
CCNA Security

How a hacker hacks


Security in layers

Security is better implemented in layers

NIPS – Network Intrusion Prevention system

HIPS – Host Intrusion Prevention System

MARS – “Monitor, Analysis and Response System”. Correlates the events going on across all security
devices to determine what is going on.
SDM
One Step Lockdown CLI
In band and Out of band (OOB) Networks

Keep Management Network separate from Corp Network


Logging messages to a file

show log (show logging) displays what has been buffered.


Use Syslog to Centralize the messages

To setup logging to the syslog server

Use logging trap to specify the lowest severity level of messages you would like the server to receive.
Logging Levels

SNMP
You can use SNMP Managers like MRTG to get the load on a device.

Make sure the SNMP community is set to RO (read-only). If you use RW, anyone who learns the community string can change the device configuration.

Setting SNMP via CLI

This is for SNMP version 1 & 2
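The two management-plane pieces above (buffered logging plus a syslog collector, and read-only SNMP restricted by an ACL) as one added IOS configuration example. This is editor-added code, not a screenshot from the original notes; the collector 10.0.0.50, the 10.0.0.0/24 management network, Loopback0 and the CHANGE_ME_* strings are assumed placeholders, and the SNMPv3 lines at the end go beyond the page's v1/v2c setup.

```cisco
! Added example: buffered logging, syslog export and read-only SNMP.
! Addresses (10.0.0.50 collector, 10.0.0.0/24 mgmt net) and strings are assumed.
service timestamps log datetime msec localtime show-timezone
service sequence-numbers
! local buffer (read with "show logging"), informational and above
logging buffered 32768 informational
! central syslog server: only warnings (level 4) and more severe
logging host 10.0.0.50
logging trap warnings
logging source-interface Loopback0
! SNMPv1/v2c: read-only community, polled only from the management network
access-list 10 permit 10.0.0.0 0.0.0.255
access-list 10 deny   any log
snmp-server community CHANGE_ME_RO RO 10
! no RW community at all: an RW string lets its holder rewrite the config
snmp-server location Rack 12
snmp-server enable traps snmp linkdown linkup
snmp-server host 10.0.0.50 version 2c CHANGE_ME_RO
! SNMPv3 (beyond the page's v1/v2c): authenticated and encrypted polling
snmp-server group NMS_GROUP v3 priv
snmp-server user nmsuser NMS_GROUP v3 auth sha CHANGE_ME_AUTH priv aes 128 CHANGE_ME_PRIV
! verification
show logging
show snmp community
show snmp user
```

The access-list on the community line is what turns "RO" into a real control: without it, the string alone is the only thing standing between the network and a full config dump. The trap level is kept at warnings so the collector is not flooded with the informational noise that stays in the local buffer.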


SSH

AAA
TACACS, ACS

Local Database on router itself

A RADIUS server centralizes authentication when there are too many Cisco devices to add users to individually.

ACS is used when you want to give granular authorization for specific commands to certain users.

Attach ACS to Active Directory, LDAP, etc., so that authentication updates propagate everywhere like a spiderweb.
First go into conf t and enter aaa new-model.

Setting up TACACS via CLI

single-connection keeps one TCP connection open to the TACACS+ server instead of opening a new one per request, which avoids overhead.

You need to set up a key for authentication.

You can specify one host or multiple TACACS+ hosts.

Afterwards you need to specify on the TACACS+ server who its clients are.
Afterwards you can start creating users in the database.
Afterwards, you need to specify how the router should authenticate. Here a method list called MY_OWN is
created telling it to authenticate using TACACS+ and, if that is unavailable, to fall back to the local database. You have
different options, such as TACACS+ or RADIUS first and an alternate afterwards.

login local no longer exists once aaa new-model has been typed.

After creating the authentication method list as above, you can apply it to specific places, such as

the vty lines.
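The whole procedure from aaa new-model through applying the method list to the vty lines, as one added configuration example that also covers the SSH section above (SSH-only vty access). This is editor-added code rather than the notes' screenshots; the ACS servers 10.0.0.10/10.0.0.11, the domain example.com and every CHANGE_ME_* value are assumed placeholders.

```cisco
! Added example: TACACS+ AAA with local fallback, applied to SSH-only vty lines.
! Assumed: ACS servers 10.0.0.10 and 10.0.0.11, shared key and passwords are placeholders.
hostname R1
ip domain-name example.com
! local account, used only when the TACACS+ servers are unreachable
username admin privilege 15 secret CHANGE_ME_LOCAL
enable secret CHANGE_ME_ENABLE
aaa new-model
! one or more TACACS+ hosts; single-connection keeps one TCP session open
tacacs-server host 10.0.0.10 single-connection
tacacs-server host 10.0.0.11 single-connection
tacacs-server key CHANGE_ME_TACACS_KEY
! method list MY_OWN: try TACACS+ first, local database if it is unavailable
! (the ACS side must also list this router as a client with the same key)
aaa authentication login MY_OWN group tacacs+ local
aaa authorization exec MY_OWN group tacacs+ local
! default list for anything not given MY_OWN explicitly (e.g. the console)
aaa authentication login default local
! SSH: 2048-bit RSA key pair (needs hostname + domain-name first), version 2 only
crypto key generate rsa modulus 2048
ip ssh version 2
ip ssh time-out 60
ip ssh authentication-retries 3
line vty 0 4
 login authentication MY_OWN
 authorization exec MY_OWN
 transport input ssh
 exec-timeout 10 0
! verify / troubleshoot (the "AAA debugging" step)
show tacacs
debug aaa authentication
debug tacacs
```

Keep a console session open while testing: if the key or the server entry is wrong, the fallback to local only kicks in when the server is unreachable, not when it rejects you, so a typo in the shared key can lock out every vty login until it is fixed.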


To set up the default method list for local database authentication

AAA debugging

See the debug messages that came up.
Here we are creating a specific view for a specific group/person

After you create the view you need to specify what type of commands that view can execute.
Once you type in commands, you will get a list of command types to use for a view.

You can make this as granular as you like.

Here the configure command is being included in another view, along with specific command types.

Once completed, you can go ahead and enable the view, which gives you that level of access.

Finally create a user and password and link them to a created view.


Create a superview, which can combine views and add more commands.

Type enable view <name> to switch into it.
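The view procedure above (create the view, include command types, bind users, combine views in a superview) as one added configuration example. It is editor-added, not the notes' own screenshots; the view names HELPDESK, MONITOR and NOC and the CHANGE_ME_* secrets are assumed.

```cisco
! Added example: role-based CLI views and a superview. Names and secrets are assumed.
! Prerequisites: aaa new-model and an enable secret must already be set.
enable secret CHANGE_ME_ENABLE
aaa new-model
! from privileged exec, enter the root view first (prompts for the enable secret)
enable view
configure terminal
! view for first-line support: a few show commands plus interface descriptions
parser view HELPDESK
 secret CHANGE_ME_HELPDESK
 commands exec include show version
 commands exec include show ip interface brief
 commands exec include show interfaces
 commands exec include configure terminal
 commands configure include interface
 commands interface include description
! view for monitoring staff: every show command, nothing else
parser view MONITOR
 secret CHANGE_ME_MONITOR
 commands exec include all show
! superview combining both sets of commands
parser view NOC superview
 secret CHANGE_ME_NOC
 view HELPDESK
 view MONITOR
! bind local users to views; with AAA the view can also come from the server
username helpdesk view HELPDESK secret CHANGE_ME_U1
username noc view NOC secret CHANGE_ME_U2
! verification
show parser view all
```

Test each view by logging in as its user and running a command outside the list; it should be rejected as unrecognized. The "include" lines are allow-lists, so anything not named is unavailable, which is the least-privilege direction you want.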


Logon Security

Secure the flash image and config from being erased by copying them to a hidden section in the flash; the only way to
remove that protection is through the console port. You do not necessarily need a PCMCIA card for this, but you will need
enough flash for the image because it is big; otherwise store it on a server somewhere.
This is how to back up the config/image to the hidden section and restore them.

You can verify it too


Restore it when disaster hits
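The back up, verify and restore steps above as one added example using IOS Resilient Configuration. This is editor-added code, not the notes' screenshots; the image filename and rescue-cfg name are assumed placeholders.

```cisco
! Added example: Cisco IOS Resilient Configuration (secure bootset). Filenames assumed.
! --- enable (needs a flash large enough to hold the image)
configure terminal
 secure boot-image
 secure boot-config
 end
! --- verify: the archived files do not appear in "dir flash:"
show secure bootset
! --- disable: only accepted from the console port, which is the point
configure terminal
 no secure boot-image
 no secure boot-config
 end
! --- recover after the image and startup-config have been erased
! 1. in ROMMON, find the secured image and boot it (name is an assumed example)
rommon 1 > dir flash:
rommon 2 > boot flash:c2800nm-advipservicesk9-mz.124-15.T.bin
! 2. restore the archived config to a normal file, then load it
configure terminal
 secure boot-config restore flash:rescue-cfg
 end
copy flash:rescue-cfg running-config
copy running-config startup-config
```

Run show secure bootset after every image upgrade: the archived image is the one that was current when secure boot-image was entered, so an upgrade needs the feature disabled and re-enabled from the console to archive the new file.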

Access-Lists
Type ‘reload in 5’ if you are telnetted in, in case you lose connectivity after applying the access-list
(cancel it with reload cancel once you confirm you are still connected).

Be the Router – Bruce Lee: know whether you want inbound or outbound.


Standard access-list permitting one source's traffic going out a port

Permitting telnet or snmp from one network only.


Configuring extended access-list to permit http, https, and ftp access to a specific device

Standard access-lists get applied closer to the destination and extended access-lists closer to the
source. Remember this!
Established (matches TCP return traffic, i.e. segments with ACK or RST set; it is not stateful inspection)

Resequence an access-list when needed

Finally apply to appropriate place such as

Router(config-if)# ip access-group <name of access-list> {in | out}   (this is for interfaces)

Access-class for vty
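The ACL steps above (reload timer, standard list on the vty lines, extended list for http/https/ftp to one server with established, resequencing, applying with ip access-group and access-class) as one added configuration example. This is editor-added code, not the notes' screenshots; the 10.1.1.0/24 management LAN, the server 192.0.2.10 and the interface names are assumed.

```cisco
! Added example: standard vs extended ACLs, "established", resequencing, and
! applying with ip access-group / access-class. Assumed: 10.1.1.0/24 mgmt LAN,
! 192.0.2.10 a web/ftp server reached through Gi0/0.
! safety net when configuring remotely: reload in 5 minutes unless cancelled
reload in 5
! --- standard ACL: matches source only, so place it near the destination
!     (here the vty lines: telnet/ssh only from the management LAN)
ip access-list standard MGMT_ONLY
 permit 10.1.1.0 0.0.0.255
 deny   any log
line vty 0 4
 access-class MGMT_ONLY in
! --- extended ACL: source + destination + port, so place it near the source
ip access-list extended TO_SERVER
 remark allow web and ftp to the server only
 permit tcp any host 192.0.2.10 eq www
 permit tcp any host 192.0.2.10 eq 443
 permit tcp any host 192.0.2.10 eq ftp
 remark established only checks ACK/RST flags, it is not stateful inspection
 permit tcp any 10.1.1.0 0.0.0.255 established
 deny   ip any any log
interface GigabitEthernet0/0
 ip access-group TO_SERVER in
! renumber entries in steps of 10 so lines can be inserted between them later
ip access-list resequence TO_SERVER 10 10
! verify, then cancel the pending reload once you know you are still connected
show access-lists
show ip interface GigabitEthernet0/0 | include access list
reload cancel
```

The deny ... log entries at the end of each list are what make the ACL useful to the SOC as well as to the router: every hit on the implicit deny would otherwise be silent, while the explicit logged deny gives syslog the source address of whatever was blocked.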


SWITCH SECURITY

Port Security

Here we can specify how many devices can connect to a port and set the action taken when a violation
is committed.
Here we can specify a particular MAC address for a port, or use the sticky command to say that whatever is
connected first will be its home and no other device with a different MAC address may connect.

If a port is shut down (err-disabled) due to a violation, you need to do a shut first, then no shut.

Use “Cisco Works LMS” to track mac-addresses to see who violated.


The above shows a security violation on a particular interface.
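The port-security settings described above (maximum count, sticky or fixed MAC, violation action, recovering an err-disabled port) as one added configuration example. This is editor-added code, not the notes' screenshots; the interfaces, VLAN 10 and the MAC 0011.2233.4455 are constructed sample values.

```cisco
! Added example: port security with sticky MACs and violation recovery.
! Interfaces, VLAN and the MAC address below are assumed sample values.
interface FastEthernet0/1
 switchport mode access
 switchport access vlan 10
 switchport port-security
 ! at most two devices (e.g. IP phone + PC) on this port
 switchport port-security maximum 2
 ! learn whatever connects first and write it into the running config
 switchport port-security mac-address sticky
 ! restrict: drop offending frames and raise a syslog/SNMP trap, port stays up
 switchport port-security violation restrict
 switchport port-security aging time 120
 spanning-tree portfast
! alternative: pin one known MAC on a port that must only ever carry that host
interface FastEthernet0/2
 switchport mode access
 switchport port-security
 switchport port-security maximum 1
 switchport port-security mac-address 0011.2233.4455
 switchport port-security violation shutdown
! a port err-disabled by "violation shutdown" needs shut / no shut to come back,
! or let the switch recover it automatically after 5 minutes
errdisable recovery cause psecure-violation
errdisable recovery interval 300
! verification: violation counters, learned addresses, and err-disabled ports
show port-security
show port-security interface FastEthernet0/1
show port-security address
show interfaces status err-disabled
```

The choice between restrict and shutdown is an availability trade-off: shutdown is unambiguous and forces a human to look, restrict keeps the legitimate devices on the port working while the counter and trap still tell you something was plugged in that should not have been.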

Spanning-tree Security
Root guard can prevent any other switch from becoming root, regardless of its bridge ID.

Turn on BPDUGUARD on all ports that have pc/host plugged into it

Prevent Rogue DHCP from entering your environment.

A malicious attack can be someone who sets up a rogue DHCP server and acts as a man in the middle. To
prevent this, activate DHCP snooping and make the ports connected to the DHCP server trusted ports,
as well as the trunk ports connecting switch to switch.
Limit DHCP requests on ports by typing

Make a switch port analyzer interface on the switch.

Use monitor session # source with the interfaces you want to monitor, followed by whether you want send (tx), receive (rx) or
both. On the next line specify the destination port that this traffic is directed to.
STORM-CONTROL

Lets you control the switchport in the event that the broadcast/multicast from a certain port exceeds
a certain level, so that it does not peg the router/switch's processor and all its resources.
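The four switch-hardening items above (root guard and BPDU guard, DHCP snooping with a request rate limit, a SPAN session for the analyzer, and storm control) as one added configuration example. This is editor-added code, not the notes' screenshots; the port roles (Fa0/1-20 access, Gi0/1 trunk to the core, Gi0/2 DHCP server, Gi0/3 toward a satellite switch, Fa0/24 sniffer) and the VLANs are assumed.

```cisco
! Added example: STP guards, DHCP snooping, a SPAN session and storm control.
! Assumed roles: Fa0/1-20 host ports, Gi0/1 trunk to core, Gi0/2 DHCP server,
! Gi0/3 toward a downstream switch that must never become root, Fa0/24 sniffer.
! --- BPDU guard on every PortFast (host-facing) port: a BPDU err-disables it
spanning-tree portfast default
spanning-tree portfast bpduguard default
! --- root guard on the downstream-facing port, NOT on the uplink to the real
!     root: a superior BPDU there makes the port root-inconsistent instead
interface GigabitEthernet0/3
 switchport mode trunk
 spanning-tree guard root
! --- DHCP snooping: only trusted ports may send DHCP server replies
ip dhcp snooping
ip dhcp snooping vlan 10,20
no ip dhcp snooping information option
interface GigabitEthernet0/1
 switchport mode trunk
 ip dhcp snooping trust
interface GigabitEthernet0/2
 ip dhcp snooping trust
interface range FastEthernet0/1 - 20
 switchport mode access
 ! untrusted by default; also cap client DHCP requests at 10 per second
 ip dhcp snooping limit rate 10
 ! --- storm control: suppress broadcast/multicast above 20% of link bandwidth
 storm-control broadcast level 20.00
 storm-control multicast level 20.00
 storm-control action trap
! --- SPAN: mirror Fa0/5 in both directions to the port where the sniffer/NIPS sits
monitor session 1 source interface FastEthernet0/5 both
monitor session 1 destination interface FastEthernet0/24
! verification
show spanning-tree inconsistentports
show ip dhcp snooping
show ip dhcp snooping binding
show storm-control
show monitor session 1
```

Placement is the common mistake with root guard: it belongs on the ports where a root bridge must never appear (toward access or partner switches), never on the uplink toward the real root, where it would block the legitimate superior BPDUs. The DHCP snooping binding table built here is also what later features such as Dynamic ARP Inspection rely on.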
Network Admission Control NAC

EAP is great; for example, it can check whether you have updated virus definitions and, if not, send you to a
separate VLAN to get updated.
CSA

Unlike an antivirus, which waits for trouble to happen and then makes signatures, CSA acts like a
24-hour watchman that looks for anomalies and acts on them, e.g. by shutting the process down. Headless means it acts
but does not report; managed agents do report.
Cisco Firewalls

CBAC
Cisco Zone based Firewall

Zone Firewall guidelines


Zone based firewall config
QoS Match Statements

Match-any is an ‘or’ statement, match-all is an ‘and’ statement.

You can filter traffic into classes to see which traffic has priority.

Above you see a class map named test that filters for pop3 or smtp or imap.

Class Maps can be arranged according to access-list/interface/NBAR(application aka protocol)


After you create a class-map, create a policy map and hook it to the class-map.

Afterwards you have options on what you want to do to that traffic.

Above, Jeremy has given that class a rule of 20% of the bandwidth of that interface.

Afterwards you need to apply it to the particular interface just like an ACL.
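The class-map / policy-map / service-policy sequence above, with a match-any class beside a match-all class so the OR/AND difference is visible, as one added configuration example. This is editor-added code, not Jeremy's or the notes' screenshots; the class and policy names, the mail server 10.1.1.25 and Serial0/0/0 are assumed.

```cisco
! Added example: QoS class-map / policy-map for mail traffic, matched with NBAR.
! The 20% figure follows the page; names, server and interface are assumed.
! match-any = OR: a packet is MAIL if it is pop3 OR smtp OR imap
class-map match-any MAIL
 match protocol pop3
 match protocol smtp
 match protocol imap
! match-all = AND: must be mail traffic AND come from the mail server
ip access-list extended MAIL_SERVER
 permit ip host 10.1.1.25 any
class-map match-all MAIL_FROM_SERVER
 match class-map MAIL
 match access-group name MAIL_SERVER
! policy map hooks each class to an action; first matching class wins
policy-map WAN_OUT
 class MAIL_FROM_SERVER
  bandwidth percent 20
 class MAIL
  bandwidth percent 5
 class class-default
  fair-queue
! apply to the interface with a direction, just like an ACL
interface Serial0/0/0
 service-policy output WAN_OUT
! verification: per-class packet counters and drops
show class-map
show policy-map interface Serial0/0/0
```

Class order inside the policy map matters: the more specific MAIL_FROM_SERVER is listed before the general MAIL class, otherwise everything from the server would be caught by the broader class first and never see its 20% guarantee.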

Creating Zones via cli


Creating zones via SDM, DMZ created here.

Create Class Map Via SDM after


The "Any conditions" option = or statement; "All conditions" = and statement.

CLI commands to be delivered.


Next create a policy

Associate a class-map
Finally you must create a zone pair
In the future when you want to add more rules, just create a map class first

After just edit the existing Policy map
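The zone-based firewall build-out (zones and zone membership, class maps, inspect policy, zone pairs) from the CLI, as one added configuration example for the SDM sequence above. This is editor-added code, not the notes' SDM screenshots; the interface roles, the DMZ web server 192.0.2.10 and all names are assumed.

```cisco
! Added example: zone-based firewall with INSIDE, OUTSIDE and DMZ zones.
! Interfaces, the DMZ server 192.0.2.10 and all names are assumed.
zone security INSIDE
zone security OUTSIDE
zone security DMZ
interface GigabitEthernet0/0
 description LAN
 zone-member security INSIDE
interface GigabitEthernet0/1
 description Internet
 zone-member security OUTSIDE
interface GigabitEthernet0/2
 description DMZ
 zone-member security DMZ
! --- INSIDE -> OUTSIDE: match-any (OR) over a protocol list, stateful inspect
class-map type inspect match-any INSIDE_TO_OUTSIDE_PROTOS
 match protocol http
 match protocol https
 match protocol dns
 match protocol icmp
 match protocol ssh
policy-map type inspect INSIDE_TO_OUTSIDE
 class type inspect INSIDE_TO_OUTSIDE_PROTOS
  inspect
 class class-default
  drop log
zone-pair security IN_OUT source INSIDE destination OUTSIDE
 service-policy type inspect INSIDE_TO_OUTSIDE
! --- OUTSIDE -> DMZ: match-all (AND): http AND destined to the web server only
ip access-list extended TO_DMZ_WEB
 permit ip any host 192.0.2.10
class-map type inspect match-all OUTSIDE_TO_DMZ_WEB
 match access-group name TO_DMZ_WEB
 match protocol http
policy-map type inspect OUTSIDE_TO_DMZ
 class type inspect OUTSIDE_TO_DMZ_WEB
  inspect
 class class-default
  drop log
zone-pair security OUT_DMZ source OUTSIDE destination DMZ
 service-policy type inspect OUTSIDE_TO_DMZ
! no OUTSIDE -> INSIDE zone-pair exists, so that direction is dropped by default;
! return traffic for inspected sessions is permitted automatically
! verification
show zone-pair security
show policy-map type inspect zone-pair sessions
```

To add a rule later, as the notes say, create the new class map first and then edit the existing policy map to reference it; the zone pair does not change. Traffic to the router itself (the self zone) is not covered by these pairs and keeps working unless you define a pair that includes self.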


IDS vs IPS
IPS Reporting
Configuring IPS via SDM
You need to get the public key from a text file on cisco.com under IPS; paste the key in there as well as the
public key name, which is in the same text file.

Specify the file as TFTP (use Tftpd32 and point it at the file), because Cisco screwed up and does not accept any
of the other options.
Certificates

Certificates contain name of device + private key, authority from Certificate Authority who vouches for
the device and its own signature.

Certificate Process:

CA forms a trust relation with device.


Certificate installed on devices:

You can set pre-shared key on each device to obtain certificate then manually change it later.
CA’s of the Internet

Certificate Standards
IPSEC Negotiation Protocols

IPSEC Negotiation Process


Interesting Traffic send using ACL:

IKE Phase 1

Both routers need to agree on a policy, then exchange Diffie-Hellman keys, then verify identity by certificate or
pre-shared key, etc.
In IKE Phase 2, the data exchange takes place using symmetric keys. You can set a lifetime in either time or
data size; when that lifetime expires, a new set of keys is generated.
Setting up VPN
First setting up IKE Phase 1
Verify your setting

AFTERWARDS YOU MUST REPEAT THIS ON THE OTHER ROUTER. SAVE TIME BY COPY AND PASTE.
IKE Phase 2

1. Copy the line to the other router.

2.

3. Create a mirrored ACL (the other router gets the mirror image).

4. Create the map.

STEPS OUTLINED….

Creating Site-to-Site VPNs with Pre-Shared Keys
Documentation:
1. Document your IKE Phase 1 negotiation criteria (example below)
Encryption algorithm: AES-128
Hashing: SHA-1
Authentication: pre-shared
Key exchange: Diffie-Hellman Group 2
2. Document your IPSec (IKE Phase 2) negotiation criteria (example below)
Encryption algorithm: esp-aes 128
Authentication: esp-sha-hmac
Configuring IKE Phase 1:
1. Enable ISAKMP: Router(config)#crypto isakmp enable
2. Create ISAKMP Policy: Router(config)#crypto isakmp policy <1-10000>
Router(config)#crypto isakmp policy 100
o Router(config-isakmp)#encryption aes 128
o Router(config-isakmp)#authentication pre-share
o Router(config-isakmp)#group 2
o Router(config-isakmp)#hash sha
3. Configure ISAKMP Identity: Router(config)#crypto isakmp identity
<address/hostname>
4. Configure pre-shared keys: Router(config)#crypto isakmp key <key> address
<remote_ip>
Configuring IKE Phase 2:
1. Create transform sets: Router(config)#crypto ipsec transform-set <name> <methods>
Router(config)#crypto ipsec transform-set JEREMY esp-aes 128 esp-sha-hmac
2. (optional) Configure IPSec lifetime: Router(config)#crypto ipsec security-association lifetime
<seconds/kilobytes> <value>
3. Create mirrored ACLs defining traffic to be encrypted and the traffic expected to be received encrypted
4. Set up IPSec crypto-map: Router(config)#crypto map <name> <seq> ipsec-isakmp
Router(config)#crypto map MAP 100 ipsec-isakmp
o Router(config-crypto-map)#match address <acl>
o Router(config-crypto-map)#set peer <remote_ip>
o Router(config-crypto-map)#set pfs <group1/2/5>
o Router(config-crypto-map)#set transform-set <set>
Verify:
show crypto isakmp policy
show crypto ipsec transform-set
show crypto ipsec sa
show crypto map
debug crypto isakmp
debug crypto ipsec

FINALLY APPLY THE MAP TO THE REQUIRED INTERFACE (Router(config-if)#crypto map <name>)


Verify again with show crypto isakmp sa (a command not in Jeremy’s doc).

This is what you want to see

QM_IDLE means the IKE Phase 1 SA is up and good; anything else means something is wrong.

More checking
Use SDM to make it easier
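The complete site-to-site procedure above, carried out on both routers with the page's own parameters (AES-128, SHA-1, DH group 2, esp-aes 128 / esp-sha-hmac) and followed by the verification commands, as one added configuration example. This is editor-added code, not Jeremy's document or the notes' screenshots; the WAN addresses 203.0.113.1/.2, the LANs 10.1.1.0/24 and 10.2.2.0/24 and the CHANGE_ME_PSK key are assumed placeholders. The parameters are kept as the page gives them for the exam; on current IOS, DH group 14 or higher and AES-256 are the stronger choices.

```cisco
! Added example: site-to-site IPsec VPN with pre-shared keys.
! Assumed: R1 WAN 203.0.113.1 / LAN 10.1.1.0/24, R2 WAN 203.0.113.2 / LAN 10.2.2.0/24.
! ===== R1 =====
crypto isakmp enable
! IKE Phase 1 policy: AES-128, SHA-1, pre-shared, DH group 2 (page values)
crypto isakmp policy 100
 encryption aes 128
 hash sha
 authentication pre-share
 group 2
crypto isakmp identity address
crypto isakmp key CHANGE_ME_PSK address 203.0.113.2
! IKE Phase 2: transform set and optional SA lifetime (rekey every hour)
crypto ipsec transform-set JEREMY esp-aes 128 esp-sha-hmac
 mode tunnel
crypto ipsec security-association lifetime seconds 3600
! interesting traffic: R1 LAN to R2 LAN
ip access-list extended VPN_TRAFFIC
 permit ip 10.1.1.0 0.0.0.255 10.2.2.0 0.0.0.255
crypto map MAP 100 ipsec-isakmp
 match address VPN_TRAFFIC
 set peer 203.0.113.2
 set pfs group2
 set transform-set JEREMY
interface GigabitEthernet0/0
 ip address 203.0.113.1 255.255.255.252
 crypto map MAP
! ===== R2: the mirror image (peer, key address and ACL directions swapped) =====
crypto isakmp policy 100
 encryption aes 128
 hash sha
 authentication pre-share
 group 2
crypto isakmp key CHANGE_ME_PSK address 203.0.113.1
crypto ipsec transform-set JEREMY esp-aes 128 esp-sha-hmac
ip access-list extended VPN_TRAFFIC
 permit ip 10.2.2.0 0.0.0.255 10.1.1.0 0.0.0.255
crypto map MAP 100 ipsec-isakmp
 match address VPN_TRAFFIC
 set peer 203.0.113.1
 set pfs group2
 set transform-set JEREMY
interface GigabitEthernet0/0
 ip address 203.0.113.2 255.255.255.252
 crypto map MAP
! ===== verify on either side, after sending traffic LAN to LAN =====
show crypto isakmp sa
! state QM_IDLE = Phase 1 up; anything else (e.g. MM_NO_STATE) = Phase 1 did not complete
show crypto ipsec sa
! #pkts encaps / #pkts decaps should increase on both routers
show crypto map
debug crypto isakmp
```

The tunnel only comes up when interesting traffic hits the crypto map, so a ping from one LAN to the other (not router to router over the WAN addresses) is what triggers negotiation. If Phase 1 never reaches QM_IDLE, compare the two policy blocks and the key lines first: a mismatched attribute or key is by far the most common cause and shows clearly in debug crypto isakmp.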
