MARS – “Monitoring, Analysis and Response System”: correlates events from all the security devices to determine what is going on.
SDM
One Step Lockdown CLI
In band and Out of band (OOB) Networks
Use the trap level to specify which type (severity) of messages you want to receive.
Logging Levels
SNMP
You can use an SNMP manager such as MRTG to graph the load on a device.
Make sure the SNMP community is set to RO (read-only); with RW (read-write), anyone who learns the community string can change the device's configuration.
AAA
TACACS, ACS
A RADIUS server centralizes authentication when there are too many Cisco devices to add users to individually.
ACS is used when you want to give granular authorization for specific commands to certain users.
Attach ACS to Active Directory, LDAP, etc. so that a change to authentication in one place propagates to every device, like a spiderweb.
First go into conf t
Afterwards you need to specify on the TACACS server who its clients are.
Afterwards you can start creating users in the database.
Afterwards you need to specify how the router should authenticate. Here an authentication method list called MY_OWN is created, telling the router to authenticate using TACACS and, if that is unavailable, to fall back to local. You have different options, such as using TACACS or RADIUS first and then an alternate.
The line command 'login local' no longer exists once 'aaa new-model' has been typed.
After creating the authentication method list as above, you can apply it to the specific places like
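The AAA setup the notes describe, written out as an added IOS example (it is not from the notes or the course they summarize); the server name and address, the account name and the placeholder secrets are assumptions:

```cisco
! Local fallback account, used only when no TACACS+ server answers
username admin privilege 15 secret <LOCAL-PASSWORD>
aaa new-model
! Define the TACACS+ server (ACS); 10.1.1.5 and the key are constructed values
tacacs server ACS1
 address ipv4 10.1.1.5
 key <SHARED-SECRET>
! Keep a working default list so the console is never locked out
aaa authentication login default local
! MY_OWN: try TACACS+ first, use the local database only if the server is unreachable
aaa authentication login MY_OWN group tacacs+ local
! Apply the list to the lines it should protect; 'login local' is gone once aaa new-model is on
line vty 0 4
 login authentication MY_OWN
line console 0
 login authentication default
! Checks and debugging, run from privileged mode:
! test aaa group tacacs+ admin <LOCAL-PASSWORD> legacy
! debug aaa authentication
! debug tacacs
```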
AAA debugging
See the messages that came up.
Here we are creating a specific view for a specific group or person.
After you create the view, you need to specify what types of commands that view can execute.
Once you type 'commands', you will get a list of command modes (types) to use for the view.
Here the configure command is being granted to another view, together with specific command types.
Once completed, you can enable the view, which gives you that level of access.
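A role-based CLI view of the kind described above, as an added IOS example (not from the notes or the course); the view name, the granted commands and the placeholder secrets are assumptions:

```cisco
! Views require AAA and an enable secret; the root view is entered with
! 'enable view' plus the enable secret before any parser view can be created
aaa new-model
enable secret <ENABLE-SECRET>
! HELPDESK is a constructed view name; the secret is a placeholder
parser view HELPDESK
 secret <VIEW-SECRET>
 ! 'commands ?' at this prompt lists the parser modes (exec, configure, interface, ...)
 commands exec include show version
 commands exec include show ip interface brief
 commands exec include show interfaces
 ! Granting 'configure terminal' alone gives an empty config mode, so add
 ! the configure and interface commands the view may actually use
 commands exec include configure terminal
 commands configure include interface
 commands interface include shutdown
 commands interface include no shutdown
! Test it: 'enable view HELPDESK' (prompts for VIEW-SECRET), then 'show parser view'
! From the root view, 'show parser view all' lists every view and its commands
```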
Secure the flash image and config from being erased by copying them to a hidden section of the flash; the only way to erase that copy afterwards is through the console port. You do not necessarily need a PCMCIA card for this, but you will need the PCMCIA slot for the flash because the image is big; otherwise store it on a server somewhere.
This is how to back up the config/image to the hidden section and restore it.
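The backup and restore the notes refer to, as an added IOS example (not the notes' own screenshot); the archived config file name is a placeholder, since it is assigned by the router and shown by 'show secure bootset':

```cisco
! Resilient configuration: hide a copy of the running image and the config in flash
secure boot-image
secure boot-config
! Confirm both archives exist and note the archived config's file name
show secure bootset
! Restore after the visible flash/config has been wiped:
! 1. if the image was deleted, boot the hidden image from ROMMON (dir flash:, then boot flash:<IMAGE>)
! 2. from privileged mode, restore the archived config under a new name and load it:
!    secure boot-config restore flash:<RESTORED-CONFIG>
!    copy flash:<RESTORED-CONFIG> running-config
! Removing the protection is refused over telnet/ssh and only works on the console:
! no secure boot-image
! no secure boot-config
```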
Access-Lists
Type 'reload in 5' if you are telnetted in, because if the access-list you apply cuts off your connectivity, the router will reload into its saved configuration and you get back in.
Standard access-lists get applied closer to the destination and extended access-lists closer to the source. Remember this!
Established
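The reload safety net, the standard-versus-extended placement rule and an 'established' entry, combined into one added IOS example (not from the notes or the course); the interfaces, the 192.0.2.0/24 and 10.1.1.0/24 ranges and the host address are constructed:

```cisco
! Safety net when changing ACLs remotely: if the new ACL locks you out,
! the router reloads in 5 minutes to the saved (startup) configuration
reload in 5
! Extended ACL (source, destination, ports), applied close to the source: inbound on the outside
! interface. 'established' matches only TCP packets with ACK/RST set, i.e. replies to
! sessions that were started from inside, so new connections from outside are dropped
ip access-list extended OUTSIDE-IN
 remark return traffic for sessions opened from inside (192.0.2.0/24 is a constructed range)
 permit tcp any 192.0.2.0 0.0.0.255 established
 remark management access to one constructed host only
 permit tcp any host 192.0.2.10 eq 22
 permit icmp any any echo-reply
 deny ip any any log
interface GigabitEthernet0/1
 ip access-group OUTSIDE-IN in
! Standard ACL (source address only), applied close to the destination: outbound on the LAN side
access-list 10 permit 10.1.1.0 0.0.0.255
interface GigabitEthernet0/0
 ip access-group 10 out
! Still connected? Cancel the pending reload, then save
reload cancel
! copy running-config startup-config
```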
Port Security
Here we can specify how many devices can connect to a port and set the action taken when a violation is committed.
Here we can specify a particular MAC address for a port, or use the sticky command so that whatever is connected first becomes the port's home and no other device with a different MAC address may connect.
If a port is shut down due to a violation, you need to do a shut first and then a no shut.
Spanning-tree Security
Root guard prevents any other switch from becoming root, regardless of its bridge ID.
A malicious attack can be someone who sets up a rogue DHCP server and acts as a man in the middle. To prevent this, activate DHCP snooping and make the ports connected to the DHCP server trusted ports, as well as the trunk ports connecting switch to switch.
Limit DHCP requests on ports by typing
Use 'monitor session #' with the interfaces you want to monitor, followed by whether you want send, receive or both. On the next line specify the destination port that you want this traffic directed to.
STORM-CONTROL
Lets you control the switchport in the event that broadcast/multicast traffic from a certain port exceeds a certain level, so that it does not peg the router/switch's processor and all its resources.
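The switch-side protections from the port security, spanning-tree/DHCP snooping/SPAN and storm-control notes above, brought together in one added IOS example (not from the notes or the course); the interface numbers, VLAN, MAC address and thresholds are assumptions:

```cisco
! Access port: at most 2 MACs, learned sticky, port shut on violation
interface GigabitEthernet0/5
 switchport mode access
 switchport access vlan 10
 switchport port-security
 switchport port-security maximum 2
 switchport port-security violation shutdown
 switchport port-security mac-address sticky
 ! pin one address instead of sticky learning (constructed MAC):
 ! switchport port-security mac-address 0000.1111.2222
 ! root guard: a superior BPDU on this port puts it in root-inconsistent state
 spanning-tree guard root
 ! rate-limit DHCP requests and broadcast/multicast storms from the host
 ip dhcp snooping limit rate 10
 storm-control broadcast level 20
 storm-control multicast level 20
 storm-control action shutdown
! DHCP snooping globally and for the VLAN; only server-facing/trunk ports are trusted
ip dhcp snooping
ip dhcp snooping vlan 10
interface GigabitEthernet0/24
 description trunk to the switch that holds the DHCP server
 switchport mode trunk
 ip dhcp snooping trust
! Let ports shut by a security violation recover by themselves after 5 minutes
errdisable recovery cause psecure-violation
errdisable recovery interval 300
! SPAN: copy both directions of Gi0/5 to the analyser on Gi0/23
monitor session 1 source interface GigabitEthernet0/5 both
monitor session 1 destination interface GigabitEthernet0/23
! Checks:
! show port-security interface GigabitEthernet0/5
! show ip dhcp snooping binding
! show storm-control
! show monitor session 1
! Manual recovery of an err-disabled port: shutdown, then no shutdown
```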
Network Admission Control NAC
EAP is great. For example, it can check whether you have updated virus definitions and, if not, send you to a separate VLAN to get updated.
CSA
Unlike an antivirus, which waits for trouble to happen and then makes signatures, CSA acts like a 24-hour watchman that looks for anomalies and acts on them, for example by shutting the offending process down. Headless means it acts but does not report; managed agents do report.
Cisco Firewalls
CBAC
Cisco Zone based Firewall
You can filter traffic into classes to decide which traffic gets priority.
Above you see a class map named test that matches pop3, smtp or imap.
Above, Jeremy has given the rule of 20% of the bandwidth of that interface.
Afterwards you need to apply it to the particular interface, just like an ACL.
Associate a class-map.
Finally you must create a zone pair.
In the future, when you want to add more rules, just create a class map first.
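The zone-based firewall pieces named above (class map for the mail protocols, policy, zone membership, zone pair, adding a rule later), as an added IOS example that covers the inspection part only, not the 20% bandwidth rule; it is not the course's configuration, and the zone, class-map, policy-map and interface names are assumptions:

```cisco
! Zones; an interface in no zone cannot talk to an interface that is in one
zone security INSIDE
zone security OUTSIDE
! Class map: traffic matching ANY of pop3, smtp, imap
class-map type inspect match-any MAIL
 match protocol pop3
 match protocol smtp
 match protocol imap
! Policy map: stateful inspection for that class, everything else dropped and logged
policy-map type inspect IN-TO-OUT
 class type inspect MAIL
  inspect
 class class-default
  drop log
! Put the interfaces into zones (this is the "apply it to the interface" step)
interface GigabitEthernet0/0
 zone-member security INSIDE
interface GigabitEthernet0/1
 zone-member security OUTSIDE
! Zone pair: direction plus the policy that governs it
zone-pair security IN-OUT source INSIDE destination OUTSIDE
 service-policy type inspect IN-TO-OUT
! Adding a rule later: new class map first, then a new class entry in the existing policy map
! (IOS keeps class-default last)
class-map type inspect match-any WEB
 match protocol http
 match protocol https
policy-map type inspect IN-TO-OUT
 class type inspect WEB
  inspect
! Checks:
! show zone-pair security
! show policy-map type inspect zone-pair IN-OUT sessions
```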
Specify the file as tftp, use tftp32 and point it at the file, because Cisco's implementation does not accept any of the other options.
Certificates
Certificates contain the name of the device plus its private key, the authority (the Certificate Authority) that vouches for the device, and that authority's own signature.
Certificate Process:
You can set a pre-shared key on each device to obtain the certificate, then manually change it later.
CA’s of the Internet
Certificate Standards
IPSEC Negotiation Protocols
IKE Phase 1
Both routers need to agree on a policy, then exchange DH keys, then verify identity by certificate, pre-shared key, etc.
In IKE Phase 2, the data exchange takes place using symmetric keys. You can set a lifetime in either time or data size; when that lifetime expires, a new set of keys is generated.
Setting up VPN
First setting up IKE Phase 1
Verify your settings.
AFTERWARDS YOU MUST REPEAT THIS ON THE OTHER ROUTER. SAVE TIME BY COPY AND PASTE.
IKE Phase 2
1.
2.
3. Create a Mirrored ACL
Other Router
4. Create the Map.
STEPS OUTLINED….
More checking
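The IKE Phase 1, IKE Phase 2, mirrored ACL, crypto map and checking steps from the VPN section, written out for one router as an added IOS example (not from the notes or the course); the addresses below are constructed (Router A outside 203.0.113.1, Router B outside 203.0.113.2, LAN A 10.1.1.0/24, LAN B 10.2.2.0/24) and the names and pre-shared key are placeholders:

```cisco
! Router A. IKE Phase 1: policy both peers must agree on, DH group, identity by pre-shared key
crypto isakmp policy 10
 encryption aes 256
 hash sha
 authentication pre-share
 group 14
 lifetime 86400
crypto isakmp key <PRE-SHARED-KEY> address 203.0.113.2
! IKE Phase 2: symmetric transform set, and the lifetime (time or data volume)
! after which a fresh set of keys is negotiated
crypto ipsec transform-set AES-SHA esp-aes 256 esp-sha-hmac
 mode tunnel
crypto ipsec security-association lifetime seconds 3600
crypto ipsec security-association lifetime kilobytes 4608000
! Interesting traffic; Router B needs the mirror image (10.2.2.0/24 -> 10.1.1.0/24)
ip access-list extended VPN-TRAFFIC
 permit ip 10.1.1.0 0.0.0.255 10.2.2.0 0.0.0.255
! Crypto map ties peer, transform set and ACL together, then goes on the outside interface
crypto map VPN-MAP 10 ipsec-isakmp
 set peer 203.0.113.2
 set transform-set AES-SHA
 match address VPN-TRAFFIC
interface GigabitEthernet0/1
 ip address 203.0.113.1 255.255.255.0
 crypto map VPN-MAP
! Router B: same isakmp policy and transform set, 'crypto isakmp key ... address 203.0.113.1',
! 'set peer 203.0.113.1' and the mirrored ACL (copy, paste, swap the addresses)
! Checks, after sending traffic between the LANs to trigger negotiation:
! show crypto isakmp policy
! show crypto isakmp sa
! show crypto ipsec sa
```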
Use SDM to make it easier