CCNP Security PDF

This document provides an overview of the Cisco ASA firewall including its features and services such as packet filtering, stateful filtering, application inspection, network address translation, routing, VPN support, and management. It describes the routed and transparent firewall modes, interface configuration, routing protocols, access control lists, objects, object groups, and network address translation.

Uploaded by

Mohd Rumman
CCNP SECURITY

Firewall:
In computing, a firewall is a network security system that monitors
and controls incoming and outgoing network traffic based on
predetermined security rules.

Firewalls are often categorized as either network firewalls or
host-based firewalls.
- Network firewalls filter traffic between two or more networks.
- Host-based firewalls control network traffic in and out of a single
  machine.

Popular network firewall vendors:
- Checkpoint
- Cisco Systems
- Fortinet
- Juniper
- McAfee
- SonicWall
- WatchGuard
Cisco ASA:
ASA Features and Services
1. Packet filtering
   - Implemented with access lists
   - Supports both standard and extended access lists

2. Stateful filtering
   - Maintains the state of packets passing through the ASA so that
     reply traffic is allowed

3. Application inspection
   - The ASA can listen to the conversation between devices on one side
     and devices on the other side and pay attention to application
     layer information
   - For example, FTP

4. Network Address Translation (NAT)

5. DHCP
   - Can act as a DHCP server, a DHCP client, or both

6. Routing
   - Supports dynamic routing protocols
   - Also supports static routing

7. Layer 3 or Layer 2 implementation
   - Can be implemented in routed mode or transparent mode

8. VPN support
   - Can operate as the head-end or remote-end device for VPN tunnels
   - Site-to-Site VPN, Remote-access VPN

9. High availability
   - Active/Standby failover
   - Active/Active failover

10. AAA support

11. Modular Policy Framework

12. Security contexts

Firewall modes
1. Routed firewall mode
2. Transparent firewall mode

Routed firewall mode:
- Default mode of the Cisco ASA
- The ASA is considered a router hop in the network
- Supports almost all ASA features, such as NAT and dynamic
  routing protocols

Transparent mode:
- Introduced after software version 7.0
- Can be deployed as a secure bridging mode, at Layer 2
- Acts like a bump in the wire and is not considered a router hop
- Static routes are only used for traffic originating from the appliance
- The only Layer 3 addressing required is the management IP address,
  which must be in the same subnet as the connected network

Configuring an ASA interface:
1. Enable the interface with the no shutdown command
2. Configure an IP address with the ip address command
3. Give it a logical name with the nameif command
4. Define a security level with the security-level command

nameif: the logical name of the interface, which is used when
configuring any policy on that interface.
security-level: a number between 0 and 100 that defines the
trustworthiness of the interface.

Default behavior of the Cisco ASA
- Higher security level to lower security level: everything is allowed
- Lower security level to higher security level: everything is denied;
  traffic can be permitted by applying an access list on the interface
- Same-security traffic is denied by default
- By default the ASA inspects all TCP and UDP traffic passing through
  the firewall
- TCP and UDP reply traffic is always permitted through the firewall

ASA Management:
- The ASA can be managed remotely via Telnet, SSH, or HTTPS
- By default, the ASA cannot be managed remotely
- To check the open ports on the ASA:

1. SSH:
- A maximum of 5 concurrent SSH sessions are allowed in single mode.
- To use SSH, you must configure AAA authentication using the
  aaa authentication ssh console LOCAL command.

Steps:
a. Generate an RSA key pair
b. Create a user in the local database that can be used for SSH
   access
c. Enable local authentication for SSH access
d. Identify the IP addresses from which the ASA accepts
   connections for each address or subnet, and the interface on
   which you can use SSH
e. Set the duration for how long an SSH session can be idle before
   the ASA disconnects the session

2. Telnet:
- A maximum of 5 concurrent Telnet sessions are allowed in single mode
- If more than one interface is configured, you cannot use Telnet
  to the lowest security level interface unless you use Telnet inside
  a VPN tunnel.
- If only one interface is configured, its security level must be 100.

Steps:
a. Identify the IP addresses from which the ASA accepts
   connections for each address or subnet, and the interface on
   which you can use Telnet.
b. Set the duration for how long a Telnet session can be idle before
   the ASA disconnects the session
c. Set the Telnet password (default is "cisco")
d. Optional: authenticate the session using a username instead of the
   Telnet password

3. HTTPS (using ASDM):
- A maximum of 5 concurrent HTTPS sessions are allowed in single mode

Steps:
a. Check whether the ASDM file is in flash or not
b. If not, copy it to flash (make sure the remote host is reachable
   from the ASA)
c. Tell the ASA where the ASDM file is located
d. Enable the HTTPS service
e. Identify the IP addresses from which the ASA accepts
   connections for each address or subnet, and the interface on
   which you can use HTTPS.
The default factory configuration configures the following:

1. Management interface
2. IP address: the management IP address is 192.168.1.1/24
3. DHCP server, so that a user connecting to the management
   interface receives an address between 192.168.1.2 and
   192.168.1.254
4. ASDM access: management hosts allowed

Routing:
Routing involves two basic activities:
- Determining optimal routing paths
- Transporting packets through a network

The ASA determines the egress interface in one of the following ways:
1. Uses the NAT rule to determine the egress interface
2. If the interface is not configured in the NAT rule, the ASA uses a
   route lookup to determine the egress interface

The ASA supports:
1. Static routes
2. RIP
3. EIGRP
4. OSPF
5. IS-IS
6. BGP
7. Multicast routing

RIP:

EIGRP:

OSPF:

BGP:
It is an exterior gateway protocol. It uses TCP port 179.

On the ASA, you can run only 1 instance each of RIP, EIGRP, and BGP,
and 2 instances of OSPF.

Access Control Lists:
Access control lists (ACLs) identify traffic flows by one or more
characteristics, including source and destination IP address, IP
protocol, ports, EtherType, and other parameters, depending on
the type of ACL.

ACL types supported by the ASA:

1. Extended ACL
- Can be used in routed and transparent mode
- The main type of ACL used on the ASA
- Can be used to permit or deny traffic through the device
- Can be used to match traffic for many features, such as service
  policies, AAA rules, WCCP, Botnet Traffic Filter, VPN, etc.

2. EtherType ACL
- Can be used in transparent mode
- Can be used to permit or drop traffic based on the EtherType value
  in the Layer 2 header

3. Webtype ACL
- Webtype ACLs are used for filtering clientless SSL VPN traffic
- Supported in routed mode only

4. Standard ACL
- Supported in routed and transparent mode
- Cannot be applied to an interface
- Can be used in route filtering and redistribution

5. Time-based ACL
- Time range objects can be applied to extended and Webtype ACEs so
  that rules are active only for a specific period

Points to remember:
1. When a new ACE is added to an existing ACL, it is appended to
   the end of the ACL. To add a new ACE in the middle or at the top,
   use the "line" keyword when configuring the ACL.
2. By default, you do not need to define an ACE to permit traffic
   from a higher security level to a lower security level.
3. An access list can be applied to an interface or globally (on all
   interfaces).
4. An ACL can even be used to filter to-the-box traffic by using
   "control-plane" at the end of the "access-group" command.
5. An ACL can be temporarily disabled by using the "inactive" keyword.

If you have an interface ACL and a global ACL together:
- The ASA matches traffic against the interface ACL first.
- If traffic matches the interface ACL, the ASA does not check the
  global ACL.
- If traffic does not match the interface ACL, it is then checked
  against the global ACL.
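As an added illustration (not from the original notes or from Cisco), the following Python model encodes the evaluation order above: interface ACL first, then the global ACL, the implicit deny once any ACL applies, and the security-level default when no ACL applies; the "line" and "inactive" behaviours are modelled too. All interface names, addresses and ACEs are constructed for the example.

```python
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import List, Optional

# Constructed model of how the ASA evaluates a new connection against the
# interface ACL, the global ACL and the security-level defaults (example
# code, not ASA software). All names and addresses are made up.

@dataclass
class ACE:
    action: str                  # "permit" or "deny"
    proto: str                   # "ip" matches any protocol
    src: str                     # source network in CIDR form
    dst: str                     # destination network in CIDR form
    dport: Optional[int] = None  # None means any destination port
    inactive: bool = False       # "inactive" keyword: the ACE is skipped

    def matches(self, pkt: dict) -> bool:
        if self.inactive:
            return False
        if self.proto != "ip" and self.proto != pkt["proto"]:
            return False
        if ip_address(pkt["src"]) not in ip_network(self.src):
            return False
        if ip_address(pkt["dst"]) not in ip_network(self.dst):
            return False
        return self.dport is None or self.dport == pkt.get("dport")

@dataclass
class ACL:
    name: str
    aces: List[ACE] = field(default_factory=list)

    def add(self, ace: ACE, line: Optional[int] = None) -> None:
        # A new ACE is appended unless a 1-based "line" position is given.
        if line is None:
            self.aces.append(ace)
        else:
            self.aces.insert(line - 1, ace)

    def lookup(self, pkt: dict) -> Optional[str]:
        # Action of the first matching ACE, or None when nothing matches.
        for ace in self.aces:
            if ace.matches(pkt):
                return ace.action
        return None

@dataclass
class Interface:
    nameif: str
    security_level: int
    access_group: Optional[ACL] = None  # ACL applied inbound on this interface

def decide(ingress: Interface, egress: Interface, pkt: dict,
           global_acl: Optional[ACL] = None) -> str:
    """Permit/deny verdict for a new connection entering 'ingress'."""
    # 1. The interface ACL is checked first; a match there is final.
    if ingress.access_group is not None:
        action = ingress.access_group.lookup(pkt)
        if action is not None:
            return action
    # 2. The global ACL is consulted only when the interface ACL had no match.
    if global_acl is not None:
        action = global_acl.lookup(pkt)
        if action is not None:
            return action
    # 3. Once any ACL is in force, unmatched traffic hits the implicit deny.
    if ingress.access_group is not None or global_acl is not None:
        return "deny"
    # 4. No ACL at all: higher -> lower security level is permitted,
    #    lower -> higher and same-security traffic is denied.
    return "permit" if ingress.security_level > egress.security_level else "deny"

def demo() -> dict:
    inside, dmz, outside = Interface("inside", 100), Interface("dmz", 50), Interface("outside", 0)
    web = {"proto": "tcp", "src": "198.51.100.7", "dst": "10.1.1.10", "dport": 80}
    ssh = dict(web, dport=22)
    results = {}
    # No ACLs configured: the security-level defaults decide.
    results["inside_to_outside_default"] = decide(inside, outside, web)
    results["outside_to_dmz_default"] = decide(outside, dmz, web)
    # Inbound ACL on outside permitting only HTTP to the DMZ web server.
    outside_in = ACL("OUTSIDE_IN")
    outside_in.add(ACE("permit", "tcp", "0.0.0.0/0", "10.1.1.10/32", 80))
    outside.access_group = outside_in
    results["outside_http_with_acl"] = decide(outside, dmz, web)
    results["outside_ssh_with_acl"] = decide(outside, dmz, ssh)
    # A deny inserted at line 1 now precedes the permit for that source.
    outside_in.add(ACE("deny", "ip", "198.51.100.7/32", "0.0.0.0/0"), line=1)
    results["blocked_host_http"] = decide(outside, dmz, web)
    # Marking that deny inactive restores the permit.
    outside_in.aces[0].inactive = True
    results["blocked_host_http_inactive"] = decide(outside, dmz, web)
    # A global ACL is reached only for traffic the interface ACL did not match.
    global_acl = ACL("GLOBAL")
    global_acl.add(ACE("permit", "tcp", "0.0.0.0/0", "10.1.1.10/32", 22))
    results["outside_ssh_via_global"] = decide(outside, dmz, ssh, global_acl)
    return results
```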

Objects:
Objects make configuring and maintaining your configuration
easy because you can modify an object in place and have the change
reflected in all other places that reference it.

Two object types are available:

1. Network object:
- A network object can contain a host, a network IP address, a
  range of IP addresses, or a fully qualified domain name (FQDN)
- You can also enable NAT rules on the object
2. Service object:
- Can contain a single protocol specification

A network object is mostly used in NAT rules; it may also be used while
configuring an access list.

Object groups: there are 6 types of object groups available

1. object-group network:
- Network object groups can contain multiple network objects
- Network object groups can include a mix of both IPv4 and IPv6
  addresses

2. object-group service:
- A service object group includes a mix of protocols

3. object-group icmp-type:
- An icmp-type object group includes various ICMP types

4. object-group protocol:
- Can be used to include IP protocols in one object

5. object-group user:
- Can be used to support the identity firewall

6. object-group security:
- Can be used to support Cisco TrustSec
NAT: Network Address Translation
Why use NAT:
1. To access the Internet from a private network
2. To hide the real IP address
3. To resolve IP routing problems, such as overlapping subnets

NAT is composed of two steps:
a. The process by which a real address is translated into a mapped
   address
b. The process of undoing the translation for returning traffic

- The ASA translates an address when a NAT rule matches the
  traffic; if no NAT rule matches, processing for the packet
  continues. The exception is when you enable NAT control.
- NAT control requires that packets traversing from a higher
  security interface (inside) to a lower security interface (outside)
  match a NAT rule.

Command to check NAT control:

Command to enable NAT control:

- Regular NAT can only consider the source address, not the
  destination address.

Types of NAT:
1. Dynamic NAT
2. Dynamic PAT
3. Static NAT
4. Static PAT

Dynamic NAT
- Translates a group of real (private) addresses to public IP addresses
  drawn from a pool of registered (public) addresses that are routable
  to the destination network
- Addresses are handed out on a first come, first served basis
- Used for unidirectional communication only
- Default timeout is 3 hours and can be changed

Dynamic PAT
- Translates a group of real (private) addresses to a single mapped IP
  address by using a combination of the mapped IP address and a source
  port number
- Unidirectional communication only
- Default timeout is 30 seconds and cannot be changed

Static NAT
- Creates a fixed (one-to-one) translation of a real address to a mapped
  address
- Allows bidirectional communication
- Entry remains permanently in the NAT translation table

Static PAT
- Static PAT is similar to static NAT, with the exception that it allows
  specifying the Layer 4 port information for the real and mapped
  address
- Entry remains permanently in the NAT translation table

Policy NAT
- Similar to static NAT, but it allows defining a conditional
  criterion that checks both the source address and the destination
  address to determine the address translation
Policy NAT with different destination ports:

Bypassing NAT:
1. Identity NAT (nat 0 command)
- If you configure identity NAT for a source address, the ASA bypasses
  NAT no matter what the egress interface is
- Identity NAT allows unidirectional communication
2. Static identity NAT (static command)
- With static identity NAT you translate the real IP address to its own
  IP address
- Allows bidirectional communication
3. NAT exemption (nat 0 access-list command)
- Similar to identity NAT but allows bidirectional communication
- Traffic is exempted from address translation (no xlate is maintained)

ASA NAT order:
1. NAT exemption (using nat 0 access-list)
2. Policy NAT (using static with access-list)
3. Static NAT
4. Static PAT
5. Policy NAT (using nat with access-list)
6. Dynamic NAT
7. Dynamic PAT
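As an added example (not from the original notes or from Cisco), this Python model applies the NAT order above to a packet whose source matches several rule types at once, and reports the xlate behaviour (lifetime, directionality) of the NAT type that wins. The rule set, addresses and pools are constructed for the example.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional

# Constructed model of pre-8.3 ASA NAT rule selection (example code, not ASA
# software): among all rules matching a packet, the type earliest in the NAT
# order wins; the xlate behaviour follows the NAT types described above.
# Addresses and pools below are made up.

# Position in the ASA NAT order (lower number wins).
NAT_ORDER = {
    "nat-exemption": 1,   # nat 0 access-list
    "policy-static": 2,   # static with access-list
    "static-nat": 3,
    "static-pat": 4,
    "policy-dynamic": 5,  # nat with access-list
    "dynamic-nat": 6,
    "dynamic-pat": 7,
}
# Xlate lifetime per type: None = no xlate kept, 0 = permanent, else seconds.
XLATE_TIMEOUT = {
    "nat-exemption": None,
    "policy-static": 0, "static-nat": 0, "static-pat": 0,
    "policy-dynamic": 3 * 3600, "dynamic-nat": 3 * 3600,
    "dynamic-pat": 30,
}
BIDIRECTIONAL = {"nat-exemption", "policy-static", "static-nat", "static-pat"}

@dataclass
class NatRule:
    kind: str
    real: str                        # real (private) network in CIDR form
    mapped: Optional[str] = None     # mapped address or pool; None for exemption
    dst: Optional[str] = None        # destination criterion (policy NAT, exemption)
    real_port: Optional[int] = None  # static PAT: real-side port
    mapped_port: Optional[int] = None

    def matches(self, src: str, dst: str, sport: Optional[int]) -> bool:
        if ip_address(src) not in ip_network(self.real):
            return False
        if self.dst is not None and ip_address(dst) not in ip_network(self.dst):
            return False
        return self.real_port is None or self.real_port == sport

def select_rule(rules: List[NatRule], src: str, dst: str,
                sport: Optional[int] = None) -> Optional[NatRule]:
    """Matching rule of the highest-precedence type; first configured wins within a type."""
    candidates = [r for r in rules if r.matches(src, dst, sport)]
    return min(candidates, key=lambda r: NAT_ORDER[r.kind]) if candidates else None

def translate(rules: List[NatRule], src: str, dst: str,
              sport: Optional[int] = None) -> dict:
    """Describe how the source of this packet would be translated."""
    rule = select_rule(rules, src, dst, sport)
    if rule is None:  # no rule matched: packet continues untranslated (NAT control off)
        return {"rule": None, "mapped": src, "mapped_port": None,
                "xlate_timeout": None, "bidirectional": False}
    return {
        "rule": rule.kind,
        "mapped": src if rule.kind == "nat-exemption" else rule.mapped,
        "mapped_port": rule.mapped_port if rule.kind == "static-pat" else None,
        "xlate_timeout": XLATE_TIMEOUT[rule.kind],
        "bidirectional": rule.kind in BIDIRECTIONAL,
    }

def demo() -> dict:
    rules = [
        NatRule("dynamic-pat", "10.1.0.0/16", mapped="203.0.113.1"),
        NatRule("dynamic-nat", "10.1.1.0/24", mapped="203.0.113.10-203.0.113.20"),
        NatRule("static-nat", "10.1.1.50/32", mapped="203.0.113.50"),
        NatRule("static-pat", "10.1.1.60/32", mapped="203.0.113.60",
                real_port=8080, mapped_port=80),
        NatRule("nat-exemption", "10.1.1.0/24", dst="10.2.0.0/16"),  # e.g. site-to-site VPN
    ]
    return {
        # Host matches exemption, dynamic NAT and dynamic PAT: exemption wins.
        "to_vpn": translate(rules, "10.1.1.7", "10.2.5.5"),
        # Same host to the Internet: dynamic NAT from the pool beats dynamic PAT.
        "to_internet": translate(rules, "10.1.1.7", "198.51.100.9"),
        # Static NAT beats the overlapping dynamic rules.
        "server": translate(rules, "10.1.1.50", "198.51.100.9"),
        # Static PAT applies only to the configured port.
        "pat_port_hit": translate(rules, "10.1.1.60", "198.51.100.9", 8080),
        "pat_port_miss": translate(rules, "10.1.1.60", "198.51.100.9", 443),
        # Host covered only by the /16 dynamic PAT rule.
        "other_subnet": translate(rules, "10.1.9.3", "198.51.100.9"),
    }
```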

DNS Doctoring:
DNS doctoring is used on the Adaptive Security Appliance (ASA) to
change the embedded IP addresses in Domain Name System (DNS)
responses so that clients can connect to the correct IP address of
servers. The ASA rewrites DNS A record information.
DNS doctoring requires:
1. Configuration of NAT on the ASA with the "dns" keyword
2. DNS inspection must be enabled
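As an added example (not from the original notes or from Cisco), the following Python builds a small DNS response in wire format and performs the A-record rewrite that DNS doctoring does for a static NAT rule with the "dns" keyword: an inside client that receives the mapped (public) address from an outside DNS server gets the real address instead. The hostnames, the NAT mapping and all addresses are constructed.

```python
import struct
from ipaddress import IPv4Address
from typing import Dict, List, Tuple

# Constructed model of the A-record rewrite done by DNS doctoring (example
# code, not ASA software). Names and addresses are made up; on a real ASA
# this rewrite happens only for NAT rules carrying the "dns" keyword and
# only when DNS inspection is enabled.

def encode_name(name: str) -> bytes:
    """Encode a DNS name as length-prefixed labels ending in a zero byte."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"

def build_a_response(name: str, addr: str, txid: int = 0x1234, ttl: int = 300) -> bytes:
    """Minimal DNS response with one question and one A record."""
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)  # QR=1, RD, RA; 1 Q, 1 A
    question = encode_name(name) + struct.pack("!HH", 1, 1)     # QTYPE A, QCLASS IN
    answer = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, ttl, 4) + IPv4Address(addr).packed
    return header + question + answer

def skip_name(msg: bytes, off: int) -> int:
    """Offset just past a (possibly compressed) DNS name."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:  # compression pointer: two bytes end the name
            return off + 2
        off += 1 + length

def walk_a_records(msg: bytes) -> List[Tuple[str, int]]:
    """(address, rdata offset) for every A record in the answer sections."""
    qd, an, ns, ar = struct.unpack_from("!HHHH", msg, 4)
    off = 12
    for _ in range(qd):
        off = skip_name(msg, off) + 4  # QNAME, then QTYPE + QCLASS
    found = []
    for _ in range(an + ns + ar):
        off = skip_name(msg, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack_from("!HHIH", msg, off)
        off += 10
        if rtype == 1 and rdlen == 4:
            found.append((str(IPv4Address(bytes(msg[off:off + 4]))), off))
        off += rdlen
    return found

def a_records(msg: bytes) -> List[str]:
    return [ip for ip, _ in walk_a_records(msg)]

def doctor(msg: bytes, mapped_to_real: Dict[str, str]) -> Tuple[bytes, List[Tuple[str, str]]]:
    """Replace mapped addresses in A records with the real address behind the NAT rule.
    Returns the rewritten message and the (mapped, real) pairs that were changed."""
    out = bytearray(msg)
    changed = []
    for ip, off in walk_a_records(msg):
        if ip in mapped_to_real:
            out[off:off + 4] = IPv4Address(mapped_to_real[ip]).packed
            changed.append((ip, mapped_to_real[ip]))
    return bytes(out), changed

def demo() -> dict:
    # Constructed static NAT with the dns keyword: real 10.1.1.50 <-> mapped 203.0.113.50.
    dns_nat = {"203.0.113.50": "10.1.1.50"}
    # Reply from the outside DNS server, as an inside client would otherwise receive it.
    reply = build_a_response("www.example.com", "203.0.113.50")
    other = build_a_response("ns.example.net", "198.51.100.2")  # not covered by any rule
    doctored, changes = doctor(reply, dns_nat)
    untouched, no_changes = doctor(other, dns_nat)
    return {
        "before": a_records(reply),
        "after": a_records(doctored),
        "changes": changes,
        "other_after": a_records(untouched),
        "other_changes": no_changes,
        "same_length": len(doctored) == len(reply),
    }
```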


NAT on ASA 8.4:

Section 2 NAT: configured under object network (without the "source"
keyword)
Section 1 NAT: configured in global configuration mode
Security contexts:
- You can partition a single ASA into multiple virtual devices, known
  as security contexts
- Each context acts as an independent device, with its own security
  policy, interfaces, and administrators
- It is similar to having multiple standalone devices

Why?
1. You are a service provider and want to sell security services to
   many customers.
2. You are a large enterprise or a college campus and want to keep
   departments completely separate.
3. You have any network that requires more than one ASA.

Command to boot the ASA in multiple mode (changing the ASA mode
requires rebooting the firewall):

Command to check the security context:

Context configuration files:
- For each context, the ASA includes a configuration that identifies
  the security policy, interfaces, and all the options you can
  configure on a standalone device.
- You can store context configurations in flash memory, or you can
  download them from a TFTP, FTP, or HTTP(S) server.

Steps for configuring multiple mode and contexts:
1. Enable multiple context mode (be aware of what happens when it
   is enabled!)
2. No shut the physical interfaces to be used by the contexts
3. Configure the security context
4. Allocate interfaces to the context
5. Specify the location of the config file for the context in the internal
   flash
6. (Optional) Automatically assign MAC addresses to context
   interfaces
7. Configure resource classes and reference them under the context config
   to manage resources for each security context

System configuration:
- The system context is only used for configuring multiple security
  contexts in multiple mode
- This is the place from where you add and manage contexts by
  configuring:
  a. Configuration location
  b. Allocated interfaces
  c. Failover
- You cannot configure any network interface or network setting in the
  system configuration.
- If you are allocating any interface to a security context, make sure
  you enable that interface from the system configuration.

Admin context configuration:
- If the admin context is not created, you cannot create a security
  context.
- Just like any other context, except that when a user logs in to the
  admin context, that user has system administrator rights and can
  access the system and all other contexts.
- Can be used as a regular context.
- The admin context must reside on flash memory, not remotely.
- If you convert from single mode, the admin context is created
  automatically as a file on the internal flash memory called
  admin.cfg

Command to create the admin context:

Command to change to a security context CLI:

If you want to come back to the system configuration, use the
following command:

You can directly jump from one security context to another security
context.

You can share an interface among more than one security context; if
sharing, the interface should have a unique MAC address in each context.

A unique MAC address can be generated in two ways:
1. Automatic generation
2. Manual configuration:

How the ASA classifies packets to determine to which security context
to send a packet:
1. Unique interface
- If only one context is associated with the ingress interface, the
  ASA classifies the packet into that context.

2. Unique MAC address
- If multiple contexts share an interface, then the classifier uses the
  unique MAC addresses assigned to the interface in each context.

3. NAT configuration
- If you do not enable the use of unique MAC addresses, then the ASA
  uses the mapped addresses in your NAT configuration to classify
  packets.
- It is recommended that you use MAC addresses instead of NAT.
 Recommended is you use MAC address instead of NAT
Resource Management:
- By default, all security contexts have unlimited access to the
  resources of the ASA, except where maximum limits per context are
  enforced

Resource Class:
- The ASA manages resources by assigning contexts to resource
  classes
- Each context uses the resource limits set by the class
- All contexts belong to the default class if they are not assigned to
  another class
- A context can only be assigned to one resource class

Default Class:
- All contexts belong to the default class if they are not assigned to
  another class
- If a context belongs to a class other than the default class, those
  class settings always override the default class settings
- If the other class has any settings that are not defined, then the
  member context uses the default class for those limits
- The default class provides unlimited access to resources for all
  contexts, except for the following:

Configuring a class:

Assigning a class to a security context:

Transparent Firewall:
- Configuring the transparent firewall on ASA 8.0 and 8.4 is different.
- A transparent firewall, on the other hand, is a Layer 2 firewall that
  acts like a "bump in the wire," or a "stealth firewall," and is not
  seen as a router hop to connected devices.
- The ASA connects the same network on its inside and outside
  interfaces, because the ASA is not a router hop.
- ARPs are allowed through the transparent firewall in both
  directions without an access list; this can be controlled by
  enabling ARP inspection.
- Static routes are only used for traffic originating from the
  appliance.
- The only Layer 3 addressing required is the management IP address,
  which must be in the same subnet as the connected network.
- Routing protocols to the device are not supported, but routing
  protocol traffic through the device is allowed.
- BPDUs are passed by default. Use an EtherType ACL to deny them.
- The egress interface of a packet is determined by performing a MAC
  address lookup instead of a route lookup.
- A route lookup is used only for traffic originating from the device.
- Broadcast and multicast packets are not permitted by default;
  explicit ACL rules are required.
- You can configure only two interfaces.

The following MAC addresses are allowed through the firewall:

Unsupported features:
1. DHCP relay
2. Dynamic routing protocols
3. QoS
4. VPN termination for through traffic

Configuration on ASA 8.0:

Command to change the firewall type (save the configuration before
changing the firewall type):

Then, configure the IP address in global configuration mode:

Enable and assign a nameif to the interfaces:

Configuration on ASA 8.4:

On ASA software version 9.6, you can create up to 250 bridge groups.
Command to change the firewall type (save the configuration before
changing the firewall type):

Configure an IP address on a bridge group:

Enable, assign a nameif, and assign the bridge group to the interface:

ARP Inspection:
- ARP inspection prevents malicious users from impersonating
  other hosts or routers (known as ARP spoofing).
- ARP spoofing can enable a "man-in-the-middle" attack.
- ARP inspection ensures that an attacker cannot send an ARP
  response with the attacker's MAC address.
When you enable ARP inspection, the ASA compares the MAC address,
IP address, and source interface in all ARP packets to the static entries
in the ARP table, and takes the following actions:
- If the IP address, MAC address, and source interface match an
  ARP entry, the packet is passed through.
- If there is a mismatch between the MAC address, the IP address,
  or the interface, then the ASA drops the packet.
- If the ARP packet does not match any entry in the static ARP
  table, then you can set the ASA either to forward the packet out
  all interfaces (flood, which is the default action) or to drop the packet.
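As an added example (not from the original notes or from Cisco), this Python model applies the three ARP inspection rules above to a few constructed ARP packets: a genuine reply from the gateway, a reply claiming the gateway's IP with another MAC, the right MAC arriving on the wrong interface, and a host with no static entry under both the flood and drop settings. The static entry, MACs and interface names are made up.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Constructed model of transparent-mode ARP inspection (example code, not
# ASA software): every ARP packet is compared with the static ARP table and
# passed, dropped, or (for unknown hosts) flooded or dropped per configuration.
# Addresses, MACs and interface names are made up.

@dataclass(frozen=True)
class StaticArp:
    ip: str
    mac: str
    interface: str

@dataclass
class ArpPacket:
    sender_ip: str
    sender_mac: str
    ingress: str

def inspect(packets: List[ArpPacket], static_table: List[StaticArp],
            inspection_enabled: bool = True, flood_unknown: bool = True) -> List[Tuple[str, str]]:
    """Return (sender_ip, verdict) per packet: pass, drop, flood or drop-unknown."""
    by_ip: Dict[str, StaticArp] = {e.ip: e for e in static_table}
    verdicts = []
    for pkt in packets:
        if not inspection_enabled:
            verdicts.append((pkt.sender_ip, "pass"))  # ARP crosses freely, no ACL needed
            continue
        entry = by_ip.get(pkt.sender_ip)
        if entry is None:
            # No static entry for this IP: flood (default) or drop, per configuration.
            verdicts.append((pkt.sender_ip, "flood" if flood_unknown else "drop-unknown"))
        elif (entry.mac, entry.interface) == (pkt.sender_mac, pkt.ingress):
            verdicts.append((pkt.sender_ip, "pass"))
        else:
            # MAC or interface disagrees with the static entry: a spoofed reply, dropped.
            verdicts.append((pkt.sender_ip, "drop"))
    return verdicts

def demo() -> Dict[str, str]:
    table = [StaticArp("10.1.1.1", "0000.5e00.0101", "outside")]  # constructed gateway entry
    legit = ArpPacket("10.1.1.1", "0000.5e00.0101", "outside")
    spoof = ArpPacket("10.1.1.1", "0000.5e00.0199", "inside")     # gateway IP, other MAC
    wrong_if = ArpPacket("10.1.1.1", "0000.5e00.0101", "inside")  # right MAC, wrong side
    unknown = ArpPacket("10.1.1.25", "0000.5e00.0125", "inside")  # no static entry

    def verdict(pkt: ArpPacket, **options) -> str:
        return inspect([pkt], table, **options)[0][1]

    return {
        "legit": verdict(legit),
        "spoofed_gateway": verdict(spoof),
        "wrong_interface": verdict(wrong_if),
        "unknown_default": verdict(unknown),
        "unknown_drop_mode": verdict(unknown, flood_unknown=False),
        "inspection_off": verdict(spoof, inspection_enabled=False),
    }
```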

Configure ARP inspection:
1. Add static ARP entries

2. Enable ARP inspection

Customizing the MAC address table:
- The ASA learns and builds a MAC address table in a similar way as
  a normal bridge or switch
- You can add static MAC addresses to the MAC address table to
  guard against MAC spoofing

1. Add a static MAC address

2. Set the MAC address timeout (default is 5 minutes)

3. Disable MAC address learning

Failover:
- Configuring failover requires two identical ASAs connected to
  each other through a dedicated failover link
- Both units must have the same number and types of interfaces, the
  same model, and the same RAM installed
- Both units must be in the same operating mode
- They must have the same major and minor software version (a
  different version of software can be used during an upgrade process)
- Units do not need to have identical licenses

The ASA supports two types of failover:
1. Active/Standby failover
- Only one unit passes traffic while the other unit waits in a standby
  state
- Available in both single mode and multiple context mode
2. Active/Active failover
- Both units can pass traffic
- Available only if the units are running in multiple context mode

Failover link:
- You can use any unused interface on the devices as the failover
  link
- The failover link interface is not configured as a normal
  networking interface (it is used only for failover)
- Can also be used as the stateful failover link

The two units in a failover pair constantly communicate over the failover
link to determine the operating status of each unit. The following
information is communicated over the failover link:
1. The unit state (active or standby)
2. Hello messages (keepalives)
3. Network link status
4. MAC address exchange
5. Configuration replication and synchronization

Stateless (regular) and stateful failover:

Stateless failover:
- When a failover occurs, all active connections are dropped
- Clients need to reestablish connections when the new active unit
  takes over
Stateful failover:
- The active unit continually passes per-connection state
  information to the standby unit
- After a failover occurs, the same connection information is
  available at the new active unit

State information passed to the standby unit:
- NAT translation table
- TCP connection states
- UDP connection states
- The ARP table
- The Layer 2 bridge table (when running in transparent firewall
  mode)
- The HTTP connection states (if HTTP replication is enabled)
- The ISAKMP and IPsec SA table
- ICMP connection state
State information not passed to the standby unit:
- The HTTP connection table (unless HTTP replication is enabled)
- The user authentication (uauth) table
- DHCP server address leases

For stateful failover, a stateful failover link is used.

Stateful failover link:
- You can use a dedicated Ethernet interface for the stateful
  failover link
- You can share the failover link
- You can share a regular data interface, such as the inside
  interface. However, this option is not recommended.

Failover health monitoring:
1. Unit health monitoring
2. Interface health monitoring

Unit health monitoring:
- The ASA determines the health of the other unit by monitoring
  the failover link
- When a unit does not receive three consecutive hello messages
  on the failover link, the unit sends interface hello messages on
  each interface, including the failover interface, to validate
  whether or not the peer interface is responsive.
- The action that the ASA takes depends upon the response from
  the other unit. Possible actions are:
  a. If the ASA receives a response on the failover interface, then
     it does not fail over.
  b. If the ASA does not receive a response on the failover link,
     but it does receive a response on another interface, then the
     unit does not fail over. The failover link is marked as failed.
  c. If the ASA does not receive a response on any interface,
     then the standby unit switches to active mode and classifies
     the other unit as failed.

Interface monitoring:
- You can monitor up to 250 interfaces divided between all contexts

When a unit does not receive hello messages on a monitored
interface for half of the configured hold time, it runs the following
tests:
1. Link Up/Down test:
- A test of the interface status. If the Link Up/Down test indicates
  that the interface is operational, then the ASA performs the network
  tests.

2. Network Activity test:
- The unit counts all received packets for up to 5 seconds. If any
  packets are received at any time during this interval, the interface
  is considered operational and testing stops.
- If no traffic is received, the ARP test begins.

3. ARP test:
- A reading of the unit's ARP cache for the 2 most recently acquired
  entries
- The unit sends ARP requests to these machines
- After each request, the unit counts all received traffic for up to 5
  seconds. If traffic is received, the interface is considered
  operational.
- If no traffic has been received, the ping test begins.

4. Ping test:
- A ping test that consists of sending out a broadcast ping request
- The unit then counts all received packets for up to 5 seconds
- If all network tests fail for an interface, but this interface on the
  other unit continues to successfully pass traffic, then the interface
  is considered to be failed

Failover is triggered if:
1. The unit has a hardware failure or a power failure.
2. Too many monitored interfaces fail.
3. You force a failover.

Configuring Active/Standby Failover:
- Enables you to use a standby ASA to take over the functionality of
  a failed unit
- For each interface you configure one active/primary IP address
  and one standby/secondary IP address
- The primary unit's MAC addresses are always coupled with the
  active IP addresses. The only exception is the failover link.
- Configurations are always synchronized from the active unit to
  the standby unit
- The standby unit clears its running configuration except for failover
  commands, and the active unit sends its entire configuration to the
  standby unit

The active unit is determined by the following:
- If a unit boots and detects a peer already running as active, it
  becomes the standby unit.
- If a unit boots and does not detect a peer, it becomes the active
  unit.
- If both units start up at the same time, the primary unit always
  becomes the active unit.

Configuring the primary unit:

Configuring the secondary unit:

Configuring Active/Active Failover:
- You divide the security contexts on the ASA into failover groups.
- A failover group is simply a logical group of one or more security
  contexts.
- You can create a maximum of two failover groups.
- The admin context is always a member of failover group 1. Any
  unassigned security contexts are also members of failover group 1
  by default.
- A failover group failing on a unit does not mean that the unit has
  failed. The unit may still have another failover group passing
  traffic on it.
- Failover group preemption causes the failover group to
  automatically become active again when its preferred unit becomes
  available.

Configuring the primary unit:

Configuring the secondary unit:

ASA Troubleshooting:
1. Packet flow:
Packet flow (before ASA 8.3)

Whenever a packet arrives at an ingress interface:
1. The ASA checks its connection table.
2. If it is an existing connection, the access list and security-level
   checks are bypassed.
3. If it is a new connection, the TCP state of the packet is verified and
   the packet is processed for the access list check.
4. The packet is processed as per the interface access list. If no
   access list is configured on the interface, then the packet is
   processed as per the default behavior.
5. The packet is checked for translation against the NAT rules.
6. The packet is subjected to inspection checks.
7. The IP header information is changed as per the NAT/PAT rule.
8. The packet is forwarded to the egress interface.

Packet capture:

Packet Tracer:

TCP Ping:

Accelerated Security Path:
- The Accelerated Security Path (ASP) on the ASA appliance
  comprises 2 components:
- The Fast Path and the Session Management Path

Session Management Path:
- When a new connection reaches the ASA, the first packet
  is sent to the Session Management Path. This path is
  responsible for:
  a. Performing the access list checks
  b. Performing route lookups
  c. Allocating NAT translations (xlates)
  d. Establishing sessions in the Fast Path

Fast Path:
- If the connection is already established, the security appliance
  does not need to re-check packets and the packets are sent to the
  Fast Path. The Fast Path is responsible for the following tasks:
  a. IP checksum verification
  b. Session lookup
  c. TCP sequence number check
  d. NAT translations based on existing sessions
  e. Layer 3 and Layer 4 header adjustments

Control Path:
- Some packets which require adjustments or changes to be made
  to the packet headers at Layer 7, such as FTP, are passed to the
  control plane path.

The show asp drop command shows the packets or connections
dropped by the accelerated security path, which might help you
troubleshoot a problem.

State table:
The ASA is a stateful packet filtering device, so whenever a packet is
inspected by the firewall it maintains the state of the packet. The ASA
maintains two tables:
1. Connection table:
2. Local host table:
DHCP Services:
The ASA can be configured as a DHCP server, a DHCP relay agent, and a
DHCP client.

Configuring the ASA as a DHCP server:

ASA as a DHCP relay agent:

In the above configuration:
- The DHCP server is connected on the outside interface of the ASA
- The DHCP clients are connected on the inside interface of the ASA
- The DHCP pool must be in the same subnet as the ASA's inside interface
  subnet
Modular policy framework

 Class Map  Identify


 Policy Map  Set Policy
 Service Policy  Application

Advanced Cisco ASA Access Policies Overview


 Different traffic flows may require network policies to control
traffic beyond ACLs
 Cisco MPF provides granularity and flexibility when you
implement advanced access policies:
a. Define traffic flows that require advanced access policies
b. Associates network policies with traffic flows
c. Enables network policies on specific interface or globally
Examples:
 To tune OSI layer 3-4 stateful inspection
 To configure support for dynamic application
 Enable application inspection for HTTP and FTP traffic
 Configure traffic QoS

Cisco MPF Overview


Cisco MPF consists of the following components:
 Class maps :
 OSI Layers 3-4 class map : Identifies Layer 3 and Layer 4 traffic to
which you want to apply a network policy
 OSI Layers 5-7 class map : Identifies Layer 5 through Layer 7 traffic
to which you want to apply an application-specific policy

 Policy maps:
 OSI Layers 3-4 policy map: Defines policy for Layer 3 and Layer 4
traffic
 OSI Layers 5-7 policy map: Defines policy for Layer 5 through
Layer 7 traffic

 Service policy: Activates a policy map on an interface or globally


on all interfaces

OSI Layer 3-4 Policies Overview


 You use OSI Layer 3 and Layer 4 policies to apply actions to traffic
that is identified at OSI layer 3 and layer 4
 Policies are composed of the following
a. Class maps: Identifies traffic based on OSI layer 3 and layer 4
information
b. Policy maps: Specifies actions to apply to traffic that is defined
in class maps
c. Service policy: Applies policy maps to an interface or globally to
all interfaces

OSI Layer 3-4 Class Maps

To identify traffic:
 Specify a name for the class map
 Define the matching attribute (a Layer 3-4 class map accepts a
single match statement; only match tunnel-group can be combined
with one other):
a. Access list
b. Any packet
c. IP DSCP
d. IP flow
e. TCP and UDP ports
f. IP precedence
g. RTP port numbers
h. VPN tunnel group
i. Default inspection traffic
OSI Layer 3-4 Policy Map
To apply actions to traffic:
 Specify a name for the policy map
 Refer to the class maps in which the traffic is identified
 Assign actions to each traffic class:
a. Protocol inspection
b. Send traffic to the Cisco IPS or Cisco ASA CX module
c. Configure advanced connection settings
d. QoS: prioritize, police, or shape traffic
e. Send NetFlow information
 Only one global policy map and one policy map per interface can be
active at a time

Service Policy:
 Applies a policy map to an interface, or globally to all interfaces
 Policy directionality depends on how the policy map is applied:
a. Per interface: classification and actions are applied in both
directions
b. Globally: classification and actions are applied to all interfaces
in the inbound direction only
c. Exceptions: policing, shaping, and prioritizing are direction
specific actions
 For a given feature, an interface policy takes precedence over the
global policy; features configured only in the global policy still
apply to that interface

Default OSI Layer 3-4 Stateful Tracking

 The Cisco ASA statefully tracks TCP and UDP flows by default
 ICMP (ping) and ESP stateful tracking are disabled by default and
can be enabled (ICMP through ICMP inspection)

Session Timers
 Sessions are deleted from the connection table based on TCP
connection close events or idle timeouts
 The connection table performs periodic garbage collection for TCP
connections based on additional timeouts
 These timeouts may be too aggressive for specific applications

TCP Timer                      | Default    | Description
Embryonic connection timeout   | 30 seconds | Time the ASA waits for a half-open connection (SYN seen, three-way handshake not completed) before dropping it
Half-closed connection timeout | 10 minutes | Time a TCP connection can remain FIN-closed in one direction only
Connection timeout             | 1 hour     | Time an established TCP connection can remain idle
IP TTL Handling
 The Cisco ASA does not decrement the IP TTL field by default
 As a consequence, the ASA is invisible as a hop in traceroute output
 You may enable TTL decrementing for specific flows or for all flows

Configuration Example:
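The following is an added example, not the page's own screenshot and not a Cisco sample configuration: it applies the three MPF components to the session timers and TTL points above. The interface names inside/outside, the 10.1.1.0/24 network and the legacy server 10.1.1.50 on TCP 8000 are assumptions.

```cisco
! Added example, not from the original page. Assumed: interfaces named
! inside/outside, inside network 10.1.1.0/24, a legacy server 10.1.1.50
! on TCP 8000 whose sessions sit idle for hours.

! 1. Class map: identify the flows that need non-default connection settings
access-list LEGACY-APP extended permit tcp any host 10.1.1.50 eq 8000
class-map LEGACY-APP-CLASS
 match access-list LEGACY-APP

! 2. Policy map: actions for that class. Defaults are embryonic 30 s,
!    half-closed 10 min, idle 1 h; this application needs longer timers.
!    (older releases use the keyword "tcp" where "idle" is shown)
policy-map INSIDE-POLICY
 class LEGACY-APP-CLASS
  set connection timeout embryonic 0:01:00 half-closed 0:30:00 idle 4:00:00
  set connection conn-max 200 embryonic-conn-max 50

! 3. Service policy: activate the policy on the inside interface
!    (interface policies classify in both directions)
service-policy INSIDE-POLICY interface inside

! TTL handling: decrement the TTL for all flows so that the ASA shows up
! as a hop in traceroute; use a narrower class than class-default to
! limit this to specific flows.
policy-map global_policy
 class class-default
  set connection decrement-ttl
service-policy global_policy global

! Verification
show service-policy interface inside
show service-policy global
show conn detail
```

The connection limits in the second class action are the usual companion to relaxed timers: a longer idle timeout keeps more half-open and idle entries in the connection table, so conn-max and embryonic-conn-max bound the exposure to SYN floods against that server.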

Support for Dynamic Protocols

Dynamic protocols are those that negotiate additional sessions on
negotiated transport-layer ports (for example, the FTP data channel):
 The Cisco ASA by default snoops many dynamic protocols through
application inspection and automatically permits the negotiated
secondary sessions
 In ACLs, you only need to permit the initial (control) session
Application Layer Policies Overview
Application layer access control can perform these functions:
 Provide defense-in-depth by filtering traffic to exposed client and
server applications
 Prevent malicious content from being delivered to endpoints
 Prevent covert tunneling (for example, non-HTTP traffic on port 80)
OSI Layers 5-7 policies are used to apply actions to traffic that is
identified at OSI Layers 5 to 7
These policies are composed of the following:
 Class maps: identify traffic based on OSI Layers 5-7 information
(the match attributes are specific to each application)
 Policy maps: specify special actions (such as drop, reset, and log)
for inspected application traffic
 They control application inspection only

OSI layer 5-7 class maps:


To classify traffic inside a specific application
 Name a class map
 Specify inspected application type (DNS, FTP, H.323, HTTP, IM)
 Specify single or multiple matching attributes
 Specify matching type (“match any” or “match all” attributes)
 Negative matching can be used
 Regular expressions can be used as match criteria
 Layer 5-7 class maps are optional (match criteria can be
configured within the layer 5-7 policy map)
Regular Expressions
 Some match conditions allow you to identify text in a packet using
regular expressions
 Regular expressions match data patterns:
a. Literally as an exact data string
b. By using metacharacters, which enable you to match multiple
variants of a data pattern
 Regular expressions can be grouped into regular expression class
map

OSI layer 5-7 policy maps


 To apply actions to traffic inside a specific application
 Specify a name for a policy map
 Specify an inspected application type
 Refer to a class map
 Assign action to the traffic class:
a. Drop connection
b. Reset connection
c. Log
 Optionally, specify parameters that affect the behavior of the
inspection engine

 A Layer 5-7 policy map is enabled by nesting it inside a Layer 3-4
policy map
 A Layer 5-7 policy map is applied as an additional argument when
you specify the traffic inspection action
 The application inspection type in the Layer 3-4 policy map has to
match the type of the Layer 5-7 class map and policy map
 For example, a Layer 5-7 policy map that filters specific data inside
HTTP should be applied in a Layer 3-4 policy that matches HTTP
traffic and applies HTTP inspection to that traffic

HTTP Inspector Overview

 The Cisco ASA HTTP AIC (Application Inspection and Control)
inspector can granularly parse HTTP requests and responses and
match specific values and regular expressions inside these fields
 Additionally, the inspector can verify adherence to the HTTP
protocol (protocol verification), log accessed URIs, and perform
URL filtering. It also includes several built-in signatures
HTTP Request and Response Details

HTTP Request field                        | Type of match
Request method                            | Specific values
Request URI                               | Regular expressions
Request length                            | Numeric (greater than)
Request arguments                         | Regular expressions
Request header field (names and values)   | Specific values or regular expressions
Request header field length               | Numeric (greater than)
Request field count                       | Numeric (greater than)
Request header count                      | Numeric (greater than)
Request header length                     | Numeric (greater than)
Request header non-ASCII                  | Boolean (true or false)

HTTP Response field                       | Type of match
Response status line                      | Regular expressions
Response body                             | Java, ActiveX, regular expressions
Response body length                      | Numeric (greater than)
Response header field (names and values)  | Specific values or regular expressions
Response header field count               | Numeric (greater than)
Response header field length              | Numeric (greater than)
Response header count                     | Numeric (greater than)
Response header length                    | Numeric (greater than)
Response header non-ASCII                 | Boolean (true or false)

Configure HTTP inspection


1. Create an HTTP inspection policy map
2. Optionally, configure HTTP protocol minimization
3. Optionally, configure HTTP payload minimization
4. Optionally, configure HTTP signatures
5. Optionally, configure HTTP protocol verification
6. Apply the HTTP inspection policy map
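An added example of the six steps above, not from the page and not a Cisco sample: an HTTP inspection policy map that blocks URI patterns (the URL blocking case), refuses CONNECT tunneling, enforces protocol verification, and is nested into the Layer 3-4 policy. The regex patterns, names and the assumption that HTTP runs on TCP 80 are illustrative.

```cisco
! Added example, not from the original page. Assumed: HTTP on TCP 80 to
! servers behind the ASA; the URI patterns and names are illustrative.
! (When typing a regex interactively, prefix "?" with Ctrl-V.)

! Regular expressions, grouped into a regex class map (match-any = OR)
regex URI-CMD-INJECT "\.php\?cmd="
regex URI-ADMIN "^/admin/"
class-map type regex match-any BLOCKED-URIS
 match regex URI-CMD-INJECT
 match regex URI-ADMIN

! Layer 5-7 class map: HTTP requests whose URI matches one of the patterns
class-map type inspect http match-all HTTP-BAD-URI
 match request uri regex class BLOCKED-URIS

! Layer 5-7 policy map: inspection parameters plus per-class actions.
! The inline match conditions show that a separate class map is optional.
policy-map type inspect http HTTP-POLICY
 parameters
  protocol-violation action drop-connection log
 class HTTP-BAD-URI
  drop-connection log
 match request method connect
  drop-connection log
 match request header length gt 8192
  reset log

! Layer 3-4 class and policy: identify HTTP and nest the HTTP policy into
! the inspect action; the inspection type (http) matches the L5-7 maps
class-map HTTP-TRAFFIC
 match port tcp eq www
policy-map global_policy
 class HTTP-TRAFFIC
  inspect http HTTP-POLICY
service-policy global_policy global

! Verification
show service-policy inspect http
show running-config policy-map
```

Dropping CONNECT requests is the concrete form of "prevent covert tunneling": a proxy-style CONNECT turns the inspected HTTP session into an opaque TCP pipe, which is exactly what the inspector cannot see into. Protocol verification in the parameters section handles traffic on port 80 that is not HTTP at all.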

FTP Inspector Overview

 The Cisco ASA FTP inspector will:
 Parse FTP commands and allow specific-value-based and
regular-expression-based matching on them (command, file name,
file type, server, user name)
 Verify adherence to the FTP protocol, and log accessed URIs
 Open the dynamically negotiated data channel (active and passive
mode) without a separate ACL entry
What is a Botnet?
 A botnet is a group of Internet-connected computers that, without
their owners' knowledge, have been set up to forward transmissions
(spam or malware) to other computers on the Internet, controlled
through a command-and-control channel such as IRC or HTTP
 Any such computer is referred to as a bot (robot)
 A bot is often installed through an exposed network service that
has been left open, through which a small Trojan horse program is
dropped for later activation

Overview of Cisco Botnet Traffic Filter

 The feature is available on the ASA 5505 and 5500-X series with
software release 8.2 or later; it requires the strong-encryption
(3DES/AES) license to download the dynamic database
 A time-based license is required to enable the feature; licenses
are valid for one year
 The Botnet Traffic Filter is a reputation-based mechanism used to
prevent traffic to and from known bot-infected hosts, identified by
domain names and IP addresses
 The Botnet Traffic Filter compares the source and destination IP
address of each connection to the following:
a. Dynamic Cisco SIO database, updated by Cisco
b. Static database, which can be populated manually
 When traffic matches an entry in either database, a syslog
message is generated and the traffic can optionally be dropped
Dynamic Database
 A dynamic database of known bad hostnames and addresses is
downloaded from the Cisco SIO to the Cisco ASA and is updated
regularly
 DNS replies for bad hostnames are cached on the appliance in a
DNS reverse-lookup cache (populated by DNS snooping)
 When a new connection is initiated, its source and destination IP
addresses are compared with entries in the DNS reverse-lookup
cache

Static Database
 You can manually add bad or good hostnames and IP addresses to
the static database
 Bad names are added to the blacklist; good names are added to
the whitelist
 The Cisco ASA performs a DNS lookup for all statically added
names, and adds the mappings to the DNS host cache
 When a new connection is initiated, its source and destination IP
addresses are compared with entries in the DNS host cache

Configure Botnet Traffic Filter


1. Enable lookups to the dynamic database
2. Optionally, add entries to the static database
3. Enable DNS inspection (DNS snooping)
4. Enable the Botnet Traffic Filter to detect bot traffic
5. Optionally, enable the Botnet Traffic Filter to drop bot traffic
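The five steps above as one added configuration (not the page's own, and not a Cisco sample): the interface name outside, the DNS server 10.1.1.5 and the static list entries are assumptions.

```cisco
! Added example, not from the original page. Assumed: interface "outside",
! internal DNS server 10.1.1.5 reachable via "inside", illustrative entries.

! 0. The updater fetches the database from Cisco by hostname, so the ASA
!    itself needs working DNS resolution
dns domain-lookup inside
dns server-group DefaultDNS
 name-server 10.1.1.5

! 1. Enable downloads of the dynamic database and its use for classification
dynamic-filter updater-client enable
dynamic-filter use-database

! 2. (Optional) static entries: names are resolved by the ASA and cached
dynamic-filter blacklist
 name bad-c2.example.net
 address 203.0.113.0 255.255.255.0
dynamic-filter whitelist
 name updates.example.com

! 3. DNS snooping: inspect DNS replies so names can be mapped to addresses.
!    If "outside" already has a service policy, add this class to it instead
!    of applying a second policy (one service policy per interface).
class-map dynamic-filter_snoop_class
 match port udp eq domain
policy-map dynamic-filter_snoop_policy
 class dynamic-filter_snoop_class
  inspect dns preset_dns_map dynamic-filter-snoop
service-policy dynamic-filter_snoop_policy interface outside

! 4. Classify connections on the Internet-facing interface (syslog only)
dynamic-filter enable interface outside

! 5. (Optional) drop blacklisted traffic, and treat ambiguous (greylisted)
!    addresses as blacklisted
dynamic-filter drop blacklist interface outside
dynamic-filter ambiguous-is-black
```

Step 4 on its own is the safe first deployment: it produces the classification syslogs without dropping anything, so the whitelist can be tuned from real traffic before the drop action in step 5 is enabled.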
Verify the Cisco Botnet Traffic Filter

Command                                       | Description
show dynamic-filter data                      | Displays dynamic database information
show dynamic-filter dns-snoop                 | Displays the DNS reverse-lookup cache
show dynamic-filter statistics                | Displays how many connections were classified by the Botnet Traffic Filter
show dynamic-filter reports top malware-sites | Generates a report of the top 10 malware sites
Static route tracking:
 One problem with the use of static routes is that no inherent
mechanism exists to determine whether the route is up or down. The
route remains in the routing table even if the next-hop gateway
becomes unavailable
 Static route tracking allows the ASA to use an inexpensive
connection to a secondary ISP in the event that the primary
leased line becomes unavailable. In order to achieve this
redundancy, the ASA associates a static route with a monitoring
target that you define. The Service Level Agreement (SLA)
operation monitors the target with periodic ICMP echo requests.
If no echo reply is received, the tracked object is considered
down and the associated route is removed from the routing
table. A previously configured backup route (with a higher
administrative distance) is used in place of the removed route.
While the backup route is in use, the SLA monitor operation
continues its attempts to reach the monitoring target. Once the
target is reachable again, the primary route is reinstalled in the
routing table and the backup route is removed

Configuration:
Step 1: Enter the command that tracks a static route
Step 2: Define the backup route to use when the tracked object is not
available
Step 3: Configure the SLA monitor, specifying the monitoring protocol
and the target IP address whose availability you want to monitor
Step 4: Schedule the monitoring process
Step 5: Associate the tracked static route with the SLA monitoring
process
Step 6: Use the show commands for verification
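The six steps as one added ASA configuration (not the page's own screenshots, not a Cisco sample). The interface names outside and backup, the ISP gateways 203.0.113.1 and 198.51.100.1, and the choice of the primary ISP's gateway as echo target are assumptions.

```cisco
! Added example, not from the original page. Assumed: primary ISP via
! "outside" (gateway 203.0.113.1), backup ISP via an interface named
! "backup" (gateway 198.51.100.1). The echo target must be reachable only
! through the primary path, otherwise the probe succeeds over the backup
! and the primary route is never reinstalled.

! Step 3 and 4: SLA monitor (ICMP echo) and its schedule
sla monitor 123
 type echo protocol ipIcmpEcho 203.0.113.1 interface outside
 num-packets 3
 frequency 10
 timeout 1000
sla monitor schedule 123 life forever start-time now

! Step 1 and 5: tracked object bound to the SLA operation
track 1 rtr 123 reachability

! Primary default route, kept in the routing table only while track 1 is up
route outside 0.0.0.0 0.0.0.0 203.0.113.1 1 track 1

! Step 2: backup default route with a worse administrative distance
route backup 0.0.0.0 0.0.0.0 198.51.100.1 254

! Step 6: verification
show sla monitor configuration 123
show sla monitor operational-state 123
show track 1
show route
```

With these values the failover decision takes up to about 30 seconds (three probes of one second each, every ten seconds); tighten frequency and num-packets if the application tolerates more probe traffic.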


BGP through firewall:
BGP MD5 authentication (RFC 2385) generates and checks an MD5 digest
of every segment sent on the TCP connection; the digest covers the IP
addresses and the TCP header, including the sequence numbers.
By default, PIX/ASA version 7.x and later rewrites any TCP MD5 option
included in a TCP segment that goes through the device and replaces
the option kind, size and value with NOP option bytes. This effectively
breaks BGP MD5 authentication.
In order for a BGP session with MD5 authentication to be successfully
established, these three issues must be resolved:
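An added example (not the page's own configuration, not a Cisco sample) of the two ASA settings that follow from what the digest covers: pass the MD5 option through unchanged and stop rewriting the TCP sequence numbers. The peer addresses 203.0.113.1 and 198.51.100.1 are assumptions, as is the absence of NAT between the peers.

```cisco
! Added example, not from the original page. Assumed: BGP peers
! 203.0.113.1 (outside) and 198.51.100.1 (inside), no NAT between them
! (the digest covers the IP addresses, so translating them also breaks it).

! Match the BGP session, whichever peer opens it
access-list BGP-MD5 extended permit tcp host 203.0.113.1 host 198.51.100.1 eq bgp
access-list BGP-MD5 extended permit tcp host 198.51.100.1 host 203.0.113.1 eq bgp
class-map BGP-MD5-CLASS
 match access-list BGP-MD5

! TCP normalizer settings: leave the MD5 option in place
tcp-map BGP-MD5-MAP
 tcp-options md5 allow

policy-map global_policy
 class BGP-MD5-CLASS
  ! keep the original sequence numbers; randomizing them changes the
  ! bytes the peer hashes, so the digest no longer verifies
  set connection random-sequence-number disable
  set connection advanced-options BGP-MD5-MAP
service-policy global_policy global

! Verification
show service-policy global
show conn detail
```

Disabling sequence-number randomization removes a protection against blind TCP injection for exactly these flows, which is acceptable here because the MD5 option itself authenticates every segment; scope the class map to the BGP peers only, never to class-default.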
Inspecting ICMP traffic through ASA using access-list

Traceroute through firewall:

 Linux and Cisco devices send UDP probes to destination ports in the
range 33434 to 33534 (Windows tracert uses ICMP echo instead)
 Traceroute works by sending packets with a gradually increasing
TTL value; each hop that expires the TTL returns an ICMP
time-exceeded message to the sender
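An added example (not the page's configuration, not a Cisco sample) covering both headings above: stateful ICMP inspection, and the ACL entries an inside host needs to traceroute through the ASA. Interface names inside/outside, the 10.1.1.0/24 network and the ACL names are assumptions.

```cisco
! Added example, not from the original page. Assumed: interfaces "inside"
! (10.1.1.0/24) and "outside"; ACL names are illustrative.

! Stateful ICMP inspection: echo replies are matched to the request that
! caused them, and "icmp error" matches ICMP errors (time-exceeded,
! unreachable) to the UDP/TCP/ICMP flow they refer to, so the returning
! traceroute errors need no outside-in ACL entry
policy-map global_policy
 class inspection_default
  inspect icmp
  inspect icmp error
service-policy global_policy global

! Outbound ACL (only needed if an inbound ACL is applied on "inside";
! without one the higher security level permits the probes anyway)
access-list INSIDE-IN extended permit udp 10.1.1.0 255.255.255.0 any range 33434 33534
access-list INSIDE-IN extended permit icmp 10.1.1.0 255.255.255.0 any echo
access-list INSIDE-IN extended permit ip 10.1.1.0 255.255.255.0 any
access-group INSIDE-IN in interface inside

! Alternative without ICMP inspection: permit the returning ICMP errors
! explicitly on the outside interface (keep it to these two types)
access-list OUTSIDE-IN extended permit icmp any any time-exceeded
access-list OUTSIDE-IN extended permit icmp any any unreachable
access-group OUTSIDE-IN in interface outside

! Verification: the ICMP entries appear in the connection table only with
! inspection enabled
show conn protocol icmp
show service-policy inspect icmp
```

Either approach lets the trace complete, but the ASA itself still does not appear as a hop unless TTL decrementing is enabled (see the IP TTL Handling section); the inspection approach is preferable because the ICMP errors are admitted only for flows that actually exist in the connection table.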

URL blocking:

Remove the "match request header regex" command


VPN

VPN definition
 VPNs protect data that is transmitted over a public or shared
infrastructure such as the Internet from threats such as
man-in-the-middle attacks

Virtual  | Logical network association, independent of the physical architecture
Private  | Indicates a level of security and confidentiality
Network  | Interconnected computers, devices, and resources grouped to share information

VPNs have the following benefits:


 Cost savings
 Scalability
 Flexibility
 Security

Key threats to WANs and Remote Access

 The key threats to data privacy:
a. Eavesdropping attacks
b. Masquerading attacks
c. Man-in-the-middle attacks

 WAN and remote access introduce an increased level of threat to
our security
 Common applications (Microsoft Word file transfers, FTP, HTTP, SMTP)
communicate using clear text. Clear text is communication of the
raw data back and forth between the two participants in the
communication process
 Clear-text communication can easily be attacked, resulting in:
a. Compromised data confidentiality
b. Loss of data integrity
c. Data theft
d. Exposure to risk

Eavesdropping attacks
 A packet sniffer is a software application that uses a network
adapter card in promiscuous mode to capture all network packets
 Packet sniffers exploit information passed in clear text. Protocols
that pass information in clear text include the following:
 Telnet, FTP, SNMP (v1/v2c), POP, HTTP
 Solutions for eavesdropping attacks are:
a. Implement a VPN with encryption, so that captured packets carry
only ciphertext
b. A firewall system that randomizes TCP sequence numbers does not
hide the data; it only makes hijacking a sniffed session harder
(see man-in-the-middle attacks below)
Masquerading attacks:
 A masquerading attack is one in which an individual hides their
identity, possibly even assuming someone else's identity; example:
IP spoofing
 IP spoofing occurs when an attacker inside or outside a network
impersonates a trusted computer by using its address
 Two general techniques are used during IP spoofing:
a. The attacker uses an IP address that is within the range of
trusted IP addresses
b. The attacker uses an authorized external IP address that is
trusted
 The most common solution is a packet integrity and origin check,
implemented with a keyed hash function (HMAC); an unkeyed hash is
not enough, because the attacker can recompute it

Man-In-The-Middle
 A man-in-the-middle attack requires that the attacker have access
to the network packets that cross the network
 A man-in-the-middle attack is implemented using the following:
a. Network packet sniffers
b. Routing and transport protocols (for example, route or ARP
manipulation to get into the path)
 Several solutions for man-in-the-middle attacks are:
a. A firewall system that randomizes TCP sequence numbers (makes
blind session hijacking harder)
b. VPNs, which provide three tools to combat man-in-the-middle
attacks: device authentication, packet integrity checking, and
encryption

VPN Types

Site-to-Site VPNs
 Host machines at the remote office do not need additional client
software or hardware parameters in order to reach the shared
resources; the VPN gateways at each site terminate the tunnel

Remote Access VPNs

VPN components:
 Authentication
a. Device
b. User
 Encapsulation method
 Data encryption
 Packet integrity
 Key management
 Non-repudiation
 Application and protocol support
 Address management
CRYPTOGRAPHIC ALGORITHMS | INTEGRITY ALGORITHMS
DES                      | MD5
Triple DES               | SHA
AES                      |

 Cryptography provides fundamental components of security for
VPNs:
a. Confidentiality
b. Integrity
c. Authentication
d. Nonrepudiation
e. Key management

 Cryptography provides this security by using several types of
cryptographic algorithms:
a. Symmetric encryption
b. Asymmetric encryption
c. Hashing

 These technologies can be used in various ways to provide the
fundamental components of security
 Symmetric key cryptography is also known as secret key or
preshared key cryptography
 Examples: DES, 3DES, AES

 Asymmetric key cryptography is also known as public key
cryptography
 Examples: DSA, RSA, DH

Hash algorithm: digital fingerprinting algorithms

 One-way function
 Not meant to encrypt (the input cannot be recovered from the
digest)
 Examples: SHA-1, MD5, SHA-256
 HMAC = hash function + shared secret key
 HMAC-MD5 is older; use HMAC-SHA-1 or, preferably, HMAC-SHA-256
if supported

Confidentiality:
 Provided by encryption
 Encryption is the process of converting clear text to cipher text
 Decryption is the process of converting cipher text to clear text

Some characteristics of symmetric algorithms:

 Efficient and fast, simple to accelerate in hardware
 Suitable for real-time bulk encryption
 Key length of several tens to several hundred bits (for example
128 or 256 bits for AES)
 Key management can be a problem (the secret must be shared out
of band or through a key exchange)
 Examples: DES, 3DES, AES, RC4, SEAL, and Blowfish

Some characteristics of asymmetric algorithms:

 Very slow compared with symmetric algorithms
 Used for digital signatures or for key exchange
 Typical key lengths in thousands of bits (RSA) or hundreds of bits
(ECC)
 Simpler key management (only the public key is distributed)
 Examples: RSA and ECC

Integrity:
 Hashing is a mechanism that is used for integrity assurance
 It provides a one-way, fast transformation of arbitrary-length
input data into a fixed-length digest (hash)
 Examples of hash functions are MD5, SHA-1, SHA-256, SHA-384,
SHA-512
 Use the larger digest sizes (SHA-256 or above) when possible; MD5
and SHA-1 are no longer collision-resistant
 A plain hash alone does not protect integrity against an active
attacker, who can simply recompute it; a key (HMAC) or a signature
is required
HMAC:
 An enhancement of the hash function
 Used for integrity assurance and data-origin authentication
 Uses a secret key (shared between the trusted parties) as part of
the input
Comparison
Digital signatures:
 Asymmetric digital signature algorithms also provide integrity:
a. The sender generates a digital signature over the data by using a
private (signing) key and appends it to the data
b. The receiver verifies the signature by using the sender's public
(verification) key
 Digital signatures combine a hash algorithm (such as SHA-256;
SHA-1 is deprecated for signatures) with an asymmetric algorithm
(such as RSA or ECDSA)

Cryptographic authentication is used for the following:

 Subject authentication: authenticate subjects (peers, users) using
cryptographic authentication protocols
 Data authentication: authenticate data received over an
untrusted network. Data authentication is usually performed with
the following:
a. Symmetric HMAC algorithms, where high performance is
desired and nonrepudiation is not needed (for example SSL/TLS or
IPsec)
b. Digital signatures, where performance is not a factor and
nonrepudiation is required as well (for example application layer
transactions or XML messages)
 In an IPsec VPN, an HMAC algorithm authenticates every
packet that comes through the IPsec tunnel

Nonrepudiation: proof of the integrity and origin of the data

 Used to provide cryptographic proof of a transaction
 Digital signatures are used (an HMAC cannot provide it, because
both parties hold the same key)
 The signature can be generated only by the private key owner
 The signature is stored by the receiver as proof

Next-Generation Encryption
 Some older algorithms (and key sizes) do not provide adequate
protection from modern threats
 NGE meets the security and scalability requirements for the next
two decades (AES-GCM mode, SHA-2, ECDH-384, ECDSA-384)

Older algorithms | NSA Suite B replacements
DES, 3DES        | AES-GCM (authenticated encryption), GMAC (authentication only)
RSA              | ECDSA (signatures), ECDH (key agreement)
MD5, SHA-1       | SHA-256, SHA-384, SHA-512

Keys in cryptography
 Keys are used for all three critical VPN functions:
encryption, packet integrity checking, and authentication
 Key management deals with the secure generation, verification,
exchange, storage, revocation, and destruction of keys
 Key generation is the process of generating keys for cryptography.
A key is used to encrypt and decrypt whatever data is being
protected
 The security of a symmetric cryptosystem is a function of two
things: the strength of the algorithm and the length of the key
 Key exchange (also known as "key establishment") is any method
in cryptography by which cryptographic keys are exchanged
between users, allowing use of a cryptographic algorithm
 However they are distributed, keys must be stored securely to
maintain communication security
Public Key Infrastructure
 Public key cryptosystems can provide strong authentication
services
 Entities need the public keys of other entities before using any
RSA-based service:
 Over untrusted channels, public keys must be exchanged securely
 Public keys must not be intercepted and changed during the
exchange
 Authenticity of the public keys of other entities is paramount; a
PKI provides it through certificates signed by a trusted CA



Cryptographic Control Guidelines

 Use NGE strong algorithms
 Use keys that are long enough
 Make sure that all cryptographic control algorithms are set at the
same security level (the weakest component sets the overall level)
 Examples:
a. Encryption AES-256-GCM, key exchange ECDH-384, integrity/PRF
SHA-384 (Suite B 192-bit level)
b. Encryption AES-128-GCM, key exchange ECDH-256, integrity/PRF
SHA-256 (Suite B 128-bit level)
Site-to-Site VPN Technologies
 Connect sites as a replacement for a classic WAN
 Use peer (site) authentication and cryptographic path protection
 Require basic network traffic controls
 Frequently use IPSEC for its cryptographic security services
 Often work over controlled network (MPLS) or Internet backbones
 Often require high availability and performance guarantees (QoS)
 Can be configured to function in several different ways

IPsec VPN Overview

IKE/IKEv2 | Provides a framework for policy negotiation and key management
AH        | Provides an encapsulation for authentication (no encryption) of user traffic. Mostly obsolete
ESP       | Provides an encapsulation for encryption and authentication of user traffic

 A Security Association (SA) identifies a secure, unidirectional
connection between two endpoints (a bidirectional tunnel uses one
SA per direction)
 An SA is a simple description of protection parameters (protocol,
algorithms, keys, lifetimes, peer addresses)
Perfect Forward Secrecy (PFS)
 PFS performs a fresh DH exchange to derive the keying material for
the "Phase 2 IPsec SA", independent of the IKE-derived key, so that
the compromise of one key does not expose the keys of other SAs

IKEv2:
 Documented in RFC 4306 (obsoleted by RFC 5996 and then RFC 7296)
 Runs over UDP to destination port 500 (4500 when NAT traversal is
in use)
 The basic exchange is four messages (IKE_SA_INIT and IKE_AUTH);
more are needed with EAP
 IKEv2 creates the first child SA within the same negotiation,
instead of using a phased approach
 Uses a cookie mechanism to prevent DoS attacks from forged
source addresses
 Requires fewer round-trip exchanges compared to IKEv1
 Has built-in DPD (liveness checks)
 Has built-in configuration payload and user authentication mode
(EAP)
 Allows asymmetric authentication: each peer may use a different
authentication method
 Has built-in NAT traversal
 Provides better rekeying and collision handling
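An added IOS example (not the page's configuration, not a Cisco sample) that ties the IKEv2 feature list to the Cryptographic Control Guidelines above: every component is chosen at the same 192-bit level (AES-256-GCM, SHA-384 PRF, ECDH group 20). The addresses 203.0.113.1/203.0.113.2, the tunnel network 10.0.0.0/30, the key strings and the use of PSKs instead of ECDSA certificates are assumptions.

```cisco
! Added example, not from the original page. Assumed: IOS 15.x router,
! local WAN 203.0.113.1 on GigabitEthernet0/0, peer 203.0.113.2,
! tunnel network 10.0.0.0/30. PSKs are used; Suite B proper would use
! ECDSA certificates instead.

! IKEv2 proposal: AES-GCM needs an explicit PRF and takes no separate
! integrity algorithm; group 20 is ECDH P-384, matching AES-256
crypto ikev2 proposal NGE-PROP
 encryption aes-gcm-256
 prf sha384
 group 20
crypto ikev2 policy NGE-POLICY
 proposal NGE-PROP

! Asymmetric PSKs: each direction can use its own key
crypto ikev2 keyring PEER-KEYS
 peer SITE-B
  address 203.0.113.2
  pre-shared-key local Str0ng-Local-Key-2024
  pre-shared-key remote Str0ng-Remote-Key-2024

crypto ikev2 profile SITE-B-PROF
 match identity remote address 203.0.113.2 255.255.255.255
 identity local address 203.0.113.1
 authentication remote pre-share
 authentication local pre-share
 keyring local PEER-KEYS
 ! with certificates: authentication remote/local ecdsa-sig + pki trustpoint
 dpd 30 5 on-demand

! Child SA: ESP with AES-256-GCM, PFS with the same ECDH group
crypto ipsec transform-set NGE-TS esp-gcm 256
 mode tunnel
crypto ipsec profile NGE-IPSEC
 set transform-set NGE-TS
 set pfs group20
 set ikev2-profile SITE-B-PROF

! Applied to a VTI; IKEv2 uses UDP 500, switching to 4500 behind NAT
interface Tunnel0
 ip address 10.0.0.1 255.255.255.252
 tunnel source GigabitEthernet0/0
 tunnel destination 203.0.113.2
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile NGE-IPSEC

! Verification
show crypto ikev2 sa detail
show crypto ikev2 proposal
show crypto ipsec sa
```

Mixing levels is the common mistake this guards against: pairing AES-256-GCM with DH group 14 (2048-bit MODP, about 112-bit strength) or with SHA-1 as PRF lowers the whole tunnel to the weakest link despite the strong cipher.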

Encapsulating Security Payload


 Documented in RFC 4303
 Uses IP protocol 50
 Supports both IPv4 and IPv6
 Offers Confidentiality, Authentication, Integrity & Anti-replay
protection
 Encrypts, sequences and authenticates the data
Overview of Cisco IOS VTIs
 The simplest form of Cisco IOS Software tunnel-based site-to-site
IPsec VPN configuration
 It replaces crypto-map-based configuration
 It is more intuitive to configure and integrates better with other
Cisco IOS Software features
Classic (crypto map) IPsec limitations:
 Rigid configuration
 Egress traffic must be matched against crypto ACLs
 Traffic management features are difficult to apply
 Difficult for broadcast and multicast traffic to traverse
 Cannot establish routing peer relationships over the tunnel
 NAT and PAT are difficult to implement

Virtual Tunnel Interfaces

 VTIs are Cisco IOS Software virtual interfaces
 A VTI interface locally represents one site-to-site IPsec tunnel
 Their encapsulation is IPsec ESP or AH
 They behave intuitively like other tunnel interfaces (GRE)
 Their line protocol depends on the state of the VPN tunnel (IPsec
SAs)

VTI limitations and benefits

Benefits                                                          | Limitations
Simplified configuration                                          | No multiprotocol support: IP only
Flexible interface feature support                                | No Cisco IOS Software stateful IPsec failover support
Multicast support                                                 |
Improved scalability (fewer security associations)                |
Simple routing protocol integration for scalability and redundancy |

Deployment Choices

Deployment choice                                        | Criteria
Use static or dynamic VTI tunnels                        | Use dynamic VTI tunnels for the hub in large hub-and-spoke networks. Otherwise, use static VTI tunnels
Use static or dynamic routing protocol over VTI tunnels  | Use a dynamic routing protocol in large networks and to provide path or peer redundancy with multiple VTI tunnels. Otherwise, use static routing over VTI tunnels

Configuring Basic IKE Peering

 Configuring basic IKE peering using PSKs:
 Is the first task for deploying VTI-based point-to-point IPsec VPNs
 Involves setting up an IKE security association between two peers:
 Using PSKs for mutual authentication
 Using an encryption and hashing algorithm to
guarantee confidentiality and integrity of the key
management session
 Using a DH exchange of an appropriate strength
(group) to provide keying material to IKE and IPsec
 Using appropriate session lifetimes
 Requires you to create a PSK and bind it to the name or IP address
of the VPN peer

Cisco IOS Software Default IKE PSK-Based Policies

 Cisco IOS Release 12.4(20)T introduced default IKE policies
 Avoid policies that use MD5
 Avoid policies that use DH group 2
 Use the highest-priority PSK-based default policy (65508, the
lowest number) for the best security among the defaults

Priority | Authentication | Encryption | Hash | DH group
65508    | PSK            | AES        | SHA  | 5
65510    | PSK            | AES        | MD5  | 5
65512    | PSK            | 3DES       | SHA  | 2
65514    | PSK            | 3DES       | MD5  | 2

Configuration choice

Configuration choice                        | Criteria
Configure a nondefault IKE (ISAKMP) policy  | The default policies provide adequate security for most environments. You may want to choose a stronger DH group for additional protection, at the expense of tunnel setup rate
Tune default IKE (ISAKMP) policies          | Default lifetimes are very conservative; for systems that will not agree on them properly during negotiation, change the lifetime to an acceptable value

 You may want to choose a stronger DH group to match the
strength of the algorithm and key lengths for longer-term
protection
 Higher DH groups require more computational effort on the devices,
so tunnel setup performance is somewhat affected

Configure Static VTI Point-to-Point Tunnels

 Configure IKE peering between the VPN endpoints
 Optionally, configure an IPsec transform set
 Configure an IPsec protection profile
 Configure a VTI tunnel interface
 Enable IPsec encapsulation and apply the protection profile to the
tunnel interface
 Configure routing into the VTI tunnel
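The six steps above (and the IKE peering and default-policy guidance before them) as one added static VTI configuration, not the page's own and not a Cisco sample. The addresses, LAN networks, key string and the use of an explicit ISAKMP policy instead of the 12.4(20)T defaults are assumptions.

```cisco
! Added example, not from the original page. Assumed: R1 WAN 203.0.113.1
! and R2 WAN 203.0.113.2 on GigabitEthernet0/0, LANs 192.168.1.0/24 (R1)
! and 192.168.2.0/24 (R2), tunnel network 10.0.0.0/30, IOS 15.x.

! R1
! Step 1: IKE peering. An explicit policy is used rather than the default
! 65508 (AES/SHA-1/group 5) because the page advises against MD5 and
! group 2; SHA-256 and group 14 are the next step up on IOS 15.x
crypto isakmp policy 10
 encryption aes 256
 hash sha256
 authentication pre-share
 group 14
 lifetime 28800
! PSK bound to the peer's IP address
crypto isakmp key Sh4red-S3cret-R1R2 address 203.0.113.2

! Step 2 and 3: transform set and protection profile
crypto ipsec transform-set VTI-TS esp-aes 256 esp-sha256-hmac
 mode tunnel
crypto ipsec profile VTI-PROF
 set transform-set VTI-TS
 set pfs group14

! Step 4 and 5: VTI with IPsec encapsulation and the profile applied
interface Tunnel0
 ip address 10.0.0.1 255.255.255.252
 ip mtu 1400
 ip tcp adjust-mss 1360
 tunnel source GigabitEthernet0/0
 tunnel destination 203.0.113.2
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile VTI-PROF

! Step 6: routing into the tunnel. There is no crypto ACL: whatever is
! routed into Tunnel0 is protected, nothing else is
ip route 192.168.2.0 255.255.255.0 Tunnel0

! R2 differs only in addresses:
!  crypto isakmp key Sh4red-S3cret-R1R2 address 203.0.113.1
!  interface Tunnel0: ip address 10.0.0.2 255.255.255.252,
!                     tunnel destination 203.0.113.1
!  ip route 192.168.1.0 255.255.255.0 Tunnel0

! Verification
show crypto isakmp sa
show crypto ipsec sa
show interface Tunnel0
```

The line protocol of Tunnel0 follows the IPsec SA, which is what makes the static route in step 6 safe: if the tunnel is down, the route is withdrawn instead of black-holing traffic.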

Overview of Dynamic VTI Point-to-Point Tunnels

 Dynamic VTI tunnels:
 Are used to provision hubs in hub-and-spoke VPNs
 Substantially simplify the configuration of the VPN hub router
 Are initiated (created) by the statically configured spoke peer
 The spoke peer is configured with a normal static VTI tunnel
 Dynamic VTIs are represented as virtual-access interfaces
 These are cloned from manually configured virtual-template
interfaces
 A virtual template defines the common settings for dynamic VTIs
 All other dynamic parameters are filled in by the hub as the
remote peer connects

Configuring Dynamic VTI

For the hub router:
 Configure IKE peering using PSK keyrings
 Optionally, configure an IPsec transform set
 Configure an IPsec protection profile
 Configure a virtual template, enable IPsec encapsulation, and apply
the protection profile to it
 Configure an ISAKMP profile to map peers to the virtual template
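An added hub configuration for the steps above (not the page's own, not a Cisco sample), with the matching static-VTI spoke. The hub address 203.0.113.1, the shared key, the loopback used for unnumbered tunnel addressing and the spoke LAN are assumptions.

```cisco
! Added example, not from the original page. Assumed: hub WAN
! GigabitEthernet0/0 at 203.0.113.1, spokes with unknown or dynamic
! addresses sharing one PSK, tunnel addressing borrowed from Loopback0.

! Hub
! Keyring: any peer address may use this key (wildcard PSK)
crypto keyring SPOKES
 pre-shared-key address 0.0.0.0 0.0.0.0 key Sp0ke-Shared-K3y
crypto isakmp policy 10
 encryption aes 256
 hash sha256
 authentication pre-share
 group 14
! ISAKMP profile: peers authenticated through the keyring are mapped to
! a virtual-access interface cloned from Virtual-Template1
crypto isakmp profile SPOKE-PROF
 keyring SPOKES
 match identity address 0.0.0.0 0.0.0.0
 virtual-template 1
crypto ipsec transform-set DVTI-TS esp-aes 256 esp-sha256-hmac
crypto ipsec profile DVTI-PROF
 set transform-set DVTI-TS
 set isakmp-profile SPOKE-PROF
interface Loopback0
 ip address 10.255.255.1 255.255.255.255
interface Virtual-Template1 type tunnel
 ip unnumbered Loopback0
 ip mtu 1400
 ip tcp adjust-mss 1360
 tunnel source GigabitEthernet0/0
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile DVTI-PROF
! Routes to the spoke LANs: run a routing protocol over the virtual-access
! interfaces (for example EIGRP with a network statement covering
! Loopback0), since static routes cannot point at an interface that does
! not exist until the spoke connects

! Spoke: an ordinary static VTI pointed at the hub
crypto isakmp policy 10
 encryption aes 256
 hash sha256
 authentication pre-share
 group 14
crypto isakmp key Sp0ke-Shared-K3y address 203.0.113.1
crypto ipsec transform-set DVTI-TS esp-aes 256 esp-sha256-hmac
crypto ipsec profile DVTI-PROF
 set transform-set DVTI-TS
interface Tunnel0
 ip address 10.0.1.2 255.255.255.252
 tunnel source GigabitEthernet0/0
 tunnel destination 203.0.113.1
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile DVTI-PROF
ip route 192.168.1.0 255.255.255.0 Tunnel0

! Verification on the hub
show crypto session
show interface virtual-access 1
```

A wildcard PSK shared by every spoke means one compromised spoke can impersonate any other; this is why the page recommends PKI-based authentication once the design grows beyond pure hub-and-spoke.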

Overview of GRE:
 Simple tunneling protocol with minimum overhead
 IETF standard (RFC 2784; key and sequence number extensions in
RFC 2890)
 IP protocol number 47 identifies GRE packets
 GRE header fields:
a. GRE version number
b. Payload protocol type
c. Checksum (optional), Tunnel Key (optional), Sequence Number
(optional)

Features and Limitations

Features                                                                    | Limitations
Standard protocol: vendor interoperability in its basic point-to-point implementation | Does not include any cryptographic mechanism
Multiprotocol and multicast support                                         | No standard control protocol to maintain GRE tunnels (proprietary tunnel keepalive available; routing protocols are typically used)
Multipoint tunneling possible                                               | Tunneling can be CPU-intensive
QoS capabilities                                                            | MTU and IP fragmentation issues (24 bytes of GRE/IP overhead)

GRE implementation options

Point-to-Point vs. Point-to-Multipoint GRE Tunnels

Point-to-Point GRE                                                | mGRE
Used on point-to-point tunnels or on spokes in hub-and-spoke VPNs | Typically used on the hub in hub-and-spoke VPNs
One tunnel interface for each peer                                | A single interface on each router for all (m)GRE peers
Does not require NHRP; all other peers statically configured      | Requires NHRP to build tunnels to other peers
Supports unicast, multicast, and broadcast                        | Supports unicast, multicast, and broadcast

GRE over IPsec

 In GRE over IPsec, the GRE packet is the payload of IPsec: traffic
is first GRE-encapsulated and the GRE packet is then protected by
IPsec (typically transport mode, because GRE already supplies the
outer IP header; tunnel mode adds another IP header). The IPsec SA
must be up before GRE traffic can pass, and the crypto ACL (or
tunnel protection) matches the GRE traffic between the two tunnel
endpoints
IPsec over GRE
 In IPsec over GRE, the GRE tunnel is brought up first and the IPsec
negotiation takes place over the GRE tunnel; all IPsec traffic is
then encapsulated with a GRE header. The GRE header itself is not
protected, so this arrangement is less common

GRE over IP
R2 configuration

R4 configuration
GRE over IPsec
R2 configuration
R4 configuration:
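An added GRE over IPsec configuration for R2 and R4 using a crypto map (not the page's own screenshots, not a Cisco sample). The WAN addresses 203.0.113.2/203.0.113.4, the LANs 192.168.2.0/24 and 192.168.4.0/24, the tunnel network 10.2.4.0/30 and the key string are assumptions.

```cisco
! Added example, not from the original page. Assumed: R2 WAN 203.0.113.2
! (LAN 192.168.2.0/24), R4 WAN 203.0.113.4 (LAN 192.168.4.0/24), tunnel
! network 10.2.4.0/30, GigabitEthernet0/0 is the WAN interface on both.

! R2
crypto isakmp policy 10
 encryption aes 256
 hash sha256
 authentication pre-share
 group 14
crypto isakmp key Gre-0ver-Ipsec-K3y address 203.0.113.4
! Transport mode: the GRE/IP header already carries the endpoint
! addresses, so tunnel mode would only add a second IP header
crypto ipsec transform-set GRE-TS esp-aes 256 esp-sha256-hmac
 mode transport
! The crypto ACL matches only the GRE traffic between the endpoints;
! what gets protected is decided by routing into Tunnel0, not by this ACL
ip access-list extended GRE-TO-R4
 permit gre host 203.0.113.2 host 203.0.113.4
crypto map GRE-MAP 10 ipsec-isakmp
 set peer 203.0.113.4
 set transform-set GRE-TS
 match address GRE-TO-R4
interface Tunnel0
 ip address 10.2.4.1 255.255.255.252
 ip mtu 1400
 ip tcp adjust-mss 1360
 tunnel source 203.0.113.2
 tunnel destination 203.0.113.4
interface GigabitEthernet0/0
 ip address 203.0.113.2 255.255.255.0
 crypto map GRE-MAP
ip route 192.168.4.0 255.255.255.0 Tunnel0

! R4 (mirror image)
crypto isakmp policy 10
 encryption aes 256
 hash sha256
 authentication pre-share
 group 14
crypto isakmp key Gre-0ver-Ipsec-K3y address 203.0.113.2
crypto ipsec transform-set GRE-TS esp-aes 256 esp-sha256-hmac
 mode transport
ip access-list extended GRE-TO-R2
 permit gre host 203.0.113.4 host 203.0.113.2
crypto map GRE-MAP 10 ipsec-isakmp
 set peer 203.0.113.2
 set transform-set GRE-TS
 match address GRE-TO-R2
interface Tunnel0
 ip address 10.2.4.2 255.255.255.252
 ip mtu 1400
 ip tcp adjust-mss 1360
 tunnel source 203.0.113.4
 tunnel destination 203.0.113.2
interface GigabitEthernet0/0
 ip address 203.0.113.4 255.255.255.0
 crypto map GRE-MAP
ip route 192.168.2.0 255.255.255.0 Tunnel0

! Verification
show crypto ipsec sa
show interface Tunnel0
```

The mtu and adjust-mss lines are what the GRE limitations table calls the fragmentation issue: GRE plus ESP plus the outer IP header no longer fit a 1500-byte path, and fragmenting encrypted packets is expensive and easy to get wrong, so the tunnel clamps TCP segments instead.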

VPN with overlapping subnets:

There are two ways:

1. You have control of both peers (NAT on both devices)
2. You have control of only one peer (NAT on one peer)

1. NAT on both peers

If NAT and VPN are configured on the same router, for inside-to-outside
traffic the router applies NAT before the crypto map, so the crypto
ACL must match the translated (post-NAT) addresses

R2 configuration

R4 configuration
2. Access to only one device (NAT on only one peer)

Only the modifications are captured.

On R2

On R4
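An added example of the NAT-on-both-peers case (not the page's own screenshots, not a Cisco sample). Both LANs are assumed to be 10.1.1.0/24; R2 presents its LAN as 172.16.2.0/24 and R4 as 172.16.4.0/24; the WAN addresses are 203.0.113.2 and 203.0.113.4; the ISAKMP policy and PSK are assumed to be configured as for any site-to-site tunnel and are not repeated.

```cisco
! Added example, not from the original page. Assumed: both LANs are
! 10.1.1.0/24; R2 presents its LAN as 172.16.2.0/24, R4 as 172.16.4.0/24;
! WAN addresses 203.0.113.2 and 203.0.113.4. ISAKMP policy and PSK are
! configured as for any site-to-site tunnel (not shown).

! R2
interface GigabitEthernet0/1
 ip address 10.1.1.1 255.255.255.0
 ip nat inside
interface GigabitEthernet0/0
 ip address 203.0.113.2 255.255.255.0
 ip nat outside
 crypto map OVL-MAP
! One-to-one network translation; being static it also translates inbound
ip nat inside source static network 10.1.1.0 172.16.2.0 /24
! Crypto ACL uses the translated networks: NAT runs before the crypto map
! on the inside-to-outside path
ip access-list extended OVL-VPN
 permit ip 172.16.2.0 0.0.0.255 172.16.4.0 0.0.0.255
crypto ipsec transform-set OVL-TS esp-aes 256 esp-sha256-hmac
crypto map OVL-MAP 10 ipsec-isakmp
 set peer 203.0.113.4
 set transform-set OVL-TS
 match address OVL-VPN
! Route the remote translated network toward the peer so that it leaves
! through the crypto-map interface
ip route 172.16.4.0 255.255.255.0 203.0.113.4

! R4 (interfaces, nat inside/outside and the crypto map applied as on R2;
! only the differing lines are shown)
ip nat inside source static network 10.1.1.0 172.16.4.0 /24
ip access-list extended OVL-VPN
 permit ip 172.16.4.0 0.0.0.255 172.16.2.0 0.0.0.255
crypto ipsec transform-set OVL-TS esp-aes 256 esp-sha256-hmac
crypto map OVL-MAP 10 ipsec-isakmp
 set peer 203.0.113.2
 set transform-set OVL-TS
 match address OVL-VPN
ip route 172.16.2.0 255.255.255.0 203.0.113.2

! Verification
show ip nat translations
show crypto ipsec sa
```

Hosts address the remote site by its translated range: a host on the R2 LAN reaches R4's 10.1.1.10 as 172.16.4.10, and on the way back R4's static network NAT maps 172.16.4.10 to 10.1.1.10 after decryption. Internal DNS must therefore hand out the translated addresses for remote hosts.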
VRF-aware IPsec:
Virtual Routing and Forwarding
 A VRF is a Virtual Routing and Forwarding instance; it is basically
a virtualization technique for IOS routers. Each VRF has its own
interfaces (you cannot put a Layer 3 interface in two different
VRFs), its own routing table, and its own forwarding table
 Most commonly VRF is associated with MPLS service providers
 In Cisco terminology, deployment of VRF without MPLS is VRF-lite

Configuration
Command to configure a VRF:

Assign the VRF to an interface

Note: When an interface is assigned to a VRF, its IP address
configuration is removed and must be reconfigured

Add a static or default route in the VRF (if required)

Command to check the routing table for a particular VRF

Ping from the VRF

Check the routing table of the VRF

Configure router EIGRP for the VRF
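The VRF-lite steps above as one added configuration (not the page's own screenshots, not a Cisco sample). The VRF name CUST-A, the route distinguisher, the interface, the 10.10.1.0/24 network and the upstream 10.10.1.254 are assumptions.

```cisco
! Added example, not from the original page. Assumed: VRF "CUST-A" on
! GigabitEthernet0/1 (10.10.1.0/24), upstream router 10.10.1.254 inside
! the VRF, EIGRP AS 100.

! Define the VRF ("ip vrf" is the classic form; "vrf definition" is the
! newer, address-family aware form)
ip vrf CUST-A
 rd 65000:1

! Assign the interface. "ip vrf forwarding" removes the IP address, so it
! is entered again afterwards
interface GigabitEthernet0/1
 ip vrf forwarding CUST-A
 ip address 10.10.1.1 255.255.255.0
 no shutdown

! Static/default route inside the VRF table, not the global table
ip route vrf CUST-A 0.0.0.0 0.0.0.0 10.10.1.254

! EIGRP for the VRF (classic mode uses a per-VRF address family)
router eigrp 100
 address-family ipv4 vrf CUST-A
  autonomous-system 100
  network 10.10.1.0 0.0.0.255
  no auto-summary
 exit-address-family

! Verification: lookups, pings and neighbour checks are all VRF-scoped
show ip route vrf CUST-A
ping vrf CUST-A 10.10.1.254
show ip eigrp vrf CUST-A neighbors
show ip vrf interfaces
```

The security value of the separation is that a plain "ping 10.10.1.254" or a global static route does not reach into CUST-A at all; traffic can only cross between VRFs where route leaking (or a VRF-aware IPsec tunnel) is explicitly configured.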


IPsec over GRE
R2 configuration

R4 configuration:
Overview of Cisco IOS DMVPN
 DMVPN provides fully meshed connectivity with the simple
configuration of hub and spoke
 Supports dynamically addressed spokes
 Facilitates zero-touch configuration for the addition of new spokes
 Features automatic IPsec triggering for building the IPsec tunnel
Building blocks of DMVPN

(m)GRE      | Provides a scalable multiprotocol tunneling framework with optional dynamic routing. All DMVPN members use GRE or mGRE interfaces to build GRE tunnels between devices
NHRP        | Provides dynamic mutual discovery of spokes. Spokes use NHRP to inform the hub about their inner (tunnel) and outer (physical interface) IP addresses and to query about the mapping of other spokes
IKE + IPsec | Provides key management and transmission protection. GRE tunnels use IPsec encapsulation; spokes have permanent IKE sessions with the hub and on-demand sessions between themselves
DMVPN Deployment Models

NHRP
 NHRP provides a mechanism to dynamically learn the IP addresses
of the spokes
 A client-server protocol: the hub acts as the server (next-hop
server, NHS) and the spokes are clients
 The hub maintains a database of all external (physical) and
internal (tunnel) addresses of the spokes
 Each spoke registers its addresses when it boots (and re-registers
periodically)
(m)GRE-NHRP integration
 mGRE (and IPsec in DMVPN) uses NHRP to create dynamic
tunnels
 The hub learns the spoke addresses in order to create GRE tunnels
to them
 Spokes query the server to resolve the external addresses of other
spokes and create dynamic GRE tunnels to them

DMVPN operations
DMVPN initial state
• Initially, all spokes register with the hub
• The hub has a static physical IP address
• Spokes can be statically or dynamically (physically) addressed
• NHRP mappings are created
• Spoke-to-hub GRE and IPSEC tunnels are created
• All traffic from the spoke is forwarded
Dynamic Spoke-to-Spoke Tunnel Creation
1. A PC (192.168.2.10) inside the left spoke network wants to communicate with a server (192.168.3.10) inside the right spoke network. It sends a packet toward the server
2. The left spoke router finds the destination network (192.168.3.0/24) reachable over the 10.1.1.3 next hop on its mGRE interface
3. The left spoke router does not find a mapping for the 10.1.1.3 next hop in its NHRP cache and consults the NHRP server
4. The hub resolves the 10.1.1.3 tunnel next hop to the 172.17.3.34 physical interface address of the right spoke (based on its NHRP registration)
5. The response triggers the creation of a dynamic GRE/IPSEC tunnel between the spoke physical addresses. The answer from the NHRP server is cached on the spoke
6. Now that the tunnel has been built, traffic can flow directly from the left spoke network to the right spoke network. Note that traffic cannot yet flow directly in the other direction.
7. When the web server replies to the client traffic, the same sequence of NHRP and GRE/IPSEC processes occurs. Because there is already a GRE/IPSEC tunnel in place, a duplicate tunnel is avoided
8. After a configurable timeout value, the NHRP entries on the spoke routers time out, causing the dynamic spoke-to-spoke tunnel to be torn down
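The eight-step walkthrough above, as an added Python model that is not part of the original notes and not Cisco code: an NHRP server holding the spoke registrations, a spoke with its routing table, NHRP cache and hold timer, and a shared table standing in for the GRE/IPSEC tunnels between spokes. The addresses 192.168.2.10, 192.168.3.10, 10.1.1.3 and 172.17.3.34 are the ones used in the walkthrough; the left spoke's tunnel address 10.1.1.2, its physical address 172.17.2.34 and the 600-second hold time are assumptions of this model.

```python
import ipaddress


class NhrpServer:
    """The DMVPN hub acting as NHRP next-hop server."""

    def __init__(self):
        self.registrations = {}  # tunnel (mGRE) IP -> NBMA (physical) IP

    def register(self, tunnel_ip, nbma_ip):
        """Each spoke registers its tunnel/physical address pair when it boots."""
        self.registrations[tunnel_ip] = nbma_ip

    def resolve(self, tunnel_ip):
        """Resolution request: return the physical address for a tunnel next hop."""
        return self.registrations.get(tunnel_ip)


class Spoke:
    """A DMVPN spoke with routes over the mGRE interface, an NHRP cache and
    dynamic spoke-to-spoke tunnels."""

    def __init__(self, name, tunnel_ip, nbma_ip, hub, routes, sa_table, hold_time=600):
        self.name = name
        self.tunnel_ip = tunnel_ip
        self.nbma_ip = nbma_ip
        self.hub = hub
        # routes: {"192.168.3.0/24": "10.1.1.3"}, next hops are tunnel addresses
        self.routes = {ipaddress.ip_network(n): nh for n, nh in routes.items()}
        self.sa_table = sa_table      # shared set of (nbma_a, nbma_b) tunnel pairs
        self.hold_time = hold_time    # NHRP hold time in seconds (assumed value)
        self.nhrp_cache = {}          # tunnel next hop -> (nbma_ip, expiry)
        hub.register(tunnel_ip, nbma_ip)

    def next_hop(self, dst):
        dst = ipaddress.ip_address(dst)
        for net, nh in self.routes.items():
            if dst in net:
                return nh
        return None

    def forward(self, dst, now):
        """Steps 2 to 6: route lookup, NHRP cache check, resolution, tunnel setup."""
        nh = self.next_hop(dst)
        if nh is None:
            return {"action": "no-route"}
        cached = self.nhrp_cache.get(nh)
        if cached and cached[1] > now:
            nbma, cache_hit = cached[0], True
        else:
            nbma = self.hub.resolve(nh)          # consult the NHRP server
            if nbma is None:
                return {"action": "unresolved", "next_hop": nh}
            self.nhrp_cache[nh] = (nbma, now + self.hold_time)
            cache_hit = False
        pair = tuple(sorted((self.nbma_ip, nbma)))
        created = pair not in self.sa_table    # step 7: an existing tunnel is reused
        self.sa_table.add(pair)
        return {"action": "spoke-to-spoke", "next_hop": nh, "nbma": nbma,
                "cache_hit": cache_hit, "tunnel_created": created}

    def expire(self, now):
        """Step 8: age out NHRP entries and tear down the matching tunnels."""
        torn_down = []
        for nh, (nbma, expiry) in list(self.nhrp_cache.items()):
            if expiry <= now:
                del self.nhrp_cache[nh]
                self.sa_table.discard(tuple(sorted((self.nbma_ip, nbma))))
                torn_down.append(nbma)
        return torn_down


def demo():
    hub, sas = NhrpServer(), set()
    left = Spoke("left", "10.1.1.2", "172.17.2.34", hub,
                 {"192.168.3.0/24": "10.1.1.3"}, sas)
    right = Spoke("right", "10.1.1.3", "172.17.3.34", hub,
                  {"192.168.2.0/24": "10.1.1.2"}, sas)
    first = left.forward("192.168.3.10", now=0)    # PC -> server: resolve, build tunnel
    reply = right.forward("192.168.2.10", now=1)   # server reply: resolve, reuse tunnel
    again = left.forward("192.168.3.10", now=2)    # cached mapping, no NHRP query
    gone = left.expire(now=700)                    # hold time passed: teardown
    return first, reply, again, gone, len(sas)


if __name__ == "__main__":
    for item in demo():
        print(item)
```

The shared `sa_table` is what makes step 7 visible: the right spoke's own resolution still happens (it has no cache entry), but the tunnel pair already exists, so no second tunnel is built.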

Types of Authentication
• Pre-shared keys
• PKI-based IKE authentication
Deployment choice:
• In a hub-and-spoke DMVPN, either choice is acceptable
• In fully meshed DMVPNs, PKI-based authentication is highly recommended

Configure DMVPN on Hub

• (optional) Configure an IKE policy
• Generate or configure spoke authentication credentials
• Configure an IPSEC profile with an optional transform set
• Create an mGRE tunnel interface
• Configure an NHRP server on the mGRE interface
• Associate the IPSEC profile with the mGRE interface
• Configure an IP address, and IP fragmentation and TCP segmentation parameters on the mGRE interface

Configure DMVPN on Spoke

• (optional) Configure an IKE policy
• Generate or configure hub authentication credentials
• Configure an IPSEC profile with an optional transform set
• Create an mGRE tunnel interface
• Configure an NHRP client on the mGRE interface
• Associate the IPSEC profile with the mGRE interface
• Configure an IP address, and IP fragmentation and TCP segmentation parameters on the mGRE interface

Configure Routing in DMVPN

• Routing protocols usually need additional configuration
• The DMVPN cloud is an NBMA network
• Routing protocol peering occurs only between the spokes and the hub
• Tuning the routing protocol on the hub specifies whether the network will be hub-and-spoke or a full mesh

Verify DMVPN
Command                  Description
show interface tunnel    Verifies the state of GRE tunnels
show ip nhrp             Displays NHRP mapping information on a device
show ip nhrp nhs detail  Displays NHRP next-hop server information
show dmvpn detail        Verifies proper operation of DMVPN control functions
show ip route            Verifies routing in the DMVPN network

GETVPN:
Hardware client:

Cisco IOS FlexVPN overview

• It is a new framework to configure IPSEC VPNs using IKEv2 on Cisco IOS
• FlexVPN combines multiple approaches such as crypto maps, EzVPN and DMVPN into a single command-line interface

FlexVPN Architecture
• Single configuration approach for all VPN types
• IKEv2
  - Major protocol update
  - No backward compatibility with IKEv1
  - Provides many improvements
• Per-peer features (QoS, firewall, policies, VRF reinjection)
• Service aggregation (remote access, site-to-site)
• Improved service management (AAA)
• Multitenancy
• Recommended for the future

IKEv2
IKEv2 message overview

IKEv2 DoS Prevention

• Anti-clogging cookies
  - Optional DoS countermeasure
  - May increase the number of initial messages
• Upon receipt of an IKE_SA_INIT, the responder can take one of these actions:
  - Proceed with setting up the SA, or
  - Instruct the initiator to send another IKE_SA_INIT carrying the supplied cookie
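An added Python model of the cookie exchange described above; it is not from the original notes and not a Cisco implementation. The cookie is computed statelessly from a responder secret, the initiator's source address, SPI and nonce, following the construction RFC 7296 suggests, so the responder keeps no state until an initiator proves it can receive at the address it claims. The message dictionaries, the `under_attack` flag and the addresses are assumptions of the model.

```python
import hashlib
import hmac
import os


class Responder:
    """IKEv2 responder. With under_attack set it refuses to allocate state for an
    IKE_SA_INIT that carries no valid cookie and answers N(COOKIE) instead."""

    def __init__(self, under_attack=False):
        self.secret = os.urandom(32)     # rotated periodically in a real implementation
        self.version = 1                 # identifies which secret produced a cookie
        self.under_attack = under_attack
        self.half_open = {}              # SPIi -> state: the resource a flood exhausts

    def _cookie(self, src_ip, spi_i, nonce_i):
        # RFC 7296 suggests <VersionIDofSecret> | Hash(Ni | IPi | SPIi | <secret>)
        mac = hmac.new(self.secret, nonce_i + src_ip.encode() + spi_i,
                       hashlib.sha256).digest()[:16]
        return bytes([self.version]) + mac

    def ike_sa_init(self, src_ip, msg):
        if self.under_attack:
            expected = self._cookie(src_ip, msg["spi_i"], msg["nonce_i"])
            cookie = msg.get("cookie")
            if cookie is None or not hmac.compare_digest(cookie, expected):
                return {"type": "COOKIE", "cookie": expected}   # nothing stored
        # Only now does the responder commit memory (and, in reality, DH work)
        self.half_open[msg["spi_i"]] = {"peer": src_ip}
        return {"type": "IKE_SA_INIT_RESPONSE", "spi_r": os.urandom(8)}


class Initiator:
    def __init__(self, ip):
        self.ip = ip
        self.spi_i = os.urandom(8)
        self.nonce_i = os.urandom(32)

    def connect(self, responder):
        """Returns the final response type and how many IKE_SA_INITs were sent."""
        msg = {"spi_i": self.spi_i, "nonce_i": self.nonce_i}
        resp = responder.ike_sa_init(self.ip, msg)
        sent = 1
        if resp["type"] == "COOKIE":
            msg["cookie"] = resp["cookie"]     # repeat IKE_SA_INIT with N(COOKIE)
            resp = responder.ike_sa_init(self.ip, msg)
            sent += 1
        return resp["type"], sent


def demo():
    calm = Initiator("203.0.113.10").connect(Responder())
    busy = Responder(under_attack=True)
    attacked = Initiator("203.0.113.10").connect(busy)
    # Constructed load: 1000 IKE_SA_INITs that never return with the cookie,
    # which is what traffic from unreachable (spoofed) sources looks like.
    before = len(busy.half_open)
    for i in range(1000):
        busy.ike_sa_init(f"198.51.100.{i % 250}",
                         {"spi_i": os.urandom(8), "nonce_i": os.urandom(32)})
    return calm, attacked, len(busy.half_open) - before


if __name__ == "__main__":
    print(demo())
```

The cost of the countermeasure is visible in the second result: a legitimate initiator needs one extra IKE_SA_INIT round trip while the responder is under load, which is the "may increase the number of initial messages" point above.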

IKEv1 and IKEv2 Comparison

Feature          IKEv1                            IKEv2
Authorization    Maximum 6 messages               Open-ended messages
First IPSEC SA   Minimum 9 messages               Minimum 4 to 6 messages
Authentication   Pubkey-sig, pubkey-encr, PSK     Pubkey-sig, PSK, EAP, hybrid
Anti-DoS         Not effective                    Effective
IKE rekey        Requires reauthorization (PFS)   No reauthorization
Notifies         Unacknowledged                   Acknowledged

FlexVPN Use Cases

FlexVPN Configuration Blocks

To minimize FlexVPN configuration, you can use an IKEv2 feature called smart defaults, which includes default settings for all configuration blocks except the IKEv2 profile and keyring

IKEv2 Smart Defaults

Preconfigured Construct        Attributes
crypto ikev2 proposal          Encryption: AES-CBC 256/192/128, 3DES
                               Integrity: SHA-512/384/256, SHA-1, MD5
                               DH: group 5/2
crypto ikev2 policy            Match any
crypto ipsec transform-set     Encryption: AES-128, 3DES
                               Integrity: SHA, MD5
crypto ipsec profile default   Default transform set, SA lifetime
Cisco Clientless SSL VPN

Secure Sockets Layer and Transport Layer Security Overview

• Originally developed in 1994 by Netscape Communications to protect web transactions:
  - IETF enhanced SSL and named it TLS
  - TLSv1.0 is an evolution of SSLv3.0
  - TLSv1.0 is described in RFC 2246
• SSL/TLS is designed to do the following:
  - Authenticate the server to the client by using an X.509 certificate
  - Authenticate the client to the server by using an X.509 certificate (optional)
  - Select common cryptographic algorithms and generate shared secrets
  - Establish a protected SSL/TLS tunnel for TCP or UDP connections or application data

SSL/TLS session establishment phases:

• Negotiation of parameters between client and server
• One-way or mutual authentication between client and server
  - Server authentication (required)
  - Client authentication (optional)
• Creation of session keys and activation of the cipher suite

SSL Server Authentication

SSL Client Authentication
SSL Transmission Protection
• SSL/TLS record protocol:
  - Partitions the data stream into records
  - Each record is protected separately
  - Each record consists of header, data, and HMAC
  - Data and HMAC are encrypted
  - Supports TCP or UDP (DTLS) transport
Cisco ASA Remote Access Configuration Concept
• Separate configuration of pre-login access methods and post-login policies offers:
  - Flexibility: network settings and security policies can be applied to any user or group
  - Scalability: configuration of similar policies does not require configuration duplication; achieved through modularity and inheritance
Cisco ASA Connection Profiles
• Separate remote users into groups based on login AAA requirements
• Select a post-login policy

Cisco ASA connection profile selection

• The connection profile is selected before authentication
• Based on a connection profile URL (group URL) entered together with the ASA hostname
• Based on a connection profile alias selected in the login page drop-down menu
• Based on a certificate-to-connection-profile mapping when using certificates for authentication
Default Connection Profile
• If you do not define any criteria for mapping remote users to connection profiles, the Cisco ASA maps the user to a default connection profile
• DefaultRAgroup is used for full-tunnel IPSEC IKEv1 VPN remote access clients
• DefaultWEBVPNGroup is used for AnyConnect SSL and IPSEC IKEv2, and clientless SSL VPN remote access clients
• Both default connection profiles are fully customizable

Cisco ASA Group Policies:

• Group policies define the post-login policies that are applied to VPN sessions
• Group policies are reusable policy objects that you can apply to the following:
  - Connection profiles or user profiles
  - Multiple connection profiles or users, to enable reuse
• Group policies simplify configuration where reuse is required
Default Group Policy
• The Cisco ASA by default includes a policy named DfltGrpPolicy
• DfltGrpPolicy is applied to the default DefaultRAgroup and DefaultWEBVPNGroup connection profiles
• The DfltGrpPolicy is fully customizable
• Newly created group policies inherit settings from the DfltGrpPolicy

Basic Cisco Clientless SSL VPN on ASA uses:

• A self-signed or CA-signed identity certificate to authenticate the SSL VPN server to clients
• The local user database on the Cisco ASA to authenticate clients
• Manual URL entry or bookmarks on the clientless web portal to navigate to protected resources

Cisco ASA SSL Server Authentication

• The Cisco ASA requires an identity certificate to authenticate to SSL VPN clients
  - A temporary self-signed certificate is generated by default
  - A persistent self-signed certificate can be configured
  - A PKI-provisioned certificate is recommended

SSL VPN Client Authentication

• The simplest client authentication uses local passwords
  - Local user database
  - Locally configured static passwords

Clientless SSL VPN URL Entry and Bookmarks

• In the clientless SSL VPN portal the following applications are supported by default:
  - Web browsing using HTTP/HTTPS
  - File share using CIFS and FTP
Configuration Tasks:
• Enable clientless SSL VPN on the ASA:
  - Enable SSL VPN access on an interface
  - Select the identity certificate
• Edit the default connection profile or create a custom one:
  - Select the authentication method
  - Allow the users to select a connection profile from the login page or create a group URL
• Edit the default group policy or create a custom one
  - Create a bookmark list and apply it to the group policy
• Apply the custom group policy to the custom connection profile
• Create a user account in the local user database

Cisco Clientless SSL VPN Application Access Methods

• Application plug-ins:
  - Access from the browser
  - Recommended approach
  - Limited range of applications
• Smart tunnels:
  - Support for native application clients
  - Recommended for all applications without plug-ins
• Port forwarding:
  - Older technology
  - Recommended for Linux and earlier Cisco ASA software versions
Application Plug-Ins
• Lightweight client applications executed inside the browser
• Downloaded on demand as Java or ActiveX applets from the SSL VPN gateway
• Provided by Cisco and downloadable from http://www.cisco.com

Application Plug-Ins Available on Cisco ASA

Plug-in   Supported application servers
SSH       Telnet, SSH servers
RDP       Microsoft Terminal Services servers
RDP2      Newer Microsoft Terminal Services (Windows 2003 R2, Windows Vista, Windows 7) servers
ICA       Citrix ICA servers
VNC       VNC servers

Smart Tunnels
• A lightweight connection broker applet:
  - Downloaded from the SSL VPN gateway
  - Intercepts sessions from designated applications
  - Forwards them across the SSL VPN session
• Native applications on the client are unaware of the VPN session
  - No reconfiguration is required on the client
• For applications with native clients:
  - Create a smart tunnel list
  - Assign the smart tunnel list to a group policy or user profile
• For web-based applications:
  - Add a bookmark to the bookmark list
  - Enable the bookmark for smart tunnel access
  - Bind the bookmark list to a group policy or user profile

Troubleshoot Clientless SSL VPN

• Common problems
  - Clientless SSL VPN not enabled on the interface
  - Mismatch between the SSL port on the client and server side
  - Mismatch between supported SSL ciphers
• Certificate issues:
  - Incorrect usage (purpose) of the VPN server certificate
    - Must be 'Web server' to be accepted by browsers
    - Other profiles, such as 'User', will be rejected
  - Certificate FQDN different from the URL
  - CA root certificate not installed in the trusted certificate store on the client
• Authentication, when off-loaded to an external database
• Authorization blocks access to resources

Basic Cisco AnyConnect SSL VPN on Cisco ASA

• Basic Cisco AnyConnect SSL VPN on the ASA uses:
  - A self-signed or CA-signed identity certificate to authenticate the SSL VPN server to clients
  - The local user database on the Cisco ASA to authenticate clients
  - A local address pool on the Cisco ASA to assign IP addresses to clients
  - Split tunneling on the Cisco ASA to control which resources are accessed over the SSL VPN

Cisco ASA SSL Server Authentication

• The Cisco ASA requires an identity certificate to authenticate to SSL VPN clients
  - A temporary self-signed certificate is generated by default
  - A persistent self-signed certificate can be configured
  - A PKI-provisioned certificate is recommended

SSL VPN Client Authentication

• The simplest client authentication uses local passwords
  - Local user database
  - Locally configured static passwords
• AnyConnect full-tunnel password-based users
  - May be permitted to select a connection profile from the selection menu or by group URL
  - DefaultWEBVPNGroup is used by default, which uses local authentication

SSL VPN Client IP Address Assignment

• Full-tunneling SSL VPNs need to assign an IP address to the client
  - Can be private
  - Must be routed to the ASA
• Basic IP address assignment options:
  - Using a connection profile local pool
  - Using a local pool in a group policy
  - Per user in the local AAA user database

SSL VPN Split Tunneling

• The split tunneling policy is pushed from the Cisco ASA
• Allows some traffic to bypass the tunnel (for example, direct connectivity to Internet destinations)
  - Increases performance
  - No access control for non-tunneled destinations

Configuration Tasks:
• Install the Cisco AnyConnect client image
• Enable Cisco AnyConnect SSL VPN on the ASA
  - Enable SSL VPN access on an interface
  - Select the identity certificate
• Define an IP address pool
  - All assignment methods are enabled by default
    - Authorization attribute obtained from the AAA server
    - DHCP
    - IP address pools
• Configure identity NAT for client access
• Edit the default group policy or create a custom one:
  - Enable AnyConnect SSL VPN access
  - Optionally, configure split tunneling
• Edit the default connection profile or create a custom one:
  - Select the authentication method
  - Select the client address pool

DTLS Overview
• Datagram Transport Layer Security
• Standard protocol (RFC 4347), based on TLS
• Equivalent security to TLS
• UDP transport
  - Mitigates latency and bandwidth problems
• Enabled by default
  - If enabled, takes precedence over SSL

Parallel DTLS and TLS Tunnels

DTLS enabled:
• It allows two simultaneous tunnels: TLS and DTLS
• TLS is used to negotiate and establish the DTLS connection (control messages and key exchange)
• DPD provides automatic fallback to TLS if the DTLS tunnel fails
DTLS disabled:
• Clients connect only with an SSL VPN tunnel

Cisco AnyConnect Client Configuration Management

Feature                               Description
Cisco AnyConnect software management  • Offline install or web launch
                                      • Manual or automatic uninstall
                                      • Optional software persistence
                                      • Automatic updates
XML configuration profiles            • Optional enhancements of Cisco AnyConnect client configuration control
                                      • Deployed using specific group policies
                                      • Can allow the user to control some settings
                                      • Three editing options:
                                        a. Standalone editor installed on the PC
                                        b. Editor accessed from the Cisco ASDM interface
                                        c. Text editor for manual XML file configuration

Cisco AnyConnect Client Operating System Integration Options

Integration option   Description
TND                  • Automatically starts Cisco AnyConnect when the user is outside the corporate network
                     • Disconnects the tunnel if the user is in the trusted network
                     • Network identified by:
                       - Domain name
                       - DNS servers
                     • Configured in the client profile
Client scripting     • Scripts run at login (OnConnect) and at logout (OnDisconnect)
                     • Can perform many functions:
                       - Refresh Active Directory GPOs
                       - Map and unmap network drives
                       - Automatically start user applications

SSL modes:
Clientless mode:

Thin client mode:

Thick client mode:


SSL Requirements:

NAT-traversal:
The need for NAT Traversal arises because the AH and ESP protocols running on the end-user desktop carry no port numbers, so the firewall does not know how to PAT or NAT these packets. NAT Traversal performs two tasks:
1. Detects whether both ends support NAT-T
2. Detects NAT devices along the transmission path (NAT-Discovery)
Step one occurs in ISAKMP Main Mode messages one and two. If both devices support NAT-T, then NAT-Discovery is performed in ISAKMP Main Mode messages (packets) three and four. The NAT-D payload sent is a hash of the original IP address and port. The devices exchange two NAT-D payloads, one with the source IP and port, and another with the destination IP and port. The receiving device recalculates the hash and compares it with the hash it received; if they don't match, a NAT device exists. If a NAT device has been determined to exist, NAT-T changes the ISAKMP transport with ISAKMP Main Mode messages five and six, at which point all ISAKMP packets change from UDP port 500 to UDP port 4500. NAT-T encapsulates the Quick Mode (IPsec Phase 2) exchange inside UDP 4500 as well. After Quick Mode completes, the data that gets encrypted on the IPsec Security Association is also encapsulated inside UDP port 4500, thus providing a port to be used by the PAT device for translation.
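An added Python example (not part of the original notes, not from any vendor implementation) that builds NAT-D payloads the way RFC 3947 defines them, HASH(CKY-I | CKY-R | IP | Port), which is the "hash of the original IP address and port" above with the ISAKMP cookies mixed in, and then runs the receiver's comparison. SHA-1 is assumed as the negotiated hash; the cookies and the addresses 10.0.0.5, 203.0.113.7 and 198.51.100.9 are constructed for the example.

```python
import hashlib
import socket
import struct


def nat_d(cky_i, cky_r, ip, port):
    """NAT-D payload per RFC 3947: HASH(CKY-I | CKY-R | IP | Port).
    SHA-1 is assumed to be the hash negotiated in Main Mode messages 1 and 2."""
    return hashlib.sha1(cky_i + cky_r + socket.inet_aton(ip)
                        + struct.pack("!H", port)).digest()


def build_nat_d_payloads(cky_i, cky_r, local_ip, local_port, remote_ip, remote_port):
    """What a peer sends in Main Mode message 3 or 4: first the hash of the
    peer's (destination) address, then the hash of its own (source) address."""
    return [nat_d(cky_i, cky_r, remote_ip, remote_port),
            nat_d(cky_i, cky_r, local_ip, local_port)]


def detect_nat(cky_i, cky_r, payloads, observed_src_ip, observed_src_port, my_ip, my_port):
    """Receiver side: recompute the hashes from the addresses actually seen in
    the IP/UDP headers. A mismatch means a NAT rewrote an address on the path,
    and the exchange moves to UDP 4500 from Main Mode message 5 onward."""
    dst_hash, src_hashes = payloads[0], payloads[1:]
    peer_behind_nat = nat_d(cky_i, cky_r, observed_src_ip, observed_src_port) not in src_hashes
    me_behind_nat = nat_d(cky_i, cky_r, my_ip, my_port) != dst_hash
    nat_present = peer_behind_nat or me_behind_nat
    return {"peer_behind_nat": peer_behind_nat, "me_behind_nat": me_behind_nat,
            "port": 4500 if nat_present else 500}


def demo():
    # Constructed cookies and topology: initiator 10.0.0.5:500 sits behind a PAT
    # device that rewrites it to 203.0.113.7:4099; the responder 198.51.100.9:500
    # has a public address.
    cky_i = bytes.fromhex("0011223344556677")
    cky_r = bytes.fromhex("8899aabbccddeeff")
    payloads = build_nat_d_payloads(cky_i, cky_r, "10.0.0.5", 500, "198.51.100.9", 500)
    natted = detect_nat(cky_i, cky_r, payloads, "203.0.113.7", 4099, "198.51.100.9", 500)
    # Same payloads seen without any translation on the path
    clean = detect_nat(cky_i, cky_r, payloads, "10.0.0.5", 500, "198.51.100.9", 500)
    return natted, clean


if __name__ == "__main__":
    print(demo())
```

Because the cookies are part of the hash, a device on the path cannot precompute a matching NAT-D value for an address it has rewritten without also seeing the ISAKMP cookies of that exact exchange; the check is a mismatch detector, not an authenticator, but it is bound to the session.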

Configuration:
On R3 (configure NAT)

On R2:

On R4:
Site-to-Site VPN with ASA as ISP
ASA as ISP:
There will be no change to the VPN peer configuration
Inspecting ESP traffic

VPN with aggressive mode

Hardware Series
Cisco Web Security Appliance:

Overview:
It is an enterprise-class web proxy that provides a rich set of security control features
These features include:
1. Web proxy including caching (HTTP, HTTPS, FTP, FTP over HTTP)
2. Reputation filtering
3. Malware scanning
4. URL filtering
5. Application visibility and control
6. HTTPS inspection
7. Authentication
8. Reporting and tracking
9. Layer 4 traffic monitoring

Cisco WSA deployment options


WSA Architecture:
The Cisco WSA runs on Cisco's proprietary AsyncOS and provides a rich set of management and reporting features
The software feature components installed on the WSA are enabled by licenses referred to as feature keys. These feature keys are term-based subscriptions of one, three, or five years, and they are based on the number of users, not devices
Four web security licenses are available:
1. Cisco Web Security Essentials
  • Threat intelligence via Cisco SIO
  • Layer 4 traffic monitoring
  • Application visibility and control
  • Policy management
  • URL filtering
  • Third-party DLP integration
2. Cisco Anti-Malware
  • Allows real-time malware scanning

3. Cisco Web Security Premium

  • Cisco Web Security Essentials and Cisco Anti-Malware scanning combined into one license

4. Anti-Malware (Sophos or McAfee)

  • Allows Sophos or McAfee real-time malware scanning
Cisco Web-Based Reputation Score
• Used to judge the trustworthiness of a given URL
• Used to determine the likelihood that it contains URL-based malware
• The WSA uses URL reputation scores to identify suspicious activities and stop malware attacks before they occur

Cisco WSA Acceptable Use Policy:

• It is a listing of the types of websites, specific URL domain names of websites, and IP addresses of websites that users are permitted to access via their corporate-owned assets or PCs
• The WSA has a database of URLs and keeps track of all the URLs that Cisco feeds it. By default the Cisco WSA will update its internal copy of this database every five minutes

Cisco WSA includes these policy types:

1. Identities
2. SaaS policies
3. Decryption policies
4. Routing policies
5. Access policies
6. Overall bandwidth limits
7. Cisco IronPort data security
8. External data loss prevention
9. SOCKS policies (Socket Secure)

Identities:
• Used to classify the traffic and transactions into different groups, so that different policies can be applied on the basis of identities
• Identities also determine whether user authentication is required for the transaction
• Identities are matched before authentication is done
SaaS policies:
• Used to control access to third-party software-as-a-service providers such as Google Apps and WebEx

Decryption policies:
• Used to determine how to treat HTTPS traffic

Routing policies:
• Used to determine which traffic should be sent to which upstream proxy
Access policies:
• Determine whether to allow, block, warn or redirect traffic based on the acceptable use policy, web reputation, anti-malware and many more
• Always processed in top-down order
• These are final actions, except for the monitor action

Overall bandwidth limits:

• Can be used to define an overall limit for all users in the network for a specific type of application
• Typically used for streaming media sites

Cisco IronPort Data Security and External Data Loss Prevention:

• Used to restrict outbound traffic

Outbound Malware Scanning:

• Used to determine which outbound traffic should be scanned for malware and which action to take if malware is detected

SOCKS proxy policies:

• Used to process SOCKS traffic; the SOCKS equivalent of access policies
Deploying Cisco WSA:
Feature                   Explicit mode                                     Transparent mode
Traffic flow              Client directs traffic to proxy server            Client directs traffic to target web server
Network infrastructure    Requires no network infrastructure to             Network infrastructure redirects client
                          redirect client request                           request to proxy server. WCCP is a common
                                                                            solution
Target server resolution  Proxy resolves hostname of target web server      Client resolves hostname of target web server
Client configuration      Client browser must be set up. Several            None
                          options are available

Explicit proxy mode:

1. Use the Web Proxy Auto-Discovery protocol (WPAD)
2. Use proxy auto-configuration (PAC) files
3. Enter the proxy server address

Use WPAD:
1. DHCP:
  • Higher priority than DNS
  • If DHCP provides the WPAD URL, no DNS lookup is performed
  • Passed as option 252 in the DHCP lease
2. DNS:
  • Example: the client FQDN is praveen.trainers.networkbulls.local
  • The client browser will try the following URLs in order:
    - http://wpad.trainers.networkbulls.local/wpad.dat
    - http://wpad.networkbulls.local/wpad.dat
    - http://wpad.local/wpad.dat
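An added Python example (not from the original notes or any browser's code) of how a client derives the DNS WPAD candidates from its own FQDN, with DHCP option 252 taking precedence exactly as described above. It generalises the page's single FQDN to any name. The `min_labels` parameter is an assumption of this code: with `min_labels=1` it reproduces the page's full list down to wpad.local, and its default of 2 stops one label earlier, which is what a defender wants because a lookup for wpad.<top-level-domain> asks for a name the organisation does not control.

```python
def wpad_candidates(fqdn, min_labels=2):
    """Candidate WPAD URLs derived from the client's FQDN, most specific first.
    Each step drops the leftmost label of the domain part. min_labels is the
    number of labels that must remain for a lookup to be attempted (assumed
    parameter; 2 stops before a bare TLD such as .local)."""
    labels = fqdn.rstrip(".").lower().split(".")
    domain = labels[1:]                     # drop the host label
    urls = []
    while len(domain) >= min_labels:
        urls.append(f"http://wpad.{'.'.join(domain)}/wpad.dat")
        domain = domain[1:]
    return urls


def wpad_source(dhcp_option_252, fqdn):
    """DHCP option 252 has priority: if it carries a URL, no DNS derivation
    is performed at all; otherwise fall back to the DNS candidates."""
    if dhcp_option_252:
        return {"source": "dhcp", "candidates": [dhcp_option_252]}
    return {"source": "dns", "candidates": wpad_candidates(fqdn)}


if __name__ == "__main__":
    # Constructed inputs: the FQDN from the notes, once with and once without a
    # DHCP-supplied URL (the proxy hostname is a placeholder).
    print(wpad_source(None, "praveen.trainers.networkbulls.local"))
    print(wpad_source("http://wsa.example.test/wpad.dat", "praveen.trainers.networkbulls.local"))
```

Operationally, the safe deployment is the one the page lists first: publish the URL through DHCP option 252 (or a PAC file) and register the `wpad` host in your own DNS zones, so that clients never walk the name up to a domain outside your control.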

PAC Files:
• A PAC file defines how a web browser and other user agents can automatically choose the appropriate proxy server for fetching a given URL
• It contains a JavaScript function
• You might use it if your network is likely to change in the future: you can easily add, edit, or delete proxy servers in the PAC file and have the change automatically affect all browsers
• Can do failover and load balancing
• The PAC file can be located on a local machine, which is useful for testing the PAC file before deploying it to the entire organization. The PAC file can also be hosted on a web server. You can also host the PAC file on the WSA

Traffic redirection in transparent mode:

1. WCCP
  • Available on many switches, routers, and firewalls

2. PBR
  • Resource-intensive for the router (performed in software)
  • Not available on the Cisco ASA
3. Layer 4 switch:
  • Redirects traffic based on port number and IP address
  • Can do simple load balancing and failover

4. Layer 7 switch
  • Like a Layer 4 switch, but can also redirect traffic based on URL
  • Can do load balancing and failover

Acceptable Use Controls

• Application Visibility and Control
  - Enables deeper control of particular applications
  - Controls the amount of bandwidth used for particular application types
  - The AVC engine enables you to apply deeper controls to particular application types
  - You can control application activity on the network without having to fully understand the technology of each application
  - Applications are detected by signatures downloaded dynamically via regular signature updates from Cisco Security Intelligence Operations
  - The AVC engine supports application types such as Facebook, file sharing, Google+, instant messaging, iTunes, LinkedIn, media, and others

• URL Filtering
  - Cisco IronPort Web Usage Controls must be enabled
  - Control user access based on the URL category
  - Over 80 predefined URL categories (gambling, hacking, etc.)
  - Can create user-defined custom URL categories

URL categorizing process

Phase 1:
• The requested URLs are looked up in the local WSA URL category database. The database contains many categories that are used to classify web content.
• The database is updated by Cisco SIO every 5 minutes by default

Phase 2:
• If the category of a website can't be determined in the first phase, then the WSA performs URL keyword analysis to determine the URL category

Phase 3:
• The Dynamic Content Analysis engine can be used to dynamically categorize a URL
• It is recommended to have the DCA feature enabled on the Cisco WSA for best results
Streaming Media Bandwidth Control
• The Cisco AVC engine allows the administrator to control the amount of bandwidth used for particular application types
• You can limit the bandwidth usage for the media application type
• Two limit types:
  - Overall bandwidth limit
  - User bandwidth limit
• If both are configured, the most restrictive option applies

WSA Data Security

• Control of data leaving the network (HTTP, HTTPS, FTP)
• Configured on the Cisco WSA using data security filters and policies
• Policy actions based on file metadata
  - File type, size, and name
  - WBRS
  - URL category
• Applies to all POST and PUT requests over 4 KB by default
• Evaluated before access policies process HTTP responses
• Alternatively achieved by integration with third-party DLP systems

Data Security Policies

• Use the URL Filtering, Web Reputation, and Content Blocking configurations when evaluating the upload request
• A monitor action will not block the transaction and will proceed to the content checks
• A block action blocks the transaction immediately; the transaction will not be further evaluated against the External DLP policies (if configured) or the access policies

External Data Loss Prevention

• Provides integration with:
  - Vontu DLP
  - RSA Tablus DLP
• Uses ICAP
  - Standard for integrating off-box scanning with web proxies
  - ICAP client: Cisco Web Security Appliance
  - ICAP server: Vontu / RSA Tablus
• The ICAP server provides reporting, logging, and quarantine features
• Multiple DLP servers are supported for load balancing and failover
• Applies to all POST and PUT requests above 4 KB by default
Layer 2 Security

Switch Security issues

• The enterprise campus is protected by security functions in the enterprise edge:
  - If security at the enterprise edge fails, the enterprise campus is vulnerable.
  - A potential attacker can gain physical access to the enterprise campus.
• All vital elements in the enterprise campus must be protected independently.

Recommended practices for Switch Security

• Configure secure passwords:
  - Use enable secret rather than enable password
  - Use service password-encryption to secure all passwords.
  - Use external AAA authentication whenever possible.

• Use system banners:
  - Use the banner login command to warn unauthorized users that their activities could be grounds for prosecution.

• Secure console access.

• Secure vty access
  - Configure passwords on all vty lines and restrict source IPs by using an access list.

• Secure the web interface:
  - Disable web access to the switch if you do not need it
  - If you use web access, use HTTPS

• Use SSH, not Telnet:
  - Use SSH version 2 if it is available.

• Secure SNMP access:
  - Disable "write" access to the devices if you do not need it.

• Secure STP operation:
  - Configure BPDU guard on access ports.
  - Do not use BPDU filter.

• Secure Cisco Discovery Protocol
  - Disable it on the ports that connect to outside networks.

• Secure unused switch ports
  - Shut down all unused ports
  - Disable Dynamic Trunking Protocol negotiation on switch ports by using the switchport mode access interface configuration command
  - Put all unused ports into an isolated VLAN

Rogue network devices are unauthorized:

• Switches
• Wireless access points
• Hubs
Rogue devices can connect to ports on access switches
Rogue devices can connect other devices such as laptops and printers

Switch attack categories

MAC address-based attacks
• MAC address flooding
VLAN attacks
• VLAN hopping

Spoofing attacks
• Spoofing of DHCP, ARP, and MAC addressing

Attacks on switch devices

• Cisco Discovery Protocol
• Management protocols

MAC flooding attack

Port Security:
• Port security limits MAC flooding attacks and locks down the port
• Allowed frames are forwarded
• The switch responds to non-allowed frames
• New MAC addresses over the limit are not allowed

Security violations:
1. Shutdown
  • Puts the switch port in the error-disabled state (shutdown mode)
  • Traffic from both legitimate and non-secure MAC addresses is dropped
  • The administrator needs to manually shut and no shut the interface in order to recover it, or can use the "errdisable recovery cause psecure-violation" global configuration mode command.
  • A log message is also generated about the event

2. Restrict
  • Restrict means that the port will allow secure MAC addresses to use the interface but will disallow any other MAC addresses
  • The port doesn't go into the error-disabled state
  • A log message is also generated about the event

3. Protect
  • The only difference between protect mode and restrict mode is that protect does not log any CLI message about the violation

Sticky MAC address

• Configuring sticky addresses enables the switch port to learn MAC addresses dynamically and retain them as secure addresses
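The three violation modes and sticky learning, as an added Python model that is not Cisco code and not part of the original notes. It tracks one port's secure-address table, the err-disabled state and the log messages an administrator would see. The syslog strings borrow the IOS message identifiers %PM-4-ERR_DISABLE and %PORT_SECURITY-2-PSECURE_VIOLATION but simplify their text; the MAC addresses and the interface-level configuration lines are constructed for the example.

```python
class SecurePort:
    """Port security on one switch port: up to `maximum` secure MAC addresses,
    learned dynamically (optionally sticky) or configured statically, and one of
    the three violation actions for frames from any other source address."""

    VIOLATION_MODES = ("shutdown", "restrict", "protect")

    def __init__(self, maximum=1, violation="shutdown", sticky=False):
        if violation not in self.VIOLATION_MODES:
            raise ValueError(f"unknown violation mode {violation!r}")
        self.maximum = maximum
        self.violation = violation
        self.sticky = sticky
        self.secure_macs = set()      # static, dynamic or sticky secure addresses
        self.err_disabled = False
        self.violations = 0
        self.syslog = []              # messages an administrator would see

    def add_static(self, mac):
        """switchport port-security mac-address <mac>"""
        self.secure_macs.add(mac.lower())

    def ingress(self, src_mac):
        """Returns 'forward' or 'drop' for a frame with this source MAC."""
        src_mac = src_mac.lower()
        if self.err_disabled:
            return "drop"                         # shutdown mode: nothing passes
        if src_mac in self.secure_macs:
            return "forward"
        if len(self.secure_macs) < self.maximum:
            self.secure_macs.add(src_mac)         # dynamic (or sticky) learning
            return "forward"
        self.violations += 1                      # over the limit: a violation
        if self.violation == "shutdown":
            self.err_disabled = True
            self.syslog.append(f"%PM-4-ERR_DISABLE: psecure-violation caused by {src_mac}")
        elif self.violation == "restrict":
            self.syslog.append(f"%PORT_SECURITY-2-PSECURE_VIOLATION: violation by {src_mac}")
        # protect: silently dropped, no log message
        return "drop"

    def recover(self):
        """shutdown / no shutdown, or errdisable recovery cause psecure-violation."""
        self.err_disabled = False

    def running_config(self):
        """Sticky addresses show up in the running configuration (and survive a
        write memory); dynamically learned ones do not."""
        lines = [f" switchport port-security maximum {self.maximum}",
                 f" switchport port-security violation {self.violation}"]
        if self.sticky:
            lines.append(" switchport port-security mac-address sticky")
            lines += [f" switchport port-security mac-address sticky {m}"
                      for m in sorted(self.secure_macs)]
        return lines


def demo():
    """Same three frames through each mode: learn one MAC, see a second MAC,
    then the first MAC again. Constructed MAC addresses."""
    results = {}
    for mode in SecurePort.VIOLATION_MODES:
        port = SecurePort(maximum=1, violation=mode)
        seq = [port.ingress(m) for m in ("aaaa.1111.0001", "aaaa.1111.0002", "aaaa.1111.0001")]
        results[mode] = (seq, port.err_disabled, len(port.syslog))
    return results


if __name__ == "__main__":
    for mode, outcome in demo().items():
        print(mode, outcome)
```

The third frame is the one that separates the modes: after a violation the legitimate host keeps working under restrict and protect, while under shutdown it is cut off until the port is recovered, which is why shutdown is the mode that generates help-desk calls but is also the one that cannot be quietly outlasted.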

Port Access Lists

• Applied on Layer 2 ports
• Applied on ingress traffic only
• Do not affect Layer 2 control packets (CDP, VTP, DTP, STP, etc.)
• Two types of PACLs:
1. IP ACL (IPv4, IPv6)
2. MAC ACL (does not filter IP, ARP, or MPLS)
• Two modes of interaction with other ACLs:
1. Prefer port mode (overrides other ACLs)
2. Merge mode (PACL is merged with VACL and ACL)

Storm control
• Prevents unicast, multicast, or broadcast storms
• Monitors incoming traffic and blocks ports if thresholds are breached
• Can shut down a stormed port and send SNMP traps

Storm control can be configured on an interface with the following characteristics:
1. Percentage rising and falling thresholds
2. Packets per second rising and falling thresholds
3. Bits per second rising threshold

DHCP Spoofing Attacks

• An attacker activates a DHCP server on the subnet of the client
• The attacker replies to a valid client DHCP request
• The attacker assigns IP configuration information that establishes a rogue device as the default gateway for the client
DHCP snooping
• DHCP snooping is a Cisco switch feature that is designed to prevent DHCP spoofing
• If DHCP snooping is enabled on a switch, all switch ports automatically go into the untrusted state
• DHCP replies cannot be sourced from untrusted ports
• DHCP trusted ports are configured on the uplinks to a DHCP server
• DHCP trust is not configured on client ports
• Builds an IP-to-MAC mapping on a per-interface basis

IP Source Guard
• Tracks IP address-to-port associations, in order to protect against spoofed IP addresses.
• DHCP snooping must be configured to verify source IP addresses
• It verifies source IP and MAC addresses
• IP Source Guard should be configured on Layer 2 untrusted ports

ARP Spoofing
• It is another type of man-in-the-middle attack, similar to the one seen with DHCP spoofing, but it exploits the ARP process
• The attacker sends a gratuitous ARP reply
Dynamic ARP Inspection
• DAI tracks IP-to-MAC bindings from DHCP transactions to protect against ARP poisoning
• DAI associates each interface with a trusted state or an untrusted state
  - Trusted interfaces bypass DAI
  - Untrusted interfaces undergo DAI validation
• DHCP snooping is required to build a table with MAC-to-IP bindings for DAI validation
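DHCP snooping, IP Source Guard and DAI together, as an added Python model that is not from the original notes and not Cisco code. It shows the dependency the three sections above describe: the binding table is filled only by DHCP server replies arriving on trusted ports, and both IPSG and DAI then consult that table for frames on untrusted ports. Port names such as Gi1/0/5, the MAC addresses and the 192.168.10.0/24 addresses are constructed for the example; the chaddr-versus-source-MAC check models the optional "ip dhcp snooping verify mac-address" behaviour.

```python
class SwitchGuard:
    """DHCP snooping, Dynamic ARP Inspection and IP Source Guard on one access
    switch. Trust is a per-port property; everything else is derived from it."""

    def __init__(self, trusted_ports):
        self.trusted = set(trusted_ports)   # uplinks toward the legitimate DHCP server
        self.pending = {}                   # client MAC -> port of its DISCOVER/REQUEST
        self.bindings = {}                  # (mac, ip) -> port: the snooping binding table
        self.log = []

    # DHCP snooping
    def dhcp(self, port, msg_type, src_mac, chaddr, yiaddr=None):
        """Returns 'forward' or 'drop' for one DHCP message seen on `port`."""
        if msg_type in ("OFFER", "ACK"):
            if port not in self.trusted:
                self.log.append(f"DHCP_SNOOPING: {msg_type} from untrusted {port} dropped")
                return "drop"                      # rogue server replies never reach clients
            client_port = self.pending.get(chaddr)
            if msg_type == "ACK" and client_port:
                self.bindings[(chaddr, yiaddr)] = client_port   # lease becomes a binding
            return "forward"
        # DISCOVER/REQUEST from a client: chaddr must match the frame's source MAC
        if port not in self.trusted and chaddr != src_mac:
            self.log.append(f"DHCP_SNOOPING: chaddr/source MAC mismatch on {port}")
            return "drop"
        self.pending[chaddr] = port
        return "forward"

    # Dynamic ARP Inspection
    def arp(self, port, sender_mac, sender_ip):
        if port in self.trusted:
            return "forward"                       # trusted interfaces bypass DAI
        if self.bindings.get((sender_mac, sender_ip)) == port:
            return "forward"
        self.log.append(f"DAI: invalid ARP {sender_ip}/{sender_mac} on {port}")
        return "drop"

    # IP Source Guard
    def ip(self, port, src_mac, src_ip):
        if port in self.trusted:
            return "forward"
        if self.bindings.get((src_mac, src_ip)) == port:
            return "forward"
        self.log.append(f"IPSG: spoofed source {src_ip}/{src_mac} on {port}")
        return "drop"


def demo():
    sw = SwitchGuard(trusted_ports=["Gi1/0/24"])
    client, rogue, server = "aaaa.bbbb.0001", "aaaa.bbbb.0099", "cccc.dddd.0001"
    steps = [
        sw.dhcp("Gi1/0/5", "DISCOVER", client, client),
        sw.dhcp("Gi1/0/7", "OFFER", rogue, client, "192.168.10.200"),     # unauthorized server
        sw.dhcp("Gi1/0/24", "OFFER", server, client, "192.168.10.50"),
        sw.dhcp("Gi1/0/5", "REQUEST", client, client),
        sw.dhcp("Gi1/0/24", "ACK", server, client, "192.168.10.50"),       # creates the binding
        sw.arp("Gi1/0/7", rogue, "192.168.10.1"),        # gratuitous ARP claiming the gateway
        sw.arp("Gi1/0/5", client, "192.168.10.50"),      # client's own, bound address
        sw.ip("Gi1/0/7", rogue, "192.168.10.50"),        # source address borrowed from the client
        sw.ip("Gi1/0/5", client, "192.168.10.50"),
    ]
    return steps, dict(sw.bindings), list(sw.log)


if __name__ == "__main__":
    steps, bindings, log = demo()
    print(steps)
    print(bindings)
    print("\n".join(log))
```

Note what the model does not protect: a host with a static address that never goes through DHCP has no binding, so IPSG and DAI drop its traffic on an untrusted port. On real switches that host needs a static binding entry, which is the usual cause of "it worked until we turned on DAI" tickets.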

Switch spoofing
 Switch ports are configured as “dynamic auto” by default
 The attacker presents itself as a switch and exploits DTP
 The attacker gains access to all VLANs

Protecting against Switch Spoofing


 Static configure access ports
 Shutdown unused switch ports
 Specify allowed VLANs on a trunk

VLAN Hopping
VLAN Hopping is possible when the following occurs:
 An attacker is connected to an access switch port
 An attacker send a double-tagged frame to a switch
 The switch accepts 802.1Q tagged frames on an access port
 The switch must have an 802.1Q trunk, and its native VLAN must
match the access VLAN of the attacker

Protecting against VLAN Hopping


 Configure the native VLAN on all trunks to an unused value
 Prune the native VLAN off both ends of the trunk
 Tag the native VLAN

VLAN Access Lists


 Applied on a VLAN
 Affects all traffic being bridged within a VLAN or routed in or out
of a VLAN
 Configured through access maps
 Multiple matches
 Single action
 Two types of VACLS
 IP ACL (IPv4, IPv6)
 MAC ACL (does not filter IP)

Private VLAN (PVLAN)


 A PVLAN is a VLAN inside a VLAN
 Devices in different PVLANSs belong to the same IP subnet
 No layer communication is possible between different PVLANs
 Uses the concept of primary VLAN and secondary VLANs, requires
secondary VLANs attached to the primary VLAN
 Based on VTP version
 In VTP version 2, transparent mode is required
 In VTP version 3, all modes are supported, PVLAN
configuration is replicated

PVLAN Secondary VLAN types
1. Isolated
 Can communicate only with promiscuous ports
2. Community
 Can communicate with ports in the same community and with
promiscuous ports

PVLAN port types
1. Promiscuous port
 Usually connected to the router, the default gateway on
the segment
2. Host ports
 Connect to end hosts
 Either isolated or community ports

Protected Port Feature
 Also known as PVLAN edge
 Alternative to PVLAN, when the PVLAN feature is not available
 Protected ports cannot communicate with other protected ports on the
same switch
 Protected ports can communicate with all non-protected ports
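As an added example (not part of the original notes), the following Python model encodes the PVLAN forwarding rules from the three lists above and the simpler protected-port rule, and computes the Layer 2 reachability between a set of ports. Port names and the community name are constructed.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Port:
    name: str
    kind: str                         # "promiscuous", "isolated" or "community"
    community: Optional[str] = None   # secondary community VLAN, community ports only
    protected: bool = False           # PVLAN edge ("switchport protected") flag


def pvlan_l2_allowed(a: Port, b: Port) -> bool:
    """Can two ports of one primary PVLAN exchange frames at Layer 2?"""
    if "promiscuous" in (a.kind, b.kind):
        return True                        # promiscuous ports reach every secondary VLAN
    if a.kind == "community" and b.kind == "community":
        return a.community == b.community  # same community only
    return False                           # isolated <-> anything, community <-> other community


def protected_allowed(a: Port, b: Port) -> bool:
    """PVLAN edge: two protected ports on the same switch cannot talk directly."""
    return not (a.protected and b.protected)


def reachability(ports, rule=pvlan_l2_allowed):
    """Matrix of (src, dst) -> bool for the given rule, excluding self pairs."""
    return {(a.name, b.name): rule(a, b) for a in ports for b in ports if a is not b}


if __name__ == "__main__":
    # Constructed segment: gateway on the promiscuous port, two web servers in
    # one community, two guest machines on isolated ports.
    ports = [
        Port("Gi0/1", "promiscuous"),
        Port("Gi0/2", "community", "WEB"),
        Port("Gi0/3", "community", "WEB"),
        Port("Gi0/4", "isolated"),
        Port("Gi0/5", "isolated"),
    ]
    for (src, dst), ok in sorted(reachability(ports).items()):
        print(f"{src} -> {dst}: {'allowed' if ok else 'blocked'}")
```

Traffic between two isolated hosts is blocked at Layer 2 only; since all of them share one IP subnet, the router on the promiscuous port still forwards between them unless it is configured not to.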

Control Plane Security:

Protection mechanism classification
1. Device centric
a. CoPP / CPPr
b. Device firewalls / ACLs implemented on each network device

2. Infrastructure-based
a. Infrastructure ACLs
 Applied at the network edge and so help to protect the entire
infrastructure
 Typically applied as an inbound ACL to limit network users or
external networks
 Easy to configure if you have a well-organized IP addressing scheme

Control Plane Policing
 Most of the traffic on a device is data traffic, which is hardware
processed via CEF
 Other packets are software processed by the CPU, such as
management and control traffic and certain types of data plane
traffic that cannot be processed by CEF
 CoPP applies QoS policies to a virtual CPU-bound queue called the
control plane interface
 CoPP can permit, drop, or rate-limit traffic to the CPU regardless
of the physical interface on which the packet arrives; all packets must
pass through CoPP to get to the CPU
 A limitation of CoPP is that it processes all traffic via a single control
plane interface
Control Plane Protection (CPPr)
 Extends CoPP functionality by automatically classifying all CPU
bound traffic into three subinterfaces
 Each subinterface processes a specific type of CPU bound traffic
using a separate traffic policy

1. Control plane host subinterface
 The host subinterface receives traffic destined to the router itself
 This includes management traffic and routing protocols

2. Control plane transit subinterface
 Receives all data plane traffic that must be processed in software,
such as non-terminating tunnel traffic

3. Control plane CEF-exception subinterface
 Receives traffic that cannot be handled via CEF
 Includes ARP, LDP, L2 keepalives and non-IP host traffic
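As an added example (not from the original notes), the Python model below puts the CoPP and CPPr ideas together: CPU-bound packets are first sorted into the host, transit and CEF-exception subinterfaces, then the host subinterface applies per-class policing with a token bucket, so a flood of management connections is rate-limited without touching routing protocol traffic. The router addresses, class names, rates and bursts are constructed; the token bucket counts in integer milli-tokens to keep the arithmetic exact.

```python
from collections import Counter
from dataclasses import dataclass


@dataclass
class Packet:
    proto: str      # "tcp", "udp", "ospf", "bgp", "gre", "arp", "ldp", ...
    dst_ip: str     # "" for non-IP frames such as ARP
    dport: int = 0


# Constructed addresses owned by this router; anything sent to them is host-bound.
ROUTER_IPS = {"10.0.0.1", "192.0.2.1"}
# Per the notes: ARP, LDP, L2 keepalives and non-IP traffic cannot be CEF-switched.
CEF_EXCEPTION_PROTOS = {"arp", "ldp", "cdp"}


def subinterface(pkt):
    """CPPr classification into the three control plane subinterfaces."""
    if pkt.proto in CEF_EXCEPTION_PROTOS:
        return "cef-exception"
    if pkt.dst_ip in ROUTER_IPS:
        return "host"
    return "transit"   # software-switched data plane, e.g. tunnels not terminated here


def host_class(pkt):
    """Class map for the host subinterface (constructed class names)."""
    if pkt.proto == "tcp" and pkt.dport in (22, 443):
        return "MGMT"
    if pkt.proto in ("ospf", "bgp") or (pkt.proto == "tcp" and pkt.dport == 179):
        return "ROUTING"
    return "class-default"


class Policer:
    """Single-rate token bucket in integer milli-tokens (1000 = one packet)."""

    def __init__(self, rate_pps, burst_pkts):
        self.rate = rate_pps
        self.burst = burst_pkts * 1000
        self.tokens = self.burst
        self.last_ms = 0

    def conform(self, now_ms):
        # Timestamps must be non-decreasing per policer.
        self.tokens = min(self.burst, self.tokens + (now_ms - self.last_ms) * self.rate)
        self.last_ms = now_ms
        if self.tokens >= 1000:
            self.tokens -= 1000
            return True
        return False


def build_policy():
    """Constructed per-subinterface policy; None means the class is not policed."""
    return {
        "host": {"MGMT": Policer(10, 5), "ROUTING": None, "class-default": Policer(50, 10)},
        "transit": {"class-default": Policer(100, 20)},
        "cef-exception": {"class-default": Policer(200, 50)},
    }


def cppr_run(timed_packets, policy):
    """Feed (time_ms, Packet) pairs through CPPr; count (subif, class, verdict)."""
    stats = Counter()
    for now_ms, pkt in timed_packets:
        subif = subinterface(pkt)
        cls = host_class(pkt) if subif == "host" else "class-default"
        policer = policy[subif].get(cls)
        verdict = "conform" if policer is None or policer.conform(now_ms) else "exceed-drop"
        stats[(subif, cls, verdict)] += 1
    return stats


if __name__ == "__main__":
    policy = build_policy()
    # Constructed traffic: 20 SSH SYNs to the router 10 ms apart (100 pps), then
    # an OSPF hello, a GRE packet to be forwarded in software, and an ARP frame.
    traffic = [(i * 10, Packet("tcp", "10.0.0.1", 22)) for i in range(20)]
    traffic += [(200, Packet("ospf", "10.0.0.1")),
                (205, Packet("gre", "10.9.9.9")),
                (210, Packet("arp", ""))]
    for key, n in sorted(cppr_run(traffic, policy).items()):
        print(key, n)
```

With a MGMT class of 10 pps and a burst of 5, the 100 pps SSH burst yields 6 conforming packets (the initial burst plus one refilled token) and 14 exceed drops, while the OSPF hello is untouched because the ROUTING class is not policed.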
Cisco Traffic Telemetry Methods
Telemetry is a technology that allows data measurements to be made
at a distance. The word is derived from the Greek roots tele (remote)
and metron (measure). So, network telemetry solutions provide a
remote network data monitoring capability.
Traffic telemetry is implemented using various mechanisms, such as:
1. Time synchronization using NTP
2. Notification about network device status using logging or SNMP
traps
3. Notifications about unusual network activity using logging
4. Exporting of network traffic flows using NetFlow
Device and Network Event Logging
Logging of device and network events can be used for:
1. Device failure notifications
2. Network telemetry and forensics
3. Security audit

Cisco devices, such as Cisco IOS Software routers and switches and the
Cisco ASA, support the following logging destinations:
1. Console
2. Telnet or SSH session
3. The internal in-memory buffer
4. Remote syslog server
5. Remote network management server (SNMP trap)
6. Cisco ASA GUI (ASA)
7. Email system (ASA)

Message severity levels
 Each system message is assigned a severity that indicates
its importance. Possible values are:
0. Emergencies
1. Alert
2. Critical
3. Error
4. Warning
5. Notification
6. Informational
7. Debugging
A typical syslog message consists of the following items:
1. A timestamp
2. A device ID
3. A message identifier
4. The message text
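As an added example (not from the original notes), the Python parser below splits an IOS-style syslog line into the four items just listed, recovers the severity both from the syslog PRI value and from the %FACILITY-SEVERITY-MNEMONIC identifier, and then filters messages the way a "logging trap <level>" setting would. The line layout (PRI, sequence number, origin hostname, timestamp, identifier, text) and the sample lines are constructed; real output varies with the device's timestamp and origin-id settings.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Severity names in the order the notes list them (0 = most severe).
SEVERITY_NAMES = ["emergencies", "alerts", "critical", "errors",
                  "warnings", "notifications", "informational", "debugging"]

# Constructed layout: <PRI>SEQ: HOST: TIMESTAMP: %FACILITY-SEVERITY-MNEMONIC: text
# Sequence number and host are optional (they depend on device settings).
LINE_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>"
    r"(?:(?P<seq>\d+): )?"
    r"(?:(?P<host>[A-Za-z][\w.-]*): )?"
    r"(?P<ts>[*.]?[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d(?:\.\d+)?(?: [A-Z]{3,4})?): "
    r"%(?P<fac>[A-Z0-9_]+)-(?P<sev>[0-7])-(?P<mnem>[A-Z0-9_]+): "
    r"(?P<text>.*)$"
)


@dataclass
class SyslogMessage:
    facility_code: int      # PRI // 8 (23 = local7, the IOS default)
    severity: int           # PRI % 8
    seq: Optional[int]
    host: Optional[str]     # the device ID
    timestamp: str
    msg_id: str             # the message identifier, e.g. "SYS-5-CONFIG_I"
    mnemonic: str
    text: str

    @property
    def severity_name(self):
        return SEVERITY_NAMES[self.severity]


def parse_syslog(line: str) -> Optional[SyslogMessage]:
    """Parse one line; return None when it does not look like an IOS message."""
    m = LINE_RE.match(line.rstrip("\r\n"))
    if not m:
        return None
    pri = int(m["pri"])
    sev = pri % 8
    if sev != int(m["sev"]):
        # PRI and message identifier disagree: treat as malformed rather than guess.
        return None
    return SyslogMessage(pri // 8, sev, int(m["seq"]) if m["seq"] else None,
                         m["host"], m["ts"], f"{m['fac']}-{m['sev']}-{m['mnem']}",
                         m["mnem"], m["text"])


def forward_to_server(msgs: List[SyslogMessage], trap_level: int) -> List[SyslogMessage]:
    """Mimic 'logging trap <level>': keep messages at that severity or more severe."""
    return [m for m in msgs if m.severity <= trap_level]


# Constructed sample lines (hostname, addresses and timestamps are made up).
RAW_LINES = [
    "<189>45: R1: *Mar  1 00:10:12.345: %SYS-5-CONFIG_I: Configured from console by admin on vty0 (10.1.99.7)",
    "<187>46: R1: *Mar  1 00:10:40.001: %LINK-3-UPDOWN: Interface GigabitEthernet0/1, changed state to down",
    "<190>47: R1: *Mar  1 00:11:02.777: %SEC-6-IPACCESSLOGP: list INFRA-ACL denied tcp 198.51.100.9(40112) -> 10.0.0.1(22), 1 packet",
    "not a syslog line at all",
]


def parse_all(lines=RAW_LINES):
    return [m for m in map(parse_syslog, lines) if m is not None]


if __name__ == "__main__":
    msgs = parse_all()
    for m in msgs:
        print(m.host, m.seq, m.timestamp, m.msg_id, m.severity_name)
    print("forwarded at 'logging trap warnings':",
          [m.msg_id for m in forward_to_server(msgs, 4)])
```

Lower numbers are more severe, so a trap level of 4 (warnings) forwards the link-down message (severity 3) and drops the configuration and ACL-log messages (5 and 6); a collector that wants the ACL denies for forensics must raise the level accordingly.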

Guidelines when implementing system logging:
1. Create a log retention policy
2. It is better to log too much than too little
3. Use multiple logging destinations for reliability
4. Access to the device logging subsystem must be limited so that
attackers cannot disable logging without detection

Simple Network Management Protocol
 An application layer protocol that provides a standardized
framework that is used for monitoring and managing devices in
the network
 It uses UDP port 162 for traps sent from agents to the manager
(polling of agents uses UDP port 161)

SNMP consists of 3 items
1. SNMP manager
 Also known as the network management system (NMS)
 Software that runs on the network administrator's workstation,
or a dedicated device that monitors the network
2. SNMP agent
 Software that runs on the network devices that we want to monitor
(router, switch, ASA, ...)

3. Management Information Base (MIB)
 A virtual information store containing the collection of
managed objects; it defines the structure of the data exchanged between
the manager and the agent
 Commonly shared between the agent and the manager
SNMP Recommendations
 Restrict access to read-only
 Set up SNMP views to restrict the manager to accessing only the
needed set of MIBs
 Configure ACLs to restrict SNMP access to only known managers
 Use SNMPv3 authentication, encryption, and integrity if possible
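As an added example (not from the original notes), the Python model below combines the first three recommendations: a community bound to a read-only access mode, a view built from included/excluded OID subtrees (the idea behind "snmp-server view"), and an ACL of permitted manager addresses. Every request is authorized against all three. The view entries, community string and manager subnet are constructed; the model ignores view wildcard masks and says nothing about SNMPv3, which replaces community strings with authenticated users.

```python
import ipaddress
from typing import Dict, List, Tuple


def parse_oid(text: str) -> Tuple[int, ...]:
    return tuple(int(x) for x in text.strip(".").split("."))


class SnmpView:
    """Included/excluded OID subtrees; the longest matching entry decides.

    An OID covered by no entry is not visible. Educational model, not IOS code.
    """

    def __init__(self, name: str):
        self.name = name
        self.entries: List[Tuple[Tuple[int, ...], bool]] = []

    def add(self, subtree: str, included: bool = True):
        self.entries.append((parse_oid(subtree), included))
        return self

    def permits(self, oid: str) -> bool:
        o = parse_oid(oid)
        best = None
        for sub, inc in self.entries:
            if o[:len(sub)] == sub and (best is None or len(sub) > len(best[0])):
                best = (sub, inc)
        return best is not None and best[1]


class Community:
    """A community string bound to a view, an access mode and a manager ACL."""

    def __init__(self, view: SnmpView, access: str, allowed_nets: List[str]):
        self.view = view
        self.access = access                       # "ro" or "rw"
        self.acl = [ipaddress.ip_network(n) for n in allowed_nets]


def authorize(communities: Dict[str, Community], community: str,
              src_ip: str, oid: str, op: str):
    """Return (allowed, reason) for a get/set of `oid` with `community` from `src_ip`."""
    c = communities.get(community)
    if c is None:
        return False, "unknown community"
    src = ipaddress.ip_address(src_ip)
    if not any(src in net for net in c.acl):
        return False, "source not in SNMP ACL"
    if op == "set" and c.access != "rw":
        return False, "community is read-only"
    if not c.view.permits(oid):
        return False, "OID outside the view"
    return True, "ok"


def demo_communities():
    """Constructed setup: mib-2 read-only for one NMS subnet, route table hidden."""
    monitor = (SnmpView("MONITOR")
               .add("1.3.6.1.2.1", included=True)          # mib-2
               .add("1.3.6.1.2.1.4.21", included=False))   # ipRouteTable
    return {"monitor-only": Community(monitor, "ro", ["10.1.99.0/24"])}


if __name__ == "__main__":
    cs = demo_communities()
    for args in (("10.1.99.5", "1.3.6.1.2.1.1.1.0", "get"),          # sysDescr
                 ("10.1.99.5", "1.3.6.1.2.1.4.21.1.1.10.0.0.0", "get"),
                 ("10.1.99.5", "1.3.6.1.2.1.1.5.0", "set"),          # sysName
                 ("192.0.2.9", "1.3.6.1.2.1.1.1.0", "get")):
        print(args, "->", authorize(cs, "monitor-only", *args))
```

The checks are ordered so that an unknown community or an unauthorized source is refused before the OID is even examined, which is also the order in which the cheapest checks should run on a device under a polling flood.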
Layer 3 data plane security
Attack                       Layer 3 infrastructure countermeasure
IP spoofing                  Infrastructure ACLs, uRPF, IP source guard
Denial-of-service attacks    Infrastructure ACLs
Traffic flooding             QoS rate limiting

Infrastructure Antispoofing ACLs

Ingress antispoofing ACL
 Prevents external networks from sending spoofed traffic into a
network
 Can also filter other networks that are known to be invalid

Egress antispoofing ACL
 Prevents a network from sending spoofed traffic to other
networks
 Permits the valid local network as the source and denies
everything else

uRPF: Unicast Reverse Path Forwarding
 Automatically checks the source IP addresses of packets against the
FIB
Strict uRPF:
 Prevents IP spoofing of known addresses, based on known
network location
 A scalable alternative to egress and ingress antispoofing ACLs

Loose uRPF:
 Prevents IP spoofing from "bogon" (invalid) networks
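As an added example (not part of the original notes), this Python model performs the uRPF check against a small FIB in both modes: strict mode requires the best route back to the source to point out the ingress interface, loose mode only requires that some route exists, and a source whose route points to Null0 (a blackholed bogon) fails in both. The FIB prefixes and interface names are constructed; the behaviour modelled is that of "ip verify unicast source reachable-via rx|any [allow-default]".

```python
import ipaddress

# Constructed FIB: (prefix, egress interface). None stands for a route to Null0,
# e.g. a bogon prefix that has been blackholed.
FIB = [
    ("10.1.0.0/16",  "Gi0/1"),
    ("10.1.5.0/24",  "Gi0/2"),
    ("192.0.2.0/24", None),
    ("0.0.0.0/0",    "Gi0/0"),     # default route toward the upstream
]


def fib_lookup(ip, fib=FIB):
    """Longest-prefix match; returns (network, interface) or None."""
    addr = ipaddress.ip_address(ip)
    best = None
    for prefix, iface in fib:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best


def urpf_passes(src_ip, ingress, mode="strict", allow_default=False, fib=FIB):
    """Return (passes, reason) for a packet with source `src_ip` arriving on `ingress`.

    strict: the best route back to the source must point out the ingress interface.
    loose:  any route to the source suffices, as long as it is not Null0.
    The default route is ignored in both modes unless allow_default is set.
    """
    hit = fib_lookup(src_ip, fib)
    if hit is None:
        return False, "no route to source"
    net, iface = hit
    if net.prefixlen == 0 and not allow_default:
        return False, "only the default route matches (allow-default not set)"
    if iface is None:
        return False, "source routed to Null0"
    if mode == "loose":
        return True, f"route via {iface} exists"
    if iface == ingress:
        return True, f"best route back is via ingress {ingress}"
    return False, f"best route back is via {iface}, not ingress {ingress}"


if __name__ == "__main__":
    # Constructed cases: a legitimate host, the same source arriving on the
    # wrong interface (asymmetric path or spoof), a blackholed bogon, and an
    # Internet source known only through the default route.
    for src, ingress, mode, allow in (("10.1.5.7", "Gi0/2", "strict", False),
                                      ("10.1.5.7", "Gi0/1", "strict", False),
                                      ("10.1.5.7", "Gi0/1", "loose", False),
                                      ("192.0.2.5", "Gi0/0", "loose", False),
                                      ("203.0.113.9", "Gi0/0", "strict", False),
                                      ("203.0.113.9", "Gi0/0", "strict", True)):
        print(src, ingress, mode, allow, "->", urpf_passes(src, ingress, mode, allow))
```

The second case is the usual reason strict mode is kept to access edges with symmetric routing: a legitimate packet on an asymmetric path is indistinguishable from a spoof, while loose mode accepts it and only catches sources that have no (or a Null0) route.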

ISE

Authentication:
 Determines the identity of an endpoint (device or user or both)
 802.1x
 MAC Authentication Bypass (MAB)
 Web Authentication
 VPN Authentication
Authorization:
 dACL and named ACL
 For example, permit employees access, and deny contractors access
to sensitive subnets
 No IP address change needed
 The source address in the ACL is replaced with the endpoint IP

 VLANs
 For example, VLAN 10 for guests, VLAN 20 for employees
 No ACL required
 Less recommended than ACLs or Security Group Access

 Security Group Access
 Uses Security Group Tags (SGTs)
 An SGT defines what an authenticated user is allowed to access
 Simplifies ACL management
 Uniformly enforces policy independent of topology
ISE Deployment:
Identity Sources
 Used to validate credentials for authentication functions
 Used to retrieve group information for use in authorization
policies
 Identities can be grouped into identity source sequences
 Internal or external
 External : RADIUS, AD, LDAP, token servers
ISE Portals
Application         Description
Admin portal        Facilitates configuration of global policies for the
                    sponsor and guest user
Sponsor portal      Facilitates creating and managing guest user
                    accounts
Guest user portal   Facilitates the guest user login and consists of the
                    following elements:
                     Guest user login screen
                     Acceptable use policy screen
                     Required password change screen
                     Allow password change screen
                     Self-registration screen
                     Device registration
In a distributed deployment:
 The admin portal is accessed via the PAN (Policy Administration Node)
 The sponsor and guest portals are accessed via the PSN (Policy Service Node)
Wireless LAN Controller

Joining process of the AP with the WLC

Firepower

Modern Malware:
 Malware evolves quickly and is more difficult to detect
a. Traditional software used today for malware detection has
about a 40% detection success rate
b. Polymorphism accounts for much of this, since similar classes of
malware can morph just enough to go undetected by the
original signature
 Another reason is that legitimate users are easily enticed into
executing malicious code. Examples include spam, phishing and spear
phishing
 Attacker sophistication has increased as well, and attackers are well
funded
a. State sponsored
b. Organized crime

Why defenses fail:
 Modern malware is resilient and stealthy
 Detection techniques are well known
a. Anti-virus software
b. Sandboxes
c. Others
 Attackers can craft code to work around them

Sandbox evasion techniques
 Code the malware to check the environment prior to executing
a. Malware checks to see if it is running in a virtual environment.
If yes, it lies dormant for a period of time and executes after the
analysis window
b. Monitor for user activity to see if a human is operating the host

Advanced Malware Protection:
Attacks nowadays are becoming very agile, and attackers are improving
their approaches.
It all started with the virus, a piece of malware that infected other
computers. Then came worms, spyware and phishing emails.
We put technologies like firewalls, antivirus and VPNs in place to build a wall
around our data. These defensive solutions were bypassed by email and
web attacks that poked a hole in the firewall, and the Cisco email and web
security appliances defend against such active attacks. Recently, there has
been interest in new technologies like sandboxing. As security
improves, attackers change their methods to get around
those security improvements.
The AMP platform provides visibility for both the network and the endpoint to
defend against an attack as well as to speed up remediation, find the root
cause, and report that cause.
Retrospective alerting: the ability to go back in time and block files that
turn out to be bad.
Device and file trajectory provide all the information about the movement of
files.
AMP aims to provide the most accurate contextual information
to enhance the defense before an attack occurs, make intelligent
decisions during the attack, and give visibility into how an attack
occurred in order to remediate after a breach.
AMP is a combination of technologies which includes the next
generation IPS, network AMP and endpoint AMP.
Cisco uses big data analytics to provide continuous analysis and allow
rapid remediation.
Retrospective security: unique to Sourcefire, this uses a continuous
analysis capability and big data analytics to aggregate data and events
across the extended network for consistent file tracking and analysis.
Trajectory: allows customers to determine the cause of an
outbreak and to track malware or suspicious files across the
network.
Existing malware detection technologies such as antivirus and
sandboxing products only look at the file once. If the file is unknown or
is judged not to be malware, the file is let through, and if it is later
discovered that the file is bad, there is no record of it.
Sourcefire continually monitors files and knows where each file is,
even if the file was originally unknown, and is able to roll back in time,
retrospectively block it, and alert the customer about the
threat.

AMP for Endpoints
 It is a cloud-managed endpoint security solution that provides the
visibility, context and control to not only prevent cyber-attacks,
but also rapidly detect, contain, and remediate advanced threats
if they evade front-line defenses and get inside, all cost-effectively,
without affecting operational efficiency, and before
damage can be done.
 AMP for Endpoints continuously monitors and records all file
activity to quickly detect malicious behavior, retrospectively alert
security teams, and then provide deep visibility and a detailed
recorded history of the malware's behavior over time: where it
came from, where it's been, and what it's doing.

 Benefits:
a. The client connector is lightweight
b. Most of the detection processing is done in the cloud
 Historical perspective of malware activity
a. File Trajectory: shows the hosts where files were seen
b. Device Trajectory: shows actions files performed on a given
host
 Retrospective security
a. Ability to look back in time and trace processes
 Blocking of malicious network connections based on:
a. Security Intelligence (lists of known malicious IP addresses)
b. Custom IP blacklists
 The ability to trace and identify the root cause of an infection
 The ability to customize detection
 Robust management and reporting
AMP Architecture:
 AMP consists of two major components
1. AMP connector: the piece of software that you install on the
endpoints that you wish to protect with the AMP product
2. AMP cloud: the cloud is where all of the major detection
components reside

AMP for Networks:
 AMP protection can be extended to other Cisco security products
that have the ability to monitor file movement over network
protocols
 AMP for Networks is the integration of AMP technology with Cisco
Firepower, NGIPS technology, ESA and WSA

AMP connector architecture:
AMP Windows connector platform support
 Windows XP SP3+
 Windows Server 2003
 Windows Vista SP2+
 Windows 7
 Windows Server 2008
 Windows Server 2012 (connector version 3.19 or greater)
 Windows 8 (connector version 3.19 or greater)
 Windows 10

Connector installation options
1. Direct download
2. Email

Role of the AMP cloud:
 Detection publishing
 Custom signatures pushed to the endpoint connectors
 Cross-referencing of files and signatures is done in the cloud
 Large-scale data processing
 Collective intelligence and decision making in real time

IPS vs. NGIPS

Traditional IPS
 IPS rules built to trigger on specific threats without regard to
other factors in the environment

NGIPS:
 Builds on classic IPS technology
 Adds environmental awareness (contextual awareness) to IPS detection
Next-generation Firewall:
 Combines the capabilities of a traditional firewall, like packet
filtering, NAT, VPN and QoS, with features not traditionally found in
firewall products, like IPS, reputation-based malware detection and
application awareness
Cisco Firepower
Sourcefire was acquired by Cisco in 2013.
Sourcefire was founded in 2001 and developed network security
hardware and software like Firepower, AMP and Snort.
Firepower: primarily designed to combine the functionality of different
security devices (NGIPS, NGFW, URL filtering, malware protection).
Advanced Malware Protection: offers malware analysis and protection
of networks and endpoints by using big data analytics to discover,
understand and block advanced malware outbreaks. Basically, it works
by doing continuous analysis and retrospective alerting.
Snort: an open source network IPS which uses signature-, protocol-
and anomaly-based inspection.
These were the main products developed by Sourcefire (now Cisco).
After acquiring Sourcefire, Cisco came out on top in NGIPS.
Unified Threat Management (UTM):
 A term introduced in 2004 that describes a category of security
devices which integrate a range of security features into a single
device
 Combines firewall, gateway antivirus and IPS capabilities
 Main disadvantage is the single point of failure
Cisco ASA with Firepower provides services like Cisco ASA
firewalling, AVC, URL filtering, NGIPS and AMP.
 Available on Cisco Firepower 4100 and 9300 and Cisco ASA 5500-X
NGFW platforms with a Security Services Processor (SSP)
 Software version must be 9.2.2 or later
 Cisco Firepower Management Center and Cisco Security Manager
are used to manage Cisco ASA with Firepower services
 On some of the appliances (5500-X, 5508-X, 5516-X), ASDM 7.3.x
can be used to manage a single instance

ASA Firepower module licenses:
1. Protection license:
 Includes IPS, IDS, file control, and Security Intelligence filtering
 IPS analyzes network traffic for intrusions or exploits and can
optionally drop packets
 File control detects and, optionally, blocks users from
uploading (sending) or downloading (receiving) files of specific
types over specific application protocols
 Security Intelligence filtering blacklists (denies traffic to and from)
specific IP addresses before the traffic is subjected to analysis by
access control rules
 The Protection license is included by default in the purchase of a
Control license

2. Control license:
 Lets you add user and application conditions to access control
rules
 Included by default in the purchase of an ASA Firepower module
3. URL Filtering license:
 Allows you to configure access control rules that filter traffic
traversing the network based on the URLs requested by monitored hosts

4. Malware license:
 Enables advanced malware protection, which is used to detect and
block malware in files transmitted over the network

FireSIGHT components
1. FireSIGHT Management Center
 Gathers and presents event data
 Runs correlation processes
 Provides tools to manage the system
2. Managed device
 Provides detection and discovery services
 Reports events to the FMC
 Used as an NGFW or NGIPS

 FireSIGHT devices are available as hardware-based devices or
virtual devices
 You can have both hardware-based devices and virtual devices in
your FireSIGHT system installation

Cisco FireSIGHT System Components
 Cisco provides several types of system components to meet your
specific needs
 Cisco FireSIGHT equipment comes in both hardware and virtual
form factors

Managed Device:
 Firepower managed device hardware:
 Can run as an NGIPS or NGFW
 Device model numbers in the 7000 and 8000 range
 Sometimes referred to as Series 3 devices
 ASA with FirePOWER Services:
 Cisco ASA device configured with a FirePOWER Services
module
 All ASA models except the 5585 implement the
services module in software
 The services module in the 5585 is a blade you insert in
the 5585's chassis
 The ASA retains all of its functionality
 You can continue to manage it with the same software
you always used
 The FirePOWER services module is managed from the
FireSIGHT Management Center like any other Firepower
device
 Virtual NGIPS
 Can only function as an NGIPS
 Because it's virtual, it doesn't have the hardware
required to perform NGFW services
 It does have the full functionality in detection and
blocking capability
 FireSIGHT Management Center
 All managed devices report to the FireSIGHT
Management Center (FMC)
 It performs the following functions:
- Gathers event data from devices
- Correlates event data
- Provides tools to manage and administer the
system
Firepower Management Center:
 Provides unique management of NGFW, NGIPS and NGAMP
 Can be deployed as a physical or virtual appliance
In order to deal with their biggest challenges, customers need a simple,
scalable and threat-focused solution model

Configuring Cisco FireSIGHT system devices
 Cisco FireSIGHT system configuration is done through a series of
policies

 System policy
 Contains general system settings
 You can apply these settings to both the FireSIGHT
Management Center and managed devices
 Some examples of what you would configure here
include the following:
- Device access list
- Database limits
- Time synchronization

 Health policy
 Lets you configure system health monitoring
 The health subsystem consists of a series of modules
that monitor various aspects of system performance
 Some examples of what you would configure here
include the following:
- CPU and memory utilization
- Disk utilization
- Interface status

 NAT policy
 Controls your network address translation configuration
 This is only available for use on Firepower devices
 On ASA with FirePOWER services, NAT is configured
through the ASA's user interface

 Correlation policy
 Allows you to use data from events as correlation rule
criteria
 When the rule conditions you configure are met, a
correlation event is generated
 Some examples of event data you can draw from
include the following:
- Intrusion events
- Connection events
- User discovery events

 IPS policy
 Lets you manage IPS rules
 You can configure the IPS rule state:
- Generate events
- Drop and generate events
- Disable
 You can also configure automatic rule selection
 Network analysis policy
 You can manage IPS preprocessor configurations
 You can select a network analysis policy to be the
default or use custom network analysis policies to
target specific networks

 File policy
 Lets you control file-type detection
 Some examples of file types you can detect include the
following:
- Executables
- Multimedia (audio / video / graphics)
- Documents (MS Office / PDF)
 You can choose to block or log detected files
 You can configure malware detection with a Malware
license

 SSL policy
 You can configure rules to select SSL sessions to
decrypt
 You can also identify SSL traffic to pass undecrypted

 Access control policy
 Lets you set up rules to configure what traffic should
be allowed through the device and what to block
 The access control policy also allows you to invoke
detection policies such as the IPS policy and file policy

Policy Relationships
 The FireSIGHT system is configured through a series of policies
 Some policies have relationships with other policies and some
stand alone
1. Stand-alone policies
 System policy
 Health policy
 NAT policy
2. Policies related to each other
 Access control policy
- IPS policy
- File policy
- Network analysis
- SSL policy
- Network discovery
- Correlation policy

Traffic flows through managed devices
Security Intelligence -> SSL policy -> Network analysis -> Access
control -> Network discovery -> File policy -> IPS policy

Managed Device Registration
What is registration?
 The process of connecting a managed device to the management
center
 First-time installations can take over an hour

Interface Configuration
 Interface configuration demonstration for Firepower devices
 The Firepower device offers the full set of configuration
options available
 Other managed devices have limits on their interface
configuration options if they are not running Firepower
hardware
- Virtual IPS
- ASA with FirePOWER Services

Aggregate Interfaces
 Create a logical entity known as a Link Aggregation Group (LAG)
 Things to consider when implementing link aggregation:
 Only available on Firepower devices
 Can be done on the ASA, but it's not configured in the
FireSIGHT Management Center
 Important points
 Firepower devices support up to 14 LAGs
- Numbered 0 through 13
 Minimum of 2 interfaces in a LAG and a maximum of 8
 Once an interface is assigned to a LAG, it cannot be
used for anything else
 You can use interfaces from other network modules in
a device, but your interface selection can't span
multiple devices

Logical Interfaces
 Logical interfaces support the following modes
 Switched
 Routed
 Hybrid
- Switched and routed mode interfaces allow you
to create sub-interfaces that you can associate
with a VLAN
- Hybrid logical interfaces are used to bridge a
virtual switch to a virtual router

 Firepower interface modes
- None
- Passive
- Inline
- Switched
- Routed
- HA (High Availability)

 Passive mode
- Used in IDS deployments
- It is deployed out of band and has no impact on
production network traffic
- It can alert you but not block suspicious traffic
- Typically connected by way of a SPAN port or
network tap

 Inline mode
- Used in IPS deployments
- Inline interfaces work in pairs
- Production traffic does pass through the device
- Can issue alerts and block traffic

 Switched and routed modes
- Allow you to deploy switched or routed mode
interfaces in virtual switches or virtual routers
- Ports in either of these modes can allow traffic to
enter the device and be inspected by the device's
detection processes

 HA mode
- Used to configure clustered devices
- HA interfaces transmit connection and state
information to the clustered peer

Virtual Devices
 Virtual entities that use your physical device interfaces to perform
network tasks
 You can configure the following virtual devices
- Inline interface sets
- Virtual switches
- Virtual routers
 Virtual switches
- Use switched mode interfaces
- When configured, the virtual switch performs like
a Layer 2 physical switch
- Virtual switches support Spanning Tree Protocol
 Virtual routers
- Use routed interfaces
- When configured, the virtual router provides the same
functionality as a physical router
- Virtual routers support both static and dynamic
routing protocols
Object Management:
 Objects are reusable items or value pairs describing elements in your
environment
 They are used as rule matching criteria in the policies used
throughout the system
 They are reusable and streamline the rule creation and
management process

Variable sets
 Variables are components of IPS rules that identify addresses and
ports
 Be as specific as possible and make sure variable configurations
reflect your environment

File lists
 File lists work with the file policy exclusively
 The file policy is used for file-type detection and network-
based malware detection
 File lists leverage features of network-based malware
detection
 File lists require a Malware license
 Network-based malware detection uses cloud lookups for file
disposition information
 The managed device calculates the SHA-256 hash of a
file detected in a network connection
 The hash is sent to the cloud for evaluation
 The cloud returns a disposition for the file: clean,
malicious or unknown
 Consider these scenarios
 The cloud returns a disposition of malicious for a file
you think has been wrongly convicted
 The cloud returns a disposition of clean for a file you
believe is malicious or a file you don't want to allow in
your environment
 There are two file list objects you can use
 Clean list: used to set a file's disposition to clean
regardless of the disposition set by the cloud
 Custom detection list: used to set a file's disposition to
malicious regardless of the disposition set by the cloud
 To add a file to either of these lists, you enter the file's
SHA-256 hash into the list
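As an added example (not from the original notes), the Python model below walks through the file list workflow: the file's SHA-256 is computed, the (here, constructed) cloud disposition is looked up, and a hash on the clean list or the custom detection list overrides that disposition before the file policy decides whether to block. The sample files, the cloud table, the magic-byte file typing and the precedence between the two lists (clean wins here) are assumptions of this model, not product behaviour to rely on.

```python
import hashlib
from dataclasses import dataclass, field
from typing import Dict, Set, Tuple


@dataclass
class FileLists:
    """The two file list objects from the notes, keyed by SHA-256 hex digest."""
    clean: Set[str] = field(default_factory=set)
    custom_detection: Set[str] = field(default_factory=set)


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def file_type(data: bytes) -> str:
    """Minimal file-type detection from magic bytes (constructed subset)."""
    if data.startswith(b"MZ"):
        return "executable"
    if data.startswith(b"%PDF-"):
        return "pdf"
    if data.startswith(b"PK\x03\x04"):
        return "office/zip"
    return "other"


def disposition(data: bytes, lists: FileLists, cloud: Dict[str, str]) -> Tuple[str, str, str]:
    """Return (sha256, disposition, source). Local lists override the cloud.

    Precedence when a hash is on both lists is an assumption of this model
    (clean wins); check the product documentation for your version.
    """
    h = sha256_hex(data)
    if h in lists.clean:
        return h, "clean", "clean list"
    if h in lists.custom_detection:
        return h, "malicious", "custom detection list"
    return h, cloud.get(h, "unknown"), "cloud lookup"


def file_policy_verdict(data: bytes, lists: FileLists, cloud: Dict[str, str],
                        blocked_types=("executable", "pdf", "office/zip")):
    """'Block malware' for the listed file types; everything else is logged and allowed."""
    h, disp, src = disposition(data, lists, cloud)
    ftype = file_type(data)
    action = "block" if ftype in blocked_types and disp == "malicious" else "allow"
    return {"sha256": h, "type": ftype, "disposition": disp, "source": src, "action": action}


# Constructed sample files; CLOUD stands in for the AMP cloud query.
SAMPLE_EXE = b"MZ" + b"\x90" * 62 + b"constructed sample executable"
SAMPLE_PDF = b"%PDF-1.4\n% constructed sample document\n"
CLOUD = {sha256_hex(SAMPLE_EXE): "malicious"}   # the cloud has convicted this hash


if __name__ == "__main__":
    lists = FileLists()
    print(file_policy_verdict(SAMPLE_EXE, lists, CLOUD)["action"])   # cloud says malicious
    lists.clean.add(sha256_hex(SAMPLE_EXE))                           # analyst overrides
    print(file_policy_verdict(SAMPLE_EXE, lists, CLOUD)["action"])
    lists.custom_detection.add(sha256_hex(SAMPLE_PDF))                # unknown file, locally convicted
    print(file_policy_verdict(SAMPLE_PDF, lists, CLOUD))
```

Because the lists are keyed on the exact SHA-256, a single changed byte in a file produces a different hash and a fresh cloud lookup; the lists are therefore a tool for specific known files, not a substitute for the cloud disposition.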

ESA: Email Security Appliance

Email:
 Electronic mail, or email, is a method of exchanging digital
messages between people using digital devices such as
computers, tablets and mobile phones

Email Providers:
Email Protocols:
1. POP3: Post Office Protocol
By default POP3 works on two ports:

IMAP: Internet Message Access Protocol

SMTP: Simple Mail Transfer Protocol

SMTP Terminologies

MTA: Mail Transfer Agent:
 Email gateway or software agent that transfers mail from one
system to another. The Cisco ESA is an MTA

DNS Mail eXchanger (MX) record:
 Record that specifies how emails are routed. MX records point to
the servers that should receive email for a domain

DNS A record:
 Used to locate the IP address of the MTA specified by the MX
record
Groupware Server:
 Server that accepts, forwards, delivers, and stores messages on
behalf of users

SMTP Client:
 Initiates the connection to an SMTP server

SMTP Server:
 Receives connection requests from the SMTP client

Mail User Agent:
 Software client application, like Outlook, that accesses a groupware
server to send or receive mail

ESA Services Overview:

Reputation filters:
 Used to set up sender groups

Message Filters:
 Custom rules that can compare any part of a message using
regular expressions (only available using the CLI)
 Identify messages based on the message or attachment content,
information about the network, message envelope, message
headers, or message body

Antispam:
 Uses preventive and reactive antispam applications to ensure
maximum spam prevention

Antivirus:
 Uses multiple virus protection software applications to ensure
maximum virus protection

Outbreak Filters:
 Quarantine suspicious email messages and hold the message
until an updated virus signature is available

Content Filters:
 Similar to message filters but applied after the message has
undergone message filters, anti-spam, and anti-virus scanning
 Limited to scanning either incoming or outgoing messages

Encryption:
 Supports using a cloud-based managed encryption service to
secure inbound and outbound email
Data Loss Prevention:
 Prevents confidential data from leaving the customer's network

ESA software licenses:
 All licenses are term-based subscriptions with a length of 1, 3, or 5
years
1. Cisco Email Security Inbound Bundle
 Antispam scanning
 Sophos Antivirus solution
 Virus outbreak filters
 Clustering

2. Cisco Email Security Outbound Bundle
 DLP compliance
 Email encryption
 Clustering

3. Cisco Email Security Premium Bundle
 Antispam scanning
 Sophos Antivirus solution
 Virus outbreak filters
 DLP compliance
 Email encryption
 Clustering
Incoming Mail Processing overview:
 Inbound security is provided by the incoming mail policy. The
policy includes six layers of filters

1. Threat prevention with Reputation Filters
 First layer of spam protection, allowing you to control messages
that come through the email gateway based on sender
trustworthiness as determined by the Cisco SenderBase Reputation
Service

2. Policy enforcement with Message Filters
 Special rules describing how to process messages and
attachments as they are received, using a script-like interface with
regular expressions (only available in the CLI)

3. Spam detection with Anti-Spam and the Context Adaptive Scanning
Engine (CASE)
 Email reputation: who is sending this message?
 Message content: what content is included in this message?
 Message structure: how was this message constructed?
 Web reputation: where does the call to action take you?

4. Virus detection with Sophos and/or McAfee Antivirus:
 Antivirus provides a virus detection engine that scans for viruses,
trojan horses, and worms
5. Content filters:
 These filters can be used to filter special file types or content

6. Outbreak filters:
 Newly released viruses that do not have a published ID can be
blocked by stopping files with the infected file's characteristics
 Provides zero-day protection

Outgoing Mail Policy Overview
 Anti-spam, content filters and outbreak filters are disabled by
default
 Provides an additional DLP function to the process to ensure
unsuitable or unauthorized information does not leak out of the
company
 DLP can only be performed on outgoing messages

ESA Listener Overview
 The listener on the Cisco ESA is an SMTP daemon that manages
the mail processing services
a. You can use one listener to manage all the incoming and
outgoing mail processing
b. Or you can use one (public) listener to manage the mail
processing services from the Internet and another (private)
listener to manage the mail processing services from the
internal email servers
 A listener describes an email processing service that is configured
on a particular Cisco ESA interface and port
 SMTP clients connect to a listener to send mail

ESA Listener Types: Private and Public
 A public listener receives connections from the Internet and directs
messages to a limited number of internal groupware servers
 Public listeners contain default characteristics for receiving
incoming mail from the Internet to the internal mail servers
 Private listeners are intended to be used by the private internal
networks to relay outgoing mail from the internal mail servers to
the Internet
 When using a single listener, the listener type should be public
 Network > Listeners > Edit (Add) Listener
Cisco ESA Listener Major Components: HAT and RAT

Incoming mail from the Internet to the internal mail servers:
1. HAT (Host Access Table)
 Defines which remote hosts are allowed to connect to the listener
and defines a set of rules that control the incoming connections
from the remote hosts

2. RAT (Recipient Access Table)
 Specifies the list of local domains for which the Cisco ESA will
accept incoming email

Outgoing mail from the internal mail servers to the Internet:
 The HAT controls which internal mail servers can relay outgoing
mail through the ESA
 The internal mail servers are specified in the HAT (using the RELAYLIST
sender group configuration in the HAT)

Pre-defined Sendergroups
1. RELAYLIST
 Outgoing mail will be relayed if the mail server IP address is
specified on the RELAYLIST
 Uses RELAYED mail flow policy

2. WHITELIST
 Add senders you trust to the WHITELIST sender group
 Uses TRUSTED mail flow policy

3. BLACKLIST
 Senders in the BLACKLIST sender group are rejected
 Uses BLOCKED mail flow policy

4. SUSPECTLIST
 This sender group uses the THROTTLED mail flow policy that
throttles, or slows, the rate of incoming mails
 Uses THROTTLED mail flow policy

5. UNKNOWNLIST
 This sender group is useful if you are not sure about the mail flow
policy you should use for a given sender.
 ACCEPTED mail flow policy is used

6. ALL
 Default sender group that applies to all other senders
 Uses ACCEPTED mail flow policy

Mail Flow Policy:

 It is referenced in each sender group to define whether the
remote hosts are allowed to connect to the listener and under
what conditions
 It is used to control or rate limit the flow of email messages from
a sender to the listener
 Every message received by the Cisco ESA is classified as incoming
or outgoing mail. Every message that is accepted is considered
incoming mail. Every message that is relayed is considered
outgoing mail
 Each mail flow policy can have one of the following actions

1. Accept
 The connection will be accepted and SMTP conversation will start
 The sender is limited to the recipients in the domains specified in
the RAT

2. Reject
 The TCP connection is accepted, but the Cisco ESA sends the
sender an SMTP 554 banner to indicate that they are not
welcome

3. TCP Refuse
 The TCP connection is closed. The Cisco ESA issues a FIN to the sender
to indicate the connection is over before the SMTP conversation even starts

4. Relay
 The connection will be accepted and the SMTP conversation will
start
 The sender is not limited to the recipients in the domains
specified in the RAT. RAT is not checked at all
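The HAT to sender group to mail flow policy to RAT decision path described above, modelled in code. This is an added example, not Cisco code; the HAT networks, RAT domains and sender addresses are constructed for the demo.

```python
"""Cisco ESA listener decision model: HAT sender groups, mail flow policies, RAT.

Added example (not Cisco code): a public listener maps a connecting host to
a sender group via the HAT, applies that group's mail flow policy action,
and consults the RAT only for accepted (not relayed) connections.
"""
import ipaddress

# Pre-defined sender groups and the default mail flow policy each one uses.
POLICY_FOR_GROUP = {
    "RELAYLIST": "RELAYED", "WHITELIST": "TRUSTED", "BLACKLIST": "BLOCKED",
    "SUSPECTLIST": "THROTTLED", "UNKNOWNLIST": "ACCEPTED", "ALL": "ACCEPTED",
}
# Connection action taken by each mail flow policy ("tcp_refuse" is the
# fourth possible action, not used by any of the default policies).
POLICY_ACTION = {"RELAYED": "relay", "TRUSTED": "accept", "BLOCKED": "reject",
                 "THROTTLED": "accept", "ACCEPTED": "accept"}

# Constructed sample HAT (ordered, first match wins; ALL is the fallback).
SAMPLE_HAT = [
    ("RELAYLIST", ["10.1.1.0/24"]),          # internal mail servers
    ("WHITELIST", ["203.0.113.10/32"]),      # a trusted partner MTA
    ("BLACKLIST", ["198.51.100.0/24"]),      # known-bad senders
]
SAMPLE_RAT = ["example.com", "mail.example.com"]   # local domains we accept for


class Listener:
    def __init__(self, hat, rat, policy_for_group=POLICY_FOR_GROUP):
        self.hat = [(g, [ipaddress.ip_network(n) for n in nets]) for g, nets in hat]
        self.rat = {d.lower() for d in rat}
        self.policy_for_group = policy_for_group

    def sender_group(self, ip: str) -> str:
        """HAT lookup: first sender group whose network contains the host."""
        addr = ipaddress.ip_address(ip)
        for group, nets in self.hat:
            if any(addr in net for net in nets):
                return group
        return "ALL"

    def connect(self, ip: str) -> tuple:
        """Return (sender_group, mail_flow_policy, action) for a connecting host."""
        group = self.sender_group(ip)
        policy = self.policy_for_group[group]
        return group, policy, POLICY_ACTION[policy]

    def rcpt_to(self, ip: str, recipient: str) -> tuple:
        """Decide on RCPT TO: only accepted connections are limited by the RAT."""
        group, policy, action = self.connect(ip)
        if action in ("reject", "tcp_refuse"):
            return False, f"connection {action}: {group}/{policy}"
        if action == "relay":
            # Relayed mail is outgoing: any recipient domain, RAT not checked.
            return True, f"relayed without RAT check ({group}/{policy})"
        domain = recipient.rsplit("@", 1)[-1].lower()
        if domain in self.rat:
            return True, f"accepted for local domain {domain} ({group}/{policy})"
        # This check is what keeps a public listener from being an open relay.
        return False, f"RAT: {domain} is not a local domain ({group}/{policy})"


if __name__ == "__main__":
    esa = Listener(SAMPLE_HAT, SAMPLE_RAT)
    for ip, rcpt in [("10.1.1.5", "bob@other.net"), ("198.51.100.7", "alice@example.com"),
                     ("192.0.2.9", "alice@example.com"), ("192.0.2.9", "alice@other.net")]:
        ok, why = esa.rcpt_to(ip, rcpt)
        print(f"{ip:>14} -> {rcpt:<20} {'OK' if ok else 'NO'} {why}")
```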
Anti-Spam Overview
 Reputation Filters: prevent spam from being accepted
 Anti-Spam: scans the messages that have already passed the
Reputation Filters and Message Filters

Anti-Spam Configuration
The Context Adaptive Scanning Engine assigns the mail a score between
1 and 100 based on four main data points
 Who is sending the message?
 How the message was constructed?
 What the message contains?
 Where is the URL for a website with a low web reputation?
You need to configure how to handle mail that is scored as, for example:
 Positive spam (by default, messages with a score above 90)
 Suspect spam (by default, messages with a score between 50 and 89)
 Mail Policies > Incoming Mail Policies (or Outgoing Mail
Policies), click on Anti-Spam for the desired policy name
 Enable Marketing Email Scanning: Marketing messages can be
legitimate bulk email that users may or may not want
 You can change the default Positively Identified and Suspected
Spam score settings

Anti-Virus Overview
 Includes integrated virus scanning engines from third party
companies: Sophos and McAfee
 Sophos and McAfee Anti-Virus provide a detection engine that
scans files for viruses and malware
 Checks for Sophos and McAfee virus definitions updates every 5
minutes by default

Anti-Virus Configuration
 Obtain license keys for the Cisco ESA to scan messages for viruses
using one or both of these virus scanning engines
 Configure the ESA to scan messages for viruses based on the
matching incoming or outgoing mail policy
 If a virus is found, perform different actions on the message:
a. Repairing the message of viruses
b. Modifying the subject header
c. Adding an X-header
d. Sending the message to an alternate address or mailhost
e. Archiving the message
 Mail Policies > Incoming Mail Policies (or Outgoing Mail
Policies), click on Anti-Virus for the desired policy name

Content Filters Configuration

 Configure the content filters to be applied to the mail policies
 Mail Policies > Incoming Content Filters and Mail Policies >
Outgoing Content Filters, add filter

Data Loss Prevention Overview:

 The data loss prevention feature is applied at the end of the outgoing
mail processing queue
 DLP secures your organization's intellectual property by
preventing users from emailing sensitive data from your network
 DLP is enabled on the Cisco ESA with technology from RSA
 Requires a feature key to enable and use DLP
Uses two engines for in-depth scanning and reducing false positives:
1. Content classifier
a. Determines the content type such as credit card numbers
b. Scans against various classifiers
c. Customer-independent
2. Policy engine
a. Determines action for the message
b. Uses category engine results, message/attachment metadata
c. Customer-specific
d. DLP policies consist of a set of conditions and actions created
using the DLP Policy Manager
e. Includes many built-in DLP policy templates which can be
customized

ASA Cut-through Proxy (Authentication Proxy)

 It is a feature on the ASA platforms that allows a network
administrator to force users to authenticate to the ASA before the
users are allowed access through the device
 The ASA can authenticate these users using RADIUS, TACACS+, or the
local user database

To understand IPv6 you must know how to convert binary into
hexadecimal and vice versa
Binary
 Binary is also known as Base 2
 There can only be two values for a specific digit: either a 0 = OFF
or a 1 = ON.
 You cannot have a number represented as 22 in binary notation.
The decimal number 22 is represented in binary as 00010110
 When converting to decimal, the bit positions holding 0 contribute
nothing; only the positions holding 1 are added up
Hexadecimal
 It is also known as Base 16.
 Digits are counted from 0 to 9, then the letters A to F, before a new
digit position is added.
 The letters A through F represent the decimal numbers 10 through 15
respectively.
 To convert a value from hexadecimal to binary, you merely
translate each hexadecimal digit into its 4-bit binary equivalent.
 Use the chart below for conversion
Decimal Hexadecimal Binary
0 0 0000
1 1 0001
2 2 0010
3 3 0011
4 4 0100
5 5 0101
6 6 0110
7 7 0111
8 8 1000
9 9 1001
10 A 1010
11 B 1011
12 C 1100
13 D 1101
14 E 1110
15 F 1111

IPv6

 It is a 128-bit long address
 It is represented in hexadecimal
 It has 8 blocks
 Each block has 16 bits
 Each hexadecimal character represents 4 bits in binary

01A2:0001:100B:C001:DFEC:ABCD:100D:A002

 The first 3 blocks represent the global routing prefix
 The 4th block represents the subnet ID
 The last 4 blocks represent the interface ID

 Two basic rules to shorten an IPv6 address:
1. Remove the leading 0s in each block.
2. If two or more consecutive blocks are all hex 0s, replace that
run with a double colon. The double colon can be used only once.
 Uses a prefix length, similar to IPv4 subnet masks.
 IPv6 does not use any concept like the classful network concept
used by IPv4

Two types of IPv6 address:


1. Unicast
2. Multicast

1. Unicast

a. Unique Local Address

 Private addresses in IPv6
 Always start with FC00::/7, or with FD if the 8th bit is set
 /7 means that the first 7 bits of the address are fixed

b. Global Unicast Address

 Public addresses in IPv6
 Always start with 2000::/3, or with 3000 if the 4th bit is set
 /3 means that the first 3 bits of the address are fixed

c. Link Local Address

 NDP uses the link-local address, which replaces the function of
IPv4's ARP
 Used for communication within a single broadcast domain
 Routers never place link-local addresses in their routing tables
 Always start with FE80::/10, or FE90 if the 12th bit is set, FEA0 if the
11th bit is set, or FEB0 if both the 11th and 12th bits are set
 Automatically configured on all interfaces, or can be configured
manually as well

2. Multicast
 Always start with FF00::/8

Configuring IPv6
 IPv6 unicast routing needs to be enabled (ipv6 unicast-routing)
 With IPv6, routers typically use static IPv6 addresses, while hosts
use DHCP or Stateless Address Autoconfiguration (SLAAC) to
dynamically learn their IPv6 address

Two ways to configure a static IPv6 address on a router interface:

1. Use the ipv6 address command to define the complete 128-bit address
2. Use the ipv6 address command to configure only the 64-bit IPv6
prefix and let the router automatically generate a unique
interface ID
 This is also known as EUI-64 (extended unique identifier)
EUI-64
The router generates the interface ID by using the EUI-64 rules:
1. Divide the 6-byte (12 hex digit) MAC address into two halves (6 hex
digits each)
2. Insert FFFE between the two, making an interface ID of 16 hex
digits (64 bits)
3. Invert the 7th bit of the interface ID
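The two address shortening rules and the three EUI-64 steps above, carried out in code. This is an added example, not from the course notes; the MAC address and prefix values are constructed, and the standard library is used only to expand an address to its full form.

```python
"""IPv6 address helpers: shortening rules and EUI-64 interface IDs (added example)."""
import ipaddress
import re


def expand_ipv6(addr: str) -> str:
    """Return the full 8-block, 4-hex-digit form of an IPv6 address."""
    return ipaddress.IPv6Address(addr).exploded.upper()


def compress_ipv6(addr: str) -> str:
    """Apply the two shortening rules by hand.

    Rule 1: drop leading zeros in each 16-bit block.
    Rule 2: replace the longest run of two or more all-zero blocks with '::'
            (only once; the leftmost run wins on a tie).
    """
    blocks = [b.lstrip("0") or "0" for b in expand_ipv6(addr).split(":")]
    best_start, best_len, run_start = -1, 0, None
    for i, b in enumerate(blocks + ["x"]):        # sentinel closes a final run
        if b == "0":
            if run_start is None:
                run_start = i
        else:
            if run_start is not None and i - run_start > best_len:
                best_start, best_len = run_start, i - run_start
            run_start = None
    if best_len >= 2:
        left = ":".join(blocks[:best_start])
        right = ":".join(blocks[best_start + best_len:])
        return f"{left}::{right}"
    return ":".join(blocks)


def eui64_interface_id(mac: str) -> str:
    """Derive the 64-bit interface ID from a 48-bit MAC using the EUI-64 rules."""
    octets = bytes.fromhex(re.sub(r"[^0-9A-Fa-f]", "", mac))   # accepts aa:bb.. or aabb.cc..
    if len(octets) != 6:
        raise ValueError("MAC must be 48 bits")
    # Steps 1 and 2: split into halves and insert FFFE between them.
    eui = octets[:3] + b"\xff\xfe" + octets[3:]
    # Step 3: invert the 7th bit (the universal/local bit) of the first byte.
    eui = bytes([eui[0] ^ 0x02]) + eui[1:]
    return ":".join(eui.hex()[i:i + 4] for i in range(0, 16, 4)).upper()


def eui64_address(prefix: str, mac: str) -> str:
    """Combine a /64 prefix with the EUI-64 interface ID and shorten the result."""
    net = ipaddress.IPv6Network(prefix, strict=False)
    if net.prefixlen != 64:
        raise ValueError("EUI-64 needs a /64 prefix")
    prefix_blocks = net.network_address.exploded.split(":")[:4]
    return compress_ipv6(":".join(prefix_blocks) + ":" + eui64_interface_id(mac))


if __name__ == "__main__":
    print(compress_ipv6("01A2:0001:100B:C001:DFEC:ABCD:100D:A002"))
    print(eui64_interface_id("00:1A:2B:3C:4D:5E"))          # constructed MAC
    print(eui64_address("2001:db8:1:2::/64", "001a.2b3c.4d5e"))
```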

Two ways by which Cisco routers can dynamically learn an IPv6
address:
1. Stateful DHCP
ipv6 address dhcp
2. Stateless Address Autoconfiguration (SLAAC)
ipv6 address autoconfig

IPv6 Neighbor Discovery

 A protocol which is used to
a. Determine the link-layer address of a neighbor on the same network
b. Verify the reachability of a neighbor
c. Keep track of neighbor devices

 IPv6 ND uses ICMPv6 messages and the solicited-node multicast address


IPv6 ND messages
1. IPv6 Neighbor Solicitation message
2. IPv6 Neighbor Advertisement message
3. IPv6 Router Solicitation message
4. IPv6 Router Advertisement message
5. IPv6 Neighbor Redirect message

IPv6 Neighbor Solicitation message:

 Uses a value of 135 in the type field of the ICMPv6 packet header
 Sent when the node wants to determine the link-layer address of
any other node on the same local link
 Source IPv6 address in the NS message is the IPv6 address of the sending
node
 Destination address is the solicited-node multicast address
 An NS message can also be used to verify the reachability of a
neighbor. In this case the message is sent as unicast
 A neighbor is considered reachable only if a positive
acknowledgement is returned

IPv6 Neighbor Advertisement message:

 A reply to a Neighbor Solicitation message
 Uses a value of 136 in the type field of the ICMPv6 packet header
 Source address is the IPv6 address of the node interface
 Destination address is the IPv6 address of the node that sent the NS
message

IPv6 Router Solicitation message:

 Uses a value of 133 in the type field of the ICMPv6 packet header
 Sent when an interface is enabled
 Hosts send a multicast RS requesting routers to generate an RA
immediately rather than at their next scheduled time

IPv6 Router Advertisement message:

 Uses a value of 134 in the type field of the ICMPv6 packet header
 Sent periodically out of each configured interface of an IPv6
device
 Contains prefixes that are used for determining whether another
address shares the same link, address configuration, etc.

IPv6 Neighbor Redirect message:

 Uses a value of 137 in the type field of the ICMPv6 packet header
 Used to inform hosts of better first-hop nodes on the path to a
destination

Neighbor Reachability States


IPv6 RA Guard
 Prevents router spoofing on the segment
 Prevents prefix spoofing on the segment
 Policy can be applied at VLAN or port level
Policy Types:
1. Router: inspects NDP and allows inbound RA messages
2. Host: inspects NDP and drops inbound RA messages
3. Trusted: RA Guard is disabled on the port
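The five ND message types (133 to 137) and the three RA Guard policy types above, as an added example that is not from the course notes or Cisco code: a minimal ICMPv6 ND parser plus an RA Guard style check applied per port. Port names and packets are constructed for the demo and checksums are not validated.

```python
"""ICMPv6 Neighbor Discovery classifier with an RA Guard style check (added example)."""
import ipaddress
import struct

# ICMPv6 type values of the Neighbor Discovery messages covered in the notes.
ND_TYPES = {133: "RS", 134: "RA", 135: "NS", 136: "NA", 137: "Redirect"}


def parse_nd(icmpv6: bytes) -> dict:
    """Parse the ICMPv6 header and the ND fields that matter for the check."""
    if len(icmpv6) < 8:
        raise ValueError("truncated ICMPv6 message")
    msg_type, code, _checksum = struct.unpack("!BBH", icmpv6[:4])
    info = {"type": msg_type, "name": ND_TYPES.get(msg_type, "non-ND"), "code": code}
    if msg_type in (135, 136, 137) and len(icmpv6) >= 24:
        # NS, NA and Redirect carry a 128-bit target address at offset 8.
        info["target"] = str(ipaddress.IPv6Address(icmpv6[8:24]))
    if msg_type == 134:
        # RA: cur hop limit (1), flags (1), router lifetime (2) follow the header.
        hop_limit, flags, lifetime = struct.unpack("!BBH", icmpv6[4:8])
        info.update(hop_limit=hop_limit, managed=bool(flags & 0x80),
                    router_lifetime=lifetime)
    return info


def ra_guard(policy: str, icmpv6: bytes) -> tuple:
    """RA Guard decision for one inbound message on a port with the given policy.

    router  : NDP is inspected, RA messages are allowed.
    host    : NDP is inspected, RA messages are dropped.
    trusted : RA Guard is disabled, everything passes uninspected.
    """
    if policy == "trusted":
        return True, "trusted port, RA Guard disabled"
    if policy not in ("router", "host"):
        raise ValueError(f"unknown RA Guard policy {policy!r}")
    msg = parse_nd(icmpv6)
    if msg["type"] == 134 and policy == "host":
        return False, (f"RA dropped on host port (hop_limit={msg['hop_limit']}, "
                       f"router_lifetime={msg['router_lifetime']})")
    return True, f"{msg['name']} permitted"


def build_ra(hop_limit: int = 64, managed: bool = False, lifetime: int = 1800) -> bytes:
    """Constructed RA (type 134) without options; checksum left as zero."""
    flags = 0x80 if managed else 0
    return struct.pack("!BBHBBHII", 134, 0, 0, hop_limit, flags, lifetime, 0, 0)


def build_ns(target: str) -> bytes:
    """Constructed NS (type 135) for the given target address; checksum zero."""
    return struct.pack("!BBHI", 135, 0, 0, 0) + ipaddress.IPv6Address(target).packed


def audit(port_policies: dict, frames: list) -> list:
    """Apply per-port policies to (port, icmpv6) pairs; return (port, allowed, reason)."""
    return [(port, *ra_guard(port_policies[port], pkt)) for port, pkt in frames]


if __name__ == "__main__":
    policies = {"Gi1/0/1": "router", "Gi1/0/2": "host", "Gi1/0/3": "trusted"}
    frames = [
        ("Gi1/0/1", build_ra()),                  # legitimate router uplink
        ("Gi1/0/2", build_ra(managed=True)),      # rogue RA from an access port
        ("Gi1/0/2", build_ns("fe80::1")),         # normal NS still passes
        ("Gi1/0/3", build_ra()),                  # trusted: not inspected
    ]
    for port, allowed, reason in audit(policies, frames):
        print(f"{port}: {'PERMIT' if allowed else 'DROP  '} {reason}")
```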

SeND: Secure Neighbor Discovery

• A protocol that enhances NDP with the three capabilities below.
• Prevents:
 Man-in-the-Middle attacks during neighbor solicitation/advertisement.
 Denial of Service attacks using a rogue router.
 Denial of Service with IP conflicts or neighbor floods.
1. Address ownership proof:
 Makes stealing IPv6 addresses impossible.
 Used in router discovery, address resolution.
 Based on Cryptographically Generated Addresses (CGAs).
2. Message protection:
 Message integrity protection.
 Replay protection.
 Used in all NDP messages.
3. Router authorization:
 Authorizes routers to act as default gateways.
 Specifies prefixes that routers are authorized to announce on link.
 SeND is not a new protocol, it is just an extension to NDP with a
set of new attributes.

New neighbor discovery options:

 CGA, Nonce, Timestamp, and RSA Signature.
New neighbor discovery messages:
 CPS (Certificate Path Solicitation), CPA (Certificate Path Advertisement)
• Things to configure before implementing SeND:
1. An RSA key pair, which is used to generate the CGA on the interface.
2. A SeND modifier that is computed using the RSA key pair.
3. CGAs on the SeND interface.
4. A PKI trustpoint.
Cryptographically Generated Addresses
• Generated from the cryptographic hash of a public key and auxiliary
parameters. A CGA is formed by replacing the least-significant 64 bits of
the 128-bit IPv6 address with a cryptographic hash of the public key of
the address owner
• Securely associates a cryptographic public key with an IPv6 address.
• A valid CGA cannot be spoofed, because messages from it are always signed with the
private key that matches the public key used for CGA generation.
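The CGA construction described above (RFC 3972: modifier, subnet prefix, collision count and public key hashed into the low 64 bits, with the sec parameter) as an added example; it is not from the course notes or Cisco code. The public key is constructed bytes standing in for a DER-encoded RSA key, and the signing of ND messages is not shown.

```python
"""CGA generation and verification following the RFC 3972 construction (added example)."""
import hashlib
import ipaddress
import os


def _hash1(modifier: bytes, subnet_prefix: bytes, collision_count: int, pubkey: bytes) -> bytes:
    """Leftmost 64 bits of SHA-1(modifier | subnet prefix | collision count | public key)."""
    return hashlib.sha1(modifier + subnet_prefix + bytes([collision_count]) + pubkey).digest()[:8]


def _hash2(modifier: bytes, pubkey: bytes) -> bytes:
    """Leftmost 112 bits of SHA-1(modifier | 9 zero bytes | public key)."""
    return hashlib.sha1(modifier + bytes(9) + pubkey).digest()[:14]


def _hash2_ok(h2: bytes, sec: int) -> bool:
    """The leftmost 16*sec bits of Hash2 must be zero (sec=0 needs no work)."""
    return sec == 0 or int.from_bytes(h2, "big") >> (112 - 16 * sec) == 0


def cga_generate(prefix: str, pubkey: bytes, sec: int = 0, collision_count: int = 0):
    """Return (address, cga_parameters) for a /64 prefix and a public key."""
    net = ipaddress.IPv6Network(prefix, strict=False)
    if net.prefixlen != 64 or not 0 <= sec <= 7 or collision_count > 2:
        raise ValueError("need a /64 prefix, sec in 0..7, collision count 0..2")
    subnet_prefix = net.network_address.packed[:8]
    # Search for a modifier that satisfies the Hash2 condition for this sec.
    modifier = os.urandom(16)
    while not _hash2_ok(_hash2(modifier, pubkey), sec):
        modifier = ((int.from_bytes(modifier, "big") + 1) % (1 << 128)).to_bytes(16, "big")
    iid = bytearray(_hash1(modifier, subnet_prefix, collision_count, pubkey))
    # Bits 0-2 of the interface ID carry sec; bits 6 (u) and 7 (g) are cleared.
    iid[0] = (iid[0] & 0x1C) | (sec << 5)
    params = {"modifier": modifier, "subnet_prefix": subnet_prefix,
              "collision_count": collision_count, "pubkey": pubkey}
    return str(ipaddress.IPv6Address(subnet_prefix + bytes(iid))), params


def cga_verify(address: str, params: dict) -> bool:
    """Check that the address was derived from the key and parameters given."""
    packed = ipaddress.IPv6Address(address).packed
    subnet_prefix, iid = packed[:8], packed[8:]
    if subnet_prefix != params["subnet_prefix"] or params["collision_count"] > 2:
        return False
    sec = iid[0] >> 5
    h1 = _hash1(params["modifier"], subnet_prefix, params["collision_count"], params["pubkey"])
    # Compare the 64 bits with the sec, u and g bits masked out.
    if (h1[0] & 0x1C, h1[1:]) != (iid[0] & 0x1C, iid[1:]):
        return False
    return _hash2_ok(_hash2(params["modifier"], params["pubkey"]), sec)


if __name__ == "__main__":
    fake_pubkey = bytes(range(128))            # constructed stand-in for a DER key
    addr, params = cga_generate("2001:db8:1:2::/64", fake_pubkey, sec=1)
    print(addr, cga_verify(addr, params))
    tampered = dict(params, pubkey=fake_pubkey + b"\x00")   # a different key
    print(cga_verify(addr, tampered))                         # False
```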
Identity Based Firewall
 With IBF, you can configure access lists and allow/restrict
permissions based on users and/or groups that exist in the Active
Directory domain
 The ASA must be running a minimum of 8.4.2 code to configure IBF
 The AD Agent must be installed on a Windows server that is
accessible to the ASA
 You must configure the AD Agent to obtain information from the
Active Directory servers
 Configure the AD Agent to communicate with the ASA

IBF components:

1. On the ASA, configure the local user groups and IBF policies
2. The ASA sends an LDAP query for the Active Directory groups
configured on the AD server. The ASA uses the Active Directory groups
and applies access rules and MPF security policies based on user
identity
3. Depending on the IBF configuration, the ASA downloads the IP-
user database or sends a RADIUS request to the AD Agent
querying the user's IP address
4. The client logs onto the network through Microsoft Active
Directory. The AD server authenticates users and generates user
logon security logs
5. Based on the policies configured on the ASA, it grants or denies
access to the client
6. Periodically or on demand, the AD Agent monitors the AD server
security event log via WMI for client login and logoff events

Cisco Flexible Packet Matching:

 It is a next-generation packet filtering feature introduced in Cisco
IOS Software Release 12.4(4)T.
 Using FPM you can match any string, byte or even bit at any
position in the IP packet, which helps in identifying and
blocking network attacks using static patterns found in the attack
traffic.

Limitations:
 It is stateless, so it cannot keep track of port numbers being used by
protocols that dynamically negotiate ports
 You cannot apply FPM to control-plane traffic, as the feature
is implemented in the CEF switching layer
 Inspects only unicast packets; does not apply to MPLS
encapsulated packets

Configuring an FPM filter

1. Loading protocol headers
2. Defining a protocol stack
3. Defining a traffic filter
4. Applying the policy and verifying

1. Loading a PHDF
 A Packet Header Definition File uses XML syntax and defines the
structure of various packet headers, such as Ethernet, IP, TCP,
UDP
 With a PHDF, we can filter traffic based on the header field names
and their values, instead of matching fixed offsets

2. Defining a protocol stack

 You can define the protocol stack using the command class-map type
stack
 Uses the PHDFs loaded previously and allows specifying the
protocol headers found in the traffic you want to inspect
 This allows for filtering based on header field values and
specifying offsets in the packet relative to the header fields

3. Defining a traffic filter

 The traffic filter is defined by means of a special class-map of type
"access-control" and configuring a respective policy-map of the
same type
 In addition to matching the protocol header fields, you can match
the packet payload at a fixed offset against a pre-defined value,
value range, string or regular expression

4. Applying the traffic filtering policy

 The access-control policy map can be applied to an interface either
inbound or outbound using the interface-level service-policy command

Access Control List

 An ACL is essentially a list of permit or deny statements that
control network access to enforce a security policy.

Besides traffic filtering, ACLs have many applications:

1. Filtering routing information received from or sent to the
adjacent neighbor(s)
2. Controlling interactive access to prevent unauthorized access to
the devices in the network for example telnet or SSH access.
3. Controlling traffic flow and network access through devices.
4. Defining interesting traffic for IPsec virtual private network (VPN)
encryption.
5. Extensive use in security techniques such as IOS firewall.

 If access control lists are not configured, all packets passing
through the router would be allowed onto all parts of the
network.

ACL Examples:
1. ACLs can allow one host to access the internet and prevent
another host from accessing the internet
2. All HTTP traffic can be permitted, while FTP traffic can be
blocked.

When to configure ACLs

 ACLs can be used on a device as the first line of defense for the
network. This can be achieved using an ACL on routers, switches,
or firewalls that are placed between an internal network
(protected zone) and an external network (unprotected zone),
such as the Internet. Another alternative is to use ACLs to filter
inbound traffic or outbound traffic on a device, or both. ACLs
should be used on a per-protocol and per source/destination/port
basis to achieve more control over various types of traffic

Direction of ACL
1. Out: Traffic that has already been processed through the router
and is exiting the router interface, i.e. egress traffic.
2. In: Traffic that arrives on the router interface, i.e. ingress traffic

Guidelines for implementing ACLs

1. ACLs can be applied to multiple interfaces on a device.
2. Only one ACL is allowed per protocol per interface per direction,
i.e. you can have two IP ACLs per interface: one inbound and one
outbound.
3. ACLs are processed from the top down. That's why the order of
the access-list entries needs to be planned carefully. More
specific entries must appear first.
4. There is an implicit deny at the end for traffic that is not permitted.
5. An outbound ACL applied to a router interface checks only for
traffic traversing the router, i.e. traffic going through the
router and not traffic originating from the router.

Types of Access Lists

1. Standard ACLs
2. Extended ACLs
3. IP named ACLs
4. Lock and key (Dynamic ACLs)
5. Reflexive ACLs
6. Established ACLs
7. Time-based ACLs using time ranges
8. Infrastructure ACLs

Standard ACLs:
 Standard ACLs are the oldest and one of the most basic types of
ACLs. Standard ACLs inspect traffic by comparing the source
address of the IP packets to the addresses configured in the ACL.
 A standard ACL can be defined to permit or deny specific source IP
addresses only.

The command syntax format to define a numbered standard ACL is:

access-list access-list-number {deny | permit} source [source-wildcard] [log]

 The keyword log causes an informational logging message when
the packet matches the access-list statement. The message
includes the ACL number, a notification of whether the packet
was permitted or denied, the source address, and the number of
packets.
 Standard ACL range: 1 to 99 and 1300 to 1999.

Extended ACL:
 Extended ACLs are used to filter more-specific traffic based on the
source address, the destination address, and specific protocols,
ports.
 Extended ACL range : 101 to 199 and 2000 to 2699.

IP named ACLs:
 Cisco IOS software also added the capability to use a name in the
ACL. This allows standard and extended ACLs to be given names
instead of numbers, all other parameters remain same

Lock and key (dynamic ACLs):

 Lock and key allows you to set up dynamic access that allows
per-user access control to a particular source/destination using an
authentication mechanism.
 Depends on the following items: the Telnet protocol, an
authentication process, and an extended ACL.

Process of Lock and key access

1. Configure an extended ACL to block traffic through the router,
except the ability to telnet to the router from any host, as the user
needs to telnet to the router to open the dynamic access entry.
2. Users who want to pass traffic through the lock and key router
must initiate a Telnet session to the router and authenticate successfully
with valid credentials.
3. Either the local router or a remote authentication server performs the
authentication process using TACACS+ or RADIUS.
4. When the Telnet process completes, the router disconnects
the Telnet connection, and a dynamic entry permits traffic for a
particular period.

Steps:
1. Configure a local username for authentication.
2. Under the vty lines, configure login local.

- To automatically invoke the access-enable command and set the
timeout parameter, use one of the following methods.
1. Configure the access-enable command and associate the timeout
with the user, allowing control on a per-user basis.

username test autocommand access-enable host timeout 10

2. Configure a global timeout value for all users who telnet in; all have
the same timeout.
line vty 0 4
login local
autocommand access-enable host timeout 10

3. Configure an extended ACL that is applied when a user logs in to the
router and the access-enable command is invoked.

access-list 102 dynamic myacl timeout 15 permit tcp any host 192.168.1.1 eq ssh
access-list 102 permit tcp any host 101.1.1.100 eq telnet

Apply this ACL to the interface on which the user is connected.

Reflexive ACLs:
 Reflexive ACLs allow IP packets to be filtered based on upper-layer
session information.
 Reflexive ACLs are generally used to allow outbound traffic and to limit
inbound traffic in response to sessions originating inside the
router.
 Reflexive ACLs can only be used in conjunction with an extended
named IP ACL.
Example:
interface fa 0/0
ip address 101.1.1.100 255.255.255.0
ip access-group inbound_acl in
ip access-group outbound_acl out
!
ip access-list extended inbound_acl
permit icmp any any
evaluate tcp_reflect
!
ip access-list extended outbound_acl
permit icmp any any
permit tcp 192.168.1.0 0.0.0.255 101.1.1.10 0.0.0.255 reflect tcp_reflect

Established ACLs:
 The “established” keyword in a TCP extended ACL validates that a
packet belongs to an existing connection from an ongoing TCP
session initiated earlier and checks whether the TCP datagram has
the acknowledgment (ACK) or reset (RST) bit set
 This mechanism allows only internal networks to initiate a TCP
session outbound through the device.
 Any TCP connection originating from the external network
inbound is dropped.
Time-Based ACLs
 Time-based ACLs are similar to the extended ACLs in function;
they provide the additional feature of controlling access based on
the time.
 The time range relies on the router’s system clock
 Works best with NTP

MACSec

 IEEE 802.1AE standard
 MACSec (IEEE 802.1AE) provides layer 2 encryption on the LAN.
 The encryption also encapsulates and protects the Cisco Meta
Data (CMD) field, which carries the Security Group Tag (SGT)
 The cipher used for encryption is 128-bit AES-GCM symmetric encryption
 Two protocols which are used for key agreement are
a. Security Association Protocol (SAP)
 Used between Cisco switches
b. MACsec Key Agreement (MKA)
 Currently used between endpoints and Cisco switches

Downlink MACSec
 It is the term used to describe the encrypted link between an
endpoint and the switch
Uplink MACSec
 Describes encrypting the link between the switches with 802.1AE
Network Device Admission Control
 Authenticating the switch via 802.1x
 Once the device is allowed to join the network infrastructure, the
communication on the links between devices is secured with
MACSec
