IOS Security Reference Manual ver. 0.9
-
8/10/2019 IOS Security Reference Manual Ver. 0.9
1/94
IOS Security Reference Manual ver. 1.0 (2012-14)
Created by Paul Nadstoga ([email protected])
Contents
SECURING THE EDGE ROUTER 1
AAA 22
ACLs 28
CLI BASED FIREWALLS 39
IPS & IDS 50
LAYER 2 SECURITY 60
IPSec 67
APPENDIXES 8
SECURING THE EDGE ROUTER
Administrative Access Security
Banners
Login Security
SSH
Securing the System Files
Clock Configuration
System Logging
Role-Based CLI
Privilege Levels
Enabling SDM Support
Routers Passwords Recovery Procedure
Security Audits
Sample Routing Hardening Configuration
BASIC SECURITY ver. 1.0 CREATED BY PAWEL PAUL NADSTOGA ([email protected]) 2012-14
ADMINISTRATIVE ACCESS SECURITY
STEP # COMMANDS COMMENTS
GLOBAL SETTINGS
CONFIGURE ENABLE PASSWORD: enable secret - the password restricts access to privilege level 15 and is always hashed in the config using the MD5 algorithm.
MIN. PASSWORD LENGTH: the recommended min. password length is 10 characters.
ENCRYPT PASSWORDS STORED IN CONFIG FILE: the password encryption affects all the passwords created after the command was issued; passwords created prior to activation are not affected. Type 7 encryption is used (very weak algorithm). Removing the command will keep already existing passwords encrypted.
CREATE LOCAL USER DATABASE: 0 indicates that a plain text password will follow; 5 indicates that an MD5 hashed password will follow.
ADMINISTRATIVE PORTS
ACCESS LINES CONFIG MODE
CONFIGURE PASSWORDS: the password has to be configured before trying to issue the login | login local commands.
ENABLE PASSWORD PROMPT
login - enables the password prompt when trying to access a given line; checks the password against the configured value.
login local - enables the username | password prompt when trying to access a given line; checks the username and password against entries in the local user database.
CONFIGURE IDLE TIMEOUT
BANNERS
STEP # COMMANDS COMMENTS
CONFIGURE BANNERS
Banner types:
EXEC - displayed when an EXEC process is created
INCOMING - displayed when there's an incoming connection on a terminal line
LOGIN - displayed before username and password login prompts
MOTD - displayed upon successful login
SLIP-PPP - displayed when a SLIP/PPP connection is made
Tokens:
$(hostname)
$(domain)
$(line)
$(line-desc)
& - delimiting character, indicates the beginning and end of the message (cannot be part of the message itself)
LOGIN SECURITY
STEP # COMMANDS COMMENTS
ENABLE LOGIN ENHANCEMENTS
Activates other login enhancements.
Starts in NORMAL (WATCH) mode, during which the router keeps track of the number of failed logins.
The QUIET mode is initialized when the number of failed login attempts exceeds the defined limit. Blocks all login attempts for a defined number of seconds.
An ACL can be applied to allow login attempts coming from permitted destinations while in the QUIET mode.
Introduces a 1 sec. delay between login attempts.
The feature is helpful in mitigating DoS attacks.
CONFIGURE LOGIN DELAY
Delay in sec. between successive login attempts (both failed and successful).
Helps mitigate dictionary attacks.
RECORD SUCCESSFUL LOGINS
To verify:
Logs every successful login attempt.
log - generates a syslog message
trap - generates a SNMP trap
RECORD FAILED LOGINS
Alternatively:
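An added example, not part of the manual: a Python model of the WATCH / QUIET behaviour described above, parameterised like the login block-for command (block time, failure count, window) with an optional quiet-mode ACL. The addresses, the 10.0.0.0/8 management network and the log messages are constructed for the example; the assumption that a successful login does not clear the failure counter is the model's, not the manual's.

```python
from ipaddress import ip_address, ip_network


class LoginGuard:
    """Model of 'login block-for <block_for> attempts <attempts> within <within>'.

    WATCH mode counts failed logins inside a sliding window; once the count
    reaches the limit the guard enters QUIET mode for block_for seconds, during
    which every attempt is refused unless the source is permitted by the
    quiet-mode ACL. Modelling assumption: a successful login does not clear
    the failure counter.
    """

    def __init__(self, block_for, attempts, within, quiet_acl=()):
        self.block_for = block_for
        self.attempts = attempts
        self.within = within
        self.quiet_acl = [ip_network(n) for n in quiet_acl]
        self.failures = []        # timestamps of recent failures (WATCH mode)
        self.quiet_until = None   # end of QUIET mode, None while in WATCH mode
        self.log = []             # constructed syslog-style audit trail

    def mode(self, now):
        if self.quiet_until is not None and now < self.quiet_until:
            return "QUIET"
        if self.quiet_until is not None:
            self.log.append(f"{now}: quiet mode off, back to WATCH")
            self.quiet_until = None
        return "WATCH"

    def _acl_permits(self, src):
        return any(ip_address(src) in net for net in self.quiet_acl)

    def attempt(self, now, src, password_ok):
        """One login attempt at time `now` (seconds); returns ACCEPT, REJECT or BLOCKED."""
        if self.mode(now) == "QUIET" and not self._acl_permits(src):
            self.log.append(f"{now}: login from {src} blocked (quiet mode)")
            return "BLOCKED"
        if password_ok:
            self.log.append(f"{now}: login success from {src}")
            return "ACCEPT"
        # drop failures that fell out of the 'within' window, then count this one
        self.failures = [t for t in self.failures if now - t <= self.within]
        self.failures.append(now)
        self.log.append(f"{now}: login failed from {src}")
        if len(self.failures) >= self.attempts:
            self.quiet_until = now + self.block_for
            self.failures = []
            self.log.append(f"{now}: quiet mode on for {self.block_for}s")
        return "REJECT"


def quiet_mode_demo():
    """Three bad passwords within 20 s trip the 60 s quiet mode of the manual's sample config."""
    guard = LoginGuard(block_for=60, attempts=3, within=20, quiet_acl=["10.0.0.0/8"])
    outcomes = [guard.attempt(t, "203.0.113.5", False) for t in (0, 5, 10)]
    outcomes.append(guard.attempt(11, "203.0.113.5", True))   # right password, still blocked
    outcomes.append(guard.attempt(11, "10.1.1.1", True))      # management net bypasses quiet mode
    outcomes.append(guard.attempt(71, "203.0.113.5", True))   # quiet mode over
    return outcomes
```

Failures spread further apart than the window never trip quiet mode, which is why the window and the count are tuned together.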
SSH (SECURE SHELL)
STEP # COMMANDS COMMENTS
CONFIGURE HOSTNAME
CONFIGURE DOMAIN NAME
GENERATE 1-WAY SECRET KEY
To verify:
To erase:
A minimum recommended value is 1024 bits.
SSH ver. 1 is automatically enabled once keys are
generated.
CREATE LOCAL USER DATABASE ENTRY
ENABLE VTY INBOUND SSH SESSIONS
*SET SSH VERSION Version 2 provides better encryption and integrity
check than ver. 1.
*TUNE EXEC-TIMEOUT
*TUNE LOGIN ATTEMPTS LIMIT
TSHOOT show ip ssh
show ssh
SECURING THE SYSTEM FILES
STEP # COMMANDS COMMENTS
TO SECURE THE IOS IMAGE + CONFIGURATION
SECURE THE IOS IMAGE: the Secure IOS Resiliency feature securely archives files in persistent storage - the secured files don't appear in the output of the dir or show flash commands.
The feature will not prevent someone from viewing the files or accessing files from ROMMON mode.
Denies all requests to copy, modify, or erase the secured files. Only files run locally can be secured.
SECURE THE CONFIGURATION FILE
TSHOOT show secure bootset
TO RESTORE SYSTEM USING SECURED FILES:
RELOAD THE ROUTER
ENTER ROMMON MODE: hold the BREAK key
VIEW FILES: dir
BOOT WITH SECURED IOS: boot (image name)
RESTORE CONFIGURATION
CLOCK CONFIGURATION
STEP # COMMANDS COMMENTS
MANUAL
ISSUE CLOCK COMMAND: even when NTP is used, the clock still needs to be configured manually on the NTP server.
NTP
CONFIGURE NTP MASTER: sets the router as a NTP master with the number of hops away from the authoritative server.
CONFIGURE NTP SLAVE: sets the router as a NTP slave with the IP address of the NTP master.
ENABLE NTP AUTHENTICATION
ntp authenticate - turns NTP authentication on.
The authentication is for the benefit of a client, to ensure that it is getting the time from an authenticated server.
Clients configured without authentication still get the time from the server. The difference is that these clients do not authenticate the server as a secure source.
TSHOOT show ntp status
show ntp associations details
SYSTEM LOGGING
STEP # COMMANDS COMMENTS
LOCATE LOGGING SERVER
* source-interface is optional and can be useful in situations where more than one link to the server exists (normally, the router will use information in the routing table to select the best path)
SET LOGGING SEVERITY FOR THE MESSAGES SENT TO THE:
o SERVER
o CONSOLE
o BUFFER
o LINES
LVL KEYWORD
0 EMERGENCIES
1 ALERTS
2 CRITICAL
3 ERRORS
4 WARNINGS
5 NOTIFICATIONS
6 INFORMATIONAL
7 DEBUGGING
ENABLE LOGGING
logging on - enables logging on all outputs
Only the console logging is enabled by default.
Logging to specific destinations can be controlled individually.
TSHOOT show logging
ROLE-BASED CLI
STEP # COMMANDS COMMENTS
ENABLE AAA: using CLI roles requires enabling AAA first.
ACCESS ROOT VIEW
Equivalent to a level 15 privilege user.
Only Root can add / delete / modify views.
The enable password is only required if it has already been configured.
CREATE VIEWS
To switch between views:
To verify:
The password has to be configured before trying to issue any other commands in the view sub-configuration mode.
ADD COMMANDS TO A VIEW
Examples:
include - adds a command to the view
exclude - removes a command from the view
include-exclusive - adds a command to the view and prohibits it from being added to other views
all - includes all commands in a given mode that start with the same keyword
SUPERVIEW
A superview is a collection of individual views.
Commands cannot be added to a superview - they need to be added to one of the subordinate views.
Deleting a superview does not delete subordinate views.
ASSIGN A VIEW TO A USER
ENABLING SDM SUPPORT
STEP # COMMANDS COMMENTS
CONFIGURE HOSTNAME
CONFIGURE DOMAIN NAME
ENABLE HTTP SERVICES: ip http server - enables HTTP services
ENABLE HTTPS SERVICES: ip http secure-server - enables SSL services
ENABLE AUTHENTICATION
Enables user authentication either via an AAA server or the local user database.
CREATE A PRIVILEGE LVL 15 USER: the user running SDM has to have unrestricted access to the router's resources.
TUNE HTTP CONNECTIONS
idle - defines how long the connection will remain open if no data is sent / received (default = 180 sec.)
life - defines how long the connection will be kept open to the server from the time it has been established (default = 180 sec.)
requests - the number of concurrent requests processed on an existing connection
CONFIGURE VIRTUAL LINES:
o GRANT LVL 15 PRIVILEGES TO ANY USER THAT LOGS IN ON THE LINE
o ENABLE AUTHENTICATION VIA THE LOCAL USER DATABASE
o ENABLE SSH
ROUTERS PASSWORDS RECOVERY PROCEDURE
STEP # COMMANDS COMMENTS
CONNECT TO THE ROUTER VIA CONSOLE PORT: the procedure requires physical access to the device and cannot be performed over a virtual connection.
RECORD CURRENT REGISTER VALUE
() Configuration register is 0x2102
The register value dictates how the router acts during the bootup process, e.g. how the router boots and what options it's using.
Relevant values:
0x2102 - default setting; enters ROM if booting fails
0x2142 - ignores content of NVRAM
POWER ROUTER OFF / ON
ENTER THE ROMMON MODE: issue the break sequence within 60 seconds of power up.
MODIFY THE REGISTER TO IGNORE THE STARTUP CONFIGURATION DURING BOOTUP
rommon #1>confreg 0x2142
REBOOT THE ROUTER
rommon #2>reset
COPY STARTUP CONFIGURATION TO NVRAM: the command will override the default configuration the router booted up with.
VIEW THE STARTUP CONFIG
The purpose here is to view the startup configuration and try to recover the passwords.
If the passwords are stored in an encrypted form and cannot be recovered, new ones should be configured.
RESTORE THE REGISTER VALUE: the register is changed again to load the NVRAM content during boot up.
* DISABLE PASSWORD RECOVERY
To recover after the command was issued:
issue break within 5 sec. of the image being decompressed
confirm to delete the startup config
the router will boot with default settings
SECURITY AUDITS
SDM SECURITY AUDIT WIZARD / CLI AUTO SECURE
DISABLES: SNMP, Finger, PAD, TCP Small Servers, UDP Small Servers, IP BootP, IDENT, CDP, IP Source Route, IP Redirects, IP Proxy ARP, IP Directed Broadcast, MOP, IP Unreachables, IP Mask Reply
ENABLES: password encryption, IP CEF, firewall rules on all outbound interfaces, unicast RPF on all outbound interfaces, logging
SETS: minimum password length to 6 characters, local user database entries
ONE STEP LOCKDOWN
DISABLES: SNMP, Finger, PAD, TCP Small Servers, UDP Small Servers, IP BootP, IDENT, CDP, IP Source Route, IP Redirects, IP Proxy ARP, IP Directed Broadcast, MOP, IP Unreachables, IP Mask Reply
ENABLES: password encryption, IP CEF, firewall rules on all outbound interfaces, unicast RPF on all outbound interfaces, SSH, AAA, TCP Keepalives Inbound / Outbound, seq. # and timestamps on debugs
SETS: minimum password length to 6 characters, authentication failure rate
SAMPLE ROUTER HARDENING CONFIGURATION
GLOBAL
set hostname
set domain name
enable password encryption
set minimum password length = 7
set privilege EXEC password
SSH
generate a 1024 bit RSA key
enable SSH ver. 2
set SSH timeout to 60
set SSH authentication retries limit to 2
create a user Admin with lvl. 15 privileges and an encrypted password
LOGIN
disable login for 60 sec. if there are 3 failed login attempts within 20 sec.
set a login delay of 5 sec.
BANNERS
MOTD
LOGIN
DISABLE FEATURES AND SERVICES
GLOBALLY
o IP Source Routing
o Finger
o TCP Small Servers
o UDP Small Servers
o Cisco Discovery Protocol
o BootP
o TFTP Broadcast IOS
o TFTP Broadcast Config.
o DNS Lookup
o IDENTD Services
o X.25 PAD
o Gratuitous ARPs
o SNMP
ON INTERFACES
o Proxy ARP
o ICMP Redirects
o ICMP Unreachables
o ICMP Mask Reply
o Maintenance Operation Protocol
o Cisco Discovery Protocol
o IP Directed Broadcast
ENABLE FEATURES AND SERVICES
GLOBALLY
o TCP Keepalives IN
o TCP Keepalives OUT
o Sequence Numbers And Timestamps On Debugs
o Sequence Numbers And Timestamps On Logs
o TCP Synwait Time
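An added example, not from the manual: a Python audit that parses an IOS-style running-config and reports which of the hardening steps in the sample configuration above are present, plus any reversible Type 7 passwords still in use. The config excerpt, the hostnames and the hash placeholders are constructed for the example; the audit only looks for the explicit commands, so settings that IOS keeps at their default and does not print in the config are reported as missing.

```python
import re

# Commands the manual's sample hardening configuration expects, keyed by step name.
# Each regex is matched against one stripped config line.
GLOBAL_CHECKS = {
    "hostname set": r"^hostname \S+$",
    "domain name set": r"^ip domain[- ]name \S+$",
    "password encryption": r"^service password-encryption$",
    "minimum password length 7": r"^security passwords min-length ([7-9]|\d{2,})$",
    "privileged EXEC secret": r"^enable secret ",
    "SSH version 2": r"^ip ssh version 2$",
    "SSH timeout 60": r"^ip ssh time-out 60$",
    "SSH retries 2": r"^ip ssh authentication-retries 2$",
    "Admin user lvl 15 with secret": r"^username Admin privilege 15 secret ",
    "login block 60s after 3 failures in 20s": r"^login block-for 60 attempts 3 within 20$",
    "login delay 5": r"^login delay 5$",
    "MOTD banner": r"^banner motd ",
    "LOGIN banner": r"^banner login ",
    "IP source routing disabled": r"^no ip source-route$",
    "CDP disabled globally": r"^no cdp run$",
    "TCP keepalives in": r"^service tcp-keepalives-in$",
    "TCP keepalives out": r"^service tcp-keepalives-out$",
    "timestamps on logs": r"^service timestamps log ",
}
INTERFACE_CHECKS = {
    "proxy ARP disabled": r"^no ip proxy-arp$",
    "ICMP redirects disabled": r"^no ip redirects$",
    "ICMP unreachables disabled": r"^no ip unreachables$",
    "directed broadcast disabled": r"^no ip directed-broadcast$",
}

# Constructed running-config excerpt (not from a real device); some steps are left out on purpose.
SAMPLE_CONFIG = """\
hostname Border
ip domain-name example.net
service password-encryption
security passwords min-length 7
enable secret 5 $1$constructed$placeholder
username Admin privilege 15 secret 5 $1$constructed$placeholder
ip ssh version 2
ip ssh time-out 60
login block-for 60 attempts 3 within 20
login delay 5
banner motd ^CAuthorised access only^C
no ip source-route
no cdp run
service tcp-keepalives-in
!
interface Serial1/1
 no ip redirects
 no ip unreachables
 no ip proxy-arp
!
interface FastEthernet0/0
 description constructed LAN interface with no hardening applied
!
line vty 0 4
 password 7 0000DEADBEEF
"""


def parse_config(text):
    """Split a config into global lines and {interface: [sub-lines]}; other sections are ignored."""
    globals_, interfaces, current = [], {}, None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line or line.startswith("!"):
            continue
        if line.startswith(" "):            # sub-command of the current section
            if current is not None:
                current.append(line.strip())
            continue
        m = re.match(r"^interface (\S+)$", line)
        current = interfaces.setdefault(m.group(1), []) if m else None
        if not m:
            globals_.append(line)
    return globals_, interfaces


def audit(text):
    """Map each check name to True (command present) or False (missing)."""
    globals_, interfaces = parse_config(text)
    result = {n: any(re.search(p, l) for l in globals_) for n, p in GLOBAL_CHECKS.items()}
    for ifname, lines in interfaces.items():
        for n, p in INTERFACE_CHECKS.items():
            result[f"{ifname}: {n}"] = any(re.search(p, l) for l in lines)
    return result


def missing(text):
    return sorted(name for name, ok in audit(text).items() if not ok)


def weak_type7(text):
    """Lines that still rely on a reversible Type 7 password or a plain 'enable password'."""
    return [l.strip() for l in text.splitlines()
            if re.search(r"\bpassword 7 ", l) or l.strip().startswith("enable password ")]
```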
AAA
AAA Local Authentication
AAA Server Authentication (TACACS+)
AAA Server Authorization (TACACS+)
AAA Server Accounting (TACACS+)
AAA LOCAL AUTHENTICATION
STEP # COMMANDS COMMENTS
ADD USERS TO THE LOCAL USER DATABASE
ENABLE AAA
Disables all other forms of authentication on the router.
Local AAA Authentication is similar to the login local command with the addition of fallback mechanisms.
DEFINE A LIST OF AUTHENTICATION METHODS
EXAMPLE:
The list is sequential.
1-4 methods can be specified.
The next method is used only when there's no response or an error from the previous method.
The default list is used for all authentication if no other lists were specifically assigned.
The default list contains only one method: local.
On the console line, login succeeds without any authentication checks if default is not set.
METHOD USES
enable - enable password
line - line password
local - local user database
local-case - local user database (case sensitive)
none - no password required
ASSIGN A LIST TO LINES / INTERFACES
Different lists can be assigned to different lines / interfaces.
* DEFINE A LIMIT FOR FAILED AUTHENTICATION ATTEMPTS
To view locked accounts:
To unlock an account:
If the threshold is exceeded the user is locked out and further attempts are only possible if the administrator unlocks the account first.
* CONFIGURE BANNERS AND PROMPTS
aaa authentication banner - overrides the LOGIN banner
aaa authentication fail-message - text displayed upon failed authentication
TSHOOT
show aaa user (all | username)
show aaa sessions
debug aaa authentication
EXAMPLE:
(* hardcoding a default method is not necessary)
AAA SERVER AUTHORIZATION (TACACS+)
STEP # COMMANDS COMMENTS
CREATE A LEVEL 15 PRIVILEGE USER
When AAA authorization is not enabled, all users are allowed full access.
After authentication is started, the default changes to allow no access.
This means that the administrator must create a user with full access rights before authorization is enabled.
Failure to do so immediately locks the administrator out of the system the moment the aaa authorization command is entered.
To recover, reboot the router.
ENABLE AAA
DEFINE TACACS+ SERVER
DEFINE A LIST OF AUTHORIZATION METHODS
RESOURCE TYPE DESCRIPTION
network - authorization for starting L2 connections
exec - verifies if a user has access to an EXEC shell
commands level_# - verifies if a user has access to a command at a specific privilege level
TSHOOT debug aaa authorization
debug tacacs authorization
TSHOOT debug aaa accounting
debug tacacs accounting
EXAMPLE
ACLs
Standard ACLs
Extended ACLs
Misc ACL Features
o Sequencing
o Wildcards
o Port Operators
o TCP Established
o Reflexive ACLs
o Dynamic ACLs
o Time Based ACLs
o Turbo ACLs
ACLs Verification and Tshooting
STANDARD ACLs
RANGE 1 - 99
1300 - 1999
FILTER BASED ON SOURCE ADDRESS
POSITION AS CLOSE TO DESTINATION AS POSSIBLE
WORK AT L3 NETWORK LAYER
CONFIGURATION: STANDARD MODE
ELEMENT SYNTAX COMMENTS
REMARK: remarks are saved in the router's NVRAM.
RULES
log - generates a log entry every time a packet matches the ACL's statement.
Log messages are generated on the first match and then at 5 min. intervals.
Should only be used when the network is under attack (very resource consuming).
ACTIVATION
EXAMPLE
deny host Sydney (192.168.0.1) from reaching host Perth (192.168.0.2)
allow all other traffic
CONFIGURATION: SUB-CONFIGURATION MODE
ELEMENT SYNTAX COMMENTS
CREATE ACL
REMARK
RULES
ACTIVATION
The router doesn't evaluate traffic against an outbound ACL if the traffic is originated by the router itself, e.g. routing protocol updates.
EXAMPLE
deny host Sydney (192.168.0.1) from reaching host Perth (192.168.0.2)
allow all other traffic
EXTENDED ACLs
RANGE 100 - 199
2000 - 2699
FILTER BASED ON
DESTINATION ADDRESS
SOURCE ADDRESS
IP PROTOCOL (NAME / NUMBER)
PROTOCOL INFORMATION
o ICMP: message type
o TCP /UDP: source and/or destination port names and numbers
o TCP: flags
POSITION
AS CLOSE TO SOURCE AS POSSIBLE
WORK AT L3 NETWORK LAYER
L4 TRANSPORT LAYER
CONFIGURATION: STANDARD MODE
ELEMENT SYNTAX COMMENTS
REMARK
RULES
ACTIVATION
EXAMPLE
allow all protocols used by IPSec suite originated by host Sydney (192.168.0.1) to reach host Perth (192.168.0.2)
CONFIGURATION: SUB-CONFIGURATION MODE
ELEMENT SYNTAX COMMENTS
CREATE ACL
REMARK
RULES
ACTIVATION
EXAMPLE
allow all protocols used by IPSec suite originated by host Sydney (192.168.0.1) to reach host Perth (192.168.0.2)
MISC ACL FEATURES
ACLs are processed:
o top-down, from the first to the last statement
o until a packet matches a statement or the packet matches none of the statements
o once a match is found, no more statements are processed
The more restrictive statements should be at the top of the list and the less restrictive ones at the bottom.
By default, statements are added to the end of the list (can be overridden by using sequence numbers).
There is an invisible deny 0.0.0.0 255.255.255.255 statement at the end of the list that drops all traffic not explicitly permitted.
One ACL per protocol, per interface and per direction is allowed.
An empty ACL permits all traffic.
An ACL needs to have at least one statement permitting traffic for the invisible deny any to take effect.
An explicit deny ip any any statement should be put at the end of the ACL to be able to view hit counts for denied traffic.
SEQUENCING
SYNTAX COMMENTS
To resequence:
Sequencing works only in sub-configuration mode (both standard and extended ACLs).
Each entry is given a unique sequence number.
By default starts at 10 and increments by 10.
Not stored in NVRAM; the IOS adds them when the router loads the startup config. into RAM.
If no sequence number is specified the number will be the next increment (starting with 10).
WILDCARDS
SYNTAX COMMENTS
host A.A.A.A = A.A.A.A 0.0.0.0
access-list 100 permit ip 192.168.0.1 0.0.0.0 192.168.0.11 0.0.0.0 = access-list 100 permit ip host 192.168.0.1 host 192.168.0.11
any = 0.0.0.0 255.255.255.255
access-list 10 permit 0.0.0.0 255.255.255.255 = access-list 10 permit any
ip access-list 100 permit ip 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255 = ip access-list 100 permit ip any any
0 = match exactly
1 = ignore
If the wildcard is omitted it defaults to 0.0.0.0 (only true for standard ACLs).
PORT OPERATORS
SYNTAX COMMENTS
Example:
allow only HTTP traffic from R1 (10.0.0.1) to the R2 server (10.0.0.2)
deny all incoming traffic on ports 10-25
OPERATOR MATCHES
eq match only packets on a given port
range match only packets in the range of ports
gt match only packets with a greater port number
lt match only packets with a lower port number
neq match only packets not on a given port number
TCP ESTABLISHED PARAMETER
SYNTAX COMMENTS
Example:
allow any HTTPS traffic to host SYDNEY (10.0.0.3) as long as it was originated by SYDNEY.
Works only with extended ACLs.
Allows / denies traffic coming from the outside that was initiated from the inside.
Does not maintain stateful information.
Checks TCP segments for the ACK or RST flags and permits the packets if these bits are set.
Available only for TCP; UDP and ICMP can only be permitted or denied.
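An added example, not part of the manual, covering the processing rules and wildcards above as well as the port operators and the established parameter: a Python evaluator that parses extended-ACL statements in the manual's syntax (host / any shorthand, eq / neq / gt / lt / range, established) and runs a packet through the list top-down with first-match-wins, the invisible deny at the end, and the empty-ACL-permits-all rule. The sample ACL is built from the manual's own examples; the packets and the 192.168.0.0/24 entry are constructed.

```python
from dataclasses import dataclass
from ipaddress import IPv4Address


def wildcard_match(addr, base, wildcard):
    """Wildcard bit 0 = must match exactly, bit 1 = ignore."""
    a, b, w = (int(IPv4Address(x)) for x in (addr, base, wildcard))
    return (a & ~w) == (b & ~w)


PORT_OPS = {
    "eq": lambda p, a, b=None: p == a,
    "neq": lambda p, a, b=None: p != a,
    "gt": lambda p, a, b=None: p > a,
    "lt": lambda p, a, b=None: p < a,
    "range": lambda p, a, b: a <= p <= b,
}


@dataclass
class Entry:
    seq: int
    action: str             # permit | deny
    protocol: str           # ip | tcp | udp | icmp
    src: str
    src_wc: str
    dst: str
    dst_wc: str
    src_port: tuple = None  # (op, value[, upper]) or None
    dst_port: tuple = None
    established: bool = False


@dataclass
class Packet:
    protocol: str
    src: str
    dst: str
    sport: int = 0
    dport: int = 0
    ack: bool = False
    rst: bool = False


def _addr(tokens):
    t = tokens.pop(0)
    if t == "any":
        return "0.0.0.0", "255.255.255.255"   # any = 0.0.0.0 255.255.255.255
    if t == "host":
        return tokens.pop(0), "0.0.0.0"       # host A = A 0.0.0.0
    return t, tokens.pop(0)                   # explicit address + wildcard


def _port(tokens):
    if tokens and tokens[0] in PORT_OPS:
        op = tokens.pop(0)
        n = 2 if op == "range" else 1
        return (op, *[int(tokens.pop(0)) for _ in range(n)])
    return None


def parse_entry(seq, line):
    """Parse one statement such as 'permit tcp any eq 443 host 10.0.0.3 established'."""
    tokens = line.split()
    action, proto = tokens.pop(0), tokens.pop(0)
    src, src_wc = _addr(tokens)
    sp = _port(tokens)
    dst, dst_wc = _addr(tokens)
    dp = _port(tokens)
    return Entry(seq, action, proto, src, src_wc, dst, dst_wc, sp, dp, "established" in tokens)


def _port_ok(cond, port):
    if cond is None:
        return True
    op, *args = cond
    return PORT_OPS[op](port, *args)


def matches(e, pkt):
    if e.protocol != "ip" and e.protocol != pkt.protocol:
        return False
    if not (wildcard_match(pkt.src, e.src, e.src_wc) and wildcard_match(pkt.dst, e.dst, e.dst_wc)):
        return False
    if not (_port_ok(e.src_port, pkt.sport) and _port_ok(e.dst_port, pkt.dport)):
        return False
    # 'established' only matches TCP segments with ACK or RST set; no state is kept
    return not e.established or (pkt.protocol == "tcp" and (pkt.ack or pkt.rst))


def evaluate(acl, pkt):
    """Top-down, first match wins, implicit deny at the end; an empty ACL permits everything."""
    if not acl:
        return "permit", None
    for e in sorted(acl, key=lambda x: x.seq):
        if matches(e, pkt):
            return e.action, e.seq
    return "deny", None


# Constructed ACL built from the manual's port-operator and 'established' examples.
SAMPLE_ACL = [parse_entry(seq, text) for seq, text in (
    (10, "permit tcp host 10.0.0.1 host 10.0.0.2 eq 80"),    # only HTTP from R1 to the R2 server
    (20, "deny tcp any any range 10 25"),                     # drop incoming traffic on ports 10-25
    (30, "permit tcp any eq 443 host 10.0.0.3 established"),  # HTTPS replies to SYDNEY only
    (40, "permit ip 192.168.0.0 0.0.0.255 any"),
)]
```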
REFLEXIVE ACLs
Allow session filtering for any type of IP traffic.
Remember outgoing traffic by dynamically building ACL entries and permit the returning traffic.
Allow the local device to initiate traffic to the remote devices and get a response (but deny traffic initiated by remote devices).
SYNTAX COMMENTS
CREATE AN OUTBOUND ACL
reflect - creates a reflexive access list entry in the reflexive ACL (name) with the source and destination addresses swapped
timeout - maximum time for the ACL to live (default = 300 sec.)
Reflexive ACLs are allowed on named ACLs only.
CREATE AN INBOUND ACL
evaluate - nests the ACL within the ACL
ASSIGN THE ACL TO AN INTERFACE
EXAMPLE
allow only TELNET and ICMP traffic into the local network as long as it was originated by HOME (98.174.249.99)
deny all traffic originated from the remote network
the ACLs need to be configured on the border router CLOUD on the outside interface s1/1
DYNAMIC ACLs (LOCK AND KEY)
Opens a temporary door in the firewall and grants access to specified resources provided the user is authenticated using Telnet / SSH.
The access request is put on hold until the user is authenticated using a Telnet / SSH connection.
Once authentication is complete the remote connection is dropped and a single-entry dynamic ACL is added to the existing extended ACL.
The traffic is permitted for a specified period (idle and absolute timeouts).
Only one policy can be configured for all dynamic ACL users and this single policy is applied to all the authenticated users.
SYNTAX COMMENTS
CREATE LOCAL USER DATABASE ENTRY
Supported methods of authentication:
local user database
AAA server
line password
CREATE A DYNAMIC ACCESS LIST
The first statement has to allow remote access connections (Telnet or SSH).
dynamic - defines what resources are available / prohibited once the authentication is successful
Only one dynamic statement per ACL is allowed.
timeout (absolute timer) - specifies the time window during which the DYNAMIC ACL rules are in effect (in minutes)
ASSIGN THE ACL TO AN INTERFACE
CONFIGURE THE VTY LINES
autocommand - executes the command that follows after successful authentication
access-enable - creates a temporary ACL entry
host - replaces the ACL entry any with the user's address (dependent on ACL direction)
idle - idle timeout (overridden by the absolute timer configured in the DYNAMIC ACL)
EXAMPLE
allow remote host JEREMY (172.30.2.11/24) to access 192.168.1.0/24 network upon successful authentication with REMOTE router (67.40.69.33/24)
TIME BASED ACLs
CREATE TIME RANGE
absolute - single time period for which the time range is valid; if the start time is omitted it defaults to the current time on the router; if the end time is omitted it defaults to 23:59 31 December 2035
periodic - recurring time period for which the time range is valid; if the day of week parameter is omitted, it defaults to the day of week configured for the beginning time
APPLY TIME RANGE TO AN ACL
APPLY ACL TO AN INTERFACE
EXAMPLE
allow web surfing only on the weekdays between 17:00 and 6:00
TURBO ACLs
SYNTAX COMMENTS
To verify:
Reduces the ACL lookup time by compiling ACLs into a hash table.
The lookup time is the same no matter which ACL command is being looked up.
Can only be used on an ACL that has more than three entries.
CLI BASED FIREWALLS
CBAC
Zone Based Firewall
CBAC (Context Based Access Control)
Cisco IOS based firewall that filters TCP and UDP packets based on their L7 Application Layer information.
Generates real time audits and trails.
Creates and maintains a session table to build dynamic ACL entries.
CBAC CONFIGURATION
STEP # COMMANDS COMMENTS
IDENTIFY INTERFACE ROLES
On what interfaces does the external traffic arrive?
What outbound interfaces are used to reach external networks?
INTERNAL - interface on which sessions can be initiated
EXTERNAL - sessions initiated from external interfaces will be blocked; the ACL for the return traffic must be an extended ACL
FILTER INGRESS TRAFFIC USING ACLs
Example:
Allow protocols that are necessary for the network to be operational, e.g. routing protocols.
Deny all external traffic that tries to access the internal network.
DEFINE INSPECTION RULES
Example:
alert on | off - displays messages on the console line concerning CBAC operation, e.g. DoS attacks (to globally disable alerts: no ip inspect alert-off)
audit-trail on | off - keeps track of the connections inspected by CBAC (including valid and invalid access attempts), e.g. displays messages when CBAC adds / removes an entry from the state table. By default outputs to the console line, but logging to a syslog server is possible if enabled.
router-traffic - inspects traffic generated by the router itself
timeout - overrides the global TCP and UDP timeouts but does not override the global Domain Name Service (DNS) timeout
ASSIGN INSPECTION RULES
TO AN INTERFACE
in - on an INTERNAL interface
out - on an EXTERNAL interface
no ip inspect - removes all CBAC commands, the state table, and all temporary ACL entries created by CBAC. It also resets all timeout and threshold values to the factory defaults. After CBAC is removed, all inspection processes are no longer available, and the router uses only the current ACL implementations for filtering.
*TIMERS + THRESHOLDS
tcp synwait-time - length of time CBAC waits for a new TCP session to reach the established state (default = 30 sec.)
tcp finwait-time - length of time CBAC continues to manage a TCP session after receiving a FIN flag (default = 5 sec.)
tcp idle-time - length of time CBAC continues to manage a TCP session with no activity (default = 3600 sec.)
udp idle-time - length of time CBAC continues to manage a UDP session with no activity (default = 30 sec.)
max-incomplete high - once the threshold for incomplete connections has been reached, CBAC will actively begin to delete them (default = 5… sessions)
max-incomplete low - if the threshold for incomplete sessions has been breached, they will be deleted until this value is reached (default = 400 sessions)
one-minute high / low - as above but over the course of one minute
max-incomplete host - threshold for incomplete TCP connections from a single host (default = … connections), and how long connection attempts should be rejected if the threshold is reached (default = 0)
EXAMPLE
The border router, CLOUD, has two active interfaces: s1/0 (INSIDE) and s1/1 (OUTSIDE).
OUTSIDE traffic cannot initiate connections to the devices on the INSIDE and is dropped at the border router.
RIP updates are excepted; their exchange is crucial for the network operation.
Devices on the INSIDE can initiate connections to the OUTSIDE devices and the return traffic is permitted through the border router.
Allowed protocols: HTTP, ICMP, TELNET.
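An added example, not from the manual: a Python model of the CBAC example above. Traffic entering s1/0 is inspected and recorded in a session table when it is one of the allowed protocols; traffic entering s1/1 is forwarded if it is the return half of a recorded session, otherwise it falls through to the ingress ACL (RIP only), and sessions expire after the page's TCP/UDP idle timers. The addresses and the ICMP idle value are constructed assumptions.

```python
from dataclasses import dataclass, field
from typing import Callable, Dict, List

# Protocols the example inspects (name -> transport, well-known destination port).
INSPECT = {"http": ("tcp", 80), "telnet": ("tcp", 23), "icmp": ("icmp", None)}
# Idle timers from the manual for TCP/UDP; the ICMP value is an assumption of this model.
IDLE = {"tcp": 3600, "udp": 30, "icmp": 10}


@dataclass(frozen=True)
class Flow:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int

    def reverse(self):
        """The return direction of this flow (addresses and ports swapped)."""
        return Flow(self.proto, self.dst, self.dport, self.src, self.sport)


@dataclass
class Cbac:
    ingress_acl: Callable[[Flow], bool]                          # extended ACL inbound on s1/1
    sessions: Dict[Flow, float] = field(default_factory=dict)   # inspected flow -> last seen
    audit: List[str] = field(default_factory=list)              # audit-trail messages

    def _expire(self, now):
        for f, seen in list(self.sessions.items()):
            if now - seen > IDLE[f.proto]:
                del self.sessions[f]
                self.audit.append(f"{now}: idle timeout, session removed {f}")

    def inside_in(self, flow, now):
        """Packet from s1/0 (INSIDE), inspection rule applied 'in': record inspected protocols."""
        self._expire(now)
        for name, (proto, port) in INSPECT.items():
            if flow.proto == proto and (port is None or flow.dport == port):
                if flow not in self.sessions:
                    self.audit.append(f"{now}: {name} session added {flow}")
                self.sessions[flow] = now
                break
        return True   # outbound traffic is forwarded either way; only inspected flows get a return entry

    def outside_in(self, flow, now):
        """Packet from s1/1 (OUTSIDE): return traffic of a known session bypasses the ingress ACL."""
        self._expire(now)
        origin = flow.reverse()
        if origin in self.sessions:
            self.sessions[origin] = now
            return True
        return self.ingress_acl(flow)


def rip_only(flow):
    """Ingress ACL of the example: everything dropped except RIP (UDP 520)."""
    return flow.proto == "udp" and flow.dport == 520


def scenario():
    """Replays the example: HTTP from INSIDE is answered, unsolicited OUTSIDE traffic is not."""
    fw = Cbac(ingress_acl=rip_only)
    web = Flow("tcp", "192.168.1.10", 40000, "203.0.113.8", 80)
    fw.inside_in(web, now=0)
    return [
        fw.outside_in(web.reverse(), now=5),                                          # reply to inspected session
        fw.outside_in(Flow("tcp", "203.0.113.8", 80, "192.168.1.10", 40001), now=5),  # no such session
        fw.outside_in(Flow("udp", "203.0.113.9", 520, "224.0.0.9", 520), now=5),      # RIP excepted by the ACL
        fw.outside_in(web.reverse(), now=3606),                                       # idle > 3600 s, expired
    ]
```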
CBAC VERIFICATION AND TSHOOTING
COMMAND VERIFIES
show ip inspect (parameter)
PARAMETER DESCRIPTION
all - all available information
config - CBAC configuration
interfaces - rules activated on interfaces
name - rules details
sessions - summary of inspections in the CBAC table
session details - detailed information on inspections in the CBAC table
debug ip inspect detailed - debugs information about all CBAC processes on the router
debug ip inspect timers - debugs information related to CBAC timers, e.g. idle timer expiration
debug ip inspect object-creation - debugs information about entries added to the CBAC table
debug ip inspect object-deletion - debugs information about entries removed from the CBAC table
debug ip inspect function-trace - debugs information about the software functions that CBAC calls
debug ip inspect events - debugs CBAC events, including processing of packets
debug ip inspect protocol (protocol) - debugs protocol related events
ZONE BASED FIREWALL
ZBF CONFIGURATION
STEP # COMMANDS COMMENTS
CREATE ZONES
The zone cannot be named self or null.
Traffic flowing to and from the router's interfaces is excluded from zone policies.
Traffic between a zone and the self zone is permitted by default (the self zone is the only exception to the default deny all policy).
A policy can be defined using the self zone either as the source or the destination.
The self zone does not require any interfaces to be configured as members; all the IP interfaces on the router are automatically assigned to the self zone.
ASSIGN INTERFACES TO THE ZONES
Once an interface is a member of a zone, all traffic to and from that interface (except traffic going to the router or initiated by the router) is dropped by default.
An interface can only belong to a single zone.
Traffic cannot flow between an interface with a zone assignment and an interface without a zone assignment.
Traffic between interfaces in the same zone is never filtered.
Interfaces should be grouped together based on their security requirements.
A zone must be created before interfaces can be assigned to it.
If there is no need for the interface to be a member of a zone, it may still be necessary to put that interface into a zone and configure a pass-all policy (dummy policy) between that zone and any other zone to which traffic flow is desired.
CREATE CLASS MAPS
L3/4 TYPE
Example:
L3/4 maps classify traffic based on information in the L3/4 headers.
The order is significant since the statements are processed top down for a match.
Only stateful protocols supported by the router can be inspected.
type inspect - only maps defined with this parameter can be used with ZBF
match-any - a match on any of the conditions in the class map satisfies the requirements
match-all - specifies that traffic needs to match all entries in the class map to be considered a match
match protocol - specifies a particular protocol (only stateful ones are allowed)
match access-group - traffic matching permit statements in a given ACL will be included in the class map (statements matching an ACL deny rule are excluded)
match class-map - includes (embeds) another class map, which allows for nesting
CREATE POLICY MAPS
L3/4 TYPE
*
ZBF VERIFICATION AND TSHOOTING
show zone security (*zone_name)
show zone-pair security (*source (source zone) destination (destination zone))
show class-map type inspect (*class-map_name)
show policy-map type inspect (*policy-map_name)
show policy-map type inspect zone-pair sessions
(config)#ip inspect log drop-pkt
debug zone security events
COMMAND VERIFIES
show zone security (*zone_name)
zones configured
interfaces associated with zones
show zone-pair security (*source (source zone) destination (destination zone))
source and destination zones
policy associated with zone pairs
show class-map type inspect (*class-map_name)
class maps configured on the router
show policy-map type inspect (*policy-map_name)
policy maps configured on the router
show policy-map type inspect zone-pair sessions
ZBF state table (number of established sessions)
zone-pair and associated policy-map
policy-map and associated class-map
class-map and hit statistics
action to be taken with regard to packets that fall under the class-map
default class-map characteristics
(config)#ip inspect log drop-pkt
packets dropped by the firewall
debug zone security events
debugs events associated with ZBF
[Flowchart: ZBF policy decision for traffic crossing a zone pair]
Does the policy include a class map?
  NO  -> apply policy-map action: DROP
  YES -> does the traffic match the class-map associated with the policy-map?
           YES -> apply the policy statement: DROP, PASS or INSPECT
           NO  -> has the default policy been modified?
                    YES -> apply the default policy
                    NO  -> DROP
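A model of the ZBF forwarding decision described in this section (zone membership rules plus the policy-map flow), as an added Python example that is not part of the manual; the zone, interface, class-map and policy-map names and all addresses are constructed:

```python
"""Model of the zone-based firewall decision described above.

Added example (not from the manual). It encodes the zone rules (same-zone
traffic is never filtered, traffic between a zoned and an unzoned interface is
dropped, the self zone is permitted by default) and the policy-map flow
(first matching class map wins, otherwise class-default, which drops unless
it was modified). All names and addresses below are constructed.
"""
import ipaddress
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Tuple

SELF = "self"
Flow = Tuple[str, str, str]          # (source IP, destination IP, protocol)
Predicate = Callable[[Flow], bool]


def match_protocol(*protocols: str) -> Predicate:
    """match protocol <name>: only stateful protocols the router can inspect."""
    allowed = set(protocols)
    return lambda flow: flow[2] in allowed


def match_access_group(permits: List[Tuple[str, str]]) -> Predicate:
    """match access-group: flows hitting a permit entry are included (deny entries are not)."""
    nets = [(ipaddress.ip_network(s), ipaddress.ip_network(d)) for s, d in permits]

    def pred(flow: Flow) -> bool:
        src, dst = ipaddress.ip_address(flow[0]), ipaddress.ip_address(flow[1])
        return any(src in s and dst in d for s, d in nets)
    return pred


@dataclass
class ClassMap:
    name: str
    conditions: List[Predicate]
    match_any: bool = True           # match-any (default here) or match-all

    def matches(self, flow: Flow) -> bool:
        combine = any if self.match_any else all
        return combine(c(flow) for c in self.conditions)


@dataclass
class PolicyMap:
    name: str
    classes: List[Tuple[ClassMap, str]]   # processed top down; first match wins
    class_default: str = "drop"           # drop unless the default policy is modified

    def action(self, flow: Flow) -> str:
        for cmap, act in self.classes:
            if cmap.matches(flow):
                return act
        return self.class_default


@dataclass
class ZoneBasedFirewall:
    zone_of: Dict[str, str] = field(default_factory=dict)                     # interface -> zone
    zone_pairs: Dict[Tuple[str, str], PolicyMap] = field(default_factory=dict)

    def decide(self, in_if: str, out_if: str, flow: Flow) -> str:
        """Return 'pass', 'inspect' or 'drop' for traffic entering in_if and leaving out_if.
        Use SELF as in_if for router-originated traffic and as out_if for traffic to the router."""
        src_zone = SELF if in_if == SELF else self.zone_of.get(in_if)
        dst_zone = SELF if out_if == SELF else self.zone_of.get(out_if)
        if src_zone is None and dst_zone is None:
            return "pass"            # neither interface is a zone member: ZBF does not apply
        if src_zone == dst_zone:
            return "pass"            # traffic between interfaces in the same zone is never filtered
        if src_zone is None or dst_zone is None:
            return "drop"            # zoned <-> unzoned interface: no traffic flows
        policy = self.zone_pairs.get((src_zone, dst_zone))
        if policy is None:
            # No zone-pair policy: the self zone is the only exception to the default deny
            return "pass" if SELF in (src_zone, dst_zone) else "drop"
        return policy.action(flow)


def build_example() -> ZoneBasedFirewall:
    """Constructed topology: g0/0 and g0/3 in INSIDE, g0/1 in OUTSIDE, g0/2 in no zone."""
    web = ClassMap("INSIDE-TO-OUTSIDE-CLASS", [match_protocol("http", "https", "dns")])
    # match-all: SSH *and* sourced from the constructed management range
    mgmt = ClassMap("MGMT-CLASS",
                    [match_protocol("ssh"),
                     match_access_group([("198.51.100.0/24", "0.0.0.0/0")])],
                    match_any=False)
    fw = ZoneBasedFirewall(zone_of={"g0/0": "INSIDE", "g0/3": "INSIDE", "g0/1": "OUTSIDE"})
    fw.zone_pairs[("INSIDE", "OUTSIDE")] = PolicyMap("INSIDE-TO-OUTSIDE", [(web, "inspect")])
    fw.zone_pairs[("OUTSIDE", SELF)] = PolicyMap("OUTSIDE-TO-SELF", [(mgmt, "inspect")])
    return fw


if __name__ == "__main__":
    fw = build_example()
    print(fw.decide("g0/0", "g0/1", ("192.168.1.10", "203.0.113.5", "http")))   # inspect
    print(fw.decide("g0/1", "g0/0", ("203.0.113.5", "192.168.1.10", "http")))   # drop
```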
IDS & IPS
IDS vs IPS
IPS Implementations
IPS Signatures
IPS Management and Monitoring
IPS Configurations
IPS Verification and Tshooting
IDS vs IPS
IDS (Intrusion Detection System)
implemented to passively monitor network traffic
an IDS-enabled device (e.g. switch) copies all traffic passing through to the port to which the IDS is connected
the IDS appliance analyses traffic in an off-line manner by comparing it to known malicious signatures
if a match is found the IDS sends a command to a device to deny access / block traffic
PROS
off-line implementation (promiscuous mode) ensures no impact on network performance
does not introduce latency, jitter or other traffic flow issues
CONS
IDS cannot stop malicious traffic from single-packet attacks from reaching the target system
IDS requires assistance from other networking devices (e.g. routers, firewalls) to respond to an attack
less helpful in stopping email viruses and automated attacks e.g. worms
more vulnerable to network evasion techniques
a well thought-out security policy is essential to successfully deploy an IDS
IPS (Intrusion Prevention System)
implemented in inline mode; all ingress and egress traffic must flow through it for processing
no traffic is allowed into the trusted network without first being analyzed
IPS can drop the trigger packet, the packets in a connection or packets from a source IP address
PROS
if the traffic matches a signature the IPS can stop the attack immediately
IPS can use traffic normalization techniques to reduce or eliminate many of the network evasion capabilities
CONS
can negatively affect the packet flow of the forwarded traffic
must be appropriately sized and implemented so that time-sensitive applications e.g. VoIP are not negatively affected
errors, failures and overrunning the IPS sensor with too much traffic can introduce jitter and latency
IPS IMPLEMENTATIONS
HOST BASED IPS IMPLEMENTATION COMMENTS
installed on individual computers using HIPS (Host Intrusion Prevention System) e.g. CSA
HIPS audits host log files, file systems and resources
protects systems using policies that network administrators configure and deploy on agents
the agents check whether an action is allowed or denied before any system resources are accessed and acted upon
can stop attacks by reacting in real time without any updates
CSA contains two components:
Management Center (installed on a central server)
Security Agents (installed on hosts)
PROS
can monitor OS processes and protect critical system resources including files that may exist only on that specific host
has access to traffic in unencrypted form
with HIPS the success or failure of an attack can be readily determined
CONS
does not provide a complete network picture and has difficulty coordinating the events happening across the entire network
has to support multiple OSs
NETWORK BASED IPS IMPLEMENTATION COMMENTS
analyzes network-wide activity looking for malicious activity
sensors are deployed at designated network points that enable security managers to monitor network activity while it is occurring (regardless of the location)
Sensors can be deployed as:
a module on a device
a dedicated appliance
a networking device with IPS capabilities (e.g. router)
PROS
additional hosts can be deployed without requiring more sensors
can easily see attacks that are occurring across the entire network
does not need to support every type of OS
Additional sensors are only required when their rated traffic capacities are exceeded or their performance does not meet current needs.
CONS
does not know whether an attack was successful
cannot examine encrypted traffic
IPS SIGNATURES
malicious traffic displays distinct characteristics (signatures)
a signature is a set of rules that an IDS or IPS uses to detect typical intrusive activity
ATOMIC SIGNATURES COMMENTS
consist of a single packet, activity or event that is examined to determine if it matches a configured signature
because they can be matched on a single event there is no need for the IPS to maintain state information
the entire inspection can be accomplished in an atomic operation that does not require knowledge of past / future activities
detecting atomic signatures requires minimal resources (e.g. RAM) on the IPS / IDS device
easy to identify and understand because they are compared against a specific event or packet
an IDS is vulnerable to atomic packet attacks because until it finds the attack malicious single packets are allowed into the network
an IPS prevents atomic packet attacks from entering the network
COMPOSITE (STATEFUL) SIGNATURES COMMENTS
the signature identifies a sequence of operations distributed across multiple hosts over a period of time
stateful properties of a composite signature usually require several pieces of data to match an attack signature
event horizon - the length of time that the signature must maintain state (can be adjusted)
IPS SIGNATURE CHARACTERISTICS EXAMPLE
ATOMIC - signatures that examine simple packets: ATOMIC.IP, ATOMIC.ICMP, ATOMIC.IPOPTIONS, ATOMIC.UDP, ATOMIC.TCP
SERVICE - signatures that examine services that are attacked: SERVICE.DNS, SERVICE.HTTP, SERVICE.FTP
STRING - signatures that use regular expression-based patterns to detect intrusions: STRING.TCP, STRING.UDP, STRING.ICMP
MULTI-STRING - supports flexible pattern matching and Trend Labs signatures: MULTI-STRING
OTHER - internal engine that handles misc. signatures: NORMALIZER
IPS SIGNATURE ALARMS COMMENTS
PATTERN BASED
simplest triggering mechanism
searches for a specific, pre-defined pattern
network traffic is compared to a database of known attacks and an alarm is triggered if a match is found
can be detected in a single packet (atomic) or in a sequence of packets (composite)
this technique helps to lessen the amount of inspection done on every packet
makes it more difficult for systems to deal with protocols and attacks that do not utilize well-defined ports
ANOMALY
also known as profile-based detection
triggers alarms upon detecting traffic that deviates from the normal profile (requires base-lining first)
can detect new and unpublished attacks
alarms can be misleading because not all traffic deviating from normal means malicious activity
the administrator must guarantee that the network is free of attack during base-lining
might be difficult to correlate an alert back to a specific attack (because it only indicates that non-normal traffic was detected)
POLICY
the administrator defines behaviors that are suspicious based on historical analysis
enables a single signature to cover an entire class of activities without having to specify each individual situation
HONEYPOT
uses a dummy server to attract attacks
IPS SIGNATURE ALARM TYPES COMMENTS
FALSE POSITIVE - alarm generated in response to normal traffic
FALSE NEGATIVE - alarm not generated in response to malicious traffic
TRUE POSITIVE - alarm generated in response to malicious traffic
TRUE NEGATIVE - alarm not generated in response to normal traffic
IPS SIGNATURE ACTIONS COMMENTS
GENERATE AN ALERT
ATOMIC ALERTS
- generated every time a signature is detected
- can be exploited by sending numerous bogus alerts against an IPS or applications
SUMMARY ALERTS
- a single alert that indicates multiple occurrences of the same signature from the same source
- limit the number of alerts generated and make it difficult for an attacker to consume resources on the sensor
- can be configured to summarize atomic alerts as well
LOG THE ACTIVITY
by logging the alerts the administrator can perform analysis later, identify exactly what is taking place and make a decision as to whether it should be allowed or denied in the future
DROP / PREVENT THE ACTIVITY
enables the device to stop an attack before it has the chance to perform malicious activity
the analysis engine determines which packets should be forwarded and which should be dropped
the drop action can be expanded to drop all packets for a specific session or all packets from a specific host for a specific amount of time
RESET TCP CONNECTION
used to terminate TCP connections by generating a packet for the connection with the TCP RST flag set
an IPS can use the TCP reset action to abruptly end a TCP connection that is performing unwanted operations
can be used in conjunction with deny packet / connection actions
BLOCK FUTURE ACTIVITY
future traffic can be blocked by having the IPS device update the ACL on one of the infrastructure devices
the ACL expires after a defined amount of time
can be used in conjunction with other actions such as dropping unwanted traffic
the IPS can block traffic at multiple locations throughout the network
ALLOW THE ACTIVITY
allows exceptions to be configured
IPS MANAGEMENT AND MONITORING
MANAGEMENT METHOD
sensors can be managed individually or centrally
in larger networks a centralized management system allows all IPS devices to be configured and managed from a single device
LOCAL: SDM, IDM, IEV
CENTRAL: CSM, MARS
EVENT CORRELATION
correlating attacks and other events that are happening simultaneously at different points across the network
NTP should be used to ensure that all alerts are accurately time-stamped
a correlation tool can correlate the alerts based on the timestamps
a centralized monitoring facility allows for accurate event correlation
CISCO MARS allows correlating not only IPS events but other events on the network e.g. syslog messages and NetFlow input.
SDEE (Secure Device Event Exchange)
an alternative to syslog
the format was developed to improve communication of events generated by security devices
primarily communicates IDS events but the protocol is intended to be extensible and allows additional event types to be included as they are defined
Cisco SDM can monitor syslog and SDEE-generated events
SECURITY STAFF
large enterprises require the appropriate security staff to analyze numerous alerts and to tune and optimize IPS sensors
INCIDENT RESPONSE PLAN
a response plan needs to be designed to restore the state of the system to the state before the attack
MANAGING SIGNATURES
upgrading sensors will mean network downtime
automatic update rather than manual if the number of sensors is high
signature packs should be placed on a dedicated FTP server within the management network
the FTP server should allow read-only access only
a custom signature can be created if an update is not available
the FTP server should be queried periodically and an update time window should be set
IPS CONFIGURATIONS
CONFIGURATION VIA CISCO CLI
STEP # COMMANDS COMMENTS
DOWNLOAD IOS IPS FILES
Required files:
IOS-Sxxx-CLI.pkg
realm-cisco.pub.key.txt
In Cisco IOS software T-Train releases prior to 12.4(11)T, and in all Cisco IOS Software 12.4 Mainline releases, IPS signature selection involves loading an XML file onto the router.
The XML file, called the signature definition file (SDF), contains a detailed description of each selected signature in Cisco IPS Sensor software 4.x signature format.
Starting with Cisco IOS release 12.4(11)T, there are no built-in (hard-coded) signatures within the IOS software. Instead all signatures are stored in a separate signature file and must be imported.
Releases 12.4(11)T and later use the newer 5.x format signature files, which can be downloaded from Cisco.com.
CREATE AN IPS CONFIGURATION DIRECTORY IN FLASH
Any system location will be accepted as long as there is write access.
CONFIGURE AN IOS IPS CRYPTO KEY
exit>
To remove:
LOAD SIGNATURE PACKAGE TO THE ROUTER
To verify:
Commonly an FTP or TFTP server is used.
MODIFYING IPS SIGNATURES
MODIFYING A GROUP OF SIGNATURES
IPS VERIFICATION AND TSHOOTING
show ip ips all
show ip ips configuration
show ip ips interfaces
show ip ips signatures (detail)
show ip ips statistics
clear ip ips statistics
clear ip ips configuration
COMMAND VERIFIES
show ip ips all - displays all IPS configuration data
show ip ips configuration - displays additional configuration data that is not displayed with show running-config
show ip ips interfaces - interface configuration data; inbound / outbound rules
show ip ips signatures (detail) - verifies the signature configuration
show ip ips statistics - displays the number of packets audited and the number of alarms set
clear ip ips statistics - resets statistics on packets analyzed and alarms set
clear ip ips configuration - removes all IPS configuration entries and releases dynamic resources
LAYER 2 SECURITY
Layer 2 Attacks
Securing Layer 2
o DTP Modes
o Switchport Security
o STP Security
o Misc
LAYER 2 ATTACKS
ATTACK HOW IT WORKS COMMENTS
MAC ADDRESS SPOOFING
a rogue host masquerades or poses as another to receive otherwise inaccessible data or to circumvent security appliances
performed by changing the MAC address of the rogue device to match the known MAC address of another device
the attacking host then sends a frame throughout the network with the newly configured MAC address
when the switch receives the frame with the new MAC address it removes the original entry and assigns the MAC address to the new port
when the target host sends traffic the switch receives and examines the frame, which results in the MAC address table being rewritten
MAC ADDRESS TABLE OVERFLOW
takes advantage of the MAC table's limited size and bombards the switch with fake source MAC addresses until the switch MAC table is full; if enough entries are entered into the MAC address table before older entries expire, the table fills up to the point that no new entries can be accepted
when this happens the switch begins to flood all incoming traffic to all ports (effectively turning into a hub)
the attacker can see all of the frames sent from one host to another (but only within the local VLAN)
If the intruder does not maintain the flood of invalid source MAC addresses the switch eventually ages out the older MAC addresses from the table.
The most common protection is to limit the number of dynamically learnt MAC addresses.
macof - this tool floods a switch with frames containing randomly generated source MAC and IP addresses; as long as it is running the switch acts as a hub
STP MANIPULATION ATTACKS
the attacker broadcasts BPDUs that contain false STP configuration and topology changes
aims to promote the rogue device to the rank of ROOT BRIDGE, which will result in the attacker having access to otherwise inaccessible traffic
PortFast
Root guard
BPDU guard
LAN STORM ATTACKS
LAN storm packets flood the LAN creating excessive traffic and hurting network performance
broadcasts and multicasts are flooded on all ports within the same VLAN
storms can increase the CPU utilization on a switch to 100%
May be caused by errors in stack implementation, configuration or user-initiated DoS attacks.
VLAN ATTACKS
exploiting DTP (Dynamic Trunking Protocol)
double-tagging
Can be done by spoofing DTP messages or using a rogue switch.
Works only if the rogue and trunk ports have the same native VLAN configured.
SECURING LAYER 2
DTP MODES
MODE OVERVIEW COMMENTS
TRUNK
starts as a TRUNK port
periodically sends DTP frames (advertisements) to the remote host
unconditional trunking state
To hardcode mode on an interface:
DYNAMIC AUTO
starts as an ACCESS port
periodically sends DTP frames to the remote host
advertises that it is able to trunk
does not request the remote host to go into trunking mode
To hardcode mode on an interface:
< S1(config-if)#switchport mode dynamic auto>
DYNAMIC DESIRABLE (default)
starts as an ACCESS port
periodically sends DTP frames to the remote host
advertises that it is able to trunk
requests the remote host to go into trunking mode
To hardcode mode on an interface:
NON-NEGOTIATE
disables the DTP protocol
use when connecting switches from different vendors
To hardcode mode on an interface:
LOCAL \ REMOTE      ACCESS    TRUNK     DYNAMIC AUTO  DYNAMIC DESIRABLE  NON-NEGOTIATE
ACCESS              ACCESS    MISMATCH  ACCESS        ACCESS             MISMATCH
TRUNK               MISMATCH  TRUNK     TRUNK         TRUNK              TRUNK
DYNAMIC AUTO        ACCESS    TRUNK     ACCESS        TRUNK              MISMATCH
DYNAMIC DESIRABLE   ACCESS    TRUNK     TRUNK         TRUNK              MISMATCH
NON-NEGOTIATE       MISMATCH  TRUNK     MISMATCH      MISMATCH           TRUNK
SWITCHPORT SECURITY
STEP # COMMANDS COMMENTS
SET PORT TO ACCESS MODE
A port can only be secured if it is in explicit ACCESS mode.
ENABLE SWITCHPORT SECURITY
None of the port security settings will take effect until this command is issued.
MAXIMUM MAC ADDRESSES
Number of MAC addresses allowed on the port.
SECURITY VIOLATION MODE
To recover a port from err-disabled state:
OR
protect - blocks all MAC addresses above the limit
restrict - as above + sends a syslog msg. + sends an SNMP trap + increments the violation counter
shutdown - puts the port into err-disabled state
MAC ADDRESS ENTRY
H.H.H.H - enter the MAC address manually
sticky - learns the incoming MAC addresses and adds them to the running configuration; if the command is later removed all sticky MACs remain a part of the running conf. but are removed from the MAC table
AGING
absolute - all secure addresses on this port age out exactly after the specified time and are removed from the secure address list
inactivity - secure addresses on this port are aged out only if there is no data traffic from the secure source for the specified time period
TSHOOT
show port-security (interface)
show port-security address
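A model of the port-security behaviour described in this table (maximum addresses, the three violation modes, sticky learning, absolute and inactivity aging), as an added Python example that is not from the manual; the interface names, MAC addresses and the syslog wording are constructed:

```python
"""Model of switchport port-security behaviour described above.

Added example, not from the manual. A secured access port holds at most
`maximum` secure MAC addresses; frames from further addresses are handled by
the violation mode (protect / restrict / shutdown). Sticky learning writes
learnt addresses into a model running configuration, and aging removes secure
addresses on an absolute or inactivity timer. Interface names, MAC addresses
and the syslog wording below are constructed.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class SecurePort:
    name: str
    maximum: int = 1
    violation: str = "shutdown"          # protect | restrict | shutdown
    sticky: bool = False
    aging_time: Optional[int] = None     # seconds; None means secure addresses never age out
    aging_type: str = "absolute"         # absolute | inactivity
    # MAC -> time learnt (absolute aging) or time last seen (inactivity aging)
    secure: Dict[str, int] = field(default_factory=dict)
    running_config: List[str] = field(default_factory=list)
    syslog: List[str] = field(default_factory=list)
    violation_count: int = 0
    err_disabled: bool = False

    def _age(self, now: int) -> None:
        """Remove secure addresses whose aging timer has expired."""
        if self.aging_time is None:
            return
        for mac in [m for m, t in self.secure.items() if now - t >= self.aging_time]:
            del self.secure[mac]

    def receive(self, mac: str, now: int) -> str:
        """Process a frame with source address `mac` at time `now`; return 'forward' or 'drop'."""
        if self.err_disabled:
            return "drop"                # an err-disabled port passes nothing until recovered
        self._age(now)
        if mac in self.secure:
            if self.aging_type == "inactivity":
                self.secure[mac] = now   # traffic from a secure source restarts its timer
            return "forward"
        if len(self.secure) < self.maximum:
            self.secure[mac] = now       # learn a new secure address
            if self.sticky:
                self.running_config.append(f"switchport port-security mac-address sticky {mac}")
            return "forward"
        # Address above the limit: apply the violation mode.
        if self.violation == "protect":
            return "drop"                # silently blocked: no log, no counter
        self.violation_count += 1
        self.syslog.append(f"port-security violation on {self.name} caused by {mac}")  # constructed wording
        if self.violation == "shutdown":
            self.err_disabled = True     # port goes err-disabled; needs shutdown / no shutdown
        return "drop"

    def recover(self) -> None:
        """Operator recovery of an err-disabled port (shutdown followed by no shutdown)."""
        self.err_disabled = False


def demo() -> SecurePort:
    """Constructed scenario: two allowed sticky addresses, restrict mode, 300 s inactivity aging."""
    port = SecurePort("Fa0/1", maximum=2, violation="restrict", sticky=True,
                      aging_time=300, aging_type="inactivity")
    for mac, t in [("0000.1111.aaaa", 0), ("0000.1111.bbbb", 10), ("0000.1111.cccc", 20)]:
        port.receive(mac, t)             # the third address is a violation
    return port


if __name__ == "__main__":
    p = demo()
    print(p.violation_count, p.syslog, p.running_config)
```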
STP SECURITY
STEP # COMMANDS COMMENTS
PortFast
spanning-tree portfast default - sets all non-trunking ports to PortFast
spanning-tree portfast - sets the given port to PortFast (instant transition to ACCESS mode)
BPDU Guard
spanning-tree portfast bpduguard default - enables BPDU Guard on all PortFast ports
If a port with BPDU Guard enabled receives a BPDU it will be blocked.
Should be enabled on all non-trunking ports.
BPDU Filter
spanning-tree bpdufilter - disables sending and receiving of BPDUs
Root Guard
spanning-tree guard root - enables root guard on a per-interface basis
If a port with Root Guard enabled receives a BPDU with a lower priority than those issued by the current root bridge, that port is moved into the root-inconsistent state (STP listening state) - the port recovers as soon as the offending BPDUs stop being received.
Best deployed toward ports that connect to switches that should never become the root bridge.
MISC
Storm Control
level (level-low)
bps (bps-low)
pps (pps-low)
To verify:
Allows interfaces sending excessive traffic to be shut down.
The blocked port remains shut until the traffic drops below the falling threshold.
level (level-low) - specifies the rising and falling suppression levels as a % of the total bandwidth of the port:
level - rising suppression level (0.00-100.00); flooding of storm packets is blocked when the specified value is reached
level-low - falling suppression level (0.00-100.00); by default equals the value of the rising suppression level
bps (bps-low) - specifies the rising and falling suppression levels as a rate in bits per second at which traffic is received on the port
pps (pps-low) - specifies the rising and falling suppression levels as a rate in packets per second at which traffic is received
action shutdown - err-disabled status
action trap - the switch sends an SNMP trap when a storm occurs
SPAN Ports
To verify:
Forwards all the traffic received on a specified port to a specified destination port (mirrors the traffic) for further analysis (to an IPS / IDS).
RSPAN allows for mirroring traffic to a port on a remote device.
IPSec
IPSec Configuration
o IKE Phase 1
o IKE Phase 2
IPSec Verification and Tshooting
IPSec Configuration Example
IPSec Planning Template
IPSec CONFIGURATION
IKE PHASE 1
IKE - Internet Key Exchange
PHASE 1 is used:
o to exchange and agree on policy sets to be used
o to exchange DH keys
o to authenticate the peer
can run in MAIN or AGGRESSIVE mode
STEP # COMMANDS COMMENTS
*ENSURE IPsec TRAFFIC IS ALLOWED
IPSec uses the following protocols:
ESP (IP 50)
AH (IP 51)
ISAKMP (UDP 500)
They have to be permitted i.e. not blocked on the interface using IPSec (restrictive traffic policies are most likely to be present on perimeter routers).
ENABLE ISAKMP
The default state of isakmp will differ depending on the IOS version.
CREATE ISAKMP POLICY
To verify:
Each policy configured on a router is assigned a priority number, which is only locally significant (the lower the number the higher the priority).
The peer initiating the negotiation sends all of its policies to the remote peer, who compares them with the locally configured ones until a match is found - the policies with higher priorities are compared first (that's why the most secure policies should have the lowest priority numbers).
For a match to be found, two policies have to use identical values for the following parameters:
AUTHENTICATION
ENCRYPTION
HASH
DH LEVEL
If a match is found ISAKMP will use the DH algorithm to exchange keys and authenticate the peers.
If a match is not found ISAKMP refuses negotiation.
lifetime - specifies after what time the IKE Phase 1 tunnel is torn down and re-established (the value does not have to be identical on both ends and if a non-default value is used the lower of the two values is used).
CREATE ISAKMP LOCAL ID
The router can identify itself when communicating with the remote end using either its IP address or hostname (both ends need to use the same form of authentication).
Hostname should only be used when the router's IP address is subject to frequent changes e.g. by the ISP.
If hostname is used a DNS server must be present to resolve the hostname to its IP address.
CREATE PSKs
IF LOCAL ID = HOSTNAME
IF LOCAL ID = IP ADDRESS
To verify:
The PSK has to be identical on both ends.
IKE PHASE 2
PHASE 2 is used to:
o negotiate and establish IPSec SA (Security Association) parameters protected by the existing IKE SA
o periodically renegotiate IPSec SAs to ensure security
o optionally perform an additional DH exchange (with PFS)
STEP # COMMANDS COMMENTS
CREATE TRANSFORM SET
*
To verify:
transform set - groups together security protocols and their protection methods and creates the security parameters that protect traffic traveling through the IPSec tunnel
Multiple sets can be configured and multiple sets can be specified in a crypto map.
Each set is compared against each of the sets configured on the peer - at least one needs to match.
There are four groups of transforms (only one transform from each category can be used):
o AH AUTHENTICATION (hashing)
o ESP AUTHENTICATION (hashing)
o ESP ENCRYPTION
o COMPRESSION
mode transport - protection of L2 and below
mode tunnel - protection of L3 and below
*TUNE IPSec SA PARAMETERS
CREATE CRYPTO ACL
permit - encrypt data
deny - send in plain text
The ACL criteria are applied in the forward direction to traffic exiting the router, and in the backward direction to the traffic entering the router (the outbound ACL source becomes the inbound ACL destination).
CREATE CRYPTO MAP
*
The crypto map binds all the IPSec information together.
Only one crypto map can exist on an interface.
If no PSKs are configured, the SA keys Phase 1 connection.
sequence number - used to prioritize multiple maps that may exist on a router (the lower the number the higher the priority)
set pfs - (Perfect Forward Secrecy) performs a new DH exchange with each quick mode and provides key material that has greater life and thereby greater resistance to cryptographic attacks (increases CPU usage)
ASSIGN CRYPTO MAP TO AN INTERFACE
IPSec VERIFICATION AND TSHOOTING
show crypto isakmp policy
show crypto ipsec transform-set
show crypto map
show crypto isakmp sa
show crypto ipsec sa
show crypto session detail
debug crypto isakmp
debug crypto ipsec
clear crypto isakmp (connection ID)
clear crypto sa
clear crypto sa peer
clear crypto sa map
clear crypto sa counters
COMMAND VERIFIES EXAMPLE
show crypto isakmp policy
Displays all of the isakmp policies defined on the router:
policy number
encryption algorithm
hashing algorithm
authentication method
DH group
lifetime
show crypto ipsec transform-set
Displays all of the transform sets defined on the router:
transform set name
encryption algorithm
hashing algorithm
show crypto map
Displays all of the crypto maps defined on the router:
map name and sequence number
peer associated with the map
ACL defining interesting traffic associated with the map
transform set associated with the map
interface associated with the map
show crypto isakmp sa
IKE Phase 1 tunnel information:
source and destination
tunnel state (QM_IDLE desired)
tunnel status (ACTIVE desired)
MM = Main Mode
AG = Aggressive Mode
QM = Quick Mode
PHASE / STATE DESCRIPTION
MM_NO_STATE / AG_NO_STATE - the tunnel has been initialized but nothing has been negotiated yet
MM_SA_SETUP - the peers have negotiated IKE Phase 1 policies
MM_KEY_EXCH - DH has completed
AG_INIT_EXCH - the peers have negotiated the Phase 1 policies and performed DH
AG_AUTH - the Phase 1 authentication has completed
QM_IDLE - the Phase 1 and/or Phase 2 sessions have completed successfully
show crypto session detail - displays tunnel information and statistics
debug crypto isakmp - debugs the process of creating the IKE Phase 1 tunnel
debug crypto ipsec - debugs the process of creating the IKE Phase 2 tunnel
clear crypto isakmp (connection ID) - clears active ISAKMP connections
clear crypto sa - clears all data SAs
clear crypto sa peer (IP address | hostname) - clears the data SAs associated with a specific peer
clear crypto sa map - clears all data SAs associated with a specific crypto map
clear crypto sa counters - clears the counters in the output of show crypto ipsec sa
IPSec CONFIGURATION EXAMPLE
Secure the traffic sent between 172.30.2.0 /24 and 192.168.1.0 /24
IKE PHASE 1: PLANNING
PEERS                PEER 1: HOME        PEER 2: REMOTE
LOCAL ID             IP ADDRESS          IP ADDRESS
IP ADDRESS           98.174.249.99       67.40.69.33
POLICY
  NUMBER             #10                 #60
  AUTHENTICATION     PRE-SHARED KEY      PRE-SHARED KEY
  ENCRYPTION         AES 128             AES 128
  HASHING            SHA-1               SHA-1
  DH LVL             2                   2
  LIFETIME           86,400              86,400
PRE-SHARED KEY
  NAME               cbtkey              cbtkey
  ACCEPTED FROM      67.40.69.33         98.174.249.99
IKE PHASE 2: PLANNING
TRANSFORM SET
  NAME               CBTVPN              CBTVPN
  AH HASHING         N/A                 N/A
  ESP ENCRYPTION     ESP-AES 128         ESP-AES 128
  ESP HASHING        ESP-SHA-1-HMAC      ESP-SHA-1-HMAC
  COMPRESSION        N/A                 N/A
CRYPTO ACL
  NAME               S2S-VPN-TRAFFIC     S2S-VPN-TRAFFIC
  INTERESTING TRAFFIC 172.30.2.0 /24     192.168.1.0 /24
CRYPTO MAP
  NAME               S2S-VPN             S2S-VPN
  SEQUENCE #         100                 200
  INTERFACE          s1/0                s1/1
IKE PHASE 1: CONFIGURATION
STEP # COMMANDS
1. ENABLE ISAKMP
2. CREATE ISAKMP POLICY
VERIFY:
3. CREATE ISAKMP LOCAL IDENTITY
4. CONFIGURE PRE-SHARED KEYS
VERIFY:
IKE PHASE 2: CONFIGURATION
STEP # COMMANDS
5. CREATE TRANSFORM SET
6. CREATE CRYPTO ACL
CONFIGURATION FILES
HOME
!
crypto isakmp policy 10
 encr aes
 authentication pre-share
 group 2
crypto isakmp key cbtkey address 67.40.69.33
!
crypto ipsec transform-set CBTVPN esp-aes esp-sha-hmac
!
crypto map S2S-VPN 100 ipsec-isakmp
 set peer 67.40.69.33
 set transform-set CBTVPN
 match address S2S-VPN-TRAFFIC
!
interface Serial1/0
 ip address 98.174.249.99 255.255.255.0
 serial restart-delay 0
 crypto map S2S-VPN
!
ip access-list extended S2S-VPN-TRAFFIC
 permit ip 172.30.2.0 0.0.0.255 192.168.1.0 0.0.0.255
!
REMOTE
!
crypto isakmp policy 60
 encr aes
 authentication pre-share
 group 2
crypto isakmp key cbtkey address 98.174.249.99
!
crypto ipsec transform-set CBTVPN esp-aes esp-sha-hmac
!
crypto map S2S-VPN 100 ipsec-isakmp
 set peer 98.174.249.99
 set transform-set CBTVPN
 match address S2S-VPN-TRAFFIC
!
interface Serial1/1
 ip address 67.40.69.33 255.255.255.0
 serial restart-delay 0
 crypto map S2S-VPN
!
ip access-list extended S2S-VPN-TRAFFIC
 permit ip 192.168.1.0 0.0.0.255 172.30.2.0 0.0.0.255
!
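Added example (not part of the manual): a Python consistency check for the HOME and REMOTE configuration files above. A site-to-site tunnel only comes up when the two sides mirror each other, so the script pulls the peer address, pre-shared key binding, transform set and crypto ACL from each side and reports anything that does not line up. The embedded snippets are the relevant lines of the two configs; the parser is a deliberately minimal regex scan, not a general IOS config parser.

```python
import re

# Lines relevant to the check, taken from the HOME and REMOTE configs above.
HOME = """
crypto isakmp key cbtkey address 67.40.69.33
crypto ipsec transform-set CBTVPN esp-aes esp-sha-hmac
crypto map S2S-VPN 100 ipsec-isakmp
 set peer 67.40.69.33
interface Serial1/0
 ip address 98.174.249.99 255.255.255.0
ip access-list extended S2S-VPN-TRAFFIC
 permit ip 172.30.2.0 0.0.0.255 192.168.1.0 0.0.0.255
"""
REMOTE = """
crypto isakmp key cbtkey address 98.174.249.99
crypto ipsec transform-set CBTVPN esp-aes esp-sha-hmac
crypto map S2S-VPN 100 ipsec-isakmp
 set peer 98.174.249.99
interface Serial1/1
 ip address 67.40.69.33 255.255.255.0
ip access-list extended S2S-VPN-TRAFFIC
 permit ip 192.168.1.0 0.0.0.255 172.30.2.0 0.0.0.255
"""

def parse(cfg):
    """Extract the fields that must agree or mirror between the two peers."""
    key, key_addr = re.search(r"crypto isakmp key (\S+) address (\S+)", cfg).groups()
    return {
        "key": key, "key_addr": key_addr,
        "transforms": re.search(r"crypto ipsec transform-set \S+ (.+)", cfg).group(1).split(),
        "peer": re.search(r"set peer (\S+)", cfg).group(1),
        "ip": re.search(r"ip address (\S+) \S+", cfg).group(1),
        "acl": re.findall(r"permit ip (\S+) (\S+) (\S+) (\S+)", cfg),
    }

def mirror_errors(a, b):
    """Return the mismatches between two sides; an empty list means they line up."""
    errs = []
    # The peer and key address on one side must be the interface address of the other.
    for field, what in (("peer", "set peer"), ("key_addr", "isakmp key address")):
        if a[field] != b["ip"] or b[field] != a["ip"]:
            errs.append(f"{what} does not match the other side's interface address")
    if a["key"] != b["key"]:
        errs.append("pre-shared keys differ")
    if a["transforms"] != b["transforms"]:
        errs.append("transform sets differ")
    # Every crypto ACL entry must appear on the other side with src/dst swapped.
    if set(a["acl"]) != {(d, dw, s, sw) for s, sw, d, dw in b["acl"]}:
        errs.append("crypto ACLs are not mirror images")
    return errs
```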
IPSec PLANNING TEMPLATE
IKE PHASE 1
PEER PEER 1 PEER 2
LOCAL ID
IP ADDRESS
POLICY
NUMBER
AUTHENTICATION
ENCRYPTION
HASHING
DH LVL
LIFETIME
PRE SHARED KEY
NAME
ACCEPTED FROM
IKE PHASE 2
TRANSFORM SET
NAME
AH HASHING
ESP HASHING
ESP ENCRYPTION
COMPRESSION
CRYPTO ACL
NAME
INTERESTING TRAFFIC
CRYPTO MAP
NAME
SEQUENCE #
INTERFACE
APPENDIXES
IPv4 Subnetting
Common Ports
ACLs
Zone Based Firewall
IPSec
packetlife. by Jeremy Stretch
IOS IPV4 ACCESS LISTS

Actions
permit      Allow matched packets
deny        Deny matched packets
remark      Record a configuration comment
evaluate    Evaluate a reflexive ACL

Standard ACL Syntax
! Legacy syntax
access-list <number> {permit | deny} <source> [log]
! Modern syntax
ip access-list standard {<number> | <name>}
 [<sequence>] {permit | deny} <source> [log]

Extended ACL Syntax
! Legacy syntax
access-list <number> {permit | deny} <protocol> <source> [<ports>] <destination> [<ports>] [<options>]
! Modern syntax
ip access-list extended {<number> | <name>}
 [<sequence>] {permit | deny} <protocol> <source> [<ports>] <destination> [<ports>] [<options>]

ACL Numbers
1-99, 1300-1999     IP standard
100-199, 2000-2699  IP extended
200-299             Protocol
300-399             DECnet
400-499             XNS
500-599             Extended XNS
600-699             Appletalk
700-799             Ethernet MAC
800-899             IPX standard
900-999             IPX extended
1000-1099           IPX SAP
1100-1199           MAC extended
1200-1299           IPX summary

Source/Destination Definitions
any                   Any address
host <address>        A single address
<address> <wildcard>  Any address matched by the wildcard mask

TCP/UDP Port Definitions
eq <port>             Equal to
neq <port>            Not equal to
gt <port>             Greater than
lt <port>             Less than
range <first> <last>  Matches a range of port numbers

TCP Options
ack          Match ACK flag
fin          Match FIN flag
psh          Match PSH flag
rst          Match RST flag
syn          Match SYN flag
urg          Match URG flag
established  Match packets in an established session

IP Options
dscp <value>      Match the specified IP DSCP
fragments         Check non-initial fragments
option <value>    Match the specified IP option
precedence {0-7}  Match the specified IP precedence
ttl <value>       Match the specified IP time to live (TTL)

Logging Options
log        Log ACL entry matches
log-input  Log matches including ingress interface and source MAC address

Miscellaneous Options
reflect <name>     Create a reflexive ACL entry
time-range <name>  Enable rule only during the given time range

Applying ACLs to Restrict Traffic
interface FastEthernet0/0
 ip access-group {<number> | <name>} {in | out}

Troubleshooting
show access-lists [<number> | <name>]
show ip access-lists [<number> | <name>]
show ip access-lists interface <interface>
show ip access-lists dynamic
show ip interface [<interface>]
show time-range [<name>]
packetlife. by Jeremy Stretch
IOS ZONE-BASED FIREWALL

Terminology
Security Zone      A group of interfaces which share a common level of security
Zone Pair          A unidirectional pairing of source and destination zones to which a security policy is applied
Inspection Policy  An inspect-type policy map used to statefully filter traffic by matching one or more inspect-type class maps
Parameter Map      An optional configuration of protocol-specific parameters referenced by an inspection policy

[Topology diagram: Corporate LAN (G0/0), MPLS WAN, Internet (G0/1), Guest Wireless LAN (G0/2.10, G0/2.20); zones Trusted, Guest, Internet]

Security Zones
! Defining security zones
zone security Trusted
zone security Guest
zone security Internet
! Assigning interfaces to security zones
interface GigabitEthernet0/0
 zone-member security Trusted
!
interface GigabitEthernet0/1
 zone-member security Internet
!
interface GigabitEthernet0/2.10
 zone-member security Trusted
!
interface GigabitEthernet0/2.20
 zone-member security Guest

Zone Pair Configuration
! Service policies are applied to zone pairs
zone-pair security T2I source Trusted destination Internet
 service-policy type inspect Trusted2Internet
zone-pair security G2I source Guest destination Internet
 service-policy type inspect Guest2Internet
zone-pair security I2T source Internet destination Trusted
 service-policy type inspect Internet2Trusted

Inspection Class Configuration
! Match by protocol
class-map type inspect match-any ByProtocol
 match protocol tcp
 match protocol udp
 match protocol icmp
! Match by access list (the mask is a wildcard, so 10.0.0.0/16 is 0.0.255.255)
ip access-list extended MyACL
 permit ip 10.0.0.0 0.0.255.255 any
!
class-map type inspect match-all ByAccessList
 match access-group name MyACL

Inspection Policy Actions
Drop     Traffic is prevented from passing
Pass     Traffic is permitted to pass without stateful inspection
Inspect  Traffic is subjected to stateful inspection; legitimate return traffic permitted in the opposite direction

Inspection Policy Configuration
policy-map type inspect MyInspectionPolicy
 ! Pass permitted stateless traffic
 class VPN-Tunnel
  pass
 ! Inspect permitted stateful traffic
 class Allowed-Traffic1
  inspect
 ! Stateful inspection with a parameter map
 class Allowed-Traffic2
  inspect MyParameterMap
 ! Drop and log unpermitted traffic
 class class-default
  drop log

Parameter Map Configuration
parameter-map type inspect MyParameterMap
 alert on
 audit-trail off
 dns-timeout 5
 max-incomplete low 20000
 max-incomplete high 25000
 icmp idle-time 3
 tcp synwait-time 3

Troubleshooting
show zone security
show zone-pair security
show policy-map type inspect
show class-map type inspect
show parameter-map type inspect
debug zone security events
packetlife.
IPSEC

Encryption Algorithms
Algorithm  Type        Key Length (Bits)  Strength
DES        Symmetric   56                 Weak
3DES       Symmetric   168                Medium
AES        Symmetric   128/192/256        Strong
RSA        Asymmetric  1024+              Strong

Hashing Algorithms
Algorithm  Length (Bits)  Strength
MD5        128            Medium
SHA-1      160            Strong

Protocols
Internet Security Association and Key Management Protocol (ISAKMP)
A framework for the negotiation and management of security associations between peers (traverses UDP/500)
Internet Key Exchange (IKE)
Responsible for key agreement using asymmetric cryptography
Encapsulating Security Payload (ESP)
Provides data encryption, data integrity, and peer authentication; IP protocol 50
Authentication Header (AH)
Provides data integrity and peer authentication, but not data encryption; IP protocol 51
IPsec Modes