ios security reference manual ver. 0.9

Upload: pawel-nadstoga

Post on 02-Jun-2018


  • 8/10/2019 IOS Security Reference Manual Ver. 0.9

    1/94

    IOS Security Reference Manual ver. 1.0 (2012-14)

    Created by Paul Nadstoga ([email protected])


    Contents

    SECURING THE EDGE ROUTER 1

    AAA 22

    ACLs 28

    CLI BASED FIREWALLS 39

    IPS & IDS 50

    LAYER 2 SECURITY 60

    IPSec 67

    APPENDIXES 8


    SECURING THE EDGE ROUTER

    Administrative Access Security

    Banners

    Login Security

    SSH

    Securing the System Files

    Clock Configuration

    System Logging

    Role-Based CLI

    Privilege Levels

    Enabling SDM Support

    Router Password Recovery Procedure

    Security Audits

    Sample Router Hardening Configuration


    BASIC SECURITY ver. 1.0 CREATED BY PAWEL PAUL NADSTOGA ([email protected]) 2012-14

    ADMINISTRATIVE ACCESS SECURITY

    STEP # COMMANDS COMMENTS

    GLOBAL SETTINGS

    CONFIGURE ENABLE PASSWORD: enable secret restricts access to privilege level 15,
    and the password is always stored hashed in the config using the MD5 algorithm.

    MIN. PASSWORD LENGTH: the recommended minimum password length is 10 characters.

    ENCRYPT PASSWORDS STORED IN CONFIG FILE: password encryption affects all the
    passwords created after the command was issued; passwords created prior to
    activation are not affected. Type 7 encryption is used (a very weak algorithm).
    Removing the command keeps already existing passwords encrypted.

    CREATE LOCAL USER DATABASE: 0 indicates that a plain text password will follow;
    5 indicates that an MD5 hashed password will follow.

    ADMINISTRATIVE PORTS

    ACCESS LINES CONFIG MODE

    CONFIGURE PASSWORDS: the password has to be configured before trying to issue
    the login | login local commands.

    ENABLE PASSWORD PROMPT:

    login enables the password prompt when trying to access a given line; checks
    the password against the configured value.

    login local enables the username | password prompt when trying to access a
    given line; checks the username and password against entries in the local
    user database.

    CONFIGURE IDLE TIMEOUT
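As an added example (not from the manual), the commands behind the steps above applied together on one router. The passwords, line numbers and the five-minute idle timeout are assumed values chosen for illustration:

```cisco
! Global settings (all secrets below are assumed example values)
! enable secret is stored as an MD5 (type 5) hash, never in plaintext
enable secret Ex4mple-Enable-Secret
! Reject any new password shorter than 10 characters
security passwords min-length 10
! Type 7 obfuscation for passwords that would otherwise sit in the config as plaintext
! (weak, but better than nothing for the line passwords below)
service password-encryption
! Local user: "secret 0" means a plaintext password follows and is hashed on entry;
! "secret 5" would mean an already-hashed MD5 string follows
username admin privilege 15 secret 0 Ex4mple-Admin-Pw
! Administrative ports: the console uses the line password, the VTYs the local database
line console 0
 password Ex4mple-Console-Pw
 login
 exec-timeout 5 0
line vty 0 4
 login local
 exec-timeout 5 0
 transport input ssh
! Check: show running-config | include secret|password|login|exec-timeout
```

The line password must exist before `login` is accepted on the console, and a local user must exist before `login local` is useful on the VTYs; `exec-timeout 5 0` closes a session idle for five minutes and zero seconds.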


    BANNERS

    STEP # COMMANDS COMMENTS

    CONFIGURE BANNERS

    Banner types:

    EXEC - displayed when an EXEC process is created
    INCOMING - displayed when there's an incoming connection on a terminal line
    LOGIN - displayed before the username and password login prompts
    MOTD - displayed upon successful login
    SLIP-PPP - displayed when a SLIP/PPP connection is made

    Tokens:

    $(hostname)
    $(domain)
    $(line)
    $(line-desc)

    & - delimiting character, indicates the beginning and end of the message
    (cannot be part of the message itself)


    LOGIN SECURITY

    STEP # COMMANDS COMMENTS

    ENABLE LOGIN ENHANCEMENTS

    Activates the other login enhancements.
    Starts in NORMAL (WATCH) mode, during which the router keeps track of the
    number of failed logins.
    QUIET mode is entered when the number of failed login attempts exceeds the
    defined limit; it blocks all login attempts for a defined number of seconds.
    An ACL can be applied to allow login attempts, while in QUIET mode, coming
    from permitted destinations.
    Introduces a 1 sec. delay between login attempts.
    The feature is helpful in mitigating DoS attacks.

    CONFIGURE LOGIN DELAY

    Delay in sec. between successive login attempts (both failed and successful).
    Helps mitigate dictionary attacks.

    RECORD SUCCESSFUL LOGINS

    To verify:

    Logs every successful login attempt.
    log - generates a syslog message
    trap - generates an SNMP trap

    RECORD FAILED LOGINS

    Alternatively:
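The login-security steps above and the banner section before them, as one added configuration example (not the manual's own text). The thresholds, the 10.0.0.0/24 management subnet, the delay and the banner wording are assumed values:

```cisco
! Login enhancements: 3 failures within 20 s puts the router into QUIET mode for 60 s
login block-for 60 attempts 3 within 20
! Addresses that may still log in while QUIET mode is active (assumed management subnet)
ip access-list standard MGMT-HOSTS
 permit 10.0.0.0 0.0.0.255
login quiet-mode access-class MGMT-HOSTS
! Fixed delay between successive login attempts, failed or successful
login delay 5
! Record every successful and every failed login as a syslog message
login on-success log
login on-failure log
! Banners: & is the delimiter and must not appear inside the message text
banner login &
Authorised access only. Sessions on $(hostname).$(domain) are monitored.
&
banner motd &
Welcome to $(hostname). You are connected on line $(line) ($(line-desc)).
&
banner exec &
EXEC session started on $(hostname).
&
! Check: show login, show login failures
```

`show login` reports the current mode (watch or quiet) and the configured thresholds; `show login failures` lists the recent failed attempts with source addresses, which is the detection value of `login on-failure log`.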


    SSH (SECURE SHELL)

    STEP # COMMANDS COMMENTS

    CONFIGURE HOSTNAME

    CONFIGURE DOMAIN NAME

    GENERATE 1-WAY SECRET KEY (RSA KEY PAIR)

    To verify:

    To erase:

    The minimum recommended value is 1024 bits.
    SSH ver. 1 is automatically enabled once the keys are generated.

    CREATE LOCAL USER DATABASE ENTRY

    ENABLE VTY INBOUND SSH SESSIONS

    *SET SSH VERSION: version 2 provides better encryption and integrity checking
    than ver. 1.

    *TUNE EXEC-TIMEOUT

    *TUNE LOGIN ATTEMPTS LIMIT

    TSHOOT show ip ssh

    show ssh
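The SSH steps above as one added configuration example (not from the manual). The hostname, domain name and password are assumed; the manual's minimum key size is 1024 bits, and the 2048-bit modulus below is a stronger choice, not the manual's value:

```cisco
! Hostname and domain name are needed before an RSA key pair can be generated
hostname R1
ip domain-name example.test
! RSA key pair (assumed choice: 2048 bits; the manual's recommended minimum is 1024)
crypto key generate rsa general-keys modulus 2048
! Verify / erase the key pair:
!   show crypto key mypubkey rsa
!   crypto key zeroize rsa
! Local user for login local on the VTYs (assumed password)
username admin privilege 15 secret Ex4mple-Admin-Pw
! Optional steps: force version 2 only, 60 s to authenticate, 2 retries
ip ssh version 2
ip ssh time-out 60
ip ssh authentication-retries 2
! Inbound SSH only on the virtual lines, with an idle timeout
line vty 0 4
 login local
 transport input ssh
 exec-timeout 5 0
! Check: show ip ssh, show ssh
```

`show ip ssh` confirms the negotiated version, timeout and retry limit; `show ssh` lists the active sessions and their ciphers.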


    SECURING THE SYSTEM FILES

    STEP # COMMANDS COMMENTS

    TO SECURE THE IOS IMAGE + CONFIGURATION

    SECURE THE IOS IMAGE: the Secure IOS Resiliency feature securely archives files
    in persistent storage - the secured files don't appear in the output of the
    dir or show flash commands.
    The feature will not prevent someone from viewing the files or accessing them
    from ROMMON mode.
    Denies all requests to copy, modify, or erase the secured files. Only files run
    locally can be secured.

    SECURE THE CONFIGURATION FILE

    TSHOOT show secure bootset

    TO RESTORE SYSTEM USING SECURED FILES:

    RELOAD THE ROUTER

    ENTER ROMMON MODE: hold the BREAK key

    VIEW FILES: dir

    BOOT WITH SECURED IOS: boot (image name)

    RESTORE CONFIGURATION
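The securing and restore steps above as one added walkthrough (not the manual's own text). The image file name is a placeholder, and `archived-config` is an assumed name for the restored configuration file:

```cisco
! --- Secure the running image and the running configuration ---
secure boot-image
secure boot-config
! The archived files are hidden from "dir" and "show flash" but are listed here
show secure bootset
! --- Restore after a reload: press BREAK to enter ROMMON, list flash, boot the secured image ---
rommon 1 > dir flash:
rommon 2 > boot flash:IMAGE-NAME-PLACEHOLDER.bin
! --- Once the secured image is up, write the archived configuration back to flash and load it ---
Router# secure boot-config restore flash:archived-config
Router# copy flash:archived-config running-config
Router# copy running-config startup-config
```

The resiliency feature protects against deletion or modification from the IOS CLI, not against someone with console access to ROMMON, which is why `no service password-recovery` (covered later in this chapter) is usually paired with it.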


    CLOCK CONFIGURATION

    STEP # COMMANDS COMMENTS

    MANUAL

    ISSUE CLOCK COMMAND: even when NTP is used, the clock still needs to be
    configured manually on the NTP server.

    NTP

    CONFIGURE NTP MASTER: sets the router as an NTP master with the number of hops
    away from the authoritative server.

    CONFIGURE NTP SLAVE: sets the router as an NTP slave with the IP address of
    the NTP master.

    ENABLE NTP AUTHENTICATION

    ntp authenticate - turns NTP authentication on.
    The authentication is for the benefit of a client, to ensure that it is
    getting the time from an authenticated server.
    Clients configured without authentication still get the time from the server.
    The difference is that these clients do not authenticate the server as a
    secure source.

    TSHOOT show ntp status

    show ntp associations detail
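The clock and NTP steps above as an added two-router example (not from the manual). The master's address 10.0.0.1, the stratum, the key id and the key string are assumed values; the same key id and string must exist on both sides:

```cisco
! --- NTP master (assumed address 10.0.0.1): its own clock is set by hand first ---
! EXEC mode, before configuring anything else:
!   clock set 12:00:00 2 Jun 2018
clock timezone UTC 0
! Authentication key, marked trusted, then authentication switched on
ntp authentication-key 1 md5 Ex4mple-Ntp-Key
ntp trusted-key 1
ntp authenticate
! Act as master at stratum 3 (assumed value)
ntp master 3
! --- NTP client: same key id and secret, pointing at the master ---
ntp authentication-key 1 md5 Ex4mple-Ntp-Key
ntp trusted-key 1
ntp authenticate
ntp server 10.0.0.1 key 1
! Check on the client: show ntp status, show ntp associations detail
```

In `show ntp associations detail` an authenticated peer shows `authenticated` in its flags; a client without `ntp authenticate` still synchronises but shows the peer as unauthenticated, which is the distinction the manual describes.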


    SYSTEM LOGGING

    STEP # COMMANDS COMMENTS

    LOCATE LOGGING SERVER

    * source-interface is optional and can be useful in situations where more
    than one link to the server exists (normally, the router will use information
    in the routing table to select the best path)

    SET LOGGING SEVERITY FOR THE MESSAGES SENT TO THE:

    o SERVER
    o CONSOLE
    o BUFFER
    o LINES

    LVL KEYWORD
    0 EMERGENCIES
    1 ALERTS
    2 CRITICAL
    3 ERRORS
    4 WARNINGS
    5 NOTIFICATIONS
    6 INFORMATIONAL
    7 DEBUGGING

    ENABLE LOGGING

    logging on - enables logging on all outputs
    Only the console logging is enabled by default.
    Logging to specific destinations can be controlled individually.

    TSHOOT show logging
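The logging steps above as one added example (not from the manual). The syslog server address 10.0.0.50, the Loopback0 source interface, the buffer size and the per-destination severities are assumed values:

```cisco
! Timestamp every log message so events can be correlated with other devices
service timestamps log datetime msec
! Remote syslog server (assumed 10.0.0.50), sourced from a stable loopback address
logging host 10.0.0.50
logging source-interface Loopback0
! Severity per destination: a keyword sends that level and everything more severe,
! so "informational" (6) forwards levels 0-6 and drops only debugging (7)
logging trap informational
logging buffered 16384 notifications
logging console critical
logging monitor warnings
! Enable logging to all configured outputs
logging on
! Check: show logging
```

Keeping the console at `critical` avoids a flood of messages on the serial console under load, while the buffer and the server still receive the notification-level events (interface up/down, configuration changes) an incident responder needs.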


    ROLE-BASED CLI

    STEP # COMMANDS COMMENTS

    ENABLE AAA: using CLI roles requires enabling AAA first.

    ACCESS ROOT VIEW

    Equivalent to a level 15 privilege user.
    Only Root can add / delete / modify views.
    The enable password is only required if it has already been configured.

    CREATE VIEWS

    To switch between views:

    To verify:

    The password has to be configured before trying to issue any other commands
    in the view sub-configuration mode.

    ADD COMMANDS TO A VIEW

    Examples:

    include - adds a command to the view
    exclude - removes a command from the view
    include-exclusive - adds a command to the view and prohibits it from being
    added to other views
    all - includes all commands in a given mode that start with the same keyword

    SUPERVIEW

    A superview is a collection of individual views.
    Commands cannot be added to a superview - they need to be added to one of the
    subordinate views.
    Deleting a superview does not delete the subordinate views.

    ASSIGN A VIEW TO A USER
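The role-based CLI steps above as one added example (not from the manual). The view names NETOPS, AUDIT and OPS, the user alice and all passwords are assumed values:

```cisco
! AAA must be on before views can be created
aaa new-model
enable secret Ex4mple-Enable-Secret
! EXEC: "enable view" enters the root view (prompts for the enable secret)
! A view for network operators: the secret must be set before any other view command
parser view NETOPS
 secret Ex4mple-NetOps-Pw
 commands exec include show ip route
 commands exec include all show interfaces
 commands exec include configure terminal
 commands configure include all interface
 commands interface include shutdown
! A view that owns "show running-config" exclusively (no other view may include it)
parser view AUDIT
 secret Ex4mple-Audit-Pw
 commands exec include-exclusive show running-config
 commands exec include all show logging
! Superview: a user of OPS gets the union of both views; commands go in the members
parser view OPS superview
 secret Ex4mple-Ops-Pw
 view NETOPS
 view AUDIT
! Bind a user to a view so that login lands directly in it
username alice view OPS secret Ex4mple-Alice-Pw
! EXEC: enable view NETOPS   (switch view)
! EXEC: show parser view      (verify the current view)
! EXEC: show parser view all  (verify all views, root view only)
```

`include all show interfaces` admits every `show interfaces ...` variant; `include-exclusive` is how a sensitive command such as `show running-config` is reserved for a single auditing role.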


    ENABLING SDM SUPPORT

    STEP # COMMANDS COMMENTS

    CONFIGURE HOSTNAME

    CONFIGURE DOMAIN NAME

    ENABLE HTTP SERVICES: ip http server - enables HTTP services

    ENABLE HTTPS SERVICES: ip http secure-server - enables SSL services

    ENABLE AUTHENTICATION: enables user authentication either via an AAA server
    or the local user database.

    CREATE A PRIVILEGE LVL 15 USER: the user running SDM has to have unrestricted
    access to the router's resources.

    TUNE HTTP CONNECTIONS

    idle - defines how long the connection will remain open if no data is sent /
    received (default = 180 sec.)
    life - defines how long the connection will be kept open to the server from
    the time it has been established (default = 180 sec.)
    requests - the number of concurrent requests processed on an existing
    connection

    CONFIGURE VIRTUAL LINES:

    o GRANT LVL 15 PRIVILEGES TO ANY USER THAT LOGS IN ON THE LINE
    o ENABLE AUTHENTICATION VIA THE LOCAL USER DATABASE
    o ENABLE SSH
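The SDM-support steps above as one added example (not from the manual). The hostname, domain, user name, password and the timeout-policy values are assumed:

```cisco
hostname R1
ip domain-name example.test
! HTTP and HTTPS listeners for SDM, authenticated against the local user database
ip http server
ip http secure-server
ip http authentication local
! The SDM user needs privilege level 15 (assumed name and password)
username sdmadmin privilege 15 secret Ex4mple-Sdm-Pw
! Tuning: 600 s idle, 86400 s lifetime, 10000 requests per connection (assumed values)
ip http timeout-policy idle 600 life 86400 requests 10000
! Virtual lines: level 15 after login, local authentication, SSH only
line vty 0 4
 privilege level 15
 login local
 transport input ssh
! Once the HTTPS listener is confirmed working, remove the clear-text one:
!   no ip http server
```

Leaving `ip http server` enabled exposes the level-15 credentials in clear text; the last comment is the hardening step a practitioner applies once SDM is reachable over HTTPS.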


    ROUTER PASSWORD RECOVERY PROCEDURE

    STEP # COMMANDS COMMENTS

    CONNECT TO THE ROUTER VIA CONSOLE PORT: the procedure requires physical access
    to the device and cannot be performed over a virtual connection.

    RECORD CURRENT REGISTER VALUE

    (...) Configuration register is 0x2102

    The register value dictates how the router acts during the bootup process,
    e.g. how the router boots and what options it's using.

    Relevant values:

    0x2102 - default setting, enters ROM if booting fails
    0x2142 - ignores the content of NVRAM

    POWER ROUTER OFF / ON

    ENTER THE ROMMON MODE: issue the break sequence within 60 seconds of power up.

    MODIFY THE REGISTER TO IGNORE THE STARTUP CONFIGURATION DURING BOOTUP

    rommon #1> confreg 0x2142

    REBOOT THE ROUTER: rommon #2> reset

    COPY STARTUP CONFIGURATION TO NVRAM: the command will override the default
    configuration the router booted up with.

    VIEW THE STARTUP CONFIG

    The purpose here is to view the startup configuration and try to recover the
    passwords.
    If the passwords are stored in an encrypted form and cannot be recovered, new
    ones should be configured.

    RESTORE THE REGISTER VALUE: the register is changed again to load the NVRAM
    content during boot up.


    * DISABLE PASSWORD RECOVERY

    To recover after the command was issued:

    issue break within 5 sec. of the image being decompressed
    confirm to delete the startup config
    the router will boot with default settings
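The recovery steps above, followed by the hardening command that closes the procedure, as one added console transcript (not the manual's own text). The new secret and the interface name are placeholders:

```cisco
! Before the power cycle: the register is shown on the last line of "show version"
Router# show version | include register
! ROMMON, after the break sequence within 60 s of power-up: ignore NVRAM, then reboot
rommon 1 > confreg 0x2142
rommon 2 > reset
! The router boots with a blank configuration; load the saved one over it
Router> enable
Router# copy startup-config running-config
Router# show startup-config
! Interfaces are administratively down after this copy; set new secrets and bring
! every interface back up before saving
Router# configure terminal
Router(config)# enable secret NEW-ENABLE-SECRET-PLACEHOLDER
Router(config)# interface GigabitEthernet0/0
Router(config-if)# no shutdown
Router(config-if)# exit
! Restore the register so the next boot loads NVRAM again, then save
Router(config)# config-register 0x2102
Router(config)# end
Router# copy running-config startup-config
! Hardening: after this, the only way past the break sequence is to wipe the startup config
Router(config)# no service password-recovery
```

`no service password-recovery` is the control that turns physical console access from "read the configuration" into "lose the configuration", which is why it belongs with the Secure IOS Resiliency feature on edge devices in unattended locations.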


    SECURITY AUDITS

    SDM SECURITY AUDIT WIZARD / CLI AUTO SECURE

    DISABLES: SNMP, Finger, PAD, TCP Small Servers, UDP Small Servers, IP BootP,
    IDENT, CDP, IP Source Route, IP Redirects, IP Proxy ARP, IP Directed
    Broadcast, MOP, IP Unreachables, IP Mask Reply

    ENABLES: password encryption, IP CEF, firewall rules on all outbound
    interfaces, unicast RPF on all outbound interfaces, logging

    SETS: minimum password length to 6 characters, local user database entries

    ONE STEP LOCKDOWN

    DISABLES: SNMP, Finger, PAD, TCP Small Servers, UDP Small Servers, IP BootP,
    IDENT, CDP, IP Source Route, IP Redirects, IP Proxy ARP, IP Directed
    Broadcast, MOP, IP Unreachables, IP Mask Reply

    ENABLES: password encryption, IP CEF, firewall rules on all outbound
    interfaces, unicast RPF on all outbound interfaces, SSH, AAA, TCP Keepalives
    Inbound / Outbound, seq. # and timestamps on debugs

    SETS: minimum password length to 6 characters, authentication failure rate


    SAMPLE ROUTER HARDENING CONFIGURATION

    GLOBAL

    set hostname
    set domain name
    enable password encryption
    set minimum password length = 7
    set privilege EXEC password

    SSH

    generate a 1024 bit RSA key
    enable SSH ver. 2
    set SSH timeout to 60
    set SSH authentication retries limit to 2
    create a user Admin with lvl. 15 privileges and encrypted password


    LOGIN

    disable login for 60 sec. if there are 3 failed login attempts within 20 sec.
    set login delay of 5 sec.

    BANNERS

    MOTD
    LOGIN


    DISABLE FEATURES AND SERVICES

    GLOBALLY

    o IP Source Routing
    o Finger
    o TCP Small Servers
    o UDP Small Servers
    o Cisco Discovery Protocol
    o BootP
    o TFTP Broadcast IOS
    o TFTP Broadcast Config.
    o DNS Lookup
    o IDENTD Services
    o X.25 PAD
    o Gratuitous ARPs
    o SNMP


    ON INTERFACES

    o Proxy ARP
    o ICMP Redirects
    o ICMP Unreachables
    o ICMP Mask Reply
    o Maintenance Operation Protocol
    o Cisco Discovery Protocol
    o IP Directed Broadcast

    ENABLE FEATURES AND SERVICES

    GLOBALLY

    o TCP Keepalives IN
    o TCP Keepalives OUT
    o Sequence Numbers And Timestamps On Debugs
    o Sequence Numbers And Timestamps On Logs
    o TCP Synwait Time
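The "disable" and "enable" lists above as one added configuration block (not the manual's own text). The global and SSH/login parts of the sample hardening configuration are covered by the examples in their own sections earlier in this chapter; only the service toggles are shown here. The interface name and the 10-second synwait value are assumed:

```cisco
! --- Disable unneeded services globally ---
no ip source-route
no service finger
no service tcp-small-servers
no service udp-small-servers
no cdp run
no ip bootp server
! TFTP broadcast of the IOS image and of the configuration
no boot network
no service config
no ip domain-lookup
no ip identd
no service pad
no ip gratuitous-arps
no snmp-server
! --- Disable per-interface helpers on every active interface (name assumed) ---
interface GigabitEthernet0/0
 no ip proxy-arp
 no ip redirects
 no ip unreachables
 no ip mask-reply
 no mop enabled
 no cdp enable
 no ip directed-broadcast
! --- Enable protective services globally ---
service tcp-keepalives-in
service tcp-keepalives-out
service sequence-numbers
service timestamps debug datetime msec
service timestamps log datetime msec
! Drop half-open TCP connections to the router after 10 s instead of the default 30 s
ip tcp synwait-time 10
```

The per-interface commands have to be repeated on each interface; `no cdp run` disables CDP everywhere, whereas `no cdp enable` switches it off on one interface only.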


    AAA

    AAA Local Authentication

    AAA Server Authentication (TACACS+)

    AAA Server Authorization (TACACS+)

    AAA Server Accounting (TACACS+)


    AAA LOCAL AUTHENTICATION

    STEP # COMMANDS COMMENTS

    ADD USERS TO THE LOCAL USER DATABASE

    ENABLE AAA

    Disables all other forms of authentication on the router.
    Local AAA Authentication is similar to the login local command with the
    addition of fallback mechanisms.

    DEFINE A LIST OF AUTHENTICATION METHODS

    EXAMPLE:

    The list is sequential.
    1-4 methods can be specified.
    The next method is used only when there's no response or an error from the
    previous method.
    The default list is used for all authentication if no other lists were
    specifically assigned.
    The default list contains only one method: local.
    On the console line, login succeeds without any authentication checks if
    default is not set.

    METHOD USES
    enable - enable password
    line - line password
    local - local user database
    local-case - local user database (case sensitive)
    none - no password required

    ASSIGN A LIST TO LINES / INTERFACES

    Different lists can be assigned to different lines / interfaces.


    * DEFINE A LIMIT FOR FAILED AUTHENTICATION ATTEMPTS

    To view locked accounts:

    To unlock an account:

    If the threshold is exceeded the user is locked out and further attempts are
    only possible if the administrator unlocks the account first.

    * CONFIGURE BANNERS AND PROMPTS

    aaa authentication banner - overrides the LOGIN banner
    aaa authentication fail-message - text displayed upon failed authentication

    TSHOOT

    show aaa user (all | username)
    show aaa sessions
    debug aaa authentication

    EXAMPLE:

    (* hardcoding a default method is not necessary)
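The local-AAA steps above as one added example (not the manual's own text). The list name CONSOLE, the lockout threshold of 5 and the banner wording are assumed values:

```cisco
! Local user first, so that there is someone who can log in once AAA is on
username admin privilege 15 secret Ex4mple-Admin-Pw
aaa new-model
! Default list: local database with case-sensitive usernames
aaa authentication login default local-case
! Named list for the console: local database first, enable secret as fallback
! (a method is only consulted when the previous one errors or does not respond)
aaa authentication login CONSOLE local enable
! Lock a local account after 5 failed attempts (assumed threshold)
aaa local authentication attempts max-fail 5
! Banner shown instead of the LOGIN banner, and the text shown on failure ($ is the delimiter)
aaa authentication banner $Authorised users only$
aaa authentication fail-message $Authentication failed - this event has been logged$
! Assign the lists to the lines
line console 0
 login authentication CONSOLE
line vty 0 4
 login authentication default
! Check locked accounts:   show aaa local user lockout
! Unlock an account:       clear aaa local user lockout username admin
! Troubleshooting:         show aaa user all, show aaa sessions, debug aaa authentication
```

`local enable` on the console list avoids the lockout the manual warns about: if the local database is emptied by mistake, the enable secret still admits the administrator at the console.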


    AAA SERVER AUTHORIZATION (TACACS+)

    STEP # COMMANDS COMMENTS

    CREATE A LEVEL 15 PRIVILEGE USER

    When AAA authorization is not enabled, all users are allowed full access.
    After authentication is started, the default changes to allow no access.
    This means that the administrator must create a user with full access rights
    before authorization is enabled.
    Failure to do so immediately locks the administrator out of the system the
    moment the aaa authorization command is entered.
    To recover, reboot the router.

    ENABLE AAA

    DEFINE TACACS+ SERVER

    DEFINE A LIST OF AUTHORIZATION METHODS

    RESOURCE TYPE - DESCRIPTION
    network - authorization for starting L2 connections
    exec - verifies if a user has access to an EXEC shell
    commands level_# - verifies if a user has access to a command at a specific
    privilege level

    TSHOOT debug aaa authorization

    debug tacacs authorization


    TSHOOT debug aaa accounting

    debug tacacs accounting

    EXAMPLE
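The TACACS+ authorization steps above, together with the accounting troubleshooting commands, as one added example covering authentication, authorization and accounting against a server (not the manual's own text). The server name, address, shared key and group name are assumed:

```cisco
! Local fallback user, created BEFORE authorization is switched on (avoids lockout)
username admin privilege 15 secret Ex4mple-Admin-Pw
aaa new-model
! TACACS+ server definition (assumed address and key) and a server group
tacacs server TAC1
 address ipv4 10.0.0.10
 key Ex4mple-Tacacs-Key
aaa group server tacacs+ TAC-GROUP
 server name TAC1
! Authentication: the server first, the local database if the server does not answer
aaa authentication login default group TAC-GROUP local
! Authorization: EXEC shell and level-15 commands; "local" keeps the admin in if the server is down
aaa authorization exec default group TAC-GROUP local
aaa authorization commands 15 default group TAC-GROUP local
! Accounting: session start/stop records and every level-15 command
aaa accounting exec default start-stop group TAC-GROUP
aaa accounting commands 15 default stop-only group TAC-GROUP
! Apply the lists to the virtual lines
line vty 0 4
 login authentication default
 authorization exec default
 authorization commands 15 default
 accounting exec default
 accounting commands 15 default
! Troubleshooting: debug aaa authorization, debug tacacs authorization,
!                  debug aaa accounting, debug tacacs accounting
```

Command accounting with `stop-only` produces one record per executed level-15 command on the TACACS+ server, which is the audit trail used to answer "who changed this configuration and when".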


    ACLs

    Standard ACLs

    Extended ACLs

    Misc ACL Features

    o Sequencing
    o Wildcards
    o Port Operators
    o TCP Established
    o Reflexive ACLs
    o Dynamic ACLs
    o Time Based ACLs
    o Turbo ACLs

    ACLs Verification and Tshooting


    STANDARD ACLs

    RANGE 1 - 99

    1300 - 1999

    FILTER BASED ON SOURCE ADDRESS

    POSITION AS CLOSE TO DESTINATION AS POSSIBLE

    WORK AT L3 NETWORK LAYER

    CONFIGURATION: STANDARD MODE

    ELEMENT SYNTAX COMMENTS

    REMARK: remarks are saved in the router's NVRAM.

    RULES

    log - generates a log entry every time a packet matches the ACL statement.
    Log messages are generated on the first match and then at 5 min. intervals.
    Should only be used when the network is under attack (very resource
    consuming).

    ACTIVATION

    EXAMPLE

    deny host Sydney (192.168.0.1) from reaching host Perth (192.168.0.2)

    allow all other traffic


    CONFIGURATION: SUB-CONFIGURATION MODE

    ELEMENT SYNTAX COMMENTS

    CREATE ACL

    REMARK

    RULES

    ACTIVATION

    The router doesn't evaluate traffic against an outbound ACL if the traffic is
    originated by the router itself, e.g. routing protocol updates.

    EXAMPLE

    deny host Sydney (192.168.0.1) from reaching host Perth (192.168.0.2)

    allow all other traffic
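The Sydney/Perth example from both the standard-mode and the sub-configuration-mode tables above, as one added configuration (not the manual's own text) showing the numbered and the named form side by side. The interface name GigabitEthernet0/1 and the list name BLOCK-SYDNEY are assumed:

```cisco
! --- Numbered form (standard range 1-99) ---
access-list 10 remark Block Sydney (192.168.0.1) from reaching Perth (192.168.0.2)
access-list 10 deny host 192.168.0.1
access-list 10 permit any
! Standard ACLs filter on source only, so they sit as close to the destination as
! possible: outbound on the interface that faces Perth (interface name assumed)
interface GigabitEthernet0/1
 ip access-group 10 out
! --- Named form, sub-configuration mode (replaces the numbered list above) ---
ip access-list standard BLOCK-SYDNEY
 remark Block Sydney (192.168.0.1) from reaching Perth (192.168.0.2)
 deny host 192.168.0.1
 permit any
interface GigabitEthernet0/1
 no ip access-group 10 out
 ip access-group BLOCK-SYDNEY out
! Check: show access-lists, show ip interface GigabitEthernet0/1 | include access list
```

Without the `permit any`, the implicit deny at the end of the list would drop every other host's traffic to Perth as well; `show access-lists` shows the per-line match counters used to confirm the deny is being hit.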


    EXTENDED ACLs

    RANGE 100 - 199

    2000 - 2699

    FILTER BASED ON

    DESTINATION ADDRESS

    SOURCE ADDRESS

    IP PROTOCOL (NAME / NUMBER)

    PROTOCOL INFORMATION

    o ICMP: message type

    o TCP /UDP: source and/or destination port names and numbers

    o TCP: flags

    POSITION

    AS CLOSE TO SOURCE AS POSSIBLE

    WORK AT L3 NETWORK LAYER

    L4 TRANSPORT LAYER

    CONFIGURATION: STANDARD MODE

    ELEMENT SYNTAX COMMENTS

    REMARK

    RULES

    ACTIVATION

    EXAMPLE

    allow all protocols used by IPSec suite originated by host Sydney (192.168.0.1) to reach host Perth (192.168.0.2)


    CONFIGURATION: SUB-CONFIGURATION MODE

    ELEMENT SYNTAX COMMENTS

    CREATE ACL

    REMARK

    RULES

    ACTIVATION

    EXAMPLE

    allow all protocols used by IPSec suite originated by host Sydney (192.168.0.1) to reach host Perth (192.168.0.2)
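The IPsec example from both extended-ACL tables above as one added configuration (not the manual's own text). It permits ESP (IP protocol 50), AH (51) and ISAKMP (UDP 500), and additionally UDP 4500 for NAT traversal, which goes beyond the manual's wording. The interface name and the list name SYDNEY-IPSEC are assumed:

```cisco
! --- Numbered form (extended range 100-199) ---
access-list 100 remark IPsec from Sydney (192.168.0.1) to Perth (192.168.0.2)
access-list 100 permit esp host 192.168.0.1 host 192.168.0.2
access-list 100 permit ahp host 192.168.0.1 host 192.168.0.2
access-list 100 permit udp host 192.168.0.1 host 192.168.0.2 eq isakmp
access-list 100 permit udp host 192.168.0.1 host 192.168.0.2 eq non500-isakmp
! Explicit deny so that "show access-lists" counts the dropped packets
access-list 100 deny ip any any log
! Extended ACLs sit as close to the source as possible: inbound on the interface facing Sydney
interface GigabitEthernet0/0
 ip access-group 100 in
! --- Named form, sub-configuration mode ---
ip access-list extended SYDNEY-IPSEC
 remark IPsec from Sydney (192.168.0.1) to Perth (192.168.0.2)
 permit esp host 192.168.0.1 host 192.168.0.2
 permit ahp host 192.168.0.1 host 192.168.0.2
 permit udp host 192.168.0.1 host 192.168.0.2 eq isakmp
 permit udp host 192.168.0.1 host 192.168.0.2 eq non500-isakmp
 deny ip any any log
interface GigabitEthernet0/0
 no ip access-group 100 in
 ip access-group SYDNEY-IPSEC in
```

`isakmp` and `non500-isakmp` are the IOS port names for UDP 500 and 4500; `esp` and `ahp` select the IP protocol numbers directly, since neither carries ports.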


    MISC ACL FEATURES

    ACLs are processed:

    o top-down, from the first to the last statement
    o until a packet matches a statement or the packet matches none of the statements
    o once a match is found, no more statements are processed

    the more restrictive statements should be at the top of the list and the less
    restrictive ones at the bottom
    by default, statements are added to the end of the list (can be overridden by
    using the sequence numbers)
    there is an invisible deny 0.0.0.0 255.255.255.255 statement at the end of the
    list that drops all traffic not explicitly permitted
    one ACL per protocol, per interface and per direction is allowed
    an empty ACL permits all traffic
    an ACL needs to have at least one statement permitting traffic for the
    invisible deny any to take effect
    an explicit deny ip any any statement should be put at the end of the ACL to be
    able to view hit counts for denied traffic

    SEQUENCING

    SYNTAX COMMENTS

    To resequence:

    Sequencing works only in sub-configuration mode (for both standard and
    extended ACLs).
    Each entry is given a unique sequence number.
    By default starts at 10 and increments by 10.
    Not stored in NVRAM; the IOS adds them when the router loads the startup
    config. into RAM.
    If no sequence number is specified the number will be the next increment
    (starting with 10).

    WILDCARDS

    SYNTAX COMMENTS

    host A.A.A.A = A.A.A.A 0.0.0.0

    access-list 100 permit ip 192.168.0.1 0.0.0.0 192.168.0.11 0.0.0.0
    = access-list 100 permit ip host 192.168.0.1 host 192.168.0.11

    any = 0.0.0.0 255.255.255.255

    access-list 10 permit 0.0.0.0 255.255.255.255
    = access-list 10 permit any

    access-list 100 permit ip 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255
    = access-list 100 permit ip any any

    0 = match exactly
    1 = ignore

    If the wildcard is omitted it defaults to 0.0.0.0 (only true for standard
    ACLs)
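The sequencing and wildcard sections above as one added example (not the manual's own text) that shows inserting an entry by sequence number, resequencing, and two wildcard masks beyond the `host`/`any` shorthands. The list name EDGE-IN and all addresses are assumed:

```cisco
! Named extended ACL; entries get 10, 20, 30 automatically if no number is typed
ip access-list extended EDGE-IN
 10 permit tcp 10.1.0.0 0.0.255.255 host 10.2.0.5 eq 443
 20 deny ip 10.1.3.0 0.0.0.255 any
 30 permit ip 10.1.0.0 0.0.255.255 any
! Insert between 10 and 20 without re-typing the list: the more specific
! permit goes ahead of the broader deny at 20 (first match wins)
ip access-list extended EDGE-IN
 15 permit udp 10.1.0.0 0.0.255.255 host 10.2.0.53 eq domain
! Wildcard bits: 0 = must match, 1 = ignored.
!   0.0.254.255 matches only even-numbered third octets (192.168.0.x, 192.168.2.x, ...)
!   0.0.1.255   matches a /23 (172.16.4.0 - 172.16.5.255)
 40 permit ip 192.168.0.0 0.0.254.255 any
 50 permit ip 172.16.4.0 0.0.1.255 any
! Explicit final deny so that dropped traffic is counted
 60 deny ip any any log
! Renumber starting at 100 in steps of 10 (10,15,20,... become 100,110,120,...)
ip access-list resequence EDGE-IN 100 10
! Check: show access-lists EDGE-IN
```

Because the sequence numbers are regenerated when the startup configuration is loaded, a list that has been edited in place can show different numbers after a reload; `ip access-list resequence` makes room for future insertions explicitly.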


    PORT OPERATORS

    SYNTAX COMMENTS

    Example:

    allow only HTTP traffic from R1 (10.0.0.1) to the R2 server (10.0.0.2)

    deny all incoming traffic on ports 10-25

    OPERATOR MATCHES

    eq match only packets on a given port

    range match only packets in the range of ports

    gt match only packets with a greater port number

    lt match only packets with a lower port number

    neq match only packets not on a given port number
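The two port-operator examples above as one added configuration (not the manual's own text). The list number 101 and the interface name are assumed:

```cisco
! Only HTTP from R1 (10.0.0.1) to the R2 server (10.0.0.2); any other R1 -> R2 packet is dropped
access-list 101 permit tcp host 10.0.0.1 host 10.0.0.2 eq www
access-list 101 deny ip host 10.0.0.1 host 10.0.0.2
! Deny all incoming traffic on destination ports 10-25, TCP and UDP
access-list 101 deny tcp any any range 10 25
access-list 101 deny udp any any range 10 25
! Everything else is allowed (otherwise the implicit deny would drop it)
access-list 101 permit ip any any
! Inbound on the interface where the traffic arrives (name assumed)
interface GigabitEthernet0/0
 ip access-group 101 in
! Check: show access-lists 101
```

The operator applies to whichever side it follows: `host 10.0.0.2 eq www` matches destination port 80, while `any eq www host 10.0.0.2` would match source port 80 instead; `gt`, `lt` and `neq` take the same position.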

    TCP ESTABLISHED PARAMETER

    SYNTAX COMMENTS

    Example:

    allow any HTTPS traffic to host SYDNEY (10.0.0.3) as long as it was
    originated by SYDNEY.

    Works only with extended ACLs.
    Allows / denies traffic coming from the outside that was initiated from the
    inside.
    Does not maintain stateful information.
    Checks TCP segments for the following flags (ACK or RST) and permits the
    packets if these bits are set.
    Available only for TCP; UDP and ICMP can only be permitted or denied.
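The SYDNEY example above as an added configuration (not the manual's own text). The list number 102 and the outside interface name are assumed:

```cisco
! Return traffic of HTTPS sessions that SYDNEY (10.0.0.3) opened: source port 443,
! destination SYDNEY, and only segments carrying ACK or RST (i.e. not a bare SYN)
access-list 102 permit tcp any eq 443 host 10.0.0.3 established
! Explicit deny so that blocked connection attempts are counted and logged
access-list 102 deny ip any any log
! Inbound on the interface facing the outside (name assumed)
interface Serial0/0/0
 ip access-group 102 in
! Check: show access-lists 102
```

Because no session state is kept, any segment from source port 443 with ACK or RST set matches, whether or not SYDNEY ever sent a SYN; `established` stops new inbound connections, not crafted traffic, so CBAC or a zone-based firewall is the right tool where genuine session tracking is required.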


    REFLEXIVE ACLs

    allow session filtering to be performed for any type of IP traffic
    remember outgoing traffic by dynamically building ACL entries and permit the
    returning traffic
    allow the local device to initiate traffic to the remote devices and get a
    response (but deny traffic initiated by the remote devices)

    SYNTAX COMMENTS

    CREATE AN OUTBOUND ACL

    reflect - creates a reflexive access list entry in the reflexive ACL (name)
    with the source and destination addresses swapped
    timeout - maximum time for the ACL entry to live (default = 300 sec.)
    reflexive ACLs are allowed on named ACLs only

    CREATE AN INBOUND ACL

    evaluate - nests an ACL within an ACL

    ASSIGN THE ACL TO AN INTERFACE

    EXAMPLE

    allow only TELNET and ICMP traffic into the local network as long as it was originated by HOME (98.174.249.99)

    deny all traffic originated from the remote network

    the ACLs need to be configured on the border router CLOUD on the outside interface s1/1
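The HOME/CLOUD example above as an added configuration (not the manual's own text). The list names OUTBOUND, INBOUND and HOME-SESSIONS and the 120-second timeout are assumed:

```cisco
! Global default lifetime for reflected entries (the per-entry timeout below overrides it)
ip reflexive-list timeout 120
! Outbound on s1/1: Telnet and ICMP that HOME (98.174.249.99) starts are mirrored
! into HOME-SESSIONS; other outbound traffic passes but is not reflected
ip access-list extended OUTBOUND
 permit tcp host 98.174.249.99 any eq telnet reflect HOME-SESSIONS timeout 120
 permit icmp host 98.174.249.99 any reflect HOME-SESSIONS
 permit ip any any
! Inbound on s1/1: only traffic matching a reflected entry; everything the remote
! network starts is dropped by the explicit deny
ip access-list extended INBOUND
 evaluate HOME-SESSIONS
 deny ip any any log
! Both lists on the outside interface of the border router CLOUD
interface Serial1/1
 ip access-group OUTBOUND out
 ip access-group INBOUND in
! Check: show access-lists   (reflected entries appear under HOME-SESSIONS while active)
```

A reflected entry is removed when the TCP session closes or when the timeout expires with no matching packets, so a short `timeout` keeps the window for returning traffic narrow; ICMP has no close handshake and relies on the timer alone.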


    DYNAMIC ACLs (LOCK AND KEY)

    opens a temporary door in the firewall and grants access to specified
    resources provided the user is authenticated using Telnet / SSH
    the access request is put on hold until the user is authenticated using a
    Telnet / SSH connection
    once authentication is complete the remote connection is dropped and a
    single-entry dynamic ACL is added to the existing extended ACL
    the traffic is permitted for a specified period (idle and absolute timeouts)
    only one policy can be configured for all dynamic ACL users and this single
    policy is applied to all the authenticated users

    SYNTAX COMMENTS

    CREATE LOCAL USER DATABASE ENTRY

    Supported methods of authentication:

    local user database
    AAA server
    line password

    CREATE A DYNAMIC ACCESS LIST

    The first statement has to allow remote access connections (Telnet or SSH).
    dynamic - defines what resources are available / prohibited once the
    authentication is successful
    only one dynamic statement per ACL is allowed
    timeout (absolute timer) - specifies the time window during which the
    DYNAMIC ACL rules are in effect (in minutes)

    ASSIGN THE ACL TO AN INTERFACE

    CONFIGURE THE VTY LINES

    autocommand - executes the command that follows after successful
    authentication
    access-enable - creates a temporary ACL entry
    host - replaces the ACL entry any with the user's address (dependent on ACL
    direction)
    idle - idle timeout (overridden by the absolute timer configured in the
    DYNAMIC ACL)


    EXAMPLE

    allow remote host JEREMY (172.30.2.11/24) to access 192.168.1.0/24 network upon successful authentication with REMOTE router (67.40.69.33/24)
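The JEREMY/REMOTE example above as an added configuration (not the manual's own text). The dynamic entry name OPEN-DOOR, the list number 120, the interface name, the password and the timers are assumed; SSH is used for the authenticating connection:

```cisco
! User who authenticates to open the door (assumed password)
username jeremy secret Ex4mple-Jeremy-Pw
! Outside-facing ACL on REMOTE: the first statement must admit the authenticating
! connection itself (SSH to the router's outside address 67.40.69.33)
access-list 120 permit tcp any host 67.40.69.33 eq 22
! The single dynamic statement: after authentication a temporary entry opens
! 192.168.1.0/24 for at most 120 minutes (absolute timer)
access-list 120 dynamic OPEN-DOOR timeout 120 permit ip any 192.168.1.0 0.0.0.255
! Apply inbound on the outside interface
interface Serial0/0
 ip address 67.40.69.33 255.255.255.0
 ip access-group 120 in
! The VTY lines authenticate the user, run access-enable and drop the session;
! "host" replaces "any" in the dynamic entry with the user's own address
! (172.30.2.11 for JEREMY), idle timeout 10 minutes
line vty 0 4
 login local
 transport input ssh
 autocommand access-enable host timeout 10
! Check: show access-lists 120   (the temporary entry is listed while the door is open)
```

Without the `host` keyword the temporary entry would keep `any` as the source and admit every outside address for the duration of the timers, so `host` is what limits the opened door to the authenticated user.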


    TIME BASED ACLs

    CREATE TIME RANGE

    absolute - single time period for which the time range is valid; if the start
    time is omitted it defaults to the current time on the router; if the end
    time is omitted it defaults to 23:59 31 December 2035
    periodic - recurring time period for which the time range is valid; if the
    day of week parameter is omitted, it defaults to the day of week configured
    for the beginning time

    APPLY TIME RANGE TO AN ACL

    APPLY ACL TO AN INTERFACE

    EXAMPLE

    allow web surfing only on the weekdays between 17:00 and 6:00

    TURBO ACLs

    SYNTAX COMMENTS

    To verify:

    Reduces the ACL lookup time by compiling ACLs into a hash table.
    The lookup time is the same no matter which ACL command is being looked up.
    Can only be used on an ACL that has more than three entries.
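The time-based example above, with the Turbo ACL command from the section that follows it, as one added configuration (not the manual's own text). The range name EVENINGS, the LAN 192.168.1.0/24, the list number 130 and the interface name are assumed:

```cisco
! Weekday evenings 17:00-06:00: the window crosses midnight, so it takes two periodic entries
time-range EVENINGS
 periodic weekdays 17:00 to 23:59
 periodic weekdays 00:00 to 06:00
! Web browsing from the LAN (assumed 192.168.1.0/24) only inside the window;
! outside it the same ports are denied and logged, other traffic is unaffected
access-list 130 permit tcp 192.168.1.0 0.0.0.255 any eq www time-range EVENINGS
access-list 130 permit tcp 192.168.1.0 0.0.0.255 any eq 443 time-range EVENINGS
access-list 130 deny tcp 192.168.1.0 0.0.0.255 any eq www log
access-list 130 deny tcp 192.168.1.0 0.0.0.255 any eq 443 log
access-list 130 permit ip any any
! Inbound on the LAN-facing interface (name assumed)
interface GigabitEthernet0/0
 ip access-group 130 in
! Turbo ACLs: compile every list with more than three entries into a hash table
access-list compiled
! Check: show time-range   (shows whether each range is currently active)
!        show access-list compiled
```

A time-based entry depends entirely on the router clock, which is one more reason the NTP authentication configured earlier in this manual matters: a skewed or spoofed clock silently changes what the ACL permits.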


    CLI BASED FIREWALLS

    CBAC

    Zone Based Firewall


    CBAC (Context Based Access Control)

    Cisco IOS based firewall that filters TCP and UDP packets based on their L7
    Application Layer information
    generates real time audits and trails
    creates and maintains a session table to build dynamic ACL entries

    CBAC CONFIGURATIONS

    STEP # COMMANDS COMMENTS

    IDENTIFY INTERFACE ROLES

    On what interfaces does the external traffic arrive?
    What outbound interfaces are used to reach external networks?
    INTERNAL - interface on which sessions can be initiated
    EXTERNAL - sessions initiated from external interfaces will be blocked; the
    ACL for the return traffic must be an extended ACL

    FILTER INGRESS TRAFFIC USING ACLs

    Example:

    Allow protocols that are necessary for the network to be operational, e.g.
    routing protocols.
    Deny all external traffic that tries to access the internal network.

    DEFINE INSPECTION RULES

    Example:

    alert on | off - displays messages on the console line concerning CBAC
    operation, e.g. DoS attacks (to globally disable alerts: no ip inspect
    alert-off)
    audit-trail on | off - keeps track of the connections inspected by CBAC
    (including valid and invalid access attempts), e.g. displays messages when
    CBAC adds / removes an entry from the state table. By default outputs to the
    console line, but logging to a syslog server is possible if enabled.
    router-traffic - inspects traffic generated by the router itself
    timeout - overrides the global TCP and UDP timeouts but does not override
    the global Domain Name Service (DNS) timeout


    ASSIGN INSPECTION RULES TO AN INTERFACE

    in - on an INTERNAL interface
    out - on an EXTERNAL interface
    no ip inspect - removes all CBAC commands, the state table, and all temporary
    ACL entries created by CBAC.
    It also resets all timeout and threshold values to the factory defaults.
    After CBAC is removed, all inspection processes are no longer available, and
    the router uses only the current ACL implementations for filtering.

    *TIMERS + THRESHOLDS

    tcp synwait-time - length of time CBAC waits for a new TCP session to reach
    the established state (default = 30 sec.)
    tcp finwait-time - length of time CBAC continues to manage a TCP session
    after receiving a FIN flag (default = 5 sec.)
    tcp idle-time - length of time CBAC continues to manage a TCP session with
    no activity (default = 3600 sec.)
    udp idle-time - length of time CBAC continues to manage a UDP session with
    no activity (default = 30 sec.)
    max-incomplete high - once the threshold for incomplete connections has been
    reached, CBAC will actively begin to delete them (default = 500 sessions)
    max-incomplete low - if the threshold for incomplete sessions has been
    breached, they will be deleted until this value is reached (default = 400
    sessions)
    one-minute high / low - as above but over the course of one minute
    max-incomplete host - threshold for incomplete TCP connections from a single
    host (default = connections), and how long connection attempts should be
    rejected if the threshold is reached (default = 0)


EXAMPLE

- the border router, Cloud, has two active interfaces: s1/0 (INSIDE) and s1/1 (OUTSIDE)
- OUTSIDE traffic cannot initiate connections to devices on the INSIDE and is dropped at the border router
- RIP updates are the exception; their exchange is crucial for the network operation
- devices on the INSIDE can initiate connections to OUTSIDE devices and the return traffic is permitted through the border router
- allowed protocols: HTTP, ICMP, TELNET
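The configuration for the scenario above, written here as an added example rather than the manual's own listing. The ACL name OUTSIDE-IN, the inspection rule name CBAC-OUT and the interface descriptions are assumptions; the timer and threshold values shown are the IOS defaults.

```cisco
! Added example (not the manual's own listing). Router "Cloud":
! s1/0 = INSIDE, s1/1 = OUTSIDE; RIP allowed in, HTTP/ICMP/TELNET inspected out.

! STEP 2 - ingress filter on the OUTSIDE interface.
! Must be an EXTENDED ACL: CBAC inserts its temporary return-traffic entries
! ahead of the static ones. Only RIP (UDP 520) is allowed in; everything
! else is dropped and logged.
ip access-list extended OUTSIDE-IN
 permit udp any any eq rip
 deny ip any any log

! STEP 3 - inspection rule (name CBAC-OUT is an assumption).
! "timeout 300" overrides the global TCP idle time for HTTP only.
ip inspect name CBAC-OUT http alert on audit-trail on timeout 300
ip inspect name CBAC-OUT telnet
ip inspect name CBAC-OUT icmp

! Global audit trail and DoS thresholds. These are the defaults; lower the
! max-incomplete / one-minute values on a small link where 500 half-open
! sessions would already be an outage.
ip inspect audit-trail
ip inspect tcp synwait-time 30
ip inspect tcp idle-time 3600
ip inspect udp idle-time 30
ip inspect max-incomplete high 500
ip inspect max-incomplete low 400
ip inspect one-minute high 500
ip inspect one-minute low 400
ip inspect tcp max-incomplete host 50 block-time 0

! STEP 4 - apply: inspection INBOUND on the INSIDE interface (sessions are
! initiated there), ingress ACL INBOUND on the OUTSIDE interface.
interface Serial1/0
 description INSIDE
 ip inspect CBAC-OUT in
!
interface Serial1/1
 description OUTSIDE
 ip access-group OUTSIDE-IN in

! Checks after an inside host opens an HTTP session:
!   show ip inspect sessions        - one entry per open HTTP/TELNET/ICMP flow
!   show ip inspect interfaces      - rule CBAC-OUT listed "in" on Serial1/0
!   show ip access-lists OUTSIDE-IN - the deny counter grows for blocked
!                                     outside-initiated attempts
```

Note that an outside host can still reach the router itself on UDP 520; a real deployment also restricts the RIP line to the known neighbour and adds RIP authentication.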


CBAC VERIFICATION AND TROUBLESHOOTING

COMMAND / VERIFIES
show ip inspect all: all available information
show ip inspect config: CBAC configuration
show ip inspect interfaces: rules activated on interfaces
show ip inspect name (rule_name): details of the given rule
show ip inspect sessions: summary of the inspected sessions in the CBAC state table
show ip inspect sessions detail: detailed information on the sessions in the CBAC state table
debug ip inspect detailed: information about all CBAC processes on the router (very verbose; use with care on a production router)
debug ip inspect timers: information related to CBAC timers, e.g. idle timer expiration
debug ip inspect object-creation: information about entries added to the CBAC state table
debug ip inspect object-deletion: information about entries removed from the CBAC state table
debug ip inspect function-trace: information about the software functions that CBAC calls
debug ip inspect events: CBAC events, including the processing of packets
debug ip inspect (protocol): protocol-related events for the given inspected protocol, e.g. tcp, udp or http


ZONE BASED FIREWALL

ZBF CONFIGURATION

STEP 1 - CREATE ZONES
A zone cannot be named self or null.
Traffic to and from the router's own interfaces (the self zone) is not subject to the inter-zone policies.
Traffic between a zone and the self zone is permitted by default (the self zone is the only exception to the default deny-all policy); restrict it with an explicit zone pair if needed, otherwise anything reachable on the outside interface can talk to the router's control plane.
A policy can be defined using the self zone either as the source or as the destination.
The self zone does not require any interfaces to be configured as members; all the IP interfaces on the router are automatically part of the self zone.

STEP 2 - ASSIGN INTERFACES TO THE ZONES
Once an interface is a member of a zone, all traffic to and from that interface (except traffic going to the router or initiated by the router) is dropped by default until a zone-pair policy permits it.
An interface can belong to only a single zone.
Traffic cannot flow between an interface with a zone assignment and an interface without a zone assignment.
Traffic between interfaces in the same zone is never filtered.
Interfaces should be grouped together based on their security requirements.
A zone must be created before interfaces can be assigned to it.
Even if there is no security reason for an interface to be a member of a zone, it may be necessary to put it into a zone and configure a pass-all (dummy) policy between that zone and any other zone to which traffic flow is desired, because traffic between zoned and unzoned interfaces is dropped.


STEP 3 - CREATE CLASS MAPS (L3/4 TYPE)
L3/4 class maps classify traffic based on information in the L3/4 headers (protocol, and addresses or ports via an ACL).
The order of the match statements is significant since they are processed top-down for a match.
Only stateful protocols supported by the router can be inspected.
type inspect: only class maps defined with this parameter can be used with ZBF.
match-any: a match on any of the conditions in the class map satisfies the requirements.
match-all: traffic needs to match all entries in the class map to be considered a match.
match protocol: specifies a particular protocol (only protocols the router can inspect statefully are allowed).
match access-group: traffic matching permit statements in a given ACL is included in the class map (traffic matching an ACL deny rule is excluded from the class, not dropped).
match class-map: includes (embeds) another class map, which allows for nesting, e.g. a match-all class that combines an address ACL with a nested match-any list of protocols.

STEP 4 - CREATE POLICY MAPS (L3/4 TYPE)
A policy map of type inspect lists the class maps in the order in which they are evaluated and assigns one action to each: inspect (stateful inspection, return traffic allowed), pass (stateless one-way permit) or drop (optionally with log). The implicit class-default at the end drops everything that did not match any class.
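A complete ZBF policy for the two-interface border router of the CBAC example above (INSIDE may open HTTP/ICMP/TELNET to OUTSIDE; OUTSIDE may only send RIP to the router itself), written as an added example rather than the manual's own listing. It also covers the zone-pair step, which is what binds a policy map to a direction of traffic. Zone, class-map, policy-map, zone-pair and ACL names are assumptions.

```cisco
! Added example (not the manual's own listing).
! s1/0 = INSIDE, s1/1 = OUTSIDE. All names below are assumptions.

! STEP 1 - zones ("self" exists implicitly and must not be created)
zone security INSIDE
zone security OUTSIDE

! STEP 3 - L3/4 class maps
class-map type inspect match-any CM-IN-OUT
 match protocol http
 match protocol icmp
 match protocol telnet
!
ip access-list extended ACL-RIP
 permit udp any any eq rip
class-map type inspect match-all CM-RIP
 match access-group name ACL-RIP

! STEP 4 - policy maps
!   inspect = stateful, return traffic is allowed automatically
!   pass    = stateless, this direction only (right for RIP, which is
!             not an inspectable protocol)
!   class-default drop log = everything else, and tell syslog about it
policy-map type inspect PM-IN-OUT
 class type inspect CM-IN-OUT
  inspect
 class class-default
  drop log
!
policy-map type inspect PM-OUT-SELF
 class type inspect CM-RIP
  pass
 class class-default
  drop log

! STEP 5 - zone pairs are unidirectional. Defining OUTSIDE->self replaces the
! default "permit everything to the router" with PM-OUT-SELF; self->OUTSIDE
! has no zone pair and keeps its default (permit), so the router's own RIP
! updates still leave. No OUTSIDE->INSIDE pair exists at all, so unsolicited
! outside traffic toward the inside is dropped.
zone-pair security ZP-IN-OUT source INSIDE destination OUTSIDE
 service-policy type inspect PM-IN-OUT
zone-pair security ZP-OUT-SELF source OUTSIDE destination self
 service-policy type inspect PM-OUT-SELF

! STEP 2 - membership, done last so that no traffic is black-holed while the
! policy is still being typed
interface Serial1/0
 zone-member security INSIDE
interface Serial1/1
 zone-member security OUTSIDE

! Checks:
!   show zone-pair security
!   show policy-map type inspect zone-pair sessions     - open sessions per class
!   show policy-map type inspect zone-pair ZP-IN-OUT    - per-class hit counters;
!                                                         class-default drops show
!                                                         what the policy rejects
```

The self-zone pair is the part most often forgotten: without it, a host on the outside can reach SSH, SNMP or HTTP on the router even though every inter-zone flow is locked down.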


ZBF VERIFICATION AND TROUBLESHOOTING

COMMAND / VERIFIES (arguments in parentheses are optional)
show zone security (zone_name): zones configured and the interfaces associated with each zone
show zone-pair security (source source_zone destination destination_zone): source and destination zones and the policy associated with each zone pair
show class-map type inspect (class-map_name): class maps configured on the router
show policy-map type inspect (policy-map_name): policy maps configured on the router
show policy-map type inspect zone-pair (zone-pair_name) (sessions): the ZBF state table (number of established sessions), each zone pair and its associated policy map, each policy map and its associated class maps, per-class-map hit statistics, the action taken for packets that fall under each class map, and the class-default characteristics (the class-default drop counter is the first place to look when "allowed" traffic is not getting through)
(config)#ip inspect log drop-pkt: logs packets dropped by the firewall to syslog
debug zone security events: debugs events associated with ZBF


ZBF POLICY DECISION FLOW (traffic crossing a zone pair)

1. Does the policy map include a class map? NO: apply the policy map's class-default, which is DROP.
2. YES: does the traffic match a class map associated with the policy map? YES: apply that class's policy statement.
3. NO match: has the default policy (class-default) been modified? YES: apply the modified default policy. NO: DROP.

POLICY STATEMENTS: DROP, PASS, INSPECT


IDS & IPS

IDS vs IPS
IPS Implementations
IPS Signatures
IPS Management and Monitoring
IPS Configurations
IPS Verification and Tshooting


IDS vs IPS

IDS (Intrusion Detection System)
- implemented to passively monitor network traffic
- an IDS-enabled device (e.g. a switch with a SPAN port) copies all traffic passing through to the port to which the IDS is connected
- the IDS appliance analyses the copy in an off-line manner by comparing it to known malicious signatures
- if a match is found the IDS can send a command to another device (router, firewall) to deny access / block the traffic

PROS
- off-line implementation (promiscuous mode) ensures no impact on network performance
- does not introduce latency, jitter or other traffic flow issues

CONS
- an IDS cannot stop the malicious traffic of single-packet attacks from reaching the target system
- an IDS requires assistance from other networking devices (e.g. routers, firewalls) to respond to an attack
- less helpful in stopping e-mail viruses and automated attacks, e.g. worms
- more vulnerable to network evasion techniques
- a well thought-out security policy is essential to successfully deploy an IDS

IPS (Intrusion Prevention System)
- implemented in inline mode: all ingress and egress traffic must flow through it for processing
- no traffic is allowed into the trusted network without first being analyzed
- an IPS can drop the trigger packet, all packets of the connection or all packets from a source IP address

PROS
- if the traffic matches a signature the IPS can stop the attack immediately
- an IPS can use traffic normalization techniques to reduce or eliminate many of the network evasion capabilities

CONS
- can negatively affect the packet flow of the forwarded traffic
- must be appropriately sized and implemented so that time-sensitive applications, e.g. VoIP, are not negatively affected
- errors, failures and overrunning the IPS sensor with too much traffic can introduce jitter and latency (and, if the sensor fails closed, an outage)


IPS IMPLEMENTATIONS

HOST BASED IPS IMPLEMENTATION
- installed on individual computers using HIPS (Host Intrusion Prevention System), e.g. CSA (Cisco Security Agent)
- HIPS audits host log files, file systems and resources
- protects systems using policies that network administrators configure and deploy on the agents
- the agents check whether an action is allowed or denied before any system resource is accessed and acted upon
- can stop attacks by reacting in real time, without any signature updates
COMMENTS: CSA contains two components: the Management Center (installed on a central server) and the Security Agents (installed on the hosts)

PROS
- can monitor OS processes and protect critical system resources, including files that may exist only on that specific host
- has access to traffic in unencrypted form
- with HIPS the success or failure of an attack can be readily determined

CONS
- does not provide a complete network picture and has difficulty coordinating the events happening across the entire network
- has to support multiple OSs

NETWORK BASED IPS IMPLEMENTATION
- analyzes network-wide activity looking for malicious activity
- sensors are deployed at designated network points that enable security managers to monitor network activity while it is occurring (regardless of the location of the target)
COMMENTS: sensors can be deployed as a module in a device, a dedicated appliance or a networking device with IPS capabilities (e.g. a router running IOS IPS). Additional sensors are only required when their rated traffic capacities are exceeded or their performance does not meet current needs.

PROS
- additional hosts can be deployed without requiring more sensors
- can easily see attacks that are occurring across the entire network
- does not need to support every type of OS

CONS
- does not know whether an attack was successful
- cannot examine encrypted traffic


IPS SIGNATURES

- malicious traffic displays distinct characteristics (signatures)
- a signature is a set of rules that an IDS or IPS uses to detect typical intrusive activity

ATOMIC SIGNATURES
- consist of a single packet, activity or event that is examined to determine whether it matches a configured signature
- because they can be matched on a single event there is no need for the IPS to maintain state information
- the entire inspection can be accomplished in an atomic operation that does not require knowledge of past or future activities
- detecting atomic signatures requires minimal resources (e.g. RAM) on the IPS / IDS device
- easy to identify and understand because they are compared against a specific event or packet
- an IDS is vulnerable to atomic packet attacks because until it finds the attack, the malicious single packets are already inside the network
- an IPS prevents atomic packet attacks from entering the network

COMPOSITE (STATEFUL) SIGNATURES
- the signature identifies a sequence of operations distributed across multiple hosts over a period of time
- the stateful properties of a composite signature usually require several pieces of data to match an attack signature
COMMENTS: event horizon - the length of time for which the signature must maintain state (can be adjusted; a longer horizon costs memory on the sensor)

IPS SIGNATURE ENGINES
ENGINE / CHARACTERISTICS / EXAMPLES
ATOMIC: signatures that examine single packets / ATOMIC.IP, ATOMIC.ICMP, ATOMIC.IPOPTIONS, ATOMIC.UDP, ATOMIC.TCP
SERVICE: signatures that examine the service that is attacked / SERVICE.DNS, SERVICE.HTTP, SERVICE.FTP
STRING: signatures that use regular expression-based patterns to detect intrusions / STRING.TCP, STRING.UDP, STRING.ICMP
MULTI-STRING: supports flexible pattern matching and Trend Labs signatures / MULTI-STRING
OTHER: internal engine that handles misc. signatures / NORMALIZER


IPS SIGNATURE TRIGGERS (ALARMS)

PATTERN BASED
- simplest triggering mechanism
- searches for a specific, pre-defined pattern
- network traffic is compared to a database of known attacks and an alarm is triggered if a match is found
- the pattern can be detected in a single packet (atomic) or in a sequence of packets (composite)
- tying patterns to well-known ports lessens the amount of inspection done on every packet, but makes it more difficult to deal with protocols and attacks that do not use well-defined ports

ANOMALY
- also known as profile-based detection
- triggers alarms upon detecting traffic that deviates from the normal profile (requires base-lining first)
- can detect new and unpublished attacks
- alarms can be misleading because not every deviation from normal traffic means malicious activity
- the administrator must guarantee that the network is free of attacks during base-lining
- it might be difficult to correlate an alert back to a specific attack (the alert only indicates that non-normal traffic was detected)

POLICY
- the administrator defines behaviours that are suspicious based on historical analysis
- enables a single signature to cover an entire class of activities without having to specify each individual situation

HONEYPOT
- uses a dummy server to attract attacks

IPS SIGNATURE ALARM TYPES
FALSE POSITIVE: alarm generated in response to normal traffic
FALSE NEGATIVE: no alarm generated in response to malicious traffic
TRUE POSITIVE: alarm generated in response to malicious traffic
TRUE NEGATIVE: no alarm generated in response to normal traffic (the desired outcome for benign traffic)


IPS SIGNATURE ACTIONS

GENERATE AN ALERT
ATOMIC ALERTS
- generated every time a signature is detected
- can be exploited by sending numerous bogus attacks against an IPS or application, flooding the sensor and the monitoring console with alerts
SUMMARY ALERTS
- a single alert that indicates multiple occurrences of the same signature from the same source
- limit the number of alerts generated and make it difficult for an attacker to consume resources on the sensor
- can be configured to summarize atomic alerts as well

LOG THE ACTIVITY
- by logging the alerts the administrator can perform analysis later, identify exactly what is taking place and decide whether it should be allowed or denied in the future

DROP / PREVENT THE ACTIVITY
- enables the device to stop an attack before it has the chance to perform malicious activity
- the analysis engine determines which packets should be forwarded and which should be dropped
- the drop action can be expanded to drop all packets of a specific session or all packets from a specific host for a specific amount of time

RESET TCP CONNECTION
- used to terminate TCP connections by generating a packet for the connection with the TCP RST flag set
- an IPS can use the TCP reset action to abruptly end a TCP connection that is performing unwanted operations
- can be used in conjunction with the deny packet / deny connection actions

BLOCK FUTURE ACTIVITY
- future traffic can be blocked by the IPS device updating the ACL on one of the infrastructure devices
- the ACL entry expires after a defined amount of time
- can be used in conjunction with other actions such as dropping unwanted traffic
- the IPS can block traffic at multiple locations throughout the network
- caveat: an attacker who spoofs source addresses can use this action to get legitimate addresses blocked, so blocks should be short-lived and critical infrastructure addresses should be excluded

ALLOW THE ACTIVITY
- allows the configuration of exceptions


IPS MANAGEMENT AND MONITORING

MANAGEMENT METHOD
- sensors can be managed individually or centrally
- in larger networks a centralized management system allows configuring and managing all IPS devices from a single station
LOCAL: SDM, IDM, IEV
CENTRAL: CSM, MARS

EVENT CORRELATION
- correlating attacks and other events that are happening simultaneously at different points across the network
- NTP should be used to ensure that all alerts are accurately time-stamped
- a correlation tool can correlate the alerts based on their timestamps
- a centralized monitoring facility allows for accurate event correlation
COMMENTS: Cisco MARS correlates not only IPS events but also other events on the network, e.g. syslog messages and NetFlow input.
SDEE (Secure Device Event Exchange): an alternative to syslog. The format was developed to improve the communication of events generated by security devices; it primarily communicates IDS events, but the protocol is intended to be extensible and allows additional event types to be included as they are defined. Cisco SDM can monitor both syslog and SDEE-generated events.

SECURITY STAFF
- large enterprises require the appropriate security staff to analyze the numerous alerts and to tune and optimize the IPS sensors

INCIDENT RESPONSE PLAN
- a response plan needs to be designed to restore the system to the state before the attack

MANAGING SIGNATURES
- upgrading sensors may mean network downtime (an inline sensor that is reloading is either a black hole or a bypass, depending on its fail-open / fail-closed setting)
- prefer automatic updates over manual ones if the number of sensors is high
- signature packs should be placed on a dedicated FTP server within the management network
- the FTP server should allow read-only access only
- a custom signature can be created if an update is not available
- the FTP server should be queried periodically and an update time window should be set


IPS CONFIGURATIONS

CONFIGURATION VIA CISCO CLI

STEP 1 - DOWNLOAD IOS IPS FILES
Required files:
- IOS-Sxxx-CLI.pkg (the signature package; xxx is the signature release number)
- realm-cisco.pub.key.txt (Cisco's public key, used by the router to verify the signature of the package)
In Cisco IOS software T-train releases prior to 12.4(11)T, and in all Cisco IOS Software 12.4 mainline releases, IPS signature selection involves loading an XML file onto the router. The XML file, called the signature definition file (SDF), contains a detailed description of each selected signature in Cisco IPS Sensor software 4.x signature format.
Starting with Cisco IOS release 12.4(11)T there are no built-in (hard-coded) signatures within the IOS software. Instead all signatures are stored in a separate signature file and must be imported. Releases 12.4(11)T and later use the newer 5.x format signature files, which can be downloaded from Cisco.com.

STEP 2 - CREATE AN IPS CONFIGURATION DIRECTORY IN FLASH
Any file system location will be accepted as long as there is write access.

STEP 3 - CONFIGURE AN IOS IPS CRYPTO KEY
The contents of realm-cisco.pub.key.txt are entered as a named key in a public key chain; the signature package will not load if the key is missing or mistyped. The key is removed again with the no form of the same command.

STEP 4 - LOAD THE SIGNATURE PACKAGE ONTO THE ROUTER
Commonly an FTP or TFTP server is used. Verify afterwards that the signatures were actually compiled, since a failed verification or an out-of-memory condition leaves the router without protection.

MODIFYING IPS SIGNATURES

MODIFYING A GROUP OF SIGNATURES (retiring or un-retiring whole categories, changing event actions)
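The complete IOS IPS bring-up and a signature-group change, written here as an added example rather than the manual's own listing; it covers steps 2 to 4 above plus the rule, notification and interface binding that sit between them. The directory name, rule name, FTP server address and package release number (S416) are assumptions, and the key material must be the real contents of realm-cisco.pub.key.txt.

```cisco
! Added example (not the manual's own listing) for a 12.4(11)T-or-later
! router. Directory, rule name, server address and package name are assumed.

! STEP 2 - a directory in flash for the compiled signatures
mkdir flash:ips

! STEP 3 - Cisco's public key (verifies the signature package). The lines
! between key-string and quit are the real key from realm-cisco.pub.key.txt.
configure terminal
crypto key pubkey-chain rsa
 named-key realm-cisco.pub signature
  key-string
   <paste the key-string lines from realm-cisco.pub.key.txt here>
  quit
 exit
! a wrongly pasted key is removed with:  no crypto key pubkey-chain rsa

! IPS rule, config location, event notification (SDEE + syslog).
! SDEE is pulled over HTTP(S); use the secure server, not "ip http server".
ip ips config location flash:ips retries 1
ip ips name IOSIPS
ip ips notify sdee
ip ips notify log
ip http secure-server
ip sdee events 500

! Retire everything, then un-retire the lightweight "ios_ips basic"
! category so the router does not try to compile the whole signature set
ip ips signature-category
 category all
  retired true
  exit
 category ios_ips basic
  retired false
  exit
 exit

! Bind the rule inbound on the OUTSIDE interface
interface Serial1/1
 ip ips IOSIPS in
 exit
end

! STEP 4 - load the package; the "idconf" target triggers the compile
copy ftp://192.0.2.10/IOS-S416-CLI.pkg idconf

! MODIFYING A GROUP OF SIGNATURES: enable one signature and change its
! event actions (ICMP Echo Request, signature 2004 subsig 0, as the example)
configure terminal
ip ips signature-definition
 signature 2004 0
  status
   retired false
   enabled true
   exit
  engine
   event-action produce-alert
   event-action deny-packet-inline
   exit
  exit
 exit
end

! Checks:
!   show ip ips signatures count   - compiled vs retired counts, "0 compiled"
!                                    means the package did not load
!   show ip ips interfaces
!   show logging                   - %IPS-4-SIGNATURE alerts after a ping in
```

Two things bite in practice: the key block is whitespace-sensitive when pasted through a terminal that wraps lines, and the compile can take several minutes on a small router, during which the interface forwards traffic uninspected.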


IPS VERIFICATION AND TROUBLESHOOTING

COMMAND / VERIFIES
show ip ips all: displays all IPS configuration data
show ip ips configuration: displays additional configuration data that is not displayed with show running-config
show ip ips interfaces: interface configuration data and the inbound / outbound rules applied
show ip ips signatures (detail): verifies the signature configuration (which signatures are compiled, retired or enabled)
show ip ips statistics: displays the number of packets audited and the number of alarms sent
clear ip ips statistics: resets the statistics on packets analyzed and alarms sent
clear ip ips configuration: removes all IPS configuration entries and releases dynamic resources


LAYER 2 SECURITY

Layer 2 Attacks
Securing Layer 2
  o DTP Modes
  o Switchport Security
  o STP Security
  o Misc


LAYER 2 ATTACKS

ATTACK / HOW IT WORKS / COMMENTS

MAC ADDRESS SPOOFING
- a rogue host masquerades or poses as another to receive otherwise inaccessible data or to circumvent security appliances
- performed by changing the MAC address of the rogue device to match the MAC address of a known device
- the attacking host then sends a frame into the network with the newly configured source MAC address
- when the switch receives the frame with the duplicated MAC address it removes the original entry and associates the MAC address with the attacker's port
- when the real host sends traffic again the switch examines that frame and the MAC address table is rewritten back, so the entry flaps between the two ports for as long as both keep transmitting
COMMENTS: port security with a static or sticky MAC address prevents the address from being learned on the attacker's port.

MAC ADDRESS TABLE OVERFLOW
- takes advantage of the limited size of the MAC address table and bombards the switch with fake source MAC addresses until the table is full; if enough entries are entered before older entries expire, the table fills up to the point that no new entries can be accepted
- when this happens the switch begins to flood all incoming unicast traffic for unknown destinations to all ports (effectively turning into a hub)
- the attacker can see all of the frames sent from one host to another (but only within the local VLAN)
COMMENTS: if the intruder does not maintain the flood of invalid source MAC addresses the switch eventually ages out the old MAC addresses from the table. The most common protection is to limit the number of dynamically learnt MAC addresses per port (port security). macof: this tool floods a switch with frames containing randomly generated source MAC and IP addresses; as long as it is running the switch acts as a hub.

STP MANIPULATION ATTACKS
- the attacker broadcasts BPDUs that contain false STP configuration and topology changes
- the aim is to promote the rogue device to the rank of ROOT BRIDGE, which results in the attacker having access to otherwise inaccessible traffic (frames now transit its links)
COMMENTS: PortFast with BPDU guard on access ports, root guard toward switches that must never become the root bridge.

LAN STORM ATTACKS
- LAN storm packets flood the LAN, creating excessive traffic and hurting network performance
- broadcasts and multicasts are flooded on all ports within the same VLAN
- storms can increase the CPU utilization on a switch to 100%
COMMENTS: may be caused by errors in the protocol stack implementation, misconfiguration or user-initiated DoS attacks. Mitigation: storm control.


VLAN ATTACKS
- exploiting DTP (Dynamic Trunking Protocol): the attacker negotiates a trunk with the switch port and thereby gains access to every VLAN carried on it
- double-tagging: the attacker sends a frame with two 802.1Q tags; the first switch strips the outer (native VLAN) tag and forwards the frame over the trunk with the inner tag still in place, so it ends up in the victim VLAN
COMMENTS: DTP exploitation can be done by spoofing DTP messages or by connecting a rogue switch. Double-tagging works only if the attacker's access port is in the same VLAN as the native VLAN configured on the trunk, and it is one-way (no return traffic reaches the attacker). Mitigation: disable DTP on access ports and use an otherwise unused native VLAN on trunks.


SECURING LAYER 2

DTP MODES

MODE / OVERVIEW / COMMENTS

TRUNK
- starts as a TRUNK port
- periodically sends DTP frames (advertisements) to the remote host
- unconditional trunking state

DYNAMIC AUTO
- starts as an ACCESS port
- periodically sends DTP frames to the remote host
- advertises that it is able to trunk
- does not request the remote host to go into trunking mode
- to hardcode the mode on an interface: S1(config-if)#switchport mode dynamic auto

DYNAMIC DESIRABLE (the default on older Catalyst platforms such as the 2950 and 3550; the 2960, 3560 and later default to dynamic auto)
- starts as an ACCESS port
- periodically sends DTP frames to the remote host
- advertises that it is able to trunk
- requests the remote host to go into trunking mode
- either dynamic default lets an attached host negotiate a trunk, which is why every host-facing port should be hardcoded

NONEGOTIATE
- disables the DTP protocol on the port (used together with an explicit access or trunk mode)
- use when connecting switches from different vendors, and on every access port so that a host cannot negotiate a trunk


DTP NEGOTIATION RESULTS (local mode in rows, remote mode in columns)

                   ACCESS    TRUNK     DYN AUTO  DYN DESIRABLE  NONEGOTIATE
ACCESS             ACCESS    MISMATCH  ACCESS    ACCESS         MISMATCH
TRUNK              MISMATCH  TRUNK     TRUNK     TRUNK          TRUNK
DYNAMIC AUTO       ACCESS    TRUNK     ACCESS    TRUNK          MISMATCH
DYNAMIC DESIRABLE  ACCESS    TRUNK     TRUNK     TRUNK          MISMATCH
NONEGOTIATE        MISMATCH  TRUNK     MISMATCH  MISMATCH       TRUNK

MISMATCH: one side trunks while the other stays in access mode, giving a one-way link and the classic source of VLAN leakage.


SWITCHPORT SECURITY

STEP / COMMENTS

SET PORT TO ACCESS MODE: a port can only be secured if it is in explicit ACCESS mode (port security is rejected on a port that is still negotiating with DTP).
ENABLE SWITCHPORT SECURITY: none of the port security settings take effect until this command is issued.
MAXIMUM MAC ADDRESSES: number of MAC addresses allowed on the port (default 1).
SECURITY VIOLATION MODE:
- protect: drops frames from all MAC addresses above the limit, silently (no log message, no counter; the hardest mode to troubleshoot)
- restrict: as above + sends a syslog message + sends an SNMP trap + increments the violation counter
- shutdown (default): puts the port into err-disabled state
To recover a port from err-disabled state: shut down and re-enable the interface manually, or let errdisable recovery re-enable it automatically after its timer.
MAC ADDRESS ENTRY:
- H.H.H: enter the MAC address manually (static secure address)
- sticky: learns the incoming MAC addresses dynamically and adds them to the running configuration as if they were static; they survive a reload only once the configuration is saved. If sticky learning is later disabled, the sticky addresses are converted to dynamic secure addresses and removed from the running configuration (they stay in the MAC table until they age out).
AGING:
- absolute: all secure addresses on this port age out exactly after the specified time and are removed from the secure address list
- inactivity: secure addresses on this port are aged out only if there is no data traffic from the secure source for the specified time period
TSHOOT: show port-security (interface), show port-security address
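DTP hardening and port security belong together, since the first port security step is fixing the port's mode; the following is an added example rather than the manual's own listing, and it covers both the DTP MODES and SWITCHPORT SECURITY sections above. Interface numbers, VLAN numbers and the printer's MAC address are assumptions.

```cisco
! Added example (not the manual's own listing): DTP hardening plus port
! security on an access switch. Interfaces, VLANs and the MAC are assumed.

! Host ports: explicit access mode + DTP off (no trunk negotiation, so no
! VLAN hopping). Port security is only accepted once the mode is explicit.
interface range FastEthernet0/1 - 24
 switchport mode access
 switchport access vlan 10
 switchport nonegotiate
 switchport port-security
 switchport port-security maximum 2
 switchport port-security violation restrict
 switchport port-security mac-address sticky
 switchport port-security aging time 10
 switchport port-security aging type inactivity
!
! Port with a known printer: one static secure MAC (assumed address),
! no sticky learning, so a second device on that port is a violation
interface FastEthernet0/1
 switchport port-security maximum 1
 no switchport port-security mac-address sticky
 switchport port-security mac-address 0000.0c12.3456
!
! Uplink: explicit trunk, DTP off, an otherwise unused native VLAN
! (defeats double-tagging) and a pruned allowed list.
! "switchport trunk encapsulation dot1q" is needed on 3560/3750 before
! "switchport mode trunk"; the 2960 has no such command.
interface GigabitEthernet0/1
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport nonegotiate
 switchport trunk native vlan 999
 switchport trunk allowed vlan 10,20
!
! Unused ports: parked in a VLAN that goes nowhere, and shut
interface range FastEthernet0/25 - 48
 switchport mode access
 switchport access vlan 999
 shutdown
!
! "restrict" keeps the port up and counts violations; for ports left in
! "shutdown" mode, auto-recover after 5 min instead of paging an admin
errdisable recovery cause psecure-violation
errdisable recovery interval 300
!
! Checks:
!   show port-security interface FastEthernet0/2  - mode, max, current count,
!                                                   violation counter, last MAC
!   show port-security address                    - sticky/static entries
!   show interfaces trunk                         - only Gi0/1 should be listed
!   show interfaces status err-disabled
```

"restrict" is the mode to prefer on user ports: the syslog message and the violation counter give the evidence that "protect" hides, while the port stays usable for the legitimate host.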


STP SECURITY

STEP / COMMENTS

PortFast
- spanning-tree portfast default: sets all non-trunking ports to PortFast (global)
- spanning-tree portfast: sets the given port to PortFast (the port moves straight to the forwarding state, skipping listening and learning; use only on ports that connect to end hosts, never on a port that can see another switch)

BPDU Guard
- spanning-tree portfast bpduguard default: enables BPDU guard on all PortFast ports (global)
- if a port with BPDU guard enabled receives a BPDU it is put into err-disabled state (a manual shut / no shut or errdisable recovery brings it back)
- should be enabled on all non-trunking (end-host) ports

BPDU Filter
- spanning-tree bpdufilter: disables sending and receiving of BPDUs on the port; because the switch then ignores a rogue bridge completely instead of blocking it, prefer BPDU guard on access ports and use the filter only where the design explicitly calls for it

Root Guard
- spanning-tree guard root: enables root guard on a per-interface basis
- if a port with root guard enabled receives a superior BPDU (one advertising a better bridge ID than the current root bridge), that port is moved into the root-inconsistent state (equivalent to the STP listening state: no traffic is forwarded) and recovers as soon as the offending BPDUs stop being received
- best deployed on ports that connect to switches that should never become the root bridge
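The three STP protections above on one access switch, as an added example that is not the manual's own listing. Interface numbers and the VLAN list are assumptions; the point of the example is which guard goes on which kind of port, because each one placed on the wrong port either does nothing or takes the uplink down.

```cisco
! Added example (not the manual's own listing): STP hardening on an access
! switch. Interface numbers and VLANs are assumptions.

! The root is decided by design on the distribution switch
! ("spanning-tree vlan 10,20 root primary" there); this switch must not win.
spanning-tree mode rapid-pvst

! Global PortFast + BPDU guard for every non-trunking port
spanning-tree portfast default
spanning-tree portfast bpduguard default

! Explicit per-port settings on host ports (survive a later mode change)
interface range FastEthernet0/1 - 24
 switchport mode access
 spanning-tree portfast
 spanning-tree bpduguard enable
!
! Uplink toward the distribution layer: it legitimately receives BPDUs, so
! no PortFast and no BPDU guard. Root guard is NOT wanted here either:
! the root lives on the far side of this link and the port would be held
! in root-inconsistent forever.
interface GigabitEthernet0/1
 switchport mode trunk
 no spanning-tree portfast
 spanning-tree bpduguard disable
!
! Downstream link to another (or a third-party) switch that must never
! become root: root guard. A superior BPDU puts the port into
! root-inconsistent until the BPDUs stop.
interface GigabitEthernet0/2
 switchport mode trunk
 spanning-tree guard root
!
! Auto-recover BPDU-guarded ports after 5 min, so a user who plugged in a
! home switch does not stay down until someone logs in
errdisable recovery cause bpduguard
errdisable recovery interval 300
!
! Checks:
!   show spanning-tree summary             - portfast/bpduguard defaults
!   show spanning-tree inconsistentports   - ports currently held by root guard
!   show spanning-tree interface GigabitEthernet0/2 detail
!   show interfaces status err-disabled
```

Rapid PVST+ matters here: with a legacy 802.1D timer set, the 30 seconds of listening/learning on a non-PortFast port is exactly the window in which users plug in hubs and "fix" the problem with PortFast on the wrong interface.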


MISC

Storm Control
- allows limiting, and optionally shutting down, interfaces that receive excessive broadcast, multicast or unicast traffic
- without a shutdown action the offending traffic class is simply dropped (suppressed) until the rate falls below the falling threshold; with action shutdown the port goes err-disabled and stays down until it is re-enabled manually or by errdisable recovery
- level (level-low): specifies the rising and falling suppression levels as a % of the total bandwidth of the port:
  level: rising suppression level (0.00 - 100.00); flooding of storm packets is blocked when the specified value is reached
  level-low: falling suppression level (0.00 - 100.00); by default equals the value of the rising suppression level
- bps (bps-low): specifies the rising and falling suppression levels as a rate in bits per second at which traffic is received on the port
- pps (pps-low): specifies the rising and falling suppression levels as a rate in packets per second at which traffic is received on the port
- action shutdown: puts the port into err-disabled status when a storm occurs
- action trap: the switch sends an SNMP trap when a storm occurs

SPAN Ports
- forwards all the traffic received on (and/or sent from) the specified source port(s) or VLAN to a specified destination port (mirrors the traffic) for further analysis, e.g. by an IDS sensor or a packet capture host
- the destination port does not forward normal traffic and, by default, does not accept ingress traffic from the attached device
- RSPAN allows mirroring traffic to a port on a remote switch through a dedicated RSPAN VLAN


IPSec

IPSec Configuration: IKE Phase 1
IKE Phase 2
IPSec Verification and Troubleshooting
IPSec Configuration Example
IPSec Planning Template


IPSec CONFIGURATION

IKE PHASE 1
IKE - Internet Key Exchange.
Phase 1 is used:
o to exchange and agree on the policy sets to be used
o to exchange DH keys
o to authenticate the peer
It can run in MAIN or AGGRESSIVE mode.

*ENSURE IPsec TRAFFIC IS ALLOWED
IPSec uses the following protocols:
ESP (IP 50)
AH (IP 51)
ISAKMP (UDP 500)
They have to be permitted, i.e. not blocked, on the interface using IPSec (restrictive traffic policies are most likely to be present on perimeter routers).

ENABLE ISAKMP
The default state of isakmp will differ depending on the IOS version.


CREATE ISAKMP POLICY
Each policy configured on a router is assigned a priority number, which is only locally significant (the lower the number, the higher the priority).
The peer initiating the negotiation sends all of its policies to the remote peer, which compares them with the locally configured ones until a match is found. The policies with higher priorities are compared first (that is why the most secure policies should have the lowest priority numbers).
For a match to be found, two policies have to use identical values for the following parameters:
AUTHENTICATION
ENCRYPTION
HASH
DH LEVEL
If a match is found, ISAKMP will use the DH algorithm to exchange keys and authenticate the peers.
If a match is not found, ISAKMP refuses the negotiation.
lifetime - specifies after what time the IKE Phase 1 tunnel is torn down and re-established (the value does not have to be identical on both ends; if a non-default value is used, the lower of the two values is used).
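The matching rule above, worked through in Python as an added example (not part of the manual): the responder walks its own policies from the lowest number upward and takes the first one whose four parameters match any policy the initiator offered, so numbering a weak policy before a strong one makes the weak one win even when both sides also hold the strong one. Policy values and the HOME/REMOTE names are constructed for the example.

```python
# Added example, not from the manual: a model of ISAKMP (IKE Phase 1) policy
# selection. Policy numbers are locally significant; the responder compares
# its policies in priority order (lowest number first) against every policy
# the initiator sent. Authentication, encryption, hash and DH group must all
# match; lifetime is not a match criterion and the lower value is used.
from dataclasses import dataclass

DEFAULT_LIFETIME = 86400  # IOS default ISAKMP SA lifetime in seconds


@dataclass(frozen=True)
class IsakmpPolicy:
    number: int           # priority: lower number = higher priority
    authentication: str   # e.g. "pre-share" or "rsa-sig"
    encryption: str       # e.g. "aes", "aes 256", "3des"
    hash_alg: str         # e.g. "sha", "md5"
    group: int            # DH group
    lifetime: int = DEFAULT_LIFETIME

    def matches(self, other: "IsakmpPolicy") -> bool:
        """The four parameters that must be identical for a match."""
        return (self.authentication == other.authentication
                and self.encryption == other.encryption
                and self.hash_alg == other.hash_alg
                and self.group == other.group)


def negotiate(initiator, responder):
    """Return (responder_policy, initiator_policy, lifetime) or None.

    The responder tries its own policies from the lowest number upward and
    compares each against everything the initiator offered. The first match
    ends the search; no match at all means the negotiation is refused.
    """
    for local in sorted(responder, key=lambda p: p.number):
        for offered in sorted(initiator, key=lambda p: p.number):
            if local.matches(offered):
                # lifetime: the lower of the two sides' values applies
                return local, offered, min(local.lifetime, offered.lifetime)
    return None


# Constructed sample: HOME is the initiator, the REMOTE_* sets are responders.
HOME = [
    IsakmpPolicy(10, "pre-share", "aes 256", "sha", 14, lifetime=3600),
    IsakmpPolicy(20, "pre-share", "aes", "sha", 2),
]
REMOTE_GOOD = [   # most secure policy carries the lowest number
    IsakmpPolicy(10, "pre-share", "aes 256", "sha", 14),
    IsakmpPolicy(60, "pre-share", "aes", "sha", 2),
]
REMOTE_BAD = [    # same two policies, but the weak one is numbered first
    IsakmpPolicy(10, "pre-share", "aes", "sha", 2),
    IsakmpPolicy(60, "pre-share", "aes 256", "sha", 14),
]
REMOTE_NONE = [IsakmpPolicy(10, "rsa-sig", "3des", "md5", 1)]

if __name__ == "__main__":
    for name, remote in (("good", REMOTE_GOOD), ("bad", REMOTE_BAD),
                         ("none", REMOTE_NONE)):
        print(name, negotiate(HOME, remote))
```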

CREATE ISAKMP LOCAL ID
The router can identify itself when communicating with the remote end using either its IP address or its hostname (both ends need to use the same form of identity).
Hostname should only be used when the router's IP address is subject to frequent changes, e.g. by the ISP.
If hostname is used, a DNS server must be present to resolve the hostname to its IP address.


CREATE PSKs
IF LOCAL ID = HOSTNAME
IF LOCAL ID = IP ADDRESS
The PSK has to be identical on both ends.


IKE PHASE 2
Phase 2 is used to:
o negotiate and establish IPSec SA (Security Association) parameters, protected by the existing IKE SA
o periodically renegotiate the IPSec SAs to ensure security
o optionally perform an additional DH exchange (with PFS)

*CREATE TRANSFORM SET
transform set - groups together security protocols and their protection methods and creates the security parameters that protect traffic traveling through the IPSec tunnel.
Multiple sets can be configured and multiple sets can be specified in a crypto map.
Each set is compared against each of the sets configured on the peer - at least one needs to match.
There are four groups of transforms (only one transform from each category can be used):
o AH AUTHENTICATION (hashing)
o ESP AUTHENTICATION (hashing)
o ESP ENCRYPTION
o COMPRESSION
mode transport - protection of L2 and below
mode tunnel - protection of L3 and below

*TUNE IPSec SA PARAMETERS


CREATE CRYPTO ACL
permit - encrypt the data
deny - send in plain text
The ACL criteria are applied in the forward direction to traffic exiting the router, and in the backward direction to traffic entering the router (the outbound ACL source becomes the inbound ACL destination).
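The mirror rule above, as an added example (not from the manual): a Python helper that parses the "permit ip" / "deny ip" lines of a named crypto ACL, derives the ACL the other peer needs, and checks a pair of ACLs against each other. The sample ACLs are the two from the configuration example later in this chapter; the copied ACL is a constructed misconfiguration, and only the "ip" protocol form used in this manual is handled.

```python
# Added example, not from the manual: crypto ACLs on the two peers must be
# mirror images, because the same ACL is matched forward on outbound traffic
# and backward on inbound traffic. Parses "permit ip <src> <wc> <dst> <wc>"
# entries, derives the mirror, and compares two ACLs.
import re
from typing import List, Tuple

Entry = Tuple[str, str, str, str, str]  # action, src, src_wc, dst, dst_wc

_LINE = re.compile(
    r"^\s*(permit|deny)\s+ip\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s*$")


def parse_crypto_acl(text: str) -> List[Entry]:
    """Parse the 'permit ip ...' / 'deny ip ...' lines of a crypto ACL."""
    entries: List[Entry] = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("!") or line.startswith("ip access-list"):
            continue  # blank lines, comments and the ACL header carry no entry
        m = _LINE.match(line)
        if not m:
            raise ValueError(f"unsupported ACL line: {line!r}")
        entries.append(m.groups())
    return entries


def mirror(entries: List[Entry]) -> List[Entry]:
    """The ACL the remote peer needs: source and destination swapped."""
    return [(act, dst, dst_wc, src, src_wc)
            for act, src, src_wc, dst, dst_wc in entries]


def is_mirrored(local_acl: str, remote_acl: str) -> bool:
    """True when the remote ACL is exactly the mirror of the local one."""
    return sorted(mirror(parse_crypto_acl(local_acl))) == \
        sorted(parse_crypto_acl(remote_acl))


def render(name: str, entries: List[Entry]) -> str:
    """Render entries back into IOS named extended ACL syntax."""
    lines = [f"ip access-list extended {name}"]
    lines += [f" {act} ip {src} {swc} {dst} {dwc}"
              for act, src, swc, dst, dwc in entries]
    return "\n".join(lines)


# Sample input: the two crypto ACLs from this chapter's configuration example.
HOME_ACL = """
ip access-list extended S2S-VPN-TRAFFIC
 permit ip 172.30.2.0 0.0.0.255 192.168.1.0 0.0.0.255
"""
REMOTE_ACL = """
ip access-list extended S2S-VPN-TRAFFIC
 permit ip 192.168.1.0 0.0.0.255 172.30.2.0 0.0.0.255
"""
# Constructed misconfiguration: REMOTE copied HOME's ACL verbatim, so the
# SA negotiation will fail to match the peer's proxy identities.
REMOTE_ACL_COPIED = HOME_ACL

if __name__ == "__main__":
    print(render("S2S-VPN-TRAFFIC", mirror(parse_crypto_acl(HOME_ACL))))
    print("mirrored:", is_mirrored(HOME_ACL, REMOTE_ACL))
    print("copied  :", is_mirrored(HOME_ACL, REMOTE_ACL_COPIED))
```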

*CREATE CRYPTO MAP
The crypto map binds all the IPSec information together.
Only one crypto map can exist on an interface.
If no PSKs are configured, the SA keys Phase 1 connection.
sequence number - used to prioritize multiple maps that may exist on a router (the lower the number, the higher the priority).
set pfs - (Perfect Forward Secrecy) performs a new DH exchange with each quick mode and provides key material that has a greater life and thereby greater resistance to cryptographic attacks (increases CPU usage).

ASSIGN CRYPTO MAP TO AN INTERFACE


IPSec VERIFICATION AND TROUBLESHOOTING

show crypto isakmp policy
show crypto ipsec transform-set
show crypto map
show crypto isakmp sa
show crypto ipsec sa
show crypto session detail
debug crypto isakmp
debug crypto ipsec
clear crypto isakmp (connection ID)
clear crypto sa
clear crypto sa peer
clear crypto sa map
clear crypto sa counters

COMMAND / VERIFIES

show crypto isakmp policy
Displays all of the isakmp policies defined on the router:
policy number
encryption algorithm
hashing algorithm
authentication method
DH group
lifetime

show crypto ipsec transform-set
Displays all of the transform sets defined on the router:
transform set name
encryption algorithm
hashing algorithm


show crypto map
Displays all of the crypto maps defined on the router:
map name and sequence number
peer associated with the map
ACL defining the interesting traffic associated with the map
transform set associated with the map
interface associated with the map

show crypto isakmp sa
IKE Phase 1 tunnel information:
source and destination
tunnel state (QM_IDLE desired)
tunnel status (ACTIVE desired)
MM = Main Mode
AG = Aggressive Mode
QM = Quick Mode

PHASE / STATE - DESCRIPTION
MM_NO_STATE / AG_NO_STATE - The tunnel has been initialized but nothing has been negotiated yet.
MM_SA_SETUP - The peers have negotiated the IKE Phase 1 policies.
MM_KEY_EXCH - DH has completed.
AG_INIT_EXCH - The peers have negotiated the Phase 1 policies and performed DH.
AG_AUTH - The Phase 1 authentication has completed.
QM_IDLE - The Phase 1 and/or Phase 2 sessions have completed successfully.


show crypto session detail - Displays tunnel information and statistics.
debug crypto isakmp - Debugs the process of creating the IKE Phase 1 tunnel.
debug crypto ipsec - Debugs the process of creating the IKE Phase 2 tunnel.
clear crypto isakmp (connection ID) - Clears active ISAKMP connections.
clear crypto sa - Clears all data SAs.
clear crypto sa peer (IP address | hostname) - Clears the data SAs associated with a specific peer.
clear crypto sa map - Clears all data SAs associated with a specific crypto map.
clear crypto sa counters - Clears the counters in the output of show crypto ipsec sa.


IPSec CONFIGURATION EXAMPLE

Secure the traffic sent between 172.30.2.0 /24 and 192.168.1.0 /24.

IKE PHASE 1: PLANNING

PEERS: PEER 1: HOME / PEER 2: REMOTE
LOCAL ID: IP ADDRESS (both peers)
IP ADDRESS: 98.174.249.99 / 67.40.69.33
POLICY NUMBER: #10 / #60
AUTHENTICATION: PRE SHARED KEY (both)
ENCRYPTION: AES 128 (both)
HASHING: SHA 1 (both)
DH LVL: 2 (both)
LIFETIME: 86,400 (both)
PRE SHARED KEY NAME: cbtkey (both)
PRE SHARED KEY ACCEPTED FROM: 67.40.69.33 / 98.174.249.99

IKE PHASE 2: PLANNING

TRANSFORM SET NAME: CBTVPN (both)
AH HASHING: N/A
ESP HASHING: ESP-SHA-1-HMAC
ESP ENCRYPTION: ESP-AES 128
COMPRESSION: N/A


CRYPTO ACL NAME: S2S-VPN-TRAFFIC / S2S-VPN-TRAFFIC
INTERESTING TRAFFIC: 172.30.2.0 /24 to 192.168.1.0 /24 (HOME) / 192.168.1.0 /24 to 172.30.2.0 /24 (REMOTE)
CRYPTO MAP NAME: S2S-VPN / S2S-VPN
SEQUENCE #: 100 / 200
INTERFACE: s1/0 / s1/1

IKE PHASE 1: CONFIGURATION
1. ENABLE ISAKMP
2. CREATE ISAKMP POLICY
3. CREATE ISAKMP LOCAL IDENTITY
4. CONFIGURE PRE-SHARED KEYS


IKE PHASE 2: CONFIGURATION
5. CREATE TRANSFORM SET
6. CREATE CRYPTO ACL


CONFIGURATION FILES

HOME
!
crypto isakmp policy 10
 encr aes
 authentication pre-share
 group 2
crypto isakmp key cbtkey address 67.40.69.33
!
crypto ipsec transform-set CBTVPN esp-aes esp-sha-hmac
!
crypto map S2S-VPN 100 ipsec-isakmp
 set peer 67.40.69.33
 set transform-set CBTVPN
 match address S2S-VPN-TRAFFIC
!
interface Serial1/0
 ip address 98.174.249.99 255.255.255.0
 serial restart-delay 0
 crypto map S2S-VPN
!
ip access-list extended S2S-VPN-TRAFFIC
 permit ip 172.30.2.0 0.0.0.255 192.168.1.0 0.0.0.255
!

REMOTE
!
crypto isakmp policy 60
 encr aes
 authentication pre-share
 group 2
crypto isakmp key cbtkey address 98.174.249.99
!
crypto ipsec transform-set CBTVPN esp-aes esp-sha-hmac
!
crypto map S2S-VPN 100 ipsec-isakmp
 set peer 98.174.249.99
 set transform-set CBTVPN
 match address S2S-VPN-TRAFFIC
!
interface Serial1/1
 ip address 67.40.69.33 255.255.255.0
 serial restart-delay 0
 crypto map S2S-VPN
!
ip access-list extended S2S-VPN-TRAFFIC
 permit ip 192.168.1.0 0.0.0.255 172.30.2.0 0.0.0.255
!


IPSec PLANNING TEMPLATE

IKE PHASE 1
PEER: PEER 1 / PEER 2
LOCAL ID:
IP ADDRESS:
POLICY NUMBER:
AUTHENTICATION:
ENCRYPTION:
HASHING:
DH LVL:
LIFETIME:
PRE SHARED KEY NAME:
PRE SHARED KEY ACCEPTED FROM:

IKE PHASE 2
TRANSFORM SET NAME:
AH HASHING:
ESP HASHING:
ESP ENCRYPTION:
COMPRESSION:
CRYPTO ACL NAME:
INTERESTING TRAFFIC:
CRYPTO MAP NAME:
SEQUENCE #:
INTERFACE:


APPENDIXES

IPv4 Subnetting
Common Ports
ACLs
Zone Based Firewall
IPSec


packetlife. by Jeremy Stretch v

IOS IPV4 ACCESS LISTS

Standard ACL Syntax
! Legacy syntax
access-list {permit | deny} [log]
! Modern syntax
ip access-list standard { | }
[] {permit | deny} [log]

Extended ACL Syntax
! Legacy syntax
access-list {permit | deny} [] [] []
! Modern syntax
ip access-list extended { | }
[] {permit | deny} [] [] []

Actions
permit - Allow matched packets
deny - Deny matched packets
remark - Record a configuration comment
evaluate - Evaluate a reflexive ACL

ACL Numbers
1-99, 1300-1999 - IP standard
100-199, 2000-2699 - IP extended
200-299 - Protocol
300-399 - DECnet
400-499 - XNS
500-599 - Extended XNS
600-699 - Appletalk
700-799 - Ethernet MAC
800-899 - IPX standard
900-999 - IPX extended
1000-1099 - IPX SAP
1100-1199 - MAC extended
1200-1299 - IPX summary

Source/Destination Definitions
any - Any address
host - A single address
Any address matched by the wildcard mask

TCP/UDP Port Definitions
eq - Equal to
neq - Not equal to
gt - Greater than
lt - Less than
range - Matches a range of port numbers

TCP Options
ack - Match ACK flag
fin - Match FIN flag
psh - Match PSH flag
rst - Match RST flag
syn - Match SYN flag
urg - Match URG flag
established - Match packets in an established session

IP Options
dscp - Match the specified IP DSCP
fragments - Check non-initial fragments
option - Match the specified IP option
precedence {0-7} - Match the specified IP precedence
ttl - Match the specified IP time to live (TTL)

Logging Options
log - Log ACL entry matches
log-input - Log matches including ingress interface and source MAC address

Miscellaneous Options
reflect - Create a reflexive ACL entry
time-range - Enable rule only during the given time range

Applying ACLs to Restrict Traffic
interface FastEthernet0/0
 ip access-group { | } {in | out}

Troubleshooting
show access-lists [ | ]
show ip access-lists [ | ]
show ip access-lists interface
show ip access-lists dynamic
show ip interface []
show time-range []


packetlife. by Jeremy Stretch v

IOS ZONE-BASED FIREWALL

Terminology
Security Zone - A group of interfaces which share a common level of security
Zone Pair - A unidirectional pairing of source and destination zones to which a security policy is applied
Inspection Policy - An inspect-type policy map used to statefully filter traffic by matching one or more inspect-type class maps
Parameter Map - An optional configuration of protocol-specific parameters referenced by an inspection policy

[Topology diagram: zones Trusted, Guest and Internet; Corporate LAN, Guest Wireless LAN, MPLS WAN and Internet attached via G0/0, G0/1, G0/2.10 and G0/2.20, as assigned in the zone configuration below]

Security Zones
! Defining security zones
zone security Trusted
zone security Guest
zone security Internet
! Assigning interfaces to security zones
interface GigabitEthernet0/0
 zone-member security Trusted
!
interface GigabitEthernet0/1
 zone-member security Internet
!
interface GigabitEthernet0/2.10
 zone-member security Trusted
!
interface GigabitEthernet0/2.20
 zone-member security Guest

Zone Pair Configuration
! Service policies are applied to zone pairs
zone-pair security T2I source Trusted destination Internet
 service-policy type inspect Trusted2Internet
zone-pair security G2I source Guest destination Internet
 service-policy type inspect Guest2Internet
zone-pair security I2T source Internet destination Trusted
 service-policy type inspect Internet2Trusted

Inspection Class Configuration
! Match by protocol
class-map type inspect match-any ByProtoco
 match protocol tcp
 match protocol udp
 match protocol icmp
! Match by access list
ip access-list extended MyACL
 permit ip 10.0.0.0 255.255.0.0 any
!
class-map type inspect match-all ByAccessL
 match access-group name MyACL

Inspection Policy Actions
Drop - Traffic is prevented from passing
Pass - Traffic is permitted to pass without stateful inspection
Inspect - Traffic is subjected to stateful inspection; legitimate return traffic is permitted in the opposite direction

Inspection Policy Configuration
policy-map type inspect MyInspectionPolicy
 ! Pass permitted stateless traffic
 class VPN-Tunnel
  pass
 ! Inspect permitted stateful traffic
 class Allowed-Traffic1
  inspect
 ! Stateful inspection with a parameter map
 class Allowed-Traffic2
  inspect MyParameterMap
 ! Drop and log unpermitted traffic
 class class-default
  drop log

Parameter Map Configuration
parameter-map type inspect MyParameterMap
 alert on
 audit-trail off
 dns-timeout 5
 max-incomplete low 20000
 max-incomplete high 25000
 icmp idle-time 3
 tcp synwait-time 3

Troubleshooting
show zone security
show zone-pair security
show policy-map type inspect
show class-map type inspect
show parameter-map type inspect
debug zone security events


packetlife. IPSEC

Encryption Algorithms (Type / Key Length (Bits) / Strength)
DES - Symmetric - 56 - Weak
3DES - Symmetric - 168 - Medium
AES - Symmetric - 128/192/256 - Strong
RSA - Asymmetric - 1024+ - Strong

Hashing Algorithms (Length (Bits) / Strength)
MD5 - 128 - Medium
SHA-1 - 160 - Strong

Protocols
Internet Security Association and Key Management Protocol (ISAKMP) - A framework for the negotiation and management of security associations between peers (traverses UDP/500)
Internet Key Exchange (IKE) - Responsible for key agreement using asymmetric cryptography
Encapsulating Security Payload (ESP) - Provides data encryption, data integrity, and peer authentication; IP protocol 50
Authentication Header (AH) - Provides data integrity and peer authentication, but not data encryption; IP protocol 51

IPsec Modes