]
 Note that ip access-group is the interface configuration command that applies an
existing ACL to an interface; it does not create one.
 Use the no access-list access-list-number global configuration command to remove an
extended ACL.
 Although there are many keywords and parameters for extended ACLs, it is not
necessary to use all of them when configuring an extended ACL. The table provides a
detailed explanation of the syntax for an extended ACL:
 access-list-number
o This is the decimal number of the ACL.
o Extended ACL number range is 100 to 199 and 2000 to 2699.
 deny: This denies access if the condition is matched.
 permit: This permits access if the condition is matched.
 remark text
o (Optional) Adds a text entry for documentation purposes.
o Each remark is limited to 100 characters.
 protocol
o Name or number of an internet protocol.
o Common keywords include ip, tcp, udp, and icmp.
o The ip keyword matches all IP protocols.
 source
o This identifies the source network or host address to filter.
o Use the any keyword to specify all networks.
o Use the host ip-address keyword or simply enter an ip-address (without the host
keyword) to identify a specific IP address.
 source-wildcard: (Optional) A 32-bit wildcard mask that is applied to the source.
 destination
o This identifies the destination network or host address to filter.
o Use the any keyword to specify all networks.
o Use the host ip-address keyword or ip-address.
 destination-wildcard: (Optional) This is a 32-bit wildcard mask that is applied to the
destination.
 operator
o (Optional) This compares source or destination ports.
o Operators include lt (less than), gt (greater than), eq (equal), neq (not equal),
and range (inclusive range of ports).
 port: (Optional) The decimal number or name of a TCP or UDP port.
 established
o (Optional) For the TCP protocol only. Matches segments with the ACK or RST flag bit
set, that is, segments that belong to a connection that is already open.
o This is a 1st generation firewall feature; it checks flag bits only and keeps no
connection state.
 log
o (Optional) This keyword generates and sends an informational message whenever the
ACE is matched.
o The message includes the ACL number, the matched condition (i.e., permitted or
denied), the source address, and the number of packets.
o The message is generated for the first matched packet and then at five-minute
intervals.
o This keyword should only be enabled for troubleshooting or security reasons.

 The command to apply an extended IPv4 ACL to an interface is the same as the
command used for standard IPv4 ACLs.
 To remove an ACL from an interface, first enter the no ip access-group interface
configuration command. To remove the ACL from the router, use the no access-
list global configuration command.
 Note: The internal logic applied to the ordering of standard ACL statements does not
apply to extended ACLs. The order in which the statements are entered during
configuration is the order they are displayed and processed.

8.3.5 PROTOCOLS AND PORT NUMBERS

 Extended ACLs can filter on many different types of internet protocols and ports.
Protocol Options

 Of the many protocol keywords IOS accepts, ip, tcp, udp, and icmp are by far the most
commonly used.

 Note: Use the ? to get help when entering a complex ACE.
 Note: If an internet protocol is not listed by name, its IP protocol number can be
specified instead. For instance, the ICMP protocol number is 1, TCP is 6, and UDP is 17.
Port Keyword Options
 Selecting a protocol influences port options. For instance, selecting the:
o tcp protocol would provide TCP related ports options
o udp protocol would provide UDP specific ports options
o icmp protocol would provide ICMP related ports (i.e., message) options
 Again, notice how many TCP port options are available; the highlighted ports are the
popular options.
 Port names or numbers can be specified. However, port names make it easier to
understand the purpose of an ACE. Notice how some common port names (e.g., SSH
and HTTPS) are not listed. For these protocols, port numbers have to be specified.

8.3.6 PROTOCOLS AND PORT NUMBERS CONFIGURATION EXAMPLES

 Extended ACLs can filter on different port number and port name options. This
example configures an extended ACL 100 to filter HTTP traffic. The first ACE uses
the www port name. The second ACE uses the port number 80. Both ACEs achieve
exactly the same result.

 Configuring the port number is required when there is no port name keyword for the
service, such as SSH (port number 22) or HTTPS (port number 443), as shown in the
next example.

8.3.7 TCP ESTABLISHED EXTENDED ACL

 Extended ACLs can also provide a basic, stateful-firewall-like function for TCP using the
established keyword. The keyword lets inside traffic exit the inside private
network and permits the returning reply traffic to enter the inside private network, as
shown in the figure.
 However, TCP traffic generated by an outside host that attempts to open a new
connection to an inside host is denied.
 The established keyword can be used to permit only the return HTTP traffic from
requested websites, while denying all other traffic.
 In the topology, the design for this example shows that ACL 110, which was previously
configured, will filter traffic from the inside private network. ACL 120, using
the established keyword, will filter traffic coming into the inside private network from
the outside public network.

 In the example, ACL 120 is configured to only permit returning web traffic to the inside
hosts, using an ACE of the form access-list 120 permit tcp any eq 443 192.168.10.0
0.0.0.255 established. The new ACL is then applied outbound on the R1 G0/0/0
interface. The show access-lists command displays both ACLs. Notice from the match
statistics that inside hosts have been accessing the secure web resources from the
internet.
 Notice that the permit secure HTTPS counters (i.e., eq 443) in ACL 110 and the return
established counters in ACL 120 have increased.
 The established parameter allows only responses to traffic that originates from the
192.168.10.0/24 network to return to that network. Specifically, a match occurs if the
returning TCP segment has the ACK or reset (RST) flag bit set, which indicates that the
segment belongs to an existing connection. Without the established parameter, the ACE
would permit any TCP traffic destined for 192.168.10.0/24, including new connections
initiated by outside hosts.
 Note that established is not true stateful inspection: the router keeps no connection
table and only examines flag bits. An outside host can therefore craft segments with the
ACK flag set (as a TCP ACK scan does) that match the ACE and reach inside hosts. Where
real stateful filtering is required, use a zone-based or other stateful firewall rather than
relying on established.
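The following is an added example for these notes, not code from the lecture or from Cisco. It models how IOS walks an extended ACL top-down with first-match semantics and an implicit deny (the guidelines of 8.5.1), and implements the established check exactly as described above: a TCP segment matches only if ACK or RST is set. Prefix notation stands in for wildcard masks, the ACLs 110 and 120 are reconstructed from the description of the topology, and 203.0.113.0/24 is a constructed stand-in for a web server on the internet. The "crafted ACK probe" case shows the limitation called out above, and ACL_BAD_ORDER shows a deny entry that can never match because a broader permit precedes it.

```python
"""Model of IOS extended-ACL processing, including the 'established' keyword.

Added example (not lecture or Cisco code). Addresses use prefix notation in
place of wildcard masks; 203.0.113.0/24 is constructed sample data.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple
import ipaddress


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str                           # "tcp", "udp" or "icmp"
    src_port: int = 0
    dst_port: int = 0
    tcp_flags: frozenset = frozenset()   # e.g. frozenset({"SYN"}) for a new connection


@dataclass(frozen=True)
class Ace:
    seq: int
    action: str                      # "permit" or "deny"
    proto: str                       # "ip" matches every IP protocol
    src: str = "0.0.0.0/0"           # 0.0.0.0/0 is the 'any' keyword
    dst: str = "0.0.0.0/0"
    dst_port: Optional[int] = None   # 'eq <port>'; None means any port
    established: bool = False        # TCP only

    def matches(self, pkt: Packet) -> bool:
        if self.proto != "ip" and self.proto != pkt.proto:
            return False
        if ipaddress.ip_address(pkt.src) not in ipaddress.ip_network(self.src):
            return False
        if ipaddress.ip_address(pkt.dst) not in ipaddress.ip_network(self.dst):
            return False
        if self.dst_port is not None and pkt.dst_port != self.dst_port:
            return False
        if self.established:
            # Not stateful: the router only checks that ACK or RST is set, the
            # signature of a segment inside an open connection. A SYN-only
            # segment (a new connection attempt) does not match.
            if pkt.proto != "tcp" or not (pkt.tcp_flags & {"ACK", "RST"}):
                return False
        return True


def evaluate(acl: List[Ace], pkt: Packet) -> Tuple[str, Optional[int]]:
    """Top-down, first match wins. Nothing matched -> implicit 'deny ip any any'."""
    for ace in acl:
        if ace.matches(pkt):
            return ace.action, ace.seq
    return "deny", None


# ACL 110, inbound on the inside interface: only web traffic may leave.
ACL_110 = [
    Ace(10, "permit", "tcp", "192.168.10.0/24", dst_port=80),
    Ace(20, "permit", "tcp", "192.168.10.0/24", dst_port=443),
]
# ACL 120, outbound towards the inside: only replies to inside-initiated TCP.
ACL_120 = [
    Ace(10, "permit", "tcp", "0.0.0.0/0", "192.168.10.0/24", established=True),
]
# Wrong order: the host-specific deny is shadowed by the broader permit above it.
ACL_BAD_ORDER = [
    Ace(10, "permit", "ip", "192.168.10.0/24"),
    Ace(20, "deny", "ip", "192.168.10.10/32"),
]

INSIDE, WEB = "192.168.10.10", "203.0.113.5"
SAMPLES = {
    "inside HTTPS request":      (ACL_110, Packet(INSIDE, WEB, "tcp", 51000, 443, frozenset({"SYN"}))),
    "inside SSH request":        (ACL_110, Packet(INSIDE, WEB, "tcp", 51001, 22, frozenset({"SYN"}))),
    "web server SYN/ACK reply":  (ACL_120, Packet(WEB, INSIDE, "tcp", 443, 51000, frozenset({"SYN", "ACK"}))),
    "outside SSH attempt":       (ACL_120, Packet(WEB, INSIDE, "tcp", 40000, 22, frozenset({"SYN"}))),
    "outside crafted ACK probe": (ACL_120, Packet(WEB, INSIDE, "tcp", 40000, 22, frozenset({"ACK"}))),
    "outside DNS to inside":     (ACL_120, Packet(WEB, INSIDE, "udp", 53, 53)),
    "shadowed deny (bad order)": (ACL_BAD_ORDER, Packet(INSIDE, WEB, "tcp", 51002, 22, frozenset({"SYN"}))),
}

if __name__ == "__main__":
    for name, (acl, pkt) in SAMPLES.items():
        print(f"{name:28} -> {evaluate(acl, pkt)}")
```

Run as a script it prints one decision per sample; the "crafted ACK probe" line is permitted by ACL 120 even though no inside host ever opened that connection, which is the reason established should not be mistaken for stateful filtering.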

8.3.8 NAMED EXTENDED IPv4 ACL SYNTAX

 Naming an ACL makes it easier to understand its function. To create a named extended
ACL, use the following global configuration command:
Router(config)# ip access-list extended access-list-name

 This command enters the named extended ACL configuration mode. Recall that ACL names
are alphanumeric, case sensitive, and must be unique.
 In the example, a named extended ACL called NO-FTP-ACCESS is created and the
prompt changed to named extended ACL configuration mode. ACE statements are
entered in the named extended ACL sub configuration mode.

8.3.9 NAMED EXTENDED IPv4 ACL EXAMPLE

 Named extended ACLs are created in essentially the same way that named standard
ACLs are created.
 The topology in the figure is used to demonstrate configuring and applying two named
extended IPv4 ACLs to an interface:
 SURFING - This will permit inside HTTP and HTTPS traffic to exit to the internet.
 BROWSING - This will only permit returning web traffic to the inside hosts while all
other traffic exiting the R1 G0/0/0 interface is implicitly denied.

 The example shows the configuration for the inbound SURFING ACL and the
outbound BROWSING ACL.
 The SURFING ACL permits HTTP and HTTPS traffic from inside users to exit the
G0/0/1 interface connected to the internet. Web traffic returning from the internet is
permitted back into the inside private network by the BROWSING ACL.
 The SURFING ACL is applied inbound and the BROWSING ACL applied outbound
on the R1 G0/0/0 interface, as shown in the output.
 Inside hosts have been accessing the secure web resources from the internet. The show
access-lists command is used to verify the ACL statistics. Notice that the permit secure
HTTPS counters (i.e., eq 443) in the SURFING ACL and the return established
counters in the BROWSING ACL have increased.
8.4 MODIFY ACLs
8.4.1 TWO METHODS TO MODIFY AN ACL

 After an ACL is configured, it may need to be modified. ACLs with multiple ACEs can
be complex to configure. Sometimes the configured ACE does not yield the expected
behaviours. For these reasons, ACLs may initially require a bit of trial and error to
achieve the desired filtering result.
 This section will discuss two methods to use when modifying an ACL:
o Use a Text Editor
o Use Sequence Numbers

8.4.2 TEXT EDITOR METHOD

 ACLs with multiple ACEs should be created in a text editor. This allows you to plan the
required ACEs, create the ACL, and then paste it into the router interface. It also
simplifies the tasks to edit and fix an ACL.
 For example, assume ACL 1 was entered incorrectly using 19 instead of 192 for the
first octet, as shown in the running configuration:

 In the example, the first ACE should have been to deny the host at 192.168.10.10.
However, the ACE was incorrectly entered.
 To correct the error:
o Copy the ACL from the running configuration and paste it into the text editor.
o Make the necessary changes.
o Remove the previously configured ACL on the router. Otherwise, pasting the
edited ACL commands will only append (i.e., add) to the existing ACL ACEs
on the router.
o Copy and paste the edited ACL back to the router.
 Assume that ACL 1 has now been corrected. Therefore, the incorrect ACL must be
deleted, and the corrected ACL 1 statements must be pasted in global configuration
mode, as shown in the output:

8.4.3 SEQUENCE NUMBER METHOD

 An ACL ACE can also be deleted or added using the ACL sequence numbers. Sequence
numbers are automatically assigned when an ACE is entered (in increments of 10 by
default). These numbers are listed in the show access-lists command output. The show
running-config command does not display sequence numbers.
 In the previous example, the incorrect ACE for ACL 1 is using sequence number 10, as
shown in the example:

 Use the ip access-list standard 1 command to enter ACL configuration mode for the
numbered ACL. Statements cannot be overwritten using the same sequence number as an
existing statement. Therefore, the current statement must first be deleted with the no 10
command. Then the correct ACE can be added with sequence number 10 (10 deny host
192.168.10.10). Verify the changes using the show access-lists command, as shown in
the example:

8.5 IMPLEMENT ACLs


8.5.1 ACL CONFIGURATION GUIDELINES

 An ACL is made up of one or more access control entries (ACEs) or statements. When
configuring and applying an ACL, be aware of the guidelines summarized in this list:
o Create an ACL globally and then apply it.
o Remember that every ACL ends with an implicit deny any (standard) or deny ip any
any (extended), so any traffic not explicitly permitted is dropped; an ACL that contains
no permit statement blocks everything.
o Remember that statement order is important because ACLs are processed top-
down.
o As soon as a statement is matched the ACL is exited.
o Always filter from the most specific to the most generic. For example, deny a
specific host and then permit all other hosts.
o Remember that only one ACL is allowed per interface, per protocol, per
direction.
o Remember that new statements for an existing ACL are added to the bottom of
the ACL by default.
o Remember that router-generated packets are not filtered by outbound ACLs.
o Place standard ACLs as close to the destination as possible.
o Place extended ACLs as close to the source as possible.

8.5.2 APPLY AN ACL

 After creating an ACL, the administrator can apply it in a number of different ways.
The command syntax to apply an ACL to an interface is:
Router(config-if)# ip access-group {access-list-number | access-list-name} {in | out}
 The command syntax to apply an ACL to the vty lines is:
Router(config-line)# access-class {access-list-number | access-list-name} {in | out}
Named Standard ACL Example

 The figure below shows a named standard ACL applied to outbound traffic.
Named Extended ACL Example

 This figure shows two named extended ACLs. The SURFING ACL is applied to
inbound traffic and the BROWSING ACL is applied to outbound traffic.
Named ACL on VTY Lines with Logging

 Enabling the log parameter on a Cisco router or switch seriously affects the
performance of that device. The log parameter should only be used when the network is
under attack, and an administrator is trying to determine who the attacker is.
 Applying ACLs to interfaces and lines is just one of their many possible uses. ACLs are
also an integral part of other security configurations, such as network address
translation (NAT), zone-based firewalls, and virtual private networks.

 To remove an ACL from an interface, first enter the no ip access-group interface


configuration command. However, the ACL will still be configured on the router. To
remove the ACL from the router, use the no access-list global configuration command.

8.5.3 WHERE TO PLACE ACLs

 Every ACL should be placed where it is the most efficient.


 The figure illustrates where standard and extended ACLs should be located in an
enterprise network. Assume the objective is to prevent traffic that originates in the
192.168.10.0/24 network from reaching the 192.168.30.0/24 network.

 Extended ACLs should be located as close as possible to the source of the traffic to be
filtered. This way, undesirable traffic is denied close to the source network without
crossing the network infrastructure.
 Standard ACLs should be located as close to the destination as possible. If a standard
ACL was placed at the source of the traffic, the "permit" or "deny" will occur based on
the given source address no matter where the traffic is destined.
 Placement of the ACL and therefore, the type of ACL used, may also depend on a
variety of factors:
 The extent of organizational control: Placement of the ACL can depend on whether or
not the organization has control of both the source and destination networks.
 Bandwidth of the networks involved: It may be desirable to filter unwanted traffic at
the source to prevent transmission of bandwidth-consuming traffic.
 Ease of configuration
o It may be easier to implement an ACL at the destination, but traffic will use
bandwidth unnecessarily.
o An extended ACL could be used on each router where the traffic originated. This
would save bandwidth by filtering the traffic at the source, but it would require
creating extended ACLs on multiple routers.

8.5.4 STANDARD ACL PLACEMENT EXAMPLE

 Following the guidelines for ACL placement, standard ACLs should be located as close
to the destination as possible.
 In the figure, the administrator wants to prevent traffic originating in the
192.168.10.0/24 network from reaching the 192.168.30.0/24 network.

 Following the basic placement guidelines, the administrator would place a standard
ACL on router R3. There are two possible interfaces on R3 to apply the standard ACL:
 R3 S0/1/1 interface (inbound) - The standard ACL can be applied inbound on the R3
S0/1/1 interface to deny traffic from the .10 network. However, it would also filter .10
traffic to the 192.168.31.0/24 (.31 in this example) network. Therefore, the standard
ACL should not be applied to this interface.

 R3 G0/0/0 interface (outbound) - The standard ACL can be applied outbound on the
R3 G0/0/0 interface. This will not affect other networks that are reachable by R3.
Packets from .10 network will still be able to reach the .31 network. This is the best
interface to place the standard ACL to meet the traffic requirements.

8.5.7 EXTENDED ACL PLACEMENT EXAMPLE

 Extended ACLs should be located as close to the source as possible. This prevents
unwanted traffic from being sent across multiple networks only to be denied when it
reaches its destination.
 However, the organization can only place ACLs on devices that they control. Therefore,
the extended ACL placement must be determined in the context of where organizational
control extends.
 In the figure, for example, Company A wants to deny Telnet and FTP traffic to
Company B’s 192.168.30.0/24 network from their 192.168.11.0/24 network while
permitting all other traffic.
 There are several ways to accomplish these goals. An extended ACL on R3 would
accomplish the task, but the administrator does not control R3. In addition, this solution
allows unwanted traffic to cross the entire network, only to be blocked at the
destination. This affects overall network efficiency.
 The solution is to place an extended ACL on R1 that specifies both source and
destination addresses.
 There are two possible interfaces on R1 to apply the extended ACL:
 R1 S0/1/0 interface (outbound) - The extended ACL can be applied outbound on the
S0/1/0 interface. However, this solution will process all packets leaving R1 including
packets from 192.168.10.0/24.
 R1 G0/0/1 interface (inbound) - The extended ACL can be applied inbound on the
G0/0/1 so that only packets from the 192.168.11.0/24 network are subject to ACL
processing on R1. Because the filter is to be limited to only those packets leaving the
192.168.11.0/24 network, applying the extended ACL to G0/0/1 is the best solution.

8.6 MITIGATE ATTACKS WITH ACLs


8.6.1 MITIGATE SPOOFING ATTACKS

 ACLs can be used to mitigate many network threats, such as IP address spoofing and
denial of service (DoS) attacks. Most DoS attacks use some type of spoofing. IP address
spoofing overrides the normal packet creation process by inserting a custom IP header
with a different source IP address. Attackers can hide their identity by spoofing the
source IP address.
 There are many well-known classes of IP addresses that should never be seen as source
IP addresses for traffic entering an organization's network. For example, in the figure
the S0/0/0 interface is attached to the internet and should never accept inbound packets
from the following addresses:
o All zeros addresses
o Broadcast addresses
o Local host addresses (127.0.0.0/8)
o Automatic Private IP Addressing (APIPA) addresses (169.254.0.0/16)
o Reserved private addresses (RFC 1918: 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16)
o IP multicast address range (224.0.0.0/4)
o The organization's own address space (a packet arriving from the internet that
claims an internal source address is spoofed by definition)
 The 192.168.1.0/24 network is attached to the R1 G0/0 interface. This interface should
only allow inbound packets with a source address from that network. The ACL for G0/0
shown in the figure will only permit inbound packets from the 192.168.1.0/24 network.
All others will be discarded. Filtering in this direction also stops inside hosts from
sourcing spoofed packets toward the internet, which is the ingress filtering
recommended by RFC 2827 (BCP 38).

 Inbound on S0/0/0:

 Inbound on G0/0:

8.6.2 PERMIT NECESSARY TRAFFIC THROUGH A FIREWALL

 An effective strategy for mitigating attacks is to explicitly permit only certain types of
traffic through a firewall. For example, Domain Name System (DNS), Simple Mail
Transfer Protocol (SMTP), and File Transfer Protocol (FTP) are services that often
must be allowed through a firewall.
 It is also common to configure a firewall so that it permits administrators remote access
through the firewall.
 Secure Shell (SSH), syslog, and Simple Network Management Protocol (SNMP) are
examples of services that a router may need to include.
 While many of these services are useful, they should be controlled and monitored.
Every service exposed through the firewall is additional attack surface, and exploitation
of a weakly configured service is a common entry point.
 The figure shows an example topology with ACL configurations to permit specific
services on the Serial 0/0/0 interface.
INBOUND ON SERIAL 0/0/0
8.6.3 MITIGATE ICMP ATTACKS

 Hackers can use Internet Control Message Protocol (ICMP) echo packets (pings) to
discover subnets and hosts on a protected network and to generate DoS flood attacks.
Hackers can use ICMP redirect messages to alter host routing tables. Both ICMP echo
and redirect messages should be blocked inbound by the router.
 Several ICMP messages are needed for proper network operation and should be
allowed into the internal network:
o Echo reply - Allows users to ping external hosts.
o Source quench - Requests that the sender decrease the traffic rate of messages.
(Source quench was formally deprecated by RFC 6633 and modern hosts ignore it, so
permitting it today is optional.)
o Unreachable - Generated for packets that are administratively denied by an
ACL; this type also carries the "fragmentation needed" message that path MTU
discovery depends on.
 As a rule, block all other ICMP message types inbound; apply the same principle
(permit only the types that are needed, block the rest) in the outbound direction.
 ACLs are used to block IP address spoofing, selectively permit specific services
through a firewall, and to allow only required ICMP messages.
 The figure shows a sample topology and possible ACL configurations to permit specific
ICMP services on the G0/0 and S0/0/0 interfaces.
INBOUND ON S0/0/0

INBOUND ON G0/0
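The anti-spoofing list of 8.6.1 and the inbound ICMP policy of 8.6.3 together form the first part of the inbound ACL on the internet-facing interface. The following is an added example written for these notes (not code from the lecture or from Cisco) that encodes both as a checkable Python policy and renders the corresponding IOS ACEs. Assumptions: "all zeros addresses" is read as 0.0.0.0/8, the ACL number 150 is arbitrary, and 203.0.113.0/24 is a constructed stand-in for a public network. Because the inside network 192.168.1.0/24 is RFC 1918 space it is already covered by the 192.168.0.0/16 entry; an organisation using public addresses internally would add its own prefix to the list.

```python
"""Ingress filtering for an internet-facing router interface.

Added example for these notes (not lecture or Cisco code). Encodes the
anti-spoofing source list of 8.6.1 and the inbound ICMP allow-list of 8.6.3.
Assumptions: 'all zeros' = 0.0.0.0/8; ACL number 150 is arbitrary;
203.0.113.0/24 stands in for a public network (constructed sample data).
"""
import ipaddress
from typing import List, Optional, Tuple

# Sources that must never arrive from the internet, in the order they are checked.
BOGON_SOURCES = [
    ("all-zeros",          ipaddress.ip_network("0.0.0.0/8")),
    ("broadcast",          ipaddress.ip_network("255.255.255.255/32")),
    ("loopback",           ipaddress.ip_network("127.0.0.0/8")),
    ("apipa",              ipaddress.ip_network("169.254.0.0/16")),
    ("rfc1918-10/8",       ipaddress.ip_network("10.0.0.0/8")),
    ("rfc1918-172.16/12",  ipaddress.ip_network("172.16.0.0/12")),
    ("rfc1918-192.168/16", ipaddress.ip_network("192.168.0.0/16")),
    ("multicast",          ipaddress.ip_network("224.0.0.0/4")),
]

# ICMP types that may enter from the internet (IOS keyword, type number).
ICMP_ALLOWED_INBOUND = [("echo-reply", 0), ("unreachable", 3), ("source-quench", 4)]
ICMP_BLOCKED_INBOUND = [("echo", 8), ("redirect", 5)]   # discovery and route tampering

INSIDE_NET = ipaddress.ip_network("192.168.1.0/24")      # attached to G0/0


def outside_ingress_decision(src: str, proto: str,
                             icmp_type: Optional[int] = None) -> Tuple[str, str]:
    """Decision for one packet arriving inbound on the internet-facing interface."""
    addr = ipaddress.ip_address(src)
    for name, net in BOGON_SOURCES:
        if addr in net:
            return "deny", f"spoofed source ({name})"
    if proto == "icmp":
        if icmp_type in {t for _, t in ICMP_ALLOWED_INBOUND}:
            return "permit", f"icmp type {icmp_type} required for operation"
        return "deny", f"icmp type {icmp_type} blocked inbound"
    return "continue", "falls through to the service-specific ACEs"


def inside_ingress_decision(src: str) -> str:
    """Inbound on G0/0, only packets sourced from the attached network are legitimate."""
    return "permit" if ipaddress.ip_address(src) in INSIDE_NET else "deny"


def _ios_source(net: ipaddress.IPv4Network) -> str:
    """IOS source field: 'host x' for a /32, otherwise 'network wildcard'.
    A network's hostmask is exactly its wildcard mask."""
    if net.prefixlen == 32:
        return f"host {net.network_address}"
    return f"{net.network_address} {net.hostmask}"


def render_ios_acl(number: int = 150) -> List[str]:
    """The anti-spoofing and ICMP portion of the inbound ACL for S0/0/0.
    Deny entries come first; the permits for required services (DNS, SMTP,
    SSH, ...) would follow, and the implicit deny ends the list."""
    lines = [f"access-list {number} deny ip {_ios_source(net)} any"
             for _, net in BOGON_SOURCES]
    lines += [f"access-list {number} permit icmp any any {kw}"
              for kw, _ in ICMP_ALLOWED_INBOUND]
    lines += [f"access-list {number} deny icmp any any {kw}"
              for kw, _ in ICMP_BLOCKED_INBOUND]
    return lines


if __name__ == "__main__":
    for src, proto, icmp in [("10.1.2.3", "tcp", None), ("127.0.0.1", "udp", None),
                             ("203.0.113.7", "icmp", 8), ("203.0.113.7", "icmp", 0),
                             ("203.0.113.7", "tcp", None)]:
        print(f"{src:14} {proto:5} {str(icmp):5} -> {outside_ingress_decision(src, proto, icmp)}")
    print("\n".join(render_ios_acl()))
```

The rendered output is in the order the ACEs must appear: every deny for a spoofed source precedes any permit, because a permit for a service placed above them would let a spoofed packet through on the first match.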

8.6.4 MITIGATE SNMP ATTACKS

 Management protocols, such as SNMP, are useful for remote monitoring and
management of networked devices.
 However, they can still be exploited. If SNMP is necessary, exploitation of SNMP
vulnerabilities can be mitigated by applying interface ACLs to filter SNMP packets
from non-authorized systems.
 An exploit may still be possible if the SNMP packet is sourced from an address that has
been spoofed and is permitted by the ACL.

 These security measures are helpful, but the most effective means of exploitation
prevention is to disable the SNMP server on IOS devices for which it is not required.
 As shown in the figure, use the command no snmp-server to disable SNMP services on
Cisco IOS devices.

8.7 IPv6 ACLs


8.7.1 IPv6 ACL OVERVIEW

 In recent years, many networks have begun the transition to an IPv6 environment. Part
of the need for the transition to IPv6 is because of the inherent weaknesses in IPv4,
above all the exhaustion of its address space.
 Unfortunately, as the migration to IPv6 continues, IPv6 attacks are becoming more
pervasive.
 IPv4 will not disappear overnight. IPv4 will coexist with IPv6 and then gradually be
replaced by IPv6.
 This period of coexistence creates potential security holes.
 An example of a security concern is threat actors leveraging IPv4 to exploit IPv6 in dual
stack environments.
 Dual stack is an integration method in which a device has connectivity to both IPv4 and
IPv6 networks.
 In a dual stack environment devices operate with two IP protocol stacks at once. An
IPv6 stack that is enabled by default but not managed or filtered is a common blind spot.

 Threat actors can accomplish stealth attacks that result in trust exploitation by using
dual-stacked hosts, rogue Neighbor Discovery Protocol (NDP) messages, and tunneling
techniques.
 Teredo tunneling, for example, is an IPv6 transition technology that provides IPv6
connectivity and automatic IPv6 address assignment to hosts located behind IPv4
network address translation (NAT) devices.
 It accomplishes this by embedding the IPv6 packets inside IPv4 UDP packets, which
pass through IPv4 firewalls that do not inspect the encapsulated traffic. In the attack
shown in the figure, the threat actor first gains a foothold in the IPv4 network. The
compromised host then sends rogue router advertisements (RAs), which trigger dual
stacked hosts to obtain an IPv6 address and to treat the attacker's host as their IPv6
default router.
 The threat actor can then use this foothold to move around, or pivot, inside the network.
The threat actor can compromise additional hosts before sending traffic back out of the
network, as shown in the figure.

 It is necessary to develop and implement a strategy to mitigate attacks against IPv6


infrastructures and protocols. This mitigation strategy should include filtering at the
edge using various techniques, such as IPv6 ACLs.

8.7.2 IPv6 ACL SYNTAX

 The ACL functionality in IPv6 is similar to ACLs in IPv4. However, there is no
equivalent to IPv4 standard ACLs.
 In addition, all IPv6 ACLs must be configured with a name.
 IPv6 ACLs allow filtering based on source and destination addresses that are traveling
inbound and outbound to a specific interface.
 They also support traffic filtering based on IPv6 option headers and optional, upper-
layer protocol type information for finer granularity of control, similar to extended
ACLs in IPv4.
 To configure an IPv6 ACL, use the ipv6 access-list access-list-name global
configuration command to enter IPv6 ACL configuration mode.
 Next, configure each access list entry to specifically permit or deny traffic. A simplified
version of the ACE syntax is:
Router(config-ipv6-acl)# {deny | permit} protocol {source-ipv6-prefix/prefix-length | any | host source-ipv6-address} [operator [port-number]] {destination-ipv6-prefix/prefix-length | any | host destination-ipv6-address} [operator [port-number]] [dscp value] [fragments] [log] [log-input] [sequence value] [time-range name]
 There are additional options beyond those shown. It should be clear from the provided
syntax that IPv6 ACLs are considerably more flexible than IPv4 ACLs.
 Apply an IPv6 ACL to an interface with the ipv6 traffic-filter access-list-name {in | out}
interface configuration command.
 Note: An IPv6 ACL ends with an implicit deny ipv6 any any, but unlike IPv4 it is
preceded by two implicit permit statements (permit icmp any any nd-na and permit icmp
any any nd-ns) so that Neighbor Discovery keeps working. Adding an explicit deny ipv6
any any at the end removes those implicit permits and breaks NDP on the interface
unless the nd-na and nd-ns messages are permitted explicitly above it.

Parameter / Description

deny | permit
    Specifies whether to deny or permit the packet.
protocol
    Enter the name or number of an Internet protocol, or an integer representing an IPv6 protocol number.
source-ipv6-prefix/prefix-length, destination-ipv6-address/prefix-length
    The source or destination IPv6 network or class of networks for which to set deny or permit conditions.
any
    Enter any as an abbreviation for the IPv6 prefix ::/0. This matches all addresses.
host address
    For host source-ipv6-address or host destination-ipv6-address, enter the source or destination IPv6 host address for which to set deny or permit conditions.
operator
    (Optional) An operand that compares the source or destination ports of the specified protocol. Operands are lt (less than), gt (greater than), eq (equal), neq (not equal), and range.
port-number
    (Optional) A decimal number or the name of a TCP or UDP port for filtering TCP or UDP, respectively.
dscp
    (Optional) Matches a differentiated services codepoint value against the traffic class value in the Traffic Class field of each IPv6 packet header. The acceptable range is from 0 to 63.
fragments
    (Optional) Matches non-initial fragmented packets where the fragment extension header contains a non-zero fragment offset. The fragments keyword is an option only if the operator [port-number] arguments are not specified. When this keyword is used, it also matches when the first fragment does not have Layer 4 information.
log
    (Optional) Causes an informational logging message about the packet that matches the entry to be sent to the console. (The level of messages logged to the console is controlled by the logging console command.)
log-input
    (Optional) Provides the same function as the log keyword, except that the logging message also includes the input interface.
sequence value
    (Optional) Specifies the sequence number value for the access list statement. The acceptable range is from 1 to 4294967295.
time-range name
    (Optional) Specifies the time range that applies to the permit statement. The name of the time range and its restrictions are specified by the time-range and absolute or periodic commands, respectively.

8.7.3 CONFIGURE IPv6 ACLs

• An IPv6 ACL contains an implicit deny ipv6 any any.
• Each IPv6 ACL also contains implicit permit rules to enable IPv6 neighbor discovery.
• The IPv6 Neighbor Discovery Protocol (NDP) requires the use of the IPv6 network layer to send neighbor advertisements (NAs) and neighbor solicitations (NSs).
• If an administrator configures the deny ipv6 any any command without explicitly permitting neighbor discovery, then NDP will be disabled.
• In the figure, R1 is permitting inbound traffic on G0/0 from the 2001:DB8:1:1::/64 network. NA and NS packets are explicitly permitted. Traffic sourced from any other IPv6 address is explicitly denied. If the administrator only configured the first permit statement, the ACL would have the same effect. However, it is a good practice to document the implicit statements by explicitly configuring them.
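As an added example (not Cisco code and not part of the original notes), the Python model below evaluates an IPv6 ACL the way the text describes: ACEs are checked in order, the two implicit neighbor discovery permits and the implicit deny are appended after the configured entries, and so an explicit deny ipv6 any any with no ND permits ahead of it blocks NS/NA. The ACL and the 2001:DB8:1:1::/64 prefix are the ones from the text; the packet addresses are constructed sample values.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# ICMPv6 message types used by Neighbor Discovery (RFC 4861).
ND_NS, ND_NA = 135, 136   # IOS keywords nd-ns and nd-na


@dataclass(frozen=True)
class Packet:
    src: str                         # source IPv6 address
    dst: str                         # destination IPv6 address
    proto: str                       # "icmp", "tcp", "udp", ...
    icmp_type: Optional[int] = None  # ICMPv6 type when proto == "icmp"


@dataclass(frozen=True)
class Ace:
    action: str                      # "permit" or "deny"
    proto: str                       # "ipv6" matches any protocol
    src: str                         # prefix in CIDR form, or "any" (::/0)
    dst: str
    icmp_type: Optional[int] = None  # e.g. ND_NA for "permit icmp any any nd-na"

    def matches(self, pkt: "Packet") -> bool:
        if self.proto != "ipv6" and self.proto != pkt.proto:
            return False
        if self.icmp_type is not None and self.icmp_type != pkt.icmp_type:
            return False
        return in_prefix(pkt.src, self.src) and in_prefix(pkt.dst, self.dst)


def in_prefix(addr: str, prefix: str) -> bool:
    if prefix == "any":
        return True
    return ipaddress.IPv6Address(addr) in ipaddress.IPv6Network(prefix, strict=False)


# Entries IOS appends implicitly to every IPv6 ACL, in this order, after the
# configured ACEs: the ND permits first, then the implicit deny.
IMPLICIT_TAIL = (
    Ace("permit", "icmp", "any", "any", ND_NA),   # permit icmp any any nd-na
    Ace("permit", "icmp", "any", "any", ND_NS),   # permit icmp any any nd-ns
    Ace("deny", "ipv6", "any", "any"),            # deny ipv6 any any
)


def evaluate(acl, pkt: Packet) -> str:
    """Return the action of the first ACE (configured, then implicit) that matches."""
    for ace in tuple(acl) + IMPLICIT_TAIL:
        if ace.matches(pkt):
            return ace.action
    raise AssertionError("unreachable: the implicit deny matches every packet")


# The ACL from the text, applied inbound on G0/0 of R1, with the implicit
# entries documented explicitly.
LAN_IN = [
    Ace("permit", "ipv6", "2001:DB8:1:1::/64", "any"),
    Ace("permit", "icmp", "any", "any", ND_NA),
    Ace("permit", "icmp", "any", "any", ND_NS),
    Ace("deny", "ipv6", "any", "any"),
]

# The misconfiguration the text warns about: deny everything without first
# permitting neighbor discovery.
DENY_ALL_ONLY = [Ace("deny", "ipv6", "any", "any")]

# Constructed sample packets. ND is sourced from a link-local address, so it
# falls outside 2001:DB8:1:1::/64 and relies on the ND permits.
TCP_FROM_LAN = Packet("2001:DB8:1:1::20", "2001:DB8:9::1", "tcp")
TCP_FROM_ELSEWHERE = Packet("2001:DB8:2::10", "2001:DB8:9::1", "tcp")
NS_LINK_LOCAL = Packet("FE80::1", "FF02::1:FF00:20", "icmp", ND_NS)
```

Evaluating NS_LINK_LOCAL against LAN_IN, against only its first permit, and against an empty ACL all yield permit, while DENY_ALL_ONLY yields deny: the explicit deny shadows the implicit ND permits.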

8.8 ACCESS CONTROL LISTS SUMMARY


8.8.1 WHAT DID I LEARN IN THIS MODULE?
INTRODUCTION TO ACCESS CONTROL LISTS

• An ACL is a series of IOS commands that are used to filter packets based on information found in the packet header. By default, a router does not have any ACLs configured. An ACL uses a sequential list of permit or deny statements, known as ACEs. The packet filtering process occurs when network traffic passes through an interface configured with an ACL, and the router compares the information within the packet against each ACE, in sequential order, to determine if the packet matches one of the ACEs. Packet filtering can occur at Layer 3 or Layer 4. Cisco routers support standard ACLs and extended ACLs. ACLs numbered 1 to 99, or 1300 to 1999, are standard ACLs, while ACLs numbered 100 to 199, or 2000 to 2699, are extended ACLs. Named ACLs are the preferred method to use when configuring ACLs. The name provides information about the purpose of the ACL. ACLs define the set of rules that give added control for packets that enter inbound interfaces, packets that relay through the router, and packets that exit outbound interfaces of the router.
WILDCARD MASKING

• An IPv4 ACE uses a 32-bit wildcard mask to determine which bits of the address to examine for a match. Wildcard masks are also used by the OSPF routing protocol. A wildcard mask is similar to a subnet mask in that it uses the ANDing process to identify which bits in an IPv4 address to match. However, they differ in the way they match binary 1s and 0s. Unlike a subnet mask, in which binary 1 is equal to a match and binary 0 is not a match, in a wildcard mask, the reverse is true. One shortcut method to calculate wildcard masks is to subtract the subnet mask from 255.255.255.255. The Cisco IOS provides two keywords, host and any, to simplify the most common uses of wildcard masking. Keywords reduce ACL keystrokes and make it easier to read the ACE.
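An added Python implementation (not from the notes or from Cisco) of the wildcard-mask arithmetic above: the subtraction shortcut, the inverse-of-subnet-mask matching rule, and the host/any keyword expansions. The sample addresses are constructed, and the matcher also handles wildcards that are not derived from a subnet mask, such as 0.0.1.255.

```python
def dotted_to_int(dotted: str) -> int:
    """Parse dotted-decimal IPv4 notation into a 32-bit integer."""
    octets = [int(o) for o in dotted.split(".")]
    if len(octets) != 4 or any(not 0 <= o <= 255 for o in octets):
        raise ValueError(f"bad IPv4 dotted-decimal value: {dotted}")
    return int.from_bytes(bytes(octets), "big")


def int_to_dotted(value: int) -> str:
    return ".".join(str(b) for b in value.to_bytes(4, "big"))


def wildcard_from_subnet_mask(subnet_mask: str) -> str:
    """Shortcut from the text: wildcard = 255.255.255.255 - subnet mask."""
    return int_to_dotted(0xFFFFFFFF - dotted_to_int(subnet_mask))


def ace_matches(address: str, ace_address: str, wildcard: str) -> bool:
    """Wildcard 0 bits must match; 1 bits are ignored (the inverse of a subnet mask).

    Inverting the wildcard gives the bits that are compared, which is then the
    same ANDing step a subnet mask uses.
    """
    care = 0xFFFFFFFF ^ dotted_to_int(wildcard)
    return (dotted_to_int(address) & care) == (dotted_to_int(ace_address) & care)


def expand_keyword(token: str) -> tuple:
    """Map the IOS shortcuts: 'any' -> 0.0.0.0 255.255.255.255, 'host A' -> A 0.0.0.0."""
    parts = token.split()
    if parts == ["any"]:
        return ("0.0.0.0", "255.255.255.255")
    if len(parts) == 2 and parts[0] == "host":
        return (parts[1], "0.0.0.0")
    raise ValueError(f"not a keyword form: {token}")
```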
CONFIGURING ACLs

• When configuring a complex ACL, it is suggested that you use a text editor and write out the specifics of the policy to be implemented, add the IOS configuration commands to accomplish those tasks, include remarks to document the ACL, and copy and paste the commands onto the device. Always thoroughly test an ACL to ensure that it correctly applies the desired policy. To create a numbered standard ACL, use the command access-list access-list-number {deny | permit | remark text} source [source-wildcard] [log]. To create a named standard ACL, use the command ip access-list standard access-list-name. ACL names are alphanumeric, case sensitive, and must be unique. The procedural steps for configuring extended ACLs are the same as for standard ACLs. The command to apply an extended IPv4 ACL to an interface is the same as the command used for standard IPv4 ACLs: ip access-group {access-list-number | access-list-name} {in | out}. Extended ACLs can filter on many different types of internet protocols and ports. An extended ACL can also perform basic stateful firewall services using the TCP established keyword. The keyword enables inside traffic to exit the inside private network and permits the returning reply traffic to enter the inside private network.
MODIFYING ACLs

• ACLs with multiple ACEs should be created in a text editor. This allows you to plan the required ACEs, create the ACL, and then paste it into the router interface, and makes editing the ACL simpler. An ACL ACE can also be deleted or added using the ACL sequence numbers. Sequence numbers are automatically assigned when an ACE is entered. These numbers are listed in the show access-lists command.
IMPLEMENTING ACLs

• When configuring and applying an ACL, be aware of the guidelines summarized in this list:
o Create an ACL globally and then apply it.
o Ensure the last statement is an implicit deny any or deny ip any any.
o Remember that statement order is important because ACLs are processed top-down.
o As soon as a statement is matched, the ACL is exited.
o Always filter from the most specific to the most generic. For example, deny a specific host and then permit all other hosts.
o Remember that only one ACL is allowed per interface, per protocol, per direction.
o Remember that new statements for an existing ACL are added to the bottom of the ACL by default.
o Remember that router-generated packets are not filtered by outbound ACLs.
o Place standard ACLs as close to the destination as possible.
o Place extended ACLs as close to the source as possible.

• Every ACL should be placed where it is the most efficient. Extended ACLs should be located as close as possible to the source of the traffic to be filtered. Standard ACLs should be located as close to the destination as possible. Factors influencing ACL placement include the extent of organizational control, bandwidth of the networks involved, and ease of configuration.
MITIGATE ATTACKS WITH ACLs

• ACLs can be used to mitigate many network threats, such as IP address spoofing and DoS attacks. An effective strategy for mitigating attacks is to explicitly permit only certain types of traffic through a firewall. Both ICMP echo and redirect messages should be blocked inbound by the router. If SNMP is necessary, exploitation of SNMP vulnerabilities can be mitigated by applying interface ACLs to filter SNMP packets from non-authorized systems. Several ICMP messages are recommended for proper network operation and should be allowed into the internal network, including echo reply, source quench, and unreachable. Several ICMP messages should be allowed to exit the network, including echo, parameter problem, packet too big, and source quench. As a rule, block all other ICMP message types outbound.
IPv6 ACLs

• IPv6 has several features that meet modern-day network requirements: IPsec, Mobile IP, RSVP, and address scalability. Dual stack is an integration method in which a device has connectivity to both IPv4 and IPv6 networks. In a dual stack environment, devices operate with two IP protocol stacks. Attackers can accomplish stealth attacks that result in trust exploitation by using dual-stacked hosts, rogue NDP messages, and tunneling techniques. To mitigate attacks against IPv6 infrastructures and protocols, the strategy should include filtering at the edge using various techniques, such as IPv6 ACLs. The ACL functionality in IPv6 is similar to ACLs in IPv4. However, there is no equivalent to IPv4 standard ACLs. In addition, all IPv6 ACLs must be configured with a name. IPv6 ACLs allow filtering based on source and destination addresses that are traveling inbound and outbound to a specific interface. They also support traffic filtering based on IPv6 option headers and optional, upper-layer protocol type information for finer granularity of control, similar to extended ACLs in IPv4.

MODULE 9
9.1 SECURE NETWORKS WITH FIREWALLS
9.1.1 FIREWALLS

• Firewall = a system, or group of systems, that enforces an access control policy between networks
Common Firewall Properties

• All firewalls share some common properties:
o They are resistant to network attacks
o They are the only transit point between internal corporate networks and external networks because all traffic flows through the firewall
o They enforce the access control policy

Firewall Benefits

• There are several benefits of using a firewall in a network:
o They prevent the exposure of sensitive hosts, resources, and applications to untrusted users
o They sanitize protocol flow, which prevents the exploitation of protocol flaws
o They block malicious data from servers and clients
o They reduce security management complexity by off-loading most of the network access control to a few firewalls in the network
Firewall Limitations

• Firewalls also have some limitations:
o A misconfigured firewall can have serious consequences for the network, such as becoming a single point of failure
o The data from many applications cannot be passed over firewalls securely
o Users might proactively search for ways around the firewall to receive blocked material, which exposes the network to potential attack
o Network performance can slow down
o Unauthorized traffic can be tunnelled or hidden as legitimate traffic through the firewall

9.1.2 TYPES OF FIREWALLS

• It is important to understand the different types of firewalls and their specific capabilities so that the right firewall is used for each situation:
Packet Filtering (Stateless) Firewall

• Packet filtering firewalls are usually part of a router firewall, which permits or denies traffic based on Layer 3 and Layer 4 information. They are stateless firewalls that use a simple policy table look-up that filters traffic based on specific criteria.
• For example, SMTP servers listen to port 25 by default. An administrator can configure the packet filtering firewall to block port 25 from a specific workstation to prevent it from broadcasting an email virus.
Stateful Firewall

• Stateful firewalls are the most versatile and the most common firewall technologies in use. Stateful firewalls provide stateful packet filtering by using connection information maintained in a state table. Stateful filtering is a firewall architecture that is classified at the network layer. It also analyses traffic at OSI Layer 4 and Layer 5.
Application Gateway Firewall
• An application gateway firewall (proxy firewall), as shown in the figure, filters information at Layers 3, 4, 5, and 7 of the OSI reference model. Most of the firewall control and filtering is done in software. When a client needs to access a remote server, it connects to a proxy server. The proxy server connects to the remote server on behalf of the client. Therefore, the server only sees a connection from the proxy server.
Next Generation Firewall

• Next-generation firewalls (NGFW) go beyond stateful firewalls by providing:
o Integrated intrusion prevention
o Application awareness and control to see and block risky apps
o Upgrade paths to include future information feeds
o Techniques to address evolving security threats

Host-based (server and personal) Firewall

• A PC or server with firewall software running on it

Transparent Firewall

• Filters IP traffic between a pair of bridged interfaces

Hybrid Firewall

• A combination of the various firewall types. For example, an application inspection firewall combines a stateful firewall with an application gateway firewall

9.1.4 PACKET FILTERING FIREWALL BENEFITS AND LIMITATIONS

• Packet filtering firewalls are usually part of a router firewall, which permits or denies traffic based on Layer 3 and Layer 4 information.
• They are stateless firewalls that use a simple policy table look-up that filters traffic based on specific criteria, as shown in the figure.
• For example, SMTP servers listen to port 25 by default. An administrator can configure the packet filtering firewall to block port 25 from a specific workstation to prevent it from broadcasting an email virus.
• There are several advantages of using a packet filtering firewall:
o Packet filters implement simple permit or deny rule sets
o Packet filters have a low impact on network performance
o Packet filters are easy to implement, and are supported by most routers
o Packet filters provide an initial degree of security at the network layer
o Packet filters perform almost all the tasks of a high-end firewall at a much lower cost

• Packet filters do not represent a complete firewall solution, but they are an important element of a firewall security policy. There are several disadvantages of using a packet filtering firewall:
o Packet filters are susceptible to IP spoofing. Threat actors can send arbitrary packets that meet ACL criteria and pass through the filter.
o Packet filters do not reliably filter fragmented packets. Because fragmented IP packets carry the TCP header in the first fragment and packet filters filter on TCP header information, all fragments after the first fragment are passed unconditionally. Decisions to use packet filters assume that the filter of the first fragment accurately enforces the policy.
o Packet filters use complex ACLs, which can be difficult to implement and maintain.
o Packet filters cannot dynamically filter certain services. For example, sessions that use dynamic port negotiations are difficult to filter without opening access to a whole range of ports.
• Packet filters are stateless. They examine each packet individually rather than in the context of the state of a connection.

9.1.5 STATEFUL FIREWALL BENEFITS AND LIMITATIONS

• There are several benefits to using a stateful firewall in a network:
o Stateful firewalls are often used as a primary means of defence by filtering unwanted, unnecessary, or undesirable traffic.
o Stateful firewalls strengthen packet filtering by providing more stringent control over security.
o Stateful firewalls improve performance over packet filters or proxy servers.
o Stateful firewalls defend against spoofing and DoS attacks by determining whether packets belong to an existing connection or are from an unauthorized source.
o Stateful firewalls provide more log information than a packet filtering firewall.
• Stateful firewalls also present some limitations:
o Stateful firewalls cannot prevent application layer attacks because they do not examine the actual contents of the HTTP connection.
o Not all protocols are stateful. For example, UDP and ICMP do not generate connection information for a state table, and, therefore, do not garner as much support for filtering.
o It is difficult to track connections that use dynamic port negotiation. Some applications open multiple connections. This requires a whole new range of ports that must be opened to allow this second connection.
o Stateful firewalls do not support user authentication.

Benefits                                    Limitations
Primary means of defence                    No Application Layer inspection
Strong packet filtering                     Limited tracking of stateless protocols
Improved performance over packet filters    Difficult to defend against dynamic port negotiation
Defends against spoofing and DoS attacks    No authentication support
Richer data log

9.2 FIREWALLS IN NETWORK DESIGN


9.2.1 COMMON SECURITY ARCHITECTURES

• Firewall design is primarily about device interfaces permitting or denying traffic based on the source, the destination, and the type of traffic.
• Some designs are as simple as designating an outside network and inside network, which are determined by two interfaces on a firewall.
• Here are three common firewall designs:
Private and Public

• As shown in the figure, the public network (or outside network) is untrusted, and the private network (or inside network) is trusted.
• Typically, a firewall with two interfaces is configured as follows:
o Traffic originating from the private network is permitted and inspected as it travels toward the public network. Inspected traffic returning from the public network and associated with traffic that originated from the private network is permitted.
o Traffic originating from the public network and traveling to the private network is generally blocked.
Demilitarised Zone

• A demilitarized zone (DMZ) is a firewall design where there is typically one inside interface connected to the private network, one outside interface connected to the public network, and one DMZ interface, as shown in the figure.
o Traffic originating from the private network is inspected as it travels toward the public or DMZ network. This traffic is permitted with little or no restriction. Inspected traffic returning from the DMZ or public network to the private network is permitted.
o Traffic originating from the DMZ network and traveling to the private network is usually blocked.
o Traffic originating from the DMZ network and traveling to the public network is selectively permitted based on service requirements.
o Traffic originating from the public network and traveling toward the DMZ is selectively permitted and inspected. This type of traffic is typically email, DNS, HTTP, or HTTPS traffic. Return traffic from the DMZ to the public network is dynamically permitted.
o Traffic originating from the public network and traveling to the private network is blocked.
Zone-Based Policy Firewalls

• Zone-based policy firewalls (ZPFs) use the concept of zones to provide additional flexibility.
• A zone is a group of one or more interfaces that have similar functions or features.
• Zones help you specify where a Cisco IOS firewall rule or policy should be applied.
• In the figure, security policies for LAN 1 and LAN 2 are similar and can be grouped into a zone for firewall configurations.
• By default, the traffic between interfaces in the same zone is not subject to any policy and passes freely. However, all zone-to-zone traffic is blocked. In order to permit traffic between zones, a policy allowing or inspecting traffic must be configured.

• The only exception to this default deny any policy is the router self zone.
• The self zone is the router itself and includes all the router interface IP addresses.
• Policy configurations that include the self zone would apply to traffic destined to and sourced from the router. By default, there is no policy for this type of traffic.
• Traffic that should be considered when designing a policy for the self zone includes management plane and control plane traffic, such as SSH, SNMP, and routing protocols.

9.2.2 LAYERED DEFENCE

• A layered defence uses different types of firewalls that are combined in layers to add depth to the security of an organization.
• Policies can be enforced between the layers and inside the layers.
• These policy enforcement points determine whether traffic is forwarded or discarded.
• For example, traffic that comes in from the untrusted network first encounters a packet filter on the edge router. If allowed by the policy, the traffic goes to the screened firewall or bastion host system that applies more rules to the traffic and discards suspect packets.
• A bastion host is a hardened computer that is typically located in the DMZ. Then the traffic goes to an interior screening router. The traffic moves to the internal destination host only after successfully passing through all policy enforcement points between the outside router and the inside network. This type of DMZ setup is called a screened subnet configuration.
• A layered defence approach is not all that is needed to ensure a safe internal network. A network administrator must consider many factors when building a complete in-depth defence:
o Firewalls typically do not stop intrusions that come from hosts within a network or zone.
o Firewalls do not protect against rogue access point installations.
o Firewalls do not replace backup and disaster recovery mechanisms resulting from attack or hardware failure.
o Firewalls are no substitute for informed administrators and users.

Considerations for Layered Network Defence


1. Network Core security: protects against malicious software and traffic anomalies,
enforces network policies, and ensures survivability
2. Perimeter security: secures boundaries between zones
3. Communications security: provides information assurance
4. Endpoint security: provides identity and device security policy compliance
Partial List of Best Practices

• This partial list of best practices can serve as a starting point for a firewall security policy:
o Position firewalls at security boundaries. Firewalls are a critical part of network security, but it is unwise to rely exclusively on a firewall for security.
o Deny all traffic by default.
o Permit only services that are needed.
o Ensure that physical access to the firewall is controlled.
o Regularly monitor firewall logs.
o Practice change management for firewall configuration changes.
o Remember that firewalls primarily protect from technical attacks originating from the outside.

9.3 WHAT DID I LEARN IN THIS MODULE?


9.3.1 WHAT DID I LEARN IN THIS MODULE?
Secure Networks with Firewalls

• There are several different types of firewalls.
• Packet filtering (stateless) firewalls provide Layer 3 and sometimes Layer 4 filtering.
• A stateful inspection firewall allows or blocks traffic based on state, port, and protocol.
• Application gateway firewalls (proxy firewall) filter information at Layers 3, 4, 5, and 7.
• Next-generation firewalls provide additional services beyond application gateways such as integrated intrusion prevention, application awareness and control to see and block risky apps, access to future information feeds, and techniques to address evolving security threats.
Firewalls in Network Designs
• Common security architectures define the boundaries of traffic entering and leaving the network.
• When looking at a topology that has access to outside or public networks, you should be able to determine the security architecture.
• Some designs are as simple as designating an outside network and inside network which are determined by two interfaces on a firewall.
• Networks that require public access to services will often include a DMZ that the public can access, while strictly blocking access to the inside network.
• ZPFs use the concept of zones to provide additional flexibility. A zone is a group of one or more interfaces that have similar functions, features, and security requirements.
• A layered security approach uses firewalls and other security measures to provide security at different functional layers of the network.

MODULE 10
10.1 ZPF OVERVIEW
10.1.1 BENEFITS OF A ZPF

• There are two configuration models for Cisco IOS Firewall:
o Classic Firewall - The traditional configuration model in which firewall policy is applied on interfaces.
o Zone-based Policy Firewall (ZPF) - The configuration model in which interfaces are assigned to security zones, and firewall policy is applied to traffic moving between the zones.
• If an additional interface is added to the private zone, the hosts connected to the new interface in the private zone can pass traffic to all hosts on the existing interface in the same zone. A simple three-zone network is shown in the figure.

• The primary motivations for network security professionals to migrate to the ZPF model are structure and ease of use.
• The structured approach is useful for documentation and communication. The ease of use makes network security implementations more accessible to a larger community of security professionals.
• There are several benefits of a ZPF:
o It is not dependent on ACLs.
o The router security posture is to block unless explicitly allowed.
o Policies are easy to read and troubleshoot with the Cisco Common Classification Policy Language (C3PL). C3PL is a structured method to create traffic policies based on events, conditions, and actions. This provides scalability because one policy affects any given traffic, instead of needing multiple ACLs and inspection actions for different types of traffic.
o Virtual and physical interfaces can be grouped into zones.
o Policies are applied to unidirectional traffic between zones.
• When deciding whether to implement IOS Classic Firewall or a ZPF, it is important to note that both configuration models can be enabled concurrently on a router.
• However, the models cannot be combined on a single interface. For example, an interface cannot be simultaneously configured as a security zone member and for IP inspection.
10.1.2 ZPF DESIGN

• Designing ZPFs involves several steps:
• Step 1. Determine the zones - The administrator focuses on the separation of the network into zones. Zones establish the security borders of a network. A zone defines a boundary where traffic is subjected to policy restrictions as it crosses to another region of the network. For example, the public network would be one zone and the internal network would be another zone.
• Step 2. Establish policies between zones - For each pair of "source-destination" zones (for example, from the inside network to the outside internet), define the sessions that clients in the source zones can request from servers in destination zones. These sessions are most often TCP and UDP sessions, but may also be ICMP sessions, such as ICMP echo. For traffic that is not based on the concept of sessions, the administrator must define unidirectional traffic flows from source to destination and vice versa. Policies are unidirectional and are defined based on source and destination zones, which are known as zone pairs.
• Step 3. Design the physical infrastructure - After the zones have been identified, and the traffic requirements between them documented, the administrator must design the physical infrastructure. The administrator must take into account security and availability requirements when designing the physical infrastructure. This includes dictating the number of devices between most-secure and least-secure zones and determining redundant devices.
• Step 4. Identify subsets within zones and merge traffic requirements - For each firewall device in the design, the administrator must identify zone subsets that are connected to its interfaces and merge the traffic requirements for those zones. For example, multiple zones might be indirectly attached to a single interface of a firewall. This would result in a device-specific interzone policy. Although an important consideration, implementing zone subsets is beyond the scope of this curriculum.

10.2 ZPF OPERATION


10.2.1 ZPF ACTIONS

• Policies identify actions that the ZPF will perform on network traffic. Three possible actions can be configured to process traffic by protocol, source and destination zones (zone pairs), and other criteria.
o Inspect - This performs Cisco IOS stateful packet inspection.
o Drop - This is analogous to a deny statement in an ACL. A log option is available to log the rejected packets.
o Pass - This is analogous to a permit statement in an ACL. The pass action does not track the state of connections or sessions within the traffic.
10.2.2 RULES FOR TRANSIT TRAFFIC

• Traffic transiting through router interfaces is subject to several rules governing interface behaviour. For the transit traffic example, refer to the topology shown in the figure.
Basic Security Zone Topology

• The rules depend on whether or not the ingress and egress interfaces are members of the same zone:
• If neither interface is a zone member, then the resulting action is to pass the traffic.
• If both interfaces are members of the same zone, then the resulting action is to pass the traffic.
• If one interface is a zone member, but the other is not, then the resulting action is to drop the traffic regardless of whether a zone-pair exists.
• If both interfaces belong to the same zone-pair and a policy exists, then the resulting action is inspect, allow, or drop as defined by the policy.
• The table summarises these rules:

Source Interface     Destination Interface   Zone-Pair   Policy    Result
Member of Zone?      Member of Zone?         Exists?     Exists?
NO                   NO                      N/A         N/A       PASS
YES                  NO                      N/A         N/A       DROP
NO                   YES                     N/A         N/A       DROP
YES (private)        YES (private)           N/A         N/A       PASS
YES (private)        YES (public)            NO          N/A       DROP
YES (private)        YES (public)            YES         NO        PASS
YES (private)        YES (public)            YES         YES       INSPECT

10.2.3 RULES FOR TRAFFIC TO THE SELF ZONE

• The self zone is the router itself and includes all of the IP addresses assigned to the router interfaces.
• This is traffic that originates at the router or is addressed to a router interface. Specifically, the traffic is either for device management, for example SSH, or traffic forwarding control, such as routing protocol traffic.
• The rules for a ZPF are different for the self zone. For the self zone traffic example, refer to the topology shown in the previous figure.
• The rules depend on whether the router is the source or the destination of the traffic, as shown in the table.
• If the router is the source or the destination, then all traffic is permitted. The only exception is if the source and destination are a zone-pair with a specific service-policy. In that case, the policy is applied to all traffic.

Source Interface     Destination Interface   Zone-Pair   Policy    Result
Member of Zone?      Member of Zone?         Exists?     Exists?
YES (self zone)      YES                     NO          N/A       PASS
YES (self zone)      YES                     YES         NO        PASS
YES (self zone)      YES                     YES         YES       INSPECT
YES                  YES (self zone)         NO          N/A       PASS
YES                  YES (self zone)         YES         NO        PASS
YES                  YES (self zone)         YES         YES       INSPECT
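As an added example (not Cisco code and not part of the notes), the Python function below encodes the transit-traffic rules and the self-zone rules from the two tables above and checks itself against rows transcribed from them. It goes slightly beyond the tables by returning the service-policy's own action (inspect, pass or drop) wherever the table shows INSPECT; the zone names "private" and "public" are constructed.

```python
from typing import Optional

SELF_ZONE = "self"   # the router itself: all of its own interface addresses


def zpf_action(src_zone: Optional[str], dst_zone: Optional[str],
               zone_pair_exists: bool, policy_action: Optional[str]) -> str:
    """Decide what the ZPF does with one flow.

    src_zone / dst_zone: zone of the ingress / egress interface, None when the
    interface is not a zone member, SELF_ZONE when the router itself is the
    endpoint.  policy_action: the action of the service-policy attached to the
    zone-pair ("inspect", "pass" or "drop"), or None when no policy exists.
    """
    policy_applies = zone_pair_exists and policy_action is not None

    # Self-zone rules: traffic to or from the router passes unless a zone-pair
    # with a service-policy covers it, in which case the policy decides.
    if src_zone == SELF_ZONE or dst_zone == SELF_ZONE:
        return policy_action.upper() if policy_applies else "PASS"

    # Transit rules, in the order the text states them.
    if src_zone is None and dst_zone is None:
        return "PASS"          # neither interface is in a zone
    if src_zone is None or dst_zone is None:
        return "DROP"          # exactly one side is in a zone, zone-pair or not
    if src_zone == dst_zone:
        return "PASS"          # intra-zone traffic is not subject to policy
    if not zone_pair_exists:
        return "DROP"          # zone-to-zone traffic is blocked by default
    if policy_action is None:
        return "PASS"          # zone-pair defined but no service-policy attached
    return policy_action.upper()


# Rows transcribed from the two tables in the text:
# (source zone, destination zone, zone-pair exists, policy action, expected result).
# N/A cells are encoded as False / None; unnamed zones use the constructed name "private".
TRANSIT_TABLE = [
    (None, None, False, None, "PASS"),
    ("private", None, False, None, "DROP"),
    (None, "private", False, None, "DROP"),
    ("private", "private", False, None, "PASS"),
    ("private", "public", False, None, "DROP"),
    ("private", "public", True, None, "PASS"),
    ("private", "public", True, "inspect", "INSPECT"),
]
SELF_ZONE_TABLE = [
    (SELF_ZONE, "private", False, None, "PASS"),
    (SELF_ZONE, "private", True, None, "PASS"),
    (SELF_ZONE, "private", True, "inspect", "INSPECT"),
    ("private", SELF_ZONE, False, None, "PASS"),
    ("private", SELF_ZONE, True, None, "PASS"),
    ("private", SELF_ZONE, True, "inspect", "INSPECT"),
]


def table_mismatches(rows):
    """Rows whose expected result the model does not reproduce (empty means consistent)."""
    return [row for row in rows if zpf_action(*row[:4]) != row[4]]
```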

10.3 CONFIGURE A ZPF


10.3.1 CONFIGURE A ZPF

• The topology shown in the figure will be used throughout the remainder of this topic to demonstrate ZPF configuration.
• The sequence of steps is not required. However, some configurations must be completed in order. For instance, you must configure a class-map before you assign a class-map to a policy-map.
• Similarly, you cannot assign a policy-map to a zone-pair until you have configured the policy.
• If you try to configure a section that relies on another portion of the configuration that you have not yet configured, the router responds with an error message.
Zone-Based Policy Firewall Configuration Steps

• Step 1: create the zones
• Step 2: identify traffic with a class-map
• Step 3: define an action with a policy-map
• Step 4: identify a zone pair and match it to a policy-map
• Step 5: assign zones to the appropriate interfaces
10.3.2 STEP 1. CREATE THE ZONES

 The first step is to create the zones. However, before creating the zones, answer a few questions:
o What interfaces should be included in the zones?
o What will be the name for each zone?
o What traffic is necessary between the zones and in which direction?
 In the example topology, we have two interfaces, two zones, and traffic flowing in one
direction. Traffic sourced from the public zone will not be allowed. Create the private
and public zones for the firewall with the zone security command, as shown here.

Router(config)# zone security zone-name

R1(config)# zone security PRIVATE

R1(config-sec-zone)# exit

R1(config)# zone security PUBLIC

R1(config-sec-zone)# exit

R1(config)#

10.3.3 STEP 2. IDENTIFY TRAFFIC

 The second step is to use a class-map to identify the traffic to which a policy will be
applied.
 A class is a way of identifying a set of packets based on their contents using "match" conditions.
 Typically, you define a class so that you can apply an action to the identified traffic that
reflects a policy. A class is defined with class-maps.
 The example below shows the syntax for the class-map command.
 There are several types of class-maps. For a ZPF configuration, use
the inspect keyword to define a class-map.
 Determine how packets are evaluated when multiple match criteria exist. Packets must
meet one of the match criteria (match-any) or all of the match criteria (match-all) to be
considered a member of the class.
Router(config)# class-map type inspect [match-any | match-all] class-map-name

Parameter | Description
match-any | Packets must meet one of the match criteria to be considered a member of the class.
match-all | Packets must meet all of the match criteria to be considered a member of the class.
class-map-name | Name of the class-map that will be used to configure the policy for the class in the policy-map.
 The example below shows the syntax for the match statements in class-map sub-configuration mode. Match traffic to an ACL, a specific protocol, or even another class-map.
Router(config-cmap)# match access-group {acl-# | acl-name }
Router(config-cmap)# match protocol protocol-name
Router(config-cmap)# match class-map class-map-name

Parameter | Description
match access-group | Configures the match criteria for a class-map based on the specified ACL number or name.
match protocol | Configures the match criteria for a class-map based on the specified protocol.
match class-map | Uses another class-map to identify traffic.

 In the topology, HTTP traffic is being allowed to cross R1 from the PRIVATE to the
PUBLIC zone.
 When allowing HTTP traffic, it is recommended to specifically include HTTPS and
DNS protocols, as shown in the example below. Traffic can match any of the statements
to become a member of the HTTP-TRAFFIC class.
R1(config)# class-map type inspect match-any HTTP-TRAFFIC
R1(config-cmap)# match protocol http
R1(config-cmap)# match protocol https
R1(config-cmap)# match protocol dns

10.3.4 STEP 3. DEFINE AN ACTION

 The third step is to use a policy-map to define what action should be taken for traffic
that is a member of a class.
 The example below shows the command syntax to configure a policy-map. An action is
a specific functionality. It is typically associated with a traffic class. For
example, inspect, drop, and pass are actions.
R1(config)# policy-map type inspect policy-map-name
R1(config-pmap)# class type inspect class-map-name
R1(config-pmap-c)# {inspect | drop | pass}

Parameter | Description
inspect | An action that offers state-based traffic control. The router maintains session information for TCP and UDP and permits return traffic.
drop | Discards unwanted traffic.
pass | A stateless action that allows the router to forward traffic from one zone to another.

 The following is an example of a policy-map configuration.
 The class HTTP-TRAFFIC that was configured in the previous step is associated with a new policy-map named PRIV-TO-PUB-POLICY.
 The inspect command on the third line configures R1 to maintain state information for all traffic that is a member of the class HTTP-TRAFFIC.
R1(config)# policy-map type inspect PRIV-TO-PUB-POLICY
R1(config-pmap)# class type inspect HTTP-TRAFFIC
R1(config-pmap-c)# inspect

 inspect - This action offers state-based traffic control. For example, if traffic traveling
from the PRIVATE zone to the PUBLIC zone is inspected, the router maintains
connection or session information for TCP and UDP traffic. The router would then
permit return traffic sent from PUBLIC zone hosts in reply to PRIVATE zone
connection requests.
 drop - This is the default action for all traffic. Similar to the implicit deny any at the end of every ACL, there is an explicit drop applied by the IOS to the end of every policy-map. It is listed as class class-default in the last section of any policy-map configuration. Other class-maps within a policy-map can also be configured to drop unwanted traffic. Unlike ACLs, traffic is silently dropped, and no ICMP unreachable messages are sent to the source of the traffic.
 pass - This action allows the router to forward traffic from one zone to another. The
pass action does not track the state of connections. Pass only allows the traffic in one
direction. A corresponding policy must be applied to allow return traffic to pass in the
opposite direction. The pass action is ideal for secure protocols with predictable
behaviour, such as IPsec. However, most application traffic is better handled in the ZPF
with the inspect action.
10.3.5 STEP 4. IDENTIFY A ZONE-PAIR AND MATCH TO A POLICY

 The fourth step is to identify a zone pair and associate that zone pair to a policy-map.
 The example below shows the command syntax.
 Create a zone-pair with the zone-pair security command. Then use the service-policy
type inspect command to attach a policy-map and its associated action to the zone-pair.
Router(config)# zone-pair security zone-pair-name source {source-zone-name | self} destination {destination-zone-name | self}
Router(config-sec-zone-pair)# service-policy type inspect policy-map-name

Parameter | Description
source source-zone-name | Specifies the name of the zone from which traffic is originating.
destination destination-zone-name | Specifies the name of the zone to which traffic is destined.
self | Specifies the system-defined zone. Indicates whether traffic will be going to or from the router itself.

 The following is an example of a zone-pair configuration.
 A zone-pair named PRIV-PUB is created with PRIVATE assigned as the source zone
and PUBLIC assigned as the destination zone. Then the policy-map created in the
previous step is associated to the zone-pair.
 After the firewall policy has been configured, the administrator applies it to traffic
between a pair of zones using the zone-pair security command.
 To apply a policy, it is assigned to a zone pair. The zone pair needs to specify the
source zone, the destination zone, and the policy for handling the traffic between the
source and destination zones.
R1(config)# zone-pair security PRIV-PUB source PRIVATE destination PUBLIC
R1(config-sec-zone-pair)# service-policy type inspect PRIV-TO-PUB-POLICY

10.3.6 STEP 5. ASSIGN ZONES TO INTERFACES

 The fifth step is to assign zones to the appropriate interfaces.
 Associating a zone to an interface will immediately apply the service-policy that has
been associated with the zone.
 If no service-policy is yet configured for the zone, all transit traffic will be dropped. Use
the zone-member security command to assign a zone to an interface, as shown in the
example below.
Router(config-if)# zone-member security zone-name

 In the following example, GigabitEthernet 0/0 is assigned the PRIVATE zone, and
Serial 0/0/0 is assigned the PUBLIC zone.
R1(config)# interface GigabitEthernet 0/0
R1(config-if)# zone-member security PRIVATE
R1(config-if)# interface Serial 0/0/0
R1(config-if)# zone-member security PUBLIC
 The service-policy is now active.
 HTTP, HTTPS, and DNS traffic sourced from the PRIVATE zone and destined for the
PUBLIC zone will be inspected.
 Traffic sourced from the PUBLIC zone and destined for the PRIVATE zone will only
be allowed if it is part of sessions originally initiated by PRIVATE zone hosts.
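Because the router rejects a policy-map that names a class-map it has not seen yet, or a zone-pair that names a missing zone or policy, it is convenient to generate the five steps from one description and validate the references before pasting anything. The following is an added example for these notes, not Cisco code: the ZpfDesign structure, the check_design/render_zpf helpers and the idea of rendering the commands as text are assumptions; the zone, class-map, policy-map and interface names are the ones used in this topic.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple

ACTIONS = {"inspect", "drop", "pass"}


@dataclass
class ZpfDesign:
    """Inputs for the five configuration steps."""
    zones: List[str]
    class_maps: Dict[str, List[str]]             # class-map name -> protocols (match-any)
    policy_maps: Dict[str, Dict[str, str]]       # policy-map -> {class-map: action}
    zone_pairs: Dict[str, Tuple[str, str, str]]  # pair name -> (source, destination, policy-map)
    interfaces: Dict[str, str]                   # interface -> zone


def check_design(d: ZpfDesign) -> List[str]:
    """Return the ordering/reference errors the router would report, or [] if none."""
    errors = []
    for pname, classes in d.policy_maps.items():
        for cname, action in classes.items():
            if cname not in d.class_maps:
                errors.append(f"policy-map {pname} references undefined class-map {cname}")
            if action not in ACTIONS:
                errors.append(f"policy-map {pname}: unknown action {action!r} for class {cname}")
    for pair, (src, dst, policy) in d.zone_pairs.items():
        for z in (src, dst):
            if z != "self" and z not in d.zones:
                errors.append(f"zone-pair {pair} references undefined zone {z}")
        if policy not in d.policy_maps:
            errors.append(f"zone-pair {pair} references undefined policy-map {policy}")
    for intf, zone in d.interfaces.items():
        if zone not in d.zones:
            errors.append(f"interface {intf} assigned to undefined zone {zone}")
    return errors


def render_zpf(d: ZpfDesign) -> List[str]:
    """Emit the IOS commands in dependency order (zones, class-maps, policy-maps, pairs, interfaces)."""
    errors = check_design(d)
    if errors:
        raise ValueError("; ".join(errors))
    out: List[str] = []
    for z in d.zones:                                    # Step 1: create the zones
        out.append(f"zone security {z}")
    for cname, protocols in d.class_maps.items():        # Step 2: identify traffic
        out.append(f"class-map type inspect match-any {cname}")
        out += [f" match protocol {p}" for p in protocols]
    for pname, classes in d.policy_maps.items():         # Step 3: define the actions
        out.append(f"policy-map type inspect {pname}")
        for cname, action in classes.items():
            out += [f" class type inspect {cname}", f"  {action}"]
    for pair, (src, dst, policy) in d.zone_pairs.items():  # Step 4: zone-pair + service-policy
        out.append(f"zone-pair security {pair} source {src} destination {dst}")
        out.append(f" service-policy type inspect {policy}")
    for intf, zone in d.interfaces.items():              # Step 5: policy becomes active here
        out += [f"interface {intf}", f" zone-member security {zone}"]
    return out


def example_design() -> ZpfDesign:
    """The topology of this topic: PRIVATE on Gi0/0, PUBLIC on Se0/0/0, HTTP/HTTPS/DNS inspected."""
    return ZpfDesign(
        zones=["PRIVATE", "PUBLIC"],
        class_maps={"HTTP-TRAFFIC": ["http", "https", "dns"]},
        policy_maps={"PRIV-TO-PUB-POLICY": {"HTTP-TRAFFIC": "inspect"}},
        zone_pairs={"PRIV-PUB": ("PRIVATE", "PUBLIC", "PRIV-TO-PUB-POLICY")},
        interfaces={"GigabitEthernet0/0": "PRIVATE", "Serial0/0/0": "PUBLIC"},
    )


if __name__ == "__main__":
    print("\n".join(render_zpf(example_design())))
```

The interface assignments are emitted last on purpose: as noted in step 5, a zone-member command takes effect immediately, so assigning zones before the zone-pair and policy exist would drop transit traffic until the rest of the configuration is in place.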
10.3.7 VERIFY A ZPF CONFIGURATION

 Verify a ZPF configuration by viewing the running configuration.
 Notice that the class-map is listed first. Then the policy-map makes use of the class-
map.
 Also, notice the class class-default entry that drops all other traffic that is not a member of the HTTP-TRAFFIC class.
 The zone configurations follow the policy-map configurations with zone naming, zone
pairing, and associating a service-policy to the zone pair. Finally, the interfaces are
assigned zones.
R1# show run | begin class-map
!
<some output omitted>
!
class-map type inspect match-any HTTP-TRAFFIC
match protocol http
match protocol https
match protocol dns
!
policy-map type inspect PRIV-TO-PUB-POLICY
class type inspect HTTP-TRAFFIC
inspect
class class-default
drop
!
zone security PRIVATE
zone security PUBLIC
zone-pair security PRIV-PUB source PRIVATE destination PUBLIC
service-policy type inspect PRIV-TO-PUB-POLICY
!
interface GigabitEthernet0/0
zone-member security PRIVATE
!
interface Serial0/0/0
zone-member security PUBLIC
!

 The example below shows verification information after a test of the ZPF configuration.
 A PRIVATE zone host 192.168.1.3 established an HTTPS session with a web server at
10.1.1.2.
 Notice further down in the command output that four packets matched the class class-default. This verification information was generated by having host 192.168.1.3 ping the web server at 10.1.1.2.

R1# show policy-map type inspect zone-pair sessions

policy exists on zp PRIV-PUB


Zone-pair: PRIV-PUB

Service-policy inspect : PRIV-TO-PUB-POLICY


Class-map: HTTP-TRAFFIC (match-any)
Match: protocol http
12 packets, 384 bytes
30 second rate 0 bps
Match: protocol https
5 packets, 160 bytes
30 second rate 0 bps
Match: protocol dns
0 packets, 0 bytes
30 second rate 0 bps

Inspect

Number of Established Sessions = 1


Established Sessions
Session 2204E220 (192.168.1.3:1049)=>(10.1.1.2:443) https:tcp
SIS_OPEN/TCP_CLOSEWAIT
Created 00:00:14, Last heard 00:00:11
Bytes sent (initiator:responder) [821:1431]

Class-map: class-default (match-any)


Match: any
Drop
4 packets, 160 bytes
R1#
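The session counters above are what an operator checks after a change: matches per protocol show the class is catching the intended traffic, the established-session count shows inspect is keeping state, and the class-default drop count reveals traffic the policy did not allow (here, the ICMP from the ping). The following is an added example for these notes, not Cisco code: SAMPLE_OUTPUT is a constructed copy of the output shown above, and the parser and summary function are assumptions about how one would extract those values for monitoring.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# Constructed copy of the 'show policy-map type inspect zone-pair sessions' output above.
SAMPLE_OUTPUT = """\
policy exists on zp PRIV-PUB
Zone-pair: PRIV-PUB
Service-policy inspect : PRIV-TO-PUB-POLICY
  Class-map: HTTP-TRAFFIC (match-any)
    Match: protocol http
      12 packets, 384 bytes
      30 second rate 0 bps
    Match: protocol https
      5 packets, 160 bytes
      30 second rate 0 bps
    Match: protocol dns
      0 packets, 0 bytes
      30 second rate 0 bps
    Inspect
      Number of Established Sessions = 1
      Established Sessions
        Session 2204E220 (192.168.1.3:1049)=>(10.1.1.2:443) https:tcp SIS_OPEN/TCP_CLOSEWAIT
          Created 00:00:14, Last heard 00:00:11
          Bytes sent (initiator:responder) [821:1431]
  Class-map: class-default (match-any)
    Match: any
    Drop
      4 packets, 160 bytes
"""


@dataclass
class ZonePairStats:
    zone_pair: str = ""
    policy: str = ""
    matches: Dict[str, Dict[str, int]] = field(default_factory=dict)      # class -> match -> packets
    established_sessions: int = 0
    sessions: List[Tuple[str, str, str]] = field(default_factory=list)   # (initiator, responder, proto)
    dropped: Dict[str, int] = field(default_factory=dict)                # class -> packets dropped


def parse_zone_pair_sessions(text: str) -> ZonePairStats:
    """Walk the output line by line; the action line (Inspect/Drop/Pass) precedes its counters."""
    stats = ZonePairStats()
    cls = match = None
    in_drop = False
    for raw in text.splitlines():
        line = raw.strip()
        if m := re.match(r"Zone-pair: (\S+)", line):
            stats.zone_pair = m.group(1)
        elif m := re.match(r"Service-policy inspect : (\S+)", line):
            stats.policy = m.group(1)
        elif m := re.match(r"Class-map: (\S+)", line):
            cls, in_drop = m.group(1), False
            stats.matches[cls] = {}
        elif m := re.match(r"Match: (.+)", line):
            match = m.group(1)
        elif line in ("Drop", "Inspect", "Pass"):
            in_drop = line == "Drop"
        elif m := re.match(r"(\d+) packets, \d+ bytes", line):
            pkts = int(m.group(1))
            if in_drop:
                stats.dropped[cls] = stats.dropped.get(cls, 0) + pkts
            else:
                stats.matches[cls][match] = pkts
        elif m := re.match(r"Number of Established Sessions = (\d+)", line):
            stats.established_sessions = int(m.group(1))
        elif m := re.match(r"Session \S+ \((\S+)\)=>\((\S+)\) (\S+)", line):
            stats.sessions.append((m.group(1), m.group(2), m.group(3)))
    return stats


def policy_summary(stats: ZonePairStats) -> Dict[str, int]:
    """Totals an operator would alert on: packets matched by the allowed classes vs. packets dropped."""
    matched = sum(sum(v.values()) for c, v in stats.matches.items() if c != "class-default")
    return {"matched_packets": matched,
            "dropped_packets": sum(stats.dropped.values()),
            "sessions": stats.established_sessions}


if __name__ == "__main__":
    s = parse_zone_pair_sessions(SAMPLE_OUTPUT)
    print(s.zone_pair, s.policy, policy_summary(s), s.sessions)
```

A rising class-default drop count on a zone-pair that should only carry web traffic is normal; a rising count on a pair that is supposed to permit everything an application needs is the first sign that a protocol was left out of the class-map.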

 The example below shows four other ZPF verification commands that allow a view of specific portions of the ZPF configuration.
R1# show class-map type inspect
Class Map type inspect match-any HTTP-TRAFFIC (id 1)
Match protocol http
Match protocol https
Match protocol dns

R1# show zone security


zone self
Description: System Defined Zone

zone PRIVATE
Member Interfaces:
GigabitEthernet0/0

zone PUBLIC
Member Interfaces:
Serial0/0/0

R1# show zone-pair security


Zone-pair name PRIV-PUB
Source-Zone PRIVATE Destination-Zone PUBLIC
service-policy PRIV-TO-PUB-POLICY
R1# show policy-map type inspect
Policy Map type inspect PRIV-TO-PUB-POLICY
Class HTTP-TRAFFIC
Inspect
Class class-default
Drop

10.3.9 ZPF CONFIGURATION CONSIDERATIONS

 When configuring a ZPF with the CLI, there are several factors to consider:
o The router never filters the traffic between interfaces in the same zone.
o An interface cannot belong to multiple zones. To create a union of security
zones, specify a new zone and appropriate policy map and zone pairs.
o ZPF can coexist with Classic Firewall although they cannot be used on the
same interface. Remove the ip inspect interface configuration command before
applying the zone-member security command.
o Traffic can never flow between an interface assigned to a zone and an interface
without a zone assignment. Applying the zone-member configuration command
always results in a temporary interruption of service until the other zone-
member is configured.
o The default inter-zone policy is to drop all traffic unless otherwise specifically
allowed by the service-policy configured for the zone-pair.
o The zone-member command does not protect the router itself (traffic to and from the router is not affected) unless the zone-pairs are configured using the predefined self zone.

10.4 ZONE-BASED FIREWALLS SUMMARY

10.4.1 WHAT DID I LEARN IN THIS MODULE?
ZPF Overview

 The IOS ZPF provides a flexible and powerful replacement for the older Classic IOS
Firewall.
 It provides a new configuration mode in which interfaces are assigned to security zones
and firewall policies are applied to traffic moving between the zones.
 The ZPF provides a structured and simplified method of designing and implementing
network security on routers that are performing a firewall function.
ZPF Operation

 ZPFs use user-defined policies to act on specific traffic that is travelling from a source
zone to a destination zone. Three actions can be specified:
o Inspect - The ZPF performs stateful packet inspection.
o Drop - The traffic is not permitted to travel to the destination. The rejected
packets can be logged.
o Pass - The traffic is permitted to travel to the destination zone. This does not
track the state of connections or sessions.
 Default rules are applied to transit traffic based on the configuration of the ingress and
egress interfaces and the existence of policies.
 For example, if neither the ingress nor the egress interface is a member of a zone, traffic is permitted to exit the egress interface.
 Similarly, if both interfaces are members of the same zone, then traffic is allowed to
pass.
 However, if one interface is a member of a zone and the other is not, traffic will be
dropped. It is important to understand these and the other rules covered in the module.
 A special zone exists that is known as the self zone.
 The self zone is the router itself.
 In the self zone, the router interfaces serve as either the source or destination of the
traffic.
 Self zone traffic is either for management of the device, or for traffic forwarding
control.
 Similar to the rules for transit traffic, rules exist for how traffic in the self zone will be
handled.
Configure a ZPF

 There are five steps in the process of configuring a ZPF.
 First the zones are created.
 Next, one or more class maps are created to specify the traffic which should be
associated with a policy.
 Then, policies are created that associate the class-map traffic with the pass, drop, or
inspect actions.
 It is then necessary to create zone pairs that will be associated with policy maps.
 Finally, interfaces are associated with zones. At this point, the ZPF policy is active.

MODULE 11
11.1 IDS AND IPS CHARACTERISTICS
11.1.1 ZERO-DAY ATTACKS
 Malware can spread across the world in a matter of minutes. A network must instantly
recognize and mitigate malware threats. Firewalls can only do so much and cannot
provide protection against all malware and zero-day attacks.
 A zero-day attack, sometimes referred to as a zero-day threat, is a cyberattack that tries
to exploit software vulnerabilities that are unknown or undisclosed by the software
vendor, as shown in the figure. The term zero-day describes the moment when a
previously unknown threat is identified.

 During the time it takes the software vendor to develop and release a patch, the network
is vulnerable to these exploits, as shown in the figure. Defending against these fast-
moving attacks requires network security professionals to adopt a more sophisticated
view of the network architecture. It is no longer possible to contain intrusions at a few
points in the network.
Microsoft Internet Explorer Zero-Day Vulnerability

11.1.2 MONITOR FOR ATTACKS

 One approach to prevent malware exploits is for an administrator to continuously monitor the network and analyse the log files generated by network devices.
 Security operations center (SOC) tools, such as security information and event
management (SIEM) and security orchestration, automation, and response (SOAR)
systems automate the log file gathering and analysis process.
 It has become an accepted fact that malware will enter the network despite the best
defences. For this reason, a multilayered approach to malware protection must be
employed.
 Log files generated by devices at each layer will help to identify whether an exploit has occurred, the diagnostic features of the exploit, and the extent of the damage within the enterprise.
 The information gathered in log files will also help to inform measures taken in response to the exploit, such as containment and mitigation.

 Intrusion Detection Systems (IDS) were implemented to passively monitor the traffic on
a network. The figure shows that an IDS-enabled device copies the traffic stream and
analyses the copied traffic rather than the actual forwarded packets.

Intrusion Detection System Operation

 Working offline, the IDS compares the captured traffic stream with known malicious
signatures, similar to software that checks for viruses. Working offline means several
things:
o The IDS works passively.
o The IDS device is physically positioned in the network so that traffic must be
mirrored in order to reach it.
o Network traffic does not pass through the IDS unless it is mirrored.
o Very little latency is added to network traffic flow.
 Although the traffic is monitored, logged, and perhaps reported, no action is taken on
packets by the IDS. This offline IDS implementation is referred to as promiscuous
mode.
 The advantage of operating with a copy of the traffic is that the IDS does not negatively
affect the packet flow of the forwarded traffic. The disadvantage of operating on a copy
of the traffic is that the IDS cannot stop malicious single-packet attacks from reaching
the target. An IDS often requires assistance from other networking devices, such as
routers and firewalls, to respond to an attack.
 A better solution is to use a device that can immediately detect and stop an attack. An
Intrusion Prevention System (IPS) performs this function.
11.1.3 INTRUSION PREVENTION AND DETECTION DEVICES

 A networking architecture paradigm shift is required to defend against fast-moving and evolving attacks. This must include cost-effective detection and prevention systems, such as intrusion detection systems (IDS) or the more scalable intrusion prevention systems (IPS). The network architecture integrates these solutions into the entry and exit points of the network.
 When implementing IDS or IPS, it is important to be familiar with the types of systems
available, host-based and network-based approaches, the placement of these systems,
the role of signature categories, and possible actions that a Cisco IOS router can take
when an attack is detected.
 The figure shows how an IPS device handles malicious traffic.
IDS and IPS Characteristics

 IDS and IPS technologies are both deployed as sensors. An IDS or IPS sensor can be in
the form of several different devices:
o A router configured with IPS software
o A device specifically designed to provide dedicated IDS or IPS services
o A hardware module installed in an adaptive security appliance (ASA), switch,
or router
 IDS and IPS technologies use signatures to detect patterns in network traffic. A
signature is a set of rules that an IDS or IPS uses to detect malicious activity. Signatures
can be used to detect severe breaches of security, to detect common network attacks,
and to gather information. IDS and IPS technologies can detect atomic signature
patterns (single-packet) or composite signature patterns (multi-packet).
11.1.4 ADVANTAGES AND DISADVANTAGES OF IDS AND IPS

 The table summarizes the advantages and disadvantages of IDS and IPS:
Solution | Advantages | Disadvantages
IDS | No impact on network (latency, jitter); no network impact if there is a sensor failure; no network impact if there is sensor overload | Response action cannot stop trigger packets; correct tuning required for response actions; more vulnerable to network security evasion techniques
IPS | Stops trigger packets; can use stream normalization techniques | Sensor issues might affect network traffic; sensor overloading impacts the network; some impact on network (latency, jitter)

IDS Advantages and Disadvantages

 Advantages: An IDS is deployed in offline mode and therefore:
o The IDS does not impact network performance. Specifically, it does not
introduce latency, jitter, or other traffic flow issues.
o The IDS does not affect network functionality if the sensor fails. It only affects
the ability of the IDS to analyse the data.
 Disadvantages:
o An IDS sensor cannot stop the packets that have triggered an alert and is less helpful in detecting email viruses and automated attacks, such as worms.
o Tuning IDS sensors to achieve expected levels of intrusion detection can be
very time-consuming. Users deploying IDS sensor response actions must have a
well-designed security policy and a good operational understanding of their IDS
deployments.
o An IDS implementation is more vulnerable to network security evasion
techniques because it is not inline.
IPS Advantages and Disadvantages

 Advantages:
o An IPS sensor can be configured to drop the trigger packets, the packets
associated with a connection, or packets from a source IP address.
o Because IPS sensors are inline, they can use stream normalization. Stream
normalization is a technique used to reconstruct the data stream when the attack
occurs over multiple data segments.
 Disadvantages:
o Because it is deployed inline, errors, failure, and overwhelming the IPS sensor
with too much traffic can have a negative effect on network performance.
o An IPS sensor can affect network performance by introducing latency and jitter.
o An IPS sensor must be appropriately sized and implemented so that time-
sensitive applications, such as VoIP, are not adversely affected.
Deployment Considerations
 You can deploy both an IPS and an IDS. Using one of these technologies does not
negate the use of the other. In fact, IDS and IPS technologies can complement each
other.
 For example, an IDS can be implemented to validate IPS operation because the IDS can
be configured for deeper packet inspection offline. This allows the IPS to focus on
fewer but more critical traffic patterns inline.
 Deciding which implementation to use is based on the security goals of the organization
as stated in their network security policy.

11.2 IPS IMPLEMENTATION
11.2.1 TYPES OF IPS

 There are two primary kinds of IPS available: host-based IPS and network-based IPS.
Host-based IPS

 Host-based IPS (HIPS) is software installed on a host to monitor and analyze suspicious
activity.
 A significant advantage of HIPS is that it can monitor and protect operating system and
critical system processes that are specific to that host.
 With detailed knowledge of the operating system, HIPS can monitor abnormal activity
and prevent the host from executing commands that do not match typical behavior. This
suspicious or malicious behavior might include unauthorized registry updates, changes
to the system directory, executing installation programs, and activities that cause buffer
overflows. Network traffic can also be monitored to prevent the host from participating
in a denial-of-service (DoS) attack or being part of an illicit FTP session.
 HIPS can be thought of as a combination of antivirus software, antimalware software,
and a firewall. An example of a HIPS is Windows Defender. It provides a range of
protection measures for Windows hosts. Combined with a network-based IPS, HIPS is
an effective tool in providing additional protection for the host.
 A disadvantage of HIPS is that it operates only at a local level. It does not have a
complete view of the network, or coordinated events that might be happening across the
network. To be effective in a network, HIPS must be installed on every host and have
support for every operating system. The table lists the advantages and disadvantages of
HIPS.

Advantages | Disadvantages
Provides protection specific to a host operating system; provides operating system and application level protection; protects the host after the message is decrypted | Operating system dependent; must be installed on all hosts

Network-based IPS
 A network-based IPS can be implemented using a dedicated or non-dedicated IPS
device such as a router. Network-based IPS implementations are a critical component of
intrusion prevention. Host-based IDS/IPS solutions must be integrated with a network-
based IPS implementation to ensure a robust security architecture.
 Sensors detect malicious and unauthorized activity in real time and can take action
when required. As shown in the figure, sensors are deployed at designated network
points. This enables security managers to monitor network activity while it is occurring,
regardless of the location of the attack target.
Sample IPS Sensor Deployment

11.2.2 NETWORK-BASED IPS

 Network-based IPS sensors can be implemented in several ways:
o On a Cisco Firepower appliance
o On an ASA firewall device
o On an ISR router
o As a virtual Next-Generation IPS (NGIPSv) for VMware
 An example of a network-based IPS is the Cisco Firepower NGIPS. It is tuned for
intrusion prevention analysis. The underlying operating system of the platform is
stripped of unnecessary network services, and essential services are secured. This is
known as hardening.
 The hardware of all network-based sensors includes three components:
o NIC - The network-based IPS must be able to connect to any network, such as
Ethernet, Fast Ethernet, and Gigabit Ethernet.
o Processor - Intrusion prevention requires CPU power to perform intrusion
detection analysis and pattern matching.
o Memory - Intrusion detection analysis is memory-intensive. Memory directly
affects the ability of a network-based IPS to efficiently and accurately detect an
attack.
 Network-based IPS gives security managers real-time security insight into their
networks regardless of growth.
 Additional hosts can be added to protected networks without requiring more sensors.
Additional sensors are only required when their rated traffic capacity is exceeded, when
their performance does not meet current needs, or when a revision in security policy or
network design requires additional sensors to help enforce security boundaries. When
new networks are added, additional sensors are easy to deploy.
11.2.3 MODES OF DEPLOYMENT

 IDS and IPS sensors can operate in inline mode (also known as inline interface pair
mode) or promiscuous mode (also known as passive mode).
 As shown in the figure, packets do not flow through the sensor in promiscuous mode.
The sensor analyses a copy of the monitored traffic, not the actual forwarded packet.
The advantage of operating in promiscuous mode is that the sensor does not affect the
packet flow with the forwarded traffic.
 The disadvantage of operating in promiscuous mode is that the sensor cannot stop
malicious traffic from reaching its intended target for certain types of attacks, such as
atomic attacks (single-packet attacks).
 The response actions implemented by promiscuous sensor devices are post-event
responses and often require assistance from other networking devices (for example,
routers and firewalls) to respond to an attack.
 Such response actions can prevent some classes of attacks. However, in atomic attacks
the single packet has the chance of reaching the target system before the promiscuous-
based sensor can apply an ACL modification on a managed device (such as a firewall,
switch, or router). In the figure, Switched Port Analyzer (SPAN) is used to mirror the
traffic entering, going to, and coming from the host.
Promiscuous Mode

 As shown in the figure below, operating in inline mode puts the IPS directly into the
traffic flow and makes packet-forwarding rates slower by adding latency. Inline mode
allows the sensor to stop attacks by dropping malicious traffic before it reaches the
intended target, thus providing a protective service.
 Not only is the inline device processing information on Layers 3 and 4, but it is also
analysing the contents and payload of the packets for more sophisticated embedded
attacks (Layers 3 to 7).
 This deeper analysis lets the system identify and stop or block attacks that would pass
through a traditional firewall device. An IDS sensor could also be deployed inline. The
IDS would be configured so that it only sends alerts and does not drop any packets.
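The difference between the two modes is easiest to see by running the same packets through a sensor that works on a mirrored copy (promiscuous, IDS) and one that sits in the forwarding path (inline, IPS), with one atomic (single-packet) signature and one composite (multi-packet) signature. The following is an added example for these notes, not Cisco or Snort code: the Packet structure, the constructed EXPLOIT-MARKER pattern, the five-port sweep threshold and the sample addresses are all assumptions made for the illustration.

```python
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Set


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int
    payload: bytes


# Atomic signature: one packet is enough to decide. The pattern is constructed for this
# example and is not a real Snort rule.
ATOMIC_SIGNATURES: Dict[str, bytes] = {"SIG-1001 constructed exploit marker": b"EXPLOIT-MARKER"}
# Composite signature: a sweep is declared once one source has touched this many distinct ports.
SWEEP_PORT_THRESHOLD = 5


class Sensor:
    """inline=True behaves as an IPS, inline=False as a promiscuous-mode IDS."""

    def __init__(self, inline: bool) -> None:
        self.inline = inline
        self.alerts: List[str] = []
        self.ports_seen: Dict[str, Set[int]] = defaultdict(set)
        self.sweep_alerted: Set[str] = set()

    def evaluate(self, pkt: Packet) -> List[str]:
        """Return the signature names this packet triggers (atomic and composite)."""
        hits = [name for name, pattern in ATOMIC_SIGNATURES.items() if pattern in pkt.payload]
        self.ports_seen[pkt.src].add(pkt.dport)
        if len(self.ports_seen[pkt.src]) >= SWEEP_PORT_THRESHOLD and pkt.src not in self.sweep_alerted:
            self.sweep_alerted.add(pkt.src)
            hits.append(f"SIG-2001 port sweep from {pkt.src}")
        return hits

    def process(self, packets: List[Packet]) -> List[Packet]:
        """Run traffic through the sensor; return the packets that reach their destination."""
        delivered: List[Packet] = []
        for pkt in packets:
            hits = self.evaluate(pkt)
            self.alerts.extend(hits)
            if hits and self.inline:
                continue           # IPS: the trigger packet is dropped before it is forwarded
            delivered.append(pkt)  # IDS sees only a mirrored copy; the original is forwarded anyway
        return delivered


def sample_traffic() -> List[Packet]:
    """Constructed traffic: two benign packets, one atomic attack, one five-port sweep."""
    benign = [Packet("192.168.1.3", "10.1.1.2", 443, b"GET / HTTP/1.1"),
              Packet("192.168.1.3", "10.1.1.2", 53, b"dns query")]
    attack = [Packet("198.51.100.7", "10.1.1.2", 80, b"POST /cgi-bin EXPLOIT-MARKER")]
    sweep = [Packet("203.0.113.9", "10.1.1.2", port, b"") for port in (21, 22, 23, 25, 110)]
    return benign + attack + sweep


if __name__ == "__main__":
    for mode, inline in (("promiscuous (IDS)", False), ("inline (IPS)", True)):
        sensor = Sensor(inline=inline)
        delivered = sensor.process(sample_traffic())
        print(f"{mode}: {len(delivered)} of 8 packets delivered, alerts={sensor.alerts}")
```

Both sensors raise the same two alerts, but only the inline one keeps the exploit packet off the target; and even inline, the first four packets of the sweep are forwarded because a composite signature cannot fire until enough of the pattern has been seen, which is why the notes say response actions for promiscuous sensors are post-event and why sizing an inline sensor for latency matters.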
Inline Mode

11.3 IPS ON CISCO ISRs
11.3.1 IPS COMPONENTS

 An IPS sensor has two components:
o IPS detection and enforcement engine - To validate traffic, the detection
engine compares incoming traffic with known attack signatures that are
included in the IPS attack signature package.
o IPS attack signatures package - This is a list of known attack signatures that
are contained in one file. The signature pack is updated frequently as new
attacks are discovered. Network traffic is analysed for matches to these
signatures.
 As shown in the figure, the IPS detection and enforcement engine that can be
implemented depends on the router platform:
o Cisco IOS Intrusion Prevention System (IPS) - This is available on older
Cisco 800, 1900, 2900, and 3900 Series ISRs. IOS IPS is no longer supported
and should not be used.
o Cisco Snort IPS - This is available on the Cisco 4000 Series ISRs and Cisco
Cloud Services Routers in the 1000v Series.
 The Cisco Snort IPS delivers traditional intrusion detection and prevention by
comparing network traffic to continually updated databases of known malware and
threat signatures. The Cisco IOS IPS signatures are no longer updated.
Cisco IPS Options

11.3.2 CISCO IOS IPS

 Enabling a router to work as an IPS is a cost-effective way to protect branch office networks. Rather than purchasing a router and a dedicated IPS device, combining the functionalities in one device not only saves money but also simplifies network designs and administration.
 In the past, a Cisco ISR could be enabled as an IPS sensor that scanned packets and
sessions to match any of the Cisco IOS IPS signatures. The legacy Cisco IOS IPS
operated in RAM as illustrated in the figure. This means that it shared device memory
with other Cisco IOS features.
 When Cisco IOS IPS detected suspicious activity, it responded before network security
could be compromised. It logged the event as Cisco IOS syslog messages or through
Security Device Event Exchange (SDEE).
 The network administrator could configure the Cisco IOS IPS to choose the appropriate
response to various threats. For example, when packets in a session matched a
signature, Cisco IOS IPS could be configured to respond as follows:
o Send an alarm to a syslog server or a centralized management interface
o Drop the packet
o Reset the connection
o Deny traffic from the source IP address of the threat for a specified amount of
time
o Deny traffic on the connection for which the signature was seen for a specified
amount of time
Cisco IOS IPS

11.3.3 SNORT IPS

 Many of the devices that supported Cisco IOS IPS are no longer available, or no longer
supported. The newer Cisco 4000 Series Integrated Services Routers (ISR) no longer
support IOS IPS. Instead, they provide IPS services using the Snort IPS feature. Snort
IPS complements existing network security features of the 4000 Series without the need
to deploy a second appliance at branch locations.
 Snort is the most widely deployed IPS solution in the world. It is an open source
network IPS that performs real-time traffic analysis and generates alerts when threats
are detected on IP networks. It can also perform protocol analysis, content searching or
matching, and detect a variety of attacks and probes, such as buffer overflows, stealth
port scans, and so on.
 The Snort engine runs in a virtual service container on Cisco 4000 Series ISRs. A
virtual service container is a virtual machine that runs on the ISR router operating
system. Service containers are applications that can be hosted directly on Cisco IOS XE
routing platforms. These apps use the Linux aspects of the IOS XE operating system to
host both Linux Virtual Containers (LXC) and Kernel virtual machines (KVM). The
Snort container is distributed as an Open Virtualization Appliance (OVA) file that is
installed on the router.
 Unlike IOS IPS, Snort IPS can use the computing power of the service container to scale
security with the platform without affecting routing capabilities or other data plane
functionality. The virtual service supports three resource profiles that indicate how the
Snort container uses system CPU, RAM, and Flash or disk resources.
Snort IPS

11.3.4 SNORT OPERATION

 Snort IPS signatures are delivered automatically to the ISR by Cisco Talos. There are
currently more than 30,000 signatures in the Snort rule set. It also supports the ability to
customize rule sets and provides centralized deployment and management capabilities
for 4000 Series ISRs.
 Snort can be enabled in either of the following modes:
o IDS mode - Snort inspects the traffic and reports alerts, but does not take any
action to prevent attacks.
o IPS mode - In addition to intrusion detection, actions are taken to prevent
attacks.
 In the network intrusion detection and prevention mode, Snort performs the following
actions:
o Monitors network traffic and analyses against a defined rule set.
o Performs attack classification.
o Invokes actions against matched rules.
 The Snort IPS monitors the traffic and reports events to an external log server or the
IOS syslog. Enabling logging to the IOS syslog may impact performance due to the
potential volume of log messages. External third-party monitoring tools that support
Snort logs can be used for log collection and analysis.
11.3.5 SNORT FEATURES

 The table lists the features and benefits of Snort IPS:

Feature - Benefit
o Signature-based intrusion detection system (IDS) and intrusion prevention system
(IPS) - Snort open-source IPS, capable of performing real-time traffic analysis and
packet logging on IP networks, runs on the 4000 Series ISR service container without
the need to deploy an additional device at the branch.
o Snort rule set updates - Snort rule set updates for 4000 Series ISRs are generated by
Cisco Talos, a group of leading-edge network security experts who work around the
clock to proactively discover, assess, and respond to the latest trends in hacking
activities, intrusion attempts, malware, and vulnerabilities.
o Snort rule set pull - The router will be able to download rule sets directly from
cisco.com or snort.org to a local server, using one-time commands or periodic
automated updates.
o Snort rule set push - A centralized management tool can push the rule sets based on
preconfigured policy, instead of the router directly downloading on its own.
o Signature allowed listing - Allowed listing allows the disabling of certain signatures
from the rule set. Disabled signatures can be reenabled at any time.

11.3.6 SNORT SYSTEM REQUIREMENTS

 To run the service container infrastructure with IDS/IPS functionality, Snort IPS
requires an ISR 4000 (i.e., 4300 or higher) with a minimum of 8 GB of memory
(DRAM) and 8 GB of flash.
 Note: The Cisco 4200 series ISR does not support the default Snort IPS
implementation.
 A security K9 license (SEC) is required to activate Snort IPS functionality. Customers
also need to purchase a yearly subscription for the signature package distributed on
cisco.com. To keep current with the latest threat protection, Snort rule sets are term-
based subscriptions, available for one or three years.
 There are two types of term-based subscriptions:
o Community Rule Set - This set offers limited coverage against threats,
focusing on reactive response to security threats versus proactive research
work. There is 30-day delayed access to updated signatures in the Community
Rule Set, and this subscription does not entitle the customer to Cisco support.
o Subscriber Rule Set - This set offers the best protection against threats. It
includes coverage in advance of exploits by using the research work of the
Cisco Talos security experts. The Subscriber Rule Set also provides the fastest
access to updated signatures in response to a security incident or the proactive
discovery of a new threat. This subscription is fully supported by Cisco.
 PulledPork is a rule management application that can be used to automatically
download Snort rule updates. In order to use PulledPork, you must obtain an
authorization code, called an oinkcode, from your snort.org account. The oinkcode is
free with registration.

11.4 CISCO SWITCHED PORT ANALYSER


11.4.1 NETWORK MONITORING METHODS

 The day-to-day operation of a network consists of common patterns of traffic flow,
bandwidth usage, and resource access. Together, these patterns identify normal network
behaviour. Security analysts must be intimately familiar with normal network behaviour
because abnormal network behaviour typically indicates a problem.
 To determine normal network behaviour, network monitoring must be implemented.
Various tools are used to help discover normal network behaviour including IDS,
packet analysers, SNMP, NetFlow, and others.
 Some of these tools require captured network data. There are two common methods
used to capture traffic and send it to network monitoring devices:
o Network taps, sometimes known as test access points (TAPs)
o Traffic mirroring using Switch Port Analyzer (SPAN) or other port mirroring
approaches
11.4.2 NETWORK TAPS

 A network tap is typically a passive splitting device implemented inline between a
device of interest and the network. A tap forwards all traffic, including physical layer
errors, to an analysis device while also allowing the traffic to reach its intended
destination.
 The figure displays a sample topology displaying a tap installed between a network
firewall and the internal router.

 Notice how the tap simultaneously sends both the transmit (TX) data stream from the
internal router and the receive (RX) data stream to the internal router on separate,
dedicated channels. This ensures that all data arrives at the monitoring device in real
time. Therefore, network performance is not affected or degraded by monitoring the
connection.
 Taps are also typically fail-safe, which means if a tap fails or loses power, traffic
between the firewall and internal router is not affected.
 Search the internet for information on NetScout Taps for copper UTP Ethernet, fiber
Ethernet, and serial links.
11.4.3 TRAFFIC MIRRORING AND SPAN

 Network switches segment the network by design. This limits the amount of traffic that
is visible to network monitoring devices.
 Because capturing data for network monitoring requires all traffic to be captured,
special techniques must be employed to bypass the network segmentation imposed by
network switches.
 Port mirroring is one of these techniques. Supported by many enterprise switches, port
mirroring enables the switch to copy frames that are received on one or more ports to a
Switch Port Analyzer (SPAN) port that is connected to an analysis device.
 The table identifies and describes terms used by the SPAN feature:

SPAN Term - Description
o Ingress traffic - Traffic that enters the switch.
o Egress traffic - Traffic that leaves the switch.
o Source (SPAN) port - Source ports are monitored as traffic entering them is replicated
(mirrored) to the destination ports.
o Destination (SPAN) port - A port that mirrors source ports. Destination SPAN ports
often connect to analysis devices such as a packet analyser or an IDS.

 The figure shows a switch that interconnects two hosts and mirrors traffic to an
intrusion detection device (IDS) and network management server.
SPAN

 The switch will forward ingress traffic on F0/1 and egress traffic on F0/2 to the
destination SPAN port G0/1 that connects to an IDS.
 The association between source ports and a destination port is called a SPAN session. In
a single session, one or multiple ports can be monitored. On some Cisco switches,
session traffic can be copied to more than one destination port. Alternatively, a source
VLAN can be specified in which all ports in the source VLAN become sources of
SPAN traffic. Each SPAN session can have ports or VLANs as sources, but not both.
 Note: A variation of SPAN called Remote SPAN (RSPAN) enables a network
administrator to use the flexibility of VLANs to monitor traffic on remote switches.
11.4.4 CONFIGURE CISCO SPAN

 The SPAN feature on Cisco switches sends a copy of each frame entering the source
port out the destination port and toward the packet analyser or IDS.
 A session number is used to identify a SPAN session. The examples show the monitor
session command, which is used to associate a source port and a destination port with a
SPAN session. A separate monitor session command is used for each session. A
VLAN can be specified instead of a physical port.

Switch(config)# monitor session number source [interface interface | vlan vlan]
Switch(config)# monitor session number destination [interface interface | vlan vlan]

 In the figure below, PCA is connected to F0/1 and an IDS is connected to F0/2. The
objective is to capture all the traffic that is sent or received by PCA on port F0/1 and
send a copy of those frames to the IDS (or a packet analyser) on port F0/2. The SPAN
session on the switch will copy all the traffic that it sends and receives on source port
F0/1 to the destination port F0/2.
Cisco SPAN Configuration
S1(config)# monitor session 1 source interface fastethernet 0/1
S1(config)# monitor session 1 destination interface fastethernet 0/2
 The show monitor command is used to verify the SPAN session. The command
displays the type of the session, the source ports for each traffic direction, and the
destination port. In the example below, the session number is 1, the source port for both
traffic directions is F0/1, and the destination port is F0/2. The ingress SPAN is disabled
on the destination port, so only traffic that leaves the destination port is copied to that
port.
S1# show monitor
Session 1
---------
Type : Local Session
Source Ports :
Both : Fa0/1
Destination Ports : Fa0/2
Encapsulation : Native
Ingress : Disabled

S1#

 Note: Remote SPAN (RSPAN) can be used when the packet analyser or IDS is on a
different switch than the traffic being monitored.
 RSPAN extends SPAN by enabling remote monitoring of multiple switches across the
network. The traffic for each RSPAN session is carried over a user-specified RSPAN
VLAN that is dedicated (for that RSPAN session) in all participating switches.
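A check a network engineer can script against the show monitor output above, as an added example written for these notes (it is not Cisco's code): it parses the session listing and confirms that the expected source port is mirrored in both directions to the expected destination port, which is the condition the IDS behind the SPAN port depends on. The sample output is the S1 session from the notes; the expected values passed to the check are assumptions for the illustration.

```python
"""Parse Cisco IOS 'show monitor' output and verify a SPAN session.

Added example for these notes, not Cisco code. The sample output is the
S1 session shown in the notes; the expected source/destination ports
given to the check are assumptions for this illustration.
"""
import re

# Constructed sample: the 'show monitor' output from the notes.
SAMPLE_SHOW_MONITOR = """\
Session 1
---------
Type : Local Session
Source Ports :
Both : Fa0/1
Destination Ports : Fa0/2
Encapsulation : Native
Ingress : Disabled
"""


def parse_show_monitor(text):
    """Return {session_number: {...}} from 'show monitor' output.

    Source ports are kept per direction ('Both', 'RX Only', 'TX Only')
    so a check can tell whether only one direction is being mirrored.
    """
    sessions = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        m = re.match(r"Session (\d+)$", line)
        if m:
            current = {"type": None, "sources": {}, "destination": None, "ingress": None}
            sessions[int(m.group(1))] = current
            continue
        if current is None or ":" not in line:
            continue
        key, _, value = (part.strip() for part in line.partition(":"))
        if key == "Type":
            current["type"] = value
        elif key in ("Both", "RX Only", "TX Only"):
            current["sources"][key] = [p.strip() for p in value.split(",") if p.strip()]
        elif key == "Destination Ports":
            current["destination"] = value
        elif key == "Ingress":
            current["ingress"] = value
    return sessions


def check_span_session(sessions, number, source_port, dest_port):
    """Return a list of problems; an empty list means the session is as expected."""
    session = sessions.get(number)
    if session is None:
        return [f"session {number} not configured"]
    problems = []
    if source_port not in session["sources"].get("Both", []):
        problems.append(f"{source_port} is not mirrored in both directions")
    if session["destination"] != dest_port:
        problems.append(f"destination is {session['destination']}, expected {dest_port}")
    return problems


if __name__ == "__main__":
    parsed = parse_show_monitor(SAMPLE_SHOW_MONITOR)
    print(check_span_session(parsed, 1, "Fa0/1", "Fa0/2"))
```

The check deliberately requires the source port under "Both": a session that lists the port under "RX Only" or "TX Only" would give the IDS only half of each conversation, which is a common cause of silent detection gaps.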

IPS TECHNOLOGIES SUMMARY


11.5.1 WHAT DID I LEARN IN THIS MODULE?
IDS and IPS Characteristics

 Malware is an ever-increasing threat to network security. New network attacks occur
daily. The threat landscape is constantly evolving.
 Monitoring network logs is one way to know that an exploit has occurred. But by then it
is too late.
 IDS and IPS make up part of a multi-layered approach to network security.
 IDS work offline to detect malicious traffic through traffic mirroring.
 IDS can alert security personnel about a potential attack.
 While the IDS does nothing to stop network attacks, it has no effect on network
performance.
 IPS devices work inline to prevent network attacks, however they can add latency and
slow network performance.
 IDS and IPS devices can be routers equipped with IPS software, dedicated devices, or
hardware modules installed in adaptive security appliances, switches or routers.
IPS Implementations

 Intrusion prevention systems can be host-based or network-based.
 HIPS are installed on network hosts. They monitor activity on the host and can prevent
attacks and log suspicious activity.
 HIPS are like a combination of antimalware and firewall software.
 HIPS have mostly a local view of the network and are only an effective solution if they
are used on all hosts. In addition, they should not be the only security measure taken in
a network, but instead are just one layer of security.

 NIPS can be implemented using a dedicated device or a router with IPS software.
 Network-based IPS act in real time to block malicious software and network attacks.
 Network-based IPS can be deployed in two modes.
 In promiscuous mode, they function as IDS by monitoring mirrored traffic. While they
can’t stop network attacks, they can alert personnel and log information when attacks
occur.
 An inline mode IPS processes all traffic that enters a network and checks that traffic at
Layers 3 to 7. IPS can also check the contents of payloads that are carried in network
traffic, such as email attachments. Because inline mode puts the IPS directly into the
traffic flow it makes packet-forwarding rates slower by adding latency. Inline mode
allows the sensor to stop attacks by dropping malicious traffic before it reaches the
intended target.
IPS on Cisco ISRs

 Enabling IPS functionality on routers at the branch level is a cost-effective way to
protect networks with a single device.
 The IPS detection and enforcement engine that ran on legacy router platforms was the
Cisco IOS IPS.
 However, the Cisco IOS IPS is no longer supported. For the 4000 Series ISR, the Cisco
Snort IPS has replaced the IOS IPS.
 Snort runs in a virtual container on the router hardware.
 The IPS function does not affect the traffic forwarding functions of the router.
 When running as an IPS, Snort monitors network traffic and analyses it against a
defined rule set.
 Snort can classify attacks by type, and can perform actions against the traffic such as
sending alerts, logging events, and acting against traffic when attack signatures are
matched.
 Snort can be configured to automatically update its rules from an internet source such as
Cisco or snort.org. Problematic signatures can be disabled, and custom rules created.
 Snort is intended to be run on 4300 ISR and above. It requires 8 GB of DRAM and 8
GB of Flash to run. Resource profiles can be configured to control how Snort uses ISR
system resources.
Cisco Switched Port Analyser

 SPAN is a technology that enables network monitoring and IDS to function in
segmented networks.
 Network traffic is mirrored from source ports or VLANs to a destination port or VLAN
that is connected to the monitoring device or IDS.
 Traffic from the source ports is copied and sent to the destination port.
 Traffic that enters the switch is called ingress traffic, and traffic that exits the switch is
called egress traffic.
 Source ports carry the traffic that is to be monitored, and destination ports are connected
to the monitoring devices. The monitored traffic is copied and sent out of the
destination port. The configuration of SPAN entails defining the source and destination
switchports.

MODULE 12
12.1 IPS SIGNATURES
12.1.1 IPS SIGNATURE ATTRIBUTES

 The network must be able to identify incoming malicious traffic in order to stop it.
Fortunately, malicious traffic displays distinct characteristics or “signatures”.
 Conceptually similar to the virus.dat file used by virus scanners, a signature is a set of
rules that an IDS and an IPS use to detect typical intrusion activity. Signatures uniquely
identify specific viruses, worms, protocol anomalies, and malicious traffic (e.g., a DoS
attack).
 A malicious packet flow has a specific type of activity and signature. IPS sensors must
be tuned to look for matching signatures or abnormal traffic patterns.
 As sensors scan network packets, they use signatures to detect known attacks and
respond with predefined actions.
 An IDS or IPS sensor examines the data flow using many different signatures. A sensor
takes action when it matches a signature with a data flow, such as logging the event or
sending an alarm to the IDS or IPS management software.
 Signatures also have three distinctive attributes:
o Type - Atomic or Composite
o Trigger - Also called the alarm
o Action - What the IPS will do

12.1.2 TYPES OF SIGNATURES

 Some threats can be identified in one packet while other threats may require many
packets and their state information (i.e., IP addresses, port numbers, and more) to
identify a threat.
 There are two types of signatures:
o Atomic Signature - This is the simplest type of signature because a single
packet, activity, or event identifies an attack. The IPS does not need to maintain
state information and traffic analysis can usually be performed very quickly and
efficiently.
o Composite Signature - Also called a stateful signature because the IPS
requires several pieces of data to match an attack signature. The IPS must also
maintain state information, which is referred to as the event horizon. The length
of an event horizon varies from one signature to the next.
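The atomic/composite distinction above, as an added example that is not part of the course material: one atomic signature that fires on a single packet (SYN and FIN set together, a combination a normal TCP stack never sends) and one composite signature that keeps per-source state and fires only when several distinct destination ports are seen inside its event horizon. The packet log, the 5-port threshold and the 10-second horizon are constructed values for this illustration.

```python
"""Atomic versus composite (stateful) signatures over a packet log.

Added example for these notes. The packet records are constructed; the
thresholds (5 ports within a 10-second event horizon) are assumptions
chosen for the illustration.
"""
from collections import defaultdict, deque

# Constructed packet log: (time_seconds, src_ip, dst_ip, dst_port, tcp_flags)
PACKET_LOG = [
    (0.0, "10.0.0.5", "192.168.1.10", 80, "S"),
    (0.5, "10.0.0.5", "192.168.1.10", 22, "S"),
    (1.0, "10.0.0.5", "192.168.1.10", 443, "S"),
    (1.5, "10.0.0.5", "192.168.1.10", 25, "S"),
    (2.0, "10.0.0.5", "192.168.1.10", 3389, "S"),   # 5th distinct port inside horizon
    (3.0, "10.0.0.9", "192.168.1.10", 80, "SF"),    # SYN and FIN in one packet
    (30.0, "10.0.0.7", "192.168.1.10", 80, "S"),
    (45.0, "10.0.0.7", "192.168.1.10", 443, "S"),   # slow: previous port is outside horizon
]


def atomic_syn_fin(packet):
    """Atomic signature: one packet is enough, no state is needed."""
    _, src, _, _, flags = packet
    if "S" in flags and "F" in flags:
        return f"SYN+FIN from {src}"
    return None


class PortScanSignature:
    """Composite signature: N distinct destination ports from one source
    within the event horizon (seconds). State is kept per source address."""

    def __init__(self, ports=5, horizon=10.0):
        self.ports = ports
        self.horizon = horizon
        self.state = defaultdict(deque)   # src -> deque of (time, dst_port)

    def feed(self, packet):
        t, src, _, dport, _ = packet
        window = self.state[src]
        window.append((t, dport))
        # Forget anything older than the event horizon.
        while window and t - window[0][0] > self.horizon:
            window.popleft()
        distinct = {p for _, p in window}
        if len(distinct) >= self.ports:
            window.clear()   # one scan produces one alert, not one per extra port
            return f"port scan from {src}: {len(distinct)} ports in {self.horizon}s"
        return None


def run_signatures(packets, ports=5, horizon=10.0):
    """Run both signatures over the log and return the alerts in order."""
    scan = PortScanSignature(ports, horizon)
    alerts = []
    for pkt in packets:
        for hit in (atomic_syn_fin(pkt), scan.feed(pkt)):
            if hit:
                alerts.append(hit)
    return alerts


if __name__ == "__main__":
    for alert in run_signatures(PACKET_LOG):
        print(alert)
```

The slow source 10.0.0.7 never triggers the composite signature with the default horizon, which is the trade-off the notes describe: a short event horizon keeps memory use low and analysis fast, a longer one catches slower activity at the cost of holding more state.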
12.1.3 IPS SIGNATURE ALARMS
 The heart of any IPS signature is the signature alarm, which is often referred to as the
signature trigger. The signature alarm (i.e., trigger) for an IPS sensor could be anything
that can reliably signal an intrusion or security policy violation. A network-based IPS
might trigger a signature action if it detects a packet with a payload containing a
specific string that is going to a specific TCP port, for example.
 The IPS signature alarm is analogous to the alarm in a home security system. The
triggering mechanism for a burglar alarm could be a motion detector. When the burglar
alarm is enabled, the movement of an individual entering a room is detected. This
triggers the alarm.
 These triggering mechanisms can be applied to atomic and composite signatures. The
triggering mechanisms can be simple or complex. Every IPS incorporates signatures
that use one or more of these basic triggering mechanisms to trigger signature actions.
 There are four general IPS signature trigger categories as listed in the table.

Detection Type - Advantages
 Pattern-Based Detection
o Also known as signature-based detection.
o Simplest triggering mechanism as it searches for a specific and pre-defined atomic or
composite pattern.
o An IPS sensor compares the network traffic to a database of known attacks, and
triggers an alarm or prevents communication if a match is found.
 Anomaly-Based Detection
o Also known as profile-based detection.
o Involves first defining a profile of what is considered normal network or host activity.
o This normal profile is usually defined by monitoring traffic and establishing a baseline.
o Once defined, any activity beyond a specified threshold in the normal profile will
generate a signature trigger and action.
 Policy-Based Detection
o Also known as behaviour-based detection.
o Although similar to pattern-based detection, an administrator manually defines
behaviours that are suspicious based on historical analysis.
o The use of behaviours enables a single signature to cover an entire class of activities
without having to specify each individual situation.
 Honey Pot-Based Detection
o Honey pot-based detection uses a server as a decoy server to attract attacks.
o The purpose of a decoy server is to lure attacks away from production devices.
o Allows administrators time to analyse incoming attacks and malicious traffic patterns
to tune their sensor signatures.
12.1.4 IPS SIGNATURE ACTIONS

 When a signature detects the activity for which it is configured, the signature triggers
one or more actions.
 Depending on the IPS sensor, various actions can be enabled. The table lists some
actions that an IPS sensor may provide.
 Note: The available actions depend on the signature type and the platform.

Alert Category / Specific Action - Description
 Generate an alert
o Produce alert - The IPS sends events as alerts.
o Produce verbose alert - The IPS sends a detailed event alert.
 Log the activity
o Log attacker packets - Logs packets from the attacker IP address and sends an alert.
o Log pair packets - Logs packets from the victim and attacker IP addresses and sends
an alert.
o Log victim packets - Logs packets from the victim IP address and sends an alert.
 Deny the activity
o Deny packet inline - Terminates the packet.
o Deny connection inline - Terminates the current packet and future packets on this
TCP flow.
o Deny attacker inline - Terminates the current packet and future packets from this
attacker address for a specified period of time.
 Reset the TCP connection
o Reset TCP connection - Sends TCP resets to hijack and terminate the TCP flow.
 Block future activity
o Request block connection - Sends a request to a blocking device to block this
connection.
o Request block host - Sends a request to a blocking device to block this attacker host.
o Request SNMP trap - Sends a request to the notification application component of the
sensor to perform SNMP notification.

12.1.5 EVALUATING ALERTS

 Triggering mechanisms can generate alarms that are false positives or false negatives.
These alarms must be addressed when implementing an IPS sensor.
 True positives and true negatives are desirable and indicate the IPS is functioning
properly. False positives and false negatives are undesirable and must be investigated.
 The table summarizes the following four types of alarms:
Alarm Type - Network Activity / IPS Activity / Outcome
o True positive - Attack traffic; alarm generated; ideal setting.
o True negative - Normal user traffic; no alarm generated; ideal setting.
o False positive - Normal user traffic; alarm generated; tune alarm.
o False negative - Attack traffic; no alarm generated; tune alarm.

 Alerts can be classified as follows:
o True positive - (Desirable) This is used when the IPS generates an alarm
because it detected known attack traffic. The alert has been verified to be an
actual security incident and also indicates that the IPS rule worked correctly.
o True negative - (Desirable) This is used when the system is performing as
expected. No alerts are issued because the traffic that is passing through the
system is clear of threats.
o False positive - (Undesirable) This is used when an IPS generates an alarm
after processing normal user traffic that should not have triggered an alarm. The
IPS must be tuned to change these alarm types to true negatives. The alert does
not indicate an actual security incident. Benign activity that results in a false
positive is sometimes referred to as a benign trigger. False positives are costly
because they must be investigated.
o False negative - (Dangerous) This is used when an IPS fails to generate an
alarm and known attacks are not being detected. This means that exploits are
not being detected by the security systems that are in place. These incidents
could go undetected for a long time, and ongoing data loss and damage could
result. The goal is for these alarm types to generate true positive alarms.

12.2 CISCO SNORT IPS


12.2.1 IPS SERVICE OPTIONS

 Intrusion prevention services were available on the first-generation Integrated Services
Routers (ISR G1) using the Cisco IOS IPS. Cisco IOS IPS monitored and prevented
intrusions by comparing traffic against signatures of known threats and blocking the
traffic when a threat was detected.
 Note: Support for Cisco IOS IPS was discontinued in 2018. Therefore, IOS IPS is no
longer recommended on branch routers.
 Organizations now have three options available to provide intrusion prevention
services.
o Cisco Firepower Next-Generation IPS (NGIPS) - These are dedicated in-line
threat prevention appliances that provide industry leading effectiveness against
both known and unknown threats.
o Cisco Snort IPS - This is an IPS service that can be enabled on a second
generation ISR (ISR G2) (i.e., ISR 4000s). Note that Cisco 4000 ISRs no longer
support Cisco IOS IPS.
o External Snort IPS Server - This is similar to the Cisco Snort IPS solution but
requires a promiscuous port (i.e., a SPAN switch port) and an external Snort
IDS/IPS.
12.2.2 NGIPS

 NGIPSs are dedicated IPS appliances. They are built on Snort's core open technology
and use vulnerability-focused IPS rules and embedded IP-, URL-, and DNS-based
security intelligence provided by Cisco Talos.
 NGIPS features include the following:
o IPS rules that identify and block attack traffic targeted at network
vulnerabilities.
o Tightly integrated defence against advanced malware by incorporating
advanced analysis of network and endpoint activity.
o Sandboxing technology that uses hundreds of behavioural indicators to identify
zero-day and evasive attacks.
o Also includes Application Visibility and Control (AVC), Cisco Advanced
Malware Protection (AMP) for Networks, and URL Filtering.
 Note: Further discussion of NGIPS appliances is out of scope for this course.
12.2.3 SNORT IPS

 Snort is an open-source network IPS that performs real-time traffic analysis and
generates alerts when threats are detected on IP networks. It can also perform protocol
analysis, content searching or matching, and detect a variety of attacks and probes (e.g.,
buffer overflows, stealth port scans, and more). Snort was inducted into the InfoWorld
Open Source Hall of Fame as one of the greatest pieces of open source software ever.
 The Snort engine can now run as a virtual container service on Cisco 4000 ISRs and
Cisco Cloud Services Router 1000v Series. It is ideal for smaller organizations looking
for a cost-effective routing and threat defence solution. For instance, an ISR G2 can
provide advanced routing capabilities and integrated threat defence security using Snort
IPS.
 Snort IPS can be implemented with other security features integrated into the 4000
Series ISRs, such as VPN, zone-based Cisco IOS firewalls, and Cisco Cloud Web
Security. This enables the ISR to provide comprehensive threat protection in a small
footprint. This is crucial for small branch locations that need to address security for the
local internet connection. Snort IPS integrated in an ISR is a cost-effective alternative
for branch office locations because a separate firewall device is not required.
 Snort IPS on the 4000 Series ISR provides the following functionalities:
o IDS and IPS mode - Configure threat detection or prevention mode. In
prevention mode, attack traffic will be dropped.
o Three signature levels - Snort provides three levels of signature protection:
connectivity (least secure), balanced (middle option), and security (most
secure). The security level is the most secure as it enables the highest number of
signatures to be verified.
o An allowed list - This provides the ability to turn off certain signatures and
helps to avoid false positives such as legitimate traffic triggering an IPS action.
Up to 1000 entries can be supported in the allowed list.
o Snort health monitoring - Cisco IOS Software keeps track of the health of the
Snort engine that is running in the service container.
o Fail open and close - In the event of IPS engine failure, the router can be
configured to block the traffic flow or to bypass IPS checking until the Snort
engine recovers.
o Signature update - Automatic and manual updates are supported. Snort IPS
can download the signature package directly from cisco.com or a local resource
location over HTTP and HTTPS.
o Event logging - IPS logs can be sent to an independent log collector or
included along with the router syslog stream. Sending IPS logs separately helps
if the security event management tool is different from the regular syslog
server.
12.2.4 SNORT COMPONENTS AND RULES

 Snort IPS for 4000 Series ISRs consists of two components:
o Snort engine - This is the IPS detection and enforcement engine that is
included in the Security (SEC) license for 4000 Series ISRs.
o Snort rule software subscriptions for signature updates - Snort rule sets to
keep current with the latest threat protection are term-based subscriptions,
available for one or three years.

 To address the rapidly evolving threat landscape, it is important to ensure that
signatures are as up-to-date as possible.
 There are two types of term-based subscriptions:
o Community Rule Set - Available for free, this subscription offers limited
coverage against threats. The community rule set focuses on reactive response
to security threats versus proactive research work. There is also a 30-day
delayed access to updated signatures, meaning that the newest rule will be a
minimum of 30 days old. In addition, there is no Cisco customer support
available.
o Subscriber Rule Set - Available for a fee, this service provides the best
protection against threats. It includes coverage in advance of exploits by using the
research work of the Cisco Talos security experts. The Subscriber Rule Set also
provides the fastest access to updated signatures in response to a security
incident or the proactive discovery of a new threat. This subscription is fully
supported by Cisco.
 Note: Contact Cisco Support to obtain the subscriber rule set license.
12.2.5 ISR CONTAINER APPLICATIONS
 Routers were initially packet processing devices. However, over the years, they have
evolved to perform many computing functions. Routers have acquired so much
processing power that server applications can now be hosted inside the router using
virtual machines called service containers.
 Applications such as Snort IPS can be uploaded and hosted on these routers. Service
containers are supported on most IOS XE platforms. IOS XE is based on the Linux
architecture and supports virtual machine hosting.
 The Snort engine runs as a Linux Service Container application on the ISR 4000 as
shown in the figure. This provides it with dedicated computing resources that run
independently of the data plane CPU load. It also makes it easier for the Snort engine to
be regularly updated.

 Specifically, the Snort engine on the 4000 Series ISR runs as a container application.
The 4000 Series ISR uses a multi-core CPU, and the Cisco IOS-XE has the ability to
allocate these cores for control-plane or data-plane functions. Computing resources
unused by control plane functions can be used for running other services. A Linux
container infrastructure hosts these applications. Applications running in this container
infrastructure can have a tighter integration with Cisco IOS Software.
12.2.6 SNORT IPS RULE ALARMS

 In Snort IPS, signatures are configured using “rules”. These rules serve as the signature
alarms by comparing incoming traffic to the Snort rules. Traffic matching a rule header
generates an action.
 A rule header is conceptually similar to an access control list (ACL) statement. It is a
one line statement that identifies malicious traffic.
 The basic rule header command syntax is:
o [action] [protocol] [sourceIP] [sourceport] -> [destIP] [destport] ([Rule options])
 Note: The Rule options contain additional rule information.
 For example, the following sample header generates an alert whenever a TCP
connection from the hosts/ports identified in the rule header variables is going to the
identified destination hosts/ports variables:
o alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any
 Refer to the figure for a detailed explanation of this example.

12.2.7 SNORT IPS RULE ACTIONS

 Snort can be enabled in IDS mode or in IPS mode.
 Snort IDS mode can perform the following three actions:
o Alert - Generate an alert using the selected alert method.
o Log - Log the packet.
o Pass - Ignore the packet.
 Snort IPS mode can perform all the IDS actions plus the following:
o Drop - Block and log the packet.
o Reject - Block the packet, log it, and then send a TCP reset if the protocol is
TCP or an ICMP port unreachable message if the protocol is UDP.
o Sdrop - Block the packet but do not log it.

12.2.8 SNORT IPS HEADER RULE OPTIONS

 A Snort rule header also contains rule options (fields) to provide additional information
for the rule. Options are separated by semicolons (;) and the rule option keywords are
separated from their arguments using colons (:).
 The figure displays sample rule options for the alert tcp $EXTERNAL_NET
$HTTP_PORTS -> $HOME_NET any rule header.

 The table describes the common general rule and the detection rule options in the
sample rule header.
 Note: These are just a few of the different types of rule options. For more examples,
search the internet for "snort rule options"

Rule Option - Specific Action
o msg: - This is a simple text string that provides a meaningful message to output when
the rule matches.
o flow: - Specifies the direction of network traffic.
o content: - A detection rule option that allows the rule creator to set rules that search
for specific content in the packet payload and trigger a response based on that data.
This option data can contain mixed text and binary data.
o distance: / offset: - Detection rule keywords that allow the rule creator to specify
where to start searching relative to the beginning of the payload or the beginning of a
content match.
o within: / depth: - Detection rule keywords that allow the rule creator to specify how far
forward to search relative to the end of a previous content match and, once that content
match is found, how far to search for it.
o pcre - A detection rule keyword that allows rules to be written using "perl compatible
regular expressions", which allows for more complex matches.
o byte_test - A detection rule keyword that allows a rule to test a number of bytes
against a specific value in binary.
o metadata: - Allows a rule creator to embed additional information about the rule.
o reference: - Allows rules to include references to external sources of information.
o classtype: - Identifies the potential effect of what a successful attack would be.
o sid / rev - The signature ID (sid) is a unique identifier for each rule making them easy
to identify. It should be used with the rev (revision) keyword to indicate the current
version of the rule.
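As an added example that is not part of these notes or of Snort itself, the following Python parses a rule written in the header form above and applies its content: options, with the offset:/depth: and distance:/within: modifiers from the table, to a packet payload. The rule, its sid, and the payloads are constructed for the demonstration, and only the options listed in the table are handled.

```python
"""Toy Snort rule parser and payload matcher (added example, not Snort code).
Handles the header form above plus msg, flow, content, offset/depth, distance/within,
sid and rev; real Snort supports many more options and modifiers.
"""
import re

ACTIONS = {"alert", "log", "pass", "drop", "reject", "sdrop"}  # IDS/IPS actions (12.2.7)
MODIFIERS = {"offset", "depth", "distance", "within"}
HEADER_RE = re.compile(
    r"^(?P<action>\w+)\s+(?P<proto>\w+)\s+(?P<src>\S+)\s+(?P<sport>\S+)\s+"
    r"(?P<direction>->|<>)\s+(?P<dst>\S+)\s+(?P<dport>\S+)\s*\((?P<opts>.*)\)\s*$"
)


def split_options(text):
    """Split the option body on ';' but not inside double quotes (msg text may hold ';')."""
    parts, cur, in_quote, escaped = [], [], False, False
    for ch in text:
        if escaped:
            escaped = False
        elif ch == "\\":
            escaped = True
        elif ch == '"':
            in_quote = not in_quote
        elif ch == ";" and not in_quote:
            parts.append("".join(cur))
            cur = []
            continue
        cur.append(ch)
    parts.append("".join(cur))
    return [p.strip() for p in parts if p.strip()]


def parse_rule(text):
    """Parse one rule line into a dict of header fields plus ordered (keyword, value) options."""
    m = HEADER_RE.match(text.strip())
    if not m:
        raise ValueError("not a Snort rule: %r" % text)
    rule = m.groupdict()
    if rule["action"] not in ACTIONS:
        raise ValueError("unknown action %r" % rule["action"])
    rule["options"] = []
    for raw in split_options(rule.pop("opts")):
        keyword, _, value = raw.partition(":")  # flag-only keywords get value None
        rule["options"].append((keyword.strip(), value.strip() or None))
    return rule


def option(rule, keyword):
    """First value given for a keyword, e.g. option(rule, "sid")."""
    return next((v for k, v in rule["options"] if k == keyword), None)


def decode_content(value):
    """content: argument -> bytes; text outside |..| is literal, inside |..| is hex."""
    if len(value) < 2 or value[0] != '"' or value[-1] != '"':
        raise ValueError("content must be double-quoted: %r" % value)
    out = bytearray()
    for i, chunk in enumerate(value[1:-1].split("|")):
        out += bytes.fromhex(chunk) if i % 2 else chunk.encode("latin-1")
    return bytes(out)


def payload_matches(rule, payload):
    """True if every content: option matches, honouring its modifiers in rule order."""
    groups = []  # (pattern bytes, {modifier: int}); a modifier applies to the content before it
    for keyword, value in rule["options"]:
        if keyword == "content":
            groups.append((decode_content(value), {}))
        elif keyword in MODIFIERS and groups:
            groups[-1][1][keyword] = int(value)
    doe = 0  # end of the previous content match
    for pattern, mods in groups:
        if "distance" in mods or "within" in mods:  # relative to the previous match
            start = max(0, doe + mods.get("distance", 0))
            length = mods.get("within", len(payload))
        else:  # offset/depth are measured from the start of the payload
            start = mods.get("offset", 0)
            length = mods.get("depth", len(payload))
        idx = payload[start:start + length].find(pattern)
        if idx < 0:
            return False
        doe = start + idx + len(pattern)
    return True


EXAMPLE_RULE = (  # constructed rule; sid 1000001 is in the range reserved for local rules
    'alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ('
    'msg:"Constructed example; admin path probe"; flow:to_server,established; '
    'content:"GET "; depth:4; content:"/admin"; distance:0; within:20; '
    'content:"|0d 0a|"; sid:1000001; rev:1;)'
)

if __name__ == "__main__":
    rule = parse_rule(EXAMPLE_RULE)
    print(option(rule, "msg"), payload_matches(rule, b"GET /admin/x HTTP/1.1\r\n"))
```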
12.2.9 SNORT IPS OPERATION

 Packets arriving on Snort enabled interfaces are inspected as follows:


1. Cisco IOS Software forwards the packets to be inspected to the Snort IPS
engine using an internal virtual port group (VPG) interface.
2. Snort IPS inspects the traffic and takes necessary action.
3. Snort drops the packets associated with bad flows (IPS mode). Good flow
packets are returned to the router for further processing.
 Packet exchange between the container applications and the IOS data plane is done
using VPG interfaces. These routed interfaces are connected through the router back
plane. The corresponding interface on the container side will appear as virtual Ethernet
ports.
 Snort IPS requires two VPG interfaces:
1. Management interface - This is the interface that is used to source logs to the
log collector and for retrieving signature updates from Cisco.com. For this
reason, this interface requires a routable IP address.
2. Data interface - This is the interface that is used to send user traffic between
the Snort virtual container service and the router forwarding plane.
 In the figure, VPG0 is used for Snort management traffic while VPG1 is used for user
traffic to be inspected. User traffic to be inspected is forwarded to the Snort engine
using VPG1 as shown. Traffic is then inspected and either rejected (dropped) or
forwarded back to the router as shown.

12.3 CONFIGURE SNORT IPS


12.3.1 SNORT IPS CONFIGURATION STEPS

 To deploy Snort IPS on supported devices, perform the following steps:


o Step 1. Download the Snort OVA file.
o Step 2. Install the OVA file.
o Step 3. Configure Virtual Port Group interfaces.
o Step 4. Activate the virtual services.
o Step 5. Configure Snort specifics.
o Step 6. Enable IPS globally or on desired interfaces.
o Step 7. Verify Snort IPS.
 Note: The Snort IPS functionality is available only in security K9-licensed IOS XE
version. The security license is required to enable the service. This feature is available
in Cisco IOS XE Release 3.16.1S, 3.17S, and later releases.
12.3.2 STEP 1: DOWNLOAD THE SNORT OVA FILE

 An Open Virtualization Archive (OVA) is a file that contains a compressed, installable
version of a virtual machine. The Snort service OVA file is not bundled with the Cisco
IOS XE Release images installed on the router. Even if an OVA file is preinstalled in the
flash of the router, it is recommended that the latest OVA file be downloaded from
Cisco.com.
 For example, in the figure, the user is downloading the OVA file for an ISR 4321 router
using IOS Fuji-16.9.6.

 Note: CCO access is required to download files from Cisco.com.


12.3.3 STEP 2: INSTALL THE SNORT OVA FILE

 The OVA file must be downloaded and saved in a file location available to the ISR
router (e.g., Flash).
 To install the OVA file, use the virtual-service install name virtual-service-
name package file-url media file-system privilege EXEC command. The length of
the name is 20 characters and the complete path to the OVA file must be specified.
 An example configuration is shown below.
R1# virtual-service install name MYIPS package flash:iosxe-
utd.16.09.06.1.0.10_SV29130_XE_16_9.ova
Installing package 'bootflash:/iosxe-
utd.16.09.06.1.0.10_SV29130_XE_16_9.ova' for virtual-service
'MYIPS'. Once the install has finished, the VM may be activated.
Use 'show virtual-service list' for progress.

R1#
*Oct 5 08:07:45.953: %VMAN-5-PACKAGE_SIGNING_LEVEL_ON_INSTALL:
R0/0: vman: Package 'iosxe-utd.16.09.06.1.0.10_SV29130_XE_16_9.ova'
for service container 'MYIPS' is 'Cisco signed', signing level
cached on original install is 'Cisco signed'

R1#

 During the OVA file installation, the security license is checked and an error is reported
if the license is not present. Therefore, the Cisco IOS XE image must be enabled with
the security license. In the output, you can see that the OVA is Cisco signed.
 Use the show virtual-service list command to display the status of the installation of all
applications installed on the virtual service container.
12.3.4 STEP 3: CONFIGURE VIRTUAL PORT GROUP INTERFACES

 Two VirtualPortGroup (VPG) interfaces must then be configured along with their guest
IP addresses.
 In our example, the VPG interfaces will be configured as follows:
o VPG0 - This is for management traffic to exchange information with IPS
servers. The guest IP address needs to be routable to connect to the signature
update server and external log server. It is also used to log traffic to log
collectors.
o VPG1 - This is for user traffic marked for inspection. This should not be
routable and therefore uses a non-routable private IP address.
 Note: Be sure to provide proper NAT and routing to enable the management VPG to
reach the log server as well as cisco.com to retrieve signature update files.
 The following is a sample configuration of VPG0 and VPG1.
R1# configure terminal
R1(config)# interface VirtualPortGroup0
R1(config-if)# description Management interface
R1(config-if)# ip address 209.165.201.1 255.255.255.252
R1(config-if)# exit
R1(config)#
*Oct 5 08:13:10.970: %LINEPROTO-5-UPDOWN: Line protocol on
Interface VirtualPortGroup0, changed state to up
R1(config)# interface VirtualPortGroup1
R1(config-if)# description Data interface
R1(config-if)# ip address 192.168.0.1 255.255.255.252
R1(config-if)# exit
R1(config)#
*Oct 5 08:13:12.921: %LINEPROTO-5-UPDOWN: Line protocol on
Interface VirtualPortGroup1, changed state to up
R1#

12.3.5 STEP 4: ACTIVATE VIRTUAL SERVICES

 The next step is to configure guest IPs on the same subnet for the container side and
activate the virtual service as shown in the output.
R1(config)# virtual-service MYIPS
R1(config-virt-serv)# vnic gateway VirtualPortGroup0
R1(config-virt-serv-vnic)# guest ip address 209.165.201.2
R1(config-virt-serv-vnic)# exit
R1(config-virt-serv)# vnic gateway VirtualPortGroup1
R1(config-virt-serv-vnic)# guest ip address 192.168.0.2
R1(config-virt-serv-vnic)# exit
R1(config-virt-serv)# activate

 The virtual-service virtual-service-name command configures the logical
name, MYIPS in the example, that is used to identify the virtual container service.
 The vnic gateway VirtualPortGroup interface-number command creates a virtual
network interface card (vNIC) gateway interface for the virtual container service. It also
maps the vNIC gateway interface to the virtual port group, and enters the virtual-service
vNIC configuration mode.
 The guest ip address ip-address command configures a guest vNIC address for the
vNIC gateway interface.
 Finally, the activate command activates the application installed in a virtual container
service.
12.3.6 STEP 5: CONFIGURE SNORT SPECIFICS

 The next step is to configure how Snort is to be deployed (i.e. IPS or IDS mode), where
the Snort logs should be sent, the policy and profile to configure for Snort, and more.
 Refer to the sample command output.
R1(config)# utd engine standard
R1(config-utd-eng-std)# logging host 10.10.10.254
R1(config-utd-eng-std)# logging syslog
R1(config-utd-eng-std)#
R1(config-utd-eng-std)# threat-inspection
R1(config-utd-engstd-insp)# threat protection
R1(config-utd-engstd-insp)# policy balanced
R1(config-utd-engstd-insp)#
R1(config-utd-engstd-insp)# signature update occur-at daily 0 0
R1(config-utd-engstd-insp)# signature update server cisco username
Bob password class
R1(config-utd-engstd-insp)# logging level warning
R1(config-utd-engstd-insp)#
R1(config-utd-engstd-insp)# exit
R1(config-utd-eng-std)# exit
R1(config)#

 The utd engine standard command configures the UTD standard engine and enters
UTD standard engine configuration mode.
 The logging host and logging syslog commands enable the logging of emergency
messages to a server.
 The threat-inspection command configures threat inspection for the Snort engine.
From here you can specify which mode Snort will be in:
o threat protection - Snort will be in IPS mode.
o threat detection - Snort will be in IDS mode.
 The policy command selects one of three security policies used by Snort and provided by
Cisco Talos, as shown in the following help facility example.
R1(config-utd-engstd-insp)# policy ?
balanced Set the policy to balanced (this is the default option)
connectivity Set the policy to connectivity (stresses on
connectivity over security)
security Set the policy to security (provide mode exhaustive
coverage)
R1(config-utd-engstd-insp)# policy

 The three policy settings in order from least protection to most protection are:
o connectivity - This provides the least protection as it prioritizes connectivity
over security. Approximately 1,000 rules are pre-loaded using this policy.
o balanced - This is the default policy. It is recommended for initial
deployments. This policy attempts to balance security needs and performance
characteristics of the network. Approximately 8,000 rules are pre-loaded using
this policy.
o security - This provides the most protection. It is designed for organizations
that are exceptionally concerned about security. Customers deploy this policy in
protected networks, that have a lower bandwidth requirements, but much higher
security requirements. Approximately 12,000 rules are pre-loaded using this
policy.
 Note: IPS system performance is negatively affected as more rules are enabled.
 The signature update command configures the signature update interval parameters. In
our sample output, Snort will update its signatures every night at midnight.
 The signature update server command configures the signature update server
parameters. You must specify the signature update parameters with the server details. If
you use Cisco.com for signature updates, you must provide the username and password.
If you use a local server for signature updates, you can provide the username and
password depending on the server settings. In our sample output, Snort updates its
signature file from cisco.com using the username Bob and password class.
 Finally the logging level command specifies the types of syslog messages that will be
generated.
12.3.7 STEP 6: ENABLE IPS GLOBALLY OR ON DESIRED INTERFACES

 Based on the organizational requirements, Snort can be enabled globally (i.e., on all the
interfaces) or on selected interfaces.
 The example in the output enables UTD globally on all interfaces and defines what to
do if the Snort engine fails.
R1(config)# utd
R1(config-utd)# all-interfaces
R1(config-utd)#
R1(config-utd)# engine standard
R1(config-engine-std)# fail close
R1(config-engine-std)# exit
R1(config-utd)# exit
R1(config)#

 The all-interfaces option configures unified threat defence (UTD) on all Layer 3
interfaces of the device.
 The engine standard command configures the Snort-based UTD engine and enters
standard engine configuration mode. From this mode, we can specify how Snort will
behave if there is a UTD engine failure.
 Specifically, Snort can be configured to:
o fail-open (default) - When there is a UTD engine failure, this option allows all
of the IPS/IDS traffic through without being inspected.
o fail-close - If enabled, this option drops all the IPS/IDS traffic when there is an
UTD engine failure. Therefore, no traffic will be allowed to leave.
 Alternatively, Snort could be enabled only on select interfaces as shown.
 Note: An error message is displayed if UTD has already been enabled globally with the
all-interfaces option.
R1(config)# interface G0/0/0
R1(config-if)# utd enable
R1(config-if)# exit
R1(config)# interface G0/0/1
R1(config-if)# utd enable
R1(config-if)# exit
R1(config)#

 You can also enable the UTD allowed list feature. This enables you to identify IPS
signature IDs to be suppressed (not used).
 For example, when an IPS is incorrectly identifying normal user traffic as a threat (i.e.,
a false positive), we can add those signatures to an allowed list. The IPS will not use
signatures in the allowlist.
 To do so, enter UTD allowed list configuration mode and identify signature IDs to be
excluded from inspection. After the allowed list signature ID is configured, Snort will
allow the flow to pass through the device without any alerts and drops.
 For example, assume that the IPS has incorrectly identified user traffic
from Branch1 as malicious and assigned it id 21555. This signature can be added to an
allowed list, as shown
R1(config)# utd threat-inspection whitelist
R1(config-utd-whitelist)# signature id 21555 comment traffic from
Branch 1
R1(config-utd-whitelist)#

12.3.8 STEP 7: VERIFY SNORT IPS

 After Snort IPS is implemented, it is necessary to verify the configuration to ensure
correct operation.
 There are several show commands that can be used to verify the Snort IPS
configuration and operation:
o show virtual-service list - The command displays an overview of resources
that are utilized by the applications.
o show virtual-service detail - The command displays a list of resources that are
committed to a specified application, including attached devices.
o show utd engine standard config - The command displays the UTD
configuration.
o show utd engine standard status - The command displays the status of the
UTD engine.
o show platform hardware qfp active feature utd stats - The command checks
the data plane. It verifies increments for encap, decap, redirect, and reinject and
displays a health of "Green".
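As an added example that is not part of these notes or of Cisco IOS XE, the following Python audits a saved running-config for the settings made in steps 3 to 6 (VPG interfaces, IPS/IDS mode, policy, logging host, signature updates, fail-open/fail-close, global or per-interface enablement, allowed list) and reports weak or missing settings. The sample config is constructed from the commands on this page; the exact line layout that show running-config emits on a real ISR 4000 is an assumption.

```python
"""Audit a saved IOS XE running-config for the Snort IPS settings above.
Added example, not Cisco code. SAMPLE_CONFIG is constructed from the commands in
steps 3 to 6; the exact layout of a real show running-config is an assumption.
"""
import re

SAMPLE_CONFIG = """\
interface VirtualPortGroup0
 ip address 209.165.201.1 255.255.255.252
!
interface VirtualPortGroup1
 ip address 192.168.0.1 255.255.255.252
!
utd engine standard
 logging host 10.10.10.254
 logging syslog
 threat-inspection
  threat protection
  policy balanced
  signature update occur-at daily 0 0
!
utd threat-inspection whitelist
 signature id 21555 comment traffic from Branch 1
!
utd
 all-interfaces
 engine standard
  fail close
!
"""


def blocks(config):
    """Group the config into (top-level line, [stripped indented lines]) pairs."""
    result = []
    for line in config.splitlines():
        if not line.strip() or line.startswith("!"):
            continue
        if not line.startswith(" "):
            result.append((line.strip(), []))
        elif result:
            result[-1][1].append(line.strip())
    return result


def audit_snort_ips(config):
    """Return (effective settings, findings) for the Snort IPS parts of a config."""
    facts = {"vpg": [], "mode": None, "policy": None, "logging_host": None,
             "signature_update": False, "fail_mode": "fail-open",  # fail-open is the default
             "global": False, "interfaces": [], "whitelist": []}
    for head, body in blocks(config):
        if head.startswith("interface VirtualPortGroup"):
            facts["vpg"].append(head.split()[1])
        elif head.startswith("interface ") and "utd enable" in body:
            facts["interfaces"].append(head.split()[1])
        elif head == "utd engine standard":
            for line in body:
                if line == "threat protection":
                    facts["mode"] = "IPS"
                elif line == "threat detection":
                    facts["mode"] = "IDS"
                elif line.startswith("policy "):
                    facts["policy"] = line.split()[1]
                elif line.startswith("logging host "):
                    facts["logging_host"] = line.split()[2]
                elif line.startswith("signature update occur-at"):
                    facts["signature_update"] = True
        elif head == "utd threat-inspection whitelist":
            ids = re.findall(r"signature id (\d+)", "\n".join(body))
            facts["whitelist"] += [int(s) for s in ids]
        elif head == "utd":
            facts["global"] = "all-interfaces" in body
            if "fail close" in body:
                facts["fail_mode"] = "fail-close"
    findings = []
    if len(facts["vpg"]) < 2:
        findings.append("fewer than two VirtualPortGroup interfaces (management and data needed)")
    if not facts["global"] and not facts["interfaces"]:
        findings.append("UTD is not enabled globally or on any interface")
    if facts["fail_mode"] == "fail-open":
        findings.append("fail-open (default): traffic bypasses inspection if the engine fails")
    if facts["logging_host"] is None:
        findings.append("no logging host: Snort events are not sent to a collector")
    if not facts["signature_update"]:
        findings.append("no scheduled signature update")
    if facts["policy"] == "connectivity":
        findings.append("policy connectivity loads the fewest rules (least protection)")
    if facts["whitelist"]:
        findings.append("allowed-list signatures never alert: %s" % facts["whitelist"])
    return facts, findings


if __name__ == "__main__":
    settings, issues = audit_snort_ips(SAMPLE_CONFIG)
    print(settings)
    for issue in issues:
        print("-", issue)
```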

12.4 IPS OPERATION AND IMPLEMENTATION SUMMARY


12.4.1 WHAT DID I LEARN IN THIS MODULE?
IPS Signatures

 IPS signatures have three attributes: type, trigger, and action.


 The signature type can be atomic or composite. The signature alarms can use pattern-
based detection, anomaly-based detection, policy-based detection, or honey pot-based
detection.
 The IPS signature actions include generate an alert, log the activity, deny the activity,
reset the TCP connection, and block future activity.
 Triggering mechanisms can generate results such as true positives, true negatives, false
positives, and false negatives.
Cisco Snort IPS

 Intrusion protection is provided in modern Cisco networks using either dedicated
NGIPS Firepower enabled devices, Snort IPS on ISR 4000 routers, or using an external
Snort IPS server.
 Snort IPS on an ISR device can provide either IDS or IPS services. It has predefined
security levels (i.e., connectivity, balanced, and security). It can refer to an allowed list,
provide feedback on the health of the Snort engine, offer fail-open and fail-close
failover, and automated signature updates and logging.
 Snort IPS consists of a Snort engine and Snort rule set. There are community rules
available for free and subscriber rules available for a fee.
 Snort IPS runs in a Linux service container VM supported by ISR 4000 routers. Snort
IPS uses rules consisting of rule headers and rule options to identify malicious traffic.
Configure Snort IPS

 To configure Snort IPS on an ISR 4000 device, you must download the latest OVA file,
install it on the router, configure VPG interfaces, activate the virtual services, configure
Snort IPS specifics, and enable UTD. After Snort is configured and activated, show
commands allow verification of its operation.

MODULE 13
13.1 ENDPOINT SECURITY OVERVIEW
13.1.1 LAN ELEMENTS SECURITY

 News media commonly cover external network attacks on enterprise networks. These
are some examples of such attacks:
o DoS attacks on an organization’s network to degrade or even halt public access
to it
o Breach of an organization’s Web server to deface their web presence
o Breach of an organization’s data servers and hosts to steal confidential
information
 Various network security devices are required to protect the network perimeter from
outside access.
 As shown in the figure, these devices could include a hardened ISR that is providing
VPN services, an ASA firewall appliance, an IPS, and a AAA server.

 Many attacks can, and do, originate from inside the network. Therefore, securing an
internal LAN is just as important as securing the outside network perimeter.
 Without a secure LAN, users within an organization are still susceptible to network
threats and outages that can directly affect an organization’s productivity and profit
margin.
 After an internal host is infiltrated, it can become a starting point for an attacker to gain
access to critical system devices, such as servers and the sensitive information they
contain.
 Specifically, there are two internal LAN elements to secure:
o Endpoints - Hosts commonly consist of laptops, desktops, servers, and IP
phones which are susceptible to malware-related attacks. Endpoints also include
video cameras, point-of-sale devices, and devices on the Internet of Things.
o Network infrastructure - LAN infrastructure devices interconnect endpoints
and typically include switches, wireless devices, and IP telephony devices.
Most of these devices are susceptible to LAN-related attacks including MAC
address table overflow attacks, spoofing attacks, DHCP related attacks, LAN
storm attacks, STP manipulation attacks, and VLAN attacks.
 This module focuses on securing endpoints.

13.1.2 TRADITIONAL ENDPOINT SECURITY

 Historically, employee endpoints were company-issued computers which resided within
a clearly defined LAN perimeter.
 These hosts were protected by firewalls and IPS devices which worked well with hosts
that were connected to the LAN and behind the firewall.
 The endpoints also used traditional host-based security measures:
o Antivirus/Antimalware Software - This is software installed on a host to
detect and mitigate viruses and malware. Companies that provide anti-virus
software include Norton, TotalAV, McAfee, MalwareBytes and many others.
o Host-based IPS - This is software that is installed on the local host to monitor
and report on the system configuration and application activity, provide log
analysis, event correlation, integrity checking, policy enforcement, rootkit
detection, and alerting. Examples include Snort IPS, OSSEC, and Malware
Defender, among others.
o Host-based firewall - This is software that is installed on a host that restricts
incoming and outgoing connections to those initiated by that host only. Some
firewall software can also prevent a host from becoming infected and stop
infected hosts from spreading malware to other hosts. Host-based firewalls are
included in some operating systems such as Windows, or produced by companies
such as NetDefender, Zonealarm, Comodo Firewall, and many others.

13.1.3 THE BORDERLESS NETWORK

 The network has evolved to include traditional endpoints and new, lightweight,
portable, consumerized endpoints such as smartphones, tablets, wearables, and others.
 The new bring-your-own-device (BYOD) needs of workers require a different way of
approaching endpoint security.
 These new endpoints have blurred the network border because access to network
resources can be initiated by users from many locations using various connectivity
methods at any time.
 There are some problems with the traditional method of securing endpoints.
 In many networks, the network-based devices are disparate and typically do not share
information among themselves.
 Additionally, new endpoint devices are not good candidates for the traditional host-
based endpoint security solutions because of the variety of devices and the variety of
operating systems available on those devices.
 The challenge is allowing these heterogeneous devices to connect to enterprise
resources securely.

13.1.4 SECURITY FOR ENDPOINTS IN THE BORDERLESS NETWORK

 Larger organizations now require protection before, during, and after an attack. IT
administrators must be able to answer the following questions:
o Where did the attack come from?
o What was the exploit method and point of entry?
o What systems were affected?
o What did the exploit do?
o How do we recover from the exploit?
o How can we mitigate the vulnerability and root cause?
 Organizations must also protect their endpoints from new threats and provide the
protection measures that are outlined in the table below.

Measure - Purpose
o antimalware software - Protect endpoints from malware.
o spam filtering - Prevent spam emails from reaching endpoints.
o blocklisting - Prevent endpoints from connecting to websites with bad reputations by
immediately blocking connections based on the latest reputation intelligence.
o data loss prevention (DLP) - Prevent sensitive information from being lost or stolen.

13.1.5 NETWORK-BASED MALWARE PROTECTION


 New security architectures for the borderless network address security challenges by
having endpoints use network scanning elements.
 These devices provide many more layers of scanning than a single endpoint possibly
could. Network-based malware prevention devices are also capable of sharing
information among themselves to make better informed decisions.
 Protecting endpoints in a borderless network can be accomplished using network-based,
as well as host-based techniques, as shown in the figure.

 The following are examples of devices and techniques that implement host protections
at the network level.
o Advanced Malware Protection (AMP) – This provides endpoint protection
from viruses and malware.
o Email Security Appliance (ESA) – This provides filtering of SPAM and
potentially malicious emails before they reach the endpoint. An example is the
Cisco ESA.
o Web Security Appliance (WSA) – This provides filtering and blocking of
websites to prevent hosts from reaching dangerous locations on the web. The
Cisco WSA provides control over how users access the internet and can enforce
acceptable use policies, control access to specific sites and services, and scan
for malware.
o Network Admission Control (NAC) – This permits only authorized and
compliant systems to connect to the network.
 These technologies work in concert with each other to give more protection than host-
based suites can provide, as shown in the figure.

13.1.6 HARDWARE AND SOFTWARE ENCRYPTION OF LOCAL DATA

 Endpoints are also susceptible to data theft. For instance, if a corporate laptop is lost or
stolen, a thief could scour the hard drive for sensitive information, contact information,
personal information, and more.
 The solution is to locally encrypt the disk drive with a strong encryption algorithm such
as 256-bit AES encryption. The encryption protects the confidential data from
unauthorized access. The encrypted disk volumes can only be mounted for normal
read/write access with the authorized password.
 Operating systems such as macOS natively provide encryption options. The
Microsoft Windows 10 operating system also provides encryption natively. Individual
files, folders, and drives can be configured to encrypt data. In Windows, BitLocker
provides drive encryption, as shown in the figure. Files can also be encrypted, but
because applications can create unencrypted back up files, the entire folder that the file
is stored in should be encrypted.

13.1.7 NETWORK ACCESS CONTROL


 The purpose of network access control (NAC) is to allow only authorized and compliant
systems, whether managed or unmanaged, to access the network.
 It unifies endpoint security technologies with user or device authentication and network
security policy enforcement.
 A NAC system can deny network access to noncompliant devices, place them in a
quarantined area, or give them only restricted access to computing resources, thus
keeping insecure nodes from infecting the network.
 NAC systems can have the following capabilities:
o Profiling and visibility - This recognizes and profiles users and their devices
before malicious code can cause damage.
o Guest network access - This manages guests through a customizable, self-
service portal that includes guest registration, guest authentication, guest
sponsoring, and a guest management portal.
o Security posture checking - This evaluates security-policy compliance by user
type, device type, and operating system.
o Incident response - This mitigates network threats by enforcing security
policies that block, isolate, and repair noncompliant machines without
administrator attention.
 NAC systems should extend NAC to all network access methods, including access
through LANs, remote-access gateways, and wireless access points.
 The Cisco Identity Services Engine (ISE) combines AAA and network device profiling
into a single system.

13.1.8 NAC FUNCTIONS

 The goal of NAC systems is to ensure that only hosts that are authenticated and have
had their security posture examined and approved are permitted onto the network.
 For example, company laptops used offsite for a period of time might not have received
current security updates or could have become infected from other systems. Those
systems cannot connect to the network until they are examined, updated, and approved.
 Network access devices can function as the enforcement layer, as shown in the figure.
They force the clients to query a RADIUS server for authentication and authorization.
The RADIUS server can query other devices, such as an antivirus server, and reply to
the network enforcers.

13.2 802.1X AUTHENTICATION


13.2.1 SECURITY USING 802.1X PORT-BASED AUTHENTICATION

 The IEEE 802.1X standard defines a port-based access control and authentication
protocol that restricts unauthorized workstations from connecting to a LAN through
publicly accessible switch ports.
 The authentication server authenticates each workstation that is connected to a switch
port before making available any services offered by the switch or the LAN.
 The figure shows that with 802.1X port-based authentication, the devices in the network
have specific roles.
 The 802.1x roles include:
o Supplicant (Client) - The device (workstation) that requests access to LAN
and switch services and then responds to requests from the switch. The
workstation must be running 802.1X-compliant client software. (The port that
the client is attached to is the supplicant [client] in the IEEE 802.1X
specification.)
o Authenticator (Switch) - This device controls physical access to the network
based on the authentication status of the client. The switch acts as an
intermediary (proxy) between the client (supplicant) and the authentication
server, requesting identifying information from the client, verifying that
information with the authentication server, and relaying a response to the client.
The switch uses a RADIUS software agent, which is responsible for
encapsulating and de-encapsulating the EAP (Extensible Authentication
Protocol) frames and interacting with the authentication server.
o Authentication server - This server performs the actual authentication of the
client. The authentication server validates the identity of the client and notifies
the switch whether the client is authorized to access the LAN and switch
services. Because the switch acts as the proxy, the authentication service is
transparent to the client. The RADIUS security system with EAP extensions is
the only supported authentication server.
 Until the workstation is authenticated, 802.1X access control enables only Extensible
Authentication Protocol over LAN (EAPOL), Cisco Discovery Protocol (CDP), and
Spanning Tree Protocol (STP) traffic through the port to which the workstation is
connected. After authentication succeeds, normal traffic can pass through the port.
 The switch port state determines whether the client is granted access to the network.
 When configured for 802.1X port-based authentication, the port starts in the
unauthorized state. While in this state, the port disallows all ingress and egress traffic
except for 802.1X protocol, STP, and CDP packets.
 When a client is successfully authenticated, the port transitions to the authorized state,
allowing all traffic for the client to flow normally. If the switch requests the client
identity (authenticator initiation) and the client does not support 802.1X, the port
remains in the unauthorized state, and the client is not granted access to the network.
 In contrast, when an 802.1X-enabled client connects to a port and the client initiates the
authentication process (supplicant initiation) by sending the EAPOL-start frame to a
switch that is not running the 802.1X protocol, no response is received, and the client
begins sending frames as if the port is in the authorized state.
 The figure shows the complete message exchange between the supplicant,
authenticator, and the authentication server. The encapsulation occurs as follows:
o Between the supplicant and the authenticator - EAP data is encapsulated in
EAPOL frames.
o Between the authenticator and the authentication server - EAP data is
encapsulated using RADIUS.
 If the client is successfully authenticated (the switch receives an “accept” frame from
the authentication server), the port state changes to authorized, and all frames from the
authenticated client are enabled through the port.
 If the authentication fails, the port remains in the unauthorized state, but authentication
can be retried. If the authentication server cannot be reached, the switch can retransmit
the request. If no response is received from the server after the specified number of
attempts, authentication fails, and network access is not granted.
 When a client logs out, it sends an EAPOL-logout message, causing the switch port to
transition to the unauthorized state.

13.2.2 CONTROL THE 802.1X AUTHORISATION STATE

 It may be necessary to configure a switch port to override the 802.1X authentication
process. To do this, use the authentication port-control interface configuration
command to control the port authorization state. The parameters for this command are
shown below. The individual port on the authenticator switch is configured with this
command, in this case, port F0/1 of S1. By default, a port is in the force-authorized
state, meaning it can send and receive traffic without 802.1x authentication.
S1(config-if)# authentication port-control ?
auto PortState set to automatic
force-authorized PortState set to AUTHORIZED <--default
force-unauthorized PortState set to UnAuthorized

S1(config-if)# authentication port-control

Parameter Description
o auto - Enables 802.1X port-based authentication and causes the port to begin in the
unauthorized state. During this time only EAPOL, STP, and CDP frames can be sent or
received through the port until the client device has been authenticated.
o force-authorized - The port sends and receives normal traffic without 802.1X-based
authentication of the client. This is the default setting.
o force-unauthorized - Causes the port to remain in the unauthorized state, ignoring all
attempts by the client to authenticate. The switch cannot provide authentication
services to the client through the port.

 The auto keyword must be entered to enable 802.1X authentication. Therefore, to
enable 802.1X on the port, use the authentication port-control auto interface
configuration command.
 If the client is successfully authenticated (receives an Accept frame from the
authentication server), the port state changes to authorized, and all frames from the
authenticated client are allowed through the port. If the authentication fails, the port
remains in the unauthorized state, but authentication can be retried. If the authentication
server cannot be reached, the switch can resend the request. If no response is received
from the server after the specified number of attempts, authentication fails, and network
access is not granted.
 When a client logs off, it sends an EAPOL-logoff message, causing the switch port to
change to the unauthorized state.
 If the link state of a port changes from up to down, or if an EAPOL-logoff frame is
received, the port returns to the unauthorized state.
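The port-state behaviour described in 13.2.1 and 13.2.2 (unauthorized ports passing only EAPOL, STP and CDP; the supplicant's EAPOL-Start relayed to the server; retransmission on server silence; accept, reject, logoff and link-down transitions; the three port-control modes) is modelled below as a small Python state machine. This is an added example, not code from the notes or from Cisco IOS. The EAPOL packet types and EAP codes are the IEEE 802.1X / RFC 3748 values; the retransmission budget of 2 and the fact that retries are counted per port are assumptions made to keep the model simple.

```python
"""Model of one switch port acting as an 802.1X authenticator (added example)."""
from dataclasses import dataclass
from enum import Enum


class PortControl(Enum):
    """Values of the IOS 'authentication port-control' command."""
    AUTO = "auto"
    FORCE_AUTHORIZED = "force-authorized"        # IOS default
    FORCE_UNAUTHORIZED = "force-unauthorized"


# EAPOL packet types (IEEE 802.1X) and EAP codes (RFC 3748) used by the model.
EAPOL_EAP_PACKET, EAPOL_START, EAPOL_LOGOFF = 0, 1, 2
EAP_SUCCESS, EAP_FAILURE = 3, 4


@dataclass
class AuthenticatorPort:
    control: PortControl = PortControl.FORCE_AUTHORIZED
    max_reauth_req: int = 2        # assumed: retransmissions before giving up
    authorized: bool = False
    pending_attempts: int = 0      # requests sent to the server for this session

    def __post_init__(self) -> None:
        # A force-authorized port passes traffic without any authentication.
        self.authorized = self.control is PortControl.FORCE_AUTHORIZED

    def forwards(self, frame_kind: str) -> bool:
        """Whether a frame of this kind is let through the port right now.
        An unauthorized port accepts only EAPOL, STP and CDP frames."""
        return self.authorized or frame_kind in {"EAPOL", "STP", "CDP"}

    def on_eapol(self, eapol_type: int) -> str:
        """Handle a frame from the supplicant; return what the switch does."""
        if self.control is not PortControl.AUTO:
            # force-* ports never run the exchange, so the client gets no reply.
            return "ignored"
        if eapol_type in (EAPOL_START, EAPOL_EAP_PACKET):
            if eapol_type == EAPOL_START:
                self.pending_attempts = 1
            return "relay-to-radius"      # EAP data re-encapsulated in RADIUS
        if eapol_type == EAPOL_LOGOFF:
            self.authorized = False
            return "unauthorized"
        return "ignored"

    def on_server_result(self, eap_code) -> str:
        """Handle the authentication server's answer (None = no answer)."""
        if self.control is not PortControl.AUTO:
            return "ignored"
        if eap_code == EAP_SUCCESS:            # "accept" from the server
            self.authorized = True
            self.pending_attempts = 0
            return "authorized"
        if eap_code == EAP_FAILURE:            # client may retry
            self.authorized = False
            self.pending_attempts = 0
            return "unauthorized"
        # No response: resend until the attempt budget is spent, then fail.
        if self.pending_attempts <= self.max_reauth_req:
            self.pending_attempts += 1
            return "retransmit"
        self.pending_attempts = 0
        return "unauthorized"

    def on_link_down(self) -> str:
        """Link up -> down returns an auto port to the unauthorized state."""
        if self.control is PortControl.AUTO:
            self.authorized = False
        return "authorized" if self.authorized else "unauthorized"


def walkthrough() -> list:
    """Replay the exchange from the notes on a port set to 'auto'."""
    port = AuthenticatorPort(control=PortControl.AUTO)
    return [
        ("ipv4-before-auth", port.forwards("IPv4")),
        ("eapol-start", port.on_eapol(EAPOL_START)),
        ("no-answer-1", port.on_server_result(None)),
        ("no-answer-2", port.on_server_result(None)),
        ("no-answer-3", port.on_server_result(None)),
        ("eapol-start-again", port.on_eapol(EAPOL_START)),
        ("accept", port.on_server_result(EAP_SUCCESS)),
        ("ipv4-after-auth", port.forwards("IPv4")),
        ("logoff", port.on_eapol(EAPOL_LOGOFF)),
    ]
```

The model makes the security-relevant asymmetry visible: a force-authorized port silently ignores a supplicant's EAPOL-Start (the "switch not running 802.1X" case in the notes), so an endpoint that was expecting to authenticate simply starts sending traffic, while a force-unauthorized port ignores even a server accept.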

13.2.3 802.1X CONFIGURATION

 This scenario is implemented in the same topology as above. A PC is attached to F0/1 on
the switch and the device will be authenticated via 802.1X with a RADIUS server.
Unlike in previous AAA scenarios, in which administrators were authenticated to the
router configuration lines, in this scenario an endpoint is authenticated before access is
granted to the network.
 Configuring 802.1X requires a few basic steps:
o Step 1. Enable AAA using the aaa new-model command.
o Step 2. Designate the RADIUS server and configure its address and ports.
o Step 3. Create an 802.1X port-based authentication method list using the aaa
authentication dot1x command.
o Step 4. Globally enable 802.1X port-based authentication using the dot1x
system-auth-control command.
o Step 5. Enable port-based authentication on the interface using the
authentication port-control auto command.
o Step 6. Enable 802.1X authentication on the interface using the dot1x pae
command. The authenticator option sets the Port Access Entity (PAE) type so that
the interface acts only as an authenticator and will not respond to any messages
meant for a supplicant.
 An example configuration is shown below.
S1(config)# aaa new-model
S1(config)# radius server NETSEC
S1(config-radius-server)# address ipv4 10.1.1.50 auth-port 1812 acct-port 1813
S1(config-radius-server)# key RADIUS-Pa55w0rd
S1(config-radius-server)# exit
S1(config)#
S1(config)# aaa authentication dot1x default group radius
S1(config)# dot1x system-auth-control
S1(config)#
S1(config)# interface F0/1
S1(config-if)# description Access Port
S1(config-if)# switchport mode access
S1(config-if)# authentication port-control auto
S1(config-if)# dot1x pae authenticator

13.3 ENDPOINT SECURITY SUMMARY


13.3.1 WHAT DID I LEARN IN THIS MODULE?
Introducing Endpoint Security

 Traditionally endpoints included PCs, servers, and printers. However, in today’s
network, endpoints also include phones, tablets, laptops, Internet of Things devices,
network video cameras and many other things.
 Endpoint security used to depend on host-based security measures such as antimalware
software, host-based IPS, and host-based firewall software. Many devices and
technologies enhance host-based endpoint protections. Some of them are email security
appliances, web security appliances, NAC, and the Cisco Identity Services Engine.
 Another way that endpoints can be protected from data loss is through the use of
encryption of local data at the file, folder, or drive level. Software such as BitLocker is
included with Microsoft Windows 10 for this purpose.
 Network Access Control is a system that can check whether endpoints that attempt to
connect to the network comply with network security policies.
 It handles user authentication and can take action against devices that violate security
policies by having out-of-date security software. It can even take action to bring devices
up to the compliance standard before allowing access.
 NAC can also provide easy-to-manage methods of providing network access to guest
computers that require connectivity to the network. Cisco ISE combines AAA and NAC
into a single system.
802.1X Authentication

 802.1X provides a means by which an authenticator (the network access switch) can act
as an intermediary between a client and an authentication server.
 The switch forwards authentication information from the client to the server. If
authentication is successful, the client will be allowed to access the network through the
connected switch port.
 If authorization fails, the switch will not permit the client endpoint to connect to the
network.
 The system uses EAP and EAPOL to carry authentication traffic between the client and
the authenticator switch.
 The switch uses EAP and RADIUS to communicate with the authentication server.
 The 802.1X authentication process can be controlled by configuring the authenticator
port with the authentication port-control command. The port can be set to carry out the
authentication process, to provide authorized access, or to be in the unauthorized state.
In the unauthorized state no device will be able to connect to the network.
 802.1X port-based authentication is configured by first globally activating AAA and by
specifying the RADIUS server name, address, and ports. After that the authenticator
interface is configured with 802.1X parameters.

MODULE 14
14.1 LAYER 2 SECURITY THREATS
14.1.2 DESCRIBE LAYER 2 VULNERABILITIES
 The OSI reference model is divided into seven layers which work independently of each
other. As shown in the figure, each layer performs a specific function and has core
elements that can be exploited.

 Network administrators routinely implement security solutions to protect the elements
in Layer 3 up through Layer 7 using VPNs, firewalls, and IPS devices. However, as
shown in the figure below, if Layer 2 is compromised, then all layers above it are also
affected. For example, if an employee or visitor with access to the internal network
could capture Layer 2 frames, then all of the security implemented on the layers above
would be useless. The employee could also wreak havoc on the Layer 2 LAN
networking infrastructure.

14.1.2 SWITCH ATTACK CATEGORIES

 Security is only as strong as the weakest link in the system, and Layer 2 is considered to
be that weakest link. This is because traditionally LANs were under the administrative
control of a single organization. We inherently trusted all persons and devices
connected to our LAN. Today, with BYOD and more sophisticated attacks, our LANs
have become more vulnerable to penetration. Therefore, in addition to protecting Layer
3 to Layer 7, network security professionals must also mitigate attacks to the Layer 2
LAN infrastructure.
 The first step in mitigating attacks on the Layer 2 infrastructure is to understand the
underlying operation of Layer 2 and the threats posed by the Layer 2 infrastructure.
 Attacks against the Layer 2 LAN infrastructure are highlighted in the table.
 Note: The focus of this module is on common Layer 2 attacks.

Type Description
o MAC Table Attacks - Includes MAC table overflow (also called MAC address flooding)
attacks.
o VLAN Attacks - Includes VLAN hopping and VLAN double-tagging attacks. It also
includes attacks between devices on a common VLAN.
o DHCP Attacks - Includes DHCP starvation and DHCP spoofing attacks.
o ARP Attacks - Includes ARP spoofing and ARP poisoning attacks.
o Address Spoofing Attacks - Includes MAC address and IP address spoofing attacks.
o STP Attacks - Includes Spanning Tree Protocol manipulation attacks.

 The table below provides an overview of Cisco solutions that help mitigate Layer 2
attacks.
Topic Title Topic Objective
o Port Security - Port security prevents many types of attacks including MAC table
overflow attacks and DHCP starvation attacks.
o DHCP Snooping - DHCP snooping prevents DHCP starvation and DHCP spoofing attacks
by rogue DHCP servers.
o Dynamic ARP Inspection (DAI) - DAI prevents ARP spoofing and ARP poisoning attacks.
o IP Source Guard (IPSG) - IP Source Guard prevents MAC and IP address spoofing attacks.

 These Layer 2 solutions will not be effective if the management protocols are not
secured. An example would be if attackers can easily telnet into a switch. Syslog,
SNMP, TFTP, telnet, FTP and most other common network management protocols are
insecure. Therefore, the following strategies are recommended:
o Always use secure variants of these protocols such as SSH, SCP, and SSL.
o Consider using out-of-band (OOB) management.
o Use a dedicated management VLAN where nothing but management traffic
resides.
o Use ACLs to filter unwanted access.

14.2 MAC TABLE ATTACKS


14.2.1 SWITCH FUNDAMENTALS

 A switch uses MAC addresses to forward (or discard) frames to other devices on a
network. If a switch just forwarded every frame it received out all ports, your network
would be so congested that it would probably come to a complete halt.
 A Layer 2 Ethernet switch uses Layer 2 MAC addresses to make forwarding decisions.
It is completely unaware of the data (protocol) being carried in the data portion of the
frame, such as an IPv4 packet, an ARP message, or an IPv6 ND packet. The switch
makes its forwarding decisions based solely on the Layer 2 Ethernet MAC addresses.
 An Ethernet switch examines its MAC address table to make a forwarding decision for
each frame, unlike legacy Ethernet hubs that repeat bits out all ports except the
incoming port. In the figure, the four-port switch was just powered on. The table shows
the MAC Address Table which has not yet learned the MAC addresses for the four
attached PCs.
 Note: MAC addresses are shortened throughout this topic for demonstration purposes.

 Note: The MAC address table is sometimes referred to as a content addressable
memory (CAM) table. While the term CAM table is fairly common, for the purposes of
this course, we will refer to it as a MAC address table.
14.2.2 SWITCH LEARNING AND FORWARDING

 The switch dynamically builds the MAC address table by examining the source MAC
address of the frames that are received on a port. The switch forwards frames by
searching for a match between the destination MAC address in the frame and an entry
in the MAC address table.
Learn

 Examine the Source MAC Address
 Every frame that enters a switch is checked for new information to learn. It does this by
examining the source MAC address of the frame and the port number where the frame
entered the switch. If the source MAC address does not exist, it is added to the table
along with the incoming port number. If the source MAC address does exist, the switch
updates the refresh timer for that entry in the table. By default, most Ethernet switches
keep an entry in the table for 5 minutes.
 In the figure for example, PC-A is sending an Ethernet frame to PC-D. The table shows
the switch adds the MAC address for PC-A to the MAC Address Table.
 Note: If the source MAC address does exist in the table but on a different port, the
switch treats this as a new entry. The entry is replaced using the same MAC address but
with the more current port number.
Forward

 Find the Destination MAC Address
 If the destination MAC address is a unicast address, the switch will look for a match
between the destination MAC address of the frame and an entry in its MAC address
table. If the destination MAC address is in the table, it will forward the frame out the
specified port. If the destination MAC address is not in the table, the switch will
forward the frame out all ports except the incoming port. This is called an unknown
unicast.
 As shown in the figure, the switch does not have the destination MAC address in its
table for PC-D, so it sends the frame out all ports except port 1.
 Note: If the destination MAC address is a broadcast or a multicast, the frame is also
flooded out all ports except the incoming port.

14.2.3 FILTERING FRAMES

 As a switch receives frames from different devices, it is able to populate its MAC
address table by examining the source MAC address of every frame. When the MAC
address table of the switch contains the destination MAC address, it is able to filter the
frame and forward out a single port.
PC-D to Switch

 In the figure, PC-D is replying back to PC-A. The switch sees the MAC address of PC-
D in the incoming frame on port 4. The switch then puts the MAC address of PC-D into
the MAC Address Table associated with port 4.
Switch to PC-A

 Next, because the switch has destination MAC address for PC-A in the MAC Address
Table, it will send the frame only out port 1, as shown in the figure.
PC-A to Switch to PC-D

 Next, PC-A sends another frame to PC-D, as shown in the figure. The MAC address
table already contains the MAC address for PC-A; therefore, the five-minute refresh
timer for that entry is reset. Next, because the switch table contains the destination
MAC address for PC-D, it sends the frame only out port 4.

14.2.4 MAC ADDRESS TABLE FLOODING

 All MAC tables have a fixed size and consequently, a switch can run out of resources in
which to store MAC addresses. MAC address flooding attacks take advantage of this
limitation by bombarding the switch with fake source MAC addresses until the switch
MAC address table is full.
 When this occurs, the switch treats the frame as an unknown unicast and begins to flood
all incoming traffic out all ports on the same VLAN without referencing the MAC table.
This condition now allows a threat actor to capture all of the frames sent from one host
to another on the local LAN or local VLAN.
 Note: Traffic is flooded only within the local LAN or VLAN. The threat actor can only
capture traffic within the local LAN or VLAN to which the threat actor is connected.
 The figure shows how a threat actor can easily use the network attack tool macof to
overflow a MAC address table.

 If the threat actor stops macof from running or is discovered and stopped, the switch
eventually ages out the older MAC address entries from the table and begins to act like
a switch again.
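The learning, forwarding, filtering and aging behaviour of 14.2.2 to 14.2.4, and what a fixed-size table does once it is full, is modelled below in Python. This is an added example, not code from the notes. The MAC addresses, the 4-port switch and the table capacity of 4 are constructed for the example (real tables hold thousands of entries), and the 5-minute aging time is the default the notes give.

```python
"""Model of a Layer 2 switch MAC address table (added example, not from the notes).

MAC addresses use the Cisco dotted form ("aaaa.bbbb.cccc"); ports are ints 1..N.
"""
from dataclasses import dataclass, field

DEFAULT_AGING_SECONDS = 300   # most Ethernet switches keep an entry for 5 minutes


@dataclass
class MacTable:
    capacity: int             # fixed size: the limit an overflow attack exhausts
    aging_seconds: int = DEFAULT_AGING_SECONDS
    entries: dict = field(default_factory=dict)   # mac -> (port, last_seen)

    def learn(self, mac: str, port: int, now: float) -> str:
        """Examine a frame's source MAC; return what happened to the table."""
        if mac in self.entries:
            # Known address: refresh its timer. A new port replaces the old one.
            self.entries[mac] = (port, now)
            return "refreshed"
        if len(self.entries) >= self.capacity:
            return "table-full"   # not learned: frames to this host will flood
        self.entries[mac] = (port, now)
        return "learned"

    def age_out(self, now: float) -> int:
        """Drop entries not refreshed within the aging time; return how many."""
        stale = [m for m, (_, seen) in self.entries.items()
                 if now - seen >= self.aging_seconds]
        for mac in stale:
            del self.entries[mac]
        return len(stale)


def is_group_address(mac: str) -> bool:
    """Broadcast and multicast MACs have the I/G bit (LSB of byte 0) set."""
    return int(mac[:2], 16) & 1 == 1


@dataclass
class Switch:
    port_count: int
    table: MacTable

    def forward(self, src: str, dst: str, in_port: int, now: float) -> set:
        """Process one frame; return the set of ports it is sent out of."""
        self.table.age_out(now)
        self.table.learn(src, in_port, now)
        if not is_group_address(dst) and dst in self.table.entries:
            out_port, _ = self.table.entries[dst]
            # Filter: a frame never goes back out of the port it arrived on.
            return set() if out_port == in_port else {out_port}
        # Unknown unicast, broadcast or multicast: flood out every other port.
        return {p for p in range(1, self.port_count + 1) if p != in_port}


def demo() -> dict:
    """Replay the notes' PC-A/PC-D exchange, then show what a full table does."""
    sw = Switch(port_count=4, table=MacTable(capacity=4))
    pc_a, pc_d = "000a.0a0a.0a0a", "000d.0d0d.0d0d"        # constructed hosts
    out = {}
    out["first"] = sw.forward(pc_a, pc_d, in_port=1, now=0)   # unknown: flood
    out["reply"] = sw.forward(pc_d, pc_a, in_port=4, now=1)   # PC-A known: port 1
    out["second"] = sw.forward(pc_a, pc_d, in_port=1, now=2)  # both known: port 4
    # Constructed bogus source addresses arriving on port 3 fill the table.
    bogus = [f"0200.0000.{i:04x}" for i in range(1, 5)]
    out["fills"] = [sw.table.learn(m, 3, now=3) for m in bogus]
    # Once the real hosts age out while the bogus sources keep refreshing,
    # the real hosts cannot be relearned and frames to them flood everywhere.
    later = 2 + DEFAULT_AGING_SECONDS
    for m in bogus:
        sw.forward(m, pc_d, in_port=3, now=later)
    out["aged"] = sw.forward(pc_d, pc_a, in_port=4, now=later)
    out["relearn"] = sw.table.learn(pc_a, 1, now=later)
    return out
```

The last two results are the defender's takeaway: a full table does not corrupt existing entries, it prevents new ones, so the damage appears as soon as a legitimate host's entry ages out and the switch can only flood traffic for it. Port security, covered in 14.3, caps how many source addresses one port may contribute, which is exactly the quantity this model leaves unbounded.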

14.2.5 MAC ADDRESS TABLE ATTACK MITIGATION

 What makes tools such as macof so dangerous is that an attacker can create a MAC
table overflow attack very quickly. For instance, a Catalyst 6500 switch can store
132,000 MAC addresses in its MAC address table. A tool such as macof can flood a
switch with up to 8,000 bogus frames per second; creating a MAC address table
overflow attack in a matter of a few seconds. The example shows a sample output of
the macof command on a Linux host.
# macof -i eth1
36:a1:48:63:81:70 15:26:8d:4d:28:f8 0.0.0.0.26413 > 0.0.0.0.49492:
S 1094191437:1094191437(0) win 512
16:e8:8:0:4d:9c da:4d:bc:7c:ef:be 0.0.0.0.61376 > 0.0.0.0.47523: S
446486755:446486755(0) win 512
18:2a:de:56:38:71 33:af:9b:5:a6:97 0.0.0.0.20086 > 0.0.0.0.6728: S
105051945:105051945(0) win 512
e7:5c:97:42:ec:1 83:73:1a:32:20:93 0.0.0.0.45282 > 0.0.0.0.24898: S
1838062028:1838062028(0) win 512
62:69:d3:1c:79:ef 80:13:35:4:cb:d0 0.0.0.0.11587 > 0.0.0.0.7723: S
1792413296:1792413296(0) win 512
c5:a:b7:3e:3c:7a 3a:ee:c0:23:4a:fe 0.0.0.0.19784 > 0.0.0.0.57433: S
1018924173:1018924173(0) win 512
88:43:ee:51:c7:68 b4:8d:ec:3e:14:bb 0.0.0.0.283 > 0.0.0.0.11466: S
727776406:727776406(0) win 512
b8:7a:7a:2d:2c:ae c2:fa:2d:7d:e7:bf 0.0.0.0.32650 > 0.0.0.0.11324:
S 605528173:605528173(0) win 512
e0:d8:1e:74:1:e 57:98:b6:5a:fa:de 0.0.0.0.36346 > 0.0.0.0.55700: S
2128143986:2128143986(0) win 512

 Another reason why these attack tools are dangerous is because they not only affect the
local switch, they can also affect other connected Layer 2 switches. When the MAC
address table of a switch is full, it starts flooding out all ports including those connected
to other Layer 2 switches.
 To mitigate MAC address table overflow attacks, network administrators must
implement port security. Port security will only allow a specified number of source
MAC addresses to be learned on the port. Port security is further discussed later in this
module.

14.3 MITIGATE MAC TABLE ATTACKS


14.3.1 SECURE UNUSED PORTS

 Layer 2 devices are considered to be the weakest link in a company’s security
infrastructure. Layer 2 attacks are some of the easiest for hackers to deploy but these
threats can also be mitigated with some common Layer 2 solutions.
 All switch ports (interfaces) should be secured before the switch is deployed for
production use. How a port is secured depends on its function.
 A simple method that many administrators use to help secure the network from
unauthorized access is to disable all unused ports on a switch. For example, if a Catalyst
2960 switch has 24 ports and there are three Fast Ethernet connections in use, it is good
practice to disable the 21 unused ports. Navigate to each unused port and issue the
Cisco IOS shutdown command. If a port must be reactivated at a later time, it can be
enabled with the no shutdown command.
 To configure a range of ports, use the interface range command.
Switch(config)# interface range type module/first-number - last-number
 For example, to shutdown ports for Fa0/8 through Fa0/24 on S1, you would enter the
following command.
S1(config)# interface range fa0/8 - 24
S1(config-if-range)# shutdown
%LINK-5-CHANGED: Interface FastEthernet0/8, changed state to
administratively down
(output omitted)
%LINK-5-CHANGED: Interface FastEthernet0/24, changed state to
administratively down
S1(config-if-range)#

14.3.2 MITIGATE MAC ADDRESS TABLE ATTACKS

 The simplest and most effective method to prevent MAC address table overflow attacks
is to enable port security.
 Port security limits the number of valid MAC addresses allowed on a port. It allows an
administrator to manually configure MAC addresses for a port or to permit the switch to
dynamically learn a limited number of MAC addresses. When a port that is configured
with port security receives a frame, the source MAC address of the frame is compared
to the list of secure source MAC addresses that were manually configured or
dynamically learned on the port.
 By limiting the number of permitted MAC addresses on a port to one, port security can
be used to control unauthorized access to the network, as shown in the figure.

14.3.3 ENABLE PORT SECURITY

 Notice in the example, the switchport port-security command was rejected. This is
because port security can only be configured on manually configured access ports or
manually configured trunk ports. By default, Layer 2 switch ports are set to dynamic
auto (trunking on). Therefore, in the example, the port is configured with
the switchport mode access interface configuration command.
 Note: Trunk port security is beyond the scope of this course.
S1(config)# interface f0/1
S1(config-if)# switchport port-security
Command rejected: FastEthernet0/1 is a dynamic port.
S1(config-if)# switchport mode access
S1(config-if)# switchport port-security
S1(config-if)# end
S1#

 Use the show port-security interface command to display the current port security
settings for FastEthernet 0/1, as shown in the example below. Notice that port security
is enabled, and the port status is Secure-down, which means there are no devices
attached and no violation has occurred. Also, the violation mode is Shutdown, and the
maximum number of MAC addresses allowed is 1. If a device is connected to the port,
the switch port status would display Secure-up and the switch will automatically add the
device’s MAC address as a secure MAC. In this example, no device is connected to the
port.
S1# show port-security interface f0/1
Port Security : Enabled
Port Status : Secure-down
Violation Mode : Shutdown
Aging Time : 0 mins
Aging Type : Absolute
SecureStatic Address Aging : Disabled
Maximum MAC Addresses : 1
Total MAC Addresses : 0
Configured MAC Addresses : 0
Sticky MAC Addresses : 0
Last Source Address:Vlan : 0000.0000.0000:0
Security Violation Count : 0
S1#

 Note: If an active port is configured with the switchport port-security command and
more than one device is connected to that port, the port will transition to the error-
disabled state. This condition is discussed later in this topic.
 After port security is enabled, other port security specifics can be configured, as shown
in the example.
S1(config-if)# switchport port-security ?
aging Port-security aging commands
mac-address Secure mac address
maximum Max secure addresses
violation Security violation mode
S1(config-if)# switchport port-security

14.3.4 LIMIT AND LEARN MAC ADDRESSES

 To set the maximum number of MAC addresses allowed on a port, use the following
command:

Switch(config-if)# switchport port-security maximum value

 The default port security value is 1. The maximum number of secure MAC addresses
that can be configured depends on the switch and the IOS. In this example, the
maximum is 8192.
S1(config)# interface f0/1
S1(config-if)# switchport port-security maximum ?
<1-8192> Maximum addresses
S1(config-if)# switchport port-security maximum

 The switch can be configured to learn about MAC addresses on a secure port in one of
three ways:
1. Manually Configured

 The administrator manually configures one or more static MAC addresses by using the
following command once for each secure MAC address on the port:

Switch(config-if)# switchport port-security mac-address mac-address

2. Dynamically Learned

 When the switchport port-security command is entered, the current source MAC for
the device connected to the port is automatically secured but is not added to the startup
configuration. If the switch is rebooted, the port will have to re-learn the device’s MAC
address.
3. Dynamically Learned – Sticky

 The administrator can enable the switch to dynamically learn the MAC address and
“stick” them to the running configuration by using the following command:
Switch(config-if)# switchport port-security mac-address sticky

 Saving the running configuration will commit the dynamically learned MAC address to
NVRAM.
 The following example demonstrates a complete port security configuration for
FastEthernet 0/1 with a host connected to port Fa0/1. The administrator specifies a
maximum of 2 MAC addresses, manually configures one secure MAC address, and
then configures the port to dynamically learn additional secure MAC addresses up to
the 2 secure MAC address maximum. Use the show port-security interface and
the show port-security address command to verify the configuration.
*Mar 1 00:12:38.179: %LINK-3-UPDOWN: Interface FastEthernet0/1,
changed state to up
*Mar 1 00:12:39.194: %LINEPROTO-5-UPDOWN: Line protocol on
Interface FastEthernet0/1, changed state to up
S1#conf t
Enter configuration commands, one per line. End with CNTL/Z.
S1(config)#
S1(config)# interface fa0/1
S1(config-if)# switchport mode access
S1(config-if)# switchport port-security
S1(config-if)# switchport port-security maximum 2
S1(config-if)# switchport port-security mac-address aaaa.bbbb.1234
S1(config-if)# switchport port-security mac-address sticky
S1(config-if)# end
S1# show port-security interface fa0/1
Port Security : Enabled
Port Status : Secure-up
Violation Mode : Shutdown
Aging Time : 0 mins
Aging Type : Absolute
SecureStatic Address Aging : Disabled
Maximum MAC Addresses : 2
Total MAC Addresses : 2
Configured MAC Addresses : 1
Sticky MAC Addresses : 1
Last Source Address:Vlan : a41f.7272.676a:1
Security Violation Count : 0
S1# show port-security address
Secure Mac Address Table
-----------------------------------------------------------------------------
Vlan    Mac Address       Type                          Ports   Remaining Age
                                                                   (mins)
----    -----------       ----                          -----   -------------
   1    a41f.7272.676a    SecureSticky                  Fa0/1        -
   1    aaaa.bbbb.1234    SecureConfigured              Fa0/1        -
-----------------------------------------------------------------------------
Total Addresses in System (excluding one mac per port)     : 1
Max Addresses limit in System (excluding one mac per port) : 8192
S1#

 The output of the show port-security interface command verifies that port security is
enabled, there is a host connected to the port (i.e., Secure-up), a total of 2 MAC
addresses will be allowed, and S1 has learned one MAC address statically and one
MAC address dynamically (i.e., sticky).
 The output of the show port-security address command lists the two learned MAC
addresses.

14.3.5 PORT SECURITY AGING

 Port security aging can be used to set the aging time for static and dynamic secure
addresses on a port. Two types of aging are supported per port:
o Absolute - The secure addresses on the port are deleted after the specified
aging time.
o Inactivity - The secure addresses on the port are deleted only if they are
inactive for the specified aging time.
 Use aging to remove secure MAC addresses on a secure port without manually deleting
the existing secure MAC addresses. Aging time limits can also be increased to ensure
past secure MAC addresses remain, even while new MAC addresses are added. Aging
of statically configured secure addresses can be enabled or disabled on a per-port basis.
 Use the switchport port-security aging command to enable or disable static aging for
the secure port, or to set the aging time or type.
Switch(config-if)# switchport port-security aging { static | time time | type {absolute | inactivity}}
Parameter Description
o static - Enable aging for statically configured secure addresses on this port.
o time time - Specify the aging time for this port. The range is 0 to 1440 minutes. If
the time is 0, aging is disabled for this port.
o type absolute - Set the absolute aging time. All the secure addresses on this port
age out exactly after the time (in minutes) specified and are removed from the secure
address list.
o type inactivity - Set the inactivity aging type. The secure addresses on this port
age out only if there is no data traffic from the secure source address for the
specified time period.

 Note: MAC addresses are shown as 24 bits for simplicity.
 The example shows an administrator configuring the aging type to 10 minutes of
inactivity and then using the show port-security interface command to verify the
configuration.
S1(config)# interface fa0/1
S1(config-if)# switchport port-security aging time 10
S1(config-if)# switchport port-security aging type inactivity
S1(config-if)# end
S1# show port-security interface fa0/1
Port Security : Enabled
Port Status : Secure-up
Violation Mode : Shutdown
Aging Time : 10 mins
Aging Type : Inactivity
SecureStatic Address Aging : Disabled
Maximum MAC Addresses : 2
Total MAC Addresses : 2
Configured MAC Addresses : 1
Sticky MAC Addresses : 1
Last Source Address:Vlan : a41f.7272.676a:1
Security Violation Count : 0
S1#

14.3.6 PORT SECURITY VIOLATION MODES

 If the MAC address of a device that is attached to the port differs from the list of secure
addresses, then a port violation occurs. By default, the port enters the error-disabled
state.
 To set the port security violation mode, use the following command:
Switch(config-if)# switchport port-security violation { protect | restrict | shutdown}

 The following table describes the different switch modes.
Mode Description
o shutdown (default) - The port transitions to the error-disabled state immediately,
turns off the port LED, and sends a syslog message. It increments the violation
counter. When a secure port is in the error-disabled state, an administrator must
re-enable it by entering the shutdown and no shutdown commands.
o restrict - The port drops packets with unknown source addresses until you remove a
sufficient number of secure MAC addresses to drop below the maximum value or
increase the maximum value. This mode causes the Security Violation counter to
increment and generates a syslog message.
o protect - This is the least secure of the security violation modes. The port drops
packets with unknown MAC source addresses until you remove a sufficient number of
secure MAC addresses to drop below the maximum value or increase the maximum value.
No syslog message is sent.

 The following table shows how a switch reacts based on the configured violation mode.

Violation Mode   Discards Offending Traffic   Sends Syslog Message   Increases Violation Counter   Shuts Down Port
Protect          Yes                          No                     No                            No
Restrict         Yes                          Yes                    Yes                           No
Shutdown         Yes                          Yes                    Yes                           Yes

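The per-port decision that 14.3.4 (maximum, static, dynamic and sticky addresses), 14.3.5 (absolute and inactivity aging) and 14.3.6 (the three violation modes) describe is written out below as one Python class, so the table above can be checked against running code. This is an added example, not code from the notes or from Cisco IOS. It uses the IOS defaults the notes state (maximum 1, violation shutdown, aging disabled, aging type absolute); the syslog texts are copied from the console output in 14.3.7; the MAC addresses other than the notes' own are constructed, and the name "SecureDynamic" for a non-sticky learned entry is an assumption.

```python
"""Model of Cisco port security on one access port (added example, not from the notes).

MACs use the dotted form; 'now' is in minutes so aging can be exercised directly.
"""
from dataclasses import dataclass, field

PROTECT, RESTRICT, SHUTDOWN = "protect", "restrict", "shutdown"


@dataclass
class Verdict:
    """What the port did with one frame: the four columns of the notes' table."""
    forwarded: bool
    syslog: bool
    counted: bool
    err_disabled: bool


@dataclass
class SecurePort:
    name: str
    maximum: int = 1               # 'switchport port-security maximum'
    violation: str = SHUTDOWN      # 'switchport port-security violation'
    sticky: bool = False           # 'switchport port-security mac-address sticky'
    aging_time: int = 0            # minutes; 0 disables aging
    aging_type: str = "absolute"   # "absolute" or "inactivity"
    aging_static: bool = False     # 'switchport port-security aging static'
    secure: dict = field(default_factory=dict)   # mac -> {"type","added","seen"}
    violation_count: int = 0
    err_disabled: bool = False
    log: list = field(default_factory=list)

    def add_static(self, mac: str, now: int = 0) -> None:
        """'switchport port-security mac-address <mac>'."""
        if mac not in self.secure and len(self.secure) >= self.maximum:
            raise ValueError("secure address limit reached")
        self.secure[mac] = {"type": "SecureConfigured", "added": now, "seen": now}

    def _age(self, now: int) -> None:
        if self.aging_time == 0:
            return
        for mac, entry in list(self.secure.items()):
            if entry["type"] == "SecureConfigured" and not self.aging_static:
                continue   # static entries age only when 'aging static' is set
            start = entry["added"] if self.aging_type == "absolute" else entry["seen"]
            if now - start >= self.aging_time:
                del self.secure[mac]

    def receive(self, src: str, now: int = 0) -> Verdict:
        """Apply port security to one inbound frame whose source MAC is 'src'."""
        if self.err_disabled:
            return Verdict(False, False, False, True)   # nothing passes until re-enabled
        self._age(now)
        entry = self.secure.get(src)
        if entry is not None:
            entry["seen"] = now                          # feeds inactivity aging
            return Verdict(True, False, False, False)
        if len(self.secure) < self.maximum:
            kind = "SecureSticky" if self.sticky else "SecureDynamic"   # assumed name
            self.secure[src] = {"type": kind, "added": now, "seen": now}
            return Verdict(True, False, False, False)
        # Unknown source with the limit already reached: a violation. All modes discard.
        if self.violation == PROTECT:
            return Verdict(False, False, False, False)
        self.violation_count += 1
        self.log.append(f"%PORT_SECURITY-2-PSECURE_VIOLATION: Security violation "
                        f"occurred, caused by MAC address {src} on port {self.name}.")
        if self.violation == RESTRICT:
            return Verdict(False, True, True, False)
        self.err_disabled = True
        self.log.append(f"%PM-4-ERR_DISABLE: psecure-violation error detected on "
                        f"{self.name}, putting {self.name} in err-disable state")
        return Verdict(False, True, True, True)

    def shutdown_no_shutdown(self) -> None:
        """Administrator recovery: 'shutdown' then 'no shutdown' clears err-disabled."""
        self.err_disabled = False


def replay_notes_scenario() -> dict:
    """Fa0/1 as configured in 14.3.4, then the unknown host from 14.3.7 plugs in."""
    port = SecurePort("FastEthernet0/1", maximum=2, sticky=True)
    port.add_static("aaaa.bbbb.1234")
    first = port.receive("a41f.7272.676a")
    intruder = port.receive("a41f.7273.018c")
    return {"first_forwarded": first.forwarded,
            "types": sorted(e["type"] for e in port.secure.values()),
            "intruder": intruder, "count": port.violation_count, "log": port.log}
```

Using protect on a user-facing port is a detection choice as much as a security one: the frame is still dropped, but with no counter and no syslog the event is invisible to monitoring, which is why the notes call it the least secure mode.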
 The following example shows an administrator changing the security violation to
“restrict”. The output of the show port-security interface command confirms that the
change has been made.
S1(config)# interface f0/1
S1(config-if)# switchport port-security violation restrict
S1(config-if)# end
S1#
S1# show port-security interface f0/1
Port Security : Enabled
Port Status : Secure-up
Violation Mode : Restrict
Aging Time : 10 mins
Aging Type : Inactivity
SecureStatic Address Aging : Disabled
Maximum MAC Addresses : 2
Total MAC Addresses : 2
Configured MAC Addresses : 1
Sticky MAC Addresses : 1
Last Source Address:Vlan : a41f.7272.676a:1
Security Violation Count : 0
S1#
14.3.7 PORT IN ERROR-DISABLED STATE

 What happens when the port security violation is shutdown and a port violation occurs?
The port is physically shutdown and placed in the error-disabled state, and no traffic is
sent or received on that port.
 In the example, the port security violation is changed back to the default shutdown
setting. Then the host with MAC address a41f.7272.676a is disconnected and a new
host is plugged into Fa0/1.
 Notice that a series of port security related messages are generated on the console.
S1(config)# int fa0/1
S1(config-if)# switchport port-security violation shutdown
S1(config-if)# end
S1#
*Mar 1 00:24:15.599: %LINEPROTO-5-UPDOWN: Line protocol on
Interface FastEthernet0/1, changed state to down
*Mar 1 00:24:16.606: %LINK-3-UPDOWN: Interface FastEthernet0/1,
changed state to down
*Mar 1 00:24:19.114: %LINK-3-UPDOWN: Interface FastEthernet0/1,
changed state to up
*Mar 1 00:24:20.121: %LINEPROTO-5-UPDOWN: Line protocol on
Interface FastEthernet0/1, changed state to up
S1#
*Mar 1 00:24:32.829: %PM-4-ERR_DISABLE: psecure-violation error
detected on Fa0/1, putting Fa0/1 in err-disable state
*Mar 1 00:24:32.838: %PORT_SECURITY-2-PSECURE_VIOLATION: Security
violation occurred, caused by MAC address a41f.7273.018c on port
FastEthernet0/1.
*Mar 1 00:24:33.836: %LINEPROTO-5-UPDOWN: Line protocol on
Interface FastEthernet0/1, changed state to down
*Mar 1 00:24:34.843: %LINK-3-UPDOWN: Interface FastEthernet0/1,
changed state to down
S1#

 Note: The port protocol and link status are changed to down and the port LED is turned
off.
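The two console messages above are what a monitoring system has to work from when a violation happens, so the following Python helper parses them out of a syslog feed and summarises violations per port. This is an added example, not code from the notes. The Fa0/1 lines in the sample are the ones shown above; the Fa0/7 lines are constructed for the example, and the "burst" threshold of three distinct offending MACs is an assumed tuning value.

```python
"""Summarise port-security events from switch syslog text (added example)."""
import re
from collections import defaultdict

# Message formats as they appear in the console output of this section.
VIOLATION_RE = re.compile(
    r"%PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, "
    r"caused by MAC address (?P<mac>[0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4}) "
    r"on port (?P<port>\S+)\.")
ERRDISABLE_RE = re.compile(
    r"%PM-4-ERR_DISABLE: psecure-violation error detected on (?P<port>\S+),")

# Constructed sample: the Fa0/1 lines are from the notes, the Fa0/7 lines are made up.
SAMPLE_LOG = """\
*Mar 1 00:24:32.829: %PM-4-ERR_DISABLE: psecure-violation error detected on Fa0/1, putting Fa0/1 in err-disable state
*Mar 1 00:24:32.838: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address a41f.7273.018c on port FastEthernet0/1.
*Mar 1 00:24:33.836: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/1, changed state to down
*Mar 1 00:31:02.110: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address 0200.1234.5678 on port FastEthernet0/7.
*Mar 1 00:31:09.440: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address 0200.1234.5679 on port FastEthernet0/7.
*Mar 1 00:31:15.902: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address 0200.1234.567a on port FastEthernet0/7.
"""


def short_name(port: str) -> str:
    """IOS names the same port 'FastEthernet0/1' in one message and 'Fa0/1' in another."""
    return port.replace("FastEthernet", "Fa").replace("GigabitEthernet", "Gi")


def summarize(log_text: str, burst_threshold: int = 3) -> dict:
    """Return, per port: offending MACs, whether it was err-disabled, and a burst flag.

    One violation with err-disable is the 'wrong device plugged in' case from the
    notes. Many distinct offending MACs on a port that stays up (restrict mode logs
    each one) is the signature of a MAC flooding attempt and deserves a closer look.
    """
    ports = defaultdict(lambda: {"macs": [], "err_disabled": False})
    for line in log_text.splitlines():
        m = VIOLATION_RE.search(line)
        if m:
            ports[short_name(m["port"])]["macs"].append(m["mac"])
            continue
        m = ERRDISABLE_RE.search(line)
        if m:
            ports[short_name(m["port"])]["err_disabled"] = True
    for info in ports.values():
        info["distinct_macs"] = len(set(info["macs"]))
        info["burst"] = info["distinct_macs"] >= burst_threshold
    return dict(ports)
```

The port-name normalisation matters in practice: without it the err-disable message and the violation message for the same port land under two different keys and the summary undercounts.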
 In the example, the show interface command identifies the port status as err-disabled.
The output of the show port-security interface command now shows the port status as
Secure-shutdown instead of Secure-up. The Security Violation counter increments by 1.
S1# show interface fa0/1 | include down
FastEthernet0/18 is down, line protocol is down (err-disabled)
(output omitted)
S1# show port-security interface fa0/1
Port Security : Enabled
Port Status : Secure-shutdown
Violation Mode : Shutdown
Aging Time : 10 mins
Aging Type : Inactivity
SecureStatic Address Aging : Disabled
Maximum MAC Addresses : 2
Total MAC Addresses : 2
Configured MAC Addresses : 1
Sticky MAC Addresses : 1
Last Source Address:Vlan : a41f.7273.018c:1
Security Violation Count : 1
S1#

 The administrator should determine what caused the security violation. If an
unauthorized device is connected to a secure port, the security threat is eliminated
before re-enabling the port.
 In the next example, the first host is reconnected to Fa0/1. To re-enable the port, first
use the shutdown command, then, use the no shutdown command to make the port
operational, as shown in the example.
S1(config)# interface fa0/1
S1(config-if)# shutdown
S1(config-if)#
*Mar 1 00:39:54.981: %LINK-5-CHANGED: Interface FastEthernet0/1, changed state to administratively down
S1(config-if)# no shutdown
S1(config-if)#
*Mar 1 00:40:04.275: %LINK-3-UPDOWN: Interface FastEthernet0/1, changed state to up
*Mar 1 00:40:05.282: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/1, changed state to up
S1(config-if)#

14.3.8 VERIFY PORT SECURITY

 After configuring port security on a switch, check each interface to verify that the port
security is set correctly, and check to ensure that the static MAC addresses have been
configured correctly.
Port Security for All Interfaces

 To display port security settings for the switch, use the show port-security command.
The example indicates that only one port is configured with the switchport port-security
command.
S1# show port-security
Secure Port  MaxSecureAddr  CurrentAddr  SecurityViolation  Security Action
                (Count)       (Count)          (Count)
---------------------------------------------------------------------------
      Fa0/1              2            2                  0         Shutdown
---------------------------------------------------------------------------
Total Addresses in System (excluding one mac per port)     : 1
Max Addresses limit in System (excluding one mac per port) : 8192
S1#

Port Security for a Specific Interface

 Use the show port-security interface command to view details for a specific interface,
as shown previously and in this example.
S1# show port-security interface fastethernet 0/1
Port Security : Enabled
Port Status : Secure-up
Violation Mode : Shutdown
Aging Time : 10 mins
Aging Type : Inactivity
SecureStatic Address Aging : Disabled
Maximum MAC Addresses : 2
Total MAC Addresses : 2
Configured MAC Addresses : 1
Sticky MAC Addresses : 1
Last Source Address:Vlan : a41f.7273.018c:1
Security Violation Count : 0
S1#

Verify Learned MAC Addresses

 To verify that MAC addresses are “sticking” to the configuration, use the show
run command as shown in the example for FastEthernet 0/19.
S1# show run interface fa0/1
Building configuration...

Current configuration : 365 bytes

!
interface FastEthernet0/1
switchport mode access
switchport port-security maximum 2
switchport port-security mac-address sticky
switchport port-security mac-address sticky a41f.7272.676a
switchport port-security mac-address aaaa.bbbb.1234
switchport port-security aging time 10
switchport port-security aging type inactivity
switchport port-security
end

S1#

Verify Secure MAC Addresses

 To display all secure MAC addresses that are manually configured or dynamically
learned on all switch interfaces, use the show port-security address command as
shown in the example.
S1# show port-security address
               Secure Mac Address Table
-----------------------------------------------------------------------------
Vlan    Mac Address       Type                    Ports    Remaining Age
                                                              (mins)
----    -----------       ----                    -----    -------------
   1    a41f.7272.676a    SecureSticky            Fa0/1         -
   1    aaaa.bbbb.1234    SecureConfigured        Fa0/1         -
-----------------------------------------------------------------------------
Total Addresses in System (excluding one mac per port)     : 1
Max Addresses limit in System (excluding one mac per port) : 8192
S1#

14.3.10 SNMP MAC ADDRESS NOTIFICATION

 Network managers need a way of monitoring who is using the network and what their
location is. For example, if port Fa0/1 is secure on a switch, an SNMP trap is generated
when a MAC address entry for that port disappears from the MAC table.
 The MAC address notification feature sends SNMP traps to the network management
station (NMS) whenever a new MAC address is added to, or an old address is deleted
from, the forwarding tables. MAC address notifications are generated only for dynamic
and secure MAC addresses.
 MAC address notification allows the network administrator to monitor MAC addresses
that are learned, as well as MAC addresses that age out and are removed from the
switch. For example, in the figure, the laptop with MAC C has disconnected from the
network. The switch will eventually timeout port Fa0/3 and send an SNMP trap
notification to the NMS Server.
 Use the mac address-table notification global configuration command to enable the
MAC address notification feature on a switch.

14.4 MITIGATE VLAN ATTACKS


14.4.1 VLAN HOPPING ATTACKS

 VLANs are used to create separate broadcast domains on switches. Endpoints that are
located in one VLAN are unable to communicate with endpoints that are on another
VLAN unless permitted to do so by a router or Layer 3 switch. VLANs can be used to
separate sensitive content from other network traffic. For example, a guest VLAN may
be created for guests to an organization. Those guests should not have access to
sensitive corporate content that is carried on other VLANs. VLAN attacks can
circumvent the intention of a VLAN design by allowing unauthorized users access to
VLANs that they should not be able access. Two types of VLAN attacks are VLAN
hopping attacks and VLAN double-tagging attacks.
 A VLAN hopping attack enables traffic from one VLAN to be seen by another VLAN
without the aid of a router. In a basic VLAN hopping attack, the threat actor configures
a host to act like a switch to take advantage of the automatic trunking port feature
enabled by default on most switch ports.
 The threat actor configures the host to spoof 802.1Q signaling and Cisco-proprietary
Dynamic Trunking Protocol (DTP) signaling to trunk with the connecting switch. If
successful, the switch establishes a trunk link with the host, as shown in the figure. Now
the threat actor can access all the VLANs on the switch. The threat actor can send and
receive traffic on any VLAN, effectively hopping between VLANs.

14.4.2 VLAN DOUBLE-TAGGING ATTACK

 A threat actor in specific situations could embed a hidden 802.1Q tag inside the frame
that already has an 802.1Q tag. This tag allows the frame to go to a VLAN that the
original 802.1Q tag did not specify.
Step 1

 The threat actor sends a double-tagged 802.1Q frame to the switch. The outer header
has the VLAN tag of the threat actor, which is the same as the native VLAN of the
trunk port. For the purposes of this example, assume that this is VLAN 10. The inner
tag is the victim VLAN, in this example, VLAN 20.
Step 2

 The frame arrives on the first switch, which looks at the first 4-byte 802.1Q tag. The
switch sees that the frame is destined for VLAN 10, which is the native VLAN. The
switch forwards the packet out all VLAN 10 ports after stripping the VLAN 10 tag. The
frame is not retagged because it is part of the native VLAN. At this point, the VLAN 20
tag is still intact and has not been inspected by the first switch.
Step 3

 The frame arrives at the second switch which has no knowledge that it was supposed to
be for VLAN 10. Native VLAN traffic is not tagged by the sending switch as specified
in the 802.1Q specification. The second switch looks only at the inner 802.1Q tag that
the threat actor inserted and sees that the frame is destined for VLAN 20, the target
VLAN. The second switch sends the frame on to the target or floods it, depending on
whether there is an existing MAC address table entry for the target.
The steps are complete — back to our regularly scheduled programming…

 A VLAN double-tagging attack is unidirectional and works only when the attacker is
connected to a port residing in the same VLAN as the native VLAN of the trunk port.
The idea is that double tagging allows the attacker to send data to hosts or servers on a
VLAN that otherwise would be blocked by some type of access control configuration.
Presumably the return traffic will also be permitted, thus giving the attacker the ability
to communicate with devices on the normally blocked VLAN.
VLAN Attack Mitigation

 VLAN hopping and VLAN double-tagging attacks can be prevented by implementing
the following trunk security guidelines, as discussed in a previous module:
o Disable trunking on all access ports.
o Disable auto trunking on trunk links so that trunks must be manually enabled.
o Be sure that the native VLAN is only used for trunk links.
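To see why the third guideline matters, here is an added Python model of Steps 1 to 3 above (my own code, not the course's). It encodes stacked 802.1Q tags, applies the rule that a switch sends native-VLAN frames out a trunk untagged, and lets the receiving switch classify the frame by its first tag. With the native VLAN equal to the sender's VLAN the inner tag is exposed on the trunk; with the native VLAN moved to an unused VLAN (999, as in the configuration later in this module) the outer tag stays on and the inner tag is never looked at. MAC addresses and function names are my own.

```python
import struct

TPID_8021Q = 0x8100


def mac_bytes(text):
    """'aaaa.bbbb.cccc' (Cisco notation) or 'aa:bb:...' -> 6 raw bytes."""
    return bytes.fromhex(text.replace(".", "").replace(":", ""))


def build_frame(dst, src, vlans, ethertype=0x0800, payload=b""):
    """Encode an Ethernet frame carrying zero or more stacked 802.1Q tags.
    vlans lists the VIDs outermost first; PCP/DEI bits are left at zero."""
    hdr = mac_bytes(dst) + mac_bytes(src)
    for vid in vlans:
        hdr += struct.pack("!HH", TPID_8021Q, vid & 0x0FFF)
    return hdr + struct.pack("!H", ethertype) + payload


def parse_tags(frame):
    """Return (VIDs outermost first, byte offset of the EtherType)."""
    vids, off = [], 12
    while struct.unpack_from("!H", frame, off)[0] == TPID_8021Q:
        tci = struct.unpack_from("!H", frame, off + 2)[0]
        vids.append(tci & 0x0FFF)
        off += 4
    return vids, off


def trunk_egress(frame, native_vlan):
    """Step 2: the first switch does not tag native-VLAN traffic on the
    trunk, so an outer tag equal to the native VLAN is stripped. Anything
    after it (including a second tag) is carried along as payload."""
    vids, _ = parse_tags(frame)
    if vids and vids[0] == native_vlan:
        return frame[:12] + frame[16:]      # drop the 4-byte outer tag
    return frame


def trunk_ingress_vlan(frame, native_vlan):
    """Step 3: the second switch classifies the frame by its first tag, or
    by the trunk's native VLAN when it arrives untagged."""
    vids, _ = parse_tags(frame)
    return vids[0] if vids else native_vlan


def delivered_vlan(frame, native_vlan):
    """VLAN in which the second switch delivers a frame that crossed the
    trunk between two switches sharing this native VLAN."""
    return trunk_ingress_vlan(trunk_egress(frame, native_vlan), native_vlan)


if __name__ == "__main__":
    # Constructed frame: sender sits in VLAN 10, inner tag names VLAN 20.
    f = build_frame("ffff.ffff.ffff", "aaaa.bbbb.cccc", [10, 20], payload=b"x")
    print("native VLAN 10 ->", delivered_vlan(f, 10))    # 20: leaks across VLANs
    print("native VLAN 999 ->", delivered_vlan(f, 999))  # 10: stays where it belongs
```

The model is deliberately simplified to the textbook description: it ignores that some platforms tag native traffic (vlan dot1q tag native), which is another valid mitigation, and it does not model MAC learning or flooding.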

14.4.3 MITIGATING VLAN HOPPING ATTACKS

 Use the following steps to mitigate VLAN hopping attacks:
o Step 1: Disable DTP (auto trunking) negotiations on non-trunking ports by
using the switchport mode access interface configuration command.
o Step 2: Disable unused ports and put them in an unused VLAN. In the example
it is VLAN 1000.
o Step 3: Manually enable the trunk link on a trunking port by using the
switchport mode trunk command.
o Step 4: Disable DTP (auto trunking) negotiations on trunking ports by using the
switchport nonegotiate command.
o Step 5: Set the native VLAN to a VLAN other than VLAN 1 by using the
switchport trunk native vlan vlan_number command.
 For example, assume the following:
o FastEthernet ports 0/1 through 0/16 are active access ports.
o FastEthernet ports 0/17 through 0/20 are not currently in use.
o FastEthernet ports 0/21 through 0/24 are trunk ports.
 VLAN hopping can be mitigated by implementing the following configuration.
S1(config)# interface range fa0/1 - 16
S1(config-if-range)# switchport mode access
S1(config-if-range)# exit
S1(config)#
S1(config)# interface range fa0/17 - 20
S1(config-if-range)# switchport mode access
S1(config-if-range)# switchport access vlan 1000
S1(config-if-range)# shutdown
S1(config-if-range)# exit
S1(config)#
S1(config)# interface range fa0/21 - 24
S1(config-if-range)# switchport mode trunk
S1(config-if-range)# switchport nonegotiate
S1(config-if-range)# switchport trunk native vlan 999
S1(config-if-range)# end
S1#

 FastEthernet ports 0/1 to 0/16 are access ports and therefore trunking is disabled by
explicitly making them access ports.
 FastEthernet ports 0/17 to 0/20 are unused ports and are disabled and assigned to an
unused VLAN.
 FastEthernet ports 0/21 to 0/24 are trunk links and are manually enabled as trunks with
DTP disabled. The native VLAN is also changed from the default VLAN 1 to VLAN
999.
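A quick way to check that an existing switch follows steps 1, 3, 4 and 5 is to audit its running-config. The following Python script is an added example (not from the course) that splits a constructed running-config excerpt into interface blocks and reports ports that still negotiate DTP, trunks without switchport nonegotiate, and trunks left on native VLAN 1. Step 2 is not checked because the configuration alone does not say which ports are unused. The sample config and function names are my own.

```python
# Constructed running-config excerpt used as audit input (not S1 above).
SAMPLE_CONFIG = """\
interface FastEthernet0/1
 switchport mode access
!
interface FastEthernet0/2
 description left at the factory default (dynamic auto)
!
interface FastEthernet0/17
 switchport mode access
 switchport access vlan 1000
 shutdown
!
interface FastEthernet0/21
 switchport mode trunk
 switchport nonegotiate
 switchport trunk native vlan 999
!
interface FastEthernet0/22
 switchport mode trunk
!
"""


def parse_interfaces(config_text):
    """Split an IOS running-config into {interface name: [config lines]}."""
    interfaces, current = {}, None
    for raw in config_text.splitlines():
        line = raw.strip()
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            interfaces[current] = []
        elif line == "!":
            current = None
        elif current is not None and line:
            interfaces[current].append(line)
    return interfaces


def audit_vlan_hopping(config_text):
    """Return {interface: [finding, ...]} for ports that do not follow
    steps 1, 3, 4 and 5 above."""
    findings = {}
    for name, lines in parse_interfaces(config_text).items():
        issues = []
        mode = next((l[len("switchport mode "):] for l in lines
                     if l.startswith("switchport mode ")), None)
        # No explicit mode (or a dynamic one) means DTP is still negotiating.
        if mode is None or mode.startswith("dynamic"):
            issues.append("DTP negotiation active: set 'switchport mode access' "
                          "or 'switchport mode trunk' (steps 1 and 3)")
        elif mode == "trunk":
            if "switchport nonegotiate" not in lines:
                issues.append("trunk still negotiates DTP: add "
                              "'switchport nonegotiate' (step 4)")
            native = next((int(l.split()[-1]) for l in lines
                           if l.startswith("switchport trunk native vlan ")), 1)
            if native == 1:
                issues.append("trunk uses native VLAN 1: set "
                              "'switchport trunk native vlan <n>' (step 5)")
        if issues:
            findings[name] = issues
    return findings


if __name__ == "__main__":
    for port, issues in audit_vlan_hopping(SAMPLE_CONFIG).items():
        for issue in issues:
            print(f"{port}: {issue}")
```

Because IOS does not print default settings in show running-config, the absence of a switchport mode line is itself the finding: the port is still in its default dynamic state.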

14.4.5 PRIVATE VLANS

 VLANs are broadcast domains. However, in some situations, it may be useful to break this
rule and allow only the minimum required L2 connectivity within the VLAN.
 Private VLANs (PVLAN) provide Layer 2 isolation between ports within the same
broadcast domain. There are three types of PVLAN ports:
 Promiscuous - A promiscuous port can talk to everyone. It can communicate with all
interfaces, including the isolated and community ports within a PVLAN.
 Isolated - An isolated port can only talk to promiscuous ports. An isolated port has
complete Layer 2 separation from the other ports within the same PVLAN, but not from
the promiscuous ports. PVLANs block all traffic to isolated ports except traffic from
promiscuous ports. Traffic from an isolated port is forwarded only to promiscuous
ports.
 Community - Community ports can talk to other community and promiscuous ports.
These interfaces are separated at Layer 2 from all other interfaces in other communities
or isolated ports within their PVLAN.
 The example in the figure illustrates which ports can interconnect. The security
provided by a PVLAN can be bypassed by using the router as a proxy.

 For example, in the figure below, PC-A and PC-B are isolated from each other.
However, PC-A can initiate an attack against PC-B by sending packets that have the
source IP address and MAC address of PC-A, the destination IP address of PC-B, but
the destination MAC address of R1. S1 will forward the frame to R1 because F0/5 is
configured as a promiscuous port. R1 rebuilds the frame with PC-B's MAC address and
forwards it to S1. S1 then forwards the frame to PC-B.
 Note: PVLANs are used mainly in service provider co-location sites. Another typical
application can be found in hotels where each room would be connected on its own
isolated port.

 To mitigate this type of attack, configure an ACL that will deny traffic with a source
and destination IP address that belongs to the same subnet, as shown in the
configuration below.
R1(config)# ip access-list extended PVLAN
R1(config-ext-nacl)# deny ip 172.16.0.0 0.0.0.255 172.16.0.0 0.0.0.255
R1(config-ext-nacl)# permit ip any any
R1(config-ext-nacl)# interface g0/0
R1(config-if)# ip access-group PVLAN in
R1(config-if)#
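As an added example (not from the course), the following Python code evaluates the PVLAN ACL above the way the router does: Cisco wildcard masks, first match wins, implicit deny at the end. The packet PC-A sends to PC-B through R1 carries a source and destination in 172.16.0.0/24, so the first entry denies it, while traffic leaving the subnet still matches permit ip any any. The host addresses used in the test and the function names are my own.

```python
import ipaddress


def _int(ip):
    return int(ipaddress.IPv4Address(ip))


def wildcard_match(addr, base, wildcard):
    """Cisco wildcard-mask semantics: a 1 bit in the wildcard means
    'do not care', so only bits where the wildcard is 0 are compared."""
    care = 0xFFFFFFFF ^ _int(wildcard)
    return (_int(addr) & care) == (_int(base) & care)


def parse_ace(text):
    """Parse one extended ACE of the shape used above:
    '<permit|deny> ip <src> <wild>|any|host <a> <dst> <wild>|any|host <a>'.
    Returns (action, src, src_wildcard, dst, dst_wildcard)."""
    toks = text.split()
    action, proto, rest = toks[0], toks[1], toks[2:]
    if action not in ("permit", "deny") or proto != "ip":
        raise ValueError("only 'permit ip' / 'deny ip' entries are modelled")

    def take():
        word = rest.pop(0)
        if word == "any":
            return "0.0.0.0", "255.255.255.255"
        if word == "host":
            return rest.pop(0), "0.0.0.0"
        return word, rest.pop(0)

    src = take()
    dst = take()
    return (action, *src, *dst)


def acl_action(acl, src_ip, dst_ip):
    """First-match evaluation, with the implicit deny IOS appends."""
    for action, sbase, swild, dbase, dwild in acl:
        if wildcard_match(src_ip, sbase, swild) and wildcard_match(dst_ip, dbase, dwild):
            return action
    return "deny"


# The ACL applied inbound on R1 g0/0 above, parsed into entries.
PVLAN_ACL = [
    parse_ace("deny ip 172.16.0.0 0.0.0.255 172.16.0.0 0.0.0.255"),
    parse_ace("permit ip any any"),
]

if __name__ == "__main__":
    # Constructed addresses: PC-A 172.16.0.10, PC-B 172.16.0.20.
    print("PC-A -> PC-B via R1:", acl_action(PVLAN_ACL, "172.16.0.10", "172.16.0.20"))
    print("PC-A -> outside    :", acl_action(PVLAN_ACL, "172.16.0.10", "10.1.1.1"))
```

Note that the ACL is applied inbound on the promiscuous-side router interface, so it only sees frames that S1 already forwarded to R1; it does not change PVLAN behaviour on the switch itself.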
14.4.6 PVLAN EDGE FEATURE

 Some applications require that no traffic be forwarded at Layer 2 between ports on the
same switch so that one neighbour does not see the traffic generated by another
neighbour.
 In such an environment, the use of the PVLAN Edge feature ensures that there is no
exchange of unicast, broadcast, or multicast traffic between PVLAN edge ports on the
switch, as shown in the figure. The PVLAN Edge feature is also called Protected Ports.
 The PVLAN Edge feature has the following characteristics:
o A protected port does not forward any traffic, such as unicast, multicast, or
broadcast, to any other port that is also a protected port. Data traffic cannot be
forwarded between protected ports at Layer 2; only control traffic is forwarded
because these packets are processed by the CPU and forwarded in software. All
data traffic passing between protected ports must be forwarded through a Layer
3 device.
o Forwarding behaviour between a protected port and a non-protected port
proceeds as usual.
o The default is to have no protected ports defined.

14.4.7 CONFIGURE PVLAN EDGE

 To configure the PVLAN Edge feature, enter the switchport protected interface
configuration mode command.
 The PVLAN Edge feature can be configured on a physical interface or an EtherChannel
group. When the PVLAN Edge feature is enabled for a port channel, it is enabled for all
ports in the port-channel group. To disable protected port, use the no switchport
protected interface configuration mode command.
 To verify the configuration of the PVLAN Edge feature, use the show interfaces
interface-id switchport global configuration mode command, as shown in the example
below.
Switch# show interfaces gigabitethernet1/0/1 switchport
Name: G1/0/1
Switchport: Enabled
Administrative Mode: dynamic auto
Operational Mode: static access
Administrative Trunking Encapsulation: negotiate
Operational Trunking Encapsulation: native
Negotiation of Trunking: On
Access Mode VLAN: 1 (default)
Trunking Native Mode VLAN: 1 (default)
Voice VLAN: none
(output omitted)
Operational private-vlan: none
Trunking VLANs Enabled: ALL
Pruning VLANs Enabled: 2-1001
Capture Mode Disabled
Capture VLANs Allowed: ALL
Protected: false
Unknown unicast blocked: disabled
Unknown multicast blocked: disabled
Voice VLAN: none (Inactive)
Appliance trust: none

 The PVLAN edge is a feature that has only local significance to the switch, and there is
no isolation provided between two protected ports located on different switches. A
protected port does not forward any traffic (unicast, multicast, or broadcast) to any other
port that is also a protected port on the same switch. Traffic cannot be forwarded
between protected ports at Layer 2 (L2); all traffic passing between protected ports must
be forwarded through a Layer 3 (L3) device.

14.5 MITIGATE DHCP ATTACKS


14.5.1 DHCP ATTACKS

 Two types of DHCP attacks are DHCP starvation and DHCP spoofing. Both attacks are
mitigated by implementing DHCP snooping.
DHCP Starvation Attack

 The goal of the DHCP starvation attack is DoS for connecting clients. DHCP starvation
attacks require an attack tool such as Gobbler.
 Gobbler has the ability to look at the entire scope of leasable IP addresses and tries to
lease them all. Specifically, it creates DHCP discovery messages with bogus MAC
addresses.
DHCP Spoofing Attack

 A DHCP spoofing attack occurs when a rogue DHCP server is connected to the
network and provides false IP configuration parameters to legitimate clients. A rogue
server can provide a variety of misleading information:
o Wrong default gateway - The rogue server provides an invalid gateway, or its
own IP address, to create a man-in-the-middle attack. This may go entirely
undetected as the intruder intercepts the data flow through the network and then
forwards it on to the real default gateway.
o Wrong DNS server - The rogue server provides an incorrect DNS server
address that points the user to a nefarious website.
o Wrong IP address - The rogue server provides an invalid IP address which
effectively creates a DoS attack on the DHCP client.
An example and explanation of a DHCP spoofing attack now follows…
Step 1
Threat Actor Connects Rogue DHCP Server
 A threat actor successfully connects a rogue DHCP server to a switch port on the same
subnet and VLANs as the target clients. The goal of the rogue server is to provide
clients with false IP configuration information.
Step 2
Client Broadcasts DHCP Discovery Messages

 A legitimate client connects to the network and requires IP configuration parameters.
Therefore, the client broadcasts a DHCP Discovery request looking for a response from
a DHCP server. Both servers will receive the message and respond.
Step 3
Legitimate and Rogue DHCP Reply

 The legitimate DHCP server responds with valid IP configuration parameters. However,
the rogue server also responds with a DHCP offer containing IP configuration
parameters defined by the threat actor. The client will reply to the first offer received.
Step 4
Client Accepts Rogue DHCP Offer

 The rogue offer was received first, and therefore, the client broadcasts a DHCP request
accepting the IP parameters defined by the threat actor. The legitimate and rogue server
will receive the request.
Step 5
Rogue Server Acknowledges

 The rogue server unicasts a reply to the client to acknowledge its request. The
legitimate server will cease communicating with the client.
14.5.2 DHCP ATTACKS MITIGATION

 It is easy to mitigate DHCP starvation attacks by using port security. However,
mitigating DHCP spoofing attacks requires more protection.
 For instance, Gobbler uses a unique MAC address for each DHCP request, and port
security could be configured to mitigate this. However, Gobbler can also be configured
to use the same interface MAC address with a different hardware address (CHADDR) for
every request. This would render port security ineffective.
 DHCP spoofing attacks can be mitigated using DHCP snooping on trusted ports. DHCP
snooping also helps mitigate against DHCP starvation attacks by rate limiting the
number of DHCP discovery messages that an untrusted port can receive. DHCP
snooping builds and maintains a DHCP snooping binding database that the switch can
use to filter DHCP messages from untrusted sources. The DHCP snooping binding table
includes the client MAC address, IP address, DHCP lease time, binding type, VLAN
number, and interface information on each untrusted switchport or interface.
 Devices under your administrative control, such as switches, routers, and servers, are
trusted sources. Any device beyond the firewall or outside your network is an untrusted
source. In addition, all access ports are generally treated as untrusted sources. The
figure shows an example of trusted and untrusted ports.

 Note: In a large network, the DHCP binding table may take time to build after it is
enabled. For example, it could take 2 days for DHCP snooping to complete the table if
DHCP lease time is 4 days.
 When DHCP snooping is enabled on an interface or VLAN, and a switch receives a
packet on an untrusted port, the switch compares the source packet information with
that held in the DHCP snooping binding table. The switch will deny packets containing
specific information:
o Unauthorized DHCP server messages from an untrusted port
o Unauthorized DHCP client messages not adhering to the snooping binding table
or rate limits
o DHCP relay-agent packets that include option-82 information on an untrusted
port
 Note: To counter Gobbler using the same MAC address, DHCP snooping also makes
the switch check the Client Hardware Address (CHADDR) field in the DHCP request.
This ensures that it matches the hardware MAC address in the DHCP snooping binding
table and the MAC address in the MAC table. If there is no match, the request is
dropped.
 Note: Similar mitigation techniques are available for DHCPv6 and IPv6 clients.
Because IPv6 devices can also receive their addressing information from the router’s
Router Advertisement (RA) message, there are also mitigation solutions to prevent any
rogue RA messages.

14.5.3 STEPS TO IMPLEMENT DHCP SNOOPING

 Use the following steps to enable DHCP snooping:
o Step 1. Enable DHCP snooping by using the ip dhcp snooping global
configuration command.
o Step 2. On trusted ports, use the ip dhcp snooping trust interface
configuration command.
o Step 3. Limit the number of DHCP discovery messages that can be received per
second on untrusted ports by using the ip dhcp snooping limit rate interface
configuration command.
o Step 4. Enable DHCP snooping by VLAN, or by a range of VLANs, by using
the ip dhcp snooping vlan global configuration command.

14.5.4 DHCP SNOOPING CONFIGURATION EXAMPLE


 The reference topology for this DHCP snooping example is shown in the figure. Notice
that F0/5 is an untrusted port because it connects to a PC. F0/1 is a trusted port because
it connects to the DHCP server.
 The following is an example of how to configure DHCP snooping on S1. Notice how
DHCP snooping is first enabled. Then the upstream interface to the DHCP server is
explicitly trusted. Next, the range of FastEthernet ports from F0/5 to F0/24 are untrusted
by default, so a rate limit is set to six packets per second. Finally, DHCP snooping is
enabled on VLANS 5, 10, 50, 51, and 52.
S1(config)# ip dhcp snooping
S1(config)# interface f0/1
S1(config-if)# ip dhcp snooping trust
S1(config-if)# exit
S1(config)# interface range f0/5 - 24
S1(config-if-range)# ip dhcp snooping limit rate 6
S1(config-if-range)# exit
S1(config)# ip dhcp snooping vlan 5,10,50-52
S1(config)# end
S1#

 Use the show ip dhcp snooping privileged EXEC command to verify DHCP snooping
and show ip dhcp snooping binding to view the clients that have received DHCP
information, as shown in the example.
 Note: DHCP snooping is also required by Dynamic ARP Inspection (DAI), which is the
next topic.
S1# show ip dhcp snooping
Switch DHCP snooping is enabled
DHCP snooping is configured on following VLANs:
5,10,50-52
DHCP snooping is operational on following VLANs:
none
DHCP snooping is configured on the following L3 Interfaces:
Insertion of option 82 is enabled
circuit-id default format: vlan-mod-port
remote-id: 0cd9.96d2.3f80 (MAC)
Option 82 on untrusted port is not allowed
Verification of hwaddr field is enabled
Verification of giaddr field is enabled
DHCP snooping trust/rate is configured on the following Interfaces:
Interface                  Trusted    Allow option    Rate limit (pps)
-----------------------    -------    ------------    ----------------
FastEthernet0/1            yes        yes             unlimited
  Custom circuit-ids:
FastEthernet0/5            no         no              6
  Custom circuit-ids:
FastEthernet0/6            no         no              6
  Custom circuit-ids:
S1# show ip dhcp snooping binding
MacAddress          IpAddress        Lease(sec)  Type           VLAN  Interface
------------------  ---------------  ----------  -------------  ----  --------------------
00:03:47:B5:9F:AD   192.168.10.11    193185      dhcp-snooping  5     FastEthernet0/5

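The rules listed in 14.5.2 (drop server messages and option-82 on untrusted ports, check the CHADDR against the frame's source MAC, rate-limit DISCOVERs) and the configuration in 14.5.4 can be tied together in one small model. The following Python code is an added example, not the course's or Cisco's implementation: it processes DHCP messages the way a snooping switch with S1's configuration would (F0/1 trusted, F0/5 and F0/6 limited to 6 pps) and builds a binding entry with the fields of show ip dhcp snooping binding when a trusted server acknowledges a lease. The message objects, the rogue-server MAC and all names are constructed for the example.

```python
from collections import Counter
from dataclasses import dataclass, field

SERVER_MSGS = {"OFFER", "ACK", "NAK"}      # legitimate only from a trusted port


@dataclass
class Dhcp:
    kind: str            # DISCOVER / OFFER / REQUEST / ACK / NAK / RELEASE / DECLINE
    src_mac: str         # Ethernet source address of the frame
    chaddr: str          # client hardware address field inside the DHCP message
    port: str            # switch port the message arrived on
    vlan: int = 10
    yiaddr: str = ""     # address offered/assigned (OFFER, ACK)
    lease: int = 0       # lease time in seconds (ACK)
    option82: bool = False
    second: int = 0      # arrival time in whole seconds, for rate limiting


@dataclass
class SnoopingSwitch:
    trusted: set                       # ports with 'ip dhcp snooping trust'
    rate_limit: dict                   # port -> DISCOVERs per second allowed
    bindings: dict = field(default_factory=dict)      # chaddr -> binding entry
    client_port: dict = field(default_factory=dict)   # chaddr -> port last seen on
    discovers: Counter = field(default_factory=Counter)
    err_disabled: set = field(default_factory=set)

    def process(self, m):
        """Return 'forward' or 'drop:<reason>' for one DHCP message."""
        mac = m.chaddr.lower()
        if m.port in self.err_disabled:
            return "drop:port-err-disabled"
        if m.port not in self.trusted:
            # Rogue server: server messages may only enter on trusted ports.
            if m.kind in SERVER_MSGS:
                return "drop:server-message-on-untrusted-port"
            if m.option82:
                return "drop:option82-on-untrusted-port"
            # CHADDR check: defeats a client that keeps one source MAC but
            # rotates the hardware address inside the DHCP message.
            if mac != m.src_mac.lower():
                return "drop:chaddr-mismatch"
            if m.kind == "DISCOVER":
                key = (m.port, m.second)
                self.discovers[key] += 1
                if self.discovers[key] > self.rate_limit.get(m.port, float("inf")):
                    self.err_disabled.add(m.port)   # IOS err-disables the port
                    return "drop:rate-limit-exceeded"
            if m.kind in {"RELEASE", "DECLINE"}:
                b = self.bindings.get(mac)
                if b is None or b["port"] != m.port:
                    return "drop:no-matching-binding"
            self.client_port[mac] = m.port
        elif m.kind == "ACK" and m.yiaddr:
            # A lease confirmed by a trusted server creates the binding entry.
            self.bindings[mac] = {"ip": m.yiaddr, "vlan": m.vlan,
                                  "port": self.client_port.get(mac, "?"),
                                  "lease": m.lease}
        return "forward"


if __name__ == "__main__":
    sw = SnoopingSwitch(trusted={"F0/1"}, rate_limit={"F0/5": 6, "F0/6": 6})
    c = "00:03:47:b5:9f:ad"                       # constructed client MAC
    print(sw.process(Dhcp("DISCOVER", c, c, "F0/5")))
    print(sw.process(Dhcp("OFFER", "aa:aa:aa:aa:aa:aa", c, "F0/6", yiaddr="192.168.10.99")))
    print(sw.process(Dhcp("ACK", "00:0c:29:11:22:33", c, "F0/1", yiaddr="192.168.10.11", lease=193185)))
    print(sw.bindings)
```

The RELEASE/DECLINE check matters because those messages delete a binding; accepting one from a port other than the one the lease was learned on would let a neighbour clear another host's entry.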
14.6 MITIGATE ARP ATTACKS


14.6.1 ARP ATTACKS

 Recall that hosts broadcast ARP Requests to determine the MAC address of a host with
a particular IPv4 address. This is typically done to discover the MAC address of the
default gateway. All hosts on the subnet receive and process the ARP Request. The host
with the matching IPv4 address in the ARP Request sends an ARP Reply.
 According to the ARP RFC, a client is allowed to send an unsolicited ARP Request
called a “gratuitous ARP.” When a host sends a gratuitous ARP, other hosts on the
subnet store the MAC address and IPv4 address contained in the gratuitous ARP in their
ARP tables.
 The problem is that an attacker can send a gratuitous ARP message containing a
spoofed MAC address to a switch, and the switch would update its MAC table
accordingly. Therefore, any host can claim to be the owner of any IP and MAC address
combination they choose. In a typical attack, a threat actor can send unsolicited ARP
Replies to other hosts on the subnet with the MAC Address of the threat actor and the
IPv4 address of the default gateway.
 There are many tools available on the internet to create ARP man-in-the-middle attacks
including dsniff, Cain & Abel, ettercap, Yersinia, and others. IPv6 uses ICMPv6
Neighbor Discovery Protocol for Layer 2 address resolution. IPv6 includes strategies to
mitigate Neighbor Advertisement spoofing, similar to the way IPv6 prevents a spoofed
ARP Reply.
 ARP spoofing and ARP poisoning are mitigated by implementing Dynamic ARP
Inspection (DAI).
Now follows an example and explanation of ARP spoofing and ARP poisoning.
Step 1
Normal State with Converged MAC Tables

 Each device has an accurate MAC table with the correct IPv4 and MAC addresses for
the other devices on the LAN.
Step 2
ARP Spoofing Attack

 The threat actor sends two spoofed gratuitous ARP Replies in an attempt to replace R1
as the default gateway:
o 1. The first one informs all devices on the LAN that the threat actor’s MAC
address (CC:CC:CC) maps to R1’s IPv4 address, 10.0.0.1.
o 2. The second one informs all devices on the LAN that the threat actor’s MAC
address (CC:CC:CC) maps to PC1’s IPv4 address, 10.0.0.11.
Step 3
ARP Poisoning Attack with Man-in-the-Middle Attack

 R1 and PC1 remove the correct entry for each other’s MAC address and replace it with
PC2’s MAC address. The threat actor has now poisoned the ARP caches of all devices
on the subnet. ARP poisoning leads to various man-in-the-middle attacks, posing a
serious security threat to the network.

14.6.2 VIDEO – ARP SPOOFING

14.6.3 DYNAMIC ARP INSPECTION

 In a typical ARP attack, a threat actor can send unsolicited ARP requests to other hosts
on the subnet with the MAC Address of the threat actor and the IP address of the default
gateway. To prevent ARP spoofing and the resulting ARP poisoning, a switch must
ensure that only valid ARP Requests and Replies are relayed.
 Dynamic ARP inspection (DAI) requires DHCP snooping and helps prevent ARP
attacks by:
o Not relaying invalid or gratuitous ARP Requests out to other ports in the same
VLAN
o Intercepting all ARP Requests and Replies on untrusted ports
o Verifying each intercepted packet for a valid IP-to-MAC binding
o Dropping and logging ARP Requests coming from invalid sources to prevent
ARP poisoning
o Error-disabling the interface if the configured DAI number of ARP packets is
exceeded
14.6.4 DAI IMPLEMENTATION GUIDELINES

 To mitigate the chances of ARP spoofing and ARP poisoning, follow these DAI
implementation guidelines:
o Enable DHCP snooping globally.
o Enable DHCP snooping on selected VLANs.
o Enable DAI on selected VLANs.
o Configure trusted interfaces for DHCP snooping and ARP inspection.
 It is generally advisable to configure all access switch ports as untrusted and to
configure all uplink ports that are connected to other switches as trusted.
 The sample topology in the figure identifies trusted and untrusted ports.

14.6.5 DAI CONFIGURATION EXAMPLE


 In the previous topology, S1 is connecting two users on VLAN 10. DAI will be
configured to mitigate against ARP spoofing and ARP poisoning attacks.
 As shown in the example, DHCP snooping is enabled because DAI requires the DHCP
snooping binding table to operate. Next, DHCP snooping and ARP inspection are
enabled for the PCs on VLAN10. The uplink port to the router is trusted, and therefore,
is configured as trusted for DHCP snooping and ARP inspection.
S1(config)# ip dhcp snooping
S1(config)# ip dhcp snooping vlan 10
S1(config)# ip arp inspection vlan 10
S1(config)# interface fa0/24
S1(config-if)# ip dhcp snooping trust
S1(config-if)# ip arp inspection trust

 DAI can also be configured to check the destination MAC address, the source MAC
address, and the IP addresses in ARP packets:
o Destination MAC - Checks the destination MAC address in the Ethernet
header against the target MAC address in the ARP packet body
o Source MAC - Checks the source MAC address in the Ethernet header against
the sender MAC address in the ARP packet body
o IP address - Checks the ARP packet body for invalid and unexpected IP
addresses including addresses 0.0.0.0, 255.255.255.255, and all IP multicast
addresses
 The ip arp inspection validate {src-mac [dst-mac] [ip]} global configuration
command is used to configure DAI to drop ARP packets when the IP addresses are
invalid. It can be used when the MAC addresses in the body of the ARP packets do not
match the addresses that are specified in the Ethernet header. Notice in the following
example how only one command can be configured. Therefore, entering multiple ip arp
inspection validate commands overwrites the previous command. To include more
than one validation method, enter them on the same command line as shown and
verified in the following output.
S1(config)# ip arp inspection validate ?
dst-mac Validate destination MAC address
ip Validate IP addresses
src-mac Validate source MAC address
S1(config)# ip arp inspection validate src-mac
S1(config)# ip arp inspection validate dst-mac
S1(config)# ip arp inspection validate ip
S1(config)# do show run | include validate
ip arp inspection validate ip
S1(config)# ip arp inspection validate src-mac dst-mac ip
S1(config)# do show run | include validate
ip arp inspection validate src-mac dst-mac ip
S1(config)#
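Putting the DAI behaviour of 14.6.3 and the validate options above together, here is an added Python model (my own code, not the course's or Cisco's) of the inspection decision for one ARP packet on an untrusted port: the sender MAC/IP pair must exist in the snooping binding table, and the optional src-mac, dst-mac and ip checks compare the Ethernet header with the ARP body and reject the invalid addresses listed above. The binding table mirrors the Step 2 scenario (R1 at 10.0.0.1, PC1 at 10.0.0.11, the threat actor's PC at 10.0.0.12); the full MAC addresses, port names and function names are constructed for the example.

```python
from dataclasses import dataclass


@dataclass
class Arp:
    port: str           # switch port the packet arrived on
    eth_src: str        # Ethernet header source MAC
    eth_dst: str        # Ethernet header destination MAC
    op: str             # "request" or "reply"
    sender_mac: str     # ARP body: sender hardware address
    sender_ip: str      # ARP body: sender protocol address
    target_mac: str     # ARP body: target hardware address
    target_ip: str      # ARP body: target protocol address


INVALID_IPS = {"0.0.0.0", "255.255.255.255"}


def is_multicast(ip):
    return 224 <= int(ip.split(".")[0]) <= 239


def dai_inspect(pkt, bindings, trusted_ports, validate=frozenset()):
    """Return 'forward' or 'drop:<reason>'.
    bindings: set of (mac, ip) pairs from the DHCP snooping binding table.
    validate: any of {"src-mac", "dst-mac", "ip"}, the optional checks of
    'ip arp inspection validate'."""
    if pkt.port in trusted_ports:
        return "forward"                     # trusted ports are not inspected
    if "src-mac" in validate and pkt.eth_src.lower() != pkt.sender_mac.lower():
        return "drop:src-mac-mismatch"
    if ("dst-mac" in validate and pkt.op == "reply"
            and pkt.eth_dst.lower() != pkt.target_mac.lower()):
        return "drop:dst-mac-mismatch"
    if "ip" in validate:
        # Sender IP is checked in every packet, target IP only in replies.
        checked = [pkt.sender_ip] + ([pkt.target_ip] if pkt.op == "reply" else [])
        if any(ip in INVALID_IPS or is_multicast(ip) for ip in checked):
            return "drop:invalid-ip"
    # The core DAI check: the sender's MAC/IP pair must be a known binding.
    if (pkt.sender_mac.lower(), pkt.sender_ip) not in bindings:
        return "drop:no-ip-mac-binding"
    return "forward"


# Constructed binding table for the Step 2 scenario.
BINDINGS = {
    ("aa:aa:aa:aa:aa:aa", "10.0.0.1"),    # R1
    ("bb:bb:bb:bb:bb:bb", "10.0.0.11"),   # PC1
    ("cc:cc:cc:cc:cc:cc", "10.0.0.12"),   # PC2 (threat actor's own lease)
}
TRUSTED = {"Fa0/24"}                      # uplink to R1, as in the config above

if __name__ == "__main__":
    # The gratuitous reply from Step 2 claiming R1's address fails the binding check.
    spoof = Arp("Fa0/3", "cc:cc:cc:cc:cc:cc", "ff:ff:ff:ff:ff:ff", "reply",
                "cc:cc:cc:cc:cc:cc", "10.0.0.1", "ff:ff:ff:ff:ff:ff", "10.0.0.11")
    print(dai_inspect(spoof, BINDINGS, TRUSTED))
```

The src-mac test in the assertions shows what the basic check misses: a packet whose ARP body names PC1's valid pair but whose Ethernet header comes from another station passes DAI unless src-mac validation is configured.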

14.7 MITIGATE ADDRESS SPOOFING ATTACKS


14.7.1 ADDRESS SPOOFING ATTACKS
 MAC addresses and IP addresses can be spoofed for a variety of reasons. Spoofing
attacks occur when one host poses as another to receive otherwise inaccessible data, or
to circumvent security configurations.
 The method used by switches to populate the MAC address table leads to a
vulnerability known as MAC address spoofing. MAC address spoofing attacks occur
when attackers alter the MAC address of their host to match another known MAC
address of a target host, as shown in the figure. The attacking host then sends a frame
throughout the network with the newly-configured MAC address.

 When the switch receives the frame, it examines the source MAC address. The switch
overwrites the current MAC table entry and assigns the MAC address to the new port,
as shown in the figure below. It then inadvertently forwards frames destined for the
target host to the attacking host.

 When the switch changes the MAC table, the target host does not receive any traffic
until it sends traffic. When the target host sends traffic, the switch receives and
examines the frame, resulting in the MAC table being rewritten once more, realigning
the MAC address to the original port. To stop the switch from returning the spoofed
MAC address port assignments to their correct state, the attacking host can create a
program or script that will constantly send frames to the switch so that the switch
maintains the incorrect or spoofed information. There is no security mechanism at
Layer 2 that allows a switch to verify the source of MAC addresses, which is what
makes it so vulnerable to spoofing.
 IP address spoofing is when a rogue PC hijacks a valid IP address of a neighbor, or
uses a random IP address. IP address spoofing is difficult to mitigate, especially when it
is used inside the subnet to which the IP address belongs.

14.7.2 ADDRESS SPOOFING ATTACK MITIGATION

 To protect against MAC and IP address spoofing, configure the IP Source Guard
(IPSG) security feature. IPSG operates just like DAI, but it looks at every packet, not
just the ARP packets. Like DAI, IPSG also requires that DHCP snooping be enabled.
 Specifically, IPSG is deployed on untrusted Layer 2 access and trunk ports. IPSG
dynamically maintains per-port VLAN ACLs (PVACL) based on IP-to-MAC-to-
switch-port bindings. Initially, all IP traffic on the port is blocked, except for DHCP
packets that are captured by the DHCP snooping process. A PVACL is installed on the
port when a client receives a valid IP address from the DHCP server or when a static IP
source binding is configured by the user.
 This process restricts the client IP traffic to those source IP addresses that are
configured in the binding. Any IP traffic with a source IP address other than that in the
IP source binding will be filtered out. This filtering limits the ability of a host to attack
the network by claiming the IP address of a neighbor host.
 For each untrusted port, there are two possible levels of IP traffic security filtering:
o Source IP address filter - IP traffic is filtered based on its source IP address
and only IP traffic with a source IP address that matches the IP source binding
entry is permitted. When a new IP source entry binding is created or deleted on
the port, the PVACL automatically adjusts itself to reflect the IP source binding
change.
o Source IP and MAC address filter - IP traffic is filtered based on its source IP
address in addition to its MAC address. Only IP traffic with source IP and
MAC addresses that match the IP source binding entry are permitted.

14.7.3 CONFIGURE IP SOURCE GUARD

 Examine the IP Source Guard reference topology that is shown in the figure.

 IP Source Guard is enabled on untrusted ports using the ip verify source command as
shown in the configuration below. Remember that the feature can only be configured on
a Layer 2 access or trunk port and that DHCP snooping is required to learn valid IP
address and MAC address pairs.
S1(config)# interface range fastethernet 0/1 - 2
S1(config-if-range)# ip verify source
S1(config-if-range)# end
S1#

 Use the show ip verify source command to verify the IP Source Guard configuration,
as shown below. In the example, the F0/1 and F0/2 ports are configured with IP Source
Guard. Each interface has one valid DHCP binding.
S1# show ip verify source
Interface  Filter-type  Filter-mode  IP-address      Mac-address        Vlan
---------  -----------  -----------  --------------  -----------------  ----
F0/1       ip           active       192.168.10.10                      10
F0/2       ip           active       192.168.10.11                      10
S1#
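The IPSG decision logic from 14.7.2 and 14.7.3, as an added example that is not part of the original notes or Cisco's code. It keeps a binding table of the kind DHCP snooping builds, a per-port filter type ("ip" for source IP only, "ip-mac" for source IP and MAC), and a permit function that blocks everything except DHCP until a binding exists. On Catalyst switches the ip verify source port-security form is what adds the MAC check; the interface names, VLAN and addresses below are constructed to match the show ip verify source output above.

```python
"""IP Source Guard filtering model for 14.7.2 / 14.7.3 (added example, not Cisco code).

Bindings come from DHCP snooping (or a static entry). Until a port has a
binding only DHCP traffic passes, so the host can obtain a lease; afterwards
only packets matching the binding's source IP ("ip") or source IP and MAC
("ip-mac") are forwarded. All identifiers are constructed.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Binding:
    ip: str
    mac: str
    vlan: int
    port: str


@dataclass(frozen=True)
class Packet:
    port: str           # ingress interface
    vlan: int
    src_ip: str
    src_mac: str
    is_dhcp: bool = False


class IpSourceGuard:
    def __init__(self):
        self.filter_type = {}   # port -> "ip" | "ip-mac"
        self.bindings = {}      # port -> set of Binding (the DHCP snooping binding table)

    def enable(self, port, filter_type="ip"):
        if filter_type not in ("ip", "ip-mac"):
            raise ValueError(filter_type)
        self.filter_type[port] = filter_type
        self.bindings.setdefault(port, set())

    def add_binding(self, binding):
        """What DHCP snooping records on a DHCPACK, or a static ip source binding."""
        self.bindings.setdefault(binding.port, set()).add(binding)

    def remove_binding(self, binding):
        """Lease expiry or removal of a static binding: the PVACL adjusts at once."""
        self.bindings.get(binding.port, set()).discard(binding)

    def permit(self, pkt):
        """Return (allowed, reason) for one packet arriving on pkt.port."""
        ftype = self.filter_type.get(pkt.port)
        if ftype is None:
            return True, "IPSG not enabled on this port"
        if pkt.is_dhcp:
            return True, "DHCP client traffic is always permitted"
        for b in self.bindings[pkt.port]:
            if b.vlan != pkt.vlan or b.ip != pkt.src_ip:
                continue
            if ftype == "ip":
                return True, f"source IP matches binding {b.ip} (MAC not checked)"
            if b.mac == pkt.src_mac:
                return True, f"source IP and MAC match binding {b.ip}/{b.mac}"
        return False, "no matching IP source binding on this port"

    def verify_source(self):
        """Rows in the spirit of show ip verify source: (port, filter type, ip, mac, vlan)."""
        rows = []
        for port, ftype in sorted(self.filter_type.items()):
            for b in sorted(self.bindings[port], key=lambda b: b.ip):
                rows.append((port, ftype, b.ip, b.mac if ftype == "ip-mac" else "-", b.vlan))
        return rows


if __name__ == "__main__":
    ipsg = IpSourceGuard()
    ipsg.enable("F0/1")             # source IP filter only
    ipsg.enable("F0/2", "ip-mac")   # source IP and MAC filter
    ipsg.add_binding(Binding("192.168.10.10", "000a.0011.1111", 10, "F0/1"))
    ipsg.add_binding(Binding("192.168.10.11", "000a.0022.2222", 10, "F0/2"))
    # The host on F0/2 claims its neighbour's address: dropped.
    print(ipsg.permit(Packet("F0/2", 10, "192.168.10.10", "000a.0022.2222")))
    for row in ipsg.verify_source():
        print(*row)
```

The point worth noticing is the "ip" filter type: it stops a host from borrowing a neighbour's IP address, but a host that keeps its own IP and spoofs its MAC still passes. If MAC spoofing is in scope, use the IP-and-MAC filter (which on Cisco switches also needs port security on the port).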

14.8 SPANNING TREE PROTOCOL


14.8.1 SPANNING TREE PROTOCOL

 Spanning Tree Protocol (STP) is a loop-prevention network protocol that allows for
redundancy while creating a loop-free Layer 2 topology. IEEE 802.1D is the original
IEEE MAC Bridging standard for STP.
 Watch the video to see STP in action.
14.8.2 STP RECALCULATION

 Watch the video to view an animation of STP recalculation when a failure occurs.

14.8.3 LAYER 2 LOOPS

 Without STP enabled, Layer 2 loops can form, causing broadcast, multicast and
unknown unicast frames to loop endlessly. This can bring down a network within a very
short amount of time, sometimes in just a few seconds. For example, broadcast frames,
such as an ARP Request are forwarded out all of the switch ports, except the original
ingress port. This ensures that all devices in a broadcast domain are able to receive the
frame. If there is more than one path for the frame to be forwarded out of, an endless
loop can result. When a loop occurs, the MAC address table on a switch will constantly
change with the updates from the broadcast frames, which results in MAC database
instability. This can cause high CPU utilization, which makes the switch unable to
forward frames.
 Broadcast frames are not the only type of frames that are affected by loops. Unknown
unicast frames sent onto a looped network can result in duplicate frames arriving at the
destination device. An unknown unicast frame is when the switch does not have the
destination MAC address in its MAC address table and must forward the frame out all
ports, except the ingress port.

14.8.4 STP PORT ROLES

 The spanning tree algorithm designates a single switch as the root bridge and uses it as
the reference point for all path calculations. In the figure, the root bridge (switch S1) is
chosen through an election process. All switches that participate in STP exchange
BPDU frames to determine which switch has the lowest bridge ID (BID) on the
network. The switch with the lowest BID automatically becomes the root bridge for the
spanning tree algorithm calculations.
 Note: For simplicity, assume until otherwise indicated that all ports on all switches are
assigned to VLAN 1. The switches are configured with the default PVST+. Each switch
has a unique MAC address associated with VLAN 1.

 A BPDU is a messaging frame that is exchanged by switches for STP. Each BPDU
contains a BID that identifies the switch that sent the BPDU. The BID contains a
priority value, the MAC address of the sending switch, and an optional extended system
ID. The lowest BID value is determined by the combination of these three fields.
 After the root bridge has been determined, the spanning tree algorithm calculates the
shortest path to it. Each switch uses the spanning tree algorithm to determine which
ports to block. While the spanning tree algorithm determines the best paths to the root
bridge for all switch ports in the broadcast domain, traffic is prevented from being
forwarded through the network. The spanning tree algorithm considers both path and
port costs when determining which ports to block. The path costs are calculated using
port cost values associated with port speeds for each switch port along a given path. The
sum of the port cost values determines the overall path cost to the root bridge. If there is
more than one path to choose from, spanning tree algorithm chooses the path with the
lowest path cost.
 When the spanning tree algorithm has determined which paths are most desirable
relative to each switch, it assigns port roles to the participating switch ports. The STP
port roles are:
o Alternate - Alternate or backup ports are configured to be in a blocking state to
prevent loops. Alternate ports are selected only on trunk links where neither end
is a root port.
o Root - Root ports are switch ports that are closest to the root bridge.
o Designated - Designated ports are all non-root ports that STP permits to
forward traffic on the network. Designated ports are selected on a per-trunk
basis. If one end of a trunk is a root port, then the other end is a designated port.
All ports on the root bridge are designated ports.
 The figure above shows the relationship of the port roles in the network to the root
bridge and whether they are allowed to forward traffic. In the figure, only one end of
Trunk2 is blocked. This allows for faster transition to a forwarding state when a change
in the network makes it necessary.
 Note: A port that is administratively shut down is referred to as a disabled port.

14.8.5 STP ROOT BRIDGE

 As shown in the figure, every spanning tree instance (switched LAN or broadcast
domain) has a switch designated as the root bridge. The root bridge serves as a
reference point for all spanning tree calculations to determine which redundant paths to
block.
 An election process determines which switch becomes the root bridge.
 The figure below shows the BID fields. The BID is made up of a priority value, an
extended system ID, and the MAC address of the switch.

 All switches in the broadcast domain participate in the election process. After a switch
boots, it begins to send out BPDU frames every two seconds. These BPDU frames
contain the switch BID and the root ID.
 As the switches forward their BPDU frames, switches in the broadcast domain read the
root ID information from the BPDU frames. If the root ID from a BPDU that has been
received is lower than the root ID on the receiving switch, then the receiving switch
updates its root ID, which identifies the adjacent switch as the root bridge. The switch
then forwards new BPDU frames with the lower root ID to the other switches.
Eventually, the switch with the lowest BID ends up being identified as the root bridge
for the spanning tree instance.
 There is a root bridge elected for each spanning tree instance. It is possible to have
multiple distinct root bridges. If all ports on all switches are members of VLAN 1, then
there is only one spanning tree instance. The extended system ID plays a role in how
spanning tree instances are determined.

14.8.6 STP PATH COST

 When the root bridge has been elected for the spanning tree instance, the spanning tree
algorithm starts the process of determining the best paths to the root bridge from all
destinations in the broadcast domain. The path information is determined by summing
up the individual port costs along the path from the destination to the root bridge. Each
“destination” is actually a switch port.
 The default port costs are defined by the speed at which the port operates. As shown in
the table, 10 Gb/s Ethernet ports have a port cost of 2, 1 Gb/s Ethernet ports have a port
cost of 4, 100 Mb/s Fast Ethernet ports have a port cost of 19, and 10 Mb/s Ethernet
ports have a port cost of 100.

Link Speed   Cost (Revised IEEE Specification)   Cost (Previous IEEE Specification)
10 Gb/s      2                                   1
1 Gb/s       4                                   1
100 Mb/s     19                                  10
10 Mb/s      100                                 100

 Note: As newer, faster Ethernet technologies become available, the path cost values
may change to accommodate the new speeds. The non-linear numbers in the table
accommodate some improvements to the older Ethernet standard. The values have
changed to accommodate the 10 Gb/s Ethernet standard. To illustrate the continued
change associated with high-speed networking, Catalyst 4500 and 6500 switches
support a longer path cost method; for example, 10 Gb/s has a 2000 path cost, 100 Gb/s
has a 200 path cost, and 1 Tb/s has a 20 path cost.
 Although switch ports have a default port cost associated with them, the port cost is
configurable. The ability to configure individual port costs gives the administrator the
flexibility to manually control the spanning tree paths to the root bridge.
 To configure the port cost of an interface enter the spanning-tree cost value command
in interface configuration mode. The value can be between 1 and 200,000,000.
 In the example below, switch port F0/1 has been configured with a port cost of 25 using
the spanning-tree cost 25 interface configuration mode command on the F0/1
interface.
S2# configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
S2(config)# interface f0/1
S2(config-if)# spanning-tree cost 25
S2(config-if)# end
S2#

 To restore the port cost to its default value (19 for a Fast Ethernet port), enter the
no spanning-tree cost interface configuration mode command.
S2# configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
S2(config)# interface f0/1
S2(config-if)# no spanning-tree cost
S2(config-if)# end
S2#

 The path cost is equal to the sum of all the port costs along the path to the root bridge.
Paths with the lowest cost become preferred, and all other redundant paths are blocked.
In the example below, the path cost from S2 to the root bridge S1, over Path 1 is 19
(based on the IEEE-specified individual port cost), while the path cost over Path 2 is
two times 19, or 38. Because Path 1 has a lower overall path cost to the root bridge, it is
the preferred path. STP then configures the redundant path to be blocked, preventing a
loop from occurring.

 To verify the port and path cost to the root bridge, enter the show spanning-
tree command. The Cost field is the total path cost to the root bridge. This value
changes depending on how many switch ports must be traversed to get to the root
bridge. In the output below, each interface is also identified with an individual port cost
of 19.
S2# show spanning-tree

VLAN0001
  Spanning tree enabled protocol ieee
  Root ID    Priority    27577
             Address     000A.0033.3333
             Cost        19
             Port        1
             Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec

  Bridge ID  Priority    32769  (priority 32768 sys-id-ext 1)
             Address     000A.0011.1111
             Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec
             Aging Time  300

Interface    Role Sts Cost      Prio.Nbr Type
------------ ---- --- --------- -------- --------------------------------
F0/1         Root FWD 19        128.1    Edge P2p
F0/2         Desg FWD 19        128.2    Edge P2p
14.8.7 SELECT THE ROOT BRIDGE

 When an administrator wants a specific switch to become a root bridge, the bridge
priority value must be adjusted to ensure it is lower than the bridge priority values of all
the other switches on the network. There are two different methods to configure the
bridge priority value on a Cisco Catalyst switch.
Examples of both methods, and of how to verify that a switch is acting as root, follow.
Method 1

 To ensure that the switch has the lowest bridge priority value, use the spanning-tree
vlan vlan-id root primary command in global configuration mode. The priority for the
switch is set to the predefined value of 24,576, or to the highest multiple of 4,096 that
is less than the lowest bridge priority detected on the network.
 If an alternate root bridge is desired, use the spanning-tree vlan vlan-id root
secondary global configuration mode command. This command sets the priority for the
switch to the predefined value of 28,672. This ensures that the alternate switch becomes
the root bridge if the primary root bridge fails. This assumes that the rest of the switches
in the network have the default 32,768 priority value defined.
 In this example, S1 has been assigned as the primary root bridge using the spanning-
tree vlan 1 root primary command, and S2 has been configured as the secondary root
bridge using the spanning-tree vlan 1 root secondary command.
S1(config)# spanning-tree vlan 1 root primary
S1(config)# end
-----------------------
S2(config)# spanning-tree vlan 1 root secondary
S2(config)# end

Method 2

 Another method for configuring the bridge priority value is using the spanning-tree
vlan vlan-id priority value global configuration mode command. This command gives
more granular control over the bridge priority value. The priority value is configured in
increments of 4,096 between 0 and 61,440.
 In the example, S3 has been assigned a bridge priority value of 24,576 for VLAN 1
using the spanning-tree vlan 1 priority 24576 command. This is the equivalent value
of the root primary setting.
S3(config)# spanning-tree vlan 1 priority 24576

Verify Root Bridge

 To verify the bridge priority of a switch, use the show spanning-tree command. In the
example from Method 2, the priority of the switch was set to 24,576. Notice also that the
switch is designated as the root bridge for the spanning tree instance.
S3# show spanning-tree
VLAN0001
  Spanning tree enabled protocol ieee
  Root ID    Priority    24577
             Address     000A.0033.3333
             This bridge is the root
             Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec

  Bridge ID  Priority    24577  (priority 24576 sys-id-ext 1)
             Address     000A.0033.3333
             Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec
             Aging Time  300

Interface    Role Sts Cost      Prio.Nbr Type
------------ ---- --- --------- -------- --------------------------------
Fa0/1        Desg FWD 4         128.1    P2p
Fa0/2        Desg FWD 4         128.2    P2p
S3#
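The election, path cost, port role and root primary rules from 14.8.4 through 14.8.7, worked through in code. This is an added example, not the course's or Cisco's code. A BID compares as (priority + extended system ID, MAC) with the lowest winning; root path cost is the sum of the revised IEEE port costs from the 14.8.6 table; on every link the end with the lower root path cost (then the lower BID) is designated and the other end is a root port if it is that switch's best path to the root, otherwise an alternate port that blocks. The three-switch triangle, priorities and MAC addresses are constructed to match the figures above (S1 root, S2 reaching it directly at cost 19 or through S3 at 38), and the topology is assumed to be connected.

```python
"""Root election, path cost and port roles (added example for 14.8.4 to 14.8.7)."""
import heapq

PORT_COST = {10_000: 2, 1_000: 4, 100: 19, 10: 100}   # link speed in Mb/s -> revised IEEE cost


def bid(priority, vlan, mac):
    """Bridge ID as a comparable tuple: (priority + ext sys-id, MAC as an int)."""
    if priority % 4096 or not 0 <= priority <= 61440:
        raise ValueError("priority must be a multiple of 4096 in 0..61440")
    return (priority + vlan, int(mac.replace(".", "").replace(":", ""), 16))


def elect_root(switches, vlan):
    """switches: {name: (priority, mac)} for one VLAN instance. Lowest BID wins."""
    return min(switches, key=lambda n: bid(switches[n][0], vlan, switches[n][1]))


def root_path_costs(root, links):
    """links: [(a, b, speed_mbps)]. Dijkstra from the root over per-port costs."""
    adj = {}
    for a, b, speed in links:
        adj.setdefault(a, []).append((b, PORT_COST[speed]))
        adj.setdefault(b, []).append((a, PORT_COST[speed]))
    cost, heap = {root: 0}, [(0, root)]
    while heap:
        c, n = heapq.heappop(heap)
        if c > cost[n]:
            continue
        for m, w in adj.get(n, ()):
            if c + w < cost.get(m, float("inf")):
                cost[m] = c + w
                heapq.heappush(heap, (c + w, m))
    return cost


def port_roles(switches, vlan, links):
    """Return (root, root path costs, {(switch, neighbour): 'Root'|'Desg'|'Altn'})."""
    root = elect_root(switches, vlan)
    cost = root_path_costs(root, links)          # assumes every switch is reachable
    bids = {n: bid(p, vlan, m) for n, (p, m) in switches.items()}
    root_port = {}
    for n in switches:
        if n == root:
            continue
        # Lowest cost to the root through a neighbour; tie-break on the neighbour's BID.
        candidates = [(cost[m] + PORT_COST[s], bids[m], m)
                      for a, b, s in links for x, m in ((a, b), (b, a)) if x == n]
        root_port[n] = min(candidates)[2]
    roles = {}
    for a, b, s in links:
        desg = a if (cost[a], bids[a]) < (cost[b], bids[b]) else b
        other = b if desg == a else a
        roles[(desg, other)] = "Desg"
        roles[(other, desg)] = "Root" if root_port.get(other) == desg else "Altn"
    return root, cost, roles


def root_primary_priority(lowest_seen):
    """Priority chosen by 'spanning-tree vlan N root primary': 24576, or the next
    multiple of 4096 below the lowest priority already seen on the network."""
    if lowest_seen > 24576:
        return 24576
    if lowest_seen < 4096:
        raise ValueError("no lower multiple of 4096 left; set the priority by hand")
    return (lowest_seen - 1) // 4096 * 4096


if __name__ == "__main__":
    switches = {"S1": (24576, "000A.0033.3333"),
                "S2": (32768, "000A.0011.1111"),
                "S3": (32768, "000A.0022.2222")}
    links = [("S1", "S2", 100), ("S1", "S3", 100), ("S2", "S3", 100)]
    root, cost, roles = port_roles(switches, 1, links)
    print("root:", root, "path costs:", cost)
    for (sw, nb), role in sorted(roles.items()):
        print(f"{sw} port toward {nb}: {role}")
```

Two things this makes visible that the prose only states: with equal priorities the election is decided by the lowest MAC address, which an attacker can choose freely, so a deliberately low priority on the intended root (and Root Guard on the ports where it should never be heard) is what actually fixes the root; and changing one link to 1 Gb/s can move S2's root port to the indirect path (4 + 4 = 8 beats 19), which is the kind of cost-driven reconvergence that the show spanning-tree Cost field reflects.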

14.9 MITIGATE STP ATTACKS


14.9.1 STP ATTACK

 Threat actors can manipulate the Spanning Tree Protocol (STP) to conduct an attack by
spoofing the root bridge and changing the topology of a network. Attackers can make
their hosts appear as root bridges; and therefore, capture all traffic for the immediate
switched domain.
 To conduct an STP manipulation attack, the attacking host broadcasts STP bridge
protocol data units (BPDUs) containing configuration and topology changes that will
force spanning-tree recalculations, as shown in the figure. The BPDUs that are sent by
the attacking host announce a lower bridge priority in an attempt to be elected as the
root bridge.
 Note: These issues can occur when someone adds an Ethernet switch to the network
without any malicious intent.

 If successful, the attacking host becomes the root bridge, as shown in the figure below,
and can now capture a variety of frames that would otherwise not be accessible.

 This STP attack is mitigated by implementing BPDU Guard on all access ports.

14.9.2 MITIGATING STP ATTACKS

 To mitigate STP manipulation attacks, use the Cisco STP stability mechanisms to
enhance the overall performance of the switches and to reduce the time that is lost
during topology changes.
 These are the STP stability mechanisms:
o PortFast - PortFast immediately brings an interface that is configured as an
access or trunk port to the forwarding state from a blocking state. This bypasses
the listening and learning states. It should be applied to all end-user ports.
PortFast should only be configured when there is a host attached to the port,
and not another switch.
o BPDU Guard - BPDU guard immediately error disables a port that receives a
BPDU. It is typically used on PortFast enabled ports. Apply to all end-user
ports.
o Root Guard - Root guard prevents an inappropriate switch from becoming the
root bridge. Root guard limits the switch ports out of which the root bridge may
be negotiated. Apply to all ports which should not become root ports.
o Loop Guard - Loop guard prevents alternate or root ports from becoming
designated ports because of a failure that leads to a unidirectional link. Apply to
all ports that are or can become non-designated.
 These features enforce the placement of the root bridge in the network and enforce the
STP domain borders.
 The figure highlights the ports on which these features should be implemented.

14.9.3 CONFIGURE PORTFAST

 PortFast bypasses the STP listening and learning states to minimize the time that access
ports must wait for STP to converge. If PortFast is enabled on a port connecting to
another switch, there is a risk of creating a spanning-tree loop.
 PortFast can be enabled on an interface by using the spanning-tree portfast interface
configuration command. Alternatively, Portfast can be configured globally on all access
ports by using the spanning-tree portfast default global configuration command.
 To verify whether PortFast is enabled globally you can use either the show running-
config | begin span command or the show spanning-tree summary command. To
verify if PortFast is enabled on an interface, use the show running-config
interface type/number command, as shown in the following example.
The show spanning-tree interface type/number detail command can also be used for
verification.
 Notice the warning messages that are displayed when PortFast is enabled.
S1(config)# interface fa0/1
S1(config-if)# switchport mode access
S1(config-if)# spanning-tree portfast
%Warning: portfast should only be enabled on ports connected to a single
 host. Connecting hubs, concentrators, switches, bridges, etc... to this
 interface when portfast is enabled, can cause temporary bridging loops.
 Use with CAUTION

%Portfast has been configured on FastEthernet0/1 but will only
 have effect when the interface is in a non-trunking mode.
S1(config-if)# exit
S1(config)# spanning-tree portfast default
%Warning: this command enables portfast by default on all interfaces. You
 should now disable portfast explicitly on switched ports leading to hubs,
 switches and bridges as they may create temporary bridging loops.
S1(config)# exit
S1# show running-config | begin span
spanning-tree mode pvst
spanning-tree portfast default
spanning-tree extend system-id
!
interface FastEthernet0/1
switchport mode access
spanning-tree portfast
!
interface FastEthernet0/2
!
interface FastEthernet0/3
!
interface FastEthernet0/4
!
interface FastEthernet0/5
!
(output omitted)
S1#

14.9.4 CONFIGURE BPDU GUARD

 Even though PortFast is enabled, the interface will still listen for BPDUs. Unexpected
BPDUs might be accidental, or part of an unauthorized attempt to add a switch to the
network.
 If any BPDUs are received on a BPDU Guard enabled port, that port is put into error-
disabled state. This means the port is shut down and must be manually re-enabled or
automatically recovered through the errdisable recovery cause bpduguard global
command.
 BPDU Guard can be enabled on a port by using the spanning-tree bpduguard
enable interface configuration command. Alternatively, use the spanning-tree portfast
bpduguard default global configuration command to globally enable BPDU guard on
all PortFast-enabled ports.
 To display information about the state of spanning tree, use the show spanning-tree
summary command. In the example, PortFast default and BPDU Guard are both
enabled as the default state for ports that are configured in access mode.
 Note: Always enable BPDU Guard on all PortFast-enabled ports.
S1(config)# interface fa0/1
S1(config-if)# spanning-tree bpduguard enable
S1(config-if)# exit
S1(config)# spanning-tree portfast bpduguard default
S1(config)# end
S1# show spanning-tree summary
Switch is in pvst mode
Root bridge for: none
Extended system ID is enabled
Portfast Default is enabled
PortFast BPDU Guard Default is enabled
Portfast BPDU Filter Default is disabled
Loopguard Default is disabled
EtherChannel misconfig guard is enabled
UplinkFast is disabled
BackboneFast is disabled
Configured Pathcost method used is short
(output omitted)
S1#

14.9.6 CONFIGURE ROOT GUARD

 There are some switches in a network that should never, under any circumstances,
become the STP root bridge. Root Guard provides a way to enforce the placement of
root bridges in the network by limiting which switch can become the root bridge.
 Root guard is best deployed on ports that connect to switches that should not be the root
bridge. If a root-guard-enabled port receives BPDUs that are superior to those that the
current root bridge is sending, that port is moved to a root-inconsistent state. This is
effectively equal to an STP listening state, and no data traffic is forwarded across that
port. Recovery occurs as soon as the offending device ceases to send superior BPDUs.
 Use the spanning-tree guard root interface configuration command to configure root
guard on an interface.
 In the figure, D1 is the root bridge. If D1 fails, only D2 switch should become the root
bridge. To ensure that S1 never becomes a root bridge, the F0/1 interfaces of D1 and D2
should be enabled for Root guard.

 To view Root Guard ports that have received superior BPDUs and are in a root-
inconsistent state, use the show spanning-tree inconsistent ports command.
 Note: Root guard may seem unnecessary because an administrator can manually set the
bridge priority of a switch to zero. However, this does not guarantee that this switch
will be elected as the root bridge. Another switch may still become the root if it also has
a priority of zero and a lower MAC address.

14.9.7 CONFIGURE LOOP GUARD

 Traffic on bidirectional links flows in both directions. If for some reason one-direction
traffic flow fails, this creates a unidirectional link which can result in a Layer 2 loop.
STP relies on continuous reception or transmission of BPDUs based on the port role.
The designated port transmits BPDUs, and the non-designated port receives BPDUs. A
Layer 2 loop is usually created when an STP port in a redundant topology stops
receiving BPDUs and erroneously transitions to the forwarding state.
 The STP Loop Guard feature provides additional protection against Layer 2 loops. If
BPDUs are not received on a non-designated Loop Guard-enabled port, the port
transitions to a loop-inconsistent blocking state, instead of the listening / learning /
forwarding state. Without the Loop Guard feature, the port would assume a designated
port role and create a loop.
 As shown here, Loop Guard is enabled on all non-Root Guard ports using
the spanning-tree guard loop interface configuration command.
 Note: Loop Guard can also be enabled globally using the spanning-tree loopguard
default global configuration command. This enables Loop Guard on all point-to-point
links.
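The guard behaviour described in 14.9.1 through 14.9.7, plus the configuration audit a practitioner would run against it, as an added example that is not part of the original notes or Cisco's code. It applies exactly the rules stated above: BPDU Guard err-disables a port on any BPDU; Root Guard holds a port in root-inconsistent state while a superior BPDU is heard and recovers when it stops; Loop Guard moves a non-designated port that stops hearing BPDUs to loop-inconsistent rather than letting it become designated; an unguarded port simply accepts the superior BPDU, which is the attack succeeding. Port names, roles and BIDs are constructed; the "toward_root" flag marks the one uplink on which the legitimate root is expected.

```python
"""STP guard behaviour and configuration audit for 14.9 (added example, not Cisco code)."""
from dataclasses import dataclass

ROOT_BID = (24577, 0x000A00333333)   # (priority + sys-id-ext, MAC) of the legitimate root
ATTACKER_BID = (1, 0x00DEADBEEF00)   # priority 0 in VLAN 1: superior to any real root


@dataclass
class Port:
    name: str
    kind: str                  # "access" (host) or "uplink" (another switch)
    portfast: bool = False
    bpduguard: bool = False
    rootguard: bool = False
    loopguard: bool = False
    stp_role: str = "Desg"     # "Desg" | "Root" | "Altn"
    state: str = "FWD"
    toward_root: bool = False  # uplink on which the real root is expected to appear


def normal_state(port):
    return "FWD" if port.stp_role in ("Desg", "Root") else "BLK"


def on_bpdu(port, bpdu_root_bid, root_bid=ROOT_BID):
    """A BPDU announcing bpdu_root_bid arrives on the port; returns the new state."""
    if port.state == "err-disabled":
        return port.state                          # stays down until recovered
    if port.bpduguard:
        port.state = "err-disabled"                # any BPDU at all
    elif bpdu_root_bid < root_bid:                 # claims a better root
        if port.rootguard:
            port.state = "root-inconsistent"       # listen only, no data forwarded
        else:
            port.stp_role, port.state = "Root", "FWD"   # topology follows the intruder
    else:
        port.state = normal_state(port)            # ordinary BPDU; clears inconsistencies
    return port.state


def on_bpdu_timeout(port):
    """Max age expired with no BPDU on a port that should have been receiving them."""
    if port.stp_role in ("Root", "Altn"):
        if port.loopguard:
            port.state = "loop-inconsistent"
        else:
            port.stp_role, port.state = "Desg", "FWD"   # the unidirectional-link loop
    return port.state


def audit(ports):
    """Flag the gaps this section says to close. Returns a list of (port, finding)."""
    findings = []
    for p in ports:
        if p.kind == "access":
            if not p.portfast:
                findings.append((p.name, "PortFast missing on host port"))
            if not p.bpduguard:
                findings.append((p.name, "BPDU Guard missing on host port"))
        else:
            if p.portfast:
                findings.append((p.name, "PortFast on a switch-to-switch link risks a loop"))
            if not p.toward_root and not p.rootguard:
                findings.append((p.name, "Root Guard missing; neighbour could become root"))
            if p.stp_role in ("Root", "Altn") and not p.loopguard:
                findings.append((p.name, "Loop Guard missing on non-designated port"))
    return findings


if __name__ == "__main__":
    host = Port("Fa0/1", "access", portfast=True, bpduguard=True)
    guarded = Port("Gi0/1", "uplink", rootguard=True)
    open_uplink = Port("Gi0/2", "uplink", stp_role="Altn", state="BLK")
    print(host.name, on_bpdu(host, ATTACKER_BID))           # err-disabled
    print(guarded.name, on_bpdu(guarded, ATTACKER_BID))     # root-inconsistent
    print(open_uplink.name, on_bpdu(open_uplink, ATTACKER_BID), open_uplink.stp_role)
    for name, finding in audit([host, guarded, open_uplink]):
        print(name, finding)
```

The audit is the part to keep: the guards only help on the ports where they are configured, and the common failure is an uplink added later without Root Guard, or an access port with PortFast but no BPDU Guard, either of which gives an attacker's BPDU an unguarded path into the election.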
14.10 LAYER 2 SECURITY CONSIDERATIONS SUMMARY
14.10.1 WHAT DID I LEARN IN THIS MODULE?
Layer 2 Security Threats

 Security is implemented at all layers of the OSI model. However, if Layer 2 is disrupted
by a cyber attack, all layers above it will be affected. There are a number of attacks that
can happen at Layer 2 including MAC table attacks, VLAN attacks, DHCP attacks,
ARP attacks, address spoofing attacks, and STP attacks. It is important to protect Layer
2 by always using secure variants of protocols such as SSH, SCP, and SSL. Using out-
of-band management whenever possible and creating a dedicated VLAN for
management traffic are also means to make successful Layer 2 attacks less likely. In
addition, ACLs should be used to filter unwanted access. Port security, DHCP
Snooping, DAI, and IP Source Guard are available on Cisco switches to directly
mitigate Layer 2 attacks.
MAC Table Attacks

 Layer 2 switches use MAC addresses to make forwarding decisions. The switch uses a
MAC table that maps MAC addresses to switchports. The switch looks for the
destination MAC address in the MAC table for the frames that it receives. It then
forwards the traffic to the corresponding port. If the switch does not recognize a
destination MAC address, it floods the frames for the unknown destination out of all
ports except the port from which the frames originated. These are called unknown
unicast messages. The switch dynamically learns MAC addresses from the source
addresses of the frames that originate on its ports. One type of Layer 2 attack floods the
switch with frames with random MAC source addresses. The switch attempts to add all
of these frames to the MAC table until the table is full. Subsequent frames are then
treated as unknown unicast messages and sent out all but the receiving port. Since these
frames are flooded, a threat actor can receive all traffic that is sent on the network.
Threat actor tools such as macof can quickly overwhelm the MAC table of a switch
causing a MAC table overflow exploit. Because the flooding of unknown unicast
addresses can include trunk ports to other switches, the exploit can cause widespread
disruptions.
Mitigate MAC Table Attacks

 Layer 2 devices are considered to be the weakest link in a company’s security
infrastructure because Layer 2 attacks are some of the easiest for hackers to deploy. For
this reason, Cisco has developed a number of Layer 2 security measures in the switch
IOS. A simple but effective way to prevent Layer 2 attacks is to shutdown all unused
ports. Port security is a simple way to directly address MAC address overflow attacks.
With port security, the number of MAC addresses that are allowed to be learned on a
port, and the way in which the addresses are learned can be controlled. Port security
aging can be used to remove secure MAC addresses on a secure port without manually
deleting the existing secure MAC addresses. Aging time limits can also be increased to
ensure past secure MAC addresses remain, even while new MAC addresses are added.
When port security violations occur, the switchport can be configured
to shutdown, restrict frames from unknown MAC addresses from being forwarded and
issue a syslog message, or protect to drop frames from the unknown host but not issue
a syslog message. Protect is the least secure option. A port that has been shutdown by
port security is placed in the err-disabled state. The port must be manually re-enabled
with the shutdown and no shutdown commands in order to return to the Secure-up
state.
Mitigate VLAN Attacks

 VLANs may be used to separate sensitive traffic from other traffic. VLAN hopping and
VLAN double-tagging attacks enable threat actors to access VLANs that they are not
authorized to access. In VLAN hopping attacks, a threat actor connects a host computer
to a switch and then attempts to negotiate the switchport to become trunk using DTP.
The threat actor computer attempts to act as another switch that is connected by a trunk.
Trunks carry traffic for all VLANs by default, so if a threat actor can connect a
computer over a trunked link, all VLAN traffic can be intercepted. In VLAN double-
tagging attacks, a threat actor adds a false VLAN tag to malicious traffic in addition to
the legitimate tag. This can allow a threat actor to send unauthorized traffic into other
VLANs. VLAN hopping and double-tagging attacks can be mitigated by disabling
trunking and trunk negotiation on all switchports that are to be accessed by users, and
by ensuring that the native VLAN is only used on trunk links. Private VLAN
promiscuous ports can be vulnerable to PVLAN proxy attacks in which a threat actor
can spoof the destination MAC address of the default gateway router. The router will
then permit the unauthorized traffic to enter the target VLANs. PVLAN proxy attacks
can be mitigated through the use of access control lists.
Mitigate DHCP Attacks

 Two types of DHCP attacks are DHCP starvation and DHCP spoofing. Both attacks are
mitigated by implementing DHCP snooping. The goal of the DHCP starvation attack is
DoS for connecting clients. DHCP starvation attacks require an attack tool such as
Gobbler. A DHCP spoofing attack occurs when a rogue DHCP server is connected to
the network and provides false IP configuration parameters to legitimate clients. It is
easy to mitigate DHCP starvation attacks by using port security. DHCP spoofing attacks
can be mitigated using DHCP snooping on trusted ports. DHCP snooping also helps
mitigate DHCP starvation attacks by rate limiting the number of DHCP discovery
messages that an untrusted port can receive. DHCP snooping builds and maintains a
DHCP snooping binding database that the switch can use to filter DHCP messages from
untrusted sources. DHCP snooping is globally activated. Ports that are connected to
legitimate DHCP servers are then configured as trusted. In addition, untrusted ports can
be configured to rate limit DHCP requests.
Mitigate ARP Attacks

 According to the ARP RFC, a client can send gratuitous ARP requests. When other
hosts on the subnet receive a gratuitous ARP request, the hosts store the MAC address
and IPv4 address contained in the gratuitous ARP in their ARP tables. An attacker can
send a gratuitous ARP message containing a spoofed MAC address to a switch, and the
switch would update its MAC table accordingly. Therefore, any host can claim to be the
owner of any IP and MAC address. In a typical attack, a threat actor can send
unsolicited ARP Replies to other hosts on the subnet with the MAC Address of the
threat actor and the IPv4 address of the default gateway. Address spoofing attacks occur
when threat actors craft packets that contain false IP or MAC addresses. MAC address
spoofing attacks occur when threat actors alter the MAC address of their host to match
another known MAC address of a target host. A spoofed MAC address can cause a
switch to send packets that are intended for another host to the threat actor PC. This can
be especially problematic when the spoofed MAC address is that of the default
gateway. DAI can mitigate ARP spoofing by ensuring that only valid ARP Requests
and Replies are sent into the network. DAI requires that DHCP snooping is globally
configured. DAI can be configured on trusted interfaces and VLANs.
Mitigate Address Spoofing Attacks

 Spoofing attacks occur when one host poses as another to receive otherwise
inaccessible data, or to circumvent security configurations. MAC address spoofing
attacks occur when attackers alter the MAC address of their host to match another
known MAC address of a target host. When a switch receives the spoofed frames, it
overwrites the current MAC table entry and assigns the MAC address to the new port. A
threat actor computer can now receive traffic that was intended for the host with the
spoofed address. IP address spoofing is when a rogue PC hijacks a valid IP address of a
neighbor or uses a random IP address. IP address spoofing is difficult to mitigate,
especially when it is used inside the subnet to which the IP address belongs. To protect against
MAC and IP address spoofing, configure IPSG. IPSG operates like DAI, but it looks at
every packet, not just the ARP packets. Like DAI, IPSG also requires that DHCP
snooping be enabled. For each untrusted port, a source IP address or source IP and
MAC address filter can be configured.
Spanning Tree protocol

 STP is a loop-prevention network protocol that allows for redundancy while creating a
loop-free Layer 2 topology. Without STP enabled, Layer 2 loops can form, causing
broadcast, multicast and unknown unicast frames to loop endlessly. This can bring
down a network within a very short amount of time, sometimes in just a few seconds.
The spanning tree algorithm designates a single switch as the root bridge and uses it as
the reference point for path calculations. Spanning tree algorithm calculates the shortest
path to the root bridge and enables forwarding on trunks that form the best path.
Alternate ports are blocked. Designated ports are all non-root ports that spanning tree
permits to forward traffic. If a path becomes unavailable, spanning tree then enables the
alternate ports to forward traffic. Spanning tree uses bridge protocol data units to
communicate between switches in a spanning tree topology.
Mitigating STP Attacks

 Threat actors can manipulate the STP to conduct an attack by spoofing the root bridge
and changing the topology of a network. Attackers can make their hosts appear as root
bridges and, therefore, capture all traffic for the immediate switched domain. Cisco
switches have a number of STP stability mechanisms such as PortFast, BPDU Guard,
Root Guard, and Loop Guard. PortFast enables access ports to go to the spanning-tree
forwarding state without going through the transitional spanning-tree states. BPDU guard
immediately error disables a port that receives a BPDU. This is configured on non-
trunking ports that typically have PortFast enabled. Root Guard prevents an
inappropriate switch from becoming the root bridge. Loop guard prevents alternate or
root ports from becoming designated ports because of a failure that leads to a
unidirectional link.

MODULE 15
15.1 SECURE COMMUNICATIONS
15.1.1 AUTHENTICATION, INTEGRITY, AND CONFIDENTIALITY

 To ensure secure communications across both the public and private infrastructure, the
network administrator’s first goal is to secure the network infrastructure, including
routers, switches, servers, and hosts.
 This can be accomplished using device hardening, AAA access control, ACLs,
firewalls, monitoring threats using IPS, securing endpoints using Advanced Malware
Protection (AMP), and enforcing email and web security using the Cisco Email Security
Appliance (ESA) and Cisco Web Security Appliance (WSA).
 The figure shows an example of a secure network topology.

 The next goal is to secure the data as it travels across various links. This may include
internal traffic, but of greater concern is protecting the data that travels outside of the
organization to branch sites, telecommuter sites, and partner sites.
 There are three primary objectives of securing communications:
o Authentication - This guarantees that the message is not a forgery and actually
comes from the authentic source. Modern networks ensure authentication using
hash message authentication code (HMAC).
o Integrity - This guarantees that no one intercepted the message and altered it;
similar to a checksum function in a frame. This is provided by implementing
the SHA-2 or SHA-3 family of hash-generating algorithms.
o Confidentiality - This guarantees that if the message is captured, it cannot be
deciphered. This is provided using symmetric or asymmetric encryption
algorithms.
 Note: These primary objectives are similar but not identical to the three primary issues
in securing and maintaining a computer network which are confidentiality, integrity,
and availability.
 The most popular symmetric encryption algorithm is the Advanced Encryption
Standard (AES). Symmetric encryption algorithms are based on the premise that each
communicating party knows the pre-shared key.
 Data confidentiality can also be ensured using asymmetric algorithms, including Rivest,
Shamir, and Adleman (RSA) and the public key infrastructure (PKI). Asymmetric
encryption algorithms are based on the assumption that the two communicating parties
have not previously shared a secret and must establish a secure method to do so.

15.1.2 AUTHENTICATION

 There are two primary methods for validating a source in network communications:
authentication services and data nonrepudiation services.
 Authentication guarantees that a message comes from the source that it claims to come
from. Authentication is similar to entering a secure personal identification number
(PIN) for banking at an ATM, as shown in the figure. The PIN should only be known to
the user and the financial institution. The PIN is a shared secret that helps protect
against forgeries.

 In network communications, authentication can be accomplished using cryptographic
methods. This is especially important for applications or protocols, such as email or IP,
that do not have built-in mechanisms to prevent spoofing of the source.
 Data nonrepudiation is a similar service that allows the sender of a message to be
uniquely identified. With nonrepudiation services in place, a sender cannot deny having
been the source of that message. It might appear that the authenticity service and the
nonrepudiation service are fulfilling the same function. Although both address the
question of the proven identity of the sender, there is a difference between the two.
 The most important part of nonrepudiation is that a device cannot repudiate, or refute,
the validity of a message sent. Nonrepudiation relies on the fact that only the sender has
the unique characteristics or signature for how that message is treated. Not even the
receiving device can know how the sender treated this message to prove authenticity
because the receiver could then pretend to be the source.
 If the major concern is for the receiving device to validate the source and there is no
concern about the receiving device imitating the source, it does not matter whether the
sender and receiver both know how to treat a message to provide authenticity. An
example of authenticity versus nonrepudiation is a data exchange between two
computers of the same company versus a data exchange between a customer and an e-
commerce website. The two computers exchanging data within an organization do not
have to prove to the other which of them sent a message.
 This practice is not acceptable in business applications, such as when purchasing items
online. If the online store knows how a customer message was created to prove the
authenticity, then it could easily fake “authentic” orders. In such a scenario, the sender
must be the only party with the knowledge of how the message was created. The online
store can prove to others that the order was, in fact, sent by the customer, and the
customer cannot argue that the order is invalid.

15.1.3 DATA INTEGRITY

 Data integrity ensures that messages are not altered in transit. With data integrity, the
receiver can verify that the received message is identical to the sent message and that no
manipulation occurred.
 European nobility ensured the data integrity of documents by creating a wax seal to
close an envelope, as shown in the figure. The seal was often created using a signet
ring. These bore the family crest, initials, a portrait, or a personal symbol or motto of
the owner of the signet ring. An unbroken seal on an envelope guaranteed the integrity
of its contents. It also guaranteed authenticity based on the unique signet ring
impression.

15.1.4 DATA CONFIDENTIALITY

 Data confidentiality ensures privacy so that only the receiver can read the message. This
can be achieved through encryption. Encryption is the process of scrambling data so
that it cannot be easily read by unauthorized parties.
 When enabling encryption, readable data is called plaintext, or cleartext, while the
encrypted version is called encrypted text or ciphertext. In this course, we will use the
term ciphertext. The plaintext readable message is converted to ciphertext, which is the
unreadable, disguised message. Decryption reverses the process. A key is required to
encrypt and decrypt a message. The key is the link between the plaintext and ciphertext.
 Historically, various encryption algorithms and methods have been used. Julius Caesar
is said to have secured messages by putting two sets of the alphabet, side-by-side, and
then shifting one of them by a specific number of places. The number of places in the
shift serves as the key. He converted plaintext into ciphertext using this key, and only
his generals, who also had the key, knew how to decipher the messages. This method is
now known as the Caesar cipher. An encoded message using the Caesar cipher is shown
in the figure.
Encoded Caesar Cipher Message

 Using a hash function is another way to ensure data confidentiality. A hash function
transforms a string of characters into a usually shorter, fixed-length value or key that
represents the original string. The difference between hashing and encryption is in how
the data is stored. With encrypted text, the data can be decrypted with a key. With the
hash function, after the data is entered and converted using the hash function, the
plaintext is gone. The hashed data is simply there for comparison. For example, when a
user enters a password, the password is hashed and then compared to the stored hashed
value. If the user forgets the password, it is impossible to decrypt the stored value, and
the password must be reset.
 The purpose of encryption and hashing is to guarantee confidentiality so that only
authorized entities can read the message.

15.2 CRYPTOGRAPHY
15.2.1 CREATING CIPHER TEXT

 The history of cryptography starts in diplomatic circles thousands of years ago.
Messengers from a king’s court took encrypted messages to other courts. Occasionally,
other courts not involved in the communication attempted to steal messages sent to a
kingdom they considered an adversary. Not long after, military commanders started
using encryption to secure messages.
Scytale

 A scytale is a device used to generate a transposition cipher. A strip of paper or other
material is wrapped around a rod of a known diameter, as shown in the figure. The
message is written on the paper across rows. When the strip is removed, the message is
unreadable until it is wrapped around another rod of the same diameter.
Caesar Cipher

 The Caesar Cipher is a type of substitution cipher in which each letter is replaced by
another letter that is a set number of places away in the alphabet. That number of places
is the key. In the figure, the key is 3.
Vigenère Cipher

 The Vigenère cipher is a type of polyalphabetic substitution cipher. It was considered
unbreakable until 1863. To use the cipher, a key text is generated that repeats for the
length of the message to be encrypted. The combination of the plaintext letter and the
corresponding key letter is used to locate the ciphertext value for the letter in a table,
shown in the figure, or other device. In the table, the row value is the key letter, and
the plaintext letter is located in the column. The letter where the row and column
intersect is the ciphertext letter to be used.
Enigma Machine
 The Enigma machine was an electromechanical encryption device that was developed
and used by Nazi Germany during World War II. The device depended on the
distribution of pre-shared keys that were used to encrypt and decrypt messages. The
Enigma ciphers were broken by the Allies, and numerous Enigma-encoded messages
were decoded during the war. This provided a significant advantage to the Allies and is
estimated to have greatly shortened the war and saved many lives.

15.2.2 TRANSPOSITION CIPHERS

 In transposition ciphers, no letters are replaced; they are simply rearranged. An example
of this type of cipher is taking the FLANK EAST ATTACK AT DAWN message and
transposing it to read NWAD TA KCATTA TSAE KNALF. In this example, the key is
to reverse the letters.
 Another example of a transposition cipher is known as the rail fence cipher. In this
transposition, the words are spelled out as if they were a rail fence. They are staggered,
some in front, some in the middle and some in back, across several parallel lines.
 Modern encryption block cipher algorithms, such as AES and the legacy 3DES, still use
transposition as part of the algorithm.
The use of a simple transposition cipher is now discussed and displayed:
Plaintext Message

 The plaintext message will be encoded using a key of 3. This key value specifies that
three lines are required when creating the encrypted code.
Encryption Process

 A rail fence cipher is used with the key of 3.


Encrypted Message

 This is the encrypted text.
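As an added example (not part of the course material), here are the two transposition ciphers described above in Python: the letter reversal of FLANK EAST ATTACK AT DAWN and a rail fence with a key of 3. It assumes the rail fence is applied to the message with spaces removed, which the notes do not state explicitly.

```python
"""Transposition ciphers from the notes: letter reversal and the rail fence.
Added example; the plaintext FLANK EAST ATTACK AT DAWN is the one used in the notes."""


def reverse_transposition(text: str) -> str:
    """The simplest transposition: the key is 'reverse the letters'."""
    return text[::-1]


def rail_fence_pattern(length: int, rails: int) -> list:
    """Rail index visited by each plaintext position when writing the zig-zag.

    With 3 rails the pattern is 0,1,2,1,0,1,2,1,... (down, then back up).
    """
    if rails < 1:
        raise ValueError("rails must be >= 1")
    pattern = []
    rail, step = 0, 1
    for _ in range(length):
        pattern.append(rail)
        if rails == 1:
            continue
        if rail == 0:
            step = 1          # reached the top rail: head down
        elif rail == rails - 1:
            step = -1         # reached the bottom rail: head up
        rail += step
    return pattern


def rail_fence_encrypt(plaintext: str, rails: int) -> str:
    """Write the letters in a zig-zag across `rails` lines, then read rail by rail.

    Spaces are removed first (an assumption of this example; the notes do not
    say how spaces are handled).
    """
    text = plaintext.replace(" ", "").upper()
    pattern = rail_fence_pattern(len(text), rails)
    # Read all letters on rail 0, then rail 1, ...; each rail keeps left-to-right order.
    return "".join(text[i] for r in range(rails)
                   for i in range(len(text)) if pattern[i] == r)


def rail_fence_decrypt(ciphertext: str, rails: int) -> str:
    """Invert the cipher: rebuild the zig-zag and read it left to right."""
    pattern = rail_fence_pattern(len(ciphertext), rails)
    # The ciphertext was produced by visiting positions sorted by (rail, index),
    # so the same ordering says where each ciphertext letter belongs.
    order = sorted(range(len(ciphertext)), key=lambda i: (pattern[i], i))
    plain = [""] * len(ciphertext)
    for letter, position in zip(ciphertext, order):
        plain[position] = letter
    return "".join(plain)


if __name__ == "__main__":
    message = "FLANK EAST ATTACK AT DAWN"
    print(reverse_transposition(message))      # NWAD TA KCATTA TSAE KNALF
    fence = rail_fence_encrypt(message, 3)
    print(fence)                               # FKTATNLNESATCADWAATKA
    print(rail_fence_decrypt(fence, 3))        # FLANKEASTATTACKATDAWN
```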

15.2.3 SUBSTITUTION CIPHERS

 Substitution ciphers substitute one letter for another. In their simplest form, substitution
ciphers retain the letter frequency of the original message.
 The Caesar cipher was a simple substitution cipher.
 Because the entire message relied on the same single key shift, the Caesar cipher is
referred to as a monoalphabetic substitution cipher. It is also fairly easy to crack. For
this reason, polyalphabetic ciphers, such as the Vigenère cipher, were invented. The
method was originally described by Giovan Battista Bellaso in 1553, but the scheme
was later misattributed to the French diplomat and cryptographer, Blaise de Vigenère.
A process involving a substitution cipher is now discussed and displayed:
Plaintext Message

 The plaintext message will be encoded with a key of 3.


Encryption Process

 Shift the top scroll over by the three characters (a key of 3) and A becomes D, B
becomes E, and so on. If the key used was 8, then A becomes I, B becomes J, and so on.
Encrypted Message

 The process is reversed to decrypt the message.

15.2.4 A MORE COMPLEX SUBSTITUTION CIPHER

 The Vigenère cipher is based on the Caesar cipher, except that it encrypts text by using
a different polyalphabetic key shift for every plaintext letter. The different key shift is
identified using a shared key between sender and receiver. The plaintext message can be
encrypted and decrypted using the Vigenère Cipher Table that is shown in the figure.
 To illustrate how the Vigenère Cipher Table works, suppose that a sender and receiver
have a shared secret key composed of these letters: SECRETKEY. The sender uses this
secret key to encode the plaintext FLANK EAST ATTACK AT DAWN:
o The F (FLANK) is encoded by looking at the intersection of column F and the
row starting with S (SECRETKEY), resulting in the cipher letter X.
o The L (FLANK) is encoded by looking at the intersection of column L and the
row starting with E (SECRETKEY), resulting in the cipher letter P.
o The A (FLANK) is encoded by looking at the intersection of column A and the
row starting with C (SECRETKEY), resulting in the cipher letter C.
o The N (FLANK) is encoded by looking at the intersection of column N and the
row starting with R (SECRETKEY), resulting in the cipher letter E.
o The K (FLANK) is encoded by looking at the intersection of column K and the
row starting with E (SECRETKEY), resulting in the cipher letter O.
 The process continues until the entire text message FLANK EAST ATTACK AT
DAWN is encrypted. The process can also be reversed. For instance, the F is still the
cipher letter X if encoded by looking at the intersection of row F (FLANK) and the
column starting with S (SECRETKEY).
 When using the Vigenère cipher, if the message is longer than the key, the key is
repeated. For example, SECRETKEYSECRETKEYSEC is required to encode FLANK
EAST ATTACK AT DAWN:
o Secret key: SECRETKEYSECRETKEYSEC
o Plaintext: FLANKEASTATTACKATDAWN
o Cipher text: XPCEOXKURSXVRGDKXBSAP
 Although the Vigenère cipher uses a longer key, it can still be cracked. For this reason,
a better cipher method was required.
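The table lookup walked through above, written out as an added Python example (not course code) that covers both the Vigenère description in 15.2.1 and the FLANK EAST ATTACK AT DAWN / SECRETKEY walkthrough here. It assumes that spaces and other non-letters pass through unchanged without consuming a key letter.

```python
"""Vigenère cipher as described in the notes: the key letter selects the row of
the table and the plaintext letter selects the column; the key repeats to the
message length. Added example, not course code."""

import string

ALPHABET = string.ascii_uppercase


def extend_key(key: str, length: int) -> str:
    """Repeat the key until it covers `length` letters (SECRETKEY -> SECRETKEYSEC...)."""
    key = key.upper()
    return (key * (length // len(key) + 1))[:length]


def table_lookup(row_letter: str, col_letter: str) -> str:
    """One cell of the Vigenère table, e.g. row S, column F -> X.

    Row r and column c intersect at (r + c) mod 26 because row r is the
    alphabet shifted left by r places."""
    return ALPHABET[(ALPHABET.index(row_letter) + ALPHABET.index(col_letter)) % 26]


def vigenere(text: str, key: str, decrypt: bool = False) -> str:
    """Encrypt (or decrypt) `text` under `key`.

    Non-letters are copied through and do not consume a key letter; this is
    an assumption of the example, the notes only show letters."""
    letters_only = [c for c in text.upper() if c in ALPHABET]
    stream = extend_key(key, len(letters_only))
    out, k = [], 0
    for c in text.upper():
        if c not in ALPHABET:
            out.append(c)
            continue
        shift = ALPHABET.index(stream[k])
        k += 1
        if decrypt:
            shift = -shift          # walk the row backwards to find the column
        out.append(ALPHABET[(ALPHABET.index(c) + shift) % 26])
    return "".join(out)


if __name__ == "__main__":
    key = "SECRETKEY"
    plaintext = "FLANK EAST ATTACK AT DAWN"
    print(extend_key(key, 21))                    # SECRETKEYSECRETKEYSEC
    ciphertext = vigenere(plaintext, key)
    print(ciphertext)                             # XPCEO XKWR SXVRGD KX BSAP
    print(vigenere(ciphertext, key, decrypt=True))  # FLANK EAST ATTACK AT DAWN
    print(table_lookup("S", "F"), table_lookup("E", "L"))  # X P
```

Running it shows that the standard table gives W for the eighth letter (plaintext S under key letter E), so the full ciphertext is XPCEOXKWRSXVRGDKXBSAP; the string printed in the notes above differs from the table's result at that one position.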

15.2.5 ONE-TIME PAD CIPHERS

 Gilbert Vernam was an AT&T Bell Labs engineer who, in 1917, invented, and later
patented, the stream cipher. He also co-invented the one-time pad cipher. Vernam
proposed a teletype cipher in which a prepared key consisting of an arbitrarily long,
non-repeating sequence of numbers was kept on paper tape, shown in the figure. It was
then combined character by character with the plaintext message to produce the
ciphertext.
 To decipher the ciphertext, the same paper tape key was again combined character by
character, producing the plaintext. Each tape was used only once; hence, the name one-
time pad. As long as the key tape does not repeat or is not reused, this type of cipher is
immune to cryptanalytic attack. This is because the available ciphertext does not display
the pattern of the key.
 Several difficulties are inherent in using one-time pads in the real world. One difficulty
is the challenge of creating random data. Computers, because they have a mathematical
foundation, are incapable of creating true random data. Additionally, if the key is used
more than once, it is easy to break. RC4 is an example of this type of cipher that is
widely used on the internet. Again, because the key is generated by a computer, it is not
truly random. In addition to these issues, key distribution is also challenging with this
type of cipher.
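An added example (not course code) of the Vernam combination done with XOR over bytes, and of the key-reuse failure the notes mention: when one pad covers two messages, the pad cancels out and the second plaintext is recoverable from the first. The pad, the messages, and the use of the OS random source are constructed for the example.

```python
"""One-time pad with XOR, and why the pad must never be reused.
Added example; the Vernam tape combined key and plaintext character by
character, which XOR over bytes models exactly."""

import secrets


def otp_xor(data: bytes, pad: bytes) -> bytes:
    """Combine data with the pad byte by byte. Encryption and decryption are the
    same operation because (p XOR k) XOR k == p."""
    if len(pad) < len(data):
        raise ValueError("pad must be at least as long as the data")
    return bytes(d ^ k for d, k in zip(data, pad))


def new_pad(length: int) -> bytes:
    """A fresh pad from the OS CSPRNG. As the notes say, a computer cannot
    produce true randomness; secrets.token_bytes is the practical substitute
    on a general-purpose machine (an assumption of this example)."""
    return secrets.token_bytes(length)


def two_time_pad_leak(c1: bytes, c2: bytes, known_p1: bytes) -> bytes:
    """What an observer learns when the same pad encrypts two messages:
    c1 XOR c2 == p1 XOR p2 (the pad cancels), so knowing p1 reveals p2."""
    n = min(len(c1), len(c2), len(known_p1))
    p1_xor_p2 = bytes(a ^ b for a, b in zip(c1[:n], c2[:n]))
    return bytes(x ^ p for x, p in zip(p1_xor_p2, known_p1[:n]))


if __name__ == "__main__":
    msg = b"FLANK EAST ATTACK AT DAWN"
    pad = new_pad(len(msg))
    ct = otp_xor(msg, pad)
    assert otp_xor(ct, pad) == msg            # round trip with the same pad
    # Reusing the pad for a second message: the second plaintext falls out
    # once the first one is known (or guessed), without ever seeing the pad.
    msg2 = b"HOLD THE LINE UNTIL NOON"
    ct2 = otp_xor(msg2, pad)
    print(two_time_pad_leak(ct, ct2, msg))    # b'HOLD THE LINE UNTIL NOON'
```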

15.3 CRYPTANALYSIS
15.3.1 CRACKING CODE

 For as long as there has been cryptography, there has been cryptanalysis. Cryptanalysis
is the practice and study of determining the meaning of encrypted information (cracking
the code), without access to the shared secret key. This is also known as codebreaking.
 Throughout history, there have been many instances of cryptanalysis:
o The Vigenère cipher had been absolutely secure until it was broken in the 19th
century by English cryptographer Charles Babbage.
o Mary, Queen of Scots, was plotting to overthrow Queen Elizabeth I from the throne
and sent encrypted messages to her co-conspirators. The cracking of the code used
in this plot led to the beheading of Mary in 1587.
o The Enigma-encrypted communications were used by the Germans to navigate and
direct their U-boats in the Atlantic. Polish and British cryptanalysts broke the
German Enigma code.

15.3.2 METHODS OF CRACKING CODE

 Several methods are used in cryptanalysis:

o Brute-force method - The attacker tries every possible key knowing that
eventually one of them will work.
o Ciphertext method - The attacker has the ciphertext of several encrypted
messages but no knowledge of the underlying plaintext.
o Known-Plaintext method - The attacker has access to the ciphertext of several
messages and knows something about the plaintext underlying that ciphertext.
o Chosen-Plaintext method - The attacker chooses which data the encryption
device encrypts and observes the ciphertext output.
o Chosen-Ciphertext method - The attacker can choose different ciphertext to
be decrypted and has access to the decrypted plaintext.
o Meet-in-the-Middle method - The attacker knows a portion of the plaintext
and the corresponding ciphertext.

 Note: Details of how these methods are implemented are beyond the scope of this course.
 The simplest method to understand is the brute-force method. For example, if a thief
attempted to steal a bicycle secured with the combination lock displayed in the figure,
they would have to attempt a maximum of 10,000 different possibilities (0000 to 9999).
All encryption algorithms are vulnerable to this attack. On average, a brute-force attack
succeeds about 50 percent of the way through the keyspace, which is the set of all
possible keys.
 The objective of modern cryptographers is to have a keyspace large enough that it takes
too much time and money to accomplish a brute-force attack.

15.3.3 CRACKING CODE EXAMPLE


 When choosing a cryptanalysis method, consider the Caesar cipher encrypted code. The
best way to crack the code is to use brute force. Because there are only 25 possible
rotations, the effort is relatively small to try all possible rotations and see which one
returns something that makes sense.
 A more scientific approach is to use the fact that some characters in the English
alphabet are used more often than others. This method is called frequency analysis. For
example, the graph in the figure below shows the frequency of letters in the English
language. The letters E, T, and A are the most popular letters used in the English
language. The letters J, Q, X, and Z are the least popular. Understanding this pattern can
help discover which letters are probably included in the cipher message.
 In the Caesar ciphered message IODQN HDVW DWWDFN DW GDZQ, shown in the
figure, the cipher letter D appears six times while the cipher letter W appears four times.
There is a good possibility that the cipher letters D and W represent either the plaintext
E, T or A. In this case, the D represents the letter A, and the W represents the letter T.
 An attacker would only have to replace the cipher letter D first with popular plaintext
letters including E, T, and finally A. Trying A would reveal the shift pattern of 3, and
the attacker could then decipher the entire message.
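Both approaches from this section, trying all 25 rotations and frequency analysis of the most common cipher letter, as an added Python example (not course code) run on the notes' message IODQN HDVW DWWDFN DW GDZQ. The E, T, A guess order follows the text; the decision of which candidate "makes sense" is left to the reader, as the notes do.

```python
"""Breaking a Caesar cipher the two ways the notes describe: trying all 25
rotations, and frequency analysis of the most common cipher letter.
Added example; IODQN HDVW DWWDFN DW GDZQ is the message from the notes."""

from collections import Counter
import string

ALPHABET = string.ascii_uppercase


def caesar_shift(text: str, shift: int) -> str:
    """Shift every letter by `shift` places (negative to undo); keep other characters."""
    out = []
    for c in text.upper():
        if c in ALPHABET:
            out.append(ALPHABET[(ALPHABET.index(c) + shift) % 26])
        else:
            out.append(c)
    return "".join(out)


def brute_force(ciphertext: str) -> dict:
    """Every candidate decryption, keyed by the shift that would have produced it.
    Only 25 non-trivial rotations exist, so the whole keyspace is tiny."""
    return {shift: caesar_shift(ciphertext, -shift) for shift in range(1, 26)}


def letter_counts(ciphertext: str) -> Counter:
    """Cipher letter frequencies; the basis of frequency analysis."""
    return Counter(c for c in ciphertext.upper() if c in ALPHABET)


def frequency_candidates(ciphertext: str, guesses: str = "ETA") -> list:
    """Assume the most frequent cipher letter stands for E, then T, then A (the
    three most common English letters) and return (guess, shift, plaintext).

    A monoalphabetic shift preserves letter frequencies, which is why this
    works: the shift is just the distance from the guessed letter to the
    most common cipher letter."""
    top_letter, _ = letter_counts(ciphertext).most_common(1)[0]
    candidates = []
    for guess in guesses:
        shift = (ALPHABET.index(top_letter) - ALPHABET.index(guess)) % 26
        candidates.append((guess, shift, caesar_shift(ciphertext, -shift)))
    return candidates


if __name__ == "__main__":
    ct = "IODQN HDVW DWWDFN DW GDZQ"
    print(letter_counts(ct).most_common(2))   # [('D', 6), ('W', 4)]
    for guess, shift, pt in frequency_candidates(ct):
        print(f"D={guess}: shift {shift:2d} -> {pt}")
    print(brute_force(ct)[3])                 # FLANK EAST ATTACK AT DAWN
```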

15.4 CRYPTOLOGY
15.4.1 MAKING AND BREAKING SECRET CODES
 Cryptology is the science of making and breaking secret codes. As shown in the figure,
cryptology combines two separate disciplines:
o Cryptography - the development and use of codes
o Cryptanalysis - the breaking of those codes
 There is a symbiotic relationship between the two disciplines because each makes the
other one stronger. National security organizations employ practitioners of both
disciplines and put them to work against each other.
 There have been times when one of the disciplines has been ahead of the other. For
example, during the Hundred Years War between France and England, the cryptanalysts
were leading the cryptographers. France mistakenly believed that the Vigenère cipher
was unbreakable, and then the British cracked it. Some historians believe that the
successful cracking of encrypted codes and messages had a major impact on the
outcome of World War II. Currently, it is believed that cryptographers are in the lead.

15.4.2 CRYPTANALYSTS
 Cryptanalysis is often used by governments in military and diplomatic surveillance, by
enterprises in testing the strength of security procedures, and by malicious hackers in
exploiting weaknesses in websites.
 Cryptanalysts are individuals who perform cryptanalysis to crack secret codes. A
sample job description is displayed in the figure.
 While cryptanalysis is often linked to mischievous purposes, it is actually a necessity. It
is an ironic fact of cryptography that it is impossible to prove that any algorithm is
secure. It can only be proven that it is not vulnerable to known cryptanalytic attacks.
Therefore, there is a need for mathematicians, scholars, and security forensic experts to
keep trying to break the encryption methods.

15.4.3 THE SECRET IS IN THE KEYS


 In the world of communications and networking, authentication, integrity, and data
confidentiality are implemented in many ways using various protocols and algorithms.
The choice of protocol and algorithm varies based on the level of security required to
meet the goals of the network security policy.
 As an example, for message integrity, message-digest 5 (MD5) is faster than Secure
Hash Algorithm 2 (SHA2). However, MD5 is now considered to be insecure.
Confidentiality can be implemented using the legacy 3DES or the more secure AES.
Again, the choice varies depending on the security requirements specified in the
network security policy document. Additional considerations are the computing power
that is required to encrypt and decrypt data, and the acceptance of the protocol in the
security community. The table lists some common cryptographic hashes, protocols, and
algorithms.

Integrity          Authenticity            Confidentiality
MD5 (legacy)       HMAC-MD5 (legacy)       3DES (legacy)
SHA                HMAC-SHA-256            AES
                   RSA and DSA

 Old encryption algorithms, such as the Caesar cipher or the Enigma machine, were
based on the secrecy of the algorithm to achieve confidentiality. With modern
technology, where reverse engineering is often simple, public-domain algorithms are
frequently used. With most modern algorithms, successful decryption requires
knowledge of the appropriate cryptographic keys. This means that the security of
encryption lies in the secrecy of the keys, not the algorithm.

15.5 CRYPTOGRAPHIC SERVICES SUMMARY


15.5.1 WHAT DID I LEARN IN THIS MODULE?
Securing Communications
 In addition to ensuring that the network and network devices are secure and protected
from attack, network security personnel also ensure that data is protected during
transmission. The three primary objectives of securing communications are:
o Authentication - This guarantees that the message is not a forgery and actually
comes from the authentic source.
o Integrity - This guarantees that no one intercepted the message and altered it;
similar to a checksum function in a frame.
o Confidentiality - This guarantees that if the message is captured, it cannot be
deciphered.
 Authentication may be secured by HMAC. Integrity is ensured through the use of the
legacy MD5 or secure members of the SHA family of hash generating algorithms. Data
confidentiality is ensured through symmetric encryption algorithms, including the
legacy 3DES and AES. Symmetric encryption algorithms are based on the premise that
communicating parties both know a pre-shared key. Asymmetric algorithms, such as RSA
and PKI, are based on the assumption that communicating parties do not know a pre-
shared key and must establish a secure means of key exchange.
 In network communications, authentication proves that a message actually comes from
a valid source. Data nonrepudiation is a similar service to authentication in that it allows
the sender of a message to be uniquely identified. Data integrity ensures that messages
are not altered in transit. Data confidentiality ensures privacy so that only the intended
receiver can read the message.
Cryptography
 Cryptography has been used to secure communications for thousands of years. Historic
ciphers include the scytale from ancient Greece, the Caesar cipher, and the Vigenère
cipher. The Vigenère cipher is a type of polyalphabetic substitution cipher that was
considered unbreakable until 1863. The Enigma Machine was an electro-mechanical
device that produced encoded messages that were very difficult to break during World
War II. Three types of cipher are:
o Transposition - The rearranged letters are used for the encoded text. In order
for the key to be sharable, the letters were shifted by a specific number of
characters.
o Substitution - This is when different letters are substituted for the letters in the
cleartext.
o One-time pad - This uses a prepared key consisting of an arbitrarily long, non-
repeating sequence of numbers that was kept on paper tape. It was then combined
character by character with the plaintext message to produce the ciphertext. The
keys were only used once and were pre-shared.
Cryptanalysis

 Cryptanalysis, or codebreaking, is the practice and study of determining the meaning of
encrypted information (cracking the code), without access to the shared secret key.
Several methods of cryptanalysis are:
o Brute-force method - The attacker tries every possible key knowing that
eventually one of them will work.
o Ciphertext method - The attacker has the ciphertext of several encrypted
messages but no knowledge of the underlying plaintext.
o Known-Plaintext method - The attacker has access to the ciphertext of several
messages and knows something about the plaintext underlying that ciphertext.
o Chosen-Plaintext method - The attacker chooses which data the encryption
device encrypts and observes the ciphertext output.
o Chosen-Ciphertext method - The attacker can choose different ciphertext to
be decrypted and has access to the decrypted plaintext.
o Meet-in-the-Middle method - The attacker knows a portion of the plaintext
and the corresponding ciphertext.
 The objective of modern cryptographers is to have a keyspace large enough that it takes
too much time and money to accomplish a brute-force attack. Analysis of the frequency
of letters in a language can help with breaking simple substitution and transposition
ciphers.

Cryptology
 Cryptology is the science of making and breaking secret codes. It combines
cryptography and cryptanalysis. In the world of communications and networking,
authentication, integrity, and data confidentiality are implemented in many ways using
various protocols and algorithms. The choice of algorithm varies depending on the
security requirements, the hardware resources that are available for encryption and
decryption, and the acceptance of the algorithm in the security community. Public-
domain algorithms are frequently used. With most modern algorithms, successful
decryption requires knowledge of the appropriate cryptographic keys. This means that
the security of encryption lies in the secrecy of the keys, not the algorithm.

MODULE 16
16.1 INTEGRITY AND AUTHENTICITY
16.1.1 SECURE COMMUNICATIONS

 Organizations must provide support to secure data as it travels across links. This may
include internal traffic, but it is even more important to protect data that travels outside
of the organization to branch sites, telecommuter sites, and partner sites.
 These are the four elements of secure communications:
o Data Integrity - Guarantees that the message was not altered. Any changes to
data in transit will be detected. Integrity is ensured by implementing either of
the Secure Hash Algorithms (SHA-2 or SHA-3). The MD5 message digest
algorithm is still widely in use. However, it is inherently insecure and creates
vulnerabilities in a network. Note that MD5 should be avoided.
o Origin Authentication - Guarantees that the message is not a forgery and does
actually come from whom it states. Many modern networks ensure
authentication with algorithms such as hash-based message authentication code
(HMAC).
o Data Confidentiality - Guarantees that only authorized users can read the
message. If the message is intercepted, it cannot be deciphered within a
reasonable amount of time. Data confidentiality is implemented using
symmetric and asymmetric encryption algorithms.
o Data Non-Repudiation - Guarantees that the sender cannot repudiate, or
refute, the validity of a message sent. Nonrepudiation relies on the fact that only
the sender has the unique characteristics or signature for how that message is
treated.
 Cryptography can be used almost anywhere that there is data communication. In fact,
the trend is toward all communication being encrypted.

16.1.2 CRYPTOGRAPHIC HASH FUNCTIONS

 Hashes are used to verify and ensure data integrity. They are also used to verify
authentication. Hashing is based on a one-way mathematical function that is relatively
easy to compute, but significantly harder to reverse.
 Grinding coffee is a good analogy of a one-way function. It is easy to grind coffee
beans, but it is almost impossible to put all of the tiny pieces back together to rebuild
the original beans.
 As shown in the figure, a hash function takes a variable block of binary data, called the
message, and produces a fixed-length, condensed representation, called the hash. The
resulting hash is also sometimes called the message digest, digest, or digital fingerprint.

 With hash functions, it is computationally infeasible for two different sets of data to
come up with the same hash output. Furthermore, the hash value changes every time the
data is changed or altered. Because of this, cryptographic hash values are often called
“digital fingerprints”. These fingerprints can be used to detect duplicate data files, file
version changes, and similar applications. These values are used to guard against an
accidental or intentional change to the data, or accidental data corruption.
 The cryptographic hash function is applied in many different situations for entity
authentication, data integrity, and data authenticity purposes.

16.1.3 CRYPTOGRAPHIC HASH OPERATION

 Mathematically, the equation h= H(x) is used to explain how a hash algorithm operates.
As shown in the figure, a hash function H takes an input x and returns a fixed-size
string hash value h.
 The example in the figure summarizes the mathematical process. A cryptographic hash
function should have the following properties:
o The input can be any length.
o The output is always a fixed length.
o H(x) is relatively easy to compute for any given x.
o H(x) is one way and not reversible.
o H(x) is collision free, meaning that two different input values will result in
different hash values.
 If a hash function is hard to invert, it is considered a one-way hash. Hard to invert
means that given a hash value of h, it is computationally infeasible to find an input
for x such that h=H(x).

16.1.4 MD5 AND SHA

 Hash functions are used to ensure the integrity of a message. They help ensure data has
not accidentally changed and that what was sent is indeed what was received.
 Note: Deliberate changes can be made by a threat actor.
 In the figure, the sender is sending a $100 money transfer to Alex. The sender wants to
ensure that the message is not accidentally altered on its way to the receiver.

 There are four well-known hash functions:
o MD5 with 128-bit digest - Developed by Ron Rivest and used in a variety of
internet applications, MD5 is a one-way function that produces a 128-bit hashed
message. MD5 is considered to be a legacy algorithm and should be avoided
and used only when no better alternatives are available. It is recommended that
SHA-2 or SHA-3 be used instead.
o SHA-1 - Developed by the U.S. National Security Agency (NSA) in 1995. It is
very similar to the MD5 hash functions. Several versions exist. SHA-1 creates a
160-bit hashed message and is slightly slower than MD5. SHA-1 has known
flaws and is a legacy algorithm.
o SHA-2 - Developed by the NSA. It includes SHA-224 (224 bit), SHA-256 (256
bit), SHA-384 (384 bit), and SHA-512 (512 bit). If you are using SHA-2, then
the SHA-256, SHA-384, and SHA-512 algorithms should be used whenever
possible.
o SHA-3 - SHA-3 is the newest hashing algorithm and was introduced by the
National Institute of Standards and Technology (NIST) as an alternative and
eventual replacement for the SHA-2 family of hashing algorithms. SHA-3
includes SHA3-224 (224 bit), SHA3-256 (256 bit), SHA3-384 (384 bit), and
SHA3-512 (512 bit). The SHA-3 family are next-generation algorithms and
should be used whenever possible.
 While hashing can be used to detect accidental changes, it cannot be used to guard
against deliberate changes that are made by a threat actor. There is no unique
identifying information from the sender in the hashing procedure. This means that
anyone can compute a hash for any data, as long as they have the correct hash function.
 For example, when the message traverses the network, a potential threat actor could
intercept the message, change it, recalculate the hash, and append it to the message. The
receiving device will only validate against whatever hash is appended.
 Therefore, hashing is vulnerable to man-in-the-middle attacks and does not provide
security to transmitted data. To provide integrity against man-in-the-middle attacks,
origin authentication is also required.

16.1.5 ORIGIN AUTHENTICATION


 To add origin authentication and integrity assurance, use a keyed-hash message
authentication code (HMAC). HMAC uses an additional secret key as input to the hash
function.
 Note: Other Message Authentication Code (MAC) methods are also used. However,
HMAC is used in many systems including SSL, IPsec, and SSH.
The following figures illustrate origin authentication using HMAC.
HMAC Hashing Algorithm

 As shown in the figure, an HMAC is calculated using any cryptographic algorithm that
combines a cryptographic hash function with a secret key. Hash functions are the basis
of the protection mechanism of HMACs.
 Only the sender and the receiver know the secret key, and the output of the hash
function now depends on the input data and the secret key. Only parties who have
access to that secret key can compute the digest of an HMAC function. This defeats
man-in-the-middle attacks and provides authentication of the data origin.
 If two parties share a secret key and use HMAC functions for authentication, a properly
constructed HMAC digest of a message that a party has received indicates that the other
party was the originator of the message. This is because the other party possesses the
secret key.
Creating the HMAC Value

 As shown in the figure, the sending device inputs data (such as Terry Smith’s pay of
$100 and the secret key) into the hashing algorithm and calculates the fixed-length
HMAC digest. This authenticated digest is then attached to the message and sent to the
receiver.
Verifying the HMAC Value

 In the figure, the receiving device removes the digest from the message and uses the
plaintext message with its secret key as input into the same hashing function. If the
digest that is calculated by the receiving device is equal to the digest that was sent, the
message has not been altered. Additionally, the origin of the message is authenticated
because only the sender possesses a copy of the shared secret key. The HMAC function
has ensured the authenticity of the message.
Cisco Router HMAC Example

 The figure shows how HMACs are used by Cisco routers that are configured to use
Open Shortest Path First (OSPF) routing authentication.
 R1 is sending a link state update (LSU) regarding a route to network 10.2.0.0/16:
1. R1 calculates the hash value using the LSU message and the secret key.
2. The resulting hash value is sent with the LSU to R2.
3. R2 calculates the hash value using the LSU and its secret key. R2
accepts the update if the hash values match. If they do not match, R2
discards the update.
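The two checks contrasted in 16.1.4 and 16.1.5, as an added Python example that is not part of the course notes: an unkeyed hash appended to a message accepts any digest that was recomputed in transit, while an HMAC under a key known only to sender and receiver rejects both an altered message and a digest computed without that key. The message text and the shared key are constructed sample values.

```python
import hashlib
import hmac

# Constructed sample data for the money-transfer scenario in the text.
ORIGINAL_MESSAGE = b"Pay Terry Smith $100"
ALTERED_MESSAGE = b"Pay Terry Smith $900"
# Constructed shared secret; assumed to have been provisioned to both ends out of band.
SHARED_KEY = b"example-shared-secret-not-for-production"


def plain_digest(message: bytes) -> str:
    """Unkeyed SHA-256 digest: anyone holding the message can recompute it."""
    return hashlib.sha256(message).hexdigest()


def verify_plain_digest(message: bytes, digest: str) -> bool:
    """Receiver-side check for an unkeyed digest appended to the message."""
    return hmac.compare_digest(plain_digest(message), digest)


def hmac_digest(key: bytes, message: bytes) -> str:
    """HMAC-SHA256: the digest depends on the message AND the shared key."""
    return hmac.new(key, message, hashlib.sha256).hexdigest()


def verify_hmac_digest(key: bytes, message: bytes, digest: str) -> bool:
    """Receiver recomputes the HMAC with its own copy of the key and compares.

    compare_digest runs in constant time, so the comparison does not leak how
    many leading bytes of the received digest were correct."""
    return hmac.compare_digest(hmac_digest(key, message), digest)


def demo() -> dict:
    """Exercise both schemes with an intact and an altered message."""
    results = {}

    # 1. Unkeyed hash: the intact message verifies ...
    sent_digest = plain_digest(ORIGINAL_MESSAGE)
    results["hash_intact_ok"] = verify_plain_digest(ORIGINAL_MESSAGE, sent_digest)
    # ... but so does an altered message whose digest was recomputed in transit,
    # because the receiver can only compare against whatever digest arrived.
    results["hash_altered_still_ok"] = verify_plain_digest(
        ALTERED_MESSAGE, plain_digest(ALTERED_MESSAGE))

    # 2. HMAC: the intact message verifies under the shared key ...
    sent_mac = hmac_digest(SHARED_KEY, ORIGINAL_MESSAGE)
    results["hmac_intact_ok"] = verify_hmac_digest(SHARED_KEY, ORIGINAL_MESSAGE, sent_mac)
    # ... an altered message carrying the original MAC is rejected ...
    results["hmac_altered_old_mac"] = verify_hmac_digest(SHARED_KEY, ALTERED_MESSAGE, sent_mac)
    # ... and a MAC recomputed without the real key is rejected as well.
    forged_mac = hmac_digest(b"guessed-key", ALTERED_MESSAGE)
    results["hmac_altered_wrong_key"] = verify_hmac_digest(SHARED_KEY, ALTERED_MESSAGE, forged_mac)
    return results


if __name__ == "__main__":
    for name, accepted in demo().items():
        print(f"{name}: {'accepted' if accepted else 'rejected'}")
```

The receiver never compares the digest with `==`; `hmac.compare_digest` is used for both schemes so that the comparison time does not depend on how much of the digest matched.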

16.2 KEY MANAGEMENT


16.2.1 CHARACTERISTICS OF KEY MANAGEMENT

 Key management is often considered the most difficult part of designing a
cryptosystem. Many cryptosystems have failed because of mistakes in their key
management, and all modern cryptographic algorithms require key management
procedures. In practice, most attacks on cryptographic systems are aimed at the key
management level, rather than at the cryptographic algorithm itself.
 As shown in the table, there are several essential characteristics of key management to
consider.

o Key Generation - It was up to Caesar to choose the key of his cipher. The Vigenère
cipher key is also chosen by the sender and receiver. In a modern cryptographic
system, key generation is usually automated and not left to the end user. The use of
good random number generators is needed to ensure that all keys are equally likely to
be generated, so that the attacker cannot predict which keys are more likely to be
used.
o Key Verification - Some keys are better than others. Almost all cryptographic
algorithms have some weak keys that should not be used. With the help of key
verification procedures, weak keys can be identified and regenerated to provide a
more secure encryption. With the Caesar cipher, using a key of 0 or 25 does not
encrypt the message, so it should not be used.
o Key Exchange - Key management procedures should provide a secure key exchange
mechanism that allows secure agreement on the keying material with the other party,
probably over an untrusted medium.
o Key Storage - On a modern multi-user operating system that uses cryptography, a key
can be stored in memory. This presents a possible problem when that memory is
swapped to the disk, because a Trojan horse program installed on the PC of a user
could then have access to the private keys of that user.
o Key Lifetime - Using short key lifetimes improves the security of legacy ciphers that
are used on high-speed connections. In IPsec a 24-hour lifetime is typical. However,
changing the lifetime to 30 minutes improves the security of the algorithms.
o Key Revocation and Destruction - Revocation notifies all interested parties that a
certain key has been compromised and should no longer be used. Destruction erases
old keys in a manner that prevents malicious attackers from recovering them.

16.2.2 KEY LENGTH AND KEYSPACE

 Two terms that are used to describe keys are:


o Key length - Also called the key size, this is the size of the key measured in bits. In
this course, we will use the term key length.
o Keyspace - This is the number of possible keys that can be generated by a specific
key length.
 As the key length increases, the keyspace increases exponentially:
o A 2-bit (2^2) key length = a keyspace of 4 because there are four possible keys
(00, 01, 10, and 11).
o A 3-bit (2^3) key length = a keyspace of 8, because there are eight possible keys
(000, 001, 010, 011, 100, 101, 110, 111).
o A 4-bit (2^4) key length = a keyspace of 16 possible keys.
o A 40-bit (2^40) key length = a keyspace of 1,099,511,627,776 possible keys.
 The table displays the characteristics of the AES encryption algorithm. Notice how AES
uses long key lengths. This dramatically increases the keyspace which affects the time it
takes to crack the code.

o Algorithm Full Name - Advanced Encryption Standard
o Timeline - Official standard since 2001
o Type of Algorithm - Symmetric
o Key Size (in bits) - 128, 192, and 256
o Speed - High
o Time to Crack (assuming a computer could try 2^55 keys per second) - 149 trillion
years
o Resource Consumption - Low

16.2.3 THE KEYSPACE

 The keyspace of an algorithm is the set of all possible key values. A key that has n bits
produces a keyspace that has 2^n possible key values. By adding one bit to the key, the
keyspace is effectively doubled.
 As shown in the table, DES with its 56-bit keys has a keyspace of more than
72,000,000,000,000,000 (2^56) possible keys. By adding one bit to the key length, the
keyspace doubles, and an attacker needs twice the amount of time to search the
keyspace. Adding an additional bit to a 57-bit key size means that it would now take an
attacker four times the amount of time to search the keyspace. Adding 4 more bits to
56-bits would create a 60-bit key. A 60-bit key would take 16 times longer to crack than
a 56-bit key.
DES Key   Keyspace   Approximate Number of Possible Keys
56-bit    2^56       ~72,000,000,000,000,000
                     (11111111 11111111 11111111 11111111 11111111 11111111 11111111)
57-bit    2^57       ~144,000,000,000,000,000
                     (11111111 11111111 11111111 11111111 11111111 11111111 11111111 1)
58-bit    2^58       ~288,000,000,000,000,000
                     (11111111 11111111 11111111 11111111 11111111 11111111 11111111 11)
59-bit    2^59       ~576,000,000,000,000,000
                     (11111111 11111111 11111111 11111111 11111111 11111111 11111111 111)
60-bit    2^60       ~1,152,000,000,000,000,000
                     (11111111 11111111 11111111 11111111 11111111 11111111 11111111 1111)

 Note: Longer keys are more secure; however, they are also more resource intensive.
Caution should be exercised when choosing longer keys because handling them could
add a significant load to the processor in lower-end products.
 Almost every algorithm has some weak keys in its keyspace that enable an attacker to
break the encryption via a shortcut. Weak keys show the regularities in encryption. For
instance, DES has four keys for which encryption is the same as decryption. This means
that if one of these weak keys is used to encrypt plaintext, an attacker can use the weak
key to decrypt the ciphertext and reveal the plaintext.
 The DES weak keys are those that produce 16 identical subkeys. This occurs when the
key bits are:
o Alternating ones and zeros (0101010101010101)
o Alternating F and E (FEFEFEFEFEFEFEFE)
o E0E0E0E0F1F1F1F1
o 1F1F1F1F0E0E0E0E
 It is very unlikely that such keys would be chosen, but network administrators should
still verify all keys that are implemented and prevent weak keys from being used. With
manual key generation, take special care to avoid defining weak keys.
 Note: DES is a legacy encryption algorithm and should not be used. It is used here to
illustrate the concept of keyspace only.
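The keyspace arithmetic of 16.2.2 and 16.2.3 and the DES weak-key list above, as an added Python example (not from the course notes): it computes 2^n keyspaces, the relative cost of searching a longer key, the average exhaustive-search time under the table's assumption of 2^55 keys per second (half the keyspace is tried on average, which is where the 149 trillion years for AES-128 comes from), and screens an 8-byte DES key against the four weak keys with the parity bit of each byte ignored. The year length and the sample keys are assumptions of the example.

```python
SECONDS_PER_YEAR = 365.25 * 24 * 3600   # Julian year; assumed for the rough estimate

# The four DES weak keys listed in the text, written as 64-bit values that
# include the DES parity bit in every byte.
DES_WEAK_KEYS = (
    bytes.fromhex("0101010101010101"),
    bytes.fromhex("FEFEFEFEFEFEFEFE"),
    bytes.fromhex("E0E0E0E0F1F1F1F1"),
    bytes.fromhex("1F1F1F1F0E0E0E0E"),
)


def keyspace(key_bits: int) -> int:
    """Number of possible keys for an n-bit key: 2^n."""
    return 1 << key_bits


def relative_search_cost(base_bits: int, longer_bits: int) -> int:
    """How many times longer an exhaustive search takes for the longer key."""
    return keyspace(longer_bits) // keyspace(base_bits)


def average_search_years(key_bits: int, keys_per_second: float) -> float:
    """Expected exhaustive-search time: on average half the keyspace is tried."""
    seconds = (keyspace(key_bits) / 2) / keys_per_second
    return seconds / SECONDS_PER_YEAR


def _strip_parity(key: bytes) -> bytes:
    # DES uses only 56 of the 64 key bits; the low bit of each byte is parity,
    # so 00...00 and 01...01 select the same effective key.
    return bytes(b & 0xFE for b in key)


def is_des_weak_key(key: bytes) -> bool:
    """True if the key matches one of the four DES weak keys (parity ignored)."""
    if len(key) != 8:
        raise ValueError("a DES key is 8 bytes (64 bits including parity)")
    candidate = _strip_parity(key)
    return any(candidate == _strip_parity(weak) for weak in DES_WEAK_KEYS)


if __name__ == "__main__":
    print("40-bit keyspace:", keyspace(40))
    print("56-bit keyspace:", keyspace(56))
    print("60-bit vs 56-bit search cost:", relative_search_cost(56, 60))
    print("AES-128 at 2^55 keys/s, years:", f"{average_search_years(128, 2 ** 55):.3e}")
    print("DES key 0101...01 weak?", is_des_weak_key(bytes.fromhex("0101010101010101")))
```

Screening against a fixed list is exactly what the text calls key verification; a key-generation routine would run such a check and regenerate rather than ever hand a weak key to the cipher.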
16.2.4 TYPES OF CRYPTOGRAPHIC KEYS

 Several types of cryptographic keys can be generated:


o Symmetric keys - Can be exchanged between two routers supporting a VPN
o Asymmetric keys - Are used in secure HTTPS applications
o Digital signatures - Are used when connecting to a secure website
o Hash keys - Are used in symmetric and asymmetric key generation, digital
signatures, and other types of applications
 Regardless of the key type, all keys share similar issues. Choosing a suitable key length
is one issue. If the cryptographic system is trustworthy, the only way to break it is with
a brute-force attack. If the keyspace is large enough, the search requires an enormous
amount of time, making such an exhaustive effort impractical. The table summarizes
the key length required to secure data for the indicated amount of time.

Length of Protection                   Symmetric Key   Asymmetric Key   Digital Signature   Hash
3 years                                80              1248             160                 160
10 years                               96              1776             192                 192
20 years                               112             2432             224                 224
30 years                               128             3248             256                 256
Protection against quantum computers   256             15424            512                 512

 On average, an attacker has to search through half of the keyspace before the correct
key is found. The time that is needed to accomplish this search depends on the
computer power that is available to the attacker.
 Current key lengths can easily make any attempt insignificant because it takes millions
or billions of years to complete the search when a sufficiently long key is used.
 With modern algorithms that are trusted, the strength of protection depends solely on
the size of the key. Choose the key length so that it protects data confidentiality or
integrity for an adequate period of time. Data that is more sensitive and needs to be kept
secret longer must use longer keys.

16.2.5 CHOICE OF CRYPTOGRAPHIC KEYS

 Performance is another issue that can influence the choice of a key length. An
administrator must find a good balance between the speed and protective strength of an
algorithm, because some algorithms, such as the Rivest, Shamir, and Adleman (RSA)
algorithm, run slowly due to large key lengths. Strive for adequate protection, while
enabling communication over untrusted networks.
 The estimated funding of the attacker should also affect the choice of key length. When
assessing the risk of someone breaking the encryption algorithm, estimate the resources
of the attacker and how long the data must be protected. For example, classic DES can
be broken by a $1 million machine in a couple of minutes. If the data that is being
protected is worth significantly more than the $1 million needed to acquire a
cracking device, then another algorithm should be used. In fact, DES is now considered
too weak to use for any application.
 Because of the rapid advances in technology and cryptanalytic methods, the key length
that is needed for a particular application is constantly increasing. Part of the strength of
the RSA algorithm is the difficulty of factoring large numbers. For example, the factors
of 12 would be 1 x 12, 2 x 6, and 3 x 4. Therefore, a 1024-bit number is a very large
number with many factors. Increasing that number to a 2048-bit number creates even
more factors. Of course, this advantage is lost if an easy way to factor large numbers is
found, but cryptographers consider this possibility unlikely.
 The rule “the longer the key, the better” is valid, except for possible performance
reasons. Shorter keys equal faster processing, but are less secure. Longer keys equal
slower processing, but are more secure.

16.3 CONFIDENTIALITY
16.3.1 DATA CONFIDENTIALITY

 Asymmetric and symmetric encryption are the two classes of encryption used to
provide data confidentiality. These two classes differ in how they use keys.
 Symmetric encryption algorithms such as Data Encryption Standard (DES), 3DES, and
Advanced Encryption Standard (AES) are based on the premise that each
communicating party knows the pre-shared key. Data confidentiality can also be
ensured using asymmetric algorithms, including Rivest, Shamir, and Adleman (RSA)
and the public key infrastructure (PKI).
 Note: DES is a legacy algorithm and should not be used. 3DES should be avoided if
possible.
 The figure highlights some differences between symmetric and asymmetric encryption.

16.3.2 SYMMETRIC ENCRYPTION

 Symmetric algorithms use the same pre-shared key to encrypt and decrypt data. A pre-
shared key, also called a secret key, is known by the sender and receiver before any
encrypted communications can take place.
 To help illustrate how symmetric encryption works, consider an example where Alice
and Bob live in different locations and want to exchange secret messages with one
another through the mail system. In this example, Alice wants to send a secret message
to Bob.
 In the figure, Alice and Bob have identical keys to a single padlock. These keys were
exchanged prior to sending any secret messages. Alice writes a secret message and puts
it in a small box that she locks using the padlock with her key. She mails the box to
Bob. The message is safely locked inside the box as the box makes its way through the
post office system. When Bob receives the box, he uses his key to unlock the padlock
and retrieve the message. Bob can use the same box and padlock to send a secret reply
back to Alice.

 Today, symmetric encryption algorithms are commonly used with VPN traffic. This is
because symmetric algorithms use less CPU resources than asymmetric encryption
algorithms. This allows the encryption and decryption of data to be fast when using a
VPN. When using symmetric encryption algorithms, like any other type of encryption,
the longer the key, the longer it will take for someone to discover the key. Most
encryption keys are between 112 and 256 bits. To ensure that the encryption is safe, a
minimum key length of 128 bits should be used. Use a longer key for more secure
communications.
 Symmetric encryption algorithms are sometimes classified as either a block cipher or a
stream cipher. The two cipher modes are described below.
Block Ciphers

 Block ciphers transform a fixed-length block of plaintext into a common block of
ciphertext of 64 or 128 bits. Common block ciphers include DES with a 64-bit block
size and AES with a 128-bit block size.

Stream Ciphers

 Stream ciphers encrypt plaintext one byte or one bit at a time. Stream ciphers are
basically a block cipher with a block size of one byte or bit. Stream ciphers are typically
faster than block ciphers because data is continuously encrypted. Examples of stream
ciphers include RC4 and A5 which is used to encrypt GSM cell phone communications.

 Well-known symmetric encryption algorithms are described in the table.

o Data Encryption Standard (DES) - This is a legacy symmetric encryption algorithm. It
uses a short key length that makes it insecure for most current uses.
o 3DES (Triple DES) - This is the replacement for DES and repeats the DES algorithm
process three times. It should be avoided if possible as it is scheduled to be retired in
2023. If implemented, use very short key lifetimes.
o Advanced Encryption Standard (AES) - AES is a popular and recommended symmetric
encryption algorithm. It offers combinations of 128-, 192-, or 256-bit keys to encrypt
128, 192, or 256 bit-long data blocks.
o Software-Optimized Encryption Algorithm (SEAL) - SEAL is a faster alternative
symmetric encryption algorithm to AES. SEAL is a stream cipher that uses a 160-bit
encryption key and has a lower impact on the CPU compared to other software-based
algorithms.
o Rivest ciphers (RC) series algorithms - This algorithm was developed by Ron Rivest.
Several variations have been developed, but RC4 was the most prevalent in use. RC4 is
a stream cipher that was used to secure web traffic. It has been found to have multiple
vulnerabilities which have made it insecure. RC4 should not be used.

16.3.3 ASYMMETRIC ENCRYPTION

 Asymmetric algorithms, also called public-key algorithms, are designed so that the key
that is used for encryption is different from the key that is used for decryption, as shown
in the figure. The decryption key cannot, in any reasonable amount of time, be
calculated from the encryption key and vice versa.
 Asymmetric algorithms use a public key and a private key. Both keys are capable of the
encryption process, but the complementary paired key is required for decryption. The
process is also reversible. Data that is encrypted with the public key requires the private
key to decrypt. Asymmetric algorithms achieve confidentiality and authenticity by
using this process.
 Because neither party has a shared secret, very long key lengths must be used.
Asymmetric encryption can use key lengths between 512 to 4,096 bits. Key lengths
greater than or equal to 2,048 bits can be trusted, while key lengths of 1,024 or shorter
are considered insufficient.
 Examples of protocols that use asymmetric key algorithms include:
o Internet Key Exchange (IKE) - This is a fundamental component of IPsec
VPNs.
o Secure Socket Layer (SSL) - This is now implemented as IETF standard
Transport Layer Security (TLS).
o Secure Shell (SSH) - This protocol provides a secure remote access connection
to network devices.
o Pretty Good Privacy (PGP) - This computer program provides cryptographic
privacy and authentication. It is often used to increase the security of email
communications.
 Asymmetric algorithms are substantially slower than symmetric algorithms. Their
design is based on computational problems, such as factoring extremely large numbers
or computing discrete logarithms of extremely large numbers.
 Because they are slow, asymmetric algorithms are typically used in low-volume
cryptographic mechanisms, such as digital signatures and key exchange. However, the
key management of asymmetric algorithms tends to be simpler than symmetric
algorithms, because usually one of the two encryption or decryption keys can be made
public.
 Common examples of asymmetric encryption algorithms are described in the table.

o Diffie-Hellman (DH) - Key length: 512, 1024, 2048, 3072, 4096. The Diffie-Hellman
algorithm allows two parties to agree on a key that they can use to encrypt messages
they want to send to each other. The security of this algorithm depends on the
assumption that it is easy to raise a number to a certain power, but difficult to
compute which power was used given the number and the outcome.
o Digital Signature Standard (DSS) and Digital Signature Algorithm (DSA) - Key length:
512 - 1024. DSS specifies DSA as the algorithm for digital signatures. DSA is a public
key algorithm based on the ElGamal signature scheme. Signature creation speed is
similar to RSA, but is 10 to 40 times slower for verification.
o Rivest, Shamir, and Adleman encryption algorithms (RSA) - Key length: 512 to 2048.
RSA is for public-key cryptography that is based on the current difficulty of factoring
very large numbers. It is the first algorithm known to be suitable for signing, as well
as encryption. It is widely used in electronic commerce protocols and is believed to be
secure given sufficiently long keys and the use of up-to-date implementations.
o ElGamal - Key length: 512 - 1024. An asymmetric key encryption algorithm for
public-key cryptography which is based on the Diffie-Hellman key agreement. A
disadvantage of the ElGamal system is that the encrypted message becomes very big,
about twice the size of the original message, and for this reason it is only used for
small messages such as secret keys.
o Elliptic curve techniques - Key length: 224 or higher. Elliptic curve cryptography can
be used to adapt many cryptographic algorithms, such as Diffie-Hellman or ElGamal.
The main advantage of elliptic curve cryptography is that the keys can be much
smaller.

16.3.4 ASYMMETRIC ENCRYPTION – CONFIDENTIALITY

 Asymmetric algorithms are used to provide confidentiality without pre-sharing a
password. The confidentiality objective of asymmetric algorithms is initiated when the
encryption process is started with the public key.
 The process can be summarized using the formula:
o Public Key (Encrypt) + Private Key (Decrypt) = Confidentiality
 When the public key is used to encrypt the data, the private key must be used to decrypt
the data. Only one host has the private key; therefore, confidentiality is achieved.
 If the private key is compromised, another key pair must be generated to replace the
compromised key.
 The following steps show how the private and public keys can be used to provide
confidentiality to the data exchange between Bob and Alice.
Alice acquires Bob’s public key

 Alice requests and obtains Bob’s public key.


Alice uses the public key

 Alice uses Bob’s public key to encrypt a message using an agreed-upon algorithm.
Alice sends the encrypted message to Bob.
Bob decrypts message with private key

 Bob then uses his private key to decrypt the message. Since Bob is the only one with
the private key, Alice's message can only be decrypted by Bob and thus confidentiality
is achieved.

16.3.5 ASYMMETRIC ENCRYPTION – AUTHENTICATION

 The authentication objective of asymmetric algorithms is initiated when the encryption
process is started with the private key.
 The process can be summarized using the formula:
o Private Key (Encrypt) + Public Key (Decrypt) = Authentication
 When the private key is used to encrypt the data, the corresponding public key must be
used to decrypt the data. Because only one host has the private key, only that host could
have encrypted the message, providing authentication of the sender. Typically, no
attempt is made to preserve the secrecy of the public key, so any number of hosts can
decrypt the message. When a host successfully decrypts a message using a public key, it
is trusted that the private key encrypted the message, which verifies who the sender is.
This is a form of authentication.
 The following steps show how the private and public keys can be used to provide
authentication to the data exchange between Bob and Alice.
Alice uses her private key

 Alice encrypts a message using her private key. Alice sends the encrypted message to
Bob. Bob needs to authenticate that the message did indeed come from Alice.
Bob requests the public key

 In order to authenticate the message, Bob requests Alice’s public key.


Bob decrypts using the public key

 Bob uses Alice’s public key to decrypt the message.

16.3.6 ASYMMETRIC ENCRYPTION – INTEGRITY


 Combining the two asymmetric encryption processes provides message confidentiality,
authentication, and integrity.
 The following example will be used to illustrate this process. In this example, a
message will be ciphered using Bob’s public key and a ciphered hash will be encrypted
using Alice’s private key to provide confidentiality, authenticity, and integrity.
Alice uses Bob’s public key

 Alice wants to send a message to Bob ensuring that only Bob can read the document. In
other words, Alice wants to ensure message confidentiality. Alice uses the public key of
Bob to cipher the message. Only Bob will be able to decipher it using his private key.
Alice encrypts a hash using her private key

 Alice also wants to ensure message authentication and integrity. Authentication ensures
Bob that the document was sent by Alice, and integrity ensures that it was not modified.
Alice uses her private key to cipher a hash of the message. Alice sends the encrypted
message with its encrypted hash to Bob.
Bob uses Alice’s public key to decrypt the hash

 Bob uses Alice’s public key to verify that the message was not modified. The received
hash is equal to the locally determined hash based on Alice’s public key. Additionally,
this verifies that Alice is definitely the sender of the message because nobody else has
Alice’s private key.
Bob uses his private key to decrypt the message

 Bob uses his private key to decipher the message.
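The three asymmetric operations of 16.3.4 to 16.3.6 (encrypt with the recipient's public key, "encrypt" a hash with the sender's private key, verify with the sender's public key), as an added Python example that is not part of the course notes. It uses textbook RSA over small Mersenne primes (2^61-1, 2^89-1, 2^107-1 and 2^127-1, which are all prime) so that the two key halves are plain modular exponentiation; the primes, the message and the absence of any padding are assumptions of the illustration, not how real RSA keys are built.

```python
import hashlib
from math import gcd

# Toy key material (assumed): Mersenne primes, small enough to follow but large
# enough that a short message fits below the modulus. Not for real use.
ALICE_PRIMES = (2 ** 61 - 1, 2 ** 107 - 1)
BOB_PRIMES = (2 ** 89 - 1, 2 ** 127 - 1)


def make_textbook_keypair(p: int, q: int, e: int = 65537):
    """Return (public, private) as (n, exponent) tuples."""
    n = p * q
    phi = (p - 1) * (q - 1)
    if gcd(e, phi) != 1:
        raise ValueError("e must be coprime to (p-1)(q-1)")
    d = pow(e, -1, phi)          # modular inverse of e, Python 3.8+
    return (n, e), (n, d)


def apply_key(value: int, key) -> int:
    """Modular exponentiation with either half of a key pair."""
    n, exponent = key
    if not 0 <= value < n:
        raise ValueError("value must be smaller than the modulus")
    return pow(value, exponent, n)


def to_int(message: bytes) -> int:
    return int.from_bytes(message, "big")


def to_bytes(value: int) -> bytes:
    return value.to_bytes((value.bit_length() + 7) // 8, "big")


def message_hash(message: bytes, n: int) -> int:
    """SHA-256 of the message, reduced below the toy modulus."""
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % n


def send(message: bytes, sender_private, recipient_public):
    """Confidentiality: encrypt with the recipient's public key.
    Authentication and integrity: apply the sender's private key to the hash."""
    ciphertext = apply_key(to_int(message), recipient_public)
    signed_hash = apply_key(message_hash(message, sender_private[0]), sender_private)
    return ciphertext, signed_hash


def receive(ciphertext: int, signed_hash: int, recipient_private, sender_public):
    """Decrypt with own private key, then check the hash with the sender's public key."""
    message = to_bytes(apply_key(ciphertext, recipient_private))
    expected = message_hash(message, sender_public[0])
    authentic = apply_key(signed_hash, sender_public) == expected
    return message, authentic


def demo(message: bytes = b"Pay Alex $100") -> dict:
    """Alice sends to Bob; then the same signed hash is presented with an altered message."""
    alice_pub, alice_priv = make_textbook_keypair(*ALICE_PRIMES)
    bob_pub, bob_priv = make_textbook_keypair(*BOB_PRIMES)
    ciphertext, signed_hash = send(message, alice_priv, bob_pub)
    recovered, authentic = receive(ciphertext, signed_hash, bob_priv, alice_pub)
    # Anyone can encrypt a different message for Bob with his public key, but
    # without Alice's private key the hash check on the altered text fails.
    altered_ct = apply_key(to_int(b"Pay Alex $900"), bob_pub)
    _, altered_ok = receive(altered_ct, signed_hash, bob_priv, alice_pub)
    return {"recovered": recovered, "authentic": authentic, "altered_authentic": altered_ok}


if __name__ == "__main__":
    print(demo())
```

The same `apply_key` function serves both directions, which is the point of the two formulas in the text: which half of the pair is used first decides whether the operation buys confidentiality or authentication.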

16.3.7 DIFFIE-HELLMAN

 Diffie-Hellman (DH) is an asymmetric mathematical algorithm that allows two
computers to generate an identical shared secret without having communicated before.
The new shared key is never actually exchanged between the sender and receiver.
However, because both parties know it, the key can be used by an encryption algorithm
to encrypt traffic between the two systems.
 Here are two examples of instances when DH is commonly used:
o Data is exchanged using an IPsec VPN
o SSH data is exchanged
 To help illustrate how DH operates, refer to the figure.
 The colors in the figure will be used instead of complex long numbers to simplify the
DH key agreement process. The DH key exchange begins with Alice and Bob agreeing
on an arbitrary common color that does not need to be kept secret. The agreed-on color
in our example is yellow.
 Next, Alice and Bob will each select a secret color. Alice chose red while Bob chose
blue. These secret colors will never be shared with anyone. The secret color represents
the chosen secret private key of each party.
 Alice and Bob now mix the shared common color (yellow) with their respective secret
color to produce a public color. Therefore, Alice will mix the yellow with her red color
to produce a public color of orange. Bob will mix the yellow and the blue to produce a
public color of green.
 Alice sends her public color (orange) to Bob and Bob sends his public color (green) to
Alice.
 Alice and Bob each mix the color they received with their own, original secret color
(red for Alice and blue for Bob). The result is a final brown color mixture that is
identical to the partner’s final color mixture. The brown color represents the resulting
shared secret key between Bob and Alice.
 The security of DH is based on the fact that it uses very large numbers in its
calculations. For example, a DH 1024-bit number is roughly equal to a decimal number
of 309 digits. Considering that a billion is 10 decimal digits (1,000,000,000), one can
easily imagine the complexity of working with not one, but multiple 309-digit decimal
numbers.
 Diffie-Hellman uses different DH groups to determine the strength of the key that is
used in the key agreement process. The higher group numbers are more secure, but
require additional time to compute the key. The following identifies the DH groups
supported by Cisco IOS Software and the size of their associated prime number:
o DH Group 1: 768 bits
o DH Group 2: 1024 bits
o DH Group 5: 1536 bits
o DH Group 14: 2048 bits
o DH Group 15: 3072 bits
o DH Group 16: 4096 bits
 Note: A DH key agreement can also be based on elliptic curve cryptography. DH
groups 19, 20, and 24, which are based on elliptic curve cryptography, are also
supported by Cisco IOS Software.
 Unfortunately, asymmetric key systems are extremely slow for any sort of bulk
encryption. This is why it is common to encrypt the bulk of the traffic using a
symmetric algorithm, such as 3DES or AES and use the DH algorithm to create keys
that will be used by the encryption algorithm.
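The colour-mixing exchange above carried out with numbers, as an added Python example that is not from the course notes. The tiny modulus p = 23 and generator g = 5 are assumptions chosen so the exponentiations can be checked by hand; a real exchange uses one of the standardized groups listed above. The last step hashes the agreed secret into a fixed-length key, which is how the shared value feeds a symmetric cipher as the final paragraph describes.

```python
import hashlib
import secrets

# Toy parameters (assumed): a prime small enough to follow by hand.
# Real deployments use a standardized group such as the 2048-bit DH group 14 modulus.
TOY_P = 23
TOY_G = 5


def dh_private(p: int = TOY_P) -> int:
    """Secret exponent (the 'secret colour'): random, and never sent anywhere."""
    return secrets.randbelow(p - 2) + 1          # in 1 .. p-2


def dh_public(private: int, p: int = TOY_P, g: int = TOY_G) -> int:
    """Public value (the 'public colour'): g^private mod p, safe to send in the clear."""
    return pow(g, private, p)


def dh_shared(peer_public: int, private: int, p: int = TOY_P) -> int:
    """Shared secret (the 'brown' mix): peer_public^private mod p, equal on both sides."""
    return pow(peer_public, private, p)


def derive_symmetric_key(shared: int, p: int = TOY_P) -> bytes:
    """Hash the shared secret into a fixed-length key for a symmetric cipher (e.g. AES-128)."""
    width = (p.bit_length() + 7) // 8
    return hashlib.sha256(shared.to_bytes(width, "big")).digest()[:16]


def agree(alice_private: int, bob_private: int, p: int = TOY_P, g: int = TOY_G) -> dict:
    """Run one exchange; return what each side computes and what crossed the wire."""
    alice_public = dh_public(alice_private, p, g)   # 'orange'
    bob_public = dh_public(bob_private, p, g)       # 'green'
    alice_secret = dh_shared(bob_public, alice_private, p)
    bob_secret = dh_shared(alice_public, bob_private, p)
    return {
        "on_the_wire": (p, g, alice_public, bob_public),  # everything an observer sees
        "alice_secret": alice_secret,
        "bob_secret": bob_secret,
        "alice_key": derive_symmetric_key(alice_secret, p),
        "bob_key": derive_symmetric_key(bob_secret, p),
    }


if __name__ == "__main__":
    result = agree(dh_private(), dh_private())
    print("on the wire (p, g, A, B):", result["on_the_wire"])
    print("shared secrets match:", result["alice_secret"] == result["bob_secret"])
```

With private exponents 6 and 15 the public values are 8 and 19 and both sides arrive at 2; an observer holding only (23, 5, 8, 19) would have to recover one of the exponents from its public value, which is the discrete-logarithm problem the text refers to.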

16.4 BASIC INTEGRITY AND AUTHENTICITY SUMMARY


16.4.1 WHAT DID I LEARN IN THIS MODULE?
Integrity and Authenticity

 These are the four elements of secure communications: data integrity, origin authentication, data confidentiality, and data non-repudiation. Cryptography can be used almost anywhere that there is data communication. Hashes are used to verify and ensure data integrity. Hashing is based on a one-way mathematical function that is relatively easy to compute, but computationally infeasible to reverse. A cryptographic hash function is also a building block for authentication when it is combined with a secret key (see HMAC below). A hash function takes a variable-length block of binary data, called the message, and produces a fixed-length, condensed representation, called the hash. The resulting hash is also sometimes called the message digest, digest, or digital fingerprint. Mathematically, the equation h = H(x) is used to explain how a hash algorithm operates. A hash function H takes an input x and returns a fixed-size hash value h. A cryptographic hash function should have the following properties:
o The input can be any length.
o The output has a fixed length.
o H(x) is relatively easy to compute for any given x.
o H(x) is one way: given h, it is infeasible to find any x with H(x) = h (preimage resistance).
o H(x) is collision resistant: it is infeasible to find two different inputs x1 and x2 with H(x1) = H(x2). (Collisions necessarily exist because the output is shorter than the input; the requirement is that nobody can find one.)
 The four well-known hash function families are MD5 (128-bit digest), SHA-1 (160-bit digest), SHA-2 (SHA-224, SHA-256, SHA-384, SHA-512), and SHA-3. MD5 and SHA-1 are broken with respect to collision resistance and should not be used in new designs; use SHA-2 or SHA-3. While hashing can be used to detect accidental changes, it cannot by itself guard against deliberate changes made by a threat actor in a man-in-the-middle attack, because the attacker can simply recompute the hash over the modified data. Origin authentication is also required to provide protection.
 To add origin authentication and integrity assurance, use a keyed-hash message authentication code (HMAC). HMAC uses an additional secret key as input to the hash function, so only a party that holds the key can produce or verify a valid tag. Other Message Authentication Code (MAC) methods are also used, for example CMAC and the tags produced by authenticated encryption modes such as AES-GCM. However, HMAC is used in many systems including TLS (the successor of SSL), IPsec, and SSH. Compare received tags in constant time so that the comparison does not leak, through its timing, how many leading bytes of a forged tag were correct.
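The man-in-the-middle argument above, run as an added example (illustrative code written for these notes, not from the original module or any library's documentation). It writes HMAC out in full so the two nested hashes are visible, checks that against the standard library, and then shows the same tampering once against a bare SHA-256 digest and once against an HMAC tag. The message, the key and the attacker step are constructed for the demonstration.

```python
"""A bare hash gives integrity against accidents; HMAC gives integrity plus
origin authentication against an active attacker. Standard library only."""
import hashlib
import hmac
import secrets

BLOCK = 64  # SHA-256 block size; HMAC pads (or first hashes) the key to this length


def sha256(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


def hmac_sha256(key: bytes, message: bytes) -> bytes:
    """HMAC per RFC 2104: H((K xor opad) || H((K xor ipad) || m)), written out
    so the construction is visible. Production code calls hmac.new() instead."""
    if len(key) > BLOCK:
        key = sha256(key)
    key = key.ljust(BLOCK, b"\x00")
    ipad = bytes(b ^ 0x36 for b in key)
    opad = bytes(b ^ 0x5C for b in key)
    return sha256(opad + sha256(ipad + message))


def matches_stdlib(key: bytes, message: bytes) -> bool:
    """Cross-check the hand-written HMAC against hmac.new()."""
    return hmac_sha256(key, message) == hmac.new(key, message, hashlib.sha256).digest()


def rfc4231_case1_ok() -> bool:
    """Known-answer test: RFC 4231 test case 1 (key = 20 x 0x0b, data 'Hi There')."""
    tag = hmac_sha256(b"\x0b" * 20, b"Hi There")
    return tag.hex() == "b0344c61d8db38535ca8afceaf0bf12b881dc200c9833da726e9376c2e32cff7"


def verify(key: bytes, message: bytes, tag: bytes) -> bool:
    """Constant-time comparison: a plain == returns early on the first
    mismatching byte and leaks, through timing, how much of a forgery was right."""
    return hmac.compare_digest(hmac_sha256(key, message), tag)


def transfer(amount: bytes) -> bytes:
    return b"transfer:" + amount + b":to=acct-42"   # constructed sample message


def mitm(message: bytes, tag: bytes, keyed: bool) -> tuple[bytes, bytes]:
    """The attacker rewrites the amount in transit. Against a bare hash he just
    recomputes the digest; against HMAC he has no key, so the stale tag is all
    he can forward."""
    forged = message.replace(b"100.00", b"999.00")
    return forged, (tag if keyed else sha256(forged))


def scenario() -> dict[str, bool]:
    """Whether each receiver-side check caught the tampering."""
    key = secrets.token_bytes(32)      # shared in advance by sender and receiver only
    msg = transfer(b"100.00")

    forged, digest = mitm(msg, sha256(msg), keyed=False)
    hash_caught = sha256(forged) != digest            # receiver recomputes: it matches

    forged, stale_tag = mitm(msg, hmac_sha256(key, msg), keyed=True)
    hmac_caught = not verify(key, forged, stale_tag)  # receiver recomputes with the key
    return {"hash_detects_tampering": hash_caught, "hmac_detects_tampering": hmac_caught}


if __name__ == "__main__":
    print(scenario(), "rfc4231 known answer:", rfc4231_case1_ok())
```

The key-hashing branch in hmac_sha256 is why a key longer than the block size does not add strength: it is reduced to a digest first. The same structure is what makes H(key || message) a poor substitute; that construction is open to length-extension with Merkle-Damgard hashes such as SHA-256, which HMAC's outer hash prevents.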

Key Management

 Key management is often considered the most difficult part of designing a cryptosystem. Most attacks on cryptographic systems are aimed at the key management level, rather than at the cryptographic algorithm itself.
 The essential characteristics of key management are key generation, key verification,
key exchange, key storage, key lifetime, and key revocation and destruction.
 Two terms that are used to describe keys are key length and keyspace. As key length
increases, the keyspace increases exponentially.
 The keyspace of an algorithm is the set of all possible key values. A key that has n bits produces a keyspace that has 2^n possible key values. By adding one bit to the key, the keyspace is doubled. Some algorithms have weak keys in their keyspace that let an attacker break the encryption via a shortcut. A weak key is one for which the cipher behaves in a regular, predictable way; DES, for example, has four weak keys under which encrypting twice returns the plaintext. Key generation should reject known weak keys; modern ciphers such as AES have no known weak keys.
 Several types of cryptographic keys can be generated, including symmetric keys, asymmetric key pairs, digital signature keys, and the secret keys used by keyed hashes such as HMAC. With a trusted modern algorithm, the strength of protection depends primarily on the key length and on how the key is generated, stored and used; a 256-bit key produced by a weak random number generator, or stored where an attacker can read it, offers no protection at all.
 Choose the key length so that it protects data confidentiality or integrity for an adequate
period of time. Data that is more sensitive and needs to be kept secret longer must use
longer keys.
 Performance is another issue that can influence the choice of a key length. An
administrator must find a good balance between the speed and protective strength of an
algorithm, because some algorithms, such as the Rivest, Shamir, and Adleman (RSA)
algorithm, run slowly due to large key lengths.
Confidentiality

 There are two classes of encryption used to provide data confidentiality: asymmetric and symmetric. These two classes differ in how they use keys.
 Symmetric encryption algorithms such as Data Encryption Standard (DES), 3DES, and Advanced Encryption Standard (AES) are based on the premise that each communicating party knows the pre-shared key. Data confidentiality can also be provided using asymmetric algorithms such as Rivest, Shamir, and Adleman (RSA); in practice the public keys are distributed and validated through a public key infrastructure (PKI), which is a trust framework rather than an encryption algorithm.
 Symmetric algorithms use the same pre-shared key to encrypt and decrypt data. A pre-
shared key, also called a secret key, is known by the sender and receiver before any
encrypted communications can take place. Symmetric encryption algorithms are
commonly used with VPN traffic because symmetric algorithms use less CPU resources
than asymmetric encryption algorithms. To ensure that the encryption is safe, a
minimum key length of 128 bits should be used. Use a longer key for more secure
communications.
 Symmetric encryption algorithms are classified as either a block cipher or a stream cipher.
o Block ciphers transform a fixed-length block of plaintext (64 bits for DES and 3DES, 128 bits for AES) into a block of ciphertext of the same size. A mode of operation (CBC, CTR, GCM) defines how longer messages are processed; ECB mode, which encrypts each block independently, leaks patterns and should not be used.
o Stream ciphers generate a keystream from the key and combine it with the plaintext, usually by XOR, one bit or one byte at a time. A block cipher in CTR mode behaves as a stream cipher. Stream ciphers are typically fast because data is encrypted continuously without padding, but a keystream must never be reused with the same key and nonce: XORing two ciphertexts that share a keystream cancels the keystream and exposes the plaintexts.
 Asymmetric algorithms, also called public-key algorithms, are designed so that the key that is used for encryption is different from the key that is used for decryption. Asymmetric encryption can use key lengths between 512 and 4,096 bits. RSA key lengths greater than or equal to 2,048 bits can be trusted, while key lengths of 1,024 bits or shorter are considered insufficient. Examples of protocols that use asymmetric key algorithms include Internet Key Exchange (IKE), Transport Layer Security (TLS, the successor of Secure Sockets Layer, SSL), Secure Shell (SSH), and Pretty Good Privacy (PGP). The two uses can be summarized with two formulas: Public Key (Encrypt) + Private Key (Decrypt) = Confidentiality, and Private Key (Sign) + Public Key (Verify) = Authentication, which is a digital signature. Diffie-Hellman (DH) is an asymmetric mathematical algorithm that allows two computers to generate an identical shared secret without having communicated before. The shared secret itself is never transmitted between the sender and receiver. DH is commonly used to establish session keys for IPsec VPNs and for SSH. On its own, DH does not authenticate the peers, so a man in the middle can run a separate exchange with each side; protocols therefore combine DH with an authentication step such as a digital signature or a pre-shared key.
MODULE 11
11.1 IDS AND IPS CHARACTERISTICS
11.1.1 ZERO-DAY ATTACKS

 Malware can spread across the world in a matter of minutes. A network must instantly
recognize and mitigate malware threats. Firewalls can only do so much and cannot
provide protection against all malware and zero-day attacks.
 A zero-day attack, sometimes referred to as a zero-day threat, is a cyberattack that tries
to exploit software vulnerabilities that are unknown or undisclosed by the software
vendor, as shown in the figure. The term zero-day describes the moment when a
previously unknown threat is identified.

 During the time it takes the software vendor to develop and release a patch, the network
is vulnerable to these exploits, as shown in the figure. Defending against these fast-
moving attacks requires network security professionals to adopt a more sophisticated
view of the network architecture. It is no longer possible to contain intrusions at a few
points in the network.
Microsoft Internet Explorer Zero-Day Vulnerability

11.1.2 MONITOR FOR ATTACKS


 One approach to detecting malware exploits early is for an administrator to continuously monitor the network and analyse the log files generated by network devices.
 Security operations center (SOC) tools, such as security information and event management (SIEM) and security orchestration, automation, and response (SOAR) systems, automate the log file gathering and analysis process.
 It has become an accepted fact that malware will enter the network despite the best
defences. For this reason, a multilayered approach to malware protection must be
employed.
 Logfiles generated by devices at each layer will help to identify whether an exploit has
occurred, the diagnostic features of the exploit, and the extent of the damage within the
enterprise.
 The information gathered in logfiles will also help to inform measures taken in response
to the exploit, such as containment and mitigation.

 Intrusion Detection Systems (IDS) were implemented to passively monitor the traffic on
a network. The figure shows that an IDS-enabled device copies the traffic stream and
analyses the copied traffic rather than the actual forwarded packets.

Intrusion Detection System Operation

 Working offline, the IDS compares the captured traffic stream with known malicious
signatures, similar to software that checks for viruses. Working offline means several
things:
o The IDS works passively.
o The IDS device is physically positioned in the network so that traffic must be
mirrored in order to reach it.
o Network traffic does not pass through the IDS unless it is mirrored.
o Very little latency is added to network traffic flow.
 Although the traffic is monitored, logged, and perhaps reported, no action is taken on
packets by the IDS. This offline IDS implementation is referred to as promiscuous
mode.
 The advantage of operating with a copy of the traffic is that the IDS does not negatively
affect the packet flow of the forwarded traffic. The disadvantage of operating on a copy
of the traffic is that the IDS cannot stop malicious single-packet attacks from reaching
the target. An IDS often requires assistance from other networking devices, such as
routers and firewalls, to respond to an attack.
 A better solution is to use a device that can immediately detect and stop an attack. An
Intrusion Prevention System (IPS) performs this function.
11.1.3 INTRUSION PREVENTION AND DETECTION DEVICES

 A networking architecture paradigm shift is required to defend against fast-moving and evolving attacks. This must include cost-effective detection and prevention systems, such as intrusion detection systems (IDS) or the more scalable intrusion prevention systems (IPS). The network architecture integrates these solutions into the entry and exit points of the network.
 When implementing IDS or IPS, it is important to be familiar with the types of systems
available, host-based and network-based approaches, the placement of these systems,
the role of signature categories, and possible actions that a Cisco IOS router can take
when an attack is detected.
 The figure shows how an IPS device handles malicious traffic.
IDS and IPS Characteristics

 IDS and IPS technologies are both deployed as sensors. An IDS or IPS sensor can be in
the form of several different devices:
o A router configured with IPS software
o A device specifically designed to provide dedicated IDS or IPS services
o A hardware module installed in an adaptive security appliance (ASA), switch,
or router
 IDS and IPS technologies use signatures to detect patterns in network traffic. A
signature is a set of rules that an IDS or IPS uses to detect malicious activity. Signatures
can be used to detect severe breaches of security, to detect common network attacks,
and to gather information. IDS and IPS technologies can detect atomic signature
patterns (single-packet) or composite signature patterns (multi-packet).
11.1.4 ADVANTAGES AND DISADVANTAGES OF IDS AND IPS

 The table summarizes the advantages and disadvantages of IDS and IPS:

Solution: IDS
o Advantages: no impact on network (latency, jitter); no network impact if there is a sensor failure; no network impact if there is sensor overload
o Disadvantages: response action cannot stop trigger packets; correct tuning required for response actions; more vulnerable to network security evasion techniques
Solution: IPS
o Advantages: stops trigger packets; can use stream normalization techniques
o Disadvantages: sensor issues might affect network traffic; sensor overloading impacts the network; some impact on network (latency, jitter)

IDS Advantages and Disadvantages

 Advantages: An IDS is deployed in offline mode and therefore:
o The IDS does not impact network performance. Specifically, it does not introduce latency, jitter, or other traffic flow issues.
o The IDS does not affect network functionality if the sensor fails. It only affects the ability of the IDS to analyse the data.
 Disadvantages:
o An IDS sensor cannot stop the packets that have triggered an alert and is less helpful in detecting email viruses and automated attacks, such as worms.
o Tuning IDS sensors to achieve expected levels of intrusion detection can be
very time-consuming. Users deploying IDS sensor response actions must have a
well-designed security policy and a good operational understanding of their IDS
deployments.
o An IDS implementation is more vulnerable to network security evasion
techniques because it is not inline.
IPS Advantages and Disadvantages

 Advantages:
o An IPS sensor can be configured to drop the trigger packets, the packets
associated with a connection, or packets from a source IP address.
o Because IPS sensors are inline, they can use stream normalization. Stream
normalization is a technique used to reconstruct the data stream when the attack
occurs over multiple data segments.
 Disadvantages:
o Because it is deployed inline, errors, failure, and overwhelming the IPS sensor
with too much traffic can have a negative effect on network performance.
o An IPS sensor can affect network performance by introducing latency and jitter.
o An IPS sensor must be appropriately sized and implemented so that time-
sensitive applications, such as VoIP, are not adversely affected.
Deployment Considerations

 You can deploy both an IPS and an IDS. Using one of these technologies does not
negate the use of the other. In fact, IDS and IPS technologies can complement each
other.
 For example, an IDS can be implemented to validate IPS operation because the IDS can
be configured for deeper packet inspection offline. This allows the IPS to focus on
fewer but more critical traffic patterns inline.
 Deciding which implementation to use is based on the security goals of the organization
as stated in their network security policy.

11.2 IPS IMPLEMENTATION


11.2.1 TYPES OF IPS

 There are two primary kinds of IPS available: host-based IPS and network-based IPS.
Host-based IPS

 Host-based IPS (HIPS) is software installed on a host to monitor and analyze suspicious
activity.
 A significant advantage of HIPS is that it can monitor and protect operating system and
critical system processes that are specific to that host.
 With detailed knowledge of the operating system, HIPS can monitor abnormal activity
and prevent the host from executing commands that do not match typical behavior. This
suspicious or malicious behavior might include unauthorized registry updates, changes
to the system directory, executing installation programs, and activities that cause buffer
overflows. Network traffic can also be monitored to prevent the host from participating
in a denial-of-service (DoS) attack or being part of an illicit FTP session.
 HIPS can be thought of as a combination of antivirus software, antimalware software,
and a firewall. An example of a HIPS is Windows Defender. It provides a range of
protection measures for Windows hosts. Combined with a network-based IPS, HIPS is
an effective tool in providing additional protection for the host.
 A disadvantage of HIPS is that it operates only at a local level. It does not have a
complete view of the network, or coordinated events that might be happening across the
network. To be effective in a network, HIPS must be installed on every host and have
support for every operating system. The table lists the advantages and disadvantages of
HIPS.

Advantages:
o Provides protection specific to a host operating system
o Provides operating system and application level protection
o Protects the host after the message is decrypted
Disadvantages:
o Operating system dependent
o Must be installed on all hosts

Network-based IPS

 A network-based IPS can be implemented using a dedicated or non-dedicated IPS device such as a router. Network-based IPS implementations are a critical component of intrusion prevention. Host-based IDS/IPS solutions must be integrated with a network-based IPS implementation to ensure a robust security architecture.
 Sensors detect malicious and unauthorized activity in real time and can take action
when required. As shown in the figure, sensors are deployed at designated network
points. This enables security managers to monitor network activity while it is occurring,
regardless of the location of the attack target.
Sample IPS Sensor Deployment

11.2.2 NETWORK-BASED IPS

 Network-based IPS sensors can be implemented in several ways:
o On a Cisco Firepower appliance
o On an ASA firewall device
o On an ISR router
o As a virtual Next-Generation IPS (NGIPSv) for VMware
 An example of a network-based IPS is the Cisco Firepower NGIPS. It is tuned for
intrusion prevention analysis. The underlying operating system of the platform is
stripped of unnecessary network services, and essential services are secured. This is
known as hardening.
 The hardware of all network-based sensors includes three components:
o NIC - The network-based IPS must be able to connect to any network, such as
Ethernet, Fast Ethernet, and Gigabit Ethernet.
o Processor - Intrusion prevention requires CPU power to perform intrusion
detection analysis and pattern matching.
o Memory - Intrusion detection analysis is memory-intensive. Memory directly
affects the ability of a network-based IPS to efficiently and accurately detect an
attack.
 Network-based IPS gives security managers real-time security insight into their
networks regardless of growth.
 Additional hosts can be added to protected networks without requiring more sensors.
Additional sensors are only required when their rated traffic capacity is exceeded, when
their performance does not meet current needs, or when a revision in security policy or
network design requires additional sensors to help enforce security boundaries. When
new networks are added, additional sensors are easy to deploy.
11.2.3 MODES OF DEPLOYMENT

 IDS and IPS sensors can operate in inline mode (also known as inline interface pair
mode) or promiscuous mode (also known as passive mode).
 As shown in the figure, packets do not flow through the sensor in promiscuous mode.
The sensor analyses a copy of the monitored traffic, not the actual forwarded packet.
The advantage of operating in promiscuous mode is that the sensor does not affect the
packet flow with the forwarded traffic.
 The disadvantage of operating in promiscuous mode is that the sensor cannot stop
malicious traffic from reaching its intended target for certain types of attacks, such as
atomic attacks (single-packet attacks).
 The response actions implemented by promiscuous sensor devices are post-event
responses and often require assistance from other networking devices (for example,
routers and firewalls) to respond to an attack.
 Such response actions can prevent some classes of attacks. However, in atomic attacks
the single packet has the chance of reaching the target system before the promiscuous-
based sensor can apply an ACL modification on a managed device (such as a firewall,
switch, or router). In the figure, Switched Port Analyzer (SPAN) is used to mirror the
traffic entering, going to, and coming from the host.
Promiscuous Mode

 As shown in the figure below, operating in inline mode puts the IPS directly into the
traffic flow and makes packet-forwarding rates slower by adding latency. Inline mode
allows the sensor to stop attacks by dropping malicious traffic before it reaches the
intended target, thus providing a protective service.
 Not only is the inline device processing information on Layers 3 and 4, but it is also
analysing the contents and payload of the packets for more sophisticated embedded
attacks (Layers 3 to 7).
 This deeper analysis lets the system identify and stop or block attacks that would pass
through a traditional firewall device. An IDS sensor could also be deployed inline. The
IDS would be configured so that it only sends alerts and does not drop any packets.
Inline Mode

11.3 IPS ON CISCO ISRs


11.3.1 IPS COMPONENTS

 An IPS sensor has two components:
o IPS detection and enforcement engine - To validate traffic, the detection engine compares incoming traffic with known attack signatures that are included in the IPS attack signature package.
o IPS attack signatures package - This is a list of known attack signatures that are contained in one file. The signature pack is updated frequently as new attacks are discovered. Network traffic is analysed for matches to these signatures.
 As shown in the figure, the IPS detection and enforcement engine that can be
implemented depends on the router platform:
o Cisco IOS Intrusion Prevention System (IPS) - This is available on older
Cisco 800, 1900, 2900, and 3900 Series ISRs. IOS IPS is no longer supported
and should not be used.
o Cisco Snort IPS - This is available on the Cisco 4000 Series ISRs and Cisco
Cloud Services Routers in the 1000v Series.
 The Cisco Snort IPS delivers traditional intrusion detection and prevention by
comparing network traffic to continually updated databases of known malware and
threat signatures. The Cisco IOS IPS signatures are no longer updated.
Cisco IPS Options

11.3.2 CISCO IOS IPS

 Enabling a router to work as an IPS is a cost-effective way to protect branch office networks. Rather than purchasing a router and a dedicated IPS device, combining the functionalities in one device not only saves money but also simplifies network designs and administration.
 In the past, a Cisco ISR could be enabled as an IPS sensor that scanned packets and
sessions to match any of the Cisco IOS IPS signatures. The legacy Cisco IOS IPS
operated in RAM as illustrated in the figure. This means that it shared device memory
with other Cisco IOS features.
 When Cisco IOS IPS detected suspicious activity, it responded before network security
could be compromised. It logged the event as Cisco IOS syslog messages or through
Security Device Event Exchange (SDEE).
 The network administrator could configure the Cisco IOS IPS to choose the appropriate
response to various threats. For example, when packets in a session matched a
signature, Cisco IOS IPS could be configured to respond as follows:
o Send an alarm to a syslog server or a centralized management interface
o Drop the packet
o Reset the connection
o Deny traffic from the source IP address of the threat for a specified amount of
time
o Deny traffic on the connection for which the signature was seen for a specified
amount of time
Cisco IOS IPS

11.3.3 SNORT IPS

 Many of the devices that supported Cisco IOS IPS are no longer available, or no longer
supported. The newer Cisco 4000 Series Integrated Services Routers (ISR) no longer
support IOS IPS. Instead, they provide IPS services using the Snort IPS feature. Snort
IPS complements existing network security features of the 4000 Series without the need
to deploy a second appliance at branch locations.
 Snort is the most widely deployed IPS solution in the world. It is an open source
network IPS that performs real-time traffic analysis and generates alerts when threats
are detected on IP networks. It can also perform protocol analysis, content searching or
matching, and detect a variety of attacks and probes, such as buffer overflows, stealth
port scans, and so on.
 The Snort engine runs in a virtual service container on Cisco 4000 Series ISRs. A virtual service container is a virtual machine that runs on the ISR router operating system. Service containers are applications that can be hosted directly on Cisco IOS XE routing platforms. These apps use the Linux foundation of the IOS XE operating system to host both Linux Containers (LXC) and Kernel-based Virtual Machine (KVM) guests. The Snort container is distributed as an Open Virtual Appliance (OVA) file that is installed on the router.
 Unlike IOS IPS, Snort IPS can use the compute power reserved for the service container to scale security with the platform without affecting routing capabilities or other data plane functionality. The virtual service supports three resource profiles that indicate how the Snort container uses system CPU, RAM, and flash or disk resources.
Snort IPS

11.3.4 SNORT OPERATION

 Snort IPS signatures are delivered automatically to the ISR by Cisco Talos. There are
currently more than 30,000 signatures in the Snort rule set. It also supports the ability to
customize rule sets and provides centralized deployment and management capabilities
for 4000 Series ISRs.
 Snort can be enabled in either of the following modes:
o IDS mode - Snort inspects the traffic and reports alerts, but does not take any
action to prevent attacks.
o IPS mode - In addition to intrusion detection, actions are taken to prevent
attacks.
 In the network intrusion detection and prevention mode, Snort performs the following actions:
o Monitors network traffic and analyses it against a defined rule set.
o Performs attack classification.
o Invokes the action defined by each matched rule (for example alert, log, or drop).
 The Snort IPS monitors the traffic and reports events to an external log server or the IOS syslog. Enabling logging to the IOS syslog may impact performance due to the potential volume of log messages. External third-party monitoring tools that support Snort logs can be used for log collection and analysis.
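The monitor, classify, act loop described in 11.3.4, together with the stream normalization advantage listed for inline IPS in 11.1.4, worked as an added example. This is illustrative code written for these notes, not Snort and not Cisco's Snort IPS container. The two rules are written in Snort's text syntax but only the msg, content and sid options are honoured; the packets, the flow identifier and the split-pattern attack are constructed for the demonstration.

```python
"""A miniature signature engine: parses Snort-style rules, matches atomic
(single-packet) and composite (multi-segment) patterns, and applies IDS mode
(alert only) or IPS mode (enforce the rule's action)."""
import re
from dataclasses import dataclass, field

# Constructed rules in Snort's syntax: action proto src sport -> dst dport (options).
# Only msg, content and sid are used; real Snort has many more options.
RULES_TEXT = """
drop tcp any any -> any 80 (msg:"WEB-ATTACK /etc/passwd access"; content:"/etc/passwd"; sid:1000001; rev:1;)
alert tcp any any -> any 21 (msg:"FTP SITE EXEC attempt"; content:"SITE EXEC"; sid:1000002; rev:1;)
"""

RULE_RE = re.compile(r"^(\w+)\s+tcp\s+\S+\s+\S+\s+->\s+\S+\s+(\S+)\s+\((.*)\)\s*$")


@dataclass
class Rule:
    action: str      # alert = report only; drop = report and block (in IPS mode)
    dport: int       # 0 means "any"
    content: bytes   # byte pattern searched for in the payload
    msg: str
    sid: int


@dataclass
class Packet:
    flow: str        # 5-tuple key, e.g. "10.0.0.5:41000->10.0.0.80:80"
    dport: int
    payload: bytes


def parse_rules(text: str) -> list[Rule]:
    rules = []
    for line in text.strip().splitlines():
        m = RULE_RE.match(line.strip())
        if not m:
            raise ValueError(f"unparsable rule: {line!r}")
        action, dport, opts = m.groups()
        fields = {}
        for opt in opts.split(";"):
            name, _, val = opt.strip().partition(":")
            if name:
                fields[name] = val.strip().strip('"')
        rules.append(Rule(action, 0 if dport == "any" else int(dport),
                          fields["content"].encode(), fields["msg"], int(fields["sid"])))
    return rules


RULES = parse_rules(RULES_TEXT)


@dataclass
class Engine:
    rules: list[Rule]
    mode: str                      # "ids": alert only; "ips": enforce rule actions
    reassemble: bool = True        # False models a per-packet (atomic-only) matcher
    events: list[tuple[int, str]] = field(default_factory=list)
    tails: dict[str, bytes] = field(default_factory=dict)

    def inspect(self, pkt: Packet) -> str:
        """Return the verdict ('forward' or 'drop') and record (sid, msg) events."""
        # Stream normalization: prepend the unmatched tail of the same flow so a
        # pattern split across two segments is still seen as one string.
        data = (self.tails.get(pkt.flow, b"") if self.reassemble else b"") + pkt.payload
        verdict = "forward"
        for rule in self.rules:
            if rule.dport not in (0, pkt.dport) or rule.content not in data:
                continue
            self.events.append((rule.sid, rule.msg))
            if self.mode == "ips" and rule.action == "drop":
                verdict = "drop"
        if self.reassemble:
            keep = max(len(r.content) for r in self.rules) - 1
            self.tails[pkt.flow] = data[-keep:] if keep else b""
        return verdict


def single_packet(mode: str) -> tuple[str, int]:
    """Atomic signature: the whole pattern sits in one packet. An 'alert' rule
    never drops, even in IPS mode."""
    eng = Engine(RULES, mode)
    verdict = eng.inspect(Packet("ftp-flow", 21, b"SITE EXEC %p%p%p\r\n"))
    return verdict, len(eng.events)


def evasion_demo() -> dict[str, tuple[list[str], int]]:
    """The attacker splits '/etc/passwd' across two TCP segments of one flow.
    Returns {engine: ([verdict per segment], number of events)}."""
    flow = "10.0.0.5:41000->10.0.0.80:80"
    segments = [Packet(flow, 80, b"GET /etc/pa"), Packet(flow, 80, b"sswd HTTP/1.0\r\n\r\n")]
    engines = {
        "ids_per_packet": Engine(RULES, "ids", reassemble=False),  # misses it entirely
        "ids_stream": Engine(RULES, "ids"),                        # sees it, alerts only
        "ips_stream": Engine(RULES, "ips"),                        # sees it, drops segment 2
    }
    return {name: ([eng.inspect(p) for p in segments], len(eng.events))
            for name, eng in engines.items()}


if __name__ == "__main__":
    for name, (verdicts, n) in evasion_demo().items():
        print(f"{name:15s} verdicts={verdicts} events={n}")
```

Two points from the output: the per-packet matcher never fires, which is the evasion an offline IDS without reassembly is exposed to; and even the inline IPS forwards the first segment, because the decision can only be made once the second segment arrives. The tail kept per flow is one byte shorter than the longest pattern, so a match always involves new bytes and the same event is not raised twice.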
11.3.5 SNORT FEATURES

 The table lists the features and benefits of Snort IPS:

Feature: Signature-based intrusion detection system (IDS) and intrusion prevention system (IPS)
Benefit: Snort open-source IPS, capable of performing real-time traffic analysis and packet logging on IP networks, runs on the 4000 Series ISR service container without the need to deploy an additional device at the branch.
Feature: Snort rule set updates
Benefit: Snort rule set updates for 4000 Series ISRs are generated by Cisco Talos, a group of leading-edge network security experts who work around the clock to proactively discover, assess, and respond to the latest trends in hacking activities, intrusion attempts, malware, and vulnerabilities.
Feature: Snort rule set pull
Benefit: The router will be able to download rule sets directly from cisco.com or snort.org to a local server, using one-time commands or periodic automated updates.
Feature: Snort rule set push
Benefit: A centralized management tool can push the rule sets based on preconfigured policy, instead of the router directly downloading on its own.
Feature: Signature allowed listing
Benefit: Allowed listing allows the disabling of certain signatures from the rule set. Disabled signatures can be reenabled at any time.

11.3.6 SNORT SYSTEM REQUIREMENTS

 To run the service container infrastructure with IDS/IPS functionality, Snort IPS
requires an ISR 4000 (i.e., 4300 or higher) with a minimum of 8 GB of memory
(DRAM) and 8 GB of flash.
 Note: The Cisco 4200 series ISR does not support the default Snort IPS
implementation.
 A security K9 license (SEC) is required to activate Snort IPS functionality. Customers
also need to purchase a yearly subscription for the signature package distributed on
cisco.com. To keep current with the latest threat protection, Snort rule sets are term-
based subscriptions, available for one or three years.
 There are two types of term-based subscriptions:
o Community Rule Set - This set offers limited coverage against threats,
focusing on reactive response to security threats versus proactive research
work. There is 30-day delayed access to updated signatures in the Community
Rule Set, and this subscription does not entitle the customer to Cisco support.
o Subscriber Rule Set - This set offers the best protection against threats. It
includes coverage in advance of exploits by using the research work of the
Cisco Talos security experts. The Subscriber Rule Set also provides the fastest
access to updated signatures in response to a security incident or the proactive
discovery of a new threat. This subscription is fully supported by Cisco.
 PulledPork is a rule management application that can be used to automatically
download Snort rule updates. In order to use PulledPork, you must obtain an
authorization code, called an oinkcode, from your snort.org account. The oinkcode is
free with registration.

11.4 CISCO SWITCHED PORT ANALYSER


11.4.1 NETWORK MONITORING METHODS

 The day-to-day operation of a network consists of common patterns of traffic flow, bandwidth usage, and resource access. Together, these patterns identify normal network behaviour. Security analysts must be intimately familiar with normal network behaviour because abnormal network behaviour typically indicates a problem.
 To determine normal network behaviour, network monitoring must be implemented.
Various tools are used to help discover normal network behaviour including IDS,
packet analysers, SNMP, NetFlow, and others.
 Some of these tools require captured network data. There are two common methods
used to capture traffic and send it to network monitoring devices:
o Network taps, sometimes known as test access points (TAPs)
o Traffic mirroring using Switch Port Analyzer (SPAN) or other port mirroring
approaches
11.4.2 NETWORK TAPS

 A network tap is typically a passive splitting device implemented inline between a device of interest and the network. A tap forwards all traffic, including physical layer errors, to an analysis device while also allowing the traffic to reach its intended destination.
 The figure displays a sample topology displaying a tap installed between a network
firewall and the internal router.

 Notice how the tap simultaneously sends both the transmit (TX) data stream from the
internal router and the receive (RX) data stream to the internal router on separate,
dedicated channels. This ensures that all data arrives at the monitoring device in real
time. Therefore, network performance is not affected or degraded by monitoring the
connection.
 Taps are also typically fail-safe, which means if a tap fails or loses power, traffic
between the firewall and internal router is not affected.
 Search the internet for information on NetScout Taps for copper UTP Ethernet, fiber
Ethernet, and serial links.
11.4.3 TRAFFIC MIRRORING AND SPAN

 Network switches segment the network by design. This limits the amount of traffic that
is visible to network monitoring devices.
 Because capturing data for network monitoring requires all traffic to be captured,
special techniques must be employed to bypass the network segmentation imposed by
network switches.
 Port mirroring is one of these techniques. Supported by many enterprise switches, port
mirroring enables the switch to copy frames that are received on one or more ports to a
Switch Port Analyzer (SPAN) port that is connected to an analysis device.
 The table identifies and describes terms used by the SPAN feature:

SPAN Term: Ingress traffic. Description: Traffic that enters the switch.
SPAN Term: Egress traffic. Description: Traffic that leaves the switch.
SPAN Term: Source (SPAN) port. Description: A port whose traffic (received, transmitted, or both, as configured) is replicated (mirrored) to the destination port.
SPAN Term: Destination (SPAN) port. Description: The port that receives the mirrored copies from the source ports. Destination SPAN ports often connect to analysis devices such as a packet analyser or an IDS.

 The figure shows a switch that interconnects two hosts and mirrors traffic to an
intrusion detection device (IDS) and network management server.
SPAN

 The switch will forward ingress traffic on F0/1 and egress traffic on F0/2 to the
destination SPAN port G0/1 that connects to an IDS.
 The association between source ports and a destination port is called a SPAN session. In
a single session, one or multiple ports can be monitored. On some Cisco switches,
session traffic can be copied to more than one destination port. Alternatively, a source
VLAN can be specified in which all ports in the source VLAN become sources of
SPAN traffic. Each SPAN session can have ports or VLANs as sources, but not both.
 Note: A variation of SPAN called Remote SPAN (RSPAN) enables a network
administrator to use the flexibility of VLANs to monitor traffic on remote switches.
11.4.4 CONFIGURE CISCO SPAN

 The SPAN feature on Cisco switches sends a copy of each frame entering the source
port out the destination port and toward the packet analyser or IDS.
 A session number is used to identify a SPAN session. The examples show the monitor
session command, which is used to associate a source port and a destination port with a
SPAN session. A separate monitor session command is used for each session. A
VLAN can be specified instead of a physical port.

Switch(config)# monitor session number source [interface interface | vlan vlan]
Switch(config)# monitor session number destination [interface interface | vlan vlan]

 In the figure below, PCA is connected to F0/1 and an IDS is connected to F0/2. The
objective is to capture all the traffic that is sent or received by PCA on port F0/1 and
send a copy of those frames to the IDS (or a packet analyser) on port F0/2. The SPAN
session on the switch will copy all the traffic that it sends and receives on source port
F0/1 to the destination port F0/2.
Cisco SPAN Configuration
S1(config)# monitor session 1 source interface fastethernet 0/1
S1(config)# monitor session 1 destination interface fastethernet 0/2

 The show monitor command is used to verify the SPAN session. The command
displays the type of the session, the source ports for each traffic direction, and the
destination port. In the example below, the session number is 1, the source port for both
traffic directions is F0/1, and the destination port is F0/2. The ingress SPAN is disabled
on the destination port, so only traffic that leaves the destination port is copied to that
port.
S1# show monitor
Session 1
---------
Type : Local Session
Source Ports :
Both : Fa0/1
Destination Ports : Fa0/2
Encapsulation : Native
Ingress : Disabled

S1#

 Note: Remote SPAN (RSPAN) can be used when the packet analyser or IDS is on a
different switch than the traffic being monitored.
 RSPAN extends SPAN by enabling remote monitoring of multiple switches across the
network. The traffic for each RSPAN session is carried over a user-specified RSPAN
VLAN that is dedicated (for that RSPAN session) in all participating switches.
IPS TECHNOLOGIES SUMMARY
11.5.1 WHAT DID I LEARN IN THIS MODULE?
IDS and IPS Characteristics

 Malware is an ever-increasing threat to network security. New network attacks occur
daily. The threat landscape is constantly evolving.
 Monitoring network logs is one way to know that an exploit has occurred. But by then it
is too late.
 IDS and IPS make up part of a multi-layered approach to network security.
 IDS work offline to detect malicious traffic through traffic mirroring.
 IDS can alert security personnel about a potential attack.
 While the IDS does nothing to stop network attacks, it has no effect on network
performance.
 IPS devices work inline to prevent network attacks, however they can add latency and
slow network performance.
 IDS and IPS devices can be routers equipped with IPS software, dedicated devices, or
hardware modules installed in adaptive security appliances, switches or routers.
IPS Implementations

 Intrusion prevention systems can be host-based or network-based.
 HIPS are installed on network hosts. They monitor activity on the host and can prevent
attacks and log suspicious activity.
 HIPS are like a combination of antimalware and firewall software.
 HIPS have mostly a local view of the network and are only an effective solution if they
are used on all hosts. In addition, they should not be the only security measure taken in
a network, but instead are just one layer of security.

 NIPS can be implemented using a dedicated device or a router with IPS software.
 Network-based IPS act in real time to block malicious software and network attacks.
 Network-based IPS can be deployed in two modes.
 In promiscuous mode, they function as IDS by monitoring mirrored traffic. While they
can’t stop network attacks, they can alert personnel and log information when attacks
occur.
 An inline mode IPS processes all traffic that enters a network and checks that traffic at
Layers 3 to 7. IPS can also check the contents of payloads that are carried in network
traffic, such as email attachments. Because inline mode puts the IPS directly into the
traffic flow it makes packet-forwarding rates slower by adding latency. Inline mode
allows the sensor to stop attacks by dropping malicious traffic before it reaches the
intended target.
IPS on Cisco ISRs

 Enabling IPS functionality on routers at the branch level is a cost-effective way to
protect networks with a single device.
 The IPS detection and enforcement engine that ran on legacy router platforms was the
Cisco IOS IPS.
 However, the Cisco IOS IPS is no longer supported. For the 4000 Series ISR, the Cisco
Snort IPS has replaced the IOS IPS.
 Snort runs in a virtual container on the router hardware.
 The IPS function does not affect the traffic forwarding functions of the router.
 When running as an IPS, Snort monitors network traffic and analyses it against a
defined-rule set.
 Snort can classify attacks by type, and can perform actions against the traffic such as
sending alerts, logging events, and acting against traffic when attack signatures are
matched.
 Snort can be configured to automatically update its rules from an internet source such as
Cisco or snort.org. Problematic signatures can be disabled, and custom rules created.
 Snort is intended to be run on 4300 ISR and above. It requires 8 GB of DRAM and 8
GB of Flash to run. Resource profiles can be configured to control how Snort uses ISR
system resources.
Cisco Switched Port Analyser

 SPAN is a technology that enables network monitoring and IDS to function in
segmented networks.
 Network traffic is mirrored from source ports or VLANs to a destination port or VLAN
that is connected to the monitoring device or IDS.
 Traffic from the source ports is copied and sent to the destination port.
 Traffic that enters the switch is called ingress traffic, and traffic that exits the switch is
called egress traffic.
 Source ports carry the traffic that is to be monitored, and destination ports are connected
to the monitoring devices. The monitored traffic is copied and sent out of the
destination port. The configuration of SPAN entails defining the source and destination
switchports.

MODULE 12
12.1 IPS SIGNATURES
12.1.1 IPS SIGNATURE ATTRIBUTES

 The network must be able to identify incoming malicious traffic in order to stop it.
Fortunately, malicious traffic displays distinct characteristics or “signatures”.
 Conceptually similar to the virus.dat file used by virus scanners, a signature is a set of
rules that an IDS and an IPS use to detect typical intrusion activity. Signatures uniquely
identify specific viruses, worms, protocol anomalies, and malicious traffic (e.g., a DoS
attack).
 A malicious packet flow has a specific type of activity and signature. IPS sensors must
be tuned to look for matching signatures or abnormal traffic patterns.
 As sensors scan network packets, they use signatures to detect known attacks and
respond with predefined actions.
 An IDS or IPS sensor examines the data flow using many different signatures. A sensor
takes action when it matches a signature with a data flow, such as logging the event or
sending an alarm to the IDS or IPS management software.
 Signatures also have three distinctive attributes:
o Type - Atomic or Composite
o Trigger - Also called the alarm
o Action - What the IPS will do

12.1.2 TYPES OF SIGNATURES

 Some threats can be identified in one packet while other threats may require many
packets and their state information (i.e., IP addresses, port numbers, and more) to
identify a threat.
 There are two types of signatures:
o Atomic Signature - This is the simplest type of signature because a single
packet, activity, or event identifies an attack. The IPS does not need to maintain
state information and traffic analysis can usually be performed very quickly and
efficiently.
o Composite Signature - Also called a stateful signature because the IPS
requires several pieces of data to match an attack signature. The IPS must also
maintain state information, which is referred to as the event horizon. The length
of an event horizon varies from one signature to the next.
12.1.3 IPS SIGNATURE ALARMS

 The heart of any IPS signature is the signature alarm, which is often referred to as the
signature trigger. The signature alarm (i.e., trigger) for an IPS sensor could be anything
that can reliably signal an intrusion or security policy violation. A network-based IPS
might trigger a signature action if it detects a packet with a payload containing a
specific string that is going to a specific TCP port, for example.
 The IPS signature alarm is analogous to the alarm in a home security system. The
triggering mechanism for a burglar alarm could be a motion detector. When the burglar
alarm is enabled, the movement of an individual entering a room is detected. This
triggers the alarm.
 These triggering mechanisms can be applied to atomic and composite signatures. The
triggering mechanisms can be simple or complex. Every IPS incorporates signatures
that use one or more of these basic triggering mechanisms to trigger signature actions.
 There are four general IPS signature trigger categories as listed in the table.

Detection Type / Advantages

Pattern-Based Detection
 Also known as signature-based detection.
 Simplest triggering mechanism as it searches for a specific and pre-defined atomic or composite pattern.
 An IPS sensor compares the network traffic to a database of known attacks, and triggers an alarm or prevents communication if a match is found.

Anomaly-Based Detection
 Also known as profile-based detection.
 Involves first defining a profile of what is considered normal network or host activity.
 This normal profile is usually defined by monitoring traffic and establishing a baseline.
 Once defined, any activity beyond a specified threshold in the normal profile will generate a signature trigger and action.

Policy-Based Detection
 Also known as behaviour-based detection.
 Although similar to pattern-based detection, an administrator manually defines behaviours that are suspicious based on historical analysis.
 The use of behaviours enables a single signature to cover an entire class of activities without having to specify each individual situation.

Honey Pot-Based Detection
 Honey pot-based detection uses a server as a decoy server to attract attacks.
 The purpose of a decoy server is to lure attacks away from production devices.
 Allows administrators time to analyse incoming attacks and malicious traffic patterns to tune their sensor signatures.

12.1.4 IPS SIGNATURE ACTIONS

 When a signature detects the activity for which it is configured, the signature triggers
one or more actions.
 Depending on the IPS sensor, various actions can be enabled. The table lists some
actions that an IPS sensor may provide.
 Note: The available actions depend on the signature type and the platform.

Alert Category / Specific Action - Description

Generate an alert
o Produce alert - The IPS sends events as alerts.
o Produce verbose alert - The IPS sends a detailed event alert.
Log the activity
o Log attacker packets - Logs packets from the attacker IP address and sends an alert.
o Log pair packets - Logs packets from the victim and attacker IP addresses and sends an alert.
o Log victim packets - Logs packets from the victim IP address and sends an alert.
Deny the activity
o Deny packet inline - Terminates the packet.
o Deny connection inline - Terminates the current packet and future packets on this TCP flow.
o Deny attacker inline - Terminates the current packet and future packets from this attacker address for a specified period of time.
Reset the TCP connection
o Reset TCP connection - Sends TCP resets to hijack and terminate the TCP flow.
Block future activity
o Request block connection - Sends a request to a blocking device to block this connection.
o Request block host - Sends a request to a blocking device to block this attacker host.
o Request SNMP trap - Sends a request to the notification application component of the sensor to perform SNMP notification.

12.1.5 EVALUATING ALERTS

 Triggering mechanisms can generate alarms that are false positives or false negatives.
These alarms must be addressed when implementing an IPS sensor.
 True positives and true negatives are desirable and indicate the IPS is functioning
properly. False positives and false negatives are undesirable and must be investigated.
 The table summarizes the following four types of alarms:

Alarm Type        Network Activity      IPS Activity         Outcome
True positive     Attack traffic        Alarm generated      Ideal setting
True negative     Normal user traffic   No alarm generated   Ideal setting
False positive    Normal user traffic   Alarm generated      Tune alarm
False negative    Attack traffic        No alarm generated   Tune alarm

 Alerts can be classified as follows:
o True positive - (Desirable) This is used when the IPS generates an alarm
because it detected known attack traffic. The alert has been verified to be an
actual security incident and also indicates that the IPS rule worked correctly.
o True negative - (Desirable) This is used when the system is performing as
expected. No alerts are issued because the traffic that is passing through the
system is clear of threats.
o False positive - (Undesirable) This is used when an IPS generates an alarm
after processing normal user traffic that should not have triggered an alarm. The
IPS must be tuned to change these alarm types to true negatives. The alert does
not indicate an actual security incident. Benign activity that results in a false
positive is sometimes referred to as a benign trigger. False positives are costly
because they must be investigated.
o False negative - (Dangerous) This is used when an IPS fails to generate an
alarm and known attacks are not being detected. This means that exploits are
not being detected by the security systems that are in place. These incidents
could go undetected for a long time, and ongoing data loss and damage could
result. The goal is for these alarm types to generate true positive alarms.

12.2 CISCO SNORT IPS

12.2.1 IPS SERVICE OPTIONS

 Intrusion prevention services were available on the first-generation Integrated Services
Routers (ISR G1) using the Cisco IOS IPS. Cisco IOS IPS monitored and prevented
intrusions by comparing traffic against signatures of known threats and blocking the
traffic when a threat was detected.
 Note: Support for Cisco IOS IPS was discontinued in 2018. Therefore, IOS IPS is no longer
recommended on branch routers.
 Organizations now have three options available to provide intrusion prevention
services.
o Cisco Firepower Next-Generation IPS (NGIPS) - These are dedicated in-line
threat prevention appliances that provide industry leading effectiveness against
both known and unknown threats.
o Cisco Snort IPS - This is an IPS service that can be enabled on a second
generation ISR (ISR G2) (i.e., ISR 4000s). Note that Cisco 4000 ISRs no longer
support Cisco IOS IPS.
o External Snort IPS Server - This is similar to the Cisco Snort IPS solution but
requires a promiscuous port (i.e., a SPAN switch port) and an external Snort
IDS/IPS.
12.2.2 NGIPS

 NGIPSs are dedicated IPS appliances. They are built on Snort's core open technology
and use vulnerability-focused IPS rules and embedded IP-, URL-, and DNS-based
security intelligence provided by Cisco Talos.
 NGIPS features include the following:
o IPS rules that identify and block attack traffic targeted at network
vulnerabilities.
o Tightly integrated defence against advanced malware by incorporating
advanced analysis of network and endpoint activity.
o Sandboxing technology that uses hundreds of behavioural indicators to identify
zero-day and evasive attacks.
o Also includes Application Visibility and Control (AVC), Cisco Advanced
Malware Protection (AMP) for Networks, and URL Filtering.
 Note: Further discussion of NGIPS appliances is out of scope for this course.
12.2.3 SNORT IPS

 Snort is an open-source network IPS that performs real-time traffic analysis and
generates alerts when threats are detected on IP networks. It can also perform protocol
analysis, content searching or matching, and detect a variety of attacks and probes (e.g.,
buffer overflows, stealth port scans, and more). Snort was inducted into the InfoWorld
Open Source Hall of Fame as one of the greatest pieces of open source software ever.
 The Snort engine can now run as a virtual container service on Cisco 4000 ISRs and
Cisco Cloud Services Router 1000v Series. It is ideal for smaller organizations looking
for a cost-effective routing and threat defence solution. For instance, an ISR G2 can
provide advanced routing capabilities and integrated threat defence security using Snort
IPS.
 Snort IPS can be implemented with other security features integrated into the 4000
Series ISRs, such as VPN, zone-based Cisco IOS firewalls, and Cisco Cloud Web
Security. This enables the ISR to provide comprehensive threat protection in a small
footprint. This is crucial for small branch locations that need to address security for the
local internet connection. Snort IPS integrated in an ISR is a cost-effective alternative
for branch office locations because a separate firewall device is not required.
 Snort IPS on the 4000 Series ISR provides the following functionalities:
o IDS and IPS mode - Configure threat detection or prevention mode. In
prevention mode, attack traffic will be dropped.
o Three signature levels - Snort provides three levels of signature protection:
connectivity (least secure), balanced (middle option), and security (most
secure). The security level is the most secure as it enables the highest number of
signatures to be verified.
o An allowed list - This provides the ability to turn off certain signatures and
helps to avoid false positives such as legitimate traffic triggering an IPS action.
Up to 1000 entries can be supported in the allowed list.
o Snort health monitoring - Cisco IOS Software keeps track of the health of the
Snort engine that is running in the service container.
o Fail open and close - In the event of IPS engine failure, the router can be
configured to block the traffic flow or to bypass IPS checking until the Snort
engine recovers.
o Signature update - Automatic and manual updates are supported. Snort IPS
can download the signature package directly from cisco.com or a local resource
location over HTTP and HTTPS.
o Event logging - IPS logs can be sent to an independent log collector or
included along with the router syslog stream. Sending IPS logs separately helps
if the security event management tool is different from the regular syslog
server.
12.2.4 SNORT COMPONENTS AND RULES
 Snort IPS for 4000 Series ISRs consists of two components:
o Snort engine - This is the IPS detection and enforcement engine that is
included in the Security (SEC) license for 4000 Series ISRs.
o Snort rule software subscriptions for signature updates - Snort rule sets to
keep current with the latest threat protection are term-based subscriptions,
available for one or three years.

 To address the rapidly evolving threat landscape, it is important to ensure that
signatures are as up-to-date as possible.
 There are two types of term-based subscriptions:
o Community Rule Set - Available for free, this subscription offers limited
coverage against threats. The community rule set focuses on reactive response
to security threats versus proactive research work. There is also a 30-day
delayed access to updated signatures, meaning that the newest rule will be a
minimum of 30 days old. In addition, there is no Cisco customer support
available.
o Subscriber Rule Set - Available for a fee, this service provides the best
protection against threats. It includes coverage of advanced exploits by using the
research work of the Cisco Talos security experts. The Subscriber Rule Set also
provides the fastest access to updated signatures in response to a security
incident or the proactive discovery of a new threat. This subscription is fully
supported by Cisco.
 Note: Contact Cisco Support to obtain the subscriber rule set license.
12.2.5 ISR CONTAINER APPLICATIONS

 Routers were initially packet processing devices. However, over the years, they have
evolved to perform many computing functions. Routers have acquired so much
processing power that server applications can now be hosted inside the router using
virtual machines called service containers.
 Applications such as Snort IPS can be uploaded and hosted on these routers. Service
containers are supported on most IOS XE platforms. IOS XE is based on the Linux
architecture and supports virtual machine hosting.
 The Snort engine runs as a Linux Service Container application on the ISR 4000 as
shown in the figure. This provides it with dedicated computing resources that run
independently of the data plane CPU load. It also makes it easier for the Snort engine to
be regularly updated.

 Specifically, the Snort engine on the 4000 Series ISR runs as a container application.
The 4000 Series ISR uses a multi-core CPU, and the Cisco IOS-XE has the ability to
allocate these cores for control-plane or data-plane functions. Computing resources
unused by control plane functions can be used for running other services. A Linux
container infrastructure hosts these applications. Applications running in this container
infrastructure can have a tighter integration with Cisco IOS Software.
12.2.6 SNORT IPS RULE ALARMS
 In Snort IPS, signatures are configured using “rules”. These rules serve as the signature
alarms by comparing incoming traffic to the Snort rules. Traffic matching a rule header
generates an action.
 A rule header is conceptually similar to an access control list (ACL) statement. It is a
one line statement that identifies malicious traffic.
 The basic rule header command syntax is:
o [action] [protocol] [sourceIP] [sourceport] -> [destIP] [destport] ([Rule options])
 Note: The Rule options contain additional rule information.
 For example, the following sample header generates an alert whenever a TCP
connection from the hosts/ports identified in the rule header source variables is going to the
hosts/ports identified in the destination variables:
o alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any
 Refer to the figure for a detailed explanation of this example.

12.2.7 SNORT IPS RULE ACTIONS

 Snort can be enabled in IDS mode or in IPS mode.
 Snort IDS mode can perform the following three actions:
o Alert - Generate an alert using the selected alert method.
o Log - Log the packet.
o Pass - Ignore the packet.
 Snort IPS mode can perform all the IDS actions plus the following:
o Drop - Block and log the packet.
o Reject - Block the packet, log it, and then send a TCP reset if the protocol is
TCP or an ICMP port unreachable message if the protocol is UDP.
o Sdrop - Block the packet but do not log it.

12.2.8 SNORT IPS HEADER RULE OPTIONS

 A Snort rule header also contains rule options (fields) to provide additional information
for the rule. Options are separated by semicolons (;) and the rule option keywords are
separated from their arguments using colons (:).
 The figure displays sample rule options for the alert tcp $EXTERNAL_NET
$HTTP_PORTS -> $HOME_NET any rule header.

 The table describes the common general rule and the detection rule options in the
sample rule header.
 Note: These are just a few of the different types of rule options. For more examples,
search the internet for "snort rule options".

Rule Option / Description

msg: - This is a simple text string that provides a meaningful message to output when the rule matches.
flow: - Specifies the direction of network traffic.
content: - A detection rule option that allows the rule creator to set rules that search for specific content in the packet payload and trigger a response based on that data. This option data can contain mixed text and binary data.
distance: / offset: - Detection rule keywords that allow the rule creator to specify where to start searching relative to the beginning of the payload or the beginning of a content match.
within: / depth: - Detection rule keywords that allow the rule creator to specify how far forward to search relative to the end of a previous content match and, once that content match is found, how far to search for it.
pcre - A detection rule keyword that allows rules to be written using "perl compatible regular expressions", which allows for more complex matches.
byte_test - A detection rule keyword that allows a rule to test a number of bytes against a specific value in binary.
metadata: - Allows a rule creator to embed additional information about the rule.
reference: - Allows rules to include references to external sources of information.
classtype: - Identifies the potential effect of what a successful attack would be.
sid / rev - The signature ID (sid) is a unique identifier for each rule, making them easy to identify. It should be used with the rev (revision) keyword to indicate the current version of the rule.
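As an added example that is not part of these notes or of Snort's own code, the following Python parses a rule written in the header-and-options form above, separates IDS-mode actions from IPS-only ones, and applies the header and the content:/nocase options to constructed packets; the $HOME_NET, $EXTERNAL_NET and $HTTP_PORTS bindings, the rule options, the sid and the packets are all constructed values.

```python
"""Snort rule header/option parser and matcher (added example; not Snort's or
Cisco's code).  Header form: [action] [protocol] [srcIP] [srcport] -> [dstIP] [dstport]
([options]).  The $HOME_NET/$EXTERNAL_NET/$HTTP_PORTS bindings are constructed."""
import ipaddress
import re
from collections import namedtuple

IDS_ACTIONS = {"alert", "log", "pass"}          # valid in IDS mode (12.2.7)
IPS_ONLY_ACTIONS = {"drop", "reject", "sdrop"}  # need IPS mode to take effect
VARS = {"$HOME_NET": "192.168.0.0/24", "$EXTERNAL_NET": "!192.168.0.0/24",
        "$HTTP_PORTS": "80,8080"}  # constructed; real Snort reads ipvar/portvar

HEADER_RE = re.compile(
    r"^(?P<action>\w+)\s+(?P<proto>\w+)\s+(?P<src>\S+)\s+(?P<sport>\S+)\s+->\s+"
    r"(?P<dst>\S+)\s+(?P<dport>\S+)\s*(?:\((?P<opts>.*)\))?\s*$")
Rule = namedtuple("Rule", "action proto src sport dst dport options")  # options: (key, value)

def parse_options(text):
    """Options are ';'-separated and keyword:argument split on the first ':';
    a ';' inside double quotes belongs to the argument (e.g. inside msg:)."""
    opts = []
    for raw in re.split(r';(?=(?:[^"]*"[^"]*")*[^"]*$)', text):
        raw = raw.strip()
        if raw:
            key, sep, val = raw.partition(":")
            opts.append((key.strip(), val.strip().strip('"') if sep else None))
    return opts

def parse_rule(line):
    m = HEADER_RE.match(line.strip())
    if not m:
        raise ValueError(f"not a Snort rule header: {line!r}")
    if m["action"] not in IDS_ACTIONS | IPS_ONLY_ACTIONS:
        raise ValueError(f"unknown action {m['action']!r}")
    opts = parse_options(m["opts"]) if m["opts"] else []
    return Rule(m["action"], m["proto"], m["src"], m["sport"], m["dst"], m["dport"], opts)

def option(rule, key):
    """All arguments given for a keyword (a rule may carry several content: options)."""
    return [v for k, v in rule.options if k == key]

def match_addr(spec, ip):
    """'any', an address/CIDR or a $variable; a leading '!' negates."""
    spec = VARS.get(spec, spec)
    if spec == "any":
        return True
    net = ipaddress.ip_network(spec.lstrip("!"), strict=False)
    return (ipaddress.ip_address(ip) in net) != spec.startswith("!")

def match_port(spec, port):
    """'any', a port, a 'lo:hi' range or a list such as [80,8080]; '!' negates."""
    spec = VARS.get(spec, spec)
    if spec == "any":
        return True
    hit = False
    for part in spec.lstrip("!").strip("[]").split(","):
        lo, sep, hi = part.partition(":")
        lo = int(lo) if lo else 0
        hi = (int(hi) if hi else 65535) if sep else lo
        hit = hit or lo <= port <= hi
    return hit != spec.startswith("!")

def matches(rule, pkt):
    """Return the rule's action if the header and every content: option match the
    packet, else None.  This is an atomic (single-packet) check: the flow: state a
    composite signature would need is deliberately not evaluated."""
    if rule.proto not in ("ip", pkt["proto"]):
        return None
    if not (match_addr(rule.src, pkt["src"]) and match_port(rule.sport, pkt["sport"])
            and match_addr(rule.dst, pkt["dst"]) and match_port(rule.dport, pkt["dport"])):
        return None
    checks = []  # [pattern, nocase]; in Snort, nocase modifies the preceding content:
    for key, val in rule.options:
        if key == "content":
            checks.append([val.encode(), False])
        elif key == "nocase" and checks:
            checks[-1][1] = True
    payload = pkt.get("payload", b"")
    for pat, nocase in checks:
        if (pat.lower() if nocase else pat) not in (payload.lower() if nocase else payload):
            return None
    return rule.action

# Constructed sample: the header from these notes with constructed rule options.
SAMPLE_RULE = ('alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any '
               '(msg:"constructed marker; in HTTP response"; flow:to_client,established; '
               'content:"X-Constructed-Marker"; nocase; classtype:trojan-activity; '
               'sid:1000001; rev:1;)')
# Constructed packets: a response from an external web server to a home host, and the
# same response from an internal address, which $EXTERNAL_NET excludes.
PKT_HIT = {"proto": "tcp", "src": "203.0.113.10", "sport": 80, "dst": "192.168.0.25",
           "dport": 51234, "payload": b"HTTP/1.1 200 OK\r\nx-constructed-marker: 1\r\n\r\n"}
PKT_MISS = dict(PKT_HIT, src="192.168.0.9")

if __name__ == "__main__":
    rule = parse_rule(SAMPLE_RULE)
    print(rule.action, option(rule, "sid"), matches(rule, PKT_HIT), matches(rule, PKT_MISS))
```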

12.2.9 SNORT IPS OPERATION

 Packets arriving on Snort-enabled interfaces are inspected as follows:
1. Cisco IOS Software forwards the packets to be inspected to the Snort IPS
engine using an internal virtual port group (VPG) interface.
2. Snort IPS inspects the traffic and takes necessary action.
3. Snort drops the packets associated with bad flows (IPS mode). Good flow
packets are returned to the router for further processing.
 Packet exchange between the container applications and the IOS data plane is done
using VPG interfaces. These routed interfaces are connected through the router back
plane. The corresponding interface on the container side will appear as virtual Ethernet
ports.
 Snort IPS requires two VPG interfaces:
1. Management interface - This is the interface that is used to source logs to the
log collector and for retrieving signature updates from Cisco.com. For this
reason, this interface requires a routable IP address.
2. Data interface - This is the interface that is used to send user traffic between
the Snort virtual container service and the router forwarding plane.
 In the figure, VPG0 is used for Snort management traffic while VPG1 is used for user
traffic to be inspected. User traffic to be inspected is forwarded to the Snort engine
using VPG1 as shown. Traffic is then inspected and either rejected (dropped) or
forwarded back to the router as shown.

12.3 CONFIGURE SNORT IPS


12.3.1 SNORT IPS CONFIGURATION STEPS

 To deploy Snort IPS on supported devices, perform the following steps:
o Step 1. Download the Snort OVA file.
o Step 2. Install the OVA file.
o Step 3. Configure Virtual Port Group interfaces.
o Step 4. Activate the virtual services.
o Step 5. Configure Snort specifics.
o Step 6. Enable IPS globally or on desired interfaces.
o Step 7. Verify Snort IPS.
 Note: The Snort IPS functionality is available only in security K9-licensed IOS XE
versions. The security license is required to enable the service. This feature is available
in Cisco IOS XE Release 3.16.1S, 3.17S, and later releases.
12.3.2 STEP 1: DOWNLOAD THE SNORT OVA FILE

 An Open Virtualization Archive (OVA) is a file that contains a compressed, installable
version of a virtual machine. The Snort service OVA file is not bundled with the Cisco
IOS XE Release images installed on the router. Even if an OVA file is
preinstalled in the flash of the router, it is recommended that the latest OVA file be
downloaded from Cisco.com.
 For example, in the figure, the user is downloading the OVA file for an ISR 4321 router
using IOS Fuji-16.9.6.

 Note: CCO access is required to download files from Cisco.com.

12.3.3 STEP 2: INSTALL THE SNORT OVA FILE

 The OVA file must be downloaded and saved in a file location available to the ISR
router (e.g., Flash).
 To install the OVA file, use the virtual-service install name virtual-service-name package file-url media file-system privileged EXEC command. The length of
the name is 20 characters and the complete path to the OVA file must be specified.
 An example configuration is shown below.
R1# virtual-service install name MYIPS package flash:iosxe-utd.16.09.06.1.0.10_SV29130_XE_16_9.ova
Installing package 'bootflash:/iosxe-utd.16.09.06.1.0.10_SV29130_XE_16_9.ova' for virtual-service 'MYIPS'. Once the install has finished, the VM may be activated. Use 'show virtual-service list' for progress.
R1#
*Oct 5 08:07:45.953: %VMAN-5-PACKAGE_SIGNING_LEVEL_ON_INSTALL: R0/0: vman: Package 'iosxe-utd.16.09.06.1.0.10_SV29130_XE_16_9.ova' for service container 'MYIPS' is 'Cisco signed', signing level cached on original install is 'Cisco signed'

R1#

 During the OVA file installation, the security license is checked and an error is reported
if the license is not present. Therefore, the Cisco IOS XE image must be enabled with
the security license. In the output, you can see that the OVA is Cisco signed.
 Use the show virtual-service list command to display the status of the installation of all
applications installed on the virtual service container.
12.3.4 STEP 3: CONFIGURE VIRTUAL PORT GROUP INTERFACES

 Two VirtualPortGroup (VPG) interfaces must then be configured along with their guest
IP addresses.
 In our example, the VPG interfaces will be configured as follows:
o VPG0 - This is for management traffic to exchange information with IPS
servers. The guest IP address needs to be routable to connect to the signature
update server and external log server. It is also used to log traffic to log
collectors.
o VPG1 - This is for user traffic marked for inspection. This should not be
routable and therefore uses a non-routable private IP address.
 Note: Be sure to provide proper NAT and routing to enable the management VPG to
reach the log server as well as cisco.com to retrieve signature update files.
 The following is a sample configuration of VPG0 and VPG1.
R1# configure terminal
R1(config)# interface VirtualPortGroup0
R1(config-if)# description Management interface
R1(config-if)# ip address 209.165.201.1 255.255.255.252
R1(config-if)# exit
R1(config)#
*Oct 5 08:13:10.970: %LINEPROTO-5-UPDOWN: Line protocol on Interface VirtualPortGroup0, changed state to up
R1(config)# interface VirtualPortGroup1
R1(config-if)# description Data interface
R1(config-if)# ip address 192.168.0.1 255.255.255.252
R1(config-if)# exit
R1(config)#
*Oct 5 08:13:12.921: %LINEPROTO-5-UPDOWN: Line protocol on Interface VirtualPortGroup1, changed state to up
R1#

12.3.5 STEP 4: ACTIVATE VIRTUAL SERVICES

 The next step is to configure guest IPs on the same subnet for the container side and
activate the virtual service as shown in the output.
R1(config)# virtual-service MYIPS
R1(config-virt-serv)# vnic gateway VirtualPortGroup0
R1(config-virt-serv-vnic)# guest ip address 209.165.201.2
R1(config-virt-serv-vnic)# exit
R1(config-virt-serv)# vnic gateway VirtualPortGroup1
R1(config-virt-serv-vnic)# guest ip address 192.168.0.2
R1(config-virt-serv-vnic)# exit
R1(config-virt-serv)# activate

 The virtual-service virtual-service-name command configures the logical
name, MYIPS in the example, that is used to identify the virtual container service.
 The vnic gateway VirtualPortGroup interface-number command creates a virtual
network interface card (vNIC) gateway interface for the virtual container service. It also
maps the vNIC gateway interface to the virtual port group, and enters the virtual-service
vNIC configuration mode.
 The guest ip address ip-address command configures a guest vNIC address for the
vNIC gateway interface.
 Finally, the activate command activates the application installed in a virtual container
service.
12.3.6 STEP 5: CONFIGURE SNORT SPECIFICS

 Next, configure how Snort is to be deployed (i.e., IPS or IDS mode), where the
Snort logs should be sent, the policy and profile to configure for Snort, and more.
 Refer to the sample command output.
R1(config)# utd engine standard
R1(config-utd-eng-std)# logging host 10.10.10.254
R1(config-utd-eng-std)# logging syslog
R1(config-utd-eng-std)#
R1(config-utd-eng-std)# threat-inspection
R1(config-utd-engstd-insp)# threat protection
R1(config-utd-engstd-insp)# policy balanced
R1(config-utd-engstd-insp)#
R1(config-utd-engstd-insp)# signature update occur-at daily 0 0
R1(config-utd-engstd-insp)# signature update server cisco username
Bob password class
R1(config-utd-engstd-insp)# logging level warning
R1(config-utd-engstd-insp)#
R1(config-utd-engstd-insp)# exit
R1(config-utd-eng-std)# exit
R1(config)#

 The utd engine standard command configures the UTD standard engine and enters
UTD standard engine configuration mode.
 The logging host and logging syslog commands enable the logging of emergency
messages to a server.
 The threat-inspection command configures threat inspection for the Snort engine.
From here you can specify which mode Snort will be in:
o threat protection - Snort will be in IPS mode.
o threat detection - Snort will be in IDS mode.
 The policy command selects one of three security policies used by Snort and provided by
Cisco Talos, as shown in the following help facility example.
R1(config-utd-engstd-insp)# policy ?
balanced Set the policy to balanced (this is the default option)
connectivity Set the policy to connectivity (stresses on
connectivity over security)
security Set the policy to security (provide mode exhaustive
coverage)
R1(config-utd-engstd-insp)# policy

 The three policy settings in order from least protection to most protection are:
o connectivity - This provides the least protection as it prioritizes connectivity
over security. Approximately 1,000 rules are pre-loaded using this policy.
o balanced - This is the default policy. It is recommended for initial
deployments. This policy attempts to balance security needs and performance
characteristics of the network. Approximately 8,000 rules are pre-loaded using
this policy.
o security - This provides the most protection. It is designed for organizations
that are exceptionally concerned about security. Customers deploy this policy in
protected networks that have lower bandwidth requirements but much higher
security requirements. Approximately 12,000 rules are pre-loaded using this
policy.
 Note: IPS system performance is negatively affected as more rules are enabled.
 The signature update command configures the signature update interval parameters. In
our sample output, Snort will update its signatures every night at midnight.
 The signature update server command configures the signature update server
parameters. You must specify the signature update parameters with the server details. If
you use Cisco.com for signature updates, you must provide the username and password.
If you use a local server for signature updates, you provide the username and password
as the server settings require. In our sample output, Snort updates its signature
file from cisco.com using the username Bob and password class.
 Finally the logging level command specifies the types of syslog messages that will be
generated.
12.3.7 STEP 6: ENABLE IPS GLOBALLY OR ON DESIRED INTERFACES

 Based on the organizational requirements, Snort can be enabled globally (i.e., on all the
interfaces) or on selected interfaces.
 The example in the output enables UTD globally on all interfaces and defines what to
do if the Snort engine fails.
R1(config)# utd
R1(config-utd)# all-interfaces
R1(config-utd)#
R1(config-utd)# engine standard
R1(config-engine-std)# fail close
R1(config-engine-std)# exit
R1(config-utd)# exit
R1(config)#

 The all-interfaces option configures unified threat defence (UTD) on all Layer 3
interfaces of the device.
 The engine standard command configures the Snort-based UTD engine and enters
standard engine configuration mode. From this mode, we can specify how Snort will
behave if there is a UTD engine failure.
 Specifically, Snort can be configured to:
o fail-open (default) - When there is a UTD engine failure, this option allows all
of the IPS/IDS traffic through without being inspected.
o fail-close - If enabled, this option drops all the IPS/IDS traffic when there is a
UTD engine failure. Therefore, no traffic will be allowed to leave.
 Alternatively, Snort could be enabled only on select interfaces as shown.
 Note: An error message will be displayed if UTD was already enabled globally before
the per-interface commands are entered.
R1(config)# interface G0/0/0
R1(config-if)# utd enable
R1(config-if)# exit
R1(config)# interface G0/0/1
R1(config-if)# utd enable
R1(config-if)# exit
R1(config)#

 You can also enable the UTD allowed list feature. This enables you to identify IPS
signature IDs to be suppressed (not used).
 For example, when an IPS is incorrectly identifying normal user traffic as a threat (i.e.,
a false positive), we can add those signatures to an allowed list. The IPS will not use
signatures in the allowlist.
 To do so, enter UTD allowed list configuration mode and identify signature IDs to be
excluded from inspection. After the allowed list signature ID is configured, Snort will
allow the flow to pass through the device without any alerts and drops.
 For example, assume that the IPS has incorrectly identified user traffic
from Branch1 as malicious and reported it under signature ID 21555. This signature can be
added to an allowed list, as shown.
R1(config)# utd threat-inspection whitelist
R1(config-utd-whitelist)# signature id 21555 comment traffic from
Branch 1
R1(config-utd-whitelist)#

12.3.8 STEP 7: VERIFY SNORT IPS

 After Snort IPS is implemented, it is necessary to verify the configuration to ensure
correct operation.
 There are several show commands that can be used to verify the Snort IPS
configuration and operation:
o show virtual-service list - The command displays an overview of resources
that are utilized by the applications.
o show virtual-service detail - The command displays a list of resources that are
committed to a specified application, including attached devices.
o show utd engine standard config - The command displays the UTD
configuration.
o show utd engine standard status - The command displays the status of the
UTD engine.
o show platform hardware qfp active feature utd stats - The command checks
the data plane. It verifies increments for encap, decap, redirect, and reinject and
displays a health of "Green".
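Steps 5 through 7 above describe settings whose weak variants are easy to miss in a long running-config: threat detection instead of threat protection, the fail-open default, a missing logging host, no scheduled signature update, or an allowed-list entry with no comment explaining why a signature was suppressed. The following Python audit is an added example written for these notes, not Cisco code or any output of the router. It parses a config excerpt in the shape of the commands shown in this topic (indentation marks sub-modes, as in show running-config) and reports those findings. Both config strings are constructed for the example; only the 21555 allowed-list entry and the addresses come from the notes, the 21556 entry and the weak configuration are assumptions added to show the checks firing.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed sample mirroring the commands shown in steps 5 to 7 (not router output).
# Signature 21556 is added without a comment to show the allowed-list check.
SAMPLE_CONFIG = """\
utd engine standard
 logging host 10.10.10.254
 logging syslog
 threat-inspection
  threat protection
  policy balanced
  signature update occur-at daily 0 0
  signature update server cisco username Bob password class
  logging level warning
utd threat-inspection whitelist
 signature id 21555 comment traffic from Branch 1
 signature id 21556
utd
 all-interfaces
 engine standard
  fail close
"""

# Constructed weak configuration: IDS mode, connectivity policy, no logging host,
# no update schedule, and no fail line (so the fail-open default applies).
WEAK_CONFIG = """\
utd engine standard
 threat-inspection
  threat detection
  policy connectivity
interface GigabitEthernet0/0/0
 utd enable
utd
 engine standard
"""


@dataclass
class UtdAudit:
    """Snort IPS (UTD) settings recovered from a config excerpt, plus review findings."""
    mode: str = "unknown"        # "ips" (threat protection) or "ids" (threat detection)
    policy: str = "balanced"     # balanced is the default when no policy line is present
    fail_mode: str = "open"      # fail-open is the default when no fail line is present
    logging_host: Optional[str] = None
    update_schedule: Optional[str] = None
    enabled_on: List[str] = field(default_factory=list)   # "all-interfaces" or interface names
    allowlisted: Dict[int, Optional[str]] = field(default_factory=dict)  # signature id -> comment
    findings: List[str] = field(default_factory=list)


def audit_utd_config(config: str) -> UtdAudit:
    """Walk a running-config excerpt and collect the Snort IPS settings it contains.

    Sub-mode commands are indented under their parent, so the parser only needs to
    remember the current top-level (unindented) block and the interface, if any.
    """
    result = UtdAudit()
    block = None
    interface = None
    for raw in config.splitlines():
        line = raw.strip()
        if not line:
            continue
        if not raw.startswith(" "):
            block = line
            parts = line.split()
            interface = parts[1] if parts[0] == "interface" and len(parts) > 1 else None
        if block == "utd engine standard":
            if m := re.match(r"logging host (\S+)$", line):
                result.logging_host = m.group(1)
            elif line == "threat protection":
                result.mode = "ips"
            elif line == "threat detection":
                result.mode = "ids"
            elif m := re.match(r"policy (connectivity|balanced|security)$", line):
                result.policy = m.group(1)
            elif m := re.match(r"signature update occur-at (.+)$", line):
                result.update_schedule = m.group(1)
        elif block == "utd threat-inspection whitelist":
            if m := re.match(r"signature id (\d+)(?: comment (.+))?$", line):
                result.allowlisted[int(m.group(1))] = m.group(2)
        elif block == "utd":
            if line == "all-interfaces":
                result.enabled_on.append("all-interfaces")
            elif m := re.match(r"fail[ -](open|close)$", line):
                result.fail_mode = m.group(1)
        elif interface and line == "utd enable":
            result.enabled_on.append(interface)

    f = result.findings
    if result.mode == "ids":
        f.append("threat detection: Snort alerts on matches but does not drop them")
    elif result.mode == "unknown":
        f.append("no threat protection/detection line: Snort mode is not set")
    if result.policy == "connectivity":
        f.append("connectivity policy: fewest rules loaded, least protection")
    if result.fail_mode == "open":
        f.append("fail-open: traffic bypasses inspection if the UTD engine fails")
    if result.logging_host is None:
        f.append("no logging host: alerts are not sent to an external server")
    if result.update_schedule is None:
        f.append("no scheduled signature update")
    if not result.enabled_on:
        f.append("UTD is not enabled globally or on any interface")
    for sid, comment in result.allowlisted.items():
        if comment is None:
            f.append(f"allowlisted signature {sid} has no comment explaining the suppression")
    return result


if __name__ == "__main__":
    for name, cfg in (("sample", SAMPLE_CONFIG), ("weak", WEAK_CONFIG)):
        audit = audit_utd_config(cfg)
        print(f"{name}: mode={audit.mode} policy={audit.policy} fail={audit.fail_mode}")
        for finding in audit.findings:
            print("  -", finding)
```

The audit treats an absent fail line as fail-open and an absent policy line as balanced because those are the defaults the notes describe; a real review should run the same checks against the output of show utd engine standard config rather than the typed-in commands.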

12.4 IPS OPERATION AND IMPLEMENTATION SUMMARY


12.4.1 WHAT DID I LEARN IN THIS MODULE?
IPS Signatures

 IPS signatures have three attributes: type, trigger, and action.


 The signature type can be atomic or composite. The signature alarms can use pattern-
based detection, anomaly-based detection, policy-based detection, or honey pot-based
detection.
 The IPS signature actions include generate an alert, log the activity, deny the activity,
reset the TCP connection, and block future activity.
 Triggering mechanisms can generate results such as true positives, false positives, true
negatives, and false negatives.
Cisco Snort IPS

 Intrusion protection is provided in modern Cisco networks using either dedicated
NGIPS Firepower enabled devices, Snort IPS on ISR 4000 routers, or an external
Snort IPS server.
 Snort IPS on an ISR device can provide either IDS or IPS services. It has predefined
security levels (i.e., connectivity, balanced, and security). It can refer to an allowed list,
provide feedback on the health of the Snort engine, offer fail-open and fail-close
failover, and automate signature updates and logging.
 Snort IPS consists of a Snort engine and Snort rule set. There are community rules
available for free and subscriber rules available for a fee.
 Snort IPS runs in a Linux service container VM supported by ISR 4000 routers. Snort
IPS uses rules consisting of rule headers and rule options to identify malicious traffic.
Configure Snort IPS

 To configure Snort IPS on an ISR 4000 device, you must download the latest OVA file,
install it on the router, configure VPG interfaces, activate the virtual services, configure
Snort IPS specifics, and enable UTD. After Snort is configured and activated, show
commands allow verification of its operation.

MODULE 13
13.1 ENDPOINT SECURITY OVERVIEW
13.1.1 LAN ELEMENTS SECURITY

 News media commonly cover external network attacks on enterprise networks. These
are some examples of such attacks:
o DoS attacks on an organization’s network to degrade or even halt public access
to it
o Breach of an organization’s Web server to deface their web presence
o Breach of an organization’s data servers and hosts to steal confidential
information
 Various network security devices are required to protect the network perimeter from
outside access.
 As shown in the figure, these devices could include a hardened ISR that is providing
VPN services, an ASA firewall appliance, an IPS, and a AAA server.

 Many attacks can, and do, originate from inside the network. Therefore, securing an
internal LAN is just as important as securing the outside network perimeter.
 Without a secure LAN, users within an organization are still susceptible to network
threats and outages that can directly affect an organization’s productivity and profit
margin.
 After an internal host is infiltrated, it can become a starting point for an attacker to gain
access to critical system devices, such as servers and the sensitive information they
contain.
 Specifically, there are two internal LAN elements to secure:
o Endpoints - Hosts commonly consist of laptops, desktops, servers, and IP
phones which are susceptible to malware-related attacks. Endpoints also include
video cameras, point-of-sale devices, and devices on the Internet of Things.
o Network infrastructure - LAN infrastructure devices interconnect endpoints
and typically include switches, wireless devices, and IP telephony devices.
Most of these devices are susceptible to LAN-related attacks including MAC
address table overflow attacks, spoofing attacks, DHCP related attacks, LAN
storm attacks, STP manipulation attacks, and VLAN attacks.
 This module focuses on securing endpoints.

13.1.2 TRADITIONAL ENDPOINT SECURITY

 Historically, employee endpoints were company-issued computers which resided within
a clearly defined LAN perimeter.
 These hosts were protected by firewalls and IPS devices which worked well with hosts
that were connected to the LAN and behind the firewall.
 The endpoints also used traditional host-based security measures:
o Antivirus/Antimalware Software - This is software installed on a host to
detect and mitigate viruses and malware. Companies that provide anti-virus
software include Norton, TotalAV, McAfee, MalwareBytes and many others.
o Host-based IPS - This is software that is installed on the local host to monitor
and report on the system configuration and application activity, provide log
analysis, event correlation, integrity checking, policy enforcement, rootkit
detection, and alerting. Examples include Snort IPS, OSSEC, and Malware
Defender, among others.
o Host-based firewall - This is software that is installed on a host that restricts
incoming and outgoing connections to those initiated by that host only. Some
firewall software can also prevent a host from becoming infected and stop
infected hosts from spreading malware to other hosts. Included in some
operating systems such as Windows, or produced by companies such as
NetDefender, Zonealarm, Comodo Firewall, and many others.

13.1.3 THE BORDERLESS NETWORK

 The network has evolved to include traditional endpoints and new, lightweight,
portable, consumerized endpoints such as smartphones, tablets, wearables, and others.
 The new bring-your-own-device (BYOD) needs of workers require a different way of
approaching endpoint security.
 These new endpoints have blurred the network border because access to network
resources can be initiated by users from many locations using various connectivity
methods at any time.
 There are some problems with the traditional method of securing endpoints.
 In many networks, the network-based devices are disparate and typically do not share
information among themselves.
 Additionally, new endpoint devices are not good candidates for the traditional host-
based endpoint security solutions because of the variety of devices and the variety of
operating systems available on those devices.
 The challenge is allowing these heterogeneous devices to connect to enterprise
resources securely.
13.1.4 SECURITY FOR ENDPOINTS IN THE BORDERLESS NETWORK

 Larger organizations now require protection before, during, and after an attack. IT
administrators must be able to answer the following questions:
o Where did the attack come from?
o What was the exploit method and point of entry?
o What systems were affected?
o What did the exploit do?
o How do we recover from the exploit?
o How can we mitigate the vulnerability and root cause?
 Organizations must also protect their endpoints from new threats and provide the
protection measures that are outlined in the table below.

Measure - Purpose
o antimalware software - Protect endpoints from malware.
o spam filtering - Prevent spam emails from reaching endpoints.
o blocklisting - Prevent endpoints from connecting to websites with bad reputations by
immediately blocking connections based on the latest reputation intelligence.
o data loss prevention (DLP) - Prevent sensitive information from being lost or stolen.

13.1.5 NETWORK-BASED MALWARE PROTECTION

 New security architectures for the borderless network address security challenges by
having endpoints use network scanning elements.
 These devices provide many more layers of scanning than a single endpoint possibly
could. Network-based malware prevention devices are also capable of sharing
information among themselves to make better informed decisions.
 Protecting endpoints in a borderless network can be accomplished using network-based,
as well as host-based techniques, as shown in the figure.

 The following are examples of devices and techniques that implement host protections
at the network level.
o Advanced Malware Protection (AMP) – This provides endpoint protection
from viruses and malware.
o Email Security Appliance (ESA) – This provides filtering of SPAM and
potentially malicious emails before they reach the endpoint. An example is the
Cisco ESA.
o Web Security Appliance (WSA) – This provides filtering and blocking of
websites to prevent hosts from reaching dangerous locations on the web. The
Cisco WSA provides control over how users access the internet and can enforce
acceptable use policies, control access to specific sites and services, and scan
for malware.
o Network Admission Control (NAC) – This permits only authorized and
compliant systems to connect to the network.
 These technologies work in concert with each other to give more protection than host-
based suites can provide, as shown in the figure.

13.1.6 HARDWARE AND SOFTWARE ENCRYPTION OF LOCAL DATA

 Endpoints are also susceptible to data theft. For instance, if a corporate laptop is lost or
stolen, a thief could scour the hard drive for sensitive information, contact information,
personal information, and more.
 The solution is to locally encrypt the disk drive with a strong encryption algorithm such
as 256-bit AES encryption. The encryption protects the confidential data from
unauthorized access. The encrypted disk volumes can only be mounted for normal
read/write access with the authorized password.
 Operating systems such as MAC OSX natively provide encryption options. The
Microsoft Windows 10 operating system also provides encryption natively. Individual
files, folders, and drives can be configured to encrypt data. In Windows, BitLocker
provides drive encryption, as shown in the figure. Files can also be encrypted, but
because applications can create unencrypted back up files, the entire folder that the file
is stored in should be encrypted.

13.1.7 NETWORK ACCESS CONTROL

 The purpose of network access control (NAC) is to allow only authorized and compliant
systems, whether managed or unmanaged, to access the network.
 It unifies endpoint security technologies with user or device authentication and network
security policy enforcement.
 A NAC system can deny network access to noncompliant devices, place them in a
quarantined area, or give them only restricted access to computing resources, thus
keeping insecure nodes from infecting the network.
 NAC systems can have the following capabilities:
o Profiling and visibility - This recognizes and profiles users and their devices
before malicious code can cause damage.
o Guest network access - This manages guests through a customizable, self-
service portal that includes guest registration, guest authentication, guest
sponsoring, and a guest management portal.
o Security posture checking - This evaluates security-policy compliance by user
type, device type, and operating system.
o Incident response - This mitigates network threats by enforcing security
policies that block, isolate, and repair noncompliant machines without
administrator attention.
 NAC systems should extend NAC to all network access methods, including access
through LANs, remote-access gateways, and wireless access points.
 The Cisco Identity Services Engine (ISE) combines AAA and network device profiling
into a single system.

13.1.8 NAC FUNCTIONS

 The goal of NAC systems is to ensure that only hosts that are authenticated and have
had their security posture examined and approved are permitted onto the network.
 For example, company laptops used offsite for a period of time might not have received
current security updates or could have become infected from other systems. Those
systems cannot connect to the network until they are examined, updated, and approved.
 Network access devices can function as the enforcement layer, as shown in the figure.
They force the clients to query a RADIUS server for authentication and authorization.
The RADIUS server can query other devices, such as an antivirus server, and reply to
the network enforcers.

13.2 802.1X AUTHENTICATION


13.2.1 SECURITY USING 802.1X PORT-BASED AUTHENTICATION

 The IEEE 802.1X standard defines a port-based access control and authentication
protocol that restricts unauthorized workstations from connecting to a LAN through
publicly accessible switch ports.
 The authentication server authenticates each workstation that is connected to a switch
port before making available any services offered by the switch or the LAN.
 The figure shows that with 802.1X port-based authentication, the devices in the network
have specific roles.

 The 802.1X roles include:
o Supplicant (Client) - The device (workstation) that requests access to LAN
and switch services and then responds to requests from the switch. The
workstation must be running 802.1X-compliant client software. (The port that
the client is attached to is the supplicant [client] in the IEEE 802.1X
specification.)
o Authenticator (Switch) - This device controls physical access to the network
based on the authentication status of the client. The switch acts as an
intermediary (proxy) between the client (supplicant) and the authentication
server, requesting identifying information from the client, verifying that
information with the authentication server, and relaying a response to the client.
The switch uses a RADIUS software agent, which is responsible for
encapsulating and de-encapsulating the EAP (Extensible Authentication
Protocol) frames and interacting with the authentication server.
o Authentication server - This server performs the actual authentication of the
client. The authentication server validates the identity of the client and notifies
the switch whether the client is authorized to access the LAN and switch
services. Because the switch acts as the proxy, the authentication service is
transparent to the client. The RADIUS security system with EAP extensions is
the only supported authentication server.
 Until the workstation is authenticated, 802.1X access control enables only Extensible
Authentication Protocol over LAN (EAPOL), Cisco Discovery Protocol (CDP), and
Spanning Tree Protocol (STP) traffic through the port to which the workstation is
connected. After authentication succeeds, normal traffic can pass through the port.
 The switch port state determines whether the client is granted access to the network.
 When configured for 802.1X port-based authentication, the port starts in the
unauthorized state. While in this state, the port disallows all ingress and egress traffic
except for 802.1X protocol, STP, and CDP packets.
 When a client is successfully authenticated, the port transitions to the authorized state,
allowing all traffic for the client to flow normally. If the switch requests the client
identity (authenticator initiation) and the client does not support 802.1X, the port
remains in the unauthorized state, and the client is not granted access to the network.
 In contrast, when an 802.1X-enabled client connects to a port and the client initiates the
authentication process (supplicant initiation) by sending the EAPOL-start frame to a
switch that is not running the 802.1X protocol, no response is received, and the client
begins sending frames as if the port is in the authorized state.
 The figure shows the complete message exchange between the supplicant,
authenticator, and the authentication server. The encapsulation occurs as follows:
o Between the supplicant and the authenticator - EAP data is encapsulated in
EAPOL frames.
o Between the authenticator and the authentication server - EAP data is
encapsulated using RADIUS.

 If the client is successfully authenticated (the switch receives an “accept” frame from
the authentication server), the port state changes to authorized, and all frames from the
authenticated client are enabled through the port.
 If the authentication fails, the port remains in the unauthorized state, but authentication
can be retried. If the authentication server cannot be reached, the switch can retransmit
the request. If no response is received from the server after the specified number of
attempts, authentication fails, and network access is not granted.
 When a client logs out, it sends an EAPOL-logout message, causing the switch port to
transition to the unauthorized state.

13.2.2 CONTROL THE 802.1X AUTHORISATION STATE

 It may be necessary to configure a switch port to override the 802.1X authentication
process. To do this, use the authentication port-control interface configuration
command to control the port authorization state. The parameters for this command are
shown below. The individual port on the authenticator switch is configured with this
command, in this case, port F0/1 of S1. By default, a port is in the force-authorized
state, meaning it can send and receive traffic without 802.1X authentication.
S1(config-if)# authentication port-control ?
auto PortState set to automatic
force-authorized PortState set to AUTHORIZED <--default
force-unauthorized PortState set to UnAuthorized

S1(config-if)# authentication port-control

Parameter - Description
o auto - Enables 802.1X port-based authentication and causes the port to begin in the
unauthorized state. During this time, EAPOL, STP, and CDP frames are the only frames
that can be sent or received through the port until the client device has been
authenticated.
o force-authorized - The port sends and receives normal traffic without 802.1X-based
authentication of the client. This is the default setting.
o force-unauthorized - Causes the port to remain in the unauthorized state, ignoring all
attempts by the client to authenticate. The switch cannot provide authentication services
to the client through the port.

 The auto keyword must be entered to enable 802.1X authentication. Therefore, to
enable 802.1X on the port, use the authentication port-control auto interface
configuration command.
 If the client is successfully authenticated (receives an Accept frame from the
authentication server), the port state changes to authorized, and all frames from the
authenticated client are allowed through the port. If the authentication fails, the port
remains in the unauthorized state, but authentication can be retried. If the authentication
server cannot be reached, the switch can resend the request. If no response is received
from the server after the specified number of attempts, authentication fails, and network
access is not granted.
 When a client logs off, it sends an EAPOL-logoff message, causing the switch port to
change to the unauthorized state.
 If the link state of a port changes from up to down, or if an EAPOL-logoff frame is
received, the port returns to the unauthorized state.
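The port behaviour described in 13.2.1 and 13.2.2 is a small state machine: the port-control setting picks the starting state, an Access-Accept moves an auto port to authorized, a reject or an unreachable server after the retransmit limit leaves it unauthorized, and EAPOL-logoff or a link-down event returns it to unauthorized. The Python model below is an added example for these notes, not Cisco code and not a real 802.1X implementation; it records the message exchange only as labelled strings to show which leg runs over EAPOL and which over RADIUS. The class and method names, the three-retransmit limit, and the frame-type labels are assumptions chosen for the example.

```python
from enum import Enum
from typing import Iterable, List, Optional


class PortControl(Enum):
    """Values of the authentication port-control interface command."""
    AUTO = "auto"
    FORCE_AUTHORIZED = "force-authorized"      # the default
    FORCE_UNAUTHORIZED = "force-unauthorized"


class PortState(Enum):
    AUTHORIZED = "authorized"
    UNAUTHORIZED = "unauthorized"


# Frame types an unauthorized port still passes, as listed in the topic text.
ALWAYS_ALLOWED = {"EAPOL", "STP", "CDP"}


class Dot1xPort:
    """Authenticator-side view of one switch port running 802.1X (hypothetical model)."""

    def __init__(self, control: PortControl = PortControl.FORCE_AUTHORIZED,
                 max_attempts: int = 3):
        self.control = control
        self.max_attempts = max_attempts   # RADIUS retransmissions before giving up
        self.link_up = True
        self.exchange: List[str] = []      # message trace of the last authentication
        self.state = self._initial_state()

    def _initial_state(self) -> PortState:
        # force-authorized opens the port without authentication; auto and
        # force-unauthorized both begin in the unauthorized state.
        if self.control is PortControl.FORCE_AUTHORIZED:
            return PortState.AUTHORIZED
        return PortState.UNAUTHORIZED

    def allows(self, frame_type: str) -> bool:
        """Whether a frame of this type may pass the port right now."""
        if not self.link_up:
            return False
        return self.state is PortState.AUTHORIZED or frame_type in ALWAYS_ALLOWED

    def authenticate(self, server_replies: Iterable[Optional[str]],
                     supplicant_present: bool = True) -> PortState:
        """Run one authentication attempt and return the resulting port state.

        server_replies yields the authentication server's answer to each RADIUS
        Access-Request: "accept", "reject", or None when the server does not
        answer (the switch then retransmits, up to max_attempts times).
        """
        self.exchange = []
        if self.control is not PortControl.AUTO:
            return self.state                  # forced ports do not run EAP at all
        self.exchange.append("authenticator -> supplicant: EAP-Request/Identity (EAPOL)")
        if not supplicant_present:
            # No 802.1X client software: the identity request is never answered
            self.state = PortState.UNAUTHORIZED
            return self.state
        self.exchange.append("supplicant -> authenticator: EAP-Response/Identity (EAPOL)")
        replies = iter(server_replies)
        for _ in range(self.max_attempts):
            self.exchange.append("authenticator -> server: RADIUS Access-Request (EAP inside)")
            reply = next(replies, None)
            if reply == "accept":
                self.exchange.append("server -> authenticator: RADIUS Access-Accept")
                self.exchange.append("authenticator -> supplicant: EAP-Success (EAPOL)")
                self.state = PortState.AUTHORIZED
                return self.state
            if reply == "reject":
                self.exchange.append("server -> authenticator: RADIUS Access-Reject")
                self.exchange.append("authenticator -> supplicant: EAP-Failure (EAPOL)")
                self.state = PortState.UNAUTHORIZED   # can be retried later
                return self.state
            self.exchange.append("server: no response, retransmitting")
        self.state = PortState.UNAUTHORIZED           # server unreachable after max_attempts
        return self.state

    def eapol_logoff(self) -> PortState:
        """Client sent EAPOL-Logoff: an auto port drops back to unauthorized."""
        if self.control is PortControl.AUTO:
            self.state = PortState.UNAUTHORIZED
        return self.state

    def link_down(self) -> PortState:
        """Link transition up -> down returns an auto port to unauthorized."""
        self.link_up = False
        if self.control is PortControl.AUTO:
            self.state = PortState.UNAUTHORIZED
        return self.state

    def link_restored(self) -> PortState:
        """Link comes back up: the port restarts in the state its port-control implies."""
        self.link_up = True
        self.state = self._initial_state()
        return self.state
```

The model makes one design point visible: a force-authorized port (the default) ignores the server entirely, so a switch that has aaa new-model and dot1x system-auth-control configured still enforces nothing on a port until authentication port-control auto is applied to it.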

13.2.3 802.1X CONFIGURATION

 This scenario is implemented on the same topology as above. A PC is attached to F0/1 on
the switch and the device will be authenticated via 802.1X with a RADIUS server.
Unlike in previous AAA scenarios in which administrators were authenticated to the
router configuration lines, in this scenario, an endpoint is authenticated before access is
granted to the network.
 Configuring 802.1X requires a few basic steps:
o Step 1. Enable AAA using the aaa new-model command.
o Step 2. Designate the RADIUS server and configure its address and ports.
o Step 3. Create an 802.1X port-based authentication method list using the aaa
authentication dot1x command.
o Step 4. Globally enable 802.1X port-based authentication using the dot1x
system-auth-control command.
o Step 5. Enable port-based authentication on the interface using the
authentication port-control auto command.
o Step 6. Enable 802.1X authentication on the interface using the dot1x pae
command. The authenticator option sets the Port Access Entity (PAE) type so
the interface acts only as an authenticator and will not respond to any messages
meant for a supplicant.
 An example configuration is shown below.
S1(config)# aaa new-model
S1(config)# radius server NETSEC
S1(config-radius-server)# address ipv4 10.1.1.50 auth-port 1812
acct-port 1813
S1(config-radius-server)# key RADIUS-Pa55w0rd
S1(config-radius-server)# exit
S1(config)#
S1(config)# aaa authentication dot1x default group radius
S1(config)# dot1x system-auth-control
S1(config)#
S1(config)# interface F0/1
S1(config-if)# description Access Port
S1(config-if)# switchport mode access
S1(config-if)# authentication port-control auto
S1(config-if)# dot1x pae authenticator

13.3 ENDPOINT SECURITY SUMMARY


13.3.1 WHAT DID I LEARN IN THIS MODULE?
Introducing Endpoint Security

 Traditionally endpoints included PCs, servers, and printers. However, in today’s
network, endpoints also include phones, tablets, laptops, Internet of Things devices,
network video cameras and many other things.
 Endpoint security used to depend on host-based security measures such as antimalware
software, host-based IPS, and host-based firewall software. Many devices and
technologies enhance host-based endpoint protections. Some of them are email security
appliances, web security appliances, NAC, and the Cisco Identity Services Engine.
 Another way that endpoints can be protected from data loss is through the use of
encryption of local data at the file, folder, or drive level. Software such as BitLocker is
included with Microsoft Windows 10 for this purpose.
 Network Access Control is a system that can check whether endpoints that attempt to
connect to the network comply with network security policies.
 It handles user authentication and can take action against devices that violate security
policies by having out-of-date security software. It can even take action to bring devices up
to the compliance standard before allowing access.
 NAC can also provide easy-to-manage methods of providing network access to guest
computers that require connectivity to the network. Cisco ISE combines AAA and NAC
into a single system.
802.1X Authentication

 802.1X provides a means by which an authenticator network access switch can act as an
intermediary between a client and an authentication server.
 The switch forwards authentication information from the client to the server. If
authentication is successful, the client will be allowed to access the network through the
connected switch port.
 If authentication fails, the switch will not permit the client endpoint to connect to the
network.
 The system uses EAP and EAPOL to carry authentication traffic between the client
(supplicant) and the authenticator switch.
 The switch uses EAP and RADIUS to communicate with the authentication server.
 The 802.1X authentication process can be controlled by configuring the authenticator port
with the authentication port-control command. The port can be set to carry out the
authentication process (auto), to provide authorized access without authentication
(force-authorized), or to remain in the unauthorized state (force-unauthorized). In that
last state no device will be able to connect to the network through the port.
 802.1X port-based authentication is configured by first globally activating AAA and by
specifying the RADIUS server name, address, and ports. After that the authenticator
interface is configured with 802.1X parameters.

MODULE 14
14.1 LAYER 2 SECURITY THREATS
14.1.1 DESCRIBE LAYER 2 VULNERABILITIES

 The OSI reference model is divided into seven layers which work independently of each
other. As shown in the figure, each layer performs a specific function and has core
elements that can be exploited.

 Network administrators routinely implement security solutions to protect the elements
in Layer 3 up through Layer 7 using VPNs, firewalls, and IPS devices. However, as
shown in the figure below, if Layer 2 is compromised, then all layers above it are also
affected. For example, if an employee or visitor with access to the internal network
could capture Layer 2 frames, then all of the security implemented on the layers above
would be useless. The employee could also wreak havoc on the Layer 2 LAN
networking infrastructure.

14.1.2 SWITCH ATTACK CATEGORIES

 Security is only as strong as the weakest link in the system, and Layer 2 is considered to
be that weakest link. This is because traditionally LANs were under the administrative
control of a single organization. We inherently trusted all persons and devices
connected to our LAN. Today, with BYOD and more sophisticated attacks, our LANs
have become more vulnerable to penetration. Therefore, in addition to protecting Layer
3 to Layer 7, network security professionals must also mitigate attacks to the Layer 2
LAN infrastructure.
 The first step in mitigating attacks on the Layer 2 infrastructure is to understand the
underlying operation of Layer 2 and the threats posed by the Layer 2 infrastructure.
 Attacks against the Layer 2 LAN infrastructure are highlighted in the table.
 Note: The focus of this module is on common Layer 2 attacks.

Type - Description
o MAC Table Attacks - Includes MAC table overflow (also called MAC address flooding)
attacks.
o VLAN Attacks - Includes VLAN hopping and VLAN double-tagging attacks. It also
includes attacks between devices on a common VLAN.
o DHCP Attacks - Includes DHCP starvation and DHCP spoofing attacks.
o ARP Attacks - Includes ARP spoofing and ARP poisoning attacks.
o Address Spoofing Attacks - Includes MAC address and IP address spoofing attacks.
o STP Attacks - Includes Spanning Tree Protocol manipulation attacks.

 The table below provides an overview of Cisco solutions that help mitigate Layer 2
attacks.

Solution - Attacks it mitigates
o Port Security - Port security prevents many types of attacks including MAC table
overflow attacks and DHCP starvation attacks.
o DHCP Snooping - DHCP snooping prevents DHCP starvation and DHCP spoofing
attacks by rogue DHCP servers.
o Dynamic ARP Inspection (DAI) - DAI prevents ARP spoofing and ARP poisoning
attacks.
o IP Source Guard (IPSG) - IPSG prevents MAC and IP address spoofing attacks.

 These Layer 2 solutions will not be effective if the management protocols are not
secured. An example would be if attackers can easily telnet into a switch. Syslog,
SNMP, TFTP, telnet, FTP and most other common network management protocols are
insecure. Therefore, the following strategies are recommended:
o Always use secure variants of these protocols such as SSH, SCP, and SSL.
o Consider using out-of-band (OOB) management.
o Use a dedicated management VLAN where nothing but management traffic
resides.
o Use ACLs to filter unwanted access.
14.2 MAC TABLE ATTACKS
14.2.1 SWITCH FUNDAMENTALS

 A switch uses MAC addresses to forward (or discard) frames to other devices on a
network. If a switch just forwarded every frame it received out all ports, your network
would be so congested that it would probably come to a complete halt.
 A Layer 2 Ethernet switch uses Layer 2 MAC addresses to make forwarding decisions.
It is completely unaware of the data (protocol) being carried in the data portion of the
frame, such as an IPv4 packet, an ARP message, or an IPv6 ND packet. The switch
makes its forwarding decisions based solely on the Layer 2 Ethernet MAC addresses.
 An Ethernet switch examines its MAC address table to make a forwarding decision for
each frame, unlike legacy Ethernet hubs that repeat bits out all ports except the
incoming port. In the figure, the four-port switch was just powered on. The table shows
the MAC Address Table which has not yet learned the MAC addresses for the four
attached PCs.
 Note: MAC addresses are shortened throughout this topic for demonstration purposes.

 Note: The MAC address table is sometimes referred to as a content addressable
memory (CAM) table. While the term CAM table is fairly common, for the purposes of
this course, we will refer to it as a MAC address table.

14.2.2 SWITCH LEARNING AND FORWARDING

 The switch dynamically builds the MAC address table by examining the source MAC
address of the frames that are received on a port. The switch forwards frames by
searching for a match between the destination MAC address in the frame and an entry
in the MAC address table.
Learn

 Examine the Source MAC Address


 Every frame that enters a switch is checked for new information to learn. It does this by
examining the source MAC address of the frame and the port number where the frame
entered the switch. If the source MAC address does not exist, it is added to the table
along with the incoming port number. If the source MAC address does exist, the switch
updates the refresh timer for that entry in the table. By default, most Ethernet switches
keep an entry in the table for 5 minutes.
 In the figure for example, PC-A is sending an Ethernet frame to PC-D. The table shows
the switch adds the MAC address for PC-A to the MAC Address Table.
 Note: If the source MAC address does exist in the table but on a different port, the
switch treats this as a new entry. The entry is replaced using the same MAC address but
with the more current port number.
Forward
 Find the Destination MAC Address
 If the destination MAC address is a unicast address, the switch will look for a match
between the destination MAC address of the frame and an entry in its MAC address
table. If the destination MAC address is in the table, it will forward the frame out the
specified port. If the destination MAC address is not in the table, the switch will
forward the frame out all ports except the incoming port. This is called an unknown
unicast.
 As shown in the figure, the switch does not have the destination MAC address in its
table for PC-D, so it sends the frame out all ports except port 1.
 Note: If the destination MAC address is a broadcast or a multicast, the frame is also
flooded out all ports except the incoming port.

14.2.3 FILTERING FRAMES

 As a switch receives frames from different devices, it is able to populate its MAC
address table by examining the source MAC address of every frame. When the MAC
address table of the switch contains the destination MAC address, it is able to filter the
frame and forward out a single port.
PC-D to Switch

 In the figure, PC-D is replying back to PC-A. The switch sees the MAC address of PC-
D in the incoming frame on port 4. The switch then puts the MAC address of PC-D into
the MAC Address Table associated with port 4.
Switch to PC-A

 Next, because the switch has the destination MAC address for PC-A in the MAC Address
Table, it will send the frame only out port 1, as shown in the figure.
PC-A to Switch to PC-D

 Next, PC-A sends another frame to PC-D, as shown in the figure. The MAC address
table already contains the MAC address for PC-A; therefore, the five-minute refresh
timer for that entry is reset. Next, because the switch table contains the destination
MAC address for PC-D, it sends the frame only out port 4.

14.2.4 MAC ADDRESS TABLE FLOODING

 All MAC tables have a fixed size and consequently, a switch can run out of resources in
which to store MAC addresses. MAC address flooding attacks take advantage of this
limitation by bombarding the switch with fake source MAC addresses until the switch
MAC address table is full.
 When this occurs, the switch treats the frame as an unknown unicast and begins to flood
all incoming traffic out all ports on the same VLAN without referencing the MAC table.
This condition now allows a threat actor to capture all of the frames sent from one host
to another on the local LAN or local VLAN.
 Note: Traffic is flooded only within the local LAN or VLAN. The threat actor can only
capture traffic within the local LAN or VLAN to which the threat actor is connected.
 The figure shows how a threat actor can easily use the network attack tool macof to
overflow a MAC address table.

 If the threat actor stops macof from running or is discovered and stopped, the switch
eventually ages out the older MAC address entries from the table and begins to act like
a switch again.
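The learn, forward, filter and overflow behaviour described in 14.2.2 to 14.2.4, as an added Python model (example code, not Cisco IOS code or part of the course). The table capacity, the 5-minute aging time, the port numbers and the MAC addresses are constructed for the example; the model also shows recovery once the bogus entries age out.

```python
"""Teaching model of switch MAC table learning, forwarding, filtering and
the MAC-table-overflow failure mode (added example, not Cisco IOS code).
Capacity, aging time, ports and MAC addresses are all constructed."""
from dataclasses import dataclass, field


def is_group_address(mac: str) -> bool:
    """Broadcast and multicast MACs have the I/G bit (LSB of first octet) set."""
    return int(mac.split(":")[0], 16) & 1 == 1


@dataclass
class Frame:
    src: str
    dst: str


@dataclass
class Switch:
    ports: int
    capacity: int                  # fixed MAC table size (constructed)
    age_seconds: float = 300.0     # entries are kept 5 minutes by default
    # mac -> (port, last_seen); a dict keeps exactly one entry per MAC
    table: dict = field(default_factory=dict)

    def _age_out(self, now: float) -> None:
        expired = [m for m, (_, seen) in self.table.items()
                   if now - seen > self.age_seconds]
        for mac in expired:
            del self.table[mac]

    def learn(self, frame: Frame, in_port: int, now: float) -> bool:
        """Learn (or refresh) the source MAC; returns False when the table is full."""
        self._age_out(now)
        if frame.src in self.table or len(self.table) < self.capacity:
            # known source: refresh the timer and follow it if it moved ports;
            # new source: add it together with the ingress port
            self.table[frame.src] = (in_port, now)
            return True
        return False

    def forward(self, frame: Frame, in_port: int, now: float) -> list[int]:
        """Return the egress ports for a frame received on in_port."""
        self.learn(frame, in_port, now)
        entry = self.table.get(frame.dst)
        if is_group_address(frame.dst) or entry is None:
            # broadcast, multicast or unknown unicast: flood all but ingress
            return [p for p in range(1, self.ports + 1) if p != in_port]
        return [entry[0]]   # known unicast: filtered to the learned port


def demo_overflow(capacity: int = 8) -> dict:
    """PC-A on port 1, PC-D on port 4, untrusted host on port 3 (constructed)."""
    sw = Switch(ports=4, capacity=capacity)
    pc_a, pc_d = "00:0a:00:00:00:0a", "00:0d:00:00:00:0d"

    # t=0: both PCs have spoken, so PC-A -> PC-D is filtered to port 4 only
    sw.forward(Frame(pc_d, pc_a), in_port=4, now=0.0)
    normal = sw.forward(Frame(pc_a, pc_d), in_port=1, now=0.0)

    # t=301: the PC entries have aged out and the host on port 3 keeps the
    # table full with bogus source MACs (more than the table can hold)
    t1 = 301.0
    for i in range(capacity + 4):
        bogus = f"02:bb:00:00:{i >> 8:02x}:{i & 0xff:02x}"
        sw.forward(Frame(bogus, "02:ff:00:00:00:01"), in_port=3, now=t1)
    table_full = len(sw.table) == capacity
    learned_pc_d = sw.learn(Frame(pc_d, pc_a), in_port=4, now=t1)   # False
    # PC-D is unknown, so the switch floods PC-A's frame, port 3 included
    during = sw.forward(Frame(pc_a, pc_d), in_port=1, now=t1)

    # t=602: bogus entries aged out, PC-D is learned again, filtering resumes
    t2 = t1 + 301.0
    sw.forward(Frame(pc_d, pc_a), in_port=4, now=t2)
    after = sw.forward(Frame(pc_a, pc_d), in_port=1, now=t2)
    return {"normal": normal, "table_full": table_full,
            "pc_d_learned_during_attack": learned_pc_d,
            "during_attack": during, "after_aging": after}


if __name__ == "__main__":
    print(demo_overflow())
```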

14.2.5 MAC ADDRESS TABLE ATTACK MITIGATION

 What makes tools such as macof so dangerous is that an attacker can create a MAC
table overflow attack very quickly. For instance, a Catalyst 6500 switch can store
132,000 MAC addresses in its MAC address table. A tool such as macof can flood a
switch with up to 8,000 bogus frames per second, creating a MAC address table
overflow attack in a matter of a few seconds. The example shows a sample output of
the macof command on a Linux host.
# macof -i eth1
36:a1:48:63:81:70 15:26:8d:4d:28:f8 0.0.0.0.26413 > 0.0.0.0.49492: S 1094191437:1094191437(0) win 512
16:e8:8:0:4d:9c da:4d:bc:7c:ef:be 0.0.0.0.61376 > 0.0.0.0.47523: S 446486755:446486755(0) win 512
18:2a:de:56:38:71 33:af:9b:5:a6:97 0.0.0.0.20086 > 0.0.0.0.6728: S 105051945:105051945(0) win 512
e7:5c:97:42:ec:1 83:73:1a:32:20:93 0.0.0.0.45282 > 0.0.0.0.24898: S 1838062028:1838062028(0) win 512
62:69:d3:1c:79:ef 80:13:35:4:cb:d0 0.0.0.0.11587 > 0.0.0.0.7723: S 1792413296:1792413296(0) win 512
c5:a:b7:3e:3c:7a 3a:ee:c0:23:4a:fe 0.0.0.0.19784 > 0.0.0.0.57433: S 1018924173:1018924173(0) win 512
88:43:ee:51:c7:68 b4:8d:ec:3e:14:bb 0.0.0.0.283 > 0.0.0.0.11466: S 727776406:727776406(0) win 512
b8:7a:7a:2d:2c:ae c2:fa:2d:7d:e7:bf 0.0.0.0.32650 > 0.0.0.0.11324: S 605528173:605528173(0) win 512
e0:d8:1e:74:1:e 57:98:b6:5a:fa:de 0.0.0.0.36346 > 0.0.0.0.55700: S 2128143986:2128143986(0) win 512

 Another reason why these attack tools are dangerous is because they not only affect the
local switch, they can also affect other connected Layer 2 switches. When the MAC
address table of a switch is full, it starts flooding out all ports including those connected
to other Layer 2 switches.
 To mitigate MAC address table overflow attacks, network administrators must
implement port security. Port security will only allow a specified number of source
MAC addresses to be learned on the port. Port security is further discussed later in this
module.
14.3 MITIGATE MAC TABLE ATTACKS
14.3.1 SECURE UNUSED PORTS

 Layer 2 devices are considered to be the weakest link in a company’s security
infrastructure. Layer 2 attacks are some of the easiest for hackers to deploy but these
threats can also be mitigated with some common Layer 2 solutions.
 All switch ports (interfaces) should be secured before the switch is deployed for
production use. How a port is secured depends on its function.
 A simple method that many administrators use to help secure the network from
unauthorized access is to disable all unused ports on a switch. For example, if a Catalyst
2960 switch has 24 ports and there are three Fast Ethernet connections in use, it is good
practice to disable the 21 unused ports. Navigate to each unused port and issue the
Cisco IOS shutdown command. If a port must be reactivated at a later time, it can be
enabled with the no shutdown command.
 To configure a range of ports, use the interface range command.
Switch(config)# interface range type module/first-number - last-number
 For example, to shut down ports Fa0/8 through Fa0/24 on S1, you would enter the
following command.
S1(config)# interface range fa0/8 - 24
S1(config-if-range)# shutdown
%LINK-5-CHANGED: Interface FastEthernet0/8, changed state to administratively down
(output omitted)
%LINK-5-CHANGED: Interface FastEthernet0/24, changed state to administratively down
S1(config-if-range)#

14.3.2 MITIGATE MAC ADDRESS TABLE ATTACKS

 The simplest and most effective method to prevent MAC address table overflow attacks
is to enable port security.
 Port security limits the number of valid MAC addresses allowed on a port. It allows an
administrator to manually configure MAC addresses for a port or to permit the switch to
dynamically learn a limited number of MAC addresses. When a port that is configured
with port security receives a frame, the source MAC address of the frame is compared
to the list of secure source MAC addresses that were manually configured or
dynamically learned on the port.
 By limiting the number of permitted MAC addresses on a port to one, port security can
be used to control unauthorized access to the network, as shown in the figure.
14.3.3 ENABLE PORT SECURITY

 Notice in the example, the switchport port-security command was rejected. This is
because port security can only be configured on manually configured access ports or
manually configured trunk ports. By default, Layer 2 switch ports are set to dynamic
auto (trunking on). Therefore, in the example, the port is configured with
the switchport mode access interface configuration command.
 Note: Trunk port security is beyond the scope of this course.
S1(config)# interface f0/1
S1(config-if)# switchport port-security
Command rejected: FastEthernet0/1 is a dynamic port.
S1(config-if)# switchport mode access
S1(config-if)# switchport port-security
S1(config-if)# end
S1#

 Use the show port-security interface command to display the current port security
settings for FastEthernet 0/1, as shown in the example below. Notice that port security
is enabled, and the port status is Secure-down, which means there are no devices
attached and no violation has occurred. Also, the violation mode is Shutdown, and the
maximum number of MAC addresses allowed is 1. If a device is connected to the port,
the switch port status would display Secure-up and the switch will automatically add the
device’s MAC address as a secure MAC. In this example, no device is connected to the
port.
S1# show port-security interface f0/1
Port Security : Enabled
Port Status : Secure-down
Violation Mode : Shutdown
Aging Time : 0 mins
Aging Type : Absolute
SecureStatic Address Aging : Disabled
Maximum MAC Addresses : 1
Total MAC Addresses : 0
Configured MAC Addresses : 0
Sticky MAC Addresses : 0
Last Source Address:Vlan : 0000.0000.0000:0
Security Violation Count : 0
S1#

 Note: If an active port is configured with the switchport port-security command and
more than one device is connected to that port, the port will transition to the error-
disabled state. This condition is discussed later in this topic.
 After port security is enabled, other port security specifics can be configured, as shown
in the example.
S1(config-if)# switchport port-security ?
aging Port-security aging commands
mac-address Secure mac address
maximum Max secure addresses
violation Security violation mode
S1(config-if)# switchport port-security

14.3.4 LIMIT AND LEARN MAC ADDRESSES

 To set the maximum number of MAC addresses allowed on a port, use the following
command:

Switch(config-if)# switchport port-security maximum value

 The default port security value is 1. The maximum number of secure MAC addresses
that can be configured depends on the switch and the IOS. In this example, the
maximum is 8192.
S1(config)# interface f0/1
S1(config-if)# switchport port-security maximum ?
<1-8192> Maximum addresses
S1(config-if)# switchport port-security maximum

 The switch can be configured to learn about MAC addresses on a secure port in one of
three ways:
1. Manually Configured

 The administrator manually configures a static MAC address(es) by using the following
command for each secure MAC address on the port:

Switch(config-if)# switchport port-security mac-address mac-address

2. Dynamically Learned

 When the switchport port-security command is entered, the current source MAC for
the device connected to the port is automatically secured but is not added to the startup
configuration. If the switch is rebooted, the port will have to re-learn the device’s MAC
address.
3. Dynamically Learned – Sticky

 The administrator can enable the switch to dynamically learn the MAC address and
“stick” them to the running configuration by using the following command:
Switch(config-if)# switchport port-security mac-address sticky

 Saving the running configuration will commit the dynamically learned MAC address to
NVRAM.
 The following example demonstrates a complete port security configuration for
FastEthernet 0/1 with a host connected to port Fa0/1. The administrator specifies a
maximum of 2 MAC addresses, manually configures one secure MAC address, and
then configures the port to dynamically learn additional secure MAC addresses up to
the 2 secure MAC address maximum. Use the show port-security interface and
the show port-security address command to verify the configuration.
*Mar 1 00:12:38.179: %LINK-3-UPDOWN: Interface FastEthernet0/1, changed state to up
*Mar 1 00:12:39.194: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/1, changed state to up
S1#conf t
Enter configuration commands, one per line. End with CNTL/Z.
S1(config)#
S1(config)# interface fa0/1
S1(config-if)# switchport mode access
S1(config-if)# switchport port-security
S1(config-if)# switchport port-security maximum 2
S1(config-if)# switchport port-security mac-address aaaa.bbbb.1234
S1(config-if)# switchport port-security mac-address sticky
S1(config-if)# end
S1# show port-security interface fa0/1
Port Security : Enabled
Port Status : Secure-up
Violation Mode : Shutdown
Aging Time : 0 mins
Aging Type : Absolute
SecureStatic Address Aging : Disabled
Maximum MAC Addresses : 2
Total MAC Addresses : 2
Configured MAC Addresses : 1
Sticky MAC Addresses : 1
Last Source Address:Vlan : a41f.7272.676a:1
Security Violation Count : 0
S1# show port-security address
               Secure Mac Address Table
-----------------------------------------------------------------------------
Vlan    Mac Address       Type                          Ports   Remaining Age
                                                                   (mins)
----    -----------       ----                          -----   -------------
   1    a41f.7272.676a    SecureSticky                  Fa0/1        -
   1    aaaa.bbbb.1234    SecureConfigured              Fa0/1        -
-----------------------------------------------------------------------------
Total Addresses in System (excluding one mac per port)     : 1
Max Addresses limit in System (excluding one mac per port) : 8192
S1#

 The output of the show port-security interface command verifies that port security is
enabled, there is a host connected to the port (i.e., Secure-up), a total of 2 MAC
addresses will be allowed, and S1 has learned one MAC address statically and one
MAC address dynamically (i.e., sticky).
 The output of the show port-security address command lists the two learned MAC
addresses.

14.3.5 PORT SECURITY AGING

 Port security aging can be used to set the aging time for static and dynamic secure
addresses on a port. Two types of aging are supported per port:
o Absolute - The secure addresses on the port are deleted after the specified
aging time.
o Inactivity - The secure addresses on the port are deleted only if they are
inactive for the specified aging time.
 Use aging to remove secure MAC addresses on a secure port without manually deleting
the existing secure MAC addresses. Aging time limits can also be increased to ensure
past secure MAC addresses remain, even while new MAC addresses are added. Aging
of statically configured secure addresses can be enabled or disabled on a per-port basis.
 Use the switchport port-security aging command to enable or disable static aging for
the secure port, or to set the aging time or type.
Switch(config-if)# switchport port-security aging { static | time
time | type {absolute | inactivity}}

Parameter        Description
static           Enable aging for statically configured secure addresses on this port.
time time        Specify the aging time for this port. The range is 0 to 1440 minutes. If the
                 time is 0, aging is disabled for this port.
type absolute    Set the absolute aging time. All the secure addresses on this port age out
                 exactly after the time (in minutes) specified and are removed from the secure
                 address list.
type inactivity  Set the inactivity aging type. The secure addresses on this port age out only
                 if there is no data traffic from the secure source address for the specified
                 time period.

 Note: MAC addresses are shown as 24 bits for simplicity.


 The example shows an administrator configuring the aging type to 10 minutes of
inactivity and then using the show port-security interface command to verify the
configuration.
S1(config)# interface fa0/1
S1(config-if)# switchport port-security aging time 10
S1(config-if)# switchport port-security aging type inactivity
S1(config-if)# end
S1# show port-security interface fa0/1
Port Security : Enabled
Port Status : Secure-up
Violation Mode : Shutdown
Aging Time : 10 mins
Aging Type : Inactivity
SecureStatic Address Aging : Disabled
Maximum MAC Addresses : 2
Total MAC Addresses : 2
Configured MAC Addresses : 1
Sticky MAC Addresses : 1
Last Source Address:Vlan : a41f.7272.676a:1
Security Violation Count : 0
S1#

14.3.6 PORT SECURITY VIOLATION MODES

 If the MAC address of a device that is attached to the port differs from the list of secure
addresses, then a port violation occurs. By default, the port enters the error-disabled
state.
 To set the port security violation mode, use the following command:
Switch(config-if)# switchport port-security violation { protect |
restrict | shutdown}

 The following table describes the different switch modes.

Mode                Description
shutdown (default)  The port transitions to the error-disabled state immediately, turns off the
                    port LED, and sends a syslog message. It increments the violation counter.
                    When a secure port is in the error-disabled state, an administrator must
                    re-enable it by entering the shutdown and no shutdown commands.
restrict            The port drops packets with unknown source addresses until you remove a
                    sufficient number of secure MAC addresses to drop below the maximum value or
                    increase the maximum value. This mode causes the Security Violation counter
                    to increment and generates a syslog message.
protect             This is the least secure of the security violation modes. The port drops
                    packets with unknown MAC source addresses until you remove a sufficient
                    number of secure MAC addresses to drop below the maximum value or increase
                    the maximum value. No syslog message is sent.

 The following table shows how a switch reacts based on the configured violation mode.
Violation Mode  Discards Offending Traffic  Sends Syslog Message  Increases Violation Counter  Shuts Down Port
Protect         Yes                         No                    No                           No
Restrict        Yes                         Yes                   Yes                          No
Shutdown        Yes                         Yes                   Yes                          Yes

 The following example shows an administrator changing the security violation mode to
“restrict”. The output of the show port-security interface command confirms that the
change has been made.
S1(config)# interface f0/1
S1(config-if)# switchport port-security violation restrict
S1(config-if)# end
S1#
S1# show port-security interface f0/1
Port Security : Enabled
Port Status : Secure-up
Violation Mode : Restrict
Aging Time : 10 mins
Aging Type : Inactivity
SecureStatic Address Aging : Disabled
Maximum MAC Addresses : 2
Total MAC Addresses : 2
Configured MAC Addresses : 1
Sticky MAC Addresses : 1
Last Source Address:Vlan : a41f.7272.676a:1
Security Violation Count : 0
S1#
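The violation modes in the tables above, together with the maximum, static and sticky learning from 14.3.4, as an added Python model (example code, not Cisco IOS code or part of the course). The port name and MAC addresses are constructed after the course examples, and the running-config rendering is this example's own approximation of what show run displays.

```python
"""Teaching model of port security (added example, not Cisco IOS code):
a secure-address limit, static and sticky learning, and the protect,
restrict and shutdown violation modes. Port name and MACs are constructed."""
from dataclasses import dataclass, field


@dataclass
class SecurePort:
    name: str
    maximum: int = 1                 # switchport port-security maximum <n>
    violation: str = "shutdown"      # protect | restrict | shutdown (default)
    sticky: bool = False             # switchport port-security mac-address sticky
    secure: dict = field(default_factory=dict)   # mac -> address type
    violation_count: int = 0
    err_disabled: bool = False
    syslog: list = field(default_factory=list)

    def configure_mac(self, mac: str) -> None:
        """switchport port-security mac-address <mac> (static entry)."""
        if mac not in self.secure and len(self.secure) >= self.maximum:
            raise ValueError(f"{self.name}: maximum secure addresses already reached")
        self.secure[mac] = "SecureConfigured"

    def receive(self, src_mac: str) -> str:
        """Handle a frame from src_mac: 'forward', 'drop' or 'err-disabled'."""
        if self.err_disabled:
            return "err-disabled"            # no traffic on an err-disabled port
        if src_mac in self.secure:
            return "forward"
        if len(self.secure) < self.maximum:
            # room left: learn the address (sticky entries survive in the config)
            self.secure[src_mac] = "SecureSticky" if self.sticky else "SecureDynamic"
            return "forward"
        # unknown source on a full port: a security violation
        if self.violation == "protect":
            return "drop"                    # silent: no counter, no syslog
        self.violation_count += 1
        self.syslog.append(
            f"%PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, "
            f"caused by MAC address {src_mac} on port {self.name}.")
        if self.violation == "restrict":
            return "drop"
        self.err_disabled = True             # shutdown mode: port goes err-disabled
        self.syslog.append(
            f"%PM-4-ERR_DISABLE: psecure-violation error detected on {self.name}, "
            f"putting {self.name} in err-disable state")
        return "err-disabled"

    def port_status(self) -> str:
        if self.err_disabled:
            return "Secure-shutdown"
        return "Secure-up" if self.secure else "Secure-down"

    def recover(self) -> None:
        """What 'shutdown' then 'no shutdown' does once the cause is removed."""
        self.err_disabled = False

    def running_config(self) -> list[str]:
        """Interface lines roughly as 'show run' would list them (sticky MACs persist)."""
        lines = [f"interface {self.name}", " switchport mode access",
                 f" switchport port-security maximum {self.maximum}"]
        if self.sticky:
            lines.append(" switchport port-security mac-address sticky")
        for mac, kind in self.secure.items():
            if kind == "SecureSticky":
                lines.append(f" switchport port-security mac-address sticky {mac}")
            elif kind == "SecureConfigured":
                lines.append(f" switchport port-security mac-address {mac}")
        if self.violation != "shutdown":
            lines.append(f" switchport port-security violation {self.violation}")
        lines.append(" switchport port-security")
        return lines


def demo(mode: str) -> dict:
    """Fa0/1 with maximum 2: one static MAC, one sticky host, then a second host."""
    port = SecurePort("Fa0/1", maximum=2, violation=mode, sticky=True)
    port.configure_mac("aaaa.bbbb.1234")
    frames = ["a41f.7272.676a", "a41f.7272.676a", "a41f.7273.018c", "a41f.7273.018c"]
    results = [port.receive(mac) for mac in frames]
    return {"results": results, "violations": port.violation_count,
            "status": port.port_status(), "syslog": len(port.syslog)}


if __name__ == "__main__":
    for mode in ("protect", "restrict", "shutdown"):
        print(mode, demo(mode))
```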

14.3.7 PORT IN ERROR-DISABLED STATE

 What happens when the port security violation is shutdown and a port violation occurs?
The port is physically shutdown and placed in the error-disabled state, and no traffic is
sent or received on that port.
 In the example, the port security violation is changed back to the default shutdown
setting. Then the host with MAC address a41f.7272.676a is disconnected and a new
host is plugged into Fa0/1.
 Notice that a series of port security related messages are generated on the console.
S1(config)# int fa0/1
S1(config-if)# switchport port-security violation shutdown
S1(config-if)# end
S1#
*Mar 1 00:24:15.599: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/1, changed state to down
*Mar 1 00:24:16.606: %LINK-3-UPDOWN: Interface FastEthernet0/1, changed state to down
*Mar 1 00:24:19.114: %LINK-3-UPDOWN: Interface FastEthernet0/1, changed state to up
*Mar 1 00:24:20.121: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/1, changed state to up
S1#
*Mar 1 00:24:32.829: %PM-4-ERR_DISABLE: psecure-violation error detected on Fa0/1, putting Fa0/1 in err-disable state
*Mar 1 00:24:32.838: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address a41f.7273.018c on port FastEthernet0/1.
*Mar 1 00:24:33.836: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/1, changed state to down
*Mar 1 00:24:34.843: %LINK-3-UPDOWN: Interface FastEthernet0/1, changed state to down
S1#

 Note: The port protocol and link status are changed to down and the port LED is turned
off.
 In the example, the show interface command identifies the port status as err-disabled.
The output of the show port-security interface command now shows the port status as
Secure-shutdown instead of Secure-up. The Security Violation counter increments by 1.
S1# show interface fa0/1 | include down
FastEthernet0/18 is down, line protocol is down (err-disabled)
(output omitted)
S1# show port-security interface fa0/1
Port Security : Enabled
Port Status : Secure-shutdown
Violation Mode : Shutdown
Aging Time : 10 mins
Aging Type : Inactivity
SecureStatic Address Aging : Disabled
Maximum MAC Addresses : 2
Total MAC Addresses : 2
Configured MAC Addresses : 1
Sticky MAC Addresses : 1
Last Source Address:Vlan : a41f.7273.018c:1
Security Violation Count : 1
S1#

 The administrator should determine what caused the security violation. If an
unauthorized device is connected to a secure port, the security threat is eliminated
before re-enabling the port.
 In the next example, the first host is reconnected to Fa0/1. To re-enable the port, first
use the shutdown command, then, use the no shutdown command to make the port
operational, as shown in the example.
S1(config)# interface fa0/1
S1(config-if)# shutdown
S1(config-if)#
*Mar 1 00:39:54.981: %LINK-5-CHANGED: Interface FastEthernet0/1, changed state to administratively down
S1(config-if)# no shutdown
S1(config-if)#
*Mar 1 00:40:04.275: %LINK-3-UPDOWN: Interface FastEthernet0/1, changed state to up
*Mar 1 00:40:05.282: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/1, changed state to up
S1(config-if)#

14.3.8 VERIFY PORT SECURITY

 After configuring port security on a switch, check each interface to verify that the port
security is set correctly, and check to ensure that the static MAC addresses have been
configured correctly.
Port Security for All Interfaces

 To display port security settings for the switch, use the show port-security command.
The example indicates that only one port is configured with the switchport port-security
command.
S1# show port-security
Secure Port  MaxSecureAddr  CurrentAddr  SecurityViolation  Security Action
                (Count)       (Count)        (Count)
---------------------------------------------------------------------------
      Fa0/1              2            2                  0         Shutdown
---------------------------------------------------------------------------
Total Addresses in System (excluding one mac per port)     : 1
Max Addresses limit in System (excluding one mac per port) : 8192
S1#

Port Security for a Specific Interface

 Use the show port-security interface command to view details for a specific interface,
as shown previously and in this example.
S1# show port-security interface fastethernet 0/1
Port Security : Enabled
Port Status : Secure-up
Violation Mode : Shutdown
Aging Time : 10 mins
Aging Type : Inactivity
SecureStatic Address Aging : Disabled
Maximum MAC Addresses : 2
Total MAC Addresses : 2
Configured MAC Addresses : 1
Sticky MAC Addresses : 1
Last Source Address:Vlan : a41f.7273.018c:1
Security Violation Count : 0
S1#

Verify Learned MAC Addresses

 To verify that MAC addresses are “sticking” to the configuration, use the show
run command as shown in the example for FastEthernet 0/1.
S1# show run interface fa0/1
Building configuration...

Current configuration : 365 bytes
!
interface FastEthernet0/1
switchport mode access
switchport port-security maximum 2
switchport port-security mac-address sticky
switchport port-security mac-address sticky a41f.7272.676a
switchport port-security mac-address aaaa.bbbb.1234
switchport port-security aging time 10
switchport port-security aging type inactivity
switchport port-security
end

S1#

Verify Secure MAC Addresses

 To display all secure MAC addresses that are manually configured or dynamically
learned on all switch interfaces, use the show port-security address command as
shown in the example.
S1# show port-security address
               Secure Mac Address Table
-----------------------------------------------------------------------------
Vlan    Mac Address       Type                          Ports   Remaining Age
                                                                   (mins)
----    -----------       ----                          -----   -------------
   1    a41f.7272.676a    SecureSticky                  Fa0/1        -
   1    aaaa.bbbb.1234    SecureConfigured              Fa0/1        -
-----------------------------------------------------------------------------
Total Addresses in System (excluding one mac per port)     : 1
Max Addresses limit in System (excluding one mac per port) : 8192
S1#
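An added example (not course material or Cisco code) that turns the console messages from 14.3.7 and the show port-security interface output used throughout 14.3 into structured records and audits them, which is the check a network operator would script across many switches. The sample text is copied from the course output above; the audit rules are this example's own assumptions.

```python
"""Added example (not course material): parse 'show port-security interface'
output and port-security syslog messages into records, then audit them.
Sample text is copied from the course output; audit rules are assumptions."""
import re

# Copied from the 14.3.7 output (port err-disabled after a violation).
SHOW_OUTPUT = """\
Port Security : Enabled
Port Status : Secure-shutdown
Violation Mode : Shutdown
Aging Time : 10 mins
Aging Type : Inactivity
SecureStatic Address Aging : Disabled
Maximum MAC Addresses : 2
Total MAC Addresses : 2
Configured MAC Addresses : 1
Sticky MAC Addresses : 1
Last Source Address:Vlan : a41f.7273.018c:1
Security Violation Count : 1
"""

# Copied from the 14.3.7 console messages.
SYSLOG = """\
*Mar 1 00:24:32.829: %PM-4-ERR_DISABLE: psecure-violation error detected on Fa0/1, putting Fa0/1 in err-disable state
*Mar 1 00:24:32.838: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address a41f.7273.018c on port FastEthernet0/1.
"""

VIOLATION_RE = re.compile(
    r"%PORT_SECURITY-2-PSECURE_VIOLATION: .*caused by MAC address "
    r"(?P<mac>[0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4}) on port (?P<port>\S+?)\.?$")
ERR_DISABLE_RE = re.compile(
    r"%PM-4-ERR_DISABLE: (?P<cause>\S+) error detected on \S+, "
    r"putting (?P<port>\S+) in err-disable state")


def parse_show_port_security(text: str) -> dict:
    """'Key : Value' lines -> dict. Split on the first ' : ' only, because the
    'Last Source Address:Vlan' key and its value both contain colons."""
    fields = {}
    for line in text.splitlines():
        if " : " in line:
            key, value = line.split(" : ", 1)
            fields[key.strip()] = value.strip()
    return fields


def parse_syslog(text: str) -> list[dict]:
    """Extract the violating MAC and port from the two message types."""
    events = []
    for line in text.splitlines():
        if m := VIOLATION_RE.search(line):
            events.append({"type": "violation", "port": m["port"], "mac": m["mac"]})
        elif m := ERR_DISABLE_RE.search(line):
            events.append({"type": "err-disabled", "port": m["port"],
                           "cause": m["cause"]})
    return events


def audit(fields: dict) -> list[str]:
    """Findings an operator would act on (rules are this example's assumptions)."""
    findings = []
    if fields.get("Port Security") != "Enabled":
        findings.append("port security is not enabled")
    if fields.get("Violation Mode") == "Protect":
        findings.append("protect mode: violations produce no syslog and no counter")
    if fields.get("Port Status") == "Secure-shutdown":
        last = fields.get("Last Source Address:Vlan", "?")
        findings.append(f"port is err-disabled; last source {last} must be "
                        f"investigated before 'shutdown' / 'no shutdown'")
    if int(fields.get("Security Violation Count", "0")) > 0:
        findings.append(f"{fields['Security Violation Count']} violation(s) recorded")
    return findings


if __name__ == "__main__":
    print(parse_syslog(SYSLOG))
    print(audit(parse_show_port_security(SHOW_OUTPUT)))
```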

14.3.10 SNMP MAC ADDRESS NOTIFICATION


 Network managers need a way of monitoring who is using the network and what their
location is. For example, if port Fa0/1 is secure on a switch, an SNMP trap is generated
when a MAC address entry for that port disappears from the MAC table.
 The MAC address notification feature sends SNMP traps to the network management
station (NMS) whenever a new MAC address is added to, or an old address is deleted
from, the forwarding tables. MAC address notifications are generated only for dynamic
and secure MAC addresses.
 MAC address notification allows the network administrator to monitor MAC addresses
that are learned, as well as MAC addresses that age out and are removed from the
switch. For example, in the figure, the laptop with MAC C has disconnected from the
network. The switch will eventually timeout port Fa0/3 and send an SNMP trap
notification to the NMS Server.
 Use the mac address-table notification global configuration command to enable the
MAC address notification feature on a switch.

14.4 MITIGATE VLAN ATTACKS


14.4.1 VLAN HOPPING ATTACKS

 VLANs are used to create separate broadcast domains on switches. Endpoints that are
located in one VLAN are unable to communicate with endpoints that are on another
VLAN unless permitted to do so by a router or Layer 3 switch. VLANs can be used to
separate sensitive content from other network traffic. For example, a guest VLAN may
be created for guests to an organization. Those guests should not have access to
sensitive corporate content that is carried on other VLANs. VLAN attacks can
circumvent the intention of a VLAN design by allowing unauthorized users access to
VLANs that they should not be able to access. Two types of VLAN attacks are VLAN
hopping attacks and VLAN double-tagging attacks.
 A VLAN hopping attack enables traffic from one VLAN to be seen by another VLAN
without the aid of a router. In a basic VLAN hopping attack, the threat actor configures
a host to act like a switch to take advantage of the automatic trunking port feature
enabled by default on most switch ports.
 The threat actor configures the host to spoof 802.1Q signaling and Cisco-proprietary
Dynamic Trunking Protocol (DTP) signaling to trunk with the connecting switch. If
successful, the switch establishes a trunk link with the host, as shown in the figure. Now
the threat actor can access all the VLANs on the switch. The threat actor can send and
receive traffic on any VLAN, effectively hopping between VLANs.

14.4.2 VLAN DOUBLE-TAGGING ATTACK

 A threat actor in specific situations could embed a hidden 802.1Q tag inside the frame
that already has an 802.1Q tag. This tag allows the frame to go to a VLAN that the
original 802.1Q tag did not specify.
Step 1
 The threat actor sends a double-tagged 802.1Q frame to the switch. The outer header
has the VLAN tag of the threat actor, which is the same as the native VLAN of the
trunk port. For the purposes of this example, assume that this is VLAN 10. The inner
tag is the victim VLAN, in this example, VLAN 20.
Step 2

 The frame arrives on the first switch, which looks at the first 4-byte 802.1Q tag. The
switch sees that the frame is destined for VLAN 10, which is the native VLAN. The
switch forwards the packet out all VLAN 10 ports after stripping the VLAN 10 tag. The
frame is not retagged because it is part of the native VLAN. At this point, the VLAN 20
tag is still intact and has not been inspected by the first switch.
Step 3

 The frame arrives at the second switch which has no knowledge that it was supposed to
be for VLAN 10. Native VLAN traffic is not tagged by the sending switch as specified
in the 802.1Q specification. The second switch looks only at the inner 802.1Q tag that
the threat actor inserted and sees that the frame is destined for VLAN 20, the target
VLAN. The second switch sends the frame on to the target or floods it, depending on
whether there is an existing MAC address table entry for the target.

 A VLAN double-tagging attack is unidirectional and works only when the attacker is
connected to a port residing in the same VLAN as the native VLAN of the trunk port.
The idea is that double tagging allows the attacker to send data to hosts or servers on a
VLAN that otherwise would be blocked by some type of access control configuration.
Presumably the return traffic will also be permitted, thus giving the attacker the ability
to communicate with devices on the normally blocked VLAN.
VLAN Attack Mitigation

 VLAN hopping and VLAN double-tagging attacks can be prevented by implementing
the following trunk security guidelines, as discussed in a previous module:
o Disable trunking on all access ports.
o Disable auto trunking on trunk links so that trunks must be manually enabled.
o Be sure that the native VLAN is only used for trunk links.

14.4.3 MITIGATING VLAN HOPPING ATTACKS

 Use the following steps to mitigate VLAN hopping attacks:


o Step 1: Disable DTP (auto trunking) negotiations on non-trunking ports by
using the switchport mode access interface configuration command.
o Step 2: Disable unused ports and put them in an unused VLAN. In the example
it is VLAN 1000.
o Step 3: Manually enable the trunk link on a trunking port by using the
switchport mode trunk command.
o Step 4: Disable DTP (auto trunking) negotiations on trunking ports by using the
switchport nonegotiate command.
o Step 5: Set the native VLAN to a VLAN other than VLAN 1 by using the
switchport trunk native vlan vlan_number command.
 For example, assume the following:
o FastEthernet ports 0/1 through 0/16 are active access ports.
o FastEthernet ports 0/17 through 0/20 are not currently in use.
o FastEthernet ports 0/21 through 0/24 are trunk ports.
 VLAN hopping can be mitigated by implementing the following configuration.
S1(config)# interface range fa0/1 - 16
S1(config-if-range)# switchport mode access
S1(config-if-range)# exit
S1(config)#
S1(config)# interface range fa0/17 - 20
S1(config-if-range)# switchport mode access
S1(config-if-range)# switchport access vlan 1000
S1(config-if-range)# shutdown
S1(config-if-range)# exit
S1(config)#
S1(config)# interface range fa0/21 - 24
S1(config-if-range)# switchport mode trunk
S1(config-if-range)# switchport nonegotiate
S1(config-if-range)# switchport trunk native vlan 999
S1(config-if-range)# end
S1#

 FastEthernet ports 0/1 to 0/16 are access ports and therefore trunking is disabled by
explicitly making them access ports.
 FastEthernet ports 0/17 to 0/20 are unused ports and are disabled and assigned to an
unused VLAN.
 FastEthernet ports 0/21 to 0/24 are trunk links and are manually enabled as trunks with
DTP disabled. The native VLAN is also changed from the default VLAN 1 to VLAN
999.

14.4.5 PRIVATE VLANS

 VLANs are broadcast domains. However, in some situations, it may be useful to break
this rule and allow only the minimum required L2 connectivity within the VLAN.
 Private VLANs (PVLAN) provide Layer 2 isolation between ports within the same
broadcast domain. There are three types of PVLAN ports:
 Promiscuous - A promiscuous port can talk to everyone. It can communicate with all
interfaces, including the isolated and community ports within a PVLAN.
 Isolated - An isolated port can only talk to promiscuous ports. An isolated port has
complete Layer 2 separation from the other ports within the same PVLAN, but not from
the promiscuous ports. PVLANs block all traffic to isolated ports except traffic from
promiscuous ports. Traffic from an isolated port is forwarded only to promiscuous
ports.
 Community - Community ports can talk to other community and promiscuous ports.
These interfaces are separated at Layer 2 from all other interfaces in other communities
or isolated ports within their PVLAN.
 The example in the figure illustrates which ports can interconnect. The security
provided by a PVLAN can be bypassed by using the router as a proxy.

 For example, in the figure below, PC-A and PC-B are isolated from each other.
However, PC-A can initiate an attack against PC-B by sending packets that have the
source IP address and MAC address of PC-A, the destination IP address of PC-B, but
the destination MAC address of R1. S1 will forward the frame to R1 because F0/5 is
configured as a promiscuous port. R1 rebuilds the frame with PC-B's MAC address and
forwards it to S1. S1 then forwards the frame to PC-B.
 Note: PVLANs are used mainly in service provider co-location sites. Another typical
application can be found in hotels where each room would be connected on its own
isolated port.

 To mitigate this type of attack, configure an ACL that will deny traffic with a source
and destination IP address that belongs to the same subnet, as shown in the
configuration below.
R1(config)# ip access-list extended PVLAN
R1(config-ext-nacl)# deny ip 172.16.0.0 0.0.0.255 172.16.0.0 0.0.0.255
R1(config-ext-nacl)# permit ip any any
R1(config-ext-nacl)# interface g0/0
R1(config-if)# ip access-group PVLAN in
R1(config-if)#

14.4.6 PVLAN EDGE FEATURE

 Some applications require that no traffic be forwarded at Layer 2 between ports on the
same switch so that one neighbour does not see the traffic generated by another
neighbour.
 In such an environment, the use of the PVLAN Edge feature ensures that there is no
exchange of unicast, broadcast, or multicast traffic between PVLAN edge ports on the
switch, as shown in the figure. The PVLAN Edge feature is also called Protected Ports.
 The PVLAN Edge feature has the following characteristics:
o A protected port does not forward any traffic, such as unicast, multicast, or
broadcast, to any other port that is also a protected port. Data traffic cannot be
forwarded between protected ports at Layer 2; only control traffic is forwarded
because these packets are processed by the CPU and forwarded in software. All
data traffic passing between protected ports must be forwarded through a Layer
3 device.
o Forwarding behaviour between a protected port and a non-protected port
proceeds as usual.
o The default is to have no protected ports defined.
14.4.7 CONFIGURE PVLAN EDGE

 To configure the PVLAN Edge feature, enter the switchport protected interface
configuration mode command.
 The PVLAN Edge feature can be configured on a physical interface or an EtherChannel
group. When the PVLAN Edge feature is enabled for a port channel, it is enabled for all
ports in the port-channel group. To disable a protected port, use the no switchport
protected interface configuration mode command.
 To verify the configuration of the PVLAN Edge feature, use the show interfaces
interface-id switchport global configuration mode command, as shown in the example
below.
Switch# show interfaces gigabitethernet1/0/1 switchport
Name: G1/0/1
Switchport: Enabled
Administrative Mode: dynamic auto
Operational Mode: static access
Administrative Trunking Encapsulation: negotiate
Operational Trunking Encapsulation: native
Negotiation of Trunking: On
Access Mode VLAN: 1 (default)
Trunking Native Mode VLAN: 1 (default)
Voice VLAN: none
(output omitted)
Operational private-vlan: none
Trunking VLANs Enabled: ALL
Pruning VLANs Enabled: 2-1001
Capture Mode Disabled
Capture VLANs Allowed: ALL
Protected: false
Unknown unicast blocked: disabled
Unknown multicast blocked: disabled
Voice VLAN: none (Inactive)
Appliance trust: none

 The PVLAN edge is a feature that has only local significance to the switch, and there is
no isolation provided between two protected ports located on different switches. A
protected port does not forward any traffic (unicast, multicast, or broadcast) to any other
port that is also a protected port on the same switch. Traffic cannot be forwarded
between protected ports at Layer 2 (L2); all traffic passing between protected ports must
be forwarded through a Layer 3 (L3) device.

14.5 MITIGATE DHCP ATTACKS


14.5.1 DHCP ATTACKS
 Two types of DHCP attacks are DHCP starvation and DHCP spoofing. Both attacks are
mitigated by implementing DHCP snooping.
DHCP Starvation Attack

 The goal of the DHCP starvation attack is DoS for connecting clients. DHCP starvation
attacks require an attack tool such as Gobbler.
 Gobbler has the ability to look at the entire scope of leasable IP addresses and tries to
lease them all. Specifically, it creates DHCP discovery messages with bogus MAC
addresses.
DHCP Spoofing Attack

 A DHCP spoofing attack occurs when a rogue DHCP server is connected to the
network and provides false IP configuration parameters to legitimate clients. A rogue
server can provide a variety of misleading information:
o Wrong default gateway - The rogue server provides an invalid gateway, or its
own IP address, to create a man-in-the-middle attack. This may go entirely
undetected as the intruder intercepts the data flow through the network and then
forwards it on to the real default gateway.
o Wrong DNS server - The rogue server provides an incorrect DNS server
address that points the user to a nefarious website.
o Wrong IP address - The rogue server provides an invalid IP address which
effectively creates a DoS attack on the DHCP client.
An example and explanation of a DHCP spoofing attack now follows…
Step 1
Threat Actor Connects Rogue DHCP Server

 A threat actor successfully connects a rogue DHCP server to a switch port on the same
subnet and VLANs as the target clients. The goal of the rogue server is to provide
clients with false IP configuration information.
Step 2
Client Broadcasts DHCP Discovery Messages

 A legitimate client connects to the network and requires IP configuration parameters.
Therefore, the client broadcasts a DHCP Discovery request looking for a response from
a DHCP server. Both servers will receive the message and respond.
Step 3
Legitimate and Rogue DHCP Reply

 The legitimate DHCP server responds with valid IP configuration parameters. However,
the rogue server also responds with a DHCP offer containing IP configuration
parameters defined by the threat actor. The client will reply to the first offer received.
Step 4
Client Accepts Rogue DHCP Offer
 The rogue offer was received first, and therefore, the client broadcasts a DHCP request
accepting the IP parameters defined by the threat actor. The legitimate and rogue server
will receive the request.
Step 5
Rogue Server Acknowledges

 The rogue server unicasts a reply to the client to acknowledge its request. The
legitimate server will cease communicating with the client.
14.5.2 DHCP ATTACKS MITIGATION

 It is easy to mitigate DHCP starvation attacks by using port security. However,
mitigating DHCP spoofing attacks requires more protection.
 For instance, Gobbler uses a unique MAC address for each DHCP request, and port
security could be configured to mitigate this. However, Gobbler can also be configured
to use the same interface MAC address with a different hardware address for every
request. This would render port security ineffective.
 DHCP spoofing attacks can be mitigated using DHCP snooping on trusted ports. DHCP
snooping also helps mitigate against DHCP starvation attacks by rate limiting the
number of DHCP discovery messages that an untrusted port can receive. DHCP
snooping builds and maintains a DHCP snooping binding database that the switch can
use to filter DHCP messages from untrusted sources. The DHCP snooping binding table
includes the client MAC address, IP address, DHCP lease time, binding type, VLAN
number, and interface information on each untrusted switchport or interface.
 Devices under your administrative control, such as switches, routers, and servers, are
trusted sources. Any device beyond the firewall or outside your network is an untrusted
source. In addition, all access ports are generally treated as untrusted sources. The
figure shows an example of trusted and untrusted ports.

 Note: In a large network, the DHCP binding table may take time to build after it is
enabled. For example, it could take 2 days for DHCP snooping to complete the table if
DHCP lease time is 4 days.
 When DHCP snooping is enabled on an interface or VLAN, and a switch receives a
packet on an untrusted port, the switch compares the source packet information with
that held in the DHCP snooping binding table. The switch will deny packets containing
specific information:
o Unauthorized DHCP server messages from an untrusted port
o Unauthorized DHCP client messages not adhering to the snooping binding table
or rate limits
o DHCP relay-agent packets that include option-82 information on an untrusted
port
 Note: To counter Gobbler using the same MAC address, DHCP snooping also makes
the switch check the Client Hardware Address (CHADDR) field in the DHCP request.
This ensures that it matches the hardware MAC address in the DHCP snooping binding
table and the MAC address in the MAC table. If there is no match, the request is
dropped.
 Note: Similar mitigation techniques are available for DHCPv6 and IPv6 clients.
Because IPv6 devices can also receive their addressing information from the router’s
Router Advertisement (RA) message, there are also mitigation solutions to prevent any
rogue RA messages.
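The checks described above, as an added Python model of DHCP snooping (not Cisco code and not from the original notes): trusted ports forward everything and their ACKs populate the binding table, while untrusted ports drop server messages, relay-agent data, CHADDR/source-MAC mismatches and packets over the per-second rate limit. Port names, MAC addresses, the 6 pps limit and the client binding are constructed to match the configuration example later in this module.

```python
from collections import defaultdict
from dataclasses import dataclass

# DHCP message types (option 53); OFFER, ACK and NAK only ever come from a server.
DISCOVER, OFFER, REQUEST, ACK, NAK, RELEASE = 1, 2, 3, 5, 6, 7
SERVER_MESSAGES = {OFFER, ACK, NAK}


@dataclass
class DhcpMsg:
    port: str                  # switch port the message arrived on
    src_mac: str               # Ethernet source MAC (what the MAC table learns)
    chaddr: str                # client hardware address field in the DHCP payload
    msg_type: int
    vlan: int = 5
    yiaddr: str = ""           # address offered or assigned (OFFER and ACK only)
    lease: int = 0             # lease time in seconds (ACK only)
    giaddr: str = "0.0.0.0"    # relay agent address; non-zero means a relay handled it
    has_option82: bool = False
    second: int = 0            # arrival time in whole seconds, for the rate limit


@dataclass
class Binding:
    mac: str
    ip: str
    lease: int
    vlan: int
    port: str


class DhcpSnooping:
    """Simplified model of DHCP snooping on one switch (not Cisco code)."""

    def __init__(self, trusted_ports, rate_limit):
        self.trusted = set(trusted_ports)
        self.rate_limit = rate_limit          # DHCP packets per second per untrusted port
        self.bindings = {}                    # chaddr -> Binding (the snooping binding table)
        self._pps = defaultdict(int)          # (port, second) -> packets seen
        self._client_port = {}                # chaddr -> untrusted port that sent the request
        self.log = []

    def process(self, m: DhcpMsg) -> str:
        if m.port in self.trusted:
            # Server ACKs arriving on trusted ports populate the binding table.
            if m.msg_type == ACK and m.chaddr in self._client_port:
                self.bindings[m.chaddr] = Binding(
                    m.chaddr, m.yiaddr, m.lease, m.vlan, self._client_port[m.chaddr])
            return "forward"
        if m.msg_type in SERVER_MESSAGES:
            return self._drop(m, "DHCP server message on untrusted port")
        if m.giaddr != "0.0.0.0" or m.has_option82:
            return self._drop(m, "relay-agent information on untrusted port")
        if m.chaddr.lower() != m.src_mac.lower():
            return self._drop(m, "CHADDR does not match the frame's source MAC")
        self._pps[(m.port, m.second)] += 1
        if self._pps[(m.port, m.second)] > self.rate_limit:
            # A real switch would err-disable the port at this point.
            return self._drop(m, "DHCP rate limit exceeded")
        if m.msg_type == RELEASE:
            b = self.bindings.get(m.chaddr)
            if b is not None and b.port != m.port:
                return self._drop(m, "RELEASE from a port other than the binding's port")
        self._client_port[m.chaddr] = m.port
        return "forward"

    def _drop(self, m: DhcpMsg, reason: str) -> str:
        self.log.append("drop port=%s type=%d mac=%s: %s" % (m.port, m.msg_type, m.src_mac, reason))
        return "drop"


def run_demo():
    """Constructed traffic: FastEthernet0/1 is the trusted uplink to the DHCP server."""
    sw = DhcpSnooping(trusted_ports={"FastEthernet0/1"}, rate_limit=6)
    server, client, rogue = "00:11:22:33:44:55", "00:03:47:b5:9f:ad", "de:ad:be:ef:00:01"
    res = []
    # 1-4: a legitimate Discover/Offer/Request/Ack exchange via FastEthernet0/5
    res.append(sw.process(DhcpMsg("FastEthernet0/5", client, client, DISCOVER)))
    res.append(sw.process(DhcpMsg("FastEthernet0/1", server, client, OFFER, yiaddr="192.168.10.11")))
    res.append(sw.process(DhcpMsg("FastEthernet0/5", client, client, REQUEST)))
    res.append(sw.process(DhcpMsg("FastEthernet0/1", server, client, ACK,
                                  yiaddr="192.168.10.11", lease=193185)))
    # 5: a rogue server on an untrusted port answers the client (DHCP spoofing)
    res.append(sw.process(DhcpMsg("FastEthernet0/6", rogue, client, OFFER, yiaddr="192.168.10.200")))
    # 6: a request whose CHADDR differs from the frame's source MAC (Gobbler-style)
    res.append(sw.process(DhcpMsg("FastEthernet0/6", rogue, "00:00:00:00:00:99", DISCOVER, second=1)))
    # 7-13: seven Discovers within one second on a port limited to 6 pps
    for _ in range(7):
        res.append(sw.process(DhcpMsg("FastEthernet0/7", "de:ad:be:ef:00:02",
                                      "de:ad:be:ef:00:02", DISCOVER, second=2)))
    return sw, res
```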

14.5.3 STEPS TO IMPLEMENT DHCP SNOOPING

 Use the following steps to enable DHCP snooping:
configuration command.
o Step 2. On trusted ports, use the ip dhcp snooping trust interface
configuration command.
o Step 3. Limit the number of DHCP discovery messages that can be received per
second on untrusted ports by using the ip dhcp snooping limit rate interface
configuration command.
o Step 4. Enable DHCP snooping by VLAN, or by a range of VLANs, by using
the ip dhcp snooping vlan global configuration command.

14.5.4 DHCP SNOOPING CONFIGURATION EXAMPLE

 The reference topology for this DHCP snooping example is shown in the figure. Notice
that F0/5 is an untrusted port because it connects to a PC. F0/1 is a trusted port because
it connects to the DHCP server.
 The following is an example of how to configure DHCP snooping on S1. Notice how
DHCP snooping is first enabled. Then the upstream interface to the DHCP server is
explicitly trusted. Next, the range of FastEthernet ports from F0/5 to F0/24 are untrusted
by default, so a rate limit is set to six packets per second. Finally, DHCP snooping is
enabled on VLANS 5, 10, 50, 51, and 52.
S1(config)# ip dhcp snooping
S1(config)# interface f0/1
S1(config-if)# ip dhcp snooping trust
S1(config-if)# exit
S1(config)# interface range f0/5 - 24
S1(config-if-range)# ip dhcp snooping limit rate 6
S1(config-if-range)# exit
S1(config)# ip dhcp snooping vlan 5,10,50-52
S1(config)# end
S1#

 Use the show ip dhcp snooping privileged EXEC command to verify DHCP snooping
and show ip dhcp snooping binding to view the clients that have received DHCP
information, as shown in the example.
 Note: DHCP snooping is also required by Dynamic ARP Inspection (DAI), which is the
next topic.
S1# show ip dhcp snooping
Switch DHCP snooping is enabled
DHCP snooping is configured on following VLANs:
5,10,50-52
DHCP snooping is operational on following VLANs:
none
DHCP snooping is configured on the following L3 Interfaces:
Insertion of option 82 is enabled
circuit-id default format: vlan-mod-port
remote-id: 0cd9.96d2.3f80 (MAC)
Option 82 on untrusted port is not allowed
Verification of hwaddr field is enabled
Verification of giaddr field is enabled
DHCP snooping trust/rate is configured on the following Interfaces:
Interface                  Trusted    Allow option    Rate limit (pps)
-----------------------    -------    ------------    ----------------
FastEthernet0/1            yes        yes             unlimited
  Custom circuit-ids:
FastEthernet0/5            no         no              6
  Custom circuit-ids:
FastEthernet0/6            no         no              6
  Custom circuit-ids:
S1# show ip dhcp snooping binding
MacAddress          IpAddress        Lease(sec)  Type           VLAN  Interface
------------------  ---------------  ----------  -------------  ----  --------------------
00:03:47:B5:9F:AD   192.168.10.11    193185      dhcp-snooping  5     FastEthernet0/5

14.6 MITIGATE ARP ATTACKS


14.6.1 ARP ATTACKS

 Recall that hosts broadcast ARP Requests to determine the MAC address of a host with
a particular IPv4 address. This is typically done to discover the MAC address of the
default gateway. All hosts on the subnet receive and process the ARP Request. The host
with the matching IPv4 address in the ARP Request sends an ARP Reply.
 According to the ARP RFC, a client is allowed to send an unsolicited ARP Request
called a “gratuitous ARP.” When a host sends a gratuitous ARP, other hosts on the
subnet store the MAC address and IPv4 address contained in the gratuitous ARP in their
ARP tables.
 The problem is that an attacker can send a gratuitous ARP message containing a
spoofed MAC address to a switch, and the switch would update its MAC table
accordingly. Therefore, any host can claim to be the owner of any IP and MAC address
combination they choose. In a typical attack, a threat actor can send unsolicited ARP
Replies to other hosts on the subnet with the MAC Address of the threat actor and the
IPv4 address of the default gateway.
 There are many tools available on the internet to create ARP man-in-the-middle attacks
including dsniff, Cain & Abel, ettercap, Yersinia, and others. IPv6 uses ICMPv6
Neighbor Discovery Protocol for Layer 2 address resolution. IPv6 includes strategies to
mitigate Neighbor Advertisement spoofing, similar to the way IPv4 prevents a spoofed
ARP Reply.
 ARP spoofing and ARP poisoning are mitigated by implementing Dynamic ARP
Inspection (DAI).
Now follows an example and explanation of ARP spoofing and ARP poisoning:
Step 1
Normal State with Converged MAC Tables

 Each device has an accurate MAC table with the correct IPv4 and MAC addresses for
the other devices on the LAN.
Step 2
ARP Spoofing Attack

 The threat actor sends two spoofed gratuitous ARP Replies in an attempt to replace R1
as the default gateway:
o 1. The first one informs all devices on the LAN that the threat actor’s MAC
address (CC:CC:CC) maps to R1’s IPv4 address, 10.0.0.1.
o 2. The second one informs all devices on the LAN that the threat actor’s MAC
address (CC:CC:CC) maps to PC1’s IPv4 address, 10.0.0.11.
Step 3
ARP Poisoning Attack with Man-in-the-Middle Attack

 R1 and PC1 remove the correct entry for each other’s MAC address and replace it with
PC2’s MAC address. The threat actor has now poisoned the ARP caches of all devices
on the subnet. ARP poisoning leads to various man-in-the-middle attacks, posing a
serious security threat to the network.

14.6.2 VIDEO – ARP SPOOFING

14.6.3 DYNAMIC ARP INSPECTION

 In a typical ARP attack, a threat actor can send unsolicited ARP requests to other hosts
on the subnet with the MAC Address of the threat actor and the IP address of the default
gateway. To prevent ARP spoofing and the resulting ARP poisoning, a switch must
ensure that only valid ARP Requests and Replies are relayed.
 Dynamic ARP inspection (DAI) requires DHCP snooping and helps prevent ARP
attacks by:
o Not relaying invalid or gratuitous ARP Requests out to other ports in the same
VLAN
o Intercepting all ARP Requests and Replies on untrusted ports
o Verifying each intercepted packet for a valid IP-to-MAC binding
o Dropping and logging ARP Requests coming from invalid sources to prevent
ARP poisoning
o Error-disabling the interface if the configured DAI number of ARP packets is
exceeded
14.6.4 DAI IMPLEMENTATION GUIDELINES

 To mitigate the chances of ARP spoofing and ARP poisoning, follow these DAI
implementation guidelines:
o Enable DHCP snooping globally.
o Enable DHCP snooping on selected VLANs.
o Enable DAI on selected VLANs.
o Configure trusted interfaces for DHCP snooping and ARP inspection.
 It is generally advisable to configure all access switch ports as untrusted and to
configure all uplink ports that are connected to other switches as trusted.
 The sample topology in the figure identifies trusted and untrusted ports.

14.6.5 DAI CONFIGURATION EXAMPLE

 In the previous topology, S1 is connecting two users on VLAN 10. DAI will be
configured to mitigate against ARP spoofing and ARP poisoning attacks.
 As shown in the example, DHCP snooping is enabled because DAI requires the DHCP
snooping binding table to operate. Next, DHCP snooping and ARP inspection are
enabled for the PCs on VLAN10. The uplink port to the router is trusted, and therefore,
is configured as trusted for DHCP snooping and ARP inspection.
S1(config)# ip dhcp snooping
S1(config)# ip dhcp snooping vlan 10
S1(config)# ip arp inspection vlan 10
S1(config)# interface fa0/24
S1(config-if)# ip dhcp snooping trust
S1(config-if)# ip arp inspection trust

 DAI can also be configured to check the destination or source MAC addresses and the IP
addresses:
o Destination MAC - Checks the destination MAC address in the Ethernet
header against the target MAC address in the ARP packet body
o Source MAC - Checks the source MAC address in the Ethernet header against
the sender MAC address in the ARP packet body
o IP address - Checks the ARP packet body for invalid and unexpected IP
addresses including addresses 0.0.0.0, 255.255.255.255, and all IP multicast
addresses
 The ip arp inspection validate {src-mac [dst-mac] [ip]} global configuration
command is used to configure DAI to drop ARP packets when the IP addresses are
invalid. It can be used when the MAC addresses in the body of the ARP packets do not
match the addresses that are specified in the Ethernet header. Notice in the following
example how only one command can be configured. Therefore, entering multiple ip arp
inspection validate commands overwrites the previous command. To include more
than one validation method, enter them on the same command line as shown and
verified in the following output.
S1(config)# ip arp inspection validate ?
  dst-mac  Validate destination MAC address
  ip       Validate IP addresses
  src-mac  Validate source MAC address
S1(config)# ip arp inspection validate src-mac
S1(config)# ip arp inspection validate dst-mac
S1(config)# ip arp inspection validate ip
S1(config)# do show run | include validate
ip arp inspection validate ip
S1(config)# ip arp inspection validate src-mac dst-mac ip
S1(config)# do show run | include validate
ip arp inspection validate src-mac dst-mac ip
S1(config)#
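The DAI behaviour just described, as an added Python model (not Cisco code and not from the original notes): ARP packets on untrusted ports must pass whichever of the src-mac, dst-mac and ip validations are enabled and then match the DHCP snooping binding table, while trusted ports bypass inspection. The bindings, port names and MAC addresses are constructed around the R1/PC1/PC2 scenario from the ARP attack steps above.

```python
import ipaddress
from dataclasses import dataclass

ARP_REQUEST, ARP_REPLY = 1, 2
ZERO_MAC, BCAST_MAC = "00:00:00:00:00:00", "ff:ff:ff:ff:ff:ff"


@dataclass
class ArpPacket:
    port: str
    vlan: int
    eth_src: str      # source MAC in the Ethernet header
    eth_dst: str      # destination MAC in the Ethernet header
    op: int           # ARP_REQUEST or ARP_REPLY
    sender_mac: str   # sender hardware address in the ARP body
    sender_ip: str    # sender protocol address in the ARP body
    target_mac: str   # target hardware address in the ARP body
    target_ip: str    # target protocol address in the ARP body


def invalid_ip(ip: str) -> bool:
    """Addresses the 'ip' validation rejects: 0.0.0.0, 255.255.255.255 and multicast."""
    return ip in ("0.0.0.0", "255.255.255.255") or ipaddress.IPv4Address(ip).is_multicast


class DynamicArpInspection:
    """Model of DAI on one switch. bindings maps (vlan, ip) -> mac, the pairs learned by
    DHCP snooping; validate is a subset of {"src-mac", "dst-mac", "ip"}."""

    def __init__(self, bindings, trusted_ports=(), validate=()):
        self.bindings = {k: v.lower() for k, v in bindings.items()}
        self.trusted = set(trusted_ports)
        self.validate = set(validate)
        self.log = []

    def inspect(self, p: ArpPacket) -> str:
        if p.port in self.trusted:
            return "forward"                       # trusted ports bypass DAI
        if "src-mac" in self.validate and p.eth_src.lower() != p.sender_mac.lower():
            return self._drop(p, "Ethernet source MAC differs from ARP sender MAC")
        if ("dst-mac" in self.validate and p.op == ARP_REPLY
                and p.eth_dst.lower() != p.target_mac.lower()):
            return self._drop(p, "Ethernet destination MAC differs from ARP target MAC")
        if "ip" in self.validate and (invalid_ip(p.sender_ip)
                                      or (p.op == ARP_REPLY and invalid_ip(p.target_ip))):
            return self._drop(p, "invalid IP address in ARP body")
        # Core check: the sender's IP-to-MAC pair must exist in the snooping bindings.
        if self.bindings.get((p.vlan, p.sender_ip)) != p.sender_mac.lower():
            return self._drop(p, "sender %s/%s has no valid binding" % (p.sender_ip, p.sender_mac))
        return "forward"

    def _drop(self, p: ArpPacket, reason: str) -> str:
        self.log.append("DAI drop on %s vlan %d: %s" % (p.port, p.vlan, reason))
        return "drop"


def run_demo():
    """Constructed scenario: R1 = 10.0.0.1 behind the trusted uplink Fa0/24,
    PC1 = 10.0.0.11 on Fa0/1, PC2 (the threat actor) = 10.0.0.12 on Fa0/2."""
    r1, pc1, pc2 = "aa:aa:aa:aa:aa:aa", "bb:bb:bb:bb:bb:bb", "cc:cc:cc:cc:cc:cc"
    bindings = {(10, "10.0.0.11"): pc1, (10, "10.0.0.12"): pc2}   # from DHCP snooping
    dai = DynamicArpInspection(bindings, trusted_ports={"Fa0/24"},
                               validate={"src-mac", "dst-mac", "ip"})
    pkts = [
        # PC2's gratuitous reply claiming R1's address: 10.0.0.1 is not bound to its MAC
        ArpPacket("Fa0/2", 10, pc2, BCAST_MAC, ARP_REPLY, pc2, "10.0.0.1", BCAST_MAC, "10.0.0.1"),
        # PC1 legitimately asks for the gateway's MAC
        ArpPacket("Fa0/1", 10, pc1, BCAST_MAC, ARP_REQUEST, pc1, "10.0.0.11", ZERO_MAC, "10.0.0.1"),
        # R1 answers via the trusted uplink
        ArpPacket("Fa0/24", 10, r1, pc1, ARP_REPLY, r1, "10.0.0.1", pc1, "10.0.0.11"),
        # PC2 request whose Ethernet source MAC differs from the ARP sender MAC
        ArpPacket("Fa0/2", 10, "cc:cc:cc:cc:cc:01", BCAST_MAC, ARP_REQUEST,
                  pc2, "10.0.0.12", ZERO_MAC, "10.0.0.11"),
        # PC2 reply with a multicast target address
        ArpPacket("Fa0/2", 10, pc2, pc1, ARP_REPLY, pc2, "10.0.0.12", pc1, "224.0.0.1"),
        # PC2's legitimate request for PC1
        ArpPacket("Fa0/2", 10, pc2, BCAST_MAC, ARP_REQUEST, pc2, "10.0.0.12", ZERO_MAC, "10.0.0.11"),
    ]
    return dai, [dai.inspect(p) for p in pkts]
```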

14.7 MITIGATE ADDRESS SPOOFING ATTACKS


14.7.1 ADDRESS SPOOFING ATTACKS

 MAC addresses and IP addresses can be spoofed for a variety of reasons. Spoofing
attacks occur when one host poses as another to receive otherwise inaccessible data, or
to circumvent security configurations.
 The method used by switches to populate the MAC address table leads to a
vulnerability known as MAC address spoofing. MAC address spoofing attacks occur
when attackers alter the MAC address of their host to match another known MAC
address of a target host, as shown in the figure. The attacking host then sends a frame
throughout the network with the newly-configured MAC address.

 When the switch receives the frame, it examines the source MAC address. The switch
overwrites the current MAC table entry and assigns the MAC address to the new port,
as shown in the figure below. It then inadvertently forwards frames destined for the
target host to the attacking host.

 When the switch changes the MAC table, the target host does not receive any traffic
until it sends traffic. When the target host sends traffic, the switch receives and
examines the frame, resulting in the MAC table being rewritten once more, realigning
the MAC address to the original port. To stop the switch from returning the spoofed
MAC address port assignments to their correct state, the attacking host can create a
program or script that will constantly send frames to the switch so that the switch
maintains the incorrect or spoofed information. There is no security mechanism at
Layer 2 that allows a switch to verify the source of MAC addresses, which is what
makes it so vulnerable to spoofing.
 IP address spoofing is when a rogue PC hijacks a valid IP address of a neighbor, or
uses a random IP address. IP address spoofing is difficult to mitigate, especially when
it is used inside the subnet to which the IP belongs.

14.7.2 ADDRESS SPOOFING ATTACK MITIGATION

 To protect against MAC and IP address spoofing, configure the IP Source Guard
(IPSG) security feature. IPSG operates just like DAI, but it looks at every packet, not
just the ARP packets. Like DAI, IPSG also requires that DHCP snooping be enabled.
 Specifically, IPSG is deployed on untrusted Layer 2 access and trunk ports. IPSG
dynamically maintains per-port VLAN ACLs (PVACL) based on IP-to-MAC-to-
switch-port bindings. Initially, all IP traffic on the port is blocked, except for DHCP
packets that are captured by the DHCP snooping process. A PVACL is installed on the
port when a client receives a valid IP address from the DHCP server or when a static IP
source binding is configured by the user.
 This process restricts the client IP traffic to those source IP addresses that are
configured in the binding. Any IP traffic with a source IP address other than that in the
IP source binding will be filtered out. This filtering limits the ability of a host to attack
the network by claiming the IP address of a neighbor host.
 For each untrusted port, there are two possible levels of IP traffic security filtering:
o Source IP address filter - IP traffic is filtered based on its source IP address
and only IP traffic with a source IP address that matches the IP source binding
entry is permitted. When a new IP source entry binding is created or deleted on
the port, the PVACL automatically adjusts itself to reflect the IP source binding
change.
o Source IP and MAC address filter - IP traffic is filtered based on its source IP
address in addition to its MAC address. Only IP traffic with source IP and
MAC addresses that match the IP source binding entry are permitted.

14.7.3 CONFIGURE IP SOURCE GUARD

 Examine the IP Source Guard reference topology that is shown in the figure.

 IP Source Guard is enabled on untrusted ports using the ip verify source command as
shown in the configuration below. Remember that the feature can only be configured on
a Layer 2 access or trunk port and that DHCP snooping is required to learn valid IP
address and MAC address pairs.
S1(config)# interface range fastethernet 0/1 - 2
S1(config-if-range)# ip verify source
S1(config-if-range)# end
S1#

 Use the show ip verify source command to verify the IP Source Guard configuration,
as shown below. In the example, the F0/1 and F0/2 ports are configured with IP Source
Guard. Each interface has one valid DHCP binding.
S1# show ip verify source
Interface  Filter-type  Filter-mode  IP-address       Mac-address        Vlan
---------  -----------  -----------  ---------------  -----------------  ----
F0/1       ip           active       192.168.10.10                       10
F0/2       ip           active       192.168.10.11                       10
S1#

14.8 SPANNING TREE PROTOCOL


14.8.1 SPANNING TREE PROTOCOL

 Spanning Tree Protocol (STP) is a loop-prevention network protocol that allows for
redundancy while creating a loop-free Layer 2 topology. IEEE 802.1D is the original
IEEE MAC Bridging standard for STP.
 Watch the video to see STP in action.

14.8.2 STP RECALCULATION

 Watch the video to view an animation of STP recalculation when a failure occurs.

14.8.3 LAYER 2 LOOPS

 Without STP enabled, Layer 2 loops can form, causing broadcast, multicast and
unknown unicast frames to loop endlessly. This can bring down a network within a very
short amount of time, sometimes in just a few seconds. For example, broadcast frames,
such as an ARP Request are forwarded out all of the switch ports, except the original
ingress port. This ensures that all devices in a broadcast domain are able to receive the
frame. If there is more than one path for the frame to be forwarded out of, an endless
loop can result. When a loop occurs, the MAC address table on a switch will constantly
change with the updates from the broadcast frames, which results in MAC database
instability. This can cause high CPU utilization, which makes the switch unable to
forward frames.
 Broadcast frames are not the only type of frames that are affected by loops. Unknown
unicast frames sent onto a looped network can result in duplicate frames arriving at the
destination device. An unknown unicast frame is when the switch does not have the
destination MAC address in its MAC address table and must forward the frame out all
ports, except the ingress port.
 There is an animation.

14.8.4 STP PORT ROLES

 The spanning tree algorithm designates a single switch as the root bridge and uses it as
the reference point for all path calculations. In the figure, the root bridge (switch S1) is
chosen through an election process. All switches that participate in STP exchange
BPDU frames to determine which switch has the lowest bridge ID (BID) on the
network. The switch with the lowest BID automatically becomes the root bridge for the
spanning tree algorithm calculations.
 Note: For simplicity, assume until otherwise indicated that all ports on all switches are
assigned to VLAN 1. The switches are configured with the default PVST+. Each switch
has a unique MAC address associated with VLAN 1.

 A BPDU is a messaging frame that is exchanged by switches for STP. Each BPDU
contains a BID that identifies the switch that sent the BPDU. The BID contains a
priority value, the MAC address of the sending switch, and an optional extended system
ID. The lowest BID value is determined by the combination of these three fields.
 After the root bridge has been determined, the spanning tree algorithm calculates the
shortest path to it. Each switch uses the spanning tree algorithm to determine which
ports to block. While the spanning tree algorithm determines the best paths to the root
bridge for all switch ports in the broadcast domain, traffic is prevented from being
forwarded through the network. The spanning tree algorithm considers both path and
port costs when determining which ports to block. The path costs are calculated using
port cost values associated with port speeds for each switch port along a given path. The
sum of the port cost values determines the overall path cost to the root bridge. If there is
more than one path to choose from, spanning tree algorithm chooses the path with the
lowest path cost.
 When the spanning tree algorithm has determined which paths are most desirable
relative to each switch, it assigns port roles to the participating switch ports. The STP
port roles are:
o Alternate - Alternate or backup ports are configured to be in a blocking state to
prevent loops. Alternate ports are selected only on trunk links where neither end
is a root port.
o Root - Root ports are switch ports that are closest to the root bridge.
o Designated - Designated ports are all non-root ports that STP permits to
forward traffic on the network. Designated ports are selected on a per-trunk
basis. If one end of a trunk is a root port, then the other end is a designated port.
All ports on the root bridge are designated ports.
 The figure above shows the relationship of the port roles in the network to the root
bridge and whether they are allowed to forward traffic. In the figure, only one end of
Trunk2 is blocked. This allows for faster transition to a forwarding state when a change
in the network makes it necessary.
 Note: A port that is administratively shut down is referred to as a disabled port.

14.8.5 STP ROOT BRIDGE

 As shown in the figure, every spanning tree instance (switched LAN or broadcast
domain) has a switch designated as the root bridge. The root bridge serves as a
reference point for all spanning tree calculations to determine which redundant paths to
block.
 An election process determines which switch becomes the root bridge.
 The figure below shows the BID fields. The BID is made up of a priority value, an
extended system ID, and the MAC address of the switch.

 All switches in the broadcast domain participate in the election process. After a switch
boots, it begins to send out BPDU frames every two seconds. These BPDU frames
contain the switch BID and the root ID.
 As the switches forward their BPDU frames, switches in the broadcast domain read the
root ID information from the BPDU frames. If the root ID from a BPDU that has been
received is lower than the root ID on the receiving switch, then the receiving switch
updates its root ID, which identifies the adjacent switch as the root bridge. The switch
then forwards new BPDU frames with the lower root ID to the other switches.
Eventually, the switch with the lowest BID ends up being identified as the root bridge
for the spanning tree instance.
 There is a root bridge elected for each spanning tree instance. It is possible to have
multiple distinct root bridges. If all ports on all switches are members of VLAN 1, then
there is only one spanning tree instance. The extended system ID plays a role in how
spanning tree instances are determined.

14.8.6 STP PATH COST

 When the root bridge has been elected for the spanning tree instance, the spanning tree
algorithm starts the process of determining the best paths to the root bridge from all
destinations in the broadcast domain. The path information is determined by summing
up the individual port costs along the path from the destination to the root bridge. Each
“destination” is actually a switch port.
 The default port costs are defined by the speed at which the port operates. As shown in
the table, 10 Gb/s Ethernet ports have a port cost of 2, 1 Gb/s Ethernet ports have a port
cost of 4, 100 Mb/s Fast Ethernet ports have a port cost of 19, and 10 Mb/s Ethernet
ports have a port cost of 100.

Link Speed and Name    Cost (Revised IEEE Specification)    Cost (Previous IEEE Specification)
10 Gb/s                2                                    1
1 Gb/s                 4                                    1
100 Mb/s               19                                   10
10 Mb/s                100                                  100

 Note: As newer, faster Ethernet technologies become available, the path cost values
may change to accommodate the new speeds. The non-linear numbers in the table
accommodate some improvements to the older Ethernet standard. The values have
changed to accommodate the 10 Gb/s Ethernet standard. To illustrate the continued
change associated with high-speed networking, Catalyst 4500 and 6500 switches
support a longer path cost method; for example, 10 Gb/s has a 2000 path cost, 100 Gb/s
has a 200 path cost, and 1 Tb/s has a 20 path cost.
 Although switch ports have a default port cost associated with them, the port cost is
configurable. The ability to configure individual port costs gives the administrator the
flexibility to manually control the spanning tree paths to the root bridge.
 To configure the port cost of an interface enter the spanning-tree cost value command
in interface configuration mode. The value can be between 1 and 200,000,000.
 In the example below, switch port F0/1 has been configured with a port cost of 25 using
the spanning-tree cost 25 interface configuration mode command on the F0/1
interface.
S2# configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
S2(config)# interface f0/1
S2(config-if)# spanning-tree cost 25
S2(config-if)# end
S2#

 To restore the port cost back to the default value of 19, enter the no spanning-tree
cost interface configuration mode command.
S2# configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
S2(config)# interface f0/1
S2(config-if)# no spanning-tree cost
S2(config-if)# end
S2#

 The path cost is equal to the sum of all the port costs along the path to the root bridge.
Paths with the lowest cost become preferred, and all other redundant paths are blocked.
In the example below, the path cost from S2 to the root bridge S1, over Path 1 is 19
(based on the IEEE-specified individual port cost), while the path cost over Path 2 is
two times 19, or 38. Because Path 1 has a lower overall path cost to the root bridge, it is
the preferred path. STP then configures the redundant path to be blocked, preventing a
loop from occurring.

 To verify the port and path cost to the root bridge, enter the show spanning-
tree command. The Cost field is the total path cost to the root bridge. This value
changes depending on how many switch ports must be traversed to get to the root
bridge. In the output below, each interface is also identified with an individual port cost
of 19.
S2# show spanning-tree

VLAN0001
  Spanning tree enabled protocol ieee
  Root ID    Priority    24577
             Address     000A.0033.3333
             Cost        19
             Port        1
             Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec

  Bridge ID  Priority    32769  (priority 32768 sys-id-ext 1)
             Address     000A.0011.1111
             Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec
             Aging Time  300

Interface           Role Sts Cost      Prio.Nbr Type
------------------- ---- --- --------- -------- --------------------------------
Fa0/1               Root FWD 19        128.1    Edge P2p
Fa0/2               Desg FWD 19        128.2    Edge P2p

14.8.7 SELECT THE ROOT BRIDGE

 When an administrator wants a specific switch to become a root bridge, the bridge
priority value must be adjusted to ensure it is lower than the bridge priority values of all
the other switches on the network. There are two different methods to configure the
bridge priority value on a Cisco Catalyst switch.
Examples of the two methods of configuring bridge priority follow, together with how to verify
that a bridge is acting as root.
Method 1

 To ensure that the switch has the lowest bridge priority value, use the spanning-tree
vlan vlan-id root primary command in global configuration mode. The priority for the
switch is set to the predefined value of 24,576 or to the highest multiple of 4,096, less
than the lowest bridge priority detected on the network.
 If an alternate root bridge is desired, use the spanning-tree vlan vlan-id root
secondary global configuration mode command. This command sets the priority for the
switch to the predefined value of 28,672. This ensures that the alternate switch becomes
the root bridge if the primary root bridge fails. This assumes that the rest of the switches
in the network have the default 32,768 priority value defined.
 In this example, S1 has been assigned as the primary root bridge using the spanning-
tree vlan 1 root primary command, and S2 has been configured as the secondary root
bridge using the spanning-tree vlan 1 root secondary command.
S1(config)# spanning-tree vlan 1 root primary
S1(config)# end
-----------------------
S2(config)# spanning-tree vlan 1 root secondary
S2(config)# end

Method 2

 Another method for configuring the bridge priority value is using the spanning-tree
vlan vlan-id priority value global configuration mode command. This command gives
more granular control over the bridge priority value. The priority value is configured in
increments of 4,096 between 0 and 61,440.
 In the example, S3 has been assigned a bridge priority value of 24,576 for VLAN 1
using the spanning-tree vlan 1 priority 24576 command. This is the equivalent value
of the root primary setting.
S3(config)# spanning-tree vlan 1 priority 24576

Verify Root Bridge

 To verify the bridge priority of a switch, use the show spanning-tree command. In
example in Method 2, the priority of the switch was set to 24,576. Also notice that the
switch is designated as the root bridge for the spanning tree instance.
S3# show spanning-tree
VLAN0001
  Spanning tree enabled protocol ieee
  Root ID    Priority    24577
             Address     000A.0033.3333
             This bridge is the root
             Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec

  Bridge ID  Priority    24577  (priority 24576 sys-id-ext 1)
             Address     000A.0033.3333
             Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec
             Aging Time  300

Interface           Role Sts Cost      Prio.Nbr Type
------------------- ---- --- --------- -------- --------------------------------
Fa0/1               Desg FWD 4         128.1    P2p
Fa0/2               Desg FWD 4         128.2    P2p
S3#
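 The following is an added worked example (not Cisco IOS code and not part of the original notes) that models the election and path-cost rules from 14.8.5 to 14.8.7 in Python: the lowest BID (priority plus extended system ID, then MAC) wins, equal priorities are broken by the lower MAC, and each switch prefers the path with the lowest summed port cost to the root. The switch names, MACs, the topology and the simplified model of what "root primary" picks are assumptions for the example; the short-method port costs are the ones in the table above.

```python
"""Toy model of the STP root election and root path-cost calculation.

Added example, not Cisco IOS code. Switch names, MACs and topology are
constructed; root_primary_priority() is a simplified model of the rule
quoted in 14.8.7, not the IOS implementation."""
import heapq

# IEEE 802.1D-1998 short-method port costs, keyed by link speed in Mb/s (table above)
PORT_COST = {10: 100, 100: 19, 1000: 4, 10000: 2}


def bridge_id(priority, mac, vlan=1):
    """Comparable BID: (priority + extended system ID, 48-bit MAC as an integer)."""
    if priority % 4096 or not 0 <= priority <= 61440:
        raise ValueError("priority must be a multiple of 4096 in 0..61440")
    return (priority + vlan, int(mac.replace(".", "").replace(":", ""), 16))


def elect_root(switches, vlan=1):
    """switches: {name: (priority, mac)} -> name of the switch with the lowest BID.
    Equal priorities are broken by the lowest MAC, which is why 'priority 0'
    alone does not guarantee the root role (see the root guard note)."""
    return min(switches, key=lambda n: bridge_id(switches[n][0], switches[n][1], vlan))


def root_primary_priority(detected_priorities):
    """Priority chosen by 'spanning-tree vlan N root primary' (simplified model):
    24576, or the highest multiple of 4096 below the lowest priority already
    seen on the network when that one is 24576 or lower."""
    lowest = min(detected_priorities)
    if lowest > 24576:
        return 24576
    candidate = (lowest - 1) // 4096 * 4096
    if candidate < 0:
        raise ValueError("no lower priority is available; use root guard instead")
    return candidate


def root_path_costs(links, root):
    """links: iterable of (switch_a, switch_b, speed_mbps) -> {switch: (cost, upstream)}.
    cost is the summed port cost of the cheapest path to `root`; upstream is the
    neighbour reached through the root port (None for the root itself)."""
    adj = {}
    for a, b, speed in links:
        adj.setdefault(a, []).append((b, PORT_COST[speed]))
        adj.setdefault(b, []).append((a, PORT_COST[speed]))
    best = {root: (0, None)}
    frontier = [(0, root)]
    while frontier:                                   # Dijkstra over port costs
        cost, node = heapq.heappop(frontier)
        if cost > best[node][0]:
            continue                                  # stale queue entry
        for nbr, port_cost in adj.get(node, []):
            new_cost = cost + port_cost
            if nbr not in best or new_cost < best[nbr][0]:
                best[nbr] = (new_cost, node)
                heapq.heappush(frontier, (new_cost, nbr))
    return best


if __name__ == "__main__":
    switches = {"S1": (32768, "000A.0011.1111"),
                "S2": (32768, "000A.0022.2222"),
                "S3": (24576, "000A.0033.3333")}      # S3 configured as in 14.8.7
    print("root:", elect_root(switches))
    print("root primary priority:", root_primary_priority([32768, 32768]))
    # Path-cost example from 14.8.6: S2 reaches S1 directly (19) or via S3 (38)
    links = [("S1", "S2", 100), ("S1", "S3", 100), ("S2", "S3", 100)]
    for sw, (cost, via) in sorted(root_path_costs(links, "S1").items()):
        print(sw, "cost", cost, "via", via)
```

Running the block prints S3 as root (lowest priority), 24576 as the value "root primary" would choose against default neighbours, and cost 19 via S1 for S2, which is the direct path the text prefers over the 38-cost path through S3.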
14.9 MITIGATE STP ATTACKS
14.9.1 STP ATTACK

 Threat actors can manipulate the Spanning Tree Protocol (STP) to conduct an attack by
spoofing the root bridge and changing the topology of a network. Attackers can make
their hosts appear as root bridges; and therefore, capture all traffic for the immediate
switched domain.
 To conduct an STP manipulation attack, the attacking host broadcasts STP bridge
protocol data units (BPDUs) containing configuration and topology changes that will
force spanning-tree recalculations, as shown in the figure. The BPDUs that are sent by
the attacking host announce a lower bridge priority in an attempt to be elected as the
root bridge.
 Note: These issues can occur when someone adds an Ethernet switch to the network
without any malicious intent.

 If successful, the attacking host becomes the root bridge, as shown in the figure below,
and can now capture a variety of frames that would otherwise not be accessible.

 This STP attack is mitigated by implementing BPDU Guard on all access ports.

14.9.2 MITIGATING STP ATTACKS

 To mitigate STP manipulation attacks, use the Cisco STP stability mechanisms to
enhance the overall performance of the switches and to reduce the time that is lost
during topology changes.
 These are the STP stability mechanisms:
o PortFast - PortFast immediately brings an interface that is configured as an
access or trunk port to the forwarding state from a blocking state. This bypasses
the listening and learning states. It should be applied to all end-user ports.
PortFast should only be configured when there is a host attached to the port,
and not another switch.
o BPDU Guard - BPDU guard immediately error disables a port that receives a
BPDU. It is typically used on PortFast enabled ports. Apply to all end-user
ports.
o Root Guard - Root guard prevents an inappropriate switch from becoming the
root bridge. Root guard limits the switch ports out of which the root bridge may
be negotiated. Apply to all ports which should not become root ports.
o Loop Guard - Loop guard prevents alternate or root ports from becoming
designated ports because of a failure that leads to a unidirectional link. Apply to
all ports that are or can become non-designated.
 These features enforce the placement of the root bridge in the network and enforce the
STP domain borders.
 The figure highlights the ports on which these features should be implemented.
14.9.3 CONFIGURE PORTFAST

 PortFast bypasses the STP listening and learning states to minimize the time that access
ports must wait for STP to converge. If PortFast is enabled on a port connecting to
another switch, there is a risk of creating a spanning-tree loop.
 PortFast can be enabled on an interface by using the spanning-tree portfast interface
configuration command. Alternatively, Portfast can be configured globally on all access
ports by using the spanning-tree portfast default global configuration command.
 To verify whether PortFast is enabled globally you can use either the show running-
config | begin span command or the show spanning-tree summary command. To
verify if PortFast is enabled on an interface, use the show running-config
interface type/number command, as shown in the following example.
The show spanning-tree interface type/number detail command can also be used for
verification.
 Notice the warning messages that are displayed when PortFast is enabled.
S1(config)# interface fa0/1
S1(config-if)# switchport mode access
S1(config-if)# spanning-tree portfast
%Warning: portfast should only be enabled on ports connected to a single
 host. Connecting hubs, concentrators, switches, bridges, etc... to this
 interface when portfast is enabled, can cause temporary bridging loops.
 Use with CAUTION

%Portfast has been configured on FastEthernet0/1 but will only
 have effect when the interface is in a non-trunking mode.
S1(config-if)# exit
S1(config)# spanning-tree portfast default
%Warning: this command enables portfast by default on all interfaces. You
 should now disable portfast explicitly on switched ports leading to hubs,
 switches and bridges as they may create temporary bridging loops.
S1(config)# exit
S1# show running-config | begin span
spanning-tree mode pvst
spanning-tree portfast default
spanning-tree extend system-id
!
interface FastEthernet0/1
switchport mode access
spanning-tree portfast
!
interface FastEthernet0/2
!
interface FastEthernet0/3
!
interface FastEthernet0/4
!
interface FastEthernet0/5
!
(output omitted)
S1#

14.9.4 CONFIGURE BPDU GUARD

 Even though PortFast is enabled, the interface will still listen for BPDUs. Unexpected
BPDUs might be accidental, or part of an unauthorized attempt to add a switch to the
network.
 If any BPDUs are received on a BPDU Guard enabled port, that port is put into error-
disabled state. This means the port is shut down and must be manually re-enabled or
automatically recovered through the errdisable recovery cause bpduguard global
command.
 BPDU Guard can be enabled on a port by using the spanning-tree bpduguard
enable interface configuration command. Alternatively, use the spanning-tree portfast
bpduguard default global configuration command to globally enable BPDU guard on
all PortFast-enabled ports.
 To display information about the state of spanning tree, use the show spanning-tree
summary command. In the example, PortFast default and BPDU Guard are both
enabled as the default state for ports that are configured in access mode.
 Note: Always enable BPDU Guard on all PortFast-enabled ports.
S1(config)# interface fa0/1
S1(config-if)# spanning-tree bpduguard enable
S1(config-if)# exit
S1(config)# spanning-tree portfast bpduguard default
S1(config)# end
S1# show spanning-tree summary
Switch is in pvst mode
Root bridge for: none
Extended system ID is enabled
Portfast Default is enabled
PortFast BPDU Guard Default is enabled
Portfast BPDU Filter Default is disabled
Loopguard Default is disabled
EtherChannel misconfig guard is enabled
UplinkFast is disabled
BackboneFast is disabled
Configured Pathcost method used is short
(output omitted)
S1#

14.9.6 CONFIGURE ROOT GUARD

 There are some switches in a network that should never, under any circumstances,
become the STP root bridge. Root Guard provides a way to enforce the placement of
root bridges in the network by limiting which switch can become the root bridge.
 Root guard is best deployed on ports that connect to switches that should not be the root
bridge. If a root-guard-enabled port receives BPDUs that are superior to those that the
current root bridge is sending, that port is moved to a root-inconsistent state. This is
effectively equal to an STP listening state, and no data traffic is forwarded across that
port. Recovery occurs as soon as the offending device ceases to send superior BPDUs.
 Use the spanning-tree guard root interface configuration command to configure root
guard on an interface.
 In the figure, D1 is the root bridge. If D1 fails, only D2 switch should become the root
bridge. To ensure that S1 never becomes a root bridge, the F0/1 interfaces of D1 and D2
should be enabled for Root guard.

 To view Root Guard ports that have received superior BPDUs and are in a root-
inconsistent state, use the show spanning-tree inconsistent ports command.
 Note: Root guard may seem unnecessary because an administrator can manually set the
bridge priority of a switch to zero. However, this does not guarantee that this switch
will be elected as the root bridge. Another switch may still become the root if it also has
a priority of zero and a lower MAC address.

14.9.7 CONFIGURE LOOP GUARD

 Traffic on bidirectional links flows in both directions. If for some reason one-direction
traffic flow fails, this creates a unidirectional link which can result in a Layer 2 loop.
STP relies on continuous reception or transmission of BPDUs based on the port role.
The designated port transmits BPDUs, and the non-designated port receives BPDUs. A
Layer 2 loop is usually created when an STP port in a redundant topology stops
receiving BPDUs and erroneously transitions to the forwarding state.
 The STP Loop Guard feature provides additional protection against Layer 2 loops. If
BPDUs are not received on a non-designated Loop Guard-enabled port, the port
transitions to a loop-inconsistent blocking state, instead of the listening / learning /
forwarding state. Without the Loop Guard feature, the port would assume a designated
port role and create a loop.
 As shown here, Loop Guard is enabled on all non-Root Guard ports using
the spanning-tree guard loop interface configuration command.
 Note: Loop Guard can also be enabled globally using the spanning-tree loopguard
default global configuration command. This enables Loop Guard on all point-to-point
links.
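 The following is an added worked example (not Cisco IOS code and not part of the original notes) that encodes how the three guards from 14.9.2 to 14.9.7 react to events on a port, so their behaviour can be compared side by side: BPDU Guard error-disables on any BPDU, Root Guard moves a port to root-inconsistent on a superior BPDU and recovers when the superior BPDUs stop, and Loop Guard moves a non-designated port to loop-inconsistent when BPDUs stop arriving instead of letting it forward. The port names, BIDs and the simplified "max age expired" event are assumptions; timers and the full STP state machine are not modelled.

```python
"""Toy port-state model of PortFast + BPDU Guard, Root Guard and Loop Guard.

Added example, not Cisco IOS code. Port names, BIDs and events are constructed;
BIDs are (priority, mac) tuples where lower is better."""
from dataclasses import dataclass

# State a port settles in when nothing is wrong, by STP role
NORMAL_STATE = {"designated": "forwarding", "root": "forwarding", "alternate": "blocking"}


@dataclass
class Port:
    name: str
    role: str                    # "designated", "root" or "alternate" (non-designated)
    bpdu_guard: bool = False     # 'spanning-tree bpduguard enable' (PortFast access port)
    root_guard: bool = False     # 'spanning-tree guard root'
    loop_guard: bool = False     # 'spanning-tree guard loop'
    state: str = ""

    def __post_init__(self):
        self.state = NORMAL_STATE[self.role]


def receive_bpdu(port, current_root_bid, advertised_root_bid):
    """A BPDU claiming `advertised_root_bid` as root arrives on `port`."""
    if port.bpdu_guard:
        # Any BPDU at all on a BPDU Guard port: error-disable until recovered.
        port.state = "err-disabled"
        return port.state
    if port.state == "err-disabled":
        return port.state                        # ignores everything until recovery
    superior = advertised_root_bid < current_root_bid
    if port.root_guard and superior:
        # A would-be root behind this port: block it instead of re-electing.
        port.state = "root-inconsistent"
        return port.state
    # BPDUs are arriving and are not superior: inconsistent states recover.
    if port.state in ("root-inconsistent", "loop-inconsistent"):
        port.state = NORMAL_STATE[port.role]
    return port.state


def max_age_expired(port):
    """No BPDU seen on `port` for the max age timer, e.g. a unidirectional link."""
    if port.state == "err-disabled":
        return port.state
    if port.role in ("root", "alternate"):       # ports that are supposed to receive BPDUs
        if port.loop_guard:
            port.state = "loop-inconsistent"     # stays blocked until BPDUs resume
        else:
            port.state = "forwarding"            # plain STP assumes designated role: loop risk
    return port.state


def errdisable_recover(port):
    """Manual shutdown / no shutdown, or 'errdisable recovery cause bpduguard'."""
    port.state = NORMAL_STATE[port.role]
    return port.state


if __name__ == "__main__":
    root = (24577, 0x000A00333333)               # legitimate root, priority 24576 + VLAN 1
    rogue = (1, 0x000A00DEAD00)                  # attacker host advertising priority 0
    access = Port("Fa0/1", "designated", bpdu_guard=True)
    uplink = Port("Fa0/24", "designated", root_guard=True)
    alt = Port("Gi0/2", "alternate", loop_guard=True)
    print(access.name, receive_bpdu(access, root, rogue))   # err-disabled
    print(uplink.name, receive_bpdu(uplink, root, rogue))   # root-inconsistent
    print(uplink.name, receive_bpdu(uplink, root, root))    # forwarding again
    print(alt.name, max_age_expired(alt))                   # loop-inconsistent
    print(alt.name, receive_bpdu(alt, root, root))          # blocking again
```

The contrast worth noticing is the last two events: the same loss of BPDUs on an alternate port ends in forwarding (a loop) without Loop Guard and in loop-inconsistent with it.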
14.10 LAYER 2 SECURITY CONSIDERATIONS SUMMARY
14.10.1 WHAT DID I LEARN IN THIS MODULE?
Layer 2 Security Threats

 Security is implemented at all layers of the OSI model. However, if Layer 2 is disrupted
by a cyber attack, all layers above it will be affected. There are a number of attacks that
can happen at Layer 2 including MAC table attacks, VLAN attacks, DHCP attacks,
ARP attacks, address spoofing attacks, and STP attacks. It is important to protect Layer
2 by always using secure variants of protocols such as SSH, SCP, and SSL. Using out-
of-band management whenever possible and creating a dedicated VLAN for
management traffic are also means to make successful Layer 2 attacks less likely. In
addition, ACLs should be used to filter unwanted access. Port security, DHCP
Snooping, DAI, and IP Source Guard are available on Cisco switches to directly
mitigate Layer 2 attacks.
MAC Table Attacks

 Layer 2 switches use MAC addresses to make forwarding decisions. The switch uses a
MAC table that maps MAC addresses to switchports. The switch looks for the
destination MAC address in the MAC table for the frames that it receives. It then
forwards the traffic to the corresponding port. If the switch does not recognize a
destination MAC address, it floods the frames for the unknown destination out of all
ports except the port from which the frames originated. These are called unknown
unicast messages. The switch dynamically learns MAC addresses from the source
addresses of the frames that originate on its ports. One type of Layer 2 attack floods the
switch with frames with random MAC source addresses. The switch attempts to add all
of these frames to the MAC table until the table is full. Subsequent frames are then
treated as unknown unicast messages and sent out all but the receiving port. Since these
frames are flooded, a threat actor can receive all traffic that is sent on the network.
Threat actor tools such as macof can quickly overwhelm the MAC table of a switch
causing a MAC table overflow exploit. Because the flooding of unknown unicast
addresses can include trunk ports to other switches, the exploit can cause widespread
disruptions.
Mitigate MAC Table Attacks

 Layer 2 devices are considered to be the weakest link in a company’s security
infrastructure because Layer 2 attacks are some of the easiest for hackers to deploy. For
this reason, Cisco has developed a number of Layer 2 security measures in the switch
IOS. A simple but effective way to prevent Layer 2 attacks is to shutdown all unused
ports. Port security is a simple way to directly address MAC address overflow attacks.
With port security, the number of MAC addresses that are allowed to be learned on a
port, and the way in which the addresses are learned can be controlled. Port security
aging can be used to remove secure MAC addresses on a secure port without manually
deleting the existing secure MAC addresses. Aging time limits can also be increased to
ensure past secure MAC addresses remain, even while new MAC addresses are added.
When port security violations occur, the switchport can be configured
to shutdown, restrict frames from unknown MAC addresses from being forwarded and
issue a syslog message, or protect to drop frames from the unknown host but not issue
a syslog message. Protect is the least secure option. A port that has been shutdown by
port security is placed in the err-disabled state. The port must be manually re-enabled
with the shutdown and no shutdown commands in order to return to the Secure-up
state.
Mitigate VLAN Attacks

 VLANs may be used to separate sensitive traffic from other traffic. VLAN hopping and
VLAN double-tagging attacks enable threat actors to access VLANs that they are not
authorized to access. In VLAN hopping attacks, a threat actor connects a host computer
to a switch and then attempts to negotiate the switchport to become trunk using DTP.
The threat actor computer attempts to act as another switch that is connected by a trunk.
Trunks carry traffic for all VLANs by default, so if a threat actor can connect a
computer over a trunked link, all VLAN traffic can be intercepted. In VLAN double-
tagging attacks, a threat actor adds a false VLAN tag to malicious traffic in addition to
the legitimate tag. This can allow a threat actor to send unauthorized traffic into other
VLANs. VLAN hopping and double-tagging attacks can be mitigated by disabling
trunking and trunk negotiation on all switchports that are to be accessed by users, and
by ensuring that the native VLAN is only used on trunk links. Private VLAN
promiscuous ports can be vulnerable to PVLAN proxy attacks in which a threat actor
can spoof the destination MAC address of the default gateway router. The router will
then permit the unauthorized traffic to enter the target VLANs. PVLAN proxy attacks
can be mitigated through the use of access control lists.
Mitigate DHCP Attacks

 Two types of DHCP attacks are DHCP starvation and DHCP spoofing. Both attacks are
mitigated by implementing DHCP snooping. The goal of the DHCP starvation attack is
DoS for connecting clients. DHCP starvation attacks require an attack tool such as
Gobbler. A DHCP spoofing attack occurs when a rogue DHCP server is connected to
the network and provides false IP configuration parameters to legitimate clients. It is
easy to mitigate DHCP starvation attacks by using port security. DHCP spoofing attacks
can be mitigated using DHCP snooping on trusted ports. DHCP snooping also helps
mitigate DHCP starvation attacks by rate limiting the number of DHCP discovery
messages that an untrusted port can receive. DHCP snooping builds and maintains a
DHCP snooping binding database that the switch can use to filter DHCP messages from
untrusted sources. DHCP snooping is globally activated. Ports that are connected to
legitimate DHCP servers are then configured as trusted. In addition, untrusted ports can
be configured to rate limit DHCP requests.
Mitigate ARP Attacks

 According to the ARP RFC, a client can send gratuitous ARP requests. When other
hosts on the subnet receive a gratuitous ARP request, the hosts store the MAC address
and IPv4 address contained in the gratuitous ARP in their ARP tables. An attacker can
send a gratuitous ARP message containing a spoofed MAC address to a switch, and the
switch would update its MAC table accordingly. Therefore, any host can claim to be the
owner of any IP and MAC address. In a typical attack, a threat actor can send
unsolicited ARP Replies to other hosts on the subnet with the MAC Address of the
threat actor and the IPv4 address of the default gateway. Address spoofing attacks occur
when threat actors craft packets that contain false IP or MAC addresses. MAC address
spoofing attacks occur when threat actors alter the MAC address of their host to match
another known MAC address of a target host. A spoofed MAC address can cause a
switch to send packets that are intended for another host to the threat actor PC. This can
be especially problematic when the spoofed MAC address is that of the default
gateway. DAI can mitigate ARP spoofing by ensuring that only valid ARP Requests
and Replies are sent into the network. DAI requires that DHCP snooping is globally
configured. DAI can be configured on trusted interfaces and VLANs.
Mitigate Address Spoofing Attacks
 Spoofing attacks occur when one host poses as another to receive otherwise
inaccessible data, or to circumvent security configurations. MAC address spoofing
attacks occur when attackers alter the MAC address of their host to match another
known MAC address of a target host. When the switch receives the spoofed frames, it
overwrites the current MAC table entry and assigns the MAC address to the new port.
The threat actor computer can now receive traffic that was intended for the host with
the spoofed address. IP address spoofing is when a rogue PC hijacks a valid IP address
of a neighbor, or uses a random IP address. IP address spoofing is difficult to mitigate,
especially when it is used inside the subnet to which the IP address belongs. To protect
against MAC and IP address spoofing, configure IPSG. IPSG operates like DAI, but it
looks at every packet, not just the ARP packets. Like DAI, IPSG also requires that
DHCP snooping be enabled. For each untrusted port, a source IP address or source IP
and MAC address filter can be configured.
Spanning Tree protocol

 STP is a loop-prevention network protocol that allows for redundancy while creating a
loop-free Layer 2 topology. Without STP enabled, Layer 2 loops can form, causing
broadcast, multicast and unknown unicast frames to loop endlessly. This can bring
down a network within a very short amount of time, sometimes in just a few seconds.
The spanning tree algorithm designates a single switch as the root bridge and uses it as
the reference point for path calculations. Spanning tree algorithm calculates the shortest
path to the root bridge and enables forwarding on trunks that form the best path.
Alternate ports are blocked. Designated ports are all non-root ports that spanning tree
permits to forward traffic. If a path become unavailable, spanning tree then enables the
alternate ports to forward traffic. Spanning tree uses bridge protocol data units to
communicate between switches in a spanning tree topology.
Mitigating STP Attacks

 Threat actors can manipulate STP to conduct an attack by spoofing the root bridge
and changing the topology of a network. Attackers can make their hosts appear as root
bridges and therefore capture all traffic for the immediate switched domain. Cisco
switches have a number of STP stability mechanisms such as PortFast, BPDU Guard,
Root Guard, and Loop Guard. PortFast enables access ports to go to the spanning-tree
forwarding state without going through the transitional spanning-tree states. BPDU
Guard immediately error-disables a port that receives a BPDU. It is configured on non-
trunking ports that typically have PortFast enabled. Root Guard prevents an
inappropriate switch from becoming the root bridge. Loop Guard prevents alternate or
root ports from becoming designated ports because of a failure that leads to a
unidirectional link.
MODULE 15
15.1 SECURE COMMUNICATIONS
15.1.1 AUTHENTICATION, INTEGRITY, AND CONFIDENTIALITY

 To ensure secure communications across both the public and private infrastructure, the
network administrator’s first goal is to secure the network infrastructure, including
routers, switches, servers, and hosts.
 This can be accomplished using device hardening, AAA access control, ACLs,
firewalls, monitoring threats using IPS, securing endpoints using Advanced Malware
Protection (AMP), and enforcing email and web security using the Cisco Email Security
Appliance (ESA) and Cisco Web Security Appliance (WSA).
 The figure shows an example of a secure network topology.

 The next goal is to secure the data as it travels across various links. This may include
internal traffic, but of greater concern is protecting the data that travels outside of the
organization to branch sites, telecommuter sites, and partner sites.
 There are three primary objectives of securing communications:
o Authentication - This guarantees that the message is not a forgery and actually
comes from the authentic source. Modern networks ensure authentication using
hash message authentication code (HMAC).
o Integrity - This guarantees that no one intercepted the message and altered it;
similar to a checksum function in a frame. This is provided by implementing
the SHA-2 or SHA-3 family of hash-generating algorithms.
o Confidentiality - This guarantees that if the message is captured, it cannot be
deciphered. This is provided using symmetric or asymmetric encryption
algorithms.
 Note: These primary objectives are similar but not identical to the three primary issues
in securing and maintaining a computer network which are confidentiality, integrity,
and availability.
 The most popular symmetric encryption algorithm is the Advanced Encryption
Standard (AES). Symmetric encryption algorithms are based on the premise that each
communicating party knows the pre-shared key.
 Data confidentiality can also be ensured using asymmetric algorithms, including Rivest,
Shamir, and Adleman (RSA) and the public key infrastructure (PKI). Asymmetric
encryption algorithms are based on the assumption that the two communicating parties
have not previously shared a secret and must establish a secure method to do so.
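 The following is an added worked example (not part of the original notes) showing the difference between the integrity and authentication objectives above using only the Python standard library: a plain SHA-256 digest detects accidental change but an on-path attacker can recompute it, whereas an HMAC-SHA256 tag can only be produced by a holder of the shared key. The key, the message and the attacker's edit are constructed for the demonstration.

```python
"""Integrity (bare hash) versus authentication (HMAC) on a constructed message.

Added example, not from the original notes. The shared key, the message and the
attacker's modification are all constructed for the demonstration."""
import hashlib
import hmac


def sha256_digest(message: bytes) -> bytes:
    """Integrity only: anyone who can change the message can recompute this too."""
    return hashlib.sha256(message).digest()


def receiver_accepts_hash(message: bytes, digest: bytes) -> bool:
    """Receiver that relies on a bare hash shipped alongside the message."""
    return hmac.compare_digest(sha256_digest(message), digest)


def hmac_tag(key: bytes, message: bytes) -> bytes:
    """Authentication + integrity: only holders of `key` can produce a valid tag."""
    return hmac.new(key, message, hashlib.sha256).digest()


def verify_hmac(key: bytes, message: bytes, tag: bytes) -> bool:
    """Constant-time comparison so the check itself does not leak the tag byte by byte."""
    return hmac.compare_digest(hmac_tag(key, message), tag)


def tamper(message: bytes) -> bytes:
    """Constructed edit an on-path attacker might make to a payment message."""
    return message.replace(b"amount=100.00", b"amount=999.00")


if __name__ == "__main__":
    key = b"constructed-shared-secret"             # known to sender and receiver only
    msg = b"from=alice&to=bob&amount=100.00"
    forged = tamper(msg)

    # Bare hash: the attacker simply recomputes the digest over the forged message.
    print("hash accepts forgery:", receiver_accepts_hash(forged, sha256_digest(forged)))
    # HMAC: the original tag no longer matches, and the attacker cannot mint a new one.
    tag = hmac_tag(key, msg)
    print("hmac accepts original:", verify_hmac(key, msg, tag))
    print("hmac accepts forgery:", verify_hmac(key, forged, tag))
    print("hmac accepts attacker-made tag:", verify_hmac(key, forged, hmac_tag(b"guess", forged)))
```

The first check printing True is the whole point of the authentication objective: a checksum proves the bytes were not corrupted in transit, but only a keyed tag proves who sent them.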

15.1.2 AUTHENTICATION

 There are two primary methods for validating a source in network communications:
authentication services and data nonrepudiation services.
 Authentication guarantees that a message comes from the source that it claims to come
from. Authentication is similar to entering a secure personal identification number
(PIN) for banking at an ATM, as shown in the figure. The PIN should only be known to
the user and the financial institution. The PIN is a shared secret that helps protect
against forgeries.

 In network communications, authentication can be accomplished using cryptographic
methods. This is especially important for applications or protocols, such as email or IP,
that do not have built-in mechanisms to prevent spoofing of the source.
 Data nonrepudiation is a similar service that allows the sender of a message to be
uniquely identified. With nonrepudiation services in place, a sender cannot deny having
been the source of that message. It might appear that the authenticity service and the
nonrepudiation service are fulfilling the same function. Although both address the
question of the proven identity of the sender, there is a difference between the two.
 The most important part of nonrepudiation is that a device cannot repudiate, or refute,
the validity of a message sent. Nonrepudiation relies on the fact that only the sender has
the unique characteristics or signature for how that message is treated. Not even the
receiving device can know how the sender treated this message to prove authenticity
because the receiver could then pretend to be the source.
 If the major concern is for the receiving device to validate the source and there is no
concern about the receiving device imitating the source, it does not matter whether the
sender and receiver both know how to treat a message to provide authenticity. An
example of authenticity versus nonrepudiation is a data exchange between two
computers of the same company versus a data exchange between a customer and an e-
commerce website. The two computers exchanging data within an organization do not
have to prove to the other which of them sent a message.
 This practice is not acceptable in business applications, such as when purchasing items
online. If the online store knows how a customer message was created to prove the
authenticity, then it could easily fake “authentic” orders. In such a scenario, the sender
must be the only party with the knowledge of how the message was created. The online
store can prove to others that the order was, in fact, sent by the customer, and the
customer cannot argue that the order is invalid.

15.1.3 DATA INTEGRITY

 Data integrity ensures that messages are not altered in transit. With data integrity, the
receiver can verify that the received message is identical to the sent message and that no
manipulation occurred.
 European nobility ensured the data integrity of documents by creating a wax seal to
close an envelope, as shown in the figure. The seal was often created using a signet
ring. These bore the family crest, initials, a portrait, or a personal symbol or motto of
the owner of the signet ring. An unbroken seal on an envelope guaranteed the integrity
of its contents. It also guaranteed authenticity based on the unique signet ring
impression.

15.1.4 DATA CONFIDENTIALITY

 Data confidentiality ensures privacy so that only the receiver can read the message. This
can be achieved through encryption. Encryption is the process of scrambling data so
that it cannot be easily read by unauthorized parties.
 When enabling encryption, readable data is called plaintext, or cleartext, while the
encrypted version is called encrypted text or ciphertext. In this course, we will use the
term ciphertext. The plaintext readable message is converted to ciphertext, which is the
unreadable, disguised message. Decryption reverses the process. A key is required to
encrypt and decrypt a message. The key is the link between the plaintext and ciphertext.
 Historically, various encryption algorithms and methods have been used. Julius Caesar
is said to have secured messages by putting two sets of the alphabet, side-by-side, and
then shifting one of them by a specific number of places. The number of places in the
shift serves as the key. He converted plaintext into ciphertext using this key, and only
his generals, who also had the key, knew how to decipher the messages. This method is
now known as the Caesar cipher. An encoded message using the Caesar cipher is shown
in the figure.
Encoded Caesar Cipher Message

 Using a hash function is another way to ensure data confidentiality. A hash function
transforms a string of characters into a usually shorter, fixed-length value or key that
represents the original string. The difference between hashing and encryption is in how
the data is stored. With encrypted text, the data can be decrypted with a key. With the
hash function, after the data is entered and converted using the hash function, the
plaintext is gone. The hashed data is simply there for comparison. For example, when a
user enters a password, the password is hashed and then compared to the stored hashed
value. If the user forgets the password, it is impossible to decrypt the stored value, and
the password must be reset.
 The purpose of encryption and hashing is to guarantee confidentiality so that only
authorized entities can read the message.

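
The password check described above (hash on entry, compare against the stored hash, never decrypt), as an added example that is not part of the course material. It uses Python's standard library only: a salted, iterated hash (PBKDF2-HMAC-SHA-256) is what gets stored, and a login attempt is checked by re-hashing with the stored salt and comparing the two digests in constant time. The salt length, iteration count and sample password are assumptions chosen for this illustration.

```python
import hashlib
import hmac
import os
from typing import Optional, Tuple

# Parameters chosen for this illustration (assumptions, not values from the course).
HASH_NAME = "sha256"
ITERATIONS = 100_000      # kept modest so the example runs quickly; production uses more
SALT_BYTES = 16


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Return (salt, digest) for storage. A fresh random salt is drawn when none is
    given, so two users with the same password end up with different stored values."""
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac(HASH_NAME, password.encode("utf-8"), salt, ITERATIONS)
    return salt, digest


def verify_password(password: str, salt: bytes, stored_digest: bytes) -> bool:
    """Re-hash the supplied password with the stored salt and compare digests.
    The stored digest cannot be turned back into the password; the only operation
    available is this comparison, which is why a forgotten password must be reset."""
    _, candidate = hash_password(password, salt)
    # compare_digest takes the same time whether the first or the last byte differs
    return hmac.compare_digest(candidate, stored_digest)


def demo() -> dict:
    """Constructed sample: store one password, then check a right and a wrong attempt."""
    password = "correct horse battery staple"
    salt, stored = hash_password(password)
    return {
        "digest_bytes": len(stored),                        # fixed length: 32 for SHA-256
        "accepts_right": verify_password(password, salt, stored),
        "rejects_wrong": not verify_password("Correct horse battery staple", salt, stored),
        # same password, fresh salt: a different stored value
        "salt_changes_digest": hash_password(password)[1] != stored,
    }


if __name__ == "__main__":
    print(demo())
```

The digest is the same length whatever the password length, the plaintext is never stored, and a one-character change in the attempt is rejected; the salt is what stops two identical passwords from producing identical stored values.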
15.2 CRYPTOGRAPHY
15.2.1 CREATING CIPHER TEXT

 The history of cryptography starts in diplomatic circles thousands of years ago.
Messengers from a king’s court took encrypted messages to other courts. Occasionally,
other courts not involved in the communication attempted to steal messages sent to a
kingdom they considered an adversary. Not long after, military commanders started
using encryption to secure messages.
Scytale

 A scytale is a device used to generate a transposition cipher. A strip of paper or other
material is wrapped around a rod of a known diameter, as shown in the figure. The
message is written on the paper across rows. When the strip is removed, the message is
unreadable until it is wrapped around another rod of the same diameter.
Caesar Cipher

 The Caesar Cipher is a type of substitution cipher in which each letter is replaced by
another letter that is a set number of places away in the alphabet. That number of places
is the key. In the figure, the key is 3.
Vigenère Cipher

 The Vigenère cipher is a type of polyalphabetic substitution cipher. It was considered
unbreakable until 1863. To use the cipher, a key text is generated that repeats for the
length of the message to be encrypted. The combination of the plaintext letter and the
corresponding key letter is used to locate the ciphertext value for the letter in a table,
shown in the figure, or other device. In the table, the row value is the key letter,
and the plaintext letter is located in the column. The letter where the row and column
intersect is the ciphertext letter to be used.
Enigma Machine

 The Enigma machine was an electromechanical encryption device that was developed
and used by Nazi Germany during World War II. The device depended on the
distribution of pre-shared keys that were used to encrypt and decrypt messages. The
Enigma ciphers were broken by the Allies, and numerous Enigma-encoded messages
were decoded during the war. This provided a significant advantage to the Allies and is
estimated to have greatly shortened the war and saved many lives.

15.2.2 TRANSPOSITION CIPHERS

 In transposition ciphers, no letters are replaced; they are simply rearranged. An example
of this type of cipher is taking the FLANK EAST ATTACK AT DAWN message and
transposing it to read NWAD TA KCATTA TSAE KNALF. In this example, the key is
to reverse the letters.
 Another example of a transposition cipher is known as the rail fence cipher. In this
transposition, the words are spelled out as if they were a rail fence. They are staggered,
some in front, some in the middle and some in back, across several parallel lines.
 Modern encryption block cipher algorithms, such as AES and the legacy 3DES, still use
transposition as part of the algorithm.
The use of a simple transposition cipher is now discussed and displayed:
Plaintext Message

 The plaintext message will be encoded using a key of 3. This key value specifies that
three lines are required when creating the encrypted code.
Encryption Process

 A rail fence cipher is used with the key of 3.
Encrypted Message

 This is the encrypted text.
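
The rail fence transposition with a key of 3, as an added example (not the course's own code or figure): the letters are written down a zig-zag across three rails, then read off rail by rail. Decryption reverses this by working out how many letters each rail holds and walking the same zig-zag again. The plaintext used here is the course's own FLANK EAST ATTACK AT DAWN; spaces are dropped and the output for the figure's case is an assumption computed by the code, since the figure itself is not on the page.

```python
from typing import List


def rail_pattern(length: int, rails: int) -> List[int]:
    """Rail index visited by each character position when writing the zig-zag:
    0,1,2,1,0,1,2,... for three rails."""
    pattern = []
    rail, step = 0, 1
    for _ in range(length):
        pattern.append(rail)
        if rails > 1:
            if rail == 0:
                step = 1
            elif rail == rails - 1:
                step = -1
            rail += step
    return pattern


def rail_fence_encrypt(plaintext: str, rails: int) -> str:
    """Write the letters along the zig-zag, then read each rail left to right."""
    text = "".join(ch for ch in plaintext.upper() if ch.isalpha())
    pattern = rail_pattern(len(text), rails)
    fence = [[] for _ in range(rails)]
    for ch, rail in zip(text, pattern):
        fence[rail].append(ch)
    return "".join("".join(row) for row in fence)


def rail_fence_decrypt(ciphertext: str, rails: int) -> str:
    """Recover the rails from the ciphertext, then walk the zig-zag to reorder them."""
    pattern = rail_pattern(len(ciphertext), rails)
    # the zig-zag tells us how many ciphertext letters belong to each rail
    counts = [pattern.count(r) for r in range(rails)]
    rows, pos = [], 0
    for n in counts:
        rows.append(list(ciphertext[pos:pos + n]))
        pos += n
    # pull the next unused letter from whichever rail the zig-zag visits
    return "".join(rows[r].pop(0) for r in pattern)


if __name__ == "__main__":
    ct = rail_fence_encrypt("FLANK EAST ATTACK AT DAWN", 3)
    print(ct, rail_fence_decrypt(ct, 3))
```

No letter is replaced, only moved: the ciphertext has exactly the letters of the plaintext, which is why a letter-frequency count of a transposition ciphertext looks like ordinary English.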

15.2.3 SUBSTITUTION CIPHERS

 Substitution ciphers substitute one letter for another. In their simplest form, substitution
ciphers retain the letter frequency of the original message.
 The Caesar cipher was a simple substitution cipher.
 Because the entire message relied on the same single key shift, the Caesar cipher is
referred to as a monoalphabetic substitution cipher. It is also fairly easy to crack. For
this reason, polyalphabetic ciphers, such as the Vigenère cipher, were invented. The
method was originally described by Giovan Battista Bellaso in 1553, but the scheme
was later misattributed to the French diplomat and cryptographer, Blaise de Vigenère.
A process involving a substitution cipher is now discussed and displayed:
Plaintext Message

 The plaintext message will be encoded with a key of 3.
Encryption Process

 Shift the top scroll over by three characters (a key of 3) and A becomes D, B
becomes E, and so on. If the key used was 8, then A becomes I, B becomes J, and so on.
Encrypted Message

 The process is reversed to decrypt the message.

15.2.4 A MORE COMPLEX SUBSTITUTION CIPHER

 The Vigenère cipher is based on the Caesar cipher, except that it encrypts text by using
a different polyalphabetic key shift for every plaintext letter. The different key shift is
identified using a shared key between sender and receiver. The plaintext message can be
encrypted and decrypted using the Vigenère Cipher Table that is shown in the figure.
 To illustrate how the Vigenère Cipher Table works, suppose that a sender and receiver
have a shared secret key composed of these letters: SECRETKEY. The sender uses this
secret key to encode the plaintext FLANK EAST ATTACK AT DAWN:
o The F (FLANK) is encoded by looking at the intersection of column F and the
row starting with S (SECRETKEY), resulting in the cipher letter X.
o The L (FLANK) is encoded by looking at the intersection of column L and the
row starting with E (SECRETKEY), resulting in the cipher letter P.
o The A (FLANK) is encoded by looking at the intersection of column A and the
row starting with C (SECRETKEY), resulting in the cipher letter C.
o The N (FLANK) is encoded by looking at the intersection of column N and the
row starting with R (SECRETKEY), resulting in the cipher letter E.
o The K (FLANK) is encoded by looking at the intersection of column K and the
row starting with E (SECRETKEY), resulting in the cipher letter O.
 The process continues until the entire text message FLANK EAST ATTACK AT
DAWN is encrypted. The process can also be reversed. For instance, the F is still the
cipher letter X if encoded by looking at the intersection of row F (FLANK) and the
column starting with S (SECRETKEY).
 When using the Vigenère cipher, if the message is longer than the key, the key is
repeated. For example, SECRETKEYSECRETKEYSEC is required to encode FLANK
EAST ATTACK AT DAWN:
o Secret key: SECRETKEYSECRETKEYSEC
o Plaintext: FLANKEASTATTACKATDAWN
o Cipher text: XPCEOXKURSXVRGDKXBSAP
 Although the Vigenère cipher uses a longer key, it can still be cracked. For this reason,
a better cipher method was required.
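
The tableau lookup walked through above, as an added example that is not part of the course material. Looking up column F in the row starting with S is the same as shifting F forward by the position of S in the alphabet, so the function below implements the Vigenère table as a per-letter shift, cycles the key for the length of the message, and reverses the shift to decrypt. The Caesar cipher falls out as a Vigenère cipher with a one-letter key.

```python
from itertools import cycle

ALPHABET = "ABCDEFGHIJKLMNOPQRSTUVWXYZ"


def letters_only(text: str) -> str:
    """Upper-case and drop spaces and punctuation, as the course's examples do."""
    return "".join(ch for ch in text.upper() if ch in ALPHABET)


def expanded_key(text: str, key: str) -> str:
    """The key repeated so that one key letter lines up under each plaintext letter."""
    n = len(letters_only(text))
    return "".join(k for _, k in zip(range(n), cycle(letters_only(key))))


def vigenere(text: str, key: str, decrypt: bool = False) -> str:
    """Row = key letter, column = plaintext letter: the intersection is the letter
    'shift' places after the plaintext letter, wrapping around at Z."""
    key = letters_only(key)
    if not key:
        raise ValueError("key must contain at least one letter")
    out = []
    for p, k in zip(letters_only(text), cycle(key)):
        shift = ALPHABET.index(k)
        if decrypt:
            shift = -shift
        out.append(ALPHABET[(ALPHABET.index(p) + shift) % 26])
    return "".join(out)


def caesar(text: str, shift: int) -> str:
    """A Caesar cipher is a Vigenère cipher whose key is the single letter at 'shift'."""
    return vigenere(text, ALPHABET[shift % 26])


if __name__ == "__main__":
    msg, key = "FLANK EAST ATTACK AT DAWN", "SECRETKEY"
    print(expanded_key(msg, key))
    print(vigenere(msg, key))
    print(caesar(msg, 3))
```

The five letters the text walks through (X, P, C, E, O) come out of vigenere() unchanged, and expanded_key() reproduces SECRETKEYSECRETKEYSEC. For the whole message the function returns XPCEOXKWRSXVRGDKXBSAP, which agrees with the listed ciphertext except at the eighth letter: plaintext S (the 19th letter) under key letter E (a shift of 4) gives W in the standard tableau, so the U listed there is worth checking against the table in the figure.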

15.2.5 ONE-TIME PAD CIPHERS

 Gilbert Vernam was an AT&T Bell Labs engineer who, in 1917, invented, and later
patented, the stream cipher. He also co-invented the one-time pad cipher. Vernam
proposed a teletype cipher in which a prepared key consisting of an arbitrarily long,
non-repeating sequence of numbers was kept on paper tape, shown in the figure. It was
then combined character by character with the plaintext message to produce the
ciphertext.
 To decipher the ciphertext, the same paper tape key was again combined character by
character, producing the plaintext. Each tape was used only once; hence, the name one-
time pad. As long as the key tape does not repeat or is not reused, this type of cipher is
immune to cryptanalytic attack. This is because the available ciphertext does not display
the pattern of the key.
 Several difficulties are inherent in using one-time pads in the real world. One difficulty
is the challenge of creating random data. Computers, because they have a mathematical
foundation, are incapable of creating true random data. Additionally, if the key is used
more than once, it is easy to break. RC4 is an example of this type of cipher that is
widely used on the internet. Again, because the key is generated by a computer, it is not
truly random. In addition to these issues, key distribution is also challenging with this
type of cipher.
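
The one-time pad and the key-reuse problem just described, as an added example that is not part of the course material. The pad is drawn from the operating system's cryptographic random source (Python's secrets module, an assumption standing in for Vernam's paper tape), combined byte by byte with the plaintext by XOR, and removed again by the same operation. The second half of the demo shows what goes wrong when one pad is used for two messages: XOR of the two ciphertexts cancels the pad and leaves XOR of the two plaintexts, which is why the pad must never be reused. The sample messages are constructed for the illustration.

```python
import secrets
from typing import Dict


def otp_encrypt(plaintext: bytes, pad: bytes) -> bytes:
    """XOR each plaintext byte with the corresponding pad byte. The pad must cover
    the whole message; a shorter pad would have to repeat, which is no longer a
    one-time pad."""
    if len(pad) < len(plaintext):
        raise ValueError("pad must be at least as long as the message")
    return bytes(p ^ k for p, k in zip(plaintext, pad))


# XOR with the same byte twice restores the original, so decryption is the same function.
otp_decrypt = otp_encrypt


def new_pad(length: int) -> bytes:
    """Draw pad bytes from the OS cryptographic random source (secrets.token_bytes)."""
    return secrets.token_bytes(length)


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def demo() -> Dict[str, object]:
    """Constructed sample: one correct use of a pad, then the same pad reused."""
    p1 = b"FLANK EAST ATTACK AT DAWN"   # 25 bytes
    p2 = b"HOLD POSITION UNTIL NOON "   # 25 bytes, constructed second message
    pad = new_pad(len(p1))
    c1 = otp_encrypt(p1, pad)
    c2 = otp_encrypt(p2, pad)           # the mistake: the pad is used a second time
    leak = xor_bytes(c1, c2)            # computable by anyone who saw both ciphertexts
    return {
        "roundtrip": otp_decrypt(c1, pad) == p1,
        # the pad has cancelled out: leak == p1 XOR p2, relating the two plaintexts
        "reuse_leak_equals_plain_xor": leak == xor_bytes(p1, p2),
        # positions where both messages hold the same byte show up as zero bytes
        "zero_positions": [i for i, b in enumerate(leak) if b == 0],
    }


if __name__ == "__main__":
    print(demo())
```

With a fresh, truly random pad per message the ciphertext carries no pattern of the key; the zero_positions list in the demo is the simplest visible consequence of reuse, since it reveals where the two plaintexts agree without any knowledge of the pad.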

15.3 CRYPTANALYSIS
15.3.1 CRACKING CODE

 For as long as there has been cryptography, there has been cryptanalysis. Cryptanalysis
is the practice and study of determining the meaning of encrypted information (cracking
the code), without access to the shared secret key. This is also known as codebreaking.
 Throughout history, there have been many instances of cryptanalysis:
 The Vigenère cipher had been absolutely secure until it was broken in the 19th century
by English cryptographer Charles Babbage.
 Mary, Queen of Scots, was plotting to overthrow Queen Elizabeth I from the throne and
sent encrypted messages to her co-conspirators. The cracking of the code used in this
plot led to the beheading of Mary in 1587.
 The Enigma-encrypted communications were used by the Germans to navigate and
direct their U-boats in the Atlantic. Polish and British cryptanalysts broke the German
Enigma code.

15.3.2 METHODS OF CRACKING CODE

 Several methods are used in cryptanalysis:

o Brute-force method - The attacker tries every possible key knowing that
eventually one of them will work.
o Ciphertext method - The attacker has the ciphertext of several encrypted
messages but no knowledge of the underlying plaintext.
o Known-Plaintext method - The attacker has access to the ciphertext of several
messages and knows something about the plaintext underlying that ciphertext.
o Chosen-Plaintext method - The attacker chooses which data the encryption
device encrypts and observes the ciphertext output.
o Chosen-Ciphertext method - The attacker can choose different ciphertext to
be decrypted and has access to the decrypted plaintext.
o Meet-in-the-Middle method - The attacker knows a portion of the plaintext
and the corresponding ciphertext.

 Note: Details of how these methods are implemented are beyond the scope of this course.
 The simplest method to understand is the brute-force method. For example, if a thief
attempted to steal a bicycle secured with the combination lock displayed in the figure,
they would have to attempt a maximum of 10,000 different possibilities (0000 to 9999).
All encryption algorithms are vulnerable to this attack. On average, a brute-force attack
succeeds about 50 percent of the way through the keyspace, which is the set of all
possible keys.
 The objective of modern cryptographers is to have a keyspace large enough that it takes
too much time and money to accomplish a brute-force attack.
15.3.3 CRACKING CODE EXAMPLE
 When choosing a cryptanalysis method, consider the Caesar cipher encrypted code. The
best way to crack the code is to use brute force. Because there are only 25 possible
rotations, the effort is relatively small to try all possible rotations and see which one
returns something that makes sense.
 A more scientific approach is to use the fact that some characters in the English
alphabet are used more often than others. This method is called frequency analysis. For
example, the graph in the figure below shows the frequency of letters in the English
language. The letters E, T, and A are the most popular letters used in the English
language. The letters J, Q, X, and Z are the least popular. Understanding this pattern can
help discover which letters are probably included in the cipher message.
 In the Caesar ciphered message IODQN HDVW DWWDFN DW GDZQ, shown in the
figure, the cipher letter D appears six times while the cipher letter W appears four times.
There is a good possibility that the cipher letters D and W represent either the plaintext
E, T or A. In this case, the D represents the letter A, and the W represents the letter T.
 An attacker would only have to replace the cipher letter D first with popular plaintext
letters including E, T, and finally A. Trying A would reveal the shift pattern of 3, and
the attacker could then decipher the entire message.
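
The two approaches from this section applied to the course's own message IODQN HDVW DWWDFN DW GDZQ, as an added example that is not part of the course material: a brute-force pass over the 25 possible shifts, each candidate scored by how English-like its letters are, and the frequency shortcut that maps the most common cipher letter to an assumed plaintext letter. The English letter frequencies are a constructed table of commonly published approximate values; the scoring function is a simple sum of those frequencies, an assumption standing in for any more careful statistic.

```python
from collections import Counter
from typing import List, Tuple

ALPHABET = "ABCDEFGHIJKLMNOPQRSTUVWXYZ"

# Approximate relative frequency (%) of letters in English text, constructed here
# from commonly published tables. E, T and A lead; J, X, Q and Z trail.
ENGLISH_FREQ = {
    "E": 12.7, "T": 9.1, "A": 8.2, "O": 7.5, "I": 7.0, "N": 6.7, "S": 6.3, "H": 6.1,
    "R": 6.0, "D": 4.3, "L": 4.0, "C": 2.8, "U": 2.8, "M": 2.4, "W": 2.4, "F": 2.2,
    "G": 2.0, "Y": 2.0, "P": 1.9, "B": 1.5, "V": 1.0, "K": 0.8, "J": 0.15,
    "X": 0.15, "Q": 0.10, "Z": 0.07,
}


def caesar_shift(text: str, shift: int) -> str:
    """Shift letters by 'shift' places (negative to undo); keep spaces as they are."""
    out = []
    for ch in text.upper():
        if ch in ALPHABET:
            out.append(ALPHABET[(ALPHABET.index(ch) + shift) % 26])
        else:
            out.append(ch)
    return "".join(out)


def letter_counts(ciphertext: str) -> Counter:
    """How often each cipher letter appears: the raw material of frequency analysis."""
    return Counter(ch for ch in ciphertext.upper() if ch in ALPHABET)


def english_score(text: str) -> float:
    """Sum of English frequencies over the letters in text; higher means the text
    is made of more common letters. A crude but serviceable 'makes sense' test."""
    return sum(ENGLISH_FREQ[ch] for ch in text.upper() if ch in ALPHABET)


def crack_caesar(ciphertext: str) -> List[Tuple[int, float, str]]:
    """Brute force: undo every one of the 25 non-trivial shifts and rank the results."""
    candidates = [
        (shift, english_score(caesar_shift(ciphertext, -shift)), caesar_shift(ciphertext, -shift))
        for shift in range(1, 26)
    ]
    candidates.sort(key=lambda c: c[1], reverse=True)
    return candidates


def guess_shift_from_top_letter(ciphertext: str, assumed_plain: str) -> int:
    """The course's shortcut: assume the most frequent cipher letter stands for
    'assumed_plain' and read the shift off that single pair."""
    top_cipher, _ = letter_counts(ciphertext).most_common(1)[0]
    return (ALPHABET.index(top_cipher) - ALPHABET.index(assumed_plain)) % 26


if __name__ == "__main__":
    ct = "IODQN HDVW DWWDFN DW GDZQ"
    print(letter_counts(ct).most_common(2))
    for plain in "ETA":
        print(plain, guess_shift_from_top_letter(ct, plain))
    print(crack_caesar(ct)[0])
```

letter_counts() confirms D six times and W four times. Guessing that D stands for E or T gives shifts of 25 and 10, which decrypt to nonsense; guessing A gives the shift of 3, exactly the order of attempts the text describes. The brute-force ranking reaches the same answer without any guessing, which is why a 25-key keyspace offers no protection at all.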

15.4 CRYPTOLOGY
15.4.1 MAKING AND BREAKING SECRET CODES
 Cryptology is the science of making and breaking secret codes. As shown in the figure,
cryptology combines two separate disciplines:
o Cryptography - the development and use of codes
o Cryptanalysis - the breaking of those codes
 There is a symbiotic relationship between the two disciplines because each makes the
other one stronger. National security organizations employ practitioners of both
disciplines and put them to work against each other.
 There have been times when one of the disciplines has been ahead of the other. For
example, during the Hundred Years War between France and England, the cryptanalysts
were leading the cryptographers. France mistakenly believed that the Vigenère cipher
was unbreakable, and then the British cracked it. Some historians believe that the
successful cracking of encrypted codes and messages had a major impact on the
outcome of World War II. Currently, it is believed that cryptographers are in the lead.

15.4.2 CRYPTANALYSTS
 Cryptanalysis is often used by governments in military and diplomatic surveillance, by
enterprises in testing the strength of security procedures, and by malicious hackers in
exploiting weaknesses in websites.
 Cryptanalysts are individuals who perform cryptanalysis to crack secret codes. A
sample job description is displayed in the figure.
 While cryptanalysis is often linked to mischievous purposes, it is actually a necessity. It
is an ironic fact of cryptography that it is impossible to prove that any algorithm is
secure. It can only be proven that it is not vulnerable to known cryptanalytic attacks.
Therefore, there is a need for mathematicians, scholars, and security forensic experts to
keep trying to break the encryption methods.

15.4.3 THE SECRET IS IN THE KEYS

 In the world of communications and networking, authentication, integrity, and data
confidentiality are implemented in many ways using various protocols and algorithms.
The choice of protocol and algorithm varies based on the level of security required to
meet the goals of the network security policy.
 As an example, for message integrity, message-digest 5 (MD5) is faster than Secure
Hash Algorithm 2 (SHA2). However, MD5 is now considered to be insecure.
Confidentiality can be implemented using the legacy 3DES or the more secure AES.
Again, the choice varies depending on the security requirements specified in the
network security policy document. Additional considerations are the computing power
that is required to encrypt and decrypt data, and the acceptance of the protocol in the
security community. The table lists some common cryptographic hashes, protocols, and
algorithms.

Integrity         Authenticity          Confidentiality
MD5 (legacy)      HMAC-MD5 (legacy)     3DES (legacy)
SHA               HMAC-SHA-256          AES
                  RSA and DSA

 Old encryption algorithms, such as the Caesar cipher or the Enigma machine, were
based on the secrecy of the algorithm to achieve confidentiality. With modern
technology, where reverse engineering is often simple, public-domain algorithms are
frequently used. With most modern algorithms, successful decryption requires
knowledge of the appropriate cryptographic keys. This means that the security of
encryption lies in the secrecy of the keys, not the algorithm.

15.5 CRYPTOGRAPHIC SERVICES SUMMARY

15.5.1 WHAT DID I LEARN IN THIS MODULE?
Securing Communications
 In addition to ensuring that the network and network devices are secure and protected
from attack, network security personnel also ensure that data is protected during
transmission. The three primary objectives of securing communications are:
o Authentication - This guarantees that the message is not a forgery and actually
comes from the authentic source.
o Integrity - This guarantees that no one intercepted the message and altered it;
similar to a checksum function in a frame.
o Confidentiality - This guarantees that if the message is captured, it cannot be
deciphered.
 Authentication may be secured by HMAC. Integrity is ensured through the use of the
legacy MD5 or secure members of the SHA family of hash generating algorithms. Data
confidentiality is ensured through symmetric encryption algorithms, including the
legacy 3DES and AES. Symmetric encryption algorithms are based on the premise that
communicating parties both know a pre-shared key. Asymmetric algorithms, such as RSA
and PKI, are based on the assumption that communicating parties do not know a pre-
shared key and must establish a secure means of key exchange.
 In network communications, authentication proves that a message actually comes from
a valid source. Data nonrepudiation is a similar service to authentication in that it allows
the sender of a message to be uniquely identified. Data integrity ensures that messages
are not altered in transit. Data confidentiality ensures privacy so that only the intended
receiver can read the message.
Cryptography
 Cryptography has been used to secure communications for thousands of years. Historic
ciphers include the scytale from ancient Greece, the Caesar cipher, and the Vigenère
cipher. The Vigenère cipher is a type of polyalphabetic substitution cipher that was
considered unbreakable until 1863. The Enigma Machine was an electro-mechanical
device that produced encoded messages that were very difficult to break during World
War II. Three types of cipher are:
o Transposition - The rearranged letters are used for the encoded text. In order
for the key to be sharable, the letters were shifted by a specific number of
characters.
o Substitution - This is when different letters are substituted for the letters in the
cleartext.
o One-time pad - This is a prepared key, consisting of an arbitrarily long, non-
repeating sequence of numbers, that was kept on paper tape. It was then combined
character by character with the plaintext message to produce the ciphertext. The
keys were only used once and were pre-shared.
Cryptanalysis

 Cryptanalysis, or codebreaking, is the practice and study of determining the meaning of
encrypted information (cracking the code), without access to the shared secret key.
Several methods of cryptanalysis are:
o Brute-force method - The attacker tries every possible key knowing that
eventually one of them will work.
o Ciphertext method - The attacker has the ciphertext of several encrypted
messages but no knowledge of the underlying plaintext.
o Known-Plaintext method - The attacker has access to the ciphertext of several
messages and knows something about the plaintext underlying that ciphertext.
o Chosen-Plaintext method - The attacker chooses which data the encryption
device encrypts and observes the ciphertext output.
o Chosen-Ciphertext method - The attacker can choose different ciphertext to
be decrypted and has access to the decrypted plaintext.
o Meet-in-the-Middle method - The attacker knows a portion of the plaintext
and the corresponding ciphertext.
 The objective of modern cryptographers is to have a keyspace large enough that it takes
too much time and money to accomplish a brute-force attack. Analysis of the frequency
of letters in a language can help with breaking simple substitution and transposition
ciphers.

Cryptology
 Cryptology is the science of making and breaking secret codes. It combines
cryptography and cryptanalysis. In the world of communications and networking,
authentication, integrity, and data confidentiality are implemented in many ways using
various protocols and algorithms. The choice of algorithm varies depending on the
security requirements, the hardware resources that are available for encryption and
decryption, and the acceptance of the algorithm in the security community. Public-
domain algorithms are frequently used. With most modern algorithms, successful
decryption requires knowledge of the appropriate cryptographic keys. This means that
the security of encryption lies in the secrecy of the keys, not the algorithm.

MODULE 16
16.1 INTEGRITY AND AUTHENTICITY
16.1.1 SECURE COMMUNICATIONS

 Organizations must provide support to secure data as it travels across links. This may
include internal traffic, but it is even more important to protect data that travels outside
of the organization to branch sites, telecommuter sites, and partner sites.
 These are the four elements of secure communications:
o Data Integrity - Guarantees that the message was not altered. Any changes to
data in transit will be detected. Integrity is ensured by implementing either of
the Secure Hash Algorithms (SHA-2 or SHA-3). The MD5 message digest
algorithm is still widely in use. However, it is inherently insecure and creates
vulnerabilities in a network. Note that MD5 should be avoided.
o Origin Authentication - Guarantees that the message is not a forgery and does
actually come from whom it states. Many modern networks ensure
authentication with algorithms such as hash-based message authentication code
(HMAC).
o Data Confidentiality - Guarantees that only authorized users can read the
message. If the message is intercepted, it cannot be deciphered within a
reasonable amount of time. Data confidentiality is implemented using
symmetric and asymmetric encryption algorithms.
o Data Non-Repudiation - Guarantees that the sender cannot repudiate, or
refute, the validity of a message sent. Nonrepudiation relies on the fact that only
the sender has the unique characteristics or signature for how that message is
treated.
 Cryptography can be used almost anywhere that there is data communication. In fact,
the trend is toward all communication being encrypted.

16.1.2 CRYPTOGRAPHIC HASH FUNCTIONS

 Hashes are used to verify and ensure data integrity. They are also used to verify
authentication. Hashing is based on a one-way mathematical function that is relatively
easy to compute, but significantly harder to reverse.
 Grinding coffee is a good analogy of a one-way function. It is easy to grind coffee
beans, but it is almost impossible to put all of the tiny pieces back together to rebuild
the original beans.
 As shown in the figure, a hash function takes a variable block of binary data, called the
message, and produces a fixed-length, condensed representation, called the hash. The
resulting hash is also sometimes called the message digest, digest, or digital fingerprint.

 With hash functions, it is computationally infeasible for two different sets of data to
come up with the same hash output. Furthermore, the hash value changes every time the
data is changed or altered. Because of this, cryptographic hash values are often called
“digital fingerprints”. These fingerprints can be used to detect duplicate data files, file
version changes, and similar applications. These values are used to guard against an
accidental or intentional change to the data, or accidental data corruption.
 The cryptographic hash function is applied in many different situations for entity
authentication, data integrity, and data authenticity purposes.

16.1.3 CRYPTOGRAPHIC HASH OPERATION

 Mathematically, the equation h = H(x) is used to explain how a hash algorithm operates.
As shown in the figure, a hash function H takes an input x and returns a fixed-size
string hash value h.
 The example in the figure summarizes the mathematical process. A cryptographic hash
function should have the following properties:
o The input can be any length.
o The output is always a fixed length.
o H(x) is relatively easy to compute for any given x.
o H(x) is one way and not reversible.
o H(x) is collision free, meaning that two different input values will result in
different hash values.
 If a hash function is hard to invert, it is considered a one-way hash. Hard to invert
means that given a hash value of h, it is computationally infeasible to find an input
for x such that h=H(x).

16.1.4 MD5 AND SHA

 Hash functions are used to ensure the integrity of a message. They help ensure data has
not accidentally changed and that what was sent is indeed what was received.
 Note: Deliberate changes can be made by a threat actor.
 In the figure, the sender is sending a $100 money transfer to Alex. The sender wants to
ensure that the message is not accidentally altered on its way to the receiver.

 There are four well-known hash functions:
o MD5 with 128-bit digest - Developed by Ron Rivest and used in a variety of
internet applications, MD5 is a one-way function that produces a 128-bit hashed
message. MD5 is considered to be a legacy algorithm and should be avoided
and used only when no better alternatives are available. It is recommended that
SHA-2 or SHA-3 be used instead.
o SHA-1 - Developed by the U.S. National Security Agency (NSA) in 1995. It is
very similar to the MD5 hash functions. Several versions exist. SHA-1 creates a
160-bit hashed message and is slightly slower than MD5. SHA-1 has known
flaws and is a legacy algorithm.
o SHA-2 - Developed by the NSA. It includes SHA-224 (224 bit), SHA-256 (256
bit), SHA-384 (384 bit), and SHA-512 (512 bit). If you are using SHA-2, then
the SHA-256, SHA-384, and SHA-512 algorithms should be used whenever
possible.
o SHA-3 - SHA-3 is the newest hashing algorithm and was introduced by the
National Institute of Standards and Technology (NIST) as an alternative and
eventual replacement for the SHA-2 family of hashing algorithms. SHA-3
includes SHA3-224 (224 bit), SHA3-256 (256 bit), SHA3-384 (384 bit), and
SHA3-512 (512 bit). The SHA-3 family are next-generation algorithms and
should be used whenever possible.
 While hashing can be used to detect accidental changes, it cannot be used to guard
against deliberate changes that are made by a threat actor. There is no unique
identifying information from the sender in the hashing procedure. This means that
anyone can compute a hash for any data, as long as they have the correct hash function.
 For example, when the message traverses the network, a potential threat actor could
intercept the message, change it, recalculate the hash, and append it to the message. The
receiving device will only validate against whatever hash is appended.
 Therefore, hashing is vulnerable to man-in-the-middle attacks and does not provide
security to transmitted data. To provide integrity against man-in-the-middle attacks,
origin authentication is also required.

16.1.5 ORIGIN AUTHENTICATION

 To add origin authentication and integrity assurance, use a keyed-hash message
authentication code (HMAC). HMAC uses an additional secret key as input to the hash
function.
 Note: Other Message Authentication Code (MAC) methods are also used. However,
HMAC is used in many systems including SSL, IPsec, and SSH.
Now follows an illustration and explanation of origin authentication using HMAC:
HMAC Hashing algorithm

 As shown in the figure, an HMAC is calculated using any cryptographic algorithm that
combines a cryptographic hash function with a secret key. Hash functions are the basis
of the protection mechanism of HMACs.
 Only the sender and the receiver know the secret key, and the output of the hash
function now depends on the input data and the secret key. Only parties who have
access to that secret key can compute the digest of an HMAC function. This defeats
man-in-the-middle attacks and provides authentication of the data origin.
 If two parties share a secret key and use HMAC functions for authentication, a properly
constructed HMAC digest of a message that a party has received indicates that the other
party was the originator of the message. This is because the other party possesses the
secret key.
Creating the HMAC Value

 As shown in the figure, the sending device inputs data (such as Terry Smith’s pay of
$100 and the secret key) into the hashing algorithm and calculates the fixed-length
HMAC digest. This authenticated digest is then attached to the message and sent to the
receiver.
Verifying the HMAC Value

 In the figure, the receiving device removes the digest from the message and uses the
plaintext message with its secret key as input into the same hashing function. If the
digest that is calculated by the receiving device is equal to the digest that was sent, the
message has not been altered. Additionally, the origin of the message is authenticated
because only the sender possesses a copy of the shared secret key. The HMAC function
has ensured the authenticity of the message.
Cisco Router HMAC Example

 The figure shows how HMACs are used by Cisco routers that are configured to use
Open Shortest Path First (OSPF) routing authentication.
 R1 is sending a link state update (LSU) regarding a route to network 10.2.0.0/16:
1. R1 calculates the hash value using the LSU message and the secret key.
2. The resulting hash value is sent with the LSU to R2.
3. R2 calculates the hash value using the LSU and its secret key. R2
accepts the update if the hash values match. If they do not match, R2
discards the update.
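
The R1/R2 exchange above, together with the man-in-the-middle point from 16.1.4, as an added example that is not part of the course material. It models the LSU as a constructed byte string and uses Python's hmac module with SHA-256; it is not a real OSPF packet or Cisco's authentication format. The same exchange is run twice: once with a plain hash appended, where an intermediary that alters the message and recomputes the hash is accepted, and once with an HMAC under a pre-shared key, where the altered message is rejected because the intermediary cannot recompute the digest without the key. The shared key and the 10.9.0.0/16 substitution are constructed values.

```python
import hashlib
import hmac
from typing import Tuple

# Pre-shared by R1 and R2 out of band (constructed value for this illustration).
SHARED_KEY = b"constructed-shared-secret-for-R1-and-R2"


def plain_digest(message: bytes) -> bytes:
    """Unkeyed hash: anyone holding the message can compute it."""
    return hashlib.sha256(message).digest()


def hmac_digest(message: bytes, key: bytes) -> bytes:
    """Keyed hash: only holders of the key can compute it."""
    return hmac.new(key, message, hashlib.sha256).digest()


def verify_plain(message: bytes, digest: bytes) -> bool:
    return hmac.compare_digest(plain_digest(message), digest)


def verify_hmac(message: bytes, digest: bytes, key: bytes) -> bool:
    return hmac.compare_digest(hmac_digest(message, key), digest)


def alter_in_transit(message: bytes, digest: bytes, keyed: bool) -> Tuple[bytes, bytes]:
    """The intermediary from the text: change the route in the message. With a plain
    hash it can append a matching digest; without the key it can only forward the
    original digest, which no longer matches the altered message."""
    altered = message.replace(b"10.2.0.0/16", b"10.9.0.0/16")   # constructed change
    if keyed:
        return altered, digest
    return altered, plain_digest(altered)


def ospf_exchange(keyed: bool, altered: bool) -> bool:
    """R1 attaches a digest to its LSU; R2 recomputes it and accepts only on a match.
    Returns True when R2 accepts the update."""
    lsu = b"LSU: route 10.2.0.0/16 via R1"      # constructed message body
    digest = hmac_digest(lsu, SHARED_KEY) if keyed else plain_digest(lsu)
    if altered:
        lsu, digest = alter_in_transit(lsu, digest, keyed)
    if keyed:
        return verify_hmac(lsu, digest, SHARED_KEY)
    return verify_plain(lsu, digest)


if __name__ == "__main__":
    for keyed in (False, True):
        for altered in (False, True):
            print(f"keyed={keyed} altered={altered} accepted={ospf_exchange(keyed, altered)}")
```

The unaltered update is accepted either way; only the keyed run rejects the altered one, which is the integrity-plus-origin guarantee the section attributes to HMAC. compare_digest is used for both checks so the comparison time does not depend on where the digests first differ.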

16.2 KEY MANAGEMENT

16.2.1 CHARACTERISTICS OF KEY MANAGEMENT

 Key management is often considered the most difficult part of designing a
cryptosystem. Many cryptosystems have failed because of mistakes in their key
management, and all modern cryptographic algorithms require key management
procedures. In practice, most attacks on cryptographic systems are aimed at the key
management level, rather than at the cryptographic algorithm itself.
 As shown in the table, there are several essential characteristics of key management to
consider.

Characteristic - Description
Key Generation - It was up to Caesar to choose the key of his cipher. The Vigenère cipher
key is also chosen by the sender and receiver. In a modern cryptographic system, key
generation is usually automated and not left to the end user. Good random number
generators are needed to ensure that all keys are equally likely to be generated, so that
the attacker cannot predict which keys are more likely to be used.
Key Verification - Some keys are better than others. Almost all cryptographic algorithms
have some weak keys that should not be used. With the help of key verification
procedures, weak keys can be identified and regenerated to provide more secure
encryption. With the Caesar cipher, using a key of 0 or 25 does not encrypt the message,
so it should not be used.
Key Exchange - Key management procedures should provide a secure key exchange
mechanism that allows secure agreement on the keying material with the other party,
probably over an untrusted medium.
Key Storage - On a modern multi-user operating system that uses cryptography, a key can
be stored in memory. This presents a possible problem when that memory is swapped to
the disk, because a Trojan horse program installed on the PC of a user could then have
access to the private keys of that user.
Key Lifetime - Using short key lifetimes improves the security of legacy ciphers that are
used on high-speed connections. In IPsec a 24-hour lifetime is typical. However,
changing the lifetime to 30 minutes improves the security of the algorithms.
Key Revocation and Destruction - Revocation notifies all interested parties that a
certain key has been compromised and should no longer be used. Destruction erases old
keys in a manner that prevents malicious attackers from recovering them.

16.2.2 KEY LENGTH AND KEYSPACE

 Two terms that are used to describe keys are:


o Key length - Also called the key size, this is the size of the key measured in bits. In this course,
we will use the term key length.
o Keyspace - This is the number of possible keys that a specific key length allows.
 As key length increases, the keyspace increases exponentially:
o A 2-bit key length = a keyspace of 2^2 = 4, because there are four possible keys
(00, 01, 10, and 11).
o A 3-bit key length = a keyspace of 2^3 = 8, because there are eight possible keys
(000, 001, 010, 011, 100, 101, 110, 111).
o A 4-bit key length = a keyspace of 2^4 = 16 possible keys.
o A 40-bit key length = a keyspace of 2^40 = 1,099,511,627,776 possible keys.
 The table displays the characteristics of the AES encryption algorithm. Notice how AES
uses long key lengths. This dramatically increases the keyspace, and therefore the time it
takes to find the key by exhaustive search.

Characteristic - Description
o Algorithm Full Name - Advanced Encryption Standard
o Timeline - Official standard since 2001
o Type of Algorithm - Symmetric
o Key Size (in bits) - 128, 192, and 256
o Speed - High
o Time to Crack (128-bit key, assuming a computer could try 2^55 keys per second) - 149 trillion years
o Resource Consumption - Low

16.2.3 THE KEYSPACE

 The keyspace of an algorithm is the set of all possible key values. A key that has n bits
produces a keyspace that has 2^n possible key values. By adding one bit to the key, the
keyspace is effectively doubled.
 As shown in the table, DES with its 56-bit keys has a keyspace of more than
72,000,000,000,000,000 (2^56) possible keys. By adding one bit to the key length, the
keyspace doubles, and an attacker needs twice the amount of time to search the
keyspace. Adding an additional bit to a 57-bit key size means that it would now take an
attacker four times the amount of time to search the keyspace. Adding 4 more bits to
56 bits would create a 60-bit key. A 60-bit key would take 16 times longer to crack than
a 56-bit key.

DES Key - Keyspace - Approximate Number of Possible Keys
o 56-bit - 2^56 - ~72,000,000,000,000,000
  11111111 11111111 11111111 11111111 11111111 11111111 11111111
o 57-bit - 2^57 - ~144,000,000,000,000,000
  11111111 11111111 11111111 11111111 11111111 11111111 11111111 1
o 58-bit - 2^58 - ~288,000,000,000,000,000
  11111111 11111111 11111111 11111111 11111111 11111111 11111111 11
o 59-bit - 2^59 - ~576,000,000,000,000,000
  11111111 11111111 11111111 11111111 11111111 11111111 11111111 111
o 60-bit - 2^60 - ~1,152,000,000,000,000,000
  11111111 11111111 11111111 11111111 11111111 11111111 11111111 1111

 Note: Longer keys are more secure; however, they are also more resource intensive.
Caution should be exercised when choosing longer keys because handling them could
add a significant load to the processor in lower-end products.
 Almost every algorithm has some weak keys in its keyspace that enable an attacker to
break the encryption via a shortcut. Weak keys expose regularities in the encryption. For
instance, DES has four keys for which encryption is the same operation as decryption. If
one of these weak keys is used, encrypting the ciphertext a second time with the same key
returns the plaintext, so an attacker who can submit data to the encryptor does not need
a separate decryption oracle.
 The DES weak keys are those that produce 16 identical round subkeys. Ignoring the parity
bit of each byte, this occurs when the 56 effective key bits are all zero, all one, or all zero in
one half and all one in the other. Written with standard odd parity, the four keys are:
o 0101010101010101 (the byte 01 repeated)
o FEFEFEFEFEFEFEFE (the byte FE repeated)
o E0E0E0E0F1F1F1F1
o 1F1F1F1F0E0E0E0E
 It is very unlikely that such keys would be chosen, but network administrators should
still verify all keys that are implemented and prevent weak keys from being used. With
manual key generation, take special care to avoid defining weak keys.
 Note: DES is a legacy encryption algorithm and should not be used. It is used here to
illustrate the concept of keyspace only.
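The key-verification check described above, as an added example that is not part of the course material: a Python routine that normalizes the DES parity bits (so a weak key cannot slip past the check by having its parity bits flipped) and rejects the four weak keys listed, plus the expected exhaustive-search time used in the AES table, which assumes that on average half the keyspace must be tried. The function names and the sample keys are constructed for this illustration; the DES semi-weak keys, which the text does not list, are not covered.

```python
# Key-verification example for the DES weak keys listed in the text.
# Assumed names (not from the course): normalize_des_parity, is_des_weak_key,
# verify_des_key, expected_brute_force_years.

# The four DES weak keys, written with odd parity in the low bit of each byte.
DES_WEAK_KEYS = {
    bytes.fromhex("0101010101010101"),
    bytes.fromhex("FEFEFEFEFEFEFEFE"),
    bytes.fromhex("E0E0E0E0F1F1F1F1"),
    bytes.fromhex("1F1F1F1F0E0E0E0E"),
}


def normalize_des_parity(key: bytes) -> bytes:
    """Return the key with the low bit of every byte set so the byte has odd parity.

    DES ignores the parity bits, so 00 00 ... 00 and 01 01 ... 01 select the
    same 56-bit key.  Normalizing first makes the weak-key comparison cover
    every parity variant of the listed keys.
    """
    if len(key) != 8:
        raise ValueError("a DES key is exactly 8 bytes")
    out = bytearray()
    for b in key:
        b &= 0xFE                       # clear the parity bit
        if bin(b).count("1") % 2 == 0:  # even number of ones: set parity bit
            b |= 0x01
        out.append(b)
    return bytes(out)


def is_des_weak_key(key: bytes) -> bool:
    """True if the 56 effective key bits match one of the four DES weak keys."""
    return normalize_des_parity(key) in DES_WEAK_KEYS


def verify_des_key(key: bytes) -> list:
    """Key-verification step from the key-management table.

    Returns a list of problems; an empty list means the key passed the checks
    made here (length, parity, and the four weak keys).
    """
    if len(key) != 8:
        return ["wrong length: DES keys are 8 bytes"]
    problems = []
    if key != normalize_des_parity(key):
        problems.append("parity bits are not odd parity")
    if is_des_weak_key(key):
        problems.append("weak key: all 16 DES subkeys are identical")
    return problems


def expected_brute_force_years(key_bits: int, keys_per_second: float) -> float:
    """Expected exhaustive-search time: on average 2^(n-1) keys are tried
    before the correct one is found."""
    seconds = (2 ** (key_bits - 1)) / keys_per_second
    return seconds / (365.25 * 24 * 3600)


if __name__ == "__main__":
    # Constructed sample keys: a weak key, its all-zero parity variant, and
    # the classic (non-weak) DES test key.
    for k in ("0101010101010101", "0000000000000000", "0123456789ABCDEF"):
        print(k, verify_des_key(bytes.fromhex(k)))
    print("DES  56-bit at 2^55 keys/s: %.1e years" % expected_brute_force_years(56, 2 ** 55))
    print("AES 128-bit at 2^55 keys/s: %.3e years" % expected_brute_force_years(128, 2 ** 55))
```

The last line reproduces the "149 trillion years" figure from the AES table (2^127 / 2^55 = 2^72 seconds), while the same attacker finishes the DES keyspace in about a second, which is why DES is listed as legacy.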
16.2.4 TYPES OF CRYPTOGRAPHIC KEYS

 Several types of cryptographic keys can be generated:


o Symmetric keys - Can be exchanged between two routers supporting a VPN
o Asymmetric keys - Are used in secure HTTPS applications
o Digital signatures - Are used when connecting to a secure website
o Hash keys - Are used in symmetric and asymmetric key generation, digital
signatures, and other types of applications
 Regardless of the key type, all keys share similar issues. Choosing a suitable key length
is one issue. If the cryptographic system is trustworthy, the only way to break it is with
a brute-force attack. If the keyspace is large enough, the search requires an enormous
amount of time, making such an exhaustive effort impractical. The table summarizes
the key length required to secure data for the indicated amount of time.
Length of Protection - Symmetric Key - Asymmetric Key - Digital Signature - Hash (all lengths in bits)
o 3 years - 80 - 1248 - 160 - 160
o 10 years - 96 - 1776 - 192 - 192
o 20 years - 112 - 2432 - 224 - 224
o 30 years - 128 - 3248 - 256 - 256
o Protection against quantum computers - 256 - 15424 - 512 - 512

 On average, an attacker has to search through half of the keyspace before the correct
key is found. The time that is needed to accomplish this search depends on the
computer power that is available to the attacker.
 Current key lengths make such a search infeasible: when a sufficiently long key is used, an
exhaustive search would take millions or billions of years to complete.
 With modern algorithms that are trusted, the strength of protection depends primarily on
the key length, assuming a sound implementation and sound key management. Choose the
key length so that it protects data confidentiality or integrity for an adequate period of
time. Data that is more sensitive and needs to be kept secret longer must use longer keys.

16.2.5 CHOICE OF CRYPTOGRAPHIC KEYS

 Performance is another issue that can influence the choice of a key length. An
administrator must find a good balance between the speed and protective strength of an
algorithm, because some algorithms, such as the Rivest, Shamir, and Adleman (RSA)
algorithm, run slowly due to large key lengths. Strive for adequate protection, while
enabling communication over untrusted networks.
 The estimated funding of the attacker should also affect the choice of key length. When
assessing the risk of someone breaking the encryption algorithm, estimate the resources
of the attacker and how long the data must be protected. For example, classic DES can
be broken by a $1 million machine in a couple of minutes. If the data that is being
protected is worth significantly more than the $1 million dollars needed to acquire a
cracking device, then another algorithm should be used. In fact, DES is now considered
too weak to use for any application.
 Because of the rapid advances in technology and cryptanalytic methods, the key length
that is needed for a particular application is constantly increasing. Part of the strength of
the RSA algorithm is the difficulty of factoring large numbers. An RSA modulus is the
product of two large primes. Factoring a small number is trivial (12 = 2 x 2 x 3), but no
known classical method can recover the two primes from a 1024-bit product in practical
time, and a 2048-bit modulus is far harder still. Of course, this advantage is lost if an easy
way to factor large numbers is found, but cryptographers consider this possibility unlikely
for classical computers.
 The rule “the longer the key, the better” is valid, except for possible performance
reasons. Shorter keys equal faster processing, but are less secure. Longer keys equal
slower processing, but are more secure.
16.3 CONFIDENTIALITY
16.3.1 DATA CONFIDENTIALITY

 Asymmetric and symmetric encryption are the two classes of encryption used to
provide data confidentiality. These two classes differ in how they use keys.
 Symmetric encryption algorithms such as Data Encryption Standard (DES), 3DES, and
Advanced Encryption Standard (AES) are based on the premise that each
communicating party knows the pre-shared key. Data confidentiality can also be
ensured using asymmetric algorithms, including Rivest, Shamir, and Adleman (RSA)
and the public key infrastructure (PKI).
 Note: DES is a legacy algorithm and should not be used. 3DES should be avoided if
possible.
 The figure highlights some differences between symmetric and asymmetric encryption.

16.3.2 SYMMETRIC ENCRYPTION

 Symmetric algorithms use the same pre-shared key to encrypt and decrypt data. A pre-
shared key, also called a secret key, is known by the sender and receiver before any
encrypted communications can take place.
 To help illustrate how symmetric encryption works, consider an example where Alice
and Bob live in different locations and want to exchange secret messages with one
another through the mail system. In this example, Alice wants to send a secret message
to Bob.
 In the figure, Alice and Bob have identical keys to a single padlock. These keys were
exchanged prior to sending any secret messages. Alice writes a secret message and puts
it in a small box that she locks using the padlock with her key. She mails the box to
Bob. The message is safely locked inside the box as the box makes its way through the
post office system. When Bob receives the box, he uses his key to unlock the padlock
and retrieve the message. Bob can use the same box and padlock to send a secret reply
back to Alice.
 Today, symmetric encryption algorithms are commonly used with VPN traffic. This is
because symmetric algorithms use less CPU resources than asymmetric encryption
algorithms. This allows the encryption and decryption of data to be fast when using a
VPN. When using symmetric encryption algorithms, like any other type of encryption,
the longer the key, the longer it will take for someone to discover the key. Most
encryption keys are between 112 and 256 bits. To ensure that the encryption is safe, a
minimum key length of 128 bits should be used. Use a longer key for more secure
communications.
 Symmetric encryption algorithms are sometimes classified as either a block cipher or a
stream cipher. The two cipher types are described below.
Block Ciphers

 Block ciphers transform a fixed-length block of plaintext into a block of ciphertext of the
same size, commonly 64 or 128 bits. Common block ciphers include DES with a 64-bit
block size and AES with a 128-bit block size.

Stream Ciphers

 Stream ciphers encrypt plaintext one byte or one bit at a time and can be viewed as a
block cipher with a block size of one byte or bit. Stream ciphers are typically faster than
block ciphers because data is encrypted continuously as it arrives. Examples of stream
ciphers include RC4 and A5/1, which is used to encrypt GSM cell phone communications.

 Well-known symmetric encryption algorithms are described in the table.

Symmetric Encryption Algorithm - Description
o Data Encryption Standard (DES) - This is a legacy symmetric encryption algorithm. It uses a short key length (56 bits) that makes it insecure for most current uses.
o 3DES (Triple DES) - This is the replacement for DES and repeats the DES algorithm process three times. It should be avoided if possible, as it is scheduled to be retired in 2023. If implemented, use very short key lifetimes.
o Advanced Encryption Standard (AES) - AES is a popular and recommended symmetric encryption algorithm. It offers a choice of 128-, 192-, or 256-bit keys and always operates on 128-bit data blocks.
o Software-Optimized Encryption Algorithm (SEAL) - SEAL is a faster alternative symmetric encryption algorithm to AES. SEAL is a stream cipher that uses a 160-bit encryption key and has a lower impact on the CPU compared to other software-based algorithms.
o Rivest ciphers (RC) series algorithms - This family was developed by Ron Rivest. Several variations have been developed, but RC4 was the most prevalent in use. RC4 is a stream cipher that was used to secure web traffic. It has been found to have multiple vulnerabilities which have made it insecure. RC4 should not be used.
16.3.3 ASYMMETRIC ENCRYPTION

 Asymmetric algorithms, also called public-key algorithms, are designed so that the key
that is used for encryption is different from the key that is used for decryption, as shown
in the figure. The decryption key cannot, in any reasonable amount of time, be
calculated from the encryption key and vice versa.
 Asymmetric algorithms use a public key and a private key. Both keys are capable of the
encryption process, but the complementary paired key is required for decryption. The
process is also reversible. Data that is encrypted with the public key requires the private
key to decrypt. Asymmetric algorithms achieve confidentiality and authenticity by
using this process.
 Asymmetric keys must be much longer than symmetric keys, because the best known
attacks on the underlying mathematical problems (factoring, discrete logarithms) are far
faster than an exhaustive search of the keyspace. Asymmetric encryption can use key
lengths between 512 and 4,096 bits. Key lengths greater than or equal to 2,048 bits can be
trusted, while key lengths of 1,024 bits or shorter are considered insufficient.
 Examples of protocols that use asymmetric key algorithms include:
o Internet Key Exchange (IKE) - This is a fundamental component of IPsec
VPNs.
o Secure Sockets Layer (SSL) - This is now implemented as the IETF standard
Transport Layer Security (TLS).
o Secure Shell (SSH) - This protocol provides a secure remote access connection
to network devices.
o Pretty Good Privacy (PGP) - This computer program provides cryptographic
privacy and authentication. It is often used to increase the security of email
communications.
 Asymmetric algorithms are substantially slower than symmetric algorithms. Their
design is based on computational problems, such as factoring extremely large numbers
or computing discrete logarithms of extremely large numbers.
 Because they are slow, asymmetric algorithms are typically used in low-volume
cryptographic mechanisms, such as digital signatures and key exchange. However, the
key management of asymmetric algorithms tends to be simpler than symmetric
algorithms, because usually one of the two encryption or decryption keys can be made
public.
 Common examples of asymmetric encryption algorithms are described in the table (key
lengths in bits).

Asymmetric Encryption Algorithm - Key Length - Description
o Diffie-Hellman (DH) - 512, 1024, 2048, 3072, 4096 - The Diffie-Hellman algorithm allows two parties to agree on a key that they can use to encrypt messages they want to send to each other. The security of this algorithm depends on the assumption that it is easy to raise a number to a certain power, but difficult to compute which power was used given the number and the outcome.
o Digital Signature Standard (DSS) and Digital Signature Algorithm (DSA) - 512 - 1024 - DSS specifies DSA as the algorithm for digital signatures. DSA is a public key algorithm based on the ElGamal signature scheme. Signature creation speed is similar to RSA, but verification is 10 to 40 times slower.
o Rivest, Shamir, and Adleman (RSA) - 512 to 2048 - RSA is a public-key cryptosystem that is based on the current difficulty of factoring very large numbers. It was the first algorithm known to be suitable for signing as well as encryption. It is widely used in electronic commerce protocols and is believed to be secure given sufficiently long keys and the use of up-to-date implementations.
o ElGamal - 512 - 1024 - An asymmetric key encryption algorithm for public-key cryptography which is based on the Diffie-Hellman key agreement. A disadvantage of the ElGamal system is that the encrypted message becomes very big, about twice the size of the original message, and for this reason it is only used for small messages such as secret keys.
o Elliptic curve techniques - 224 or higher - Elliptic curve cryptography can be used to adapt many cryptographic algorithms, such as Diffie-Hellman or ElGamal. The main advantage of elliptic curve cryptography is that the keys can be much smaller.
 Note: The key lengths shown are the ranges listed for each algorithm. As stated above, RSA, DH, and DSA keys of 1,024 bits or shorter are no longer considered sufficient.

16.3.4 ASYMMETRIC ENCRYPTION – CONFIDENTIALITY

 Asymmetric algorithms are used to provide confidentiality without pre-sharing a
secret. The confidentiality objective of asymmetric algorithms is initiated when the
encryption process is started with the public key.
 The process can be summarized using the formula:
o Public Key (Encrypt) + Private Key (Decrypt) = Confidentiality
 When the public key is used to encrypt the data, the private key must be used to decrypt
the data. Only one host has the private key; therefore, confidentiality is achieved.
 If the private key is compromised, another key pair must be generated to replace the
compromised key.
 The following steps show how the private and public keys provide confidentiality for the
data exchange between Bob and Alice.
Alice acquires Bob’s public key

 Alice requests and obtains Bob’s public key.


Alice uses the public key

 Alice uses Bob’s public key to encrypt a message using an agreed-upon algorithm.
Alice sends the encrypted message to Bob.
Bob decrypts message with private key
 Bob then uses his private key to decrypt the message. Since Bob is the only one with
the private key, Alice's message can only be decrypted by Bob and thus confidentiality
is achieved.

16.3.5 ASYMMETRIC ENCRYPTION – AUTHENTICATION

 The authentication objective of asymmetric algorithms is initiated when the encryption


process is started with the private key.
 The process can be summarized using the formula:
o Private Key (Encrypt) + Public Key (Decrypt) = Authentication
 When the private key is used to encrypt the data, the corresponding public key must be
used to decrypt the data. Because only one host has the private key, only that host could
have encrypted the message, providing authentication of the sender. Typically, no
attempt is made to preserve the secrecy of the public key, so any number of hosts can
decrypt the message. When a host successfully decrypts a message using a public key, it
is trusted that the private key encrypted the message, which verifies who the sender is.
This is a form of authentication.
 The following steps show how the private and public keys provide authentication for the
data exchange between Bob and Alice.
Alice uses her private key

 Alice encrypts a message using her private key. Alice sends the encrypted message to
Bob. Bob needs to authenticate that the message did indeed come from Alice.
Bob requests the public key

 In order to authenticate the message, Bob requests Alice’s public key.


Bob decrypts using the public key

 Bob uses Alice’s public key to decrypt the message.

16.3.6 ASYMMETRIC ENCRYPTION – INTEGRITY

 Combining the two asymmetric encryption processes provides message confidentiality,


authentication, and integrity.
 The following example will be used to illustrate this process. In this example, a
message will be ciphered using Bob’s public key and a ciphered hash will be encrypted
using Alice’s private key to provide confidentiality, authenticity, and integrity.
Alice uses Bob’s public key

 Alice wants to send a message to Bob ensuring that only Bob can read the document. In
other words, Alice wants to ensure message confidentiality. Alice uses the public key of
Bob to cipher the message. Only Bob will be able to decipher it using his private key.
Alice encrypts a hash using her private key
 Alice also wants to ensure message authentication and integrity. Authentication assures
Bob that the document was sent by Alice, and integrity ensures that it was not modified in
transit. Alice uses her private key to cipher a hash of the message. Alice sends the encrypted
message together with its encrypted hash to Bob.
Bob uses Alice's public key to decrypt the hash

 Bob uses Alice's public key to decrypt the hash, computes his own hash of the message,
and compares the two. If they are equal, the message was not modified. This also verifies
that Alice is definitely the sender of the message, because nobody else has Alice's private
key.
Bob uses his private key to decrypt the message

 Bob uses his private key to decipher the message.

16.3.7 DIFFIE-HELLMAN

 Diffie-Hellman (DH) is an asymmetric mathematical algorithm that allows two


computers to generate an identical shared secret without having communicated before.
The new shared key is never actually exchanged between the sender and receiver.
However, because both parties know it, the key can be used by an encryption algorithm
to encrypt traffic between the two systems.
 Here are two examples of instances when DH is commonly used:
o Data is exchanged using an IPsec VPN
o SSH data is exchanged
 To help illustrate how DH operates, refer to the figure.
 The colors in the figure will be used instead of complex long numbers to simplify the
DH key agreement process. The DH key exchange begins with Alice and Bob agreeing
on an arbitrary common color that does not need to be kept secret. The agreed-on color
in our example is yellow.
 Next, Alice and Bob will each select a secret color. Alice chose red while Bob chose
blue. These secret colors will never be shared with anyone. The secret color represents
the chosen secret private key of each party.
 Alice and Bob now mix the shared common color (yellow) with their respective secret
color to produce a public color. Therefore, Alice will mix the yellow with her red color
to produce a public color of orange. Bob will mix the yellow and the blue to produce a
public color of green.
 Alice sends her public color (orange) to Bob and Bob sends his public color (green) to
Alice.
 Alice and Bob each mix the color they received with their own, original secret color
(Red for Alice and blue for Bob.). The result is a final brown color mixture that is
identical to the partner’s final color mixture. The brown color represents the resulting
shared secret key between Bob and Alice.
 The security of DH is based on the fact that it uses very large numbers in its
calculations. For example, a DH 1024-bit number is roughly equal to a decimal number
of 309 digits. Considering that a billion is 10 decimal digits (1,000,000,000), one can
easily imagine the complexity of working with not one, but multiple 309-digit decimal
numbers.
 Diffie-Hellman uses numbered DH groups to set the strength of the key agreement. Higher
group numbers use larger moduli and are more secure, but require additional time to
compute the key. The following are the MODP groups supported by Cisco IOS Software
and their modulus sizes:
o DH Group 1: 768 bits
o DH Group 2: 1024 bits
o DH Group 5: 1536 bits
o DH Group 14: 2048 bits
o DH Group 15: 3072 bits
o DH Group 16: 4096 bits
 Groups 1 and 2 use moduli of 1024 bits or less, which the previous section classed as
insufficient; prefer group 14 or higher.
 Note: A DH key agreement can also be based on elliptic curve cryptography. DH groups 19
(256-bit) and 20 (384-bit) are elliptic curve groups, and group 24 is a 2048-bit MODP
group with a 256-bit prime-order subgroup; all three are also supported by Cisco IOS
Software.
 Unfortunately, asymmetric key systems are extremely slow for any sort of bulk
encryption. This is why it is common to encrypt the bulk of the traffic using a
symmetric algorithm, such as 3DES or AES and use the DH algorithm to create keys
that will be used by the encryption algorithm.
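The colour exchange above expressed in numbers, as an added example that is not part of the course material: a Python implementation of the DH agreement (standard library only) in which the agreed colour is the pair (p, g), each secret colour is a random exponent, each public colour is g^secret mod p, and the final brown mixture is the shared secret that both sides hash into a 128-bit symmetric key. It also shows what the eavesdropper has to do, a discrete logarithm, and solves it with baby-step giant-step to show why a small group offers no protection. The group constants `TOY_P`/`TOY_G` (23 and 5) and `P31`/`G31` (2^31 - 1 with generator 7) and the function names are constructed for this illustration, and the SHA-256 key derivation is a simplified stand-in for the PRF that IKE actually uses, not Cisco's or IKE's code.

```python
import hashlib
import math
import random

# Assumed group constants, not from the course.  TOY_P/TOY_G is a tiny group
# for tracing the exchange by hand; P31 is the prime 2^31 - 1 with generator 7
# (the Park-Miller constants).  Both are far too small for real use: IPsec
# uses DH group 14 (2048-bit MODP) or larger, or an elliptic curve group.
TOY_P, TOY_G = 23, 5
P31, G31 = 2 ** 31 - 1, 7


def dh_keypair(p: int, g: int, rng=None):
    """Pick a secret exponent (the 'secret colour') and return (secret, public),
    where public = g^secret mod p is the 'public colour' sent over the wire."""
    rng = rng or random.SystemRandom()
    secret = rng.randrange(2, p - 1)
    return secret, pow(g, secret, p)


def dh_shared_secret(p: int, their_public: int, my_secret: int) -> int:
    """Mix the colour received with my own secret colour: their_public^my_secret mod p."""
    return pow(their_public, my_secret, p)


def derive_symmetric_key(shared: int, p: int) -> bytes:
    """The shared secret itself is never transmitted; both sides hash it into a
    128-bit key for the bulk symmetric cipher.  Simplified stand-in for IKE's PRF."""
    width = (p.bit_length() + 7) // 8
    return hashlib.sha256(shared.to_bytes(width, "big")).digest()[:16]


def dh_exchange(p: int, g: int, rng=None):
    """Both sides of the exchange.  Returns what an eavesdropper sees (p, g, A, B)
    and the key each side derived; the two keys must be identical."""
    a, A = dh_keypair(p, g, rng)   # Alice: red  -> orange
    b, B = dh_keypair(p, g, rng)   # Bob:   blue -> green
    k_alice = derive_symmetric_key(dh_shared_secret(p, B, a), p)  # green + red
    k_bob = derive_symmetric_key(dh_shared_secret(p, A, b), p)    # orange + blue
    return (p, g, A, B), k_alice, k_bob


def discrete_log(p: int, g: int, h: int):
    """Baby-step giant-step: find x with g^x = h (mod p) in about sqrt(p) work.
    This is the eavesdropper's problem; it is only feasible because p is small."""
    m = math.isqrt(p) + 1
    baby = {}
    cur = 1
    for j in range(m):                 # baby steps: g^0 .. g^(m-1)
        baby.setdefault(cur, j)
        cur = cur * g % p
    giant_step = pow(g, -m, p)         # g^(-m)
    gamma = h
    for i in range(m):                 # giant steps: h * g^(-i*m)
        if gamma in baby:
            return i * m + baby[gamma]
        gamma = gamma * giant_step % p
    return None


def eavesdropper_recovers_key(p, g, A, B) -> bytes:
    """Recover Alice's secret exponent from her public value, then derive the
    same key the two parties derived."""
    a = discrete_log(p, g, A)
    return derive_symmetric_key(dh_shared_secret(p, B, a), p)


if __name__ == "__main__":
    seen, k_alice, k_bob = dh_exchange(TOY_P, TOY_G)
    print("on the wire:", seen)
    print("keys match:", k_alice == k_bob, "eavesdropper key matches:",
          eavesdropper_recovers_key(*seen) == k_alice)
```

With the toy group and the secrets 6 (Alice) and 15 (Bob), the public values are 5^6 mod 23 = 8 and 5^15 mod 23 = 19, and both sides arrive at 19^6 mod 23 = 8^15 mod 23 = 2. Baby-step giant-step recovers the 31-bit secret in a few tens of thousands of steps; the cost grows with the square root of the group size, which is why the group lists above stop being acceptable well below 2048 bits.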

16.4. BASIC INTEGRITY AND AUTHENTICITY SUMMARY


16.4.1 WHAT DID I LEARN IN THIS MODULE?
Integrity and Authenticity

 These are the four elements of secure communications: data integrity, origin
authentication, data confidentiality, and data non-repudiation. Cryptography can be
used almost anywhere that there is data communication. Hashes are used to verify and
ensure data integrity. Hashing is based on a one-way mathematical function that is
relatively easy to compute, but significantly harder to reverse. The cryptographic
hashing function can also be used to verify authentication. A hash function takes a
variable block of binary data, called the message, and produces a fixed-length,
condensed representation, called the hash. The resulting hash is also sometimes called
the message digest, digest, or digital fingerprint. Mathematically, the equation h=
H(x) is used to explain how a hash algorithm operates. A hash function H takes an
input x and returns a fixed-size string hash value h. A cryptographic hash function
should have the following properties:
o The input can be any length.
o The output has a fixed length.
o H(x) is relatively easy to compute for any given x.
o H(x) is one way and not reversible.
o H(x) is collision free, meaning that two different input values will result in
different hash values.
 The four well-known hash functions are MD5 with 128 bit digest, SHA-1, SHA-2, and
SHA-3. While hashing can be used to detect accidental changes, it cannot be used to
guard against deliberate changes that are made by a threat actor in a man-in-the-middle
attack. Origin authentication is also required to provide protection.
 To add origin authentication and integrity assurance, use a keyed-hash message
authentication code (HMAC). HMAC uses an additional secret key as input to the hash
function. Other Message Authentication Code (MAC) methods are also used. However,
HMAC is used in many systems including SSL, IPsec, and SSH.

Key Management

 Key management is often considered the most difficult part of designing a


cryptosystem. Most attacks on cryptographic systems are aimed at the key management
level, rather than at the cryptographic algorithm itself.
 The essential characteristics of key management are key generation, key verification,
key exchange, key storage, key lifetime, and key revocation and destruction.
 Two terms that are used to describe keys are key length and keyspace. As key length
increases, the keyspace increases exponentially.
 The keyspace of an algorithm is the set of all possible key values. A key that has n bits
produces a keyspace that has 2^n possible key values. By adding one bit to the key, the
keyspace is effectively doubled. Almost every algorithm has some weak keys in its
keyspace that enable an attacker to break the encryption via a shortcut. Weak keys show
the regularities in encryption.
 Several types of cryptographic keys that can be generated include symmetric keys,
asymmetric keys, digital signatures, and hash keys. With modern algorithms that are
trusted, the strength of protection depends primarily on the length of the key.
 Choose the key length so that it protects data confidentiality or integrity for an adequate
period of time. Data that is more sensitive and needs to be kept secret longer must use
longer keys.
 Performance is another issue that can influence the choice of a key length. An
administrator must find a good balance between the speed and protective strength of an
algorithm, because some algorithms, such as the Rivest, Shamir, and Adleman (RSA)
algorithm, run slowly due to large key lengths.
Confidentiality

 There are two classes of encryption used to provide data confidentiality: asymmetric
and symmetric. These two classes differ in how they use keys.
 Symmetric encryption algorithms such as Data Encryption Standard (DES), 3DES, and
Advanced Encryption Standard (AES) are based on the premise that each
communicating party knows the pre-shared key. Data confidentiality can also be
ensured using asymmetric algorithms, including Rivest, Shamir, and Adleman (RSA)
and the public key infrastructure (PKI).
 Symmetric algorithms use the same pre-shared key to encrypt and decrypt data. A pre-
shared key, also called a secret key, is known by the sender and receiver before any
encrypted communications can take place. Symmetric encryption algorithms are
commonly used with VPN traffic because symmetric algorithms use less CPU resources
than asymmetric encryption algorithms. To ensure that the encryption is safe, a
minimum key length of 128 bits should be used. Use a longer key for more secure
communications.
 Symmetric encryption algorithms are sometimes classified as either a block cipher or a
stream cipher.
o Block ciphers transform a fixed-length block of plaintext into a common block
of ciphertext of 64 or 128 bits.
o Stream ciphers encrypt plaintext one byte or one bit at a time. Stream ciphers
are basically a block cipher with a block size of one byte or bit. Stream ciphers
are typically faster than block ciphers because data is continuously encrypted.
 Asymmetric algorithms, also called public-key algorithms, are designed so that the key
that is used for encryption is different from the key that is used for decryption.
Asymmetric encryption can use key lengths between 512 to 4,096 bits. Key lengths
greater than or equal to 2,048 bits can be trusted, while key lengths of 1,024 or shorter
are considered insufficient. Examples of protocols that use asymmetric key algorithms
include Internet Key Exchange (IKE), Secure Sockets Layer (SSL), Secure Shell (SSH),
and Pretty Good Privacy (PGP). The process can be summarized using the formula:
Private Key (Encrypt) + Public Key (Decrypt) = Authentication. Diffie-Hellman (DH)
is an asymmetric mathematical algorithm that allows two computers to generate an
identical shared secret without having communicated before. The new shared key is
never actually exchanged between the sender and receiver. DH is commonly used when
data is exchanged using an IPsec VPN and SSH data is exchanged.
MODULE 18
18.1 VPN OVERVIEW
18.1.1 VIRTUAL PRIVATE NETWORKS

 To secure network traffic between sites and users, organizations use virtual private
networks (VPNs) to create end-to-end private network connections. A VPN is virtual in
that it carries information within a private network, but that information is actually
transported over a public network. A VPN is private in that the traffic is encrypted to
keep the data confidential while it is transported across the public network.
 The figure shows a collection of various types of VPNs managed by an enterprise’s
main site. The tunnel enables remote sites and users to access the main site’s network
resources securely.
 The first types of VPNs were strictly IP tunnels that did not include authentication or
encryption of the data. For example, Generic Routing Encapsulation (GRE) is a
tunnelling protocol developed by Cisco and which does not include encryption services.
It is used to encapsulate IPv4 and IPv6 traffic inside an IP tunnel to create a virtual
point-to-point link.

18.1.2 VPN BENEFITS

 Modern VPNs now support encryption features, such as Internet Protocol Security
(IPsec) and Secure Sockets Layer (SSL) to secure network traffic between sites.
 Major benefits of VPNs are shown in the table.

Benefit - Description
o Cost Savings - With the advent of cost-effective, high-bandwidth technologies, organizations can use VPNs to reduce their connectivity costs while simultaneously increasing remote connection bandwidth.
o Security - VPNs use strong encryption and authentication protocols to protect data from unauthorized access while it crosses an untrusted network.
o Scalability - VPNs allow organizations to use the internet, making it easy to add new users without adding significant infrastructure.
o Compatibility - VPNs can be implemented across a wide variety of WAN link options including all the popular broadband technologies. Remote workers can take advantage of these high-speed connections to gain secure access to their corporate networks.
18.2 VPN TOPOLOGIES
18.2.1 SITE-TO-SITE AND REMOTE-ACCESS VPNs

 VPNs are commonly deployed in one of the following configurations: site-to-site or


remote-access.
Site-to-Site VPN

 A site-to-site VPN is created when VPN terminating devices, also called VPN
gateways, are preconfigured with information to establish a secure tunnel. VPN traffic
is only encrypted between these devices. Internal hosts have no knowledge that a VPN
is being used.
Remote-Access VPN

 A remote-access VPN is dynamically created to establish a secure connection between a


client and a VPN terminating device. For example, a remote access SSL VPN is used
when you check your banking information online.

18.2.2 REMOTE-ACCESS VPNs

 In the previous topic you learned about the basics of a VPN. Here you will learn about
the types of VPNs.
 VPNs have become the logical solution for remote-access connectivity for many
reasons. As shown in the figure, remote-access VPNs let remote and mobile users
securely connect to the enterprise by creating an encrypted tunnel. Remote users can
securely replicate their enterprise security access including email and network
applications. Remote-access VPNs also allow contractors and partners to have limited
access to the specific servers, web pages, or files as required. This means that these
users can contribute to business productivity without compromising network security.
 Remote-access VPNs are typically enabled dynamically by the user when required.
Remote access VPNs can be created using either IPsec or SSL. As shown in the figure,
a remote user must initiate a remote access VPN connection.
 The figure displays two ways that a remote user can initiate a remote access VPN
connection: clientless VPN and client-based VPN.

18.2.3 SSL VPNs

 When a client negotiates an SSL VPN connection with the VPN gateway, it actually
connects using Transport Layer Security (TLS). TLS is the newer version of SSL and is
sometimes expressed as SSL/TLS. However, both terms are often used interchangeably.
 SSL uses the public key infrastructure and digital certificates to authenticate peers. Both
IPsec and SSL VPN technologies offer access to virtually any network application or
resource. However, when security is an issue, IPsec is the superior choice. If support
and ease of deployment are the primary issues, consider SSL. The type of VPN method
implemented is based on the access requirements of the users and the organization’s IT
processes. The table compares IPsec and SSL remote access deployments.

Feature IPsec SSL
o Applications supported - IPsec: Extensive (all IP-based applications are supported).
SSL: Limited (only web-based applications and file sharing are supported).
o Authentication strength - IPsec: Strong (uses two-way authentication with shared keys
or digital certificates). SSL: Moderate (using one-way or two-way authentication).
o Encryption strength - IPsec: Strong (uses key lengths from 56 bits to 256 bits).
SSL: Moderate to strong (with key lengths from 40 bits to 256 bits).
o Connection complexity - IPsec: Medium (because it requires a VPN client pre-installed
on a host). SSL: Low (it only requires a web browser on a host).
o Connection option - IPsec: Limited (only specific devices with specific configurations
can connect). SSL: Extensive (any device with a web browser can connect).

 It is important to understand that IPsec and SSL VPNs are not mutually exclusive.
Instead, they are complementary; both technologies solve different problems, and an
organization may implement IPsec, SSL, or both, depending on the needs of its
telecommuters.

18.2.4 SITE-TO-SITE IPsec VPNs

 Site-to-site VPNs are used to connect networks across another untrusted network such
as the internet. In a site-to-site VPN, end hosts send and receive normal unencrypted
TCP/IP traffic through a VPN-terminating device. The VPN-terminating device is
typically called a VPN gateway. A VPN gateway device could be a router or a firewall,
as shown in the figure. For example, the Cisco Adaptive Security Appliance (ASA)
shown on the right side of the figure is a standalone firewall device that combines
firewall, VPN concentrator, and intrusion prevention functionality into one software
image.
 The VPN gateway encapsulates and encrypts outbound traffic. It then sends the traffic
through a VPN tunnel over the internet to a VPN gateway at the target site. Upon
receipt, the receiving VPN gateway strips the headers, decrypts the content, and relays
the packet toward the target host inside its private network.
 Site-to-site VPNs are typically created and secured using IP security (IPsec).

18.3 IPsec OVERVIEW

18.3.1 VIDEO – IPsec CONCEPTS
18.3.2 IPsec TECHNOLOGIES

 IPsec is an IETF standard (RFC 2401-2412) that defines how a VPN can be secured
across IP networks. IPsec protects and authenticates IP packets between source and
destination. IPsec can protect traffic from Layer 4 through Layer 7.
 Using the IPsec framework, IPsec provides these essential security functions:
o Confidentiality - IPsec uses encryption algorithms to prevent cybercriminals
from reading the packet contents.
o Integrity - IPsec uses hashing algorithms to ensure that packets have not been
altered between source and destination.
o Origin authentication - IPsec uses the Internet Key Exchange (IKE) protocol
to authenticate source and destination. Methods of authentication include the
use of pre-shared keys (passwords), digital certificates, or RSA certificates.
o Diffie-Hellman - Secure key exchange typically using various groups of the
DH algorithm.
 IPsec is not bound to any specific rules for secure communications. This flexibility of
the framework allows IPsec to easily integrate new security technologies without
updating the existing IPsec standards. The currently available technologies are aligned
to their specific security function. The open slots shown in the IPsec framework in the
figure can be filled with any of the choices that are available for that IPsec function to
create a unique security association (SA).
 The security functions are listed in the table.

IPsec Function Description
o IPsec Protocol - The choices for IPsec Protocol include Authentication Header (AH)
or Encapsulation Security Protocol (ESP). AH authenticates the Layer 3 packet. ESP
encrypts the Layer 3 packet. Note: ESP+AH is rarely used as this combination will not
successfully traverse a NAT device.
o Confidentiality - Encryption ensures confidentiality of the Layer 3 packet. Secure
choices include Advanced Encryption Standard (AES) or Software-Optimized Encryption
Algorithm (SEAL). Legacy algorithms that should be avoided include Data Encryption
Standard (DES) and Triple DES (3DES).
o Integrity - Integrity ensures that data arrives unchanged at the destination by using a
hash algorithm. Examples include Secure Hash Algorithm (SHA) and message-digest 5
(MD5). MD5 is insecure and should be avoided. There are several versions of SHA.
SHA-1 is the original version and should be avoided. Instead, SHA-256 is recommended
to protect sensitive information. SHA-384 and SHA-512 are required to protect
classified information of higher importance.
o Authentication - IPsec uses Internet Key Exchange (IKE) to authenticate users and
devices that can carry out communication independently. IKE uses several types of
authentication, including username and password, one-time password, biometrics,
pre-shared keys (PSKs), and digital certificates using the Rivest, Shamir, and Adleman
(RSA) algorithm.
o Diffie-Hellman - IPsec uses the DH algorithm to provide a public key exchange method
for two peers to establish a shared secret key. There are several DH algorithm groups to
choose from. However, do not use DH groups 1, 2 and 5 as they are no longer
recommended. Instead, DH groups 14, 15, or 16 are considered secure and the Elliptic
Curve DH groups 19, 20, 21, and 24 are considered to be the most secure.

 The figure shows examples of SAs for two different implementations. An SA is the
basic building block of IPsec. When establishing a VPN link, the peers must share the
same SA to negotiate key exchange parameters, establish a shared key, authenticate
each other, and negotiate the encryption parameters. Notice that SA Example 1 is using
no encryption.

18.3.3 IPsec PROTOCOL ENCAPSULATION

 Choosing the IPsec protocol encapsulation is the first building block of the framework.
IPsec encapsulates packets using Authentication Header (AH) or Encapsulation
Security Protocol (ESP). The choice of AH or ESP establishes which other building
blocks are available.

18.3.4 CONFIDENTIALITY

 Confidentiality is achieved by encrypting the data, as shown in the figure. The degree of
confidentiality depends on the encryption algorithm and the length of the key used in
the encryption algorithm. If someone tries to hack the key through a brute-force attack,
the number of possibilities to try is a function of the length of the key. The time to
process all the possibilities is a function of the computer power of the attacking device.
The shorter the key, the easier it is to break. A 64-bit key can take approximately one
year to break with a relatively sophisticated computer. A 128-bit key with the same
machine can take roughly 10^19 or 10 quintillion years to decrypt.

 The encryption algorithms highlighted in the figure are all symmetric key
cryptosystems.

18.3.5 INTEGRITY

 Data integrity means that the data that is received is exactly the same data that was sent.
Potentially, data could be intercepted and modified. For example, in the figure, assume
that a check for $100 is written to Alex. The check is then mailed to Alex, but it is
intercepted by a threat actor. The threat actor changes the name on the check to Jeremy
and the amount on the check to $1,000 and attempts to cash it. Depending on the quality
of the forgery in the altered check, the attacker could be successful.

 Because VPN data is transported over the public internet, a method of proving data
integrity is required to guarantee that the content has not been altered. A hashing
algorithm guarantees the integrity of the message using a hash value. The figure
highlights the two most common hashing algorithms.
 Note: Cisco now rates SHA-1 as legacy and recommends at least SHA-256 for
integrity.

18.3.6 AUTHENTICATION

 When conducting business long distance, you must know who is at the other end of the
phone, email, or fax. The same is true of VPN networks. The device on the other end of
the VPN tunnel must be authenticated before the communication path is considered
secure. The figure highlights the two peer authentication methods.

 The figure shows an example of PSK authentication. At the local device, the
authentication key and the identity information are sent through a hash algorithm to
form the hash for the local peer (Hash_L). One-way authentication is established by
sending Hash_L to the remote device. If the remote device can independently create the
same hash, the local device is authenticated. After the remote device authenticates the
local device, the authentication process begins in the opposite direction, and all steps
are repeated from the remote device to the local device.

 The figure below shows an example of RSA authentication. At the local device, the
authentication key and identity information are sent through the hash algorithm to form
the hash for the local peer (Hash_L). Then the Hash_L is encrypted using the local
device’s private encryption key. This creates a digital signature. The digital signature
and a digital certificate are forwarded to the remote device. The public encryption key
for decrypting the signature is included in the digital certificate. The remote device
verifies the digital signature by decrypting it using the public encryption key. The result
is Hash_L. Next, the remote device independently creates Hash_L from stored
information. If the calculated Hash_L equals the decrypted Hash_L, the local device is
authenticated. After the remote device authenticates the local device, the authentication
process begins in the opposite direction and all steps are repeated from the remote
device to the local device.
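A toy model of the PSK exchange just described, added here as an illustration (it is not code from the course or from any Cisco product): each peer sends a keyed hash of its identity (Hash_L), the other side recomputes it from its own copy of the PSK and compares, and the reverse direction runs only after the first succeeds. Real IKE also binds nonces and the DH exchange into this hash; that is omitted, and the peer identities and PSK are constructed values.

```python
import hashlib
import hmac

# Constructed example: a toy model of IKE pre-shared-key peer authentication.
# Hash_L = keyed hash over (PSK, identity). HMAC-SHA256 stands in for the
# hash algorithm negotiated in the ISAKMP policy.

def peer_hash(psk, identity):
    """Hash_L for one peer: keyed hash over that peer's identity."""
    return hmac.new(psk, identity.encode(), hashlib.sha256).digest()

def verify_peer(psk, expected_identity, received_hash):
    """Remote side: independently recreate the hash from its own PSK and the
    identity it expects, then compare in constant time."""
    return hmac.compare_digest(peer_hash(psk, expected_identity), received_hash)

def mutual_psk_auth(local_id, local_psk, remote_id, remote_psk):
    """Run the exchange in both directions.

    Returns (local_authenticated, remote_authenticated). The reverse direction
    is attempted only after the remote peer has authenticated the local one,
    matching the order described in the text.
    """
    hash_l = peer_hash(local_psk, local_id)            # sent to the remote device
    local_ok = verify_peer(remote_psk, local_id, hash_l)
    if not local_ok:
        return (False, False)
    hash_r = peer_hash(remote_psk, remote_id)          # remote replies in kind
    remote_ok = verify_peer(local_psk, remote_id, hash_r)
    return (local_ok, remote_ok)

# Constructed sample: the XYZCORP peer addresses serve as identities.
R1, R2 = "172.30.2.1", "172.30.2.2"
PSK = b"constructed-psk"

if __name__ == "__main__":
    print(mutual_psk_auth(R1, PSK, R2, PSK))           # (True, True)
    print(mutual_psk_auth(R1, PSK, R2, b"mismatch"))   # (False, False)
```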

18.3.7 SECURE KEY EXCHANGE WITH DIFFIE-HELLMAN

 Encryption algorithms require a symmetric, shared secret key to perform encryption and
decryption. How do the encrypting and decrypting devices get the shared secret key?
The easiest key exchange method is to use a public key exchange method, such as
Diffie-Hellman (DH), as shown in the figure.
 DH provides a way for two peers to establish a shared secret key that only they know,
even though they are communicating over an insecure channel. Variations of the DH
key exchange are specified as DH groups:
o DH groups 1, 2, and 5 should no longer be used. These groups support a key
size of 768 bits, 1024 bits, and 1536 bits, respectively.
o DH groups 14, 15, and 16 use larger key sizes with 2048 bits, 3072 bits, and
4096 bits, respectively, and are recommended for use until 2030.
o DH groups 19, 20, 21 and 24 with respective key sizes of 256 bits, 384 bits, 521
bits, and 2048 bits support Elliptic Curve Cryptography (ECC), which
reduces the time needed to generate keys. DH group 24 is the preferred next
generation encryption.
 The DH group you choose must be strong enough, or have enough bits, to protect the
IPsec keys during negotiation. For example, if you choose AES 128-bit key, use group
14, 19, 20 or 24. However, if you choose AES-256 or higher, use the DH group 21 or
24.

18.3.8 VIDEO – IPsec TRANSPORT AND TUNNEL MODES

18.4 IPsec PROTOCOLS

18.4.1 IPsec PROTOCOL OVERVIEW

 The two main IPsec protocols are Authentication Header (AH) and Encapsulation
Security Protocol (ESP). The IPsec protocol is the first building block of the
framework. The choice of AH or ESP establishes which other building blocks are
available.
 AH uses IP protocol 51 and is appropriate only when confidentiality is not required or
permitted. It provides data authentication and integrity, but it does not provide data
confidentiality (encryption). All text is transported unencrypted.
 ESP uses IP protocol 50 and provides both confidentiality and authentication. It
provides confidentiality by performing encryption on the IP packet. ESP provides
authentication for the inner IP packet and ESP header. Authentication provides data
origin authentication and data integrity. Although both encryption and authentication
are optional in ESP, at a minimum, one of them must be selected.

18.4.2 AUTHENTICATION HEADER

 AH achieves authenticity by applying a keyed one-way hash function to the packet to
create a hash or message digest. The hash is combined with the text and is transmitted
in plaintext, as shown in the figure. The receiver detects changes in any part of the
packet that occur during transit by performing the same one-way hash function on the
received packet and comparing the result to the value of the message digest that the
sender supplied. Authenticity is assured because the one-way hash also employs a
shared secret key between the two systems.
 The AH function is applied to the entire packet, except for any IP header fields that
normally change in transit. Fields that normally change during transit are called mutable
fields. For example, the Time to Live (TTL) field is considered mutable because routers
modify this field.
 The AH process occurs in this order:
o 1. The IP header and data payload are hashed using the shared secret key.
o 2. The hash builds a new AH header, which is inserted into the original packet,
as shown in the figure below.
o 3. The new packet is transmitted to the IPsec peer router.
o 4. The peer router hashes the IP header and data payload using the shared secret
key, extracts the transmitted hash from the AH header, and compares the two
hashes, as shown in the figure below.
 The hashes must match exactly. If one bit is changed in the transmitted packet, the hash
output on the received packet changes and the AH header will not match.
 AH supports MD5 and SHA algorithms. AH may not work if the environment uses
NAT.
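A toy model of the four AH steps above, added here as an illustration (not code from the course or from any Cisco product): the sender hashes the IP header and payload with the shared key, a transit router decrements TTL, and the peer recomputes the hash. Because TTL and the header checksum are treated as mutable and zeroed before hashing, the hop does not break verification, while a changed payload, a changed destination address, or a different key does. The header layout is a minimal IPv4 header with no options, and the key, addresses and payload are constructed values.

```python
import hashlib
import hmac
import ipaddress
import struct

# Constructed example: AH-style integrity check. The AH ICV is modelled as a
# single field carrying an HMAC-SHA256 over the header (mutable fields zeroed)
# and the payload; real AH also covers the AH header itself with the ICV
# field zeroed, which is omitted here.

MUTABLE_FIELDS = ("ttl", "checksum")   # rewritten by routers in transit

def pack_ipv4_header(hdr):
    """Serialize a minimal (no options) IPv4 header dict into its 20 bytes."""
    return struct.pack(
        "!BBHHHBBH4s4s",
        (4 << 4) | 5,                 # version 4, IHL 5 (20-byte header)
        hdr.get("tos", 0),
        hdr["total_length"],
        hdr.get("id", 0),
        hdr.get("flags_frag", 0),
        hdr["ttl"],
        hdr["protocol"],
        hdr["checksum"],
        ipaddress.IPv4Address(hdr["src"]).packed,
        ipaddress.IPv4Address(hdr["dst"]).packed,
    )

def ah_icv(key, hdr, payload):
    """Integrity Check Value: keyed hash over the header with mutable fields
    zeroed, followed by the payload. The shared secret key is what turns a
    plain hash into data-origin authentication."""
    immutable = dict(hdr)
    for field in MUTABLE_FIELDS:
        immutable[field] = 0
    return hmac.new(key, pack_ipv4_header(immutable) + payload, hashlib.sha256).digest()

def ah_send(key, hdr, payload):
    """Steps 1-3: hash header and payload with the shared key and carry the
    result in the packet as the AH header (modelled as one field)."""
    return {"ip": dict(hdr), "ah_icv": ah_icv(key, hdr, payload), "payload": payload}

def ah_verify(key, packet):
    """Step 4: the peer recomputes the hash over the received packet and
    compares it with the transmitted one (constant-time compare)."""
    expected = ah_icv(key, packet["ip"], packet["payload"])
    return hmac.compare_digest(expected, packet["ah_icv"])

def transit_router(packet):
    """A router on the path decrements TTL (a mutable field); the ICV is
    unaffected because TTL was zeroed when it was computed."""
    forwarded = {"ip": dict(packet["ip"]), "ah_icv": packet["ah_icv"],
                 "payload": packet["payload"]}
    forwarded["ip"]["ttl"] -= 1
    return forwarded

def modified(packet, **ip_fields):
    """Copy of the packet with IP header fields changed (simulated tampering)."""
    changed = {"ip": dict(packet["ip"]), "ah_icv": packet["ah_icv"],
               "payload": packet["payload"]}
    changed["ip"].update(ip_fields)
    return changed

# Constructed sample: AH (IP protocol 51) between the two XYZCORP gateways.
SHARED_KEY = b"constructed-shared-secret"
PAYLOAD = b"pay 100 Alex"
HEADER = {"src": "172.30.2.1", "dst": "172.30.2.2", "ttl": 64, "protocol": 51,
          "checksum": 0, "total_length": 20 + len(PAYLOAD)}

def demo():
    """Returns verdicts for: one router hop, altered payload, altered
    destination address, and wrong shared key."""
    pkt = transit_router(ah_send(SHARED_KEY, HEADER, PAYLOAD))
    return (
        ah_verify(SHARED_KEY, pkt),
        ah_verify(SHARED_KEY, {**pkt, "payload": b"pay 1000 Jeremy"}),
        ah_verify(SHARED_KEY, modified(pkt, dst="172.30.2.9")),
        ah_verify(b"some-other-key", pkt),
    )

if __name__ == "__main__":
    print(demo())   # (True, False, False, False)
```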

18.4.3 ENCAPSULATION SECURITY PROTOCOL

 If ESP is selected as the IPsec protocol, an encryption algorithm must also be selected.
Cisco products support 3DES, AES, and SEAL. However, 3DES should be avoided. If
3DES must be implemented, then configure short key lifetimes.
 ESP can also provide integrity and authentication. First, the payload is encrypted. Next,
the encrypted payload is sent through a hash algorithm, such as SHA-256 or higher. The
hash provides authentication and data integrity for the data payload. Note that MD5 and
SHA-1 should be avoided.
 Optionally, ESP can also enforce anti-replay protection. Anti-replay protection verifies
that each packet is unique and is not duplicated. This protection ensures that a hacker
cannot intercept packets and insert changed packets into the data stream. Anti-replay
works by keeping track of packet sequence numbers and using a sliding window on the
destination end.
 When a connection is established between a source and destination, their counters are
initialized at zero. Each time a packet is sent, a sequence number is appended to the
packet by the source. The destination uses the sliding window to determine which
sequence numbers are expected. The destination verifies that the sequence number of
the packet is not duplicated and is received in the correct order.
 For example, if the sliding window on the destination is set to one, the destination is
expecting to receive the packet with the sequence number one. After it is received, the
sliding window moves to two. When detection of a replayed packet occurs, such as the
destination receiving a second packet with the sequence number of one, an error
message is sent, the replayed packet is discarded, and the event is logged.
 Anti-replay is typically used in ESP, but it is also supported in AH.
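
The sliding-window check described above, added here as an illustration (not code from the course or from any Cisco product): the destination tracks the highest sequence number accepted and a bitmap of which recent numbers it has already seen, rejects and logs duplicates or packets that fall behind the window, and accepts late-but-new packets inside it. It reproduces the text's window-of-one case and also runs the 64-packet window that is the usual default, which goes beyond the single case in the text. Sequence numbers are plain integers here; real ESP uses a 32-bit (or extended 64-bit) counter and rekeys before it wraps.

```python
# Constructed example: ESP-style anti-replay sliding window on the receiver.

class AntiReplayWindow:
    def __init__(self, window_size=64):
        if window_size < 1:
            raise ValueError("window size must be at least 1")
        self.window_size = window_size
        self.highest = 0      # counters start at zero; the first packet carries 1
        self.bitmap = 0       # bit i set => sequence number (highest - i) was seen
        self.events = []      # rejected packets ("the event is logged")

    def _mask(self):
        return (1 << self.window_size) - 1

    def accept(self, seq):
        """Return True if seq is new and inside the window; otherwise log the
        reason and return False so the caller discards the packet."""
        if seq <= 0:
            self.events.append((seq, "invalid sequence number"))
            return False
        if seq > self.highest:
            # Window slides forward; anything older than the new edge drops out.
            shift = seq - self.highest
            if shift >= self.window_size:
                self.bitmap = 1
            else:
                self.bitmap = ((self.bitmap << shift) | 1) & self._mask()
            self.highest = seq
            return True
        offset = self.highest - seq
        if offset >= self.window_size:
            self.events.append((seq, "outside window (too old)"))
            return False
        if self.bitmap & (1 << offset):
            self.events.append((seq, "replayed packet discarded"))
            return False
        self.bitmap |= 1 << offset   # late but not yet seen: accept and mark
        return True

def process(seqs, window_size=64):
    """Run a constructed sequence of packets through one window and return
    (per-packet verdicts, rejection log)."""
    win = AntiReplayWindow(window_size)
    verdicts = [win.accept(s) for s in seqs]
    return verdicts, win.events

if __name__ == "__main__":
    # The text's case: window of one, then a replayed sequence number 1.
    print(process([1, 1, 2], window_size=1))
    # Default 64-packet window with reordering, a replay and a stale packet.
    print(process([1, 2, 5, 3, 3, 4, 1000, 5]))
```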
18.4.4 ESP ENCRYPTS AND AUTHENTICATES

 When both authentication and encryption are selected, encryption is performed first.
One reason for this order of processing is that it facilitates rapid detection and rejection
of replayed or bogus packets by the receiving device. Prior to decrypting the packet, the
receiver can authenticate inbound packets. By doing this, it can quickly detect problems
and potentially reduce the impact of DoS attacks. To reiterate, ESP provides
confidentiality with encryption and provides integrity with authentication.
 Up to this point, the discussion of IPsec has focused on IPv4. However, IPsec was
initially established to provide security for IPv6 packets. Therefore, the IPsec
implementations for IPv4 and IPv6 are similar as far as the standards are concerned. In
IPv4, AH and ESP are IP protocol headers. IPv6 uses the extension headers with a next-
header value of 50 for ESP and 51 for AH.

18.4.5 TRANSPORT AND TUNNEL MODES

 ESP and AH can be applied to IP packets in two different modes, transport mode and
tunnel mode, as shown in the figure below.
Transport Mode

 In transport mode, security is provided only for the transport layer of the OSI model and
above. Transport mode protects the payload of the packet but leaves the original IP
address in plaintext. The original IP address is used to route the packet through the
internet. ESP transport mode is used between hosts.
Tunnel Mode

 Tunnel mode provides security for the complete original IP packet. The original IP
packet is encrypted and then it is encapsulated in another IP packet. This is known as
IP-in-IP encryption. The IP address on the outside IP packet is used to route the packet
through the internet.
Back to regularly scheduled programming

 ESP tunnel mode is used between a host and a security gateway, or between two
security gateways, as shown in the figure.
 For host-to-gateway applications, a home office might not have a router to perform the
IPsec encapsulation and encryption. In this case, an IPsec client running on the PC
performs the IPsec IP-in-IP encapsulation and encryption. For gateway-to-gateway
applications, rather than load IPsec on all of the computers at the remote and corporate
offices, it is easier to have the security gateways perform the IP-in-IP encryption and
encapsulation. At the corporate office, the router de-encapsulates and decrypts the
packet.
 As shown in the figure, AH transport mode provides authentication and integrity for the
entire packet. It does not encrypt the data, but it is protected from modification. AH
tunnel mode encapsulates the IP packet with an AH and a new IP header, and signs the
entire packet for integrity and authentication.
18.5 INTERNET KEY EXCHANGE
18.5.1 THE IKE PROTOCOL

 The Internet Key Exchange (IKE) protocol is a key management protocol standard. IKE
is used in conjunction with the IPsec standard. As shown in the figure, IKE
automatically negotiates IPsec security associations and enables IPsec secure
communications. IKE enhances IPsec by adding features and simplifies configuration
for the IPsec standard. Without IKE in place, IPsec configuration would be a complex,
manual configuration process that would not scale well.
 IKE is a hybrid protocol that implements key exchange protocols inside the Internet
Security Association Key Management Protocol (ISAKMP) framework. ISAKMP
(pronounced “Ice-a-camp”) defines the message format, the mechanics of a key
exchange protocol, and the negotiation process to build an SA for IPsec.
 Instead of transmitting keys directly across a network, IKE calculates shared keys based
on the exchange of a series of data packets. This prevents a third party from deriving
the keys even if the third party captured all of the exchanged data that was used to
calculate the keys. IKE uses UDP port 500 to exchange IKE information between the
security gateways. UDP port 500 packets must be permitted on any IP interface that is
connecting a security gateway peer.

18.5.2 PHASE 1 AND 2 KEY NEGOTIATION

 IKE uses ISAKMP for phase 1 and phase 2 of key negotiation. Phase 1 negotiates a
security association (a key) between two IKE peers. The key negotiated in phase 1
enables IKE peers to communicate securely in phase 2. During phase 2 negotiation, IKE
establishes keys (security associations) for other applications, such as IPsec.
 In Phase 1, two IPsec peers perform the initial negotiation of SAs. The basic purpose of
Phase 1 is to negotiate ISAKMP policy, authenticate the peers, and set up a secure
tunnel between the peers. This tunnel will then be used in Phase 2 to negotiate the IPsec
policy, as shown in the figure.
 Note: The phrases IKE policy and ISAKMP policy are equivalent. The phrase ISAKMP
policy is used in this course to better match the commands (crypto isakmp
policy, show isakmp policy, etc.) as well as to clarify that the ISAKMP policy applies
to the IKE Phase 1 tunnel.
 Phase 1 can be implemented in main mode or aggressive mode. When main mode is
used, the identities of the two IKE peers are hidden. Aggressive mode takes less time
than main mode to negotiate keys between peers. However, since the authentication
hash is sent unencrypted before the tunnel is established, aggressive mode is vulnerable
to brute-force attacks.
 Note: In Cisco IOS software, the default action for IKE authentication is to initiate main
mode. However, Cisco IOS software will respond in aggressive mode to an IKE peer
that initiates aggressive mode.
18.5.3 PHASE 2: NEGOTIATING SAs

 The purpose of IKE Phase 2 is to negotiate the IPsec security parameters that will be
used to secure the IPsec tunnel, as shown in the figure. IKE Phase 2 is called quick
mode and can only occur after IKE has established a secure tunnel in Phase 1. SAs are
negotiated by the IKE process ISAKMP on behalf of IPsec, which needs encryption
keys for operation. Quick mode negotiates the IKE Phase 2 SAs. In this phase, the SAs
that IPsec uses are unidirectional; therefore, a separate key exchange is required for
each data flow.
 Quick mode also renegotiates a new IPsec SA when the IPsec SA lifetime expires.
Basically, quick mode refreshes the keying material that creates the shared secret key.
This is based on the keying material that is derived from the DH exchange in Phase 1.
 IKE version 2, a next-generation key management protocol based on RFC 5996, is an
enhancement of the IKE protocol. IKE version 2 supports NAT detection and NAT
Traversal (NAT-T) during Phase 1. If both VPN devices are NAT-T capable, and if they
detect that they are connecting to each other through a NAT device, NAT-T is auto
detected and auto negotiated. NAT-T encapsulates ESP packets inside UDP and assigns
both the Source and Destination ports as 4500. Now ESP packets can traverse NAT.

18.5.4 VIDEO – IKE PHASE 1 AND PHASE 2

18.6 VPN SUMMARY

18.6.1 WHAT DID I LEARN IN THIS MODULE
VPN Overview

 Organizations use virtual private networks (VPNs) to create end-to-end private network
connections that are transported over a public network. A VPN is private in that the
traffic is encrypted to keep the data confidential while it is transported across the public
network.
 Modern VPNs now support encryption features, such as Internet Protocol Security
(IPsec) and Secure Sockets Layer (SSL) to secure network traffic between sites.
Benefits include:
o Cost savings
o Security
o Scalability
o Compatibility

VPN Topologies

 There are two types of VPN topologies:
o Site-to-site VPNs - Created when VPN gateways are preconfigured with
information to establish a secure tunnel. VPN traffic is only encrypted between
these devices. Internal hosts have no knowledge that a VPN is being used.
o Remote access VPNs - These VPNs enable remote and mobile users to
securely connect to the enterprise by creating an encrypted tunnel.
 Remote access connections can be:
o Clientless – The connection is secured using a web browser SSL connection.
SSL uses the public key infrastructure and digital certificates to authenticate
peers.
o Client-based – The connection is secured using a client application such as the
Cisco AnyConnect Secure Mobility Client on the host.
IPsec Overview

 IPsec is a framework used to define how a VPN connection will ensure confidentiality,
integrity, and origin authentication. It is not bound to any specific protocols, which
allows it to integrate new security technologies. When establishing a VPN link, the peers
must share the same SA to negotiate key exchange parameters, establish a shared key,
authenticate each other, and negotiate the encryption parameters.
 IPsec provides:
o Confidentiality - Using symmetric encryption protocols (i.e., AES, SEAL,
3DES, and DES).
o Integrity – Using Hashed Message Authentication Code (HMAC) hashing
algorithms (i.e., SHA or MD5).
o Authentication – Using a pre-shared secret or RSA.
 DH provides a way for two peers to establish a shared secret key that only they know,
even though they are communicating over an insecure channel.
IPsec Protocols

 The two main IPsec protocols are:
o Authentication Header (AH) – IP protocol 51 that only provides
authentication.
o Encapsulation Security Protocol (ESP) – IP protocol 50 that provides
authentication and encryption.
 ESP and AH can be applied to IP packets using transport mode or tunnel mode.
Internet Key Exchange

 The Internet Key Exchange (IKE) protocol is a key management protocol standard that
is used to automatically negotiate IPsec security associations and enable IPsec secure
communications. IKE uses UDP port 500 to exchange IKE information between the
security gateways.
 IKE uses ISAKMP for phase 1 and phase 2 of key negotiation. Phase 1 negotiates a
security association (a key) between two IKE peers. The key negotiated in phase 1
enables IKE peers to communicate securely in phase 2. During phase 2 negotiation, IKE
establishes keys (security associations) for other applications, such as IPsec.
MODULE 19
19.1 CONFIGURE A SITE-TO-SITE IPsec VPN
19.1.1 IPsec NEGOTIATION

 In order for an IPsec VPN tunnel to become operational, IPsec negotiation must first
occur. The IPsec negotiation process to establish a VPN involves five steps, which
include IKE Phase 1 and Phase 2.
Step 1

 An Internet Security Association Key Management Protocol (ISAKMP) tunnel is
initiated when host A sends “interesting” traffic to host B. Traffic is considered
interesting when it travels between the peers and meets the criteria that are defined in an
ACL.
Step 2

 IKE Phase 1 begins. The peers negotiate the ISAKMP SA policy. When the peers agree
on the policy and are authenticated, a secure tunnel is created.
Step 3

 IKE Phase 2 begins. The IPsec peers use the authenticated secure tunnel to negotiate the
IPsec SA policy. The negotiation of the shared policy determines how the IPsec tunnel
is established.
Step 4

 The IPsec tunnel is created, and data is transferred between the IPsec peers based on the
IPsec SAs.
Step 5

 The IPsec tunnel terminates when the IPsec SAs are manually deleted, or when their
lifetime expires.

19.1.2 SITE-TO-SITE IPsec VPN TOPOLOGY

 Implementing a site-to-site VPN requires configuring settings for both IKE Phase 1 and
Phase 2. In the phase 1 configuration, the two sites are configured with the necessary
ISAKMP security associations to ensure that an ISAKMP tunnel can be created. In the
phase 2 configuration, the two sites are configured with the IPsec security associations
to ensure that an IPsec tunnel is created within the ISAKMP tunnel. Both tunnels will
be created only when interesting traffic is detected.
 The topology in the figure for XYZCORP will be used in this section to demonstrate a
site-to-site IPsec VPN implementation. Both routers are configured with IP addressing
and static routing. An extended ping on R1 verifies that routing between the LANs is
operational.
 The interface and default routing configurations for R1 and R2 are shown in the
example.
R1# show run
<output omitted>
!
interface GigabitEthernet0/0
ip address 10.0.1.1 255.255.255.0
!
interface Serial0/0/0
ip address 172.30.2.1 255.255.255.0
!
ip route 192.168.1.0 255.255.255.0 Serial0/0/0

!=========================================

R2# show run

<output omitted>
!
interface GigabitEthernet0/0
ip address 192.168.1.1 255.255.255.0
!
interface Serial0/0/0
ip address 172.30.2.2 255.255.255.0
!
ip route 10.0.1.0 255.255.255.0 Serial0/0/0
!

 An extended ping on R1 verifies that routing between the LANs is operational, as
shown in the example output.
R1# ping 192.168.1.1 source 10.0.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.1.1, timeout is 2 seconds:
Packet sent with a source address of 10.0.1.1
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/4 ms
R1#

19.1.3 IPsec VPN CONFIGURATION TASKS

Security Policy Requirements

 All XYZCORP VPNs should be implemented using the following security policy:
o Encrypt traffic with AES 256 and SHA.
o Authenticate with PSK.
o Exchange keys with DH group 14.
o ISAKMP tunnel lifetime is 1 hour.
o IPsec tunnel uses ESP with a 15-minute lifetime.

Configure Tasks:
 The configuration tasks required to meet this policy are:
o Task 1: Configure the ISAKMP Policy for IKE Phase 1
o Task 2: Configure the IPsec Policy for IPsec Phase 2
o Task 3: Configure a Crypto Map for the IPsec Policy
o Task 4: Apply the IPsec Policy
o Task 5: Verify that the IPsec Tunnel is Operational

19.1.4 EXISTING ACL CONFIGURATIONS

 Although XYZCORP does not have an existing ACL configuration, this would not be
the case in a production network. Perimeter routers typically implement a restrictive
security policy, blocking all traffic except for traffic specifically allowed. Prior to
implementing a site-to-site IPsec VPN, ensure that the existing ACLs do not block
traffic necessary for IPsec negotiations. The ACL command syntax to permit ISAKMP,
ESP, and AH traffic is shown here.
Router(config)# ip access-list extended name
Router(config-ext-nacl)# permit udp source wildcard destination wildcard eq isakmp
Router(config-ext-nacl)# permit esp source wildcard destination wildcard
Router(config-ext-nacl)# permit ahp source wildcard destination wildcard

 The example below demonstrates an ACL configuration that allows the traffic
necessary for IPsec negotiations. R2 would have a similar configuration.
R1(config)# ip access-list extended INBOUND
R1(config-ext-nacl)# permit ip 192.168.1.0 0.0.0.255 10.0.1.0 0.0.0.255
R1(config-ext-nacl)# permit icmp host 172.30.2.2 host 172.30.2.1
R1(config-ext-nacl)# permit udp host 172.30.2.2 host 172.30.2.1 eq isakmp
R1(config-ext-nacl)# permit esp host 172.30.2.2 host 172.30.2.1
R1(config-ext-nacl)# permit ahp host 172.30.2.2 host 172.30.2.1
R1(config-ext-nacl)# deny ip any any
R1(config-ext-nacl)# exit
R1(config)# interface serial0/0/0
R1(config-if)# ip access-group INBOUND in

19.1.5 HANDLING BROADCAST AND MULTICAST TRAFFIC

 The XYZCORP topology uses static routing, so there is no multicast or broadcast traffic
that needs to be routed through the tunnel. But what if XYZCORP decided to
implement EIGRP or OSPF? These routing protocols use multicast addresses to
exchange routing information with neighbors. IPsec only supports unicast traffic. To
enable routing protocol traffic, the peers in a site-to-site IPsec VPN implementation
would need to be configured with a Generic Routing Encapsulation (GRE) tunnel for
the multicast traffic.
 GRE supports multiprotocol tunneling, as shown in the figure. It can encapsulate
multiple OSI Layer 3 protocol packet types inside an IP tunnel. Adding an additional
GRE header between the payload and the tunneling IP header provides the
multiprotocol functionality. GRE also supports IP multicast tunneling. Routing
protocols that are used across the tunnel enable dynamic exchange of routing
information in the virtual network. GRE does not provide encryption. GRE
configuration is beyond the scope of this course.

19.2 ISAKMP POLICY


19.2.1 THE DEFAULT ISAKMP POLICIES

 The first task is to configure the ISAKMP policy for IKE Phase 1. The ISAKMP policy
lists the SAs that the router is willing to use to establish the IKE Phase 1 tunnel. The
Cisco IOS comes with default ISAKMP policies already in place. To view the default
policies, enter the show crypto isakmp default policy command, as shown in the
example after the figure.
R1# show crypto isakmp default policy

Default IKE policy

Default protection suite of priority 65507
encryption algorithm: AES - Advanced Encryption Standard (128 bit keys).
hash algorithm: Secure Hash Standard
authentication method: Rivest-Shamir-Adleman Signature
Diffie-Hellman group: #5 (1536 bit)
lifetime: 86400 seconds, no volume limit
Default protection suite of priority 65508
encryption algorithm: AES - Advanced Encryption Standard (128 bit keys).
hash algorithm: Secure Hash Standard
authentication method: Pre-Shared Key
Diffie-Hellman group: #5 (1536 bit)
lifetime: 86400 seconds, no volume limit
Default protection suite of priority 65509
encryption algorithm: AES - Advanced Encryption Standard (128 bit keys).
hash algorithm: Message Digest 5
authentication method: Rivest-Shamir-Adleman Signature
Diffie-Hellman group: #5 (1536 bit)
lifetime: 86400 seconds, no volume limit
Default protection suite of priority 65510
encryption algorithm: AES - Advanced Encryption Standard (128 bit keys).
hash algorithm: Message Digest 5
authentication method: Pre-Shared Key
Diffie-Hellman group: #5 (1536 bit)
lifetime: 86400 seconds, no volume limit
Default protection suite of priority 65511
encryption algorithm: Three key triple DES
hash algorithm: Secure Hash Standard
authentication method: Rivest-Shamir-Adleman Signature
Diffie-Hellman group: #2 (1024 bit)
lifetime: 86400 seconds, no volume limit
Default protection suite of priority 65512
encryption algorithm: Three key triple DES
hash algorithm: Secure Hash Standard
authentication method: Pre-Shared Key
Diffie-Hellman group: #2 (1024 bit)
lifetime: 86400 seconds, no volume limit
Default protection suite of priority 65513
encryption algorithm: Three key triple DES
hash algorithm: Message Digest 5
authentication method: Rivest-Shamir-Adleman Signature
Diffie-Hellman group: #2 (1024 bit)
lifetime: 86400 seconds, no volume limit
Default protection suite of priority 65514
encryption algorithm: Three key triple DES
hash algorithm: Message Digest 5
authentication method: Pre-Shared Key
Diffie-Hellman group: #2 (1024 bit)
lifetime: 86400 seconds, no volume limit

 R1 has eight default ISAKMP policies ranging from the most secure (policy 65507) to
the least secure (policy 65514). If no other policy has been defined by the administrator,
R1 will attempt to use the most secure default policy. If R2 has a matching policy, then
R1 and R2 can successfully negotiate the IKE Phase 1 ISAKMP tunnel without any
configuration by the administrator. Eight default policies allow for flexibility in the
negotiations. If there is no agreement to use the most secure default policy, R1 will
attempt to use the next most secure policy.
 In this example, none of the default policies match the security policy for XYZCORP.
So a new ISAKMP policy will have to be configured.
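An added check, not part of the course material, that parses the show crypto isakmp default policy output above and tests each default suite against the XYZCORP policy (AES 256, SHA, pre-shared key, DH group 14, 3600-second lifetime). The embedded output is a constructed subset of the eight suites, laid out exactly as IOS prints them.

```python
import re

# Constructed sample of 'show crypto isakmp default policy' output
# (same layout as the IOS output; only suites 65507, 65508 and 65514 included).
SAMPLE_OUTPUT = """\
Default IKE policy

Default protection suite of priority 65507
encryption algorithm: AES - Advanced Encryption Standard (128 bit keys).
hash algorithm: Secure Hash Standard
authentication method: Rivest-Shamir-Adleman Signature
Diffie-Hellman group: #5 (1536 bit)
lifetime: 86400 seconds, no volume limit
Default protection suite of priority 65508
encryption algorithm: AES - Advanced Encryption Standard (128 bit keys).
hash algorithm: Secure Hash Standard
authentication method: Pre-Shared Key
Diffie-Hellman group: #5 (1536 bit)
lifetime: 86400 seconds, no volume limit
Default protection suite of priority 65514
encryption algorithm: Three key triple DES
hash algorithm: Message Digest 5
authentication method: Pre-Shared Key
Diffie-Hellman group: #2 (1024 bit)
lifetime: 86400 seconds, no volume limit
"""

# XYZCORP IKE Phase 1 requirements, expressed as the HAGLE attributes.
XYZCORP_POLICY = {
    "hash": "sha",
    "authentication": "pre-share",
    "group": 14,
    "lifetime": 3600,
    "encryption": "aes",
    "key_bits": 256,
}


def parse_default_policies(text):
    """Return {priority: {hash, authentication, group, lifetime, encryption, key_bits}}."""
    suites = {}
    current = None
    for line in text.splitlines():
        line = line.strip()
        m = re.match(r"Default protection suite of priority (\d+)", line)
        if m:
            current = suites.setdefault(int(m.group(1)), {})
            continue
        if current is None or ":" not in line:
            continue
        key, value = (part.strip() for part in line.split(":", 1))
        if key == "encryption algorithm":
            if value.startswith("AES"):
                current["encryption"] = "aes"
                bits = re.search(r"\((\d+) bit keys\)", value)
                current["key_bits"] = int(bits.group(1)) if bits else None
            elif "triple DES" in value:
                current["encryption"] = "3des"
                current["key_bits"] = 168
            else:
                current["encryption"] = value.lower()
                current["key_bits"] = None
        elif key == "hash algorithm":
            current["hash"] = "sha" if "Secure Hash" in value else "md5"
        elif key == "authentication method":
            current["authentication"] = "pre-share" if "Pre-Shared" in value else "rsa-sig"
        elif key == "Diffie-Hellman group":
            current["group"] = int(re.search(r"#(\d+)", value).group(1))
        elif key == "lifetime":
            current["lifetime"] = int(re.search(r"(\d+) seconds", value).group(1))
    return suites


def mismatches(suite, policy):
    """List the HAGLE attributes on which a suite differs from the required policy."""
    return [k for k in policy if suite.get(k) != policy[k]]


def matching_priorities(text, policy=XYZCORP_POLICY):
    """Priorities of default suites that satisfy the policy; empty means a new policy is needed."""
    return [p for p, s in parse_default_policies(text).items() if not mismatches(s, policy)]


def legacy_priorities(text):
    """Default suites that still use 3DES, MD5 or DH group 2 (the least secure family)."""
    return sorted(p for p, s in parse_default_policies(text).items()
                  if s.get("encryption") == "3des" or s.get("hash") == "md5"
                  or (s.get("group") or 0) <= 2)
```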

19.2.2 SYNTAX TO CONFIGURE A NEW ISAKMP POLICY

 To configure a new ISAKMP policy, use the crypto isakmp policy command, as
shown in the figure. The only argument for the command is to set a priority for the
policy (from 1 to 10000). Peers will attempt to negotiate using the policy with the
lowest number (highest priority). Peers do not require matching priority numbers.
 When in ISAKMP policy configuration mode, the SAs for the IKE Phase 1 tunnel can
be configured. Use the mnemonic HAGLE to remember the five SAs to configure:
o Hash
o Authentication
o Group
o Lifetime
o Encryption
R1(config)# crypto isakmp policy ?
<1-1000> Priority of protection suite
R1(config)# crypto isakmp policy 1
R1(config-isakmp)# ?

ISAKMP commands:
authentication Set authentication method for protection suite
default Set a command to its defaults
encryption Set encryption algorithm for protection suite
exit Exit from ISAKMP protection suite configuration mode
group Set the Diffie-Hellman group
hash Set hash algorithm for protection suite
lifetime Set lifetime for ISAKMP security association
no Negate a command or set its defaults

19.2.3 ISAKMP POLICY CONFIGURATION

 To meet the security policy requirements for XYZCORP, configure the ISAKMP policy
with the following SAs:
o Hash is SHA
o Authentication is pre-shared key
o Group is 14
o Lifetime is 3600 seconds
o Encryption is AES
 The example shows the ISAKMP policy configuration. Use the show crypto isakmp
policy command to verify the configuration. R2 has an equivalent configuration.
R1(config)# crypto isakmp policy 1
R1(config-isakmp)# encryption aes 256
R1(config-isakmp)# hash sha
R1(config-isakmp)# authentication pre-share
R1(config-isakmp)# group 24
R1(config-isakmp)# lifetime 3600
R1(config-isakmp)# end
R1# show crypto isakmp policy

Global IKE policy

Protection suite of priority 1
encryption algorithm: AES - Advanced Encryption Standard (256 bit keys).
hash algorithm: Secure Hash Standard
authentication method: Pre-Shared Key
Diffie-Hellman group: #24 (2048 bit, 256 bit subgroup)
lifetime: 3600 seconds, no volume limit
R1#

19.2.4 PRE-SHARED KEY CONFIGURATION

 The XYZCORP security policy requires that a pre-shared key be used for authentication
between the peers. The administrator can either specify a host name or an IP address for
the peer. The command syntax is shown below.
Router(config)# crypto isakmp key keystring address peer-address
Router(config)# crypto isakmp key keystring hostname peer-hostname

 XYZCORP uses the key phrase cisco12345 and the IP address of the peer as shown in
the examples after the figure.
R1# conf t
R1(config)# crypto isakmp key cisco12345 address 172.30.2.2
R1(config)#

R2# conf t
R2(config)# crypto isakmp key cisco12345 address 172.30.2.1
R2(config)#

19.3 IPsec POLICY


19.3.1 DEFINE INTERESTING TRAFFIC

 Although the ISAKMP policy for the IKE Phase 1 tunnel is configured, the tunnel does
not yet exist. This is verified with the show crypto isakmp sa command in the figure
below. Interesting traffic must be detected before IKE Phase 1 negotiations can begin.
For the XYZCORP site-to-site VPN, interesting traffic is any permitted
communications between the Site 1 and Site 2 LANs.
R1# show crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst src state conn-id status

IPv6 Crypto ISAKMP SA

R1#

 To define interesting traffic, configure each router with an ACL to permit traffic from
the local LAN to the remote LAN, as shown in the following examples for R1 and R2.
The ACL will be used in the crypto map configuration to specify what traffic will
trigger the start of IKE Phase 1.
R1# conf t
R1(config)# access-list 101 permit ip 10.0.1.0 0.0.0.255 192.168.1.0 0.0.0.255
R1(config)#

R2# conf t
R2(config)# access-list 102 permit ip 192.168.1.0 0.0.0.255 10.0.1.0 0.0.0.255
R2(config)#

19.3.2 CONFIGURE IPsec TRANSFORM SET


 The next step is to configure the set of encryption and hashing algorithms that will be
used to transform the data sent through the IPsec tunnel. This is called the transform set.
During IKE Phase 2 negotiations, the peers agree on the IPsec transform set to be used
for protecting interesting traffic.
 Configure a transform set using the crypto ipsec transform-set command, as shown
here. First, specify a name for the transform set (R1-R2, in the example).
R1(config)# crypto ipsec transform-set ?
WORD Transform set tag

R1(config)# crypto ipsec transform-set R1-R2 ?

ah-md5-hmac AH-HMAC-MD5 transform
ah-sha-hmac AH-HMAC-SHA transform
ah-sha256-hmac AH-HMAC-SHA256 transform
ah-sha384-hmac AH-HMAC-SHA384 transform
ah-sha512-hmac AH-HMAC-SHA512 transform
comp-lzs IP Compression using the LZS compression algorithm
esp-3des ESP transform using 3DES(EDE) cipher (168 bits)
esp-aes ESP transform using AES cipher
esp-des ESP transform using DES cipher (56 bits)
esp-gcm ESP transform using GCM cipher
esp-gmac ESP transform using GMAC cipher
esp-md5-hmac ESP transform using HMAC-MD5 auth
esp-null ESP transform w/o cipher
esp-seal ESP transform using SEAL cipher (160 bits)
esp-sha-hmac ESP transform using HMAC-SHA auth
esp-sha256-hmac ESP transform using HMAC-SHA256 auth
esp-sha384-hmac ESP transform using HMAC-SHA384 auth
esp-sha512-hmac ESP transform using HMAC-SHA512 auth

 After the transform set is named, the encryption and hashing algorithm can be
configured in either order. The examples show the transform set configuration for R1
and R2.
R1(config)# crypto ipsec transform-set R1-R2 esp-aes esp-sha-hmac
R1(config)#

R2(config)# crypto ipsec transform-set R1-R2 esp-aes esp-sha-hmac
R2(config)#

19.4 CRYPTO MAP


19.4.1 SYNTAX TO CONFIGURE A CRYPTO MAP

 Now that the interesting traffic is defined, and an IPsec transform set is configured, it is
time to bind those configurations with the rest of the IPsec policy in a crypto map. The
syntax to start a crypto map set is shown below. The sequence number is important
when configuring multiple crypto map entries. XYZCORP will only need one crypto
map entry to match traffic and account for the remaining SAs. Although the ipsec-manual
option is shown, its use is beyond the scope of this course.
Router(config)# crypto map map-name seq-num { ipsec-isakmp | ipsec-manual }

Parameter Description
map-name Identifies the crypto map set.
seq-num Sequence number you assign to the crypto map entry. Use the crypto map map-name seq-num command without any keyword to modify the existing crypto map entry or profile.
ipsec-isakmp Indicates that IKE will be used to establish the IPsec SAs for protecting the traffic specified by this crypto map entry.
ipsec-manual Indicates that IKE will not be used to establish the IPsec SAs for protecting the traffic specified by this crypto map entry.

 The available configurations for a crypto map entry when you are in crypto map
configuration mode are shown below. The map name is R1-R2_MAP, and the sequence
number is 10.
R1(config)# crypto map R1-R2_MAP 10 ipsec-isakmp
% NOTE: This new crypto map will remain disabled until a peer
and a valid access list have been configured.
R1(config-crypto-map)# ?
Crypto Map configuration commands:
default Set a command to its defaults
description Description of the crypto map statement policy
dialer Dialer related commands
disable Disable this crypto-map-statement.
exit Exit from crypto map configuration mode
match Match values.
no Negate a command or set its defaults
qos Quality of Service related commands
reverse-route Reverse Route Injection.
set Set values for encryption/decryption

19.4.2 CRYPTO MAP CONFIGURATION

 To finish the configuration to meet the IPsec security policy for XYZCORP, complete
the following:
o Step 1. Bind the ACL and the transform set to the map.
o Step 2. Specify the peer’s IP address.
o Step 3. Configure the DH group.
o Step 4. Configure the IPsec tunnel lifetime.
 The crypto map configurations for R1 and R2 are shown below.
R1(config)# crypto map R1-R2_MAP 10 ipsec-isakmp
% NOTE: This new crypto map will remain disabled until a peer
and a valid access list have been configured.
R1(config-crypto-map)# match address 101
R1(config-crypto-map)# set transform-set R1-R2
R1(config-crypto-map)# set peer 172.30.2.2
R1(config-crypto-map)# set pfs group24
R1(config-crypto-map)# set security-association lifetime seconds 900
R1(config-crypto-map)# exit
R1(config)#

R2(config)# crypto map R1-R2_MAP 10 ipsec-isakmp
% NOTE: This new crypto map will remain disabled until a peer
and a valid access list have been configured.
R2(config-crypto-map)# match address 102
R2(config-crypto-map)# set transform-set R1-R2
R2(config-crypto-map)# set peer 172.30.2.1
R2(config-crypto-map)# set pfs group24
R2(config-crypto-map)# set security-association lifetime seconds 900
R2(config-crypto-map)# exit
R2(config)#

 Use the show crypto map command to verify the crypto map configuration, as shown
below for R1. All the required SAs should be in place. Notice that the output shows that
no interfaces are currently using the crypto map.
R1# show crypto map
Crypto Map IPv4 "R1-R2_MAP" 10 ipsec-isakmp
Peer = 172.30.2.2
Extended IP access list 101
access-list 101 permit ip 10.0.1.0 0.0.0.255 192.168.1.0 0.0.0.255
Security association lifetime: 4608000 kilobytes/900 seconds
Responder-Only (Y/N): N
PFS (Y/N): Y
DH group: group24
Mixed-mode : Disabled
Transform sets={
R1-R2: { esp-aes esp-sha-hmac } ,
}
Interfaces using crypto map R1-R2_MAP:

R1#

19.4.3 APPLY AND VERIFY THE CRYPTO MAP

 To apply the crypto map, enter interface configuration mode for the outbound interface
and configure the crypto map map-name command. Below is the configuration for
XYZCORP. Notice the show crypto map output now displays that the Serial 0/0/0
interface is using the crypto map. R2 is configured with the same command on its Serial
0/0/0 interface.
R1(config)# interface serial0/0/0
R1(config-if)# crypto map R1-R2_MAP
R1(config-if)#
*Mar 19 19:36:36.273: %CRYPTO-6-ISAKMP_ON_OFF: ISAKMP is ON
R1(config-if)# end
R1# show crypto map
Crypto Map IPv4 "R1-R2_MAP" 10 ipsec-isakmp
Peer = 172.30.2.2
Extended IP access list 101
access-list 101 permit ip 10.0.1.0 0.0.0.255 192.168.1.0 0.0.0.255
Security association lifetime: 4608000 kilobytes/900 seconds
Responder-Only (Y/N): N
PFS (Y/N): Y
DH group: group24
Mixed-mode : Disabled
Transform sets={
R1-R2: { esp-aes esp-sha-hmac } ,
}
Interfaces using crypto map R1-R2_MAP:
Serial0/0/0
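An added audit script, not from the course, that checks a router's running configuration against the XYZCORP policy after Tasks 1 to 4: the ISAKMP policy (HAGLE), the transform set, the crypto map's ACL, peer, PFS group and SA lifetime, and whether the map is applied to an interface. The embedded config is a constructed reproduction of the R1 commands shown above (IOS prints encryption as encr in show running-config); the policy's DH group is written as stated in the notes (14), so the audit reports the group the examples configure (24) as a deviation.

```python
# Required settings, taken from the XYZCORP security policy stated in the notes.
XYZCORP_POLICY = {
    "isakmp": {"encr": "aes 256", "hash": "sha", "authentication": "pre-share",
               "group": "14", "lifetime": "3600"},
    "transforms": {"esp-aes", "esp-sha-hmac"},   # ESP with AES and SHA HMAC
    "peer": "172.30.2.2",
    "pfs": "group14",
    "sa_lifetime": "900",                        # 15-minute IPsec tunnel lifetime
}

# Constructed reproduction of R1's running configuration after the steps above.
R1_RUNNING_CONFIG = """\
crypto isakmp policy 1
 encr aes 256
 hash sha
 authentication pre-share
 group 24
 lifetime 3600
crypto isakmp key cisco12345 address 172.30.2.2
!
crypto ipsec transform-set R1-R2 esp-aes esp-sha-hmac
 mode tunnel
!
crypto map R1-R2_MAP 10 ipsec-isakmp
 set peer 172.30.2.2
 set security-association lifetime seconds 900
 set transform-set R1-R2
 set pfs group24
 match address 101
!
interface Serial0/0/0
 crypto map R1-R2_MAP
!
access-list 101 permit ip 10.0.1.0 0.0.0.255 192.168.1.0 0.0.0.255
"""


def parse_sections(config):
    """Split an IOS config into (header, [indented sub-commands]) pairs."""
    sections = []
    for line in config.splitlines():
        if not line.strip() or line.startswith("!"):
            continue
        if line.startswith(" ") and sections:
            sections[-1][1].append(line.strip())
        elif not line.startswith(" "):
            sections.append((line.strip(), []))
    return sections


def audit(config, policy=XYZCORP_POLICY):
    """Return a list of findings; an empty list means the config meets the policy."""
    findings = []
    sections = parse_sections(config)
    transform_sets = {h.split()[3]: set(h.split()[4:]) for h, _ in sections
                      if h.startswith("crypto ipsec transform-set ")}
    # Crypto maps only take effect once applied under an interface.
    applied = {sub for _, body in sections for sub in body if sub.startswith("crypto map ")}
    for header, body in sections:
        words = header.split()
        if words[:3] == ["crypto", "isakmp", "policy"]:
            # show run omits defaults: hash defaults to SHA, lifetime to 86400 seconds.
            got = {"hash": "sha", "lifetime": "86400"}
            for sub in body:
                key, _, value = sub.partition(" ")
                got["encr" if key == "encryption" else key] = value
            for key, want in policy["isakmp"].items():
                if got.get(key) != want:
                    findings.append(f"{header}: {key} is {got.get(key, 'unset')}, "
                                    f"policy requires {want}")
        elif words[:2] == ["crypto", "map"] and len(words) >= 5:
            name, settings = words[2], {}
            for sub in body:
                parts = sub.split()
                if parts[0] == "set":
                    settings[parts[1]] = parts[-1]
                elif parts[:2] == ["match", "address"]:
                    settings["acl"] = parts[-1]
            if "acl" not in settings:
                findings.append(f"crypto map {name}: no match address (ACL) configured")
            if settings.get("peer") != policy["peer"]:
                findings.append(f"crypto map {name}: peer is {settings.get('peer', 'unset')}")
            if settings.get("pfs") != policy["pfs"]:
                findings.append(f"crypto map {name}: pfs is {settings.get('pfs', 'unset')}, "
                                f"policy requires {policy['pfs']}")
            if settings.get("security-association") != policy["sa_lifetime"]:
                findings.append(f"crypto map {name}: SA lifetime is "
                                f"{settings.get('security-association', 'unset')} seconds")
            missing = policy["transforms"] - transform_sets.get(settings.get("transform-set"), set())
            if missing:
                findings.append(f"crypto map {name}: transform set lacks {sorted(missing)}")
            if f"crypto map {name}" not in applied:
                findings.append(f"crypto map {name}: not applied to any interface")
    return findings
```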

19.5 IPsec VPN


19.5.1 SEND INTERESTING TRAFFIC

 Now that both the ISAKMP and IPsec policies are configured, and the crypto map is
applied to the appropriate outbound interfaces, test the two tunnels by sending
interesting traffic across the link.
 Traffic from the LAN interface on R1 that is destined for the LAN interface on R2 is
considered interesting traffic because it matches the ACLs configured on both routers.
An extended ping from R1 will effectively test the VPN configuration. The
extended ping command syntax and results are shown below. The first ping failed
because it takes a few milliseconds to establish the ISAKMP and IPsec tunnels.
R1# ping 192.168.1.1 source 10.0.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.1.1, timeout is 2 seconds:
Packet sent with a source address of 10.0.1.1
.!!!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 1/2/4 ms
R1#

19.5.2 VERIFY THE ISAKMP AND IPsec TUNNELS

 Sending interesting traffic does not actually mean that the tunnels are established. R1
and R2 will route traffic between the two LANs even if the ISAKMP and IPsec policy
configurations are wrong. To verify that tunnels have been established, use the show
crypto isakmp sa and show crypto ipsec sa commands. In the output below, notice
that the tunnel is active between the two peers, 172.30.2.1 and 172.30.2.2, and that they
are using the R1-R2_MAP crypto map.
R1# show crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst src state conn-id status
172.30.2.2 172.30.2.1 QM_IDLE 1005 ACTIVE

IPv6 Crypto ISAKMP SA

R1#

R1# show crypto ipsec sa

interface: Serial0/0/0
Crypto map tag: R1-R2_MAP, local addr 172.30.2.1

protected vrf: (none)
local ident (addr/mask/prot/port): (10.0.1.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)
current_peer 172.30.2.2 port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 4, #pkts encrypt: 4, #pkts digest: 4
#pkts decaps: 4, #pkts decrypt: 4, #pkts verify: 4
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0

local crypto endpt.: 172.30.2.1, remote crypto endpt.: 172.30.2.2
plaintext mtu 1438, path mtu 1500, ip mtu 1500, ip mtu idb Serial0/0/0
current outbound spi: 0xD3E56A5F(3555027551)
PFS (Y/N): Y, DH group: group24

inbound esp sas:
spi: 0x5D620493(1566704787)
transform: esp-aes esp-sha-hmac ,
in use settings ={Tunnel, }
conn id: 2019, flow_id: Onboard VPN:19, sibling_flags 80004040, crypto map: R1-R2_MAP
sa timing: remaining key lifetime (k/sec): (4155730/802)
IV size: 16 bytes
replay detection support: Y
Status: ACTIVE(ACTIVE)

inbound ah sas:

inbound pcp sas:

outbound esp sas:
spi: 0xD3E56A5F(3555027551)
transform: esp-aes esp-sha-hmac ,
in use settings ={Tunnel, }
conn id: 2020, flow_id: Onboard VPN:20, sibling_flags 80004040, crypto map: R1-R2_MAP
sa timing: remaining key lifetime (k/sec): (4155730/802)
IV size: 16 bytes
replay detection support: Y
Status: ACTIVE(ACTIVE)

outbound ah sas:

outbound pcp sas:

R1#
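An added verification helper, not course code, that parses the show crypto ipsec sa output above and applies the check the text describes: the tunnel is only proven when an ESP SA is ACTIVE in both directions with the expected transform and the encaps/decaps counters are non-zero, otherwise the LAN traffic may simply be routed unprotected. The embedded output is a constructed excerpt of the R1 output with the same fields.

```python
import re

# Constructed excerpt of R1's 'show crypto ipsec sa' output (fields as shown above).
SAMPLE_SA_OUTPUT = """\
interface: Serial0/0/0
    Crypto map tag: R1-R2_MAP, local addr 172.30.2.1

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (10.0.1.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)
   current_peer 172.30.2.2 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 4, #pkts encrypt: 4, #pkts digest: 4
    #pkts decaps: 4, #pkts decrypt: 4, #pkts verify: 4
    #send errors 0, #recv errors 0

     local crypto endpt.: 172.30.2.1, remote crypto endpt.: 172.30.2.2
     current outbound spi: 0xD3E56A5F(3555027551)
     PFS (Y/N): Y, DH group: group24

     inbound esp sas:
      spi: 0x5D620493(1566704787)
        transform: esp-aes esp-sha-hmac ,
        in use settings ={Tunnel, }
        sa timing: remaining key lifetime (k/sec): (4155730/802)
        replay detection support: Y
        Status: ACTIVE(ACTIVE)

     inbound ah sas:

     outbound esp sas:
      spi: 0xD3E56A5F(3555027551)
        transform: esp-aes esp-sha-hmac ,
        in use settings ={Tunnel, }
        sa timing: remaining key lifetime (k/sec): (4155730/802)
        replay detection support: Y
        Status: ACTIVE(ACTIVE)
"""


def parse_ipsec_sa(text):
    """Extract peer, packet counters and per-direction ESP SA state from the output."""
    info = {"peer": None, "encaps": 0, "decaps": 0, "send_errors": 0, "recv_errors": 0,
            "esp": {"inbound": [], "outbound": []}}
    direction = None  # which 'esp sas:' section we are inside, if any
    for raw in text.splitlines():
        line = raw.strip()
        if m := re.match(r"current_peer (\S+)", line):
            info["peer"] = m.group(1)
        elif m := re.match(r"#pkts encaps: (\d+)", line):
            info["encaps"] = int(m.group(1))
        elif m := re.match(r"#pkts decaps: (\d+)", line):
            info["decaps"] = int(m.group(1))
        elif m := re.match(r"#send errors (\d+), #recv errors (\d+)", line):
            info["send_errors"], info["recv_errors"] = int(m.group(1)), int(m.group(2))
        elif m := re.match(r"(inbound|outbound) (esp|ah|pcp) sas:", line):
            direction = m.group(1) if m.group(2) == "esp" else None
        elif direction and (m := re.match(r"spi: (0x[0-9A-Fa-f]+)", line)):
            info["esp"][direction].append({"spi": m.group(1), "transform": None,
                                           "status": None, "remaining_sec": None,
                                           "replay": None})
        elif direction and info["esp"][direction]:
            sa = info["esp"][direction][-1]
            if m := re.match(r"transform: (.+?) ,", line):
                sa["transform"] = m.group(1).split()
            elif m := re.match(r"sa timing: remaining key lifetime \(k/sec\): \((\d+)/(\d+)\)", line):
                sa["remaining_sec"] = int(m.group(2))
            elif m := re.match(r"replay detection support: (Y|N)", line):
                sa["replay"] = m.group(1) == "Y"
            elif m := re.match(r"Status: (\w+)", line):
                sa["status"] = m.group(1)
    return info


def tunnel_problems(text, expected_transform=("esp-aes", "esp-sha-hmac")):
    """Return reasons the IPsec tunnel is not proven up; an empty list means verified."""
    info = parse_ipsec_sa(text)
    problems = []
    for direction in ("inbound", "outbound"):
        active = [sa for sa in info["esp"][direction] if sa["status"] == "ACTIVE"]
        if not active:
            problems.append(f"no ACTIVE {direction} ESP SA")
            continue
        for sa in active:
            if sa["transform"] != list(expected_transform):
                problems.append(f"{direction} SA {sa['spi']} uses {sa['transform']}")
            if not sa["replay"]:
                problems.append(f"{direction} SA {sa['spi']} has replay detection off")
    if info["encaps"] == 0 or info["decaps"] == 0:
        problems.append("traffic is not being encapsulated in both directions; "
                        "it may be routed in the clear")
    if info["send_errors"] or info["recv_errors"]:
        problems.append(f"send/recv errors: {info['send_errors']}/{info['recv_errors']}")
    return problems
```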

19.5.4 VIDEO – SITE-TO-SITE IPsec VPN CONFIGURATION

19.6 IMPLEMENT SITE-TO-SITE IPsec VPNs SUMMARY


19.6.1 WHAT DID I LEARN IN THIS MODULE?
Configure a Site-to-Site VPN

 IPsec negotiation to establish a VPN involves five steps, which include IKE Phase 1
and Phase 2.
 An ISAKMP tunnel is initiated when host A sends “interesting” traffic to host B.
Traffic is considered interesting when it travels between the peers and meets the criteria
that are defined in an ACL. IKE Phase 1 begins. The peers negotiate the ISAKMP SA
policy.
 When the peers agree on the policy and are authenticated, a secure tunnel is created.
IKE Phase 2 begins.
 The IPsec peers use the authenticated secure tunnel to negotiate the IPsec SA policy.
The negotiation of the shared policy determines how the IPsec tunnel is established.
 The IPsec tunnel is created, and data is transferred between the IPsec peers based on the
IPsec SAs. The IPsec tunnel terminates when the IPsec SAs are manually deleted, or
when their lifetime expires. Implementing a site-to-site VPN requires configuring
settings for both IKE Phase 1 and Phase 2. In the Phase 1 configuration, the two sites
are configured with the necessary ISAKMP security associations to ensure that an
ISAKMP tunnel can be created. In the Phase 2 configuration, the two sites are
configured with the IPsec security associations to ensure that an IPsec tunnel is created
within the ISAKMP tunnel.
 Both tunnels will be created only when interesting traffic is detected. IPsec only
supports unicast traffic. To enable multicast routing protocol traffic, the peers in a site-
to-site IPsec VPN implementation would need to be configured with a Generic Routing
Encapsulation (GRE) tunnel for the multicast traffic. GRE supports multiprotocol
tunneling. It can encapsulate multiple OSI Layer 3 protocol packet types inside an IP
tunnel. The addition of an additional GRE header between the payload and the
tunneling IP header provides the multiprotocol functionality. GRE also supports IP
multicast tunneling. Routing protocols that are used across the tunnel enable dynamic
exchange of routing information in the virtual network. GRE does not provide
encryption.
ISAKMP Policy

 The ISAKMP policy lists the SAs that the router is willing to use to establish the IKE
Phase 1 tunnel. The Cisco IOS comes with default ISAKMP policies already in place.
To view the default policies, enter the show crypto isakmp default policy command.
The router will attempt to use the most secure default policy if no other policy was
defined by the administrator. To configure a new ISAKMP policy, use the crypto
isakmp policy command. The five SAs to configure are hash, authentication, group,
lifetime, and encryption (HAGLE).
IPsec Policy

 Although the ISAKMP policy for the IKE Phase 1 tunnel is configured, the tunnel does
not yet exist. This is verified with the show crypto isakmp sa command. To define
interesting traffic, configure each router with an ACL to permit traffic from the local
LAN to the remote LAN. The ACL will be used in the crypto map configuration to
specify what traffic will trigger the start of IKE Phase 1. Configure the set of encryption
and hashing algorithms that will be used to transform the data that is sent through the
IPsec tunnel. Configure a transform set using the crypto ipsec transform-
set command.
Crypto Map

 Now that the interesting traffic is defined, and an IPsec transform set is configured, it is
time to bind those configurations with the rest of the IPsec policy in a crypto map. To
finish the configuration to meet the IPsec security policy you must bind the ACL and
the transform set to the map, specify the peer’s IP address, configure the DH group, and
configure the IPsec tunnel lifetime. Use the show crypto map command to verify the
crypto map configuration. To apply the crypto map, enter interface configuration mode
for the outbound interface and configure the crypto map map-name command.
IPsec VPN

 After the ISAKMP and IPsec policies are configured, and the crypto map is applied to
the appropriate outbound interfaces, test the two tunnels by sending interesting traffic
across the link. An extended ping will effectively test the VPN configuration. To verify
that tunnels have been established, use the show crypto isakmp sa and show crypto
ipsec sa commands.
MODULE 20: INTRODUCTION TO THE ASA
20.1 ASA SOLUTIONS
20.1.1 ASA FIREWALL MODELS

 An IOS router firewall solution is appropriate for small branch deployments and for
administrators who are experienced with Cisco IOS. However, an IOS firewall solution
does not scale well and typically cannot meet the needs of a large enterprise.
 The Cisco ASA with FirePOWER Services family of products provides dedicated
firewall services in one device. These are next-generation firewall (NGFW) devices that
deliver integrated threat defence across the entire attack continuum.
 There are several ASA models addressing the needs of various organizations. Cisco
ASA devices scale to meet a range of requirements and network sizes. The choice of
ASA model depends on an organization’s requirements, such as maximum throughput,
maximum connections per second, and budget.
 The following figures display these models and their stateful inspection throughput.
 All models provide advanced stateful firewall features and VPN functionality. The
biggest difference between the models is the maximum traffic throughput handled by
each model and the number and types of interfaces.
o Cisco Firepower 1000: This model is suitable for small office and home office
(SOHO) and small business.
o Cisco Firepower 2100: These models are intended for the Internet edge of
medium to large businesses.
o Cisco Firepower 4100: This figure displays a 4100 series ASA that is intended
for large campus and data center use.
o Cisco Firepower 9300: Designed for service providers and high-performance
data centres, the 9300 appliance delivers carrier-grade performance in a
modular chassis. It creates separate logical firewalls for deployment flexibility,
quickly inspects encrypted traffic, gains application visibility, detects and
blocks network intrusions, deploys scalable VPNs, and provides integrated
protection against DDoS attacks. Devices can be clustered for performance and
high availability.
 Cisco also supports the virtualization of computing infrastructure by taking advantage
of the increased power availability of modern x86 servers. The Cisco Adaptive Security
Virtual Appliance (ASAv) brings the power of ASA appliances to the virtual domain. A
server hypervisor can create a virtual switch capable of supporting many types of virtual
machines (VMs). The Cisco ASAv operates as a VM using the server’s interfaces to
process traffic.
 Like the physical Cisco ASA devices, the ASAv also supports site-to-site VPN, remote-
access VPN, and clientless VPN functionalities.
 Note: The ASAv does not support clustering and multiple contexts.
 To provide a suitable fit for customer needs, Cisco ASAv is available in five models:
o Cisco ASAv5 - This appliance requires 2 GB of memory and delivers up to 100
Mbps of stateful inspection throughput.
o Cisco ASAv10 - This appliance requires 4 GB of memory and delivers up to 1
Gbps of stateful inspection throughput.
o Cisco ASAv30 - This appliance requires 8 GB of memory and delivers up to 2
Gbps of stateful inspection throughput.
o Cisco ASAv50 - This appliance requires 16 GB of memory and delivers up to
10 Gbps of stateful inspection throughput.
o Cisco ASAv100 - This appliance requires 32 GB of memory and delivers up to
20 Gbps of stateful inspection throughput.
 Note: The focus of this module will be on the ASA 5506-X which is designed for small
business, branch office, and enterprise teleworker implementations.

20.1.2 VIDEO – CISCO ASA NEXT-GENERATION FIREWALL APPLIANCES

20.1.3 ADVANCED ASA FIREWALL FEATURES


ASA virtualisation

 As illustrated, a single ASA can be partitioned into multiple virtual devices. Each
virtual device is called a security context. Each context is an independent device, with
its own security policy, interfaces, and administrators. Multiple contexts are similar to
having multiple standalone devices. Many features are supported in multiple context
modes, including routing tables, firewall features, IPS, and management. Some features
are not supported, including VPN and dynamic routing protocols.
High availability with failover

 As shown here, two identical ASAs can be paired into an active / standby failover
configuration to provide device redundancy. Both platforms must be identical in
software, licensing, memory, and interfaces, including the Security Services Module
(SSM). In the example, ASA-1 is the primary/active forwarding device and traffic
leaving PC-1 takes the preferred path using ASA-1. ASA-1 and ASA-2 monitor each
other using the LAN failover link. If ASA-1 fails, then ASA-2 would immediately
assume the primary role and become active.
Identity Firewall

 The ASA provides optional, granular access control based on an association of IP
addresses to Windows Active Directory login information. For example, in the figure,
when a client attempts to access the server resources, it must first be authenticated using
the Microsoft Active Directory Identity-based firewall services. These services enhance
the existing access control and security policy mechanisms by allowing users, or
groups, to be specified in place of source IP addresses. Identity-based security policies
can be interleaved without restriction between traditional IP address-based rules.
Threat control and containment services

 All ASA models support basic IPS features. However, advanced IPS features can only
be provided by integrating special hardware modules with the ASA architecture. IPS
capability is available using the Advanced Inspection and Prevention (AIP) modules.
Antimalware capabilities can be deployed by integrating the Content Security and
Control (CSC) module. The Cisco Advanced Inspection and Prevention Security
Services Module (AIP-SSM) and Cisco Advanced Inspection and Prevention Security
Services Card (AIP-SSC) deliver protection against tens of thousands of known
exploits. They also protect against millions of other unknown exploit variants using
specialized IPS detection engines and thousands of signatures. Cisco Services for IPS
provides signature updates through a global intelligence team that is working 24 hours a
day to help ensure protection against the latest threats.

20.1.4 CISCO FIREPOWER SERIES

 Traditionally, organizations used dedicated devices to protect their network. The Cisco
next-generation firewall (NGFW) combines proven firewall technology with advanced
threat and malware detection capabilities.
 These NGFWs consolidate multiple security layers into a single platform, eliminating
the cost of buying and managing multiple solutions. This integrated approach combines
best-in-class security technology with multilayer protection that is integrated into a
single device.
 The Cisco ASA 5500-X with FirePOWER Services devices are part of the new Cisco
NGFWs. Designed for small to medium branch offices, the ASA 5500-X with
FirePOWER Services merges the ASA 5500 stateful firewall features with some of the
following advanced threat and malware detection capabilities:
o Next-generation IPS (NGIPS)
o Advanced Malware Protection (AMP)
o Application control and URL filtering
 Note: “FirePOWER” refers to the Firepower services running on an ASA while
“Firepower” refers to Cisco Firepower series of NGFW devices.

20.1.5 VIDEO – CISCO FTD: THREAT CENTRIC NGFW

20.1.6 REVIEW OF FIREWALLS IN NETWORK DESIGN

 When discussing networks that are connected to a firewall, there are some general terms
to consider:
o Outside network - The network/zone that is outside the protection of the
firewall.
o Inside network - The network/zone that is protected and behind the firewall.
o DMZ - The demilitarized zone that allows both inside and outside users access
to protected network resources.
 Firewalls protect inside networks from unauthorized access by users who are on an
outside network. They also protect inside network users from each other. For example,
by creating zones, an administrator can keep the network that is hosting the accounting
servers separate from other networks in an organization.
 The figure illustrates how these zones interact for permitted traffic:
o Traffic originating from the inside network going to the outside network is
permitted.
o Traffic originating from the inside network going to the DMZ network is
permitted.
o Traffic originating from the outside network going to the DMZ network is
selectively permitted.
 The figure below illustrates how these zones interact for denied traffic:
o Traffic originating from the outside network going to the inside network is
denied.
o Traffic originating from the DMZ network going to the inside network is
denied.
 Cisco ISRs can provide firewall features by using either the Zone-Based Policy Firewall
(ZPF) or by using the older context-based access control (CBAC) feature. An ASA
provides the same features, but the configuration differs considerably from the IOS
router configuration of the ZPF.
 The ASA is a dedicated firewall appliance. By default, it treats a defined inside
interface as the trusted network and any defined outside interfaces as untrusted
networks.
 Each interface has an associated security level. These security levels enable the ASA to
implement security policies. For example, inside users can access outside networks
based on certain addresses, by requiring authentication or authorization, or by
coordinating with an external URL filtering server.
 Note: Security levels are sometimes called trust levels. In this course, we will use the
term security levels.
 Network resources that are needed by outside users, such as a web or FTP server, can
be located in a DMZ. The firewall allows limited access to the DMZ while protecting
the inside network from outside users.

20.1.7 ASA FIREWALL MODES OF OPERATION
 There are two firewall interface modes of operation available on ASA devices: routed
mode and transparent mode.

Routed Mode
 In routed mode, two or more interfaces separate Layer 3 networks (i.e., domains). In the
figure, the ASA is considered to be a router hop in the network and can perform NAT
between connected networks. Routed mode supports multiple interfaces. Each interface
is on a different subnet and requires an IP address on that subnet. The ASA applies
policies to flows as they transit the firewall.
 Note: The focus of this module is on the routed mode.

Transparent Mode
 An ASA in transparent mode is often referred to as a “bump in the wire,” or a “stealth
firewall” because the ASA functions like a Layer 2 device and is not considered a router
hop. In the figure below, the ASA is only assigned an IP address on the local network
for management purposes. This mode is useful to simplify a network configuration, or
when the existing IP addressing cannot be altered. However, the drawbacks include no
support for dynamic routing protocols, VPNs, QoS, or DHCP Relay.

20.1.8 ASA LICENSING REQUIREMENTS
 A license specifies the options that are enabled on a given ASA. Most ASA appliances
come pre-installed with either a Base license or a Security Plus license. For example,
the Cisco ASA 5506-X model comes with a Base license and the option to upgrade to
the Security Plus license. The Security Plus upgrade license enables the Cisco ASA
5506-X to scale to support a higher connection capacity and up to 50 IPsec VPN users.
It adds full DMZ support and integrates into switched network environments through
VLAN trunking support. Furthermore, the Security Plus license enables support for
redundant ISP connections and stateless active/standby high-availability services. This
feature helps to ensure business continuity.
 To provide more features to the ASA, additional time-based or optional licenses can be
purchased. For example, an administrator can install a Botnet Traffic Filter time-based
license that is valid for one year. Another example would be if the ASA must handle a
short-term surge in the number of concurrent SSL VPN users. In this case, an optional
AnyConnect Premium license can be purchased.
 Combining these additional licenses with the pre-installed licenses creates a permanent
license. The permanent license is then activated by installing a permanent activation key
using the activation-key command. The permanent activation key includes all licensed
features in a single key. A product activation key can be purchased from a Cisco
account representative.
 Note: Only one permanent license key can be installed. After it is installed, it is referred
to as the running license.
 To verify the license information on an ASA device, use the show activation-key
command, as shown below, or the show version command.
NETSEC-ASA# show activation-key
Serial Number: JAD242301E6
Running Permanent Activation Key: 0x1e14e468 0x7c715e6b 0xcc71d1f4 0x9de81084 0x4e143eb6

Licensed features for this platform:
Maximum Physical Interfaces       : Unlimited      perpetual
Maximum VLANs                     : 5              perpetual
Inside Hosts                      : Unlimited      perpetual
Failover                          : Disabled       perpetual
Encryption-DES                    : Enabled        perpetual
Encryption-3DES-AES               : Enabled        perpetual
Carrier                           : Disabled       perpetual
AnyConnect Premium Peers          : 2              perpetual
AnyConnect Essentials             : Disabled       perpetual
Other VPN Peers                   : 10             perpetual
Total VPN Peers                   : 12             perpetual
AnyConnect for Mobile             : Disabled       perpetual
AnyConnect for Cisco VPN Phone    : Disabled       perpetual
Advanced Endpoint Assessment      : Disabled       perpetual
Shared License                    : Disabled       perpetual
Total TLS Proxy Sessions          : 2              perpetual
Botnet Traffic Filter             : Disabled       perpetual
Cluster                           : Disabled       perpetual

This platform has a Base license.

The flash permanent activation key is the SAME as the running permanent key.
NETSEC-ASA#

20.2 THE ASA 5506-X WITH FirePOWER SERVICES

20.2.1 OVERVIEW OF ASA 5506-X
 The Cisco ASA 5506-X is a full-featured security appliance for small businesses,
branch offices, and enterprise teleworker environments. It delivers a high-performance
firewall, SSL VPN, IPsec VPN, and rich networking services in a modular, plug-and-
play appliance.
 The figure illustrates the front panel of the ASA 5506-X.
 The figure below illustrates the back panel of the Cisco ASA 5506-X. The default
DRAM memory is 4 GB and the default internal flash memory is 8 GB. In a failover
configuration, the two units must be identical models with the same hardware
configuration, the same number and types of interfaces, and the same amount of RAM.
Failover is available with the Security Plus license.
 The figure below shows the inside components of the Cisco ASA 5506-X.
 Note: Unlike the ASA 5506-X, which uses routed interfaces and IP addresses, the ASA
5505 used switchports and VLANs similar to a Layer 2 switch.

20.2.2 ASA SECURITY LEVELS
 The ASA assigns security levels to distinguish between inside and outside networks.
Security levels define the level of trustworthiness of an interface. The higher the level,
the more trusted the interface. The security level numbers range from 0 (untrustworthy)
to 100 (very trustworthy). Each operational interface must have a name and a security
level from 0 (lowest) to 100 (highest) assigned.
 As shown in the figure below, level 100 should be assigned to the most secure network,
such as the inside network. Level 0 can be assigned to the outside network, which is
connected to the Internet. DMZs and other networks can be assigned a security level
between 0 and 100. When traffic moves from an interface with a higher security level to
an interface with a lower security level, it is considered outbound traffic. Conversely,
traffic moving from an interface with a lower security level to an interface with a higher
security level is considered inbound traffic.
 Security levels help to control many aspects of network traffic as shown in the table
below.

Aspect                 Effect
Network Access         By default, there is an implicit permit from a higher security interface
                       to a lower security interface (outbound). Hosts on the higher security
                       interface can access hosts on a lower security interface. Multiple
                       interfaces can be assigned the same security level. If communication is
                       enabled for interfaces with the same security level, there is an implicit
                       permit for traffic between the interfaces.
Inspection Engines     Some application inspection engines are dependent on the security level.
                       When interfaces have the same security level, the ASA inspects traffic in
                       either direction.
Application Filtering  HTTPS and FTP filtering applies only for outbound connections that are
                       from a higher level to a lower level. If communication is enabled for
                       interfaces with the same security level, traffic can be filtered in either
                       direction.

 Outbound traffic is allowed and inspected by default. Returning traffic is allowed
because of stateful packet inspection. For example, internal users on the inside interface
can easily access resources on the DMZ. They can also initiate connections to the
Internet with no restrictions and without the need for an additional policy or additional
commands. However, traffic that is coming from the outside network and going into
either the DMZ or the inside network is denied by default. Return traffic, originating on
the inside network and returning via the outside interface, would be allowed. Any
exception to this default behaviour requires configuration of an ACL to explicitly
permit traffic from an interface with a lower security level to an interface with a higher
security level, for example outside to inside.

20.2.3 ASA 5506-X DEPLOYMENT SCENARIOS
 The ASA 5506-X is commonly used as an edge security device. It connects a small
business to an ISP device, such as a DSL or cable modem, for access to the internet. It
can be deployed to interconnect and protect several workstations, network printers, and
IP phones.
 In a small branch, a common deployment would include an inside network with security
level 100 and an outside network with security level 0, as shown in the figure below.
 In the small business, as shown below, the ASA 5506-X can be deployed with two
different protected network segments. One segment is the inside network, which
connects workstations and IP phones. The other segment is the DMZ, which connects a
company web server. The outside interface is used to connect to the internet.
 In an enterprise deployment, as shown here, the ASA 5506-X can be used by
telecommuters and home users to connect to a centralized location using a VPN.

20.3 INTRODUCTION TO THE ASA SUMMARY

20.3.1 WHAT DID I LEARN IN THIS MODULE?
ASA Solutions
 The Cisco ASA with FirePOWER Services family of products provides dedicated
firewall services in one device. These are NGFW devices that deliver integrated threat
defence across the entire attack continuum. The choice of ASA model depends on an
organization’s requirements, such as maximum throughput, maximum connections per
second, and budget. The Cisco ASAv brings the power of ASA appliances to the virtual
domain. When discussing networks connected to a firewall, there are some general
terms to consider: outside network, inside network, and the DMZ.
 There are two firewall interface modes of operation available on ASA devices: routed
mode and transparent mode. In routed mode, two or more interfaces separate Layer 3
networks, i.e. domains. An ASA in transparent mode is often referred to as a “bump in
the wire,” or a “stealth firewall” because the ASA functions like a Layer 2 device and is
not considered a router hop. Advanced ASA firewall features include ASA
virtualization, high availability with failover, identity firewall, and threat control and
containment services. Most ASA appliances come pre-installed with either a Base
license or a Security Plus license.
The ASA 5506-X with FirePOWER Services
 The Cisco ASA 5506-X is a full-featured security appliance for small businesses,
branch offices, and enterprise teleworker environments. It delivers a high-performance
firewall, SSL VPN, IPsec VPN, and rich networking services in a plug-and-play
appliance. The ASA assigns security levels to distinguish between inside and outside
networks. The security level numbers range from 0 (untrustworthy) to 100 (very
trustworthy). Outbound traffic is allowed and inspected by default. Returning traffic is
allowed because of stateful packet inspection. The ASA 5506-X is commonly used as
an edge security device. It connects a small business to an ISP device, such as a DSL or
cable modem, for access to the internet.

MODULE 21: ASA FIREWALL CONFIGURATION

21.1 ASA FIREWALL CONFIGURATION
21.1.1 BASIC ASA SETTINGS
 The ASA command line interface (CLI) is a proprietary OS, which has a similar look
and feel to the router IOS. For example, the ASA CLI contains command prompts
similar to that of a Cisco IOS router, as shown in the figure. Like the IOS CLI, the
ASA CLI also recognizes the following:
o Abbreviation of commands and keywords
o Use of the Tab key to complete a partial command
o Use of the help key (?) after a command to view additional syntax
 However, the ASA CLI also has different commands. The table contrasts common IOS
router and ASA commands:

IOS Router Command                     Equivalent ASA Command
enable secret password                 enable password password
line vty 0 4                           passwd password
 password password
 login
ip route                               route if_name
show ip interface brief                show interface ip brief
show ip route                          show route
show ip nat translations               show xlate
copy running-config startup-config     write [memory]
erase startup-config                   write erase

 ASA CLI commands can be executed regardless of the current configuration mode
prompt. The IOS command do is neither required nor recognized. The following examples
display some features unique to the ASA.
 Note: All ASA models can be configured and managed using either the CLI or the
Adaptive Security Device Manager (ASDM). The focus of this module is on ASA CLI.
ASDM is discussed in an optional topic at the end of this module.

21.1.2 ASA DEFAULT CONFIGURATION
 The ASA 5506-X with FirePOWER Services ships with a default configuration that, in
most instances, is sufficient for a basic SOHO deployment.
 Note: The ASA can be restored to its factory default configuration by using the
configure factory-default global configuration mode command.
 The default hostname is ciscoasa. By default, the privileged EXEC and console line
passwords are not configured. All interfaces are shutdown and unnamed. The default
configuration is partially displayed in the example. These settings can be changed by:
o Manually using the CLI
o Interactively using the CLI Setup Initialization wizard
o Using the ASDM Startup wizard
hostname ciscoasa
enable password 8Ry2YjIyt7RRXU24 encrypted
names
no mac-address auto
!
interface GigabitEthernet1/1
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet1/2
 shutdown
 no nameif
 no security-level
 no ip address
!
<output omitted>
interface Management1/1
 management-only
 shutdown
 no nameif
 no security-level
 no ip address
!
ftp mode passive
pager lines 24
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
arp rate-limit 16384
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 sctp 0:02:00 icmp 0:00:02
<output omitted>

21.1.3 ASA INTERACTIVE SETUP INITIALISATION WIZARD
 The ASA provides an interactive setup initialization wizard to simplify the initial
configuration of the device. The wizard guides the administrator to configure basic
settings using interactive prompts.
 The wizard is displayed when there is no startup configuration, or if the startup
configuration is erased and the ASA is rebooted using the write
erase and reload privileged EXEC commands.
 When the device is rebooted, the ASA wizard displays the prompt “Pre-configure
Firewall now through interactive prompts [yes]?” To cancel and display the ASA
default user EXEC mode prompt, enter no. Otherwise, enter yes or simply
press Enter to accept the default [yes]. This initiates the wizard and the ASA
interactively guides an administrator to configure the default settings.
 The following shows an example of an interactive configuration.
 Note: The security appliance displays the default values in brackets ([ ]) before
prompting the user to accept or change them. To accept the default input, press Enter.
Pre-configure Firewall now through interactive prompts [yes]? <Enter>
Firewall Mode [Routed]: <Enter>
Enable password [<use current password>]: cisco
Allow password recovery [yes]? <Enter>
Clock (UTC):
  Year [2021]:
  Month [Feb]:
  Day [9]:
  Time [11:21:11]:
Management IP address: 192.168.1.1
Management network mask: 255.255.255.0
Host name: NETSEC-ASA
Domain name: netsec.com
IP address of host running Device Manager: 192.168.1.100

The following configuration will be used:
Enable password: cisco
Allow password recovery: yes
Clock (UTC): 11:21:11 Feb 9 2021
Firewall Mode: Routed
Management IP address: 192.168.1.1
Management network mask: 255.255.255.0
Host name: NETSEC-ASA
Domain name: netsec.com
IP address of host running Device Manager: 192.168.1.100

Use this configuration and save to flash? [yes] <Enter>

 After the interactive portion of the wizard is completed, the security appliance displays
the summary of the new configuration and prompts the user to save or reject the
settings. Answering yes saves the configuration to flash and displays the configured
hostname prompt. Answering no restarts the Setup Initialization wizard from the
beginning with any changes that had been made as the new default settings. This
enables the administrator to correct a misconfigured setting.
 Although the wizard provides the basic configuration settings, most administrators
prefer to manually configure the device using the CLI commands.

21.2 CONFIGURE MANAGEMENT SETTINGS AND SERVICES

21.2.1 ENTER GLOBAL CONFIGURATION MODE
 The default ASA user prompt of ciscoasa> is displayed when an ASA configuration is
erased, the device is rebooted, and the user does not use the interactive setup wizard.
 To enter privileged EXEC mode, use the enable user EXEC mode command. Initially,
an ASA does not have a password configured; therefore, when prompted, leave the
enable password prompt blank and press Enter.
 The ASA date and time should be set either manually or by using Network Time
Protocol (NTP). To set the date and time, use the clock set privileged EXEC command.
 Enter global configuration mode using the configure terminal privileged EXEC
command. The first time that global configuration mode is accessed, a message
pertaining to the Smart Call Home feature appears. This allows activation of
anonymous error reporting to Cisco regarding the status and health of the device. Other
Smart Call Home features are accessed in call-home configuration mode. These
features offer proactive diagnostics and real-time alerts on select Cisco devices, which
provide higher network availability and increased operational efficiency. To
participate, a cisco.com ID is required, and the ASA device must be registered under a
Cisco SMARTnet Service contract.
 Search the internet to learn more about Cisco Smart Call Home.
 An example of entering privileged EXEC and global configuration mode is shown
below. A simple configuration is entered, and the anonymous Smart Call Home prompt
is shown.
ciscoasa> enable
Password:
ciscoasa#
ciscoasa# clock set 12:00:00 1 April 2020
ciscoasa#
ciscoasa# configure terminal
ciscoasa(config)#

***************************** NOTICE *****************************

Help to improve the ASA platform by enabling anonymous reporting,
which allows Cisco to securely receive minimal error and health
information from the device. To learn more about this feature,
please visit: http://www.cisco.com/go/smartcall

Would you like to enable anonymous error reporting to help improve
the product? [Y]es, [N]o, [A]sk later: A
You will be reminded again in 7 days.

If you would like to enable this feature, issue the command
"call-home reporting anonymous".

Please remember to save your configuration.

ciscoasa(config)#

21.2.2 CONFIGURE BASIC SETTINGS
 An ASA must be configured with basic management settings. The table displays the
commands to accomplish this task.

ASA Command                              Description
hostname name                            Specifies a hostname up to 63 characters. A hostname must
                                         start and end with a letter or digit, and have as interior
                                         characters only letters, digits, or a hyphen.
domain-name name                         Sets the default domain name.
enable password password                 Sets the enable password for privileged EXEC mode. The
                                         password is a case-sensitive string of 3 to 32 alphanumeric
                                         and special characters (not including a question mark or a
                                         space).
banner motd message                      Provides legal notification and configures the system to
                                         display a message-of-the-day banner when connecting to the
                                         ASA.
key config-key password-encryption       Sets the passphrase, between 8 and 128 characters long, that
[new-pass [old-pass]]                    is used to generate the encryption key.
password encryption aes                  Enables password encryption and encrypts all user passwords.

 The example displays a basic configuration on an ASA 5506-X.
 Like the IOS CLI, legal notification is provided using the banner motd command.
However, the command is configured somewhat differently than the IOS version. To
configure a banner with several lines, the banner motd must be entered multiple times.
To remove a line(s), use the no banner motd message command.
 The privileged EXEC password is automatically encrypted using MD5. However,
stronger encryption using AES should be enabled. To do so, a primary passphrase must
be configured, and AES encryption must be enabled.
ciscoasa(config)# hostname NETSEC-ASA
NETSEC-ASA(config)# domain-name netsec.com
NETSEC-ASA(config)# enable password Cisco#123
NETSEC-ASA(config)#
NETSEC-ASA(config)# banner motd -----------------------------------------------
NETSEC-ASA(config)# banner motd Authorized access only!
NETSEC-ASA(config)# banner motd You have logged into a secure device.
NETSEC-ASA(config)# banner motd -----------------------------------------------
NETSEC-ASA(config)# banner motd
NETSEC-ASA(config)# exit
NETSEC-ASA# exit

Logoff

---------------------------------------------------------
Authorized access only!
You have logged into a secure device.
---------------------------------------------------------

Type help or '?' for a list of available commands.
NETSEC-ASA>

 The example displays a sample configuration for encrypting all user passwords.
 To change the Primary passphrase, use the key config-key password-
encryption command. To determine if password encryption is enabled, use the show
password encryption command.
NETSEC-ASA> enable
Password: *********
NETSEC-ASA# show password encryption
Password Encryption: Disabled
Master key hash: Not set(saved)
NETSEC-ASA#
NETSEC-ASA# configure terminal
NETSEC-ASA(config)# key config-key password-encryption cisco123
NETSEC-ASA(config)# password encryption aes
NETSEC-ASA(config)# exit
NETSEC-ASA#
NETSEC-ASA# show password encryption
Password Encryption: Enabled
Master key hash: 0x45ebef8e 0x77a0f287 0x90247f80 0x2a184246 0xe85cbcc4(not saved)
NETSEC-ASA# write
Building configuration...
Cryptochecksum: c2cb4c42 66ed8038 c81a3d7f c5df996e

6781 bytes copied in 0.260 secs
[OK]
NETSEC-ASA#

21.2.4 CONFIGURE INTERFACES
 The backplane of the ASA-5506-X is shown in the figure.
 The ASA-5506-X has eight Gigabit Ethernet interfaces that can be configured to carry
traffic from different networks. The G1/1 interface is used by convention as the outside
interface to the internet or other outside network. It is set to receive its IP address over
DHCP by default, because it is assumed that the interface will be connected to an ISP
that uses DHCP to address attached interfaces.
 The remaining interfaces, G1/2-G1/8, can be assigned to inside networks or DMZs. In
addition, a Gigabit Ethernet port (labelled GE MGMT in the figure) is dedicated to in-band
management of the ASA FirePOWER module. During configuration, it is designated as
Management1/1. Configuration of the ASA FirePOWER module is beyond the scope of
this course.
 In software versions 9.7 and later, individual ports can be combined into bridge groups
that make them act like switch ports on the same logical network. In this way, multiple
devices can be connected directly to the ASA 5506-X in the DMZ and inside logical
networks. This is done by configuring the ports in bridged virtual interfaces (BVI). The
BVI is then configured with a name, security-level, IP address and mask, and other
settings. To permit traffic between devices on different physical interfaces, the
same-security-traffic permit inter-interface global configuration command must be
configured. A drawback to using BVIs is that many commands, such as no shutdown,
must be configured on the individual interfaces. In addition, if an access list is to be
used on the BVI, the list must be grouped with each physical interface individually.
 The IP address of an interface can be configured using one of the following options:
o Manually - Commonly used to assign an IP address and mask to the interface.
o DHCP - Used when an interface is connecting to an upstream device providing
DHCP services. The interface can be a DHCP client and discover its IP address
and DHCP-related information from the upstream device.
o PPPoE - Used when an interface is connecting to an upstream DSL device
providing point-to-point connectivity over Ethernet services. The interface can
be a PPPoE client and discover its IP address from an upstream PPPoE DSL
device.
 The table lists the commands to configure an IP address on an interface:

To Configure   ASA Command                  Description
Manually       ip address ip-add netmask    Assigns an IP address to the interface.
Using DHCP     ip address dhcp              The interface will request an IP address
                                            configuration from the upstream device.
               ip address dhcp setroute     Used to have the interface request and install a
                                            default route to the upstream device.
Using PPPoE    ip address pppoe             Interface configuration mode command that requests
                                            an IP address from the upstream device.
               ip address pppoe setroute    Same command, but it also requests and installs a
                                            default route to the upstream device.

 Each interface must have a security level from 0 (lowest) to 100 (highest). For example,
you should assign your most secure network, such as the inside host network, to level
100, while the outside network connected to the Internet can be level 0. Other
networks, such as DMZs, can be in between. You can assign interfaces to the same
security level.
 The example displays a sample configuration. Notice how default security level values
are assigned to the inside and outside interfaces. Note that the DMZ interface is
assigned the same default security level as the outside untrusted network. Therefore, the
security-level command is really only required if an administrator chooses to change
those values. Any other interface should be assigned a security level value.
 The security level default behaviour is to implicitly permit traffic from a higher security
interface to a lower security interface outbound. Traffic is implicitly permitted between
interfaces with the same security level if the ASA has been configured to globally
permit this behaviour. Traffic from interfaces with lower security levels is implicitly
denied to interfaces with higher security levels.
 In the example, the outside interface is manually configured with an IP address.
However, many ISPs use DHCP to provide addresses to customer networks. In that case
use the ip address dhcp command to configure the outside interface.
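
The security-level rules summarised in the table under 20.2.2 and restated above, as an added example (my own code, not Cisco's or the course's): a flow is permitted from a higher to a lower level, between equal levels only when same-security-traffic permit inter-interface is configured, and from a lower to a higher level only when an ACL permits it, while the return half of a permitted connection is allowed by the stateful connection table. Interface names, addresses, levels and the DMZ web-server ACL are constructed to mirror the OUTSIDE/INSIDE/DMZ example in these notes.

```python
"""Toy model of the ASA security-level default policy (20.2.2 and 21.2.4).

Added illustration for these notes, not Cisco code: interface names, levels,
addresses and the DMZ ACL below are constructed to mirror the module example.
"""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Flow:
    """A packet's ingress/egress nameif plus its 5-tuple."""
    src_if: str
    dst_if: str
    proto: str
    src: str
    sport: int
    dst: str
    dport: int

    def reverse(self) -> "Flow":
        """The matching return packet: interfaces and endpoints swapped."""
        return Flow(self.dst_if, self.src_if, self.proto,
                    self.dst, self.dport, self.src, self.sport)


@dataclass
class AsaPolicyModel:
    levels: dict                                   # nameif -> security-level (0..100)
    same_security_inter_interface: bool = False    # same-security-traffic permit inter-interface
    acl_permits: set = field(default_factory=set)  # (in_if, proto, dst, dport) allowed by an ACL
    conns: set = field(default_factory=set)        # stateful connection table (permitted Flows)

    def direction(self, f: Flow) -> str:
        """Outbound = higher to lower level, inbound = lower to higher."""
        s, d = self.levels[f.src_if], self.levels[f.dst_if]
        if s > d:
            return "outbound"
        if s < d:
            return "inbound"
        return "same-level"

    def decide(self, f: Flow) -> tuple:
        """Return (permitted, reason); newly permitted connections are recorded."""
        # Stateful inspection: the return half of a recorded connection is allowed
        # regardless of security levels or ACLs.
        if f.reverse() in self.conns:
            return True, "return traffic of existing connection"
        where = self.direction(f)
        if where == "outbound":
            ok, why = True, "implicit permit, higher to lower security level"
        elif where == "same-level":
            ok = self.same_security_inter_interface
            why = ("same-security-traffic permit inter-interface configured" if ok
                   else "same security level, inter-interface traffic not enabled")
        else:  # inbound: denied unless an ACL on the ingress interface permits it
            ok = (f.src_if, f.proto, f.dst, f.dport) in self.acl_permits
            why = ("explicit ACL permit on lower-security interface" if ok
                   else "implicit deny, lower to higher security level")
        if ok:
            self.conns.add(f)
        return ok, why


def demo() -> dict:
    """Run the flows discussed in the notes and return each verdict by name."""
    asa = AsaPolicyModel(levels={"OUTSIDE": 0, "INSIDE": 100, "DMZ": 50})
    # Constructed exception: outside users may reach the DMZ web server on tcp/80.
    asa.acl_permits.add(("OUTSIDE", "tcp", "192.168.2.10", 80))
    web = Flow("INSIDE", "OUTSIDE", "tcp", "192.168.1.3", 51000, "203.0.113.10", 443)
    results = {
        "inside_to_internet": asa.decide(web),
        "internet_return": asa.decide(web.reverse()),
        "inside_to_dmz": asa.decide(Flow("INSIDE", "DMZ", "tcp", "192.168.1.3", 51001, "192.168.2.10", 80)),
        "outside_to_dmz_web": asa.decide(Flow("OUTSIDE", "DMZ", "tcp", "198.51.100.7", 40000, "192.168.2.10", 80)),
        "outside_to_dmz_ssh": asa.decide(Flow("OUTSIDE", "DMZ", "tcp", "198.51.100.7", 40001, "192.168.2.10", 22)),
        "outside_to_inside": asa.decide(Flow("OUTSIDE", "INSIDE", "tcp", "198.51.100.7", 40002, "192.168.1.3", 445)),
        "dmz_to_inside": asa.decide(Flow("DMZ", "INSIDE", "tcp", "192.168.2.10", 40003, "192.168.1.3", 445)),
    }
    # A second DMZ at the same level: denied until inter-interface traffic is
    # permitted globally, as the notes describe.
    asa.levels["DMZ2"] = 50
    pair = Flow("DMZ", "DMZ2", "tcp", "192.168.2.10", 40004, "192.168.3.10", 80)
    results["dmz_to_dmz2_default"] = asa.decide(pair)
    asa.same_security_inter_interface = True
    results["dmz_to_dmz2_enabled"] = asa.decide(pair)
    return results


if __name__ == "__main__":
    for name, (ok, why) in demo().items():
        verdict = "permit" if ok else "deny"
        print(f"{name:22} {verdict:6} {why}")
```
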
 The commands below are used to configure basic interface parameters:

ASA Command            Description
nameif if_name         Names the interface using a text string of up to 48 characters. The name
                       is not case-sensitive. You can change the name by re-entering this command
                       with a new value. Do not enter the no form, because that command causes
                       all commands that refer to that name to be deleted.
security-level value   Sets the security level, where value is an integer between 0 (lowest) and
                       100 (highest).
no shutdown            Activates the interface.

NETSEC-ASA(config)# interface g1/1
NETSEC-ASA(config-if)# nameif OUTSIDE
INFO: Security level for "OUTSIDE" set to 0 by default.
NETSEC-ASA(config-if)# security-level 0
NETSEC-ASA(config-if)# ip address 209.165.200.225 255.255.255.252
NETSEC-ASA(config-if)# no shutdown
NETSEC-ASA(config-if)# interface g1/2
NETSEC-ASA(config-if)# nameif INSIDE
INFO: Security level for "INSIDE" set to 100 by default.
NETSEC-ASA(config-if)# security-level 100
NETSEC-ASA(config-if)# ip address 192.168.1.1 255.255.255.0
NETSEC-ASA(config-if)# no shutdown
NETSEC-ASA(config-if)# interface g1/3
NETSEC-ASA(config-if)# nameif DMZ
INFO: Security level for "DMZ" set to 0 by default.
NETSEC-ASA(config-if)# security-level 50
NETSEC-ASA(config-if)# ip address 192.168.2.1 255.255.255.0
NETSEC-ASA(config-if)# no shutdown
NETSEC-ASA(config-if)# exit
NETSEC-ASA(config)#
 Verify the interface addressing and status with the show interface ip brief command as
shown below. Note that the show command can be entered directly from interface
configuration mode; it does not need to be entered from User EXEC mode.
NETSEC-ASA(config-if)# show interface ip brief
Interface                  IP-Address       OK? Method Status                Protocol
Virtual0                   127.1.0.1        YES unset  up                    up
GigabitEthernet1/1         209.165.200.225  YES manual down                  down
GigabitEthernet1/2         192.168.1.1      YES manual up                    up
GigabitEthernet1/3         192.168.2.1      YES manual up                    up
GigabitEthernet1/4         unassigned       YES unset  administratively down down
GigabitEthernet1/5         unassigned       YES unset  administratively down down
GigabitEthernet1/6         unassigned       YES unset  administratively down down
GigabitEthernet1/7         unassigned       YES unset  administratively down down
GigabitEthernet1/8         unassigned       YES unset  administratively down down
Internal-Control1/1        unassigned       YES unset  down                  down
Internal-Data1/1           unassigned       YES unset  down                  down
Internal-Data1/2           unassigned       YES unset  down                  down
Internal-Data1/3           unassigned       YES unset  up                    up
Internal-Data1/4           169.254.1.1      YES unset  up                    up
Management1/1              unassigned       YES unset  administratively down down
NETSEC-ASA(config-if)#

21.2.6 CONFIGURE A DEFAULT STATIC ROUTE
 If an ASA is configured as a DHCP client, then it can receive and install a default route
from the upstream device. Otherwise, a default static route must be configured using
the route interface-name 0.0.0.0 0.0.0.0 next-hop-ip-address command. To verify the
route entry, use the show route command.
 The example shows the configuration and verification of a default static route.
NETSEC-ASA(config)# route OUTSIDE 0.0.0.0 0.0.0.0 209.165.200.226
NETSEC-ASA(config)#
NETSEC-ASA(config)# show route | begin Gateway
Gateway of last resort is 209.165.200.226 to network 0.0.0.0

S*       0.0.0.0 0.0.0.0 [1/0] via 209.165.200.226, OUTSIDE
C        192.168.1.0 255.255.255.0 is directly connected, INSIDE
L        192.168.1.1 255.255.255.255 is directly connected, INSIDE
C        192.168.2.0 255.255.255.0 is directly connected, DMZ
L        192.168.2.1 255.255.255.255 is directly connected, DMZ
C        209.165.200.224 255.255.255.252 is directly connected, OUTSIDE
L        209.165.200.225 255.255.255.255 is directly connected, OUTSIDE
NETSEC-ASA(config)#

21.2.8 CONFIGURE REMOTE ACCESS SERVICES
 Telnet or SSH is required to manage the ASA 5506-X remotely, using the CLI. To
enable the Telnet service, use the commands listed in the table.
 Note: The aaa authentication telnet console LOCAL command overrides the
password set with the password command and authenticates the Telnet access against
the local database.

ASA Command                              Description
{passwd | password} password             Sets the login password, up to 80 characters in length, for
                                         Telnet.
telnet {ipv4_add mask |                  Identifies which inside host or network can Telnet to the
ipv6_add/prefix} if_name                 ASA interface. Use the clear configure telnet command to
                                         remove the Telnet connection.
telnet timeout minutes                   By default, Telnet sessions left idle for five minutes are
                                         closed by the ASA. The command alters the default exec
                                         timeout of five minutes.
aaa authentication telnet console LOCAL  Configures Telnet to refer to the local database for
                                         authentication. The LOCAL keyword is case sensitive and is
                                         a predefined server tag.
clear configure telnet                   Removes the Telnet connection from the configuration.

 The configuration in the example enables Telnet on an ASA 5506-X. In the example,
only the inside host with IP address 192.168.1.3 would be permitted to access the ASA.
The ASA will close the Telnet session if it is left idle for three minutes.
NETSEC-ASA(config)# password cisco
NETSEC-ASA(config)# telnet 192.168.1.3 255.255.255.255 INSIDE
NETSEC-ASA(config)# telnet timeout 3
NETSEC-ASA(config)#
NETSEC-ASA(config)# show run telnet
telnet 192.168.1.3 255.255.255.255 INSIDE
telnet timeout 3
NETSEC-ASA(config)#

 Telnet communications send everything in plaintext, including passwords. SSH traffic
is encrypted in a tunnel which helps protect passwords and other sensitive configuration
commands from interception. Therefore, for security reasons, remote access should
always be enabled using SSH. To enable SSH access, use the commands that are listed
in the table. To verify the SSH configuration, use the show ssh command.

ASA Command                              Description
username name password password          Creates a local database entry.
aaa authentication ssh console LOCAL     Configures SSH to refer to the local database for
                                         authentication. The LOCAL keyword is case sensitive and is
                                         a predefined server tag.
crypto key generate rsa modulus          Generates the RSA key required for SSH encryption. The
modulus_size                             modulus_size (in bits) can be 512, 768, 1024, 2048, 3072,
                                         or 4096. A value of at least 2048 is recommended.
ssh {ip_address mask |                   Identifies which inside host or network can SSH to the ASA
ipv6_address/prefix} if_name             interface. Multiple commands can be in the configuration.
                                         If the if_name is not specified, SSH is enabled on all
                                         interfaces except the outside interface. Use the clear
                                         configure ssh command to remove the SSH connection.
ssh version version_number               (Optional) By default, the ASA allows both SSH Version 1
                                         (less secure) and Version 2 (more secure). Enter this
                                         command in order to restrict the connections to a specific
                                         version.
ssh timeout minutes                      Alters the default exec timeout of five minutes.
clear configure ssh                      Removes the SSH connection from the configuration.

 In the example, SSH access is enabled on an ASA 5506-X. AAA authentication is
enabled and references the local user database. The RSA crypto key is generated using
2048 bits. Two inside hosts and an outside host are being permitted to access the ASA
and SSH version 2 is enabled.
NETSEC-ASA(config)# username ADMIN password class
NETSEC-ASA(config)# aaa authentication ssh console LOCAL
NETSEC-ASA(config)# crypto key generate rsa modulus 2048
WARNING: You have a RSA keypair already defined named <Default-RSA-Key>.

Do you really want to replace them? [yes/no]: y
Keypair generation process begin. Please wait...
NETSEC-ASA(config)# ssh 192.168.1.3 255.255.255.255 INSIDE
NETSEC-ASA(config)# ssh 192.168.1.4 255.255.255.255 INSIDE
NETSEC-ASA(config)# ssh 172.16.1.3 255.255.255.255 OUTSIDE
NETSEC-ASA(config)# ssh version 2
NETSEC-ASA(config)# show ssh
Timeout: 5 minutes
Version allowed: 2
Cipher encryption algorithms enabled: aes256-ctr aes256-cbc aes192-ctr aes192-cbc aes128-ctr aes128-cbc
Cipher integrity algorithms enabled: hmac-sha2-256
Hosts allowed to ssh into the system:
172.16.1.3 255.255.255.255 OUTSIDE
192.168.1.3 255.255.255.255 INSIDE
192.168.1.4 255.255.255.255 INSIDE
NETSEC-ASA(config)#

21.2.11 CONFIGURE NETWORK TIME PROTOCOL SERVICES

 Network Time Protocol (NTP) services can be enabled on an ASA to obtain the date
and time from an NTP server. To enable NTP, use the global configuration mode
commands listed in the table.
 To verify the NTP configuration and status, use the show ntp status and show ntp
associations commands.

ASA Command Description

ntp authenticate - Enables authentication with an NTP server.
ntp trusted-key key_id - Specifies an authentication key ID to be a trusted key, which is
required for authentication with an NTP server.
ntp authentication-key key_id md5 key - Sets a key to authenticate with an NTP server.
ntp server ip_address [ key key_id ] - Identifies an NTP server.

 The example shows how to enable NTP with authentication on an ASA 5506-X. The
configuration assumes that the NTP server has been configured with an authentication
key.
NETSEC-ASA(config)# ntp authenticate
NETSEC-ASA(config)# ntp trusted-key 1
NETSEC-ASA(config)# ntp authentication-key 1 sha-256 cisco123
NETSEC-ASA(config)# ntp server 192.168.1.254
NETSEC-ASA(config)#

21.2.13 CONFIGURE DHCP SERVICES

 An ASA can be configured to be a DHCP server to provide IP addresses and DHCP-
related information to hosts. To enable an ASA as a DHCP server and provide DHCP
services to hosts, use the commands listed in the table.

ASA Command Description

dhcpd address IP_address1 [ -IP_address2 ] if_name
o Creates a DHCP address pool in which IP_address1 is the start of the pool and
IP_address2 is the end of the pool, separated by a hyphen.
o The address pool must be on the same subnet as the ASA interface.

dhcpd dns dns1 [ dns2 ] - (Optional) Specifies the IP address(es) of the DNS server(s).

dhcpd lease lease_length
o (Optional) Changes the lease length granted to the client, which is the amount of
time in seconds that the client can use its allocated IP address before the lease
expires.
o The lease_length defaults to 3600 seconds (1 hour) but can be a value from 0 to
1,048,575 seconds.

dhcpd domain domain_name - (Optional) Specifies the domain name assigned to the client.

dhcpd enable if_name - Enables the DHCP server service (daemon) on the interface
(typically the inside interface) of the ASA.

 The example enables the DHCP service for inside clients on an ASA 5506-X.
 Note: If the ASA outside interface was configured as a DHCP client, then the dhcpd
auto_config OUTSIDE global configuration mode command can be used to pass the
DHCP-obtained information to the DHCP inside clients.
 To verify DHCP settings, use the following commands:
o show dhcpd state - Displays the current DHCP state for inside and outside
interfaces.
o show dhcpd binding - Displays the current DHCP bindings of inside users.
o show dhcpd statistics - Displays the current DHCP statistics.
 To clear the DHCP bindings or statistics, use the clear dhcpd binding or clear dhcpd
statistics command.
NETSEC-ASA(config)# dhcpd address 10.0.0.1-10.0.1.255 INSIDE
Warning, DHCP pool range is limited to 256 addresses, set address range as: 10.0.0.1-10.0.1.0
Address range subnet 10.0.0.1 or 10.0.1.0 is not the same as INSIDE interface subnet 192.168.1.1
NETSEC-ASA(config)# dhcpd address 192.168.1.10-192.168.1.250 INSIDE
NETSEC-ASA(config)# dhcpd lease 1800
NETSEC-ASA(config)#
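The two checks the ASA performed on the pool above (same subnet as the interface, at most 256 addresses) can be run before a pool is typed in. This is an added example, not code from the course or from Cisco; the interface address, mask and pool values are constructed, and the 256-address limit is the one the 5506-X reported in the output above.

```python
"""Added example (not from the course notes): pre-check a dhcpd address pool
the way the ASA output above did. The pool must lie inside the subnet of the
interface it is enabled on, and the range is capped at 256 addresses (the
limit the 5506-X reported), with the end address the ASA substitutes. The
dhcpd lease bounds from the table (0 to 1,048,575 seconds) are checked too.
Interface address, mask and pool values are constructed for the example."""
import ipaddress

POOL_LIMIT = 256        # limit printed in the ASA warning above
LEASE_MAX = 1_048_575   # seconds; upper bound of dhcpd lease


def check_dhcpd_pool(pool: str, if_name: str, if_addr: str, if_mask: str) -> dict:
    """pool is the START-END text typed in 'dhcpd address START-END if_name'.

    Returns the warnings the ASA would print and the range it would keep,
    so a bad pool is caught before it is configured."""
    start_txt, end_txt = pool.split("-")
    start = ipaddress.IPv4Address(start_txt)
    end = ipaddress.IPv4Address(end_txt)
    warnings = []
    if end < start:
        warnings.append(f"end address {end} precedes start address {start}")
        end = start
    if int(end) - int(start) + 1 > POOL_LIMIT:
        # The ASA shrinks the pool itself; surface the substituted range.
        end = start + (POOL_LIMIT - 1)
        warnings.append(f"DHCP pool range is limited to {POOL_LIMIT} addresses, "
                        f"set address range as: {start}-{end}")
    # Interface subnet from its address and network mask (host bits masked off).
    subnet = ipaddress.IPv4Network((if_addr, if_mask), strict=False)
    if start not in subnet or end not in subnet:
        warnings.append(f"Address range subnet {start} or {end} is not the same "
                        f"as {if_name} interface subnet {if_addr}")
    return {"ok": not warnings, "range": f"{start}-{end}", "warnings": warnings}


def check_lease(seconds: int) -> bool:
    """dhcpd lease accepts 0 to 1,048,575 seconds (default 3600)."""
    return 0 <= seconds <= LEASE_MAX


if __name__ == "__main__":
    # The two pools typed in the session above, against INSIDE 192.168.1.1/24.
    for pool in ("10.0.0.1-10.0.1.255", "192.168.1.10-192.168.1.250"):
        print(pool, check_dhcpd_pool(pool, "INSIDE", "192.168.1.1", "255.255.255.0"))
```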

21.3 OBJECT GROUPS


21.3.1 INTRODUCTION TO OBJECTS AND OBJECT GROUPS

 Objects are reusable components for use in configurations. Objects can be defined and
used in Cisco ASA configurations in place of inline IP addresses, services, names, and so
on. Objects make configurations easy to maintain because an object is modified in one
place and the change is reflected everywhere it is referenced. Without objects, the same
parameter would have to be modified in every feature that uses it instead of just once.
For example, if a network object defines an IP address and subnet mask, and you want to
change the address, you only need to change it in the object definition, not in every
feature that refers to that IP address; the change is automatically applied to all rules that
use the object.
 There are two types of objects that can be configured:
o Network object - A network object can contain a host, a network IP address, a
range of IP addresses, or a fully qualified domain name (FQDN). A network
object is configured using the object network command.
o Service object - Contains a protocol and optional source and/or destination
port. A service object is configured using the object service command.
 Note: A network object is required to configure NAT in ASA image versions 8.3 and
higher.
 Network object groups can contain multiple network objects as well as inline networks
or hosts. Network object groups can include a mix of both IPv4 and IPv6 addresses.
Objects can be attached or detached from one or more object groups when needed,
ensuring that the objects are not duplicated, but can be re-used wherever needed. These
objects can be used in NAT, access lists, and object groups. Network objects are a vital
part of configuring NAT and can greatly simplify ACLs.
 The ASA supports objects and object groups, as shown in the output in the following
example.
NETSEC-ASA(config)# object ?

configure mode commands/options:
network Specifies a host, subnet or range IP addresses
service Specifies a protocol/port
NETSEC-ASA(config)#
NETSEC-ASA(config)# object-group ?

configure mode commands/options:
icmp-type Specifies a group of ICMP types, such as echo
network Specifies a group of host or subnet IP addresses
protocol Specifies a group of protocols, such as TCP, etc
security Specifies identity attributes such as security-group
service Specifies a group of TCP/UDP ports/services
user Specifies single user, local or import user group
NETSEC-ASA(config)#

21.3.2 CONFIGURE NETWORK OBJECTS

 To create a network object, use the object network object-name global configuration
mode command. The prompt changes to network object configuration mode.
 Network objects can consist of the following:
o host - a host address
o fqdn - a fully-qualified domain name
o range - a range of IP addresses
o subnet - an entire IP network or subnet
 Commands available in network object configuration mode are shown in the table.
 Use the no form of any of these commands to remove a network object value. To erase
all network objects, use the clear config object network command.

ASA Command Description

attribute attribute-agent attribute-type attribute-value - Defined and used to filter
traffic associated with one or more virtual machines.
description - Enter a description of the object up to 200 characters in length.
fqdn - A fully-qualified domain name, such as www.example.com. Specify v4 to limit the
address to IPv4, and v6 for IPv6. If you do not specify an address type, IPv4 is assumed.
host ip-address - The IPv4 or IPv6 address of a single host.
range start_add end_add - A range of addresses. You can specify IPv4 or IPv6 ranges. Do
not include masks or prefixes.
subnet {ipv4_add ipv4_mask | ipv6_add/ipv6_prefix} - Assigns a network subnet to the
named object.

 The example displays a sample network object configuration. To verify, use the show
running-config object command. Notice that the configuration of range overwrites the
previous configuration of host.
NetSec-ASA(config)# object network EXAMPLE-1
NetSec-ASA(config-network-object)# host 192.168.1.3
NetSec-ASA(config-network-object)# exit
NetSec-ASA(config)# show run object
object network EXAMPLE-1
host 192.168.1.3
NetSec-ASA(config)# object network EXAMPLE-1
NetSec-ASA(config-network-object)# range 192.168.1.10 192.168.1.20
NetSec-ASA(config-network-object)# exit
NetSec-ASA(config)# show run object
object network EXAMPLE-1
range 192.168.1.10 192.168.1.20
NetSec-ASA(config)#

21.3.3 CONFIGURE SERVICE OBJECTS

 To create a service object, use the object service object-name global configuration
mode command. The prompt changes to service object configuration mode. The service
object can contain a protocol, ICMP, ICMPv6, TCP, or UDP port (or port ranges).
 The example displays service options available.
NETSEC-ASA(config)# object service EXAMPLE-2
NETSEC-ASA(config-service-object)#
NETSEC-ASA(config-service-object)# service ?

service-object mode commands/options:
<0-255> Enter protocol number (0 - 255)
ah
eigrp
esp
gre
icmp
icmp6
igmp
igrp
ip
ipinip
ipsec
nos
ospf
pcp
pim
pptp
sctp
snp
tcp
udp

configure mode commands/options:
call-home Enable or disable Smart Call-Home
internal Advanced settings (use only under Cisco supervision)
password-recovery Password recovery configuration
resetinbound Send reset to a denied inbound TCP packet
resetoutbound Send reset to a denied outbound TCP packet
resetoutside Send reset to a denied TCP packet to outside interface
sw-reset-button Configure software reset button
NETSEC-ASA(config-service-object)#

 The table provides an overview of common service options available. Optional
keywords are used to identify source port or destination port, or both. Operators such
as eq (equal), neq (not equal), lt (less than), gt (greater than), and range, support
configuring a port for a given protocol. If no operator is specified, the default operator
is eq.
 Use the no form of the command to remove a service object. To erase all service
objects, use the clear config object service command.

ASA Command Description

service protocol - Specifies an IP protocol name or number.
service tcp [source operator port] [destination operator port] - Specifies that the service
object is for the TCP protocol.
service udp [source operator port] [destination operator port] - Specifies that the service
object is for the UDP protocol.
service icmp [icmp-type [icmp_code]] - Specifies that the service object is for the ICMP
protocol.
service icmp6 [icmp-type [icmp_code]] - Specifies that the service object is for the
ICMPv6 protocol.

 The example displays a sample service object configuration. A service object name can
only be associated with one protocol and port (or ports). If an existing service object is
configured with a different protocol and port, the new configuration replaces the
existing protocol and port with the new ones.
 To verify, use the show running-config object service command.
NETSEC-ASA(config)# object service SERV-1
NETSEC-ASA(config-service-object)# service tcp destination eq ftp
NETSEC-ASA(config-service-object)# service tcp destination eq www
NETSEC-ASA(config-service-object)# exit
NETSEC-ASA(config)# show run object service
object service SERV-1
service tcp destination eq www
NETSEC-ASA(config)#

21.3.4 OBJECT GROUPS

 Objects can be grouped together to create an object group. By grouping like objects
together, an object group can be used in an access control entry (ACE) instead of
having to enter an ACE for each object separately.
 Note: A protocol object group can also be created. However, it is not recommended;
a service object group should be used instead.
 The following guidelines and limitations apply to object groups:
o Objects and object groups share the same name space.
o Object groups must have unique names.
o An object group cannot be removed or emptied if it is used in a command.
o The ASA does not support IPv6 nested object groups.
 There are five types of object groups.
o Network - A network-based object group specifies a list of IP host, subnet, or
network addresses.
o User - Locally created, as well as imported Active Directory user groups can be
defined for use in features that support the identity firewall.
o Service - A service-based object group is used to group TCP, UDP, or TCP and
UDP ports into an object. The ASA enables the creation of a service object
group that can contain a mix of TCP services, UDP services, ICMP-type
services, and any protocol, such as ESP, GRE, and TCP.
o ICMP-Type - The ICMP protocol uses unique types to send control messages
(RFC 792). The ICMP-type object group can group the necessary types
required to meet an organization’s security needs, such as to create an object
group called ECHO to group echo and echo-reply.
o Security - A security group object group can be used in features that support
Cisco TrustSec by including the group in an extended ACL, which in turn can
be used in an access rule.

21.3.5 CONFIGURE COMMON OBJECT GROUPS

 To configure a network object group, use the object-group network grp-name global
configuration mode command. After entering the command, add network objects to the
network group using the network-object and group-object commands.
 Note: A network object group cannot be used to implement NAT. A network object is
required to implement NAT.
 To configure an ICMP object group, use the object-group icmp-type grp-name global
configuration mode command. After entering the command, add ICMP objects to the
ICMP object group using the icmp-object and group-object commands.
 The example displays a sample network object group configuration.
NETSEC-ASA(config)# object-group network ADMIN-HOST
NETSEC-ASA(config-network-object-group)# description Administrative hosts
NETSEC-ASA(config-network-object-group)# network-object host 192.168.1.3
NETSEC-ASA(config-network-object-group)# network-object host 192.168.1.4
NETSEC-ASA(config-network-object-group)# exit
NETSEC-ASA(config)# object-group network ALL-HOSTS
NETSEC-ASA(config-network-object-group)# description All inside hosts
NETSEC-ASA(config-network-object-group)# network-object 192.168.1.32 255.255.255.240
NETSEC-ASA(config-network-object-group)# group-object ADMIN-HOST
NETSEC-ASA(config-network-object-group)# exit
NETSEC-ASA(config)# show run object-group
object-group network ADMIN-HOST
description Administrative host IP addresses
network-object host 192.168.1.3
network-object host 192.168.1.4
object-group network ALL-HOSTS
network-object 192.168.1.32 255.255.255.240
group-object ADMIN-HOST
NETSEC-ASA(config)#

 The example displays a sample ICMP-type object group configuration.
NETSEC-ASA(config)# object-group icmp-type ICMP-ALLOWED
NETSEC-ASA(config-icmp-object-group)# icmp-object echo
NETSEC-ASA(config-icmp-object-group)# icmp-object time-exceeded
NETSEC-ASA(config-icmp-object-group)# exit
NETSEC-ASA(config)# show running-config object-group id ICMP-ALLOWED
object-group icmp-type ICMP-ALLOWED
icmp-object echo
icmp-object time-exceeded
NETSEC-ASA(config)#

 To configure a service object group, use the object-group service grp-name global
configuration mode command. The service object group can define a mix of TCP
services, UDP services, ICMP-type services, and any protocol. After entering
the object-group service command, add service objects to the service group using
the service-object and group-object commands.
 To configure a service object group for TCP, UDP, or TCP and UDP, specify the option
in the object-group service grp-name [tcp | udp | tcp-udp] global configuration mode
command. When tcp, udp, or tcp-udp is optionally specified on the command line,
service defines a standard service object group of TCP/UDP port specifications, such as
"eq smtp" and "range 2000 2010." After entering the command, add port objects to the
service group with the port-object and group-object commands.
 To remove all the object groups from the configuration, use the clear configure
object-group global configuration mode command.
 To verify group object configurations, use the show running-config object-group
command.
 Practical examples of object groups will be presented when configuring ACLs and
NAT. The ASA does not support IPv6 nested object groups.
 The example displays a sample service object group configuration.
NETSEC-ASA(config)# object-group service SERVICES-1
NETSEC-ASA(config-service-object-group)# service-object tcp destination eq www
NETSEC-ASA(config-service-object-group)# service-object tcp destination eq https
NETSEC-ASA(config-service-object-group)# service-object tcp destination eq pop3
NETSEC-ASA(config-service-object-group)# service-object udp destination eq ntp
NETSEC-ASA(config-service-object-group)# exit
NETSEC-ASA(config)#
NETSEC-ASA(config)# object-group service SERVICES-2 tcp
NETSEC-ASA(config-service-object-group)# port-object eq www
NETSEC-ASA(config-service-object-group)# port-object eq smtp
NETSEC-ASA(config-service-object-group)# exit
NETSEC-ASA(config)#
NETSEC-ASA(config)# object-group service SERVICES-3 tcp
NETSEC-ASA(config-service-object-group)# group-object SERVICES-2
NETSEC-ASA(config-service-object-group)# port-object eq ftp
NETSEC-ASA(config-service-object-group)# port-object range 2000 2005
NETSEC-ASA(config-service-object-group)# exit
NETSEC-ASA(config)#
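Because group-object nests one group inside another, the addresses or ports an ACE will really match are only visible once the groups are flattened. The following is an added example (not the course's or Cisco's code) that parses object-group lines in the show run style used in 21.3.5 and resolves the nesting, and also answers the 21.3.4 rule that a group in use cannot be removed by listing who references it; the port-name mapping and SAMPLE_CONFIG are constructed from the examples above.

```python
"""Added example (not the course's or Cisco's code): parse object-group lines
in the show run object-group style shown above and flatten nested groups, so
the networks or ports an ACE referencing a group will really match can be
audited. Handles network groups (network-object host / network-object ADDR
MASK / group-object NAME) and tcp or udp port groups (port-object eq /
port-object range / group-object). PORT_NAMES and SAMPLE_CONFIG are
constructed from the examples in the notes, not captured from a device."""
import ipaddress

# Assumed name-to-port mapping for the well-known names used in the examples.
PORT_NAMES = {"www": 80, "http": 80, "https": 443, "smtp": 25, "ftp": 21,
              "pop3": 110, "ntp": 123}

# Reconstructed from the ADMIN-HOST/ALL-HOSTS output and the SERVICES-2/3
# definitions above (constructed input).
SAMPLE_CONFIG = """\
object-group network ADMIN-HOST
 description Administrative host IP addresses
 network-object host 192.168.1.3
 network-object host 192.168.1.4
object-group network ALL-HOSTS
 network-object 192.168.1.32 255.255.255.240
 group-object ADMIN-HOST
object-group service SERVICES-2 tcp
 port-object eq www
 port-object eq smtp
object-group service SERVICES-3 tcp
 group-object SERVICES-2
 port-object eq ftp
 port-object range 2000 2005
"""

def parse_object_groups(config: str) -> dict:
    """Return {name: {"kind": kind, "members": [[word, ...], ...]}}.

    Objects and groups share one name space and names must be unique, so a
    repeated group name is an error rather than a silent merge."""
    groups, current = {}, None
    for raw in config.splitlines():
        words = raw.split()
        if not words:
            continue
        if words[0] == "object-group":      # object-group <kind> <name> [tcp|udp|tcp-udp]
            if words[2] in groups:
                raise ValueError(f"duplicate object-group name {words[2]}")
            current = {"kind": words[1], "members": []}
            groups[words[2]] = current
        elif words[0] == "description" or current is None:
            continue                         # descriptions carry no match data
        else:
            current["members"].append(words)
    return groups

def _port(token: str) -> int:
    return PORT_NAMES[token] if token in PORT_NAMES else int(token)

def resolve_networks(name: str, groups: dict, seen: tuple = ()) -> set:
    """Flatten a network group into the set of IPv4Network it covers,
    following group-object references recursively."""
    if name in seen:
        raise ValueError(f"group-object cycle through {name}")
    nets = set()
    for m in groups[name]["members"]:
        if m[0] == "group-object":
            nets |= resolve_networks(m[1], groups, seen + (name,))
        elif m[0] == "network-object" and m[1] == "host":
            nets.add(ipaddress.IPv4Network(m[2] + "/32"))
        elif m[0] == "network-object":       # network-object ADDR MASK
            nets.add(ipaddress.IPv4Network((m[1], m[2])))
        else:
            raise ValueError(f"unsupported member: {' '.join(m)}")
    return nets

def resolve_ports(name: str, groups: dict, seen: tuple = ()) -> set:
    """Flatten a tcp/udp port group into the set of port numbers it covers."""
    if name in seen:
        raise ValueError(f"group-object cycle through {name}")
    ports = set()
    for m in groups[name]["members"]:
        if m[0] == "group-object":
            ports |= resolve_ports(m[1], groups, seen + (name,))
        elif m[0] == "port-object" and m[1] == "eq":
            ports.add(_port(m[2]))
        elif m[0] == "port-object" and m[1] == "range":
            ports |= set(range(_port(m[2]), _port(m[3]) + 1))
        else:
            raise ValueError(f"unsupported member: {' '.join(m)}")
    return ports

def referenced_by(name: str, groups: dict) -> set:
    """Groups that nest NAME via group-object. A group in use cannot be removed
    or emptied, so this is what a removal check must consult first."""
    return {g for g, spec in groups.items()
            if any(m[:2] == ["group-object", name] for m in spec["members"])}

if __name__ == "__main__":
    groups = parse_object_groups(SAMPLE_CONFIG)
    print(sorted(str(n) for n in resolve_networks("ALL-HOSTS", groups)))
    print(sorted(resolve_ports("SERVICES-3", groups)))
    print(referenced_by("ADMIN-HOST", groups))
```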

21.4 ASA ACLs


21.4.1 ASA ACLs

 The Cisco ASA 5506-X provides basic traffic filtering capabilities with ACLs. ACLs
control access in a network by preventing defined traffic from entering or exiting. In
addition, an ACL can be used to select traffic to which a feature will apply, thereby
performing a matching service rather than a control service.
 There are many similarities between ASA ACLs and IOS ACLs. For example, both are
made up of ACEs, processed sequentially from the top down, and there is an implicit
deny any at the bottom. Additionally, the rule of only one ACL per interface, per
protocol, per direction, still applies.
 ASA ACLs differ from IOS ACLs in that they use a network mask (e.g., 255.255.255.0)
instead of a wildcard mask (e.g. 0.0.0.255). Also most ASA ACLs are named instead of
numbered.
 These are the similarities between ASA ACLs and IOS ACLs:
o ACLs are made up of one or more ACEs. ACEs are applied to a protocol, a
source and destination IP address, a network, or the source and destination
ports.
o ACLs are processed sequentially from top down.
o A criteria match will cause the ACL to be exited.
o There is an implicit deny any at the bottom.
o Remarks can be added per ACE or ACL.
o Only one access list can be applied per interface, per protocol, per direction.
o ACLs can be enabled/disabled based on time ranges.
 These are the differences between ASA ACLs and IOS ACLs:
o The ASA uses a network mask (e.g., 255.255.255.0) and not a wildcard mask
(e.g. 0.0.0.255).
o ACLs are always named instead of numbered.
o By default, interface security levels apply access control without an ACL
configured.

21.4.2 TYPES OF ASA ACL FILTERING

 ACLs on a security appliance can be used not only to filter packets that are passing
through the appliance but also to filter packets destined for the appliance.
o Through-traffic filtering - Traffic that is passing through the security
appliance from one interface to another interface. The configuration is
completed in two steps. The first step is to set up an ACL. The second step is to
apply that ACL to an interface.
o To-the-box-traffic filtering - Also known as a management access rule, to-the-
box-traffic filtering applies to traffic that terminates at the ASA. They are
created to filter traffic that is destined for the control plane of the ASA. They
are completed in one step but require an additional set of rules to implement
access control.
 ASA devices differ from their router counterparts because of interface security levels.
By default, security levels apply access control without an ACL configured. For
instance, traffic from a more secure interface, such as security level 100, is allowed to
access less secure interfaces, such as level 0. Traffic from a less secure interface is
blocked from accessing more secure interfaces.
 For example, a host from the inside network with security level 100 can access the
outside interface with security level 0 as shown below.
 However, a host from an outside interface with security level 0 cannot access the inside
higher-level interface, as shown below. Less secure interfaces are blocked from
accessing more secure interfaces. If required, an ACL would have to be explicitly
configured to permit traffic from a lower security level to a higher security level.
 To allow connectivity between interfaces with the same security levels, the same-
security-traffic permit inter-interface global configuration mode command is
required. To enable traffic to enter and exit the same interface, such as when encrypted
traffic enters an interface and is then routed out the same interface unencrypted, use
the same-security-traffic permit intra-interface global configuration mode command.

21.4.3 TYPES OF ASA ACLs

 The ASA supports five types of access lists:
o Extended access list - The most common type of ACL. Contains one or more
ACEs to specify source and destination addresses and protocol, ports (for TCP
or UDP), or the ICMP type (for ICMP). They are used to filter traffic and to
identify traffic that should be handled by various features.
o Standard access list - Unlike IOS where a standard ACL identifies the source
host/network, ASA standard ACLs are used to identify the destination IP
addresses. They are typically only used for OSPF routes and can be used in a
route map for OSPF redistribution. Standard access lists cannot be applied to
interfaces to control traffic.
o EtherType access list - An EtherType ACL can be configured only if the
security appliance is running in transparent mode.
o Webtype access list - Used for filtering for clientless SSL VPN traffic. These
ACLs can deny access based on URLs or destination addresses.
o IPv6 access list - Used to determine which IPv6 traffic to block and which
traffic to forward at router interfaces.
 Use the help access-list privileged EXEC command to display the syntax for all of the
ACLs supported on an ASA platform.
 Note: The focus of this module is on extended ACLs.
 The tables below provide examples for the use of extended, standard, and IPv6 ACLs,
respectively.
 The table provides examples of the uses of extended ACLs:

ACL Use Description

Control network access for IP traffic - The ASA does not allow any traffic from a lower
security interface to a higher security interface unless it is explicitly permitted by an
extended access list.
Identify traffic for AAA rules - AAA rules use access lists to identify traffic.
Identify addresses for NAT - Policy NAT lets you identify local traffic for address
translation by specifying the source and destination addresses in an extended access list.
Establish VPN access - Extended access lists can be used in VPN commands.
Identify traffic for Modular Policy Framework (MPF)
o Access lists can be used to identify traffic in a class map, which is used for features
that support MPF.
o Features that support MPF include TCP, general connection settings, and inspection.

 The table provides examples of uses of standard ACLs.

ACL Use Description

Identify OSPF destination network in route maps
o Standard access lists include only the destination address.
o It can be used to control the redistribution of OSPF routes.
VPN filters - Filter traffic for LAN-to-LAN (L2L), Cisco VPN Client, and the Cisco
AnyConnect Secure Mobility Client traffic.

 The table provides an example for the use of IPv6 ACLs.

ACL Use Description

Control network access for IPv6 networks - Can be used to add and apply access lists to
control traffic in IPv6 networks.

21.4.4 SYNTAX FOR CONFIGURING AN ASA ACL

 The ACL configuration syntax options for the ASA can be a little overwhelming
considering the number of parameters supported, as shown in the partial output of
the help access-list command output shown in the example. These parameters not only
give an administrator full control over what to inspect, but also provide full logging
capabilities in order to analyse traffic flows at a later time.
NETSEC-ASA(config)# help access-list

USAGE:

Extended access list:
Use this to configure policy for IP traffic through the firewall

[no] access-list <id> [line <line_num>] [extended] {deny | permit}
{<protocol> | object-group
{<service_obj_grp_id> |
<protocol_obj_grp_id>} | object
<service_object_name>}
[user-group
[<domain_nickname>\\]<user_group_name> |
user [<domain_nickname>\]<user_name> |
object-group-user < object_group_user_name>]
[security-group {name <sgname> | tag <sgt>} |
object-group-security
<security_obj_grp_id>]
{host <sip> | <sip> <smask> | <sip-prefix> |
interface <ifc> | any | any4 | any6
object-group <network_obj_grp_id> |
object <network_obj_name>}
[<operator> <port> [<port>] |
object-group <service_obj_grp_id>]
[security-group {name <sgname> | tag <sgt>} |
object-group-security
<security_obj_grp_id>]
{host <dip> | <dip> <dmask> | <dip-prefix> |
interface <ifc> | any | any4 |any6
object-group <network_obj_grp_id> |
object <network_obj_name>}
[<operator> <port> [<port>] |
object-group <service_obj_grp_id>]
- More -
 There are many options that can be used with ACLs. However, for most needs, a more
useful and condensed version of the syntax is shown below.

 IOS and ASA ACLs have similar elements, but some options vary with the ASA. The
table describes elements of an ASA ACL.
 Note: Explanation of all ACL syntax is beyond the scope of this module and is not
explored further.

Element Description

ACL id - The name of the ACL. It can be any alphanumeric name up to 241 characters.
Action - Can be permit or deny.
Protocol - Can be IP for all traffic, or the name / IP protocol number (0-250) including
icmp (1), tcp (6), udp (17), or a protocol object-group.
Source
o Identifies the source and can be any, a host, a network, or a network object group.
o For to-the-box-traffic filtering, the interface keyword is used to specify the source
interface of the ASA.
Source port operator
o (Optional) Operand is used in conjunction with the source port.
o Valid operands include lt (less than), gt (greater than), eq (equal), neq (not equal), and
range for an inclusive range.
Source port - (Optional) Can be the actual TCP or UDP port number, select port names,
or service object group.
Destination
o Identifies the destination and, like the source, it can be any, a host, a network, or a
network object group.
o For to-the-box-traffic filtering, the interface keyword is used to specify the destination
interface of the ASA.
Destination port operator
o (Optional) Operand is used in conjunction with the destination port.
o Valid operands are the same as the source port operands.
Destination port - (Optional) Can be the actual TCP or UDP port number, select port
names, or service object group.
Log - Can set elements for syslog including severity level and log interval.
Time range - (Optional) Specify a time range for the ACE.

21.4.5 SYNTAX FOR APPLYING AN ASA ACL

 After the ACL is configured, the next step is to apply it to an interface in either the
inbound or the outbound direction. Applying an ACL is done in global configuration
mode.
 The example displays the command syntax and parameter description for applying the
ACL to an interface using the access-group command syntax.

ciscoasa(config)# access-group id { in | out } interface if_name [ per-user-override | control-plane ]

Syntax Description

access-group - Keyword used to apply an ACL to an interface.
id - The name of the actual ACL to be applied to an interface.
in - The ACL will filter inbound packets.
out - The ACL will filter outbound packets.
interface - Keyword to specify the interface to which to apply the ACL.
if_name - The name of the interface to which to apply an ACL.
per-user-override - Option that allows downloadable ACLs to override the entries on the
interface ACL.
control-plane - Keyword to specify whether the applied ACL analyzes traffic destined to
the ASA for management purposes.
 To verify ACLs, use the show access-list and show running-config access-list
commands.
 To erase a configured ACL, use the clear configure access-list id command.

21.4.6 ASA ACL EXAMPLES


ACL Example #1
NETSEC-ASA(config)# access-list ACL-IN extended permit ip any any
NETSEC-ASA(config)# access-group ACL-IN in interface INSIDE

 ACL allows all hosts on the inside network to go through the ASA.
 By default, all other traffic is denied unless explicitly permitted.

ACL Example #2
NETSEC-ASA(config)# access-list ACL-IN extended deny ip 192.168.1.0 255.255.255.0 209.165.201.0 255.255.255.224
NETSEC-ASA(config)# access-list ACL-IN extended permit ip any any
NETSEC-ASA(config)# access-group ACL-IN in interface INSIDE

 ACL prevents hosts on 192.168.1.0/24 from accessing the 209.165.201.0/27 network.
 Internal hosts are permitted access to all other addresses.
 All other traffic is implicitly denied.

ACL Example #3
NETSEC-ASA(config)# access-list ACL-IN extended permit ip 192.168.1.0 255.255.255.0 209.165.201.0 255.255.255.224
NETSEC-ASA(config)# access-group ACL-IN in interface INSIDE

 ACL allows hosts on 192.168.1.0/24 to access the 209.165.201.0/27 network.
 By default, all other traffic is denied unless explicitly permitted.

ACL Example #4
NETSEC-ASA(config)# access-list ACL-IN extended deny tcp any host 209.165.201.29 eq www
NETSEC-ASA(config)# access-list ACL-IN extended permit ip any any
NETSEC-ASA(config)# access-group ACL-IN in interface INSIDE

 ACL prevents all inside hosts from accessing a web service at 209.165.201.29.
 Internal hosts are permitted to access all other services at 209.165.201.29.
 Internal hosts are permitted access to all other addresses.
 All other traffic is implicitly denied.
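The rules stated in 21.4.1 and 21.4.2 (top-down first match, implicit deny, network masks rather than wildcards, security levels deciding when no ACL is applied) can be checked against the four examples above with a small model. This is an added example, not the course's or Cisco's code; it handles only the any / host / address-and-mask forms and a trailing eq port, and the port-name mapping and test packets are constructed.

```python
"""Added example (not the course's or Cisco's code): a Python model of how an
ASA evaluates an inbound extended ACL, following the rules the notes list:
ACEs are processed top-down, the first match ends evaluation, an implicit
deny sits at the bottom, masks are network masks (255.255.255.0) rather than
IOS wildcard masks, and with no access-group applied the interface security
levels decide. Supports the any / host / ADDR MASK address forms and a
trailing "eq <port>" as used in the examples above; source-port operators and
object groups are not modelled. Port names and packets are constructed."""
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Assumed name-to-port mapping for the port names used in the notes' examples.
PORT_NAMES = {"www": 80, "http": 80, "https": 443, "smtp": 25, "ftp": 21}

def is_network_mask(mask: str) -> bool:
    """True for a contiguous network mask; False for an IOS wildcard (0.0.0.255)."""
    m = int(ipaddress.IPv4Address(mask))
    return m == (0xFFFFFFFF << (32 - bin(m).count("1"))) & 0xFFFFFFFF

@dataclass(frozen=True)
class ACE:
    action: str                     # "permit" or "deny"
    protocol: str                   # "ip", "tcp", "udp" or "icmp"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dst_port: Optional[int] = None  # set only by a trailing "eq <port>"

@dataclass(frozen=True)
class Packet:
    protocol: str
    src: str
    dst: str
    dst_port: Optional[int] = None

def _take_address(tokens: list) -> ipaddress.IPv4Network:
    """Consume one address spec: any | host A.B.C.D | A.B.C.D MASK."""
    tok = tokens.pop(0)
    if tok == "any":
        return ipaddress.IPv4Network("0.0.0.0/0")
    if tok == "host":
        return ipaddress.IPv4Network(tokens.pop(0) + "/32")
    mask = tokens.pop(0)
    if not is_network_mask(mask):
        raise ValueError(f"{mask} is a wildcard mask; ASA ACEs take a network mask")
    return ipaddress.IPv4Network((tok, mask), strict=False)

def parse_ace(line: str) -> ACE:
    """Parse 'access-list <id> extended {permit|deny} <proto> <src> <dst> [eq <port>] [log]'."""
    tokens = line.split()
    if tokens[:1] != ["access-list"] or "extended" not in tokens:
        raise ValueError(f"not an extended ACE: {line}")
    tokens = tokens[tokens.index("extended") + 1:]
    action, protocol = tokens.pop(0), tokens.pop(0)
    src, dst = _take_address(tokens), _take_address(tokens)
    dst_port = None
    if tokens[:1] == ["eq"]:        # a trailing "log" keyword is accepted and ignored
        name = tokens[1]
        dst_port = PORT_NAMES[name] if name in PORT_NAMES else int(name)
    return ACE(action, protocol, src, dst, dst_port)

def load_acl(lines) -> list:
    """Parse the ACEs of one ACL in configuration order, skipping remark lines."""
    return [parse_ace(line) for line in lines if " remark " not in line]

def matches(ace: ACE, pkt: Packet) -> bool:
    return ((ace.protocol == "ip" or ace.protocol == pkt.protocol)
            and ipaddress.IPv4Address(pkt.src) in ace.src
            and ipaddress.IPv4Address(pkt.dst) in ace.dst
            and (ace.dst_port is None or ace.dst_port == pkt.dst_port))

def evaluate(acl: Optional[list], pkt: Packet, in_level: int, out_level: int) -> str:
    """'permit' or 'deny' for a packet arriving on an interface of security level
    in_level and leaving via one of level out_level. acl=None models an interface
    with no access-group applied, where the security levels alone decide."""
    if acl is None:
        # Same-level traffic also needs same-security-traffic permit
        # inter-interface, so only strictly higher-to-lower passes here.
        return "permit" if in_level > out_level else "deny"
    for ace in acl:                 # top-down; the first matching ACE exits
        if matches(ace, pkt):
            return ace.action
    return "deny"                   # implicit deny ip any any

# ACL Example #4 from the notes, applied inbound on INSIDE (security level 100).
EXAMPLE_4 = load_acl([
    "access-list ACL-IN extended deny tcp any host 209.165.201.29 eq www",
    "access-list ACL-IN extended permit ip any any",
])

if __name__ == "__main__":
    web = Packet("tcp", "192.168.1.5", "209.165.201.29", 80)
    print(evaluate(EXAMPLE_4, web, 100, 0))   # deny: the first ACE matches
    print(evaluate(None, Packet("tcp", "209.165.201.29", "192.168.1.5", 80), 0, 100))  # deny
```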

21.4.7 ACLs AND OBJECT GROUPS


 Consider the sample topology in the figure, in which access from two trusted remote
hosts, PC1 and PC2, should be allowed to the two internal web and email servers. All
other traffic attempting to pass through the ASA should be dropped and logged.

 The ACL displayed in the example below would require two ACEs for each PC to
accomplish the task. The implicit deny any drops and logs any packets that do not
match email or web services. As shown in the example, ACLs should always be
thoroughly documented using the remark command.
NETSEC-ASA(config)# access-list ACL-IN remark Permit PC-1 -> Server A for HTTP / SMTP
NETSEC-ASA(config)# access-list ACL-IN extended permit tcp host 209.165.201.1 host 209.165.202.131 eq http
NETSEC-ASA(config)# access-list ACL-IN extended permit tcp host 209.165.201.1 host 209.165.202.131 eq smtp
NETSEC-ASA(config)# access-list ACL-IN remark Permit PC-1 -> Server B for HTTP / SMTP
NETSEC-ASA(config)# access-list ACL-IN extended permit tcp host 209.165.201.1 host 209.165.202.132 eq http
NETSEC-ASA(config)# access-list ACL-IN extended permit tcp host 209.165.201.1 host 209.165.202.132 eq smtp
NETSEC-ASA(config)# access-list ACL-IN remark Permit PC-2 -> Server A for HTTP / SMTP
NETSEC-ASA(config)# access-list ACL-IN extended permit tcp host 209.165.201.2 host 209.165.202.131 eq http
NETSEC-ASA(config)# access-list ACL-IN extended permit tcp host 209.165.201.2 host 209.165.202.131 eq smtp
NETSEC-ASA(config)# access-list ACL-IN remark Permit PC-2 -> Server B for HTTP / SMTP
NETSEC-ASA(config)# access-list ACL-IN extended permit tcp host 209.165.201.2 host 209.165.202.132 eq http
NETSEC-ASA(config)# access-list ACL-IN extended permit tcp host 209.165.201.2 host 209.165.202.132 eq smtp
NETSEC-ASA(config)# access-list ACL-IN extended deny ip any any log
NETSEC-ASA(config)# access-group ACL-IN in interface OUTSIDE

 To verify the ACL syntax, use the show running-config access-list and show access-list
commands, as shown in the example. Note that the ASA stores the keyword http under its
alias www, so ACEs entered with eq http appear as eq www in the running configuration.
NETSEC-ASA(config)# show running-config access-list
access-list ACL-IN remark Permit PC-1 -> Server A for HTTP / SMTP
access-list ACL-IN extended permit tcp host 209.165.201.1 host
209.165.202.131 eq www
access-list ACL-IN extended permit tcp host 209.165.201.1 host
209.165.202.131 eq smtp
access-list ACL-IN remark Permit PC-1 -> Server B for HTTP / SMTP
access-list ACL-IN extended permit tcp host 209.165.201.1 host
209.165.202.132 eq www
access-list ACL-IN extended permit tcp host 209.165.201.1 host
209.165.202.132 eq smtp
access-list ACL-IN remark Permit PC-2 -> Server A for HTTP / SMTP
access-list ACL-IN extended permit tcp host 209.165.201.2 host
209.165.202.131 eq www
access-list ACL-IN extended permit tcp host 209.165.201.2 host
209.165.202.131 eq smtp
access-list ACL-IN remark Permit PC-2 -> Server B for HTTP / SMTP
access-list ACL-IN extended permit tcp host 209.165.201.2 host
209.165.202.132 eq www
access-list ACL-IN extended permit tcp host 209.165.201.2 host
209.165.202.132 eq smtp
access-list ACL-IN extended deny ip any any log
NETSEC-ASA(config)#
NETSEC-ASA(config)# show access-list ACL-IN brief
access-list ACL-IN; 9 elements; name hash: 0x44d1c580
NETSEC-ASA(config)#

21.4.8 ACL USING OBJECT GROUPS EXAMPLES

 Object grouping is a way to group similar items together to reduce the number of ACEs.
By grouping like objects together, object groups can be used in an ACL instead of
having to enter an ACE for each object separately. Without object grouping, the
security appliance configuration may contain thousands of lines of ACEs, which can
become difficult to manage.
 The example displays a condensed ACL syntax to use with the object groups example
on this page.
 The security appliance follows the multiplication factor rule when ACEs are defined.
For example, if two outside hosts need to access two internal servers running HTTP and
SMTP services, the ASA will have eight host-based ACEs. They should be calculated
as follows:
 Number of ACEs = (2 outside hosts) x (2 internal servers) x (2 services) = 8
 Object grouping can cluster network objects into one group and outside hosts into
another, as shown in the following syntax. The security appliance can also combine
both TCP services into a service object group.
ciscoasa(config)# access-list id extended { deny | permit } protocol object-group source_net-obj-grp_id object-group dest_net-obj-grp_id object-group service-obj-grp_id

 For example, consider the reference topology in the figure below. In the extended ACL
example on the previous page, this topology required a total of nine ACEs: the eight permit
ACEs and the explicit deny ip any any log ACE. Creating the following objects reduces the
permit portion of the ACL to a single ACE. The following object groups are created:
o Network object group named NET-HOSTS - Identifies two external hosts.
o Network object group named SERVERS - Identifies servers providing email
and web services.
o Service object group HTTP-SMTP - Identifies SMTP and HTTP protocols.

 The example displays the configuration that accomplishes the same result as the
extended ACL on the previous page using object groups.
 Note The previous ACL-IN ACE statements have been removed with the no access-
list command.
NETSEC-ASA(config)# object-group network NET-HOSTS
NETSEC-ASA(config-network-object-group)# description OG matches PC-
A and PC-B
NETSEC-ASA(config-network-object-group)# network-object host
209.165.201.1
NETSEC-ASA(config-network-object-group)# network-object host
209.165.201.2
NETSEC-ASA(config-network-object-group)# exit
NETSEC-ASA(config)#
NETSEC-ASA(config)# object-group network SERVERS
NETSEC-ASA(config-network-object-group)# description OG matches Web
/ Email Servers
NETSEC-ASA(config-network-object-group)# network-object host
209.165.202.131
NETSEC-ASA(config-network-object-group)# network-object host
209.165.202.132
NETSEC-ASA(config-network-object-group)# exit
NETSEC-ASA(config)#
NETSEC-ASA(config)# object-group service HTTP-SMTP tcp
NETSEC-ASA(config-service-object-group)# description OG matches
SMTP / WEB traffic
NETSEC-ASA(config-service-object-group)# port-object eq smtp
NETSEC-ASA(config-service-object-group)# port-object eq www
NETSEC-ASA(config-service-object-group)# exit
NETSEC-ASA(config)#
NETSEC-ASA(config)# access-list ACL-IN remark Only permit PC-A /
PC-B -> Internal Servers
NETSEC-ASA(config)# access-list ACL-IN extended permit tcp object-
group NET-HOSTS object-group SERVERS object-group HTTP-SMTP

 After object groups have been configured, they can be used in any ACL and in multiple
ACLs. A single ACE can allow trusted hosts to make specific service requests to a group of
internal servers.
 Two checks are worth making after the rewrite. First, confirm that the ACL is still bound
to the OUTSIDE interface with show access-group, and re-apply it with access-group ACL-IN
in interface OUTSIDE if it is not. Second, the object-group version above omits the explicit
deny ip any any log ACE; the implicit deny still drops unmatched traffic, but it does not log
it, so re-add the explicit deny if dropped packets must be recorded. Note also that show
access-list ACL-IN (without the brief keyword) lists the expanded element ACEs with their hit
counts, so the single object-group ACE still appears as eight elements.
 Although the configuration of object groups may seem tedious, the advantage is that
these objects can be reused in other ASA commands, and they can easily be altered. For
instance, if a new internal mail server needs to be added, then all that is required is to
edit the SERVERS object group.
 Note: Object groups can also be nested in other object groups.
 The example displays the final ACL configuration in the running configuration.
NETSEC-ASA(config)# show running-config access-list
access-list ACL-IN remark Only permit PC-A / PC-B -> Internal
Servers
access-list ACL-IN extended permit tcp object-group NET-HOSTS
object-group SERVERS object-group HTTP-SMTP
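The following is an added example, not code from the course notes or from Cisco. It is a small Python model of the two ACL behaviours described in 21.4.7 and 21.4.8: an ACL is searched top-down and the first matching ACE wins, with a silent implicit deny when nothing matches; and an ACE that references object groups expands to one element per (source, destination, port) combination, which is the multiplication rule behind the "9 elements" reported by show access-list brief. The parser handles only the ACE syntax used on this page, and the object groups and test packets are constructed to mirror the page's topology.

```python
"""ASA-style extended ACL evaluator with object-group expansion.

Added example, not code from the course notes or from Cisco. Only the
syntax used on the page is parsed; the groups and packets are constructed
to mirror the page's topology.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

PORTS = {"http": 80, "www": 80, "smtp": 25}   # the ASA stores http as www


@dataclass(frozen=True)
class ACE:
    action: str                    # "permit" or "deny"
    proto: str                     # "ip", "tcp" or "udp"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dport: Optional[int]           # None matches any destination port
    log: bool = False


def _net(tok: List[str], groups: dict) -> List[ipaddress.IPv4Network]:
    """Consume one address operand: any | host A | A MASK | object-group G."""
    t = tok.pop(0)
    if t == "any":
        return [ipaddress.ip_network("0.0.0.0/0")]
    if t == "host":
        return [ipaddress.ip_network(tok.pop(0) + "/32")]
    if t == "object-group":
        return list(groups[tok.pop(0)])
    mask = tok.pop(0)              # ASA ACLs take subnet masks, not wildcards
    return [ipaddress.ip_network(f"{t}/{mask}", strict=False)]


def _ports(tok: List[str], groups: dict) -> List[Optional[int]]:
    """Consume an optional port operand: eq P | object-group G; None = any."""
    if tok and tok[0] == "eq":
        tok.pop(0)
        p = tok.pop(0)
        return [PORTS[p] if p in PORTS else int(p)]
    if tok and tok[0] == "object-group":
        tok.pop(0)
        return list(groups[tok.pop(0)])
    return [None]


def parse_acl(text: str, net_groups: dict, svc_groups: dict) -> List[ACE]:
    """Parse 'access-list NAME extended ...' lines into expanded element ACEs.
    Remark lines are skipped; group references multiply out as on the ASA."""
    aces: List[ACE] = []
    for line in text.strip().splitlines():
        tok = line.split()
        if len(tok) < 5 or tok[0] != "access-list" or tok[2] != "extended":
            continue
        action, proto, rest = tok[3], tok[4], tok[5:]
        srcs = _net(rest, net_groups)
        dsts = _net(rest, net_groups)
        ports = _ports(rest, svc_groups)
        log = "log" in rest
        aces += [ACE(action, proto, s, d, p, log)
                 for s in srcs for d in dsts for p in ports]
    return aces


def evaluate(aces: List[ACE], proto: str, src: str, dst: str,
             dport: Optional[int] = None) -> Tuple[str, Optional[ACE]]:
    """Return (decision, matching ACE). Top-down, first match wins; no match
    is the implicit deny, which the ASA never logs (hence ACE is None)."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for ace in aces:
        if (ace.proto in ("ip", proto) and s in ace.src and d in ace.dst
                and (ace.dport is None or ace.dport == dport)):
            return ace.action, ace
    return "deny", None


# Constructed to mirror the page's NET-HOSTS, SERVERS and HTTP-SMTP groups.
NET_GROUPS = {
    "NET-HOSTS": [ipaddress.ip_network("209.165.201.1/32"),
                  ipaddress.ip_network("209.165.201.2/32")],
    "SERVERS": [ipaddress.ip_network("209.165.202.131/32"),
                ipaddress.ip_network("209.165.202.132/32")],
}
SVC_GROUPS = {"HTTP-SMTP": [25, 80]}

ACL_IN = """
access-list ACL-IN remark Only permit PC-A / PC-B -> Internal Servers
access-list ACL-IN extended permit tcp object-group NET-HOSTS object-group SERVERS object-group HTTP-SMTP
access-list ACL-IN extended deny ip any any log
"""
ACES = parse_acl(ACL_IN, NET_GROUPS, SVC_GROUPS)

if __name__ == "__main__":
    print(f"access-list ACL-IN; {len(ACES)} elements")   # 8 permits + explicit deny
    for pkt in [("tcp", "209.165.201.1", "209.165.202.131", 25),
                ("tcp", "209.165.201.1", "209.165.202.131", 22),
                ("tcp", "209.165.201.3", "209.165.202.132", 80)]:
        decision, ace = evaluate(ACES, *pkt)
        print(pkt, "->", decision, "(logged)" if ace and ace.log else "")
```

Running the script shows 9 elements and three decisions: SMTP from PC1 to Server A is permitted, SSH from the same host is dropped and logged by the explicit deny, and an untrusted third host is dropped and logged even for HTTP. Swapping the order of the two ACEs in ACL_IN makes everything match the deny first, which is the ordering mistake the first-match rule punishes.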

21.5 NAT SERVICES ON AN ASA


21.5.1 ASA NAT OVERVIEW

 Like IOS routers, the ASA supports Network Address Translation (NAT). NAT is
typically used to translate private IP network addresses into public IP addresses.
 NAT can be deployed using one of the following methods:
 Inside NAT - The typical NAT deployment method is when a host from a higher-
security interface has traffic destined for a lower-security interface and the ASA
translates the internal host address into a global address. The ASA then restores the
original inside IP address for return traffic.
 Outside NAT - This method is used when traffic from a lower-security interface that is
destined for a host on the higher-security interface must be translated. This method may
be useful to make an enterprise host located on the outside of the internal network
appear as one from a known internal IP address.
 Bidirectional NAT - Indicates that both inside NAT and outside NAT are used
together.
 The figure illustrates how inside NAT and outside NAT flow.
 Specifically, the Cisco ASA supports the following common types of NAT:
o Dynamic PAT - This is a many-to-one translation. This is also known as NAT
with overload. Usually an inside pool of private addresses overloading an
outside interface or outside address.
o Static NAT - This is a one-to-one translation. Usually an outside address
mapping to an internal server.
o Policy NAT - Policy-based NAT is based on a set of rules. These rules can
specify that only certain source addresses that are intended for specific
destination addresses and/or specific ports will be translated.
o Identity NAT - A real address is statically translated to itself, essentially
bypassing NAT. You might want to configure NAT this way when you want to
translate a large group of addresses, but then want to exempt a smaller subset of
addresses.
 These types of NAT are referred to as network object NAT because the configuration
requires network objects to be configured.
 Note: Another ASA NAT feature is called Twice-NAT. Twice-NAT identifies both the
source and destination address in a single rule (nat command). Twice-NAT is used
when configuring remote-access IPsec and SSL VPNs. Twice-NAT is beyond the scope
of the module and is not explored further.

21.5.2 CONFIGURE DYNAMIC NAT

 To configure network object dynamic NAT, two network objects are required:
o A network object identifying the pool of public IP addresses into which internal
addresses are translated. These are identified using range or subnet network
object commands.
o The second network object identifies the internal addresses to be translated and
then binds the two objects together. These are identified using the range or
subnet network object commands.
 The two network objects are then bound together using the
nat [(real_if_name,mapped_if_name)] dynamic mapped_obj [interface [ipv6]] [dns] network
object command. The real_if_name is the pre-NAT (real) interface and the mapped_if_name is
the post-NAT (mapped) interface. Notice that there is no space after the comma in the
command syntax. The optional interface keyword after mapped_obj enables a fallback to PAT
on the mapped interface address once the pool is exhausted; without it, new connections from
additional inside hosts fail when no pool address is free.
 For example, the figure displays the NAT reference topology that will be used to
configure dynamic NAT, dynamic PAT, and static NAT.
 In this dynamic NAT example, inside hosts on the 192.168.1.0/27 network are dynamically
assigned public IP addresses from the range 209.165.200.240 to 209.165.200.248. The pool
holds nine addresses for a subnet of up to 30 hosts, so the interface fallback described
above (or dynamic PAT) should be considered for a real deployment.

 The example displays a sample dynamic NAT configuration to accomplish this task.
The PUBLIC network object identifies the public IP addresses to be translated to while
the DYNAMIC-NAT object identifies the internal addresses to be translated and is
bound to the PUBLIC network object with the nat command.
NETSEC-ASA(config)# object network PUBLIC
NETSEC-ASA(config-network-object)# range 209.165.200.240
209.165.200.248
NETSEC-ASA(config-network-object)# exit
NETSEC-ASA(config)#
NETSEC-ASA(config)# object network DYNAMIC-NAT
NETSEC-ASA(config-network-object)# subnet 192.168.1.0
255.255.255.224
NETSEC-ASA(config-network-object)# nat (INSIDE,OUTSIDE) dynamic
PUBLIC
NETSEC-ASA(config-network-object)# end
NETSEC-ASA#

 Inside hosts can send pings, but by default the echo replies from outside are dropped:
ICMP is not tracked statefully unless ICMP inspection is enabled, so the return traffic is
treated as a new connection from a lower to a higher security level. There are two ways to
allow the replies. The preferred way is to enable ICMP inspection in the default global
policy, which admits only replies to requests that left through the ASA:
NETSEC-ASA(config)# policy-map global_policy
NETSEC-ASA(config-pmap)# class inspection_default
NETSEC-ASA(config-pmap-c)# inspect icmp
NETSEC-ASA(config-pmap-c)# exit
NETSEC-ASA(config-pmap)# exit
NETSEC-ASA(config)#
 The alternative is an ACL on the OUTSIDE interface. It is less selective, because it admits
any ICMP from outside, not only echo replies:
NETSEC-ASA(config)# access-list ICMPACL extended permit icmp any any
NETSEC-ASA(config)# access-group ICMPACL in interface OUTSIDE
NETSEC-ASA(config)#
 After the inside host pings the outside host, verify the network address translation using
the show xlate command, as shown in the example. Additional information can be
gathered using the show nat and show nat detail commands.
NETSEC-ASA(config)# show xlate
1 in use, 1 most used
Flags: D - DNS, e - extended, I - identity, i - dynamic, r - portmap,
       s - static, T - twice, N - net-to-net

NAT from INSIDE:192.168.1.3 to OUTSIDE:209.165.200.242 flags i idle 0:00:02 timeout 3:00:00
NETSEC-ASA(config)#
NETSEC-ASA(config)# show nat

Auto NAT Policies (Section 2)
1 (INSIDE) to (OUTSIDE) source dynamic DYNAMIC-NAT PUBLIC
    translate_hits = 1, untranslate_hits = 1
NETSEC-ASA(config)#
NETSEC-ASA(config)# show nat detail

Auto NAT Policies (Section 2)
1 (INSIDE) to (OUTSIDE) source dynamic DYNAMIC-NAT PUBLIC
    translate_hits = 1, untranslate_hits = 1
    Source - Origin: 192.168.1.0/27, Translated: 209.165.200.240-209.165.200.248
NETSEC-ASA(config)#
 The lowercase i flag marks a dynamic translation (uppercase I is identity NAT), and
3:00:00 is the default idle timeout for dynamic NAT entries. translate_hits counts outbound
packets translated by the rule and untranslate_hits counts the return packets mapped back
to the real address.

21.5.4 CONFIGURE DYNAMIC PAT

 A variation of this configuration is dynamic PAT, a many-to-one translation in which all
inside hosts share a single mapped address and are told apart by their translated source
ports. The mapped address can be a dedicated outside address or, as in the example below,
the address of the ASA outside interface itself.
 Only one network object is required when overloading the outside interface. To enable
inside hosts to overload the outside interface address,
use the nat [(real_if_name,mapped_if_name)] dynamic interface command.
 The example displays a dynamic PAT configuration for the same reference topology.
NETSEC-ASA(config)# object network INSIDE-NET
NETSEC-ASA(config-network-object)# subnet 192.168.1.0
255.255.255.224
NETSEC-ASA(config-network-object)# nat (INSIDE,OUTSIDE) dynamic
interface
NETSEC-ASA(config-network-object)# end
NETSEC-ASA#

 After the inside host pings the outside host, verify the network address translation using
the show xlate command. The example displays the resulting translation.
NETSEC-ASA# show xlate
1 in use, 1 most used
Flags: D - DNS, e - extended, I - identity, i - dynamic, r - portmap,
       s - static, T - twice, N - net-to-net

ICMP PAT from INSIDE:192.168.1.3/1 to OUTSIDE:209.165.200.226/1 flags ri idle 0:00:02 timeout 0:00:30
NETSEC-ASA#
 The r (portmap) flag shows that this is a port translation; for ICMP the identifier takes
the place of a port. Note the much shorter 0:00:30 idle timeout of a PAT entry (the default
pat-xlate timeout) compared with the 3:00:00 of the dynamic NAT entry in the previous
example.
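The following is an added example, not code from the course notes or from Cisco. It models the address allocation behind the three nat (INSIDE,OUTSIDE) dynamic ... forms discussed in 21.5.2 and 21.5.4 (a pool, the interface address, and a pool with interface fallback) so that the pool-exhaustion failure mode is visible: the page's PUBLIC range holds 9 addresses while 192.168.1.0/27 can hold 30 hosts. The pool and interface addresses are the page's; the 12 inside hosts and their flows are constructed input. Mapped-port selection and xlate timeouts are simplified (the appliance draws PAT ports from fixed ranges and ages entries out).

```python
"""Outbound translation model: dynamic NAT pool, dynamic PAT, and pool with
interface PAT fallback.

Added example, not code from the course notes or from Cisco. Pool and
interface addresses come from the page; hosts and flows are constructed.
"""
import ipaddress
from typing import Dict, List, Optional, Tuple

OUTSIDE_IF = "209.165.200.226"   # OUTSIDE interface address seen in the page's show xlate
POOL = [str(ipaddress.ip_address("209.165.200.240") + i) for i in range(9)]  # .240-.248


class Translator:
    """One outbound rule. mode is 'nat' (dynamic PUBLIC), 'pat' (dynamic
    interface) or 'nat+pat' (dynamic PUBLIC interface: pool with fallback)."""

    def __init__(self, mode: str, pool: List[str], interface_ip: str):
        assert mode in ("nat", "pat", "nat+pat")
        self.mode = mode
        self.free = list(pool)                               # unused pool addresses
        self.interface_ip = interface_ip
        self.nat_xlate: Dict[str, str] = {}                  # real ip -> mapped ip
        self.pat_xlate: Dict[Tuple[str, int], Tuple[str, int]] = {}
        self.next_port = 1024                                # simplified port allocator

    def translate(self, real_ip: str, real_port: int) -> Optional[Tuple[str, int]]:
        """Translate a new outbound flow; None means the ASA drops it because
        no mapped address is available."""
        if self.mode != "pat":
            if real_ip in self.nat_xlate:                    # host already holds a pool address
                return self.nat_xlate[real_ip], real_port
            if self.free:                                    # one-to-one, source port preserved
                self.nat_xlate[real_ip] = self.free.pop(0)
                return self.nat_xlate[real_ip], real_port
            if self.mode == "nat":
                return None                                  # pool exhausted, no fallback
        key = (real_ip, real_port)                           # many-to-one on the interface address
        if key not in self.pat_xlate:
            self.pat_xlate[key] = (self.interface_ip, self.next_port)
            self.next_port += 1
        return self.pat_xlate[key]


def simulate(mode: str, hosts: List[str]) -> Dict[str, int]:
    """Open one flow per host and count how each was handled."""
    t = Translator(mode, POOL, OUTSIDE_IF)
    summary = {"pool": 0, "interface": 0, "dropped": 0}
    for i, host in enumerate(hosts):
        mapped = t.translate(host, 40000 + i)
        if mapped is None:
            summary["dropped"] += 1
        elif mapped[0] == OUTSIDE_IF:
            summary["interface"] += 1
        else:
            summary["pool"] += 1
    return summary


# Constructed sample: 12 hosts on 192.168.1.0/27, three more than the pool can serve.
HOSTS = [str(ipaddress.ip_address("192.168.1.3") + i) for i in range(12)]

if __name__ == "__main__":
    for mode in ("nat", "pat", "nat+pat"):
        print(f"{mode:8s} {simulate(mode, HOSTS)}")
```

With a plain pool the tenth host's connection is dropped; with dynamic interface every host shares 209.165.200.226 and differs only by mapped port; with the interface fallback the first nine hosts keep one-to-one pool addresses and the rest are PAT'd. The middle option is what most small deployments actually need, and it is also the one whose logs carry a source port that must be recorded alongside the address to attribute outbound activity to a host.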

21.5.5 CONFIGURE STATIC NAT

 Static NAT is configured when an inside address is mapped one-to-one to an outside
address. For instance, static NAT is used when a server must be reachable from the outside.
 To configure static NAT, use the nat [(real_if_name,mapped_if_name)] static
mapped-inline-host-ip network object command.
 The figure displays the NAT reference topology that will be used to configure the DMZ
interface and static NAT.

 The example below displays the configuration that is used to enable static NAT. In this
example, outside hosts can reach the internal server with the IP address 192.168.2.3 using
the external IP address 209.165.200.227.
 The translation alone does not admit traffic: connections from the lower-security
OUTSIDE interface to the higher-security DMZ are denied by default, so an ACL permitting
them must be applied inbound on OUTSIDE. Since ASA version 8.3, such ACLs reference the
real (untranslated) address, which is why the ACL below matches host 192.168.2.3 rather
than 209.165.200.227. The permit ip any shown is broad; in practice restrict it to the
published services (for example permit tcp any host 192.168.2.3 eq www) so that the static
mapping does not expose every port on the server.
NETSEC-ASA(config)# object network DMZ-SERVER
NETSEC-ASA(config-network-object)# host 192.168.2.3
NETSEC-ASA(config-network-object)# nat (DMZ,OUTSIDE) static
209.165.200.227
NETSEC-ASA(config-network-object)# exit
NETSEC-ASA(config)#
NETSEC-ASA(config)# access-list OUTSIDE-DMZ extended permit ip any
host 192.168.2.3
NETSEC-ASA(config)# access-group OUTSIDE-DMZ in interface OUTSIDE
NETSEC-ASA(config)#
 As in the dynamic NAT example, ICMP inspection (or, less selectively, an ICMP ACL, here
applied on the DMZ interface) is needed for ping replies to pass:
NETSEC-ASA(config)# policy-map global_policy
NETSEC-ASA(config-pmap)# class inspection_default
NETSEC-ASA(config-pmap-c)# inspect icmp
NETSEC-ASA(config-pmap-c)# exit
NETSEC-ASA(config-pmap)# exit
NETSEC-ASA(config)#
NETSEC-ASA(config)# access-list ICMPACL extended permit icmp any any
NETSEC-ASA(config)# access-group ICMPACL in interface DMZ
NETSEC-ASA(config)#
 Use the show xlate and show nat detail commands to verify translations, as shown in
the example. It may be necessary to use the clear nat counters command when testing
NAT.
NETSEC-ASA(config)# show xlate
2 in use, 2 most used
Flags: D - DNS, e - extended, I - identity, i - dynamic, r - portmap,
       s - static, T - twice, N - net-to-net
NAT from DMZ:192.168.2.3 to OUTSIDE:209.165.200.227
    flags s idle 0:00:21 timeout 0:00:00
NAT from INSIDE:192.168.1.3 to OUTSIDE:209.165.200.242 flags i idle 0:09:06 timeout 3:00:00
NETSEC-ASA(config)#
NETSEC-ASA(config)# show nat detail

Auto NAT Policies (Section 2)
1 (DMZ) to (OUTSIDE) source static DMZ-SERVER 209.165.200.227
    translate_hits = 1, untranslate_hits = 1
    Source - Origin: 192.168.2.3/32, Translated: 209.165.200.227/32
2 (INSIDE) to (OUTSIDE) source dynamic DYNAMIC-NAT PUBLIC
    translate_hits = 1, untranslate_hits = 1
    Source - Origin: 192.168.1.0/27, Translated: 209.165.200.240-209.165.200.248
NETSEC-ASA(config)#
 The static entry carries the s flag and no timeout: it persists until the NAT rule is
removed, which is also why an unexpected static xlate in this output deserves a second look.

21.6 AAA
21.6.1 AAA REVIEW

 Authentication, authorization, and accounting (AAA) provides an extra level of
protection and user control. With AAA, only authenticated and authorized users can be
permitted to connect through, or administer, the ASA.
 Authentication can be used alone or with authorization and accounting. Authorization
always requires a user to be authenticated first. Accounting can be used alone, or with
authentication and authorization.
 AAA is conceptually similar to using a credit card, as shown in the figure.
Authentication controls access by requiring valid user credentials, which are usually a
username and password. The ASA can authenticate all administrative connections to the
ASA, including Telnet, SSH, console, ASDM using HTTPS, and privileged EXEC.
 Authorization controls access, per user, after users are authenticated. Authorization
controls the services and commands that are available to each authenticated user.
Without authorization enabled, authentication alone would provide the same access to
services for all authenticated users. The ASA can authorize management commands,
network access, and VPN access.
 Accounting tracks traffic that passes through the ASA, enabling administrators to have
a record of user activity. Accounting information includes session start and stop times,
usernames, the number of bytes that pass through the ASA for the session, the service
used, and the duration of each session.

21.6.2 LOCAL DATABASE AND SERVERS

 Cisco ASA can be configured to authenticate using a local user database or an external
server for authentication or both.
 Local AAA uses a local database for authentication. This method stores usernames and
passwords locally on the ASA, and users authenticate against the local database. Local
AAA is ideal for small networks that do not need a dedicated AAA server.
 Note: Unlike the ISR, ASA devices do not support local authentication without using
AAA.
 Use the username name password password [privilege priv-level] command to create
local user accounts. To erase a user from the local database, use the clear config
username [name] command. To view all user accounts, use the show running-config
username command.
 Server-based AAA authentication is a far more scalable method than local AAA
authentication. Server-based AAA authentication uses an external database server by
leveraging the RADIUS or TACACS+ protocols. If there are multiple networking
devices, server-based AAA is more appropriate.
 To configure a TACACS+ or RADIUS server, use the commands listed in the table.

ASA Command                                                        Description
aaa-server server-tag protocol protocol                            Creates a TACACS+ or RADIUS AAA server group.
aaa-server server-tag [(if_name)] host {server-ip | name} [key]    Configures a AAA server as part of a AAA server group and
                                                                   sets host-specific parameters such as the shared key.

 To erase all AAA server configurations, use the clear config aaa-server command. To
view the AAA server configuration, use the show running-config aaa-server command.
 The example shows configuration of a AAA TACACS+ server on an ASA 5506-X.
NETSEC-ASA(config)# username Admin password class privilege 15
NETSEC-ASA(config)# show run username
username Admin password ***** pbkdf2 privilege 15
NETSEC-ASA(config)# aaa-server TACACS-SVR protocol tacacs+
NETSEC-ASA(config-aaa-server-group)# aaa-server TACACS-SVR (DMZ)
host 192.168.2.3
NETSEC-ASA(config-aaa-server-host)# exit
NETSEC-ASA(config)# show run aaa-server
aaa-server TACACS-SVR protocol tacacs+
aaa-server TACACS-SVR (DMZ) host 192.168.2.3
NETSEC-ASA(config)#
 Two details of this example should not be copied into production. The server is defined
without a shared secret; supply it with the key argument of the host command (or the key
command in aaa-server-host mode) and configure the same secret on the TACACS+ server,
otherwise the exchange between the ASA and the server cannot be authenticated. The local
account password class is a classroom placeholder and must be replaced with a strong
password; the show run username output only shows that the stored form is a PBKDF2 hash,
not that the password itself is strong.

21.6.3 AAA CONFIGURATION

 To authenticate users who access the ASA CLI over a console (serial), SSH, HTTPS
(ASDM), or Telnet connection, or who access privileged EXEC mode using the enable
command, use the aaa authentication ... console command in global configuration mode,
once per access method. The command syntax is as follows:

ciscoasa(config)# aaa authentication { serial | enable | telnet | ssh | http } console { LOCAL | server-group [ LOCAL ]}

 To erase all AAA parameters, use the clear config aaa command. To view the AAA
configuration, use the show running-config aaa command.
 The example provides a sample AAA configuration that is then verified and tested. The
trailing LOCAL keyword is a fallback, not a second choice: the local database is consulted
only when no server in the TACACS-SVR group is reachable, not when a server rejects the
credentials. Create a local privilege-15 account (as done above) before enabling
authentication for serial and ssh access, or an unreachable server can lock every
administrator out of the device.
NETSEC-ASA(config)# aaa authentication serial console TACACS-SVR
LOCAL
NETSEC-ASA(config)# aaa authentication ssh console TACACS-SVR LOCAL
NETSEC-ASA(config)# aaa authentication http console TACACS-SVR
LOCAL
NETSEC-ASA(config)# aaa authentication telnet console TACACS-SVR
LOCAL
NETSEC-ASA(config)# aaa authentication enable console TACACS-SVR
LOCAL
NETSEC-ASA(config)#
NETSEC-ASA(config)# show run aaa
aaa authentication serial console TACACS-SVR LOCAL
aaa authentication ssh console TACACS-SVR LOCAL
aaa authentication http console TACACS-SVR LOCAL
aaa authentication telnet console TACACS-SVR LOCAL
aaa authentication enable console TACACS-SVR LOCAL
aaa authentication login-history
NETSEC-ASA(config)# exit
NETSEC-ASA# exit

Logoff

Username: Admin
Password: *****
-----------------------------------------------
Authorized access only!
You have logged into a secure device.
-----------------------------------------------

User Admin logged in to NETSEC-ASA


Logins over the last 2 days: 4. Last login: 10:14:48 UTC Feb 11
2021 from console
Failed logins since the last login: 0.
Type help or '?' for a list of available commands.
NETSEC-ASA>

21.7 SERVICE POLICIES ON AN ASA


21.7.1 OVERVIEW OF MPF

 A Modular Policy Framework (MPF) configuration defines a set of rules for applying
firewall features, such as traffic inspection and QoS, to the traffic that traverses the
ASA. MPF allows granular classification of traffic flows, which enables the application
of different advanced policies to different flows. MPF is also the mechanism that
selectively redirects traffic from the ASA to hardware or software modules, such as the
FirePOWER module. MPF can be used for advanced application layer inspection of traffic
by classifying at Layers 5 through 7. Rate limiting and QoS features can also be
implemented using MPF.
 Cisco MPF uses three configuration objects to define modular, object-oriented,
hierarchical policies.
Class Maps

 What are we looking for?


o Classify traffic.
o Identify traffic on which to perform MPF.
o Create layer 3 and 4 class maps that can contain multiple match criteria.
ciscoasa(config)# class-map class-name

Policy Maps

 What shall we do with it?


o Define actions
o Define a policy for the traffic at Layers 3 to 7.
o Create a policy map that can contain multiple class maps with associated
actions.
ciscoasa(config)# policy-map policy-name

Service Policy

 Where do we do it?
o Activate the policy map on interfaces.
o Create a service policy that applies a policy map to an interface or all interfaces.
ciscoasa(config)# service-policy serv-name [ global | interface if-
name ]


 Although the MPF syntax is similar to the ISR IOS Cisco Modular QoS CLI (MQC)
syntax and the Cisco Common Classification Policy Language (C3PL) syntax, the
configurable parameters differ. The ASA platform provides more configurable actions
than an ISR running Cisco IOS ZPF. The ASA supports Layer 5 to Layer 7
inspections using a richer set of criteria for application-specific parameters. For
instance, the ASA MPF feature can be used to match HTTP URLs and request methods,
prevent users from surfing to specific sites during specific times, or prevent users
from downloading music (MP3) and video files via HTTP or FTP. Encrypted payloads
(HTTPS, SFTP) are opaque to these inspection engines unless the traffic is decrypted
before it reaches them.
 There are four steps to configure MPF on an ASA:
o Step 1. (Optional) Configure extended ACLs to identify granular traffic that
can be specifically referenced in the class map. For example, ACLs can be used
to match TCP traffic, UDP traffic, HTTP traffic, or all traffic to a specific
server.
o Step 2. Configure the class map to identify traffic.
o Step 3. Configure a policy map to apply actions to those class maps.
o Step 4. Configure a service policy to attach the policy map to an interface.

21.7.2 CONFIGURE CLASS MAPS

 Class maps are configured to identify Layer 3 and 4 traffic (also called layer 3/4). To
create a class map and enter class-map configuration mode, use the class-map class-
map-name global configuration mode command. The names “class-default” and any
name that begins with “_internal” or “_default” are reserved. The class map name must
be unique and can be up to 40 characters in length. The name should also be
descriptive.
 Note: A variation of the class-map command is used for management traffic that is
destined for the ASA. In this case, use the class-map type management class-map-
name command.
 When in class-map configuration mode, a description explaining the purpose of the
class map should be configured using the description command.
 Next, traffic to match should be identified using the match any (matches all traffic)
or match access-list access-list-name commands to match traffic specified by an
extended access list.
 Note: Unless otherwise specified, only include one match command in the class map.
 The example provides a sample class map configuration.
NETSEC-ASA(config)# access-list UDP permit udp any any
NETSEC-ASA(config)# access-list TCP permit tcp any any
NETSEC-ASA(config)# access-list SERVER permit ip any host 10.1.1.1
NETSEC-ASA(config)#
NETSEC-ASA(config)# class-map ALL-TCP
NETSEC-ASA(config-cmap)# description This class-map matches all TCP
traffic
NETSEC-ASA(config-cmap)# match access-list TCP
NETSEC-ASA(config-cmap)# exit
NETSEC-ASA(config)#
NETSEC-ASA(config)# class-map ALL-UDP
NETSEC-ASA(config-cmap)# description This class-map matches all UDP
traffic
NETSEC-ASA(config-cmap)# match access-list UDP
NETSEC-ASA(config-cmap)# exit
NETSEC-ASA(config)#
NETSEC-ASA(config)# class-map ALL-HTTP
NETSEC-ASA(config-cmap)# description This class-map matches all
HTTP traffic
NETSEC-ASA(config-cmap)# match port tcp eq http
NETSEC-ASA(config-cmap)# exit
NETSEC-ASA(config)#
NETSEC-ASA(config)# class-map TO-SERVER
NETSEC-ASA(config-cmap)# description Class map matches traffic
10.1.1.1
NETSEC-ASA(config-cmap)# match access-list SERVER
NETSEC-ASA(config-cmap)# exit
NETSEC-ASA(config)#

 The ASA also automatically defines a default Layer 3/4 class map identified in the
configuration by class-map inspection_default. Identified in this class map is
the match default-inspection-traffic which matches the default ports for all
inspections. When used in a policy map, this class map ensures that the correct
inspection is applied to each packet, based on the destination port of the traffic. For
example, when UDP traffic for port 69 reaches the ASA, the ASA applies the TFTP
inspection. In this case only, multiple inspections can be configured for the same class
map. Normally, the ASA does not use the port number to determine which inspection to
apply. This provides flexibility to apply inspections to non-standard ports.
 To display information about the class map configuration, use the show running-config
class-map command.
 To remove all class maps, use the clear configure class-map command in global
configuration mode.
21.7.3 DEFINE AND ACTIVATE A POLICY

 Policy maps are used to bind class maps with actions. Use the policy-map policy-map-
name global configuration mode command, to apply actions to the Layer 3 and 4 traffic.
The policy map name must be unique and up to 40 characters in length. The name
should also be descriptive.
 In policy-map configuration mode, config-pmap, use the following commands:
o description - Add description text.
o class class-map-name - Identify a specific class map on which to perform
actions.
 The maximum number of policy maps is 64. There can be multiple Layer 3/4 class maps
in one policy map, and multiple actions can be assigned from one or more feature types
to each class map.
 Note: The configuration includes a default Layer 3/4 policy map that the ASA uses in the
default global policy. It is called global_policy and performs inspection on the
default inspection traffic. There can only be one global policy. Therefore, to alter the
global policy, either edit it or replace it.
 These are the three most common commands available in policy map class configuration
mode:
o set connection - Sets connection limits and TCP options for the class.
o inspect - Applies application-layer protocol inspection to the class.
o police - Sets rate limits for traffic in this class.
 Actions are applied to traffic bidirectionally or unidirectionally depending on the
feature.
 To display information about the policy map configuration, use the show running-
config policy-map command.
 Use the clear configure policy-map command in global configuration mode, to remove
all policy maps.
 Configure the Service Policy
 To activate a policy map globally on all interfaces or on a targeted interface, use
the service-policy policy-map-name [ global | interface intf ] global configuration
mode command to enable a set of policies on an interface.
 The example configures the policy map. Its associated service policy is applied
globally. Because only one global service policy is allowed, the final command conflicts
with the default global_policy that is already applied globally: either remove that policy
first with no service-policy global_policy global, or add the inspect tftp action to
global_policy instead of creating a new policy map. Verify the result with the show
service-policy command.
NETSEC-ASA(config)# access-list TFTP-TRAFFIC permit udp any any eq
69
NETSEC-ASA(config)#
NETSEC-ASA(config)# class-map CLASS-TFTP
NETSEC-ASA(config-cmap)# match access-list TFTP-TRAFFIC
NETSEC-ASA(config-cmap)# exit
NETSEC-ASA(config)#
NETSEC-ASA(config)# policy-map POLICY-TFTP
NETSEC-ASA(config-pmap)# class CLASS-TFTP
NETSEC-ASA(config-pmap-c)# inspect tftp
NETSEC-ASA(config-pmap-c)# exit
NETSEC-ASA(config-pmap)# exit
NETSEC-ASA(config)#
NETSEC-ASA(config)# service-policy POLICY-TFTP global
NETSEC-ASA(config)#

21.8 ASA FIREWALL CONFIGURATION SUMMARY


21.8 WHAT DID I LEARN IN THIS MODULE?
Basic ASA Firewall Configuration

 The ASA command line interface (CLI) is a proprietary OS, which has a similar look
and feel to the router IOS. For example, the ASA CLI contains command prompts
similar to that of a Cisco IOS router. Also, like the IOS CLI, the ASA CLI also supports
abbreviation of commands and keywords, use of the Tab key to complete a partial
command, and use of the help key (?) after a command to view additional syntax. Many
commands are similar to those in other versions of IOS, however many differences also
exist.
 The ASA 5506-X with FirePOWER Services ships with a default configuration that, in
most instances, is sufficient for a basic SOHO deployment. Configuration changes can
be made manually using the CLI, interactively using the CLI Setup Initialization
wizard, and by using the Adaptive Security Device Manager (ASDM) setup wizard.
 The ASA can be restored to its factory default configuration by using the configure
factory-default global configuration mode command.
Configure Management Services and Settings

 The ASA 5506-X is configured by entering privileged EXEC mode with the enable
command and then using configure terminal to enter global configuration mode. When
entering global configuration mode for the first time, you are offered the option of
participating in the Cisco Smart Call Home program. When approved and other
qualifications are met, the ASA will communicate with Cisco in order to send and
receive proactive diagnostics and real-time alerts.
 The privileged EXEC password is stored as a hash rather than in clear text (MD5 on
older releases, PBKDF2 on current ones, as the show run username output earlier in the
module shows). Shared secrets such as AAA and VPN keys are also stored in the
configuration, and they should be protected with AES password encryption. To do so, a
primary passphrase must be configured with the key config-key password-encryption
command, and AES encryption must then be enabled with the password encryption aes
command.
 The ASA 5506-X has eight Gigabit Ethernet interfaces that can be configured to carry
traffic on different Layer 3 networks. The G1/1 interface is frequently configured as the
outside interface to the ISP. Basic configuration of interfaces includes IP addressing,
naming, and setting the security level. Interfaces can be grouped together as bridged
virtual interfaces (BVI). A BVI can be configured with a single name and IP address
although other settings may need to be configured on the individual component
interfaces. Interfaces can be configured with addresses manually, by DHCP, or over
PPPoE. If the interface is configured with DHCP, a default route from an upstream
device can automatically be configured on the ASA. Otherwise, a default route must be
manually configured.
 For remote management, the ASA can be configured to accept connections over Telnet
or SSH. SSH is strongly preferred. Authorization can be made from the local user
database.
 Other network services such as NTP and DHCP can be configured on the ASA. The
ASA can be configured to receive NTP information from authenticated servers. DHCP
services can also be configured to provide addresses to internal hosts.
Object Groups

 Objects are reusable components for use in configurations. Objects can be defined and
used in Cisco ASA configurations in the place of inline IP addresses, services, names,
and so on. Objects make it easy to maintain configurations because an object can be
modified in one place and the change will be reflected in all other places that are
referencing it. For example, a network object can be created to hold the IP address of a
syslog server. If the address of the server changes, the object can be changed, and that
change will be reflected in every configuration command that references the object.
There are two types of objects, network objects and service objects. Network objects
can include host addresses, subnets, ranges of addresses, and FQDNs. Service objects
can refer to different network services and protocols. Object groups are collections of
objects that are related. Network object groups can also be used in configurations
including ACLs and NAT. There are five types of object groups. Where objects can
hold only one value, object groups can hold multiple values including in-line values as
well as previously created objects.
ASA ACLs

 The Cisco ASA 5506-X provides basic traffic filtering capabilities with ACLs. ACLs
control access in a network by preventing defined traffic from entering or exiting. In
addition, an ACL can be used to select traffic to which a feature will apply, thereby
performing a matching service rather than a control service. ASA ACLs differ from IOS
ACLs in that they use a network mask (e.g., 255.255.255.0) instead of a wildcard mask
(e.g., 0.0.0.255). There are five types of ASA ACLs including the familiar standard and
extended types. All ASA ACLs are named. ASA standard and extended ACL syntax is
similar to that used on ISRs. ASA ACLs must be grouped with an interface in order to
go into effect. Object groups can be used with ASA ACLs to limit the number of ACEs
that are required in a list.
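The two ideas from the Object Groups and ASA ACLs sections above (a network mask rather than a wildcard mask, named ACLs evaluated top-down with an implicit deny, and object groups that hold many values and propagate a change to every rule that references them) modelled in Python. This is an added example, not Cisco code; the object-group contents, ACL name, addresses and helper names are all constructed for illustration.

```python
"""ASA-style extended ACL evaluation with object groups (added example, not Cisco code)."""
import ipaddress
from dataclasses import dataclass, field


def wildcard_to_netmask(wildcard: str) -> str:
    """IOS wildcard mask (0.0.0.255) -> ASA network mask (255.255.255.0)."""
    return str(ipaddress.IPv4Address(0xFFFFFFFF ^ int(ipaddress.IPv4Address(wildcard))))


def network_from_asa(addr: str, netmask: str) -> ipaddress.IPv4Network:
    """ASA ACEs take 'address netmask' pairs, never wildcard masks."""
    return ipaddress.IPv4Network(f"{addr}/{netmask}", strict=False)


@dataclass
class ACE:
    action: str                                # "permit" or "deny"
    proto: str                                 # "tcp", "udp" or "ip" (any)
    src: list                                  # list of IPv4Network (object group or inline)
    dst: list
    dports: set = field(default_factory=set)   # empty set = any destination port


ANY = [ipaddress.IPv4Network("0.0.0.0/0")]

# Object groups: one name, many values. Constructed sample addresses.
OBJECT_GROUPS = {
    "DMZ-WEB": [network_from_asa("203.0.113.10", "255.255.255.255"),
                network_from_asa("203.0.113.11", "255.255.255.255")],
    "MGMT-NETS": [network_from_asa("192.168.1.0", "255.255.255.0"),
                  network_from_asa("10.10.0.0", "255.255.0.0")],
}
WEB_PORTS = {80, 443}

# Named ACL (hypothetical name OUTSIDE-IN). The ACE lists reference the group
# objects directly, so editing a group changes every rule that uses it.
OUTSIDE_IN = [
    ACE("permit", "tcp", ANY, OBJECT_GROUPS["DMZ-WEB"], WEB_PORTS),
    # Explicit deny toward management networks; the implicit deny would also
    # drop this traffic, but an explicit ACE gives a hit counter to watch.
    ACE("deny", "ip", ANY, OBJECT_GROUPS["MGMT-NETS"]),
]


def ace_matches(ace: ACE, proto: str, src: str, dst: str, dport: int) -> bool:
    s, d = ipaddress.IPv4Address(src), ipaddress.IPv4Address(dst)
    return (ace.proto in ("ip", proto)
            and any(s in n for n in ace.src)
            and any(d in n for n in ace.dst)
            and (not ace.dports or dport in ace.dports))


def evaluate(acl, proto, src, dst, dport):
    """Walk the ACL top-down; return (action, index) of the first match,
    or ('deny', None) for the implicit deny at the end of every ASA ACL."""
    for i, ace in enumerate(acl):
        if ace_matches(ace, proto, src, dst, dport):
            return ace.action, i
    return "deny", None
```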
NAT Services on an ASA

 NAT can be configured on ASAs as is done with routers. For ASAs there are three
deployment methods. The first is inside NAT which is used for translating inside
addresses on secure networks to outside addresses on less secure networks. In outside
NAT, traffic from a lower security network is translated for a higher security network.
This is used to make internal enterprise hosts available to outside users. Bidirectional
NAT uses both inside and outside NAT together. The ASA supports four types of NAT:
dynamic NAT with overload, static NAT, policy NAT, and identity NAT. Network
objects must be used to configure NAT. They are used to represent pools of IP
addresses to be used in translation and the internal IP addresses that are permitted to be
translated.
AAA

 Cisco ASAs can be configured to authenticate access using a local user database or an
external server for authentication or both. Unlike the ISR, ASA devices do not support
local authentication without using AAA. Server-based AAA authentication uses an
external database server by leveraging the RADIUS or TACACS+ protocols.
 To authenticate users who access the ASA CLI over a console, SSH, HTTPS (ASDM),
or Telnet connection, or to authenticate users who access privileged EXEC mode using
the enable command, use the aaa authentication enable console command in global
configuration mode.
Service Policies on an ASA

 A Modular Policy Framework (MPF) configuration defines a set of rules for applying
firewall features, such as traffic inspection and QoS, to the traffic that traverses the
ASA. MPF allows granular classification of traffic flows, to apply different advanced
policies to different flows. Cisco MPF uses three configuration objects to define
modular, object-oriented, hierarchical policies. Class maps are used to identify the
traffic that will be processed by MPF. Policy maps define what will be done to the
identified traffic. Service policies identify which interfaces the policy map should be
applied to.
 The ASA supports Layer 5 to Layer 7 inspections using a richer set of criteria for
application-specific parameters. For instance, the ASA MPF feature can be used to
match HTTP URLs and request methods, prevent users from surfing to specific sites
during specific times, or even prevent users from downloading music (MP3) and video
files via HTTP/FTP or HTTPS/SFTP.

21.9 INTRODUCTION TO ASDM (OPTIONAL)


21.9.1 OVERVIEW OF ASDM

 The Cisco ASA can be configured and managed using either the command line
interface (CLI) or by using the graphical user interface (GUI) Adaptive Security Device
Manager (ASDM). The CLI is fast, but requires more time to learn. ASDM is intuitive
and simplifies the ASA configuration.
 Specifically, Cisco ASDM is a Java-based GUI tool that facilitates the setup,
configuration, monitoring, and troubleshooting of Cisco ASAs. The application hides
the complexity of commands from administrators and allows streamlined configurations
without requiring extensive knowledge of the ASA CLI. It works with SSL to ensure
secure communication with the ASA. It also provides quick-configuration wizards and
logging and monitoring functionality that is not available using the CLI.
 In order to access the advanced features of the Cisco ASA FirePOWER module that is
included with the ASA 5506-X, Firepower Management Center (FMC) is
recommended.
 Note: Cisco Adaptive Security Device Manager (ASDM) requires Java to be installed on the
host that is used for ASDM configuration of the ASA. Because of changes to the Oracle
Java License, we can no longer require download and installation of a Java runtime
environment (JRE) in order to run the ASDM labs.
21.9.2 PREPARE FOR ASDM

 To enable access to the ASDM, the ASA requires some minimal configuration.
Specifically, ASDM is accessed using a Secure Sockets Layer (SSL) web browser
connection to the ASA Web Server. SSL encrypts the traffic between the client and the
ASA Web Server.
 At a minimum, the ASA requires that a management interface be configured in order to
run ASDM. The management interface depends on the model of ASA. On an ASA
5506-X, the management interface can be any inside interface (G1/2 - G1/8).
 Specifically, to prepare for ASDM access on an ASA 5506-X, the following must be
configured, as shown in the example:
o Selected inside physical port - complete a basic configuration on the port
including a management IP address and security level
o Enable the ASA Web Server - Enable the ASA HTTP server.
o Permit access to the ASA Web Server - By default, the ASA operates in a
closed policy; therefore, all connections to the HTTP server are denied. A
network statement that specifies the hosts that are permitted to access the HTTP
server must be configured.
 The example configures the chosen management inside interface (G1/2) with IP address
192.168.1.1. It enables the interface, enables the ASA HTTP server, and permits access
from any inside host on the 192.168.1.0/24 network.
 After configuring the ASA, verify connectivity by pinging it from the authorized host.
ciscoasa# conf t
ciscoasa(config)# interface g1/2
ciscoasa(config-if)# ip address 192.168.1.1 255.255.255.0
ciscoasa(config-if)# nameif INSIDE
INFO: Security level for "INSIDE" set to 100 by default.
ciscoasa(config-if)# no shutdown
ciscoasa(config-if)# exit
ciscoasa(config)#
ciscoasa(config)# http server enable
ciscoasa(config)# http 192.168.1.0 255.255.255.0 inside
ciscoasa(config)#

21.9.4 START ASDM

 To start ASDM, enter the management IP address of the ASA in a web browser from a
permitted host. The permitted host must establish a connection through a browser to the
inside interface IP address using the HTTPS protocol.
 Click to disregard the initial security certificate warning and to launch the ASDM
window.
 The initial ASDM window is displayed, as shown in the figure. It provides two options
for preparing your computer to access the ASDM GUI:
o Run Cisco ASDM as a local application - This provides the Install ASDM
Launcher option to connect to the ASA from the host’s desktop using SSL.
The advantage of doing so is that one application can be used to manage several
ASA devices, and a web browser is not required to start ASDM.
o Run Cisco ASDM as a Java Web Start application - This provides the
Install Java Web Start option to enable a browser to launch ASDM. A web
browser is required to establish a connection. ASDM is not installed on the
local host.
 After selecting an option, the installation process will begin. Note: Your computer
requires a version of the Java runtime in order for either of these options to work.
 In this example, Install ASDM Launcher is selected. The application installer will
download to your computer. Run the installer and follow the prompts to install the
software. When installation is complete, the Cisco ASDM-IDM Launcher window will
appear as shown in the figure. Provide the enable password and click OK.
 Finally, the ASDM Home page displays, as shown in the figure.

MODULE 22
22.1 NETWORK SECURITY TESTING TECHNIQUES
22.1.1 OPERATIONS SECURITY

 Operations security is concerned with the day-to-day practices necessary to first deploy
and later maintain a secure system. All networks are vulnerable to attack if the
planning, implementation, operations, and maintenance of the network do not adhere to
operational security practices.
 Operations security starts with the planning and implementation process of a network.
During these phases, the operations team analyses designs, identifies risks and
vulnerabilities, and makes the necessary adaptations. The actual operational tasks begin
after the network is set up and include the continual maintenance of the environment.
These activities enable the environment, systems, and applications to continue to run
correctly and securely.
 Some security testing techniques are predominantly manual, and others are highly
automated. Regardless of the type of testing, the staff that sets up and conducts the
security testing should have significant security and networking knowledge in these
areas:
o Operating systems
o Basic programming
o Networking protocols, such as TCP/IP
o Network vulnerabilities and risk mitigation
o Device hardening
o Firewalls
o IPSs

22.1.2 TESTING AND EVALUATING NETWORK SECURITY

 The effectiveness of an operations security solution can be tested without waiting for a
real threat to take place. Network security testing makes this possible. Network security
testing is performed on a network to ensure all security implementations are operating
as expected. Typically, network security testing is conducted during the implementation
and operational stages, after the system has been developed, installed, and integrated.
 Security testing provides insight into various administrative tasks, such as risk analysis
and contingency planning. It is important to document the results of security testing and
make them available for staff involved in other IT areas.
 During the implementation stage, security testing is conducted on specific parts of the
network. After a network is fully integrated and operational, a Security Test and
Evaluation (ST&E) is performed. An ST&E is an examination of the protective
measures that are placed on an operational network.
 Objectives of ST&E include the following:
o Uncover design, implementation, and operational flaws that could lead to the
violation of the security policy.
o Determine the adequacy of security mechanisms, assurances, and device
properties to enforce the security policy.
o Assess the degree of consistency between the system documentation and its
implementation.
 Tests should be repeated periodically and whenever a change is made to the system. For
security systems that protect critical information or protect hosts that are exposed to
constant threat, security testing should be conducted more frequently.

22.1.3 TYPES OF NETWORK TESTS

 After a network is operational, you must assess its security status. Many security tests
can be conducted to assess the operational status of the network:
o Penetration testing - Network penetration tests, or pen testing, simulate attacks
from malicious sources. The goal is to determine the feasibility of an attack and
possible consequences if one were to occur. Some pen testing may involve
accessing a client’s premises and using social engineering skills to test their
overall security posture.
o Network scanning - Includes software that can ping computers, scan for
listening TCP ports, and display which types of resources are available on the
network. Some scanning software can also detect usernames, groups, and
shared resources. Network administrators can use this information to strengthen
their networks.
o Vulnerability scanning - This includes software that can detect potential
weaknesses in the tested systems. These weaknesses can include
misconfiguration, blank or default passwords, or potential targets for DoS
attacks. Some software allows administrators to attempt to crash the system
through the identified vulnerability.
o Password cracking - This includes software that is used to test and detect weak
passwords that should be changed. Password policies must include guidelines to
prevent weak passwords.
o Log review - System administrators should review security logs to identify
potential security threats. Filtering software to scan lengthy log files should be
used to help discover abnormal activity to investigate.
o Integrity checkers - An integrity checking system detects and reports on
changes in the system. Most of the monitoring is focused on the file system.
However, some checking systems can report on login and logout activities.
o Virus detection - Virus or antimalware detection software should be used to
identify and remove computer viruses and other malware.
 Note: Other tests, including Wardialing and Wardriving, are considered to be legacy,
but should still be accounted for in network testing.

22.1.4 APPLYING NETWORK TEST RESULTS

 Network security testing results can be used in several ways:
o To define mitigation activities to address identified vulnerabilities
o As a benchmark to trace the progress of an organization in meeting security
requirements
o To assess the implementation status of system security requirements
o To conduct cost and benefit analysis for improvements to network security
o To enhance other activities, such as risk assessments, certification and
authorization (C&A), and performance improvement efforts
o As a reference point for corrective action

22.2 NETWORK SECURITY TESTING TOOLS


22.2.1 NETWORK TESTING TOOLS

 There are many tools available to test the security of systems and networks. Some of
these tools are open source while others are commercial tools that require licensing.
 Software tools that can be used to perform network testing include:
o Nmap/Zenmap - This is used to discover computers and their services on a
network, therefore creating a map of the network.
o SuperScan - This port scanning software is designed to detect open TCP and
UDP ports, determine what services are running on those ports, and to run
queries, such as whois, ping, traceroute, and hostname lookups.
o SIEM (Security Information Event Management) - This is a technology used
in enterprise organizations to provide real time reporting and long-term analysis
of security events.
o GFI LANguard - This is a network and security scanner which detects
vulnerabilities.
o Tripwire - This tool assesses and validates IT configurations against internal
policies, compliance standards, and security best practices.
o Nessus - This is a vulnerability scanning software, focusing on remote access,
misconfigurations, and DoS against the TCP/IP stack.
o L0phtCrack - This is a password auditing and recovery application.
o Metasploit - This tool provides information about vulnerabilities and aids in
penetration testing and IDS signature development.
 Note: Network testing tools evolve at a rapid pace. The preceding list includes legacy
tools, and its intent is to provide an awareness of the different types of tools available.

22.2.2 NMAP AND ZENMAP

 Nmap is a commonly used, low-level scanner that is available to the public. It has an
array of excellent features which can be used for network mapping and reconnaissance.
 The basic functionality of Nmap allows the user to accomplish several tasks, as follows:
o Classic TCP and UDP port scanning - This searches for different services on
one host.
o Classic TCP and UDP port sweeping - This searches for the same service on
multiple hosts.
o Stealth TCP and UDP port scans and sweeps - This is similar to classic scans
and sweeps, but harder to detect by the target host or IPS.
o Remote operating system identification - This is also known as OS
fingerprinting.
 Advanced features of Nmap include protocol scanning, known as Layer 3 port
scanning. This feature identifies Layer 3 protocol support on a host. Examples of
protocols that can be identified include GRE and OSPF.
 While Nmap can be used for security testing, it can also be used for malicious purposes.
Nmap has an additional feature that allows it to use decoy hosts on the same LAN as the
target host, to mask the source of the scan.
 Nmap has no application layer features and runs on UNIX, Linux, Windows, and OS X.
Both console and graphical versions are available. The Nmap program and Zenmap
GUI can be downloaded from the internet.

22.2.3 SUPERSCAN

 SuperScan is a Microsoft Windows port scanning tool. It runs on most versions of
Windows and requires administrator privileges.
 SuperScan version 4 has a number of useful features:
o Adjustable scanning speed
o Support for unlimited IP ranges
o Improved host detection using multiple ICMP methods
o TCP SYN scanning
o UDP scanning (two methods)
o Simple HTML report generation
o Source port scanning
o Fast hostname resolution
o Extensive banner grabbing capabilities
o Massive built-in port list description database
o IP and port scan order randomization
o A selection of useful tools, such as ping, traceroute, and whois
o Extensive Windows host enumeration capability
 Tools, such as Nmap and SuperScan, can provide effective penetration testing on a
network and determine network vulnerabilities while helping to anticipate possible
attack mechanisms. However, network testing cannot prepare a network administrator
for every security problem.

22.2.4 SIEM

 Security Information Event Management (SIEM) is a technology used in enterprise
organizations to provide real time reporting and long-term analysis of security events.
SIEM evolved from two previously separate products: Security Information
Management (SIM) and Security Event Management (SEM). SIEM can be
implemented as software, integrated with Cisco Identity Services Engine (ISE) or as a
managed service.
 SIEM combines the essential functions of SIM and SEM to provide:
o Correlation - Examines logs and events from disparate systems or applications,
speeding detection of and reaction to security threats.
o Aggregation - Aggregation reduces the volume of event data by consolidating
duplicate event records.
o Forensic analysis - The ability to search logs and event records from sources
throughout the organization provides more complete information for forensic
analysis.
o Retention - Reporting presents the correlated and aggregated event data in real-
time monitoring and long-term summaries.
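Aggregation and correlation as described above, and the log review item in 22.1.3 (filtering a lengthy log to surface abnormal activity), shown in Python over a handful of constructed firewall log lines. This is an added example, not code from the course or from any SIEM product; the log format, the device names and addresses, and the function names are all assumptions.

```python
"""SIEM-style aggregation and correlation over constructed log lines (added example)."""
import re
from collections import Counter, defaultdict

# Constructed sample lines in a syslog-like format from two firewalls.
# These are NOT real ASA syslog messages; the format is invented for the example.
LOG_LINES = """\
2024-05-01T10:00:01 fw1 DENY tcp 198.51.100.9 -> 192.168.1.10:22
2024-05-01T10:00:01 fw1 DENY tcp 198.51.100.9 -> 192.168.1.10:22
2024-05-01T10:00:02 fw1 DENY tcp 198.51.100.9 -> 192.168.1.10:22
2024-05-01T10:00:05 fw2 DENY tcp 198.51.100.9 -> 192.168.1.11:22
2024-05-01T10:00:06 fw2 DENY tcp 198.51.100.9 -> 192.168.1.12:22
2024-05-01T10:00:07 fw1 DENY tcp 198.51.100.9 -> 192.168.1.13:22
2024-05-01T10:00:09 fw1 PERMIT tcp 192.168.1.20 -> 203.0.113.10:443
2024-05-01T10:00:10 fw2 DENY udp 203.0.113.77 -> 192.168.1.10:161
this line is malformed and must be skipped by the parser
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<dev>\S+) (?P<action>PERMIT|DENY) (?P<proto>\w+) "
    r"(?P<src>[\d.]+) -> (?P<dst>[\d.]+):(?P<dport>\d+)$")


def parse(text):
    """Turn raw lines into event dicts; lines that do not fit the format are dropped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ev = m.groupdict()
            ev["dport"] = int(ev["dport"])
            events.append(ev)
    return events


def aggregate(events):
    """Aggregation: collapse duplicate records (same device, action, protocol,
    source, destination and port, timestamp ignored) into one record with a count."""
    def key(e):
        return (e["dev"], e["action"], e["proto"], e["src"], e["dst"], e["dport"])
    return Counter(key(e) for e in events)


def correlate_sweeps(events, min_hosts=3):
    """Correlation: one source denied to at least min_hosts distinct internal
    hosts, counted across ALL devices. Each firewall alone may see too few hosts
    to notice the sweep; combining their logs is what exposes it."""
    targets = defaultdict(set)
    for e in events:
        if e["action"] == "DENY":
            targets[e["src"]].add(e["dst"])
    return {src: sorted(hosts) for src, hosts in targets.items() if len(hosts) >= min_hosts}
```

Run on the sample, `aggregate` folds the three identical fw1 denies into one record with a count of 3, and `correlate_sweeps` flags 198.51.100.9 only when the fw1 and fw2 events are combined.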
 SIEM provides details on the source of suspicious activity, including:
o User information (name, authentication status, location, authorization group,
quarantine status)
o Device information (manufacturer, model, OS version, MAC address, network
connection method, location)
o Posture information (device compliance with corporate security policy,
antivirus version, OS patches, compliance with mobile device management
policy)
 Using this information, network security engineers can quickly and accurately assess
the significance of any security event and answer the critical questions:
o Who is associated with this event?
o Is it an important user with access to intellectual property or sensitive
information?
o Is the user authorized to access that resource?
o Does the user have access to other sensitive resources?
o What kind of device is being used?
o Does this event represent a potential compliance issue?

22.3 NETWORK SECURITY TESTING SUMMARY


22.3.1 WHAT DID I LEARN IN THIS MODULE?
Network Security Testing Techniques

 Operations security starts with the planning and implementation process of a network.
During these phases, the operations team analyzes designs, identifies risks and
vulnerabilities, and makes the necessary adaptations.
 The actual operational tasks begin after the network is set up and include the continual
maintenance of the environment.
 The staff that sets up and conducts the security testing should have significant security
and networking knowledge in these areas: device hardening, firewalls, IPSs, operating
systems, basic programming, networking protocols, such as TCP/IP, and network
vulnerabilities and risk mitigation.
 An ST&E is an examination of the protective measures that are placed on an
operational network.
 Many security tests can be conducted to assess the operational status of the network and
include: penetration testing, network scanning, vulnerability scanning, password
cracking, log review, integrity checkers, and virus detection.
Network Security Testing Tools
 There are many tools available to test the security of systems and networks including:
Nmap/Zenmap, SuperScan, SIEM, GFI LANguard, Tripwire, Nessus, L0phtCrack, and
Metasploit. Nmap and Zenmap (its graphical frontend) are commonly used and free
low-level scanners.
 SuperScan is also a free Microsoft Windows port scanning tool.
 Security Information Event Management (SIEM) is a technology used in enterprise
organizations to provide real time reporting and long-term analysis of security events.
SIEMs provide correlation, aggregation, forensic analysis, and retention.
